Ensuring compliance of organizations to federal regulations is a growing concern. This paper presents a framework and methods to verify whether an implemented low-level security policy is compliant to a high-level security policy. Our compliance checking framework is based on organizational and security metadata to support refinement of high-level concepts to implementation specific instances. Our work uses the results of refinement calculus to express valid refinement patterns and their properties. Intuitively, a low-level security policy is compliant to a high-level security policy if there is a valid refinement path from the high-level security policy to the low-level security policy. Our model is capable of detecting violations of security policies, failures to meet obligations, and capability and modal conflicts.
In this work, we propose a policy refinement framework and an action algebra that we apply to checking compliance of security policies. The proposed action algebra forms the basis of action refinements. To illustrate why action refinement is needed for compliance checking, we now present an example. Let $a_1$, $a_2$, and $a_3$ be actions, $s$ a subject, and $o$ an object. Assume that allowing action $a_1$ is equivalent to allowing action $a_2$ and disallowing action $a_3$. If a high-level policy contains the access control rule $(s, o, +a_1)$ and the low-level policy contains the access control rules $(s, o, +a_2)$ and $(s, o, +a_3)$, then the low-level policy is not compliant to the high-level policy, because allowing $a_3$ contradicts the required disallowing of $a_3$. Intuitively, the policy compliance problem asks whether the low-level policy satisfies the relevant requirements of the high-level security policy.
Our main contributions in this paper are the development of an action algebra, a framework for policy refinement using refinement patterns, and a definition of compliance based on the concept of model checking. We describe a policy language that can model both high-level and low-level security policies. The proposed policy language is an extension of the Authorization Specification Language (ASL) and the Flexible Authorization Framework (FAF) [5]. The extended language supports the specification of obligations, dispensations, and authorizations. We have applied the principles of refinement calculus to security policies and developed an action algebra that can be used to evaluate the correctness of action compositions. In addition, we have developed a policy refinement mechanism that combines the action algebra and the policy language to refine a high-level security policy into low-level security policies. Security policies are refined using action refinement patterns and derivation rules. The refinement process results in a set of possible low-level policies and corresponding system states. If the implemented low-level policy and the current system state correspond to a derived low-level policy and state, then we consider the implemented policy to be compliant to the high-level policy.
The rest of the paper is organized as follows: Section II presents an overview of the proposed compliance checking framework. Section III presents definitions of basic constructs. Section IV describes action composition. Sections V and VI describe our extension of the Flexible Authorization Framework (FAF) and the compliance checking process, respectively. In Section VII we conclude and recommend future work.
We propose a compliance-checking framework in which all entities in the concerned organization are described with ontological concepts. We define an ontology that models concepts such as subjects, permissions, obligations, actions, protection objects, and the metadata associated with them and with the organization. Our compliance checking framework comprises the following components: 1. an ontology, 2. instances of ontology concepts (e.g., users, the organization's resources, roles, etc.), 3. a high-level security policy, 4. a set of low-level security policies, 5. refinement patterns, and 6. a compliance checking engine. An overview of the compliance checking framework is shown in Figure 1(a). We now describe the components of the proposed compliance checking framework.
We model security policies as locally stratified logic programs, similar to the Authorization Specification Language [5]. The security policy language presented in this work can represent obligations, dispensations, and authorizations. It also supports conflict resolution rules and policy refinement. Action refinement patterns specify the refinement of an action of type A into a composition expression (Section IV) formed from sub-actions of A, such that the constraints for satisfying any obligation of type A are preserved.
The compliance checking engine in our framework refines the high-level security policy by recursively applying policy refinement rules. The refinement process continues until no new facts can be derived. The refined policies generated by this process consist of ground rules and system-state information (facts) only. The set of all decision rules in a policy is called a decision view.
The low-level security policy and system information given as input for the compliance check are then compared with the set of refined security policies generated. If the given system state satisfies the post-conditions of the applicable obligations and the decision view of the input low-level policy implies one of the possible decision views of the high-level policy, we say that the given system is compliant to the high-level policy. However, if the given system is not compliant, the compliance checking engine may also detect violations of the high-level policy and capability conflicts that prevent users from performing their obligations.
In Section VI, we discuss different types of violations and capability conflicts in further detail.
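The refinement and compliance check described above, and the $a_1$ / $a_2$ / $a_3$ example from the introduction, as an added illustration that is not the paper's code. It simplifies the framework to ground rules of the form (subject, object, signed action), applies refinement patterns to positive authorizations only, and adds a constructed second refinement level for $a_2$ (two alternatives) so that the high-level policy yields two candidate decision views.

```python
# Added illustration of the refinement-based compliance check (not the paper's
# code). Assumptions: rules are ground triples (subject, object, signed action),
# patterns refine positive authorizations only, alternatives fork decision views.
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[str, str, str]            # ("s", "o", "+a1"): s may perform a1 on o
Patterns = Dict[str, List[Set[str]]]   # action -> alternatives (sets of signed sub-actions)

def flip(signed: str) -> str:
    return ("-" if signed[0] == "+" else "+") + signed[1:]   # '+a3' <-> '-a3'

def refine(policy: Set[Rule], patterns: Patterns) -> List[FrozenSet[Rule]]:
    """Recursively expand composite actions until only primitive rules remain,
    returning every low-level decision view derivable from the policy."""
    views: List[Set[Rule]] = [set()]
    for subj, obj, signed in sorted(policy):
        sign, action = signed[0], signed[1:]
        if action not in patterns:                   # primitive action: keep as-is
            views = [v | {(subj, obj, signed)} for v in views]
            continue
        if sign == "-":                              # assumption: '+' composites only
            raise ValueError(f"negative composite rule unsupported: {signed}")
        expanded: List[Set[Rule]] = []
        for alternative in patterns[action]:         # each alternative forks the views
            for sub_view in refine({(subj, obj, sa) for sa in alternative}, patterns):
                expanded.extend(v | sub_view for v in views)
        views = expanded
    return [frozenset(v) for v in views]

def check_compliance(low: Set[Rule], high: Set[Rule],
                     patterns: Patterns) -> Tuple[bool, Set[Rule], Set[Rule]]:
    """Compliant iff the low-level view implies some refined high-level view (every
    derived rule present, none contradicted). Else: (missing, violated) of closest view."""
    best: Tuple[Set[Rule], Set[Rule]] = (set(), set())
    best_score = None
    for view in refine(high, patterns):
        missing = view - low
        violated = {r for r in view if (r[0], r[1], flip(r[2])) in low}
        if not missing and not violated:
            return True, set(), set()
        if best_score is None or len(missing) + len(violated) < best_score:
            best, best_score = (missing, violated), len(missing) + len(violated)
    return False, best[0], best[1]

PATTERNS: Patterns = {"a1": [{"+a2", "-a3"}],           # the paper's example
                      "a2": [{"+b1"}, {"+b2", "-b3"}]}   # constructed second level
HIGH: Set[Rule] = {("s", "o", "+a1")}
NON_COMPLIANT: Set[Rule] = {("s", "o", "+b1"), ("s", "o", "+a3")}   # +a3 contradicts -a3
COMPLIANT: Set[Rule] = {("s", "o", "+b2"), ("s", "o", "-b3"), ("s", "o", "-a3")}
```

For the non-compliant input the check reports $(s, o, -a_3)$ as both missing and violated, which is the policy violation the paper's example describes.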
Rules in the high-level policy contain composite actions. Composi