Section: New Results
Practical applications
Security policy analysis
Participants : Tony Bourdier, Horatiu Cirstea, Claude Kirchner, Hélène Kirchner, Pierre-Etienne Moreau.
Security policies are one of the most fundamental elements of computer security. The rewrite-based approach to security policies provides executable specifications which can be independently designed, verified, and then anchored on programs using a modular discipline. In the lineage of [69], we describe in [16] how to perform queries over these rule-based policies in order to increase the trust of the policy author in the correct behavior of the policy. The analysis we provide is founded on the strategic narrowing process, which provides both the necessary abstraction for simulating executions of the policy over access requests and the mechanism for solving what-if queries from the security administrator. We illustrate this general approach by the analysis of a firewall system policy.
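As an added illustration (not code from the report or from the cited papers), the following Python models a firewall policy as an ordered list of rewrite-like rules, evaluates concrete access requests against it, and answers a simplified what-if query by enumerating every concrete instance of a partially specified request over finite field domains. The narrowing process in [16] is symbolic and does not need such enumeration; the rule set, the field domains and the helper names are all constructed for this example.

```python
# Added illustration (not from the report or the cited papers): a rule-based
# firewall policy evaluated by ordered pattern matching, plus a simplified
# "what-if" query that enumerates the decision for each concrete instance of
# a partially specified request. The narrowing-based analysis described in
# the text is symbolic; this stand-in grounds over a small finite domain.
from itertools import product

ANY = "*"

# Constructed policy: (src_zone, dst_zone, proto, dst_port, decision).
# Rules are ordered; the first matching rule wins, as in most firewalls.
POLICY = [
    ("dmz", "internal", ANY, ANY, "deny"),
    ("internal", "dmz", "tcp", 443, "allow"),
    ("internal", "dmz", "tcp", 22, "allow"),
    ("external", "dmz", "tcp", 443, "allow"),
    (ANY, ANY, ANY, ANY, "deny"),  # default deny
]

# Constructed finite domains used to ground partially specified requests.
DOMAINS = {
    "src": ["internal", "dmz", "external"],
    "dst": ["internal", "dmz", "external"],
    "proto": ["tcp", "udp"],
    "port": [22, 443, 3306],
}


def matches(pattern, request):
    """A rule pattern matches when each field is a wildcard or equal."""
    return all(p == ANY or p == r for p, r in zip(pattern, request))


def decide(policy, request):
    """Rewrite a concrete request to a decision: the first matching rule wins."""
    for *pattern, decision in policy:
        if matches(pattern, request):
            return decision
    raise ValueError("no rule matched; policy is incomplete for %r" % (request,))


def what_if(policy, src=ANY, dst=ANY, proto=ANY, port=ANY):
    """Enumerate every concrete instance of a partial request and return
    {request: decision}. Fields left as ANY range over their whole domain."""
    choices = [
        DOMAINS["src"] if src == ANY else [src],
        DOMAINS["dst"] if dst == ANY else [dst],
        DOMAINS["proto"] if proto == ANY else [proto],
        DOMAINS["port"] if port == ANY else [port],
    ]
    return {request: decide(policy, request) for request in product(*choices)}


def allowed(policy, **partial):
    """Administrator query: which instances of this partial request are accepted?"""
    return sorted(r for r, d in what_if(policy, **partial).items() if d == "allow")


def is_complete(policy):
    """Completeness check: every concrete request in the domains gets a decision."""
    try:
        what_if(policy)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("complete:", is_complete(POLICY))
    print("what can external reach?", allowed(POLICY, src="external"))
    print("internal -> dmz:", allowed(POLICY, src="internal", dst="dmz"))
```

Dropping the final default-deny rule makes `is_complete` fail, which is the kind of defect the completeness property in the text is meant to catch; the `allowed` query is the simulation view an administrator would use to confirm that only the intended flows cross a zone boundary.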
Access control policies, a particular case of security policies, should guarantee that information can be accessed only by authorized users and thus prevent all information leakage. We proposed in [24], [21] a methodology for specifying and implementing access control policies using the rewrite-based framework Tom. This approach allows us to check that any reachable state obtained following an access granted in the implementation satisfies the policy specification. We show that when security levels are not totally ordered, some information leakage can be detected.
In [26], extended Petri net processes are used to specify and verify security policies in a modular way. This work defines fundamental policy properties, i.e., completeness, termination, consistency and confluence, in Petri net terminology and establishes some theoretical results. Following XACML combiners and property-preserving Petri net process algebra, several policy composition operators are specified and property-preserving results are stated for the verification of policy correctness. In [25], four types of policy compositions are defined, such that the integrated policy is capable of handling resource sharing, simultaneously executing operations and embedding sub-policies into main policies in multiple heterogeneous systems. Furthermore, the global policy preserves the fundamental policy properties (completeness, termination, consistency and confluence) and satisfies the policy autonomy and security principles that are required for secure interoperation. These results are detailed and expanded in [32].
In a multi-domain application environment, where distributed heterogeneous systems interoperate with each other, the local access control policies should correspondingly be integrated together in order to allow users of one organization to interact with other domains. One of the key challenges of integrating policies is conflict detection and resolution while preserving the consistency of each individual policy. The problem of detecting and resolving inheritance violations in the interoperation of multiple heterogeneous systems is addressed in [52]. The inheritance hierarchy of a security policy is formulated as a directed graph. Solving the inheritance violation problem (IVP) is formulated as a feedback arc set problem, which is NP-hard. Then, some classical approximation algorithms are introduced. The IVP in two interoperating domains is converted into the problem of finding a minimum weight vertex cover in a bipartite graph, which is polynomial-time solvable. These results are extended in [33], where several types of potential conflicts and consistency properties are considered. Graph theory, network flow techniques and colored Petri nets are applied for specifying and verifying a secure interoperation design. The component-based integration of policies is applicable to both static and dynamic multi-domain environments.
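As an added illustration (not code from the report or from [52], [33]), the following Python represents two role hierarchies as directed graphs, detects the inheritance violation that appears when cross-domain links close a cycle (a role would transitively inherit its own ancestors), and computes the smallest set of cross-domain links whose removal restores acyclicity. This is the feedback arc set view from the text restricted to the negotiated cross links; the search is exhaustive, so it is exact but only suitable for small instances, and the hierarchies and link names are constructed.

```python
# Added illustration (not from the report or the cited papers): detecting an
# inheritance violation between two interoperating role hierarchies and
# computing an exact minimum set of cross-domain links to drop. The general
# problem is NP-hard (feedback arc set); the exhaustive search here is only
# meant for small constructed examples.
from itertools import combinations

# Constructed role hierarchies: edge (a, b) means "a inherits b's permissions".
DOMAIN_A = [("A.admin", "A.staff"), ("A.staff", "A.guest")]
DOMAIN_B = [("B.manager", "B.employee"), ("B.employee", "B.visitor")]
# Cross-domain links negotiated for interoperation; together they close a
# cycle A.guest -> B.manager -> ... -> B.visitor -> A.staff -> A.guest.
CROSS = [("B.visitor", "A.staff"), ("A.guest", "B.manager")]


def has_cycle(edges):
    """Return True if the directed graph given by edges contains a cycle
    (iterative-free DFS with white/grey/black colouring)."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, [])
    WHITE, GREY, BLACK = 0, 1, 2
    color = {v: WHITE for v in graph}

    def visit(v):
        color[v] = GREY
        for w in graph[v]:
            if color[w] == GREY or (color[w] == WHITE and visit(w)):
                return True
        color[v] = BLACK
        return False

    return any(color[v] == WHITE and visit(v) for v in graph)


def inheritance_violation(local_a, local_b, cross):
    """An inheritance violation exists when each local hierarchy is acyclic
    but the interoperation graph (locals plus cross links) is not."""
    if has_cycle(local_a) or has_cycle(local_b):
        raise ValueError("a local hierarchy is itself inconsistent")
    return has_cycle(local_a + local_b + cross)


def min_cross_links_to_drop(local_a, local_b, cross):
    """Smallest subset of cross-domain links whose removal makes the merged
    graph acyclic: a feedback arc set restricted to the cross links.
    Exhaustive over subsets of increasing size, hence exact but exponential."""
    local = local_a + local_b
    for k in range(len(cross) + 1):
        for drop in combinations(cross, k):
            kept = [e for e in cross if e not in drop]
            if not has_cycle(local + kept):
                return list(drop)
    return list(cross)  # unreachable when the local hierarchies are acyclic


if __name__ == "__main__":
    print("violation:", inheritance_violation(DOMAIN_A, DOMAIN_B, CROSS))
    print("drop:", min_cross_links_to_drop(DOMAIN_A, DOMAIN_B, CROSS))
```

Which of the two candidate links to drop is a policy decision (the text's weighted variant attaches a cost to each link); the check itself only needs to confirm that the remaining interoperation graph is acyclic before the integrated policy is deployed.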
The verification approaches presented above generally specify the analysed systems without making a clear distinction between the policies and the corresponding contexts. In [29] we propose a framework where the security policies and the systems they are applied to are specified separately but using a common formalism. This separation allows not only the analysis of the policy independently of the target system but also the application of a given policy to different systems. In this framework, we propose a method to check properties like confidentiality, integrity or confinement over secure systems based on different policy specifications.