Jonathan D. Moffett

Security Requirements Engineering: A Framework for Representation and Analysis

This paper presents a framework for security requirements elicitation and analysis. The framework is based on constructing a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. The system context is described using a problem-oriented notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument consists of two parts: a formal argument that the system can meet its security requirements and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems. We evaluate the framework by applying it to a security requirements analysis within an air traffic control technology evaluation project.

Policy hierarchies for distributed systems management

Distributed system management, involves monitoring the activity of a system, making management decisions and performing control actions to modify the behavior of the system. Most of the research on management has concentrated on management mechanisms related to network management or operating systems. However, in order to automate the management of very large distributed systems, it is necessary to be able to represent and manipulate management policy within the system. These objectives are typically set out in the form of general policies which require detailed interpretation by the system managers. The paper explores the refinement of general high-level policies into a number of more specific policies to form a policy hierarchy in which each policy in the hierarchy represents, to its maker, his plans to meet his objectives and, to its subject, the objectives which he must plan to meet. Management action policies are introduced, and the distinction between imperatival and authority policies is made. The relationship of hierarchies of imperatival policies to responsibility, and to authority policies, is discussed. An outline approach to the provision of automated support for the analysis of policy hierarchies is provided, by means of a more formal definition of policy hierarchy refinement relationships in Prolog. >

A goal-based approach to policy refinement

As the interest in using policy-based approaches for systems management grows, it is becoming increasingly important to develop methods for performing analysis and refinement of policy specifications. Although this is an area that researchers have devoted some attention to, none of the proposed solutions address the issue of deriving implementable policies from high-level goals. A key part of the solution to this problem is having the ability to identify the operations, available on the underlying system, which can achieve a given goal. This work presents an approach by which a formal representation of a system, based on the event calculus, can be used in conjunction with abductive reasoning techniques to derive the sequence of operations that will allow a given system to achieve a desired goal. Additionally it outlines how this technique might be used for providing tool support and partial automation for policy refinement. Building on previous work on using formal techniques for policy analysis, the approach presented here applies a transformation of both policy and system behaviour specifications into a formal notation that is based on event calculus. Finally, it shows how the overall process could be used in conjunction with UML modelling and illustrates this by means of an example.

The role-based access control system of a European bank: a case study and discussion

Research in the area of role-based access control has made fast progress over the last few years. However, little has been done to identify and describe existing role-based access control systems within large organisations. This paper describes the access control system of a major European Bank. An overview of the systems structure, its administration and existing control principles constraining the administration is given. In addition, we provide an answer to a key question - the ratio of the number of roles to the system user population - which was raised in the recent RBAC2000 Workshop. Having described certain weaknesses of the Banks system, the case study is extended to a comparison between the system and the RBAC96 models. In particular the issues of inheritance and grouping are addressed.

Policy Conflict Analysis in Distributed System Management

Distributed system management is concerned with the tasks needed to ensure that large distributed systems can function in accordance with the objectives of their users. These objectives are typically set out in the form of policies that are interpreted by the system managers. There are benefits to be gained by providing automated support for human managers, or actually automating routine management tasks. To do this, it is desirable to have a model of policies as objects that can be interpreted by the system itself. The model is summarized. It is clear that there is the potential for conflicts between policies. These conflicts may be resolved informally by human managers, but if an automated system is to recognize them and resolve them appropriately, first it is necessary to analyze the types of conflict that may occur. We analyze the types of overlap that may occur between policies, and show that this analysis corresponds to several familiar types of policy conflict. Some possible approaches to the preve...

A framework for security requirements engineering

This paper presents a framework for security requirements elicitation and analysis, based upon the construction of a context for the system and satisfaction arguments for the security of the system. One starts with enumeration of security goals based on assets in the system. These goals are used to derive security requirements in the form of constraints. The system context is described using a problem-centered notation, then this context is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument is in two parts: a formal argument that the system can meet its security requirements, and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context, or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems.

Observations on the role life-cycle in the context of enterprise security management

Roles are a powerful and policy neutral concept for facilitating distributed systems management and enforcing access control. Models which are now subject to becoming a standard have been proposed and much work on extensions to these models has been done over the last years as documented in the recent RBAC/SACMAT workshops. When looking at these extensions we can often observe that they concentrate on a particular stage in the life of a role. We investigate how these extensions fit into a more general theoretical framework in order to give practitioners a starting point from which to develop role-based systems. We believe that the life-cycle of a role could be seen as the basis for such a framework and we provide an initial discussion on such a role life-cycle, based on our experiences and observations in enterprise security management. We propose a life-cycle model that is based on an iterative-incremental process similar to those found in the area of software development.

A lightweight approach to specification and analysis of role-based access control extensions

Role-based access control is a powerful and policy-neutral concept for enforcing access control. Many extensions have been proposed, the most significant of which are the decentralised administration of role-based systems and the enforcement of constraints. However, the simultaneous integration of these extensions can cause conflicts in a later system implementation. We demonstrate how we use the Alloy language for the specification of a conflict-free role-based system. This specification provides us at the same time with a suitable basis for further analysis by the Alloy constraint analyser.

Control principles and role hierarchies

Role -based access control (RBAC) has been introduced in the last few years, and offers a powerful means of specifying access control decisions. The model of RBAC usually assumes that, if there is a role hierarchy, then access rights are inherited upwards through the hierarchy. This paper examines the relationship between the inheritance properties of role hierarchies and control principles which are used in many large organisations: separation of duties; delegation; and supervision and review. It discusses possible relationships between roles and identifies three different kinds of role hierarchy. The control principles and role hierarchies are illustrated in a realistic application, and their interactions are discussed. It emerges that there may be conflict between control principles and the inheritance of access rights through a role hierarchy. Some ways in which role hierarchies can be used for safe inheritance of access rights are discussed.

The uses of role hierarchies in access control

The value of role-based access control (RBAC) is now well recognised. One aspect of it is the ability to make access decisions based upon the position of a role in a hierarchy. It is now recognised that there are some problems associated with this, because of the risk that these decisions may conflict with the control principles that are applied within an organisation. The aim of this paper is to identify the possible uses of role hierarchies in simplifying access rules, while remaining within the constraints of organisational control principles. We use the concept of authority state, i.e., the set of fixed and variable policies and rules in the system which influence the Reference Monitors access decisions. We then consider the uses of role hierarchies in two separate contexts: first, within a static view of the authority state, where role hierarchies may be used by an access control decision facility; and second, as constraints upon permissible changes to the authority state. We conclude that role hierarchies have some possible uses within the static view, but that they are more important as a means of constraining the permissible changes to the authority state. We make proposals for further research on the place of role hierarchies in controlling change.