research-article

Security policy foundations in context UNITY

Authors:

M. Todd Gamble,

Rose F. Gamble,

Matthew L. HaleAuthors Info & Claims

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems

Pages 8 - 14

https://doi.org/10.1145/1988630.1988633

Published: 22 May 2011 Publication History

Get Access

Abstract

Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

References

[1]

U. S. DoD, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," 2007.

Google Scholar

[2]

NIST, "SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations," 2010.

Digital Library

Google Scholar

[3]

G.-C. Roman, C. Julien, and J. Payton, "Modeling Adaptive Behaviors in Context UNITY," Theoretical Computer Science, vol. 376, pp. 185--204, May 2007.

Digital Library

Google Scholar

[4]

"Common Criteria for Information Technology Security Evaluation," vol. Version 3.1, Part 2: Security Functional Components ed, 2007.

Google Scholar

[5]

U. S. DoD, "Information Assurance (IA) Implementation," 2003.

Google Scholar

[6]

J. Jurjens, J. Schreck, and P. Bartmann, "Model-based security analysis for mobile communications," in 30th International Conference on Software Engineering, pp. 683--692, 2008.

Digital Library

Google Scholar

[7]

B. Best, J. Jurjens, and B. Nuseibeh, "Model-based Security Engineering of Distributed Information Systems using UMLsec," in 29th International Conference on Software Engineering, 2007.

Digital Library

Google Scholar

[8]

D. Gelernter, "Generative communication in Linda," ACM Transactions on Programming Languages and Systems, vol. 7, pp. 80--112, 1985.

Digital Library

Google Scholar

[9]

M. Bravetti, N. Busi, R. Gorrieri, R. Lucchi, and G. Zavattaro, "Security issues in the tuple-space coordination model," Formal Aspects in Security and Trust, pp. 1--12, 2005.

Google Scholar

[10]

R. Focardi, R. Lucchi, and G. Zavattaro, "Secure shared data-space coordination languages: A process algebraic survey," Science of Computer Programming, vol. 63, pp. 3--15, 2006.

Digital Library

Google Scholar

[11]

G.-C. Roman and P. J. McCann, "A notation and logic for mobile computing," Formal Methods in System Design vol. 20, pp. 47--68, 2002.

Digital Library

Google Scholar

[12]

K. M. Chandy and J. Misra, Parallel Program Design: A Foundation: Addison-Wesley, 1988.

Digital Library

Google Scholar

[13]

J. Hosey and R. Gamble, "Extracting Security Control Requirements," in Cyber Security and Information Intelligence Research Workshop, 2010.

Digital Library

Google Scholar

Cited By

View all

Hale MGamble R(2019)Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standardsRequirements Engineering10.1007/s00766-017-0287-524:3(365-402)Online publication date: 1-Sep-2019
https://dl.acm.org/doi/10.1007/s00766-017-0287-5
Hale MGamble MGamble R(2013)A Design and Verification Framework for Service Composition in the CloudProceedings of the 2013 IEEE Ninth World Congress on Services10.1109/SERVICES.2013.46(317-324)Online publication date: 28-Jun-2013
https://dl.acm.org/doi/10.1109/SERVICES.2013.46
Lee SMonga MJürjens JTaylor RGall HMedvidović N(2011)Seventh international workshop on software engineering for secure systems (SESS 2011)Proceedings of the 33rd International Conference on Software Engineering10.1145/1985793.1986045(1200-1201)Online publication date: 21-May-2011
https://dl.acm.org/doi/10.1145/1985793.1986045

Index Terms

Security policy foundations in context UNITY
1. Security and privacy
  1. Security in hardware
  2. Security services
    1. Authentication
    2. Authorization
2. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. Information system economics

Recommendations

Security policy compliance with violation management
FMSE '07: Proceedings of the 2007 ACM workshop on Formal methods in security engineering

A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the ...
IPsec/VPN security policy correctness and assurance
Managing security policies: Modeling, verification and configuration

With IPsec/VPN policies being widely deployed, how to correctly specify and configure them is critical in enforcing security requirements, especially among different administrative domains across the Internet. Under current practice, IPsec/VPN policies ...
IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution
POLICY '01: Proceedings of the International Workshop on Policies for Distributed Systems and Networks

IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems

May 2011

62 pages

ISBN:9781450305815

DOI:10.1145/1988630

Program Chairs:
Jan Jürjens
Technical University Dortmund, Germany
,
Seok-Won Lee
University of Nebraska-Lincoln, USA
,
Mattia Monga
Università degli Studi di Milano, Italy

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 May 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ICSE11

Sponsor:

SIGSOFT

ICSE11: International Conference on Software Engineering

May 22, 2011

HI, Waikiki, Honolulu, USA

Acceptance Rates

SESS '11 Paper Acceptance Rate 8 of 11 submissions, 73%;

Overall Acceptance Rate 8 of 11 submissions, 73%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
150
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)1

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Hale MGamble R(2019)Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standardsRequirements Engineering10.1007/s00766-017-0287-524:3(365-402)Online publication date: 1-Sep-2019
https://dl.acm.org/doi/10.1007/s00766-017-0287-5
Hale MGamble MGamble R(2013)A Design and Verification Framework for Service Composition in the CloudProceedings of the 2013 IEEE Ninth World Congress on Services10.1109/SERVICES.2013.46(317-324)Online publication date: 28-Jun-2013
https://dl.acm.org/doi/10.1109/SERVICES.2013.46
Lee SMonga MJürjens JTaylor RGall HMedvidović N(2011)Seventh international workshop on software engineering for secure systems (SESS 2011)Proceedings of the 33rd International Conference on Software Engineering10.1145/1985793.1986045(1200-1201)Online publication date: 21-May-2011
https://dl.acm.org/doi/10.1145/1985793.1986045

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Security policy compliance with violation management

IPsec/VPN security policy correctness and assurance

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution