DOI: 10.5555/646962.712108
Article

The Ponder Policy Specification Language

Published: 29 January 2001

Abstract

The Ponder language provides a common means of specifying security policies that map onto various access control implementation mechanisms for firewalls, operating systems, databases and Java. It supports obligation policies, which are event-triggered condition-action rules for policy-based management of networks and distributed systems. Ponder can also be used for security management activities such as registration of users, or logging and auditing events for dealing with access to critical resources or security violations. Key concepts of the language include roles to group policies relating to a position in an organisation, relationships to define interactions between roles, and management structures to define a configuration of roles and relationships pertaining to an organisational unit such as a department. These reusable composite policy specifications cater for the complexity of large enterprise information systems. Ponder is declarative, strongly typed and object-oriented, which makes the language flexible, extensible and adaptable to a wide range of management requirements.


Published In

POLICY '01: Proceedings of the International Workshop on Policies for Distributed Systems and Networks
January 2001
262 pages
ISBN: 3540416102

Publisher

Springer-Verlag

Berlin, Heidelberg

Cited By

  • (2023) Automation for Network Security Configuration: State of the Art and Research Trends. ACM Computing Surveys 56:3 (1-37). DOI: 10.1145/3616401. Online publication date: 5-Oct-2023
  • (2022) Hammurabi. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (1857-1870). DOI: 10.1145/3548606.3560594. Online publication date: 7-Nov-2022
  • (2020) Automated Detection of Configured SDN Security Policies for ICS Networks. Sixth Annual Industrial Control System Security (ICSS) Workshop (31-38). DOI: 10.1145/3442144.3442148. Online publication date: 8-Dec-2020
  • (2019) A Rigorous Framework for Specification, Analysis and Enforcement of Access Control Policies. IEEE Transactions on Software Engineering 45:1 (2-33). DOI: 10.1109/TSE.2017.2765640. Online publication date: 1-Jan-2019
  • (2018) Adaptive event driven framework for real time multi-agent missions. Proceedings of the 22nd International Symposium on Distributed Simulation and Real Time Applications (255-262). DOI: 10.5555/3330299.3330333. Online publication date: 15-Oct-2018
  • (2018) Expect the unexpected. Proceedings of the 5th Workshop on Middleware and Applications for the Internet of Things (7-10). DOI: 10.1145/3286719.3286721. Online publication date: 10-Dec-2018
  • (2018) Expiring Decisions for Stream-based Data Access in a Declarative Privacy Policy Framework. Proceedings of the 2nd International Workshop on Multimedia Privacy and Security (71-80). DOI: 10.1145/3267357.3267361. Online publication date: 15-Oct-2018
  • (2018) BuildingRules. ACM Transactions on Cyber-Physical Systems 2:2 (1-22). DOI: 10.1145/3185500. Online publication date: 23-May-2018
  • (2018) Cloud-of-Things meets Mobility-as-a-Service. Computers and Security 74:C (277-295). DOI: 10.1016/j.cose.2017.10.006. Online publication date: 1-May-2018
  • (2017) Towards a Model of User-centered Privacy Preservation. Proceedings of the 12th International Conference on Availability, Reliability and Security (1-8). DOI: 10.1145/3098954.3104054. Online publication date: 29-Aug-2017
