CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

Some Reflections on Defining Security Policy

Ivan Krsul and Tugkan Tuglular - CERIAS

Oct 10, 1997


The notion of "Computer Policy" is fundamental to the study of computer security models, the analysis of computer vulnerabilities, the development of intrusion detection tools, and the development of misuse detection tools. Security only makes sense, as a matter of fact, in relation to a security policy that specifies what is being protected, how it must be protected, who has access to what is being protected, etc. Policies are, however, difficult to write, normally ambiguous, and difficult to understand. Unfortunately, then, much of computer security analysis is also ambiguous and difficult.

Humans can deal well with fuzzy and ambiguous definitions because they apply common sense and intuition to resolve conflicts that arise from the inherent ambiguities of the problem domain. Policies of the type presented in this section may be (and frequently are) appropriate for system administrators, but they are not adequate for the development of computer-based analysis tools that need to identify, for example, actions that result in a violation of policy. Misuse detection is one of these areas. The computer must be able to accurately pinpoint the violation of policies, and for this it needs a precise, unambiguous, deterministic, and objective definition.

In this seminar, Ivan Krsul and Tugkan Tuglular will show some of the problems with traditional policy models, argue that these models are really inadequate for COTS operating systems (like Unix or NT), and present a model they are working on that allows them to specify realistic and practical policies by using a system based on value.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

