Some Reflections on Defining Security Policy
Ivan Krsul and Tugkan Tuglular - CERIAS
Oct 10, 1997
Abstract
The notion of "Computer Policy" is fundamental to the study of computer security models, the analysis of computer vulnerabilities, the development of intrusion detection tools, and the development of misuse detection tools. As a matter of fact, security only makes sense in relation to a security policy that specifies what is being protected, how it must be protected, who has access to what is being protected, etc. Policies are, however, difficult to write, normally ambiguous, and difficult to understand. Unfortunately, then, much of computer security analysis is also ambiguous and difficult.
Humans can deal well with fuzzy and ambiguous definitions because they apply common sense and intuition to resolve conflicts that arise from the inherent ambiguities of the problem domain. Policies of the type presented in this section may be (and frequently are) appropriate for system administrators, but they are not adequate for the development of computer-based analysis tools that need to identify, for example, actions that result in a violation of policy. Misuse detection is one of these areas. The computer must be able to accurately pinpoint violations of policy, and for this it needs a precise, unambiguous, deterministic, and objective definition.
In this seminar Ivan Krsul and Tugkan Tuglular will show some of the problems with traditional policy models, show that these models are really inadequate for COTS operating systems (like Unix or NT), and present a model they are working on that allows them to specify realistic and practical policies by using a system based on value.