    Verification of Security Policy Administration and Enforcement in Enterprise Systems

    Gupta_grad.sunysb_0771E_10808.pdf (977.5Kb)
    Date
    1-Dec-11
    Author
    Gupta, Puneet
    Publisher
    The Graduate School, Stony Brook University: Stony Brook, NY.
    Abstract
    The scale and complexity of security policies in enterprise systems make it difficult to ensure that they achieve higher-level security goals. This dissertation explores two important ways in which policy analysis can help: reachability analysis for administrative policies, and analysis of policy enforcement in enterprise systems.

    An administrative policy specifies how each user in an enterprise may change the policy. Fully understanding the consequences of an administrative policy can be difficult, because sequences of changes by different users may interact in unexpected ways. Administrative policy analysis helps by answering questions such as user-permission reachability, which asks whether specified users can together change the policy in a way that achieves a specified goal, namely, granting a specified permission to a specified user. This dissertation presents a rule-based access control policy language, a rule-based administrative policy model that controls addition and removal of rules and facts, and an abductive analysis algorithm for user-permission reachability. Abductive analysis means that the algorithm can analyze policy rules even if the facts initially in the policy (e.g., information about users) are unavailable. The algorithm does this by computing minimal sets of facts that, if present in the initial policy, imply reachability of the goal.

    Many security requirements for enterprise systems can be expressed in a natural way as high-level access control policies, but are not enforced by a single mechanism that directly interprets such policies. A high-level policy may refer to abstract information resources, independent of where the information is stored; it controls both direct and indirect accesses to the information; it may refer to the context of a request, i.e., the request's path through the system; and its enforcement point and enforcement mechanism may be unspecified. Enforcement of a high-level policy may depend on the system architecture and the configurations of a variety of security mechanisms, such as firewalls, database access control, and application-level access control. This dissertation presents a framework for expressing high-level policies, a method for verifying that a high-level policy is enforced, and an algorithm for determining a trusted computing base for each resource.
    Description
    120 pg.
    URI
    http://hdl.handle.net/1951/59677
    Collections
    • Stony Brook Theses & Dissertations [SBU] [1955]

    SUNY Digital Repository Support
    DSpace software copyright © 2002-2023  DuraSpace
    Contact Us
    DSpace Express is a service operated by 
    Atmire NV
     

     

