Methods and limitations of security policy reconciliation

ACM Transactions on Information and System Security

Volumn 9, Issue 3, 2006, Pages 259-291

  Mcdaniel, Patrick ^a,c   Prakash, Atul ^b  

^a PENNSYLVANIA STATE UNIVERSITY   (United States)

^b UNIVERSITY OF MICHIGAN   (United States)

^c The Center for Nanotechnology Education and Utilization   (United States)

Author keywords

Security policy

Indexed keywords

ANTIGONE COMMUNICATION SYSTEM; AUTOMATED RECONCILIATION; POLICY LANGUAGES; SECURITY POLICY;

ALGORITHMS; COMMUNICATION SYSTEMS; HEURISTIC METHODS; OPTICAL RESOLVING POWER; SECURITY SYSTEMS;

PUBLIC POLICY;

EID: 33750907119     PISSN: 10949224     EISSN: 10949224     Source Type: Journal    
DOI: 10.1145/1178618.1178620     Document Type: Article

References (47)

1. BALENSON, D., BRANSTAD, D., DINSMORE, P., HEYMAN, M., AND SCACE, C. 1999. Cryptographic Context Negotiation Template. Tech. Rep. TISR #07452-2, TIS Labs at Network Associates, Inc. February.
2. BARTAL, Y., MAYER, A. J., NISSIM, K., AND WOOL, A. 1999. Firmato: A novel firewall management toolkit. In IEEE Symposium on Security and Privacy. 17-31.
3. BELLOVIN, S. November 1999. Distributed Firewalls. USENIX; Login:, 39-47.
4. BHATTI, N. T., HILTUNEN, M. A., SCHLICHTING, R. D., AND CHIU, W. 1998. Coyote: A system for constructing fine-grain configurable communication services. ACM Transactions on Computer Systems 16, 4 (Nov.), 321-366.
5. BLAZE, M., FEIGENBAUM, J., AND LACY, J. 1996. Decentralized trust management. In Proceedings of the 1996 IEEE Symposium on Security and Privacy. Los Alamitos. 164-173.
6. BLAZE, M., FEIGENBAUM, J., IOANNIDIS, J., AND KEROMYTIS, A. 1999a. The role of trust management in distributed systems security. In Secure Internet Programming: Issues in Distributed and Mobile Object Systems. Lecture Notes in Computer Science, vol. 1603. State-of-the-Art series, Springer-Verlag, New York, NY. 184-210.
7. BLAZE, M., FEIGNBAUM, J., IOANNIDIS, J., AND KEROMYTIS, A. 1999b. The keyNote trust management system-Version 2. Internet Engineering Task Force. RFC 2704.
8. BLIGHT, D. C. AND HAMADA, T. 1999. Policy-based networking architecture for QoS interworking in IP management. In Proceedings of Integrated network management VI, Distributed Management for the Networked Millennium. IEEE. 811-826.
9. BRANSTAD, D. AND BALENSON, D. 2000. Policy-based cryptographic key management: Experience with the KRP project. In Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX'00). DARPA, Hilton Head, SC. 103-114
10. CHOLVY, L. AND CUPPENS, F. 1997. Analyzing consistancy of security policies. In 1997 IEEE Symposium on Security and Privacy. IEEE, Oakland, CA. 103-112.
11. CHU, Y., FEIGENBAUM, J., LAMACCHIA, B., RESNICK, P., AND STRAUSS, M. 1998. REFEREE: trust management for web applications. In Proceedings of Financial Cryptography '98. vol. 1465. Anguilla, British West Indies. 254-274.
12. COOK, S. 1971. The complexity of theorem-proving procedures. In Proceedings of 3th Annual ACM Symposium on Theorey of Computing. ACM, New York. 151-158.
13. DIFFIE, W. AND HELLMAN, M. 1976. New directions in cryptography. IEEE Transactions on Information Theory IT-22, 6 (Nov.), 644-654.
14. DINSMORE, P., BALENSON, D., HEYMAN, M., KRUUS, P., SCACE, C., AND SHERMAN, A. 2000. Policy-based security management for large dynamic groups: A overview of the DCCM project. In. Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX '00). DARPA, Hilton Head, SC. 64-73.
15. DURHAM, D., BOYLE, J., COHEN, R., HERZOG, S., RAJAN, R., AND SASTRY, A. 2000. RFC 2748, The COPS (Common Open Policy Service) Protocol. Internet Engineering Task Force.
16. GAREY, M. R. AND JOHNSON, D. S. 1979. Computers and intractibility, A guide to the theory of NP-completeness, 1st ed. Freeman, San Francisco, CA.
17. GONG, L. AND QIAN, X. 1994. The complexity and composability of secure interoperation. In Proceedings of the IEEE Symposium on Research in Security and Privacy. IEEE, Oakland, CA. 190-200.
18. HARKINS, D. AND CARREL, D. 1998. The internet key exchange. Internet Engineering Task Force. RFC 2409.
19. HILTUNEN, M. 1998. Configuration management for highly-customizable software. IEE Proceedings: Software 145, 5, 180-188.
20. HILTUNEN, M., JAIPRAKASH, S., SCHLICHTING, R., AND UGARTE, C. 2000. Fine-grain configurability for secure communication. Tech. Rep. TROO-05, Department of Computer Science, University of Arizona. June.
21. HOUSLEY, R., FORD, W., POLK, W., AND SOLO, D. 1999. Internet X.509 public key infrastructure certificate and CRL profile. Internet Engineering Task Force. RFC 1949.
22. HUTCHINSON, N. AND PETERSON, L. 1994. The x-kernel: An architecture for implementing network protocols. IEEE Transactions on Software Engineering 17, 1 (Jan.), 64-76.
23. JAJODIA, S., SAMARATI, P., AND SUBRAHMANIAN, V. 1997. A logical language for expressing authorizations. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE, Oakland, CA. 31-42.
24. KARPINSKI, M. AND WAGNER, K. W. 1988. The computational complexity of graph algorithms with succinct representations. Z. Operations Res. 3, 32, 201-211.
25. KENT, S. AND ATKINSON, R. 1998. Security architecture for the internet protocol. Internet Engineering Task Force. RFC 2401.
26. LEIGHTON, T. AND MICALI, S. 1994. Secret-key agreement without public-key cryptography. In Proceedings of Crypto 93, 456-479.
27. LI, N., MITCHELL, J. C. AND WINSBOROUGH, W. H. 2005. Beyond proof-of-compliance: Security analysis in trust management. Journal of the ACM 52, 3, 474-514.
28. LIU, X., KREITZ, C., VAN RENESSE, R., HICKEY, J., HAYDEN, M., BIRMAN, K., AND CONSTABLE, R. 1999. Building reliable high-performance communication systems from components. In Proceedings of 17th ACM Symposium on Operating Systems Principles (SOSP '99). vol. 33. ACM, New York. 80-92.
29. MCDANIEL, P. 2001. Policy management in secure group communication. Ph.D. thesis, University of Michigan, Ann Arbor, MI.
30. MCDANIEL, P. 2003. On context in authorization policy. Tech. Rep. TD-5JCJCK, AT&T Labs-Research, Florham Park, NJ. January.
31. MCDANIEL, P. AND PRAKASH, A. 2002. An architecture for security policy enforcement. Tech. Rep. TD-5C6JFV, AT&T Labs-Research, Florham Park, NJ. July.
32. MCDANIEL, P. AND PRAKASH, A. 2005. Security policy enforcement in the antigone system. Journal of Computer Security, Accepted for publication.
33. MCDANIEL, P., PRAKASH, A., AND HONEYMAN, P. 1999. Antigone: A flexible framework for secure group communication. In. Proceedings of the 8th USENIX Security Symposium. Washington, DC. 99-114.
34. MCDANIEL, P., PRAKASH, A., IRRER, J., MITTAL, S., AND THUANG, T.-C. 2001. Flexibly constructing secure groups in Antigone 2.0. In Proceedings of DARPA Information Survivability Conference and Exposition II. IEEE Computer Society Press, Los Angeles, CA. 55-67.
35. MENDELSON, E. 1997. Introduction to Mathematical Logic. Chapman & Hall, London.
36. MORICONI, M., QIAN, X., RIEMENSCHNEIDER, R. A., AND GONG, L. 1997. Secure software architectures. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. 84-93.
37. NEUMAN, B. C. AND TS'O, T. 1994. Kerberos: An authentication service for computer networks. IEEE Communications 32, 9 (Sept.), 33-38.
38. NIKANDER, P. AND KARILA, A. 1998. A java beans component architecture for cryptographic protocols. In Proceedings of 7th USENIX UNIX Security Symposium. USENIX Association, San Antonio, Texas. 107-121.
39. ORMAN, H., O'MALLEY, S., SCHROEPPEL, R., AND SCHWARTZ, D. 1994. Paving the road to network security or the value of small cobblestones. In Proceedings of the 1994 Internet Society Symposium on Network and Distributed System Security.
40. RYUTOV, T. AND NEUMAN, C. 2000. Representation and evaluation of security policies for distributed system services. In Proceedings of DARPA Information Survivability Conference and Exposition. DARPA, Hilton Head, SC. 172-183.
41. SCHAEFER, T. J. 1978. The complexity of satisfiability problems. In Proceedings of 10th Annual ACM Symposium on Theorey of Computers. ACM, New York. 216-226.
42. SCHMIDT, D., FOX, D., AND SUDYA, T. 1993. Adaptive: A dynamically assembled protocol transformation, integration, and evaluation environment. Journal of Concurrency: Practice and Experience 5, 4 (June), 269-286.
43. WALLNER, D. M., HARDER, E. J., AND AGEE, R. C. 1999. Key management for multicast: Issues and architectures. Internet Engineering Task Force. RFC 2627.
44. WANG, H., JHA, S., MCUANIEL, P., AND LIVNY, M. 2004. Security policy reconciliation in distributed computing environments. In Proceedings of 5th International Workshop on Policies for Distributed Systems and Networks (Policy 2004). IEEE Computer Society Press, New York 137-146.
45. Woo, T. AND LAM, S. 1993. Authorization in distributed systems; A new approach. Journal of Computer Security 2, 2-3, 107-136.
46. Woo, T. AND LAM, S. 1998. Designing a distributed authorization service. In Proceedings of INFOCOM '98. IEEE, San Francisco, CA.
47. ZAO, J., SANCHEZ, L., CONDELL, M., LYNN, C., FEEDETTE, M., HELINEK, P., KRISHNAN, P., JACKSON, A., MANKINS, D., SHEPARD, M., AND KENT, S. 2000. Domain based internet security policy management. In Proceedings of DARPA Information Survuvability Conference and Exposition, DARPA, Hilton Head, SC. 41-53.