Formal specification of common criteria based access control policy model

International Journal of Network Security

Volumn 11, Issue 3, 2010, Pages 139-148

  Singh, Manpreet ^a   Patterh, Manjeet S ^a  

^a PUNJABI UNIVERSITY   (India)

Author keywords

Access control; Evaluation criteria; Formal methods; Security policy model

Indexed keywords

ACCESS CONTROL MECHANISM; ACCESS CONTROL POLICIES; ENTERPRISE INFORMATION SYSTEM; EVALUATION CRITERIA; FORMAL SPECIFICATION; NETWORK ACCESS CONTROL; SECURITY POLICY MODEL; SECURITY SOLUTIONS;

FORMAL METHODS; INFORMATION SYSTEMS; SPECIFICATIONS;

ACCESS CONTROL;

EID: 80054057560     PISSN: 1816353X     EISSN: 18163548     Source Type: Journal    
DOI: None     Document Type: Article

References (27)

1. S. R. Band, D. M. Cappelli, L.F. Fischer, A. P. Moore, E.D. Shaw, and R.F. Trzeciak, Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, Software Engineering Institute Technical Report CMU/SEI-2006-TR-026, Carnegie Mel-lon University, Dec. 2006.
2. D. E. Bell, and L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Technical Report ESD-TR-73-306, The MITRE Corporation, 1976.
3. D. Bell, "Modeling the multipolicy machine," Pro-ceedings NewSecurity Paradigms Workshop, pp. 2-9, 1994.
4. E. Bertino et al., "Supporting multiple access con-trol policies in database systems," Proceedings IEEE Symposium on Research in Security and Privacy, pp. 94-109, 1996.
5. K. J. Biba, Integrity Consideration for Secure Com-puter Systems, Technical Report MTR-3153, The MITRE Corporation, 1975.
6. D. M. Cappelli, A. G. Desai, A. P. Moore, T. J. Shimeall, E. A. Weaver, B. J. and Willke, "Management and education of the risk of insider threat (MERIT): Mitigating the risk of sabotage to employers' information, systems, or networks," Proceedings of the 24th International System Dynamics Conference, Nijmegen, Netherlands, July 2006.
7. J. Cheng, G. Yuichi, S. Morimoto, H. A. Daisuke, "Security engineering environment based on iso/iec standards: Providing standard, formal, and consistent supports for design, development, operation, and maintenance of secure information systems," International Conference on Information Security and Assurance, pp. 350-354, 2008.
8. Common Criteria for Information Technology Security Evaluation (CC), version 2.3, ISO/IEC 15408, Aug. 2005.
9. Common Criteria for Information Technology Security Evaluation (CC), version 3.1 Revision 1, Sep. 2006.
10. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, "Proposed NIST standard for rolebased access control," ACM Transactions on Information and System Security, vol. 4, no. 3, pp. 224-274, 2001.
11. D. Ferraiolo, and V. Atluri, "A meta model for access control: Why is it needed and is it even possible to achieve?," Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 153-154, New York, NY, 2008.
12. Information Technology -Z Formal Specification Notation -Syntax, Type System and Semantics, ISO/IEC 13568:2002(E), International Standard.
13. S. Jajodia et al., "A unified framework for enforcing multiple access control policies," Proceedings ACM SIGMOD Conference, pp. 474-485, 1997.
14. A. A. E. Kalam, et al., "Organization based access control," IEEE 4th International Workshop on Policies for Distributed Systems and Networks, pp. 120-134, 2003.
15. M. M. Keeney, E.F. Kowalski, D.M. Cappelli, A.P. Moore, T.J. Shimeall, and S.N. Rogers, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Joint SEI and U.S. Secret Service Report, May 2005.
16. F. Keblawi, and D. Sullivan, "Applying the Common Criteria in Systems Engineering," IEEE Security and Privacy, vol. 4, no. 2, pp. 50-55, Mar. 2006.
17. W. Kuhnhauser, and M. Von Kopp Ostrowski, "A framework to support multiple security policies," Proceedings 7th Annual Canadian Computer Secu-rity Symposium, pp. 1-19, 1995.
18. B. Lampson, "Protection," 5th Princeton Symposium on Information Sciences and Systems, pp. 417-429, 1971.
19. J. Lee, S. Lee, and B. Choi, "A CC-based security engineering process evaluation model," Proceedings of the 27th Annual international Conference on Computer Software and Applications COMPSAC, pp. 130-137, IEEE Computer Society, Nov. 2003.
20. D. Mellado, E. Fernåndez-Medina, and M. Piattini, "A common criteria based security requirements engineering process for the development of secure information systems," Computer Standard Interfaces, vol. 29, no. 2, Feb. 2007.
21. D. McPherson, Role-Based Access Control for Multitier Applications Using Authorization Manager, technical report.
22. S. Morimoto, S. Shigematsu, Y. Goto, and J. Cheng, "A security specification verification technique based on the international standard ISO/IEC 15408," Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 1802-1803, France, Apr. 2006.
23. R. S. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-based access control models," IEEE Computer, vol. 29, no. 2, pp. 38-47, 1996.
24. R. Sandhu, D. Ferraiolo, and R. Kuhn, "The NIST model for role-based access control: Towards a uni-fied standard," Proceedings of the 5th ACM Work-shop on Role-Based Access Control, pp. 47-61, 26-28, Berlin, Germany, 2000.
25. M. Singh, and M. Patterh, "Security functional com-ponents for building a secure network computing environment," International Journal of Information Systems Security, vol. 16, no. 6, pp. 332-343, Nov. 2007.
26. G. Stoneburner, "Developerfocused assurance requirements," Computer, vol. 38, no. 7, pp. 91-93, 2005.
27. M. Vetterling, G. Wimmel, and A. Wisspeintner, "Secure systems development based on the common criteria: The PalME project," SIGSOFT Software Engineering Notes, vol. 27, no. 6, Nov. 2002