
8.8 Further Reading

Security policy composition arises in federated databases [155, 802] and government procurement [741] because of the interconnections among multiple organizations. Rosenthal and Fung [850] discuss the composition of multilevel security policies with differing semantics. Gligor, Gavrila, and Ferraiolo [399] discuss composition policies with a focus on separation of duty.

Studies of information flow include work on all of the models described in this chapter. Graham-Cumming [414] discusses noninterference in the context of CSP to illustrate its use. Allen [16] compares noninterference and nondeducibility using the language CSP. Roscoe, Woodcock, and Wulf [849] develop an approach using process algebra to specify security properties and show how to verify noninterference using it. McLean [684] argues that a trace-based analysis of noninterference offers some advantages over the traditional state-based analysis technique because it allows a more abstract analysis that is valid unless the user interface changes. However, Bevier and Young [92] counter that a state machine model can provide a better link to verification and specification work, and should be pursued.

Johnson and Thayer [524] have developed another definition of security, called "forward correctibility," that is also composable. It has some advantages over the restrictiveness property. Millen [711] has developed and proved a version of the unwinding theorem for this model.

Gray [420] discusses the application of probability theory to these models. Focardi and Gorrieri [361] agree, pointing out that the issue of nondeterminism is closely related.

The results in this section assert that if components meet certain security requirements, then their composition meets those requirements. The most pessimistic properties of connections are assumed. McDermid and Shi [674] argue that a more realistic approach is to assert that if components meet certain internal security requirements, and their connections meet certain external security requirements, then the entire system is secure.

