We present an access-control policy specification and verification process that is well suited to modeling the survivability of information resources under threat of compromise. Our process differs from the traditional policy engineering methodology in several ways. First, we contend that traditional safety-property modeling (showing that no insecure state is reachable) cannot provide any guarantees once the policy enforcement mechanisms themselves are compromised. We therefore extend traditional access control specifications by modeling insecure states and transitions explicitly, so that the specification describes the possible behavior of the system after a compromise. Next, we observe that it may not always be possible to recover from an insecure state, and that both compromise and recovery affect the availability of information. Based on these observations, we refine traditional information security properties as liveness assertions and explicitly add recovery actions to our specifications, in order to guarantee that resources are available to legitimate users infinitely often, in spite of malicious attacks or inadvertent compromise. We explain our process using an example behavioral specification and show how different measures of availability can be defined and verified within this framework using standard model-checking techniques.
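The following is an added example, not code from the paper, that makes the distinction above concrete: a small explicit-state model checker over a constructed model of a file server whose reference monitor can be subverted. The state names (secure, compromised, destroyed, recovering), their labels and all transitions are assumptions made for illustration. It checks the traditional safety property "no insecure state is ever reached" (which fails as soon as an attack transition exists), the liveness property "available holds infinitely often" (which only holds once recovery actions, including restore-from-backup for the otherwise unrecoverable case, are part of the model), and one bounded availability measure, the longest run of consecutive unavailable states.

```python
"""Added example: liveness-based availability checking for an access-control
model with explicit insecure states and recovery actions. The model below
(states, labels, transitions) is constructed for illustration."""
from collections import defaultdict, deque


class TransitionSystem:
    """Finite Kripke structure: labelled states plus a transition relation."""

    def __init__(self, initial):
        self.initial = initial
        self.succ = defaultdict(set)   # state -> successor states
        self.props = defaultdict(set)  # state -> atomic propositions

    def state(self, name, *props):
        self.props[name].update(props)
        self.succ.setdefault(name, set())
        return self

    def edge(self, src, dst):
        self.succ[src].add(dst)
        return self

    def reachable(self):
        seen, todo = {self.initial}, deque([self.initial])
        while todo:
            for t in sorted(self.succ[todo.popleft()]):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def path_to(self, target):
        """Shortest path of states from the initial state to `target` (BFS)."""
        parent, todo = {self.initial: None}, deque([self.initial])
        while todo:
            s = todo.popleft()
            if s == target:
                path = []
                while s is not None:
                    path.append(s)
                    s = parent[s]
                return path[::-1]
            for t in sorted(self.succ[s]):
                if t not in parent:
                    parent[t] = s
                    todo.append(t)
        return None

    def check_never(self, prop):
        """Safety G !prop: fails as soon as any state labelled `prop` is reachable."""
        for s in sorted(self.reachable()):
            if prop in self.props[s]:
                return False, self.path_to(s)
        return True, None

    def check_infinitely_often(self, prop):
        """Liveness GF prop on every path. In a finite system a violation is
        exactly a reachable cycle avoiding `prop`; it is returned as a lasso."""
        bad = {s for s in self.reachable() if prop not in self.props[s]}
        colour = dict.fromkeys(bad, "white")
        for start in sorted(bad):
            if colour[start] != "white":
                continue
            colour[start] = "grey"
            path, stack = [start], [iter(sorted(self.succ[start]))]
            while stack:
                nxt = next((t for t in stack[-1] if t in bad), None)
                if nxt is None:                  # all unavailable successors done
                    colour[path.pop()] = "black"
                    stack.pop()
                elif colour[nxt] == "grey":      # back edge: cycle without `prop`
                    return False, path[path.index(nxt):] + [nxt]
                elif colour[nxt] == "white":
                    colour[nxt] = "grey"
                    path.append(nxt)
                    stack.append(iter(sorted(self.succ[nxt])))
        return True, None

    def max_unavailable_run(self, prop):
        """Bounded measure: longest run of consecutive states lacking `prop`,
        or None when some path never regains it (the liveness check fails)."""
        if not self.check_infinitely_often(prop)[0]:
            return None
        bad = {s for s in self.reachable() if prop not in self.props[s]}
        memo = {}

        def longest(s):  # bad-subgraph is acyclic here, so recursion terminates
            if s not in memo:
                memo[s] = 1 + max((longest(t) for t in self.succ[s] if t in bad), default=0)
            return memo[s]

        return max((longest(s) for s in bad), default=0)


def build_model(recover, restore):
    """Constructed model. `recover`: rebuild a subverted monitor after detection.
    `restore`: restore from offline backup after the attacker wipes the data."""
    m = (TransitionSystem("secure")
         .state("secure", "available", "enforced")
         .state("compromised", "insecure")   # monitor subverted, legit users denied
         .state("destroyed", "insecure")     # data wiped: no recovery without backup
         .state("recovering", "recovery"))   # service paused while rebuilding
    m.edge("secure", "secure").edge("secure", "compromised").edge("compromised", "destroyed")
    m.edge("recovering", "secure")
    m.edge("compromised", "recovering" if recover else "compromised")
    m.edge("destroyed", "recovering" if restore else "destroyed")
    return m


if __name__ == "__main__":
    for recover, restore in [(False, False), (True, False), (True, True)]:
        m = build_model(recover, restore)
        print(f"recover={recover} restore={restore}: G !insecure -> {m.check_never('insecure')}"
              f" | GF available -> {m.check_infinitely_often('available')}"
              f" | longest outage -> {m.max_unavailable_run('available')}")
```

The safety check fails identically for all three variants, because the attack edge from the secure state exists in each of them; it says nothing about what happens afterwards. The liveness check separates them: without recovery the counterexample is the attacker holding the compromised monitor forever, with recovery but no backup it is the destroyed-data state, and only the variant with both recovery actions satisfies "available infinitely often", at which point the bounded measure (three consecutive unavailable states at worst) becomes meaningful.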