CONTROL POLICY MANAGEMENT A Dissertation

Wang, Qihua. Ph.D., Purdue University, May 2009. Access Control Policy Management. Major Professor: Ninghui Li. Access control is the traditional center of gravity of computer security [1]. People specify access control policies to control accesses to resources in computer systems. The management of access control policies include policy specification and policy analysis. In this dissertation, we design a new language for policy specification, propose a new type of access control policy, and study the computational complexity of a variety of policy analysis problems. In particular, • We design a novel algebra that enables the specification of high-level security policies that combine qualification requirements with quantity requirements. Our algebra contains six operators and is expressive enough to specify many natural high-level security policies. We study the properties of the algebra, as well as several computational problems related to the algebra. • Traditional access control policy analysis focuses on restricting access. However, an equally important aspect of access control is to enable access. With this in mind, we introduce the notion of resiliency policies for access control systems. We formally define resiliency policies and study computational problems on checking whether an access control state satisfies a resiliency policy. We also study the consistency between resiliency policies and separation of duty policies. • The workflow authorization system is a popular access control model. We study fundamental problems related to policy analysis in workflow authorization systems, such as determining whether a set of users can complete a workflow in a certain access control state. In particular, we apply tools from parameterized complexity