Application-Oriented Security Policies and their Composition

Authors

  • Virgil D. Gligor
  • Serban I. Gavrila
Abstract

We define the notion of the application-oriented security policy and suggest that it differs from that of a system-level, global security policy. We view a policy as a conjunction of security properties and argue that these properties are not always independent and, hence, cannot be analyzed (e.g., composed) individually. We also argue that some necessary policy properties fall outside of the Alpern-Schneider safety/liveness domain and, hence, are not subject to the Abadi-Lamport composition principle. We suggest several areas of research in policy definition, composition, and administration.

We distinguish an application-oriented (a-o) security policy from a system-level, global security policy by three characteristics, namely, (1) locality of enforcement, (2) mandated composability with other a-o policies, and (3) mandated compatibility with the application itself.

Locality of Enforcement. Enforcement of a policy can be local or global. Enforcement of a policy in an application is local if the policy can be completely and correctly enforced within the application. Enforcement of a policy is global if the policy must be uniformly enforced for all applications under its control. Although in systems supporting multiple applications, an a-o policy must also be composable with an underlying (more) global policy in the sense that the latter must enable the local enforcement of the former, the a-o policy need not also be enforced within the global policy. For instance, a database security policy must use its underlying operating system's policy to protect its objects from unauthorized access by other applications, but the operating system policy does not have the obligation to also enforce the database policy. In contrast to the local enforcement of an a-o policy, a global policy must be enforced uniformly for all applications under its control or, else, it may be ineffective for any applications.

Mandated Composability. Mandated Composability means that an a-o policy must be composable with any and all other a-o policies with which it coexists within a system. This is both a separate concern and obligation. It is a separate concern because global policy support of individual a-o policy enforcement (i.e., "hierarchical" [8, 10] a-o policy composability with the underlying global policy) cannot always guarantee composability among a-o policies, since the global


Similar resources

Policy-Based Security Engineering of Service Oriented Systems

In this chapter the authors present a policy-based security engineering process for service oriented applications, developed in the SERENITY and MISTICO projects. Security and dependability (S&D) are considered as first-class citizens in the proposed engineering process, which is based on the precise description of reusable security and dependability solutions. The authors’ process is based on ...


Matching Security Policies to Application

The issue of developing complex secure systems is still a great challenge. We claim that in contrast to the well known bottom-up oriented approaches secure concurrent systems should be developed top-down starting with a formal top-level specification. A framework for developing secure systems is needed, which offers means to specify security requirements adapted to the specific demands of applicat...


Security monitor inlining and certification for multithreaded Java

Security monitor inlining is a technique for security policy enforcement whereby monitor functionality is injected into application code in the style of aspect-oriented programming. The intention is that the injected code enforces compliance with the policy (security), and otherwise interferes with the application as little as possible (conservativity and transparency). Such inliners are said t...


Sikker: A High-Performance Distributed System Architecture for Secure Service-Oriented Computing

In this paper, we present Sikker, a high-performance distributed system architecture for secure service-oriented computing. Sikker includes a novel service-oriented application model upon which security and isolation policies are derived and enforced. The workhorse of Sikker is a custom network interface controller, called the Network Management Unit (NMU), that enforces Sikker’s security and ...


Quality-Driven Business Policy Specification and Refinement for Service-Oriented Systems

Enterprise software systems play an essential role in an organization’s business operation. Many business rules and regulations governing an organization’s operation can be translated into quality requirements of the relevant software systems, such as security, availability, and manageability. For systems implemented using Web Services, the specification and management of these qualities in the...



Publication date: 1998