Semi-automatic Synthesis of Security Policies by Invariant-Guided Abduction
Authors
Abstract
We present an approach to specifying secured systems as transition systems and security policies as constraints that guard the transitions. In this context, security properties are expressed as invariants. We then propose an abduction algorithm that generates candidate security policies for a given transition-based system. Because the abduction is guided by invariants, the generated security policies enforce the security properties that these invariants specify. Within this framework, abduction can be tuned in two ways: (i) to filter out bad security policies and (ii) to generate additional candidate security policies. Invariant-guided abduction helps in designing policies and thus allows formal methods to be used much earlier in the process of building secured systems. The approach is illustrated on role-based access control systems.
Similar references
An automatic test case generator for evaluating implementation of access control policies
One of the main requirements for providing software security is the enforcement of access control policies which aim to protect resources of the system against unauthorized accesses. Any error in the implementation of such policies may lead to undesirable outcomes. For testing the implementation of access control policies, it is preferred to use automated methods which are faster and more relia...
A Model for the Analysis of Security Policies in Industrial Networks
The analysis of security policies designed for ICS and SCADA can benefit significantly from the adoption of automatic/semi-automatic software tools that are able to work at a global (system) level. This implies the availability of a suitable model of the system, which is able to combine the abstractions used in the definition of policies with the access control and right management mechanisms u...
Maintaining the Confidentiality of Interoperable Databases with a Multilevel Federated Security System
When several databases with multilevel security policies are federated to form a tightly coupled federated database management system, heterogeneities such as different accreditation ranges must be overcome. This paper describes an extended methodology to integrate policies that use different lattices as accreditation ranges. A semi-automatic process obtains the federated accreditation range an...
Cyclic Abduction of Inductively Defined Safety and Termination Preconditions
We describe a new method, called cyclic abduction, for automatically inferring safety and/or termination preconditions for heap-manipulating while programs, expressed as inductive definitions in separation logic. Cyclic abduction essentially works by searching for a cyclic proof of memory safety and/or termination, abducing definitional clauses of the precondition as necessary in order to advan...
Invariants of Automatic Presentations and Semi-synchronous Transductions
Automatic structures are countable structures finitely presentable by a collection of automata. We study questions related to properties invariant with respect to the choice of an automatic presentation. We give a negative answer to a question of Rubin concerning definability of intrinsically regular relations by showing that order-invariant first-order logic can be stronger than first-order log...