Your Security Policy is What??

Citation

• M. Bishop and S. Peisert, “Your Security Policy is What??”, Technical Report CSE-2006-20, Dept. of Computer Science, University of California at Davis, Davis, CA 95616-8562 (Mar. 2006).

Paper

• PDF
• PS
• Official copy (UC eScholarship)

Abstract

Systems and infrastructure rarely enforce a site’s security policy precisely. Conversely, determining the policy (or policy components) that the systems and infrastructure do enforce is difficult because of the plethora of configuration files and systems at the site. We propose a way to unify these problems by applying a bi-directional method of enforcing and reverse-engineering system and infrastructure policy. The process uses a platform-independent intermediate policy representation (IPR) to bridge the gap between a high-level expression of policy and a machinedependent, system configuration. The result of these methods, shown along with a detailed example, is that both policy discovery and enforcement can be made into a much more rigorous process.