Deployment of smart cards for identity verification requires collection of credentials and provisioning of credentials from and to heterogeneous and sometimes legacy systems. To facilitate this process, a centralized identity store called an identity management system (IDMS) is often used. To protect the integrity, confidentiality and privacy of the credential data that is collected, stored and disseminated through the IDMS, a sophisticated set of policies governing data flows, processing and distribution is required. In this paper, we present a policy specification and enforcement framework using XML, XML schemas and XSLT that was developed for secure management of the infrastructure system used for a large-scale smart ID card deployment.
Policy Specification and Enforcement for Smart ID Cards Deployment. R. Chandramouli. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.14 (https://doi.org/10.1109/POLICY.2008.14)
Traditional policies often focus on access control requirements, and there have been several proposals to define access control policy algebras to handle their compositions. Recently, obligations are increasingly being expressed as part of security policies. However, the compositions and interactions between these two have not yet been studied adequately. In this paper, we propose an algebra capturing both authorization and obligation policies. The algebra consists of two policy constants and six basic operations. It provides language-independent mechanisms to manage policies. As a concrete example, we instantiate the algebra for the Ponder2 policy language.
An Algebra for Integration and Analysis of Ponder2 Policies. Hang Zhao, Jorge Lobo, S. Bellovin. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.42 (https://doi.org/10.1109/POLICY.2008.42)
Matt Johnson, J. Bradshaw, Hyuckchul Jung, Niranjan Suri, M. Carvalho
One of the challenges of building a policy management framework is making it flexible enough to handle differences in both policy semantics and enforcement strategies across multiple platforms and application domains. The system must be expressive enough in each application domain to provide the richness needed for interesting policies. It must also provide a simple and flexible enforcement mechanism for adaptation to a variety of systems. In this paper we discuss the application of the KAoS policy services framework to human-robot teamwork, an application that involves a variety of application domains and enforcement at different levels of control, from low-level network resource control to high-level organizational constraints and coordination management. The study culminated in an outdoor field exercise that required coordination of mixed sub-teams composed of two people and five robots whose task was to find and apprehend an intruder on a Navy pier.
Policy Management across Multiple Platforms and Application Domains. Matt Johnson, J. Bradshaw, Hyuckchul Jung, Niranjan Suri, M. Carvalho. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.35 (https://doi.org/10.1109/POLICY.2008.35)
Policies can be understood as specifications; therefore they can be translated more or less easily into formal languages and then be verified by formal techniques such as model checking. In this paper, we focus on formal verification of real-life industrial policies of the IBM Tivoli System Automation for Multi-Platform (ISA). We use PSL to model the system and describe the desired behavior and the RuleBase PE model checker to verify it.
Policy Validation for System Automation: A Case Study. E. Zarpas, C. Eisner, Sivan Tal. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.19 (https://doi.org/10.1109/POLICY.2008.19)
The authors are investigating how emerging policy and semantic Web technologies can be used to help provide the best set of available tactical information to the Soldier in the field. In this initial effort, researchers from the U.S. Army Research Labs (ARL) and the Florida Institute for Human and Machine Cognition (IHMC) have developed a system that demonstrates the potential of these technologies in a small-scale U.S. Army mockup scenario. The system represents and reasons about domain-specific policies to help recognize what documents the end soldier is allowed to receive given the current mission context. The system also relies on policies to help recognize when appropriate human approval can be obtained or a specific transformation of the information can be performed to allow the information to be sent. Semantic Web technologies are further used to describe the properties and features of each document and relate these features to mission contexts in which the information is likely to be appropriate. The result is a compelling demonstration of the role that policies and semantic Web technologies can play in promoting the Army's need to share information while remaining vigilant of the requirements to protect methods and sources.
Policy-Governed Information Exchange in a U.S. Army Operational Scenario. L. Bunch, J. Bradshaw, Clifford O. Young. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.26 (https://doi.org/10.1109/POLICY.2008.26)
Policy-based approaches to the management of systems distinguish between the specification of requirements, in the form of policies, and their enforcement on the system. In this work we focus on the latter aspect and investigate the enforcement of stateful policies in a concurrent environment. As a representative of stateful policies we use the UCON model and show how dependencies between policy rules affect their enforcement. We propose a technique for enforcing policies concurrently based on the static analysis of dependencies between policies. The potential of our technique for improving the efficacy of enforcement mechanisms is illustrated using a small, but representative example.
Concurrent Enforcement of Usage Control Policies. H. Janicke, A. Cau, F. Siewe, H. Zedan. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.44 (https://doi.org/10.1109/POLICY.2008.44)
P. Rao, D. Lin, E. Bertino, Ninghui Li, Jorge Lobo
As distributed collaborative applications and architectures are adopting policy-based solutions for tasks such as access control, network security and data privacy, the management and consolidation of a large number of policies is becoming a crucial component of such solutions. In large-scale distributed collaborative applications like Web services, there is a need for analyzing policy interaction and performing policy integration. In this demonstration, we present EXAM, a comprehensive environment for policy analysis and management, which can be used to perform a variety of functions such as policy property analyses, policy similarity analysis, and policy integration. Our work focuses on analysis of access control policies written in XACML (Extensible Access Control Markup Language) [5]. We consider XACML policies because XACML is a rich language able to represent many policies of interest to real-world applications and is gaining widespread adoption in the industry.
EXAM: An Environment for Access Control Policy Analysis and Management. P. Rao, D. Lin, E. Bertino, Ninghui Li, Jorge Lobo. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.30 (https://doi.org/10.1109/POLICY.2008.30)
K. Twidle, Emil C. Lupu, Naranker Dulay, M. Sloman
Policies form an important part of management activities and are an effective means of implementing self-adaptation in pervasive systems. Many policy-based systems designed to date focus on large-scale networks and distributed systems. Consequently, they are often fragmented, dependent on infrastructure and lacking flexibility and extensibility. This demonstration presents Ponder2, a self-contained, stand-alone policy environment that is suitable for a wide range of applications in environments ranging from single devices to personal area networks, ad-hoc networks and distributed systems. Ponder2 environments can be federated, giving a consistent view of the name spaces within the environments and the ability to propagate events in a transparent manner.
Ponder2 - A Policy Environment for Autonomous Pervasive Systems. K. Twidle, Emil C. Lupu, Naranker Dulay, M. Sloman. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.10 (https://doi.org/10.1109/POLICY.2008.10)
This paper discusses policy architecture for converged service provider networks and the need for policy peering. A policy peering architecture is proposed. The design principles and requirements for the peering interface and its use for static and dynamic policies across service providers are explained.
Policy Peering for Next-Generation Networks. K. Bogineni, F. Andreasen. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.27 (https://doi.org/10.1109/POLICY.2008.27)
This demonstration will present policies and scenarios from selected W3C Policy Language Group use cases. The flexibility of the KAoS ontology-based policy services framework will be demonstrated by modeling the very diverse policies described in the use cases. The integration of the KAoS policy decision point (Guard) with the JBoss server will be shown. One of the use cases requires spatial reasoning for location-based policies.
Demonstrating Selected W3C Policy Languages Interest Group Use Cases Using the KAoS Policy Services Framework. Andrzej Uszok, J. Bradshaw. 2008 IEEE Workshop on Policies for Distributed Systems and Networks, 2008-06-02. DOI: 10.1109/POLICY.2008.49 (https://doi.org/10.1109/POLICY.2008.49)