A Java Framework for Security Policy Representation
Tim Fraser -- 16 November 1996
The SPRF package
This page describes the SPRF Java package, which implements a
framework for security policy representation. This framework is
basically a collection of classes that are useful for representing
security policy statements as data structures. The classes also
contain methods which may be used to evaluate policy decisions based
on these structures. The most primitive classes in the framework may
be used to represent mathematical concepts such as sets and mappings.
These are used as the basis for more specialized classes which may be
used to represent higher-level concepts such as access control lists,
labels, and rules. At its highest level, the framework provides
classes which represent a variety of complete policy-forms, including
(but not limited to) types of discretionary and non-discretionary
access control.
The functionality provided by this framework might also be
provided by a language and interpreter designed specifically for
policy representation. (In fact, the language-based approach seems to
be the more common solution.) Both approaches provide the same
expressive power. It is likely that a language with the same
capabilities as this framework would take much longer to develop,
however, since it would require the development of a new interpreter
as well as a language. This framework uses the existing Java
interpreter to evaluate its policy decisions. This framework is also
easily extensible, due to its object-oriented nature.
The purpose of the framework is to provide a means for
representing a wide variety of application-specific policies. It is
intended to be used as a component of trusted operating systems or
policy-enforcing applications with configurable security policy
decision functions (SPDFs).
The Need for Configurable SPDFs
Traditional operating systems (OSs) have SPDFs that are not
configurable. They are only capable of enforcing one security policy
- the policy is hard-coded into the SPDF itself. Unfortunately,
different organizations have different information security needs.
Each organization needs an OS which is capable of enforcing its own
unique security policy, and an OS which can only enforce one policy
cannot satisfy them all.
The answer to this problem is to develop OSs with SPDFs which
may be configured to enforce whatever organization-specific security
policy is necessary. [1] This configurability is made possible by
SPDFs which take descriptions of policies as input, and interpret them
to make their policy decisions. This ability to take a policy as input
requires some sort of interpretable representation of security policy.
This framework may be used for just this sort of policy representation.
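As an added illustration of the approach described above (the layered classes of the framework and the SPDF that takes a policy as input), and not code from the SPRF package itself, all class and method names below are hypothetical: sets and mappings are the primitives, an ACL class stands in for discretionary control, a label class for non-discretionary control, and a configurable SPDF reaches its decision by calling the methods of whatever policy objects it was handed, in the same Java interpreter, rather than parsing a separate policy language.

```java
import java.util.*;

// Hypothetical sketch, not SPRF's own classes: a policy is a data structure and the SPDF decides by calling its methods.
interface Policy { boolean permits(String subject, String object, String right); }

// Discretionary control: a per-object ACL, i.e. a mapping object -> subject -> set of rights.
class AclPolicy implements Policy {
    private final Map<String, Map<String, Set<String>>> acl = new HashMap<>();
    AclPolicy grant(String object, String subject, String... rights) {
        acl.computeIfAbsent(object, o -> new HashMap<>())
           .computeIfAbsent(subject, s -> new HashSet<>()).addAll(Arrays.asList(rights));
        return this;
    }
    public boolean permits(String subject, String object, String right) {
        Map<String, Set<String>> entries = acl.get(object);
        return entries != null && entries.containsKey(subject) && entries.get(subject).contains(right);
    }
}

// Non-discretionary control: labels from an ordered list (lowest first); read needs the subject's label to dominate the object's, write the reverse.
class LabelPolicy implements Policy {
    private final List<String> order;
    private final Map<String, String> labels = new HashMap<>();
    LabelPolicy(String... levels) { order = Arrays.asList(levels); }
    LabelPolicy label(String entity, String level) { labels.put(entity, level); return this; }
    public boolean permits(String subject, String object, String right) {
        int s = order.indexOf(labels.get(subject)), o = order.indexOf(labels.get(object));
        if (s < 0 || o < 0) return false;           // unlabelled entities get nothing
        if (right.equals("read")) return s >= o;    // no read up
        if (right.equals("write")) return s <= o;   // no write down
        return false;
    }
}

// Configurable SPDF: grants only when every policy it was configured with grants.
class Spdf {
    private final List<Policy> policies = new ArrayList<>();
    Spdf add(Policy p) { policies.add(p); return this; }
    boolean decide(String subject, String object, String right) {
        for (Policy p : policies) if (!p.permits(subject, object, right)) return false;
        return true;
    }
}

public class SprfSketch {
    public static void main(String[] args) {
        // Constructed sample configuration: one ACL policy and one label policy loaded into the SPDF.
        Spdf spdf = new Spdf()
            .add(new AclPolicy().grant("payroll.db", "alice", "read", "write").grant("payroll.db", "bob", "read"))
            .add(new LabelPolicy("unclassified", "secret").label("alice", "secret")
                 .label("bob", "unclassified").label("payroll.db", "secret"));
        System.out.println("alice read: " + spdf.decide("alice", "payroll.db", "read")); // ACL entry and dominating label
        System.out.println("bob read:   " + spdf.decide("bob", "payroll.db", "read"));   // ACL entry, but label below the object's
    }
}
```

Save as SprfSketch.java; swapping in a different set of policy objects reconfigures the SPDF without touching its code.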
Uses for this framework
This framework might be useful in a variety of
applications. As indicated by the above discussion, it could be
employed to describe policies interpreted by the SPDFs of OSs and
policy-enforcing applications. Since its classes encapsulate methods
which can evaluate policy decisions, the framework already provides
most of the interpretation and evaluation functionality normally
required of SPDFs. Conceivably, the framework could be used as the
basis for a number of interesting application-specific policies,
ranging from access control for file servers to describing the
resources available to scripts executing in sandboxes.
Expressing policies in a program-like interpretable form also
allows policy descriptions to be communicated between applications.
For example, a process submitting a cryptographic key to a key server
might accompany it with a short description of the policy governing
the key's release to other processes. In a similar vein, the ability
to send policy descriptions between nodes in a distributed system might
be exploited by security management tools to reconfigure remote
systems.
Resources Available at this Site
A list of SPRF-related documents is provided below. It
includes the API documentation for the SPRF package, which was
generated with javadoc from the actual source code. It also includes
the framework project proposal, initial architecture, and final
thesis. These documents discuss the structure and uses of the
framework in detail.
This is followed by a list of demos. These are intended to
demonstrate the usefulness of the framework in a variety of
situations. Only the NDAC and DSP demo is fully implemented at this
time. It provides a simple SPDF simulator that allows a user to play
with a sample NDAC and DSP policy. Fortunately, this is the most
interesting of the three proposed demo policies.
Papers and Docs
Demos and Distribution
Please direct comments and questions to
Tim Fraser (tfraser@cs.uiuc.edu).
Notes
[1] Center for Information Systems Security (CISS). Department of Defense Goal Security Architecture, Version 3.0. 30 September 1995.