Next: Conditions Up: The Specification and Enforcement Previous: Introduction and Motivation

Approach

An authorization policy regulates access to objects. An object is the target of a request and must be protected; examples are critical programs, files, hosts and print jobs.

An access right (alternative words that we use are operation, action and permission) is a particular type of access to a protected object, e.g., read or write. Specific system events, such as restarting or shutting down the system, system log-in and log-off can be modeled as access rights associated with the system, where the system is the protected object.

A condition describes the context in which each access right is granted.

In our framework, a policy is represented as a set of conditions associated with an access right. All of the conditions must be satisfied for the operation to be permitted on the target object.

Traditional security systems lack adaptive security policies and enforcement mechanisms. In the non-adaptive setting, the set of policies is chosen in advance, before the access request is received. The adaptive policy enforcement mechanism chooses the appropriate set of policies during the course of computation based on the current system state.

Adaptive policy implementation requires either the reloading of the policy or changing the policy computation algorithms [3]. Both of these approaches are ineffective and not scalable.

Our approach avoids policy reloading and switching to the different policy evaluation mode:

  1. The policy specification describes more than one set of disjoint policies.

  2. The policy evaluation mechanism is extended with the ability to read and write system state. The implementation is based on read and write conditions that provide support for monitoring and updating internal system structures and their runtime behaviors.

With the extended policy evaluation mechanism, the transition between the disjoint sets of policies is regulated automatically by reading the system state (e.g., the time of day, or the system threat level). The downside of this approach is that policies must be specified more carefully (and more tediously), and the side effects of policy evaluation must be accounted for.

The advanced policies are specified using different conditions that permit run-time adaptation in the event of possible security attacks. To enforce the advanced security policies we adopted a three-phase policy enforcement scheme. During each phase, only the subset of the policy's conditions designated for that phase is evaluated.
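The following is an added illustration of the approach described above, not code from the paper or its implementation. It models a policy as a set of conditions attached to an access right, two disjoint policy sets that are selected automatically by reading the system state (here, a threat level), and write conditions whose effects update that state. The phase names ("pre" and "post"), the condition types, the sample policy and the request format are all assumptions made for this example; the paper's own three phases are not named on this page.

```python
"""Toy adaptive policy evaluator (added example; not the paper's code).

Assumptions: a request is a dict with subject/owner/roles; conditions are
tagged with an example phase name ("pre" or "post"); two disjoint policy
sets are keyed by the threat level that selects them.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SystemState:
    """Runtime state that conditions may read or write (assumed fields)."""
    threat_level: str = "low"                      # selects the active policy set
    hour: int = 10                                 # current hour of day, 0-23
    denials: Dict[str, int] = field(default_factory=dict)  # denied requests per subject


@dataclass
class Condition:
    name: str
    phase: str                                     # "pre": gates the operation; "post": runs after the decision
    holds: Callable[[dict, SystemState], bool]     # read condition: inspects request and state
    effect: Optional[Callable[[dict, SystemState, bool], None]] = None  # write condition: updates state


PolicySets = Dict[str, List[Condition]]


def build_policy_sets() -> PolicySets:
    """Two disjoint policies for one access right, specified in advance."""
    def is_owner(req, st):
        return req["subject"] == req["owner"]

    def has_admin_role(req, st):
        return "admin" in req["roles"]

    def business_hours(req, st):
        return 8 <= st.hour < 18

    def below_denial_limit(req, st):
        return st.denials.get(req["subject"], 0) < 3

    def track_denials(req, st, granted):
        # Write condition: count denials and raise the threat level after three.
        if granted:
            return
        n = st.denials.get(req["subject"], 0) + 1
        st.denials[req["subject"]] = n
        if n >= 3:
            st.threat_level = "high"

    audit = Condition("track_denials", "post", lambda r, s: True, track_denials)
    return {
        # Normal operation: the owner may perform the operation.
        "low": [Condition("owner", "pre", is_owner), audit],
        # Under attack: only administrators, during business hours, with few prior denials.
        "high": [Condition("admin", "pre", has_admin_role),
                 Condition("hours", "pre", business_hours),
                 Condition("denial_limit", "pre", below_denial_limit),
                 audit],
    }


def evaluate(policy_sets: PolicySets, req: dict, state: SystemState) -> Tuple[bool, List[str]]:
    """Return (granted, names of failed pre conditions).

    1. Select the active policy set by reading the state (no reload, no mode switch).
    2. Evaluate every "pre" condition; all must hold for the operation to be allowed.
    3. Run the "post" conditions, whose write effects may change the state that
       step 1 will read on the next request.
    """
    conditions = policy_sets[state.threat_level]
    failed = [c.name for c in conditions if c.phase == "pre" and not c.holds(req, state)]
    granted = not failed
    for c in conditions:
        if c.phase == "post" and c.effect is not None and c.holds(req, state):
            c.effect(req, state, granted)
    return granted, failed


def demo() -> List[Tuple[str, bool, str]]:
    """Drive the evaluator through an escalation and return a transcript."""
    state, policies = SystemState(), build_policy_sets()
    alice = {"subject": "alice", "owner": "alice", "roles": []}
    mallory = {"subject": "mallory", "owner": "alice", "roles": []}
    bob = {"subject": "bob", "owner": "alice", "roles": ["admin"]}
    log = []
    for who, req in [("alice", alice)] + [("mallory", mallory)] * 3 + [("alice", alice), ("bob", bob)]:
        granted, _ = evaluate(policies, req, state)
        log.append((who, granted, state.threat_level))
    return log


if __name__ == "__main__":
    for who, granted, level in demo():
        print(f"{who:8s} granted={granted!s:5s} threat={level}")
```

The transcript shows the side effect the text warns about: once mallory's third denial raises the threat level, the owner alice is refused by the "high" policy set even though nothing about her request changed, and her refusal is itself counted as a denial.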

Tatyana Ryutov 2002-06-25