The foundation for security enforcement is access control. Resources must be protected against access by unauthorized entities. Furthermore, authorized entities must be prevented from accessing resources in inappropriate ways. A major challenge to the developer of an access control policy is to provide users the flexibility to protect their resources as they see fit; system policies that are inconsistent with user needs are inadequate. In particular, systems that enforce a single, hard-coded policy cannot satisfy the needs of all users. As part of the Distributed Trusted Operating System (DTOS) program, we have developed and implemented a flexible security architecture using the Mach microkernel. In this architecture, the security rules enforced by the system are defined by a system component outside the microkernel. This reduces the problem of supporting other security policies to redefining this system component; the same microkernel can be used to support a wide range of policies. Formal methods were used to provide a rigorous approach for the development of the policy. Recognizing that most people are uninterested in reading security requirements stated in formal specification languages, an approach was developed for representing and maintaining the policy in a tabular format. This paper describes the flexibility of the DTOS security architecture and the approach used in developing the access control policy for this flexible architecture. It also gives examples of how to define a component that makes security decisions for the microkernel.
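The separation the abstract describes, as an added illustration (not code from the DTOS project): a kernel stand-in mediates an operation but asks a separate security server for the decision, and the server's policy is a table that can be swapped without touching the kernel. Labels, permission names and both tables are constructed for the example.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

# Labels, permission names and the two tables below are constructed for
# illustration; they are not DTOS's real label set or rule tables.
Permissions = FrozenSet[str]
PolicyTable = Dict[Tuple[str, str], Permissions]


def load_policy(rows: Iterable[Tuple[str, str, str]]) -> PolicyTable:
    """Compile rows of (subject label, object label, 'perm perm ...') into a table."""
    table: PolicyTable = {}
    for subject, obj, perms in rows:
        key = (subject, obj)
        table[key] = table.get(key, frozenset()) | frozenset(perms.split())
    return table


class SecurityServer:
    """Policy component outside the kernel: holds the rules and answers queries."""

    def __init__(self, table: PolicyTable) -> None:
        self._table = table

    def access_vector(self, subject: str, obj: str) -> Permissions:
        # Whole permission set for a label pair; an unknown pair yields the
        # empty set, so anything the table does not mention is denied.
        return self._table.get((subject, obj), frozenset())


class Microkernel:
    """Enforcement point: mediates every operation but defines no rule itself."""

    def __init__(self, server: SecurityServer) -> None:
        self.server = server

    def send(self, task_label: str, port_label: str) -> bool:
        # Default deny: allowed only if the server's vector grants "send".
        return "send" in self.server.access_vector(task_label, port_label)


# Two policies that differ only in their tables; the kernel code is unchanged.
BASE_ROWS = [("user_t", "user_port", "send receive"),
             ("admin_t", "admin_port", "send receive")]
ISOLATION_POLICY = load_policy(BASE_ROWS)
SHARED_POLICY = load_policy(BASE_ROWS + [("user_t", "admin_port", "send")])


def check(policy: PolicyTable, task: str, port: str) -> bool:
    """Run the same kernel against a given policy and return its decision."""
    return Microkernel(SecurityServer(policy)).send(task, port)
```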
CITATION STYLE
Olawsky, D., Fine, T., Schneider, E., & Spencer, R. (1996). Developing and using a “policy neutral” access control policy. In Proceedings New Security Paradigms Workshop (Vol. Part F129440, pp. 60–67). Association for Computing Machinery. https://doi.org/10.1145/304851.304866