We have looked at Lawrence Chung's work from UT Dallas before. He dealt with the concept of "satisfiable" using soft-graphs. These were based on analyzing the non-functional requirements of a software system. I need to go back and look through his work and summarize some notes about that here:
- Looking at his website it does not look like he's published anything recently.
- logical attack graphs
- information flow violations
- security policy reconciliation
- security compilers
- information security
- enforcement
- encoding
Terms that I've been searching for:
- security policy graph
- security policy language
- security policy expression
Found this, it's a silly name but could be interesting: Symposium On Usable Privacy and Security (SOUPS 2009)
Papers that might be interesting (going to try and move more interesting towards the top of the list):
- A multi-layered security architecture for modelling complex systems - interesting because we've done multi-layered approaches before
- A graph-based formalism for RBAC
- Dynamic graph-based software fingerprinting - title caught my eye but not a good fit
- Security policies for downgrading - possibly a new type of policy and they'd have to express their policy somehow so I thought it'd be worth looking at, it's not graph-based but they seem to have a policy language
- A graph based approach towards network forensic analysis - just network graphs with weights and fuzzy states, probably not what we're looking for
- MAC and UML for secure software design - design time, mandatory access control, and a UML based approach
- Formalizing information security knowledge - they use ontologies
- An algebra for composing access control policies - it's not a calculus but it's math based...?
- Automatic generation of model based tests for a class of security policies
- Policy expression and checking in XACML, WS-Policies, and the jABC - uses XACML and has graphs
- A propositional policy algebra for access control
- When Role Models Have Flaws: Static Validation of Enterprise Security Policies
- Improving Secure Communication Policy Agreements by Building Coalitions
- Modeling Context-Based Security Policies with Contextual Graphs
- Context-Based Security Policies: A New Modeling Approach
- An Ontology-based Approach to the Formalization of Information Security Policies
