
The Research On Secure Management System And Its Secure Policy

Posted on: 2007-09-05
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Leng
GTID: 1118360212460173
Subject: Computer application technology

Abstract/Summary:
Policy-based management is one of the latest developments in network and distributed systems management, and its use in areas such as security is particularly attractive. Security management involves the specification and deployment of access control policies.

This thesis presents a framework suitable for expressing and analysing a set of selected secure control principles. It reviews and discusses secure models and secure policies, their origin and relationships, and the existing role- and policy-based frameworks that partially support their expression. It gives a formal model for secure control principles, on the basis of which we define, analyse, discuss and explore separation controls, delegation and revocation controls, and review and supervision controls. We propose a policy framework to support the security and management of information systems. The framework consists of a policy specification language, an architecture for deploying policies based on that language, and a set of tools for specifying and managing policies.

Four principal achievements have been obtained in this work.

First, the dynamics of security policy are analysed. The separation of security policy from security mechanism is presented, with the BSK security kernel as the basis of the security mechanism. BSK is an object-oriented security domain model for specifying how security and management policies are implemented in the security kernel. In particular, it is important that the policy not be hard-coded into the enforcement mechanism. The formal language Alloy is used to describe and verify the security domain model, for the reliability and security of its design.

Second, security policy is described in the SPL policy language. Operational semantics is used as a tool to prove the definiteness and terminability of SPL expressions, so that the security of SPL is guaranteed.

Third, a security management framework is designed for the security management of information systems, including a management control model and a duty separation model, and it is described formally in Alloy. The monitor model is used in the BSK kernel design, in which the kernel message filter rule mechanism is the key element. This thesis gives the design of the BSK kernel message system and constructs the filter rules and access control rules formally.

Fourth, a compiler is designed for the SPL policy language, using the ANTLR toolkit as the compiler constructor to generate Java code. Static object design is applied to the implementation of the security domain, and the concepts of the self-contained security domain and the relation loop are presented for the analysis of complex security domains.

Finally, this thesis gives a general framework and layered models of security for information systems.
Keywords/Search Tags:security model, security policy, security management, access control, security kernel, operational semantics