Specifying and Implementing Security Policies Using LaSCO, the Language for Security Constraints on Objects

James A. Hoagland (Ph.D. Dissertation, UC Davis, Computer Science, March 2000)

Abstract

In this dissertation, we present LaSCO, the Language for Security Constraints on Objects, a new approach to expressing security policies using policy graphs, and present a method for enforcing policies so expressed. A security policy is a statement about how a system (any executing entity) should behave with respect to a site's particular notion of security. Other approaches for stating security policies fall short of what is desirable with respect to either policy clarity, executability, or the precision with which a policy may be expressed. This results in expressed policies that are ambiguous, are not implementable, or are not an accurate reflection of the policy goal, respectively. LaSCO, however, is designed to have those three desirable properties of a security policy language as well as: relevance for many different systems, statement of policies at an appropriate level of detail, user friendliness for both casual and expert users, and amenability to formal reasoning. In LaSCO, the constraints of a policy are stated as directed graphs annotated with expressions describing the situation under which the policy applies and what the requirement is. LaSCO may be used for such diverse applications as executing programs, file systems, operating systems, distributed systems, and networks. Formal operational semantics have been defined for LaSCO. An architecture for implementing LaSCO on any system, consisting of a system-independent policy interpretation engine and a system-specific interface layer, is presented along with an implementation of the engine in Perl. Using this, we have implemented LaSCO for Java programs.
Our implementation prevents Java programs from violating policy through instrumented run time checks and includes a GUI to facilitate writing policies. This implementation is analyzed quantitatively and qualitatively. We have studied applying LaSCO to a network as viewed by GrIDS, a distributed intrusion detection system for large networks. A proposed design involves correlating partial policy matches in a hierarchy and sending alerts on violations. We conclude that LaSCO has characteristics that enable its use on different types of systems throughout the process of precisely expressing a policy, understanding the implications of a policy, and implementing it on a system.
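The abstract describes policies as directed graphs whose nodes and edges carry a "situation" (domain) expression and a "requirement" expression, evaluated by a system-independent engine over events supplied by a system-specific layer, and mentions correlating partial policy matches in GrIDS. The following toy policy-graph checker is an added illustration of that idea in Python; it is not the dissertation's code, Perl engine, or LaSCO syntax. The graph encoding (`Node`/`Edge` with `domain` and `requirement` predicates), the object and event attribute names, and the sample trace are all constructed assumptions. A binding of graph roles to objects where every domain predicate holds but some requirement fails is reported as a violation; a binding where only some edges have been seen is reported as a partial match.

```python
"""Toy policy-graph checker in the spirit of LaSCO (added illustration;
the encoding and predicate names are assumptions, not LaSCO's own syntax)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Pred = Callable[[dict], bool]  # predicate over an object's or an event's attributes


def always(_: dict) -> bool:
    return True


@dataclass
class Node:
    """A role in the policy graph that a system object may be bound to."""
    name: str
    domain: Pred = always       # situation: does the policy apply to this object?
    requirement: Pred = always  # what must then hold for the bound object


@dataclass
class Edge:
    """An event from the object bound to `src` to the object bound to `dst`."""
    src: str
    dst: str
    event: str
    domain: Pred = always
    requirement: Pred = always


@dataclass
class Policy:
    name: str
    nodes: List[Node]
    edges: List[Edge]


def find_event(trace: List[dict], edge: Edge, src_id: str, dst_id: str) -> Optional[dict]:
    """First trace event of the edge's type between the two bound objects."""
    for ev in trace:
        if ev["type"] == edge.event and ev["src"] == src_id and ev["dst"] == dst_id:
            return ev
    return None


def classify(policy: Policy, objects: Dict[str, dict], trace: List[dict],
             binding: Dict[str, str]) -> Optional[str]:
    """'violation', 'satisfied', 'partial', or None when the policy does not
    apply to this binding (a domain predicate fails or no edge was seen)."""
    if not all(n.domain(objects[binding[n.name]]) for n in policy.nodes):
        return None
    matched: List[Tuple[Edge, dict]] = []
    for e in policy.edges:
        ev = find_event(trace, e, binding[e.src], binding[e.dst])
        if ev is None:
            continue            # edge not (yet) seen in the trace
        if not e.domain(ev):
            return None         # event seen, but outside the policy's situation
        matched.append((e, ev))
    if not matched:
        return None
    if len(matched) < len(policy.edges):
        return "partial"        # the kind of match a hierarchy could correlate
    ok = all(n.requirement(objects[binding[n.name]]) for n in policy.nodes) and \
        all(e.requirement(ev) for e, ev in matched)
    return "satisfied" if ok else "violation"


def evaluate(policy: Policy, objects: Dict[str, dict],
             trace: List[dict]) -> List[Tuple[str, Dict[str, str]]]:
    """Try every one-object-per-role binding of graph roles and classify each."""
    roles = [n.name for n in policy.nodes]
    results = []
    for ids in product(objects, repeat=len(roles)):
        if len(set(ids)) != len(ids):
            continue
        binding = dict(zip(roles, ids))
        status = classify(policy, objects, trace, binding)
        if status is not None:
            results.append((status, binding))
    return results


# Constructed policy: a process that reads a file labelled "secret" may only
# send on a socket bound to an internal (10.x.x.x) address.
POLICY = Policy(
    name="no-secret-exfiltration",
    nodes=[
        Node("proc", domain=lambda o: o["kind"] == "process"),
        Node("file", domain=lambda o: o["kind"] == "file" and o["label"] == "secret"),
        Node("sock", domain=lambda o: o["kind"] == "socket",
             requirement=lambda o: o["host"].startswith("10.")),
    ],
    edges=[Edge("proc", "file", "read"), Edge("proc", "sock", "send")],
)

# Constructed objects and event trace (not real system data).
OBJECTS = {
    "p1": {"kind": "process"}, "p2": {"kind": "process"}, "p3": {"kind": "process"},
    "f_secret": {"kind": "file", "label": "secret"},
    "f_public": {"kind": "file", "label": "public"},
    "s_internal": {"kind": "socket", "host": "10.0.0.5"},
    "s_external": {"kind": "socket", "host": "203.0.113.7"},
}
TRACE = [
    {"type": "read", "src": "p1", "dst": "f_secret"},
    {"type": "send", "src": "p1", "dst": "s_external"},  # violation
    {"type": "read", "src": "p2", "dst": "f_secret"},
    {"type": "send", "src": "p2", "dst": "s_internal"},  # satisfied
    {"type": "read", "src": "p3", "dst": "f_public"},    # outside the file domain
    {"type": "send", "src": "p3", "dst": "s_external"},  # only a partial match
]


def violations(policy: Policy = POLICY, objects=OBJECTS, trace=TRACE) -> List[Dict[str, str]]:
    return [b for status, b in evaluate(policy, objects, trace) if status == "violation"]


if __name__ == "__main__":
    for status, binding in evaluate(POLICY, OBJECTS, TRACE):
        print(f"{status:10} {binding}")
```

Running the block reports one violation (p1 read the secret file and then sent to the external socket), one satisfied binding (p2 sent only internally), and three partial matches where just one of the two edges has been observed so far. The engine knows nothing about processes, files or sockets beyond the attribute dictionaries it is handed, which is the separation the abstract describes between a system-independent interpretation engine and a system-specific interface layer.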