August 25, 1999
3085 ENG II

In attendance:
Karl Levitt (KL), Michael Gertz (MG), Jim Hoagland (JH), Brant Hashii (BH) and Dave Peticolas (DP)

  1. Proposals due September 20th
    1. Develop a policy language
      1. PLEDGE, ADAGE, John Zao at BBN.COM - already have policy languages sponsored
      2. Offer reasoning and a model
      3. Specification at a high level - project down to enforcement sites
    2. JH: Why is operational easier than declarative? Can be extended
    3. TIS - Policy proposal with Sue Rho - couple policy into mission statement in terms of resources it needs (when/how long)
      1. Her policy should cover ours.
    4. MG: Higher order logic to specify any type of policy? What is the problem with using HOL? Developing ontology - it's a design model.
      1. How to integrate heterogeneous policy? How to establish common policy? Temporal logic, transition graph, deontic language (Cuppens). Modeling concept - abstract -> projection problem.
      2. DP: Don't want to implement relation.
      3. MG: 3 levels of architecture: conceptual, physical levels
    5. KL: Inheritance, extensibility
      1. HOL: Can write theories, sub-theories, predicates. Formal methods - too abstract.
    6. MG: Model package - ontology, domain-vocabulary. Conceptualize at domain, provide ontology to access rights
      1. For specifying policy: at network, host and application level
    7. Composition (refinement) - system model
      1. Capability of firewall (connection blocking)
      2. Achieve policy by blocking certain connections
        1. Rule for transformation - ad hoc
      3. Scott Miller's Thesis
      4. Josh Goodman - Filtering Postures - filtering routers - certain connections don't go through
      5. No way to enforce some policies - can't specify all the capabilities of a computer - how closely tied policy is to the system
      6. Projection - deciding on rules for firewall - what engine is going to generate rules - CYC, theorem prover
      7. MG: Many levels to do reasoning, consistency, completeness, synthesis
    8. Need examples of policy statements - what can/can't be specified
      1. Domain is too big or access control
      2. Safety vs. liveness (not in LaSCO)
      3. Make policies readable
      4. Program transformation for executables - rule-driven, large knowledge-base
      5. Conditional access control
        1. When a grade for a student can be released
        2. Liveness - a grade must be released by a certain time
        3. Projection - prevent something - access control or detection - killing user from system
      6. Service - software company connect through a network with a web server, database system
        1. Access control on the database
        2. Ecommerce service in network environment
        3. Translate into military environment
        4. Describe the environment/system/network - computer application
          1. Iterative process, projection - expert driven
          2. Proof-checking - user could enforce policy in certain places
          3. How policies are enforced - by single or many components
          4. Cost model - properties of web server - $/hour
        5. Quality of service
        6. Track history - log - who can access log
        7. Chinese Wall; deducible security - non-interference property
        8. Level of encryption/authentication needed
      7. MG: Platform - specific mechanism
    9. DNS for network
      1. Security service for DNS
      2. Policy for each software component
      3. KL: Store mapping of authoritative service
        1. Synthesize Steven Cheung systems
          1. Reactive - recursive, iteratively up and down DNS chain
          2. Wrapper - product of transformation
        2. Policy - mechanisms
          1. Query DNS server - response within two minutes - don't know how to implement
  2. Assignments
    1. MG, KL: Outline for proposal
    2. All: Scenarios for policy
      1. Mechanisms - what to describe, filtering router, firewall, Miro work, wrapper, how to utilize/administrate the service