Policy Specification Using Sequence Diagrams. Applied to Trust Management
Abstract
With the ever increasing importance of computer networks such as the Internet, and the today almost ubiquitous online services, the needs for the management of these networks and services, as well as the management of the associated security, risk and trust, are growing correspondingly. Policy based management of information systems has over the last decade emerged as an adaptive and flexible approach to this challenge. Policies are rules governing the choices in the behavior of systems, the enforcement of which ensures that the system meets the relevant requirements. This thesis addresses the problem of capturing, specifying and developing policies. We propose a language suitable for the specification of policies across domains and at various abstraction levels, and that facilitates human interpretation. At the same time the language is underpinned by a formal semantics, allowing precise and rigorous analysis.

Abstraction allows details about system functionality and architecture to be ignored, thus facilitating analysis and supporting understanding, which is beneficial and useful particularly during the initial phases of policy development. From the initial, abstract levels, a policy specification is typically further developed by adding details, making it more concrete and closer to implementation and enforcement. This thesis proposes a notion of policy refinement that relates policy specifications of different abstraction levels, precisely defining what it means that a low-level, concrete policy specification is a correct representation of a high-level, abstract specification. Refinement allows policy specifications to be developed in a stepwise and incremental manner, and ensures that the enforcement of the final, concrete specification implies the enforcement of the previous, more abstract specifications.

The applicability of the approach is demonstrated within the domain of policy based trust management. The thesis proposes a method for the development of trust management policies that facilitates the modeling and analysis of trust within systems, and the evaluation of the risks and opportunities to which the system is exposed as a consequence of trust-based decisions. The method is supported by designated languages for the appropriate modeling and analyses, and aims at the capturing and formalization of policies the enforcement of which optimizes the trust-based decisions by minimizing risks and maximizing opportunities.
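The refinement paragraph above states the property the thesis is after: enforcing the concrete specification must imply enforcing the abstract one. The following is an added, illustrative Python model of that idea and is not code from the thesis or its papers. It assumes its own simplified formalization: a specification is a pair of positive traces (required behavior) and negative traces (prohibited behavior), a policy rule is a predicate over traces, refinement lets inconclusive traces be classified and positive traces become negative, and adherence is preserved when the refinement adds no new positive trace. Event names, the sample rule and the sample specifications are constructed for the example.

```python
# Illustrative trace-set model of policy adherence under refinement.
# Added example; not code from the thesis. The specification model
# (positive/negative trace sets, the refinement relation, the adherence
# check) is an assumption made for this example only.
from typing import Callable, FrozenSet, Tuple

Event = str
Trace = Tuple[Event, ...]
TraceSet = FrozenSet[Trace]
# A specification classifies traces as positive (must be possible),
# negative (must be impossible) or inconclusive (everything else).
Spec = Tuple[TraceSet, TraceSet]
# A policy rule as a trace-set property: True if the trace is allowed.
Rule = Callable[[Trace], bool]


def refines(abstract: Spec, concrete: Spec) -> bool:
    """Assumed refinement relation: negative traces stay negative, and
    every abstract positive trace is still positive or has become
    negative; inconclusive traces may be classified either way."""
    p1, n1 = abstract
    p2, n2 = concrete
    return n1 <= n2 and p1 <= (p2 | n2)


def adheres(spec: Spec, rule: Rule) -> bool:
    """A specification adheres to a rule if every positive trace obeys it."""
    positive, _ = spec
    return all(rule(t) for t in positive)


def adherence_preserving(abstract: Spec, concrete: Spec) -> bool:
    """Refinement that introduces no new positive trace: whatever holds
    for the abstract positives then holds for the concrete ones, so
    adherence to any rule carries over."""
    return refines(abstract, concrete) and concrete[0] <= abstract[0]


def no_read_after_classify(trace: Trace) -> bool:
    """Prohibition (constructed): once a record is classified, it must
    not be read later in the same trace."""
    classified = False
    for event in trace:
        if event == "classify":
            classified = True
        elif event == "read" and classified:
            return False
    return True


def make_specs():
    """Constructed sample specifications (not from the thesis)."""
    abstract: Spec = (
        frozenset({("login", "read"), ("login", "classify")}),
        frozenset({("login", "classify", "read")}),
    )
    # Narrowing: one abstract positive trace becomes negative, nothing new.
    narrowing: Spec = (
        frozenset({("login", "read")}),
        frozenset({("login", "classify", "read"), ("login", "classify")}),
    )
    # Supplementing: a new positive trace is added that violates the rule,
    # although the step is still a valid refinement of the abstract spec.
    supplementing: Spec = (
        frozenset({("login", "read"), ("login", "classify"),
                   ("login", "classify", "audit", "read")}),
        frozenset({("login", "classify", "read")}),
    )
    return abstract, narrowing, supplementing


def check_all():
    """Run the refinement and adherence checks over the sample specs."""
    abstract, narrowing, supplementing = make_specs()
    rule = no_read_after_classify
    return {
        "abstract_adheres": adheres(abstract, rule),
        "narrowing_refines": refines(abstract, narrowing),
        "narrowing_preserving": adherence_preserving(abstract, narrowing),
        "narrowing_adheres": adheres(narrowing, rule),
        "supplementing_refines": refines(abstract, supplementing),
        "supplementing_preserving": adherence_preserving(abstract, supplementing),
        "supplementing_adheres": adheres(supplementing, rule),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {ok}")
```

The point the example makes is the one the thesis motivates: a general refinement step (here, the supplementing one) is a legitimate development step yet can introduce behavior that violates a rule the abstract specification satisfied, so a refinement notion that is meant to carry policy enforcement downwards has to be restricted, as the adherence_preserving check does here in its simplified way.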
Has parts
Paper 1: Solhaug, B.; Elgesem, D.; Stolen, K., 2007, Why trust is not proportional to risk, pp. 11-18. In: Second International Conference on Availability, Reliability and Security (ARES'07). Copyright 2007 IEEE. Reproduced with permission. Published version. The published version is also available at: http://dx.doi.org/10.1109/ARES.2007.161
Paper 2: Solhaug, B.; Elgesem, D.; Stolen, K., Specifying policies using UML sequence diagrams – An evaluation based on a case study, 34 p. SINTEF A1230. Trondheim : SINTEF ICT, 2009. Reproduced with permission. Published version.
Paper 3: Telektronikk 105(1), Solhaug, B.; Johannessen, T. H., Specification of policies using UML sequence diagrams, pp. 90-97. Copyright 2009 Telenor ASA. Reproduced with permission. Published version.
Paper 4: Solhaug, B.; Stolen, K., Compositional refinement of policies in UML – Exemplified for access control, 33 p. SINTEF A11359. Trondheim : SINTEF ICT, 2009. Reproduced with permission. Published version.
Paper 5: Software and Systems Modeling 2009 8(1), Seehusen, F.; Solhaug, B.; Stolen, K., Adherence preserving refinement of trace-set properties in STAIRS: exemplified for information flow properties and policies, pp. 45–65. Copyright 2008 Springer-Verlag. Full text not available in BORA due to publisher restrictions. The published version is available at: http://dx.doi.org/10.1007/s10270-008-0102-3
Paper 6: Solhaug, B.; Stolen, K., Preservation of policy adherence under refinement, 57 p. SINTEF A11358. Trondheim : SINTEF ICT, 2009. Reproduced with permission. Published version.
Paper 7: Refsdal, A.; Solhaug, B.; Stolen, K., A UML-based method for the development of policies to support trust management, pp. 33-49. In: Karabulut, Y.; Mitchell, J.; Herrmann, P.; Jensen, C. D., Trust Management II. Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security, June 18-20, 2008, Trondheim, Norway. IFIP 263. Copyright 2008 by International Federation for Information Processing. Published by Springer Science+Business Media. Full text not available in BORA due to publisher restrictions. The published version is available at: http://dx.doi.org/10.1007/978-0-387-09428-1_3