Degree Granting Department
Computer Science and Engineering
Policy Composition, Policy-Specification Languages, Signed Regular Languages, Software Engineering, Visual Specification
Complex software-security policies are difficult to specify, understand, and update. The same is true for complex software in general, but while many tools and techniques exist for decomposing complex general software into simpler reusable modules (packages, classes, functions, aspects, etc.), few tools exist for decomposing complex security policies into simpler reusable modules. The tools that do exist for modularizing policies either encapsulate entire policies as atomic modules that cannot be decomposed or allow fine-grained policy modularization but require expertise to use correctly.
This dissertation presents a policy-composition tool called PoliSeer [27, 26] and the PoCo policy-composition software-security language. PoliSeer is a GUI-based tool designed to enable users who are not expert policy engineers to flexibly specify, visualize, modify, and enforce complex runtime policies on untrusted software. PoliSeer users rely on expert policy engineers to specify universally composable policy modules; PoliSeer users then build complex policies by composing those expert-written modules. This dissertation describes the design and implementation of PoliSeer and a case study in which we have used PoliSeer to specify and enforce a policy on PoliSeer itself.
PoCo is a language for specifying composable software-security policies. PoCo users
specify software-security policies in terms of abstract input-output event sequences. The
policy outputs are expressive, capable of describing all desired, irrelevant, and prohibited
events at once. These descriptive outputs compose well: operations for combining them
satisfy a large number of algebraic properties, which allows policy hierarchies to be designed
more simply and naturally. We demonstrate PoCo's capability via a case study in which a
sophisticated policy is implemented in PoCo.
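The following is an added illustration, not code from the dissertation and not the PoCo language itself: it models the idea sketched above, that a policy module classifies every runtime event as desired, irrelevant, or prohibited at once, and that composition operators over such outputs can be checked for algebraic properties (commutativity, associativity, idempotence, identity). The three-valued verdicts, the operators `all_of`, `any_of` and `override`, the module policies, and the event-string format are all assumptions chosen for this example; the sample trace is constructed.

```python
"""Three-valued policy verdicts and composition operators.

Hypothetical illustration only (not PoCo): a policy maps an event string such
as "net.connect:203.0.113.7:443" to one of three verdicts, and composition
operators combine verdicts pointwise so a composite policy classifies every
event of a trace as desired, irrelevant, or prohibited.
"""
from enum import IntEnum
from itertools import product
from typing import Callable, Iterable

class Verdict(IntEnum):
    IRRELEVANT = 0   # the module has no opinion about this event
    DESIRED = 1      # the module wants this event to occur
    PROHIBITED = 2   # the module forbids this event

Policy = Callable[[str], Verdict]

# Each operator is "the higher-priority verdict wins" under a fixed order,
# which is what makes them commutative and associative by construction.
_ALL_PRIORITY = {Verdict.IRRELEVANT: 0, Verdict.DESIRED: 1, Verdict.PROHIBITED: 2}
_ANY_PRIORITY = {Verdict.IRRELEVANT: 0, Verdict.PROHIBITED: 1, Verdict.DESIRED: 2}

def all_of(a: Verdict, b: Verdict) -> Verdict:
    """Conservative conjunction: a prohibition from either side wins."""
    return max(a, b, key=_ALL_PRIORITY.__getitem__)

def any_of(a: Verdict, b: Verdict) -> Verdict:
    """Permissive disjunction: a desire from either side wins."""
    return max(a, b, key=_ANY_PRIORITY.__getitem__)

def override(a: Verdict, b: Verdict) -> Verdict:
    """Left operand decides unless it is irrelevant; then the right one does."""
    return a if a is not Verdict.IRRELEVANT else b

def check_laws(op: Callable[[Verdict, Verdict], Verdict]) -> dict[str, bool]:
    """Exhaustively check algebraic laws of a verdict operator (3 values, so cheap)."""
    vs = list(Verdict)
    return {
        "commutative": all(op(a, b) == op(b, a) for a, b in product(vs, vs)),
        "associative": all(op(op(a, b), c) == op(a, op(b, c))
                           for a, b, c in product(vs, vs, vs)),
        "idempotent": all(op(a, a) == a for a in vs),
        "identity_irrelevant": all(op(a, Verdict.IRRELEVANT) == a == op(Verdict.IRRELEVANT, a)
                                   for a in vs),
    }

def lift(op: Callable[[Verdict, Verdict], Verdict], *policies: Policy) -> Policy:
    """Lift a verdict operator to policies, folding from the identity IRRELEVANT."""
    def composed(event: str) -> Verdict:
        result = Verdict.IRRELEVANT
        for policy in policies:
            result = op(result, policy(event))
        return result
    return composed

# Hypothetical expert-written modules; each is deliberately narrow.
def no_secret_reads(event: str) -> Verdict:
    if event.startswith("file.read:") and event.endswith("/secret.key"):
        return Verdict.PROHIBITED
    return Verdict.IRRELEVANT

def audit_logging(event: str) -> Verdict:
    return Verdict.DESIRED if event.startswith("log.write:") else Verdict.IRRELEVANT

def no_network(event: str) -> Verdict:
    return Verdict.PROHIBITED if event.startswith("net.") else Verdict.IRRELEVANT

def classify(policy: Policy, trace: Iterable[str]) -> dict[Verdict, list[str]]:
    """Bucket every event of a trace by the composite policy's verdict."""
    buckets: dict[Verdict, list[str]] = {v: [] for v in Verdict}
    for event in trace:
        buckets[policy(event)].append(event)
    return buckets

# Constructed sample trace (not real data).
SAMPLE_TRACE = [
    "file.read:/home/app/config.ini",
    "file.read:/home/app/secret.key",
    "net.connect:203.0.113.7:443",
    "log.write:/var/log/app.log",
]

if __name__ == "__main__":
    strict = lift(all_of, no_secret_reads, audit_logging, no_network)
    for verdict, events in classify(strict, SAMPLE_TRACE).items():
        print(verdict.name, events)
    for name, op in (("all_of", all_of), ("any_of", any_of), ("override", override)):
        print(name, check_laws(op))
```

Because `all_of` and `any_of` are commutative and associative, a policy hierarchy built from them can be reshaped (modules reordered or regrouped) without changing which events are prohibited; `override` is associative but not commutative, so its operand order is part of the policy's meaning and must be preserved when the hierarchy is edited.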
Scholar Commons Citation
Lomsak, Daniel, "Toward More Composable Software-Security Policies: Tools and Techniques" (2013). Graduate Theses and Dissertations.