Security policy foundations in Context UNITY

M. Todd Gamble; Rose F. Gamble; Matthew L. Hale

doi:10.1145/1988630.1988633

Security policy foundations in Context UNITY

M. Todd Gamble, Rose F. Gamble, Matthew L. Hale

Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

Original language	English (US)
Title of host publication	SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011
Pages	8-14
Number of pages	7
DOIs	https://doi.org/10.1145/1988630.1988633
State	Published - 2011
Event	7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011 - Waikiki, Honolulu, HI, United States Duration: May 22 2011 → May 22 2011

Publication series

Name	Proceedings - International Conference on Software Engineering
ISSN (Print)	0270-5257

Conference

Conference	7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011
Country	United States
City	Waikiki, Honolulu, HI
Period	5/22/11 → 5/22/11

Keywords

Security certification
Security controls
UNITY

ASJC Scopus subject areas

Software

Access to Document

10.1145/1988630.1988633

Fingerprint Dive into the research topics of 'Security policy foundations in Context UNITY'. Together they form a unique fingerprint.

Cite this

Security policy foundations in Context UNITY. / Gamble, M. Todd; Gamble, Rose F.; Hale, Matthew L.

SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. 2011. p. 8-14 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Gamble, MT, Gamble, RF & Hale, ML 2011, Security policy foundations in Context UNITY. in SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. Proceedings - International Conference on Software Engineering, pp. 8-14, 7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011, Waikiki, Honolulu, HI, United States, 5/22/11. https://doi.org/10.1145/1988630.1988633

@inproceedings{d003b140c1e24fc2b82d188f91186581,

title = "Security policy foundations in Context UNITY",

abstract = "Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.",

keywords = "Security certification, Security controls, UNITY",

author = "Gamble, {M. Todd} and Gamble, {Rose F.} and Hale, {Matthew L.}",

year = "2011",

doi = "10.1145/1988630.1988633",

language = "English (US)",

isbn = "9781450305815",

series = "Proceedings - International Conference on Software Engineering",

pages = "8--14",

booktitle = "SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011",

note = "7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011 ; Conference date: 22-05-2011 Through 22-05-2011",

}

TY - GEN

T1 - Security policy foundations in Context UNITY

AU - Gamble, M. Todd

AU - Gamble, Rose F.

AU - Hale, Matthew L.

PY - 2011

Y1 - 2011

N2 - Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

AB - Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

KW - Security certification

KW - Security controls

KW - UNITY

UR - http://www.scopus.com/inward/record.url?scp=79959551871&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79959551871&partnerID=8YFLogxK

U2 - 10.1145/1988630.1988633

DO - 10.1145/1988630.1988633

M3 - Conference contribution

AN - SCOPUS:79959551871

SN - 9781450305815

T3 - Proceedings - International Conference on Software Engineering

SP - 8

EP - 14

BT - SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011

T2 - 7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011

Y2 - 22 May 2011 through 22 May 2011

ER -