Resolving constraint conflicts

Trent Jaeger, Reiner Sailer, Xiaolan Zhang

Research output: Contribution to conferencePaper

24 Scopus citations

Abstract

In this paper, we define constraint conflicts and examine properties that may aid in guiding their resolution. A constraint conflict is an inconsistency between the access control policy and the constraints specified to limit that policy. For example, a policy that permits a high integrity subject to access low integrity data is in conflict with a Biba integrity constraint. Constraint conflicts differ from typical policy conflicts in that constraints are never supposed to be violated. That is, a conflict with a constraint results in a policy compilation error, whereas policy conflicts are resolved at runtime. As we have found in the past, when constraint conflicts occur in a specification a variety of resolutions are both possible and practical. In this paper, we detail some key formal properties of constraint conflicts and show how these are useful in guiding conflict resolution. We use the SELinux example policy for Linux 2.4.19 as the source of our constraint conflicts and resolution examples. The formal properties are used to guide the selection of resolutions and provide a basis for a resolution language that we apply to resolve conflicts in the SELinux example policy.

Original languageEnglish (US)
Pages105-114
Number of pages10
Publication statusPublished - Aug 30 2004
EventProceedings on the Ninth ACM Symposium on Access Control Models and Technologies, SACMAT 2004 - Yorktown Heights, NY, United States
Duration: Jun 2 2004Jun 4 2004

Other

OtherProceedings on the Ninth ACM Symposium on Access Control Models and Technologies, SACMAT 2004
CountryUnited States
CityYorktown Heights, NY
Period6/2/046/4/04

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Cite this

Jaeger, T., Sailer, R., & Zhang, X. (2004). Resolving constraint conflicts. 105-114. Paper presented at Proceedings on the Ninth ACM Symposium on Access Control Models and Technologies, SACMAT 2004, Yorktown Heights, NY, United States.