NIST logo

Publication Citation: The Policy Machine: a Novel Architecture and Framework for Access Control Policy Specification and Enforcement

NIST Authors in Bold

Author(s): David F. Ferraiolo; Vijay (. Atluri; Serban I. Gavrila;
Title: The Policy Machine: a Novel Architecture and Framework for Access Control Policy Specification and Enforcement
Published: April 01, 2011
Abstract: The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practitioners and policy makers have specified a large variety of access control policies to address real-world security issues, only a relatively small subset of these policies can be enforced through off-the-shelf technology, and even a smaller subset can be enforced by any one mechanism. In this paper, we propose an access control framework, referred to as the Policy Machine (PM) that fundamentally changes the way policy is expressed and enforced. Employing PM helps in building high assurance enforcement mechanisms in three respects. First, only a relatively small piece of the overall access control mechanism needs to be included in the host system (e.g., an operating system or application). This significantly reduces the amount of code that needs to be trusted. Second, it is possible to enforce the precise policies of resource owners, without compromise on enforcement or resorting to less effective administrative procedures. Third, the PM is capable of generically imposing confinement constraints that can be used to prevent leakage of information to unauthorized principals within the context of a variety of policies to include the commonly implemented Discretionary Access Control and Role-Based Access Control models.
Citation: Journal of Systems Architecture
Volume: 57
Issue: 4
Pages: pp. 412 - 424
Keywords: Security policy enforcement framework; Policy Machine; Access Control
Research Areas: Computer Security, Cybersecurity
DOI: http://dx.doi.org/10.1016/j.sysarc.2010.04.005  (Note: May link to a non-U.S. Government webpage)