Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

The Policy Machine: a Novel Architecture and Framework for Access Control Policy Specification and Enforcement

Published

Author(s)

David F. Ferraiolo, Vijay (. Atluri, Serban I. Gavrila

Abstract

The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practitioners and policy makers have specified a large variety of access control policies to address real-world security issues, only a relatively small subset of these policies can be enforced through off-the-shelf technology, and even a smaller subset can be enforced by any one mechanism. In this paper, we propose an access control framework, referred to as the Policy Machine (PM) that fundamentally changes the way policy is expressed and enforced. Employing PM helps in building high assurance enforcement mechanisms in three respects. First, only a relatively small piece of the overall access control mechanism needs to be included in the host system (e.g., an operating system or application). This significantly reduces the amount of code that needs to be trusted. Second, it is possible to enforce the precise policies of resource owners, without compromise on enforcement or resorting to less effective administrative procedures. Third, the PM is capable of generically imposing confinement constraints that can be used to prevent leakage of information to unauthorized principals within the context of a variety of policies to include the commonly implemented Discretionary Access Control and Role-Based Access Control models.
Citation
Journal of Systems Architecture
Volume
57
Issue
4

Keywords

Security policy enforcement framework, Policy Machine, Access Control

Citation

Ferraiolo, D. , Atluri, V. and Gavrila, S. (2011), The Policy Machine: a Novel Architecture and Framework for Access Control Policy Specification and Enforcement, Journal of Systems Architecture, [online], https://doi.org/10.1016/j.sysarc.2010.04.005 (Accessed May 25, 2022)
Created April 1, 2011, Updated November 10, 2018