
The syntax of policies is given by the following BNF, where P, Q and S range over policies, p denotes a simple policy, t stands for a duration, C for an ITL formula, and w for a condition (or predicate).

$$P ::= p \mid NULL \mid CHAOS \mid P \sqcap Q \mid w\,?\,P : Q \mid P \_ Q \mid P^{\oplus} \mid P;Q \mid P^{+} \mid t : P \mid [w]P \mid \langle w \rangle P \mid P \triangleright^{t}_{w} Q : S \mid C :: P$$

An example of a compound policy is

$$(\delta : p) \_ (p \cup r)$$

where p is a simple policy and r a policy rule. This policy behaves like p for a duration of δ time units; then a new rule r is added and enforced together with p. This simple example already shows how changes in policies can be modelled and enforced.

NULL and CHAOS are singular policies. NULL behaves like the empty policy ∅, while CHAOS denotes an infeasible policy, i.e. a policy that cannot be implemented in our model. Two policies P and Q can be composed in sequence to form a policy P;Q (read P chop Q) that behaves like P for some time, then behaves like Q. However, the final state of the subinterval that satisfies P is the initial state of the subinterval satisfying Q. Thus this operator is used if P and Q can agree on that state. Otherwise, the weak chop operator can be used: P _ Q denotes a policy that behaves like P for some time, then behaves like Q afterwards, starting from the state next to the final state of the subinterval that satisfies P. In this case P and Q share no state. An informal illustration of the operators chop and weak chop is depicted in Figure 5.1. In both cases, the sequential composition can be used to specify policies that are intended to evolve over time by changing policy rules. In general, organisations apply different policies for specific periods of time. Universities distinguish between term time and vacations. Banks render restricted services on weekends and holidays.

[Figure 5.1: P;Q: P holds over σ₀ … σᵢ and Q over σᵢ … σ|σ|, the two subintervals sharing the state σᵢ. P _ Q: P holds over σ₀ … σᵢ and Q over σᵢ₊₁ … σ|σ|, with no shared state.]

Figure 5.1: The operators Chop and Weak Chop

The conditional w?P:Q specifies a policy that behaves like P when the condition w holds and behaves like Q otherwise. For example, in an organisation P may apply to staff and Q to non-staff. Note that P and/or Q might themselves be conditionals, refining staff and non-staff further into different subcategories.

In contrast, the non-deterministic choice P ⊓ Q specifies a policy which behaves either like P or like Q. This is a more abstract specification, as the choice between the policies P and Q cannot be determined beforehand. The conditional, for example, is a refinement of the non-deterministic choice, that is, a way of implementing such a specification at a lower level of abstraction.

The policy P⁺ specifies a policy that behaves like a finite non-empty sequence of P using the chop operator. Similarly, the policy P⊕ denotes a finite non-empty sequence of P in the sense of the weak chop operator. Both operators are used to express iteration of a policy.

The policy expression t : P limits the scope of the policy P to a period of duration t. For example, the policy

$$\delta : (true \mapsto autho+(bob, movie, watch))$$

grants bob, for a specific amount of time δ, the right to watch movies.

The operator as long as defines a policy [w]P (read: P as long as w) that enforces P as long as the condition w holds. The condition w can describe a critical situation that requires a specific policy P to be enforced to ensure security throughout the critical period. For example, at the outbreak of an epidemic disease, specific security policies are enforced to protect the population during the crisis.

On the other hand, the operator unless specifies a policy ⟨w⟩P (read: P unless w) that enforces the policy P until the guard w is triggered. That is, the policy P is enforced as long as the guard is false. Therefore the policy ⟨w⟩P behaves just like [¬w]P. Suppose that in the military a policy P applies during peacetime and a policy Q applies during a war crisis. Then the policy of the whole system can be specified as

$$(peace\,?\,([peace]P) : (\langle peace \rangle Q))^{+}.$$

The triangle operator is devised to express a policy of the form $P \triangleright^{t}_{w} Q : S$ that behaves like the policy P until the condition w is true or a time-out of t time unit(s) has elapsed. If the condition w becomes true, then the policy behaves like the policy Q; otherwise, in the event of a time-out, it behaves like the policy S.

The context operator "::" allows one to specify constraints on the environment in which a policy is deployed. So an expression of the form C :: P means that the environment in which the policy P is enforced must fulfil the constraint C. Constraints are used to specify application-dependent conditions such as group or role memberships. In RBAC [67, 8], for example, constraints are used to specify control principles such as least privilege (i.e. users are assigned only the privileges necessary to accomplish their tasks) and separation of duties (i.e. no user should be given enough privileges to misuse the system on their own).

The formal semantics of these policies is given in Definition 5.1.

Definition 5.1 The formal semantics of a policy P is an ITL formula $M_c(P)$ defined inductively on the structure of policies by:

1. $M_c(NULL) \;\hat{=}\; empty$
2. $M_c(CHAOS) \;\hat{=}\; false$
4. $M_c(P \sqcap Q) \;\hat{=}\; M_c(P) \vee M_c(Q)$
5. $M_c(w\,?\,P : Q) \;\hat{=}\; (w \wedge M_c(P)) \vee (\neg w \wedge M_c(Q))$
6. $M_c(P \_ Q) \;\hat{=}\; M_c(P); skip; M_c(Q)$
7. $M_c(P^{\oplus}) \;\hat{=}\; M_c(P); (skip; M_c(P))^{*}$
8. $M_c(P;Q) \;\hat{=}\; M_c(P); M_c(Q)$
9. $M_c(P^{+}) \;\hat{=}\; M_c(P); (M_c(P))^{*}$
10. $M_c(t : P) \;\hat{=}\; M_c(P) \wedge len = t$
11. $M_c(C :: P) \;\hat{=}\; C \wedge M_c(P)$
12. $M_c([w]P) \;\hat{=}\; (M_c(P) \wedge \Box w) \vee (((M_c(P) \wedge \Box w); skip) \wedge fin\,\neg w) \vee (empty \wedge \neg w)$
13. $M_c(\langle w \rangle P) \;\hat{=}\; M_c([\neg w]P)$
14. $M_c(P \triangleright^{0}_{w} Q : S) \;\hat{=}\; w\,?\,M_c(Q) : M_c(S)$
15. $M_c(P \triangleright^{\infty}_{w} Q : S) \;\hat{=}\; M_c((\langle w \rangle P); (w\,?\,Q : NULL))$
16. $M_c(P \triangleright^{t}_{w} Q : S) \;\hat{=}\; (w \wedge M_c(Q)) \vee (M_c(P) \wedge (\Box\neg w) \wedge len < t) \vee ((M_c(P) \wedge (\Box\neg w) \wedge len < t); skip; (M_c(Q) \wedge w)) \vee$
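The operator descriptions above and the clauses of Definition 5.1 can be checked mechanically over finite traces. The following Python is an added example, not part of the thesis: it encodes chop, weak chop, t:P, [w]P and ⟨w⟩P as predicates over a list of states and runs them on constructed traces. Since the clause for a simple policy (item 3) is not on the page, a simple policy is assumed here to be a state predicate that must hold at every state of the interval, and conditions w are assumed to be state predicates.

```python
from typing import Callable, Dict, List

State = Dict[str, bool]
Interval = List[State]                  # sigma_0 ... sigma_n; ITL len = n
Formula = Callable[[Interval], bool]    # Mc(P) as a predicate on finite intervals
Cond = Callable[[State], bool]          # a condition w (state predicate)

# ITL primitives over a finite interval s
def empty(s: Interval) -> bool: return len(s) == 1            # len = 0: a single state
def skip(s: Interval) -> bool: return len(s) == 2             # len = 1: two states
def length(t: int) -> Formula: return lambda s: len(s) - 1 == t
def now(w: Cond) -> Formula: return lambda s: w(s[0])         # w at the initial state
def always(w: Cond) -> Formula: return lambda s: all(w(x) for x in s)   # box w for a state predicate
def fin(w: Cond) -> Formula: return lambda s: w(s[-1])        # fin w: w at the final state
def conj(*fs: Formula) -> Formula: return lambda s: all(f(s) for f in fs)
def disj(*fs: Formula) -> Formula: return lambda s: any(f(s) for f in fs)
def neg(w: Cond) -> Cond: return lambda x: not w(x)
def simple(w: Cond) -> Formula: return always(w)   # assumption: a simple policy holds at every state
def chop(p: Formula, q: Formula) -> Formula:
    # P;Q (item 8): P on sigma_0..sigma_i and Q on sigma_i..sigma_n, sharing the state sigma_i
    return lambda s: any(p(s[:i + 1]) and q(s[i:]) for i in range(len(s)))

def weak_chop(p: Formula, q: Formula) -> Formula:      # item 6: Mc(P); skip; Mc(Q), no shared state
    return chop(chop(p, skip), q)

def scoped(t: int, p: Formula) -> Formula:             # item 10: t:P is Mc(P) and len = t
    return conj(p, length(t))

def as_long_as(w: Cond, p: Formula) -> Formula:        # item 12: [w]P
    core = conj(p, always(w))
    return disj(core,                                  # w holds throughout and P is enforced
                conj(chop(core, skip), fin(neg(w))),   # ... or P holds up to the step where w fails
                conj(empty, now(neg(w))))              # ... or w is false from the start

def unless(w: Cond, p: Formula) -> Formula:            # item 13: <w>P = [not w]P
    return as_long_as(neg(w), p)

# Constructed traces (not from the thesis): 'alert' is the condition w, 'lock' the simple policy P.
alert: Cond = lambda x: x["alert"]
locked, unlocked = simple(lambda x: x["lock"]), simple(lambda x: not x["lock"])
OK_TRACE = [{"alert": True, "lock": True}, {"alert": True, "lock": True}, {"alert": False, "lock": False}]
BAD_TRACE = [{"alert": True, "lock": True}, {"alert": True, "lock": False}, {"alert": False, "lock": False}]

def check_as_long_as() -> tuple:   # lockdown kept while the alert is on vs. dropped one step early
    return as_long_as(alert, locked)(OK_TRACE), as_long_as(alert, locked)(BAD_TRACE)   # (True, False)

def check_chops() -> tuple:        # P and Q cannot agree on a shared state, so only the weak chop holds
    return chop(locked, unlocked)(OK_TRACE), weak_chop(locked, unlocked)(OK_TRACE)     # (False, True)

def check_scope() -> tuple:        # 2:lock holds on a 3-state trace (len = 2) but not on a 2-state one
    return scoped(2, locked)([OK_TRACE[0]] * 3), scoped(2, locked)([OK_TRACE[0]] * 2)  # (True, False)
```

The second tuple shows the point made for Figure 5.1: the chop of "always locked" and "always unlocked" is unsatisfiable because no state can satisfy both, whereas the weak chop accepts the trace by switching policies between two adjacent states.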
