Scientific Understanding of Policy Complexity - April 2016

Submitted by drwright on Thu, 03/10/2016 - 12:17pm

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Matt Witte

HARD PROBLEM(S) ADDRESSED

Policy-Governed Secure Collaboration - Security policies can be very complex, in the sense that they are difficult for humans to understand and update. We are interested in two kinds of complexity measures. The first is a measure of the inherent complexity of a policy. The second is a measure of the representational complexity, which is the complexity of a particular way to encode the policy. It is desirable to have a scientific understanding of both kinds of complexity.
Human Behavior - Our policy complexity is based on how easy for humans to understand and write policies. There is thus a human behavior aspect to it.

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

Haining Chen, Omar Chowdhury, Ninghui Li, Warut Khern-Am-Nuai, Suresh Chari, Ian Molloy, Youngja Park. 2016. Tri-Modularization of Firewall Policies. ACM Symposium on Access Control Models and Technologies (SACMAT).

ACCOMPLISHMENT HIGHLIGHTS

Our paper on firewall policy complexity has been accepted by ACM SACMAT. Inspired by ideas from modular programming and code refactoring, we introduced an approach to make firewall policies more modularized. We also develop ModFP, an automated tool for converting legacy firewall policies represented in access control list to their modularized format. With the help of ModFP, when examining several real-world policies with sizes ranging from dozens to hundreds of rules, we are able to understand complex policies as well as identify subtle errors. The modularization approach and tool has the potential to enable policy authors to better specify firewall policies. The idea of supporting modularization and abstraction in policy specification can be applied to other policy languages.
Results from pilot studies on comparing the usability of a modularized firewall policy language with an existing one made us appreciate the difficulty of comparing usability of languages and a decision to forgo human subject studies. This led us to change the direction in our research. It also points to a fundamental roadblock in research on usable policy languages.

Groups:

NCSU Science of Security Lablet Research Initiative