Scientific Understanding of Policy Complexity - October 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Huangyi Ge, Matt Witte
HARD PROBLEM(S) ADDRESSED
- Policy-Governed Secure Collaboration - Security policies can be very complex, in the sense that they are difficult for humans to understand and update. We are interested in two kinds of complexity measures. The first is a measure of the inherent complexity of a policy. The second is a measure of the representational complexity, which is the complexity of a particular way to encode the policy. It is desirable to have a scientific understanding of both kinds of complexity.
- Human Behavior - Our policy complexity measure is based on how easy it is for humans to understand and write policies. There is thus a human behavior aspect to it.
PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, state which journal. If presented at a conference, state which conference.
ACCOMPLISHMENT HIGHLIGHTS
- We have started developing a tool for extracting access control policy information from the Android framework code. The tool is meant to show how the different access control policy elements correspond to the resources they protect. We have written a basic version of the tool, which uses static analysis to obtain mappings from API calls to Android permissions. From anecdotal evidence, we know that the complexity of multi-layer access control in Android causes inconsistency in protection. For example, a resource may be protected more strongly if accessed in one way, but more weakly if accessed in a different way. The goal of the tool is to systematically discover such inconsistencies.
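
The kind of consistency check described above can be sketched over an API-to-permission mapping once it has been extracted. This is an added example, not the project's tool: the entry-point names, resource labels and sample mapping are constructed, and ranking a path by the strongest protection level it enforces is an assumption of the sketch.

```python
from collections import defaultdict

# Android protection levels, weakest to strongest; "none" = no check on the path.
LEVEL_RANK = {"none": 0, "normal": 1, "dangerous": 2, "signature": 3}

# Constructed sample: protection level of each permission used below.
PERMISSION_LEVEL = {
    "ACCESS_FINE_LOCATION": "dangerous",
    "ACCESS_WIFI_STATE": "normal",
    "READ_CONTACTS": "dangerous",
}

# Constructed sample of static-analysis output (hypothetical entry points):
# (API entry point, resource it reaches, permissions enforced on that path)
PATHS = [
    ("LocationApi.getLastFix", "device_location", {"ACCESS_FINE_LOCATION"}),
    ("WifiApi.getScanResults", "device_location", {"ACCESS_WIFI_STATE"}),
    ("DebugApi.dumpLocation", "device_location", set()),
    ("ContactsApi.query", "contacts", {"READ_CONTACTS"}),
    ("ContactsApi.lookup", "contacts", {"READ_CONTACTS"}),
]


def path_strength(perms, perm_levels):
    """A caller must hold every permission on the path, so the path is as
    strong as its strongest permission; no permissions means no protection.
    An unknown permission raises KeyError instead of being silently ranked."""
    levels = [perm_levels[p] for p in perms]
    return max(levels, key=LEVEL_RANK.__getitem__, default="none")


def find_inconsistencies(paths, perm_levels):
    """Return {resource: [(entry_point, level), ...]} listing every path that
    reaches the resource under weaker protection than its strongest path."""
    by_resource = defaultdict(list)
    for entry, resource, perms in paths:
        by_resource[resource].append((entry, path_strength(perms, perm_levels)))
    findings = {}
    for resource, entries in by_resource.items():
        strongest = max(LEVEL_RANK[lvl] for _, lvl in entries)
        weaker = sorted((e, lvl) for e, lvl in entries if LEVEL_RANK[lvl] < strongest)
        if weaker:
            findings[resource] = weaker
    return findings


if __name__ == "__main__":
    for resource, weaker in find_inconsistencies(PATHS, PERMISSION_LEVEL).items():
        for entry, level in weaker:
            print(f"{resource}: {entry} enforces only '{level}' protection")
```

A flagged path is a candidate for review, not a confirmed flaw: a weaker check may be intentional when the path exposes only a coarser view of the resource.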