Wednesday, 14 December 2011

Summary: The Ponder Policy Specification Language


N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder specification language. In Workshop on Policies for Distributed Systems and Networks (Policy2001), pages 29–31, Bristol, UK, Jan 2001. HP Labs.

N. Damianou, N. Dulay, E. Lupu, M. Sloman, and N. D. N. Dulay. Ponder: An object-oriented language for specifying security and management policies, 2000.

N. Damianou, N. Dulay, E. Lupu, and M. Sloman. Ponder: A language for specifying security and management policies for distributed systems. Research Report. London, UK, Imperial College, Octuber 2000.

These papers introduced Ponder an object-orientate security policy language that has the ability to represent authorization, obligations, refrain, and delegation policies. It can also represent time and state constrains. Ponder is a flexible language that allows reuse of policy specifications, and it provides scalability by allowing composite policy types.

Ponder right rules in the form of: first stating the type of the policy (auth+, auth-, delg+, …) then stating the name of the policy (so it might be reused later). Then stating the subject (user), the target (object e.g. resource), and action, finally a when (for time constrains) is optional.  Ponder pre-defined type of policies; it has auth+ (for granting authority), auth- (for revoking authority), deleg+ (to grant delegation), deleg- (to revoke delegation), refrain (to apply prohibition), and oblig (to present obligations). Ponder also provides ‘filter’ to be able to apply specific constrain (e.g. location, time, specific target, etc.) on a policy. Ponder also make use of roles (group of people with the same role e.g. system administrator) and groups (group of people with anything in common e.g. same floor, same branch, etc.) to make it easier to manage large complex organizations. Finally, Ponder uses meta-policies, which are policies about policies, to avoid conflicts and to control the sequence of the policies.

Ponder has pre-defined the policy types, and each of these types has its own structure, for example if you are using delegation policy you need to add the ‘grantee’ filed, which specify the element receiving the delegation. For obligation policies you need to add ‘do’ filed.  

Damianou et al. in these papers introduced Ponder; a security policy language that has the ability to represent authorizations, obligations, delegations, and prohibitions. Ponder is different that it pre-defined the type of policies to be used, and provided a structure for each of these policies. Although Ponder covered a wide range of policies, but this pre-definition method made it hard to add to Ponder and to widen the language capabilities. Ponder provides conflict resolution using meta-policies, it also makes use of groups and roles to provide scalability to large organization. Ponder also provide flexibility by reusing the policies. Ponder focuses on access control and obligations. It also has the ability to represent time and state constrains. The use of filters in Ponder made it easy to apply any type of constrains such as sequence constrains. As a drawback, Ponder is not an easy language to understand or to map to runtime object-model. 


No comments:

Post a Comment