中央研究院 資訊科學研究所

A policy is a set of guidelines meant to accomplish some intent. In information security, a policy will take the form of an access control policy that describes the conditions under which entities can perform actions on data objects. Further, such policies are prolific in modern society, where information must flow between different enterprises, states, and countries, all of which will likely have different policies. Unfortunately, policies have proven to be extremely difficult to evaluate. Even with formal policies, basic questions about policy completeness and consistency can be undecidable. These problems are confounded when multiple policies must be considered in aggregation. Even worse, many policies are merely “formal-looking”or are completely informal. Thus, they cannot be reasoned about in a formal way and it may not even be possible to reliably determine whether a given course of action is allowed. Even with all of these problems, policies face issues related to their validity. That is, to be valid, a policy should reflect the intent of the policy makers and it should be clear what the consequences are if a policy is violated. 

It is the contention of the authors that when evaluating policies, one needs to be able to understand and reason about the policy maker’s intentions and the consequences associated with them. This work focuses on the intent portion of this perspective. Unfortunately, because policy makers are humans, policy maker intentions are not readily captured by existing policy languages and notations. To rectify this, we take inspiration from task analytic methods, a set of tools and techniques human factors engineers and cognitive scientists use to represent and reason about the intentions behind human behavior. Using task analytic models as a template, we describe how policies can be represented in task-like models as hierarchies of goals and rules, with logics specifying when goals are contextually relevant and what outcomes are expected when goals are achieved. We then discuss how this framing could be used to reason about policy maker intent when evaluating policies. We further outline how this approach could be extended to facilitate reasoning about consequences. 

Support for legacy systems is also explored.

Joint work with Matthew Bolton and Celeste Wallace.

Lenore Zuck teaches at the University of Illinois at Chicago.  She recently returned there after having spent several years as a program director at the National Science Foundation, where she was a member of the Trustworthy Computing program, the Software and Hardware Foundation program, and the Cyber Physical Systems program. Her background is in formal methods. Her recent work includes 

methodologies for automatic verification of infinite-state systems,  

translation validation of optimizing compilers and microcode, and applications of formal methods to security. Lenore has moved to UIC from NYU. Before that, she was on the Computer Science faculty at Yale University. Lenore holds a PhD in Computer Science from the Weizmann Institute of Science.