Access control is an information security process which guards protected resources against unauthorized access, as specified by restrictions in security policies. A variety of policy languages have been designed to specify security policies of systems. In this paper, we introduce a certified policy language, called TEpla, with formal semantics and simple language constructs, which we have leveraged to express and formally verify properties about complex security goals. In developing TEpla, we focus on security in operating systems and exploit security contexts used in the Type Enforcement mechanism of the SELinux security module. TEpla is certified in the sense that we have encoded the formal semantics and machine-checked the proofs of its properties using the Coq Proof Assistant. In order to express the desired properties, we first analyze the behavior of the language by defining different ordering relations on policies, queries, and decisions. These ordering relations enable us to evaluate how algorithms for deciding whether or not requests are granted by policies will react to changes in policies and queries. The machine-checked mathematical proofs guarantee that TEpla behaves as prescribed by the semantics. TEpla is a crucial step toward developing certifiably correct policy-related tools for Type Enforcement policies.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.