Policy Definition Problems

Policy Definition faces a number of problems. Perhaps the most critical is the scalability of rules.

  1. How many rules does it take to restrict or allow a certain behavior? Will the rule sets still be manageable after a while?

  2. Is a default-deny or a default-allow policy appropriate? And will default deny work at a global level? Used improperly it can lock up the whole system, but it is much safer because no program can escape the policy (e.g. a newly installed program).

  3. Do rules work only at the instance level (e.g. on the file /tmp/foo/bar.xml), only at the class level (e.g. all objects of type "file"), or both? And how are sets of resources defined? Usually some kind of wildcard (globbing) system such as /tmp/* is needed.

  4. What kinds of logical operations are possible within rules (counters, and, or, etc.)? Can identity information be used as well (e.g. rule x applies only if the user is y)?

  5. And last but not least, the way the rules are expressed. Most policies follow a subject-action-object pattern here, which matches the way many natural languages express access rights and restrictions.
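To make points 2 to 5 concrete, here is a small added example (not from the original text) of a subject-action-object rule evaluator with glob patterns for instance- and class-level objects, an identity condition per rule, and a switchable default-deny/default-allow policy; the rule names, paths and users are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Subject-action-object rule, optionally conditioned on the user. Each field is a
    glob: '/tmp/foo/bar.xml' is instance level, '/tmp/*' class level, '*' means any."""
    subject: str
    action: str
    object: str
    effect: str       # "allow" or "deny"
    user: str = "*"   # identity condition; "*" applies to every user

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    object: str
    user: str

def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule applies only when all four glob patterns match the request."""
    pairs = ((rule.subject, req.subject), (rule.action, req.action),
             (rule.object, req.object), (rule.user, req.user))
    return all(fnmatch.fnmatchcase(value, pattern) for pattern, value in pairs)

def evaluate(rules, req: Request, default: str = "deny"):
    """Return (decision, matching rules). An explicit deny beats any allow; when no
    rule matches, the default decides, so under default deny an unknown (e.g. freshly
    installed) program gets nothing until someone writes a rule for it."""
    hits = [r for r in rules if rule_matches(r, req)]
    if any(r.effect == "deny" for r in hits):
        return "deny", hits
    if any(r.effect == "allow" for r in hits):
        return "allow", hits
    return default, hits

# Constructed sample policy: one class-level rule, one instance-level rule tied to an
# identity, and one explicit deny that applies to every subject.
POLICY = [
    Rule("editor", "read", "/tmp/*", "allow"),
    Rule("editor", "write", "/tmp/foo/bar.xml", "allow", user="alice"),
    Rule("*", "write", "/etc/*", "deny"),
]

def decide(subject: str, action: str, obj: str, user: str, default: str = "deny") -> str:
    return evaluate(POLICY, Request(subject, action, obj, user), default)[0]
```

Calling `decide("newpkg", "read", "/tmp/x", "alice")` returns `"deny"` under the default-deny policy and `"allow"` once the default is switched, which is exactly the trade-off point 2 describes.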