On Optimizing Compatible Security Policies in Wireless Networks

This paper deals with ﬁnding the maximum number of security policies without conﬂicts. By doing so we can remove security loophole that causes security violation. We present the problem of maximum compatible security policy and its relationship to the problem of maximum acyclic subgraph, which is proved to be NP-hard. Then we present a polynomial-time approximation algorithm and show that our result has approximation ratio 1 + 1 /k for any integer k with complexity O ( N k +1 ). Copyright


INTRODUCTION
Security is the basis of any system, and it can be described in general terms such as confidentiality, integrity, and availability, but what we do precisely mean by security for a particular system varies from system to system and possibly depends on the situation. The security policies in the army, in a financial institution, at a university, and in a big corporation are significantly different. Each of which has their own needs that should be reflected in the design of their security infrastructures. In the army, every document is classified into different confidential levels. Only authorized persons have the right to view a document. Also, certain sensitive tasks can only be executed by authorized personnel. In a financial institution, each customer has his/her data file, in which some are confidential and some are not. As a whole, there must be a system to deal with these requirements. Security policies should also be designed at different layers. This all depends on the actual data for which security mechanisms are designed. Confidentiality and authenticity of communications are usually classified at the application layer while authenticity of routing packets should be at the network layer. Even for confidentiality, there are end-to-end encryption and link-based encryption, which totally depend on system needs. Since the requirement and design techniques vary quite widely from layer to layer, we cannot regard them as a whole and not differentiate the needs for each layer when designing a system's security infrastructure.
A security policy is a description of the security goals for a system and how a system should behave in order to meet these goals. It may concern access control, information flow, and availability. Security policy bridges the gap between static implementations and the broad and diverse security requirements of user communities. Security policy becomes more complicated in heterogeneous environments. When two or more entities share a security association, they must reach agreement on a governing policy. An example policy is that the request for a purchase and its approval must be by different users. Since the security goals for a system affect how the security mechanisms on the system are configured, it is important for the security policy to be stated clearly. The term security policy may mean different things to different communities. For example, access control policy defines who has access to what and under what circumstances. Other forms of security policy specify under what conditions credentials are accepted, or how a firewall is configured. In its broadest definition, security policy is the specification of security-relevant system behavior.
In a large enterprise, it is often necessary to manage a large set of diverse objects across various organization boundaries. For example, access to the shared resources like printer, scanner, and so forth needs to be carefully managed. In such a scenario, conflicts often arise when large sets of objects across diverse boundaries are being managed. In general, finding whether there is a security policy conflict is an NP-complete problem. If there exists a conflict, then these security policies must be reconciled by removing some part of the policies. Since the security goals for a system affect how the security mechanisms on the system are configured, it is important for the security policy to be stated clearly. Additional benefit is obtained if the policy can be directly used to configure the security mechanisms or to formally reason about the effect of the policy. A common security need is to restrict access to the resources on a system. This is reflected in a constraint security policy, which states constraints on the system.
In this paper, we do not deal with the problem of conflict resolution (or conflict reconciliation). Previous works about security policy conflict resolution (Dunlop et al. [1]) or logic regarding security policies (Abadi [2], Jajodia et al. [3]) all have the goal to determine a security conflict and resolve it. Our work is motivated by optimizing security policies without conflicts to achieve maximal benefit instead of trying to locate conflicts, on which none of the previous works have addressed. In the discussion about security policies, we particularly focus on the part of access control in networks. We seek to maximize the subset of compatible security policies in a system. If there exists some security loophole in a system, by using our algorithm we can find the maximum compatible policies and remove other ones that cause conflict. First we will present the problem statement and prove this problem is NP-hard. Then we will present approximation algorithm and show that our result has approximation ratio 1 + 1/k for any integer k with complexity O(N k+1 ).

PROBLEM FORMULATION
We present the standard logic used by Abadi as a basis of our problem statement. Jajodia et al. also proposed similar results and this was, in fact, earlier than Abadi's. Martin Abadi viewed access control as a description of ternary relation may-access. In addition to the functions Abadi introduced, we also consider two more functions may-not-access and forbids. May-not-access, as its name suggests, represents that some principal does not have the right to do something. Namely, may-not-access(p, o, r) stands for "p" not having the right "r" on "o." The function forbids represents that a principal will forbid another one to do something. Here, this function is a bit different, as only certain authorized principals, called the deauthorizer, are allowed to use the forbid function. Also, u forbids v means that if u does not have access to something, it will result in v not having access to it either. u itself cannot make such kind of policy, and this kind of policy must be made by some deauthorizer other than both u and v. As for who the deauthorizers are, it totally depends on the security policy.
We basically use Abadi's terminology as a basis, and modify it to best suit our scenario. The building blocks of our notation are as follows.
(1) Access control verifier "may-access": may-access (p, o, r) represents that principal "p" has the right "r" on object "o." Here the right "r" can be thought of as the right "read" or "write" on a file "toad.txt." The exam-ple may-access(Alice, toad.txt, read) tells us that Alice has the "read" authorization on file "toad.txt." (2) Authorization function "says": we also consider the transfer or recommendation of authorization. In other words, we allow certain users to authorize others if they have authorization on something themselves. This is represented by the function says. For example, p says may-access(q, o, r) basically means that "p" hands the right "r" over to "q" or "p" authorizes "q" to obtain the right "r." (3) Negated access control verifier "may-not-access": this is actually the negated access control verifier mayaccess(p, o, r). In other words, (4) Deauthorization function "forbids": different to says, u forbids v means that there is a chain of deassociation from u to v. If may-access(u, o, r) is false, then mayaccess(v, o, r) will be false as well. Note that such a policy cannot be made by either u or v. Instead, it can only be made by legal deauthorizers.

Logical deduction rules
With these two functions may-access and says, we can perform logical deductions as follows.
(1) First authorization rule: Conceptually, this means if "p" has access to "o," then p can grant q the same access rights, too. In other words, the right "r" can be transferred by a user that has this right. (2) Second authorization rule: This means if something that has an implication such as having right a will result in having right b, this implied right will be passed on in the case of authorization, too. Take the file access rights, for example. If "p" says that a file allowed to be modified by a user will automatically have the right to be read by that user too, then if p authorizes some other user to have the right of modifying a file, it is implied that p also authorizes that user to read the file too. This rule is supplementary, but it allows us to do nested or compound authorization. (3) Deauthorization rule: Scott C.-H. Huang et al.
3 Table 1: Security policy example

Security policy graph
Now we introduce the use of security policy graph to transform the problem of security policies into a problem of graph theory. To simplify the construction, we only consider the graph representing four functions: may-access, says, may-notaccess, and forbids. Also, to further simplify our discussion, we do not differentiate different rights, as we can actually represent them as different objects (i.e., to differentiate the rights "read," "write" on a file, we can actually regard them as two separate objects "read-file" and "write-file"). The construction of the basic security policy graph G(V , E) is as follows: V ="the set of all users, object o and ¬o," e = (u, v) ∈ E if and only if one of the following is true: (1) u is a user, v is an object, and may-access(u, v) = true; (2) u is an object, v is a user, and may-access(v, u) = false; Consider the following example of security policy shown in Table 1, whose corresponding security policy graph will be Figure 1. There are two objects o and ¬o, and five users u, v, w, x, y. An arc is added from u to o because of policy 1 on the table and rule 1. Two arcs from v to u and from w to u are added according to policy 2, 3 and rule 3. The arc from ¬o to x is added according to policy 4 and rule 2, while the arc from x to y is added according to policy 5 and rule 4. Finally, an arc is added from o to ¬o according to rule 5.  Proof. u has no access to

THE MAXIMUM COMPATIBLE SECURITY POLICY PROBLEM
Our main motivation is to find the maximum subset of compatible security policies (i.e., in which there is no conflict).
Theorem 1 gives us a necessary and sufficient condition for whether or not a conflict exists in a set of security policies. In light of this theorem, finding the maximum subset of compatible security policies is equivalent to finding the maximum acyclic subgraph (with certain property) in its security policy graph. In general, the maximum acyclic subgraph problem is NP-hard, but the maximum compatible security policy problem is a special case of it. In this section, we introduce the maximum acyclic subgraph problem and show that it is NP-hard by reducing 3-SAT to it. First we define the maximum acyclic subgraph problem as follows.

Maximum acyclic subgraph problem
Given a directed graph G = (V , E), find a subset E ⊂ E of maximum cardinality such that G = (V , E ) is acyclic.

3-SAT (maximization version)
Given a formula F = {C 1 , C 2 , . . . , C m } of clauses on a finite set U of variables such that |C i | = 3 for 1 ≤ i ≤ m, find a subcollection S (of F) of maximum cardinality such that there is a truth assignment for S.

3-SAT ≤ P max-acyclic-subgraph
(This reduction is based on Newman [4], though quite different from it.) Given a 3-SAT formula F with n variables and m clauses, we construct a corresponding multigraph G using the following rules.
(1) For each variable x ∈ F, we create 2 vertices x 1 and x 2 . These two vertices will form the variable gadget for the variable x. (2) For each clause C k ∈ F, we create a directed 6-cycle and label each of 3 alternating edges with a distinct literal from the clause C k . This will be the clause gadget for the clause C k as shown in Figure 2. Each of the three literals corresponds to an arc in the 6-cycle, and the other 3 arcs are used to connect them. corresponding to x (the negated form of a variable), we add a directed edge from vertex i to vertex x 2 , an edge from x 1 to j, and a 2-cycle between x 1 , x 2 (we allow multiple occurrences). (4) Then in every 6-cycle we remove each arc that corresponds to each literal.
Note that this graph has 15 m edges in total: in each clause gadget, there are 6 edges from it to its 3 corresponding variable gadgets, 6 edges within its corresponding variable gadgets (because we allow multiple occurrences), and 3 edges within it. There are thus 15 m edges in total, as each clause gadget contributes to 15 edges and there are m clauses. Now we need to make a definition.

Definition 2.
A feedback arc set is a set of arcs that makes a graph acyclic when removed.
The minimum feedback arc set is a feedback arc set of minimum cardinality. It has the following properties.

Lemma 3. A minimum feedback arc set is acyclic.
Proof. An acyclic graph can be viewed as an ordering of the vertices such that all the arcs are in the forward direction, that is, for each arc (i, j), i comes before j in the ordering. Given a feedback arc set, consider such an ordering for the acyclic graph obtained upon deleting the feedback arc set. If the feedback arc set has any edges in the forward direction, then it is not minimum (such an edge can be added to the acyclic graph without creating any cycles). Thus the feedback arc set consists only of backward edges and hence is itself acyclic. Proof. If we include any edges from x i1 to x i2 and even one edge from x i2 to x i1 in the minimum feedback arc set, then it would not be acyclic, which is a contradiction to Lemma 3. If we do not include all the edges from one of the sets in the minimum feedback arc set, then we will not have an edge from every cycle in the minimum feedback arc set, which is also a contradiction. Proof. This theorem will be proved as a consequence of two claims: (i) given an assignment for the variables in F that results in u unsatisfied clauses, we can construct a feedback arc set of size at most 3 m+u; (ii) conversely, given a feedback arc set of size 3 m+u, we can find an assignment for the variables of F such that no more than u clauses are satisfied.
First we observe that the graph G consists of lots of 12cycles and many arcs within the variable gadgets (so the only possible cycles are those 12-cycles and the 2-cycles within the variable gadgets). Each 12-cycle contains 3 arcs within the clause, 2 arcs to and from each variable gadget (thus 6 arcs in total), and 2 arcs within each variable gadget (6 arcs in total too). The graph G thus has m 12-cycles as there are m clauses and each clause corresponds to a cycle. Now if we remove certain arcs within each variable gadget, then both the 12cycles and the 2-cycles will be made acyclic.
(i) Given an assignment for the variables in F, we will show that we can find a feedback arc set including exactly 3 arcs from each satisfied clause and exactly 4 arcs from each unsatisfied clause. We construct the feedback set as follows: if x i is set to TRUE, then we include all the arcs from x i1 to x i2 ; if it is set to FALSE, we include all the arcs from x i2 to x i1 . In addition, we include one arc in the clause gadget corresponding to an unsatisfied clause. The resulting subset is a feedback set for the following reasons: (1) including all arcs from x i1 to x i2 or from x i2 to x i1 will break all 2-cycles; (2) in a satisfied clause, at least one literal will be true and the way we connect the clause gadget to it will break the 12-cycle; (3) in an unsatisfied clause, including one more arc in the clause gadget will break the 12-cycle.
Thus, it is a feedback set having a total of 3m + u arcs.
(ii) Given a feedback arc set, we now show how to construct an assignment from it. First we delete edges from the feedback arc set until it is minimum. Then we assign each variable x i in F a value depending on which set of edges with endpoints in {x i1 , x i2 } is included in the feedback arc set. If all the edges from x i1 to x i2 are in the feedback arc set, the variable x i is set to FALSE. Otherwise all the edges from x i2 to x i1 are in the feedback arc set, and then x i is set to TRUE. Now we look at each clause and its corresponding variable gadgets. If the 12-cycle is broken because of at least one reversed arc in one variable gadget, then it must be a satisfied clause and exactly 3 arcs are added in the minimum feedback arc set. If, in one clause gadget, no reversed arc exists in any of the corresponding variable gadgets, then there must be another arc taken out and there must be exactly 4 arcs in the minimum feedback arc set. Therefore, if the feedback arc set has 3m + u arcs, the assignment leaves at most u clauses unsatisfied.

Corollary 1. The maximum acyclic subgraph for G is of size
11m+s where m is the number of clauses and s is the maximum number of satisfied clauses.

APPROXIMATING MAX-COMPATIBLE SPP
In this section we are going to provide an efficient algorithm for approximating the maximum compatible security policy problem. Actually, it is not clear whether it is NP-hard or not because of its limitations (though we believe so). Our algorithm has approximation ratio 1 + 1/k for any given integer k. The computational complexity for our algorithm is O(N k ). Our algorithm has three parts: (1) k-cycle removal, (2) marking of vertices, (3) arc removal.

Our algorithm k-cycle removal
In this part, any cycle with degree less than or equal to k that contains the arc from an object to its negation will be removed. This can be done trivially for the following reason. To remove all j-cycles, we can generate all possible sequences of ( j−1) vertices and check whether they (along with the special arc) form a cycle or not. In a graph that has N vertices, such an attempt will take O(N j ) time. Therefore, to remove all j-cycles, for all j ≤ k, it will take O(N k ) to do so.

Marking of vertices
After executing the k-cycle removal part, we are sure that there are no cycles of order less than or equal to k. Now we mark all vertices as follows.
(1) Starting from the negated object. We mark it 0.
(2) If there is an arc that goes directly from the negated object to a vertex, we mark it 1. (3) If there is an arc from a marked vertex to an unmarked one and the mark of that vertex is i, then we mark the other vertex i + 1. (4) If there is an arc from a marked vertex (with mark i) to a marked one (which has been marked by some other vertex), then we compute its new mark (i+1) and compare with its old mark. If the new mark is smaller than the old mark, then we remark that vertex with i + 1. Otherwise, do nothing. (5) If all vertices have been marked already, we stop.

Arc removal
Now we look at the mark of the object. Since there is no kcycle containing the special arc after executing the first part, we know that its mark is at least k. Let its mark be l (l ≥ k). Now we look at the relation between an arc and its vertices.

EURASIP Journal on Wireless Communications and Networking
For an arc e = (v 1 , v 2 ), there are only two cases: Note that m(v 2 ) cannot be greater than m(v 1 )+1 because that way it would have been remarked m(v 1 ) + 1 according to step 4 of the marking algorithm. Now we group all of the arcs into S 1 , S 2 , . . . , S l as follows: Let then these S j 's have the following properties: l i=1 ∪ T = E. Now we choose one S i of the smallest cardinality and call it S * . From the above properties, we know that |S * | ≤ (1/l)|E|. Now we remove S * from E and the rest of the arcs cannot have any cycle containing the special arc. to v m and look at their marks, at each step the mark cannot increase by 2 or more. We also know that S * = S p for some 1 ≤ p ≤ l. Then, at some point, there must be some v i such that m(v i ) = p. Since marks cannot increase by 2 or more, m(v i−1 ) must be p − 1. Then (v i−1 , v i ) ∈ S p = S * , which should have been removed. There is a contradiction.

Computational Complexity
We already know that the first part of our algorithm takes O(N k+1 ) time (since we choose k as k − 1 now). Both the second and the third are involved in going through all the arcs once, so the time complexity is O(|E|), where |E| is the number of arcs in the graph. If a directed graph has N vertices, then the number of arcs is 2 N 2 = N(N − 1), which is also a polynomial of N. It follows that the time complexity of the second and the third part cannot exceed O(N 2 ). Overall, the time complexity of our algorithm is of order O(N k+1 ).

RELATED WORK
Jajodia et al. [3] pointed out the problem that specification of security requirement may be quite complex in a largescale system and proposed a logical language that deals with security policies. Dunlop et al. [1] and Abadi [2] used different graph-based approaches to locate and resolve a security conflict in a set of security policies. Schneider [5] addresses the questions for the class of enforcement mechanisms that work by monitoring execution steps of some target and terminating the target's execution if it is about to violate the security policy being enforced. Walker [6] talked about certified code for enforcing security properties. In his scheme, untrusted agent code carries annotations that allow a host to verify its trustworthiness. He used the host to check the annotations and proved that they imply the host's security policy. Hoagland et al. [7] also use directed graphs to represent security policies. They designed LaSCO, the language for security constraints on objects, to express many of the security policy situations and the composition of policies. Works [8][9][10] focused on access control policy (i.e., who has access to what and under what circumstances). Blaze et al. [11] specified under what conditions credentials are accepted. Bartal et al. [12] mentioned how a firewall is configured according to different security policies.

CONCLUSION AND FUTURE WORK
In this paper we have presented the maximum compatible security policy problem and its relationship to the maximum acyclic subgraph problem. We have proved that, in general, the maximum acyclic subgraph problem is NP-hard. We have also designed a polynomial time approximation algorithm and have shown that our result has approximation ratio 1 + 1/k for any integer k with complexity O(N k+1 ). However, it is still not clear whether the maximum compatible security problem is NP-hard or not, nor is it clear whether there exists a better algorithm that can achieve a tighter bound. These will be interesting topics to dig in more.