
Computer Communications 23 (2000) 1716–1723

www.elsevier.com/locate/comcom

Security policy conceptual modeling and formalization for networked information systems
D. Trcek*
Institut Jozef Stefan, Dept. of Digital Communications and Networks E6, Jamova 39, Ljubljana, Slovenia and College of Management, Cankarjeva 5, Koper,
Slovenia

Abstract
Security in networked information systems is a very complex task that ranges from the level of crypto-primitives over crypto-protocols to the level of organizational matters and legislation. All of this is encompassed by a so-called security policy, which is often treated as an afterthought. One of the main reasons is the lack of appropriate techniques for conceptual modeling of security policy at early stages of system design. The approach in this paper is based on flow controls as one of the key ingredients for defining a security policy. The consequent security services and security architectures are derived by means of the proposed technique, which also bridges the gap to formal techniques. The result is a formalized output that serves as a basis for further refinement in subsequent stages of the modeling process. © 2000 Elsevier Science B.V. All rights reserved.
Keywords: Security architectures; Security policy; Conceptual modeling; Formal methods

1. Introduction
Providing security in contemporary information systems (ISs) requires a wide spectrum of knowledge consisting of cryptography, cryptographic protocols, system reliability, organizational and even legislative matters. This clearly implies the need for the involvement of various profiles in the process of IS protection, which was recognized in the early eighties [1] and has recently evolved into appropriate standards in the field [2,3]. The most general framework in the area of IS security has been produced by the US Department of Defense and the European Union, resulting in the so-called Common Criteria, CC [4]. This should be the basis for every attempt to model IS security, and it is also the basis for this paper.
Projected damage in case of loss of data or a non-operational IS is the starting point for security-related activities. Threat analysis is essential and has been studied intensively for a long time. It can be found in many places in the literature [5–7] and is usually very technically oriented. On the other hand, many successful attacks have been due to system design blunders and organizational matters [8,9]. The reasons arise from the development of ISs itself, which has a top-down nature, while security mechanisms and services are incorporated bottom-up. Therefore means are needed for addressing security policy at the stage of IS analysis and design. Besides, being confined to technically-oriented risk analysis, business processes cannot be properly addressed. Attempts to remedy this situation are described in Refs. [10,11], but they do not show how to interface these approaches to existing formal methods, let alone address the vertical integration of these formal methods at all levels of IS security. Moreover, the approaches are not integrated with existing techniques for information systems analysis and design.

* Tel.: 386-611-773379; fax: 336-611 262102.
E-mail address: denis.trcek@ijs.si (D. Trcek).
The purpose of this paper is to provide a means for addressing security policy at the conceptual level of system design and specification. The approach is based on a synchronous incorporation of the flow controls that define security policy, using an intuitive graphical solution that is related to the standardized notation Z [12]. The intention is to chain existing formal approaches vertically and to interface them to the graphical notation and to one another. This way the gap between the highest level of managerial specification and the lowest level of crypto primitives is covered. The technique presented in this paper is called the Security Policy Conceptual Modeling Technique, or SPCMT.
The paper is organized as follows. In Section 2, basic ISs
security policy concepts are considered. A classification of
security services along with their inter-relationships is
discussed. In Section 3, SPCMT is presented. SPCMT
formalization automation is discussed followed by an
example of SPCMT use. The conclusion is given in Section 4, while in Appendix A a short additional description is given.

0140-3664/00/$ - see front matter © 2000 Elsevier Science B.V. All rights reserved.
PII: S0140-3664(00)00257-7

2. Basic security concepts


IS security policy has many interpretations in the literature. For the purposes of this paper two informal definitions
for security objectives and security policy are given, and
referenced as such through the rest of the paper:
Definition 1. Security objectives are those objectives that
are concerned with information flow controls, assured
service, recovery and liability.
Definition 2. Security policy is a continuous process of setting, refining and implementing security objectives, regarding all aspects and levels of IS resources and based on the organizational structure and its mission.
The above definition specifies a so-called intra-domain
security policy. As each organization will have its own
intra-domain security policy, the question of automatic verification of policies arises for inter-domain operations [13];
however that is beyond the scope of this paper.
Cryptographic algorithms are treated as the starting point for providing security, as the focus is on cryptography-related problems. The next level in a networked environment presents an upgrade of ordinary communication protocols to cryptographic protocols, which are more vulnerable to attacks than the previous level. A similar situation holds true for the third level, where human users interact with the IS. In the beginning, computer security research focused on cryptographic algorithms. The situation changed a few years ago when it turned out that IS security problems start mainly with successful attacks at the level of cryptographic protocols, and continue with errors in system design on the third level. Therefore this paper targets the interaction levels, which means that only flow controls will be addressed among the security objectives. Another reason is that the application of formal techniques to the rest of the security objectives requires substantial further work.
Security services are built using security mechanisms. According to OSI standards [14–16], security in open communication systems can be provided by use of authentication, confidentiality, integrity, non-repudiation and access control. These services are partly inter-related in terms of an orthogonal set. Based on research on formal techniques for cryptographic protocols, BAN logic [17] and Boyd's work [18] (this model is summarized in Appendix A), it is reasonable to assume that authentication is a basic security service. Authentication denotes a state of a system (the authenticated state), realized by means of integrity. Detecting any modification, insertion or deletion of data means assuring that the data is delivered unchanged from an originator to a recipient. Any change results in unauthenticated data, which no longer comes from the claimed source. Basically it is not possible to provide authentication without data integrity and the additional incorporation of a time context through time-stamps or random numbers. Therefore integrity can be interpreted as a kind of mechanism for the provision of data authentication.
The definition of confidentiality is not based on any other
definition of security services. However, unauthorized
disclosure is related to proper authentication, so that confidentiality depends implicitly on authentication for its own
reasonableness. As with authentication, confidentiality also
denotes a specific state of a system (confidential state) and
these two services form an orthogonal set of services from a
cryptographic point of view.
With regard to access control, authorized use of resources implies proper identification of an entity, which is the task of authentication. After positive authentication, an entity is
allowed to access resources. Although access control is
often realized by the use of confidentiality, it can be realized
also by a sequence of non-cryptographic actions. Access
control can be treated as a basic security service, since it
constitutes a means of realization of authorized use of
resources in an authenticated state of the system.
Regarding non-repudiation, it can be concluded that proof of origin and delivery requires proper identification, which is the task of authentication. Besides, modifications of a message have to be prevented. Any third party has to be able to check its integrity, and the proof of origin and/or delivery has to exist for a longer period and not only during the session, which is the case with ordinary integrity. Therefore the implementation of non-repudiation requires an authenticated state of a system with additional requirements on the integrity service. Thus it can be treated as a composite service.
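The distinction drawn above, between integrity that only holds for the two parties of a session and the longer-lived, third-party-checkable proof that non-repudiation needs, can be made concrete in code. The following is an added example and not from the paper: it contrasts an HMAC under a shared key (session integrity) with a hash-based Lamport one-time signature (proof of origin). Lamport signatures are used here only because they need nothing beyond the Python standard library; the paper assumes RSA, and a Lamport key pair may sign one message only.

```python
"""Session integrity (a MAC) versus non-repudiation (a signature).

Added example, not from the paper. The MAC is verifiable only by holders of
the shared key, and either holder can produce it, so it proves nothing to a
third party. The Lamport one-time signature (SHA-256 based, standard library
only; NOT the RSA the paper assumes) is verifiable by anyone holding the
public key, now or later, and only the holder of the secret key can make it.
"""
import hashlib
import hmac
import secrets

H = hashlib.sha256
HASH_BITS = 256


# --- Integrity for the duration of a session: HMAC under a shared key ---

def mac(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, H).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison; never compare MAC tags with ==.
    return hmac.compare_digest(mac(shared_key, message), tag)


# --- Non-repudiation: Lamport one-time signature (hash based) ---

def lamport_keygen() -> tuple:
    # Secret key: 256 pairs of random 32-byte values, one pair per digest bit.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    # Public key: the hash of every secret value; anyone may hold it.
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (HASH_BITS - 1 - i)) & 1


def lamport_sign(sk: list, message: bytes) -> list:
    # Reveal, for each bit of H(message), the secret value that bit selects.
    digest = int.from_bytes(H(message).digest(), "big")
    return [sk[i][_bit(digest, i)] for i in range(HASH_BITS)]


def lamport_verify(pk: list, message: bytes, sig: list) -> bool:
    if len(sig) != HASH_BITS:
        return False
    digest = int.from_bytes(H(message).digest(), "big")
    return all(H(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(HASH_BITS))


def demo() -> dict:
    """Run both mechanisms through the situation the paper describes."""
    message = b"accept paper 17"      # constructed sample message
    forged = b"reject paper 17"       # what a dishonest recipient would prefer
    shared_key = secrets.token_bytes(32)  # known to originator and recipient only

    # 1. MAC: the recipient verifies during the session, but it holds the same
    # key, so it can tag a message the originator never sent. A third party
    # cannot tell which of the two parties made either tag.
    session_ok = mac_verify(shared_key, message, mac(shared_key, message))
    recipient_forgery_verifies = mac_verify(shared_key, forged, mac(shared_key, forged))

    # 2. Signature: only the originator holds sk; anyone holding pk verifies,
    # so the proof of origin outlives the session. The recipient has only pk,
    # and a signature on one message is not a signature on another.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, message)
    return {
        "mac_verifies_in_session": session_ok,
        "mac_forgeable_by_recipient": recipient_forgery_verifies,
        "signature_verifies_for_third_party": lamport_verify(pk, message, sig),
        "signature_valid_on_other_message": lamport_verify(pk, forged, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first two results are both true: the MAC does its job inside the session and is exactly as forgeable by the recipient as by the originator, which is why it cannot serve as proof to a third party. The signature verifies for anyone with the public key and does not transfer to a different message. In a deployed system the one-time property of Lamport keys is the reason a stateless scheme such as RSA or an elliptic-curve signature is used for non-repudiation; the dependency structure the paper describes (authenticated state plus integrity that persists beyond the session) is the same.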

3. Security policy conceptual modeling technique


A technique is needed that will enable the incorporation of incomplete and intuitive specifications of security policies at the stage of IS design, together with supporting a transformation to a formal presentation. SPCMT is introduced for this purpose. It is based on a well-established
and commonly used technique in IS design and analysis,
which is a Data Flow Diagram: DFD [19]. Additionally, it
incorporates specifications in formal language Z, for interfacing a specification to formal verification techniques at
various levels. SPCMT consists of:
a graphical part to achieve intuitiveness, expressiveness
and independence of particular platforms, suitable for
CASE implementation and supplementing the formalization process; and
a complementary formal part in language Z and SPCMT
grammar for support of formalization, consistency,
correctness checking of a specification and further
refinement, i.e. logical model.


The first strategic decision for security policy is to specify which entity can access certain information and what this
entity can do with it. This is related to the difference
between access control and information flow control.
Access control is a service for the provision of authorized
use of resources. It basically regulates the accessing of
resources, but not what objects might do with the information contained in these resources. And this is exactly the task
of flow controls, i.e. the dissemination of information [20].
In the case of SPCMT, all pieces of information are encrypted,
thus access control is realized on the basis of key management.
It is assumed that security architectures are built using two
typical cryptographic algorithms, DES and RSA.
Information flows must be defined first and their definition
implies necessary access controls. Secondly, implementation
of flow controls requires authentication. Thirdly, after authentication, it is necessary to decide which (if any) confidential
channels are to be established. This is also the path for linking
formal verification techniques. The dissemination or proliferation of sensitive information in the IS is defined by security
policy, i.e. flow controls.
The starting point are generic sets of the model and their
definition is given below.
[Entity,Key,Message,ID,Detail]
Sets Entity and Key are needed for flow controls and Boyd's specification. Sets Message, ID, Detail serve for detailed
specification after the conceptual phase is completed. This
means inclusion of formal description and verification on
the level of crypto protocols, e.g. BAN logic.
At this stage, initial assumptions, the structure of
messages, their sequence, etc., become important. For this
purpose, generic sets include ID and Message. Set Message
serves for detailed specification of message elements, where
time-stamps and nonces play a specific role, denoted by the
set ID. BAN constructs can be defined in terms of new
relations, while logical postulates are actually conjunctions
of constructs that logically imply new constructs. The set
Detail serves for specification of non-technical requirements of a security policy.

The first definition reflects a hierarchy of keys in terms of their length. Then, the definition of security domains is needed, where security domains are denoted with natural numbers. Next, keys are grouped in sets and each set has a corresponding key length. These sets form a sequence, where the position of a set in the sequence implies the length of keys in that set. Associating a particular security domain with a particular set is achieved with categorization. Besides, it is required that the sets of keys are disjoint.

All entities have to be classified into defined security domains. A particular entity can belong to only one security domain. There should be no unconnected security domains, i.e. at least one data flow has to exist to or from a domain. To handle data flows from one domain to another, a new relation dFT (dataFlowsTo) is introduced. This relation embodies flow controls, i.e. security policy. It is a matter of access control how a piece of information within one domain is accessed. But once it is accessed within a particular domain, it is assumed that it is shared between all members of this domain.

The next step is controlling its propagation to another security domain. This is the fundamental concept of SPCMT. Relation dFT is the key building block of the whole SPCMT approach. Whichever security policy is chosen for a particular environment, it is embodied in a dFT relation, which has to be defined accordingly. The best-known technique in this field is the Bell-La Padula or BLP model [21]. Its definition would require appropriate statements for the no-write-down and no-read-up requirements. However, to keep things simple, the relation dFT in this paper is defined as a loose, network-like variant of the BLP model, in line with the following considerations:

Based on a security policy, the dissemination of information is realized by using appropriate keys to set up confidentiality channels. It is required that an entity may not forward received information from one domain to an entity in another. Only the originating entity is eligible to do this, and if necessary an appropriate data flow has to be established.

The concept of hierarchy is replaced by the concept of security domains, because organizations have structures that are closer to networks than to trees. This is also reflected in their networked computer systems, which operate in a distributed manner. For these reasons the hierarchical proliferation of information may be too limiting.

The concept of subjects and objects is replaced with entities, as active and passive roles are interleaved (client-server technology).

Table 1
Initial specification for SPCMT

Domain/flow control   Authentication   Confidentiality
0                     Password         (none)
1                     Short keys       Short keys
2                     Mid keys         Mid keys
3                     Long keys        Long keys

Thus the relation dFT is reflexive, symmetric and transitive within a particular domain. However, it is not symmetric and not transitive between different security domains.

Each connection is weighted with a label that corresponds to the category of the domain where the particular data flow starts.

Once information flows are defined, they are analyzed from the point of view of the cryptographic protocols. Boyd's formalism turns out to be very useful here. It is written completely in Z and relies on a notion of channels that enables transformation between graphical and formal presentation. It is well suited for the design stage, where particular protocols are not yet being considered. Later on, when the conceptual model is transformed into a logical one, the output can be interfaced to techniques that deal in detail with particular protocols, e.g. BAN.
3.1. SPCMT pre-modeling activities
Initially, information flow controls have to be determined. This requires classifying entities into appropriate classes. These classes are related to cryptographic channels in terms of cryptographic strength through appropriate key lengths, which is the basis for access control. Table 1 summarizes the concept and it is the starting point before any design takes place.

Fig. 1. Elements of SPCMT (X stands for security domains/flow control).

Fig. 2. Conversion of flow controls to Z specification.
The number of security domains can be arbitrary. It is a matter of decision at the system design phase which domains for flow controls will be defined, and the consequent requirements for authentication and confidentiality are derived from them. These levels are related to the key length used for a particular service. As various cryptographic algorithms require different key lengths for comparable strength (in terms of bits), a relative key-length description, such as given in the initial Table 1, fully serves the purpose. It should be emphasized that the lowest domain uses only passwords for authentication and no confidentiality services. This is equivalent to authentication and confidentiality channels established with keys of length zero. Therefore a uniform concept, as specified by the axiomatic description of SPCMT, remains valid for all transformations that follow in the next subsection.
3.2. Modeling phases
The graphical part of SPCMT consists of basic DFD elements (Fig. 1) with additional labels to denote the classification of resources (policy-weighted connections).
A starting point is identification of entities, their classification and the inclusion of data flows in line with flow
controls. Later, data flows are weighted according to categories of the security domains that they are linking. The
sequence of steps and its transformation to Z is given in
Fig. 2.
The procedure in the next step requires replacement of
weighted data flows with crypto channels, as depicted in
Fig. 3. The dashed arrow denotes an authentication channel,
and a continuous arrow denotes a confidentiality channel,
while a two-way arrow denotes a symmetric channel.


Fig. 3. Cryptographic channels.


Fig. 4. Channel derivations.

In the following step, redundant cryptographic channels can be removed according to the derivation rules given in Fig. 4, which denote system transitions where existing channels can be replaced with new channels [19].
Now the complete procedure of the conceptual modeling
can be given. It consists of the following phases:
1. Analyzing a business process, entities and data flows are
identified. This is modeled with an ordinary DFD
technique.
2. Entities are classified into security domains and keys are
categorized.
3. Data flows are weighted with labels, where a label of a
particular data flow is determined by the security domain,
at which a connection starts.
4. Weighted data flow controls are replaced accordingly with crypto channels. Since authentication is the most basic service, the replacement starts with authentication channels.
5. If confidentiality channels are needed, it is checked whether they can be derived using the existing authentication channels (see Fig. 4). If not, these channels are defined explicitly.
The output of this process is a model, defined in Z
notation.
A short explanation of the above steps follows. In the first step the processes have to be modeled somehow. For SPCMT, DFD is chosen, because it is one of the most popular tools for system analysis and design. DFD gives a clear presentation of what systems do along with definitions of repositories of data. In the second step the starting point for the implementation of a security policy is defined. In the third step the dFT relation is included, which is the core of a security policy. The fourth step presents its practical implementation by using cryptographic channels. In the fifth step it is checked whether system transitions also result in the desired confidentiality channels. This last step basically amounts to an optimization of key management.

3.3. SPCMT formalization automation


There should exist a way for a graphical part of SPCMT
to be automatically translated into a formalized output. Such
support is necessary for implementation in CASE tools.
Therefore an SPCMT grammar G is defined.

Grammar G is introduced for efficient translation, i.e. for computational reasons. To preserve the possibility of formal analysis, a one-to-one mapping has to exist between words produced by G and the corresponding Z schemas. A backward link to Boyd's model is defined with the following schemas.

Schema Filter is used to extract (to make valid) only those words produced by grammar G where connections indeed exist.

Fig. 5. Phases 1–3.

3.4. An example of use of SPCMT

In the following example, the design of an IS for a scientific conference is considered. Organizing activities present the central process, with data flows to public media (call for papers and announcements). There are additional data flows towards two databases, one containing papers and the other refereeing data. All these flows have to be authenticated. Moreover, data flows to/from authors have to be authenticated and confidential. The design starts with Table 2.

The DFD model of the whole business process is given in Fig. 5(a). It is assumed that public media belong to domain 0 with the lowest security requirements. Authors are part of domain 1 with higher security requirements (protection of material to assure copyright), while the other elements are part of domain 2 with the highest security requirements.

As mentioned, all data flows are authenticated, while confidentiality channels have to exist between authors and organizing activities in both directions, to preserve authorship and to report confidential decisions. Based on this decision, flow controls are weighted as depicted in Fig. 5(b).

In the next phase, appropriate cryptographic channels replace the weighted flow controls. Since authentication is the most basic service, it is wise practice to start with the authentication channels; see Fig. 6(a).

Using the derivation rules from Fig. 4, it turns out that the existing authentication channels do not yield the required confidentiality channels. Therefore additional confidentiality channels are introduced explicitly for the two data flows to/from authors. The result is given in Fig. 6(b).

Once this architecture has been defined, a CASE tool makes use of a grammar G based generator, which results in a formal output with the following words:

In the above words, a stands for authors, o for organizing activities, m for public media, p for papers, r for refereeing data, while security domains are denoted by 0, 1 and 2.
This step concludes the conceptual phase with a straightforward relation to Z (schema GtoZ), where the fundamental cryptographic properties of the derived system can be studied. With a translation to ML/HOL, interactive theorem proving in a higher-order logic is enabled [22]. This presents a backward linking with formal methods, i.e. Boyd's model.
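The five phases of Section 3.2, applied to the conference IS of this section, can be run as a small executable model. What follows is an added example and not the paper's own code or its grammar G: it encodes Table 2 as a relative key table, the five entities with their domains, and a list of data flows that is a constructed reading of Fig. 5(a) (the figure itself is not reproduced here), then carries out phases 2 to 5 and checks the properties of dFT and the no-forwarding rule stated in Section 3. The derivation rules of Fig. 4 are also absent from the page, so the only rule the example supplies, that a symmetric (two-way) channel covers authentication and confidentiality in both directions, is an assumption of this example and is marked as such in the code; the `words()` rendering is the example's own notation. Key classes stay relative, as in the paper, and are not bound to DES or RSA (DES has long since been withdrawn as a standard).

```python
"""SPCMT phases 2-5 as executable checks. Added example, not the paper's code:
Table 2 and the entities of Section 3.4 are taken from the paper; the flow
list, the single derivation rule and the word syntax are assumptions."""
from dataclasses import dataclass
from itertools import product

# Table 2: category -> (authentication key class, confidentiality key class);
# None means the service is not offered at that category.
KEY_TABLE = {0: ("passwords", None), 1: ("short keys", "short keys"), 2: ("mid keys", "mid keys")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    confidential: bool = False  # policy demands a confidentiality channel


@dataclass(frozen=True)
class Channel:
    kind: str  # "auth", "conf" or "sym" (two-way)
    src: str
    dst: str
    key_class: str


class PolicyError(ValueError):
    """One of the paper's stated constraints is broken."""


def check_classification(domains: dict, flows: list) -> None:
    """Phase 2: every entity in one known domain, no unconnected domain,
    key classes distinct per category (disjoint key sets)."""
    for e in {e for f in flows for e in (f.src, f.dst)}:
        if e not in domains:
            raise PolicyError(f"entity {e!r} is not classified")
    touched = {domains[e] for f in flows for e in (f.src, f.dst)}
    for d in set(domains.values()):
        if d not in KEY_TABLE:
            raise PolicyError(f"domain {d} has no row in the key table")
        if d not in touched:
            raise PolicyError(f"domain {d} has no data flow to or from it")
    classes = [KEY_TABLE[d][0] for d in sorted(KEY_TABLE)]
    if len(set(classes)) != len(classes):
        raise PolicyError("key sets of different categories must be disjoint")


def dft(domains: dict, flows: list) -> set:
    """dFT: reflexive, symmetric, transitive inside a domain (information
    accessed there is shared by all members); across domains only the
    declared flows, with no closure taken."""
    same = {(a, b) for a, b in product(domains, repeat=2) if domains[a] == domains[b]}
    return same | {(f.src, f.dst) for f in flows}


def reachable(domains: dict, flows: list, origin: str) -> set:
    """Where information originating at `origin` may go: its own domain plus
    the domains it has declared flows into. Only the originator may forward
    across domains, so no transitive step is taken."""
    hit = {domains[origin]} | {domains[f.dst] for f in flows if f.src == origin}
    return {e for e in domains if domains[e] in hit}


def sym_rule(channels: set) -> set:
    """ASSUMED derivation rule (the paper's Fig. 4 is not reproduced here):
    a symmetric channel A<->B yields auth and conf channels both ways."""
    return {Channel(k, s, d, c.key_class) for c in channels if c.kind == "sym"
            for k in ("auth", "conf") for s, d in ((c.src, c.dst), (c.dst, c.src))}


def derive(channels: set, rules=(sym_rule,)) -> set:
    """Close a channel set under the derivation rules (fixed point)."""
    closed = set(channels)
    while new := set().union(*(r(closed) for r in rules)) - closed:
        closed |= new
    return closed


def model(domains: dict, flows: list, rules=(sym_rule,)) -> list:
    """Phases 2-5; returns the channel architecture, authentication first.
    The weight of a flow (phase 3) is the category of its source domain."""
    check_classification(domains, flows)
    channels = {Channel("auth", f.src, f.dst, KEY_TABLE[domains[f.src]][0]) for f in flows}  # phase 4
    for f in flows:  # phase 5: derived confidentiality channel if any, else explicit
        if not f.confidential:
            continue
        if any(c.kind == "conf" and (c.src, c.dst) == (f.src, f.dst) for c in derive(channels, rules)):
            continue
        conf_class = KEY_TABLE[domains[f.src]][1]
        if conf_class is None:
            raise PolicyError(f"domain {domains[f.src]} offers no confidentiality for {f.src}->{f.dst}")
        channels.add(Channel("conf", f.src, f.dst, conf_class))
    return sorted(channels, key=lambda c: (c.kind != "auth", c.src, c.dst, c.kind))


def words(domains: dict, channels: list) -> list:
    """One word per channel in this example's notation (not grammar G)."""
    return [f"{c.kind}({c.src}{domains[c.src]}->{c.dst}{domains[c.dst]}; {c.key_class})" for c in channels]


# Conference IS of Section 3.4; the flow list is a constructed reading of Fig. 5(a).
CONFERENCE_DOMAINS = {"m": 0, "a": 1, "o": 2, "p": 2, "r": 2}
CONFERENCE_FLOWS = [
    Flow("o", "m"),                     # call for papers, announcements
    Flow("o", "p"), Flow("o", "r"),     # towards the two databases
    Flow("a", "o", confidential=True),  # submissions
    Flow("o", "a", confidential=True),  # decisions
]

if __name__ == "__main__":
    print("\n".join(words(CONFERENCE_DOMAINS, model(CONFERENCE_DOMAINS, CONFERENCE_FLOWS))))
```

Running it lists five authentication channels (mid keys for every flow originating in domain 2, short keys for the authors' submissions) followed by the two confidentiality channels between a and o, which had to be added explicitly because no existing channel yields them; this is the outcome Fig. 6(b) describes. Two policy errors a practitioner will want caught early are also enforced: a confidential flow that originates in domain 0 has no key class to draw on under Table 2, and an entity left outside every domain, or a domain with no flow, is rejected before any channel is assigned.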
The next phase, which is the subject of current research, is the specification of a logical model with the details necessary for implementation. Each channel has to be further specified in terms of particular protocol details and analyzed with an appropriate technique, e.g. BAN logic. Besides, access controls have to be considered. Put another way, a forward linking with formal methods through words of the SPCMT language will be done in this phase. This is a more interesting and demanding task than the previous one, and includes:

a further refinement of grammar G in terms of terminal symbols to reflect the necessary protocol details (mapping to BAN logic); and

a further refinement of grammar G to support access control formalisms [23,24].

Worthy of mention is that there exists a possibility for optimization of grammar G (number of words, inclusion of symmetric channels, etc.).

Table 2
The initial table

Domain/flow control   Authentication   Confidentiality
0                     Passwords        (none)
1                     Short keys       Short keys
2                     Mid keys         Mid keys

Fig. 6. (a) The fourth phase and (b) the fifth phase.
4. Conclusion
Assuring optimal security of IS is not a trivial task, as it
requires a wide variety of expertise from technological to
organizational. A technique aimed at assisting engineers and
managers when addressing the problem of ISs security
policy is given in this paper. It provides the possibility for
addressing it at the ISs design stage and is interfaced to
existing formal specifications and verification methods.
The approach in this paper is based on DFD, which gives
a static perspective on a designed system. In cases where the
timing component is critical, a state transition diagram
should be incorporated into the DFD model and reflected
accordingly in Z specification.
The real problem with formal verification, however, is that the number of interactions in large systems increases enormously and it is often practically impossible to capture all system details. In addition, the resulting specifications may not be computationally feasible to handle. An alternative solution is to deploy fuzzy set theory to achieve a reasonable compromise between rigorous proofs and qualitative simulation (heuristic proofs), as discussed in Ref. [25].
Finally, it should be noted that this approach is not the
only one possible. However it gives an integrated solution
based on previous work done in various fields, ranging from
cryptographic protocols to human management related
issues. As such it presents an attempt to further support a
complex task of security policy specification and implementation (see e.g. Ref. [26]). Future work will be oriented
towards refinement of grammar G for the derivation of logical models, inclusion of non-cryptography related security
objectives and heuristics that can be applied to large
systems. Besides, formal techniques for access controls
will be addressed.
Appendix A
Boyd's model describes a secure communication architecture as a state-based sequential system. It assumes the use of the most widespread algorithms, DES and RSA, as the properties of these two algorithms determine the model. Fundamental values are users and keys, where keys consist of public, secret and shared keys. Each of these keys has associated semantics, i.e. it has to be a confidentiality or an authentication key. Every user is associated with a set of keys and based on this, confidentiality, authentication and symmetric channels can be established. Passing keys from one user to another denotes state changes, which may or may not result in new channels. Only transitions that add new and secure channels to the model are defined. Necessary conditions are studied along with architectures that can be built using existing channels.

References
[1] D.B. Parker, Manager's Guide to Computer Security, Prentice-Hall, London, 1981.
[2] ISO, Information Security Guidelines, TC68/SC2/WG4, TR 13569, CD N481, Geneva, 1997.
[3] ISO, Guidelines for the Management of IT Security, parts 1–4, Selection of Safeguards, ISO/IEC JTC1/SC27, TR 13335, WD N 1659, Geneva, 1998.
[4] ISO, Common Criteria for Information Technology Security Evaluation, version 2.0, parts 1–3, ISO/IEC 15408, Geneva, May 1998.
[5] E. Amoroso, Fundamentals of Computer Security Technology, Prentice-Hall, New Jersey, 1994.
[6] W. Stallings, Network and Internetwork Security, Prentice-Hall, London, 1995.
[7] National Institute of Standards and Technology, Computer Security Handbook, Computer Systems Laboratory, Gaithersburg, MD 20899-0001.
[8] R.J. Anderson, Whither Cryptography, Information Management and Computer Security 2 (5), MCB University Press, 1994.
[9] R.J. Anderson, Why Cryptosystems Fail, Communications of the ACM 37 (11) (1994) 32–40.
[10] B.S. Collins, S. Matthews, Securing Your Business Process, Computers and Security 12 (7) (1993) 629–633.
[11] J. Leiwo et al., Harmonizer: A Tool for Dealing with Information Security Requirements, Proceedings of the 3rd NWSCS, Trondheim, November 1998.
[12] ISO, Z version 1.2, CD 13568, JTC1 SC22, Geneva, September 1995.
[13] D. Trcek et al., Security Policy Space Definition and Structuring, Computer Standards and Interfaces 18 (1996) 191–196.
[14] ISO, Information Processing Systems, OSI RM Security Architecture, ISO 7498-2, July 1988.
[15] ISO/IEC, Information Technology, OSI Security Frameworks for Open Systems, 10181, parts 1–8, Geneva, 1996.
[16] ITU-T, Authentication Framework, X.509(E), Geneva, 1993.
[17] M. Burrows et al., A Logic of Authentication, ACM Transactions on Computer Systems 8 (1) (1990) 18–36.
[18] C. Boyd, Security Architectures Using Formal Methods, IEEE Journal on Selected Areas in Communications 11 (5) (1993) 694–701.
[19] T. DeMarco, Structured Analysis and System Specification, Prentice-Hall, New York, 1978.
[20] D.E.R. Denning, Cryptography and Data Security, Addison-Wesley, Reading, 1982.
[21] D. Bell, L. La Padula, Secure Computer Systems: Mathematical Foundations, ESD-TR-73-278, MITRE Corporation, 1973.
[22] M. Gordon, T. Melham, Introduction to HOL, Cambridge University Press, Cambridge, 1993.
[23] M. Abadi et al., A Calculus for Access Control in Distributed Systems, ACM Transactions on Programming Languages and Systems 15 (4) (1993) 706–734.
[24] D. Ferraiolo, J. Cugini, D.R. Kuhn, Role-Based Access Control (RBAC): Features and Motivations, Proceedings of the Annual Computer Security Applications Conference, IEEE Press, 1995.
[25] H.H. Hosmer, Applying Fuzzy Logic to the Multipolicy Paradigm, Computer Security Journal 10 (11) (2000) 34–45.
[26] R. Anderson, A Security Policy for Clinical Information Systems, Proceedings of the 15th IEEE Symposium on Security and Privacy, IEEE Press, 1996.


Denis Trcek received his PhD from University of Ljubljana in 1995. As a scientist he
is involved in the field of information
systems and computer networks with
emphasis on security, for almost ten
years. He has authored or co-authored
about 60 papers, a majority of them
published in international journals,
proceedings of international conferences
and invitational workshops. He is involved
in many EU research projects, e.g.
NetLINK/CEE, COST 257. Some recent
market-oriented projects: a project leader for design and implementation of information system for Slovene National Gallery and consulting
in the field of security policy for e-banking services at Nova ljubljanska
banka (the biggest Slovene bank). His current interests include security
policy formalization, e-business and intrusion detection.
