4.7. Further Reading
Much of security analysis involves definition and refinement of security policies. Wood [954] has published a book of templates for specific parts of policies. That book justifies each part and allows readers to develop policies by selecting the appropriate parts from a large set of possibilities. Essays by Bailey [51] and Abrams and Bailey [4] discuss management of security issues and explain why different members of an organization interpret the same policy differently. Sterne's wonderful paper [875] discusses the nature of policy in general.
Jajodia and his colleagues [467] present a "little language" for expressing authorization policies. They show that their language can express many aspects of existing policies and argue that it allows elements of these policies to be combined into authorization schemes. Other little languages include DTEL [50,336], a constraint language for Java programs [708]. File system state analysis programs use low-level policy languages to describe the current file system state; two examples are the programs tripwire [510] and the RIACS auditing and checking system [98].
Boebert and Kain [119] observed that type checking provides a form of access control. Some policy languages (such as DTEL) are based on this observation. At least one firewall [900] has security mechanisms also based on type checking.
Cholvy and Cuppens [173] describe a method of checking policies for consistency and determining how they apply to given situations.
Son, Chaney, and Thomlinson [856] discuss enforcement of partial security policies in real-time databases to balance real-time requirements with security. Their idea of "partial security policies" has applications in other environments. Zurko and Simon [966] present an alternative focus for policies.
Jones and Lipton [472] explored the balancing of security and precision for confidentiality policies.
| 
