A novel logic-based automatic approach to constructing compliant security policies

It is significant to automatically detect and resolve the incompliance in security policy. Most existing works in this field focus on compliance verification, and few of them provide approaches to automatically correct the incompliant security policies. This paper proposes a novel approach to automatically transform a given security policy into a compliant one. Given security policy Pi and delegation policy M declared by logic programs, the approach automatically rewrites Pi into a new one Pi(M) which is compliant with M and is readable by the humans. We prove that the algorithm is sound and complete under noninterference assumption. Formally, we show that the security policy query evaluation algorithm with conflict and unsettlement resolution still works very well on Pi(M). The approach is automatic, so it doesn't require a administrator with excess abilities. In this sense, our proposal can help us to save much manpower resource in security management and improves the security assurance abilities.