Computer Security Applications Conference, 1994. Proceedings., 10th Annual

Date: 5-9 Dec. 1994

Displaying Results 1 - 25 of 33
  • Tenth Annual Computer Security Applications Conference

  • Ops/Intel interface lessons learned: the integrator's perspective

    Page(s): 268 - 277

    This paper describes our experiences in integrating and fielding the Operations/Intelligence (Ops/Intel) Interface. The Ops/Intel Interface integrates secure commercial off-the-shelf (COTS) technology with untrusted applications to produce a trusted Ops/Intel workstation. The Ops/Intel Interface enables the intelligence analyst to bridge the gap between the Sensitive Compartmented Information and Secret environments, and provide more active intelligence support to the warfighter. This paper presents the lessons learned from our integration and fielding of the Ops/Intel Interface for a joint military exercise at the United States Atlantic Command.
  • Property-based testing of privileged programs

    Page(s): 154 - 163

    Addresses the problem of testing security-relevant software, especially privileged (typically, setuid root) and daemon programs in UNIX. The problem is important, since it is these programs that are the source of most UNIX security flaws. For some programs, such as the UNIX sendmail program, new security flaws are still being discovered, despite being in use for many years. For special-purpose systems with fewer users, flaws are likely to remain undiscovered for even longer. Our testing process is driven by specifications we create for the privileged programs. These specifications simultaneously define the allowed behavior for these programs and identify problematic system calls, regions where the program is vulnerable, and generic security flaws. The specifications serve three roles in our testing methodology: as criteria against which a program is sliced, as oracles against which it is tested, and as a basis for generating useful tests. Slicing is employed to significantly reduce the size of the program to be tested. We show that a slice of a privileged program (rdist) with respect to its security specifications is quite small. We introduce the Tester's Assistant, a collection of tools to mechanize the process of testing security-related C programs.
  • Applying the Abadi-Lamport composition theorem in real-world secure system integration environments

    Page(s): 44 - 53

    This paper describes research that addresses application of the Abadi-Lamport Composition theorem to the integration of real-world systems. The Formal Development Methodology (FDM) was used to describe system and component security properties, including access control, label consistency, and communications constraints. These descriptions were then used as input to the FDM theorem prover to prove the hypotheses of the Abadi-Lamport Composition Rule. Although the FDM tools were not designed for this application, they were found to be usable as long as the properties being addressed are limited to safety properties. The Abadi-Lamport framework provides a powerful, well-grounded mathematical proof rule for composing the properties of components to form systems. The combination of this framework and a usable supporting tool set is especially valuable for system integration efforts, in that it enhances the integrator's ability to describe, analyze, understand, and control the integration process.
  • Availability: theory and fundamentals for practical evaluation and use

    Page(s): 258 - 264

    What the currently available security criteria are still missing is a functional structure of the concept of availability. The intention of the article is to define a functional structure of the concept of availability in terms of basic functions, similar to the Generic Headings in the ITSEC (IT Security Criteria). The article gives the basic definitions and terms as well as a terminological introduction. It contains a list of possible threats, with a view to technical and human failure. These threats are compared with possible security functions. Examples are given of the technical implementation of these security functions (defined as mechanisms). A first approach for evaluation, based on ITSEC, is also presented.
  • AOS: an avionics operating system for multi-level secure real-time environments

    Page(s): 236 - 245

    In parallel with advances in the design of real-time systems there is an increasing need for real-time systems that can provide multilevel security. This need is highlighted by the DOD's endorsed move towards integrated avionics to enable real-time avionics and tactical applications to share a common processing platform. A generic Integrated Avionics Platform (IAP) is a heterogeneous distributed system made of a complex network of interconnected systems, each designed to support real-time applications ranging from vehicle management to weapons control. The Avionics Operating System (AOS) meets these evolving needs of multilevel secure real-time avionics systems. The AOS takes advantage of advanced microprocessor features and other innovative techniques to create an efficient yet flexible multilevel secure real-time operating system.
  • A practical approach to user authentication

    Page(s): 108 - 116

    A method for user authentication is presented which analyzes keystroking data as the user types his or her name. This study utilizes the ADALINE (ADAptive LINear Element) and backpropagation neural nets to identify the typing pattern characteristic of a particular user. A simple measure of geometric distance is also used for comparison. This paper provides a brief introduction to this type of neural net. It then describes the research procedure and contrasts the initial and new results, followed by a conclusion with notes concerning future research. For an average 15-character name, a complete exclusion of imposters is obtained from a set of over 5000 imposter samples.
  • Editorial: a view of cryptography in TCSEC products

    Page(s): 308 - 309

    The U.S. National Computer Security Center (NCSC) recently announced a change in its historical policy of not accepting encryption of any kind as a protection mechanism for TCSEC evaluated products. This editorial presents a view of this change from a vendor's perspective and raises some of the issues associated with the new policy.
  • System-of-systems security engineering

    Page(s): 228 - 235

    There is an increasing trend to treat a collection of individual systems that support a common mission as a single entity and to perform systems engineering activities for that entity. A security engineering process is proposed for systems-of-systems. This process addresses such issues as how to identify and mitigate risks resulting from connectivity, how to integrate security into a target architecture, and how to address the constraints associated with legacy systems.
  • Using security models to investigate CMW design and implementation

    Page(s): 278 - 287

    Some new security models are presented as a means of understanding the complexities of the Compartmented Mode Workstation dual-label design and the different implementations that are available. The security models, which are based upon a realistic abstraction of a computer, have floating security labels. The models are pessimistic, in that they assume that if information is potentially able to flow then it does so. The models vary in their degrees of pessimism, and thus provide different guarantees about the accuracy of a security label.
  • The effects of trusted technology on distributed applications

    Page(s): 246 - 255

    The paper examines the effect of trusted technology on a distributed application being transitioned to a trusted system. Two styles of operation are examined: restricting the operation of all components of the application to a single sensitivity level, and allowing the user interface components of the application to operate across a range of sensitivity levels. Within these operational styles, the effects of the trusted technology on the end user, the application administrator, and the developer are examined. The paper also offers suggestions for taking advantage of the enhanced security control features on trusted systems to address typical security weaknesses in distributed applications.
  • Composing system integrity using I/O automata

    Page(s): 34 - 43

    The I/O automata model of Lynch and Tuttle (1987) is summarized and used to formalize several types of system integrity based on the control of transitions to invalid states. Type-A integrity is exhibited by systems with no invalid initial states and that disallow transitions from valid reachable to invalid states. Type-B integrity is exhibited by systems that disallow externally-controlled transitions from valid reachable to invalid states. Type-C integrity is exhibited by systems that allow locally-controlled or externally-controlled transitions from reachable to invalid states. Strict-B integrity is exhibited by systems that are Type-B but not Type-A. Strict-C integrity is exhibited by systems that are Type-C but not Type-B. Basic results on the closure properties that hold under composition of systems exhibiting these types of integrity are presented in I/O automata-theoretic terms. Specifically, Type-A, Type-B, and Type-C integrity are shown to be composable, whereas Strict-B and Strict-C integrity are shown to not be generally composable. The integrity definitions and compositional results are illustrated using the familiar vending machine example specified as an I/O automaton and composed with a customer environment. The implications of the integrity definitions and compositional results on practical system design are discussed and a research plan for future work is outlined.
  • Architectural impact on performance of a multilevel database system

    Page(s): 76 - 85

    Since protection and assurance are the primary concerns in multilevel secure (MLS) databases, performance has often been sacrificed in some known MLS database approaches. Motivated by performance concerns, a replicated architecture approach which uses a physically distinct back-end database management system for each security level is being investigated. This is a report on the behavior and performance issues for the replicated architecture approach. In particular, we compare the performance of the SINTRA (Secure INformation Through Replicated Architecture) MLS database system to that of a typical conventional (non-secure, single-level) database system. After observing the performance bottlenecks for SINTRA, we present solutions that can alleviate them.
  • Benchmarking multilevel secure database systems using the MITRE benchmark

    Page(s): 86 - 95

    Multilevel secure (MLS) DBMSs are subject to a number of security-related architectural and functional factors that affect performance. These factors include, among others, the distribution of data among security levels, the session levels at which queries are run, and how the database is physically partitioned into files. In this paper, we present a benchmark methodology, a test database design, and a query suite designed to quantify this impact upon query processing. We introduce three metrics (uniformity, scale-up and speed-up) that characterize DBMS performance with varying data distributions. Finally, we provide comparisons and analysis of the results of a number of actual benchmarking experiments using DBMSs representative of the two major MLS DBMS architectures (trusted-subject and TCB-subset).
  • Editorial: why bad things happen to good systems, and what to do about it

    Page(s): 306 - 307

    Perfection in large software systems is improbable; therefore, it is prudent to enhance security by anticipating failures and preparing for contingencies. We propose an analogy with medicine, supporting curative as well as preventive action. Information technology (IT) security needs to allocate resources to contingency resolution mechanisms that can be used to complement prevention mechanisms.
  • A practical approach to high assurance multilevel secure computing service

    Page(s): 2 - 11

    Current projects aimed at providing MLS computing services rarely seem to exploit advances in related fields. Specifically, the concepts of data distribution, replication, and interoperation are currently receiving much attention in the commercial database system sector but have yet to be applied to the delivery of MLS computing services. This paper explains how these concepts might help deliver MLS computing services relatively quickly and cheaply, and how they can ease integration of legacy systems and new technology into future MLS cooperative, distributed computing environments.
  • EINet: a secure, open network for electronic commerce

    Page(s): 219 - 226

    Corporate users are by far the most rapidly growing segment of the Internet community, supplementing the existing base of government and academic users. Both corporate and government organizations want to use the Internet to "integrate" their enterprises, and foresee using the Internet to conduct electronic commerce as well. However, the lack of security services on the Internet deters its use for many such applications. The Enterprise Integration Network (EINet) provides security services to support enterprise integration and electronic commerce activities on the Internet. EINet incorporates an application-based security system with the security management and operations necessary to protect these activities in an open network environment. The paper discusses the need for security on the Internet, describes the EINet Security System, then summarizes operational experiences and future work.
  • Role-based access control: a multi-dimensional view

    Page(s): 54 - 62

    Recently there has been considerable interest in role-based access control (RBAC) as an alternative, and supplement, to the traditional discretionary and mandatory access controls (DAC and MAC) embodied in the Orange Book. The roots of RBAC can be traced back to the earliest access control systems. Roles have been used in a number of systems for segregating various aspects of security and system administration. Recent interest in RBAC has been motivated by the use of roles at the application level to control access to application data. This is an important innovation which offers the opportunity to realize benefits in securing an organization's information assets, similar to the benefits of employing databases instead of files as the data repository. A number of proposals for RBAC have been published in the literature, but there is no consensus on precisely what is meant by RBAC. This paper lays the groundwork for developing this consensus. In our view RBAC is a concept which has several dimensions, not all of which may be present in a given system or product. We envisage each dimension as being linearly ordered with respect to the sophistication of features provided. This leads us to the idea of a multi-dimensional model for RBAC. Achieving agreement on what these dimensions are, and how the features in each dimension should be ordered, will take debate and time. Our contribution here is to lay out a vision on how to approach a common understanding of RBAC, and take a first cut at identifying the dimensions of RBAC. A major benefit of such a multidimensional RBAC would be to allow comparison of different products and assessment of their appropriateness for various system requirements.
  • Automated detection of vulnerabilities in privileged programs by execution monitoring

    Page(s): 134 - 144

    Presents a method for detecting exploitations of vulnerabilities in privileged programs by monitoring their execution using audit trails, where the monitoring is with respect to specifications of the security-relevant behavior of the programs. Our work is motivated by the intrusion detection paradigm, but is an attempt to avoid ad hoc approaches to codifying misuse behavior. Our approach is based on the observation that although privileged programs can be exploited (due to errors) to cause security compromises in systems because of the privileges accorded to them, the intended behavior of privileged programs is, of course, limited and benign. The key, then, is to specify the intended behavior (i.e. the program policy) and to detect any action by a privileged program that is outside the intended behavior and that imperils security. We describe a program policy specification language, which is based on simple predicate logic and regular expressions. In addition, we present specifications of privileged programs in Unix, and a prototype execution monitor for analyzing audit trails with respect to these specifications. The program policies are surprisingly concise and clear, and in addition, capable of detecting exploitations of known vulnerabilities in these programs. Although our work has been motivated by the known vulnerabilities in Unix, we believe that by tightly restricting the behavior of all privileged programs, exploitations of unknown vulnerabilities can be detected. As a check on the specifications, work is in progress on verifying them with respect to an abstract security policy.
  • A validated security policy modeling approach

    Page(s): 189 - 200

    The paper presents a security policy modeling approach that can be applied to many types of systems, including networks and distributed systems. The approach is driven by security requirements and by system architecture. It is compatible with the modeling principles offered by recent modeling guidelines and the TCSEC modeling requirements at the B1-A1 assurance levels. The approach has been validated through its application to various development, certification and research projects, including tactical systems, secure gateways, and C3I systems. The approach presented here has been favorably reviewed by security evaluation teams for government agencies. The paper illustrates the approach by applying it to an example tactical system.
  • Performance analysis of a method for high level prevention of traffic analysis using measurements from a campus network

    Page(s): 288 - 297

    We provide cost estimates for achieving spatial neutrality under realistic network traffic conditions using two methods. Measurements done on the University of Florida campus-wide backbone network (UFNET) provide us with considerable experience to model an actual network better. Simulation results show that the algorithm's improvement over padding alone is greater for a sparse traffic matrix than for a uniform random traffic matrix. It accomplishes this by smoothing the traffic matrix by rerouting, reducing the padding overhead required to achieve a neutral traffic matrix. On the other hand, a sparse traffic matrix leads to increased costs over a uniform random traffic matrix for both padding alone and for padding with rerouting. Experiments done with UFNET traffic characteristics show that the costs are such that the proposed method can be employed in actual networks, under moderate load conditions, to achieve traffic neutrality with acceptable overheads.
  • Security for the Common Object Request Broker Architecture (CORBA)

    Page(s): 21 - 30

    Over the last several years, there has been an emphasis on distributed client/server computing in business as well as government. A useful means of achieving this capability is through the use of object technology. Distributed object systems offer many benefits, such as downsizing and right-sizing, resulting in a trend toward small, modular, commercial or government off-the-shelf components as a means of system development. Distributed object management standards, such as the Common Object Request Broker Architecture (CORBA) specification, are aiding the integration process. One area of distributed object systems that has received little attention to date is security. Security is a difficult problem in traditional software systems, and adding distribution and use of object-oriented techniques just increases the complexity of the problem. The Object Management Group (OMG) is beginning to solicit proposals from vendors for handling security in a distributed object environment. This paper gives an overview of distributed object management and standards being specified by the OMG. It applies traditional security engineering analysis to CORBA and highlights some of the security function interdependencies among CORBA components.
  • Secure system composition: five practical initiatives

    Page(s): 67 - 73

    Standards profiles, goal security architectures, core products, the Multilevel Information Systems Security Initiative (MISSI), and security profiles are important ongoing INFOSEC initiatives. This paper considers them as varying practical attempts to solve the problem of secure system composition (i.e., of how to produce a secure system from secure components). The strategy used by each to solve this problem is first characterized. The ability of each to solve the problem is then assessed. The paper concludes that, by virtue of their focus on component interfaces, all five contribute to the solution of the composition problem (to a limited degree now, to a greater degree in the future).
  • Networked information discovery and retrieval tools: security capabilities and needs

    Page(s): 145 - 153

    The Internet is a rapidly growing global network of networks. Users employ the Internet to search for and retrieve information, access remote resources, and collaborate with other users. More and more information is becoming available on the Internet. Networked information discovery and retrieval (NIDR) tools, such as Gopher, Wide Area Information Server (WAIS) and World Wide Web (WWW), have been developed to assist users with searching and retrieving a wide variety of information on the Internet. NIDR tools are becoming increasingly popular due to their ease of use and powerful navigation and "surfing" capabilities. Security is becoming an increasingly important topic regarding the use of NIDR tools. This paper identifies current and planned NIDR security capabilities and provides security recommendations for administrators and commercial NIDR providers.
  • Security concerns for distributed systems

    Page(s): 12 - 20

    One of the stated purposes of the Trusted Computer System Evaluation Criteria (TCSEC) is "to provide a standard to manufacturers as to what security features to build into their new and planned commercial products in order to provide widely available systems that satisfy trust requirements (with particular emphasis on preventing the disclosure of data) for sensitive applications". The trend in today's technology is towards networked distributed systems. One of the major criticisms of the TCSEC, more commonly known as the Orange Book, and the draft Federal Criteria (FC), now the U.S. input to the international Common Criteria (CC) draft, concerns their inability to encompass distributed systems in their rating schemes. The purpose of this paper is to discuss the various aspects of security required for distributed systems and to describe the security requirements needed in criteria from which manufacturers could build secure distributed systems.