By Topic

Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on

Date 4-7 May 1997

Filter Results

Displaying Results 1 - 25 of 30
  • Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097)

    Save to Project icon | Request Permissions | PDF file iconPDF (275 KB)  
    Freely Available from IEEE
  • Author index

    Page(s): 249
    Save to Project icon | Request Permissions | PDF file iconPDF (52 KB)  
    Freely Available from IEEE
  • A secure and reliable bootstrap architecture

    Page(s): 65 - 71
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (600 KB)  

    In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity “chain” inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made, yet these guarantees are increasingly important to diverse applications such as Internet commerce, security systems and “active networks”. In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • An MBone proxy for an application gateway firewall

    Page(s): 72 - 81
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (900 KB)  

    The Internet's multicast backbone (MBone) holds great potential for many organizations because it supports low-cost audio and video conferencing and carries live broadcasts of an increasing number of public interest events. MBone conferences are transmitted via unauthenticated multicast datagrams, which unfortunately convey significant security vulnerabilities to any system that receives them. For this reason, most application gateway firewalls block MBone datagrams sent from the Internet and prevent them from reaching hosts on internal networks. This paper describes the design and rationale for a new set of facilities for the Trusted Information Systems (TIS) Internet Firewall Toolkit (FWTK). These facilities, which are fully implemented, significantly reduce the security risks of observing or participating in MBone conferences. They impose no functional constraints on MBone applications and are transparent to users. Configuration options that support tradeoffs among security, performance and ease of use are discussed View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • The design and implementation of a multilevel secure log manager

    Page(s): 55 - 64
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (940 KB)  

    This paper discusses the security issues involved in log management for a multilevel secure database system and presents a design and implementation of a prototype multilevel secure log manager. The main goal of a log manager is to provide high bandwidth and low flush latency. We examine the performance of our design, by observing the flush latency and log bandwidth. We also informally evaluate the security of our approach View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Filtering postures: local enforcement for global policies

    Page(s): 120 - 129
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (836 KB)  

    When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology, will compute a set of filters for the individual routers; these filters are guaranteed to enforce the policy correctly. Since these filters may not provide optimal service, a human must sometimes alter them. A second algorithm compares a resulting set of filters to the global network access control policy to determine all policy violations, or to report that none exist. A prototype implementation demonstrates that the algorithms are efficient enough to give quick answers to questions of realistic scale View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Providing flexibility in information flow control for object oriented systems

    Page(s): 130 - 140
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1004 KB)  

    This paper presents an approach to control information flow in object-oriented systems that takes into account, besides authorizations on objects, also how the information has been obtained and/or transmitted. These aspects are considered by allowing exceptions to the restrictions stated by the authorizations. Exceptions are specified by means of waivers associated with methods. Two kinds of waivers are supported: invoke-waivers, specifying exceptions applicable during a method's execution, and reply-waivers, specifying exceptions applicable to the information returned by a method. Information flowing from one object into another object is subject to the different waivers of the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction taking into consideration different interaction modes among objects. We then define security specifications, meaning authorizations and waivers, and characterize safe information flows. We formally define conditions whose satisfaction ensures absence of unsafe flows and present an algorithm enforcing these conditions View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Research on proof-carrying code for untrusted-code security

    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (96 KB)  

    A powerful method of interaction between two software systems is through mobile code. By allowing code to be installed dynamically and then executed, a host system can provide a flexible means of access to its internal resources and services. There are many problems to be solved before such uses of untrusted code can become practical. We focus on the problem of how to establish guarantees about the intrinsic behavior of untrusted programs. Of particular interest are the following: (1) How can the host system ensure that the untrusted code will not damage it, for example, by corrupting internal data structures? (2) How can the host ensure that the untrusted code will not use too many resources (such as CPU, memory, and so forth) or use them for too long a time period? (3) How can the host make these assurances without undue effort and deleterious effect on overall system performance? Our position is that the theory of programming languages, including formal semantics, type theory, and applications of logic, are critical to solving the untrusted code security problem. To illustrate the possibilities of programming language theory, we briefly describe one rather extreme but promising example, which is proof carrying code (PCC). This is a technique by which the host establishes a set of safety rules that guarantee safe behavior of programs, and the code producer creates a formal safety proof that proves, for the untrusted code, adherence to the safety rules. Then, the host is able to use a simple and fast proof validator to check, with certainty, that the proof is valid and hence the foreign code is safe to execute View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Analysis of a denial of service attack on TCP

    Page(s): 208 - 223
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1112 KB)  

    The paper analyzes a network based denial of service attack for IP (Internet Protocol) based networks. It is popularly called SYN flooding. It works by an attacker sending many TCP (Transmission Control Protocol) connection requests with spoofed source addresses to a victim's machine. Each request causes the targeted host to instantiate data structures out of a limited pool of resources. Once the target host's resources are exhausted, no more incoming TCP connections can be established, thus denying further legitimate access. The paper contributes a detailed analysis of the SYN flooding attack and a discussion of existing and proposed countermeasures. Furthermore, we introduce a new solution approach, explain its design, and evaluate its performance. Our approach offers protection against SYN flooding for all hosts connected to the same local area network, independent of their operating system or networking stack implementation. It is highly portable, configurable, extensible, and requires neither special hardware, nor modifications in routers or protected end systems View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Some weaknesses of the TCB model

    Page(s): 3 - 5
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (204 KB)  

    This paper summarizes the affirmative argument supporting the proposition that “the concept of the trusted computing base (TCB) as a basis for constructing systems to meet security requirements is fundamentally flawed and should no longer be used to justify system security architectures” View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A logical language for expressing authorizations

    Page(s): 31 - 42
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1084 KB)  

    A major drawback of existing access control systems is that they have all been developed with a specific access control policy in mind. This means that all protection requirements (i.e. accesses to be allowed or denied) must be specified in terms of the policy enforced by the system. While this may be trivial for some requirements, specification of other requirements may become quite complex or even impossible. The reason for this is that a single policy simply cannot capture the different protection requirements that users may need to enforce on different data. In this paper, we take a first step towards a model that is able to support different access control policies. We propose a logical language for the specification of authorizations on which such a model can be based. The Authorization Specification Language (ASL) allows users to specify, together with the authorizations, the policy according to which access control decisions are to be made. Policies are expressed by means of rules which enforce the derivation of authorizations, conflict resolution, access control and integrity constraint checking. We illustrate the power of our language by showing how different constraints that are sometimes required, but very seldom supported by existing access control systems, can be represented in our language View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Automated analysis of cryptographic protocols using Murφ

    Page(s): 141 - 151
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (940 KB)  

    A methodology is presented for using a general-purpose state enumeration tool, Murφ, to analyze cryptographic and security-related protocols. We illustrate the feasibility of the approach by analyzing the Needham-Schroeder (1978) protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murφ also allows us to examine multiple terms of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Ensuring assurance in mobile computing

    Page(s): 114 - 118
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (416 KB)  

    This paper introduces a panel discussion on establishing assurance evidence that mobile code applications perform as expected by the user, without the side effects that have been demonstrated as possible in constructed examples of malicious or “rogue” applets. The paper's principal authors, Schaefer and Pinsky, have been engaged in cooperative research with the JavaSoft community to gain understanding of the complexities of assurance for mobile code applications. The paper discusses part of this on-going research. The panel adds the voices and experience of a continuing researcher, Dean, and of active practitioners from the principal vendors of mobile-code-enabled (and enabling) products. The panel actively debates the issues of providing compelling assurance evidence relating to the control of such code View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Toward acceptable metrics of authentication

    Page(s): 10 - 20
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (956 KB)  

    Authentication using a path of trusted intermediaries, each able to authenticate the next one in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Several authors have thus proposed metrics to evaluate the confidence afforded by a set of paths. In this paper, we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches fail with respect to them and what the consequences to authentication might be. We then propose a direction for constructing metrics that come closer to meeting our principles and thus, we believe, to being satisfactory metrics for authentication View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Anonymous connections and onion routing

    Page(s): 44 - 54
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1076 KB)  

    Onion routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of proxies. The proxies may also make communication anonymous by removing identifying information from the data stream. Onion routing has been implemented on Sun Solaris 2.X with proxies for Web browsing, remote logins and e-mail. This paper's contribution is a detailed specification of the implemented onion routing system, a vulnerability analysis based on this specification, and performance results View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Is the reference monitor concept fatally flawed? The case for the negative

    Page(s): 6 - 7
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (164 KB)  

    The reference monitor (RM) model has passed the critical test imposed by the methodology of science: it has been a productive concept for the field of computer security since its introduction. The call to abandon a productive model, however intellectually stimulating, should not be heeded simply for the sake of novelty. It is our hope that this debate will stimulate an examination of foundations, but we do not believe that such an examination, carefully undertaken, supports the affirmative case. We urge our readers and listeners to embrace the following conclusions, favoring dismissal of the resolution: first, that claims that the RM model is fundamentally flawed must be based on more than wishful thinking or technical frustration. Second, that radical claims for “new paradigms” be subjected to the usual degree of skepticism unless accompanied by compelling proofs of concept View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Surviving information warfare attacks on databases

    Page(s): 164 - 174
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1116 KB)  

    We consider the problem of surviving information warfare attacks on databases. We adopt a fault tolerance approach to the different phases of an attack. To maintain precise information about the attack, we mark data to reflect the severity of detected damage as well as the degree to which the damaged data has been repaired. In the case of partially repaired data, integrity constraints might be violated, but data is nonetheless available to support mission objectives. We define a notion of consistency suitable for databases in which some information is known to be damaged, and other information is known to be only partially repaired. We present a protocol for normal transactions with respect to the damage markings and show that consistency preserving normal transactions maintain database consistency in the presence of damage. We present an algorithm for taking consistent snapshots of databases under attack. The snapshot algorithm has the virtue of not interfering with countermeasure transactions View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Security in innovative new operating systems

    Page(s): 202 - 203
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (144 KB)  

    A principal criterion by which new operating systems are judged is the level of performance that they provide for applications. To this end, new operating systems have sought novel approaches to performance enhancement. A theme common to many of these initiatives is that of specialization. Instead of an operating system designed to serve all applications (either equally well or equally badly), the operating system is adapted to serve the needs of the application. The intent is not to provide a different static operating system for each application but to allow the operating system to be dynamically modified or specialized to best serve each application. The five operating system efforts presented are: the Exokernel Project, the Fluke Project, the Fox Project, the Scout Project, and the SPIN Project. The authors hope to give an overview of the innovative techniques being used to enhance performance in these systems and to discuss the effect of those enhancements on one's ability to reason about the security properties of systems View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Full text access may be available. Click article title to sign in or learn about subscription options.
  • Escort: securing Scout paths

    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (80 KB)  

    Scout is a communication oriented operating system that can be specialized for different information appliances. It uses paths as an explicit first class object to describe the flow of information through the system. Escort is the security architecture for Scout. It uses the explicit knowledge provided by a path abstraction to secure information flow in a flexible manner View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Catalytic inference analysis: detecting inference threats due to knowledge discovery

    Page(s): 188 - 199
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1048 KB)  

    Knowledge discovery in databases can be enhanced by introducing “catalytic relations” conveying external knowledge. The new information catalyzes database inference, manifesting latent channels. Catalytic inference is imprecise in nature, but the granularity of inference may be fine enough to create security compromises. Catalytic inference is computationally intensive. However, it can be automated by advanced search engines that gather and assemble knowledge from information repositories. The relentless information gathering potential of such search engines makes them formidable security threats. This paper presents a formalism for modeling and analyzing catalytic inference in “mixed” databases containing various precise, imprecise and fuzzy relations. The inference formalism is flexible and robust, and well-suited to implementation View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • An authorization scheme for distributed object systems

    Page(s): 21 - 30
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (800 KB)  

    Addresses the problem of distributed object system protection. A new authorization scheme is presented and described, based on the collaboration between a central authorization server and security kernels located on each site of the system. A novel approach to access rights management for such an architecture is detailed, based on a new kind of access rights and a new scheme of privilege delegation. This authorization scheme can be adapted to various security policies, including multilevel policies such as that of Bell & LaPadula (1975). An extension of the Bell-LaPadula model to distributed object systems is presented and its implementation using the authorization scheme is described View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Analyzing consistency of security policies

    Page(s): 103 - 112
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (752 KB)  

    We discuss the development of a methodology for reasoning about properties of security policies. We view a security policy as a special case of regulation which specifies what actions some agents are permitted, obliged or forbidden to perform and we formalize a policy by a set of deontic formulae. We first address the problem of checking policy consistency and describe a method for solving it. The second point we are interested in is how to query a policy to know the actual norms which apply to a given situation. In order to provide the user with consistent answers, the normative conflicts which may appear in the policy must be solved. For doing so, we suggest using the notion of roles and define priorities between roles View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • How to systematically classify computer security intrusions

    Page(s): 154 - 163
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (872 KB)  

    This paper presents a classification of intrusions with respect to the technique as well the result. The taxonomy is intended to be a step on the road to an established taxonomy of intrusions for use in incident reporting, statistics, warning bulletins, intrusion detection systems etc. Unlike previous schemes, it takes the viewpoint of the system owner and should therefore be suitable to a wider community than that of system developers and vendors only. It is based on data from a realistic intrusion experiment, a fact that supports the practical applicability of the scheme. The paper also discusses general aspects of classification, and introduces a concept called dimension. After having made a broad survey of previous work in the field, we decided to base our classification of intrusion techniques on a scheme proposed by Neumann and Parker (1989) and to further refine relevant parts of their scheme. Our classification of intrusion results is derived from the traditional three aspects of computer security: confidentiality, availability and integrity View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Execution monitoring of security-critical programs in distributed systems: a specification-based approach

    Page(s): 175 - 187
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1180 KB)  

    We describe a specification-based approach to detect exploitations of vulnerabilities in security-critical programs. The approach utilizes security specifications that describe the intended behavior of programs and scans audit trails for operations that are in violation of the specifications. We developed a formal framework for specifying the security-relevant behavior of programs, on which we based the design and implementation of a real-time intrusion detection system for a distributed system. Also, we wrote security specifications for 15 Unix setuid root programs. Our system detects attacks caused by monitored programs, including security violations caused by improper synchronization in distributed programs. Our approach encompasses attacks that exploit previously unknown vulnerabilities in security-critical programs View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.