By Topic

Software Engineering, IEEE Transactions on

Issue 6 • Date Jun 1990

Filter Results

Displaying Results 1 - 10 of 10
  • Compartmented mode workstation: prototype highlights

    Publication Year: 1990 , Page(s): 608 - 618
    Cited by:  Papers (6)  |  Patents (22)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1136 KB)  

    The primary goal of the MITRE compartmented mode workstation (CMW) project was to articulate the security requirements that workstations must meet to process highly classified intelligence data. As a basis for the validity of the requirements developed, a prototype was implemented which demonstrated that workstations could meet the requirements in an operationally useful manner while still remaining binary compatible with off-the-shelf software. The security requirements not only addressed traditional security concerns but also introduced concepts in areas such as labeling and the use of a trusted window management system. The CMW labeling paradigm is based on associating two types of security labels with objects: sensitivity levels and information labels. Sensitivity levels describe the levels at which objects must be protected. Information labels are used to prevent data overclassification and also provide a mechanism for associating with data those markings that are required for accurate data labeling, but which play no role in access control decisions. The use of a trusted window manager allows users to easily operate at multiple sensitivity levels and provides a convenient mechanism for communicating security information to users in a relatively unobtrusive manner View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A model for multilevel security in computer networks

    Publication Year: 1990 , Page(s): 647 - 659
    Cited by:  Papers (1)  |  Patents (24)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1264 KB)  

    A model is presented that precisely describes the mechanism that enforces the security policy and requirements for a multilevel secure network. The mechanism attempts to ensure secure flow of information between entities assigned to different security classes in different computer systems connected to the network. The mechanism also controls the access to the network devices by the subjects (users and processes executed on behalf of the users) with different security clearances. The model integrates the notions of nondiscretionary access control and information flow control to provide a trusted network base that imposes appropriate restrictions on the flow of information among the various devices. Utilizing simple set-theoretic concepts, a procedure is given to verify the security of a network that implements the model View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A hookup theorem for multilevel security

    Publication Year: 1990 , Page(s): 563 - 568
    Cited by:  Papers (32)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (508 KB)  

    A security property for trusted multilevel systems, restrictiveness, is described. It restricts the inferences a user can make about sensitive information. This property is a hookup property, or composable, meaning that a collection of secure restrictive systems when hooked together form a secure restrictive composite system. It is argued that the inference control and composability of restrictiveness make it an attractive choice for a security policy on trusted systems and processes View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • ABYSS: an architecture for software protection

    Publication Year: 1990 , Page(s): 619 - 629
    Cited by:  Papers (9)  |  Patents (97)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1040 KB)  

    ABYSS (a basic Yorktown security system) is an architecture for protecting the execution of application software. It supports a uniform security service across the range of computing systems. The use of ABYSS in solving the software protection problem, especially in the lower end of the market, is discussed. Both current and planned software distribution channels are supportable by the architecture, and the system is nearly transparent to legitimate users. A novel use-once authorization mechanism, called a token, is introduced as a solution to the problem of providing authorizations without direct communication. Software vendors may use the system to obtain technical enforcement of virtually any terms and conditions of the sale of their software, including such things as rental software. Software may be transferred between systems, and backed up to guard against loss in case of failure. The problem of protecting software on these systems is discussed, and guidelines to its solution are offered View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A language for specifying program transformations

    Publication Year: 1990 , Page(s): 630 - 638
    Cited by:  Patents (3)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (728 KB)  

    A language is described for specifying program transformations, from which programs can be generated to perform the transformations on sequences of code. The main objective of this work has been to develop a language that would allow the user to quickly and easily specify a wide range of transformations for a variety of programming languages. The rationale for the language constructs is given, as well as the details of an implementation which was prototyped using Prolog. Numerous examples of the language usage are provided View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Memory access dependencies in shared-memory multiprocessors

    Publication Year: 1990 , Page(s): 660 - 673
    Cited by:  Papers (31)  |  Patents (6)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1336 KB)  

    The presence of high-performance mechanisms in shared-memory multiprocessors such as private caches, the extensive pipelining of memory access, and combining networks may render a logical concurrency model complex to implement or inefficient. The problem of implementing a given logical concurrency model in such a multiprocessor is addressed. Two concurrency models are considered, and simple rules are introduced to verify that a multiprocessor architecture adheres to the models. The rules are applied to several examples of multiprocessor architectures View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • The SeaView security model

    Publication Year: 1990 , Page(s): 593 - 607
    Cited by:  Papers (29)  |  Patents (5)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1420 KB)  

    A multilevel database is intended to provide the security needed for database systems that contain data at a variety of classifications and serve a set of users having different clearances. A formal security model for such a system is described. The model is formulated in two layers, one corresponding to a reference monitor that enforces mandatory security, and the second an extension of the standard relational model defining multilevel relations and formalizing policies for labeling new and derived data, data consistency, and discretionary security. The model also defines application-independent properties for entity integrity, referential integrity, and polyinstantiation integrity View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A transportable programming language (TPL) system. II. The bifunctional compiler system

    Publication Year: 1990 , Page(s): 639 - 646
    Cited by:  Patents (1)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (796 KB)  

    For pt.I see P.A.D. de Maine, S. Leong, and C.G. Dairs, Int. J. Comput. Inform. Sci., vol.14, p.161-82, 1985. The transportable programming language (TPL) method is a high-level-language approach that uses a bifunctional compiler to efficiently convert code among various dialects of a particular high-level language (HLL) via the hypothetical parent of the high-level language (HPHLL). The TPL compiler system that has been implemented has three parts: a rule modifier, a table generator, and a TPL compiler. A metalanguage, called the conversion rule description language (CRDL), is used to describe the conversion of a dialect to HPHLL and of the HPHLL to another dialect. The table generator translates those descriptions to tabular forms that drive the bifunctional compiler. The TPL compiler can then be used to translate programs coded in a local dialect into HPHLL and vice versa. The rule modifier alters the descriptions of a default-a synthetic `most common'-dialect. It greatly simplifies the task of writing the conversion descriptions for a new environment or dialect. The TPL method is now being extended so that it can be used to retarget a dialect of any HLL to a standard environment such as Ada. Details of the TPL compiler system are given View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • A specification and verification method for preventing denial of service

    Publication Year: 1990 , Page(s): 581 - 592
    Cited by:  Papers (5)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1116 KB)  

    A specification and verification method is presented for preventing denial of service in absence of failures and of integrity violations. The notion of user agreements is introduced, and it is argued that lack of specifications for these agreements and for simultaneity conditions makes it impossible to demonstrate denial-of-service prevention, in spite of demonstrably fair service access. The use of this method is illustrated with an example and it is explained why current methods for specification and verification of safety and liveness properties of concurrent programs do not handle this problem. The proposed specification and verification method is meant to augment current methods for secure system design View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • On the identification of covert storage channels in secure systems

    Publication Year: 1990 , Page(s): 569 - 580
    Cited by:  Papers (13)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1080 KB)  

    A practical method for the identification of covert storage channels is presented and its application to the source code of the Secure Xenix kernel is illustrated. The method is based on the identification of all visible/alterable kernel variables by using information-flow analysis of language code. The method also requires that, after the sharing relationships among the kernel primitives and the visible/alterable variables are determined, the nondiscretionary access rules implemented by each primitive be applied to identify the potential storage channels. The method can be generalized to other implementation languages, and has the following advantages: it helps discover all potential storage channels is kernel code, thereby helping determine whether the nondiscretionary access rules are implemented correctly; it helps avoid discovery of false flow violations and their unnecessary analysis; and it helps identify the kernel locations where audit code and time-delay variables need to be placed for covert-channel handling View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.

Aims & Scope

The IEEE Transactions on Software Engineering is interested in well-defined theoretical results and empirical studies that have potential impact on the construction, analysis, or management of software. The scope of this Transactions ranges from the mechanisms through the development of principles to the application of those principles to specific environments. Specific topic areas include: a) development and maintenance methods and models, e.g., techniques and principles for the specification, design, and implementation of software systems, including notations and process models; b) assessment methods, e.g., software tests and validation, reliability models, test and diagnosis procedures, software redundancy and design for error control, and the measurements and evaluation of various aspects of the process and product; c) software project management, e.g., productivity factors, cost models, schedule and organizational issues, standards; d) tools and environments, e.g., specific tools, integrated tool environments including the associated architectures, databases, and parallel and distributed processing issues; e) system issues, e.g., hardware-software trade-off; and f) state-of-the-art surveys that provide a synthesis and comprehensive review of the historical development of one particular area of interest.

Full Aims & Scope

Meet Our Editors

Editor-in-Chief
Matthew B. Dwyer
Dept. Computer Science and Engineering
256 Avery Hall
University of Nebraska-Lincoln
Lincoln, NE 68588-0115 USA
tseeicdwyer@computer.org