Aerospace Computer Security Applications Conference, 1988., Fourth

Date 12-16 Sept. 1988

Displaying Results 1 - 25 of 52
  • Fourth Aerospace Computer Security Applications Conference (IEEE Cat. No.CH2619-5)

    Publication Year: 1988
    Freely Available from IEEE

  • Encryption using random keys-a scheme for secure communications

    Publication Year: 1988 , Page(s): 410 - 412
    Cited by:  Patents (2)

    An encryption scheme using a random key generator with memory is presented. This system generates a random sequence of encryption/decryption keys. A feedback mechanism is used to endow the key generator with memory, thereby making it difficult to infer the random key sequence from a partial sequence of keys. The random key sequence is independent of the encrypting algorithm and is particularly suitable for block encryption. An information-theoretic entropy measure of cryptologic hardness is developed and an upper bound for this measure is established. The proposed scheme is compared with some existing cryptographic schemes and it is demonstrated that the proposed scheme and its variants are more attack resilient and are capable of achieving the theoretical upper bound.

  • Retrofitting and developing applications for a trusted computing base

    Publication Year: 1988 , Page(s): 212 - 215
    Cited by:  Papers (2)

    The authors discuss the concept of a software analysis procedure to aid in the conversion of existing applications and in the development of applications for use with a trusted computing base (TCB). In this procedure, the system processes are broken down into small entities that permit detailed analysis to ensure that the trusted processes will be at the absolute minimum. The use of this analysis within two separate projects, one involving conversion of existing software and one involving development of software, is discussed to demonstrate the process. It is concluded that the processes identified and needing to be trusted were those which violated the security model; all other security-related processes are supplied by the TCB. It is further concluded that performance problems caused by TCB mediation brought about by security requirements can be somewhat alleviated by implementing larger object-level entities in a layered fashion.

  • Producing secure digital information systems

    Publication Year: 1988 , Page(s): 180 - 122

    The security of a digital information system is determined by the process that produces the system. Thus, it is argued that the system production process is the central issue in achieving secure systems. A rigorous approach to digital system engineering is described which is based on a mathematical function that accurately and completely describes the physical behavior of the digital device in question. It is concluded that two critical steps needed to enable this rigorous approach to engineering secure digital systems are: to provide digital hardware whose behavior conforms to a mathematical function; and to provide a clear, precise statement of what that function is.

  • Secure system development in industry: a perspective from Digital Equipment

    Publication Year: 1988 , Page(s): 132 - 136
    Cited by:  Papers (1)

    Three types of threat to computer and network security, namely user irresponsibility, probing, and penetration, are examined and their implications for product development are assessed. These implications are compared to the US Trusted Computer System Evaluation Criteria, with the finding that systems of evaluation class C2 are required throughout the customer base of a large commercial manufacturer. Enhancement of the security of such systems to class B1 is found to be both practical and useful to customers in both the national security and commercial sectors. The longer-term prospects for systems at higher evaluation classes are also examined. In the area of network security, the requirements of local and long-haul networks are examined, and roles of link and end-to-end encryption products characterized. The prospects for general commercial network security products and their relationship to national security requirements are examined.

  • Making databases secure with TRUDATA technology

    Publication Year: 1988 , Page(s): 82 - 90
    Cited by:  Papers (1)  |  Patents (2)

    Trusted database (TRUDATA) technology injects multilevel security (MLS) policy enforcement features and assurances into existing relational database management system (DBMS) products. TRUDATA technology consists of a data model, a security policy model, system architecture, and implementation approach which, together, define a trusted MLS DBMS. The result of applying TRUDATA technology to existing baseline products with suitable characteristics is a trusted DBMS targeted at the B1 and B2 evaluation classes of DoD 5200.28-STD as interpreted for DBMSs. By combining a view-based security model with slight alterations to the relational DBMS products, without abandoning existing applications investments, the first implementation substantiates the protection and performance capabilities of TRUDATA.

  • Structuring trust in a large general purpose operating system

    Publication Year: 1988 , Page(s): 152 - 158

    A description is given of the approach taken by ICL to ameliorate the problem of evaluating the security of a large operating system in which the number of TCB (trusted computing base) and trusted process code procedures is large enough to make exhaustive detailed scrutinization more than exhausting. The approach is applicable to any structured large general-purpose system that enables a conventional TCB/trusted process architecture to be implemented, though it is described with particular reference to ICL's VME (virtual machine environment) operating system. It is concluded that not only is it possible to structure the TCB into separately identifiable components with different responsibilities but it is also possible to provide a fine-grain categorization of the different degrees of trust vested in the trusted processes.

  • Inference controls for frequency count tables: an update

    Publication Year: 1988 , Page(s): 112 - 117

    A synopsis of mathematical problems and results that have been obtained in establishing effective inference controls for frequency-count tables is presented. This brings up-to-date a related article by L.H. Cox (see CIPHER, p.4-14, 1986). Particular attention is given to inference controls for two-way frequency count tables and generalization for sets of tables and higher dimensions.

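    The abstract above refers to inference controls for two-way frequency-count tables. The following is an added example, not code or results from the paper: it shows the basic mechanism such controls are built on, primary suppression of small cells, the subtraction attack that marginals make possible when a suppressed cell is alone in its row or column, and complementary suppression to close that gap. The table, the threshold and the greedy choice of complementary cells are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample two-way table: rows = department, columns = salary band,
# cell = number of people. A small cell identifies a few individuals.
TABLE = [
    [12, 1, 7],
    [8, 15, 2],
    [20, 9, 11],
]
THRESHOLD = 3  # a count below this is treated as identifying


def totals(table):
    """Row and column marginals, which are published alongside the table."""
    rows = [sum(r) for r in table]
    cols = [sum(c) for c in zip(*table)]
    return rows, cols


def primary_suppress(table, threshold):
    """Replace every cell with 0 < count < threshold by None (primary suppression)."""
    out = deepcopy(table)
    for i, row in enumerate(out):
        for j, v in enumerate(row):
            if 0 < v < threshold:
                out[i][j] = None
    return out


def recoverable(masked):
    """A suppressed cell that is the only hole in its row or column can be
    recovered by subtracting the visible cells from the marginal. Return its
    (row, col), or None if every hole shares both its row and its column
    with another hole."""
    for i, row in enumerate(masked):
        holes = [j for j, v in enumerate(row) if v is None]
        if len(holes) == 1:
            return (i, holes[0])
    for j in range(len(masked[0])):
        holes = [i for i in range(len(masked)) if masked[i][j] is None]
        if len(holes) == 1:
            return (holes[0], j)
    return None


def recover(masked, table):
    """The attacker's step: recover one suppressed cell exactly from the
    published marginals. `table` is only used to obtain those marginals;
    the attacker never sees the unsuppressed cells."""
    row_tot, col_tot = totals(table)
    hit = recoverable(masked)
    if hit is None:
        return None
    i, j = hit
    if sum(v is None for v in masked[i]) == 1:
        return (i, j, row_tot[i] - sum(v for v in masked[i] if v is not None))
    col = [masked[r][j] for r in range(len(masked))]
    return (i, j, col_tot[j] - sum(v for v in col if v is not None))


def complementary_suppress(masked):
    """Add complementary suppressions until no hole is alone in its row or
    column. When a row needs a second hole, prefer a column that already has
    a hole elsewhere, so the holes close into rectangles instead of spreading
    across the table; ties go to the smallest count, to lose the least data."""
    out = deepcopy(masked)

    def holes_in_col(c):
        return sum(out[r][c] is None for r in range(len(out)))

    def holes_in_row(r):
        return sum(v is None for v in out[r])

    while (hit := recoverable(out)) is not None:
        i, j = hit
        if holes_in_row(i) == 1:
            cands = [c for c, v in enumerate(out[i]) if v is not None]
            c = min(cands, key=lambda c: (holes_in_col(c) == 0, out[i][c]))
            out[i][c] = None
        else:
            cands = [r for r in range(len(out)) if out[r][j] is not None]
            r = min(cands, key=lambda r: (holes_in_row(r) == 0, out[r][j]))
            out[r][j] = None
    return out
```

    On the constructed table, primary suppression hides the cells holding 1 and 2; `recover` then reads the 1 straight off the row marginal. After `complementary_suppress` the four hidden cells form a 2x2 rectangle and subtraction no longer works, but the marginals still constrain them as a linear system: the cell whose true count is 1 is only known to lie in [0, 8]. Computing and tightening such intervals, and doing so across sets of linked tables, is the mathematics the paper surveys; this example stops at the mechanism.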
  • An alternative implementation of the reference monitor concept [military messaging, secure]

    Publication Year: 1988 , Page(s): 159 - 166
    Cited by:  Patents (5)

    Research into the multilevel secure automated exchange of military messages is reported. This work represents approaches to designed-in security that are not based on the security kernel and Bell/LaPadula model approaches that have dominated military message systems and the industry. Instead, the approach is based on the concept of a network of communicating finite-state machines. The resulting product is the military message embedded executive (ME2), and its supporting hardware base, the trusted military message processor. Beyond its state machine architecture it is suggested that the ME2 is additionally unique for its attention to the process security requirements of embedded computers.

  • Query processing in LDV: a secure database system

    Publication Year: 1988 , Page(s): 118 - 124
    Cited by:  Papers (1)  |  Patents (13)

    An overview is given of the query processing of the multilevel secure database management system (MLS/DBMS), LOCK Data Views (LDV), for the secure distributed Data Views contract. The authors summarize design issues such as data distribution, polyinstantiation, and response assembly. They show the need for a security policy for a database system that builds on the classical security policies for operating systems. They describe some of the problems associated with multilevel databases and their approach to solving them. They also explain how a pipeline organization helps to minimize the amount of design and code that must be trusted and/or verified.

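    Polyinstantiation, named in the abstract above as one of the design issues, is easiest to see in code. The following is an added example, not LDV's design or code, and it does not show LDV's pipeline organization or its response assembly; it shows the generic rule that a multilevel relation keys its tuples on (apparent key, classification) and why a low-level insert must succeed even when a higher-level tuple with the same key already exists. Classification levels, the relation and its sample data are constructed.

```python
from dataclasses import dataclass

# Constructed classification levels; a real system uses a lattice of
# level plus categories, which the integer comparison here stands in for.
UNCLASSIFIED, CONFIDENTIAL, SECRET = 0, 1, 2


@dataclass(frozen=True)
class Row:
    key: str    # apparent primary key, e.g. a mission identifier
    level: int  # classification of this tuple instance
    dest: str   # a data attribute


class MultilevelRelation:
    """A relation whose tuples carry their own classification.
    The real primary key is (key, level): the same apparent key may have
    one instance per level (entity polyinstantiation)."""

    def __init__(self):
        self.rows = []

    def select(self, level):
        """Query at `level`: only tuples dominated by the subject are
        returned (simple security, no read up). Higher tuples are invisible,
        never reported as 'denied', because a denial would itself leak."""
        return [r for r in self.rows if r.level <= level]

    def instances(self, level, key):
        """All instances of one apparent key visible at `level`."""
        return [r for r in self.select(level) if r.key == key]

    def insert(self, level, key, dest):
        """Insert or replace at the subject's own level only.
        - A lower tuple with the same key is never overwritten: that would
          be a write down by the high subject.
        - An existing higher tuple never causes rejection: refusing the
          insert would tell the low subject that classified data exists.
        Either way two instances of the key coexist; the low one is the
        cover story the high subject sees beside the real tuple."""
        self.rows = [r for r in self.rows
                     if not (r.key == key and r.level == level)]
        self.rows.append(Row(key, level, dest))

    def delete(self, level, key):
        """Delete only the instance at the subject's level; a low subject
        can neither remove nor learn about a higher instance."""
        self.rows = [r for r in self.rows
                     if not (r.key == key and r.level == level)]


def demo():
    rel = MultilevelRelation()
    rel.insert(SECRET, "M-17", "site-north")        # planned by a Secret user
    rel.insert(UNCLASSIFIED, "M-17", "site-south")  # a low user reuses the key
    return rel
```

    The price of this rule is exactly the response-assembly problem the abstract mentions: a Secret query for M-17 gets two tuples, and something above the storage layer has to decide whether to present both, only the highest, or a merged view, without that logic becoming part of the trusted code base.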
  • Security protection based on mission criticality

    Publication Year: 1988 , Page(s): 228 - 232
    Cited by:  Papers (2)

    Developments connected with security protection based on mission criticality at the US Department of Defense (DoD) are discussed. It is shown that assurance of service can be achieved as part of the design, thereby making availability in the presence of malicious threat an integrity problem. There are two approaches to simultaneously deal with both sensitivity and criticality policies: a restrictive combined data flow policy or a strategy that uses isolation techniques (e.g., encryption). Criticality attacks almost always allow a detection and recovery strategy, which can utilize encoding and is less expensive than a resistance strategy (like sensitivity protection). It is suggested that a DoD security objective and accompanying policy should be based on assuring accomplishment of nationally critical missions dealing with loss of integrity and denial of service threats.

  • A microprocessor design for multilevel security

    Publication Year: 1988 , Page(s): 194 - 198
    Cited by:  Patents (2)

    A protection architecture, specifically designed to meet the requirements for secure hardware, is described. This architecture, which is called the KEVEC-32 (Kernelized Verifiable CISC processor), enforces a multilevel, categorized model of security. Intended for multilevel applications, the microprocessor uses several unique features to provide a high degree of security. The most significant of these is a separation of processor privilege states and data classification. The processor also provides enhanced access control through a domain-based virtual addressing system. An extended 56-bit virtual address provides accountability by assigning each user a specific address space. Finally, security validation is facilitated by organizing all security-related portions of hardware into a secure kernel.

  • A model for secure distributed computations in a heterogeneous environment

    Publication Year: 1988 , Page(s): 233 - 241
    Cited by:  Papers (2)  |  Patents (15)

    The author presents a model for secure distributed computations in a multilevel security, heterogeneous environment, called the multimember session model. This model does not place any restrictions on the computations using it, nor does it require any modification of security policies of local secure operating systems. It provides isolation between unrelated computations, and it ensures that the information flow in a distributed environment follows the rules of a multilevel security model, such as the Bell-LaPadula model. Protocols to establish secure communication channels within a session are also discussed.

  • Integrity controls for military and commercial applications

    Publication Year: 1988 , Page(s): 298 - 322
    Cited by:  Papers (3)  |  Patents (2)

    Because it is generally not possible to prevent the destruction or alteration of data when objects are stored or transmitted outside the security perimeter of a TCB (trusted computer base), the emphasis is placed on detecting any illicit data, including the results of computer viruses and Trojan Horse programs, using cryptographic checksums and digital signature techniques. It is concluded that a mandatory integrity policy consisting of the Biba hierarchical integrity policy extended to include integrity categories and multilevel integrity-trusted subjects, plus a discretionary integrity policy that uses a digital signature mechanism incorporated in a file label to indicate who created or produced that file, can provide integrity controls very well-suited to the networking environment.

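    Two of the abstracts above, the multimember session model (information flow per the Bell-LaPadula model) and the integrity controls paper (Biba extended with integrity categories, plus a signed file label), rest on the same lattice machinery. The following is an added example serving both, not code from either paper: a label type with level and categories, the Bell-LaPadula and Biba access rules side by side so the duality is visible, and a file label whose fields and content digest are bound by a keyed checksum. HMAC-SHA256 is used here as a stand-in for the digital signature the second paper describes; the level numbers, category names and key are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of categories.
    Levels and category names are constructed for the example."""
    level: int
    categories: frozenset

    def dominates(self, other):
        """self >= other: level at least as high and categories a superset."""
        return self.level >= other.level and self.categories >= other.categories


# Bell-LaPadula rules on sensitivity labels: no read up, no write down.
def blp_read_ok(subject, obj):
    return subject.dominates(obj)


def blp_write_ok(subject, obj):
    return obj.dominates(subject)


# Biba rules on integrity labels are the dual: no read down, no write up.
def biba_read_ok(subject, obj):
    return obj.dominates(subject)


def biba_write_ok(subject, obj):
    return subject.dominates(obj)


def access_ok(op, subj_sens, subj_int, obj_sens, obj_int):
    """A TCB enforcing both policies grants access only when both agree."""
    if op == "read":
        return blp_read_ok(subj_sens, obj_sens) and biba_read_ok(subj_int, obj_int)
    if op == "write":
        return blp_write_ok(subj_sens, obj_sens) and biba_write_ok(subj_int, obj_int)
    raise ValueError(op)


# Outside the TCB perimeter a label cannot be enforced, only checked after
# the fact. The checksum below binds the producer, the integrity level and a
# digest of the content into the file label so that any change to label or
# content is detected on re-import. (HMAC stands in for a digital signature.)
def make_label(key, producer, integrity_level, content):
    label = {
        "producer": producer,
        "integrity": integrity_level,
        "digest": hashlib.sha256(content).hexdigest(),
    }
    body = json.dumps(label, sort_keys=True).encode()
    label["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return label


def verify_label(key, label, content):
    """True only if neither the label fields nor the content were altered."""
    fields = {k: v for k, v in label.items() if k != "mac"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, label.get("mac", "")):
        return False
    digest = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(digest, fields["digest"])
```

    Note what `access_ok` buys: a subject that is low in sensitivity but high in integrity may write an object that is high in sensitivity and low in integrity, whereas a subject that is low on both cannot write a high-integrity object at all, which is the Biba half doing its job against a Trojan horse in a low-integrity tool.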
  • Denial of service flaws in SDI software-an initial assessment

    Publication Year: 1988 , Page(s): 22 - 29
    Cited by:  Patents (2)

    The author provides a tutorial and survey into the denial-of-service aspect of computer security. Definitions from existing literature are presented, and several categorizations of potential denial-of-service flaws are provided with examples from actual cases. Methods for providing preventive resistance against denial-of-service threats as well as mechanisms for detection and recovery from denial-of-service flaws are presented. The application of these methods and mechanisms with respect to software developed for the Strategic Defense Initiative (SDI) program is discussed.

  • A mandatory access control mechanism for the Unix file system

    Publication Year: 1988 , Page(s): 173 - 177
    Cited by:  Patents (15)

    The design of a mandatory access control (MAC) mechanism for the Unix file system is described. The design is simple, compatible with AT&T's System V and Berkeley's BSD Unix with Sun Microsystems' Network File System support, and it avoids some of the deficiencies present in approaches done to date. The MAC design introduces the concept of file name hiding. The design eliminates the need for partitioned directories and the need to log out and then log in again to use upgraded directories. The author briefly describes the traditional Unix file system. Approaches to adding a mandatory access control mechanism to the Unix file system are detailed, and problems with the approaches are examined. Finally, the proposed approach is described, including an explanation of how it solves the deficiencies of the previous approaches.

  • Software security evaluation based on a top-down McCall-like approach

    Publication Year: 1988 , Page(s): 414 - 418
    Cited by:  Papers (1)

    The authors present a methodology for software security evaluation and certification. A systematic approach has been used to build software security throughout the whole life cycle. This leads to using specific development and certification techniques according to the initial risk and vulnerability analysis. In the security certification process, it is of prime importance to measure the specific security nonfunctional attributes of software. The authors therefore propose a top-down approach for their definitions. This approach is compatible with the factor, criteria, and metrics approach of J.A. McCall et al. (1977), thus enabling a common approach with software quality assurance practices.

  • Genesis of a secure application: a multilevel secure message preparation workstation demonstration

    Publication Year: 1988 , Page(s): 30 - 36
    Cited by:  Papers (1)

    A multilevel secure message preparation workstation is described as a prototypical secure application. Suggestions for the development of secure applications are introduced. Techniques have been developed and demonstrated that permit untrusted applications to be integrated with a highly secure trusted computer base (TCB). By using an existing TCB, and approximately the same level of resources as for nonsecure application development, it is demonstrated that highly-secure evaluable applications are achievable.

  • Using CASE tools to improve the security of applications systems

    Publication Year: 1988 , Page(s): 205 - 208
    Cited by:  Papers (1)

    The authors overview CASE (computer-aided software engineering) tools and review security extensions to the system development life cycle. They then focus on requirements analysis to illustrate how security can be included in a CASE environment by adding tools or extending existing ones. These tools can help identify, store, analyze, report, track, and validate requirements.

  • System security in the Space Flight Operations Center

    Publication Year: 1988 , Page(s): 426 - 430

    The Space Flight Operations Center is a networked system of workstation-class computers that will provide ground support for NASA's (US National Aeronautics and Space Administration's) next generation of deep-space missions. The author recounts the development of the SFOC system security policy and discusses the various management and technology issues involved. Particular attention is given to risk assessment, security plan development, security implications of design requirements, automatic safeguards, and procedural safeguards.

  • Providing software integrity using type managers

    Publication Year: 1988 , Page(s): 287 - 294
    Cited by:  Patents (1)

    The authors consider the protection of software development objects, including design specifications, program text, executables, test results and documentation, from both accidental and malicious modifications. An integrity policy based on the authors' interpretation of the D. Clark and D. Wilson (1987) model is defined and mechanisms to enforce the policy are described. Emphasis is on software mechanisms which can be implemented on current computer systems. The approach is based on capabilities that limit the potential damage of undetected Trojan horses in development tools, and type managers that control access to software objects.

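    The abstract above combines two ideas that are worth seeing together: Clark-Wilson access triples (user, transformation procedure, object type) and a type manager that is the only path to a software object. The following is an added example, not the paper's mechanism or code: a small type manager in which source, executables and test results are typed objects, each transformation procedure (TP) is the only way to derive one type from another, and a TP is handed nothing but the content of its input, so a Trojan horse inside a tool can corrupt at most the one object it was run to produce. Object types, tool names and users are constructed.

```python
class IntegrityViolation(Exception):
    pass


class TypeManager:
    """Holds typed software objects and only lets them change through
    registered transformation procedures (TPs). A TP receives the content
    of one input object and returns the content of one output object; it
    never gets a handle to the store, which is the capability restriction
    that bounds the damage of a Trojan horse in a development tool."""

    def __init__(self):
        self.objects = {}     # name -> (type, content)
        self.tps = {}         # tp name -> (input type, output type, callable)
        self.triples = set()  # (user, tp, object type) access triples

    def register_tp(self, name, in_type, out_type, fn):
        self.tps[name] = (in_type, out_type, fn)

    def allow(self, user, tp, obj_type):
        self.triples.add((user, tp, obj_type))

    def create(self, name, obj_type, content):
        """Only brand-new objects can be written directly (the way raw
        source enters the system); anything that exists is a CDI."""
        if name in self.objects:
            raise IntegrityViolation("existing objects change only through a TP")
        self.objects[name] = (obj_type, content)

    def run(self, user, tp, src, dst):
        """Derive `dst` from `src` with `tp`, checking the TP's declared
        types and the caller's access triple before the tool runs."""
        if tp not in self.tps:
            raise IntegrityViolation(f"unknown TP {tp}")
        in_type, out_type, fn = self.tps[tp]
        if src not in self.objects:
            raise IntegrityViolation(f"unknown object {src}")
        obj_type, content = self.objects[src]
        if obj_type != in_type:
            raise IntegrityViolation(f"{tp} accepts {in_type}, not {obj_type}")
        if (user, tp, in_type) not in self.triples:
            raise IntegrityViolation(f"no access triple for ({user}, {tp}, {in_type})")
        # The tool sees only `content`; the store, other objects and the
        # output type are outside its reach.
        self.objects[dst] = (out_type, fn(content))
        return self.objects[dst]


def violates(tm, user, tp, src, dst):
    """True if the type manager refuses the operation."""
    try:
        tm.run(user, tp, src, dst)
    except IntegrityViolation:
        return True
    return False


def demo():
    tm = TypeManager()
    # Constructed tools: the compiler is the only way to obtain an
    # executable, and the test runner the only way to obtain a test result.
    tm.register_tp("compile", "source", "executable", lambda src: f"obj({src})")
    tm.register_tp("run-tests", "executable", "test-result", lambda exe: f"pass:{exe}")
    # Separation of duty: developers compile, QA runs tests, nobody does both.
    tm.allow("dev", "compile", "source")
    tm.allow("qa", "run-tests", "executable")
    tm.create("main.c", "source", "int main(void){return 0;}")
    return tm
```

    The type checks matter as much as the triples: even a user who may run the compiler cannot feed it an executable and have the result labelled as source, so the provenance of every object is fixed by the chain of TPs that produced it.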
  • Privacy enhanced electronic mail

    Publication Year: 1988 , Page(s): 16 - 21
    Cited by:  Papers (2)

    The progress of work at University College of London in implementing a prototype model of a privacy-enhanced messaging (PEM) system is reported. The design of the model is specified by the DARPANET IAB Privacy Task Force RFC 1040. The model is one which provides privacy, integrity, and authentication of messages transmitted in a typical electronic-mail system. The design and implementation experience of the prototype model is set out and several potential refinements to the model are suggested for future development.

  • Configuring a trusted system using the TNI

    Publication Year: 1988 , Page(s): 256 - 261

    The authors summarize a study performed to identify and evaluate alternatives for achieving an acceptable level of risk in a distributed system by utilizing computer components with the lowest TCSEC (trusted computer system evaluation criteria) ratings acceptable under DoD guidelines. The security implications of connecting equipments that handle differing sensitivity levels of data are examined together with the consequences of using equipments using trusted system technology, utilizing personnel with higher clearances, and separating data by sensitivity level as ways of achieving a desired level of trust in a multilevel system. The rationale for choosing this system is that it is large enough to demonstrate the implications of the guidelines given in the trusted network interpretation (TNI), yet small enough to easily verify the validity of the results.

  • Security issues of the Trusted Mach system

    Publication Year: 1988 , Page(s): 362 - 367
    Cited by:  Papers (4)

    Trusted Mach (TMach) is a message-passing, server-oriented system being targeted at the B3 level of the Trusted Computer System Evaluation Criteria (TCSEC). The authors present a rationale for why these characteristics, and the TMach architecture that implements and embodies them, are compatible with B3 requirements. It is shown that the TMach TCB (trusted computer base), composed of a kernel (which implements basic system abstractions and mediates their access) and a collection of trusted servers, is structured to provide conceptually simple protection mechanisms. Least privilege and modularity are central to the server-oriented design of the system. Easy extensibility of the TMach TCB to provide trusted applications is an added benefit of the system structure.

  • A taxonomy of the causes of proof failures in applications using the HDM methodology

    Publication Year: 1988 , Page(s): 419 - 423

    A methodology for formal verification and validation based on HDM (Hierarchical Development Methodology) is described. The HDM formula generator and theorem prover is used to perform data flow analysis on the system specification. In applying this methodology, the author discovered that although there may be a large number of individual proof failures, there were always only a small number of distinct causes of the failures. The taxonomy of the causes of these proof failures is discussed. The causes of proof failures are discussed in connection with the following categories: actual and formal parameters, printer copying, data dictionary, partial and complete copy, packed access, resolved in context, propagation resultant, and indirect integrity.