Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy

20-22 May 1991

Displaying Results 1 - 25 of 29
  • An analysis of covert timing channels

    Publication Year: 1991, Page(s):2 - 7
    Cited by:  Papers (59)  |  Patents (1)

    Covert channels have traditionally been categorized as either storage channels or timing channels. The author questions this categorization, and discusses channels that cannot be clearly identified as either storage or timing channels, but have aspects of both. A new model of timing channels is presented, which allows for channels that have characteristics of both storage channels and timing chann...

  • Reducing timing channels with fuzzy time

    Publication Year: 1991, Page(s):8 - 20
    Cited by:  Papers (67)  |  Patents (2)

    Fuzzy time is a collection of techniques that reduces the bandwidths of covert timing channels by making all clocks available to a process noisy. Developed in response to the problems posed by high-speed hardware timing channels, fuzzy time has been implemented in the VAX security kernel. Fuzzy time has proven to be highly effective against the timing channels in the VAX security kernel. Not only ...

  • Toward a mathematical foundation for information flow security

    Publication Year: 1991, Page(s):21 - 34
    Cited by:  Papers (52)

    A general-purpose, probabilistic state machine model which can be used to model a large class of nondeterministic (as well as deterministic) computer systems is described. The necessary probability theory to rigorously state and prove probabilistic properties of modeled systems is developed. A definition of information flow-security making use of this formalism is given. Intuitively, information f...

  • Covert flow trees: a technique for identifying and analyzing covert storage channels

    Publication Year: 1991, Page(s):36 - 51
    Cited by:  Papers (11)

    A technique for detecting covert storage channels using a tree structure called a covert flow tree (CFT) is introduced. By traversing the paths of a CFT a comprehensive list of scenarios that potentially support covert communication via particular resource attributes can be automatically constructed. CFTs graphically illustrate the process through which information regarding the state of one attri...

  • Storage channels in disk arm optimization

    Publication Year: 1991, Page(s):52 - 61
    Cited by:  Papers (13)

    The covert storage channels found in disk I/O optimization schemes are studied. The authors examine the source of the problems in the context of various disk architectures, propose several classes of generic solutions and conclude with recommendations for future storage-system architectures. The work was done as part of the covert channel analysis for Digital's VAX security kernel.

  • Modeling nondisclosure in terms of the subject-instruction stream

    Publication Year: 1991, Page(s):64 - 77

    A formal definition is given of nondisclosure for a computing system and the author describes a functional decomposition of the system into two kinds of activities, namely, the selection and execution of subject instructions. Security requirements for each of the two resulting subsystems are given, and it is proved that, if each subsystem satisfies its security requirements, then the entire system...

  • A separation model for virtual machine monitors

    Publication Year: 1991, Page(s):78 - 86
    Cited by:  Papers (12)

    A security policy is given for separation virtual machine monitors (SVMMs) and the authors interpret J.M. Rushby's (1981) separation model for SVMMs. Applying Rushby's technique yields a practical method for demonstrating that an implementation of an SVMM adheres to the abstract isolation axiom of the separation model, thus providing relatively strong assurance for a low level of effort. The autho...

  • Safety analysis for the extended schematic protection model

    Publication Year: 1991, Page(s):87 - 97
    Cited by:  Papers (10)

    It is argued that the access matrix model of M.H. Harrison, W.L. Ruzzo and J.D. Ullman (HRU) (1976) has extremely weak safety properties; safety analysis is undecidable for most policies of practical interest. An alternate formulation of the HRU model is presented that gives strong safety properties. This alternative formulation is called the extended schematic protection model (ESPM). ESPM is der...

  • A taxonomy for information flow policies and models

    Publication Year: 1991, Page(s):98 - 108
    Cited by:  Papers (7)

    A notation for describing information flow policies that can express transitive, aggregation and separation (of duty) exceptions is proposed. Operators for comparing, composing, and abstracting flow policies are described. These allow complex policies to be built from simpler policies. Many existing confidentiality (and by using a dual model, integrity) policies and their models can be captured in...

  • Intrusion tolerance in distributed computing systems

    Publication Year: 1991, Page(s):110 - 121
    Cited by:  Papers (83)  |  Patents (23)

    An intrusion-tolerant distributed system is a system which is designed so that any intrusion into a part of the system will not endanger confidentiality, integrity and availability. This approach is suitable for distributed systems, because distribution enables isolation of elements so that an intrusion gives physical access to only a part of the system. In particular, the intrusion-tolerant authe...

  • Verification of secure distributed systems in higher order logic: A modular approach using generic components

    Publication Year: 1991, Page(s):122 - 135
    Cited by:  Papers (1)  |  Patents (20)

    A generalization of D. McCullough's (1987; 1988) restrictiveness model is given as the basis for providing security properties for distributed system designs. This generalization is mechanized for an event-based model of computer systems in the HOL (higher order logic) system to prove the composability of the model and several other properties about the model. A set of generalized classes of syste...

  • Applying a theory of modules and interfaces to security verification

    Publication Year: 1991, Page(s):136 - 154
    Cited by:  Papers (7)

    An overview is given of a theory of modules and interfaces applicable to the specification and verification of systems with a layered architecture. At the heart of this theory is a module composition theorem. The theory is applied to the specification of a distributed system consisting of subjects and objects in different hosts (computers). Formal specifications of a user interface and a network i...

  • The use of logic in the analysis of cryptographic protocols

    Publication Year: 1991, Page(s):156 - 170
    Cited by:  Papers (28)

    Logics for cryptographic protocol analysis are presented, and a study is made of the protocol features that they are appropriate for analyzing: some are appropriate for analyzing trust, others security. It is shown that both features can be adequately captured by a single properly designed logic. The goals and capabilities of M. Burrows, M. Abadi and R. Needham's (1989) BAN logic are examined. It ...

  • Exploring the BAN approach to protocol analysis

    Publication Year: 1991, Page(s):171 - 181
    Cited by:  Papers (13)  |  Patents (2)

    The BAN approach to analysis of cryptographic protocols (M. Burrows et al., 1988) transforms a correctness requirement into a proof obligation of a formal belief logic. It is shown that the BAN protocol annotation rules make flaws due solely to protocol step permutation undetectable by the BAN logic. This is illustrated by a short example. In the style of BAN logic, the author defines the concept ...

  • A system for the specification and analysis of key management protocols

    Publication Year: 1991, Page(s):182 - 195
    Cited by:  Papers (28)

    This paper describes a formal specification language and verification technique for analyzing key management protocols. A prototype verification tool that can be used to apply this technique is introduced. A protocol intended for use in the management of resource sharing is formally specified and verified, and it is shown how the use of the considered techniques led to the discovery of a flaw that could be ...

  • Toward an approach to measuring software trust

    Publication Year: 1991, Page(s):198 - 218
    Cited by:  Papers (22)

    The authors have been involved in the development of an approach to measuring the trust of software, at some state in the software development life cycle. The primary emphasis has been on the use of well-known and generally accepted security and software engineering principles as a means for establishing software trust. A description of the critical issues related to software trust is provided her...

  • On the buzzword 'security policy'

    Publication Year: 1991, Page(s):219 - 230
    Cited by:  Papers (17)

    It is pointed out that, although the term 'security policy' is fundamental to computer security, its conflicting meanings have obscured important conceptual distinctions, especially where concerns other than confidentiality are involved. A clearer definition is needed to clarify routine technical discourse, facilitate resolution of key research issues, and establish the scope of security research ...

  • SPX: global authentication using public key certificates

    Publication Year: 1991, Page(s):232 - 244
    Cited by:  Papers (48)  |  Patents (31)

    SPX, a reference implementation of an open distributed authentication service architecture based on ISO Standard 9594-9/CCITT X.509 directory public key certificates and hierarchically organized certification authorities, is described. SPX manages the end system state and provides the run-time environment enabling applications to mutually authenticate on the basis of a global principal identity. S...

  • Protecting security information in distributed systems

    Publication Year: 1991, Page(s):245 - 254
    Cited by:  Papers (1)  |  Patents (1)

    It is shown how security information for user authentication, peer-entity authentication and access control is created and utilized in large distributed systems. The protection mechanisms used are hash functions, and symmetric and asymmetric cryptography. The authors describe and combine data formats for security information based on international standards from several standardization bodies.

  • An analysis of the proxy problem in distributed systems

    Publication Year: 1991, Page(s):255 - 275
    Cited by:  Papers (42)  |  Patents (10)

    The authors look at the problem of delegation of rights or proxy in distributed object systems. Two signature-based schemes for achieving delegation which require different inter-object trust assumptions are presented. These schemes have been instantiated using public key and secret key based cryptographic techniques. Additional trust implications which arise from these implementations are also co...

  • Microdata disclosure limitation in statistical databases: query size and random sample query control

    Publication Year: 1991, Page(s):278 - 287
    Cited by:  Papers (4)  |  Patents (7)

    A probabilistic framework can be used to assess the risk of disclosure of confidential information in statistical databases that use disclosure control mechanisms. The authors show how the method may be used to assess the strengths and weaknesses of two existing disclosure control mechanisms: the query set size restriction control and random sample query control mechanisms. Results indicate that n...

  • Discretionary access controls in a high-performance object management system

    Publication Year: 1991, Page(s):288 - 299
    Cited by:  Papers (8)  |  Patents (37)

    A method for efficiently implementing access control lists (ACLs) in the main memory object-oriented database systems (OODBSs) is proposed. The main features of the method are the following: ACLs are not stored directly, but via ACL numbers; and each process has a cache which records results of evaluations of ACLs for this process and certain ACL numbers. The particular implementation of ACL numbe...

  • A novel decomposition of multilevel relations into single-level relations

    Publication Year: 1991, Page(s):300 - 313
    Cited by:  Papers (7)

    This paper presents a novel decomposition algorithm that breaks a multilevel relation into single-level relations and a novel recovery algorithm which reconstructs the original multilevel relation from the decomposed single-level relations. There are several novel aspects to these decomposition and recovery algorithms which provide substantial advantages over previous proposals. The algorithms are formulated...

  • The SRI IDES statistical anomaly detector

    Publication Year: 1991, Page(s):316 - 326
    Cited by:  Papers (83)  |  Patents (57)

    SRI International's real-time intrusion-detection expert system (IDES) contains a statistical subsystem that observes behavior on a monitored computer system and adaptively learns what is normal for individual users and groups of users. The statistical subsystem also monitors observed behavior and identifies behavior as a potential intrusion (or misuse by authorized users) if it deviates significa...

  • A pattern-oriented intrusion-detection model and its applications

    Publication Year: 1991, Page(s):327 - 342
    Cited by:  Papers (10)  |  Patents (44)

    Operational security problems can lead to intrusion in secure computer systems. The authors justify the need for, and present, a pattern-oriented intrusion-detection model that can be used to analyze object privilege and data flows in secure computer systems to detect operational security problems. This model can address context-dependent intrusion, such as use of covert-storage channels and virus...