Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097)

4-7 May 1997

  • Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097)

    Publication Year: 1997
    Freely Available from IEEE
  • Is The Trusted Computing Base Concept Fundamentally Flawed?

    Publication Year: 1997, Page(s): 2
    Cited by:  Papers (2)
  • Some weaknesses of the TCB model

    Publication Year: 1997, Page(s):3 - 5

    This paper summarizes the affirmative argument supporting the proposition that "the concept of the trusted computing base (TCB) as a basis for constructing systems to meet security requirements is fundamentally flawed and should no longer be used to justify system security architectures".
  • Is the reference monitor concept fatally flawed? The case for the negative

    Publication Year: 1997, Page(s):6 - 7

    The reference monitor (RM) model has passed the critical test imposed by the methodology of science: it has been a productive concept for the field of computer security since its introduction. The call to abandon a productive model, however intellectually stimulating, should not be heeded simply for the sake of novelty. It is our hope that this debate will stimulate an examination of foundations, ...
  • Toward acceptable metrics of authentication

    Publication Year: 1997, Page(s):10 - 20
    Cited by:  Papers (24)  |  Patents (3)

    Authentication using a path of trusted intermediaries, each able to authenticate the next one in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meanin...
  • An authorization scheme for distributed object systems

    Publication Year: 1997, Page(s):21 - 30
    Cited by:  Papers (6)  |  Patents (3)

    Addresses the problem of distributed object system protection. A new authorization scheme is presented and described, based on the collaboration between a central authorization server and security kernels located on each site of the system. A novel approach to access rights management for such an architecture is detailed, based on a new kind of access rights and a new scheme of privilege delegatio...
  • A logical language for expressing authorizations

    Publication Year: 1997, Page(s):31 - 42
    Cited by:  Papers (134)  |  Patents (1)

    A major drawback of existing access control systems is that they have all been developed with a specific access control policy in mind. This means that all protection requirements (i.e. accesses to be allowed or denied) must be specified in terms of the policy enforced by the system. While this may be trivial for some requirements, specification of other requirements may become quite complex or ev...
  • Anonymous connections and onion routing

    Publication Year: 1997, Page(s):44 - 54
    Cited by:  Papers (172)  |  Patents (22)

    Onion routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of proxies. The proxies may also make communication anonymous by removing identifying information from the data stream. Onion routing has been implemented on Sun Solaris 2.X with proxies for Web browsing, ...
  • The design and implementation of a multilevel secure log manager

    Publication Year: 1997, Page(s):55 - 64
    Cited by:  Papers (1)  |  Patents (1)

    This paper discusses the security issues involved in log management for a multilevel secure database system and presents a design and implementation of a prototype multilevel secure log manager. The main goal of a log manager is to provide high bandwidth and low flush latency. We examine the performance of our design by observing the flush latency and log bandwidth. We also informally evaluate th...
  • A secure and reliable bootstrap architecture

    Publication Year: 1997, Page(s):65 - 71
    Cited by:  Papers (147)  |  Patents (88)

    In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked and (2) transitions to higher layers occur only after integrity checks on them are complete. The...
  • An MBone proxy for an application gateway firewall

    Publication Year: 1997, Page(s):72 - 81
    Cited by:  Papers (1)  |  Patents (5)

    The Internet's multicast backbone (MBone) holds great potential for many organizations because it supports low-cost audio and video conferencing and carries live broadcasts of an increasing number of public interest events. MBone conferences are transmitted via unauthenticated multicast datagrams, which unfortunately convey significant security vulnerabilities to any system that receives them. For...
  • Secure software architectures

    Publication Year: 1997, Page(s):84 - 93
    Cited by:  Papers (17)

    The computer industry is increasingly dependent on open architectural standards for its competitive success. This paper describes a new approach to secure system design in which the various representations of the architecture of a software system are described formally and the desired security properties of the system are proven to hold at the architectural level. The main ideas are illustrated ...
  • A general theory of security properties

    Publication Year: 1997, Page(s):94 - 102
    Cited by:  Papers (50)

    We present a general theory of possibilistic security properties. We show that we can express a security property as a predicate that is true of every set containing all the traces with the same low level event sequence. Given this security predicate, we show how to construct a partial ordering of security properties. We also discuss information flow and present the weakest property such that no i...
  • Analyzing consistency of security policies

    Publication Year: 1997, Page(s):103 - 112
    Cited by:  Papers (43)  |  Patents (3)

    We discuss the development of a methodology for reasoning about properties of security policies. We view a security policy as a special case of regulation which specifies what actions some agents are permitted, obliged or forbidden to perform and we formalize a policy by a set of deontic formulae. We first address the problem of checking policy consistency and describe a method for solving it. The...
  • Ensuring assurance in mobile computing

    Publication Year: 1997, Page(s):114 - 118
    Cited by:  Papers (1)

    This paper introduces a panel discussion on establishing assurance evidence that mobile code applications perform as expected by the user, without the side effects that have been demonstrated as possible in constructed examples of malicious or "rogue" applets. The paper's principal authors, Schaefer and Pinsky, have been engaged in cooperative research with the JavaSoft community to gain understan...
  • Filtering postures: local enforcement for global policies

    Publication Year: 1997, Page(s):120 - 129
    Cited by:  Papers (59)  |  Patents (9)

    When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an algorithm that, given the network topology...
  • Providing flexibility in information flow control for object oriented systems

    Publication Year: 1997, Page(s):130 - 140
    Cited by:  Papers (25)  |  Patents (1)

    This paper presents an approach to control information flow in object-oriented systems that takes into account, besides authorizations on objects, also how the information has been obtained and/or transmitted. These aspects are considered by allowing exceptions to the restrictions stated by the authorizations. Exceptions are specified by means of waivers associated with methods. Two kinds of waive...
  • Automated analysis of cryptographic protocols using Murφ

    Publication Year: 1997, Page(s):141 - 151
    Cited by:  Papers (74)

    A methodology is presented for using a general-purpose state enumeration tool, Murφ, to analyze cryptographic and security-related protocols. We illustrate the feasibility of the approach by analyzing the Needham-Schroeder (1978) protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative stu...
  • How to systematically classify computer security intrusions

    Publication Year: 1997, Page(s):154 - 163
    Cited by:  Papers (73)  |  Patents (8)

    This paper presents a classification of intrusions with respect to the technique as well as the result. The taxonomy is intended to be a step on the road to an established taxonomy of intrusions for use in incident reporting, statistics, warning bulletins, intrusion detection systems etc. Unlike previous schemes, it takes the viewpoint of the system owner and should therefore be suitable to a wider c...
  • Surviving information warfare attacks on databases

    Publication Year: 1997, Page(s):164 - 174
    Cited by:  Papers (38)  |  Patents (8)

    We consider the problem of surviving information warfare attacks on databases. We adopt a fault tolerance approach to the different phases of an attack. To maintain precise information about the attack, we mark data to reflect the severity of detected damage as well as the degree to which the damaged data has been repaired. In the case of partially repaired data, integrity constraints might be vio...
  • Execution monitoring of security-critical programs in distributed systems: a specification-based approach

    Publication Year: 1997, Page(s):175 - 187
    Cited by:  Papers (97)  |  Patents (24)

    We describe a specification-based approach to detect exploitations of vulnerabilities in security-critical programs. The approach utilizes security specifications that describe the intended behavior of programs and scans audit trails for operations that are in violation of the specifications. We developed a formal framework for specifying the security-relevant behavior of programs, on which we bas...
  • Catalytic inference analysis: detecting inference threats due to knowledge discovery

    Publication Year: 1997, Page(s):188 - 199
    Cited by:  Papers (7)  |  Patents (3)

    Knowledge discovery in databases can be enhanced by introducing "catalytic relations" conveying external knowledge. The new information catalyzes database inference, manifesting latent channels. Catalytic inference is imprecise in nature, but the granularity of inference may be fine enough to create security compromises. Catalytic inference is computationally intensive. However, it can be automate...
  • Security in innovative new operating systems

    Publication Year: 1997, Page(s):202 - 203

    A principal criterion by which new operating systems are judged is the level of performance that they provide for applications. To this end, new operating systems have sought novel approaches to performance enhancement. A theme common to many of these initiatives is that of specialization. Instead of an operating system designed to serve all applications (either equally well or equally badly), the...
  • Research on proof-carrying code for untrusted-code security

    Publication Year: 1997
    Cited by:  Papers (7)  |  Patents (4)

    A powerful method of interaction between two software systems is through mobile code. By allowing code to be installed dynamically and then executed, a host system can provide a flexible means of access to its internal resources and services. There are many problems to be solved before such uses of untrusted code can become practical. We focus on the problem of how to establish guarantees about th...
  • Access control for the SPIN extensible operating system

    Publication Year: 1997
    Cited by:  Patents (3)

    Summary form only given. In the SPIN operating system (B.N. Bershad et al., 1995; Przemyslaw Pardyak and B.N. Bershad, 1996) built at the University of Washington, we are experimenting with a version of domain and type enforcement (DTE) (L. Badger et al., 1995) that has been extended to address the security concerns of extensible systems. The SPIN operating system defines an extension infrastructu...