{"title":"Coding for a Believable Specification to Implementation Mapping","authors":"W. D. Young, J. McHugh","doi":"10.1109/SP.1987.10003","DOIUrl":"https://doi.org/10.1109/SP.1987.10003","url":null,"abstract":"Abstract: One criterion for \"Beyond A1\" certification according to the DoD Trusted Computer Systems Evaluation Criteria will be code-level verification. We argue that, while verification at the actual code level may be infeasible for large secure systems, it is possible to push the verification to a low level of abstraction and then map the specification in an intuitive manner to the source code. Providing a suitable mapping requires adhering to a strict discipline on both the specification and code sides. We discuss the issues involved in this problem, particularizing the discussion to a mapping from Gypsy specifications to C code.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"56 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116058984","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Multilevel Security for Knowledge-Based Systems","authors":"Thomas A. Berson, T. Lunt","doi":"10.1109/SP.1987.10024","DOIUrl":"https://doi.org/10.1109/SP.1987.10024","url":null,"abstract":"The paper presents results of an initial investigation of multilevel security for knowledge-based systems. Knowledge-based systems are computer programs that give advice using techniques developed in artificial intelligence research. Although many apparently multilevel knowledge-based systems are now being developed, security requirements have not yet been articulated for them. We adopt the production system model as a generalization of knowledge-based systems. We apply noninterference concepts of multilevel security to the production model, and from this we suggest an approach for achieving multilevel secure production systems. Our approach puts control structures at system low, assigns a single classification to entries in the knowledge base, and provides different views both of the database and of the rule base depending upon the clearance of the user. We conclude that it will be possible to achieve multilevel security for many knowledge-based systems. We present a research agenda for further study.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122718848","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Integrity Lock Architecture and Its Application to Message Systems: Reducing Covert Channels","authors":"C. Meadows","doi":"10.1109/SP.1987.10008","DOIUrl":"https://doi.org/10.1109/SP.1987.10008","url":null,"abstract":"The integrity lock architecture provides a means of constructing a secure database management system with a relatively small amount of trusted code, using a trusted filter which verifies the integrity of security labels on data from an untrusted DBMS by computing cryptographic checksums. However, since the trusted filter can only check whether or not an individual item of data has been tampered with, and not whether or not that item is a correct answer to a particular database query, a covert channel exists through which a Trojan Horse in the DBMS can leak classified information by encoding it in various incorrect (but unclassified) answers to seemingly innocuous queries. In this paper we discuss a possible solution to this covert channel problem for message systems.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117084101","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Covert Channel Capacity","authors":"J. Millen","doi":"10.1109/SP.1987.10013","DOIUrl":"https://doi.org/10.1109/SP.1987.10013","url":null,"abstract":"Techniques for detecting covert channels are based on information flow models. This paper establishes a connection between Shannon's theory of communication and information flow models, such as the Goguen-Meseguer model, that view a reference monitor as a state-transition automaton. The channel associated with a machine and a compromise policy is defined, and the capacity of that channel is taken as a measure of covert channel information rate.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"180 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123198347","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Universal Theory of Information Flow","authors":"S. Foley","doi":"10.1109/SP.1987.10012","DOIUrl":"https://doi.org/10.1109/SP.1987.10012","url":null,"abstract":"A new theory of information flow is presented. This theory is used to determine the information flows between the users of a system. Information flows when variety in the actions of a source user can be conveyed to a destination user. This theory is developed around Hoare's calculus for communicating sequential processes. Information flows due to concurrency, non-determinism and input/output can be examined within the framework of this calculus.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128139734","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A Graph-Theoretic Formulation of Multilevel Secure Distributed Systems: An Overview","authors":"J. C. Williams, G. Dinolt","doi":"10.1109/SP.1987.10026","DOIUrl":"https://doi.org/10.1109/SP.1987.10026","url":null,"abstract":"Research in developing formalisms for secure distributed systems reveals that a graph-theoretic model captures the fundamental notion of trust, while permitting a rigorous and elegant decomposition into lower levels of implementation. With such a model, security labels need be applied to directed edges only, not to events, ports, processes, messages, or whatever. Moreover, the usual concept of \"secure state\" does not lend itself to defining security in a distributed system, whereas our Model guarantees secure transitions in precisely this context.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"130 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124516647","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Physical Security for the μABYSS System","authors":"Steve H. Weingart","doi":"10.1109/SP.1987.10019","DOIUrl":"https://doi.org/10.1109/SP.1987.10019","url":null,"abstract":"Open systems, now common in many small computers, have given the user logical access to all parts of his or her system. At the same time, the computing environment is moving out of the computing center and into the office and home, giving users physical access to their systems. This movement of the computing environment necessitates a mechanism to prevent the user from physically accessing certain parts of his or her system if logical security (of the type which limits the user's ability to make copies, change code, etc.) is to be reliable. This paper describes the development of a physical security system for protecting electronic circuits from unauthorized access. This system can be used to ensure that logical security mechanisms will remain uncompromised. The requirements, design criteria, and implementation of the system are discussed with an orientation towards practicality and manufacturing.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"275 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133198387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Compartmented Mode Workstation: Results Through Prototyping","authors":"P. T. Cummings, D. A. Fullam, M. Goldstein, M. Gosselin, J. Picciotto, J. P. Woodward, J. Wynn","doi":"10.1109/SP.1987.10010","DOIUrl":"https://doi.org/10.1109/SP.1987.10010","url":null,"abstract":"The Defense Intelligence Agency (DIA) recognized that commercially available workstations could significantly enhance the capabilities of today's Intelligence Data Handling Systems (IDHS) if they could be integrated with the IDHS systems in a secure manner. The Compartmented Mode Workstation (CMW) project was started at the request of the DIA to further the state-of-the-art of computer security in general and workstation security in particular. The prototype effort had two major purposes. The first purpose was to demonstrate that operationally useful implementations of each requirement could be designed and developed. The second, more general, purpose was to gain insight into what measures could be taken to augment commercially available workstations with meaningful security. Therefore, as the Security Requirements for System High and Compartmented Mode Workstations [CMWREQS] were stated, a development team attempted to implement thereon the CMW prototype. Viable approaches were found for all requirements, thereby verifying the premise that a workstation and its associated operating system could be modified such that off-the-shelf software (distributed in binary form) could execute with adequate security. This paper describes compartmented mode operation, how the prototype satisfied each requirement, and the level of effort involved in the prototype implementation.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128755835","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Specifications for Multi-Level Security and a Hook-Up","authors":"D. McCullough","doi":"10.1109/SP.1987.10009","DOIUrl":"https://doi.org/10.1109/SP.1987.10009","url":null,"abstract":"In this paper, we give a brief description of several formalisms for computer security, and discuss some of the problems in their interpretation and application. We define the property of \"hook-up security\", which can be shown to imply that a collection of hook-up secure systems can be hooked up to form a secure complex system. We believe this result addresses some of the problems with other definitions of security, and will be valuable in the design of large secure systems from simpler secure components.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124980524","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Limiting the Damage Potential of Discretionary Trojan Horses","authors":"P. Karger","doi":"10.1109/SP.1987.10011","DOIUrl":"https://doi.org/10.1109/SP.1987.10011","url":null,"abstract":"Many discretionary Trojan Horse attacks can be defeated by a table-driven file name translation mechanism that has knowledge of the normal patterns of use of a computer system. File name translation is built into a protected subsystem, and the human user is queried about possible violations of discretionary access control policies. The technique is most effective against unauthorized tampering or sabotage and can be used in conjunction with non-discretionary security controls.","PeriodicalId":123213,"journal":{"name":"1987 IEEE Symposium on Security and Privacy","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1987-04-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133260574","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}