{"title":"Absorbing covers and intransitive non-interference","authors":"Sylvan Pinsky","doi":"10.1109/SECPRI.1995.398926","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398926","url":null,"abstract":"The paper gives necessary and sufficient conditions for a system to satisfy intransitive non-interference. Security is defined in terms of allowable flows of information among action domains as represented by an interferes relation /spl sim/>. We examine properties of special sets called basis elements generated from the relation /spl sim/> and introduce the notion of absorbing covers which is associated with the standard unwinding theorems for non-interference. Our approach separates the equivalence relation arguments from the non-interference properties, and as a by product, we develop a decision procedure for non-interference. An upper bound on the number of iterations needed for termination of the procedure is provided.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115390376","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Intel 80/spl times/86 processor architecture: pitfalls for secure systems","authors":"O. Sibert, Phillip A. Porras, R. Lindell","doi":"10.1109/SECPRI.1995.398934","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398934","url":null,"abstract":"An in-depth analysis of the 80/spl times/86 processor families identifies architectural properties that may have unexpected, and undesirable, results in secure computer systems. In addition, reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems. We discuss the imbalance in scrutiny for hardware protection mechanisms relative to software, and why this imbalance is increasingly difficult to justify as hardware complexity increases. We illustrate this difficulty with examples of architectural subtleties and reported implementation errors.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"48 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117347432","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Preserving privacy in a network of mobile computers","authors":"D. Cooper, K. Birman","doi":"10.1109/SECPRI.1995.398920","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398920","url":null,"abstract":"Even as wireless networks create the potential for access to information from mobile platforms, they pose a problem for privacy. In order to retrieve messages, users must periodically poll the network. The information that the user must give to the network could potentially be used to track that user. However, the movements of the user can also be used to hide the user's location if the protocols for sending and retrieving messages are carefully designed. We have developed a replicated memory service which allows users to read from memory without revealing which memory locations they are reading. Unlike previous protocols, our protocol is efficient in its use of computation and bandwidth. We show how this protocol can be used in conjunction with existing privacy preserving protocols to allow a user of a mobile computer to maintain privacy despite active attacks.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117019696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A network version of the Pump","authors":"Myong H. Kang, I. S. Moskowitz, D. Lee","doi":"10.1109/SECPRI.1995.398929","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398929","url":null,"abstract":"A designer of reliable MLS networks must consider covert channels and denial of service attacks in addition to traditional network performance measures such as throughput, fairness, and reliability. We show how to extend the NRL data Pump to a certain MLS network architecture in order to balance the requirements of congestion control, fairness, good performance, and reliability against those of minimal threats from covert channels and denial of service attacks. We back up our claims with simulation results.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116064365","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Integrating security in CORBA based object architectures","authors":"R. Deng, S. Bhonsle, Weiguo Wang, A. Lazar","doi":"10.1109/SECPRI.1995.398922","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398922","url":null,"abstract":"We propose a distributed security architecture for incorporation into object oriented distributed computing systems, and in particular, into OMG's CORBA based object architectures. The primary objective of the security architecture is to make CORBA resilient to both component failures and malicious attacks. The core of the architecture is the notion of secure ORB node-an ORB node enhanced with \"pluggable\" system security objects interacting through generic security service APIs. System security objects coupled with protocols among them facilitate creation and management of clients, objects, and security information. Security services addressed in the paper include, but are in no way limited to, client/object authentication, access control, and integrity and confidentiality protections.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114224623","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Capacity estimation and auditability of network covert channels","authors":"B. Venkatraman, R. Newman","doi":"10.1109/SECPRI.1995.398932","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398932","url":null,"abstract":"Classical covert channel analysis has focused on channels available on a single computer: timing channels and storage channels. We characterize network covert channels. Potential network covert channels are exploited by modulating transmission characteristics. We distinguish between spatial covert channels, caused by a variation in the relative volume of communication between nodes in the network, and temporal covert channels caused by a variation in transmission characteristics over time, extending the work of Girling (1987). A model for obtaining a spatially neutral transmission schedule was given by Newman-Wolfe and Venkatraman (1991, 1992). Temporally neutral transmissions are characterized and scheduling policies to generate temporally neutral transmission schedules were given by Venkatraman and Newman-Wolfe (1993). We estimate the covert channel capacity using an adaptive scheduling policy, modeling the system as a mode secure system. Based on our measurements on the University of Florida campus-wide backbone network (UFNET), we discuss the auditability of network covert channels and suggest some handling policies to reduce the capacity of these covert channels to TCSEC acceptable levels.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"1197 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126737152","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reasoning about accountability in protocols for electronic commerce","authors":"R. Kailar","doi":"10.1109/SECPRI.1995.398936","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398936","url":null,"abstract":"A new framework is proposed for the analysis of communication protocols that require accountability, such as those for electronic commerce. Informal arguments are presented to show that a heretofore un-explored property \"provability\" is pertinent to examine the potential use of communication protocols in the context of litigation, and in the context of audit. A set of postulates which are applicable to the analysis of proofs in general (e.g., zero knowledge proofs), and the proofs of accountability in particular, are proposed. The proposed approach is more natural for the analysis of accountability then the existing belief logics that have been used in the past for the analysis of key distribution protocols. Some recently proposed protocols for electronic commerce and public-key delegation are analyzed to illustrate the use of the new analysis framework in detecting (and suggesting remedies for eliminating) their lack of accountability, and in detecting and eliminating redundancies.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131197447","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A multilevel file system for high assurance","authors":"C. Irvine","doi":"10.1109/SECPRI.1995.398924","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398924","url":null,"abstract":"The designs of applications for multilevel systems cannot merely duplicate those of the untrusted world. When applications are built on a high assurance base, they will be constrained by the underlying policy enforcement mechanism. Consideration must be given to the creation and management of multilevel data structures by untrusted subjects. Applications should be designed to rely upon the TCB's security policy enforcement services rather than build new access control services beyond the TCB perimeter. The results of an analysis of the design of a general purpose file system developed to execute as an untrusted application on a high assurance TCB are presented. The design illustrates a number of solutions to problems resulting from a high assurance environment.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130509800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The design and implementation of a secure auction service","authors":"M. Franklin, M. Reiter","doi":"10.1109/SECPRI.1995.398918","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398918","url":null,"abstract":"We present the design and implementation of a distributed service for performing sealed-bid auctions. This service provides an interface by which clients, or \"bidders\", can issue secret bids to the service for an advertised auction. Once the bidding period has ended, the auction service opens the bids, determines the winning bid, and provides the winning bidder with a ticket for claiming the item bid upon. Using novel cryptographic techniques, the service is constructed to provide strong protection for both the auction house and correct bidders, despite the malicious behavior of any number of bidders and even a constant fraction of the servers comprising the auction service. Specifically, it is guaranteed that (i) bids of correct bidders are not revealed until after the bidding period has ended, (ii) the auction house collects payment for the winning bid, (iii) losing bidders forfeit no money, and (iv) only the winning bidder can collect the item bid upon. We also discuss techniques to enable anonymous bidding.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"190 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121328932","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Recent-secure authentication: enforcing revocation in distributed systems","authors":"S. Stubblebine","doi":"10.1109/SECPRI.1995.398935","DOIUrl":"https://doi.org/10.1109/SECPRI.1995.398935","url":null,"abstract":"A general method is described for formally specifying and reasoning about distributed systems with any desired degree of immediacy for revoking authentication. To effect revocation, 'authenticating entities' impose freshness constraints on credentials or authenticated statements made by trusted intermediaries. If fresh statements are not presented, then the authentication is questionable. Freshness constraints are derived from initial policy assumptions and authentic statements made by trusted intermediaries. By adjusting freshness constraints, the delay for certain revocation can be arbitrarily bounded. We illustrate how the inclusion of freshness policies within certificates enables the design of a secure and highly available revocation service. We illustrate the application of the method and new techniques in an example.<<ETX>>","PeriodicalId":420458,"journal":{"name":"Proceedings 1995 IEEE Symposium on Security and Privacy","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1995-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115208886","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}