Publication


Featured research published by Charles N. Payne.


Annual Computer Security Applications Conference | 2001

Architecture and applications for a distributed embedded firewall

Charles N. Payne; Tom Markham

The distributed firewall is an important new line of network defense. It provides fine-grained access control to augment the protections afforded by the traditional perimeter firewall. To be effective, though, a distributed firewall must satisfy two critical requirements. First, it must embrace a protection model that acknowledges that everything behind the firewall may not be trustworthy. The malicious insider with unobstructed access to the network can still mount limited attacks. Second, the firewall must be tamper-resistant. Any firewall that executes on the same untrusted operating system that it is charged to protect begs the question: who is protecting whom? This paper presents a new distributed, embedded firewall that satisfies both requirements. The firewall filters Internet Protocol traffic to and from the host. The firewall is tamper-resistant because it is independent of the host's operating system. It is implemented on the host's network interface card and managed by a protected, central policy server located elsewhere on the network. This paper describes the firewall's architecture and associated assurance claims and discusses unique applications for it.


Proceedings of the fourth ACM workshop on Role-based access control | 1999

Napoleon: network application policy environment

Daniel Jay Thomsen; Richard C. O'Brien; Charles N. Payne

Napoleon consists of three parts: a model for specifying security policies for a heterogeneous set of network resources, a graphical tool for manipulating the model, and software to translate the policy to target security mechanisms. This paper focuses on how the layered policy approach in the Napoleon model has been generalized to allow for adding additional layers. For the Napoleon tool, a new approach for manipulating the role hierarchy is discussed.


Annual Computer Security Applications Conference | 1999

Napoleon: a recipe for workflow

Charles N. Payne; Daniel Jay Thomsen; Jessica Bogle; Richard C. O'Brien

The paper argues that Napoleon, a flexible, role-based access control (RBAC) modeling environment, is also a practical solution for enforcing business process control, or workflow policies. Napoleon provides two important benefits for workflow: simplified policy management and support for heterogeneous, distributed systems. We discuss our strategy for modeling workflow in Napoleon, and we present an architecture that incorporates Napoleon into a workflow management system.


Proceedings of 11th Annual Conference on Computer Assurance. COMPASS '96 | 1996

Increasing assurance with literate programming techniques

Andrew P. Moore; Charles N. Payne

The assurance argument that a trusted system satisfies its information security requirements must be convincing, because the argument supports the accreditation decision to allow the computer to process classified information in an operational environment. Assurance is achieved through understanding, but some evidence that supports the assurance argument can be difficult to understand. The paper describes a novel application of a technique, called literate programming (D.E. Knuth, 1984), that significantly improves the readability of the assurance argument while maintaining its consistency with formal specifications that are input to specification and verification systems. We describe an application of this technique to a simple example and discuss the lessons learned from this effort.


Hawaii International Conference on System Sciences | 2009

Trapping Malicious Insiders in the SPDR Web

J. Thomas Haigh; Steven A. Harp; Richard C. O'Brien; Charles N. Payne; Johnathan Gohde; John Maraist

The insider threat has assumed increasing importance as our dependence on critical cyber information infrastructure has increased. In this paper we describe an approach for thwarting and attributing insider attacks. The Sense, Prepare, Detect, and React (SPDR) approach utilizes both a highly intelligent software reasoning system to anticipate, recognize, respond to, and attribute attacks as well as a widely distributed set of hardware-based sensor-effectors to provide alerts used by the reasoning system and to implement responses as directed by it. Using hardware sensor-effectors greatly reduces the risk that a savvy malicious insider can bypass or cripple the system’s monitoring and control capabilities. In this paper we describe the prototype SPDR system and the results of its successful evaluation by an independent, DARPA-sponsored Red Team. We conclude with thoughts on possible SPDR enhancements and further research.


DARPA Information Survivability Conference and Exposition | 2001

The Releasable Data Products Framework

Charles N. Payne; Richard E. Smith

Future warfare will operate at an increased tempo that is driven and sustained by an ever-expanding inventory of data-driven weapons. The dataflow itself could be a bottleneck, particularly where U.S. intelligence assets and facilities must share information with multinational coalitions. The bottleneck could be reduced by replacing the difficult manual check at the time of release with many simpler and mostly automated checks that are scattered throughout the data production process. However, conventional release processes, which are implemented using COTS (commercial off-the-shelf) systems, are susceptible to malicious code that could easily subvert these checks. This paper describes the Releasable Data Products Framework (RDPF), a collection of building blocks that, when augmented with COTS release systems, can protect the data production process and can provide the release officer with assurance that only those data produced in an approved and secure manner are released.


DARPA Information Survivability Conference and Exposition | 2000

Using composition to design secure, fault-tolerant systems

D. Olawsky; Charles N. Payne; T. Sundquist; D. Apostal; T. Fine

Complex systems must be analyzed in smaller pieces. Analysis must support both bottom-up (composition) and top-down (refinement) development, and it must support the consideration of several critical properties, e.g., functional correctness, fault tolerance and security, as appropriate. We describe a mathematical framework for performing composition and refinement analysis and discuss some lessons learned from its application. The framework is written and verified in PVS.


Archive | 2007

Locally adaptable central security management in a heterogeneous network environment

Daniel Jay Thomsen; Richard C. O'Brien; Jessica Bogle; Charles N. Payne


Archive | 2002

Associative policy model

Thomas R. Markham; Jessica Bogle; Charles N. Payne


Archive | 2012

Multi-domain information sharing

Charles N. Payne; Jason D. Sonnek; Steven A. Harp; Richard C. O'Brien; Johnathan Gohde

Collaboration


Dive into Charles N. Payne's collaboration.

Top Co-Authors

Andrew P. Moore

United States Naval Research Laboratory

Johnathan Gohde

General Dynamics Advanced Information Systems

Judith N. Froscher

United States Naval Research Laboratory
