Daryl McCullough

Noninterference and the composability of security properties

The problem of composability of multilevel security properties, particularly the noninterference property and some of its generalizations, is discussed. Examples are used to show that some of these security properties do not compose; it is possible to connect two systems, both of which are judged to be secure, so that the composite system is not secure. A property called restrictiveness is introduced that is generally composable, so that two restrictive systems connected legally result in a new restrictive composite system. A novel feature in the brief discussion of restrictiveness is a state-machine version of the property.<<ETX>>

A hookup theorem for multilevel security

A security property for trusted multilevel systems, restrictiveness, is described. It restricts the inferences a user can make about sensitive information. This property is a hookup property, or composable, meaning that a collection of secure restrictive systems when hooked together form a secure restrictive composite system. It is argued that the inference control and composability of restrictiveness make it an attractive choice for a security policy on trusted systems and processes. >

Knowledge requirements for the automatic generation of project management reports

The automatic generation of project management reports for software engineering projects puts special demands on the knowledge representation of software engineering environments (SEEs). This knowledge can best be represented as a process model, and must include a rich type hierarchy and various kinds of entity relations. Furthermore, histories must be maintained for certain types of information, and specific information about problems must be available. These types of knowledge, while useful in particular for automatic project reporting, are more generally important if a SEE is to provide comprehensive and useful services to a user.<<ETX>>

Security modeling in the Ulysses environment

The authors give an overview of how the Ulysses system can be used for security modeling. The default theory of security permits the security analysis of complex designs by decomposing them into their parts. System specifications may be made by using a specialized graphical language interface and a textual interface. In addition, there are a number of support tools which aid the modeler. One of these tools is the natural language component, which allows users to automatically generate short English descriptions of a graphical design. There is also a library component that facilitates the reuse of secure designs. In addition, there are mechanisms for adding security theories and other mathematical facts to augment the power of the theorem prover.<<ETX>>