Glenn H. MacEwen

A logic for reasoning about security

A formal framework called <italic>Security Logic</italic> (<italic>SL</italic>) is developed for specifying and reasoning about security policies and for verifying that system designs adhere to such policies. Included in this modal logic framework are definitions of <italic>knowledge, permission,</italic> and <italic>obligation</italic>. Permission is used to specify secrecy policies and obligation to specify integrity policies. The combination of policies is addressed and examples based on policies from the current literature are given.

Performance of Movable-Head Disk Storage Devices

A queueing model of movable-head disk storage systems is developed so that the performance, as measured by the mean response time, can be calculated. Queue scheduling algorithms which improve the performance are considered. Single-module disk systems are analyzed, incorporating the SCAN scheduling algorithm suggested by Denning so that comparisons with the FIFO algorithm are possible. This analysis is extended to multimodule systems whereby tables of approximate glean response values time can be calculated over system parameters describing equipment characteristics, equipment configuration, system loading, file organization, and scheduling algorithm (SCAN or FIFO). The use of such tables is discussed and the applicability of the analysis to a recently marketed disk is noted.

RNet: A Hard Real-Time Distributed Programming System

RNet is a high-level programming system for building and executing distributed hard real-time programs. The main objective in developing RNet is to investigate how high-level programming concepts and tools can be used to simplify the real-time programming task. A distributed real-time program in RNet consists of a configuration specification that outlines the structure and real-time properties of the program, and a set of program modules written in a high-level programming language. The RNet configuration system performs a static feasibility analysis of the specifications and handles the construction, distribution, and execution of the program. A debugging and timing analysis system, currently under development and not described here, will be used to measure the real-time characteristics of network resources and the application program, and to perform a validation of the specifications via simulation. The distributed RNet kernel provides run-time support for message-passing and real-time scheduling. The RNet programming model, based on message ports having associated deadlines, provides the programmer with a direct means of expressing a variety of real-time behavioral effects in a way that can be validated. In particular, timing constraints can be used to obtain reliable event synchronization. Some properties that are considered desirable in a high-level distributed real-time programming system are identified. These address issues such as program moduilarity and reconfigurability, timing constraint specification, validation and enforcement, real-time event handling, I/O and exception handling, logical and physical structure specification, and program analysis. The degree to which RNet succeeds in possessing these properties is discussed.

Using Higher-order Logic for Modular Specification of Real-time Distributed Systems

The problem of specifying and verifying modular components of real-time distributed systems is investigated, and a theory for a distributed real-time logic (DRTL), based on Jahanian and Moks RTL, is presented. DRTL is proposed as a good basis in which to express the semantics of higher level specification languages.

Reasoning about knowledge in multilevel secure distributed systems

A method for reasoning about knowledge in multilevel secure distributed systems is introduced. This method, based on a behavioral semantics for operator nets, can be used to specify a variety of security properties such as nondisclosure, integrity, and authority systems. The major attributes of the method are the intuitive nature of the specifications and the expressibility of the model, which allows statements about temporal properties and deductive capabilities of processes.<<ETX>>

The development and proof of a formal specification for a multilevel secure system

This paper describes current work on the design and specification of a multilevel secure distributed system called SNet. It discusses security models in general, the various problems of information flows in SNet, and the abstract and concrete security model components for SNet. It also introduces Lucid as a language for specifying distributed systems. The model components are expressed in Lucid; these Lucid partial specifications are shown to be correct with respect to the formal model, and the two model components are shown to be consistent. The complete functional specification of SNet in Lucid, its implementation in Concurrent Euclid, and the verification of the implementation with respect to the Lucid specification are not discussed.

Behavioral views for software requirements engineering

This paper introduces the idea of a software behavioural view: intuitively, this is a complete description of the behaviour of the system observable from a specific point of view. We believe that a fully developed methodology based on views would significantly reduce the complexity of creating and understanding software requirements. In this paper we take the first steps towards such a methodology. We define a formal notation, Viewcharts, with a well-defined semantics based on Statecharts. Viewcharts gives a means for precisely describing views and their compositions. We show that Viewcharts reasonably capture the informal idea of a view by giving an example: a manufacturing control system. We show that Viewcharts have some advantages over Statecharts; in particular, Viewcharts add name space control to limit the scope of broadcast communication, solving a problem with Statecharts presented by Harel.

Obligation as the basis of integrity specification

It is suggested that the notion of obligation found in modal logic can be used as the fundamental notion in formally specifying integrity. Integrity as represented by Clark-Wilson-type models is discussed. It is argued that the essential part of their model, for the purpose of formal specification, is an expression of required connectivity in a graph representing integrity subjects. A review of knowledge logic is given, followed by a discussion of a logic of security that contains operators for knowledge and obligation. A formal semantic definition of integrity based on operator nets is given.<<ETX>>

Information Flow Certification Using an Intermediate Code Program Representation

This paper describes a compile-time information flow control (IFC) mechanism that certifies secure information flow within the collection of objects accessed by a program. The IFC mechanism is based on the lattice model and certification mechanism of Denning, who proposes the use of the mechanism during the analysis phase of compilation. However, IFC is placed after semantic analysis and before code optimization by ufilizing an intermediate code representation. This reduces the complexity of IFC and allows a degree of language independence. An implentation has been developed for Pascal.

Task behavior monitoring for adaptive real-time communication

Real-time distributed systems include communicating tasks that interact via message-passing. In such systems the timely delivery of messages is essential for meeting task timing constraints. Consequently, in addition to task execution times, message delivery times must also be constrained. In order to minimize the number of failures to meet timing constraints message communication protocols, in addition to task scheduling algorithms, play a crucial role. A legitimate question to ask is whether making such protocols adaptive to run-time system and environment status can significantly improve system performance. Consequently, a rum-time monitoring approach to adaptive real-time distributed systems is proposed; the work focuses on an investigation of adaptive message communication protocols and corresponding run-time support mechanisms. Simulation is used to obtain performance results. It is concluded that although improvement is obtained it ,ay not be significant enough to offset the increased overhead and requirement for task information.