Jim Alves-Foss
University of Idaho
Publication
Featured research published by Jim Alves-Foss.
International Journal of Embedded Systems | 2006
Jim Alves-Foss; Paul W. Oman; Carol Taylor; W. Scott Harrison
High-assurance systems require a level of rigor, in both design and analysis, not typical of conventional systems. This paper provides an overview of the Multiple Independent Levels of Security and Safety (MILS) approach to high-assurance system design for security and safety critical embedded systems. MILS enables the development of a system using manageable units, each of which can be analysed separately, avoiding costly analysis required of more conventional designs. MILS is particularly well suited to embedded systems that must provide guaranteed safety or security properties.
Java Grande | 1999
Jim Alves-Foss
Formal Grammar for Java.- Formal Grammar for Java.- Type Soundness.- Describing the Semantics of Java and Proving Type Soundness.- Proving Java Type Soundness.- Machine-Checking the Java Specification: Proving Type-Safety.- Semantic Approaches.- An Event-Based Structural Operational Semantics of Multi-threaded Java.- Dynamic Denotational Semantics of Java.- A Programmer's Reduction Semantics for Classes and Mixins.- A Formal Specification of Java Virtual Machine Instructions for Objects, Methods and Subroutines.- The Operational Semantics of a Java Secure Processor.- A Programmer Friendly Modular Definition of the Semantics of Java.
Hawaii International Conference on System Sciences | 2004
Hyung-jick Lee; Jim Alves-Foss; Scott Harrison
Mobile agent technology is a new paradigm of distributed computing that can replace the conventional client-server model. However, it has not become popular due to some problems such as security. The fact that computers have complete control over all the programs makes it very hard to protect mobile agents from untrusted hosts. In this paper we propose a security approach for mobile agents, which protects mobile agents from malicious hosts. Our new approach prevents privacy attacks and integrity attacks to mobile agents from malicious hosts. This approach is an extension of mobile cryptography, as proposed by Sander and Tschudin, and it removes many problems found in the original idea of mobile cryptography while preserving most of the benefits. Although the original idea of mobile cryptography allowed direct computations without decryptions on encrypted mobile agents, it did not provide any practical ways of implementation due to the fact that no homomorphic encryption schemes are found for their approach. Our approach provides a practical idea for implementing mobile cryptography by suggesting a hybrid method that mixes a function composition technique and a homomorphic encryption scheme that we have found. Like the original mobile cryptography, our approach will encrypt both code and data including state information in a way that enables direct computation on encrypted data without decryption.
New Security Paradigms Workshop | 2001
Carol Taylor; Jim Alves-Foss
A new approach to network intrusion detection is needed to solve the monitoring problems of high volume network data and the time constraints for Intrusion Detection System (IDS) management. Most current network IDSs have not been specifically designed for high speed traffic or low maintenance. We propose a solution to these problems which we call NATE, Network Analysis of Anomalous Traffic Events. Our approach features minimal network traffic measurement, an anomaly-based detection method, and a limited attack scope. NATE is similar to other lightweight approaches in its simplified design, but our approach, being anomaly based, should be more efficient in both operation and maintenance than other lightweight approaches. We present the method and perform an empirical test using MIT Lincoln Labs data.
Hawaii International Conference on System Sciences | 2004
Jim Alves-Foss; Carol Taylor; Paul W. Oman
Past efforts at designing and implementing ultra high assurance systems for government security and safety have centered on the concept of a monolithic security kernel responsible for a system-wide security policy. This approach leads to inflexible, overly complex operating systems that are too large to evaluate at the highest assurance levels (e.g., Common Criteria EAL 5 and above). We describe a new multi-layered approach to the design and verification of embedded trustworthy systems that is currently being used in the implementation of real time, embedded applications. The framework supports multiple levels of safety and multiple levels of security, based on the principle of creating separate layers of responsibility and control, with each layer responsible for enforcing its own security policy.
Computer Networks | 2007
Shanyu Zheng; David Manz; Jim Alves-Foss
The management of secure communication among groups of participants requires a set of secure and efficient operations. In this paper we extend existing work to present a Communication-Computation Efficient Group Key Algorithm (CCEGK) designed to provide both efficient communication and computation, addressing performance, security and authentication issues of CCEGK. Additionally, we compare CCEGK with three other leading group key algorithms, EGK, TGDH, and STR. An analytical comparison of all algorithms revealed eight similar methods: add, remove, merge, split, mass add, mass remove, initialize, and key refresh. Comparing the cost in terms of communication and computation, we found CCEGK to be more efficient across the board.
New Security Paradigms Workshop | 2002
Carol Taylor; Jim Alves-Foss
This paper presents results of an empirical analysis of NATE (Network Analysis of Anomalous Traffic Events), a lightweight, anomaly based intrusion detection tool. Previous work was based on the simulated Lincoln Labs data set. Here, we show that NATE can operate under the constraints of real data inconsistencies. In addition, new TCP sampling and distance methods are presented. Differences between real and simulated data are discussed in the course of the analysis.
Operating Systems Review | 1995
Jim Alves-Foss; Salvador Barbosa
The lack of a standard gauge for quantifying computer system vulnerability is a hindrance to communicating information about vulnerabilities, and is thus a hindrance to reducing those vulnerabilities. The inability to address this issue through uniform semantics often leads to uncoordinated efforts at combating exposure to common avenues of exploitation. The de-facto standard for evaluating computer security is the government's Trusted Computer Evaluation Criteria, also known as the Orange Book. However, it is a generally accepted fact that the majority of non-government multi-user computer systems are classified into one of its two lower classes. The link between the higher classes and government classified data makes the measure unsuitable for commercial use. This project presents a feasible approach for resolving this problem by introducing a standardized assessment. It introduces a method, termed the System Vulnerability Index (SVI), that analyzes a number of factors that affect security. These factors are evaluated and combined, through the use of special rules, to provide a measure of vulnerability. The strength of this method is in its abstraction of the problem, which makes it applicable to various operating systems and hardware implementations. User and superuser actions, as well as clues to a potentially breached state of security, serve as the basis for the security relevant factors. Facts for assessment are presented in a form suitable for implementation in a rule-based expert system.
Formal Syntax and Semantics of Java | 1999
Jim Alves-Foss; Fong Shing Lam
This chapter presents a dynamic denotational semantics of the Java programming language. This semantics covers almost the full range of the base language, excluding only concurrency and the APIs. A discussion of these limitations is provided in the final section of the chapter.
IEEE Symposium on Security and Privacy | 2011
Joel Weis; Jim Alves-Foss
Database-as-a-service is one of many services being marketed as part of cloud computing. It has several major issues and concerns related to security, including data security, trust, expectations, regulations, and performance issues. Proposed resolutions include risk management and better contractual agreements, while solutions include database encryption and authenticity techniques. Other cloud computing issues include hardware security concerns and the balance of trust and risk.