John P. McDermott
United States Naval Research Laboratory
Publication
Featured research published by John P. McDermott.
ACM Computing Surveys | 1994
Carl E. Landwehr; Alan R. Bull; John P. McDermott; William S. Choi
An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this method of organizing security flaw data can help those who have custody of more representative samples to organize them and to focus their efforts to remove and, eventually, to prevent the introduction of security flaws.
Annual Computer Security Applications Conference | 2001
John P. McDermott
This paper describes an extension to abuse-case-based security requirements analysis that provides a lightweight means of increasing assurance in security-relevant software. The approach is adaptable to lightweight software development processes but results in a concrete and explicit assurance argument. Like abuse-case-based security requirements analysis, this approach is suitable for use in projects without security experts. When used in this way (without security experts) it will not produce as much assurance as the more traditional alternatives, but arguably gives better results than ad hoc consideration of security issues.
IEEE Computer Security Foundations Symposium | 1996
John P. McDermott; David M. Goldschlag
Storage jamming can degrade real-world activities that share stored data. Storage jamming is not prevented by access controls or cryptographic techniques. Verification to rule out storage jamming logic is impractical for shrink-wrapped software or low-cost custom applications. Detection mechanisms do offer more promise. In this paper, we model storage jamming and a detection mechanism, using Unity logic. We find that Unity logic, in conjunction with some high-level operators, models storage jamming in a natural way and allows us to reason about susceptibility, rate of jamming, and impact on persistent values.
Third IEEE International Workshop on Information Assurance (IWIA'05) | 2005
John P. McDermott
Previous quantitative models of security or survivability have been defined on a range of probable intruder behavior. This measures survivability as a statistic such as mean time to breach. This kind of purely stochastic quantification is not suitable for high-consequence systems. For high-consequence systems the quantified survivability should be based on the most competent intruders the system is likely to face. We show how to accomplish this with a contingency analysis based on variations in intruder attack-potential. The quantitative results are then organized and presented according to intruder attack potential. Examples of the technique are presented using stochastic process algebra. An interesting result for diverse replication is included in the examples.
Annual Computer Security Applications Conference | 1991
John P. McDermott; Sushil Jajodia; Ravi S. Sandhu
The replicated architecture for multilevel secure database systems provides security by replicating data into separate untrusted single-level database systems. To be successful, a system using the replicated architecture must have a concurrency and replica control algorithm that does not introduce any covert channels. Jajodia and Kogan (1990) have developed one such algorithm that uses update projections and a write-all replica control algorithm. The authors describe an alternative algorithm. The new algorithm uses replicated transactions and a set of queues organized according to security class. A new definition of correctness is required for this approach, so they present one and use it to show that the algorithm is correct. The existence of this new algorithm increases the viability of the replicated architecture as an alternative to kernelized approaches.
Formal Methods in Security Engineering | 2008
John P. McDermott; Leo Freitas
The up-front choice of security policy and formalism used to model it is critical to the success of projects that seek to enforce information-flow security. This paper reports on the Xenon project's choice of policy and formalism. Xenon is a high-assurance separation hypervisor based on re-engineering the Xen open-source hypervisor. Xenon's formal policy both guides the re-engineering and serves as a basis for formal modelling. Definitions of information-flow security can be difficult to apply, because in general they are not preserved by refinement. Roscoe, Woodcock, and Wulf have defined an information-flow policy that is preserved by refinement, but it is defined in a purely event-based formalism that does not directly support refinement into state-rich implementations like hypervisor internals. Circus is a combination of Z, CSP, and Hoare and He's unifying theories of programming. Circus is suited for both event-based and state-based modelling. In this paper, we show how to define an information-flow policy in Circus that is also preserved by refinement. Because Circus retains the human-readability of Z, heuristic application of the policy to re-engineering is simplified and a larger open source community can be supported. Because Circus can easily model state-rich implementations of event-based security policies, the Xenon model can support complete policy-to-code modelling in a single language.
IEEE Symposium on Security and Privacy | 1992
Oliver Costich; John P. McDermott
A definition of multilevel transaction for multilevel secure databases is proposed, and a notion of correctness that is consistent with the traditional idea of correctness of replicated systems is defined. To demonstrate the applicability of these ideas, an algorithm for correct transaction processing within this framework is presented for replicated architecture multilevel databases.
New Security Paradigms Workshop | 2005
John P. McDermott
This paper argues that the existing model-driven architecture paradigm does not adequately cover the visual modeling of security protocols: sequences of interactions between principals. A security protocol modeling formalism should be not only well-defined but also support event-based, compositional, comprehensive, laconic, lucid, sound, and complete modeling. Candidate visual approaches from both the OMG's MDA and other more well-defined formalisms fail to satisfy one or more of these criteria. By means of two example security protocol models, we present the GSPML visual formalism as a solution.
International Conference on Distributed Computing Systems Workshops | 2010
Anya Kim; John P. McDermott; Myong H. Kang
Security concerns with respect to cloud computing have impelled the private sector to suggest a hybrid cloud architecture consisting of private and public clouds. For national security purposes, we advocate a hybrid cloud model that consists of private, public and community clouds. The community clouds in this architecture are as defined by NIST, and will be used for inter-agency and community-of-interest (COI) information sharing and collaboration needs. The security requirements and characteristics of private and public clouds will not differ greatly from the private sector. However, while the architectural characteristics remain the same, we believe that national security community clouds will have different security features than the typical community cloud in order to support COI requirements. In this paper, we focus on the requirements and characteristics of national security community clouds that can meet the needs of COIs.
Annual Computer Security Applications Conference | 1994
Judith N. Froscher; Myong H. Kang; John P. McDermott; Oliver Costich; Carl E. Landwehr
Current projects aimed at providing MLS computing services rarely seem to exploit advances in related fields. Specifically, the concepts of data distribution, replication, and interoperation are currently receiving much attention in the commercial database system sector but have yet to be applied to the delivery of MLS computing services. This paper explains how these concepts might help deliver MLS computing services relatively quickly and cheaply, and how they can ease integration of legacy systems and new technology into future MLS cooperative, distributed computing environments.