
Publication


Featured research published by Mary Ellen Zurko.


IEEE Transactions on Software Engineering | 1991

A retrospective on the VAX VMM security kernel

Paul A. Karger; Mary Ellen Zurko; Douglas W. Bonin; Andrew H. Mason; Clifford Earl Kahn

The development of a virtual-machine monitor (VMM) security kernel for the VAX architecture is described. The focus is on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel has been developed with a heavy emphasis on performance and system management tools. The kernel performs sufficiently well that much of its development was carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.


IEEE Symposium on Security and Privacy | 1990

A VMM security kernel for the VAX architecture

Paul A. Karger; Mary Ellen Zurko; Douglas W. Bonin; Andrew H. Mason; Clifford Earl Kahn

The development of a virtual-machine monitor (VMM) security kernel for the VAX architecture is described. Particular focus is on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel was developed with a heavy emphasis on performance and on system management tools. The kernel performs sufficiently well that all of its development can be now carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.


IEEE Symposium on Security and Privacy | 1999

A user-centered, modular authorization service built on an RBAC foundation

Mary Ellen Zurko; Richard T. Simon; Tom Sanfilippo

Psychological acceptability has been mentioned as a requirement for secure systems for as long as least privilege and fail safe defaults, but until now has been all but ignored in the actual design of secure systems. We place this principle at the center of our design for Adage, an authorization service for distributed applications. We employ usability design techniques to specify and test the features of our authorization language and the corresponding administrative GUI. Our testing results reinforce our initial design center and suggest directions for deployment of our authorization services. A modular architecture allows us to experiment with our design during short term integration, and evolve it for longer term exploration. An RBAC foundation enables coherent design of flexible authorization constraints and queries. We discuss lessons learned from the implementation of this service through a planned deployment in a context that must balance new research in risk management with dependencies on legacy services.


Annual Computer Security Applications Conference | 2005

User-centered security: stepping up to the grand challenge

Mary Ellen Zurko

User-centered security has been identified as a grand challenge in information security and assurance. It is on the brink of becoming an established subdomain of both security and human/computer interface (HCI) research, and an influence on the product development lifecycle. Both security and HCI rely on the reality of interactions with users to prove the utility and validity of their work. As practitioners and researchers in those areas, we still face major issues when applying even the most foundational tools used in either of these fields across both of them. This essay discusses the systemic roadblocks at the social, technical, and pragmatic levels that user-centered security must overcome to make substantial breakthroughs. Expert evaluation and user testing are producing effective usable security today. Principles such as safe staging, enumerating usability failure risks, integrated security, transparent security and reliance on trustworthy authorities can also form the basis of improved systems.


Annual Computer Security Applications Conference | 2002

Did you ever have to make up your mind? What Notes users do when faced with a security decision

Mary Ellen Zurko; Charlie Kaufman; Katherine Spanbauer; Chuck Bassett

Designers are often faced with difficult tradeoffs between easing the user's burden by making security decisions for them and offering features that ensure that users can make the security decisions that are right for them and their environment. Users often do not understand enough about the impact of a security decision to make an informed choice. We report on the experience in a 500-person organization on the security of each user's Lotus Notes client against unsigned active content. We found that the default configuration of the majority of users did not allow unsigned active content to run. However, we found that when presented with a choice during their workflow, many of those otherwise secured users would allow unsigned active content to run. We discuss the features that are in Lotus Notes that provide security for active content and that respond to the usability issues from this study.


Certification and Security in E-Services | 2002

Performance Considerations in Web Security

Arun Iyengar; Ronald Mraz; Mary Ellen Zurko

This paper discusses techniques for improving Web performance and how they are affected by security. While security is an essential component for many Web applications, it can negatively affect performance. Encryption results in significant overhead. A scalable Web site deploying SSL has special load balancing requirements in order to allow efficient use of the protocol. We discuss how fragment-based creation of Web content can allow partial caching of pages containing encrypted content. We also discuss performance issues related to security checks on mobile code.


New Security Paradigms Workshop | 2017

Panel: Empirically-based Secure OS Design

Sam Weber; Adam Shostack; Jon A. Solworth; Mary Ellen Zurko

This NSPW panel discussed how we, as a community, should pursue evidence-based research on designs for commoditizable mass-market secure operating systems. This panel did not discuss what features or architectures should be adopted, but instead focused on how we evaluate competing features and designs. How can, or should, we gather data about the usability and resilience of secure OS designs without requiring massive implementations and deployments?


New Security Paradigms Workshop | 2001

Tracking influence through citation index comparisons and preliminary case studies panel position statement

Mary Ellen Zurko

We consider the influence of the New Security Paradigms Workshop by looking at the web citations to its papers in CiteSeer, and comparing those to another computer security workshop and a conference. We then go on to ask selected NSPW authors and NSPW 2001 attendees for their opinion of the influence of NSPW to date.


Archive | 2010

Business pre-permissioning in delegated third party authorization

Robert L. Yates; Prashant S. Kulkarni; Mary Ellen Zurko


Archive | 2010

Method and system for authenticating a rich client to a web or cloud application

Olgierd Stanislaw Pieczul; Mark Alexander McGloin; Mary Ellen Zurko; David S. Kern; Brent Allan Hepburn
