Publication


Featured research published by Richard A. Kemmerer.


DARPA Information Survivability Conference and Exposition | 2000

The STAT tool suite

Giovanni Vigna; Steven T. Eckmann; Richard A. Kemmerer

Describes a suite of intrusion detection tools developed by the Reliable Software Group at the University of California at Santa Barbara (UCSB). The tool suite is based on the state transition analysis technique (STAT), in which computer penetrations are specified as sequences of actions that cause transitions in the security state of a system. This general approach has been extended and tailored to perform intrusion detection in different domains and environments. The most recent STAT-based intrusion detection systems were developed following a framework-based approach, and the resulting design uses a core module that embodies the domain-independent characteristics of the STAT approach. This generic core is extended in a well-defined way to implement intrusion detection systems for different domains and environments. The approach supports software reuse, portability and extendibility, and it allows for the optimization of critical functionalities.


Computer Aided Verification | 2000

Binary Reachability Analysis of Discrete Pushdown Timed Automata

Zhe Dang; Oscar H. Ibarra; Tevfik Bultan; Richard A. Kemmerer; Jianwen Su

We introduce discrete pushdown timed automata that are timed automata with integer-valued clocks augmented with a pushdown stack. A configuration of a discrete pushdown timed automaton includes a control state, finitely many clock values and a stack word. Using a pure automata-theoretic approach, we show that the binary reachability (i.e., the set of all pairs of configurations (α,β), encoded as strings, such that α can reach β through 0 or more transitions) can be accepted by a nondeterministic pushdown machine augmented with reversal-bounded counters (NPCM). Since discrete timed automata with integer-valued clocks can be treated as discrete pushdown timed automata without the pushdown stack, we can show that the binary reachability of a discrete timed automaton can be accepted by a nondeterministic reversal-bounded multicounter machine. Thus, the binary reachability is Presburger. By using the known fact that the emptiness problem is decidable for reversal-bounded NPCMs, the results can be used to verify a number of properties that can not be expressed by timed temporal logics for discrete timed automata and CTL* for pushdown systems.


European Software Engineering Conference | 1991

ASTRAL: An Assertion Language for Specifying Realtime Systems

Carlo Ghezzi; Richard A. Kemmerer

ASTRAL is a formal specification language for realtime systems. This paper discusses the rationale of ASTRAL's design and shows how the language builds on previous language experiments. ASTRAL is intended to support formal software development; therefore, the language itself has been formally defined. ASTRAL's specification style is illustrated by discussing a case study taken from telephony.


European Software Engineering Conference | 1994

A formal framework for ASTRAL intralevel proof obligations

Alberto Coen-Porisini; Richard A. Kemmerer; Dino Mandrioli

ASTRAL is a formal specification language for real-time systems. It is intended to support formal software development, and therefore has been formally defined. This paper focuses on how to formally prove the mathematical correctness of ASTRAL specifications. ASTRAL is provided with structuring mechanisms that allow one to build modularized specifications of complex systems with layering. In this paper, further details of the ASTRAL environment components and the critical requirements components, which were not fully developed in previous papers, are presented. Formal proofs in ASTRAL can be divided into two categories: interlevel proofs and intralevel proofs. The former deal with proving that the specification of level i+1 is consistent with the specification of level i, and the latter deal with proving that the specification of level i is consistent and satisfies the stated critical requirements. This paper concentrates on intralevel proofs.


Mathematical Foundations of Computer Science | 2000

Counter Machines: Decidable Properties and Applications to Verification Problems

Oscar H. Ibarra; Jianwen Su; Zhe Dang; Tevfik Bultan; Richard A. Kemmerer

We study various generalizations of reversal-bounded multicounter machines and show that they have decidable emptiness, infiniteness, disjointness, containment, and equivalence problems. The extensions include allowing the machines to perform linear-relation tests among the counters and parameterized constants (e.g., Is 3x-5y-2D1+9D2 < 12?, where x, y are counters, and D1, D2 are parameterized constants). We believe that these machines are the most powerful machines known to date for which these decision problems are decidable. Decidability results for such machines are useful in the analysis of reachability problems and the verification/debugging of safety properties in infinite-state transition systems. For example, we show that (binary, forward, and backward) reachability, safety, and invariance are solvable for these machines.


Annual Computer Security Applications Conference | 1999

Safe areas of computation for secure computing with insecure applications

A.L.M. dos Santos; Richard A. Kemmerer

Currently the computer systems and software used by the average user offer virtually no security. Because of this, many attacks, both simulated and real, have been described by the security community and have appeared in the popular press. The paper presents an approach to increase the level of security provided to users when interacting with otherwise unsafe applications and computing systems. The general approach, called Safe Areas of Computation (SAC), uses trusted devices, such as smart cards, to provide an area of secure processing and storage. The paper describes preliminary results of using the Safe Areas of Computation approach to protect specific browsing applications. The intent is for protected browsers to be used to interact with institutions that have requirements for high security, such as financial institutions that enable users to perform sensitive operations for electronic commerce or online banking.


Mobile Agents and Security | 1998

Web Browsers and Security

Flavio De Paoli; André L. M. dos Santos; Richard A. Kemmerer

Today the World Wide Web is considered to be a platform for building distributed applications. This evolution is made possible by browsers with processing capabilities and by programming languages that allow web designers to embed real programs into HTML documents. Downloading and executing code from anywhere on the Internet brings security problems along with it. A systematic and thorough analysis of security flaws in the browsers and related technology is necessary to reach a sufficient level of confidence. This paper presents some preliminary results of ongoing research that has the final goal of developing properties for secure browsers and procedures for secure browsing. The research started by investigating features provided by the standard environment. The paper describes some experimental attacks that have been carried out by exploiting features of Java and JavaScript executed by Netscape Navigator and Microsoft Explorer browsers.


Computing and Combinatorics Conference | 2001

Decidable Approximations on Generalized and Parameterized Discrete Timed Automata

Zhe Dang; Oscar H. Ibarra; Richard A. Kemmerer

We consider generalized discrete timed automata with general linear relations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the r-reset-bounded approximation, the B-bounded approximation, and the 〈B, r〉-crossing-bounded approximation), and derive automata-theoretic characterizations of the binary reachability under these approximations. The characterizations allow us to show that the safety analysis problem is decidable for generalized discrete timed automata with unit durations and for deterministic generalized discrete timed automata with parameterized durations. An example specification written in ASTRAL is used to run a number of experiments using one of the approximation techniques.


Archive | 2013

Formulating Cyber-Security as Convex Optimization Problems

Kyriakos G. Vamvoudakis; João P. Hespanha; Richard A. Kemmerer; Giovanni Vigna

Mission-centric cyber-security analysts require a complete overview and understanding of the state of a mission and any potential threats to their completion. To facilitate this, we propose optimization based algorithms that can be used to predict in real-time how an attacker may try to compromise a cyber-mission with a limited amount of resources, based on a model that takes into account potential damage to the mission and probabilistic uncertainty. Two different optimization schemes are considered: one where all the mission data is known a priori to the attacker and another where system identification and a moving horizon optimization is used to produce the estimates based on historical data. Our schemes are compared with real attacks carried out by human players in the 2011 international Capture The Flag (iCTF) hacking competition.


Fundamental Approaches to Software Engineering | 2000

Parallel Refinement Mechanisms for Real-Time Systems

Paul Z. Kolano; Richard A. Kemmerer; Dino Mandrioli

This paper discusses highly general mechanisms for specifying the refinement of a real-time system as a collection of lower level parallel components that preserve the timing and functional requirements of the upper level specification. These mechanisms are discussed in the context of ASTRAL, which is a formal specification language for real-time systems. Refinement is accomplished by mapping all of the elements of an upper level specification into lower level elements that may be split among several parallel components. In addition, actions that can occur in the upper level are mapped to actions of components operating at the lower level. This allows several types of implementation strategies to be specified in a fairly natural way, while the price for generality (in terms of complexity) is paid only when necessary. The refinement mechanisms are illustrated using a simple digital circuit and a much more complex example is sketched.

Collaboration



Top Co-Authors

Giovanni Vigna

University of California

Zhe Dang

Washington State University

Tevfik Bultan

University of California

Jianwen Su

University of California

Paul Z. Kolano

University of California
