Richard C. O'Brien

Napoleon: network application policy environment

Napoleon consists of three parts; a model for specifying security policies for a heterogeneous set of network resources: a graphical tool for manipulating the model and software to translate the policy to target security mechanisms. This paper focuses on how the layered policy approach in the Napoleon model has been generalized to allow for adding additional layers. For the Napoleon tool a new approach for manipulating the role hierarchy is discussed.

Napoleon: a recipe for workflow

The paper argues that Napoleon, a flexible, role-based access control (RBAC) modeling environment, is also a practical solution for enforcing business process control, or workflow policies. Napoleon provides two important benefits for workflow: simplified policy management and support for heterogeneous, distributed systems. We discuss our strategy for modeling workflow in Napoleon, and we present an architecture that incorporates Napoleon into a workflow management system.

Linux kernel loadable wrappers

This paper describes the results of the Hypervisors for Security and Robustness (Kernel Hypervisors) program. Using the concept of a loadable module, kernel loadable wrappers (KLWs) were implemented in a Linux kernel. These kernel loadable wrappers provide unbypassable security wrappers for application specific security requirements and can also be used to provide replication services. KLWs have a number of potential applications, including protecting user systems from malicious active content downloaded via a Web browser and wrapping servers and firewall services for limiting possible compromises. This paper also includes a summary of the composability analysis that was done on the program.

Trapping Malicious Insiders in the SPDR Web

The insider threat has assumed increasing importance as our dependence on critical cyber information infrastructure has increased. In this paper we describe an approach for thwarting and attributing insider attacks. The Sense, Prepare, Detect, and React (SPDR) approach utilizes both a highly intelligent software reasoning system to anticipate, recognize, respond to, and attribute attacks as well as a widely distributed set of hardware-based sensor-effectors to provide alerts used by the reasoning system and to implement responses as directed by it. Using hardware sensor-effectors greatly reduces the risk that a savvy malicious insider can bypass or cripple the system’s monitoring and control capabilities. In this paper we describe the prototype SPDR system and the results of its successful evaluation by an independent, DARPA-sponsored Red Team. We conclude with thoughts on possible SPDR enhancements and further research.

Virtual Private Groups for Protecting Critical Infrastructure Networks

In an era when critical infrastructure networks are increasingly less isolated and more accessible from open networks, including the Internet, the air-gap security that these critical networks once enjoyed no longer exists. Malicious individuals can exploit this network connectivity, in conjunction with security weaknesses in widely used, homogeneous, COTS (commercial off-the-shelf) products, to penetrate deep within an organizations critical networks. Such an attack on SCADA (Supervisory Control And Data Acquisition) and Process Control networks could have devastating consequences. This paper describes an approach, Virtual Private Groups (VPGs), for creating and managing a virtual air-gap between these networks and the environments in which they may operate. After a brief description of the security issues that confront these networks, we describe our approach for addressing them. Many of the ideas presented here are the result of work done while implementing a version of VPGs directed towards critical infrastructure networks. In the process of doing that work we made a number of advances in managing policy for VPG and related mechanisms.

The case for prevention-based, host-resident defenses in the modern PCS network

The process control system (PCS) owner can no longer rely on a physical air gap and custom hardware to protect her network from attack. Demand for greater visibility into PCS operations, coupled with greater use of commodity hardware, now exposes the PCS network to the same threats facing other networks. To address these threats, we argue for the deployment of prevention-based, host-resident, network layer devices, coupled with scalable, service-based management, that will not only protect PCS communications but will also support higher level reasoning about PCS trustworthiness. We explain why the modern PCS network is particularly well-suited for this approach, and we highlight where our own research supports this claim.