P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, pages 136150. IEEE, 1999. Extended version as University of Cambridge TR 463, 1999.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....guarantee that the code will behave in an expected way. Di#erent static checking mechanisms have been suggested to address specific security properties of programs: a security sensitive type system [5] wrappers which encapsulate untrusted programs and implement security concerned properties [7], and so on. They give the users better facilities to address security properties than typical type checking does, but they still su#er from a lack of expressiveness since their security or linking policies are fixed and encoded in their type or logic systems. This material is based upon work ....

Sewell and Vitek. Secure composition of insecure components. In PCSFW: Proceedings of The 12th Computer Security Foundations Workshop, 1999.

....introduce hooks into the program, either at compile time or load time, in order to rcify runtime events, mostly method invocation. They do not require any modification to the VM, which explains why some low level events cannot be rcificd. 2. 3 Component Based Architecture and MOPs As observed in [27], monolithic programs are now being gradually replaced with programs that are made up of a number of components, originating from various 2 formerly known as MetaJava 3 By type here we mean primitive types, arrays, classes, and interfaces. sources and with various levels of trust, plus some ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the Computer Security Foundations Workshop, CSFW-12, 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D# Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others 1 . The Ambient Calculus (henceforth, AC) is a recent addition to this list and the starting point of our investigation. Our long term interest is the design and implementation of a strongly typed programming language for mobile computation. Part of ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D# Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others 1 . The Ambient Calculus (henceforth, AC) is a recent addition to this list and the starting point of our investigation. Our long term interest is the design and implementation of a strongly typed programming language for mobile computation. Part of ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....x#y# (c x(z) b) # (x#y# x(z) b) c y z b c . The ease with which reaction rules are defined in this style facilitated an outpouring of new process calculi for modelling encrypted communication [AG97] secure encapsulation 1.2. Historical background and motivation 7 [SV99] agent migration [CG98, Sew98, FGL 96] and so on. Each isolates a computational phenomenon and presents it via a reaction rule together with a structural congruence over some syntax. Here are two examples of reaction rules: In Cardelli and Gordon s ambient calculus, one ambient may move ....

P. Sewell and J. Vitek. Secure compositions of insecure components. In Proc. 12th Computer Security Foundations Workshop. IEEE Press, June 1999. {7}

....and then to send the message to this location in an other step. An alternate approach would simply consist in sending a message on a dynamic name that is not de ned locally to the parent location, which would then deal with the message (this second incremental approach is similar to [6] and [19]) The two semantics yield two di erent behaviors but, surprisingly enough, the type system presented in this paper is also sound for the second system. The primary goal of [1] is to guarantee receptiveness of channel names and deadlock freedom in a calculus with localities. The receptiveness ....

....if it was not given the capability to do so. In the local area calculus [7] localities form a xed hierarchy of levels that do not migrate. Channels have a level of operation, meaning that no communication on such a channel may cross the boundary of an higher level area. In the box calculus [19], localities also form a xed hierarchy, and communication may cross only one locality boundary at a time. This calculus aims at controlling the ow of information between localities. The higher order calculus of [21] also deals with access control, by explicitly specifying for each input which ....

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of CSFW 99: The 12th IEEE Computer Security Foundations Workshop (Mordano, Italy), pages 136{ 150. IEEE Computer Society, June 1999.

....Each channel belongs to one and only one seal. Some syntactic constructs allow the owner of a channel to regulate remote accesses to it and, thus, to control both remote communication and mobility. 3 A similar solution was independently proposed for a calculus without agent mobility in [17]. between the current seal and the parent seal and that actions on it will synchronize with processes in the parent, and finally the shared channel x z admits interactions between the current seal and a child seal named z. These interactions are expressed by the first three rules in Figure 1. ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop, 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D# Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others. 1 The Ambient Calculus [Car99] is a recent addition to this list and the starting point of our investigation. Our main interest is the design of a strongly typed programming language for mobile computation. Part of this effort is an examination of the ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....if it was not given the capability to do so. In the local area calculus [7] locatilities form a xed hierarchy of levels that do not migrate. Channels have a level of operation, meaning that no communication on such a channel may cross the boundary of an higher level area. In the box calculus [16], localities also form a xed hierarchy, and communication may cross only one locality boundary at a time. The goal of this work is to control the ow of information between the localities. The higher order calculus of [17] also deals with access control, by explicitely specifying for each input ....

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of CSFW 99: The 12th IEEE Computer Security Foundations Workshop (Mordano, Italy), pages 136-150. IEEE Computer Society, June 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others 1 . The Ambient Calculus (henceforth, AC) is a recent addition to this list and the starting point of our investigation. Our long term interest is the design and implementation of a strongly typed programming language for mobile computation. Part of this ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others. 1 The Ambient Calculus (henceforth, AC) is a recent addition to this list and the starting point of our investigation. Our long term interest is the design and implementation of a strongly typed programming language for mobile computation. Part of this ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....has gone into the study of mobile computation and programming languages that support it. On the theoretical side of this research, several concurrent and distributed calculi have been proposed, such as the Distributed Join Calculus [FGL 96] the D Calculus [RH98, RH99] the Box Pi Calculus [SV99] the Seal Calculus [VC99] among others. 1 The Ambient Calculus (henceforth, AC) is a recent addition to this list and the starting point of our investigation. Our long term interest is the design and implementation of a strongly typed programming language for mobile computation. Part of this ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....Each channel belongs to one and only one seal. Some syntactic constructs allow the owner of a channel to regulate remote accesses to it and, thus, to control both remote communication and mobility. 3 A similar solution was independently proposed for a calculus without agent mobility in [12]. 4 The first five process constructs have the same meaning as in the calculus, namely: the 0 process does nothing, the composition P j Q denotes two processes P and Q running in parallel, the replication P unleashes an unbounded number of copies of P , the restriction ( x)P introduces a new ....

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop, 1999.

....syntax of our source calculus is given in Figure 1. A distributed computation is modeled as a con guration, that is, as an assembly of processes. Each process corresponds to a principal or location (in the sense of the distributed join calculus and of other process calculi with locations, e.g. [12, 31, 6]) We let A be a countable set of principal names, and (Na)a2A be a family of countable, disjoint sets of channel names indexed by principals. Hence, every channel name corresponds to one principal. We implicitly rely on a type system (see the appendix) assume that every set Na contains in ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, pages 136{ 150, 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. Technical Report 463, Computer Laboratory, University of Cambridge, Apr. 1999.

.... ( x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q i P Q. This give con dence that the labelled semantics carries enough information. The proof is somewhat delicate; it is sketched in [29] and given in detail in [28] 7 3 A Filtering Example To demonstrate the use of box we give the de nition of a wrapper that restricts the interface for user programs. In most operating systems, programs installed and run by a user enjoy the same access rights as the user, so if the user is ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. Trusted objects, Centre Universitaire d'Informatique, University of Geneva, July 1999. Also available as University of Cambridge TR 463.

....the user to typecheck, our type system must admit programs with badly typed subcomponents. Expressing wrappers requires a language for composing concurrently executing components, including primitives for encapsulating components and controlling their interactions. We use the box calculus of [28], recapitulated in Sections 2 and 3. Box is a minimal extension of the calculus with encapsulation; it is suciently expressive for components and wrappers while retaining the simplicity and tractable semantics needed for proving properties. Moreover Pict [22] demonstrates how to build a real ....

....2 omitting all transition subscripts, occurrences of C : and occurrences of C . We write A; x for A [ fxg where x is assumed not to be in A, and A; p for the union of A and the names occurring in the pattern p, where these are assumed disjoint. The labelled semantics is explained further in [28]. It is similar to a standard semantics but must also deal with boxes and with reductions such as ( x)x z) j n[0] x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q i P Q. This ....

[Article contains additional citation context not shown here]

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....of mobile programs. In fact, a related project is investigating formal proof techniques for agent systems [35, 34] This project has defined a formal semantics of JavaSeal as a process calculus and has been able to validate some security properties, for example confinement by formal proofs [34, 31]. We begin by clarifying our use of terminology. A mobile agent platform is an execution environment for mobile agents. A platform is located on a single network node, several platforms connected by a communication infrastructure form a mobile agent network. A mobile agent is a program, in our ....

P. Sewell and J. Vitek. Secure composition of insecure components. In IEEE Computer Security Foundations Workshop (CSFW12), Mordano, Italy, June 1999.

....process languages. In particular, we would like a categorical understanding of our operations for the two models, related by the results presented in Section 6. One could then use these results to address the problem of giving causal semantics to variants of the calculus, e.g. the box of [53, 54], for which an approximate notion of causality is used to state security properties. Preliminary discussion of this, and of other future directions, can be found in Section 8. Among earlier models of processes, the name passing synchronisation trees of [27] and presheaves of [12] are the ....

.... It is also worth noticing that while the domain models are tailored for late bisimulation, our focus here is on early semantics, both to obtain a simpler notion of transition system, and because we have found the early style suits work on concurrent language semantics and on secure encapsulation [51, 53, 54, 52]. Presheaf models exist for both early and late notions [10] Moreover we should add that, in contrast to [56, 20] which have full abstraction results wrt. strong bisimulation) we focus on intensional models, over which a number of equivalences can be de ned (though we give results only for ....

[Article contains additional citation context not shown here]

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop. Mordano, Italy, pages 136-150. IEEE Computer Society, June 1999. Extended version as University of Cambridge TR 463, 1999.

....( x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q i P Q. This give con dence that the labelled semantics carries enough information. The proof is somewhat delicate; it is sketched in [SV99b] and given in detail in [SV99a] 3 A Filtering Example To demonstrate the use of box we give the de nition of a wrapper that restricts the interface for user programs. In most operating systems, programs installed and run by a user enjoy the same access rights as the user, so if the user is ....

....considering simply processes, we believe that intensional properties stated in terms of causal ow will generally imply properties stated purely in terms of trace sets. As a starting point, we show that our type system implies a non interference property (similar to the permutation property of [SV99b] but for processes rather than wrappers) in a particular case. We prove that an output on a low channel can always be permuted before an input on a higher channel (with respect to the lattice of sets of colours) Proposition 9 If L ( H and fh : chan H U; l : chan L V g P : proc ; then ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. Trusted objects, Centre Universitaire d'Informatique, University of Geneva, July 1999. Also available as University of Cambridge TR 463.

....the user to typecheck, our type system must admit programs with badly typed subcomponents. Expressing wrappers requires a language for composing concurrently executing components, including primitives for encapsulating components and controlling their interactions. We use the box calculus of [SV99a] recapitulated in Sections 2 and 3. Box is a minimal extension of the calculus with encapsulation; it is suciently expressive for components and wrappers while retaining the simplicity and tractable semantics needed for proving properties. Moreover Pict [PT99] demonstrates how to build a ....

....2 omitting all transition subscripts, occurrences of C : and occurrences of C . We write A; x for A [ fxg where x is assumed not to be in A, and A; p for the union of A and the names occurring in the pattern p, where these are assumed disjoint. The labelled semantics is explained further in [SV99a] It is similar to a standard semantics but must also deal with boxes and with reductions such as ( x)x n z) j n[0] x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q i P Q. ....

[Article contains additional citation context not shown here]

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

....and Nomadic calculi of Sewell, Wojciechowski and Pierce [SWP98] introduced to study communication infrastructures for mobile agents. The Seal calculus of Vitek and Castagna [VC98] focussing on protection mechanisms including revocable capabilities. The Box calculus of Sewell and Vitek [SV99, SV00], used to study secure encapsulation of untrusted components and causality typing. Grouping The rst point is that standard calculi do not have any notion of the identity of processes; the syntax describes only collections of atomic processes (outputs, inputs etc. in parallel. For example, ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop. Mordano, Italy, pages 136-150. IEEE Computer Society, June 1999.

.... It is also worth noticing that while the domain models are tailored for late bisimulation, our focus here is on early semantics, both to obtain a simpler notion of transition system, and because we have found the early style suits work on concurrent language semantics and on secure encapsulation [Sew97, SV99a, SV99b, Sew00]. Presheaf models exist for both early and late notions [Cat99] Moreover we should add that, in constrast to [Sta96, FMS96] which have full abstraction results wrt. strong bisimulation) we focus on intensional models, over which a number of equivalences can be de ned (though we give results ....

....provide a basis for proofs and model checking of cryptographic protocols. In particular, it would support direct (i.e. not via a process calculus syntax) de nitions of behaviours, as in [Pau98] while still allowing composition of these behaviours. Thirdly, developing work on secure encapsulation [SV99a, SV99b], quantifying over elements of the model, rather than over syntactic processes, would allow stronger security properties to be stated. We state conjectures relating the coloured calculus semantics an approximate but simple notion of causality used there to state security properties to N LATS. ....

[Article contains additional citation context not shown here]

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, pages 136150. IEEE, 1999. Extended version as University of Cambridge TR 463, 1999.

....and Nomadic calculi of Sewell, Wojciechowski and Pierce [SWP98] introduced to study communication infrastructures for mobile agents. The Seal calculus of Vitek and Castagna [VC98] focussing on protection mechanisms including revocable capabilities. The Box calculus of Sewell and Vitek [SV99a, SV99b], used to study secure encapsulation of untrusted components and causality typing. Grouping The rst point is that standard calculi do not have any notion of the identity of processes; the syntax describes only collections of atomic processes (outputs, inputs etc. in parallel. For example, ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop. Mordano, Italy, pages 136-150. IEEE Computer Society, June 1999.

....x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q iff P Q. This give con dence that the labelled semantics carries enough information. The proof is somewhat delicate; it is sketched in [SV99b] and given in detail in [SV99a] 3 A Filtering Example To demonstrate the use of box we give the de nition of a wrapper that restricts the interface for user programs. In most operating systems, programs installed and run by a user enjoy the same access rights as the user, so if the user is ....

....considering simply processes, we believe that intensional properties stated in terms of causal ow will generally imply properties stated purely in terms of trace sets. As a starting point, we show that our type system implies a noninterference property (similar to the permutation property of [SV99b] but for processes rather than wrappers) in a particular case. We prove that an output on a low channel can always be permuted before an input on a higher channel (with respect to the lattice of sets of colours) Proposition 9 If L ( H and fh : chan H U; l : chan L V g P : proc ; then ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. Trusted objects, Centre Universitaire d'Informatique, University of Geneva, July 1999. Also available as University of Cambridge TR 463.

....the user to typecheck, our type system must admit programs with badly typed subcomponents. Expressing wrappers requires a language for composing concurrently executing components, including primitives for encapsulating components and controlling their interactions. We use the box calculus of [SV99a] recapit ulated in Sections 2 and 3. Box is a minimal extension of the calculus with encapsulation; it is suf ciently expressive for components and wrappers while retaining the simplicity and tractable semantics needed for proving properties. Moreover Pict [PT99] demonstrates how to build a ....

....3 omitting all transition subscripts, occurrences of C : and occurrences of C . We write A; x for A[fxg where x is assumed not to be in A, and A; p for the union of A and the names occurring in the pattern p, where these are assumed disjoint. The labelled semantics is explained further in [SV99a] It is similar to a standard semantics but must also deal with boxes and with reductions such as ( x)x n z) j n[0] x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q iff P ....

[Article contains additional citation context not shown here]

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW12) , Mordano, Italy, June 1999.

....level in the hierarchy are scrutinized and controlled by higher levels. The hierarchical model guarantees that a policy defined at some level will not be bypassed or amended at lower levels. When coupled with mediation this gives rise to programming styles that emphasize interposition techniques [26, 17, 33]. 2.1 Abstractions Seal unifies several concepts from distributed programming into three abstractions: locations; processes and resources. Locations are meant to stand for physical places such as those delimited by the boundaries of address spaces, host machines, routers, firewalls, local area ....

....informal and ad hoc. For Seal to be used to state and prove security properties it is necessary to define a theory of proof, to develop some techniques of proof, and to define suitable notions of observation , test , and specification (see e.g. 1] We are working in this direction [13, 33]. 5 Related work Ambients The Ambient calculus of Cardelli and Gordon [12] has been one of the inspirations of this work. Ambients resemble seals in the sense that they are named places with a hierarchical structure. The main difference between the models is that in the Ambient setting, mobility ....

P. Sewell and J. Vitek. Secure composition of insecure components. In Computer Security Foundations Workshop (CSFW-12). Mordano, Italy, June 1999.

....x)n[x z] in which a new bound name enters a box boundary. The two semantics coincide in the following sense. Theorem 1 If fn(P ) A then A P Q i P Q. 4 This give con dence that the labelled semantics carries enough information. The proof is somewhat delicate; it is sketched in [36] and given in detail in [35] 3 Security Wrappers This section presents three wrappers. The rst two are simple examples from [35] W 1 providing basic ltering and W 2 providing unidirectional asynchronous unordered ow between wrapped components. The third is more complex: F provides ....

Peter Sewell and Jan Vitek. Secure composition of insecure components. Trusted objects, Centre Universitaire d'Informatique, University of Geneva, July 1999. Also available as University of Cambridge TR 463.

....to the user. They allow more exible interaction than sandboxing, albeit coarser grain policies than proof carrying components or security type checked components. We are exploring secure composition using wrappers, focussing on the rigorous statement and proof of their security properties. In [35] we introduced the box calculus for studying wrappers, gave some simple examples, and discussed the security properties they should guarantee, including causal ow properties. In this paper we give a type system that allows constraints on causal ows to be enforced. Wrappers containing untrusted ....

....a type system that allows constraints on causal ows to be enforced. Wrappers containing untrusted (even badlytyped) components can be typed; the subject reduc tion theorem, given in this paper, then entails certain security properties of the wrapper. We consider more general wrappers than in [35], including FIFO communication between components. A wrapper should allow the user to explicitly specify the permitted ows between components, for example to ensure that an accounting package cannot leak information to a browser (and hence to the net) but nonetheless permitting downloads of ....

[Article contains additional citation context not shown here]

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, pages 136150. IEEE, 1999. Extended version as University of Cambridge TR 463, 1999.

No context found.

Peter Sewell and Jan Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

No context found.

P. Sewell and J. Vitek. Secure compositions of insecure components. In Proc. 12th Computer Security Foundations Workshop. IEEE Press, June 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of the 12th IEEE Computer Security Foundations Workshop, 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In Proceedings of CSFW 99 (Mordano, Italy), June 1999.

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop (CSFW-12), Mordano, Italy, June 1999. 1

No context found.

P. Sewell and J. Vitek. Secure composition of insecure components. In 12th IEEE Computer Security Foundations Workshop, 1999.

No context found.

Peter Sewell and Jan Vitek. Secure composition of insecure components. In Proceedings of CSFW 99: The 12th IEEE Computer Security Foundations Workshop (Mordano, Italy), pages 136-150. IEEE Computer Society, June 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC