J. McLean. The Specification and Modeling of Computer Security. IEEE Computer, 23(1):9--16, January 1990.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....Language (CAPSL) 9] is a highlevel language whose goal is to permit a security protocol to be specified once in a form that can act as as an interface to any type of analysis tool or technique. Techniques to specify guidelines for security protocol design and modelling have also been presented [2, 21, 18, 3]. The development of cryptographic logics to analyze security protocols has provided one technique for ensuring the correctness of security protocols. One of the primary reasons for using security logics is to determine whether a given protocol achieves its design goals. Another use is to help ....

J.D. McLean. The Specification and Modeling of Computer Security. Computer, 23(1), January 1990.

....security in terms of a program logic [3] without any models to relate the logic to the semantics of the programming language. The problem here is that an instrumented semantics or a security logic is just a definition, not subject to any further mathematical justification. McLean points out [30] in a related discussion about the (non language specific) Bell and LaPadula model: One problem is that : they [the Bell LaPadula security properties] constitute a possible implementation of security, rather than an abstract specification of what all secure systems must satisfy. By ....

McLean, J.: 1990b, `The Specification and Modeling of Computer Security'. Computer 23(1), 9--16.

....behaviour. The ability to dynamically create threads also leads to similar possibilities. 1.3. Related Work There is a substantial body of work in the security community in studying definitions and reasoning principles relating to information flow and confidentiality. For an overview see, e.g. [15]. The basic approach we take is based on an extentional characterisation usually known as noninterference. The particular flavour of noninterference studied here is most closely related to Gray s notion of PRestrictiveness [10] since it aims to eliminate dependence between classified data and ....

J. McLean. The specification and modeling of computer security. Computer, 23(1), January 1990.

....Merchant, or downloading some fancy piece of graphics from somewhere) as long as that behaviour does not depend on the value of acc. This type of confidentiality property is different and far more intensional than the MLS properties traditionally considered in the information flow literature (cf. [9]) There seems to be no useful way in which protocol entities or their actions can be assigned security levels. Neither is there a useful sense in which the role of the applet can be regarded as an information downgrader, for instance in the sense of intransitive information flow (cf. 17, 16] ....

J. McLean. The specification and modeling of computer security. Computer, 23(1):9--16, 1990.

....behaviour. The ability to dynamically create threads also leads to similar possibilities. 1.3 Related Work There is a substantial body of work in the security community in studying definitions and reasoning principles relating to information flow and confidentiality. For an overview see e.g. [McL90]. The basic approach we take is based on an extentional characterisation usually known as noninterference. The particular flavour of noninterference studied here is most closely related to Gray s notion of P Restrictiveness [Gra90] since it aims to eliminate dependence between classified data and ....

J. McLean. The specification and modeling of computer security. Computer, 23(1), January 1990.

....security in terms of a program logic 2 [3] without any models to relate the logic to the semantics of the programming language. The problem here is that an instrumented semantics or a security logic is just a definition, not subject to any further mathematical justification. McLean points out [24] in a related discussion about the (non language specific) Bell and LaPadula model: One problem is that : they [the Bell LaPadula security properties] constitute a possible implementation of security, rather than an abstract specification of what all secure systems must satisfy. ....

McLean, J. The specification and modeling of computer security. Computer 23, 1 (January 1990), 9--16.

....behaviour. The ability to dynamically create threads also leads to similar possibilities. 1.3 Related Work There is a substantial body of work in the security community in studying definitions and reasoning principles relating to information flow and confidentiality. For an overview see e.g. [McL90]. The basic approach we take is based on an extensional characterisation usually known as noninterference. The use of program analysis as a means to eliminate insecure flows was pioneered by Denning [Den76, DD77] A modern incarnation of this work which recasts Denning s analysis as a type system ....

J. McLean. The specification and modeling of computer security. Computer, 23(1), 1990.

....concluding remarks. 2 Relation to Other Work Before relating this paper to other work, we would like to emphasize several points. First, our work is concerned with access control, and does not address information flow control [4, 13, 28] Thus, the typical concerns in most security modeling work [12, 13, 27, 29] are orthogonal to the ones in this paper. In particular, these references focus on modeling the abstract security properties of a system as a whole, while our work has a more narrow focus on authorization only. Second, the research reported in this paper is mainly concerned with representation ....

J. McLean. The specification and modeling of computer security. Computer, 23(1):9--16, January 1990.

....logic programs. We also introduce two composition operators for policy bases, which are appropriate for modeling distributed systems with multiple administrative domains. In relating our research to previous work, we observe that our concerns are orthogonal to those of others in security modeling [11, 10, 21, 22]. These references are concerned with modeling abstract security properties of a system as a whole, which includes authorization as a key component. The papers by Abadi, et al. 2] and Lunt [19] are similar in spirit to ours, in that their focus is on understanding the semantics of authorization. ....

J. McLean. The specification and modeling of computer security. Computer, 23(1):9--16, January 1990.

....increase with the growth of the number of subjects and objects. In particular, the maintenance of such lists is expensive in terms of time and consumed computing resources. However, the access matrix provides a flexible model which can be used to analyze its security properties. It is known [23, 95] that the general safety problem is undecidable, i.e. there is no algorithm which can be used to verify the security of the access control matrix model. But it is still possible to restrict the model and design an algorithm which can be used to prove some security properties. Some work has been ....

John Mclean. The Specification and Modeling of Computer Security. Computer, January 1990.

....and to compare them. It is hardly surprising since in most engineering activities it is a current practice to develop several schemes of various aspects of one product. The idea of using diverse specifications of the same software was already suggested in [17] and [10] among several others. In [16] a similar technique was used to analyse security models: in that case, both a statebased and trace based approaches were used. It is interesting to note that here the two formal approaches do not address the same aspects of the system, and that, in this case, strong simplifications were done in ....

J. McLean. The Specification and Modeling of Computer Security. Computer, pp.9-16, January 1990.

....realizes the more abstract formal model. The research community has spent considerable effort on the first of these challenges. The security properties considered include non interference, information flow, and composability, with system models built using traces, CSP, and other formal languages [3, 6, 7, 8]. These behavioral models are far removed from the actual systems, making it extremely hard, if not impossible, to be convinced that an implementation satisfies the security properties proven about the model. On the other hand, commercially available systems, such as OSF s DCE 1.1, include a wide ....

J. McLean. The Specification and Modeling of Computer Security. IEEE Computer, 23(1):9--16, January 1990.

....An even more restricted session is like a board meeting, where only the board members can participate. From time to time non members are invited, but only if a majority of the members consent. We can easily imagine an infinite number of such policies (including the multilevel security variety [27]) As more restrictions are added, we reach an ultra secure and closed session. As we argued earlier, the multicast L. Gong and N. Shacham Multicast Security 8 architecture should be flexible enough to accommodate many policies so that each individual application or each session can choose to ....

....encryption keys and the corresponding signed message headers and reusing them until a membership change occurs. 4.7 Multilevel Secure Multicast End to end encryption can be used to control message dissemination on a discretionary basis. Mandatory control, possibly of a multilevel structure [27], can also be implemented. Here, groups and members are classified at different levels, and a party cannot become a member of a group whose security level is higher than its own. Levels are also assigned to encryption keys. A member cannot have access to a key whose level is higher. For ....

J. McLean. The Specification and Modeling of Computer Security. IEEE Computer, 23(1):9-- 16, January 1990.

....three elementary types of internal composition: oe1 [ oe2, oe1 oe2, and oe1 Gamma oe2. The set consisting of these three composition constructions, which we shall call the set of regular composition constructions, is analogous to the set of constructions defined for access control policies in [9]. The first construction corresponds to a system that accepts any input acceptable to oe1 or oe2 and behaves as the relevant system would behave. If the input is acceptable to both systems, then output could be the output of either system. The second construction accepts as input only input that ....

John McLean, "The Specification and Modeling of Computer Security," Computer, 23(1):9-16, 1990.

....general confidentiality requirements. We then give pointers to security model work in other areas. 2 Models of Confidentiality Even if we limit ourselves to models of confidentiality, there are two related, but distinct, senses of the term security model in the computer security literature [McL90b] In the more limited use of the term, a security model specifies a particular mechanism for enforcing confidentiality, called access control, which was brought over into computer security from the world of documents and safes. In the more general usage of the term, security models are ....

....only one type of transition: when a subject s requests any type of access to an object o, every subject and object in the system are downgraded to the lowest security level and access is granted. System Z satisfies BLP s notion of security, but it is obviously not secure in any meaningful sense [McL90b] To address the problem raised by System Z, McLean defines a framework of security models that contain transition restrictions [McL90b] A framework is a quadruple (S; O; L; A) where each element of the quadruple keeps the same meaning it has in BLP. As in BLP, a model within the framework is ....

[Article contains additional citation context not shown here]

J. McLean. The specification and modeling of computer security. Computer, 23(1):9 -- 16, January 1990.

No context found.

J. McLean. The Specification and Modeling of Computer Security. IEEE Computer, 23(1):9--16, January 1990.

No context found.

J. McLean. The specification and modeling of computer security. Computer, 23(1), January 1990.

No context found.

J. McLean. The specification and modeling of computer security. Computer, 23(1):9--16, January 1990.

No context found.

McLean, J., The Specification and Modeling of Computer Security, IEEE Computer, 23(1), pp. 9-16, 1990.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC