R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. Proc. 6th ACM Symp. on Operating System Principles (SOSP), ACM Operating Systems Review, 11(5):57--66, November 1977.


This paper is cited in the following contexts:
Unwinding Forward Correctability - Millen (1994)   (8 citations)  (Correct)

....logic, and its application to the design of particular covert channel analysis techniques and software tools. In the early 1980s came noninterference, originating at SRI as a theoretical foundation for the HDM SPECIAL flow tool [GoMe82]; it was actually a generalization of an earlier SRI model [FLR77]. Based on an abstract state-transition machine model, noninterference was an elegant concept that spawned many interpretations and subsequent advances. The theory is deep enough that it underlies both access control and covert channel analysis, and does not distinguish between them. It has ....

R. J. Feiertag, K. N. Levitt, and L. Robinson, "Proving Multilevel Security of a System Design," Proc. 6th ACM Symp. Operating System Principles, pp. 57-65


Security Requirements Specifications: How and What? - Rushby (2001)   (3 citations)  (Correct)

....with the Bell and La Padula model based approach to security requirements specification were one of the motivations for the development of an alternative property-based approach. This was first seen in work that developed the basis for checking multilevel security by information flow analysis [5] and was later generalized as noninterference [7]. Noninterference works very nicely for sequential systems and for multilevel security properties, but proved difficult to generalize to distributed systems and to nonhierarchical policies. For distributed systems, the challenge is to find a ....

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


The Security Model of Enhanced HDM - Rushby (1984)   (Correct)

....semantics of Revised Special and will not be discussed here; the other two assumptions constitute the security model of Enhanced HDM and are the subject of this paper. The security model of Enhanced HDM is the same as that of Old HDM, which was developed by Feiertag, Levitt, and Robinson in 1977 [4] and which provided the basis for the original MLS Checking Tool developed by Feiertag [3]. The description of the model has been improved over the years (notably by Goguen and Meseguer [5]); the informal presentation given here is based on the current technical description [13]. It should be ....

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


Confidentiality and Integrity with Untrusted Hosts - Zdancewic, Myers (2000)   (2 citations)  (Correct)

....drawn from P, which represent users, groups, roles, and other entities with authority. In a privacy component, the set contains the principals that have a stake in the data: they are owners or sources of the data. The principals are similar to categories in classic multilevel security policies [FLR77], except for their interaction with declassification. The ordering on privacy components is ordinary set inclusion: the most restrictive privacy component is the set of all principals P, in which every principal wishes to control the flow of the data; the least restrictive privacy component is the ....

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. Proc. 6th ACM Symp. on Operating System Principles (SOSP), ACM Operating Systems Review, 11(5):57--66, November 1977.


Design and Verification of Secure Systems - Rushby (1981)   (20 citations)  (Correct)

....is widely considered to offer the most promising basis for the construction of truly secure computer systems, at least in the short term. A number of kernelized systems have been constructed [12, 19, 25] and various models of security have been formulated to serve as the basis for their verification [6, 9, 28]. Despite the enthusiasm for this approach, there remain certain difficulties and problems in its application (see, for example, [1]). I shall expand on these later, but briefly they include the difficulty of verifying the trusted processes that seem necessary in most applications, concern about ....

....program. In order to guarantee the security of the whole system, all we need to do is to verify that single program with respect to an appropriate specification of its security requirements. It turns out that the role of a multilevel secure file server matches the security model developed at SRI [9] (which is more than can be said of a security kernel, a point I shall return to later), and this model therefore provides both a specification for the security requirements of the file server and the justification for its verification by the method of information flow analysis [8, 20, 21]. We ....

[Article contains additional citation context not shown here]

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


Kernels for Safety? - Rushby (1986)   (6 citations)  (Correct)

....invocations of functions provided by the kernel and P(Δ) is a predicate over the input/output behavior of that set. Those interested in the precise P(Δ) that describes multilevel security are referred to the papers that describe what has become known as the SRI Security Model [4, 5, 8, 7, 14]; essentially, it .... The second-order formula (1) expresses the following important property: provided every operation that can be performed by non-kernel software ultimately comes down to a sequence of calls on the kernel interface (i.e., functions in the set op) and provided the kernel ....

....that both the separation kernel and the resource managers enforce negative properties. In the case of the kernel it is the property "this domain is not allowed to influence that domain," while in the case of a multilevel secure resource manager it is the noninterference definition of security [5, 7, 14]. We believe this TCB structure is well suited to enforcing negative properties other than security, and thereby to preventing certain types of errors of commission. The limited inter-domain communication channels provided by a separation kernel minimize the possibility that errors in one domain ....

R.J. Feiertag, K.N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Proc. 6th ACM Symposium on Operating System Principles, pages 57--65, November 1977.


Protecting Privacy using the Decentralized Label Model - Myers, Liskov (2000)   (27 citations)  (Correct)

....flow control and on the static analysis of security guarantees. The lattice model of information flow comes from the early work of Bell and LaPadula [Bell and LaPadula 1975] and Denning [Denning 1976]. A commonly used label model fitting into the lattice formalism is that of Feiertag et al. [Feiertag et al. 1977]. The decentralized label model has several similarities to the ORAC model of McCollum et al. [McCollum et al. 1990]; both models provide some approximation of the originator-controlled release labeling used by the U.S. DoD Intelligence community. Both ORAC and the decentralized label model have ....

FEIERTAG, R. J., LEVITT, K. N., AND ROBINSON, L. 1977. Proving multilevel security of a system design. Proc. 6th ACM Symp. on Operating System Principles (SOSP), ACM Operating Systems Review 11, 5 (Nov.), 57--66.


Security Design In Distributed Computing Applications - Zeleznik (1993)   (Correct)

....channel [174]. B.5 Information Flow Approaches. Flow controls regulate the dissemination of information, regardless of what object holds it, specifying valid channels through which information may flow. Some of the earlier work done on flow controls was by Denning [58]. The Feiertag model [77], developed for use in SRI's Hierarchical Development Methodology (HDM), is a very early attempt to model MLS by dealing directly with information flow. Like BLP, it uses a finite state machine system model. However, where BLP is based on state properties and allowed transitions, the SRI model ....

Feiertag, R., Levitt, K., and Robinson, L. Proving multilevel security of a system design. In Proc. 6th Symposium on Operating Systems Principles (November 1977), Association for Computing Machinery, pp. 57--65.


Mostly-Static Decentralized Information Flow Control - Myers (1999)   (15 citations)  (Correct)

....order, since two labels may be equivalent without being equal. However, it does support the lattice operations of join (⊔) and meet (⊓) on equivalence classes of labels, and these operations distribute over each other. Denning's lattice framework was instantiated by Feiertag et al. [FLR77] in multilevel security policies. A multilevel security policy is a pair (A, C) where A is a hierarchical security class, and C is a set of categories. Hierarchical security classes form a totally ordered set like that of the Bell-LaPadula model; categories are arbitrary symbols. One ....

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. Proc. 6th ACM Symp. on Operating System Principles (SOSP), ACM Operating Systems Review, 11(5):57--66, November 1977.


Kit: A Study in Operating System Verification - Bevier (1989)   (23 citations)  (Correct)

....A number of efforts attempted to design, implement and verify a security kernel. A security policy given by Bell and LaPadula [Bell 75] was the first attempt to formalize a specification for a security kernel. Alternative formulations of security were given by Feiertag, Levitt and Robinson [Feiertag 77] and by Popek and Farber [Popek 78]. The goals of each security kernel project were similar in outline: design a security kernel, prove that the design satisfies a formally described security policy, implement the kernel, and prove the implementation correct. Some projects were intended to ....

R.J. Feiertag, K.N. Levitt, L. Robinson. Proving Multilevel Security of a System Design. In Proceedings 6th ACM Symposium on Operating System Principles, pages 57-65. 1977.


A Family of Securable Protection Systems - Shapiro, Weber (1998)   (Correct)

....Related Work. Several efforts have proposed models for information flow [Coh77, Den76, Bel73a, Bel73b, Bel74] and access rights leakage [Har76, Jon76]. Karger asserts (incorrectly) [Kar88] that capability systems cannot enforce either confinement or the lattice model of information flow. Feiertag [Fei77] considers the interactions between information flow and access rights, but in a highly restrictive system model. Bishop and Snyder [Bis79] consider the information flow consequences of access right propagation in the take-grant model. This model is similar enough to the Metagap e model to warrant ....

R. J. Feiertag, K. N. Levitt, and L. Robinson, "Proving Multilevel Security of a System Design." Proceedings of the 6th ACM Symposium on Operating Systems Principles, published as Operating System Review, Vol 11, No 5, Nov 1977, pp. 57-65.


A Verifiable Secure Distributed System - Alves-Foss   (Correct)

....that a user gets to see the contents of objects at his or lower levels; that is, information can flow to higher levels but never lower levels. A more abstract model of security that avoids the need to consider objects has been formulated by Goguen and Meseguer [9, 10], Feiertag, Levitt and Robinson [7], and McCullough [13, 14]. In these models the information a user observes is to be dependent on the actions of users at his level or lower. That is, the actions of higher level users cannot be observed by lower level users. The burden of security falls on the operating system, although appropriate ....

R. J. Feiertag, K. Levitt, and L. Robinson. Proving multilevel security of a system design. In Proc. Symposium on Operating System Principles, pages 57--65, 1977.
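Two of the contexts above describe the model concretely: Myers (1999) gives the label as a pair of a hierarchical class and a set of categories, and Alves-Foss states the noninterference reading under which what a user observes may depend only on the actions of users at or below his level. The following is an added example written for this page, not code from any of the cited papers or from SRI's HDM tools: it implements that label lattice (dominance, join, meet) and then checks the noninterference condition exhaustively on a small constructed state machine, in both a secure variant and a variant with an UNCLASSIFIED audit counter that leaks the count of higher-level activity. The level names, variable names, the two machines and the purge-based check are assumptions chosen for illustration.

```python
# Added example (not from any paper cited on this page): the MLS label lattice
# of the Feiertag/Levitt/Robinson model, a (level, categories) pair with
# dominance, join and meet, plus a purge-style noninterference check on a
# constructed toy state machine. Levels, variable names and the two machines
# are assumptions made for illustration.
from dataclasses import dataclass
from itertools import product

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A multilevel security label: a hierarchical level and a set of categories."""
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level and a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

    def join(self, other: "Label") -> "Label":
        # Least upper bound: the label of data derived from both inputs.
        hi = max(self.level, other.level, key=LEVELS.get)
        return Label(hi, self.categories | other.categories)

    def meet(self, other: "Label") -> "Label":
        # Greatest lower bound.
        lo = min(self.level, other.level, key=LEVELS.get)
        return Label(lo, self.categories & other.categories)


LOW = Label("UNCLASSIFIED", frozenset())
HIGH = Label("SECRET", frozenset({"NUC"}))

# Constructed toy system: three labelled state variables and their initial values.
VARS = {"pub": LOW, "sec": HIGH, "audit": LOW}
INITIAL = {"pub": 0, "sec": 0, "audit": 0}

# Action alphabet: (subject label, variable, value). Subjects only write;
# what a subject observes is given by view() below.
ACTIONS = [(LOW, "pub", 1), (LOW, "sec", 1), (HIGH, "sec", 1), (HIGH, "pub", 1)]


def step(state, action, leaky):
    """One transition. Writes obey no-write-down: a subject may write a
    variable only if the variable's label dominates the subject's label.
    The leaky variant also bumps an UNCLASSIFIED audit counter on every
    attempt, which lets a LOW observer count HIGH activity."""
    subject, var, value = action
    new = dict(state)
    if VARS[var].dominates(subject):
        new[var] = value
    if leaky:
        new["audit"] = state["audit"] + 1
    return new


def run(actions, leaky):
    state = dict(INITIAL)
    for a in actions:
        state = step(state, a, leaky)
    return state


def view(state, observer):
    """What an observer at label `observer` may see: the variables it dominates."""
    return {v: state[v] for v in state if observer.dominates(VARS[v])}


def purge(actions, observer):
    """Drop the actions of subjects the observer does not dominate."""
    return [a for a in actions if observer.dominates(a[0])]


def noninterference_counterexample(observer, leaky, depth=3):
    """Exhaustively check, over all action sequences up to `depth`, that the
    observer's view after a sequence equals its view after the same sequence
    with higher-level actions purged (the Goguen-Meseguer formulation).
    Returns the first failing sequence, or None if the property holds."""
    for n in range(depth + 1):
        for seq in product(ACTIONS, repeat=n):
            seq = list(seq)
            if view(run(seq, leaky), observer) != view(run(purge(seq, observer), leaky), observer):
                return seq
    return None


if __name__ == "__main__":
    print("secure machine, LOW observer:", noninterference_counterexample(LOW, leaky=False))
    print("leaky machine, LOW observer:", noninterference_counterexample(LOW, leaky=True))
```

The secure machine passes because the only state a LOW observer can see is written by LOW subjects alone; the leaky one fails on the single HIGH write to `sec`, whose only LOW-visible effect is the audit counter. This is the kind of flow the HDM tool's information-flow analysis was built to catch: the leak is not an access-control violation (HIGH never writes a LOW variable), it is a dependency of LOW-visible output on HIGH input.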


PVS Bibliography - Rushby (1998)   (2 citations)  (Correct)

.... Early systems included the Jovial Verification System [1] (Jovial was a language based on Algol 58, a precursor to the more famous Algol 60, that was used by the US Air Force) and the Hierarchical Development Methodology (HDM) [2, 4]. HDM had a security analyzer [5] based on information flow [6] that was used in the verification of the Honeywell SCOMP [7, 8] (the first computer to gain the NSA's A1 [9] rating) and several other secure systems [10, 11]. The HDM security flow analyzer used the Boyer-Moore theorem prover, much of whose early development was performed at SRI [12]. A parallel ....

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


A Security Model For Military Message Systems - Landwehr, Heitmeyer, McLean (1984)   (10 citations)  (Correct)

.... implementors to understand what security controls to build, and certifiers to determine whether the system's security controls are consistent with the relevant policies and directives and whether these controls are implemented correctly [2]. In recent years, the Bell and LaPadula model [3, 4] has dominated efforts to build secure systems. The publication of this model advanced the technology of computer security by providing a mathematical basis for examining the security provided by a given system. Moreover, the model was a major component of one of the first disciplined approaches ....

....can be checked only by comparing two or more states. In the view we adopted, all static security properties are included in the definition of a secure state. To a large extent the choice in conceptualizations is a matter of taste. Bell and LaPadula [3] use the latter, while Feiertag et al. [4] lean to the former. By minimizing the notion of a secure state, the former view makes the Basic Security Theorem shorter. The deciding factor in our adopting the latter view is that it makes it impossible for a system to undergo a security-relevant change without undergoing a change in state. ....

Feiertag, R.J., Levitt, K.N., and Robinson, L. Proving multilevel security of a system design. In Proc. 6th ACM Symp. Operating Systems Principles, ACM SIGOPS Operating System Rev., 11, 5 (Nov. 1977) pp. 57-65.


The foundations of a provably secure operating system (PSOS) - Feiertag, Neumann (1979)   (1 citation)  Self-citation (Feiertag)   (Correct)

No context found.

Feiertag, R. J., K. N. Levitt and L. Robinson, "Proving Multilevel Security of a System Design," Proc. ACM Sixth Symposium on Operating Systems Principles, November 1977, pp. 57-65.


Confidentiality and Integrity with Untrusted Hosts - Zdancewic, Myers   (2 citations)  (Correct)

No context found.

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. Proc. 6th ACM Symp. on Operating System Principles (SOSP), ACM Operating Systems Review, 11(5):57--66, November 1977.


Formal Methods and the Certification of Critical Systems - Rushby (1993)   (50 citations)  (Correct)

No context found.

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


An Access Control Model for Distributed Virtual Environments   (Correct)

No context found.

, 57-65.


Design and Verification of Secure Systems   (Correct)

No context found.

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57-65, November 1977.


Principled Assuredly Trustworthy Composable Architectures - Neumann (2004)   (2 citations)  (Correct)

No context found.

R.J. Feiertag, K.N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Proceedings of the Sixth ACM Symposium on Operating System Principles, pages 57-65, November 1977.


An Approach To Access Control for Collaborative Virtual.. - Bullock et al. (1994)   (1 citation)  (Correct)

No context found.

R.J. Feiertag, K.N. Levitt and L. Robinson, "Proving multilevel security of a system design", in Proc. 6th ACM Symp. Operating Systems Principles, ACM SIGOPS Operating Syst. Rev., 11, 5 (Nov. 1977), 57-65.


Partitioning in Avionics Architectures: Requirements, Mechanisms, .. - Rushby (2000)   (11 citations)  (Correct)

No context found.

R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57--65, November 1977.


A Verified Operating System Kernel - Bevier (1987)   (12 citations)  (Correct)

No context found.

R.J. Feiertag, K.N. Levitt, L. Robinson. Proving Multilevel Security of a System Design. In Proceedings 6th ACM Symposium on Operating System Principles, pages 57-65. 1977.


Covert Channel Analysis - McHugh (1995)   (1 citation)  (Correct)

No context found.

R. J. Feiertag, K. Levitt, and L. Robinson. Proving multilevel security of a system design. In Proc. 6th Symp. on Operating System Principles, pages 57--65. ACM, November 1977.


A Guide to Understanding Security Modeling in Trusted Systems - NCSC (1992)   (2 citations)  (Correct)

No context found.

FEIE77 Feiertag, R. J., K. N. Levitt, and L. Robinson, "Proving Multilevel Security of a System Design," 6th Symposium on Operating Systems Principles, ACM Operating Systems Review, Vol. 11 No.5, pp. 57-65, November 1977.


CiteSeer.IST - Copyright Penn State and NEC