R.J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, California, January 1980.


This paper is cited in the following contexts:
Observational Determinism for Concurrent Program Security - Zdancewic, Myers (2003)   (3 citations)

....Our primary concern is confidentiality. An attacker must be prevented from distinguishing two program executions that differ only in their confidential inputs, because the attacker might otherwise learn something about the inputs. As usual, we assume that there is a lattice L of security labels [7, 11]. Lattice elements describe restrictions on the propagation of the information they label; labels higher in the lattice describe data whose use is more restricted. For confidentiality, labels higher in the lattice describe more confidential data whose dissemination should be restricted. In this ....

R. J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI International Computer Science Lab, Menlo Park, California, Jan. 1980.


Using Replication and Partitioning to Build Secure.. - Zheng, Chong, Myers, .. (2003)   (3 citations)

....on both hosts, though only in hash value form on the opponent's host. 6 Related Work We have used the term end-to-end security policies largely synonymously with information flow policies. Information flow policies have been enforced using both dynamic [14, 25] and language-based techniques [9, 27, 28, 13, 53, 18, 34, 35, 3, 38]. Jif [29, 31] is a full-scale implementation of a security-typed language. This work builds on the original Jif split system [61] that introduced the secure partitioning technique, extending it to support automatic replication of code and data. Although most research on information flow has ....

Richard J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI International Computer Science Lab, Menlo Park, California, January 1980.


Secure Program Partitioning - Zdancewic, Zheng, Nystrom, Myers (2002)

....difficulty controlling implicit information flows accurately. Static analysis of information flow has a long history, although it has not been as widely used as dynamic checking. Denning originally proposed a language to permit static checking [8] but it was not implemented. Other researchers [24, 25, 12] developed techniques for information flow checking using formal specifications and automatic or semi-automatic theorem proving. Recently, there has been more interest in provably secure programming languages. Palsberg and Ørbæk have developed a simple type system for checking integrity [33] ....

Richard J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI International Computer Science Lab, Menlo Park, California, January 1980.


Language-Based Information-Flow Security - Sabelfeld, Myers (2003)   (80 citations)

....[41] F. Static Information Flow Control Denning and Denning [40] first observed that static program analysis can also be used to control information flow with increased precision and low run-time overhead. Static characterizations of information flow have been implemented using theorem provers [42, 43]. Information flow analyses can also be performed by type checking, which is the focus of this article. The type checking approach has been implemented in the Jif compiler [7, 44]. In the type checking approach, every program expression has a security type with two parts: an ordinary type ....

R. J. Feiertag, "A technique for proving specifications are multilevel secure," Tech. Rep. CSL-109, SRI International Computer Science Lab, Menlo Park, California, Jan. 1980.


The Security Model of Enhanced HDM - Rushby (1984)

....the security model of Enhanced HDM and are the subject of this paper. The security model of Enhanced HDM is the same as that of Old HDM, which was developed by Feiertag, Levitt, and Robinson in 1977 [4] and which provided the basis for the original MLS Checking Tool developed by Feiertag [3]. The description of the model has been improved over the years (notably by Goguen and Meseguer [5]); the informal presentation given here is based on the current technical description [13]. It should be stressed that it is only the MLS Checking component of Enhanced HDM that has this (or any ....

....the one on which the MLS Checker is built. I will discuss its interpretation and application in the next section. 3 Applications The theorem quoted at the end of the previous section provides the basis for the MLS Checker of Enhanced HDM, and for a similar tool developed earlier by Feiertag [3]. These tools process system specifications that have been augmented with information concerning the sensitivity labels associated with the objects and operations defined in the specifications and then check the specifications of the operations to see that they comply with the three conditions ....


R. J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1980.


Untrusted Hosts and Confidentiality: Secure Program.. - Zdancewic, Zheng.. (2001)   (12 citations)

....difficulty controlling implicit information flows accurately. Static analysis of information flow has a long history, although it has not been as widely used as dynamic checking. Denning originally proposed a language to permit static checking [8] but it was not implemented. Other researchers [24, 25, 12] developed techniques for information flow checking using formal specifications and automatic or semi-automatic theorem proving. Recently, there has been more interest in provably secure programming languages. Palsberg and Ørbæk have developed a simple type system for checking integrity [33] ....

Richard J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI International Computer Science Lab, Menlo Park, California, January 1980.


Proof Checking the RSA Public Key Encryption Algorithm - Boyer, Moore (1984)   (10 citations)

....ours is to mechanize the often mundane and tedious proofs arising in connection with computer programs. For example, our theorem prover has been used to prove thousands of theorems related to the correctness of various programs [4, 5], communications protocols [9], and computer security [10]. Because of the high cost of bugs in software, the increasing impact of software due to cheap microprocessors, and the relatively shallow nature of most program correctness proofs, we expect to see, within the decade, commercial use of mechanical theorem provers and formal logic in software ....

Richard J. Feiertag. A Technique for Proving Specifications are Multilevel Secure. Technical Report CSL-109, SRI International, 1981.


Kernels for Safety? - Rushby (1986)   (6 citations)

....invocations of functions provided by the kernel and P(Δ) is a predicate over the input-output behavior of that set. Those interested in the precise P(Δ) that describes multilevel security are referred to the papers that describe what has become known as the SRI Security Model [4, 5, 8, 7, 14]; essentially, it .... The second-order formula (1) expresses the following important property: provided every operation that can be performed by non-kernel software ultimately comes down to a sequence of calls on the kernel interface (i.e. functions in the set op) and provided the kernel ....

R.J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1980.


Protecting Privacy using the Decentralized Label Model - Myers, Liskov (2000)   (27 citations)

....originally proposed a language to permit static checking [Denning and Denning 1977] but it was not implemented. Another approach to checking programs for information flows statically has been automatic or semi-automatic theorem proving. Researchers at MITRE [Millen 1976; Millen 1981] and SRI [Feiertag 1980] developed techniques for information flow checking using formal specifications. Feiertag [Feiertag 1980] developed a tool for automatically checking these specifications using a Boyer-Moore theorem prover. Recently, there has been more interest in provably secure programming languages, treating ....

....implemented. Another approach to checking programs for information flows statically has been automatic or semi-automatic theorem proving. Researchers at MITRE [Millen 1976; Millen 1981] and SRI [Feiertag 1980] developed techniques for information flow checking using formal specifications. Feiertag [Feiertag 1980] developed a tool for automatically checking these specifications using a Boyer-Moore theorem prover. Recently, there has been more interest in provably secure programming languages, treating information flow checks in the domain of type checking, which does not require a theorem prover. A simple ....

FEIERTAG, R. J. 1980. A technique for proving specifications are multilevel secure. Technical Report CSL-109 (Jan.), SRI International Computer Science Lab, Menlo Park, California.


Mostly-Static Decentralized Information Flow Control - Myers (1999)   (15 citations)

....not integrate dynamic checking, making them impractical. Earlier static checking techniques did not handle exceptions, either. Another approach to checking programs for information flows statically has been automatic or semiautomatic theorem proving. Researchers at MITRE [Mil76, Mil81] and SRI [Fei80] developed techniques for information flow checking using formal specifications. Feiertag [Fei80] developed a tool for automatically checking these specifications using a Boyer-Moore theorem prover. Recently, there has been more interest in provably secure programming languages, treating ....

....not handle exceptions, either. Another approach to checking programs for information flows statically has been automatic or semiautomatic theorem proving. Researchers at MITRE [Mil76, Mil81] and SRI [Fei80] developed techniques for information flow checking using formal specifications. Feiertag [Fei80] developed a tool for automatically checking these specifications using a Boyer-Moore theorem prover. Recently, there has been more interest in provably secure programming languages, treating information flow checks in the domain of type checking, which does not require a theorem prover. Palsberg ....

Richard J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI International Computer Science Lab, Menlo Park, California, January 1980.


Program Verification - Boyer, Moore (1985)

....of specifications. Since specifications are often simpler to reason about than programs, there have been several attempts to reason mechanically about specifications. This method has been used to try to establish the security of operating system designs. One such checker is that by Feiertag [24]. The idea of design verification was also used in the attempt to establish the reliability of SRI's Software Implemented Fault Tolerant (SIFT) system [49]. Of course, a program whose design has been verified is unworthy of trust until the running program has been shown to implement the ....

Richard J. Feiertag. A Technique for Proving Specifications are Multilevel Secure. Technical Report CSL-109, SRI International, 1981.


PVS Bibliography - Rushby (1998)   (2 citations)

....that goes back over 20 years. Early systems included the Jovial Verification System [1] (Jovial was a language based on Algol 58, a precursor to the more famous Algol 60, that was used by the US Air Force) and the Hierarchical Development Methodology (HDM) [2-4]. HDM had a security analyzer [5] based on information flow [6] that was used in the verification of the Honeywell SCOMP [7, 8] (the first computer to gain the NSA's A1 [9] rating) and several other secure systems [10, 11]. The HDM security flow analyzer used the Boyer-Moore theorem prover, much of whose early development was ....

R. J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1980.


Security Models - McLean (1994)   (48 citations)

....Systems Most interface models for confidentiality are based on Noninterference, the restriction that high-level user input cannot interfere with low-level user output. The original formulation of Noninterference, due to Goguen and Meseguer [GM82], is based directly on the work of Feiertag [Fei80] and indirectly on earlier work by Cohen [Coh77] and by Popek and Farber [PF78]. Goguen and Meseguer consider a deterministic system whose output to user u is given by the function out(u, hist·read(u)), where hist·read(u) is an input history (trace) of the system whose last input is read(u), a ....

R. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, SRI, Menlo Park, CA, 1980.


PSOS Revisited - Neumann, Feiertag (2003)   (1 citation)  Self-citation (Feiertag)


R.J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, California, January 1980.


Formal Methods and the Certification of Critical Systems - Rushby (1993)   (50 citations)


R. J. Feiertag. A technique for proving specifications are multilevel secure. Technical Report CSL-109, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1980.



CiteSeer.IST - Copyright Penn State and NEC