C.E. Landwehr, C.L. Heitmeyer, and J. McLean. A Security Model for Military Message Systems. ACM Transactions on Computer Systems, 9(3), August 1984.
....The DTOS system [43] and its successor Flask [58] concentrated on policy flexibility in a microkernel based OS. In some systems, security decisions are spread over the whole system, which makes it difficult to understand what kind of security policy the system as a whole actually enforces [37]. Centralizing the policy facilitates adaptations to new security requirements and enhances manageability. The policy can be changed without changes to the fundamental security and system architecture and without changes to the object servers. Furthermore, a central security manager is a ....
C. E. Landwehr, C. L. Heitmeyer, and J. McLean. A Security Model for Military Message Systems. In ACM Trans. on Computer Systems, 2(3), pp. 198-222, Aug. 1984.
....SAC to enforce security policies. In addition, the approach uses operations on these access control lists to perform the necessary update actions. In the SAC approach data is organized in multi level security containers. The container model used is a variation of the container model described in [LAND84], which was proposed for military multi level security documents, where each container is an abstraction for a set of data that has some attribute in common. The SAC approach uses pointers to data and headers to implement its container model. A header is a set of zero or more metadata entries that ....
C. E. Landwehr, C. L. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems," ACM Transactions on Computer Systems, vol. 9, no. 3, pp. 198-222, 1984.
....that one could not credibly implement a multilevel secure database management system (DBMS) on top of an untrusted operating system base. However, some research in multilevel secure DBMSs (mostly theoretical) was conducted during the 1970s [15 16] and research has continued to the present [9 14, 17 19, 22, 25 28]. By the mid 1980s, commercially developed, trusted operating systems were becoming available that could provide the basis for hosting secure applications such as multilevel secure DBMSs. In June 1986, the National Computer Security Center (NCSC) initiated its efforts to address the evaluation of ....
C. E. Landwehr, C. L. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems," ACM Transactions on Computer Systems, Vol. 2, No. 3, August 1984, pp. 198-222.
....and assumptions for the trusted system. The SPM developed under this approach provides a definition of security that is valuable as a design tool and an assurance tool, because it is expressed in terms of the system's operational requirements. The Secure Military Message System (SMMS) SPM [16] used this approach. Its authors felt that keeping the application in mind during the modeling effort was very important [18]. Other inputs to the SPM that are not illustrated in Figure 4 include architectural assumptions about the implementation, a source for the SPM's mathematical notation and ....
.... Computational Framework Instructions # Validity Argument Note that these items represent only the minimum for effective communication. Other topics, such as a thorough introduction to the model's domain (e.g. the discussion of requirements for military message systems in the SMMS model [16]) are also appropriate and will be valuable for the reader. 3.2.1 The Informal Description The modeler's progress in defining the model depends on maintaining a clear, overall image of the work. An informal description that presents the essentials but not the details helps the ....
[Article contains additional citation context not shown here]
C. Landwehr, C. Heitmeyer, and J. McLean. A security model for military message systems. ACM Transactions on Computer Systems, 2(3):198--222, August 1984.
....of operation, that may be mapped to top level TCB functions. Bell and LaPadula's exposition of the SPM includes an interpretation for the Multics architecture. The interpretation is a mapping between the Multics TCB functions and the rules of the SPM. The Secure Military Message System (SMMS) SPM [5], on the other hand, is an abstract SPM. The SMMS SPM defines an abstract state transition function T that represents all possible transitions in which the system could engage. There are several reasons for choosing an abstract SPM over a concrete SPM. Good software engineering suggests that ....
C. Landwehr, C. Heitmeyer, and J. McLean. A security model for military message systems. ACM Transactions on Computer Systems, 2(3):198--222, August 1984.
....(standing for a specific access request) in their logic is fully abstract (i.e. uninterpreted) [1, p. 725] In some sense, our work is complementary to theirs in that we investigate the structure of these statements and provide meanings to them. Lastly, concrete models such as those proposed in [8, 15, 24] address the same general concerns as ours, but for application specific domains. Our framework can be used as a general basis underlying their respective specific proposals. 3 Three Types of Structural Properties Authorization requirements are highly structured because the set of subjects and ....
C.E. Landwehr, C.L. Heitmeyer, and J. McLean. A security model for military message systems. ACM Transactions on Computer Systems, 2(3):198-- 222, August 1984.
....abstract security properties of a system as a whole, which includes authorization as a key component. The papers by Abadi, et al. [2] and Lunt [19] are similar in spirit to ours, in that their focus is on understanding the semantics of authorization. Concrete models such as those proposed in [6, 12, 18] address the same general concerns as ours, but for application specific domains. Lastly, our composition operators are designed for authorization requirements, and are different from the one in [20] which is designed for a particular notion of security. The balance of this paper is organized as ....
C.E. Landwehr, C.L. Heitmeyer, and J. McLean. A security model for military message systems. ACM Transactions on Computer Systems, 2(3):198--222, August 1984.
....available to all users without control. Thus, security offered in object oriented approaches cannot differentiate between user needs based on their individual responsibilities. Research and development for access control in databases has traditionally taken an approach based on security clearance [12, 13, 18, 19, 22, 29, 35, 36] using the Bell and Lapadula security model [3]. These multi level secure approaches support mandatory access control (MAC) to classify and tag data with relevant security levels. To complement MAC, discretionary access control (DAC) has been proposed [21, 30, 34] to allow ....
C. Landwehr, et al., "A Security Model for Military Message Systems", ACM Trans. on Computer Systems, Vol. 2, No. 3, Sept. 1984.
....must satisfy, the properties checked by the consistency checker are independent of a particular application. A second analysis tool, called a verifier, checks the specification for critical application properties, such as timing properties [Heitmeyer and Mandrioli 1996] and security properties [Landwehr et al. 1984]. Because verification of application properties depends on a consistent requirements specification, analysis using a verifier logically follows analysis with a consistency checker. Checking the consistency of an SCR requirements specification is usually quite simple. For example, given a ....
....As Berry and Gonthier [1992] have observed, The importance of determinism cannot be overestimated; deterministic systems are one order of magnitude simpler to specify, debug, and analyze than nondeterministic ones. Our requirements model, inspired by the formal security model presented by Landwehr et al. [1984], defines sets of modes, entity names, values, and data types and a special function TY, which maps an entity to its legal values. The model defines system state in terms of the entities, a condition as a predicate on the system state, and an input event as a change in an input variable which ....
LANDWEHR, C. E., HEITMEYER, C. L., AND MCLEAN, J. 1984. A security model for military message systems. ACM Trans. Comput. Syst. 2, 3 (Aug.), 198--222.
....approach to system development and certification developed recently at the Naval Research Laboratory. This approach has yet to be applied in sufficient detail to a large example to permit us to make strong claims about its effectiveness, but it is based on concepts proven in our earlier work [13,14]. It has strong intuitive appeal, both as a way to address security requirements during system development and as a way to explain to the accreditor (the person responsible for deciding whether to permit the system to be operated) what security the system provides and what risks its operation ....
Landwehr C E, Heitmeyer C L, McLean J. A security model for military message systems. ACM Trans. on Computer Systems 1984; 2(3):198-222.
....framework that we propose for documenting the trade off decisions is based on identifying the assumptions and assertions that must be true for the system as a whole to be secure. The notion of identifying assumptions and assertions is not new; it derives from earlier work documented by Landwehr [5] and Froscher [6]. Its use to identify relationships among various security disciplines, however, has not been advocated previously, nor has it been suggested as a tool for documenting trade ....
C. Landwehr, C. Heitmeyer, and J. McLean, "A security model for military message systems," ACM Transactions on Computer Systems, vol. 2, pp. 198--222, August 1984.
.... in death, injury, illness, or damage to property; timing properties, which require the system to produce results within specified time intervals (see, e.g. [9]) and security properties, which prevent the unauthorized disclosure, modification, and withholding of sensitive information (see, e.g. [15]). Given a system requirements specification and another system description (such as a software design or source code) the third class of formal analysis checks that the system description satisfies the requirements specification. The properties that consistency checking tests are usually quite ....
C. E. Landwehr, C. L. Heitmeyer, and J. McLean. A security model for military message systems. ACM Trans. on Comp. Syst., 2(3):198--222, August 1984.
....a system that conforms to one formulation of simple security conforms to another. To answer this question, one needs to consider not just the two explications, but the mappings from the system to the explications as well. 2. Such an approach is taken in the Military Message System Model (MMS) [10]. 5 assumptions about how fine grained our knowledge of process behavior is. For example, assume that we have two secret files S1 and S2, two confidential files C1 and C2, and a program P. If P reads S1, we may, for ease of implementation, simply prevent P from writing to C1. However, if we ....
....of the property , however, requires more substantial modification. We now say that a state is secure if and only if for any subjects s 1 ,s 2 and objects x ,y if (s 1 ,x ,read ) b and ############### 7. See, for example, the SeaView model [5] 8. See, for example, the MMS model [10]. 9. What follows can be applied to the set of objects in an analogous manner if we wish to capture the notion of being able to operate on an object only conjointly with operations on another object, as for example, in double entry bookkeeping. 13 (s 2 ,y ,write ) b and f o (y ) f o (x ) ....
[Article contains additional citation context not shown here]
C. Landwehr, C. Heitmeyer, and J. McLean, "A Security Model for Military Message Systems," ACM Transactions on Computer Systems, vol. 2, no. 3, pp. 198-222, August 1984.
No context found.
C.E. Landwehr, C.L. Heitmeyer, and J. McLean. A Security Model for Military Message Systems. ACM Transactions on Computer Systems, 9(3), August 1984.
No context found.
Carl E. Landwehr, C.L. Heitmyer, and J.McLean: "A Security Model for Military Message Systems"; ACM Trans. on Computer Systems, Vol.2 No.3, Aug. 1984, pp. 198-222.