Showing papers presented at "Annual Computer Security Applications Conference in 1994"


Proceedings ArticleDOI
05 Dec 1994
TL;DR: By tightly restricting the behavior of all privileged programs, exploitations of unknown vulnerabilities can be detected by monitoring their execution using audit trails, and a program policy specification language is described, which is based on simple predicate logic and regular expressions.
Abstract: Presents a method for detecting exploitations of vulnerabilities in privileged programs by monitoring their execution using audit trails, where the monitoring is with respect to specifications of the security-relevant behavior of the programs. Our work is motivated by the intrusion detection paradigm, but is an attempt to avoid ad hoc approaches to codifying misuse behavior. Our approach is based on the observation that although privileged programs can be exploited (due to errors) to cause security compromises in systems because of the privileges accorded to them, the intended behavior of privileged programs is, of course, limited and benign. The key, then, is to specify the intended behavior (i.e. the program policy) and to detect any action by a privileged program that is outside the intended behavior and that imperils security. We describe a program policy specification language, which is based on simple predicate logic and regular expressions. In addition, we present specifications of privileged programs in Unix, and a prototype execution monitor for analyzing audit trails with respect to these specifications. The program policies are surprisingly concise and clear, and in addition, capable of detecting exploitations of known vulnerabilities in these programs. Although our work has been motivated by the known vulnerabilities in Unix, we believe that by tightly restricting the behavior of all privileged programs, exploitations of unknown vulnerabilities can be detected. As a check on the specifications, work is in progress on verifying them with respect to an abstract security policy.

257 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: A vision is laid out on how to approach a common understanding of RBAC, and a first cut is taken at identifying the dimensions of RBAC, which envisage each dimension as being linearly ordered with respect to the sophistication of features provided.
Abstract: Recently there has been considerable interest in role-based access control (RBAC) as an alternative, and supplement, to the traditional discretionary and mandatory access controls (DAC and MAC) embodied in the Orange Book. The roots of RBAC can be traced back to the earliest access control systems. Roles have been used in a number of systems for segregating various aspects of security and system administration. Recent interest in RBAC has been motivated by the use of roles at the application level to control access to application data. This is an important innovation which offers the opportunity to realize benefits in securing an organization's information assets, similar to the benefits of employing databases instead of files as the data repository. A number of proposals for RBAC have been published in the literature, but there is no consensus on precisely what is meant by RBAC. This paper lays the groundwork for developing this consensus. In our view RBAC is a concept which has several dimensions, all of which may not be present in a given system or product. We envisage each dimension as being linearly ordered with respect to the sophistication of features provided. This leads us to the idea of a multi-dimension model for RBAC. Achieving agreement on what these dimensions are, and how the features in each dimension should be ordered, will take debate and time. Our contribution here is to lay out a vision on how to approach a common understanding of RBAC, and take a first cut at identifying the dimensions of RBAC. A major benefit of such a multidimensional RBAC would be to allow comparison of different products and assess their appropriateness for various system requirements.

98 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: The Tester's Assistant is introduced, a collection of tools to mechanize the process of testing security-related C programs, and it is shown that a slice of a privileged program (rdist) with respect to its security specifications is quite small.
Abstract: Addresses the problem of testing security-relevant software, especially privileged (typically, setuid root) and daemon programs in UNIX. The problem is important, since it is these programs that are the source of most UNIX security flaws. For some programs, such as the UNIX sendmail program, new security flaws are still being discovered, despite being in use for many years. For special-purpose systems with fewer users, flaws are likely to remain undiscovered for even longer. Our testing process is driven by specifications we create for the privileged programs. These specifications simultaneously define the allowed behavior for these programs and identify problematic system calls, regions where the program is vulnerable, and generic security flaws. The specifications serve three roles in our testing methodology: as criteria against which a program is sliced, as oracles against which it is tested, and as a basis for generating useful tests. Slicing is employed to significantly reduce the size of the program to be tested. We show that a slice of a privileged program (rdist) with respect to its security specifications is quite small. We introduce the Tester's Assistant, a collection of tools to mechanize the process of testing security-related C programs.

46 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: Experiments with UFNET traffic characteristics show that the costs are such that the proposed method can be employed in actual networks, under moderate load conditions, to achieve traffic neutrality with acceptable overheads.
Abstract: We provide cost estimates for achieving spatial neutrality under realistic network traffic conditions using two methods. Measurements done on the University of Florida campus wide backbone network (UFNET) provide us with considerable experience to model an actual network better. Simulation results show that the algorithm's improvement over padding alone is greater for a sparse traffic matrix than for a uniform random traffic matrix. It accomplishes this by smoothing the traffic matrix by rerouting, reducing the padding overhead required to achieve a neutral traffic matrix. On the other hand, a sparse traffic matrix leads to increased costs over uniform random traffic matrix for both padding alone and for padding with rerouting. Experiments done with UFNET traffic characteristics show that the costs are such that the proposed method can be employed in actual networks, under moderate load conditions, to achieve traffic neutrality with acceptable overheads.

39 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: An overview of secure system architectures and an example MLS network provide the framework for discussing the risks associated with interconnecting MLS systems and unclassified networks, and approaches for mitigating those risks.
Abstract: Fielding secure computer systems requires tradeoffs between functionality, flexibility, and security to meet the users' needs. Multilevel secure (MLS) computer systems provide better control over classified information than traditional systems and allow users from a diverse population access to information they need while protecting sensitive data. Users want the functionality of non-MLS computer systems: graphical user interfaces, a rich assortment of software, and electronic connectivity with other systems. Compartmented mode workstations (CMW) can provide such an environment. An overview of secure system architectures and an example MLS network provide the framework for discussing the risks associated with interconnecting MLS systems and unclassified networks, and approaches for mitigating those risks. A secure Email gateway, using a high-assurance (A1) network component, provides the necessary safeguards for protecting the MLS network from external attacks.

31 citations


Proceedings ArticleDOI
D.J. Bodeau
05 Dec 1994
TL;DR: A security engineering process is proposed for systems-of-systems that addresses such issues as how to identify and mitigate risks resulting from connectivity, how to integrate security into a target architecture, and how to address the constraints associated with legacy systems.
Abstract: There is an increasing trend to treat a collection of individual systems that support a common mission as a single entity and to perform systems engineering activities for that entity. A security engineering process is proposed for systems-of-systems. This process addresses such issues as how to identify and mitigate risks resulting from connectivity, how to integrate security into a target architecture, and how to address the constraints associated with legacy systems.

28 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: Experimental results indicate that this framework brings order to the analysis process and demonstrates the efficacy of the framework for producing cohesive, intuitive audit reduction in a heterogeneous environment with a re-usable detection toolset.
Abstract: Audit data analysis is a non-invasive method for security assurance that may be used to detect computer misuse and mitigate security risks in large, distributed, open architecture environments. In most real-world environments, the heterogeneous nature of the available audit data combined with environment-specific detection requirements makes it difficult to integrate re-usable detection mechanisms in an effective audit analysis capability. This paper presents a framework for implementing audit reduction and intrusion detection in a heterogeneous environment with a re-usable set of detection mechanisms. Experimental results indicate that this framework brings order to the analysis process and demonstrates the efficacy of the framework for producing cohesive, intuitive audit reduction in a heterogeneous environment with a re-usable detection toolset.

24 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: The design of a tool that automatically removes security-sensitive information from intruder activity log files collected at a compromised site is discussed and a description of the complete sanitization process is described.
Abstract: Discusses the design of a tool that automatically removes security-sensitive information from intruder activity log files collected at a compromised site. The sanitization of sensitive information enables researchers to study the log files without further compromising the security of the affected sites. This paper begins with a brief discussion of the importance of such a tool and a description of the complete sanitization process. This is followed by an examination of the important design issues of the sanitizer. The paper concludes with the final design of a sanitizer for SunOS-based intruder activity logs.

19 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: A method for user authentication is presented which analyzes keystroking data as the user types his or her name to identify the typing pattern characteristic of a particular user through backpropagation neural nets.
Abstract: A method for user authentication is presented which analyzes keystroking data as the user types his or her name. This study utilizes the ADALINE (ADAptive LINear Element) and backpropagation neural nets to identify the typing pattern characteristic of a particular user. A simple measure of geometric distance is also used for comparison. This paper provides a brief introduction to this type of neural net. It then describes the research procedure and contrasts the initial and new results, followed by a conclusion with notes concerning future research. For an average 15-character name, a complete exclusion of imposters is obtained from a set of over 5000 imposter samples.

19 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: How the concepts of data distribution, replication, and interoperation might deliver MLS computing services relatively quickly and cheaply is explained, along with how they can ease integration of legacy systems and new technology into future MLS cooperative, distributed computing environments.
Abstract: Current projects aimed at providing MLS computing services rarely seem to exploit advances in related fields. Specifically, the concepts of data distribution, replication, and interoperation are currently receiving much attention in the commercial database system sector but have yet to be applied to the delivery of MLS computing services. This paper explains how these concepts might help deliver MLS computing services relatively quickly and cheaply, and how they can ease integration of legacy systems and new technology into future MLS cooperative, distributed computing environments.

17 citations


Proceedings ArticleDOI
05 Dec 1994
TL;DR: The various aspects of security required for distributed systems are discussed and the security requirements needed in criteria from which manufacturers could build secure distributed systems are described.
Abstract: One of the stated purposes of the Trusted Computer System Evaluation Criteria (TCSEC) is "to provide a standard to manufacturers as to what security features to build into their new and planned commercial products in order to provide widely available systems that satisfy trust requirements (with particular emphasis on preventing the disclosure of data) for sensitive applications". The trend in today's technology is towards networked distributed systems. One of the major criticisms of the TCSEC, more commonly known as the Orange Book, and the draft Federal Criteria (FC), now the U.S. input to the international Common Criteria (CC) draft, concerns their inability to encompass distributed systems in their rating schemes. The purpose of this paper is to discuss the various aspects of security required for distributed systems and to describe the security requirements needed in criteria from which manufacturers could build secure distributed systems.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The need for security on the Internet is discussed, the EINet Security System is described, and operational experiences and future work are summarized.
Abstract: Corporate users are by far the most rapidly growing segment of the Internet community, supplementing the existing base of government and academic users. Both corporate and government organizations want to use the Internet to "integrate" their enterprises, and foresee using the Internet to conduct electronic commerce as well. However, the lack of security services on the Internet deters its use for many such applications. The Enterprise Integration Network (EINet) provides security services to support enterprise integration and electronic commerce activities on the Internet. EINet incorporates an application based security system with the security management and operations necessary to protect these activities in an open network environment. The paper discusses the need for security on the Internet, describes the EINet Security System, then summarizes operational experiences and future work.

Proceedings ArticleDOI
S. Chapin, W.R. Herndon, L. Notargiacomo, M. Katz, T. Mowbray
05 Dec 1994
TL;DR: An overview of distributed object management and standards being specified by the Object Management Group is given and traditional security engineering analysis to CORBA is applied and some of the security function interdependencies among CORBA components are highlighted.
Abstract: Over the last several years, there has been an emphasis on distributed client/server computing in business as well as government. A useful means of achieving this capability is through the use of object technology. Distributed object systems offer many benefits, such as downsizing and right sizing, resulting in a trend toward small, modular, commercial or government off-the-shelf components as a means of system development. Distributed object management standards, such as the Common Object Request Broker Architecture (CORBA) specification are aiding the integration process. One area of distributed object systems that has received little attention to date is security. Security is a difficult problem in traditional software systems, and adding distribution and use of object-oriented techniques just increases the complexity of the problem. The Object Management Group (OMG) is beginning to solicit proposals from vendors for handling security in a distributed object environment. This paper gives an overview of distributed object management and standards being specified by the OMG. It applies traditional security engineering analysis to CORBA and highlights some of the security function interdependencies among CORBA components.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: Current and planned NIDR security capabilities are identified and security recommendations for administrators and commercial NIDR providers are provided.
Abstract: The Internet is a rapidly growing global network of networks. Users employ the Internet to search for and retrieve information, access remote resources, and collaborate with other users. More and more information is becoming available on the Internet. Networked information discovery and retrieval (NIDR) tools, such as Gopher, Wide Area Information Server (WAIS) and World Wide Web (WWW), have been developed to assist users with searching and retrieving a wide variety of information on the Internet. NIDR tools are becoming increasingly popular due to their ease of use and powerful navigation and "surfing" capabilities. Security is becoming an increasingly important topic regarding the use of NIDR tools. This paper identifies current and planned NIDR security capabilities and provides security recommendations for administrators and commercial NIDR providers.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The conceptual and logical design of multilevel secure (MLS) database applications are treated in an integrated way and a powerful semantic data model is suggested in order to represent the data and security semantics of the application domain.
Abstract: The conceptual and logical design of multilevel secure (MLS) database applications are treated in an integrated way. For the conceptual design, a powerful semantic data model is suggested in order to represent the data and security semantics of the application domain. For the logical design, a two-phase approach is developed. Phase one consists of the transformation of the database conceptualization into multilevel relational concepts, while phase two is concerned with integrity management. Enforcing the integrity in MLS databases is known to be a difficult task. Careful data modelling is a necessary prerequisite in order to arrive at consistent and secure MLS applications.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The paper presents a security policy modeling approach that can be applied to many types of systems, including networks and distributed systems, and is compatible with the modeling principles offered by recent modeling guidelines and TCSEC modeling requirements at the B1-A1 assurance levels.
Abstract: The paper presents a security policy modeling approach that can be applied to many types of systems, including networks and distributed systems. The approach is driven by security requirements and by system architecture. It is compatible with the modeling principles offered by recent modeling guidelines and the TCSEC modeling requirements at the B1-A1 assurance levels. The approach has been validated through its application to various development, certification and research projects, including tactical systems, secure gateways, and C3I systems. The approach presented here has been favorably reviewed by security evaluation teams for government agencies. The paper illustrates the approach by applying it to an example tactical system.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The intention of the article is to define a functional structure of the concept of availability in terms of basic functions, similar to the Generic Headings in the ITSEC (IT Security Criteria), as well as a terminological introduction.
Abstract: What the currently available security criteria are still missing is a functional structure of the concept of availability. The intention of the article is to define a functional structure of the concept of availability in terms of basic functions, similar to the Generic Headings in the ITSEC (IT Security Criteria). The article gives the basic definitions and terms as well as a terminological introduction. It contains a list of possible threats, with a view to technical and human failure. These threats are compared with possible security functions. Examples are given of the technical implementation of these security functions (defined as mechanisms). A first approach for evaluation, based on ITSEC is also presented.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: This paper presents a benchmark methodology, a test database design, and a query suite designed to quantify the impact upon query processing of security-related architectural and functional factors that affect performance of MLS DBMSs.
Abstract: Multilevel secure (MLS) DBMSs are subject to a number of security-related architectural and functional factors that affect performance. These factors include, among others, the distribution of data among security levels, the session levels at which queries are run, and how the database is physically partitioned into files. In this paper, we present a benchmark methodology, a test database design, and a query suite designed to quantify this impact upon query processing. We introduce three metrics (uniformity, scale-up and speed-up) that characterize DBMS performance with varying data distributions. Finally, we provide comparisons and analysis of the results of a number of actual benchmarking experiments using DBMSs representative of the two major MLS DBMS architectures (trusted-subject and TCB-subset).

Proceedings ArticleDOI
D.S. Goldberg
05 Dec 1994
TL;DR: The paper describes the design of the security perimeter and the integration of the smartcard system into the boundary hosts and modem pools, known as the MITRE security perimeter.
Abstract: To protect MITRE's unclassified computing resources from unauthorized use, MITRE maintains a network firewall between the MITRE corporate network and the Internet, and limits dial-in to three modem pools. The firewall limits Internet connectivity to a small set of computer systems called boundary hosts. The boundary hosts and the modem pools use a smartcard-based user authentication scheme to ensure that only authorized MITRE employees can gain access to the corporate network. The combination of firewall, boundary hosts, and modem pools is known as the MITRE security perimeter. The paper describes the design of the security perimeter and the integration of the smartcard system into the boundary hosts and modem pools.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The Avionics Operating System (AOS) takes advantage of advanced microprocessor features and other innovative techniques to create an efficient yet flexible multilevel secure real-time operating system.
Abstract: In parallel with advances in the design of real-time systems there is an increasing need for real-time systems that can provide multilevel security. This need is highlighted by the DOD's endorsed move towards integrated avionics to enable real-time avionics and tactical applications to share a common processing platform. A generic Integrated Avionics Platform (IAP) is a heterogeneous distributed system made of a complex network of interconnected systems, each designed to support real-time applications ranging from vehicle management to weapons control. The Avionics Operating System (AOS) meets these evolving needs of multilevel secure real-time avionics systems. The AOS takes advantage of advanced microprocessor features and other innovative techniques to create an efficient yet flexible multilevel secure real-time operating system.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The interconnection of the STU-III (Secure Telephone Unit) and a multilevel secure (MLS) host computer is a layered composition of systems that result from the connection processing done to establish the host-to-host link.
Abstract: The interconnection of the STU-III (Secure Telephone Unit) and a multilevel secure (MLS) host computer is a layered composition of systems. The composed systems that form the layers result from the connection processing done to establish the host-to-host link. To ensure that the system represented by each composed layer is consistent with the security policy, an additional agent must be added to the host's trusted computing base (TCB). This agent manages the STU-III data port interface and undertakes the coordination necessary to ensure that the security state is consistent between each layer; this coordination includes the security coordination between the two host TCBs and the eventual establishment of the remote session. The agent is implemented as a trusted process and is invisible to a process requesting connection to another host. This implementation allows for the greatest flexibility in the use of hardware at some additional cost in complexity.

Proceedings ArticleDOI
E.G. Amoroso, M. Merritt
05 Dec 1994
TL;DR: The I/O automata model of Lynch and Tuttle (1987) is summarized and used to formalize several types of system integrity based on the control of transitions to invalid states, where Type-A, Type-B, and Type-C integrity are shown to be composable, whereas Strict-B and Strict-C integrity are shown to not be generally composable.
Abstract: The I/O automata model of Lynch and Tuttle (1987) is summarized and used to formalize several types of system integrity based on the control of transitions to invalid states. Type-A integrity is exhibited by systems with no invalid initial states and that disallow transitions from valid reachable to invalid states. Type-B integrity is exhibited by systems that disallow externally-controlled transitions from valid reachable to invalid states. Type-C integrity is exhibited by systems that allow locally-controlled or externally-controlled transitions from reachable to invalid states. Strict-B integrity is exhibited by systems that are Type-B but not Type-A. Strict-C integrity is exhibited by systems that are Type-C but not Type-B. Basic results on the closure properties that hold under composition of systems exhibiting these types of integrity are presented in I/O automata-theoretic terms. Specifically, Type-A, Type-B, and Type-C integrity are shown to be composable, whereas Strict-B and Strict-C integrity are shown to not be generally composable. The integrity definitions and compositional results are illustrated using the familiar vending machine example specified as an I/O automaton and composed with a customer environment. The implications of the integrity definitions and compositional results on practical system design are discussed and a research plan for future work is outlined.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The Formal Development Methodology was used to describe system and component security properties, including access control, label consistency, and communications constraints, which were then used as input to the FDM theorem prover to prove the hypotheses of the Abadi Lamport Composition Rule.
Abstract: This paper describes research that addresses application of the Abadi Lamport Composition theorem to the integration of real-world systems. The Formal Development Methodology (FDM) was used to describe system and component security properties, including access control, label consistency, and communications constraints. These descriptions were then used as input to the FDM theorem prover to prove the hypotheses of the Abadi Lamport Composition Rule. Although the FDM tools were not designed for this application, they were found to be usable as long as the properties being addressed are limited to safety properties. The Abadi Lamport framework provides a powerful, well-grounded mathematical proof rule for composing the properties of components to form systems. The combination of this framework and a usable supporting tool set is especially valuable for system integration efforts, in that it enhances the integrator's ability to describe, analyze, understand, and control the integration process.

Proceedings ArticleDOI
27 Sep 1994
TL;DR: This report compares the performance of the SINTRA (Secure INformation Through Replicated Architecture) MLS database system to that of a typical conventional (non-secure, single-level) database system and presents solutions that can alleviate them.
Abstract: Since protection and assurance are the primary concerns in multilevel secure (MLS) databases, performance has often been sacrificed in some known MLS database approaches. Motivated by performance concerns, a replicated architecture approach which uses a physically distinct back-end database management system for each security level is being investigated. This is a report on the behavior and performance issues for the replicated architecture approach. Especially, we compare the performance of the SINTRA (Secure INformation Through Replicated Architecture) MLS database system to that of a typical conventional (non-secure, single-level) database system. After observing the performance bottlenecks for SINTRA, we present solutions that can alleviate them.

Proceedings ArticleDOI
B. Neugent
05 Dec 1994
TL;DR: The purpose of this paper is to improve insight into what users really need and want in the name of MLS.
Abstract: Many government planners and trusted system vendors have an oversimplified view of actual user needs for multilevel security (MLS). The purpose of this paper is to improve insight into what users really need and want in the name of MLS. This paper is primarily derived from work performed under Contract DAAB07-94-C-H601 for the Defense Information Systems Agency (DISA).

Proceedings ArticleDOI
05 Dec 1994
TL;DR: The lessons learned are presented from the integration and fielding of the Ops/Intel Interface for a joint military exercise at the United States Atlantic Command.
Abstract: This paper describes our experiences in integrating and fielding the Operations/Intelligence (Ops/Intel) Interface. The Ops/Intel Interface integrates secure commercial off-the-shelf (COTS) technology with untrusted applications to produce a trusted Ops/Intel workstation. The Ops/Intel Interface enables the intelligence analyst to bridge the gap between the Sensitive Compartmented Information and Secret environments, and provide more active intelligence support to the warfighter. This paper presents the lessons learned from our integration and fielding of the Ops/Intel Interface for a joint military exercise at the United States Atlantic Command.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: An analogy with medicine is proposed, supporting curative as well as preventive action in information technology security, to enhance security by anticipating failures and preparing for contingencies.
Abstract: Perfection in large software systems is improbable; therefore, it is prudent to enhance security by anticipating failures and preparing for contingencies. We propose an analogy with medicine, supporting curative as well as preventive action. Information technology (IT) security needs to allocate resources to contingency resolution mechanisms that can be used to complement prevention mechanisms.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: A prototype secure read only directory system agent emulator (SRODE) for the DoD directory and the demonstration of a multilevel SRODE, which is implemented as an application on SeaView, has shown the feasibility of building an MLS DoD Directory with existing technology.
Abstract: The US Department of Defense (DoD) has begun to plan for the implementation of a DoD Directory capability based on the CCITT X.500 series recommendations, which define the data communication network directory. The DoD Directory statement of requirements has established the need to hold data of different classifications (UNCLASSIFIED to SECRET) and to serve users with different clearances. We describe a prototype secure read only directory system agent emulator (SRODE) for the DoD directory. The demonstration of a multilevel SRODE, which is implemented as an application on SeaView, has shown the feasibility of building an MLS DoD Directory with existing technology.

Proceedings ArticleDOI
M.V. Joyce
05 Dec 1994
TL;DR: The paper examines the effect of trusted technology on a distributed application being transitioned to a trusted system and offers suggestions for taking advantage of the enhanced security control features on trusted systems to address typical security weaknesses in distributed applications.
Abstract: The paper examines the effect of trusted technology on a distributed application being transitioned to a trusted system. Two styles of operation are examined: restricting the operation of all components of the application to a single sensitivity level and allowing the user interface components of the application to operate across a range of sensitivity levels. Within these operational styles, the effects of the trusted technology on the end user, the application administrator, and the developer are examined. The paper also offers suggestions for taking advantage of the enhanced security control features on trusted systems to address typical security weaknesses in distributed applications.

Proceedings ArticleDOI
05 Dec 1994
TL;DR: Some new security models are presented as a means of understanding the complexities of the Compartmented Mode Workstation dual-label design and the different implementations that are available.
Abstract: Some new security models are presented as a means of understanding the complexities of the Compartmented Mode Workstation dual-label design and the different implementations that are available. The security models, which are based upon a realistic abstraction of a computer, have floating security labels. The models are pessimistic, in that they assume that if information is potentially able to flow then it does so. The models vary in their degrees of pessimism, and thus provide different guarantees about the accuracy of a security label.