
Showing papers presented at "Annual Computer Security Applications Conference in 1999"


Proceedings ArticleDOI
06 Dec 1999
TL;DR: A proven object-oriented modeling technique, use cases, is adapted to capture and analyze security requirements in a simple way; from a user perspective, its relationship to other security engineering work products is relatively simple.
Abstract: The relationships between the work products of a security engineering process can be hard to understand, even for persons with a strong technical background but little knowledge of security engineering. Market forces are driving software practitioners who are not security specialists to develop software that requires security features. When these practitioners develop software solutions without appropriate security-specific processes and models, they sometimes fail to produce effective solutions. We have adapted a proven object oriented modeling technique, use cases, to capture and analyze security requirements in a simple way. We call the adaptation an abuse case model. Its relationship to other security engineering work products is relatively simple, from a user perspective.

461 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: The authors built an application that combines domain knowledge with machine learning techniques to create rules for an intrusion detection expert system; it employs genetic algorithms and decision trees to automatically generate rules for classifying network connections.
Abstract: Differentiating anomalous network activity from normal network traffic is difficult and tedious. A human analyst must search through vast amounts of data to find anomalous sequences of network connections. To support the analyst's job, we built an application which enhances domain knowledge with machine learning techniques to create rules for an intrusion detection expert system. We employ genetic algorithms and decision trees to automatically generate rules for classifying network connections. This paper describes the machine learning methodology and the applications employing this methodology.

266 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: ARBAC99 incorporates the concept of mobile and immobile users and permissions for the first time in this arena and motivates these enhancements and analyzes several subtle issues that arise in this context.
Abstract: Role-Based Access Control (RBAC) is a flexible and policy-neutral access control technology. For large systems (with hundreds of roles, thousands of users and millions of permissions), managing roles, users, permissions and their interrelationships is a formidable task that cannot realistically be centralized in a small team of security administrators. An appealing possibility is to use RBAC itself to facilitate decentralized administration of RBAC. The ARBAC97 (administrative RBAC '97) model was recently introduced for this purpose. ARBAC97 has three sub-models called URA97 (for user-role administration), PRA97 (for permission-role administration) and RRA97 (for role-role administration). In this paper we define enhancements to ARBAC97 to give us the new ARBAC99 model. Specifically the URA and PRA sub-models of ARBAC99 introduce significant new features relative to their counterparts in ARBAC97 (while RRA is left unchanged). ARBAC99 incorporates the concept of mobile and immobile users and permissions for the first time in this arena. This paper gives a formal definition of ARBAC99, motivates these enhancements and analyzes several subtle issues that arise in this context.

158 citations


Proceedings ArticleDOI
C. Lai, L. Gong, Lawrence Koved, Anthony Nadalin, R. Schemers
06 Dec 1999
TL;DR: The design and implementation of the Java™ Authentication and Authorization Service (JAAS) is described, a framework and programming interface that augments the Java platform with both user-based authentication and access control capabilities.
Abstract: Java™ security technology originally focused on creating a safe environment in which to run potentially untrusted code downloaded from the public network. With the latest release of the Java™ platform (the Java™ 2 Software Development Kit, v 1.2), fine-grained access controls can be placed upon critical resources with regard to the identity of the running applets and applications, which are distinguished by where the code came from and who signed it. However, the Java platform still lacks the means to enforce access controls based on the identity of the user who runs the code. In this paper we describe the design and implementation of the Java™ Authentication and Authorization Service (JAAS), a framework and programming interface that augments the Java™ platform with both user-based authentication and access control capabilities.

99 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: This model is used to highlight inefficiencies in the "traditional" method of distributing certificate status information using CRLs and offers some suggestions for choosing the best CRL-based revocation distribution mechanism for any particular environment.
Abstract: This paper presents a model for the distribution of revocation information using certificate revocation lists (CRLs). This model is used to highlight inefficiencies in the "traditional" method of distributing certificate status information using CRLs. Two alternative CRL-based revocation distribution mechanisms, over-issued CRLs and segmented CRLs, are then presented. The original model is then expanded to encompass each of the alternative mechanisms and these expanded models are used to demonstrate the advantages of the alternative mechanisms to the "traditional" method. Finally the paper offers some suggestions for choosing the best CRL-based revocation distribution mechanism for any particular environment.

91 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: A preliminary security service taxonomy is defined and is used as a framework for defining the costs associated with network security services.
Abstract: A wide range of security services may be available to applications in a heterogeneous computer network environment. Resource management systems (RMSs) responsible for assigning computing and network resources to tasks need to know the resource-utilization costs associated with the various network security services. In order to understand the range of security services an RMS needs to manage, a preliminary security service taxonomy is defined. The taxonomy is used as a framework for defining the costs associated with network security services.

90 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: The algorithm executed in the module and application to prevent ARP cache poisoning where possible, and to detect it and raise alarms otherwise, is presented, along with some preliminary performance figures for the implementation.
Abstract: Discusses the Address Resolution Protocol (ARP) and the problem of ARP cache poisoning. ARP cache poisoning is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC (Ethernet) address mapping in another host's ARP cache. We discuss design constraints for a solution: the solution needs to be implemented in middleware, without any access or change to any operating system source code, it needs to be backward-compatible with the existing protocol and to be asynchronous. We present our solution and implementation aspects of it in a Streams-based networking subsystem. Our solution comprises two parts: a "bump in the stack" Streams module, and a separate Stream with a driver and user-level application. We also present the algorithm that is executed in the module and application to prevent ARP cache poisoning where possible, and to detect and raise alarms otherwise. We then discuss some limitations with our approach and present some preliminary performance figures for our implementation.

77 citations


Proceedings ArticleDOI
S. Hinrichs
06 Dec 1999
TL;DR: This paper describes techniques for accurately translating from global policy rules to actual per-device configurations, and it describes how these techniques were used in the implementation of Cisco Secure Policy Manager.
Abstract: In a policy-based system, policy goals are described with respect to network entities (e.g. networks and users) instead of enforcement points (e.g., firewalls and routers). This global view has several advantages: usability, global rules are closer to the goals of the human administrator; scalability, the policy system ensures that the enforcement points are configured appropriately, whether there are 1 or 100 enforcement points; and security, the policy system ensures that the policy is enforced consistently. This paper describes techniques for accurately translating from global policy rules to actual per-device configurations, and it describes how these techniques were used in the implementation of Cisco Secure Policy Manager.

75 citations


Proceedings ArticleDOI
Konstantin Beznosov, Yi Deng, B. Blakley, C. Burt, John Barkley
06 Dec 1999
TL;DR: The design of a service for resource access authorization in distributed systems enables one to decouple authorization logic from application functionality and can be successfully used in any distributed computing environment.
Abstract: Decoupling authorization logic from application logic allows applications with fine-grain access control requirements to be independent of a particular access control policy and from factors that are used in authorization decisions as well as access control models, no matter how dynamic those policies and factors are. It also enables elaborate and consistent access control policies across heterogeneous systems. We present the design of a service for resource access authorization in distributed systems. The service enables one to decouple authorization logic from application functionality. Although the described service is based on CORBA technology, the design approach can be successfully used in any distributed computing environment.

58 citations


Proceedings ArticleDOI
C. Benecke
06 Dec 1999
TL;DR: The paper demonstrates why security issues related to the continually increasing bandwidth of high speed networks (HSN) cannot be addressed with conventional firewall mechanisms and shows how hardware may be utilized to distribute the network load among such parallel packet screens.
Abstract: The paper demonstrates why security issues related to the continually increasing bandwidth of high speed networks (HSN) cannot be addressed with conventional firewall mechanisms. A single packet screen running on a fast computer is not capable of filtering all packets traversing a Fast/Gigabit Ethernet. This problem can be addressed by using parallel processing methods to implement a fast, scalable packet screen for Ethernets. The paper shows how hardware may be utilized to distribute the network load among such parallel packet screens. Empirical results using 'off-the-shelf' equipment indicate that this approach is usable.

49 citations


Proceedings ArticleDOI
06 Dec 1999
TL;DR: It is shown that even if all voters follow the Sensus protocol honestly, some voters' votes may still be replaced with different votes without being detected, and the proposed protocol overcomes these drawbacks.
Abstract: We propose a practical and secure electronic voting protocol for large-scale online elections. Our protocol satisfies a large set of important criteria that has never been put together in a single protocol before. Among all electronic voting schemes in the literature, Sensus, a security-conscious electronic voting protocol proposed by Cranor and Cytron (1997), satisfies most of our criteria. Sensus has been implemented and used in mock elections. However, Sensus suffers from several major drawbacks. For instance, we show that even if all voters follow the Sensus protocol honestly, some voters' votes may still be replaced with different votes without being detected. Our protocol overcomes these drawbacks.

Proceedings ArticleDOI
M. Oestreicher
06 Dec 1999
TL;DR: The current transaction model implied by the Java Card 2.1 specification is presented, its shortcomings are highlighted and a detailed discussion of possible implementation schemes and their optimizations are presented.
Abstract: A smart-card run-time environment must provide proper transaction support for the reliable updating of data, especially on multi-application cards like the Java Card. The transaction mechanism must meet these demands by means of the applications and the system itself, within the minimal resources offered by current smart-card hardware. This paper presents the current transaction model implied by the Java Card 2.1 specification, highlights its shortcomings and presents a detailed discussion of possible implementation schemes and their optimizations. It especially addresses the problem of object instantiations within a transaction in the Java Card 2.1 specification and presents an effective solution.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The experience provides evidence that use of the SCR* toolset to develop high quality requirements specifications of moderately complex COMSEC systems is both practical and low cost.
Abstract: To date, the tabular based SCR (Software Cost Reduction) method has been applied mostly to the development of embedded control systems. The paper describes the successful application of the SCR method, including the SCR* toolset, to a different class of system, a COMSEC (Communications Security) device called CD that must correctly manage encrypted communications. The paper summarizes how the tools in SCR* were used to validate and to debug the SCR specification and to demonstrate that the specification satisfies a set of critical security properties. The development of the CD specification involved many tools in SCR*: a specification editor, a consistency checker, a simulator, the TAME interface to the theorem prover PVS, and various other analysis tools. Our experience provides evidence that use of the SCR* toolset to develop high quality requirements specifications of moderately complex COMSEC systems is both practical and low cost.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The purpose of the paper is to present a unifying solution to the problem of fair exchange by defining a suite of protocol modules which allow us to compose protocols where the achieved degree of fairness can be enhanced step by step.
Abstract: Recently, research has focused on enabling fair exchange between payment and electronically shipped items. The reason for this is the growing importance of electronic commerce and the increasing number of applications in this area. Although a considerable number of fair exchange protocols exist, they usually have been defined for special scenarios and thus only work under particular assumptions. Furthermore, these protocols provide different degrees of fairness and cause different communication overhead. The purpose of the paper is to present a unifying solution to the problem. We do this by defining a suite of protocol modules which allow us to compose protocols where the achieved degree of fairness can be enhanced step by step. The advantage of the stepwise approach is that after each step one can decide if the provided degree of fairness is acceptable or if one is willing to spend more in order to reach a higher degree of fairness. We show the applicability of our approach by deriving a novel efficient fair exchange protocol.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: This paper proposes an architecture that uses mediators and a primitive ticket-based authorization model to manage disparate policies in information enclaves and the formal foundation of the architecture facilitates static and dynamic analysis of global consistency and policy enforcement.
Abstract: Coordinating security policies in information enclaves is challenging due to their heterogeneity and autonomy. Administrators must reconcile the semantic diversity of data and security models before negotiating secure interoperation. This paper proposes an architecture that uses mediators and a primitive ticket-based authorization model to manage disparate policies in information enclaves. The formal foundation of the architecture facilitates static and dynamic analysis of global consistency and policy enforcement.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: Using SAM to provide StackGuard-based adaptive security provides a form of misuse-based intrusion detection, capable of detecting known and novel attacks.
Abstract: In the trade-offs between security and performance, it seems that security is always the loser. If we allow for adaptive security, we can at least ensure that security and performance are treated somewhat equally. Using adaptive security, we can allow a system to exist in a less secure, more performant state until it comes under attack. We then adapt the system to a more secure, less performant implementation. In this paper, we introduce the Security Adaptation Manager, or SAM. We describe SAM and how we have implemented SAM to take advantage of the different protection strengths offered by the StackGuard compiler. Using SAM to provide StackGuard-based adaptive security provides a form of misuse-based intrusion detection, capable of detecting known and novel attacks.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: An experiment is reported that tests whether a high quality system specification can also be produced by a large number of people working in parallel with minimum communication.
Abstract: Collaborative software projects such as Linux and Apache have shown that a large, complex system can be built and maintained by many developers working in a highly parallel, relatively unstructured way. The author reports on an experiment to see whether a high quality system specification can also be produced by a large number of people working in parallel with minimum communication.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: ARGuE (Advanced Research Guard for Experimentation) is a prototype guard being developed as a basis for experimentation which is easier to extend than other guards, provides significant new features, and yet has a reasonable degree of assurance.
Abstract: ARGuE (Advanced Research Guard for Experimentation) is a prototype guard being developed as a basis for experimentation. ARGuE is based on Network Associates' Gauntlet firewall. By integrating capabilities developed under several government programs, we were able to create a system which is easier to extend than other guards, provides significant new features (such as integration with an intrusion detection system), and yet has a reasonable degree of assurance.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The paper describes the design for a generic CORBA non-repudiation service implementation that provides a separation between the application business logic and the generation of evidence, allowing non-repudiation support to be incorporated into applications with the minimum of programmer effort.
Abstract: Focuses on the provision of a non-repudiation service for CORBA. The current OMG specification of a CORBA non-repudiation service forces the programmer to augment the application with calls to functions for generating or validating evidence. Furthermore, the application itself has to manage the exchange of this evidence between parties and its storage. The paper describes our design for a generic CORBA non-repudiation service implementation. Our approach provides a separation between the application business logic and the generation of evidence, allowing non-repudiation support to be incorporated into applications with the minimum of programmer effort. Our design is described in this paper using the example of ordering goods over the Internet. The non-repudiation service provides the parties with evidence proving that the transaction has taken place. This proof is a XML document based on the proposed IETF Internet standard "Digital Signatures for XML".

Proceedings ArticleDOI
06 Dec 1999
TL;DR: A prototype secure workflow system is described that allows users to develop high level workflow security policies and to automatically execute these policies within the workflow system.
Abstract: Workflow systems provide automated support that enables organizations to efficiently and reliably move important data through their routine business processes. For some organizations, the information processed by their workflow systems is highly valued and in need of protection from disclosure or corruption. Current workflow systems do not help organizations to adequately protect this important data. We describe a prototype secure workflow system that allows users to develop high level workflow security policies and to automatically execute these policies within the workflow system. These workflow policies can use the workflow context to provide fine-grained dynamic access control and other security services that enhance the organization's ability to control the information contained in its workflow system. We explain these security policy goals, our prototype policy editor, our prototype workflow server, and our underlying Java based implementation.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: It is shown that the use of keyed hash functions (message authentication codes) with a pre-registration option reduces network latency and allows stateless servers.
Abstract: High-security network transactions require the checking of the revocation status of public key certificates. On mobile systems this may lead to excessive delays and unacceptable performance. This paper examines small system requirements and options, with a view to improving performance. It is shown that the use of keyed hash functions (message authentication codes) with a pre-registration option reduces network latency and allows stateless servers.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: This work presents a methodology for specifying secure protocols that can be used to automatically conduct business processes as well as market transactions.
Abstract: Among other areas, electronic commerce includes the fields of electronic markets and workflow management. Workflow management systems are usually used to specify and manage inter- and intra-organisational business processes. Although workflow management techniques are capable of specifying and conducting at least parts of market transactions, these techniques are not or are very rarely used for this purpose yet. In both fields, users demand security and integrity to protect for example their privacy, their property rights or digital payments. To satisfy these security demands, a variety of existing security services, mechanisms, protocols, and organisational measures may be used. On the one hand, to encourage using these techniques it is necessary to have a tool which enables a firm's executive to formulate market transaction security demands at a high abstraction level. On the other hand, executing market transactions needs a more formal, machine readable description of the transaction and its security requirements. We present a methodology to specify secure protocols, which are usable to automatically conduct business processes, as well as market transactions.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The definition and deployment of a Web-based environment suitable for offering administrative services to citizens and for accepting authenticated documents from citizens is described, exploiting the best features of two different certificate status handling schemes.
Abstract: Public administration has shown a strong interest in digital signature technology as a means for secure and authenticated document exchange, hoping that it will help reduce paper-based transactions with citizens. The main problem posed by this technology is the necessary public-key infrastructure, and in particular certificate status handling. This paper describes the definition and deployment of a Web-based environment suitable for offering administrative services to citizens and for accepting authenticated documents from citizens. The best features of two different certificate status handling schemes, namely CRL and OCSP, have been exploited within this environment to obtain a good balance between security, timeliness and efficiency.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: It is argued that Napoleon, a flexible, role-based access control (RBAC) modeling environment, is also a practical solution for enforcing business process control, or workflow policies, and an architecture that incorporates Napoleon into a workflow management system is presented.
Abstract: The paper argues that Napoleon, a flexible, role-based access control (RBAC) modeling environment, is also a practical solution for enforcing business process control, or workflow policies. Napoleon provides two important benefits for workflow: simplified policy management and support for heterogeneous, distributed systems. We discuss our strategy for modeling workflow in Napoleon, and we present an architecture that incorporates Napoleon into a workflow management system.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: Bob is a prototype system that supports complex access control expressions through the transparent use of encryption, and is designed to provide access control without relying on the failure-prone software needed to provide a Web service.
Abstract: If sensitive information is to be included in a shared Web, access controls will be required. However, the complex software needed to provide a Web service is prone to failure. To provide access control without relying on such software, encryption can be used. Bob is a prototype system that supports complex access control expressions through the transparent use of encryption.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: This paper investigates how to identify which inputs are relevant to system security, formulating the problem as a security relevancy problem and deploying a static analysis technique, based on dependency analysis, to identify security-relevant inputs.
Abstract: Many security breaches are caused by inappropriate inputs, crafted by people with malicious intents. To enhance the system security, we need either to ensure that inappropriate inputs are filtered out by the program, or to ensure that only trusted people can access those inputs. In the second approach, we certainly do not want to put such a constraint on every input; instead, we only want to restrict the access to the security-relevant inputs. This paper investigates how to identify which inputs are relevant to system security. We formulate the problem as a security relevancy problem and deploy a static analysis technique to identify security-relevant inputs. Our approach is based on the dependency analysis technique; it identifies whether the behavior of any security-critical action depends on a certain input. If such a dependency relationship exists, we say that the input is security-relevant, otherwise we say the input is security-nonrelevant. This technique is applied to a security analysis project initiated by the Microsoft Windows NT Security Group. The project is intended to identify security-relevant registry keys in the Windows NT operating system. The results from this approach proved useful in enhancing Windows NT security. Our experiences and results from this project are presented in this paper.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: Tests show that most known security violations belonging to the targeted classes can be detected (and possibly pre-empted) while the constituent activities are still being processed in the kernel.
Abstract: This paper describes a new technique for detecting security breaches in a computer system. For each Unix process, the user credentials, which are user identifiers, determine the process privilege, including whether a process has gained a high privilege, such as that of the superuser. The state transition technique is applied to a suitably defined process state, identified by certain classes of user credential values. A transition takes place when these values change from one class to another. These states are clearly defined, and prohibited state transitions as well as some supporting rules are identified. When many break-ins succeed, either the rules are violated or these prohibited transitions occur, and this implies a violation of system security policy. A specially modified system call, ktrace(), is used by the superuser to monitor the process state, and state transition analysis is applied to the traced information by the Intrusion Detection System. Tests show that most known security violations belonging to the targeted classes (such as buffer overflow exploits) can be detected (and possibly pre-empted) while the constituent activities are still being processed in the kernel.

Proceedings ArticleDOI
P. Iglio
06 Dec 1999
TL;DR: TrustedBox, a kernel-level integrity checker that can be used to enforce a very restricted security policy while still allowing users to perform untrusted operations on the same system, is designed and implemented.
Abstract: There is a large number of situations in which computer security is unpopular. In fact, common users do not like too much restricted security policies. Usability is often preferred to security. Many users want to be free to use their computers to run untrusted applications. Moreover, it is not possible to require that every computer user is a security expert. As a consequence, it is very easy for hackers to gain access to a computer system, and to perform a number of unauthorized operations. In this paper we focus on the problem of system integrity. There are some applications in which system integrity is at least as important as privacy and service availability. For this purpose, we have designed and implemented TrustedBox, a kernel-level integrity checker that can be used to enforce a very restricted security policy and that allows users to use the same system to perform untrusted operations.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The paper concentrates on the system organization of MLS METEOR and the rationale for this structure, explaining which portions of the system can be used in generic enterprise computing and which portions are specific to MLS computing.
Abstract: Secure enterprise programming is a difficult and tedious task. Programmers need tools that support different levels of abstraction and that track all the components that participate in distributed enterprises. Those components must cooperate in a distributed environment to achieve higher level goals. A special case of secure enterprise computing is multilevel secure (MLS) computing. Components that may reside in different security domains have to cooperate to achieve higher-level missions. To ease the programmer's burden, we are developing an MLS workflow management system (WFMS), called MLS METEOR. A programmer can specify a distributed programming logic through a GUI-based workflow design tool. Based on the programming logic, MLS METEOR will generate a distributed runtime system that handles communication among different hosts, even those that reside in different classification domains. The multilevel security enforcement of MLS METEOR does not depend on the WFMS itself but rather on the underlying MLS infrastructure and a few security critical components. The paper concentrates on the system organization of MLS METEOR and the rationale for this structure. We explain which portions of the system can be used in generic enterprise computing and which portions are specific to MLS computing.

Proceedings ArticleDOI
06 Dec 1999
TL;DR: The intent is for protected browsers to be used to interact with institutions that have requirements for high security, such as financial institutions that enable users to perform sensitive operations for electronic commerce or online banking.
Abstract: Currently the computer systems and software used by the average user offer virtually no security. Because of this, many attacks, both simulated and real, have been described by the security community and have appeared in the popular press. The paper presents an approach to increase the level of security provided to users when interacting with otherwise unsafe applications and computing systems. The general approach, called Safe Areas of Computation (SAC), uses trusted devices, such as smart cards, to provide an area of secure processing and storage. The paper describes preliminary results of using the Safe Areas of Computation approach to protect specific browsing applications. The intent is for protected browsers to be used to interact with institutions that have requirements for high security, such as financial institutions that enable users to perform sensitive operations for electronic commerce or online banking.