Showing papers in "ACM Transactions on Information and System Security in 1998"

Crowds: anonymity for Web transactions

Abstract: In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.

The multilevel relational (MLR) data model

Abstract: Many multilevel relational models have been proposed; different models offer different advantages. In this paper, we adapt and refine several of the best ideas from previous models and add new ones to build the new Multilevel Relational (MLR) data model. MLR provides multilevel relations with element-level labeling as a natural extension of the traditional relational data model. MLR introduces several new concepts (notably, data-borrow integrity and the UPLEVEL statement) and significantly redefines existing concepts (polyinstantiation and referential integrity as well as data manipulation operations). A central contribution of this paper is proofs of soundness, completeness, and security of MLR. A new data-basedsemantics is given for the MLR data model by combining ideas from SeaView, belief-based semantics, and LDV. This new semantics has the advantages of both eliminating ambiguity and retaining upward information flow. MLR is secure, unambiguous, and powerful. It has five integrity properties and five operations for manipulating multilevel relations. Soundness, completeness, and security show that any of the five database manipulation operations will keep database states legal (i.e., satisfy all integrity properties), that every legal database state can be constructed, and that MLR is noninterfering. The expressive power of MLR also compares favorably with several other models.

High dictionary compression for proactive password checking

Abstract: The important problem of user password selection is addressed and a new proactive password-checking technique is presented. In a training phase, a decision tree is generated based on a given dictionary of weak passwords. Then, the decision tree is used to determine whether a user password should be accepted. Experimental results described here show that the method leads to a very high dictionary compression (up to 1000 to 1) with low error rates (of the order of 1%). A prototype implementation, called ProCheck, is made available online. We survey previous approaches to proactive password checking, and provide an in-depth comparison.

Exception-based information flow control in object-oriented systems

Abstract: We present an approach to control information flow in object-oriented systems. The decision of whether an information flow is permitted or denied depends on both the authorizations specified on the objects and the process by which information is obtained and transmitted. Depending on the specific computations, a process accessing sensitive information could still be allowed to release information to users who are not allowed to directly access it. Exceptions to the permissions and restrictions stated by the authorizations are specified by means of exceptions associated with methods. Two kinds of exceptions are considered: invoke exceptions, applicable during a mehtod execution and reply exceptions applicable to the information returned by a method. Information flowing from one object into another or returned to the user is subject to the different exceptions specified for the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction and define the conditions for safe information flow. We define security specifications and characterize safe information flows. We propose an approach to control unsafe flows and present an algorithm to enforce it. We also illustrate an efficient implementation of our controls and present some experimental results evaluating its performance.