1,622 research outputs found
Time Protection: the Missing OS Abstraction
Timing channels enable data leakage that threatens the security of computer
systems, from cloud platforms to smartphones and browsers executing untrusted
third-party code. Preventing unauthorised information flow is a core duty of
the operating system, however, present OSes are unable to prevent timing
channels. We argue that OSes must provide time protection in addition to the
established memory protection. We examine the requirements of time protection,
present a design and its implementation in the seL4 microkernel, and evaluate
its efficacy as well as performance overhead on Arm and x86 processors
Recommended from our members
Arguing satisfaction of security requirements
This chapter presents a process for security requirements elicitation and analysis,
based around the construction of a satisfaction argument for the security of a
system. The process starts with the enumeration of security goals based on assets
in the system, then uses these goals to derive security requirements in the form of
constraints. Next, a satisfaction argument for the system is constructed, using a
problem-centered representation, a formal proof to analyze properties that can be
demonstrated, and structured informal argumentation of the assumptions exposed
during construction of the argument. Constructing the satisfaction argument can
expose missing and inconsistent assumptions about system context and behavior
that effect security, and a completed argument provides assurances that a system
can respect its security requirements
Security Policy Specification Using a Graphical Approach
A security policy states the acceptable actions of an information system, as
the actions bear on security. There is a pressing need for organizations to
declare their security policies, even informal statements would be better than
the current practice. But, formal policy statements are preferable to support
(1) reasoning about policies, e.g., for consistency and completeness, (2)
automated enforcement of the policy, e.g., using wrappers around legacy systems
or after the fact with an intrusion detection system, and (3) other formal
manipulation of policies, e.g., the composition of policies. We present LaSCO,
the Language for Security Constraints on Objects, in which a policy consists of
two parts: the domain (assumptions about the system) and the requirement (what
is allowed assuming the domain is satisfied). Thus policies defined in LaSCO
have the appearance of conditional access control statements. LaSCO policies
are specified as expressions in logic and as directed graphs, giving a visual
view of policy. LaSCO has a simple semantics in first order logic (which we
provide), thus permitting policies we write, even for complex policies, to be
very perspicuous. LaSCO has syntax to express many of the situations we have
found to be useful on policies or, more interesting, the composition of
policies. LaSCO has an object-oriented structure, permitting it to be useful to
describe policies on the objects and methods of an application written in an
object-oriented language, in addition to the traditional policies on operating
system objects. A LaSCO specification can be automatically translated into
executable code that checks an invocation of a program with respect to a
policy. The implementation of LaSCO is in Java, and generates wrappers to check
Java programs with respect to a policy.Comment: 28 pages, 22 figures, in color (but color is not essential for
viewing); UC Davis CS department technical report (July 22, 1998
Using Event Calculus to Formalise Policy Specification and Analysis
As the interest in using policy-based approaches for systems management grows, it is becoming increasingly important to develop methods for performing analysis and refinement of policy specifications. Although this is an area that researchers have devoted some attention to, none of the proposed solutions address the issues of analysing specifications that combine authorisation and management policies; analysing policy specifications that contain constraints on the applicability of the policies; and performing a priori analysis of the specification that will both detect the presence of inconsistencies and explain the situations in which the conflict will occur. We present a method for transforming both policy and system behaviour specifications into a formal notation that is based on event calculus. Additionally it describes how this formalism can be used in conjunction with abductive reasoning techniques to perform a priori analysis of policy specifications for the various conflict types identified in the literature. Finally, it presents some initial thoughts on how this notation and analysis technique could be used to perform policy refinement
Information Flow Model for Commercial Security
Information flow in Discretionary Access Control (DAC) is a well-known difficult problem. This paper formalizes the fundamental concepts and establishes a theory of information flow security. A DAC system is information flow secure (IFS), if any data never flows into the hands of owner’s enemies (explicitly denial access list.
- …