A Verified Information-Flow Architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators

History-sensitive versus future-sensitive approaches to security in distributed systems

We consider the use of aspect-oriented techniques as a flexible way to deal with security policies in distributed systems. Recent work suggests to use aspects for analysing the future behaviour of programs and to make access control decisions based on this; this gives the flavour of dealing with information flow rather than mere access control. We show in this paper that it is beneficial to augment this approach with history-based components as is the traditional approach in reference monitor-based approaches to mandatory access control. Our developments are performed in an aspect-oriented coordination language aiming to describe the Bell-LaPadula policy as elegantly as possible. Furthermore, the resulting language has the capability of combining both history- and future-sensitive policies, providing even more flexibility and power.Comment: In Proceedings ICE 2010, arXiv:1010.530

Water Rights and Markets in the US Semi-arid West: Efficiency and Equity Issues

There are both high resource and political costs in defining and enforcing property rights to water and in managing it with markets. In this paper, I examine these issues in the semi-arid U.S. West where many of the intensifying demand and supply problems regarding fresh water are playing out. I begin by illustrating the current state of water markets in 12 western U.S. states. There are major differences in water prices across uses (agriculture, urban, environmental) and these differences appear to persist, suggesting that water markets have not developed fully enough to narrow the gaps. Moreover, there is considerable difference in the extent and nature of water trading across the western states, suggesting that water values and transaction costs of trade vary considerably across jurisdictions. I then turn to the resource and political costs of defining water rights and expanding the use of markets. In this discussion, efficiency and equity objectives play important, often conflicting, roles. This tension reflects the very social nature of the water resource. To understand the problems of expanding water markets, it is critical to understand the varying political, bureaucratic, and administrative incentives involved

Water Rights and Markets in the U.S. Semi Arid West: Efficiency and Equity Issues

There are both high resource and political costs in defining and enforcing property rights to water and in managing it with markets. In this paper, I examine these issues in the semi-arid U.S. West where many of the intensifying demand and supply problems regarding fresh water are playing out. I begin by illustrating the current state of water markets in 12 western U.S. states. There are major differences in water prices across uses (agriculture, urban, environmental) and these differences appear to persist, suggesting that water markets have not developed fully enough to narrow the gaps. Moreover, there is considerable difference in the extent and nature of water trading across the western states, suggesting that water values and transaction costs of trade vary considerably across jurisdictions. I then turn to the resource and political costs of defining water rights and expanding the use of markets. In this discussion, efficiency and equity objectives play important, often conflicting, roles. This tension reflects the very social nature of the water resource.

Money, credit, banking, and payments system policy

This article employs contract theory to analyze the evolution of the payments system. Insights gained are used subsequently to evaluate three prominent public payments system policies: monetary policy, central bank lending, and deposit insurance.Payment systems