On the inability of existing security models to cope with data mobility in dynamic organizations
Modeling tools play an important role in identifying threats in traditional IT systems, where the physical infrastructure and roles are assumed to be static. In dynamic organizations, the mobility of data outside the organizational perimeter causes an increased level of threats such as the loss of confidential data and the loss of reputation. We show that current modeling tools are not powerful enough to help the designer identify the emerging threats due to mobility of data and change of roles, because they do not include the mobility of IT systems nor the organizational dynamics in the security model. Researchers have proposed security models that particularly focus on data mobility and the dynamics of modern organizations, such as frequent role changes of a person. We show that none of the current security models simultaneously considers the data mobility and organizational dynamics to a satisfactory extent. As a result, none of the current security models effectively identifies the potential security threats caused by data mobility in a dynamic organization.
Discovering, quantifying, and displaying attacks
In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and communicate them to non-experts for facilitating the decision process. To address this three-sided challenge we propose a protection analysis over the Quality Calculus that (i) computes all the sets of data required by an attacker to reach a given location in a system, (ii) determines the cheapest set of such attacks for a given notion of cost, and (iii) derives an attack tree that displays the attacks graphically. The protection analysis is first developed in a qualitative setting, and then extended to quantitative settings following an approach applicable to a great many contexts. The quantitative formulation is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the framework is demonstrated on a national-scale authentication system, studied through a Java implementation of the framework.
Comment: LMCS SPECIAL ISSUE FORTE 201
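The three steps of the analysis described above, as an added illustration that is not the paper's Java framework or its Quality Calculus encoding: a constructed, acyclic system model in which each location is reached over channels guarded by the data an attacker must already hold. `SYSTEM`, `COST`, the location names and the data names are all assumptions made for the example; step (ii) is done by enumeration rather than by an SMT solver.

```python
# Added example, not code from the paper. A toy protection analysis:
# (i) all minimal sets of data that let an attacker reach a location,
# (ii) the cheapest such set under an assumed cost function,
# (iii) a textual OR/AND attack tree for the location.

# Constructed model (assumed, acyclic): location -> list of alternatives;
# each alternative is (location the attacker must already control, data needed).
SYSTEM = {
    "dmz":       [(None, frozenset())],                      # public entry point
    "vpn":       [("dmz", frozenset({"vpn_key"}))],
    "appserver": [("vpn", frozenset({"ssh_key"})),
                  ("dmz", frozenset({"app_pw"}))],
    "db":        [("appserver", frozenset({"db_pw"})),
                  ("dmz", frozenset({"admin_token"}))],
}

# Assumed cost of obtaining each datum (the "notion of cost" in the abstract).
COST = {"vpn_key": 3, "ssh_key": 4, "app_pw": 5, "db_pw": 2, "admin_token": 9}


def required_sets(loc):
    """(i) every minimal set of data sufficient to reach loc."""
    sets = set()
    for prev, need in SYSTEM[loc]:
        if prev is None:
            sets.add(need)
        else:
            sets.update(s | need for s in required_sets(prev))
    # keep only minimal sets: drop any strict superset of another candidate
    return {s for s in sets if not any(t < s for t in sets)}


def cost_of(data):
    return sum(COST[d] for d in data)


def cheapest(loc):
    """(ii) the cheapest attack set under COST (ties broken by sorted names)."""
    return min(required_sets(loc), key=lambda s: (cost_of(s), sorted(s)))


def attack_tree(loc, depth=0):
    """(iii) OR/AND attack tree rooted at loc, as indented text lines."""
    pad = "  " * depth
    lines = [f"{pad}OR reach {loc}"]
    for prev, need in SYSTEM[loc]:
        label = ", ".join(sorted(need)) if need else "(no data)"
        lines.append(f"{pad}  AND know {label}")
        if prev is not None:
            lines.extend(attack_tree(prev, depth + 2))
    return lines


if __name__ == "__main__":
    print("\n".join(attack_tree("db")))
    best = cheapest("db")
    print("cheapest:", sorted(best), "cost", cost_of(best))
```

On this model the direct route with `admin_token` (cost 9) ties with the VPN route (`vpn_key`, `ssh_key`, `db_pw`, also 9), and the cheapest attack is `app_pw` plus `db_pw` at cost 7; changing one entry in `COST` changes which branch of the tree a non-expert should worry about first, which is the point of quantifying the attacks rather than only listing them.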
The sharing of rights and information in a capability-based protection system
The question of sharing of rights and information in the Take-Grant Protection Model is examined by concentrating on the similarities between the two; in order to do this, new theorems are stated and proven for each that specifically show the similarities. The proof for one of the original theorems is also provided. These statements of necessary and sufficient conditions are contrasted to illustrate the proposition that transferring rights and transferring information are fundamentally the same, as one would expect in a capability-based system. Directions are then discussed for future research in light of these results.
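The take and grant rules of the model, as an added example that is not from the paper: a small protection graph is closed under the two rewriting rules, and information flow is then read off the read/write edges of the result, so the same edge structure decides both whether a right can be shared and whether information can be learned. The graph, the principal names and the `close_rights`/`can_know` helpers are assumptions of this example.

```python
# Added example, not code from the paper: a minimal Take-Grant protection graph.
# Rights are letters on directed edges. The take and grant rules add edges
# (de jure transfer of rights); can_know follows read/write edges of the
# closed graph (de facto transfer of information).
from collections import defaultdict, deque

TAKE, GRANT, READ, WRITE = "t", "g", "r", "w"


class TakeGrantGraph:
    def __init__(self):
        self.rights = defaultdict(set)   # (x, y) -> rights x holds over y
        self.nodes = set()

    def add(self, x, y, *rs):
        self.nodes.update((x, y))
        self.rights[(x, y)].update(rs)

    def has(self, x, y, r):
        return r in self.rights.get((x, y), ())

    def take(self, x, y, z, r):
        """take: x --t--> y and y --r--> z let x add x --r--> z."""
        if self.has(x, y, TAKE) and self.has(y, z, r) and not self.has(x, z, r):
            self.add(x, z, r)
            return True
        return False

    def grant(self, x, y, z, r):
        """grant: x --g--> y and x --r--> z let x add y --r--> z."""
        if self.has(x, y, GRANT) and self.has(x, z, r) and not self.has(y, z, r):
            self.add(y, z, r)
            return True
        return False

    def close_rights(self, subjects):
        """Apply take and grant for every subject until no new edge appears."""
        changed = True
        while changed:
            changed = False
            for x in subjects:
                for y in list(self.nodes):
                    for z in list(self.nodes):
                        for r in (TAKE, GRANT, READ, WRITE):
                            changed |= self.take(x, y, z, r)
                            changed |= self.grant(x, y, z, r)

    def can_know(self, x, z):
        """Information at z reaches x over hops 'a reads b' or 'b writes a'."""
        seen, work = {z}, deque([z])
        while work:
            n = work.popleft()
            if n == x:
                return True
            for (a, b), rs in self.rights.items():
                if b == n and READ in rs and a not in seen:
                    seen.add(a)
                    work.append(a)
                if a == n and WRITE in rs and b not in seen:
                    seen.add(b)
                    work.append(b)
        return False


def build_example():
    """Constructed graph: alice can take from bob, bob reads/writes file and
    can grant to carol; mallory holds no rights at all."""
    g = TakeGrantGraph()
    g.add("alice", "bob", TAKE)
    g.add("bob", "file", READ, WRITE)
    g.add("bob", "carol", GRANT)
    g.nodes.add("mallory")
    g.close_rights(["alice", "bob", "carol", "mallory"])
    return g


if __name__ == "__main__":
    g = build_example()
    for who in ("alice", "bob", "carol", "mallory"):
        print(who, "reads file:", g.has(who, "file", READ),
              "| can learn file contents:", g.can_know(who, "file"))
```

After closure alice has taken read and write on `file` from bob, and carol has been granted them (via bob, or via alice once alice took bob's grant edge); mallory, with no edge into the connected part of the graph, can neither obtain a right to `file` nor learn its contents, which is the correspondence the abstract's theorems make precise.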
Modeling and simulation enabled UAV electrical power system design
With the diversity of mission capability and the associated requirement for more advanced technologies, designing modern unmanned aerial vehicle (UAV) systems is an especially challenging task. In particular, the increasing reliance on the electrical power system for delivering key aircraft functions, both electrical and mechanical, requires that a systems approach be employed in their development. A key factor in this process is the use of modeling and simulation to inform critical design choices. However, effective systems-level simulation of complex UAV power systems presents many challenges, which must be addressed to maximize the value of such methods. This paper presents the initial stages of a power system design process for a medium altitude long endurance (MALE) UAV, focusing particularly on the development of three full candidate architecture models and associated technologies. The unique challenges faced in developing such a suite of models and their ultimate role in the design process are explored, with case studies presented to reinforce key points. The role of the developed models in supporting the design process is then discussed.
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The C to CHERI compiler, for example, achieves memory safety by following a principle called "pointers as capabilities" (PAC). Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide guarantees for a compilation unit, even if that compilation unit is later linked to attacker-controlled machine code. This paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which is of broad interest because it reuses and extends the compiler correctness relation in a natural way, as we demonstrate. We implement our compiler on top of the CHERI platform and show that it can compile legacy C code with minimal code changes. We provide performance benchmarks that show how performance overhead is proportional to the number of cross-compilation-unit function calls.
Department of Homeland Security Science and Technology Directorate: Developing Technology to Protect America
In response to a congressional mandate and in consultation with the Department of Homeland Security's (DHS) Science and Technology Directorate (S&T), the National Academy conducted a review of S&T's effectiveness and efficiency in addressing homeland security needs. This review included a particular focus that identified any unnecessary duplication of effort, and opportunity costs arising from an emphasis on homeland security-related research. Under the direction of the National Academy Panel, the study team reviewed a wide variety of documents related to S&T and homeland security-related research in general. The team also conducted interviews with more than 200 individuals, including S&T officials and staff, officials from other DHS component agencies, other federal agencies engaged in homeland security-related research, and experts from outside government in science policy, homeland security-related research and other scientific fields.
Key Findings: The results of this effort indicated that S&T faces a significant challenge in marshaling the resources of multiple federal agencies to work together to develop a homeland security-related strategic plan for all agencies. Yet the importance of this role should not be underestimated. The very process of working across agencies to develop and align the federal homeland security research enterprise around a forward-focused plan is critical to ensuring that future efforts support a common vision and goals, and that the metrics by which to measure national progress, and make changes as needed, are in place.
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
China's Institutional Architecture: A New Institutional Economics and Organization Theory Perspective on the Links between Local Governance and Local Enterprises
We start our exploration of China's institutional change by asking what the China experience can tell us about institutional economics and organization theory. We point to under-researched areas such as the formation of firms and the interplay between firms and local politics. Our findings support the dynamic capability approach, which concentrates on activities rather than on pre-defined groups and models institution building as a co-operative game between the local business community and local government agencies. We find that the analysis of firms has to set in before they are formed by entrepreneurs and networks, and we identify political management as a core competence of these two groups. While this contradicts the conventional view of clientelism or principal-agent relations as institutional building blocks, we don't propose competing models. Instead, we suggest focusing on a dynamic process in which the role of players can change. Faced with the spontaneous emergence of institutions, our concept of institutional architecture captures the fact that the two models can co-exist side by side and that, once the dichotomy between formal and informal institutions is given up, there can be a transition from local patron-client relations to local business-state coordination.
Keywords: entrepreneurship; dynamic capabilities; networks; institutional change; diversity and convergence of institutions