Putting time into proof outlines

A logic for reasoning about timing of concurrent programs is presented. The logic is based on proof outlines and can handle maximal parallelism as well as resource-constrained execution environments. The correctness proof for a mutual exclusion protocol that uses execution timings in a subtle way illustrates the logic in action

Blueprint for a Science of Cybersecurity

A secure system must defend against all possible attacks--including those unknown to the defender. But defenders, having limited resources, typically develop defenses only for attacks they know about. New kinds of attacks are then likely to succeed. So our growing dependence on networked computing systems puts at risk individuals, commercial enterprises, the public sector, and our military

Federated Identity Management Systems: A Privacy-based Characterization

Identity management systems store attributes associated with users and facilitate authorization on the basis of these attributes. A privacy-driven characterization of the principal design choices for identity management systems is given, and existing systems are fit into this framework. The taxonomy of design choices also can guide public policy relating to identity management, which is illustrated using the United States NSTIC initiative

Fine-Grained User Privacy from Avenance Tags

In the Internet, users interact with service providers; these interactions exchange information that might be considered private by the user. Existing schemes for expressing and enforcing user privacy on the Internet---notably notice and consent---are inadequate to address privacy needs of Internet users. This paper suggests a new, practical, and expressive policy tag scheme that would enable users to express both control-based and secrecy-based restrictions. We identify key design goals, explore various design choices that impact these goals, and outline a proposed implementation---called avenance tags---that realizes these goals

Trustworthiness as a Limitation on Network Neutrality

The policy debate over how to govern access to broadband networks has largely ignored the objective of network trustworthiness-a set of properties (including security, survivability, and safety) that guarantee expected behavior. Instead, the terms of the network access debate have focused on whether imposing a nondiscrimination or network neutrality obligation on network providers is justified by the condition of competition among last-mile providers. Rules proposed by scholars and policymakers would allow network providers to deviate from network neutrality to protect network trustworthiness, but none of these proposals has explored the implications of such exceptions for either neutrality or trustworthiness. This Article examines the relationship between network trustworthiness and network neutrality and finds that providing a trustworthiness exception is a viable way to accommodate trustworthiness within a network neutrality rule. Network providers need leeway to block or degrade traffic within their own subnets, and trustworthiness exceptions can provide them with sufficient flexibility to do so. But, the Article argues, defining the scope of a trustworthiness exception is critically important to the network neutrality rule as a whole: an unduly narrow exception could thwart innovative network defenses, while a broad exception could allow trustworthiness to become a pretext that protects a wide range of discrimination that network neutrality advocates seek to prevent. Furthermore, monitoring network providers\u27 use of a trustworthiness exception is necessary to ensure that it remains an exception, rather than becoming a rule. The Article therefore proposes that network providers be required to disclose data regarding their use of a trustworthiness exception . It also offers a general structure for managing these disclosure

Operating System Support for Mobile Agents

An "agent" is a process that may migrate through a computer network in order to satisfy requests made by its clients. Agents implement a computational metaphor that is analogous to how most people conduct business in their daily lives: visit a place, use a service (perhaps after some negotiation), and then move on. Thus, for the computer illiterate, agents are an attractive way to describe network-wide computations. Agents are also useful abstractions for programmers who must implement distributed applications. This is because in the agent metaphor, the processor or "place" the computation is performed is not hidden from the programmer, but the communications channels are. Most current research on agents has focused on language design and application issues. The TACOMA project (Tromso And COrnell Moving Agents) has, instead, focused on operating system support for agents and how agents can be used to solve problems traditionally addressed by operating systems. We have implemented prototype systems to support agents using UNIX and using Tcl/Tk on top of Horus. This paper outlines insights and questions based on that experience. We discuss abstractions needed by an operating system to support agents, and discuss some problems that arise in connection with electronic commerce involving agents

Nerio: Leader Election and Edict Ordering

Coordination in a distributed system is facilitated if there is a unique process, the leader, to manage the other processes. The leader creates edicts and sends them to other processes for execution or forwarding to other processes. The leader may fail, and when this occurs a leader election protocol selects a replacement. This paper describes Nerio, a class of such leader election protocols

An introduction to the TACOMA distributed system. Version 1.0

This report briefly introduces TACOMA Version 1.0. This distributed system supports agents, computations that can roam the internet. The report presents the TACOMA project, the computational model, how to get started, and the basic TACOMA abstractions

Quantifying Information Flow with Beliefs

To reason about information flow, a new model is developed that describes how attacker beliefs change due to the attacker's observation of the execution of a probabilistic (or deterministic) program. The model enables compositional reasoning about information flow from attacks involving sequences of interactions. The model also supports a new metric for quantitative information flow that measures accuracy of an attacker's beliefs. Applying this new metric reveals inadequacies of traditional information flow metrics, which are based on reduction of uncertainty. However, the new metric is sufficiently general that it can be instantiated to measure either accuracy or uncertainty. The new metric can also be used to reason about misinformation; deterministic programs are shown to be incapable of producing misinformation. Additionally, programs in which nondeterministic choices are made by insiders, who collude with attackers, can be analyzed

JRIF: Reactive Information Flow Control for Java

A reactive information flow (RIF) automaton for a value v specifies (i) allowed uses for v and (ii) the RIF automaton for any value that might be directly or indirectly derived from v. RIF automata thus specify how transforming a value alters how the result might be used. Such labels are more expressive than existing approaches for controlling downgrading. We devised a type system around RIF automata and incorporated it into Jif, a dialect of Java that supports a classic form of labels for information flow. By implementing a compiler for the resulting JRIF language, we demonstrate how easy it is to replace a classic information-flow type system by a more expressive RIF-based type system. We programmed two example applications in JRIF, and we discuss insights they provide into the benefits of RIF-based security labels.Supported in part by AFOSR grants F9550-06-0019 and FA9550-11-1-0137, National Science Foundation grants 0430161, 0964409, and CCF-0424422 (TRUST), ONR grants N00014-01- 1-0968 and N00014-09-1-0652, and grants from Microsoft