33 research outputs found
Resume of Roger R. Schell, 1978
Naval Postgraduate School Faculty Resume
Mechanism sufficiency validation by assignment
This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assignment technique is defined. This technique consists of establishing an assignment between the security classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy. Although this paper presents preliminary results of research, the proposed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.
Prepared for Chief of Naval Research. http://archive.org/details/mechanismsuffici00shir N0002381R015374NA Approved for public release; distribution is unlimited
The Naval Postgraduate School secure archival storage system, Part I. Design
There is an increasing need for systems which provide controlled access to multiple levels of sensitive data and information. This report comprises the first phase of the realization of such a system: the comprehensive design of a multilevel secure file storage system. This is the focus of an ongoing research project, which is currently in the early implementation phases. The design is based upon security kernel technology as applied to modern multiple microcomputer arrays. This design is intended to interface with other (distributed) processing elements, perhaps forming the central hub of a data secure network of computers. The design would provide archival shared storage while insuring that each interfacing processor accessed only that information appropriate. The design phase of the project is presented in a series of three research reports (Masters Degree theses). These reports, reprinted in their entirety here, are: (1) Capt. O'Connell and Lt. Richardson's definition of a secure multi-microprocessor family of operating systems; (2) Capt. Coleman's detailed security kernel design for a member of this family; and (3) Lt. Parks' hierarchical file system designed to run under the control of Capt. Coleman's security kernel.
Supported in part by the Foundation Research Program of the Naval Postgraduate School with funds provided by the Chief of Naval Research. http://archive.org/details/navalpostgraduat00sche Noool480WR00Q5
The Naval Postgraduate School secure archival storage system, Part II : Segment and process management implementation
The security kernel technology has provided the technical foundation for highly reliable protection of computerized information. However, the operating system implementations face two significant challenges: providing (1) adequate computational resources for applications tasks, and (2) a clean, straightforward structure whose correctness can be easily reviewed. This paper presents the experience on an ongoing security kernel implementation using the Advanced Micro Devices 4116 single-board computer based on the Z8002 microprocessor. The performance issues of process switching, domain changing, and multiprocessor bus contention are explicitly addressed. The strictly hierarchical (i.e., loop-free) structure provides a series of increasingly capable, separately usable operating system subsets. Security enforcement is structured in two layers: the basic kernel rigorously enforces a non-discretionary (viz., lattice model) policy, while an upper layer provides the access refinements for a discretionary policy. (Author)
Supported by grants from the Office of Naval Research, Project No. 427-001, monitored by Mr. Joel Trimble, and the Naval Postgraduate School Research Foundation. http://archive.org/details/navalpostgraduat00coxl N000148lWRl003
Using Proven Reference Monitor Patterns for Security Evaluation
The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed
Multics security evaluation: Vulnerability analysis
A security evaluation of Multics for potential use as
Dynamic Reconfiguration in a Modular Computer System
This thesis presents an orderly design approach for dynamically changing the configuration of constituent physical units in a modular computer system. Dynamic reconfiguration contributes to high system availability by allowing preventive maintenance, development of new operating systems, and changes in system capacity on a noninterference basis. The design presented includes the operating system primitives and hardware architecture for adding and removing any (primary or secondary) storage module and associated processing modules while the system is running. Reconfiguration is externally initiated by a simple request from a human operator and is accomplished automatically without disruption to users of the system. This design allows the modules in an installation to be partitioned into separate non-interfering systems. The viability of the design approach has been demonstrated by employing it for a practical implementation of processor and primary memory dynamic reconfiguration in the Multics system at M.I.T.
Subversion as a Threat in Information Warfare
As adversaries develop Information Warfare capabilities, the threat of information system subversion presents a significant risk. System subversion will be defined and characterized as a warfare tool. Through recent security incidents, it is shown that means, motive, and opportunity exist for subversion, that this threat is real, and that it represents a significant vulnerability. Mitigation of the subversion threat touches the most fundamental aspect of the security problem: proving the absence of a malicious artifice. A constructive system engineering technique to mitigate the subversion threat is identified