266 research outputs found

    A Multilevel File System for High Assurance

    The designs of applications for multilevel systems cannot merely duplicate those of the untrusted world. When applications are built on a high assurance base they will be constrained by the underlying policy enforcement mechanism. Consideration must be given to the creation and management of multilevel data structures by untrusted subjects. Applications should be designed to rely upon the TCB's security policy enforcement services rather than build new access control services beyond the TCB perimeter. The results of an analysis of the design of a general purpose file system developed to execute as an untrusted application on a high assurance TCB are presented. The design illustrates a number of solutions to problems resulting from a high assurance environment. Approved for public release; distribution is unlimited

    Emergency response for cyber infrastructure management

    The objective of this research is to investigate architectural mechanisms to provide an emergency response capability for Cyber Infrastructure management through the use of distributed, highly secure, protected domains. Instead of creating a costly physically separate cyber domain, logical separation is used. This work developed an architecture and prototype demonstration in the context of an open source operating system. Approved for public release; distribution is unlimited

    An introduction to Quality of Security Services

    We examine the concept of security as a dimension of Quality of Service in distributed systems. We provide a discussion and examples of user-specified security variables and show how the range of service levels associated with these variables can support the provision of Quality of Security Service. We also discuss various design implications regarding security ranges provided in a QoS-aware distributed system. Our goal has been to provide an understanding of QoSS and variant security, and to determine whether these concepts can be useful in improving security service and system performance in QoS-aware distributed systems. We described the general requirements for system attributes to participate in the provision of Quality of Service, and described how certain security attributes might meet these requirements. We then described various forms of user and application security "ranges" and showed how these ranges can make sense in relation to existing security policies, when those ranges are presented as user choices. Finally we described security ranges as forming a coherent system of relationships in a distributed multi-tiered system. Our conclusion is that it may be possible for security to be a semantically meaningful dimension of Quality of Service without compromising existing security policies. Further study is needed to understand the effectiveness of QoSS in improving system performance in QoS-aware systems. Approved for public release; distribution is unlimited

    An Information Security Education Initiative for Engineering and Computer Science

    This paper puts forward a case for an educational initiative in information security at both the undergraduate and graduate levels. Its focus is on the need for such education, the desired educational outcomes, and how the outcomes may be assessed. A basic thesis of this paper is that the goals, methods, and evaluation techniques of information and computer security are consistent with and supportive of the stated goals of engineering education and the growing movement for outcomes-based assessment in higher education.

    MYSEA Testbed

    The technical vision of the emerging net-centric Global Information Grid (GIG) encompasses support for high assurance authentication and multilevel security (MLS) as well as flexible, dynamic security policies. The GIG is intended to address the inefficient exchange of information in current military and intelligence operations that utilize a variety of specialized (so-called "stove-piped") systems. In this context, secure information access problems are exacerbated by the need to share information from networks at different classifications (e.g., Unclassified, Secret, and Top Secret) and within multinational coalitions in episodic, ad hoc situations. These challenges provide the impetus for the creation of the Monterey Security Architecture (MYSEA) Testbed. The purpose of this Testbed is to support research in high assurance multilevel security (MLS) [1, 2] and dynamic security, two areas that are critical to the realization of the GIG's assured information sharing vision. Approved for public release; distribution is unlimited

    Managing Costs and Variability of Security Services

    Approved for public release; distribution is unlimited

    A Program for Education in Certification and Accreditation

    Large complex systems need to be analyzed prior to operation so that those depending upon them for the protection of their information have a well defined understanding of the measures that have been taken to achieve security and the residual risk the system owner assumes during its operation. The U.S. military calls this analysis and vetting process certification and accreditation. Today there is a large, unsatisfied need for personnel qualified to conduct system certifications. An educational program to address those needs is described. Approved for public release; distribution is unlimited

    A Linux Implementation of Temporal Access Controls

    Abstract — Control of access to information based upon temporal attributes can add another dimension to access control. To demonstrate the feasibility of operating system-level support for temporal access controls, the Time Interval File Protection System (TIFPS), a prototype of the Time Interval Access Control (TIAC) model, has been implemented by modifying Linux extended attributes to include temporal metadata associated both with files and users. The Linux Security Module was used to provide hooks for temporal access control logic. In addition, a set of utilities was modified to be TIFPS-aware. These tools permit users to view and manage the temporal attributes associated with their files and directories. Functional, performance, and concurrency testing were conducted. The ability of TIFPS to grant or revoke access in the future, as well as to limit access to specific time intervals, enhances traditional information control and sharing.