12 research outputs found

    A Classification of Interdomain Actions

    No full text
    This paper contributes to the recent discussion on unmet information security challenges for operating system designers. It focuses on the problem that in order to meet these challenges operating systems must be capable of supporting a multitude of information domains, each domain defined by its own and individual security policy. In such multi-domain systems, the inter-operability between different information domains constitutes a major problem. While the security policies of the system control the interactions within their domains, it is an unsolved problem how interactions between different domains can be made secure. In order to provide a precise foundation for the discussion of secure interdomain actions as well as for the development of concepts for their implementation, the paper proposes a classification of interdomain actions that clearly identifies two major types of interdomain actions: interactions that cause conflicts between the involved security policies and interactions for which none of the involved policies can provide any security rule. The paper concludes that in order to support multiple information domains, operating systems must be capable of classifying interdomain actions, and they must support new types of interdomain security policies that mediate security conflicts in interdomain actions and complete the set of security rules for interdomain actions. The paper concludes with a discussion of the computational complexity of interdomain action classification. Keywords: security policy, multipolicy system, information domain, policy domain.

    Confidence Domains for Distributed Systems

    No full text
    The paper addresses the problem of trust in large computer networks that connect several independent organizations. While in such networks it is politically difficult to agree upon one single common point of trust and one single global network security policy, few networks exist in which no system trusts any other system. Thus we observe that systems in a network form clusters, based on the sharing of a common point of trust or a common security policy. One of the major assumptions in this paper is that trust cannot be achieved on a simple technical or mechanical level alone. We introduce confidence domains as an approach to describe human belief in the trustworthiness of systems and thus make this knowledge available to the system's security components. The paper describes the concept of confidence domains together with the paradigms used to define and establish them. It gives examples how confidence domains can be exploited as a foundation for security policies. The paper also describes mechanisms needed to enforce confidence domains in an open network and concludes with a detailed description of an implementation for the BirliX Security Architecture

    Policy Groups

    No full text
    This paper contributes to the current discussion on multipolicy systems: Systems that support a multitude of independent security domains in which an individual security policy is enforced on the applications. In multipolicy systems, the interoperability between different security domains constitutes a major problem. While security policies are capable of controlling the applications within their domains, interactions between different security domains create security loop-holes and cause conflicts between the involved security policies