Information Security and Security Architecture (IMT 4162 ...english.hig.no/content/download/7822/108795/file/Syllabus_HS2007.pdfInformation Security and Security Architecture (IMT

Information Security and Security Architecture (IMT 4162) Syllabus

C. Busch S. Wolthusen

August 27, 2007

1 Introduction

This course provides an introduction to information security and security architecture aspects at the graduate (M.Sc. and Ph.D.) level.

2 Formal Aspects

2.1 Faculty Contact Information

Prof. Dr. Stephen D. Wolthusen
Gjøvik University College
Computer Science Department
Teknologiveien 22
2802 Gjøvik
Norway

Email: [email protected]
Phone: +47 61 13 52 89 (while in Gjøvik)
Phone: +44 1784 44 3270 (office in the UK)
Skype: swolthusen
Fax: +47 61 13 52 40

Office: A124C
Office hours: By appointment.

2.2 Co-Lecturer

Prof. Dr. Christoph Busch
Gjøvik University College
Computer Science Department
Teknologiveien 22
2802 Gjøvik
Norway

Email: [email protected]
Phone: TBD (while in Gjøvik)
Fax: +47 61 13 52 40

Office: A124D
Office hours: By appointment.

2.3 Instruction Language

Instruction language will be English.

2.4 Prerequisites

Some mathematical preparation as may be provided by an undergraduate science, mathematics, or computer science and engineering degree is required. In particular, knowledge of the fundamentals of logic, set theory, proof techniques, complexity theory, computability and decidability, and abstract algebra is required. Certain aspects of the course may also require a basic understanding of probability theory and statistics.

Basic knowledge of cryptology as provided by IMT 4051 may also be required.

Certain knowledge of operating systems, particularly memory management, system calls, process switching, and concepts such as the separation of kernel and user space, is also necessary as these concepts will not be reviewed during the course.

However, it is feasible to take the course without having had a formal course in operating systems, provided one has some understanding of the above topics. Such knowledge might have been obtained from undergraduate operating systems courses or from a reasonable level of background and self-study. Such self-study could be based on the book Operating System Concepts by Silberschatz et al. [71].

2.5 Course Requirements and Objectives

The following items will be expected from students during the course:

2.6 Workload

The course is a 10 ECTS credit course. The ECTS assumes that 60 credits measure the workload of a full-time student during one academic year. This workload is calculated to amount to 40 weeks a year, with 10 credits therefore representing approximately 300 hours of work.

2.7 Grading and Academic Integrity

2.7.1 Grading

Grading will be based on three elements with the following approximate weighting:

• Midterm exam (3 hours): 33%

• Final exam (3 hours): 33%

• Term paper and oral presentation of term paper results: 33%.

Academic results will be documented on the A-F scale. The overall grade will be determined by a comprehensive performance evaluation taking into account the abovementioned components.

Late submission of the term paper or of exercise projects will be penalized without regard to the actual merit of the paper or submission. This penalty will apply except in case of documented emergency (e.g. in case of medical emergency), or by prior arrangement at the discretion of the instructor.

Any assignment due on a day of class or exercise is due at the beginning of that class or exercise.

All written work submitted must carry the student’s name and must be reasonably neat and well organized. Any work that cannot easily be read will be penalized.

2.7.2 Academic Integrity

Penalties will particularly be imposed for academic dishonesty. Academic dishonesty is defined as any action or practice that provides the potential for an unfair advantage to one individual or one group.

Academic dishonesty includes the misrepresentation of facts, the fabrication or manipulation of data or results, representing another’s work or knowledge as one’s own, disrupting or destroying the work of others, or abetting anyone who engages in such practices.

Academic dishonesty is not absolute because the expectations for collaboration vary. However, unless given specific permission, any and all results submitted must be the result of individual effort, performed without the help of other individuals or outside sources.

If a question arises about the type of external materials that may be used or the amount of collaboration that is permitted for a given task, each individual involved is responsible for verifying the rules with the instructor or teaching assistant before engaging in collaborative activities, using external materials, or accepting help from others.

2.8 Schedule

Session  Date                Time    Location
1        August 23, 2007     9:00am  A204
2        September 6, 2007   9:00am  A204
3        September 20, 2007  9:00am  A204
4        October 18, 2007    9:00am  A204
5        November 1, 2007    9:00am  A204
6        November 15, 2007   9:00am  A204

3 Required Reading

The primary reference for this course is the book Computer Security by Dieter Gollmann [29]. Using the second edition of that book [30] is not mandatory; references in the syllabus are to chapters in the first edition. In addition, selected chapters from the books Computer Security: Art and Science by Bishop [6] and Building a Secure Computer System by Gasser [27] are assigned.

Detailed reading assignments are listed in the session plan (see section 4 of this document).

4 Session Plan

4.1 Session 1 (August 23, 2007):

Together with elements from session 2, the blocks in this session provide an overview of some of the fundamental problems of information security, beginning with a historical overview and moving on to elementary aspects of identification and authentication as well as access control, which will be developed further in subsequent sessions.

Objectives

• Provide some historical background to motivate the lines of research and development in computer security research, including terminology used in defining confidentiality measures

• Exhibit initial working definitions of core terminology for computer security, including confidentiality, integrity, availability, accountability, trust, and privacy

• Explain interconnection between concepts in an overall security architecture

• Point out typical threats to a networked environment

• Explain identification and authentication (I&A) concepts

• Discuss elementary aspects of I&A: Passwords, tokens, and their respective usage requirements, strengths, and weaknesses

• Explain fundamental results in security and access control

4.1.1 Block 1.1:

Administrative Matters

• Overview of the course, reading materials, and expected outcomes

• Schedule of lectures and Tutorials

• Term papers: Topics, writing, and expected outcomes

• Exams: Schedule and format

The early history of computer security

• Origins in requirements of time-sharing systems [52, 87, 75, 90]

• Classification mechanisms

• Initial applications in the defense and intelligence sector: new requirements

• From COMSEC to COMPUSEC [5, 62, 83]

4.1.2 Block 1.2:

Identification and Authentication I

• Basic definitions and techniques for identification and authentication

• Password- and PIN-code based mechanisms, their effectiveness and factors for their adoption

Access Control I

• Security requirements [16]

• Access control matrix formalism

Required reading Chapters 2,3 of [29], chapters 2,3 of [6].

Suggested additional reading The first mention of time-sharing computing may be in [52]; see [83] for a surprisingly up-to-date and comprehensive threat analysis.

For additional material on passwords and password handling, see chapter 3 of [3]. The implementation of the logon mechanism for Unix and Microsoft Windows NT derivatives is covered in sections 6.3 and 7.3 of [29], respectively. Strength of mechanism for passwords is discussed in [56]; human factors are also discussed in [46]. Interesting security aspects of PIN codes are discussed in [8].

For smart cards and tamper resistance issues, see chapter 14 of [3] and chapter 9 of [4]. Chapter 13 of [3] provides a now somewhat dated and cursory overview of biometrics; see [39, 7, 84] for a more comprehensive, up-to-date overview.

4.2 Session 2 (September 27):

This session continues the discussion of identification and authentication approaches with an in-depth look at biometrics in the first block. The second block is devoted to tools and techniques for security analysis.

Objectives

• Discuss biometric techniques

• Review statistical foundations

• Review physiological foundations for biometrics

• Discuss measurement approaches including fingerprints, face recognition, and iris recognition

• Explain analytical approaches and tools for security analysis

• Review examples of fine-grained security analysis tools and special application areas

4.2.1 Block 2.1:

Identification and Authentication II

• Biometric I&A mechanisms as exemplified by fingerprint, face, and iris recognition.

4.2.2 Block 2.2:

System Security Analysis Approaches

• Analytical tools from other engineering domains: Failure Mode and Effect Analysis

• Security-specific analytical tools: Attack trees

• Detailed system analysis tools: Flaw Hypothesis Model, attack nets, Petri net-based approaches

Required reading The survey paper [41] covers most aspects of the biometrics block; additional reading from the recommended reading list may, however, be advisable. Chapter 4 of [29], chapters 18 and 21 of [6].

Suggested additional reading Chapter 13 of [3] provides a now somewhat dated and cursory overview of biometrics; see [40, 63, 39, 7, 84] for more comprehensive, up-to-date overviews.

Failure mode and effects analysis (FMEA) is covered in detail in [74]; a survey of fault tree analysis is given in [49]. The attack net approach is described in [54]; the currently used flaw hypothesis model is discussed in [85, 1, 86].

4.3 Session 3 (September 6):

This session is devoted to an in-depth review of foundational theoretical results and models in access control on the one hand, and on the other to a review of several key security models and approaches for confidentiality and integrity.

Objectives

• Review basic aspects of lattice theory

• Identify key confidentiality models and their properties

• Explain integrity and hybrid security models

• Explain key techniques for (high-level) system security analysis

4.3.1 Block 3.1:

Access Control II

• Foundational results for the access matrix model: Undecidability of safety

• Limited access matrix models

• Decidable security models: The Take-Grant and Schematic protection models

4.3.2 Block 3.2:

Security Models

• Bathtub ring model (Weissman)

• Bell-LaPadula model

• Biba’s integrity models

• Clark and Wilson’s integrity models

• Chinese Wall security model

• Role-based access controls

• Information flow and information flow models: Noninterference and nondeducibility

Required reading Chapter 4 of [29], chapters 5,6 of [6]. Role-based access control is also surveyed in [25]. See section 17.3 of [6] for a discussion of covert channels.

Suggested additional reading For the original discussion of the confinement problem, see [47]. The original proofs of the take-grant theorems (not covered in the lecture) can be found in [42, 43].

The Schematic Protection model evolved in several iterations from the send-receive transport model (SSR) of Sandhu [65, 66, 67]; additional results not covered in the lecture can be obtained from the extended schematic protection model (ESPM) proposed by Ammann and Sandhu [2] and the typed access matrix model (TAM) by Sandhu [68, 69].

[48] provides a (historical and incomplete) overview of confidentiality model formalizations; [55] contains a more recent and complete survey.

Role-based access control is covered in detail in [24], although [25] provides a more-than-solid overview. Additional research-relevant papers can also be found in the SACMAT (formerly RBAC) conference series proceedings sponsored by ACM SIGSAC. A survey of covert channels is provided in [45]; this also describes the shared resource matrix model in detail. The original formulation of the lattice model of information flow can be found in [18]; while the exposition in [19] is rather more clear, this book has long been out of print. One of the seminal papers on noninterference is [28]; [53] and [51] provide additional material on composability.

4.4 Session 4 (September 20):

In this session, the focus is shifted to the pragmatic aspects of computer and information security. To this end, design principles for both hard- and software in support of security mechanisms as well as the concept of hardware/software co-design are covered. Given that most current operating systems honor such principles mainly in the breach, the second block of this session is then devoted to a number of mostly research-derived historical operating system case studies.

Objectives

• Explain security design principles

• Review basic hardware architecture elements relevant for security and protection

• Review case studies of secure operating systems and operating system designs

4.4.1 Block 4.1:

Design Principles

• The design principles of Saltzer & Schroeder

• Requirements for secure multiprogramming

• Execution domains (including architectural examples)

• Memory protection and virtual memory

• Input/output controls

• The reference monitor concept

• Fine-granularity memory protection mechanisms: The ring, segment, and capability concepts

4.4.2 Block 4.2:

Case Studies

• PSOS

• Intel 432

• GEMSOS

Required reading Chapter 5 of [29], chapter of [6]. Chapters 8, 10 of [27]. The report [58] should at least be surveyed entirely; chapter 2 is required reading. The i432 architecture is surveyed in chapter 9 of [50]; [59] provides a survey of PSOS. A survey of the GEMSOS architecture is provided in [70]; note that this refers only to the original i80286-based system; later hardware upgrades are referred to, e.g., in [23].

Suggested additional reading The original paper by Saltzer and Schroeder is well worth reading [64]. It is desirable to at least skim over part I (“Overview”) of [27]. The Honeywell 6180 hardware architecture purposely designed for Multics is described in [33].

The Intel IA-32 architecture is described in detail in the technical manuals [34, 35, 36, 37]; chapters 2–4 of [37] cover most material discussed in the lecture.

Karger provides valuable background material on the use of virtual machines in the design and engineering of secure systems [44].

A rich set of materials is available for the case studies; unfortunately, the best survey of the i432 architecture has long been out of print [61]. However, a survey of the i432 is also provided in chapter 9 of [50], which has been made available electronically.

The GTNP evaluation report also contains most relevant details of the GEMSOS operating system [23].

4.5 Session 5 (October 25):

This session consists of a more pragmatically oriented block covering a selection of attack techniques that are used to elucidate general principles (as the concrete examples are of course no longer applicable to current systems) on one hand, which is further augmented by a discussion of various malware techniques and definitions in the second block. The majority of the second block, however, is devoted to detailing computer and information system evaluation criteria in their evolution to the current Common Criteria as well as their limitations.

Objectives

• Provide examples of common attack techniques and approaches

• Outline international legal implications of attack technique disclosure

• Explain threat and attack techniques of common malware components such as viruses, worms, Trojan horses and rootkits

• Review assurance and trustworthiness concepts

• Explain development of evaluation criteria for secure systems

• Explain evaluation methodology for selected evaluation criteria

4.5.1 Block 5.1:

Attack Techniques

• Buffer overflows (heap and stack overflows)

• Pointer manipulations

• Race conditions

• Command stream injection

• Input validation issues

• Full disclosure and legal ramifications

4.5.2 Block 5.2:

Evaluation Criteria

• Evaluation Criteria: Rationale and Evolution

• The Trusted Computer Security Evaluation Criteria (TCSEC / Orange Book)

• European Activities: ITSK and ITSEC

• The Common Criteria for Information Technology Security Evaluation

Malware I

• Malware taxonomy

• The Morris Worm

• Viruses, Worms, and Trojan Horses

Required reading Chapter 10 of [30], chapters 18 and 21 of [6].

Suggested additional reading The MITRE report [60] provides valuable historical insight into the development of evaluation criteria; note that some of the terminology used therein is no longer current and may even contradict current usage. See [57] for an earlier paper detailing concepts for the evaluation of existing systems. The TCSEC and its relevant interpretations are [79, 81, 80, 82]. While never formally promulgated, [10] represents the latest version of the CTCPEC. The German ITSK criteria (also known as the “Green Book”) [89] provided another important source for the ITSEC criteria [78, 22].

The current version of the Common Criteria at version 3.1 is [12, 13, 14], although legacy evaluations may still occur against older CC versions. The matching Common Evaluation Manual (CEM) is [15].

4.6 Session 6 (November 15):

The final session of the course continues with the topic of malware defense from the previous session in the first block, which is subsequently augmented by discussions on developmental assurance techniques, some of which were already touched upon in the block on evaluation criteria. Many of these techniques are critical in preventing or at least mitigating the types of attacks that were discussed in the previous session. The second block provides a high-level overview of some of the security issues found in database systems, particularly in relational database management systems (RDBMS).

Objectives

• Discussion of defensive and detective countermeasures to malware

• Provide an overview of issues in database security

• Describe techniques for developmental assurance, particularly formal specification and verification techniques

4.6.1 Block 6.1:

Malware II

• Defensive Mechanisms: Signature Analysis, Program Flow,

• Worm Detection and Early Warning Systems

Developmental Assurance

• Configuration management

• Requirement documentation

• Formal specification mechanisms

• Program verification

• Controversies about the limits of program verification

4.6.2 Block 6.2:

Database Security

• Access Control Mechanisms

• Multilevel secure database systems

• Statistical Database Security

Required reading For developmental assurance, refer to chapter 8 of [29] and chapters 18 through 20 of [6]. [77] provides a poignant illustration of the importance of trustworthy tools. For database security see chapters 14 and 15 of [29] and chapters 22 and 24 of [6].

Suggested additional reading The July/August 2005 issue of IEEE Security & Privacy magazine (Vol. 3, No. 4) contains several articles related to developmental assurance and secure software construction. The key papers in the verification controversy are [17] and [26]. Additional perspective on the use of formal methods is given in [31, 9]. For details on the Z notation see e.g. [38, 88].

For a more in-depth (if somewhat dated) treatment of database security see [11]; the DBSec conferences of the IFIP as well as SIGMOD conferences are primary sources for material on database security. An example of a multilevel secure DBMS implementation is the SeaView system [21, 20]. An excellent treatment of attacks on statistical databases is covered in chapter 6 of [19].

See also [77] once again for a classic example of an insidious Trojan horse; flash worms are dealt with in [73]. For a more detailed treatment of viruses and Trojans see [76]; rootkits, particularly for the Windows platform, are discussed in [32], and a (now somewhat dated) general overview of malware is given in [72].

5 Tutorial Plan

5.1 Schedule

Session  Date                Lecture Covered  Time    Location
1        August 30, 2007     1                9:00am  A204
2        September 13, 2007  3                9:00am  A204
3        October 4, 2007     2                9:00am  A204
4        October 18, 2007    4                9:00am  A204
5        November 1, 2007    5                9:00am  A204
6        November 22, 2007   6                9:00am  A204

6 Term Papers

Students must compose a term paper to be handed in no later than November 30, 2007. Papers must be written in English and are expected to meet or exceed accepted graduate-level English and scholarship standards.

All term papers must be formatted in the format used for transactions of the Association for Computing Machinery (ACM) (preferably using the LaTeX typesetting system and the acmtrans2e style and acmtrans.bst bibliography style).

The term paper must define the problem or research area tutorially, clearly explain the current state of the art where appropriate, and the relative merits of the principal approach covered.

While guidance for literature will be provided, a partial objective of graduate studies is to acquaint students with graduate research in the primary literature. Hence, students are expected to independently identify relevant literature from primary and secondary sources during the composition of their term paper.

Possible subjects of the term papers are those congruent with the topics covered during the lecture but are not strictly limited to those topics. Students interested in particular subjects should contact the lecturer as soon as possible. Students are responsible for ensuring they have a term paper assigned no later than September 28, 2007.

7 Exams

The midterm exam will be held on October 11, 2007 from 9am to 12 noon; the final exam will be held on December 13, 2007 from 9am to 12 noon. Note that these dates are still tentative and may change. Room assignments will be announced later.

Reading List

[1] ABRAMS, M. D., JAJODIA, S., AND PODELL, H. J., Eds. Information Security: An Integrated Collection of Essays. IEEE Press, 1995.

[2] AMMANN, P. E., AND SANDHU, R. S. The Extended Schematic Protection Model. Journal of Computer Security 1, 3/4 (1992), 335–384.

[3] ANDERSON, R. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Chichester, UK, 2001. Available electronically at the University of Cambridge at http://www.cl.cam.ac.uk/~rja14/book.html.

[4] ARNOLD, M., SCHMUCKER, M., AND WOLTHUSEN, S. D. Techniques and Applications of Digital Watermarking and Content Protection. The Artech House Computer Security Series. Artech House, Norwood, MA, USA, 2003.

[5] BINGHAM, H. W. Security Techniques for EDP of Multilevel Classified Information. Tech. Rep. Document RADC-TR-65-415, U.S. Air Force Rome Air Development Center, Rome, NY, USA, Dec. 1965.

[6] BISHOP, M. Computer Security: Art and Science. Addison-Wesley, Boston, MA, USA, 2003. Errata can be found at http://nob.cs.ucdavis.edu/book/book-aands/index.html.

[7] BOLLE, R., CONNELL, J. H., PANKANTI, S., RATHA, N., AND SENIOR, A. W. Guide to Biometrics. Springer Professional Computing Series. Springer-Verlag, Heidelberg, Germany, 2003.

[8] BOND, M., AND ZIELINSKI, P. Decimalisation table attacks for PIN cracking. Tech. Rep. UCAM-CL-TR-560, University of Cambridge Computer Laboratory, Cambridge, UK, Feb. 2003. Available electronically at the University of Cambridge at http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf.

[9] BOWEN, J. P., AND HINCHEY, M. G. Seven More Myths of Formal Methods. IEEE Software 12, 4 (Apr. 1995), 34–41.

[10] CANADIAN SYSTEM SECURITY CENTRE. Trusted Database Management System Interpretation of the TCSEC. Communications Security Establishment, Government of Canada, Ottawa, Canada, 1993.

[11] CASTANO, S., FUGINI, M., MARTELLA, G., AND SAMARATI, P. Database Security. Addison-Wesley, Boston, MA, USA, 1990.

[12] COMMON CRITERIA IMPLEMENTATION AND MAINTENANCE BOARD. Common Criteria for Information Technology Security Evaluation: Part 1: Introduction and General Model. Common Criteria Implementation and Maintenance Board, Cheltenham, Glos, UK, 2006. Version 3.1, Revision 1, CCMB document 2006-09-001. Available online as http://www.commoncriteriaportal.org/public/files/CCPART1V3.1R1.pdf.

[13] COMMON CRITERIA IMPLEMENTATION AND MAINTENANCE BOARD. Common Criteria for Information Technology Security Evaluation: Part 2: Security Functional Components. Common Criteria Implementation and Maintenance Board, Cheltenham, Glos, UK, 2006. Version 3.1, Revision 1, CCMB document 2006-09-002. Available online as http://www.commoncriteriaportal.org/public/files/CCPART2V3.1R1.pdf.

[14] COMMON CRITERIA IMPLEMENTATION AND MAINTENANCE BOARD. Common Criteria for Information Technology Security Evaluation: Part 3: Security Assurance Components. Common Criteria Implementation and Maintenance Board, Cheltenham, Glos, UK, 2006. Version 3.1, Revision 1, CCMB document 2006-09-003. Available online as http://www.commoncriteriaportal.org/public/files/CCPART3V3.1R1.pdf.

[15] COMMON CRITERIA IMPLEMENTATION AND MAINTENANCE BOARD. Common Methodology for Information Technology Security Evaluation. Common Criteria Implementation and Maintenance Board, Cheltenham, Glos, UK, 2006. Version 3.1, Revision 1, CCMB document 2006-09-004. Available online as http://www.commoncriteriaportal.org/public/files/CEMV3.1R1.pdf.

[16] DALEY, R. C., AND NEUMANN, P. G. A General-Purpose File System for Secondary Storage. In Proceedings of the AFIPS Fall Joint Computer Conference (1965 FJCC) (Las Vegas, NV, USA, Nov. 1965), vol. 27 part 1, AFIPS, Spartan Books, pp. 213–229.

[17] DEMILLO, R. A., LIPTON, R. J., AND PERLIS, A. J. Social Processes and Proofs of Theorems and Programs. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (Los Angeles, CA, USA, Jan. 1977), IEEE Computer Society, pp. 206–214.

[18] DENNING, D. E. A Lattice Model of Secure Information Flow. Communications of the Association for Computing Machinery 19, 5 (May 1976), 236–243.

[19] DENNING, D. E. Cryptography and Data Security. Addison-Wesley, Reading, MA, USA, 1983.

[20] DENNING, D. E., LUNT, T. F., SCHELL, R. R., HECKMAN, M., AND SHOCKLEY, W. R. The SeaView Security Model. IEEE Transactions on Software Engineering 16, 6 (June 1990), 593–607.

[21] DENNING, D. E., LUNT, T. F., SCHELL, R. R., SHOCKLEY, W. R., AND HECKMAN, M. The SeaView Security Model. In Proceedings of the 1988 IEEE Symposium on Security and Privacy (SOSP ’88) (Oakland, CA, USA, May 1988), pp. 218–233.

[22] DIRECTORATE GENERAL XIII: TELECOMMUNICATIONS, INFORMATION MARKET AND EXPLORATION OF RESEARCH. Information Technology Security Evaluation Manual. European Commission, Brussels, Belgium, 1993. Available online as http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf.

[23] FAIGIN, D. P. Final Evaluation Report: Gemini Computers, Incorporated Gemini Trusted Network Processor Version 1.01. Tech. Rep. 34-94, U.S. National Security Agency National Computer Security Center, Fort George G. Meade, MD, USA, June 1995.

[24] FERRAIOLO, D. F., KUHN, D. R., AND CHANDRAMOULI, R. Role-Based Access Control. The Artech House Computer Security Series. Artech House, Norwood, MA, USA, 2003.

[25] FERRAIOLO, D. F., SANDHU, R., GAVRILA, S., KUHN, D. R., AND CHANDRAMOULI, R. Proposed NIST Standard for Role-based Access Control. ACM Transactions on Information and System Security 4, 3 (Aug. 2001), 224–274.

[26] FETZER, J. H. Program Verification: The Very Idea. Communications of the Association for Computing Machinery 31, 9 (Sept. 1988), 1048–1063.

[27] GASSER, M. Building a Secure Computer System. Van Nostrand Reinhold, New York, NY, USA, 1988. Available electronically at the University of Nebraska Omaha via http://cs.unomaha.edu/~stanw/gasserbook.pdf.

[28] GOGUEN, J. A., AND MESEGUER, J. Security Policy and Security Mod-els. In Proceedings of the 1982 IEEE Symposium on Security and Privacy(SOSP ’82) (Oakland, CA, USA, Apr. 1982), IEEE Computer Society,pp. 11–20.

[29] GOLLMANN, D. Computer Security. John Wiley & Sons, Chichester,UK, 1999.

[30] GOLLMANN, D. Computer Security, 2nd ed. John Wiley & Sons, Chich-ester, UK, 2006.

[31] HALL, A. Seven Myths of Formal Methods. IEEE Software 7, 5 (Sept.1990), 11–19.

[32] HOGLUND, G., AND BUTLER, J. Rootkits: Subverting the Windows Ker-nel. Addison-Wesley, Boston, MA, USA, 2005.

[33] HONEYWELL INFORMATION SYSTEMS. Multics Processor Manual.Tech. Rep. AL39-1C, Honeywell, Inc., Minneapolis, MN, USA, Nov.1985.

[34] INTEL CORPORATION. IA-32 Intel Architecture Software Developer’sManual: Volume 1: Basic Architecture. Intel, Denver, CO, USA, June2005.

[35] INTEL CORPORATION. IA-32 Intel Architecture Software Developer’sManual: Volume 2A: Instruction Set Reference, A–M. Intel, Denver, CO,USA, June 2005.

[36] INTEL CORPORATION. IA-32 Intel Architecture Software Developer’sManual: Volume 2B: Instruction Set Reference, N–Z. Intel, Denver, CO,USA, June 2005.



[37] INTEL CORPORATION. IA-32 Intel Architecture Software Developer’s Manual: Volume 3: System Programming Guide. Intel, Denver, CO, USA, June 2005.

[38] JACKY, J. The Way of Z: Practical Programming with Formal Methods. Cambridge University Press, Cambridge, UK, 1997.

[39] JAIN, A., BOLLE, R., AND PANKANTI, S., Eds. Biometrics: Personal Identification in Networked Society, vol. 479 of The Kluwer International Series in Engineering and Computer Science. Springer-Verlag, Heidelberg, Germany, 1999.

[40] JAIN, A. K., FLYNN, P. J., AND ROSS, A. A., Eds. Handbook of Biometrics. Springer-Verlag, Heidelberg, Germany, 2007.

[41] JAIN, A. K., ROSS, A., AND PRABHAKAR, S. An Introduction to Biometric Recognition. IEEE Transactions on Circuits and Systems for Video Technology 14, 1 (Jan. 2004), 4–20.

[42] JONES, A. K., LIPTON, R. J., AND SNYDER, L. A Linear Time Algorithm for Deciding Subject-Object Security. In Proceedings of the 17th Symposium on the Foundations of Computer Science (Houston, TX, USA, Oct. 1976), IEEE, pp. 33–41.

[43] JONES, A. K., LIPTON, R. J., AND SNYDER, L. A Linear Time Algorithm for Deciding Subject Security. Journal of the Association for Computing Machinery 24, 3 (July 1977), 455–464.

[44] KARGER, P. A., ZURKO, M. E., BONIN, D. W., MASON, A. H., AND KAHN, C. E. A Retrospective on the VAX VMM Security Kernel. IEEE Transactions on Software Engineering 17, 11 (Nov. 1991), 1147–1165.

[45] KEMMERER, R. A. Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels. ACM Transactions on Computer Systems 1, 3 (Aug. 1983), 256–277.

[46] KLEIN, D. V. Foiling the Cracker: A Survey of, and Improvements to, Unix Password Security. In Proceedings of the 1990 USENIX Security Workshop (Portland, OR, USA, Aug. 1990), USENIX, pp. 5–14.

[47] LAMPSON, B. W. A Note on the Confinement Problem. Communications of the Association for Computing Machinery 16, 10 (Oct. 1973), 613–615.

[48] LANDWEHR, C. E. Formal Models for Computer Security. ACM Computing Surveys 13, 3 (1981), 247–278.



[49] LEE, W., GROSH, D., AND TILLMAN, F. Fault Tree Analysis, Methods, and Applications. IEEE Transactions on Reliability 34, 3 (Aug. 1985), 194–203.

[50] LEVY, H. M. Capability-Based Computer Systems. Digital Press, Bedford, MA, USA, 1984.

[51] MANTEL, H. On the Composition of Secure Systems. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SOSP ’02) (Oakland, CA, USA, May 2002), pp. 81–94.

[52] MCCARTHY, J. A Time Sharing Operator Program for Our Projected IBM 709. Memorandum to Prof. P. M. Morse, Massachusetts Institute of Technology, Jan. 1959.

[53] MCCULLOUGH, D. Noninterference and the Composability of Security Properties. In Proceedings of the 1988 IEEE Symposium on Security and Privacy (SOSP ’88) (Oakland, CA, USA, Apr. 1988), pp. 177–187.

[54] MCDERMOTT, J. P. Attack Net Penetration Testing. In Proceedings of the 2000 Workshop on New Security Paradigms (NSPW 2000) (Ballycotton, Ireland, Oct. 2000), pp. 15–21.

[55] MCLEAN, J. Security Models. In Encyclopaedia of Software Engineering, J. J. Marciniak, Ed., 1st ed. John Wiley & Sons, Inc., New York, NY, USA, 1994, pp. 1136–1145.

[56] MORRIS, R., AND THOMPSON, K. Password Security: A Case History. Communications of the Association for Computing Machinery 22, 11 (Nov. 1979), 594–597.

[57] NEUMANN, P. G. Computer System Security Evaluation. In Proceedings of the 1978 National Computer Conference (Montvale, NJ, USA, June 1978), AFIPS Press, pp. 1087–1095.

[58] NEUMANN, P. G. Principled Assuredly Trustworthy Composable Architectures. Tech. Rep. AL39-1C, SRI International Computer Science Laboratory, Menlo Park, CA, USA, Dec. 2004.

[59] NEUMANN, P. G., AND FEIERTAG, R. J. PSOS Revisited. In Proceedings of the 19th Annual Computer Security Applications Conference (Las Vegas, NV, USA, Dec. 2003), pp. 208–216.

[60] NIBALDI, G. H. Proposed Technical Evaluation Criteria for Trusted Computer Systems. Tech. Rep. D-75, MITRE Corporation, Bedford, MA, USA, Oct. 1979.

[61] ORGANICK, E. I. A Programmer’s View of the Intel 432 System. McGraw-Hill, Inc., New York, NY, USA, 1983.



[62] PETERS, B. Security Considerations in a Multi-programmed Computer System. In Proceedings of the AFIPS Spring Joint Computer Conference (1967 SJCC) (Atlantic City, NJ, USA, Apr. 1967), vol. 30, AFIPS Press, pp. 283–286.

[63] ROSS, A. A., JAIN, A. K., NANDAKUMAR, K., AND ZHANG, D. Handbook of Multibiometrics: Human Recognition Systems. Springer-Verlag, Heidelberg, Germany, 2005.

[64] SALTZER, J. H., AND SCHROEDER, M. D. The Protection of Information in Computer Systems. Proceedings of the IEEE 63, 9 (Sept. 1975), 1278–1308.

[65] SANDHU, R. S. Design and Analysis of Protection Schemes Based on the Send-Receive Transport Mechanism. PhD thesis, Rutgers University, New Brunswick, NJ, USA, Apr. 1983. Also available as technical report DCS-TR-130.

[66] SANDHU, R. S. Analysis of Acyclic Attenuation Systems for the SSR Protection Model. In Proceedings of the 1985 IEEE Symposium on Security and Privacy (SOSP ’85) (Oakland, CA, USA, Apr. 1985), IEEE Computer Society, pp. 197–206.

[67] SANDHU, R. S. The Schematic Protection Model: Its Definitions and Analysis for Acyclic Attenuating Schemes. Journal of the Association for Computing Machinery 35, 2 (Apr. 1988), 404–432.

[68] SANDHU, R. S. Implementation Considerations for the Typed Access Matrix Model in a Distributed Environment. In Proceedings of the 15th NIST-NCSC National Computer Security Conference (Baltimore, MD, USA, 1992), NIST/NCSC, pp. 221–235.

[69] SANDHU, R. S. The Typed Access Matrix Model. In Proceedings of the 1992 IEEE Symposium on Security and Privacy (SOSP ’92) (Oakland, CA, USA, May 1992), IEEE Computer Society, pp. 122–136.

[70] SCHELL, R. R., TAO, T. F., AND HECKMAN, M. Designing the GEMSOS Security Kernel for Security and Performance. In Proceedings of the 8th DoD/NBS National Computer Security Conference (Gaithersburg, MD, USA, Sept. 1985), pp. 108–119.

[71] SILBERSCHATZ, A., GAGNE, G., AND GALVIN, P. B. Operating System Concepts, 7th ed. John Wiley & Sons, Chichester, UK, 2004.

[72] SKOUDIS, E. Malware: Fighting Malicious Code. Prentice Hall, Englewood Cliffs, NJ, USA, 2003.



[73] STANIFORD, S., MOORE, D., PAXSON, V., AND WEAVER, N. The Top Speed of Flash Worms. In Proceedings of the 2004 ACM Workshop on Rapid Malcode (Washington D.C., USA, Oct. 2004), pp. 33–42.

[74] STAMATIS, D. H. Failure Mode and Effect Analysis: FMEA from Theory to Execution, 2nd ed. ASQ Quality Press, Milwaukee, WI, USA, 1995.

[75] STRACHEY, C. Time Sharing in Large, Fast Computers. In Information Processing: Proceedings of the International Conference on Information Processing (1st IFIP Congress) (Paris, France, June 1959), UNESCO, R. Oldenbourg, and Butterworths, pp. 336–341.

[76] SZOR, P. The Art of Computer Virus Research and Defense. Addison-Wesley, Boston, MA, USA, 2005.

[77] THOMPSON, K. Reflections on Trusting Trust. Communications of the Association for Computing Machinery 27, 8 (Aug. 1984), 761–763.

[78] UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME. Information Technology Security Evaluation Criteria (ITSEC): Harmonized Criteria of France, Germany, the Netherlands, the United Kingdom. Department of Trade and Industry, UK, Cheltenham, Glos, UK, 1991. Available online as http://www.bsi.bund.de/zertifiz/itkrit/itsec-en.pdf.

[79] UNITED STATES NATIONAL COMPUTER SECURITY CENTER. Department of Defense Trusted Computer System Evaluation Criteria. United States Department of Defense, Fort Meade, MD, USA, 1985. Department of Defense Standard DOD 5200.28-STD.

[80] UNITED STATES NATIONAL COMPUTER SECURITY CENTER. Trusted Network Interpretation of the TCSEC. United States Department of Defense, Fort Meade, MD, USA, 1987. NCSC-TG-005.

[81] UNITED STATES NATIONAL COMPUTER SECURITY CENTER. Computer Security Subsystem Interpretation of the TCSEC. United States Department of Defense, Fort Meade, MD, USA, 1988. NCSC-TG-009.

[82] UNITED STATES NATIONAL COMPUTER SECURITY CENTER. Trusted Database Management System Interpretation of the TCSEC. United States Department of Defense, Fort Meade, MD, USA, 1991. NCSC-TG-021.

[83] WARE, W. H. Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security. Tech. Rep. R-609, The RAND Corporation, Santa Monica, CA, USA, Feb. 1970. Declassified in October 1975 and reissued as R-609/1 with a new introduction in 1979.



[84] WAYMAN, J., JAIN, A., MALTONI, D., AND MAIO, D., Eds. Biometric Systems: Technology, Design and Performance Evaluation. Springer Professional Computing Series. Springer-Verlag, Heidelberg, Germany, 2004.

[85] WEISSMAN, C. Security Penetration Testing Guideline, U.S. Navy Handbook on Security Certification. Tech. Rep. TM-8889/000/00, Paramax Systems Corp., Camarillo, CA, USA, Dec. 1992. Prepared under contract to the U.S. Naval Research Laboratory.

[86] WEISSMAN, C. Penetration Testing. In Abrams et al. [1], pp. 269–296.

[87] WILKES, M. V. Time-Sharing Computer Systems, 3rd ed. MacDonald and Jane’s, London, UK, 1975.

[88] WOODCOCK, J., AND DAVIES, J. Using Z: Specification, Refinement, and Proof. Prentice Hall, Englewood Cliffs, NJ, USA, 1996.

[89] ZENTRALSTELLE FÜR SICHERHEIT IN DER INFORMATIONSTECHNIK. IT-Sicherheitskriterien. Bundesrepublik Deutschland, Bonn, Germany, 1989. Available online as http://www.bsi.bund.de/zertifiz/itkrit/itgruene.pdf.

[90] ZIEGLER, J. R. Time-Sharing Data Processing Systems. Series in Automatic Computation. Prentice-Hall, Englewood Cliffs, NJ, USA, 1967.
