Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176301
Cristina Serban, O. S. Saydjari
This panel highlights a selection of the most interesting and provocative papers from the 2002 New Security Paradigms Workshop. This workshop was held September 2002 - the URL for more information is . The panel consists of authors of the selected papers, and the session is moderated by the workshop’s general chairs. We present selected papers focusing on exciting major themes that emerged from the workshop. These are the papers that will provoke the most interesting discussion at ACSAC.
{"title":"Themes and highlights of the new security paradigms workshop 2002","authors":"Cristina Serban, O. S. Saydjari","doi":"10.1109/CSAC.2002.1176301","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176301","url":null,"abstract":"This panel highlights a selection of the most interesting and provocative papers from the 2002 New Security Paradigms Workshop. This workshop was held September 2002 - the URL for more information is . The panel consists of authors of the selected papers, and the session is moderated by the workshop’s general chairs. We present selected papers focusing on exciting major themes that emerged from the workshop. These are the papers that will provoke the most interesting discussion at ACSAC.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"112 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123552229","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176288
B. Popescu, M. Steen, A. Tanenbaum
Large-scale distributed systems present numerous security problems not present in local systems. We present a general security architecture for a large-scale object-based distributed system. Its main features include ways for servers to authenticate clients, clients to authenticate servers, new secure servers to be instantiated without manual intervention, and ways to restrict which client can perform which operation on which object. All of these features are done in a platform- and application-independent way, so the results are quite general. The basic idea behind the scheme is to have each object owner issue cryptographically sealed certificates to users to prove which operations they may request and to servers to prove which operations they are authorized to execute. These certificates are used to ensure secure binding and secure method invocation. The paper discusses the required certificates and security protocols for using them.
{"title":"A security architecture for object-based distributed systems","authors":"B. Popescu, M. Steen, A. Tanenbaum","doi":"10.1109/CSAC.2002.1176288","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176288","url":null,"abstract":"Large-scale distributed systems present numerous security problems not present in local systems. We present a general security architecture for a large-scale object-based distributed system. Its main features include ways for servers to authenticate clients, clients to authenticate servers, new secure servers to be instantiated without manual intervention, and ways to restrict which client can perform which operation on which object. All of these features are done in a platform- and application-independent way, so the results are quite general. The basic idea behind the scheme is to have each object owner issue cryptographically sealed certificates to users to prove which operations they may request and to servers to prove which operations they are authorized to execute. These certificates are used to ensure secure binding and secure method invocation. The paper discusses the required certificates and security protocols for using them.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128708306","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176308
K. Levitt
Intrusion detection is a technique employed tocatch and report attacks as they occur. It isneeded given that vulnerabilities in operatingsystems, network protocols, applications, andconfigurations leave systems open to attacks.
{"title":"Intrusion detection: current capabilities and future directions","authors":"K. Levitt","doi":"10.1109/CSAC.2002.1176308","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176308","url":null,"abstract":"Intrusion detection is a technique employed tocatch and report attacks as they occur. It isneeded given that vulnerabilities in operatingsystems, network protocols, applications, andconfigurations leave systems open to attacks.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124079276","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176298
M. Clifford
The Solar Trust Model provides a method by which the sender of a message can be authenticated, and the level of trust that can be placed in the sender of the message or the message itself can be computed The model works even if there is no prior relationship between the sender and receiver of the message. The Solar Trust Model overcomes a variety of limitations inherent in the design of other trust models and public key infrastructures. This paper presents a variety of enhancements and formalizations to the basic concepts of the model. In addition, this paper provides a set of algorithms that can be used to determine all of the possible trusted paths along which a message can be sent from a sender to recipient and the optimal choice of paths from a selection of paths. The paper also presents algorithms for reducing the network load produced by the model through piggybacking, path caching, and load distribution techniques.
{"title":"Networking in the Solar Trust Model: determining optimal trust paths in a decentralized trust network","authors":"M. Clifford","doi":"10.1109/CSAC.2002.1176298","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176298","url":null,"abstract":"The Solar Trust Model provides a method by which the sender of a message can be authenticated, and the level of trust that can be placed in the sender of the message or the message itself can be computed The model works even if there is no prior relationship between the sender and receiver of the message. The Solar Trust Model overcomes a variety of limitations inherent in the design of other trust models and public key infrastructures. This paper presents a variety of enhancements and formalizations to the basic concepts of the model. In addition, this paper provides a set of algorithms that can be used to determine all of the possible trusted paths along which a message can be sent from a sender to recipient and the optimal choice of paths from a selection of paths. The paper also presents algorithms for reducing the network load produced by the model through piggybacking, path caching, and load distribution techniques.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130195801","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176275
Ronald W. Ritchey, Brian O'Berry, S. Noel
The individual vulnerabilities of hosts on a network can be combined by an attacker to gain access that would not be possible if the hosts were not interconnected. Currently available tools report vulnerabilities in isolation and in the context of individual hosts in a network. Topological vulnerability analysis (TVA) extends this by searching for sequences of interdependent vulnerabilities, distributed among the various network hosts. Model checking has been applied to the analysis of this problem with some interesting initial results. However previous efforts did not take into account a realistic representation of network connectivity. These models were enough to demonstrate the usefulness of the model checking approach but would not be sufficient to analyze real-world network security problems. This paper presents a modem of network connectivity at multiple levels of the TCP/IP stack appropriate for use in a model checker. With this enhancement, it is possible to represent realistic networks including common network security devices such as firewalls, filtering routers, and switches.
{"title":"Representing TCP/IP connectivity for topological analysis of network security","authors":"Ronald W. Ritchey, Brian O'Berry, S. Noel","doi":"10.1109/CSAC.2002.1176275","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176275","url":null,"abstract":"The individual vulnerabilities of hosts on a network can be combined by an attacker to gain access that would not be possible if the hosts were not interconnected. Currently available tools report vulnerabilities in isolation and in the context of individual hosts in a network. Topological vulnerability analysis (TVA) extends this by searching for sequences of interdependent vulnerabilities, distributed among the various network hosts. Model checking has been applied to the analysis of this problem with some interesting initial results. However previous efforts did not take into account a realistic representation of network connectivity. These models were enough to demonstrate the usefulness of the model checking approach but would not be sufficient to analyze real-world network security problems. This paper presents a modem of network connectivity at multiple levels of the TCP/IP stack appropriate for use in a model checker. With this enhancement, it is possible to represent realistic networks including common network security devices such as firewalls, filtering routers, and switches.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132162888","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176294
A. Schaad, J. Moffett
Organisational control principles, such as those expressed in the separation of duties, supervision, review and delegation, support the main business goals and activities of an organisation. Some of these principles have previously been described and analysed within the context of role- and policy-based distributed systems, but little has been done with respect to the more general context they are placed in and the analysis of relationships between them. This paper presents a framework in which organisational control principles can be formally expressed and analysed using the Alloy specification language and its constraint analysis tools.
{"title":"A framework for organisational control principles","authors":"A. Schaad, J. Moffett","doi":"10.1109/CSAC.2002.1176294","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176294","url":null,"abstract":"Organisational control principles, such as those expressed in the separation of duties, supervision, review and delegation, support the main business goals and activities of an organisation. Some of these principles have previously been described and analysed within the context of role- and policy-based distributed systems, but little has been done with respect to the more general context they are placed in and the analysis of relationships between them. This paper presents a framework in which organisational control principles can be formally expressed and analysed using the Alloy specification language and its constraint analysis tools.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128721993","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176290
Daniel E. Geer, John Harthorne
Penetration testing is the art of finding an open door. It is not a science as science depends on falsifiable hypotheses. The most penetration testing can hope for is to be the science of insecurity - not the science of security nasmuch as penetration testing can at most prove insecurity by falsifying the hypothesis that any system, network, or application is secure. To be a science of security would require falsifiable hypotheses that any given system, network, or application was insecure, something that could only be done if the number of potential insecurities were known and enumerated such that the penetration tester could thereby falsify (test) a known-to-be-complete list of vulnerabilities claimed to not be present. Because the list of potential insecurities is unknowable and hence unenumerable, no penetration tester can prove security, just as no doctor can prove that you are without occult disease. Putting it as Picasso did, "Art is a lie that shows the truth" and security by penetration testing is a lie in that on a good day can show the truth. These incompleteness and proof-by-demonstration characteristics of penetration testing ensure that it remains an art so long as high rates of technical advance remains brisk and hence enumeration of vulnerabilities an impossibility. Brisk technical advance equals productivity growth and thereby wealth creation, so it is forbidden to long for a day when penetration testing could achieve the status of science.
{"title":"Penetration testing: a duet","authors":"Daniel E. Geer, John Harthorne","doi":"10.1109/CSAC.2002.1176290","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176290","url":null,"abstract":"Penetration testing is the art of finding an open door. It is not a science as science depends on falsifiable hypotheses. The most penetration testing can hope for is to be the science of insecurity - not the science of security nasmuch as penetration testing can at most prove insecurity by falsifying the hypothesis that any system, network, or application is secure. To be a science of security would require falsifiable hypotheses that any given system, network, or application was insecure, something that could only be done if the number of potential insecurities were known and enumerated such that the penetration tester could thereby falsify (test) a known-to-be-complete list of vulnerabilities claimed to not be present. Because the list of potential insecurities is unknowable and hence unenumerable, no penetration tester can prove security, just as no doctor can prove that you are without occult disease. Putting it as Picasso did, \"Art is a lie that shows the truth\" and security by penetration testing is a lie in that on a good day can show the truth. These incompleteness and proof-by-demonstration characteristics of penetration testing ensure that it remains an art so long as high rates of technical advance remains brisk and hence enumeration of vulnerabilities an impossibility. Brisk technical advance equals productivity growth and thereby wealth creation, so it is forbidden to long for a day when penetration testing could achieve the status of science.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130663923","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176313
J. Haggerty, Q. Shi, M. Merabti
The threat to organisations from network attacks is very real. Current countermeasures to denial of service (DoS) attacks rely on the perimeter model of network security. However, as the case study and analysis in this paper make apparent, the perimeter model, which relies on firewalls and intrusion detection systems, is unable to provide an effective defence against DoS attacks. Therefore, there is a need for a new approach; one that identifies an attack beyond the perimeter. We present such an approach. We achieve early detection of DoS attacks by the identification of traffic signatures which indicate that an attack is underway. As these signatures can be identified 'outside' the perimeter, appropriate measures can be taken to prevent the attack from succeeding. We use examples of DoS attacks and a case study to demonstrate the applicability of our approach.
{"title":"Beyond the perimeter: the need for early detection of denial of service attacks","authors":"J. Haggerty, Q. Shi, M. Merabti","doi":"10.1109/CSAC.2002.1176313","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176313","url":null,"abstract":"The threat to organisations from network attacks is very real. Current countermeasures to denial of service (DoS) attacks rely on the perimeter model of network security. However, as the case study and analysis in this paper make apparent, the perimeter model, which relies on firewalls and intrusion detection systems, is unable to provide an effective defence against DoS attacks. Therefore, there is a need for a new approach; one that identifies an attack beyond the perimeter. We present such an approach. We achieve early detection of DoS attacks by the identification of traffic signatures which indicate that an attack is underway. As these signatures can be identified 'outside' the perimeter, appropriate measures can be taken to prevent the attack from succeeding. We use examples of DoS attacks and a case study to demonstrate the applicability of our approach.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126664553","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176309
M. Zurko, C. Kaufman, Katherine Spanbauer, C. Bassett
Designers are often faced with difficult tradeoffs between easing the user's burden by making security decisions for them and offering features that ensure that users can make the security decisions that are right for them and their environment. Users often do not understand enough about the impact of a security decision to make an informed choice. We report on the experience in a 500-person organization on the security of each user's Lotus Notes client against unsigned active content. We found that the default configuration of the majority of users did not allow unsigned active content to run. However, we found that when presented with a choice during their workflow, many of those otherwise secured users would allow unsigned active content to run. We discuss the features that are in Lotus Notes that provide security for active content and that respond to the usability issues from this study.
{"title":"Did you ever have to make up your mind? What Notes users do when faced with a security decision","authors":"M. Zurko, C. Kaufman, Katherine Spanbauer, C. Bassett","doi":"10.1109/CSAC.2002.1176309","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176309","url":null,"abstract":"Designers are often faced with difficult tradeoffs between easing the user's burden by making security decisions for them and offering features that ensure that users can make the security decisions that are right for them and their environment. Users often do not understand enough about the impact of a security decision to make an informed choice. We report on the experience in a 500-person organization on the security of each user's Lotus Notes client against unsigned active content. We found that the default configuration of the majority of users did not allow unsigned active content to run. However, we found that when presented with a choice during their workflow, many of those otherwise secured users would allow unsigned active content to run. We discuss the features that are in Lotus Notes that provide security for active content and that respond to the usability issues from this study.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131130476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2002-12-09DOI: 10.1109/CSAC.2002.1176284
R. Kemmerer
Secure computer systems use both mandatory and discretionary access controls to restrict the flow of information through legitimate communication channels such as files, shared memory and process signals. Unfortunately, in practice one finds that computer systems are built such that users are not limited to communicating only through the intended communication channels. As a result, a well-founded concern of security-conscious system designers is the potential exploitation of system storage locations and timing facilities to provide unforeseen communication channels to users. These illegitimate channels are known as covert storage and timing channels. Prior to the presentation of this paper twenty years ago the covert channel analysis that took place was mostly ad hoc. Methods for discovering and dealing with these channels were mostly informal, and the formal methods were restricted to a particular specification language. This paper presents a methodology for discovering storage and timing channels that can be used through all phases of the software life cycle to increase confidence that all channels have been identified. In the original paper the methodology was presented and applied to an example system having three different descriptions: English, formal specification, and high order language implementation. In this paper only the English requirements are considered. However the paper also presents how the methodology has evolved and the influence it had on other work.
{"title":"A practical approach to identifying storage and timing channels: twenty years later","authors":"R. Kemmerer","doi":"10.1109/CSAC.2002.1176284","DOIUrl":"https://doi.org/10.1109/CSAC.2002.1176284","url":null,"abstract":"Secure computer systems use both mandatory and discretionary access controls to restrict the flow of information through legitimate communication channels such as files, shared memory and process signals. Unfortunately, in practice one finds that computer systems are built such that users are not limited to communicating only through the intended communication channels. As a result, a well-founded concern of security-conscious system designers is the potential exploitation of system storage locations and timing facilities to provide unforeseen communication channels to users. These illegitimate channels are known as covert storage and timing channels. Prior to the presentation of this paper twenty years ago the covert channel analysis that took place was mostly ad hoc. Methods for discovering and dealing with these channels were mostly informal, and the formal methods were restricted to a particular specification language. This paper presents a methodology for discovering storage and timing channels that can be used through all phases of the software life cycle to increase confidence that all channels have been identified. In the original paper the methodology was presented and applied to an example system having three different descriptions: English, formal specification, and high order language implementation. In this paper only the English requirements are considered. However the paper also presents how the methodology has evolved and the influence it had on other work.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"76 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126529473","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: