The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Beyond Separation of Duty: An Algebra for Specifying High-level Security Policies

CERIAS TR 2005-75
Ninghui Li, Qihua Wang, Mahesh Tripunitara
Download: PDF

A separation of duty policy requires a sensitive task to be performed by a team of at least k users. It states a high-level requirement about the task without the need to refer to individual steps in the task. While extremely important and widely used, separation of duty policies cannot capture qualification requirements on users involved in the task. In this paper, we introduce a novel algebra that enables the specification of high-level policies that combine user qualification requirements with separation of duty considerations. A high-level policy associates a task with a term in the algebra and requires that all sets of users that perform the task satisfy the term. Our algebra has four operators. We give the syntax and semantics of the algebra and study algebraic properties of these operators. We also study several computational problems related to the algebra. As our algebra is about the general concept of sets of sets, we conjecture that it will prove to be useful in other contexts as well.

Added 2005-11-22

Security Analysis and Administrative Insider Threat Assessment in Role-Based Access Control

CERIAS TR 2005-77
Somesh Jha, Ninghui Li, Mahesh Tripunitara, Qihua Wang, William Winsborough
Download: PDF

Specifying and managing access control policies is a challenging problem. We propose to develop formal verification techniques for access control policies to improve the current state of the art of policy specification and management. In this paper, we formalize classes of security analysis and administrative insider threat assessment problems in the context of Role-Based Access Control. We show that in general these problems are PSPACE-complete. We also study the factors that contribute to the computational complexity by considering a lattice of various subcases of the problem with different restrictions. We show that several subcases remain PSPACE-complete, several further restricted subcases are NP-complete, and identify two subcases that are solvable in polynomial time. We also discuss our experiences and findings from experiments that use existing formal method tools, such as model checking and logic programming, for addressing these problems.

Added 2005-11-22

Using Directional Antennas to Prevent Wormhole Attacks

Lingxuan Hu, David Evans

Wormhole attacks enable an attacker with limited resources and no cryptographic material to wreak havoc on wireless networks. To date, no general defenses against wormhole attacks have been proposed. This paper presents an analysis of wormhole attacks and proposes a countermeasure using directional antennas. We present a cooperative protocol whereby nodes share directional information to prevent wormhole endpoints from masquerading as false neighbors. Our defense greatly diminishes the threat of wormhole attacks and requires no location information or clock synchronization.

Added 2005-11-11

Deterministic Parallel Computational Geometry

CERIAS TR 2005-74
Mikhail Atallah, Danny Chen
Download: PDF

We describe general methods for designing deterministic parallel algorithms in computational geometry. We focus on techniques for shared-memory parallel machines, which we describe and illustrate with examples. We also discuss some open problems in this area.

Added 2005-11-08

Where's the FEEB? The Effectiveness of Instruction Set Randomization

Sovarel, Evans, Paul

Instruction Set Randomization (ISR) has been proposed as a promising defense against code injection attacks. It defuses all standard code injection attacks since the attacker does not know the instruction set of the target machine. A motivated attacker, however, may be able to circumvent ISR by determining the randomization key. In this paper, we investigate the possibility of a remote attacker successfully ascertaining an ISR key using an incremental attack. We introduce a strategy for attacking ISR-protected servers, develop and analyze two attack variations, and present a technique for packaging a worm with a miniature virtual machine that reduces the number of key bytes an attacker must acquire to 100. Our attacks can break enough key bytes to infect an ISR-protected server in about six minutes. Our results provide insights into properties necessary for ISR implementations to be sure

Added 2005-11-08

Markets for Vulnerabilities? Think Again

Karthik Kannan and Rahul Telang

Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary’s incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism—federally funded social planner—always performs better than a market-based mechanism.

Added 2005-11-02

A Framework for Management of Secure and Adaptive Workflows

CERIAS TR 2005-73
Basit Shafiq, Arjmand Samuel, Elisa Bertino, and Arif Ghafoor
Download: PDF

In this paper, we propose a framework for secure composition and management of time-based workflows. The proposed framework allows communication and sharing of information among predefined or ad hoc teams of users collaborating with each other in time-critical workflow applications. A key requirement for such applications is to provide the right data to the right person at the right time. In addition, the workflow needs to be adapted if a subtask of a workflow cannot be executed within the due time. The proposed framework supports GTRBAC-based workflow specification and allows dynamic adaptation of workflow instances depending on the execution status of workflow tasks and environmental context. Adaptations in a workflow may include rescheduling of component tasks, reassignment of users to the scheduled tasks, or abortion of component tasks that cannot be completed under the current system state. We propose an integer programming based approach for finding the best possible adaptation according to the pre-defined optimality criterion.

Added 2005-11-02

"Trust Issue Management" as a Special Topics Course: Celebrating Old and New Ways of Looking at Trust

CERIAS TR 2005-72
Josh Boyd
Download: PDF

Trust is an increasingly important issue:  interpersonal trust, consumer trust, trust within organizations, and trust of organizations from corporations to non-profits to governments.  Not only is trust important, but it is also communication-centered.  In order to prepare communication students (especially those in public relations) to make healthy trusting decisions and manage organizational trust issues, this essay proposes a special topics course in trust issue management.  It provides a rationale for the course, course objectives, a reading list and schedule, and assignments that engage students in examining the concept and management of trust.

Added 2005-11-01

A Tree-based Forward Digest Protocol to Verify Data Integrity in Distributed Media Streaming

CERIAS TR 2005-84
A. Habib, D. Xu, M. Atallah, B. Bhargava, and J. Chuang
Download: PDF
Added 2005-10-31

Integrity Checking For Process Hardening

Kyung-suk Lhee
Download: PDF

Computer intrusions can occur in various ways. Many of them occur by exploiting program flaws and system configuration errors. Existing solutions that detect specific kinds of flaws are substantially different from each other, so aggregate use of them may be incompatible and require substantial changes in the current system and computing practice. Intrusion detection systems may not be the answer either, because they are inherently inaccurate and susceptible to false positives/negatives. This dissertation presents a taxonomy of security flaws that classifies program vulnerabilities into a finite number of error categories, and presents a security mechanism that can produce accurate solutions for many of these error categories in a modular fashion. To be accurate, a solution should closely match the characteristic of the target error category. To ensure this, we focus only on error categories whose characteristics can be defined in terms of a violation of process integrity. The thesis of this work is that the proposed approach produces accurate solutions for many error categories. To prove the accuracy of produced solutions, we define the process integrity checking approach and analyze its properties. To prove that this approach can cover many error categories, we develop a classification of program security flaws and find error characteristics (in terms of process integrity) for many of these categories. We implement proof-of-concept solutions for the two most prevalent error categories, the buffer overflow and the race condition, and analyze their accuracy and performance.

Added 2005-10-21

2003-2004 Assessment of the Army Research Laboratory

National Research Council
Added 2005-10-20

The Ontology of Emotion

CERIAS TR 2005-71
Katrina Triezenberg
Download: PDF

Nirenburg and Raskin

Added 2005-10-19

Developing a Risk Management System for Information Systems Security Incidents

Fariborz Farahmand
Download: PDF

The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It outlines the current state of the art of information security, the important issues confronting managers, security enforcement measures/techniques, and potential threats and attacks. It develops a model for classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. It involves valuation of information assets and probabilities of success of attacks on those assets in organizations and evaluates the expected damages of these attacks. The research outlines some suggested control measures and presents some cost models for quantifying damages from these attacks and compares the tangible and intangible costs of these attacks. This research also develops a risk management system for information systems security incidents in five stages: 1- Resource and application value analysis, 2- Vulnerability and risk analysis, 3- Computation of losses due to threats and benefits of control measures, 4- Selection of control measures, and 5- Implementation of alternatives. The outcome of this research should help decision makers to select the appropriate control measure(s) to minimize damage or loss due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations.

Added 2005-10-18

Intrusion Detection in RBAC-administered Databases

CERIAS TR 2005-70
Elisa Bertino, Ashish Kamra, Evimaria Terzi, Athena Vakali
Download: PDF
Added 2005-10-17

Computational Resiliency: Reliable Heterogeneous Applications

Joohan Lee
Download: PDF

This thesis presents the notion of computational resiliency to provide reliability in heterogeneous distributed applications. The notion provides both software fault tolerance and the ability to tolerate information warfare (IW) attacks. This technology seeks to strengthen a military mission, rather than protect its network infrastructure using static defense measures such as network security, intrusion sensors, and firewalls. Even if a failure or successful attack is never detected, it should be possible to continue information operations and achieve mission objectives. Computational resiliency involves the dynamic use of replicated software structures, guided by mission policy, to achieve reliable operation. However, it goes further to automatically regenerate replication in response to a failure or attack, allowing the level of system reliability to be restored and maintained. Replicated structures can be protected through several techniques such as camouflage, dispersion, and layered security policy. This thesis examines a prototype concurrent programming technology to support computational resiliency in a heterogeneous distributed computing environment. The performance of the technology is explored through two example applications, concurrent sonar processing and remote sensing. We develop the associated analytical performance model and verify the model against the experimental results. The overhead of computational resiliency on homogeneous and heterogeneous systems is investigated. Load balancing techniques are used to improve the overall performance of the system, especially in heterogeneous computing environments.

Added 2005-10-13