The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive


Requirements-Based Access Control Analysis and Policy Specification

Qingfeng He
Download: PDF

Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) define how access is managed and the high-level rules of who can access what information under certain conditions. Traditionally, access control policies have been specified in an ad-hoc manner, leaving systems vulnerable to security breaches. ACP specification is often isolated from requirements analysis, resulting in policies that are not in compliance with system requirements. This dissertation introduces the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method for deriving access control policies from various sources, including software requirements specifications (SRS), software designs, and high-level security/privacy policies. The ReCAPS method is essentially an analysis method supported by a set of heuristics and a software tool: the Security and Privacy Requirements Analysis Tool (SPRAT). The method was developed in two formative case studies and validated in two summative case studies. All four case studies involved operational systems, and ReCAPS evolved as a result of the lessons learned from applying the method to these case studies. Further validation of the method was performed via an empirical study to evaluate the usefulness and effectiveness of the approach. Results from these evaluations indicate that the process and heuristics provided by the ReCAPS method are useful for specifying database-level and application-level ACPs. Additionally, ReCAPS integrates policy specification into software development, thus providing a basic framework for ensuring compliance between different levels of policies, system requirements and software design. The method also improves the quality of requirements specifications and system designs by clarifying ambiguities and resolving conflicts across these artifacts.

Added 2005-09-29

CARAVAN: A Communications Architecture for Reliable Adaptive Vehicular Ad hoc Networks

Jeremy Joseph Blum

Future generations of in-vehicle Intelligent Transportation Systems (ITS) will network nearby vehicles for enhanced safety and efficiency. Initially, these intelligent vehicles will utilize wireless communications to extend the perception horizon for individual drivers through warning messages of roadway hazards, including obstacles in the roadway, accidents, and hard-braking incidents. Ultimately, this communication will become a vital part of automated highway systems including cooperative driving and coordinated collision avoidance. For efficiency and cost reasons, the wireless communication is likely to be done directly between vehicles. However, direct inter-vehicle communication (IVC) presents unique security and scalability issues that must be addressed before these systems can be realized.

This dissertation describes a Communication Architecture for Reliable Adaptive Vehicular Ad hoc Networks (CARAVAN) to address these issues. CARAVAN consists of IVC-specific parameterization for the physical layer, as well as protocols for the link and the network layers of the architecture. In the development of CARAVAN, this dissertation makes the following contributions:

1. A study of the characteristics and requirements of the IVC network, elicited through analytical and simulation studies of the network.
2. A description of the services needed to support the distribution of the secret spreading codes and the additional scalability requirements that arise from the use of spread spectrum, in order to use spread spectrum to provide protection against denial of service attacks.
3. A methodology to balance the tradeoffs between radio range, spatial reuse, and multi-hop message delivery.
4. A novel mapping function, which maps discrete sections of roadway to timeslots allocated to vehicles, that allows for significantly lower latencies for multi-hop transmissions.
5. Novel assignment rules, which specify the timeslots a vehicle is authorized to use, that allow for significantly more efficient use of allocated spectrum.
6. Assignment rules designed to automatically adapt the timeslot allocation to varying densities of vehicle traffic.
7. Forwarding rules at the network layer, including acknowledgement processing, for the delivery of a-periodic messages to all nodes in the zone-of-relevance.
8. A network layer that leverages the benefits of varying radio ranges to reduce the latency in multi-hop message delivery.

Through simulation and analysis, the CARAVAN architecture is shown to present significant and measurable improvement over current IVC architecture proposals.

Added 2005-09-29

Complex Events In An Ontological-Semantic Natural Language Processing System

CERIAS TR 2000-29
Craig McDonough
Download: PDF

The goal of this dissertation is to elucidate principles for representing complex-event knowledge (or

Added 2005-09-28

FASH: A Fast and Secure Hash

CERIAS TR 2005-68
William Speirs
Download: PDF

FASH is a cryptographic hash function that is more than 5 times faster than SHA1, making it better suited for large amounts of data. However, this increase in speed comes at the cost of security. Although all tests performed in this paper show that FASH is as secure as SHA1, FASH has a higher rate of collision. FASH was created as a replacement for SHA1 in applications where speed is much more important than security.

Added 2005-09-24

Software Engineering for Secure Software - State of the Art: A Survey

CERIAS TR 2005-67
Jayaram K R and Aditya P Mathur
Download: PDF

This report contains a survey of the state of the art in software engineering for secure software. Secure software is defined and techniques used in each phase of the software lifecycle to engineer the development of secure software are described. Also identified are open questions and areas where further research is needed.

The survey reported here was undertaken to understand how the practice of software engineering blends with the requirement of secure software. This has resulted in a novel two-dimensional description of the relationship between the software lifecycle phases and techniques for satisfying security requirements. The report is organized around this relationship.

Added 2005-09-16

Access Control for Collaborative Environments

COAST TR 94-11
HongHai Shen
Download: PDF

In this dissertation, previous work on access control for both collaborative and non-collaborative systems is surveyed. New access control requirements for general collaborative environments are identified, and it is shown that existing models do not completely meet these requirements. A new access control model is developed for meeting the requirements. In particular, a set of collaboration rights is identified based on a general collaboration model; exception-based, multiple inheritance mechanisms are used to support both flexible and high-level access specification; and dynamic, multiple ownership rules are developed to support flexible access administration. The model can emulate a variety of existing systems and meets the new access requirements. It has been implemented in a generic, extensible collaborative system, which relieves individual applications from implementing the model.

Added 2005-09-13

Bounding the Stack Size of Interrupt-Driven Programs

CERIAS TR 2004-81
Di Ma
Download: PDF

A widely-used class of real-time, reactive, embedded systems is called interrupt-driven systems (8). Programming of interrupt-driven systems is notoriously difficult and error-prone. This is because such systems are usually equipped with a small amount of memory while being asked to handle as many external interrupts as possible. Furthermore, such systems demand responsive handling of interrupts. Because an interrupt may happen at any time, a handler can be interrupted by another interrupt, making the stack grow in order to store the context information for the current handler. The problem with such a scenario is that it may lead to stack overflow. Traditionally, this problem has been avoided by forbidding other interrupts during the execution of the handler. However, doing this puts a tremendous limit on the number of interrupts which can be handled. Moreover, it greatly increases the response time for interrupts, resulting in an inefficient system and causing a potential predictability problem: the handling of an interrupt can take so long that the next interrupt occurrence is missed. In this thesis, we lay a formal framework, which, to the best of our knowledge, is the first in the field, to ensure stack boundedness, to give the tightest possible upper bound of the stack usage for interrupt-driven programs, and to guarantee predictability. Specifically, we develop two formal languages, interrupt calculus and periodic interrupt calculus, to capture the characteristics of interrupt-driven systems. We advocate intersection types and union types from the field of programming languages as a convenient vehicle to solve these problems. We base our analysis on two type systems which are designed for the two calculi. Our results show that the calculi demonstrate the desired capability for characterizing interrupt-driven programs.
We show that once an interrupt calculus program type checks, there can be no stack overflow; we prove that the type inference problem for interrupt calculus is in PSPACE. For type-checked periodic interrupt calculus programs, we show that not only can the stack not overflow, but that it is also guaranteed that no single interrupt can be missed. In addition, our construction of the types and type derivations of the periodic interrupt calculus programs unveils an equivalence relation between model checking and type systems, which may be of interest in its own right.

Added 2005-09-12

Automated Digital Evidence Target Definition Using Outlier Analysis and Existing Evidence

CERIAS TR 2005-65
Brian D. Carrier and Eugene H. Spafford
Download: PDF
Added 2005-09-08

Efficient Hierarchical Key Generation and Key Diffusion for Sensor Networks

CERIAS TR 2005-66
Mohamed Shehab, Elisa Bertino and Arif Ghafoor
Download: PDF

Sensor networks are designed with the assumption that nodes are willing to collaborate. However, the open collaboration of nodes introduces privacy and security issues. Therefore, ensuring privacy in wireless sensor networks is a challenging task. Based on a multilevel security paradigm, in this paper we present a hierarchical key generation and distribution protocol for wireless sensor networks. We show by simulation results that our key generation scheme outperforms the existing hierarchical key generation schemes, and thus it is suitable for sensor networks with limited computation and energy capabilities. Furthermore, we present an energy efficient key diffusion protocol. We also discuss the possible security threats involved with the proposed protocol and provide suitable solutions to such threats.

Added 2005-09-08

Model-based Testing of Access Control Systems that Employ RBAC Policies

CERIAS TR 2005-62
Ammar Masood, Rafae Bhatti, Arif Ghafoor, Aditya P. Mathur
Download: PDF

Access control is the key security service used for information and system security. The access control mechanisms can be used to enforce various security policies, but the desired access control objectives can only be achieved if the underlying software implementation is correct. It therefore becomes essential to not only verify that the implementation conforms to the given policy but also to confirm the absence of any violations in it. We propose a model-based strategy for testing implementations of access control systems that employ the RBAC policy specification. Our approach is based on the construction of a structural and behavioral model of the corresponding RBAC specification. The model is then used to generate static and dynamic test suites for the corresponding implementation. The code coverage and mutation score were used as metrics to determine the efficacy of the proposed approach in a case study. The results of the case study show that the tests generated using the proposed approach not only provide good control flow coverage of the implementation but are also effective in detecting faults induced via mutation operators.

Added 2005-09-05

Redundant Reader Elimination in RFID Systems

CERIAS TR 2005-63
Bogdan Carbunar, Murali Krishna Ramanathan, Mehmet Koyuturk, Christoph Hoffmann, Ananth Grama
Download: PDF
Added 2005-09-02

High Throughput Routing in Hybrid Wireless Networks

CERIAS TR 2005-64
Ioannis Ioannidis, Bogdan Carbunar, Cristina Nita-Rotaru
Download: PDF
Added 2005-09-02

Cross-Domain Controlled Interface and Labeling (CDCIL) Services

K.M. Goertzel

Cross Domain Controlled Interface and Labeling (CDCIL) is intended to provide a capability that will allow web services in separate security policy domains to exchange eXtensible Markup Language (XML) objects (messages, documents, web-based content) securely across domain boundaries, while preventing the flow of content not authorized to cross those boundaries. In this way, CDCIL will provide a framework for enabling the creation of a single service oriented architecture (SOA) composed of multiple security policy domains, each with its own security requirements and attributes.
The CDCIL services have been conceived as standards-based web services that will provide mechanisms to (1) persistently bind a label (metadata header) containing a flexibly derived set of security attributes to XML objects exchanged by web services in different domains, and (2) enforce security policies that govern those exchanges. The CDCIL services go beyond other cross domain solutions being used to control XML exchanges in their ability to (1) accommodate a broader definition of

Added 2005-09-02

A Secure Crediting Protocol for Hybrid Cellular and Ad-Hoc Networks

CERIAS TR 2004-80
Bogdan Carbunar, Ioannis Ioannidis, Ananth Grama, Jan Vitek
Download: PDF
Added 2005-09-02

An Efficient Protocol for Yao's Millionaires' Problem

CERIAS TR 2003-39
Ioannis Ioannidis, Ananth Grama
Download: PDF
Added 2005-09-02