The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


Trust, Privacy, and Security. Summary of a Workshop Breakout Session at the National Science Foundation Information and Data Management (IDM) Workshop held in Seattle, Washington, September 14 - 16, 2003.

CERIAS TR 2003-34
Bharat Bhargava, Csilla Farkas, Leszek Lilien, and Fillia Makedon
Download: PDF

This report summarizes a Workshop Breakout Session on trust, privacy, and security moderated by B. Bhargava, and held at the NSF IDM Workshop in Seattle, Washington, September 14 - 16, 2003.

Added 2004-01-21

Defining and Modeling Digital Evidence Using Data Flows

CERIAS TR 2004-02
Brian Carrier & Eugene H. Spafford
Download: PDF
Added 2004-01-21

Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS

CERIAS TR 2003-33
Yu-Sung Wu, Bingrui Foo, Yongguo Mei, Saurabh Bagchi
Download: PDF

In this paper, we present the design and implementation of a Collaborative Intrusion Detection System (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers

Added 2003-12-18

ADEPTS: Adaptive Intrusion Containment and Response using Attack Graphs in an E-commerce Environment

CERIAS TR 2003-32
Yu-Sung Wu, Bingrui Foo, Blake Matheny, Tyler Olsen, Saurabh Bagchi
Download: PDF

Distributed e-commerce systems are suitable targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research. Once an intrusion is detected, it is important to contain the effect of the intrusion to some parts of the system while allowing the other parts to continue to provide service. It is also important to take a preventive or reactive response to reduce the likelihood of the system being compromised through a future attack. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing and responding to intrusions in a distributed e-commerce system. We use a directed acyclic graph (DAG) of intrusion goals as the underlying representation in the system. In an I-DAG, the nodes are sub-goals of an attack and to reach a particular node, goals corresponding to its child nodes have to be achieved first. We assume an intrusion detection framework which provides alerts to ADEPTS. In response, a parallel algorithm is executed to compute the likelihood that one or more goals in the DAG have been achieved. Next, a response measure computation algorithm is executed to determine the appropriate response action. There is also a feedback mechanism which estimates the success or failure of a deployed response and uses that in adjusting the system weights to guide future choices. ADEPTS is implemented on a distributed e-commerce system that comprises services including a web server, application server, database server, and directory server. Alerts are simulated corresponding to different attack types, the algorithms executed and response actions deployed. The experiments bring out the latency of the infrastructure, and the effectiveness in dealing with failed responses through escalation compared to statically mapped Intrusion Response Systems (IRS).

Added 2003-12-18

A Framework for Role-Based Access Control in Group Communication Systems

CERIAS TR 2003-31
Ninghui Li and Cristina Nita-Rotaru
Download: PDF

In addition to basic security services such as confidentiality, integrity and data source authentication, a secure group communication system should also provide authentication of participants and access control to group resources. While considerable research has been conducted on providing confidentiality and integrity for group communication, less work has focused on group access control services. In the context of group communication, specifying and enforcing access control becomes more challenging because of the dynamic and distributed nature of groups and the fault tolerance issues (i.e., withstanding process faults and network partitions).

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines role-based access control mechanisms with environment parameters (time, IP address, etc.) to provide policy support for a wide range of applications with very different requirements. While policy is defined by the application, its efficient enforcement is provided by the group communication system. We discuss how such a framework addresses the unique needs of group communication systems and can be supported and enforced in an efficient manner in Spread, a publicly available group communication system.

Added 2003-12-17

The Future of Computer Forensics: A Needs Analysis Survey

CERIAS TR 2003-30
Marcus K. Rogers & Kate Seigfried
Download: PDF

The current study was a pilot study and attempted to add to the growing body of knowledge regarding inherent issues in computer forensics. The study consisted of an Internet based survey that asked respondents to identify the top five issues in computer forensics.  60 respondents answered the survey using a free form text field. The results indicated that education/training and certification were the most reported issue (18%) and lack of funding was the least reported (4%).  These findings are consistent with a similar law enforcement community study (Stambaugh et al., 2001).  The findings emphasize the fragmented nature of the computer forensics discipline. Currently there is a lack of a national framework for curricula and training development, and no gold standard for professional certification. The findings further support the criticism that there is a disproportional focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories. Further implications of the findings are discussed as well as suggestions for future research in the area.

Added 2003-11-21

Getting Physical with the Digital Investigation Process

CERIAS TR 2003-29
Brian Carrier and Eugene H. Spafford
Download: PDF

In this paper, a process model for digital investigations is defined using the theories and techniques from the physical investigation world.  While digital investigations have recently become more common, physical investigations have existed for thousands of years and the experience from them can be applied to the digital world.  This paper introduces the notion of a digital crime scene with its own witnesses, evidence, and events that can be investigated using the same model as a physical crime scene.  The proposed model integrates the physical crime scene investigation with the digital crime scene investigation to identify a person who is responsible for the digital activity.  The proposed model applies to both law enforcement and corporate investigations.

Added 2003-11-17

A Semantics-Based Approach to Privacy Languages

CERIAS TR 2003-28
Ninghui Li, Ting Yu, Annie I. Anton

The Platform for Privacy Preferences (P3P), developed by the W3C, is a major effort to improve online privacy.  It provides a language for websites to encode their data-collection and data-use practices in a machine-readable form.  The W3C also designed a P3P preference language, APPEL, to allow users to specify their privacy preferences. Although P3P has received broad attention, adoption has been slow.  A key reason for this slow adoption is the lack of a formal semantics. Without a formal semantics, a P3P policy may be semantically inconsistent and may be interpreted and represented differently by different user agents. Additionally, APPEL is both complex and error-prone.

In this paper, we redress these problems by adopting a semantics-based approach. We propose a relational formal semantics for P3P policies, which precisely models the relationships between different components of P3P statements (i.e., purposes, recipients and retentions) during online information collection. Based on this semantics, we present SemPref, a simple, efficient and expressive semantics-based preference language. Unlike previously proposed preference languages, SemPref queries the meaning of a privacy policy rather than its syntactical representation. The proposed formal semantics and preference language are an important step towards improving P3P and making it more comprehensible to enterprises and individual users, and ultimately accelerating the large-scale adoption of P3P across the Internet.

Added 2003-11-06

X-GTRBAC: An XML-Based Policy Specification Framework and Architecture for Enterprise-Wide Access Control

CERIAS TR 2003-27
Rafae Bhatti
Download: PDF

Modern-day enterprises exhibit a growing trend toward adoption of enterprise computing services for efficient resource utilization, scalability and flexibility. These environments are characterized by heterogeneous, distributed computing systems exchanging enormous volumes of time-critical data with varying levels of access control in a dynamic business environment. The enterprises are thus faced with significant challenges as they endeavor to achieve their primary goals, and simultaneously ensure enterprise-wide secure interoperation among the various collaborating entities. Key among these challenges are providing an effective mechanism for enforcement of enterprise policy across distributed domains, ensuring secure content-based access to enterprise resources at all user levels, and allowing the specification of temporal and non-temporal context conditions to support fine-grained dynamic access control. This thesis investigates these challenges, and presents X-GTRBAC, an XML-based GTRBAC policy specification language and its implementation for enforcing enterprise-wide access control. Our specification language is based on the GTRBAC model that incorporates the content- and context-aware dynamic access control requirements of an enterprise. An X-GTRBAC system has been implemented as a Java application. We discuss the salient features of the specification language, and present the software architecture of our system. A comprehensive example is included to discuss and motivate the applicability of the X-GTRBAC framework to a generic enterprise environment. An application level interface for implementing the policy in the X-GTRBAC system is also provided to consolidate the ideas presented in the thesis.

Added 2003-10-21

Access Control in Dynamic XML-based Web-Services with X-RBAC

CERIAS TR 2003-26
Rafae Bhatti, James B. D. Joshi, Elisa Bertino, Arif Ghafoor
Download: PDF
Added 2003-09-29

Fault-Tolerant Authentication and Group Key Management in Mobile Computing

CERIAS TR 2000-20
Bharat Bhargava, Sarat Babu Kamisetty, Sanjay Kumar Madria
Download: PDF
Added 2003-09-29

Self: The Power of Simplicity

David Ungar, Randall B. Smith

Self is an object-oriented language for exploratory programming based on a small number of simple and concrete ideas: prototypes, slots, and behaviors.  Prototypes combine inheritance and instantiation to provide a framework that is simpler and more flexible than most object-oriented languages.  Slots unite variables and procedures into a single construct.  This permits the inheritance hierarchy to take over the function of lexical scoping in conventional languages.  Finally, because Self does not distinguish state from behavior, it narrows the gaps between ordinary objects, procedures, and closures.  Self’s simplicity and expressiveness offer insight into object-oriented computation.

Added 2003-09-22

Counterflow Pipeline Processor Architecture

Robert F. Sproull, Ivan E. Sutherland, Charles E. Molnar

The counterflow pipeline processor architecture (CFPP) is a proposal for a family of microarchitectures for RISC processors.  The architecture derives from its fundamental features, namely that instructions and results flow in opposite directions within a pipeline and interact as they pass.  The architecture seeks geometric regularity in processor chip layout, purely local control to avoid performance limitations of complex global pipeline stall signals, and simplicity that might lead to provably correct processor designs.  Moreover, CFPP designs allow asynchronous implementations, in contrast to conventional pipeline designs where the synchronization required for operand forwarding makes asynchronous designs unattractive.  This paper presents the CFPP architecture and a proposal for an asynchronous implementation.  Detailed performance simulations of a complete processor design are not yet available.

Added 2003-09-22

The Design Problem SCPP-A

Charles E. Molnar, Huub Schols

Much design effort toward a Sproull Counterflow Pipeline Processor has been focused on management of movements of Instructions and Results in the pipelines so that every Instruction and Result that pass one another meet and interact in exactly one stage of the pipeline.  The full SCPP design problem poses other requirements as well, such as creation and deletion of items flowing in the pipelines, scheduling of execution of instructions only in stages with the required hardware, and high speed. Nevertheless, even a simplified version of the design problem that ignores the latter requirements has resisted synthesis using existing formal methods.  At a workshop on Asynchronous VLSI Design held in Israel on March 20-22, 1995, Alain Martin of Caltech discussed his synthesis methodology and tools, which he claimed can translate almost any Communicating Sequential Process (CSP) program to a circuit by systematic procedure.  Since our essential requirements for movement of Instructions and Results had been expressed by us as a 5-state FSM graph that is easily interpreted as a CSP program, we asked Martin to demonstrate how his method would be applied to this problem. At the suggestion of the workshop organizer, Dr. Ran Ginosar of the Technion, Dr. Huub Schols presented the challenge to all workshop attendees, and produced the careful documentation contained here.  Several thoughtful responses to our challenges are cited in the list of references.  They lead us to conclude that the problem that we have posed is indeed difficult and worthy of further study and analysis. Martin has declined to provide us with any information about a solution that he claimed to have found after the workshop.

Added 2003-09-19

Why Wire Delays Will No Longer Scale for VLSI Chips

Neil C. Wilhelm

Past scaling of VLSI circuits has resulted in wire delays that scale as the square factor.  This has occurred because wires have been much wider than they are thick: their aspect ratio has been (much) greater than one.  For today’s and future VLSI processes, the aspect ratio of wires will be very near to one, and scaling will no longer produce dramatic decreases in wire delays.  Long wires will gain the least from future scaling, suggesting that, more than ever, high-speed system designs will have to avoid long-distance communication.

Added 2003-09-19