The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


Classical IP and ARP over ATM

CSD-TR-95-024
Christoph L. Schuba, Berry Kercheval, E.H. Spafford
Download: PDF
Added 2002-07-26



Report on the IEEE CS 1996 Symposium on Security and Privacy

Christoph L. Schuba, Mary Ellen Zurko
Added 2002-07-26

Analysis of a Denial of Service Attack on TCP

Christoph L. Schuba, Ivan Krsul, Markus Kuhn, E. H. Spafford, Aurobindo Sundaram, and Diego Zamboni
Download: PDF
Added 2002-07-26


Design of Mutant Operators for the C Programming Language

Agrawal, DeMillo, Hathaway, Hsu, Krauser, Martin, Mathur, Spafford

Mutation analysis is a method for reliable testing of large software systems.  It provides a method for assessing the adequacy of test data.  Mothra (DeMi87) is a mutation analysis based software testing environment that currently supports the testing of Fortran 77 programs.  Work is underway to enhance this tool along several dimensions.  One of these is the addition of multilingual capability.  C is one of the languages that we plan to support.

Added 2002-07-26

Detecting the Abnormal: Machine Learning in Computer Security

Lane, Brodley
Download: PDF

Two problems of importance in computer security are to 1) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an otherwise innocuous user. In this paper we present a machine learning approach to anomaly detection, designed to handle these two problems. Our system learns a user profile for each user account and subsequently employs it to detect anomalous behavior in that account. Based on sequences of actions (UNIX commands) of the current user's input stream, the system compares each fixed-length input sequence with a historical library of the account's command sequences using a similarity measure…

Added 2002-07-26

A Multilevel File System for High Assurance

Cynthia E. Irvine

The designs of applications for multilevel systems cannot merely duplicate those of the untrusted world. When applications are built on a high assurance base, they will be constrained by the underlying policy enforcement mechanism. Consideration must be given to the creation and management of multilevel data structures by untrusted subjects. Applications should be designed to rely upon the TCB's security policy enforcement services rather than build new access control services beyond the TCB perimeter. The results of an analysis of the design of a general purpose file system developed to execute as an untrusted application on a high assurance TCB are presented. The design illustrates a number of solutions to problems resulting from a high assurance environment.

Added 2002-07-26

A Sound Type System for Secure Flow Analysis

Dennis Volpano, Geoffrey Smith, Cynthia Irvine

Ensuring secure information flow within programs in the context of multiple sensitivity levels has been widely studied. Especially noteworthy is Denning's work in secure flow analysis and the lattice model [6][7]. Until now, however, the soundness of Denning's analysis has not been established satisfactorily. We formulate Denning's approach as a type system and present a notion of soundness for the system that can be viewed as a form of noninterference. Soundness is established by proving, with respect to a standard programming language semantics, that all well-typed programs have this noninterference property.

Added 2002-07-26

Computer Science Department

Cynthia E. Irvine

The designs of applications for multilevel systems cannot merely duplicate those of the untrusted world. When applications are built on a high assurance base, they will be constrained by the underlying policy enforcement mechanism. Consideration must be given to the creation and management of multilevel data structures by untrusted subjects. Applications should be designed to rely upon the TCB's security policy enforcement services rather than build new access control services beyond the TCB perimeter. The results of an analysis of the design of a general purpose file system developed to execute as an untrusted application on a high assurance TCB are presented. The design illustrates a number of solutions to problems resulting from a high assurance environment.

Added 2002-07-26

The Reference Monitor Concept as a Unifying Principle in Computer Security Education

Cynthia E. Irvine

For over twenty-five years, the Reference Monitor Concept [1] has proved itself to be a useful tool for computer security practitioners. It can also be used as a conceptual tool in computer security education. This paper describes a computer security education program at the Naval Postgraduate School that has used the Reference Monitor concept as a unifying principle for courses, laboratory work, and student research. The intent of the program is to produce graduates who will think critically about the design and implementation of systems intended to enforce security policies.

Added 2002-07-26

Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor

John Scott Robin, Cynthia E. Irvine

A virtual machine monitor (VMM) allows multiple operating systems to run concurrently on virtual machines (VMs) on a single hardware platform. Each VM can be treated as an independent operating system platform. A secure VMM would enforce an overarching security policy on its VMs. The potential benefits of a secure VMM for PCs include: a more secure environment, familiar COTS operating systems and applications, and enormous savings resulting from the elimination of the need for separate platforms when both high assurance policy enforcement and COTS software are required. This paper addresses the problem of implementing secure VMMs on the Intel Pentium architecture. The requirements for various types of VMMs are reviewed. We report an analysis of the virtualizability of all the approximately 250 instructions of the Intel Pentium platform and address its ability to support a VMM. Current "virtualization" techniques for the Intel Pentium architecture are examined and several security problems are identified. An approach to providing a virtualizable hardware base for a highly secure VMM is discussed.

Added 2002-07-26

Toward Quality of Security Service in a Resource Management System Benefit Function

Cynthia E. Irvine, Timothy E. Levin

Enforcement of a high-level statement of security policy may be difficult to discern when mapped through functional requirements to a myriad of possible security services and mechanisms in a highly complex, networked environment. A method for articulating network security functional requirements, and their fulfillment, is presented. Using this method, security in a quality of service framework is discussed in terms of "variant" security mechanisms and dynamic security policies. For illustration, it is shown how this method can be used to represent Quality of Security Service (QoSS) in a network scheduler benefit function.

Added 2002-07-26

The Mothra Tool Set

R.A. DeMillo, E.W. Krauser, R.J. Martin, A.J. Offutt, E.H. Spafford

Mothra is a software test environment that supports mutation-based testing of software systems. Mutation analysis is a powerful software testing technique that evaluates the adequacy of test data based on its ability to differentiate between the program under test and its mutants, where mutants are constructed by inserting single, simple errors into the program under test. Mothra consists of a collection of individual tools, each of which implements a separate, independent function for the testing system. The initial Mothra tool set, for the most part, duplicates functionality existing in previous mutation analysis systems. Current efforts are concentrated on extending this basic tool set to include capabilities previously unavailable to the software testing community. The paper describes the current Mothra tool set extensions planned for the near future.

Added 2002-07-26