The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



The Clouds Distributed Operating System

P. Dasgupta, R.J. LeBlanc Jr., M. Ahamad, U. Ramachandran
Added 2002-07-26

Aspect Oriented Programming

G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J.M. Loingtier, J. Irwin
Added 2002-07-26

Update: CERT/CC Vulnerability Knowledgebase

T. Longstaff
Added 2002-07-26

Automated Tools for Testing Computer System Vulnerability

W.T. Polk

Computer security “incidents” occur with alarming frequency. The incidents range from direct attacks by both hackers and insiders to automated attacks such as network worms. Weak system controls are frequently cited as the cause, but many of these incidents are the result of improper use of existing control mechanisms. For example, improper access control specifications for key system files could open the entire system to unauthorized access. Moreover, many computer systems are delivered with default settings that, if left unchanged, leave the system exposed. This document discusses automated tools for testing computer system vulnerability. Using such tools, a system manager can identify common vulnerabilities stemming from administrative errors; this process may examine the content and protections of hundreds of files on a multi-user system, and by doing so administrators can significantly reduce their systems’ security exposure. Automated vulnerability testing tools are available for a wide variety of systems. Some tools are commercially available; others are available from other system administrators. Additional tools may be developed to address specific concerns for an organization’s computer systems. This document examines basic requirements for vulnerability testing tools and describes the different functional classes of tools. Finally, the document offers general recommendations about the selection and distribution of such tools.

Added 2002-07-26

Why Cryptosystems Fail

R. Anderson

Designers of cryptographic systems are at a disadvantage compared with most other engineers, in that information on how these systems fail is hard to get: their major users have traditionally been government agencies, which are very secretive about their mistakes. We present the results of a survey of the failure modes of retail banking systems, which constitute the next largest application of cryptology. It turns out that the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures. This suggests that a paradigm shift is overdue in computer security; we look at some alternatives, and see some signs that this shift may be under way.

Added 2002-07-26

The Errors of TeX

D.E. Knuth
Added 2002-07-26


Safety Analysis Tools for Requirements Specifications

V. Ratan, K. Partridge, J. Reese, N. Leveson

This paper describes safety analysis tools that have been developed for a state-based requirements specification language called Requirements State Machine Language (RSML). These tools include a simulator that allows for forward and backward execution of RSML specifications, a fault tree generator that is based on backward simulation, tools to check for consistency and completeness of specifications, and additional safety analysis techniques. An example requirements specification for an Automated Highway System (AHS) is used for describing the functionality of the tools.

Added 2002-07-26

Software Deviation Analysis: A "Safeware Technique"

J.D. Reese, N.G. Leveson

Standard safety analysis techniques are often ineffective when computers and digital devices are integrated into plant control. The “Safeware” methodology and its set of supporting safety analysis techniques (and prototype tools) include modeling and hazard analysis of complex systems where components may be a mixture of humans, hardware and software. This paper describes one of the Safeware hazard analysis techniques, software deviation analysis, which incorporates beneficial features of HAZOPS (such as guidewords, deviations, exploratory analysis, and a systems engineering approach) into an automated procedure that is capable of handling the complexity and logical nature of computer software.

Added 2002-07-26

Completeness and Consistency in Hierarchical State-Based Requirements

M.P.E. Heimdahl, N.G. Leveson

This paper describes methods for automatically analyzing formal, state-based requirements specifications for some aspects of completeness and consistency. The approach uses a low-level functional formalism, simplifying the analysis process. State-space explosion problems are eliminated by applying the analysis at a high level of abstraction; i.e., instead of generating a reachability graph for analysis, the analysis is performed directly on the model. The method scales up to large systems by decomposing the specification into smaller, analyzable parts and then using functional composition rules to ensure that verifiable properties hold for the entire specification. The analysis algorithms and tools have been validated on TCAS II, a complex, airborne collision avoidance system required on all commercial aircraft with more than 30 passengers that fly in US airspace.

Added 2002-07-26

A Taxonomy of Integrity Models, Implementations and Mechanisms

J.E. Roskos, S.R. Welke, J.M. Boone, T. Mayfield
Added 2002-07-26

Contemporary Application Domain Taxonomies

R.L. Glass, I. Vessey
Added 2002-07-26

Policy Definition Language for Automated Management of Distributed Systems

T. Koch, C. Krell, B. Kramer

The heterogeneity, increasing size and complexity of distributed systems require new architectures, strategies and tools for their technical management. In this paper we propose a policy-based approach to distributed systems management. The use of different abstraction levels allows stepwise refinement from an informal strategic level to a formalized operational level. On the lowest level we use a formal language for the separate definition of policies and events that enables the computer to check the syntax of a given policy description and translate policies into executable rules. To increase the capability for reasoning on a given set of policies, we extended the architecture by a graph model of the process semantics of operational policy and event specifications. The graph model is supported by a compiler that maps operational specifications into their semantic graphs and performs analysis and manipulation on such graphs.

Added 2002-07-26