Abstract: A formal security policy model that uses basic view concepts for a secure multilevel relational database system is described. The model is formulated in two layers, one corresponding to a security kernel of reference monitor that enforces mandatory security, and the other defining multilevel relations and formalizing policies for labeling new and derived data, data consistency, discretionary security, and transaction consistency. This includes the policies for sanitization, aggregation, and downgrading. The model also defines application-independent properties for entity integrity, referential integrity, and polyinstantiation integrity. >

Abstract: A method of controlling the unauthorized disclosure of classified data that is used to describe an event that has been calendared in an electronic calendaring application of an interactive information handling system in which the calendar owner assigns a security classification to an event as it is being calendared. The classification assigned is pre-established by an information security protocol that is either unique to the calendar function or a more comprehensive information security system for the organization. The security classes are pre-established by the system. When the calendar data is presented in a format that allows event descriptions to be readable such as when a day calendar is viewable on the display terminal or in a printed copy, an overall security lable is displayed and printed out when the display is converted to hard copy. The period covered by the security label generally corresponds to the period that is selected for viewing. The security classification displayed is the highest security class of any of the event descriptions that are displayed. Data structures are established for each calendar entry which store the data in the system. These data structures are scanned to determine the overall classification that is displayed for the day calendar. Since a readable security classification label is automatically applied, regardless of whether the calendar presentation is on the display screen or in hard copy, all of the requirements of the established information security system are met and the electronic calendaring application need not be treated as an exception to the information security system. The method allows each calendar user on the system that has an assigned permission level to view classified event descriptions at or below his or her assigned security level with a security label automatically displayed or printed.

Abstract: This book addresses the uses and practical aspects of the analysis, design and specification of information systems security, and will represent the intersection of the work in computer security and current work in systems analysis and auditing. Written from a management information perspective rather than from the standpoint of computer science or from the standpoint of the security consultant, the book looks at both the managerial, organizational and social implications as well as the underlying technology. The book further discusses the problems created by computer security and analyses the managerial justification of information systems controls.

Abstract: The potential for logical inference of high-level information based on lower-level visible data presents a threat to multilevel security. The author proposes a framework for studying these inference control problems, describes a representation for relevant semantics of the application, develops criteria for safety and security of a system to prevent these problems, and describes the functionality of the proposed classification tool in terms of a scenario for its use. >

Abstract: A model which precisely describes the mechanism that enforces the security policy and requirements for a multilevel secure network is described. This mechanism attempts to ensure secure flow of information between entities assigned to different security classes in different computer systems connected to the network. The mechanism also controls the access to the network devices by the subjects (users and processes executed on behalf of the users) with different security clearances. The model integrates the notions of access control and information flow control to provide a trusted network base that imposes appropriate restrictions on the flow of information among the various devices. Utilizing simple set-theoretic concepts, a procedure is given to verify the security of a network that implements the present model. >

Abstract: A mandatory security policy for a multilevel secure relational DBMS using views as the security objects is presented. The advantages and disadvantages of this approach are examined. A method of ensuring the completeness and consistency of the set of secure views is described, as well as an approach to implementing views as the security objects. >

Abstract: SATURNE, a research project aimed at increasing distributed system reliability by means of fault-tolerance and security by means intrusion tolerance, is discussed. The saturation and fragmentation-and-scattering techniques proposed by the SATURNE project show that it is possible to exploit more distribution than has been done up to now, in order to increase computing system dependability, and more precisely reliability with respect to accidental, physical faults, and security with respect to intrusions, i.e. deliberate, human-made, interaction faults. >

Abstract: The author approaches database security from the semantic level. He identifies the need to classify outputs from multilevel secure database systems at a level which accurately reflects the contents. Specifically, he addresses the question of what really makes information classified, that is, the security semantics of an application. A multidimensional taxonomy of generic secrecy constraints is presented with examples that illustrate application-specific security semantics. Using labels to represent security semantics is shown to be ambiguous and therefore ineffective. Representing security semantics external to the database is proposed and several approaches are discussed. Finally, the use of a semantic data model, on top of a logic-based representation, is proposed to explicitly represent the security semantics of an application. >

Abstract: : This publication, "A Guide to Understanding Audit in Trusted Systems," is being issued by the National Computer Security Center (NCSC) under the authority of and in accordance with Department of Defense (DoD) Directive 52151 The guidelines described in this document provide a set of good practices related to the use of auditing in automatic data processing systems employed for processing classified and other sensitive information

Abstract: An overview is given of the query processing of the multilevel secure database management system (MLS/DBMS), LOCK Data Views (LDV), for the secure distributed Data Views contract. The authors summarize design issues such as data distribution, polyinstantiation, and response assembly. They show the need for a security policy for a database system that builds on the classical security policies for operating systems. They describe some of the problems associated with multilevel databases and their approach to solving them. They also explain how a pipeline organization helps to minimize the amount of design and code that must be trusted and/or verified. >

Abstract: The author presents a model for secure distributed computations in a multilevel security, heterogeneous environment, called the multimember session model. This model does not place any restrictions on the computations using it, nor does it require any modification of security policies of local secure operating systems. It provides isolation between unrelated computations, and it ensures that the information flow in a distributed environment follows the rules of a multilevel security model, such as the Bell-Lapadula model. Protocols to establish secure communication channels within a session are also discussed. >

Abstract: Scale should be recognized as a primary factor influencing the architecture and implementation of distributed systems. This paper uses Andrew, a distributed environment at Carnegie Mellon University, to validate this proposition. The design of Andrew is dominated by considerations of performance, operability and security. Caching of information and placing trust in as few machines as possible emerge as two general principles that enhance scalability. The separation of concerns made possible by specialized mechanisms is also valuable. Heterogeneity is a natural consequence of growth and anticipating it in the initial stages of system design is important. A location transparent shared file system considerably enhances the usability of a distributed environment.

Abstract: The general problem of protection in a network, focusing on its modeling in a packet-switch context, is considered. A general network interpretation of a standard computer security model is applied to the next-generation packet switch. The situation requires modeling at both the network and individual packet switch levels of discourse, using different interpretations. >

Abstract: Computer security standards are needed to reduce the cost of security products and to allow for interoperability and evaluation. Several national and international groups are trying to standardize approaches to information security for certain applications. This paper describes and compares three types of standards activities: United States government standards, financial standards, and standards developed for the International Standards Organization Open Systems Interconnection Basic Reference Model.

Abstract: A security strategy is presented to protect the operations database of a network element (NE) of a telecommunications network from unauthorized access and/or unauthorized transactions. With the advent of technology, and increased control of networks and service features by customers, it is expected that the NE operations database will become increasingly accessible to third-party service providers, large-business customers, and even small-business and residential customers. This, in turn, will increase the security risk to the NE database and force NE manufacturers to consider introducing features to enhance the database security. The author discusses some of these security threats and proposes the introduction of NE features that could reduct such threats. >

Abstract: Information security technology encompasses all measures used to protect information from unauthorized disclosure, modification, or destruction. In an age when information is widely recognized as a valuable commodity, information security has become particularly vital. This issue of the AT&T Technical Journal brings together papers on various aspects of digital electronic information security, representing work in many areas of the company. This paper presents a brief overview of the problems addressed by information security technology and how its focus has changed with the advance of computing science.

Abstract: Information security box for safe storing and transportation of storage media which are information carriers. Security is achieved by erasing the information in the contained storage media if intruders attempt to gain admittance to the stored information. The information security box contains means for rapid erasure, which are activated when attempting to break open the box or opening the box without following the correct procedure.

Abstract: Research into the multilevel secure automated exchange of military messages is reported. This work represents approaches to 'designed-in security that are not based on the security kernal and Bell/LaPadula model approaches that have dominated military message systems and the industry. Instead, the approach is based on the concept of a network of communicating finite-state machines. The resulting product is the military message embedded executive (ME2), and its supporting hardware base, the trusted military message processor. Beyond its state machine architecture it is suggested that the (ME2) is additionally unique for its attention to the process security requirements of embedded computers. >

Abstract: The issues that are relevant to computer security and communications security are reviewed, including security architecture and cryptography. Possible solutions for security management functions that are compatible with present and future telecommunications networks standardized by CCITT are described. European cooperation is briefly considered. >

Abstract: The authors address the issue of maintaining security in a fault-tolerant replicated database. They present a data-management protocol that integrates the information-dispersal algorithm (for security) and the quorum-consensus algorithm (for reliability). Although this protocol provides the desired level of security, it does not achieve the same level of availability for both read and write operations as the quorum-consensus algorithm. By integrating a log-based propagation mechanism with their protocol, the authors are able to achieve the same level of availability for both read and write operations as other quorum-consensus protocols, while maintaining the desired level of security. >

Abstract: Information-flow theory is used to develop a protocol which supports data security in Smalltalk-80. First, the general approach is explained along with its specific issues and problems. This approach establishes a protocol for data flow among objects in the environment. The basic strategy of this protocol is to develop security levels in which objects reside. In these security levels, information can be passed up to an object in an upper or more secure level, but cannot be passed down to an object in a lower of less secure level. This strategy dictates that a security-checking system be developed to control creating objects and passing messages. Solutions to various problems and modifications in the Smalltalk-80 environment are given. These solutions consist of detailed protocols, refined algorithms, and actual Smalltalk code. The main security-verifying algorithm for Smalltalk methods is demonstrated, along with a rigid evaluation of the algorithm and the general security system. >

Abstract: Major upgrades to the physical security systems of Lawrence Livermore National Laboratory are in the form of two integrated multiyear projects: SSE-1 (Safeguards and Security Enhancements-Phase I) is a five-year effort that started in late 1984; the second five-year phase, SSE-2, began in 1986. SSE-1 upgrades obsolete operating systems and constructs the facilities needed to house the equipment. Its subprojects replace the existing alarm system, automate access-control functions, restructure security command and control, upgrade the security radio network, modernize nuclear materials accountability, construct two communications centers, and add perimeter-security features. SSE-2 consolidates and protects operations involving special nuclear materials in an area called the Superblock, as well as improving the lab-wide physical security system. SSE-2 subprojects add perimeter protection to the Superblock, construct processing facilities for special nuclear materials, construct an office complex with a secondary command and control center, build security training and housing facilities, and improve roads, fencing, and lighting. >