papers of interest to developers

tfraser at tislabs.com
Wed Apr 12 17:57:42 GMT 2000


Hi!

rw> In the mean time, a number of book/paper references have been 
rw> posted on the mailing list--it would probably be nice to have a
rw> bibliography online, so I'll collect them and put them on the web
rw> page at some point in the next few days.

	Here are some papers that I believe might be of interest to
people who want to write some mandatory access control code for
FreeBSD, in BibTex format, with annotations.


@TECHREPORT{anderson72,
AUTHOR = {Anderson, J. P.},
TITLE = "{Computer Security Technology Planning Study}",
INSTITUTION = {USAF Electronic Systems Division},
ADDRESS = {Hanscom Air Force Base, Bedford, Massachusetts},
MONTH = {October},
YEAR = {1972},
NUMBER = {ESD-TR-73-51},
VOLUME = {2}
}

This is the second volume of the famous "Anderson Report", one of the
seminal papers of the info security field.  It defines the notion of a
"reference monitor", an architectural feature that may be of interest
to people implementing kernel-resident access control.  Readers may be
amused to find that, to a great extent, the problems outlined in this
1972 report are still facing us today.

Available in PDF via UC Davis's excellent site:
http://seclab.cs.ucdavis.edu/projects/history/seminal.html


@TECHREPORT{biba,
AUTHOR = {Biba, K. J.},
TITLE = "{Integrity Considerations for Secure Computer Systems}",
INSTITUTION = {USAF Electronic Systems Division},
ADDRESS = {Hanscom Air Force Base, Bedford, Massachusetts},
MONTH = {April},
YEAR = {1977},
NUMBER = {ESD-TR-76-372}
}

This report (mentioned earlier on this mailing list) describes a
number of MAC models for integrity protection.  Some of these schemes
impose a partial-ordering among a set of integrity levels, and prevent
the movement of data from low-integrity to higher-integrity levels
during run-time.  These schemes could be capable of protecting (at
least parts) of a FreeBSD system from viruses and Trojans, should
anyone care to give them a try.  I've heard the phrase "Biba model"
used to refer to the Strict Integrity model described in this report.
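As an added illustration of the Strict Integrity rules sketched above (my own toy code, not from the post or from Biba's report): integrity levels are a rank plus a set of categories, so some pairs are incomparable, and the monitor refuses any read or write that would let data rise to a higher integrity level. The levels, names and sample trace are constructed.

```python
# Added example (not from the post or from Biba's report): a minimal
# Strict Integrity check over a partial order of integrity levels.
# Levels and the sample policy below are constructed for illustration.
from typing import FrozenSet, List, NamedTuple, Tuple

class Level(NamedTuple):
    rank: int
    cats: FrozenSet[str]

    def dominates(self, other: "Level") -> bool:
        # Partial order: at least the rank AND a superset of the categories.
        # Levels with disjoint categories are incomparable.
        return self.rank >= other.rank and self.cats >= other.cats

def can_read(subject: Level, obj: Level) -> bool:
    # "No read down": the object must be at least as trustworthy as the
    # subject, otherwise low-integrity data would flow into its work.
    return obj.dominates(subject)

def can_write(subject: Level, obj: Level) -> bool:
    # "No write up": a subject may only modify objects it dominates.
    return subject.dominates(obj)

def can_flow(src: Level, dst: Level) -> bool:
    # Data may move from src to dst only if it never rises in integrity.
    return src.dominates(dst)

def check_trace(trace: List[Tuple[str, Level, str, Level]]) -> List[str]:
    """Run-time monitor over (name, subject, op, object) requests;
    returns the names of the requests that must be refused."""
    rules = {"read": can_read, "write": can_write}
    return [name for name, s, op, o in trace if not rules[op](s, o)]

# Constructed sample levels (hypothetical policy, not any real system's).
SYSTEM  = Level(2, frozenset({"sys", "mail"}))   # kernel, /bin
ADMIN   = Level(1, frozenset({"sys"}))           # sysadmin session
MAIL    = Level(1, frozenset({"mail"}))          # mail spool
UNTRUST = Level(0, frozenset())                  # downloaded content

SAMPLE_TRACE = [
    ("admin reads /bin/ls",        ADMIN,   "read",  SYSTEM),
    ("system reads download",      SYSTEM,  "read",  UNTRUST),
    ("download written to /bin",   UNTRUST, "write", SYSTEM),
    ("admin writes mail spool",    ADMIN,   "write", MAIL),
    ("system writes to download",  SYSTEM,  "write", UNTRUST),
]
```

The third request is the virus/Trojan case the report is concerned with: untrusted content can never be written into a higher-integrity object, and the fourth shows two levels of equal rank but disjoint categories being treated as incomparable.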


@INPROCEEDINGS{clark_wilson,
AUTHOR = {Clark, D. D. and D. R. Wilson},
TITLE = "{A Comparison of Commercial and Military Computer Security Policies}",
BOOKTITLE = {Proceedings of the 1987 IEEE Symposium on Security and Privacy},
ADDRESS = {Oakland, California},
MONTH = {April},
YEAR = {1987},
PAGES = {184--194}
}

This widely-cited paper suggests that the partial-order-based models
described above are not the most appropriate for commercial
environments.  It describes a competing scheme where certain classes
of data can be modified only by certain users using certain programs.


@INPROCEEDINGS{boebertkain,
AUTHOR = {Boebert, W. E. and R. Y. Kain},
TITLE = "{A Practical Alternative to Hierarchical Integrity Policies}",
BOOKTITLE = {Proceedings of the 8th National Computer Security
		  Conference},
ADDRESS = {Gaithersburg, Maryland},
MONTH = {September},
PAGES = {18--27},
YEAR = {1985},
}

My personal favorite, this paper describes Type Enforcement (TE), a
scheme designed to overcome the need for trusted subjects found in the
partial-order-oriented models.  Although the authors' main intent may
have been only to demonstrate a means of implementing Assured
Pipelines (a series of filter programs with a set of useful security
guarantees), the TE mechanism also provides an excellent means of
enforcing policies based on other models, including (most of) those
described by Biba, Clark&Wilson, and the BLP-style confidentiality
policies well-known to Orange Book fetishists.  A must-read.


@INPROCEEDINGS{dte_usenix,
AUTHOR = {Badger, Lee and Daniel F. Sterne and David L. Sherman and
		  Kenneth M. Walker and Sheila A. Haghighat},
TITLE = "{A Domain and Type Enforcement UNIX Prototype}",
BOOKTITLE = {Proceedings of the 5th USENIX UNIX Security Symposium},
YEAR = {1995},
MONTH = {June},
ADDRESS = {Salt Lake City, Utah}
}

This paper describes the BSD/OS implementation of DTE, a form of TE.
DTE's main contribution is a technique for mapping security attributes
(such as labels) onto existing unmodified local and remote
file systems.  (You can run DTE or BSD on the same machine just by
booting different kernels.)  This paper may be of interest to
TrustedBSD developers, since it describes the DTE group's experience
putting a form of MAC into a BSD kernel.  (FYI: A mostly-functional
port of DTE to FreeBSD 3.2 exists, but is currently in limbo due to a
lack of funding.)  USENIX members can download this paper here:

http://www.usenix.org/publications/library/proceedings/security95/index.html


@INPROCEEDINGS{ken,
AUTHOR = {Walker, Kenneth W. and Daniel F. Sterne and M. Lee Badger and Michael J. Petkac and David L. Sherman and Karen A. Oostendorp},
TITLE = "{Confining Root Programs with Domain and Type Enforcement}",
BOOKTITLE = {Proceedings of the 6th Usenix Security Symposium},
ADDRESS = {San Jose, California},
PAGES = {21--36},
MONTH = {July},
YEAR = {1996}
}

This paper describes how DTE can be used to restrict standard
root-privileged daemons to the minimum privileges required to do their
job, thereby reducing their ability to do harm if compromised.  This
can also be downloaded from USENIX:

http://www.usenix.org/publications/library/proceedings/sec96/
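As an added illustration (my own toy code, not from the post or from any of the cited papers) of the Type Enforcement idea in the Boebert/Kain annotation and the root-daemon confinement described in this paper: a domain/type access table with DTE-style entry-point transitions, default deny, and a check that a chain of filters really is an Assured Pipeline. All domains, types and the policy are constructed.

```python
# Added example (not from the post or the cited papers): a toy Type
# Enforcement (TE) table with DTE-style domain transitions, showing how
# root daemons and an Assured Pipeline are confined. Policy is constructed.
from typing import Dict, FrozenSet, List, Set, Tuple

Access = Dict[Tuple[str, str], FrozenSet[str]]   # (domain, type) -> modes

# Domain Definition Table: default deny; the uid is never consulted,
# so a root mailer gets no more than its domain's cells allow.
DDT: Access = {
    ("mailer_d",  "spool_t"):   frozenset("rw"),
    ("mailer_d",  "bin_t"):     frozenset("rx"),
    ("scan_d",    "inbound_t"): frozenset("r"),
    ("scan_d",    "scanned_t"): frozenset("w"),
    ("deliver_d", "scanned_t"): frozenset("r"),
    ("deliver_d", "spool_t"):   frozenset("w"),
    ("user_d",    "home_t"):    frozenset("rw"),
    ("user_d",    "bin_t"):     frozenset("rx"),
    ("login_d",   "passwd_t"):  frozenset("r"),
    ("login_d",   "bin_t"):     frozenset("rx"),
}
# DTE entry points: exec of a program of this type switches the domain.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("login_d", "shell_t"):  "user_d",
    ("login_d", "mailer_t"): "mailer_d",
}

def allowed(domain: str, obj_type: str, mode: str) -> bool:
    """TE check: is `mode` in the DDT cell for (domain, type)?"""
    return mode in DDT.get((domain, obj_type), frozenset())

def exec_transition(domain: str, exec_type: str) -> str:
    """Domain after exec; unchanged unless an entry point is defined."""
    return TRANSITIONS.get((domain, exec_type), domain)

def domains_with(obj_type: str, mode: str) -> Set[str]:
    """Every domain holding `mode` on objects of `obj_type`."""
    return {d for (d, t), modes in DDT.items() if t == obj_type and mode in modes}

def is_assured_pipeline(stages: List[Tuple[str, str, str]]) -> bool:
    """stages = [(domain, input_type, output_type), ...].  Holds when each
    intermediate type is written only by the stage that produces it and
    read only by the stage that consumes it, so no other domain can
    inject data into the chain or bypass a filter."""
    for (d1, _, out), (d2, inp, _) in zip(stages, stages[1:]):
        if out != inp:
            return False
        if domains_with(out, "w") != {d1} or domains_with(out, "r") != {d2}:
            return False
    return True
```

The scan/deliver chain passes because scanned_t has exactly one writer and one reader, while any chain through spool_t fails since both mailer_d and deliver_d can write it.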
