A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections(More)
A strand is a sequence of events; it represents either the execution of a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections(More)
Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can conclude that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular(More)
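The reasoning in this abstract can be checked mechanically for a small symbolic protocol. The block below is an added example, not code from any of the papers listed on this page: it models a Dolev-Yao style penetrator who can split pairs, decrypt only with keys it holds, and build pairs and encryptions from what it knows, then asks whether the penetrator alone could have produced a message that carries the fresh value v back inside a new encryption. The term encoding, the key-naming convention (pk(X)/sk(X)), the protocol messages and the "compromised key" scenario are all constructed here for illustration.

```python
"""Symbolic check of an outgoing authentication test (added example).

Assumed term shapes, constructed for this illustration:
  ('name', s)        atomic value such as a principal name or a nonce
  ('key', s)         key; 'pk(X)' and 'sk(X)' are inverses of each other
  ('pair', a, b)     concatenation
  ('enc', k, m)      m encrypted under key k
"""


def name(s):
    return ('name', s)


def key(s):
    return ('key', s)


def pair(a, b):
    return ('pair', a, b)


def enc(k, m):
    return ('enc', k, m)


def inverse(k):
    """Assumed naming convention: pk(X) <-> sk(X); anything else is symmetric."""
    _, s = k
    if s.startswith('pk('):
        return key('sk(' + s[3:])
    if s.startswith('sk('):
        return key('pk(' + s[3:])
    return k


def analyze(knowledge):
    """Close the penetrator's knowledge under decomposition: split every
    pair and decrypt every encryption whose inverse key is already known."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == 'pair':
                new = {t[1], t[2]}
            elif t[0] == 'enc' and inverse(t[1]) in known:
                new = {t[2]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def derivable(target, known):
    """Can the penetrator compose `target` from analyzed knowledge using
    only pairing and encryption under keys it can itself build?"""
    if target in known:
        return True
    if target[0] in ('pair', 'enc'):
        return derivable(target[1], known) and derivable(target[2], known)
    return False


def penetrator_can_forge(observed, target, initial):
    """True if the penetrator, starting from `initial` knowledge and having
    seen the `observed` messages on the wire, can produce `target` alone."""
    return derivable(target, analyze(set(initial) | set(observed)))


# Constructed scenario: A emits its fresh nonce v only inside {A, v}_pk(B),
# and later receives v back inside {v, N}_pk(A) for some nonce N.
A, B = name('A'), name('B')
v = name('v')                # A's fresh value; exists nowhere else
n_p = name('Np')             # a nonce the penetrator may supply itself
PUBLIC = {A, B, key('pk(A)'), key('pk(B)'), key('pk(P)'), key('sk(P)'), n_p}


def outgoing_test_holds(compromised=()):
    """Return True when the penetrator cannot build the reply that carries v
    in its new context, so some regular principal holding sk(B) must have
    received and transformed A's message. `compromised` lists private keys
    assumed leaked to the penetrator."""
    initial = PUBLIC | {key(k) for k in compromised}
    observed = {enc(key('pk(B)'), pair(A, v))}
    reply = enc(key('pk(A)'), pair(v, n_p))
    return not penetrator_can_forge(observed, reply, initial)


if __name__ == '__main__':
    print('sk(B) secret:      test holds =', outgoing_test_holds())
    print('sk(B) compromised: test holds =', outgoing_test_holds(('sk(B)',)))
```

With sk(B) secret the penetrator never learns v, so the transformed reply cannot be its work; once sk(B) is added to its knowledge the conclusion no longer follows, which is exactly the "in some circumstances" caveat the abstract raises.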
When packet filtering is used as a security mechanism, different routers may need to cooperate to enforce the desired security policy. It is difficult to ensure that they will do so correctly. We introduce a simple language for expressing global network access control policies of a kind that filtering routers are capable of enforcing. We then introduce an(More)
In this paper, we present a systematic way to determine the information flow security goals achieved by systems running a secure O/S, specifically systems running Security-Enhanced Linux. A formalization of the access control mechanism of the SELinux security server, together with a labeled transition system representing an SELinux configuration, provides(More)
Partial functions can be easily represented in set theory as certain sets of ordered pairs. However, classical set theory provides no special machinery for reasoning about partial functions. For instance, there is no direct way of handling the application of a function to an argument outside its domain as in partial logic. There is also no utilization of(More)
A model-theoretic approach can establish security theorems, which are formulas expressing authentication and non-disclosure properties of protocols. Security theorems have a special form, namely quantified implications ∀ x. (φ ⊃ ∃ y. ψ). Models (interpretations) for these formulas are skeletons, partially ordered structures consisting of a number of local(More)
Mobile agents are processes which can autonomously migrate to new hosts. Despite its many practical benefits, mobile agent technology results in significant new security threats from malicious agents and hosts. The primary added complication is that, as an agent traverses multiple hosts that are trusted to different degrees, its state can change in ways that(More)