Extending the Noninterference Version of MLS for SAT
IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Communications of the ACM
Firewalls and Internet security: repelling the wily hacker
Firewalls and Internet security: repelling the wily hacker
Social processes and proofs of theorems and programs
Communications of the ACM
A lattice model of secure information flow
Communications of the ACM
A note on the confinement problem
Communications of the ACM
Software Engineering Economics
Software Engineering Economics
Lattice-Based Access Control Models
Computer
Gypsy: A language for specification and implementation of verifiable programs
Proceedings of an ACM conference on Language design for reliable software
Access and use control using externally controlled reference monitors
ACM SIGOPS Operating Systems Review
Lessons learned using alloy to formally specify MLS-PCA trusted security architecture
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Proceedings of the 13th ACM conference on Computer and communications security
Capturing industry experience for an effective information security assessment
International Journal of Information Systems and Change Management
Trends in Security Product Evaluations
Information Systems Security
Kells: a protection framework for portable data
Proceedings of the 26th Annual Computer Security Applications Conference
Policy-driven memory protection for reconfigurable hardware
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
| Hi-index | 0.00 |
The Logical Coprocessing Kernel (LOCK) began as a research project to stretch the state of the art in secure computing by trying to meet or even exceed the “A1” requirements of the Trusted Computer System Evaluation Criteria (TCSEC). Over the span os seven years, the project was transformed into an effort to develop and deploy a product: the Standard Mail Guard (SMG). Since the project took place under a US government contract, the development team needed to maintain detailed records of the time spent on the project. The records from 1987 to 1992 have been combined with information about software code size and error detection. This information has been used to examine the practical impacts of high assurance techniques on a large-scale software development program. Tasks are associated with the A1 formal assurance requirements added approximately 58% to the development cost of security-critical software. In exchange for these costs, the formal assurance tasks (formal specifications, proofs, and specification code correspondence) uncovered 68% of the security flaws detected in LOCK's critical security mechanisms. However, a study of flaw detection during the SMG program found that only 14% of all flaws detected were of the type that could be detected using formal assurance, and that the work of the formal assusrance team only accounted for 19% of all flaws detected. While formal assurance is clearly effective at detecting flaws, its practicality hinges on the degree to which the formally modeled system properties represent all of a system's esential properties.