Increased Information Flow Needs for High-Assurance Composite Evaluations
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Analyzing integrity protection in the SELinux example policy
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
The Multics encipher_Algorithm
Cryptologia
Robustly secure computer systems: a new security paradigm of system discontinuity
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
The epistemology of computer security
ACM SIGSOFT Software Engineering Notes
Separation virtual machine monitors
Proceedings of the 28th Annual Computer Security Applications Conference
Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included addition of "Mandatory Access Controls" and these enhancements were greatly enabled by the fact that Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with the existence of well-motivated professional attackers employing subversion. The lessons learned from the vulnerability assessment are highly applicable today as governments and industry strive (unsuccessfully) to "secure" today's weaker operating systems through add-ons, "hardening", and intrusion detection schemes.