A technique for software module specification with examples
Communications of the ACM
A note on the confinement problem
Communications of the ACM
On attaining reliable software for a secure operating system
Proceedings of the international conference on Reliable software
Implications of a virtual memory mechanism for implementing protection in a family of operating systems
The multics system: an examination of its structure
The multics system: an examination of its structure
On the Identification of Covert Storage Channels in Secure Systems
IEEE Transactions on Software Engineering
A Retrospective on the VAX VMM Security Kernel
IEEE Transactions on Software Engineering
Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels
IEEE Transactions on Software Engineering
Fault Tolerant Operating Systems
ACM Computing Surveys (CSUR)
Operating System Structures to Support Security and Reliable Software
ACM Computing Surveys (CSUR)
ACM Computing Surveys (CSUR)
An Axiomatic Approach to Information Flow in Programs
ACM Transactions on Programming Languages and Systems (TOPLAS)
Shared resource matrix methodology: an approach to identifying storage and timing channels
ACM Transactions on Computer Systems (TOCS)
Certification of programs for secure information flow
Communications of the ACM
Proceedings of the 25th International Conference on Software Engineering
An extensible file system for hydra
ICSE '78 Proceedings of the 3rd international conference on Software engineering
The Lattice Security Model In A Public Computing Network
ACM '78 Proceedings of the 1978 annual conference
Design and verification of secure systems
SOSP '81 Proceedings of the eighth ACM symposium on Operating systems principles
Software development and proofs of multi-level security
ICSE '76 Proceedings of the 2nd international conference on Software engineering
Resolving covert channels within a B2 class secure system
ACM SIGOPS Operating Systems Review
Performance and security lessons learned from virtualizing the alpha processor
Proceedings of the 34th annual international symposium on Computer architecture
The advent of trusted computer operating systems
AFIPS '80 Proceedings of the May 19-22, 1980, national computer conference
Putting Trojans on the Horns of a Dilemma: Redundancy for Information Theft Detection
Transactions on Computational Science IV
Privacy-enabling social networking over untrusted networks
Proceedings of the 2nd ACM workshop on Online social networks
Airavat: security and privacy for MapReduce
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
An analysis of the timed Z-channel
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
Differentially private billing with rebates
IH'11 Proceedings of the 13th international conference on Information hiding
Finding covert channels in protocols with message sequence charts: the case of RMTP2
SAM'04 Proceedings of the 4th international SDL and MSC conference on System Analysis and Modeling
Leaving timing-channel fingerprints in hidden service log files
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Students who don't understand information flow should be eaten: an experience paper
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Analysis of the communication between colluding applications on modern smartphones
Proceedings of the 28th Annual Computer Security Applications Conference
Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles
ACM SIGOPS 24th Symposium on Operating Systems Principles
From L3 to seL4 what have we learnt in 20 years of L4 microkernels?
Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles
| Hi-index | 0.02 |
The confinement problem, as identified by Lampson, is the problem of assuring that a borrowed program does not steal for its author information that it processes for a borrower. An approach to proving that an operating system enforces confinement, by preventing borrowed programs from writing information in storage in violation of a formally stated security policy, is presented. The confinement problem presented by the possibility that a borrowed program will modulate its resource usage to transmit information to its author is also considered. This problem is manifest by covert channels associated with the perception of time by the program and its author; a scheme for closing such channels is suggested. The practical implications of the scheme are discussed.