%%% -*-BibTeX-*- %%% ==================================================================== %%% BibTeX-file{ %%% author = "Nelson H. F. Beebe", %%% version = "1.33", %%% date = "24 March 2012", %%% time = "09:46:28 MDT", %%% filename = "tissec.bib", %%% address = "University of Utah %%% Department of Mathematics, 110 LCB %%% 155 S 1400 E RM 233 %%% Salt Lake City, UT 84112-0090 %%% USA", %%% telephone = "+1 801 581 5254", %%% FAX = "+1 801 581 4148", %%% URL = "http://www.math.utah.edu/~beebe", %%% checksum = "59840 9075 45670 430950", %%% email = "beebe at math.utah.edu, beebe at acm.org, %%% beebe at computer.org (Internet)", %%% codetable = "ISO/ASCII", %%% keywords = "bibliography, BibTeX, ACM Transactions %%% on Information and System Security", %%% license = "public domain", %%% supported = "yes", %%% docstring = "This is a COMPLETE BibTeX bibliography for %%% the journal ACM Transactions on Information %%% and System Security (CODEN ATISBQ, ISSN %%% 1094-9224 (print), 1557-7406 (electronic)), %%% covering all journal issues from 1998 -- %%% date. %%% %%% At version 1.33, the COMPLETE journal %%% coverage looked like this: %%% %%% 1998 ( 5) 2003 ( 17) 2008 ( 42) %%% 1999 ( 15) 2004 ( 20) 2009 ( 19) %%% 2000 ( 12) 2005 ( 16) 2010 ( 31) %%% 2001 ( 14) 2006 ( 16) 2011 ( 32) %%% 2002 ( 17) 2007 ( 12) 2012 ( 5) %%% %%% Article: 273 %%% %%% Total entries: 273 %%% %%% The journal Web page can be found at: %%% %%% http://www.acm.org/pubs/tissec %%% %%% The journal table of contents page is at: %%% %%% http://www.acm.org/pubs/contents/journals/tissec/ %%% http://portal.acm.org/browse_dl.cfm?idx=J789 %%% %%% The initial draft was extracted from the %%% journal Web site. %%% %%% ACM copyrights explicitly permit abstracting %%% with credit, so article abstracts, keywords, %%% and subject classifications have been %%% included in this bibliography wherever %%% available. Article reviews have been %%% omitted, until their copyright status has %%% been clarified. %%% %%% URL keys in the bibliography point to %%% World Wide Web locations of additional %%% information about the entry. %%% %%% Numerous errors in the sources noted above %%% have been corrected. Spelling has been %%% verified with the UNIX spell and GNU ispell %%% programs using the exception dictionary %%% stored in the companion file with extension %%% .sok. %%% %%% BibTeX citation tags are uniformly chosen %%% as name:year:abbrev, where name is the %%% family name of the first author or editor, %%% year is a 4-digit number, and abbrev is a %%% 3-letter condensation of important title %%% words. Citation tags were automatically %%% generated by software developed for the %%% BibNet Project. %%% %%% In this bibliography, entries are sorted in %%% publication order, using ``bibsort -byvolume.'' %%% %%% The checksum field above contains a CRC-16 %%% checksum as the first value, followed by the %%% equivalent of the standard UNIX wc (word %%% count) utility output of lines, words, and %%% characters. This is produced by Robert %%% Solovay's checksum utility.", %%% } %%% ==================================================================== @Preamble{"\input bibnames.sty"} %%% ==================================================================== %%% Acknowledgement abbreviations: @String{ack-nhfb = "Nelson H. F. Beebe, University of Utah, Department of Mathematics, 110 LCB, 155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA, Tel: +1 801 581 5254, FAX: +1 801 581 4148, e-mail: \path|beebe@math.utah.edu|, \path|beebe@acm.org|, \path|beebe@computer.org| (Internet), URL: \path|http://www.math.utah.edu/~beebe/|"} %%% ==================================================================== %%% Journal abbreviations: @String{j-TISSEC = "ACM Transactions on Information and System Security"} %%% ==================================================================== %%% Bibliography entries: @Article{Sandhu:1998:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "1", number = "1", pages = "1--2", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p1-sandhu/", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bergadano:1998:HDC, author = "Francesco Bergadano and Bruno Crispo and Giancarlo Ruffo", title = "High dictionary compression for proactive password checking", journal = j-TISSEC, volume = "1", number = "1", pages = "3--25", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p3-bergadano/", abstract = "The important problem of user password selection is addressed and a new proactive password-checking technique is presented. In a training phase, a decision tree is generated based on a given dictionary of weak passwords. Then, the decision tree is used to determine whether a user password should be accepted. Experimental results described here show that the method leads to a very high dictionary compression (up to 1000 to 1) with low error rates (of the order of 1\%). A prototype implementation, called ProCheck, is made available online. We survey previous approaches to proactive password checking, and provide an in-depth comparison.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "experimentation; management; performance; security", subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Authentication. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection, Authentication.", } @Article{Bertino:1998:EBI, author = "Elisa Bertino and Sabrina {De Capitani Di Vimercati} and Elena Ferrari and Pierangela Samarati", title = "Exception-based information flow control in object-oriented systems", journal = j-TISSEC, volume = "1", number = "1", pages = "26--65", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p26-bertino/", abstract = "We present an approach to control information flow in object-oriented systems. The decision of whether an information flow is permitted or denied depends on both the authorizations specified on the objects and the process by which information is obtained and transmitted. Depending on the specific computations, a process accessing sensitive information could still be allowed to release information to users who are not allowed to directly access it. Exceptions to the permissions and restrictions stated by the authorizations are specified by means of exceptions associated with methods. Two kinds of exceptions are considered: {\em invoke exceptions,\/} applicable during a method execution and {\em reply exceptions\/} applicable to the information returned by a method. Information flowing from one object into another or returned to the user is subject to the different exceptions specified for the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction and define the conditions for safe information flow. We define security specifications and characterize safe information flows. We propose an approach to control unsafe flows and present an algorithm to enforce it. We also illustrate an efficient implementation of our controls and present some experimental results evaluating its performance.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "security", subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT, Database Administration, Security, integrity, and protection. {\bf H.2.4} Information Systems, DATABASE MANAGEMENT, Systems, Object-oriented databases.", } @Article{Reiter:1998:CAW, author = "Michael K. Reiter and Aviel D. Rubin", title = "Crowds: anonymity for {Web} transactions", journal = j-TISSEC, volume = "1", number = "1", pages = "66--92", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p66-reiter/", abstract = "In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of ``blending into a crowd,'' operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces {\em degrees of anonymity\/} as an important tool for describing and proving anonymity properties.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "security", subject = "{\bf C.2.2} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Network Protocols, Applications (SMTP, FTP, etc.). {\bf C.2.0} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, General, Security and protection (e.g., firewalls). {\bf K.4.1} Computing Milieux, COMPUTERS AND SOCIETY, Public Policy Issues, Privacy. {\bf K.4.4} Computing Milieux, COMPUTERS AND SOCIETY, Electronic Commerce, Security.", } @Article{Sandhu:1998:MRM, author = "Ravi Sandhu and Fang Chen", title = "The multilevel relational ({MLR}) data model", journal = j-TISSEC, volume = "1", number = "1", pages = "93--132", month = nov, year = "1998", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p93-sandhu/", abstract = "Many multilevel relational models have been proposed; different models offer different advantages. In this paper, we adapt and refine several of the best ideas from previous models and add new ones to build the new Multilevel Relational (MLR) data model. MLR provides multilevel relations with element-level labeling as a natural extension of the traditional relational data model. MLR introduces several new concepts (notably, data-borrow integrity and the UPLEVEL statement) and significantly redefines existing concepts (polyinstantiation and referential integrity as well as data manipulation operations). A central contribution of this paper is proofs of soundness, completeness, and security of MLR. A new {\em data-based\/} semantics is given for the MLR data model by combining ideas from SeaView, belief-based semantics, and LDV. This new semantics has the advantages of both eliminating ambiguity and retaining upward information flow. MLR is secure, unambiguous, and powerful. It has five integrity properties and five operations for manipulating multilevel relations. Soundness, completeness, and security show that any of the five database manipulation operations will keep database states legal (i.e., satisfy all integrity properties), that every legal database state can be constructed, and that MLR is noninterfering. The expressive power of MLR also compares favorably with several other models.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "security", subject = "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT, Database Administration, Security, integrity, and protection.", } @Article{Sandhu:1999:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "2", number = "1", pages = "1--2", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 10:21:44 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-1/p1-sandhu/", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Nyanchama:1999:RGM, author = "Matunda Nyanchama and Sylvia Osborn", title = "The role graph model and conflict of interest", journal = j-TISSEC, volume = "2", number = "1", pages = "3--33", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p3-nyanchama/", abstract = "We describe in more detail than before the reference model for role-based access control introduced by Nyanchama and Osborn, and the role-graph model with its accompanying algorithms, which is one way of implementing role-role relationships. An alternative role insertion algorithm is added, and it is shown how the role creation policies of Fernandez et al. correspond to role addition algorithms in our model. We then use our reference model to provide a taxonomy for kinds of conflict. We then go on to consider in some detail privilege-privilege and role-role conflicts in conjunction with the role graph model. We show how role-role conflicts lead to a partitioning of the role graph into nonconflicting collections that can together be safely authorized to a given user. Finally, in an appendix, we present the role graph algorithms with additional logic to disallow roles that contain conflicting privileges.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "algorithms; management; security", subject = "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection. {\bf G.2.2} Mathematics of Computing, DISCRETE MATHEMATICS, Graph Theory, Graph algorithms.", } @Article{Ferraiolo:1999:RBA, author = "David F. Ferraiolo and John F. Barkley and D. Richard Kuhn", title = "A role-based access control model and reference implementation within a corporate intranet", journal = j-TISSEC, volume = "2", number = "1", pages = "34--64", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p34-ferraiolo/", abstract = "This paper describes NIST's enhanced RBAC model and our approach to designing and implementing RBAC features for networked Web servers. The RBAC model formalized in this paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype implementations, market analysis, and observations made by Jansen [1988] and Hoffman [1996]. The implementation of RBAC for the Web (RBAC/Web) provides an alternative to the conventional means of administering and enforcing authorization policy on a server-by-server basis. RBAC/Web provides administrators with a means of managing authorization data at the enterprise level, in a manner consistent with the current set of laws, regulations, and practices.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "security; standardization", subject = "{\bf C.2.4} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Distributed Systems. {\bf C.2.5} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Local and Wide-Area Networks. {\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf D.4.7} Software, OPERATING SYSTEMS, Organization and Design, Distributed systems.", } @Article{Bertino:1999:SEA, author = "Elisa Bertino and Elena Ferrari and Vijay Atluri", title = "The specification and enforcement of authorization constraints in workflow management systems", journal = j-TISSEC, volume = "2", number = "1", pages = "65--104", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p65-bertino/", abstract = "In recent years, workflow management systems (WFMSs) have gained popularity in both research and commercial sectors. WFMSs are used to coordinate and streamline business processes. Very large WFMSs are often used in organizations with users in the range of several thousands and process instances in the range of tens and thousands. To simplify the complexity of security administration, it is common practice in many businesses to allocate a role for each activity in the process and then assign one or more users to each role---granting an authorization to roles rather than to users. Typically, security policies are expressed as constraints (or rules) on users and roles; {\em separation of duties\/} is a well-known constraint. Unfortunately, current role-based access control models are not adequate to model such constraints. To address this issue we (1) present a language to express both static and dynamic authorization constraints as clauses in a logic program; (2) provide formal notions of constraint consistency; and (3) propose algorithms to check the consistency of constraints and assign users and roles to tasks that constitute the workflow in such a way that no constraints are violated.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "security", subject = "{\bf H.2.0} Information Systems, DATABASE MANAGEMENT, General, Security, integrity, and protection**.", } @Article{Sandhu:1999:AMR, author = "Ravi Sandhu and Venkata Bhamidipati and Qamar Munawer", title = "The {ARBAC97} model for role-based administration of roles", journal = j-TISSEC, volume = "2", number = "1", pages = "105--135", month = feb, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jul 27 17:35:45 MDT 1999", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p105-sandhu/", abstract = "In role-based access control (RBAC), permissions are associated with roles' and users are made members of roles, thereby acquiring the roles; permissions. RBAC's motivation is to simplify administration of authorizations. An appealing possibility is to use RBAC itself to manage RBAC, to further provide administrative convenience and scalability, especially in decentralizing administrative authority, responsibility, and chores. This paper describes the motivation, intuition, and formal definition of a new role-based model for RBAC administration. This model is called ARBAC97 (administrative RBAC '97) and has three components: URA97 (user-role assignment '97), RPA97 (permission-role assignment '97), and RRA97 (role-role assignment '97) dealing with different aspects of RBAC administration. URA97, PRA97, and an outline of RRA97 were defined in 1997, hence the designation given to the entire model. RRA97 was completed in 1998. ARBAC97 is described completely in this paper for the first time. We also discusses possible extensions of ARBAC97.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "algorithms; management; security", subject = "{\bf C.2.4} Computer Systems Organization, COMPUTER-COMMUNICATION NETWORKS, Distributed Systems. {\bf D.4.6} Software, OPERATING SYSTEMS, Security and Protection, Access controls. {\bf D.4.7} Software, OPERATING SYSTEMS, Organization and Design, Distributed systems. {\bf G.2.2} Mathematics of Computing, DISCRETE MATHEMATICS, Graph Theory, Graph algorithms. {\bf H.2.0} Information Systems, DATABASE MANAGEMENT, General, Security, integrity, and protection**. {\bf K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS, Security and Protection.", } @Article{Reiter:1999:AMA, author = "Michael K. Reiter and Stuart G. Stubblebine", title = "Authentication metric analysis and design", journal = j-TISSEC, volume = "2", number = "2", pages = "138--158", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p138-reiter/", abstract = "Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Thus, several authors have proposed metrics to evaluate the confidence afforded by a set of paths. In this paper we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches failed with respect to these principles and what the consequences to authentication might be. We then propose a new metric that appears to meet our principles, and so to be a satisfactory metric of authentication.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Measurement; Security", keywords = "metrics of authentication; public key infrastructure", subject = "Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Schneier:1999:SAL, author = "Bruce Schneier and John Kelsey", title = "Secure Audit Logs to Support Computer Forensics", journal = j-TISSEC, volume = "2", number = "2", pages = "159--176", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p159-schneier/", abstract = "In many real-world applications, sensitive information must be kept it log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to modify or destroy undetectably.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security", keywords = "audit logs; auditing; authentication; computer forensics; hash chains; intrusion detection", subject = "Computer Systems Organization --- Computer-Communication Networks --- Distributed Systems (C.2.4); Computer Systems Organization --- Computer-Communication Networks (C.2); Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0); Computer Systems Organization --- Computer-Communication Networks --- Network Protocols (C.2.2)", } @Article{Jaeger:1999:FCD, author = "Trent Jaeger and Atul Prakash and Jochen Liedtke and Nayeem Islam", title = "Flexible Control of Downloaded Executable Content", journal = j-TISSEC, volume = "2", number = "2", pages = "177--228", month = may, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p177-jaeger/", abstract = "We present a security architecture that enables system and application access control requirements to be enforced on applications composed from downloaded executable content. Downloaded executable content consists of messages downloaded from remote hosts that contain executables that run, upon receipt, on the downloading principal's machine. Unless restricted, this content can perform malicious actions, including accessing its downloading principal's private data and sending messages on this principal's behalf. Current security architectures for controlling downloaded executable content (e.g., JDK 1.2) enable specification of access control requirements for content based on its provider and identity. Since these access control requirements must cover every legal use of the class, they may include rights that are not necessary for a particular application of content. Therefore, using these systems, an application composed from downloaded executable content cannot enforce its access control requirements without the addition of application-specific security mechanisms. In this paper, we define an access control model with the following properties: (1) system administrators can define system access control requirements on applications and (2) application developers can use the same model to enforce application access control requirements without the need for ad hoc security mechanisms. This access control model uses features of role-based access control models to enable (1) specification of a single role that applies to multiple application instances; (2) selection of a content's access rights based on the content's application and role in the application; (3) consistency maintained between application state and content access rights; and (4) control of role administration. We detail a system architecture that uses this access control model to implement secure collaborative applications. Lastly, we describe an implementation of this architecture, called the Lava security architecture.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Management; Security", keywords = "access control models; authentication; authorization mechanisms; collaborative systems; role-based access control", subject = "Software --- Software Engineering --- Management (D.2.9): {\bf Software configuration management}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Access controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Invasive software}; Computing Milieux --- Management of Computing and Information Systems --- System Management (K.6.4): {\bf Centralization/decentralization}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Invasive software}", } @Article{Halevi:1999:PKC, author = "Shai Halevi and Hugo Krawczyk", title = "Public-Key Cryptography and Password Protocols", journal = j-TISSEC, volume = "2", number = "3", pages = "230--268", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p230-halevi/", abstract = "We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password authentication protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we describe ways to enhance these protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that strongly indicates that public key techniques are unavoidable for password protocols that resist off-line guessing attacks. \par As a further contribution, we introduce the notion of {\em public passwords\/} that enables the use of the above protocols in situations where the client's machine does not have the means to validate the server's public key. Public passwords serve as ``hand-held certificates'' that the user can carry without the need for special computing devices.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "dictionary attacks; hand-held certificates; key exchange; passwords; public passwords; public-key protocols", subject = "Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0): {\bf Security and protection (e.g., firewalls)}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Xu:1999:DHP, author = "Jun Xu and Mukesh Singhal", title = "Design of a High-Performance {ATM} Firewall", journal = j-TISSEC, volume = "2", number = "3", pages = "269--294", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p269-xu/", abstract = "A router-based packet-filtering firewall is an effective way of protecting an enterprise network from unauthorized access. However, it will not work efficiently in an ATM network because it requires the termination of end-to-end ATM connections at a packet-filtering router, which incurs huge overhead of SAR (Segmentation and Reassembly). Very few approaches to this problem have been proposed in the literature, and none is completely satisfactory. In this paper we present the hardware design of a high-speed ATM firewall that does not require the termination of an end-to-end connection in the middle. We propose a novel firewall design philosophy, called Quality of Firewalling (QoF), that applies security measures of different strength to traffic with different risk levels and show how it can be implemented in our firewall. Compared with the traditional firewalls, this ATM firewall performs exactly the same packet-level filtering without compromising the performance and has the same ``look and feel'' by sitting at the chokepoint between the trusted ATM LAN and untrusted ATM WAN. It is also easy to manage and flexible to use.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "asynchronous transfer mode; firewall; packet filtering; switch architecture; TCP/IP", subject = "Computer Systems Organization --- Performance of Systems (C.4): {\bf Performance attributes}; Computer Systems Organization --- Performance of Systems (C.4); Computer Systems Organization --- Computer-Communication Networks --- General (C.2.0); Computer Systems Organization --- Computer-Communication Networks --- Network Architecture and Design (C.2.1): {\bf Asynchronous Transfer Mode (ATM)}; Computer Systems Organization --- Computer-Communication Networks --- Internetworking (C.2.6): {\bf Routers}; Computer Systems Organization --- Computer-Communication Networks --- Local and Wide-Area Networks (C.2.5)", } @Article{Lane:1999:TSL, author = "Terran Lane and Carla E. Brodley", title = "Temporal sequence learning and data reduction for anomaly detection", journal = j-TISSEC, volume = "2", number = "3", pages = "295--331", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p295-lane/", abstract = "The anomaly-detection problem can be formulated as one of learning to characterize the behaviors of an individual, system, or network in terms of temporal sequences of discrete data. We present an approach on the basis of instance-based learning (IBL) techniques. To cast the anomaly-detection task in an IBL framework, we employ an approach that transforms temporal sequences of discrete, unordered observations into a metric space via a similarity measure that encodes intra-attribute dependencies. Classification boundaries are selected from an {\em a posteriori\/} characterization of valid user behaviors, coupled with a domain heuristic. An empirical evaluation of the approach on user command data demonstrates that we can accurately differentiate the profiled user from alternative users when the available features encode sufficient information. Furthermore, we demonstrate that the system detects anomalous conditions {\em quickly\/} --- an important quality for reducing potential damage by a malicious user. We present several techniques for reducing data storage requirements of the user profile, including instance-selection methods and clustering. As empirical evaluation shows that a new greedy clustering algorithm reduces the size of the user model by 70\%, with only a small loss in accuracy.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "anomaly detection; clustering; data reduction; empirical evaluation; instance based learning; machine learning; user profiling", subject = "Software --- Operating Systems --- Security and Protection (D.4.6)", } @Article{Paulson:1999:IAI, author = "Lawrence C. Paulson", title = "Inductive analysis of the {Internet} protocol {TLS}", journal = j-TISSEC, volume = "2", number = "3", pages = "332--351", month = aug, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p332-paulson/", abstract = "Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higher-order logic and make no assumptions concerning beliefs of finiteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys are compromised. The proofs suggest minor changes to simplify the analysis. \par TLS, even at an abstract level, is much more complicated than most protocols verified by researchers. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Netherless, the resources needed to verify TLS are modest: six man-weeks of effort and three minutes of processor time.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security; Verification", keywords = "authentication; inductive method; Isabelle; proof tools; TLS", subject = "Theory of Computation --- Logics and Meanings of Programs --- Specifying and Verifying and Reasoning about Programs (F.3.1): {\bf Mechanical verification}; Computer Systems Organization --- Computer-Communication Networks --- Network Protocols (C.2.2): {\bf Protocol verification}", } @Article{Stubblebine:1999:UST, author = "Stuart G. Stubblebine and Paul F. Syverson and David M. Goldschlag", title = "Unlinkable serial transactions: protocols and applications", journal = j-TISSEC, volume = "2", number = "4", pages = "354--389", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/articles/journals/tissec/1999-2-4/p354-stubblebine/p354-stubblebine.pdf; http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p354-stubblebine/", abstract = "We present a protocol for unlinkable serial transactions suitable for a variety of network-based subscription services. It is the first protocol to use cryptographic blinding to enable subscription services. The protocol prevents the service from tracking the behavior of its customers, while protecting the service vendor from abuse due to simultaneous or cloned use by a single subscriber. Our basic protocol structure and recovery protocol are robust against failure in protocol termination. We evaluate the security of the basic protocol and extend the basic protocol to include auditing, which further deters subscription sharing. We describe other applications of unlinkable serial transactions for pay-per-use trans subscription, third-party subscription management, multivendor coupons, proof of group membership, and voting.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Design; Security; Verification", keywords = "anonymity; blinding; cryptographic protocols; unlinkable serial transactions", subject = "Computer Applications --- Administrative Data Processing (J.1); Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Access controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Cryptographic controls}; Software --- Operating Systems --- Security and Protection (D.4.6): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5); Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}; Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Unauthorized access (e.g., hacking, phreaking)}; Information Systems --- Information Storage and Retrieval --- Systems and Software (H.3.4): {\bf User profiles and alert services}; Information Systems --- Database Management --- Systems (H.2.4): {\bf Transaction processing}; Information Systems --- Information Storage and Retrieval --- Digital Libraries (H.3.7): {\bf User issues}", } @Article{Gabber:1999:SPC, author = "Eran Gabber and Phillip B. Gibbons and David M. Kristol and Yossi Matias and Alain Mayer", title = "On secure and pseudonymous client-relationships with multiple servers", journal = j-TISSEC, volume = "2", number = "4", pages = "390--415", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p390-gabber/", abstract = "This paper introduces a cryptographic engine, Janus, which assists clients in establishing and maintaining secure and pseudonymous relationships with multiple servers. The setting is such that clients reside on a particular subnet (e.g., corporate intranet, ISP) and the servers reside anywhere on the Internet. The Janus engine allows each client-server relationship to use either weak or strong authentication on each interaction. At the same time, each interaction preserves privacy by neither revealing a clients true identity (except for the subnet) nor the set of servers with which a particular client interacts. Furthermore, clients do not need any secure long-term memory, enabling scalability and mobility. The interaction model extends to allow servers to send data back to clients via e-mail at a later date. Hence, our results complement the functionality of current network anonymity tools and remailers. The paper also describes the design and implementation of the Lucent Personalized Web Assistant (LPWA), which is a practical system that provides secure and pseudonymous relations with multiple servers on the Internet. LPWA employs the Janus function to generate site-specific person?, which consist of alias usernames, passwords, and e-mail addresses.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Algorithms; Experimentation; Security", keywords = "anonymity; Janus function; mailbox; persistent relationship; privacy; pseudonym", subject = "Computing Milieux --- Management of Computing and Information Systems --- Security and Protection (K.6.5): {\bf Authentication}", } @Article{Hevia:1999:STD, author = "Alejandro Hevia and Marcos Kiwi", title = "Strength of Two {Data Encryption Standard} Implementations under Timing Attack", journal = j-TISSEC, volume = "2", number = "4", pages = "416--437", month = nov, year = "1999", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Oct 26 11:39:38 MDT 2000", bibsource = "http://www.acm.org/tissec/contents/v2no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", URL = "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p416-hevia/", abstract = "We study the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack. A timing attack is a method, recently proposed by Paul Kocher, that is designed to break cryptographic systems. It exploits the engineering aspects involved in the implementation of cryptosystems and might succeed even against cryptosystems that remain impervious to sophisticated cryptanalytic techniques. A timing attack is, essentially, a way of obtaining some users private information by carefully measuring the time it takes the user to carry out cryptographic operations. In this work, we analyze two implementations of DES. We show that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. We also show that all the design characteristics of the target system, necessary to carry out the timing attack, can be inferred from timing measurements.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", generalterms = "Security", keywords = "cryptanalysis; cryptography; data encryption standard; timing attack", subject = "Data --- Data Encryption (E.3): {\bf Data encryption standard (DES)**}; Computer Systems Organization --- Special-Purpose and Application-Based Systems (C.3)", } @Article{Frincke:2000:BCR, author = "Deborah Frincke", title = "Balancing Cooperation and Risk in Intrusion Detection", journal = j-TISSEC, volume = "3", number = "1", pages = "1--29", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Schneider:2000:ESP, author = "Fred B. Schneider", title = "Enforceable Security Policies", journal = j-TISSEC, volume = "3", number = "1", pages = "30--50", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Spinellis:2000:RMS, author = "Diomidis Spinellis", title = "Reflection as a Mechanism for Software Integrity Verification", journal = j-TISSEC, volume = "3", number = "1", pages = "51--62", month = feb, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Dolev:2000:XTE, author = "Shlomi Dolev and Rafail Ostrovsky", title = "Xor-Trees for Efficient Anonymous Multicast and Reception", journal = j-TISSEC, volume = "3", number = "2", pages = "63--84", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Osborn:2000:CRB, author = "Sylvia Osborn and Ravi Sandhu and Qamar Munawer", title = "Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies", journal = j-TISSEC, volume = "3", number = "2", pages = "85--106", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Wool:2000:KME, author = "Avishai Wool", title = "Key Management for Encrypted Broadcast", journal = j-TISSEC, volume = "3", number = "2", pages = "107--134", month = may, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Molva:2000:SMS, author = "Refik Molva and Alain Pannetrat", title = "Scalable Multicast Security with Dynamic Recipient Groups", journal = j-TISSEC, volume = "3", number = "3", pages = "136--160", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Cramer:2000:SSB, author = "Ronald Cramer and Victor Shoup", title = "Signature Schemes Based on the Strong {RSA} Assumption", journal = j-TISSEC, volume = "3", number = "3", pages = "161--185", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Axelsson:2000:BRF, author = "Stefan Axelsson", title = "The Base-Rate Fallacy and the Difficulty of Intrusion Detection", journal = j-TISSEC, volume = "3", number = "3", pages = "186--205", month = aug, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ahn:2000:RBA, author = "Gail-Joon Ahn and Ravi Sandhu", title = "Role-based Authorization Constraints Specification", journal = j-TISSEC, volume = "3", number = "4", pages = "207--226", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Lee:2000:FCF, author = "Wenke Lee and Salvatore J. Stolfo", title = "A Framework for Constructing Features and Models for Intrusion Detection Systems", journal = j-TISSEC, volume = "3", number = "4", pages = "227--261", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{McHugh:2000:TID, author = "John McHugh", title = "Testing Intrusion detection systems: a critique of the 1998 and 1999 {DARPA} intrusion detection system evaluations as performed by {Lincoln Laboratory}", journal = j-TISSEC, volume = "3", number = "4", pages = "262--294", month = nov, year = "2000", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v3no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Chang:2001:RTP, author = "Ho-Yen Chang and S. Felix Wu and Y. Frank Jou", title = "Real-Time Protocol Analysis for Detecting Link-State Routing Protocol Attacks", journal = j-TISSEC, volume = "4", number = "1", pages = "1--36", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v4no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Park:2001:RBA, author = "Joon S. Park and Ravi Sandhu and Gail-Joon Ahn", title = "Role-based access control on the {Web}", journal = j-TISSEC, volume = "4", number = "1", pages = "37--71", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Smith:2001:CPH, author = "Richard E. Smith", title = "Cost Profile of a Highly Assured, Secure Operating System", journal = j-TISSEC, volume = "4", number = "1", pages = "72--101", month = feb, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/v4no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Shands:2001:SVE, author = "Deborah Shands and Jay Jacobs and Richard Yee and E. John Sebes", title = "Secure Virtual Enclaves: Supporting Coalition Use of Distributed Application Technologies", journal = j-TISSEC, volume = "4", number = "2", pages = "103--133", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Steiner:2001:SPB, author = "Michael Steiner and Peter Buhler and Thomas Eirich and Michael Waidner", title = "Secure Password-Based Cipher Suite for {TLS}", journal = j-TISSEC, volume = "4", number = "2", pages = "134--157", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Jaeger:2001:PSF, author = "Trent Jaeger and Jonathon E. Tidswell", title = "Practical Safety in Flexible Access Control Models", journal = j-TISSEC, volume = "4", number = "2", pages = "158--190", month = may, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:22 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bertino:2001:TTR, author = "Elisa Bertino and Piero Andrea Bonatti and Elena Ferrari", title = "{TRBAC}: {A} Temporal Role-based Access Control Model", journal = j-TISSEC, volume = "4", number = "3", pages = "191--223", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ferraiolo:2001:PNS, author = "David F. Ferraiolo and Ravi Sandhu and Serban Gavrila and D. Richard Kuhn and Ramaswamy Chandramouli", title = "Proposed {NIST} standard for role-based access control", journal = j-TISSEC, volume = "4", number = "3", pages = "224--274", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Kaliski:2001:UKS, author = "Burton S. Kaliski", title = "An unknown key-share attack on the {MQV} key agreement protocol", journal = j-TISSEC, volume = "4", number = "3", pages = "275--288", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Rodeh:2001:APS, author = "Ohad Rodeh and Kenneth P. Birman and Danny Dolev", title = "The Architecture and Performance of Security Protocols in the {Ensemble Group Communication System}: Using Diamonds to Guard the Castle", journal = j-TISSEC, volume = "4", number = "3", pages = "289--319", month = aug, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bertino:2001:NTM, author = "Elisa Bertino and Barbara Catania and Elena Ferrari", title = "A Nested Transaction Model for Multilevel Secure Database Management Systems", journal = j-TISSEC, volume = "4", number = "4", pages = "321--370", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Kihlstrom:2001:SGC, author = "Kim Potter Kihlstrom and L. E. Moser and P. M. Melliar-Smith", title = "The SecureRing group communication system", journal = j-TISSEC, volume = "4", number = "4", pages = "371--406", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ning:2001:ABI, author = "Peng Ning and Sushil Jajodia and Xiaoyang Sean Wang", title = "Abstraction-based intrusion detection in distributed environments", journal = j-TISSEC, volume = "4", number = "4", pages = "407--452", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.acm.org/tissec/contents/v4no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Samarati:2001:AMP, author = "Pierangela Samarati and Michael K. Reiter and Sushil Jajodia", title = "An authorization model for a public key management service", journal = j-TISSEC, volume = "4", number = "4", pages = "453--482", month = nov, year = "2001", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 25 16:47:23 MST 2002", bibsource = "http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bonatti:2002:ACA, author = "Piero Bonatti and Sabrina {De Capitani di Vimercati} and Pierangela Samarati", title = "An Algebra for Composing Access Control Policies", journal = j-TISSEC, volume = "5", number = "1", pages = "1--35", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bernaschi:2002:RSE, author = "Massimo Bernaschi and Emanuele Gabrielli and Luigi V. Mancini", title = "{REMUS}: {A} Security-Enhanced Operating System", journal = j-TISSEC, volume = "5", number = "1", pages = "36--61", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no1.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Atluri:2002:AMT, author = "Vijayalakshmi Atluri and Avigdor Gal", title = "An authorization model for temporal and derived data: securing information portals", journal = j-TISSEC, volume = "5", number = "1", pages = "62--94", month = feb, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Blaze:2002:TMI, author = "Matt Blaze and John Ioannidis and Angelos D. Keromytis", title = "Trust Management for {IPsec}", journal = j-TISSEC, volume = "5", number = "2", pages = "95--118", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 25 16:54:06 MDT 2001", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Dean:2002:AAI, author = "Drew Dean and Matt Franklin and Adam Stubblefield", title = "An Algebraic Approach to {IP} Traceback", journal = j-TISSEC, volume = "5", number = "2", pages = "119--137", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no3.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Rudys:2002:TLB, author = "Algis Rudys and Dan S. Wallach", title = "Termination in language-based systems", journal = j-TISSEC, volume = "5", number = "2", pages = "138--168", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Damiani:2002:FGA, author = "Ernesto Damiani and Sabrina {De Capitani di Vimercati} and Stefano Paraboschi and Pierangela Samarati", title = "A Fine-Grained Access Control System for {XML} Documents", journal = j-TISSEC, volume = "5", number = "2", pages = "169--202", month = may, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:35 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Michael:2002:SSB, author = "C. C. Michael and Anup Ghosh", title = "Simple, state-based approaches to program-based anomaly detection", journal = j-TISSEC, volume = "5", number = "3", pages = "203--237", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Viega:2002:TBS, author = "John Viega and J. T. Bloch and Tadayoshi Kohno and Gary McGraw", title = "Token-based scanning of source code for security problems", journal = j-TISSEC, volume = "5", number = "3", pages = "238--261", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "ITS4", } @Article{Loughry:2002:ILO, author = "Joe Loughry and David A. Umphress", title = "Information leakage from optical emanations", journal = j-TISSEC, volume = "5", number = "3", pages = "262--289", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bertino:2002:SSD, author = "Elisa Bertino and Elena Ferrari", title = "Secure and Selective Dissemination of {XML} Documents", journal = j-TISSEC, volume = "5", number = "3", pages = "290--331", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no2.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Koch:2002:GBF, author = "Manuel Koch and Luigi V. Mancini and Francesco Parisi-Presicce", title = "A graph-based formalism for {RBAC}", journal = j-TISSEC, volume = "5", number = "3", pages = "332--365", month = aug, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bergadano:2002:UAT, author = "Francesco Bergadano and Daniele Gunetti and Claudia Picardi", title = "User authentication through keystroke dynamics", journal = j-TISSEC, volume = "5", number = "4", pages = "367--397", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Swift:2002:IGA, author = "Michael M. Swift and Anne Hopkins and Peter Brundrett and Cliff Van Dyke and Praerit Garg and Shannon Chan and Mario Goertzel and Gregory Jensenworth", title = "Improving the granularity of access control for {Windows 2000}", journal = j-TISSEC, volume = "5", number = "4", pages = "398--437", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Gordon:2002:EIS, author = "Lawrence A. Gordon and Martin P. Loeb", title = "The economics of information security investment", journal = j-TISSEC, volume = "5", number = "4", pages = "438--457", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Harbitter:2002:MAP, author = "Alan Harbitter and Daniel A. Menasc{\'e}", title = "A methodology for analyzing the performance of authentication protocols", journal = j-TISSEC, volume = "5", number = "4", pages = "458--491", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bacon:2002:MOR, author = "Jean Bacon and Ken Moody and Walt Yao", title = "A model of {OASIS} role-based access control and its support for active security", journal = j-TISSEC, volume = "5", number = "4", pages = "492--540", month = nov, year = "2002", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:36 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Yu:2003:SSC, author = "Ting Yu and Marianne Winslett and Kent E. Seamons", title = "Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation", journal = j-TISSEC, volume = "6", number = "1", pages = "1--42", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Halpern:2003:RBS, author = "Joseph Y. Halpern and Riccardo Pucella", title = "On the relationship between strand spaces and multi-agent systems", journal = j-TISSEC, volume = "6", number = "1", pages = "43--70", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bertino:2003:LFR, author = "Elisa Bertino and Barbara Catania and Elena Ferrari and Paolo Perlasca", title = "A Logical Framework for Reasoning about Access Control Models", journal = j-TISSEC, volume = "6", number = "1", pages = "71--127", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.acm.org/tissec/contents/v5no4.html; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2003:DLL, author = "Ninghui Li and Benjamin N. Grosof and Joan Feigenbaum", title = "Delegation logic: {A} logic-based approach to distributed authorization", journal = j-TISSEC, volume = "6", number = "1", pages = "128--171", month = feb, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Chari:2003:BPD, author = "Suresh N. Chari and Pau-Chen Cheng", title = "{BlueBoX}: {A} policy-driven, host-based intrusion detection system", journal = j-TISSEC, volume = "6", number = "2", pages = "173--200", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Crampton:2003:ASF, author = "Jason Crampton and George Loizou", title = "Administrative scope: {A} foundation for role-based administrative models", journal = j-TISSEC, volume = "6", number = "2", pages = "201--231", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Karjoth:2003:ACI, author = "G{\"u}nter Karjoth", title = "Access control with {IBM Tivoli} access manager", journal = j-TISSEC, volume = "6", number = "2", pages = "232--257", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Park:2003:EMS, author = "Jung Min Park and Edwin K. P. Chong and Howard Jay Siegel", title = "Efficient multicast stream authentication using erasure codes", journal = j-TISSEC, volume = "6", number = "2", pages = "258--285", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Wijesekera:2003:PPA, author = "Duminda Wijesekera and Sushil Jajodia", title = "A propositional policy algebra for access control", journal = j-TISSEC, volume = "6", number = "2", pages = "286--325", month = may, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Aug 7 09:02:37 MDT 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Jaeger:2003:PMU, author = "Trent Jaeger and Xiaolan Zhang and Fidel Cacheda", title = "Policy management using access control spaces", journal = j-TISSEC, volume = "6", number = "3", pages = "327--364", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Rogaway:2003:OBC, author = "Phillip Rogaway and Mihir Bellare and John Black", title = "{OCB}: {A} block-cipher mode of operation for efficient authenticated encryption", journal = j-TISSEC, volume = "6", number = "3", pages = "365--403", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Zhang:2003:RBF, author = "Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu", title = "A rule-based framework for role-based delegation and revocation", journal = j-TISSEC, volume = "6", number = "3", pages = "404--441", month = aug, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:09 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Julisch:2003:CID, author = "Klaus Julisch", title = "Clustering intrusion detection alarms to support root cause analysis", journal = j-TISSEC, volume = "6", number = "4", pages = "443--471", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Persiano:2003:SPS, author = "Pino Persiano and Ivan Visconti", title = "A secure and private system for subscription-based remote services", journal = j-TISSEC, volume = "6", number = "4", pages = "472--500", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Barker:2003:FAC, author = "Steve Barker and Peter J. Stuckey", title = "Flexible access control policy specification with constraint logic programming", journal = j-TISSEC, volume = "6", number = "4", pages = "501--546", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ellison:2003:PKS, author = "Carl Ellison and Steve Dohrmann", title = "Public-key support for group collaboration", journal = j-TISSEC, volume = "6", number = "4", pages = "547--565", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Thompson:2003:CBA, author = "Mary R. Thompson and Abdelilah Essiari and Srilekha Mudumbai", title = "Certificate-based authorization policy in a {PKI} environment", journal = j-TISSEC, volume = "6", number = "4", pages = "566--588", month = nov, year = "2003", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Dec 22 17:56:10 MST 2003", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ateniese:2004:VED, author = "Giuseppe Ateniese", title = "Verifiable encryption of digital signatures and applications", journal = j-TISSEC, volume = "7", number = "1", pages = "1--20", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Levi:2004:UNC, author = "Albert Levi and M. Ufuk Caglayan and Cetin K. Koc", title = "Use of nested certificates for efficient, dynamic, and trust preserving public key infrastructure", journal = j-TISSEC, volume = "7", number = "1", pages = "21--59", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Kim:2004:TBG, author = "Yongdae Kim and Adrian Perrig and Gene Tsudik", title = "Tree-based group key agreement", journal = j-TISSEC, volume = "7", number = "1", pages = "60--96", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Montenegro:2004:CBI, author = "Gabriel Montenegro and Claude Castelluccia", title = "Crypto-based identifiers {(CBIDs)}: {Concepts} and applications", journal = j-TISSEC, volume = "7", number = "1", pages = "97--127", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Park:2004:UUC, author = "Jaehong Park and Ravi Sandhu", title = "The {UCON$_{ABC}$} usage control model", journal = j-TISSEC, volume = "7", number = "1", pages = "128--174", month = feb, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Jaeger:2004:CAA, author = "Trent Jaeger and Antony Edwards and Xiaolan Zhang", title = "Consistency analysis of authorization hook placement in the {Linux} security modules framework", journal = j-TISSEC, volume = "7", number = "2", pages = "175--205", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bellare:2004:BPR, author = "Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre", title = "Breaking and provably repairing the {SSH} authenticated encryption scheme: {A} case study of the Encode-then-Encrypt-and-{MAC} paradigm", journal = j-TISSEC, volume = "7", number = "2", pages = "206--241", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Aiello:2004:JFK, author = "William Aiello and Steven M. Bellovin and Matt Blaze and Ran Canetti and John Ioannidis and Angelos D. Keromytis and Omer Reingold", title = "Just fast keying: {Key} agreement in a hostile {Internet}", journal = j-TISSEC, volume = "7", number = "2", pages = "242--273", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ning:2004:TTA, author = "Peng Ning and Yun Cui and Douglas S. Reeves and Dingbang Xu", title = "Techniques and tools for analyzing intrusion alerts", journal = j-TISSEC, volume = "7", number = "2", pages = "274--318", month = may, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Stubblefield:2004:KRA, author = "Adam Stubblefield and John Ioannidis and Aviel D. Rubin", title = "A key recovery attack on the 802.11b wired equivalent privacy protocol {(WEP)}", journal = j-TISSEC, volume = "7", number = "2", pages = "319--332", month = may, year = "2004", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/996943.996948", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we present a practical key recovery attack on WEP, the link-layer security protocol for 802.11b wireless networks. The attack is based on a partial key exposure vulnerability in the RC4 stream cipher discovered by Fluhrer, Mantin, and Shamir. This paper describes how to apply this flaw to breaking WEP, our implementation of the attack, and optimizations that can be used to reduce the number of packets required for the attack. We conclude that the 802.11b WEP standard is completely insecure, and we provide recommendations on how this vulnerability could be mitigated and repaired.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Carrier:2004:STP, author = "Brian Carrier and Clay Shields", title = "The session token protocol for forensics and traceback", journal = j-TISSEC, volume = "7", number = "3", pages = "333--362", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Wedde:2004:MAA, author = "Horst F. Wedde and Mario Lischka", title = "Modular authorization and administration", journal = j-TISSEC, volume = "7", number = "3", pages = "363--391", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Strembeck:2004:IAE, author = "Mark Strembeck and Gustaf Neumann", title = "An integrated approach to engineer and enforce context constraints in {RBAC} environments", journal = j-TISSEC, volume = "7", number = "3", pages = "392--427", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Hess:2004:CTT, author = "Adam Hess and Jason Holt and Jared Jacobson and Kent E. Seamons", title = "Content-triggered trust negotiation", journal = j-TISSEC, volume = "7", number = "3", pages = "428--456", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Amir:2004:PGK, author = "Yair Amir and Yongdae Kim and Cristina Nita-Rotaru and Gene Tsudik", title = "On the performance of group key agreement protocols", journal = j-TISSEC, volume = "7", number = "3", pages = "457--488", month = aug, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Nov 4 08:41:51 MST 2004", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Wright:2004:PAA, author = "Matthew K. Wright and Micah Adler and Brian Neil Levine and Clay Shields", title = "The predecessor attack: {An} analysis of a threat to anonymous communications systems", journal = j-TISSEC, volume = "7", number = "4", pages = "489--522", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Huang:2004:KCB, author = "Dijiang Huang and Deep Medhi", title = "A key-chain-based keying scheme for many-to-many secure group communication", journal = j-TISSEC, volume = "7", number = "4", pages = "523--552", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Shacham:2004:CSC, author = "Hovav Shacham and Dan Boneh and Eric Rescorla", title = "Client-side caching for {TLS}", journal = j-TISSEC, volume = "7", number = "4", pages = "553--575", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Walcott:2004:TMR, author = "Tom Walcott and Matt Bishop", title = "Traducement: {A} model for record security", journal = j-TISSEC, volume = "7", number = "4", pages = "576--590", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ning:2004:HRA, author = "Peng Ning and Dingbang Xu", title = "Hypothesizing and reasoning about attacks missed by intrusion detection systems", journal = j-TISSEC, volume = "7", number = "4", pages = "591--627", month = nov, year = "2004", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Sandhu:2005:E, author = "Ravi Sandhu", title = "Editorial", journal = j-TISSEC, volume = "8", number = "1", pages = "1--1", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Atluri:2005:P, author = "Vijay Atluri", title = "Preface", journal = j-TISSEC, volume = "8", number = "1", pages = "2--2", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Barrantes:2005:RIS, author = "Elena Gabriela Barrantes and David H. Ackley and Stephanie Forrest and Darko Stefanovi{\'c}", title = "Randomized instruction set emulation", journal = j-TISSEC, volume = "8", number = "1", pages = "3--40", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Liu:2005:EPK, author = "Donggang Liu and Peng Ning and Rongfang Li", title = "Establishing pairwise keys in distributed sensor networks", journal = j-TISSEC, volume = "8", number = "1", pages = "41--77", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Liu:2005:IBM, author = "Peng Liu and Wanyu Zang and Meng Yu", title = "Incentive-based modeling and inference of attacker intent, objectives, and strategies", journal = j-TISSEC, volume = "8", number = "1", pages = "78--118", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ceselli:2005:MAI, author = "Alberto Ceselli and Ernesto Damiani and Sabrina {De Capitani Di Vimercati} and Sushil Jajodia and Stefano Paraboschi and Pierangela Samarati", title = "Modeling and assessing inference exposure in encrypted databases", journal = j-TISSEC, volume = "8", number = "1", pages = "119--152", month = feb, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Mar 24 15:53:55 MST 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ye:2005:TPB, author = "Zishuang (Eileen) Ye and Sean Smith and Denise Anthony", title = "Trusted paths for browsers", journal = j-TISSEC, volume = "8", number = "2", pages = "153--186", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bhatti:2005:XGX, author = "Rafae Bhatti and Arif Ghafoor and Elisa Bertino and James B. D. Joshi", title = "{X-GTRBAC}: an {XML}-based policy specification framework and architecture for enterprise-wide access control", journal = j-TISSEC, volume = "8", number = "2", pages = "187--227", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Du:2005:PKP, author = "Wenliang Du and Jing Deng and Yunghsiang S. Han and Pramod K. Varshney and Jonathan Katz and Aram Khalili", title = "A pairwise key predistribution scheme for wireless sensor networks", journal = j-TISSEC, volume = "8", number = "2", pages = "228--258", month = may, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jul 7 12:29:10 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Zhou:2005:APS, author = "Lidong Zhou and Fred B. Schneider and Robbert {Van Renesse}", title = "{APSS}: proactive secret sharing in asynchronous systems", journal = j-TISSEC, volume = "8", number = "3", pages = "259--286", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Dojen:2005:CLP, author = "Reiner Dojen and Tom Coffey", title = "The concept of layered proving trees and its application to the automation of security protocol verification", journal = j-TISSEC, volume = "8", number = "3", pages = "287--311", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Gunetti:2005:KAF, author = "Daniele Gunetti and Claudia Picardi", title = "Keystroke analysis of free text", journal = j-TISSEC, volume = "8", number = "3", pages = "312--347", month = aug, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Sep 17 15:42:03 MDT 2005", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ferrari:2005:GES, author = "Elena Ferrari", title = "Guest editorial: {Special} issue on access control models and technologies", journal = j-TISSEC, volume = "8", number = "4", pages = "349--350", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Zhang:2005:FMP, author = "Xinwen Zhang and Francesco Parisi-Presicce and Ravi Sandhu and Jaehong Park", title = "Formal model and policy specification of usage control", journal = j-TISSEC, volume = "8", number = "4", pages = "351--387", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bhatti:2005:XGA, author = "Rafae Bhatti and Basit Shafiq and Elisa Bertino and Arif Ghafoor and James B. D. Joshi", title = "{X-gtrbac} admin: {A} decentralized administration model for enterprise-wide access control", journal = j-TISSEC, volume = "8", number = "4", pages = "388--423", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Hengartner:2005:ACP, author = "Urs Hengartner and Peter Steenkiste", title = "Access control to people location information", journal = j-TISSEC, volume = "8", number = "4", pages = "424--456", month = nov, year = "2005", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Jan 10 07:44:45 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Ateniese:2006:IPR, author = "Giuseppe Ateniese and Kevin Fu and Matthew Green and Susan Hohenberger", title = "Improved proxy re-encryption schemes with applications to secure distributed storage", journal = j-TISSEC, volume = "9", number = "1", pages = "1--30", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Malvestuto:2006:ASQ, author = "Francesco M. Malvestuto and Mauro Mezzini and Marina Moscarini", title = "Auditing sum-queries to make a statistical database secure", journal = j-TISSEC, volume = "9", number = "1", pages = "31--60", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Mutz:2006:ASC, author = "Darren Mutz and Fredrik Valeur and Giovanni Vigna and Christopher Kruegel", title = "Anomalous system call detection", journal = j-TISSEC, volume = "9", number = "1", pages = "61--93", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Futoransky:2006:FAS, author = "Ariel Futoransky and Emiliano Kargieman and Carlos Sarraute and Ariel Waissbein", title = "Foundations and applications for secure triggers", journal = j-TISSEC, volume = "9", number = "1", pages = "94--112", month = feb, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Apr 29 09:23:50 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Oh:2006:ERA, author = "Sejong Oh and Ravi Sandhu and Xinwen Zhang", title = "An effective role administration model using organization structure", journal = j-TISSEC, volume = "9", number = "2", pages = "113--137", month = may, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1151414.1151415", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Bella:2006:APF, author = "Giampaolo Bella and Lawrence C. Paulson", title = "Accountability protocols: {Formalized} and verified", journal = j-TISSEC, volume = "9", number = "2", pages = "138--161", month = may, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1151414.1151416", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Chandramouli:2006:BPA, author = "R. Chandramouli and S. Bapatla and K. P. Subbalakshmi and R. N. Uma", title = "Battery power-aware encryption", journal = j-TISSEC, volume = "9", number = "2", pages = "162--180", month = may, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1151414.1151417", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Minimizing power consumption is crucial in battery power-limited secure wireless mobile networks. In this paper, we (a) introduce a hardware/software set-up to measure the battery power consumption of encryption algorithms through real-life experimentation, (b) based on the profiled data, propose mathematical models to capture the relationships between power consumption and security, and (c) formulate and solve security maximization subject to power constraints. Numerical results are presented to illustrate the gains that can be achieved in using solutions of the proposed security maximization problems subject to power constraints.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Gennaro:2006:FPB, author = "Rosario Gennaro and Yehuda Lindell", title = "A framework for password-based authenticated key exchange", journal = j-TISSEC, volume = "9", number = "2", pages = "181--234", month = may, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1151414.1151418", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Aug 26 08:10:38 MDT 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security. Second, our proof of security is significantly simpler and more modular. Third, we are able to derive analogs to the Katz et al. protocol under additional cryptographic assumptions. Specifically, in addition to the DDH assumption used by Katz et al., we obtain protocols under both the quadratic and N-residuosity assumptions. In order to achieve this, we construct new smooth projective hash functions.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{VanOorschot:2006:COD, author = "Paul C. {Van Oorschot} and Stuart Stubblebine", title = "On countering online dictionary attacks with login histories and humans-in-the-loop", journal = j-TISSEC, volume = "9", number = "3", pages = "235--258", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{McDaniel:2006:MLS, author = "Patrick McDaniel and Atul Prakash", title = "Methods and limitations of security policy reconciliation", journal = j-TISSEC, volume = "9", number = "3", pages = "259--291", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Murata:2006:XAC, author = "Makoto Murata and Akihiko Tozawa and Michiharu Kudo and Satoshi Hada", title = "{XML} access control using static analysis", journal = j-TISSEC, volume = "9", number = "3", pages = "292--324", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Kogan:2006:PRS, author = "Noam Kogan and Yuval Shavitt and Avishai Wool", title = "A practical revocation scheme for broadcast encryption using smartcards", journal = j-TISSEC, volume = "9", number = "3", pages = "325--351", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Winsborough:2006:SAT, author = "William H. Winsborough and Ninghui Li", title = "Safety in automated trust negotiation", journal = j-TISSEC, volume = "9", number = "3", pages = "352--390", month = aug, year = "2006", CODEN = "ATISBQ", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Nov 15 06:44:34 MST 2006", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2006:SAR, author = "Ninghui Li and Mahesh V. Tripunitara", title = "Security analysis in role-based access control", journal = j-TISSEC, volume = "9", number = "4", pages = "391--420", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1187441.1187442", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The administration of large role-based access control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over discretionary access control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the RT[$\leftarrow,\cap$] role-based trust-management language, thereby establishing an interesting relationship between RBAC and the RT framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "delegation; role-based access control; role-based administration; trust management", } @Article{Mella:2006:CCU, author = "Giovanni Mella and Elena Ferrari and Elisa Bertino and Yunhua Koglin", title = "Controlled and cooperative updates of {XML} documents in {Byzantine} and failure-prone distributed systems", journal = j-TISSEC, volume = "9", number = "4", pages = "421--460", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1187441.1187443", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This paper proposes an infrastructure and related algorithms for the controlled and cooperative updates of XML documents. Key components of the proposed system are a set of XML-based languages for specifying access-control policies and the path that the document must follow during its update. Such path can be fully specified before the update process begins or can be dynamically modified by properly authorized subjects while being transmitted. Our approach is fully distributed in that each party involved in the process can verify the correctness of the operations performed until that point on the document without relying on a central authority. More importantly, the recovery procedure also does not need the participation of a central authority. Our approach is based on the use of some special control information that is transmitted together with the document and a suite of protocols. We formally specify the structure of such control information and the protocols. We also analyze security and complexity of the proposed protocols.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "Byzantine and distributed systems; policy languages; updates; XML documents", } @Article{Kogan:2006:IER, author = "Noam Kogan and Tamir Tassa", title = "Improved efficiency for revocation schemes via {Newton} interpolation", journal = j-TISSEC, volume = "9", number = "4", pages = "461--486", month = nov, year = "2006", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1187441.1187444", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:51 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a novel way to implement the secret-sharing-based family of revocation schemes of Naor and Pinkas [2003]. The basic scheme of [Naor and Pinkas 2000] uses Shamir's polynomial secret-sharing to revoke up to r users, where r is the degree of the secret-sharing polynomial, and it is information theoretically secure against coalitions of up to r collaborators. The nonrevoked users use Lagrange interpolation in order to compute the new key. Our basic scheme uses a novel modification of Shamir's polynomial secret-sharing: The secret equals the leading coefficient of the polynomial (as opposed to the free coefficient as in the original scheme) and the polynomial is reconstructed by Newton interpolation (rather than Lagrange interpolation). Comparing our scheme to one variant of the Naor--Pinkas scheme, we offer revocation messages that are shorter by a factor of almost 2, while the computation cost at the user end is smaller by a constant factor of approximately 13/2. Comparing to a second variant of the Naor--Pinkas scheme, our scheme offers a reduction of O ( r ) in the computation cost at the user end, without affecting any of the other performance parameters. We then extend our basic scheme to perform multiround revocation for stateless and stateful receivers, along the lines offered by Naor and Pinkas [2000] and Kogan et al. [2003]. We show that using Newton rather than Lagrange interpolants enables a significantly more efficient transmission of the new revocation message and shorter response time for each round. Pay TV systems that implement broadcast encryption techniques can benefit significantly from the improved efficiency offered by our revocation schemes.", acknowledgement = ack-nhfb, fjournal = "ACM Transactions on Information and System Security", keywords = "broadcast encryption; Newton interpolation; secret sharing; User revocation", } @Article{Ahn:2007:GES, author = "Gail-Joon Ahn", title = "Guest editorial: {Special} issue on access control models and technologies", journal = j-TISSEC, volume = "10", number = "1", pages = "1:1--1:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1210263.1216576", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", } @Article{Damiani:2007:GRS, author = "Maria Luisa Damiani and Elisa Bertino and Barbara Catania and Paolo Perlasca", title = "{GEO-RBAC}: {A} spatially aware {RBAC}", journal = j-TISSEC, volume = "10", number = "1", pages = "2:1--2:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1210263.1210265", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Securing access to data in location-based services and mobile applications requires the definition of spatially aware access-control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to deal with spatial aspects in real mobile applications, is still missing. In this paper, we make one step toward this direction and present GEO-RBAC, an extension of the RBAC model enhanced with spatial-and location-based information. In GEORBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device-independent position, representing the feature (the road, the town, the region) in which they are located. To enhance flexibility and reusability, we also introduce the concept of role schema, specifying the name of the role, as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to support hierarchies, modeling permission, user, and activation inheritance, and separation of duty constraints. The proposed classes of constraints extend the conventional ones to deal with different granularities (schema/instance level) and spatial information. We conclude the paper with an analysis of several properties concerning the resulting model.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", keywords = "access-control model; GIS; location-based services", } @Article{Iwaihara:2007:RBA, author = "Mizuho Iwaihara and Ryotaro Hayashi and Somchai Chatvichienchai and Chutiporn Anutariya and Vilas Wuwongse", title = "Relevancy-based access control and its evaluation on versioned {XML} documents", journal = j-TISSEC, volume = "10", number = "1", pages = "3:1--3:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1210263.1210266", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Integration of version and access control of XML documents has the benefit of regulating access to rapidly growing archives of XML documents. Versioned XML documents provide us with valuable information on dependencies between document nodes, but, at the same time, presenting the risk of undesirable data disclosure. In this article, we introduce the notion of relevancy-based access control, which realizes protection of versioned XML documents by various types of relevancy, such as version dependencies, schema similarities, and temporal proximity. We define a new path query language XVerPath over XML document versions, which can be utilized for specifying relevancy-based access-control policies. We also introduce the notion of relevancy class, for collectively and compactly specifying relevancy-based policies. Regarding efficient processing of access requests, we propose the packed version model, which realizes space-efficient difference-based archives of versioned XML documents and, at the same time, providing efficient evaluation of XVerPath queries. Experimental results show reasonable performance superiority over conventional methods, which do not utilize version differences.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; query language; security; version control; XML; XPath", } @Article{Zhou:2007:MNI, author = "Jingmin Zhou and Mark Heckman and Brennen Reynolds and Adam Carlson and Matt Bishop", title = "Modeling network intrusion detection alerts for correlation", journal = j-TISSEC, volume = "10", number = "1", pages = "4:1--4:??", month = feb, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1210263.1210267", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:51:58 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Signature-based network intrusion-detection systems (NIDSs) often report a massive number of simple alerts of low-level security-related events. Many of these alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. This paper proposes a well-structured model that abstracts the logical relation between the alerts in order to support automatic correlation of those alerts involved in the same intrusion. The basic building block of the model is a logical formula called a capability. We use capability to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage intrusion. We then derive inference rules to define logical relations between different capabilities. Based on the model and the inference rules, we have developed several novel alert correlation algorithms and implemented a prototype alert correlator. The experimental results of the correlator using several intrusion datasets demonstrate that the approach is effective in both alert fusion and alert correlation and has the ability to correlate alerts of complex multistage intrusions. In several instances, the alert correlator successfully correlated more than two thousand Snort alerts involved in massive scanning incidents. It also helped us find two multistage intrusions that were missed in auditing by the security officers.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", keywords = "alert correlation; alert fusion; capability; intrusion detection", } @Article{Li:2007:MER, author = "Ninghui Li and Mahesh V. Tripunitara and Ziad Bizri", title = "On mutually exclusive roles and separation-of-duty", journal = j-TISSEC, volume = "10", number = "2", pages = "5:1--5:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1237500.1237501", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Separation-of-duty (SoD) is widely considered to be a fundamental principle in computer security. A static SoD (SSoD) policy states that in order to have all permissions necessary to complete a sensitive task, the cooperation of at least a certain number of users is required. Role-based access control (RBAC) is today's dominant access-control model. It is widely believed that one of RBAC's main strengths is that it enables the use of constraints to support policies, such as separation-of-duty. In the literature on RBAC, statically mutually exclusive roles (SMER) constraints are used to enforce SSoD policies. In this paper, we formulate and study fundamental computational problems related to the use of SMER constraints to enforce SSoD policies. We show that directly enforcing SSoD policies is intractable (coNP-complete), while checking whether an RBAC state satisfies a set of SMER constraints is efficient; however, verifying whether a given set of SMER constraints enforces an SSoD policy is also intractable (coNP-complete). We discuss the implications of these results. We show also how to generate SMER constraints that are as accurate as possible for enforcing an SSoD policy.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", keywords = "computational complexity; constraints; role-based access control; separation-of-duty; verification", } @Article{Peng:2007:BZK, author = "Kun Peng and Colin Boyd and Ed Dawson", title = "Batch zero-knowledge proof and verification and its applications", journal = j-TISSEC, volume = "10", number = "2", pages = "6:1--6:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1237500.1237502", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The batch verification technique of Bellare et al. is extended to verification of several frequently employed zero-knowledge proofs. The new techniques are correct, sound, efficient, and can be widely applied. Specific applications are discussed in detail, including batch ZK proof and verification of validity of encryption (or reencryption) and batch ZK proof and verification of validity of decryption. Considerable efficiency improvements are gained in these two applications without compromising security. As a result, efficiency of the practical cryptographic systems (such as mix networks) based on these two applications is dramatically improved.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", keywords = "batch proof and verification of decryption; batch proof and verification of reencryption; mix network", } @Article{Ahmed:2007:SVS, author = "Tanvir Ahmed and Anand R. Tripathi", title = "Specification and verification of security requirements in a programming model for decentralized {CSCW} systems", journal = j-TISSEC, volume = "10", number = "2", pages = "7:1--7:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1237500.1237503", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present, in this paper, a role-based model for programming distributed CSCW systems. This model supports specification of dynamic security and coordination requirements in such systems. We also present here a model-checking methodology for verifying the security properties of a design expressed in this model. The verification methodology presented here is used to ensure correctness and consistency of a design specification. It is also used to ensure that sensitive security requirements cannot be violated when policy enforcement functions are distributed among the participants. Several aspect-specific verification models are developed to check security properties, such as task-flow constraints, information flow, confidentiality, and assignment of administrative privileges.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", keywords = "finite state-based model checking; methodology for access-control policy design; role-based access control; Security policy specification", } @Article{Bhargavan:2007:SSW, author = "Karthikeyan Bhargavan and Ricardo Corin and C{\'e}dric Fournet and Andrew D. Gordon", title = "Secure sessions for {Web} services", journal = j-TISSEC, volume = "10", number = "2", pages = "8:1--8:??", month = may, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1237500.1237504", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:05 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We address the problem of securing sequences of SOAP messages exchanged between web services and their clients. The WS-Security standard defines basic mechanisms to secure SOAP traffic, one message at a time. For typical web services, however, using WS-Security independently for each message is rather inefficient; moreover, it is often important to secure the integrity of a whole session, as well as each message. To these ends, recent specifications provide further SOAP-level mechanisms. WS-SecureConversation defines security contexts, which can be used to secure sessions between two parties. WS-Trust specifies how security contexts are issued and obtained. We develop a semantics for the main mechanisms of WS-Trust and WS-SecureConversation, expressed as a library for TulaFale, a formal scripting language for security protocols. We model typical protocols relying on these mechanisms and automatically prove their main security properties. We also informally discuss some pitfalls and limitations of these specifications.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", keywords = "Web services; XML security", } @Article{Abadi:2007:JFK, author = "Mart{\'\i}n Abadi and Bruno Blanchet and C{\'e}dric Fournet", title = "Just fast keying in the pi calculus", journal = j-TISSEC, volume = "10", number = "3", pages = "9:1--9:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1266977.1266978", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we formally analyze this protocol in the applied pi calculus (partly in terms of observational equivalences and partly with the assistance of an automatic protocol verifier). We treat JFK's core security properties and also other properties that are rarely articulated and rigorously studied, such as plausible deniability and resistance to denial-of-service attacks. In the course of this analysis, we found some ambiguities and minor problems, such as limitations in identity protection, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be more generally useful in the specification and verification of security protocols.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", keywords = "IP security; key exchange; process calculus", } @Article{Bresson:2007:PSA, author = "Emmanuel Bresson and Olivier Chevassut and David Pointcheval", title = "Provably secure authenticated group {Diffie--Hellman} key exchange", journal = j-TISSEC, volume = "10", number = "3", pages = "10:1--10:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1266977.1266979", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Authenticated key-exchange protocols allow two participants A and B, communicating over a public network and each holding an authentication means to exchange a shared secret value. Methods designed to deal with this cryptographic problem ensure A (resp. B ) that no other participants aside from B (resp. A ) can learn any information about the agreed value and often also ensure A and B that their respective partner has actually computed this value. A natural extension to this cryptographic method is to consider a pool of participants exchanging a shared secret value and to provide a formal treatment for it. Starting from the famous two-party Diffie--Hellman (DH) key-exchange protocol and from its authenticated variants, security experts have extended it to the multiparty setting for over a decade and, in the past few years, completed a formal analysis in the framework of modern cryptography. The present paper synthesizes this body of work on the provably-secure authenticated group DH key exchange.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", keywords = "cryptography; Diffie--Hellman; Group Key Exchange", } @Article{vanOorschot:2007:IRS, author = "P. C. van Oorschot and Tao Wan and Evangelos Kranakis", title = "On interdomain routing security and pretty secure {BGP (psBGP)}", journal = j-TISSEC, volume = "10", number = "3", pages = "11:1--11:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1266977.1266980", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "It is well known that the Border Gateway Protocol (BGP), the IETF standard interdomain routing protocol, is vulnerable to a variety of attacks, and that a single misconfigured or malicious BGP speaker could result in large-scale service disruption. In this paper, we present Pretty Secure BGP (psBGP) ---a proposal for securing BGP, including an architectural overview, design details for significant aspects, and preliminary security and operational analysis. psBGP differs from other security proposals (e. g. , S-BGP and soBGP) in that it makes use of a single-level PKI for AS number authentication, a decentralized trust model for verifying the propriety of IP prefix origin, and a rating-based stepwise approach for AS_PATH (integrity) verification. psBGP trades off the strong security guarantees of S-BGP for presumed-simpler operation, e. g. , using a PKI with a simple structure, with a small number of certificate types, and of manageable size. psBGP is designed to successfully defend against various (nonmalicious and malicious) threats from uncoordinated BGP speakers, and to be incrementally deployed with incremental benefits.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", keywords = "authentication; BGP; certificates; interdomain routing; public-key infrastructure; secure routing protocols; trust", } @Article{Squicciarini:2007:PTX, author = "A. Squicciarini and E. Bertino and Elena Ferrari and F. Paci and B. Thuraisingham", title = "{PP-trust-X}: {A} system for privacy preserving trust negotiations", journal = j-TISSEC, volume = "10", number = "3", pages = "12:1--12:??", month = jul, year = "2007", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1266977.1266981", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:14 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Trust negotiation is a promising approach for establishing trust in open systems, in which sensitive interactions may often occur between entities with no prior knowledge of each other. Although, to date several trust negotiation systems have been proposed, none of them fully address the problem of privacy preservation. Today, privacy is one of the major concerns of users when exchanging information through the Web and thus we believe that trust negotiation systems must effectively address privacy issues in order to be widely applicable. For these reasons, in this paper, we investigate privacy in the context of trust negotiations. We propose a set of privacy-preserving features for inclusion in any trust negotiation system, such as the support for the P3P standard, as well as a number of innovative features, such as a novel format for encoding digital credentials specifically designed for preserving privacy. Further, we present a variety of interoperable strategies to carry on the negotiation with the aim of improving both privacy and efficiency.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; attribute-based access control; automated trust negotiation; credentials; privacy; strategy", } @Article{Chakrabarti:2008:ETR, author = "Deepayan Chakrabarti and Yang Wang and Chenxi Wang and Jurij Leskovec and Christos Faloutsos", title = "Epidemic thresholds in real networks", journal = j-TISSEC, volume = "10", number = "4", pages = "1:1--1:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1284681", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "How will a virus propagate in a real network? How long does it take to disinfect a network given particular values of infection rate and virus death rate? What is the single best node to immunize? Answering these questions is essential for devising network-wide strategies to counter viruses. In addition, viral propagation is very similar in principle to the spread of rumors, information, and ``fads,'' implying that the solutions for viral propagation would also offer insights into these other problem settings. We answer these questions by developing a nonlinear dynamical system ( NLDS ) that accurately models viral propagation in any arbitrary network, including real and synthesized network graphs. We propose a general epidemic threshold condition for the NLDS system: we prove that the epidemic threshold for a network is exactly the inverse of the largest eigenvalue of its adjacency matrix. Finally, we show that below the epidemic threshold, infections die out at an exponential rate. Our epidemic threshold model subsumes many known thresholds for special-case graphs (e.g., Erd{\"o}s--R{\'e}nyi, BA powerlaw, homogeneous). We demonstrate the predictive power of our model with extensive experiments on real and synthesized graphs, and show that our threshold condition holds for arbitrary graphs. Finally, we show how to utilize our threshold condition for practical uses: It can dictate which nodes to immunize; it can assess the effects of a throttling policy; it can help us design network topologies so that they are more resistant to viruses.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", keywords = "eigenvalue; epidemic threshold; viral propagation", } @Article{Joshi:2008:FFH, author = "James B. D. Joshi and Elisa Bertino and Arif Ghafoor and Yue Zhang", title = "Formal foundations for hybrid hierarchies in {GTRBAC}", journal = j-TISSEC, volume = "10", number = "4", pages = "2:1--2:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1284682", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A role hierarchy defines permission acquisition and role-activation semantics through role--role relationships. It can be utilized for efficiently and effectively structuring functional roles of an organization having related access-control needs. The focus of this paper is the analysis of hybrid role hierarchies in the context of the generalized temporal role-based access control (GTRBAC) model that allows specification of a comprehensive set of temporal constraints on role, user-role, and role-permission assignments. We introduce the notion of uniquely activable set (UAS) associated with a role hierarchy that indicates the access capabilities of a user resulting from his membership to a role in the hierarchy. Identifying such a role set is essential, while making an authorization decision about whether or not a user should be allowed to activate a particular combination of roles in a single session. We formally show how UAS can be determined for a hybrid hierarchy. Furthermore, within a hybrid hierarchy, various hierarchical relations may be derived between an arbitrary pair of roles. We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations and show that it is sound and complete. We also present an analysis of hierarchy transformations with respect to role addition, deletion, and partitioning, and show how various cases of these transformations allow the original permission acquisition and role-activation semantics to be managed. The formal results presented here provide a basis for developing efficient security administration and management tools.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", keywords = "derived relation; role hierarchy", } @Article{Gassend:2008:CPR, author = "Blaise Gassend and Marten {Van Dijk} and Dwaine Clarke and Emina Torlak and Srinivas Devadas and Pim Tuyls", title = "Controlled physical random functions and applications", journal = j-TISSEC, volume = "10", number = "4", pages = "3:1--3:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1284683", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The cryptographic protocols that we use in everyday life rely on the secure storage of keys in consumer devices. Protecting these keys from invasive attackers, who open a device to steal its key, is a challenging problem. We propose controlled physical random functions (CPUFs) as an alternative to storing keys and describe the core protocols that are needed to use CPUFs. A physical random functions (PUF) is a physical system with an input and output. The functional relationship between input and output looks like that of a random function. The particular relationship is unique to a specific instance of a PUF, hence, one needs access to a particular PUF instance to evaluate the function it embodies. The cryptographic applications of a PUF are quite limited unless the PUF is combined with an algorithm that limits the ways in which the PUF can be evaluated; this is a CPUF. A major difficulty in using CPUFs is that you can only know a small set of outputs of the PUF---the unknown outputs being unrelated to the known ones. We present protocols that get around this difficulty and allow a chain of trust to be established between the CPUF manufacturer and a party that wishes to interact securely with the PUF device. We also present some elementary applications, such as certified execution.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", keywords = "certified execution; physical random function; physical security; physical unclonable function; trusted computing", } @Article{Bouganim:2008:DAC, author = "Luc Bouganim and Fran{\c{c}}ois Dang Ngoc and Philippe Pucheral", title = "Dynamic access-control policies on {XML} encrypted data", journal = j-TISSEC, volume = "10", number = "4", pages = "4:1--4:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1284684", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The erosion of trust put in traditional database servers and in Database Service Providers and the growing interest for different forms of selective data dissemination are different factors that lead to move the access-control from servers to clients. Different data encryption and key dissemination schemes have been proposed to serve this purpose. By compiling the access-control rules into the encryption process, all these methods suffer from a static way of sharing data. With the emergence of hardware security elements on client devices, more dynamic client-based access-control schemes can be devised. This paper proposes a tamper-resistant client-based XML access-right controller supporting flexible and dynamic access-control policies. The access-control engine is embedded in a hardware-secure device and, therefore, must cope with specific hardware resources. This engine benefits from a dedicated index to quickly converge toward the authorized parts of a potentially streaming XML document. Pending situations (i. e. , where data delivery is conditioned by predicates, which apply to values encountered afterward in the document stream) are handled gracefully, skipping, whenever possible the pending elements and reassembling relevant parts when the pending situation is solved. Additional security mechanisms guarantee that (1) the input document is protected from any form of tampering and (2) no forbidden information can be gained by replay attacks on different versions of the XML document and of the access-control rules. Performance measurements on synthetic and real datasets demonstrate the effectiveness of the approach. Finally, the paper reports on two experiments conducted with a prototype running on a secured hardware platform.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", keywords = "access-control; data confidentiality; smartcard; ubiquitous data management", } @Article{vanOorschot:2008:PMU, author = "P. C. van Oorschot and Julie Thorpe", title = "On predictive models and user-drawn graphical passwords", journal = j-TISSEC, volume = "10", number = "4", pages = "5:1--5:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1284685", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e. g. , graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user's memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of password complexity factors (e. g. , reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the ``Draw-A-Secret'' (DAS) graphical password scheme of Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41---a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", keywords = "dictionary attack; Draw-a-Secret; graphical dictionary; Graphical passwords; memorable passwords; modeling user choice; password complexity factors", } @Article{Awerbuch:2008:ODS, author = "Baruch Awerbuch and Reza Curtmola and David Holmer and Cristina Nita-Rotaru and Herbert Rubens", title = "{ODSBR}: {An} on-demand secure {Byzantine} resilient routing protocol for wireless ad hoc networks", journal = j-TISSEC, volume = "10", number = "4", pages = "6:1--6:??", month = jan, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1284680.1341892", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:24 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Ah hoc networks offer increased coverage by using multihop communication. This architecture makes services more vulnerable to internal attacks coming from compromised nodes that behave arbitrarily to disrupt the network, also referred to as Byzantine attacks. In this work, we examine the impact of several Byzantine attacks performed by individual or colluding attackers. We propose ODSBR, the first on-demand routing protocol for ad hoc wireless networks that provides resilience to Byzantine attacks caused by individual or colluding nodes. The protocol uses an adaptive probing technique that detects a malicious link after log n faults have occurred, where n is the length of the path. Problematic links are avoided by using a route discovery mechanism that relies on a new metric that captures adversarial behavior. Our protocol never partitions the network and bounds the amount of damage caused by attackers. We demonstrate through simulations ODSBR's effectiveness in mitigating Byzantine attacks. Our analysis of the impact of these attacks versus the adversary's effort gives insights into their relative strengths, their interaction, and their importance when designing multihop wireless routing protocols.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", keywords = "ad hoc wireless networks; Byzantine failures; on-demand routing; security", } @Article{Ray:2008:E, author = "Indrakshi Ray", title = "Editorial", journal = j-TISSEC, volume = "11", number = "1", pages = "1:1--1:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330295.1330296", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", } @Article{Lee:2008:TAS, author = "Adam J. Lee and Marianne Winslett and Jim Basney and Von Welch", title = "The {Traust Authorization Service}", journal = j-TISSEC, volume = "11", number = "1", pages = "2:1--2:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330295.1330297", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In recent years, trust negotiation has been proposed as a novel authorization solution for use in open-system environments, in which resources are shared across organizational boundaries. Researchers have shown that trust negotiation is indeed a viable solution for these environments by developing a number of policy languages and strategies for trust negotiation that have desirable theoretical properties. Further, existing protocols, such as TLS, have been altered to interact with prototype trust negotiation systems, thereby illustrating the utility of trust negotiation. Unfortunately, modifying existing protocols is often a time-consuming and bureaucratic process that can hinder the adoption of this promising technology. \par In this paper, we present Traust, a third-party authorization service that leverages the strengths of existing prototype trust negotiation systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use trust negotiation to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications; this flexibility paves the way for the incremental adoption of trust negotiation technologies without requiring widespread software or protocol upgrades. We discuss the design and implementation of Traust, the communication protocol used by the Traust system, and its performance. We also discuss our experiences using Traust to broker access to legacy resources, our proposal for a Traust-aware version of the GridFTP protocol, and Traust's resilience to attack.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", keywords = "attribute-based access control; credentials; trust negotiation", } @Article{Zhang:2008:TUB, author = "Xinwen Zhang and Masayuki Nakae and Michael J. Covington and Ravi Sandhu", title = "Toward a {Usage-Based Security Framework} for {Collaborative Computing Systems}", journal = j-TISSEC, volume = "11", number = "1", pages = "3:1--3:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330295.1330298", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Collaborative systems such as Grids provide efficient and scalable access to distributed computing capabilities and enable seamless resource sharing between users and platforms. This heterogeneous distribution of resources and the various modes of collaborations that exist between users, virtual organizations, and resource providers require scalable, flexible, and fine-grained access control to protect both individual and shared computing resources. In this article we propose a usage control (UCON) based security framework for collaborative applications, by following a layered approach with policy, enforcement, and implementation models, called the PEI framework. In the policy model layer, UCON policies are specified with predicates on subject and object attributes, along with system attributes as conditional constraints and user actions as obligations. General attributes include not only persistent attributes such as role and group memberships but also mutable usage attributes of subjects and objects. Conditions in UCON can be used to support context-based authorizations in ad hoc collaborations. In the enforcement model layer, our novel framework uses a hybrid approach for subject attribute acquisition with both push and pull modes. By leveraging attribute propagations between a centralized attribute repository and distributed policy decision points, our architecture supports decision continuity and attribute mutability of the UCON policy model, as well as obligation evaluations during policy enforcement. As a proof-of-concept, we implement a prototype system based on our proposed architecture and conduct experimental studies to demonstrate the feasibility and performance of our approach.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; Authorization; collaborative computing; security architecture; UCON; usage control", } @Article{Mazzoleni:2008:XPI, author = "Pietro Mazzoleni and Bruno Crispo and Swaminathan Sivasubramanian and Elisa Bertino", title = "{XACML Policy Integration Algorithms}", journal = j-TISSEC, volume = "11", number = "1", pages = "4:1--4:??", month = feb, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330295.1330299", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:35 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed by multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitation, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", keywords = "content distributed networks; distributed systems; security policies integration; SOA; Web services; XACML", } @Article{Lee:2008:CPK, author = "Jooyoung Lee and Douglas R. Stinson", title = "On the {Construction} of {Practical Key Predistribution Schemes} for {Distributed Sensor Networks Using Combinatorial Designs}", journal = j-TISSEC, volume = "11", number = "2", pages = "1:1--1:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330333", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this paper, we discuss the use of combinatorial set systems (combinatorial designs) in the design of key predistribution schemes (KPSs) for sensor networks. We show that the performance of a KPS can be improved by carefully choosing a certain class of set systems as ``key ring spaces''. Especially, we analyze KPSs based on a type of combinatorial design known as a {$<$}it{$>$}transversal design{$<$}/it{$>$}. We employ two types of transversal designs, which are represented by the set of all linear polynomials and the set of quadratic polynomials (over some finite field), respectively. These KPSs turn out to have significant efficiency in a shared-key discovery phase without degrading connectivity and resiliency.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", keywords = "key predistribution; security; wireless sensor networks", } @Article{Mano:2008:RRI, author = "Chad D. Mano and Andrew Blaich and Qi Liao and Yingxin Jiang and David A. Cieslak and David C. Salyers and Aaron Striegel", title = "{RIPPS}: {Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts Through Network Traffic Conditioning}", journal = j-TISSEC, volume = "11", number = "2", pages = "2:1--2:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330334", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Wireless network access has become an integral part of computing both at home and at the workplace. The convenience of wireless network access at work may be extremely beneficial to employees, but can be a burden to network security personnel. This burden is magnified by the threat of inexpensive wireless access points being installed in a network without the knowledge of network administrators. These devices, termed {$<$}it{$>$}Rogue Wireless Access Points{$<$}/it{$>$}, may allow a malicious outsider to access valuable network resources, including confidential communication and other stored data. For this reason, wireless connectivity detection is an essential capability, but remains a difficult problem. We present a method of detecting wireless hosts using a local RTT metric and a novel packet payload slicing technique. The local RTT metric provides the means to identify physical transmission media while packet payload slicing conditions network traffic to enhance the accuracy of the detections. Most importantly, the packet payload slicing method is transparent to both clients and servers and does not require direct communication between the monitoring system and monitored hosts.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", keywords = "network security; rogue systems; traffic conditioning", } @Article{Wright:2008:PLA, author = "Matthew K. Wright and Micah Adler and Brian Neil Levine and Clay Shields", title = "Passive-Logging {Attacks Against Anonymous Communications Systems}", journal = j-TISSEC, volume = "11", number = "2", pages = "3:1--3:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330335", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Using analysis, simulation, and experimentation, we examine the threat against anonymous communications posed by passive-logging attacks. In previous work, we analyzed the success of such attacks under various assumptions. Here, we evaluate the effects of these assumptions more closely. First, we analyze the Onion Routing-based model used in prior work in which a fixed set of nodes remains in the system indefinitely. We show that for this model, by removing the assumption of uniformly random selection of nodes for placement in the path, initiators can greatly improve their anonymity. Second, we show by simulation that attack times are significantly lower in practice than bounds given by analytical results from prior work. Third, we analyze the effects of a dynamic membership model, in which nodes are allowed to join and leave the system; we show that all known defenses fail more quickly when the assumption of a static node set is relaxed. Fourth, intersection attacks against peer-to-peer systems are shown to be an additional danger, either on their own or in conjunction with the predecessor attack. Finally, we address the question of whether the regular communication patterns required by the attacks exist in real traffic. We collected and analyzed the Web requests of users to determine the extent to which basic patterns can be found. We show that, for our study, frequent and repeated communication to the same Web site is common.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", keywords = "anonymity; anonymous communication; intersection attack; predecessor attack; privacy", } @Article{Cheon:2008:PST, author = "Jung Hee Cheon and Nicholas Hopper and Yongdae Kim and Ivan Osipkov", title = "Provably {Secure Timed-Release Public Key Encryption}", journal = j-TISSEC, volume = "11", number = "2", pages = "4:1--4:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330336", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A timed-release cryptosystem allows a sender to encrypt a message so that only the intended recipient can read it only after a specified time. We formalize the concept of a secure timed-release public-key cryptosystem and show that, if a third party is relied upon to guarantee decryption after the specified date, this concept is equivalent to identity-based encryption; this explains the observation that all known constructions use identity-based encryption to achieve timed-release security. We then give several provably-secure constructions of timed-release encryption: a generic scheme based on any identity-based encryption scheme, and two more efficient schemes based on the existence of cryptographically admissible bilinear mappings. The first of these is essentially as efficient as the Boneh--Franklin Identity-Based encryption scheme, and is provably secure and authenticated in the random oracle model; the final scheme is not authenticated but is provably secure in the standard model (i. e. , without random oracles).", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", keywords = "authenticated encryption; key-insulated encryption; timed-release", } @Article{Pang:2008:VCR, author = "Hweehwa Pang and Kian-Lee Tan", title = "Verifying {Completeness} of {Relational Query Answers} from {Online Servers}", journal = j-TISSEC, volume = "11", number = "2", pages = "5:1--5:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330337", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The number of successful attacks on the Internet shows that it is very difficult to guarantee the security of online servers over extended periods of time. A breached server that is not detected in time may return incorrect query answers to users. In this article, we introduce authentication schemes for users to verify that their query answers from an online server are complete (i. e. , no qualifying tuples are omitted) and authentic (i. e. , all the result values are legitimate). We introduce a scheme that supports range selection, projection as well as primary key-foreign key join queries on relational databases. We also present authentication schemes for single- and multi-attribute range aggregate queries. The schemes complement access control mechanisms that rewrite queries dynamically, and are computationally secure. We have implemented the proposed schemes, and experiment results showed that they are practical and feasible schemes with low overheads.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", keywords = "query answer verification; secure database systems", } @Article{Brandt:2008:EUP, author = "Felix Brandt and Tuomas Sandholm", title = "On the {Existence} of {Unconditionally Privacy-Preserving Auction Protocols}", journal = j-TISSEC, volume = "11", number = "2", pages = "6:1--6:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1330332.1330338", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:41 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We investigate whether it is possible to preserve privacy in sealed-bid auctions to a maximal extent. In particular, this paper focuses on {$<$}it{$>$}unconditional full privacy{$<$}/it{$>$}, i. e. , privacy that relies neither on trusted third parties (like auctioneers), nor on computational intractability assumptions (like the hardness of factoring). These constraints imply a scenario in which bidders exchange messages according to some predefined protocol in order to jointly determine the auction outcome without revealing any additional information. It turns out that the first-price sealed-bid auction can be emulated by an unconditionally fully private protocol. However, the protocol's round complexity is exponential in the bid size, and there is no more efficient protocol. On the other hand, we prove the impossibility of privately emulating the second-price sealed-bid auction for more than two bidders. This impossibility holds even when relaxing various privacy constraints such as allowing the revelation of all but one losing bid (while maintaining anonymity) or allowing the revelation of the second highest bidder's identity.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", keywords = "auctions; multiparty computation", } @Article{Tsudik:2008:E, author = "Gene Tsudik", title = "Editorial", journal = j-TISSEC, volume = "11", number = "3", pages = "11:1--11:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341732", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", } @Article{Zhang:2008:FIC, author = "Qing Zhang and Ting Yu and Peng Ning", title = "A {Framework} for {Identifying Compromised Nodes} in {Wireless Sensor Networks}", journal = j-TISSEC, volume = "11", number = "3", pages = "12:1--12:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341733", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Sensor networks are often subject to physical attacks. Once a node's cryptographic key is compromised, an attacker may completely impersonate it and introduce arbitrary false information into the network. Basic cryptographic mechanisms are often not effective in this situation. Most techniques to address this problem focus on detecting and tolerating false information introduced by compromised nodes. They cannot pinpoint exactly where the false information is introduced and who is responsible for it. \par In this article, we propose an application-independent framework for accurately identifying compromised sensor nodes. The framework provides an appropriate abstraction of application-specific detection mechanisms and models the unique properties of sensor networks. Based on the framework, we develop alert reasoning algorithms to identify compromised nodes. The algorithm assumes that compromised nodes may collude at will. We show that our algorithm is optimal in the sense that it identifies the largest number of compromised nodes without introducing false positives. We evaluate the effectiveness of the designed algorithm through comprehensive experiments.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", keywords = "intrusion detection; sensor networks", } @Article{DiPietro:2008:RSN, author = "Roberto {Di Pietro} and Luigi V. Mancini and Alessandro Mei and Alessandro Panconesi and Jaikumar Radhakrishnan", title = "Redoubtable {Sensor Networks}", journal = j-TISSEC, volume = "11", number = "3", pages = "13:1--13:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341734", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We give, for the first time, a precise mathematical analysis of the connectivity and security properties of sensor networks that make use of the random predistribution of keys. We also show how to set the parameters---pool and key ring size---in such a way that the network is not only connected with high probability via secure links but also provably resilient, in the following sense: We formally show that any adversary that captures sensors at random with the aim of compromising a constant fraction of the secure links must capture at least a constant fraction of the nodes of the network. In the context of wireless sensor networks where random predistribution of keys is employed, we are the first to provide a mathematically precise proof, with a clear indication of parameter choice, that two crucial properties---connectivity via secure links and resilience against malicious attacks---can be obtained simultaneously. We also show in a mathematically rigorous way that the network enjoys another strong security property. The adversary cannot partition the network into two linear size components, compromising all the links between them, unless it captures linearly many nodes. This implies that the network is also fault tolerant with respect to node failures. Our theoretical results are complemented by extensive simulations that reinforce our main conclusions.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", keywords = "connectivity; probabilistic key sharing; random graphs; Wireless sensor network", } @Article{Chang:2008:DAP, author = "Katharine Chang and Kang G. Shin", title = "Distributed {Authentication} of {Program Integrity Verification} in {Wireless Sensor Networks}", journal = j-TISSEC, volume = "11", number = "3", pages = "14:1--14:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341735", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Security in wireless sensor networks has become important as they are being developed and deployed for an increasing number of applications. The severe resource constraints in each sensor make it very challenging to secure sensor networks. Moreover, sensors are usually deployed in hostile and unattended environments and hence are susceptible to various attacks, including node capture, physical tampering, and manipulation of the sensor program. Park and Shin [2005] proposed a soft tamper-proofing scheme that verifies the integrity of the program in each sensor device, called the program integrity verification (PIV), in which sensors authenticate PIV servers (PIVSs) using centralized and trusted third-party entities, such as authentication servers (ASs). This article presents a distributed authentication protocol of PIVSs (DAPP) without requiring the commonly used ASs. DAPP uses the Blundo scheme [Blundo et al. 1992] for sensors and PIVSs to establish pairwise keys and for PIVSs to authenticate one another. We also present a protocol for PIVSs to cooperatively detect and revoke malicious PIVSs in the network. We implement and evaluate both DAPP and PIV on Mica2 Motes and laptops, showing that DAPP reduces the sensors' communication traffic in the network by more than 90\% and the energy consumption on each sensor by up to 85\%, as compared to the case of using a centralized AS for authenticating PIVSs. We also analyze the security of DAPP under various attack models, demonstrating its capability in dealing with diverse types of attacks.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", keywords = "distributed authentication; node revocation; program integrity verification; wireless sensor networks", } @Article{Xie:2008:MDA, author = "Liang Xie and Sencun Zhu", title = "Message {Dropping Attacks} in {Overlay Networks}: {Attack Detection} and {Attacker Identification}", journal = j-TISSEC, volume = "11", number = "3", pages = "15:1--15:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341736", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Overlay multicast networks are used by service providers to distribute contents such as Web pages, static and streaming multimedia data, or security updates to a large number of users. However, such networks are extremely vulnerable to message-dropping attacks by malicious or selfish nodes that intentionally drop the packets they are required to forward to others. It is difficult to detect such attacks both efficiently and effectively and to further identify the attackers, especially when members in the overlay switch between online/offline statuses frequently. In this article, we consider various attacking strategies of an attacker and propose an optimal sampling-based scheme to detect such attacks in the overlay network. We analyze the detection problem from a game-theoretical viewpoint and show that our scheme outperforms a random sampling-based scheme in terms of detection rate. In addition, based on a reputation system, we propose a sampling-based path-resolving scheme to identify compromised or selfish nodes. Unlike other existing approaches, our schemes do not assume global knowledge of the overlay hierarchy and work for dynamic overlay networks as well. Extensive analysis and simulation results show that besides being band width efficient, our schemes have high detection and identification rates and low false-positive rates.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", keywords = "attack detection; attacker identification; message dropping attacks; Overlay networks", } @Article{Traynor:2008:NMH, author = "Patrick Traynor and Michael Chien and Scott Weaver and Boniface Hicks and Patrick McDaniel", title = "Noninvasive {Methods} for {Host Certification}", journal = j-TISSEC, volume = "11", number = "3", pages = "16:1--16:??", month = mar, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1341731.1341737", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 12 17:52:50 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Determining whether a user or system is exercising appropriate security practices is difficult in any context. Such difficulties are particularly pronounced when uncontrolled or unknown platforms join public networks. Commonly practiced techniques used to vet these hosts, such as system scans, have the potential to infringe on the privacy of users. In this article, we show that it is possible for clients to prove both the presence and proper functioning of security infrastructure without allowing unrestricted access to their system. We demonstrate this approach, specifically applied to antivirus security, by requiring clients seeking admission to a network to positively identify the presence or absence of malcode in a series of puzzles. The implementation of this mechanism and its application to real networks are also explored. In so doing, we demonstrate that it is not necessary for an administrator to be invasive to determine whether a client implements required security practices.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", keywords = "assurance; certification; malware; network security", } @Article{Avoine:2008:CIT, author = "Gildas Avoine and Pascal Junod and Philippe Oechslin", title = "Characterization and Improvement of Time-Memory Trade-Off Based on Perfect Tables", journal = j-TISSEC, volume = "11", number = "4", pages = "17:1--17:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380565", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Cryptanalytic time-memory trade-offs have been studied for 25 years and have benefited from several improvements since the original work of Hellman. The ensuing variants definitely improve the original trade-off but their real impact has never been evaluated in practice. We fill this lack by analyzing the {\em perfect\/} form of classic tables, distinguished point-based tables, and rainbow tables. We especially provide a thorough analysis of the latter variant, whose performances have never been formally calculated yet. Our analysis leads to the concept of a {\em characteristic\/} that enables to measure the intrinsic quality of a trade-off. We finally introduce a new technique based on {\em checkpoints\/} that still reduces the cryptanalysis time by ruling out false alarms probabilistically. Our analysis yields the exact gain of this approach and establishes its efficiency when applied on rainbow tables.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", keywords = "cryptography; Hellman's time-memory trade-off; password cracking; rainbow tables", } @Article{Yang:2008:SSH, author = "Yi Yang and Xinran Wang and Sencun Zhu and Guohong Cao", title = "{SDAP}: {A} Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "18:1--18:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380568", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Hop-by-hop data aggregation is a very important technique for reducing the communication overhead and energy expenditure of sensor nodes during the process of data collection in a sensor network. However, because individual sensor readings are lost in the per-hop aggregation process, compromised nodes in the network may forge false values as the aggregation results of other nodes, tricking the base station into accepting spurious aggregation results. Here a fundamental challenge is how can the base station obtain a good approximation of the fusion result when a fraction of sensor nodes are compromised?\par To answer this challenge, we propose SDAP, a Secure Hop-by-hop Data Aggregation Protocol for sensor networks. SDAP is a general-purpose secure data aggregation protocol applicable to multiple aggregation functions. The design of SDAP is based on the principles of {\em divide-and-conquer\/} and {\em commit-and-attest}. First, SDAP uses a novel probabilistic grouping technique to dynamically partition the nodes in a tree topology into multiple logical groups (subtrees) of similar sizes. A commitment-based hop-by-hop aggregation is performed in each group to generate a group aggregate. The base station then identifies the suspicious groups based on the set of group aggregates. Finally, each group under suspect participates in an attestation process to prove the correctness of its group aggregate. The aggregate by the base station is calculated over all the group aggregates that are either normal or have passed the attestation procedure. Extensive analysis and simulations show that SDAP can achieve the level of efficiency close to an ordinary hop-by-hop aggregation protocol while providing high assurance on the trustworthiness of the aggregation result. Last, prototype implementation on top of TinyOS shows that our scheme is practical on current generation sensor nodes such as Mica2 motes.", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", keywords = "commit-and-attest; data aggregation; hop-by-hop; probabilistic grouping; sensor network security", } @Article{Radosavac:2008:AFM, author = "Svetlana Radosavac and George Moustakides and John S. Baras and Iordanis Koutsopoulos", title = "An Analytic Framework for Modeling and Detecting Access Layer Misbehavior in Wireless Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "19:1--19:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380567", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The widespread deployment of wireless networks and hot spots that employ the IEEE 802.11 technology has forced network designers to put emphasis on the importance of ensuring efficient and fair use of network resources. In this work we propose a novel framework for detection of intelligent adaptive adversaries in the IEEE 802.11 MAC by addressing the problem of detection of the worst-case scenario attacks. Utilizing the nature of this protocol we employ sequential detection methods for detecting greedy behavior and illustrate their performance for detection of least favorable attacks. By using robust statistics in our problem formulation, we attempt to utilize the precision given by parametric tests, while avoiding the specification of the adversarial distribution. This approach establishes the lowest performance bound of a given Intrusion Detection System (IDS) in terms of detection delay and is applicable in online detection systems where users who pay for their services want to obtain the information about the best and the worst case scenarios and performance bounds of the system. This framework is meaningful for studying misbehavior due to the fact that it does not focus on specific adversarial strategies and therefore is applicable to a wide class of adversarial strategies.", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", keywords = "MAC layer; min-max robust detection; protocol misbehavior; wireless networks", } @Article{Ryu:2008:EID, author = "Young U. Ryu and Hyeun-Suk Rhee", title = "Evaluation of Intrusion Detection Systems Under a Resource Constraint", journal = j-TISSEC, volume = "11", number = "4", pages = "20:1--20:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380566", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "An intrusion detection system plays an important role in a firm's overall security protection. Its main purpose is to identify potentially intrusive events and alert the security personnel to the danger. A typical intrusion detection system, however, is known to be imperfect in detection of intrusive events, resulting in high false-alarm rates. Nevertheless, current intrusion detection models unreasonably assume that upon alerts raised by a system, an information security officer responds to all alarms without any delay and avoids damages of hostile activities. This assumption of responding to all alarms with no time lag is often impracticable. As a result, the benefit of an intrusion detection system can be overestimated by current intrusion detection models. In this article, we extend previous models by including an information security officer's alarm inspection under a constraint as a part of the process in determining the optimal intrusion detection policy. Given a potentially hostile environment for a firm, in which the intrusion rates and costs associated with intrusion and security officers' inspection can be estimated, we outline a framework to establish the optimal operating points for intrusion detection systems under security officers' inspection constraint. The optimal solution to the model will provide not only a basis of better evaluation of intrusion detection systems but also useful insights into operations of intrusion detection systems. The firm can estimate expected benefits for running intrusion detection systems and establish a basis for increase in security personnel to relax security officers' inspection constraint.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", keywords = "computer security; intrusion detection; optimal inspection rates; optimal operating points", } @Article{Halpern:2008:UFO, author = "Joseph Y. Halpern and Vicky Weissman", title = "Using First-Order Logic to Reason about Policies", journal = j-TISSEC, volume = "11", number = "4", pages = "21:1--21:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380569", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A policy describes the conditions under which an action is permitted or forbidden. We show that a fragment of (multi-sorted) first-order logic can be used to represent and reason about policies. Because we use first-order logic, policies have a clear syntax and semantics. We show that further restricting the fragment results in a language that is still quite expressive yet is also tractable. More precisely, questions about entailment, such as ``May Alice access the file?'', can be answered in time that is a low-order polynomial (indeed, almost linear in some cases), as can questions about the consistency of policy sets.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", keywords = "digital rights management", } @Article{Liu:2008:ARL, author = "Donggang Liu and Peng Ning and An Liu and Cliff Wang and Wenliang Kevin Du", title = "Attack-Resistant Location Estimation in Wireless Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "22:1--22:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380570", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Many sensor network applications require sensors' locations to function correctly. Despite the recent advances, location discovery for sensor networks in {\em hostile environments\/} has been mostly overlooked. Most of the existing localization protocols for sensor networks are vulnerable in hostile environments. The security of location discovery can certainly be enhanced by authentication. However, the possible node compromises and the fact that location determination uses certain physical features (e.g., received signal strength) of radio signals make authentication not as effective as in traditional security applications. This article presents two methods to tolerate malicious attacks against range-based location discovery in sensor networks. The first method filters out malicious beacon signals on the basis of the ``consistency'' among multiple beacon signals, while the second method tolerates malicious beacon signals by adopting an iteratively refined voting scheme. Both methods can survive malicious attacks even if the attacks bypass authentication, provided that the benign beacon signals constitute the majority of the beacon signals. This article also presents the implementation and experimental evaluation (through both field experiments and simulation) of all the secure and resilient location estimation schemes that can be used on the current generation of sensor platforms (e.g., MICA series of motes), including the techniques proposed in this article, in a network of MICAz motes. The experimental results demonstrate the effectiveness of the proposed methods, and also give the secure and resilient location estimation scheme most suitable for the current generation of sensor networks.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", keywords = "localization; security; sensor networks", } @Article{Ganeriwal:2008:STS, author = "Saurabh Ganeriwal and Christina P{\"o}pper and Srdjan {\v{C}}apkun and Mani B. Srivastava", title = "Secure Time Synchronization in Sensor Networks", journal = j-TISSEC, volume = "11", number = "4", pages = "23:1--23:??", month = jul, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1380564.1380571", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Aug 5 19:37:22 MDT 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Time synchronization is critical in sensor networks at many layers of their design. It enables better duty-cycling of the radio, accurate and secure localization, beamforming, and other collaborative signal processing tasks. These benefits make time-synchronization protocols a prime target of malicious adversaries who want to disrupt the normal operation of a sensor network. In this article, we analyze attacks on existing time synchronization protocols for wireless sensor networks and we propose a secure time synchronization toolbox to counter these attacks. This toolbox includes protocols for secure pairwise and group synchronization of nodes that either lie in the neighborhood of each other or are separated by multiple hops. We provide an in-depth analysis of the security and the energy overhead of the proposed protocols. The efficiency of these protocols has been tested through an experimental study on Mica2 motes.", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", keywords = "delay; message authentication code; sensor networks; time synchronization", } @Article{Barker:2008:SBA, author = "Steve Barker and Marek J. Sergot and Duminda Wijesekera", title = "Status-Based Access Control", journal = j-TISSEC, volume = "12", number = "1", pages = "1:1--1:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410235", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", keywords = "algebras; distributed security; logic; status-based access control", } @Article{Xu:2008:DSB, author = "Shouhuai Xu and Srdjan {\v{C}}apkun", title = "Distributed and Secure Bootstrapping of Mobile Ad Hoc Networks: Framework and Constructions", journal = j-TISSEC, volume = "12", number = "1", pages = "2:1--2:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410236", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Secure bootstrapping of mobile ad hoc networks (MANETs) is a challenging problem in scenarios in which network users (or nodes) do not share trust relationships prior to the network deployment. In recent years, a number of schemes have been proposed to solve this problem, assuming either no or limited trust between the nodes prior to their deployment. Despite numerous proposals, there is no common understanding of the proposed schemes and of the trade-offs that they provide. This has consequences for both researchers and practitioners, who do not have a clear idea how to compare the schemes and how to select a scheme for a given application. In this article, we present a framework that helps in understanding and comparing schemes for secure bootstrapping of MANETs. The framework is general because it is policy-neutral and can accommodate many existing bootstrapping schemes. The proposed framework can equally serve as a good basis for the development of new MANET bootstrapping schemes; we show how the development of the framework leads to two new (classes of) distributed bootstrapping schemes. Within the framework, we not only investigate and characterize the properties of the relevant bootstrapping schemes, but also give methods for practitioners to select the relevant system parameters in the Random Walk and the (Restricted) Random Waypoint mobility models.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", keywords = "MANETs; secure communication; security bootstrapping", } @Article{Boldyreva:2008:NMS, author = "Alexandra Boldyreva and Craig Gentry and Adam O'Neill and Dae Hyun Yum", title = "New Multiparty Signature Schemes for Network Routing Applications", journal = j-TISSEC, volume = "12", number = "1", pages = "3:1--3:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410237", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We construct two new multiparty digital signature schemes that allow multiple signers to sequentially and non-interactively produce a compact, fixed-length signature. First, we introduce a new primitive that we call {\em ordered multisignature\/} (OMS) scheme, which allows signers to attest to a common message as well as the order in which they signed. Our OMS construction substantially improves computational efficiency and scalability over any existing scheme with suitable functionality. Second, we design a new identity-based sequential aggregate signature scheme, where signers can attest to different messages and signature verification does not require knowledge of traditional public keys. The latter property permits savings on bandwidth and storage as compared to public-key solutions. In contrast to the only prior scheme to provide this functionality, ours offers improved security that does not rely on synchronized clocks or a trusted first signer. We provide formal security definitions and support the proposed schemes with security proofs under appropriate computational assumptions. We focus on applications of our schemes to secure network routing, but we believe that they will find other applications as well.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", keywords = "aggregate signatures; digital signatures; identity-based signatures; multisignatures; network security; pairings", } @Article{Wang:2008:GBA, author = "Wei Wang and Thomas E. Daniels", title = "A Graph Based Approach Toward Network Forensics Analysis", journal = j-TISSEC, volume = "12", number = "1", pages = "4:1--4:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410238", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article we develop a novel graph-based approach toward network forensics analysis. Central to our approach is the evidence graph model that facilitates evidence presentation and automated reasoning. Based on the evidence graph, we propose a hierarchical reasoning framework that consists of two levels. Local reasoning aims to infer the functional states of network entities from local observations. Global reasoning aims to identify important entities from the graph structure and extract groups of densely correlated participants in the attack scenario. This article also presents a framework for interactive hypothesis testing, which helps to identify the attacker's nonexplicit attack activities from secondary evidence. We developed a prototype system that implements the techniques discussed. Experimental results on various attack datasets demonstrate that our analysis mechanism achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", keywords = "evidence graph; hierarchical reasoning; network forensics", } @Article{Halpern:2008:SMS, author = "Joseph Y. Halpern and Kevin R. O'Neill", title = "Secrecy in Multiagent Systems", journal = j-TISSEC, volume = "12", number = "1", pages = "5:1--5:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410239", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a general framework for reasoning about secrecy requirements in multiagent systems. Our definitions extend earlier definitions of secrecy and nondeducibility given by Shannon and Sutherland. Roughly speaking, one agent maintains secrecy with respect to another if the second agent cannot rule out any possibilities for the behavior or state of the first agent. We show that the framework can handle probability and nondeterminism in a clean way, is useful for reasoning about asynchronous systems as well as synchronous systems, and suggests generalizations of secrecy that may be useful for dealing with issues such as resource-bounded reasoning. We also show that a number of well-known attempts to characterize the absence of information flow are special cases of our definitions of secrecy.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", keywords = "information flow; secrecy", } @Article{Yao:2008:PIR, author = "Danfeng Yao and Keith B. Frikken and Mikhail J. Atallah and Roberto Tamassia", title = "Private Information: To Reveal or not to Reveal", journal = j-TISSEC, volume = "12", number = "1", pages = "6:1--6:??", month = oct, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1410234.1410240", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Nov 11 15:54:06 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article studies the notion of quantitative policies for trust management and gives protocols for realizing them in a disclosure-minimizing fashion. Specifically, Bob values each credential with a certain number of points, and requires a minimum total threshold of points before granting Alice access to a resource. In turn, Alice values each of her credentials with a privacy score that indicates her degree of reluctance to reveal that credential. Bob's valuation of credentials and his threshold are private. Alice's privacy-valuation of her credentials is also private. Alice wants to find a subset of her credentials that achieves Bob's required threshold for access, yet is of as small a value to her as possible. We give protocols for computing such a subset of Alice's credentials without revealing any of the two parties' above-mentioned private information. Furthermore, we develop a fingerprint method that allows Alice to independently and easily recover the optimal knapsack solution, once the computed optimal value is given, but also enables verification of the integrity of the optimal value. The fingerprint method is useful beyond the specific authorization problem studied, and can be applied to any integer knapsack dynamic programming in a private setting.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", keywords = "authorization; policies; secure multi-party computation", } @Article{Wright:2008:GES, author = "Rebecca N. Wright and {Sabrina De Capitanidi Vimercati}", title = "Guest Editorial: Special Issue on Computer and Communications Security", journal = j-TISSEC, volume = "12", number = "2", pages = "7:1--7:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455518.1455519", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", } @Article{Lee:2008:ESC, author = "Adam J. Lee and Marianne Winslett", title = "Enforcing Safety and Consistency Constraints in Policy-Based Authorization Systems", journal = j-TISSEC, volume = "12", number = "2", pages = "8:1--8:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455518.1455520", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In trust negotiation and other forms of distributed proving, networked entities cooperate to form proofs of authorization that are justified by collections of certified attribute credentials. These attributes may be obtained through interactions with any number of external entities and are collected and validated over an extended period of time. Although these collections of credentials in some ways resemble partial system snapshots, current trust negotiation and distributed proving systems lack the notion of a consistent global state in which the satisfaction of authorization policies should be checked. In this article, we argue that unlike the notions of consistency studied in other areas of distributed computing, the level of consistency required during policy evaluation is predicated solely upon the security requirements of the policy evaluator. As such, there is little incentive for entities to participate in complicated consistency preservation schemes like those used in distributed computing, distributed databases, and distributed shared memory. We go on to show that the most intuitive notion of consistency fails to provide basic safety guarantees under certain circumstances and then propose several more refined notions of consistency that provide stronger safety guarantees. We provide algorithms that allow each of these refined notions of consistency to be attained in practice with minimal overheads and formally prove several security and privacy properties of these algorithms. Lastly, we explore the notion of strategic design trade-offs in the consistency enforcement algorithm space and propose several modifications to the core algorithms presented in this article. These modifications enhance the privacy-preservation or completeness properties of these algorithms without altering the consistency constraints that they enforce.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", keywords = "consistency; credentials; distributed proving; trust negotiation", } @Article{Golle:2008:DCS, author = "Philippe Golle and Frank McSherry and Ilya Mironov", title = "Data Collection with Self-Enforcing Privacy", journal = j-TISSEC, volume = "12", number = "2", pages = "9:1--9:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1455518.1455521.", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Consider a pollster who wishes to collect private, sensitive data from a number of distrustful individuals. How might the pollster convince the respondents that it is trustworthy? Alternately, what mechanism could the respondents insist upon to ensure that mismanagement of their data is detectable and publicly demonstrable?\par We detail this problem, and provide simple data submission protocols with the properties that a) leakage of private data by the pollster results in evidence of the transgression and b) the evidence cannot be fabricated without breaking cryptographic assumptions. With such guarantees, a responsible pollster could post a ``privacy-bond,'' forfeited to anyone who can provide evidence of leakage. The respondents are assured that appropriate penalties are applied to a leaky pollster, while the protection from spurious indictment ensures that any honest pollster has no disincentive to participate in such a scheme.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", keywords = "data collection; privacy", } @Article{Cadar:2008:EAG, author = "Cristian Cadar and Vijay Ganesh and Peter M. Pawlowski and David L. Dill and Dawson R. Engler", title = "{EXE}: Automatically Generating Inputs of Death", journal = j-TISSEC, volume = "12", number = "2", pages = "10:1--10:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455518.1455522", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow {\em any\/} value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP. Because EXE's constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code).\par EXE works well on real code, finding bugs along with inputs that trigger them in: the BSD and Linux packet filter implementations, the dhcpd DHCP server, the pcre regular expression library, and three Linux file systems.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", keywords = "attack generation; bug finding; constraint solving; dynamic analysis; symbolic execution; test case generation", } @Article{Wang:2008:FBB, author = "Xiaofeng Wang and Zhuowei Li and Jong Youl Choi and Jun Xu and Michael K. Reiter and Chongkyung Kil", title = "Fast and Black-box Exploit Detection and Signature Generation for Commodity Software", journal = j-TISSEC, volume = "12", number = "2", pages = "11:1--11:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455518.1455523", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In biology, a {\em vaccine\/} is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a {\em packet vaccine\/} mechanism that randomizes address-like strings in packet payloads to carry out fast exploit detection and signature generation. An exploit with a randomized jump address behaves like a vaccine: it will likely cause an exception in a vulnerable program's process when attempting to hijack the control flow, and thereby expose itself. Taking that exploit as a template, our signature generator creates a set of new vaccines to probe the program in an attempt to uncover the necessary conditions for the exploit to happen. A signature is built upon these conditions to shield the underlying vulnerability from further attacks. In this way, packet vaccine detects exploits and generates signatures in a black-box fashion, that is, not relying on the knowledge of a vulnerable program's source and binary code. Therefore, it even works on the commodity software obfuscated for the purpose of copyright protection. In addition, since our approach avoids the expense of tracking the program's execution flow, it performs almost as fast as a normal run of the program and is capable of generating a signature of high quality within seconds or even subseconds. We present the design of the packet vaccine mechanism and an example of its application. We also describe our proof-of-concept implementation and the evaluation of our technique using real exploits.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", keywords = "black-box defense; exploit detection; signature generation; vaccine injection; worm", } @Article{Antonatos:2008:PMW, author = "Spiros Antonatos and Periklis Akritidis and Vinh The Lam and Kostas G. Anagnostakis", title = "Puppetnets: Misusing {Web} Browsers as a Distributed Attack Infrastructure", journal = j-TISSEC, volume = "12", number = "2", pages = "12:1--12:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1455518.1455524.", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious or subverted Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation, and reconnaissance scans. We show that attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", keywords = "distributed attacks; malicious software; Web security", } @Article{Xie:2008:TMS, author = "Mengjun Xie and Heng Yin and Haining Wang", title = "Thwarting {E}-mail Spam Laundering", journal = j-TISSEC, volume = "12", number = "2", pages = "13:1--13:??", month = dec, year = "2008", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455518.1455525", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Dec 23 11:58:14 MST 2008", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Laundering e-mail spam through open-proxies or compromised PCs is a widely-used trick to conceal real spam sources and reduce spamming cost in the underground e-mail spam industry. Spammers have plagued the Internet by exploiting a large number of spam proxies. The facility of breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only e-mail users but also victim ISPs, is in great demand but still missing. In this article, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to online detect and break spam laundering activities inside a customer network. Monitoring the bidirectional traffic passing through a network gateway, DBSpam utilizes a simple statistical method, Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. Then DBSpam activates its spam suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on {\em libpcap}, and validate its efficacy on spam detection and suppression through both theoretical analyses and trace-based experiments.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", keywords = "proxy; Spam; SPRT", } @Article{Liang:2009:AIE, author = "Zhenkai Liang and Weiqing Sun and V. N. Venkatakrishnan and R. Sekar", title = "{Alcatraz}: An Isolated Environment for Experimenting with Untrusted Software", journal = j-TISSEC, volume = "12", number = "3", pages = "14:1--14:37", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455527", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article, we present an approach for realizing a {\em safe execution environment (SEE)\/} that enables users to ``try out'' new software (or configuration changes to existing software) without the fear of damaging the system in any manner. A key property of our SEE is that it faithfully reproduces the behavior of applications, as if they were running natively on the underlying (host) operating system. This is accomplished via {\em one-way isolation\/}: processes running within the SEE are given read-access to the environment provided by the host OS, but their write operations are prevented from escaping outside the SEE. As a result, SEE processes cannot impact the behavior of host OS processes, or the integrity of data on the host OS. SEEs support a wide range of tasks, including: study of malicious code, controlled execution of untrusted software, experimentation with software configuration changes, testing of software patches, and so on. It provides a convenient way for users to inspect system changes made within the SEE. If these changes are not accepted, they can be rolled back at the click of a button. Otherwise, the changes can be committed so as to become visible outside the SEE. We provide consistency criteria that ensure semantic consistency of the committed results. We develop two different implementation approaches, one in {\em user-land\/} and the other in the {\em OS kernel}, for realizing a safe-execution environment. Our implementation results show that most software, including fairly complex server and client applications, can run successfully within our SEEs. It introduces low performance overheads, typically below 10 percent.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", keywords = "Isolation; one-way isolation", } @Article{Yao:2009:CAR, author = "Danfeng Yao and Roberto Tamassia", title = "Compact and Anonymous Role-Based Authorization Chain", journal = j-TISSEC, volume = "12", number = "3", pages = "15:1--15:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455528", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a decentralized delegation model called anonymous role-based cascaded delegation. In this model, a delegator can issue authorizations on behalf of her role without revealing her identity. This type of delegation protects the sensitive membership information of a delegator and hides the internal structure of an organization. To provide an efficient storage and transmission mechanism for credentials used in anonymous role-based cascaded delegation, we present a new digital signature scheme that supports both signer anonymity and signature aggregation. Our scheme has compact role signatures that make it especially suitable for ubiquitous computing environments, where users may have mobile computing devices with narrow communication bandwidth and small storage units.", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", keywords = "aggregate signature; anonymity; Delegation", } @Article{Bethencourt:2009:NTP, author = "John Bethencourt and Dawn Song and Brent Waters", title = "New Techniques for Private Stream Searching", journal = j-TISSEC, volume = "12", number = "3", pages = "16:1--16:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455529", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A system for private stream searching, introduced by Ostrovsky and Skeith, allows a client to provide an untrusted server with an encrypted search query. The server uses the query on a stream of documents and returns the matching documents to the client while learning nothing about the nature of the query. We present a new scheme for conducting private keyword search on streaming data which requires $O(m)$ server to client communication complexity to return the content of the matching documents, where $m$ is an upper bound on the size of the documents. The required storage on the server conducting the search is also $O(m)$. The previous best scheme for private stream searching was shown to have $O(m \log m)$ communication and storage complexity. Our solution employs a novel construction in which the user reconstructs the matching files by solving a system of linear equations. This allows the matching documents to be stored in a compact buffer rather than relying on redundancies to avoid collisions in the storage buffer as in previous work. This technique requires a small amount of metadata to be returned in addition to the documents; for this the original scheme of Ostrovsky and Skeith may be employed with $O(m \log m)$ communication and storage complexity. We also present an alternative method for returning the necessary metadata based on a unique encrypted Bloom filter construction. This method requires $O(m \log(t / m))$ communication and storage complexity, where $t$ is the number of documents in the stream. In this article we describe our scheme, prove it secure, analyze its asymptotic performance, and describe a number of extensions. We also provide an experimental analysis of its scalability in practice. Specifically, we consider its performance in the demanding scenario of providing a privacy preserving version of the Google News Alerts service.", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", keywords = "Bloom filter; private information retrieval; private stream searching; public key program obfuscation", } @Article{Crosby:2009:OLR, author = "Scott A. Crosby and Dan S. Wallach and Rudolf H. Riedi", title = "Opportunities and Limits of Remote Timing Attacks", journal = j-TISSEC, volume = "12", number = "3", pages = "17:1--17:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455530", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Many algorithms can take a variable amount of time to complete depending on the data being processed. These timing differences can sometimes disclose confidential information. Indeed, researchers have been able to reconstruct an RSA private key purely by querying an SSL Web server and timing the results. Our work analyzes the limits of attacks based on accurately measuring network response times and jitter over a local network and across the Internet. We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15--100$\mu$s accuracy across the Internet, and as good as 100ns over a local network. Notably, security-related algorithms on Web servers and other network servers need to be carefully engineered to avoid timing channel leaks at the accuracy demonstrated in this article.", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", keywords = "Information leakage; jitter; timing attacks", } @Article{Atallah:2009:DEK, author = "Mikhail J. Atallah and Marina Blanton and Nelly Fazio and Keith B. Frikken", title = "Dynamic and Efficient Key Management for Access Hierarchies", journal = j-TISSEC, volume = "12", number = "3", pages = "18:1--18:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455531", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Hierarchies arise in the context of access control whenever the user population can be modeled as a set of partially ordered classes (represented as a directed graph). A user with access privileges for a class obtains access to objects stored at that class and all descendant classes in the hierarchy. The problem of key management for such hierarchies then consists of assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via efficient key derivation.\par We propose a solution to this problem with the following properties: (1) the space complexity of the public information is the same as that of storing the hierarchy; (2) the private information at a class consists of a single key associated with that class; (3) updates (i.e., revocations and additions) are handled {\em locally\/} in the hierarchy; (4) the scheme is provably secure against collusion; and (5) each node can derive the key of any of its descendant with a number of symmetric-key operations bounded by the length of the path between the nodes. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. The security of our scheme is based on pseudorandom functions, without reliance on the Random Oracle Model.\par Another substantial contribution of this work is that we are able to lower the key derivation time at the expense of modestly increasing the public storage associated with the hierarchy. Insertion of additional, so-called shortcut, edges, allows to lower the key derivation to a small constant number of steps for graphs that are total orders and trees by increasing the total number of edges by a small asymptotic factor such as $O(\log^* n)$ for an $n$-node hierarchy. For more general access hierarchies of dimension $d$, we use a technique that consists of adding dummy nodes and dimension reduction. The key derivation work for such graphs is then linear in $d$ and the increase in the number of edges is by the factor $O(\log^{d - 1} n)$ compared to the one-dimensional case.\par Finally, by making simple modifications to our scheme, we show how to handle extensions proposed by Crampton [2003] of the standard hierarchies to ``limited depth'' and reverse inheritance.", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", keywords = "Efficient key derivation; hierarchical access control; key management", } @Article{Ligatti:2009:RTE, author = "Jay Ligatti and Lujo Bauer and David Walker", title = "Run-Time Enforcement of Nonsafety Policies", journal = j-TISSEC, volume = "12", number = "3", pages = "19:1--19:??", month = jan, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1455526.1455532", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Mon Feb 2 18:03:37 MST 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed.\par This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how to construct a program monitor that provably enforces any reasonable infinite renewal property. We also show that the set of infinite renewal properties includes some nonsafety policies, that is, that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", keywords = "liveness; monitoring; policy enforcement; safety; security automata; security policies", } @Article{Li:2009:RPA, author = "Ninghui Li and Qihua Wang and Mahesh Tripunitara", title = "Resiliency Policies in Access Control", journal = j-TISSEC, volume = "12", number = "4", pages = "20:1--20:??", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1513601.1513602", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce the notion of resiliency policies in the context of access control systems. Such policies require an access control system to be resilient to the absence of users. An example resiliency policy requires that upon removal of any $s$ users, there should still exist $d$ disjoint sets of users such that the users in each set together possess certain permissions of interest. Such a policy ensures that even when emergency situations cause some users to be absent, there still exist independent teams of users that have the permissions necessary for carrying out critical tasks. The Resiliency Checking Problem determines whether an access control state satisfies a given resiliency policy. We show that the general case of the problem and several subcases are intractable (NP hard), and identify two subcases that are solvable in linear time. For the intractable cases, we also identify the complexity class in the polynomial hierarchy to which these problems belong. We discuss the design and evaluation of an algorithm that can efficiently solve instances of nontrivial sizes that belong to the intractable cases of the problem. Furthermore, we study the consistency problem between resiliency policies and static separation of duty policies. Finally, we combine the notions of resiliency and separation of duty to introduce the resilient separation of duty policy, which is useful in situations where both fault-tolerance and fraud-prevention are desired.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; fault-tolerant; policy design", } @Article{Burmester:2009:UCR, author = "Mike Burmester and Tri Van Le and Breno {De Medeiros} and Gene Tsudik", title = "Universally Composable {RFID} Identification and Authentication Protocols", journal = j-TISSEC, volume = "12", number = "4", pages = "21:1--21:??", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1513601.1513603", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "As the number of RFID applications grows, concerns about their security and privacy become greatly amplified. At the same time, the acutely restricted and cost-sensitive nature of RFID tags rules out simple reuse of traditional security/privacy solutions and calls for a new generation of extremely lightweight identification and authentication protocols.\par This article describes a universally composable security framework designed especially for RFID applications. We adopt RFID-specific setup, communication, and concurrency assumptions in a model that guarantees strong security, privacy, and availability properties. In particular, the framework supports modular deployment, which is most appropriate for ubiquitous applications. We also describe a set of simple, efficient, secure, and anonymous (untraceable) RFID identification and authentication protocols that instantiate the proposed framework. These protocols involve minimal interaction between tags and readers and place only a small computational load on the tag, and a light computational burden on the back-end server. We show that our protocols are provably secure within the proposed framework.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", keywords = "authentication and key-exchange protocols; RFID security; universal composability", } @Article{Cabuk:2009:ICC, author = "Serdar Cabuk and Carla E. Brodley and Clay Shields", title = "{IP} Covert Channel Detection", journal = j-TISSEC, volume = "12", number = "4", pages = "22:1--22:29", month = apr, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1513601.1513604", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu May 14 13:53:50 MDT 2009", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95\%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10\%. We then provide effective offline search mechanisms that identify the noisy channels.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", keywords = "channel detection; information hiding; network covert channels", } @Article{Meadows:2009:IAT, author = "Catherine Meadows", title = "Introduction to {ACM TISSEC} special issue on {CCS 2005}", journal = j-TISSEC, volume = "13", number = "1", pages = "1:1--1:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609957", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2009:ATN, author = "Jiangtao Li and Ninghui Li and William H. Winsborough", title = "Automated trust negotiation using cryptographic credentials", journal = j-TISSEC, volume = "13", number = "1", pages = "2:1--2:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609958", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", } @Article{Zhuang:2009:KAE, author = "Li Zhuang and Feng Zhou and J. D. Tygar", title = "Keyboard acoustic emanations revisited", journal = j-TISSEC, volume = "13", number = "1", pages = "3:1--3:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609959", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", } @Article{Abadi:2009:CFI, author = "Mart{\'\i}n Abadi and Mihai Budiu and {\'U}lfar Erlingsson and Jay Ligatti", title = "Control-flow integrity principles, implementations, and applications", journal = j-TISSEC, volume = "13", number = "1", pages = "4:1--4:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609960", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", } @Article{Etalle:2009:MCW, author = "Sandro Etalle and William H. Winsborough", title = "Maintaining control while delegating trust: Integrity constraints in trust management", journal = j-TISSEC, volume = "13", number = "1", pages = "5:1--5:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609961", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", } @Article{Carminati:2009:EAC, author = "Barbara Carminati and Elena Ferrari and Andrea Perego", title = "Enforcing access control in {Web}-based social networks", journal = j-TISSEC, volume = "13", number = "1", pages = "6:1--6:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609962", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", } @Article{Juels:2009:DSP, author = "Ari Juels and Stephen A. Weis", title = "Defining strong privacy for {RFID}", journal = j-TISSEC, volume = "13", number = "1", pages = "7:1--7:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609963", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", } @Article{Zhu:2009:CAC, author = "Ye Zhu and Riccardo Bettati", title = "Compromising anonymous communication systems using blind source separation", journal = j-TISSEC, volume = "13", number = "1", pages = "8:1--8:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609964", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", } @Article{Sang:2009:ESP, author = "Yingpeng Sang and Hong Shen", title = "Efficient and secure protocols for privacy-preserving set operations", journal = j-TISSEC, volume = "13", number = "1", pages = "9:1--9:??", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609965", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", } @Article{Dorrendorf:2009:CRN, author = "Leo Dorrendorf and Zvi Gutterman and Benny Pinkas", title = "Cryptanalysis of the random number generator of the {Windows} operating system", journal = j-TISSEC, volume = "13", number = "1", pages = "10:1--10:32", month = oct, year = "2009", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1609956.1609966", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:12 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The PseudoRandom Number Generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudorandomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.\par We examined the binary code of a distribution of Windows 2000. This investigation was done without any help from Microsoft.We reconstructed the algorithm used by the pseudorandom number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a nontrivial attack: Given the internal state of the generator, the previous state can be computed in 223 steps. This attack on forward security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. After our analysis was published, Microsoft acknowledged that Windows XP is vulnerable to the same attack.\par We also analyzed the way in which the generator is used by the operating system and found that it amplifies the effect of the attack: The generator is run in user mode rather than in kernel mode; therefore, it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system-generated entropy only after generating 128KB of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128KB of the past and future output of the generator.\par The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operations. This attack is more severe and more efficient than known attacks in which an attack", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", } @Article{diVimercati:2010:GES, author = "Sabrina de Capitani di Vimercati and Paul Syverson", title = "Guest editorial: Special issue on computer and communications security", journal = j-TISSEC, volume = "13", number = "2", pages = "11:1--11:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698751", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", } @Article{Jiang:2010:SMD, author = "Xuxian Jiang and Xinyuan Wang and Dongyan Xu", title = "Stealthy malware detection and monitoring through {VMM}-based ``out-of-the-box'' semantic view reconstruction", journal = j-TISSEC, volume = "13", number = "2", pages = "12:1--12:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698752", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", } @Article{Hopper:2010:HMA, author = "Nicholas Hopper and Eugene Y. Vasserman and Eric Chan-TIN", title = "How much anonymity does network latency leak?", journal = j-TISSEC, volume = "13", number = "2", pages = "13:1--13:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698753", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", } @Article{Bisht:2010:CDC, author = "Prithvi Bisht and P. Madhusudan and V. N. Venkatakrishnan", title = "{CANDID}: Dynamic candidate evaluations for automatic prevention of {SQL} injection attacks", journal = j-TISSEC, volume = "13", number = "2", pages = "14:1--14:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698754", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", } @Article{Ponec:2010:NPA, author = "Miroslav Ponec and Paul Giura and Joel Wein and Herv{\'e} Br{\"o}nnimann", title = "New payload attribution methods for network forensic investigations", journal = j-TISSEC, volume = "13", number = "2", pages = "15:1--15:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698755", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", } @Article{Moran:2010:SBV, author = "Tal Moran and Moni Naor", title = "Split-ballot voting: Everlasting privacy with distributed trust", journal = j-TISSEC, volume = "13", number = "2", pages = "16:1--16:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698756", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", } @Article{Lysyanskaya:2010:AEC, author = "Anna Lysyanskaya and Roberto Tamassia and Nikos Triandopoulos", title = "Authenticated error-correcting codes with applications to multicast authentication", journal = j-TISSEC, volume = "13", number = "2", pages = "17:1--17:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698757", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", } @Article{Wang:2010:DVT, author = "Xiaofeng Wang and Philippe Golle and Markus Jakobsson and Alex Tsow", title = "Deterring voluntary trace disclosure in re-encryption mix-networks", journal = j-TISSEC, volume = "13", number = "2", pages = "18:1--18:??", month = feb, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1698750.1698758", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Tue Mar 16 10:18:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", } @Article{Biskup:2010:EE, author = "Joachim Biskup and Javier Lopez", title = "Editorial: {ESORICS 2007}", journal = j-TISSEC, volume = "13", number = "3", pages = "19:1--19:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805975", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", } @Article{Becker:2010:LSM, author = "Moritz Y. Becker and Sebastian Nanz", title = "A logic for state-modifying authorization policies", journal = j-TISSEC, volume = "13", number = "3", pages = "20:1--20:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805976", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Administering and maintaining access control systems is a challenging task, especially in environments with complex and changing authorization requirements. A number of authorization logics have been proposed that aim at simplifying access control by factoring the authorization policy out of the hard-coded resource guard. However, many policies require the authorization state to be updated after a granted access request, for example, to reflect the fact that a user has activated or deactivated a role. Current authorization languages cannot express such state modifications; these still have to be hard-coded into the resource guard. We present a logic for specifying policies where access requests can have effects on the authorization state. The logic is semantically defined by a mapping to Transaction Logic. Using this approach, updates to the state are factored out of the resource guard, thus enhancing maintainability and facilitating more expressive policies that take the history of access requests into account. We also present a sound and complete proof system for reasoning about sequences of access requests. This gives rise to a goal-oriented algorithm for finding minimal sequences that lead to a specified target authorization state.", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; Authorization; Hoare logic; policy", } @Article{Barthe:2010:SMP, author = "Gilles Barthe and Tamara Rezk and Alejandro Russo and Andrei Sabelfeld", title = "Security of multithreaded programs by compilation", journal = j-TISSEC, volume = "13", number = "3", pages = "21:1--21:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1895977", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "End-to-End security of mobile code requires that the code neither intentionally nor accidentally propagates sensitive information to an adversary. Although mobile code is commonly multithreaded low-level code, there lack enforcement mechanisms that ensure information security for such programs. The modularity is three-fold: we give modular extensions of sequential semantics, sequential security typing, and sequential security-type preserving compilation that allow us enforcing security for multithreaded programs. Thanks to the modularity, there are no more restrictions on multithreaded source programs than on sequential ones, and yet we guarantee that their compilations are provably secure for a wide class of schedulers.", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", keywords = "compilers; Noninterference; schedulers; type systems", } @Article{Ciriani:2010:CFE, author = "Valentina Ciriani and Sabrina {De Capitani Di Vimercati} and Sara Foresti and Sushil Jajodia and Stefano Paraboschi and Pierangela Samarati", title = "Combining fragmentation and encryption to protect privacy in data storage", journal = j-TISSEC, volume = "13", number = "3", pages = "22:1--22:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805978", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive.\par In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost are able to retrieve solutions close to optimum.", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", keywords = "encryption; fragmentation; Privacy", } @Article{Thuraisingham:2010:ES, author = "Bhavani Thuraisingham", title = "Editorial: {SACMAT 2007}", journal = j-TISSEC, volume = "13", number = "3", pages = "23:1--23:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805979", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", } @Article{Ni:2010:PAR, author = "Qun Ni and Elisa Bertino and Jorge Lobo and Carolyn Brodie and Clare-Marie Karat and John Karat and Alberto Trombeta", title = "Privacy-aware role-based access control", journal = j-TISSEC, volume = "13", number = "3", pages = "24:1--24:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805980", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. The key component of the framework is a family of models (P-RBAC) that extend the well-known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We formally define the notion of privacy-aware permissions and the notion of conflicting permission assignments in P-RBAC, together with efficient conflict-checking algorithms. The framework also includes a flexible authoring tool, based on the use of the SPARCLE system, supporting the high-level specification of P-RBAC permissions. SPARCLE supports the use of natural language for authoring policies and is able to automatically generate P-RBAC permissions from these natural language specifications. In the article, we also report performance evaluation results and contrast our approach with other relevant access control and privacy policy frameworks such as P3P, EPAL, and XACML.", acknowledgement = ack-nhfb, articleno = "24", fjournal = "ACM Transactions on Information and System Security", keywords = "model; Privacy; purpose; Role-based access control", } @Article{Lee:2010:CDP, author = "Adam J. Lee and Kazuhiro Minami and Marianne Winslett", title = "On the consistency of distributed proofs with hidden subtrees", journal = j-TISSEC, volume = "13", number = "3", pages = "25:1--25:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805981", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Previous work has shown that distributed authorization systems that fail to sample a consistent snapshot of the underlying system during policy evaluation are vulnerable to a number of attacks. Unfortunately, the consistency enforcement solutions presented in previous work were designed for systems in which only CA-certified evidence is used during the decision-making process, all of which is available to the decision-making node at runtime. In this article, we generalize previous results and present light-weight mechanisms through which consistency constraints can be enforced in proof systems in which the full details of a proof may be unavailable to the querier due to information release policies, and the existence of certificate authorities for certifying evidence is unlikely; these types of distributed proof systems are likely candidates for use in pervasive computing and sensor network environments. We present modifications to one such distributed proof system that enable three types of consistency constraints to be enforced while still respecting the same confidentiality and integrity policies as the original proof system. We then discuss how these techniques can be adapted and applied to other, less restrictive, distributed proof systems. Further, we detail a performance analysis that illustrates the modest overheads of our consistency enforcement schemes.", acknowledgement = ack-nhfb, articleno = "25", fjournal = "ACM Transactions on Information and System Security", keywords = "Consistency; distributed proving; pervasive computing", } @Article{Hicks:2010:LSA, author = "Boniface Hicks and Sandra Rueda and Luke St. Clair and Trent Jaeger and Patrick McDaniel", title = "A logical specification and analysis for {SELinux MLS} policy", journal = j-TISSEC, volume = "13", number = "3", pages = "26:1--26:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1805874.1805982", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The SELinux mandatory access control (MAC) policy has recently added a multilevel security (MLS) model which is able to express a fine granularity of control over a subject's access rights. The problem is that the richness of the SELinux MLS model makes it impractical to manually evaluate that a given policy meets certain specific properties. To address this issue, we have modeled the SELinux MLS model, using a logical specification and implemented that specification in the Prolog language. Furthermore, we have developed some analyses for testing information flow properties of a given policy as well as an algorithm to determine whether one policy is compliant with another. We have implemented these analyses in Prolog and compiled our implementation into a tool for SELinux MLS policy analysis, called PALMS. Using PALMS, we verified some important properties of the SELinux MLS reference policy, namely that it satisfies the simple security condition and {\SGMLsstarf}-property defined by Bell and LaPadula. We also evaluated whether the policy associated to a given application is compliant with the policy of the SELinux system in which it would be deployed.", acknowledgement = ack-nhfb, articleno = "26", fjournal = "ACM Transactions on Information and System Security", keywords = "multilevel security; policy analysis; policy compliance; SELinux", } @Article{Vaidya:2010:RMP, author = "Jaideep Vaidya and Vijayalakshmi Atluri and Qi Guo", title = "The role mining problem: {A} formal perspective", journal = j-TISSEC, volume = "13", number = "3", pages = "27:1--27:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1895983", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness/interestingness --- when is a role good/interesting? In this article, we define the {\em Role Mining Problem\/} (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this article is to formally define RMP and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the {\em {\delta}-Approx RMP\/} and the {\em minimal-noise RMP\/} that have pragmatic implications. We reduce the known ``Set Basis Problem'' to RMP to show that RMP is an NP-complete problem. An important contribution of this article is also to show the relation of the RMP to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction. We also develop a heuristic solution based on the previously proposed FastMiner algorithm, which is very accurate and efficient.", acknowledgement = ack-nhfb, articleno = "27", fjournal = "ACM Transactions on Information and System Security", keywords = "RBAC; role engineering; role mining", } @Article{Carminati:2010:FEA, author = "Barbara Carminati and Elena Ferrari and Jianneng Cao and Kian Lee Tan", title = "A framework to enforce access control over data streams", journal = j-TISSEC, volume = "13", number = "3", pages = "28:1--28:??", month = jul, year = "2010", CODEN = "ATISBQ", DOI = "http://doi.acm.org/10.1145/1805974.1805984", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jul 28 14:57:15 MDT 2010", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.", acknowledgement = ack-nhfb, articleno = "28", fjournal = "ACM Transactions on Information and System Security", keywords = "access control; Data stream; secure query rewriting", } @Article{Kate:2010:PBO, author = "Aniket Kate and Greg M. Zaverucha and Ian Goldberg", title = "Pairing-Based Onion Routing with Improved Forward Secrecy", journal = j-TISSEC, volume = "13", number = "4", pages = "29:1--29:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880023", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents new protocols for onion routing anonymity networks. We define a provably secure privacy-preserving key agreement scheme in an identity-based infrastructure setting, and use it to design new onion routing circuit constructions. These constructions, based on a user's selection, offer immediate or eventual forward secrecy at each node in a circuit and require significantly less computation and communication than the telescoping mechanism used by the Tor project. Further, the use of an identity-based infrastructure also leads to a reduction in the required amount of authenticated directory information.", acknowledgement = ack-nhfb, articleno = "29", fjournal = "ACM Transactions on Information and System Security", } @Article{Pennington:2010:SBI, author = "Adam G. Pennington and John Linwood Griffin and John S. Bucy and John D. Strunk and Gregory R. Ganger", title = "Storage-Based Intrusion Detection", journal = j-TISSEC, volume = "13", number = "4", pages = "30:1--30:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880024", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection.", acknowledgement = ack-nhfb, articleno = "30", fjournal = "ACM Transactions on Information and System Security", } @Article{Bobba:2010:ABM, author = "Rakesh Bobba and Omid Fatemieh and Fariba Khan and Arindam Khan and Carl A. Gunter and Himanshu Khurana and Manoj Prabhakaran", title = "Attribute-Based Messaging: Access Control and Confidentiality", journal = j-TISSEC, volume = "13", number = "4", pages = "31:1--31:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880025", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Attribute-Based Messaging (ABM) enables messages to be addressed using attributes of recipients rather than an explicit list of recipients. Such messaging offers benefits of efficiency, exclusiveness, and intensionality, but faces challenges in access control and confidentiality. In this article we explore an approach to intraenterprise ABM based on providing access control and confidentiality using information from the same attribute database exploited by the addressing scheme. We show how to address three key challenges. First, we demonstrate a manageable access control system based on attributes. Second, we demonstrate use of attribute-based encryption to provide end-to-end confidentiality. Third, we show that such a system can be efficient enough to support ABM for mid-size enterprises.", acknowledgement = ack-nhfb, articleno = "31", fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2010:AIS, author = "Feifei Li and Marios Hadjieleftheriou and George Kollios and Leonid Reyzin", title = "Authenticated Index Structures for Aggregation Queries", journal = j-TISSEC, volume = "13", number = "4", pages = "32:1--32:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880026", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Query authentication is an essential component in Outsourced DataBase (ODB) systems. This article introduces efficient index structures for authenticating aggregation queries over large datasets. First, we design an index that features good performance characteristics for static environments. Then, we propose more involved structures for the dynamic case. Our structures feature excellent performance for authenticating queries with multiple aggregate attributes and multiple selection predicates. Furthermore, our techniques cover a large number of aggregate types, including distributive aggregates (such as SUM, COUNT, MIN, and MAX), algebraic aggregates (such as the AVG), and holistic aggregates (such as MEDIAN and QUANTILE). We have also addressed the issue of authenticating aggregation queries efficiently when the database is encrypted to protect data confidentiality.", acknowledgement = ack-nhfb, articleno = "32", fjournal = "ACM Transactions on Information and System Security", } @Article{Sarkar:2010:SGC, author = "Palash Sarkar", title = "A Simple and Generic Construction of Authenticated Encryption with Associated Data", journal = j-TISSEC, volume = "13", number = "4", pages = "33:1--33:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880027", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We revisit the problem of constructing a protocol for performing Authenticated Encryption with Associated Data (AEAD). A technique is described which combines a collision-resistant hash function with a protocol for Authenticated Encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256-bit hash function is combined with some known single-pass AE protocols employing either 128-bit or 256-bit block ciphers. This results in possible efficiency improvement in the processing of the header.", acknowledgement = ack-nhfb, articleno = "33", fjournal = "ACM Transactions on Information and System Security", } @Article{Schultz:2010:MMP, author = "David Schultz and Barbara Liskov and Moses Liskov", title = "{MPSS}: {Mobile Proactive Secret Sharing}", journal = j-TISSEC, volume = "13", number = "4", pages = "34:1--34:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880028", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article describes MPSS, a new way to do proactive secret sharing. MPSS provides mobility: The group of nodes holding the shares of the secret can change at each resharing, which is essential in a long-lived system. MPSS additionally allows the number of tolerated faulty shareholders to change when the secret is moved so that the system can tolerate more (or fewer) corruptions; this allows reconfiguration on-the-fly to accommodate changes in the environment. MPSS includes an efficient protocol that is intended to be used in practice. The protocol is optimized for the common case of no or few failures, but degradation when there are more failures is modest.", acknowledgement = ack-nhfb, articleno = "34", fjournal = "ACM Transactions on Information and System Security", } @Article{Wright:2010:USP, author = "Charles V. Wright and Lucas Ballard and Scott E. Coull and Fabian Monrose and Gerald M. Masson", title = "Uncovering Spoken Phrases in Encrypted Voice over {IP} Conversations", journal = j-TISSEC, volume = "13", number = "4", pages = "35:1--35:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880029", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To do so, we train a hidden Markov model using only knowledge of the phonetic pronunciations of words, such as those provided by a dictionary, and search packet sequences for instances of specified phrases. Our approach does not require examples of the speaker's voice, or even example recordings of the words that make up the target phrase. We evaluate our techniques on a standard speech recognition corpus containing over 2,000 phonetically rich phrases spoken by 630 distinct speakers from across the continental United States. Our results indicate that we can identify phrases within encrypted calls with an average accuracy of 50\%, and with accuracy greater than 90\% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.", acknowledgement = ack-nhfb, articleno = "35", fjournal = "ACM Transactions on Information and System Security", } @Article{Molloy:2010:MRM, author = "Ian Molloy and Hong Chen and Tiancheng Li and Qihua Wang and Ninghui Li and Elisa Bertino and Seraphin Calo and Jorge Lobo", title = "Mining Roles with Multiple Objectives", journal = j-TISSEC, volume = "13", number = "4", pages = "36:1--36:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880030", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "With the growing adoption of Role-Based Access Control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed to use data mining techniques to discover roles to complement the costly top-down approaches for RBAC system construction. An important problem is how to construct RBAC systems with low complexity. In this article, we define the notion of weighted structural complexity measure and propose a role mining algorithm that mines RBAC systems with low structural complexity. Another key problem that has not been adequately addressed by existing role mining approaches is how to discover roles with semantic meanings.", acknowledgement = ack-nhfb, articleno = "36", fjournal = "ACM Transactions on Information and System Security", } @Article{Libert:2010:KES, author = "Beno{\^\i}t Libert and Jean-Jacques Quisquater and Moti Yung", title = "Key Evolution Systems in Untrusted Update Environments", journal = j-TISSEC, volume = "13", number = "4", pages = "37:1--37:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880031", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Forward-Secure Signatures (FSS) prevent forgeries for past time periods when an attacker obtains full access to the signer's storage by evolving the private key in a one-way fashion. To simplify the integration of these primitives into standard security architectures, Boyen et al. [2006] recently introduced the concept of forward-secure signatures with untrusted updates where private keys are additionally protected by a second factor (derived from a password). Key updates can be made on encrypted version of signing keys so that passwords only come into play for signing messages and not at update time (since update is not user-driven). The scheme put forth by Boyen et al.", acknowledgement = ack-nhfb, articleno = "37", fjournal = "ACM Transactions on Information and System Security", } @Article{Zage:2010:RDV, author = "David Zage and Cristina Nita-Rotaru", title = "Robust Decentralized Virtual Coordinate Systems in Adversarial Environments", journal = j-TISSEC, volume = "13", number = "4", pages = "38:1--38:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880032", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Virtual coordinate systems provide an accurate and efficient service that allows hosts on the Internet to determine the latency to arbitrary hosts without actively monitoring all of the nodes in the network. Many of the proposed systems were designed with the assumption that all of the nodes are altruistic. However, this assumption may be violated by compromised nodes acting maliciously to degrade the accuracy of the coordinate system. As numerous peer-to-peer applications come to rely on virtual coordinate systems to achieve good performance, it is critical to address the security of such systems. In this work, we demonstrate the vulnerability of decentralized virtual coordinate systems to insider (or Byzantine) attacks.", acknowledgement = ack-nhfb, articleno = "38", fjournal = "ACM Transactions on Information and System Security", } @Article{Tsang:2010:BRR, author = "Patrick P. Tsang and Man Ho Au and Apu Kapadia and Sean W. Smith", title = "{BLAC}: Revoking Repeatedly Misbehaving Anonymous Users without Relying on {TTPs}", journal = j-TISSEC, volume = "13", number = "4", pages = "39:1--39:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880033", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user's privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, some systems have been proposed in which users can be deanonymized only if they authenticate ``too many times,'' such as ``double spending'' with electronic cash. While useful in some applications, such techniques cannot be generalized to more subjective definitions of misbehavior, for example, using such schemes it is not possible to block anonymous users who ``deface too many Web pages'' on a Web site.", acknowledgement = ack-nhfb, articleno = "39", fjournal = "ACM Transactions on Information and System Security", } @Article{Wang:2010:SRW, author = "Qihua Wang and Ninghui Li", title = "Satisfiability and Resiliency in Workflow Authorization Systems", journal = j-TISSEC, volume = "13", number = "4", pages = "40:1--40:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880034", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose the role-and-relation-based access control (R2BAC) model for workflow authorization systems. In R2BAC, in addition to a user's role memberships, the user's relationships with other users help determine whether the user is allowed to perform a certain step in a workflow. For example, a constraint may require that two steps must not be performed by users who have conflicts of interests. We study computational complexity of the workflow satisfiability problem, which asks whether a set of users can complete a workflow. In particular, we apply tools from parameterized complexity theory to better understand the complexities of this problem. Furthermore, we reduce the workflow satisfiability problem to SAT and apply SAT solvers to address the problem.", acknowledgement = ack-nhfb, articleno = "40", fjournal = "ACM Transactions on Information and System Security", } @Article{Mukhamedov:2010:IEP, author = "Aybek Mukhamedov and Mark D. Ryan", title = "Identity Escrow Protocol and Anonymity Analysis in the Applied Pi-Calculus", journal = j-TISSEC, volume = "13", number = "4", pages = "41:1--41:??", month = dec, year = "2010", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1880022.1880035", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Wed Jan 12 17:10:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Anonymity with identity escrow attempts to allow users of an online service to remain anonymous, while providing the possibility that the service owner can break the anonymity in exceptional circumstances, such as to assist in a criminal investigation. In the article, we propose an identity escrow protocol that distributes user identity among several escrow agents. The main feature of our scheme is it is based on standard encryption algorithms and it provides user anonymity even if all but one escrow holders are dishonest acting in a coalition. We also present analysis of the anonymity property of our protocol in the applied pi-calculus.", acknowledgement = ack-nhfb, articleno = "41", fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2011:ISS, author = "Ninghui Li", title = "Introduction to special section {SACMAT'08}", journal = j-TISSEC, volume = "14", number = "1", pages = "1:1--1:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952983", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", } @Article{Bauer:2011:DRP, author = "Lujo Bauer and Scott Garriss and Michael K. Reiter", title = "Detecting and resolving policy misconfigurations in access-control systems", journal = j-TISSEC, volume = "14", number = "1", pages = "2:1--2:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952984", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration, and, in the context of particular applications (e.g., health care), very severe consequences. In this article we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users' intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires the consent of the appropriate administrator, of course, and so a primary contribution of our work is how to automatically determine from whom to seek consent and how to minimize the costs of doing so.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", } @Article{Wei:2011:ARH, author = "Qiang Wei and Jason Crampton and Konstantin Beznosov and Matei Ripeanu", title = "Authorization recycling in hierarchical {RBAC} systems", journal = j-TISSEC, volume = "14", number = "1", pages = "3:1--3:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952985", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "As distributed applications increase in size and complexity, traditional authorization architectures based on a dedicated authorization server become increasingly fragile because this decision point represents a single point of failure and a performance bottleneck. Authorization caching, which enables the reuse of previous authorization decisions, is one technique that has been used to address these challenges. This article introduces and evaluates the mechanisms for authorization ``recycling'' in RBAC enterprise systems. The algorithms that support these mechanisms allow making precise and approximate authorization decisions, thereby masking possible failures of the authorization server and reducing its load. We evaluate these algorithms analytically as well as using simulation and a prototype implementation.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", } @Article{Bohli:2011:RAP, author = "Jens-Matthias Bohli and Andreas Pashalidis", title = "Relations among privacy notions", journal = j-TISSEC, volume = "14", number = "1", pages = "4:1--4:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952986", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "This article presents a hierarchy of privacy notions that covers multiple anonymity and unlinkability variants. The underlying definitions, which are based on the idea of indistinguishability between two worlds, provide new insights into the relation between, and the fundamental structure of, different privacy notions. We furthermore place previous privacy definitions concerning group signature, anonymous communication, and secret voting systems in the context of our hierarchy; this renders these traditionally disconnected notions comparable.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", } @Article{Oligeri:2011:REA, author = "Gabriele Oligeri and Stefano Chessa and Roberto {Di Pietro} and Gaetano Giunta", title = "Robust and efficient authentication of video stream broadcasting", journal = j-TISSEC, volume = "14", number = "1", pages = "5:1--5:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952987", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a novel video stream authentication scheme which combines signature amortization by means of hash chains and an advanced watermarking technique. We propose a new hash chain construction, the Duplex Hash Chain, which allows us to achieve bit-by-bit authentication that is robust to low bit error rates. This construction is well suited for wireless broadcast communications characterized by low packet losses such as in satellite networks. Moreover, neither hardware upgrades nor specific end-user equipment are needed to enjoy the authentication services. The computation overhead experienced on the receiver only sums to two hashes per block of pictures and one digital signature verification for the whole received stream.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", } @Article{Demsky:2011:CAD, author = "Brian Demsky", title = "Cross-application data provenance and policy enforcement", journal = j-TISSEC, volume = "14", number = "1", pages = "6:1--6:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952988", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We present a new technique that can trace data provenance and enforce data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to implement this technique on arbitrary binaries. Users can use Garm to attach access policies to data and Garm enforces the policy on all accesses to the data (and any derived data) across all applications and executions. Garm uses static analysis to generate optimized instrumentation that traces the provenance of an application's state and the policies that apply to this state. Garm monitors the interactions of the application with the underlying operating system to enforce policies.", acknowledgement = ack-nhfb, articleno = "6", fjournal = "ACM Transactions on Information and System Security", } @Article{Dong:2011:PDA, author = "Jing Dong and Reza Curtmola and Cristina Nita-Rotaru", title = "Practical defenses against pollution attacks in wireless network coding", journal = j-TISSEC, volume = "14", number = "1", pages = "7:1--7:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952989", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Recent studies have shown that network coding can provide significant benefits to network protocols, such as increased throughput, reduced network congestion, higher reliability, and lower power consumption. The core principle of network coding is that intermediate nodes actively mix input packets to produce output packets. This mixing subjects network coding systems to a severe security threat, known as a pollution attack, where attacker nodes inject corrupted packets into the network. Corrupted packets propagate in an epidemic manner, depleting network resources and significantly decreasing throughput. Pollution attacks are particularly dangerous in wireless networks, where attackers can easily inject packets or compromise devices due to the increased network vulnerability.", acknowledgement = ack-nhfb, articleno = "7", fjournal = "ACM Transactions on Information and System Security", } @Article{Schneider:2011:NAL, author = "Fred B. Schneider and Kevin Walsh and Emin G{\"u}n Sirer", title = "{Nexus Authorization Logic (NAL)}: Design rationale and applications", journal = j-TISSEC, volume = "14", number = "1", pages = "8:1--8:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952990", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Nexus Authorization Logic (NAL) provides a principled basis for specifying and reasoning about credentials and authorization policies. It extends prior access control logics that are based on ``says'' and ``speaks for'' operators. NAL enables authorization of access requests to depend on (i) the source or pedigree of the requester, (ii) the outcome of any mechanized analysis of the requester, or (iii) the use of trusted software to encapsulate or modify the requester. To illustrate the convenience and expressive power of this approach to authorization, a suite of document-viewer applications was implemented to run on the Nexus operating system.", acknowledgement = ack-nhfb, articleno = "8", fjournal = "ACM Transactions on Information and System Security", } @Article{Bruns:2011:ACB, author = "Glenn Bruns and Michael Huth", title = "Access control via {Belnap} logic: Intuitive, expressive, and analyzable policy composition", journal = j-TISSEC, volume = "14", number = "1", pages = "9:1--9:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952991", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Access control to IT systems increasingly relies on the ability to compose policies. Hence there is benefit in any framework for policy composition that is intuitive, formal (and so ``analyzable'' and ``implementable''), expressive, independent of specific application domains, and yet able to be extended to create domain-specific instances. Here we develop such a framework based on Belnap logic. An access-control policy is interpreted as a four-valued predicate that maps access requests to either grant, deny, conflict, or unspecified -- the four values of the Belnap bilattice. We define an expressive access-control policy language PBel, having composition operators based on the operators of Belnap logic.", acknowledgement = ack-nhfb, articleno = "9", fjournal = "ACM Transactions on Information and System Security", } @Article{Coull:2011:ACO, author = "Scott E. Coull and Matthew Green and Susan Hohenberger", title = "Access controls for oblivious and anonymous systems", journal = j-TISSEC, volume = "14", number = "1", pages = "10:1--10:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952992", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The use of privacy-enhancing cryptographic protocols, such as anonymous credentials and oblivious transfer, could have a detrimental effect on the ability of providers to effectively implement access controls on their content. In this article, we propose a stateful anonymous credential system that allows the provider to implement nontrivial, real-world access controls on oblivious protocols conducted with anonymous users. Our system models the behavior of users as a state machine and embeds that state within an anonymous credential to restrict access to resources based on the state information. The use of state machine models of user behavior allows the provider to restrict the users' actions according to a wide variety of access control models without learning anything about the users' identities or actions.", acknowledgement = ack-nhfb, articleno = "10", fjournal = "ACM Transactions on Information and System Security", } @Article{Burmester:2011:LRA, author = "Mike Burmester and Jorge Munilla", title = "Lightweight {RFID} authentication with forward and backward security", journal = j-TISSEC, volume = "14", number = "1", pages = "11:1--11:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952993", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We propose a lightweight RFID authentication protocol that supports forward and backward security. The only cryptographic mechanism that this protocol uses is a pseudorandom number generator (PRNG) that is shared with the backend Server. Authentication is achieved by exchanging a few numbers (3 or 5) drawn from the PRNG. The lookup time is constant, and the protocol can be easily adapted to prevent online man-in-the-middle relay attacks. Security is proven in the UC security framework.", acknowledgement = ack-nhfb, articleno = "11", fjournal = "ACM Transactions on Information and System Security", } @Article{Ateniese:2011:RDC, author = "Giuseppe Ateniese and Randal Burns and Reza Curtmola and Joseph Herring and Osama Khan and Lea Kissner and Zachary Peterson and Dawn Song", title = "Remote data checking using provable data possession", journal = j-TISSEC, volume = "14", number = "1", pages = "12:1--12:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952994", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems.", acknowledgement = ack-nhfb, articleno = "12", fjournal = "ACM Transactions on Information and System Security", } @Article{Liu:2011:FDI, author = "Yao Liu and Peng Ning and Michael K. Reiter", title = "False data injection attacks against state estimation in electric power grids", journal = j-TISSEC, volume = "14", number = "1", pages = "13:1--13:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952995", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including interacting bad measurements introduced by arbitrary, nonrandom causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this article, we expose an unknown vulnerability of existing bad measurement detection algorithms by presenting and analyzing a new class of attacks, called false data injection attacks, against state estimation in electric power grids.", acknowledgement = ack-nhfb, articleno = "13", fjournal = "ACM Transactions on Information and System Security", } @Article{Crampton:2011:PEC, author = "Jason Crampton", title = "Practical and efficient cryptographic enforcement of interval-based access control policies", journal = j-TISSEC, volume = "14", number = "1", pages = "14:1--14:??", month = may, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/1952982.1952996", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Jun 2 07:27:23 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "The enforcement of access control policies using cryptography has received considerable attention in recent years and the security of such enforcement schemes is increasingly well understood. Recent work in the area has considered the efficient enforcement of temporal and geo-spatial access control policies, and asymptotic results for the time and space complexity of efficient enforcement schemes have been obtained. However, for practical purposes, it is useful to have explicit bounds for the complexity of enforcement schemes. In this article we consider interval-based access control policies, of which temporal and geo-spatial access control policies are special cases. We define enforcement schemes for interval-based access control policies for which it is possible, in almost all cases, to obtain exact values for the schemes' complexity, thereby subsuming a substantial body of work in the literature.", acknowledgement = ack-nhfb, articleno = "14", fjournal = "ACM Transactions on Information and System Security", } @Article{Wang:2011:CAF, author = "Tielei Wang and Tao Wei and Guofei Gu and Wei Zou", title = "Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution", journal = j-TISSEC, volume = "14", number = "2", pages = "15:1--15:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019600", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "15", fjournal = "ACM Transactions on Information and System Security", } @Article{Basin:2011:FRA, author = "David Basin and Srdjan Capkun and Patrick Schaller and Benedikt Schmidt", title = "Formal Reasoning about Physical Properties of Security Protocols", journal = j-TISSEC, volume = "14", number = "2", pages = "16:1--16:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019601", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "16", fjournal = "ACM Transactions on Information and System Security", } @Article{Crosby:2011:ADR, author = "Scott A. Crosby and Dan S. Wallach", title = "Authenticated Dictionaries: Real-World Costs and Trade-Offs", journal = j-TISSEC, volume = "14", number = "2", pages = "17:1--17:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019602", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "17", fjournal = "ACM Transactions on Information and System Security", } @Article{Appel:2011:SSV, author = "Andrew W. Appel", title = "Security Seals on Voting Machines: {A} Case Study", journal = j-TISSEC, volume = "14", number = "2", pages = "18:1--18:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019603", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "18", fjournal = "ACM Transactions on Information and System Security", } @Article{Schreuders:2011:EEU, author = "Z. Cliffe Schreuders and Tanya McGill and Christian Payne", title = "Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing {SELinux}, {AppArmor}, and {FBAC-LSM}", journal = j-TISSEC, volume = "14", number = "2", pages = "19:1--19:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019604", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "19", fjournal = "ACM Transactions on Information and System Security", } @Article{Williams:2011:POO, author = "Peter Williams and Radu Sion and Miroslava Sotakova", title = "Practical Oblivious Outsourced Storage", journal = j-TISSEC, volume = "14", number = "2", pages = "20:1--20:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019605", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "20", fjournal = "ACM Transactions on Information and System Security", } @Article{Xiang:2011:CFR, author = "Guang Xiang and Jason Hong and Carolyn P. Rose and Lorrie Cranor", title = "{CANTINA+}: {A} Feature-Rich Machine Learning Framework for Detecting Phishing {Web} Sites", journal = j-TISSEC, volume = "14", number = "2", pages = "21:1--21:??", month = sep, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2019599.2019606", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Oct 22 08:53:59 MDT 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "21", fjournal = "ACM Transactions on Information and System Security", } @Article{Joshi:2011:GES, author = "James Joshi and Barbara Carminati", title = "Guest Editorial: {SACMAT 2009} and 2010", journal = j-TISSEC, volume = "14", number = "3", pages = "22:1--22:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043622", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "22", fjournal = "ACM Transactions on Information and System Security", } @Article{Krishnan:2011:GCS, author = "Ram Krishnan and Jianwei Niu and Ravi Sandhu and William H. Winsborough", title = "{Group-Centric} Secure {Information-Sharing} Models for Isolated Groups", journal = j-TISSEC, volume = "14", number = "3", pages = "23:1--23:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043623", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Group-Centric Secure Information Sharing (g-SIS) envisions bringing users and objects together in a group to facilitate agile sharing of information brought in from external sources as well as creation of new information within the group. We expect g-SIS to be orthogonal and complementary to authorization systems deployed within participating organizations. The metaphors ``secure meeting room'' and ``subscription service'' characterize the g-SIS approach. The focus of this article is on developing the foundations of isolated g-SIS models. Groups are isolated in the sense that membership of a user or an object in a group does not affect their authorizations in other groups.", acknowledgement = ack-nhfb, articleno = "23", fjournal = "ACM Transactions on Information and System Security", } @Article{Mao:2011:CDP, author = "Ziqing Mao and Ninghui Li and Hong Chen and Xuxian Jiang", title = "Combining Discretionary Policy with Mandatory Information Flow in Operating Systems", journal = j-TISSEC, volume = "14", number = "3", pages = "24:1--24:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043624", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Discretionary Access Control (DAC) is the primary access control mechanism in today's major operating systems. It is, however, vulnerable to Trojan Horse attacks and attacks exploiting buggy software. We propose to combine the discretionary policy in DAC with the dynamic information flow techniques in MAC, therefore achieving the best of both worlds, that is, the DAC's easy-to-use discretionary policy specification and MAC's defense against threats caused by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model that implements this design philosophy. We describe our design of IFEDAC, and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model proposed earlier by us.", acknowledgement = ack-nhfb, articleno = "24", fjournal = "ACM Transactions on Information and System Security", } @Article{Leighton:2011:ACP, author = "Gregory Leighton and Denilson Barbosa", title = "Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations", journal = j-TISSEC, volume = "14", number = "3", pages = "25:1--25:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043625", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios.", acknowledgement = ack-nhfb, articleno = "25", fjournal = "ACM Transactions on Information and System Security", } @Article{Chan:2011:PCR, author = "T.-H. Hubert Chan and Elaine Shi and Dawn Song", title = "Private and Continual Release of Statistics", journal = j-TISSEC, volume = "14", number = "3", pages = "26:1--26:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043626", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We ask the question: how can Web sites and data aggregators continually release updated statistics, and meanwhile preserve each individual user's privacy? Suppose we are given a stream of 0's and 1's. We propose a differentially private continual counter that outputs at every time step the approximate number of 1's seen thus far. Our counter construction has error that is only poly-log in the number of time steps. We can extend the basic counter construction to allow Web sites to continually give top-k and hot items suggestions while preserving users' privacy.", acknowledgement = ack-nhfb, articleno = "26", fjournal = "ACM Transactions on Information and System Security", } @Article{Chan-Tin:2011:FBA, author = "Eric Chan-Tin and Victor Heorhiadi and Nicholas Hopper and Yongdae Kim", title = "The {Frog-Boiling} Attack: Limitations of Secure Network Coordinate Systems", journal = j-TISSEC, volume = "14", number = "3", pages = "27:1--27:??", month = nov, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043621.2043627", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 15 09:12:37 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "A network coordinate system assigns Euclidean ``virtual'' coordinates to every node in a network to allow easy estimation of network latency between pairs of nodes that have never contacted each other. These systems have been implemented in a variety of applications, most notably the popular Vuze BitTorrent client. Zage and Nita-Rotaru (at CCS 2007) and independently, Kaafar et al. (at SIGCOMM 2007), demonstrated that several widely-cited network coordinate systems are prone to simple attacks, and proposed mechanisms to defeat these attacks using outlier detection to filter out adversarial inputs. Kaafar et al. goes a step further and requires that a fraction of the network is trusted. More recently, Sherr et al. (at USENIX ATC 2009) proposed Veracity, a distributed reputation system to secure network coordinate systems. We describe a new attack on network coordinate systems, Frog-Boiling, that defeats all of these defenses. Thus, even a system with trusted entities is still vulnerable to attacks. Moreover, having witnesses vouch for your coordinates as in Veracity does not prevent our attack. Finally, we demonstrate empirically that the Frog-Boiling attack is more disruptive than the previously known attacks: systems that attempt to reject ``bad'' inputs by statistical means or reputation cannot be used to secure a network coordinate system.", acknowledgement = ack-nhfb, articleno = "27", fjournal = "ACM Transactions on Information and System Security", } @Article{Gorantla:2011:MKC, author = "M. C. Gorantla and Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto and Mark Manulis", title = "Modeling key compromise impersonation attacks on group key exchange protocols", journal = j-TISSEC, volume = "14", number = "4", pages = "28:1--28:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043628.2043629", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, an important security attribute called key compromise impersonation (KCI) resilience has been completely ignored for the case of GKE protocols. Informally, a protocol is said to provide KCI resilience if the compromise of the long-term secret key of a protocol participant A does not allow the adversary to impersonate an honest participant B to A. In this paper, we argue that KCI resilience for GKE protocols is at least as important as it is for 2PKE protocols.", acknowledgement = ack-nhfb, articleno = "28", fjournal = "ACM Transactions on Information and System Security", } @Article{Au:2011:PPT, author = "M. Ho Au and P. P. Tsang and A. Kapadia", title = "{PEREA}: Practical {TTP}-free revocation of repeatedly misbehaving anonymous users", journal = j-TISSEC, volume = "14", number = "4", pages = "29:1--29:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043628.2043630", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful Trusted Third Parties (TTPs) capable of deanonymizing (or linking) users' connections. Such TTPs are undesirable because users' anonymity is not guaranteed, and users must trust them to judge misbehaviors fairly. Recent schemes such as Blacklistable Anonymous Credentials (BLAC) and Enhanced Privacy ID (EPID) support ``privacy-enhanced revocation''--- servers can revoke misbehaving users without a TTP's involvement, and without learning the revoked users' identities. In BLAC and EPID, however, the computation required for authentication at the server is linear in the size (L) of the revocation list, which is impractical as the size approaches thousands of entries.", acknowledgement = ack-nhfb, articleno = "29", fjournal = "ACM Transactions on Information and System Security", } @Article{Li:2011:TRP, author = "Yingjiu Li and Robert H. Deng and Junzuo Lai and Changshe Ma", title = "On two {RFID} privacy notions and their relations", journal = j-TISSEC, volume = "14", number = "4", pages = "30:1--30:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043628.2043631", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Privacy of RFID systems is receiving increasing attention in the RFID community. Basically, there are two kinds of RFID privacy notions in the literature: one based on the indistinguishability of two tags, denoted as ind-privacy, and the other based on the unpredictability of the output of an RFID protocol, denoted as unp-privacy. In this article, we first revisit the existing unpredictability-based RFID privacy models and point out their limitations. We then propose a new RFID privacy model, denoted as unp*-privacy, based on the indistinguishability of a real tag and a virtual tag. We formally clarify its relationship with the ind-privacy model.", acknowledgement = ack-nhfb, articleno = "30", fjournal = "ACM Transactions on Information and System Security", } @Article{Burkhart:2011:PPD, author = "Martin Burkhart and Xenofontas Dimitropoulos", title = "Privacy-preserving distributed network troubleshooting---bridging the gap between theory and practice", journal = j-TISSEC, volume = "14", number = "4", pages = "31:1--31:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043628.2043632", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Today, there is a fundamental imbalance in cybersecurity. While attackers act more and more globally and coordinated, network defense is limited to examine local information only due to privacy concerns. To overcome this privacy barrier, we use secure multiparty computation (MPC) for the problem of aggregating network data from multiple domains. We first optimize MPC comparison operations for processing high volume data in near real-time by not enforcing protocols to run in a constant number of synchronization rounds. We then implement a complete set of basic MPC primitives in the SEPIA library. For parallel invocations, SEPIA's basic operations are between 35 and several hundred times faster than those of comparable MPC frameworks.", acknowledgement = ack-nhfb, articleno = "31", fjournal = "ACM Transactions on Information and System Security", } @Article{Bethea:2011:SSV, author = "Darrell Bethea and Robert A. Cochran and Michael K. Reiter", title = "Server-side verification of client behavior in online games", journal = j-TISSEC, volume = "14", number = "4", pages = "32:1--32:??", month = dec, year = "2011", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2043628.2043633", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Thu Dec 22 18:15:07 MST 2011", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "Online gaming is a lucrative and growing industry but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenue). In this paper we develop a technique by which game developers can enable game operators to validate the behavior of game clients as being consistent with valid execution of the sanctioned client software. Our technique employs symbolic execution of the client software to extract constraints on client-side state implied by each client-to-server message, and then uses constraint solving to determine whether the sequence of client-to-server messages can be ``explained'' by any possible user inputs, in light of the server-to-client messages already received.", acknowledgement = ack-nhfb, articleno = "32", fjournal = "ACM Transactions on Information and System Security", } @Article{Syverson:2012:GES, author = "Paul Syverson and Somesh Jha", title = "Guest Editorial: Special Issue on Computer and Communications Security", journal = j-TISSEC, volume = "15", number = "1", pages = "1:1--1:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2133375.2133376", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", acknowledgement = ack-nhfb, articleno = "1", fjournal = "ACM Transactions on Information and System Security", } @Article{Roemer:2012:ROP, author = "Ryan Roemer and Erik Buchanan and Hovav Shacham and Stefan Savage", title = "Return-Oriented Programming: Systems, Languages, and Applications", journal = j-TISSEC, volume = "15", number = "1", pages = "2:1--2:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2133375.2133377", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We introduce return-oriented programming, a technique by which an attacker can induce arbitrary behavior in a program whose control flow he has diverted, without injecting any code. A return-oriented program chains together short instruction sequences already present in a program's address space, each of which ends in a ``return'' instruction. Return-oriented programming defeats the W[??_0xe2_??][??_0x8a_??][??_0x95_??]X protections recently deployed by Microsoft, Intel, and AMD; in this context, it can be seen as a generalization of traditional return-into-libc attacks. But the threat is more general. Return-oriented programming is readily exploitable on multiple architectures and systems. It also bypasses an entire category of security measures---those that seek to prevent malicious computation by preventing the execution of malicious code. To demonstrate the wide applicability of return-oriented programming, we construct a Turing-complete set of building blocks called gadgets using the standard C libraries of two very different architectures: Linux/x86 and Solaris/SPARC. To demonstrate the power of return-oriented programming, we present a high-level, general-purpose language for describing return-oriented exploits and a compiler that translates it to gadgets.", acknowledgement = ack-nhfb, articleno = "2", fjournal = "ACM Transactions on Information and System Security", } @Article{Bhargavan:2012:VCI, author = "Karthikeyan Bhargavan and C{\'e}dric Fournet and Ricardo Corin and Eugen Zalinescu", title = "Verified Cryptographic Implementations for {TLS}", journal = j-TISSEC, volume = "15", number = "1", pages = "3:1--3:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2133375.2133378", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We make use of the same executable code for interoperability testing against mainstream implementations for automated symbolic cryptographic verification and automated computational cryptographic verification. We rely on a combination of recent tools and also develop a new tool for extracting computational models from executable code. We obtain strong security guarantees for TLS as used in typical deployments.", acknowledgement = ack-nhfb, articleno = "3", fjournal = "ACM Transactions on Information and System Security", } @Article{Camenisch:2012:EAA, author = "Jan Camenisch and Thomas Gro{\ss}", title = "Efficient Attributes for Anonymous Credentials", journal = j-TISSEC, volume = "15", number = "1", pages = "4:1--4:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2133375.2133379", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We extend the Camenisch-Lysyanskaya anonymous credential system such that selective disclosure of attributes becomes highly efficient. The resulting system significantly improves upon existing approaches, which suffer from a linear number of modular exponentiations in the total number of attributes. This limitation makes them unfit for many practical applications, such as electronic identity cards. Our novel approach can incorporate a large number of binary and finite-set attributes without significant performance impact. It compresses all such attributes into a single attribute base and, thus, boosts the efficiency of all proofs of possession. The core idea is to encode discrete binary and finite-set values as prime numbers. We then use the divisibility property for efficient proofs of their presence or absence. In addition, we contribute efficient methods for conjunctions and disjunctions. The system builds on the strong RSA assumption. We demonstrate the aptness of our method in realistic application scenarios, notably electronic identity cards, and show its advantages for small devices, such as smartcards and cell phones.", acknowledgement = ack-nhfb, articleno = "4", fjournal = "ACM Transactions on Information and System Security", } @Article{Mittal:2012:ILS, author = "Prateek Mittal and Nikita Borisov", title = "Information Leaks in Structured Peer-to-Peer Anonymous Communication Systems", journal = j-TISSEC, volume = "15", number = "1", pages = "5:1--5:??", month = mar, year = "2012", CODEN = "ATISBQ", DOI = "http://dx.doi.org/10.1145/2133375.2133380", ISSN = "1094-9224 (print), 1557-7406 (electronic)", ISSN-L = "1094-9224", bibdate = "Sat Mar 24 09:45:43 MDT 2012", bibsource = "http://portal.acm.org/; http://www.math.utah.edu/pub/tex/bib/tissec.bib", abstract = "We analyze information leaks in the lookup mechanisms of structured peer-to-peer (P2P) anonymous communication systems and how these leaks can be used to compromise anonymity. We show that the techniques used to combat active attacks on the lookup mechanism dramatically increase information leaks and the efficacy of passive attacks, resulting in a tradeoff between robustness to active and passive attacks. We study this tradeoff in two P2P anonymous systems: Salsa and AP3. In both cases, we find that, by combining both passive and active attacks, anonymity can be compromised much more effectively than previously thought, rendering these systems insecure for most proposed uses. Our results hold even if security parameters are changed or other improvements to the systems are considered. Our study, therefore, shows the importance of considering these attacks in P2P anonymous communication.", acknowledgement = ack-nhfb, articleno = "5", fjournal = "ACM Transactions on Information and System Security", }