The Community for Technology Leaders
RSS Icon
Issue No.01 - January/February (2011 vol.9)
pp: 31-39
Timothy Levin , Naval Postgraduate School
The construction of a complex secure system composed from individual secure components presents a variety of challenges to the designer. The authors leverage experiences from 50 years in the security R&D community and from the first-hand experience of building several high-assurance (EAL7) systems to shed light on various high-trust security engineering challenges, including those related to secure architecture, secure implementation, and trustworthy development. The authors use an example system lessons learned. The Encryption-box Security System is a trusted hardware foundation that includes hosts, called arbitrary application processors, a trusted network security controller that defines a security policy over network communications, and a trusted encryption gateway. This system of distributed components results in a comprehensive network security architecture. The authors also describe key concepts for security analysis in complex distributed systems, including the security perimeter, the allocation of policies to specific components, and the security policy domain.
Protection mechanisms, software engineering, software architectures, formal methods, access controls, security and privacy protection, operating systems
Clark Weissman, Timothy Levin, "Lessons Learned from Building a High-Assurance Crypto Gateway", IEEE Security & Privacy, vol.9, no. 1, pp. 31-39, January/February 2011, doi:10.1109/MSP.2010.201
1. C. Weissman, "MLS-PCA: A High Assurance Security Architecture for Future Avionics," Proc. 19th Annual Computer Security Applications Conf. (ACSAC), ACM Press, 2003, p. 2;
2. J. Rushby and B. Randell, "A Distributed Secure System," Computer, July 1983, pp. 55–67.
3. Controlled Access Program Coordination Office (CAPCO), "Authorized Classification and Control Markings Register," vol. 1, Director of Nat'l Intelligence (DNI) Special Security Center (SSC), May 2008.
4. B. Hashii, "Lessons Learned Using ALLOY to Formally Specify MLS-PCA Trusted Security Architecture," Proc. ACM Workshop Formal Methods, ACM Press, 2004, pp. 86–95.
5. D.E. Bell and L. LaPadula, "Secure Computer System: Unified Exposition and Multics Interpretation," tech. report ESD-TR-75-306, MITRE Corp., 1975.
6. US Dept. Defense, "Trusted Computer Systems Evaluation Criteria," (Orange Book) 5200. 28-STD, US Nat'l Computer Security Center, Dec. 1985.
7. C. Weissman, "BLACKER: Security for the DDN: Examples of A1 Security Engineering Trades," Proc. IEEE Symp. Security and Privacy, IEEE CS Press, 1992, p. 286.
8. M.H. Kang and I.S. Moskowitz, "A Pump for Rapid, Reliable, Secure Communication," Proc. 1st ACM Conf. Computer and Communications Security, V. Ashby ed., ACM Press, 1993, pp. 119–129.
9. P. Wolfowitz, "Global Information Grid (GIG) Overarching Policy," directive number 8100. 1, US Dept. Defense, Sept. 2002.
10. A. van Lamsweerde, "Formal Specification: A Roadmap," Proc. Conf. Future of Software Eng. (ICSE 00), ACM Press, 2000, pp. 147–159.
11. M. Kaufmann, P. Manolios, and J. Moore, Computer-Aided Reasoning: An Approach, Kluwer Academic, 2000.
12. J. Rushby, "Formal Methods and Their Role in the Certification of Critical Systems," tech. report security level-95-1, SRI Int'l, Mar. 1995;
16 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool