National Information Systems Security Conference
National Institute of Standards and Technology
National Computer Security Center
October 22-25, 1996
Baltimore Convention Center
Baltimore, MD
Volume 2


Use of the Zachman Architecture for Security Engineering  398
  Ronda Henning, Harris Corporation

Developing Secure Objects  410
  Deborah Frincke, University of Idaho

Deriving Security Requirements for Applications on Trusted Systems  420
  Raymond Spencer, Secure Computing Corporation

Security Implications of the Choice of Distributed Database Management System Model: Relational vs. Object-Oriented  428
  Stephen Coy, University of Maryland

Management Model for the Federal Public Key Infrastructure  438
  Noel A. Nazario, William E. Burr, W. Timothy Polk, National Institute of Standards and Technology

Security Policies for the Federal Public Key Infrastructure  445
  Noel A. Nazario, National Institute of Standards and Technology

A Proposed Federal PKI using X.509 V3 Certificates  452
  William E. Burr, Noel A. Nazario, W. Timothy Polk, National Institute of Standards and Technology

A Security Flaw in the X.509 Standard  463
  Santosh Chokhani, CygnaCom Solutions, Inc.

Solutions Track H

Computer Virus Response Using Autonomous Agent Technology  471
  Christine M. Trently, Mitretek Systems

Security Across the Curriculum: Using Computer Security to Teach Computer Science Principles  483
  Major Gregory White, Ph.D., Captain Gregory Nordstrom (ret), USAF Academy

U.S. Government Wide Incident Response Capability  489
  Marianne Swanson, National Institute of Standards and Technology

MLS DBMS Interoperability Study  495
  Rae K. Burns, AGCS, Inc.
  Yi-Fang Koh, Raytheon Electronic Systems

MISSI Compliance for Commercial-Off-The-Shelf Firewalls  505
  Michael Hale, Tammy Mannarino, National Security Agency

Designing & Operating a Multilevel Security Network Using Standard Commercial Products  515
  Richard A. Griffith, Mac E. McGregor, Air Force C4 Technology Validation Office

Real World Anti-Virus Product Reviews and Evaluations - The Current State of Affairs  526
  Sarah Gordon, Richard Ford, Command Systems, Inc.

Security Proof of Concept Keystone (SPOCK)  539
  James McGehee, COACT, Inc.


Use of a Taxonomy of Security Faults  551
  Taimur Aslam, Ivan Krsul, Eugene H. Spafford, Purdue University

Protecting Collaboration  561
  Gio Wiederhold, Michel Bilello, Stanford University
  Vatsala Sarathy, Oracle Corp.
  XiaoLei Qian, SRI International

Design and Management of a Secure Networked Administration System: A Practical Solution  570
  Vijay Varadharajan, University of Western Sydney, Australia

Information Warfare, INFOSEC and Dynamic Information Defense  581
  J.R. Winkler, C.J. O'Shea, M.C. Stokrp, PRC Inc.

Security for Mobile Agents: Issues and Requirements  591
  William M. Farmer, Joshua D. Guttman, Vipin Swarup, The MITRE Corporation

Extended Capability: A Simple Way to Enforce Complex Security Policies in Distributed Systems  598
  I-Lung Kao, IBM Corporation
  Randy Chow, University of Florida

IGOR: The Intelligence Guard for ONI Replication  607
  R.W. Shore, The ISX Corporation

Invited Papers

Management & Administration Track F

Ethical and Responsible Behavior for Children to Senior Citizens in the Information Age  620
  Gale S. Warshawsky, International Community Interconnected Computing eXchange

Legal Perspectives Track E

Privacy Rights in a Digital Age  630
  William Galkin, Esq., Law Office of William S. Galkin

Panels

Criteria & Assurance Track A

Trust Technology Assessment Program  643
Chair: Tom Anderson, National Security Agency
Panelists:
  Pat Toth, National Institute of Standards and Technology


Alternative Assurance: There's Gotta Be a Better Way!  644
Chair: Douglas J. Landoll, Arca Systems, Inc.
Panelists:
  John J. Adams, National Security Agency
  TBD, WITAT System Analysis & Operational Assurance Subgroup Chair
  M. Abrams, The MITRE Organization, WITAT Impact Mitigation Subgroup Chair
  TBD, WITAT Determining Assurance Mix Subgroup Chair

Certification and Accreditation - Processes and Lessons Learned  646
Chair: Jack Eller, DISA, CISS (ISBEQ)
Viewpoints:
  The Certification and Accreditation Process Handbook For Certifiers  647
    Paul Wisniewski, National Security Agency
  Standards in Certification and Accreditation  648
    Candice Stark, Computer Science Corporation
  The Certification of the Interim Key Escrow System  652
    Ray Snouffer, National Institute of Standards and Technology
  Lessons Learned From Application of the Department of Defense Information Technology Security Certification and Accreditation  653
    Barry C. Stauffer, CORBETT Technologies, Inc.

Firewall Testing and Rating  655
Chair: J. Wack, National Institute of Standards and Technology

The Trusted Product Evaluation Program: Direction for the Future  656
Chair: J. Pedersen, National Security Agency

Common Criteria Project Implementation Status  657
Chair: E. Troy, National Institute of Standards and Technology
Panelists:
  Lynne Ambuel, National Security Agency
  Murray Donaldson, Communications-Electronics Security Group, UK
  Robert Harland, Communications Security Establishment, Canada
  Klaus Keus, BSI/GISA, Germany
  Frank Mulder, Netherlands National Communications Security Agency
  Jonathan Smith, Gamma Secure Systems, UK

Developmental Assurance and the Common Criteria  660
Chair: M. Schauken, National Security Agency
Panelists:
  S. Katzke, National Institute of Standards and Technology
  E. Troy, National Institute of Standards and Technology
  K. Keus, BSI/GISA, Germany
  Y. Klein, SCSSI, France


Secure Networking and Assurance Technologies  661
Chair: T. Lunt, Defense Advanced Research Projects Agency (DARPA)
Panelists:
  K. Levitt, University of California, Davis
  S. Kent, BBN
Viewpoints:
  Secure Mobile Networks  663
    J. McHugh, Portland State University
  Adaptable Dependable Wrappers  666
    D. Weber, Key Software
  Generic Software Wrappers for Security and Reliability  667
    L. Badger, Trusted Information Systems, Inc.
  Defining an Adaptive Software Security Metric From A Dynamic Software Fault-Tolerance Measure  669
    J. Voas, Reliable Software Technologies

Electronic Commerce Track B

Using Security to Meet Business Needs: An Integrated View From The United Kingdom  677
Chair: Alex McIntosh, PC Security, Ltd.
Viewpoints:
  Dr. David Brewer, Gamma Secure Systems, Ltd.  679
  Nigel Hickson, Department of Trade & Industry  682
  Denis Anderton, Barclays Bank PLC  684
  Dr. James Hodsdon, CESG  685
  Michael Stubbings, Government Communications Headquarters, UK  686

Security APIs: CAPIs and Beyond  687
Chair: Amy Reiss, National Security Agency
Panelists:
  John Centafont, National Security Agency
  TBD, Microsoft
  Lawrence Dobranski, Canadian Communications Security Establishment, Canada
  David Balenson, Trusted Information Systems, Inc.

Are Cryptosystems Really Unbreakable?  691
Chair: Dorothy E. Denning, Georgetown University
Panelists:
  Steven M. Bellovin, AT&T Research
  Paul Kocher, Independent Cryptography Consultant
  Eric Thompson, AccessData Corporation
Viewpoints:
  The Mathematical Primitives: Are They Really Secure?  692
    Arjen K. Lenstra, Citibank


In Depth Track C

Best of the New Security Paradigms Workshop  693
Chair: T. Haigh, Secure Computing Corporation
Viewpoints:
  New Paradigms for Internetwork Security  693
    J. T. Haigh, Secure Computing Corporation
  The Emperor's Old Armor  694
    R. Blakley, International Business Machines
  Position Statement for New Paradigms Internetwork Security Panel  698
    S. Greenwald, Naval Research Laboratory
  Reactive Security and Social Control  701
    S. Janson, Swedish Institute of Computer Science, Sweden
  NISS Whitepaper: A New Model of Security for Distributed Systems  704
    W. Wulf, University of Virginia

Series: Public Key Infrastructure: From Theory to Implementation  707

Public Key Infrastructure Technology
Chair: D. Dodson, National Institute of Standards and Technology
Panelists:
  R. Housley, Spyrus
  C. Martin, Government Accounting Office
  W. Polk, National Institute of Standards and Technology
  S. Chokhani, Cygnacom Solutions, Inc.
  V. Hampel, Hampel Consulting

Public Key Infrastructure Implementations
Chair: W. Polk, National Institute of Standards and Technology
Panelists:
  P. Edfors, Government Information Technology Services (GITS) Working Group
  D. Heckman, National Security Agency
  D. Dodson, National Institute of Standards and Technology
  J. Galvin, CommerceNet
  W. Redden, Communications Security Establishment

Establishing an Enterprise Virus Response Program  709
  Christine Trently, Mitretek Systems

Data Warehousing I  711
Chair: John Campbell, National Security Agency
Panelists:
  Jesse C. Worthington, Informix Software, Inc.
Viewpoints:
  Data Warehousing, Data Mining, and Security: Developments and Challenges  711
    Dr. Bhavani Thuraisingham, The MITRE Corporation
  Data Warehousing, Data Mining, and the Security Issues  716
    Dr. John Campbell, National Security Agency

Data Warehousing II: The Technology  717
Chair: John Davis, NCSC
Panelists:
  Dr. Bhavani Thuraisingham, The MITRE Corporation
  Dr. John Campbell, National Security Agency


Internet Track D

Introduction to Infowarfare Terminology  718
  Francis Bondoc, Klein & Stump

Information Warfare: Real Threats, Definition Changes, and Science Fiction  725
Chair: Wayne Madsen, Computer Sciences Corporation
Panelists:
  Martin Hill, Office of the Assistant Secretary of Defense C3I/Information Warfare
  Frederick G. Tompkins, Matthew Devost, Science Applications International Corporation
  Scott Shane, The Baltimore Sun
  John Stanton, Journal of Technology Transfer

Security in World Wide Web Browsers: More than Visa cards?  737
Chair: R. Dobry, National Security Agency
Panelists:
  C. Kolcun, Microsoft
  B. Atkins, National Security Agency
  K. Rowe, NCSA

Attack/Defense  738
Chair: J. David, The Fortress
Panelists:
  S. Bellovin, AT&T
  W. Cheswick, AT&T
  P. Peterson, Martin Marietta
  M. Ranum, V-One

The Web Series  739
  I. The Web - What is it, Why/How is it Vulnerable
  II. Securing the Web
Chair: J. David, The Fortress
Speakers:
  J. Freivald, Charter Systems, Inc.
  P. Peterson, Martin Marietta
  D. Dean, Princeton University

Legal Perspectives Track E

Electronic Data: Privacy, Security, Confidentiality Issues  740
Chair: Kristin R. Blair, Esq., Duvall, Harrington, Hale and Hassan
Viewpoints:
  Virginia Computer Crime Law  741
    The Honorable Leslie M. Alden, Judge, Fairfax County Circuit Court
  Electronic Data: Privacy, Security and Confidentiality  749
    Ronald J. Palenski, Esq., Gordon and Glickson, P.C.
    Steve A. Mandell, Esq., The Mandell Law Firm


Monitoring Your Employees: How Much Can You Do And What Should You Do When You Uncover Wrongdoing?  800
  Steven W. Ray, Esq., Kruchko & Fries

Computer Crime on the Internet - Sources and Methods  817
Chair: Christine Axsmith, Esq., The Orkand Corporation
Panelists:
  Special Agent Mark Pollitt, Federal Bureau of Investigation
  Phil Reitinger, Esq., Department of Justice
  Barbara Fraser, CERT, Carnegie Mellon University

Legal Liability for Information System Security Compliance Failures: New Recipes for Electronic Sachertorte Algorithms  818
Chair: Fred Chris Smith, Esq., Private Practice, Santa Fe, New Mexico
Panelists:
  John Montjoy Sr., BBN Corporation
  Edward Tenner, Princeton University
  David J. Loundy, Esq., Private Practice, Highland Park, Illinois

V-Chip: Policies and Technology  822
Chair: Hilary Hosmer, Data Security, Inc.
Panelists:
  D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR
  Dr. D. Brody, MD, American Academy of Child and Adolescent Psychiatry
  Ms. S. Goering, Esq., American Civil Liberties Union
  W. Diffie, Sun Microsystems

Protecting Medical Records and Health Information  824
Chair: Joan D. Winston, Trusted Information Systems, Inc.
Panelists:
  Gail Belles, VA Medical Information Security Service
  Bill Braithwaite, US Department of Health and Human Services
  Paula J. Bruening, Information Policy Consultant
  Patricia Taylor, US General Accounting Office

Crimes in Cyberspace: Case Studies  827
Chair: William S. Galkin, Esq., Law Office of William S. Galkin
Panelists:
  Arnold M. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen
  Kenneth C. Bass, III, Venable, Baetjer, Howard & Civiletti


Management & Administration Track F

Current Challenges in Computer Security Program Management  828
Chair: Mark Wilson, National Institute of Standards and Technology
Panelists:
  Lynn McNulty, McNulty and Associates
  Paul M. Connelly, White House Communications Agency
  Ann F. Miller, Fleet and Industrial Supply Center
  Barbara Guttman, National Institute of Standards and Technology

Achieving Vulnerability Data Sharing  830
Chair: Lisa J. Carnahan, National Institute of Standards and Technology
Panelists:
  Matt Bishop, University of California, Davis
  James Ellis, CERT/Coordination Center, Carnegie Mellon University
  Ivan Krsul, COAST Laboratory, Purdue University

Incident Handling Policy, Procedures, and Tools  831
Chair: Marianne Swanson, National Institute of Standards and Technology
Panelists:
  Kelly Cooper, BBN Planet
  Thomas Longstaff, Computer Emergency Response Team/Coordination Center
  Peter Richards, Westinghouse Savannah River Company
  Ken van Wyk, Science Applications International Corporation

Interdisciplinary Perspectives on Information Security: Mandatory Reporting  833
Chair: M.E. Kabay, Ph.D., National Computer Security Association
Panelists:
  Bruce Butterworth, Federal Aviation Administration
  Barbara Smith Jacobs, Securities and Exchange Commission
  Bob Whitmore, Occupational Health and Safety Administration
  Dr. Scott Wetterhall, Centers for Disease Control and Prevention

International Perspectives on Cryptography Policy  835
Chair: Dorothy E. Denning, Georgetown University
Panelists:
  Peter Ford, Attorney General's Department, Australia
  David Herson, Commission of the European Communities, Belgium
Viewpoint:
  International Perspectives on Cryptography Policy: A UK Perspective  836
    Nigel Hickson, Department of Trade and Industry, UK

Security Protocols/Protocol Security  838
Chair: D. Maughan, National Security Agency


Surviving the Year 2000 Time Bomb  839
  Grace L. Hammonds, AGCS, Inc.
Panelists:
  James W. White, National Director of the Millennium Solutions Center, OAO Corporation
  Andrew Hodyke, United States Air Force, ESC/AXS

Research & Development Track G

Database Systems Today: Safe Information at My Fingertips?  842
Chair: John R. Campbell, National Security Agency
Panelists:
  Tim Ehrsam, Oracle
  Dick O'Brien, Secure Computing Corporation
  Thomas Parenty, Sybase Corporation
  LTC Ken Pointdexter, DISA
  Satpal S. Sahni, 3 S Group Incorporated

Webware: Nightmare or Dream Come True?  844
Chair: Peter G. Neumann, SRI International
Viewpoints:
  Java - Threat or Menace?  845
    Steve Bellovin, AT&T Research
  Language-based Protection: Why? Why Now?  846
    Ed Felten, Drew Dean, Dan S. Wallach, Princeton University
  Untrusted Applications Need Trusted Operating Systems  847
    Paul Karger, International Business Machines
  Webware: Widely Distributed Computation Coming of Age  849
    James A. Roskind, Netscape Communications Corporation

Secure Systems and Access Control  851
Chair: T. Lunt, Defense Advanced Research Projects Agency (DARPA)
Viewpoints:
  Domain and Type Enforcement Firewalls  852
    D. Sterne, Trusted Information Systems, Inc.
  Task-based Authorization: A Research Project in Next-generation Active Security Models  854
    R. Thomas, ORA
  User-centered Security and Adage  855
    M. Zurko, OSF
  Encapsulated Environments Using the Flux Operating System  857
    J. Lepreau, University of Utah

Facing the Challenge: Secure Network Technology for the 21st Century  867
Chair: R. Schaeffer, National Security Agency
Panelists:
  R. Meushaw, National Security Agency
  C. McBride, National Security Agency
  D. Muzzy, National Security Agency
  B. Burnham, National Security Agency


Toward a Common Framework for Role-Based Access Control  868
Chair: David Ferraiolo, National Institute of Standards and Technology
Panelists:
  Dr. Ravi Sandhu, George Mason University
  Dr. Virgil Gligor, University of Maryland
  Rick Kuhn, National Institute of Standards and Technology
  Thomas Parenty, Sybase

Solutions Track H

MISSI Security Management Infrastructure: The Certificate Management Infrastructure: Now and In the Next Year  871
Chair: A. Arsenault, National Security Agency
Panelists:
  D. Heckman, National Security Agency
  S. Capps, National Security Agency
  S. Hunt, National Security Agency

Future of Trust in Commercial Operating Systems  872
Chair: T. Inskeep, National Security Agency
Panelists:
  K. Moss, Microsoft
  J. Alexander, Sun Microsystems
  J. Spencer, Data General
  M. Branstad, Trusted Information Systems, Inc.
  G. Liddle, Hewlett Packard

Vendors' Experience with Security Evaluations  873
Chair: Jeff DeMello, Oracle Corporation
Panelist:
  Janice Caywood, Digital Equipment Corporation
Viewpoints:
  Duncan Harris, Oracle Corporation  874
  Ken Moss, Microsoft Corporation  876
  Ian Prickett, Sun Microsystems  877

Workshop Report on the Role of Optical Systems and Devices for Security  879
Chair: Terry Mayfield, Institute for Defense Analyses
Panelist:
  Mark Krawczewicz, National Security Agency
Viewpoints:
  Security Issues For All-Optical Networks  882
    Muriel Medard, MIT Lincoln Laboratory
  Security for All-Optical Networks  883
    Jeff Ingles, Scott McNown, National Security Agency


Optical Processing Systems for Encryption, Security Verification, and Anticounterfeiting  886
  Bahram Javidi, University of Connecticut

Closing Plenary Session

Information Systems Security: Directions and Challenges
Chair: Dr. Willis H. Ware, Corporate Research Staff, Emeritus, The Rand Corporation
Panelists:
  J. F. Mergan, BBN
  Stephen Smaha, Haystack Labs
  Charles Stuckey, Security Dynamics
Viewpoints:
  Information Security Challenges in the Financial Services Industry  889
    C. Thomas Cook, Banc One Services Corporation
  Information Systems Auditing Requirements  890
    John W. Lainhart IV, Inspector General, U.S. House of Representatives
Viewpoint:
  Willis Ware, The Rand Corporation  895

The Next Generation of Cybercriminals  896
Chair: Mark Gembicki, WarRoom Research, LLC
Panelists:
  Jim Christy, Air Force Office of Special Investigations
  Bill Perez, Federal Bureau of Investigation
  Doug Waller, Time Magazine