CSFactForum.html
Posted Oct 1, 1999

Foresight Computer Security Fact Forum. Discussion of the Java Security Model.

tags | paper, java
MD5 | cd9194ae0e70a27de70846cb31589e4b

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Author" CONTENT="Chris Peterson">
<META NAME="GENERATOR" CONTENT="Mozilla/4.03 [en] (X11; I; Linux 2.0.30 i586) [Netscape]">
<TITLE>Foresight Computer Security Fact Forum</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">

<H3>
<IMG SRC="foresight.med.gif" ALIGN=BOTTOM>Computer Security Fact Forum</H3>

<CENTER>
<HR></CENTER>


<P>The Foresight Computer Security Fact Forum is a critical discussion
of issues in computer security.&nbsp; This discussion is intended to cover
several competing protection models, including capabilities, access control
lists (ACLs), and the Java security model.

<P>The Fact Forum uses a new web tool, the <A HREF="http://crit.org/">Crit
Mediator</A>, to enable fine-grained, bidirectional, typed links to be
made among documents by those other than each document's author. This annotation
ability is expected to greatly <A HREF="http://www.foresight.org/WebEnhance/HPEK4.html">enhance
the effectiveness of debating</A> complex topics using the web. The mediator
enables you to add comments to the papers and discussions here, and to
see comments made by others.

<P>If you are not already seeing this page through the mediator, click
<A HREF="http://crit.org/http://crit.org/~foresight/CSFactForum.html">here</A>
or go to <A HREF="http://crit.org">http://crit.org</A> and type the URL
of this page into the mediator's text box. The mediator is not limited
to the computer security forum. It can be used to annotate any web page.

<P>
The discussion has been seeded with documents representing various
views from invited experts. For the moment, it is organized in three
parts:
<UL>
<LI>
What are the competing models of protection?</LI>

<LI>
What problems must these models address?&nbsp; This list will expand over
time.</LI>

<LI>
What solutions are already known to exist, or have emerged from the discussion
to date?</LI>
</UL>
If you are new to the discussion, you may find it useful to read a
background document on the <A
HREF="http://www.caplet.com/security/taxonomy/">framework of
concepts</A> underlying this Fact Forum before launching into active
debate. Another useful overview is <a
href="http://www.ce.chalmers.se/~ulfl/webmdemo/wmwork/www/security_122_1.html"><em>A
Structured Approach to Computer Security</em></a> by Tomas Olovsson.
<P>Once oriented, participants are encouraged to mark up the seed
documents and add new material. <h1>General Background</h1>
<ul>
<p>
The venerable <A
HREF="http://www.disa.mil/MLS/info/orange/">Orange Book</A>,
describing evaluation criteria for military-grade security.
<p>
A <A
HREF="http://www.securityinfo.com/glossary.html">Glossary</A>
of computer security terminology may be found here.
</ul>
<p>
<H1> Models of Protection</H1>
<p>
The current discussion addresses three models of protection:
capabilities, access control lists, and the Java security model. In
all cases, the views expressed are those of the author only unless
explicitly stated otherwise:
<p>
<UL>
<h2>Capabilities</h2>
<ul>
Introductory notes:
<br><br>
<ul>
<A
HREF="http://www.eros-os.org/essays/capintro.html">What
<em>Is</em> a Capability, Anyway?</a> by <a
href="http://www.cis.upenn.edu/~shap"><b>Jonathan
S. Shapiro</b></a>.
<ul>
<br>
This note provides a very introductory view of
capabilities for those who have not encountered them before.
<p>
Jonathan is the architect of <a
href="http://www.eros-os.org">EROS</a>, a
high-performance capability system that runs on x86 machines.
He has recently completed his Ph.D. at the University of
Pennsylvania.
</ul>
<P>
<A
HREF="http://www.communities.com/company/papers/security">Introduction
to Capability Based Security</A> by <b>Marc Stiegler</b>.
<ul>
<br> <a href="http://www.communities.com">Electric
Communities</a> is building a secure persistent distributed
object system on which they are building networked social
virtual realities. Here, their VP of engineering explains
capabilities and other security matters.
</ul>
<p>
An <A
HREF="http://crit.org/~peterson/ComputerSecurity.html">over-simplified
explanation</A> of capabilities by <a
href="http://www.foresight.org/FI/Peterson.html"><b>Chris
Peterson</b></a>.
<ul>
<br> Provides a different take on the concept for
non-computer scientists. Among other things, this note
describes the types of problems capabilities can be used to
solve.
</ul>
</ul>
<p>
More Advanced Documents:
<ul>
<P>
<A HREF="http://www.mediacity.com/~norm/CapTheory/">Capability
Theory by Sound Bytes</A> by <a
href="http://www.mediacity.com/~norm"><b>Norm Hardy</b></a>.
<ul>
<br>
A series of mind-sized micro-essays explaining the power of
capabilities and providing various illustrative tales.
<p>
Norm is the chief architect of the <a
href="http://www.cis.upenn.edu/~KeyKOS">KeyKOS</a> secure
persistent operating system.
</ul>
</ul>
<p>
Critiques:
<ul>
<br>
<A HREF="http://www.mediacity.com/~norm/CapTheory/ProtInf/">The
Protection of Information in Computer Systems</A> by
<b>Saltzer and Schroeder</b>.
<ul>
<BR>
This classic paper is still the best critique of the
capability security model.
</ul>
</ul>
<p>
Other Contributions:
<ul>
<P><B>Ka-Ping Yee's</b> <A
HREF="http://crit.org/~ping/alert/index.html">Security
Alert</A>
<ul>
<BR>Microsoft and Netscape have lately been abusing the term
"capability-based security". Here is Ping's challenge to them,
signed by capability advocates and posted to RISKs Digest.
<p>
Ping is the author of the Crit Mediator. Until recently at Xerox
PARC, Ping has now returned to University of Waterloo.
</ul>
</ul>

</ul>

<h2>Access Control Lists</h2>
<ul>
<p>We are actively seeking both introductory and in-depth
documents on access control lists.
</ul>

<h2>The Java Model (Stack Introspection)</h2>
<ul>
Overview:
<ul>
<P><A
HREF="http://swissnet.ai.mit.edu/~jbank/javapaper/javapaper.html">Java
Security</A> by <a href="mailto:jbank@mit.edu"><b>Joseph
A. Bank</b></a>
<ul>
<br>An excellent overview of the issues and techniques used in
Java implementations to provide security.
</ul>
</ul>
<p>
Essential Reading:
<ul>
<P><A
HREF="http://java.sun.com/javaone/sessions/slides/TT03/index.html">Slides
from JavaOne</A> by <b>Li Gong</B>
<ul>
<br>Li is the security chief at JavaSoft.
</ul>
<p>
<A HREF="http://www.cs.princeton.edu/sip/pub/sosp97/paper.html">
Extensible
Security Architectures for Java</A>
by <b>Dan Wallach</b>.
<ul>
<BR>Dan and colleagues at Princeton explain various Java security matters,
including a consideration of capabilities vs ACLs. Non-HTML
formats for this paper can be found
<a href="http://www.cs.princeton.edu/sip/pub/sosp97.html">here</a>.
<p>
Now at Netscape, Dan will soon return to Princeton.
</ul>
</ul>
<p>
Specifications:
<ul>
<P><A
HREF="http://www.javasoft.com/docs/books/vmspec/index.html">The
Java Virtual Machine Specification</a>.
by <b>Tim Lindholm and Frank Yellin</b>.
<ul>We referenced this page because it includes the copyright
notice. Take note of the link labeled "View HTML" toward the
bottom of the page.
</ul>
<p>
Other Perspectives:
<ul>
<p>
Microsoft's <A HREF="http://www.microsoft.com/ie/ie40/features/ie-security.htm">Introducing
a Common Sense Approach to Security</A> and <A HREF="http://www.microsoft.com/java/security/default.htm">Trust-Based
Security for Java</A>
<p>
Netscape's main <A HREF="http://www.netscape.com/assist/security/index.html">Security
page</A>, and in particular their <A HREF="http://developer.netscape.com/library/documentation/signedobj/trust/owp.htm">Signing
Architecture</A>
<p>
The Princeton <A HREF="http://www.cs.princeton.edu/sip/">Java Security
Page</A>
<p>
<A HREF="http://kimera.cs.washington.edu/flaws/vacuum/">Notes on
Java Security</A> from the University of Washington
</ul>
</ul>
</ul>
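<p>The stack-introspection model named in the heading above, as an added
worked example (it is not code from the page, from any JVM, or from the
linked papers): the policy table, principal names, and method names are
invented, and the deny-when-the-stack-is-exhausted default is a
conservative choice for the demo, not a statement about any particular
vendor's implementation.

```python
# Added illustration of Java-style stack introspection (enablePrivilege /
# checkPrivilege as discussed in the Princeton papers linked above).  Not
# code from any JVM or from the papers; the policy table, principal and
# method names are invented for the demo.
from dataclasses import dataclass

# Constructed policy: the targets each principal (code origin or signer)
# is permitted to use at all.  A principal absent from the table gets nothing.
POLICY = {
    "system": {"FileRead", "FileWrite", "Net"},
    "signed-app": {"FileRead"},
    "applet": set(),
}


@dataclass
class Frame:
    """One activation record: whose code it is and which targets it has
    explicitly enabled (the equivalent of enablePrivilege)."""
    principal: str
    method: str
    enabled: frozenset = frozenset()


def check_privilege(stack, target, default_allow=False):
    """Stack introspection: walk from the most recent frame to the oldest.

    A frame whose principal is not permitted the target denies the request
    (untrusted code cannot borrow authority by calling, or being called by,
    trusted code).  A frame that has enabled the target grants it at once,
    without looking at older callers.  If the walk reaches the bottom of the
    stack the system default decides; deny is the conservative choice here.
    """
    for frame in reversed(stack):           # stack[-1] is the current frame
        if target not in POLICY.get(frame.principal, set()):
            return False
        if target in frame.enabled:
            return True
    return default_allow


def scenarios():
    """Call stacks that exercise the interesting cases (constructed)."""
    applet_paint = Frame("applet", "Applet.paint")
    font_load_enabled = Frame("system", "Font.load", frozenset({"FileRead"}))
    font_load_plain = Frame("system", "Font.load")
    installer = Frame("system", "Installer.run", frozenset({"FileWrite"}))
    applet_callback = Frame("applet", "Listener.onEvent")
    main = Frame("system", "Main.main")
    return {
        # Trusted library deliberately enables FileRead on the applet's
        # behalf: the enabling frame is reached before the applet frame.
        "library_enables_for_applet":
            check_privilege([applet_paint, font_load_enabled], "FileRead"),
        # Same call, but the library enabled nothing: the walk reaches the
        # applet frame, which is not permitted FileRead, and denies.
        "library_without_enable":
            check_privilege([applet_paint, font_load_plain], "FileRead"),
        # Luring attempt: system code enabled FileWrite and then called back
        # into applet code.  The applet frame is on top and is checked
        # first, so the enabled privilege below it does not help.
        "callback_into_applet":
            check_privilege([installer, applet_callback], "FileWrite"),
        # All-trusted stack with nothing enabled: falls through to default.
        "all_system_no_enable":
            check_privilege([main, font_load_plain], "Net"),
        "all_system_no_enable_permissive_default":
            check_privilege([main, font_load_plain], "Net", default_allow=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42s} {'ALLOW' if result else 'DENY'}")
```

<p>The third scenario is the one that distinguishes this model from a plain
"is the caller trusted?" test: an untrusted frame anywhere above the
enabling frame is reached first, so trusted code cannot be lured into
exercising its privilege for a caller it never meant to serve. The cost is
that every trusted library has to enable the privilege explicitly around
the operation that needs it.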
<h2>Other Models</h2>
<ul>
<P>If you have a different model you would like to see discussed,
add a link to the words <em>different protection models</em>.
</ul>
</ul>

<H1>Problems to be Solved</H1>
<p>
<ul>
<h2>Virus and Trojan Horse Prevention</h2>
<ul>
<p>
Modern computers are infected with hostile programs (viruses or
Trojan horses) with disturbing regularity. What requirements must
be satisfied to prevent viruses from taking hold? Can the various
protection models support these requirements?
</ul>
<p>
<h2>Fault Containment</h2>
<ul>
<p>
ActiveX uses Authenticode<sup>tm</sup> to authenticate software
components, but a signature only establishes who published a
component, not what it will do: it provides no protection against
(unintentional) flaws or (intentional) attacks once the component is
running. A properly fault-contained system would never crash because
an erroneous application had been installed.
</ul>
<h2>Confinement</h2>
<ul>
<p>
Confinement is a step up from fault containment. In the confinement
scenario, we want to make sure that the component cannot give our
secrets away to someone else. For example, a text box control
should not be able to send credit card numbers to a third party.
</ul>
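<p>The text-box scenario above, as an added illustration of how a
capability discipline confines a component (it is not code from the page
or from any capability system such as EROS or KeyKOS). Python does not
enforce capability rules, so the example enforces them by construction: a
component receives authority only through the references its host passes
to its constructor. The class names, host names, and the card number are
invented.

```python
# Added illustration of confinement under an object-capability discipline;
# not code from the page or from any capability system.  Python does not
# enforce capability rules (any module may import socket), so the demo
# enforces them by construction: a component gets authority only through
# the references its host passes in.  Class names and hosts are invented.


class FormField:
    """The sink the host wants the text box to write into."""
    def __init__(self):
        self.value = None

    def submit(self, text):
        self.value = text


class Network:
    """Authority to reach other hosts.  Holding this reference is the
    permission; there is no ambient global through which to find it."""
    def __init__(self):
        self.sent = []

    def send(self, host, payload):
        self.sent.append((host, payload))


class AttenuatedNetwork:
    """Forwarder that exposes the network for one destination only.  The
    component never sees the underlying Network, so it cannot widen this."""
    def __init__(self, net, allowed_host):
        self._net = net
        self._allowed_host = allowed_host

    def send(self, host, payload):
        if host != self._allowed_host:
            raise PermissionError(f"no authority to reach {host}")
        self._net.send(host, payload)


class LeakyTextBox:
    """Hostile component: delivers the value as expected, then tries to copy
    it to a third party through whatever network reference it holds."""
    def __init__(self, field, net):
        self._field = field
        self._net = net

    def on_input(self, text):
        self._field.submit(text)
        self._net.send("third-party.example", text)


def authority(component):
    """Under a capability discipline a component's authority is exactly the
    set of references it holds, so it can be read off the object."""
    return sorted(type(ref).__name__ for ref in vars(component).values())


CARD = "4111 1111 1111 1111"   # constructed sample input, not a real card


def ambient_wiring():
    """Host hands the component the full Network: the secret leaks."""
    net, form = Network(), FormField()
    LeakyTextBox(form, net).on_input(CARD)
    return {"form": form.value, "leaked_to": [h for h, _ in net.sent]}


def confined_wiring():
    """Host hands the component a bank-scoped forwarder only.  The leak
    fails without any policy lookup: the third party is unreachable."""
    net, form = Network(), FormField()
    box = LeakyTextBox(form, AttenuatedNetwork(net, "bank.example"))
    try:
        box.on_input(CARD)
        blocked = False
    except PermissionError:
        blocked = True
    return {"form": form.value, "leaked_to": [h for h, _ in net.sent],
            "blocked": blocked, "held": authority(box)}


if __name__ == "__main__":
    print("ambient :", ambient_wiring())
    print("confined:", confined_wiring())
```

<p>No access check runs anywhere in the confined case; the hostile
component simply holds no reference through which the third party is
reachable, and the attenuated forwarder is the only network it can see.
That is the contrast with an access-control list: with ambient authority
the host would instead have to anticipate and enumerate every destination
the component must not contact.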
<h2>Collaboration Between Mutually Suspicious Parties</h2>
<ul>
<p>
Mutual suspicion is a twist on confinement. In this case, the
user wants to know that the component is confined, and the
component author wants to know that the user cannot steal and
examine the code or data used by the component.
</ul>
<h2>Multilevel Security</h2>
<ul>
<p>
In 1977, the National Bureau of Standards made the following statement
in the report from the 1977 workshop on the Audit and Evaluation of
Computer Systems:
<blockquote>
... The point is that internal control mechanisms of current
operating systems have too low integrity for them to... effectively
isolate a user on the system from data that is at a `higher'
security than he is trusted... to deal with.
</blockquote>
<p>
Multilevel security systems are designed to solve this problem.
In a multilevel security system, a user must be of sufficient
authority to gain access to documents. The main problem is
ensuring that such a user does not transmit those documents to
someone at a lower authority level. While a few such systems have
been completed, neither the systems themselves nor the ideas they
embody have seen widespread use.
</ul>
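<p>The rule the paragraph above describes, as an added worked example (not
code from the page or from any evaluated system): a lattice of sensitivity
levels and compartments with the Bell-LaPadula simple-security property
(no read up) and *-property (no write down). Level names, compartments,
and the subject are invented.

```python
# Added illustration of the multilevel-security rule: a subject may read
# only what it is cleared for, and may not pass it down to a lower level.
# Bell-LaPadula simple-security and *-properties over a lattice of
# level + compartments.  Not code from the page or from any evaluated
# system; level names, compartments and subjects are invented.
from dataclasses import dataclass

# Total order on sensitivity levels; compartments add the lattice's second axis.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: at least as high a level and a
        superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: no write down.  This is the rule that stops a cleared
    user (or a program running with that user's label) from copying a
    document to a lower-level destination."""
    return obj.dominates(subject)


def transfer_allowed(subject, source, destination):
    """A copy is allowed only if the subject may read the source and may
    write the destination, which forces destination >= source."""
    return can_read(subject, source) and can_write(subject, destination)


def demo():
    """Constructed labels exercising each branch of the two properties."""
    analyst = Label("TOP SECRET", frozenset({"CRYPTO"}))
    ts_crypto_doc = Label("TOP SECRET", frozenset({"CRYPTO"}))
    secret_nuclear_doc = Label("SECRET", frozenset({"NUCLEAR"}))
    public_mailbox = Label("UNCLASSIFIED")
    ts_both_doc = Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"}))
    return {
        "read_own_compartment": can_read(analyst, ts_crypto_doc),
        # lower level but a compartment the analyst lacks: still denied
        "read_other_compartment": can_read(analyst, secret_nuclear_doc),
        "write_down_to_public": can_write(analyst, public_mailbox),
        "write_up": can_write(analyst, ts_both_doc),
        "copy_doc_to_public": transfer_allowed(analyst, ts_crypto_doc, public_mailbox),
        "copy_doc_up": transfer_allowed(analyst, ts_crypto_doc, ts_both_doc),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {'ALLOW' if result else 'DENY'}")
```

<p>The *-property is what stops the cleared user, or a program running
with that user's label, from copying the document to a lower-level
destination; it is also why such systems need a separately trusted
downgrading path for legitimate declassification. The check itself is the
easy part: the labels must cover every channel by which data can leave the
system, which is where the integrity problem the NBS quotation points at
actually lives.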
<p>
Got another interesting challenge problem? Link it to the words
<em>another challenge problem</em> and we'll incorporate it.
</ul>
<H1>Solutions to Date</H1>
<p>
<ul>
<h2>Confinement</h2>
<ul>
<p>
Work by Jonathan Shapiro and Sam Weber at the University of
Pennsylvania has proven mathematically that capability systems can
support confinement. The paper, entitled <a
href="http://www.cis.upenn.edu/~shap/EROS/popl98.300dpi.ps">Verifying
Operating System Security</a> is available online. We are working
on making this proof available in commentable form.
</ul>
<p>
Got another solution? Link it to the words <em>another protection
solution</em> and we'll add it.
</ul>
<p>
<h1>About the Fact Forum</h1>
<P>
The Foresight <A
HREF="http://www.foresight.org/EOC/EOC_Chapter_13.html">Fact Forum</A>
was inspired by the Science Court concept, originated by Prof. Arthur
Kantrowitz, an advisor to Foresight Institute now at Dartmouth
College, combined with hypertext publishing concepts from Ted Nelson,
Doug Engelbart, Eric Drexler, and others.
<P>
Foresight Institute considers the building of reliable, secure
software to be essential in a world of increasingly-ubiquitous
computing. For more on Foresight Institute and how we are preparing
for coming technologies including nanotechnology, see the main <A
HREF="http://www.foresight.org/">Foresight web site</A>.

<P>
<HR>
<TABLE>
<TR>
<TD><FONT SIZE=-1>For ongoing nanotechnology</FONT>&nbsp;
<BR><FONT SIZE=-1>information, <A HREF="http://www.foresight.org/FI/FEMform.html">Register</A>
for a</FONT></TD>

<TD><A HREF="http://www.foresight.org/FI/FEMform.html"><IMG SRC="FEMsm.gif" ALT="Free Electronic Membership" BORDER=0 ALIGN=CENTER></A></TD>
</TR>

<TR>
<TD><FONT SIZE=-1>To help prepare</FONT>&nbsp;
<BR><FONT SIZE=-1>for nanotechnology</FONT></TD>

<TD ALIGN=CENTER><B><A HREF="../FI/RegMemb.html">Make a Donation</A> to
Support Foresight</B></TD>
</TR>

<TR>
<TD><FONT SIZE=-1>To play a key role</FONT>&nbsp;
<BR><FONT SIZE=-1>in Foresight's efforts</FONT></TD>

<TD ALIGN=CENTER><B>Become a <A HREF="../SrAssoc/index.html">Senior Associate</A></B></TD>
</TR>
</TABLE>

<HR><FONT SIZE=-1>| <A HREF="index.html">Announcements and Events</A> |
<A HREF="../index.html">Foresight Institute Home Page</A> |</FONT>
<BR>
<HR><FONT SIZE=-1>Foresight reserves the right to remove materials stored
on its servers at any time, without notice.</FONT>
<BR><FONT SIZE=-1>Foresight materials on the Web are &copy;1986-1997 Foresight
Institute. All rights reserved.</FONT>
<BR><FONT SIZE=-1>Last updated 17Aug97. The URL of this document is: http://crit.org/~foresight/CSFactForum.html</FONT>
<BR><FONT SIZE=-1>Send requests for information about Foresight Institute
activities and membership to <A HREF="mailto:inform@foresight.org">inform@foresight.org</A>.</FONT>
<BR><FONT SIZE=-1>Send comments and questions about material on this web
site and reports of errors to <A HREF="mailto:webmaster@foresight.org">webmaster@foresight.org</A>.</FONT>
</BODY>
</HTML>
