This paper is a call for standardization and certification for the computer forensics field. It presents an overview of some of the more serious issues in the maturing discipline of computer forensics and explores three areas within the legal system where computer forensics is most likely to be questioned: search and seizure, expert qualifications, and analysis and preservation. One problem area identified that needs to be addressed sooner, as opposed to later, is the lack of standards and certification. The paper examines the need for standardization and certification by analyzing federal and state court cases (criminal and civil) and concludes with suggestions for dealing with some of the issues raised.
Distributed systems with multiple interacting services, such as distributed e-commerce systems, are suitable targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research, while the problem of containment has received relatively less attention. Containment seeks to localize the effect of the intrusion to some parts of the system while allowing the other parts to continue to provide service. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing intrusions in a distributed system. ADEPTS uses a directed acyclic graph of intrusion goals, called I-DAG, and a graph of service interactions, called SNet, as the underlying representations in the system. The containment action in ADEPTS initially has the goal of preventing the spread of the intrusion by modifying its path of escalation in the I-DAG. Failing that, it adopts a more drastic response of modifying the interactions of the services in the SNet. There is also a feedback mechanism that assesses the effectiveness of a deployed response and uses that assessment to guide future choices. ADEPTS is demonstrated on a distributed e-commerce system and evaluated using a survivability metric whose value depends on the operational services in the face of an intrusion.
The administration of large Role-Based Access Control (RBAC) systems is a challenging problem. In order to administer such systems, decentralization of administration tasks by the use of delegation is an effective approach. While the use of delegation greatly enhances flexibility and scalability, it may reduce the control that an organization has over its resources, thereby diminishing a major advantage RBAC has over Discretionary Access Control (DAC). We propose to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. We give a precise definition of a family of security analysis problems in RBAC, which is more general than the safety analysis studied in the literature. We show that two classes of problems in the family can be reduced to similar analysis in the $\SRT$ role-based trust-management language, thereby establishing an interesting relationship between RBAC and the $RT$ framework. The reduction gives efficient algorithms for answering most kinds of queries in these two classes and establishes the complexity bounds for the intractable cases.
Trust plays a growing role in research on security in open computing systems, including Grid computing. We propose using trust for authorization in such systems. Traditionally, authentication and authorization in computer systems guard only user interfaces, thus providing only a perimeter defense against attacks. We search for an authentication and authorization approach that satisfies the requirements of defense in depth. After reviewing and classifying a variety of security paradigms, we propose the paradigm of Pervasive Trust. It is analogous to a social model of interaction, where trust is constantly
Adding a computer security course to a traditional computer science curriculum presents several challenges, not least of which is the difficulty of providing appropriate laboratory facilities, finding a qualified instructor, and devising a curriculum. The cost and time required to introduce such courses can be considerable, beyond the capacity of some institutions that would like to include them. This paper discusses strategies used at a small private university to rapidly expand its undergraduate and graduate curriculum with only a moderate budget and without hiring additional permanent faculty. The student body was primarily comprised of part-time graduate students attending night courses to complete their degree while working full time during the day, and seniors in an undergraduate computer science program in need of elective courses. Using resources available within traveling distance and the ready and willing participation of enthusiastic students, the school was able to launch a well-received program in a very short period of time. The course was structured around a combination of on-campus instruction, additional DVD materials provided by an NSA Center of Excellence site, presentations by local subject area experts, and students who maintained their own hands-on laboratory. The lessons learned from this effort could prove useful to other universities contemplating similar attempts.
Event reconstruction plays a critical role in solving physical crimes by explaining why a piece of physical evidence has certain characteristics. With digital crimes, the current focus has been on the recognition and identification of digital evidence using an object’s characteristics, but not on the identification of the events that caused the characteristics. This paper examines digital event reconstruction and proposes a process model and procedure that can be used for a digital crime scene. The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process. We also examine the differences between physical event reconstruction and digital event reconstruction.
Many different access control policies and models have been developed to suit a variety of goals; these include Role-Based Access Control, One-directional Information Flow, Chinese Wall, Clark-Wilson, N-person Control, and DAC, in addition to more informal ad hoc policies. While each of these policies has a particular area of strength, the notational differences between these policies are substantial. As a result it is difficult to combine them, both in making formal statements about systems which are based on differing models and in using more than one access control policy model within a given system. Thus, there is a need for a unifying formalism which is general enough to encompass a range of these policies and models. In this paper, we propose an open security architecture called Policy Machine (PM) that would meet this need. We also provide examples showing how the PM specifies and enforces access control policies.
In this paper, we present a framework for digital forensics that includes an investigation process model based on physical crime scene procedures. In this model, each digital device is considered a digital crime scene, which is included in the physical crime scene where it is located. The investigation includes the preservation of the system, the search for digital evidence, and the reconstruction of digital events. The focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested. This paper also includes definitions and descriptions of the basic and core concepts that the framework uses.