The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Hash-Based Access Control in an Arbitrary Hierarchy

CERIAS TR 2004-49
Keith Frikken, Mikhail Atallah, and Marina Bykova
Download: PDF

We give the first solution to the problem of access control in an arbitrary n-node hierarchy G (e.g., RBAC) where all of the following hold: (i) only hash functions are used for a node to derive a descendant’s key from its own key, as opposed to the use of RSA public-key cryptography in many previous schemes (which requires slow modular exponentiations); (ii) the space complexity of the public information is the same as that of storing graph G (which is asymptotically optimal), as opposed to the quadratic space complexity of some other schemes; (iii) the derivation by a node of a descendant’s access key takes O(n) bit operations in the worst case, as opposed to O(n^2) bit operations in some of the previous schemes; (iv) updates are handled locally in the hierarchy and do not “propagate” to descendants or ancestors of the affected part of the tree; and (v) the scheme is resistant to collusion in that no subset of nodes can conspire to gain access to any node that is not already a descendant of one of the conspirators (hence legally accessible). Similar to a number of previous schemes, the private information at a node consists of a single key associated with that node. The security of our scheme relies on the existence of cryptographic one-way hash functions and the random oracle model. Another (more minor) property of our scheme is that it does not require access graph G to be free of directed cycles. We provide simple modifications to our scheme so it can handle Crampton’s extensions of the standard hierarchies to “limited depth” and reverse inheritance.

Added 2004-11-17

Private Collaborative Forecasting and Benchmarking

CERIAS TR 2004-50
Mikhail Atallah, Marina Bykova, Jiangtao Li, Keith Frikken, and Mercan Topkara
Download: PDF

Suppose a number of hospitals in a geographic area want to learn how their own heart-surgery unit is doing compared with the others in terms of mortality rates, subsequent complications, or any other quality metric. Similarly, a number of small businesses might want to use their recent point-of-sales data to cooperatively forecast future demand and thus make more informed decisions about inventory, capacity, employment, etc. These are simple examples of cooperative benchmarking and (respectively) forecasting that would benefit all participants as well as the public at large, as they would make it possible for participants to avail themselves of more precise and reliable data collected from many sources, to assess their own local performance in comparison to global trends, and to avoid many of the inefficiencies that currently arise because of having less information available for their decision-making. And yet, in spite of all these advantages, cooperative benchmarking and forecasting typically do not take place, because of the participants’ unwillingness to share their information with others. Their reluctance to share is quite rational, and is due to fears of embarrassment, lawsuits, weakening their negotiating position (e.g., in case of over-capacity), revealing corporate performance and strategies, etc. The development and deployment of private benchmarking and forecasting technologies would allow such collaborations to take place without revealing any participant’s data to the others, reaping the benefits of collaboration while avoiding the drawbacks. Moreover, this kind of technology would empower smaller organizations who could then cooperatively base their decisions on a much broader information base, in a way that is today restricted to only the largest corporations. 
This paper is a step towards this goal, as it gives protocols for forecasting and benchmarking that reveal to the participants the desired answers yet do not reveal to any participant any other participant’s private data. We consider several forecasting methods, including linear regression and time series techniques such as moving average and exponential smoothing. One of the novel parts of this work, that further distinguishes it from previous work in secure multi-party computation, is that it involves floating point arithmetic, in particular it provides protocols to securely and efficiently perform division.

Added 2004-11-17

Proceedings 2nd IEEE International Information Assurance Workshop 8-9 April 2004 Charlotte, North Carolina

Danielle C. Martin

The papers in this book comprise the proceedings of the meeting mentioned on the cover and title page. They reflect the authors' opinions and, in the interests of timely dissemination, are published as presented and without change.

Added 2004-11-16


ARCHERR: Runtime Environment Driven Program Safety

Chinchani, Ramkumar; Iyer, Anusha; Jayaraman, Bharat; Upadhyaya, Shambhu

Parameters of a program’s runtime environment such as the machine architecture and operating system largely determine whether a vulnerability can be exploited. For example, the machine word size is an important factor in an integer overflow attack and likewise the memory layout of a process in a buffer or heap overflow attack. In this paper, we present an analysis of the effects of a runtime environment on a language’s data types. Based on this analysis, we have developed Archerr, an automated one-pass source-to-source transformer that derives appropriate architecture-dependent runtime safety error checks and inserts them in C source programs. Our approach achieves comprehensive vulnerability coverage against a wide array of program-level exploits including integer overflows/underflows. We demonstrate the efficacy of our technique on versions of C programs with known vulnerabilities such as Sendmail. We have benchmarked our technique and the results show that it is generally less expensive than other well-known runtime techniques, and at the same time requires no extensions to the C programming language. Additional benefits include the ability to gracefully handle arbitrary pointer usage, aliasing, and typecasting.

Added 2004-11-16

A Tamper-Resistant Framework for Unambiguous Detection of Attacks in User Space Using Process Monitors

Chinchani, Ramkumar; Upadhyaya, Shambhu

Replication and redundancy techniques rely on the assumption that a majority of components are always safe and voting is used to resolve any ambiguities. This assumption may be unreasonable in the context of attacks and intrusions. An intruder could compromise any number of the available copies of a service resulting in a false sense of security. The kernel based approaches have proven to be quite effective but they cause performance impacts if any code changes are in the critical path. In this paper, we provide an alternate user space mechanism consisting of process monitors by which such user space daemons can be unambiguously monitored without causing serious performance impacts. A framework that claims to provide such a feature must itself be tamper-resistant to attacks. We theoretically analyze and compare some relevant schemes and show their fallibility. We propose our own framework that is based on some simple principles of graph theory and well-founded concepts in topological fault tolerance, and show that it can not only unambiguously detect any such attacks on the services but is also very hard to subvert. We also present some preliminary results as a proof of concept.

Added 2004-11-16

An Analytical Framework for Reasoning About Intrusions

Upadhyaya, Shambhu; Chinchani, Ramkumar

Local and wide area network information assurance analysts need current and precise knowledge about their systems’ activities in order to address the challenges of critical infrastructure protection.

Added 2004-11-16


ECE Research Summary

Electrical & Computer Engineering Department

Added 2004-11-02

Providing Process Origin Information to Aid in Computer Forensic Investigations

CERIAS TR 2004-48
Florian Buchholz and Clay Shields
Download: PDF
Added 2004-10-21

A Roadmap For Comprehensive Online Privacy Policy

CERIAS TR 2004-47
Annie I Anton, Elisa Bertino, Ninghui Li, Ting Yu
Download: PDF
Added 2004-10-18

Assessing Student Performance Outcomes in an Information Security Risk Assessment, Service Learning Course

CERIAS TR 2004-42
Melissa J. Dark
Download: PDF

The focus of this paper is on assessment of student performance in an information security risk assessment, service learning course. The paper provides a brief overview of the information security risk assessment course as background information and a review of relevant educational assessment theory with a focus on outcomes assessment. An example of how assessment theory was applied to this service learning course to assess student performance outcomes is described with the aim of sharing performance assessment methods with other educators. This material is based upon work supported by the National Science Foundation under Grant No. 0313871. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Added 2004-10-06

Civic Responsibility and Information Security: An Information Security Management, Service Learning Course

CERIAS TR 2004-43
Melissa J. Dark
Download: PDF

This paper describes a needed and innovative service learning Information Security Management class that was designed, developed, and offered at Purdue University in spring 2004. This paper overviews 1) the need for service learning, 2) the more specific need for service learning in information technology and educational technology programs, 3) the need for information security in K12 school corporations as these bodies of work pertain to this experimental course. For faculty interested in developing a similar course, the paper then 4) highlights the course description and objectives as a reference point, and 5) describes how this course evolved from past work with an emphasis on the type of capacity that was needed to make such a course possible.

Added 2004-10-06

School Safety and the Internet - Is Your Network Secure?

CERIAS TR 2004-44
Dark, M., Iunghuhn M., & Rausch, L.
Download: PDF
Added 2004-10-06

X-RBAC: An Access Control Language for Multi-domain Environments

CERIAS TR 2004-46
James Joshi, Rafae Bhatti, Elisa Bertino, Arif Ghafoor
Download: PDF

A multi-domain application environment consists of distributed multiple organizations, each employing its own security policy, allowing highly intensive inter-domain accesses. Ensuring security in such an environment poses several challenges. XML technologies are being perceived as the most promising approach for developing pragmatic security solutions for such environments because of the integration and interoperation framework they provide. In this paper, we highlight these challenges and propose an XML-based access control specification language called X-RBAC that addresses policy specification needs of a multi-domain environment. Our specification language is based on an extension of the widely accepted NIST RBAC model. X-RBAC allows specification of RBAC policies and facilitates specification of timing constraints on roles as well as context and content-based access requirements. Furthermore, it provides a framework for specifying mediation policies in a multi-domain environment where RBAC policies have been employed.

Added 2004-10-06