Reports and Papers Archive
Accuracy, Integrity, and Security in Computerized Vote-Tallying
Recommendations are provided to promote accuracy, integrity, and security in computerized vote-tallying, and to improve confidence in the results produced. The recommendations respond to identified problems, and concern software, hardware, operational procedures, and institutional changes. It is proposed that the concept of internal control, almost universally used to protect operations that produce priced goods or services, be adapted to vote-tallying, a non-priced service. For software, recommendations concern certification, assurance of logical correctness, and protection against contamination by hidden code. For hardware, recommendations concern accuracy of ballot reading, and design and certification of vote-tallying systems that do not use ballots. Improved pre-election testing and partial manual recounting of ballots are recommended operational procedures. Some recent significant events concerning computerized vote-tallying are reported. These events include development of performance specifications, publication of a series of New York Times articles, and activities in Texas leading to passage of a revised statute on electronic voting systems. Relative vulnerabilities of different types of vote-tallying systems, i.e. punch card, mark-sense, and direct recording electronic, are discussed. Certain recent elections in which difficulties occurred are reviewed, and categories of failure are highlighted.
Guideline on Integrity Assurance and Control in Database Administration
The Guideline provides explicit direction to Federal database administration and database security personnel on how to improve database control. The document identifies integrity and security problems in the administration of database technology, and discusses those procedures and methods which have proven effective in addressing these problems. The document also provides an explicit, step-by-step procedure for examining and verifying the accuracy and completeness of a database.
Security Relevancy Analysis On The Registry Of Windows NT 4.0
Testing for Software Vulnerability Using Environment Perturbation
Protocols for Secure Remote Database Access
Multi-Commodity Private Bidding and Auctions
Towards a Calculus of Secure Mobile Computations
The SEAL calculus is a calculus of mobile computations designed for programming secure distributed applications over large scale open networks. The calculus is a distributed variant of the pi-calculus that incorporates agent mobility as well as strong protection mechanisms. Linear, revocable capabilities control access to resources and ensure that agents may only use resources that have been allocated to them. Capabilities are also used to protect agents from the hosts on which they execute. The syntax and semantics of the SEAL calculus are presented and its expressive power is demonstrated with an example secure mobile
Flexible Alias Protection
Aliasing is endemic in object oriented programming. Because an object can be modified via any alias, object oriented programs are hard to understand, maintain, and analyse. Flexalias is a conceptual model of inter-object relationships which limits the visibility of changes via aliases, allowing objects to be aliased but mitigating the undesirable effects of aliasing. Flexalias can be checked statically using programmer supplied "aliasing modes" and imposes no run-time overhead. Using flexalias, programs can incorporate mutable objects, immutable values, and updatable collections of shared objects, in a natural object oriented programming style, while avoiding the problems caused by aliasing.
A Coordination Model for Agents Based on Secure Spaces
Mobile Agents and Hostile Hosts
Confined Types
The sharing and transfer of references in object-oriented languages is difficult to control. Without any constraint, practical experience has shown that even carefully engineered object-oriented code can be brittle, and subtle security deficiencies can go unnoticed. In this paper, we present inexpensive syntactic constraints that strengthen encapsulation by imposing static restrictions on the spread of references. In particular, we introduce confined types to impose a static scoping discipline on dynamic references and anonymous methods to loosen confinement somewhat to allow code reuse. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected.
Secure Composition of Insecure Components
The JavaSeal Mobile Agent Kernel
Mobile agents show promise as a new distributed programming paradigm in which locality plays a central role - programs that are able to move closer to their data can overcome limitations of connectivity, latency or bandwidth. Mobility also enables distributed systems to evolve; for instance, the deployment of a new service over a network can be programmed as part of the service itself. Of course, moving programs introduces new challenges. One of these is related to program structure: How much of a computation should be moved? Where are the boundaries between mobile and immobile entities drawn? A second challenge is to provide security guarantees: How can the actions of a mobile agent be controlled? And what kinds of security properties can we realistically expect to enforce? We answer these questions within the framework of the JavaSeal mobile agent system kernel. JavaSeal provides several abstractions for constructing agent systems in Java. Our basic building block is the seal, which is a nested encapsulated computation fragment with sharply delineated boundaries. Strands are sequential threads of computation bound to a seal. Capsules transfer passive seals and objects over communication channels; traffic over channels is regulated by portals. We argue that these abstractions are sufficient to program secure mobile agent systems. An electronic commerce application built over our kernel is used as a demonstrator.