diff --git a/.gitignore b/.gitignore
index 0daff37..6dd22b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 generated_definitions
 z3_problems
 c_emulator
+sail_latex_riscv
diff --git a/archdoc/.gitignore b/archdoc/.gitignore
new file mode 100644
index 0000000..211a472
--- /dev/null
+++ b/archdoc/.gitignore
@@ -0,0 +1,2 @@
+*.pdf
+build
diff --git a/archdoc/LICENSE b/archdoc/LICENSE
new file mode 100644
index 0000000..c45ef86
--- /dev/null
+++ b/archdoc/LICENSE
@@ -0,0 +1,7 @@
+\noindent
+The CHERI ISA specification is licensed under the Creative Commons Attribution
+4.0 International License. To view a copy of this license, visit:
+
+\medskip
+
+\url{http://creativecommons.org/licenses/by/4.0/}
diff --git a/archdoc/LICENSE-sail-cheri-riscv b/archdoc/LICENSE-sail-cheri-riscv
new file mode 100644
index 0000000..4ad0e9c
--- /dev/null
+++ b/archdoc/LICENSE-sail-cheri-riscv
@@ -0,0 +1,57 @@ +\noindent +The CHERI-RISC-V pseudocode is derived from the Sail CHERI-RISC-V model\footnote{\url{https://github.com/CTSRD-CHERI/sail-cheri-riscv}}, +which has the following license: + +\begin{scriptsize} +\begin{verbatim} +This CHERI Sail RISC-V architecture model here, comprising all files and +directories except for the snapshots of the Lem and Sail libraries in the +prover_snapshots directory (which include copies of their licenses), is subject +to the BSD two-clause licence below. + +Copyright (c) 2017-2021 Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, + Jessica Clarke, Nathaniel Wesley Filardo (contributions prior to July 2020, + thereafter Microsoft), Alexandre Joannou, Microsoft, Prashanth Mundkur, + Robert Norton-Wright (contributions prior to March 2020, thereafter + Microsoft), Alexander Richardson, Peter Rugg, Peter Sewell + +All rights reserved. + +This software was developed by SRI International and the University of +Cambridge Computer Laboratory (Department of Computer Science and +Technology) under DARPA/AFRL contract FA8650-18-C-7809 ("CIFV"), and +under DARPA contract HR0011-18-C-0016 ("ECATS") as part of the DARPA +SSITH research programme. + +This software was developed within the Rigorous Engineering of +Mainstream Systems (REMS) project, partly funded by EPSRC grant +EP/K008528/1, at the Universities of Cambridge and Edinburgh. + +This project has received funding from the European Research Council +(ERC) under the European Union’s Horizon 2020 research and innovation +programme (grant agreement 789108, ELVER). + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. +\end{verbatim} +\end{scriptsize} diff --git a/archdoc/LICENSE-sail-riscv b/archdoc/LICENSE-sail-riscv new file mode 100644 index 0000000..1bc51af --- /dev/null +++ b/archdoc/LICENSE-sail-riscv 
@@ -0,0 +1,59 @@ +\noindent +The RISC-V pseudocode is derived from the Sail RISC-V model\footnote{\url{https://github.com/riscv/sail-riscv}}, +which has the following license: +\begin{scriptsize} +\begin{verbatim} +This Sail RISC-V architecture model, comprising all files and +directories except for the snapshots of the Lem and Sail libraries +in the prover_snapshots directory (which include copies of their +licences), is subject to the BSD two-clause licence below. + +Copyright (c) 2017-2021 Prashanth Mundkur, Rishiyur S. Nikhil and + Bluespec, Inc., Jon French, Brian Campbell, Robert Norton-Wright, + Alasdair Armstrong, Thomas Bauereiss, Shaked Flur, Christopher Pulte, + Peter Sewell, Alexander Richardson, Hesham Almatary, + Jessica Clarke, Microsoft, for contributions by Robert Norton-Wright and + Nathaniel Wesley Filardo, Peter Rugg, + Aril Computer Corp., for contributions by Scott Johnson + +All rights reserved. + +This software was developed by the above within the Rigorous +Engineering of Mainstream Systems (REMS) project, partly funded by +EPSRC grant EP/K008528/1, at the Universities of Cambridge and +Edinburgh. + +This software was developed by SRI International and the University of +Cambridge Computer Laboratory (Department of Computer Science and +Technology) under DARPA/AFRL contract FA8650-18-C-7809 ("CIFV"), and +under DARPA contract HR0011-18-C-0016 ("ECATS") as part of the DARPA +SSITH research programme. + +This project has received funding from the European Research Council +(ERC) under the European Union’s Horizon 2020 research and innovation +programme (grant agreement 789108, ELVER). + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. +\end{verbatim} +\end{scriptsize} diff --git a/archdoc/Makefile b/archdoc/Makefile new file mode 100644 index 0000000..235d804 --- /dev/null +++ b/archdoc/Makefile 
@@ -0,0 +1,93 @@
+TARGET=cheriot-architecture.pdf
+MAIN_TEX=cheriot-architecture.tex
+SAIL_LATEX_RISCV_DIR=sail_latex_riscv
+
+SOURCES=$(wildcard *.tex insn-riscv/*.tex $(SAIL_LATEX_RISCV_DIR)/*.tex) cheri.bib LICENSE LICENSE-sail-cheri-riscv LICENSE-sail-riscv
+
+TIKZFIGURES=fig-representable-regions.pdf fig-sentry-plt.pdf fig-type-token.pdf
+FIGSOURCES= \
+ misc/perms/perms5_clustered.pdf \
+ $(TIKZFIGURES)
+
+V?=0
+ifeq ($(V),0)
+INTERACTION=batchmode
+TEXLOGANALYSER_FLAGS=-w
+else
+INTERACTION=nonstopmode
+# Also include page numbers to make it easier to find what caused the warning
+TEXLOGANALYSER_FLAGS=-w -n
+endif
+
+LATEXMK_COMMON_FLAGS=-bibtex -pdf
+PDFLATEX_FLAGS=-file-line-error -halt-on-error -interaction=$(INTERACTION)
+
+.PHONY: all
+all: sail-latex ${TARGET}
+
+# The texloganalyser tool can be used to find all warning messages in the latex
+# logfile which is useful when using interaction=batchmode. There is also
+# a python package pydflatex that does the same thing (but with colours).
+# Howver, texloganalyser is included by default in some TeX distributions so
+# prefer that one.
+# TODO: fix the broken sail hyperrefs so we don't have to filter the out.
+${TARGET}: ${SOURCES} ${FIGSOURCES}
+ latexmk $(LATEXMK_COMMON_FLAGS) $(MAIN_TEX) $(PDFLATEX_FLAGS); ret=$$?; \
+ if command -v texloganalyser >/dev/null 2>/dev/null; then \
+ texloganalyser $(TEXLOGANALYSER_FLAGS) build/cheri-architecture.log; \
+ fi; exit $$ret
+
+$(TIKZFIGURES): %.pdf: %.tex Makefile
+ latexmk $(LATEXMK_COMMON_FLAGS) $(PDFLATEX_FLAGS) $<
+
+.PHONY: figures
+figures: $(TIKZFIGURES)
+
+.PHONY: quick
+quick:
+ pdflatex $(MAIN_TEX) $(PDFLATEX_FLAGS)
+ @(echo "pdflatex only run once so build may be incomplete")
+
+# The sed commands require GNU sed
+ifeq ($(shell uname -s),Linux)
+SED?=sed
+else
+SED?=gsed
+endif
+
+# Work around `find: fts_read: Invalid argument` on macOS
+ifeq ($(shell uname -s),Darwin)
+FIND?=gfind
+else
+FIND?=find
+endif
+
+SAIL_CHERI_RISCV_DIR?=..
+sail-latex:
+ rm -rf $(SAIL_LATEX_RISCV_DIR)
+ $(MAKE) -C $(SAIL_CHERI_RISCV_DIR) latex
+ mv $(SAIL_CHERI_RISCV_DIR)/$(SAIL_LATEX_RISCV_DIR) .
+ $(FIND) $(SAIL_LATEX_RISCV_DIR) -type f -name 'fcl*zexecute*.tex' -exec $(SED) -i -e '1d; 2{/^{$$/d}; $$d; s/^ //;' {} +
+ touch $(SAIL_LATEX_RISCV_DIR)/0GENERATED_FILES_DO_NOT_EDIT
+ touch $(SAIL_LATEX_RISCV_DIR)/zGENERATED_FILES_DO_NOT_EDIT
+ $(FIND) $(SAIL_LATEX_RISCV_DIR) -type f -exec chmod -w {} +
+
+.PHONY: clean update-sail-defs sail-latex
+clean:
+ latexmk -C $(LATEXMK_COMMON_FLAGS) $(MAIN_TEX)
+ latexmk -C $(LATEXMK_COMMON_FLAGS) fig-*.tex
+ rm -f $(TARGET) $(TIKZFIGURES)
+
+cheri-sorted.bib: cheri.bib bib-sorting.conf
+ biber --tool $< --sortcase=false --strip-comments --sortdebug --isbn13 --isbn-normalise --fixinits \
+ --output_indent=4 --output_fieldcase=lower --sortlocale=en_GB \
+ --configfile=bib-sorting.conf --validate-config --output-file=$@
+
+
+.PHONY: check-bibliography check-bibliography-strict
+check-bibliography:
+ # For more detailed output add --debug
+ biber --tool cheri.bib
+
+check-bibliography-strict:
+ biber --tool --validate-datamodel cheri.bib | grep -v "Missing mandatory field 'editor'" | grep -v "is not an integer"
diff --git a/archdoc/acknowledgments.tex b/archdoc/acknowledgments.tex
new file mode 100644
index 0000000..8c57b23
--- /dev/null
+++ b/archdoc/acknowledgments.tex
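Review bot: The `${TARGET}` recipe hands texloganalyser `build/cheri-architecture.log`, but `MAIN_TEX` is `cheriot-architecture.tex`, so the log it will actually look for is `build/cheriot-architecture.log`; because the recipe then does `exit $$ret` with latexmk's status, texloganalyser's failure is masked and in the default `V=0` batchmode build the warnings this step exists to surface are silently never shown. Derive the name from the variable instead, `texloganalyser $(TEXLOGANALYSER_FLAGS) build/$(MAIN_TEX:.tex=.log); \` — the `build/` output directory presumably comes from a latexmkrc not in this diff, so confirm that path too. Separately, `update-sail-defs` is listed in `.PHONY` but has no rule in this file; either add the target or drop it from the list so `make update-sail-defs` does not fail with "No rule to make target". Note also that `sail-latex` is phony and a prerequisite of `all`, so every `make` unconditionally `rm -rf`s and regenerates `sail_latex_riscv`, and the `$(wildcard $(SAIL_LATEX_RISCV_DIR)/*.tex)` in `SOURCES` is expanded at parse time, before that regeneration; a comment stating this is intentional would save the next reader the investigation.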
@@ -0,0 +1,134 @@ +\section*{Acknowledgments} + +\vspace{-0.2cm} + +\noindent +This document contains some elements from the CHERI ISA Specification\footnote{\url{https://github.com/CTSRD-CHERI/cheri-specification}}, +which is licensed under the Creative Commons Attribution 4.0 International License. +To view a copy of this license, visit: + +\medskip + +\url{http://creativecommons.org/licenses/by/4.0/} + +\medskip +\noindent +We acknowledge all the authors of that report: + +\medskip +\begin{small} +\noindent\begin{autogrid}{4} +Robert~N.~M.~Watson \\ +Peter~G.~Neumann \\ +Jonathan~Woodruff \\ +Michael~Roe \\ +Hesham~Almatary \\ +Jonathan~Anderson \\ +John~Baldwin \\ +Graeme~Barnes \\ +David~Chisnall \\ +Jessica~Clarke \\ +Brooks~Davis \\ +Lee~Eisen \\ +Nathaniel~Wesley~Filardo \\ +Richard~Grisenthwaite \\ +Alexandre~Joannou \\ +Ben~Laurie \\ +A.~Theodore~Markettos \\ +Simon~W.~Moore \\ +Steven~J.~Murdoch \\ +Kyndylan~Nienhuis \\ +Robert~Norton \\ +Alexander~Richardson \\ +Peter~Rugg \\ +Peter~Sewell \\ +Stacey~Son \\ +Hongyan~Xia +\end{autogrid} +\end{small} + +\medskip +\noindent +as well as the many other contributors to the CHERI project: +\medskip + +\begin{small} +\noindent\begin{autogrid}{4} +Sam Ainsworth \\ +Ross J. Anderson \\ +Ruben Ayrapetyan \\ +Hadrien Barral \\ +Thomas Bauereiss \\ +Stuart Biles \\ +Andrew Bivin \\ +Peter Blandford-Baker \\ +Matthias Boettcher \\ +David Brazdil \\ +Reuben Broadfoot \\ +Kevin Brodsky \\ +Ruslan Bukin \\ +Brian Campbell \\ +Gregory Chadwick \\ +Serban Constantinescu \\ +Chris Dalton \\ +Nirav Dave \\ +Dominique Devriese \\ +Mike Dodson \\ +Lawrence Esswood \\ +Jonas Fiala \\ +Wedson Filho \\ +Anthony Fox \\ +Paul J. 
Fox \\ +Franz Fuchs \\ +Ivan Gomes Ribeiro \\ +Paul Gotch \\ +Tom Grocutt \\ +Khilan Gudka \\ +Brett Gutstein \\ +Jong Hun Han \\ +Andy Hopper \\ +Alex Horsman \\ +Timothy Jones \\ +Asif Khan \\ +Myron King \\ +Joe Kiniry \\ +Chris Kitching \\ +Wojciech Koszek \\ +Robert Kovacsics \\ +Karthik Muthusamy \\ +Patrick Lincoln \\ +Marno van der Maas \\ +Anil Madhavapeddy \\ +Ilias Marinos \\ +Tim Marsland \\ +Ed Maste \\ +Alfredo Mazzinghi \\ +Kayvan Memarian \\ +Dejan Milojicic \\ +Andrew W. Moore \\ +Will Morland \\ +Alan Mujumdar \\ +Prashanth Mundkur \\ +Edward Napierala \\ +Philip Paeps \\ +Lucian Paul-Trifu \\ +Austin Roach \\ +Colin Rothwell \\ +John Rushby \\ +Hassen Saidi \\ +Hans Petter Selasky \\ +Andrew Scull \\ +Muhammad Shahbaz \\ +Bradley Smith \\ +Lee Smith \\ +Ian Stark \\ +Ramy Tadros \\ +Andrew Turner \\ +Richard Uhler \\ +Munraj Vadera \\ +Jacques Vidrine \\ +Hugo Vincent \\ +Philip Withnall \\ +Bjoern A. Zeeb \\ +\end{autogrid} +\end{small} diff --git a/archdoc/app-isaquick-riscv-macros.tex b/archdoc/app-isaquick-riscv-macros.tex new file mode 100644 index 0000000..f0ef90f --- /dev/null +++ b/archdoc/app-isaquick-riscv-macros.tex 
@@ -0,0 +1,46 @@ +\input{app-isaquick-table-macros} + +\makeatletter +\def\rvcherienctablecols{4} +\def\rvcherienctablefontsize{\normalsize} + +% class count +\newcommand{\@rvcherimakeenctablecmd}[2]{% + % [cols] + \ea\NewDocumentCommand\ea{\csname rvcherienctable#1\endcsname}{o}{% + \IfValueTF{##1}{% + \@cherienctable{##1}{@rvcheriencusetablestr@#1}{#2}% + }{% + \ea\@cherienctable\ea{\rvcherienctablecols}{@rvcheriencusetablestr@#1}{#2}% + }% + }% +} +\@rvcherimakeenctablecmd{top}{8} +\@rvcherimakeenctablecmd{srcsrcdest}{128} +\@rvcherimakeenctablecmd{srcsrc}{32} +\@rvcherimakeenctablecmd{src}{32} +\@rvcherimakeenctablecmd{srcdest}{32} +\@rvcherimakeenctablecmd{dest}{32} +\@rvcherimakeenctablecmd{expload}{32} +\@rvcherimakeenctablecmd{expstore}{32} + +\let\rvcheriasminsnref\insnriscvref +\let\rvcheriasminsnnoref\insnnoref +\providecommand{\rvcheriasmfmt}{} +\renewcommand{\rvcheriasmfmt}[2][]{% + ~\raiseforbf{% + \textsf{\footnotesize{#2}}% + \ifthenelse{\equal{#1}{}}{% + }{% + ~{\textit{\scriptsize{(#1)}}}% + }% + }% +} + +\newcommand{\rvcheriisaquick}[1]{% + \rvcheribitbox{#1}~\rvcheriasm{#1}% +} + +\newcommand{\riscvbitboxaq}{\rotateinbitbox{\small aq}} +\newcommand{\riscvbitboxrl}{\rotateinbitbox{\small rl}} +\makeatother diff --git a/archdoc/app-isaquick-riscv.tex b/archdoc/app-isaquick-riscv.tex new file mode 100644 index 0000000..f636b3f --- /dev/null +++ b/archdoc/app-isaquick-riscv.tex 
@@ -0,0 +1,537 @@ +{ +\setlength{\parindent}{0cm} + +\input{def-riscv-insns} +\input{app-isaquick-riscv-macros} + +\chapter{Instruction encoding summary} +\label{app:isaquick-riscv} + + \section{Primary new instructions} + + The RISC-V specification reserves 4 major opcodes for extensions: 11 (0xb / 0b0001011), 43 (0x2b / 0b0101011), 91 (0x5b / 0b1011011), and 123 (0x7b / 0b1111011). + The proposed CHERI encodings use major opcode 0x5b for all capability instructions. + + All register-register operations use the RISC-V R-type or I-type encoding formats. + \optype{Capability-Inspection} + + \rvcheriheader + \rvcheriisaquick{CGetPerm} + + \rvcheriisaquick{CGetType} + + \rvcheriisaquick{CGetBase} + + \rvcheriisaquick{CGetLen} + + \rvcheriisaquick{CGetTag} + + \rvcheriisaquick{CGetAddr} + + \rvcheriisaquick{CGetHigh} + + \rvcheriisaquick{CGetTop} + + \optype{Capability-Modification} + + \rvcheriheader + \rvcheriisaquick{CSeal} + + \rvcheriisaquick{CUnseal} + + \rvcheriisaquick{CAndPerm} + + \rvcheriisaquick{CSetAddr} + + \rvcheriisaquick{CIncAddr} + + \rvcheriisaquick{CIncAddrImm} + + \rvcheriisaquick{CSetBounds} + + \rvcheriisaquick{CSetBoundsExact} + + \rvcheriisaquick{CSetBoundsImm} + + \rvcheriisaquick{CSetHigh} + + \rvcheriisaquick{CClearTag} + + \texttt{CSetBoundsExact} may not be required. 
+ + \optype{Pointer-Arithmetic} + + \rvcheriheader + + \jwnote{We do not need CSub, since a standard Sub will return the difference between two capabilities.} + + \jrtcnote{We do need a separate CSub with a split register file though, + so we define one that should be used even with a merged register file.} + + \rvcheriisaquick{CSub} + + \rvcheriisaquick{CMove} + + \optype{Pointer-Comparison} + + \rvcheriheader + + \rvcheriisaquick{CTestSubset} + + \rvcheriisaquick{CSetEqualExact} + + \optype{Special Capabilty Register Access} + \rvcheriheader + + \rvcheriisaquick{CSpecialRW} + + \optype{Adjusting to Compressed Capability Precision} + \rvcheriheader + + \rvcheriisaquick{CRoundRepresentableLength} + + \rvcheriisaquick{CRepresentableAlignmentMask} + + \section{Modifications to existing RISC-V instructions} + \optype{Control-Flow} + + No special new control flow instructions are added, although RISC-V \texttt{JAL} / \texttt{JALR} become capability instructions \rvcheriasminsnref{CJAL} / \rvcheriasminsnref{CJALR}. + The branch instructions also check that \PCC{} permits at least one 2-byte instruction to be loaded from the target address, otherwise they raise a capability bounds exception. 
+ + \optype{Memory-Access} + \label{quickref:mem} + + \vspace{1.5ex} + +The standard RV32 load and store instructions are modified to take a capability +as the base address:\\ + + \begin{bytefield}{32} + \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,31}\\ + \bitbox{12}{imm[11:0]} + \bitbox{5}{cs1} + \bitbox{3}{op} + \bitbox{5}{rd} + \bitbox{7}{0x3} + \end{bytefield} + \rvcheriasmfmt{CL[BHW][U] rd, cs1, imm} + + \begin{bytefield}{32} + \bitbox{7}{imm[11:5]} + \bitbox{5}{rs2} + \bitbox{5}{cs1} + \bitbox{3}{op} + \bitbox{5}{imm[4:0]} + \bitbox{7}{0x23} + \end{bytefield} + \rvcheriasmfmt{CS[BHW] rs2, cs1, imm}\\ + +The RV64 instructions \texttt{LD} and \texttt{SD} are reused to behave as load capability (\texttt{LC}) and store capability (\texttt{SC}) respectively:\\ + + \begin{bytefield}{32} + \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,31}\\ + \bitbox{12}{imm} + \bitbox{5}{rs1} + \bitbox{3}{0x3} + \bitbox{5}{cd} + \bitbox{7}{0x3} + \end{bytefield} + \rvcheriasmfmt[RV32]{\rvcheriasminsnref{CLC} cd, rs1, imm} + + \begin{bytefield}{32} + \bitbox{7}{imm[11:5]} + \bitbox{5}{cs2} + \bitbox{5}{rs1} + \bitbox{3}{0x3} + \bitbox{5}{imm[4:0]} + \bitbox{7}{0x23} + \end{bytefield} + \rvcheriasmfmt[RV32]{\rvcheriasminsnref{CSC} cs2, rs1, imm}\\ + +% \optype{Atomic Memory-Access} + +% When using 64-bit capabilities in RV32, the RV64A instructions \texttt{LR.D}, \texttt{SC.D} and \texttt{AMOSWAP.D} are reused to behave as \texttt{LR.C}, \texttt{SC.C} and \texttt{AMOSWAP.C} respectively.\\ + +% \begin{bytefield}{32} +% \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,26,27,31}\\ +% \bitbox{5}{0x2} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{0x0} +% \bitbox{5}{rs1} +% \bitbox{3}{0x3} +% \bitbox{5}{cd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt[RV32]{\rvcheriasminsnnoref{LR.C} cd, rs1} + +% \begin{bytefield}{32} +% \bitbox{5}{0x3} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{cs2} +% 
\bitbox{5}{rs1} +% \bitbox{3}{0x3} +% \bitbox{5}{rd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt[RV32]{\rvcheriasminsnnoref{SC.C} rd, cs2, rs1} + +% \begin{bytefield}{32} +% \bitbox{5}{0x1} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{cs2} +% \bitbox{5}{rs1} +% \bitbox{3}{0x3} +% \bitbox{5}{cd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt[RV32]{\rvcheriasminsnnoref{AMOSWAP.C} cd, cs2, rs1} +% +% We do not provide any of the other AMOs at this point when operating on +% capability values, as they generally make sense only when operating on integer +% values. + +% Since capabilities have precise bounds, sub-word atomics cannot be implemented +% using word-sized atomics. To avoid unnecessary complexity compared with a +% non-CHERI RISC-V implementation, we define only \texttt{LR.B}, \texttt{SC.B}, +% \texttt{LR.H} and \texttt{SC.H}, without any of the corresponding AMOs. We also +% only require these to be present in capability mode, but implementations may +% choose to always provide them for simplicity. 
+ +% \begin{bytefield}{32} +% \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,26,27,31}\\ +% \bitbox{5}{0x2} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{0x0} +% \bitbox{5}{rs1} +% \bitbox{3}{0x0} +% \bitbox{5}{rd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt{\rvcheriasminsnnoref{LR.B} rd, rs1} + +% \begin{bytefield}{32} +% \bitbox{5}{0x3} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{rs2} +% \bitbox{5}{rs1} +% \bitbox{3}{0x0} +% \bitbox{5}{rd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt{\rvcheriasminsnnoref{SC.B} rd, rs2, rs1} + +% \begin{bytefield}{32} +% \bitbox{5}{0x2} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{0x0} +% \bitbox{5}{rs1} +% \bitbox{3}{0x1} +% \bitbox{5}{rd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt{\rvcheriasminsnnoref{LR.H} rd, rs1} + +% \begin{bytefield}{32} +% \bitbox{5}{0x3} +% \bitbox{1}{\riscvbitboxaq} +% \bitbox{1}{\riscvbitboxrl} +% \bitbox{5}{rs2} +% \bitbox{5}{rs1} +% \bitbox{3}{0x1} +% \bitbox{5}{rd} +% \bitbox{7}{0x2f} +% \end{bytefield} +% \rvcheriasmfmt{\rvcheriasminsnnoref{SC.H} rd, rs2, rs1} + +\optype{Address Construction} +The \asm{AUIPC} instruction is replaced by \asm{AUIPCC}, which derives capabilities from \PCC{}. +Our ABI also requires a new instruction, \asm{AUICGP}, that is similar to \asm{AUIPCC} but derives from \asm{\$c3} (\asm{\$cgp}). +This required allocating a new major opcode, although we expect that further support for linker relaxation may remove the need for \asm{AUICGP}. 
\\ + + \begin{bytefield}{32} + \bitheader[endianness=big]{0,6,7,11,12,31}\\ + \bitbox{20}{imm[31:12]} + \bitbox{5}{cd} + \bitbox{7}{0x17} + \end{bytefield} + \rvcheriasmfmt{\rvcheriasminsnref{AUIPCC} cd, imm} + + + \begin{bytefield}{32} + \bitbox{20}{imm[31:12]} + \bitbox{5}{cd} + \bitbox{7}{0x7b} + \end{bytefield} + \rvcheriasmfmt{\rvcheriasminsnref{AUICGP} cd, imm} + +% \section{Assembly Programming} + +% \subsection{Capability Register ABI Names} + +% Table~\ref{table:riscv-register-names} lists the ABI names of +% the capability registers. The ABI names follow from the ABI +% names of the RISC-V \textbf{x} registers. All capability registers are +% Caller-Save in the hybrid ABI. Capability registers follow +% the same save requirements as \textbf{x} registers in the purecap ABI. + +% \begin{table}[h] +% \begin{center} +% \begin{tabular}{lllll} +% \toprule +% Register & ABI Name & Description & Hybrid Saver & Purecap Saver \\ +% \midrule +% c0 & cnull & NULL pointer & - & - \\ +% c1 & cra & Return address & Caller & Caller \\ +% c2 & csp & Stack pointer & Caller & Callee \\ +% c3 & cgp & Global pointer & - & - \\ +% c4 & ctp & Thread pointer & - & - \\ +% c5 & ct0 & Temporary/alternate link register & Caller & Caller \\ +% c6-7 & ct1-2 & Temporaries & Caller & Caller \\ +% c8 & cs0/cfp & Saved register/frame pointer & Caller & Callee \\ +% c9 & cs1 & Saved register & Caller & Callee \\ +% c10-11 & ca0-1 & Function arguments/return values & Caller & Caller \\ +% c12-17 & ca2-7 & Function arguments & Caller & Caller \\ +% c18-27 & cs2-11 & Saved registers & Caller & Callee \\ +% c28-31 & ct3-6 & Temporaries & Caller & Caller \\ +% \bottomrule +% \end{tabular} +% \end{center} +% \caption{Assembler mnemonics for CHERI RISC-V capability registers} +% \label{table:riscv-register-names} +% \end{table} + +% \subsection{Capability Encoding Mode Instructions} + +% Table~\ref{table:riscv-capmode-instructions} lists uncompressed +% instructions which change semantics under 
capability mode. +% Table~\ref{table:riscv-capmode-instructions-rvc} lists compressed +% instructions which change semantics under capability mode. + +% \begin{table} +% \begin{center} +% \begin{tabular}{ll} +% \toprule +% Integer Instruction & Capability Instruction \\ +% \midrule +% \texttt{l\{b|h|w|d\}[u] rd, offset(rs1)} & \texttt{cl\{b|h|w|d\}[u] rd, offset(cs1)} \\ +% \texttt{lc cd, offset(rs1)} & \texttt{clc cd, offset(cs1)} \\ +% \texttt{s\{b|h|w|d\} rs2, offset(rs1)} & \texttt{cs\{b|h|w|d\} rs2, offset(cs1)} \\ +% \texttt{sc rs2, offset(rs1)} & \texttt{csc cs2, offset(cs1)} \\ +% \texttt{fl\{h|w|d|q\} fd, offset(rs1)} & \texttt{cfl\{h|w|d|q\} fd, offset(cs1)} \\ +% \texttt{fs\{h|w|d|q\} fs2, offset(rs1)} & \texttt{cfs\{h|w|d|q\} fs2, offset(cs1)} \\ +% \texttt{lr.\{b|h|w|d\} rd, (rs1)} & \texttt{clr.\{b|h|w|d\} rd, (cs1)} \\ +% \texttt{lr.c cd, (rs1)} & \texttt{clr.c cd, (cs1)} \\ +% \texttt{sc.\{b|h|w|d\} rd, rs2, (rs1)} & \texttt{csc.\{b|h|w|d\} rd, rs2, (cs1)} \\ +% \texttt{sc.c cd, cs2, (rs1)} & \texttt{csc.c cd, cs2, (cs1)} \\ +% \texttt{amo.\{w|d\}[.order] rd, rs2, (rs1)} & \texttt{camo.\{w|d\}[.order] rd, rs2, (cs1)} \\ +% \texttt{amo.c[.order] cd, cs2, (rs1)} & \texttt{camo.c[.order] cd, cs2, (cs1)} \\ +% \texttt{auipc rd, offset} & \texttt{auipcc cd, offset} \\ +% \bottomrule +% \end{tabular} +% \end{center} +% \caption{Uncompressed Instructions Dependent on Encoding Mode} +% \label{table:riscv-capmode-instructions} +% \end{table} + +% \begin{table} +% \begin{center} +% \begin{tabular}{lll} +% \toprule +% Integer Instruction & Capability Instruction & ISA \\ +% \midrule +% \texttt{c.jr rs1} & \texttt{c.cjr cs1} & - \\ +% \texttt{c.jalr rs1} & \texttt{c.cjalr cs1} & - \\ +% \texttt{c.l\{w|d\} rd, offset(rs1)} & \texttt{c.cl\{w|d\} rd, offset(cs1)} & - \\ +% \texttt{c.l\{w|d\}sp rd, offset(sp)} & \texttt{c.cl\{w|d\}sp rd, offset(csp)} & - \\ +% \texttt{c.s\{w|d\} rs2, offset(rs1)} & \texttt{c.cs\{w|d\} rs2, offset(cs1)} & - \\ +% 
\texttt{c.s\{w|d\}sp rs2, offset(sp)} & \texttt{c.cs\{w|d\}sp rs2, offset(csp)} & - \\ +% \texttt{c.flw fd, offset(rs1)} & \texttt{c.clc cd, offset(cs1)} & RV32 \\ +% \texttt{c.flwsp fd, offset(sp)} & \texttt{c.clcsp cd, offset(csp)} & RV32 \\ +% \texttt{c.fsw fs2, offset(rs1)} & \texttt{c.csc cs2, offset(cs1)} & RV32 \\ +% \texttt{c.fswsp fs2, offset(sp)} & \texttt{c.cscsp cs2, offset(csp)} & RV32 \\ +% \texttt{c.fld fd, offset(rs1)} & \texttt{c.cfld fd, offset(cs1)} & RV32 \\ +% \texttt{c.fldsp fd, offset(sp)} & \texttt{c.cfldsp fd, offset(csp)} & RV32 \\ +% \texttt{c.fsd fs2, offset(rs1)} & \texttt{c.cfsd fs, offset(cs1)} & RV32 \\ +% \texttt{c.fsdsp fs2, offset(sp)} & \texttt{c.cfsdsp fs, offset(csp)} & RV32 \\ +% \texttt{c.fld fd, offset(rs1)} & \texttt{c.clc cd, offset(cs1)} & RV64 \\ +% \texttt{c.fldsp fd, offset(sp)} & \texttt{c.clcsp cd, offset(csp)} & RV64 \\ +% \texttt{c.fsd fs2, offset(rs1)} & \texttt{c.csc cs, offset(cs1)} & RV64 \\ +% \texttt{c.fsdsp fs2, offset(sp)} & \texttt{c.cscsp cs, offset(csp)} & RV64 \\ +% \bottomrule +% \end{tabular} +% \end{center} +% \caption{Compressed Instructions Dependent on Encoding Mode} +% \label{table:riscv-capmode-instructions-rvc} +% \end{table} + +% Table~\ref{table:riscv-capmode-pseudo-remove} lists psuedoinstructions +% removed in capability mode. +% Table~\ref{table:riscv-capmode-pseudo-add} lists psuedoinstructions +% added in capability mode. 
+ +% \begin{table} +% \begin{center} +% \begin{tabular}{ll} +% \toprule +% Pseudoinstruction & Meaning \\ +% \midrule +% \texttt{la rd, symbol} & Load address \\ +% \texttt{lla rd, symbol} & Load local address \\ +% \texttt{l\{b|h|w|d\} rd, symbol} & Load global \\ +% \texttt{s\{b|h|w|d\} rd, symbol, rt} & Store global \\ +% \texttt{fl\{w|d\} rd, symbol, rt} & Floating-point load global \\ +% \texttt{fs\{w|d\} rd, symbol, rt} & Floating-point store global \\ +% \midrule +% \texttt{call symbol} & Call far-away subroutine \\ +% \texttt{tail symbol} & Tail call far-away subroutine \\ +% \bottomrule +% \end{tabular} +% \end{center} +% \caption{Pseudoinstructions Removed in Capability Mode} +% \label{table:riscv-capmode-pseudo-remove} +% \end{table} + +% \begin{sidewaystable} +% \begin{center} +% \begin{tabular}{lll} +% \toprule +% Pseudoinstruction & Base Instruction(s) & Meaning \\ +% \midrule +% \texttt{clgc cd, sym} & +% \begin{tabular}{@{}l@{}} +% \texttt{1: auipcc cd, \%captab\_pcrel\_hi(sym)} \\ \texttt{\ \ \ \ clc cd, \%pcrel\_lo(1b)(cd)} +% \end{tabular} +% & Load from capability table \\ +% \texttt{cllc cd, sym} & +% \begin{tabular}{@{}l@{}} +% \texttt{1: auipcc cd, \%pcrel\_hi(sym)} \\ \texttt{\ \ \ \ cincoffset cd, cd, \%pcrel\_lo(1b)} +% \end{tabular} +% & Load PCC-relative capability \\ +% \midrule +% \texttt{cjr cs} & \texttt{cjalr cnull, cs} & Jump to capability \\ +% \texttt{cjalr cs} & \texttt{cjalr cra, cs} & Jump to capability and link \\ +% \texttt{cret} & \texttt{cjalr cnull, cra} & Return to capability \\ +% \midrule +% \texttt{cspecialr cd, scr} & \texttt{cspecialrw cd, scr, cnull} & Read special capability register \\ +% \texttt{cspecialw scr, cs} & \texttt{cspecialrw cnull, scr, cs} & Write special capability register \\ +% \bottomrule +% \end{tabular} +% \end{center} +% \caption{Pseudoinstructions Added in Capability Mode} +% \label{table:riscv-capmode-pseudo-add} +% % TODO: should the hyperrefs for these pseudos link to CJALR instead? 
+% \insnriscvlabel{cjr} +% \insnriscvlabel{cret} +% \insnriscvlabel{cspecialr} +% \insnriscvlabel{cspecialw} +% \insnriscvlabel{cllc} +% \insnriscvlabel{clgc} +% \end{sidewaystable} + + \section{Encoding Summary} + + The \cherimcuisa{} shares encodings with CHERI-RISC-V. + The general-purpose instructions use the 0x5b major opcode and use the RISC-V R-type or I-type encoding formats. + CHERI-RISC-V uses the funct3 field from bits 14-12 as a top-level opcode, and funct7 as a secondary + opcode for standard 3-register operand instructions. + Two-register operand instructions and single-register operand instructions are a subset + of the 3-register operand encodings. + + \subsection*{Top-level encoding allocation (funct3 field)} + {\rvcherienctablefontsize + \rvcherienctabletop + } + + \subsection*{Two Source \& Dest encoding allocation (funct7 field)} + All three-register-operand (two sources, one destination) CHERI-RISC-V instructions use the RISC-V R-type encoding format, with the same funct field stored in funct7 and a 0 value in funct3. + + \vspace{1em} + + \rvcherirawbitbox{srcsrcdest}{func}{cd}{cs1}{rs2/cs2} + + \vspace{1em} + + {\rvcherienctablefontsize + \def\rvcherireservedfootnotemark{$^\dagger$} + \rvcherienctablesrcsrcdest\\\\ + \footnotesize + $^\dagger$Reserved for future use. + } + + \clearpage + \subsection*{Two Source encoding allocation (rd field)} + There are currently no two source instructions but they would be of the following form: + \vspace{1em} + + \rvcheriheader + \rvcherirawbitbox{srcsrc}{func}{rs1/cs1}{rs2/cs2} + + \vspace{1em} + + {\rvcherienctablefontsize + \def\rvcherireservedfootnotemark{$^\dagger$} + \rvcherienctablesrcsrc\\\\ + \footnotesize + $^\dagger$Reserved for future use. 
+ } + + \vspace{1em} + + \subsection*{One Source encoding allocation (rs2 field)} + There are currently no one source instructions but they would be of the following form: + + \vspace{1em} + + \rvcheriheader + \rvcherirawbitbox{src}{func}{rs1/cs1} + + \vspace{1em} + + {\rvcherienctablefontsize + \def\rvcherireservedfootnotemark{$^\dagger$} + \rvcherienctablesrc\\\\ + \footnotesize + $^\dagger$Reserved for future use. + } + + \vspace{1em} + + \subsection*{Source \& Dest encoding allocation (rs2 field)} + Source \& Dest instructions are of the following form: + + \vspace{1em} + + \rvcheriheader + \rvcherirawbitbox{srcdest}{func}{rd/cd}{rs1/cs1} + + \vspace{1em} + + {\rvcherienctablefontsize + \def\rvcherireservedfootnotemark{$^\dagger$} + \rvcherienctablesrcdest\\\\ + \footnotesize + $^\dagger$Reserved for future use. + } + + \vspace{1em} + + \subsection*{Dest-Only encoding allocation (rs1 field)} + We do not currently have any one-register-operand instructions, but any + future dest-only instructions will be of the following form: + + \vspace{1em} + + \rvcheriheader + \rvcherirawbitbox{dest}{func}{rd} + + \vspace{1em} + + {\rvcherienctablefontsize + \rvcherienctabledest + } diff --git a/archdoc/app-isaquick-table-macros.tex b/archdoc/app-isaquick-table-macros.tex new file mode 100644 index 0000000..0d05f8b --- /dev/null +++ b/archdoc/app-isaquick-table-macros.tex 
@@ -0,0 +1,85 @@
+\ifcsname @app@isaquick@table@macros@tex\endcsname
+ \ea\endinput
+\fi
+\ea\gdef\csname @app@isaquick@table@macros@tex\endcsname{1}
+
+\makeatletter
+\newcount\@cherienctable@col
+\newcount\@cherienctable@cols
+\newcount\@cherienctable@colbits
+\newcount\@cherienctable@row
+\newcount\@cherienctable@rows
+\newcount\@cherienctable@rowbits
+\newcount\@cherienctable@tmp
+\def\@cherienctable@addtoformat#1{\ea\global\ea\def\ea\@cherienctable@format\ea{\@cherienctable@format #1}}
+\def\@cherienctable@addtobody#1{\ea\global\ea\def\ea\@cherienctable@body\ea{\@cherienctable@body #1}}
+% cols func2str count
+\newcommand{\@cherienctable}[3]{%
+ \@cherienctable@cols=\numexpr(#1)\relax%
+ \@cherienctable@rows=\numexpr(#3+\@cherienctable@cols-1)\relax%
+ \divide\@cherienctable@rows\@cherienctable@cols%
+ %
+ \let\@cherienctable@format\@empty%
+ \let\@cherienctable@body\@empty%
+ \ifnum\@cherienctable@rows>1%
+ \@cherienctable@addtoformat{r|}%
+ \@cherienctable@addtobody{ & }%
+ \fi%
+ %
+ \@cherienctable@colbits=1%
+ \@cherienctable@tmp=2%
+ \loop\ifnum\@cherienctable@tmp<\@cherienctable@cols%
+ \advance\@cherienctable@colbits 1%
+ \multiply\@cherienctable@tmp 2%
+ \repeat%
+ %
+ \@cherienctable@rowbits=1%
+ \@cherienctable@tmp=2%
+ \loop\ifnum\@cherienctable@tmp<\@cherienctable@rows%
+ \advance\@cherienctable@rowbits 1%
+ \multiply\@cherienctable@tmp 2%
+ \repeat%
+ %
+ \@cherienctable@col=0%
+ \loop\ifnum\@cherienctable@col<\@cherienctable@cols%
+ \@cherienctable@addtoformat{c}%
+ \ifnum\@cherienctable@col>0%
+ \@cherienctable@addtobody{ & }%
+ \fi%
+ \edef\@cherienctable@cell{\nbinary{\@cherienctable@colbits}{\the\@cherienctable@col}}%
+ \ea\@cherienctable@addtobody\ea{\@cherienctable@cell}%
+ \advance\@cherienctable@col 1%
+ \repeat%
+ \@cherienctable@addtobody{ \\ \hline}%
+ %
+ \@cherienctable@row=0%
+ \loop\ifnum\@cherienctable@row<\@cherienctable@rows%
+ \ifnum\@cherienctable@rows>1%
+ 
\edef\@cherienctable@cell{\nbinary{\@cherienctable@rowbits}{\the\@cherienctable@row}}%
+ \ea\@cherienctable@addtobody\ea{\@cherienctable@cell & }%
+ \fi%
+ \@cherienctable@col=0%
+ {%
+ \loop\ifnum\@cherienctable@col<\@cherienctable@cols%
+ \ifnum\@cherienctable@col>0%
+ \@cherienctable@addtobody{ & }%
+ \fi%
+ \edef\@cherienctable@cell{\csname #2\endcsname{\@cherienctable@row*\@cherienctable@cols + \@cherienctable@col}}%
+ \ifx\@cherienctable@cell\@empty%
+ \@cherienctable@addtobody{-}%
+ \else%
+ \ea\@cherienctable@addtobody\ea{\@cherienctable@cell}%
+ \fi%
+ \advance\@cherienctable@col 1%
+ \repeat%
+ }%
+ \@cherienctable@addtobody{ \\}%
+ \advance\@cherienctable@row 1%
+ \repeat%
+ %
+ \def\@cherienctable@begintabular{\begin{tabular}}%
+ \ea\@cherienctable@begintabular\ea{\@cherienctable@format}%
+ \@cherienctable@body%
+ \end{tabular}%
+}
+\makeatother
diff --git a/archdoc/app-related.tex b/archdoc/app-related.tex
new file mode 100644
index 0000000..8eec7a3
--- /dev/null
+++ b/archdoc/app-related.tex
@@ -0,0 +1,116 @@
+\chapter{Standing on the Shoulders of Giants}
+\label{app:related}
+
+The \cherimcu{} design is heavily based on prior work by the CHERI project and its myriad contributors and collaborators.
+Our targeted use case differs from those of earlier projects, so we present a brief tour through the existing landscape.
+
+\section{CTSRD CHERI, CHERI-RISC-V, Morello, and CheriBSD}
+
+The CTSRD project at the Cambridge University Computer Laboratory is the nucleation point for the growing CHERI ecosystem.
+The project's current architecture, as well as detailed rationale and discussion of its historical evolution, can be found in the CHERI ISA document (version 8, as of this writing) \cite{UCAM-CL-TR-951}.
+To summarize, however, its primary (micro)architectural focus has been on desktop- and server-class multi-core machines; these modern computers have 64-bit general data paths, Memory Management Units (MMUs) providing large virtual address spaces, caches, and so on.
+Its CHERI-RISC-V proposal extends RV64 specifically; similarly, Arm's experimental Morello extends 64-bit ARMv8 \cite{arm-morello}.
+Correspondingly, its primary software focus has been on UNIX-like operating systems, centered around its adaptation of FreeBSD, CheriBSD~\cite{Davis_CheriABIEnforcingValid_2019}.
+
+\subsection{Translation vs.\ Protection}
+
+CHERI is, informally, designed to ``compose well'' with modern (micro)architectures.
+By contrast to many prior capability systems, CHERI does not demand additional lookup tables to interpret its capabilities or define its protection policies.
+In the desktop/server space, CHERI sits atop existing MMUs: within a CheriBSD process, CHERI capabilities are interpreted relative to a MMU translation table.
+This interpretation continues to benefit from existing TLB designs.
+
+By contrast, embedded systems have generally not had a notion of virtual addresses, conducting all their business using physical addresses as directly presented on a peripheral bus.
+As such, there has not been a convenient translation layer to press into service as a memory \emph{protection} mechanism.
+Attempts to add lookup-table based ``protection without translation'' to physical memory systems, such as ARM's MPU \cite{arm:mpu} and RISC-V's PMP \cite[\S 3.6]{RISCV:Privileged:1.10}, sit uncomfortably on the critical path for memory.
+The need to adjudicate every operation with a minimum of delay necessitates small tables fit into expensive, fast (T)CAMs.
+CHERI capabilities, by contrast, directly carry their permissions and bounds, obviating the need for tables and CAMs and necessitating only the check that each operation is authorized.
+Removing the need for tabular storage allows for greater system flexibility, as authority is now per reference rather than per address, and also removes risk of a (ephemerally) misconfigured table.
+
+\section{Incorporated CHERI Extensions}
+
+The \cherimcuisa{} enshrines into its architecture several as-yet experimental aspects from the larger CHERI systems.
+
+\subsection{Multi-Root, Compressed Permission Encodings}
+
+The \cherimcuisa{} is the first fully-elaborated example of a ``multi-root,'' compressed permissions encoding scheme as first proposed in \cite[\S D.5]{UCAM-CL-TR-951}.
+Its three roots capture two of the suggested splittings: first, memory addresses from sealing types, and second, write from execute memory access.%
+%
+\footnote{This latter splitting is often called either ``W xor X'' (``W\textasciicircum{}X''), following its introduction in OpenBSD 3.3 \cite{openbsd:3.3}, or ``Data Execution Prevention'' (DEP), after Windows XP \cite{msft:dep}.}
+
+\subsection{Recursive Permissions}
+
+The \cherimcuisa{} has two ``recursive'' permissions (recall \cref{sec:perms}), borrowing an idea from many earlier systems.
+%
+The first such is LM, directly analogous to Morello's recursive-load-mutable permission \cite[\S 2.7.4]{arm-morello} and the ``weak'' capabilities of KeyKOS and Coyotos \cite{hardy:keykos,doerrie2015:confinement,shapiro:coyotosspec}.
+A capability lacking LM and yet authorized to load capabilities, by having both LD (``load'') and MC (``memory capabilities''), will cause both SD and LM to be stripped from capabilities loaded through it.
+That is, the capability in the register file resulting from a load instruction may differ from the capability loaded from memory by having these permission bits cleared.
+%
+The other is LG and interacts with the 1-bit information flow system encoded in the GL (``global'') and SL (``store local'') permissions.
+Like lacking LM clears SD and LM, lacking LG clears GL and LG: all capabilities viewed transitively through a capability without LG appear to be local.
+
+\subsection{Architectural Seals}
+
+The \cherimcuisa{} has a richer collection of architecturally-understood sealing types than the current larger CHERI-RISC-V baseline (see \cref{sec:sealing}).
+(At the time of writing, Morello has its own set of additional architectural seals beyond those in CHERI-RISC-V.)
+%
+In a future revision of the \cherimcuisa{}, sentries will differentiate between forward and backward arcs, with the former requiring explicit authority to construct (unlike the larger systems, where the \texttt{CSealEnter} instruction has ambient authority) and the latter being constructable only as part of a jump.
+
+\subsection{Capability Load Barrriers and Memory-Capability Versioning}
+
+The \cherimcuisa{} adapts the larger systems' MMU-based \emph{capability load barriers} (CHERI-RISC-V \cite[\S 5.3.10]{UCAM-CL-TR-951} and Morello \cite[$\text{R}_\text{CPRKD}$ in \S 2.14]{arm-morello}) directly into the processor pipeline (recall \cref{sec:temporal}).
+For this, \cherimcu{} adds a second metadata bit, in addition to the CHERI capability tag, to each capability-sized granule.
+Capabilities whose base refers to a granule with this second metadata bit asserted are invalid and will have their tag cleared when loaded into the register file.
+This behavior can be seen as a ``1-color-bit'' scaling-down of the proposed ``Memory-Capability Versioning'' scheme of CTSRD CHERI \cite[\S D.6]{UCAM-CL-TR-951}, which builds on technologies like Arm's Memory Tagging Extension \cite{arm:mte}.
+However, \cherimcu{} has done away with the ``version'' field within the capability format, as we found it straightforward for the heap allocator to always internally use capabilities whose bounds cover the entire heap and, importantly, whose base granule is never made invalid.
+
+\section{Esswood's CheriOS}
+
+While the CTSRD group's focus has been largely on UNIX-like software, there have been deviations over the years.
+Esswood's CheriOS \cite{esswood:cherios} describes a green-field microkernel operating system that presumes a CHERI ISA.
+The entire system, OS and user programs alike, run in the same \emph{single-address-space}; the MMU is used for page mapping tricks, but all software perceives the same address space (albeit through different capabilities).
+Like the \cherimcuos{}, CheriOS is \emph{ringless}; the traditional separation of a more-privileged supervisor operating over a less-privileged userspace is no more.
+The core Trusted Computing Base for CheriOS, analogous to the \cherimcuos{}'s switch routines, consists of fewer than 2700 CHERI-MIPS instructions.
+Both systems move functionality traditionally placed in inner rings out to minimally-privileged compartments.
+
+CheriOS software is generally composed of a number of libraries linked together; linkage policy articulates the trust relationships between callers and callees, offering all of mutually-trusting, sandbox, safebox, and mutually-distrusting call relationships.
+%
+The \cherimcuos{} also relies on linkage to define a capability graph, but it offers fewer flavors of cross-compartment calls (most calls are mutually-distrusting with library calls being a minimal safebox).
+
+CheriOS offers full memory safety for C/C++ programs.
+As expected, CHERI provides integrity and monotonicity, and the memory allocators and compiler-generated code insert bounding instructions where appropriate for spatial safety.
+CheriOS achieves heap and stack temporal safety by exploiting the large address spaces of server-class machines.
+Heap temporal safety is achieved in the TCB by a combination of take-once ``reservations'' of address space and quarantining released virtual address space.
+A hardware barrier added to CHERI-MIPS facilitates revoking capabilities pointing into a large contiguous region of released address space, which the TCB may then recycle for new reservations.
+Stack temporal safety builds atop heap temporal safety, with the compiler arranging to construct ``slinky stacks'' \cite[\S 4.1]{esswood:cherios} that do not reuse possibly-escaped stack allocations' address space.
+When a segment of a slinky stack has too little usable address space, it is recycled as heap memory and another large heap allocation is made to provide a fresh segment.
+The \cherimcuos{}, by contrast, must operate on physical addresses and so builds its heap temporal safety using additional \cherimcuisa{} metadata and its slightly weaker notion of stack temporal safety using the store-local permission.
+
+\section{Xia's CheriRTOS}
+
+Similarly, there have been efforts within the CTSRD group to explore CHERI in smaller hardware.
+Xia (also an author of this report) developed, for his Ph.D. thesis, CheriRTOS \cite{xia:cherirtos,xia:capprotembed}.
+CheriRTOS introduces the first 64-bit CHERI capability encodings (for 32-bit address spaces) and explores its implementation in a derivative of CHERI-MIPS.
+The capability scheme used here was largely a straightforward scaling-down of CTSRD's server-oriented CHERI.
+While it was an important and admirable proof of concept, its deficiencies, especially with bounds precision and the large number of bits still devoted to permissions, significantly motivated the development of the \cherimcuisa{} capability format.
+
+CheriRTOS, like many RTOSes before it, takes a \emph{task-centric} perspective on the world, pairing together threads and their associated data and relying on inter-task communication when work requires access to multiple tasks' state.
+Being the first of its kind, CheriRTOS is focused on aspects of cross-compartment invocation and allocator security; tasks are manually-specified concepts and are compiled with only a limited understanding of CHERI capabilities.%
+%
+\footnote{Specifically, task C/C++ code is compiled in a ``hybrid'' mode, where pointers lower to \emph{integers} unless a capability is explicitly requested.
+These integers are interpreted relative to an architectural \emph{capability} register, either the program counter (for relative control transfers or PC-relative loads) or a ``default data capability'' (``DDC,'' which interposes legacy integer-based load and store instructions) \cite[\S 2.3.12]{UCAM-CL-TR-951}.
+The \cherimcuisa{} does not have these legacy instructions or DDC; all \cherimcuos{} code is expected to be compiled ``purecap,'' with all pointers always lowered to capabilities.}
+%
+It then uses CHERI mechanisms to provide \emph{task isolation}.
+By contrast, the \cherimcuos{} decomposes computations (threads and their runtime stacks) from persistent resources (compartments and their associated globals and import tables), allowing threads to enter and exit different compartments, as needed.
+
+\section{Almatary's CompartOS and CheriFreeRTOS}
+
+Almatary's Ph.D. thesis develops the ``CompartOS'' software model \cite{almatary:compartos} and instantiates it with an adaptation of FreeRTOS, called CheriFreeRTOS \cite{almatary:thesis}.
+The Trusted Computing Base for CompartOS is its secure \emph{dynamic} code loader.
+The unit of compartmentalization is, as in the \cherimcuos{}, a \emph{linkage unit} rather than a task (though the \cherimcuos{} provides only static code loading).
+CompartOS includes compartment \emph{availability} in its design objectives, and so offers a multitude of fault-handling mechanisms, including per-compartment trap handlers and forced stack unwinds as offered in the \cherimcuos{}.
+However, while CompartOS is a flexible model, the concrete CheriFreeRTOS does not consider temporal memory safety to be in scope; it lacks a mechanism for capability revocation and does not scrub stacks on compartment switches.
+
+CheriFreeRTOS was used in an extensive evaluation which explored the relative costs and security of both task- and linkage-based compartmentalization models atop both CHERI- and MPU/PMP-enabled ISAs \cite[\S 5]{almatary:thesis}.
+This evaluation found that, while the microarchitectural area costs of CHERI and PMPs (and MMUs) were similar, the security benefits of CHERI were ``unparalleled'' and came with lower runtime cost than comparably-secure MPU/PMP-based approaches.
+Further, the cost of adapting FreeRTOS to the CompartOS model was found to be minimal, with many applications requiring no source-level changes.
diff --git a/archdoc/bib-sorting.conf b/archdoc/bib-sorting.conf
new file mode 100644
index 0000000..aa1d456
--- /dev/null
+++ b/archdoc/bib-sorting.conf
@@ -0,0 +1,15 @@
+
+
+
+ year
+ month
+ day
+
+
+ author
+
+
+ title
+
+
+
diff --git a/archdoc/chap-abi.tex b/archdoc/chap-abi.tex
new file mode 100644
index 0000000..78284af
--- /dev/null
+++ b/archdoc/chap-abi.tex
@@ -0,0 +1,203 @@
+\chapter{ABI}
+\label{chap:abi}
+
+\cherimcu{} is a hardware-software co-design project, where the ISA and ABI have been carefully designed together to provide the desired compartment model and security guarantees.
+
+\section{Compartment layout}
+
+Each compartment has two reachable regions, bounded by \PCC{} and \CGP{}.
+The \PCC{} region contains the compartment's code, read-only data, and \textit{import table}.
+Read-only data includes relocation read-only data, which is initialized by the loader at boot time.
+A compartment's import table is a read-only table containing capabilities that are used for cross-compartment and cross-library calls, as well as any imported data.
+
+A compartment also has an export table associated with it.
+The export table defines the set of functions that are exported from the compartment (callable by others).
+This is read by the compartment switcher (see \cref{sec:cross-compart-abi}).
+
+Shared libraries are identical to compartments in structure, except that they lack a \CGP{}.
+
+\section{Access to globals}
+
+Read-only globals are accessed using PCC-relative addressing.
+CHERI RISC-V extends the RISC-V \insnref{auipc} (add upper immediate to program counter) instruction to \insnref{auipcc} (add upper immediate to program counter \textit{capability}).
+This adds a 20-bit immediate, left shifted by 12, to the current \PCC{} value, giving an address that is within the immediate range of a RISC-V load or store instruction of the target.
+
+Unfortunately, the result of the \insnref{auipcc} instruction may be out of the bounds of \PCC{}.
+This does not matter on CHERI systems with 128-bit capabilities because the encoding guarantees that capabilities remain valid 4096 bytes out of bounds.
+However, this is not the case with our 64-bit capability encoding that has much tighter `representable bounds'.
+The tag bit is cleared if the capability is too far out of bounds, we must therefore modify the standard CHERI-RISC-V relocation scheme to avoid taking capabilities out of bounds in the middle of computing an address.
+
+We are able to solve this problem by having at least a 1-bit overlap between the immediate field of the loads and stores (or \insnref{cincoffset} instructions) and the \insnref{aupicc}.
+The \insnref{auipcc} instruction and the second instruction must both displace the \PCC{} in the same direction, keeping the intermediate capability in bounds and hence representable.
+If the target address is after the current instruction then both values must be positive, otherwise both values must be negative, which is a simple property for the linker to ensure when applying the relocations.
+To make this possible we reduce the shift of \insnref{auipcc} by one, meaning \insnref{auipcc} can always produce a value within the $2$ KiB range required.\footnote{An alternative solution would be to increase the size of the immediate on loads and stores.
+On RV32E this could be achieved using the register selection bits that are freed by moving from 32 to 16 registers.
+Our first prototypes did this but we choose to remain compatible with RV32I by modifying \insnnoref{auipcc}.
+}
+This does limit the maximum offset for a relocation to less than $2^{31}$ but this is not a problem in practice due to the limited size of compartments.
+Any system that needs more than 2 GiB compartments would likely benefit from a 64-bit address space.
+
+Accesses to read-write globals is very similar.
+The \CGP{} register is biased by half the size of the combined globals section (\asm{.data}, \asm{.bss}, and so on).
+This means that the full immediate range is accessible for displacements.
+With a 12-bit immediate, a single compartment can access 4 KiB of globals in a single load or store (or take their address with a \insnref{cincoffset} instruction).
+We define a new instruction, \insnref{auicgp}, and a relocation type that uses it to mirror the \PCC-relative addressing mode.
+
+We rely on linker relaxation to optimize both \PCC{} relative and \CGP{} relative relocations.
+This means that relocations within $\pm2$ KiB of \PC{} or \CGP{} require only one instruction.
+Given the security incentive to keep compartments small we expect relaxation to work well in the common case.
+In particular, if a compartment has more than 4 KiB of mutable global state it may be advisable to split it into multiple compartments or use dynamic allocation.
+
+\section{Export table layout}
+
+\begin{figure}
+ \centering
+ \begin{bytefield}[bitwidth=\textwidth/32,boxformatting=\centering]{32}
+ \bitheader{0-31} \\
+ \begin{rightwordgroup}{header}
+ \wordbox{2}{\PCC{}} \\
+ \wordbox{2}{\CGP{}} \\
+ \wordbox{1}{error handler offset}
+ \end{rightwordgroup} \\
+ \begin{rightwordgroup}{entries}%
+ \bitbox{16}{entry point offset} & \bitbox{8}{stack size} & \bitbox{3}{\#args} & \bitbox{1}{ie} & \bitbox{1}{id} & \bitbox{3}{0} \\
+ \wordbox[]{1}{\vdots} \\[1ex]
+ \bitbox{16}{entry point offset} & \bitbox{8}{stack size} & \bitbox{3}{\#args} & \bitbox{1}{ie} & \bitbox{1}{id} & \bitbox{3}{0}
+ \end{rightwordgroup} \\
+\end{bytefield}
+
+ \caption{\label{fig:exporttable} Compartment export table layout}
+\end{figure}
+
+\cref{fig:exporttable} shows the layout of the export table for a compartment.
+Each export table starts with a copy of the \PCC{} and \CGP{} for the target compartment.
+The next 32-bits is the offset of the compartment's error handler realtive to \PCC{}.\cbase{}, or $-1$ if the compartment does not have an error handler.
+If an error occurs the switcher may jump to this as described in \cref{sec:errorhandling}.
+After the header, the export table is comprised of one 32-bit entry per exported function.
+The first 16 bits of each entry provide the displacement from the start of the compartment's \PCC{} to the entry point.
+This limits a compartment to exporting functions in the first 64 KiB of its code section.
+Most compartments have significantly under 64 KiB of code, the few that are larger can sort their internal layout to ensure that the exported functions all fit within the start.
+
+The next 8 bits are the minimum amount of stack space that the function requires.
+This allows compartments to be defensive against callers that try to invoke them without enough stack space for their prologues.
+If a function requires more than 256 bytes of stack space then it can add a dynamic check on the size of \CSP{} after the compartment switch.
+
+The final 8 bits are reserved for flags, described in the following table:
+
+\begin{center}
+ \begin{tabular}{r|l}
+ Bits & Meaning \\ \hline
+ 0-2 & Number of argument registers used. \\
+ 3 & Interrupts enabled \\
+ 4 & Interrupts disabled
+ \end{tabular}
+\end{center}
+
+The compartment switcher is responsible for clearing all registers except for the used argument registers and so must know how many are used.
+The compiler fills in this set.
+This provides a value from 0 (no arguments) to 7 (all six argument registers used, plus \creg{5} carrying stack arguments.
+
+Exports from compartments must set either the interrupts-enabled or interrupts-disabled bit.
+Code running in a different security context always runs with an explicit interrupt status, to make it easier to reason about compartment behavior.
+Functions exposed from shared libraries may set neither, in which case the function will be invoked with the caller's interrupt status.
+
+Each export table entry from a compartment is exposed as a symbol of the form \texttt{\_\_export\_\{compartment name\}\_\{function name\}}.
+Each export table entry from a library is exposed as a symbol of the form \texttt{\_\_library\_export\_\{library name\}\_\{function name\}}.
+Libraries all use the same name in their export symbols because moving a function from one library to another does not involve running the target in a different security context.
+\nwfnote{Eh? The export name has ``\texttt{library name}'' in it. What am I missing?}
+The existence of multiple libraries is purely to improve auditing: libraries (their entry points, called functions, and the contents of their code sections) can be individually tracked, allowing code-signing rules to be driven by specific implementations of individual libraries.
+For example, code signing might require a specific FIPS-certified binary of a crypto library, but allow the shared library providing \ccode{memcpy} to be replaced with a more optimised version.
+
+The function name in the export symbol is mangled according to the Itanium C++ ABI rules.
+This provides some defense against accidental (non-malicious) type mismatches in the caller and callee.
+
+\section{Import table layout}
+
+The import table is similar to a captable in structure.
+\nwfnote{``captable'' appears only here in this document.}
+It is the only piece of state reachable from a compartment that is allowed to contain capabilities that point outside of the compartment's \PCC{} and \CGP{} on system start.
+This makes it a single place to audit the compartment graph.
+The import table is mutable only by the loader.
+After the loader finishes it is reachable only by the read-execute \PCC{} for the compartment, not by any capabilities with store permission.
+Import table entries, at run time, are one of three things:
+
+\begin{itemize}
+ \item Sealed capabilities to export table entries, used for cross-compartment calls.
+ \item Sentry capabilities to library functions.
+ \item Capabilities to memory-mapped I/O (MMIO) regions.
+\end{itemize}
+
+The loader is responsible for initializing these, based on information provided by the compiler and linker.
+Prior to the loader running, import table entries for the first two categories contain addresses of the corresponding export table entry.
+Import table entries for MMIO regions contain the start address and the size of the region.
+This allows a compartment to be granted a subset of an MMIO region, down to access to a single byte (for example, allowing a compartment to poll the `ready' status of a UART but requiring that it performs a call to the compartment that owns the UART to read or write data with it).
+A future version will allow read- or write-only access to MMIO regions.
+
+The loader will populate the import table with capabilities.
+Each import table entry that is used for cross-compartment calls will contain a sealed capability that has the bounds of the target compartment's export table and whose address points to the correct entry.
+This allows the switcher to load the \PCC{} and \CGP{} values from the start and to jump to the correct address.
+
+The first entry in the import table has the (local) symbol name \ccode{.compartment_switcher}.
+It is initialized to 0 at static link time and will be initialized by the loader with a sentry capability for jumping to the compartment switcher.
+
+\section{Cross-compartment calls}
+\label{sec:cross-compart-abi}
+
+Cross-compartment calls pass their arguments in the same registers as the RV32E ABI (\creg{10}--\creg{15}).
+In addition, any stack arguments are passed via \creg{5} (\creg{t0}).
+The callee does not have access to the caller's stack other than via these arguments and so cannot use \CSP-relative addressing for on-stack arguments.
+
+The capability loaded from the import table is passed to the switcher in \creg{6} (\creg{t1}).
+The last step on the caller side is to jump to the sentry pointed to by the \ccode{.compartment_switcher} symbol.
+
+If a compartment calls a function that it also exports, and that function has the same interrupt status as the caller, then the compiler may insert a direct call and skip the switcher.
+
+
+\section{Cross-library calls}
+
+Cross-library calls are simple indirect calls via a capability provided in the import table.
+The import table entry contains a sentry capability to the target function.
+The \cherimcuisa{} has sentries that enable, disable, or inherit the current interrupt status and so cross-library calls can toggle or preserve the interrupt state.
+This makes it easy to reason about the current interrupt state using structured programming idioms.
+\nwfnote{Should we more explicitly emphasize that we do not expose any additional mechanism for managing IRQ state? Specifically we \emph{don't} have \texttt{enable\_interrupts()} and friends.}
+
+If a function explicitly changes interrupt state within a compartment then it will be handled as if it were a library function exported from and consumed by the function.
+In this case, the symbol in the export table will be local.
+
+\section{Callbacks}
+
+In some situations, one compartment wishes to provide a callback that another compartment can invoke.
+In the \cherimcu{} ABI, this callback is represented as the same form of sealed capability that would be loaded from the import table.
+Functions used as cross-compartment callbacks are both exported and imported by the compartment that wishes to take their address.
+Taking the address of such a function is simply a load from the import table.
+
+As with non-exported functions that change the interrupt status, the symbol in the export table will be local if the function is not also exported as a directly callable function.
+
+\section{Relocations}
+\label{sec:relocs}
+
+The relocations added to RISC-V for \cherimcu{} ABI are listed in \cref{tab:relocs}.
+As with existing RISC-V, some of these are in two forms because RISC-V loads and stores place their immediate operands in different locations.
+The relocation numbers here are the ones used in the current prototype and are expected to change prior to standardization.
+
+\PCC{} or \CGP{} relative relocations consist of a pair of either \insnref{auipcc} or \insnref{auicgp} plus a 12-bit immediate instruction.
+In most cases (when the offset is within $\pm2$ KiB) linker relaxation can reduce this to a single instruction.
+The \insnref{AUICGP} instruction uses an entire major opcode and is rarely needed because it is uncommon for a compartment to have more than 4 KiB of read-write global data (arguably a large globals section is an indication that a compartment should be split or refactored).
+Therefore, in future we could consider alternative relocations that don't require \insnref{auicgp}, such as a three instruction sequence consisting of \asm{lui}, \asm{addi} and \insnref{cincaddr}.
+This would require more complex linker relaxations to retain good code size and efficiency and we have not yet attempted it.
+
+\begin{table}
+ \begin{center}
+ \begin{tabular}{l|l|p{7cm}}
+ Relocation & Value & Meaning \\ \hline
+ \asm{CHERI_COMPARTMENT_CGPREL_HI} & 220 & 20-bit, 11-bit shifted \CGP-relative displacement for use in \insnref{auicgp}. \\
+ \asm{CHERI_COMPARTMENT_CGPREL_LO_I} & 221 & 12-bit \CGP-relative displacement for use in I-type instructions. \\
+ \asm{CHERI_COMPARTMENT_CGPREL_LO_S} & 222 & 12-bit \CGP-relative displacement for use in S-type instructions. \\
+ \asm{CHERI_COMPARTMENT_PCCREL_HI} & 223 & 20-bit, 11-bit shifted \PCC-relative displacement for use in \insnref{auipcc}. \\
+ \asm{CHERI_COMPARTMENT_PCCREL_LO} & 224 & 12-bit displacement for use in I-type instructions. The displacement is relative to the \insnref{auipcc} instruction. \\
+ \asm{CHERI_COMPARTMENT_SIZE} & 225 & The size of the referenced symbol, applied to a \insnref{CSetBounds} instruction.
\\
+ \end{tabular}
+ \caption{\label{tab:relocs}The relocations defined for the \cherimcu{} ABI}
+ \end{center}
+\end{table}
+
diff --git a/archdoc/chap-altbounds.tex b/archdoc/chap-altbounds.tex
new file mode 100644
index 0000000..1285d09
--- /dev/null
+++ b/archdoc/chap-altbounds.tex
@@ -0,0 +1,38 @@ +\chapter{Potential revised bound encoding} + +Here we describe some possible improvements to bounds encoding described in \cref{sec:bounds}. +In particular we seek to get a more efficient encoding (greater precision, fewer unusable encodings), and to reduce the complexity of the set bounds operation without using any more bits or excessive hardware complexity. +The proposed encoding is a minor alteration to the existing one based on two observations: +\begin{enumerate} +\item That incrementing $T$ in the set bounds operation would not be necessary if the lower $e$ bits of top were decoded as ones, instead of zeros. +\item That zero length capabilities are of little use, and potentially even harmful (see \cref{sec:zerolengthcaps}) +\end{enumerate} +As such we consider revising the existing bounds decoding as follows (note ones instead of zeros in low bits of top): +\begin{center} +{ +\renewcommand{\arraystretch}{1.5} +\begin{tabular}{r|c|c|c|} +\cline{2-4} +address, $a =$ & $a_\text{top} = a[31:e+9]$ & $a_\text{mid} = a[e+8:e]$ & $a_\text{low} = a[e-1:0]$ \\ \cline{2-4} +base, $b =$ & $a_\text{top}+c_\text{b}$ & $B $ & $0$ \\ \cline{2-4} +top, $t =$ & $a_\text{top}+c_\text{t}$ & $T $ & $1\dots{}1$ \\ \cline{2-4} +\end{tabular} +} +\end{center} +and further redefine the decoded top to be an \emph{inclusive} bound instead of exclusive. +The corrections $c_b$ and $c_t$ remain the same. +This has a number of consequences: +\begin{itemize} + \item The set bounds implementation no longer has to increment the value of $T$ if the requested top is not exactly represented because the decoding naturally rounds up as desired. + This may slightly simplify the implementation. + \item The smallest length encodable for a given $e$ is $2^e$ (when $B=T$). Zero length capabilities are no longer supported. + \item The largest length encodable for a given $e$ is $2^{e+9}$ (when $T-B=2^9-1$). 
+ However in this case the representable range is equal to the dereferenceable range, so it may be necessary to limit the maximum value of $T-B$ to $2^9 - 2$. + This would ensure that `one past the end' remains within representable range, but would make the maximum \emph{usable} length $511 * 2^e$, which is the same as the current encoding. + \item Bounds can be set to the entire address space using $B=0$, $T=2^9-1$, $e=23$. + This means the maximum exponent is smaller by one and therefore the worst case granularity is now $2^{23}$, or 8 MiB instead of 16 MiB. +\end{itemize} +To retain software compatibility we do not propose to change the architectural definition of \ctop{}, therefore \insnriscvref{CGetLen} would have to take account of the inclusive top value (possibly by adding one to the result) and \insnriscvref{CSetBounds} would have to subtract one from the requested length prior to encoding. +Other instructions will have to adjust bounds checks accordingly. + +We have not yet fully evaluated this encoding to see if it is an overall improvement, but include it here for consideration. \ No newline at end of file diff --git a/archdoc/chap-cheri-riscv.tex b/archdoc/chap-cheri-riscv.tex new file mode 100644 index 0000000..8bdb093 --- /dev/null +++ b/archdoc/chap-cheri-riscv.tex 
@@ -0,0 +1,682 @@ +\chapter{The \cherimcuisa{}} +\label{chap:cheri-riscv} + + +\newcommand{\riscvloadcappagefault}{0x1A} +\newcommand{\riscvstorecappagefault}{0x1B} +\newcommand{\riscvcheriexception}{0x1C} +\newcommand{\caprootX}{$\top_{X}$} +\newcommand{\caprootM}{$\top_{M}$} +\newcommand{\caprootS}{$\top_{S}$} + +The \cherimcuisa{} extends RV32~\cite{RISCV:User:2.2} with CHERI~\cite{UCAM-CL-TR-951} memory safety features. +It is designed to be a very minimal subset of RISC-V and CHERI that supports strong spatial and temporal memory safety, and compartmentalization. +This is intended to be a concise description of the architecture and currently assumes some familiarity with both CHERI and RISC-V. + +\section{Starting subset of RV32} + +The \cherimcuisa{} is based on a minimal subset of RV32 supporting machine mode only (i.e. no virtual memory). +The C instruction compression extension is required (with minor modifications) and always enabled in the \asm{misa} CSR. +PMP support is optional, although we anticipate that it will not add value owing to the strong protections already offered by the \cherimcu{} ISA and RTOS combination. +Floating point is optional and may conflict with some encoding choices for compressed instructions. + +\section{Omitted CHERI features} + +Those familiar with CHERI-RISC-V will note that some features are omitted to simplify the architecture at the cost of a little flexibility and backwards compatibility. +In particular, CHERI hybrid mode is not supported, so there is no need for \DDC{} or a cap mode bit in \PCC{}. +Instead all code runs in pure-cap mode, where existing instructions use capabilities for address operands. +Offset addressing is also eliminated, so the \insnnoref{CGetOffset} and \insnnoref{CSetOffset} instructions are not present and special capabilities registers (including \PCC{}) are always interpreted simply as their address, rather than as an offset relative to the base as in CHERI-RISC-V. 
+This allows us to drop checks for the alignment of the base of executable capabilities as there is no possibility of confusion arising from an unaligned base, as there is in hybrid mode CHERI-RISC-V. + +\section{Changes to register file} + +The 16 32-bit integer registers from RV32 are extended into 65-bit \emph{capabilities} (64-bits $+$ tag). +Abstractly, capabilities have the following fields: +\begin{description} + \item[address] A 32-bit address or integer value. + \item[base] The 32-bit inclusive lower bound. + \item[top] The 32-bit exclusive upper bound. + \item[perms] The capability permissions (\cref{sec:perms}). + \item[otype] Used for sealing (\cref{sec:sealing}). + \item[tag] A single bit indicating valid or invalid. Capabilities with this bit set are called \emph{tagged}. +\end{description} +The actual capability encoding is compressed as described in \cref{sec:capenc}. +Instructions that read integer operands use only the lower 32-bits (the capability \caddress{}). +Instructions that produce integers write a NULL capability (\cref{sec:null}) with the \caddress{} set to the integer result. +In assembly the capability registers are referred to as \asm{\$c0..\$c15}, with \asm{$x0..$x15} referring to their address parts. +At reset the registers are initialized to the NULL capability. + +\section{Instruction encodings} + +As described in \cref{app:isaquick-riscv} the new capability instructions use major opcode 0x5b and the standard I-type and R-type formats. +Additionally \insnriscvref{AUICGP} uses major opcode 0x7b. + +\section{Changes to instruction fetch / control flow} + +The program counter is extended to a capability, \PCC{}, with \PCC{}.\caddress{} assuming the role of the \PC{}. +If \PCC{} is untagged, sealed, lacks \cappermX, or the instruction is not entirely within the bounds of \PCC{}, then an exception is raised. +Note that the bounds check must take account of whether the fetched instruction is 2 or 4 bytes. 
+Checks on jumps and branches mean the only way for \PCC{} to be untagged, sealed or non-executable is after an \asm{MRET} with an invalid \asm{MEPCC} or a trap with an invalid \asm{MTCC}. + +\insnriscvref{CJAL} and taken branch instructions check the destination address against the bounds of \PCC{}: if the bounds do not permit at least one 2-byte instruction to be loaded from the destination then a capability length violation exception is raised on the jump / branch instruction. + +\insnriscvref{CJALR} replaces the \asm{JALR} instruction and uses capabilities for the target and link register. +It checks that the target capability is tagged, unsealed, executable and the address is in bounds before it is installed in \PCC{}. +If the target is sealed with the reserved `sentry' type then it is unsealed before jumping to it. +The link register, including the current \PCC{}, is sealed as a sentry. + +\section{Changes to memory accesses} + +All existing load and store instructions are modified to take a capability for the base address. +The address of the capability is used as the base address for the memory operation and an exception is raised if the capability: + +\begin{itemize} + \item has the tag unset + \item is sealed + \item does not have the appropriate memory permissions (\cref{sec:perms}) + \item has bounds that do not cover the entire region being accessed + % \item TODO color check? +\end{itemize} + +\section{Tagged memory} + +Memory is extended with a single tag bit for each capability sized and aligned memory location. +The new capability load and store instructions, \insnriscvref{CLC} and \insnriscvref{CSC}, transfer a capability-sized-and-aligned region of memory to or from a register, including the tag bit. +The tag bits are not accessible directly and may be set to one only by a store of a tagged capability using \insnriscvref{CSC}. +To prevent tampering with valid capabilities in memory, non-capability stores (e.g. 
\asm{CSW}) clear the tag bits for the capability-aligned region(s) they touch. +If an unaligned store crosses a capability alignment boundary then two tag bits need to be cleared. + +The platform must define which regions of memory support capability tags. +In memory without tag support capability stores will silently drop the tag, and capability loads will always return untagged values. +The value of the tag bits is undefined at reset, so software should take care to zero all memory on start up unless running on a platform that defines them to be zero. + +\section{Temporal safety} +\label{sec:temporal} + +In addition to the capability tag bits there is a revocation bit for each \emph{revocation granule} (currently the same size as a capability, 8 bytes). +After loading a capability with the tag set, the \insnriscvref{CLC} instruction loads the revocation bit corresponding to the \cbase{} address of the capability (N.B. not the \caddress{}). +If the granule's revocation bit is set then the capability's tag is cleared before writing it to the destination register. +The revocation bits are memory mapped so that they can be manipulated by the allocator. +The platform defines the location of revocation bits in the address space and their mapping to addresses. +Not all mapped addresses need have corresponding revocation bits: +capabilities whose \cbase{} points to a region of address space without corresponding revocation bits will not be revoked by \asm{CLC}. +It is the responsibility of software to allocate capabilities in regions with revocation bits when support for revocation is desired. + +A typical implementation is expected to exclude all of the MMIO space from the revocation bitmap. +In addition, an implementation with multiple SRAM banks may support revocation only for some granules. +Memory used for code and globals will never be revoked (in the software model) and so may be excluded. 
+An implementation may also provide a configuration interface that allows software to specify the range of heap memory and avoid the cost of the load barrier on globals. + +The \cbase{} of sealing capabilities (see \cref{fig:compressedperms}) refers to a distinct namespace to that of memory capabilities, therefore they are not revoked using this mechanism. +Software should take care not to reallocate sealing capabilities unless there is some other mechanism to revoke previously issued ones. +Given the $2^{32}$ sized space for sealing capabilities we expect most applications will never have to reallocate them. + +Like the capability tag bits, the value of the revocation bits in memory is undefined on reset unless defined by the platform. + +\section{Controlling access to system registers} +\label{sec:asr} + +In the absence of supervisor or user modes, it is useful to be able to restrict access to sensitive control and status registers (CSRs) and special capability registers (SCRs). +The \cappermASR{} permission on executable capabilities can be used to enable or disable access to certain special registers. +If \cappermASR{} is set on the current \PCC{} then access to all registers is permitted, otherwise attempting to access restricted registers or execute \insnnoref{MRET} will cause a \cappermASR{} exception. +\cref{tab:risc-v-access-system-registers-whitelist} shows the allowlist of CSRs that can be accessed without \cappermASR{}. +Similarly \cref{tab:risc-v-special-capability-registers} lists the access requirements for special capability registers. + +\begin{table}[h!] +\centering +\begin{tabular}{cc} +\toprule +\textbf{CSR} & \textbf{Read/Write} \\ +\texttt{cycle(h)} & Read-Only \\ +\texttt{time(h)} & Read-Only \\ +\texttt{instret(h)} & Read-Only \\ +\texttt{hmpcounter(h)} & Read-Only \\ +[1.5em] +\texttt{fflags} & Read-Write \\ +\texttt{frm} & Read-Write \\ +\texttt{fcsr} & Read-Write \\ +\bottomrule +\end{tabular} +\caption{CSR allowlist. 
The accesses shown are the only CSR accesses that are permitted when the installed PCC does not have the \cappermASR{} permission bit set.} +\label{tab:risc-v-access-system-registers-whitelist} +\end{table} + +\section{Special capability registers} + +\label{subsection:cheri-riscv-scrs} + +Special Capability Registers (SCRs) are similar to CSRs in that they affect special functions such as exception delivery, except that they contain capabilities rather than integers. +SCRs are accessed via a new instruction, \insnriscvref{CSpecialRW}, which behaves similarly to the RISC-V \asm{CSRRW} instruction. +\asm{CSpecialRW} requires that \PCC{} has \cappermASR{}, otherwise it will raise an exception. + +Some SCRs replace existing RISC-V CSRs. +Attempting to access the legacy RISC-V CSR via the \asm{CSR*} instructions results in a Reserved Instruction exception. +Any special meaning or behavior associated with the CSR applies to the SCR's address field. +For example, the lower two bits of \MTCC{}.\caddress{} select the trap mode, and the remaining bits (including the capability metadata) form the trap base address in the same way as \mtvec{}. +Some RISC-V CSRs have write-any read-legal (WARL) bits that implicitly modify the written value to restrict the CSR to legal values. +This legalization must be applied to the SCR's address when reading or writing an SCR. +If this results in the capability becoming unrepresentable then the tag is cleared, as per \insnriscvref{CSetAddr}. +If a sealed capability is written to an SCR with WARL bits then the tag is cleared, even if the bits would be unchanged by legalization. + +\cref{tab:risc-v-special-capability-registers} lists the SCRs and their properties: +\textbf{Reset} indicates the reset value as one of the capability roots defined in \cref{sec:capenc}. + +\begin{table}[h!] 
+ \centering + \begin{tabular}{clcccc@{}} + \toprule + & \textbf{Register} & \textbf{Reset} & \textbf{Replaces} \\ \midrule + \textbf{28} & Machine trap code capability (\MTCC{}) & \caprootX & \mtvec{} \\ + \textbf{29} & Machine trap data capability (\MTDC{}) & \caprootM & - \\ + \textbf{30} & Machine scratch capability (\MScratchC{}) & \caprootS & - \\ + \textbf{31} & Machine exception PC capability (\MEPCC{}) & \caprootX & \mepc{} \\ + \bottomrule + \end{tabular} + \caption{Special Capability Registers (SCRs) + \label{tab:risc-v-special-capability-registers} + } +\end{table} + +\section{Changes to exception handling} + +Exception handling is the same as RISC-V except that \mtvec{} and \mepc{} are replaced by their equivalent SCRs. +When taking an exception the current \PCC{}, with the address set to that of the trapping instruction, is placed in \MEPCC{}. \MTCC{} is then installed in \PCC{} and execution proceeds from the configured trap address according to the usual rules for \mtvec{}. +When executing an \asm{MRET} instruction \MEPCC{} is moved to \PCC{} and execution proceeds from \MEPCC{}.\caddress{}. + +A new RISC-V exception code, 0x1C, is used for all CHERI specific exceptions, with a more detailed CHERI cause placed in \mtval{} as shown in \cref{fig-cheri-tval}. + +\label{subsubsec-cheri-tval} + +\begin{figure}[!h] +\begin{center} +\begin{bytefield}[bitwidth=\textwidth/34]{32} + \bitheader[endianness=big]{0,4,5,10,31} \\ + \bitbox{21}{\textbf{WPRI}} + \bitbox{1}{\texttt{S}} + \bitbox{5}{\texttt{cap idx}} + \bitbox{5}{\texttt{cause}} +\end{bytefield} +\caption{\mtval{} register format for Capability Exception} +\label{fig-cheri-tval} +\end{center} +\end{figure} + +\begin{description} +\item [cause] The \texttt{cause} field reports the capability exception code as described in ~\cref{table:capability-cause}. +\item [cap idx] The \texttt{cap idx} field reports the index of the capability register that caused the last exception. 
When +the \texttt{S} bit is zero, it is the number of the general purpose register that caused the capability fault. +Otherwise, it is the number of a special purpose capability register given in +\cref{tab:risc-v-special-capability-registers} or zero if the fault was caused by \PCC{}. +\end{description} + +\begin{table} +\begin{center} +\begin{threeparttable} +\begin{tabular}{ll} +\toprule +Value & Description \\ +\midrule +0x00 & None \\ +0x01 & Bounds Violation \\ +0x02 & Tag Violation \\ +0x03 & Seal Violation \\ +% 0x04 & Type Violation \\ +% 0x0a & Representability Violation \\ +% 0x0b & Unaligned Base \\ +% 0x10 & \cappermG Violation \\ +0x11 & \cappermX Violation \\ +0x12 & \cappermL Violation \\ +0x13 & \cappermS Violation \\ +% 0x14 & \cappermLC Violation \\ +0x15 & \cappermSC Violation \\ +0x16 & \cappermSLC Violation \\ +% 0x17 & \cappermSeal Violation \\ +0x18 & \cappermASR Violation \\ +% 0x19 & \cappermCInvoke Violation \\ +% 0x1b & \cappermUnseal Violation \\ +\bottomrule +\end{tabular} +\end{threeparttable} +\end{center} +\caption{Capability Exception Codes. All unused codes are \emph{reserved}.} +\label{table:capability-cause} +\end{table} + + +\section{The AUIPC and AUICGP instructions} +\label{section:cheri-risc-v-auipc} +The RISC-V \insnnoref{AUIPC} instruction becomes \insnriscvref{AUIPCC}, which generates a capability derived from \PCC{} by incrementing the address by the 20-bit signed immediate left shifted by 11. +Note that this shift is reduced by one compared to the \asm{AUIPC} as this allows relocations that combine \asm{AUIPCC} with a 12-bit immediate instruction to always have immediates with matching signs. +This is necessary to ensure any intermediate capabilities created are in-bounds otherwise there is a risk they could be unrepresentable. +This does limit the maximum range of such relocations, but given our compartmentalization model and expected memory limitations this is not a problem in practice. 
+ +Additionally, we use major opcode 0x7b to encode \insnriscvref{AUICGP}, which is similar to \asm{AUIPCC} except that the immediate is added to capability register \asm{\$c3} (the global pointer in the ABI). +\section{Capability encoding} +\label{sec:capenc} +\cref{fig:capformat} shows the 64-bit encoding of capabilities which is described in detail in the following sections. +\begin{figure} + \begin{bytefield}[bitwidth=\linewidth/32]{32} + \bitheader[endianness=big]{0,8,9,17,18,21,22,24,25,31} \\ + \bitbox{1}{R} & \bitbox{6}{$p$'6} & \bitbox{3}{otype'3} & \bitbox{4}{E'4} & \bitbox{9}{B'9} & \bitbox{9}{T'9} \\ + \bitbox[lrb]{32}{$a$'32} + \end{bytefield} + \begin{description} + \item[R] a reserved bit, which is zero in the root capabilities (and hence all tagged capabilities), but may be set if untagged data is loaded into a register. + In this case its value must be preserved. This is very important because memory copies are performed with capability load a store instructions in order to preserve the tag on any capabilities present, meaning these instructions must also faithfully copy arbitrary untagged data. 
+ \item[p] a 6-bit compressed permissions field (see \cref{sec:perms}) + \item[otype] a 3-bit `object type' used for sealing capabilities (see \cref{sec:sealing}) + \item[E] a 4-bit exponent used for the bounds encoding (see \cref{sec:bounds}) + \item[B] a 9-bit base used for the bounds encoding (see \cref{sec:bounds}) + \item[T] a 9-bit top used in the bounds encoding (see \cref{sec:bounds}) + \item[a] the 32-bit address of the capability + \end{description} + \caption{\label{fig:capformat}Capability format} +\end{figure} +\subsection{Capability permissions} +\label{sec:perms} +\begin{figure}\begin{center} + \begin{bytefield}[bitwidth=\linewidth/16]{12} + \bitheader[endianness=big]{0-11} \\ + \bitbox{1}{U0} & + \bitbox{1}{SE} & + \bitbox{1}{US} & + \bitbox{1}{EX} & + \bitbox{1}{SR} & + \bitbox{1}{MC} & + \bitbox{1}{LD} & + \bitbox{1}{SL} & + \bitbox{1}{LM} & + \bitbox{1}{SD} & + \bitbox{1}{LG} & + \bitbox{1}{GL} & + \\ + \end{bytefield} + \caption{\label{fig:archperms}Architectural permissions} +\end{center}\end{figure} +\cref{fig:archperms} shows the architectural permissions as used by \insnriscvref{CGetPerm} and \insnriscvref{CAndPerm}. They have the following meanings: +\begin{description} +\item[EX] If \cappermX is set then this capability is executable and can be used as the target of \insnriscvref{CJALR} and in other contexts requiring an executable capability, such as \asm{TCC}. +\item[SR] \cappermASR{} may be set on executable capabilities. When set in \PCC{} access to all CSRs and SCRs is permitted, otherwise attempts to access restricted registers or execute an \asm{MRET} results in an exception (See \cref{sec:asr}). +\item[SE] If \cappermSeal is set then this capability may be used as the authority for \insnriscvref{CSeal}. +\item[US] If \cappermUnseal is set then this capability may be used as the authority for \insnriscvref{CUnseal}. +\item[U0] \cappermUZ is a user permission on capabilities with the sealing format. 
It has no special meaning to hardware but behaves like other permissions in that it may be cleared by \insnriscvref{CAndPerm} and cannot be set after being cleared. It is intended to be used as a software defined permission. +\item[GL] If \cappermG is set then this capability is global and can be stored anywhere, otherwise it is local and may be stored only via capabilities with the \cappermSLC permission. +\item[SL] If \cappermSLC is set (along with \cappermS and \cappermMC) then any capability may be stored via this capability, otherwise attempting to store a capability with GL cleared will result in an exception. +\item[LM] If \cappermLM is not set then any tagged capabilities loaded via this capability will have SD and LM cleared. +Thus, if SD and LM are cleared on a capability then it, and any capability loaded via it (including via indirection), will be read-only. +This is useful for delegating a read-only pointer to a data structure, for example to enforce a language level transitive \asm{const}. +Untagged or sealed capabilities that are loaded are unaffected and retain their existing SD and LM bits. +\item[LG] If \cappermILG is not set then any tagged capabilities loaded via this capability will have LG and GL cleared. +Thus, if LG and GL are cleared before delegating a capability then it, and any capability loaded via it (including via indirection), may be stored only via capabilities with \cappermSLC. +This limits the ability of the delegee to retain capabilities to a delegated data structure or part thereof, making it easier to later revoke access to the delegated data structure. +Note that GL and LG are cleared even on sealed capabilities that are loaded, making this an exception to the immutability of sealed capabilities. +This differs from the behavior of LM on sealed capabilities. Untagged capabilities are unaffected. 
+\item[MC] If \cappermMC is set then the load and store permissions for this capability are modified to enable capability loads (\cappermLC) and / or stores (\cappermSC). +The \insnriscvref{CLC} instruction logically ANDs the tag of the loaded capability with MC from the capability base operand, so only capabilities with MC and LD set can be used to load tagged capabilities. +The \insnriscvref{CSC} instruction raises an exception if the stored capability has the tag set and the capability base operand lacks either MC or SD permission, so only capabilities with MC and SD can be used to store tagged capabilities. +\item[SD] If \cappermS is set then this capability can be used as the base operand for stores, otherwise an exception is thrown. +\item[LD] If \cappermL is set then this capability can be used as the base operand for loads, otherwise an exception is thrown. +\end{description} + +Some combinations of permissions are not very useful (e.g. \cappermASR but not \cappermX), so permissions are stored in a compressed format that restricts the available combinations. +\cref{fig:compressedperms} shows the different formats of the compressed permission field. +Each format has some fixed bits (shown as 0s or 1s) that unambiguously identify the format. +A given format unconditionally grants some number of `implicit' permissions and the non-fixed bits encode the presence or absence of the permissions indicated by the two-letter abbreviation. + +For example the `cap-read-write' format has bits 3 and 4 of the permissions field set to one. Capabilities with this format implicitly have \cappermL, \cappermMC and \cappermS while bits 0, 1, 2 and 5 encode +\cappermILG, \cappermLM, \cappermSLC and \cappermG respectively (the permission is granted if the bit set to one). +The logic of this is that each format need only encode permissions that make sense given the set of implicitly present permissions, giving a dense encoding of useful permission encodings. 
+The format used to represent a capability may change if permissions are cleared by \insnriscvref{CAndPerm} or \insnriscvref{CLC}. +\cref{fig:perms5clustered} shows a graphical representation of the possible permissions combinations and possible transitions between them. + +\begin{figure}\begin{center} + \begin{bytefield}[bitwidth=\linewidth/16,leftcurly=.,rightcurly=.]{6} + \bitheader[endianness=big]{0-5} \\ + \begin{leftwordgroup}{Memory cap-read-write:} \begin{rightwordgroup}{Implicit: LD, MC, SD} + \bitboxes{1}{{GL} {1} {1} {SL} {LM} {LG}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \\ + \begin{leftwordgroup}{Memory cap-read-only:} \begin{rightwordgroup}{Implicit: LD, MC} + \bitboxes{1}{{GL} {1} {0} {1} {LM} {LG}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \\ + \begin{leftwordgroup}{Memory cap-write-only:} \begin{rightwordgroup}{Implicit: SD, MC} + \bitboxes{1}{{GL} {1} {0} {0} {0} {0}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \\ + \begin{leftwordgroup}{Memory data-only:} \begin{rightwordgroup}{Implicit: None} + \bitboxes{1}{{GL} {1} {0} {0} {LD} {SD}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \\ + \begin{leftwordgroup}{Executable:} \begin{rightwordgroup}{Implicit: EX, LD, MC} + \bitboxes{1}{{GL} {0} {1} {SR} {LM} {LG}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \\ + \begin{leftwordgroup}{Sealing:} \begin{rightwordgroup}{Implicit: None} + \bitboxes{1}{{GL} {0} {0} {U0} {SE} {US}} + \end{leftwordgroup} \end{rightwordgroup} \\ + \end{bytefield} + \caption{\label{fig:compressedperms}Compressed permission formats} +\end{center}\end{figure} + +One consequence of this encoding is that is not possible to have a single capability with all permissions. +Instead there are three \emph{capability roots} corresponding to the three nodes with no edges leading to them in \cref{fig:perms5clustered}. 
We label these as follows: + +\begin{description} + \item[\caprootM] The memory root, with \cappermG, \cappermL, \cappermS, \cappermMC, \cappermSLC, \cappermILG and \cappermLM. The bounds are the entire address space. + \item[\caprootX] The executable root, with \cappermG, \cappermX, \cappermL, \cappermLC, \cappermILG, \cappermLM and \cappermASR. The bounds are the entire address space. + \item[\caprootS] the sealing root, with \cappermG, \cappermSeal, \cappermUnseal, and \cappermUZ. + The bounds are the entire address space even though only a limited set of \cotype{} values can be used with \insnriscvref{CSeal}. + This allows sealed, sealing-format capabilities with an address outside the range of valid \cotype{}s to be used as unforgeable tokens by software. +\end{description} + +On reset the SCRs are initialized to the different capability roots as shown in \cref{tab:risc-v-special-capability-registers}. +\PCC{} is initialized to \caprootX. + +See \cref{chap:permissions} for a description of the constraints on useful permission combinations that led to the encoding scheme. + +\newgeometry{margin=5mm} +\thispagestyle{empty} +\begin{landscape} + \begin{figure} + \centering + \includegraphics[width=\hsize]{misc/perms/perms5_clustered.pdf} + \caption{\label{fig:perms5clustered}Graph of allowed permission combinations, grouped by encoding format and ordered by inclusion. + Edges are labelled with the permission that is dropped by that transition. + Edges implied by transitivity are omitted. \cappermG is omitted because it is entirely orthogonal.} + \end{figure} +\end{landscape} +\restoregeometry + +\insnriscvref{CAndPerm} operates on the decompressed permissions so it is possible to request combinations that cannot be represented in the compressed encoding (for example \cappermX but not \cappermL). +In that case the resulting capability will have a (possibly empty) subset of the requested permissions. 
+The following procedure is used to encode a given set of requested permissions: +\begin{enumerate} +\item If the permissions include EX, LD and MC then encode SR, LM and LG using the executable format. +\item Otherwise, if the permissions include LD, MC and SD then encode SL, LM and LG using the cap-read-write format. +\item Otherwise, if the permissions include LD and MC then encode LM and LG using the cap-read-only format. +\item Otherwise, if the permissions include SD and MC then encode using the cap-write-only format. +\item Otherwise, if the permissions include LD \emph{or} SD then encode using the data-only format. +\item Otherwise, encode U0, SE and US using the sealing format. +\end{enumerate} +Any permissions that cannot be encoded using the chosen format are dropped. +The possible clearing of GL and LG or SD and LM during capability loads can be quite easily performed on the compressed format although note that clearing SD may require switching format and that SL may be cleared as a side-effect. + +Note that this legalization of permissions must happen at all points where permissions can change (\insnriscvref{CAndPerm} and \insnriscvref{CLC}). +For example, the result of \asm{CAndPerm} followed by \asm{CGetPerm} should be consistent regardless of whether the register file stores the permissions in the compressed or decompressed form. +Similarly, storing then loading a capability should not change the permissions except possibly GL, LG, LM and SD as specified by \insnriscvref{CLC}. + + +\subsection{Sealed capabilities} +\label{sec:sealing} +The \cotype{} field is used for \emph{sealing} capabilities. +A sealed capability cannot be modified or used as authority for operations except special unsealing ones, but can be passed as a token and later unsealed. 
+Two kinds of sealing are supported: + +\begin{description} + \item[Using otypes:] \insnriscvref{CSeal} allows the creation of sealed capabilities with a given value of \cotype{} given a capability to seal and an authorizing capability with \cappermSeal and the address set to the desired \cotype{}. + \insnriscvref{CUnseal} permits unsealing a sealed capability if provided with a capability with \cappermUnseal and bounds that contain the \cotype{} of the capability to be unsealed. + \item[Sealed entry capabilities (sentries):] Executable capabilities sealed with the special \emph{sentry} \cotype{}s can be used with \insnriscvref{CJALR}. + The capability is unsealed before jumping to it, creating a form of call gate. + Three kinds of sentry are defined that affect \asm{mstatus.MIE} in different ways: either leaving it unchanged, enabling interrupts or disabling interrupts. + Jumping to an interrupt enabling or disabling sentry will set or clear \asm{mstatus.MIE} accordingly. + Additionally, the link register stored by \insnriscvref{CJAL} and \insnriscvref{CJALR} is sealed as a sentry with the current interrupt status: if MIE is set it will produce an interrupt enabling sentry and if it is cleared it will produce an interrupt disabling sentry. +\end{description} +The \cotype{} field uses the following values: +\begin{description} + \item[0] unsealed + \item[1] sealed as sentry + \item[2] sealed as interrupt disabling sentry + \item[3] sealed as interrupt enabling sentry + \item[4-5] reserved for use as return sentries in future + \item[6-7] executable capability sealed with given \cotype{} + \item[8] reserved (due to encoding) + \item[9-15] non-executable capability sealed with given \cotype{} +\end{description} +The \cotype{}s $1-7$ can only be applied to executable capabilities, while memory and sealing format capabilities can only be sealed with \cotype{}s $9-15$. 
+If the \cotype{} field of a memory or sealing format capability is non-zero then bit 3 is implicitly set i.e. \cotype{}s $9-15$ are encoded using values $1-7$.
+An attempt to use \insnriscvref{CSeal} or \insnriscvref{CUnseal} with a reserved \cotype{}, or with an \cotype{} not applicable to the capability format, will clear the capability tag.
+
+\subsection{Capability bounds}
+\label{sec:bounds}
+
+The capability bounds (\cbase{} and \ctop{}) are stored in a compressed format relative to the \caddress{}, similar to CHERI Concentrate~\cite{Woodruff2019}.
+The floating point encoding stores $2^e$-aligned bounds, where $e$ is the exponent.
+An exponent of zero can express bounds with byte precision but limits the maximum length of the range to 511 bytes.
+Larger exponent values can represent larger ranges, but require more aligned bounds.
+
+To form the \cbase{} and \ctop{} the 9-bit $B$ and $T$ fields from the encoding are inserted into the address at bit $e$ as follows:
+
+\begin{center}
+% spread out the table a bit otherwise it is too tight for maths
+{
+\renewcommand{\arraystretch}{1.5}
+\begin{tabular}{r|c|c|c|}
+\cline{2-4}
+address, $a =$ & $a_\text{top} = a[31:e+9]$ & $a_\text{mid} = a[e+8:e]$ & $a_\text{low} = a[e-1:0]$ \\ \cline{2-4}
+base, $b =$ & $a_\text{top}+c_\text{b}$ & $B $ & $0$ \\ \cline{2-4}
+top, $t =$ & $a_\text{top}+c_\text{t}$ & $T $ & $0$ \\ \cline{2-4}
+\end{tabular}
+}
+\end{center}
+
+where the top bits of the address are `corrected' according to the following formulae:
+
+\begin{center}
+\begin{tabular}{r c l p{1em} r c l}
+$c_b$ & = & $\begin{cases}
+-1, & \text{if } a_\text{mid} < B \\
+0, & \text{otherwise}
+\end{cases}$
+&&
+$c_t$ & = & $\begin{cases}
+ -1, & \text{if } a_\text{mid} < B \text{ and } T \ge B \\
+ 1, & \text{if } a_\text{mid} \ge B \text{ and } T < B \\
+ 0, & \text{otherwise}
+\end{cases}$
+\end{tabular}
+\end{center}
+
+These corrections ensure that the decoded bounds remain the same provided the address is in $[b, 
b + 2^{e+9})$, the so-called \emph{representable range}.
+They work by testing for conditions that indicate whether the \ctop{} and \caddress{} are in the same $2^{e+9}$ aligned region as \cbase{}.
+The representable range spans two such regions (one if $B = 0$), which we will call the lower and upper regions, with $b$ always lying in the lower region.
+The ISA is constructed to ensure that, for valid capabilities, $a$ and $t$ are in the representable range and $b \le t$.
+Therefore if $a_{mid} \lt B$ then $a$ must be in the upper region, where the $a_{top}$ bits are one greater than those bits in $b$.
+Similarly if $T \lt B$ then $t$ must lie in the upper region and we can compute the necessary correction based on whether $a$ also lies in the upper region.
+To maintain the necessary invariant for this to work \insnriscvref{CSetAddr} and \insnriscvref{CIncAddr} clear the \ctag{} if the \caddress{} to goes outside the representable range (see \cref{sec:repcheck}).
+
+In order to permit the format to represent a range covering the entire address space using only a 4-bit exponent there is a special case when $E$ has its maximum value.
+The effective exponent, $e$, is defined as:
+
+\begin{center}
+\begin{tabular}{r c l}
+$e$ &=& $ \begin{cases}
+ 24,& \text{if } E = 15 \\
+E,& \text{otherwise}
+\end{cases} $ \\
+\end{tabular}
+\end{center}
+
+Thus the root memory capability has $B =$ 0, $T =$ 0x100, $E = 15$ and decodes to the range $[0,2^{32})$.
+Note that the decoded top is actually a 33-bit value to accommodate this.
+
+\begin{table}
+ \centering
+ \begin{tabular}{lrr}
+ \toprule
+ e & alignment, $2^e$ & maximum length, $511 \times 2^e$ \\
+ \midrule
+ 0 & 1 & 511 \\
+ 1 & 2 & 1,022 \\
+ 2 & 4 & 2,044 \\
+ 3 & 8 & 4,088 \\
+ 4 & 16 & 8,176 \\
+ 5 & 32 & 16,352 \\
+ 6 & 64 & 32,704 \\
+ 7 & 128 & 65,408 \\
+ 8 & 256 & 130,816 \\
+ 9 & 512 & 261,632 \\
+ 10 & 1,024 & 523,264 \\
+ 11 & 2,048 & 1,046,528 \\
+ 12 & 4,096 & 2,093,056 \\
+ 13 & 8,192 & 4,186,112 \\
+ 14 & 16,384 & 8,372,224 \\
+ 24 & 16,777,216 & 8,573,157,376 \\
+ \bottomrule
+ \end{tabular}
+ \caption{\label{tab:caplen}
+ Capability bounds alignment and maximum length by exponent value.
+ Note that for $e=24$ the maximum length exceeds the size of the address space.
+ The length of the root capabilities is $2^{32} = 4,294,967,296$ so no valid capability will ever exceed this length.
+ }
+\end{table}
+
+\subsection{Set bounds operation}
+The \insnriscvref{CSetBounds} instruction must select values for $E$, $B$, and $T$ that encode a requested range defined by a given base, $b$, and length, $l$.
+In the case that the requested range is not precisely representable \cbase{} is rounded down and \ctop{} up to multiples of $2^e$, where $e$ is the chosen exponent.
+For maximum bounds precision, we desire the the smallest $e$ that can represent the requested region.
+From the encoding we can observe that the largest encodable length for a given $e$ is given by $2^e \times (2^9 - 1)$.
+Therefore we require a solution to the inequality:
+\[
+\begin{array}{r c l l}
+l & \le & 2^e \times (2^9 - 1)\\
+l & \le & 2^{e+9} - 2^e\\
+l & \le & 2^{e+9} & \text{approximation}\\
+\log_2 l & \le & e+9 \\
+\lfloor \log_2 l \rfloor & \le & e + 9 & \text{approximation} \\
+\msb(l) & \le & e + 9 & \text{index of most significant set bit is floor of } \log_2 \\
+32 - \clz(l) & \le & e + 9 & \text{also expressible as count leading zeros for 32-bit length} \\
+23 - \clz(l) & \le & e \\
+e & = & 23 - \clz(l) & \text{since we require the smallest e} \\
+\end{array}
+\]
+Since $e$ must be greater than or equal to zero the count leading zeros should be limited to the top 23 bits of $l$ (lengths smaller than 9-bits are expressed with $e = 0$).
+% To ensure there is some representable buffer and to accommodate rounding we increment the chosen exponent by one if the length is close to the maximum representable:
+% \[
+% e' =
+% \begin{cases}
+% e + 1,\text{ if }l[e+8:e+1] = \text{\asm{0xff}} \\
+% e,\text{ otherwise}
+% \end{cases}
+% \]
+Since the exponent is limited to 4-bits, exponents greater than 14 are mapped to the special maximum exponent, 24, which is encoded as 15:
+\[
+e'=
+\begin{cases}
+ e,\text{ if } e \le 14 \\
+ 24,\text{ otherwise}
+\end{cases}
+\]
+Having chosen the exponent, the relevant bits of \cbase{} and \ctop{}, $t = b + l$, are extracted:
+\[
+ B = b[e' + 9: e'] \hspace{2em} T = t[e' + 9: e']
+\]
+The bounds are exact if the bits below $e'$ in both $b$ and $t$ are all zero.
+By discarding the lower bits of $b$ the \cbase{} is automatically rounded down to a representable value,
+but if the top is not exact then we must round it up by incrementing by one to ensure the encoded range includes the requested top.
+Note that the calculated $e'$ was based on the requested length, but having rounded the bounds the resulting length may be larger and may exceed the maximum representable length for $e'$.
+To check for this we calculate the encoded length $T - B$ (in units of $2^e$), and compare it with the maximum encodable length, $2^9 - 1$.
+Note that $B$ and $T$ above are one bit wider than the encoding can store for this purpose.
+If the maximum encodable length is exceeded we increment $e$ by one and recompute $B$ and $T$, this time with a guarantee that the resulting length is encodable.
+Finally, the oversized $B$ and $T$ can drop their extra most significant bit in the final encoding.
+\subsection{Representability checks}
+\label{sec:repcheck}
+
+To enable capabilities to be used to implement pointers in the C language the capability encoding is designed to allow the \caddress{} to vary within a limited range without changing the decoded bounds.
+The \emph{representable range} of a capability is the set of addresses for which the decoded bounds remain the same.
+We also wish to maintain the \emph{monotonicity} invariant that the bounds of a valid capability must be a subset of the bounds of the valid capability from which it is derived.
+Therefore, whenever the \caddress{} of a capability changes the hardware must check whether the new address remains within the representable range, otherwise the new bounds would violate this invariant.
+For example, if \insnriscvref{CSetAddr} or \insnriscvref{CIncAddr} detects that the new \caddress{} is outside of the representable range then the \ctag{} of the result is cleared.
+
+The representation guarantees that the bounds remain decodable provided the address, $a$, and base, $b$, satisfy $b \le a$ and $a \lt b + 2^{e+9}$.
+Additionally, if $e$ is 24 then all addresses are representable.
+The representable range always includes \ctop{}, although in some cases it is the highest representable address.
+Therefore the representation meets the C-language requirement that pointers may range within object bounds or `one byte past the end'.
+Other CHERI implementations include much larger representable ranges than this minimum in order to accommodate common C programming practices.
+However, this comes at the cost of bits in the representation and our experience so far has shown that it is not necessary for embedded systems.
+
+The following instructions all set the capability \caddress{} and therefore require a representability check:
+\begin{itemize}
+ \item \insnriscvref{AUIPCC}
+ \item \insnriscvref{AUICGP}
+ \item \insnriscvref{CSetAddr}
+ \item \insnriscvref{CIncAddr}
+\end{itemize}
+Note that although \insnriscvref{CJAL} and \insnriscvref{CJALR} also set the address on the link register, it is guaranteed to be representable because its \caddress{} can be at most equal to \PCC{}.\ctop{} given that the jump itself is in bounds.
+Therefore no representability check is required for these instructions.
+
+Similarly, the value placed in \MEPCC{} on exception should always be representable given that \PC{} is always in bounds (or equal to \PCC{}.\ctop{} in the case of stepping off the end of \PCC{}).
+One exception to this is if \MTCC{} is configured in vectored mode and a subsequent exception goes to a \PC{} that is out of the bounds of \MTCC{}.
+This would cause a \PCC{} bounds exception and in this case \MEPCC{} might not be representable, in which case its tag should be cleared.
+It may be preferable not to support vectored mode, although note that care should also be taken when legalizing \asm{mtvec} (\MTCC.\caddress{}) to ensure that this does not violate sealing or representability.
+legalization of \asm{mepc} (clearing the least significant bit) may also cause values read from \MEPCC{} to be unrepresentable if it has been written with an unaligned address.
+This includes the implicit read by \asm{MRET}.
+In these cases the unrepresentable \MEPCC{} that results from the \PCC{} bounds exception should have its tag cleared.
+\TODO{These cases are probably pretty annoying for hardware. 
Although less in keeping with RISC-V behavior it would probably be easier to clear tag if \MEPCC{} is written with an unaligned address.}
+
+\subsection{The NULL capability}
+\label{sec:null}
+
+The NULL capability is defined as an untagged capability with an \caddress{} of zero and an encoding of all zeroes.
+This definition is for maximum compatibility with the C language, where it is used to represent NULL pointers.
+The NULL capability is also used as the value of the \asm{\$c0} register and to store integer results by setting the \caddress{} to the required value.
+Although capability fields other than the \caddress{} are not meaningful on untagged capabilities they may be queried using the \asm{CGetX} instructions.
+Thus it can be observed that the NULL capability decodes as an untagged, unsealed capability, with no permissions, \cbase{} $0$ and \clength{} $0$\footnote{
+ On other CHERI architectures the NULL capability is defined to have maximum length.
+ This could be achieved by tweaking the encoding (e.g. by inverting the encoded exponent and making the zero value a special case), but there is no clear advantage to doing this.
+}.
+Note that NULL-derived capabilities with a non-zero address may have non-zero \cbase{} and \ctop{}, but will be untagged.
+
+\subsection{Zero length capabilities}
+\label{sec:zerolengthcaps}
+
+The capability encoding described supports capabilities with zero length, where \cbase{} is equal to \ctop{}.
+Such capabilities do not authorize access to any memory (or sealing rights), so it may be tempting to use them as unforgeable tokens (e.g. to implement file handles), however they come with a big drawback:
+zero length capabilities can be derived with \cbase{} equal to the \ctop{} of an existing capability, even though that capability does not authorize access to \ctop{}.
+To give an example of this suppose a memory allocator gives out two capabilities with adjacent ranges $[a,b)$ and $[b,c)$.
+Later it may receive a call to `free' with a zero length capability $[b,b)$ and it has no way to tell which of the two ranges it was derived from.
+If it relies only on the \cbase{} of the capability and does not validate the length the allocator may incorrectly free $[b,c)$.
+The same problem arises during revocation sweeps as performed by Cornucopia~\cite{cornucopia}, meaning it is unable to revoke zero length capabilities.
+Therefore we strongly discourage the use of zero length capabilities and encourage validating the length of untrusted capabilities.
+As an alternative we suggest using capabilities of length one derived from the sealing root but without \cappermSeal or \cappermUnseal.
+In this case \cappermUZ may be used as a software defined permission.
+
+\TODO{Consider having CSetBounds clear the tag on zero length caps to avoid these problems. This would also be necessary if we moved to an encoding that doesn't allow zero length caps.}
+
+\subsection{Zero permission capabilities}
+
+In a similar vein to zero length capabilities the encoding also supports capabilities with no permissions.
+These are encoded using the sealing format but may be derived from any of the roots.
+We therefore caution against using zero permission capabilities as tokens, because the ability to derive the same capability from either a memory or a sealing root may break the expected unforgeability property.
+They may also behave unexpectedly with respect to revocation, since sealing capabilities are not subject to revocation but memory capabilities are.
+Given these limitations it is not clear that zero permission capabilities should be allowed at all and support may be removed in future revisions.
+
+\subsection{Capability layout in memory}
+
+While \cref{fig:capformat} shows the nominal capability format, for microarchitectural reasons it may be preferable for the capability fields to appear in a different arrangement in memory.
+Future versions of the architecture may also specify a different capability format.
+Therefore software should not rely on the exact layout of capabilities in memory.
+This said, we expect that certain software will need knowledge of the capability format.
+For example, memory allocators and the toolchain will need to be aware of alignment requirements and a debugger will need to be able to decode capabilities from memory dumps.
+
+\subsection{Sail implementation}
+
+\cref{chap:sailenc} contains Sail code implementing the capability
+encoding described here as well as properties validated using SMT.
+
+\section{Instruction compression}
+\label{sec:c-extension}
+
+Compressed load and store extensions from the standard RV32 C extension decompress to their capability equivalents.
+Similar to the encodings of \insnriscvref{CLC} and \insnriscvref{CSC} in uncompressed instructions, the C extension uses compressed \asm{C.LD} and \asm{C.SD} from RV64 to encode \insnriscvref{CLC} and \insnriscvref{CSC}.
+In RV32 these opcodes are used to encode \asm{C.FLW} and \asm{C.FSW}, meaning these compressed encodings for floating point loads and stores are no longer available.
+Note that this applies to C instructions with implicit stack operands, that is we use \asm{C.LDSP} (RV64) and \asm{C.SDSP} (RV64) as capability loads and stores relative to the stack capability, replacing the \asm{C.FLWSP} (RV32) and \asm{C.FSWSP} (RV32) encodings.
+Such a decision is justified because capability loads and stores greatly outnumber floating point instructions in embedded code, and most devices this ISA is targeting do not have a floating point unit at all.
+
+Implicit stack pointer arithmetic instructions are not useful with CHERI, as adding an offset with \asm{ADD} will produce an untagged integer.
+These instructions are modified to decode to \insnriscvref{CIncAddr} to produce valid stack-derived capabilities.
+As a result, \asm{C.ADDI16SP imm} is decoded into \asm{CIncAddr \$csp, \$csp, imm} and \asm{C.ADDI4SPN \$rd, imm} into \asm{CIncAddr \$cd, \$csp, imm}.
+
+The \cherimcuisa{} introduces changes to mappings between certain compressed and uncompressed instructions, but no changes to the encodings of compressed instructions themselves.
+This translates to minimum logic modifications when adding \cherimcuisa{} support to an existing RISC-V CPU.
+However, experiments in \cref{chap:c-changes} show that further code size reduction can be achieved by introducing changes in the encoding themselves, to accommodate RV32E and CHERI instructions.
diff --git a/archdoc/chap-cheri-rtos.tex b/archdoc/chap-cheri-rtos.tex
new file mode 100644
index 0000000..85f2df7
--- /dev/null
+++ b/archdoc/chap-cheri-rtos.tex
@@ -0,0 +1,115 @@
+\chapter{RTOS implementation}
+\label{chap:rtos}
+
+The \cherimcuos{} is intended to provide a minimal TCB.
+The core of the RTOS comprises:
+
+\begin{description}
+ \item[A loader,] which runs before any untrusted data is encountered and sets up the capabilities for the rest of the system.
+ \item[Switch routines,] which add up to around 300 instructions in hand-written assembly, for switching between thread and compartments.
+ \item[A heap allocator,] which allocates memory from a shared heap for use by compartments.
+ \item[A scheduler,] which selects the next thread to run.
+\end{description}
+
+Of these, only the loader and the switch routines run with access to the trusted stack and register save areas (that is, with the access-system-registers permission on their \PCC).
+This means that these are the only two that can completely compromise all of the security properties on which the rest of the system is built.
+The loader runs once on system start and then erases itself.
+The loader is not needed on systems where the persistent storage (e.g. flash) can store tag bits.
+
+The switch routines (currently) add up to a total of around 300 instructions, with no memory allocation and very little control flow.
+For comparison, the trusted (unverified) part of seL4 is 340 instructions~\cite{sel4-faq}, so \cherimcuos{} contains less code in its TCB than seL4 contains unverified code in its TCB.
+
+The heap allocator holds capabilities to the shared heap and the revocation bitmap for the shared heap and so is able to violate heap memory safety.
+The scheduler is more or less an untrusted compartment, though with a private stack.
+Importantly, the scheduler does not have access to the stacks, trusted stacks, or register-save areas of the threads that it manages.
+It may choose the next thread to run, but it cannot tamper with a thread's state.
+
+\section{Per-thread state}
+
+Each thread has a stack (reachable from \CSP) and a \textit{trusted stack}.
+The trusted stack maintains the state required for cross-domain calls.
+The same data structure also contains the register save area, where the contents of the register file will be saved when an interrupt is delivered.
+
+A capability to the trusted stack and register save area for the running stack is stored in the \MScratchC{} register, which can be accessed only by code whose \PCC{} has the permission to access system registers.
+\nwfnote{MScratchC is pretty badly named now, isn't it?}
+
+\section{The loader}
+
+The loader starts with access to the root capabilities and so has complete access to everything on start.
+The majority of the loader is written in C++ with rich types conveying intentionality, including templates that provide capability permission sets as compile-time constants that can be statically checked
+
+The loader splits the architectural roots into four software-defined roots:
+
+\begin{description}
+ \item[Executable] capabilities are used for deriving capabilities that will end up installed in \PCC{}.
+ \item[Global] capabilities do not have permit-store-local and are used for deriving capabilities for globals, heap memory, and so on.
+ \item[Local] capabilities do not have the global permission and are used only for stacks, trusted stacks, and register save areas.
+ \item[Sealing] capabilities have no memory-related permissions and are used only for sealing and unsealing.
+\end{description}
+
+Each capability that is derived from a root is derived via a mechanism that validates (at compile time) that the requested permissions are less than the permissions of the root.
+
+The C++ portion of the loader is stored in a portion of memory that will eventually become the heap.
+Once it returns to a small assembly stub, this stub zeroes all of the memory used by the loader (stack, code, and globals) and almost all of the register file, ensuring that no capabilities are leaked.
+It then yields to the scheduler (via an \insnnoref{ecall} instruction) and becomes a stackless idle thread.
+
+The loader is responsible for initializing import tables (the capabilities that may point outside of the compartment, see Chapter \ref{chap:abi} for details), preparing each thread's initial state, and applying caprelocs (dynamically initialized capabilities stored in globals).
+For each capreloc, the loader finds the compartment that it refers to and attempts to derive the target from the compartment's \PCC{} and \CGP{}.
+If this fails, then the boot image is corrupted and the loader resets (allowing a first-stage loader to perform A/B installations).
+\nwfnote{A \emph{future} first-stage loader? I don't think we have one, yet?}
+
+\section{Interrupt handling}
+
+The interrupt handling code is part of the switcher and runs with permission to access \MScratchC{}.
+It first saves the register file in the current thread's register save area and seals the capability to this area.
+Next, it loads the other special-register values that describe the interrupt and prepares a context invoking the scheduler.
+
+The scheduler is always invoked with the same stack, with arguments containing a sealed capability to the register-save area of the interrupted and yielding thread.
+It then returns a sealed capability to a register-save area for a thread to resume.
+The scheduler runs with interrupts disabled and provides a simple static priority scheduler with round-robin scheduling within a priority level.
+Threads are run when no thread with a higher priority is runnable.
+If two threads at the same priority level are runnable, one runs until it either yields or an interrupt is delivered, then the next one runs.
+
+\section{Synchronization and scheduling primitives}
+
+The scheduler is a compartment and so can expose entry points that can be invoked via the switcher.
+These include semaphore and message queue interfaces that will park a thread (mark it as not runnable) until some event happens.
+
+In addition, an \insnnoref{MCall} instruction will deliver an interrupt, causing the running thread to immediately yield.
+This is used for an explicit yield operation that transfers control immediately to the switcher and then to the scheduler.
+This mechanism can be used from inside the scheduler itself to allow a thread to yield after the scheduler has updated some data structures related to it.
+
+In combination, these can be used to build synchronization primitives with timeouts.
+A thread that wishes to block waiting for an event calls the scheduler, which then records the conditions that will wake the thread (including the timeout) and yields via an \insnnoref{MCall}.
+One resume, the scheduler can check how long it slept for and return from the cross-compartment call.
+
+\section{The memory allocator}
+
+The memory allocator currently provides a simple \ccode{malloc}-like API.
+Future versions will add explicit memory pinning (no concurrent deallocation of an object during a compartment invocation) and explicit permission to deallocate objects.
+
+In addition, the allocator provides a mechanism for allocating sealable objects.
+The \cherimcuisa{} has only a handful of sealing types and so it is not feasible for every compartment to be able to seal capabilities using the hardware mechanism.
+Instead, the memory allocator reserves one hardware sealing type for allocating sealable objects.
+A sealable object has a header describing the capability that is used to unseal it.
+The allocator will provide a sealed capability to the whole object (including the header) and, if invoked with the correct unsealing capability) will return an unsealed capability to all of the object \textit{except} for the header.
+
+This mechanism allows compartments to provide opaque data types to software running outside of the compartment.
+
+\section{Error handling}
+\label{sec:errorhandling}
+One effect of the CHERI architecture is to turn errors that could result in memory corruption vulnerabilities into traps.
+To mitigate the availability concerns this could create, the \cherimcuos{} provides a mechanism for recovering from faults in a controlled way.
+Compartments can define an error handler that will be called if a fault occurs during execution of that compartment, or if a fault in a called compartment results an `unwind'.
+The error handler can inspect the saved register context from the time of the fault and can choose either to resume execution with an amended register context or to unwind the trusted stack, returning an error to the calling compartment.
+
+Careful use of this mechanism can allow an application to continue even after it encounters an unexpected fault.
+For example, a compartment error handler might reset the compartment state before returning an error to the calling compartment.
+For more details of this mechanism and special security considerations please refer to the \cherimcuos{} documentation.
+
+\section{Other components}
+
+All other components, such as a network stack (taken from FreeRTOS), a TLS stack (from mBedTLS), and so on are untrusted.
+They are treated no differently from any other user-provided code and are packaged only for convenience.
+The bottom of the network stack talks to a device driver, which is simply another compartment whose import table is used to grant access to the MMIO region containing the network device's control registers.
+
diff --git a/archdoc/chap-compartment-model.tex b/archdoc/chap-compartment-model.tex
new file mode 100644
index 0000000..5974861
--- /dev/null
+++ b/archdoc/chap-compartment-model.tex
@@ -0,0 +1,191 @@
+\chapter{Compartment model}
+\label{chap:compartmentmodel}
+CHERI is designed to support fine-grained compartmentalization.
+A compartment, in the CHERI sense, is defined by the memory that is transitively reachable\footnote{i.e. including memory reachable from capabilities loadable from memory by any number of indirections} from the capability registers in the running code.
+The mechanism for transitioning between compartments is key to any CHERI compartmentalization strategy.
+
+The original CHERI/MIPS prototype had an instruction that raised a synchronous abort, providing a transition into an in-kernel compartment switcher.
+Morello and newer CHERI/RISC-V implementations for large systems have instructions that perform atomic unsealing and domain transition.
+This provides a rich set of tools for building compartmentalization models but leaves concerns such as stack management to the software stack.
+The \cherimcu{} model relies on a mixture of hardware and software to enforce compartment isolation.
+
+The threat model for this work assumes that compartments all exist in a mutual distrust relationship with each other.
+Compartments should not be able to see or tamper with other compartments' data unless they are explicitly granted access to it via capabilities passed across an exposed interface.
+
+Compartments, in isolation, are not automatically trusted (or untrusted) with respect to availability.
+Each compartment explicitly lists the entry points that it exposes or may invoke that run with interrupts disabled and it is the responsibility of the firmware integrator to determine whether this is acceptable.
+For a compartment to run code with interrupts disabled, the linker and loader must have explicitly granted it these rights when initializing capabilities, and so it is possible for the firmware integrator to audit the compartment graph.
+
+This is intended to give flexibility for system integrators with different levels of real-time requirements.
+At one extreme, a hard-realtime control loop can run in a realtime-priority thread, with interrupts disabled except at explicit yield points.
+Other threads in such a system would not be allowed to call any compartment entry points that can invoke functions that run with interrupts disabled and so the realtime-priority thread can always resume in the context-switch time.
+A somewhat softer realtime system may allow a small number of functions to be invoked from compartments that are exposed to lower-priority threads.
+These functions would be audited to ensure that their worst-case execution time didn't cause realtime components to miss their guarantees.
+At the weakest extreme, global forward progress is purely a best-effort objective and any compartment may be allowed to call functions that have no guarantees on bounded execution time and run with interrupts disabled.
+
+We expect that compartments may be provided by untrusted third parties and so it is important that every cross-compartment interaction is amenable to auditing.
+In particular, the linker can see everything that the loader will set up and the loader is required to explicitly grant access to a compartment for every:
+
+\begin{itemize}
+ \item MMIO region that a compartment has access to.
+ \item Cross-compartment entry point that a compartment exposes (and its interrupt status on entry).
+ \item Internal function that a compartment may run with interrupts disabled.
+ \item Cross-compartment call that a compartment may perform to another compartment.
+ \item Shared library routine that a compartment may invoke.
+\end{itemize}
+
+This is sufficient to retrieve a complete graph of cross-compartment communication, including which compartments may be running with interrupts disabled.
+This provides tools for firmware integrators to write policies such as:
+
+\begin{itemize}
+ \item Only the specific code that the regulator approved may communicate directly with this device.
+ \item Any code may run on the device but only the TLS compartment may talk to the network stack and only a compartment that exposes a small set of well-defined APIs may call the TLS stack.
+ \item There must be no interaction between any of the compartments managing service A and the compartments managing service B on the device, except yielding via the scheduler.
+\end{itemize}
+
+\section{Compartments define spatial ownership}
+
+At its most reductionist, a \cherimcuos{} compartment is defined by two registers:
+
+\begin{description}
+ \item[\PCC] is the program-counter capability, which is used to reach code and read-only globals.
+ \item[\CGP] is the capability global pointer, which is used to reach read-write globals.
+\end{description}
+
+These define a set of code and data that represents a compartment.
+A compartment is a single security context.
+While running in a compartment, any code in the memory reachable by \PCC{} may be executed, any data in that memory may be read, and any data in the globals reachable from \CGP{} may be read or written.
+
+Note, in particular, that compartments are responsible for enforcing an object abstraction on top of their global memory.
+The C/C++ compiler will automatically insert bounds when the address of a global is taken but an assembly programmer in a compartment is able to reach any globals.
+Our security model assumes that all code within a compartment trusts all other code within that compartment.
+
+\section{Threads define temporal ownership}
+
+A \cherimcuos{} thread is a schedulable entity that owns a stack, a trusted stack, and a register set.
+When a thread is scheduled, it owns the microcontroller's register file.
+When it is suspended, the register file is stored in a register save area.
+
+Each thread is isolated from other threads.
+The \cherimcuisa{} provides a simple 2-bit information-flow enforcement mechanism in the form of the global bit and the store-local permission.
+Capabilities without the global bit can be stored only via capabilities that have the store-local permission.
+In \cherimcuos{}, only three types of memory have the store-local permission:
+
+\begin{description}[before={\renewcommand\makelabel[1]{\textbf{##1},}}]
+ \item[Stacks] reachable from a running thread's \CSP{} and any capabilities derived from this (address-taken stack allocations).
+ \item[Register save areas] reachable only from a special capability register (SCR) that are used to store a thread's state on context switch.
+ \item[Trusted stacks] reachable only from a SCR, which are used to save and restore the stack pointer on compartment switch (more on this later).
+\end{description}
+
+Of these, normal compartment code has access only to the stack.
+The latter two are a single allocation that is reached via a SCR.
+The switcher is the only code that runs (after the loader has exited) with the rights to access this SCR.
+Threads' register files and stacks dynamically define a set of reachable objects.
+\nwfnote{That last sentence is a bit of a non-sequitur for this paragraph.}
+
+\section{Execution at the intersection of threads and compartments}
+
+Threads do not own code and compartments do not own a register file.
+Execution requires (at least) both of these and happens when a thread is scheduled to run within a specific compartment.
+Each thread starts at an entry point within a compartment and execution continues within that compartment until either the thread calls another compartment or a context switch invokes another thread.
+
+This means that running code always has access to the code for the current compartment, the globals for the current compartment, the part of a thread's stack and register state associated with the current compartment invocation..
+Two threads might be in the same compartment at the same time (one of them preempted or yielded, the other running), if the compartment permits this.
+If two threads enter the same compartment (either at the same time or sequentially) then they will see the same set of globals and can use them to communicate.
+
+\nwfnote{Perhaps this sentence should begin ``The loader ensures that globals'' or such... and it's not just caps derived from \CGP{} but also those (transitively) reachable from it, right?}
+Globals (more specifically, capabilities derived from the value in the \CGP{} register) do not have store-local and so it is not possible to construct a capability that is reachable from a global and which points to a stack allocation.
+This gives strong cross-thread isolation.
+If a thread enters a compartment that is compromised, a thread running compromised code within that compartment cannot tamper with the victim thread's stack or register file and must use data-oriented attacks from data reachable from globals.
+
+\section{Compartment switches enforce compartment isolation}
+
+Cross-compartment calls require that a thread loses access to one compartment and gains access to another.
+CHERI provides a \textit{sealing} mechanism to build this kind of model.
+We use this with an explicit compartment switcher to build a robust compartment invocation mechanism for embedded systems.
+
+When a thread wishes to invoke another compartment, it loads two capabilities from its import table (see Chapter~\ref{chap:abi}).
+The first is a sealed capability to a structure describing the entry point in the callee.
+The second is a \textit{sentry} capability to the compartment switcher.
+The sealed capability is passed in a register when the sentry capability is called.
+
+A CHERI sentry is a capability that can be jumped to but cannot be used for any other operations.
+The \cherimcuisa{} extends this by allowing different kinds of sentry to control interrupt state.
+The sentry for the compartment switcher implicitly disables interrupts on entry to the switcher, which makes it easier to reason about the execution flow within the switcher.
+
+The compartment switch routine unseals the target capability and uses it to find the \PCC{} and \CGP{} of the target compartment, and the offset within the \PCC{}.
+It can then construct a target to invoke.
+In addition, it reads the number of registers that the callee expects to have passed (which it uses to zero unused argument registers) and the interrupt status for the callee (which it uses to reenable interrupts immediately prior to invocation, if required).
+The RV32E ABI defines only two callee-save registers.
+The switcher saves these onto the trusted stack and then zeros all non-argument registers except for \CGP{} and \CSP{}, which have special handling.
+
+In addition to these steps, the compartment switcher is responsible for preventing the stack from being used to leak data between compartments (other than via explicit arguments).
+This requires several steps.
+First, the stack passed in the \CSP{} register must be shrunk to allow CHERI's spatial bounds protection to prevent any access by the callee to the caller's portion of the stack.
+Second, both before a call and before completing the return transition, the compartment switcher zeroes the portion of the stack that is made available to the callee.
+Zeroing the stack seems expensive but recall that in embedded systems a 2 KiB stack is considered \textit{very} large.
+Our stacks are typically 1 KiB.
+With a 33-bit memory bus, we need 256 stores (in the worst case) to zero the whole thing.
+That's more expensive than a function call, but not vastly so.
+\nwfnote{Perhaps a footnote referencing \cite{huyghebaert:uninitcaps} as a possible architectural extension to speed this up?
+(Of note, if not proposed in the paper, csetbounds on an uninit cap could always give an initialized capability, which should limit the impact on the compiler?)}
+
+At the end of a compartment transition, the new compartment has access to:
+
+\begin{itemize}
+ \item Its own code (\PCC)
+ \item Its own globals (\CGP)
+ \item A portion of the thread's stack, excluding any frames owned by the caller, and full of zeroes.
+ \item Any memory pointed to by argument capability registers, passed explicitly from the caller.
+\end{itemize}
+
+On return, any temporary state is cleared and the caller has access only to explicit return capabilities.
+
+This does not prevent one compartment from having access to another compartment's globals, but there are legitimate reasons for wanting this.
+For example, a compartment may derive a read-only (no store permission) capability to one of its globals and use that to cheaply broadcast state updates to subscribers.
+
+\section{Context switches enforce thread isolation}
+
+Context switches happen as a result of an interrupt (including synchronous aborts / exceptions).
+The context switcher code saves the register file into a save area pointed to by a SCR.
+The register save area and the trusted stack are both reached by the same SCR and the two switchers (thread and compartment) are the only code in the system that runs with permission to access this register after the loader has finished.
+
+The context switch routine (part of the switcher's approximately 300 instructions) is the only code that is able to violate thread isolation.
+It has access to two threads simultaneously:
+
+\begin{itemize}
+ \item The stack pointed to by \CSP{} on entry to the interrupt handler.
+ \item The stack that the scheduler will use, loaded from a read-only global in the switcher's \PCC{}.
+\end{itemize}
+
+Before invoking the scheduler, the switcher will seal the capability to the register save area (from which the stashed \CSP{} is reachable) and pass it as an argument into the scheduler.
+The scheduler is therefore in the TCB for availability but, crucially, not for confidentiality or integrity.
+
+The scheduler runs with interrupts disabled and selects the next thread to run, returning a (sealed) capability to the register save area to the switcher.
+This must be sealed with the object type that the switcher expects.
+The loader guarantees that nothing except the switcher has a permit-seal capability for that type and so the scheduler is able only to provide register save areas that were previously provided by the loader or the switcher.
+
+The current \cherimcuos{} scheduler is a very simple priority scheduler that does round-robin scheduling within a priority level.
+A more complex one could be added for use cases that need something more complex without changing the security model.
+Conversely, an even simpler scheduler that exposes a less rich set of inter-thread communication primitives could be used for safety-critical systems.
+
+The scheduler is a compartment just like any other and so can expose more complex scheduling operations such as message queues as cross-compartment calls that then explicitly yield.
+
+\section{Adding shared libraries}
+
+In a compartmentalized system it is very common to have routines that are required from many different compartments.
+This is trivial to support by duplicating the code into all compartments that use it.
+On large systems with a memory-management unit it's possible to logically duplicate the code in the virtual address space without duplicating it in the physical address space.
+This is not possible on a system such as ours, without any virtual memory support.
+
+Instead, \cherimcuos{} provides a shared-library abstraction that is designed to work in concert with our compartmentalization model.
+A shared library is much like half of a compartment: it may contain code and read-only data (\PCC) but may not contain read-write globals and so runs with the \CGP{} of the caller.
+A function in a shared library runs with the context of the caller and so invoking a shared-library function does not need to go via the compartment switcher.
+
+Cross-library calls, as with cross-compartment calls, must change \PCC{} to a specific location in another block of code.
+This is enforced by the loader providing callers with a sentry capability to the jump target.
+This prevents the caller from being able to jump to arbitrary points in a shared library.
+It also allows shared libraries to expose routines that run with interrupts disabled.
+For example, on a core that doesn't provide native atomics, we can expose atomic-increment functions that perform a simple read-modify-write with interrupts disabled, without having to go via the compartment switcher.
+
+
diff --git a/archdoc/chap-compressed-changes.tex b/archdoc/chap-compressed-changes.tex
new file mode 100644
index 0000000..f495c18
--- /dev/null
+++ b/archdoc/chap-compressed-changes.tex
@@ -0,0 +1,26 @@
+\chapter{Proposed compressed instruction encoding changes}
+\label{chap:c-changes}
+
+\cref{sec:c-extension} introduces changes to map certain compressed instructions to their CHERI counterparts, without changing the encoding of compressed instructions themselves.
+This brings minimum changes to the instruction decoder of an existing RISC-V CPU.
+However, further code size reduction can be achieved if we take advantage of the extra register index bits freed up by RV32E, or if we drastically redesign certain encodings in C extension entirely.
+
+\section{Compressed \asm{CMove} and \asm{CIncAddr}}
+The compiler generates \asm{CMove} and \asm{mv} to copy registers for capabilities and integers respectively.
+While \asm{mv} has a compressed \asm{c.mv} counterpart, \asm{CMove} does not.
+Move instructions are often used to shuffle registers among argument, temporary and callee-saved registers for function calls, taking a significant proportion of the code size.
+
+We take advantage of the freed bits from RV32E and use one bit to differentiate between \asm{c.CMove} and \asm{c.mv}.
+Initial code size investigations show a reduction of 5\%, which is significant.
+An alternative for \asm{c.CMove} is to conflate \asm{c.CMove} with \asm{c.mv}, which requires no extra bits from RV32E.
+However, implications of this conflation on ABI, architectural state and compiler have not been investigated.
+
+Similarly, the extra bit in \asm{c.addi} can encode \asm{c.CIncAddr}.
+The benefit of a \asm{c.CIncAddr} is less significant, at around 1-2\%.
+
+\section{Three-operand compressed instructions}
+Currently, RISC-V compressed instructions take at most two operands, with certain instructions having full 5-bit register indices to address all 32 registers.
+Initial prototyping suggests that sacrificing the ability to address all registers and reducing immediate ranges to increase the number of operands gives further code size reduction.
+Increasing the number of operands increases the chance of pattern-matching uncompressed instructions with compressed ones, and the code size reduction outweighs the number of instructions that can no longer be compressed with a smaller immediate or register index.
+We currently see another 1-2\% reduction on top of compressed \asm{c.CMove} and \asm{c.CIncAddr}.
+However, this is a drastic ISA change and needs further investigation for justification.
diff --git a/archdoc/chap-encoding-sail.tex b/archdoc/chap-encoding-sail.tex
new file mode 100644
index 0000000..ce7feb0
--- /dev/null
+++ b/archdoc/chap-encoding-sail.tex
@@ -0,0 +1,72 @@
+
+\chapter{Sail listings for capability encoding}
+\label{chap:sailenc}
+
+This chapter contains Sail types and functions that implement the
+capability encoding scheme.
+
+\medskip
+\sailRISCVtype{EncCapability}
+
+\medskip
+\sailRISCVtype{Capability}
+
+\medskip
+\label{sailRISCVzencCapabilityToCapability}
+\sailRISCVfnencCapabilityToCapability
+
+\medskip
+\sailRISCVfncapToEncCap
+
+\medskip
+\sailRISCVfngetCapBoundsBits
+
+\medskip
+\sailRISCVfnsetCapBounds
+
+\medskip
+\sailRISCVfngetRepresentableAlignmentMask
+
+\medskip
+\sailRISCVfngetRepresentableLength
+
+\section{SMT validation of properties of the capability encoding}
+
+The Sail compiler can translate Sail code into a Satisfiability Modulo Theories
+(SMT) problem that can be given to a solver such as CVC4 or Z3 to check whether
+a given function returns true for all input values. We have used this to
+check important properties of the capability encoding as implemented in Sail.
+
+Some helper functions are used in the Sail properties:
+
+\medskip
+\sailRISCVfn{encodeDecode}
+
+\medskip
+\sailRISCVfn{capEncodable}
+
+The following functions have been checked to return true for all inputs.
+
+\medskip
+\sailRISCVfn{prop\_decEnc}
+
+\medskip
+\sailRISCVfn{prop\_andperms}
+
+\medskip
+\sailRISCVfn{prop\_setbounds}
+
+\medskip
+\sailRISCVfn{prop\_setbounds\_monotonic}
+
+\medskip
+\sailRISCVfn{prop\_setaddr}
+
+\medskip
+\sailRISCVfn{prop\_repbounds\_c}
+
+\medskip
+\sailRISCVfn{prop\_repbounds}
+
+\medskip
+\sailRISCVfn{prop\_crrl\_cram}
\ No newline at end of file
diff --git a/archdoc/chap-intro.tex b/archdoc/chap-intro.tex
new file mode 100644
index 0000000..78ca19a
--- /dev/null
+++ b/archdoc/chap-intro.tex
@@ -0,0 +1,158 @@
+\chapter{Introduction}
+
+The \cherimcu{} (Capability Hardware Extension to RISC-V for Internet of Things, pronounced like 'chariot') design is heavily based on prior work by the CHERI project.
+Our RISC-V extension is based on the CHERI ISAv8\cite{UCAM-CL-TR-951} and would not have been possible without this work.
+
+This document describes the current status of the \cherimcuisa{}.
+This ISA is not intended to be a final CHERI specification for embedded RISC-V devices but is a work-in-progress that is sufficiently close to final that feedback is valuable.
+In particular, the current C extension to RISC-V makes a number of optimization decisions that are not useful in a CHERI context and so we would likely benefit from an alternative (as yet unspecified) 16-bit instruction extension for embedded CHERI targets.
+
+The \cherimcu{} project would not have been possible without the existing ``big CHERI'' research~\cite{UCAM-CL-TR-951,Davis_CheriABIEnforcingValid_2019},
+exploration of green-field CHERI-aware operating systems~\cite{esswood:cherios},
+and work to adapt CHERI software models to embedded systems~\cite{xia:cherirtos,xia:capprotembed,almatary:compartos,almatary:thesis}.
+This ISA attempts to scale CHERI down yet further, into smaller embedded systems than previously considered;
+we have taken the opportunity to simultaneously design our ISA, compartment model, programmer model, compiler, and RTOS~\cite{cheriot-rtos}.
+The capability encoding and instruction set have been tuned to enable this use and validated by running existing embedded software in compartments.
+Curious readers are invited to see our study of related works in \cref{app:related}.
+
+This document describes:
+
+\begin{itemize}
+ \item The RISC-V ISA extension (\cref{part:isa}).
+ \item The compartment model that the ISA is intended to support (\cref{chap:compartmentmodel}).
+ \item The RTOS implementation used to enforce the model (\cref{chap:rtos})
+ \item The language extensions used to expose this model to developers (\cref{chap:language}).
+ \item The ABI used to implement the compartment model (\cref{chap:abi}).
+\end{itemize}
+
+Performance, power, and area costs for the implementation are not part of this and will be presented in a follow-up publication.
+
+\section{The \cherimcuos{} Model}
+
+Because the ISA given here is the result of simultaneous design with software, we will often refer to software concepts for motivation or justification of design choices.
+Particularly central to the discussion are the notions of memory safety, compartments, and threads.
+We provide coarse definitions here and will refine them as we continue.
+
+A \defn{thread} is a schedulable entity associated with a general-purpose register file and a designated region of memory for use as a call stack.
+Threads are either running, in which case their register file is the CPU's, or suspended, in which case the register file is saved to memory for later use.
+
+A system is said to be \defn{memory safe} if its references to memory are:
+%
+\begin{description}
+
+ \item[Unforgeable] A reference to memory (in particular, the authority to access memory) can be constructed only from other references.
+
+ \item[Monotonic] A constructed reference will have no more authority than its progenitor reference(s) (and may have less).
+
+ \item[Spatially Safe] References to memory authorize access to a set of memory locations determined when the reference is constructed.
+
+ \item[Temporally Safe] References to a region of memory will not remain usable across \emph{reuse} of memory for a different allocation.
+
+\end{description}
+%
+\cherimcu{} is based on CHERI and so language-level references are expected to compile down to CHERI capabilities.
+We may gloss over subtle distinctions and conflate the terms ``capability,'' ``pointer,'' and ``reference.''
+
+A \defn{compartment} is a collection of code, data, and capabilities that serves as an invocable security context.
+Compartments statically export \keyword{entry-points}, which may be statically imported by other compartments or passed as opaque \keyword{cross-compartment function pointers}.
+A compartment they (statically or dynamically) imports an entry point may then invoke it to perform a \keyword{cross-compartment call}.
+Such calls are synchronous and transition the calling thread from one compartment to another.
+The thread's stack is used, with appropriate bounds adjustment, in both the caller and callee compartment.
+
+\section{Security goals}
+
+We aim to provide a minimal TCB that can run user software (including third-party code) in compartments.
+These compartments are not part of the TCB and are assumed to have a mutual distrust relationship with each other.
+
+We define a set of security guarantees that apply to all untrusted compartments.
+These guarantees are enforced by three system components, which form the TCB for confidentiality and integrity.
+These components are:
+
+\begin{description}
+ \item[The loader,] which is responsible for setting up all of the initial capabilities for everything in the system.
+ This never accesses any data that was not part of the initial firmware image.
+ \item[The switcher,] which is responsible for transitions between compartments and between threads.
+ This is around 300 instructions in hand-written assembly.
+ \item[The memory allocator,] which is responsible for providing the hardware with the information required to enforce heap memory safety.
+\end{description}
+
+The code in these components must be carefully audited.
+
+An embedded system may have user-provided components that run at the highest priority level, with interrupts disabled.
+Any code that runs with interrupts disabled is part of the TCB for availability.
+
+\TODO{rn: general thought that the following sections read less like goals and more like description of the implementation.}
+
+\subsection{Heap memory safety}
+
+\cherimcuos{} provides a \defn{heap}, a system-provided compartment with dedicated memory to which it grants other compartments dynamic, temporary access.
+
+The allocator ensures that the capabilities it gives out have bounds that do not overlap any other allocation, and so the CHERI bounds checks enforce spatial memory safety.
+Heap memory is also temporally safe: no heap memory will be reused until the system has ensured that all dangling pointers to it are deallocated.
+The hardware provides a guarantee that no capability can be loaded if the memory allocator has marked the memory it points to as deallocated.
+This mechanism is described in detail in Section \ref{sec:temporal}.
+A revocation service (which can be implemented in hardware or software) periodically scans all memory and deletes capabilities that point to revoked memory.
+
+The memory allocator is part of the TCB as it could violate confidentiality and integrity in a number of ways.
+It holds a capability to the entire heap and so, in principle, can violate confidentiality of heap contents either directly or by failing to clear memory before issuing an allocation in reused space.
+Similarly, it can violate integrity by directly using or improperly revealing capabilities held within heap memory.
+It can violate spatial safety by not correctly bounding capabilities it returns.
+Finally, it could violate temporal safety by either not marking freed objects as deallocated or by un-marking the memory and reusing it before revocation.
+
+However, despite all that, the memory allocator does not hold capabilities to normal compartment memory, only to region(s) reserved for the heap it manages.
+As such, even a completely compromised memory allocator can violate safety properties of the heap only; it cannot directly violate memory safety for non-heap memory.
+
+\subsection{Local stack memory safety}
+
+Allocations on a thread's stack are bounded by CHERI capabilities -- the compiler generates instructions to derive these capabilities from the stack capability -- but are not guaranteed to be temporally safe.
+
+However, \cherimcuisa{} and \cherimcuos{} have mechanisms to ensure that capabilities to stack allocations can not be stored anywhere other than on the stack to which they point (which may include address-taken allocations on the caller's portion of the stack).
+In practice, this means that violating stack temporal safety is very difficult: stack-derived capabilities cannot be stored onto the heap or into a global (it will deliver a trap).
+Therefore, the only way of having a stack pointer outlive the allocation is to store it through another stack-derived pointer that points to a higher frame or return it directly in a register.
+
+% First, capabilities contain a bit distinguishing so-called ``global'' capabilities from ``local'' ones.
+% Second, the capability permission to store a capability through another comes in two flavors: all capabilities or just global ones.
+% Stack capabilities are ``local'' in this sense and have permission to store all capabilities, whereas, for example, capabilities to heap allocations or global data are ``global'' in this sense but have permission to store \emph{only} global capabilities.
+
+\subsection{Cross-compartment stack memory safety}
+
+During a cross-compartment call, the thread and its stack transition security contexts.
+The stack bounds are restricted so that the callee has no access to the caller’s stack, except via capabilities that are explicitly passed as arguments.
+This suffix of stack memory accessible to the callee is zeroed both on call and on return, which prevents any information leak from uninitialized memory.
+The implicit stack pointer and stack-derived arguments provided by the caller are the only pointers that are both held by a compartment and capable of storing other stack-derived pointers.
+
+\subsubsection{Lexically-Scoped Delegation}
+
+\cherimcuisa{}'s capability permission scheme allows software to derive variants of capabilities that can be stored only to stack memory.
+Additionally, \cherimcuisa{} can impose this derivation \emph{transitively} per capability: any capability loaded via such a capability becomes another such and, so, will impose the same on those loaded through it, and so on.
+
+These two mechanisms allow for \defn{lexically-scoped delegation}: a calling compartment may, for any capability it holds, construct a variant that can only be stored to the stack and can load only capabilities that can be stored only to the stack.
+Passing this derived capability to the callee ensures that the callee compartment cannot capture either the passed capability or any loaded through it in memory not visible to (and mutable by) the caller after return.
+
+% Removing the global permission prevents the callee from storing the pointer anywhere other than its own stack.
+% Removing the indirect-load-global permission enforces this on any pointers transitively loaded from the original delegated pointer.
+
+\subsection{Global memory safety}
+All objects with static storage duration are compartment-local and are visible to any thread executing within a compartment.
+Memory safety for globals is therefore advisory (untrusted code can simply access the global capability directly).
+The compiler will insert bound for any address-taken global.
+Immutable objects with static storage duration are derived from \PCC{} (with the execute permission removed) and so cannot be written to.
+
+\subsection{Higher-level security properties}
+
+The local security properties outlined above are used to build isolation between threads and compartments.
+This leads to the following high-level security goals:
+
+\begin{itemize}
+ \item No compartment should be able to access another compartment's data, except where explicitly shared.
+ \item No thread should be able to access another thread's data, except where explicitly shared.
+\end{itemize}
+
+Compartments that have not been explicitly granted the rights to run with interrupts disabled should also not be able to impact availability.
+
+\subsection{Threat model}
+
+We assume that code running in a compartment is untrusted.
+As such, an attacker is assumed to have the ability to execute arbitrary code within a compartment.
+It is not possible to prevent programmers from introducing bugs but we aim to provide a set of tools that will make it easy to write code in a compartment that is able to protect itself from another attacker-controlled compartment that can invoke its entry points.
+
diff --git a/archdoc/chap-isaref-riscv.tex b/archdoc/chap-isaref-riscv.tex
new file mode 100644
index 0000000..ea921d6
--- /dev/null
+++ b/archdoc/chap-isaref-riscv.tex
@@ -0,0 +1,314 @@
+\chapter{Instruction reference}
+\label{chap:isaref-riscv}
+
+\input{def-riscv-insns}
+\def\rvcheriasminsnref#1{#1}
+\def\rvcheriasminsnnoref#1{#1}
+\providecommand{\rvcheriasmfmt}{}
+\renewcommand{\rvcheriasmfmt}[2][]{%
+ #2%
+ \ifthenelse{\equal{#1}{}}{%
+ }{%
+ ~{\textit{\footnotesize{(#1)}}}%
+ }%
+}
+
+In this chapter, we specify each instruction via both informal descriptions
+and code in the Sail language.
+To allow for more succinct code descriptions, we rely on a number of
+common function definitions and constants also described in this chapter.
+
+\section{Sail language used in instruction descriptions}
+\label{sec:sail-language-description}
+The instruction descriptions contained in this chapter are accompanied
+by code in the Sail language~\cite{sail-popl2019,sail-url} taken from the
+\cherimcu{} Sail implementation~\cite{cheriot-sail}, which is derived from the CHERI-RISC-V Sail
+implementation~\cite{sail-cheri-riscv}.
+Sail is a domain specific imperative language designed for describing
+processor architectures. It has a compiler that can output executable
+code in OCaml or C for building executable models, and can also
+translate to various theorem prover languages for automated reasoning
+about the ISA.
+The following is a brief description of the Sail language features used in document.
+For a full description see the Sail language documentation~\cite{sail-url}.
+
+Types used in Sail:
+
+\label{sailMIPSzbits}
+\label{sailRISCVzbits}
+\begin{itemize}
+\item \isail{int} Sail integers are of arbitrary precision (therefore there are no overflows) but can be constrained using simple first-order constraints. As a common case integer range types can be defined using \isail{range(a,b)} to indicate an integer in the range $a$ to $b$ inclusive. Operations on integers respect the constraints on their operands so, for example, if \isail{x} and \isail{y} have type \isail{range(a, b)} then \isail{x + y} has type \isail{range(a + a, b + b)}.
Integer literals are written in decimal.
+\item \isail{bits(n)} \label{zbits} is a bit vector of length \isail{n}. Vectors are indexed using square bracket notation with index 0 being the least significant bit. Arithmetic and logical operations on vectors are defined on two vectors of equal length producing a result of the same length and truncating on overflow. Where signedness is significant it is indicated in the operator name, for example \isail{<_s} performs signed comparison of bit vectors . Bit vector literals are written in hexadecimal for multiples of four bits or in binary with \isail{0x} or \isail{0b} prefixes, e.g. \isail{0x3} means `0011' and \isail{0b11} means `11'. The at symbol, \isail{@}, indicates concatenation of vectors.
+\item \isail{structs} are similar to C structs with named, typed fields accessed with a dot as in \isail{struct_val.field_name}. Struct copying with field updates is also supported as in \isail{\{struct_val with field_name=new_val\}}.
+\item Registers in Sail contain the architectural state that is modified by instruction execution. By convention register names in the CHERI specification start with a capital letter to distinguish them from local variables. Sail also supports a form of `assignment' to function calls as in \isail{wGPR(rd) = result}. This is just syntactic sugar for an extra argument to the function call. This syntax is used by functions that write registers or memory and have special behavior such as \isail{wGPR}, \isail{writeCapReg} and \isail{MEMw}.
+\end{itemize}
+
+The following operators and expression syntax are used in the Sail code:
+
+\begin{itemize}
+\item \label{sailRISCVznot}\label{sailMIPSznot}Boolean operators:
+\isail{not}, \isail{|} (logical OR), \isail{&} (logical AND), \isail{^} (exclusive OR)
+
+\item Integer operators:
+\isail{+} (addition), \isail{-} (subtraction), \isail{*} (multiplication), \isail{\%} (modulo)
+
+Sail operations on integers are the usual mathematical operators.
Note \isail{a \% b} is the modulo operator that, for $b > 0$ returns a value in the range $0$ to $b-1$ regardless of the sign of $a$. Although Sail integers are notionally infinite in range, CHERI instructions can be implemented with finite arithmetic.
+
+\item Bit vector operators:
+\isail{&} (bitwise AND), \isail{<_s} (signed less than), \isail{@} (bit vector concatenation)
+
+\item Equality:
+\isail{==} (equal), \isail{!=} (not equal)
+
+\item Vector slice:
+
+ \isail{v[a..b]}
+
+Creates a sub-range of a vector from index $a$ down to $b$ inclusive.
+
+\item Local variables:
+
+ \isail{mutable_var = exp;} \\
+ \isail{let immutable_var = exp;}
+
+Mutable variables are introduced by simply assigning to them (optionally prefixed with keyword \isail{var}). An explicit type may be given following a colon, but types can usually be inferred. Sail supports mutable or immutable variables where immutable ones are introduced by \isail{let} and assigned only once when created.
+
+\item Functional if:
+
+\isail{if cond then exp1 else exp2}
+
+May return a value, similar to C ternary operator.
+
+
+\item Foreach loop:
+
+% XXX: for som reason sail generates a link to "to" for ccleartags/cloadtags
+\begin{lstlisting}[language=sail,label=sailMIPSzto]
+foreach(i from start_exp to end_exp) {
+ body
+};
+\end{lstlisting}
+
+\item Function invocation:
+
+\isail{func_id (arg1, arg2)}
+
+\item Field selection from struct:
+
+ \isail{struct\_val.field}
+
+Returns the value of the given field from structure.
+
+\item Functional update of structure:
+
+\isail{\{struct\_val with field=exp\}}
+
+A copy of the structure with the named field replaced with another value.
+
+\end{itemize}
+
+\section{Constant Definitions}
+The following constants are used in various type and function definitions throughout the specification.
+
+\medskip
+% Note: we can use \sailRISCVtype{foo\_bar} instead after rems-project/sail#100
+\phantomsection\label{sailRISCVzxlen}
+\sailRISCVtype{xlen}
+\sailRISCVtypecapAddrWidth{}
+\sailRISCVtypecapLenWidth{}
+\sailRISCVtype{cap\_E\_width}
+\sailRISCVtype{cap\_cE\_width}
+\sailRISCVtype{cap\_max\_E}
+\sailRISCVtypecapSizze{}
+\sailRISCVtypecapMantissaWidth{}
+\sailRISCVtype{cap\_perms\_width}
+\sailRISCVtype{cap\_cperms\_width}
+\sailRISCVtype{cap\_otype\_width}
+\sailRISCVtype{cap\_cotype\_width}
+\sailRISCVtype{log2\_revocation\_granule\_size}
+
+% FIXME: These extra labels are required to allow markdown saildoc references such as [cap_uperms_width] to work correctly.
+% \phantomsection\label{sailRISCVzcapzyotypezywidth}
+
+\section{Function Definitions}
+
+This section contains descriptions of convenience functions used by the Sail code featured in this chapter.
+
+\subsection*{Functions for integer and bit vector manipulation}
+
+The following functions convert between bit vectors and integers and manipulate bit vectors:
+
+\medskip
+\sailRISCVval{unsigned}
+\sailRISCVval{signed}
+\sailRISCVval{to\_bits}
+% Technically this is not a vector, but it seems appropriate to put these together
+\sailRISCVval{bool\_to\_bit}
+\sailRISCVval{bool\_to\_bits}
+\sailRISCVval{truncate}
+\sailRISCVval{truncateLSB}
+\sailRISCVval{pow2}
+\sailRISCVval{align\_down}
+
+% The following are overloads so we can't easily use the generated latex
+% Hacky hspace to get rid of unwanted hangindent
+
+\phantomsection
+\label{sailRISCVzEXTZ}
+\saildocval{Adds zeros in most significant bits of vector to obtain a vector of desired length.}{\hspace{-\parindent}\isail{EXTZ}}
+
+\label{sailRISCVzEXTS}
+\saildocval{Extends the most significant bits of vector preserving the sign bit.}{\hspace{-\parindent}\isail{EXTS}}
+
+\label{sailRISCVzzzeros}
+\saildocval{Produces a bit vector of all zeros}{\hspace{-\parindent}\isail{zeros}}
+
+\label{sailRISCVzones}
+\saildocval{Produces a bit vector of
all ones}{\hspace{-\parindent}\isail{ones}}
+
+\subsection*{Types used in function definitions}
+
+\sailRISCVtype{CapBits}
+\sailRISCVtype{CapAddrBits}
+\sailRISCVtype{CapLenBits}
+\sailRISCVtype{CapPermsBits}
+% \sailRISCVtype{Capability}
+% \medskip
+% \noindent
+Many functions also use \isail{struct Capability}, a structure holding a
+partially-decompressed representation of CHERI capabilities.
+%
+% The following functions can be used to convert between the structure
+% representation and the raw capability bits:
+
+% \medskip%
+% \sailRISCVval{capBitsToCapability}
+% \sailRISCVval{capToBits}
+
+\subsection*{Functions for reading and writing register and memory}
+
+%\label{sailRISCVzC}
+\begin{lstlisting}[language=sail,label=sailRISCVzC]
+C(n) : regno -> Capability
+C(n) : (regno, Capability) -> unit
+\end{lstlisting}
+The overloaded function \isail{C(n)} is used to read or write capability register \isail{n}.
+
+\begin{lstlisting}[language=sail,label=sailRISCVzX]
+X(n) : regno -> xlenbits
+X(n) : (regno, xlenbits) -> unit
+\end{lstlisting}
+The overloaded function \isail{X(n)} is used to read or write integer register \isail{n}.
+
+\medskip
+% \sailRISCVval{memBitsToCapability}
+% \sailRISCVval{capToMemBits}
+\sailRISCVval{mem\_read\_cap}
+\sailRISCVval{mem\_read\_cap\_revoked}
+\sailRISCVval{mem\_write\_ea\_cap}
+\sailRISCVval{mem\_write\_cap}
+
+\subsection*{Functions for ISA exception behavior}
+\sailRISCVval{handle\_exception}
+\sailRISCVval{handle\_illegal}
+\sailRISCVval{handle\_mem\_exception}
+\sailRISCVval{handle\_cheri\_cap\_exception}
+\sailRISCVval{handle\_cheri\_reg\_exception}
+
+\medskip
+% \sailRISCVval{privLevel\_to\_bits}
+\sailRISCVval{min\_instruction\_bytes}
+
+\medskip
+\sailRISCVval{legalize\_epcc}
+\sailRISCVval{legalize\_tcc}
+
+% TODO: \subsection*{Functions for control flow}
+
+
+\subsection*{Functions for manipulating capabilities}
+
+The Sail code abstracts the capability representation using the following functions for getting and setting fields in the capability.
+The base of the capability is the address of the first byte of memory to which it grants access and the top is one greater than the last byte, so the set of dereferenceable addresses is:
+\[
+\{ a \in \mathbb{N} \mid \mathit{base} \leq a < \mathit{top}\}
+\]
+Note that the capability format can encode $\mathit{top}$ of $2^{32}$, meaning the entire 32-bit address space can be addressed.
+
+\medskip
+\sailRISCVval{getCapBounds}
+\sailRISCVval{getCapBaseBits}
+\sailRISCVval{getCapTop}
+\sailRISCVval{getCapLength}
+\sailRISCVval{inCapBounds}
+
+\noindent The following functions adjust the bounds and address of capabilities.
+Not all combinations of bounds and address are representable, so these functions return a boolean value indicating whether the requested operation was successful.
+Even in the case of failure a capability is still returned, although it may not preserve the bounds of the original capability.
+
+\medskip
+\sailRISCVval{setCapBounds}
+\sailRISCVval{setCapAddr}
+\sailRISCVval{incCapAddr}
+% \sailRISCVval{setCapOffset}
+% \sailRISCVval{incCapOffset}
+
+\medskip
+\sailRISCVval{getRepresentableAlignmentMask}
+\sailRISCVval{getRepresentableLength}
+
+\medskip
+\arnote{TODO: short description of sealing and unsealing}
+\sailRISCVval{sealCap}
+\sailRISCVval{unsealCap}
+\sailRISCVval{isCapSealed}
+% \sailRISCVval{hasReservedOType}
+\sailRISCVval{clearTag}
+\sailRISCVval{clearTagIf}
+\sailRISCVval{clearTagIfSealed}
+
+\noindent
+The architectural permissions as described in \cref{sec:perms} are accessed using the following functions:
+
+\medskip
+\sailRISCVval{getCapPerms}
+\sailRISCVval{setCapPerms}
+
+\subsection*{Checking for availability of ISA features}
+\sailRISCVval{haveRVC}
+\sailRISCVval{haveFExt}
+
+\section{\cherimcu{} Instructions}
+
+\input{insn-riscv/auicgp}
+\input{insn-riscv/auipcc}
+\input{insn-riscv/candperm}
+\input{insn-riscv/ccleartag}
+\input{insn-riscv/cgetaddr}
+\input{insn-riscv/cgetbase}
+\input{insn-riscv/cgethigh}
+\input{insn-riscv/cgetlen}
+\input{insn-riscv/cgetperm}
+\input{insn-riscv/cgettag}
+\input{insn-riscv/cgettop}
+\input{insn-riscv/cgettype}
+\input{insn-riscv/cincoffset}
+\input{insn-riscv/cincoffsetimm}
+\input{insn-riscv/cjal}
+\input{insn-riscv/cjalr}
+\input{insn-riscv/lc} % [c]lc
+\input{insn-riscv/cmove}
+\input{insn-riscv/crepresentablealignmentmask}
+\input{insn-riscv/croundrepresentablelength}
+\input{insn-riscv/sc} % [c]sc
+\input{insn-riscv/cseal}
+\input{insn-riscv/csetaddr}
+\input{insn-riscv/csetbounds}
+\input{insn-riscv/csetboundsexact}
+\input{insn-riscv/csetboundsimm}
+\input{insn-riscv/csetequalexact}
+\input{insn-riscv/csethigh}
+\input{insn-riscv/cspecialrw}
+\input{insn-riscv/csub}
+\input{insn-riscv/ctestsubset}
+\input{insn-riscv/cunseal}
diff --git a/archdoc/chap-language-extensions.tex b/archdoc/chap-language-extensions.tex
new file mode 100644
index 0000000..3ec306c
--- /dev/null
+++ b/archdoc/chap-language-extensions.tex 
@@ -0,0 +1,70 @@
+\chapter{C/C++ language and toolchain extensions}
+\label{chap:language}
+
+In addition to the existing CHERI C/C++ extensions, we define a small number of additional extensions that are specific to \cherimcu{}.
+CHERI C is already able to compile most existing embedded code that we have tried with no modifications.
+Embedded code has to tolerate targets with Harvard architectures, different pointer sizes for different types of data, different memory banks, and so on.
+In comparison, a CHERI target is far more like a conventional ISA.
+
+We have not had to change the CHERI C model at all for code running within a compartment.
+Our extensions are focused on supporting the compartmentalization model.
+
+\section{Specifying compartments}
+
+We have added an attribute to specify the compartment that implements a given function.
+This is used in conjunction with the \flag{-cheri-compartment=} flag passed to the compiler, which specifies the compartment in which the current compilation unit will end up.
+The compiler will raise an error if the compartment name for the current compilation unit does not match the name of a function that has an implementation.
+For example, if a header file contains the following declarations:
+
+\begin{ccodelisting}
+__attribute__((cheri_compartment("example"))) void foo(int);
+__attribute__((cheri_compartment("other"))) void bar(void);
+\end{ccodelisting}
+
+If \ccode{foo} is implemented then the compiler must be invoked with \flag{-cheri-compartment=example}.
+Any call to \ccode{bar} will then be treated as a cross-domain call.
+
+This mechanism allows lightweight annotations on functions that are exposed across compilation units.
+Software that already supports a DLL-style linkage model may have macros on public functions for using this.
+Other software can easily maintain these annotations for CHERI targets with a macro that expands to nothing for non-CHERI targets.
+
+Adding \ccode{__attribute__((cheri_ccallback))} to a function marks it as a cross-compartment callback.
+Taking the address of such a function will give a pointer that can be passed across compartments and allow the recipient to recursively invoke this compartment.
+
+\section{Exposing library calls}
+
+Adding \ccode{__attribute__((cheri_libcall))} to a function marks it as a library call.
+The compiler will always generate an indirect call (via a sealing capability from the import table) for all library functions, unless the callee and caller are in the same compilation unit and have compatible interrupt states.
+
+All of the functions that the compiler may insert calls to (such as \ccode{memcpy},\ccode{`__cxa_guard_acquire}, and so on) are assumed to implicitly carry this attribute.
+The compiler must be able to insert calls to these without knowing the name of the library that provides them and so this attribute provides a single flat namespace for all such functions.
+
+\section{Controlling interrupt state}
+
+The \ccode{cheri_interrupt_state} attribute controls whether, during execution of the function, interrupts are enabled, disabled, or in whatever state there were for the caller.
+It takes a single argument, which must be either \ccode{enabled}, \ccode{disabled}, or \ccode{inherited}.
+The attribute can also be written as a C+11 / C2x-style attribute.
+For example:
+
+\begin{ccodelisting}
+// This function runs with interrupts disabled
+[[cheri::interrupt_state(disabled)]]
+int disabled(void);
+// This function runs with interrupts enabled
+__attribute__((cheri_interrupt_state(enabled)))
+int enabled(void);
+// This function runs with whatever interrupt state the caller has.
+__attribute__((cheri_interrupt_state(inherit)))
+int inherit(void);
+\end{ccodelisting}
+
+All functions that are not exposed across compartment boundaries (including library calls) default to \ccode{inherit}.
+Cross-compartment calls default to \ccode{enabled} and must be set to either \ccode{enabled} or \ccode{disabled}.
+
+\section{Linking compartments}
+
+The version of LLD used with \cherimcu{} provides a \flag{-compartment} flag for linking compartments.
+This is somewhat similar to \flag{-r}, which creates a relocatable object file.
+Linking in this mode marks all symbols except for those in the export table as local.
+Unlike \flag{-r}, COMDATs are merged when linking a compartment.
+In other respects, this is identical to \flag{-r}: relocations are not processed and will be handled in the final link step.
diff --git a/archdoc/chap-permissions.tex b/archdoc/chap-permissions.tex
new file mode 100644
index 0000000..2ec5360
--- /dev/null
+++ b/archdoc/chap-permissions.tex
@@ -0,0 +1,23 @@
+\chapter{Permission compression rationale}
+\label{chap:permissions}
+
+To devise the permission compression scheme we initially observed a number of constraints on the useful permissions combinations:
+
+\vspace{1em}
+\begin{tabularx}{\textwidth}{rX}
+$MC \rightarrow (LD \lor SD)$ & Capability read / write is not useful without a load or store permission. \\
+$LG \rightarrow (MC \land LD)$ & Load global requires load capability. \\
+$LM \rightarrow (MC \land LD)$ & Load mutable requires load capability. \\
+$SL \rightarrow (MC \land SD)$ & Store local requires store capability. \\
+$SR \rightarrow EX$ & Access system registers only applies to executable capabilities. \\
+$EX \rightarrow (MC \land LD)$ & Executable capabilities require load capability for global access. \\
+$\neg(EX \land SD)$ & Executable capabilities should not be writable, to enhance security. \\
+$\neg((SE \lor US \lor U0) \land (LD \lor SD))$ & Memory permissions should be disjoint from sealing permissions due to separate namespaces. \\
+\end{tabularx}
+\vspace{1em}
+
+If we apply all of these constraints we find there are only 33 useful permission combinations
+(excluding the global bit, which we take to be orthogonal).
+Eliminating just one of these combinations allows us to encode them using a 5-bit encoding.
+We see limited uses for write-only capabilities outside MMIO, so we chose write-only store-local as the least useful combination, leading to the encoding described in \cref{sec:perms}.
+This may be reassessed once we have a clearer picture of use cases for write-only capabilities.
diff --git a/archdoc/chap-weaknesses.tex b/archdoc/chap-weaknesses.tex
new file mode 100644
index 0000000..8591342
--- /dev/null
+++ b/archdoc/chap-weaknesses.tex
@@ -0,0 +1,82 @@
+\chapter{Known caveats}
+
+There are a small number of known caveats for developers attempting to secure a compartment.
+Future iterations may have compiler mitigations for some of these.
+
+\section{Shared stacks}
+
+Compartments invoked by the same thread all use the same stack.
+This is important for embedded systems.
+Embedded stacks are often on the order of 1 KiB in size and so requiring a separate stack segment for every thread and compartment pair would quickly exhaust memory.
+This sharing provides one useful tool for an attacker: The caller has access to all of the callee's stack prior to a call.
+
+A malicious compartment may construct a capability to a currently-unused part of the stack, which will become the callee's stack.
+It cannot stash these on the heap or in globals but it can then pass these as arguments.
+The compartment switcher will \dcnote{Real Soon Now!} check that these are not passed as direct arguments but a compartment may load a capability and corrupt its own state.
+For example, consider the following interface:
+
+\begin{ccodelisting}
+struct A
+{
+ char *outBuffer;
+ size_t length;
+};
+__attribute__((cheri_compartment("victim")))
+void copyOutSomething(const struct A *out);
+\end{ccodelisting}
+
+This API takes a structure containing a pointer to a buffer and a length and is expected to write something via this pointer.
+If the attacker sets up the \ccode{outBuffer} field to point to something on the victim's stack, then the victim may corrupt its own stack.
+The victim must check this.
+The \ccode{check_pointer} function from \file{cheri.hh} validates that pointers do not do this.
+This function takes a set of permissions that the capability must have and a size (optionally: if unspecified it assumes that the pointer must be big enough for one instance of pointee type) and returns true only if the pointer is not on the current compartment's stack, is tagged, unsealed, and has sufficient permissions.
+
+The following snippet is taken from the implementation of one of the scheduler functions.
+
+\begin{ccodelisting}
+if (!check_pointer(ret))
+{
+ return -EINVAL;
+}
+\end{ccodelisting}
+
+This ensures that the \ccode{void **ret} argument can be used to store a capability.
+If this is not the case, the function returns early.
+
+\section{Explicit leakage}
+
+Passing a pointer to a cross-compartment function call at the C level grants the callee access to the pointee data.
+Similarly, returning a pointer from a cross-compartment function call grants the caller access to the pointee.
+The ISA provides several tools for restricting this:
+
+\begin{description}
+ \item[Sealing] allows pointers to be made unusable by anyone who lacks the matching permit-unseal capability and unforgeable by anyone who lacks the matching permit-seal capability.
+ \item[Deep immutability] (the permit-load-mutable permission) provides a mechanism for passing data structures between compartments that prevents the recipient from mutating any objects reached via the initial pointer.
+ \item[Local] capabilities (shallowly local, or deeply local capabilities that lack the permit-load-global permission) provide a mechanism to prevent the callee (including any indirect callee) from capturing a pointer.
+\end{description}
+
+These tools provide a security benefit only if they are used.
+It is good practice for any compartment-owned data that is returned to a caller to be sealed.
+For example, a network stack returning a connection context should return a sealed capability.
+As a rule of thumb, if you are not writing code that is correct in the presence of every possible bit pattern for a data structure then pointers to that data structure that are shared outside of a compartment should be sealed.
+
+Any pointer that is \ccode{const} should be marked as deeply immutable.
+This is not done automatically because C and C++ both allow the \ccode{const} qualifier to be cast away.
+Any pointer-typed function argument pointer that is not expected to be captured by the callee should be marked as local.
+
+Future versions of the compiler will provide declarative annotations that implicitly drop these permissions in the caller.
+
+
+\section{Availability}
+
+In some embedded systems (most control systems), availability is a critical part of the TCB.
+In such systems, an attacker who can prevent the system from responding can do real-world damage.
+For example, preventing the brake-control system from engaging the brakes in response to a signal or preventing an emergency cut-out from being delivered can cause injury or loss of life.
+
+In such systems, the scheduler becomes part of the TCB.
+The scheduler is not trusted for confidentiality or integrity and has a limited interface to the rest of the TCB and so can potentially be replaced by something simpler for these use cases (or something formally verified to ensure that the highest-priority thread will be scheduled in a timely fashion).
+
+Similarly, any lower-priority thread that can reach a compartment that can invoke an interrupts-disabled function is part of the TCB for availability.
+It is important to carefully audit all such paths to ensure that they will not prevent interrupt delivery for long enough to violate hard realtime guarantees.
+
diff --git a/archdoc/cheri.bib b/archdoc/cheri.bib
new file mode 100644
index 0000000..078267d
--- /dev/null
+++ b/archdoc/cheri.bib
@@ -0,0 +1,16620 @@
+
+@techreport{CHERI-FM15,
+ author = {Peter G. Neumann and Robert N. M. Watson and Nirav Dave and Alexandre Joannou and Matthew Naylor and Michael Roe and Anthony Fox and Jonathan Woodruff},
+ title = {{CHERI Formal Methods, interim version 3.0}},
+ year = {2015},
+ source = {},
+ institution = {SRI International and the University of Cambridge},
+ address = {},
+}
+
+
+@article{karger:performance,
+ author = {Karger, Paul A.},
+ title = {Using registers to optimize cross-domain call performance},
+ journal = {SIGARCH Computer Architecture News},
+ volume = {17},
+ number = {2},
+ year = {1989},
+ issn = {0163-5964},
+ pages = {194--204},
+ doi = {10.1145/68182.68201},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+
+@inproceedings{demoura-etal07:VSTTE,
+ AUTHOR = {Leonardo de Moura and Sam Owre and Harald Rue{\ss} and
+ John Rushby and Natarajan Shankar},
+ TITLE = {Integrating Verification Components},
+ CROSSREF = {VSTTE07}
+}
+
+@proceedings{VSTTE07,
+ TITLE = {Verified Software:
+ Theories, Tools, and Experiments},
+ BOOKTITLE = {Verified Software:
+ Theories, Tools, and Experiments},
+ EDITOR = {Bertrand Meyer and Jim Woodcock},
+ NUMBER = 4171,
+ SERIES = {LNCS},
+ YEAR = 2008
+}
+@comment{ PUBLISHER = {Springer Verlag}, }
+
+@techreport{andrews:partitions,
+ author = {Andrews, Gregory R.},
+ title = {Partitions and Principles for Secure Operating Systems},
+ year = {1975},
+ source = {http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail\&id=oai%3Ancstrlh%3Acornellcs%3ACORNELLCS%3ATR75-228},
+ institution = {Cornell University},
+ address = {Ithaca, NY, USA},
+}
+
+@article{wulf:hydra,
+ author = {Wulf, W. and Cohen, E. and Corwin, W. and Jones, A. and Levin, R. and Pierson, C.
and Pollack, F.},
+ title = {{HYDRA: the kernel of a multiprocessor operating system}},
+ journal = {Communications of the ACM},
+ volume = {17},
+ number = {6},
+ year = {1974},
+ issn = {0001-0782},
+ pages = {337--345},
+ doi = {10.1145/355616.364017},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ }
+
+@article{walker:uclasecureunix,
+ author = {Walker, Bruce J. and Kemmerer, Richard A. and Popek, Gerald J.},
+ title = {{Specification and verification of the UCLA Unix security kernel}},
+ journal = {Communications of the ACM},
+ volume = {23},
+ number = {2},
+ year = {1980},
+ issn = {0001-0782},
+ pages = {118--131},
+ doi = {10.1145/358818.358825},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{schroeder:multicssecuritykernel,
+ author = {Schroeder, Michael D.},
+ title = {{Engineering a security kernel for Multics}},
+ booktitle = {SOSP '75: Proceedings of the Fifth ACM Symposium on Operating Systems Principles},
+ year = {1975},
+ pages = {25--32},
+ location = {Austin, Texas, United States},
+ doi = {10.1145/800213.806518},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{walker:adventtrusted,
+ author = {Walker, Stephen T.},
+ title = {The advent of trusted computer operating systems},
+ booktitle = {AFIPS '80: Proceedings of the May 19-22, 1980, national computer conference},
+ year = {1980},
+ pages = {655--665},
+ location = {Anaheim, California},
+ doi = {10.1145/1500518.1500626},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{sebes:dtmach,
+author = {E. J.
Sebes},
+booktitle = {{Proceedings of the USENIX Mach Symposium}},
+title = {{Overview of the architecture of Distributed Trusted Mach}},
+pages = {20--22},
+month = nov,
+year = {1991},
+pmid = {286502042582210013related:3VWJ-xbc-QMJ},
+ publisher = {USENIX Association},
+}
+
+@InProceedings{spencer:flask,
+ author = "Ray Spencer and Stephen Smalley and Peter Loscocco and
+ Mike Hibler and David Andersen and Jay Lepreau",
+ title = "The {Flask} Security Architecture: System Support for
+ Diverse Security Policies",
+ annote = "Separate policy and mechanisms derived from DTOS and
+ somewhat consistant with GFAC. Not so suitable:
+ Capability systems (difficulty to control propagation)
+ and interception systesm (e.g., L4 Clan/Chief, problem
+ of exposure of all abstractions). Fluke (\& flask)
+ homepage:
+ \url{http://www.cs.utah.edu/flux/fluke/html/flask.html}",
+ pages = "123--139",
+ booktitle = "{Proceedings of the 8th {USENIX} Security Symposium}",
+ year = "1999",
+ publisher = {USENIX Association},
+ month = aug,
+ address = "Washington, D.C., USA",
+}
+
+@inproceedings{wang:gazelle,
+ author = {Wang, Helen J. and Grier, Chris and Moshchuk, Alexander and King, Samuel T.
and Choudhury, Piali and Venter, Herman},
+ title = {{The multi-principal OS construction of the Gazelle web browser}},
+ booktitle = {Proceedings of the 18th USENIX Security Symposium},
+ year = {2009},
+ pages = {417--432},
+ location = {Montreal, Canada},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{remy:ocaml,
+ author = {R\'{e}my, Didier and Vouillon, J\'{e}r\^{o}me},
+ title = {{Objective ML: a simple object-oriented extension of ML}},
+ booktitle = {{POPL '97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages}},
+ year = {1997},
+ isbn = {0-89791-853-3},
+ pages = {40--53},
+ location = {Paris, France},
+ doi = {10.1145/263699.263707},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@book{mckusick:freebsd,
+ author = {McKusick, Marshall Kirk and Neville-Neil, George V. and Watson,
+ Robert N. M.},
+ title = {{The Design and Implementation of the FreeBSD Operating System,
+ Second Edition}},
+ year = {2014},
+ publisher = {Pearson Education},
+}
+
+@misc{ruby,
+ title = {{Ruby Programming Language}},
+ howpublished = {\url{http://www.ruby-lang.org/}},
+ author = {{Ruby Users Group}},
+ year = 2010,
+ month = oct,
+}
+
+@inproceedings{trevor:cyclone,
+ author = {Jim, Trevor and Morrisett, J. Greg and Grossman, Dan and Hicks, Michael W. and Cheney, James and Wang, Yanling},
+ title = {Cyclone: A Safe Dialect of~{C}},
+ booktitle = {{ATEC '02: Proceedings of the USENIX Annual Technical Conference}},
+ year = {2002},
+ isbn = {1-880446-00-6},
+ pages = {275--288},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{cantrill:dtrace,
+ author = {Cantrill, Bryan M. and Shapiro, Michael W.
and Leventhal, Adam H.},
+ title = {Dynamic instrumentation of production systems},
+ booktitle = {ATEC '04: Proceedings of the USENIX Annual Technical Conference},
+ year = {2004},
+ location = {Boston, MA},
+ publisher = {{USENIX Association}},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{necula:pcc,
+ author = {Necula, George C. and Lee, Peter},
+ title = {Safe kernel extensions without run-time checking},
+ booktitle = {OSDI '96: Proceedings of the Second USENIX symposium on Operating Systems Design and Implementation},
+ year = {1996},
+ isbn = {1-880446-82-0},
+ pages = {229--243},
+ location = {Seattle, Washington, United States},
+ doi = {10.1145/238721.238781},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{yee:nativeclient,
+ author = {Yee, Bennet and Sehr, David and Dardyk, Gregory and Chen, J. Bradley and Muth, Robert and Ormandy, Tavis and Okasaka, Shiki and Narula, Neha and Fullagar, Nicholas},
+ title = {Native Client: A Sandbox for Portable, Untrusted x86 Native Code},
+ booktitle = {SP '09: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy},
+ year = {2009},
+ isbn = {978-0-7695-3633-0},
+ pages = {79--93},
+ doi = {10.1109/SP.2009.25},
+ publisher = {IEEE Computer Society},
+ address = {Washington, DC, USA},
+}
+
+@inproceedings{mccanne:bpf,
+ author = {McCanne, Steven and Jacobson, Van},
+ title = {{The BSD packet filter: a new architecture for user-level packet capture}},
+ booktitle = {{USENIX'93: Proceedings of the USENIX Winter 1993 Conference}},
+ year = {1993},
+ location = {San Diego, California},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{bershad:spin,
+ author = {Bershad, B. N. and Savage, S. and Pardyak, P. and Sirer, E. G. and Fiuczynski, M. E. and Becker, D. and Chambers, C.
and Eggers, S.},
+ title = {{Extensibility safety and performance in the SPIN operating system}},
+ booktitle = {{SOSP '95: Proceedings of the Fifteenth ACM Symposium on Operating Systems Principles}},
+ year = {1995},
+ isbn = {0-89791-715-4},
+ pages = {267--283},
+ location = {Copper Mountain, Colorado, United States},
+ doi = {10.1145/224056.224077},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{myers:difc,
+ author = {Myers, Andrew C. and Liskov, Barbara},
+ title = {A decentralized model for information flow control},
+ journal = {SIGOPS Oper. Syst. Rev.},
+ volume = {31},
+ issue = {5},
+ month = oct,
+ year = {1997},
+ issn = {0163-5980},
+ pages = {129--142},
+ numpages = {14},
+ doi = {10.1145/269005.266669},
+ acmid = {266669},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{efstathopoulos:asbestos,
+ author = {Efstathopoulos, Petros and Krohn, Maxwell and VanDeBogart, Steve and Frey, Cliff and Ziegler, David and Kohler, Eddie and Mazi\`{e}res, David and Kaashoek, Frans and Morris, Robert},
+ title = {Labels and event processes in the asbestos operating system},
+ journal = {SIGOPS Oper. Syst.
Rev.},
+ volume = {39},
+ issue = {5},
+ month = oct,
+ year = {2005},
+ issn = {0163-5980},
+ pages = {17--30},
+ numpages = {14},
+ doi = {10.1145/1095809.1095813},
+ acmid = {1095813},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {event processes, information flow, labels, mandatory access control, secure web servers},
+}
+
+@inproceedings{zeldovich:histar,
+ author = {Zeldovich, Nickolai and Boyd-Wickizer, Silas and Kohler, Eddie and Mazi\`{e}res, David},
+ title = {Making information flow explicit in {HiStar}},
+ booktitle = {Proceedings of the 7th symposium on Operating systems design and implementation},
+ series = {OSDI '06},
+ year = {2006},
+ isbn = {1-931971-47-1},
+ location = {Seattle, Washington},
+ pages = {263--278},
+ numpages = {16},
+ url = {http://portal.acm.org/citation.cfm?id=1298455.1298481},
+ acmid = {1298481},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{boebert:inabilitystar,
+ title = {On the Inability of an Unmodified Capability Machine to Enforce the *-Property},
+ booktitle = {Proc.
7th {{DoD}}/{{NBS Computer Security Conference}}},
+ author = {Boebert, William Earl},
+ date = {1984-09},
+ pages = {291--293},
+ url = {https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1984/09/24/7th-dod-nbs-computer-security-conference/documents/1984-7th-conference-proceedings.pdf},
+ eventtitle = {{{DoD}}/{{NBS Computer Security Conference}}}
+}
+
+
+@article{hardy:keykos,
+ author = {Hardy, Norman},
+ title = {{KeyKOS architecture}},
+ journal = {SIGOPS Operating Systems Review},
+ volume = {19},
+ number = {4},
+ year = {1985},
+ issn = {0163-5980},
+ pages = {8--25},
+ doi = {10.1145/858336.858337},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ note = {Also available at \url{http://cap-lore.com/CapTheory/upenn/OSRpaper.html}}
+}
+
+@inproceedings{shapiro:eros,
+author = {Jonathan Shapiro and Jonathan Smith and David Farber},
+booktitle = {{SOSP '99: Proceedings of the seventeenth ACM Symposium on Operating Systems Principles}},
+title = {{EROS: a fast capability system}},
+abstract = {EROS is a capability-based operating system for commodity processors which uses a single level storage model. The single level store's persistence is transparent to applications. The performance consequences of support for transparent persistence and ...},
+year = {1999},
+month = dec,
+pmid = {319151.319163},
+url = {http://portal.acm.org/citation.cfm?id=319151.319163},
+howpublished = {\url{http://portal.acm.org/citation.cfm?id=319151.319163}},
+}
+
+@misc{shapiro:coyotosspec,
+ author={Jonathan S. Shapiro and Jonathan W.
Adams},
+ title={Coyotos Microkernel Specification},
+ subtitle={Version 0.6+},
+ date={2007-09-10},
+ url={https://web.archive.org/web/20160904092954/http://www.coyotos.org:80/docs/ukernel/spec.html}
+}
+
+@inproceedings{mettler:joee,
+ author = {Mettler, Adrian and Wagner, David},
+ title = {{Class properties for security review in an object-capability subset of Java}},
+ booktitle = {PLAS '10: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security},
+ year = {2010},
+ isbn = {978-1-60558-827-8},
+ pages = {1--7},
+ location = {Toronto, Canada},
+ doi = {10.1145/1814217.1814224},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ }
+
+@misc{miller:elang,
+ author = {Mark S. Miller},
+ title = {The E Language},
+ note = "\url{http://www.erights.org/}",
+}
+
+@misc{miller:caja,
+ author = {Mark S. Miller and Mike Samuel and Ben Laurie and Ihab Awad and Mike Stay},
+ title = {Caja: Safe active content in Sanitized JavaScript},
+ month = may,
+ year = {2008},
+ institution = {Google},
+ url = {http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf},
+ note = "\url{http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf}",
+}
+
+@article{miller:capmyths,
+ title = {Capability {Myths} {Demolished}},
+ abstract = {We address three common misconceptions about capability-based systems: the Equivalence Myth (access control list systems and capability systems are formally equivalent), the Confinement Myth (capability systems cannot enforce confinement), and the Irrevocability Myth (capability-based access cannot be revoked).
The Equivalence Myth obscures the benefits of capabilities as compared to access control lists, while the Confinement Myth and the Irrevocability Myth lead people to see problems with capabilities that do not actually exist.},
+ language = {en},
+ author = {Miller, Mark S and Yee, Ka-Ping and Shapiro, Jonathan},
+ pages = {15},
+ url = {http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf}
+}
+
+@article{miller:paradigmregained,
+ address = {Berlin, Heidelberg},
+ title = {Paradigm {Regained}: {Abstraction} {Mechanisms} for {Access} {Control}},
+ isbn = {978-3-540-40965-6},
+ abstract = {Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which would create vulnerabilities. Analysis to date implicitly assumes access is controlled only by manipulating a system's protection state – the arrangement of the access graph. Because of the limitations of this analysis, capability systems have been ”proven” unable to enforce some basic policies: revocation, confinement, and the *-properties (explained in the text).},
+ booktitle = {Advances in {Computing} {Science} – {ASIAN} 2003. {Progamming} {Languages} and {Distributed} {Computation} {Programming} {Languages} and {Distributed} {Computation}},
+ publisher = {Springer Berlin Heidelberg},
+ author = {Miller, Mark S.
and Shapiro, Jonathan S.},
+ editor = {Saraswat, Vijay A.},
+ year = {2003},
+ pages = {224--242},
+ url = {http://www.erights.org/talks/asian03/}
+}
+
+@phdthesis{miller:robustcomposition,
+ author = {Miller, Mark Samuel},
+ title = {Robust composition: towards a unified approach to access control and concurrency control},
+ year = {2006},
+ order_no = {AAI3245526},
+ school = {Johns Hopkins University},
+ address = {Baltimore, MD, USA},
+}
+
+@book{gosling:javalanguage,
+ author = {Gosling, James and Joy, Bill and Steele, Guy L.},
+ title = {The Java Language Specification},
+ year = {1996},
+ isbn = {0201634511},
+ publisher = {Addison-Wesley Longman Publishing Co., Inc.},
+ address = {Boston, MA, USA},
+}
+
+@inproceedings{lipner:securitykernels,
+ author = {Lipner, Steven B. and Wulf, William A. and Schell, Roger R. and Popek, Gerald J. and Neumann, Peter G. and Weissman, Clark and Linden, Theodore A.},
+ title = {Security kernels},
+ booktitle = {AFIPS '74: Proceedings of the May 6-10, 1974, National Computer Conference and Exposition},
+ year = {1974},
+ pages = {973--980},
+ location = {Chicago, Illinois},
+ doi = {10.1145/1500175.1500361},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{ackerman:multiprocessing,
+ author = {Ackerman, William B. and Plummer, William W.},
+ title = {An implementation of a multiprocessing computer system},
+ booktitle = {SOSP '67: Proceedings of the First ACM Symposium on Operating System Principles},
+ year = {1967},
+ pages = {5.1--5.10},
+ doi = {10.1145/800001.811666},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{ritchie:unix,
+ author = {Ritchie, Dennis M.
and Thompson, Ken},
+ title = {{The UNIX time-sharing system}},
+ journal = {Communications of the ACM},
+ volume = {17},
+ number = {7},
+ year = {1974},
+ issn = {0001-0782},
+ pages = {365--375},
+ doi = {10.1145/361011.361061},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{denning:faulttolerance,
+ author = {Denning, Peter J.},
+ title = {Fault Tolerant Operating Systems},
+ journal = {ACM Computing Surveys},
+ volume = {8},
+ number = {4},
+ year = {1976},
+ issn = {0360-0300},
+ pages = {359--389},
+ doi = {10.1145/356678.356680},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{patterson:risc,
+ author = {Patterson, David A. and Sequin, Carlo H.},
+ title = {{RISC I: A Reduced Instruction Set VLSI Computer}},
+ booktitle = {ISCA '81: Proceedings of the 8th Annual Symposium on Computer Architecture},
+ year = {1981},
+ pages = {443--457},
+ location = {Minneapolis, Minnesota, United States},
+ publisher = {IEEE Computer Society Press},
+ address = {Los Alamitos, CA, USA},
+ }
+
+@inproceedings{corbato:multics,
+ author = {Corbat\'{o}, F. J. and Vyssotsky, V. A.},
+ title = {{Introduction and overview of the Multics system}},
+ booktitle = {AFIPS '65 (Fall, part I): Proceedings of the November 30--December 1, 1965, Fall Joint Computer Conference, part I},
+ year = {1965},
+ pages = {185--196},
+ location = {Las Vegas, Nevada},
+ doi = {10.1145/1463891.1463912},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{corbato:timesharing,
+ author = {Corbat\'{o}, Fernando J.
and Merwin-Daggett, Marjorie and Daley, Robert C.},
+ title = {An experimental time-sharing system},
+ booktitle = {AIEE-IRE '62 (Spring): Proceedings of the May 1--3, 1962, Spring Joint Computer Conference},
+ year = {1962},
+ pages = {335--344},
+ location = {San Francisco, California},
+ doi = {10.1145/1460833.1460871},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{dennis:semantics,
+ author = {Dennis, Jack B. and Van Horn, Earl C.},
+ title = {Programming semantics for multiprogrammed computations},
+ journal = {Communications of the ACM},
+ volume = {9},
+ number = {3},
+ year = {1966},
+ issn = {0001-0782},
+ pages = {143--155},
+ doi = {10.1145/365230.365252},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{reis:chromium,
+ author = {Reis, Charles and Gribble, Steven D.},
+ title = {Isolating web programs in modern browser architectures},
+ booktitle = {EuroSys '09: Proceedings of the 4th ACM European Conference on Computer Systems},
+ year = {2009},
+ isbn = {978-1-60558-482-9},
+ pages = {219--232},
+ location = {Nuremberg, Germany},
+ doi = {10.1145/1519065.1519090},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{provos:preventingprivesc,
+author = {Neils Provos and Markus Friedl and Peter Honeyman},
+booktitle = {{Proceedings of the 12th USENIX Security Symposium}},
+title = {{Preventing Privilege Escalation}},
+year = {2003},
+ publisher = {USENIX Association},
+}
+
+@inproceedings{bittau:wedge,
+author = {Andrea Bittau and Petr Marchenko and Mark Handley and Brad Karp},
+booktitle = {{Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation}},
+title = {{Wedge: Splitting Applications into Reduced-Privilege Compartments}},
+school = {University College London},
+pages = {309--322},year = {2008},
+url = {http://www.cs.ucl.ac.uk/staff/m.handley/papers/wedge.pdf},
+howpublished = {\url{http://www.cs.ucl.ac.uk/staff/m.handley/papers/wedge.pdf}},
+
publisher = {USENIX Association},
+}
+
+@techreport{accetta:mach,
+ author = "M. Accetta and R. Baron and D. Golub and R. Rashid and A.
+ Tevanian and M. Young",
+ institution = "{Computer Science Department, Carnegie Mellon
+ University}",
+ title = "{Mach: A New Kernel Foundation for UNIX Development}",
+ year = "1986",
+ month = aug,
+}
+
+@InProceedings{liedtke:l4,
+ author = {Jochen Liedtke},
+ title = {On Microkernel Construction},
+ booktitle = {SOSP'95: Proceedings of the
+ 15th ACM Symposium on Operating System Principles},
+ address = {Copper Mountain Resort, CO},
+ month = dec,
+ year = 1995,
+ url = {http://l4ka.org/publications/}
+}
+
+@book{levy:capabilities,
+ author = {Levy, Henry M.},
+ title = {Capability-Based Computer Systems},
+ year = {1984},
+ isbn = {0932376223},
+ publisher = {Butterworth-Heinemann},
+ address = {Newton, MA, USA},
+ }
+
+@inproceedings{yee:nacl,
+ author = {Yee, Bennet and Sehr, David and Dardyk, Gregory and Chen, J. Bradley and Muth, Robert and Ormandy, Tavis and Okasaka, Shiki and Narula, Neha and Fullagar, Nicholas},
+ title = {Native Client: A Sandbox for Portable, Untrusted x86 Native Code},
+ booktitle = {Proceedings of the 2009 30th IEEE Symposium on Security and Privacy},
+ year = {2009},
+ isbn = {978-0-7695-3633-0},
+ pages = {79--93},
+ numpages = {15},
+ url = {http://portal.acm.org/citation.cfm?id=1607723.1608126},
+ doi = {10.1109/SP.2009.25},
+ acmid = {1608126},
+ publisher = {IEEE Computer Society},
+ address = {Washington, DC, USA},
+ keywords = {Security, World Wide Web},
+}
+
+@inproceedings{wahbe:sfi,
+ author = {Wahbe, Robert and Lucco, Steven and Anderson, Thomas E.
and Graham, S
+usan L.},
+ title = {Efficient software-based fault isolation},
+ booktitle = {SOSP '93: Proceedings of the Fourteenth ACM Symposium on Operating
+ Systems Principles},
+ year = {1993},
+ isbn = {0-89791-632-8},
+ pages = {203--216},
+ location = {Asheville, North Carolina, United States}, doi = {10.1145/168619.168635},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@article{richards:bluespecreasoning,
+ author = {Richards, Dominic and Lester, David},
+ affiliation = {School of Computer Science, The University of Manchester, Manchester, UK},
+ title = {{A monadic approach to automated reasoning for Bluespec SystemVerilog}},
+ journal = {Innovations in Systems and Software Engineering},
+ publisher = {Springer London},
+ issn = {1614-5046},
+ keyword = {Computer Science},
+ pages = {1-11},
+ note = {10.1007/s11334-011-0149-0},
+ year = {2011}
+}
+
+@InProceedings{NeumannWatson10LAW,
+Author={Peter G. Neumann and Robert N.~M. Watson},
+Title={Capabilities Revisited: A Holistic Approach to
+ Bottom-to-Top Assurance of Trustworthy Systems},
+BookTitle={Fourth Layered Assurance Workshop},
+Organization={U.S. Air Force Cryptographic Modernization Office and AFRL},
+Address={Austin, Texas},
+Year={2010}, Month=dec, pages={}, Note =
+ {http://www.csl.sri.com/neumann/law10.pdf}}
+
+@InProceedings{Watson07,
+Author={Robert N.~M.
Watson},
+Title={Exploiting Concurrency Vulnerabilities in System Call Wrappers},
+BookTitle={WOOT Workshop},
+Organization={USENIX Security}, Address={Gaithersburg, Maryland},
+Year={2007}, Month={}, pages={}, Note = {
+ http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf}}
+
+@PhdThesis{Drimer10,
+ author = {Saar Drimer},
+ title = {Security for Volatile FPGAs},
+ school = {University of Cambridge},
+ year = {2010} }
+
+@inproceedings{Cadar:2008:KUA:1855741.1855756,
+ author = {Cadar, Cristian and Dunbar, Daniel and Engler, Dawson},
+ title = {{KLEE}: unassisted and automatic generation of high-coverage tests for complex systems programs},
+ booktitle = {Proceedings of the 8th USENIX conference on operating systems design and implementation},
+ series = {OSDI'08},
+ year = {2008},
+ location = {San Diego, California},
+ pages = {209--224},
+ numpages = {16},
+ url = {http://portal.acm.org/citation.cfm?id=1855741.1855756},
+ acmid = {1855756},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{Yanagisawa:2006:DAS:1173706.1173717,
+ author = {Yanagisawa, Yoshisato and Kourai, Kenichi and Chiba, Shigeru},
+ title = {A dynamic aspect-oriented system for {OS} kernels},
+ booktitle = {Proceedings of the 5th international conference on Generative programming and component engineering},
+ series = {GPCE '06},
+ year = {2006},
+ isbn = {1-59593-237-2},
+ location = {Portland, Oregon, USA},
+ pages = {69--78},
+ numpages = {10},
+ doi = {10.1145/1173706.1173717},
+ acmid = {1173717},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {Linux, aspect-oriented programming, dynamic AOP, operating system, profiling and debugging},
+}
+
+@article{Nethercote:2007:VFH:1273442.1250746,
+ author = {Nethercote, Nicholas and Seward, Julian},
+ title = {Valgrind: a framework for heavyweight dynamic binary instrumentation},
+ journal = {SIGPLAN Not.},
+ volume = {42},
+ issue = {6},
+ month = jun,
+ year = {2007},
+
issn = {0362-1340},
+ pages = {89--100},
+ numpages = {12},
+ doi = {10.1145/1273442.1250746},
+ acmid = {1250746},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {Memcheck, Valgrind, dynamic binary analysis, dynamic binary instrumentation, shadow values},
+}
+
+@INPROCEEDINGS{Weimer05miningtemporal,
+ author = {Westley Weimer and George C. Necula},
+ title = {Mining Temporal Specifications for Error Detection},
+ booktitle = {In TACAS},
+ year = {2005},
+ pages = {461--476}
+}
+
+
+@inproceedings{muvi:sosp2007,
+ author = "Shan Lu and Soyeon Park and Chongfeng Hu and Xiao Ma and Weihang Jiang and Zhenmin Li and Raluca A. Popa and Yuanyuan Zhou",
+ title = "MUVI: Automatically Inferring Multi-Variable Access Correlations and Detecting Related Semantic and Concurrency Bugs",
+ booktitle = "Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP07)",
+ month = oct,
+ year = "2007",
+}
+
+
+@misc{rfc4252,
+ author="T. Ylonen and C. Lonvick",
+ title="{The Secure Shell (SSH) Authentication Protocol}",
+ series="Request for Comments",
+ number="4252",
+ howpublished="RFC 4252 (Proposed Standard)",
+ publisher="IETF",
+ organisation="Internet Engineering Task Force",
+ year=2006,
+ month=jan,
+ url="http://www.ietf.org/rfc/rfc4252.txt",
+}
+
+@article{Bishop:2005:RSC:1090191.1080123,
+ author = {Bishop, Steve and Fairbairn, Matthew and Norrish, Michael and Sewell, Peter and Smith, Michael and Wansbrough, Keith},
+ title = {Rigorous specification and conformance testing techniques for network protocols, as applied to {TCP}, {UDP}, and sockets},
+ journal = {SIGCOMM Comput. Commun.
Rev.},
+ issue_date = {October 2005},
+ volume = {35},
+ issue = {4},
+ month = aug,
+ year = {2005},
+ issn = {0146-4833},
+ pages = {265--276},
+ numpages = {12},
+ doi = {10.1145/1090191.1080123},
+ acmid = {1080123},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {API, HOL, TCP/IP, conformance testing, higher-order logic, network protocols, operational semantics, sockets, specification},
+}
+
+@inproceedings{Madhavapeddy:2009:CSM:1695271.1695302,
+ author = {Madhavapeddy, Anil},
+ title = {Combining Static Model Checking with Dynamic Enforcement Using the Statecall Policy Language},
+ booktitle = {Proceedings of the 11th International Conference on Formal Engineering Methods: Formal Methods and Software Engineering},
+ series = {ICFEM '09},
+ year = {2009},
+ isbn = {978-3-642-10372-8},
+ location = {Rio de Janeiro, Brazil},
+ pages = {446--465},
+ numpages = {20},
+ doi = {10.1007/978-3-642-10373-5_23},
+ acmid = {1695302},
+ publisher = {Springer-Verlag},
+ address = {Berlin, Heidelberg},
+}
+
+@inproceedings{Baldwin:2002:LMF:1250894.1250898,
+ author = {Baldwin, John H.},
+ title = {Locking in the multithreaded {FreeBSD} kernel},
+ booktitle = {Proceedings of the BSD Conference 2002},
+ series = {BSDC'02},
+ year = {2002},
+ location = {San Francisco, California},
+ pages = {4--4},
+ numpages = {1},
+ url = {http://portal.acm.org/citation.cfm?id=1250894.1250898},
+ acmid = {1250898},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{LA04,
+ title = {{{LLVM}}: {{A Compilation Framework}} for {{Lifelong Program Analysis}} \& {{Transformation}}},
+ shorttitle = {{{LLVM}}},
+ booktitle = {Proceedings of the {{International Symposium}} on {{Code Generation}} and {{Optimization}}: {{Feedback}}-Directed and {{Runtime Optimization}}},
+ author = {Lattner, Chris and Adve, Vikram},
+ date = {2004-03},
+ pages = {75--86},
+ publisher = {{IEEE Computer Society}},
+ location = {{Washington, DC, USA}},
+ doi =
{10.1109/CGO.2004.1281665},
+ url = {http://dl.acm.org/citation.cfm?id=977395.977673},
+ abstract = {This paper describes LLVM (Low Level Virtual Machine),a compiler framework designed to support transparent, lifelongprogram analysis and transformation for arbitrary programs,by providing high-level information to compilertransformations at compile-time, link-time, run-time, and inidle time between runs.LLVM defines a common, low-levelcode representation in Static Single Assignment (SSA) form,with several novel features: a simple, language-independenttype-system that exposes the primitives commonly used toimplement high-level language features; an instruction fortyped address arithmetic; and a simple mechanism that canbe used to implement the exception handling features ofhigh-level languages (and setjmp/longjmp in C) uniformlyand efficiently.The LLVM compiler framework and coderepresentation together provide a combination of key capabilitiesthat are important for practical, lifelong analysis andtransformation of programs.To our knowledge, no existingcompilation approach provides all these capabilities.We describethe design of the LLVM representation and compilerframework, and evaluate the design in three ways: (a) thesize and effectiveness of the representation, including thetype information it provides; (b) compiler performance forseveral interprocedural problems; and (c) illustrative examplesof the benefits LLVM provides for several challengingcompiler problems.},
+ isbn = {978-0-7695-2102-2},
+ series = {{{CGO}} '04},
+ venue = {Palo Alto, California}
+}
+
+@misc{rfc793,
+ author="J.
Postel",
+ title="{Transmission Control Protocol}",
+ series="Request for Comments",
+ number="793",
+ howpublished="RFC 793 (Standard)",
+ publisher="IETF",
+ organisation="Internet Engineering Task Force",
+ year=1981,
+ month=sep,
+ day="1",
+ note="Updated by RFC 3168",
+ url="http://www.ietf.org/rfc/rfc793.txt",
+}
+
+@inproceedings{BR02,
+ author = {Ball, Thomas and Rajamani, Sriram K.},
+ title = {The {SLAM} project: debugging system software via static analysis},
+ booktitle = {Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages},
+ series = {POPL '02},
+ year = {2002},
+ isbn = {1-58113-450-9},
+ location = {Portland, Oregon},
+ pages = {1--3},
+ numpages = {3},
+ doi = {10.1145/503272.503274},
+ acmid = {503274},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+}
+
+@inproceedings{CS04,
+ author = {Cantrill, Bryan M. and Shapiro, Michael W. and Leventhal, Adam H.},
+ title = {Dynamic instrumentation of production systems},
+ booktitle = {Proceedings of the USENIX Annual Technical Conference},
+ series = {ATEC '04},
+ year = {2004},
+ location = {Boston, MA},
+ pages = {2--2},
+ numpages = {1},
+ url = {http://portal.acm.org/citation.cfm?id=1247415.1247417},
+ acmid = {1247417},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+}
+
+@inproceedings{HJ02,
+Address = {London, UK},
+Author = {Thomas A. Henzinger and Ranjit Jhala and Rupak Majumdar and George C. Necula and Gr\&\#233;goire Sutre and Westley Weimer},
+Booktitle = {Proceedings of the 14th International Conference on Computer Aided Verification (CAV)},
+Date-Added = {2005-11-09 11:43:39 +0000},
+Date-Modified = {2005-11-09 11:44:40 +0000},
+Isbn = {3-540-43997-8},
+Keywords = {security,systems},
+Pages = {526--538},
+Publisher = {Springer-Verlag},
+Title = {Temporal-Safety Proofs for Systems Code},
+Year = {2002}}
+
+@TechReport{BP81,
+author={K.H. Britton and D.L.
Parnas},
+Title={A-7E Software Module Guide},
+institution= {NRL Memorandum Report 4702, Naval Research Laboratory},
+address={Washington, D.C.}, month =dec, Year=1981 }
+
+@InProceedings{CCMT93,
+Author = "G. Canfora and A. Cimitile and M. Munro and C. Taylor",
+Title = "Extracting Abstract Data Types from {C} Programs: {A} Case Study",
+Booktitle = "Proceedings of the International Conference on Software
+ Maintenance",
+Organization = "", Address = "", Year = "1993",
+Pages="200--209", Month = sep }
+
+@InProceedings{GK97,
+Author = "J.F. Girard and R. Koschke",
+Title = "Finding Components in a Hierarchy of Modules: A
+Step Towards Architectural Understanding",
+Booktitle = "Proceedings of the International Conference on Software
+ Maintenance",
+Organization = "", Address = "", Year = "1997",
+Pages="72--81", Month = oct }
+
+@InProceedings{Gligor86,
+Author={V.D. Gligor et al.},
+Title={Design and Implementation of {Secure Xenix[TM]}},
+BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1986}, Month=apr, pages={},
+Note = {also in {\it IEEE Transactions on Software Engineering,} vol. SE-13, 2,
+February 1987, 208--221}
+}
+
+@InProceedings{GM93,
+ Author={R. Godin and H. Mili},
+ Title={Building and Maintaining Analysis-Level Class
+ Hierarchies Using {Galois} Lattices},
+ BookTitle = {Proceedings of the 8th Annual Conference
+ on Object-Oriented Programming Systems, Languages and Applications
+ (OOPSLA '93), SIGPLAN Notices, 28, 10},
+ Year={1993},
+ Month={},
+ Pages={394--410}
+ }
+
+@article{GMMMAC98,
+ Author={R. Godin and H. Mili and G.W. Mineau and R. Missaoui
+ and A. Arfi and T.-T. Chau},
+ Title={Design of Class Hierarchies Based on Concept {(Galois)} Lattices},
+ Journal = {Theory and Practice of Object Systems},
+ volume={4}, number={2}, year={1998}, pages={117-134}}
+
+@Article{Hoare74,
+ Author = {C.A.R.
Hoare},
+ Title = {Monitors: An Operating System Structuring Concept},
+ Journal = {Communications of the ACM},
+ Year = {1974},
+ Volume = {17},
+ Number = {10},
+ Pages = {},
+ Month = oct }
+
+@InProceedings{Janson75,
+ Author={P.A. Janson},
+ Title={Dynamic Linking and Environment Initialization in a Multi-Domain Process},
+ BookTitle={Proceedings of the Fifth ACM Symposium on Operating Systems Principles},
+ Year={1975},
+ Month=nov,
+ Note={(ACM Operating Systems Review, Vol 9, No. 5)},
+ Pages = {43--50}
+ }
+
+@Article{Janson81,
+ Author={P.A. Janson},
+ Journal={ACM Operating Systems Review},
+ Title={Using Type Extension to Organize Virtual Memory Mechanisms},
+ Year={1981},
+ Month=oct,
+ Pages={6--38},
+ Volume={15},
+ Number={4}
+ }
+
+@InProceedings{LS97,
+Author = "C. Lindig and G. Snelting",
+Title = "Assessing Modular Structure of Legacy Code Based
+On Mathematical Concept Analysis",
+Booktitle = "Proceedings of the International Conference
+ on Software Engineering",
+Organization = "", Address = "", Year = "1997",
+Pages="349--359", Month = "" }
+
+@ARTICLE{LJ94,
+Author={P.E Livadas and T. Johnson},
+TITLE = {A New Approach to finding Objects in Programs},
+JOURNAL = {Software Maintenance: Research and Practice},
+YEAR = {1994}, VOLUME = {6},
+NUMBER = {}, PAGES = {249--260}, MONTH = {} }
+
+@InProceedings{MMCG98,
+Author = "S. Mancoridis and B.S. Mitchell and Y. Chen and E.R. Gansner",
+Title = "Using Automatic
+ Clustering to produce High-Level System Organization of Source Code",
+Booktitle = "Proceedings of the International Workshop on Program Comprehension",
+Organization = "", Address = "", Year = "1998",
+Pages="42--52", Month = "" }
+
+@InProceedings{MMCG99,
+Author = "S. Mancoridis and B.S. Mitchell and Y. Chen and E.R.
Gansner",
+Title = "Bunch: A Clustering Tool for the Recovery and Maintenance of
+ Software System Structures",
+Booktitle = "Proceedings of the International Conference on Software
+ Maintenance",
+Organization = "", Address = "", Year = "1999",
+Pages="50--59", Month = "" }
+
+@InProceedings{MH96,
+Author = "S. Mancoridis and R.C. Holt",
+Title = "Recovering the Structure of Software Systems
+Using Tube Graph Interconnection Clustering",
+Booktitle = "Proceedings of the International
+Conference on Software Maintenance",
+Organization = "", Address = "", Year = "1996",
+Pages="23--32", Month = "" }
+
+@InProceedings{MK88,
+Author = "M.K. McKusick and M.J. Karels",
+Title = "Design of a General Purpose Memory Allocator for the
+ {4.3BSD UNIX} Kernel",
+Booktitle = "1988 Summer USENIX Conference Proceedings",
+Organization = "", Address = "San Francisco, California", Year = "1988",
+Pages="295--304", Month = jun }
+
+@TechReport{Nelson81,
+author={B.J. Nelson},
+Title={Remote Procedure Call},
+institution= {Research Report
+ CSL-79-9, XEROX Palo Alto Research Center},
+address={3333 Coyote Hill Road,
+Palo Alto, California}, month =may, Year=1981 }
+
+@ARTICLE{Parnas79,
+Author={D.L. Parnas},
+TITLE = {Designing Software for Ease of Extension and Contraction},
+JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {1979}, VOLUME = {SE-5},
+NUMBER = {2}, PAGES = {128--138}, MONTH = mar }
+
+@InProceedings{S91,
+Author = "R.W. Schwanke",
+Title = "An Intelligent Tool for Re-engineering Software Modularity",
+Booktitle = "Proceedings of the International Conference
+ On Software Engineering",
+Organization = "", Address = "", Year = "1991",
+Pages="83--92", Month = "" }
+
+@ARTICLE{SR99,
+Author={M. Siff and T. Reps},
+TITLE = {Identifying Modules via Concept Analysis},
+JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {1999}, VOLUME = {SE-25},
+NUMBER = {6}, PAGES = {749--768}, MONTH = {} }
+
+@ARTICLE{S96,
+Author={G.
Snelting},
+TITLE = {Reengineering of Configurations based on Mathematical Concept Analysis},
+JOURNAL = {IEEE Transactions on Software Engineering and Methodology},
+YEAR = {1996}, VOLUME = {5},
+NUMBER = {2}, PAGES = {146--189}, MONTH = {} }
+
+@InProceedings{ST98,
+Author = "G. Snelting and F. Tip",
+Title = "Reengineering Class Hierarchies Using Concept Analysis",
+Booktitle = "Proceedings of the International Symposium on Foundations of
+ Software Engineering",
+Organization = "", Address = "", Year = "1998",
+Pages="", Month = "" }
+
+@InProceedings{SH89,
+Author = "G. Snider and J. Hays",
+Title = "The Modix Kernel",
+Booktitle = "1989 Winter USENIX Conference Proceedings",
+Organization = "", Address = "San Diego, California", Year = "1989",
+Pages="377--392", Month = feb }
+
+@ARTICLE{T01,
+Author={P. Tonella},
+TITLE = {Concept Analysis for Module Restructuring},
+JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {2001}, VOLUME = {SE-27},
+NUMBER = {4}, PAGES = {351--363}, MONTH = {} }
+
+@Article{WS73,
+ Author={W. Wulf and M. Shaw},
+ Journal={SIGPLAN Notices },
+ Title={Global Variable Considered Harmful},
+ Year={1973},
+ Month=feb,
+ Pages={28--34},
+ Volume={8},
+ Number={2}
+ }
+
+@InProceedings{YHR95,
+Author = "A. Yeh and D. Harris and H. Reubenstein",
+Title = "Recovering Abstract Data Types and Object Instances
+ from a Conventional Procedural Language",
+Booktitle = "Proceedings of the Working Conference on Reverse Engineering",
+Organization = "", Address = "", Year = "1995",
+Pages="227--236", Month = "" }
+
+@InProceedings{vonNeumann56,
+Author = {J. {von Neumann}},
+Title = {Probabilistic logics and the synthesis of reliable organisms
+from unreliable components},
+Booktitle = {Automata Studies},
+Address = {Princeton University, Princeton, New Jersey},
+Year = {1956},
+Pages={43--98}, Month = {} }
+
+@InProceedings{Moore56,
+Author = "E.F.
Moore",
+Title = "Gedanken Experiments on Sequential Machines",
+Booktitle = {Automata Studies, Annals of Mathematical Studies, 34,
+Princeton University Press, 1956},
+Note = {C.E. Shannon and J. McCarthy, editors},
+Year = {1956},
+Pages ={129--153} }
+
+@ARTICLE{MooreShannon56,
+Author={E.F. Moore and C.E. Shannon}, TITLE = {Reliable circuits
+using less reliable relays},
+JOURNAL = {Journal of the Franklin Institute},
+YEAR = {1956}, VOLUME = {262},
+NUMBER = {}, PAGES = {191-208, 281-297}, MONTH = {September, October} }
+
+@TechReport{Baran60,
+Author={P. Baran},
+title={Reliable Digital Communications Systems Using Unreliable
+ Network Repeater Nodes},
+institution={The RAND Corporaton},
+number={P-1995},
+year={1960}, month={May 27}}
+
+@article{Hamming50,
+Key = {Hamming}, Author = {R.W. Hamming},
+Title = {Error Detecting and Error Correcting Codes},
+journal = {Bell System Technical Journal}, year = {1950}, volume = {29},
+number = {}, pages = {147--60}, month = {} }
+
+@ARTICLE{Huffman53,
+Author={D.A. Huffman},
+TITLE = {A Method for the Construction of Minimum Redundancy Codes},
+JOURNAL = {Proceedings of the IRE}, YEAR = {1952}, VOLUME = {40},
+NUMBER = {}, PAGES = {}, MONTH = {} }
+
+@ARTICLE{Huffman59,
+Author={D.A. Huffman},
+TITLE = {Canonical Forms for Information-Lossless Finite-State Machines},
+JOURNAL = {IRE Transactions on Circuit Theory (special supplement)
+ and IRE Transactions on Information Theory (special supplement)},
+YEAR = {1959}, VOLUME = {CT-6 and IT-5},
+NUMBER = {}, PAGES = {41-59}, MONTH = may,
+NOTE = {A slightly revised version appeared in E.F. Moore, Editor,
+ {\it Sequential Machines: Selected Papers}, Addison-Wesley, Reading,
+ Massachusetts, 1964.} }
+
+@ARTICLE{Huffman76,
+Author={D.A. Huffman},
+TITLE = {Curvatures and Creases: A Primer on Paper},
+JOURNAL = {IEEE Transactions on Computers}, YEAR = {1975}, VOLUME = {C-25},
+NUMBER = {10}, PAGES = {1010--1019}, MONTH = oct }
+
+@ARTICLE{Belevitch59,
+Author={V.
Belevitch},
+TITLE = {On the Statistical Laws of Linguistic Distributions},
+JOURNAL = {Annals of the Society of Science, Brussels, Belgium},
+YEAR = {1959}, VOLUME = {73},
+NUMBER = {III}, PAGES = {310--326}, MONTH = {} }
+
+@book{Peterson72,
+Author={W.W. Peterson and E.J. {Weldon, Jr.}},
+Title={Error-Correcting Codes, 2nd ed.},
+Publisher={MIT Press, Cambridge, Massachusetts},
+Year={1972} }
+
+@article{Gilbert+74,
+Key = {Gilbert}, Author = {E. Gilbert and J. MacWilliams and N. Sloane},
+Title = {Codes Which Detect Deception},
+journal = {Bell System Technical Journal}, year = {1974}, volume = {53},
+number = {3}, pages = {405--424}, month = {} }
+
+@book{Sloane,
+Author={N.J.A. Sloane and F.J. MacWilliams},
+Title={The Theory of Error-Correcting Codes, 9th reprint},
+Publisher={North-Holland},
+Year={1998} }
+
+@book{Adamek,
+Author={J. Adamek},
+Title={Foundations of Coding: Theory and Applications of
+Error-Correcting Codes with an Introduction
+to Cryptography and Information Theory},
+Publisher={Wiley-Interscience},
+Year={1991} }
+
+@book{Rao89,
+Author={T.R.N. Rao},
+Title={Error-Control Coding for Computer Systems},
+Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
+Year={1989} }
+
+@book{Pless98,
+Author={V. Pless},
+Title={Introduction to the Theory of Error-Correcting Codes},
+Publisher={John Wiley and Sons, New York},
+Year={1998} }
+
+@article{Dean+02,
+Author={D. Dean and M. Franklin and A. Stubblefield},
+TITLE = {An algebraic approach to IP traceback},
+JOURNAL = {ACM Transactions on Information and System Security},
+YEAR={2002}, VOLUME = {5}, NUMBER = {2}, PAGES = {119--137}, MONTH = may}
+
+@INPROCEEDINGS{Adler02,
+ AUTHOR = {M. Adler},
+ TITLE = {Tradeoffs in probabilistic packet marking for IP traceback},
+ BOOKTITLE = {Proceedings of the Thirty-fourth Annual {ACM} Symposium on Theory of Computing},
+ YEAR = {2002}, PAGES = {407--418}, MONTH = {}
+}
+
+@INPROCEEDINGS{SudanGuruswami99,
+ AUTHOR = {V. Guruswami and M.
Sudan},
+ TITLE = {List decoding algorithms for certain contatenated codes},
+ BOOKTITLE = {Proceedings of the Thirty-second Annual {ACM} Symposium on Theory of Computing},
+ YEAR = {2000}, PAGES = {181--190}, MONTH = apr
+}
+
+@article{KuijperPolderman04,
+Author={M. Kuijper and J.W. Polderman},
+TITLE = {Reed-Solomon list decoding from a system-theoretic perspective},
+JOURNAL = {IEEE Transactions on Information Theory},
+YEAR = {2004}, VOLUME = {40}, NUMBER = {2}, PAGES = {259--271},
+MONTH = feb }
+
+@ARTICLE{BrooksMusic57,
+Author={F.P. {Brooks, Jr.} and A.L. Hopkins and P.G. Neumann and W.V. Wright},
+TITLE = {An Experiment in Musical Composition},
+JOURNAL = {IRE Transactions on Electronic Computers},
+YEAR = {1957}, VOLUME = {EC-6},
+NUMBER = {}, PAGES = {175-182}, MONTH = sep }
+
+@PhDThesis{Neumann61,
+Author={P.G. Neumann},
+School={Department of Applied Mathematics, Harvard University},
+Title={Efficient Error-Limiting Variable-Length Codes},
+Year={1961}, Month=may,
+Note ={Published as report BL-28,
+ Theory of Switching, The Computation Laboratory, Harvard University.}}
+
+@Book{Neumann60,
+Author={P.G. Neumann},
+Publisher={Thesis for Dr rerum naturum degree,
+ Department of Mathematics and Physics, Technische Hochschule,
+ Darmstadt, Germany},
+Title={Funktionale Prefixcodes als Grundlage der praktischen
+ Verschul\"{u}sselung},
+Year={1960}, Month=jun}
+
+@ARTICLE{NeumannRao75,
+Author={P.G. Neumann and T.R.N. Rao},
+TITLE = {Error Correction Codes for Byte-Organized Arithmetic Processors},
+JOURNAL = {IEEE Transactions on Computers}, YEAR = {1975}, VOLUME = {C-24},
+NUMBER = {3}, PAGES = {226-232}, MONTH = mar }
+
+@ARTICLE{Neumann62a,
+Author={P.G. Neumann},
+TITLE = {Efficient Error-Limiting Variable-Length Codes},
+JOURNAL = {IRE Transactions on Information Theory},
+YEAR = {1962}, VOLUME = {IT-8},
+NUMBER = {}, PAGES = {292-304}, MONTH = jul }
+
+@ARTICLE{Neumann62b,
+Author={P.G.
Neumann},
+TITLE = {On a Class of Efficient Error-Limiting Variable-Length Codes},
+JOURNAL = {IRE Transactions on Information Theory}, YEAR = {1962},
+VOLUME = {IT-8},
+NUMBER = {}, PAGES = {S260-266}, MONTH = sep }
+
+@ARTICLE{Neumann63,
+Author={P.G. Neumann}, TITLE = {On Error-Limiting Variable-Length Codes},
+JOURNAL = {IEEE Transactions on Information Theory}, YEAR = {1963},
+VOLUME = {IT-9}, NUMBER = {}, PAGES = {209}, MONTH = jul }
+
+@ARTICLE{Neumann64,
+Author={P.G. Neumann},
+TITLE = {Error-Limiting Coding Using Information-Lossless Sequential Machines},
+JOURNAL = {IEEE Transactions on Information Theory},
+YEAR = {1964}, VOLUME = {IT-10},
+NUMBER = {}, PAGES = {108-115}, MONTH = apr }
+
+@ARTICLE{Neumann65,
+Author={P.G. Neumann},
+TITLE = {A Note on {Gilbert} Burst-Correcting Codes},
+JOURNAL = {IEEE Transactions on Information Theory},
+YEAR = {1965}, VOLUME = {IT-11},
+NUMBER = {}, PAGES = {377-384}, MONTH = jul }
+
+@article{Mealy55,
+Key = {Mealy}, Author = {G.H. Mealy},
+Title = {A method for synthesizing sequential circuits},
+journal = {Bell System Technical Journal}, year = {1955}, volume = {34},
+number = {}, pages = {1045--79}, month = sep }
+
+@TechReport{Baron+87,
+Key={Baron}, Author={R. {Baron et al.}}, Title={Mach Kernel Interface Manual},
+Institution={Computer Science Department, Carnegie-Mellon University,
+Pittsburgh, Pennsylvania}, Month=apr, Year=1987 }
+
+@InProceedings{BranstadTMachDesign87, Author={M.A. Branstad and P.S. Cochrane
+and H. Orman and J. Landauer and T. Parenty and T. Haley and D. Dalva and D.
+Baggett}, Title={Trusted {M}ach Design Issues}, Booktitle={Proceedings of
+the Third Aerospace Computer Security Applications Conference},
+Month=dec, Year=1987 }
+
+@InProceedings{Branstad+87, Author={M.A. Branstad and P.S. Cochrane and H.
+Orman and J. Landauer and T. Parenty and T. Haley and D. Dalva and D.
Baggett},
+Title={Trusted {M}ach Design Issues}, Booktitle={Proceedings of the Third
+Aerospace Computer Security Applications Conference}, Month=dec,
+Year=1987 }
+
+@inproceedings{Branstad+89,
+author={M.A. Branstad and H. Tajalli and F. Mayer and
+D. Dalva}, title={Access Mediation in a Message Passing Kernel},
+booktitle={Proceedings of the IEEE Symposium on Security and Privacy},
+address={Oakland, California}, pages={66--72}, month=may, year=1989 }
+
+@InProceedings{BranstadSecurityTMach88,
+Author={M.A. Branstad and H. Tajalli and F. Mayer},
+Title={Security Issues of the {T}rusted {M}ach System},
+Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference},
+Month=dec,
+Year=1988 }
+
+@InProceedings{xBranstadAccessMed88,
+Author={M.A. Branstad and F.L. Mayer},
+Title={Access Mediation in Server-Oriented Systems: An Examination of Two Systems},
+Booktitle={Proceedings of the Eleventh National Computer Security Conference},
+Month=oct,
+Year=1988 }
+
+@InProceedings{BranstadMayer88Server,
+Author={M.A. Branstad and F.L. Mayer},
+Title={Access Mediation in Server-Oriented Systems: An Examination of Two
+Systems}, Booktitle={Proceedings of the Eleventh National Computer Security
+Conference}, Month=oct, Year=1988 }
+
+@TechReport{xBranstadMayer88ServerReport,
+Author={M.A. Branstad and F.L. Mayer}, key ={Branstad},
+title={Access Mediation in Server-Oriented Systems: An Examination of Two Systems},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland},
+number={Report 159},
+month=feb, year={1988} }
+
+@TechReport{Branstad88Extensions,
+Author={M.A. {Branstad et al.}}, key ={Branstad},
+title={Trust Extensions to the {M}ach Message Passing System},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988} }
+
+@TechReport{TMachKernel89,
+Author={D.I.
Dalva},
+title={Mach Kernel Modifications for the Implementation of the Security Policy},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={19}, month=sep }
+
+@TechReport{TMachName89,
+Author={H. Tajalli and J. Graham},
+title={Trusted {Mach} Name Server Interface Document},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={15}, month=sep }
+
+@TechReport{TMachFile89,
+Author={J. Graham},
+title={Trusted {Mach} File Server Interface Document},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={15}, month=sep }
+
+@TechReport{TMachAudit89,
+Author={J. Graham},
+title={Trusted {Mach} Audit Server Interface Document},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={19}, month=sep }
+
+@TechReport{TMachVerif89,
+Author={K.D. Hendriksen and J. Graham},
+title={Trusted {Mach} Verification Server Interface Document},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={15}, month=sep }
+
+@TechReport{TMachShell89,
+Author={D. Baggett and J. Graham},
+title={Trusted {Mach} Trusted Shell and Trusted Administrator Shell
+Administrator's Guide},
+institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
+year={1988}, day={30}, month={August} }
+
+@inproceedings{BranstadLandauer89,
+author={M.A. Branstad and J. Landauer},
+title={Assurance for the {Trusted Mach} Operating System},
+BookTitle={Proceedings of the Fourth Annual Conference on Computer
+Assurance COMPASS '89}, Organization={IEEE}, Month=jun, year={1989},
+Pages={9--13}}
+
+@TechReport{RomulusIntegrity91,
+Author={}, key ={Rome Laboratory},
+title={Romulus Theories of Integrity},
+institution={Rome Laboratory},
+number={},
+year={1991}, month=oct }
+
+@TechReport{Feiertag90DTMach,
+Author={E.J. Sebes and R.J.
Feiertag}, key ={Sebes},
+title={Distributed {Trusted Mach} Concept Exploration},
+institution={Rome Laboratory},
+number={RL-TR-91-246},
+year={1991}, month=sep, NOTE={Final Technical Report.} }
+
+@InProceedings{Cronus86,
+Author={R. Schantz and R. Thomas and G. Bono},
+Title={The Architecture of the {C}ronus Distributed Operating System},
+Booktitle={Proceedings of the {IEEE} Sixth International Conference on
+Distributed Computing Systems}, Month=may, Year={1986}, pages={250--259} }
+
+@TechReport{Cronus88,
+Author={BBN}, Title={Cronus System/Subsystem Specification},
+Institution={5884 Revision 1.7, BBN Communications Corp.},
+Month=jan, Year={1989}}
+
+@Book{Firschein,
+Author="O. Firschein and M.P. Georgeff and W. Park and P.
+Cheeseman and J. Goldberg and P.G. Neumann and W.H. Kautz and K.N. Levitt and
+R.J. Rom and A.A. Poggio", Title="Artificial Intelligence for {S}pace {S}tation
+Automation: Crew Safety, Productivity, Autonomy, Augmented Capability",
+Publisher= "Noyes, Park Ridge NJ", Key="Firschein", Year="1986", Note="(This
+book is a verbatim copy of an SRI report, ``NASA Space Station Automation:
+AI-Based Technology Review'', May 1985.)" }
+
+@InProceedings{Barton63,
+Author={R.S. Barton},
+Title={A Critical Review of the State of the Programming Art},
+Booktitle={Proceedings of the Spring Joint Computer Conference},
+volume=23,
+publisher={AFIPS Press},
+address={Montvale, New Jersey},
+Month =may,
+Year=1963,
+pages = {169--177} }
+
+@inProceedings{DaleyNeumann,
+key="Daley", Author="Robert C. Daley and Peter G. Neumann",
+Title="A General-Purpose File System for Secondary Storage",
+Booktitle="{AFIPS} Conference Proceedings, Fall Joint Computer Conference",
+Publisher="Spartan Books", Year="1965", Month=nov, Pages="213--229"}
+
+@InProceedings{Neumann69,
+Key = {}, Author = {P.G.
Neumann},
+Title = {The Role of Motherhood in the Pop Art of System Programming},
+Booktitle = {Proceedings of the {ACM} Second Symposium on Operating Systems
+Principles, Princeton, New Jersey},
+Organization = {ACM}, Address = {}, Year = {1969},
+Pages={13--18}, Month = oct,
+Note = {http://www.multicians.org/pgn-motherhood.html}
+}
+
+@inProceedings{Neumann71,
+key="Neumann",Author="P.G. Neumann", Title="System
+Design for Computer Networks", Booktitle="Computer-Communication Networks
+(Chapter 2)", Note ="N. Abramson and F.F. Kuo (editors)", Publisher =
+"Prentice-Hall",Year="1971",Pages="29--81"}
+
+@Book{AbramsonKuo,
+Author="N. Abramson and F.F. Kuo (editors.)",
+Title="Computer-Communication Networks",
+Publisher = "Prentice-Hall",Year="1971"}
+
+@TechReport{ARPA73,
+Key="Neumann", Author="P.G. Neumann and J. Goldberg and
+K.N. Levitt and J.H. Wensley", Title="A Study of Fault-Tolerant Computing",
+Institution="Stanford Research Institute, Menlo Park, California",
+Year="1973", Month=jul,
+Type="Final Report for {ARPA}, {AD} 766 974"}
+
+@InProceedings{CAPRI,
+Author="P.G. Neumann",
+Title="Experiences with Formality in Software Development",
+Booktitle="Theory and Practice of Software Technology",
+Note ="D. Ferrari, M. Bolognani, and J. Goguen (editors)",
+Publisher = "North-Holland",Year="1983",Pages="203--219",
+Note="Reprinted in Rein Turn, editor, {\it Advances in Computer Security},
+Volume 2, Artech House, 1984."}
+
+@inProceedings{ZEN,
+Author="P.G. Neumann",
+Title="Psychosocial Implications of Computer Software Development and
+Use: Zen and the Art of Computing",
+Booktitle="Theory and Practice of Software Technology",
+Note ="D. Ferrari, M. Bolognani, and J. Goguen (editors).",
+Publisher = "North-Holland",
+Year="1983", Pages="221--232"}
+
+@book{LeeTiger,
+Author={M. Lee and E. Lee and J.
Johnstone},
+Title={Ride the Tiger to the Mountain},
+Publisher={Addison-Wesley, Reading, Massachusetts},
+Year={1989} }
+
+@BOOK{LeeTigerx,
+Note={ISBN 0-201-18077-4.} }
+
+@TechReport{RADC81,
+Key="Lamport", Author="L. Lamport and W.H. Kautz and P.G.
+Neumann and R.L. Schwartz and P.M. Melliar-Smith", Title="Formal Techniques for
+Fault Tolerance in Distributed Data Processing",
+Institution="Computer Science Laboratory, SRI International, Menlo Park,
+California", Year="1981", Month=apr,
+Note="For Rome Air Development Center"}
+
+@TechReport{NeumannLamport83,
+Key="Neumann", Author="P.G. Neumann and L. Lamport",
+Title="Highly Dependable Distributed Systems",
+Institution="Computer Science Laboratory, SRI International, Menlo Park,
+California", Year="1983", Month=jun,
+Note="Final Report, Contract No. DAEA18-81-G-0062, for U.S. Army CECOM."}
+
+@TechReport{Neumann+lamportXXX,
+ Key={Neumann},
+ Author={P.G. Neumann and L. Lamport},
+ Institution={Computer Science Laboratory, SRI International},
+ Title={Highly Dependable Distributed Systems},
+ Year={1983},
+ Month=jun,
+ Type={Final Report, Contract No. DAEA18-81-G-0062}
+ }
+
+@Article{Neumann86,
+Title="On Hierarchical Design of Computer Systems for Critical Applications",
+Author="P.G. Neumann",
+Journal="{IEEE} Transactions on Software Engineering",
+Year="1986", Volume="SE-12", Number="9", Month=sep,
+Page="905--920",Key="Neumann",
+Note="Reprinted in Rein Turn, editor, {\it Advances in
+Computer System Security}, Vol. 3, Artech House, Dedham, Massachusetts, 1988" }
+
+@InProceedings{Neely,
+ Key="Neely", Author="R.B. Neely and J.W. Freeman",
+ BookTitle="Proc. 1985 Symposium on Security and Privacy",
+ Organization="IEEE Computer Society",
+ Title="Structuring Systems for Formal Verification",
+ Address="Oakland, California", Year="1985", Month=apr, pages=""}
+
+@article{Ames83,
+Key="Ames",
+author = "S.R. {Ames Jr.} and M. Gasser and R.R.
Schell",
+title = "Security Kernel Design and Implementation: An Introduction",
+Month=jul, Year="1983", Journal="IEEE Computer", Volume="16", Number="7",
+Pages="14-22"}
+
+@article{Schell83,
+Key="Schell", author = "R. Schell",
+title = "A Security Kernel for a Multiprocessor Microcomputer",
+Month=jul, Year="1983", Journal="IEEE Computer", Volume="16", Number="7",
+Pages="47-53"}
+
+@InProceedings{Arbo89,
+ Key = "Arbo",
+ Author = "R.S. Arbo and E.M. Johnson and R.L. Sharp",
+ Title = "Extending Mandatory Access
+ Controls to a Networked MLS Environment",
+ Booktitle = "Proc. 12th National Computer Security Conference",
+ Organization = "NCSC/NIST", Address = "Baltimore", Year = "1989",
+ Pages="286-295", month=oct }
+
+@book{Kane89,
+author={P. Kane}, title={{V.I.R.U.S.}, Protection of {V}ital
+{I}nformation {R}esources {U}nder {S}iege}, publisher={Bantam Software
+Library, New York}, year=1989 }
+
+@article{parnasmay,
+Title="A Technique for Software Module Specification with Examples",
+Author="D.L. Parnas",
+Journal="Communications of the ACM", Volume="15", Number="5",
+Month=may, Year="1972", Page="330--336"}
+
+@Article{parnas72,
+Title="On the Criteria to be Used in Decomposing Systems
+into Modules", Journal="Communications of the ACM", Year="1972",
+Month=dec, Page="1053--1058",Author="D.L. Parnas", Volume="15",
+Number="12"}
+
+@ARTICLE{Courtois71,
+Author={P.J. Courtois and F. Heymans and D.L. Parnas},
+TITLE = {Concurrent Control with Readers and Writers},
+JOURNAL = {Communications of the ACM}, YEAR = {1971}, VOLUME = {14},
+NUMBER = {10}, PAGES = {667-668}, MONTH = oct }
+
+@InProceedings{ParnasPrice73,
+Author = {D.L. Parnas and W.R. Price},
+Title = {The Design of the Virtual Memory Aspects of a Virtual Machine},
+Booktitle = {Proceedings of the ACM SIGARCH-SIGOPS Workshop on Virtual
+Computer Systems},
+Organization = {ACM}, Address = {},
+Year = {1973},
+Pages={}, Month = mar }
+
+@InProceedings{ParnasPrice74,
+Author={D.L. Parnas and W.R.
Price},
+TITLE = {Design of a Non-Random Access Virtual Memory Machine},
+Booktitle = {Proceedings of the International Workshop On Protection in
+ Operating Systems},
+YEAR = {1974}, Location = {IRIA, Rocquencourt, France},
+VOLUME = {},
+NUMBER = {}, PAGES = {177--181}, MONTH = aug }
+
+@ARTICLE{ParnasSiewiorek75,
+Author={D.L. Parnas and D.L. Siewiorek},
+TITLE = {Use of the Concept of Transparency in the
+ Design of Hierarchically Structured Systems},
+JOURNAL = {Communications of the ACM}, YEAR = {1975}, VOLUME = {18},
+NUMBER = {7}, PAGES = {401-408}, MONTH = jul }
+
+@InProceedings{Parnas75ICRS,
+Author={D.L. Parnas},
+TITLE = {The Influence of Software Structure on Reliability},
+Booktitle = {Proceedings of the International Conference on Reliable Software},
+YEAR = {1975}, Location = {Los Angeles, California},
+PAGES = {358--362}, MONTH = apr,
+NOTE = {Reprinted with improvements in R. Yeh,
+{\it Current Trends in Programming Methodology I}, Prentice-Hall, 1977,
+111--119.} }
+
+@TechReport{ParnasHandzel75,
+author={D.L. Parnas and G. Handzel},
+Title={More on Specification Techniques for Software Modules},
+institution= {Fachbereich Informatik, Technische Hochschule Darmstadt,
+Research Report BS I 75/1},
+address={Germany}, month =apr, Year=1975 }
+
+@ARTICLE{Parnas76,
+Author={D.L. Parnas},
+TITLE = {On the Design and Development of Program Families},
+JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {1976}, VOLUME = {SE-2},
+NUMBER = {1}, PAGES = {1--9}, MONTH = mar }
+
+@ARTICLE{Parnas+85,
+Author={D.L. Parnas and P.C. Clements and D.M. Weiss},
+TITLE = {The Modular Structure of Complex Systems},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1985},
+VOLUME = {SE-11}, NUMBER = {3}, PAGES = {259--266}, MONTH = mar }
+
+@inproceedings{Neumann74GI,
+author={P.G. Neumann}, title={Toward a Methodology for Designing Large Systems
+and Verifying Their Properties},month=oct,year={1974},
+booktitle={{GI} -- 4.
Jahrestagung}, pages={52--66},
+publisher={Springer-Verlag, Berlin,
+Lecture Notes in Computer Science, Vol. 26},
+editors={G. Goos and J. Hartmanis} }
+
+@InProceedings{buzzword,
+Author = "D.L. Parnas", Title="On a ``Buzzword'':
+Hierarchical Structure", key="Parnas", BookTitle = "Information Processing 74
+(Proceedings of the {IFIP} Congress 1974)", Publisher = "North-Holland,
+Amsterdam", Volume = "Software", Pages="336--339", Year = "1974"}
+
+@InProceedings{ProctorRAP,
+Key={Proctor}, Author={N.E. Proctor}, BookTitle={Proceedings of the 1985
+Symposium on Security and Privacy}, Organization={IEEE Computer Society},
+Title={The Restricted Access Processor: An Example of Formal Verification},
+Address="Oakland, California", Year={1985}, Month=apr, pages={49--55}}
+
+@InProceedings{Fray+86,
+Author={J.-M. Fray and Y. Deswarte and D. Powell},
+BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
+Organization={IEEE Computer Society},
+Title={Intrusion Tolerance Using Fine-Grain Fragmentation-Scattering},
+Address="Oakland, California", Year={1986}, Month=apr, pages={194--201}}
+
+@InProceedings{Deswarte91,
+Author={Y. Deswarte and L. Blain and J.-C. Fabre},
+BookTitle={Proceedings of the 1991 Symposium on Research in
+ Security and Privacy},
+Organization={IEEE Computer Society},
+Title={Intrusion Tolerance in Distributed Computing Systems},
+Address="Oakland, California", Year={1991}, Month=apr, pages={110--121}}
+
+@inproceedings{ProctorWong89,
+author={N.E. Proctor and R. Wong}, title={The
+Security Policy of the {S}ecure {D}istributed {O}perating {S}ystem Prototype},
+booktitle={Proceedings of the Fifth Aerospace Computer Security Applications
+Conference}, address={Tucson AZ}, month=dec, year=1989 }
+
+@article{RochlisEichin89,
+author={J.A. Rochlis and M.W.
Eichin}, title={With
+Microscope and Tweezers: {T}he {W}orm from {MIT's} perspective},
+journal={{Communications of the ACM}}, volume={32}, number={6}, pages={689--698}, month=jun,
+year=1989 }
+
+@article{Seeley89,
+author={D. Seeley}, title={Password Cracking: A Game of
+Wits}, journal={{Communications of the ACM}}, volume={32}, number={6}, pages={700--703},
+month=jun, year=1989 }
+
+@article{Spafford89,
+author={E.H. Spafford}, title={The {I}nternet {W}orm:
+{Crisis} and aftermath}, journal={{Communications of the ACM}}, volume={32}, number={6},
+pages={678--687}, month=jun, year=1989 }
+
+@article{Stoll88,
+author={C. Stoll}, title={Stalking the {W}ily
+{H}acker}, journal={{Communications of the ACM}}, volume={31}, number={5}, pages={484--497},
+month=may, year=1988 }
+
+@book{Stoll89,
+author={C. Stoll}, title={The Cuckoo's Egg: Tracking a Spy
+Through the Maze of Computer Espionage}, publisher={Doubleday,
+New York}, year=1989 }
+
+@manual{TCSEC,
+ title = {Department of {{Defense Trusted Computer System Evaluation Criteria}} ({{TCSEC}})},
+ date = {1985-12-26},
+ note = {\url{https://csrc.nist.gov/CSRC/media/Publications/white-paper/1985/12/26/dod-rainbow-series/final/documents/std001.txt} or \url{https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf}},
+ number = {DoD 5200.28-STD, Orange Book},
+}
+
+@Manual{TCSEC-Glossary,
+Key="NCSC", Author={NCSC}, Title ="Glossary of Computer Security Terms",
+Year ="21 October 1988", Organization ="National Computer
+Security Center", Note ="NCSC-TG-004 Version-1" }
+
+@Manual{TCSEC-TNIold,
+Key="NCSC", Author={NCSC}, Title ="Trusted Network
+Interpretation (TNI)", Year ="31 July 1987", Organization ="National Computer
+Security Center", Note ="NCSC-TG-005 Version-1" }
+
+@Manual{TCSEC-TNI,
+Key="NCSC", Author={NCSC}, Title ="Trusted Network
+Interpretation (TNI)",
+Year ="31 July 1987", Organization ="National Computer
+Security Center", Note ="NCSC-TG-005 Version-1, Red Book" }
+
+@Manual{TCSEC-Guide,
+Key="NCSC", Author={NCSC}, Title="Guidance for
+Applying the Trusted Computer System Evaluation Criteria in Specific
+Environments", date={1985-06},
+Organization="National Computer Security Center", Note="CSC-STD-003-85,
+Yellow Book" }
+
+@Manual{TCSEC-TNI-guide,
+Key="NCSC", Author={NCSC},
+Title ="Trusted Network Interpretation Environments Guideline",
+Year ="1 August 1990", Organization ="National Computer
+Security Center", Note ="NCSC-TG-011 Version-1" }
+
+@Manual{TCSEC-TDI,
+Key="NCSC", Author={NCSC}, Title="Trusted Database
+Management System Interpretation of the Trusted Computer System Evaluation
+Criteria (TDI)", Year="April 1991", Organization="National Computer
+Security Center", Note="NCSC-TG-021, Version-2, Lavender Book" }
+
+@Manual{TCSEC-TVI,
+Key="Trusted", Author={Trusted Information Systems}, Title="A Proposed
+Interpretation of the {TCSEC} for Virtual Machine Monitor Architectures
+{(TVI)}, Volume 1: Strict Separation", Year="draft, 1 May 1990",
+Organization="Trusted Information Systems, Inc., Glenwood, Maryland, TIS Report 325"
+}
+
+@Manual{TCSEC-CSSI,
+Key="NCSC", Author={NCSC}, Title="Computer System
+Subsystem Interpretation of the Trusted Computer System Evaluation Criteria",
+Year="16 September 1988", Organization="National Computer Security Center",
+Note="NCSC-TG-009, Version-1." }
+
+@Manual{NCSC-79-91-Integrity,
+Key="NCSC", Author={NCSC}, Title="Integrity in Automated Information Systems",
+Year="1991", Month=sep,
+Organization="National Computer Security Center",
+Note="C Technical Report 79-91" }
+
+@Manual{ITSEC,
+Author={{European Communities Commission}},
+Title="Information Technology Security Evaluation Criteria (ITSEC), Provisional
+Harmonised Criteria (of France, Germany, the
+Netherlands, and the United Kingdom)", Year="1991", month=jun,
+Note="Version 1.2.
Available from the Office for
+Official Publications of the European Communities, L-2985 Luxembourg,
+item CD-71-91-502-EN-C. Also available from U.K. CLEF, CESG Room 2/0805,
+Fiddlers Green Lane, Cheltenham U.K.
+GLOS GL52 5AJ, or GSA/GISA, Am Nippenkreuz 19, D 5300 Bonn 2, Germany",
+Organization={} }
+
+@MANUAL{ITSECx,
+NOTE = {ISBN 92-826-3004-8} }
+
+@Manual{ITSEC90,
+Author={{European Communities Commission}},
+Title="Information Technology Security
+Evaluation Criteria (ITSEC), Harmonised Criteria of France, Germany, the
+Netherlands, and the United Kingdom", Year="2 May 1990",
+Note="Draft, Version 1, Available from the U.K. CLEF, CESG Room 2/0805,
+Fiddlers Green Lane, Cheltenham U.K. GLOS GL52 5AJ, or GSI/GISA, Am Nippenkreuz
+19, D 5300 Bonn 2, Germany",
+Organization={}
+}
+
+@Manual{CC2000,
+key ="International",
+Author="{International Standards Organization}",
+Title="The Common Criteria for Information Technology Security Evaluation,
+ Version 2.1, ISO 15408",
+Month ="19 September", YEAR = "2000",
+Organization={ISO/NIST/CCIB},
+NOTE = "(\xlink{http://csrc.nist.gov/cc}{http://csrc.nist.gov/cc})"
+}
+
+@TechReport{UKSP01,
+author={U.K.-CESG/DTI},
+Title={{U.K. IT} Security Evaluation and Certification Scheme: Description of
+the Scheme (Publication No. 1, Issue 1.0)},
+institution= {Communications Electronics Security Group (Cheltenham)
+and the Department of Trade and Industry},
+address={}, month ={1 March},
+Year=1991 }
+
+@TechReport{UKSP06,
+author={U.K.-CESG/DTI},
+Title={{U.K. IT} Security Evaluation and Certification Scheme: {U.K.}
+Certified Product List (Publication No.
6)},
+institution= {Communications Electronics Security Group (Cheltenham)
+and the Department of Trade and Industry},
+address={}, month ={1 October},
+Year=1991 }
+
+@Manual{CTCPEC,
+Key="Canada", Author={}, Title={Canadian Trusted Computer Product Evaluation
+Criteria}, Month=dec, Year="1990", Note="Final Draft, version 2.0",
+Organization={Canadian Systems Security Centre, Communications Security
+Establishment, Government of Canada.} }
+
+@Manual{CTCPEC93, Key="Canada",
+Author={{Canadian Systems Security Centre,
+ Communications Security Establishment, Government of Canada}},
+Title={Canadian Trusted Computer Product Evaluation Criteria, Version 3.0e},
+Month=jan, Year="1993" }
+
+@Manual{MoD89-55,
+Author={U.K. Ministry of Defence},
+Title={Draft Interim Defence Standard 00-55,
+Requirements for the procurement of safety critical software in defence
+equipment},
+Year="1989", Note="({DefStan} 00-55)", Organization={U.K. Ministry of Defence} }
+
+@Manual{MoD89-56,
+Author={U.K. Ministry of Defence},
+Title={Draft Interim Defence Standard 00-56,
+Requirements for the analysis of safety-critical hazards},
+Year="1989", Note="({DefStan} 00-56)", Organization={U.K. Ministry of Defence} }
+
+@Manual{MoD91-55,
+Key="MoD", Author={U.K.-MoD}, Title={Interim Defence Standard 00-55,
+The Procurement of Safety-Critical Software in Defence Equipment}, Month="5 April",
+Year="1991", Note="DefStan 00-55; Part 1, Issue 1: Requirements;
+Part 2, Issue 1: Guidance",
+Organization={U.K. Ministry of Defence} }
+
+@Manual{MoD91-56,
+Key="MoD", Author={U.K.-MoD}, Title={Interim Defence Standard 00-56,
+Hazard Analysis and Safety Classification of the Computer
+and Programmable Electronic System Elements of Defence Equipment}, Month="5 April",
+Year="1991", Note="DefStan 00-56", Organization={U.K.
Ministry of Defence} }
+
+@Manual{FedCritI,
+author={}, key={Federal01},
+Title={Federal Criteria for Information Technology Security, {Volume I},
+Protection Profile Development,
+Version 1.0}, institution= {National Institute of Standards and Technology
+and National Security Agency},
+address={}, month =dec, Year=1992 }
+
+@Manual{FedCritII,
+author={}, key={Federal02},
+Title={Federal Criteria for Information Technology Security, {Volume II},
+Registry of Protection Profiles, Version 1.0},
+institution= {National Institute of Standards and Technology
+and National Security Agency},
+address={}, month =dec, Year=1992 }
+
+@InProceedings{Tierney91,
+Author = {M. Tierney},
+Title = {The Evolution of {DefStan} 00-55 and 00-56: an intensification
+of the `formal methods debate' in the {U.K.}},
+Booktitle = {Software Workshop on Policy Issues in Systems and Software
+Development}, Organization = {SPRU}, Address = {Brighton, U.K.},
+Year = {1991}, Pages={}, Month = {18-19 July},
+Note={Available from RCSS, Edinburgh University, 56 George Square,
+Edinburgh EH8 9JU} }
+
+@Manual{TCCSEC,
+Key={USAirForce}, Author={USAF}, Title={Air Force Trusted Critical Computer
+System Evaluation Criteria (TCCSEC)}, day={25}, month={June}, Year={1990},
+Note={Draft}, Organization={U.S. Air Force HQ Electronic Security Command,
+AFCSC/SRVC, San Antonio, TX 78243-5000} }
+
+@Manual{TECSECI,
+Key={USAirForce}, Author={USAF}, Title={Air Force Trusted Embedded Computer
+System Evaluation Criteria Interpretation (TECSECI)}, day={25}, month={June},
+Year={1990},
+Note={Draft}, Organization={U.S. Air Force HQ Electronic Security Command,
+AFCSC/SRVC, San Antonio, TX 78243-5000} }
+
+@InProceedings{Arbo+89,
+Key = "Arbo", Author = "R.S. Arbo and E.M. Johnson and
+R.L.
Sharp", Title = "Extending Mandatory Access Controls to a Networked {MLS}
+Environment", Booktitle = {Proceedings of the Twelfth National Computer Security Conference},
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989",
+Pages="286--295", month=oct }
+
+@InProceedings{Boeing-LAN89,
+Author={Gary R. Stoneburner and Dean A. Snow},
+Booktitle = {Proceedings of the Twelfth National Computer Security Conference},
+Title={The {Boeing MLS LAN:} Headed Towards an {INFOSEC} Security Solution},
+Organization = {NIST/NCSC}, Address = {Baltimore, Maryland},
+Pages = {254--266}, Year = {1989}, Month = {10--13 October} }
+
+@InProceedings{Cohen,
+Key="Cohen", Author = "F. Cohen", Title = "Computer Viruses",
+BookTitle="Seventh DoD/NBS Computer Security Initiative Conference",
+Organization = "National Bureau of Standards, Gaithersburg, Maryland",
+Year="1984", Month="24--26 September",
+Pages="240--263",
+Note="Reprinted in Rein Turn, editor,
+{\it Advances in Computer System Security},
+Vol. 3, Artech House, Dedham, Massachusetts, 1988" }
+
+@inProceedings{Neumann78,
+key="Neumann3", Author="P.G. Neumann",
+Title="Computer Security Evaluation", Booktitle="AFIPS Conference Proceedings,
+NCC", Publisher="AFIPS Press", Year="1978", Month=jan, Pages="1087--1095",
+Note="Reprinted in Rein Turn, editor,
+{\it Advances in Computer Security}, Artech
+House, Dedham, Massachusetts, 1981"}
+
+@InProceedings{Neumann+74,
+Author={P.G. Neumann and R.S. Fabry and K.N. Levitt and L. Robinson
+ and J.H. Wensley},
+TITLE = {On the Design of a Provably Secure Operating System},
+Booktitle = {Proceedings of the International Workshop On Protection in
+ Operating Systems},
+YEAR = {1974}, Location = {IRIA, Rocquencourt, France},
+VOLUME = {},
+NUMBER = {}, PAGES = {161--175}, MONTH = aug }
+
+@InProceedings{Robinson+77,
+Author={L. Robinson and K.N. Levitt and P.G. Neumann and A.R.
Saxena}, +TITLE = {A Formal Methodology for the Design of Operating System Software}, +Booktitle = {R. Yeh (editors), {\it Current Trends in Programming Methodology +I}, Prentice-Hall, 61--110}, year = {1977} } + +@Inproceedings{BoyerElspas75, +Author="R.S. Boyer and B. Elspas and K.N. Levitt", +Title="{SELECT:} {A} formal system for testing and debugging +programs by symbolic execution", Booktitle="Proc. Int. Conf. Reliable +Software", Organization="IEEE", Publisher="IEEE", Pages="234-244", +Year="1975", Month=apr} + +@Techreport{PSOS75, +Author={P.G. Neumann and L. Robinson and K.N. Levitt and R.S. Boyer + and A.R. Saxena}, Title={A Provably Secure Operating System}, +Institution={Computer Science Laboratory +SRI International, Menlo Park, California}, Year={1975}, day={13}, month={June} } + +@Techreport{PSOS77, +Author={P.G. Neumann and R.S. Boyer and R.J. Feiertag and +K.N. Levitt and L. Robinson}, Title={A Provably Secure Operating System: The + System, Its Applications, and Proofs}, +Institution={Computer Science Laboratory +SRI International, Menlo Park, California}, Year={1977}, day={11}, month={February} } + +@Techreport{PSOS, Author={P. G. Neumann and R.S. Boyer and R.J. Feiertag and +K.N. Levitt and L. Robinson}, Title={{A Provably Secure Operating System}: +The System, Its Applications, and Proofs}, Institution={Computer Science +Laboratory, SRI International, Menlo Park, California}, Year={1980}, +Month=may, Note={2nd edition, Report CSL-116} } + +@InProceedings(PSOSreport, +Key="Feiertag", Author="R. J. Feiertag and P. G. Neumann", +Title="The Foundations of a {Provably Secure Operating System} ({PSOS})", +Publisher="AFIPS Press", +Booktitle="Proceedings of the National Computer Conference", +Year="1979", Pages = "329--334", +NOTE = "\url{http://www.csl.sri.com/neumann/psos.pdf}" +) + +@InProceedings{NeumannFeiertag03, +Author="P. G. Neumann and R. J. 
Feiertag", +Title="{PSOS} Revisited", +BookTitle="Proceedings of the 19th Annual Computer Security Applications +Conference (ACSAC 2003), Classic Papers section", +Organization="IEEE Computer Society", +Address="Las Vegas, Nevada", Year="2003", Month=dec, pages="208--216", +NOTE="http://www.acsac.org/ and http://www.csl.sri.com/neumann/psos03.pdf." +} + +@techreport(Feiertag79b, +Author="R.J. Feiertag and K.N. Levitt and P.M. +Melliar-Smith", Title="Tactical {E}xecutive ({TACEXEC}): A Real-Time Secure +Operating System for Tactical Applications", Year="1979", Month=jul, +Institution="Computer Science Laboratory, SRI International", +Note="Final Report, Project 5545", Key="Feiertag79b") + +@Article{proof, +Key="Robinson", Author="L. Robinson and K.N. Levitt", Title="Proof Techniques +for Hierarchically Structured Programs", Journal={Communications of the ACM}, +Year="1977", Volume="20", Number="4", Pages="271--283", Month=apr} + +@ARTICLE{Robinson+Levitt..., +AUTHOR = {Lawrence Robinson and Karl N. Levitt}, +TITLE = {Proof Techniques for Hierarchically Structured Programs}, +JOURNAL = {Communications of the ACM}, YEAR = {1977}, VOLUME = {20}, +NUMBER = {4}, PAGES = {271--283}, MONTH = apr } + +@Article{RobinsonLevitt77..., +Author={L. Robinson and K.N. Levitt}, +Title={Proof Techniques for Hierarchically Structured Programs}, +Journal={Communications of the ACM}, +volume=20, +number=4, +month=apr, +year=1977 } + +@article{Linden76, +author={T.A. Linden}, +title={Operating System Structures to Support Security and Reliable + Software}, +journal={ACM Computing Surveys}, +volume={5}, number={1}, month=mar, year={1973}, pages={}} + +@InProceedings{KargerHerbert84, +Key="Karger", Author="P.A. Karger and A.J. 
Herbert", +Title="An Augmented Capability Architecture to Support Lattice Security + and Traceability of Access", +BookTitle="Proceedings of the 1984 +Symposium on Security and Privacy", Organization="IEEE Computer Society", +Address="Oakland, California", Year="1984", Month=apr, pages="95--100"} + +@InProceedings{Karger87, +Key="Karger", Author="P.A. Karger", Title="Limiting the +Damage Potential of Discretionary {T}rojan Horses", +BookTitle="Proceedings of the 1987 Symposium on Security and Privacy", +Organization="IEEE Computer Society", +Address="Oakland, California", Year="1987", Month=apr, pages="32--37"} + +@InProceedings{Karger88, +Key="Karger", Author="P.A. Karger", Title="Implementing Commercial +Data Integrity with Secure Capabilities", BookTitle="Proceedings of the 1988 +Symposium on Security and Privacy", Organization="IEEE Computer Society", +Address="Oakland, California", Year="1988", Month=apr, pages="130--139"} + +@InProceedings{Karger78, +Author={P.A. Karger}, +Title={The lattice model in a public computing network}, +Booktitle={Proceedings of the ACM Annual Conference}, +volume=1, +month=dec, +year=1978 } + +@PhDThesis{KargerThesis, + Key={Karger}, Author={P.A. Karger}, + Title={Improving Security and Performance for Capability Systems}, + School={Computer Laboratory, University of Cambridge, + Cambridge, England}, + Year={1988}, Month=oct, Note={Technical Report No. 149} +} + +@InProceedings{KargerSchell74, +Author="P.A. Karger and R.R. Schell", +Title="Multics Security Evaluation: Vulnerability Analysis", +BookTitle="Proceedings of the 18th Annual Computer Security Applications +Conference (ACSAC), Classic Papers section", +Organization="", +Address="Las Vegas, Nevada", Year="2002", Month=dec, pages="", +NOTE="Originally available as U.S. Air Force report +ESD-TR-74-193, Vol. II, Hanscomb Air Force Base, Massachusetts." +} + +@InProceedings{KargerSchell02, +Author="P.A. Karger and R.R. 
Schell", +Title="Thirty Years Later: Lessons from the {Multics} Security Evaluation", +BookTitle="Proceedings of the 18th Annual Computer Security Applications +Conference (ACSAC), Classic Papers section", +Organization="", +Address="Las Vegas, Nevada", Year="2002", Month=dec, pages="", +NOTE="http://www.acsac.org/ ." +} + +@InProceedings{Lee88, +Key="Lee", Author="T.M.P. Lee", Title="Using Mandatory +Integrity", BookTitle="Proceedings of the 1988 +Symposium on Security and Privacy", Organization="IEEE Computer Society", +Address="Oakland, California", Year="1988", Month=apr, pages="140--146"} + +@article{Shoch82, +Title={The {``Worm''} Programs -- Early Experience with a Distributed +Computation}, Author={J.F. Shoch and J.A. Hupp}, Key="", Month=mar, +Year=1982, Journal= {Communications of the ACM}, Volume=25, Number=3, Pages="172--180", +NOTE={Reprinted in Denning (ed.), {\it Computers Under Attack}} } + +@book{Ford82, +Author={D. Ford}, +Title={Three Mile Island: Thirty Minutes to Meltdown}, +Publisher={Viking Press}, +Year={1982}, +NOTE="Sensor-related quote reproduced in {\it ACM SIGSOFT Software Engineering + Notes, 11,} 3, 9--10, July 1986."} + +@techreport{Shockley88, +author={W.R. Shockley}, Title="Implementing the {C}lark/{W}ilson Integrity +Policy Using Current Technology", institution="Gemini Computers, P.O. Box +222417, Carmel California", Year=1988, Note="GCI-88-6-01." } + +@article{MorrisThompson, +Title="Password Security: A Case History", +Author="R. Morris and K. Thompson", Key="Morris", Month=nov, +Year=1979, Journal= {Communications of the ACM}, Volume=22, Number=11, Pages="594--597"} + +@Article{Thompson84, + Key={Thompson}, Author={K.L. Thompson}, Journal={Communications of the ACM}, + Title={Reflections on Trusting Trust}, Year={1984}, + Month=aug, Pages={761--763}, Volume={27}, Number={8} } + +@TechReport{RTMorris85, +author={R.T. 
Morris}, +Title={Computer Science Technical Report 117}, +institution= {AT\&T Bell Laboratories}, +address={Murray Hill, New Jersey}, month ={25 February}, Year=1985} + +@book{Salus, +Author={P. Salus}, +Title={A Quarter-Century of Unix}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={1994} } + +@article(Rosen81, +Key="Rosen", Author="E. Rosen", Title="Vulnerabilities of +Network Control Protocols", Journal="ACM SIGSOFT Software Engineering Notes", +Year="1981", Volume="6", Number="1", Pages="6--8", Month=jan) + +@article{Garman, +Key="Garman", Author="J. Garman", Title="The Bug Heard 'Round the World", +Journal="ACM SIGSOFT Software Engineering Notes", Year="1981", +Month =oct, Volume="6", Number="5", Pages="3--10"} + +@article{Jaffe89, +Key="Jaffe", Author="M. {Jaffe, as reported by P.G. Neumann}", +Title="Aegis, {Vincennes,} and the {Iranian} {Airbus}", +Journal="ACM SIGSOFT Software Engineering Notes", +Year="1989", Volume="14", Number="5", Pages="20--21", Month=jul} + +@InProceedings{YoungMcHugh, +Key="Young", Author="W.D. Young and J. McHugh", +Title="Coding for a Believable Specification to Implementation Mapping", +BookTitle="Proceedings of the 1987 Symposium on Security and Privacy", Organization="IEEE +Computer Society", Address="Oakland, California", Year="1987", Month=apr, +pages="140--148"} + +@InProceedings{ClarkWilson87, +Author="D.D. {Clark and D.R. Wilson}", +Title="A Comparison of Commercial and Military Computer Security Policies", +BookTitle="Proceedings of the 1987 Symposium on Security and Privacy", Organization="IEEE +Computer Society", Address="Oakland, California", Year="1987", Month=apr, +pages="184--194"} + +@InProceedings{ClarkWilson87x, +NOTE = {IEEE 87CH2416-6, ISBN 0-8186-0771-8.}} + +@InProceedings{Lipner82, +Key="Lipner", Author = "S.B. 
Lipner", +Title="Non-Discretionary Controls for Commercial Applications", Year="1982", +Pages="2--10", Booktitle="Proceedings of the 1982 Symposium on Security and +Privacy", Publisher="IEEE", Note="Oakland, California, 26--28 April 1982" } + +@InProceedings(Sebe88, +Author="M.M. Sebring and E. Shellhouse and M.E. Hanna and R.A. Whitehurst", +Title="Expert System in Intrusion Detection: A Case Study", +BookTitle="Eleventh National Computer Security Conference", +Address = "Baltimore, Maryland", Year="1988", Month=oct) + +@InProceedings{GarveyLunt90, +Author={T.D. Garvey and T.F. Lunt}, +Title={Multilevel Security for Knowledge-based Systems}, +Booktitle={Proceedings of the EISS Workshop on Database Security}, +address={European Institute for System Security, Karlsruhe, Germany}, +month=apr, +Year=1990 } + +@TechReport{GarveyLuntReport90, +author={T.D. Garvey and T.F. Lunt}, +Title="Multilevel Security for Knowledge Based Systems", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1990 } + +@InProceedings(Lunt88, +Key="Lunt", Author="T.F. Lunt", +Title="Automated Audit Trail Analysis and Intrusion Detection: A Survey", +BookTitle="Eleventh National Computer Security Conference", +Address = "Baltimore, Maryland", Year="1988", Month=oct) + +@InProceedings{LuntJagannathan88, +Key="Lunt", Author="T.F. Lunt and R. Jagannathan", +Title="A Prototype Real-Time Intrusion-Detection Expert System", +BookTitle="Proceedings of the 1988 Symposium on Security and Privacy", Organization="IEEE +Computer Society", Address="Oakland, California", Year="1988", Month=apr, +pages="59--66"} + +@book{Johnson94, +Author={D. Johnson}, +Title={Computer Ethics (2nd ed.)}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, +Year={1994} } + +@book{Johnson+95, +Author={D. Johnson and H. 
Nissenbaum}, +Title={Computer Ethics and Social Values}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, +Year={1995} } + +@book{ParkerEthics, +Author={D.B. Parker}, Title={Ethical Conflicts in Information and Computer +Science, Technology, and Business}, +Publisher={QED Information Sciences, Wellesley, Massachusetts}, Year={1990} } + +@book{Parker83, +Author={D.B. Parker}, Title={Fighting Computer Crime}, Publisher={Scribner, +New York}, Year={1983} } + +@book{Parker76, +Author={D.B. Parker}, Title={Crime by Computer}, Publisher={Scribner, +New York}, Year={1976} } + +@book{Parker98, +Author={D.B. Parker}, Title={Fighting Computer Crime}, Publisher={John Wiley +\& Sons, New York}, Year={1998} } + +@InProceedings{NeumannParker89, +Key = "Neumann1", Author = "P. G. Neumann and +D.B. Parker", Title = "A Summary of Computer Misuse Techniques", Booktitle = +"Proceedings of the Twelfth National Computer Security Conference", Organization = "NIST/NCSC", +Address = "Baltimore, Maryland", Year = "1989", Pages="396--407", month=oct} + +@Manual{Washcloth1, +title = {A Study of Computer Abuse -- Volume One: Computer Abuse Techniques}, +author = {P.G. Neumann and D.B. Parker}, key={Neumannaa2}, +organization = {SRI International, Menlo Park, California}, +month = {Revised, 2 March}, +year = {1990}, note={Final report for SRI Project 6812, U.S. Government} } + +@Manual{Washcloth2, +title = {A Study of Computer Abuse -- Volume Two: +Information Exploitation Database}, +author = {P.G. Neumann and D.B. Parker}, key={Neumannbb3}, +organization = {SRI International, Menlo Park, California}, +month = {31 July}, +year = {1989}, note={Final report for SRI Project 6812, U.S. Government} } + +@InProceedings{Gasser+89, +Key = "Gasser", +Author = "M. Gasser and A. Goldstein and C. Kaufman and B. 
Lampson", +Title = "The {Digital} Distributed System Security Architecture", +Booktitle = "Proceedings of the Twelfth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989", +Pages="305--319", month=oct } + +@InProceedings{RussellSchaefer89, +Key = "Russell", Author = "T.T. Russell and +M. Schaefer", Title = "Toward a High {B} +Level Security Architecture for the {IBM} +{ES/3090} Processor Resource/Systems Manager {(PR/SM)}", +Booktitle = "Proceedings of the Twelfth +National Computer Security Conference", Organization = "NIST/NCSC", Address = +"Baltimore, Maryland", Year = "1989", Pages="184--196", month=oct } + +@InProceedings{Smid+89, +Key = "Smid", Author = "M. Smid and J. Dray and R.B.J. +Warnar", Title = "A Token Based Access Control System for Computer Networks", +Booktitle = "Proceedings of the Twelfth National Computer Security Conference", Organization = +"NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989", Pages="232--253", Month = +"10--13 October" } + +@article{Fenton74, +Author={J.S. Fenton}, Title={Memoryless Subsystems}, +Key={Fenton}, Month=may, Year=1974, Journal={Computer Journal}, +Volume=17, Number=2, Pages={143--147}} + +@InProceedings{Denning74, +Key={Denning}, Author={D.E. Denning and P.J. Denning and G.S. Graham}, +BookTitle={Protection in Operating Systems, +Proceedings of the International Workshop on Protection in Operating Systems}, +Organization={IRIA, Rocquencourt, Le Chesnay, France}, +Title={Selectively Confining Subsystems}, Year={1974}, +Month=aug } + +@InProceedings{Jones74, +Key = {Jones}, Author = {A.K. Jones and W.A. 
Wulf}, +Title = {Towards the Design of Secure Systems}, +Booktitle = {Protection in Operating Systems, +Proceedings of the International Workshop on Protection in Operating Systems}, +Organization = {Institut de Recherche d'Informatique}, Address = {Rocquencourt, +Le Chesnay, France}, +Pages={121--135}, date={1974-08-13/1974-08-14}} + +@article{Jones_DesignSecureSystems_1975, + title = {Towards the Design of Secure Systems}, + author = {Jones, Anita K. and Wulf, William A.}, + date = {1975-10}, + journaltitle = {Software: Practice and Experience}, + volume = {5}, + pages = {321--336}, + doi = {10.1002/spe.4380050403}, + abstract = {Within a programmed system, we may distinguish between different kinds of information in order to control the use of each kind by separate security policies, where each policy is tailored to the sensitivity and desired dissemination of that one kind of information. This paper analyses the implications of implementing security policies and describes mechanisms which can be used as the basis for constructing operating systems with the desired security attributes.}, + langid = {english}, + number = {4} +} + +@InProceedings{CohenJefferson75, + title = {Protection in the {{Hydra Operating System}}}, + booktitle = {Proceedings of the Fifth {{ACM}} Symposium on {{Operating}} Systems Principles}, + author = {Cohen, Ellis and Jefferson, David}, + date = {1975-11-01}, + pages = {141--160}, + publisher = {{Association for Computing Machinery}}, + location = {{New York, NY, USA}}, + doi = {10.1145/800213.806532}, + abstract = {This paper describes the capability based protection mechanisms provided by the Hydra Operating System Kernel. These mechanisms support the construction of user-defined protected subsystems, including file and directory subsystems, which do not therefore need to be supplied directly by Hydra. 
In addition, we discuss a number of well known protection problems, including Mutual Suspicion, Confinement and Revocation, and we present the mechanisms that Hydra supplies in order to solve them.}, + isbn = {978-1-4503-7863-5}, + keywords = {Capability,Confinement,Mutual suspicion,Operating system,Protected subsystem,Protection,Protection problem,Revocation,Type}, + series = {{{SOSP}} '75} +} + +@book{Wulf81, + Title={Hydra/{C.mmp}: An Experimental Computer System}, + Author={W.A. Wulf and R. Levin and S.P. Harbison}, + Year={1981}, + publisher={McGraw-Hill, New York}, + } + +@InProceedings{Denning83, +Key={Denning}, Author={D.E. Denning}, BookTitle={Proceedings of CRYPTO '83}, +Organization={UCSB}, Title={Field Encryption and Authentication}, Year={1983}, +Month=aug } + +@TechReport{Kramer81, Key={Kramer}, Author={S.M. Kramer}, Institution={Mitre +Corporation}, Title={The {Ina} {Jo} Flow Table Generator}, Year={1981}, +Month=feb, Number={WP23103}, Address={Bedford, Massachusetts}, Type={Working +Paper} } + +@inproceedings{Rushby81, +key={Rushby}, author={J.M. Rushby} +,title={The Design and Verification of Secure Systems} +,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles} ,address={Asilomar, California} +,month=dec ,year={1981} ,pages={12--21} , +note={(ACM Operating Systems Review, 15(5)).}, +url ="http://www.csl.sri.com/~{}rushby/abstracts/sosp81" +} + +@inproceedings{Rushby82, +key={Rushby} ,author={J.M. Rushby} ,title={{Proof of Separability}--a +Verification Technique for a Class of Security Kernels} ,month=apr +,year={1982} ,booktitle={Proceedings of the Fifth International Symposium on Programming} +,address={Turin, Italy} ,pages={352--367} , +publisher={M. Dezani-Cianaglini and U. Montanari, eds., Springer-Verlag, +Berlin, Lecture Notes in Computer Science, Vol. 137} } + +@article{HorningRandell73, +author={J. Horning and B. 
Randell}, +title={Process Structuring}, journal={ACM Computing Surveys}, +volume={5}, number={1}, month=mar, year={1973}, pages={}} + +@InCollection{Horning+74, +Publisher = "Springer-Verlag", +Author = "J.J. Horning and H.C. Lauer and P.M. Melliar-Smith and +B. Randell", +Title = "A Program Structure for Error Detection and Recovery", +Year = "1974", Pages = "171-187", Address = "Berlin", +Booktitle = "Operating Systems, Proceedings of an International Symposium, +Notes in Computer Science 16", +Editors = "E. Gelenbe and C. Kaiser" } + +@Article{Anderson+Knight, + Key={Anderson}, + Author={T. Anderson and J.C. Knight}, + Journal={IEEE Transactions on Software Engineering}, + Title={A Framework for Software Fault Tolerance in Real-Time Systems}, + Year={1983}, + Month=may, + Pages={355--364}, + Volume={SE-9}, + Number={3} + } + +@Book{Anderson+Lee, + Key={Anderson}, + Author={T. Anderson and P.A. Lee}, + Publisher={Prentice-Hall International, Englewood Cliffs, New Jersey}, + Title={Fault-Tolerance: Principles and Practice}, + Year={1981} + } + +@TechReport{Rushby+Randell83b, + Key={Rushby}, + Author={J.M. Rushby and B. Randell}, + Institution={Computing Laboratory, University of Newcastle upon Tyne}, + Title={A Distributed Secure System}, + Year={1983}, + Month=may, + Number={182} + } + +@InProceedings{Rushby+Randell83c, + Key={Rushby}, + Author={J.M. Rushby and B. Randell}, + BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={A Distributed Secure System (Extended Abstract)}, + Pages={127--135}, + Month=apr, + Year={1983} + } + +@Article{Rushby83, +Key={Rushby}, Author={J.M. Rushby and B. Randell}, Journal={IEEE Computer}, +Title={A Distributed Secure System}, Year={1983}, Month=jul, Pages={55--67}, +Volume={16}, Number={7} } + +@TechReport{Feiertag80, +Author={R.J. 
Feiertag}, Title={A Technique for Proving Specifications are +Multilevel Secure}, number={CSL-109}, +Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, month=jan, Year=1980 } + +@Manual{HDM:Handbook, +Key={Robinson}, +Author={L. Robinson and K.N. Levitt and B.A. Silverberg}, +Title={The {HDM} Handbook}, Year={1979}, Month=jun, +Organization={Computer Science Laboratory, SRI International}, +Note={Three Volumes}, Address={Menlo Park, California} } + +@InProceedings{L+N78, +Key={L+N78}, Author={H.C. Lauer and R.M. Needham}, BookTitle={Proceedings of the Second +International Symposium on Operating Systems}, Organization={IRIA, France}, +Title={On the Duality of Operating System Structures}, Year={1978}, +Month=oct, Note={(Reprinted in ACM Operating Systems Review, Vol 13, No +2, April 1979, pp.3--19)} } + +@book{WilkesNeedham79, +Author={M.V. Wilkes and R.M. Needham}, +Title={The {Cambridge} {CAP} Computer and Its Operating System}, +Publisher={Elsevier North Holland, New York}, +Year={1979} } + +@InProceedings{Boebert+Kain, + Key={Boebert}, + Author={W.E. Boebert and R.Y. Kain}, + BookTitle={Proceedings of the Eighth DoD/NBS Computer Security Initiative Conference}, + Title={A Practical Alternative to Hierarchical Integrity Policies}, + Address={Gaithersburg, Maryland}, + Year={1985}, + Month={1--3 October} } + +@Article{YBK85, + author = {W.D. Young and W.E. Boebert and R.Y. Kain}, + title = {Proving a Computer System Secure}, + journal = {Scientific Honeyweller}, + year = 1985, + volume = 6, + number = 2, + month = jul, + pages = {18--27}, + note = {Reprinted in Tutorial: Computer and Network Security, + M.D. Abrams and H.J. Podell, editors, IEEE Computer Society Press, 1987, + pp. 142--157.} +} + +@InProceedings{FLR77, Key={Feiertag}, Author={R.J. +Feiertag and K.N. Levitt and L. 
Robinson}, BookTitle={Proceedings of the Sixth ACM Symposium +on Operating System Principles}, Title={Proving Multilevel Security of a System +Design}, Year={1977}, Month=nov, Pages={57--65} } + +@techreport{B+LP76, +key={Bell76}, author={D.E. Bell and L.J. La Padula}, title={Secure Computer +System: Unified Exposition and {Multics} Interpretation}, +number={ESD-TR-75-306}, institution={The Mitre Corporation}, address={Bedford, +Massachusetts}, month=mar, year={1976}} + +@techreport{B+LP73, key={Bell73}, author={D.E. +Bell and L.J. La Padula}, title={Secure Computer Systems : Volume {I} -- +Mathematical Foundations; Volume {II} -- A Mathematical Model; Volume {III} -- +A Refinement of the Mathematical Model}, number={MTR-2547 (three volumes)}, +institution={The Mitre Corporation}, address={Bedford, Massachusetts}, +month={March--December}, year={1973}} + +@techreport{B+L73a, key={Bell73a}, +author={D.E. Bell and L.J. La Padula}, title={Secure Computer Systems : +Mathematical Foundations}, number={MTR-2547 Vol. I}, institution={Mitre +Corporation}, address={Bedford, Massachusetts}, month=mar, year={1973}} + +@techreport{B+L73b, key={Bell73b}, author={D.E. Bell and L.J. La Padula}, +title={Secure Computer Systems : A Mathematical Model}, number={MTR-2547 Vol. +{II}}, institution={Mitre Corporation}, address={Bedford, Massachusetts}, month=may, +year={1973}} + +@techreport{B+L73c, key={Bell73c}, author={D.E. Bell and L.J. La +Padula}, title={Secure Computer Systems : A Refinement of the Mathematical +Model}, number={MTR-2547 Vol. {III}}, institution={Mitre Corporation}, +address={Bedford, Massachusetts}, month=dec, year={1973}} + +@TechReport{Bell73, +Author={D.E. Bell and L.J. La Padula}, +Title={Secure Computer Systems: Mathematical Foundations and Model}, +Institution={The Mitre Corporation}, +Address={Bedford, Massachusetts}, +number={M74-244}, +Month=may, +Year=1973 } + +@InProceedings{Lampson69, +Author = "B.W. 
Lampson", +Title = "On reliable and extendible operating systems", +Booktitle = "Proceedings of the Second NATO Conference on + Techniques in Software Engineering", +Organization = "NATO", Address = "Rome, Italy", Year = "1969", +Pages="", Month = "" } + +@article{LampsonSturgis76, +author={B.W. Lampson and H. Sturgis}, +title={Reflections on an operating system design}, +journal={Communications of the ACM}, +volume={19}, number={5}, month=may, year={1976}, pages={251--265} } + +@article{lampson73, +key={Lampson}, author={B.W. Lampson}, title={A Note on the Confinement +Problem}, journal={Communications of the ACM}, volume={16}, number={10}, month=oct +,year={1973}, pages={613--615}} + +@InProceedings{LampsonRedund, +author={B.W. Lampson}, +title={Redundancy and Robustness in Memory Protection}, +Booktitle={Information {P}rocessing 74 ({Proceedings of the IFIP Congress} 1974)}, +Publisher={North-Holland, Amsterdam}, +year={1974}, volume = {Hardware II}, pages={128--132}} + +@Article{Fraim, +Key={Fraim}, Author={L.J. +Fraim}, Journal={Computer}, Title={{SCOMP}: A Solution to the Multilevel +Security Problem}, Year={1983}, Month=jul, Pages={26--34}, Volume={16}, +Number={7} } + +@InProceedings{Silverman, +Key={Silverman}, Author={J.M. +Silverman}, BookTitle={Proceedings of the Ninth ACM Symposium on Operating System Principles}, +Title={Reflections on the Verification of the Security of an Operating System}, +Year={1983}, Month=oct, Pages={143--154} } + +@InProceedings{Lipner, +Key={Lipner}, Author={S.B. Lipner}, BookTitle={Proceedings of the Fifth ACM Symposium on +Operating System Principles}, Organization={ACM}, Title={A Comment on the +Confinement Problem}, Year={1975}, Pages={192--196} } + +@TechReport{Denning:Derivation, +Key={Denning}, Author={D.E. 
Denning}, +Institution={Purdue University}, Title={On the Derivation of Lattice Structured +Information Flow Policies}, Year={1976}, Month=mar, Number={CSD TR 180} } + +@Article{Denning:Lattice, +Key={Denning}, Author={D.E. Denning}, Journal={Communications of the ACM}, +Title={A Lattice Model of Secure Information Flow}, Year={1976}, Month=may, +Pages={236--243}, Volume={19}, Number={5} } + +@misc{Goguen:Database, +title = {Secure Database Concepts}, author = {J.A. Goguen}, year = 1982, month = +jun, howpublished = {Working paper prepared for National Academy of Science, +AFSB Summer Study on Multilevel Database Security}, key = {Goguen}} + +@InProceedings{G+M82, +Key={Goguen}, Author={J.A. Goguen and J. +Meseguer}, Title={Security Policies and Security Models}, BookTitle={Proceedings of the 1982 +Symposium on Security and Privacy}, Organization={IEEE Computer Society}, +Address={Oakland, California}, Year={1982}, Month=apr, Pages={11--20} } + +@InProceedings{G+M84, + Key={Goguen}, + Author={J.A. Goguen and J. Meseguer}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Unwinding and Inference Control}, + Year={1984}, + Pages={75--86}, + Month=apr + } + +@misc{G+M:Unwinding, +author = {J.A. Goguen and J. Meseguer}, +title = {Unwinding of Noninterference Assertions}, +year = 1983, +howpublished= {Draft appears in \cite{psos83}}, +key = {Goguen + Meseguer}} + +@techreport{psos83, +author = {P.G. {Neumann et al.}}, +title = {Technology for Provably Secure Systems}, +institution = {Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, +year = 1983, +month = aug, +key = {Neumann} } + +@misc{Goguen:MMS, +title = {Formalization of {Landwehr}-{Heitmeyer} {SMMS} Model}, +author = {J.A. 
Goguen}, +year = 1982, month = jun, +howpublished = {Working paper prepared for National Academy of Science, AFSB + Summer Study on Multilevel Database Security}, +key = {Goguen}} + +@Book{Denning:Book, + Key={Denning}, + Author={D.E. Denning}, + Publisher={Addison-Wesley, Reading, Massachusetts}, + Title={Cryptography and Data Security}, + Year={1982} + } + +@Article{Fenton, + Key={Fenton}, + Author={J.S. Fenton}, + Journal={Computer Journal}, + Title={Memoryless Subsystems}, + Year={1974}, + Month=may, + Pages={143--147}, + Volume={17}, + Number={2} + } + +@TechReport{Rushby:Basis, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computer Science Laboratory, SRI International}, + Title={Mathematical Foundations of the {MLS} Tool for Revised Special}, + Year={1986}, + Address={Menlo Park, California}, + Type={Forthcoming} + } + +@TechReport{Rushby:SRI, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computer Science Laboratory, SRI International}, + Address={Menlo Park, California}, + Title={The {SRI} Security Model}, + Year={Forthcoming} + } + +@TechReport{Rushby:BLP, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computer Science Laboratory, SRI International}, + Address={Menlo Park, California}, + Title={The {Bell} and {La Padula} Security Model}, + Year={1986}, + Month=jun, + Type={Draft Report} + } + +@TechReport{Rushby:Models, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computer Science Laboratory, SRI International}, + Address={Menlo Park, California}, + Title={Computer Security Models}, + Year={1984}, + Type={Draft Internal note}, + Month=apr + } + +@TechReport{Rushby:Comparison, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computer Science Laboratory, SRI International}, + Address={Menlo Park, California}, + Title={Comparison between the {Bell} and {La Padula} and the {SRI} Security Models}, + Year={1986}, + Type={Forthcoming} + } + +@Book{H+U69, + Key={Hopcroft}, + Author={J.E. Hopcroft and J.D. 
Ullman}, + Publisher={Addison-Wesley, Reading, Massachusetts}, + Title={Formal Languages and their Relation to Automata}, + Year={1969} + } + +@InCollection{Mesarovic, + Key={Mesarovic}, + Author={M.D. Mesarovi\'{c}}, + Booktitle={Trends in General Systems Theory}, + Publisher={John Wiley and Sons}, + Title={A Mathematical Theory of General Systems}, + Year={1972}, + Editor={G.J. Klir} + } + +@TechReport{Millen:Models, + Key={Millen}, + Author={J.K. Millen and C.M. Cerniglia}, + Institution={Mitre Corporation}, + Title={Computer Security Models}, + Year={1983}, + Month=sep, + Number={WP25068}, + Address={Bedford, Massachusetts}, + Type={Working Paper} + } + +@TechReport{McLean, + Key={Mclean}, + Author={J. McLean}, + Institution={Naval Research Laboratory}, + Title={A Comment on the ``Basic Security Theorem'' of {Bell} and {La Padula}}, + Year={1983}, + Type={Informal Note} + } + +@InProceedings{Lipner:Panel, + Key={Lipner}, + Author={S.B. Lipner (Moderator)}, + BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Panel Session: {Bell/La Padula} and Alternative Models of Security}, + Month=apr, + Year={1983} + } + +@Manual{Revised:Special, + Author={SRI-CSL}, + Key={HDM}, + Title={{HDM} Verification Environment Enhancements, Interim Report on +Language Definition}, + Year={1983}, + note={SRI Project No. 5727, Contract No. MDA904-83-C-0461}, + Organization={Computer Science Laboratory, SRI International}, + Address={Menlo Park, California} + } + +@InProceedings{Bell:Retrospective, + Key={Bell}, + Author={D.E. Bell}, + BookTitle={Proceedings of the 1983 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Secure Computer Systems: a Retrospective}, + Year={1983}, + Month=apr, + Pages={161--162} + } + +@InProceedings{hinke83, + Key={Hinke}, + Author={T. Hinke and J. Althouse and R.A. 
Kemmerer}, + BookTitle={Proceedings of the 1983 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={{SDC} Secure Release Terminal Project}, + Year={1983}, + Month=apr, + Pages={113--119} + } + +@InProceedings{Hartman84, + Key={Hartman}, + Author={B.A. Hartman}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={A {Gypsy}-Based Kernel}, + Year={1984}, + Month=apr, + Pages={219--225} + } + +@InProceedings{Taylor84, + Key={Taylor}, + Author={T. Taylor}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Comparison Paper between the {Bell} and {La Padula} Model and + the {SRI} Model}, Year={1984}, Month=apr, pages={195--202} } + +@techreport{landwehr82 + ,key={Landwehr} + ,author={C.E. Landwehr and C.L. Heitmeyer} + ,title={Military Message Systems: Requirements and Security Model} + ,number={{NRL} Memorandum Report 4925} + ,institution={Naval Research Laboratory} + ,address={Washington, D.C.} + ,month=sep + ,year={1982}} + +@article{landwehr81 + ,key={Landwehr} + ,author={C.E. Landwehr} + ,title={A Survey of Formal Models for Computer Security} + ,journal={Computing Surveys} + ,volume={13} + ,number={3} + ,month=sep + ,year={1981} + ,pages={247--278}} + +@InProceedings{Graubart, + Key={Graubart}, + Title={A Preliminary Naval Surveillance {DBMS} Security Model}, + Author={R.D. Graubart and J.P.L. Woodward}, + BookTitle={Proceedings of the 1982 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Year={1982}, + Month=apr, + Pages={21--37} + } + +@inproceedings{ames80 + ,key={Ames80} + ,author={S.R. {Ames, Jr.} and J.G. 
Keeton-Williams} + ,title={Demonstrating Security for Trusted Applications on a Security Kernel Base} + ,booktitle={Proceedings of the 1980 Symposium on Security and Privacy} + ,organization={IEEE Computer Society} + ,address={Oakland, California} + ,month=apr + ,year={1980} + ,pages={145--156}} + +@techreport{anderson72 + ,key={Anderson} + ,author={J.P. Anderson} + ,title={Computer Security Technology Planning Study} + ,institution={U.S. Air Force Electronic Systems Division} + ,number={ESD-TR-73-51} + ,month=oct + ,year={1972} + ,note={(Two volumes)}} + +@inproceedings{barnes80 + ,key={Barnes} + ,author={D.H. Barnes} + ,title={Computer Security in the {RSRE PPSN}} + ,booktitle={Networks '80} + ,pages={605--620} + ,organization={Online Conferences} + ,month=jun + ,year={1980}} + +@inproceedings{barnes81 + ,key={Barnes} + ,author={D.H. Barnes} + ,title={The Provision of End To End Security for User Data on an Experimental Packet Switched Network} + ,booktitle={Proceedings of the Fourth International Conference on Software Engineering for Telecommunications Switching Systems} + ,organization={IEE} + ,address={Warwick, England} + ,pages={144--148} + ,month=jul + ,year={1981}} + +@inproceedings{Woodward + ,key={Woodward} + ,author={J.P.L. Woodward} + ,title={Applications for Multilevel Secure Operating Systems} + ,BookTitle={National Computer Conference} + ,Organization={AFIPS Conference Proceedings} + ,Note={Vol. 48} + ,year=1979 + ,pages={319--328}} + +@inproceedings{stotz + ,key={Stotz} + ,author={R. Stotz and R. Tugender and D. Wilczynski} + ,title={{SIGMA}--An interactive message service for the Military +Message Experiment} + ,BookTitle={National Computer Conference} + ,Organization={AFIPS Conference Proceedings} + ,Note={Vol. 48} + ,year=1979 + ,pages={839--846}} + +@InProceedings{Barnes83, + Key={Barnes}, + Author={D.H. 
Barnes}, + BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Month=apr, + Year={1983}, + Title={The Provision of Security for User Data on Packet Switched Networks}, + Pages={121--126} + } + +@Article{Sift, + Key={Melliarsmith}, + Author={P.M. Melliar-Smith and R.L. Schwartz}, + Journal={IEEE Transactions on Computers}, + Title={Formal Specification and Verification of {SIFT}: A +Fault-Tolerant Flight Control System}, + Year={1982}, + Month=jul, + Pages={616--630}, + Volume={C-31}, + Number={7} + } + +@Article{Cheheyl, + Key={Cheheyl}, + Author={M. {Cheheyl et al.}}, + Journal={Computing Surveys}, + Title={Verifying Security}, + Year={1981}, + Month=sep, + Pages={279--339}, + Volume={13}, + Number={3} + } + +@Article{Hebbard, + Key={Hebbard}, + Author={B. {Hebbard et al.}}, + Journal={ACM Operating Systems Review}, + Title={A Penetration Analysis of the Michigan Terminal System}, + Year={1980}, + Month=jan, + Pages={7--20}, + Volume={14}, + Number={1} + } + +@Article{Attanasio, + Key={Attanasio}, + Author={C.R. Attanasio and P.W. Markstein and R.J. Phillips}, + Journal={IBM Systems Journal}, + Title={Penetrating an Operating System: a Study of {VM}/370 Integrity}, + Year={1976}, + Pages={102--116}, + Volume={15}, + Number={1} + } + +@Article{Wilkinson, + Key={Wilkinson}, + Author={A.L. {Wilkinson et al.}}, + Journal={ACM Operating Systems Review}, + Title={A Penetration Study of a {Burroughs} Large System}, + Year={1981}, + Month=jan, + Pages={14--25}, + Volume={15}, + Number={1} + } + +@InProceedings{Linde, + Key={Linde}, + Author={R.R. Linde}, + BookTitle={National Computer Conference}, + Organization={AFIPS Conference Proceedings}, + Title={Operating System Penetration}, + Year={1975}, + Note={Vol. 44}, + Pages={361--368} + } + +@TechReport{Abbott, + Key={Abbott}, + Author={R.P. 
{Abbott et al.}}, + Institution={National Bureau of Standards}, + Title={Security Analysis and Enhancements of Computer Operating Systems}, + Year={1974}, + Note={Order No. S-413558-74} + } + +@InProceedings{Berson79, + Key={Berson}, + Author={T.A. Berson and G.L. {Barksdale Jr.}}, + BookTitle={National Computer Conference}, + Organization={AFIPS Conference Proceedings}, + Note={Vol. 48}, + Title={{KSOS}: Development Methodology for a Secure Operating System}, + Year={1979}, + Pages={365--371} + } + +@InProceedings{McCauley, + Key={Mccauley}, + Author={E.J. McCauley and P.J. Drongowski}, + BookTitle={National Computer Conference}, + Organization={AFIPS Conference Proceedings}, + Note={Vol. 48}, + Title={{KSOS}: The Design of a Secure Operating System}, + Year={1979}, + Pages={345--353} + } + +@TechReport{Craigen:Guard, + Key={Craigen}, + Author={D. Craigen}, + Institution={I.P. Sharp Associates}, + Title={A Formal Specification of the {LSI Guard}}, + Year={1982}, + Month=aug, + Number={TR-5031-82-2}, + Address={Ottawa} + } + +@TechReport{Stahl, + Key={Stahl}, + Author={S. Stahl}, + Institution={Mitre Corporation}, + Title={{LSI Guard} Security Specification}, + Year={1981}, + Month=sep, + Number={MTR 8451}, + Address={Bedford, Massachusetts} + } + +@TechReport{Good:MFM, + Key={Good}, + Author={D.I. Good and A.E. Siebert and L.M. Smith}, + Institution={Institute for Computing Science and Computer Applications, +The University of Texas}, + Title={The Message Flow Modulator, Final Report}, + Year={1982}, + Month=dec, + Number={34}, + Address={Austin, TX} + } + +@InProceedings{Berson83, + Key={Berson}, + Author={T.A. Berson and R.J. Feiertag and R.K. Bauer}, + BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Processor-per-Domain Guard Architecture}, + Month=apr, + Year={1983}, + Pages={120}, + Note={(Abstract only)} + } + +@Article{Bic, + Key={Bic}, + Author={L. 
Bic}, + Journal={Communications of the ACM}, + Title={A Protection Model and its Implementation in a Dataflow System}, + Year={1982}, + Month=sep, + Pages={650--658}, + Volume={25}, + Number={9} + } + +@Article{Voydock, + Key={Voydock}, + Author={V.L. Voydock and S.T. Kent}, + Journal={ACM Computing Surveys}, + Title={Security Mechanisms in High-Level Network Protocols}, + Year={1983}, + Month=jun, + Pages={135--171}, + Volume={15}, + Number={2} + } + +@InProceedings{Denning84, + Key={Denning}, + Author={D.E. Denning}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Cryptographic Checksums for Multilevel Database Security}, + Year={1984}, + Month=apr, + pages={52--61} + } + +@InProceedings{Gold84, + Key={Gold}, + Author={B.D. Gold and R.R. Linde and P.F. Cudney}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={{KVM/370} in Retrospect}, + Year={1984}, + Month=apr, + pages={13--23} + } + +@TechReport{Rushby:Scomp, + Key={Rushby}, + Author={J.M. {Rushby et al.}}, + Institution={Computer Science Laboratory, SRI International}, + Title={{SCOMP}-{CYBER} Security}, + Year={1984}, + Month=feb, + Address={Menlo Park, California}, + Note={(Client Confidential)}, + Type={Final Report, SRI Project 6121} + } + +@TechReport{Ashcroft, + Key={Ashcroft}, + Author={E.A Ashcroft}, + Institution={Computer Science Laboratory, SRI International}, + Title={An Eduction Engine}, + Year={1984}, + Month=apr, + Address={Menlo Park, California}, + Type={Draft Report} + } + +@TechReport{Feiertag:ICN, + Key={Feiertag}, + Author={R.J. 
Feiertag}, + Institution={Sytek Inc.}, + Title={A Model of Security Policy for the Integrated Computer Network}, + Year={1981}, + Month=apr, + Number={SYTEK-TR-81001}, + Address={Mountain View, California} + } + +@TechReport{Rushby81b, + Key={Rushby}, + Author={J.M. Rushby}, + Institution={Computing Laboratory, University of Newcastle upon Tyne}, + Title={Verification of Secure Systems}, + Year={1981}, + Month=aug, + Number={166} + } + +@TechReport{SMSV, + Key={Schwartz}, + Author={R.L. Schwartz, P.M. Melliar-Smith and F.H. Vogt}, + Institution={Computer Science Laboratory, SRI International}, + Title={An Interval Logic for Higher-Level Temporal Reasoning}, + Year={1983}, + Month=feb, + Number={CSL-138}, + Address={Menlo Park, California} + } + +@InProceedings{Pnueli, + Key={Pnueli}, + Author={A. Pnueli}, + BookTitle={Proceedings of the Eighteenth Symposium on Foundations of Computer Science}, + Organization={ACM}, + Title={The Temporal Logic of Programs}, + Year={1977}, + Address={Providence, RI}, + Month=nov, + Pages={46--57} + } + +@InProceedings{Lamport83, + Key={Lamport}, + Author={L. Lamport}, + BookTitle={Information Processing 83}, + Organization={North-Holland}, + Title={What Good is Temporal Logic?}, + Year={1983}, + Address={Paris}, + Editor={R.E.A. Mason}, + Pages={657--668} + } + +@Book{tunis, + Key={Holt}, + Author={R.C. Holt}, Publisher={Addison-Wesley, Reading, Massachusetts}, + Title={Concurrent {Euclid}, the {UNIX} System, and {TUNIS}}, Year={1983} } + +@Book{Thoth, + Key={Cheriton}, + Author={D.R. Cheriton}, + Publisher={North-Holland}, + Title={The {Thoth} System: Multi-Process Structuring and Portability}, + Year={1982}, + Series={Operating and Programming Systems Series} + } + +@inproceedings{Ames81, + key={Ames}, + author={S.R. 
{Ames Jr.}}, + title={Security Kernels: a Solution or a Problem?}, + booktitle={Proceedings of the 1981 Symposium on Security and Privacy}, + month=apr, + year={1981}, + address={Oakland, California}, + organization={IEEE Computer Society}, + pages={141--150}} + +@TechReport{Plan9-91, +author={R. Pike and D. Resotto and K. Thompson and H. Trickey and +T. Duff and G. Holzmann}, +Title={Plan 9: The Early Papers}, +institution= {AT\&T Bell Laboratories}, +address={Murray Hill, New Jersey}, month =jul, +Year=1991, Note={(Computing Science Technical Report 158. +This report contains seven conference papers presented during 1990 and 1991.) } } + +@TechReport{IX-92, +author={J.A. Reeds and M.D. McIlroy}, +Title={The {IX} Multilevel-Secure {UNIX} System}, +institution= {AT\&T Bell Laboratories}, +address={Murray Hill, New Jersey}, month =jan, +Year=1992, Note={Computing Science Technical Report No. 162. +This report contains 5 papers on IX. } } + +@ARTICLE{McIlroy90, +Author={M.D. McIlroy}, TITLE = {Green Light for Bad Software}, +JOURNAL = {Communications of the ACM}, YEAR = {1990}, VOLUME = {33}, +NUMBER = {5}, PAGES = {479}, MONTH = may } + +@BOOK{Holzmann91, +author={G.J. Holzmann}, +title={Design and Validation of Computer Protocols}, +publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1991}} + +@MastersThesis{Fisher, + Key={Fisher}, Author={P.F. Fisher}, + School={Computing Laboratory, University of Newcastle upon Tyne, England}, + Title={An Operating System Security Kernel}, Year={1982}, Month=sep + } + +@Article{Wegner84, + Key={Wegner}, + Author={P. Wegner}, + Journal={IEEE Software}, + Title={Capital-Intensive Software Technology}, + Year={1984}, + Month=jul, + Volume={1}, + Number={3}, + Pages={7--45} + } + +@Article{Andrews83, + Key={Andrews}, + Author={G.R. Andrews and F.B. 
Schneider}, + Journal={ACM Computing Surveys}, + Title={Concepts and Notations for Concurrent Programming}, + Year={1983}, + Month=mar, + Pages={3--43}, + Volume={15}, + Number={1} + } + +@article{Alpern+Schneider, +AUTHOR = {B. Alpern and F.B. Schneider}, +TITLE = {Defining Liveness}, +JOURNAL = {Information Processing Letters}, +YEAR = {1985}, +VOLUME = {21}, +NUMBER = {4}, +PAGES = {181--185}, +MONTH = oct +} + +@book{Schneider97, +Author={F.B. Schneider}, +Title={On Concurrent Programming}, +Publisher={Springer Verlag, New York}, +Year={1997} } + +@Article{Nil:Language, + Key={Parr}, + Author={F.N. Parr and R.E. Strom}, + Journal={IBM Systems Journal}, + Title={{NIL}: A High-Level Language for Distributed Systems Programming}, + Year={1983}, + Pages={111--127}, + Volume={22}, + Number={1/2} + } + +@InProceedings{Nil:Security, + Key={Strom}, + Author={R.E. Strom}, + BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages}, + Title={Mechanisms for Compile-Time Enforcement of Security}, + Year={1983}, + Address={Austin, TX}, + Month=jan, + Pages={276--284} + } + +@InProceedings{Nil:System, + Key={Strom}, + Author={R.E. Strom and S. Yemini}, + BookTitle={Proceedings of the SIGPLAN '83 Symposium on Programming Language +Issues in Software Systems}, + Title={{NIL}: An Integrated Language and System for Distributed Programming}, + Year={1983}, + Address={San Francisco, California}, + Month=jun, + Note={(in SIGPLAN Notices Vol 18, No. 6, June 1983)}, + Pages={73--82} + } + +@Article{Gehani, + Key={Gehani}, + Author={N.H. Gehani and T.A. Cargill}, + Journal={Software--Practice and Experience}, + Title={Concurrent Programming in the {Ada} Language: the Polling Bias}, + Year={1984}, + Month=may, + Pages={413--427}, + Volume={14}, + Number={5} + } + +@InProceedings{Perrine, + Key={Perrine}, + Author={T. Perrine and J. Codd and B. 
Hardy}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={An Overview of the {Kernelized Secure Operating System ({KSOS})}}, + Address={Gaithersburg, Maryland}, + Pages={146--160}, + Year={1984}, + Month=sep + } + +@InProceedings{Barnes84, + Key={Barnes}, + Author={D.H. Barnes}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={Secure Communications Processor Research}, + Address={Gaithersburg, Maryland}, + Pages={312--317}, + Year={1984}, + Month=sep + } + +@InProceedings{Rushby:TCB, + Key={Rushby}, + Author={J.M. Rushby}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={A Trusted Computing Base for Embedded Systems}, + Address={Gaithersburg, Maryland}, + Pages={294--311}, + Year={1984}, + Month=sep + } + +@InProceedings{Rushby:HDM, +Key={Rushby}, Author={J.M. Rushby}, +BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, +Title={The Security Model of {Enhanced HDM}}, Address={Gaithersburg, Maryland}, +Pages={120--136}, Year={1984}, Month=sep } + +@TechReport{Froscher+Carroll, + Key={Froscher}, + Author={J.N. Froscher and J.M. Carroll}, + Institution={Naval Research Laboratory}, + Title={Security Requirements for Navy Embedded Computers}, + Year={1984}, + Month=sep, + Number={5425}, + Type={{NRL} Memorandum Report} + } + +@Article{Leveson84, + Key={Leveson}, + Author={N.G. Leveson}, + Journal={Computer}, + Title={Software Safety in Computer Controlled Systems}, + Year={1984}, + Month=feb, + Pages={48--55}, + Volume={17}, + Number={2} + } + +@InProceedings{Leveson:Kernels, + Key={Leveson}, + Author={N.G. 
{Leveson et al.}}, + BookTitle={Proceedings of the AIAA Twenty-first Aerospace Sciences Meeting}, + Organization={American Institute of Aeronautics and Astronautics}, + Title={Design for Safe Software}, + Address={Reno, NV}, + Year={1983}, + Month=jan + } + +@Article{LevesonYoung14, + Author={Nancy G. Leveson and William Young}, + Journal={Communications of the ACM}, + Title={An Integrated Approach to Safety and Security Based on System Theory}, + Year={2014}, + Month=feb, + Pages={31--35}, + Volume={57}, + Number={2}, + note = {\url{http://www.csl.sri.com/neumann/insiderisks.html}} + } + +@Article{Landwehr:MMM, + Key={Landwehr}, + Author={C.E. Landwehr and C.L. Heitmeyer and J. McLean}, + Journal={ACM Transactions on Computer Systems}, + Title={A Security Model for Military Message Systems}, + Year={1984}, Month=aug, Pages={198--222}, Volume={2}, Number={3} } + +@inproceedings{Accent + ,key={Rashid} + ,author={R. Rashid and G. Robertson} + ,title={{Accent}: A Communications Oriented Network Operating System Kernel} + ,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles} + ,address={Asilomar, California} + ,month=dec + ,year={1981} + ,pages={64--75} + ,note={(ACM Operating Systems Review, Vol. 15, No. 5)}} + +@TechReport{Carlstedt75, +author={J. Carlstedt and R. {Bisbey II} and G. Popek}, +Title={{Pattern-Directed Protection Evaluation}}, +institution= {USC Information Sciences Institute (ISI)}, +number={ISI/SR-75-31}, +address={Marina Del Rey, California}, month =jun, Year=1975} + +@TechReport{Bisbey75, +author={R. {Bisbey II} and G. Popek and J. Carlstedt}, +Title={{Protection Errors in Operating Systems: Inconsistency of a +single data value over time}}, +institution= {USC Information Sciences Institute (ISI)}, +number={ISI/SR-75-4}, +address={Marina Del Rey, California}, month =dec, Year=1975} + +@TechReport{Bisbey76, +author={R. {Bisbey II} and J. Carlstedt and D. 
Chase}, +Title={{Data Dependency Analysis}}, +institution= {USC Information Sciences Institute (ISI)}, +number={ISI/SR-76-45}, +address={Marina Del Rey, California}, month =feb, Year=1976} + +@TechReport{Carlstedt76, +author={J. Carlstedt}, +Title={{Protection Errors in Operating Systems: Validation of +critical conditions}}, +institution= {USC Information Sciences Institute (ISI)}, +number={ISI/SR-76-5}, +address={Marina Del Rey, California}, month =may, Year=1976} + +@TechReport{Hollingworth76, +author={D. Hollingworth and R. {Bisbey II}}, +Title={Protection Errors in Operating Systems: Allocation/Deallocation +Residuals}, +institution= {USC Information Sciences Institute (ISI)}, +address={Marina Del Rey, California}, month =jun, Year=1976} + +@TechReport{Bisbey78, +author={R. {Bisbey II} and D. Hollingworth}, +Title={{Protection Analysis: Project final report}}, +institution= {USC Information Sciences Institute (ISI)}, +address={Marina Del Rey, California}, month ={}, Year=1978} + +@book{LocusBook, +Author={G.J. Popek and B.J. Walker}, +Title={The Locus Distributed System Architecture}, +Publisher={MIT Press, Cambridge, Massachusetts}, +Year={1985} } + +@inproceedings{Locus + ,key={Popek} + ,author={G. Popek et al.} + ,title={{Locus}: A Network Transparent, High Reliability, Distributed +System} + ,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles} + ,address={Asilomar, California} + ,month=dec + ,year={1981} + ,pages={169--177} + ,note={(ACM Operating Systems Review, Vol. 15, No. 5)}} + +@Article{Brownbridge, + Key={Brownbridge}, + Author={D.R. Brownbridge, L.F. Marshall and B. Randell}, + Journal={Software--Practice and Experience}, + Title={The {Newcastle Connection}, or {UNIXes} of the World Unite!}, + Year={1982}, + Month=dec, + Pages={1147--1162}, + Volume={12}, + Number={12} + } + +@InProceedings{cornwell84, + Key={Cornwell}, + Author={M. Cornwell and R. 
Jacob}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={Structure of a Rapid Prototype Secure Military Message System}, + Address={Gaithersburg, Maryland}, + Pages={48--57}, + Year={1984}, + Month=sep + } + +@InProceedings{verdix, + Key={Donaldson}, + Author={A.L. Donaldson}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={A Multi-Level Secure Local Area Network}, + Address={Gaithersburg, Maryland}, + Pages={341--350}, + Year={1984}, + Month=sep + } + +@InProceedings{Macewan84, + Key={Macewan}, + Author={G.H. MacEwan and B. Burwell and Z-J. Lu}, + BookTitle={Proceedings of the 1984 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Multi-Level Security Based on Physical Distribution}, + Year={1984}, + Pages={167--177}, + Month=apr + } + +@article{Heitmeyer+Wilson, + Key={Heitmeyer}, + Author={C.L. Heitmeyer and S.L. Wilson}, + Journal={IEEE Transactions on Communications}, + Title={Military Message Systems: Current Status and Future Directions}, + Year={1980}, + Month=sep, + Pages={1645--1654}, + Volume={COM-28}, + Number={9} + } + +@Article{end-to-end, + Key={Saltzer}, + Author={J.H. Saltzer and D.P. Reed and D.D. Clark}, + Journal={ACM Transactions on Computer Systems}, + Title={End-To-End Arguments in System Design}, + Year={1984}, + Month=nov, + Pages={277--288}, + Volume={2}, + Number={4} + } + +@manual{Views:Proposal, + Key={Denning}, + Author={D.E. Denning and P.G. Neumann}, + Title={Secure Data Views}, + Year={1985}, + Month=mar, + Organization={SRI International}, + Note={Proposal for Research No. ECU 85-203} + } + +@manual{Ocrea:Proposal, + Key={Rushby}, + Author={J.M. Rushby}, + Title={Security Modeling for Complex Systems}, + Year={1984}, + Month=oct, + Organization={Computer Science Laboratory, SRI International}, + Number={Proposal for Research No. 
ECU 84-034R} + } + +@manual{Demonstrator:Proposal, + Key={Rushby}, + Author={J.M. Rushby}, + Title={A Verified Secure ``Demonstrator'' System}, + Year={1984}, + Month=dec, + FullOrganization={Computer Science Laboratory, SRI International}, + Number={Proposal for Research No. ECU 84-103} + } + +@article(VERKI, +Key="Neumann", Author="P.G. {Neumann, editor}", +Title={{VERkshop I}: {V}erification {W}orkshop}, +Journal="ACM SIGSOFT Software Engineering Notes", Year="1980", Volume="5", +Number="3", Pages="4-47", +Month=jul) + +@article{VERKII, +Key="Neumann", Author="P.G. {Neumann, editor}", +Title={{VERkshop II}: {V}erification {W}orkshop}, +Journal="ACM SIGSOFT Software Engineering Notes", Year="1981", Volume="6", +Number="3", Pages="1-63", +Month=jul} + +@article(VERKIII, +Author="K.N. Levitt and S. Crocker and D. {Craigen, editors}", +Title={{VERkshop III}: Verification Workshop}, +Journal="ACM SIGSOFT Software Engineering Notes", Year="1985", Volume="10", +Number="4", Pages="1-136", Month=aug) + +@InProceedings{Macdonald85, + Key={Macdonald}, + Author={R. Macdonald}, + BookTitle={Proceedings of the {VERkshop III}}, + Address={Watsonville, California}, + Title={Verifying a Real System Design: Some of the Problems}, + Year={1985}, + Pages={126--129}, + Month=feb, + Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85} + } + +@article{Clark85, +author={D.D. Clark}, +title={The Structuring of Systems Using Upcalls}, +journal={Operating Systems Review}, +month={}, +vol = {19}, +no = {5}, +pages = {171--180}, +year=1985} + +@Article{Atkins88, + Author={M.S. Atkins}, + Journal={ACM Transactions on Computer Systems}, + Title={Experiments in {SR} with Different Upcall Program Structures}, + Year={1988}, Month=nov, Pages={365--392}, Volume={6}, Number={4} } + +@Book{Modula2, + Key={Wirth}, + Author={N. 
Wirth}, + Publisher={Springer-Verlag, Berlin}, + Title={Programming in {MODULA}-2}, + Year={1982}, + note={second edition}, + Series={Texts and Monographs in Computer Science} + } + +@InProceedings{Anderson:TCB, + Key={Anderson}, Author={E.R. Anderson}, + BookTitle={Proceedings of the 1985 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={{Ada}'s Suitability for Trusted Computer Systems}, + Year={1985}, Address={Oakland, California}, Month=apr, Pages={184--189} + } + +@manual{Fletcher, + Key={Fletcher}, + Author={J.C. Fletcher}, + Organization={Department of Defense}, + Title={Report of the Study on Eliminating the Threat Posed by Nuclear Ballistic Missiles, Volume {V}: Battle Management, Communications, and Data Processing}, + Year={1984}, + Month=feb + } + +@Manual{Eastport, + Key={Eastport}, + Author={Eastport Study Group}, + Title={Report to the Director, {SDIO}}, + Year={December, 1985} + } + +@Article{Lamport:Clocks, + Key={Lamport}, + Author={L.Lamport}, + Journal={Communications of the ACM}, + Title={Time, Clocks, and the Ordering of Events in a Distributed System}, + Year={1978}, + Month=jul, + Pages={558--565}, + Volume={21}, + Number={7} + } + +@Article{Lamport:Specifying, + Key={Lamport}, + Author={L.Lamport}, + Journal={ACM Transactions on Programming Languages and Systems}, + Title={Specifying Concurrent Program Modules}, + Year={1983}, + Month=apr, + Pages={190--222}, + Volume={5}, + Number={2} + } + +@Article{Lamport:Specifying89, + Key={Lamport}, + Author={L. 
Lamport}, + Journal={Communications of the ACM}, + Title={A Simple Approach to Specifying Concurrent Program Systems}, + Year={1989}, + Month=jan, + Pages={32--45}, + Volume={32}, + Number={1} + } + +@Article{Lamport:Timeout, + Key={Lamport}, + Author={L.Lamport}, + Journal={ACM Transactions on Programming Languages and Systems}, + Title={Using Time Instead of Timeout for Fault-Tolerant Distributed Systems}, + Year={1984}, + Month=apr, + Pages={254--280}, + Volume={6}, + Number={2} + } + +@TechReport{Lamport:Interprocess, + Key={Lamport}, + Author={L. Lamport}, + Institution={Computer Science Laboratory, SRI International}, + Title={On Interprocess Communication}, + Year={1985} + } + +@InProceedings{Lamport:Sometime, + Key={Lamport}, + Author={L. Lamport}, + BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages}, + Title={Sometime is Sometimes Not Never}, + Year={1980}, + Month=jan, + Pages={174--185} + } + +@InProceedings{Lamport:Priority, + Key={Lamport}, + Author={L. Lamport}, + BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages}, + Title={What it Means for a Concurrent Program to Satisfy a +Specification: Why No One Has Specified Priority}, + Year={1985}, + Month=jan + } + +@Article{Bernstein+Goodman, + Key={Bernstein}, + Author={P.A. Bernstein and N. Goodman}, + Journal={ACM Computing Surveys}, + Title={Concurrency Control in Distributed Database Systems}, + Year={1981}, + Month=jun, + Pages={185--221}, + Volume={13}, + Number={2} + } + +@TechReport{Panzieri:Rajdoot-techrep, + Key={Panzieri}, + Author={F. Panzieri and S.K. Shrivastava}, + Institution={Computing Laboratory, University of Newcastle upon Tyne}, + Title={{Rajdoot}: a remote procedure call mechanism supporting orphan +detection and killing}, + Year={1985}, + Month=may, + Number={200} + } + +@Article{Traiger, + Key={Traiger}, + Author={I.L. Traiger and J. Gray and C.A. Galtieri and B.G. 
Lindsay}, + Journal={ACM TODS}, + Title={Transactions and Consistency in Distributed Database Systems}, + Year={1982}, + Month=sep, + Pages={323--342}, + Volume={7}, + Number={3} + } + +@Article{Lamport:Reliable, + Key={Lamport}, + Author={L. Lamport}, + Journal={Computer Networks}, + Title={The Implementation of Reliable Distributed Multiprocess Systems}, + Year={1978}, + Pages={95--114}, + Volume={2} + } + +@Article{Shrivastava, + Key={Shrivastava}, + Author={S.K. Shrivastava and F. Panzieri}, + Journal={IEEE Transactions on Computers}, + Title={The Design of a Reliable Remote Procedure Call Mechanism}, + Year={1982}, + Month=jul, + Pages={692--687}, + Volume={C-31}, + Number={7} + } + +@Article{Lamport:Byzantine, + Key={Lamport}, + Author={L. Lamport and R. Shostak and M. Pease}, + Journal={ACM Transactions on Programming Languages and Systems}, + Title={The {Byzantine} Generals Problem}, + Year={1982}, + Month=jul, + Pages={382--401}, + Volume={4}, + Number={3} + } + +@Article{Pease, + Key={Pease}, + Author={M. Pease and R. Shostak and L. Lamport}, + Journal={Journal of the ACM}, + Title={Reaching Agreement in the Presence of Faults}, + Year={1980}, + Month=apr, + Pages={228--234}, + Volume={27}, + Number={2} + } + +@Article{Lamport:Synchronizing, + Key={Lamport}, + Author={L. Lamport and P.M. Melliar-Smith}, + Journal={Journal of the ACM}, + Title={Synchronizing Clocks in the Presence of Faults}, + Year={1985}, + Month=jan, + Pages={52--78}, + Volume={32}, + Number={1} + } + +@InProceedings{Dobson+Randell, + Key={Dobson}, + Author={J.E. Dobson and B. Randell}, + BookTitle={Proceedings of the 1986 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Building reliable Secure Computing Systems out of Unreliable +Unsecure Components}, + Year={1986}, + Address={Oakland, California}, + Month=apr, + Pages={187--193} + } + +@InProceedings{RandellDobson, + Key="Randell", Author="B. Randell and J.E. 
Dobson", + BookTitle="Proceedings of the Fifth Symposium on Reliability in + Distributed Software and Database Systems", + Organization="", + Title="Reliability and Security Issues in Distributed Computing Systems", + Address="Los Angeles, California", Year="1986", Month=jan, pages=""} + +@InProceedings{Haigh+Young, + Key={Haigh}, + Author={J.T. Haigh and W.D. Young}, + BookTitle={Proceedings of the 1986 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Extending the Non-Interference Model of {MLS} for {SAT}}, + Year={1986}, + Address={Oakland, California}, + Month=apr, + Pages={232--239} + } + +@Article{Haigh+Young87, +author={J.T. Haigh and W.D. Young}, +Title={Extending the Non-Interference Model of {MLS} for {SAT}}, +Journal={IEEE Transactions on Software Engineering}, +volume={SE-13}, number=2, pages={141-150}, month=feb, year=1987 } + +@InProceedings{LOCK87, +Key={Saydjari}, Author={O.S. Saydjari and J.M. Beckman +and J.R. Leaman}, Title={{LOCKing} Computers Securely}, + BookTitle={10th National Computer Security Conference, Baltimore, Maryland}, +Year={1987}, Month={21-24 September}, +pages={129-141}, Note={Reprinted in Rein Turn, +editor, {\it Advances in Computer +System Security}, Vol. 3, Artech House, Dedham, Massachusetts, 1988 }} + +@InProceedings{LOCK87-, +Key={Saydjari}, Author={O.S. Saydjari and J.M. Beckman +and J.R. Leaman}, Title={{LOCKing} Computers Securely}, + BookTitle={10th National Computer Security Conference, Baltimore, Maryland}, +Year={1987}, Month={21-24 September}, +pages={129-141} } + +@TechReport{Fine+, +Author={T. Fine and J.T. Haigh and R.C. O'Brien and +D.L. Toups}, Title={An Overview of the {LOCK} {FTLS}}, +Institution={Honeywell}, Month={}, Year=1988 } + +@TechReport{HaighFTLS, +Author={J.T. 
Haigh}, Title={Top Level Security +Properties for the {LOCK} System}, Institution={Honeywell}, Month={}, Year=1988 } + +@TechReport{SCTC-B10, +Author={{Secure Computing Technology Center}}, +Title={{LOCK} Formal Top Level Specification, Volumes 1-6}, +Institution={SCTC}, Month={}, Year=1988 } + +@TechReport{SCTC-007, +Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models, +Final Technical Report, Volume 1: Summary}, +Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 } + +@TechReport{SCTC-B11, +Author={{Secure Computing Technology Center}}, +Title={{LOCK} Software {B}-Specification, Vol. 2}, +Institution={SCTC}, Month={}, Year=1988 } + +@TechReport{SCTC-005, +Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models, +Final Technical Report, Vol. 3: Security in Distributed Systems}, +Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 } + +@TechReport{SCTC-004, +Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models, +Final Technical Report, Vol. 4: Availability in Distributed {MLS} Systems}, +Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 } + +@TechReport{OBrien90, +Author={R.C. {O'Brien} and J.T. Haigh and D.J. Thomsen}, +Title={Trusted Database Consistency Policy}, +Institution={Rome Air Development Center}, +Address={Griffiss Air Force Base, NY}, +number={RADC-TR-90-387}, +Month=dec, Year={1990} } + +@TechReport{MoitraSchneider90, +Author={A. Moitra and E.A. Schneider}, +Title={Basic Technology for {SDI} Computer Security: {SDI} Real Time +Trusted Computer Based Requirements}, +Institution={Rome Air Development Center}, +Address={Griffiss Air Force Base, NY}, +number={RADC-TR-90-435, vol. 
III}, +Month=dec, Year={1990} } + +@manual{Net:Criteria, + Key={DoDCSC}, + Organization={Department of Defense Computer Security Center}, + Title={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security}, + Month=mar, + Year={1985}, + Address={New Orleans, LA} + } + +@InProceedings{Rushby85a, + Key={Rushby}, + Author={J.M. Rushby}, + Booktitle={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security}, + Organization={Publ. by Department of Defense Computer Security Center}, + Title={Report of the Working Group on Verification and Covert Channels}, + Month=mar, + Year={1985}, + Address={New Orleans, LA}, + Pages={7--5 to 7--12} + } + +@InProceedings{Rushby85, + Key={Rushby}, + Author={J.M. Rushby}, + Booktitle={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security}, + Organization={publ. by Department of Defense Computer Security Center}, + Title={Networks are Systems}, + Month=mar, + Year={1985}, + Address={New Orleans, Louisiana}, + Pages={7--24 to 7--37} + } + +@TechReport{Ezhilchelvan, + Key={Ezhilchelvan}, + Author={P.D. Ezhilchelvan and S.K. Shrivastava}, + Institution={Computing Laboratory, University of Newcastle upon Tyne}, + Title={A Characterisation of Faults in Systems}, + Year={1985}, + Month=sep, + Number={206} + } + +@InProceedings{Schell84, + Key={Schell}, + Author={R.R. Schell and T.F. Tao}, + BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference}, + Title={Microcomputer-Based Trusted Systems for Communications and +Workstation Applications}, + Address={Gaithersburg, Maryland}, + Pages={277--290}, + Year={1984}, + Month=sep + } + +@TechReport{Gordon:Why, + Key={Gordon}, + Author={M. 
Gordon}, + Institution={University of Cambridge Computer Laboratory}, + Title={Why Higher-Order Logic is a Good Formalism for Specifying and +Verifying Hardware}, + Year={1985}, + Month=sep, + Number={77} + } + +@TechReport{Gordon:HOL85, + Key={Gordon}, + Author={M. Gordon}, + Institution={University of Cambridge Computer Laboratory}, + Title={{HOL:} A Machine Oriented Formulation of Higher Order Logic}, + Address = {Cambridge, England}, + Year={1985}, + Month=jul, + Number={68} + } + +@Book{Barringer:Book, + Key={Barringer}, + Author={H. Barringer}, + Publisher={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Vol. 191}, + Title={A Survey of Verification Techniques for Parallel Programs}, + Year={1985} + } + +@Book{LCF, + Key={Gordon}, + Author={M. Gordon and R. Milner and C. Wadsworth}, + Publisher={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Vol. 78}, + Title={Edinburgh {LCF}: A Mechanized Logic of Computation}, + Year={1979} + } + +@InProceedings{Barringer:Compose, + Key={Barringer}, + Author={H. Barringer and R. Kuiper and A. Pnueli}, + BookTitle={Proceedings of the Sixteenth ACM Symposium on Theory of Computing}, + Title={Now you May Compose Temporal Logic Specifications}, + Year={1984}, + Address={Washington, D.C.}, + Month=may + } + +@Article{Joseph+Birman, + Key={Joseph}, + Author={T.A. Joseph and K.P. Birman}, + Journal={ACM TOCS}, + Title={Low Cost Management of Replicated Data in Fault-Tolerant +Distributed Systems}, + Year={1986}, + Month=feb, + Pages={54--70}, + Volume={4}, + Number={1} + } + +@Article{Bernstein84, + Key={Bernstein}, + Author={P.A. Bernstein and N. Goodman}, + Journal={ACM TODS}, + Title={An Algorithm for Concurrency Control and Recovery in +Replicated Distributed Databases}, + Year={1984}, + Month=dec, + Pages={596--615}, + Volume={9}, + Number={4} + } + +@InProceedings{Melliar-Smith+Rushby, + Key={Melliar-Smith}, + Author={P.M. Melliar-Smith and J.M. 
Rushby}, + BookTitle={Proceedings of the {VERkshop III}}, + Address={Watsonville, California}, + Title={The {Enhanced HDM} System for Specification and Verification}, + Year={1985}, + Pages={41--43}, + Month=feb, + Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85} + } + +@InProceedings{Musser85, + Author={D.R. Musser}, + BookTitle={Proceedings of the {VERkshop III}}, + Address={Watsonville, California}, + Title={Aids to Hierarchical Specification Structuring and Reusing Theorems in +{AFFIRM-85}}, + Year={1985}, + Pages={2--4}, + Month=feb, + Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85} + } + +@InProceedings{Guttman, + Key={Guttman}, + Author={Joshua Guttman}, + BookTitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={Information Flow and Invariance}, + Pages={67--73}, + Month=apr, + Year={1987} + } + +@manual{EHDM:Userguide, +Author={SRI-CSL}, +Key = {EHDM}, Title= +{E{\sc HDM} Specification and Verification System -- Version 6.1: User's Guide}, +Organization={Computer Science Laboratory, SRI International}, +Year={1992}, Month={March 27,}, Address={Menlo Park, California} } + +@manual{EHDM:Language, +Author={SRI-CSL}, +Key = {EHDM}, +Organization={Computer Science Laboratory, SRI International}, Title={{\sc +Ehdm} Specification and Verification System Version 4.1: Preliminary +Definition of the {EHDM} Specification Language}, Year={1988}, +day={6}, month=sep, Address={Menlo Park, California} } + +@manual{EHDM:Tutorial, AUTHOR = {F. von Henke and J.M. Rushby}, +Key = {EHDM}, +Organization={Computer Science Laboratory, SRI International}, +Title={Introduction to {E\sc HDM}}, Year={1988}, Month=sep, +Address={Menlo Park, California} } + +@manual{EHDM:semantics, AUTHOR = {F. von Henke and N. Shankar and J.M. 
Rushby}, +Key = {EHDM}, +Organization={Computer Science Laboratory, SRI International}, +Title={Formal Semantics of EHDM}, +Year={1988}, Month={September 28,}, Address={Menlo Park, California} } + +@TechReport{EHDM:intro, AUTHOR = {J.M. Rushby and F. von Henke and S. Owre}, +Key = {Rushby}, +Organization={Computer Science Laboratory, SRI International}, +Title={An Introduction to Formal Specification and Verification +Using {EHDM}}, +Number = {SRI-CSL-91-02}, +Year={1991}, Month=feb, Address={Menlo Park, California} } + +@PhDThesis{Rushby77, Key={Rushby}, Author={J.M. Rushby}, School={Computing +Laboratory, University of Newcastle upon Tyne}, Title={{LR}(k) Sparse-Parsers +and their Optimisation}, Year={1977}, Month=sep } + +@InProceedings{CarlsonLunt86, Key="Carlson", + Author="R.A. Carlson and T.F. Lunt", + Title="The Trusted Domain Machine: A Secure Communication Device +for Security Guard Applications", + BookTitle="Proceedings of the 1986 Symposium on Security and Privacy", + Organization="IEEE Computer Society", + Address="Oakland, California", Year="1986", Month=apr, pages="182-186"} + +@InProceedings{Carlson+Lunt86, Key={Carlson}, Author={R.A. Carlson and T.F. +Lunt}, BookTitle={Proceedings of the 1986 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Title={The {Trusted Domain Machine}: a +Secure Communication Device for Security Guard Applications}, Year={1986}, +Address={Oakland, California}, Month=apr, Pages={182--186} } + +@Article{Huguet, Key={Huguet}, Author={M. Huguet}, Journal={ACM Computer +Architecture News}, Title={The Protection of the Processor Status Word of the +{PDP}-11/60}, Year={1982}, Month=jun, Pages={27--30}, Volume={10}, +Number={4} } + +@Article{Popek+Goldberg, +Key={Popek}, Author={G.J. Popek and R.P. 
+Goldberg}, Journal={Communications of the ACM}, Title={Formal Requirements for Virtualizable Third +Generation Architectures}, Year={1974}, Month=jul, Pages={412--421}, +Volume={17}, Number={7} } + +@Article{Saltzer74, +Key={Saltzer}, Author={J.H. Saltzer}, Journal={Communications of the ACM}, +Title={Protection and the Control of Information Sharing in {Multics}}, +Year={1974}, Month=jul, Pages={388--402}, Volume={17}, Number={7} } + +@InProceedings{RedellFabry74, +Author={D.D. Redell and R.S. Fabry}, +TITLE = {Selective Revocation of Capabilities}, +Booktitle = {Proceedings of the International Workshop on Protection in + Operating Systems}, +YEAR = {1974}, Location = {IRIA, Rocquencourt, France}, +VOLUME = {}, +NUMBER = {}, PAGES = {197--209}, MONTH = aug } + +@PhDThesis{Redell74, +Author={D.D. Redell}, School={University of California at Berkeley}, +Title={Naming and Protection in Extendible Operating Systems}, +Note = {Also MIT Project MAC TR-104.}, +Year={1974}, Month={} } + +@Article{Fabry74, +Key={Fabry}, Author={R.S. Fabry}, Journal={Communications of the ACM}, +Title={Capability-Based Addressing}, +Year={1974}, Month=jul, Pages={403--412}, Volume={17}, Number={7} } + +@TechReport{Schiller75, Key={Schiller}, Author={W.L. +Schiller}, Institution={Mitre Corporation}, Title={The Design and Specification +of a Security Kernel for the {PDP}-11/45}, Year={1975}, Month=mar, +Number={MTR-2934}, Address={Bedford, Massachusetts} } + +@TechReport{Smith75, Key={Smith}, +Author={L. Smith}, Institution={Mitre Corporation}, Title={Architectures for +Secure Computer Systems}, Year={1975}, Month=apr, Number={ESD-TR-75-51}, +Address={Bedford, Massachusetts} } + +@Article{Hoare72, Key={Hoare}, Author={C.A.R. Hoare}, +Journal={Acta Informatica}, Title={Proof of Correctness of Data +Representations}, Year={1972}, Pages={271--281}, Volume={1} } + +@Article{Harrison:Protection, Key={Harrison}, Author={M.A. Harrison and W.L. +Ruzzo and J.D. 
Ullman}, Journal={Communications of the ACM}, Title={Protection in Operating +Systems}, Year={1976}, Month=aug, Pages={461--471}, Volume={19}, +Number={8} } + +@Article{Harrison76x, +Author={M.A. Harrison and W.L. Ruzzo and J.D. Ullman}, +Title={Protection in Operating Systems}, +Journal={Communications of the ACM}, +volume=19, +number=8, +month=aug, +year=1976 } + +@inproceedings{Anderson:Evaluation, Key={Anderson}, Author={T. +Anderson and P.A. Barrett and D.N. Halliwell and M.R. Moulding}, Title={An +Evaluation of Software Fault Tolerance in a Practical System}, +Booktitle={Digest of Papers, Fault Tolerant Computing Symposium 15}, +Address={Ann Arbor, Michigan}, +Organization={IEEE Computer Society}, Month=jun, Year={1985}, +Pages={140--145} } + +@Article{Alford85, Key={Alford}, Author={M.W. Alford}, +Journal={Computer}, Title={{SREM} at the Age of Eight; The +Distributed Computing Design System}, Year={1985}, Month=apr, +Pages={36--46}, Volume={18}, Number={4} } + +@Article{Roman85, Key={Roman}, +Author={G--C. Roman}, Journal={Computer}, Title={A Taxonomy of Current +Issues in Requirements Engineering}, Year={1985}, Month=apr, +Pages={14--21}, Volume={18}, Number={4} } + +@Article{Scheffer85, Key={Scheffer}, +Author={P.A. Scheffer and A.H. {Stone III} and W.E. Rzepka}, Journal={IEEE +Computer}, Title={A Case Study of {SREM}}, Year={1985}, Month=apr, +Pages={47--54}, Volume={18}, Number={4} } + +@InProceedings{Silverman83, + Key={Silverman}, + Author={J.M. Silverman}, + Title={Reflections on the Verification of the Security of an Operating System Kernel}, + BookTitle={Proceedings of the Ninth ACM Symposium on Operating Systems Principles}, + Year={1983}, + Address={Bretton Woods, NH}, + Month=oct, + Note={(ACM Operating Systems Review, Vol 17, No. 5)} + } + +@Article{Celko83, + Key={Celko}, + Author={J. Celko and J.S. Davis and J. 
Mitchell}, + Journal={SIGPLAN Notices }, + Title={A Demonstration of Three Requirements Language Systems}, + Year={1983}, + Month=jan, + Pages={9--14}, + Volume={18}, + Number={1} + } + +@Article{Bell77, + Key={Bell}, + Author={T.E. Bell and D.C. Bixler and M.E. Dyer}, + Journal={IEEE Transactions on Software Engineering}, + Title={An Extendable Approach to Computer--Aided Software Requirements Engineering}, + Year={1977}, + Month=jan, + Pages={49--59}, + Volume={SE--3}, + Number={1} + } + +@Article{Alford77, + Key={Alford}, + Author={M.W. Alford}, + Journal={IEEE Transactions on Software Engineering}, + Title={A Requirements Engineering Methodology for Real--Time Processing Requirements}, + Year={1977}, + Month=jan, + Pages={60--69}, + Volume={SE--3}, + Number={1} + } + +@Article{Davis77, + Key={Davis}, + Author={C.G. Davis and C.R. Vick}, + Journal={IEEE Transactions on Software Engineering}, + Title={The Software Development System}, + Year={1977}, + Month=jan, + Pages={69--84}, + Volume={SE--3}, + Number={1} + } + +@Article{Basili84, + Key={Basili}, + Author={V.R. Basili and B.T. Perricone}, + Journal={Communications of the ACM}, + Title={Software Errors and Complexity: {An} Empirical Investigation}, + Year={1984}, + Month=jan, + Pages={42--52}, + Volume={27}, + Number={1} + } + +@Article{Moriconi85, + Key={Moriconi}, + Author={M. Moriconi and D.F. Hare}, + Journal={Computer}, + Title={Visualizing Program Designs through {PegaSys}}, + Year={1985}, + Month=aug, + Volume={18}, + Number={8}, + Pages={72--85} + } + +@Article{Moriconi86a, + Key={Moriconi}, + Author={M. Moriconi and D.F. Hare}, + Journal={ACM Transactions on Programming Languages and Systems}, + Title={The {PegaSys} System: {Pictures} as Formal Documentation of Large Programs}, + Year={1986}, + Month=oct, + Pages={524--546}, + Volume={8}, + Number={4} + } + +@InProceedings{Moriconi86b, + Key={Moriconi}, + Author={M. 
Moriconi}, + Publisher={Springer-Verlag, Berlin, Lecture Notes in Computer Science}, + Title={{PegaSys} and the Role of Logic in Programming Environments}, + Year={1986}, + Month=jun, + Address={Trondheim, Norway}, + booktitle={Proceedings of the International Workshop on Advanced Programming Environments} + } + +@Article{Stevens74, + Key={Stevens}, + Author={W.P. Stevens and G.F. Myers and L.C. Constantine}, + Journal={IBM Systems Journal}, + Title={Structured Design}, + Year={1974}, + Volume={13}, + Number={2}, + Pages={115--139} + } + +@Article{Leveson86, + Author={N.G. Leveson}, Journal={ACM Computing Surveys}, + Title={Software Safety: {Why}, What, and How}, + Year={1986}, Volume={18}, Number={2}, Month=jun, Pages={125--163} +} + +@TechReport{IITRI, +Key={IITRI}, + Author={Anonymous}, + Title={{Ada} Verification System ({AVS}) Studies}, + Institution={IIT Research Institute}, + Year=1987, + Address={4550 Forbes Blvd., Suite 300, Lanham, Maryland 20706}, + Type={Draft Final Report}, + Month=feb, + Note={Prepared for: Defense Communications Engineering Center, 1860 +Wiehle Avenue, Reston, VA 22090-5500} +} + +@INPROCEEDINGS{MusserStepanov, + AUTHOR = {D.R. Musser and A.A. Stepanov}, + TITLE = {Generic Algorithms + Generic Data Structures = Reusable Software}, + BOOKTITLE = {Tenth Minnowbrook Workshop}, + YEAR = {1987} +} + +@BOOK{Booch, + AUTHOR = {G. Booch}, + TITLE = {Software Components in {Ada}}, + PUBLISHER = {Benjamin/Cummings}, + YEAR = {1987} +} + +@INPROCEEDINGS{Musser802, + AUTHOR = {D.R. 
Musser}, + TITLE = {On Proving Inductive Properties of Abstract Data Types}, + BOOKTITLE = {Seventh ACM Symposium on Principles of Programming Languages}, + YEAR = {1980}, + ADDRESS = {Las Vegas, NV}, + MONTH = Jan +} + +@INPROCEEDINGS{MOK87, +Author={Al Mok}, +Key={Mok}, +Year=1987, +Month=jul, +Title={Annotating {Ada} for Real Time Program Synthesis}, +BookTitle={Proceedings of the COMPASS 87}, +Organization={IEEE}, +Pages={63--66}} + +@Unpublished{MCHUGHMS, + Key={McHugh}, + Author={J. McHugh}, + Title={Structured Development and Constructive Proof of a Real Time +Data Acquisition System}, + Institution={University of Maryland at College Park}, + Year={1975}, + Location={University of Maryland, Computer Science Center Library}, + Note={M.S. Scholarly Paper, University of Maryland}} + +@TECHREPORT{Kemmerer:assess, + AUTHOR = {R.A. Kemmerer}, + TITLE = {Verification Assessment Study Final Report}, + INSTITUTION = {National Computer Security Center}, + YEAR = {1986}, + NUMBER = {C3-CR01-86}, + ADDRESS = {Ft. Meade, Maryland}, + NOTE = {5 Volumes. US distribution only} +} + +@manual{gypsy-methodology, + Author={ M.K. Smith and D.I. Good and B.L. DiVito}, + Key={Good}, + Title={Using the {Gypsy} Methodology: {DRAFT}, nov 1987}, + Year={1987}, + Organization={Computational Logic Inc.}} + +@manual{gypsy21, + Author={D.I. Good}, + Key={Good}, + Title={Revised Report on {Gypsy} 2.1: {DRAFT}, jul 1984}, + Year={1984}, + Organization={Institute for Computing Science, +The University of Texas at Austin}} + +@manual{gypsy205, + Author={D.I. Good and R.L. Akers and L.M. Smith}, + Key={Good}, + Title={Report on {Gypsy} 2.05: oct 1986}, + Year={1986}, + Organization={Computational Logic Inc.}} + +@TechReport{Bevier87, + AUTHOR = {W.R. Bevier}, + TITLE = {A Verified Operating System Kernel}, + Institution = {Ph.D. 
thesis, +Department of Computer Science, The University of Texas at Austin}, + YEAR = {1987} +} + +@MANUAL{KapurZhang, + TITLE = {{RRL}: A User's Manual}, + AUTHOR = {D. Kapur and H. Zhang}, + ORGANIZATION = {General Electric Corporate Research and Development}, + ADDRESS = {Schenectady, NY}, + MONTH = mar, + YEAR = {1986}, + NOTE = {Unpublished Manuscript} +} + +@ARTICLE{IOTA, + AUTHOR = {T. Yuasa and R. Nakajima}, + TITLE = {{IOTA}: A Modular Programming System}, + JOURNAL = {IEEE Transactions on Software Engineering}, + YEAR = {1985}, + VOLUME = {SE-11}, + NUMBER = {2}, + PAGES = {179--187}, + MONTH = feb +} + +@BOOK{ANNA, + AUTHOR = {David C. Luckham and Friedrich W. von Henke and Bernd Krieg-Br\"{u}ckner and Olaf Owe}, + TITLE = {{ANNA} A Language for Annotating {Ada} Programs}, + PUBLISHER = {Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Vol 260}, + YEAR = {1987} } + +@BOOK{IOTA-book, + EDITOR = {R. Nakajima and T. Yuasa}, + TITLE = {The {IOTA} Programming System}, + PUBLISHER = {Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Vol 160}, + YEAR = {1982} } + +@TECHREPORT{Gerhart:overview, + AUTHOR = {Susan L. Gerhart}, + TITLE = {Design Technology Assessment: Overview}, + INSTITUTION = {MCC}, + YEAR = {1986}, + NUMBER = {STP-078-86}, + ADDRESS = {Austin, TX}, + MONTH = feb +} + +@TECHREPORT{Harel:statecharts, + AUTHOR = {David Harel}, + TITLE = {Statecharts: a Visual Approach to Complex Systems}, + INSTITUTION = {MCC}, + YEAR = {1986}, + ADDRESS = {Austin, TX}, + MONTH = feb +} + + +@TECHREPORT{statecharts, + AUTHOR = {G.R. Burns and S.L. Gerhart and I. Forman and M. Graf}, + TITLE = {Design Technology Assessment: The Statecharts Approach}, + INSTITUTION = {MCC}, + YEAR = {1986}, + NUMBER = {STP-107-86}, + ADDRESS = {Austin, TX}, + MONTH = mar +} + +@ARTICLE{Clarke86, + AUTHOR = {E.M. Clarke and E.A. Emerson and A.P. 
Sistla}, + TITLE = {Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications}, + JOURNAL = {ACM Transactions on Programming Languages and Systems}, + YEAR = {1986}, + VOLUME = {8}, + NUMBER = {2}, + PAGES = {244--263}, + MONTH = apr +} + +@TECHREPORT{siftproof, + AUTHOR = {L. Moser and P.M. Melliar-Smith and R. Schwartz}, + TITLE = {Design Verification of {SIFT}}, + MONTH = sep, + YEAR = {1987}, + INSTITUTION = {NASA Langley Research Center}, + TYPE = {Contractor Report}, + NUMBER = 4097, + ADDRESS = {Hampton, Virginia} +} + +@ARTICLE{Church:types, + AUTHOR = {A. Church}, + TITLE = {A Formulation of the Simple Theory of Types}, + JOURNAL = {Journal of Symbolic Logic}, + YEAR = {1940}, + VOLUME = {5} } + +@inproceedings{metavcg, +author = {M. Moriconi and R.L. Schwartz}, +title = {Automatic Construction of Verification Condition + Generators from {Hoare} Logics}, +booktitle = {Proceedings of the Eighth International Colloquium on + Automata, Languages, and Programming}, +address = {Acre (Akko), Israel}, +pages = {363--377}, +month = jul, +publisher = {Springer-Verlag, Berlin, + Lecture Notes in Computer Science, No. 115}, +year = 1981 } + +@article{moriconi:dva, +author = {M. Moriconi}, +title = {A designer/verifier's assistant}, +journal = {ieeese}, +volume = {SE-5}, +number = 4, +month = jul, +year = {1979}, +pages = {387--401}, +note = {Reprinted in {\it Artificial Intelligence and Software +Engineering}, edited by C.\ Rich and R.\ Waters, Morgan Kaufmann +Publishers, Inc., 1986. Also reprinted in {\it Tutorial on +Software Maintenance}, edited by G.\ Parikh and N.\ Zvegintzov, +IEEE Computer Society Press, 1983.} } + +@phdthesis{moriconi:thesis, +author = {M. 
Moriconi}, +title = {A system for incrementally designing and verifying programs}, +school = {Computer Science Department, + The University of Texas at Austin}, +month = dec, +year = 1977, +note = {Also Technical Report CSL--73 and CSL--74, + Computer Science Laboratory, SRI International, + and Technical Reports ISI/RR--77--64 and + ISI/RR--77--66, USC/Information Sciences Institute} } + +@ARTICLE{MoriconiWinkler90, +Author={M. Moriconi and T.C. Winkler}, +TITLE = {Approximate Reasoning About the Semantic Effects of Program Changes}, +JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1990}, VOLUME = {16}, +NUMBER = {9}, PAGES = {990-1004}, MONTH = sep } + +@manual{Ada83, + key={DoD}, + title={Reference Manual for the {Ada} Programming Language}, + month=jan, + year=1983, + organization={United States Department of Defense}, + note={ANSI/MIL-STD-1815 A}} + +@ARTICLE{Barringer+Mearns, + AUTHOR = {H. Barringer and I. Mearns}, + TITLE = {Axioms and Proof Rules for {Ada} Tasks}, + JOURNAL = {IEE Proceedings}, + YEAR = {1982}, + VOLUME = {129}, + NUMBER = {Part E, Number 2}, + MONTH = Mar +} + +@MASTERSTHESIS{Mearns, + AUTHOR = {I. Mearns}, + TITLE = {A Message-Based Run-Time System and proof Rules for {Ada} Tasks}, + SCHOOL = {Department of Computer Science, University of Manchester}, + YEAR = {1981}, + MONTH = Oct +} + +@TECHREPORT{Ada:libraries, + AUTHOR = {J.A. Goguen and K.N. Levitt}, + TITLE = {Report on {Ada} Program Libraries Workshop}, + INSTITUTION={Computer Science Laboratory, SRI International}, + YEAR = {1983}, + TYPE = {Report for SRI Project 6186}, + ADDRESS = {Menlo Park, California}, + MONTH = nov +} + +@ARTICLE{Goguen:LIL, + AUTHOR = {J.A. Goguen}, + TITLE = {Reusing and Interconnecting Software Components}, + JOURNAL = {Computer}, + YEAR = {1986}, + VOLUME = {19}, + NUMBER = {2}, + PAGES = {16--28}, + MONTH = feb +} + +@InProceedings{McCullough87, + Author={D. 
McCullough}, + BookTitle={Proceedings of the 1987 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Specifications for Multi-Level Security and a Hook-Up Property}, + Year={1987}, + Address={Oakland, California}, + Month=apr, + Pages={161--166} +} + +@InProceedings{McCullough88, + Author={D. McCullough}, + BookTitle={Proceedings of the 1988 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Noninterference and Composability of Security Properties}, + Year={1988}, Address={Oakland, California}, Month=apr, Pages={177--186} } + +@TechReport{McCullough88b, +author = {D. McCullough}, key = {McCullough}, +title = {Ulysses Security Properties Modeling Environment: The Theory of Security}, +institution = {Odyssey Research Associates}, +year = {1988}, address = {Ithaca, New York}, MONTH = jul } + +@inproceedings{Wong+89, +author={R. Wong and M. Chacko and E. Ding and B. Kahn +and N.E. Proctor and J. Sebes and R. Varadarajan}, title={The {SDOS} System: {A} +{S}ecure {D}istributed {O}perating {S}ystem Prototype}, +booktitle={Proceedings of the Twelfth National Computer Security Conference}, +address={Baltimore, Maryland}, +month=oct, pages={172-183}, year=1989 } + +@TechReport{SDOS89-SDD, +author = {{ORA Corp.}}, key = {ORA}, +title = {Software Design Document for the (THETA) Experimental Secure Distributed +Operating System Development (8 volumes)}, +institution = {Odyssey Research Associates}, +year = {1989}, address = {Ithaca, New York}, MONTH = {30 December} } + +@TechReport{SDOS89-FSM, +author = {{ORA Corp.}}, key = {ORA}, +title = {Formal Security Model +for the Experimental Secure Distributed Operating System Development}, +institution = {Odyssey Research Associates}, +year = {1989}, address = {Ithaca, New York}, MONTH = {7 October} } + +@TechReport{THETA91-SRS, +author = {{ORA Corp.}}, key = {ORA08}, +title = {Software Requirements Specification +for the {(THETA)} {E}xperimental {S}ecure 
{D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York}, +day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A008.} } + +@TechReport{THETA91-FSM, +author = {{ORA Corp.}}, key = {ORA09}, +title = {Formal security model specification +for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York}, +day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A009.} } + +@TechReport{THETA91-SPM, +author = {{ORA Corp.}}, key = {ORA10}, +title = {Software programmer's manual +for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York}, +day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A010.} } + +@TechReport{THETA91-SDD, +author = {{ORA Corp.}}, key = {ORA11}, +title = {Software Design Document for the +{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development}, +institution = {ORA Corporation}, +year = {1991}, address = {Ithaca, New York}, day={15}, month=jul, +Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A011: Volume I, Part I, Volume II, Parts II-VIII.} } + +@TechReport{THETA91-SDDI, +author = {{ORA Corp.}}, key = {ORA11a}, +title = {Software Design Document for the +{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development}, +institution = {ORA Corporation}, +year = {1991}, address = {Ithaca, New York}, day={15}, month=jul, +Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A011: Volume I, Part I.} } + +@TechReport{THETA91-SDDII, +author = {{ORA Corp.}}, key = {ORA11b}, +title = {Software Design Document for the +{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development}, +institution = {ORA Corporation}, +year = {1991}, address = 
{Ithaca, New York}, day={15}, month=jul, +Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A011: Volume II, Parts II-VIII.} } + +@TechReport{THETA91-DP, +author = {{ORA Corp.}}, key = {ORA16}, +title = {Demonstration Plan +for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York}, +day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A016.} } + +@TechReport{THETA91-SUM, +author = {{ORA Corp.}}, key = {ORA17}, +title = {Software user's manual +for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York}, +day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146, +CDRL A017.} } + +@TechReport{THETA91-FIN, +author = {{ORA Corp.}}, key = {ORA21}, +title = {Final Report for the +{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem +Development}, institution = {ORA Corporation},year = {1991}, +address = {Ithaca, New York}, day={15}, month=jul, +Note ={Rome Laboratory Contract F30602-88-C-0146, CDRL A021.} } + +@inproceedings{McEnerney90, +author={J.R. McEnerney and D.G. Weber and R. Brown}, +title={Automated Extensibility in {THETA}}, +booktitle={Proceedings of the Thirteenth National Computer Security Conference}, +address={Washington, D.C.}, +month=oct, pages={144--153}, year=1990 } + +@InProceedings{Jacob88, + Author={Jeremy Jacob}, + BookTitle={Proceedings of the 1988 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Security Specifications}, + Year={1988}, + Address={Oakland, California}, + Month=apr, + Pages={14--23} +} + +@InProceedings{Gligor83, + Key={Gligor}, Author={V.D. 
Gligor}, + BookTitle={Proceedings of the 1983 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={A Note on the Denial-of-Service Problem}, + Address="Oakland, California", Year={1983}, Month=apr, pages={139-149} } + +@InProceedings{Yu88, +Key={Yu}, Author={C.-F. Yu and V.D. Gligor}, +Title={A Formal Specification and Verification Method for the Prevention of Denial of Service}, +BookTitle={Proceedings of the 1988 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, +Address="Oakland, California", Year={1988}, Month=apr, pages={187-202}, +Note={Also in {\it IEEE Transactions on Software +Engineering,} SE-16, 12, June 1990, 581--592)} + } + +@InProceedings{Glasgow+MacEwan88, Author={Janice I. Glasgow and Glenn + H. MacEwan}, BookTitle={Proceedings of the 1988 Symposium on + Security and Privacy}, Organization={IEEE Computer Society}, + Title={Reasoning about Knowledge in Multilevel Secure Distributed + Systems}, Year={1988}, Address={Oakland, California}, + Month=apr, Pages={122--128} } + +@ARTICLE{Glasgow+MacEwan87, + AUTHOR = {Janice I. Glasgow and Glenn H. MacEwan}, + TITLE = {The Development and Proof of a Formal Specification for a Multi-Level Secure System}, + JOURNAL = {tocs}, + YEAR = {1987}, + VOLUME = {5}, + NUMBER = {2}, + PAGES = {151--184}, + MONTH = may +} + +@TECHREPORT{Rushby:Calculus, + AUTHOR = {J.M. Rushby}, + TITLE = {Security Policies for Distributed Systems: A Model and Calculus}, + INSTITUTION = {Computer Science Laboratory, SRI International}, + YEAR = {1987}, + ADDRESS = {Menlo Park, California}, + MONTH = may, + NOTE = {(Draft)} +} + +@INPROCEEDINGS{Rushby:safety-original, + AUTHOR = {J.M. Rushby}, + TITLE = {Kernels for Safety?}, + BOOKTITLE = {Proceedings of the Safety and Security Symposium}, + YEAR = {1986}, + ORGANIZATION = {Centre for Software Reliability}, + ADDRESS = {Glasgow, Scotland}, + MONTH = oct +} + + +@INCOLLECTION{Rushby:safety, + AUTHOR = {J.M. 
Rushby}, + TITLE = {Kernels for Safety?}, + BOOKTITLE = {Safe and Secure Computing Systems}, + PUBLISHER = {Blackwell Scientific Publications}, + YEAR = {1989}, + EDITOR = {T. Anderson}, + CHAPTER = {13}, + PAGES = {210--220}, + NOTE = {Proceedings of a Symposium held in Glasgow, October 1986} +} + +@INCOLLECTION{Rushby:networks, + AUTHOR = {J.M. Rushby}, + TITLE = {Networks are Systems}, + BOOKTITLE = {Tutorial: Computer and Network Security}, + PUBLISHER = {IEEE Computer Society Press}, + YEAR = {1986}, + EDITOR = {Marshall D. Abrams and Harold J. Podell}, + PAGES = {300--316} +} + +@MANUAL{DRC:SDI, + TITLE = {Distributed Systems Technology Assessment for {SDI}}, + ORGANIZATION = {Dynamics Research Corporation}, + ADDRESS = {Wilmington, Massachusetts}, + MONTH = sep, + YEAR = {1986}, + NOTE = {Final Report to Rome Air Development Center, TEMS Task 0029, Contract F19628-84-D-0016} +} + +@ARTICLE{Schlichting+Schneider, + AUTHOR = {R.D. Schlichting and F.B. Schneider}, + TITLE = {Fail-Stop Processors: an approach to designing fault-tolerant computing systems}, + JOURNAL = {tocs}, + YEAR = {1983}, + VOLUME = {1}, + NUMBER = {3}, + PAGES = {222--238}, + MONTH = apr +} + +@INPROCEEDINGS{Butler:FTCS, + AUTHOR = {R.W. Butler and D.L. Palumbo and S.C. Johnson}, + TITLE = {Application of a Clock Synchronization Validation +Methodology to the {SIFT} Computer System}, + BOOKTITLE={Digest of Papers, FTCS 15}, + ADDRESS={Ann Arbor, Michigan}, + ORGANIZATION={IEEE Computer Society}, + PAGES = {194--199}, + MONTH=jun, + YEAR={1985}} + +@TECHREPORT{Butler:clock-survey, + AUTHOR = {R.W. Butler}, + TITLE = {A Survey of Provably Correct Fault-Tolerant Clock +Synchronization Techniques}, + YEAR = {1988}, + INSTITUTION = {NASA Langley Research Center}, + NUMBER ={TM-100553}, + MONTH = feb +} + +@INPROCEEDINGS{Dolev:possible, + AUTHOR = {D. Dolev and J.Y. Halpern and H.R. 
Strong}, + TITLE = {On the Possibility and Impossibility of Achieving Clock Synchronization}, + BOOKTITLE = {Proceedings of the Sixteenth Annual {ACM} Symposium on Theory of Computing}, + YEAR = {1984}, + PAGES = {504--511}, + ADDRESS = {Washington, D.C.}, + MONTH = apr +} + +@ARTICLE{Panzieri:Rajdoot, + AUTHOR = {F. Panzieri and S.K. Shrivastava}, + TITLE = {{Rajdoot}: a remote procedure call mechanism supporting orphan +detection and killing}, + JOURNAL = {IEEE Transactions on Software Engineering}, + YEAR = {1988}, + VOLUME = {SE-14}, + NUMBER = {1}, + PAGES = {30--37}, + MONTH = jan +} + +@MISC{OSCAR, + AUTHOR = {A.R. Downing and I.B. Greenberg and J.M. Peha}, + TITLE = {A Log-Based Replication and Consistency Scheme}, + HOWPUBLISHED = {Submitted for publication}, + MONTH = may, + YEAR = {1988} +} + +@INPROCEEDINGS{Cristian:delta, + AUTHOR = {Flaviu Cristian and Houtan Aghili and Ray Strong and Danny Dolev}, + TITLE = {Atomic Broadcast: from simple Message Diffusion to {Byzantine} Agreement}, + BOOKTITLE={Digest of Papers, FTCS 15}, + ADDRESS={Ann Arbor, Michigan}, + ORGANIZATION={IEEE Computer Society}, + PAGES = {200--206}, + MONTH=jun, + YEAR={1985}} + +@TECHREPORT{Cristian:membership, + AUTHOR = {Flaviu Cristian}, + TITLE = {Reaching Agreement on Processor Group Membership in Synchronous Distributed Systems}, + INSTITUTION = {IBM Almaden Research Center}, + YEAR = {1988}, + TYPE = {Research Report}, + NUMBER = {RJ 5964}, + ADDRESS = {San Jose, California}, + MONTH = mar +} + +@TECHREPORT{Cristian:issues, + AUTHOR = {Flaviu Cristian}, + TITLE = {Issues in the Design of Highly Available Computing Systems}, + INSTITUTION = {IBM Almaden Research Center}, + YEAR = {1987}, + TYPE = {Research Report}, + NUMBER = {RJ 5856}, + ADDRESS = {San Jose, California}, + MONTH = oct +} + +@INPROCEEDINGS{Cristian:presence, + AUTHOR = {Flaviu Cristian}, + TITLE = {Agreeing on who is Present and who is Absent in a Synchronous Distributed System}, + BOOKTITLE = {Digest of 
Papers, FTCS 18}, + YEAR = {1988}, + PAGES = {206--211}, + ORGANIZATION = {IEEE Computer Society}, + ADDRESS = {Tokyo, Japan}, + MONTH = jun +} + +@INPROCEEDINGS{Strom:volatile, + AUTHOR = {Robert E. Strom and David F. Bacon and Shaula A. Yemini}, + TITLE = {Volatile Logging in N-Fault-Tolerant Distributed Systems}, + BOOKTITLE = {Digest of Papers, FTCS 18}, + YEAR = {1988}, + PAGES = {44--49}, + ORGANIZATION = {IEEE Computer Society}, + ADDRESS = {Tokyo, Japan}, + MONTH = jun +} + +@ARTICLE{Birman:comms, + AUTHOR = {K.P. Birman and T.A. Joseph}, + TITLE = {Reliable Communication in the Presence of Failures}, + JOURNAL = {tocs}, + YEAR = {1987}, + VOLUME = {5}, + NUMBER = {1}, + PAGES = {47--76}, + MONTH = feb +} + +@ARTICLE{Strom:optimistic, + AUTHOR = {Robert E. Strom and Shaula Yemini}, + TITLE = {Optimistic Recovery in Distributed Systems}, + JOURNAL = {tocs}, + YEAR = {1988}, + VOLUME = {3}, + NUMBER = {3}, + PAGES = {204--226}, + MONTH = aug +} + +@TECHREPORT{Randell:duality, + AUTHOR = {S.K. Shrivastava and L.V. Mancini and B. Randell}, + TITLE = {On the Duality of Fault Tolerant System Structures}, + INSTITUTION = {Computing Laboratory, University of Newcastle upon Tyne}, + YEAR = {1987}, + NUMBER = {248}, + ADDRESS = {Newcastle upon Tyne, U.K.}, + MONTH = nov +} + +@ARTICLE{Randell:structure, + AUTHOR = {B. Randell}, + TITLE = {System Design and Structuring}, + JOURNAL = {Computer Journal}, + YEAR = {1986}, + VOLUME = {29}, + NUMBER = {4}, + PAGES = {300--306} +} + +@INPROCEEDINGS{Laprie:dependability, + AUTHOR = {J.-C. Laprie}, + TITLE = {Dependable Computing and Fault Tolerance: Concepts and Terminology}, + BOOKTITLE={Digest of Papers, FTCS 15}, + ADDRESS={Ann Arbor, Michigan}, + ORGANIZATION={IEEE Computer Society}, + PAGES = {2--11}, + MONTH=jun, + YEAR={1985}} + +@ARTICLE{Leveson+Knight86, +Author={J.C. Knight and N.G. 
Leveson},
+TITLE = {An Experimental Evaluation of the Assumption
+of Independence in Multi-Version Programming},
+JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {1986}, VOLUME = {SE-12},
+NUMBER = {1}, PAGES = {96-109}, MONTH = jan }
+
+@INPROCEEDINGS{Knight+Leveson:Vienna,
+ AUTHOR = {J.C. Knight and N.G. Leveson},
+ TITLE = {An Empirical Study of Failure Probabilities in Multi-Version Software},
+ BOOKTITLE={Digest of Papers, FTCS 16},
+ ADDRESS={Vienna, Austria},
+ ORGANIZATION={IEEE Computer Society},
+ PAGES = {165--170},
+ MONTH=jul,
+ YEAR={1986}}
+
+@ARTICLE{Brilliant89,
+Author={S. Brilliant and J.C. Knight and N.G. Leveson},
+TITLE = {The Consistent Comparison Problem in N-Version Programming},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1989},
+VOLUME = {SE-15}, NUMBER = {11}, PAGES = {}, MONTH = nov }
+
+@ARTICLE{Brilliant90,
+Author={S.S. Brilliant and J.C. Knight and N.G. Leveson},
+TITLE = {Analysis of Faults in an N-Version Software Experiment},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1990},
+VOLUME = {16}, NUMBER = {2}, PAGES = {238-247}, MONTH = feb }
+
+@ARTICLE{ShimeallLeveson91,
+Author={T.J. Shimeall and N.G. Leveson},
+TITLE = {An Empirical Comparison of Software Fault
+Tolerance and Fault Elimination},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1991},
+VOLUME = {SE-17}, NUMBER = {2}, PAGES = {173-183}, MONTH = feb }
+
+@ARTICLE{Leveson+90,
+Author={N.G. Leveson and S.S. Cha and J.C. Knight and T.J. Shimeall},
+TITLE = {The Use of Self Checks and Voting in Software Error Detections:
+An Empirical Study}, JOURNAL = {IEEE Transactions on Software Engineering},
+YEAR = {1990}, VOLUME = {SE-16},
+NUMBER = {4}, PAGES = {}, MONTH = apr }
+
+@ARTICLE{Leveson91Safety,
+Author={N.G.
Leveson},
+TITLE = {Software Safety in Embedded Computer Systems},
+JOURNAL = {Communications of the ACM},
+YEAR = {1991}, VOLUME = {34},
+NUMBER = {2}, PAGES = {}, MONTH = feb }
+
+@ARTICLE{Therac92,
+author={N.G. Leveson and C. Turner},
+Title={An Investigation of the {Therac-25} Accidents},
+Journal={Computer}, pages ={18--41}, month =jul, Year=1993 }
+
+@ARTICLE{Leveson91Ada,
+Author={N.G. Leveson and S.S. Cha and T.J. Shimeall},
+TITLE = {Safety Verification of {Ada} Programs using Software Fault Trees},
+JOURNAL = {IEEE Software}, YEAR = {1991}, VOLUME = {8},
+NUMBER = {7}, PAGES = {}, MONTH = jul }
+
+@book{Leveson95,
+Author={N.G. Leveson},
+Title={Safeware: System Safety and Computers},
+Publisher={Addison-Wesley, Reading, Massachusetts},
+Year={1995} }
+
+@InProceedings{Leveson00,
+Author = "N.G. Leveson",
+Title = "Using {COTS} Components in Safety-Critical Systems",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@ARTICLE{Leveson04,
+Author={N.G. Leveson}, TITLE = {A New Accident Model for Engineering
+ Safer Systems},
+JOURNAL = {Safety Science (Elsevier)}, YEAR = {2004}, VOLUME = {42},
+NUMBER = {4}, PAGES = {237--270}, MONTH = apr }
+
+@ARTICLE{Leveson05,
+Author={N.G. Leveson}, TITLE = {A Systems-Theoretic Approach to
+ Safety in Software-Intensive Systems},
+JOURNAL = {IEEE Trans. on Dependable and Secure Computing},
+YEAR = {2005}, VOLUME = {1},
+NUMBER = {1}, PAGES = {}, MONTH = jan }
+
+@book{Oster92,
+Author={C.V. Oster and J.S. Strong and C.K. Zorn},
+Title={Why Airplanes Crash: Aviation Safety in a Changing World},
+Publisher={Oxford University Press, New York},
+Year={1992} }
+
+@book{Nader94,
+Author={R. Nader and W.J.
Smith},
+Title={Collision Course: The Truth About Airline Safety},
+Publisher={TAB Books, McGraw-Hill, Blue Ridge Summit, Pennsylvania},
+Year={1994} }
+
+@book{Peterson94,
+Author={I. Peterson},
+Title={Fatal Defect: Chasing Killer Computer Bugs},
+Publisher={Times Books (Random House), New York},
+Year={1995} }
+
+@InProceedings{EHDM:Overview88,
+ Key = {vonHenke},
+ Author = {F.W. von Henke and J.S. Crow and R. Lee and J.M. Rushby and
+ R.A. Whitehurst},
+ Booktitle = {Proceedings of the Eleventh National Computer Security Conference},
+ Organization = {NBS/NCSC},
+ Address = {Baltimore, Maryland},
+ Title = {The {EHDM} Verification Environment: An Overview},
+ pages={147--155},
+ Year = {1988},
+ Month = oct }
+
+@INPROCEEDINGS{Stickel:PTTP-conf,
+ AUTHOR = {M.E. Stickel},
+ TITLE = {A {Prolog} Technology Theorem Prover},
+ BOOKTITLE = {Proceedings of the Eighth International Conference on Automated Deduction},
+ YEAR = {1986},
+ PAGES = {573--587},
+ ADDRESS = {Oxford, England},
+ MONTH = jul
+}
+
+@BOOK{Manna+Waldinger85,
+ AUTHOR = {Zohar Manna and Richard Waldinger},
+ TITLE = {The Logical Basis for Computer Programming},
+ PUBLISHER = {Addison-Wesley, Reading, Massachusetts},
+ YEAR = {1985},
+ VOLUME = {1}
+}
+
+@BOOK{Manna+Waldinger88,
+ AUTHOR = {Zohar Manna and Richard Waldinger},
+ TITLE = {The Logical Basis for Computer Programming},
+ PUBLISHER = {Addison-Wesley, Reading, Massachusetts},
+ YEAR = {1988},
+ VOLUME = {2}
+}
+
+
+@book{Shoenfield,
+ Author={Jospeh R. Shoenfield},
+ Title={Mathematical Logic},
+ Publisher={Addison-Wesley},
+ Address={Reading, Massachusetts},
+ Year={1967}}
+
+@BOOK{Andrews:book,
+ AUTHOR = {Peter B.
Andrews},
+ TITLE = {An Introduction to Logic and Type Theory: To Truth through Proof},
+ PUBLISHER = {Academic Press, New York},
+ YEAR = {1986}
+}
+
+@MANUAL{Gnu,
+ TITLE = {{GNU Emacs} Manual},
+ AUTHOR = {Richard Stallman},
+ ORGANIZATION = {Free Software Foundation},
+ ADDRESS = {1000 Massachusetts Ave., Cambridge, Massachusetts},
+ EDITION = {Fourth},
+ MONTH = feb,
+ YEAR = {1986}
+}
+
+@MANUAL{Rushby:sqa:part1,
+ TITLE = {Measures and Techniques for Software Quality Assurance},
+ AUTHOR = {J.M. Rushby},
+ ORGANIZATION = {Computer Science Laboratory, SRI International},
+ ADDRESS = {333 Ravenswood Ave., Menlo Park, California},
+ MONTH = sep,
+ YEAR = {1988}
+}
+
+@Article{Hoare:69,
+ Author = {C.A.R. Hoare},
+ Title = {An axiomatic basis of computer programming},
+ Journal = {Communications of the ACM},
+ Year = {1969},
+ Volume = {12},
+ Number = {10},
+ Pages = {576--580},
+ Month = oct }
+
+@ARTICLE{Yadav88,
+ AUTHOR = {Surya B. Yadav and Ralph R. Bravocco and Akemi T. Chatfield and T.M. Rajkumar},
+ TITLE = {Comparison of Analysis Techniques for Information Requirement Determination},
+ JOURNAL = {Communications of the ACM},
+ YEAR = {1988},
+ VOLUME = {31},
+ NUMBER = {9},
+ PAGES = {1090--1097},
+ MONTH = sep
+}
+
+@ARTICLE{Davis88,
+ AUTHOR = {Alan M. Davis},
+ TITLE = {A Comparison of Techniques for the Specification of External System Behavior},
+ JOURNAL = {Communications of the ACM},
+ YEAR = {1988},
+ VOLUME = {31},
+ NUMBER = {9},
+ PAGES = {1098--1115},
+ MONTH = sep
+}
+
+@ARTICLE{Johnson+Thayer88,
+ AUTHOR = {Dale M. Johnson and F. Javier Thayer},
+ TITLE = {Stating Security Requirements with Tolerable Sets},
+ JOURNAL = {tocs},
+ YEAR = {1988},
+ VOLUME = {6},
+ NUMBER = {3},
+ PAGES = {284--295},
+ MONTH = aug
+}
+
+@InProceedings{Millen84,
+ Author={Jonathan K.
Millen},
+ BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
+ Organization={IEEE Computer Society},
+ Address={Oakland, California},
+ Title={The {Interrogator}: A Tool for Cryptographic Protocol Security},
+ Year={1984},
+ Pages={134--141},
+ Month=apr
+ }
+
+@INPROCEEDINGS{Lu+Sundareshan86,
+ AUTHOR = {W.P. Lu and M.K. Sundareshan},
+ TITLE = {A Hierarchical Key Management Scheme for End-to-End Encryption in {Internet} Environments},
+ BOOKTITLE={Proceedings of the 1986 Symposium on Security and Privacy},
+ YEAR = {1986},
+ PAGES = {138--147},
+ ORGANIZATION = {IEEE Computer Society}
+}
+
+@ARTICLE{Kasami82,
+ AUTHOR = {Tadao Kasami and Saburo Yamamura and Kenichi Mori},
+ TITLE = {A Key Management Scheme for End-to-End Encryption and a Formal Verification of its Security},
+ JOURNAL = {Systems Computers Controls},
+ YEAR = {1982},
+ VOLUME = {13},
+ NUMBER = {3},
+ PAGES = {59--69}
+}
+
+@INPROCEEDINGS{Sidhu+Leung,
+ AUTHOR = {Deepinder Sidhu and Ting-kau Leung},
+ TITLE = {Experience with Test Generation for Real Protocols},
+ BOOKTITLE = {SIGCOMM '88 Symposium},
+ YEAR = {1988},
+ PAGES = {257--261},
+ ORGANIZATION = {ACM SIGCOMM},
+ ADDRESS = {Stanford, California},
+ MONTH = aug,
+ NOTE = {(Computer Communication Review, vol. 18, No. 4, August 88)}
+}
+
+@TECHREPORT{Schneider:understanding,
+ AUTHOR = {F.B. Schneider},
+ TITLE = {Understanding Protocols for {Byzantine} Clock Synchronization},
+ INSTITUTION = {Department of Computer Science, Cornell University},
+ YEAR = {1987},
+ NUMBER = {87-859},
+ ADDRESS = {Ithaca, New York},
+ MONTH = aug
+}
+
+@TECHREPORT{Lamport:servers,
+ AUTHOR = {Leslie Lamport},
+ TITLE = {Synchronizing Time Servers},
+ INSTITUTION = {DEC Systems Research Center},
+ YEAR = {1987},
+ NUMBER = {18},
+ ADDRESS = {Palo Alto, California},
+ MONTH = jun
+}
+
+@Article{Lampson+91,
+Author = {B. Lampson and M. Abadi and M. Burrows and E.
Wobber},
+Title = {Authentication in Distributed Systems: Theory and Practice},
+Journal = {ACM Operating Systems Review},
+Note = {Proceedings of the Thirteenth ACM Symposium on Operating Systems Principles},
+Organization = {ACM},
+Year = {1991}, volume = {25}, number = {5},
+Pages={165-182}, Month = oct }
+
+@Article{Lampson+92,
+Author = {B. Lampson and M. Abadi and M. Burrows and E. Wobber},
+Title = {Authentication in Distributed Systems: Theory and Practice},
+Journal = {ACM Transactions on Computer Systems},
+Year = {1992}, volume = {10}, number = {4},
+Pages={265-310}, Month = nov }
+
+@Article{Wobber+93,
+Author = {E. Wobber and M. Abadi and M. Burrows and B. Lampson},
+Title = {Authentication in the {Taos} Operating System},
+Journal = {ACM Operating Systems Review},
+Note = {Proceedings of the Fourteenth ACM Symposium on Operating Systems
+ Principles}, Organization = {ACM},
+Year = {1993}, volume = {27}, number = {5},
+Pages={256-269}, Month = dec }
+
+@TECHREPORT{Abadi+91,
+ AUTHOR = {M. Abadi and M. Burrows and B. Lampson and G. Plotkin},
+ TITLE = {A Calculus for Access Control in Distributed Systems},
+ INSTITUTION = {DEC Systems Research Center},
+ MONTH = {28 February},
+ YEAR = {1991},
+ NUMBER = {70},
+ ADDRESS = {Palo Alto, California}
+}
+
+@Article{Mitchell:1988:ATE,
+ author = "J.C. Mitchell and G.D. Plotkin",
+ title = "Abstract Types Have Existential Type",
+ journal = "ACM Transactions on Programming Languages and Systems",
+ volume = "10",
+ number = "3",
+ pages = "470--502",
+ month = jul,
+ year = "1988"
+}
+
+@Article{BAN90,
+ Key={Burrows},
+ Author={M. Burrows and M. Abadi and R. Needham},
+ Journal={ACM Transactions on Computer Systems},
+ Title={A Logic of Authentication},
+ Year={1990}, Month=feb, Pages={18-36}, Volume={8}, Number={1} }
+
+@TechReport{AbadiNeedham94,
+ Author={M. Abadi and R.
Needham},
+ Institution={Digital Equipment Corporation, SRC Research Report},
+ Title={Prudent Engineering Practice for Cryptographic Protocols},
+ Address = {Palo Alto, California},
+ Year={1994}, Month=jun }
+
+@TechReport{AbadiGordon98,
+ Author={M. Abadi and A.D. Gordon},
+ Institution={Digital Equipment Corporation, SRC Research Report 149},
+ Title={A Calculus for Cryptographic Protocols: The {Spi} Calculus},
+ Address = {Palo Alto, California},
+ Year={1998}, Month=jan }
+
+@InProceedings{Abadi+99,
+ Author={M. Abadi and A. Banerjee and N. Heintze and J.G. Riecke},
+ BookTitle={POPL '99, Proceedings of the 26th SIGPLAN-SIGACT Symposium
+ on Principles of Programming Languages},
+ Title={A Core Calculus of Dependency},
+ Year={1999},
+ Address={San Antonio, Texas},
+ Month={January 20-22},
+ Pages={147--160}
+ }
+
+@TechReport{AbadiLeino98,
+ Author={M. Abadi and K.R.M. Leino},
+ Institution={Compaq Systems Research Center, SRC Research Report 161},
+ Title={A Logic of Object-Oriented Programs},
+ Address = {Palo Alto, California},
+ Year={1998}, Month=sep }
+
+@InProceedings{Abadi94
+ ,Author={M. Abadi and R.M. Needham}
+ ,BookTitle={Proceedings of the IEEE Symposium on Research in Security and Privacy}
+ ,Address={Oakland, California}
+ ,Title={Prudent Engineering Practice for Cryptographic Protocols}
+ ,Year={1994}
+ ,Month=may
+ ,Pages={122--136}
+ }
+
+@Article{AbadiNeedham96,
+ Author={M. Abadi and R. Needham},
+ Journal={IEEE Transactions on Software Engineering},
+ Title={Prudent Engineering Practice for Cryptographic Protocols},
+ Year={1996}, Month=jan, Pages={6--15}, Volume={22}, Number={1} }
+
+@InProceedings{Simmons85,
+ Key={Simmons}, Author={G.E.
Simmons},
+ BookTitle={Proceedings of the 1985 Symposium on Security and Privacy},
+ Organization={IEEE Computer Society},
+ Title={How to (Selectively) Broadcast a Secret},
+ Year={1985}, Address={Oakland, California}, Month=apr, Pages={108-113}
+ }
+
+@TECHREPORT{Cristian:probabilistic,
+ AUTHOR = {F. Cristian},
+ TITLE = {Probabilistic Clock Synchronization},
+ INSTITUTION = {IBM Almaden Research Center},
+ YEAR = {1988},
+ NUMBER = {RJ 6432},
+ ADDRESS = {San Jose, California},
+ MONTH = sep
+}
+
+@INPROCEEDINGS{Cristian:prob,
+ AUTHOR = {F. Cristian},
+ TITLE = {A probabilistic approach to distributed clock synchronization},
+ BOOKTITLE={Proceedings of the Ninth International Conference on
+Distributed Computing Systems},
+ YEAR = {1989},
+ PAGES = {288-296},
+ ORGANIZATION = {IEEE Computer Society}
+}
+
+@ARTICLE{Cristian:servers,
+Author={F. Cristian}, TITLE={Understanding fault-tolerant distributed systems},
+JOURNAL = {Communications of the ACM}, YEAR = {1991}, VOLUME = {34},
+NUMBER = {2}, PAGES = {56-78}, MONTH = feb }
+
+@BOOK{Lakatos,
+ AUTHOR = {Imre Lakatos},
+ TITLE = {Proofs and Refutations},
+ PUBLISHER = {Cambridge University Press},
+ YEAR = {1976},
+ ADDRESS = {Cambridge, England}
+}
+
+@Article{Fetzer,
+ Author = {James H. Fetzer},
+ Title = {Program Verification: the Very Idea},
+ Journal = {Communications of the ACM},
+ Year = {1988},
+ Volume = {31},
+ Number = {9},
+ Pages = {1048--1063},
+ Month = sep }
+
+@ARTICLE{Maes+vanDijk,
+ AUTHOR = {R. Maes and J.E.M. van Dijk},
+ TITLE = {On the Role of Ambiguity and Incompleteness in the Design of Decision Tables and Rule-Based Systems},
+ JOURNAL = {Computer Journal},
+ YEAR = {1988},
+ VOLUME = {31},
+ NUMBER = {6},
+ PAGES = {481--489}
+}
+
+@TECHREPORT{Gordon88:programs,
+ AUTHOR = {M.J.C.
Gordon},
+ TITLE = {Mechanizing Programming Logics in Higher Order Logic},
+ INSTITUTION = {Cambridge Computer Science Research Centre,
+SRI International},
+ YEAR = {1988},
+ NUMBER = {CCSRC-006},
+ ADDRESS = {Suite 23, Millers Yard, Mill Lane, Cambridge CB2 1RQ, England},
+ MONTH = sep
+}
+
+@ARTICLE{Stickel:PTTP,
+ AUTHOR = {Mark E. Stickel},
+ TITLE = {A {Prolog} Technology Theorem Prover: Implementation by an Extended {Prolog} Compiler},
+ JOURNAL = {Journal of Automated Reasoning},
+ YEAR = {1988},
+ VOLUME = {4},
+ NUMBER = {4},
+ PAGES = {353--380},
+ MONTH = dec
+}
+
+@BOOK{F16,
+ AUTHOR = {Carl S. Droste and James E. Walker},
+ TITLE = {The {General Dynamics} Case Study on the {F16} Fly-by-Wire Flight Control System},
+ PUBLISHER = {American Institute of Aeronautics and Astronautics},
+ YEAR = {Undated},
+ SERIES = {AIAA Professional Study Series}
+}
+
+@ARTICLE{Shostak:combination,
+ AUTHOR = {Robert E. Shostak},
+ TITLE = {Deciding Combinations of Theories},
+ Journal={Journal of the ACM},
+ YEAR = {1984},
+ VOLUME = {31},
+ NUMBER = {1},
+ PAGES = {1--12},
+ MONTH = jan
+}
+
+@ARTICLE{Shostak:arithmetic,
+ AUTHOR = {Robert E. Shostak},
+ TITLE = {A Practical Decision Procedure for Arithmetic with Function Symbols},
+ Journal={Journal of the ACM},
+ YEAR = {1979},
+ VOLUME = {26},
+ NUMBER = {2},
+ PAGES = {351--360},
+ MONTH = apr
+}
+
+@ARTICLE{Shostak:sup-inf,
+ AUTHOR = {Robert E. Shostak},
+ TITLE = {On the {SUP-INF} Method for Proving {Presburger} Formulas},
+ Journal={Journal of the ACM},
+ YEAR = {1977},
+ VOLUME = {24},
+ NUMBER = {4},
+ PAGES = {529--543},
+ MONTH = oct
+}
+
+@ARTICLE{Shostak:equality,
+ AUTHOR = {Robert E. Shostak},
+ TITLE = {An Algorithm for Reasoning about Equality},
+ JOURNAL = {Communications of the ACM},
+ YEAR = {1978},
+ VOLUME = {21},
+ NUMBER = {7},
+ PAGES = {583--585},
+ MONTH = jul
+}
+
+@INPROCEEDINGS{STP,
+ AUTHOR = {R.E. Shostak and R. Schwartz and P.M.
Melliar-Smith},
+ TITLE = {{STP}: A Mechanized Logic for Specification and Verification},
+ BOOKTITLE = {Sixth International Conference on Automated Deduction ({CADE}-6)},
+ PUBLISHER={Springer-Verlag, Berlin,
+ Lecture Notes in Computer Science, Vol. 138},
+ YEAR = {1982}
+}
+
+@INCOLLECTION{Shostak:circuits,
+ AUTHOR = {Robert E. Shostak},
+ TITLE = {Formal Verification of Circuit Designs},
+ BOOKTITLE = {Computer Hardware Description Languages},
+ PUBLISHER = {North-Holland},
+ YEAR = {1983},
+ EDITOR = {T. Uehara and M. Barbacci},
+ PAGES = {13--29}
+}
+
+@INPROCEEDINGS{Avizienis:search,
+ AUTHOR = {Algirdas Avi\v{z}ienis and Michael R. Lyu and
+Werner Sch\"{u}tz},
+ TITLE = {In Search of Effective Diversity: {A} Six-Language
+Study of Fault Tolerant Flight Control Software},
+ BOOKTITLE = {Digest of Papers, FTCS 18},
+ YEAR = {1988},
+ PAGES = {15--22},
+ ORGANIZATION = {IEEE Computer Society},
+ ADDRESS = {Tokyo, Japan},
+ MONTH = jun
+}
+
+@INPROCEEDINGS{Kelly88,
+ AUTHOR = {John P.J. Kelly and others},
+ TITLE = {A Large Scale Second Generation Experiment in
+Multi-Version Software: Description and Early Results},
+ BOOKTITLE = {Digest of Papers, FTCS 18},
+ YEAR = {1988},
+ PAGES = {9--14},
+ ORGANIZATION = {IEEE Computer Society},
+ ADDRESS = {Tokyo, Japan},
+ MONTH = jun
+}
+
+@INPROCEEDINGS{Brunelle,
+ AUTHOR = {J.E. Brunelle and D.E. {Eckhardt, Jr.}},
+ TITLE = {Fault-Tolerant Software: An Experiment with the
+{SIFT} Operating System},
+ PAGES = {355--360},
+ BOOKTITLE = {Proceedings of the Fifth AIAA Computers in Aerospace Conference},
+ MONTH = oct, YEAR = {1985} }
+
+@ARTICLE{Eckhardt+Lee,
+AUTHOR = {Dave E. {Eckhardt, Jr.} and Larry D. Lee},
+TITLE = {A Theoretical Basis for the Analysis of Multiversion
+Software Subject to Coincident Errors},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1985},
+VOLUME = {SE-11}, NUMBER = {12}, PAGES = {1511--1517}, MONTH = dec }
+
+@ARTICLE{Eckhardt+91,
+AUTHOR = {D.E. Eckhardt and A.K.
Caglayan and J.C. Knight and L.D. Lee
+and D.F. McAllister and M.A. Vouk and J.P.J. Kelly},
+TITLE = {An Experimental Evaluation of Software Redundancy as a Strategy
+for Improving Reliability},
+JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1991},
+VOLUME = {SE-11}, NUMBER = {12}, PAGES = {692-702}, MONTH = jul }
+
+@TECHREPORT{Rushby89:ica,
+ AUTHOR = {J.M. Rushby and F. von Henke},
+ TITLE = {Formal Verification of the Interactive Convergence Clock Synchronization Algorithm using {EHDM}},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = {1989},
+ NUMBER = {SRI-CSL-89-3},
+ ADDRESS = {Menlo Park, California},
+ MONTH = feb,
+ NOTE = {Also available as NASA Contractor Report 4239}
+}
+@comment{(Final Report for SRI Project 4616, Task 4, NASA Contract NSA1 17067), also forthcoming NASA Contractor Report}
+
+@inproceedings{Rushby94:icah,
+ AUTHOR = {J.M. Rushby},
+ TITLE = {A Formally Verified Algorithm for Clock
+ Synchronization Under a Hybrid Fault Model},
+ BOOKTITLE = {Proceedings of the Thirteenth Conference on
+ Principles of Distributed Computing},
+ PAGES = {304--313},
+ ORGANIZATION = {ACM},
+ ADDRESS = {Los Angeles, California},
+ MONTH = aug,
+ YEAR = 1994
+}
+
+@techreport{Lincoln+Rushby92:OMH,
+ AUTHOR = {Patrick Lincoln and John Rushby},
+ TITLE = {Formal Verification of an Algorithm for Interactive
+ Consistency under a Hybrid Fault Model},
+ NUMBER = {SRI-CSL-93-2},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = 1993,
+ ADDRESS = "Menlo Park, California",
+ MONTH = mar,
+ NOTE = {Also available as NASA Contractor Report 4527, July 1993},
+}
+
+@inproceedings{Lincoln+Rushby93:FTCS,
+ AUTHOR = {P.D. Lincoln and J.M. Rushby},
+ TITLE = {A Formally Verified Algorithm for Interactive Consistency
+ under a Hybrid Fault Model},
+ BOOKTITLE = {Fault Tolerant Computing Symposium 23},
+ PAGES = {402--411},
+ YEAR = {1993}
+}
+
+@inproceedings{Lincoln95NASA,
+ AUTHOR = {P.D.
Lincoln and J.M. Rushby and N. Suri and C. Walter},
+ TITLE = {Hybrid Fault Algorithms},
+BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
+ May 10-12, 1995},
+ MONTH = jun,
+ YEAR = {1995},
+ORGANIZATION={NASA Langley Research Center},
+Pages={193--209}}
+
+@inproceedings{Rushby95NASA,
+ AUTHOR = {J.M. Rushby},
+ TITLE = {Fault-Tolerant Algorithms and the Design of {PVS}},
+BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
+ May 10-12, 1995},
+ MONTH = jun,
+ YEAR = {1995},
+ORGANIZATION={NASA Langley Research Center},
+Pages={93--104}}
+
+@techreport{Lincoln+Rushby95,
+ AUTHOR = {P.D. Lincoln and J.M. Rushby},
+ TITLE = {Formally Verified Algorithms for Diagnosis
+ of Manifest, Symmetric, Link, and {Byzantine} Faults},
+ NUMBER = {SRI-CSL-95-14},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = "1995",
+ ADDRESS = "Menlo Park, California",
+ MONTH = oct,
+}
+
+@techreport{LincolnRushby95,
+ AUTHOR = {P.D. Lincoln and J.M. Rushby},
+ TITLE = {Formally Verified Algorithms for Diagnosis
+ of Manifest, Symmetric, Link, and {Byzantine} Faults},
+ NUMBER = {SRI-CSL-95-14},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = "1995",
+ ADDRESS = "Menlo Park, California",
+ MONTH = oct,
+}
+
+@techreport{DiVitoRoberts96,
+ AUTHOR = {B.L. DiVito and L.W. Roberts},
+ TITLE = {Using Formal Methods to Assist in the Requirements Analysis
+ of the Space Shuttle {GPS} Change Request},
+ NUMBER = {NASA Contractor Report 4652},
+ INSTITUTION = {NASA Langley Research Center},
+ YEAR = 1996,
+ ADDRESS = "Hampton, Virginia",
+ MONTH = aug,
+}
+
+@inproceedings{Dill95NASA,
+ AUTHOR = {D.L. Dill},
+ TITLE = {Model Checking},
+BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
+ May 10-12, 1995},
+ MONTH = jun,
+ YEAR = {1995},
+ORGANIZATION={NASA Langley Research Center},
+Pages={211--216}}
+
+@BOOK{McMillan:SMV,
+ AUTHOR = {K.L.
McMillan},
+ TITLE = {Symbolic Model Checking},
+ PUBLISHER = {Kluwer Academic Publishers},
+ ADDRESS = {Boston, Massachusetts},
+ YEAR = 1993
+}
+
+@ARTICLE{Burch-etal94,
+ AUTHOR = {J.R. Burch and E.M. Clarke and D.E. Long and
+ K.L. McMillan and D.L. Dill},
+ TITLE = {Symbolic Model Checking for Sequential Circuit Verification},
+ JOURNAL = {IEEE Transactions on Computer-Aided Design},
+ YEAR = 1994,
+ VOLUME = 13,
+ NUMBER = 4,
+ PAGES = {401--424},
+ MONTH = apr
+}
+
+@article{Atlee+Gannon93,
+ AUTHOR = {J.M. Atlee and J. Gannon},
+ TITLE = {State-Based Model Checking of Event-Driven System Requirements},
+ JOURNAL = {IEEE Transactions on Software Engineering},
+ YEAR = 1993,
+ VOLUME = 19,
+ NUMBER = 1,
+ PAGES = {24--40},
+ MONTH = jan
+}
+
+@ARTICLE{Clarke-etal94,
+ AUTHOR = {E.M. Clarke and O. Grumberg and D.E. Long},
+ TITLE = {Model Checking and Abstraction},
+ JOURNAL = {ACM Transactions on Programming Languages and Systems},
+ YEAR = 1994,
+ VOLUME = 16,
+ NUMBER = 5,
+ PAGES = {1512--1542},
+ MONTH = sep
+}
+
+@TECHREPORT{Rushby88:SQA,
+ AUTHOR = {J.M. Rushby},
+ TITLE = {Quality measures and Assurance for {AI} Software},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = {1988},
+ NUMBER = {SRI-CSL-88-7R},
+ ADDRESS = {Menlo Park, California},
+ MONTH = sep,
+ NOTE = {Also available as NASA Contractor Report 4187}
+}
+@comment{(Final Report for SRI Project 4616, Task 5, NASA Contract NSA1 17067), also available as NASA Contractor Report 4187}
+
+@ARTICLE{Cohn83,
+ AUTHOR = {Avra Cohn},
+ TITLE = {The Equivalence of Two Semantic Definitions: A Case Study in {LCF}},
+ JOURNAL = {sicomp},
+ YEAR = {1983},
+ VOLUME = {12},
+ NUMBER = {2},
+ PAGES = {267--285},
+ MONTH = may
+}
+
+@BOOK{Boyer-Moore79,
+ AUTHOR = {R.S. Boyer and J S. Moore},
+ TITLE = {A Computational Logic},
+ PUBLISHER = {Academic Press},
+ YEAR = {1979},
+ ADDRESS = {New York}
+}
+
+@BOOK{Kaufmann-Moore00,
+ AUTHOR = {M Kaufmann and J S. Moore and P.
Manolios},
+ TITLE = {Computer-Aided Reasoning: An Approach},
+ PUBLISHER = {Kluwer Academic Publishing},
+ YEAR = {2000},
+ ADDRESS = {Norwell, Massachusetts}
+}
+
+@INPROCEEDINGS{Littlewood+Miller,
+ AUTHOR = {B. Littlewood and D.R. Miller},
+ TITLE = {A Conceptual Model of Multi-Version Software},
+ BOOKTITLE={Digest of Papers, FTCS 17},
+ ADDRESS={Pittsburgh, Pennsylvania},
+ ORGANIZATION={IEEE Computer Society},
+ PAGES = {150--155},
+ MONTH=jul,
+ YEAR={1987}}
+
+@ARTICLE{Dunham86,
+ AUTHOR = {Janet R. Dunham},
+ TITLE = {Experiments in Software Reliability: Life Critical Applications},
+ JOURNAL = {IEEE Transactions on Software Engineering},
+ YEAR = {1986},
+ VOLUME = {SE-12},
+ NUMBER = {1},
+ PAGES = {110--123},
+ MONTH = jan
+}
+
+@TECHREPORT{Moore:piton-short,
+ AUTHOR = {J Strother Moore},
+ TITLE = {A Mechanically Verified Language Implementation},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1988},
+ NUMBER = {30},
+ ADDRESS = {Austin, TX},
+ MONTH = sep
+}
+
+@TECHREPORT{Moore:piton-long,
+ AUTHOR = {J Strother Moore},
+ TITLE = {Piton: A Verified Assembly Level Language},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1988},
+ NUMBER = {22},
+ ADDRESS = {Austin, TX},
+ MONTH = sep
+}
+
+@TECHREPORT{Young88,
+ AUTHOR = {W.D. Young},
+ TITLE = {A Verified Code Generator for a Subset of {Gypsy}},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1988},
+ NUMBER = {33},
+ ADDRESS = {Austin, TX},
+ MONTH = oct
+}
+
+@ARTICLE{Scarl87,
+ AUTHOR = {E.A. Scarl and J.R. Jamieson and C.I. Delaune},
+ TITLE = {Diagnosis and Sensor Validation through Knowledge of Structure and Function},
+ JOURNAL = {IEEE Transactions on Systems, Man, and Cybernetics},
+ YEAR = {1987},
+ VOLUME = {SMC-17},
+ NUMBER = {3},
+ PAGES = {360--368},
+ MONTH = {May/June}
+}
+
+@INPROCEEDINGS{Chand87,
+ AUTHOR = {B. Chandraskeran and W.F.
{Punch III}},
+ TITLE = {Data Validation During Diagnosis, A Step Beyond Traditional Sensor Validation},
+ BOOKTITLE = {Proceedings of the AAAI 87 (Vol. 2)},
+ YEAR = {1987},
+ PAGES = {778--782},
+ ADDRESS = {Seattle, WA},
+ MONTH = jul
+}
+
+@TECHREPORT{MacEwan:realtime,
+ AUTHOR = {Glenn H. MacEwan},
+ TITLE = {Using Higher-Order Logic for Modular Specification of Real-Time Distributed Systems},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = {1988},
+ ADDRESS = {Menlo Park, California},
+ Type = {Draft report}
+
+}
+
+@ARTICLE{Avizienis85,
+ AUTHOR = {Algirdas Avi\v{z}ienis},
+ TITLE = {The {{\em N\/}-Version} Approach to Fault-Tolerant Software},
+ JOURNAL = {IEEE Transactions on Software Engineering},
+ YEAR = {1985},
+ VOLUME = {SE-11},
+ NUMBER = {12},
+ PAGES = {1491--1501},
+ MONTH = dec
+}
+
+@INPROCEEDINGS{Barrow83,
+ AUTHOR = {Harry G. Barrow},
+ TITLE = {Proving the Correctness of Digital Hardware Designs},
+ BOOKTITLE = {Proceedings of the AAAI 83},
+ YEAR = {1983},
+ PAGES = {17--21},
+ ADDRESS = {Washington, D.C.},
+ MONTH = aug
+}
+
+@ARTICLE{Infis+Moore88,
+ AUTHOR = {A.H. Infis and W.R. Moore},
+ TITLE = {Economic Approach to Fault-Tolerant Synchronization},
+ JOURNAL = {IEE Proceedings, Part E},
+ YEAR = {1988},
+ VOLUME = {135},
+ NUMBER = {2},
+ PAGES = {82--86},
+ MONTH = mar
+}
+
+@TECHREPORT{SIFT-report,
+ AUTHOR = {J.H. {Wensley et al.}},
+ TITLE = {Design Study of Software-Implemented Fault-Tolerance {(SIFT)} Computer},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = {1982},
+ ADDRESS = {Menlo Park, California},
+ TYPE = {{NASA} Contractor Report 3011},
+ MONTH = jun
+}
+
+@TECHREPORT{Hunt:FM8501-short,
+ AUTHOR = {Warren A. {Hunt, Jr.}},
+ TITLE = {The Mechanical Verification of a Microprocessor Design},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1987},
+ NUMBER = {6},
+ ADDRESS = {Austin, TX}
+}
+
+@TECHREPORT{Bevier:kit-short,
+ AUTHOR = {W.R.
Bevier},
+ TITLE = {Kit: A Study in Operating System Verification},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1988},
+ NUMBER = {28},
+ ADDRESS = {Austin, TX},
+ MONTH = aug
+}
+
+@TECHREPORT{Bevier:kit-long,
+ AUTHOR = {W.R. Bevier},
+ TITLE = {A Verified Operating System Kernel},
+ INSTITUTION = {Computational Logic Incorporated},
+ YEAR = {1987},
+ NUMBER = {11},
+ ADDRESS = {Austin, TX},
+ MONTH = oct
+}
+
+@article{Moore+JAR89,
+author={J S. {Moore, editor}}, title = {System Verification},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {409-530}, month = dec,
+NOTE = {Includes five papers by Moore, W.R. Bevier, W.A. Hunt, Jr,
+and W.D. Young.}
+}
+
+@article{MooreJAR89,
+author={J S. Moore}, title = {System Verification},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {409-410}, month = dec }
+
+@article{Bevier+JAR89,
+author={W.R. Bevier and W.A. {Hunt, Jr.} and J S. Moore and W.D. Young},
+title = {An Approach to Systems Verification},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {411-428}, month = dec }
+
+@article{HuntJAR89,
+author={W.A. {Hunt Jr.}}, title = {Microprocessor Design Verification},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {429-460}, month = dec }
+
+@article{MooreJAR89a,
+author={J S. Moore}, title = {A Mechanically Verified Language Implementation},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {461-492}, month = dec }
+
+@article{YoungJAR89,
+author={W.D. Young}, title = {A Mechanically Verified Code Generator},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {493-518}, month = dec }
+
+@article{BevierJAR89,
+author={W.R.
Bevier}, title = {Kit and the Short Stack},
+journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
+number = {4}, pages = {519-30}, month = dec }
+
+@ARTICLE{SIFT-design,
+ AUTHOR = {J.H. {Wensley et al.}},
+ TITLE = {{SIFT} Design and Analysis of a Fault-Tolerant Computer for Aircraft Control},
+ JOURNAL = {Proceedings of the IEEE},
+ YEAR = {1978},
+ VOLUME = {66},
+ NUMBER = {10},
+ PAGES = {1240--1255},
+ MONTH = oct
+}
+
+@ARTICLE{Spitzen:example,
+ AUTHOR = {J.M. Spitzen and K.N. Levitt and L. Robinson},
+ TITLE = {An Example of Hierarchical Design and Proof},
+ JOURNAL = {Communications of the ACM},
+ YEAR = {1978},
+ VOLUME = {21},
+ NUMBER = {12},
+ PAGES = {1064--1075},
+ MONTH = dec
+}
+
+@ARTICLE{Igarishi,
+ AUTHOR = {S. Igarishi and R.L. London and D.C. Luckham},
+ TITLE = {Automatic Program Verification {I}: A Logical Basis and its Implementation},
+ JOURNAL = {acta},
+ YEAR = {1975},
+ VOLUME = {4},
+ PAGES = {145--182}
+}
+
+@Article(DaleyDennis68,
+key="Daley", Author="R.C. Daley and J.B. Dennis",
+Title={Virtual Memory, Processes, and Sharing in {Multics}},
+Journal="Communications of the ACM",
+Year="1968", Month=may, Page="306--312", Volume="11", Number="5",)
+
+@Article(Graham68,
+key="Graham", Author="R.M. Graham",
+Title={Protection in an Information Processing Utility},
+Journal="Communications of the ACM",
+Year="1968", Month=may, Page="365--369", Volume="11", Number="5",)
+
+@Article(dijkstra68,
+Author="E.W. Dijkstra", Key="Dijkstra",
+Title={The Structure of the {THE} Multiprogramming System},
+Journal="Communications of the ACM",
+Year="1968", Month=may, Page="341--346", Volume="11", Number="5",)
+
+@InProceedings{Dijkstra68CSP,
+Author={E.W. Dijkstra},
+Title={Co-operating Sequential Processes},
+Booktitle={Programming {L}anguages, {F.} {G}enuys (editor)}, pages={43-112},
+Year=1968, Publisher={Academic Press} }
+
+@BOOK{Dijkstra:book,
+ AUTHOR = {E.W.
Dijkstra}, + TITLE = {A Discipline of Programming}, + PUBLISHER = {Prentice-Hall}, + YEAR = {1976}, + ADDRESS = {Englewood Cliffs, New Jersey} +} + +@book{BrooksMMM, +Author={F.P. {Brooks}}, +Title={The Mythical Man-Month: Essays on Software Engineering}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={Second edition, 1995} } + +@book{Mills86, +Author={H.D. Mills}, +Title={Principles of Information Systems Analysis and Design}, +Publisher={Academic Press, New York}, +Year={1986} } + +@ARTICLE{Pascal-def, + AUTHOR = {C.A.R. Hoare and N. Wirth}, + TITLE = {An Axiomatic Definition of the Programming Language {Pascal}}, + JOURNAL = {acta}, + YEAR = {1973}, + VOLUME = {2}, + NUMBER = {4}, + PAGES = {335-355} +} + +@TECHREPORT{Gordon:proglog, + AUTHOR = {M.J.C. Gordon}, + TITLE = {Mechanizing Programming Logics in Higher Order Logic}, + INSTITUTION = {Cambridge Computer Science Research Center, SRI International}, + YEAR = {1988}, + NUMBER = {CCSRC-006}, + ADDRESS = {Cambridge, England}, + MONTH = sep +} + +@TECHREPORT{Cohn:parser, + AUTHOR = {Avra Cohn and Robin Milner}, + TITLE = {On using {Edinburgh LCF} to Prove the Correctness of a Parsing Algorithm}, + INSTITUTION = {Edinburgh University Computer Science Department}, + YEAR = {1982}, + NUMBER = {CSR-113-82}, + NOTE = {Also Cambridge University Computer Laboratory Technical Report 20.} +} + +@MANUAL{Stanford-verifier, + TITLE = {Stanford {Pascal} Verifier User's Manual}, + AUTHOR = {D. Luckham and others}, + ORGANIZATION = {Stanford University}, + ADDRESS = {Stanford, California}, + YEAR = {1979}, + NOTE = {AI memo CS-79-731} +} + +@BOOK{Polak:book, + AUTHOR = {W. Polak}, + TITLE = {Compiler Specification and Verification}, + PUBLISHER = {Springer-Verlag, Berlin}, + YEAR = {1981}, +} + +@TECHREPORT{OBJ:intro, + AUTHOR = {J.A. Goguen and T. 
Winkler}, + TITLE = {Introducing {OBJ3}}, + INSTITUTION = {Computer Science Laboratory, SRI International}, + YEAR = {1988}, + NUMBER = {SRI-CSL-88-9}, + ADDRESS = {Menlo Park, California}, + MONTH = aug +} + + +@Unpublished{ACohn:Notion, + Author = {A. Cohn}, + Title = {The Notion of Proof in Hardware Verification}, + Note = {Draft, Cambridge University Computer Laboratory}, + Address = {Cambridge, England}, + Year = {1988} } + + +@TechReport{NODEN, + Author = {C. H. Pygott}, + Title = {{NODEN}: An engineering approach to hardware verification}, + Institution = {RSRE}, + Number = {415-88}, + Year = {1988} } + +@ARTICLE{Johnson+Malek88, + AUTHOR = {Allen M. {Johnson, Jr.} and Miroslaw Malek}, + TITLE = {Survey of Software Tools for Evaluating Reliability, Availability and Serviceability}, + JOURNAL = {Computing Surveys}, + YEAR = {1988}, + VOLUME = {20}, + NUMBER = {4}, + PAGES = {227--269}, + MONTH = dec +} + +@ARTICLE{Flannagan86, + AUTHOR = {Im Flannagan}, + TITLE = {The Consistency of Negation as Failure}, + JOURNAL = {The Journal of Logic Programming}, + YEAR = {1986}, + VOLUME = {3}, + NUMBER = {2}, + PAGES = {93--114}, + MONTH = jul +} + +@PROCEEDINGS{SIFT:review, + AUTHOR = {NASA}, + TITLE = {Peer Review of a Formal Verification/Design Proof Methodology}, + YEAR = {1983}, + ORGANIZATION = {NASA Conference Publication 2377}, + MONTH = jul +} + +@TECHREPORT{RSRE:methodology, + AUTHOR = {W.J. Cullyer and C.H. Pygott}, + TITLE = {Hardware Proofs using {LCF-LSM} and {ELLA}}, + INSTITUTION = {Royal Signals and Radar Establishment}, + YEAR = {1985}, + TYPE = {Memorandum}, + NUMBER = {3832}, + MONTH = sep +} + +@TECHREPORT{Joyce:asynch, + AUTHOR = {Jeffrey J. 
Joyce}, + TITLE = {Formal Specification and Verification of Asynchronous Processes in Higher Order Logic}, + Institution={University of Cambridge Computer Laboratory}, + YEAR = {1988}, + NUMBER = {136}, + MONTH = jun +} + +@ARTICLE{Kopetz89:mars, + AUTHOR = {Hermann Kopetz and others}, + TITLE = {Distributed Fault-Tolerant Real-Time Systems: The {Mars} Approach}, + JOURNAL = {IEEE Micro}, + YEAR = {1989}, + VOLUME = {9}, + NUMBER = {1}, + PAGES = {25--40}, + MONTH = feb +} + +@InProceedings{Crocker88, + Author = {S.D. Crocker and E. Cohen and S. Landauer and H. Orman}, + Title = {Reverification of a Microprocessor}, + BookTitle={Proceedings of the 1988 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Year={1988}, + Pages={166-176}, + Month=apr + } + +@TECHREPORT{Rushby+Whitehurst89, + AUTHOR = {J.M. Rushby and R. Alan Whitehurst}, + TITLE = {Formal Verification of {AI} Software}, + INSTITUTION = {Computer Science Laboratory, SRI International}, + YEAR = {1989}, + TYPE = {Final Report, NASA Contract 18226 (Task5)}, + ADDRESS = {Menlo Park, California}, + MONTH = feb +} + +@MANUAL{CLIPS, + TITLE = {{CLIPS} User's Guide}, + AUTHOR = {Joseph C. Giarratano}, + ORGANIZATION = {Artificial Intelligence Center, Lyndon B. Johnson Space Center}, + MONTH = jun, + YEAR = {1988} +} + +@INPROCEEDINGS{Kapuretal, + AUTHOR = {D. Kapur and H. Zhang and G. Sivakumar}, + TITLE = {{RRL}: A Rewrite Rule Laboratory}, + BOOKTITLE = {Eighth International Conference on Automated Deduction +(CADE-8)}, + YEAR = {1986}, + PUBLISHER = {Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Vol. 230}, + ADDRESS = {Oxford, England} +} + +@InProceedings{Benzel+Tavilla85, + Author={T.C. Vickers Benzel and D.A. 
Tavilla}, + BookTitle={Proceedings of the 1985 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={Trusted Software Verification: A Case Study}, + Year={1985}, + Address={Oakland, California}, + Month=apr, + Pages={14--31} + } + +@InProceedings{McHugh+Good85, + Author={J. McHugh and D.I. Good}, + BookTitle={Proceedings of the 1985 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Title={An Information Flow Tool for {Gypsy}}, + Year={1985}, + Address={Oakland, California}, + Month=apr, + Pages={46--48} + } + +@ARTICLE{Denning:views, + AUTHOR = {Dorothy E. Denning and others}, + TITLE = {Views for Multilevel Database Security}, + JOURNAL = {IEEE Transactions on Software Engineering}, + YEAR = {1987}, + VOLUME = {SE-13}, + NUMBER = {2}, + PAGES = {129--140}, + MONTH = feb +} + +@ARTICLE{Haigh+Young85, + AUTHOR = {J.T. Haigh and W.D. Young}, + TITLE = {Extending the Noninterference Version of {MLS} for {SAT}}, + JOURNAL = {IEEE Transactions on Software Engineering}, + YEAR = {1987}, + VOLUME = {SE-13}, + NUMBER = {2}, + PAGES = {141--150}, + MONTH = feb +} + +@ARTICLE{Haigh+others85, + AUTHOR = {J.T. Haigh and R.A. Kemmerer and J. McHugh and W.D. Young}, + TITLE = {An Experience Using Two Covert Channel Analysis Techniques on a Real System Design}, + JOURNAL = {IEEE Transactions on Software Engineering}, + YEAR = {1987}, + VOLUME = {SE-13}, + NUMBER = {2}, + PAGES = {157--168}, + MONTH = feb +} + +@book{GasserBook, +Author={M. Gasser}, +Title={Building a Secure Computer System}, +Publisher={Van Nostrand Reinhold Company, New York}, +Year={1988}, +URL = "http://www.acsac.org/secshelf/secshelf/book002.html" } + + @ARTICLE{Gasser89, + AUTHOR = {M. Gasser}, + TITLE = {An Optimization for Automated Information Flow Analysis}, + JOURNAL = {Cipher (Newsletter of the {IEEE} Technical Committee on Security and Privacy)}, + YEAR = {1989}, + MONTH = jan, + PAGES = {32--36} +} + +@ARTICLE{Fine+others89, + AUTHOR = {T.E. 
Fine and J.T. Haigh and R.C. O'Brien}, + TITLE = {A General Non-Interference Unwinding Theorem}, + JOURNAL = {Cipher (Newsletter of the {IEEE} Technical Committee on Security and Privacy)}, + YEAR = {1989}, + MONTH = apr, + PAGES = {38--40} +} + +@ARTICLE{Gasser+others80, + AUTHOR = {M. Gasser and J.K. Millen and W.F. Wilson}, + TITLE = {A Note on Information Flow into Arrays}, + JOURNAL = {ACM Software Engineering Notes}, + YEAR = {1980}, + VOLUME = {5}, + NUMBER = {1}, + PAGES = {28--29}, + MONTH = jan +} + +@ARTICLE{Denning80, + AUTHOR = {Dorothy E. Denning}, + TITLE = {Embellishments to the Note on Information Flow into Arrays}, + JOURNAL = {ACM Software Engineering Notes}, + YEAR = {1980}, + VOLUME = {5}, + NUMBER = {2}, + PAGES = {15--16}, + MONTH = apr +} + +@TECHREPORT{Platek+Sutherland84, + AUTHOR = {Richard Platek and David Sutherland}, + TITLE = {The Semantics of the {Feiertag MLS} Information Flow Tool and its Impact on Design Verification: Some {SCOMP} Examples}, + INSTITUTION = {Odyssey Research Associates}, + YEAR = {1984}, + ADDRESS = {Ithaca, New York}, + MONTH = jan } + +@InProceedings{Sutherland86, +Author={D.I. Sutherland}, +Title={A Model of Information Flow}, pages={175-183}, +Booktitle={Proceedings of the Ninth National Computer Security Conference}, +Year=1986, Month =sep } + +@TECHREPORT{Rushby:mls, + AUTHOR = {J.M. Rushby}, + TITLE = {Verifying Noninterference Security Policies}, + INSTITUTION = {Computer Science Laboratory, SRI International}, + YEAR = {1989}, + ADDRESS = {Menlo Park, California}, + MONTH = jun +} + +@ARTICLE{Kemmerer:protocols89, + AUTHOR = {R.A. Kemmerer}, + TITLE = {Analyzing Encryption Protocols Using Formal Verification Techniques}, + JOURNAL = {IEEE Journal on Selected Areas in Communications}, + YEAR = {1989}, + VOLUME = {7}, + NUMBER = {4}, + PAGES = {448--457}, + MONTH = may +} + +@ARTICLE{Moore:protocols88, + AUTHOR = {Judy H. 
Moore}, + TITLE = {Protocol Failures in Cryptosystems}, + JOURNAL = {Proceedings of the IEEE}, + YEAR = {1988}, + VOLUME = {76}, + NUMBER = {5}, + PAGES = {594--602}, + MONTH = may +} + +@TECHREPORT{Seaview:specs, + AUTHOR = {T.F. Lunt and R.A. Whitehurst}, + TITLE = {The {SeaView} Formal Top Level Specifications and Proofs}, + TYPE = {Final Report}, + INSTITUTION = {Computer Science Laboratory, SRI International}, + YEAR = {1989}, + NOTE = {Volumes 3A and 3B of ``Secure Distributed Data Views,'' SRI Project 1143}, + ADDRESS = {Menlo Park, California}, + MONTH = {January/February} +} + +@Unpublished{Gordon89:cells, + AUTHOR = {Mike Gordon and Paul Lowenstein and Moshe Shahaf}, + TITLE = {Formal Verification of A Cell Library--a case study in technology transfer}, + YEAR = {1989}, + NOTE = {Submitted for publication} + +} + +@BOOK{Gordon:book2, + AUTHOR = {Michael J.C. Gordon}, + TITLE = {Programming Language Theory and its Implementation}, + PUBLISHER = {Prentice-Hall International (U.K.) Ltd.}, + YEAR = {1988}, + ADDRESS = {Hemel Hempstead, U.K.} +} + +@BOOK{Jones:VDM, + AUTHOR = {Cliff B. Jones}, + TITLE = {Systematic Software Development Using {VDM}}, + PUBLISHER = {Prentice-Hall International (U.K.) Ltd.}, + YEAR = {1986}, + ADDRESS = {Hemel Hempstead, U.K.} +} + +@INPROCEEDINGS{Schaefer:harmful, + AUTHOR = {M. Schaefer}, + TITLE = {Symbol Security Condition Considered Harmful}, +BOOKTITLE = {Proceedings of the 1989 Symposium on Security and Privacy}, + YEAR = {1989}, + PAGES = {20--46}, + ORGANIZATION = {IEEE Computer Society}, + ADDRESS = {Oakland, California}, + MONTH = may +} + +@BOOK{Misra+Chandy:book, + AUTHOR = {K. Mani Chandy and Jayadev Misra}, + TITLE = {Parallel Program Design: A Foundation}, + PUBLISHER = {Addison-Wesley}, + YEAR = {1988}, + ADDRESS = {Reading, Massachusetts} +} + + + +@INPROCEEDINGS{Rushby88:AAAI, + AUTHOR = {J.M. 
Rushby}, + TITLE = {Validation and Testing of Knowledge-Based Systems: How Bad can it get?}, + BOOKTITLE = {Proceedings of the AAAI 88 Workshop on Validation and Testing Knowledge-Based Systems}, + YEAR = {1988}, + ADDRESS = {Saint Paul, MN}, + MONTH = aug +} + +@InProceedings{Benson89, + Author={G. Benson and W. Appelbe and I. Akyildiz}, + BookTitle={Proceedings of the 1989 Symposium on Security and Privacy}, + Organization={IEEE Computer Society}, + Address={Oakland, California}, + Title={The Hierarchical Model of Distributed System Security}, + Year={1989}, + Pages={194--203}, + Month=may + } + +@ARTICLE{Wood89, + AUTHOR = {Kem Wood and others}, + TITLE = {Shuttle Failure Detection}, + JOURNAL = {Aerospace America}, + YEAR = {1989}, + VOLUME = {27}, + NUMBER = {7}, + PAGES = {34--36}, + MONTH = jul +} + +@ARTICLE{Smith89, + AUTHOR = {David M. Smith}, + TITLE = {Expert System's Role Broadens}, + JOURNAL = {Aerospace America}, + YEAR = {1989}, + VOLUME = {27}, + NUMBER = {7}, + PAGES = {26--28}, + MONTH = jul +} + +@ARTICLE{Corrigan89, + AUTHOR = {J.D. Corrigan and K.J. Keller and S.A. Meyer}, + TITLE = {Promise of Decision Aiding}, + JOURNAL = {Aerospace America}, + YEAR = {1989}, + VOLUME = {27}, + NUMBER = {7}, + PAGES = {30--31}, + MONTH = jul +} + +@ARTICLE{Hosmer89, + AUTHOR = {Douglas M. Hosmer}, + TITLE = {A Pilot's View of Intelligent Systems}, + JOURNAL = {Aerospace America}, + YEAR = {1989}, + VOLUME = {27}, + NUMBER = {7}, + PAGES = {32--33}, + MONTH = jul +} + +@Article{GY1, +Author = {S.L. Gerhart and L. Yelowitz}, +Title = {Observations of Fallibility in Modern Programming Methodologies}, +Journal = {IEEE Transactions on Software Engineering}, +Year = {1976}, +Volume = {SE-2}, +Number = {3}, +pages = {195--207}, +Month = sep +} + +@ARTICLE{Avizienis+Laprie, + AUTHOR = {A. Avi\v{z}ienis and J-C. 
Laprie}, + TITLE = {Dependable Computing: {F}rom Concepts to Design Diversity}, + JOURNAL = {Proceedings of the IEEE}, + YEAR = {1986}, + VOLUME = {74}, + NUMBER = {5}, + PAGES = {629--638}, + MONTH = may +} + +@ARTICLE{Avizienis+04, + AUTHOR = {A. Avi\v{z}ienis and J.-C. Laprie and + B. Randell and C. Landwehr}, + TITLE = {Basic Concepts and Taxonomy of Dependable + and Secure Computing}, + JOURNAL = {IEEE Transactions on Dependable and Secure Computing}, + YEAR = {2004}, + VOLUME = {1}, + NUMBER = {1}, + PAGES = {11--33}, + MONTH = "January-March" +} + +@proceedings{DCCA1, + TITLE = {Dependable Computing for Critical Applications}, + BOOKTITLE = {Dependable Computing for Critical Applications}, + MONTH = aug, + YEAR = 1989, + VOLUME = 4, + ADDRESS = {Santa Barbara, California}, + EDITOR = {A. Avi\v{z}ienis and J. C. Laprie}, + PUBLISHER = {Springer-Verlag, Vienna, Austria}, + SERIES = {Dependable Computing and Fault-Tolerant Systems} +} + +@BOOK{PDCS95, + EDITOR = {B. Randell and J.-C. Laprie and + H. Kopetz and B. Littlewood}, + TITLE = {Predictably Dependable Computing Systems}, + PUBLISHER = {Springer-Verlag, Berlin}, + YEAR = 1995, + SERIES = {Basic Research Series} +} + +@book{Laprie90, +Author={J.C. {Laprie, editor}}, +Title={Dependability: {A} Unifying Concept + for Reliable Computing and Fault Tolerance}, +Publisher={Springer-Verlag}, +Year={1990} } + +@InProceedings{Kopetz00, +Author={H. Kopetz}, +Title={Composability in the Time-Triggered Architecture}, +BookTitle={Proceedings of the SAE World Congress}, +Organization={SAE Press}, Address={Detroit, Michigan}, +Year={2000}, Month={}, pages={1--8}} + +@INPROCEEDINGS{Santel:pacemaker, +AUTHOR = {D. Santel and C. Trautmann and W. 
Liu}, + TITLE = {The Integration of a Formal Safety Analysis into the Software Engineering Process: An Example from the Pacemaker Industry}, + BOOKTITLE = {Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems}, + YEAR = {1988}, + PAGES = {152--154}, + ORGANIZATION = {IEEE Computer Society}, + ADDRESS = {Minneapolis, Minnesota}, + MONTH = jun +} + +@ARTICLE{lu89, + AUTHOR = {Meiliu Lu and Du Zhang and Tadai Murata}, + TITLE = {A Design Approach for Self-Diagnosis of Fault-Tolerant Clock Synchronization}, + JOURNAL = {IEEE Transactions on Computers}, + YEAR = {1989}, + VOLUME = {C-38}, + NUMBER = {9}, + PAGES = {1337--1341}, + MONTH = sep +} + +@ARTICLE{Jacky89, + AUTHOR = {Jonathan Jacky}, + TITLE = {Programmed for Disaster: Software Errors that Imperil Lives}, + JOURNAL = {The Sciences}, + YEAR = {1989}, + PAGES = {22--27}, + MONTH = {September/October} +} + +@ARTICLE{Cohn89, + AUTHOR = {Avra Cohn}, + TITLE = {The Notion of Proof in Hardware Verification}, + JOURNAL = {Journal of Automated Reasoning}, + YEAR = {1989}, + VOLUME = {5}, + NUMBER = {2}, + PAGES = {127--139}, + MONTH = jun +} + +@ARTICLE{Barwise89, + AUTHOR = {Jon Barwise}, + TITLE = {Mathematical proofs of computer system correctness}, + JOURNAL = {Notices of the AMS}, + YEAR = {1989}, + NOTE = {To appear} +} + +@MISC{00-55, +key={MoD}, + TITLE = {{U.K.} Draft Interim Defence Standards 00-55 and 00-56}, + YEAR = {1989} +} + +@BOOK{Scharbach, + EDITOR = {P.N. Scharbach}, + TITLE = {Formal Methods: Theory and Practice}, + PUBLISHER = {CRC Press}, + YEAR = {1989}, + ADDRESS = {Boca Raton, Florida} +} + +@PROCEEDINGS{CHDL89, + TITLE = {Ninth International Symposium on Computer Hardware Description Languages and their Applications}, + Year = {1989}, + EDITOR = {J.A. Darringer and F.J. Rammig}, + ORGANIZATION = {1FIP}, + ADDRESS = {Washington, D.C.}, + MONTH = jun +} + +@TECHREPORT{MMU:FDIR, + AUTHOR = {D.G. Lawler and L.J.F. 
Williams}, + TITLE = {{MMU FDIR} Automation Task}, + INSTITUTION = {McDonnell Douglas Astronautics Company}, + YEAR = {1988}, + TYPE = {Final Report}, + ADDRESS = {16055 Space Center Blvd., Houston, TX 77062}, + MONTH = feb +} + +@BOOK{GiarratanoRiley89, + AUTHOR = {Joseph Giarratano and Gary Riley}, + TITLE = {Expert Systems: Principles and Programming}, + PUBLISHER = {PWS-Kent Publishing Company}, + YEAR = {1989}, + ADDRESS = {Boston, Massachusetts} +} + +@BOOK{BFKM85, + AUTHOR = {L. Brownston and R. Farrell and E. Kant and N. Martin}, + TITLE = {Programming Expert Systems in OPS5}, + PUBLISHER = {Addison-Wesley, Reading, Massachusetts}, + ADDRESS = {Reading, Massachusetts}, + YEAR = {1985} +} + +@BOOK{Ll84, + AUTHOR = {J. Lloyd}, + TITLE = {Foundations of Logic Programming}, + PUBLISHER = {Springer-Verlag, Berlin}, + YEAR = {1984} +} + +@INPROCEEDINGS{Mo89, + AUTHOR = {C.K. Mohan}, + TITLE = {Priority rewriting: semantics, confluence, and conditionals}, + BOOKTITLE = {Proceedings of the Third International Conference +on Rewriting Techniques and Applications}, + YEAR = {1989}, + PAGES = {278--291}, + ADDRESS = {Chapel Hill, NC} +} + +@ARTICLE{Ve77, + AUTHOR = {S.A. Vere}, + TITLE = {Relational production systems}, + JOURNAL = {Artificial Intelligence}, + YEAR = {1977}, + VOLUME = {8}, + NUMBER = {1}, + PAGES = {47--68}, + MONTH = feb +} + +@inProceedings{SDOS, +author={R. {Wong et al.}}, +title={The {SDOS} System: {A} {S}ecure {D}istributed {O}perating {S}ystem Prototype}, +Booktitle={Proceedings of the Twelfth National Computer Security Conference}, +month=oct, +year=1989, note="USE Wong+89 instead."} + +@Article{McCullough90, +Author={D. McCullough}, Title={A Hookup Theorem for Multilevel Security}, +Journal={IEEE Transactions on Software Engineering}, Volume=16, Number=6, +month=jun, year=1990, pages={563-568} } + +@Article{S5, +Author={M. Akey and K. Dunkelberger and R. C. 
Erdman}, +Title={Case Studies in Tactical Decision Support Systems}, +Journal={Signal}, +Volume={XL(10)}, +Pages={73+}, +Month=jun, +Year=1986 } + +@InProceedings{DenningAkl87, +Author={S.G. Akl and D.E. Denning}, +Title={Checking Classification Constraints for Consistency and Completeness}, +Book@title={Proceedings of the 1987 IEEE Symposium on Security and Privacy}, +Month=apr, +Year=1987 } + +@TechReport{ANDE72, +Author={J.P. Anderson}, +Title={Computer Security Technology Planning Study}, +Institution={ESD/AFSC, Hanscom AFB}, +number={ESD-TR-73-51}, +Address={Bedford, Massachusetts}, +Month=oct, +Year=1972 } + +@TechReport{Anderson80, +Author={J.P. Anderson}, +Title={Computer Security Threat Monitoring and Surveillance}, +Institution={James P. Anderson Company}, +Address={Fort Washington, Pennsylvania}, +Month=apr, +Year=1980 } + +@InProceedings{GajnakRADC88, +Author={G.E. Gajnak}, +Title={Some Results from the Entity Relationship Multilevel Secure DBMS Project}, +Booktitle={Research Directions in Database Security (T.F. Lunt, ed.)}, +Year={forthcoming} } + +@TechReport{Gajnak87, +Author={AOG Systems and Gemini Computers}, +Title={Multilevel Secure Entity-Relationship Database Management System: + Security Policy and Interpretation}, +Institution={AOG Systems and Gemini Computers}, +type={Draft Report}, +Month=aug, +Year=1987 } + +@TechReport{AOG88, +author={AOG Systems Corporation and Gemini Systems Inc.}, +title={Multilevel Secure Entity-Relationship DBMS}, +type={Draft}, +institution={AOG Systems Corporation}, +month={May 19}, +year=1988 } + +@Article{SystemR, +Author={M.M. Astrahan and others}, +Title={System {R}: A Relational Database Management System}, +Journal={Computer}, +Volume=12, +number=5, +Year=1979 } + +@Article{BANE87, +author={J. Banerjee and H.-T. Chou and J. F. Garza and W. Kim and D. Woelk and N. Ballou and H.-J. 
Kim}, +title={Data Model Issues for Object-Oriented Applications}, +Journal={ACM Transactions on Office Information Systems}, +volume=5, +number=1, +month=jan, +year=1987 } + +@misc{AW6, +Title={Rome Air Development Center Focuses on Expert Systems Applications for C3, Natural Speech Technology}, +Journal={Aviation Week}, +Volume={CXXII(16)}, +pages=84, +month={April 22}, +year=1985 } + +@misc{AW7, +Title={{DARPA}'s Pilot's Associate Program Provides Development Challenges}, +Journal={Aviation Week}, +Volume={CXXIV(7)}, +pages=45, +month={February 17}, +year=1988 } + +@misc{AW8, +Title={{AFIT} Seeks Tactical Aid based on {AI}}, +Journal={Aviation Week}, +Volume={CXXIV(7)}, +pages={61+}, +month={February 17}, +year=1986 } + +@misc{AW5, +Title={Navy Looks Toward Operational Applications}, +Journal={Aviation Week}, +Volume={CXXII(16)}, +pages=67, +month={April 22}, +year=1985 } + +@misc{AW9, +Title={Boeing Accelerates Research, Dissemination of Technology}, +Journal={Aviation Week}, +Volume={CXXIV(7)}, +pages={71+}, +month={February 17}, +year=1986 } + +@misc{Beck80, +Author={L.L. Beck}, +Title={A security mechanism for statistical databases}, +Journal={ACM Transactions on Database Systems}, +Volume=5, +Number=3, +month=sep, +year=1980 } + +@InProceedings{BersonLuntIEEE87, +Author={T.A. Berson and T.F. Lunt}, +Title={Multilevel Security for Knowledge-Based Systems}, +Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy}, +Month=apr, +Year=1987 } + +@InProceedings{BersonLuntClassi87, +Author={T.F. Lunt and T.A. Berson}, +Title={An Expert System to Classify and Sanitize Text}, +Booktitle={Proceedings of the Third Aerospace Computer Security Conference}, +Month=dec, +Year=1987 } + +@TechReport{Biba, +Key="Biba", Author="K.J. 
Biba", Institution="The Mitre Corporation", +Title="Integrity Considerations for Secure Computer Systems", +Year="1975", Month=jun, Number="MTR 3153", Address="Bedford, Massachusetts" , +Note = {Also available from USAF Electronic Systems Division, Bedford, Massachusetts, +as ESD-TR-76-372, April 1977.} } + +@TechReport{Biba77, +Author={K.J. Biba}, +Title={Integrity Considerations for Secure Computer Systems}, +Institution={USAF Electronic Systems Division}, +Address={Bedford, Massachusetts}, +number={ESD-TR-76-372}, +Month=apr, +Year=1977 } + +@InProceedings{BlakleyDatabase85, +Author={G.R. Blakley and C. Meadows}, +Title={A Database Encryption Scheme which allows the Computation of Statistics using Encrypted Data}, +Booktitle={Proceedings of the 1985 IEEE Symposium on Security and Privacy}, +Month=apr, +Year=1985 } + +@InProceedings{BarkerCryptTMach88, +Author={W.C. Barker and P.S. Cochrane and M.A. Branstad}, +Title={Embedding Cryptography into a {T}rusted {M}ach System}, +Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference}, +Month=dec, +Year=1988 } + +@InProceedings{Burns86, +Author={R. Burns}, +Title={Towards practical {MLS} database management systems using the integrity lock technology}, +Booktitle={Proceedings of the Ninth National Computer Security Conference}, +Year=1986, Month=sep } + +@InProceedings{Casey88, +Author={T.A. {Casey, Jr.} and S.T. Vinter and D.G. Weber and R. Varadarajan and D. Rosenthal}, key={Casey}, +Title={A Secure Distributed Operating System}, +Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy}, +Month=apr, +Year=1988 } + +@InProceedings{Varadarajan89, +author= {R. {Varadarajan et al.}}, key={Varadarajan}, +title={The {S}ecure {D}istributed {O}perating {S}ystem: An Overview}, +Booktitle={1989 Workshop on Operating Systems for Mission Critical Computing, +University of Maryland}, Month=sep, Year={1989} } + +@TechReport{SDOS88, +Author={T.R. 
{Vinter et al.}}, key={Vinter}, +Title={The {S}ecure {D}istributed {O}perating {S}ystem Design Project}, +Institution={Rome Air Development Center}, +Address={Griffiss Air Force Base, NY}, +number={RADC-TR-88-127}, +Month=jun, Year={1988} } + +@TechReport{Schneider+90, +Author={E.A. Schneider and S. Perlo and D. Rosenthal}, +Title={Discretionary Access Control Mechanisms for Distributed Systems}, +Institution={Rome Air Development Center}, +Address={Griffiss Air Force Base, NY}, +number={RADC-TR-90-275}, +Month=nov, Year={1990} } + +@InProceedings{Chau87, +Author={R. Chau and J.I. Glasgow and M.A. Jenkins}, +Title={A Framework for Knowledge-Based Systems in {N}ial}, +Booktitle={Proceedings of the IEEE Phoenix Conference on Computers and Communications}, +Year=1987 } + +@InProceedings{Chen81, +Author={P.P. Chen}, +chapter={A Preliminary Framework for Entity-Relationship Models}, +Booktitle={Entity-Relationship Approach to Information Modeling and Analysis}, +publisher={ER Institute}, +Year=1981 } + +@Article{Chin82, +Author={F.Y. Chin and G. Ozsoyoglu}, +Title={Auditing and inference control in statistical databases}, +Journal={IEEE Transactions on Software Engineering}, +Volume=8, +Number=6, +month=nov, +year=1982 } + +@InProceedings{Chin79, +Author={F.Y. Chin and G. Ozsoyoglu}, +Title={Security in partitioned dynamic statistical databases}, +Booktitle={Proceedings of the IEEE COMPSAC Conference}, +Year=1979 } + +@Article{Chin81, +Author={F.Y. Chin and G. Ozsoyoglu}, +Title={Statistical database design}, +Journal={ACM Transactions on Database Systems}, +month=mar, +year=1981 } + +@InProceedings{Claybrook83, +Author={B.G. Claybrook}, +Title={Using Views in a Multilevel Secure Database Management System}, +Booktitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy}, +Year=1983 } + +@InProceedings{ClydeInsider87, +Author={A.R. 
Clyde}, +Title={Insider Threat Identification Systems}, +Booktitle={Proceedings of the 10th National Computer Security Conference}, +month=sep, +Year=1987 } + +@Article{Codd70, +Author={E.F. Codd}, +Title={A Relational Model for Large Shared Data Banks}, +Journal={Communications of the ACM}, +volume=13, +number=6, +month=jun, +year=1970 } + +@Article{Codd79, +Author={E.F. Codd}, +Title={Extending the Database Relational Model to Capture More Meaning}, +Journal={ACM Transactions on Database Systems}, +volume=4, +number=6, +month=dec, +year=1979 } + +@Article{Conway72, +Author={R.W. Conway and W.L. Maxwell and H.L. Morgan}, +Title={On the implementation of security measures in information systems}, +Journal={Communications of the ACM}, +volume=15, +number=4, +month=apr, +year=1972 } + +@TechReport{Cox78, +Author={L.H. Cox}, +Title={Suppression Methodology and Statistical Disclosure Control}, +type={Technical Report~Confidentiality in Surveys}, +number=26, +Institution={Department of Statistics, University of Stockholm}, +Address={Stockholm, Sweden}, +Month=jan, +Year=1978 } + +@Article{Cox80, +Author={L.H. Cox}, +Title={Suppression methodology and statistical disclosure control}, +Journal={J. Amer. Stat. Assoc.}, +volume=75, +number=370, +month=jun, +year=1980 } + +@TechReport{Cox81, +Author={L.H. Cox and L.R. Ernst}, +Title={Controlled Rounding}, +type={Technical Report}, +Institution={U.S. Bureau of the Census}, +Address={Washington, D.C.}, +Month=jan, +Year=1981 } + +@TechReport{EHDMUserguide, +Author={J.S. Crow and S.T. Jefferson and R. Lee and P.M. Melliar-Smith and J.M. Rushby and R.L. Schwartz and R.E. Shostak and F.W. von Henke}, +Title={SRI Specification and Verification System Version 3.1 - User's Guide}, +Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, +Month=oct, +Year=1986 } + +@TechReport{EHDMLanguage, +Author={J.S. Crow and S.T. Jefferson and R. Lee and P.M. Melliar-Smith and J.M. Rushby and R.L. 
Schwartz and R.E. Shostak and F.W. von Henke}, +Title={SRI Specification and Verification System Version 3.0 - Preliminary Definition of the Revised SPECIAL Specification Language}, +Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, Month=may, +year=1986 } + +@misc{IEEEComputer86, +title={Special Issue on Expert System Applications}, +Journal={Computer}, +month=jul, +year=1986 } + +@TechReport{CCA85, +Author={CCA}, +Title={Robust Distributed Database Update System}, +type={Interim Technical Report}, +Institution={CCA}, +Month=feb, +year=1985 } + +@article{DSL7, +title={Silicon {V}alley Group Holds Second Meeting}, +journal={Data Security Letter}, +editor={T.F. Lunt}, +volume=1, +number=7, +month=jan, +year=1989 } + +@InProceedings{DaleniusReiss79, +Author={T. Dalenius and S.P. Reiss}, +Title={Data-swapping -- a technique for disclosure control}, +Booktitle={Proceedings of the Section on Survey Research Methods}, +organization={American Statistics Association}, +address={Washington, D.C.}, +Year=1979 } + +@Book{Date83, +Author={C.J. Date}, +Title={An Introduction to Database Systems}, +volume={II}, +publisher={Addison-Wesley, Reading, Massachusetts}, +year=1983 } + +@Book{Date86, +Author={C.J. Date}, +Title={An Introduction to Database Systems}, +volume={I}, +edition={Fourth}, +publisher={Addison-Wesley}, +address={Reading, Massachusetts}, +year=1986 } + +@Article{Davida81, +Author={G.I. Davida and D.L. Wells and J.B. Kam}, +Title={A Database Encryption System with Subkeys}, +Journal={ACM Transactions on Database Systems}, +volume=6, +number=2, +month=jun, +year=1981 } + +@Article{DAVID84, +Author={S.B. Davidson}, +Title={Optimism and Consistency in Partitioned Distributed Database Systems}, +Journal={ACM Transactions on Database Systems}, +volume=9, +number=3, +month=sep, +year=1984 } + +@Article{DAVID85, +Author={S.B. Davidson and H. Garcia-Molina and D. 
Skeen}, +Title={Consistency in Partitioned Networks}, +Journal={ACM Computing Surveys}, +volume=17, +number=3, +month=sep, +year=1985 } + +@misc{Davison88, +Author={J.W. Davison}, +title={Implementation Design for a Kernelized Trusted DBMS}, +booktitle={Research Directions in Database Security}, +editor={T.F. Lunt}, +note={to appear} } + +@InProceedings{Delisle86, +Author={N. Delisle and M. Schwartz}, +Title={Neptune: A Hypertext System for {CAD} Applications}, +Booktitle={ACM SIGMOD Conference Proceedings}, +Year=1986 } + +@Article{DenningTracker79, +Author={D.E. Denning and P.J. Denning and M.D. Schwartz}, +Title={The {T}racker: a Threat to Statistical Database Security}, +Journal={ACM Transactions on Database Systems}, +volume=4, +number=1, +month=mar, +year=1979 } + +@Article{DenningFast80, +Author={D.E. Denning and J. Schlorer}, +Title={A fast procedure for finding a tracker in a statistical database}, +Journal={ACM Transactions on Database Systems}, +volume=5, +number=1, +month=mar, +year=1980 } + +@Article{DenningRSQ80, +Author={D.E. Denning}, +Title={Secure Statistical Databases under Random Sample Queries}, +Journal={ACM Transactions on Database Systems}, +volume=5, +number=3, +month=sep, +year=1980 } + +@Article{DenningMemoryless82, +Author={D.E. Denning and J. Schlorer and E. Wehrle}, +Title={Memoryless inference controls for statistical databases}, +Journal={ACM Transactions on Database Systems}, +year=1982 } + +@misc{DenningWorking82, +Author={D.E. Denning}, +title={Multilevel Secure Database Systems: Requirements and Model}, +type={Working Paper}, +organization={NAS/AFSB Summer Study on Multilevel Databases}, +year=1982 } + +@Book{DenningBook82, +Author={D.E. Denning}, +Title={Cryptography and Data Security}, +publisher={Addison-Wesley}, +address={Reading, Massachusetts}, +year=1982 } + +@Article{DenningInference83, +Author={D.E. Denning and J. 
Schlorer}, +Title={Inference controls for statistical database security}, +Journal={Computer}, +volume=16, +number=7, +month=jul, +year=1983 } + +@InProceedings{DenningField83, +Author={D.E. Denning}, +Title={Field Encryption and Authentication}, +Booktitle={Proceedings of CRYPTO '83}, +publisher={Plenum Press}, +Year=1983 } + +@InProceedings{DenningModel83, +Author={D.E. Denning}, +Title={A Security Model for Statistical Databases}, +Booktitle={Proceedings of the Second International + Workshop on Statistical Database Management}, +organization={Lawrence Berkeley Laboratory}, +month=sep, +Year=1983 } + +@InProceedings{DenningChecksums84, +Author={D.E. Denning}, +Title={Cryptographic Checksums for Multilevel Data Security}, +Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy}, +Year=1984 } + +@InProceedings{DenningCommutative85, +Author={D.E. Denning}, +Title={Commutative Filters for Reducing Inference Threats in Multilevel + Database Systems}, +Booktitle={Proceedings of the 1985 IEEE Symposium on Security and Privacy}, +Year=1985 } + +@InProceedings{DenningSafety86, +Author={D.E. Denning}, +Title={Secure Databases and Safety: Some Unexpected Conflicts}, +Booktitle={Proceedings of the Safety and Security Symposium}, +organization={Centre for Software Reliability}, +month=oct, +Year=1986 } + +@InProceedings{DenningInfer86, +Author={D.E. Denning}, +Title={The Inference Problem in Multilevel Database Systems}, +Booktitle={Proceedings of the National Computer Security Center +Invitational Workshop on Database Management Security}, +month=jun, +Year=1986 } + +@TechReport{DenningCECOM86, +Author={D.E. Denning and M. Morgenstern}, +Title={Military Database Technology Study: AI Techniques for + Security and Reliability}, +Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, +Year=1986 } + +@TechReport{IDESFinal87, +Author={D.E. Denning and D.L. Edwards and R. Jagannathan and T.F. Lunt and P.G. 
+Neumann}, Title={A Prototype {IDES}: A Real-Time Intrusion-Detection Expert +System}, Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, Year=1987 } + +@Article{IDES87, +Author={D.E. Denning}, +Title={An Intrusion-Detection Model}, +Journal={IEEE Transactions on Software Engineering}, +volume=13, +number=2, +month=feb, +year=1987 } + +@InProceedings{DenningSocial87, +Author={D.E. Denning and P.G. Neumann and Donn B. Parker}, +Title={Social Aspects of Computer Security}, +Booktitle={Proceedings of the 10th National Computer Security Conference}, +month=sep, +Year=1987 } + +@Article{DenningViews87, +Author={D.E. Denning and S.G. Akl and M. Heckman and T.F. Lunt and M. Morgenstern and P.G. Neumann and R.R. Schell}, +Title={Views for Multilevel Database Security}, +Journal={IEEE Transactions on Software Engineering}, +volume=13, +number=2, +month=feb, +year=1987 } + +@InProceedings{DenningDataModel87, +Author={D.E. Denning and T.F. Lunt and R.R. Schell and M. Heckman and W.R. Shockley}, +Title={A Multilevel Relational Data Model}, +Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy}, +month=apr, +Year=1987 } + +@misc{DenningLessons87, +author={D.E. Denning}, +title={Lessons Learned from Modeling a Secure Multilevel Relational Database System}, +type={draft report}, +Institution={Computer Science Laboratory, SRI International}, +Address={Menlo Park, California}, +Year=1987 } + +@InProceedings{DenningModel88, +Author={D.E. Denning and T.F. Lunt and R.R. Schell and W.R. Shockley and M. Heckman}, +Title={The {SeaView} Security Model}, +Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy}, +month=apr, +Year=1988 } + +@Article{DeKleer86, +Author={J. de Kleer}, +Title={An Assumption-Based {TMS}}, +Journal={Artificial Intelligence Journal}, +volume=28, +number=2, +month=mar, +year=1986 } + +@InProceedings{Dillaway86, +Author={B.B. Dillaway and J.T. 
Haigh}, +Title={A Practical Design for a Multilevel Secure Database Management System}, +Booktitle={Proceedings of the Second Aerospace Computer Security Conference}, +month=dec, +Year=1986 } + +@Article{Dobkin79, +Author={D. Dobkin and A.K. Jones and R.J. Lipton}, +Title={Secure databases: protection against user inference}, +Journal={ACM Transactions on Database Systems}, +volume=4, +number=1, +month=mar, +year=1979 } + +@InProceedings{Downs77, +Author={D.Downs and G.J. Popek}, +Title={A Kernel Design for a Secure Data Base Management System}, +Booktitle={Proceedings of the Third Conference on Very Large Data Bases}, +Year=1977 } + +@TechReport{Duffy85, +Author={K.J. Duffy and J. Sullivan}, +Title={Integrity Lock Prototype}, +type={Technical Report}, +Institution={The Mitre Corporation}, +Address={Bedford, Massachusetts}, +month=dec, +Year=1985 } + +@TechReport{HoneywellPolicy87, +author={B.B. Dillaway and others}, +Title="Security Policy Extensions for a Database Management System", +type={Interim Report A002}, +institution="Honeywell Systems Research Center and + Corporate Systems Development Division", +Month=apr, +Year=1987 } + +@InProceedings{Dittrich88, +Author={K.R. Dittrich and M. Hartig and H. Pfefferle}, +Title={Discretionary Access Control in Structurally Object-Oriented Database Systems}, +Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@TechReport{Dwyer88, +author={P. Dwyer and E. Onuegbe and B.M. Thuraisingham}, +Title="Design of a Query Processor for a Multilevel Secure Relational Database Management System", +type={Technical Report}, +institution="Honeywell Systems Research Center and + Corporate Systems Development Division", +Year=1988 } + +@Article{Dwyer87, +Author={P.A. Dwyer and G.D. Jelatis and B.M. 
Thuraisingham}, +Title={Multilevel Security in Database Management Systems}, +Journal={Computers and Security}, +volume=6, +number=3, +month=jun, +year=1987 } + +@TechReport{HoneywellSpec88, +author={P.Dwyer and E. Onuegbe and P. Stachour and B. Thuraisingham}, +Title="Secure Distributed Data Views: Implementation Specifications", +type={Interim Report A005}, +institution="Honeywell Systems Research Center and + Corporate Systems Development Division", +Month=may, +Year=1988 } + +@Article{Erman80, +Author={L.D. Erman and F. Hayes-Roth and V.R. Lesser and D.R. Reddy}, +Title={The {H}earsay-{II} Speech Understanding System: Integrating Knowledge to Resolve Uncertainty}, +Journal={Computing Surveys}, +volume=12, +month=jun, +year=1980 } + +@InProceedings{Erman86, +Author={L.D. Erman and J.S. Lark and F. Hayes-Roth}, +Title={Engineering Intelligent Systems: Progress Report on {ABE}}, +Booktitle={Proceedings of the DARPA Expert Systems Workshop}, +month=apr, +Year=1986 } + +@TechReport{ECMA85, +author={European Computer Manufacturers' Assocation, Technical Committee 29}, +Title="Office Document Architecture", +type={Standard ECMA-101}, +address={Geneva}, +Month=sep, +Year=1985 } + +@Article{Fagin78, +Author={R. Fagin}, +Title={On an authorization mechanism}, +Journal={ACM Transactions on Database Systems}, +volume=3, +number=3, +month=sep, +year=1978 } + +@Book{Fernandez81, +Author={E.B. Fernandez and R.C. Summers and C. Wood}, +Title={Database Security and Integrity}, +publisher={Addison-Wesley}, +address={Reading, Massachusetts}, +year=1981 } + +@InProceedings{FISCH82, +Author={M.J. Fischer and A. 
Michael}, +Title={Sacrificing Serializability to Attain High Availability of Data + in an Unreliable Network}, +Booktitle={Proceedings of the ACM SIGACT-SIGMOD Symposium on + Principles of Database Systems}, +Year=1982 } + +@Book{Fodor, +Author={Fodor's Travel Guides}, +Title={FODOR's Germany West and East 1986}, +publisher={Fodor}, +year=1986, +note={page 443} } + +@Article{S4, +Author={J.P. Flynn and T.E. Senator}, +Title={DARPA Naval Battle Management Applications}, +Journal={Signal}, +volume={XL(10)}, +pages={59+}, +month=jun, +year=1986 } + +@InProceedings{Froscher88, +Author={J.N. Froscher and C. Meadows}, +Title={Achieving a Trusted Database Management System Using Parallelism}, +Booktitle={Proceedings of the 1988 IFIP WG 11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@InProceedings{Gajnak88, +Author={G.E. Gajnak}, +Title={Some Results from the Entity/Relationship Multilevel Secure {DBMS} Project}, +Booktitle={Proceedings of the Fourth Aerospace Computer Security + Applications Conference}, +month=dec, +Year=1988 } + +@InProceedings{GARCI83, +Author={H. Garcia-Molina and others}, +Title={Data-{P}atch: Integrating Inconsistent Copies of a Database After a Partition}, +Booktitle={Proceedings of the Third IEEE Symposium on Reliability +in Distributed Software and Database Systems}, +Year=1983 } + +@InProceedings{GARV88, +Author={C. Garvey and N. Jenson and J. Wilson}, +Title={The Advanced Secure {DBMS}: Making Secure {DBMS}s Usable}, +Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@TechReport{Garvey86, +author={C. Garvey}, +Title="Multilevel Data Store Design ({MLDS})", +type={Technical Report}, +institution="TRW Defense Systems Group", +Year=1986 } + +@InProceedings{Garvey88, +Author={C. Garvey}, +Title={{ASD} Views}, +Booktitle={Proceedings of the 1988 IEEE Symposium on Security and + Privacy}, +month=apr, +Year=1988 } + +@InProceedings{Ginsberg87, +Author={A. 
Ginsberg}, +Title={A New Approach to Checking Knowledge Bases for Inconsistency and Redundancy}, +Booktitle={Proceedings of the Third Expert Systems in Government Conference}, +Year=1987 } + +@InProceedings{Ginsberg88, +Author={A. Ginsberg}, +Title={Knowledge-Base Reduction: A New Approach to Checking Knowledge-Bases for +Inconsistency and Redundancy}, +Booktitle={Proceedings of the AAAI 88}, +volume=2, +Year=1988 } + +@InProceedings{Goguen84, +Author={J.A. Goguen and J. Meseguer}, +Title={Unwinding and Inference Control}, +Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy}, +Year=1984 } + +@InProceedings{Graham72, +Author={G.S. Graham and P.J. Denning}, +Title={Protection: Principles and Practice}, +Booktitle={Proceedings of the Spring Joint Computer Conference}, +volume=40, +publisher={AFIPS Press}, +address={Montvale, New Jersey}, +Year=1972 } + +@InProceedings{Graubart82, +Author={R.D. Graubart and J.P.L. Woodward}, +Title={A Preliminary Naval Surveillance {DBMS} Security Model}, +Booktitle={Proceedings of the 1982 IEEE Symposium on Security and Privacy}, +month=apr, +Year=1982 } + +@InProceedings{Graubart84, +Author={R.D. Graubart}, +Title={The integrity-lock approach to secure database management}, +Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy}, +Year=1984 } + +@Article{Griffiths76, +Author={P.P. Griffiths and B.W. Wade}, +Title={An Authorization Mechanism for a Relational Database System}, +Journal={ACM Transactions on Database Systems}, +volume=1, +number=3, +pages={59+}, +month=sep, +year=1976 } + +@TechReport{Grohn76, +author={M.J. Grohn}, +Title="A Model of a Protected Data Management System", +type={Technical Report}, +number={ESD-TR-76-289}, +institution="I.P. Sharp Associates Ltd.", +month=jun, +Year=1976 } + +@Book{LifeBerlin, +Author={Fredric V. Grunfeld and the Editors of Time-Life Books}, +Title={Berlin}, +publisher={Time-Life Books}, +year=1977 } + +@TechReport{Gusfield84, +author={D. 
Gusfield}, +Title="A Graph Theoretic Approach to Statistical Data Security", +type={Technical Report}, +number={327}, +institution="Computer Science Department, Yale University", +month=aug, +Year=1984 } + +@Article{DR87, +Author={D.W. Haskin}, +Title={Keeping Watch on a {VAX}}, +Journal={Digital Review}, +month={December 16}, +year=1987 } + +@Book{Hayes-RothBook, +editor={F. Hayes-Roth and D.A. Waterman and D.B. Lenat}, +Title={Building Expert Systems}, +publisher={Addison-Wesley}, +address={Reading, Massachusetts}, +year=1983 } + +@TechReport{Heitmeyer85, +Author={C.L. Heitmeyer and M. Cornwell}, +Title={Specifications for Three Members of the Military Message System {(MMS)} + Family}, Institution={Naval Research Laboratory}, +type={{NRL} Memorandum Report 5645}, +day={9}, month=sep, +Year=1985 } + +@TechReport{Heitmeyer86, +Author={C.L. Heitmeyer}, +Title={Requirements for the Military Message System Family: Data Types and User Commands}, +Institution={Naval Research Laboratory}, +type={{NRL} Memorandum Report 5670}, +day={11}, month=apr, +Year=1986 } + +@TechReport{HinkeSchaefer, +Author="T.H. Hinke and M. Schaefer", +Title="Secure Data Management System", Note = "RADC-TR-266 (NTIS AD A019201)", +Institution="Rome Air Development Center", Month=nov, Year="1975"} + +@InProceedings{Hinke86, +Author={T.H. Hinke}, +Title={Secure database management system architectural analysis}, +Booktitle={Proceedings of the National Computer Security Center Invitational + Workshop on Database Management Security}, +month=jun, +Year=1986 } + +@InProceedings{HINK88b, +Author={T.H. Hinke and C. Garvey and N. Jensen and J. Wilson and A. Wu}, +Title={A1 Secure {DBMS} Design}, +Booktitle={Proceedings of the Eleventh National Computer Security Conference - Appendix}, +month=oct, +Year=1988 } + +@InProceedings{HINK88c, +Author={T.H. 
Hinke}, +Title={Database Inference Engine Design Approach}, +Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@InProceedings{Hinke88, +Author={T.H. Hinke}, +Title={Inference Aggregation Detection in Database Management Systems}, +Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy}, +month=apr, +Year=1988 } + +@InProceedings{Hinke88b, +Author={T.H. Hinke and C. Garvey and A. Wu}, +Title={A1 Secure {DBMS} Architecture}, +Booktitle={Research Directions in Database Security}, +editor={T.F. Lunt}, +year={forthcoming} } + +@Article{Hoffman70, +Author={L.J. Hoffman and W.F. Miller}, +Title={Getting a personal dossier from a statistical data bank}, +Journal={Datamation}, +volume=16, +number=5, +month=may, +year=1970 } + +@book{InvitationalWorkshop, +title={Proceedings of the National Computer Security Center Invitational Workshop on Database Security}, +address={Baltimore, Maryland}, +month=jun, +year=1986 } + +@Article{IrvingMonitoring86, +Author={R.H. Irving and C.A. Higgins and F.R. Safayeni}, +Title={Computerized Performance Monitoring Systems: Use and Abuse}, +Journal={Communications of the ACM}, +volume=29, +number=8, +year=1986 } + +@TechReport{Javitz86, +author={H.S. Javitz and A. Valdes and D.E. Denning and P.G. Neumann}, +Title="Analytical Techniques Development for a Statistical Intrusion-Detection System ({SIDS}) based on Accounting Records", +institution="SRI International", +address={Menlo Park, California}, +month=jul, +Year=1986 +} + +@InProceedings{JENS88, +Author={N. Jensen}, +Title={System Security Officer Functions in the A1 Secure DBMS}, +Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@Article{DE1, +Author={J.F. Judge}, +Title={{SCP} Gets High Marks at Midterm}, +Journal={Defense Electronics}, +volume={XVII(5)}, +pages={65+}, +month=may, +year=1986 } + +@TechReport{Kao86, +author={M. 
Kao}, +Title="Systematic Protection of Precise Information on Two-Dimensional + Cross Tabulated Tables", +type={Technical Report}, +institution="Computer Science Department, Yale University", +Year=1986 } + +@Article{Kohonen88, +Author={T. Kohonen}, +Title={The ``Neural'' Phonetic Typewriter}, +Journal={Computer}, +month=mar, +year=1988 } + +@Article{Kung81, +Author={H.T. Kung and J.T. Robinson}, +Title={On Optimistic Methods for Concurrency Control}, +Journal={ACM Transactions on Database Systems}, +volume=6, +number=2, +month=jun, +year=1981 } + +@InProceedings{Lampson71, +Author={B.W. Lampson}, +Title={Protection}, +Booktitle={Proceedings of the + Fifth Princeton Symposium on Info. Sci. and Systems}, +month=mar, +Year=1971, +note={Reprinted in ACM Operating Systems Review, Vol. 8 (1), January 1974} } + + +@Book{LaurieBook, +editor={P. Laurie}, +Title={Beneath City Streets}, +publisher={Penguin Books}, +address={Reading, Massachusetts}, +year={circa 1970}, +note={This book's fascinating contents apparently offer an example of what security types call an ``aggregation problem.'' It is out of print} } + +@book{Lehner, +author={P.E. Lehner and T.M. Mullin and M.S. Cohen}, +title={When Should a Decision Maker Ignore the Advise of a Decision Aid?}, +year={to appear} } + +@Article{S9, +Author={L.B. Lenat and A. Clarkson}, +Title={Artificial Intelligence and {C3I}}, +Journal={Signal}, +volume={XL(10)}, +pages={115-119}, +month=jun, +year=1986 } + +@InProceedings{Linde75, +Author={R.R. Linde}, +Title={Operating System Penetration}, +Booktitle={Proceedings of the National Computer Conference}, +Year=1975 } + +@InProceedings{Lochovsky, +author={F.H. Lochovsky and C.C. Woo}, +title={Role-Based Security in Data Base Management Systems}, +booktitle={Database Security: Status and Prospects}, +editor={C.E. Landwehr}, +publisher={North-Holland}, +year=1988 } + +@article{DSL4TDI, +title={A First Glimpse at the {TDI}}, +journal={Data Security Letter}, +editor={T.F. 
Lunt}, +Volume=1, +number=4, +month=aug, +year=1988 } + +@InProceedings{LuntIDES89a, +Author={T.F. Lunt and R. Jagannathan and R. Lee and A. Whitehurst and S. Listgarten}, +Title={Knowledge-Based Intrusion Detection}, +Booktitle={Proceedings of the 1989 AI Systems in Government Conference}, +month=mar, +Year=1989 } + +@InProceedings{LuntIDES89b, +Author={T.F. Lunt}, +Title={Real-Time Intrusion Detection}, +Booktitle={Proceedings of the COMPCON Spring '89}, +month=mar, +Year=1989 } + +@TechReport{IDESFinal88, +author={T.F. Lunt and R. Jagannathan and R. Lee and S. Listgarten and D.L. Edwards and P.G. Neumann and H.S. Javitz and A. Valdes}, +Title="Development and Application of {IDES}: A Real-Time Intrusion-Detection + Expert System", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1988 } + +@TechReport{IDESFinal92, +author={T.F. Lunt and A. Tamaru and F. Gilham and R. Jagannathan +and C. Jalali and P.G. Neumann and H.S. Javitz and A. Valdes}, +Title="{A Real-Time Intrusion-Detection Expert System} {(IDES)}", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={28}, month={February}, Year=1992 } + +@TechReport{NIDES-SDD93, +author={R. Jagannathan and T.F. Lunt and D. Anderson and C. Dodd and +F. Gilham and C. Jalali and H.S. Javitz and P.G. Neumann and +A. Tamaru and A. Valdes}, +Title="System {Design} {Document}: {Next-generation Intrusion-Detection +Expert System} {(NIDES)}", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={9}, month={March}, Year=1993 } + +@TechReport{Safeguard93, +author={D. Anderson and T. Lunt and H. Javitz and A. Tamaru and A. 
Valdes}, +Title={Safeguard Final Report: Detecting Unusual Program Behavior Using +the {NIDES} Statistical Component}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={2}, month=dec, Year=1993 } + +@TechReport{Javi94, +author={H.S. Javitz and A. Valdes}, +Title={The {NIDES} Statistical Component Description and Justification}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, Month=mar, Year=1994 } + +@TechReport{CalderaraKo, +author={A.B. Calderara and Hai-Ping Ko}, +Title={Intrusion Detection with {NIDES} in a Simulated Environment}, +institution="GTE Government Systems Corporation", +address={Needham, Massachusetts}, Month={}, Year=1995 } + +@TechReport{NIDES-SOUI93, +author={D. Anderson and C. Dodd and +F. Gilham and C. Jalali and A. Tamaru and M. Tyson}, +Title="Next-generation Intrusion-Detection Expert System {(NIDES)}: +User Manual for Security Officer User Interface {(SOUI)}", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={26}, month={March}, Year=1993 } + +@TechReport{NIDES-SOUI94, +author={D. Anderson and T. Frivold and A. Tamaru and A. Valdes}, +Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}: +User Manual for Security Officer User Interface {(SOUI)}", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={19}, month={May}, Year=1994 } + +@TechReport{NIDES-final94, +author={D. Anderson and T. Frivold and A. Valdes}, +Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}: +Final Technical Report", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, day={16}, month=nov, Year=1994 } + +@TechReport{NIDES95, +author={D. Anderson and T. Frivold and A. 
Valdes}, +Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California, SRI-CSL-95-07}, Month=may, Year=1995 } + +@TechReport{EMERALD1xxx, +author={P.A. Porras and P.G. Neumann}, +Title={{EMERALD: Event Monitoring Enabling Responses to Anomalous Live + Disturbances}}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, Month=feb, Year=1997, +Note = {Submitted for publication.} } + +@TechReport{EMERALD2, +author={P.A. Porras and P.G. Neumann}, +Title={{EMERALD Message System Requirements Statement}}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, Month=feb, Year=1997} + +@InProceedings{PorrasNeumann97, +Author = "P.A. Porras and P.G. Neumann", +Title = "{{EMERALD: Event Monitoring Enabling Responses to Anomalous + Live Disturbances}}", +Booktitle= + "Proceedings of the Nineteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997", +Pages="353--365", Month = "22-25 October" } + +@InProceedings{PorrasValdes97, +Author = "P.A. Porras and A. Valdes", +Title = "Live Traffic Analysis of {TCP/IP} Gateways", +Booktitle= "Proceedings of the Symposium on Network and + Distributed System Security", +Organization = "Internet Society", Year = "1998", +Pages="", Month = mar } + +@InProceedings{NeumannPorras99, +Author={P.G. Neumann and P.A. Porras}, +Title={Experience with {EMERALD} to Date}, +BookTitle={Proceedings of the First USENIX Workshop on +Intrusion Detection and Network Monitoring}, +Organization={USENIX}, Address={Santa Clara, California}, +Year={1999}, Month=apr, pages={73--80}, +Note = {Best paper}, +url = "http://www.csl.sri.com/neumann/det99.html"} + +@InProceedings{LindqvistPorras99, +Author={U. Lindqvist and P.A. 
Porras}, +Title={Detecting Computer and Network Misuse through the {Production-Based + Expert System Toolset (P-BEST)}}, +BookTitle={Proceedings of the 1999 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={1999}, Month=may, pages={}} + +@InProceedings{Lindqvist:2001:EXPERTBSM, + Author={U. Lindqvist and P.A. Porras}, + title = "{eXpert-BSM}: A Host-based Intrusion-Detection + Solution for {Sun Solaris}", + booktitle = "Proceedings of the 17th Annual Computer Security + Applications Conference ({ACSAC} 2001)", + month = "10--14 December", + year = 2001, + address = "New Orleans, Louisiana", +} + +@InProceedings{Almgren:2001:AIDCFSM, + author = "M. Almgren and U. Lindqvist", + title = "Application-Integrated Data Collection for + Security Monitoring", + booktitle = "Recent Advances in Intrusion Detection + ({RAID~2001})", + month = "10--12 October", + year = 2001, + address = "Davis, California", +} + +@PhDThesis{Lindqvist99, +Author={U. Lindqvist}, +School={Department of Computer Engineering, Chalmers University of Technology}, +Title={On the Fundamentals of Analysis and Detection of Computer Misuse}, +Year={1999}, Month={}, Note = "ISBN 91-7197-832-1" } + +@TechReport{PorrasNitz03, +Author = "P.A. Porras and K. Nitz and U. Lindqvist and M. Fong and + P.G. Neumann", +Title = "Discerning Attacker Intent", +Institution={Computer Science Laboratory, SRI International, Project 10779}, +Year={2003}, Month=apr, Address={Menlo Park, California} } + +@TechReport{CIDF, +author={P.A. Porras}, +Title={Common Intrusion Detection Framework}, +institution= {Computer Science Lab, SRI International}, +address={Menlo Park, California}, month =apr, Year=1998 } + +@InProceedings{Jagan89GLU, +Author = {R. 
Jagannathan}, +Title = {Transparent Multiprocessing in the Presence of Fail-Stop Faults}, +Booktitle = {Proceedings of the 3rd Workshop on Large-Grain Parallelism}, +Organization = {}, Address = {Pittsburgh, Pennsylvania}, +Year = {1989}, +Pages={}, Month = oct } + +@TechReport{JaganGLU, +Author={R. Jagannathan and A.A. Faustini}, Key={Jagannathan}, +Institution={Computer Science Laboratory, SRI International}, +Title={The {GLU} Programming Language}, Note={CSL Technical Report CSL-90-11}, +Year={1990}, Month=nov, Address={Menlo Park, California} } + +@TechReport{Jagan94GLU, +Author={R. Jagannathan and C. Dodd}, Key={Jagannathan}, +Institution={Computer Science Laboratory, SRI International}, +Title={{GLU} Programmer's Guide v0.9}, Note={CSL Technical Report CSL-94-06}, +Year={1994}, Month=nov, Address={Menlo Park, California} } + +@InProceedings{Jagan95Coarse, +Author = {R. Jagannathan}, +Title = {Coarse-Grain Dataflow Programming of Conventional Parallel Computers}, +Booktitle = {{\it Advanced Topics in Dataflow Computing and Multithreading} + (edited by L. Bic, J-L. Gaudiot, and G. Gao)}, +Organization = {IEEE Computer Society}, Address = {}, Year = {1995}, +Pages={}, Month = apr } +% ISBN 0-8186-6542-4. + +@InProceedings{LuntSurvey88, +Author={T.F. Lunt}, +Title={Automated Audit-Trail Analysis and Intrusion Detection: A Survey}, +Booktitle={Proceedings of the Eleventh National Computer Security Conference}, +month=oct, pages={188-193}, Year=1988 } + +@InProceedings{LuntAudit86, +Author={T.F. Lunt and J. van Horne and L. Halme}, +Title={Automated Analysis of Computer System Audit Trails}, +Booktitle={Proceedings of the Ninth DOE Computer Security Group Conference}, +month=may, +Year=1986 } + +@TechReport{LuntSytek1, +author={T.F. Lunt and J. van Horne and L. 
Halme}, +Title="Analysis of Computer System Audit Trails: Initial Data Analysis", +type={Technical Report}, +number={TR-85009}, +institution="Sytek", +address={Mountain View, California}, +month=sep, +Year=1985 } + +@TechReport{LuntSytek2, +author={T.F. Lunt and J. van Horne and L. Halme}, +Title="Analysis of Computer System Audit Trails: Intrusion Characterization", +type={Technical Report}, +number={TR-85012}, +institution="Sytek", +address={Mountain View, California}, +month=oct, +Year=1985 } + +@TechReport{LuntSytek3, +author={T.F. Lunt and J. van Horne and L. Halme}, +Title="Analysis of Computer System Audit Trails: Feature Identification and + Selection", +type={Technical Report}, +number={TR-85018}, +institution="Sytek", +address={Mountain View, California}, +month=dec, +Year=1985 } + +@TechReport{LuntSytek4, +author={T.F. Lunt and J. van Horne and L. Halme}, +Title="Analysis of Computer System Audit Trails: Design and Program Classifier", +type={Technical Report}, +number={TR-86005}, +institution="Sytek", +address={Mountain View, California}, +month=mar, +Year=1986 } + +@InProceedings{LuntBerson87, +Author={T.F. Lunt and T.A. Berson}, +Title={Security Considerations for Knowledge-Based Systems}, +Booktitle={Proceedings of the Third Expert Systems in Government Conference}, +month=oct, +Year=1987 } + +@Article{LuntAssurance87, +Author={T.F. Lunt and D.E. Denning and R.R. Schell and M. Heckman and W.R. Shockley}, +Title={Element-Level Classification with {A}1 Assurance}, +Journal={Computers and Security}, +month=feb, +year=1988 } + +@MASTERSTHESIS{Porras92, +AUTHOR = {P.A. Porras}, +TITLE = {{STAT}: A {S}tate {T}ransition {A}nalysis {T}ool for Intrusion + Detection}, +SCHOOL={Computer Science Department, University of California, Santa Barbara}, +YEAR = {1992}, MONTH = jul } + +@TechReport{DenningPolicy86, +author={T.F. Lunt and D.E. Denning and P.G. Neumann and R.R. Schell and M. Heckman and W.R. 
Shockley}, +Title="Final Report Vol.\ 1: Security Policy and Policy Interpretation for a + Class A1 Multilevel Secure Relational Database System", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1988 } + +@Article{LuntQuestions88, +Author={T.F. Lunt}, +Title={Access Control Policies: Some Unanswered Questions}, +Journal={Computers and Security}, +month=feb, +year=1989 } + + +@InProceedings{LuntIFIP88, +Author={T.F. Lunt}, +Title={Access Control Policies for Database Systems}, +Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@TechReport{MillenLuntReport89, +author={J.K. Millen and T.F. Lunt}, +title={Secure Knowledge-Based Systems}, +institution={Computer Science Laboratory, SRI International}, +type={Technical Report}, +number={SRI-CSL-90-04}, +address={Menlo Park, California}, +month=aug, +year = 1989 } + +@TechReport{LuntDAC90, +Author={T.F. Lunt}, +Title={Discretionary Security for Object-Oriented Database Systems}, +type={Technical Report}, +number={RADC-TR-91-17}, +institution="Rome Air Development Center", +month=mar, Year=1991 } + +@inproceedings{issues89, author={A. Downing and I. Greenberg and T. Lunt}, +title={Issues in Distributed System Security}, booktitle={Proceedings of the Fifth +Aerospace Computer Security Conference}, month=dec, year=1989 } + +@InProceedings{LuntDistributed89xxx, +Author={T.F. Lunt and A. Downing and I. Greenberg}, +Title={Issues in Distributed Database Security}, +Booktitle={Proceedings of the Twelfth National Computer Security Conference}, +Year={submitted for publication, not accepted} } + +@InProceedings{LuntObject89, +Author={T.F. Lunt}, +Title={Multilevel Security for Object-Oriented Database Systems}, +Booktitle={Proceedings of the Third IFIP Database Security Workshop}, +month=sep, +Year=1989 } + +@InProceedings{VonHenke88, +author={J.S. Crow and R. Lee and J.M. Rushby and F.W. von Henke and R.A. 
Whitehurst}, +title={{EHDM} Verification Environment: An Overview}, +booktitle={Proceedings of the Eleventh National Computer Security Conference}, +month=oct, +year=1988 } + + +@TechReport{LuntSpec88, +author={T.F. Lunt and R.A. Whitehurst}, +Title={Final Report Vol.\ 3A: The {SeaView} Formal Top Level Specifications}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1989 } + + +@TechReport{LuntDef89, +Author={T.F. Lunt}, +Title={Final Report Vol.\ 4: Secure Distributed Data Views: Identification of Deficiencies and Directions for Future Research}, +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1989 } + + +@InProceedings{Shockley87, +Author={W.R. Shockley and R.R. Schell}, +Title={{TCB} Subsetting for Incremental Evaluation}, +Booktitle={Proceedings of the Second AIAA Conference on Computer Security}, +month=dec, +Year=1987 } + +@TechReport{vonGlahn83, +Author={P.G. {von Glahn}}, key={vonGlahn}, +Title={An Annotated Computer Network Security Bibliography}, +Institution={Rome Air Development Center}, +Address={Griffiss Air Force Base, NY 13441}, +number={RADC-TR-83-251}, +Month=nov, Year={1983} } + +@Article{Reed79, +Author={D.P. Reed and R.K. Kanodia}, +Title={Synchronization with Eventcounts and Sequencers}, +Journal={Communications of the ACM}, +volume=22, number=2, month=feb, year=1979 } + +@InProceedings{LuntA188, +Author={T.F. Lunt}, +Title={Multilevel Database Systems: Meeting Class {A}1}, +Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security}, +month=oct, +Year=1988 } + +@TechReport{Greenberg90 + ,Key={} + ,Author={I.B. Greenberg and A.R. Downing and M. Morgenstern} + ,Institution={SRI International} + ,Title={{Distributed database integrity}} + ,Year={1990} + ,Month=apr + ,Number={} + ,Address={Menlo Park, California} + ,Type={Interim Report} + ,Note={For RADC Contract No. 
F30602-89-C-0055} + ,Read={y} + ,File={} + } + +@TechReport{Greenberg91a + ,Key={} + ,Author={I.B. Greenberg and P.K. Rathmann} + ,Institution={SRI International} + ,Title={{Distributed database integrity}} + ,Year={1990} + ,Month=nov + ,Number={} + ,Address={Menlo Park, California} + ,Type={Final Report} + ,Note={For RADC Contract No. F30602-89-C-0055} + ,Read={y} + ,File={} + } + +@TechReport{Greenberg91b + ,Key={} + ,Author={I.B. Greenberg and P.K. Rathmann} + ,Institution={SRI International} + ,Title={{Feasibility Implementation Plan}} + ,Year={1990} + ,Month=nov + ,Number={} + ,Address={Menlo Park, California} + ,Type={Interim Report} + ,Note={For RADC Contract No. F30602-89-C-0055} + ,Read={y} + ,File={} + } + +@InProceedings{LuntLargeAI88, +Author={T.F. Lunt and B.M. Thuraisingham}, +Title={Security for Large {AI} Systems}, +Booktitle={Proceedings of the AAAI-88 Workshop on Databases in Large AI Systems}, +month=aug, +Year=1988 } + +@InProceedings{LuntMSQL88, +Author={T.F. Lunt and R.R. Schell and W.R. Shockley and M. Heckman and D. Warren}, +Title={Toward a Multilevel Relational Data Language}, +Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications + Conference, Orlando FL}, +month=dec, +Year=1988 } + + +@InProceedings{LuntInfer89, +Author={T.F. Lunt}, +Title={Aggregation and Inference: Facts and Fallacies}, +Booktitle={Proceedings of the 1989 IEEE Symposium on Research in Security and + Privacy}, +month=may, +Year=1989 } + +@InProceedings{MaimoneGreenberg90, +Author={W.T. Maimone and I.B. Greenberg}, +Title={Single-Level Multiversion Schedulers for Multilevel Secure + Database Systems}, +Booktitle={Proceedings of the Sixth Annual Computer Security Applications + Conference}, +Month=dec, +Year=1990 } + +@InProceedings{McHugh85, +Author={J. 
McHugh}, +Title={An {EMACS}-Based Downgrader for {SAT}}, +Booktitle={Proceedings of the Eighth National Computer Security Conference}, +month=oct, +Year=1985 } + +@InProceedings{McLean87, +Author={J. McLean}, +Title={Reasoning about Security Models}, +Booktitle={Proceedings of the 1987 IEEE Symposium on Security and + Privacy}, +month=apr, +Year=1987 } + +@InProceedings{Maier86, +Author={D. Maier and J. Stein and A. Otis and A. Purdy}, +Title={Development of an Object-Oriented {DBMS}}, +Booktitle={OOPSLA 86 Proceedings}, +Year=1986 } + +@InProceedings{Matloff86, +Author={N.S. Matloff}, +Title={Another look at the use of noise addition for database security}, +Booktitle={Proceedings of the IEEE 1986 Symposium on Security and Privacy}, +month=apr, +Year=1986 } + +@InProceedings{MayerInterp88, +Author={F.L. Mayer}, +Title={An Interpretation of a Refined {B}ell - {L}a {P}adula Model For the {TM}ach Kernel}, +Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference, Orlando FL}, +month=dec, +Year=1988 } + +@misc{Meadows88, +author={C. Meadows and C. Landwehr}, +title={Designing a Trusted Application Using an Object-Oriented Data Model}, +booktitle={Research Directions in Database Security}, +editor={T.F. Lunt}, +note={forthcoming} } + +@TechReport{Medlock88, +author={R.J. Medlock}, +Title="Secure Distributed Database Management System ({SD-DBMS}), Volume {II} (Draft): {SDI} {BM}/{C3} Application", +institution="Unisys +System Development Group", +month=sep, +Year=1988 } + +@Article{AW1, +Author={J.T. Merrifield}, +Title={{AI} System for Satellite Repair}, +Journal={Aviation Week}, +volume={CXXIV(19)}, +pages={89+}, +month={May 12}, +year=1986 } + +@Article{AW2, +Author={J.T. Merrifield}, +Title={Ames Readies Initial {AI} Demonstration for Space Station}, +Journal={Aviation Week}, +volume={CXXIV(21)}, +pages={129+}, +month={May 26}, +year=1986 } + +@Article{AW3, +Author={J.T. 
Merrifield},
+Title={{AI} Research at Ames Focuses on Increased Crew Effectiveness},
+Journal={Aviation Week},
+volume={CXXIV(22)},
+pages={73-75},
+month={June 2},
+year=1986 }
+
+@Article{AW4,
+Author={J.T. Merrifield},
+Title={Ames Seeks {AI} Applications in Aeronautics, Space Programs},
+Journal={Aviation Week},
+volume={CXXIV(23)},
+pages={153+},
+month={June 9},
+year=1986 }
+
+@InProceedings{MOHAN84,
+Author={C. Mohan},
+Title={Recent and Future Trends in Distributed Database Management},
+Booktitle={Proceedings of the NYU Symposium on New Directions in Database
+ Systems},
+Year=1984 }
+
+@InProceedings{Morgenstern84,
+Author={M. Morgenstern},
+Title={Constraint equations: declarative expression of constraints with
+ automatic enforcement},
+Booktitle={Proceedings of the 10th International Conference on Very Large Databases},
+month=aug,
+Year=1984 }
+
+@InProceedings{Morgenstern86,
+Author={M. Morgenstern},
+title={The role of constraints in databases, expert systems, and knowledge
+ representation},
+Booktitle={Expert Database Systems, Proceedings of the
+First International Workshop on Expert Database Systems},
+editor={L. Kerschberg},
+publisher={Benjamin Cummings Publishers},
+year=1986 }
+
+@InProceedings{Morgenstern87,
+Author={M. Morgenstern},
+Title={Security and Inference in Multilevel Database and Knowledge-Base Systems},
+Booktitle={Proceedings of the ACM International Conference on Management of
+ Data (SIGMOD-87)},
+month=may,
+Year=1987 }
+
+@InProceedings{Morgenstern88,
+Author={M. Morgenstern},
+Title={Controlling Logical Inference in Multilevel Database Systems},
+Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
+month=apr,
+Year=1988 }
+
+@InProceedings{Murray88,
+Author={W.H.
Murray},
+Title={Data Integrity in a Business Data Processing System},
+Booktitle={Report of the Invitational Workshop on Integrity Policy in Computer Information Systems (Appendix 6)},
+month=oct,
+Year=1987 }
+
+@TechReport{Neumann80,
+author={P. G. Neumann and R.S. Boyer and R.J. Feiertag and K.N. Levitt and L. Robinson},
+Title="A {Provably Secure Operating System}: The System, Its Applications, and Proofs",
+institution="Computer Science Laboratory, SRI International",
+number={CSL-116, Second edition},
+address={Menlo Park, California},
+month=may,
+Year=1980 }
+
+@TechReport{Neumann85,
+author={P.G. Neumann},
+Title="Audit Trail Analysis and Usage Data Collection and Processing, Part One",
+institution="Computer Science Laboratory, SRI International",
+address={Menlo Park, California},
+month=jan,
+Year=1985 }
+
+@TechReport{Neumann87,
+author={P.G. Neumann and F. Ostapik},
+Title="Audit Trail Analysis and Usage Data Collection and Processing, Part Two",
+institution="Computer Science Laboratory, SRI International",
+address={Menlo Park, California},
+month=may,
+Year=1987 }
+
+@Article{Nguyen87,
+Author={T. Nguyen and W. Perkins and T.J. Laffey and D. Pecora},
+Title={Knowledge Base Verification},
+Journal={AI Magazine},
+volume=8,
+number=2,
+year=1987 }
+
+@TechReport{OConnor88,
+author={J.P. O'Connor and J.W. Gray and C. Jensen and D.T. Westby-Gibson},
+Title="Secure Distributed Database Management System ({SD-DBMS}),
+Volume {I}: Architecture Definition, Tradeoff Analysis",
+institution="Unisys
+System Development Group",
+month=aug,
+Year=1988 }
+
+@TechReport{Olsson75,
+author={L. Olsson},
+Title="Protection of Output and Stored Data in Statistical Databases",
+institution="Statistika Centralbyran",
+type={Technical Report~ADB-Information, 4},
+address={Stockholm, Sweden},
+Year=1975 }
+
+@InProceedings{Omar83,
+Author={K.A. Omar and D.L.
Wells},
+Title={Modified architecture for the subkeys model},
+Booktitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
+month=apr,
+Year=1983 }
+
+@InProceedings{Ozsoyoglu81,
+Author={G. Ozsoyoglu and M. Ozsoyoglu},
+Title={Update handling techniques in statistical databases},
+Booktitle={Proceedings of the First LBL Workshop on Statistical Database Management},
+address={Lawrence Berkeley Lab, Berkeley, California},
+month=dec,
+Year=1981 }
+
+@Article{S7,
+Author={G.M. Powell and G. Loberg and H.H. Black and M.L. Gronberg},
+Title={{ARES}: Artificial Intelligence Research Project},
+Journal={Signal},
+volume={XL(10)},
+pages={106-109},
+month=jun,
+year=1986 }
+
+@InProceedings{Rabitti88,
+Author={F. Rabitti and D. Woeld and W. Kim},
+Title={A Model of Authorization for Object-Oriented and Semantic Databases},
+Booktitle={Proceedings of the International Conference on Extending Database
+Technology},
+Year=1988 }
+
+@TechReport{Rapaport75,
+author={E. Rapaport and B. Sundgren},
+Title="Output Protection in Statistical Databases",
+institution="Nat. Central Bur. Stat.",
+type={Technical Report~S/SYS-E04},
+address={Stockholm, Sweden},
+Year=1975 }
+
+@Article{RA86,
+Author={R.F. Rashid},
+Title={Threads of a New System},
+Journal={UNIX Review},
+volume={4},
+number={8},
+month=aug,
+year=1986 }
+
+@InProceedings{Reiss80,
+Author={S.P. Reiss},
+Title={Practical data-swapping: the first steps},
+Booktitle={Proceedings of the 1980 IEEE Symposium on Security and Privacy},
+month=apr,
+Year=1980 }
+
+@Article{S6,
+Author={J.P. Retelle, Jr. and M. Kaul},
+Title={The Pilot's Associate -- Aerospace Application of Artificial Intelligence},
+Journal={Signal},
+volume={XL(10)},
+pages={100-105},
+month=jun,
+year=1986 }
+
+@Book{RichBook,
+author={E. Rich},
+Title={Artificial Intelligence},
+publisher={McGraw Hill, New York},
+year=1982 }
+
+@TechReport{HDM1,
+author={L. Robinson},
+Title="{HDM} Handbook, Vol.
1: The Foundations of {HDM}",
+institution="Computer Science Laboratory, SRI International",
+address={Menlo Park, California},
+month=jun,
+Year=1979 }
+
+@Article{Rosenkrantz84,
+Author={D.J. Rosenkrantz and R.E. Stearns and P.M. Lewis},
+Title={Consistency and Serializability in Concurrent Database Systems},
+Journal={SIAM Journal on Computing},
+volume=13,
+number=2,
+month=aug,
+year=1984 }
+
+@InProceedings{Sybase87,
+Author={P.A. Rougeau and E.D. Sturms},
+Title={ Sybase Secure Dataserver: A Solution to the Multilevel Secure DBMS Problem},
+Booktitle={Proceedings of the 10th National Computer Security Conference},
+month=sep,
+Year=1987 }
+
+@InProceedings{Rowe87,
+author={L.A. Rowe},
+title={A Shared Object Hierarchy},
+booktitle={The POSTGRES Papers, Memorandum No. UCB/ERL M86/85},
+editor={M. Stonebraker and L.A. Rowe},
+publisher={Electronics Research Laboratory, College of Engineering, University
+of California, Berkeley},
+year=1987 }
+
+@misc{Rowe86,
+Author={N.C. Rowe},
+title={Security problems with inferences from the results of rule-based
+ expert systems},
+note={unpublished paper} }
+
+@TechReport{Rushby88,
+author={J.M. Rushby},
+Title="Quality Measures and Assurance for AI Software",
+institution="Computer Science Laboratory, SRI International",
+address={Menlo Park, California},
+Year=1988 }
+
+@Article{SARIN85,
+Author={S.K. Sarin and B. Blaustein and C. Kaufman},
+Title={System Architecture for Partition-Tolerant Distributed Databases},
+Journal={IEEE Transactions on Computers},
+volume={C-34},
+number=122,
+month=dec,
+year=1985 }
+
+@InProceedings{SARIN86b,
+Author={S.K. Sarin},
+Title={Robust Application Design in Highly Available Distributed Databases},
+Booktitle={Proceedings of the Fifth IEEE Symposium on Reliability in Distributed
+ Software and Database Systems},
+month=jan,
+Year=1986 }
+
+@InProceedings{SARIN86a,
+Author={S.K. Sarin and C. Kaufman and J.E.
Somers},
+Title={Using History Information To Process Delayed Database Updates},
+Booktitle={Proceedings of the Twelfth International Conference on
+ Very Large Data Bases},
+month=aug,
+Year=1986 }
+
+@InProceedings{SchaeferSchell84,
+Author={M. Schaefer and R.R. Schell},
+Title={Toward an Understanding of Extensible Architectures for
+ Evaluated Trusted Computer System Products},
+Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy},
+month=apr,
+Year=1984 }
+
+@InProceedings{Schell85,
+Author={R.R. Schell and T.F. Tao and M. Heckman},
+Title={Designing the {GEMSOS} Security Kernel for Security and Performance},
+Booktitle={Proceedings of the Eighth National Computer Security Conference},
+Year=1985 }
+
+@InProceedings{SchellIntegrity86,
+Author={R.R. Schell and D.E. Denning},
+Title={Integrity in Trusted Database Systems},
+Booktitle={Proceedings of the Ninth National Computer Security Conference},
+Year=1986, Month =sep }
+
+@Article{Schlorer76,
+Author={J. Schlorer},
+Title={Confidentiality of statistical records: a threat monitoring scheme
+ for on line dialogue},
+Journal={Methods Inf. Med.},
+volume=15,
+number=1,
+year=1976 }
+
+@Article{SchlorerQuantitative80,
+Author={J. Schlorer},
+Title={Disclosure from statistical databases: quantitative aspects of
+ trackers},
+Journal={ACM Transactions on Database Systems},
+volume=5,
+number=4,
+month=dec,
+year=1980 }
+
+@TechReport{SchlorerLoss83,
+author={J. Schlorer},
+Title="Information Loss in Partitioned Statistical Databases",
+type={Technical Report, Klinische Dokumentation},
+institution="Universit{\"a}t Ulm",
+address={Ulm, Germany},
+Year=1983 }
+
+@TechReport{SchlorerOutput82,
+author={J. Schlorer},
+Title="Query Based Output Perturbations to Protect Statistical
+ Databases",
+type={Technical Report, Klinische Dokumentation},
+institution="Universit{\"a}t Ulm",
+address={Ulm, Germany},
+month=oct,
+Year=1982 }
+
+@Article{SchlorerMultidimensional81,
+Author={J.
Schlorer},
+Title={Security of statistical databases: multidimensional transformation},
+Journal={ACM Transactions on Database Systems},
+volume=6,
+number=1,
+month=mar,
+year=1981 }
+
+@TechReport{Schroeder72,
+author={M.D. Schroeder},
+Title="Cooperation of Mutually Suspicious Subsystems in a Computer Utility",
+institution="Ph.D. Thesis, M.I.T., Cambridge, Massachusetts",
+month=sep,
+Year=1972 }
+
+@article{SchroederSaltzer72,
+author={M.D. Schroeder and J.H. Saltzer}, title = {A Hardware
+Architecture for Implementing Protection Rings},
+journal = {Communications of the ACM}, volume = {15}, number = {3},
+pages = {}, month = mar, year = {1972}}
+
+@article{SaltzerSchroeder75,
+ title = {The Protection of Information in Computer Systems},
+ author = {Saltzer, Jerome H. and Schroeder, Michael D.},
+ date = {1975-09},
+ journaltitle = {Proceedings of the IEEE},
+ volume = {63},
+ pages = {1278--1308},
+ doi = {10.1109/PROC.1975.9939},
+ url = {http://cap-lore.com/CapTheory/ProtInf/},
+ number = {9}
+}
+
+@book{SaltzerKaashoek09,
+Author={J.H. Saltzer and F. Kaashoek},
+Title={Principles of Computer System Design},
+Publisher={Morgan Kaufmann},
+Year={2009},
+NOTE = {Chapters 1-6 only. Chapters 7-11 are online:\\
+ http://ocw.mit.edu/Saltzer-Kaashoek}
+}
+
+@book{Organick,
+Author={E.I. Organick},
+Title={The {Multics} System: An Examination of Its Structure},
+Publisher={MIT Press, Cambridge, Massachusetts},
+Year={1972} }
+
+@InProceedings{Schroeder77,
+Author={M.D. Schroeder and D.D. Clark and J.H. Saltzer},
+Title={The {Multics} Kernel Design Project},
+Booktitle={Proceedings of the Sixth Symposium on Operating System Principles},
+Note={ACM Operating Systems Review 11(5)},
+month=nov, Year=1977 }
+
+@article{NeedhamSchroeder78,
+author={R.M. Needham and M.D.
Schroeder}, key={needham}, title = {Using
+Encryption for Authentication and Authorization Systems},
+journal = {Communications of the ACM}, volume = {21}, number = {12},
+pages = {993-999}, month = dec, year = {1978}}
+
+@article{NeedhamSchroeder87,
+author={R.M. Needham and M.D. Schroeder}, key={needham}, title =
+{Authentication Revisited},
+journal = {Operating Systems Review}, volume = {21}, number = {1},
+pages = {7}, month = {}, year = {1987}}
+
+@article{OtwayRees87,
+author={D. Otway and O. Rees}, title = {Efficient and Timely Mutual
+Authentication},
+journal = {Operating Systems Review}, volume = {21}, number = {1},
+pages = {8--10}, month = {}, year = {1987}}
+
+@ARTICLE{SchroederGrape,
+Author={M.D. Schroeder and A.D. Birrell and R.M. Needham},
+TITLE = {Experience with {Grapevine}: The Growth of a Distributed System},
+JOURNAL = {TOCS}, YEAR = {1984}, VOLUME = {2},
+NUMBER = {1}, PAGES = {3-23}, MONTH = feb }
+
+@article{DiffieHellman76,
+author={W. Diffie and M.E. Hellman}, key={Diffie}, title = {New Directions
+in Cryptography}, journal = {IEEE Transactions on Information Theory}, volume= {22},
+number = {5}, pages = {}, month = nov, year = {1976}}
+
+@article{Rivest+78,
+author={R. Rivest and A. Shamir and L. Adleman}, key={Rivest},
+title = {A Method for Obtaining Digital Signatures and Public-Key
+Cryptosystems}, journal = {Communications of the ACM}, volume = {21}, number = {2},
+pages = {120-126}, month = feb, year = {1978}}
+
+@TechReport{Rivest90,
+author={R. Rivest},
+Title={The {MD4} message digest algorithm},
+institution={MIT Laboratory for Computer Science},
+address={}, month =oct, note={TM 434},
+Year= {1990} }
+
+@TechReport{RivestLampson96,
+author={R. Rivest and B.
Lampson},
+Title={{SDSI} -- A Simple Distributed Security Infrastructure},
+institution={MIT Laboratory for Computer Science},
+address={}, month ={}, note={Version 2.0 is
+available online
+(\xlink{http://theory.lcs.mit.edu/\~{}cis/sdsi.html}{http://theory.lcs.mit.edu/\~{}cis/sdsi.html})
+along with other documentation and source code},
+Year= {2000} }
+
+@TechReport{Ellison+99,
+author={C.M. {Ellison et al.}},
+Title={{SPKI} Certificate Theory},
+institution={Internet Engineering Task Force},
+address={}, month =sep,
+Year= {1999}, Note={\xlink{http://www.ietf.org/rfc/rfc2693.txt}{http://www.ietf.org/rfc/rfc2693.txt})
+}}
+
+@InProceedings{Abadi97,
+Author={M. Abadi},
+Title={On {SDSI's} Linked Local Name Spaces},
+BookTitle={Proceedings of the 10th IEEE Computer Security Foundations
+ Workshop}, Address={Rockport, Massachusetts},
+Year={1997},Month=jun,Pages={98--108} }
+
+@TechReport{DES,
+Author={NIST}, Institution={National Institute of Standards and Technology
+(formerly NBS)}, Title={Data Encryption Standard}, Year={1977} }
+
+@InProceedings{ElGamal84,
+Author = {T. ElGamal},
+Title = {A public key cryptosystem and a signature scheme
+based on discrete logarithms},
+Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '84},
+Organization = {G.R. Blakley and David Chaum, eds., Springer-Verlag, Berlin},
+Year = {1985}, Pages={10--18}, Month = {} }
+
+@article{ElGamal85,
+author={T. ElGamal}, title = {A public key cryptosystem and a signature scheme
+based on discrete logarithms}, journal = {IEEE Transactions on Information Theory},
+volume = {31}, number = {}, pages = {469--472}, month = {}, year = {1985}}
+
+@InProceedings{Schnorr89,
+Author = {C.P. Schnorr},
+Title = {Efficient identification and signatures for smart cards},
+Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '89},
+Organization = {G.
Brassard, ed., Springer-Verlag, Berlin, LCNS 435},
+Year = {1990}, Pages={239-251}, Month = {} }
+
+@InProceedings{LaMacchiaOdlyzko91,
+Author={B.A. LaMacchia and A.M. Odlyzko},
+Title={Computation of Discrete Logarithms in Prime Fields},
+Booktitle={Designs, Codes, and Cryptography 1}, pages={47-62},
+Year=1991, Publisher={Kluwer} }
+
+@ARTICLE{Kaliski+88,
+Author={B.S. {Kaliski Jr.} and R.L. Rivest and A.T. Sherman},
+TITLE = {Is the {Data} {Encryption} {Standard} a Group?
+(Results of Cycling Experiments on {DES})},
+JOURNAL = {Journal of Cryptology}, YEAR = {1988}, VOLUME = {1},
+NUMBER = {1}, PAGES = {3--36}, MONTH = {} }
+
+@InProceedings{Kaliski94,
+Author={B.S. {Kaliski Jr.}},
+TITLE = {Public-Key Cryptography in Smart Cards},
+Booktitle = {CardTech/SecurTech '94}, YEAR = {1994},
+MONTH = {10--13 April},
+Organization = {}, Address = {Arlington, Virginia} }
+
+@ARTICLE{Merkle90,
+Author={R.C. Merkle}, TITLE = {A fast software one-way hash function},
+JOURNAL = {Journal of Cryptology}, YEAR = {1990}, VOLUME = {3},
+NUMBER = {1}, PAGES = {43--58}, MONTH = {} }
+
+@ARTICLE{Schnorr91,
+Author={C.P. Schnorr}, TITLE = {Efficient signature generation by smart cards},
+JOURNAL = {Journal of Cryptology}, YEAR = {1991}, VOLUME = {4},
+NUMBER = {3}, PAGES = {161--174}, MONTH = {} }
+
+@InProceedings{CampbellWiener92,
+Author = {K.W. Campbell and M.J. Wiener},
+Title = {{DES} is not a Group},
+Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '92 (E.F. Brickell,
+editor)}, Organization = {Springer-Verlag, Berlin, LCNS 740},
+Year = {1992}, Pages={512-517}, Month = {} }
+
+@InProceedings{Micali92,
+Author={S. Micali}, TITLE = {Fair Public-Key Cryptosystems},
+Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '92 (E.F. Brickell,
+editor)}, Organization = {Springer-Verlag, Berlin, LCNS 740},
+Year = {1992}, Pages={512-517}, Month = {} }
+
+@InProceedings{Blundo+94,
+Author={C. Blundo and A. {De Santis} and G. {Di Crescenzo} and
+A.G. Gaggia and U.
Vaccaro},
+TITLE = {Multi-Secret Sharing Schemes},
+Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '94 (Y.G. Desmedt,
+editor)}, Organization = {Springer-Verlag, Berlin, LCNS 839},
+Year = {1994}, Pages={150--163}, Month = {} }
+
+@book{Schneier94,
+Author={B. Schneier},
+Title={Applied Cryptography},
+Publisher={John Wiley and Sons, New York},
+Year={1994} }
+
+@book{Schneier96,
+Author={B. Schneier},
+Title={Applied Cryptography: Protocols, Algorithms, and Source Code in C:
+ Second Edition},
+Publisher={John Wiley and Sons, New York},
+Year={1996} }
+
+@book{Schneier00,
+Author={B. Schneier},
+Title={Secrets and Lies: Digital Security in a Networked World},
+Publisher={John Wiley and Sons, New York},
+Year={2000} }
+
+@book{Schneier95,
+Author={B. Schneier},
+Title={E-Mail Security with {PGP} and {PEM}},
+Publisher={John Wiley and Sons, New York},
+Year={1995} }
+
+@book{Zimmermann95,
+Author={P.R. Zimmermann},
+Title={The Official {PGP} User's Guide},
+Publisher={MIT Press, Cambridge, Massachusetts},
+Year={1995} }
+
+@article{Goldberg85,
+author={A. Goldberg}, title = {Reliability of Computer Systems and
+Risks to the Public}, journal = {Communications of the ACM}, year = {1985},
+volume = {28}, number = {2}, pages = {131-133}, month = feb }
+
+@ARTICLE{Bidzos91Risks,
+Author={J. Bidzos}, TITLE = {Letter to {C}ongressman {T}im {V}alentine on
+{NIST's} {DSS}}, JOURNAL = {RISKS FORUM
+(comp.risks, online newsgroup)}, YEAR = {1991}, VOLUME = {12}, NUMBER = {37},
+PAGES = {}, MONTH = {20 September} }
+
+@ARTICLE{Bidzos91SENxxxxx,
+Author={J. Bidzos}, TITLE = {Letter to {C}ongressman {T}im {V}alentine on
+{NIST's} {DSS}},
+JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
+NUMBER = {4}, PAGES = {}, MONTH = oct }
+
+@article{CommBib,
+author={C.
Partridge},
+title = {Bibliography of Recent Publications on Computer Communication},
+journal = {ACM SIGCOMM Computer Communication Review},
+year = {1991}, volume = {21}, number = {1}, pages = {132-145},
+month = jan }
+
+@article{ISOstatus,
+author={L. Chapin}, title = {Status of {OSI} (and related) Standards},
+journal = {ACM SIGCOMM Computer Communication Review},
+year = {1991}, volume = {21}, number = {1}, pages = {111-131},
+month = jan }
+
+@TechReport{ISO7498-1,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture Basic
+ Reference Model}, Year={1984}, day={15}, month={October} }
+
+@TechReport{ISO7498-1C,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture Basic
+ Reference Model, Technical Corrigendum}, Year={1988}, day={15}, month=dec }
+
+@TechReport{ISO7498-2,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture Security
+ Architecture}, Year={1988}, day={19}, month={August} }
+
+@TechReport{ISO7498-3,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture Naming
+ and Addressing}, Year={1989}, day={1}, month={March} }
+
+@TechReport{ISO7498-4,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture
+ Management Framework}, Year={1989}, day={15}, month=nov }
+
+@TechReport{ISO7498-1Add1,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open Systems Interconnection Architecture,
+ Addendum 1: Connectionless Data}, Year={1987}, day={15}, month={August} }
+
+@TechReport{ISO7498-X,
+ Key={International}, Author={ISO}, Institution={International Standards
+ Organization}, Title={Open
Systems Interconnection Architecture Basic
+ Reference Model}, Year={198}, Month={} }
+
+@InProceedings{Vissers90,
+Key = {}, Author = {C.A. Vissers},
+Title = {Protocol specification: The first ten years, the next ten years},
+Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
+Testing, and Verification},
+Organization = {IFIP}, Address = {Ottawa, Canada},
+Year = {1990},
+Pages={}, Month = jun }
+
+@InProceedings{Miller90,
+Key = {}, Author = {R.E. Miller},
+Title = {Protocol verification: The first ten years, the next ten years;
+some personal observations},
+Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
+Testing, and Verification},
+Organization = {IFIP}, Address = {Ottawa, Canada},
+Year = {1990},
+Pages={}, Month = jun }
+
+@InProceedings{Sidhu90,
+Key = {}, Author = {D. Sidhu},
+Title = {Protocol testing: The first ten years, the next ten years},
+Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
+Testing, and Verification},
+Organization = {IFIP}, Address = {Ottawa, Canada},
+Year = {1990},
+Pages={}, Month = jun }
+
+@article{Sidhu+91,
+author={D. Sidhu and A. Chung and T.P. Blumer},
+title = {Experience with Formal Methods in Protocol Development},
+journal = {ACM SIGCOMM Computer Communication Review},
+year = {1991}, volume = {21}, number = {2}, pages = {81-101},
+month = apr }
+
+@ARTICLE{SidhuBlumer90,
+Author={D. Sidhu and T.P. Blumer}, TITLE = {Semi-automatic implementation
+of {OSI} protocols},
+JOURNAL = {Computer Networks \& ISDN System}, YEAR = {1990}, VOLUME = {18},
+NUMBER = {}, PAGES = {}, MONTH = {} }
+
+@TechReport{RFC1113,
+ Key={Kent}, Author={S. Kent}, Institution={Internet Activities Board Privacy
+ Task Force}, Month=aug, Year={1989},
+ Title={Privacy Enhancement for {Internet} Electronic Mail: Part {I}. {RFC 1113}} }
+
+@TechReport{RFC1114,
+ Key={Kent}, Author={S. Kent and J.
Linn},
+ Institution={Internet Activities Board Privacy Task Force},
+ Month=aug, Year={1989},
+ Title={Privacy Enhancement for {Internet} Electronic Mail: Part {II}:
+ Certificate Based Key Management. {RFC 1114}} }
+
+@TechReport{RFC1115,
+ Key={Linn}, Author={J. Linn}, Institution={Internet Activities Board Privacy
+ Task Force}, Month=aug, Year={1989},
+ Title={Privacy Enhancement for {Internet} Electronic Mail: Part {III}:
+ Algorithms, Models and Identifiers. {RFC 1115}} }
+
+@InProceedings{Linn90,
+Key={Linn}, Author={J. Linn}, Title={Practical Authentication for
+Distributed Computing}, BookTitle={Proceedings of the 1990 Symposium on Research in
+Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1990}, Month=may, pages={31--40}}
+
+@InProceedings{GongNeedhamYahalom90,
+Author={L. Gong and R. Needham and R. Yahalom},
+Title={Reasoning about Belief in Cryptographic Protocols},
+BookTitle={Proceedings of the 1990 Symposium on Research in
+Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1990}, Month=may, pages={234-248}}
+
+@InProceedings{Yaholom+93,
+Author={R. Yahalom and B. Klein and Th. Beth},
+Title={Trust Relationships in Secure Systems: A Distributed
+Authentication Procedure},
+BookTitle={Proceedings of the 1993 Symposium on Research in
+Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1993}, Month=may, pages={150-164}}
+
+@Article{RavindranChanson89,
+Key = {Ravindran}, Author = {K. Ravindran and S.T. Chanson},
+Title = {Failure Transparency in Remote Procedure Calls},
+Journal = {IEEE Transactions on Computers},
+Year = {1989}, volume ={32}, number = {8},
+Pages={1173-1187}, Month = aug }
+
+@Article{Birman85,
+Key = {Birman}, Author = {K.P.
Birman},
+Title = {Implementing Remote Procedure Calls},
+Journal = {ACM Transactions on Computer Systems},
+Year = {1985}, volume = {SE-11}, number = {6},
+Pages={502-8}, Month = jun }
+
+@InProceedings{PowellPresotto83,
+Key = {Powell}, Author = {M.L. Powell and D.L. Presotto},
+Title = {{PUBLISHING}: A reliable broadcast communication mechanism},
+Booktitle = {Proceedings of the Ninth Symp. on Operating Systems Principles},
+Organization = {ACM SIGOPS}, Address = {},
+Year = {1983},
+Pages={100--109}, Month = jun }
+
+@Article{LiskovScheifler83,
+Key = {Liskov}, Author = {B. Liskov and R. Scheifler},
+Title = {Guardians and Actions: Linguistic support for robust distributed programs},
+Journal = {ACM Transactions on Programming Language Systems},
+Year = {1983}, volume = {5}, Pages={381--404}, Month = jul }
+
+@article{Birrell85,
+author={A.D. Birrell}, key={Birrell},
+title = {Secure Communication Using Remote Procedure Calls},
+journal = {ACM Transactions on Computer Systems},
+volume = {3}, number = {1}, pages = {1-14}, month = feb, year = {1985}}
+
+@TechReport{Kerberos87,
+ Key={Miller}, Author={S. Miller and B. Neuman and J. Schiller and
+J. Saltzer},
+ Institution={MIT Project Athena Technical Plan Section E.2.1},
+ day={21}, month=dec, Year={1987},
+ Title={Kerberos Authentication and Authorization System} }
+
+@Article{shamir79,
+Author={A. Shamir},Journal={Communications of the ACM},
+Title={How to Share a Secret},Year={1979},Month=nov,Pages={612--613}
+,Volume={22},Number={11} }
+
+@InProceedings{steiner88
+ ,Author={J.G. Steiner and C. Neuman and J.I. Schiller}
+ ,BookTitle={Proceedings of the USENIX Winter Conference}
+ ,Title={Kerberos: An Authentication Service for Open Network Systems}
+ ,Year={1988},Month=feb,Pages={191--202} }
+
+@TechReport{Kohl+90,
+ Author={J. Kohl and B.C. Neuman and J.
Steiner},
+ Institution={MIT Project Athena},
+ day={8}, month={October}, Year={1990},
+ Title={The {Kerberos} Network Authentication Service (Version 5, draft 3) } }
+
+@TechReport{DavisSwick90,
+ Key={Davis}, Author={D. Davis and R. Swick},
+ Institution={MIT Laboratory for Computer Science Tech. Mem. 424},
+ Month=feb, Year={1990},
+ Title={Workstation Services and {Kerberos} Authentication at {P}roject {A}thena} }
+
+@InProceedings{BellovinMerritt91,
+author={S.M. Bellovin and M. Merritt},
+title = {Limitations of the {Kerberos} Authentication System},
+booktitle = {{USENIX} Conference Proceedings, Winter '91},
+volume = {}, number = {}, pages = {}, month = jan, year = {1991},
+note = {A version of this paper
+ appeared in {\it Computer Communications Review,} October 1990} }
+
+@article{Gong89,
+author={L. Gong}, key={gong}, title = {Using One-Way Functions
+for Authentication}, journal = {ACM Communications Review}, volume = {19},
+number = {5}, pages = {8-11}, month = oct, year = {1989}}
+
+@InProceedings{KailarGligor91,
+author={R. Kailar and V.D. Gligor},
+Title={On the Evolution of Beliefs in Authentication Protocols},
+BookTitle={Proceedings of the IEEE Computer Security Foundations Workshop IV},
+Address={Franconia, New Hampshire},
+Year={1991}, Month=jun }
+
+@InProceedings{Gligor+91
+ ,Author={V.D. Gligor and R. Kailar and S. Stubblebine and L. Gong}
+ ,BookTitle={Proceedings of the 4th IEEE Computer Security Foundations Workshop}
+ ,Address={Franconia, New Hampshire}
+ ,Title={Logics for Cryptographic Protocols -- Virtues and Limitations}
+ ,Year={1991}
+ ,Month=jun
+ ,Pages={219--226}
+ }
+
+@InProceedings{Millen94hookup,
+author={J.K. Millen},
+Title={Hookup security for synchronous machines},
+BookTitle={Proceedings of the IEEE Computer Security Foundations Workshop VII},
+Organization = {IEEE Computer Society},
+Address={Franconia, New Hampshire}, pages = {2-10},
+Year={1994}, Month=jun }
+
+@InProceedings{StubblebineGligor92,
+Author={S.G.
Stubblebine and V.D. Gligor},
+Title={On Message Integrity in Cryptographic Protocols},
+BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1992}, Month=may, pages={85--104} }
+
+@InProceedings{ReiterBirmanGong92,
+Author={M. Reiter and K. Birman and L. Gong},
+Title={Integrating Security in a Group Oriented Distributed System},
+BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1992}, Month=may, pages={18--32} }
+
+@ARTICLE{Gong93,
+Author={L. Gong and T.M.A. Lomas and R.M. Needham and J.H. Saltzer},
+TITLE = {Protecting poorly chosen secrets from guessing attacks},
+JOURNAL = {IEEE Journal of Selected Areas in Communications},
+YEAR = {1993}, VOLUME = {11}, NUMBER = {5}, PAGES = {648-656}, MONTH = jun }
+
+@TechReport{Berson+93,
+Author={T. Berson and L. Gong and T.M.A. Lomas},
+TITLE = {Secure, Keyed, and Collisionful Hash Functions},
+Institution = {SRI International, included in SRI-CSL-94-08},
+YEAR = {1993} }
+
+@Article{ReiterBirman94,
+Author={M. Reiter and K. Birman},
+Journal={ACM Transactions on Programming Languages and Systems},
+Title={How to Securely Replicate Services},
+Year={1994},Month=may,Pages={986--1009},Volume={16},Number={3} }
+
+@Article{Neuman+94,
+Author={B.C. Neuman and T. Ts'o}, Journal={IEEE Communications},
+Title={Kerberos: An Authentication Service for Computer Networks},
+Year={1994},Month=sep,Pages={33--38},Volume={32},Number={9} }
+
+@InProceedings{DesmedtFrankelYung92,
+Author={Y. Desmedt and Y. Frankel and M. Yung},
+Title={Multi-receiver/multi-sender network security: Efficient
+authenticated multicast/feedback},
+BookTitle={Proceedings of IEEE INFOCOM}, Organization={IEEE},
+Address={}, Year={1992}, Month={}, pages={}}
+
+@InProceedings{Kailar+94,
+Author={R. Kailar and V.D. Gligor and L.
Gong},
+Title={On the Security Effectiveness of Cryptographic Protocols},
+BookTitle ={Proceedings of the 1994 Conference on Dependable Computing for
+Critical Applications},
+Organization={}, Address={San Diego, California},
+Year={1994}, Month=jan, pages={90--101} }
+
+@misc{ShockleyWorkshop88,
+author={W.R. Shockley},
+title={Fundamental Limitations on View-Based Access Controls},
+booktitle={Research Directions in Database Security},
+editor={T.F. Lunt},
+note={to appear} }
+
+@TechReport{ShockleySpec89,
+author={W.R. Shockley and R.R. Schell and T.F. Lunt and D. Warren and
+M. Heckman}, Title="Final Report Vol.\ 5: The {S}ea{V}iew Implementation
+Specifications (draft)", institution="Gemini Computers", Year=1989 }
+
+@InProceedings{Shirley81,
+Author={L.J. Shirley and R.R. Schell},
+Title={Mechanism Sufficiency Validation by Assignment},
+Booktitle={Proceedings of the 1981 IEEE Symposium on Security and Privacy},
+month=apr, Year=1981 }
+
+@MastersThesis{Shirley81T,
+ Key={Shirley}, Author={L.J. Shirley},
+ Title={Non-Discretionary Security Validation by Assignment}, Year={1981},
+ School={Department of Computer Science,
+ Naval Postgraduate School, Monterey, California}, Month=jun }
+
+@misc{S1,
+Title={Artificial Intelligence for {B}1-{B}},
+Journal={Signal},
+volume={XL(10)},
+pages=130,
+month=jun,
+year=1986 }
+
+@Article{S2,
+Author={R.P. Shumaker and J. Franklin},
+Title={Artificial Intelligence in Military Applications},
+Journal={Signal},
+volume={XL(10)},
+pages={29+},
+month=jun,
+year=1986 }
+
+@InProceedings{Smaha88,
+Author={S.E. Smaha},
+Title={Haystack: An Intrusion Detection System},
+Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications
+ Conference, Orlando FL},
+month=dec,
+Year=1988 }
+
+@InProceedings{Smith88,
+Author={G.W.
Smith}, +Title={Identifying and Representing the Security Semantics of an Application}, +Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications + Conference, Orlando FL}, +month=dec, +Year=1988 } + +@Article{Stefik86, +author={M. Stefik and D.G. Bobrow}, +title={Object-Oriented Programming: Themes and Variations}, +Journal={The AI Magazine}, +month={Winter}, +year=1986 } + +@Article{Stefik82, +Author={M. Stefik and J. Aikens and R. Balzer and J. Benoit and L. Birnbaum and F. Hayes-Roth and E.D. Sacerdoti}, +Title={The Organization of Expert Systems}, +Journal={Artificial Intelligence}, +volume=18, +pages={29+}, +year=1982 } + +@InProceedings{Stonebraker87, +author={M. Stonebraker and L.A. Rowe}, +title={The Design of {POSTGRES}}, +booktitle={The POSTGRES Papers, M86/85}, +editor={M. Stonebraker and L.A. Rowe}, +publisher={Electronics Research Laboratory, College of Engineering, University +of California, Berkeley}, +year=1987 } + +@InProceedings{Stonebraker74, +Author={M. Stonebraker and E. Wong}, +Title={Access Control in a Relational Data Base Management System by Query + Modification}, +Booktitle={Proceedings of the 1974 ACM Annual Conference}, +Year=1974 } + +@InProceedings{SuOz87, +Author={T. Su and G. Ozsoyoglu}, +Title={Data Dependencies and Inference Control in Multilevel Relational Database +Systems}, +Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy}, +month=apr, +Year=1987 } + +@Article{Suwa82, +Author={M. Suwa and A. Carlisle Scott and E.H. Shortliffe}, +Title={An Approach to Verifying Completeness and Consistency in a Rule-Based Expert +System}, +Journal={AI Magazine}, +volume=3, +number=4, +year=1982 } + +@Article{S8, +Author={A.J. Tachmindji and E.L. Lafferty}, +Title={Artificial Intelligence for Air Force Tactical Planning}, +Journal={Signal}, +volume={XL(10)}, +pages={110-114}, +month=jun, +year=1986 } + +@InProceedings{Tener86, +Author={W.T. 
Tener}, +Title={Discovery: An Expert System in the Commercial Data Security Environment}, +Booktitle={Proceedings of the IFIP Security Conference}, +address={Monte Carlo}, +Year=1986 } + +@Article{Thuraisingham87, +Author={M.B. Thuraisingham}, +Title={Security Checking in Relational Database Management Systems Augmented + with Inference Engines}, +Journal={Computers and Security}, +volume=6, +number=6, +year=1987 } + +@InProceedings{Thuraisingham88, +Author={T.F. Keefe and W.T. Tsai and M.B. Thuraisingham}, +Title={A Multilevel Security Model for Object-Oriented Systems}, +Booktitle={Proceedings of the Eleventh National Computer Security Conference}, +month=oct, +Year=1988 } + +@InProceedings{Keef90b, +Author={T.F. Keefe and W.T. Tsai}, +BookTitle={Proceedings of the 1990 Symposium on Research in Security and Privacy}, +Address={Oakland, California}, +Title={Multiversion Concurrency Control for Multilevel Secure Database Systems}, +Organization={IEEE Computer Society}, +Year={1990},Month=may,Pages={369-383} } + +@Article{VaradharajanBlack91, +Author={V. Varadharajan and S. Black}, +Title={Multilevel Security in a Distributed Object-Oriented System}, +Journal={Computers and Security}, +volume=10, number=1, year=1991, pages={51-68} } + +@Article{Traub84, +Author={J.F. Traub and H. Wozniakowski and Y. Yemini}, +Title={Statistical security of a statistical data base}, +Journal={ACM Transactions on Database Systems}, +volume=9, +number=4, +month=dec, +year=1984 } + +@Article{Trueblood83, +Author={R.P. Trueblood and H.R. Hartson and J.J. Martin}, +Title={{MULTISAFE}: {A} modular multiprocessing approach to secure database + management}, +Journal={ACM Transactions on Database Systems}, +volume=8, +number=3, +month=sep, +year=1983 } + +@TechReport{TRW86, +author={TRW Defense Systems Group}, +Title="Intrusion-Detection Expert System Feasiblity Study", +type={Final Report}, +institution="TRW", +number={46761}, +Year=1986 } + +@Book{Ullman88, +Author={J.D. 
Ullman}, +Title={Principles of Database and Knowledge-Base Systems}, +volume={1}, +publisher={Computer Science Press}, +address={Rockville, Maryland}, +year=1988 } + +@Book{Ullman82, +Author={J.D. Ullman}, +Title={Principles of Database Systems}, +publisher={Computer Science Press}, +address={Rockville, Maryland}, +year=1982 } + +@inproceedings{VaccaroLiepins89, +author={H.S. Vaccaro and G.E. Liepins}, +title={Detection of Anomalous Computer Session Activity}, +Booktitle={Proceedings of the 1989 IEEE Symposium on Research in Security and Privacy}, +pages={280-289}, month=may, Year=1989 } + +@TechReport{VanHorneSytek5, +author={J. van Horne and L.Halme}, +Title="Analysis of Computer System Audit Trails: Training and Experimentation + with Classifier", +institution="Sytek", +address={Mountain View, California}, +number={TR-85006}, +month=mar, +Year=1986 } + +@TechReport{VanHorneSytek6, +author={J. van Horne and L. Halme}, +Title="Analysis of Computer System Audit Trails: Final Report", +institution="Sytek", +address={Mountain View, California}, +number={TR-85007}, +month=may, +Year=1986 } + +@InProceedings{Vinter88, +author={S.T. Vinter}, +title={Extended Discretionary Access Controls}, +booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy}, +month=apr, +year=1988 } + +@InProceedings{Watson81, +Author={R.W. Watson}, +title={Distributed Systems Architecture Model}, +Booktitle={Distributed Systems -- Architecture and Implementation: An +Advanced Course, volume 105 of Lecture Notes in Computer Science, +B.W. Lampson (ed.)}, +publisher={Springer-Verlag, Berlin}, pages={10-43}, Year=1981 } + +@inproceedings{Watson10, + title = {Capsicum: {{Practical Capabilities}} for {{UNIX}}}, + shorttitle = {Capsicum}, + booktitle = {Proceedings of the 19th {{USENIX Conference}} on {{Security}}}, + author = {Watson, Robert N. M. 
and Anderson, Jonathan and Laurie, Ben and Kennaway, Kris}, + date = {2010-08-11}, + publisher = {{USENIX Association}}, + location = {{Berkeley, CA, USA}}, + url = {https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf}, + abstract = {Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX applications into logical applications, an increasingly common goal supported poorly by discretionary and mandatory access control. We demonstrate our approach by adapting core FreeBSD utilities and Google's Chromium web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques.}, + series = {{{USENIX Security}}'10} +} + + + +@TechReport{Watson10a, +author={Robert N.~M. Watson}, +Title="{New Approaches to Operating System Security Extensibility}", +institution="Ph.D. Thesis, University of Cambridge, Cambridge, UK", +month=oct, +Year=2010 +} + +@TechReport{UCAM-CL-TR-818, + author = {Watson, Robert N. M.}, + title = {{New approaches to operating system security extensibility}}, + year = 2012, + month = apr, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-818} +} + +@Book{Lampson81, +Author={B.W. {Lampson (ed.)}}, +Title={Distributed Systems -- Architecture and Implementation: An +Advanced Course}, +publisher={Springer-Verlag, Berlin, +Lecture Notes in Computer Science, Vol. 105}, +Year=1981 } + +@InProceedings{Lampson03, +author = {B.W. Lampson}, +Title = {Software Components: Only The Giants Survive}, +Booktitle = {Computer Systems: papers for Roger Needham, K. Spark-Jones and A. 
Herbert (editors)}, +publisher = {Microsoft Research, Cambridge, U.K.}, +month = feb, +year = {2003}, +pages = {113-120} } + +@book{McKBKQ96, +Author = {M.K. McKusick and K. Bostic and M.J. Karels and J.S. Quarterman}, +Title = {The Design and Implementation of the 4.4~BSD Operating System}, +Publisher = {Addison-Wesley, Reading, Massachusetts}, +Year ={1996} } + +@TechReport{WhitehurstProofs89, +author={R. Alan Whitehurst and T.F. Lunt}, +Title="Final Report Vol.\ 3B: The {SeaView} Formal Verification: Proofs", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +Year=1989 } + +@InProceedings{Wilson88, +Author={J. Wilson}, +Title={Views as the Security Objects in a Multilevel Secure Relational + Database Management System}, +Booktitle={Proceedings of the 1988 IEEE Symposium on Security and + Privacy}, +month=apr, +Year=1988 } + +@InProceedings{Woodward87, +Author={J. Woodward}, +Title={Exploiting the Dual Nature of Sensitivity Labels}, +Booktitle={Proceedings of the 1987 IEEE Symposium on Security and + Privacy}, +month=apr, +Year=1987 } + +@Article{S3, +Author={M. Youngers and J. Franklin and C. Lackey Carmody and A. Meyrowitz}, +Title={Improving {C}3: The Potential of Artificial Intelligence}, +Journal={Signal}, +volume={XL(10)}, +pages={51+}, +month=jun, +year=1986 } + +@InProceedings{Wagner86, +Author={N.R. Wagner and P.S. Putter and M.R. Cain}, +Title={Encrypted database design: specialized approaches}, +Booktitle={Proceedings of the 1986 IEEE Symposium on Security and + Privacy}, +month=apr, +Year=1986 } + +@Article{Waltz83, +Author={D.L. Waltz}, +Title={Helping Computers Understand Natural Languages}, +Journal={IEEE Spectrum}, +month=nov, +year=1983 } + +@TechReport{Wehrle83, +author={E. Wehrle and J. 
Schlorer}, +Title="The Partner Algorithm for Protecting Statistical Databases", +type={Technical Report, Klinische Dokumentation}, +institution="Universit{\"a}t Ulm", +address={Ulm, Germany}, +month=mar, +Year=1983 } + +@TechReport{Whitehurst87, +author={R. Alan Whitehurst}, +Title="Expert Systems in Intrusion-Detection: A Case Study", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, +month=nov, +Year=1987 } + +@InProceedings{Whitehurst89, +Author={R. Alan Whitehurst and T.F. Lunt}, +Title={The {SeaView} Verification}, +Booktitle={Proceedings of the Second Workshop on the Foundations of Computer Security}, +month=jun, +Year=1989 } + +@InProceedings{Woelk86, +Author={D. Woelk and W. Kim and W. Luther}, +Title={An Object-Oriented Approach to Multimedia Databases}, +Booktitle={ACM SIGMOD Conference Proceedings}, +Year=1986 } + +@Article{Yankelovich88, +Author={N. Yankelovich and B. Haan and N. Meyrowitz and S. Drucker}, +Title={Intermedia: The Concept and the Construction of a Seamless Information + Environment}, +Journal={Computer}, +month=jan, +year=1988 } + +@TechReport{DoD87, +author={National Computer Security Center}, +title={A guide to Understanding Discretionary Access Controls in Trusted Systems}, +number={NCSC-TG-003}, +institution={National Computer Security Center}, +month=sep, +year=1987 } + +@TechReport{2167A, +author={Department of Defense}, +title={Defense System Software Development}, +number={DoD-STD-2167A}, +institution={Department of Defense}, +month=feb, +year=1988 } + +@TechReport{JDN88031, +Author={J.D. Northcutt and R.K. Clark and S.E. Shipman and D.P. +Maynard and D. C. Lindsay and E.D. Jensen and J.M. Smith and R.B. +Kegley and P.J. Keleher and B.A. 
Zimmerman}, +Title={{A}lpha Preview: A Briefing and Technology Demonstration for +{DoD}}, +Institution={Department of Computer Science}, +Type={Archons Project Technical Report 88031}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=mar, +Year=1988} + +@TechReport{EDJ88121, +Author={E.D. Jensen and J.D. Northcutt and R.K. Clark and S.E. +Shipman and D.P. Maynard and D.C. Lindsay}, +Title={The {A}lpha Operating System: An Overview}, +Type={Archons Project Technical Report 88121}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=dec, +Year=1980 } + +@TechReport{JDN88011, +Author={J.D. Northcutt}, +Title={The {A}lpha Operating System: Requirements and Rationale}, +Type={Archons Project, technical report 88011}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=jan, +Year=1988 } + +@TechReport{JDN88011a, +Author={J.D. Northcutt and R.K. Clark}, +Title={The {A}lpha Operating System: Programming Model}, +Type={Archons Project Technical Report 88021}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=feb, +Year=1988 } + +@TechReport{JDN88122, +Author={J.D. Northcutt and R.K. Clark and S.E. Shipman and D.C. +Lindsay}, +Title={The {Alpha} Operating System: System/Subsystem Specification}, +Type={Archons Project Technical Report 88122}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=dec, +Year=1988 } + +@TechReport{JDN88111, +Author={J.D. Northcutt}, +Title={The {A}lpha Operating System: Kernel Programmer's Interface +Manual}, +Type={Archons Project Technical Report 88111}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=nov, +Year=1988 } + +@TechReport{JET88123, +Author={J.E. Trull and J.D. 
Northcutt and R.K. Clark and S.E. +Shipman}, +Title={An Evaluation of {A}lpha Real-Time Scheduling Policies}, +Type={Archons Project Technical Report 88123}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=dec, +Year=1988 } + +@TechReport{RKC88032, +Author={R.K. Clark and R.B. Kegley and P.J. Keleher and D.P. +Maynard and J.D. Northcutt and S.E. Shipman and B.A. Zimmerman}, +Title={An Example Real-Time Command and Control Application on {A}lpha}, +Type={Archons Project Technical Report 88032}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=mar, +Year=1988} + +@TechReport{JDN88123, +Author={J.D. Northcutt and S.E. Shipman}, +Title={The {A}lpha Operating System: Program Maintenance Manual}, +Type={Archons Project Technical Report 88123}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University}, +Month=dec, +Year=1988} + +@TechReport{JDN88041, +Author={J.D. Northcutt and S.E. Shipman}, +Title={The {A}lpha Operating System: Programming Utilities}, +Type={Archons Project Technical Report 88041}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=apr, +Year=1988} + +@TechReport{JDN88033, +Author={J.D. Northcutt}, +Title={The {A}lpha Distributed Computer System Testbed}, +Type={Archons Project Technical Report 88033}, +Institution={Department of Computer Science}, +Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania}, +Month=mar, +Year=1988 } + +@book{JDN87, +Author={J.D. Northcutt}, +Title={Mechanisms for Reliable, Distributed Real-Time Operating Systems: The +{A}lpha Kernel}, +Publisher={Academic Press, New York}, +Year=1987} + +@TechReport{EDJ88120, +Author={E.D. Jensen and J.A. Test and R.D. Reynolds and E. Burke +and J.G. 
Hanko}, +Title={Alpha Release 2 Design Summary Report}, +Type={Technical Report 88120}, +Institution={Kendall Square Research Corporation, Cambridge, Massachusetts}, +Month=sep, +Year=1988} + +@TechReport{FDR88121, +Author={F.D. Reynolds and J.G. Hanko and J.A. Test and E. Burke +and E.D. Jensen}, +Title={Alpha Release 2 Kernel Interface Specification}, +Type={Technical Report 88121}, +Institution={Concurrent Computer Corporation, Cambridge, Massachusetts}, +Month=dec, +year=1988} + +@TechReport{RDR88122, +Author={F.D. Reynolds and J.G. Hanko and E.D. Jensen}, +Title={Alpha Release 2 Preliminary System/Subsystem Description}, +Type={Technical Report 88122}, +Institution={Concurrent Computer Corporation}, +Month=dec, +year=1988} + +@manual{Clark90, + Organization={Ph.D. Thesis, School of Computer + Science, Carnegie-Mellon University}, + Title={Scheduling Dependent Real-Time Activities}, + Author={R.K. {Clark}}, Year={1990}, Address={Pittsburgh, Pennsylvania}, + } + +@TechReport{DenningSecurityModel87, +author={T.F. Lunt and D.E. Denning and R.R. Schell +and M. Heckman and W.R. Shockley}, Title="Secure Distributed Data Views: +Formal Security Policy Model", +type={Technical Report}, number={RADC-TR-89-313, vol. II (of five)}, +institution="Rome Air Development Center", Year=1989 } + +@Article{LuntSeaViewModel90, +author={T.F. Lunt and D.E. Denning and R.R. Schell and M. Heckman and +W.R. Shockley}, Title="The {SeaView} Security Model", +Journal={IEEE Transactions on Software Engineering}, +volume=16, +number=6, +pages={593-607}, +month=jun, +year=1990 } + +@TechReport{Denning86Policy, +Author={D.E. Denning and T. Lunt and P.G. Neumann +and R.R. Schell and M. Heckman and W. Shockley}, Institution={Computer Science +Laboratory, SRI International}, Title={Security Policy and Interpretation for a +Class A1 Multilevel Secure Relational Database System}, Year={1986}, +Month=nov, Address={Menlo Park, California}} + +@InProceedings{KeyKOS, +Author={S.A. Rajunas and N. 
Hardy and A.C. Bomberger and W.S. Frantz and C.R. Landau}, +Title={Security in {K}ey{KOS}}, +Booktitle={Proceedings of the 1986 IEEE Sympsium on Security and Privacy}, +Month=apr, +Year=1986 } + +@Article{ShapiroHardy02, + Author={J.S. Shapiro and N. Hardy}, + Journal={IEEE Software}, + Title={{EROS:} A Principle-Driven Operating System from the Ground Up}, + Year={2002}, + Month={January/February}, + Volume={19}, + Number={1}, + Pages={26--33} + } + +@inproceedings{Kain86, +author = "R.Y. Kain and C.E. Landwehr", +title = "On Access Checking in Capability-Based Systems", +booktitle = {Proceedings of the 1986 IEEE Symposium on Security and Privacy}, +month = apr, +year = 1986 } + +@book{KainArch, +Author={R.Y. Kain}, +Title={Computer Architecture: Software and Hardware}, +Publisher={Prentice-Hall}, +Year={1988} } + +@InProceedings{Gong89c, +Author={L. Gong}, Title={A Secure Identity-Based Capability System}, +BookTitle ={Proceedings of the 1989 Symposium on Research in Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1989}, Month=may, pages={56--63} } + +@book{Soltis-400, +Author={F.G. Soltis}, +Title={Inside the AS/400}, +Publisher={29th Street Press, Loveland, Colorado, second edition}, +Year={1997} } + +@book{Soltis-i, +Author={F.G. Soltis}, +Title={Fortress Rochester: The Inside Story of the IBM iSeries}, +Publisher={29th Street Press, Loveland, Colorado}, +Year={2001} } + +@InProceedings{LuntDesign88, +Key={Lunt}, Author={T.F. Lunt and R.R. Schell and W.R. +Shockley and M. Heckman and D. Warren}, Title={A Near-Term Design for the +\mbox{{SeaView}} Multilevel Database System}, +BookTitle={Proceedings of the 1988 Symposium on +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1988}, Month=apr, pages={234-244}} + +@InProceedings{LuntDonovan90, +Author={T.F. Lunt and D. 
Hsieh}, +Title={The {SeaView} Secure Database System: A Progress Report}, +BookTitle={Proceedings of the European Symposium on Research in Computer Security +(ESORICS 90)}, Organization={IEEE Computer Society}, Address={Toulouse, +France}, Year={1990}, Month=oct, pages={}} + +@TechReport{DenningNeumann85, +Author={D.E. Denning and P.G. Neumann}, +Institution={Computer Science Laboratory, SRI International}, +Title={Requirements and Model for {IDES}: {A} Real-Time Intrusion-Detection +Expert System}, Year={1985}, Month=aug, Address={Menlo Park, California} } + +@TechReport{NCIC89, +Author={J.J. Horning and P.G. Neumann and D.D. Redell and J. Goldman and D.R. Gordon}, +Institution={Computer Professionals for Social Responsibility}, +Title={A Review of NCIC 2000 (report to the Subcommittee on Civil and +Constitutional Rights of the Committee on the Judiciary, United States House of +Representatives)}, Year={1989}, Month=feb, Address={Palo Alto, California} } + +@TechReport{NCIC90, +Author={P.G. Neumann}, +Institution={Computer Science Laboratory, SRI International}, +Title={Security Controls for NCIC Computer System Use: Federal, State, and Local}, +Year={1990}, day={29}, month={June}, Address= {Menlo Park, California} } + +@TechReport{TECSSecReq, +Author={T.F. Lunt and P.G. Neumann and J. Rushby and M. Moriconi}, +Institution={Computer Science Laboratory, SRI International}, +Title={{FBI-Customs Trusted Guard}: Security Policy and Security Requirements}, +Year={1990}, day={12}, month=nov, Address= {Menlo Park, California}, +NOTE= {Prepared for Roger Woods, FBI, Washington, D.C., under +Contract No.~N00174-89-C-0188. } } + +@InProceedings{Neumann90Halifax, +Author={P.G. Neumann}, Title={Whither Formal Methods?}, Booktitle={Formal +Methods for Trustworthy Computer Systems (FM'89), A Workshop on the Assessment +of Formal Methods for Trustworthy Computer Systems}, Note={23-27 July 1989, +Nova Scotia, Canada, D. Craigen and K. 
Summerskill (eds.)}, Year=1990, +isbn={3-540-19635-8}, +Publisher={Springer-Verlag, Berlin} } + +@Book{Craigen90, +Author={D. Craigen and K. {Summerskill (eds.)}}, Title={Formal +Methods for Trustworthy Computer Systems (FM'89), A Workshop on the Assessment +of Formal Methods for Trustworthy Computer Systems}, Note={23-27 July 1989, +Nova Scotia, Canada}, Year=1990, +isbn={3-540-19635-8}, +Publisher={Springer-Verlag, Berlin} } + +@Book{Srivas+96, +Author={M. Srivas and A. {Camilleri, editors}}, +Title={Formal Methods in Computer-Aided Design}, +publisher={Springer-Verlag, Berlin, +Lecture Notes in Computer Science, Vol. 1166}, +Year=1996 } + +@INPROCEEDINGS{Neumann87COMPASS, +Author={P.G. Neumann}, Key={Neumann}, +Year=1987, Month="Jun-Jul", Title={The {N} Best (or Worst) +Computer-Related Risk Cases}, +BookTitle={Proceedings of the Second Annual Conference on Computer +Assurance COMPASS '87, IEEE 87TH0196-6}, Organization={IEEE}, Pages={xi-xiii}} + +@INPROCEEDINGS{Neumann88COMPASS, +Author={P.G. Neumann}, Key={Neumann}, +Year=1988, Month=Jun, Title={The Computer-Related Risk of the Year: Computer +Abuse}, BookTitle={Proceedings of the Third Annual Conference on Computer +Assurance COMPASS '88, IEEE 88CH2628-6}, Organization={IEEE}, Pages={8-12}} + +@INPROCEEDINGS{Neumann89COMPASS, +Author={P.G. Neumann}, Key={Neumann}, +Year=1989, Month=Jun, Title={The Computer-Related Risk of the Year: +Misplaced Trust in Computer Systems}, +BookTitle={Proceedings of the Fourth Annual Conference on Computer +Assurance, COMPASS '89}, Organization={IEEE}, Pages={9-13}} + +@INPROCEEDINGS{Neumann90COMPASSa, +Author={P.G. Neumann}, Key={Neumann}, +Year=1990, Month=Jun, Title={The Computer-Related Risk of the Year: Distributed +Control}, BookTitle={Proceedings of the Fifth Annual Conference on Computer +Assurance, COMPASS '90, IEEE 90CH2830}, Organization={IEEE}, Pages={173-177}} + +@INPROCEEDINGS{Neumann90COMPASSb, +Author={P.G. 
Neumann}, Key={Neumann}, +Year=1990, Month=Jun, Title={Towards Standards and Criteria for Critical +Computer Systems}, BookTitle={Proceedings of the Fifth Annual Conference on +Computer Assurance, COMPASS '90}, Organization={IEEE}, Pages={186-188}} + +@INPROCEEDINGS{Neumann91COMPASS, +Author={P.G. Neumann}, Key={Neumann}, +Year=1991, Month=Jun, Title={The Computer-Related Risk of the Year: +Weak Links and Correlated Events}, +BookTitle={Proceedings of the Sixth Annual Conference on Computer +Assurance, COMPASS 91}, Organization={NIST, IEEE 91CH3033-8}, Pages={5-8}} + +@INPROCEEDINGS{Neumann93COMPASS, +Author={P.G. Neumann}, Key={Neumann}, +Year=1993, Month=Jun, Title={Myths of Dependable Computing: +Shooting the Straw Herrings in Midstream}, +BookTitle={Proceedings of the Eighth Annual Conference on Computer +Assurance, COMPASS 93}, Organization={NIST}, Pages={1--4}} + +@InProceedings{Neumann90EWD, +Key={Neumann}, Author={P.G. Neumann}, +title={Beauty and the Beast of Software Complexity -- Elegance versus Elephants}, +organization={Springer-Verlag, Berlin, New York}, +pages={346-351 (Chapter 39)}, +Year="11 May 1990", +booktitle= "Beauty Is Our Business, A Birthday Salute to Edsger W. Dijkstra", +note = {W.H.J. Feijen, A.J.M. van Gasteren, D. Gries, J. Misra, eds.} } + +@book{DijkstraBeauty, +Author={W.H.J. Feijen and A.J.M. van Gasteren and D. Gries and J. {Misra, editors}}, +Title={Beauty is our Business, A Birthday Salute to Edsger W. Dijkstra}, +Publisher={Springer-Verlag, Berlin}, +isbn={0-387-97299-4}, +Year={11 May 1990} } + +@InProceedings{Neumann90NCS, +Key = "Neumann", Author = "P.G. Neumann", +Title="Rainbows and Arrows: How the Security Criteria Address Computer Misuse", +Booktitle="Proceedings of the Thirteenth National Computer Security + Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990", +Pages="414-422", month=oct } + +@InProceedings{Ware95NCS, +Key = "Ware", Author = "W.H. 
Ware", +Title="A Retrospective of the Criteria Movement", +Booktitle = "Proceedings of the Eighteenth +National Information Systems Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995", +Pages="582-588", month=oct } + +@TechReport{Ware70, +author={W.H. Ware}, +Title={Security Controls for Computer Systems}, +institution= {RAND report for the Defense Science Board}, +address={}, month ={}, Year=1970, +note = {http://cryptome.org/sccs.htm} } + +@InProceedings{Neumann90Complexity, +Key = "Neumann", Author = "P.G. Neumann", +Title = "Managing Complexity in Critical Systems", +Booktitle = "Managing Complexity and Modeling Reality: Strategic Issues +and an Action Agenda", +Note="In a report edited by D. Frailey, based on an ACM +Conference on Critical Issues, Arlington, Virginia, +6-7 November 1990. This paper +includes a discussion of papers by David Parnas, Edward +S. Cheevers and R. Leddy in the conference track on Managing Complexity", +Address = "ACM, New York", Year = "1991", +ISBN={0-89791-458-9}, Pages="2-36 -- 2-42" } + +@TechReport{Neumann90NSF, +Author={P.G. Neumann}, Key={Neumann}, +Institution={Computer Science Laboratory, SRI International}, +Title={On the Design of Dependable Computer Systems for +Critical Applications}, Note={CSL Technical Report CSL-90-10}, +Year={1990}, Month=oct, Address={Menlo Park, California} } + +@TechReport{Neumann90RADC, +Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, Key={Neumann}, +Title={Secure Distributed Systems: Vulnerabilities, Defenses, and Analyses}, +Institution={Computer Science Laboratory, SRI International}, +Note={Project 1021, Interim Report}, +Year={1990}, Month=nov, Address={Menlo Park, California} } + +@TechReport{Neumann91RADC1, +Author={P.G. Neumann and N.E. Proctor and T.F. 
Lunt}, Key={Neumann}, +Title={A Designer's Handbook for Secure Distributed Systems -- Preventing +System Misuse: Analysis and Synthesis}, +Institution={Computer Science Laboratory, SRI International}, +Note={Project 1021, Interim Report}, +Year={1991}, Month=apr, Address={Menlo Park, California} } + +@TechReport{NeumannProctor91Handbook, +Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, +Title={Preventing Security Misuse in Distributed Systems}, +Institution={Computer Science Laboratory, SRI International}, +Note={Project 1021, Final Report}, +Year={1992}, day={20}, month={March}, Address={Menlo Park, California} } + +@TechReport{Neumann92RL, +Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, +Title={Preventing Security Misuse in Distributed Systems}, +Institution={Rome Laboratory Air Force Systems Command, +Griffiss Air Force Base, N.Y., 13441-5700}, +Note={RL-TR-92-152. For Official Use Only: +US Government Agencies and their +Contractors -- Critical Technology.}, +Year={1992}, Month=jun, Address={} } + +@TechReport{NeumannProctorLunt92, +Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, Key={Neumann}, +Title={Preventing Security Misuse in Distributed Systems}, +Institution={Computer Science Laboratory, SRI International}, +Note={Issued as Rome Laboratory report RL-TR-92-152, +Rome Laboratory C3AB, Griffiss AFB NY 13441-5700. +For Official Use Only.}, +Year={1992}, Month=jun, Address={Menlo Park, California} } + +@TechReport{LABCOM92, +Author={A. Barnes and A. Hollway and P.G. Neumann}, +Title={Survivable Computer-Communication Systems: The Problem and + Preliminary Recommendations}, +Institution={U.S. Army Vulnerability Assessment Laboratory}, +Note={For Official Use Only.}, +Year={1992}, Month=nov, Address={U.S. Army Vulnerability +Assessment Laboratory, SLCVA-D, White Sands Missile Range, NM 88002-5513} } + +@TechReport{LABCOM93, +Author={A. Barnes and A. Hollway and P.G. 
Neumann}, +Title={Survivable Computer-Communication Systems: The Problem and + Working Group Recommendations. {VAL-CE-TR-92-22} (revision 1)}, +Note={For Official Use Only.}, +Year={1993}, Month=may, Institution={U.S. Army Research +Laboratory, AMSRL-SL-E, White Sands Missile Range, NM 88002-5513} } + +@TechReport{Greenberg93, +Author={I. Greenberg and P. Boucher and R. Clark and E.D. Jensen and +T.F. Lunt and P.G. Neumann and D. Wells}, +Title={The Multilevel Secure Real-Time Distributed Operating System Study}, +Institution={Computer Science Laboratory, SRI International}, +Note={Issued as Rome Laboratory report RL-TR-93-101, +Rome Laboratory C3AB, Griffiss AFB NY 13441-5700. Contact Emilie Siarkiewicz, +Internet: SiarkiewiczE@CS.RL.AF.MIL, phone 315-330-3241. +For Official Use Only.}, +Year={1992}, Month=jun, Address={Menlo Park, California} } + +@TechReport{Proctor91RADC, +Author={N.E. Proctor}, Key={Proctor}, +Title={{SeaView} formal specifications}, +Institution={Computer Science Laboratory, SRI International}, +Year={1991}, Month=apr, Address={Menlo Park, California} } + +@TechReport{Gree91 + ,Author={I.B. Greenberg}, Institution={SRI International} + ,Title={Distributed Database Security}, Year={1991} + ,Month=apr, Address={Menlo Park, California}, Type={Final Report} + ,Note={For Contract No. MDA904-90-C-7708} } + +@InProceedings{Gree91b, +Author={I.B. Greenberg}, +BookTitle={Proceedings of the Fourth RADC Multilevel Database Security Works +hop},Organization={},Address={Little Compton, RI}, +Title={Should Serializability be Enforced in Multilevel Database Systems}, +Year={1991},Month=apr,Pages={} } + +@ARTICLE{NeumannRISKSindex91, +Author={P.G. 
Neumann}, TITLE = {Illustrative Risks to the Public in the +Use of Computer Systems and Related Technology, Index to {RISKS} cases +as of 23 {D}ecember 1991}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1992}, VOLUME = {17}, +NUMBER = {1}, PAGES = {23-32}, MONTH = jan , NOTE = {(Cumulative +updates are available on request.)}} + +@ARTICLE{NeumannRISKSindex94, +Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the +Use of Computer Systems and Related Technology, Index to {RISKS} cases, +as of 7 {O}ctober 1993}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1994}, VOLUME = {19}, +NUMBER = {1}, PAGES = {16--29}, MONTH = jan, +NOTE = {(At-least quarterly cumulative updates to this index are available +on request.)}} + +@ARTICLE{NeumannRISKSindex96, +Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the +Use of Computer Systems and Related Technology, Index to {RISKS} cases +as of 27 {N}ovember 1995}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1996}, VOLUME = {21}, +NUMBER = {1}, PAGES = {16--30}, MONTH = jan, +NOTE = {(This refers to the most recent published version. +Cumulative updates to this index are available online +at \verb+ftp://ftp.csl.sri.com/pub/users/neumann/illustrative.ps+ +and \verb+.pdf+ .)}} + +@TechReport{NeumannRISKSindex, +Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the +Use of Computer Systems and Related Technology, Index to {RISKS} cases}, +Institution = {Computer Science Laboratory, SRI International}, +Address = {Menlo Park, California}, +YEAR = {2010}, +NOTE = {Updated now and then: http://www.csl.sri.com/neumann/illustrative.html; +also in .ps and .pdf form for printing in a denser format.} +} + +@TechReport{NeumannRISKSindexVot, +Author={P.G. 
Neumann}, TITLE = {Illustrative Risks to the Public in the
+Use of Computer Systems and Related Technology, Index to {RISKS} cases},
+Institution = {Computer Science Laboratory, SRI International},
+Address = {Menlo Park, California},
+YEAR = {2004},
+NOTE = {The most recent version is available online
+in html form for browsing at \xlink{http://www.csl.sri.com/neumann/illustrative.html}{http://www.csl.sri.com/neumann/illustrative.html}.
+Click on ``Election Problems''.}}
+
+@article{InsideRISKS,
+author={P.G. Neumann}, key={neumann}, title = {Inside
+RISKS}, journal = {Communications of the ACM}, year = {1990-}, volume = {33-}, number = {},
+pages = {inside back cover}, month = {}, year = {}, Note = {monthly column
+since Jul 1990} }
+
+@InProceedings{Neumann91NCCV,
+Key = {Neumann}, Author = {P.G. Neumann},
+Title = {Computer Security and Human Values},
+Booktitle = {Proceedings of the National Conference on Computing and Values},
+Organization = {Southern Connecticut State University, New Haven,
+Connecticut}, Year = {1991}, Pages={}, Month = {12-16 August} }
+
+@InProceedings{Neumann92GI,
+author={P.G. Neumann},
+Title={Developing Complex Software for Critical Systems},
+BookTitle={22. Jahrestagung der Gesellschaft f\"{u}r Informatik},
+Year="1992", Month="30 Sept -- 2 October", pages="117-131" }
+
+@InProceedings{ProctorNeumann92,
+author={N.E. Proctor and P.G. Neumann},
+Title={Architectural Implications of Covert Channels},
+BookTitle="Proceedings of the Fifteenth National Computer Security Conference",
+Address = "Baltimore, Maryland", Year="1992", Month="13--16 October",
+pages="28--43",
+url="http://www.csl.sri.com/neumann/ncs92.html" }
+
+@TechReport{NeumannGong94,
+author={P.G. Neumann and L. Gong},
+Title={Minimizing Trust in Multilevel-Secure Systems},
+Institution = "SRI International, Menlo Park, California",
+Year="1994", Month="15 March" }
+
+@InProceedings{Gong94,
+Author={L. 
Gong}, TITLE = {New Protocols for Third-Party-Based
+Authentication and Secure Broadcast},
+Booktitle = {Second ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia},
+Year = {1994},
+Pages={176--163}, Month = nov }
+
+@TechReport{Gong94CSL,
+author={L. Gong},
+Title={Authentication, Key Distribution, and Secure Broadcast in
+Computer Networks Using No Encryption or Decryption},
+Institution = "SRI International, Menlo Park, California, SRI-CSL-94-08",
+Year="1994", Month=may, Note = {This report contains two earlier related
+papers on hash functions.} }
+
+@TechReport{gong96f
+ ,Author={S. Keung and L. Gong}
+ ,Title={{Enclaves in Java: APIs and Implementations}}
+ ,Institution={SRI International, Computer Science Laboratory}
+ ,Address={333 Ravenswood Avenue, Menlo Park, California 94025}
+ ,Year={1996}
+ ,Month=jul
+ ,Number={SRI-CSL-96-07}
+ }
+
+@TechReport{Gong96,
+author={L. Gong},
+Title={An Overview of {Enclaves} 1.0},
+Institution = "SRI International, Menlo Park, California, SRI-CSL-96-01",
+Year="1996", Month=jan,
+Note = "(\xlink{http://www.csl.sri.com/papers/346/}{http://www.csl.sri.com/papers/346/})" }
+
+@ARTICLE{Dugger88,
+Author={R. Dugger}, TITLE = {Annals of Democracy (Voting by Computer)},
+JOURNAL = {New Yorker}, YEAR = {1988}, VOLUME = {},
+NUMBER = {}, PAGES = {}, MONTH = {November 7,} }
+
+@TechReport{Saltman88,
+author={R.G. Saltman},
+Title={Accuracy, Integrity, and Security in Computerized Vote-Tallying},
+institution= {National Bureau of Standards (now NIST) special publication},
+address={Gaithersburg, Maryland}, month ={}, Year=1988}
+
+@InProceedings{Shamos93,
+Author={M. Shamos}, TITLE = {Electronic Voting: Evaluating the Threat},
+Booktitle = {Computers, Freedom and Privacy '93}, YEAR = {1993},
+PAGES = {3.18--3.25}, MONTH = mar }
+
+@InProceedings{Saltman93,
+Author={R.G. 
Saltman}, TITLE = {Assuring Accuracy, Integrity and Security
+in National Elections: The Role of the {U.S.} {Congress}},
+Booktitle = {Computers, Freedom and Privacy '93}, YEAR = {1993},
+PAGES = {3.8--3.17}, MONTH = mar }
+
+@InProceedings{Saltman93b,
+Author={R.G. Saltman}, TITLE = {An integrity model is needed for
+computerized voting and similar systems},
+BookTitle="Proceedings of the Sixteenth National Computer Security Conference",
+Address = "Baltimore, Maryland", Year="1993", Month=sep,
+pages="471--473" }
+
+@InProceedings{Neumann93NCS,
+author={P.G. Neumann},
+Title={Security Criteria for Electronic Voting},
+BookTitle="Proceedings of the Sixteenth National Computer Security Conference",
+Address = "Baltimore, Maryland", Year="1993", Month=sep,
+pages="478--482" }
+
+@InProceedings{Greenhalgh93,
+Author = "G.L. Greenhalgh",
+Title = "Security and Auditability of Electronic Vote
+Tabulation Systems: One Vendor's Perspective",
+Booktitle = "Proceedings of the Sixteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1993",
+Pages="483--489", month=sep}
+
+@InProceedings{Mercuri92,
+Author = "R.T. Mercuri",
+Title = "Physical Verifiability of Computer Systems",
+Booktitle = "5th International Computer Virus and Security Conference",
+Year = "1992", Month = mar}
+
+@InProceedings{Mercuri93,
+Author = "R. Mercuri",
+Title = "Threats to Suffrage Security",
+Booktitle = "Proceedings of the Sixteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1993",
+Pages="474--477", month=sep }
+
+@InProceedings{NRM,
+Key="Fellows", Author="J. Fellows and J. Hemenway and N. 
Kelem",
+Title="The Architecture of a Distributed Trusted Computing Base",
+BookTitle="10th National Computer Security Conference",
+Address = "Baltimore, Maryland", Year="1987", Month="21-24 September", pages="68-77",
+Note="Reprinted in Rein Turn, editor,
+{\it Advances in Computer System Security},
+Vol. 3, Artech House, Dedham, Massachusetts, 1988" }
+
+@InProceedings{Weissman88,
+Author={C. Weissman}, Title={Blacker: Security for the {DDN}. {E}xamples of
+{A1} Security Engineering Trades},
+BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1992}, Month=may, pages={286-292},
+Note={This paper was originally presented at the April 1988 Symposium,
+but not published for four years because of a release problem.}}
+
+@InProceedings{Weissman88N,
+Author={C. Weissman}, Title={Blacker: Security for the {DDN}. {E}xamples of
+{A1} Security Engineering Trades},
+BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1992}, Month=may, pages={286-292},
+Note = {This paper was the recipient of the 1988 SSP Best Paper award, but
+was not published until 1992.} }
+
+@article{Weissman91,
+author={C. Weissman}, title = {A National Debate on Encryption Exportation},
+journal = {Communications of the ACM}, year = {1991}, volume = {34}, number = {10},
+pages = {162}, month = oct, Note = {Guest contribution to P.G. Neumann's
+{\it Inside Risks} column} }
+
+@article{Neumann90CACM,
+author={P.G. Neumann}, title = {Risks in Computerized Elections},
+journal = {Communications of the ACM}, year = {1990}, volume = {33},
+number = {11}, pages = {170}, month = nov,
+Note= {{\it Inside Risks} column.} }
+
+@article{NeumannCACM94-4,
+author={P.G. 
Neumann}, title = {Risks of Passwords},
+journal = {Communications of the ACM}, year = {1994}, volume = {37},
+number = {4}, pages = {126}, month = apr,
+Note= {{\it Inside Risks} column.} }
+
+@article{NeumannCACM94-5,
+author={P.G. Neumann}, title = {Alternative Passwords},
+journal = {Communications of the ACM}, year = {1994}, volume = {37},
+number = {5}, pages = {146}, month = may,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriNeumannCACM01-1,
+author={R. Mercuri and P.G. Neumann}, title = {System Integrity Revisited},
+journal = {Communications of the ACM}, year = {2001}, volume = {44},
+number = {1}, pages = {}, month = jan,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriCACM92-11,
+author={R. Mercuri}, title = {Voting-Machine Risks},
+journal = {Communications of the ACM}, year = {1992}, volume = {35},
+number = {11}, pages = {}, month = nov,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriCACM93-11,
+author={R. Mercuri}, title = {Corrupted Polling},
+journal = {Communications of the ACM}, year = {1993}, volume = {36},
+number = {11}, pages = {}, month = nov,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriCACM02-1,
+author={R. Mercuri}, title = {Uncommon Criteria},
+journal = {Communications of the ACM}, year = {2002}, volume = {45},
+number = {1}, pages = {}, month = jan,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriCACM02-11,
+author={R. Mercuri},
+title = {Florida 2002: Sluggish Systems, Vanishing Votes},
+journal = {Communications of the ACM}, year = {2002}, volume = {45},
+number = {11}, pages = {}, month = nov,
+Note= {{\it Inside Risks} column.} }
+
+@article{MercuriCACM03-1,
+author={R. Mercuri},
+title = {On Auditing Audit Trails},
+journal = {Communications of the ACM}, year = {2003}, volume = {46},
+number = {1}, pages = {}, month = jan,
+Note= {{\it Security Watch} column.} }
+
+@ARTICLE{NeumannMercuriWeinstein01,
+Author={P.G. Neumann and R. Mercuri and L. 
Weinstein},
+TITLE = {Internet and Electronic Voting},
+JOURNAL = {ACM Software Engineering Notes}, YEAR = {2001}, VOLUME = {26},
+NUMBER = {2}, PAGES = {8}, MONTH = mar,
+NOTE ={Earlier version in the Risks Forum, volume 21 number 14.} }
+
+@InCollection{MercuriNeumann02,
+Publisher = "Kluwer Academic Publishers",
+Author = "R. Mercuri and P.G. Neumann",
+Title = "Verification for Electronic Balloting Systems",
+Year = "2002", Pages = "", Address = "Boston, Massachusetts",
+Booktitle = "Secure Electronic Voting, Advances in Information
+ Security, Volume 7",
+Editors = "D. Grizalis" }
+
+@inProceedings{MercuriNeumann02x,
+Author="R. Mercuri and P.G. Neumann",
+Title="Verification for Electronic Balloting Systems",
+Booktitle="Secure Electronic Voting",
+Note ="D. Gritzalis (editor)", Publisher =
+"Kluwer Academic Publishers, Boston",Year="2002",Pages=""}
+
+@book{Boehm89,
+Author={B. Boehm},
+Title={Tutorial: Software Risk Management},
+Publisher={IEEE Computer Society Press, Piscataway, New Jersey},
+Year={1989} }
+
+@book{Charette89,
+Author={R.N. Charette},
+Title={Software Engineering Risk Analysis and Management},
+Publisher={McGraw-Hill, New York},
+Year={1989} }
+
+@book{Charette90,
+Author={R.N. Charette},
+Title={Application Strategies for Risk Analysis},
+Publisher={McGraw-Hill, New York},
+Year={1990} }
+
+@book{Charette93,
+Author={R.N. Charette and F. Scarff and A. Carty},
+Title={Introduction to the Management of Risk},
+Publisher={HMSO (Her Majesty's Stationary Office)},
+NOTE = {ISBN 0 11 330648 2},
+Year={1993} }
+
+@InProceedings{Charette97,
+Author={R.N. 
Charette},
+TITLE = {Managing the Risks in Information Systems and Technology},
+Booktitle = {Advances in Computers}, YEAR = {1997}, VOLUME = {44},
+Publisher = {Academic Press},
+PAGES = {1--58} }
+
+@proceedings{LSSI,
+Title={SEI/NSIA Conference on Risks in the Acquisition and Development of
+Large-Scale Software Intensive (LSSI) Systems},
+ORGANIZATION={SEI/NSIA},
+Address ={Pittsburgh, Pennsylvania},
+Month={October 8-10},
+Year={1991} }
+
+@book{Jones94,
+Author={C. Jones},
+Title={Assessment and Control of Software Risks},
+Publisher={Yourdon Press},
+Year={1994} }
+
+@InProceedings{BrunnsteinTrust,
+Key = {Brunnstein}, Author = {Klaus Brunnstein, Simone Fischer-Huebner},
+Title = {Risk Analysis of "Trusted Computer Systems"},
+Booktitle = {Sixth International Conference on Information Security: SEC'90},
+Organization = {IFIP TC-11}, Address = {Helsinki-Espoo}, Year = {1990},
+Pages={}, Month = {23-25 May} }
+
+@Manual{DTI,
+KEY={GreatBritain}, TITLE = {Dark Green Books},
+ORGANIZATION={Commercial Computer Security Centre, Department of Trade and Industry},
+AUTHOR={U.K.-DTI},
+NOTE = {Volumes V01 (Overview Manual), V02 (Glossary), V03 (Index), V11 (Users'
+Code of Practice), V21 (Security Functionality Manual), V22 (Evaluation
+Levels Manual), V23 (Evaluation and Certification Manual), V31 (Vendors'
+Code of Practice), Version 3.0},
+MONTH = feb,
+YEAR={1989}}
+
+@Manual{GISA,
+TITLE = {IT-Security Criteria, Criteria for the Evaluation of
+Trustworthiness of Information Technology (IT) Systems},
+ORGANIZATION = {German Information Security Agency (ZSI),
+Am Nippenkreuz 19, D 5300 Bonn 2}, AUTHOR={GISA},
+NOTE = {Translation of Kriterien
+f\"{u}r die Bewertung der Sicherheit von Systemen der Informationstechnik (IT),
+Zentralstelle f\"{u}r Sicherheit in der Informationstechnik (formerly
+ZSI, now CSI),
+first edition, Bundesanzeiger, K\"{o}ln, Postfach
+108006, 5000 Germany},
+MONTH = {11 January}, YEAR= {1989} }
+
+@article{TanenbaumVanRenesse, 
+key={tanenbaum}, Author={A.S. Tanenbaum and R. van Renesse},
+TITLE = {Distributed Operating Systems}, JOURNAL = {ACM Computing Surveys},
+YEAR={1985}, VOLUME = {17}, NUMBER = {4}, PAGES = {419-470}, MONTH = dec }
+
+@book{Mullender89,
+Author={S.J. {Mullender (ed.)}}, key={Mullender},
+Title={Distributed Systems}, Publisher={ACM Press, New York,
+and Addison-Wesley, Reading, Massachusetts}, Year={1989} }
+
+@book{Tanenbaum92,
+Author={A.S. Tanenbaum},
+Title={Modern Operating Systems},
+Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
+Year={1992} }
+
+@article{Amoeba90,
+Author={S.J. Mullender and G. van Rossum and A.S. Tanenbaum and R. van Renesse
+and H. van Staveren}, TITLE = {Amoeba, A distributed operating system for the
+1990s}, JOURNAL = {Computer}, YEAR = {1990}, VOLUME = {33}, NUMBER = {5},
+PAGES = {44-53}, MONTH = may }
+
+@article{Amoeba90a,
+key={tanenbaum}, Author={A.S. Tanenbaum and R. van Renesse and H. van Staveren
+and G.J. Sharp and S.J. Mullender and G. van Rossum}, TITLE = {Experiences with
+the {A}moeba distributed operating system},
+JOURNAL = {Communications of the ACM},
+YEAR = {1990}, VOLUME = {33}, NUMBER = {12}, PAGES = {46-63}, MONTH = dec }
+
+@book{Schach,
+Author={S.R. Schach},
+Title={Software Engineering, 2nd ed.},
+Publisher={Aksen Associates, Homewood, Illinois},
+Year={1993} }
+
+@TechReport{Bull+90,
+Author={C.E. Landwehr and A.R. Bull and J.P. McDermott and W.S. Choi},
+Institution={Center for Secure Information Technology,
+Information Technology Division, Naval Research Laboratory},
+Title={A Taxonomy of Computer Program Security Flaws, with Examples},
+Year={1993}, Month=nov, Address={Washington, D.C.} }
+
+@book{Hoffman90,
+Author={L.J. {Hoffman (ed.)}}, key={Hoffman},
+Title={Rogue Programs: Viruses, Worms, and Trojan Horses},
+Publisher={Van Nostrand Reinhold, New York},
+isbn={0-442-00454-0},
+Year={1990}}
+
+@book{DenningACM90,
+Author={P.J. 
{Denning (ed.)}}, key={Denning},
+Title={Computers Under Attack: Intruders, Worms, and Viruses},
+Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
+Year={1990}, Note={ACM order number 706900} }
+
+@book{DenningDenning97,
+Author={P.J. Denning and D.D. Denning},
+Title={Internet Besieged},
+Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
+Year={1997} }
+
+@InProceedings{NeumannACM90,
+Author = {P.G. Neumann}, Title = {A Perspective from the Risks Forum},
+Booktitle = {Computers Under Attack: Intruders, Worms, and Viruses},
+Organization = {ACM Press, New York},
+Year = {1990}, Pages={Article 39, 535-543}, Month = {}, NOTE={} }
+
+@InProceedings{NeumannAAAS93,
+Author = {P.G. Neumann},
+Title = {Limitations of Computer-Communication Technology},
+Booktitle = {Proceedings of an Invitational Conference on Legal, Ethical,
+and Technological Aspects of Computer and Network Use and Abuse},
+Organization = {AAAS}, Address = {},
+Year = {1993}, Pages={}, Month = dec }
+
+@TechReport{Paul90,
+author={J. Paul},
+Title={Bugs in the Program},
+institution= {Report by the Subcommittee on Investigations and Oversight
+of the Committee on Science, Space and Technology},
+address={U.S. House of Representatives}, month ={}, Year=1990}
+
+@book{NeumannRisksBook,
+Author={P.G. Neumann},
+Title={Computer-Related Risks},
+Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
+Year={1995} }
+
+@book{NeumannRisksBookISBN,
+Author={P.G. Neumann},
+Title={Computer-Related Risks},
+Note = {ISBN 0-201-55805-X.},
+Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
+Year={1995} }
+
+@book{Bernstein96,
+Author={P.L. Bernstein},
+Title={Against the Gods: The Remarkable Story of Risk},
+Publisher={John Wiley \& Sons, New York},
+Year={1996} }
+
+@TechReport{Neumann94crypto,
+author={P.G. 
Neumann},
+Title={Can Systems Be Trustworthy with Software-Implemented Crypto?},
+institution= {Final Report, Project 6402, SRI International},
+Note={For Official Use Only, NOFORN.},
+address={Menlo Park, California}, month =oct, Year={1994}}
+
+@TechReport{Neumann95Arch,
+author={P.G. Neumann},
+Title={Architectures and Formal Representations for Secure Systems},
+institution= {Final Report, Project 6401, SRI International},
+Note={CSL report 96-05.},
+address={Menlo Park, California}, month =oct, Year={1995} }
+
+@TechReport{Neumann99ARL,
+author={P.G. Neumann},
+Title={Practical Architectures for Survivable Systems and Networks},
+institution= {Final Report, Phase One, Project 1688, SRI International},
+address={Menlo Park, California},
+month =jan, Year={1999},
+URL="http://www.csl.sri.com/neumann/arl-one.html",
+NOTE = {also available in .ps and .pdf form} }
+
+@TechReport{Neumann00ARL,
+author={P.G. Neumann},
+Title={Practical Architectures for Survivable Systems and Networks},
+institution= {Final Report, Phase Two, Project 1688, SRI International},
+address={Menlo Park, California},
+month =jun, Year={2000},
+NOTE = "http://www.csl.sri.com/neumann/survivability.html"
+}
+
+@TechReport{NeumannCHATS01a,
+author={Peter G. Neumann},
+Title={Composability Revisited},
+institution= {Computer Science Laboratory, SRI International},
+Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
+\xlink{http://www.csl.sri.com/neumann/chats1.html}{http://www.csl.sri.com/neumann/chats1.html}; also chats1.ps and chats1.pdf.},
+address={Menlo Park, California}, month ={28 September}, Year=2001 }
+
+@TechReport{NeumannCHATS01b,
+author={Peter G. 
Neumann},
+Title={{CHATS} Principles},
+institution= {Computer Science Laboratory, SRI International},
+Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
+\xlink{http://www.csl.sri.com/neumann/chats2.html}{http://www.csl.sri.com/neumann/chats2.html}; also chats2.ps and chats2.pdf.},
+address={Menlo Park, California}, day=29, month=dec, Year=2001 }
+
+@TechReport{NeumannCHATS02a,
+author={P. G. Neumann},
+Title={Principled Composable Trustworthy Architectures},
+institution= {Computer Science Laboratory, SRI International},
+Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
+\xlink{http://www.csl.sri.com/neumann/chats3.html}{http://www.csl.sri.com/neumann/chats3.html}; also chats3.ps and chats3.pdf.},
+address={Menlo Park, California}, day=29, month=mar, Year=2002 }
+
+@TechReport{NeumannCHATS02b,
+author={P.G. Neumann},
+Title={Principled Assuredly Trustworthy Composable Architectures},
+institution= {Computer Science Laboratory, SRI International},
+Note = {First-year final report, SRI Project 11459,
+\xlink{http://www.csl.sri.com/neumann/chats4.html}{http://www.csl.sri.com/neumann/chats4.html}; also chats4.ps and chats4.pdf.},
+address={Menlo Park, California}, day=29, month=jun, Year=2002 }
+
+@TechReport{NeumannCHATS04,
+author={Peter G. Neumann},
+Title={Principled Assuredly Trustworthy Composable Architectures},
+institution= {Computer Science Laboratory, SRI International},
+address={Menlo Park, California}, month=dec, Year=2004,
+NOTE = "http://www.csl.sri.com/neumann/chats4.html, .pdf, and .ps, Final report, SRI Project 11459"
+ }
+
+@InProceedings{Neumann03DISCEX3,
+Author={P.G. 
Neumann},
+Title={Achieving Principled Assuredly Trustworthy Composable Systems
+ and Networks},
+BookTitle={Proceedings of the DARPA Information Survivability Conference
+ and Exhibition, DISCEX3, volume 2},
+Organization={DARPA and IEEE Computer Society}, Address={},
+Year={2003}, Month=apr, pages={182--187}}
+
+@TechReport{Lee+92,
+author={E.S. Lee and P.I.P. Boulton and B.W. Thomson and R.E. Soper},
+Title={Composable Trusted Systems},
+institution= {Computer Systems Research Institute},
+Note = {CSRI-272},
+address={University of Toronto, Ontario}, month ={31 May}, Year=1992 }
+
+@TechReport{Dinolt94,
+author={L.A. Benzinger and G.W. Dinolt and M.G. Yatabe},
+Title={Final Report: A distributed system multiple security policy model},
+institution= {Loral Western Development Laboratories, report WDL-TR00777},
+address={San Jose, California}, month =oct, Year={1994} }
+
+@InProceedings{Dinolt94b,
+author={L.A. Benzinger and G.W. Dinolt and M.G. Yatabe},
+Title={Combining components and policies},
+Booktitle={Proceedings of the Computer Security Foundations
+ Workshop VII, J. Guttman, editor},
+institution= {IEEE Computer Society Press},
+month =jun, Year={1994} }
+
+@InProceedings{DinoltWilliams87,
+ author = "G.W. Dinolt and J.C. Williams",
+ title = "{A Graph-Theoretic Formulation of Multilevel Secure
+ Distributed Systems: An overview}",
+ booktitle = "1987 IEEE Symposium on Security and Privacy",
+ year = "1987",
+ pages = "99-103",
+ organization = "The Computer Society of the IEEE",
+ publisher = "IEEE Computer Society Press",
+ address = "1730 Massachusetts Avenue, N.W., Washington, D.C. 20036-1903",
+ month = Apr}
+
+@book{BurnhamRise,
+Author={D. Burnham},
+Title={The Rise of the Computer State},
+Publisher={Random House, New York},
+Year={1982} }
+
+@book{BurnhamIRS,
+Author={D. 
Burnham},
+Title={A Law Unto Itself: The {IRS} and the Abuse of Power},
+Publisher={Vintage Books, Random House, New York},
+Year={1989} }
+
+@book{GarfinkelSpafford91,
+Author={S. Garfinkel and E. Spafford}, key={Garfinkel},
+Title={Practical {UNIX} Security},
+Publisher={O'Reilly \& Associates, Sebastopol, California},
+Year={1991} }
+
+@book{GarfinkelSpafford03,
+Author={S. Garfinkel and E. Spafford and A. Schwartz}, key={Garfinkel},
+Title={Practical {UNIX} and Internet Security, 3rd Edition},
+Publisher={O'Reilly \& Associates, Sebastopol, California},
+Year={2003} }
+
+@book{Garfinkel95,
+Author={S. Garfinkel},
+Title={PGP: Pretty Good Privacy},
+Publisher={O'Reilly \& Associates, Sebastopol, California 95472},
+Year={1995} }
+
+@book{Ferbrache92,
+Author={D. Ferbrache},
+Title={A Pathology of Computer Viruses},
+Publisher={Springer-Verlag, Berlin},
+Year={1992} }
+
+@InProceedings{Bonyun,
+Author = "D. Bonyun",
+Title = "Rules as the Basis of Access Control in Database Management Systems",
+BookTitle="7th DoD/NBS Computer Security Initiative Conf.,
+NBS, Gaithersburg, Maryland", Year="1984", Month="24-26 September", Pages="38-47"}
+
+@Manual{AFSB83,
+Author={M. {Schaefer et al.}}, key={Schaefer},
+Title={Multilevel Data Management Security},
+organization={Air Force Studies Board, National Research Council,
+National Academies Press}, Year=1983,
+Note={Final report of the 1982 Multilevel Data Management Security
+ Committee.} }
+
+@Book{NAS,
+Key="Schaefer", Author = {M. {Schaefer (editor)}},
+Title ="Multilevel Data Management Security", Note = "Report of the 1982
+Summer Study, National Academy of Sciences,
+Air Force Studies Board, Marvin Schaefer, Chairman, For Official Use Only)",
+Publisher ="National Academies Press, Air Force Studies Board, National
+Research Council", Address = "Washington, D.C.", Year= "1983"}
+
+@Book{NASdb, Key="Schaefer", Author = {M. 
{Schaefer (editor)}}, Title
+="Multilevel Data Management Security", Note = "Report of the 1982
+Summer Study, National Academy of Sciences,
+Air Force Studies Board, Marvin Schaefer, Chairman; published in 1983).
+In particular, see Chapter 3
+-- General Security Policy, D.E. Denning and P.G. Neumann (eds)",
+Publisher ="National Academies Press, Air Force Studies Board, National
+Research Council", Address = "Washington, D.C.", Year= "1983"}
+
+@InProceedings{NASsdb,
+Author = {D.E. Denning and P.G. {Neumann, editors}},
+title ={General Security Policy},
+Booktitle ={Multilevel Data Management Security},
+Note={Chapter 3 of the Report of the 1982 Summer Study,
+ National Academy of Sciences,
+ Air Force Studies Board, Marvin Schaefer, Chairman},
+Address = "Washington, D.C.", Year= "1983"}
+
+@manual{NAS90,
+author = {D.D. {Clark et al.}}, title = {Computers at Risk: Safe
+Computing in the Information Age}, organization = {National Research Council,
+National Academies Press, 2101 Constitution Ave., Washington,
+D.C.}, month = {5 December}, year = {1990}, note={Final report of the
+System Security Study Committee.} }
+
+@book{NRC96,
+author = {K.W. Dam and H.S. {Lin, editors}},
+title = {Cryptography's Role In Securing the Information Society},
+publisher = {National Research Council, National Academies Press,
+2101 Constitution Ave., Washington, D.C.},
+year = {1996}, note={Final report of the Cryptographic Policy Study
+Committee, ISBN 0-309-05475-3.} }
+
+@book{NRC98trust,
+author = {F.B. Schneider and M. {Blumenthal, editor}},
+title = {Trust in Cyberspace},
+publisher = {National Research Council, National Academies Press,
+2101 Constitution Ave., Washington, D.C.},
+year = {1998}, note={Final report of the National Research
+Council Committee on Information Trustworthiness.} }
+
+@book{NRC00,
+author = {S.H. Fuller and D.G. 
{Messerschmitt, editors}},
+title = {Making It Better: Expanding Information Technology
+ Research To Meet Society's Needs},
+publisher = {National Research Council, National Academies Press,
+2101 Constitution Ave., Washington, D.C.},
+month = may, year = {2000}, note={Final report of the National Research
+Council Committee.} }
+
+@article{SchneiderCACM98-11,
+author={F.B. Schneider}, title = {Toward Trustworthy Networked Information
+ Systems},
+journal = {Communications of the ACM}, year = {1998}, volume = {41},
+number = {11}, pages = {}, month = nov,
+Note= {{\it Inside Risks} column.} }
+
+@TechReport{Schneider02,
+Author={F.B. {Schneider, editor}},
+Title={Research to Support Robust Cyber Defense},
+Institution={Study Committee for J. Lala, DARPA},
+Month =may, Year={2000}, Note={Slides only.} }
+
+@BOOK{NAS90x,
+NOTE = {ISBN 0-309-04388-3} }
+
+@article{Loepere85,
+author={K. P. Loepere},
+title={Resolving Covert Channels within a {B}2 Class Secure System},
+journal={Operating Systems Review},
+month=jul,
+year=1985}
+
+@InProceedings{LuntReal90,
+Key = "Loepere", Author = "K.P. Loepere and F.D. Reynolds and E.D. Jensen and
+T.F. Lunt", Title = "Security for real-time systems",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="318-332", month=oct }
+
+@book{LeviAgrawala90,
+Author={S.-T. Levi and A.K. Agrawala},
+Title={Real-Time System Design},
+Publisher={McGraw-Hill, New York},
+Year={1990} }
+
+@InProceedings{SandhuJajodia90,
+Key = "Sandhu", Author = "R.S. Sandhu and S. Jajodia",
+Title = "Integrity mechanisms in database management systems",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="526-540", month=oct }
+
+@InProceedings{SandhuJajodia91,
+Key = "Sandhu", Author = "R.S. Sandhu and S. 
Jajodia",
+Title = "Honest Databases That Can Keep Secrets",
+Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
+Pages="267-282", month=oct }
+
+@TechReport{Gray89,
+author={J. Gray}, Title={Transparency in Its Place},
+institution={TR89.1, Tandem Computers},
+address={Cupertino, California}, month ={},
+Year= 1989 }
+
+@TechReport{GrayTandem, Key={Gray}, Author={J. Gray},
+Title={Why Do Computers Stop, and What Can Be Done About It?},
+Institution={TR85.7, Tandem Computers, Inc.}, Year={1985},
+Month ={}, Address={Cupertino, California}, }
+
+@article{OszuValduriez91a,
+author={M.T. \"{O}szu and P. Valduriez}, title = {Distributed Database Systems:
+Where Are We Now?},
+journal = {Computer}, year = {1991}, volume = {24},
+number = {8}, pages = {68-78}, month = aug }
+
+@book{OszuValduriez91b,
+Author={M.T. \"{O}szu and P. Valduriez},
+Title={Principles of Distributed Database Systems},
+Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
+Year={1991} }
+
+@TechReport{Wallace+91a,
+author={D.R. Wallace and D.R. Kuhn and J.C. Cherniavsky},
+Title={Proceedings of the Workshop on High Integrity Software},
+institution= {National Institute of Standards and Technology},
+address={Gaithersburg, Maryland}, month ={22-23 January },
+Year=1991, Note = {NIST Special Publication 500-190} }
+
+@TechReport{Wallace+91b,
+author={D.R. Wallace and M. Brown and A. {McKinlay VI}},
+Title={Proceedings of the Forum on Standards for High Integrity Software
+({DoD, Goverment, Industry})},
+institution= {National Institute of Standards and Technology},
+address={Gaithersburg, Maryland}, month ={22-23 January },
+Year=1991, Note = {NISTIR 4656} }
+
+@InProceedings{Roskos90,
+Key = "Roskos", Author = "J.E. Roskos and S.R. Welke and J.M. Boone
+and T. 
Mayfield", Title = "A taxonomy of integrity models, implementations
+and mechanisms", Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="541-551", month=oct }
+
+@InProceedings{Levin90,
+Key = "Levin", Author = "T.E. Levin and A. Tao and S.J. Padilla",
+Title = "Covert storage channel analysis: a worked example",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="10-19", month=oct }
+
+@InProceedings{Thompson90,
+Author = "M.F. Thompson and R.R. Schell and A. Tao and T.E. Levin",
+Title = "Introduction to the Gemini Trusted Network Processor",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="211-217", month=oct }
+
+@TechReport{GEMSOS91,
+author={Gemini},
+Title={Programmer's Guide to the GEMSOS Security Kernel Interface},
+institution= {Gemini Computers, Inc.},
+address={Carmel, California}, month =jul,
+Year=1991 }
+
+@InProceedings{King90,
+Key = "", Author = "G. King",
+Title = "Considerations for {VSLAN} Integrators and {DAAs}",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="201-210", month=oct }
+
+@InProceedings{Bell90,
+Key = "", Author = "D.E. Bell",
+Title = "Trusted {Xenix} Interpretation: Phase 1",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="333-339", month=oct }
+
+@InProceedings{WinklerJ90,
+Key = "", Author = "J.R. 
Winkler",
+Title = "A {Unix} Prototype for Intrusion and Anomaly Detection in
+Secure Networks",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="115-124", month=oct }
+
+@InProceedings{Winkler90,
+Key = "", Author = "H.B. Winkler-Parenty",
+Title = "Trusted System Interoperability",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="567-569", month=oct }
+
+@InProceedings{Vetter90,
+Key = "", Author = "L.L. Vetter",
+Title = "Oracle Secure Systems: 1989-1990 A `Year in Review",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="570-571", month=oct }
+
+@InProceedings{Alstad+90,
+Author = "J.P Alstad and C.M. Brophy and T.C. Vickers Benzel and M.M. Bernstein
+and R.J. Feiertag",
+Title = "The Role of {``System Build''} in Trusted Embedded Systems",
+Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
+Pages="172-181", month=oct }
+
+@article{Ramanathan90,
+author={P. Ramanathan and K.G. Shin and R.W. Butler}, key= {Ramanathan},
+title = {Fault-Tolerant Clock Synchronization in Distributed Systems},
+journal = {Computer}, year = {1990}, volume = {23},
+number = {10}, pages = {33-42}, month = oct }
+
+@article{Manber90,
+author={U. Manber}, key={Manber},
+title = {Chain Reactions in Networks},
+journal = {Computer}, year = {1990}, volume = {23},
+number = {10}, pages = {57-63}, month = oct }
+
+@InProceedings{Meadows90,
+Key={Meadows}, Author={C. 
Meadows}, Title={Extending the Brewer-Nash + Model to a Multilevel Context}, +BookTitle={Proceedings of the 1990 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1990}, Month=may, pages={95--102}} + +@InProceedings{Wray91, +Key={Wray}, Author={J.C. Wray}, Title={An Analysis of Covert Timing Channels}, +BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={2-7}} + +@InProceedings{Hu91, +Key={Hu}, Author={W.-M. Hu}, Title={Reducing Timing Channels with Fuzzy Time}, +BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={8-20}} + +@InProceedings{Gray91, +Key={Gray}, Author={J.W. {Gray III}}, Title={Toward a Mathematical +Foundation for Information Flow Security}, +BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={21-34}} + +@InProceedings{PorrasKemmerer91, +Key={Porras}, Author={P.A. Porras and R.A. Kemmerer}, Title={Analyzing +Covert Storage Channels}, BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={36-51}} + +@InProceedings{KargerWray91, +Key={Karger}, Author={P.A. Karger and J.C. Wray}, Title={Storage Channels +in Disk Arm Optimization}, BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={52-61}} + +@InProceedings{KargerKurth04, +Key={Karger}, Author={P.A. Karger and H. 
Kurth }, Title={Increased + Information Flow Needs for High-Assurance Composite Evaluations}, + BookTitle={Proceedings of the Second International Information Assurance + Workshop (IWIA 2004)}, + Organization={IEEE Computer Society}, Address={Charlotte, + North Carolina}, Year={2004}, Month=may, pages={129--140}} + +@InProceedings{Meadows91, +Key={Meadows}, Author={C. Meadows}, Title={A System for the Specification +and Analysis of Key Management Protocols}, +BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={}} + +@InProceedings{Tardo+91, +Key={Tardo}, Author={J.J. Tardo and K. Alagappan}, Title={{SPX}: Global +Authentication Using Public Key Certificates}, +BookTitle={Proceedings of the 1991 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1991}, Month=may, pages={232-244}} + +@Manual{CCITT509, +Key="CCITT", Author={CCITT}, Title="{CCITT} Draft Recommendation {X.509}: +The Directory-Authentication Framework, version 7", +Year="November 1987", +Organization="{CCITT}, Gloucester" } + +@TECHREPORT{Abadi+Lamport:refinement, + AUTHOR = {M. Abadi and L. Lamport}, + TITLE = {The Existence of Refinement Mappings}, + INSTITUTION = {DEC Systems Research Center}, + YEAR = {1988}, NUMBER = {29}, ADDRESS = {Palo Alto, California}, + MONTH = aug } + +@INPROCEEDINGS{Lamport+Abadi89, + AUTHOR = {M. Abadi and L. Lamport}, + TITLE = {Composing Specifications}, + BOOKTITLE = {Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness}, + YEAR = {1989}, + EDITOR = {J.W. de Bakker and W.-P. de Roever and G. Rozenberg}, + PAGES = {1--41}, + PUBLISHER = {Springer-Verlag, Berlin, + Lecture Notes in Computer Science, vol.~230}, + ADDRESS = {REX Workshop, Mook, The Netherlands}, + MONTH = {May-June} +} + +@TechReport{Rushby91Composing, +author={J.M. 
Rushby}, +Title="Composing Trustworthy Systems", +institution="Computer Science Laboratory, SRI International", +address={Menlo Park, California}, month =jul, +Year=1991 } + +@techreport{Rushby92:intransitive-noninterference, +AUTHOR = {J.M. Rushby}, +TITLE = {Noninterference, Transitivity, and Channel-Control Security Policies}, +INSTITUTION = {Computer Science Laboratory, SRI International}, +NUMBER = {SRI-CSL-92-2}, +YEAR = {1992}, +ADDRESS = {Menlo Park, California}, MONTH = dec } + +@techreport{Rushby91:intransitive-verification, +AUTHOR = {J.M. Rushby}, +TITLE = {Formal Verification of the Unwinding Theorem for Intransitive +Noninterference Security Policies}, +INSTITUTION = {SRI Computer Science Laboratory}, YEAR = {1991}, +ADDRESS = {Menlo Park, California}, MONTH = mar } + +@InProceedings{McLean94, +Author={J. McLean}, +Title={A General Theory of Composition for Trace Sets Closed under Selective + Interleaving Functions}, +BookTitle={Proceedings of the 1994 Symposium on Research in +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1994}, Month=may, pages={79--93}} + +@InProceedings{Seagar+95, +Author={M. Seagar and D. Guaspari and M. Stillerman and C. Marceau}, +Title={Formal Methods in the Theta Kernel}, +BookTitle={Proceedings of the 1995 Symposium on +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1993}, Month=may, pages={88--100}} + +@InProceedings{Badger+95, +Author={L. Badger and D.F. Sterne and D.L. Sherman and K.M. Walker +and S.A. Haghighat}, +Title={Practical Domain and Type Enforcement for {Unix}}, +BookTitle={Proceedings of the 1995 Symposium on +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1993}, Month=may, pages={66--77}} + +@article{Spafford92, +author={E. 
Spafford}, title = {Are Computer Hacker Break-ins Ethical?}, +journal = {Journal of Systems and Software}, year = {1992}, volume = {}, +number = {}, pages = {}, month = jan, +note = {Purdue Report CSD-TR-994, March 1991} } + +@book{Petroski, +Author={H. Petroski}, +Title={To Engineer Is Human: The Role of Failure in Successful Design}, +Publisher={St.~Martin's Press, New York}, +Year={1985} } + +@book{Petroski94, +Author={H. Petroski}, +Title={Design Paradigms: Case Histories of Error and Judgment in Engineering}, +Publisher={Cambridge University Press, Cambridge, England}, +Year={1994} } + +@book{HoareCSP, +Author={C.A.R. Hoare}, +Title={Communicating Sequential Processes}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, +Year={1985} } + +@article{Sinha91, +author={P.K. {Sinha et al.}}, title = {The {Galaxy} Distributed Operating +System}, journal = {Computer}, year = {1991}, volume = {24}, +number = {8}, pages = {34-41}, month = aug } + +@article{NitzbergLo91, +author={B. Nitzberg and V. Lo}, title = {Distributed Shared Memory: +A Survey of Issues and Algorithms}, +journal = {Computer}, year = {1991}, volume = {24}, +number = {8}, pages = {52-60}, month = aug } + +@article{Ousterhout88, +author={J.K. {Ousterhout et al.}}, +title = {The {Sprite} Network Operating System}, +journal = {Computer}, year = {1988}, volume = {21}, +number = {2}, pages = {23-36}, month = feb } + +@article{BakerOusterhout91, +author={M. Baker and J.K. Ousterhout}, +title = {Availability in the {Sprite} Distributed File System}, +journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25}, +number = {2}, pages = {95-98}, month = apr } + +@article{Yokote+91, +author={Y. Yokote and F. Teraoka and A. Mitsuzawa and N. Fujinami and M. 
Tokoro}, +title = {The {Muse} Object Architecture: a New Operating System +Structuring Concept}, +journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25}, +number = {2}, pages = {22-46}, month = apr } + +@article{KaashoekTanenbaum91, +author={M.F. Kaashoek and A.S. Tanenbaum}, +title = {Fault Tolerance Using Group Communication}, +journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25}, +number = {2}, pages = {71-74}, month = apr } + +@TechReport{Engler98, +author={D.R. Engler}, +Title="{The Exokernel Operating System Architecture}", +institution="Ph.D. Thesis, M.I.T., Cambridge, Massachusetts", +month=oct, +Year=1998 } + +@Article{Engler+95, +author={D.R. Engler and M.F. Kaashoek and J. {O'Toole Jr.}}, +title = {Exokernel: An Operating System Architecture for + Application-Level Resource Management}, +Journal = {Operating Systems Review}, year = {1995}, +Organization = {ACM}, +Note = {Proceedings of the Fifteenth Symposium on Operating + Systems Principles (SOSP '95)}, +volume = {29}, +number = {}, pages = {251--266}, month = dec } + +@ARTICLE{LubaCourtois98, +Author={M. Lubaszewski and B. Courtois}, +TITLE = {A Reliable Fail-Safe System}, +JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {C-47}, +NUMBER = {2}, PAGES = {236-241}, MONTH = feb } + +@ARTICLE{Blaum+98, +Author={M. Blaum and J. Bruck and K. Rubin and W. Lenth}, +TITLE = {A Coding Approach for Detection of Tampering in Write-Once +Optical Disks}, +JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {C-47}, +NUMBER = {1}, PAGES = {120--125}, MONTH = jan } + +@article{StephensonBirman91, +author={P. Stephenson and K. Birman}, +title = {Fast Causal Multicast}, +journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25}, +number = {2}, pages = {75-79}, month = apr } + +@article{CheritonV, +Author={D.R. 
Cheriton}, TITLE = {The {V} Distributed System}, +JOURNAL = {Communications of the ACM}, +YEAR = {1988}, VOLUME = {31}, NUMBER = {3}, PAGES = {314-333}, +MONTH = mar } + +@PhDThesis{RussoThesis, + Key={}, Author={V.F. Russo}, + Title={An Object-Oriented Operating System}, + School={Univ. of Illinois, Computer Science Dept}, + Year={1991}, Month=jan, Note={UIUCDCS-R-919-1640} +} + +@TechReport{Dykstra91, +author={D.W. Dykstra}, +Title={Hardware Enforced Protection for Object-Oriented Operating Systems}, +institution= {Univ. of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month =mar, Year=1991, +Note={UIUCDCS-R-91-1666} } + +@TechReport{DykstraCampbell91, +author={D.W. Dykstra and R.H. Campbell}, +Title={Object-Oriented Hierarchies Across Protection Boundaries}, +institution= {Univ. of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month =mar, Year=1991, +Note={UIUCDCS-R-919-1667} } + +@TechReport{CampbellMadany91, +author={R.H. Campbell and P.W. Madany}, +Title={Considerations of Persistence and Security in Choices, an +Object-Oriented Operating System}, +institution= {Univ. of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month =mar, Year=1991, +note={UIUCDCS-R-91-1670} } + +@TechReport{JensenReed91, +author={D.W. Jensen and D.A. Reed}, +Title={File Archive Activity in a Supercomputer Environment}, +institution= {Univ. of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month =apr, Year=1991, +note={UIUCDCS-R-91-1672} } + +@TechReport{Lu91, +author={S. Lu}, +Title={A Distributed Concurrency Control Protocol Considering + Read-Only Transactions}, +institution= {Univ. of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month =apr, Year=1991, +note={UIUCDCS-R-91-1678} } + +@TechReport{Shi91, +author={S.-B. Shi}, +Title={Building Reliable Programs Through Active Replication}, +institution= {Univ. 
of Illinois, Computer Science Dept}, +address={Urbana-Champaign, IL}, month ={}, Year=1991, +note={UIUCDCS-R-91-1679} } + +@TechReport{Enc86, +author={Encore}, key={Encore}, +Title={{UMAX} 4.2 Programmer's Reference Manual}, +institution= {Encore Computer Corp.}, +address={Marlboro, Massachusetts}, month ={}, Year=1986 } + +@TechReport{Enc89, +author={Encore}, key={Encore}, +Title={Multimax Technical Summary}, +institution= {Encore Computer Corp.}, +address={Marlboro, Massachusetts}, month ={}, Year=1989 } + +@TechReport{DCICThreat89, +Author={DCIC}, +Title={Threat to Intelligence Community Automated +Information Systems and Networks}, +institution= {DCIC 10002-89}, +Month = {19 January}, Year = {1989}, Note={SECRET/NOFORN/WNINTEL.} } + +@TechReport{Hollway92, +Author={A. Hollway}, +Title={Worldwide Threat to Computers and Automated Control Systems}, +institution= {U.S. Army VAL FIO}, +Month = oct, Year = {1992}, Note={SECRET/NOFORN/WNINTEL.} } + +@TechReport{NIST92, +Author={D. Steinauer and M. Swanson}, +Title={Matrix Questions Answered at a National Level}, +institution= {NIST}, Month = {3 April}, Year = {1989}, +NOTE={Produced for the Survivability-Vulnerability Working Group.} } + +@InProceedings{Neumann97surv, +Author={P.G. Neumann and P.A. Porras}, +Title={A Global View of Information Survivability}, +BookTitle={Proceedings of the 1997 Workshop on Survivability}, +Organization={IEEE Computer Society}, Address={San Diego, California}, +Year={1997}, Month=feb, pages={}} + +@PhDThesis{Mounji97, +Author={A. Mounji}, +School={Notre-Dame de la Paix, Namur, Belgium}, +Title={Languages and Tools for Rule-Based Distributed Intrusion Detection}, +Year={1997}, Month=sep } + +@TechReport{DISA92, +Author={DISA}, +Title ={Security Analysis (Draft), Background Security Description and +Defense Message System Security Documentation Instructions}, +Institution = {Defense Information Systems Agency}, +Month=mar, Year={1992} } + +@TechReport{FriedmanOlson92, +Author={A.R. 
Friedman and I.M. Olson}, +Title={Introduction to Certification and Accreditation Concepts (Draft)}, +Institution={Mitre Corporation, under contract to the National Security Agency}, +Month=jun, Year={1992} } + +@Article{Munro92, +Author={N. Munro}, +Title={DoD Planners Prepare New Security Stategy}, +Journal={Defense News}, +Volume=7, Number=18, Month={4-10 May}, Year={1992} } + +@InProceedings{Corbato+72, +Author={F.J. Corbat\'{o} and J. Saltzer and C.T. Clingen}, +Title={Multics: {The} first seven years}, +Booktitle={Proceedings of the Spring Joint Computer Conference}, +volume=40, +publisher={AFIPS Press}, +address={Montvale, New Jersey}, +Year=1972 } + +@article{Corbato91, +Title="On Building Systems That Will Fail (1990 {T}uring {A}ward {L}ecture, +with a following interview by {Karen Frenkel})", +Author="F.J. Corbat\'{o}", Key="", Month=sep, +Year=1991, Journal= {Communications of the ACM}, Volume=34, Number=9, Pages="72-90" } + +@InProceedings{Bell91, +Author = "D.E. Bell", +Title = "Putting Policy Commonalities to Work", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="456-471 (Volume II)", month=oct } + +@InProceedings{Branstad+91, +Author="M.A. Branstad and C.P. Pfleeger and D. Brewer and C. Jahl and H. Kurth", +Title = "Apparent Differences Between the {U.S.} {TCSEC} and the {E}uropean +{ITSEC}", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="45-58 (Volume I)", month=oct } + +@InProceedings{FaganStraw91, +Author = "P. Fagan and J. 
Straw", +Title = "Experience of Commercial Security Evaluation", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="195-204", month=oct } + +@InProceedings{EpsteinPicciotto91, +Author = "J. Epstein and J. Picciotto", +Title = {Trusting {X}: Issues in Building Trusted {X} {Window} {Systems}}, +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="619-629", month=oct } + +@InProceedings{Faden91, +Author = "G. Faden", +Title = {Reconciling {CMW} Requirements with those of {X11} Applications}, +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="472-479", month=oct } + +@InProceedings{SandhuSuri91, +Author = "R.S. Sandhu and G.S. Suri", +Title = "A Distributed Impementation of the Transform Model", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="177-187", month=oct } + +@TechReport{Binns91, +author={L.J. Binns}, +Title={Inference Through Polyinstantiation}, +institution= {Office of INFOSEC Computer Science}, +address={U.S. Department of Defense, Ft. George G. Meade, Maryland}, month ={}, +Year=1991 } + +@InProceedings{SebesFeiertag91, +Author = "E.J. Sebes and R.J. Feiertag", +Title = "Trusted Distributed Computing: Using Untrusted Network Software", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="608-618", month=oct } + +@InProceedings{Parker91, +Author = "T.A. 
Parker", +Title = "A Secure {E}uropean System for Applications in a Multi-vendor +Environment ({T}he {SESAME} {P}roject)", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="505--513", month=oct } + +@InProceedings{GarveyLunt91, +Author = "T.D. Garvey and T.F. Lunt", +Title = "Model-Based Intrusion Detection", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="372--385", month=oct } + +@Article{Lunt93CS, +Author={T.F. Lunt}, Title={A survey of intrusion detection techniques}, +Journal={Computers and Security}, pages={405--418}, +volume=12, number={4}, year=1993 } + +@InProceedings{DIDS91, +Author = "S.R. Snapp and J. Brentano and G.V. Dias and T.L Goan and +L.T. Heberlein and C.-L. Ho and K.N. Levitt and B. Mukherjee and +S. Smaha and T. Grance and D.M. Teal and D. Mansur", +Title = "{DIDS (Distributed Intrusion Detection System)} -- +Motivation, Architecture, and an Early Prototype", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="167--176", month=oct } + +@InProceedings{Heberlein+91, +Author = "L.T. Heberlein and K.N. Levitt and B. Mukherjee", +Title = "A Method to Detect Intrusive Activity in a Networked Environment", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="362--371", month=oct } + +@InProceedings{Banning+91, +Author = "D. Banning and G. Ellingwood and C. Franklin and C. Muckenhirn and +D. 
Price", +Title = "Auditing of Distributed Systems", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="59--68", month=oct } + +@InProceedings{Jackson+91, +Author = "K.A. Jackson and D.H. DuBois and C.A. Stallings", +Title = "An Expert System Application for Network Intrusion Detection", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="215--225", month=oct } + +@InProceedings{King91, +Author = "M.M. King", +Title = "Identifying and Controlling Undesirable Program Behaviors", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="283--294", month=oct } + +@InProceedings{ParkerDB91, +Author = "D.B. Parker", +Title = "Restating the Foundations of Information Security", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="", month=oct } + +@TechReport{Irvine+91, +author={C.E. Irvine and R.R. Schell and M.F. Thompson}, +Title={Using {TNI} Concepts for the Near Term Use of High Assurance +Database Management Systems}, +institution= {Gemini Computers, Inc.}, +address={Carmel California}, month ={}, +Year=1991, Note={Presented at the 1991 Rome Laboratory Database Security Workshop} } + +@ARTICLE{DeTreville, +Author={J. DeTreville}, TITLE = {A Cautionary Tale}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16}, +NUMBER = {2}, PAGES = {19--22}, MONTH = apr } + +@ARTICLE{XuParnas91, +Author={J. Xu and D. 
Parnas}, TITLE = {On Satisfying Timing Constraints in +Hard-Real-Time Systems}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16}, +NUMBER = {5}, PAGES = {132--146}, MONTH = dec } + +@InProceedings{Parnas94, +Author = {D.L. Parnas}, +Title = {Mathematical Descriptions and Specification of Software}, +Booktitle = {Proceedings of the IFIP World Congress 1994, Volume I}, +Organization = {IFIP}, Address = {}, +Year = {1994}, +Pages={354--359}, Month = aug } + +@InProceedings{ParnasRespons94, +Author = {D.L. Parnas}, +Title = {Professional Responsibilities of Software Engineers}, +Booktitle = {Proc. of IFIP World Congress 1994, Volume II}, +Organization = {IFIP}, Address = {}, +Year = {1994}, +Pages={332--339}, Month = aug } + +@ARTICLE{Parnas+94, +Author={D.L. Parnas and J. Madey and M. Iglewski}, +TITLE = {Precise Documentation of Well-Structured Programs}, +JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1994}, +VOLUME = {20}, +NUMBER = {12}, PAGES = {948--976}, MONTH = dec } + +@article{Parnas+94b, +author={D.L. Parnas and A.J. {van Schouwen} and S.P. Kwan}, +title = {Evaluation of Safety-Critical Software}, +journal = {Communications of the ACM}, volume = {33}, number = {6}, +pages = {636--648}, month = jun, year = {1990} } + +@article{ParnasWang94, +Author = {D.L. Parnas and Y. Wang}, +Title={Simulating the Behaviour of Software Modules by + Trace Rewriting Systems}, +Journal = {IEEE Transactions of Software Engineering}, +VOLUME = {19}, NUMBER = {10}, +Month = oct, Year = {1994}, PAGES = {750--759} } + +@article{Parnas97SE, +author={D.L. Parnas}, +title = {Software Engineering: An Unconsummated Marriage}, +journal = {Communications of the ACM}, year = {1997}, volume = {40}, +number = {9}, pages = {128}, month = sep, +Note= {{\it Inside Risks} column.} } + +@article{DenningDivorce, +author={D.L. 
Parnas}, +title = {Computer Science and Software Engineering: Filing for Divorce?}, +journal = {Communications of the ACM}, year = {1998}, volume = {41}, +number = {8}, pages = {}, month = aug, +Note= {{\it Inside Risks} column.} } + +@ARTICLE{RushbyvonHenke91, +Author={J.M. Rushby and F. {von Henke}}, TITLE = {Formal Verification of +Algorithms for Critical Systems}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16}, +NUMBER = {5}, PAGES = {1--15}, MONTH = dec } + +@TechReport{Rushby+95PVS, +author={J.M. Rushby and D.W.J. Stringer-Calvert}, +Title={A less elementary tutorial for the {PVS} specification and + verification system}, +institution= {SRI International, Menlo Park, California, CSL-95-10}, +address={}, month =oct, Year=1995 } + +@TechReport{Rushby95FMAir, +author={J.M. Rushby}, +Title={Formal Methods and Their Role in Digital Systems Validation +for Airborne Systems}, +institution= {SRI International, Menlo Park, California, CSL-95-01}, +address={}, month =mar, Year=1995 } + +@TechReport{Rushby95KerVer, +author={J.M. Rushby}, +Title={A Foundation for Security Kernel Verification}, +institution= {SRI International, Menlo Park, California}, +address={}, month =oct, Year=1995 } + +@TECHREPORT{Rushby99:partitioning, + AUTHOR = {J. Rushby}, + TITLE = {Partitioning for Avionics Architectures: + Requirements, Mechanisms, and Assurance}, + INSTITUTION={NASA Langley Research Center}, + NOTE = {Contractor Report CR-1999-209347; also issued as + FAA DOT/FAA/AR-99/58.}, + MONTH = jun, + YEAR = "1999", + url ="http://www.csl.sri.com/~{}rushby/abstracts/partitioning"} + +@TECHREPORT{Rushby01:modcert, + AUTHOR = {J. Rushby}, + TITLE = {Modular Certification}, + INSTITUTION="Computer Science Laboratory, SRI International, Menlo Park, + California", + MONTH = jun, + YEAR = 2002, + url ="http://www.csl.sri.com/~{}rushby/abstracts/modcert"} + +@TECHREPORT{Rushby04:separation, + AUTHOR = {J. 
Rushby}, + TITLE = {A separation kernel formal security policy in PVS}, + INSTITUTION="Computer Science Laboratory, SRI International, Menlo Park, + California", + MONTH = mar, + YEAR = 2004, + url ="http://www.csl.sri.com/~{}rushby/abstracts/"} + +@TechReport{Butler93, +author={R.W. Butler}, +Title={An elementary tutorial on formal specification and verification + using {PVS}}, +institution= {NASA Langley Research Center}, +address={Hampton, Virginia}, month =jun, Year=1993 } + +@InProceedings{Butler+95, +Author={R.W. Butler and J.L. Caldwell and V.A. {Carre\~{n}o} and +C.M. Holloway and P.S. Miner and B.L. DiVito}, +TITLE = {{NASA} {Langley's} Research and Technology-Transfer Program + in Formal Methods}, +BookTitle={Proceedings of the Tenth Annual Conference on Computer +Assurance, COMPASS 95}, Organization={IEEE}, Year=1995, Month=jun, +Pages={135--149}, + NOTE = {(A longer version is available in {\it Proceedings of +the Third NASA Langley Formal Methods Workshop,} May 1995, 247--268.)} +} + +@InProceedings{Butler+95o, +Author={R.W. Butler and J.L. Caldwell and V.A. {Carre\~{n}o} and +C.M. Holloway and P.S. Miner and B.L. DiVito}, +TITLE = {{NASA} {Langley's} Research and Technology-Transfer Program + in Formal Methods}, +BookTitle={Proceedings of the Third NASA {Langley} Formal Methods Workshop, +May 10-12, 1995}, +ORGANIZATION={NASA Langley Research Center}, +Year=1995, Month= jun, +Note = {This is a longer but earlier version of~\cite{Butler+95}, +and includes 28 more references.}, +Pages={247--268}} + +@Proceedings{NASALaRC95, +Editor={C.M. 
Holloway}, +Title={Third {NASA} {Langley} Formal Methods Workshop}, +ORGANIZATION={NASA Langley Research Center}, +Address ={Hampton, Virginia}, +Month={May 10-12}, +Note ={NASA Conference Publication 10176, June 1995.}, +Year={1995} } + +@book{NASA95-1, +Author={{NASA Langley Research Center}}, +Title={Formal Methods Specification and Verification, Volume I}, +Publisher={NASA}, +Month =jun, Year={1995} } + +@book{NASA95-2, +Author={{NASA Langley Research Center}}, +Title={Formal Methods Specification and Verification, Volume II}, +Publisher={NASA}, +Month ={Fall}, Year={1995} } + +@ARTICLE{ButlerFinelli91, +Author={R.W. Butler and G.B. Finelli}, TITLE = {The Infeasibility of +Experimental Quantification of Life-Critical Software Reliability}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16}, +NUMBER = {5}, PAGES = {66--76}, MONTH = dec } + +@book{Spivey88, +Author={J.M. Spivey}, +Title={Understanding Z: a specification language and its formal semantics}, +Publisher={Cambridge University Press, Cambridge, England}, +Year={1988} } + +@book{Potter91, +Author={B. Potter and J. Sinclair and D. Till}, +Title={An Introduction to Formal Specification and Z}, +Publisher={Prentice-Hall International, Hemel Hempstead, Great Britain}, +Year={1991} } + +@book{Turner93, +Author={K. J. {Turner, ed.}}, +Title={Using Formal Description Languages}, +Publisher={John Wiley, Chichester}, +Year={1993} } + +@InProceedings{Jirach95, +Author={A. Jirachiefpattana and R. Lai}, +TITLE = {An {Estelle-NPN} based system for protocol verification}, +BookTitle={Proceedings of the Tenth Annual Conference on Computer +Assurance, COMPASS 95}, Organization={IEEE}, Year=1995, Month=jun, +Pages={245--259}} + +@Article{HarelKurshan90, +Author = {Z. {Har'El} and R.P. 
Kurshan}, +TITLE = {Software for Analytic Development of Communications Protocols}, +JOURNAL = {AT\&T Technical Journal}, +YEAR = {1990}, VOLUME = {69}, MONTH = {January-February}, NUMBER = {1}, +PAGES = {45--59} } + +@TechReport{Craigen+93, +Author={D. Craigen and S. Gerhart and T. Ralston}, +TITLE = {An International Survey of Industrial Applications of Formal Methods}, +institution= {U.S. National Institute of Standards and Technology}, +Note = {Also available from U.S. Naval Research Laboratory and the Atomic +Energy Board of Canada.}, +address={Gaithersburg, Maryland}, month =mar, Year=1993 } + +@ARTICLE{Boswell95, +Author={A. Boswell}, +TITLE = {Specification and Validation of a Security Policy Model}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {63--69} } + +@ARTICLE{Barrett95, +Author={G. Barrett}, +TITLE = {Model Checking in Practice: The T9000 Virtual Channel Processor}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {69--78} } + +@ARTICLE{BicarreguiRitchie95, +Author={J. Bicarregui and B. Ritchie}, +TITLE = {Invariants, Frames, and Postconditions: +A Comparison of the {VDM} and {B} Notations}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {79--89} } + +@ARTICLE{Craigen+95, +Author={D. Craigen and S. Gerhart and T. Ralston}, +TITLE = {Formal Methods Reality Check: Industrial Usage}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {90--98} } + +@ARTICLE{Jacky95, +Author={J. 
Jacky}, +TITLE = {Specifying a Safety-Critical Control System in {Z}}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {99-106} } + +@ARTICLE{Owre+95, +Author={S. Owre and J. Rushby and N. Shankar and F. {von Henke}}, +TITLE = {Formal Verification for Fault-Tolerant Architectures: + Prolegomena to the Design of {PVS}}, +JOURNAL = {IEEE Transactions on Software Engineering}, +NOTE = {Special section on Formal Methods Europe '93.}, +YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2}, +PAGES = {107-125} } + +@techreport{PVS:Interpretations, + Author= {S. Owre and N. Shankar}, + Title= {Theory Interpretations in {PVS}}, + Number= {SRI-CSL-01-01}, + Institution= {Computer Science Laboratory, SRI International}, + Address= {Menlo Park, CA}, + Month= apr, + Year= {2001}, +NOTE="\xlink{http://www.csl.sri.com/\~{}owre}{http://www.csl.sri.com/\~{}owre}" + } + +@ARTICLE{MoriconiQian94, +Author={M. Moriconi and X. Qian}, +TITLE = {Correctness and Composition of Software Architectures}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {1994}, VOLUME = {19}, +NUMBER = {5}, PAGES = {164--174}, MONTH = dec, +NOTE = {Proceedings of the Second ACM SIGSOFT Symposium on Foundations +of Software Engineering} } + +@ARTICLE{Moriconi+95, +Author={M. Moriconi and X. Qian and R.A. Riemenschneider}, +TITLE = {Correct Architecture Refinement}, +JOURNAL = {IEEE Transactions on Software Engineering}, +YEAR = {1995}, VOLUME = {21}, MONTH = apr, NUMBER = {4}, +PAGES = {356--372} } + +@TechReport{IntegrityWG91, +author={M.D. Abrams and E. Amoroso and L.J. LaPadula and T.F. Lunt and +J.N. Williams}, +Title={Report of an Integrity Working Group}, +institution= {Mitre Corp. (Abrams)}, +address={McLean, Virginia}, month =nov, +Year=1991 } + +@TechReport{JonesKluepfel92, +author={A. Jones and H.M. 
Kluepfel}, +Title={A Systems Engineering Approach to Security Baselines for {SS7}: +A contribution in support of {Network Operations Forum, Issue} 138 -- +{SS7} Network Integrity-Security}, institution= {Pac$\star$Bell and Bellcore}, +address={}, month ={}, Year=1992 } + +@TechReport{DISSP91, +author={DISSPO}, key = {DISSP}, +Title={Defense-Wide Information Systems Security Program {(DISSP)}, Action Plan}, +institution= {Defense-Wide Information Systems Security Program Office}, +note= {6 volumes, Prepared for the Assistant Secretary of Defense for Command, +Control, Communications, and Intelligence.}, +address={}, month ={15 August}, Year=1991 } + +@book{Golde76, +Author={R.A. Golde}, +Title={{Muddling Through}: The Art of Properly Unbusinesslike Management}, +Publisher={AMACOM (a division of the American Management Associations), +New York}, +note={ISBN 0-8144-5411-9, 0-8144-7523-X paperback}, +Year={1976} } + +@book{Mander78, +Author={J. Mander}, +Title={Four Arguments for the Elimination of Television}, +Publisher={William Morrow/Quill, New York}, +Year={1978} } + +@book{Mander92, +Author={J. Mander}, +Title={In the Absence of the Sacred: The Failure of Technology \& +the Survival of the {Indian} {Nations}}, +Publisher={Sierra Club Books, San Francisco, California}, +isbn={0-87156-509-9.}, +Year={1991, paperback 1992}} + +@book{Perrow, +Author={C. Perrow}, +Title={Normal Accidents}, +Publisher={Basic Books, New York}, +Year={1984} } + +@book{Norman88, +Author={D.A. Norman}, +Title={The Psychology of Everyday Things}, +Publisher={Basic Books, New York}, +Year={1988} } + +@article{Norman90, +Title= {Human error and the design of computer systems}, +Author={D.A. Norman}, Month=jan, +Year=1990, Journal= {Communications of the ACM}, Volume=33, Number=1, Pages="4--5,7" } + +@article{Denning90, +Title= {Human error and the search for blame}, +Author={P.J. 
Denning}, Month=jan, +Year=1990, Journal= {Communications of the ACM}, Volume=33, Number=1, Pages="6--7" } + +@article{Denning93Sense, +Title= {Designing new principles to sustain research in our universities}, +Author={P.J. Denning}, Month=jul, +Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=7, Pages="98-104" } + +@InProceedings{Denning91NCCV, +Author={D.E. Denning}, TITLE = {Responsibility and blame in computer security}, +Booktitle = {Proceedings of the National Conference on Computing and Values}, +Organization = {Southern Connecticut State University, New Haven, +Connecticut}, Year = {1991}, Pages={}, Month = {12--16 August} } + +@Article{Denning93AmSci, +Author={D.E. Denning}, +Title={The {Clipper} Encryption System}, Journal={American Scientist}, +volume=81, number=4, month={July-August}, pages={319-323}, year=1993 } + +@article{Kent93, +Title= {Internet Privacy Enhanced Mail}, +Author={S.T. Kent}, Month=aug, +Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="48--60" } + +@TechReport{Synergy93, +author={O.S. Saydjari and S.J. Turner and D.E. Peele and J.F. Farrell +and P.A. Loscocco and W. Kutz and G.L. Bock}, +Title={Synergy: A distributed, microkernel-based security architecture}, +institution= {NSA INFOSEC Research and Technology}, +address={}, month ={November 22}, Year=1993 } + +@article{Rotenberg93, +Title= {Communications Privacy: Implications for Network Design}, +Author={M. Rotenberg}, Month=aug, +Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="61--68" } + +@article{Tuerkheimer93, +Title= {The Underpinnings of Privacy Protection}, +Author={Tuerkheimer}, Month=aug, +Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="69--73" } + +@book{Pfleeger89, +Author={C.P. Pfleeger}, Title={Security in Computing}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1989} } + +@book{Pfleeger96, +Author={C.P. 
Pfleeger}, Title={Security in Computing}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1996}, +Note ={Second edition} +} + +@book{SLPfleeger98x, +Author={S.L. Pfleeger}, +Title={Software Engineering: The Production of Quality Software}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1998} } + +@book{SLPfleeger98, +Author={S.L. Pfleeger}, +Title={Software Engineering: Theory and Practice}, +Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1998} } + +@book{BloomBecker, +Author={B. BloomBecker}, +Title={Spectacular Computer Crimes: What They Are and How They Cost American +Business Half a Billion Dollars a Year}, +Publisher={Dow Jones--Irwin, New York}, Year={1990} } + +@book{Wiener93, +Author={L. Wiener}, +Title={Digital Woes: Why We Should Not Depend on Software}, +Publisher={Addison--Wesley, Reading, Massachusetts}, +Year={1993} } + +@book{Casey93, +Author={S.M. Casey}, +Title={Set Phasers on Stun, and Other True Tales +of Design Technology and Human Error}, +Publisher={Aegean Publishing Company, Santa Barbara, California}, +Year={1993} } + +@book{Talbott94, +Author={S. Talbott}, +Title={The Future Does Not Compute}, +Publisher={O'Reilly \& Associates, Sebastopol, California 95472}, +Year={1994} } + +@book{Neuromancer, +Author={W. Gibson}, +Title={Neuromancer}, +Publisher={Ace Books}, +note = {ISBN 0-441-56959-5, reprinted as ISBN 0-932096-41-7}, +Year={1948}, Note={Reprinted by Phantasia Press, 1986.} } + +@ARTICLE{AsimovRobots, +Author={I. Asimov}, TITLE = {Runaround}, +JOURNAL = {Astounding Science Fiction}, YEAR = {1941}, VOLUME = {}, +NUMBER = {}, PAGES = {}, MONTH = apr, +NOTE={Also anthologized in {\it I, Robot} and {\it The Complete Robot.} } } + +@book{AsimovRobots0, +Author={I. Asimov}, +Title={Forward the Foundation}, +Publisher={Doubleday, New York}, +isbn={0-553-56507-9}, +Year={1993}, Note={Also Bantam paperback, 1994.} } + +@book{Sterling92, +Author={B. 
Sterling}, +Title={The Hacker Crackdown: Law and Disorder on the Electronic Frontier}, +Publisher={Bantam, New York}, +isbn={0-553-56370-X}, +Year={1992 (paperback 1993)} } + +@book{Borenstein91, +Author={N.S. Borenstein}, +Title={Programming As If People Mattered: Friendly Programs, Software +Engineering, and Other Noble Delusions}, +Publisher = {Princeton University Press, Princeton, New Jersey}, +Year={1991} } + +@book{Gall75, +Author={J. Gall}, +Title={Systemantics: How Systems Work and Especially How They Fail}, +Publisher={Quadrangle/New York Times Book Co., New York}, Year={1977}, +Note = {Also, Pocket Books, New York, 1975} } + +@book{Gall86, +Author={J. Gall}, +Title={Systemantics : The Underground Text of Systems Lore : How Systems + Really Work and Especially How They Fail}, +Publisher={General Systemantics Press, 3200 W. Liberty, Ann Arbor 48103}, +Year={1986} } + +@book{Illuminatus, +Author={R.J. Shea and R.A. Wilson}, +Title={The Illuminatus! Trilogy}, +Publisher={Dell, New York}, +Year={1975} } + +@book{PirsigZen, +Author={R.M. Pirsig}, +Title={Zen and the Art of Motorcycle Maintenance}, +Publisher={William Morrow and Bantam Books, New York}, +Year={1974} } + +@book{PirsigLila, +Author={R.M. Pirsig}, +Title={Lila, An Inquiry into Morals}, +Publisher={Bantam Books, New York}, +Year={1991} } + +@book{Papert93, +Author={S. Papert}, +Title={The Children's Machine: Rethinking School in the Age of the Computer}, +Publisher={Basic Books, New York}, Year={1993} } + +@book{Swasy93, +Author={A. Swasy}, +Title={Soap Opera: The Inside Story of Proctor \& Gamble}, +Publisher={Times Books, New York}, +Year={1993} } + +@book{Formaini90, +Author={R. Formaini}, +Title={The Myth of Scientific Public Policy}, +Publisher={Transaction Publishers (Social Philosophy \& Policy Center), +New Brunswick, New Jersey}, +isbn={0-88738-852-3}, +Year={1990} } + +@book{Beck92, +Author={U. 
Beck}, Title={Risk Society: Towards a New Modernity}, +Publisher={Sage Publications, Beverly Hills, California}, Year={1992}, +isbn={0-8039-8346-8}} + +@book{Unger94, +Author={S.H. Unger}, +Title={Controlling Technology: Ethics and the Responsible Engineer}, +Publisher={John Wiley and Sons, New York, 2nd ed.}, +Year={1994}, isbn={0-471-59181-5.} } + +@book{Asseline, +Author={M. Asseline}, +Title={Le pilote --- est-il coupable? (The Pilot: Is He To Blame?)}, +Publisher={Edition \#1 (4, rue Galleria, 75116 Paris)}, +Year={1992}, isbn={2-86-39-1517-7.} } + +@article{Weingarten94, +Title= {Public Interest and the {NII}}, +Author={F.W. Weingarten}, Month=mar, Year=1994, +Journal= {Communications of the ACM}, Volume=37, Number=3, Pages="17--19" } + +@book{Kling95, +Author={R. {Kling (ed.)}}, +Title={Computerization and Controversy: Value Conflicts and Social Choices}, +Publisher={Academic Press, New York}, +Year={1995} } + +@book{Firewalls94, +Author={W.R. Cheswick and S.M. Bellovin}, +Title={Firewalls and Internet Security: Repelling the Wily Hacker}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={1994} } + +@book{Firewalls03, +Author={W.R. Cheswick and S.M. Bellovin and A.D. Rubin}, +Title={Firewalls and Internet Security: Repelling the Wily Hacker, + Second Edition}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2003} } + +@InProceedings{Blaze93, +Author={M. Blaze}, TITLE = {A Cryptographic File System for {UNIX}}, +Booktitle = {First ACM Conference on Computer and Communications Security}, +Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia}, +Year = {1993}, +Pages={9--16}, Month = nov } + +@InProceedings{Blaze94, +Author={M. Blaze}, TITLE = {Protocol failure in the escrowed encryption +standard}, +Booktitle = {Second ACM Conference on Computer and Communications Security}, +Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia}, +Year = {1994}, +Pages={59-67}, Month = nov } + +@InProceedings{Reiter94, +Author={M.K. 
Reiter}, TITLE = {Reliable and Atomic Group Multicast +in {Rampart}}, +Booktitle = {Second ACM Conference on Computer and Communications Security}, +Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia}, +Year = {1994}, +Pages={68--80}, Month = nov } + +@TechReport{Landau94, +Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning +and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel}, +TITLE = {Codes, Keys, and Conflicts: Issues in {U.S.} Crypto Policy}, +INSTITUTION = {ACM}, YEAR = {1994}, MONTH = jun } + +@ARTICLE{Landau94s, +Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning +and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel}, +TITLE = {Crypto Policy Perspectives}, +JOURNAL = {Communications of the ACM}, YEAR = {1994}, VOLUME = {37}, +NUMBER = {8}, PAGES = {115-121}, MONTH = aug } + +@TechReport{Landau94x, +Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning +and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel}, +TITLE = {Codes, Keys, and Conflicts: Issues in {U.S.} Crypto Policy}, +INSTITUTION = {ACM}, YEAR = {1994}, MONTH = jun, NOTE = +{A summary of this report by the same authors is available as ``Crypto Policy +Perspectives'' in the {\it Communications of the ACM, 37,} 8, 115-121, +August 1994.} } + +@InProceedings{Anderson94, +Author={R. Anderson}, Title={A Note on Correlation Attacks}, +BookTitle={Proceedings of the 1994 Leuven conference}, +Organization={}, Address={Leuven}, +Year={1994}, Month=dec, pages={}} + +@InProceedings{AndersonKuhn96, +Author={R. Anderson and M. Kuhn}, +Title={Tamper Resistance --- a Cautionary Note}, +BookTitle={Proceedings of the Second Usenix Workshop on Electronic Commerce}, +Organization={USENIX}, Address={}, +url={http://www.cl.cam.ac.uk/users/rja14/tamper.html}, +Year={1996}, Month=nov, pages={1--11}} + +@TechReport{Boneh+95, +author={D. Boneh and R.A. DeMillo and R.J. 
Lipton}, +Title={}, +institution= {Princeton University}, +month ={}, Year=1995 } + +@Article{Boneh+97, +Author={D. Boneh and R.A. DeMillo and R.J. Lipton}, +Title={On the Importance of Checking Cryptographic Protocols for Faults}, +Journal={Journal of Cryptology}, +Volume = {14}, Number = {2}, +Year={1997}, Month={}, pages={101--119}, +url ="http://www.stanford.edu/\~{}dabo/abstracts/faults.html"} + +@TechReport{Kocher95, +author={P. Kocher}, +Title={Cryptanalysis of {Diffie-Hellman, RSA, DSS,} and +Other Systems Using Timing Attacks (extended abstract)}, +institution= {Cryptography Research Inc.}, +address={607 Market St, San Francisco, California 94105}, +month ={December 7}, Year=1995 } + +@InProceedings{Kocher96, +Author={P.C. Kocher}, +Title={Timing Attacks on Implementations of {Diffie-Hellman}, +{RSA}, {DSS}, and Other Systems}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Advances in Cryptology, +Proceedings of Crypto '96}, +Organization={}, Address={Santa Barbara, California}, +Year={1996}, Month=aug, pages={104--113}} + +@InProceedings{AsonovAgrawal04, +Author={D. Asonov and R. Agrawal}, +Title={Keyboard Acoustic Emanations}, +BookTitle={Proceedings of the 2004 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2003}, Month=may, pages={3--11}} + +@ARTICLE{ShamirTromer04, +Author={A. Shamir and E. 
Tromer}, +TITLE = {Acoustic cryptanalysis: On nosy people and noisy machines}, +JOURNAL = {preliminary proof-of-concept presentation}, +YEAR = {2004}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {}, +url ="http://www.wisdom.weizmann.ac.il/\~{}tromer/acoustic/" } + +@book{DES-crack, +Author={Electronic Frontier Foundation}, +Title={Cracking {DES}: Secrets of Encryption Research, Wiretap + Politics \& Chip Design}, +Publisher={O'Reilly and Associates, Sebastopol, California}, +Year={1998}, +Note = {See also the Risks Forum, volume 19, number 87, 17 July 1998.} } + +@InProceedings{PetersenMichels97, +Author={H. Petersen and M. Michels}, +Title={On Signature Schemes with Threshold Verification + Detecting Malicious Verifiers}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Security Protocols, +Proceedings of 5th International Workshop}, +Organization={}, Address={Paris, France}, +Year={1997}, Month=apr, pages={67--77}} + +@InProceedings{Kelsey+97, +Author={J. Kelsey and B. Schneier and D. Wagner}, +Title={Protocol Interactions and the Chosen Protocol Attacks}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Security Protocols, +Proceedings of 5th International Workshop}, +Organization={}, Address={Paris, France}, +Year={1997}, Month=apr, pages={91--104}} + +@InProceedings{Bao+97, +Author={F. Bao and R.H. Deng and Y. Han and A. Jeng and A.D. Narasimhalu + and T. Ngair}, +Title={Breaking Public Key Cryptosystems on Tamper Resistant Devices + in the Presence of Transient Faults}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Security Protocols, +Proceedings of 5th International Workshop}, +Organization={}, Address={Paris, France}, +Year={1997}, Month=apr, pages={115---123}} + +@InProceedings{AndersonKuhn97, +Author={R. Anderson and M. 
Kuhn}, +Title={Low Cost Attacks on Tamper Resistant Devices}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, Security Protocols, +Proceedings of 5th International Workshop}, +Organization={}, Address={Paris, France}, +Year={1997}, Month=apr, pages={125--136}} + +@InProceedings{Zabarsky98, +Author={J. Zabarsky}, +Title={Failure Recovery for Distributed Processes in Single System Image + Clusters}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, vol.~1388, + Parallel and Distributed Processing}, +Organization={}, Address={Berlin, Germany}, +Year={1998}, Month=apr, pages={564--583}} + +@book{RSI, +Author={Emil Pascarelli and Deborah Quilter}, +Title={Repetitive Strain Injury: A Computer User's Guide}, +Publisher={John Wiley and Sons, New York}, +Year={1994} } + +@InProceedings{Parker94, +Author = "D.B. Parker", +Title = "Demonstrating the Elements of Information Security with Threats", +Booktitle = "Proceedings of the Seventeenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1994", +Pages="", Month = "11-14 October" } + +@InProceedings{NISSC95N, +Author = "P.G. Neumann", +Title = "The Future of Formal Methods for Security: Overview statement", +Booktitle = "Proceedings of the Eighteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995", +Pages="", month=oct } + +@TechReport{NeumannBoucher96, +author={P.G. Neumann and P. Boucher}, +Title={An Evaluation of the Security aspects of the {Army Technical +Architecture (ATA)} Document Drafts}, +institution= {Computer Science Laboratory, SRI International}, +Note = {Final report, SRI Project 7104-200, for U.S. Army CECOM, +Fort Monmouth, New Jersey}, +address={Menlo Park, California}, month ={2 January}, Year=1996 } + +@inProceedings{Neumann96CRC, +key="Neumann",Author="P.G. 
Neumann", Title="Security and Privacy Issues +in Computer and Communication Systems", +Booktitle="The Computer Science and Engineering Handbook (Chapter 89))", +Note =" (A.B. Tucker, ed.)", Publisher ="CRC Press, Inc.",Year="1996",Pages=""} + +@inProceedings{Neumann03CRC, +key="Neumann",Author="P.G. Neumann", Title="Network Security and Privacy", +Booktitle="The Computer Science and Engineering Handbook, 2nd Edition", +Note =" (A.B. Tucker, ed.)", Publisher ="CRC Press, Inc.",Year="2003", +Pages=""} + +@article{Neumann96Senate, +author = {P.G. Neumann}, +title = {Security Risks in the Emerging Infrastructure}, +journal = {Security in Cyberspace, Hearings, S. Hrg. 104-701}, +Pages = "350-363", Month = jun, Year = {1996}, +Note = {ISBN 0-16-053913-7. + Written testimony for the U.S. Senate Permanent Subcommittee on + Investigations of the Senate Committee on Governmental Affairs. + Oral testimony is on pages 106-111 +(\xlink{http://www.csl.sri.com/neumann/senate96.html}{http://www.csl.sri.com/neumann/senate96.html}) +}, +} + +@MANUAL{USSenate96, +author = {US-Senate}, +title = {Security in Cyberspace}, +organization = {U.S. Senate Permanent Subcommittee on Investigations + of the Senate Committee on Governmental Affairs, + Hearings, S. Hrg. 104-701}, +Note = {ISBN 0-16-053913-7}, +Pages = "", Month = jun, Year = {1996} } + +@InProceedings{Neumann98Senate, +Author = "P.G. Neumann", +Title = "Computer-Related Infrastructure Risks for Federal Agencies", +Booktitle = "Weak Computer Security in Government: Is the Public at Risk? + Hearing, Senate Hearing 105-609, ISBN 0-16-057456-0", +Organization = "U.S. 
Government Printing Office", +Address = "Washington, D.C.", +Year = "1998", Pages ={52--70}, +Month = "19 May", +NOTE ={(\xlink{http://www.csl.sri.com/neumann/senate98.html}{http://www.csl.sri.com/neumann/senate98.html}); +Oral testimony is on pages 5--22.} } + +@InProceedings{L0pht98Senate, +Author = "{Mudge et al.}", +Title = "Testimony of {L0pht Heavy Industries}", +Booktitle = "Weak Computer Security in Government: Is the Public at Risk? + Hearing, Senate Hearing 105-609, ISBN 0-16-057456-0", +Organization = "U.S. Government Printing Office", +Address = "Washington, D.C.", +Year = "1998", Pages ={71--91}, +Month = "19 May", +NOTE = {Oral testimony is on pages 22--41.} } + +@inProceedings{Neumann97air, +key="Neumann",Author="P.G. Neumann", Title= + "Computer Security in Aviation: Vulnerabilities, Threats, and Risks", +Booktitle="International Conference on Aviation Safety and Security + in the 21st Century, White House Commission on Safety and Security, and + George Washington University", + Year="1997", Month= "January 13-15", Pages="", + Note ="(\xlink{http://www.csl.sri.com/neumann/air.html}{http://www.csl.sri.com/neumann/air.html})" +} + +@article{Cryptographers97, +author = {Hal Abelson and Ross Anderson and Steven M. Bellovin and + Josh Benaloh and Matt Blaze and Whitfield Diffie and John Gilmore + and Peter G. Neumann and Ronald L. Rivest and Jeffrey I. Schiller + and Bruce Schneier}, +title = {The Risks of Key Recovery, Key Escrow, and + Trusted Third-Party Encryption}, +journal = {World Wide Web Journal (Web Security: A Matter of Trust)}, +NOTE = {This report was first distributed via the Internet on May 27, 1997.}, +publisher = {O'Reilly \& Associates}, volume = {2}, number = {3}, +pages = "241-257", month = {Summer}, year = {1997} } + +@article{Cryptographers98x, +author = {H. Abelson and R. Anderson and S.M. Bellovin and + J. Benaloh and M. Blaze and W. Diffie and J. Gilmore + and P.G. Neumann and R.L. Rivest and J.I. Schiller + and B. 
Schneier}, +title = {The Risks of Key Recovery, Key Escrow, and + Trusted Third-Party Encryption}, +journal = {(\xlink{http://www.cdt.org/crypto/risks98/}{http://www.cdt.org/crypto/risks98/})}, +NOTE = {This is a reissue of the May 27, 1997 report, with a new +preface evaluating what happened in the intervening year.}, +month = jun, year = {1998} } + +@InProceedings{Bellovin97, +Author = "S.M. Bellovin", +Title = "Probable Plaintext Cryptanalysis of the {IP} Protocols", +Booktitle= "Proceedings of the Symposium on Network and + Distributed System Security", +Organization = "Internet Society", Year = "1997", +Pages="52--59", Month = feb } + +@PhDThesis{Bellovin82, +Author={S.M. Bellovin}, +School={Department of Computer Science, University of North Carolina + at Chapel Hill}, +Title={Verifiably Correct Code Generation Using Predicate Transformers}, +Year={1982}, Month=dec, +Note="(\xlink{http://www.research.att.com/\~{}smb/dissabstract.html}{http://www.research.att.com/\~{}smb/dissabstract.html})" +} + +@InProceedings{NISSC95B, +Author = "R.W. Butler", +Title = "Formal Methods and {NASA}", +Booktitle = "Proceedings of the Eighteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995", +Pages="", month=oct } + +@InProceedings{NISSC95K, +Author = "R. Kurshan", +Title = "Algorithmic Verification", +Booktitle = "Proceedings of the Eighteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995", +Pages="", month=oct } + +@book{Kurshan94, +Author={R. Kurshan}, +Title={Computer-Aided Verification of Coordinating Processes}, +Publisher={Princeton University Press}, +Address = {Princeton, New Jersey}, +Year={1994} } + +@ARTICLE{BoyerYu96, + AUTHOR = {R.S. Boyer and Y. 
Yu}, + TITLE = {Automated proofs of object code for a widely used microprocessor}, + Journal={Journal of the ACM}, + YEAR = {1996}, VOLUME = {43}, NUMBER = {1}, PAGES = {529--543}, + MONTH = jan } + +@InProceedings{NISSC95L, +Author = "W. Legato", +Title = "Formal Methods: Changing Directions", +Booktitle = "Proceedings of the Eighteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995", +Pages="", month=oct } + +@TechReport{JohnsonNSA+95, +author={D.R. Johnson and F.F. Saydjari and J.P. {Van Tassel}}, +Title={{MISSI} Security Policy: A Formal Approach}, +institution= {NSA R2SPO-TR001-95}, +address={}, month ={18 August}, Year=1995 } + +@article{Saiedian+, +author={H. {Saiedian et al.}}, +title = {An Invitation to Formal Methods}, +journal = {Computer}, year = {1996}, volume = {29}, +number = {4}, pages = {16-30}, month = apr } + +@book{SmartCards, +Author={J.L. Zoreda}, +Title={Smart Cards}, +Publisher={Artech House, Boston, Massachusetts}, +Year={1994} } + +@book{Orr90, +Author={K. Orr}, +Title={The One Minute Methodology}, +Publisher={Dorset House, New York}, +Year={1990} } + +@ARTICLE{MacKenzie94, +Author={D. MacKenzie}, +TITLE = {Computer-related accidental death: an empirical exploration}, +JOURNAL = {Science and Public Policy}, YEAR = {1994}, VOLUME = {21}, +NUMBER = {4}, PAGES = {233-248}, MONTH = aug } + +@ARTICLE{MacKenzie95, +Author={D. MacKenzie}, +TITLE = {The Automation of Proof: A Historical and Sociological Explanation}, +JOURNAL = {IEEE Annals of the History of Computing}, YEAR = {1995}, +VOLUME = {17}, NUMBER = {3}, PAGES = {7--29}, MONTH = {Fall} } + +@InProceedings{RoscoeWulf95, +Author={A.W. Roscoe and L. 
Wulf}, +Title={Composing and Decomposing Systems under Security Properties}, +BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop}, +Address={Kenmare, County Kerry, Ireland}, +Year={1995},Month=jun,Pages={} } + +@InProceedings{ZakinthinosLee95, +Author={A. Zakinthinos and E.S. Lee}, +Title={The Composability of Non-Interference}, +BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop}, +Address={Kenmare, County Kerry, Ireland}, +Year={1995},Month=jun,Pages={} } + +@InProceedings{ZakinthinosLee98, +Author={A. Zakinthinos and E.S. Lee}, +Title={Composing Secure Systems that have Emergent Properties}, +BookTitle={Proceedings of the 11th IEEE Computer Security + Foundations Workshop}, +Address={Rockport, Massachusetts}, +Year={1998},Month=jun,Pages={117--122} } + +@InProceedings{Maneki95, +Author={A.P. Maneki}, +Title={Algebraic Properties of System Composition in the {Loral}, + {Ulysses} and {McLean} Trace Models}, +BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop}, +Address={Kenmare, County Kerry, Ireland}, +Year={1995},Month=jun,Pages={} } + +@InProceedings{Mao95, +Author={W. Mao}, +Title={An Augmentation of {BAN}-Like Logics}, +BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop}, +Address={Kenmare, County Kerry, Ireland}, +Year={1995},Month=jun,Pages={} } + +@PhDThesis{Hinton95, +Author={H.M. Hinton}, School={University of Toronto}, +Title={Composable Safety and Progress Properties}, +Year={1995}, Month={} } + +@InProceedings{Knight+94, +Author = {J.C. Knight and J.C. Prey and W.A. Wulf}, +Title = {Undergraduate Computer Science Education: A New Curriculum + Philosophy and Overview}, +Booktitle = {Proceedings of the ACMCSE}, +Organization = {}, Address = {Phoenix, Arizona}, +Year = {1994}, +Pages={}, Month = mar } + +@InProceedings{Browne96, +Author={J.C. 
Browne}, +TITLE = {Compositional Development for Parallel Object-Oriented Systems}, +Booktitle = {Proceedings of the Second International Workshop on + Object-oriented Real-time Dependable Systems (WORDS 96)}, +Organization = {IEEE Computer Society Technical Committee on Distributed Processing}, +Address = {Laguna Beach, California}, Year = {1996}, Pages={}, Month = feb } + +@Article{Sibert+96, +Title="An Analysis of the {Intel} + 80x86 Security Architecture and Implementations", +Author="O. Sibert and P.A. Porras and R. Lindell", +Journal="{IEEE} Transactions on Software Engineering", +Year="1996", Volume="SE-22", Number="4", Month=may, +Page="283--293" } + +@Article{Corbett96, +Title="Evaluating Deadlock Detection Methods for Concurrent Software", +Author="J.C. Corbett", +Journal="{IEEE} Transactions on Software Engineering", +Year="1996", Volume="SE-22", Number="3", Month=mar, +Page="161--180" } + +@PhDThesis{Perlman88, +Author={R. Perlman}, +School={MIT, Cambridge, Massachusetts}, +Title={Network Layer Protocols with {Byzantine} Robustness}, +Year={1988}, Month={} } + +@book{Wayner96, +Author={P. Wayner}, +Title={Disappearing Cryptography: Being and Nothingness on the Net}, +Publisher={AP Professional (Academic Press), Chestnut Hill, Massachusetts}, +Year={1996} } + +@book{Wayner02, +Author={P. Wayner}, +Title={Translucent Databases}, +Publisher={Flyzone Press, Baltimore, Maryland}, +Year={2002} } + +@InProceedings{Dean+96, +Author={D. Dean and E.W. Felten and D.S. Wallach}, +Title={{Java} Security: From {HotJava} to {Netscape} and Beyond}, +BookTitle={Proceedings of the 1996 Symposium on +Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland, +California}, Year={1996}, Month=may, pages={190--200}} + +@book{McGrawFelten97, +Author={G. McGraw and E.W. Felten}, +Title={{Java} Security: Hostile Applets, Holes, and Antidotes}, +Publisher={John Wiley and Sons, New York}, +Year={1997} } + +@book{McGrawFelten99, +Author={G. McGraw and E.W. 
Felten}, +Title={Securing {Java}: Getting Down to Business with Mobile Code}, +Publisher={John Wiley and Sons, New York}, +Note={This is the second edition of~\cite{McGrawFelten97}.}, +Year={1999} } + +@book{FriedmanVoas95, +Author={M. Friedman and J.M. Voas}, +Title={Software Assessment: Reliability, Safety, and Testability}, +Publisher={John Wiley and Sons, New York}, +Year={1998} } + +@book{VoasMcGraw98, +Author={J.M. Voas and G. McGraw}, +Title={Software Fault Injection: Inoculating Programs Against Errors}, +Publisher={John Wiley and Sons, New York}, +Year={1998} } + +@book{ViegaMcGraw02, +Author={J. Viega and G. McGraw}, +Title={Building Secure Software: How to Avoid Security Problems the + Right Way}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2002} } + +@book{McGraw06, +Author={G. McGraw}, +Title={Software Security: Building Secure In}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2006} } + +@Article{Kulkarni97, + author = {S.S. Kulkarni and A. Arora}, + title = {Compositional Design of Multitolerant Repetitive {Byzantine} + Agreement}, + journal = {Proceedings of the Seventeenth International Conference on + Foundations of Software Technology and Theoretical Computer Science, + Kharagpur, India}, + year = {1997}, + month = dec, + pages = {169-183}, +} + +@Article{AroraKulkarni98Multitolerance, + author = {A. Arora and S.S. Kulkarni}, + title = {Component Based Design of Multitolerance}, + journal = {IEEE Transactions on Software Engineering}, + year = {1998}, + volume = {24}, + number = {1}, + month = jan, + pages = {63--78}, +} + +@InProceedings{AroraKulkarni98Detectors, + author = {A. Arora and S.S. Kulkarni}, + title = {Detectors and Correctors: A Theory of Fault-Tolerance Components}, + booktitle = {Proceedings of the Eighteenth International Conference on + Distributed Computing Systems}, Month=may, Year={1998}, pages={}, + organization = {IEEE Computer Society} } + +@InProceedings{LeLann98a, +Author={G. 
{Le Lann}}, +Title={Predictability in Critical Systems}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, + Formal Techniques in Real-Time and Fault-Tolerant Systems}, +Organization={}, Address={Lyngby, Denmark}, +Year={1998}, Month=sep, pages={}} + +@InProceedings{LeLann98b, +Author={G. {Le Lann}}, +Title={Proof-Based System Engineering and Embedded Systems}, +BookTitle={Springer-Verlag, Berlin, + Lecture Notes in Computer Science, + Embedded Systems}, +Organization={}, Address={}, +Year={1998}, Month={}, pages={}} + +@Article{Fugetta+98, + author = {A. Fuggetta and G.P. Picco and G. Vigna}, + title = {Understanding Code Mobility}, + journal = {IEEE Transactions on Software Engineering}, + year = {1998}, + volume = {24}, + number = {5}, + month = may, + pages = {342--361}, +} + +@Article{Heitmeyer+98, + author = {C. Heitmeyer and J. {Kirby, Jr.} and B. Labaw and + M. Archer and R. Bharadwaj}, + title = {Using Abstraction and Model Checking to Detect + Safety Violations in Requirements Specifications}, + journal = {IEEE Transactions on Software Engineering}, + year = {1998}, + volume = {24}, + number = {11}, + month = nov, + pages = {927--948}, +} + +@Article{Feather98, + author = {M. Feather}, + title = {Rapid Application of Lightweight Formal Methods + for Consistency Analyses}, + journal = {IEEE Transactions on Software Engineering}, + year = {1998}, + volume = {24}, + number = {11}, + month = nov, + pages = {949--959}, +} + +@PhDThesis{Blume97, +Author={M. Blume}, +School={Computer Science Department, Princeton University}, +Title={Hierarchical Modularity and Intermodule Optimization}, +Year={1997}, Month=nov } + +@ARTICLE{BlumeAppel97, +Author={M. Blume and A.W. Appel}, +TITLE = {Hierarchical Modularity: Compilation Management for Standard ML}, +JOURNAL = {}, YEAR = {1997}, VOLUME = {}, +NUMBER = {}, PAGES = {}, MONTH = {} } + +@Article{BauerAppelFelten03, + Author={L. Bauer and A.W. Appel and E.W. 
Felten}, + Journal={Software--Practice and Experience}, + Title={Mechanisms for Secure Modular Programming in {Java}}, + Year={2003}, + Month={}, + Pages={461--480}, + Volume={33}, + Number={} + } + +@article{BlumeAppel99, + author = "M. Blume and A.W. Appel", + title = "Hierarchical modularity", + journal = "ACM Transactions on Programming Languages and Systems", + volume = "21", + number = "4", + pages = "813--847", + year = "1999", + url = "citeseer.nj.nec.com/blume98hierarchical.html" } + +@inproceedings{HarperLilligridge94, + author = "R. Harper and M. Lillibridge", + title = "A type-theoretic approach to higher-order modules with sharing", + booktitle = "Conference Record of {POPL '94}: 21st {ACM {SIGPLAN}-{SIGACT}} + {S}ymposium on {P}rinciples of {P}rogramming {L}anguages", + month = jan, + address = "Portland, Oregon", + pages = "123--137", + year = "1994", + url = "citeseer.nj.nec.com/harper94typetheoretic.html" } + +@InProceedings{Bren91, +Author = "J. Brentano and S.R. Snapp and G.V. Dias and T.L. Goan and + L.T. Heberlein and C.H. Ho and K.N. Levitt and B. Mukherjee", +Key = "Bren91", +Title = "An Architecture for a Distributed Intrusion Detection System", +Booktitle = "Fourteenth Department of Energy + Computer Security Group Conference", +Organization = "Department of Energy", Address = "Concord, California", +Year = "1991", Pages="25-45 in section 17", Month = May } + +@TechReport{Cros95, +author={M. Crosbie and E.H. Spafford}, key ={Cros95}, +Title={Active Defense of a Computer System Using Autonomous Agents}, +institution= {Department of Computer Sciences, CSD-TR-95-008}, +address={Purdue University, West Lafayette, Indiana}, month ={}, Year=1995 } + +@InProceedings{Hebe91, +Author = "T.L Heberlein and B. Mukherjee and K.N. 
Levitt", Key = {Hebe91}, +Title = "A Method to Detect Intrusive Activity in a Networked Environment", +Booktitle = "Proceedings of the Fourteenth National Computer Security Conference", +Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991", +Pages="362-371", month=oct } + +@PhDThesis{Ko96, +Author={C. Ko}, +School={Computer Science Department, University of California at Davis}, +Title={Execution Monitoring of Security-Critical Programs in a Distributed + System: A Specification-Based Approach}, +Year={1996}, Month={} } + +@ARTICLE{Jako93, +Author={G. Jakobson and M.D. Weissman}, key = {Jako93}, +TITLE = {Alarm Correlation}, +JOURNAL = {IEEE Network}, YEAR = {1993}, VOLUME = {}, +NUMBER = {}, PAGES = {52-59}, MONTH = nov } + +@ARTICLE{Mans93, +Author={M. Mansouri-Samani and M. Sloman}, key = {Mans93}, +TITLE = {Monitoring Distributed Systems}, +JOURNAL = {IEEE Network}, YEAR = {1993}, VOLUME = {}, +NUMBER = {}, PAGES = {20-30}, MONTH = nov } + +@InProceedings{Meye95, +Author = "K. Meyer and M. Erlinger and J. Betser and C. Sunshine and + G. Goldszmidt and Y. Yemini", Key = "Meye95", +Title = "Decentralizing Control and Intelligence in Network Management", +Booktitle = "Proceedings of the Fourth International Symposium on + Integrated Network Management (IFIP/IEEE), + Santa Barbara, California, May 1995", +Organization = "Chapman \& Hall, London, England", +Year = "1995", Pages="4-16" } + +@Article{Ricc97, +Author = "L. Ricciulli and N. Shacham", key= "Ricc97", +Title = "Modelling correlated alarms in network management systems", +Journal = "Communications Networks and Distributed Systems Modeling + and Simulation", Year = "1997"} + +@InProceedings{SCLH95, +Author={S. Saniford-Chen and L.T. 
Heberlein},
+Title={Holding Intruders Accountable on the {Internet}},
+BookTitle={Proceedings of the 1995 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1995}, Month=may, pages={}}
+
+@InProceedings{Klig95,
+Author={S. Kliger and S. Yemini and Y. Yemini and D. Ohsie and S. Stolfo},
+ Key ={Klig96},
+TITLE = {A coding approach to event correlation},
+Booktitle = "Proceedings of the Fourth International Symposium on
+ Integrated Network Management (IFIP/IEEE),
+ Santa Barbara, California, May 1995",
+Organization = "Chapman \& Hall, London, England",
+YEAR = {1995}, PAGES = {266-277} }
+
+@InProceedings{Wies95,
+Author = "R. Wies",
+Title = "Using a Classification of Management Policies for Policy
+ Specification and Policy Transformation",
+Booktitle = "Proceedings of the Fourth International Symposium on
+ Integrated Network Management (IFIP/IEEE),
+ Santa Barbara, California, May 1995",
+Organization = "Chapman \& Hall, London, England",
+Year = "1995", Pages="44--56" }
+
+@InProceedings{Alpers+95,
+Author = "B. Alpers and H. Plansky",
+Title = "Concepts and Application of Policy-Based Management",
+Booktitle = "Proceedings of the Fourth International Symposium on
+ Integrated Network Management (IFIP/IEEE),
+ Santa Barbara, California, May 1995",
+Organization = "Chapman \& Hall, London, England",
+Year = "1995", Pages="57--68" }
+
+@InProceedings{Putter+95,
+Author = "P. Putter and J. Bishop and J. Roos",
+Title = "Toward Policy Driven Systems Management",
+Booktitle = "Proceedings of the Fourth International Symposium on
+ Integrated Network Management (IFIP/IEEE),
+ Santa Barbara, California, May 1995",
+Organization = "Chapman \& Hall, London, England",
+Year = "1995", Pages="69--80" }
+
+@InProceedings{Lowe96,
+Author={G.
Lowe},
+Title={Breaking and fixing the {Needham-Schroeder} public-key protocol:
+ {A} comparison of two approaches},
+BookTitle={Springer-Verlag, Berlin,
+ Lecture Notes in Computer Science, vol.~1055,
+ 2nd International Workshop on Tools and Algorithms for
+ the Construction and Analysis of Systems},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={147-166}}
+
+@InProceedings{Mitchell+97,
+Author={J.C. Mitchell and M. Mitchell and U. Stern},
+Title={Automated Analysis of Cryptographic Protocols Using Mur$\varphi$},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={141--151}}
+
+@InProceedings{Syverson97,
+Author={P.F. Syverson and D.M. Goldschlag and M.G. Reed},
+Title={Anonymous Connections and Onion Routing},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={44-54}}
+
+@InProceedings{Moriconi97,
+Author={M. Moriconi and X. Qian and R.A. Riemenschneider and L. Gong},
+Title={Secure Software Architectures},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={94-93}}
+
+@InProceedings{Zakinthos97,
+Author={A. Zakinthos and E.S. Lee},
+Title={A General Theory of Security Properties},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={94-102}}
+
+@InProceedings{Lindqvist,
+Author={U. Lindqvist and E.
Jonsson},
+Title={How to Systematically Classify Computer System Intrusions},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={154-163}}
+
+@book{Amoroso99,
+Author={E. Amoroso},
+Title={Intrusion Detection: An Introduction to Internet Surveillance,
+Correlation, Trace Back, Traps, and Response},
+Publisher={Intrusion.Net Books},
+Year={1999} }
+
+@InProceedings{Ammann97,
+Author={P. Ammann and S. Jajodia and C.D. McCollum and B.T. Blaustein},
+Title={Surviving Information Warfare Attacks on Databases},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={164-174}}
+
+@InProceedings{Ko97,
+Author={C. Ko and M. Ruschitzka and K. Levitt},
+Title={Execution Monitoring of Security-Critical Programs in
+ Distributed Systems: A Specification-Based Approach},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={175-187}}
+
+@InProceedings{Gligor98,
+Author={V.D. Gligor and S.I. Gavrila},
+Title={Application-Oriented Security Policies
+ and Their Composition},
+BookTitle={Proceedings of the 1998 Workshop on
+ Security Paradigms},
+Organization={}, Address={Cambridge, England},
+Year={1998}, Month={}, pages={}}
+
+@InProceedings{GligorGavrila98,
+Author={V.D. Gligor and S.I. Gavrila and D. Ferraiolo},
+Title={On the Formal Definition of Separation-of-Duty Policies and their
+ Composition},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@book{ShimomuraMarkoff,
+Author={T. Shimomura and J.
Markoff},
+Title={Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most
+Wanted Computer Outlaw -- By the Man Who Did It},
+Publisher={Hyperion, New York, New York}, Year={1996} }
+
+@book{AlexanderC,
+Author={C. Alexander},
+Title={The Timeless Way of Building},
+Publisher={Oxford University Press, Oxford, England},
+Year={1979} }
+
+@book{Coplien95,
+Author = {J.O. Coplien and D.C. {Schmidt (eds.)}},
+Title = {Pattern Languages of Program Design},
+Publisher = {Addison-Wesley, Reading, Massachusetts},
+Year = {1995} }
+
+@book{Forrester94,
+Author = {T. Forester and P. Morrison},
+title = {Computer Ethics (2nd ed.)},
+Publisher = {The MIT Press, Cambridge, Massachusetts},
+Year = {1994}}
+
+@book{DiffieLandau98,
+Author={W. Diffie and S. Landau},
+Title={Privacy on the Line: The Politics of Wiretapping and Encryption},
+Publisher={MIT Press},
+Year={1998} }
+
+@book{Agre97,
+Author={P.E. Agre},
+Title={Computation and Human Experience},
+Publisher={Cambridge University Press},
+Year={1997} }
+
+@book{AgreRotenberg97,
+Author={P.E. Agre and M. {Rotenberg, editors}},
+Title={Technology and Privacy: The New Landscape},
+Publisher={MIT Press, Cambridge, Massachusetts},
+Year={1997} }
+
+@book{SchneierBanisar97,
+Author={B. Schneier and D. Banisar},
+Title={The Electronic Privacy Papers},
+Publisher={John Wiley and Sons, New York},
+Year={1997} }
+
+@ARTICLE{Ewusi-Mensah97,
+Author={K. Ewusi-Mensah},
+TITLE={Critical Issues in Abandoned Information Systems Development Projects},
+JOURNAL = {Communications of the ACM}, YEAR = {1997}, VOLUME = {40},
+NUMBER = {9}, PAGES = {74--80}, MONTH = sep }
+
+@ARTICLE{BrynHitt98,
+Author={E. Brynjolfsson and L.M. Hitt},
+TITLE={Beyond the Productivity Paradox},
+JOURNAL = {Communications of the ACM}, YEAR = {1998}, VOLUME = {41},
+NUMBER = {8}, PAGES = {11--12}, MONTH = aug }
+
+@InProceedings{RothfussParrett97,
+Author = "J.S. Rothfuss and J.W.
Parrett",
+Title = "Go ahead, visit those {Websites}, you can't get hurt ... can you? ",
+Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
+Pages="80--94", month=oct }
+
+@TechReport{PCCIP,
+author={T. {Marsh (ed.)}},
+Title={{Critical Foundations: Protecting America's Infrastructures}},
+institution= {President's Commission on Critical Infrastructure Protection},
+address={}, month =oct, Year=1997 }
+
+@InProceedings{Felten97+,
+Author = "E.W. Felten and D. Balfanz and D. Dean and D.S. Wallach",
+Title = "Web spoofing: An {Internet} con game",
+Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
+Pages="95--103", month=oct }
+
+@InProceedings{Ladue97,
+Author = "M.D. Ladue",
+Title = "When {Java} was one: Threats from hostile byte code",
+Booktitle="Proceedings of the Nineteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
+Pages="104--115", month=oct }
+
+@InProceedings{GongQian94,
+Author={L. Gong and X. Qian},
+Title={The Complexibility and Composability of Secure Interoperation},
+BookTitle={Proceedings of the 1994 Symposium on Research in
+Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1994}, Month=may, pages={190--200}}
+
+@InProceedings{Gong+97,
+Author = {L. Gong and M. Mueller and H. Prafullchandra and R. Schemers},
+Title = {Going Beyond the Sandbox: An Overview of the New Security
+ Architecture in the {Java Development Kit} 1.2},
+Booktitle = {Proceedings of the USENIX Symposium on Internet Technologies
+ and Systems},
+Organization = {}, Address = {Monterey, California},
+Year = {1997},
+Pages={}, Month = dec }
+
+@InProceedings{Gong+98,
+Author = {L. Gong and R.
Schemers},
+Title = {Implementing Protection Domains in the {Java Development Kit} 1.2},
+Booktitle = {Proceedings of the Internet Society Symposium on Network and
+ Distributed System Security},
+Organization = {}, Address = {San Diego, California},
+Year = {1998},
+Pages={}, Month = mar }
+
+@Book{Gong99,
+Author={L. Gong},
+Title={Inside Java(TM) 2 Platform Security: Architecture, {API} Design,
+ and Implementation},
+Publisher={Addison-Wesley, Reading, Massachusetts},
+Year={1999} }
+
+@article{FeustelMayfield98,
+author={E.A. Feustel and T. Mayfield},
+title = {The {DGSA}: Unmet Information Security Challenges for
+ Operating System Designers},
+journal = {Operating Systems Review}, volume = {32}, number = {1},
+pages = {3--22}, month = jan, year = {1998}}
+
+@InProceedings{LowmanMosier97,
+Author = {T. Lowman and D. Mosier},
+Title = {Applying the {DoD} {Goal} {Security} {Architecture} as a Methodology
+ for the Development of System and Enterprise Security Architectures},
+Booktitle = {Proceedings of the Thirteenth Annual Computer Security
+ Applications Conference},
+Organization = {IEEE Computer Society}, Address = {San Diego, California},
+Year = {1997},
+Pages={183--193}, Month = dec }
+
+@InProceedings{Kang+96,
+Author = {M.H. Kang and I. Moskowitz and B. Montrose and J. Parsonese},
+Title = {A Case Study of Two {NRL} Pump Prototypes},
+Booktitle = {Proceedings of the Twelfth Annual Computer Security
+ Applications Conference},
+Organization = {IEEE Computer Society}, Address = {San Diego, California},
+Year = {1996},
+Pages={32--43}, Month = dec }
+
+@InProceedings{Davidson96,
+Author = {J.A. Davidson},
+Title = {Asymmetric Isolation},
+Booktitle = {Proceedings of the Twelfth Annual Computer Security
+ Applications Conference},
+Organization = {IEEE Computer Society}, Address = {San Diego, California},
+Year = {1996},
+Pages={44--54}, Month = dec }
+
+@InProceedings{Anderson+96,
+Author = {M. Anderson and C. North and J. Griffin and J. Yesberg and K.
Yiu},
+Title = {Starlight: Interactive Link},
+Booktitle = {Proceedings of the Twelfth Annual Computer Security
+ Applications Conference},
+Organization = {IEEE Computer Society}, Address = {San Diego, California},
+Year = {1996},
+Pages={55--63}, Month = dec }
+
+@InProceedings{Kang+97,
+Author = {M.H. Kang and J.N. Froscher and I.S. Moskowitz},
+Title = {An Architecture for Multilevel Secure Interoperability},
+Booktitle = {Proceedings of the Thirteenth Annual Computer Security
+ Applications Conference},
+Organization = {IEEE Computer Society}, Address = {San Diego, California},
+Year = {1997},
+Pages={194--204}, Month = dec }
+
+@InProceedings{Pollitt97,
+Author = "M. Pollitt",
+Title = "Cyberterrorism: Fact or fancy?",
+Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
+Pages="285--289", month=oct }
+
+@InProceedings{Alves-Foss97,
+Author = "J. Alves-Foss",
+Title = "The Use of Belief Logics in the Presence of Causal Consistency
+ Attacks",
+Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
+Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
+Pages="406--417", month=oct }
+
+@techreport{Lincoln+94,
+ AUTHOR = {P.D. Lincoln and N. Marti-Oliet and J. Meseguer},
+ TITLE = {Specification, Transformation, and Programming
+ of Concurrent Systems in Rewriting Logic},
+ NUMBER = {SRI-CSL-94-11},
+ INSTITUTION = {Computer Science Laboratory, SRI International},
+ YEAR = "1994",
+ ADDRESS = "Menlo Park, California",
+ MONTH = may,
+}
+
+@InProceedings{Meseguer93,
+Author = "J. Meseguer",
+Title = "A Logical Theory of Concurrent Objects and its
+ Realization in the {Maude} Language",
+Booktitle = "Research Directions on Concurrent Object-Oriented Programming",
+editors = {P. Wegner and A.
Yonezawa},
+Publisher = {MIT Press, Cambridge, Massachusetts},
+Year = "1993" }
+
+@TechReport{JTA97,
+author={{Department of the Army}},
+Title={{Joint Technical Architecture,} Version 5.0},
+institution= {Office of the Secretary of the Army},
+address={}, month =sep, Year=1997 }
+
+@InProceedings{Green97,
+Author = "P. Green",
+Title = "The Art of Creating Reliable Software-based Systems Using
+ Off-the-Shelf Software Components",
+Booktitle = "Proceedings of the
+ Sixteenth International Symposium on Reliable Distributed Systems",
+Organization = "IEEE Computer Society",
+Address = {Durham, North Carolina}, Year = "1997",
+Pages="118--120", Month = "22-24 October" }
+
+@InProceedings{Arbaugh+97,
+Author={W.A. Arbaugh and D.J. Farber and J.M. Smith},
+Title={A Secure and Reliable Bootstrap Architecture},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={65--71}}
+
+@InProceedings{Arbaugh+98a,
+Author={W.A. Arbaugh and A.D. Keromytis and D.J. Farber and J.M. Smith},
+Title={Automated Recovery in a Secure Bootstrap Process},
+BookTitle={Proceedings of the 1998 Network and Distributed System
+ Security Symposium},
+Organization={Internet Society}, Address={San Diego, California},
+Year={1998}, Month=mar, pages={}}
+
+@Article{Arbaugh+98b,
+Author={W.A. Arbaugh and J.R. Davin and D.J. Farber and J.M. Smith},
+Title={Security for Private Intranets},
+Journal={IEEE Computer},
+Volume={31},
+number={9},
+pages = {48--55},
+Note = {Special issue on broadband networking security.},
+Year={1998} }
+
+@Article{MelliarMoser98,
+ Author={P.M. Melliar-Smith and L.E. Moser},
+ Journal={Computer},
+ Title={Surviving Network Partitioning},
+ Year={1998},
+ Month=mar,
+ Pages={62--68},
+ Volume={31},
+ Number={3}
+ }
+
+@InProceedings{Raynal98,
+Author={M.
Raynal},
+Title={A Case Study of Agreement Problems in Distributed Systems:
+ Non-Blocking Atomic Commitment},
+BookTitle={Proceedings of the 1997 High-Assurance Systems
+ Engineering Workshop},
+Organization={IEEE Computer Society}, Address={Washington, D.C.},
+Year={1997}, Month=aug, pages={209--214}}
+
+@InProceedings{NeculaLee97,
+Author={G.C. Necula and P. Lee},
+Title={Research on Proof-Carrying Code for Untrusted-Code Security},
+BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1997}, Month=may, pages={204}}
+
+@PhDThesis{Necula98,
+Author={G.C. Necula},
+School={Computer Science Department, Carnegie-Mellon University},
+Title={Compiling with Proofs},
+Year={1998}, Month={} }
+
+@PhDThesis{Dean99,
+Author={D. Dean},
+School={Computer Science Department, Princeton University},
+Title={Formal Aspects of Mobile Code Security},
+Note =
+{(\xlink{http://www.cs.princeton.edu/sip/pub/ddean-dissertation.php3}{http://www.cs.princeton.edu/sip/pub/ddean-dissertation.php3})},
+Year={1999}, Month=jan }
+
+@PhDThesis{Wallach99,
+Author={D.S. Wallach},
+School={Computer Science Department, Princeton University},
+Title={A New Approach to Mobile Code Security},
+Note =
+{(\xlink{http://www.cs.rice.edu/\~{}dwallach/}{http://www.cs.rice.edu/\~{}dwallach/})},
+Year={1999}, Month=jan }
+
+@PhDThesis{Stringer-Calvert98,
+Author={D.W.J. Stringer-Calvert},
+School={Department of Computer Science, University of York},
+Title={Mechanical Verification of Compiler Correctness},
+Year={1998}, Month={} }
+
+@TechReport{Dold+02,
+author={A. Dold and F.W. von Henke and V. Vialard and W. Goerigk},
+Title="A Mechanically Verified Compiling Specification for
+ a Realistic Compiler",
+type={Technical Report {UIB} 03-02},
+institution="Universit{\"a}t Ulm, Fakult{\"a}t f{\"u}r Informatik",
+address={Ulm, Germany},
+Month = dec, Year=2002 }
+
+@TechReport{Dold++02,
+author={A. Dold and F.W.
von Henke and V. Vialard and W. Goerigk},
+Title="A Mechanically Verified Compiling Specification for
+ a Realistic Compiler",
+type={Technical Report {UIB} 03-02},
+institution="Universit{\"a}t Ulm, Fakult{\"a}t f{\"u}r Informatik",
+address={Ulm, Germany},
+Month = dec, Year=2002,
+NOTE = "\xlink{http://www.informatik.uni-ulm.de/ki/Verifix/initcomp\_uib-02-03.html}{http://www.informatik.uni-ulm.de/ki/Verifix/initcomp_uib-02-03.html}" }
+
+@PhDThesis{Prasad98,
+Author={D. Prasad},
+School={Department of Computer Science, University of York},
+Title={Dependable Systems Integration Using the Theories of
+ Measurement and Decision Analysis},
+Year={1998}, Month=aug }
+
+@InProceedings{Prasad98b,
+Author = {D. Prasad and J. McDermid},
+Title = {Dependability Evaluation using a Multi-Criteria
+ Decision Analysis Procedure},
+Booktitle = {To appear},
+Year = "1999",
+Pages="", Month = "" }
+
+@Proceedings{CNLS,
+Editor={S. Forrest},
+Title={Emergent Computation},
+ORGANIZATION={Proceedings of the Ninth Annual CNLS Conference},
+Address ={MIT Press, Cambridge, Massachusetts},
+Month={},
+Year={1991} }
+
+@InProceedings{Hinton97,
+Author={H.M. Hinton},
+Title={Under-Specification, Composition, and Emergent Properties},
+BookTitle={Proceedings of the 1997 New Security Paradigms Workshop},
+Organization={ACM SIGSAC}, Address={Langdale, Cumbria, United Kingdom},
+Year={1997}, Month=sep, pages={83--93}}
+
+@InProceedings{Hinton98,
+Author={H.M. Hinton},
+Title={Composing Partially-Specified Systems},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{Bradley+98,
+Author={K.A. Bradley and B. Mukherjee and R.A. Olsson and N.
Puketza},
+Title={Detecting Disruptive Routers:
+ A Distributed Network Monitoring Approach},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{Trostle98,
+Author={J.T. Trostle},
+Title={Timing Attacks Against Trusted Path},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{Malkhi+98,
+Author={D. Malkhi and M.K. Reiter and A.D. Rubin},
+Title={Secure Execution of {Java} Applets using a Remote Playground},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{WallachFelten98,
+Author={D.S. Wallach and E.W. Felten},
+Title={Understanding {Java} Stack Inspection},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{SanderTschudin98,
+Author={T. Sander and C.F. Tschudin},
+Title={Towards Mobile Cryptography},
+BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1998}, Month=may, pages={}}
+
+@InProceedings{Salter+98,
+author={C. Salter and O.S. Saydjari and B. Schneier and J. Wallner},
+Title={Toward A Secure System Engineering Methodology},
+BookTitle = {New Security Paradigms Workshop},
+NOTE= {(\xlink{http://www.counterpane.com/secure-methodology.html}{http://www.counterpane.com/secure-methodology.html}), Draft was at
+\xlink{http://www.hokie.bs1.prc.com/ipa/PREPUB\~{}2.html}{http://www.hokie.bs1.prc.com/ipa/PREPUB\~{}2.html}},
+address={}, month =sep, Year=1998 }
+
+@TechReport{Blumenstiel85,
+author={A.D.
Blumenstiel},
+Title={Security Assessment Considerations for {ADL ADP} Systems},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1985 }
+
+@TechReport{Blumenstiel86a,
+author={A.D. Blumenstiel},
+Title={Potential Consequences of and Countermeasures for Advanced Automation
+ System Electronic Penetration},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1986 }
+
+@TechReport{Blumenstiel86b,
+author={A.D. Blumenstiel},
+Title={{FAA} Computer Security Candidate Countermeasures for Electronic
+ Penetration of {ADP} Systems},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1986 }
+
+@TechReport{Blumenstiel86c,
+author={A.D. Blumenstiel},
+Title={Operation Manual for the {HH-65A} Data Link},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1986 }
+
+@TechReport{BlumenstielManning86,
+author={A.D. Blumenstiel and P.E. Manning},
+Title={{Advanced Automation System} Vulnerabilities to Electronic Attack},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month =jul, Year=1986 }
+
+@TechReport{Blumenstiel87,
+author={A.D. Blumenstiel},
+Title={Guidelines for {National Airspace System} Electronic Security},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1987 }
+
+@TechReport{Blumenstiel88a,
+author={A.D. Blumenstiel},
+Title={{Federal Aviation Administration} Computer Security Plans},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center,
+produced by Science Resources Associates},
+address={Cambridge, Massachusetts}, month ={}, Year=1988 }
+
+@TechReport{Blumenstiel88b,
+author={A.D.
Blumenstiel},
+Title={{National Airspace System} Electronic Security},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1988 }
+
+@TechReport{Blumenstiel88c,
+author={A.D. Blumenstiel and J. Itz},
+Title={{National Airspace System} {Data Interchange Network}
+ Electronic Security},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1988 }
+
+@TechReport{Blumenstiel90,
+author={A.D. Blumenstiel},
+Title={{Federal Aviation Administration AIS} Security Accreditation Guidelines},
+institution= {National Institute on Standards and Technology},
+address={Gaithersburg, Maryland}, month ={}, Year=1990 }
+
+@TechReport{Blumenstiel91,
+author={A.D. Blumenstiel},
+Title={{Federal Aviation Administration AIS} Security
+ Accreditation Application Design},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1991 }
+
+@TechReport{Blumenstiel92a,
+author={A.D. Blumenstiel},
+Title={{Federal Aviation Administration AIS} Security Accreditation Program
+ Instructions},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1992 }
+
+@TechReport{Blumenstiel92b,
+author={A.D. Blumenstiel},
+Title={{Federal Aviation Administration} Sensitive Application Security
+ Accreditation Guideline},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1992 }
+
+@TechReport{Blumenstiel93,
+author={A.D. {Blumenstiel et al.}},
+Title={{Federal Aviation Administration} Report to {Congress} on Air Traffic
+ Control Data and Communications Vulnerabilities and Security},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1993 }
+
+@TechReport{Blumenstiel94,
+author={A.D.
Blumenstiel},
+Title={Briefing on Electronic Security in the {Communications,} {Navigation}
+ and {Surveillance} {(CNS)} Environment},
+institution= {U.S. Department of Transportation/RSPA/Volpe Center},
+address={Cambridge, Massachusetts}, month ={}, Year=1994 }
+
+@TechReport{HeathTeramac97,
+Author={J.R. Heath and P.J. Kuekes and R.S. Williams},
+TITLE = {A Defect Tolerant Architecture for Chemically Assembled Computers:
+ The Lessons of {Teramac} for the Aspiring Nanotechnologist},
+institution ={UCLA},
+YEAR = {1997}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {},
+NOTE = {(\xlink{http://neon.chem.ucla.edu/\~{}schung/Hgrp/teramac.html}{http://neon.chem.ucla.edu/\~{}schung/Hgrp/teramac.html})}
+}
+
+@ARTICLE{Vaidya98,
+Author={N.H. Vaidya},
+TITLE = {A Case for Two-Level Recovery Schemes},
+JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {47},
+NUMBER = {6}, PAGES = {656--666}, MONTH = jun }
+
+@TechReport{RielyHennessy98,
+author={J. Riely and M. Hennessy},
+Title={Trust and Partial Typing in Open Systems of Mobile Agents},
+institution= {University of Sussex},
+address={}, month =jul, Year=1998,
+Note ={ftp://ftp.cogs.susx.ac.uk/pub/reports/compsci/cs0498.ps.Z}}
+
+@TechReport{IEEE-P1363,
+author={IEEE},
+Title={Standard Specifications for Public Key Cryptography},
+institution= {IEEE Standards Department},
+address={445 Hoes Lane, P.O. Box 1331, Piscataway, New Jersey 08855-1331},
+month ={}, Year={2000 and ongoing},
+note = {(\xlink{http://grouper.ieee.org/groups/1363/}{http://grouper.ieee.org/groups/1363/})} }
+
+@TechReport{JASAdraft,
+author={JASA Standards Working Group},
+Title={Joint Airborne {SIGINT} Architecture},
+institution= {TASC},
+address={131 National Business Parkway,
+ Annapolis Junction, MD 20701},
+month ={June-July}, Year=1998,
+note ={Draft, Version 3;
+ contact Paul L. Washington, Jr., 1-301-483-6000, ext. 2017,
+ \verb+PLWashington@jswg.org+} }
+
+@ARTICLE{Stevenson98,
+Author={D.E.
Stevenson}, TITLE = {Validation and Verification Methodologies
+ for Large Scale Simulations: There are no Silver Hammers, Either},
+JOURNAL = {IEEE Computational Science and Engineering},
+YEAR = {1998}, VOLUME = {},
+NUMBER = {}, PAGES = {}, MONTH = {} }
+
+@ARTICLE{Stevenson98x,
+Author={D.E. Stevenson}, TITLE = {Validation and Verification Methodologies
+ for Large Scale Simulations: There are no Silver Hammers, Either},
+JOURNAL = {IEEE Computational Science and Engineering},
+YEAR = {1998}, VOLUME = {},
+NUMBER = {}, PAGES = {}, MONTH = {} }
+
+@book{Bass+98,
+Author={L. Bass and P. Clements and R. Kazman},
+Title={Software Architecture in Practice},
+Publisher={Addison-Wesley, Reading, Massachusetts},
+Year={1998} }
+
+@TechReport{OSTF98,
+author={W.L. {O'Hern, Jr., task force chairman}},
+Title={An Open Systems Process for {DoD}},
+institution= {Open Systems Task Force, Defense Science Board},
+address={}, month =oct, Year="1998" }
+
+@Book{VignaEd98,
+Author={G. {Vigna, ed.}},
+Title={Mobile Agents and Security},
+Publisher={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={}}
+
+@InProceedings{Chess98,
+Author={D.M. Chess},
+Title={Security Issues in Mobile Code Systems},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={1--14}}
+
+@InProceedings{RiordanSchneier98,
+Author={J. Riordan and B. Schneier},
+Title={Environmental Key Generation Toward Clueless Agents},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={15--24}}
+
+@InProceedings{VolpanoSmith98,
+Author={D. Volpano and G.
Smith},
+Title={Language Issues in Mobile Program Security},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={25--43}}
+
+@InProceedings{SanderTschudin,
+Author={T. Sander and C.F. Tschudin},
+Title={Protecting Mobile Agents Against Malicious Hosts},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
+ Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={44--60}}
+
+@InProceedings{NeculaLee98,
+Author={G.C. Necula and P. Lee},
+Title={Safe, Untrusted Agents Using Proof-Carrying Code},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={61--91}}
+
+@InProceedings{Hohl98,
+Author={F. Hohl},
+Title={Time Limited Blackbox Security: Protecting Mobile Agents from
+ Malicious Hosts},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={92--113}}
+
+@InProceedings{Berkovits+98,
+Author={S. Berkovits and J.D. Guttman and V. Swarup},
+Title={Authentication for Mobile Agents},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={114--136}}
+
+@InProceedings{Vigna98,
+Author={G. Vigna},
+Title={Cryptographic Traces for Mobile Agents},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={137--153}}
+
+@InProceedings{Gray+98,
+Author={R.S. Gray and D. Kotz and G. Cybenko and D.
Rus},
+Title={D'Agents: Security in a Multiple-Language, Mobile-Agent System},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
+ Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={154--187}}
+
+@InProceedings{Karjoth+98,
+Author={G. Karjoth and D.B. Lange and M. Oshima},
+Title={A Security Model for Aglets},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={188--205}}
+
+@InProceedings{GongSchemers98,
+Author={L. Gong and R. Schemers},
+Title={Signing, Sealing, and Guarding {Java} Objects},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
+ Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={206--216}}
+
+@InProceedings{Ousterhout+98,
+Author={J.K. Ousterhout and J.Y. Levy and B.B. Welch},
+Title={The {Safe-Tcl} Security Model},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={217--234}}
+
+@InProceedings{DePaoli+98,
+Author={F. {De Paoli} and A.L. {Dos Santos} and R.A. Kemmerer},
+Title={Web Browsers and Security},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
+ vol.~1419, Mobile Agents and Security},
+Organization={}, Address={},
+Year={1998}, Month={}, pages={235--256}}
+
+@TechReport{PDD63,
+author={W.J. Clinton},
+Title={{The Clinton Administration's Policy on Critical Infrastructure
+ Protection: Presidential Decision Directive 63}},
+institution= {U.S. Government White Paper},
+address={}, month ={22 May}, Year=1998 }
+
+@InProceedings{Anderson98,
+Author = "R.H. Anderson",
+Title = "A ``Minimum Essential Information
+ Infrastructure'' {(MEII)} for {U.S.} Defense
+ Systems: Meaningful? Feasible?
Useful?",
+Booktitle = "Position Papers for the 1998 Information Survivability Workshop
+--- ISW '98",
+Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
+Pages="11--14", month=oct }
+
+@InProceedings{Winkler98,
+Author = "I.S. Winkler",
+Title = "Position Paper",
+Booktitle = "Position Papers for the 1998 Information Survivability Workshop
+--- ISW '98",
+Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
+Pages="189--191", month=oct }
+
+@InProceedings{CowanPu98,
+Author = "C. Cowan and C. Pu",
+Title = "Survivability from a Sow's Ear: The Retrofit Security Requirement",
+Booktitle = "Position Papers for the 1998 Information Survivability Workshop
+--- ISW '98",
+Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
+Pages="43--47", month=oct }
+
+@InProceedings{LevesonHeimdahl98,
+Author = "N.G. Leveson and M.P.E. Heimdahl",
+Title = "New Approaches to Critical-System Survivability",
+Booktitle = "Position Papers for the 1998 Information Survivability Workshop
+--- ISW '98",
+Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
+Pages="111--114", month=oct }
+
+@InProceedings{ThomasFeiertag98,
+Author = "R. Thomas and R. Feiertag",
+Title = "Addressing Survivability in the Composable Replaceable
+ Security Services Infrastructure",
+Booktitle = "Position Papers for the 1998 Information Survivability Workshop
+--- ISW '98",
+Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
+Pages="159--162", month=oct }
+
+@InProceedings{TidswellPotter98,
+Author={J.E. Tidswell and J.M. Potter},
+Title={A Dynamically Typed Access Control Model},
+BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science
+ vol.~1438,
+ Information Security and Privacy, Third Australasian Conference,
+ ACISP'98, Brisbane, Australia},
+Organization={}, Address={},
+Year={1998}, Month=jun, pages={308--319}}
+
+@InProceedings{Goldberg98,
+Author={A. 
Goldberg},
+TITLE = {A specification of {Java} loading and bytecode verification},
+Booktitle = {Fifth ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {San Francisco, California},
+Year = {1998},
+Pages={49--58}, Month = nov }
+
+@InProceedings{Lincoln+98,
+Author={P. Lincoln and J. Mitchell and M. Mitchell and A. Scedrov},
+TITLE = {A probabilistic poly-time framework for protocol analysis},
+Booktitle = {Fifth ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {San Francisco, California},
+Year = {1998},
+Pages={112--121}, Month = nov }
+
+@InProceedings{HaleviKrawczyk98,
+Author={S. Halevi and H. Krawczyk},
+TITLE = {Public-key cryptography and password protocols},
+Booktitle = {Fifth ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {San Francisco, California},
+Year = {1998},
+Pages={122--131}, Month = nov }
+
+@InProceedings{SchneierMudge98,
+Author={B. Schneier and {Mudge}},
+TITLE = {{Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol}
+ {(PPTP)}},
+Booktitle = {Fifth ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {San Francisco, California},
+Year = {1998},
+Pages={132--141}, Month = nov }
+
+@InProceedings{SchneierKelsey98,
+Author = {B. Schneier and J. Kelsey},
+Title = {Cryptographic support for secure logs on untrusted machines},
+Booktitle = {Proceedings of the Seventh USENIX Security Symposium},
+Organization = {USENIX}, Address = {},
+Year = {1998},
+Pages={53--62}, Month = jan}
+
+@InProceedings{An+02,
+Author={J.H. An and Y. Dodis and T. 
Rabin},
+Title={On the Security of Joint Signature and Encryption},
+BookTitle={Advances in Cryptology, EUROCRYPT 2002, Amsterdam, The
+ Netherlands, Springer-Verlag, Berlin, Lecture Notes in Computer Science},
+Organization={}, Address={},
+Year={2002}, Month=may, pages={83--107}}
+
+@InProceedings{Paulson97a,
+Author={L. Paulson},
+Title={Mechanized Proofs for a Recursive Authentication Protocol},
+BookTitle={10th IEEE Computer Security Foundations Workshop},
+Organization={IEEE Computer Society}, Address={},
+Year={1997}, Month={}, pages={84--95}}
+
+@InProceedings{Paulson97b,
+Author={L. Paulson},
+Title={Proving Properties of Security Protocols by Induction},
+BookTitle={10th IEEE Computer Security Foundations Workshop},
+Organization={IEEE Computer Society}, Address={},
+Year={1997}, Month={}, pages={70--83}}
+
+@InProceedings{Sullivan+99,
+Author = "K. Sullivan and J.C. Knight and X. Du and S. Geist",
+Title = "Information Survivability Control Systems",
+Booktitle = "Proceedings of the 1999 International Conference on
+ Software Engineering (ICSE)",
+Organization = "", Address = "", Year = "1999",
+Pages="", Month = "" }
+
+@InProceedings{FetzerCristian99,
+Author={C. Fetzer and F. Cristian},
+Title={Building Fault-Tolerant Hardware Clocks from {COTS} Components},
+BookTitle ={Proceedings of the 1999 Conference on Dependable Computing for
+Critical Applications},
+Organization={}, Address={San Jose, California},
+Year={1998}, Month=jan, pages={59--78} }
+
+@InProceedings{PfeiferSchwier+vonHenke99,
+Author={H. Pfeifer and D. Schwier and F.W. {von Henke}},
+Title={Formal Verification for Time-Triggered Clock Synchronization},
+BookTitle ={Proceedings of the 1999 Conference on Dependable Computing for
+Critical Applications},
+Organization={}, Address={San Jose, California},
+Year={1998}, Month=jan, pages={193--212} }
+
+@TechReport{Millen98,
+author={J.K. 
Millen},
+Title={Service Survivability},
+institution= {SRI International Computer Science Laboratory},
+address={Menlo Park, California}, month ={draft, June}, Year=1998 }
+
+@InProceedings{Millen99,
+Author={J. Millen},
+Title={20 years of covert channel modeling and analysis},
+BookTitle={Proceedings of the 1999 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={1999}, Month=may, pages={113--114},
+ NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/20yrcc.ps}{http://www.csl.sri.com/\~{}millen/paper/20yrcc.ps})}
+}
+
+@InProceedings{Millen99b,
+author={J.K. Millen},
+Title={Local Reconfiguration Policies},
+BookTitle ={Proceedings of the 1999 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland,
+California}, Year={1999}, Month=may, pages={48--56},
+ NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/reconfig.ps}{http://www.csl.sri.com/\~{}millen/paper/reconfig.ps})}
+ }
+
+@TechReport{Millen99a,
+author={J.K. Millen},
+Title={Survivability Measure},
+institution= {SRI International Computer Science Laboratory},
+address={Menlo Park, California}, month =jan, Year=1999,
+ }
+
+@TechReport{Millen00b,
+author={J.K. Millen},
+Title={Survivability Measure},
+institution= {SRI International Computer Science Laboratory},
+address={Menlo Park, California}, month =jun, Year=2000,
+NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/measure.ps}{http://www.csl.sri.com/\~{}millen/papers/measure.ps})}
+ }
+
+@InProceedings{MillenWright98,
+author={J.K. Millen and R. 
Wright},
+Title={Certificate revocation the responsible way},
+BookTitle ={Proceedings of a workshop on
+ Computer Security, Dependability, and Assurance (CSDA '98):
+ From Needs to Solutions workshop},
+Organization={}, Address={}, Year={1998}, Month={}, pages={},
+ NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/needs.ps}{http://www.csl.sri.com/\~{}millen/papers/needs.ps})}
+ }
+
+@InProceedings{MillenWright00,
+author={J.K. Millen and R. Wright},
+Title={Reasoning about trust and insurance in a public-key infrastructure},
+BookTitle ={Proceedings of the Computer Security Foundations Workshop},
+Organization={}, Address={Cambridge, England}, Year={2000}, Month=jul,
+ pages={},
+ NOTE={(\xlink{http://www.csl.sri.com/\~{}millen/papers/insurance.ps}{http://www.csl.sri.com/\~{}millen/papers/insurance.ps})}
+ }
+
+@InProceedings{Millen00a,
+Author={J. Millen},
+TITLE = {Efficient Fault-Tolerant Certificate Revocation},
+Booktitle = {Seventh ACM Conference on Computer and Communications Security},
+Organization = {ACM SIGSAC}, Address = {},
+Year = {2000}, Note = {Submitted.},
+Pages={}, Month = {} }
+
+@InProceedings{BI93,
+author = {M. Boyd and D. Iverson},
+title={Digraphs and fault trees: a tale of two combinatorial modeling methods},
+Booktitle ={Proceedings of the Annual Reliability and Maintainability Symposium},
+Organization = {},Pages={}, Month = {},
+Year = {1993} }
+
+@TechReport{Carney98,
+author={D.J. Carney},
+Title={Quotations from {Chairman David}: A {Little Red Book} of Truths to
+ Enlighten and Guide on the Long March Toward the {COTS} Revolution},
+institution= {Carnegie-Mellon University Software Engineering Institute},
+address={Pittsburgh, Pennsylvania},
+month ={}, Year=1998, url={http://www.sei.cmu.edu/publications/documents/99.reports/lrb/little-red-book.html}
+ }
+
+@article{Bacon99,
+author={J. 
Bacon},
+title = {Report on the {Eighth} {ACM SIGOPS} {European Workshop},
+ {System Support for Composing Distributed Applications}},
+journal = {Operating Systems Review}, volume = {33}, number = {1},
+pages = {6--17}, month = jan, year = {1999} }
+
+@article{OSDebate99,
+author={T. Kindberg},
+title = {Debate: This house believes the development of robust
+ distributed systems from components to be impossible},
+journal = {Operating Systems Review}, volume = {33}, number = {1},
+pages = {15--17}, month = jan, year = {1999},
+Note={The description of this debate appeared in ``Report on the Eighth
+ ACM SIGOPS European Workshop,'' System Support for Composing Distributed
+ Applications, {\it loc.cit.}, pp. 6--17.}}
+
+@book{SecDepAss99,
+Author={P. Ammann and B.H. Barnes and S. Jajodia and {E.H. Sibley (editors)}},
+Title={Computer Security, Dependability, and Assurance},
+Publisher={IEEE Computer Society},
+Year={1999} }
+
+@book{SDolev00,
+Author={S. Dolev},
+Title={Self-Stabilization},
+Publisher={MIT Press, Cambridge, Massachusetts},
+Year={2000} }
+
+@Proceedings{NATO00,
+Author = "NATO",
+Title = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Neumann00NATO,
+Author = "P.G. Neumann",
+Title = "The Potentials of Open-Box Source Code in Developing
+ Robust Systems",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{White00,
+Author = "I. 
White",
+Title = "Wrapping the {COTS} Dilemma",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{PeelingTaylor00,
+Author = {N. Peeling and R. Taylor},
+Title = {Standards -- Myths, Delusions and Opportunities},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Barbarello00,
+Author = {J. Bararello and W. Kasian},
+Title = {{United States Army Commercial Off-The-Shelf (COTS)} Experience:
+ The Promises and Realities},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{VidgerDean00,
+Author = {M. Vidger and J. Dean},
+Title = {Maintaining {COTS}-Based Systems},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Jantsch00,
+Author = {S. Jantsch},
+Title = {Risks by Using {COTS} Products and Commercial {ICT} Services},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Charpentier00,
+Author = "R. Charpentier and M. 
Salois",
+Title = "{MaliCOTS:} Detecting Malicious Code in {COTS} Software",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Salois00,
+Author = "M. Salois and R. Charpentier",
+Title = "Dynamic Detection of Malicious Code in {COTS} Software",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Rowlingson00,
+Author = {R. Rowlingson},
+Title = {The Convergence of Military and Civil Approaches to Information
+ Security},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Schneidewind00,
+Author = {N. Schneidewind},
+Title = {The Ruthless Pursuit of the Truth about {COTS}},
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{KerrMcCarthy00,
+Author = "P. Kerr and J. McCarthy",
+Title = "Application of {COTS} Communications Services for Command and
+ Control of Military Forces",
+Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
+ Products in Defence Applications: The Ruthless Pursuit of COTS",
+Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
+Pages="", Month = apr }
+
+@InProceedings{Spinellis99,
+Author={D. 
Spinellis},
+Title={Software Reliability: Modern Challenges},
+BookTitle={Proceedings of ESREL 99, Tenth European Conference on
+ Safety and Reliablity},
+Organization={}, Address={Munich-Garching, Germany},
+Year={1999}, Month=sep, pages={589--592},
+Note={Summarized in the Risks Forum, volume 20, number 64, 4 November 1998
+ and ACM SIGSOFT {\it Software Engineering Notes 25,} 2, 17--18, March 2000.}}
+
+@InProceedings{Neumann00ICRE,
+Author = "P.G. Neumann",
+Title = "Certitude and Rectitude",
+BookTitle={Proceedings of the 2000 International Conference on
+ Requirements Engineering},
+Organization={IEEE Computer Society}, Address={Schaumberg, Illinois},
+Year={2000}, Month=jun, pages={153}}
+
+@InProceedings{Parnas00ICRE,
+Author = "D.L. Parnas",
+Title = "Two Positions on Licensing",
+BookTitle={Proceedings of the 2000 International Conference on
+ Requirements Engineering},
+Organization={IEEE Computer Society}, Address={Schaumberg, Illinois},
+Year={2000}, Month=jun, pages={154--155}}
+
+@InProceedings{Neumann00IEEE,
+Author = "P.G. Neumann",
+Title = "Robust Nonproprietary Software",
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={122--123},
+NOTE = {(\xlink{http://www.csl.sri.com/neumann/ieee00.ps}{http://www.csl.sri.com/neumann/ieee00.ps} and
+\xlink{http://www.csl.sri.com/neumann/ieee00.pdf}{http://www.csl.sri.com/neumann/ieee00.pdf}) } }
+
+@InProceedings{Lipner00,
+Author={S.B. Lipner},
+Title={Security and Source Code Access: Issues and Realities},
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={124--125}}
+
+@InProceedings{Schneider00,
+Author={F.B. 
Schneider},
+Title={Open Source in Security: Visiting the Bizarre},
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={126--127}}
+
+@InProceedings{McGraw00,
+Author={G. McGraw},
+Title={Will openish source really improve security?},
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={128--129}}
+
+@InProceedings{Witten00,
+Author={B. Witten and C. Landwehr and M. Caloyannides},
+Title={Will Open Source Really Improve Security?},
+BookTitle={2000 Symposium on Security and Privacy, oral presentation only},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={},
+NOTE = "Paper available online:
+\xlink{http://www.csl.sri.com/neumann/witten.pdf}{http://www.csl.sri.com/neumann/witten.pdf}."}
+
+@TechReport{Hissam01,
+author={S. Hissam and C.B. Weinstock and D. Plakosh and J. Asundi},
+Title={Perspectives on Open Source Software},
+institution= {Carnegie-Mellon Software Engineering Institute},
+address={Pittsburgh, Pennsylvania 15213-3890},
+month =nov, Year=2001,
+NOTE = {CMU/SEI-2001-TR-019\\
+(\xlink{http://www.sei.cmu.edu/publications/pubweb.html}{http://www.sei.cmu.edu/publications/pubweb.html}) } }
+
+@TechReport{Gacek01a,
+author={C. Gacek and T. Lawrie and B. Arief},
+Title={The Many Meanings of Open Source},
+institution= {Department of Computing Science,
+ University of Newcastle upon Tyne},
+NOTE = "Technical Report CS-TR-737",
+address={Newcastle, England}, month =aug, Year=2001
+}
+
+@TechReport{Gacek01b,
+author={C. Gacek and C. 
Jones},
+Title={Dependability Issues in Open Source Software},
+institution= {Department of Computing Science, Dependable Interdisciplinary
+ Research Collaboration, University of Newcastle upon Tyne},
+NOTE = "Final report for PA5, part of ongoing related work.",
+address={Newcastle, England}, month ={}, Year=2001
+}
+
+@TechReport{Jones02a,
+author={C. Jones},
+Title={Providing a Formal Basis for Dependability Notions},
+institution= {Department of Computing Science, Dependable Interdisciplinary
+ Research Collaboration, University of Newcastle upon Tyne},
+NOTE = "UNU/IIST Anniversary Colloquium.",
+address={Newcastle, England}, month ={}, Year=2002
+}
+
+@InProceedings{Balfanz+00,
+Author={D. Balfanz and D. Dean and M. Spreitzer},
+Title={A Security Infrastructure for Distributed {Java} Applications},
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={15--26}}
+
+@InProceedings{MillenRuess00,
+Author={J. Millen and H. Ruess},
+Title={Protocol-Independent Secrecy},
+BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2000}, Month=may, pages={110--119}}
+
+@InProceedings{DM00,
+ author = {G. Denker and J. Millen},
+ title = {{CAPSL} Integrated Protocol Environment},
+ booktitle = {DARPA Information Survivability Conference (DISCEX 2000)},
+ pages = {207--221},
+ year = 2000,
+ publisher = {IEEE Computer Society}
+}
+
+@Article{MD02,
+ author = {J. Millen and G. Denker},
+ title = {{CAPSL} and {MuCAPSL}},
+ journal = {Journal of Telecommunications and Information Technology},
+ year = 2002,
+ volume = {},
+ number = {4},
+ pages = {16--27}
+}
+
+@Unpublished{CAP02,
+ author = {J. Millen},
+ title = {{CAPSL} {W}eb Site},
+ year = 2002,
+ note = {{\tt http://www.csl.sri.com/\~{}millen/capsl}}
+}
+
+@book{BowenHinchey,
+Author={J.P. Bowen and M.G. 
Hinchey},
+Title={High-Integrity System Specification and Design},
+Publisher={Springer-Verlag, Berlin},
+Year={1999} }
+
+@article{Simons00UCITA,
+author={B. Simons}, title = {Shrink-Wrapping Our Rights},
+journal = {Communications of the ACM}, volume = {43}, number = {8},
+pages = {}, month = aug, year = {2000} }
+
+@PhDThesis{MercuriThesis00,
+Author={R. Mercuri},
+School={Department of Computer Science, University of Pennsylvania},
+Title={Electronic Vote Tabulation Checks and Balances},
+Year={2001}, Month={},
+NOTE =
+"\xlink{http://www.notablesoftware.com/evote.html}{http://www.notablesoftware.com/evote.html}" }
+
+@Article{Mercuri02,
+Author={R. Mercuri},
+Title={A Better Ballot Box: New electronic voting systems
+ pose risks as well as solutions},
+Journal={IEEE Spectrum},
+month=oct, pages ={46--50},
+year="2002"}
+
+@Article{Mercuri02x,
+Author={H. Riebeek},
+Title={Brazil Holds All-Electronic National Election},
+Journal={IEEE Spectrum},
+month=nov, pages ={25--26},
+year="2002"}
+
+@article{Mercuri03,
+author={R. Mercuri}, title = {On Auditing Audit Trails},
+journal = {Communications of the ACM}, volume = {46}, number = {1},
+pages = {17--20}, month = jan, year = {2003} }
+
+@InProceedings{Holt03,
+Author={R. Holt},
+Title={Introduction of the Voter Confidence and Increased
+Accessibility Act of 2003},
+BookTitle={U.S. Congressional Record, Extensions of Remarks},
+Organization={U.S. Congress}, Address={},
+Year={2003}, Month={May 23}, pages={E1081-2}}
+
+@inProceedings{Neumann03Open,
+Author="P.G. Neumann",
+Title="Attaining Robust Open-Source Software",
+Booktitle=
+ "Making Sense of the Bazaar: Perspectives on Open Source and Free Software",
+Note ="Joseph Feller, Brian Fitzgerald, Scott Hissam and Karim Lakhani
+ (editors)",
+Publisher = "O'Reilly and Associates, Sebastopol, California",
+ Year="2003", Pages="123--126"}
+
+@Book{Feller+05,
+Author="J. Feller and B. Fitzgerald and S.A. Hissam and {K.R. 
Lakhani,
+editors}",
+Title="Perspectives on Free and Open Source Software",
+Publisher = "MIT Press, Cambridge, Massachusetts",
+ Year="2005",
+NOTE = "The entire book is now available as a pdf file, courtesy of
+the MIT Press:
+http://mitpress.mit.edu/catalog/item/default.asp?ttype=2\&tid=10477\&mode=toc"
+}
+
+@TechReport{CaltechMIT01,
+author={{Caltech MIT Voting Technology Project}},
+Title={Voting What Is What Could Be},
+institution= {Caltech and MIT},
+address={}, month =jul, Year=2001 }
+
+@TechReport{GWU01,
+author={{Democracy Online Project}},
+Title={A Debate on Computerized Voting: A New Solution for a New
+ Generation of Voters},
+institution= {George Washington University, Washington, D.C.},
+address={}, month =jan, Year=2001}
+
+@TechReport{Chaum02,
+author={D. Chaum},
+Title={Secret-Ballot Receipts and Transparent Integrity:
+ Improving voter confidence \& electronic voting at polling places},
+institution= {},
+address={}, month =mar, Year=2002,
+NOTE = "(\xlink{http://www.chaum.org}{http://www.chaum.org})" }
+
+@article{Rubin02,
+author={A. Rubin}, title = {Security Considerations for Remote
+ Electronic Voting},
+journal = {Communications of the ACM}, volume = {45}, number = {12},
+pages = {39--44}, month = dec, year = {2002} }
+
+@article{SERVE04,
+author={D. Jefferson and A.D. Rubin and B. Simons and D. Wagner},
+title = {Analyzing Internet Voting Security},
+journal = {Communications of the ACM}, volume = {47}, number = {10},
+pages = {}, month = oct, year = {2004} }
+
+@PhDThesis{ChenxiThesis,
+Author={C. Wang},
+School={Department of Computer Science, University of Virginia},
+Title={A Security Architecture for Survivable Systems},
+Year={2001}, Month=jan,
+Note="(\xlink{http://www.cs.virginia.edu}{http://www.cs.virginia.edu})" }
+
+@PhDThesis{WagnerThesis00,
+Author={D. 
Wagner},
+School={Division of Computer Science, University of California, Berkeley},
+Title={Static Analysis and Computer Security: New Techniques for Software
+ Assurance},
+Year={2000}, Month=dec,
+Note="(\xlink{http://www.cs.berkeley.edu/\~{}daw}{http://www.cs.berkeley.edu/\~{}daw})" }
+
+@InProceedings{WagnerDean01,
+Author={D. Dean and D. Wagner},
+Title={Intrusion Detection via Static Analysis},
+BookTitle={Proceedings of the 2001 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2001}, Month=may, pages={}}
+
+@InProceedings{ChenWagnerDean02,
+Author={H. Chen and D. Wagner and D. Dean},
+Title={Setuid Demystified},
+BookTitle={Proceedings of the 11th USENIX Security 2002},
+Organization={USENIX}, Address={San Francisco, California},
+Year={2002}, Month=aug, pages={171--190}}
+
+@InProceedings{ChenDeanWagner03,
+Author={H. Chen and D. Dean and D. Wagner},
+Title={Model Checking One Million Lines of Code},
+BookTitle={Proceedings of the Symposium on Network and Distributed
+ System Security},
+Organization={Internet Society}, Address={San Diego, California},
+Year={2004}, Month=feb, pages={171--185}}
+
+@InProceedings{SastryKohnoWagner06,
+Author={N. Sastry and T. Kohno and D. Wagner},
+Title={Designing voting machines for verification},
+BookTitle={Proceedings of the 11th USENIX Security 2006},
+Organization={USENIX}, Address={San Francisco, California},
+Year={2006}, Month=aug, pages={},
+url ="http://www.cs.berkeley.edu/~{}daw/papers/varch-use06.pdf"}
+
+@InProceedings{ChenWagner02,
+Author={H. Chen and D. Wagner},
+Title={{MOPS:} {An} Infrastructure for Examining Security Properties
+ of Software},
+Organization={ACM}, Address={Washington, D.C.},
+BookTitle={Ninth ACM Conference on Computer and Communications Security},
+Year={2002}, Month=nov, pages={} }
+
+% http://www.cs.berkeley.edu/~daw/papers/varch-use06.pd
+
+@InProceedings{Chen:2004:EROS,
+ author = {H. Chen and J. 
Shapiro},
+ title = {Using Build-Integrated Static Checking to Preserve
+Correctness Invariants},
+ booktitle = {Proceedings of the Eleventh ACM Conference on Computer and
+Communications Security (CCS)},
+ year = {2004},
+ address = {Washington, D.C.},
+ month = nov,
+ pages = {}
+}
+
+@PhdThesis{Chen:2004:dissertation,
+ author = {H. Chen},
+ title = {Lightweight Model Checking for Improving Software Security},
+ school = {University of California, Berkeley},
+ year = {2004},
+NOTE = "\xlink{http://www.cs.ucdavis.edu/\~{}hchen/paper/phddis.ps}{http://www.cs.ucdavis.edu/\~{}hchen/paper/phddis.ps}"
+}
+
+@PhdThesis{Yee07,
+ author = {K.-P. {Yee}},
+ title = {Building Reliable Voting Machine Software},
+ school = {University of California, Berkeley},
+ year = {2007},
+ NOTE = {Technical Report 2007-167; see also Technical Note 2007-136 for
+ the security review; http://pvote.org}
+}
+
+@InProceedings{Backes+03,
+Author={M. Backes and B. Pfitzmann and M. Waidner},
+Title={A Universally Composable Cryptographic Library with Nested Operations},
+Organization={ACM}, Address={Washington, D.C.},
+BookTitle={Tenth ACM Conference on Computer and Communications Security},
+Year={2003}, Month=oct, pages={} }
+
+@InProceedings{BackesPfitzmann03,
+Author={M. Backes and B. Pfitzmann},
+Title={A Cryptographically Sound Security Proof of
+ the {Needham-Schroeder-Lowe} Public-Key Protocol},
+Organization={}, Address={Mumbai, India},
+BookTitle={23rd Conference on Foundations of Software Technology
+ and Theoretical Computer Science (FSTTCS)},
+Year={2003}, Month=dec, pages={} }
+
+@InProceedings{Weeks01,
+Author={S. 
Weeks},
+Title={Understanding Trust Management Systems},
+BookTitle={Proceedings of the 2001 Symposium on Security and Privacy},
+Organization={IEEE Computer Society}, Address={Oakland, California},
+Year={2001}, Month=may, pages={},
+NOTE="(\xlink{http://www.star-lab.com/tr/star-tr-01-02.html}{http://www.star-lab.com/tr/star-tr-01-02.html})"
+}
+
+@InProceedings{Gunter+01,
+Author={C. Gunter and S. Weeks and A. Wright},
+Title={Models and Languages for Digital Rights},
+BookTitle={Proceedings of the 2001 Hawaii Intenational Conference
+ on Systems Science},
+Organization={}, Address={Honolulu, Hawaii},
+Year={2001}, Month=mar, pages={},
+NOTE = "\xlink{http://www.star-lab.com/tr/star-tr-01-04.html}{http://www.star-lab.com/tr/star-tr-01-04.html}"
+}
+
+@InProceedings{Goerigk00,
+Author = "W. Goerigk",
+Title = "Compiler Verification Revisited",
+Booktitle = "{Computer Aided Reasoning: {ACL2} Case Studies}",
+Editor = "M. Kaufmann and P. Maniolis and J S. Moore",
+Organization = "Kluwer Academic Publishers", Address = "", Year = "2000",
+Note ="Chapter 15", Pages="", Month = "" }
+
+@TechReport{Faughn01,
+author={A.W. Faughn},
+Title={Interoperability: Is It Achievable?},
+institution= {Harvard University PIRP report},
+address={}, month ={}, Year=2001 }
+
+@book{Curtin02,
+Author={M. Curtin},
+Title={Developing Trust: Online Security and Privacy},
+Publisher={Apress, Berkeley, California, and Springer-Verlag, Berlin},
+Year={2002} }
+
+@TechReport{Boudra92,
+author={P. {Boudra, Jr.}},
+Title={Minutes of the Meetings of the System Composition Working Group,
+ Volume 1},
+institution= {National Security Agency, Information Systems Security
+ Organization, Office of Infosec Systems Engineering, S9 Technical
+ Report 6-92, Library No. S-239, 646},
+address={}, month =oct, Year=1992, NOTE ="For Official Use Only." }
+
+@TechReport{NSAcompose92xxx,
+author={P. 
{Boudra, Jr.}},
+Title={Minutes of the Meetings of the System Composition Working Group,
+volume 1},
+institution= {Information Systems Security Organization, Office of
+INFOSEC Systems Engineering, NSA},
+Note = {S9 Technical Report 6-92, For Official Use Only},
+address={}, month ={5 October}, Year=1992 }
+
+@TechReport{Boudra93,
+author={P. {Boudra, Jr.}},
+Title={Report on Rules of System Composition: Principles of Secure
+ System Design},
+institution= {National Security Agency, Information Systems Security
+ Organization, Office of Infosec Systems Engineering, I9 Technical
+ Report 1-93, Library No. S-240, 330},
+address={}, month =mar, Year=1993, NOTE ="For Official Use Only." }
+
+@TechReport{Lee92,
+author={E.S. Lee and P.I.P. Boulton and B.W. Thompson and R.E. Soper},
+Title={Composable Trusted Systems},
+institution= {Computer Systems Research Institute, University of
+ Toronto, Technical Report CSRI-272},
+address={}, month =may, Year=1992 }
+
+@TechReport{ICS94,
+author={Unspecified},
+Title={Composability Constraints of Multilevel Systems},
+institution= {Integrated Computer Systems, Inc.},
+address={215 South Rutgers Ave., Oak Ridge, Tennessee},
+month =jun, Year=1994 }
+
+@TechReport{Tinto92,
+author={M. Tinto},
+Title={The Design and Evaluation of {INFOSEC} Systems: The Computer
+ Security Contribution to the Composition Discussion},
+institution= {National Computer Security Center},
+address={}, month =jun, Year=1992, Note="C Technical Report 32-92" }
+
+@TechReport{Abrams92,
+author={M.D. Abrams and M.V. Joyce},
+Title={Composition of Trusted {IT} Systems},
+institution= {MITRE},
+address={}, month =sep, Year=1992, Note ="Draft." }
+
+@InProceedings{Hemenway92,
+author={J. Hemenway and D. Gambel},
+Title={Issues in the Specification of Composite Trustworthy Systems},
+Booktitle = "Fourth Annual Canadian Computer Security Symposium",
+address={}, month =may, Year=1992 }
+
+@TechReport{Ozier,
+author={W. 
Ozier},
+Title={{GASSP: Generally Accepted Systems Security Principles}},
+institution= {International Information Security Foundation},
+address={}, month =jun, Year=1997,
+NOTE ="\xlink{web.mit.edu/security/www/gassp1.html}{http://web.mit.edu/security/www/gassp1.html}"
+ }
+
+@book{Beck99,
+Author={K. Beck},
+Title={Extreme Programming Explained: Embrace Change},
+Publisher={Addison-Wesley, Reading, Massachusetts},
+Year={1999},
+Note="(\xlink{http://www.extremeprogramming.org}{http://www.extremeprogramming.org})"
+}
+
+@InProceedings{Chander+01,
+author={A. Chander and D. Dean and J.C. Mitchell},
+Title={A State-Transition Model of Trust Management},
+BookTitle ={Proceedings of the 14th IEEE Computer Security Foundations Workshop},
+Organization=
+ {IEEE Computer Society Technical Committee on Security and Privacy},
+ Address={Cape Breton, Nova Scotia, Canada},
+ Year={2001}, Month=jun, pages={27--43}
+ }
+
+@InProceedings{Chander+02,
+Author={A. Chander and D. Dean and J.C. Mitchell},
+Title={Deconstructing Trust Management},
+BookTitle=
+ {Proceedings of the 2002 Workshop on Issues in the Theory of Security},
+Organization={IFIP Working Group 1.7}, Address={Portland, Oregon},
+Year={2002}, Month=jan, pages={}}
+
+@InProceedings{Chander+04a,
+Author={A. Chander and D. Dean and J.C. Mitchell},
+Title={A Distributed High Assurance Reference Monitor},
+BookTitle= {Proceedings of the Seventh Information Security Conference
+ Lecture Notes in Computer Science vol. 3225},
+Year={2004}, Month=sep, pages={231--244},
+Organization={Springer-Verlag}, Address={Berlin},
+url = "http://www.csl.sri.com/users/ddean/papers/isc04.pdf"}
+
+@Article{Chander+04,
+Author={A. Chander and D. Dean and J.C. Mitchell},
+Title={Reconstructing Trust Management},
+Journal= {Journal of Computer Security},
+Volume = {12}, Number = {1},
+Year={2004}, Month=jan, pages={131--164},
+url = "http://www.csl.sri.com/users/ddean/papers/jcs04.pdf"}
+
+@book{deRoever01,
+Author={W.-P. 
{de Roever} and F. de Boer and U. Hanneman and J. Hooman and + Y. Lakhnech and M. Poel and J. Zwiers}, +Title={Concurrency Verification: Introduction to Compositional and + Noncompositional Methods}, +Publisher={Cambridge University Press, New York, NY}, +Note = {Cambridge Tracts in Theoretical Computer Science no. 54}, +Year={2001} } + +@InProceedings{McDanielPrakash02, +Author={P. McDaniel and A. Prakash}, +Title={Methods and Limitations of Security Policy Reconciliation}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={73--87}} + +@InProceedings{Mantel01IEEE, +Author={H. Mantel}, +Title={Preserving information flow properties under refinement}, +BookTitle={Proceedings of the 2001 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2001}, Month=may, pages={78--91}} + +@InProceedings{Mantel02IEEE, +Author={H. Mantel}, +Title={On the composition of secure systems}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={88--101}} + +@InProceedings{AshcraftEngler02, +Author={K. Ashcraft and D. Engler}, +Title={Detecting Lots of Security Holes Using System-Specific Static Analysis}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={143--159}} + +@InProceedings{Chess02, +Author={B.V. Chess}, +Title={Improving Computer Security Using Extended Static Checking}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={160--173}} + +@InProceedings{Ko02, +Author={C. 
Ko}, +Title={Noninterference and Intrusion Detection}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={177--187}} + +@InProceedings{Dutertre02, +Author={B. Dutertre and V. Crettaz and V. Stavridou}, +Title={Intrusion-Tolerant Enclaves}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={216--224}} + +@InProceedings{Park+02, +Author={J.M. Park and E.K.P. Chong and H.J. Siegel}, +Title={Efficient Multicast Packet Authentication Using Signature + Amortization}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={227--240}} + +@InProceedings{Staddon+02, +Author={J. Staddon and S. Miner and M. Franklin and D. Balfanz and M. Malkin + and D. Dean }, +Title={Self-Healing Key Distribution with Revocation}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={241--257}} + +@InProceedings{Song+02, +Author={D. Song and D. Zuckerman and J.D. Tygar}, +Title={Expander Graphs for Digital Stream Authentication and Robust + Overlay Networks}, +BookTitle={Proceedings of the 2002 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2002}, Month=may, pages={258--270}} + +@InProceedings{Dean02, +Author={D. 
Dean}, +Title={The Impact of Programming Language Theory on Computer Security}, +BookTitle={Proceedings of the Mathematical Foundations of Programming + Semantics (MFPS)}, +Organization={}, Address={New Orleans, Louisiana}, +Year={2002}, Month=mar, pages={}, +NOTE={Slides at \xlink{http://www.csl.sri.com/neumann/ddean-MFPS02.ppt}{http://www.csl.sri.com/neumann/ddean-MFPS02.ppt}} +} + +@article{Neumann04Opt, +author={P.G. Neumann}, +title = {Optimistic Optimization}, +journal = {Communications of the ACM}, year = {2004}, volume = {47}, +number = {6}, pages = {112}, month = jun, +Note= {{\it Inside Risks} column.} } + +@article{Neumann06comp, +author={P.G. Neumann}, +title = {Risks Relating to System Compositions}, +journal = {Communications of the ACM}, year = {2006}, volume = {49}, +number = {7}, pages = {128}, month = jul, +Note= {{\it Inside Risks} column.} } + +@article{Bellovin06, +author={Steven M. Bellovin}, +title = {Virtual Machines, Virtual Security?}, +journal = {Communications of the ACM}, year = {2006}, volume = {49}, +number = {10}, pages = {104}, month = oct, +Note= {{\it Inside Risks} column.} } + +@InProceedings{Neumann06CCS, + author = {P.G. Neumann}, + title = {System and Network Trustworthiness in Perspective}, + booktitle = {Proceedings of the Thirteenth ACM Conference on Computer and +Communications Security (CCS)}, + year = {2006}, + address = {Alexandria, Virginia}, + month = nov, + pages = {1--5} +} + +@InProceedings{Neumann06ACSAC, +Author="P.G. Neumann", +Title="Risks of Untrustworthiness", +BookTitle="Proceedings of the 22nd Annual Computer Security Applications +Conference (ACSAC 2006), Classic Papers section", +Organization="IEEE Computer Society", +Address="Miami, Florida", Year="2006", Month=dec, pages="", +url={http://www.acsac.org/ and http://www.csl.sri.com/neumann/psos03.pdf} +} + +@ARTICLE{Neumann06holistic, +Author={Peter G. 
Neumann}, +TITLE = {Holistic Systems}, +JOURNAL = {ACM Software Engineering Notes}, YEAR = {2006}, VOLUME = {31}, +NUMBER = {6}, PAGES = {4--5}, MONTH = nov +} + +@InProceedings{Neumann07EEVS, +Author={P.G. Neumann}, +Title={Security and Privacy in the Employment Eligibility + Verification System (EEVS) and Related Systems}, +BookTitle={Congressional Record}, +Organization={U.S. House of Representatives}, Address={Washington, DC}, +Year={2007}, Month={Jun 7}, pages={}, +URL ="http://www.csl.sri.com/neumann/house07.pdf" } + +@InCollection{Neumann07Reflections, +Author = "P.G. Neumann", +Title = "Reflections on System Trustworthiness", +Editor = "Marvin Zelkowitz", +Booktitle = "Advances in Computers, volume 70", +Publisher = "Elsevier Inc.", Year = "2007 ", +Pages="269--310" } + +@book{NRC07cyber, +author = {S.E. Goodman and H.S. {Lin, editors}}, +title = {Toward a Safer and More Secure Cyberspace}, +publisher = {National Research Council, National Academies Press, +2101 Constitution Ave., Washington, D.C.}, +year = {2007}, note={Final report of the National Research +Council Committee on Improving Cybersecurity Research in the United States.} } + +@InProceedings{Neumann09CSH, +Author={P.G. Neumann}, +Title={The Future of Information Assurance}, +BookTitle={Computer Security Handbook}, +Organization={John Wiley \& Sons}, Address={New York}, +Year={2009}, Month={}, pages={}, NOTE={Volume 2, invited final chapter.}} + +@InProceedings{Neumann09LAW, +Author={P.G. Neumann}, +Title={Hierarchies, Lowerarchies, Anarchies, and Plutarchies: + Historical Perspectives of Composable High-Assurance Architectures}, +BookTitle={Third Layered Assurance Workshop}, +Organization={AFRL}, Address={San Antonio CA}, +Year={2009}, Month=aug, pages={}, Note ={Slides at + http://www.csl.sri.com/neumann/law09+x4.pdf}} + +@InProceedings{Neumann09idtrust, +Author={P.G. 
Neumann}, +Title={IDentity and Trust in Context}, +BookTitle={IDtrust Workshop}, +Organization={NIST}, Address={Gaithersburg, Maryland}, +Year={2009}, Month=apr, pages={}, Note ={Slides at + http://www.csl.sri.com/neumann/itrust09+x4.pdf}} + +@InProceedings{NeumannDag08, +Author={P.G. Neumann}, +Title={Combatting Insider Misuse, with Relevance to Integrity and + Accountability in Elections and Other Applications}, +BookTitle={Dagstuhl Workshop on Insider Threats}, +Organization={}, Address={Schloss Dagstuhl, Germany}, +Year={2008}, Month=jul, pages={}} + +@Inbook{Neumann09insiders, +Author={P.G. Neumann}, +Title={Combatting Insider Threats}, +BookTitle = {Insider Threats in Cybersecurity -- and Beyond}, +Editors= {M. Bishop and C.W. Probst}, +Publisher={Springer Verlag}, +Year={2010} } + +@Inbook{Neumann10Dagbook, +Author={P.G. Neumann}, +Title={Combatting Insider Threats}, +Chapter = {2}, +Note = {In {\it Insider Threats in Cybersecurity -- and Beyond,} + C.W. Probst and J. Hunker and D. Gollman and M. Bishop + (editors), Springer Verlag}, +Publisher={Springer Verlag}, +Year = {2010}, +} + +@InProceedings{Ox, +Author={P.G. Neumann and M. Bishop and S. Peisert and M. Schaefer}, +Title={Reflections on the 30th Anniversary of the IEEE Symposium on + Security and Privacy}, +BookTitle={Proceedings of the 2010 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2010}, Month=may, pages={}} + +@TechReport{HPL05, +author={IRC}, +Title={Hard Problem List}, +institution= {INFOSEC Research Council}, +address={}, month =nov, Year=2005, +url ="http://www.cyber.st.dhs.gov" +} + +@TechReport{Roadmap09, +author={D. 
{Maughan et al.}}, +Title={A Roadmap for Cybersecurity Research}, +institution= {Department of Homeland Security}, +address={}, month =nov, Year=2009, +url ="http://www.cyber.st.dhs.gov" +} + +@Article{Bellovin+07, +Author={}, +Title={}, +Journal={IEEE Security and Privacy}, VOLUME = {6}, NUMBER = {1}, +Year={2008}, Month={January-February}, pages={}} + +@book{HennessyPatterson95, +Author={J.L. Hennessy and D.A. Patterson}, +Title={Computer Architecture: A Quantitative Approach, Second Edition}, +Publisher={Morgan Kaufmann}, +Year={1996} } + +@book{PattersonHennessy97, +Author={D.A. Patterson and J.L. Hennessy}, +Title={Computer Organization and Design: The Hardware/Software + Interface, Second Edition}, +Publisher={Morgan Kaufmann}, +Year={1997} } + +@InProceedings{Zuck+02, +Author={L. Zuck and A. Pnueli and Y. Fang and B. Goldberg}, +Title={{VOC:} {A} Translation Validator for Optimizing Compilers}, +BookTitle={Electronic Notes in Theoretical Computer Science}, +Organization={}, Address={}, +Year={2002}, Month={}, pages={}, +URL = "http://www.cs.nyu.edu/\~{}zuck/pubs/" +} + +@book{Bishop02, +Author={M. Bishop}, +Title={Computer Security: Art and Science}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2002} } + +@book{Bishop04, +Author={M. Bishop}, +Title={Introduction to Computer Security}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2004} } + +@book{Bish2003, + Address = {Boston, MA}, + Author = {M. Bishop}, + Date-Modified = {2007-04-18 11:50:16 -0700}, + Publisher = {Addison-Wesley Professional}, + Title = {Computer Security: Art and Science}, + Year = {2003}} + +@InProceedings{Bishop05, +Author={M. Bishop}, +Title={Position: {`Insider'} is relative}, +BookTitle={Proceedings of the 2005 New Security Paradigms Workshop}, +Organization={}, Address={Lake Arrowhead, California}, +Year={2005}, Month=oct, pages={77-78}} + +@InProceedings{Bishop08+, +Author={M. Bishop and S. Engle and C. Gates and S. Peisert and S. 
Whalen}, +Title={We Have Met the Enemy and He Is Us}, +BookTitle={Proceedings of the 2008 New Security Paradigms Workshop}, +Organization={}, Address={Olympic Valley, California}, +Year={2008}, Month={}, pages={}} + +@book{Stolfo+08, +Author={S. Stolfo and S. Bellovin and S. Hershkop and S. Sinclair and + S. Smith}, +Title={Insider Attack and Cyber Security: Beyond the Hacker}, +Publisher={Springer}, +Year={2008} } + +@book{Anderson01, +Author={R.J. Anderson}, +Title={Security Engineering: {A} guide to + Building Dependable Distributed Systems}, +Publisher={John Wiley and Sons, New York}, +Year={2001} } + +@book{Sommerville01, +Author={I. Sommerville}, +Title={Software Engineering}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Note = {Sixth Edition.}, +Year={2001} } + +@book{Reppy99, +Author={J.H. Reppy}, +Title={Concurrent Programming in ML}, +Publisher={Cambridge University Press, Cambridge, U.K.}, +Year={1999} } + +@InProceedings{Giffin+02, +Author={J.T. Giffin and S. Jha and B.P. Miller}, +Title={Detecting Manipulated Remote Call Streams}, +BookTitle={Proceedings of the 11th USENIX Security 2002}, +Organization={USENIX}, Address={San Francisco, California}, +Year={2002}, Month=aug, pages={61--79}} + +@InProceedings{AppelMacQueen91, +Author={A.W. Appel and D.B. MacQueen}, +Title={Standard {ML} of {New Jersey}}, +BookTitle={Programming Language Implementation and Logic Programming, + Lecture Notes in Computer Science vol. 528}, +Organization={Springer-Verlag}, Address={Berlin}, +Year={1991}, Month={}, pages={1--26}} + +@book{Milner+97, +Author={R. Milner and M. Tofte and R. Harper and D. MacQueen}, +Title={The Definition of Standard ML}, +Publisher={MIT Press, Cambridge, Massachusetts}, +Year={1997} } + +@book{WrightStevens95, +Author={G.R. Wright and W.R. Stevens}, +Title={TCP/IP Illustrated, Volume 2}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={1995} } + +@book{HuntTCP/IP02, +Author={C. 
Hunt}, +Title={TCP/IP Network Administration, 3rd Edition}, +Publisher={O'Reilly \& Associates, Sebastopol, California}, +Year={2002} } + +@InProceedings{Sheyner+02, +author={O. Sheyner and J. Haines and S. Jha and R. Lippmann and J.M. Wing}, +Title={Automated Generation and Analysis of Attack Graphs}, +BookTitle={Proceedings of the 2003 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2003}, Month=may, pages={273--284}} + +@InProceedings{JhaSheynerWing02, +author={S. Jha and O. Sheyner and J. Wing}, +Title={Two Formal Analyses of Attack Graphs}, +BookTitle ={Proceedings of the 15th IEEE Computer Security Foundations Workshop}, +Organization= + {IEEE Computer Society Technical Committee on Security and Privacy}, + Address={Cape Breton, Nova Scotia, Canada}, + Year={2002}, Month=jun, pages={49--64} + } + +@InProceedings{Govinda+03, +Author={S. Govindavajhala and A.W. Appel}, +Title={Using Memory Errors to Attack a Virtual Machine}, +BookTitle={Proceedings of the 2003 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2003}, Month=may, pages={154--165}} + +@book{Barnes03, +Author={J. Barnes}, +Title={High Integrity Software: The SPARK Approach to Safety and Security}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +NOTE = {Reviewed in The ACM Risks Forum, 23, 01.}, +Year={2003} } + +@article{Weinstein03-12, +author={L. Weinstein}, +title = {The Devil You Know}, +journal = {Communications of the ACM}, year = {2003}, volume = {46}, +number = {12}, pages = {144}, month = dec } + +@TechReport{Weinstein:tripoli, +author = {L. Weinstein}, +title = {{TRIPOLI: An Empowered E-Mail Environment}}, +institution ={People for Internet Responsibility}, +url = "http://www.pfir.org/tripoli-overview", +year ={2004}, month = jan +} + +@TechReport{Cusumano03, +author={M. Cusumano and A. MacCormack and C.F. Kemerer and W. 
Crandall}, +Title={A Global Survey of Software Development Practices}, +institution= {MIT Sloan School of Management}, +address={Cambridge, Massachusetts}, month =jun, Year=2003, +url = "http://ebusiness.mit.edu/research/papers/178_Cusumano_Intl_Comp.pdf" } + +@Article{McGraw04, +Author={G. McGraw}, +Title={Software Security}, +Journal={IEEE Security and Privacy}, +Organization={IEEE Computer Society}, +Year={2004}, Month={March-April}, volume ={2}, number = {2}, pages={80--83}} + +@article{Chaum04, +author={D. Chaum}, +Title={Secret-Ballot Receipts: True Voter-Verifiable Elections}, +Journal={IEEE Security and Privacy}, +Organization={IEEE Computer Society}, +Year={2004}, Month={January-February}, volume ={2}, number = {1}, +pages={38--47}} + +@TechReport{Rivest06, +author={R.L. Rivest}, +Title={The {ThreeBallot Voting System}}, +institution= {MIT}, +address={Cambridge, Massachusetts}, month =oct, Year=2006, +URL= +"http://theory.csail.mit.edu/~{}rivest/Rivest-TheThreeBallotVotingSystem.pdf" +} + +@InProceedings{Ratan+96, +Author={V. Ratan and K. Partridge and J. Reese and N. Leveson}, +Title={Safety Analysis Tools for Requirements Specification}, +BookTitle={Proceedings of the Eleventh Annual Conference on Computer + Assurance, COMPASS '96}, +Organization={IEEE Computer Society}, Address={}, +Year={1996}, Month={}, pages={149--160}, + url ="http://www.safeware-eng.com/index.php/publications/SafAnTooReq"} + +@TechReport{DSB01a, +author={Defense Science Board}, +Title={Protecting the Homeland, Volume I}, +institution= {Defense Science Board Task Force on Defensive Information + Operations 2000 Summer Study}, +address={}, month =feb, Year="2001" } + +@TechReport{DSB01b, +author={Defense Science Board}, +Title={Protecting the Homeland, Volume II}, +institution= {Defense Science Board Task Force on Defensive Information + Operations 2000 Summer Study}, +address={}, month =mar, Year="2001" } + +@InProceedings{Kohno+04, +Author={T. Kohno and A. Stubblefield and A.D. 
Rubin and D.S. Wallach}, +Title={Analysis of an Electronic Voting System}, +BookTitle={Proceedings of the 2004 Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2004}, Month=may, pages={27--40}} + +@InProceedings{Datta+04, +Author={A. Datta and R. K\"{u}sters and J.C. Mitchell and A. Ramanathan and + V. Shmatikov}, +Title={Unifying Equivalence-Based Definitions of Protocol Security}, +BookTitle={Proceedings of the ACM SIGPLAN and IFIP WG 1.7 Fourth Workshop + on Issues in the Theory of Security}, +Organization={IEEE Computer Society}, Address={Oakland, California}, +Year={2004}, Month=apr, pages={}} + +@TechReport{GAO04Acq, +author={USGAO}, +Title={Defense Acquisitions: Knowledge of Software Suppliers Needed + to Manage Risks}, +institution= {U.S. General Accounting Office, GAO-04-078}, +address={Washington, D.C.}, month =may, Year=2004 } + +@Article{Clarke04IEEE, +Author={G. Goth}, +Title={Richard {Clarke} Talks Cybersecurity and {JELL-O}}, +Journal={IEEE Security and Privacy}, VOLUME = {2}, NUMBER = {3}, +Year={2004}, Month={May-June}, pages={11--15}} + +@Article{Tsik06, +Author={K. Tsikpenyuk and B. Chess and G. McGraw}, +Title={Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors}, +Journal={IEEE Security and Privacy}, VOLUME = {3}, NUMBER = {6}, +Year={2005}, Month={November-December}, pages={}, +doi="10.1109/MSP.2005.159"} + +@ARTICLE{Jackson02, +Author={D. Jackson}, TITLE = {Alloy: + {A} lightweight object modelling notation}, +JOURNAL = {ACM Transactions on Software Engineering Methodology}, +YEAR = {20}, VOLUME = {11}, +NUMBER = {2}, PAGES = {256--290}, MONTH = {}, +url ="http://sdg.lcs.mit.edu/~{}dnj/", +url ="http://alloy.mit.edu/" } + +@TechReport{Shands04+, +author={D. Shands and E. Wu and J. Horning and S. 
Weeks}, +Title={SPiCE: Configurationa Synthesis for Policies Enforcement}, +institution= {MacAfee Research Technical Report 04-018}, +address={}, month =jun, Year=2004 } + +@ARTICLE{Wheeler04, +Author={D.A. Wheeler}, TITLE = {Secure programmer: Minimizing Privileges; +Taking the fangs out of bugs}, +JOURNAL = {}, YEAR = {2004}, VOLUME = {}, +NUMBER = {}, PAGES = {}, MONTH = may, +URL= "http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges" } + +@book{WheelerBook, +Author={D.A. Wheeler}, +Title={Secure Programming for Linux and Unix {HOWTO}}, +Publisher={}, +Year={2003}, +URL = "http://www.dwheeler.com/secure-programs" } + +@book{USDP99, +Author={I. Jacobson and G. Booch and J. Rumbaugh}, +Title={The Unified Software Development Process}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={1999} } + +@book{Bejtlich04, +Author={R. Bejtlich}, +Title={The Tao of Network Security Monitoring}, +Publisher={Addison-Wesley, Reading, Massachusetts}, +Year={2004} } + +@Article{Smith04, + Author = {M.A. Smith}, +Title = {Portals: Toward an Application Framework for Interoperability}, + Journal = {Communications of the ACM}, + Year = {2004}, + Volume = {47}, + Number = {10}, + Pages = {93--97}, + Month = oct } + +@book{KrafzigSOA, +Author={D. Krafzig and K. Banke and D. Slama}, +Title={Enterprise SOA Service-Oriented Architecture Best Practices}, +Publisher={Prentice-Hall, Upper Saddle River, New Jersey}, +Year={2004} } + +@ARTICLE{ERCIM04, +Author={Numerous authors}, +TITLE = {Automated Software Engineering (special section)}, +JOURNAL = {ERCIM News}, YEAR = {2004}, VOLUME = {}, +NUMBER = {58}, PAGES = {12--51}, MONTH = jul } + +@ARTICLE{Blanc04, +Author={B. Blanc}, +TITLE = {{GATeL:} {A}utomatic Test Generation from {Lustre} Descriptions}, +JOURNAL = {ERCIM News}, YEAR = {2004}, VOLUME = {}, +NUMBER = {58}, PAGES = {29--30}, MONTH = jul } + +@inCollection{PetersonClark04, +author = {L. Peterson and D. 
Clark}, +title = {The {Internet:} {An} Experiment that Escaped from the Lab}, +booktitle = {Computer Science: Reflections on the Field, Reflections + from the Field}, +publisher = {National Research Council, + National Academies Press, 500 Fifth Ave., Washington, D.C. 20001}, +pages = {129--133}, +year = {2004} } + +@InProceedings{Crnkovic04, +Author = "I. Crnkovic and M. Larsson", +Title = "Classification of Quality Attributes for Predictability in + Component-based Systems", +Booktitle = "Workshop on Architecting Dependable Systems (DSN WADS 2004)", +Organization = "", Address = "Florence, Italy", Year = "2004", +Pages="", Month = jun, +NOTE = "\xlink{http://www.cs.kent.ac.uk/events/conf/2004/wads/DSN-WADS2004/indexProgDSN2004.html}{http://www.cs.kent.ac.uk/events/conf/2004/wads/DSN-WADS2004/indexProgDSN2004.html}" + } + +@INCOLLECTION{Smith2004, + AUTHOR = {Jonathan M. Smith and Michael B. Greenwald and Sotiris + Ioannidis and Angelos D. Keromytis and Ben Laurie and Douglas Maughan + and Dale Rahn and Jason Wright}, + TITLE = {Experiences Enhancing Open Source Security in the POSSE Project}, + BOOKTITLE = {Free/Open Source Software Development}, + EDITOR = {Stefan Koch}, + PUBLISHER = {Idea Group Publishing}, + ADDRESS = {Hershey, PA}, + YEAR = {2004}, + PAGES = {242-257} +} + +@book{Celeste+06, +author = {R. Celeste and R. Thornburg and {H. Lin (editors)}}, +title = {Asking the Right Questions about Electronic Voting}, +publisher = {National Research Council, National Academies Press, + 500 Fifth Ave., Washington, D.C. 20001}, +month = {}, year = {2006} } + +@book{Rubin06, +Author={A. Rubin}, +Title={Brave New Ballot}, +Publisher={Random House}, +Year={2006} } + +@InProceedings{Adida+06, +Author = "B. Adida and C.A. 
Neff", +Title = "Ballot Casting Assurance", +Booktitle = "Workshop on Electronic Voting Technology Workshop", +Organization = "USENIX", Address = "Vancouver, BC, Canada", Year = "2006 ", +Pages="", Month = aug } + +@InProceedings{Benaloh06, +Author = "J. Benaloh", +Title = "Simple Verifiable Elections", +Booktitle = "Workshop on Electronic Voting Technology Workshop", +Organization = "USENIX", Address = "Vancouver, BC, Canada", Year = "2006 ", +Pages="", Month = aug } + +@InProceedings{Neff01, +Author = "C.A. Neff", +Title = "A Verifiable Secret Shuffle and Its Application to E-Voting", +Booktitle = "Proceedings of the ACM Conference on Computer and + Communications Security", +Organization = "", Address = "Philadelphia, Pennsylvania", Year = "2001 ", +Pages="116--125", Month = nov } + +@ARTICLE{Borg06, +Author={K. Borg}, TITLE = {Re: {LA} power outages}, +JOURNAL = {ACM Risks Forum}, YEAR = {2006}, VOLUME = {24}, NUMBER = {39}, +PAGES = {}, MONTH = {August}, day=22, +NOTE="http://catless.ncl.ac.uk/Risks/24.39.html\#subj8" } + +@Book{Springer-3938, +Editor={R.H. {Reussner et al.}}, +Title={Architecting Systems with Trustworthy Components, + International Seminar, Dagstuhl, Germany, + Lecture Notes in Computer Science vol. 3938}, +Publisher={Springer-Verlag}, Address={Berlin}, +Year={2004}, Month=dec, pages={}} + +@Book{Springer-4063, +Editor={I. {Gorton et al.}}, +Title={Component-Based Software Engineering, + 9th International Symposium, + Lecture Notes in Computer Science vol. 4063}, +Publisher={Springer-Verlag}, Address={Berlin}, +Year={2006}, Month={June/July}, pages={}} + +@Book{Springer-4089, +Editor={W. {L\"{o}we et al.}}, +Title={Software Composition, +5th International Workshop, +Lecture Notes in Computer Science vol. 4089}, +Publisher={Springer-Verlag}, Address={Berlin}, +Year={2006}, Month=mar, pages={}} + +@Book{Springer-4111, +Editor={F.S. 
{de Boer et al.}}, +Title={Formal Methods for Components and Objects, + 4th International Symposium, + Lecture Notes in Computer Science vol. 4111}, +Publisher={Springer-Verlag}, Address={Berlin}, +Year={2005}, Month=nov, pages={}} + +@TechReport{RushbyDeLong06, +Author="J.M. Rushby and R. DeLong", +Title="Toward an Integration Framework for High-Assurance Secure Components", +Institution="Computer Science Laboratory, SRI International, Menlo Park, +California", Year="2006", Month=dec} + +@string{dasc = { AIAA/IEEE Digital Avionics Systems Conference}} +@INPROCEEDINGS{Rushby-etal:DASC08, + AUTHOR = {Carolyn Boettcher and Rance DeLong + and John Rushby and Wilmar Sifre}, + TITLE = {The {MILS} Component Integration Approach + To Secure Information Sharing}, + BOOKTITLE = {27th} # dasc, + YEAR = 2008, + ORGANIZATION = {IEEE}, + ADDRESS = {St.\ Paul MN}, + MONTH = oct +} + + +@article{Zegans08, +author={L.S. Zegans}, +title = {The Psychology of Risks}, +journal = {Communications of the ACM}, year = {2008}, volume = {51}, +number = {1}, pages = {152}, month = jan, +Note= {{\it Inside Risks} column.} } + +@InProceedings{GPYF07, +Author={G. Gu and P. Porras and V. Yegneswaran and M. Fong and W. Lee}, +Title={BotHunter: Detecting Malware Infection through IDS-driven + Dialog Correlation}, +BookTitle={Proceedings of the 16th USENIX Security 2007}, +Organization={USENIX}, Address={Boston, Massachusetts}, +Year={2007}, Month=aug, pages={}} + +@InProceedings{CLF03, +Author={S. Cheung and U. Lindqvist and M.W. Fong}, +Title={Modeling Multistep Cyber Attacks for Scenario Recognition}, +BookTitle={Proceedings of the DARPA Information Survivability Conference + and Exposition}, +Organization={DARPA}, Address={Washington, DC}, +Year={2003}, Month={}, pages={}} + +@article{Porras09, +author={P. 
Porras}, +title = {Reflections on Conficker}, +journal = {Communications of the ACM}, year = {2009}, volume = {52}, +number = {10}, pages = {}, month = oct, +Note= {Inside Risks column, http://www.csl.sri.com/neumann/insiderisks.html\#219} } + +@conference{blaze1996decentralized, + title={{Decentralized trust management}}, + author={M. Blaze and J. Feigenbaum and J. Lacy}, + booktitle={IEEE Symposium on Security and Privacy}, + pages={164--173}, + year={1996}, + organization={IEEE Computer Society} +} + +@conference{chan2003random, + title={{Random key predistribution schemes for sensor networks}}, + author={H. Chan and A. Perrig and D. Song}, + booktitle={IEEE Symposium on Security and Privacy}, + pages={197--215}, + year={2003}, + organization={IEEE Computer Society} +} + +@conference{forrest1996sense, + title={{A sense of self for {Unix} processes}}, + author={S. Forrest and S.A. Hofmeyr and A. Somayaji and T.A. Longstaff + {et al.}}, + booktitle={IEEE Symposium on Security and Privacy}, + pages={120--128}, + year={1996}, + organization={IEEE Computer Society} +} + +@Proceedings{Schaefer1999, +Author = "Marv Schaefer and W.C. Barker and Chuck Pfleeger", +Title = "The Tea and I: An Allergy", +Booktitle={IEEE Symposium on Security and Privacy}, +Organization={IEEE Computer Society}, +Address = "", Year = "1999", +Pages="", Month = "" } + +@ARTICLE{ABM10, +Author={R. Bobba and O. Fatemieh and F. Khan and A. Khan and C.A. Gunter and +H. Khurana and M. Prabhakaran}, +TITLE = {Attribute-Based Messaging: Access Control and Confidentiality}, +JOURNAL = {ACM Transactions on Information and Systems Security (TISSEC)}, +YEAR = {2010}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {} } + +@TechReport{Kroll09, +Author={J. Kroll and D. 
Dean}, +TITLE = {BakerSFIeld: Bringing Software Fault Isolation to x64}, +Institution = {Princeton and SRI}, +YEAR = {2010}, MONTH = feb, +Note = {\url{http://www.cs.princeton.edu/~kroll/papers/bakersfield-sfi.pdf +}} + } + +@article{morris:protectionprogramming, + author = {Morris,Jr., James H.}, + title = {Protection in programming languages}, + journal = {Communications of the ACM}, + volume = {16}, + number = {1}, + year = {1973}, + issn = {0001-0782}, + pages = {15--21}, + doi = {10.1145/361932.361937}, + publisher = {ACM}, + address = {New York, NY, USA}, + } + +@misc{apple:macosx, + author = {{Apple Inc.}}, + title = {{Mac OS X Snow Leopard}}, + howpublished={\url{http://www.apple.com/macosx/}}, + year = 2010, +} + +@inproceedings{fabry:caseforcapabilities, + author = {Fabry, R. S.}, + title = {The case for capability based computers (Extended Abstract)}, + booktitle = {SOSP '73: Proceedings of the Fourth ACM Symposium on Operating System Principles}, + year = {1973}, + pages = {120}, + doi = {10.1145/800009.808060}, + publisher = {ACM}, + address = {New York, NY, USA}, + } + +@article{lampson:protection, + author = {Lampson, Butler W.}, + title = {Protection}, + journal = {SIGOPS Operating Systems Review}, + volume = {8}, + number = {1}, + year = {1974}, + issn = {0163-5980}, + pages = {18--24}, + doi = {10.1145/775265.775268}, + publisher = {ACM}, + address = {New York, NY, USA}, + } + + @inproceedings{lampson:dynamicprotection, + author = {Lampson, B. 
W.}, + title = {Dynamic protection structures}, + booktitle = {{AFIPS '69 (Fall): Proceedings of the November 18-20, 1969, Fall Joint + Computer Conference}}, + year = {1969}, + pages = {27--38}, + location = {Las Vegas, Nevada}, + doi = {10.1145/1478559.1478563}, + publisher = {ACM}, + address = {New York, NY, USA}, + } + + +@article{klein:sel4, + author = {Klein, Gerwin and Andronick, June and Elphinstone, Kevin and Heiser, Gernot and Cock, David and Derrin, Philip and Elkaduwe, Dhammika and Engelhardt, Kai and Kolanski, Rafal and Norrish, Michael and Sewell, Thomas and Tuch, Harvey and Winwood, Simon}, + title = {seL4: formal verification of an operating-system kernel}, + journal = {Communications of the ACM}, + volume = {53}, + issue = {6}, + month = jun, + year = {2009}, + issn = {0001-0782}, + pages = {107--115}, + numpages = {9}, + doi = {10.1145/1743546.1743574}, + acmid = {1743574}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@article{Madhavapeddy:2007:MCF:1272998.1273009, + author = {Madhavapeddy, Anil and Ho, Alex and Deegan, Tim and Scott, David and Sohan, Ripduman}, + title = {Melange: creating a "functional" internet}, + journal = {SIGOPS Oper. Syst. 
Rev.}, + volume = {41}, + issue = {3}, + month = mar, + year = {2007}, + issn = {0163-5980}, + pages = {101--114}, + numpages = {14}, + doi = {10.1145/1272998.1273009}, + acmid = {1273009}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@inproceedings{madhavapeddy:mirageos, + author = {Madhavapeddy, Anil and Mortier, Richard and Sohan, Ripduman and Gazagnaire, Thomas and Hand, Steven and Deegan, Tim and McAuley, Derek and Crowcroft, Jon}, + title = {Turning down the LAMP: software specialisation for the cloud}, + booktitle = {Proceedings of the 2nd USENIX conference on Hot topics in cloud computing}, + series = {HotCloud'10}, + year = {2010}, + location = {Boston, MA}, + pages = {11--11}, + numpages = {1}, + url = {http://portal.acm.org/citation.cfm?id=1863103.1863114}, + acmid = {1863114}, + publisher = {USENIX Association}, + address = {Berkeley, CA, USA}, +} + +@inproceedings{pnueli:ltl, + author = {Pnueli, Amir}, + title = {The temporal logic of programs}, + booktitle = {Proceedings of the 18th Annual Symposium on Foundations of Computer Science}, + year = {1977}, + pages = {46--57}, + numpages = {12}, + url = {http://portal.acm.org/citation.cfm?id=1398506.1382534}, + doi = {10.1109/SFCS.1977.32}, + acmid = {1382534}, + publisher = {IEEE Computer Society}, + address = {Washington, DC, USA}, +} + +@INPROCEEDINGS{watson:discexmac, + author = "Robert N.~M. 
Watson and Brian Feldman and Adam Migus and Christopher Vance", + title = "{Design and Implementation of the {TrustedBSD MAC Framework}}", + booktitle = {{Proceedings of the Third DARPA Information Survivability Conference and + Exhibition (DISCEX), IEEE}}, + month = apr, + year = "2003" +} + +@inproceedings{lamport:sometimes, + author = {Lamport, Leslie}, + title = {``Sometime'' is sometimes ``not never'': on the temporal logic of programs}, + booktitle = {Proceedings of the 7th ACM SIGPLAN-SIGACT symposium on Principles of programming languages}, + series = {POPL '80}, + year = {1980}, + isbn = {0-89791-011-7}, + location = {Las Vegas, Nevada}, + pages = {174--185}, + numpages = {12}, + doi = {10.1145/567446.567463}, + acmid = {567463}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@article{clark:modelchecking, + author = {Clarke, Edmund M. and Emerson, E. Allen and Sifakis, Joseph}, + title = {Model checking: algorithmic verification and debugging}, + journal = {Communications of the ACM}, + issue_date = {November 2009}, + volume = {52}, + issue = {11}, + month = nov, + year = {2009}, + issn = {0001-0782}, + pages = {74--84}, + numpages = {11}, + doi = {10.1145/1592761.1592781}, + acmid = {1592781}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@article{holzmann:spin, + author = {Holzmann, Gerard J.}, + title = {The Model Checker {SPIN}}, + journal = {IEEE Transactions on Software Engineering}, + volume = {23}, + issue = {5}, + month = may, + year = {1997}, + issn = {0098-5589}, + pages = {279--295}, + numpages = {17}, + url = {http://portal.acm.org/citation.cfm?id=260897.260902}, + doi = {10.1109/32.588521}, + acmid = {260902}, + publisher = {IEEE Press}, + address = {Piscataway, NJ, USA}, + keywords = {Formal methods, program verification, design verification, model checking, distributed systems, concurrency.}, +} + +@MISC{eisner:truncatedpaths, + author = {Cindy Eisner and Dana Fisman and John Havlicek and Yoad Lustig and Anthony 
Mcisaac and David Van Campenhout}, + title = {Reasoning with Temporal Logic on Truncated Paths }, + year = {2003} +} + +@inproceedings{kwon:lowfat, + title = {Low-Fat Pointers: Compact Encoding and Efficient Gate-Level Implementation of Fat Pointers for Spatial Safety and Capability-based Security}, + author = {Albert Kwon and Udit Dhawan and Jonathan M. Smith and Thomas F. {Knight, Jr.} and André DeHon}, + year = 2013, + month = nov, + booktitle = {20th ACM Conference on Computer and Communications Security} +} + +@inproceedings{woodruff:cheriisca2014, + title = {The {{CHERI Capability Model}}: {{Revisiting RISC}} in an {{Age}} of {{Risk}}}, + shorttitle = {The {{CHERI Capability Model}}}, + booktitle = {Proceeding of the 41st {{Annual International Symposium}} on {{Computer Architecuture}}}, + author = {Woodruff, Jonathan and Watson, Robert N. M. and Chisnall, David and Moore, Simon W. and Anderson, Jonathan and Davis, Brooks and Laurie, Ben and Neumann, Peter G. and Norton, Robert and Roe, Michael}, + date = {2014-06}, + pages = {457--468}, + publisher = {{IEEE Press}}, + location = {{Piscataway, NJ, USA}}, + doi = {10.1109/ISCA.2014.6853201}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf}, + series = {{{ISCA}} '14}, + venue = {Minneapolis, Minnesota, USA} +} + +@inproceedings{watson:cheriresolve2012, + title = {{CHERI: a research platform deconflating hardware virtualization and protection}}, + author = {Robert N. M. Watson and Peter G. Neumann Jonathan Woodruff and Jonathan Anderson and Ross Anderson and Nirav Dave and Ben Laurie and Simon W. Moore and Steven J. Murdoch and Philip Paeps and Michael Roe and Hassen Saidi}, + year = 2012, + month = mar, + booktitle = {{Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012)}} +} + +@TechReport{UCAM-CL-TR-850, + author = {Watson, Robert N. M. and Neumann, Peter G. 
and Woodruff, + Jonathan and Anderson, Jonathan and Chisnall, David and + Davis, Brooks and Laurie, Ben and Moore, Simon W. and + Murdoch, Steven J. and Roe, Michael}, + title = {{Capability Hardware Enhanced RISC Instructions (CHERI): + Instruction-Set Architecture}}, + year = 2014, + month = jun, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-850.pdf}, + number = {UCAM-CL-TR-850} +} + +@TechReport{UCAM-CL-TR-851, + author = {Watson, Robert N. M. and Chisnall, David and Davis, Brooks + and Koszek, Wojciech and Moore, Simon W. and Murdoch, + Steven J. and Neumann, Peter G. and Woodruff, Jonathan}, + title = {{Capability Hardware Enhanced RISC Instructions (CHERI): + User's guide}}, + year = 2014, + month = jun, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-851.pdf}, + number = {UCAM-CL-TR-851} +} + +@TechReport{UCAM-CL-TR-852, + author = {Watson, Robert N. M. and Woodruff, Jonathan and Chisnall, + David and Davis, Brooks and Koszek, Wojciech and Markettos, A. Theodore and Moore, + Simon W. and Murdoch, Steven J. and Neumann, Peter G. and + Norton, Robert and Roe, Michael}, + title = {{Bluespec Extensible RISC Implementation (BERI): Hardware + Reference}}, + year = 2014, + month = jun, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-852.pdf}, + number = {UCAM-CL-TR-852} +} + +@TechReport{UCAM-CL-TR-853, + author = {Watson, Robert N. M. and Chisnall, David and Davis, Brooks + and Koszek, Wojciech and Moore, Simon W. and Murdoch, + Steven J. and Neumann, Peter G. 
and Woodruff, Jonathan}, + title = {{Bluespec Extensible RISC Implementation (BERI): Software + Reference}}, + year = 2014, + month = jun, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-853.pdf}, + number = {UCAM-CL-TR-853} +} + +@TechReport{UCAM-CL-TR-858, + author = {Woodruff, Jonathan D.}, + title = {{CHERI: A RISC capability machine for practical memory + safety}}, + year = 2014, + month = jul, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-858.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-858} +} + +@TechReport{UCAM-CL-TR-864, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Anderson, Jonathan and Chisnall, David and + Davis, Brooks and Laurie, Ben and Moore, Simon W. and + Murdoch, Steven J. and Roe, Michael}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture}}, + year = 2014, + month = dec, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-864.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-864} +} + +@TechReport{UCAM-CL-TR-868, + author = {Watson, Robert N. M. and Woodruff, Jonathan and Chisnall, + David and Davis, Brooks and Koszek, Wojciech and Markettos, + A. Theodore and Moore, Simon W. and Murdoch, Steven J. and + Neumann, Peter G. and Norton, Robert and Roe, Michael}, + title = {{Bluespec Extensible RISC Implementation: BERI Hardware + reference}}, + year = 2015, + month = apr, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-868.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-868} +} + +@TechReport{UCAM-CL-TR-869, + author = {Watson, Robert N. M. and Chisnall, David and Davis, Brooks + and Koszek, Wojciech and Moore, Simon W. and Murdoch, + Steven J. and Neumann, Peter G. 
and Woodruff, Jonathan}, + title = {{Bluespec Extensible RISC Implementation: BERI Software + reference}}, + year = 2015, + month = apr, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-869.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-869} +} + +@TechReport{UCAM-CL-TR-873, + author = {Gudka, Khilan and Watson, Robert N.M. and Anderson, + Jonathan and Chisnall, David and Davis, Brooks and Laurie, + Ben and Marinos, Ilias and Murdoch, Steven J. and Neumann, + Peter G. and Richardson, Alex}, + title = {{Clean application compartmentalization with SOAAP + (extended version)}}, + year = 2015, + month = dec, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-873.pdf}, + number = {UCAM-CL-TR-873} +} + +@TechReport{UCAM-CL-TR-876, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Roe, Michael and Anderson, Jonathan and + Chisnall, David and Davis, Brooks and Joannou, Alexandre and + Laurie, Ben and Moore, Simon W. and Murdoch, Steven J. and + Norton, Robert and Son, Stacey}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture}}, + year = 2015, + month = nov, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-876.pdf}, + number = {UCAM-CL-TR-876} +} + +@TechReport{UCAM-CL-TR-877, + author = {Watson, Robert N. M. and Chisnall, David and Davis, Brooks + and Koszek, Wojciech and Moore, Simon W. and Murdoch, + Steven J. and Neumann, Peter G. 
and Woodruff, Jonathan}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Programmer's Guide}}, + year = 2015, + month = nov, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-877.pdf}, + number = {UCAM-CL-TR-877} +} + +@TechReport{UCAM-CL-TR-927, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Roe, Michael and Almatary, Hesham and + Anderson, Jonathan and Baldwin, John and Chisnall, David + and Davis, Brooks and Filardo, Nathaniel Wesley and + Joannou, Alexandre and Laurie, Ben and Moore, Simon W. and + Murdoch, Steven J. and Nienhuis, Kyndylan and Norton, + Robert and Richardson, Alex and Sewell, Peter and Son, + Stacey and Xia, Hongyan}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture (Version 7)}}, + year = 2018, + month = oct, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom, + phone +44 1223 763500}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf}, + number = {UCAM-CL-TR-927} +} + +@inproceedings{Necula:2002:CTR:503272.503286, + author = {Necula, George C. and McPeak, Scott and Weimer, Westley}, + title = {CCured: Type-safe Retrofitting of Legacy Code}, + booktitle = {Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on +Principles of Programming Languages}, + series = {POPL '02}, + year = {2002}, + isbn = {1-58113-450-9}, + location = {Portland, Oregon}, + pages = {128--139}, + numpages = {12}, + doi = {10.1145/503272.503286}, + acmid = {503286}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@inproceedings{Nagarakatte:2009:SHC:1542476.1542504, + author = {Nagarakatte, Santosh and Zhao, Jianzhou and Martin, Milo M.K. 
and Zdancewic, Steve}, + title = {SoftBound: Highly Compatible and Complete Spatial Memory Safety for {C}}, + booktitle = {Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation}, + series = {PLDI '09}, + year = {2009}, + isbn = {978-1-60558-392-1}, + location = {Dublin, Ireland}, + pages = {245--258}, + numpages = {14}, + doi = {10.1145/1542476.1542504}, + acmid = {1542504}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {buffer overflows, c, spatial memory safety}, +} + +@article{Devietti:2008:HAS:1353536.1346295, + author = {Devietti, Joe and Blundell, Colin and Martin, Milo M. K. and Zdancewic, Steve}, + title = {Hardbound: Architectural Support for Spatial Safety of the {C} Programming Language}, + journal = {SIGPLAN Not.}, + issue_date = {March 2008}, + volume = {43}, + number = {3}, + month = mar, + year = {2008}, + issn = {0362-1340}, + pages = {103--114}, + numpages = {12}, + doi = {10.1145/1353536.1346295}, + acmid = {1346295}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {C programming language, spatial memory safety}, +} + +@MANUAL{Bluespec:TFRG, + TITLE = "Bluespec SystemVerilog Version~3.8 Reference Guide", + ORGANIZATION = "Bluespec,~Inc.", + ADDRESS = {Waltham,~MA}, + MONTH = nov, + YEAR = {2004} +} + +@article{watson13, + author = {Watson, Robert N. M.}, + title = {A Decade of {{OS}} Access-Control Extensibility}, + date = {2013-02-01}, + journaltitle = {Communications of the ACM}, + shortjournal = {Commun. ACM}, + volume = {56}, + pages = {52--63}, + issn = {0001-0782}, + doi = {10.1145/2408776.2408792}, + number = {2} +} + +@inproceedings{ChisnallCPDP11, +author = {David Chisnall and Colin Rothwell and Brooks Davis and Robert N. M. Watson and Jonathan Woodruff and Simon W. Moore and Peter G. 
Neumann and Michael Roe}, +title = {Beyond the {PDP}-11: Architectural support for a memory-safe C abstract machine}, +booktitle = {Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems}, +series = {ASPLOS '15}, +year = {2015}, +location = {Istanbul, Turkey}, +numpages = {14}, +publisher = {ACM}, +address = {New York, NY, USA}, +keywords = {C, memory safety, memory models, code generation}, +} + +@inproceedings{watson15:cheri, + title = {{{CHERI}}: {{A Hybrid Capability}}-{{System Architecture}} for {{Scalable Software Compartmentalization}}}, + shorttitle = {{{CHERI}}}, + booktitle = {Proceedings of the 2015 {{IEEE Symposium}} on {{Security}} and {{Privacy}}}, + author = {Watson, Robert N. M. and Woodruff, Jonathan and Neumann, Peter G. and Moore, Simon W. and Anderson, Jonathan and Chisnall, David and Dave, Nirav and Davis, Brooks and Gudka, Khilan and Laurie, Ben and Murdoch, Steven J. and Norton, Robert and Roe, Michael and Son, Stacey and Vadera, Munraj}, + date = {2015-05}, + pages = {20--37}, + publisher = {{IEEE Computer Society}}, + location = {{Washington, DC, USA}}, + doi = {10.1109/SP.2015.9}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201505-oakland2015-cheri-compartmentalization.pdf}, + eventtitle = {2015 {{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{SP}})}, + isbn = {978-1-4673-6949-7}, + series = {{{SP}} '15} +} + +@inproceedings{gudka15:soaap, + author = {Khilan Gudka and Robert N. M. Watson and Jonathan Anderson and David Chisnall and Brooks Davis and Ben Laurie and Ilias Marinos and Peter G. Neumann and Alex Richardson}, + title = {{Clean Application Compartmentalization with SOAAP}}, + booktitle = {{Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015)}}, + month = oct, + year = {2015}, +} + +@inproceedings{Keromytis2003, + author = {Gaurav S. Kc and Angelos D. 
Keromytis and Vassilis Prevelakis}, + title = {Countering Code-Injection Attacks With Instruction-Set + Randomization}, + booktitle = {Proceedings of the Tenth ACM Conference on Computer and +Communications Security (CCS)}, + month = oct, + year = 2003 +} + +@inproceedings{dhawan2014pump, + title={PUMP: a programmable unit for metadata processing}, + author={Dhawan, Udit and Vasilakis, Nikos and Rubin, Raphael and Chiricescu, Silviu and Smith, Jonathan M and Knight Jr, Thomas F and Pierce, Benjamin C and DeHon, Andr{\'e}}, + booktitle={Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy}, + pages={8}, + year={2014}, + organization={ACM} +} + +@phdthesis{gonzalez2015taxi, + title={Taxi: Defeating Code Reuse Attacks with Tagged Memory}, + author={Gonz{\'a}lez, Juli{\'a}n Armando}, + year={2015}, + school={Massachusetts Institute of Technology} +} + +@inproceedings{abadi2005control, + title={{Control-Flow Integrity}}, + author={Abadi, Mart{\'\i}n and Budiu, Mihai and Erlingsson, Ulfar and Ligatti, Jay}, + booktitle={Proceedings of the 12th ACM conference on Computer and communications security}, + pages={340--353}, + year={2005}, + organization={ACM} +} + +@article{mashtizadeh2014cryptographically, + title={Cryptographically enforced control flow integrity}, + author={Mashtizadeh, Ali Jose and Bittau, Andrea and Mazieres, David and Boneh, Dan}, + journal={arXiv preprint arXiv:1408.1451}, + year={2014} +} + +@inproceedings{Mashtizadeh_CCFICryptographicallyEnforced_2015, + title = {{{CCFI}}: {{Cryptographically Enforced Control Flow Integrity}}}, + shorttitle = {{{CCFI}}}, + booktitle = {Proceedings of the 22nd {{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}}, + author = {Mashtizadeh, Ali Jose and Bittau, Andrea and Boneh, Dan and Mazi\`eres, David}, + date = {2015-10-12}, + pages = {941--951}, + publisher = {{Association for Computing Machinery}}, + location = {{New York, NY, USA}}, + doi = 
{10.1145/2810103.2813676}, + urldate = {2020-09-30}, + abstract = {Control flow integrity (CFI) restricts jumps and branches within a program to prevent attackers from executing arbitrary code in vulnerable programs. However, traditional CFI still offers attackers too much freedom to chose between valid jump targets, as seen in recent attacks. We present a new approach to CFI based on cryptographic message authentication codes (MACs). Our approach, called cryptographic CFI (CCFI), uses MACs to protect control flow elements such as return addresses, function pointers, and vtable pointers. Through dynamic checks, CCFI enables much finer-grained classification of sensitive pointers than previous approaches, thwarting all known attacks and resisting even attackers with arbitrary access to program memory. We implemented CCFI in Clang/LLVM, taking advantage of recently available cryptographic CPU instructions (AES-NI). We evaluate our system on several large software packages (including nginx, Apache and memcache) as well as all their dependencies. The cost of protection ranges from a 3--18\% decrease in server request rate. 
We also expect this overhead to shrink as Intel improves the performance AES-NI.}, + isbn = {978-1-4503-3832-5}, + keywords = {control flow integrity,return oriented programming,vulnerabilities}, + series = {{{CCS}} '15} +} + +@inproceedings{evans2015control, + title={Control jujutsu: On the weaknesses of fine-grained control flow integrity}, + author={Evans, Isaac and Long, Fan and Otgonbaatar, Ulziibayar and Shrobe, Howard and Rinard, Martin and Okhravi, Hamed and Sidiroglou-Douskos, Stelios}, + booktitle={ACM SIGSAC Conference on Computer and Communications Security, CCS}, + year={2015} +} + +@inproceedings{conti2015losing, + title={Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks}, + author={Conti, Mauro and Crane, Stephen and Davi, Lucas and Franz, Michael and Larsen, Per and Liebchen, Christopher and Negro, Marco and Qunaibit, Mohaned and Sadeghi, Ahmad-Reza}, + booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security}, + pages={952--963}, + year={2015}, + organization={ACM} +} + +@inproceedings{kuznetsov2014code, + title={Code-pointer integrity}, + author={Kuznetsov, Volodymyr and Szekeres, L{\'a}szl{\'o} and Payer, Mathias and Candea, George and Sekar, R and Song, Dawn}, + booktitle={USENIX Symposium on Operating Systems Design and Implementation (OSDI)}, + year={2014} +} + +@TECHREPORT{Bletsch10jump-orientedprogramming:, + author = {Tyler Bletsch and Xuxian Jiang and Vince W. 
Freeh and Zhenkai Liang}, + title = {Jump-Oriented Programming: A New Class of Code-Reuse Attack}, + institution = {NC State University}, + year = {2010} +} + +@article{Hardy1988, +author = "Norman Hardy", +title = "The Confused Deputy (or why capabilities might have been invented)", +journal = "{ACM SIGOPS} Operating Systems Review", +volume = 22, +number = 4, +month = oct, +year = 1988} + +@TechReport{UCAM-CL-TR-887, + author = {Norton, Robert M.}, + title = {{Hardware support for compartmentalisation}}, + year = 2016, + month = may, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-887.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-887} +} + +@TechReport{UCAM-CL-TR-891, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Roe, Michael and Anderson, Jonathan and + Chisnall, David and Davis, Brooks and Joannou, Alexandre + and Laurie, Ben and Moore, Simon W. and Murdoch, Steven J. + and Norton, Robert and Son, Stacey and Xia, Hongyan}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture (Version 5)}}, + year = 2016, + month = jun, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-891.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-891} +} + +@manual{SKPP, +title = "U.S. 
Government Protection Profile for Separation Kernels in +Environments Requiring High Robustness", +key = "National Security Agency", +organization = "National Security Agency Information Assurance Directorate", +month = jun, +year = 2007} + +@manual{CC2017-1, +title = {Common Criteria for Information Technology Security Evaluation -- + Part 1: Introduction and General Model}, +author="{International Standards Organization}", +key = "International", +note = "Version 3.1, revision 5", +month = apr, +year = 2017} + +@manual{CC2012-3, +title = "Common Criteria for Information Technology Security Evaluation -- + Part 3: Security assurance components", +author="{International Standards Organization}", +key = "International", +note = "Version 3.1, revision 4.", +month = sep, +year = 2012} + +@InProceedings{Cerberus-PLDI16, + author = { +Kayvan Memarian and +Justus Matthiesen and +James Lingard and +Kyndylan Nienhuis and +David Chisnall and +Robert N.M. Watson and +Peter Sewell +}, + title = {Into the depths of {C}: elaborating the de facto standards}, + booktitle = {{Proceedings of PLDI 2016}}, + year = {2016}, + month = jun, + publisher = {ACM}, +} + +@Inbook{Fox2015, +author="Fox, Anthony", +editor="Urban, Christian +and Zhang, Xingyuan", +title="Improved Tool Support for Machine-Code Decompilation in HOL4", +bookTitle="Interactive Theorem Proving: 6th International Conference, ITP 2015, Nanjing, China, August 24-27, 2015, Proceedings", +year="2015", +publisher="Springer International Publishing", +address="Cham", +pages="187--202", +isbn="978-3-319-22102-1", +} + +@article{Gligor1979, +author = "Virgil Gligor and Bruce G. 
Lindsay", +title = "Object Migration and Authentication", +journal = "{IEEE} Transactions on Software Engineering", +volume = "SE-5", +number = 6, +month = nov, +year = 1979} + +@book{Heinrich:1993:MRU:154056, + author = {Heinrich, Joseph}, + title = {MIPS R4000 User's Manual}, + year = {1993}, + isbn = {0-13-105925-4}, + publisher = {Prentice-Hall, Inc.}, + address = {Upper Saddle River, NJ, USA}, +} + +@ARTICLE{watson2016:microjournal, +author={R. N. M. Watson and R. M. Norton and J. Woodruff and S. W. Moore and P. G. Neumann and J. Anderson and D. Chisnall and B. Davis and B. Laurie and M. Roe and N. H. Dave and K. Gudka and A. Joannou and A. T. Markettos and E. Maste and S. J. Murdoch and C. Rothwell and S. D. Son and M. Vadera}, +journal={IEEE Micro}, +title={{Fast Protection-Domain Crossing in the CHERI Capability-System Architecture}}, +year={2016}, +volume={36}, +number={5}, +pages={38-49}, +keywords={reduced instruction set computing;storage management chips;CHERI capability system architecture;ISA;MMU;capability hardware enhanced RISC instructions;conventional memory management unit;fast protection domain;flow-control model;hardware-software object-capability model;instruction set architecture;memory sharing;software defined protection domain transition model;Capability engineering;Memory management;Program processors;Reduced instruction set computing;Systems modeling;CHERI;ISA;capabilities;capability;capability system;compartmentalization;hardware;instruction set architecture;memory management unit;memory protection;processor;security;software;vulnerability mitigation}, +doi={10.1109/MM.2016.84}, +ISSN={0272-1732}, +month=sep,} + +@inproceedings{chisnall2017:cherijni, + title = {{{CHERI JNI}}: {{Sinking}} the {{Java Security Model}} into the {{C}}}, + shorttitle = {{{CHERI JNI}}}, + booktitle = {Proceedings of the {{Twenty}}-{{Second International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}}, + author 
= {Chisnall, David and Davis, Brooks and Gudka, Khilan and Brazdil, David and Joannou, Alexandre and Woodruff, Jonathan and Markettos, A. Theodore and Maste, J. Edward and Norton, Robert and Son, Stacey and Roe, Michael and Moore, Simon W. and Neumann, Peter G. and Laurie, Ben and Watson, Robert N.M.}, + date = {2017-04}, + pages = {569--583}, + publisher = {{ACM}}, + location = {{New York, NY, USA}}, + doi = {10.1145/3037697.3037725}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201704-asplos-cherijni.pdf}, + isbn = {978-1-4503-4465-4}, + keywords = {architecture,capability systems,cheri,compartmentalization,compilers,hardware security,java,jni,language security,memory protection,sandboxing}, + series = {{{ASPLOS}} '17}, + venue = {Xi'an, China} +} + + +@TechReport{UCAM-CL-TR-907, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Roe, Michael and Anderson, Jonathan and + Baldwin, John and Chisnall, David and Davis, Brooks and + Joannou, Alexandre and Laurie, Ben and Moore, Simon W. and + Murdoch, Steven J. and Norton, Robert and Son, Stacey and + Xia, Hongyan}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture (Version 6)}}, + year = 2017, + month = apr, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom, + phone +44 1223 763500}, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-907.pdf}, + number = {UCAM-CL-TR-907} +} + +@TechReport{UCAM-CL-TR-916, + author = {Watson, Robert N. M. and Woodruff, Jonathan and Roe, + Michael and Moore, Simon W. 
and Neumann, Peter G.}, + title = {{Capability Hardware Enhanced RISC Instructions (CHERI): + Notes on the Meltdown and Spectre Attacks}}, + year = 2018, + month = feb, + url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-916.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-916} +} + +@thesis{WatermanThesis2016, + author = {Waterman, Andrew}, + title = {{Design of the RISC-V Instruction Set Architecture}}, + institution = {EECS Department, University of California, Berkeley}, + year = {2016}, + url = {http://digitalassets.lib.berkeley.edu/etd/ucb/text/Waterman_berkeley_0028E_15908.pdf} +} + +@techreport{Waterman:EECS-2016-118, + Author = {Waterman, Andrew and Lee, Yunsup and Patterson, David A. and Asanovi\'c, Krste}, + Title = {{The RISC-V Instruction Set Manual, Volume I: User-Level ISA, Version 2.1}}, + Institution = {EECS Department, University of California, Berkeley}, + Year = {2016}, + Month = may, + URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-118.html}, + Number = {UCB/EECS-2016-118} +} + +@techreport{Waterman:EECS-2016-161, + Author = {Waterman, Andrew and Lee, Yunsup and Avizienis, Rimas and Patterson, David A. 
and Asanovi\'c, Krste}, + Title = {{The RISC-V Instruction Set Manual Volume II: Privileged Architecture Version 1.9.1}}, + Institution = {EECS Department, University of California, Berkeley}, + Year = {2016}, + Month = nov, + URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-161.html}, + Number = {UCB/EECS-2016-161} +} + +@Book{RISCV:User:2.2, + Editor = {Waterman, Andrew and Asanovi\'c, Krste}, + Title = {{The RISC-V Instruction Set Manual, Volume I: User-Level ISA, Version 2.2}}, + Institution = {RISC-V Foundation}, + Year = {2017}, + Month = may, + URL = {https://content.riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf} +} + +@Book{RISCV:Privileged:1.10, + Editor = {Waterman, Andrew and Asanovi\'c, Krste}, + Title = {{The RISC-V Instruction Set Manual, Volume II: Privileged Architecture, Version 1.10}}, + Institution = {RISC-V Foundation}, + Year = {2017}, + Month = may, + URL = {https://content.riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf} +} + +@incollection{watson2017:cheri-deployability, + author = {Robert N. M. Watson and Peter G Neumann and Simon W. Moore}, + title = {{Balancing Disruption and Deployability in the CHERI Instruction-Set Architecture (ISA)}}, + editor = {H. Shrobe and D. L. Shrier and A. Pentland}, + booktitle = {New Solutions for Cybersecurity}, + publisher = {MIT Press/Connection Science}, + city = {Cambridge}, + state = {MA}, + year = {2018}, + chapter = {5} +} + +@incollection{neumann2017:cheri-principles, + author = {Peter G. Neumann}, + title = {{Fundamental Trustworthiness Principles in CHERI}}, + editor = {H. Shrobe and D. L. Shrier and A. 
Pentland}, + booktitle = {New Solutions for Cybersecurity}, + publisher = {MIT Press/Connection Science}, + city = {Cambridge}, + state = {MA}, + year = {2018}, + chapter = {6} +} + +@article{Lipp2018meltdown, + author = {Lipp, Moritz and Schwarz, Michael and Gruss, Daniel and Prescher, + Thomas and Haas, Werner and Mangard, Stefan and Kocher, Paul and Genkin, + Daniel and Yarom, Yuval and Hamburg, Mike}, + title = {Meltdown}, + journal = {ArXiv e-prints}, + archivePrefix = "arXiv", + eprint = {1801.01207}, + year = 2018, + month = jan, +} + +@inproceedings{Foreshadow, + title = {Foreshadow: {{Extracting}} the {{Keys}} to the {{Intel}} \{\vphantom\}{{SGX}}\vphantom\{\} {{Kingdom}} with {{Transient Out}}-of-{{Order Execution}}}, + shorttitle = {Foreshadow}, + author = {Bulck, Jo Van and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul}, + date = {2018-08}, + pages = {991--1008}, + publisher = {{USENIX Association}}, + location = {{Baltimore, MD}}, + url = {https://www.usenix.org/conference/usenixsecurity18/presentation/bulck}, + urldate = {2020-09-29}, + annotation = {http://foreshadowattack.eu/foreshadowattack.pdf}, + eventtitle = {27th {{USENIX Security Symposium}}}, + isbn = {978-1-939133-04-5}, + NOTE = {\url{http://foreshadowattack.eu/foreshadowattack.pdf}}, + series = {{{USENIX Security}} 18} +} + +@article{Foreshadow-NG, +title={Foreshadow: Breaking the Virtual Memory + Abstraction with Transient Out-of-Order Execution}, +author={Ofir Weisse and Jo {Van Bulck} and Marina Minkin and Daniel Genkin and + Boris Kasikci and Frank Piessens and Mark Silberstein and Raoul Strackx and + Thomas F. 
Wenisch and Yucal Yarom}, +journal={}, +year={2018}, +volume = {}, +number = {}, +day={14}, +month=aug, +publisher = {}, +NOTE = {\url{http://foreshadowattack.eu/foreshadow-NG.pdf}} +} + + +@article{Kocher2018spectre, + author = {Kocher, Paul and Genkin, Daniel and Gruss, Daniel and Haas, Werner + and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas + and Schwarz, Michael and Yarom, Yuval}, + title = {Spectre Attacks: Exploiting Speculative Execution}, + journal = {ArXiv e-prints}, + archivePrefix = "arXiv", + eprint = {1801.01203}, + year = 2018, + month = jan, +} + +@article{N32handbook, + author = {George, Pirocanac and Susan, Wilkening and Jean, Wilson and Glen, Traefald}, + title = {{MIPSpro\textsuperscript{TM} N32 ABI Handbook}}, + publisher = {Silicon Graphics, SGI}, + year = 2002, +} + +@inproceedings{Creech69, + author={B. A. Creech}, + title={Architecture of the B-6500}, + pages={29-43}, + booktitle={Software Engineering: Proceedings of the Third Symposium on Computer and Information Sciences}, + month=dec, + year={1970}, + volume={1}, + editor={Tou, Julius T.}, + isbn={9780323157445}, +} + +@article{Organick73, + author={Elliott I. Organick}, + title={Computer System Organization}, + isbn={978-0125282505}, + publisher={Academic Press, Inc.}, + month=may, + year={1973}, + url={http://bitsavers.org/pdf/burroughs/B5000_5500_5700/Organick_Computer_System_Organization_The_B5700_B6700_Series_1973.pdf}, +} + +@article{Mayer82, + author = {Mayer, Alastair J. W.}, + title = {The Architecture of the {{Burroughs B5000}}: 20 Years Later and Still Ahead of the Times?}, + shorttitle = {The Architecture of the {{Burroughs B5000}}}, + journaltitle = {ACM SIGARCH Computer Architecture News}, + shortjournal = {SIGARCH Comput. Archit. 
News}, + issue_date = {June 1982}, + volume = {10}, + number = {4}, + month = jun, + year = {1982}, + issn = {0163-5964}, + pages = {3--10}, + numpages = {8}, + doi = {10.1145/641542.641543}, + acmid = {641543}, + publisher = {ACM}, + address = {New York, NY, USA}, +} + +@article{Barton87, + author={R. S. Barton and H. Berce and G. A. Collins and B. A. Creech and D. M. Dahm and B. A. Dent and V. J. Ford and B. A. Galler and J. E. S. Hale and E. A. Hauck and J. T. Hootman and P. D. King and N. L. Kreuder and W. R. Lonergan and D. MacDonald and F. B. MacKenzie and C. Oliphint and R. Pearson and R. F. Rosin and L. D. Turner and R. Waychoff}, + journal={Annals of the History of Computing}, + title={Discussion: The Burroughs B 5000 in Retrospect}, + year={1987}, + volume={9}, + number={1}, + pages={37-92}, + keywords={Computers;Hardware}, + doi={10.1109/MAHC.1987.10006}, + ISSN={0164-1239}, + month=jan, +} + +@report{Burroughs-B6700, + author={Burroughs Corporation}, + title={B 6700 Information Processing System Reference Manual}, + year={1972}, + url={http://bitsavers.trailing-edge.com/pdf/burroughs/B6500_6700/1058633_B6700_RefMan_May72.pdf} +} + +@phdthesis{Gumpertz81, + title={Error Detection with Memory Tags}, + author={Richard H. Gumpertz}, + month=dec, + year={1981}, + institution={Carnegie Mellon University}, + url={http://reports-archive.adm.cs.cmu.edu/anon/scan/CMU-CS-84-122.pdf} +} + +@inproceedings{joannou2017:tagged-memory, + author={Alexandre Joannou and Jonathan Woodruff and Robert Kovacsics and Simon W. Moore and Alex Bradbury and Hongyan Xia and Robert N. M. Watson and David Chisnall and Michael Roe and Brooks Davis and Edward Napierala and John Baldwin and Khilan Gudka and Peter G. Neumann and Alfredo Mazzinghi and Alex Richardson and Stacey Son and A. 
Theodore Markettos}, + title = {Efficient Tagged Memory}, + booktitle = {{Proceedings of the 2017 IEEE 35th International Conference on Computer Design (ICCD)}}, + month = nov, + year = {2017}, + city = {Boston}, + state = {MA}, + country = {USA}, +} + +@INPROCEEDINGS{Popek79, +author = {G. J. Popek and M. Kampe and M. Urban and A. Stoughton and E. J. Walton and C. S. Kline}, +booktitle = {International Workshop on Managing Requirements Knowledge (AFIPS)}, +title = {UCLA Secure UNIX}, +year = {1979}, +pages = {355}, +doi = {10.1109/AFIPS.1979.128}, +month={6} +} + +@phdthesis{doerrie2015:confinement, + author={M. Scott Doerrie}, + title={Confidence in Confinement: An Axiom-free, Mechanized Verification +of Confinement in Capability-based Systems}, + year={2015}, + institution={Johns Hopkins University}, + url={http://www.doerrie.us/assets/doerrie-dissertation-jhu.pdf} +} + +@article{Skorstengaard:2019:stktokens, + title = {{{StkTokens}}: Enforcing Well-Bracketed Control Flow and Stack Encapsulation Using Linear Capabilities}, + shorttitle = {{{StkTokens}}}, + author = {Skorstengaard, Lau and Devriese, Dominique and Birkedal, Lars}, + date = {2019-01}, + journaltitle = {Proceedings of the ACM on Programming Languages}, + shortjournal = {Proc. ACM Program. 
Lang.}, + volume = {3}, + pages = {19:1--19:28}, + doi = {10.1145/3290332}, + urldate = {2020-09-15}, + issue = {POPL}, + keywords = {capability machines,fully abstract compilation,fully abstract overlay semantics,linear capabilities,secure compilation,stack frame encapsulation,well-bracketed control flow} +} + +@inproceedings{chiricescu2013safe, + title={SAFE: A clean-slate architecture for secure systems}, + author={Chiricescu, Silviu and DeHon, Andr{\'e} and Demange, Delphine and Iyer, Suraj and Kliger, Aleksey and Morrisett, Greg and Pierce, Benjamin C and Reubenstein, Howard and Smith, Jonathan M and Sullivan, Gregory T and others}, + booktitle={IEEE International Conference on Technologies for Homeland Security (HST)}, + pages={570--576}, + year={2013} +} + +@INPROCEEDINGS{shapiro:2004, + author = {Jonathan Shapiro and Michael Scott Doerrie and Eric Northup and Mark Miller}, + title = {Towards a verified, general-purpose operating system kernel}, + booktitle = {Proceedings of the NICTA Invitational Workshop on Operating System Verification}, + year = {2004}, + pages = {1--19}, + url={http://www.cs.jhu.edu/~swaroop/osverify-2004.pdf} +} + +@inproceedings{carter:mmachine94, + title = {Hardware {{Support}} for {{Fast Capability}}-Based {{Addressing}}}, + booktitle = {Proceedings of the {{Sixth International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}}, + author = {Carter, Nicholas P. and Keckler, Stephen W. and Dally, William J.}, + date = {1994-11}, + pages = {319--327}, + publisher = {{ACM}}, + location = {{New York, NY, USA}}, + doi = {10.1145/195473.195579}, + url = {https://www.cs.utexas.edu/users/skeckler/pubs/asplos94.pdf}, + abstract = {Traditional methods of providing protection in memory systems do so at the cost of increased context switch time and/or increased storage to record access permissions for processes. 
With the advent of computers that supported cycle-by-cycle multithreading, protection schemes that increase the time to perform a context switch are unacceptable, but protecting unrelated processes from each other is still necessary if such machines are to be used in non-trusting environments. This paper examines guarded pointers, a hardware technique which uses tagged 64-bit pointer objects to implement capability-based addressing. Guarded pointers encode a segment descriptor into the upper bits of every pointer, eliminating the indirection and related performance penalties associated with traditional implementations of capabilities. All processes share a single 54-bit virtual address space, and access is limited to the data that can be referenced through the pointers that a process has been issued. Only one level of address translation is required to perform a memory reference. Sharing data between processes is efficient, and protection states are defined to allow fast protected subsystem calls and create unforgeable data keys.}, + isbn = {978-0-89791-660-8}, + series = {{{ASPLOS VI}}}, + venue = {San Jose, California, USA} +} + +@inproceedings{Fillo_MMachineMulticomputer_1995, + title = {The {{M}}-{{Machine}} Multicomputer}, + booktitle = {Proceedings of the 28th Annual International Symposium on {{Microarchitecture}}}, + author = {Fillo, Marco and Keckler, Stephen W. and Dally, William J. and Carter, Nicholas P. and Chang, Andrew and Gurevich, Yevgeny and Lee, Whay S.}, + date = {1995-12-01}, + pages = {146--156}, + publisher = {{IEEE Computer Society Press}}, + location = {{Washington, DC, USA}}, + doi = {10.1109/MICRO.1995.476822}, + abstract = {The M-Machine is an experimental multicomputer being developed to test architectural concepts motivated by the constraints of modern semiconductor technology and the demands of programming systems. 
The M-Machine computing nodes are connected with a 3-D mesh network; each node is a multithreaded processor incorporating 12 function units, on-chip cache, and local memory. The multiple function units are used to exploit both instruction-level and thread-level parallelism. A user accessible message passing system yields fast communication and synchronization between nodes. Rapid access to remote memory is provided transparently to the user with a combination of hardware and software mechanisms. This paper presents the architecture of the M-Machine and describes how its mechanisms attempt to maximize both single thread performance and overall system throughput. The architecture is complete and the MAP chip, which will serve as the M-Machine processing node, is currently being implemented.}, + isbn = {978-0-8186-7349-8}, + keywords = {3-D mesh network,architectural concepts testing,computer architecture,Computer architecture,Computer networks,Hardware,hardware mechanisms,instruction-level,local memory,M-Machine multicomputer,Mesh networks,message passing,Message passing,multiprocessing systems,multithreaded processor,Network-on-a-chip,on-chip cache,overall system throughput,Parallel processing,programming systems,Semiconductor device testing,single thread performance,software mechanisms,synchronisation,System testing,thread-level parallelism,user accessible message passing system,Yarn}, + series = {{{MICRO}} 28} +} + +@inproceedings{Davis_CheriABIEnforcingValid_2019, + ids = {davis2019:cheriabi}, + title = {{{CheriABI}}: {{Enforcing Valid Pointer Provenance}} and {{Minimizing Pointer Privilege}} in the {{POSIX C Run}}-Time {{Environment}}}, + shorttitle = {{{CheriABI}}}, + booktitle = {Proceedings of the {{Twenty}}-{{Fourth International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}}, + author = {Davis, Brooks and Watson, Robert N. M. and Richardson, Alexander and Neumann, Peter G. and Moore, Simon W. 
and Baldwin, John and Chisnall, David and Clarke, Jessica and Filardo, Nathaniel Wesley and Gudka, Khilan and Joannou, Alexandre and Laurie, Ben and Markettos, A. Theodore and Maste, J. Edward and Mazzinghi, Alfredo and Napierala, Edward Tomasz and Norton, Robert M. and Roe, Michael and Sewell, Peter and Son, Stacey and Woodruff, Jonathan}, + date = {2019-04}, + pages = {379--393}, + publisher = {{ACM}}, + location = {{New York, NY, USA}}, + doi = {10.1145/3297858.3304042}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf}, + urldate = {2019-06-10}, + eventtitle = {{{ASPLOS}} 2019}, + isbn = {978-1-4503-6240-5}, + series = {{{ASPLOS}} '19}, + venue = {Providence, RI, USA} +} + +@inproceedings{sail-popl2019, + author = {Alasdair Armstrong and Thomas Bauereiss and Brian Campbell and Alastair Reid and Kathryn E. Gray and Robert M. Norton and Prashanth Mundkur and Mark Wassell and Jon French and Christopher Pulte and Shaked Flur and Ian Stark and Neel Krishnaswami and Peter Sewell}, + title = {{ISA} Semantics for {ARMv8-A, RISC-V, and CHERI-MIPS}}, + optcrossref = {}, + optkey = {}, + conf = {POPL 2019}, + booktitle = {\textbf{POPL 2019}: Proc. 46th ACM SIGPLAN Symposium on Principles of Programming Languages}, + optbooktitle = {}, + year = {2019}, + opteditor = {}, + optvolume = {}, + optnumber = {}, + optseries = {}, + optpages = {}, + month = jan, + optaddress = {}, + optorganization = {}, + optpublisher = {}, + note = {Proc. ACM Program. Lang. 3, POPL, Article 71}, + optnote = {}, + optannote = {}, + doi = {10.1145/3290384}, + abstract = {Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving software and verification on shaky ground. 
+ +In this paper, we present rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4. Our ARMv8-A models are automatically translated from authoritative ARM-internal definitions, and (in one variant) tested against the ARM Architecture Validation Suite. + +We do this using a custom language for ISA semantics, Sail, with a lightweight dependent type system, that supports automatic generation of emulator code in C and OCaml, and automatic generation of proof-assistant definitions for Isabelle, HOL4, and (currently only for MIPS) Coq. We use the former for validation, and to assess specification coverage. To demonstrate the usability of the latter, we prove (in Isabelle) correctness of a purely functional characterisation of ARMv8-A address translation. We moreover integrate the RISC-V model into the RMEM tool for (user-mode) relaxed-memory concurrency exploration. We prove (on paper) the soundness of the core Sail type system. + +We thereby take a big step towards making the architectural abstraction actually well-defined, establishing foundations for verification and reasoning. +}, + pdf = {http://www.cl.cam.ac.uk/users/pes20/sail/sail-popl2019.pdf}, + topic = {ISA_semantics}, + project = {http://www.cl.cam.ac.uk/~pes20/sail/}, + recent = {true} +} + +@misc{sail-url, + author = {{REMS Project}}, + title = {{Sail Language}}, + howpublished={\url{https://www.cl.cam.ac.uk/~pes20/sail/}}, + year = 2018, +} + +@inproceedings{cerberus-popl2019, + author = {Kayvan Memarian and Victor B. F. Gomes and Brooks Davis and Stephen Kell and Alexander Richardson and Robert N. M. Watson and Peter Sewell}, + title = {Exploring {C} Semantics and Pointer Provenance}, + optcrossref = {}, + optkey = {}, + conf = {POPL 2019}, + booktitle = {\textbf{POPL 2019}: Proc. 
46th ACM SIGPLAN Symposium on Principles of Programming Languages}, + optbooktitle = {}, + year = {2019}, + opteditor = {}, + optvolume = {}, + optnumber = {}, + optseries = {}, + optpages = {}, + month = jan, + optaddress = {}, + optorganization = {}, + optpublisher = {}, + note = {Proc. ACM Program. Lang. 3, POPL, Article 67}, + optannote = {}, + doi = {10.1145/3290380}, + pdf = {http://www.cl.cam.ac.uk/users/pes20/cerberus/cerberus-popl2019.pdf}, + supplementarymaterial = {http://www.cl.cam.ac.uk/users/pes20/cerberus/supplementary-material-popl2019}, + topic = {Cerberus}, + project = {http://www.cl.cam.ac.uk/~pes20/cerberus}, + abstract = {The semantics of pointers and memory objects in C has been a vexed question for many years. C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs with de facto standard usage --- which itself is difficult to investigate. + +In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code. We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases. We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI. 
This allows us to experimentally assess our proposals on those test cases. To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks. We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al. Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard. +}, + recent = {true} +} + +@software{sail-cheri-mips, + title = {{{CTSRD-CHERI/sail-cheri-mips: CHERI-MIPS model written in Sail}}}, + author = {{Capability Hardware Enhanced RISC Instructions}}, + shorttitle = {{{sail-cheri-riscv}}}, + url = {https://github.com/CTSRD-CHERI/sail-cheri-mips}, +} + +@software{sail-cheri-riscv, + title = {{{CTSRD-CHERI/sail-cheri-riscv: CHERI-RISC-V model written in Sail}}}, + author = {{Capability Hardware Enhanced RISC Instructions}}, + shorttitle = {{{sail-cheri-riscv}}}, + url = {https://github.com/CTSRD-CHERI/sail-cheri-riscv}, +} + +@software{cheriot-sail, + title = {{{CHERIoT ISA model written in Sail}}}, + author = {{Microsoft}}, + shorttitle = {{{cheriot-sail}}}, + url = {https://github.com/microsoft/cheriot-sail}, +} + +@software{cheriot-rtos, + title = {{{CHERIoT RTOS}}}, + author = {{Microsoft}}, + shorttitle = {{{cheriot-rtos}}}, + url = {https://github.com/microsoft/cheriot-rtos}, +} + +@manual{arm-a64-v8-a-beta, + title={{ARM® A64 Instruction Set Architecture ARMv8, for ARMv8-A architecture profile}}, + organization={Arm Limited}, + 
howpublished={\url{https://static.docs.arm.com/ddi0596/a/DDI_0596_ARM_a64_instruction_set_architecture.pdf}}, + year = 2020, +} + +@misc{sparc-m7-adi, + title={{Introduction to SPARC M7 and Application Data Integrity (ADI)}}, + howpublished={\url{https://swisdev.oracle.com/_files/What-Is-ADI.html}} +} + +@inproceedings{mazzinghi:pointer-provenance, + author={Alfredo Mazzinghi and Ripduman Sohan and Robert N. M. Watson}, + title={{Pointer Provenance in a Capability Architecture}}, + booktitle={{Proceedings of the 10th USENIX Workshop on the Theory and Practice of Provenance (TaPP'18)}}, + city={London}, + month=jul, + year=2018 +} + +@inproceedings{xia:cherirtos, + title = {{{CheriRTOS}}: {{A Capability Model}} for {{Embedded Devices}}}, + shorttitle = {{{CheriRTOS}}}, + booktitle = {2018 {{IEEE}} 36th {{International Conference}} on {{Computer Design}} ({{ICCD}})}, + author = {Xia, Hongyan and Woodruff, Jonathan and Barral, Hadrien and Esswood, Lawrence and Joannou, Alexandre and Kovacsics, Robert and Chisnall, David and Roe, Michael and Davis, Brooks and Napierala, Edward and Baldwin, John and Gudka, Khilan and Neumann, Peter G. and Richardson, Alexander and Moore, Simon W. and Watson, Robert N. M.}, + date = {2018-10}, + pages = {92--99}, + publisher = {{IEEE}}, + location = {{Orlando, FL, USA}}, + doi = {10.1109/ICCD.2018.00023}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201810-iccd2018-cheri-rtos.pdf}, + abstract = {Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems. 
Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art security and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI's capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems.}, + eventtitle = {2018 {{IEEE}} 36th {{International Conference}} on {{Computer Design}} ({{ICCD}})}, + keywords = {attack surface,Capability Hardware Enhanced RISC Instructions,Capability model,capability system,capability systems,CHERI,CHERI-64,CheriRTOS,embedded devices,embedded systems,Embedded systems,fine-grained memory safety,Hardware,hardware capabilities,hardware-software platform,Kernel,memory safety,real time operating systems,Real-time systems,reduced instruction set computing,Safety,security,Security,storage management,Task analysis}, + series = {{{ICCD}}} +} + +@article{Woodruff2019, + title = {{{CHERI Concentrate}}: {{Practical Compressed Capabilities}}}, + shorttitle = {{{CHERI Concentrate}}}, + author = {Woodruff, Jonathan and Joannou, Alexandre and Xia, Hongyan and Fox, Anthony and Norton, Robert and Baureiss, Thomas and Chisnall, David and Davis, Brooks and Gudka, Khilan and Filardo, Nathaniel Wesley and Markettos, A. Theodore and Roe, Michael and Neumann, Peter G. and Watson, Robert N. M. 
and Moore, Simon W.}, + date = {2019-10}, + journaltitle = {IEEE Transactions on Computers}, + shortjournal = {TC}, + volume = {68}, + pages = {1455--1469}, + issn = {1557-9956}, + doi = {10.1109/TC.2019.2914037}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2019tc-cheri-concentrate.pdf}, + urldate = {2019-06-16}, + keywords = {Capabilities,capability compression,capability fat pointers,CHERI concentrate,commodity operating system,compiled capability code,compressed encoding,compression,computer architecture,data compression,decode,decoding,Delays,design inefficiencies,developed capability-pointer system,efficiency 75.0 percent,encoding,Encoding,encoding format,existing software base,fat pointers,fat-pointer compression scheme,field programmable gate arrays,future computer systems,increased pointer size,legacy instruction sets,legacy software stack,memory safety,microprocessor chips,nonbypassable security properties,open-source CHERI prototype processor design,pipeline problems,pipeline processing,Pipelines,pointer arithmetic,pointer-modify operations,practical compressed capabilities,program compilers,reduced instruction set computing,Registers,RISC-style processor pipelines,Safety,Semantics,Software,state-of-the-art region-encoding efficiency,storage management,theorem proving,tree data structures}, + langid = {english}, + number = {10} +} + +@TechReport{UCAM-CL-TR-936, + author = {Joannou, Alexandre J. P.}, + title = {{High-performance memory safety: optimizing the CHERI + capability machine}}, + year = 2019, + month = may, + url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-936.pdf}, + institution = {University of Cambridge, Computer Laboratory}, + number = {UCAM-CL-TR-936} +} + +@article{DBLP:journals/scp/CampbellS16, + author = {Brian Campbell and + Ian Stark}, + title = {Randomised testing of a microprocessor model using {SMT}-solver state + generation}, + journal = {Sci. Comput. 
Program.}, + volume = {118}, + pages = {60--76}, + year = {2016}, + doi = {10.1016/j.scico.2015.10.012}, + timestamp = {Sat, 27 May 2017 14:22:55 +0200}, + biburl = {https://dblp.org/rec/bib/journals/scp/CampbellS16}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{Xia_CHERIvokeCharacterisingPointer_2019, + title = {{{CHERIvoke}}: {{Characterising Pointer Revocation}} Using {{CHERI Capabilities}} for {{Temporal Memory Safety}}}, + shorttitle = {{{CHERIvoke}}}, + booktitle = {Proceedings of the 52nd {{Annual IEEE}}/{{ACM International Symposium}} on {{Microarchitecture}}}, + author = {Xia, Hongyan and Woodruff, Jonathan and Ainsworth, Sam and Filardo, Nathaniel W. and Roe, Michael and Richardson, Alexander and Rugg, Peter and Neumann, Peter G. and Moore, Simon W. and Watson, Robert N. M. and Jones, Timothy M.}, + date = {2019-10-12}, + pages = {545--557}, + publisher = {{ACM}}, + location = {{New York, NY, USA}}, + doi = {10.1145/3352460.3358288}, + url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201910micro-cheri-temporal-safety.pdf}, + abstract = {A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive. CHERI is an architectural extension to provide hardware capability addressing that is seeing significant commercial and open-source interest. We show that CHERI capabilities can be used as a foundation to enable low-cost heap temporal safety by facilitating out-of-date pointer revocation, as capabilities enable precise and efficient identification and invalidation of pointers, even when using unsafe languages such as C. 
We develop CHERIvoke, a technique for deterministic and fast sweeping revocation to enforce temporal safety on CHERI systems. CHERIvoke quarantines freed data before periodically using a small shadow map to revoke all dangling pointers in a single sweep of memory, and provides a tunable trade-off between performance and heap growth. We evaluate the performance of such a system using high-performance x86 processors, and further analytically examine its primary overheads. When configured with a heap-size overhead of 25\%, we find that CHERIvoke achieves an average execution-time overhead of under 5\%, far below the overheads associated with traditional garbage collection, revocation, or page-table systems.}, + isbn = {978-1-4503-6938-1}, + keywords = {architecture,security,temporal safety,use-after-free}, + series = {{{MICRO}} '52}, + venue = {Columbus, OH, USA} +} + +@article{skillicorn:partreeskel, +title = "Parallel Implementation of Tree Skeletons", +journal = "Journal of Parallel and Distributed Computing", +volume = "39", +number = "2", +pages = "115 - 125", +year = "1996", +issn = "0743-7315", +doi = "10.1006/jpdc.1996.0160", +url = "http://www.sciencedirect.com/science/article/pii/S0743731596901604", +author = "D.B. Skillicorn", +abstract = "Trees are a useful data type, but they are not routinely included in parallel programming systems, in part because their irregular structure makes partitioning and scheduling difficult. We present a method for algebraically constructing implementations of tree skeletons, high-level homomorphic operations that execute in parallel. Many computations on binary trees can be performed inO(logn) parallel time usingnprocessors, even taking account of communication costs. We extend these results to trees with arbitrary and variable degree. 
Then we show that it is possible to implement a distributed version of homomorphisms on binary trees, takingO(n/p+ log2p) parallel time onp < nprocessors, for trees of any skew and taking full account of communication costs. Under slightly stronger restrictions on the underlying functions, this can be improved toO(n/p+ logp). Furthermore, the technique for deriving distributed versions is algebraic, allowing the automatic generation of code for SPMD and data-parallel architectures." +} + +@TechReport{UCAM-CL-TR-951, + author = {Watson, Robert N. M. and Neumann, Peter G. and Woodruff, + Jonathan and Roe, Michael and Almatary, Hesham and + Anderson, Jonathan and Baldwin, John and Chisnall, David + and Clarke, Jessica and Davis, Brooks and Filardo, + Nathaniel Wesley and Joannou, Alexandre and Laurie, Ben and + Markettos, A. Theodore and Moore, Simon W. and Murdoch, + Steven J. and Nienhuis, Kyndylan and Norton, Robert and + Richardson, Alexander and Rugg, Peter and Sewell, Peter and + Son, Stacey and Xia, Hongyan}, + title = {{Capability Hardware Enhanced RISC Instructions: CHERI + Instruction-Set Architecture (Version 8)}}, + institution = {University of Cambridge, Computer Laboratory}, + address = {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom}, + number = {UCAM-CL-TR-951}, + year = 2020, + month = sep, + url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-951.pdf}, +} + +@inproceedings{cheri-formal-SP2020, + author = {Kyndylan Nienhuis and Alexandre Joannou and Thomas Bauereiss and Anthony Fox and Michael Roe and Brian Campbell and Matthew Naylor and Robert M. Norton and Moore, Simon W. and Neumann, Peter G. and Ian Stark and Watson, Robert N. M. 
and Peter Sewell}, + title = {Rigorous engineering for hardware security: Formal modelling and proof in the {CHERI} design and implementation process}, + optcrossref = {}, + optkey = {}, + conf = {Security and Privacy 2020}, + booktitle = {Proceedings of the 41st IEEE Symposium on Security and Privacy (SP)}, + year = {2020}, + opteditor = {}, + optvolume = {}, + optnumber = {}, + optseries = {}, + pages = {1007--1024}, + month = may, + optaddress = {}, + optorganization = {}, + optpublisher = {}, + optnote = {}, + optannote = {}, + abstract = {The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. + +In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice -- as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation -- and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. 
This is for the same complete ISA models (complete enough to boot operating systems), without idealisation.
+
+We do this for CHERI, an architecture with \emph{hardware capabilities} that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.
+},
+ pdf = {https://www.cl.cam.ac.uk/users/pes20/cheri-formal.pdf},
+ apollourl = {https://www.repository.cam.ac.uk/handle/1810/302580},
+ publisherurl = {https://www.computer.org/csdl/proceedings-article/sp/2020/349700b007/1j2Lg3o6fdK},
+ doi = {10.1109/SP40000.2020.00055},
+ project = {https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/},
+ topic = {cheri},
+ cheriformal = {true},
+ recent = {true}
+}
+
+@inproceedings{cornucopia,
+ author = {Nathaniel Wesley Filardo and Brett F. Gutstein and Jonathan Woodruff and Sam Ainsworth and Lucian Paul-Trifu and Brooks Davis and Hongyan Xia and Edward Tomasz Napierala and Alexander Richardson and John Baldwin and David Chisnall and Jessica Clarke and Khilan Gudka and Alexandre Joannou and A. Theodore Markettos and Alfredo Mazzinghi and Robert M. Norton and Michael Roe and Peter Sewell and Stacey Son and Timothy M. Jones and Simon W. Moore and Peter G. Neumann and Robert N. M. Watson},
+ conf = {Security and Privacy 2020},
+ booktitle = {Proceedings of the 41st IEEE Symposium on Security and Privacy (SP)},
+ title = {Cornucopia: {{Temporal Safety}} for {{CHERI Heaps}}},
+ date = {2020-05},
+ volume = {},
+ issn = {2375-1207},
+ pages = {1507--1524},
+ keywords = {},
+ doi = {10.1109/SP40000.2020.00098},
+ pdf = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf},
+ url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf},
+ apollourl = {https://www.repository.cam.ac.uk/handle/1810/304040},
+ publisherurl = {https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00098},
+ publisher = {IEEE Computer Society},
+ address = {Los Alamitos, CA, USA},
+ month = may,
+ abstract = {Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke,a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach.
+
+Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2\% and a worst-case of 8.9\% for concurrent revocation on compatible SPECCPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.
+},
+ project = {https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/},
+ topic = {cheri},
+ recent = {true}
+}
+
+@TechReport{UCAM-CL-TR-940,
+ author = {Nienhuis, Kyndylan and Joannou, Alexandre and Fox, Anthony
+ and Roe, Michael and Bauereiss, Thomas and Campbell, Brian
+ and Naylor, Matthew and Norton, Robert M. and Moore, Simon
+ W. and Neumann, Peter G. and Stark, Ian and Watson, Robert
+ N. M. and Sewell, Peter},
+ title = {{Rigorous engineering for hardware security: formal
+ modelling and proof in the CHERI design and implementation
+ process}},
+ year = 2019,
+ month = sep,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-940.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ number = {UCAM-CL-TR-940}
+}
+
+@TechReport{UCAM-CL-TR-941,
+ author = {Watson, Robert N. M. and Moore, Simon W. and Sewell, Peter
+ and Neumann, Peter G.},
+ title = {{An Introduction to CHERI}},
+ year = 2019,
+ month = sep,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ number = {UCAM-CL-TR-941}
+}
+
+@TechReport{UCAM-CL-TR-947,
+ author = {Watson, Robert N. M. and Richardson, Alexander and Davis,
+ Brooks and Baldwin, John and Chisnall, David and Clarke,
+ Jessica and Filardo, Nathaniel and Moore, Simon W. and
+ Napierala, Edward and Sewell, Peter and Neumann, Peter G.},
+ title = {{CHERI C/C++ Programming Guide}},
+ year = 2020,
+ month = jun,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-947.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ number = {UCAM-CL-TR-947}
+}
+
+@TechReport{UCAM-CL-TR-949,
+ author = {Richardson, Alexander},
+ title = {{Complete spatial safety for C and C++ using CHERI
+ capabilities}},
+ year = 2020,
+ month = jun,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-949.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ number = {UCAM-CL-TR-949}
+}
+@inproceedings{yu2019speculative,
+ langid = {english},
+ title={{Speculative Taint Tracking (STT) A Comprehensive Protection for
+ Speculatively Accessed Data}},
+ author={Yu, Jiyong and Yan, Mengjia and Khyzha, Artem and Morrison, Adam and
+ Torrellas, Josep and Fletcher, Christopher W},
+ booktitle={Proceedings of the 52nd {{IEEE}}/{{ACM International Symposium}} on {{Microarchitecture}} ({{IEEE MICRO}} 2019)},
+ series = {{{MICRO}}-52 '17},
+ date = {2019-10},
+ venue = {Columbus, Ohio, USA}
+}
+
+@online{CHERI-cheri-cpu,
+ title = {{CTSRD-CHERI/cheri-cpu: CHERI-MIPS implementation in a 6-stage pipeline with associative caches and multi-core support}},
+ url = {https://github.com/CTSRD-CHERI/cheri-cpu},
+ urldate = {2020-09-16}
+}
+
+@online{CHERI-Piccolo,
+ title = {{CTSRD-CHERI/Piccolo: RISC-V CPU, simple 3-stage pipeline, for low-end applications (e.g., embedded, IoT)}},
+ url = {https://github.com/CTSRD-CHERI/Piccolo},
+ urldate = {2020-09-16}
+}
+
+@online{CHERI-Flute,
+ title = {{CTSRD-CHERI/Flute: RISC-V CPU, simple 5-stage in-order pipeline, for low-end applications needing MMUs and some performance}},
+ url = {https://github.com/CTSRD-CHERI/Flute},
+ urldate = {2020-09-16}
+}
+
+@online{CHERI-Toooba,
+ title = {{CTSRD-CHERI/Toooba: RISC-V Core; superscalar, out-of-order, multi-core capable; based on RISCY-OOO from MIT}},
+ url = {https://github.com/CTSRD-CHERI/Toooba},
+ urldate = {2020-09-16}
+}
+
+@online{CHERI-TagController,
+ title = {{CTSRD-CHERI/TagController: Multi-level tag controller for emulating a tagged memory using an in-memory table}},
+ url = {https://github.com/CTSRD-CHERI/TagController},
+ urldate = {2020-09-16}
+}
+
+@online{CHERI-cheri-cap-lib,
+ title = {{CTSRD-CHERI/cheri-cap-lib: A library of specific implementations of cheri and providing an abstract interface to those implementations}},
+ url = {https://github.com/CTSRD-CHERI/cheri-cap-lib},
+ urldate = {2020-09-16}
+}
+
+@manual{arm-morello,
+ title={{Arm Architecture Reference Manual Supplement: Morello for A-profile
+ Architecture}},
+ url = {https://developer.arm.com/documentation/ddi0606/latest},
+ urldate = {2020-10-22},
+ organization = {Arm Limited},
+ version = {A.k},
+ year = 2020,
+}
+
+@inproceedings{margaritov2019prefetched,
+ title={Prefetched address translation},
+ author={Margaritov, Artemiy and Ustiugov, Dmitrii and Bugnion, Edouard and Grot, Boris},
+ booktitle={Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture},
+ pages={1023--1036},
+ year={2019}
+}
+
+@misc{sel4-faq,
+ author = {{LF Projects, LLC}},
+ title = {{seL4 FAQ}},
+ howpublished={\url{https://www.sel4.systems/Info/FAQ/proof.pml}},
+ year = 2023,
+}
+
+@article{huyghebaert:uninitcaps,
+ author = {Sander Huyghebaert and
+ Thomas Van Strydonck and
+ Steven Keuchel and
+ Dominique Devriese},
+ title = {Uninitialized Capabilities},
+ journal = {CoRR},
+ year = {2020},
+ url = {https://arxiv.org/abs/2006.01608},
+}
+
+@misc{arm:mte,
+ author = {Arm Limited},
+ title = {{Armv8.5-A} Memory Tagging Extension White Paper},
+ url = {https://developer.arm.com/documentation/102925/0100/},
+ urldate = {2023 Feb 5}
+}
+
+@misc{arm:mpu,
+ author = {Arm Limited},
+ title = {{Armv8-M} Memory Model and Memory Protection User Guide},
+ url = {https://developer.arm.com/documentation/107565/0100/},
+ urldate = {2023 Feb 5}
+}
+
+@phdthesis{xia:capprotembed,
+ author = {Xia, Hongyan},
+ title = {{Capability memory protection for embedded systems}},
+ year = 2021,
+ month = feb,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-955.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ doi = {10.48456/tr-955},
+ number = {UCAM-CL-TR-955}
+}
+
+@phdthesis{esswood:cherios,
+ author = {Esswood, Lawrence G.},
+ title = {{CheriOS: designing an untrusted single-address-space
+ capability operating system utilising capability hardware
+ and a minimal hypervisor}},
+ year = 2021,
+ month = sep,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-961.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ doi = {10.48456/tr-961},
+ number = {UCAM-CL-TR-961}
+}
+
+@article{almatary:compartos,
+ author = {Almatary, Hesham and Dodson, Michael and Clarke, Jessica and Rugg, Peter and Gomes, Ivan and Podhradsky, Michal and Neumann, Peter G. and Moore, Simon W. and Watson, Robert N. M.},
+ title = {CompartOS: CHERI Compartmentalization for Embedded Systems},
+ year = {2022},
+ url = {https://arxiv.org/abs/2206.02852}
+}
+
+@phdthesis{almatary:thesis,
+ author = {Almatary, Hesham},
+ title = {{CHERI compartmentalisation for embedded systems}},
+ year = 2022,
+ month = nov,
+ url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-976.pdf},
+ institution = {University of Cambridge, Computer Laboratory},
+ doi = {10.48456/tr-976},
+ number = {UCAM-CL-TR-976}
+}
+
+@misc{openbsd:3.3,
+ author = {Theo de Raadt},
+ title = {OpenBSD 3.3},
+ url = {https://www.openbsd.org/33.html},
+ urldate = {2023 Feb 5}
+}
+
+@misc{msft:dep,
+ author = {Microsoft Inc.},
+ title = {Data Execution Prevention - Win32 apps},
+ url = {https://learn.microsoft.com/en-us/windows/win32/memory/data-execution-prevention},
+ urldate = {2023 Feb 5}
+}
diff --git a/archdoc/cheriot-architecture.tex b/archdoc/cheriot-architecture.tex
new file mode 100644
index 0000000..2305ccc
--- /dev/null
+++ b/archdoc/cheriot-architecture.tex
@@ -0,0 +1,110 @@
+%%%% University of Cambridge tech-report formatting; enable when producing
+%%%% tech-report versions of these documents; otherwise, disable.
+%\documentclass[12pt,twoside,openright,a4paper]{report}
+%\setlength{\oddsidemargin}{-0.4mm} % 25 mm left margin
+%\setlength{\evensidemargin}{\oddsidemargin}
+%\setlength{\textwidth}{160mm} % 25 mm right margin
+%\setlength{\topmargin}{-5.4mm} % 20 mm top margin
+%\setlength{\headheight}{5mm}
+%\setlength{\headsep}{5mm}
+%\setlength{\footskip}{10mm}
+%\setlength{\textheight}{237mm} % 20 mm bottom margin
+%%%% .. or regular document
+\documentclass[12pt,letterpaper,twoside,openright,fleqn]{report}
+\usepackage{etex}
+% \usepackage{lineno}
+% \linenumbers
+%%%% End of tech-report vs. regular
+%%%%
+
+\input{preamble}
+
+\begin{document}
+\title{\cherimcu{}: Rethinking security\\ for low-cost embedded systems \\
+ {\large Microsoft Technical Report MSR-TR-2023-6}}
+\author{
+ \parbox{\linewidth}{\centering%
+ Saar~Amar,
+ Tony~Chen,
+ David~Chisnall,
+ Felix~Domke,
+ Nathaniel~Wesley~Filardo,
+ Kunyan~Liu,
+ Robert~M.~Norton,
+ Yucong~Tao,
+ Robert~N.~M.~Watson,
+ Hongyan~Xia
+ }%
+}
+
+\begin{minipage}[h]{\textwidth}
+ \vspace{-.2cm}
+ \maketitle
+\end{minipage}
+
+\normalsize
+
+%% For revisions sent for editing, prefer double spacing.
+%\doublespacing
+%%
+
+\clearpage
+
+\chapter*{Abstract}
+
+Small embedded cores have little area to spare for security features and yet must often run code written in unsafe languages and, increasingly, are exposed to the hostile Internet.
+CHERIoT  (Capability Hardware Extension to RISC-V for Internet of Things) builds on top of CHERI and RISC-V to provide an ISA and software model that lets software depend on object-granularity spatial memory safety, deterministic use-after-free protection, and lightweight compartmentalization exposed directly to the C/C++ language model.
+This can run existing embedded software components on a clean-slate RTOS that scales up to large numbers of isolated (yet securely communicating) compartments, even on systems with under 256 KiB of SRAM.
+
+\clearpage
+
+\input{acknowledgments}
+
+\clearpage
+
+\input{LICENSE-sail-cheri-riscv}
+
+\clearpage
+
+\input{LICENSE-sail-riscv}
+
+\clearpage
+
+\tableofcontents
+
+\part{Software model and toolchain}
+\label{part:sw}
+
+\input{chap-intro}
+\input{chap-compartment-model}
+\input{chap-cheri-rtos}
+\input{chap-language-extensions}
+\input{chap-abi}
+\input{chap-weaknesses}
+
+\part{Architecture specification}
+\label{part:isa}
+
+\input{chap-cheri-riscv}
+\input{app-isaquick-riscv}
+\input{chap-isaref-riscv}
+
+\appendix
+
+\input{chap-encoding-sail}
+\input{chap-permissions}
+\input{chap-altbounds}
+\input{chap-compressed-changes}
+\input{app-related}
+
+% \glsaddall
+% \printglossaries
+
+\cleardoublepage
+\phantomsection
+\addcontentsline{toc}{chapter}{Bibliography}
+\printbibliography
+
+%\chapter*{Index}
+
+\end{document}
diff --git a/archdoc/def-riscv-insns-macros.tex b/archdoc/def-riscv-insns-macros.tex
new file mode 100644
index 0000000..fba4291
--- /dev/null
+++ b/archdoc/def-riscv-insns-macros.tex
@@ -0,0 +1,319 @@
+\ifcsname @def@riscv@insns@macros@tex\endcsname
+ \ea\endinput
+\fi
+\ea\gdef\csname @def@riscv@insns@macros@tex\endcsname{1}
+
+\makeatletter
+% class func name tablestr
+\newcommand{\@rvcheriencdef}[4]{%
+ \ea\ifx\csname @rvcheri@enc@func2name@#1@\the\numexpr(#2)\endcsname\relax%
+ \csgdef{@rvcheri@enc@func2name@#1@\the\numexpr(#2)}{#3}%
+ \csgdef{@rvcheri@enc@func2tablestr@#1@\the\numexpr(#2)}{#4}%
+ \else%
+ \def\@rvcheriencdef@duperror##1{%
+ \GenericError{[RISC-V (#1)] }{Duplicate encoding}{%
+ [RISC-V (#1)] Function code 0x##1 for #3\MessageBreak%
+ is already assigned to \csname @rvcheri@enc@func2name@#1@\the\numexpr(#2)\endcsname%
+ }{}%
+ }%
+ \ea\@rvcheriencdef@duperror\ea{\hex{\the\numexpr(#2)}}%
+ \fi%
+}
+\newcommand{\@rvcheriencusetablestr}[2]{\csuse{@rvcheri@enc@func2tablestr@#1@\the\numexpr(#2)}}
+\newcommand{\@rvcherimakeencusetablestrcmd}[1]{%
+ \ea\newcommand\csname @rvcheriencusetablestr@#1\endcsname[1]{%
+ \@rvcheriencusetablestr{#1}{##1}%
+ }%
+}
+\@rvcherimakeencusetablestrcmd{top}
+\@rvcherimakeencusetablestrcmd{srcsrcdest}
+\@rvcherimakeencusetablestrcmd{srcsrc}
+\@rvcherimakeencusetablestrcmd{src}
+\@rvcherimakeencusetablestrcmd{srcdest}
+\@rvcherimakeencusetablestrcmd{dest}
+\@rvcherimakeencusetablestrcmd{expload}
+\@rvcherimakeencusetablestrcmd{expstore}
+
+\let\@rvcherisubclass@tablesuffix\@empty
+\define@key{@rvcherisubclass}{tablesuffix}{\def\@rvcherisubclass@tablesuffix{#1}}
+\newcommand{\rvcherisubclass}[4][]{{%
+ \setkeys{@rvcherisubclass}{#1}%
+ \def\@rvcheriencdef@partial##1{\@rvcheriencdef{#2}{"#3}{#4}{#4##1}}%
+ \ea\@rvcheriencdef@partial\ea{\@rvcherisubclass@tablesuffix}%
+}}
+
+\newbool{@rvcheri@header}
+\newcommand{\rvcheriheader}{\booltrue{@rvcheri@header}}
+\newcommand{\@rvcheri@ifheader}[1]{%
+ \ifbool{@rvcheri@header}{%
+ \global\boolfalse{@rvcheri@header}%
+ #1%
+ }{}%
+}
+\newcommand{\@rvcherisrcsrcdest}[4]{
+ \begin{bytefield}{32}
+ \@rvcheri@ifheader{%
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,31}\\
+ }%
+ \bitbox{7}{#1}
+ \bitbox{5}{#4}
+ \bitbox{5}{#3}
+ \bitbox{3}{0x0}
+ \bitbox{5}{#2}
+ \bitbox{7}{0x5b}
+ \end{bytefield}%
+}
+\newcommand{\@rvcherisrcsrcdestimm}[4]{
+ \begin{bytefield}{32}
+ \@rvcheri@ifheader{%
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,31}\\
+ }%
+ \bitbox{12}{#4[11:0]}
+ \bitbox{5}{#3}
+ \bitbox{3}{#1}
+ \bitbox{5}{#2}
+ \bitbox{7}{0x5b}
+ \end{bytefield}%
+}
+\newcommand{\@rvcherisrcsrcdestclear}[4]{
+ \begin{bytefield}{32}
+ \@rvcheri@ifheader{%
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,17,18,19,20,24,25,31}\\
+ }%
+ \bitbox{7}{#1}
+ \bitbox{5}{#4}
+ \bitbox{2}{#3}
+ \bitbox{3}{#2$_{[7:5]}$}
+ \bitbox{3}{0x0}
+ \bitbox{5}{#2$_{[4:0]}$}
+ \bitbox{7}{0x5b}
+ \end{bytefield}%
+}
+
+\newcommand{\@rvcherisrcsrc}[3]{\@rvcherisrcsrcdest{0x7e}{#1}{#2}{#3}}
+\newcommand{\@rvcherisrc}[2]{\@rvcherisrcsrc{0x1f}{#2}{#1}}
+\newcommand{\@rvcherisrcdest}[3]{\@rvcherisrcsrcdest{0x7f}{#2}{#3}{#1}}
+\newcommand{\@rvcheridest}[2]{\@rvcherisrcdest{0x1f}{#2}{#1}}
+\newcommand{\@rvcheriscr}[4]{\@rvcherisrcsrcdest{#1}{#2}{#4}{#3}}
+\newcommand{\@rvchericlear}[1]{\@rvcherisrcsrcdestclear{0x7f}{m}{q}{#1}}
+\newcommand{\@rvcheristorever}[3]{\@rvcherisrcsrcdest{0x7e}{#1}{#3}{#2}}
+\newcommand{\@rvcheriexpload}[3]{\@rvcherisrcsrcdest{0x7d}{#2}{#3}{#1}}
+\newcommand{\@rvcheriexpstore}[3]{\@rvcherisrcsrcdest{0x7c}{#1}{#3}{#2}}
+\newcommand{\@rvcheriexpstorecond}[4]{\@rvcherisrcsrcdest{0x7c}{#1}{#4}{#2/#3}}
+
+\newcommand{\@rvcheriasmdef}[2]{%
+ \ea\ifx\csname @rvcheri@asm@#1\endcsname\relax%
+ \csgdef{@rvcheri@asm@#1}{#2}%
+ \else%
+ \def\@rvcheriasmdef@duperror##1{%
+ \GenericError{[RISC-V] }{Duplicate assembly ID}{%
+ [RISC-V] Instruction ID ##1 already has an assembly definition%
+ }%
+ }%
+ \@rvcheriasmdef@duperror{#1}%
+ \fi%
+}
+
+\newcommand{\@rvcheriasmencdef}[3]{%
+ \ifthenelse{\equal{\@rvcheriinsn@noref}{true}}{%
+ \def\@rvcheriasmencdef@insnref{rvcheriasminsnnoref}%
+ }{%
+ \def\@rvcheriasmencdef@insnref{rvcheriasminsnref}%
+ }%
+ \ifthenelse{\equal{\@rvcheriinsn@name}{}}{%
+ }{%
+ \ea\def%
+ \ea\@rvcheriasmencdef@asm@partial%
+ \ea##\ea1%
+ \ea{%
+ \csname rvcheriasmfmt\ea\ea\ea\endcsname%
+ \ea\ea\ea[\ea\@rvcheriinsn@restriction\ea]\ea{%
+ \csname\@rvcheriasmencdef@insnref\endcsname{##1} #3}}%
+ \ea\ea\ea\def%
+ \ea\ea\ea\@rvcheriasmencdef@asm%
+ \ea\ea\ea{%
+ \ea\@rvcheriasmencdef@asm@partial%
+ \ea{\@rvcheriinsn@name}}%
+ \ea\ea\ea\@rvcheriasmdef\ea\ea\ea{\ea\@rvcheriinsn@id\ea}\ea{\@rvcheriasmencdef@asm}%
+ \ifthenelse{\equal{\@rvcheriinsn@id}{\@rvcheriinsn@shortid}}{%
+ }{%
+ \ea\ea\ea\@rvcheriasmdef\ea\ea\ea{\ea\@rvcheriinsn@shortid\ea}\ea{\@rvcheriasmencdef@asm}%
+ }%
+ \ifthenelse{\equal{\@rvcheriinsn@notable}{true}}{%
+ }{%
+ \def\@rvcheriasmencdef@rvcheriencdef@partial{\@rvcheriencdef{#1}{#2}}%
+ \ea\def\ea\@rvcheriasmencdef@hypershortname\ea{%
+ \csname\@rvcheriasmencdef@insnref\ea\endcsname\ea*\ea{\@rvcheriinsn@shortname}%
+ }%
+ \ea\ea\ea\def\ea\ea\ea\@rvcheriasmencdef@tablestr\ea\ea\ea{%
+ \ea\@rvcheriasmencdef@hypershortname\@rvcheriinsn@tablesuffix%
+ }%
+ \ea\ea\ea\@rvcheriasmencdef@rvcheriencdef@partial%
+ \ea\ea\ea{%
+ \ea\@rvcheriinsn@name%
+ \ea}%
+ \ea{%
+ \ea\unexpanded\ea{\@rvcheriasmencdef@tablestr}%
+ }%
+ }%
+ }%
+}
+
+\let\@rvcheriinsn@name\@empty
+\def\@rvcheriinsn@noref{false}
+\def\@rvcheriinsn@notable{false}
+\def\@rvcheriinsn@rawfunc{false}
+\let\@rvcheriinsn@tablesuffix\@empty
+\define@key{@rvcheriinsn}{name}{\def\@rvcheriinsn@name{#1}}
+\define@key{@rvcheriinsn}{noref}[true]{\def\@rvcheriinsn@noref{#1}}
+\define@key{@rvcheriinsn}{notable}[true]{\def\@rvcheriinsn@notable{#1}}
+\define@key{@rvcheriinsn}{rawfunc}[true]{\def\@rvcheriinsn@rawfunc{#1}}
+\define@key{@rvcheriinsn}{restriction}{\def\@rvcheriinsn@restriction{#1}}
+\define@key{@rvcheriinsn}{shortname}{\def\@rvcheriinsn@shortname{#1}}
+\define@key{@rvcheriinsn}{tablesuffix}{\def\@rvcheriinsn@tablesuffix{#1}}
+\def\@rvcheriinsnsetkeys#1{%
+ \setkeys{@rvcheriinsn}{#1}%
+ \ea\ifx\csname @rvcheriinsn@shortname\endcsname\relax%
+ \let\@rvcheriinsn@shortname\@rvcheriinsn@name%
+ \fi%
+ \ea\ifx\csname @rvcheriinsn@name\endcsname\relax%
+ \else%
+ \ea\def\ea\@rvcheriinsn@id\ea{\@rvcheriinsn@name}%
+ \ea\def\ea\@rvcheriinsn@shortid\ea{\@rvcheriinsn@shortname}%
+ \ea\ifx\csname @rvcheriinsn@restriction\endcsname\relax%
+ \let\@rvcheriinsn@restriction\@empty%
+ \else%
+ \ea\ea\ea\def\ea\ea\ea\@rvcheriinsn@id\ea\ea\ea{\ea\@rvcheriinsn@id\ea:\@rvcheriinsn@restriction}%
+ \ea\ea\ea\def\ea\ea\ea\@rvcheriinsn@shortid\ea\ea\ea{\ea\@rvcheriinsn@shortid\ea:\@rvcheriinsn@restriction}%
+ \fi%
+ \fi%
+}
+\def\@rvcheriinsnfmtfunc#1{%
+ \ifthenelse{\equal{\@rvcheriinsn@rawfunc}{true}}{%
+ #1%
+ }{%
+ 0x\lowercase{#1}%
+ }%
+}
+
+\newcommand{\@rvcheribitboxdef@single}[2]{%
+ \ea\ifx\csname @rvcheri@bitbox@#1\endcsname\relax%
+ \csgdef{@rvcheri@bitbox@#1}{#2}%
+ \else%
+ \def\@rvcheribitboxdef@duperror##1{%
+ \GenericError{[RISC-V] }{Duplicate bitbox ID}{%
+ [RISC-V] Instruction ID ##1 already has a bitbox definition%
+ }%
+ }%
+ \@rvcheribitboxdef@duperror{#1}%
+ \fi%
+}
+
+\newcommand{\@rvcheribitboxdef}[1]{%
+ \ea\@rvcheribitboxdef@single\ea{\@rvcheriinsn@id}{#1}%
+ \ifthenelse{\equal{\@rvcheriinsn@id}{\@rvcheriinsn@shortid}}{%
+ }{%
+ \ea\@rvcheribitboxdef@single\ea{\@rvcheriinsn@shortid}{#1}%
+ }%
+}
+
+\def\@rvcherirawbitbox#1{%
+ \csname @rvcheri#1\endcsname%
+}
+\let\rvcherirawbitbox\@rvcherirawbitbox
+
+\newcommand{\rvcherisrcsrcdest}[5][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{srcsrcdest}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}{#5}}%
+ \@rvcheriasmencdef{srcsrcdest}{"#2}{#3, #4, #5}%
+}}
+\newcommand{\rvcherisrcsrcdestimm}[5][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{srcsrcdestimm}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}{#5}}%
+ \@rvcheriasmencdef{top}{"#2}{#3, #4, #5}%
+}}
+\newcommand{\rvcherisrcsrc}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{srcsrc}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{srcsrc}{"#2}{#3, #4}%
+}}
+\newcommand{\rvcherisrc}[3][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{src}{\@rvcheriinsnfmtfunc{#2}}{#3}}%
+ \@rvcheriasmencdef{src}{"#2}{#3}%
+}}
+\newcommand{\rvcherisrcdest}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{srcdest}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{srcdest}{"#2}{#3, #4}%
+}}
+\newcommand{\rvcheridest}[3][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{dest}{\@rvcheriinsnfmtfunc{#2}}{#3}}%
+ \@rvcheriasmencdef{dest}{"#2}{#3}%
+}}
+
+\newcommand{\rvcheriscr}[5][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{scr}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}{#5}}%
+ \@rvcheriasmencdef{srcsrcdest}{"#2}{#3, #4, #5}%
+}}
+\newcommand{\rvchericlear}[2][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{clear}{\@rvcheriinsnfmtfunc{#2}}}%
+ \@rvcheriasmencdef{srcdest}{"#2}{q(uarter), m(ask)}%
+}}
+
+\newcommand{\rvcheristorever}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{storever}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{srcsrc}{"#2}{#3, #4}%
+}}
+
+\newcommand{\rvcheriexpload}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{expload}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{expload}{"#2}{#3, #4}%
+}}
+\newcommand{\rvcheriexploadres}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{expload}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{expload}{"#2}{#3, #4}%
+}}
+\newcommand{\rvcheriexpstore}[4][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{expstore}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}}%
+ \@rvcheriasmencdef{expstore}{"#2}{#3, #4}%
+}}
+\newcommand{\rvcheriexpstorecond}[5][]{{%
+ \@rvcheriinsnsetkeys{#1}%
+ \@rvcheribitboxdef{\@rvcherirawbitbox{expstorecond}{\@rvcheriinsnfmtfunc{#2}}{#3}{#4}{#5}}%
+ \@rvcheriasmencdef{expstore}{"#2}{#4, #5}%
+}}
+
+\newcommand{\rvcheribitbox}[1]{%
+ \ea\ifx\csname @rvcheri@bitbox@#1\endcsname\relax%
+ \def\rvcheribitbox@unknownerr##1{%
+ \GenericError{[RISC-V] }{Unkn
own bitbox ID}{%
+ [RISC-V] Instruction ID ##1 has no known bitbox definition%
+ }{}%
+ }%
+ \rvcheribitbox@unknownerr{#1}%
+ \else%
+ \csname @rvcheri@bitbox@#1\endcsname%
+ \fi%
+}
+
+\newcommand{\rvcheriasm}[1]{%
+ \ea\ifx\csname @rvcheri@asm@#1\endcsname\relax%
+ \def\rvcheriasm@unknownerr##1{%
+ \GenericError{[RISC-V] }{Unknown assembly ID}{%
+ [RISC-V] Instruction ID ##1 has no known assembly definition%
+ }{}%
+ }%
+ \rvcheriasm@unknownerr{#1}%
+ \else%
+ \csname @rvcheri@asm@#1\endcsname%
+ \fi%
+}
+\makeatother
diff --git a/archdoc/def-riscv-insns.tex b/archdoc/def-riscv-insns.tex
new file mode 100644
index 0000000..54cade0
--- /dev/null
+++ b/archdoc/def-riscv-insns.tex
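Review bot: The duplicate-ID error paths in `\@rvcheriasmdef` and `\@rvcheribitboxdef@single` hand `\GenericError` only three brace groups, whereas the other three call sites in this file (`\@rvcheriencdef`, `\rvcheribitbox`, `\rvcheriasm`) close with an empty fourth help-text argument as `}{}%`. `\GenericError` takes four arguments, so in the duplicate case it will most likely grab the token that follows, the `\fi` closing the `\ifx`, and the build dies on an unbalanced conditional instead of the intended "Duplicate assembly ID" / "Duplicate bitbox ID" message. These checks are what stops two instructions from silently sharing a mnemonic or bitfield definition in the reference chapter, so the one-character fix is worth making in both places: change the closing line of each help text from `+ }%` to `+ }{}%`, then force a duplicate once to confirm the message comes out cleanly. Separately, `\rvcheriexploadres` is byte-for-byte the same as `\rvcheriexpload`; if the reserved variant is meant to render differently, a one-line comment above it saying what is still to be done would stop a reader from assuming the copy is intentional.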
@@ -0,0 +1,66 @@
+\ifcsname @def@riscv@insns@tex\endcsname
+ \ea\endinput
+\fi
+\ea\gdef\csname @def@riscv@insns@tex\endcsname{1}
+
+\input{def-riscv-insns-macros}
+
+\rvcherisubclass{top}{0}{Two Source \& Dest}
+
+\rvcherisubclass{srcsrcdest}{7C}{Stores}
+\rvcherisubclass{srcsrcdest}{7D}{Loads}
+\rvcherisubclass{srcsrcdest}{7E}{Two Source}
+\rvcherisubclass{srcsrcdest}{7F}{Source \& Dest}
+
+\rvcherisubclass{srcsrc}{1F}{One Source}
+
+\rvcherisubclass{srcdest}{1F}{Dest-Only}
+
+\rvcherisrcdest[name=CGetPerm]{0}{rd}{cs1}
+\rvcherisrcdest[name=CGetType]{1}{rd}{cs1}
+\rvcherisrcdest[name=CGetBase]{2}{rd}{cs1}
+\rvcherisrcdest[name=CGetLen]{3}{rd}{cs1}
+\rvcherisrcdest[name=CGetTag]{4}{rd}{cs1}
+\rvcherisrcdest[name=CGetAddr]{F}{rd}{cs1}
+\rvcherisrcdest[name=CGetHigh]{17}{rd}{cs1}
+\rvcherisrcdest[name=CGetTop]{18}{rd}{cs1}
+
+\rvcherisrcsrcdest[name=CSeal]{B}{cd}{cs1}{cs2}
+\rvcherisrcsrcdest[name=CUnseal]{C}{cd}{cs1}{cs2}
+\rvcherisrcsrcdest[name=CAndPerm]{D}{cd}{cs1}{rs2}
+\rvcherisrcsrcdest[name=CSetAddr]{10}{cd}{cs1}{rs2}
+\rvcherisrcsrcdest[name=CIncAddr]{11}{cd}{cs1}{rs2}
+\rvcherisrcsrcdestimm[name=CIncAddrImm]{1}{cd}{cs1}{imm}
+\rvcherisrcsrcdest[name=CSetBounds]{8}{cd}{cs1}{rs2}
+\rvcherisrcsrcdest[name=CSetBoundsExact]{9}{cd}{cs1}{rs2}
+\rvcherisrcsrcdestimm[name=CSetBoundsImm]{2}{cd}{cs1}{uimm}
+\rvcherisrcsrcdest[name=CSetHigh]{16}{cd}{cs1}{rs2}
+\rvcherisrcdest[name=CClearTag]{B}{cd}{cs1}
+% \rvcherisrcsrcdest[name=CRelocate,noref,tablesuffix=\rvcherireservedfootnotemark]{15}{cd}{cs1}{rs2}
+
+\rvcherisrcsrcdest[name=CSub]{14}{rd}{cs1}{cs2}
+\rvcherisrcdest[name=CMove]{A}{cd}{cs1}
+
+\rvcherisrcsrcdest[name=CTestSubset]{20}{rd}{cs1}{cs2}
+\rvcherisrcsrcdest[name=CSetEqualExact,shortname=CSEQX]{21}{rd}{cs1}{cs2}
+
+\rvcheriscr[name=CSpecialRW]{1}{cd}{scr}{cs1}
+
+\rvcherisrcdest[name=CRoundRepresentableLength,shortname=CRRL]{8}{rd}{rs1}
+\rvcherisrcdest[name=CRepresentableAlignmentMask,shortname=CRAM]{9}{rd}{rs1}
+
+% \rvcheriexploadres[name=LR.B.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{18}{rd}{cs1}
+% \rvcheriexploadres[name=LR.H.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{19}{rd}{cs1}
+% \rvcheriexploadres[name=LR.W.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{1A}{rd}{cs1}
+% \rvcheriexploadres[name=LR.C.CAP,restriction=RV32,noref,tablesuffix=\rvcheriatomicfootnotemark,notable]{1B}{cd}{cs1}
+% \rvcheriexploadres[name=LR.D.CAP,restriction=RV64/128,noref,tablesuffix=\rvcheriatomicfootnotemark]{1B}{rd}{cs1}
+% \rvcheriexploadres[name=LR.C.CAP,restriction=RV64,noref,tablesuffix=\rvcheriatomicfootnotemark,notable]{1C}{cd}{cs1}
+% \rvcheriexploadres[name=LR.Q.CAP,restriction=RV128,noref,tablesuffix=\rvcheriatomicfootnotemark]{1C}{rd}{cs1}
+
+% \rvcheriexpstorecond[name=SC.B.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{18}{rd}{rs2}{cs1}
+% \rvcheriexpstorecond[name=SC.H.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{19}{rd}{rs2}{cs1}
+% \rvcheriexpstorecond[name=SC.W.CAP,noref,tablesuffix=\rvcheriatomicfootnotemark]{1A}{rd}{rs2}{cs1}
+% \rvcheriexpstorecond[name=SC.C.CAP,restriction=RV32,noref,tablesuffix=\rvcheriatomicfootnotemark,notable]{1B}{cd}{cs2}{cs1}
+% \rvcheriexpstorecond[name=SC.D.CAP,restriction=RV64/128,noref,tablesuffix=\rvcheriatomicfootnotemark]{1B}{rd}{rs2}{cs1}
+% \rvcheriexpstorecond[name=SC.C.CAP,restriction=RV64,noref,tablesuffix=\rvcheriatomicfootnotemark,notable]{1C}{cd}{cs2}{cs1}
+% \rvcheriexpstorecond[name=SC.Q.CAP,restriction=RV128,noref,tablesuffix=\rvcheriatomicfootnotemark]{1C}{rd}{rs2}{cs1}
diff --git a/archdoc/fig-representable-regions.tex b/archdoc/fig-representable-regions.tex
new file mode 100644
index 0000000..5faaf7a
--- /dev/null
+++ b/archdoc/fig-representable-regions.tex
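Review bot: The reserved encodings appear in this table only as commented-out entries (`CRelocate` at funct 0x15 in the srcsrcdest class, the `LR.*.CAP`/`SC.*.CAP` forms at 0x18–0x1C), so the duplicate-encoding check that `\@rvcheriencdef` performs when an entry is registered never learns about them, and a new instruction later assigned one of those codes would be accepted without complaint. If the footnote-mark macros exist in the preamble (they are outside this hunk), the safer shape is an active entry that registers the code but is visibly marked reserved, as the commented `CRelocate` line already sketches with `noref,tablesuffix=\rvcherireservedfootnotemark`; note that `notable` is not the key for this, since the macros skip `\@rvcheriencdef` entirely when it is set. Failing that, a comment at the head of the table such as `% Reserved function codes, do not reuse: srcsrcdest 0x15 (CRelocate); expload/expstore 0x18-0x1C (LR/SC .CAP)` records the constraint where the next author adding an encoding will see it.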
@@ -0,0 +1,100 @@
+\documentclass[tikz]{standalone}
+\input{preamble} % include all the common macros and font settings
+
+\colorlet{fred}{red!60}
+\colorlet{fgreen}{olive!40!green}
+\colorlet{famber}{orange!60}
+\colorlet{dred}{red!60}
+\colorlet{dgreen}{olive!40!green}
+\colorlet{damber}{orange!80}
+
+\begin{document}
+
+\begin{tikzpicture}[x=\linewidth/15,y=\linewidth/15]
+
+% parameter coordinates
+\coordinate (redbl) at (0,0);
+\coordinate (redtr) at (1,7);
+\coordinate (repbl) at (0,12 / 16 * 7 / 2);
+\coordinate (reptr) at (1,28 / 16 * 7 / 2);
+\coordinate (derbl) at (0.3,14 / 16 * 7 / 2); % Not to scale, but close, so example labels don't merge
+\coordinate (dertr) at (1 ,20 / 16 * 7 / 2);
+\def\extextx{-4} % Example Text X
+\def\slubracex{-2.25}% Space {L,U} brace X
+\def\sluseplx{-2} % Space {L,U} sep left X
+\def\sluarrx{-1.5} % Space {L,U} arrow X
+\def\srseplx{-1} % Space R sep left X
+\def\srarrx{-0.5} % Space R arrow X
+\def\rlabelx{-0.3} % R phase label x
+\def\sdseplx{0.3} % Space D sep left X
+\def\sdseprx{1.5} % Space D sep right X
+\def\srseprx{1.5} % Space R sep right X
+\def\sluseprx{2} % Space {L,U} sep right X
+\def\srbracex{2.25} % Space R brace X
+\def\sdbracex{2.5} % Space D brace X
+
+% central rectangles
+\filldraw[pattern=crosshatch, pattern color=fred, draw=dred, thick] (redbl) rectangle coordinate (redc) (redtr);
+\draw[preaction={fill, white}, pattern=north west lines, pattern color=famber, draw=damber, thick] (repbl) rectangle (reptr);
+\draw[preaction={fill, white}, pattern=north east lines, pattern color=fgreen, draw=dgreen, thick] (derbl) rectangle (dertr);
+
+% dereferencable region (space D) labels
+\coordinate (sdseplx) at (\sdseplx,0);
+\coordinate (sdseprx) at (\sdseprx,0);
+\draw[dgreen] (sdseplx |- derbl) -- (sdseprx |- derbl) node [pos=1,anchor=base west] {$b$};
+\draw[dgreen] (sdseplx |- dertr) -- (sdseprx |- dertr) node [pos=1,anchor=base west] {$t$};
+\coordinate (sdbracex) at (\sdbracex,0);
+\draw[dgreen,decoration={brace,mirror},decorate] (sdbracex |- derbl) -- (sdbracex |- dertr) node [midway,anchor=west,align=left,xshift=5pt] {dereferenceable\\region};
+
+% represenatable region (space R) labels
+\coordinate (srseplx) at (\srseplx,0);
+\coordinate (srseprx) at (\srseprx,0);
+\coordinate (srarrx) at (\srarrx,0);
+\draw[damber] (srseplx |- repbl) -- (srseprx |- repbl) node [pos=1,anchor=base west] {$r_b$};
+\draw[damber] (srseplx |- reptr) -- (srseprx |- reptr) node [pos=1,anchor=base west] {$r_t$};
+\draw[<->,thick,damber] (srarrx |- repbl) -- (srarrx |- reptr) node [midway,left]{$s$};
+\coordinate (srbracex) at (\srbracex,0);
+\draw[damber,decoration={brace,mirror,aspect=.85},decorate] (srbracex |- repbl) -- (srbracex |- reptr) node [pos=.85,anchor=west,align=left,xshift=5pt] {representable\\space, $space_\text{R}$};
+
+\coordinate (rlabelx) at (\rlabelx,0);
+\draw[<->,thick,dashed,damber] (rlabelx |- redbl) -- (rlabelx |- repbl) node [midway,left=-2pt] {\footnotesize $R 2^{E}$} ;
+
+\coordinate (multextbase) at ({(\sluseprx,0)} |- redbl);
+\node[anchor=base west,inner sep=0pt,black,align=left] at ($(multextbase)+(0.25,0)$) {multiple of $s = 2^{E+14}$};
+
+\coordinate (extextx) at (\extextx,0);
+\node[anchor=base east,gray] (exbase) at (extextx |- redbl) {\footnotesize\texttt{0x10000}};
+\draw[dotted,gray] (exbase.base east) -- ({(\sluseplx,0)} |- redbl) ;
+\node[anchor=base east,gray] (exsmid) at (extextx |- redc) {\footnotesize\texttt{0x20000}};
+\draw[dotted,gray] (exsmid.base east) -- ({(\sluseplx,0)} |- redc);
+\node[anchor=north,gray,inner sep=0pt] (exshi) at (redtr -| exsmid) {\footnotesize\texttt{0x30000}};
+\draw[dotted,gray] (exshi.north east -| exsmid.east) -- ({(\sluseplx,0)} |- redtr);
+
+\node[anchor=base east,gray] (exrb) at (extextx |- repbl) {\footnotesize\texttt{0x1C000}};
+\draw[dotted,gray] (exrb.base east) -- ({(\srseplx,0)} |- repbl);
+
+\node[anchor=base east,gray] (exrb) at (extextx |- derbl) {\footnotesize\texttt{0x1E000}};
+\draw[dotted,gray] (exrb.base east) -- ({(\sdseplx,0)} |- derbl);
+
+\node[anchor=base east,gray] (exrb) at (extextx |- dertr) {\footnotesize\texttt{0x24000}};
+\draw[dotted,gray] (exrb.base east) -- ({(\sdseplx,0)} |- dertr);
+
+\node[anchor=base east,gray] (exrb) at (extextx |- reptr) {\footnotesize\texttt{0x2C000}};
+\draw[dotted,gray] (exrb.base east) -- ({(\srseplx,0)} |- reptr);
+
+% space L,U partiton lines
+\draw[black] ({(\sluseplx,0)} |- redbl) -- ({(\sluseprx,0)} |- redbl);
+\draw[black] ({(\sluseplx,0)} |- redc) -- ({(\sluseprx,0)} |- redc);
+\draw[black] ({(\sluseplx,0)} |- redtr) -- ({(\sluseprx,0)} |- redtr);
+\draw[<->,thick,black,xshift=-.5pt] ({(\sluarrx,0)} |- redbl) -- ({(\sluarrx,0)} |- redc) node [midway,left] {$s$} ;
+\draw[<->,thick,black,xshift=.5pt] ({(\sluarrx,0)} |- redc) -- ({(\sluarrx,0)} |- redtr) node [midway,left] {$s$} ;
+
+% space label braces
+\coordinate (spacebraceb) at ({(\slubracex,0)} |- redbl);
+\coordinate (spacebracem) at (spacebraceb |- redc);
+\coordinate (spacebracet) at (spacebraceb |- redtr);
+\draw[decoration={brace},decorate] (spacebraceb) -- (spacebracem) node [midway,left] {$space_\text{L}$};
+\draw[decoration={brace},decorate] (spacebracem) -- (spacebracet) node [midway,left] {$space_\text{U}$};
+
+\end{tikzpicture}
+\end{document}
diff --git a/archdoc/fig-sentry-plt.tex b/archdoc/fig-sentry-plt.tex
new file mode 100644
index 0000000..928962f
--- /dev/null
+++ b/archdoc/fig-sentry-plt.tex
@@ -0,0 +1,43 @@
+\documentclass[tikz]{standalone}
+\input{preamble} % include all the common macros and font settings
+
+\begin{document}
+\begin{tikzpicture}
+
+ \matrix [row sep=20pt, column sep=10pt] {
+ %
+ \node[draw] (i1w) {instance 1 read-write region} ;
+ %
+ & \node[draw] (ro) {read-only region} ;
+ %
+ & \node[draw] (i2w) {instance 2 read-write region} ;
+ %
+ \\
+ %
+ \node[draw] (i1p) {instance 1 PLT} ;
+ %
+ &
+ %
+ & \node[draw] (i2p) {instance 2 PLT} ; \\
+ %
+ } ;
+
+ \draw [->] (i1p) -| (ro.230) ;
+ \draw [->] (i2p) -| (ro.300) ;
+
+ \draw [dotted,->] ([xshift=-10pt]i1w.south) -- ([xshift=-20pt]i1p.north) ;
+ \draw [->] ([xshift=20pt]i1p.north) -- ([xshift=10pt]i1w.south) ;
+
+ \draw [dotted,->] ([xshift=-10pt]i2w.south) -- ([xshift=-20pt]i2p.north) ;
+ \draw [->] ([xshift=20pt]i2p.north) -- ([xshift=10pt]i2w.south) ;
+
+ \coordinate (i1s) at ([xshift=-05pt,yshift=-10pt]i1p.south) {} ; \draw [->] (i1s) -- ([xshift=-05pt]i1p.south) ;
+ \coordinate (i1s) at ([xshift=-10pt,yshift=-10pt]i1p.south) {} ; \draw [->] (i1s) -- ([xshift=-10pt]i1p.south) ;
+ \coordinate (i1s) at ([xshift=-15pt,yshift=-10pt]i1p.south) {} ; \draw [->] (i1s) -- ([xshift=-15pt]i1p.south) ;
+
+ \coordinate (i2s) at ([xshift=-05pt,yshift=-10pt]i2p.south) {} ; \draw [->] (i2s) -- ([xshift=-05pt]i2p.south) ;
+ \coordinate (i2s) at ([xshift=-10pt,yshift=-10pt]i2p.south) {} ; \draw [->] (i2s) -- ([xshift=-10pt]i2p.south) ;
+ \coordinate (i2s) at ([xshift=-15pt,yshift=-10pt]i2p.south) {} ; \draw [->] (i2s) -- ([xshift=-15pt]i2p.south) ;
+
+\end{tikzpicture}
+\end{document}
diff --git a/archdoc/fig-type-token.tex b/archdoc/fig-type-token.tex
new file mode 100644
index 0000000..59c4b0d
--- /dev/null
+++ b/archdoc/fig-type-token.tex
@@ -0,0 +1,84 @@
+\documentclass[tikz]{standalone}
+\input{preamble} % include all the common macros and font settings
+
+\begin{document}
+\begin{tikzpicture}
+
+ \node[draw] (pcode) at (9.5,2) {class code} ;
+
+ \matrix (pgtm) at (7,0) [matrix of nodes, inner sep=1pt, row sep=0pt, draw] {
+ unsealing right \\
+ method 1 guard \\
+ method 2 guard \\
+ };
+ \path (pgtm-1-1.south) -- (pgtm-2-1.north) coordinate (x) [midway] ; \draw (x -| pgtm.west) -- (x -| pgtm.east);
+ \path (pgtm-2-1.south) -- (pgtm-3-1.north) coordinate (x) [midway] ; \draw (x -| pgtm.west) -- (x -| pgtm.east);
+
+ \draw [->,dotted] (pgtm-1-1.east -| pgtm.east) -| (pcode.south west) ;
+ \draw [->] (pgtm-2-1 -| pgtm.east) -| ([xshift=3pt]pcode.south) ;
+ \draw [->] (pgtm-3-1 -| pgtm.east) -| ([xshift=8pt]pcode.south) ;
+
+ \matrix (pvtm) at ([xshift=-15pt]pgtm.south west) [anchor=south east, matrix of nodes, inner sep=1pt, row sep=0pt, draw] {
+ method 1 sentry\vphantom{guard} \\
+ method 2 sentry\vphantom{guard} \\
+ } ;
+ \path (pvtm-1-1.south) -- (pvtm-2-1.north) coordinate (x) [midway] ; \draw (x -| pvtm.west) -- (x -| pvtm.east);
+
+ \node [above=2pt of pvtm.north west,anchor=south west,inner sep=0pt] {\emph{VTable}:} ;
+
+ \draw [->] (pvtm-1-1 -| pvtm.east) -- (pgtm-2-1 -| pgtm.west);
+ \draw [->] (pvtm-2-1 -| pvtm.east) -- (pgtm-3-1 -| pgtm.west);
+
+ \matrix (o) at (0,0.5) [matrix of nodes, inner sep=1pt, row sep=0pt, align=center] {
+ type token \\
+ instance data \\
+ {\vphantom{x}} \\
+ {\vphantom{x}} \\
+ {\vphantom{x}} \\
+ } ;
+
+ \matrix (oh) [matrix of nodes, inner sep=1pt, row sep=0pt, draw, above=2 pt of o.north, anchor=south] {
+ VTable capability \\
+ |[align=center]{ sealed RW \\ data capability };| \\
+ } ;
+ \path (oh-1-1.south) -- (oh-2-1.north) coordinate (x) [midway] ; \draw (x -| oh.west) -- (x -| oh.east);
+
+ \draw [->] (oh-1-1 -| oh.east) -| ([xshift=-10pt]pvtm.north west) -- (pvtm.north west) ;
+
+ \node (ofit) [draw,inner sep=0pt,outer sep=0pt,fit=(o-1-1.west -|
oh.west)(o-1-1.east -| oh.east)(o)] {} ;
+ \path (o-1-1.south) -- (o-2-1.north) coordinate (x) [midway] ;
+ \draw (x -| ofit.west) -- (x -| ofit.east);
+
+ \draw [->,dotted] (o-1-1 -| ofit.east) -| (pcode.south west) ;
+
+ \draw [->] (oh-2-1 -| oh.east) -- +(5pt,0) |- (ofit.north east);
+
+ \draw [decorate,decoration={brace,amplitude=10pt,mirror},xshift=0,yshift=-4pt]
+ ([yshift=-10pt,xshift=-5pt]pvtm.south -| ofit.west) -- ([yshift=-10pt,xshift=5pt]pvtm.south -| ofit.east)
+ node [midway,below=10pt] {Per instance} ;
+
+ \matrix (pgtc) [matrix of nodes, inner sep=1pt, row sep=0pt, draw, above=55pt of pgtm.north, anchor=south east] {
+ constructor guard \\
+ sealing capability \\
+ };
+ \path (pgtc-1-1.south) -- (pgtc-2-1.north) coordinate (x) [midway] ; \draw (x -| pgtc.west) -- (x -| pgtc.east);
+
+ \draw [->,dotted] (pgtc-2-1 -| pgtc.east) -| (pcode.north west) ;
+ \draw [->] (pgtc-1-1 -| pgtc.east) -| ([xshift=-3pt]pcode.north) ;
+
+ \draw [decorate,decoration={brace,amplitude=10pt,mirror},xshift=0,yshift=-4pt]
+ ([yshift=-10pt,xshift=-5pt]pvtm.south west) -- ([yshift=-10pt,xshift=5pt]pvtm.south -| pcode.east)
+ node [midway,below=10pt] {Per class} ;
+
+ \node [anchor=east] (csentry) at ([xshift=-30pt]pgtc-1-1 -| oh.west) {constructor sentry} ;
+ \draw [->] (csentry.east) -- (pgtc-1-1 -| pgtc.west) ;
+
+ \node [anchor=east] (optr) at (csentry.east |- oh.north west) {object capability} ;
+ \draw [->] (optr.east) -- (oh.north west) ;
+
+ \draw [decorate,decoration={brace,amplitude=10pt,mirror},xshift=0,yshift=-4pt]
+ ([yshift=-10pt,xshift=-5pt]pvtm.south -| csentry.west) -- ([yshift=-10pt,xshift=5pt]pvtm.south -| optr.east)
+ node [midway,below=10pt] {Held by caller} ;
+
+ \end{tikzpicture}
+\end{document}
diff --git a/archdoc/glossary.tex b/archdoc/glossary.tex
new file mode 100644
index 0000000..41f7ee1
--- /dev/null
+++ b/archdoc/glossary.tex
@@ -0,0 +1,928 @@
+\newglossaryentry{abstract capability}
+{
+ name=abstract capability,
+ description={
+% Abstract capabilities maintain the appearance of capability
+% lifespan across operations that violate architectural \gls{capability
+% provenance}.
+% For example, abstract capabilities remain valid despite an OS kernel
+% swapping them to and from disk, which requires that any architectural
+% \gls{capability} in the swapped memory have its \gls{capability tag}
+% restored through re-derivation
+ Abstract capabilities are a conceptual abstraction that overlays the
+ concrete capabilities of the architecture to describe the intended
+ maintenance of capability lifespan across operations that violate
+ architectural \gls{capability provenance}.
+ For example, if an OS kernel
+ swaps a page containing a capability to and from disk,
+ it will have to have its \gls{capability tag}
+ restored through re-derivation, so there is no longer an
+ architectural provenance relationship between the two, but for
+ application-level reasoning it is sometimes useful to regard there
+ to be one}
+}
+
+\newglossaryentry{address}
+{
+ name=address,
+ description={An integer address suitable for dereference within an address
+ space.
+ In \gls{CHERI-MIPS}, \glspl{capability} are always interpreted in terms of
+ \glspl{virtual address}.
+ In \gls{CHERI-RISC-V}, \glspl{capability} may be interpreted as
+ \glspl{virtual address} -- or \glspl{physical address} when operating in
+ Machine Mode}
+}
+
+\longnewglossaryentry{capability}
+{
+ name=capability,
+ plural=capabilities,
+}
+{
+ A capability contains an \gls{address}, \gls{capability bounds}
+ describing a range of bytes within which addresses may be
+ \glslink{dereference}{dereferenced}, \gls{capability permissions}
+ controlling the forms of dereference that may be permitted (e.g., load or
+ store), a \gls{capability tag} protecting \gls{capability validity}
+ (integrity and \gls{capability provenance}), and a \gls{capability object type}
+ indicating whether it is a \gls{sealed capability}
+ (and, if so, under which \gls{capability object type} they are sealed)
+ or \gls{unsealed capability}.
+ The address embedded within a capability may be a \gls{virtual address} or
+ a \glspl{physical address} depending on the current addressing mode; when
+ used to authorize (un)sealing, the address is instead a
+ \gls{capability object type}.
+
+ In CHERI, capabilities are used to implement \glspl{pointer} with additional
+ protections in aid of \gls{fine-grained memory protection},
+ \gls{control-flow robustness}, and other higher-level protection models such
+ as \gls{software compartmentalization}.
+ Unlike a \gls{fat pointer}, capabilities are subject to
+ \gls{capability provenance}, ensuring that they are derived from a prior
+ valid capability only via valid manipulations, and \gls{capability
+ monotonicity}, which ensures that manipulation can lead only to
+ non-increasing rights.
+ CHERI capabilities provide strong compatibility with C-language pointers and
+ Memory Management Unit (MMU)-based system-software designs, by virtue of
+ its \gls{hybrid capability model}.
+
+ Architecturally, a capability can be viewed as an \gls{address} equal to the
+ sum of the \gls{capability base} and \gls{capability offset}, as well as
+ associated metadata.
+%\psnote{Perhaps this base/offset view should now be de-emphasised? It's
+%arguably implementation detail in any case}
+ Dereferencing a capability is done relative to that address.
+% The implementation may choose to store the pre-computed address
+% combining the base and offset, to avoid an implied addition on each memory
+% access, and to similarly store the base and length as pre-computed
+% addresses.
+ The size of an in-memory capability may be smaller than the sum of its
+ architectural fields (such as base, offset, and permissions) if a
+ \gls{compressed capability} mechanism, such as \gls{CHERI Concentrate}, is
+ used.
+
+ In the ISA, capabilities may be used explicitly via \gls{capability-based
+ instructions}, an application of the \gls{principle of intentional use},
+ but also implicitly using \glslink{legacy instructions}{legacy load
+ and store instructions} via the \gls{default data capability}, and
+ instruction fetch via the \gls{program-counter capability}.
+ A capability is either sealed or unsealed, controlling whether it has
+ software-defined or instruction-set-defined behavior, and whether or not its
+ fields are immutable.
+
+ Capabilities may be held in a \gls{capability register} in a dedicated
+ \gls{capability register file}, a \gls{merged register file}, or a
+ suitably aligned \gls{tagged memory}.
+}
+
+\newglossaryentry{capability base}
+{
+ name=capability base,
+ description={The lower of the two \gls{capability bounds}, from which
+ the \gls{address} of a \gls{capability} can be calculated by using
+ the \gls{capability offset}}
+}
+
+\newglossaryentry{capability bounds}
+{
+ name=capability bounds,
+ description={Upper and lower bounds, associated with each
+ \gls{capability}, describing a range of \glspl{address} that may
+ be \glslink{dereference}{dereferenced} via the capability.
+ Architecturally, bounds are with respect to the \gls{capability base},
+ which provides the lower bound, and \gls{capability length}, which
+ provides the upper bound when added to the base.
+ The bounds may be empty, connoting no right to dereference at any
+ address.
+ The address of a capability may float outside of the
+ dereferenceable bounds; with a \gls{compressed capability}, it may not
+ be possible to represent all possible \glslink{out of
+ bounds}{out-of-bounds} addresses.
+ Bounds may be manipulated subject to \gls{capability monotonicity}
+ using \gls{capability-based instructions}}
+}
+
+\newglossaryentry{capability length}
+{
+ name=capability length,
+ description={The distance between the lower and upper \gls{capability
+ bounds}}
+}
+
+\newglossaryentry{capability monotonicity}
+{
+ name=capability monotonicity,
+ description={Capability monotonicity is a property of the instruction set
+ that any requested manipulation of a \gls{capability}, whether in a
+ \gls{capability register} or in memory, either leads to strictly
+ non-increasing rights, clearing of the \gls{capability tag}, or a
+ hardware exception.
+ \knnote{I presume that the ``rights'' of a capability are
+ determined by its permissions and its bounds, but not by its
+ sealedness. In other words, increasing the permissions or bounds
+ of a capability would increase its rights, but unsealing a
+ capability would not increase its right. If this is correct,
+ perhaps it could help to explicitly state this here.}
+ Controlled violation of monotonicity can be achieved via the exception
+ delivery mechanism, which grants rights to additional capability
+ register, and also by the \gls{CInvoke} instruction, which may
+ unseal (and jump to) suitably checked \glspl{sealed
+ capability}.
+ \knnote{The exception delivery mechanism and the CCall instruction
+ do not violate monotonicity, since they do not increase the rights of
+ any capability.
They do violate the monotonicity of the set of
+ reachable rights (see \ref{sec:model-monotonicity}), because an
+ exception makes a capability reachable that might not have been
+ reachable before (namely the KCC) and the CCall instruction
+ unseals capabilities without needing a capability that has the
+ authority to unseal them. Perhaps it would be worth creating a
+ glossary entry for the set of reachable rights, and mention that
+ this set is monotonic as long as no exceptions are raised or
+ CCalls are executed.}}
+}
+
+\newglossaryentry{capability object type}
+{
+ name=capability object type,
+ description={In addition to \glslink{fat pointer}{fat-pointer} metadata such
+ as \gls{capability bounds} and \gls{capability permissions}, \glspl{capability} also contain an integer object type.
+ The object type space is partitioned into a range of non-reserved and
+ \gls{reserved capability object type} types.
+ The \glspl{reserved capability object type} are hardware-interpreted and
+ include \glspl{unsealed capability} or \glspl{sealed entry capability}.
+ If the object type is one of the non-\glspl{reserved capability object type},
+ the capability is a \gls{sealed capability with an object type}.
+ For \glspl{sealed capability with an object type}, the object type is set during a
+ sealing operation to the \gls{address} of the \gls{sealing capability}.
+ Object types can be used to link a sealed \gls{code capability} and a
+ sealed \gls{data capability} when used with \gls{CInvoke} to implement a
+ software object model or to implement software-defined tokens of authority}
+}
+
+\newglossaryentry{capability offset}
+{
+ name=capability offset,
+ description={The distance between \gls{capability base} and the
+ \gls{address} accessed when the \gls{capability} is used as a \gls{pointer}}
+}
+
+\newglossaryentry{capability permissions}
+{
+ name=capability permissions,
+ description={A bitmask, associated with each \gls{capability},
+ describing a set of ISA- or software-defined operations that may be
+ performed via the capability.
+ ISA-defined permissions include load data, store data, instruction fetch,
+ load capability, and store capability.
+ Permissions may be manipulated subject to \gls{capability monotonicity}
+ using \gls{capability-based instructions}}
+}
+
+\newglossaryentry{capability provenance}
+{
+ name=capability provenance,
+ description={
+% The property that, following manipulation, a \gls{capability}
+% remains valid for use only if it is derived from another valid capability
+% using a valid capability operation.
+% Provenance is implemented using a \gls{capability tag} combined with
+% \gls{capability monotonicity}, and will be preserved whether a
+% capability is held in a \gls{capability register} or \gls{tagged memory},
+% subject to suitable use of \gls{capability-based instructions}
+The property that a valid-for-use \gls{capability} can only be
+ constructed by deriving it from another valid capability
+ using a valid capability operation.
+% PS: not totally clear what a ``valid capability operation'' is. An
+% execution of a capability instruction that doesn't raise an exception?
+ Provenance is implemented using a \gls{capability tag} combined with
+ \gls{capability monotonicity},
+% PS: the text (both previous version and mine) defines provenance as
+% a property of the architecture, not ``the provenance of a
+% capability'' as the source capability or derivation chain, so we
+% can't say ``will be preserved'' like the text did.
+% Maybe we should define that more explicit notion of provenance, and
+% replace this glossary entry with one for ``capability provenance
+% preservation'', but I've not for now.
+irrespective of
+%
+whether a
+ capability is held in a \gls{capability register} or \gls{tagged memory}}
+% PS: surely ``capability provenance'' should hold universally, not only
+% ``subject to suitable use of \gls{capability-based instructions''?
+}
+
+\newglossaryentry{capability register}
+{
+ name=capability register,
+ description={A capability register is an architectural register able to hold
+ a \gls{capability} including its \gls{capability tag}, \gls{address},
+ other \glslink{fat pointer}{fat-pointer} metadata such as
+ its \gls{capability bounds} and \gls{capability permissions}, and optional
+ \gls{capability object type}.
+ Capability registers may be held in a \gls{capability register file}, a
+ \gls{merged register file}, or be a \gls{special capability register}
+ accessed by dedicated instructions.
+ A capability register might be a dedicated register intended primarily for
+ capability-related operations (e.g., the capability registers described
+ in \gls{CHERI-MIPS}), or a general-purpose integer
+ register that has been extended with capability metadata (such as the
+ \gls{program-counter capability}, or the capability registers described in
+ \gls{CHERI-RISC-V} when using a merged register file).
+ Capability registers must be used to retain tag bits on capabilities
+ transiting through memory, as only \gls{capability-based instructions}
+ enforce \gls{capability provenance} and \gls{capability monotonicity}}
+}
+
+\newglossaryentry{capability register file}
+{
+ name=capability register file,
+ description={The capability register file is a register file dedicated to
+ holding general-purpose \glspl{capability}, in contrast to a \gls{merged
+ register file}, in which general-purpose integer registers are extended to
+ be able to hold tagged capabilities.
+ Some general-purpose capability registers have well-known conventions for
+ their use in software, including the \gls{return capability} and the
+ \gls{stack capability}}
+}
+
+\newglossaryentry{capability tag}
+{
+ name=capability tag,
+ description={A capability tag is a 1-bit integrity tag associated with each
+ \gls{capability register}, and also with each capability-sized,
+ capability-aligned location in memory.
+ If the tag is set, the \gls{capability} is valid and can be
+ \glslink{dereference}{dereferenced} via the ISA.
+ If the tag is clear, then the capability is invalid and cannot be
+ dereferenced via the ISA.
+ Tags are preserved
+by ISA
+operations that conform to \gls{capability
+ provenance} and \gls{capability monotonicity} rules -- for example,
+ that any attempted modification of \gls{capability bounds} leads to
+ non-increasing bounds,
+%was ``writes'', not ``bounds'' - presume just a typo?
+ and that in-memory capabilities are written only
+ via capability stores, not data stores -- otherwise, tags are cleared}
+%
+% Subject to these constraints, tags will be preserved by
+% \gls{capability-based instructions}
+}
+
+\newglossaryentry{capability validity}
+{
+ name=capability validity,
+ description={A \gls{capability} is valid if its \gls{capability tag}
+ is set, which permits use of the capability subject to its
+ \gls{capability bounds}, \gls{capability permissions}, and so on.
+ Attempts to \gls{dereference} a capability without a tag set will lead
+ to a hardware exception}
+}
+
+\newglossaryentry{capability-based instructions}
+{
+ name=capability-based instructions,
+ description={These instructions accept capabilities as operands, allowing
+ capabilities to be loaded from and stored memory, manipulated subject to
+ \gls{capability provenance} and \gls{capability monotonicity} rules,
+ and used for a variety of operations such as loading and storing data and
+ capabilities, as branch targets, and to retrieve and manipulate capability
+ fields -- subject to \gls{capability permissions}}
+}
+
+\longnewglossaryentry{CInvoke}
+{
+ name=CInvoke
+}
+{
+ The \insnref{CInvoke} instruction is a source of controlled
+ non-monotonicity in the \gls{CHERI-MIPS} and \gls{CHERI-RISC-V} ISAs.
+\psnote{See Kyndylan's note for capability monotonicity}
+ It can directly enter any userspace domain described by a pair
+ of sealed capabilities with the \emph{Permit\_CInvoke} permission set.
+ In particular, it can
+ safely enter userspace domain-transition code
+ described by the sealed \gls{code capability} while also unsealing
+ the sealed \gls{data capability}.
+ The sealed operand \glspl{capability register}
+ are checked for suitable properties and correspondence, and the userspace
+ domain-transition routine can store any return information, perform further error
+ checking, and so on.
+}
+
+\newglossaryentry{CHERI Concentrate}
+{
+ name=CHERI Concentrate,
+ description={CHERI Concentrate is a specific \gls{compressed capability}
+ format that represents a 64-bit \gls{address} with full precision, and
+ \gls{capability bounds} relative to that address with reduced precision.
+ Bounds have a floating-point representation, requiring that as the size of
+ a bounded object increases, greater alignment of its \gls{capability base}
+ and \gls{capability length} are required.
+ CHERI Concentrate is the successor compression format to \gls{CHERI-128}}
+}
+
+\newglossaryentry{CHERI-128}
+{
+ name=CHERI-128,
+ description={CHERI-128 is a specific \gls{compressed capability} format that
+ represents a 64-bit \gls{address} with full precision, and
+ \gls{capability bounds} relative to that address with reduced precision.
+ Bounds have a floating-point representation, requiring that as the size of
+ a bounded object increases, greater alignment of its \gls{capability base}
+ and \gls{capability length} are required.
+ CHERI-128 has been replaced with \gls{CHERI Concentrate}}
+}
+
+\newglossaryentry{CHERI-MIPS}
+{
+ name=CHERI-MIPS,
+ description={An application of the CHERI protection model to the 64-bit MIPS
+ ISA}
+}
+
+\newglossaryentry{CHERI-RISC-V}
+{
+ name=CHERI-RISC-V,
+ description={An application of the CHERI protection model to the RISC-V ISA}
+}
+
+\newglossaryentry{CHERI-x86-64}
+{
+ name=CHERI-x86-64,
+ description={An application of the CHERI protection model to the x86-64 ISA}
+}
+
+\newglossaryentry{code capability}
+{
+ name=code capability,
+ plural=code capabilities,
+ description={A \gls{capability} whose \gls{capability permissions} have been
+ configured to permit instruction fetch (i.e., execute) rights; typically,
+ write permission will not be granted via an executable capability, in
+ contrast to a \gls{data capability}.
+ Code capabilities are used to implement \gls{control-flow robustness} by
+ constraining the available branch and jump targets}
+}
+
+\newglossaryentry{compressed capability}
+{
+ name=compressed capability,
+ plural=compressed capabilities,
+ description={A \gls{capability} whose \gls{capability bounds} are
+ compressed with respect to its \gls{address}, allowing its
+ in-memory footprint to be reduced -- e.g., to 128 bits, rather than the
+ roughly
+ architectural 256 bits visible to the instruction set when a capability
+ is loaded into a register file.
+ Certain architecturally valid \glslink{out of bounds}{out-of-bounds}
+ addresses may not be \glslink{representable
+ capability}{representable} with capability compression; operations leading
+ to \glslink{unrepresentable capability}{unrepresentable capabilities}
+ will clear the \gls{capability tag} or throw an exception in order to
+ ensure continuing \gls{capability monotonicity}.
+ \gls{CHERI-128} and \gls{CHERI Concentrate} are specific compressed
+ capability models that select particular points in the tradeoff space
+ around in-memory capability size, bounds alignment requirements, and
+ representability}
+}
+
+\newglossaryentry{control-flow robustness}
+{
+ name=control-flow robustness,
+ description={The use of \glspl{code capability} to constrain the set of
+ available branch and jump targets for executing code, such that the
+ potential for attacker manipulation of the \gls{program-counter
+ capability} to simulate injection of arbitrary code is severely
+ constrained; a form of \gls{vulnerability mitigation} implemented via
+ the \gls{principle of least privilege}}
+}
+
+\newglossaryentry{data capability}
+{
+ name=data capability,
+ plural=data capabilities,
+ description={A \gls{capability} whose \gls{capability permissions} have been
+ configured to permit data load and store, but not instruction fetch (i.e.,
+ execute) rights; in contrast to a \gls{code capability}}
+}
+
+\newglossaryentry{default data capability}
+{
+ name=default data capability (\DDC{}),
+ description={A \gls{special capability register} constraining
+ \glslink{legacy instructions}{legacy} non-\gls{capability-based
+ instructions} that load and store data without awareness of the capability
+ model.
+ Any attempts to load and store will be relocated relative to the default
+ data capability's \gls{capability base} and \gls{capability offset}, and
+ controlled by its \gls{capability bounds} and \gls{capability
+ permissions}.
+ Use of the default data capability violates the \gls{principle of
+ intentional use}, but permits compatibility with legacy software.
+ A suitably configured default data capability will prevent the use of
+ non-capability-based load and store instructions}
+}
+
+\newglossaryentry{dereference}
+{
+ name=dereference,
+ description={Dereferencing a \gls{address} means that it is the
+ target address for a load, store, or instruction fetch.
+ A \gls{capability} may be dereferenced only subject to it being valid
+ -- i.e., that its \gls{capability tag} is present -- and is also subject
+ to appropriate checks of its \gls{capability bounds}, \gls{capability permissions}, and
+ so on.
+ Dereference may occur as a result of explicit use of a capability via
+ \gls{capability-based instructions}, or implicitly as a result of the
+ \gls{program-counter capability} or \gls{default data capability}}
+}
+
+\newglossaryentry{exception program-counter capability}
+{
+ name=exception program-counter capability (\EPCC{}),
+ description={A \gls{special capability register} into which the running
+ \gls{program-counter capability} will be moved into on an exception, and
+ whose value will be moved back into the program-counter capability on
+ exception return}
+}
+
+\newglossaryentry{fat pointer}
+{
+ name=fat pointer,
+ description={A \gls{pointer} (\gls{address}) that has been extended
+ with additional metadata such as \gls{capability bounds} and
+ \gls{capability permissions}.
+ In conventional fat-pointer designs, fat pointers to not have a notion of
+ sealing (i.g., as in \glspl{sealed capability} and \glspl{unsealed
+ capability}), nor rules implementing \gls{capability provenance} and
+ \gls{capability monotonicity}}
+}
+
+\newglossaryentry{fine-grained memory protection}
+{
+ name=fine-grained memory protection,
+ description={The granular description of available code and data in which
+ \gls{capability bounds} and \gls{capability permissions} are made as
+ small as possible, in order to limit the potential effects of software
+ bugs and vulnerabilities.
+ This approach applies both to \glspl{code capability} and \glspl{data
+ capability}, offering effective \gls{vulnerability mitigation} via
+ techniques such as \gls{control-flow robustness}, as well as supporting
+ higher-level mitigation techniques such as \gls{software
+ compartmentalization}.
+ Fine-grained memory protection will typically be driven by the goal of
+ implementing the \gls{principle of least privilege}}
+}
+
+\newglossaryentry{hybrid capability model}
+{
+ name=hybrid capability model,
+ description={A \gls{capability} model in which not all interfaces to use or
+ manipulate capabilities conform to the \gls{principle of intentional
+ use}, such that legacy software is able to execute around, or within,
+ capability-constrained environments, as well as other features required
+ to improve compatibility with conventional software designs permitting
+ easier incremental adoption of a capability-system model.
+ In CHERI, composition of the capability-system model with the conventional
+ Memory Management Unit (MMU), the support for \gls{legacy instructions}
+ via the \gls{program-counter capability} and \gls{default data
+ capability}, and strong compatibility with the C-language \gls{pointer}
+ model, all constitute hybrid aspects of its design, in comparison to a
+ more pure capability-system model that might elide those behaviors at a
+ cost to compatibility and adoptability}
+}
+
+\newglossaryentry{principle of intentional use}
+{
+ name=principle of intentional use,
+ description={A design principle in capability systems in which rights are
+ always explicitly, rather than implicitly exercised.
+ This arises in the CHERI instruction set through explicit \gls{capability}
+ operands to \gls{capability-based instructions}, which contributes to the
+ effectiveness of \gls{fine-grained memory protection} and
+ \gls{control-flow robustness}.
+ When applied, the principle limits not just the rights available in the
+ presence of a software vulnerability, but the extent to which software can
+ be manipulated into using rights in an unintended (and exploitable)
+ manner}
+}
+
+\newglossaryentry{invoked data capability}
+{
+ name=invoked data capability (\IDC{}),
+ plural=invoked data capabilities,
+ description={A capability register reserved by convention to hold the
+ unsealed \gls{data capability} on the callee side of \gls{CInvoke}.
+ Typically, for the caller side, this will point at a frame on the caller
+ stack sufficient to safely restore any caller state.
+ On the callee side, the invoked data capability will be a data capability
+ describing the object's internal state}
+}
+
+\newglossaryentry{kernel code capability}
+{
+ name=kernel code capability (\KCC{}),
+ description={A \gls{special capability register} reserved to hold a
+ privileged \gls{code capability} for use by the kernel during exception
+ handling.
+ This value will be installed in the \gls{program-counter capability} on
+ exception entry, with the previous value of the program-counter
+ capability stored in the \gls{exception program-counter capability}}
+}
+
+\newglossaryentry{kernel data capability}
+{
+ name=kernel data capability (\KDC{}),
+ description={A \gls{special capability register} reserved to hold a
+ privileged \gls{data capability} for use by the kernel during exception
+ handling.
+ Typically, this will refer either to the data segment for a microkernel
+ intended to field exceptions, or for the full kernel.
+ Kernels compiled to primarily use \gls{legacy instructions} might install
+ this in the \gls{default data capability} for the duration of kernel
+ execution.
+ Use of this register is controlled by \gls{capability permissions} on
+ the currently executing \gls{program-counter capability}}
+}
+
+\newglossaryentry{kernel reserved capabilities}
+{
+ name=kernel reserved capabilities,
+ description={These \glspl{capability}, modeled on the MIPS kernel reserved
+ registers, are set aside for use by a \gls{CHERI-MIPS} operating-system
+ kernel in
+ exception handling -- in particular, in allowing userspace registers to
+ be saved so that the kernel context can be installed.
+ As with the MIPS registers, the userspace ABI is not able to use
+ capability registers set aside for kernel use; unlike the MIPS registers,
+ the kernel reserved capabilities are available for use in the ISA only
+ with a suitably authorized \gls{program-counter capability} installed.
+ Due to a different exception-handling model in \gls{CHERI-RISC-V}, that
+ ISA does not have kernel reserved capabilities}
+}
+
+\newglossaryentry{legacy instructions}
+{
+ name=legacy instructions,
+ description={Legacy instructions are those that accept integer addresses,
+ rather than capabilities, as their operands, requiring use of the
+ \gls{default data capability} for loads and stores, or that explicitly set
+ the program counter to a address, rather than doing setting the
+ \gls{program-counter capability}.
+ These instructions allow legacy binaries (those compiled without CHERI
+ awareness) to execute, but only without the benefits of
+ \gls{fine-grained memory protection}, granular \gls{control-flow
+ robustness}, or more efficient \gls{software compartmentalization}.
+ While still constrained, these instructions do not conform to the
+ \gls{principle of intentional use}}
+}
+
+\newglossaryentry{merged register file}
+{
+ name=merged register file,
+ description={A single general-purpose register file able to hold both
+ integer and tagged \gls{capability} values.
+ In \gls{CHERI-MIPS}, a dedicated \gls{capability register file} is used,
+ separate from the general-purpose integer register file.
+ In \gls{CHERI-RISC-V} and \gls{Morello}, a merged register file is supported, reducing the
+ amount of control logic required for a separate register file}
+}
+
+\newglossaryentry{Morello}
+{
+ name=Morello,
+ description={An application of the CHERI protection model to the ARMv8-A architecture}
+}
+
+\newglossaryentry{out of bounds}
+{
+ name=out of bounds,
+ description={When a \gls{capability}'s \gls{capability offset} falls outside
+ of its \gls{capability bounds}, it is out of bounds, and cannot be
+ \glslink{dereference}{dereferenced}.
+ Even if a capability's offset is in bounds, the width of a data access may
+ cause a load, store, or instruction fetch to fall out of bounds, or the
+ further offset introduced via a register index or immediate operand to an
+ instruction.
+% With 256-bit capabilities, all out-of-bounds pointers are
+% \glspl{representable capability}.
+ With \glspl{compressed capability}, if an instruction shifts the offset
+ too far out of bounds, this may result in an \gls{unrepresentable
+ capability}, leading to the \gls{capability tag} being cleared, or an
+ exception being thrown}
+}
+
+\newglossaryentry{physical address}
+{
+ name=physical address,
+ plural=physical addresses,
+ description={An \gls{address} that is passed directly to the memory
+ hierarchy without \glslink{virtual address}{virtual-address} translation.
+ In \gls{CHERI-MIPS}, \glspl{capability} contain only virtual addresses.
+ In \gls{CHERI-RISC-V}, \glspl{capability} addresses may be interpreted as
+ physical addresses in Machine Mode}
+}
+
+\newglossaryentry{pointer}
+{
+ name=pointer,
+ description={A pointer is a language-level reference to a memory object.
+ In conventional ISAs, a pointer is typically represented as an
+ \gls{address}.
+ In CHERI, pointers can be represented either as an address
+ indirected via the \gls{default data capability} or \gls{program-counter
+ capability}, or as a \gls{capability}.
+ In the latter cases, its integrity and \gls{capability provenance} are
+ protected by the \gls{capability tag}, and its use is limited by
+ \gls{capability bounds} and \gls{capability permissions}.
+ \Gls{capability-based instructions} preserve the tag as required across
+ both \glspl{capability register} and \gls{tagged memory}, and also
+ enforce \gls{capability monotonicity}: legitimate operations on the
+ pointer cannot broaden the set of rights described by the capability}
+}
+
+\newglossaryentry{principle of least privilege}
+{
+ name=principle of least privilege,
+ description={A principle of software design in which the set of rights
+ available to running code is minimized to only those required for it to
+ function, often with the aim of \gls{vulnerability mitigation}.
+ In CHERI, this concept applies via fine-grained memory protection for
+ both data and code, and also higher-level \gls{software
+ compartmentalization}}
+}
+
+\newglossaryentry{program-counter capability}
+{
+ name=program-counter capability (\PCC{}),
+ description={A \gls{special capability register} that extends the existing
+ program counter to include
+ \gls{capability} metadata such as a \gls{capability tag}, \gls{capability
+ bounds}, and \gls{capability permissions}.
+ The program-counter capability ensures that instruction fetch occurs only
+ subject to capability protections.
+ When an exception fires, the value of the program-counter capability will
+ be moved to the \gls{exception program-counter capability}, and the value
+ of the \gls{kernel data capability} moved into the program-counter
+ capability.
+ On exception return, the value of the exception program-counter capability
+ will be moved into the program-counter capability}
+}
+
+\newglossaryentry{representable capability}
+{
+ name=representable capability,
+ plural=representable capabilities,
+ description={A \gls{compressed capability} whose \gls{capability offset}
+ is representable with respect to its \gls{capability bounds}; this
+ does not imply that the offset is ``within bounds'', but does require
+ that it be within some broader window around the bounds}
+}
+
+\newglossaryentry{reserved capability object type}
+{
+ name=reserved capability object type,
+ plural=reserved capability object types,
+ description={Certain \glspl{capability object type} are not available for software use and instead have hardware-defined semantics.
+ On \gls{CHERI-MIPS} and \gls{CHERI-RISC-V}, all negative \glspl{capability object type} are
+ reserved: \glspl{unsealed capability} use the value $2^{64}-1$ and \glspl{sealed entry capability}
+ have an object type of $2^{64}-2$.
+ The remaining \glspl{capability object type} are used for \glspl{sealed capability with an object type}}
+}
+
+\newglossaryentry{return capability}
+{
+ name=return capability,
+ plural=return capabilities,
+ description={A \gls{capability} designated as the destination for the
+ return address when using a capability jump-and-link instruction.
+ A degree of \gls{control-flow robustness} is provided due to
+ \gls{capability bounds}, \gls{capability permissions}, and the
+ \gls{capability tag} on the resulting capability, which limits sites that
+ may be jumped back to using the return capability}
+}
+
+\newglossaryentry{sealed capability}
+{
+ name=sealed capability,
+ plural=sealed capabilities,
+ description={A sealed \gls{capability} is one whose \gls{capability object type}
+ is not equal to the unsealed object type ($2^{64}-1$ for \gls{CHERI-MIPS} and \gls{CHERI-RISC-V}).
+ A sealed capability's \gls{address}, \gls{capability bounds},
+ \gls{capability permissions}, and other fields are immutable -- i.e.,
+ cannot be modified using \gls{capability-based instructions}.
+ A sealed capability cannot be directly \glslink{dereference}{dereferenced}
+ using the instruction set, and must be unsealed before it can be used.
+ This can be used to implement non-monotonic domain transition, as a
+ sealed capability may carry rights not otherwise present in the
+ \gls{capability register file}.
+ Two types exist: \glspl{sealed capability with an object type} and
+ \glspl{sealed entry capability}.
+ They have different properties catering to different use cases}
+}
+
+\newglossaryentry{sealed capability with an object type}
+{
+ name=sealed capability with an object type,
+ plural=sealed capabilities with object types,
+ description={A \gls{sealed capability} whose \gls{capability object type}
+ is not one of the \glspl{reserved capability object type}.
+ These sealed capability have a \gls{capability object type} derived
+ from their \glspl{sealing capability}'s \gls{address}.
+ CHERI's sealing feature allows capabilities to be used to describe
+ software-defined objects, permitting implementation of encapsulation.
+ Unsealing can be performed using the \gls{CInvoke} instruction, or
+ using the \insnref{CUnseal} instruction combined with a suitable
+ \gls{sealing capability}.
+ Sealed capabilities with object types provide the necessary architectural
+ encapsulation support to efficiently implement fine-grained
+ compartmentalization using an object-oriented model}
+}
+
+\newglossaryentry{sealed entry capability}
+{
+ name=sealed entry capability,
+ plural=sealed entry capabilities,
+ description={A sealed entry \gls{capability} (also known as
+ \gls{sentry capability}) is a \gls{sealed capability}
+ whose \gls{capability object type} is set to the sentry \gls{reserved capability object type} ($2^{64}-2$ for \gls{CHERI-MIPS} and \gls{CHERI-RISC-V}).
+ Sealed entry capabilities are commonly referred to as \glspl{sentry
+ capability}.
+ Sealed entry capabilities are do not support linking sealed code and
+ data capabilities, unlike \glspl{sealed capability with an object type}.
+ A sealed entry capability is unsealed by jumping to it using a regular
+ capability jump instruction}
+}
+
+\newglossaryentry{sealing capability}
+{
+ name=sealing capability,
+ plural=sealing capabilities,
+ description={A sealing capability is one with the \cappermSeal
+ permission, allowing it to be used to create \glspl{sealed capability}
+ using a \gls{capability object type} set to the sealing capability's
+ \gls{address}, and subject to its bounds}
+}
+
+\newglossaryentry{sentry capability}
+{
+ name=sentry capability,
+ plural=sentry capabilities,
+ description={Sentry capability is a convenient shorthand for a
+ \gls{sealed entry capability}}
+}
+
+\newglossaryentry{software compartmentalization}
+{
+ name=software compartmentalization,
+ description={The configuration of \glspl{code capability} and \glspl{data
+ capability} available via the \gls{capability register file} or
+ \gls{merged register file}, accessible \glspl{special capability
+ register}, and \gls{tagged memory} such that software components can be
+ isolated from one another, enabling \gls{vulnerability mitigation} via the
+ application of the \gls{principle of least privilege} at the application
+ layer.
+ One approach to implementing software compartmentalization on CHERI is to
+ use \gls{CInvoke} to jump into sealed code
+ and data capabilities describing a trusted intermediary and destination
+ protection domain}
+}
+
+\newglossaryentry{stack capability}
+{
+ name=stack capability,
+ plural=stack capabilities,
+ description={A \gls{capability} referring to the current stack, whose
+ \gls{capability bounds} are suitably configured to allow access only to
+ the remaining stack available to allocate at a given point in execution}
+}
+
+\newglossaryentry{special capability register}
+{
+ name=special capability register,
+ description={Special capability registers have special architectural
+ meanings, and include the \gls{program-counter capability}, the
+ \gls{default data capability}, the \gls{exception program-counter
+ capability}, the \gls{kernel code capability}, and the \gls{kernel data
+ capability}.
+ Not all registers are accessible at all times; for example, some may be
+ available only in certain rings, or when \PCC{} has the
+ Access\_System\_Registers permission set}
+}
+
+\newglossaryentry{tagged memory}
+{
+ name=tagged memory,
+ description={Tagged memory associates a 1-bit \gls{capability tag} with
+ each \gls{capability}-aligned, capability-sized word in memory.
+ \Gls{capability-based instructions} that load and store capabilities
+ maintain the tag as the capability transits between memory and the
+ \gls{capability register file}, tracking \gls{capability provenance}.
+ When data stores (i.e., stores of non-capabilities), the tag on the
+ memory location will be atomically cleared, ensuring the integrity of
+ in-memory capabilities}
+}
+
+\newglossaryentry{trusted computing base}
+{
+ name=Trusted Computing Base (TCB),
+ description={The subset of hardware and software that is critical to the
+ security of a system;
+ in secure system designs, there is often a goal to minimize the size of
+ the TCB in order to minimize the opportunity for exploitable software
+ vulnerabilities}
+}
+
+\newglossaryentry{trusted stack}
+{
+ name=trusted stack,
+ description={Some software-defined object-capability models offer strong
+ call-return semantics -- i.e., that if a return is issued by an invoked
+ object, or an uncaught exception is generated, then the appropriate caller
+ will be returned to -- exactly once.
+ This can be implemented via a trusted stack, maintained by the software
+ \gls{trusted computing base} via one or more handlers invoked by \gls{CInvoke}.
+ A trusted stack for an object-oriented model will likely maintain at least
+ the caller's \gls{program-counter capability} and \gls{invoked data
+ capability} to be restored on return}
+}
+
+\newglossaryentry{unrepresentable capability}
+{
+ name=unrepresentable capability,
+ plural=unrepresentable capabilities,
+ description={A \gls{compressed capability} whose \gls{capability offset} is
+ sufficiently outside of its \gls{capability bounds} that the combined
+ \gls{pointer} value and bounds cannot be represented in the compressed format;
+ constructing an unrepresentable capability will lead to the tag being
+ cleared (and information loss) or an exception, rather than a violation
+ of \gls{capability provenance} or \gls{capability monotonicity}}
+}
+
+\newglossaryentry{unsealed capability}
+{
+ name=unsealed capability,
+ plural=unsealed capabilities,
+ description={An unsealed \gls{capability} is one whose \gls{capability object type}
+ is the unsealed object type ($2^{64}-1$ for \gls{CHERI-MIPS} and \gls{CHERI-RISC-V}).
+ Its remaining capability fields are mutable, subject to \gls{capability
+ provenance} and \gls{capability monotonicity} rules.
+ These capabilities have hardware-defined behaviors -- i.e., subject to
+ \gls{capability bounds}, \gls{capability permissions}, and so on,
+ can be \glslink{dereference}{dereferenced}}
+}
+
+\newglossaryentry{virtual address}
+{
+ name=virtual address,
+ plural=virtual addresses,
+ description={An integer \gls{address} translated by the Memory Management
+ Unit (MMU) into a \gls{physical address} for the purposes of load, store,
+ and instruction fetch.
+ \Glspl{capability} embed an address, represented in the instruction
+ set as the sum of the \gls{capability base} and \gls{capability offset},
+ as well as \gls{capability bounds} relative to the address.
+ The integer addresses passed to \glslink{legacy instructions}{legacy load
+ and store instructions} that would previously have been interpreted as
+ virtual addresses are, with CHERI, transformed (and checked) using the
+ \gls{default data capability}.
+ Similarly, the integer addresses passed to legacy branch and jump
+ instructions are transformed (and checked) using the \gls{program-counter
+ capability}.
+ This in effect introduces a further relocation of legacy addresses prior
+ to virtual address translation}
+}
+
+\newglossaryentry{vulnerability mitigation}
+{
+ name=vulnerability mitigation,
+ description={A set of techniques limiting the effectiveness of the attacker
+ to exploit a software vulnerability, typically achieved through use of
+ the \gls{principle of least privilege} to constrain injection of
+ arbitrary code, control of the \gls{program-counter capability} via
+ \gls{control-flow robustness} using \glspl{code capability}, minimization of
+ data rights granted via available \glspl{data capability}, and higher-level
+ \gls{software compartmentalization}}
+}
diff --git a/archdoc/insn-riscv/auicgp.tex b/archdoc/insn-riscv/auicgp.tex
new file mode 100644
index 0000000..aa89c83
--- /dev/null
+++ b/archdoc/insn-riscv/auicgp.tex
@@ -0,0 +1,20 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{AUICGP}
+\insnriscvlabel{auicgp}
+\subsection*{AUICGP}
+
+\subsubsection*{Format}
+
+\rvcheriasmfmt{\rvcheriasminsnnoref{AUICGP} cd, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,31}\\
+ \bitbox{20}{imm[31:12]}
+ \bitbox{5}{cd}
+ \bitbox{7}{0x7b}
+\end{bytefield}
+\end{center}
+
+\sailRISCVisarefbody{AUICGP}
diff --git a/archdoc/insn-riscv/auipcc.tex b/archdoc/insn-riscv/auipcc.tex
new file mode 100644
index 0000000..3abd658
--- /dev/null
+++ b/archdoc/insn-riscv/auipcc.tex
@@ -0,0 +1,20 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{AUIPCC}
+\insnriscvlabel{auipcc}
+\subsection*{AUIPCC}
+
+\subsubsection*{Format}
+
+\rvcheriasmfmt{\rvcheriasminsnnoref{AUIPCC} cd, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,31}\\
+ \bitbox{20}{imm[31:12]}
+ \bitbox{5}{cd}
+ \bitbox{7}{0x17}
+\end{bytefield}
+\end{center}
+
+\sailRISCVisarefbody{AUIPCC}
diff --git a/archdoc/insn-riscv/candperm.tex b/archdoc/insn-riscv/candperm.tex
new file mode 100644
index 0000000..c6c6976
--- /dev/null
+++ b/archdoc/insn-riscv/candperm.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CAndPerm}
+\insnriscvlabel{candperm}
+\subsection*{CAndPerm}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CAndPerm}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CAndPerm}
+\end{center}
+
+\sailRISCVisarefbody{CAndPerm}
diff --git a/archdoc/insn-riscv/ccleartag.tex b/archdoc/insn-riscv/ccleartag.tex
new file mode 100644
index 0000000..1c6231c
--- /dev/null
+++ b/archdoc/insn-riscv/ccleartag.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CClearTag}
+\insnriscvlabel{ccleartag}
+\subsection*{CClearTag}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CClearTag}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CClearTag}
+\end{center}
+
+\sailRISCVisarefbody{CClearTag}
diff --git a/archdoc/insn-riscv/cgetaddr.tex b/archdoc/insn-riscv/cgetaddr.tex
new file mode 100644
index 0000000..441ddb2
--- /dev/null
+++ b/archdoc/insn-riscv/cgetaddr.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetAddr}
+\insnriscvlabel{cgetaddr}
+\subsection*{CGetAddr}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetAddr}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetAddr}
+\end{center}
+
+\sailRISCVisarefbody{CGetAddr}
diff --git a/archdoc/insn-riscv/cgetbase.tex b/archdoc/insn-riscv/cgetbase.tex
new file mode 100644
index 0000000..88336b5
--- /dev/null
+++ b/archdoc/insn-riscv/cgetbase.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetBase}
+\insnriscvlabel{cgetbase}
+\subsection*{CGetBase}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetBase}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetBase}
+\end{center}
+
+\sailRISCVisarefbody{CGetBase}
diff --git a/archdoc/insn-riscv/cgethigh.tex b/archdoc/insn-riscv/cgethigh.tex
new file mode 100644
index 0000000..5bad72a
--- /dev/null
+++ b/archdoc/insn-riscv/cgethigh.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetHigh}
+\insnriscvlabel{cgethigh}
+\subsection*{CGetHigh}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetHigh}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetHigh}
+\end{center}
+
+\sailRISCVisarefbody{CGetHigh}
diff --git a/archdoc/insn-riscv/cgetlen.tex b/archdoc/insn-riscv/cgetlen.tex
new file mode 100644
index 0000000..f9468d8
--- /dev/null
+++ b/archdoc/insn-riscv/cgetlen.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetLen}
+\insnriscvlabel{cgetlen}
+\subsection*{CGetLen}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetLen}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetLen}
+\end{center}
+
+\sailRISCVisarefbody{CGetLen}
diff --git a/archdoc/insn-riscv/cgetperm.tex b/archdoc/insn-riscv/cgetperm.tex
new file mode 100644
index 0000000..f9a1ff8
--- /dev/null
+++ b/archdoc/insn-riscv/cgetperm.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetPerm}
+\insnriscvlabel{cgetperm}
+\subsection*{CGetPerm}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetPerm}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetPerm}
+\end{center}
+
+\sailRISCVisarefbody{CGetPerm}
diff --git a/archdoc/insn-riscv/cgettag.tex b/archdoc/insn-riscv/cgettag.tex
new file mode 100644
index 0000000..bb09190
--- /dev/null
+++ b/archdoc/insn-riscv/cgettag.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetTag}
+\insnriscvlabel{cgettag}
+\subsection*{CGetTag}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetTag}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetTag}
+\end{center}
+
+\sailRISCVisarefbody{CGetTag}
diff --git a/archdoc/insn-riscv/cgettop.tex b/archdoc/insn-riscv/cgettop.tex
new file mode 100644
index 0000000..1f17e77
--- /dev/null
+++ b/archdoc/insn-riscv/cgettop.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetTop}
+\insnriscvlabel{cgettop}
+\subsection*{CGetTop}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetTop}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetTop}
+\end{center}
+
+\sailRISCVisarefbody{CGetTop}
diff --git a/archdoc/insn-riscv/cgettype.tex b/archdoc/insn-riscv/cgettype.tex
new file mode 100644
index 0000000..ce5833a
--- /dev/null
+++ b/archdoc/insn-riscv/cgettype.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CGetType}
+\insnriscvlabel{cgettype}
+\subsection*{CGetType}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CGetType}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CGetType}
+\end{center}
+
+\sailRISCVisarefbody{CGetType}
diff --git a/archdoc/insn-riscv/cincoffset.tex b/archdoc/insn-riscv/cincoffset.tex
new file mode 100644
index 0000000..de239ef
--- /dev/null
+++ b/archdoc/insn-riscv/cincoffset.tex
@@ -0,0 +1,18 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CIncAddr}
+\insnriscvlabel{cincaddr}
+\subsection*{CIncAddr}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CIncAddr}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CIncAddr}
+\end{center}
+
+\asm{CIncOffset} is an alias for this instruction.
+
+\sailRISCVisarefbody{CIncAddr}
diff --git a/archdoc/insn-riscv/cincoffsetimm.tex b/archdoc/insn-riscv/cincoffsetimm.tex
new file mode 100644
index 0000000..56c860f
--- /dev/null
+++ b/archdoc/insn-riscv/cincoffsetimm.tex
@@ -0,0 +1,18 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CIncAddrImm}
+\insnriscvlabel{cincaddrimm}
+\subsection*{CIncAddrImm}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CIncAddrImm}
+
+\begin{center}
+ \rvcheriheader
+ \rvcheribitbox{CIncAddrImm}
+\end{center}
+
+\asm{CIncOffsetImm} is an alias for this instruction.
+
+\sailRISCVisarefbody{CIncAddrImmediate}
diff --git a/archdoc/insn-riscv/cjal.tex b/archdoc/insn-riscv/cjal.tex
new file mode 100644
index 0000000..d8422b0
--- /dev/null
+++ b/archdoc/insn-riscv/cjal.tex
@@ -0,0 +1,23 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CJAL}
+\insnriscvlabel{cjal}
+\subsection*{CJAL}
+
+\subsubsection*{Format}
+
+\rvcheriasmfmt{\rvcheriasminsnnoref{CJAL} cd, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,19,20,21,30,31}\\
+ \bitbox{1}{\rotateinbitbox{\scriptsize i[20]}}
+ \bitbox{10}{imm$_{[10:1]}$}
+ \bitbox{1}{\rotateinbitbox{\scriptsize i[11]}}
+ \bitbox{8}{imm$_{[19:12]}$}
+ \bitbox{5}{cd}
+ \bitbox{7}{0x6f}
+\end{bytefield}
+\end{center}
+
+\sailRISCVisarefbody{CJAL}
diff --git a/archdoc/insn-riscv/cjalr.tex b/archdoc/insn-riscv/cjalr.tex
new file mode 100644
index 0000000..736628a
--- /dev/null
+++ b/archdoc/insn-riscv/cjalr.tex
@@ -0,0 +1,22 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CJALR}
+\insnriscvlabel{cjalr}
+\subsection*{CJALR}
+
+\subsubsection*{Format}
+
+\rvcheriasmfmt{\rvcheriasminsnnoref{CJALR} cd, cs1, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,31}\\
+ \bitbox{12}{imm[11:0]}
+ \bitbox{5}{cs1}
+ \bitbox{3}{0}
+ \bitbox{5}{cd}
+ \bitbox{7}{0x67}
+\end{bytefield}
+\end{center}
+
+\sailRISCVisarefbody{CJALR}
diff --git a/archdoc/insn-riscv/cmove.tex b/archdoc/insn-riscv/cmove.tex
new file mode 100644
index 0000000..596f43f
--- /dev/null
+++ b/archdoc/insn-riscv/cmove.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CMove}
+\insnriscvlabel{cmove}
+\subsection*{CMove}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CMove}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CMove}
+\end{center}
+
+\sailRISCVisarefbody{CMove}
diff --git a/archdoc/insn-riscv/crepresentablealignmentmask.tex b/archdoc/insn-riscv/crepresentablealignmentmask.tex
new file mode 100644
index 0000000..4836e92
--- /dev/null
+++ b/archdoc/insn-riscv/crepresentablealignmentmask.tex
@@ -0,0 +1,17 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CRepresentableAlignmentMask}
+\insnriscvlabel{crepresentablealignmentmask}
+\insnriscvlabel{cram}
+\subsection*{CRepresentableAlignmentMask}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CRepresentableAlignmentMask}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CRepresentableAlignmentMask}
+\end{center}
+
+\sailRISCVisarefbody{CRAM}
diff --git a/archdoc/insn-riscv/croundrepresentablelength.tex b/archdoc/insn-riscv/croundrepresentablelength.tex
new file mode 100644
index 0000000..015b96e
--- /dev/null
+++ b/archdoc/insn-riscv/croundrepresentablelength.tex
@@ -0,0 +1,17 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CRoundRepresentableLength}
+\insnriscvlabel{croundrepresentablelength}
+\insnriscvlabel{crrl}
+\subsection*{CRoundRepresentableLength}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CRoundRepresentableLength}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CRoundRepresentableLength}
+\end{center}
+
+\sailRISCVisarefbody{CRRL}
diff --git a/archdoc/insn-riscv/cseal.tex b/archdoc/insn-riscv/cseal.tex
new file mode 100644
index 0000000..d70e40a
--- /dev/null
+++ b/archdoc/insn-riscv/cseal.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSeal}
+\insnriscvlabel{cseal}
+\subsection*{CSeal}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSeal}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSeal}
+\end{center}
+
+\sailRISCVisarefbody{CSeal}
diff --git a/archdoc/insn-riscv/csetaddr.tex b/archdoc/insn-riscv/csetaddr.tex
new file mode 100644
index 0000000..ebc338e
--- /dev/null
+++ b/archdoc/insn-riscv/csetaddr.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetAddr}
+\insnriscvlabel{csetaddr}
+\subsection*{CSetAddr}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetAddr}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetAddr}
+\end{center}
+
+\sailRISCVisarefbody{CSetAddr}
diff --git a/archdoc/insn-riscv/csetbounds.tex b/archdoc/insn-riscv/csetbounds.tex
new file mode 100644
index 0000000..fac728d
--- /dev/null
+++ b/archdoc/insn-riscv/csetbounds.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetBounds}
+\insnriscvlabel{csetbounds}
+\subsection*{CSetBounds}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetBounds}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetBounds}
+\end{center}
+
+\sailRISCVisarefbody{CSetBounds}
diff --git a/archdoc/insn-riscv/csetboundsexact.tex b/archdoc/insn-riscv/csetboundsexact.tex
new file mode 100644
index 0000000..d42612f
--- /dev/null
+++ b/archdoc/insn-riscv/csetboundsexact.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetBoundsExact}
+\insnriscvlabel{csetboundsexact}
+\subsection*{CSetBoundsExact}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetBoundsExact}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetBoundsExact}
+\end{center}
+
+\sailRISCVisarefbody{CSetBoundsExact}
diff --git a/archdoc/insn-riscv/csetboundsimm.tex b/archdoc/insn-riscv/csetboundsimm.tex
new file mode 100644
index 0000000..89cb40f
--- /dev/null
+++ b/archdoc/insn-riscv/csetboundsimm.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetBoundsImm}
+\insnriscvlabel{csetboundsimm}
+\subsection*{CSetBoundsImm}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetBoundsImm}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetBoundsImm}
+\end{center}
+
+\sailRISCVisarefbody{CSetBoundsImmediate}
diff --git a/archdoc/insn-riscv/csetequalexact.tex b/archdoc/insn-riscv/csetequalexact.tex
new file mode 100644
index 0000000..091635a
--- /dev/null
+++ b/archdoc/insn-riscv/csetequalexact.tex
@@ -0,0 +1,17 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetEqualExact}
+\insnriscvlabel{csetequalexact}
+\insnriscvlabel{cseqx}
+\subsection*{CSetEqualExact}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetEqualExact}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetEqualExact}
+\end{center}
+
+\sailRISCVisarefbody{CSEQX}
diff --git a/archdoc/insn-riscv/csethigh.tex b/archdoc/insn-riscv/csethigh.tex
new file mode 100644
index 0000000..70e05da
--- /dev/null
+++ b/archdoc/insn-riscv/csethigh.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSetHigh}
+\insnriscvlabel{csethigh}
+\subsection*{CSetHigh}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSetHigh}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSetHigh}
+\end{center}
+
+\sailRISCVisarefbody{CSetHigh}
diff --git a/archdoc/insn-riscv/cspecialrw.tex b/archdoc/insn-riscv/cspecialrw.tex
new file mode 100644
index 0000000..c8f2d17
--- /dev/null
+++ b/archdoc/insn-riscv/cspecialrw.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSpecialRW}
+\insnriscvlabel{cspecialrw}
+\subsection*{CSpecialRW}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSpecialRW}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSpecialRW}
+\end{center}
+
+\sailRISCVisarefbody{CSpecialRW}
diff --git a/archdoc/insn-riscv/csub.tex b/archdoc/insn-riscv/csub.tex
new file mode 100644
index 0000000..a439a7a
--- /dev/null
+++ b/archdoc/insn-riscv/csub.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSub}
+\insnriscvlabel{csub}
+\subsection*{CSub}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CSub}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CSub}
+\end{center}
+
+\sailRISCVisarefbody{CSub}
diff --git a/archdoc/insn-riscv/ctestsubset.tex b/archdoc/insn-riscv/ctestsubset.tex
new file mode 100644
index 0000000..f6b647b
--- /dev/null
+++ b/archdoc/insn-riscv/ctestsubset.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CTestSubset}
+\insnriscvlabel{ctestsubset}
+\subsection*{CTestSubset}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CTestSubset}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CTestSubset}
+\end{center}
+
+\sailRISCVisarefbody{CTestSubset}
diff --git a/archdoc/insn-riscv/cunseal.tex b/archdoc/insn-riscv/cunseal.tex
new file mode 100644
index 0000000..462f795
--- /dev/null
+++ b/archdoc/insn-riscv/cunseal.tex
@@ -0,0 +1,16 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CUnseal}
+\insnriscvlabel{cunseal}
+\subsection*{CUnseal}
+
+\subsubsection*{Format}
+
+\rvcheriasm{CUnseal}
+
+\begin{center}
+\rvcheriheader
+\rvcheribitbox{CUnseal}
+\end{center}
+
+\sailRISCVisarefbody{CUnseal}
diff --git a/archdoc/insn-riscv/lc.tex b/archdoc/insn-riscv/lc.tex
new file mode 100644
index 0000000..ed52aa9
--- /dev/null
+++ b/archdoc/insn-riscv/lc.tex
@@ -0,0 +1,26 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CLC}
+\insnriscvlabel{lc}
+\insnriscvlabel{clc}
+\subsection*{CLC}
+
+\subsubsection*{Format}
+
+\noindent\rvcheriasmfmt{\rvcheriasminsnref{CLC} cd, cs1, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,31}\\
+ \bitbox{12}{imm}
+ \bitbox{5}{cs1}
+ \bitbox{3}{0x3}
+ \bitbox{5}{cd}
+ \bitbox{7}{0x3}
+\end{bytefield}
+\end{center}
+
+% XXX: Ideally we would be able to use [LC](LoadCapImm) in the saildoc but that
+% generates a link to the literal LoadCapImm.
+\label{sailRISCVzLC}
+\sailRISCVisarefbody{LoadCapImm}
diff --git a/archdoc/insn-riscv/sc.tex b/archdoc/insn-riscv/sc.tex
new file mode 100644
index 0000000..4f4f95d
--- /dev/null
+++ b/archdoc/insn-riscv/sc.tex
@@ -0,0 +1,24 @@
+\clearpage
+\phantomsection
+\addcontentsline{toc}{subsection}{CSC}
+\insnriscvlabel{sc}
+\insnriscvlabel{csc}
+\subsection*{CSC}
+
+\subsubsection*{Format}
+
+\noindent\rvcheriasmfmt{\rvcheriasminsnref{CSC} cs2, cs1, imm}
+
+\begin{center}
+\begin{bytefield}{32}
+ \bitheader[endianness=big]{0,6,7,11,12,14,15,19,20,24,25,31}\\
+ \bitbox{7}{imm[11:5]}
+ \bitbox{5}{cs2}
+ \bitbox{5}{cs1}
+ \bitbox{3}{0x3}
+ \bitbox{5}{imm[4:0]}
+ \bitbox{7}{0x23}
+\end{bytefield}
+\end{center}
+
+\sailRISCVisarefbody{StoreCapImm}
diff --git a/archdoc/latexmkrc b/archdoc/latexmkrc
new file mode 100644
index 0000000..ea458ca
--- /dev/null
+++ b/archdoc/latexmkrc
@@ -0,0 +1,168 @@
+# makeglossaries support from latexmk/example_rcfiles/glossary_latexmkrc
+add_cus_dep( 'acn', 'acr', 0, 'makeglossaries' );
+add_cus_dep( 'glo', 'gls', 0, 'makeglossaries' );
+$clean_ext .= " acr acn acnh alg glo gls glg lg tmp run.xml tdo upa upb";
+$cleanup_includes_generated = 1;
+
+sub makeglossaries {
+ my ($base_name, $path) = fileparse( $_[0] );
+ pushd $path;
+ my $return = system "makeglossaries '$base_name'";
+ popd;
+ return $return;
+}
+
+sub latexmk_version_at_least {
+ use version;
+
+ my ($minimum_num) = @_;
+
+ my ($version_num_version_str, $version_num_revision) = split /(?<=[0-9.])(?=([^0-9.]|$))/, $version_num, 2;
+ my ($minimum_num_version_str, $minimum_num_revision) = split /(?<=[0-9.])(?=([^0-9.]|$))/, $minimum_num, 2;
+
+ my $version_num_version = version->parse($version_num_version_str);
+ my $minimum_num_version = version->parse($minimum_num_version_str);
+
+ return $version_num_version > $minimum_num_version || ($version_num_version == $minimum_num_version && $version_num_revision ge $minimum_num_revision);
+}
+
+push @generated_exts, 'glo', 'gls', 'glg';
+push @generated_exts, 'acn', 'acr', 'alg', 'acnh';
+push @generated_exts, 'soc', 'loc';
+$clean_ext .= ' %R.ist %R.xdy';
+
+$bibtex_use = 2;
+@default_files = ('cheri-architecture.tex');
+$pdf_mode = 1; # Default to -pdf flag
+
+
+# We need version 4.67 to use success_cmd on normal builds:
+if (latexmk_version_at_least("4.67")) {
+ # Use a separate aux dir and output dir, and copy the pdf from the build
+ # directory and scan for warnings after building:
+ $aux_dir = 'build';
+ $out_dir = 'build';
+ #
+ # The texloganalyser tool can be used to find all warning messages in the latex
+ # logfile which is useful when using interaction=batchmode. There is also
+ # a python package pydflatex that does the same thing (but with colours).
+ # However, texloganalyser is included by default in some TeX distributions so
+ # prefer that one.
+ # TODO: fix the broken sail hyperrefs so we don't have to filter the out.
+ $scan_logfile = "if command -v texloganalyser >/dev/null 2>/dev/null; then texloganalyser -w %Y/%R.log; fi";
+ # Delete the copied file on failure:
+ $failure_cmd = "rm -vf %D %R.pdf; " . $scan_logfile;
+ # Otherwise copy it (and possibly the synctex.gz file) out of the build dir and scan the logfile.
+ $copy_files = "cp -v %D %R.pdf; test -f %R.synctex.gz && cp -fv %R.synctex.gz %R.synctex.gz";
+ $warning_cmd = $copy_files . "; " . $scan_logfile;
+ $success_cmd = $copy_files . "; " . $scan_logfile;
+} else {
+ print("Using aux dir workaround for latexmk < 4.67. Current version is " . $version_num . "\n");
+ # Use a separate aux dir but output the build results in the same directory as
+ # the .tex file.
+ $aux_dir = 'build';
+ # The code below is copied from CTAN/support/latexmk/example_rcfiles/fix-aux.latexmkrc
+
+ #---------------------------
+ # This shows how to implement the use of different values for $aux_dir and
+ # $out_dir when the latex (etc) engines don't support the -aux-directory
+ # option. (Of the standard distributions, MiKTeX supports -aux-directory,
+ # but TeXLive does not.)
+ foreach my $cmd ('latex', 'lualatex', 'pdflatex', 'xelatex' ) {
+ ${$cmd} = "internal latex_fix_aux $cmd %O %S";
+ }
+ $xelatex =~ s/%O/-no-pdf %O/;
+
+ sub latex_fix_aux {
+ # Fudge to allow use of -aux_directory option with non-MiKTeX system.
+ # This subroutine is called to do a compilation by one of latex, pdflatex,
+ # etc. It's arguments are the command name, and the command-line arguments,
+ # including possible uses of the options -aux-directory, -output-directory.
+ # Functioning:
+ # 1. Obtain the values of the aux and output directories from the options
+ # on the command line, with appropriate defaults if one or both options
+ # is not used.
+ # 2. Change the command line (a) to avoid the use of the -aux-directory
+ # option, and (b) to use the -output-directory to get all output
+ # sent to the intended aux-directory. If neither an -aux-directory
+ # nor an -output-directory option is used, no change is made to the
+ # command line.
+ # 3. Run the command.
+ # 4. If the aux and output directories are different, move any of the dvi,
+ # fls, pdf, ps and synctex.gz files that are present in the intended aux
+ # directory to the intended output directory.
+ # N.B. It might seem more appropriate to keep the fls file in the aux
+ # directory. But MiKTeX puts it in the output directory, so we must do
+ # the same to copy its behavior.
+ # It might also seem appropriate for an xdv file to go in the output
+ # directory, like a dvi file. But xelatex under MiKTeX puts it in the
+ # aux directory, so we must copy that behavior.
+
+ my @move_exts = ('dvi', 'fls', 'pdf', 'ps', 'synctex.gz' );
+
+ # Determine aux and output directories from command line:
+ my $auxD = '';
+ my $outD = '';
+ foreach (@_) {
+ if ( /^-{1,2}aux-directory=(.*)$/ ) {
+ $auxD = $1;
+ }
+ elsif ( /^-{1,2}output-directory=(.*)$/ ) {
+ $outD = $1;
+ }
+ }
+ if ( $outD eq '' ) { $outD = '.'; }
+ if ( $auxD eq '' ) { $auxD = $outD; }
+
+ # Construct modified command line, with at most one occurrence of -output-directory
+ my @args_act = ();
+ my $set_outD = 0;
+ foreach (@_) {
+ if ( /^-{1,2}(aux|output)-directory=.*$/ ) {
+ if ( ! $set_outD ) {
+ push @args_act, "-output-directory=$auxD";
+ $set_outD = 1;
+ }
+ } else {
+ push @args_act, $_;
+ }
+ }
+
+ # Construct strings for aux and output directories that are suitable
+ # for prepending to a file name, so that they have any necessary
+ # directory separators:
+ my $outD1 = $outD;
+ my $auxD1 = $auxD;
+ foreach ( $auxD1, $outD1 ) {
+ # Append directory separator '/', but only for a non-empty name
+ # that isn't simple an MSWin drive name.
+ if ( ($_ ne '') && ! m([\\/\:]$) ) {
+ $_ .= '/';
+ }
+ # Clean up by removing any sequence of './'. These refer to
+ # current directory.
+ while ( s[^\.\/][] ) {}
+ }
+
+ print "Running: '@args_act'\n";
+ my $ret = system @args_act;
+ if ($auxD ne $outD) {
+ print "Move @move_exts files from '$auxD' to '$outD'\n";
+ # Use copy and unlink, not rename, since some viewers appear to keep the
+ # viewed file open. So if rename were used, such viewers would see the
+ # old version of the file, rather than the new one. With copy, the
+ # contents of the old file are normally overwritten by the new contents.
+ #
+ # In addition, copy works across file system boundaries, but rename
+ # doesn't.
+ foreach my $ext (@move_exts) {
+ copy "$auxD1$root_filename.$ext", "$outD1$root_filename.$ext";
+ unlink "$auxD1$root_filename.$ext";
+ }
+ }
+ return $ret;
+ }
+
+ #---------------------------
+
+} # end of workaround for latexmk < 4.67
diff --git a/archdoc/misc/cap_alignment_table.ipynb b/archdoc/misc/cap_alignment_table.ipynb
new file mode 100644
index 0000000..d55c90e
--- /dev/null
+++ b/archdoc/misc/cap_alignment_table.ipynb
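Review bot: `$copy_files` copies the synctex file onto itself: `test -f %R.synctex.gz && cp -fv %R.synctex.gz %R.synctex.gz` names the same path as source and destination, so with `$out_dir = 'build'` the file is never brought out of the build directory (the `test -f` against the top-level path fails, and if it ever passed `cp` would refuse a same-file copy). The PDF half of the line uses `%D`, and `$scan_logfile` already addresses build-directory files as `%Y/%R.log`, so the synctex source presumably wants the same prefix: `test -f %Y/%R.synctex.gz && cp -fv %Y/%R.synctex.gz %R.synctex.gz`. Separately, `makeglossaries` runs `system "makeglossaries '$base_name'"` through the shell; the list form `system 'makeglossaries', $base_name` avoids the shell and its quoting entirely, which is the safer default for a filename-derived argument.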
@@ -0,0 +1,46 @@
+{
+ "cells": [
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "import pandas\n",
+ "es=list(range(0,15)) + [24]\n",
+ "df=pandas.DataFrame([(2**e, 511* (2**e)) for e in es], columns=('alignment','max length'), index=es)\n",
+ "df.index.name='e'\n",
+ "# df['hex max'] = df['max length'].apply(hex)\n",
+ "print(df.to_latex())\n",
+ "df"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 3.6.9 64-bit",
+ "language": "python",
+ "name": "python3"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 3
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython3",
+ "version": "3.6.9"
+ },
+ "orig_nbformat": 4,
+ "vscode": {
+ "interpreter": {
+ "hash": "31f2aee4e71d21fbe5cf8b01ff0e069b9275f58929596ceb00d14d90e3e16cd6"
+ }
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/archdoc/misc/perms/Makefile b/archdoc/misc/perms/Makefile
new file mode 100644
index 0000000..9fcdac7
--- /dev/null
+++ b/archdoc/misc/perms/Makefile
@@ -0,0 +1,20 @@
+.PHONY: all
+all: perms.svg
+
+perms.dot: perms.py
+ ./perms.py > $@
+
+%.svg : %.dot
+ dot -Tsvg -o $@ $<
+
+
+%.png : %.dot
+ dot -Tpng -o $@ $<
+
+
+%.pdf : %.dot
+ dot -Tpdf -o $@ $<
+
+.PHONY: clean
+clean:
+ rm perms.svg perms.dot
diff --git a/archdoc/misc/perms/perms.py b/archdoc/misc/perms/perms.py
new file mode 100755
index 0000000..7ac974a
--- /dev/null
+++ b/archdoc/misc/perms/perms.py
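Review bot: The `clean` target runs `rm perms.svg perms.dot` without `-f`, so `make clean` exits non-zero on a fresh checkout where neither file exists yet; `rm -f perms.svg perms.dot` is the usual form. The `perms.dot` rule writes through a shell redirection, so if `./perms.py` fails part-way an empty or truncated `perms.dot` is left behind with a fresh timestamp and the next `make` treats it as up to date; adding `.DELETE_ON_ERROR:` near the top of the Makefile makes GNU make remove the target when its recipe fails.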
@@ -0,0 +1,161 @@
+#!/usr/bin/env python3
+from itertools import chain, combinations
+import collections
+import sys
+
+"""
+Script to analyse useful permission combinations according to given constraints.
+Outputs the number of useful combinations on stderr and a dot graph
+representation on stdout.
+"""
+
+# We support a tiny constraint language of boolean expressions that are
+# evaluated with respect to a context consisting of a set of permissions that
+# are true. We then evaluate the constraints for all subsets of the permissions
+# keeping only those subsets that are consistent with all the constraints.
+class Expr:
+ pass
+
+class Id(Expr):
+ def __init__(self, name):
+ self.name = name
+ def eval(self, context):
+ # A name is true if it is in the context, otherwise false
+ return self.name in context
+
+class Not(Expr):
+ def __init__(self, e):
+ self.e = e
+ def eval(self, context):
+ return not self.e.eval(context)
+
+class And(Expr):
+ def __init__(self, l, r):
+ self.l = l
+ self.r = r
+ def eval(self, context):
+ return self.l.eval(context) and self.r.eval(context)
+
+class Or(Expr):
+ def __init__(self, l, r):
+ self.l = l
+ self.r = r
+ def eval(self, context):
+ return self.l.eval(context) or self.r.eval(context)
+
+class Implies(Expr):
+ def __init__(self, l, r):
+ self.l = l
+ self.r = r
+ def eval(self, context):
+ return (not self.l.eval(context)) or self.r.eval(context)
+
+"""
+Builder class that allows us to construct constraints using operator
+overloading. Supports ~ (not), &, |, >> (implies)
+"""
+class Builder:
+ def __init__(self, val):
+ self.val = val
+ def __invert__(self):
+ return Builder(Not(self.val))
+ def __and__(self, other):
+ return Builder(And(self.val, other.val))
+ def __or__(self,other):
+ return Builder(Or(self.val, other.val))
+ def __rshift__(self, other):
+ return Builder(Implies(self.val, other.val))
+
+# The set of permissions
+perms=set("""\
+EX
+SR
+LG
+LM
+SL
+MC
+SD
+LD
+SE
+US
+U0
+""".split())
+# Create a python variable with the name of each permission containing a
+# Builder identifying that permission.
+for perm in perms:
+ locals()[perm]=Builder(Id(perm))
+
+constraints = [
+# Read / write cap without data is not useful
+ MC >> (LD | SD),
+# Access system regs only makes sense on exe caps
+ SR >> EX,
+# Load global requires load cap
+ LG >> (MC & LD),
+# Load mutable requires load cap
+ LM >> (MC & LD),
+# Store local requires store cap
+ SL >> (MC & SD),
+# We want executable caps to have load cap
+ EX >> (MC & LD),
+# We do not permit writable and executable caps
+ ~(EX & SD),
+# Sealing and data permissions are mutually exclusive
+ ~((SE | US | U0) & (SD | LD)),
+# We originally forbade write-only but had some spare encodings so were able
+# to reintroduce it. As a compromise to get us down to 32 combinations and
+# a 5-bit encoding we eliminate write-only store-local.
+ # SD >> LD, # forbid write-only?
+ SL >> LD, # eliminating store-local write-only gets us down to 32 combinations
+]
+
+def powerset(iterable):
+ """list(powerset([1,2,3])) --> [(), (1,), (2,), (3,), (1,2), (1,3), (2,3), (1,2,3)]
+ Example from https://docs.python.org/3/library/itertools.html#itertools-recipes"""
+ s = list(iterable)
+ return chain.from_iterable(combinations(s, r) for r in range(len(s)+1))
+
+def filter_expr(ss, e):
+ for s in ss:
+ if e.eval(s):
+ yield s
+
+subsets = powerset(perms)
+for constraint in constraints:
+ subsets = filter_expr(subsets, constraint.val)
+
+useful_combinations = list(subsets)
+sys.stderr.write(f"{len(useful_combinations)} combinations\n")
+
+def comb_to_str(c):
+ """Creates a string from a permission combination.
+ Used as node names in dot graph."""
+ cs = sorted(c)
+ return '_'.join(cs) or "0"
+
+# Now we output a graph representation of the useful combinations in dot format.
+# To make it pretty we add edges for the subset partial order, excluding edges
+# implied by transitivity.
+
+print("digraph {")
+
+# Output the names of nodes in the graph
+for x in useful_combinations:
+ print(comb_to_str(x))
+
+# Output the edges for the subset relation. To exclude transitive edges
+# we stick to pairs of combinations that differ in size by one. This
+# doesn't work for all graphs but seems to be OK for us.
+for x in useful_combinations:
+ for y in useful_combinations:
+ if len(x) + 1 == len(y):
+ xs = set(x)
+ ys = set(y)
+ if xs.issubset(ys):
+ # find the permission in ys not in xs to use as label
+ diff = (ys - xs).pop()
+ x_str=comb_to_str(x)
+ y_str=comb_to_str(y)
+ print(f"{y_str} -> {x_str} [label=\"{diff}\", fontsize=10]")
+
+print("}")
diff --git a/archdoc/misc/perms/perms5_clustered.dot b/archdoc/misc/perms/perms5_clustered.dot
new file mode 100644
index 0000000..418a2e9
--- /dev/null
+++ b/archdoc/misc/perms/perms5_clustered.dot
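Review bot: The node and edge order of the generated dot graph is not reproducible between runs: `perms` is a `set`, both `powerset(perms)` and the `for perm in perms:` loop iterate it in hash order, and Python randomises string hashing per process, so `perms.dot` changes from run to run with no change in input. `subsets = powerset(sorted(perms))` (and `for perm in sorted(perms):`) makes the output deterministic, which matters for a file that is diffed or checked in. `locals()[perm]=Builder(Id(perm))` only works because at module scope `locals()` happens to be the globals dict; `globals()[perm]` says what is meant. The two triple-quoted strings after the imports and before `class Builder` are bare expression statements rather than docstrings, so `help()` and linters ignore them; move the first above the imports and the second into the class body, and drop the unused `import collections`.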
@@ -0,0 +1,122 @@
+digraph {
+margin=0
+
+subgraph cluster_seal {
+label="sealing"
+margin=8
+0
+U0
+SE
+US
+SE_U0
+U0_US
+SE_US
+SE_U0_US [xlabel=<⊤S>]
+}
+
+subgraph cluster_mem_data {
+label="mem-rw"
+margin=8
+subgraph cluster_mem_wo_cap {
+label="mem-cap-wo"
+margin=8
+MC_SD
+}
+SD
+LD
+LD_SD
+}
+subgraph cluster_mem_ro_cap {
+label="mem-cap-ro";
+margin=8
+LD_MC
+LD_LG_MC
+LD_LM_MC
+LD_LG_LM_MC
+}
+subgraph cluster_mem_rw_cap {
+label="mem-cap-rw";
+margin=8
+LD_MC_SD
+LD_LG_MC_SD
+LD_LM_MC_SD
+LD_MC_SD_SL
+LD_LG_LM_MC_SD
+LD_LG_MC_SD_SL
+LD_LM_MC_SD_SL
+LD_LG_LM_MC_SD_SL [xlabel=<⊤M>]
+}
+
+subgraph cluster_exe {
+label="exe";
+margin=8
+EX_LD_MC
+EX_LD_LG_MC
+EX_LD_LM_MC
+EX_LD_LG_LM_MC
+EX_LD_MC_SR
+EX_LD_LG_MC_SR
+EX_LD_LM_MC_SR
+EX_LD_LG_LM_MC_SR [xlabel=<⊤X>]
+}
+
+SD -> 0 [label="SD", fontsize=10]
+LD -> 0 [label="LD", fontsize=10]
+US -> 0 [label="US", fontsize=10]
+SE -> 0 [label="SE", fontsize=10]
+U0 -> 0 [label="U0", fontsize=10]
+LD_SD -> SD [label="LD", fontsize=10]
+LD_SD -> LD [label="SD", fontsize=10]
+LD_MC -> LD [label="MC", fontsize=10]
+SE_US -> US [label="SE", fontsize=10]
+U0_US -> US [label="U0", fontsize=10]
+SE_US -> SE [label="US", fontsize=10]
+SE_U0 -> SE [label="U0", fontsize=10]
+U0_US -> U0 [label="US", fontsize=10]
+SE_U0 -> U0 [label="SE", fontsize=10]
+LD_MC_SD -> LD_SD [label="MC", fontsize=10]
+LD_MC_SD -> LD_MC [label="SD", fontsize=10]
+LD_LM_MC -> LD_MC [label="LM", fontsize=10]
+LD_LG_MC -> LD_MC [label="LG", fontsize=10]
+EX_LD_MC -> LD_MC [label="EX", fontsize=10]
+SE_U0_US -> SE_US [label="U0", fontsize=10]
+SE_U0_US -> U0_US [label="SE", fontsize=10]
+SE_U0_US -> SE_U0 [label="US", fontsize=10]
+LD_MC_SD_SL -> LD_MC_SD [label="SL", fontsize=10]
+LD_LM_MC_SD -> LD_MC_SD [label="LM", fontsize=10]
+LD_LG_MC_SD -> LD_MC_SD [label="LG", fontsize=10]
+LD_LM_MC_SD -> LD_LM_MC [label="SD", fontsize=10]
+LD_LG_LM_MC -> LD_LM_MC [label="LG", fontsize=10]
+EX_LD_LM_MC -> LD_LM_MC [label="EX", fontsize=10]
+LD_LG_MC_SD -> LD_LG_MC [label="SD", fontsize=10]
+LD_LG_LM_MC -> LD_LG_MC [label="LM", fontsize=10]
+EX_LD_LG_MC -> LD_LG_MC [label="EX", fontsize=10]
+EX_LD_MC_SR -> EX_LD_MC [label="SR", fontsize=10]
+EX_LD_LM_MC -> EX_LD_MC [label="LM", fontsize=10]
+EX_LD_LG_MC -> EX_LD_MC [label="LG", fontsize=10]
+EX_LD_LM_MC_SR -> EX_LD_MC_SR [label="LM", fontsize=10]
+EX_LD_LG_MC_SR -> EX_LD_MC_SR [label="LG", fontsize=10]
+LD_LM_MC_SD_SL -> LD_MC_SD_SL [label="LM", fontsize=10]
+LD_LG_MC_SD_SL -> LD_MC_SD_SL [label="LG", fontsize=10]
+LD_LM_MC_SD_SL -> LD_LM_MC_SD [label="SL", fontsize=10]
+LD_LG_LM_MC_SD -> LD_LM_MC_SD [label="LG", fontsize=10]
+LD_LG_MC_SD_SL -> LD_LG_MC_SD [label="SL", fontsize=10]
+LD_LG_LM_MC_SD -> LD_LG_MC_SD [label="LM", fontsize=10]
+LD_LG_LM_MC_SD -> LD_LG_LM_MC [label="SD", fontsize=10]
+EX_LD_LG_LM_MC -> LD_LG_LM_MC [label="EX", fontsize=10]
+EX_LD_LM_MC_SR -> EX_LD_LM_MC [label="SR", fontsize=10]
+EX_LD_LG_LM_MC -> EX_LD_LM_MC [label="LG", fontsize=10]
+EX_LD_LG_MC_SR -> EX_LD_LG_MC [label="SR", fontsize=10]
+EX_LD_LG_LM_MC -> EX_LD_LG_MC [label="LM", fontsize=10]
+EX_LD_LG_LM_MC_SR -> EX_LD_LM_MC_SR [label="LG", fontsize=10]
+EX_LD_LG_LM_MC_SR -> EX_LD_LG_MC_SR [label="LM", fontsize=10]
+LD_LG_LM_MC_SD_SL -> LD_LM_MC_SD_SL [label="LG", fontsize=10]
+LD_LG_LM_MC_SD_SL -> LD_LG_MC_SD_SL [label="LM", fontsize=10]
+LD_LG_LM_MC_SD_SL -> LD_LG_LM_MC_SD [label="SL", fontsize=10]
+EX_LD_LG_LM_MC_SR -> EX_LD_LG_LM_MC [label="SR", fontsize=10]
+
+
+LD_MC_SD -> MC_SD [label="LD", fontsize=10]
+MC_SD -> SD [label="MC", fontsize=10]
+
+}
diff --git a/archdoc/misc/perms/perms5_clustered.pdf b/archdoc/misc/perms/perms5_clustered.pdf
new file mode 100644
index 0000000..f5e4253
Binary files /dev/null and b/archdoc/misc/perms/perms5_clustered.pdf differ
diff --git a/archdoc/misc/perms/perms_clustered.png b/archdoc/misc/perms/perms_clustered.png
new file mode 100644
index 0000000..39e7a38
Binary files /dev/null and b/archdoc/misc/perms/perms_clustered.png differ
diff --git a/archdoc/preamble-saildoc-macros.tex b/archdoc/preamble-saildoc-macros.tex
new file mode 100644
index 0000000..729c142
--- /dev/null
+++ b/archdoc/preamble-saildoc-macros.tex
@@ -0,0 +1,280 @@
+\makeatletter
+\newcommand{\makesailcmds@core}[2]{%
+ \input{#2/commands.tex}
+ \ea\newcommand\csname #1code\endcsname[1]{%
+ \csname #1fcl##1execute\endcsname%
+ \bigskip%
+ }%
+ \ea\WithSuffix\ea\newcommand\csname #1code\endcsname*[1]{%
+ \csname #1fcl##1execute\endcsname%
+ }%
+ \ea\newcommand\csname #1valandfun\endcsname[1]{%
+ \csname #1##1\endcsname \csname #1fn#1\endcsname%
+ }%
+}
+
+% We could have sail macro call us back for more formatting flexibility.
+%\newcommand{\saildescribe}[2]{
+% \lstinputlisting[language=sail]{#2}
+%
+% \hangindent=\parindent #1
+%}
+
+% The following macros define how we would like sail code to be documented.
+% There is one per category of sail top-level (val spec, typedef, function, function clause etc)
+% currently we only use val and fcl.
+% They are called by latex generated by sail with
+% #1 the latex for any doc-comment from the sail
+% #2 a lstinputlisting invocation that
+\newcommand{\saildocval}[2]{%
+#2%
+\par%
+\hangindent=\parindent #1%
+\medskip%
+}
+\newcommand{\saildocfcl}[2]{%
+#1 #2%
+}
+\newcommand{\saildocfn}[2]{%
+#1 #2%
+}
+\newcommand{\saildoctype}[2]{%
+#1 #2%
+}
+
+\newcommand{\@saildoclabelled@capture}[2]{%
+ \global\def\@saildoclabelled@name{#1}%
+ \global\def\@saildoclabelled@body{#2}%
+}
+
+\newcommand{\@saildocfcl@capture}[2]{%
+ \global\def\@saildocfcl@doc{#1}%
+ \global\def\@saildocfcl@fcl{#2}%
+}
+
+\newcommand{\@saildoc@makeerrcmd}[1]{%
+ \ea\def\csname #1@error\endcsname{%
+ \GenericError{[saildoc] }{Missing definition}{%
+ [saildoc] \@backslashchar#1 should have been defined.\MessageBreak%
+ Check your Sail version if you re-generated the LaTeX.%
+ }{}%
+ }%
+}
+
+\@saildoc@makeerrcmd{@saildoclabelled@name}
+\@saildoc@makeerrcmd{@saildoclabelled@body}
+\@saildoc@makeerrcmd{@saildocfcl@doc}
+\@saildoc@makeerrcmd{@saildocfcl@fcl}
+
+\newcommand{\@saildoc@makeforbiddenseccmd}[1]{%
+ \ea\def\csname @saildoc@#1\ea\endcsname{%
+ \GenericError{[saildoc] }{Forbidden command}{%
+ [saildoc] \@backslashchar#1 is not allowed.%
+ }{}%
+ }%
+}
+
+% Always use starred variant
+\newcommand{\@saildoc@makenestedseccmd}[2]{%
+ \ea\def\csname @saildoc@#1\endcsname{%
+ \@ifstar{}{}\csname #2\endcsname*%
+ }%
+}
+
+\@saildoc@makeforbiddenseccmd{part}
+\@saildoc@makeforbiddenseccmd{chapter}
+\@saildoc@makeforbiddenseccmd{section}
+% subsection is special (but still maps to subsubsection); see below
+\@saildoc@makenestedseccmd{subsubsection}{paragraph}
+\@saildoc@makenestedseccmd{paragraph}{subparagraph}
+\@saildoc@makeforbiddenseccmd{subparagraph}
+
+\let\@saildoc@subsection@allowed\@empty
+\newcommand{\@saildoc@subsection@allow}[1]{%
+ \ea\def\ea\@saildoc@subsection@allowed\ea{%
+ \@saildoc@subsection@allowed%
+ \@saildoc@subsection@allowed@iter{#1}%
+ }%
+}
+\@saildoc@subsection@allow{Description}
+\@saildoc@subsection@allow{Exceptions}
+\@saildoc@subsection@allow{Notes}
+
+\newcommand{\@saildoc@subsection@valid}[1]{}
+
+\newcommand{\@saildoc@subsection@invalid}[1]{%
+ \GenericError{[saildoc] }{Invalid subsection}{%
+ [saildoc] `#1' is not a valid subsection.%
+ }{}%
+}
+
+\newcommand{\@saildoc@subsection@duplicate}[1]{%
+ \GenericError{[saildoc] }{Duplicate subsection}{%
+ [saildoc] `#1' is defined more than once.%
+ }{}%
+}
+
+\newcommand{\@saildoc@subsection@validate}[1]{{%
+ \def\@saildoc@subsection@allowed@iter##1{%
+ \ifthenelse{\equal{#1}{##1}}{%
+ \let\@saildoc@subsection@validate@action\@saildoc@subsection@valid%
+ }{%
+ }%
+ }%
+ \ea\ifx\csname @saildoc@subsection@body@#1\endcsname\relax%
+ \let\@saildoc@subsection@validate@action\@saildoc@subsection@invalid%
+ \@saildoc@subsection@allowed%
+ \else%
+ \let\@saildoc@subsection@validate@action\@saildoc@subsection@duplicate%
+ \fi%
+ \@saildoc@subsection@validate@action{#1}%
+}}
+
+\NewEnviron{@saildoc@subsection}[1]{%
+ \@saildoc@subsection@validate{#1}%
+ \ea\ea\ea\global\ea\ea\ea\def\ea\csname @saildoc@subsection@body@#1\ea\endcsname\ea{\BODY}%
+}
+
+\newcommand{\@saildoc@subsection@print}[1]{%
+ \ea\ifx\csname @saildoc@subsection@body@#1\endcsname\relax%
+ \else%
+ \ea\ifx\csname @saildoc@subsection@body@#1\endcsname\@empty%
+ \else%
+ \subsubsection*{#1}%
+ \csname @saildoc@subsection@body@#1\endcsname%
+ \fi%
+ \fi%
+}
+
+\newcommand{\@saildoc@subsection@clear}{{%
+ \def\@saildoc@subsection@allowed@iter##1{%
+ \ea\global\ea\let\csname @saildoc@subsection@body@##1\endcsname\@undefined%
+ }%
+ \@saildoc@subsection@allowed%
+}}
+
+\newcommand{\@saildoc@xpatchcmd@repeat}[3]{%
+ \xpatchcmd{#1}{#2}{#3}{\@saildoc@xpatchcmd@repeat{#1}{#2}{#3}}{}%
+}
+
+\newcommand{\@saildoc@environ@guard}[2]{%
+ % See \makesailcmds for why this space is needed
+ #1{#2} %
+}
+
+\newcommand{\@saildoc@textbf}[1]{%
+ \ifcsname @capperm@\detokenize{#1}\endcsname%
+ \csname @capperm@\detokenize{#1}\endcsname%
+ \else%
+ \textbf{#1}%
+ \fi%
+}
+
+\newcommand{\makesailcmds}[2]{%
+ \makesailcmds@core{#1}{#2}%
+ \ea\newcommand\csname #1isarefbody\endcsname[1]{{%
+ %
+ % Given:
+ %
+ % \saildoclabelled{foo}{\saildocfcl{bar}{baz}}
+ %
+ % we expand to capture foo, and expand the second argument again to capture
+ % bar and baz.
+ %
+ \global\let\@saildoclabelled@name\@saildoclabelled@name@error%
+ \global\let\@saildoclabelled@body\@saildoclabelled@body@error%
+ \global\let\@saildocfcl@doc\@saildocfcl@doc@error%
+ \global\let\@saildocfcl@fcl\@saildocfcl@fcl@error%
+ %
+ \let\saildoclabelled\@saildoclabelled@capture%
+ \let\saildocfcl\@saildocfcl@capture%
+ %
+ \csname #1code\endcsname*{##1}%
+ \@saildoclabelled@body%
+ %
+ \ea\ea\ea\ifx\ea\ea\ea\relax\ea\detokenize\ea{\@saildocfcl@doc}\relax%
+ \GenericWarning{}{#1 Warning: `##1` is not documented}%
+ \fi%
+ %
+ % Now for the fcl body, rewrite:
+ %
+ % Foo
+ % \subsection*{Exceptions}
+ % Bar
+ % \subsection*{Notes}
+ % Baz
+ %
+ % to:
+ %
+ % \@saildoc@environ@guard{\begin{@saildoc@subsection}}{Description}
+ % Foo
+ % \end{@saildoc@subsection}
+ % \@saildoc@environ@guard{\begin{@saildoc@subsection}}{Exceptions}
+ % Bar
+ % \end{@saildoc@subsection}
+ % \@saildoc@environ@guard{\begin{@saildoc@subsection}}{Notes}
+ % Baz
+ % \end{@saildoc@subsection}
+ %
+ % as well as using \@saildoc@subsubsection etc for all the other section
+ % commands. We allow the non-starred \subsection too.
+ %
+ % The extra space inserted by \@saildoc@environ@guard is required to avoid:
+ %
+ % \begin{@saildoc@subsection}{Foo}\end{@saildoc@subsection}
+ %
+ % as the lack of a token before \end confuses environ and makes it split
+ % Foo into argument "F" and body "oo". The space gets stripped away so
+ % \BODY will be empty.
+ %
+ \xpretocmd{\@saildocfcl@doc}{\@saildoc@environ@guard{\begin{@saildoc@subsection}}{Description}}{}{}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\part}{\@saildoc@part}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\chapter}{\@saildoc@chapter}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\section}{\@saildoc@section}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\subsection*}{\end{@saildoc@subsection}\@saildoc@environ@guard{\begin{@saildoc@subsection}}}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\subsection}{\end{@saildoc@subsection}\@saildoc@environ@guard{\begin{@saildoc@subsection}}}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\subsubsection}{\@saildoc@subsubsection}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\paragraph}{\@saildoc@paragraph}%
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\subparagraph}{\@saildoc@subparagraph}%
+ \xapptocmd{\@saildocfcl@doc}{\end{@saildoc@subsection}}{}{}%
+ %
+ % We also want to format various special names in our own way, all of which
+ % currently use \textbf in the saildoc output.
+ %
+ \@saildoc@xpatchcmd@repeat{\@saildocfcl@doc}{\textbf}{\@saildoc@textbf}%
+ %
+ % Now we have the right \begin and \end macros, with the latter directly
+ % visible to environ without any expansion, we can capture their contents
+ % by expanding again.
+ %
+ \@saildocfcl@doc%
+ %
+ % Finally reassemble the documentation in the right order with the Sail in
+ % the right place. We use \csuse to avoid having to pre-initialise
+ % everything to \@empty.
+ %
+ % Also add a label so that instruction references from saildoc resolve
+ % correctly. This label is not added by the saildoc generator so we insert
+ % it manually here using the sail mangling: z. This is
+ % really a valspec mangling, which allows us to link to the description
+ % rather than the function body and so saildoc's inability to reference
+ % function clauses in markdown turns out to be useful.
+ %
+ \label{#1z##1}%
+ \@saildoc@subsection@print{Description}%
+ %
+ \subsubsection*{Semantics}%
+ \phantomsection%
+ \label{\@saildoclabelled@name}%
+ \noindent\@saildocfcl@fcl%
+ %
+ \@saildoc@subsection@print{Exceptions}%
+ %
+ \@saildoc@subsection@print{Notes}%
+ %
+ % Reset state for next time
+ %
+ \@saildoc@subsection@clear%
+ }}%
+}
+\makeatother
diff --git a/archdoc/preamble.tex b/archdoc/preamble.tex
new file mode 100644
index 0000000..1e1770e
--- /dev/null
+++ b/archdoc/preamble.tex
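Review bot: The comment in `\makesailcmds` reading `We use \csuse to avoid having to pre-initialise everything to \@empty` no longer matches the code: nothing in this file calls `\csuse`, and `\@saildoc@subsection@print` instead tests the body macro against `\relax` and `\@empty` with `\ea\ifx\csname @saildoc@subsection@body@#1\endcsname`, so the sentence should be reworded to describe that check or dropped. In `\@saildoc@makeforbiddenseccmd` the definition line is `\ea\def\csname @saildoc@#1\ea\endcsname{%` while the sibling `\@saildoc@makenestedseccmd` writes `\ea\def\csname @saildoc@#1\endcsname{%`; assuming `\ea` is `\expandafter` as its other uses here suggest, the extra `\ea` before `\endcsname` only acts on the following brace and is a no-op, so it reads as a leftover and the two definitions should be made consistent.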
@@ -0,0 +1,556 @@
+\errorcontextlines 10000
+\usepackage{xparse}
+\usepackage{xspace}
+\usepackage{environ}
+\usepackage{suffix}
+\usepackage{xpatch}
+
+%\renewcommand{\baselinestretch}{2} % double space for editors
+\usepackage[headings]{fullpage}
+\usepackage{bitset}
+\usepackage{comment}
+\usepackage{graphicx}
+\usepackage{marginnote}
+\usepackage{booktabs}
+\usepackage{ifthen}
+\usepackage{bytefield}
+\usepackage{rotating}
+\usepackage{pdflscape}
+\usepackage{tabularx}
+\usepackage{multirow, bigdelim}
+\usepackage{geometry}
+\input{binhex}
+\makeatletter\@ifclassloaded{standalone}{%
+% The svgnames option conflicts with \documentclass[tikz]{standalone}
+\usepackage{xcolor}
+}{% else
+\usepackage[svgnames]{xcolor}
+}\makeatother % end of \@ifclassloaded{standalone}
+\definecolor{lightgray}{gray}{0.8}
+\usepackage{times}
+\usepackage{algpseudocode}
+\newcommand{\note}[2]{{\color{blue}[ Note: #1 - #2]}}
+%%%%
+%%%% For releases, uncomment to cause notes to disappear:
+%%%%
+\renewcommand{\note}[2]{\relax\ifhmode\unskip\fi}
+\newcommand{\deprecated}[2]{{\color{grey}[ Note: #1 - #2]}}
+\newcommand{\arnote}[1]{\note{#1}{Alex R.}}
+\newcommand{\dcnote}[1]{\note{#1}{David C.}}
+\newcommand{\jrtcnote}[1]{\note{#1}{Jess C.}}
+\newcommand{\jwnote}[1]{\note{#1}{Jon W.}}
+\newcommand{\knnote}[1]{\note{#1}{Kyndylan N.}}
+\newcommand{\nwfnote}[1]{\note{#1}{nwf}}
+\newcommand{\psnote}[1]{\note{#1}{Peter S.}}
+\newcommand{\rmnnote}[1]{\note{#1}{Robert N.}}
+
+% \newcommand{\TODO}[1]{{\color{red}TODO #1}}
+\newcommand{\TODO}[1]{}
+
+\usepackage{listings}
+\usepackage{rotating}
+\usepackage{setspace}
+\usepackage{enumitem}
+\setlist{noitemsep}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage{makecell}
+\usepackage{hyphenat}
+
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+
+\usepackage{tikz}
+ \usetikzlibrary{calc}
+ \usetikzlibrary{decorations.pathreplacing}
+ \usetikzlibrary{fit}
+ \usetikzlibrary{matrix}
+ \usetikzlibrary{positioning}
+ \usetikzlibrary{shapes}
+ \usetikzlibrary{patterns}
+
+\newcommand*{\circnum}[2][gray!25]{%
+ \protect\tikz[baseline={([yshift=-1.5pt]n.base)}]%
+ \protect\node[fill=#1,shape=circle,inner sep=1pt,draw](n){\tiny #2};}
+\newlist{inenum}{enumerate*}{1}
+\setlist[inenum]{label={\circnum{\arabic*}}}
+
+% Makes complex expansions slightly more readable
+\let\ea\expandafter
+
+\usepackage[scaled=0.82]{beramono}
+
+\input{preamble-saildoc-macros}
+
+\makesailcmds{sailRISCV}{sail_latex_riscv}
+\newcommand{\isail}[1]{\lstinline[language=sail]{#1}}
+\newcommand{\optype}[1]{\subsection{#1 Instructions}}
+
+% Must be included later than setspace, otherwise all footnote hyperlinks
+% point to the title page.
+% PS HACK
+%\usepackage[hidelinks]{hyperref}
+\usepackage[colorlinks]{hyperref}
+% Glossaries must be included after hyperref.
+\usepackage[toc,nonumberlist]{glossaries}
+\usepackage[nottoc]{tocbibind}
+\usepackage[capitalise]{cleveref}
+ \Crefname{appendix}{Appendix}{Appendices}
+ \Crefname{figure}{Figure}{Figures}
+\usepackage{footnote}
+\usepackage{threeparttable}
+\definecolor{CodeColour}{rgb}{0.9,0.9,0.9} %Light grey
+\lstset{basicstyle=\small\ttfamily,
+ stringstyle=\textit, %italic strings
+ keywordstyle=\textbf, %Bold keywords
+ commentstyle=,
+ breaklines=true, % Wrap long lines
+ numbers=left, % Line numbers on the left
+ frame=l, %Border on the left
+ framerule=0.8pt, % Thick border
+ backgroundcolor=\color{CodeColour}, %Coloured code listings
+ numberstyle={\small \oldstylenums}, %tiny, old style line numbers
+ %stepnumber=5, % Number every fifth line
+ numbersep=5pt, % Five points between the line numbers and the text
+ tabsize=4
+}
+\lstdefinelanguage{llvm}
+{
+ morekeywords={private, constant, i8, i32, define, icmp, label, i64, call, void, ret, getelementptr, br, load, align, nounwind},
+ morekeywords={addrspace, inttoptr, ptrtoint, tail},
+ morecomment=[l];
+}%
+
+\lstdefinelanguage{sail}
+ { morekeywords={val,function,cast,type,forall,foreach,from,to,overload,operator,enum,union,undefined,exit,and,assert,sizeof,
+ scattered,register,inc,dec,if,then,else,effect,let,as,@,in,end,Type,Int,Order,match,clause,struct},
+ morestring=[b]",
+ stringstyle={\ttfamily\color{red}},
+ showstringspaces=false,
+ morecomment=[l][\itshape\color{DarkGreen}]{//},
+ morecomment=[s][\itshape\color{DarkGreen}]{/*}{*/},
+ deletestring=[bd]{'},
+ escapechar=\#,
+ emphstyle={\it},
+ numbers=none,
+ frame=none,
+ backgroundcolor=\color{White},
+ aboveskip=0em,
+ belowskip=0em,
+ }
+
+\lstdefinelanguage{bluespec}
+{ morekeywords={function,endfunction,for,struct,typedef,Integer,Bit,Bool,TSub,TAdd,return,if,method},
+ morestring=[b]"'=’-<>,
+ stringstyle={\ttfamily\color{red}},
+ morecomment=[l][\itshape\color{DarkGreen}]{//},
+ morecomment=[s][\itshape\color{DarkGreen}]{/*}{*/},
+ emphstyle={\it},
+}
+
+\lstnewenvironment{ccodelisting}{\lstset{language=C}}{}
+\lstnewenvironment{llvmlisting}{\lstset{language={llvm}}}{}
+\newcommand{\ccode}[1]{\lstinline[backgroundcolor=\color{white},language=C]|#1|}
+\newcommand{\llvmir}[1]{\lstinline[backgroundcolor=\color{white},language={llvm}]|#1|}
+\newcommand{\asm}[1]{\lstinline[backgroundcolor=\color{white},language={}]|#1|}
+\lstnewenvironment{asmcode}{\lstset{language=}}{}
+\newcommand{\regname}[1]{{\small\ttfamily\$#1}}
+
+\newcommand{\baselineboxformatting}[1]{%
+ % Measure size of contents
+ \sbox0{#1}%
+ % Use the difference between the contents' height and the bitbox's height,
+ % clamped to [-.44\baselineskip, 0], as our minimum depth.
+ \setlength{\skip0}{\ht0 - \height}%
+ \ifdim\skip0>0pt%
+ \setlength{\skip0}{0}%
+ \else%
+ \ifdim\skip0<-.44\baselineskip%
+ \setlength{\skip0}{-.44\baselineskip}%
+ \fi%
+ \fi%
+ \centering\rule[\skip0]{0pt}{\height}#1%
+}
+\bytefieldsetup{boxformatting=\baselineboxformatting}
+
+% Well this is gross, but it lets us align baselines between labels and
+% bytefields in tabular environments... by pretending that the label is
+% a "bytefield" of one bit of the right width, with no bounding lines.
+\newcommand{\raiseforbf}[1]{%
+ {\begin{bytefield}[bitwidth=\widthof{#1}]{1} \bitbox[]{1}{#1} \end{bytefield}}%
+}
+
+\makeatletter
+\newdimen\rotateinbitbox@height
+\newcommand{\rotateinbitbox}[1]{%
+ \rotateinbitbox@height=\height%
+ \rotatebox{90}{\makebox[\rotateinbitbox@height][c]{#1}}%
+}
+\makeatother
+
+\hyphenation{CheriBSD}
+\hyphenation{FreeBSD}
+\hyphenation{CTSRD}
+\hyphenation{CheriRTOS}
+\hyphenation{CompartOS}
+
+\newcommand{\cheriot}{CHERIoT}
+\newcommand{\cherimcu}{\cheriot{}}
+\newcommand{\cherimcuos}{\cheriot{} RTOS}
+\newcommand{\cherimcuisa}{\cheriot{} ISA}
+
+\reversemarginpar
+\setlength{\marginparwidth}{1.2in}
+\let\oldmarginpar\marginpar
+\renewcommand\marginpar[1]{\-\oldmarginpar[\raggedright\footnotesize #1]%
+{\raggedright\footnotesize #1}}
+
+\newcommand{\defn}[1]{\textbf{#1}}
+\newcommand{\flag}[1]{{\tt \small #1}}
+\newcommand{\literal}[1]{{\tt \small #1}}
+\newcommand{\function}[1]{{\tt \small #1}}
+\newcommand{\keyword}[1]{\textit{#1}}
+
+% Register names
+\newcommand{\reg}[1]{{\bf R#1}} % MIPS register numbers
+\newcommand{\creg}[1]{{\bf C#1}} % Capability register numbers
+\newcommand{\mreg}[1]{{\bf \$#1}} % MIPS ABI register names
+\newcommand{\PC}{{\bf PC}}
+\newcommand{\SP}{{\bf SP}}
+\newcommand{\EPC}{{\bf EPC}}
+\newcommand{\PCC}{{\bf PCC}}
+\newcommand{\CGP}{{\bf CGP}}
+\newcommand{\DDC}{{\bf DDC}}
+\newcommand{\CNULL}{{\bf CNULL}}
+\newcommand{\IDC}{{\bf IDC}}
+\newcommand{\TSC}{{\bf TSC}}
+\newcommand{\KRC}{{\bf KR1C}}
+\newcommand{\KQC}{{\bf KR2C}}
+\newcommand{\KCC}{{\bf KCC}}
+\newcommand{\KDC}{{\bf KDC}}
+\newcommand{\ErrorEPCC}{{\bf ErrorEPCC}}
+\newcommand{\EPCC}{{\bf EPCC}}
+\newcommand{\CULR}{{\bf CULR}}
+\newcommand{\CPLR}{{\bf CPLR}}
+\newcommand{\EXL}{{\bf EXL}}
+\newcommand{\KSU}{{\bf KSU}}
+\newcommand{\ErrorEPC}{{\bf ErrorEPC}}
+\newcommand{\causereg}{{\bf cause}}
+\newcommand{\capcausereg}{{\bf capcause}}
+
+% RISC-V new register names
+\newcommand{\UTCC}{{\bf UTCC}}
+\newcommand{\UTDC}{{\bf UTDC}}
+\newcommand{\UScratchC}{{\bf UScratchC}}
+\newcommand{\UEPCC}{{\bf UEPCC}}
+\newcommand{\STCC}{{\bf STCC}}
+\newcommand{\STDC}{{\bf STDC}}
+\newcommand{\SScratchC}{{\bf SScratchC}}
+\newcommand{\SEPCC}{{\bf SEPCC}}
+\newcommand{\MTCC}{{\bf MTCC}}
+\newcommand{\MTDC}{{\bf MTDC}}
+\newcommand{\MScratchC}{{\bf MScratchC}}
+\newcommand{\MEPCC}{{\bf MEPCC}}
+\newcommand{\xTCC}{{\bf {\it x}TCC}}
+\newcommand{\xTDC}{{\bf {\it x}TDC}}
+\newcommand{\xScratchC}{{\bf {\it x}ScratchC}}
+\newcommand{\xEPCC}{{\bf {\it x}EPCC}}
+\newcommand{\xccsr}{\texttt{{\it x}ccsr}}
+\newcommand{\mccsr}{\texttt{mccsr}}
+\newcommand{\sccsr}{\texttt{sccsr}}
+\newcommand{\uccsr}{\texttt{uccsr}}
+% RISC-V existing registers
+\newcommand{\xtval}{\texttt{{\it x}tval}}
+\newcommand{\xtvec}{\texttt{{\it x}tvec}}
+\newcommand{\mtval}{\texttt{mtval}}
+\newcommand{\mtvec}{\texttt{mtvec}}
+\newcommand{\stvec}{\texttt{stvec}}
+\newcommand{\utvec}{\texttt{utvec}}
+\newcommand{\xepc}{\texttt{{\it x}epc}}
+\newcommand{\mepc}{\texttt{mepc}}
+\newcommand{\sepc}{\texttt{sepc}}
+\newcommand{\uepc}{\texttt{uepc}}
+\newcommand{\xcause}{\texttt{{\it x}cause}}
+\newcommand{\mcause}{\texttt{mcause}}
+\newcommand{\scause}{\texttt{scause}}
+\newcommand{\ucause}{\texttt{ucause}}
+\newcommand{\xRET}{\insnnoref{{\it x}RET}}
+
+\newcommand{\AL}{{\bf AL}}
+\newcommand{\AX}{{\bf AX}}
+\newcommand{\FS}{{\bf FS}}
+\newcommand{\GS}{{\bf GS}}
+\newcommand{\EAX}{{\bf EAX}}
+\newcommand{\CAX}{{\bf CAX}}
+\newcommand{\CBP}{{\bf CBP}}
+\newcommand{\CBX}{{\bf CBX}}
+\newcommand{\CFS}{{\bf CFS}}
+\newcommand{\CGS}{{\bf CGS}}
+\newcommand{\CDI}{{\bf CDI}}
+\newcommand{\CIP}{{\bf CIP}}
+\newcommand{\KGS}{{\bf KGS}}
+\newcommand{\CRTWO}{{\bf CR2}}
+\newcommand{\CRFOUR}{{\bf CR4}}
+\newcommand{\CRFIVE}{{\bf CR5}}
+\newcommand{\CRTWELVE}{{\bf CR12}}
+\newcommand{\CS}{{\bf CS}}
+\newcommand{\CSI}{{\bf CSI}}
+\newcommand{\CSP}{{\bf CSP}}
+\newcommand{\IDT}{{\bf IDT}}
+\newcommand{\IST}{{\bf IST}}
+\newcommand{\KSC}{{\bf KSC}}
+\newcommand{\RAX}{{\bf RAX}}
+\newcommand{\RBP}{{\bf RBP}}
+\newcommand{\RBX}{{\bf RBX}}
+\newcommand{\RCX}{{\bf RCX}}
+\newcommand{\RDI}{{\bf RDI}}
+\newcommand{\REX}{{\bf REX}}
+\newcommand{\RIP}{{\bf RIP}}
+\newcommand{\RSI}{{\bf RSI}}
+\newcommand{\RSP}{{\bf RSP}}
+\newcommand{\RFLAGS}{{\bf RFLAGS}}
+\newcommand{\TSS}{{\bf TSS}}
+\newcommand{\CSTAR}{{\bf CSTAR}}
+\newcommand{\STAR}{{\bf IA32\_STAR}}
+\newcommand{\LSTAR}{{\bf IA32\_LSTAR}}
+\newcommand{\KGSBASE}{{\bf IA32\_KERNEL\_GS\_BASE}}
+
+% Capability register fields
+\newcommand{\ctag}{{\bf tag}}
+\newcommand{\csealed}{{\bf s}}
+\newcommand{\cperms}{{\bf perms}}
+\newcommand{\cuperms}{{\bf uperms}}
+\newcommand{\cflags}{{\bf flags}}
+\newcommand{\cotype}{{\bf otype}}
+\newcommand{\ccursor}{{\bf cursor}}
+\newcommand{\caddress}{{\bf address}}
+\newcommand{\cbase}{{\bf base}}
+\newcommand{\clength}{{\bf length}}
+\newcommand{\coffset}{{\bf offset}}
+\newcommand{\cbound}{{\bf top}}
+
+% CHERI-128 v1 capability fields
+\newcommand{\ctobase}{{\bf toBase}}
+\newcommand{\ctobound}{{\bf toBound}}
+\newcommand{\cformat}{{\bf FT}}
+\newcommand{\cexponent}{{\bf e}}
+\newcommand{\csign}{{\bf SN}}
+
+% CHERI-128 v1 capability fields
+\newcommand{\cbasebits}{{\bf baseBits}}
+\newcommand{\ctopbits}{{\bf topBits}}
+\newcommand{\ccarries}{{\bf C}}
+
+% CHERI-128 candidate 3 fields
+\newcommand{\ctop}{{\bf top}}
+%\newcommand{\rbase}{\textbf{base\textsubscript{req}}}
+\newcommand{\rbase}{\textbf{base\_req}}
+\newcommand{\cbasecorrection}{\textbf{c\textsubscript{b}}}
+%\newcommand{\cbasecorrection}{\textbf{c\_b}}
+%\newcommand{\rlength}{\textbf{length\textsubscript{req}}}
+\newcommand{\rlength}{\textbf{rlength}}
+\newcommand{\ctopcorrection}{\textbf{c\textsubscript{t}}}
+%\newcommand{\ctopcorrection}{\textbf{ctop}} - SWM: why use this version?
+\newcommand{\cB}{{\bf B}}
+\newcommand{\cT}{{\bf T}}
+\newcommand{\caddr}{{\bf a}}
+
+% Architectural parameters
+\newcommand{\xlen}{{\texttt{XLEN}}}
+\newcommand{\clen}{{\texttt{CLEN}}}
+
+% Field used in several compression formats
+\newcommand{\cmuperms}{$\boldsymbol{\mu}\textbf{perms}$}
+
+% Stylized permission bit. Starred form omits Permit\_ prefix for informal
+% references.
+\NewDocumentCommand{\capperm}{sm}{\textsc{\small\IfBooleanTF{#1}{}{Permit\_}#2}\xspace}
+% Permission bit convenience macros
+% We define a short form for normal use and a long @-command form for internal
+% use by saildoc.
+\makeatletter
+\NewDocumentCommand{\makecapperm}{smm}{%
+ \def\@make@capperm##1##2{%
+ \ea\NewDocumentCommand\csname @capperm@\detokenize{##2#3}\endcsname{s}{%
+ \IfBooleanTF{####1}{\capperm*}{\capperm##1}{#3}%
+ }%
+ \ea\ea\ea\let\ea\csname capperm#2\ea\endcsname%
+ \csname @capperm@\detokenize{##2#3}\endcsname%
+ }%
+ \IfBooleanTF{#1}{\@make@capperm{*}{}}{\@make@capperm{}{Permit\_}}%
+ \let\@make@capperm\undefined%
+}
+\makeatother
+\makecapperm{ASR}{Access\_System\_Registers}
+\makecapperm*{ID}{Iterrupt\_Disable}
+\makecapperm{Cid}{Set\_CID}
+\makecapperm{CInvoke}{CInvoke}
+\makecapperm{L}{Load}
+\makecapperm{LC}{Load\_Capability}
+\makecapperm{LM}{Load\_Mutable}
+\makecapperm{S}{Store}
+\makecapperm{Seal}{Seal}
+\makecapperm{MC}{Load\_Store\_Capability}
+\makecapperm{SC}{Store\_Capability}
+\makecapperm{SLC}{Store\_Local\_Capability}
+\makecapperm{Unseal}{Unseal}
+\makecapperm{X}{Execute}
+% No Permit_, so always use starred form even if not given
+\makecapperm*{G}{Global}
+\makecapperm{ILG}{Load\_Global}
+\makecapperm*{AL}{Allocator}
+\makecapperm*{UZ}{User\_Perm0}
+
+\makeatletter
+\newcommand{\@insnlabelname}[2]{insn:#1:#2}
+\newcommand{\@insnlabel}[2]{\label{\@insnlabelname{#1}{#2}}}
+
+% If no optional argument is passed (internally, if an empty second argument is
+% passed), the lowercased text is the label reference
+\newcommand{\@insnrefnofont}[3]{{%
+ \if\relax\detokenize{#2}\relax% optional arg not passed
+ % NB: \lowercase is not expandable so is outside the \def.
+ \lowercase{\def\@insnrefnofont@insnname{#3}}%
+ \else% optional arg passed
+ \def\@insnrefnofont@insnname{#2}%
+ \fi%
+ \hyperref[\@insnlabelname{#1}{\@insnrefnofont@insnname}]{#3}%
+}}
+
+\NewDocumentCommand{\@insnfmt}{sm}{%
+ \IfBooleanTF{#1}{#2}{{\tt \small #2}}%
+}
+
+\NewDocumentCommand{\@insnref}{smmm}{%
+ \IfBooleanTF{#1}{\@insnfmt*}{\@insnfmt}{\@insnrefnofont{#2}{#3}{#4}}%
+}
+
+\newcommand{\@makeinsncmds@explicit}[2]{%
+ \ea\newcommand\csname insn#1labelname\endcsname[1]{\@insnlabelname{#2}{##1}}%
+ \ea\newcommand\csname insn#1label\endcsname[1]{\@insnlabel{#2}{##1}}%
+ \ea\NewDocumentCommand\csname insn#1ref\endcsname{sO{}m}{%
+ \IfBooleanTF{##1}{\@insnref*}{\@insnref}{#2}{##2}{##3}%
+ }%
+}
+\newcommand{\@makeinsncmds}[1]{\@makeinsncmds@explicit{#1}{#1}}
+
+\@makeinsncmds{mips}
+\@makeinsncmds{riscv}
+
+\newcommand{\definsnarch}[1]{\def\@definsnarch{#1}}
+\@makeinsncmds@explicit{}{\@definsnarch}
+
+\let\insnnoref\@insnfmt
+\makeatother
+
+% Default is RISC-V
+\definsnarch{riscv}
+
+\newcommand{\cherithreeop}[5][NOHEADER]{
+\begin{bytefield}{32}
+ \ifthenelse{\equal{#1}{NOHEADER}}{}
+ {\bitheader[endianness=big]{0,5,6,10,11,15,16,20,21,25,26,31}}\\
+ \bitbox{6}{{\color{Grey}0x12}}
+ \bitbox{5}{0x0}
+ \bitbox{5}{#3}
+ \bitbox{5}{#4}
+ \bitbox{5}{#5}
+ \bitbox{6}{#2}
+\end{bytefield}%
+}
+\newcommand{\cheritwoop}[4][NOHEADER]{\cherithreeop[#1]{{\color{Grey}0x3f}}{#3}{#4}{#2}}
+\newcommand{\cherioneop}[3][NOHEADER]{\cheritwoop[#1]{{\color{Grey}0x1f}}{#3}{#2}}
+
+
+\newcommand{\usesDDCinsteadofNULL}[1]{%
+\paragraph{Note:}
+If the encoded value of \emph{#1} is zero, this instruction will use
+\DDC{} as the \emph{#1} operand
+}
+
+% When specifying instructions in pseudocode:
+\newcommand{\algorithmicnot}{\textbf{not}}
+\newcommand{\algorithmicand}{\textbf{and}}
+\newcommand{\algorithmicor}{\textbf{or}}
+\newcommand{\algorithmictrue}{\textbf{true}}
+\newcommand{\algorithmicfalse}{\textbf{false}}
+\newcommand{\algorithmicwith}{\textbf{with}}
+
+\DeclareMathOperator{\msb}{msb}
+\DeclareMathOperator{\clz}{clz}
+
+% Markdown and Sail's LaTeX backend don't do well with literal < and >, so add
+% \lt and \gt macros like \le and \ge.
+\let\lt<
+\let\gt>
+
+\makeatletter
+\newcount\@autogrid@col
+\newcount\@autogrid@cols
+\def\@autogrid@cr{%
+ \global\advance\@autogrid@col 1\relax%
+ \ifnum\@autogrid@col=\@autogrid@cols%
+ \def\@autogrid@cr@body{\cr}%
+ \global\@autogrid@col=0\relax%
+ \else%
+ \def\@autogrid@cr@body{&}%
+ \fi%
+ \@autogrid@cr@body%
+ \let\\\@autogrid@cr%
+}
+\newenvironment{autogrid}[1]{%
+ \let\@autogrid@format\@empty%
+ \@autogrid@cols=\numexpr(#1)\relax%
+ \@autogrid@col=0\relax%
+ \loop\ifnum\@autogrid@col<\@autogrid@cols%
+ \ea\def\ea\@autogrid@format\ea{\@autogrid@format l}%
+ \advance\@autogrid@col 1\relax%
+ \repeat%
+ \@autogrid@col=0\relax%
+ \def\@autogrid@begintabular{\begin{tabular}}%
+ \ea\@autogrid@begintabular\ea{\@autogrid@format}%
+ \let\\\@autogrid@cr%
+}{%
+ \end{tabular}%
+}
+\makeatother
+
+
+\makeatletter\@ifclassloaded{standalone}{%
+% No need for glossary or bibliography when building tikz figures
+}{% else
+\renewcommand{\glossarypreamble}{\label{glossary}}
+\makeglossaries
+
+\input{glossary}
+
+
+%% bibliography setup:
+% UK date format in bibliography:
+\usepackage[british]{babel}
+\usepackage{csquotes} % recommended for biblatex
+% list up to 99 names instead of the default 3 and set
+% giveninits=true to match the abbrv bibtex style.
+\usepackage[backend=bibtex,bibencoding=utf8,style=numeric,sortcites,maxnames=99,giveninits=true]{biblatex}
+\addbibresource{cheri.bib}
+% Note: \citetitle formats the title differently depending on the type of entry,
+% whereas this macro always uses \textit{}
+\newcommand*{\citetitleit}[1]{\textit{\citefield{#1}{title}}}
+
+
+% Skip unncessary bibtex fields in the bibliography
+\AtEveryBibitem{%
+\clearfield{issn}%
+\clearfield{urldate}%
+\clearfield{urlyear}%
+\clearfield{review}%
+\clearfield{series}%
+\clearfield{note}%
+\clearfield{address}%
+% avoid printing both isbn and DOI
+\iffieldundef{doi}{}{\clearfield{isbn}}%
+% we don't want 15 JJ Thomson Avenue, Cambridge for every techreport
+% Note: location is a list not a field so we need \clearlist
+\clearlist{location}%
+}
+}\makeatother % end of \@ifclassloaded{standalone}
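Review bot: `\makecapperm*{ID}{Iterrupt\_Disable}` misspells the permission name, so `\cappermID` and its saildoc `@capperm@` alias will typeset "Iterrupt_Disable" in the specification wherever that bit is referenced; it should read `\makecapperm*{ID}{Interrupt\_Disable}`. `\usepackage{rotating}` is loaded twice (once in the first package block and again right after `listings`); the repeat is a no-op but should be dropped. `\deprecated` uses `\color{grey}` while the bytefield opcode macros use `\color{Grey}`; xcolor's base set only defines `gray`, and `Grey` appears to depend on the `svgnames` option that the `standalone` branch deliberately omits, so both spellings may fail to resolve in figure builds — worth confirming by building a standalone figure. The comment `% Skip unncessary bibtex fields` has a typo and should read `% Skip unnecessary bibtex fields in the bibliography`.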