Bibliography

1
M. D. Abrams.
Renewed Understanding of Access Control Policies.
In Proceedings of the 16th National Computer Security Conference, pages 87-96, Oct. 1993.
2
M. D. Abrams, L. J. LaPadula, K. W. Eggers, and I. M. Olson.
A Generalized Framework for Access Control: An Informal Description.
In Proceedings of the 13th National Computer Security Conference, pages 135-143, Oct. 1990.
3
D. E. Bell and L. J. La Padula.
Secure Computer Systems: Mathematical Foundations and Model.
Technical Report M74-244, The MITRE Corporation, Bedford, MA, May 1973.
4
T. C. V. Benzel, E. J. Sebes, and H. Tajalli.
Identification of Subjects and Objects in a Trusted Extensible Client Server Architecture.
In Proceedings of the 18th National Information Systems Security Conference, pages 83-99, 1995.
5
B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczynski, D. Becker, C. Chambers, and S. Eggers.
Extensibility, Safety, and Performance in the SPIN Operating System.
In Proc. of the 15th ACM Symp. on Operating Systems Principles, pages 267-284, Copper Mountain, CO, Dec. 1995.
6
W. E. Boebert and R. Y. Kain.
A Practical Alternative to Hierarchical Integrity Policies.
In Proceedings of the Eighth National Computer Security Conference, 1985.
7
M. I. Bushnell.
Towards a New Strategy of OS Design.
GNU's Bulletin, 1(16), Jan. 1994.
8
M. Carney and B. Loe.
A Comparison of Methods for Implementing Adaptive Security Policies.
In Proceedings of the Seventh USENIX Security Symposium, pages 1-14, Jan. 1998.
9
A. Chitturi.
Implementing Mandatory Network Security in a Policy-flexible System.
Master's thesis, University of Utah, 1998.
pp. 70. http://www.cs.utah.edu/projects/flux/fluke/html/flask.shtml.
10
D. F. Ferraiolo, J. A. Cugini, and D. R. Kuhn.
Role-Based Access Control (RBAC): Features and Motivations.
In Proceedings of the Eleventh Annual Computer Security Applications Conference, Dec. 1995.
11
T. Fine and S. E. Minear.
Assuring Distributed Trusted Mach.
In Proceedings IEEE Computer Society Symposium on Research in Security and Privacy, pages 206-218, May 1993.
12
B. Ford, G. Back, G. Benson, J. Lepreau, A. Lin, and O. Shivers.
The Flux OSKit: A Substrate for OS and Language Research.
In Proc. of the 16th ACM Symp. on Operating Systems Principles, pages 38-51, St. Malo, France, Oct. 1997.
13
B. Ford, M. Hibler, J. Lepreau, R. McGrath, and P. Tullmann.
Interface and Execution Models in the Fluke Kernel.
In Proceedings of the 3rd USENIX Symposium on Operating Systems Design and Implementation, pages 101-116, Feb. 1999.
14
B. Ford, M. Hibler, J. Lepreau, P. Tullmann, G. Back, and S. Clawson.
Microkernels Meet Recursive Virtual Machines.
In Proceedings of the Symposium on Operating Systems Design and Implementations, pages 137-151, Oct. 1996.
15
T. Fraser and L. Badger.
Ensuring Continuity During Dynamic Security Policy Reconfiguration in DTE.
In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 15-26, May 1998.
16
M. Gasser.
Building a Secure Computer System.
Van Nostrand Reinhold Company, 1988.
17
I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer.
A Secure Environment for Untrusted Helper Applications.
In Proceedings of the 6th Usenix Security Symposium, July 1996.
18
L. Gong.
A Secure Identity-Based Capability System.
In Proceedings of the 1989 IEEE Symposium on Security and Privacy, pages 56-63, May 1989.
19
R. Graubart.
On the Need for a Third Form of Access Control.
In Proceedings of the 12th National Computer Security Conference, pages 296-304, Oct. 1989.
20
R. Grimm and B. N. Bershad.
Providing Policy-Neutral and Transparent Access Control in Extensible Systems.
In J. Vitek and C. Jensen, editors, Secure Internet Programming: Security Issues for Distributed and Mobile Objects, volume 1603 of Lecture Notes in Computer Science. Springer-Verlag, June 1999.
21
N. Hardy.
The Confused Deputy.
Operating Systems Review, 22(4):36-38, Oct. 1988.
22
T. Jaeger, J. Liedtke, and N. Islam.
Operating System Protection for Fine-Grained Programs.
In Proceedings of the Seventh USENIX Security Symposium, pages 143-157, Jan. 1998.
23
R. Kain and C. Landwehr.
On Access Checking in Capability-Based Systems.
In Proceedings of the 1986 IEEE Symposium on Security and Privacy, pages 66-77, May 1986.
24
P. A. Karger.
New Methods for Immediate Revocation.
In Proceedings of the 1989 IEEE Symposium on Security and Privacy, pages 48-55, May 1989.
25
P. A. Karger and A. J. Herbert.
An Augmented Capability Architecture to Support Lattice Security and Traceability of Access.
In Proceedings of the 1984 IEEE Symposium on Security and Privacy, pages 2-12, May 1984.
26
S. Kent and R. Atkinson.
Security Architecture for the Internet Protocol.
RFC 2401, Internet Engineering Task Force, Nov. 1998.
ftp://ftp.isi.edu/in-notes/rfc2401.txt.
27
S. R. Kleiman.
Vnodes: An Architecture for Multiple File System Types in Sun UNIX.
In Proc. of the Summer 1986 USENIX Conf., pages 238-247, Atlanta, GA, June 1986.
28
C. R. Landau.
Security in a Secure Capability-Based System.
Operating Systems Review, pages 2-4, Oct. 1989.
29
R. Levin, E. Cohen, W. Corwin, P. F., and W. Wulf.
Policy/mechanism separation in Hydra.
In Proceedings of the Fifth Symposium on Operating Systems Principles, pages 132-140, University of Texas at Austin, Nov. 1975. ACM/SIGOPS.
30
J. Liedtke.
Clans and Chiefs.
In Architektur von Rechensystemen. Springer-Verlag, Mar. 1992.
31
K. Loepere.
Mach 3 Kernel Interfaces.
Open Software Foundation and Carnegie Mellon University, Nov. 1992.
32
P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell.
The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments.
In Proceedings of the 21st National Information Systems Security Conference, pages 303-314, Oct. 1998.
http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf.
33
D. Maughan, M. Schertler, M. Schneider, and J. Turner.
Internet Security Association and Key Management Protocol (ISAKMP).
RFC 2408, Internet Engineering Task Force, Nov. 1998.
ftp://ftp.isi.edu/in-notes/rfc2408.txt.
34
C. J. McCollum, J. R. Messing, and L. Notargiacomo.
Beyond the pale of MAC and DAC - defining new forms of access control.
In Proceedings of the 1990 IEEE Symposium on Security and Privacy, pages 190-200, May 1990.
35
S. E. Minear.
Providing Policy Control Over Object Operations in a Mach Based System.
In Proceedings of the Fifth USENIX UNIX Security Symposium, pages 141-156, June 1995.
36
J. G. Mitchell, J. J. Gibbons, G. Hamilton, P. B. Kessler, Y. A. Khalidi, P. Kougiouris, P. W. Madany, M. N. Nelson, M. L. Powell, and S. R. Radia.
An Overview of the Spring System.
In A Spring Collection. Sun Microsystems, Inc., 1994.
37
T. Mitchem, R. Lu, and R. O'Brien.
Using Kernel Hypervisors to Secure Applications.
In Proceedings of the Annual Computer Security Applications Conference, Dec. 1997.
38
D. Olawsky, T. Fine, E. Schneider, and R. Spencer.
Developing and Using a "Policy Neutral" Access Control Policy.
In Proceedings of the New Security Paradigms Workshop. ACM, Sept. 1996.
39
E. I. Organick.
The Multics System: An Examination of its Structure.
MIT Press, 1972.
40
S. A. Rajunas, N. Hardy, A. C. Bomberger, W. S. Frantz, and C. R. Landau.
Security in KeyKOS.
In Proceedings of the 1986 IEEE Symposium on Security and Privacy, pages 78-85, Apr. 1986.
41
S. G. Ravi Sandhu, Venkata Bhamidipati and C. Youman.
The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline.
In Proceedings of the Second ACM Workshop on Role-Based Access Control, pages 41-50, Nov. 1997.
42
D. Redell and R. Fabry.
Selective Revocation of Capabilities.
In Proceedings of the International Workshop on Protection in Operating Systems, pages 192-209, Aug. 1974.
43
Secure Computing Corp.
DTOS Generalized Security Policy Specification.
DTOS CDRL A019, 2675 Long Lake Rd, Roseville, MN 55113, June 1997.
http://www.securecomputing.com/randt/HTML/dtos.shtml.
44
Secure Computing Corp.
Assurance in the Fluke Microkernel: Formal Security Policy Model.
CDRL A003, 2675 Long Lake Rd, Roseville, MN 55113, Feb. 1999.
http://www.cs.utah.edu/projects/flux/fluke/html/flask.shtml.
45
Secure Computing Corp.
Assurance in the Fluke Microkernel: Formal Top-Level Specification.
CDRL A004, 2675 Long Lake Rd, Roseville, MN 55113, Feb. 1999.
http://www.cs.utah.edu/projects/flux/fluke/html/flask.shtml.
46
M. I. Seltzer, Y. Endo, C. Small, and K. A. Smith.
Dealing With Disaster: Surviving Misbehaved Kernel Extensions.
In Proc. of the Second Symp. on Operating Systems Design and Implementation, pages 213-227, Seattle, WA, Oct. 1996. USENIX Assoc.
47
J. S. Shapiro.
EROS: A Capability System.
Technical Report MS-CIS-97-04, University of Pennsylvania, Department of Computer and Information Science, 1997.
48
D. F. Sterne, M. Branstad, B. Hubbard, and B. M. D. Wolcott.
An Analysis of Application Specific Security Policies.
In Proceedings of the 14th National Computer Security Conference, pages 25-36, Oct. 1991.
49
SunSoft, Inc.
Spring Programmer's Guide, 1995.
On-line documentation included in the Spring Research Distribution 1.0.
50
D. S. Wallach, D. Balfanz, D. Dean, and E. W. Felten.
Extensible Security Architectures for Java.
In Proc. of the 16th ACM Symp. on Operating Systems Principles, pages 116-128, Oct. 1997.
51
R. M. Wong.
A Comparison of Secure Unix Operating Systems.
In Proceedings of the Sixth Annual Computer Security Applications Conference, pages 322-333, Dec. 1990.
52
W. Wulf, R. Levin, and P. Harbison.
Hydra/C.mmp: An Experimental Computer System.
McGraw-Hill, 1981.
53
M. E. Zurko and R. Simon.
User-Centered Security.
In Proceedings of the New Security Paradigms Workshop, Sept. 1996.