Archives

Generating Policies for Defense in Depth

  • Paul Rubel
  • Michael Ihde
  • Steven Harp

Coordinating multiple overlapping defense mechanisms, at differing levels of abstraction, is fraught with the potential for misconfiguration, so there is strong motivation to generate policies for those mechanisms from a single specification in order to avoid that risk. This paper presents our experience and the lessons learned as we developed, validated and coordinated network communication security policies for a defense-in-depth enabled system that withstood sustained red team attack. Network communication was mediated by host-based firewalls, process domain mechanisms and application-level security policies enforced by the Java virtual machine. We coordinated the policies across the layers using a variety of tools, but we discovered that, at least for defense-in-depth enabled systems, constructing a single specification from which to derive all policies is probably neither practical nor even desirable.

Course of Action Generation for Cyber Security Using Classical Planning

We report on the results of applying classical planning techniques to the problem of analyzing computer network vulnerabilities. Specifically, we are concerned with the generation of Adversary Courses of Action, which are extended sequences of exploits leading from some initial state to an attacker’s goal. In this application, we have demonstrated the generation of attack plans for a simple but realistic web-based document control system, with excellent performance compared to the prevailing state of the art in this area. In addition to the new capabilities gained in the area of vulnerability analysis, this implementation provided some insights into performance and modeling issues for classical planning systems, both specifically with regard to METRIC-FF and other forward heuristic planners, and more generally for classical planning. To facilitate additional work in this area, the domain model on which this work was done will be made freely available. See the paper’s Conclusion for details.

Generating Policies for Defense in Depth (DiD)

  • Paul Rubel
  • Michael Ihde
  • Steven Harp

In 2002, the Defense Advanced Research Projects Agency (DARPA) challenged the research community to design and demonstrate an unprecedented level of survivability for an existing US Department of Defense (DoD) information system by combining Commercial-Off-The-Shelf (COTS) technologies with those developed by DARPA. The development team, led by BBN Technologies, produced a solution architecture entitled Designing Protection and Adaptation into a Survivability Architecture (DPASA).

Formal Modeling and Analysis of the AFDX Frame Management Design

The Avionics Full Duplex Switched Ethernet (AFDX) has been developed to provide reliable data exchange with strong data transmission time guarantees in internal communication of the aircraft. The AFDX design is based on the principle of a switched network with physically redundant links to support availability and be tolerant to transmission and link failures in the network. In this work, we develop a formal model of the AFDX frame management to ascertain the reliability properties of the design. To capture the precise temporal semantics, we model the system as a network of timed automata and use UPPAAL to model-check for the desired properties expressed in CTL. Our analysis indicates that the design of the AFDX frame management is vulnerable to faults such as network babbling which can trigger unwarranted system resets. We show that these problems can be alleviated by modifying the original design to include a priority queue at the receiver for storing the frames. We also suggest communicating redundant copies of the reset message to achieve tolerance to network babbling.

Extremely Secure Method for Keying Stored Contents to a Specific Storage Device

  • Christopher M. Carpenter
  • Todd Carpenter
  • John Masles
  • Chris Paul Dudte

An extremely secure method for keying source contents to a source storage medium is provided to prevent use of unauthorized copies at minimal cost. The host processor combines a unique, immutable and verifiable physical attribute of a hard disk drive, i.e., the drive’s defect list, with the content to be secured to write a corresponding fingerprinted encrypted content on a source medium. When a local processor wants to use the sanctioned source content, the fingerprinted content is read from a local storage medium. The local processor then decrypts and separates the defect list out of the source content and reads the local storage medium defect list. If the decrypted defect list matches the local storage medium defect list, then the local processor recognizes the local sanctioned medium and continues processing the source contents. Otherwise, a non-matching defect list indicates an unauthorized copy from the source to the local storage medium.

Proceedings of the Seventeenth International Conference on Automated Planning and Scheduling

The annual ICAPS conference series was formed in 2003 through the merger of two pre-existing biennial conferences, the International Conference on Artificial Intelligence Planning Systems (AIPS) and the European Conference on Planning (ECP). ICAPS continues the traditional high standards of AIPS and ECP as an archival forum for new research in the field of automated planning and scheduling. In 2007 ICAPS is collocated with the Constraint Programming conference (CP). The intention behind this collocation is to encourage communication between the two communities, build on existing collaborations, and encourage the development of new opportunities for the cross-fertilization of ideas.

Preemptive Scheduling of Multi-Criticality Systems with Varying Degrees of Execution Time Assurance

This paper is based on a conjecture that the more confidence one needs in a task execution time bound (the less tolerant one is of missed deadlines), the larger and more conservative that bound tends to become in practice. We assume different tasks perform functions having different criticalities and requiring different levels of assurance. We assume a task may have a set of alternative worst-case execution times, each assured to a different level of confidence. This paper presents ways to use this information to obtain more precise schedulability analysis and more efficient preemptive fixed priority scheduling. These methods are evaluated using workloads abstracted from production avionics systems.

Method for determining ranges for algorithmic variables for a processor that uses fixed point arithmetic

A method of determining ranges for algorithmic variables for a processor that uses fixed point arithmetic is provided. The method comprises expressing overflow requirements of processor instructions as inequalities. The method also expresses precision requirements and expressiveness requirements as inequalities and merit functions. A global constraint and optimizer tool is used to find ranges for algorithmic variables based on the inequalities and the merit functions. The use of constraint equation solving and optimization finds optimal algorithmic ranges that provide overflow-free arithmetic as well as optimal expressiveness and precision.

Locally adaptable central security management in a heterogeneous network environment

  • Daniel Jay Thomsen
  • Richard O'Brien
  • Jessica Bogle

US Patent Number 7,308,702

A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.

Deep Green Seedling: Language for Investigating Myriad Eventualities

The Language for Investigating Myriad Eventualities (LIME) is intended to serve as a domain modeling and inter-module communication language within Deep Green (DG). Given the representational requirements of DG, LIME needs to be able to encompass uncertain action outcomes, limited information and contingent planning and execution, reasoning about resources, state abstraction, trajectory constraints, temporally extended and overlapping actions, adversary planning and action, dynamically created and destroyed objects and resources, and task decomposition, among other things.

The goal of the seedling is to provide a head start to the Deep Green program, by defining language requirements and a set of design recommendations. This report describes the current status of those design recommendations. To the extent possible, the recommendations are implementation-neutral, because there is more than one way to approach these problems and, more pragmatically, the DG program has not yet started, so exactly how the software gets implemented depends on who gets the contract.
