Center for High Assurance Computer Systems (CHACS) Publications


McLean, John D. and Meadows, Catherine A. "Composable Security Properties," Proc. Computer Security Foundations Workshop II, in Cipher, Fall, 1989.


McLean, John D. and Meadows, Catherine A. "The Reliable Specification of Software," Proc. COMPASS '88, IEEE Press, 1988.

McLean, John D. "The Algebra of Security," Proc. 1988 IEEE Symposium on Research in Security and Privacy, IEEE Press, 1988.


Kain, Richard Y. and Landwehr, Carl E. "On Access Checking in Capability-Based Systems," IEEE Trans. on Software Engineering Vol. SE-13, No. 2 (Feb. 1987) pp. 202-207; reprinted from Proc. 1986 IEEE Symposium on Security and Privacy, April, 1986, Oakland, CA; shared the symposium Best Paper award. PostScript, PDF

Public descriptions of capability-based system designs often do not clarify the necessary details concerning the propagation of access rights within the systems. A casual reader may assume that it is adequate for capabilities to be passed in accordance with the rules for data copying. A system using such a rule cannot enforce either the military security policy or the Bell and LaPadula rules. The paper shows why this problem arises and provides a taxonomy of capability-based designs. Within the space of design options defined by the taxonomy we identify a class of designs that cannot enforce the Bell-LaPadula rules and two designs that do allow their enforcement.

McLean, John D. "The Computer Security Foundations Workshop," Cipher, 1987.

McLean, John D. "Reasoning about Security Models," Proc. 1987 IEEE Symposium on Research in Security and Privacy, IEEE Press, 1987.


Landwehr, Carl E. and H.O. Lubbes. "Determining Security Requirements for Complex Systems with the Orange Book," Proc. Eighth National Computer Security Conference, Gaithersburg, MD, Oct., 1985. pp. 156-162. ASCII, HTML

McLean, John D. "A Comment on the 'Basic Security Theorem' of Bell and LaPadula," Information Processing Letters, vol. 20, no. 2, Feb. 1985.


Landwehr, Carl E., and J.M. Carroll. "Hardware Requirements for Secure Computer Systems: A Framework," in Proc. 1984 IEEE Symposium on Security and Privacy, Oakland, CA, April 23-26, 1984. PostScript, PDF

This report develops a new set of criteria for evaluating computer architectures that are to support systems with security requirements. Central to these criteria is the concept of a 'domain', here interpreted as a set of information and authorizations for the manipulation of that information in a computer system. Architectural requirements are grouped in three categories: logical structure, the processing of logical structures, and physical structure. These criteria were developed in order to assess the utility of Navy standard computers as bases for secure embedded systems, but they are not specific to those computers.

Landwehr, Carl E., C.L. Heitmeyer, and J. McLean. "A Security Model for Military Message Systems," ACM Trans. on Computer Systems Vol. 9, No. 3 (Aug. 1984), pp. 198-222.

Military systems that process classified information must operate in a secure manner; i.e., they must adequately protect information against unauthorized disclosure, modification, and withholding. A goal of current research in computer security is to facilitate the construction of "multilevel secure systems," systems that protect information of different classifications from users with different clearances. Security models are used to define the concept of security embodied by a computer system. A single model, called the Bell and LaPadula model, has dominated recent efforts to build secure systems but has deficiencies. We are developing a new approach to defining security models based on the idea that a security model should be derived from a specific application. To evaluate our approach, we have formulated a security model for a family of military message systems. This paper introduces the message system application, describes the problems of using the Bell-LaPadula model in real applications, and presents our security model both informally and formally. Significant aspects of the security model are its definition of multi-level objects and its inclusion of application-dependent security assertions. Prototypes based on this model are being developed.

McLean, John D. "A Formal Method for the Abstract Specification of Software," Journal of the ACM, vol. 31, no. 3, July 1984.

McLean, John D., C. Landwehr, and C. Heitmeyer. "A Formal Statement of the MMS Security Model," Proc. 1984 IEEE Symposium on Research in Security and Privacy, IEEE Press, 1984.


Heitmeyer, Constance L. and McLean, John D. "Abstract Requirements Specification: A New Approach and Its Application," IEEE Transactions on Software Engineering, vol. 9, no. 5, Sept. 1983.

Landwehr, Carl E. "Best Available Technologies for Computer Security," IEEE COMPUTER, Vol. 16, No. 7 (July 1983), pp.86-100. [Reprinted in Advances in Computer System Security, Volume II, Rein Turn, Ed., Artech House, Dedham, MA, 1984, pp. 76-107.]


Landwehr, Carl E. "Formal Models for Computer Security," ACM Computing Surveys, Vol. 13, Number 3 (September, 1981). Also published as NRL Report 8494, September, 1981. Translated and reprinted in Japanese computer journal "bit," Shuppan Kyoritsu, Tokyo, 1983, No. 1 (January), pp. 95-124. [Reprinted in Advances in Computer System Security, Volume II, Rein Turn, Ed., Artech House, Dedham, MA, 1984, pp. 108-122.]
