About
158
Publications
72,627
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
1,898
Citations
Introduction
Dr. Jim Alves-Foss is a cyber security researcher with over 30
years experience in the design and analysis of secure systems. He has conducted research into secure system architectures, formal methods, network security, cryptographic protocols, embedded system security, operating system security, and computer forensics.
Most notably he was team lead on the 2-person CSDS team that qualified as finalists in the DARPA Cyber Grand Challenge.
Current institution
Additional affiliations
August 2001 - July 2003
August 1991 - present
Publications
Publications (158)
Automated software vulnerability analysis is a very difficult—and generally unsolvable— problem. Thus, in June 2014, DARPA launched the Cyber Grand Challenge (CGC), a competition designed to spur innovation in fully automated software vulnerability analysis and repair. In this article, we discuss the challenges we faced in this competition.
DARPA initiated the Cyber Grand Challenge (CGC) in 2014 to encourage innovation in fully automated software vulnerability analysis and repair. In the June 2015 CGC Qualifying Event, the competitors' automated systems were given one day to evaluate 131 challenges. The top seven teams, including the University of Idaho's Center for Secure and Dependa...
High-assurance systems require a level of rigor, in both design and analysis, not typical of conventional systems. This paper provides an overview of the Multiple Independent Levels of Security and Safety (MILS) approach to high-assurance system design for security and safety critical embedded systems. MILS enables the development of a system using...
Hardware-based security tagging schemes are promising mechanisms for enhancing the security of computer systems. The idea behind security tagging schemes is to attach labels to memory locations and/or registers to carry security information about the tagged data throughout the system. These tags are then used to protect system and user software fro...
Increasingly complex Android OS applications demand additional software initialization and configuration during startup, which slows system boot time and inconveniences users. The authors propose an approach based on existing snapshot-imaging techniques that can reduce startup time by 80.5 percent and shutdown time by half while avoiding the system...
Formal method tools are used in the initial stages of the software development cycle and have advanced in to deal with the design difficulties related to ensuring strong cybersecurity an reliability in high-assurance systems. Operating system kernels are the security keystone of most computer systems. Their continuous advances require formal verifi...
The effectiveness of binary analysis tools and techniques is often measured with respect to how well they map to a ground truth. We have found that not all ground truths are created equal. This paper challenges the binary analysis community to take a long look at the concept of ground truth, to ensure that we are in agreement with definition(s) of...
Due to the characteristics and connectivity of today’s critical infrastructure systems, cyber-attacks on these systems are currently difficult to prevent in an efficient and sustainable manner. Prevention and mitigation strategies need accurate identification and evaluation of: system vulnerabilities, potential threats and attacks, and applicable h...
If an attacker is able to successfully subvert a device within a network, that often gives them easier access to spread the intrusion to other devices in the network. Common guidance, such as that provided in NIST SP 800-82, recommends network separation and segregation to enforce least privilege within a network, to act as a mitigation against suc...
Automated cyber defense tools require the ability to analyze binary applications, detect vulnerabilities and automatically patch those vulnerabilities. The insertion of security mechanisms that operate at function boundaries (e.g, control flow mitigation, stack guards) require automated detection of those boundaries. This paper introduces a publicl...
Cyber-attack attempts against critical infrastructure have been increasing in recent years. In the event of a successful cyber-attack on critical infrastructure, the potential for widespread loss of access to a critical resource, like electricity, is high. Automated and adversary-aware risk assessment approaches may be useful in defending the natio...
For ease of use and access, web browsers are now being used to access and modify sensitive data and systems including critical control systems. Due to their computational capabilities and network connectivity, browsers are vulnerable to several types of attacks, even when fully updated. Browsers are also the main target of phishing attacks. Many br...
The current global workforce's cybersecurity skills shortage has attained a critical level. Training and educating well-skilled cybersecurity personnel in the numbers needed will require steady, successful, and scalable efforts. One of the best practices for learning cybersecurity skills is the use of hands-on exercises. We have developed and succe...
The electric power research and education communities and industry have been successfully sharing and using common IEEE Bus power system models for many years. This has enabled researchers, engineers, and educators to better communicate their findings and comparatively validate power analysis solutions using a common model set. However, today’s pow...
Due to the characteristics and connectivity of today’s Cyber-Physical Control Systems (CPCS) and critical infrastructures, cyber-attacks on these systems are currently difficult to prevent in an efficient and sustainable manner. Prevention and mitigation need accurate identification and evaluation of: system vulnerabilities, likely threats and atta...
Active network threats are substantial hurdles for achieving absolute network security. This hurdle is due to the ability of highly infectious threats, like viruses and worms to propagate and duplicate autonomously and automatically, over a network. Currently, many of these active threats have been programmed to "evolve" during their duplication an...
Power grids are undergoing their largest technological transformation since their invention. They are adopting technologies like Phasor Measurement Units (PMU) to obtain real- time measurements of the system and report them to the control center for contingency analysis. These additional technologies may enhance reliability by providing a better re...
Currently, preventing and mitigating cyber-attacks on cyber-physical control systems (CPCS) is a major challenge. A successful process for cyber-attack prevention and mitigation requires continuous vulnerability identification, threat modelling, risk assessment, hardening strategy design, and timely and correct implementation. These processes requi...
Network segmentation and encrypted tunnels are very effective means for increasing the security of today's networks. The needed functionality is already present in all enterprise-class network devices such as routers and switches. These network devices are currently configured using low-level configuration files. In order to ensure that implemented...
SQL injection attacks (SQLIA) still remain one of the most commonly occurring and exploited vulnerabilities. A considerable amount of research concerning SQLIA mitigation techniques has been conducted with the primary resulting solution requiring developers to code defensively. Although, defensive coding is a valid solution, the current market dema...
This paper discusses a research project that develops enhanced security protections for operating systems running on security enhanced microprocessors. Security tagging schemes are promising mechanisms for enhancing the security of computer systems. The idea of tagging schemes is to attach metadata tags to memory and registers to carry information...
Security tagging schemes are known as promising mechanisms for providing security features in computer systems. Tags carry information about the tagged data throughout the system to be used in access control and other security mechanisms. This paper discusses several different uses of security tags related to different security policies, highlighti...
Typical real-time systems handle a hybrid task set consisting of periodic
and aperiodic tasks. This paper addresses the covert timing channel issues
in scheduling a set of hybrid tasks for Multi-Level Secure (MLS) real-time
systems. After identifying timing vulnerabilities
in several existing hybrid scheduling algorithms, we propose security mea...
A variation of the suspend-resume technique eliminates the need to initialize the Linux kernel, and when combined with approaches to enhance external memory read speed and shrink the suspend image, can decrease Android OS boot time by up to 90 percent.
Abstract This report outlines an approach to formal modelling and reasoning about security of multi-partition execution environments (MPS). Several different,models of MPS are presented, starting with a simple two-partition system where the partitions are completely isolated from one another to a full n-partition system, where specific partitions a...
Securing computer systems is an ongoing task that requires involvement of users, system administrators, and developers. There has been a lot of discussion of embedded computer security in the computer science curriculum, but that is insufficient. It's necessary to provide training to keep workers up to date, and to educate them. In this article, th...
Security and privacy policies are stated in the context of abstract concepts such as users/roles, objects and actions that relate to a specific level of abstraction in the system design. Refinement of the abstract design down to lower level implementations can result in a disconnect between the implementation and the more abstract security policy....
The C integer types are prone to errors due to unchecked casting that can leave programs vulnerable to a host of security exploits. These errors manifest themselves when there is a semantic disconnect between the programmer’s view of the language and the actual implementation of the programming language. To help detect these errors, we are developi...
Most modern software is vulnerable to attack from a wide range of sources. To assist the system developer,
researchers are looking at hardware-based security tagging schemes to enhance system security. This paper addresses the design and implementation of a new tagging scheme for access control and information flow; specifically the implementation...
Introduction to Software Cyber security Assurance and Testing Minitrack
In previous simulation studies, attackers were assumed to respond to changes in reward with an S shaped curve and to changes in security with a declining S shaped curve. This paper reports experimental work that investigates the validity of those assumptions. In general, the results suggest that the assumptions are reasonable.
A lot of effort has been put into researching client-side attacks, including vulnerabilities like cross-site scripting, cross-site request forgery, and more recently, clickjacking. Similar to other client-side attacks, a clickjacking vulnerability can use the browser to exploit weaknesses in cross domain isolation and the same origin policy. It doe...
![Figure 1. Dividing data (Adapted from [1])](profile/Jim-Alves-Foss/publication/220496658/figure/fig1/AS:276981255032835@1443048885556/Dividing-data-Adapted-from-1_Q320.jpg)
Database-as-a-service is one of many services being marketed as part of cloud computing. It has several major issues and concerns related to security, including data security, trust, expectations, regulations, and performance issues. Proposed resolutions include risk management and better contractual agreements, while solutions include database enc...
As the demand for system virtualization grows, so does the need to securely virtualize a wider range of underlying physical resources which can be shared among multiple guest OSs. Recently, hardware support for virtualization has become available on commodity processors, and is poised to replace software support. Intel and AMD, have rolled out hard...
Resiliency and cyber security of modern critical infrastructures is becoming increasingly important with the growing number of threats in the cyber environment. This paper proposes an extension to a previously developed fuzzy logic based anomaly detection network security cyber sensor via incorporating Type-2 Fuzzy Logic (T2 FL). In general, fuzzy...
Many computational intelligence techniques for anomaly based network intrusion detection can be found in literature. Translating a newly discovered intrusion recognition criteria into a distributable rule can be a human intensive effort. This paper explores a multi-modal genetic algorithm solution for autonomous rule creation. This algorithm focuse...
The DOD community is interested in multicore system-on-a-chip architectures to host Multi-Level Secure (MLS) command and control systems. These systems must be secure and resilient, not unlike hardened real-time control systems used in critical infrastructures. In this paper we discuss how Smart Grid features will fundamentally change our power gri...
We introduce TG/MC, a Monte Carlo approach for evaluating the impact of uncertainty about vulnerabilities upon forecasts of security for a real-world system modeled by a protection graph. A TG/MC model defines a vulnerability as a potential change to an otherwise safe initial protection graph that, if exploited, leads to an unauthorized state, a vi...
1.2 The Processor Model............................... 5
The Cell Broadband Engine processor is a multicore processor that provides high throughput for vector processing that is being considered for use in secure communication and data processing environments. Prior to its acceptance in these facilities, its security features and flaws must be fully explored. However, as a the Cell BE is a multicore syst...
We view Multi-Level Secure (MLS) real-time systems as systems in which MLS real-time tasks are scheduled and execute, according to a scheduling algorithm employed by the system. From this perspective, we develop a general trace-based framework that can carry out a covert-timing channel analysis of a real-time system. In addition, we propose a set o...
The original focus of this project was to investigate cryptographic protocols, and methods for formal design and analysis of those protocols. As time progressed, we found a need to broaden the scope of this work to include the foundational system architecture support needed for these protocols. In this report we provide a summary of the work we con...
Although security plays a major role in the design of software systems, securityrequirements and policies are usually added to an already existing system, not created in conjunctionwith the product. As a result, there are often numerous problems with the overall design. In this paper,we discuss the relationship between software engineering, securit...
Computer science educators have long been concerned over the difficulty with which some students learn to write computer programs; especially the wide disparity in students' abilities to locate and fix faults in the programs they write. We hypothesized that requiring students to categorize faults (as the faults are encountered) would help them bett...
Verified and validated security policies are essential components of high assurance computer systems. The design and implementation of security policies are fundamental processes in the development, deployment, and maintenance of such systems. In this paper, we introduce an expert system that helps with the design and implementation of security pol...
The successful design and implementation of secure systems must include security concerns from the beginning. A component that processes data at multiple security levels is critical and must go through additional evaluation to ensure the processing is secure. It is common practice to isolate and separate the processing of data at different levels i...
The need for rapidly configurable, secure communica-tion among groups of participants has resulted in the study of group key agreement protocols. The study of these protocols has been primarily theoretical. In this paper, we present the results of simu-lation studies of the methods provided by four group-key agreement protocols, EGK, TGDH, STR and...
System security involves decisions in at least three areas: identification of well-defined security policies, selection of cost-effective defence strategies, and implementation of real-time defence tactics. Although choices made in each of these areas affect the others, existing decision models typically handle these three decision areas in isolati...
This paper discusses the design and implementation of a middleware guard for purposes of content filtering and information flow control in the Multiple Independent Levels of Security (MILS) architecture. The MILS initiative is a joint research effort between academia, industry, and government to develop and implement a high assurance real-time arch...
We provide a formal framework for specifying the secure behaviors of a Separation Kernel (SK) with Inter-Partition Communication (IPC) capability which satisfy two requirements: 1) the Multi-Level Secure (MLS) partitioned components (called partitions) running on a SK must communicate with each other through designated communication channels, 2) IP...
As the use of computer systems becomes more commonly employed, managing security becomes more complex. One fundamental key to effective enforcement of security standards is the support of security policies. We present a novel graph-based approach to the specification of security policies and verification of designs that enforce the policies. This m...
There are at least three key decision layers in cost-effective network defense to counter immediate threats: security policies, defense strategies, and real-time defense tactics. A layered decision model (LDM) has been developed to capture the essence of this decision process. The LDM helps decision-makers gain insight into the hierarchical relatio...
To enable the growth of wireless networks in high assurance computer systems, it is essential to establish a security engineering methodology that provides system security managers with a procedural engineering process to develop computer security policies. Our research demonstrates how wireless communication technology is deployed using the Multip...
Multi-level data security is a requirement in many of today’s advanced, real-time embedded systems. Current approaches to meeting multi-level security requirements are based on expensive custom or proprietary hardware and software. However, real-time embedded systems are evolving towards open-system architectures and Commercial Off-The-Shelf (COTS)...
The management of secure communication among groups of participants requires a set of secure and efficient operations. In this paper we extend existing work to present a Communication–Computation Efficient Group Key Algorithm (CCEGK) designed to provide both efficient communication and computation, addressing performance, security and authenticatio...
In this paper, we present the design of a high assurance file server model developed to operate within the Multiple Independent Levels of Security framework. The file server model is a multilevel application that utilizes separation to mediate information flow by adhering to a security policy formulated from a modified version of the Bell and LaPad...
We propose a framework for constructing secure sys- tems at the architectural level. This framework is com- posed of an implementation-oriented formalization of a system's architecture, which we call the formal implemen- tation model, along with a method for the construction of a system based on elementary analysis, implementation, and synthesis st...
Cost-effective network defense includes at least three decision layers: security policies, defense strategies, and real-time defense tactics for countering immediate threats. A layered decision model (LDM) has been proposed to capture this decision process, and help us select cost-effective defense mechanisms to safeguard computer networks. This pa...
The most efficient contributory group key agreement protocols conduct their operations using a tree-based structure to guide communication and computation. Existing performance comparisons of group key protocols have only evaluated the cost of single operations in isolation. This paper expands this work by evaluating the performance impact of tree...
Critical and catastrophic failures in high assurance and critical computing systems can arise from unfounded assumptions of independence between system components, requirements, and constraints (work product sections), which can stem from misunderstandings and miscommunication between system engineers, managers, and operators and from inadequate or...
One fundamental key to successful implementation of secure high assurance computer systems is the design and implementation of security policies. For systems enforcing multiple concurrent policies, the design and implementation is a challenging and difficult task. To simplify this task, we present an Inter-Enclave Multi-Policy (IEMP) paradigm for i...
The successful design and implementation of secure systems must occur from the beginning. A component that must process data at multiple security levels is very critical and must go through additional evaluation to ensure the processing is secure. It is common practice to isolate and separate the processing of data at different levels into differen...
Safeguarding practices for networked systems involves decisions in at least three areas: identification of well- defined security policies, selection of cost-effective defense strategies, and implementation of real-time defense tactics. These practices also apply to the language-based defense mechanism for a software system, which is a subset of a...
The modern digital battlesphere requires the development and deployment of multi-level secure computing systems and networks. A portion of these systems are necessarily be operating under real-time processing constraints. High assurance systems processing national security information must be analyzed for possible information leakages, including co...
![Figure 1: CERT-Number of Reported Security Vulnerabilities Since 1995 [2]](profile/Jim-Alves-Foss/publication/4216457/figure/fig1/AS:647948304146434@1531494322471/CERT-Number-of-Reported-Security-Vulnerabilities-Since-1995-2_Q320.jpg)
Over the last several years, the Computer Science (CS) community has put a great deal of effort in to the area of security research, and have made great advances. Counterintuitively, however, the number and severity of cyber threats is not declining, and further, the overall security of computer systems is not improving. Because of the magnitude of...
The use of security policy enforcement mechanisms has been a topic in recent literature. Particular focus has been on the class of policies that can be enforced by these mechanisms but not on the security policy guiding the execution of the monitoring mechanisms. It has been a challenge to enforce information confidentiality in a multi-level secure...
Real-time systems must satisfy timing constraints. In our previous work, we showed that a covert timing channel cannot be completely closed in some system configura- tions due to the timing constraints imposed by the Rate- Monotonic (RM) real-time scheduling algorithm. In this paper, we construct a probabilistic model to measure two quantities of a...
Multiple Independent Lewis of Security and Safety (MILS) is a joint research effort between academia, industry, and government to develop and implement a high-assurance, real-time architecture for embedded systems. The goal of the MILS architecture is to ensure that all system security policies are non-bypassable, evaluatable, always invoked, and t...
Network safeguarding practices involve decisions in at least three areas: identification of well-defined security policies, selection of cost-effective defense strategies and implementation of real-time defense tactics. Although choices made in each of these three affect the others, many existing decision models handle these three decision areas in...
Establishing verifiably secure communications is a daunting task, especially in unbounded computing networks such as the Internet and the global information grid. The multiple independent levels of security (MILS) architecture has been developed to facilitate this task. Wrappers, filters and mediators, both hardware and software, have been proposed...
A few group key protocols are analyzed, implemented and deployed, but the costs associated with them have been poorly understood. Their analysis of group key agreements performance is based on the cost of performing a single op- eration. In this paper we extend this analysis to examine the performance behavior of five group key protocols after ex-...
We present a formal framework for the analysis of intrusion detection systems (IDS) that employ declarative rules for attack recog- nition, e.g. specification-based intrusion detection. Our approach allows reasoning about the effectiveness of an IDS. A formal framework is built with the theorem prover ACL2 to analyze and improve detection rules of...
Many problems found in complex real-time control systems can be transformed into graph and scheduling problems, thereby inheriting a wealth of potential solutions and prior knowledge. This paper describes a transformation from a real-time control system problem into a graph theoretical formulation in order to leverage existing knowledge of graph th...
Today's critical systems increasingly rely on computers and software. However, market pressure, problems in the application of formal methods, and ineffective traceability techniques may all exacerbate the difficulty of applying adequate assurance techniques to the design and development of safe and trustworthy systems. Necessity dictates that engi...
We propose a security approach for mobile agents, which protects mobile agents from malicious hosts. Our new approach prevents privacy attacks and integrity attacks to mobile agents from malicious hosts. It is an extension of mobile cryptography that removes many problems found in the original ideas of mobile cryptography while preserving most of t...
Mobile agent technology is a new paradigm of dis- tributed computing that can replace the conventional client- server model. However, it has not become popular due to some problems such as security. The fact that computers have complete control over all the programs makes it very hard to protect mobile agents from untrusted hosts. In this paper we...
Past efforts at designing and implementing ultra high assurance systems for government security and safety have centered on the concept of a monolithic security kernel responsible for a system-wide security policy. This approach leads to inflexible, overly complex operating systems that are too large to evaluate at the highest assurance levels (e.g...
Intrusion detection is considered to be an effective technique to detect attacks that violate the security policy of systems. There are basically three different kinds of intrusion detection: Anomaly detection, misuse detection and specification-based intrusion detection [MB02]. Specification-based intrusion detection differs from the others by des...
If a protocol is implemented using a poor password, then the password can be guessed and verified from the messages in the protocol run. This is termed as a guessing attack. Published design and analysis efforts always lacked a general definition for guessing attacks. Further, they never considered possible type-aws in the protocol runs or using me...
If a protocol is implemented using a poor password, then the password can be guessed and verified from the messages in the protocol run. This is termed as a guessing attack. Published design and analysis
efforts always lacked a general definition for guessing attacks. Further, they never considered possible type-flaws in the protocol runs or using...
This paper extends and builds on previous work that presented a signature-based attack recognition technique. We present general requirements for "survivable attack recognition" and discuss how our approach fits the requirements. Empirical results are given along with an estimate of the measured performance. Other work is reviewed within the contex...
Efficient distribution of data is a major challenge in distributed databases. The problem is even more se- vere for distributed object oriented databases because of inheritance, encapsulation and the more complex problem involved when methods invoke other meth- ods. This problem is a harder version of the relational database allocation problem(DAP)...
This paper presents a formal model that interprets authorization policy behaviors. The model establishes a connection of applying authorization policies on an administration domain with dissecting the domain into the authorized, denied, and undefined divisions. This connection enables us to analyze authorization policy development problems such as...
In this paper, we present a model developed for Electric Power Management Systems (EPMS) and Supervisory Control and Data Acquisition (SCADA) systems that allows us to calculate device vulnerability and help power substation operators and administrators identify and harden those portions of the control system that are most vulnerable to cyber attac...
Security protocols involving the use of poorly chosen secrets, usually low-entropy user passwords, are vulnerable to guessing attacks. Here, a penetrator guesses a value in place of the poorly chosen secret and then tries to verify the guess using other information. In this paper we develop a new framework extending strand space theory in the conte...
A new approach to intrusion detection is needed to solve the problems of larger and faster networks and the constraints on system administrator's time to manage security systems. Current network intrusion detection systems lack solutions to these two problems being complex in design and generally incurring larger costs in terms of operation and mai...
This paper presents results of an empirical analysis of NATE (Network Analysis of Anomalous Traffic Events), a lightweight, anomaly based intrusion detection tool. Previous work was based on the simulated Lincoln Labs data set. Here, we show that NATE can operate under the constraints of real data inconsistencies. In addition, new TCP sampling and...
This paper presents an engineering process for authorization policy development. This process includes formal specification, verification, testing and integration. A general architecture along with supporting toolset is described. In addition, a practical solution based on logic programming is further discussed. Finally, an example demonstrating th...
Replay attacks on security protocols have been discussed for quite some time in the literature. However, the efforts to address these attacks have been largely incomplete, lacking generality and many times in fact, proven unsuccessful. In this paper we address these issues and prove the efficacy of a simple and general scheme in defending a protoco...
