
Simon Wiseman, Forcepoint
PhD Computer Science, University of Newcastle upon Tyne
About
67 Publications | 8,196 Reads
255 Citations
Introduction
CTO for Zero Trust Content Disarm and Reconstruction within Forcepoint, a global cyber security products company. Conducting practical research into providing defences against advanced cyber threats involving content and the mechanisms that transfer content. The results are directly exploited in the company's products.
Education
September 1984 - September 1988
September 1976 - July 1979
Publications (67)
A model of online services is developed that covers the data layer as well as networking. This recognises that the complexity of useful services is such that they cannot be made free of flaws, and so to defend against cyber-attack the system must be designed to ensure the flaws cannot be exploitable.
Content Transform is a way of defeating cyber attacks by eliminating code and scripts from digital content. However, there are several different ways of achieving this. This paper describes four classes of content transform, each having different properties regards user experience and security, and compares their properties.
Stegware is the use of steganography by malware to avoid detection. It can be used to penetrate a system, to leak sensitive information and to run a command and control channel without detection. Stegware cannot be stopped by defences based on detection, but can be defeated by Content Threat Removal, as this eliminates the redundancy used by stegan...
All businesses must share digital content in some way, but this brings a cyber security risk because attackers use content to carry attacks. To compare the efficacy of the different strategies taken to combat this risk, a framework for understanding the nature of content and how it relates to attacks is developed. This is then used to compare anti-...
A poster that describes the categories of content developed to describe the threat and defences, and shows a summary of the comparison of various techniques based on this.
A poster that shows how the content threat can be described in terms of passive content, active content and exploitive content, plus how different content threat defences compare in these terms.
A poster showing how steganography hides a secret message inside an image, creating a new image that is indistinguishable from the original. There are many different methods for hiding messages, and these can be categorised according to the way they encode the information, how well hidden the secret message is and how well the hidden information su...
Steganography concerns hiding a secret message inside another. There are many different methods for doing this and these have quite different characteristics. The methods can be classified according to how hard it is to detect the hidden message, how well the hidden messages survive routine manipulation of the carrier message and the nature of the...
Organisations have to exchange content with others, but there is an inherent risk in doing so. Incoming content might be carrying malware, outgoing content might be leaking sensitive information and content being exchanged might form a command and control channel for an existing attack.
Sharing data with other organisations is risky. The content mi...
All forms of digital content carry a threat. This is often, but not always, malicious. Efforts to defeat the threat by detecting unsafe data continue to fail, despite considerable resources being applied to the problem by security vendors worldwide. Attackers continually outpace efforts to detect their activity, finding new vulnerabilities to explo...
Methods and apparatus for network security content-checking, in particular simplifying the critical element of a content-checker so that it can be trusted and implemented in hardware logic. A method comprises determining whether a digitally encoded document contains any embedded documents; content-checking, by means of at least one hardware-implem...
Methods, apparatus, and programs for a computer for network security content checking: in particular ones which simplify the critical element of a content checker so it can be trusted and implemented in logic.
Methods and apparatus for use in quantum key distribution (QKD) are described. A quantum QKD signal is generated at a source and transmitted through a fiber optic network to an endpoint, a key being agreed with communication over a classical QKD channel. The classical QKD channel contains additional information relevant to a network over which keys...
Protection of a computer system against attacks using malformed files is applied to an application configured to process files of a predefined Headerless format indicated by a Characteristic pattern of bytes. An incoming file's Characteristic pattern is checked by comparing its leading bytes with Characteristic patterns. If its leading bytes have s...
A method of establishing a quantum key for use between a first network node (QNode1) and a second network node (QNode3) in a network for carrying out quantum cryptography includes a key agreement step carried out by a third node (QNode2) and the second node (QNode3) and a subsequent authentication step carried out by the first and second nodes dire...
A method of authentication between first (QNodeX) and second (QNodeY) network nodes within a network suitable for implementing quantum cryptography comprises steps in which the first and second nodes each generate a cryptographic hash ([MXY]AI, [MYX]AJ) of a message ([MXY], [MYX]) using respective authentication keys (AI, AJ) shared with a third ne...
The invention relates to methods and apparatus for Quantum key distribution. Such methods including authenticating a first node in a communications network with a remote node in the communications network. The authentication may include connecting an authentication device to the first node, agreeing a quantum key between the first node and the remo...
A method of key distribution from a first entity to a second entity including the first entity communicating with a moveable key device so as to share a secret data with said moveable key device, relocating said moveable key device to a location having a quantum link with said second entity, transmitting a quantum signal from said moveable key devi...
A method of performing quantum key distribution across a network. The method involves a first node first agreeing a quantum key with a first intermediate node in the path. Next the intermediate node exchanges a quantum signal with the next node in the path—which is a targeted node. The intermediate node communicates with the first node using the pr...
The method involves exchange of a quantum signal between a first quantum node and a second quantum node as is usual in known quantum key distribution (QKD) schemes. The first quantum node communicates details of the quantum signal it sent or received with a first remote node. The first remote node thus has all the information required to take the...
This invention relates to an optical star network in which different communities of users, such as different businesses, are provided through use of quantum key distribution (QKD). At least one QKD device is located at the central hub of the star network and communicates with QKD devices at the endpoints to establish a separate quantum key, i.e. a...
Method and apparatus for mitigating the effects of security threat involving malicious code concealed in computer files (for example computer viruses, etc.). The method operates by inserting additional strings of arbitrary length within computer files of known type which may contain such security threats. The strings are chosen to have no substanti...
Domain Based Security (DBSy) is an approach to information security that is focused on people and the way they share information. It provides a language for modelling the security needs of an organisation and of systematically analysing the associated security risks. This approach also helps with analysing the risks that arise at different layers...
Computer system protection to protect against harmful data from an external computer network (e.g. the Internet) involves supplying incoming data to a software checker as the data enters a computer system. The checker routes any suspect data to an encryptor which encrypts it to render it unusable and harmless. Encrypted data passes to a computer in...
If sensitive information is to be included in a shared Web, access controls will be required. However, the complex software needed to provide a Web service is prone to failure. To provide access control without relying on such software, encryption can be used. Bob is a prototype system that supports complex access control expressions through the tr...
Modern interconnected computer systems handling classified information can be built using mainstream COTS software platforms. The technique provides each user with a private desktop in which to work, along with services for sharing data. Within a desktop, the user is helped to label their data. When data is shared, labelling prevents accidental com...
A form of security labelling is added to a COTS object relational DBMS. The labelling is discretionary and so provides mediated access to data, but does not defend against the inappropriate release of data through the database, whether by Trojan Horse software or a treacherous user. To counter these risks, business constraints are imposed to ensure...
It is shown how compartmented mode workstation (CMW) technology can be used as the basis of simple assured firewalls, where the vast majority of the evaluation effort required is reused from the evaluation of the CMW. The generic bastion host architecture described provides ITSEC E3 assurance that the unevaluated proxies cannot be bypassed. Assuran...
The UK MOD's emerging strategy for Infosec is described. The strategy accommodates the use of modern COTS software, whilst providing security of equivalent strength to established techniques and supporting the working practices of end-users. The strategy encompasses a new approach to security policy documentation and new implementation techniques w...
SPEAR is an Entity-Relationship approach to modelling database systems which not only captures static requirements, but also dynamic behaviour. The notation can be used to give high level abstract requirements, or more detailed implementation level designs, and an additional refinement notation can be used to describe how specifications at differen...
An efficient machine-oriented representation for security labels is described, along with the means of converting between this and a wide variety of human readable, textual formats. The technique is used in the SWORD secure DBMS to support multilingual applications. Examples show that the UK, US and Canadian marking schemes can be supported.
An instruction set architecture is proposed which aims to reduce overall complexity in the high level language compilation process. The RISC approach moves complexity from the hardware into the compiler, while high level language instruction set computers move complexity from the compiler into the hardware. An alternative is proposed: the HOLISTIC...
Some new security models are presented as a means of understanding the complexities of the Compartmented Mode Workstation dual-label design and the different implementations that are available. The security models, which are based upon a realistic abstraction of a computer, have floating security labels. The models are pessimistic, in that they ass...
Secure systems are often characterised by a mode of operation. This acts as a shorthand for the degree of risk to the information on the system and the minimum security functionality required as a countermeasure. This paper examines the UK definitions of these modes and proposes a model of a system which can be used to capture the distinctions betw...
Although much work has been performed in the areas of database design and MLS DBMSs, little has been done to marry the two areas together. It is shown that the implementation of a secure database design is not a trivial matter. Two MLS DBMSs, SWORD and SeaView, are used to demonstrate the problems of implementing simple secure application requireme...
Some security properties of SWORD are described and mathematically specified in Z using an extended form of Noninterference. These properties relate to SWORD's support for trusted clients, in particular the ability to issue queries that are themselves multi-level objects and receive results structured similarly.
It is proposed that all database security controls except those which provide information flow security can be built using a suitable trigger mechanism. The implementation of an example application, which has a variety of requirements for confidentiality, integrity and accountability, is shown to illustrate the technique. The trigger mechanism is to...
SWORD is a multilevel secure relational database management system. It adopts the 'Insert Low' approach to the provision of confidentiality controls, rather than the more commonly adopted technique of 'Polyinstantiation'. This allows SWORD to enforce confidentiality and elementary integrity constraints, such as uniqueness. Special techniques allow...
It is widely thought that secure applications requiring cover stories must use a DBMS that forces the application to polyinstantiate. An example of the use of cover stories is given and it is shown that this can be implemented satisfactorily, without resorting to polyinstantiation, by using the SWORD secure DBMS. The example application is modelled...
The author discusses the relationship between confidentiality controls, integrity controls and security. There are two kinds of integrity control, defensive checks and voting, and confidentiality controls are an example of automated voting. He discusses polyinstantiation and database security. He looks at SWORD designed for databases. Polyinstantia...
A database is usually expected to give correct and complete answers to queries. However, some applications take confidentiality to an extreme and require the database to deceive some users by supplying incorrect answers. This paper examines these requirements and studies the effectiveness of three database security techniques in this area.
Providing confidentiality of the information held in a database is one of the most important aspects of database security. The problems are described and solutions are considered, with particular reference to the impact of the confidentiality controls on basic database integrity and the availability of the database.
The protection facilities required for computer security are expressed as four basic mechanisms. It is shown how a security model maps to these mechanisms and how they can be implemented on conventional architectures, capability architectures and in high level languages. Great Britain.
Viruses may attack computer systems and carry with them a variety of symptoms. Details of the many ways in which they spread are given and it is shown how this is prevented in conventional systems using procedural controls. More effective measures, which are to be employed in the SMITE secure system, are also described.
A model of security is presented which integrates notions of confidentiality and integrity. This model has been developed to fulfil the needs of the RSRE SMITE project because existing modeling approaches proved to be inadequate. The authors introduce the model and subsequently compare and contrast it with existing approaches. Both an inductive con...
Viruses may attack computer systems and carry with them a variety of symptoms. Details of the many ways in which they spread are given and it is shown how this is prevented in conventional systems using procedural controls. More effective measures, which are to be employed in the SMITE secure system, are also described. Great Britain.
A new security model is proposed which allows the notions of confidentiality and integrity to be expressed in one coherent framework. Confidentiality is taken to be solely concerned with the observation of classified information, while separation of duty is employed as the technique for assuring the integrity of the security labels which are the ba...
Smite is a novel computer architecture implementing a new security policy model which is proposed for use in Government and Military environments where high assurance of complex confidentiality and integrity based security policies is required. This report records results of a one year contract (A94c/2711) carried out by TSL Communications Ltd. Th...
If signaling channels can only be driven by a trusted path, they cannot be exploited by trojan horses in untrusted software. To this end, the SMITE secure computer system provides a general-purpose trusted path, based on a screen editor, which would act as the users' normal interface to the system. The feasibility of the approach relies on the use...
If signaling channels can only be driven by the Trusted Path, they cannot be exploited by Trojan Horses in untrusted software. To this end, the SMITE system aims to provide a general purpose Trusted path, based on a screen editor, which would act as the users' normal interface to the system. The feasibility of the approach relies on the use of a sy...
The SMITE computer system is to be provided with a write once backing store that allows objects to be stored permanently. Capabilities are used for addressing objects and on the fly garbage collection is used to recover inaccessible objects. This paper describes the proposed implementation of the backing store and its garbage collector. Keywords: R...
The SMITE system will support high assurance, yet flexible multi-level secure applications. The SMITE multi-processor capability computer is being developed, based on RSRE's Flex computer architecture, to provide a suitable environment. This paper describes the protection mechanisms provided by the microcoded hardware and introduces the security m...