The Need for a Failure Model for Security

Abstract

Researchers in fault tolerance have long made use of the notion of a failure model, which describes the different ways a component in a system can fail. For example, a node can fail quietly (that is, it sends out no information), it can fail with respect to timing (that is, it sends out information too late), it can fail arbitrarily, or it can fail maliciously. The intent of the failure model for fault tolerance is to make it possible to develop different types of algorithms that address different kinds of failures. Security has traditionally followed a different type of approach. When security is modeled, it is assumed that the system is trying to operate in the face of a hostile adversary with unlimited capabilities in certain areas. For example, the modeling of secure operating systems assumes the existence of Trojan Horse code that is able to signal information along covert channels, while the modeling of secure protocols assumes the existence of an intruder who is able to read and modify all traffic, gain control of nodes, and compromise old secret information. In the actual development of secure systems such assumptions may be relaxed, of course, but for theoretical models the most stringent assumptions usually apply.


Document Details

Document Type
Technical Report
Publication Date
Jan 01, 1994
Accession Number
ADA462531

Entities

People

  • Catherine Meadows

Organizations

  • United States Naval Research Laboratory

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Abstracts
  • Computer Access Control
  • Computer Programs
  • Computers
  • Cybersecurity
  • Denial Of Service Attack
  • Fault Tolerance
  • Information Operations
  • Language
  • Military Research
  • Natural Language Processing
  • Natural Languages
  • Operating Systems
  • Security
  • Trojan Horse

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computational Modeling and Simulation
  • Cybersecurity
  • Educational Psychology