This paper presents a visual language called Miro for specifying and restricting operating system security configurations. A Miro picture specifies exactly what rights users have on files. A Miro constraint, also stated visually, restricts the set of Miro pictures that are considered legal. Such constraints on pictures give an exact specification of security policies and a practical method for alerting users to potential security holes. The language is easy to use and succinct.

This research was sponsored by IBM and the Maryland Procurement Office under Contract No. MDA904-88-C-6005. Additional support for J. Wing was provided in part by the National Science Foundation under grant CCR-8620027 and for J. D. Tygar under a Presidential Young Investigator Award, Contract No. CCR-8858087. M. Maimone (under contract N00014-88-K-0641) and A. Moormann are also supported by fellowships from the Office of Naval Research. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.