David M. Chess, Charles C. Palmer, and Steve R. White. Security in an Autonomic Computing Environment. IBM Systems Journal, vol. 42, 2003.
Abstract:
System and network security are vital parts of any autonomic
computing solution. The ability of a system to react consistently
and correctly to situations ranging from benign but unusual events
to outright attacks is key to the achievement of the goals of self-protection, self-healing,
and self-optimization. Because they are often built around the interconnection
of elements from different administrative domains, autonomic systems
raise additional security challenges, including the establishment
of a trustworthy system identity, automatically handling changes
in system configuration and interconnections, and greatly increased
configuration complexity. On the other hand, the techniques of autonomic
computing offer the promise of making systems more secure, by effectively
and automatically enforcing high-level security policies. In this
paper, we discuss these and other security and privacy challenges
posed by autonomic systems and provide some recommendations for
how these challenges may be met.
J. G. Dyer, M. Lindemann, Ronald Perez, Rainer Sailer, S. W. Smith, Leendert van Doorn, and S. Weingart. The IBM Secure Coprocessor: Overview and Retrospective. IEEE Computer, October 2001.
Abstract:
We describe the 4758 (officially, the IBM Cryptographic Coprocessor),
a programmable secure coprocessor manufactured by IBM. We provide
an overview of the architecture, emphasizing the reasoning behind
some of the major decisions and the implementation choices that
were faced. This is combined with a retrospective commentary on
our choices and the constraints we encountered, in light of our experience
of producing the IBM 4758 product and attempting to influence and
encourage its use. We also mention some possible directions for
our current research.
Larry Koved, Aaron Kershenbaum, and Marco Pistoia. Access Rights Analysis for Java. ACM SIGPLAN Notices, vol. 37, no. 11, pp. 359-372, November 2002.
Abstract:
Java 2 has a security architecture that protects systems from
unauthorized access by mobile or statically configured code. The
problem is in manually determining the set of security access rights
required to execute a library or application. The commonly used
strategy is to execute the code, note authorization failures, allocate
additional access rights, and test again. This process iterates
until the code successfully runs for the test cases in hand. Test
cases usually do not cover all paths through the code, so failures
can occur in deployed systems. Conversely, a broad set of access
rights is allocated to the code to prevent authorization failures
from occurring. However, this often leads to a violation of the
"Principle of Least Privilege."
This paper presents a technique for computing the access rights
requirements by using a context sensitive, flow sensitive, interprocedural
data flow analysis. By using this analysis, we compute at each program
point the set of access rights required by the code. We model features
such as multi-threading, implicitly defined security policies, the
semantics of the permission implies method and generation of a security
policy description. We implemented the algorithms and present the
results of our analysis on a set of programs. While the analysis
techniques described in this paper are in the context of Java code,
the basic techniques are applicable to access rights analysis issues
in non-Java-based systems.
Victor Shoup and Rosario Gennaro. Securing Threshold Cryptosystems against Chosen Ciphertext Attack. Journal of Cryptology, vol. 15, 2002.
Abstract:
For the most compelling applications of threshold cryptosystems,
security against chosen ciphertext attack is a requirement. However,
prior to the results presented here, there appeared to be no practical
threshold cryptosystems in the literature that were provably chosen-ciphertext
secure, even in the idealized random oracle model. The
contribution of this paper is to present two very practical threshold
cryptosystems, and to prove that they are secure against chosen
ciphertext attack in the random oracle model. Not only are these
protocols computationally very efficient, but they are also non-interactive,
which means they can be easily run over an asynchronous communication
network.
Xiaolan Zhang, Antony Edwards, and Trent Jaeger. Using CQUAL for Static Analysis of Authorization Hook Placement. Proc. of the USENIX Security Symposium, San Francisco, CA, 2002, pp. 33-48.
Abstract:
The Linux Security Modules (LSM) framework is a set of authorization
hooks for implementing flexible access control in the Linux kernel.
While much effort has been devoted to defining the module interfaces,
little attention has been paid to verifying the correctness of hook
placement. This paper presents a novel approach to the verification
of LSM authorization hook placement using CQUAL, a type-based static
analysis tool. With a simple CQUAL lattice configuration and some
GCC-based analyses, we are able to verify complete mediation of
operations on key kernel data structures. Our results reveal some
potential security vulnerabilities of the current LSM framework,
one of which we demonstrate to be exploitable. Our experiences demonstrate
that combinations of conceptually simple tools can be used to perform
fairly complex analyses.