security

security

[Steve Vestal]

I would appreciate receiving pointers to any (proposed) standards, surveys, or
"typical" requirements for security in embedded systems.  I'm not talking
about Orange book type stuff, but rather about compartmentalized or red/black
security requirements that might be imposed on embedded systems.  Thanks in
advance.

Steve Vestal
Mail: Honeywell S&RC MN65-2100, 3660 Technology Drive, Minneapolis MN 55418 
Phone: (612) 782-7049                    Internet: vestal@src.honeywell.com

Security

[Frank Cheung]

Hello!

I have written a program in Ada83, and would like to provide some security
features to it:

(1) the user should not be able to exit using ctrl-d, ctrl-z, etc.
(2) password access to enter and exit the program.

Are there any routines or packages available to do this?  Thank you very
much in advance.

Regards,
Frank.

  ________________Frank Cheung | Computer Science (BSc) Year 2_______________
 /   fktc101@york.ac.uk | 0881-800800 a/c 841276 | +44-1904-430000 ext 4250  \
|James College, University of York, Heslington, Y01 5DD, York, United Kingdom|

Re: Security

[Theodore E. Dennison]

Frank Cheung wrote:
> 
> I have written a program in Ada83, and would like to provide some security
> features to it:
> 
> (1) the user should not be able to exit using ctrl-d, ctrl-z, etc.
> (2) password access to enter and exit the program.
> 
> Are there any routines or packages available to do this?  Thank you very
> much in advance.
> 

In Ada? No. Bundled with your compiler? Probably.



-- 
T.E.D.          
                |  Work - mailto:dennison@escmail.orl.mmc.com  |
                |  Home - mailto:dennison@iag.net              |
                |  URL  - http://www.iag.net/~dennison         |

Re: Security

[Wayne Lawton]

Theodore E. Dennison wrote:
> 
> Frank Cheung wrote:
> >
> > I have written a program in Ada83, and would like to provide some security
> > features to it:
> >
> > (1) the user should not be able to exit using ctrl-d, ctrl-z, etc.
> > (2) password access to enter and exit the program.
> >
> > Are there any routines or packages available to do this?  Thank you very
> > much in advance.
> >
> 
> In Ada? No. Bundled with your compiler? Probably.
> 

Actually, there is such a package.  I wrote a security package a few 
years ago for an Army system called MPMIS.  I have since been told that 
a version of the package found its way into the Army Reuse Center 
repository.

If that version isn't right, you may take a look at an Air Force system 
called the Combat Ammunition System (CAS).

I would recommend the CAS version as being the more mature.  

The algorithm uses a database to pass "I called/I was called by" 
information between modules in the system.  The package supports 
multi-level security based on the UNIX model.  That is users and groups 
of users have no access, read access, or execute access to a particular 
module in the system.  The package does require a database to support 
the tables.  The package supports encryption of the userids and 
passwords.

The package has been implemented in a multiple executable environment, 
as well as a multi-thread cooperative processing environment.

Hope one of these pointers helps...

Wayne Lawton
WLawton@servtech.com

Security

[Victor Porton]

In article <HN+$5lQxL8E6@eisner.encompasserve.org>,
	Kilgallen@SpamCop.net (Larry Kilgallen) writes:
> In article <E18sSIU-00040M-00@porton.narod.ru>, porton@ex-code.com (Victor Porton) writes:
>> In article <At42tLB25j0M@eisner.encompasserve.org>,
>> 	Kilgallen@SpamCop.net (Larry Kilgallen) writes:
> 
> Why do you want physical media ?
> 
> 	Security policies that forbid copying software over the Internet.

If I will sign by 2048 bit GnuPG key is it a replacement for physical 
media? (Well, except of transferring the key itself. However if I'll 
upload it to central keyservers and sign with it my further messages 
here, is it OK? I'm not against making a CD, just ask.)

P.S. As we posters in c.l.a deal with security so much, shouldn't we
introduce the "spoken rule" to digitally sign messages? Maybe we
should have our own keyserver at a place like AdaPower?

Re: Security

[Larry Kilgallen]

In article <E18sSch-0004Iv-00@porton.narod.ru>, porton@ex-code.com (Victor Porton) writes:
> In article <HN+$5lQxL8E6@eisner.encompasserve.org>,
> 	Kilgallen@SpamCop.net (Larry Kilgallen) writes:

>> Why do you want physical media ?
>> 
>> 	Security policies that forbid copying software over the Internet.
> 
> If I will sign by 2048 bit GnuPG key is it a replacement for physical 
> media? (Well, except of transferring the key itself. However if I'll 
> upload it to central keyservers and sign with it my further messages 
> here, is it OK? I'm not against making a CD, just ask.)

I don't understand how that avoids copying software over the Internet.
It seems to be aimed more at proposing a different policy than complying
with the existing policy.

> P.S. As we posters in c.l.a deal with security so much, shouldn't we
> introduce the "spoken rule" to digitally sign messages? Maybe we
> should have our own keyserver at a place like AdaPower?

Perhaps those of you who use PGP should.

Re: Security

[Preben Randhol]

Larry Kilgallen wrote:
> In article <E18sSch-0004Iv-00@porton.narod.ru>, porton@ex-code.com (Victor Porton) writes:
>> P.S. As we posters in c.l.a deal with security so much, shouldn't we
>> introduce the "spoken rule" to digitally sign messages? Maybe we
>> should have our own keyserver at a place like AdaPower?
> 
> Perhaps those of you who use PGP should.

Signing messages has little to do with security. It only deals with
authenticity.

-- 
  ()   Join the worldwide campaign to protect fundamental human rights.
 +||-.
.+--+'
'+||-                                           http://www.amnesty.org/

Re: Security

[Larry Kilgallen]

In article <slrnb6r7e2.1fn.randhol+news@kiuk0152.chembio.ntnu.no>, Preben Randhol <randhol+news@pvv.org> writes:
> Larry Kilgallen wrote:
>> In article <E18sSch-0004Iv-00@porton.narod.ru>, porton@ex-code.com (Victor Porton) writes:
>>> P.S. As we posters in c.l.a deal with security so much, shouldn't we
>>> introduce the "spoken rule" to digitally sign messages? Maybe we
>>> should have our own keyserver at a place like AdaPower?
>> 
>> Perhaps those of you who use PGP should.
> 
> Signing messages has little to do with security. It only deals with
> authenticity.

My training has been to associate security with the initials C.I.A.,
standing for the words:

	Confidentiality
	Integrity
	Availability

And I would count Authenticity as part of Integrity.

Re: Security

[Preben Randhol]

Larry Kilgallen wrote:
> My training has been to associate security with the initials C.I.A.,
> standing for the words:
> 
> 	Confidentiality
> 	Integrity
> 	Availability
> 
> And I would count Authenticity as part of Integrity.

Yes, but if you cannot download software (source that is, I'm not
talking about binary executables) then how can you download pgp-keys
from the net?

-- 
  ()   Join the worldwide campaign to protect fundamental human rights.
 +||-.
.+--+'
'+||-                                           http://www.amnesty.org/

Re: Security

[Victor Porton]

In article <slrnb6rkeb.8lc.randhol+news@kiuk0152.chembio.ntnu.no>,
	Preben Randhol <randhol+news@pvv.org> writes:
> Yes, but if you cannot download software (source that is, I'm not
> talking about binary executables) then how can you download pgp-keys
> from the net?

Using pgp/gpg keys would be able to eliminate the need for physical 
media for every new update of software. It would be enough to only once 
send the key on floppy/CD and then using this key to send authentied 
software through Internet.

Re: Security

[Preben Randhol]

Victor Porton wrote:
> Using pgp/gpg keys would be able to eliminate the need for physical 
> media for every new update of software. It would be enough to only once 
> send the key on floppy/CD and then using this key to send authentied 
> software through Internet.

Yes, to some extent. However things can be forged. Although signing is
done by f.ex RedHat and Microsoft.  However with security there is only
one rule: Nothing is secure. :-)

-- 
  ()   Join the worldwide campaign to protect fundamental human rights.
 +||-.
.+--+'
'+||-                                           http://www.amnesty.org/

Re: Security

[Larry Kilgallen]

In article <slrnb6rkeb.8lc.randhol+news@kiuk0152.chembio.ntnu.no>, Preben Randhol <randhol+news@pvv.org> writes:
> Larry Kilgallen wrote:
>> My training has been to associate security with the initials C.I.A.,
>> standing for the words:
>> 
>> 	Confidentiality
>> 	Integrity
>> 	Availability
>> 
>> And I would count Authenticity as part of Integrity.
> 
> Yes, but if you cannot download software (source that is, I'm not
> talking about binary executables) then how can you download pgp-keys
> from the net?

You seem to be confusing multiple discussions that have a common root.

_I_ am not a PGP user.