Reading List

Papers Using Logical Methods in Information Security

D. Dolev and A. Yao. "On the security of public key protocols". IEEE Transactions on Information Theory, Mar 1983.
M Burrows, M Abadi, R Needham. "A logic of authentication"
Gavin Lowe. "Breaking and fixing the Needham-Schroeder public-key protocol using FDR"
FJT Fabrega, JC Herzog, JD Guttman. "Strand spaces: Proving security protocols correct"

P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph-based network vulnerability analysis, ACM CCS 2002.

O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated Generation and Analysis of Attack Graphs. In IEEE S&P 2002.

Xinming Ou, Wayne F. Boyer, and Miles A. McQueen. A scalable approach to attack graph generation. In ACM CCS 2006.

P.R. Lippmann and K. W. Ingols. An Annotated Review of Past Papers on Attack Graphs. Lincoln Lab Technical Report.

M. Gouda and A. Liu: Firewall Design: Consistency, Completeness and Compactness. ICDCS 2004.
A. Liu and M. Gouda: Complete Redundancy Detection in Firewalls. DAS 2005.
L. Yuan, J. Mai, Z. Su, H. Chen, C. Chuah, P. Mohapatra: FIREMAN: A Toolkit for FIREwall Modeling and ANalysis. In IEEE SSP 2006.

K. Fisler, S. Krishnamurthi, L.A. Meyerovich, and M. C. Tschantz: Verification and Change-Impact Analysis of Access-Control Policies. ICSE 2005.
A. Liu: Change-Impact Analysis of Firewall Policies. ESORICS 2007.

Ninghui Li, John C. Mitchell, and William H. Winsborough: Beyond Proof-of-compliance: Security Analysis in Trust Management. Journal of the ACM. 52(3):474--514, May 2005.
Ninghui Li and John C. Mitchell: Understanding SPKI/SDSI Using First-Order Logic. International Journal of Information Security. 5(1):48--64, January 2006.

A. Sasturkar, P. Yang, S.D. Stoller, and C.R. Ramakrishnan. Policy Analysis for Administrative Role Based Access Control. In CSFW 2006.
A. Singh, C. R. Ramakrishnan, I. V. Ramakrishnan, S. D. Stoller, and D. S. Warren. Security Policy Analysis using Deductive Spreadsheets. In FMSE, 2007.
S. Jha, N. Li, M.V. Tripunitara, Q. Wang, and W.H. Winsborough. Towards Formal Verification of Role-Based Access Control Policies. To appear in IEEE TDSC.

José Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang: A Systematic Approach to Uncover Security Flaws in GUI Logic. In SSP 2007.
John Whaley, Dzintars Avots, Michael Carbin, Monica S. Lam. Using Datalog with Binary Decision Diagrams for Program Analysis

8. SELinux Policy Analysis

Trent Jaeger, Reiner Sailer, and Xiaolan Zhang. Analyzing integrity protection in the SELinux example policy. In Proceedings of the 11th USENIX Security Symposium, pages 59-74, August 2003.
Umesh Shankar, Trent Jaeger, and Reiner Sailer. Toward automated information-flow integrity verification for security-critical applications. In Proceedings of the 2006 Network and Distributed Systems Security Symposium, pages 267-280, February 2006.
Boniface Hicks, Sandra Rueda, Luke St. Clair, Trent Jaeger, and Patrick McDaniel. A logical specification and analysis for SELinux MLS policy. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pages 91-100, June 2007.

9. Privacy Policies

A. Barth, A. Datta, J. C. Mitchell, H. Nissenbaum: Privacy and Contextual Integrity: Framework and Applications. In IEEE SSP 2006.
A. Barth, A. Datta, J. C. Mitchell, S. Sundaram: Privacy and Utility in Business Processes. In CSFW 2007.
N. Li, T. Yu, and A. I. Anton. A Semantics-based Approach to Privacy Policies. To appear in the Computer Science and System Engineering Journal.

10. Access Control Policy Integration

Michael Backes, Markus Duermuth, and Rainer Steinwandt. An algebra for composing enterprise privacy policies. In ESORICS 2004.
P. Bonatti, S. D. C. D. Vimercati, and P. Samarati. An algebra for composing access control policies. In ACM TISSEC, 2002.
D. Wijesekera and S. Jajodia. A propositional policy algebra for access control. In ACM TISSEC, 2003.

11. Obligation Policies

Application of Fuzzy Logic to Security