%%% -*-BibTeX-*-
%%% ====================================================================
%%%  BibTeX-file{
%%%     author          = "Nelson H. F. Beebe",
%%%     version         = "1.47",
%%%     date            = "11 August 2014",
%%%     time            = "19:19:24 MDT",
%%%     filename        = "tissec.bib",
%%%     address         = "University of Utah
%%%                        Department of Mathematics, 110 LCB
%%%                        155 S 1400 E RM 233
%%%                        Salt Lake City, UT 84112-0090
%%%                        USA",
%%%     telephone       = "+1 801 581 5254",
%%%     FAX             = "+1 801 581 4148",
%%%     URL             = "http://www.math.utah.edu/~beebe",
%%%     checksum        = "34269 10999 55892 537488",
%%%     email           = "beebe at math.utah.edu, beebe at acm.org,
%%%                        beebe at computer.org (Internet)",
%%%     codetable       = "ISO/ASCII",
%%%     keywords        = "bibliography, BibTeX, ACM Transactions
%%%                        on Information and System Security",
%%%     license         = "public domain",
%%%     supported       = "yes",
%%%     docstring       = "This is a COMPLETE BibTeX bibliography for
%%%                        the journal ACM Transactions on Information
%%%                        and System Security (CODEN ATISBQ, ISSN
%%%                        1094-9224 (print), 1557-7406 (electronic)),
%%%                        covering all journal issues from 1998 --
%%%                        date.
%%%
%%%                        At version 1.47, the COMPLETE journal
%%%                        coverage looked like this:
%%%
%%%                             1998 (   5)    2004 (  20)    2010 (  31)
%%%                             1999 (  15)    2005 (  16)    2011 (  32)
%%%                             2000 (  12)    2006 (  16)    2012 (  14)
%%%                             2001 (  14)    2007 (  12)    2013 (  16)
%%%                             2002 (  17)    2008 (  42)    2014 (   9)
%%%                             2003 (  17)    2009 (  19)
%%%
%%%                             Article:        307
%%%
%%%                             Total entries:  307
%%%
%%%                        The journal Web page can be found at:
%%%
%%%                            http://www.acm.org/pubs/tissec
%%%
%%%                        The journal table of contents page is at:
%%%
%%%                            http://www.acm.org/pubs/contents/journals/tissec/
%%%                            http://portal.acm.org/browse_dl.cfm?idx=J789
%%%
%%%                        The initial draft was extracted from the
%%%                        journal Web site.
%%%
%%%                        ACM copyrights explicitly permit abstracting
%%%                        with credit, so article abstracts, keywords,
%%%                        and subject classifications have been
%%%                        included in this bibliography wherever
%%%                        available.  Article reviews have been
%%%                        omitted, until their copyright status has
%%%                        been clarified.
%%%
%%%                        URL keys in the bibliography point to
%%%                        World Wide Web locations of additional
%%%                        information about the entry.
%%%
%%%                        Numerous errors in the sources noted above
%%%                        have been corrected.   Spelling has been
%%%                        verified with the UNIX spell and GNU ispell
%%%                        programs using the exception dictionary
%%%                        stored in the companion file with extension
%%%                        .sok.
%%%
%%%                        BibTeX citation tags are uniformly chosen
%%%                        as name:year:abbrev, where name is the
%%%                        family name of the first author or editor,
%%%                        year is a 4-digit number, and abbrev is a
%%%                        3-letter condensation of important title
%%%                        words. Citation tags were automatically
%%%                        generated by software developed for the
%%%                        BibNet Project.
%%%
%%%                        In this bibliography, entries are sorted in
%%%                        publication order, using ``bibsort -byvolume.''
%%%
%%%                        The checksum field above contains a CRC-16
%%%                        checksum as the first value, followed by the
%%%                        equivalent of the standard UNIX wc (word
%%%                        count) utility output of lines, words, and
%%%                        characters.  This is produced by Robert
%%%                        Solovay's checksum utility.",
%%%  }
%%% ====================================================================

@Preamble{"\input bibnames.sty"}

%%% ====================================================================
%%% Acknowledgement abbreviations:

@String{ack-nhfb = "Nelson H. F. Beebe,
                    University of Utah,
                    Department of Mathematics, 110 LCB,
                    155 S 1400 E RM 233,
                    Salt Lake City, UT 84112-0090, USA,
                    Tel: +1 801 581 5254,
                    FAX: +1 801 581 4148,
                    e-mail: \path|beebe@math.utah.edu|,
                            \path|beebe@acm.org|,
                            \path|beebe@computer.org| (Internet),
                    URL: \path|http://www.math.utah.edu/~beebe/|"}

%%% ====================================================================
%%% Journal abbreviations:

@String{j-TISSEC                = "ACM Transactions on Information and System
                                  Security"}

%%% ====================================================================
%%% Bibliography entries:

@Article{Sandhu:1998:E,
  author =       "Ravi Sandhu",
  title =        "Editorial",
  journal =      j-TISSEC,
  volume =       "1",
  number =       "1",
  pages =        "1--2",
  month =        nov,
  year =         "1998",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p1-sandhu/",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bergadano:1998:HDC,
  author =       "Francesco Bergadano and Bruno Crispo and Giancarlo
                 Ruffo",
  title =        "High dictionary compression for proactive password
                 checking",
  journal =      j-TISSEC,
  volume =       "1",
  number =       "1",
  pages =        "3--25",
  month =        nov,
  year =         "1998",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p3-bergadano/",
  abstract =     "The important problem of user password selection is
                 addressed and a new proactive password-checking
                 technique is presented. In a training phase, a decision
                 tree is generated based on a given dictionary of weak
                 passwords. Then, the decision tree is used to determine
                 whether a user password should be accepted.
                 Experimental results described here show that the
                 method leads to a very high dictionary compression (up
                 to 1000 to 1) with low error rates (of the order of
                 1\%). A prototype implementation, called ProCheck, is
                 made available online. We survey previous approaches to
                 proactive password checking, and provide an in-depth
                 comparison.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "experimentation; management; performance; security",
  subject =      "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and
                 Protection, Authentication. {\bf K.6.5} Computing
                 Milieux, MANAGEMENT OF COMPUTING AND INFORMATION
                 SYSTEMS, Security and Protection, Authentication.",
}

@Article{Bertino:1998:EBI,
  author =       "Elisa Bertino and Sabrina {De Capitani Di Vimercati}
                 and Elena Ferrari and Pierangela Samarati",
  title =        "Exception-based information flow control in
                 object-oriented systems",
  journal =      j-TISSEC,
  volume =       "1",
  number =       "1",
  pages =        "26--65",
  month =        nov,
  year =         "1998",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p26-bertino/",
  abstract =     "We present an approach to control information flow in
                 object-oriented systems. The decision of whether an
                 information flow is permitted or denied depends on both
                 the authorizations specified on the objects and the
                 process by which information is obtained and
                 transmitted. Depending on the specific computations, a
                 process accessing sensitive information could still be
                 allowed to release information to users who are not
                 allowed to directly access it. Exceptions to the
                 permissions and restrictions stated by the
                 authorizations are specified by means of exceptions
                 associated with methods. Two kinds of exceptions are
                 considered: {\em invoke exceptions,\/} applicable
                 during a method execution and {\em reply exceptions\/}
                 applicable to the information returned by a method.
                 Information flowing from one object into another or
                 returned to the user is subject to the different
                 exceptions specified for the methods enforcing the
                 transmission. We formally characterize information
                 transmission and flow in a transaction and define the
                 conditions for safe information flow. We define
                 security specifications and characterize safe
                 information flows. We propose an approach to control
                 unsafe flows and present an algorithm to enforce it. We
                 also illustrate an efficient implementation of our
                 controls and present some experimental results
                 evaluating its performance.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "security",
  subject =      "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT,
                 Database Administration, Security, integrity, and
                 protection. {\bf H.2.4} Information Systems, DATABASE
                 MANAGEMENT, Systems, Object-oriented databases.",
}

@Article{Reiter:1998:CAW,
  author =       "Michael K. Reiter and Aviel D. Rubin",
  title =        "Crowds: anonymity for {Web} transactions",
  journal =      j-TISSEC,
  volume =       "1",
  number =       "1",
  pages =        "66--92",
  month =        nov,
  year =         "1998",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p66-reiter/",
  abstract =     "In this paper we introduce a system called Crowds for
                 protecting users' anonymity on the world-wide-web.
                 Crowds, named for the notion of ``blending into a
                 crowd,'' operates by grouping users into a large and
                 geographically diverse group (crowd) that collectively
                 issues requests on behalf of its members. Web servers
                 are unable to learn the true source of a request
                 because it is equally likely to have originated from
                 any member of the crowd, and even collaborating crowd
                 members cannot distinguish the originator of a request
                 from a member who is merely forwarding the request on
                 behalf of another. We describe the design,
                 implementation, security, performance, and scalability
                 of our system. Our security analysis introduces {\em
                 degrees of anonymity\/} as an important tool for
                 describing and proving anonymity properties.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "security",
  subject =      "{\bf C.2.2} Computer Systems Organization,
                 COMPUTER-COMMUNICATION NETWORKS, Network Protocols,
                 Applications (SMTP, FTP, etc.). {\bf C.2.0} Computer
                 Systems Organization, COMPUTER-COMMUNICATION NETWORKS,
                 General, Security and protection (e.g., firewalls).
                 {\bf K.4.1} Computing Milieux, COMPUTERS AND SOCIETY,
                 Public Policy Issues, Privacy. {\bf K.4.4} Computing
                 Milieux, COMPUTERS AND SOCIETY, Electronic Commerce,
                 Security.",
}

@Article{Sandhu:1998:MRM,
  author =       "Ravi Sandhu and Fang Chen",
  title =        "The multilevel relational ({MLR}) data model",
  journal =      j-TISSEC,
  volume =       "1",
  number =       "1",
  pages =        "93--132",
  month =        nov,
  year =         "1998",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1998-1-1/p93-sandhu/",
  abstract =     "Many multilevel relational models have been proposed;
                 different models offer different advantages. In this
                 paper, we adapt and refine several of the best ideas
                 from previous models and add new ones to build the new
                 Multilevel Relational (MLR) data model. MLR provides
                 multilevel relations with element-level labeling as a
                 natural extension of the traditional relational data
                 model. MLR introduces several new concepts (notably,
                 data-borrow integrity and the UPLEVEL statement) and
                 significantly redefines existing concepts
                 (polyinstantiation and referential integrity as well as
                 data manipulation operations). A central contribution
                 of this paper is proofs of soundness, completeness, and
                 security of MLR. A new {\em data-based\/} semantics is
                 given for the MLR data model by combining ideas from
                 SeaView, belief-based semantics, and LDV. This new
                 semantics has the advantages of both eliminating
                 ambiguity and retaining upward information flow. MLR is
                 secure, unambiguous, and powerful. It has five
                 integrity properties and five operations for
                 manipulating multilevel relations. Soundness,
                 completeness, and security show that any of the five
                 database manipulation operations will keep database
                 states legal (i.e., satisfy all integrity properties),
                 that every legal database state can be constructed, and
                 that MLR is noninterfering. The expressive power of MLR
                 also compares favorably with several other models.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "security",
  subject =      "{\bf H.2.7} Information Systems, DATABASE MANAGEMENT,
                 Database Administration, Security, integrity, and
                 protection.",
}

@Article{Sandhu:1999:E,
  author =       "Ravi Sandhu",
  title =        "Editorial",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "1",
  pages =        "1--2",
  month =        feb,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 10:21:44 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-1/p1-sandhu/",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Nyanchama:1999:RGM,
  author =       "Matunda Nyanchama and Sylvia Osborn",
  title =        "The role graph model and conflict of interest",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "1",
  pages =        "3--33",
  month =        feb,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p3-nyanchama/",
  abstract =     "We describe in more detail than before the reference
                 model for role-based access control introduced by
                 Nyanchama and Osborn, and the role-graph model with its
                 accompanying algorithms, which is one way of
                 implementing role-role relationships. An alternative
                 role insertion algorithm is added, and it is shown how
                 the role creation policies of Fernandez et al.
                 correspond to role addition algorithms in our model. We
                 then use our reference model to provide a taxonomy for
                 kinds of conflict. We then go on to consider in some
                 detail privilege-privilege and role-role conflicts in
                 conjunction with the role graph model. We show how
                 role-role conflicts lead to a partitioning of the role
                 graph into nonconflicting collections that can together
                 be safely authorized to a given user. Finally, in an
                 appendix, we present the role graph algorithms with
                 additional logic to disallow roles that contain
                 conflicting privileges.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "algorithms; management; security",
  subject =      "{\bf D.4.6} Software, OPERATING SYSTEMS, Security and
                 Protection, Access controls. {\bf K.6.5} Computing
                 Milieux, MANAGEMENT OF COMPUTING AND INFORMATION
                 SYSTEMS, Security and Protection. {\bf G.2.2}
                 Mathematics of Computing, DISCRETE MATHEMATICS, Graph
                 Theory, Graph algorithms.",
}

@Article{Ferraiolo:1999:RBA,
  author =       "David F. Ferraiolo and John F. Barkley and D. Richard
                 Kuhn",
  title =        "A role-based access control model and reference
                 implementation within a corporate intranet",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "1",
  pages =        "34--64",
  month =        feb,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p34-ferraiolo/",
  abstract =     "This paper describes NIST's enhanced RBAC model and
                 our approach to designing and implementing RBAC
                 features for networked Web servers. The RBAC model
                 formalized in this paper is based on the properties
                 that were first described in Ferraiolo and Kuhn [1992]
                 and Ferraiolo et al. [1995], with adjustments resulting
                 from experience gained by prototype implementations,
                 market analysis, and observations made by Jansen [1988]
                 and Hoffman [1996]. The implementation of RBAC for the
                 Web (RBAC/Web) provides an alternative to the
                 conventional means of administering and enforcing
                 authorization policy on a server-by-server basis.
                 RBAC/Web provides administrators with a means of
                 managing authorization data at the enterprise level, in
                 a manner consistent with the current set of laws,
                 regulations, and practices.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "security; standardization",
  subject =      "{\bf C.2.4} Computer Systems Organization,
                 COMPUTER-COMMUNICATION NETWORKS, Distributed Systems.
                 {\bf C.2.5} Computer Systems Organization,
                 COMPUTER-COMMUNICATION NETWORKS, Local and Wide-Area
                 Networks. {\bf D.4.6} Software, OPERATING SYSTEMS,
                 Security and Protection, Access controls. {\bf D.4.7}
                 Software, OPERATING SYSTEMS, Organization and Design,
                 Distributed systems.",
}

@Article{Bertino:1999:SEA,
  author =       "Elisa Bertino and Elena Ferrari and Vijay Atluri",
  title =        "The specification and enforcement of authorization
                 constraints in workflow management systems",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "1",
  pages =        "65--104",
  month =        feb,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p65-bertino/",
  abstract =     "In recent years, workflow management systems (WFMSs)
                 have gained popularity in both research and commercial
                 sectors. WFMSs are used to coordinate and streamline
                 business processes. Very large WFMSs are often used in
                 organizations with users in the range of several
                 thousands and process instances in the range of tens
                 and thousands. To simplify the complexity of security
                 administration, it is common practice in many
                 businesses to allocate a role for each activity in the
                 process and then assign one or more users to each
                 role---granting an authorization to roles rather than
                 to users. Typically, security policies are expressed as
                 constraints (or rules) on users and roles; {\em
                 separation of duties\/} is a well-known constraint.
                 Unfortunately, current role-based access control models
                 are not adequate to model such constraints. To address
                 this issue we (1) present a language to express both
                 static and dynamic authorization constraints as clauses
                 in a logic program; (2) provide formal notions of
                 constraint consistency; and (3) propose algorithms to
                 check the consistency of constraints and assign users
                 and roles to tasks that constitute the workflow in such
                 a way that no constraints are violated.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "security",
  subject =      "{\bf H.2.0} Information Systems, DATABASE MANAGEMENT,
                 General, Security, integrity, and protection**.",
}

@Article{Sandhu:1999:AMR,
  author =       "Ravi Sandhu and Venkata Bhamidipati and Qamar
                 Munawer",
  title =        "The {ARBAC97} model for role-based administration of
                 roles",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "1",
  pages =        "105--135",
  month =        feb,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 27 17:35:45 MDT 1999",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org:80/pubs/citations/journals/tissec/1999-2-1/p105-sandhu/",
  abstract =     "In role-based access control (RBAC), permissions are
                 associated with roles' and users are made members of
                 roles, thereby acquiring the roles; permissions. RBAC's
                 motivation is to simplify administration of
                 authorizations. An appealing possibility is to use RBAC
                 itself to manage RBAC, to further provide
                 administrative convenience and scalability, especially
                 in decentralizing administrative authority,
                 responsibility, and chores. This paper describes the
                 motivation, intuition, and formal definition of a new
                 role-based model for RBAC administration. This model is
                 called ARBAC97 (administrative RBAC '97) and has three
                 components: URA97 (user-role assignment '97), RPA97
                 (permission-role assignment '97), and RRA97 (role-role
                 assignment '97) dealing with different aspects of RBAC
                 administration. URA97, PRA97, and an outline of RRA97
                 were defined in 1997, hence the designation given to
                 the entire model. RRA97 was completed in 1998. ARBAC97
                 is described completely in this paper for the first
                 time. We also discusses possible extensions of
                 ARBAC97.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "algorithms; management; security",
  subject =      "{\bf C.2.4} Computer Systems Organization,
                 COMPUTER-COMMUNICATION NETWORKS, Distributed Systems.
                 {\bf D.4.6} Software, OPERATING SYSTEMS, Security and
                 Protection, Access controls. {\bf D.4.7} Software,
                 OPERATING SYSTEMS, Organization and Design, Distributed
                 systems. {\bf G.2.2} Mathematics of Computing, DISCRETE
                 MATHEMATICS, Graph Theory, Graph algorithms. {\bf
                 H.2.0} Information Systems, DATABASE MANAGEMENT,
                 General, Security, integrity, and protection**. {\bf
                 K.6.5} Computing Milieux, MANAGEMENT OF COMPUTING AND
                 INFORMATION SYSTEMS, Security and Protection.",
}

@Article{Reiter:1999:AMA,
  author =       "Michael K. Reiter and Stuart G. Stubblebine",
  title =        "Authentication metric analysis and design",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "2",
  pages =        "138--158",
  month =        may,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p138-reiter/",
  abstract =     "Authentication using a path of trusted intermediaries,
                 each able to authenticate the next in the path, is a
                 well-known technique for authenticating entities in a
                 large-scale system. Recent work has extended this
                 technique to include multiple paths in an effort to
                 bolster authentication, but the success of this
                 approach may be unclear in the face of intersecting
                 paths, ambiguities in the meaning of certificates, and
                 interdependencies in the use of different keys. Thus,
                 several authors have proposed metrics to evaluate the
                 confidence afforded by a set of paths. In this paper we
                 develop a set of guiding principles for the design of
                 such metrics. We motivate our principles by showing how
                 previous approaches failed with respect to these
                 principles and what the consequences to authentication
                 might be. We then propose a new metric that appears to
                 meet our principles, and so to be a satisfactory metric
                 of authentication.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Measurement; Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "metrics of authentication; public key infrastructure",
  subject =      "Software --- Operating Systems --- Security and
                 Protection (D.4.6): {\bf Authentication}; Computing
                 Milieux --- Management of Computing and Information
                 Systems --- Security and Protection (K.6.5): {\bf
                 Authentication}",
}

@Article{Schneier:1999:SAL,
  author =       "Bruce Schneier and John Kelsey",
  title =        "Secure Audit Logs to Support Computer Forensics",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "2",
  pages =        "159--176",
  month =        may,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p159-schneier/",
  abstract =     "In many real-world applications, sensitive information
                 must be kept it log files on an untrusted machine. In
                 the event that an attacker captures this machine, we
                 would like to guarantee that he will gain little or no
                 information from the log files and to limit his ability
                 to corrupt the log files. We describe a computationally
                 cheap method for making all log entries generated prior
                 to the logging machine's compromise impossible for the
                 attacker to read, and also impossible to modify or
                 destroy undetectably.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "audit logs; auditing; authentication; computer
                 forensics; hash chains; intrusion detection",
  subject =      "Computer Systems Organization ---
                 Computer-Communication Networks --- Distributed Systems
                 (C.2.4); Computer Systems Organization ---
                 Computer-Communication Networks (C.2); Computer Systems
                 Organization --- Computer-Communication Networks ---
                 General (C.2.0); Computer Systems Organization ---
                 Computer-Communication Networks --- Network Protocols
                 (C.2.2)",
}

@Article{Jaeger:1999:FCD,
  author =       "Trent Jaeger and Atul Prakash and Jochen Liedtke and
                 Nayeem Islam",
  title =        "Flexible Control of Downloaded Executable Content",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "2",
  pages =        "177--228",
  month =        may,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-2/p177-jaeger/",
  abstract =     "We present a security architecture that enables system
                 and application access control requirements to be
                 enforced on applications composed from downloaded
                 executable content. Downloaded executable content
                 consists of messages downloaded from remote hosts that
                 contain executables that run, upon receipt, on the
                 downloading principal's machine. Unless restricted,
                 this content can perform malicious actions, including
                 accessing its downloading principal's private data and
                 sending messages on this principal's behalf. Current
                 security architectures for controlling downloaded
                 executable content (e.g., JDK 1.2) enable specification
                 of access control requirements for content based on its
                 provider and identity. Since these access control
                 requirements must cover every legal use of the class,
                 they may include rights that are not necessary for a
                 particular application of content. Therefore, using
                 these systems, an application composed from downloaded
                 executable content cannot enforce its access control
                 requirements without the addition of
                 application-specific security mechanisms. In this
                 paper, we define an access control model with the
                 following properties: (1) system administrators can
                 define system access control requirements on
                 applications and (2) application developers can use the
                 same model to enforce application access control
                 requirements without the need for ad hoc security
                 mechanisms. This access control model uses features of
                 role-based access control models to enable (1)
                 specification of a single role that applies to multiple
                 application instances; (2) selection of a content's
                 access rights based on the content's application and
                 role in the application; (3) consistency maintained
                 between application state and content access rights;
                 and (4) control of role administration. We detail a
                 system architecture that uses this access control model
                 to implement secure collaborative applications. Lastly,
                 we describe an implementation of this architecture,
                 called the Lava security architecture.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Management; Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control models; authentication; authorization
                 mechanisms; collaborative systems; role-based access
                 control",
  subject =      "Software --- Software Engineering --- Management
                 (D.2.9): {\bf Software configuration management};
                 Software --- Operating Systems --- Security and
                 Protection (D.4.6): {\bf Access controls}; Software ---
                 Operating Systems --- Security and Protection (D.4.6):
                 {\bf Invasive software}; Computing Milieux ---
                 Management of Computing and Information Systems ---
                 System Management (K.6.4): {\bf
                 Centralization/decentralization}; Computing Milieux ---
                 Management of Computing and Information Systems ---
                 Security and Protection (K.6.5): {\bf Invasive
                 software}",
}

@Article{Halevi:1999:PKC,
  author =       "Shai Halevi and Hugo Krawczyk",
  title =        "Public-Key Cryptography and Password Protocols",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "3",
  pages =        "230--268",
  month =        aug,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p230-halevi/",
  abstract =     "We study protocols for strong authentication and key
                 exchange in asymmetric scenarios where the
                 authentication server possesses a pair of private and
                 public keys while the client has only a weak
                 human-memorizable password as its authentication key.
                 We present and analyze several simple password
                 authentication protocols in this scenario, and show
                 that the security of these protocols can be formally
                 proven based on standard cryptographic assumptions.
                 Remarkably, our analysis shows optimal resistance to
                 off-line password guessing attacks under the choice of
                 suitable public key encryption functions. In addition
                 to user authentication, we describe ways to enhance
                 these protocols to provide two-way authentication,
                 authenticated key exchange, defense against server's
                 compromise, and user anonymity. We complement these
                 results with a proof that strongly indicates that
                 public key techniques are unavoidable for password
                 protocols that resist off-line guessing attacks.
                 \par

                 As a further contribution, we introduce the notion of
                 {\em public passwords\/} that enables the use of the
                 above protocols in situations where the client's
                 machine does not have the means to validate the
                 server's public key. Public passwords serve as
                 ``hand-held certificates'' that the user can carry
                 without the need for special computing devices.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "dictionary attacks; hand-held certificates; key
                 exchange; passwords; public passwords; public-key
                 protocols",
  subject =      "Computer Systems Organization ---
                 Computer-Communication Networks --- General (C.2.0):
                 {\bf Security and protection (e.g., firewalls)};
                 Computing Milieux --- Management of Computing and
                 Information Systems --- Security and Protection
                 (K.6.5): {\bf Authentication}",
}

@Article{Xu:1999:DHP,
  author =       "Jun Xu and Mukesh Singhal",
  title =        "Design of a High-Performance {ATM} Firewall",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "3",
  pages =        "269--294",
  month =        aug,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p269-xu/",
  abstract =     "A router-based packet-filtering firewall is an
                 effective way of protecting an enterprise network from
                 unauthorized access. However, it will not work
                 efficiently in an ATM network because it requires the
                 termination of end-to-end ATM connections at a
                 packet-filtering router, which incurs huge overhead of
                 SAR (Segmentation and Reassembly). Very few approaches
                 to this problem have been proposed in the literature,
                 and none is completely satisfactory. In this paper we
                 present the hardware design of a high-speed ATM
                 firewall that does not require the termination of an
                 end-to-end connection in the middle. We propose a novel
                 firewall design philosophy, called Quality of
                 Firewalling (QoF), that applies security measures of
                 different strength to traffic with different risk
                 levels and show how it can be implemented in our
                 firewall. Compared with the traditional firewalls, this
                 ATM firewall performs exactly the same packet-level
                 filtering without compromising the performance and has
                 the same ``look and feel'' by sitting at the chokepoint
                 between the trusted ATM LAN and untrusted ATM WAN. It
                 is also easy to manage and flexible to use.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "asynchronous transfer mode; firewall; packet
                 filtering; switch architecture; TCP/IP",
  subject =      "Computer Systems Organization --- Performance of
                 Systems (C.4): {\bf Performance attributes}; Computer
                 Systems Organization --- Performance of Systems (C.4);
                 Computer Systems Organization ---
                 Computer-Communication Networks --- General (C.2.0);
                 Computer Systems Organization ---
                 Computer-Communication Networks --- Network
                 Architecture and Design (C.2.1): {\bf Asynchronous
                 Transfer Mode (ATM)}; Computer Systems Organization ---
                 Computer-Communication Networks --- Internetworking
                 (C.2.6): {\bf Routers}; Computer Systems Organization
                 --- Computer-Communication Networks --- Local and
                 Wide-Area Networks (C.2.5)",
}

@Article{Lane:1999:TSL,
  author =       "Terran Lane and Carla E. Brodley",
  title =        "Temporal sequence learning and data reduction for
                 anomaly detection",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "3",
  pages =        "295--331",
  month =        aug,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p295-lane/",
  abstract =     "The anomaly-detection problem can be formulated as one
                 of learning to characterize the behaviors of an
                 individual, system, or network in terms of temporal
                 sequences of discrete data. We present an approach on
                 the basis of instance-based learning (IBL) techniques.
                 To cast the anomaly-detection task in an IBL framework,
                 we employ an approach that transforms temporal
                 sequences of discrete, unordered observations into a
                 metric space via a similarity measure that encodes
                 intra-attribute dependencies. Classification boundaries
                 are selected from an {\em a posteriori\/}
                 characterization of valid user behaviors, coupled with
                 a domain heuristic. An empirical evaluation of the
                 approach on user command data demonstrates that we can
                 accurately differentiate the profiled user from
                 alternative users when the available features encode
                 sufficient information. Furthermore, we demonstrate
                 that the system detects anomalous conditions {\em
                 quickly\/} --- an important quality for reducing
                 potential damage by a malicious user. We present
                 several techniques for reducing data storage
                 requirements of the user profile, including
                 instance-selection methods and clustering. As empirical
                 evaluation shows that a new greedy clustering algorithm
                 reduces the size of the user model by 70\%, with only a
                 small loss in accuracy.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "anomaly detection; clustering; data reduction;
                 empirical evaluation; instance based learning; machine
                 learning; user profiling",
  subject =      "Software --- Operating Systems --- Security and
                 Protection (D.4.6)",
}

@Article{Paulson:1999:IAI,
  author =       "Lawrence C. Paulson",
  title =        "Inductive analysis of the {Internet} protocol {TLS}",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "3",
  pages =        "332--351",
  month =        aug,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-3/p332-paulson/",
  abstract =     "Internet browsers use security protocols to protect
                 sensitive messages. An inductive analysis of TLS (a
                 descendant of SSL 3.0) has been performed using the
                 theorem prover Isabelle. Proofs are based on
                 higher-order logic and make no assumptions concerning
                 beliefs of finiteness. All the obvious security goals
                 can be proved; session resumption appears to be secure
                 even if old session keys are compromised. The proofs
                 suggest minor changes to simplify the analysis.
                 \par

                 TLS, even at an abstract level, is much more
                 complicated than most protocols verified by
                 researchers. Session keys are negotiated rather than
                 distributed, and the protocol has many optional parts.
                 Netherless, the resources needed to verify TLS are
                 modest: six man-weeks of effort and three minutes of
                 processor time.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Security; Verification",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "authentication; inductive method; Isabelle; proof
                 tools; TLS",
  subject =      "Theory of Computation --- Logics and Meanings of
                 Programs --- Specifying and Verifying and Reasoning
                 about Programs (F.3.1): {\bf Mechanical verification};
                 Computer Systems Organization ---
                 Computer-Communication Networks --- Network Protocols
                 (C.2.2): {\bf Protocol verification}",
}

@Article{Stubblebine:1999:UST,
  author =       "Stuart G. Stubblebine and Paul F. Syverson and David
                 M. Goldschlag",
  title =        "Unlinkable serial transactions: protocols and
                 applications",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "4",
  pages =        "354--389",
  month =        nov,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/articles/journals/tissec/1999-2-4/p354-stubblebine/p354-stubblebine.pdf;
                 http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p354-stubblebine/",
  abstract =     "We present a protocol for unlinkable serial
                 transactions suitable for a variety of network-based
                 subscription services. It is the first protocol to use
                 cryptographic blinding to enable subscription services.
                 The protocol prevents the service from tracking the
                 behavior of its customers, while protecting the service
                 vendor from abuse due to simultaneous or cloned use by
                 a single subscriber. Our basic protocol structure and
                 recovery protocol are robust against failure in
                 protocol termination. We evaluate the security of the
                 basic protocol and extend the basic protocol to include
                 auditing, which further deters subscription sharing. We
                 describe other applications of unlinkable serial
                 transactions for pay-per-use trans subscription,
                 third-party subscription management, multivendor
                 coupons, proof of group membership, and voting.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Design; Security; Verification",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "anonymity; blinding; cryptographic protocols;
                 unlinkable serial transactions",
  subject =      "Computer Applications --- Administrative Data
                 Processing (J.1); Software --- Operating Systems ---
                 Security and Protection (D.4.6): {\bf Access controls};
                 Software --- Operating Systems --- Security and
                 Protection (D.4.6): {\bf Cryptographic controls};
                 Software --- Operating Systems --- Security and
                 Protection (D.4.6): {\bf Authentication}; Computing
                 Milieux --- Management of Computing and Information
                 Systems --- Security and Protection (K.6.5); Computing
                 Milieux --- Management of Computing and Information
                 Systems --- Security and Protection (K.6.5): {\bf
                 Authentication}; Computing Milieux --- Management of
                 Computing and Information Systems --- Security and
                 Protection (K.6.5): {\bf Unauthorized access (e.g.,
                 hacking, phreaking)}; Information Systems ---
                 Information Storage and Retrieval --- Systems and
                 Software (H.3.4): {\bf User profiles and alert
                 services}; Information Systems --- Database Management
                 --- Systems (H.2.4): {\bf Transaction processing};
                 Information Systems --- Information Storage and
                 Retrieval --- Digital Libraries (H.3.7): {\bf User
                 issues}",
}

@Article{Gabber:1999:SPC,
  author =       "Eran Gabber and Phillip B. Gibbons and David M.
                 Kristol and Yossi Matias and Alain Mayer",
  title =        "On secure and pseudonymous client-relationships with
                 multiple servers",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "4",
  pages =        "390--415",
  month =        nov,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p390-gabber/",
  abstract =     "This paper introduces a cryptographic engine, Janus,
                 which assists clients in establishing and maintaining
                 secure and pseudonymous relationships with multiple
                 servers. The setting is such that clients reside on a
                 particular subnet (e.g., corporate intranet, ISP) and
                 the servers reside anywhere on the Internet. The Janus
                 engine allows each client-server relationship to use
                 either weak or strong authentication on each
                 interaction. At the same time, each interaction
                 preserves privacy by neither revealing a clients true
                 identity (except for the subnet) nor the set of servers
                 with which a particular client interacts. Furthermore,
                 clients do not need any secure long-term memory,
                 enabling scalability and mobility. The interaction
                 model extends to allow servers to send data back to
                 clients via e-mail at a later date. Hence, our results
                 complement the functionality of current network
                 anonymity tools and remailers. The paper also describes
                 the design and implementation of the Lucent
                 Personalized Web Assistant (LPWA), which is a practical
                 system that provides secure and pseudonymous relations
                 with multiple servers on the Internet. LPWA employs the
                 Janus function to generate site-specific person?, which
                 consist of alias usernames, passwords, and e-mail
                 addresses.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Algorithms; Experimentation; Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "anonymity; Janus function; mailbox; persistent
                 relationship; privacy; pseudonym",
  subject =      "Computing Milieux --- Management of Computing and
                 Information Systems --- Security and Protection
                 (K.6.5): {\bf Authentication}",
}

@Article{Hevia:1999:STD,
  author =       "Alejandro Hevia and Marcos Kiwi",
  title =        "Strength of Two {Data Encryption Standard}
                 Implementations under Timing Attack",
  journal =      j-TISSEC,
  volume =       "2",
  number =       "4",
  pages =        "416--437",
  month =        nov,
  year =         "1999",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Oct 26 11:39:38 MDT 2000",
  bibsource =    "http://www.acm.org/tissec/contents/v2no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  URL =          "http://www.acm.org/pubs/citations/journals/tissec/1999-2-4/p416-hevia/",
  abstract =     "We study the vulnerability of two implementations of
                 the Data Encryption Standard (DES) cryptosystem under a
                 timing attack. A timing attack is a method, recently
                 proposed by Paul Kocher, that is designed to break
                 cryptographic systems. It exploits the engineering
                 aspects involved in the implementation of cryptosystems
                 and might succeed even against cryptosystems that
                 remain impervious to sophisticated cryptanalytic
                 techniques. A timing attack is, essentially, a way of
                 obtaining some users private information by carefully
                 measuring the time it takes the user to carry out
                 cryptographic operations. In this work, we analyze two
                 implementations of DES. We show that a timing attack
                 yields the Hamming weight of the key used by both DES
                 implementations. Moreover, the attack is
                 computationally inexpensive. We also show that all the
                 design characteristics of the target system, necessary
                 to carry out the timing attack, can be inferred from
                 timing measurements.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  generalterms = "Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "cryptanalysis; cryptography; data encryption standard;
                 timing attack",
  subject =      "Data --- Data Encryption (E.3): {\bf Data encryption
                 standard (DES)**}; Computer Systems Organization ---
                 Special-Purpose and Application-Based Systems (C.3)",
}

@Article{Frincke:2000:BCR,
  author =       "Deborah Frincke",
  title =        "Balancing Cooperation and Risk in Intrusion
                 Detection",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "1",
  pages =        "1--29",
  month =        feb,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Schneider:2000:ESP,
  author =       "Fred B. Schneider",
  title =        "Enforceable Security Policies",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "1",
  pages =        "30--50",
  month =        feb,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Spinellis:2000:RMS,
  author =       "Diomidis Spinellis",
  title =        "Reflection as a Mechanism for Software Integrity
                 Verification",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "1",
  pages =        "51--62",
  month =        feb,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Dolev:2000:XTE,
  author =       "Shlomi Dolev and Rafail Ostrovsky",
  title =        "Xor-Trees for Efficient Anonymous Multicast and
                 Reception",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "2",
  pages =        "63--84",
  month =        may,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Osborn:2000:CRB,
  author =       "Sylvia Osborn and Ravi Sandhu and Qamar Munawer",
  title =        "Configuring Role-Based Access Control to Enforce
                 Mandatory and Discretionary Access Control Policies",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "2",
  pages =        "85--106",
  month =        may,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wool:2000:KME,
  author =       "Avishai Wool",
  title =        "Key Management for Encrypted Broadcast",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "2",
  pages =        "107--134",
  month =        may,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Molva:2000:SMS,
  author =       "Refik Molva and Alain Pannetrat",
  title =        "Scalable Multicast Security with Dynamic Recipient
                 Groups",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "3",
  pages =        "136--160",
  month =        aug,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Cramer:2000:SSB,
  author =       "Ronald Cramer and Victor Shoup",
  title =        "Signature Schemes Based on the Strong {RSA}
                 Assumption",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "3",
  pages =        "161--185",
  month =        aug,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Axelsson:2000:BRF,
  author =       "Stefan Axelsson",
  title =        "The Base-Rate Fallacy and the Difficulty of Intrusion
                 Detection",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "3",
  pages =        "186--205",
  month =        aug,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ahn:2000:RBA,
  author =       "Gail-Joon Ahn and Ravi Sandhu",
  title =        "Role-based Authorization Constraints Specification",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "4",
  pages =        "207--226",
  month =        nov,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Lee:2000:FCF,
  author =       "Wenke Lee and Salvatore J. Stolfo",
  title =        "A Framework for Constructing Features and Models for
                 Intrusion Detection Systems",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "4",
  pages =        "227--261",
  month =        nov,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{McHugh:2000:TID,
  author =       "John McHugh",
  title =        "Testing Intrusion detection systems: a critique of the
                 1998 and 1999 {DARPA} intrusion detection system
                 evaluations as performed by {Lincoln Laboratory}",
  journal =      j-TISSEC,
  volume =       "3",
  number =       "4",
  pages =        "262--294",
  month =        nov,
  year =         "2000",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v3no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chang:2001:RTP,
  author =       "Ho-Yen Chang and S. Felix Wu and Y. Frank Jou",
  title =        "Real-Time Protocol Analysis for Detecting Link-State
                 Routing Protocol Attacks",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "1",
  pages =        "1--36",
  month =        feb,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v4no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Park:2001:RBA,
  author =       "Joon S. Park and Ravi Sandhu and Gail-Joon Ahn",
  title =        "Role-based access control on the {Web}",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "1",
  pages =        "37--71",
  month =        feb,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Smith:2001:CPH,
  author =       "Richard E. Smith",
  title =        "Cost Profile of a Highly Assured, Secure Operating
                 System",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "1",
  pages =        "72--101",
  month =        feb,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/v4no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Shands:2001:SVE,
  author =       "Deborah Shands and Jay Jacobs and Richard Yee and E.
                 John Sebes",
  title =        "Secure Virtual Enclaves: Supporting Coalition Use of
                 Distributed Application Technologies",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "2",
  pages =        "103--133",
  month =        may,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Steiner:2001:SPB,
  author =       "Michael Steiner and Peter Buhler and Thomas Eirich and
                 Michael Waidner",
  title =        "Secure Password-Based Cipher Suite for {TLS}",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "2",
  pages =        "134--157",
  month =        may,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jaeger:2001:PSF,
  author =       "Trent Jaeger and Jonathon E. Tidswell",
  title =        "Practical Safety in Flexible Access Control Models",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "2",
  pages =        "158--190",
  month =        may,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:22 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bertino:2001:TTR,
  author =       "Elisa Bertino and Piero Andrea Bonatti and Elena
                 Ferrari",
  title =        "{TRBAC}: a Temporal Role-based Access Control Model",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "3",
  pages =        "191--223",
  month =        aug,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ferraiolo:2001:PNS,
  author =       "David F. Ferraiolo and Ravi Sandhu and Serban Gavrila
                 and D. Richard Kuhn and Ramaswamy Chandramouli",
  title =        "Proposed {NIST} standard for role-based access
                 control",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "3",
  pages =        "224--274",
  month =        aug,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Kaliski:2001:UKS,
  author =       "Burton S. Kaliski",
  title =        "An unknown key-share attack on the {MQV} key agreement
                 protocol",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "3",
  pages =        "275--288",
  month =        aug,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Rodeh:2001:APS,
  author =       "Ohad Rodeh and Kenneth P. Birman and Danny Dolev",
  title =        "The Architecture and Performance of Security Protocols
                 in the {Ensemble Group Communication System}: Using
                 Diamonds to Guard the Castle",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "3",
  pages =        "289--319",
  month =        aug,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bertino:2001:NTM,
  author =       "Elisa Bertino and Barbara Catania and Elena Ferrari",
  title =        "A Nested Transaction Model for Multilevel Secure
                 Database Management Systems",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "4",
  pages =        "321--370",
  month =        nov,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Kihlstrom:2001:SGC,
  author =       "Kim Potter Kihlstrom and L. E. Moser and P. M.
                 Melliar-Smith",
  title =        "The SecureRing group communication system",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "4",
  pages =        "371--406",
  month =        nov,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ning:2001:ABI,
  author =       "Peng Ning and Sushil Jajodia and Xiaoyang Sean Wang",
  title =        "Abstraction-based intrusion detection in distributed
                 environments",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "4",
  pages =        "407--452",
  month =        nov,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.acm.org/tissec/contents/v4no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Samarati:2001:AMP,
  author =       "Pierangela Samarati and Michael K. Reiter and Sushil
                 Jajodia",
  title =        "An authorization model for a public key management
                 service",
  journal =      j-TISSEC,
  volume =       "4",
  number =       "4",
  pages =        "453--482",
  month =        nov,
  year =         "2001",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 25 16:47:23 MST 2002",
  bibsource =    "http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bonatti:2002:ACA,
  author =       "Piero Bonatti and Sabrina {De Capitani di Vimercati}
                 and Pierangela Samarati",
  title =        "An Algebra for Composing Access Control Policies",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "1",
  pages =        "1--35",
  month =        feb,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bernaschi:2002:RSE,
  author =       "Massimo Bernaschi and Emanuele Gabrielli and Luigi V.
                 Mancini",
  title =        "{REMUS}: a Security-Enhanced Operating System",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "1",
  pages =        "36--61",
  month =        feb,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no1.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Atluri:2002:AMT,
  author =       "Vijayalakshmi Atluri and Avigdor Gal",
  title =        "An authorization model for temporal and derived data:
                 securing information portals",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "1",
  pages =        "62--94",
  month =        feb,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Blaze:2002:TMI,
  author =       "Matt Blaze and John Ioannidis and Angelos D.
                 Keromytis",
  title =        "Trust Management for {IPsec}",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "2",
  pages =        "95--118",
  month =        may,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 25 16:54:06 MDT 2001",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Dean:2002:AAI,
  author =       "Drew Dean and Matt Franklin and Adam Stubblefield",
  title =        "An Algebraic Approach to {IP} Traceback",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "2",
  pages =        "119--137",
  month =        may,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no3.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Rudys:2002:TLB,
  author =       "Algis Rudys and Dan S. Wallach",
  title =        "Termination in language-based systems",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "2",
  pages =        "138--168",
  month =        may,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Damiani:2002:FGA,
  author =       "Ernesto Damiani and Sabrina {De Capitani di Vimercati}
                 and Stefano Paraboschi and Pierangela Samarati",
  title =        "A Fine-Grained Access Control System for {XML}
                 Documents",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "2",
  pages =        "169--202",
  month =        may,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:35 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Michael:2002:SSB,
  author =       "C. C. Michael and Anup Ghosh",
  title =        "Simple, state-based approaches to program-based
                 anomaly detection",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "3",
  pages =        "203--237",
  month =        aug,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Viega:2002:TBS,
  author =       "John Viega and J. T. Bloch and Tadayoshi Kohno and
                 Gary McGraw",
  title =        "Token-based scanning of source code for security
                 problems",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "3",
  pages =        "238--261",
  month =        aug,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "ITS4",
}

@Article{Loughry:2002:ILO,
  author =       "Joe Loughry and David A. Umphress",
  title =        "Information leakage from optical emanations",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "3",
  pages =        "262--289",
  month =        aug,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bertino:2002:SSD,
  author =       "Elisa Bertino and Elena Ferrari",
  title =        "Secure and Selective Dissemination of {XML}
                 Documents",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "3",
  pages =        "290--331",
  month =        aug,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no2.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Koch:2002:GBF,
  author =       "Manuel Koch and Luigi V. Mancini and Francesco
                 Parisi-Presicce",
  title =        "A graph-based formalism for {RBAC}",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "3",
  pages =        "332--365",
  month =        aug,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bergadano:2002:UAT,
  author =       "Francesco Bergadano and Daniele Gunetti and Claudia
                 Picardi",
  title =        "User authentication through keystroke dynamics",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "4",
  pages =        "367--397",
  month =        nov,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Swift:2002:IGA,
  author =       "Michael M. Swift and Anne Hopkins and Peter Brundrett
                 and Cliff Van Dyke and Praerit Garg and Shannon Chan
                 and Mario Goertzel and Gregory Jensenworth",
  title =        "Improving the granularity of access control for
                 {Windows 2000}",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "4",
  pages =        "398--437",
  month =        nov,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gordon:2002:EIS,
  author =       "Lawrence A. Gordon and Martin P. Loeb",
  title =        "The economics of information security investment",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "4",
  pages =        "438--457",
  month =        nov,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Harbitter:2002:MAP,
  author =       "Alan Harbitter and Daniel A. Menasc{\'e}",
  title =        "A methodology for analyzing the performance of
                 authentication protocols",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "4",
  pages =        "458--491",
  month =        nov,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bacon:2002:MOR,
  author =       "Jean Bacon and Ken Moody and Walt Yao",
  title =        "A model of {OASIS} role-based access control and its
                 support for active security",
  journal =      j-TISSEC,
  volume =       "5",
  number =       "4",
  pages =        "492--540",
  month =        nov,
  year =         "2002",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:36 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Yu:2003:SSC,
  author =       "Ting Yu and Marianne Winslett and Kent E. Seamons",
  title =        "Supporting structured credentials and sensitive
                 policies through interoperable strategies for automated
                 trust negotiation",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "1",
  pages =        "1--42",
  month =        feb,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Halpern:2003:RBS,
  author =       "Joseph Y. Halpern and Riccardo Pucella",
  title =        "On the relationship between strand spaces and
                 multi-agent systems",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "1",
  pages =        "43--70",
  month =        feb,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bertino:2003:LFR,
  author =       "Elisa Bertino and Barbara Catania and Elena Ferrari
                 and Paolo Perlasca",
  title =        "A Logical Framework for Reasoning about Access Control
                 Models",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "1",
  pages =        "71--127",
  month =        feb,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.acm.org/tissec/contents/v5no4.html;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2003:DLL,
  author =       "Ninghui Li and Benjamin N. Grosof and Joan
                 Feigenbaum",
  title =        "Delegation logic: a logic-based approach to
                 distributed authorization",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "1",
  pages =        "128--171",
  month =        feb,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chari:2003:BPD,
  author =       "Suresh N. Chari and Pau-Chen Cheng",
  title =        "{BlueBoX}: a policy-driven, host-based intrusion
                 detection system",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "2",
  pages =        "173--200",
  month =        may,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Crampton:2003:ASF,
  author =       "Jason Crampton and George Loizou",
  title =        "Administrative scope: a foundation for role-based
                 administrative models",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "2",
  pages =        "201--231",
  month =        may,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Karjoth:2003:ACI,
  author =       "G{\"u}nter Karjoth",
  title =        "Access control with {IBM Tivoli} access manager",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "2",
  pages =        "232--257",
  month =        may,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Park:2003:EMS,
  author =       "Jung Min Park and Edwin K. P. Chong and Howard Jay
                 Siegel",
  title =        "Efficient multicast stream authentication using
                 erasure codes",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "2",
  pages =        "258--285",
  month =        may,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wijesekera:2003:PPA,
  author =       "Duminda Wijesekera and Sushil Jajodia",
  title =        "A propositional policy algebra for access control",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "2",
  pages =        "286--325",
  month =        may,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Aug 7 09:02:37 MDT 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jaeger:2003:PMU,
  author =       "Trent Jaeger and Xiaolan Zhang and Fidel Cacheda",
  title =        "Policy management using access control spaces",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "3",
  pages =        "327--364",
  month =        aug,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:09 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Rogaway:2003:OBC,
  author =       "Phillip Rogaway and Mihir Bellare and John Black",
  title =        "{OCB}: a block-cipher mode of operation for efficient
                 authenticated encryption",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "3",
  pages =        "365--403",
  month =        aug,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:09 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhang:2003:RBF,
  author =       "Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu",
  title =        "A rule-based framework for role-based delegation and
                 revocation",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "3",
  pages =        "404--441",
  month =        aug,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:09 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Julisch:2003:CID,
  author =       "Klaus Julisch",
  title =        "Clustering intrusion detection alarms to support root
                 cause analysis",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "4",
  pages =        "443--471",
  month =        nov,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:10 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Persiano:2003:SPS,
  author =       "Pino Persiano and Ivan Visconti",
  title =        "A secure and private system for subscription-based
                 remote services",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "4",
  pages =        "472--500",
  month =        nov,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:10 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Barker:2003:FAC,
  author =       "Steve Barker and Peter J. Stuckey",
  title =        "Flexible access control policy specification with
                 constraint logic programming",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "4",
  pages =        "501--546",
  month =        nov,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:10 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ellison:2003:PKS,
  author =       "Carl Ellison and Steve Dohrmann",
  title =        "Public-key support for group collaboration",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "4",
  pages =        "547--565",
  month =        nov,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:10 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Thompson:2003:CBA,
  author =       "Mary R. Thompson and Abdelilah Essiari and Srilekha
                 Mudumbai",
  title =        "Certificate-based authorization policy in a {PKI}
                 environment",
  journal =      j-TISSEC,
  volume =       "6",
  number =       "4",
  pages =        "566--588",
  month =        nov,
  year =         "2003",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 22 17:56:10 MST 2003",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ateniese:2004:VED,
  author =       "Giuseppe Ateniese",
  title =        "Verifiable encryption of digital signatures and
                 applications",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "1",
  pages =        "1--20",
  month =        feb,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Levi:2004:UNC,
  author =       "Albert Levi and M. Ufuk Caglayan and Cetin K. Koc",
  title =        "Use of nested certificates for efficient, dynamic, and
                 trust preserving public key infrastructure",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "1",
  pages =        "21--59",
  month =        feb,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Kim:2004:TBG,
  author =       "Yongdae Kim and Adrian Perrig and Gene Tsudik",
  title =        "Tree-based group key agreement",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "1",
  pages =        "60--96",
  month =        feb,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Montenegro:2004:CBI,
  author =       "Gabriel Montenegro and Claude Castelluccia",
  title =        "Crypto-based identifiers {(CBIDs)}: {Concepts} and
                 applications",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "1",
  pages =        "97--127",
  month =        feb,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Park:2004:UUC,
  author =       "Jaehong Park and Ravi Sandhu",
  title =        "The {UCON$_{ABC}$} usage control model",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "1",
  pages =        "128--174",
  month =        feb,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jaeger:2004:CAA,
  author =       "Trent Jaeger and Antony Edwards and Xiaolan Zhang",
  title =        "Consistency analysis of authorization hook placement
                 in the {Linux} security modules framework",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "2",
  pages =        "175--205",
  month =        may,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bellare:2004:BPR,
  author =       "Mihir Bellare and Tadayoshi Kohno and Chanathip
                 Namprempre",
  title =        "Breaking and provably repairing the {SSH}
                 authenticated encryption scheme: a case study of the
                 Encode-then-Encrypt-and-{MAC} paradigm",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "2",
  pages =        "206--241",
  month =        may,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Aiello:2004:JFK,
  author =       "William Aiello and Steven M. Bellovin and Matt Blaze
                 and Ran Canetti and John Ioannidis and Angelos
                 D. Keromytis and Omer Reingold",
  title =        "Just fast keying: {Key} agreement in a hostile
                 {Internet}",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "2",
  pages =        "242--273",
  month =        may,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ning:2004:TTA,
  author =       "Peng Ning and Yun Cui and Douglas S. Reeves and
                 Dingbang Xu",
  title =        "Techniques and tools for analyzing intrusion alerts",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "2",
  pages =        "274--318",
  month =        may,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Stubblefield:2004:KRA,
  author =       "Adam Stubblefield and John Ioannidis and Aviel D.
                 Rubin",
  title =        "A key recovery attack on the 802.11b wired equivalent
                 privacy protocol {(WEP)}",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "2",
  pages =        "319--332",
  month =        may,
  year =         "2004",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/996943.996948",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this paper, we present a practical key recovery
                 attack on WEP, the link-layer security protocol for
                 802.11b wireless networks. The attack is based on a
                 partial key exposure vulnerability in the RC4 stream
                 cipher discovered by Fluhrer, Mantin, and Shamir. This
                 paper describes how to apply this flaw to breaking WEP,
                 our implementation of the attack, and optimizations
                 that can be used to reduce the number of packets
                 required for the attack. We conclude that the 802.11b
                 WEP standard is completely insecure, and we provide
                 recommendations on how this vulnerability could be
                 mitigated and repaired.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Carrier:2004:STP,
  author =       "Brian Carrier and Clay Shields",
  title =        "The session token protocol for forensics and
                 traceback",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "3",
  pages =        "333--362",
  month =        aug,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wedde:2004:MAA,
  author =       "Horst F. Wedde and Mario Lischka",
  title =        "Modular authorization and administration",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "3",
  pages =        "363--391",
  month =        aug,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Strembeck:2004:IAE,
  author =       "Mark Strembeck and Gustaf Neumann",
  title =        "An integrated approach to engineer and enforce context
                 constraints in {RBAC} environments",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "3",
  pages =        "392--427",
  month =        aug,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Hess:2004:CTT,
  author =       "Adam Hess and Jason Holt and Jared Jacobson and Kent
                 E. Seamons",
  title =        "Content-triggered trust negotiation",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "3",
  pages =        "428--456",
  month =        aug,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Amir:2004:PGK,
  author =       "Yair Amir and Yongdae Kim and Cristina Nita-Rotaru and
                 Gene Tsudik",
  title =        "On the performance of group key agreement protocols",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "3",
  pages =        "457--488",
  month =        aug,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Nov 4 08:41:51 MST 2004",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wright:2004:PAA,
  author =       "Matthew K. Wright and Micah Adler and Brian Neil
                 Levine and Clay Shields",
  title =        "The predecessor attack: {An} analysis of a threat to
                 anonymous communications systems",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "4",
  pages =        "489--522",
  month =        nov,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Huang:2004:KCB,
  author =       "Dijiang Huang and Deep Medhi",
  title =        "A key-chain-based keying scheme for many-to-many
                 secure group communication",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "4",
  pages =        "523--552",
  month =        nov,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Shacham:2004:CSC,
  author =       "Hovav Shacham and Dan Boneh and Eric Rescorla",
  title =        "Client-side caching for {TLS}",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "4",
  pages =        "553--575",
  month =        nov,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Walcott:2004:TMR,
  author =       "Tom Walcott and Matt Bishop",
  title =        "Traducement: a model for record security",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "4",
  pages =        "576--590",
  month =        nov,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ning:2004:HRA,
  author =       "Peng Ning and Dingbang Xu",
  title =        "Hypothesizing and reasoning about attacks missed by
                 intrusion detection systems",
  journal =      j-TISSEC,
  volume =       "7",
  number =       "4",
  pages =        "591--627",
  month =        nov,
  year =         "2004",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Sandhu:2005:E,
  author =       "Ravi Sandhu",
  title =        "Editorial",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "1--1",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Atluri:2005:P,
  author =       "Vijay Atluri",
  title =        "Preface",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "2--2",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Barrantes:2005:RIS,
  author =       "Elena Gabriela Barrantes and David H. Ackley and
                 Stephanie Forrest and Darko Stefanovi{\'c}",
  title =        "Randomized instruction set emulation",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "3--40",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Liu:2005:EPK,
  author =       "Donggang Liu and Peng Ning and Rongfang Li",
  title =        "Establishing pairwise keys in distributed sensor
                 networks",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "41--77",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Liu:2005:IBM,
  author =       "Peng Liu and Wanyu Zang and Meng Yu",
  title =        "Incentive-based modeling and inference of attacker
                 intent, objectives, and strategies",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "78--118",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ceselli:2005:MAI,
  author =       "Alberto Ceselli and Ernesto Damiani and Sabrina {De
                 Capitani Di Vimercati} and Sushil Jajodia and Stefano
                 Paraboschi and Pierangela Samarati",
  title =        "Modeling and assessing inference exposure in encrypted
                 databases",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "1",
  pages =        "119--152",
  month =        feb,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Mar 24 15:53:55 MST 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ye:2005:TPB,
  author =       "Zishuang (Eileen) Ye and Sean Smith and Denise
                 Anthony",
  title =        "Trusted paths for browsers",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "2",
  pages =        "153--186",
  month =        may,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jul 7 12:29:10 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bhatti:2005:XGX,
  author =       "Rafae Bhatti and Arif Ghafoor and Elisa Bertino and
                 James B. D. Joshi",
  title =        "{X-GTRBAC}: an {XML}-based policy specification
                 framework and architecture for enterprise-wide access
                 control",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "2",
  pages =        "187--227",
  month =        may,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jul 7 12:29:10 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Du:2005:PKP,
  author =       "Wenliang Du and Jing Deng and Yunghsiang S. Han and
                 Pramod K. Varshney and Jonathan Katz and Aram Khalili",
  title =        "A pairwise key predistribution scheme for wireless
                 sensor networks",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "2",
  pages =        "228--258",
  month =        may,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jul 7 12:29:10 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhou:2005:APS,
  author =       "Lidong Zhou and Fred B. Schneider and Robbert {Van
                 Renesse}",
  title =        "{APSS}: proactive secret sharing in asynchronous
                 systems",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "3",
  pages =        "259--286",
  month =        aug,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Sep 17 15:42:03 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Dojen:2005:CLP,
  author =       "Reiner Dojen and Tom Coffey",
  title =        "The concept of layered proving trees and its
                 application to the automation of security protocol
                 verification",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "3",
  pages =        "287--311",
  month =        aug,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Sep 17 15:42:03 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gunetti:2005:KAF,
  author =       "Daniele Gunetti and Claudia Picardi",
  title =        "Keystroke analysis of free text",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "3",
  pages =        "312--347",
  month =        aug,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Sep 17 15:42:03 MDT 2005",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ferrari:2005:GES,
  author =       "Elena Ferrari",
  title =        "Guest editorial: {Special} issue on access control
                 models and technologies",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "4",
  pages =        "349--350",
  month =        nov,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jan 10 07:44:45 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhang:2005:FMP,
  author =       "Xinwen Zhang and Francesco Parisi-Presicce and Ravi
                 Sandhu and Jaehong Park",
  title =        "Formal model and policy specification of usage
                 control",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "4",
  pages =        "351--387",
  month =        nov,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jan 10 07:44:45 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bhatti:2005:XGA,
  author =       "Rafae Bhatti and Basit Shafiq and Elisa Bertino and
                 Arif Ghafoor and James B. D. Joshi",
  title =        "{X-gtrbac} admin: a decentralized administration model
                 for enterprise-wide access control",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "4",
  pages =        "388--423",
  month =        nov,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jan 10 07:44:45 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Hengartner:2005:ACP,
  author =       "Urs Hengartner and Peter Steenkiste",
  title =        "Access control to people location information",
  journal =      j-TISSEC,
  volume =       "8",
  number =       "4",
  pages =        "424--456",
  month =        nov,
  year =         "2005",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jan 10 07:44:45 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ateniese:2006:IPR,
  author =       "Giuseppe Ateniese and Kevin Fu and Matthew Green and
                 Susan Hohenberger",
  title =        "Improved proxy re-encryption schemes with applications
                 to secure distributed storage",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "1",
  pages =        "1--30",
  month =        feb,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Apr 29 09:23:50 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Malvestuto:2006:ASQ,
  author =       "Francesco M. Malvestuto and Mauro Mezzini and Marina
                 Moscarini",
  title =        "Auditing sum-queries to make a statistical database
                 secure",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "1",
  pages =        "31--60",
  month =        feb,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Apr 29 09:23:50 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Mutz:2006:ASC,
  author =       "Darren Mutz and Fredrik Valeur and Giovanni Vigna and
                 Christopher Kruegel",
  title =        "Anomalous system call detection",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "1",
  pages =        "61--93",
  month =        feb,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Apr 29 09:23:50 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Futoransky:2006:FAS,
  author =       "Ariel Futoransky and Emiliano Kargieman and Carlos
                 Sarraute and Ariel Waissbein",
  title =        "Foundations and applications for secure triggers",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "1",
  pages =        "94--112",
  month =        feb,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Apr 29 09:23:50 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Oh:2006:ERA,
  author =       "Sejong Oh and Ravi Sandhu and Xinwen Zhang",
  title =        "An effective role administration model using
                 organization structure",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "2",
  pages =        "113--137",
  month =        may,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1151414.1151415",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Aug 26 08:10:38 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bella:2006:APF,
  author =       "Giampaolo Bella and Lawrence C. Paulson",
  title =        "Accountability protocols: {Formalized} and verified",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "2",
  pages =        "138--161",
  month =        may,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1151414.1151416",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Aug 26 08:10:38 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chandramouli:2006:BPA,
  author =       "R. Chandramouli and S. Bapatla and K. P. Subbalakshmi
                 and R. N. Uma",
  title =        "Battery power-aware encryption",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "2",
  pages =        "162--180",
  month =        may,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1151414.1151417",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Aug 26 08:10:38 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Minimizing power consumption is crucial in battery
                 power-limited secure wireless mobile networks. In this
                 paper, we (a) introduce a hardware/software set-up to
                 measure the battery power consumption of encryption
                 algorithms through real-life experimentation, (b) based
                 on the profiled data, propose mathematical models to
                 capture the relationships between power consumption and
                 security, and (c) formulate and solve security
                 maximization subject to power constraints. Numerical
                 results are presented to illustrate the gains that can
                 be achieved in using solutions of the proposed security
                 maximization problems subject to power constraints.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gennaro:2006:FPB,
  author =       "Rosario Gennaro and Yehuda Lindell",
  title =        "A framework for password-based authenticated key
                 exchange",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "2",
  pages =        "181--234",
  month =        may,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1151414.1151418",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Aug 26 08:10:38 MDT 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this paper, we present a general framework for
                 password-based authenticated key exchange protocols, in
                 the common reference string model. Our protocol is
                 actually an abstraction of the key exchange protocol of
                 Katz et al. and is based on the recently introduced
                 notion of smooth projective hashing by Cramer and
                 Shoup. We gain a number of benefits from this
                 abstraction. First, we obtain a modular protocol that
                 can be described using just three high-level
                 cryptographic tools. This allows a simple and intuitive
                 understanding of its security. Second, our proof of
                 security is significantly simpler and more modular.
                 Third, we are able to derive analogs to the Katz et al.
                 protocol under additional cryptographic assumptions.
                 Specifically, in addition to the DDH assumption used by
                 Katz et al., we obtain protocols under both the
                 quadratic and N-residuosity assumptions. In order to
                 achieve this, we construct new smooth projective hash
                 functions.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{VanOorschot:2006:COD,
  author =       "Paul C. {Van Oorschot} and Stuart Stubblebine",
  title =        "On countering online dictionary attacks with login
                 histories and humans-in-the-loop",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "3",
  pages =        "235--258",
  month =        aug,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 15 06:44:34 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{McDaniel:2006:MLS,
  author =       "Patrick McDaniel and Atul Prakash",
  title =        "Methods and limitations of security policy
                 reconciliation",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "3",
  pages =        "259--291",
  month =        aug,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 15 06:44:34 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Murata:2006:XAC,
  author =       "Makoto Murata and Akihiko Tozawa and Michiharu Kudo
                 and Satoshi Hada",
  title =        "{XML} access control using static analysis",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "3",
  pages =        "292--324",
  month =        aug,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 15 06:44:34 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Kogan:2006:PRS,
  author =       "Noam Kogan and Yuval Shavitt and Avishai Wool",
  title =        "A practical revocation scheme for broadcast encryption
                 using smartcards",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "3",
  pages =        "325--351",
  month =        aug,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 15 06:44:34 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Winsborough:2006:SAT,
  author =       "William H. Winsborough and Ninghui Li",
  title =        "Safety in automated trust negotiation",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "3",
  pages =        "352--390",
  month =        aug,
  year =         "2006",
  CODEN =        "ATISBQ",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 15 06:44:34 MST 2006",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2006:SAR,
  author =       "Ninghui Li and Mahesh V. Tripunitara",
  title =        "Security analysis in role-based access control",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "4",
  pages =        "391--420",
  month =        nov,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1187441.1187442",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:51 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The administration of large role-based access control
                 (RBAC) systems is a challenging problem. In order to
                 administer such systems, decentralization of
                 administration tasks by the use of delegation is an
                 effective approach. While the use of delegation greatly
                 enhances flexibility and scalability, it may reduce the
                 control that an organization has over its resources,
                 thereby diminishing a major advantage RBAC has over
                 discretionary access control (DAC). We propose to use
                 security analysis techniques to maintain desirable
                 security properties while delegating administrative
                 privileges. We give a precise definition of a family of
                 security analysis problems in RBAC, which is more
                 general than safety analysis that is studied in the
                 literature. We show that two classes of problems in the
                 family can be reduced to similar analysis in the
                 RT[$\leftarrow,\cap$] role-based trust-management
                 language, thereby establishing an interesting
                 relationship between RBAC and the RT framework. The
                 reduction gives efficient algorithms for answering most
                 kinds of queries in these two classes and establishes
                 the complexity bounds for the intractable cases.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "delegation; role-based access control; role-based
                 administration; trust management",
}

@Article{Mella:2006:CCU,
  author =       "Giovanni Mella and Elena Ferrari and Elisa Bertino and
                 Yunhua Koglin",
  title =        "Controlled and cooperative updates of {XML} documents
                 in {Byzantine} and failure-prone distributed systems",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "4",
  pages =        "421--460",
  month =        nov,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1187441.1187443",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:51 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This paper proposes an infrastructure and related
                 algorithms for the controlled and cooperative updates
                 of XML documents. Key components of the proposed system
                 are a set of XML-based languages for specifying
                 access-control policies and the path that the document
                 must follow during its update. Such path can be fully
                 specified before the update process begins or can be
                 dynamically modified by properly authorized subjects
                 while being transmitted. Our approach is fully
                 distributed in that each party involved in the process
                 can verify the correctness of the operations performed
                 until that point on the document without relying on a
                 central authority. More importantly, the recovery
                 procedure also does not need the participation of a
                 central authority. Our approach is based on the use of
                 some special control information that is transmitted
                 together with the document and a suite of protocols. We
                 formally specify the structure of such control
                 information and the protocols. We also analyze security
                 and complexity of the proposed protocols.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Byzantine and distributed systems; policy languages;
                 updates; XML documents",
}

@Article{Kogan:2006:IER,
  author =       "Noam Kogan and Tamir Tassa",
  title =        "Improved efficiency for revocation schemes via
                 {Newton} interpolation",
  journal =      j-TISSEC,
  volume =       "9",
  number =       "4",
  pages =        "461--486",
  month =        nov,
  year =         "2006",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1187441.1187444",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:51 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present a novel way to implement the
                 secret-sharing-based family of revocation schemes of
                 Naor and Pinkas [2003]. The basic scheme of [Naor and
                 Pinkas 2000] uses Shamir's polynomial secret-sharing to
                 revoke up to r users, where r is the degree of the
                 secret-sharing polynomial, and it is information
                 theoretically secure against coalitions of up to r
                 collaborators. The nonrevoked users use Lagrange
                 interpolation in order to compute the new key. Our
                 basic scheme uses a novel modification of Shamir's
                 polynomial secret-sharing: The secret equals the
                 leading coefficient of the polynomial (as opposed to
                 the free coefficient as in the original scheme) and the
                 polynomial is reconstructed by Newton interpolation
                 (rather than Lagrange interpolation). Comparing our
                 scheme to one variant of the Naor--Pinkas scheme, we
                 offer revocation messages that are shorter by a factor
                 of almost 2, while the computation cost at the user end
                 is smaller by a constant factor of approximately 13/2.
                 Comparing to a second variant of the Naor--Pinkas
                 scheme, our scheme offers a reduction of O ( r ) in the
                 computation cost at the user end, without affecting any
                 of the other performance parameters. We then extend our
                 basic scheme to perform multiround revocation for
                 stateless and stateful receivers, along the lines
                 offered by Naor and Pinkas [2000] and Kogan et al.
                 [2003]. We show that using Newton rather than Lagrange
                 interpolants enables a significantly more efficient
                 transmission of the new revocation message and shorter
                 response time for each round. Pay TV systems that
                 implement broadcast encryption techniques can benefit
                 significantly from the improved efficiency offered by
                 our revocation schemes.",
  acknowledgement = ack-nhfb,
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "broadcast encryption; Newton interpolation; secret
                 sharing; User revocation",
}

@Article{Ahn:2007:GES,
  author =       "Gail-Joon Ahn",
  title =        "Guest editorial: {Special} issue on access control
                 models and technologies",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "1",
  pages =        "1:1--1:??",
  month =        feb,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1210263.1216576",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:58 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Damiani:2007:GRS,
  author =       "Maria Luisa Damiani and Elisa Bertino and Barbara
                 Catania and Paolo Perlasca",
  title =        "{GEO-RBAC}: a spatially aware {RBAC}",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "1",
  pages =        "2:1--2:??",
  month =        feb,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1210263.1210265",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:58 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Securing access to data in location-based services and
                 mobile applications requires the definition of
                 spatially aware access-control systems. Even if some
                 approaches have already been proposed either in the
                 context of geographic database systems or context-aware
                 applications, a comprehensive framework, general and
                 flexible enough to deal with spatial aspects in real
                 mobile applications, is still missing. In this paper,
                 we make one step toward this direction and present
                 GEO-RBAC, an extension of the RBAC model enhanced with
                 spatial-and location-based information. In GEORBAC,
                 spatial entities are used to model objects, user
                 positions, and geographically bounded roles. Roles are
                 activated based on the position of the user. Besides a
                 physical position, obtained from a given mobile
                 terminal or a cellular phone, users are also assigned a
                 logical and device-independent position, representing
                 the feature (the road, the town, the region) in which
                 they are located. To enhance flexibility and
                 reusability, we also introduce the concept of role
                 schema, specifying the name of the role, as well as the
                 type of the role spatial boundary and the granularity
                 of the logical position. We then extend GEO-RBAC to
                 support hierarchies, modeling permission, user, and
                 activation inheritance, and separation of duty
                 constraints. The proposed classes of constraints extend
                 the conventional ones to deal with different
                 granularities (schema/instance level) and spatial
                 information. We conclude the paper with an analysis of
                 several properties concerning the resulting model.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access-control model; GIS; location-based services",
}

@Article{Iwaihara:2007:RBA,
  author =       "Mizuho Iwaihara and Ryotaro Hayashi and Somchai
                 Chatvichienchai and Chutiporn Anutariya and Vilas
                 Wuwongse",
  title =        "Relevancy-based access control and its evaluation on
                 versioned {XML} documents",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "1",
  pages =        "3:1--3:??",
  month =        feb,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1210263.1210266",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:58 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Integration of version and access control of XML
                 documents has the benefit of regulating access to
                 rapidly growing archives of XML documents. Versioned
                 XML documents provide us with valuable information on
                 dependencies between document nodes, but, at the same
                 time, presenting the risk of undesirable data
                 disclosure. In this article, we introduce the notion of
                 relevancy-based access control, which realizes
                 protection of versioned XML documents by various types
                 of relevancy, such as version dependencies, schema
                 similarities, and temporal proximity. We define a new
                 path query language XVerPath over XML document
                 versions, which can be utilized for specifying
                 relevancy-based access-control policies. We also
                 introduce the notion of relevancy class, for
                 collectively and compactly specifying relevancy-based
                 policies. Regarding efficient processing of access
                 requests, we propose the packed version model, which
                 realizes space-efficient difference-based archives of
                 versioned XML documents and, at the same time,
                 providing efficient evaluation of XVerPath queries.
                 Experimental results show reasonable performance
                 superiority over conventional methods, which do not
                 utilize version differences.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; query language; security; version
                 control; XML; XPath",
}

@Article{Zhou:2007:MNI,
  author =       "Jingmin Zhou and Mark Heckman and Brennen Reynolds and
                 Adam Carlson and Matt Bishop",
  title =        "Modeling network intrusion detection alerts for
                 correlation",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "1",
  pages =        "4:1--4:??",
  month =        feb,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1210263.1210267",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:51:58 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Signature-based network intrusion-detection systems
                 (NIDSs) often report a massive number of simple alerts
                 of low-level security-related events. Many of these
                 alerts are logically involved in a single multi-stage
                 intrusion incident and a security officer often wants
                 to analyze the complete incident instead of each
                 individual simple alert. This paper proposes a
                 well-structured model that abstracts the logical
                 relation between the alerts in order to support
                 automatic correlation of those alerts involved in the
                 same intrusion. The basic building block of the model
                 is a logical formula called a capability. We use
                 capability to abstract consistently and precisely all
                 levels of accesses obtained by the attacker in each
                 step of a multistage intrusion. We then derive
                 inference rules to define logical relations between
                 different capabilities. Based on the model and the
                 inference rules, we have developed several novel alert
                 correlation algorithms and implemented a prototype
                 alert correlator. The experimental results of the
                 correlator using several intrusion datasets demonstrate
                 that the approach is effective in both alert fusion and
                 alert correlation and has the ability to correlate
                 alerts of complex multistage intrusions. In several
                 instances, the alert correlator successfully correlated
                 more than two thousand Snort alerts involved in massive
                 scanning incidents. It also helped us find two
                 multistage intrusions that were missed in auditing by
                 the security officers.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "alert correlation; alert fusion; capability; intrusion
                 detection",
}

@Article{Li:2007:MER,
  author =       "Ninghui Li and Mahesh V. Tripunitara and Ziad Bizri",
  title =        "On mutually exclusive roles and separation-of-duty",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "2",
  pages =        "5:1--5:??",
  month =        may,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1237500.1237501",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:05 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Separation-of-duty (SoD) is widely considered to be a
                 fundamental principle in computer security. A static
                 SoD (SSoD) policy states that in order to have all
                 permissions necessary to complete a sensitive task, the
                 cooperation of at least a certain number of users is
                 required. Role-based access control (RBAC) is today's
                 dominant access-control model. It is widely believed
                 that one of RBAC's main strengths is that it enables
                 the use of constraints to support policies, such as
                 separation-of-duty. In the literature on RBAC,
                 statically mutually exclusive roles (SMER) constraints
                 are used to enforce SSoD policies. In this paper, we
                 formulate and study fundamental computational problems
                 related to the use of SMER constraints to enforce SSoD
                 policies. We show that directly enforcing SSoD policies
                 is intractable (coNP-complete), while checking whether
                 an RBAC state satisfies a set of SMER constraints is
                 efficient; however, verifying whether a given set of
                 SMER constraints enforces an SSoD policy is also
                 intractable (coNP-complete). We discuss the
                 implications of these results. We show also how to
                 generate SMER constraints that are as accurate as
                 possible for enforcing an SSoD policy.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "computational complexity; constraints; role-based
                 access control; separation-of-duty; verification",
}

@Article{Peng:2007:BZK,
  author =       "Kun Peng and Colin Boyd and Ed Dawson",
  title =        "Batch zero-knowledge proof and verification and its
                 applications",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "2",
  pages =        "6:1--6:??",
  month =        may,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1237500.1237502",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:05 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The batch verification technique of Bellare et al. is
                 extended to verification of several frequently employed
                 zero-knowledge proofs. The new techniques are correct,
                 sound, efficient, and can be widely applied. Specific
                 applications are discussed in detail, including batch
                 ZK proof and verification of validity of encryption (or
                 reencryption) and batch ZK proof and verification of
                 validity of decryption. Considerable efficiency
                 improvements are gained in these two applications
                 without compromising security. As a result, efficiency
                 of the practical cryptographic systems (such as mix
                 networks) based on these two applications is
                 dramatically improved.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "batch proof and verification of decryption; batch
                 proof and verification of reencryption; mix network",
}

@Article{Ahmed:2007:SVS,
  author =       "Tanvir Ahmed and Anand R. Tripathi",
  title =        "Specification and verification of security
                 requirements in a programming model for decentralized
                 {CSCW} systems",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "2",
  pages =        "7:1--7:??",
  month =        may,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1237500.1237503",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:05 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present, in this paper, a role-based model for
                 programming distributed CSCW systems. This model
                 supports specification of dynamic security and
                 coordination requirements in such systems. We also
                 present here a model-checking methodology for verifying
                 the security properties of a design expressed in this
                 model. The verification methodology presented here is
                 used to ensure correctness and consistency of a design
                 specification. It is also used to ensure that sensitive
                 security requirements cannot be violated when policy
                 enforcement functions are distributed among the
                 participants. Several aspect-specific verification
                 models are developed to check security properties, such
                 as task-flow constraints, information flow,
                 confidentiality, and assignment of administrative
                 privileges.",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "finite state-based model checking; methodology for
                 access-control policy design; role-based access
                 control; Security policy specification",
}

@Article{Bhargavan:2007:SSW,
  author =       "Karthikeyan Bhargavan and Ricardo Corin and C{\'e}dric
                 Fournet and Andrew D. Gordon",
  title =        "Secure sessions for {Web} services",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "2",
  pages =        "8:1--8:??",
  month =        may,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1237500.1237504",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:05 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We address the problem of securing sequences of SOAP
                 messages exchanged between web services and their
                 clients. The WS-Security standard defines basic
                 mechanisms to secure SOAP traffic, one message at a
                 time. For typical web services, however, using
                 WS-Security independently for each message is rather
                 inefficient; moreover, it is often important to secure
                 the integrity of a whole session, as well as each
                 message. To these ends, recent specifications provide
                 further SOAP-level mechanisms. WS-SecureConversation
                 defines security contexts, which can be used to secure
                 sessions between two parties. WS-Trust specifies how
                 security contexts are issued and obtained. We develop a
                 semantics for the main mechanisms of WS-Trust and
                 WS-SecureConversation, expressed as a library for
                 TulaFale, a formal scripting language for security
                 protocols. We model typical protocols relying on these
                 mechanisms and automatically prove their main security
                 properties. We also informally discuss some pitfalls
                 and limitations of these specifications.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Web services; XML security",
}

@Article{Abadi:2007:JFK,
  author =       "Mart{\'\i}n Abadi and Bruno Blanchet and C{\'e}dric
                 Fournet",
  title =        "Just fast keying in the pi calculus",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "3",
  pages =        "9:1--9:??",
  month =        jul,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1266977.1266978",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:14 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "JFK is a recent, attractive protocol for fast key
                 establishment as part of securing IP communication. In
                 this paper, we formally analyze this protocol in the
                 applied pi calculus (partly in terms of observational
                 equivalences and partly with the assistance of an
                 automatic protocol verifier). We treat JFK's core
                 security properties and also other properties that are
                 rarely articulated and rigorously studied, such as
                 plausible deniability and resistance to
                 denial-of-service attacks. In the course of this
                 analysis, we found some ambiguities and minor problems,
                 such as limitations in identity protection, but we
                 mostly obtain positive results about JFK. For this
                 purpose, we develop ideas and techniques that should be
                 more generally useful in the specification and
                 verification of security protocols.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "IP security; key exchange; process calculus",
}

@Article{Bresson:2007:PSA,
  author =       "Emmanuel Bresson and Olivier Chevassut and David
                 Pointcheval",
  title =        "Provably secure authenticated group {Diffie--Hellman}
                 key exchange",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "3",
  pages =        "10:1--10:??",
  month =        jul,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1266977.1266979",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:14 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Authenticated key-exchange protocols allow two
                 participants A and B, communicating over a public
                 network and each holding an authentication means to
                 exchange a shared secret value. Methods designed to
                 deal with this cryptographic problem ensure A (resp. B
                 ) that no other participants aside from B (resp. A )
                 can learn any information about the agreed value and
                 often also ensure A and B that their respective partner
                 has actually computed this value. A natural extension
                 to this cryptographic method is to consider a pool of
                 participants exchanging a shared secret value and to
                 provide a formal treatment for it. Starting from the
                 famous two-party Diffie--Hellman (DH) key-exchange
                 protocol and from its authenticated variants, security
                 experts have extended it to the multiparty setting for
                 over a decade and, in the past few years, completed a
                 formal analysis in the framework of modern
                 cryptography. The present paper synthesizes this body
                 of work on the provably-secure authenticated group DH
                 key exchange.",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "cryptography; Diffie--Hellman; Group Key Exchange",
}

@Article{vanOorschot:2007:IRS,
  author =       "P. C. van Oorschot and Tao Wan and Evangelos
                 Kranakis",
  title =        "On interdomain routing security and pretty secure {BGP
                 (psBGP)}",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "3",
  pages =        "11:1--11:??",
  month =        jul,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1266977.1266980",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:14 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "It is well known that the Border Gateway Protocol
                 (BGP), the IETF standard interdomain routing protocol,
                 is vulnerable to a variety of attacks, and that a
                 single misconfigured or malicious BGP speaker could
                 result in large-scale service disruption. In this
                 paper, we present Pretty Secure BGP (psBGP) ---a
                 proposal for securing BGP, including an architectural
                 overview, design details for significant aspects, and
                 preliminary security and operational analysis. psBGP
                 differs from other security proposals (e. g. , S-BGP
                 and soBGP) in that it makes use of a single-level PKI
                 for AS number authentication, a decentralized trust
                 model for verifying the propriety of IP prefix origin,
                 and a rating-based stepwise approach for AS\_PATH
                 (integrity) verification. psBGP trades off the strong
                 security guarantees of S-BGP for presumed-simpler
                 operation, e. g. , using a PKI with a simple structure,
                 with a small number of certificate types, and of
                 manageable size. psBGP is designed to successfully
                 defend against various (nonmalicious and malicious)
                 threats from uncoordinated BGP speakers, and to be
                 incrementally deployed with incremental benefits.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "authentication; BGP; certificates; interdomain
                 routing; public-key infrastructure; secure routing
                 protocols; trust",
}

@Article{Squicciarini:2007:PTX,
  author =       "A. Squicciarini and E. Bertino and Elena Ferrari and
                 F. Paci and B. Thuraisingham",
  title =        "{PP-trust-X}: a system for privacy preserving trust
                 negotiations",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "3",
  pages =        "12:1--12:??",
  month =        jul,
  year =         "2007",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1266977.1266981",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:14 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Trust negotiation is a promising approach for
                 establishing trust in open systems, in which sensitive
                 interactions may often occur between entities with no
                 prior knowledge of each other. Although, to date
                 several trust negotiation systems have been proposed,
                 none of them fully address the problem of privacy
                 preservation. Today, privacy is one of the major
                 concerns of users when exchanging information through
                 the Web and thus we believe that trust negotiation
                 systems must effectively address privacy issues in
                 order to be widely applicable. For these reasons, in
                 this paper, we investigate privacy in the context of
                 trust negotiations. We propose a set of
                 privacy-preserving features for inclusion in any trust
                 negotiation system, such as the support for the P3P
                 standard, as well as a number of innovative features,
                 such as a novel format for encoding digital credentials
                 specifically designed for preserving privacy. Further,
                 we present a variety of interoperable strategies to
                 carry on the negotiation with the aim of improving both
                 privacy and efficiency.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; attribute-based access control;
                 automated trust negotiation; credentials; privacy;
                 strategy",
}

@Article{Chakrabarti:2008:ETR,
  author =       "Deepayan Chakrabarti and Yang Wang and Chenxi Wang and
                 Jurij Leskovec and Christos Faloutsos",
  title =        "Epidemic thresholds in real networks",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "1:1--1:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1284681",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "How will a virus propagate in a real network? How long
                 does it take to disinfect a network given particular
                 values of infection rate and virus death rate? What is
                 the single best node to immunize? Answering these
                 questions is essential for devising network-wide
                 strategies to counter viruses. In addition, viral
                 propagation is very similar in principle to the spread
                 of rumors, information, and ``fads,'' implying that the
                 solutions for viral propagation would also offer
                 insights into these other problem settings. We answer
                 these questions by developing a nonlinear dynamical
                 system ( NLDS ) that accurately models viral
                 propagation in any arbitrary network, including real
                 and synthesized network graphs. We propose a general
                 epidemic threshold condition for the NLDS system: we
                 prove that the epidemic threshold for a network is
                 exactly the inverse of the largest eigenvalue of its
                 adjacency matrix. Finally, we show that below the
                 epidemic threshold, infections die out at an
                 exponential rate. Our epidemic threshold model subsumes
                 many known thresholds for special-case graphs (e.g.,
                 Erd{\"o}s--R{\'e}nyi, BA powerlaw, homogeneous). We
                 demonstrate the predictive power of our model with
                 extensive experiments on real and synthesized graphs,
                 and show that our threshold condition holds for
                 arbitrary graphs. Finally, we show how to utilize our
                 threshold condition for practical uses: It can dictate
                 which nodes to immunize; it can assess the effects of a
                 throttling policy; it can help us design network
                 topologies so that they are more resistant to
                 viruses.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "eigenvalue; epidemic threshold; viral propagation",
}

@Article{Joshi:2008:FFH,
  author =       "James B. D. Joshi and Elisa Bertino and Arif Ghafoor
                 and Yue Zhang",
  title =        "Formal foundations for hybrid hierarchies in
                 {GTRBAC}",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "2:1--2:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1284682",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A role hierarchy defines permission acquisition and
                 role-activation semantics through role--role
                 relationships. It can be utilized for efficiently and
                 effectively structuring functional roles of an
                 organization having related access-control needs. The
                 focus of this paper is the analysis of hybrid role
                 hierarchies in the context of the generalized temporal
                 role-based access control (GTRBAC) model that allows
                 specification of a comprehensive set of temporal
                 constraints on role, user-role, and role-permission
                 assignments. We introduce the notion of uniquely
                 activable set (UAS) associated with a role hierarchy
                 that indicates the access capabilities of a user
                 resulting from his membership to a role in the
                 hierarchy. Identifying such a role set is essential,
                 while making an authorization decision about whether or
                 not a user should be allowed to activate a particular
                 combination of roles in a single session. We formally
                 show how UAS can be determined for a hybrid hierarchy.
                 Furthermore, within a hybrid hierarchy, various
                 hierarchical relations may be derived between an
                 arbitrary pair of roles. We present a set of inference
                 rules that can be used to generate all the possible
                 derived relations that can be inferred from a specified
                 set of hierarchical relations and show that it is sound
                 and complete. We also present an analysis of hierarchy
                 transformations with respect to role addition,
                 deletion, and partitioning, and show how various cases
                 of these transformations allow the original permission
                 acquisition and role-activation semantics to be
                 managed. The formal results presented here provide a
                 basis for developing efficient security administration
                 and management tools.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "derived relation; role hierarchy",
}

@Article{Gassend:2008:CPR,
  author =       "Blaise Gassend and Marten {Van Dijk} and Dwaine Clarke
                 and Emina Torlak and Srinivas Devadas and Pim Tuyls",
  title =        "Controlled physical random functions and
                 applications",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "3:1--3:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1284683",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The cryptographic protocols that we use in everyday
                 life rely on the secure storage of keys in consumer
                 devices. Protecting these keys from invasive attackers,
                 who open a device to steal its key, is a challenging
                 problem. We propose controlled physical random
                 functions (CPUFs) as an alternative to storing keys and
                 describe the core protocols that are needed to use
                 CPUFs. A physical random functions (PUF) is a physical
                 system with an input and output. The functional
                 relationship between input and output looks like that
                 of a random function. The particular relationship is
                 unique to a specific instance of a PUF, hence, one
                 needs access to a particular PUF instance to evaluate
                 the function it embodies. The cryptographic
                 applications of a PUF are quite limited unless the PUF
                 is combined with an algorithm that limits the ways in
                 which the PUF can be evaluated; this is a CPUF. A major
                 difficulty in using CPUFs is that you can only know a
                 small set of outputs of the PUF---the unknown outputs
                 being unrelated to the known ones. We present protocols
                 that get around this difficulty and allow a chain of
                 trust to be established between the CPUF manufacturer
                 and a party that wishes to interact securely with the
                 PUF device. We also present some elementary
                 applications, such as certified execution.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "certified execution; physical random function;
                 physical security; physical unclonable function;
                 trusted computing",
}

@Article{Bouganim:2008:DAC,
  author =       "Luc Bouganim and Fran{\c{c}}ois Dang Ngoc and Philippe
                 Pucheral",
  title =        "Dynamic access-control policies on {XML} encrypted
                 data",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "4:1--4:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1284684",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The erosion of trust put in traditional database
                 servers and in Database Service Providers and the
                 growing interest for different forms of selective data
                 dissemination are different factors that lead to move
                 the access-control from servers to clients. Different
                 data encryption and key dissemination schemes have been
                 proposed to serve this purpose. By compiling the
                 access-control rules into the encryption process, all
                 these methods suffer from a static way of sharing data.
                 With the emergence of hardware security elements on
                 client devices, more dynamic client-based
                 access-control schemes can be devised. This paper
                 proposes a tamper-resistant client-based XML
                 access-right controller supporting flexible and dynamic
                 access-control policies. The access-control engine is
                 embedded in a hardware-secure device and, therefore,
                 must cope with specific hardware resources. This engine
                 benefits from a dedicated index to quickly converge
                 toward the authorized parts of a potentially streaming
                 XML document. Pending situations (i. e. , where data
                 delivery is conditioned by predicates, which apply to
                 values encountered afterward in the document stream)
                 are handled gracefully, skipping, whenever possible the
                 pending elements and reassembling relevant parts when
                 the pending situation is solved. Additional security
                 mechanisms guarantee that (1) the input document is
                 protected from any form of tampering and (2) no
                 forbidden information can be gained by replay attacks
                 on different versions of the XML document and of the
                 access-control rules. Performance measurements on
                 synthetic and real datasets demonstrate the
                 effectiveness of the approach. Finally, the paper
                 reports on two experiments conducted with a prototype
                 running on a secured hardware platform.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access-control; data confidentiality; smartcard;
                 ubiquitous data management",
}

@Article{vanOorschot:2008:PMU,
  author =       "P. C. van Oorschot and Julie Thorpe",
  title =        "On predictive models and user-drawn graphical
                 passwords",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "5:1--5:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1284685",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In commonplace text-based password schemes, users
                 typically choose passwords that are easy to recall,
                 exhibit patterns, and are thus vulnerable to
                 brute-force dictionary attacks. This leads us to ask
                 whether other types of passwords (e. g. , graphical)
                 are also vulnerable to dictionary attack because of
                 users tending to choose memorable passwords. We suggest
                 a method to predict and model a number of such classes
                 for systems where passwords are created solely from a
                 user's memory. We hypothesize that these classes define
                 weak password subspaces suitable for an attack
                 dictionary. For user-drawn graphical passwords, we
                 apply this method with cognitive studies on visual
                 recall. These cognitive studies motivate us to define a
                 set of password complexity factors (e. g. , reflective
                 symmetry and stroke count), which define a set of
                 classes. To better understand the size of these classes
                 and, thus, how weak the password subspaces they define
                 might be, we use the ``Draw-A-Secret'' (DAS) graphical
                 password scheme of Jermyn et al. [1999] as an example.
                 We analyze the size of these classes for DAS under
                 convenient parameter choices and show that they can be
                 combined to define apparently popular subspaces that
                 have bit sizes ranging from 31 to 41---a surprisingly
                 small proportion of the full password space (58 bits).
                 Our results quantitatively support suggestions that
                 user-drawn graphical password systems employ measures,
                 such as graphical password rules or guidelines and
                 proactive password checking.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "dictionary attack; Draw-a-Secret; graphical
                 dictionary; Graphical passwords; memorable passwords;
                 modeling user choice; password complexity factors",
}

@Article{Awerbuch:2008:ODS,
  author =       "Baruch Awerbuch and Reza Curtmola and David Holmer and
                 Cristina Nita-Rotaru and Herbert Rubens",
  title =        "{ODSBR}: {An} on-demand secure {Byzantine} resilient
                 routing protocol for wireless ad hoc networks",
  journal =      j-TISSEC,
  volume =       "10",
  number =       "4",
  pages =        "6:1--6:??",
  month =        jan,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1284680.1341892",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:24 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Ah hoc networks offer increased coverage by using
                 multihop communication. This architecture makes
                 services more vulnerable to internal attacks coming
                 from compromised nodes that behave arbitrarily to
                 disrupt the network, also referred to as Byzantine
                 attacks. In this work, we examine the impact of several
                 Byzantine attacks performed by individual or colluding
                 attackers. We propose ODSBR, the first on-demand
                 routing protocol for ad hoc wireless networks that
                 provides resilience to Byzantine attacks caused by
                 individual or colluding nodes. The protocol uses an
                 adaptive probing technique that detects a malicious
                 link after log n faults have occurred, where n is the
                 length of the path. Problematic links are avoided by
                 using a route discovery mechanism that relies on a new
                 metric that captures adversarial behavior. Our protocol
                 never partitions the network and bounds the amount of
                 damage caused by attackers. We demonstrate through
                 simulations ODSBR's effectiveness in mitigating
                 Byzantine attacks. Our analysis of the impact of these
                 attacks versus the adversary's effort gives insights
                 into their relative strengths, their interaction, and
                 their importance when designing multihop wireless
                 routing protocols.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "ad hoc wireless networks; Byzantine failures;
                 on-demand routing; security",
}

@Article{Ray:2008:E,
  author =       "Indrakshi Ray",
  title =        "Editorial",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "1",
  pages =        "1:1--1:??",
  month =        feb,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330295.1330296",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:35 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Lee:2008:TAS,
  author =       "Adam J. Lee and Marianne Winslett and Jim Basney and
                 Von Welch",
  title =        "The {Traust Authorization Service}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "1",
  pages =        "2:1--2:??",
  month =        feb,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330295.1330297",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:35 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In recent years, trust negotiation has been proposed
                 as a novel authorization solution for use in
                 open-system environments, in which resources are shared
                 across organizational boundaries. Researchers have
                 shown that trust negotiation is indeed a viable
                 solution for these environments by developing a number
                 of policy languages and strategies for trust
                 negotiation that have desirable theoretical properties.
                 Further, existing protocols, such as TLS, have been
                 altered to interact with prototype trust negotiation
                 systems, thereby illustrating the utility of trust
                 negotiation. Unfortunately, modifying existing
                 protocols is often a time-consuming and bureaucratic
                 process that can hinder the adoption of this promising
                 technology. \par

                 In this paper, we present Traust, a third-party
                 authorization service that leverages the strengths of
                 existing prototype trust negotiation systems. Traust
                 acts as an authorization broker that issues access
                 tokens for resources in an open system after entities
                 use trust negotiation to satisfy the appropriate
                 resource access policies. The Traust architecture was
                 designed to allow Traust to be integrated either
                 directly with newer trust-aware applications or
                 indirectly with existing legacy applications; this
                 flexibility paves the way for the incremental adoption
                 of trust negotiation technologies without requiring
                 widespread software or protocol upgrades. We discuss
                 the design and implementation of Traust, the
                 communication protocol used by the Traust system, and
                 its performance. We also discuss our experiences using
                 Traust to broker access to legacy resources, our
                 proposal for a Traust-aware version of the GridFTP
                 protocol, and Traust's resilience to attack.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "attribute-based access control; credentials; trust
                 negotiation",
}

@Article{Zhang:2008:TUB,
  author =       "Xinwen Zhang and Masayuki Nakae and Michael J.
                 Covington and Ravi Sandhu",
  title =        "Toward a {Usage-Based Security Framework} for
                 {Collaborative Computing Systems}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "1",
  pages =        "3:1--3:??",
  month =        feb,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330295.1330298",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:35 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Collaborative systems such as Grids provide efficient
                 and scalable access to distributed computing
                 capabilities and enable seamless resource sharing
                 between users and platforms. This heterogeneous
                 distribution of resources and the various modes of
                 collaborations that exist between users, virtual
                 organizations, and resource providers require scalable,
                 flexible, and fine-grained access control to protect
                 both individual and shared computing resources. In this
                 article we propose a usage control (UCON) based
                 security framework for collaborative applications, by
                 following a layered approach with policy, enforcement,
                 and implementation models, called the PEI framework. In
                 the policy model layer, UCON policies are specified
                 with predicates on subject and object attributes, along
                 with system attributes as conditional constraints and
                 user actions as obligations. General attributes include
                 not only persistent attributes such as role and group
                 memberships but also mutable usage attributes of
                 subjects and objects. Conditions in UCON can be used to
                 support context-based authorizations in ad hoc
                 collaborations. In the enforcement model layer, our
                 novel framework uses a hybrid approach for subject
                 attribute acquisition with both push and pull modes. By
                 leveraging attribute propagations between a centralized
                 attribute repository and distributed policy decision
                 points, our architecture supports decision continuity
                 and attribute mutability of the UCON policy model, as
                 well as obligation evaluations during policy
                 enforcement. As a proof-of-concept, we implement a
                 prototype system based on our proposed architecture and
                 conduct experimental studies to demonstrate the
                 feasibility and performance of our approach.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; Authorization; collaborative
                 computing; security architecture; UCON; usage control",
}

@Article{Mazzoleni:2008:XPI,
  author =       "Pietro Mazzoleni and Bruno Crispo and Swaminathan
                 Sivasubramanian and Elisa Bertino",
  title =        "{XACML Policy Integration Algorithms}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "1",
  pages =        "4:1--4:??",
  month =        feb,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330295.1330299",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:35 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "XACML is the OASIS standard language specifically
                 aimed at the specification of authorization policies.
                 While XACML fits well with the security requirements of
                 a single enterprise (even if large and composed by
                 multiple departments), it does not address the
                 requirements of virtual enterprises in which several
                 autonomous subjects collaborate by sharing their
                 resources to provide better services to customers. In
                 this article we highlight such limitation, and we
                 propose an XACML extension, the policy integration
                 algorithms, to address them. In the article we also
                 present the implementation of a system that makes use
                 of the policy integration algorithms to securely
                 replicate information in a P2P-like environment. In our
                 solution, the data replication process considers the
                 policies specified by both the owners of the data
                 shared and the peers sharing data storage.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "content distributed networks; distributed systems;
                 security policies integration; SOA; Web services;
                 XACML",
}

@Article{Lee:2008:CPK,
  author =       "Jooyoung Lee and Douglas R. Stinson",
  title =        "On the Construction of Practical Key Predistribution
                 Schemes for Distributed Sensor Networks Using
                 Combinatorial Designs",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "1:1--1:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330333",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this paper, we discuss the use of combinatorial set
                 systems (combinatorial designs) in the design of key
                 predistribution schemes (KPSs) for sensor networks. We
                 show that the performance of a KPS can be improved by
                 carefully choosing a certain class of set systems as
                 ``key ring spaces''. Especially, we analyze KPSs based
                 on a type of combinatorial design known as a
                 {$<$}it{$>$}transversal design{$<$}/it{$>$}. We employ
                 two types of transversal designs, which are represented
                 by the set of all linear polynomials and the set of
                 quadratic polynomials (over some finite field),
                 respectively. These KPSs turn out to have significant
                 efficiency in a shared-key discovery phase without
                 degrading connectivity and resiliency.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "key predistribution; security; wireless sensor
                 networks",
}

@Article{Mano:2008:RRI,
  author =       "Chad D. Mano and Andrew Blaich and Qi Liao and Yingxin
                 Jiang and David A. Cieslak and David C. Salyers and
                 Aaron Striegel",
  title =        "{RIPPS}: {Rogue Identifying Packet Payload Slicer
                 Detecting Unauthorized Wireless Hosts Through Network
                 Traffic Conditioning}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "2:1--2:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330334",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Wireless network access has become an integral part of
                 computing both at home and at the workplace. The
                 convenience of wireless network access at work may be
                 extremely beneficial to employees, but can be a burden
                 to network security personnel. This burden is magnified
                 by the threat of inexpensive wireless access points
                 being installed in a network without the knowledge of
                 network administrators. These devices, termed
                 {$<$}it{$>$}Rogue Wireless Access Points{$<$}/it{$>$},
                 may allow a malicious outsider to access valuable
                 network resources, including confidential communication
                 and other stored data. For this reason, wireless
                 connectivity detection is an essential capability, but
                 remains a difficult problem. We present a method of
                 detecting wireless hosts using a local RTT metric and a
                 novel packet payload slicing technique. The local RTT
                 metric provides the means to identify physical
                 transmission media while packet payload slicing
                 conditions network traffic to enhance the accuracy of
                 the detections. Most importantly, the packet payload
                 slicing method is transparent to both clients and
                 servers and does not require direct communication
                 between the monitoring system and monitored hosts.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "network security; rogue systems; traffic
                 conditioning",
}

@Article{Wright:2008:PLA,
  author =       "Matthew K. Wright and Micah Adler and Brian Neil
                 Levine and Clay Shields",
  title =        "Passive-Logging {Attacks Against Anonymous
                 Communications Systems}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "3:1--3:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330335",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Using analysis, simulation, and experimentation, we
                 examine the threat against anonymous communications
                 posed by passive-logging attacks. In previous work, we
                 analyzed the success of such attacks under various
                 assumptions. Here, we evaluate the effects of these
                 assumptions more closely. First, we analyze the Onion
                 Routing-based model used in prior work in which a fixed
                 set of nodes remains in the system indefinitely. We
                 show that for this model, by removing the assumption of
                 uniformly random selection of nodes for placement in
                 the path, initiators can greatly improve their
                 anonymity. Second, we show by simulation that attack
                 times are significantly lower in practice than bounds
                 given by analytical results from prior work. Third, we
                 analyze the effects of a dynamic membership model, in
                 which nodes are allowed to join and leave the system;
                 we show that all known defenses fail more quickly when
                 the assumption of a static node set is relaxed. Fourth,
                 intersection attacks against peer-to-peer systems are
                 shown to be an additional danger, either on their own
                 or in conjunction with the predecessor attack. Finally,
                 we address the question of whether the regular
                 communication patterns required by the attacks exist in
                 real traffic. We collected and analyzed the Web
                 requests of users to determine the extent to which
                 basic patterns can be found. We show that, for our
                 study, frequent and repeated communication to the same
                 Web site is common.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "anonymity; anonymous communication; intersection
                 attack; predecessor attack; privacy",
}

@Article{Cheon:2008:PST,
  author =       "Jung Hee Cheon and Nicholas Hopper and Yongdae Kim and
                 Ivan Osipkov",
  title =        "Provably {Secure Timed-Release Public Key
                 Encryption}",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "4:1--4:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330336",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A timed-release cryptosystem allows a sender to
                 encrypt a message so that only the intended recipient
                 can read it only after a specified time. We formalize
                 the concept of a secure timed-release public-key
                 cryptosystem and show that, if a third party is relied
                 upon to guarantee decryption after the specified date,
                 this concept is equivalent to identity-based
                 encryption; this explains the observation that all
                 known constructions use identity-based encryption to
                 achieve timed-release security. We then give several
                 provably-secure constructions of timed-release
                 encryption: a generic scheme based on any
                 identity-based encryption scheme, and two more
                 efficient schemes based on the existence of
                 cryptographically admissible bilinear mappings. The
                 first of these is essentially as efficient as the
                 Boneh--Franklin Identity-Based encryption scheme, and
                 is provably secure and authenticated in the random
                 oracle model; the final scheme is not authenticated but
                 is provably secure in the standard model (i. e. ,
                 without random oracles).",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "authenticated encryption; key-insulated encryption;
                 timed-release",
}

@Article{Pang:2008:VCR,
  author =       "Hweehwa Pang and Kian-Lee Tan",
  title =        "Verifying Completeness of Relational Query Answers
                 from Online Servers",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "5:1--5:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330337",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The number of successful attacks on the Internet shows
                 that it is very difficult to guarantee the security of
                 online servers over extended periods of time. A
                 breached server that is not detected in time may return
                 incorrect query answers to users. In this article, we
                 introduce authentication schemes for users to verify
                 that their query answers from an online server are
                 complete (i. e. , no qualifying tuples are omitted) and
                 authentic (i. e. , all the result values are
                 legitimate). We introduce a scheme that supports range
                 selection, projection as well as primary key-foreign
                 key join queries on relational databases. We also
                 present authentication schemes for single- and
                 multi-attribute range aggregate queries. The schemes
                 complement access control mechanisms that rewrite
                 queries dynamically, and are computationally secure. We
                 have implemented the proposed schemes, and experiment
                 results showed that they are practical and feasible
                 schemes with low overheads.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "query answer verification; secure database systems",
}

@Article{Brandt:2008:EUP,
  author =       "Felix Brandt and Tuomas Sandholm",
  title =        "On the Existence of Unconditionally Privacy-Preserving
                 Auction Protocols",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "2",
  pages =        "6:1--6:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1330332.1330338",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:41 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We investigate whether it is possible to preserve
                 privacy in sealed-bid auctions to a maximal extent. In
                 particular, this paper focuses on
                 {$<$}it{$>$}unconditional full privacy{$<$}/it{$>$}, i.
                 e. , privacy that relies neither on trusted third
                 parties (like auctioneers), nor on computational
                 intractability assumptions (like the hardness of
                 factoring). These constraints imply a scenario in which
                 bidders exchange messages according to some predefined
                 protocol in order to jointly determine the auction
                 outcome without revealing any additional information.
                 It turns out that the first-price sealed-bid auction
                 can be emulated by an unconditionally fully private
                 protocol. However, the protocol's round complexity is
                 exponential in the bid size, and there is no more
                 efficient protocol. On the other hand, we prove the
                 impossibility of privately emulating the second-price
                 sealed-bid auction for more than two bidders. This
                 impossibility holds even when relaxing various privacy
                 constraints such as allowing the revelation of all but
                 one losing bid (while maintaining anonymity) or
                 allowing the revelation of the second highest bidder's
                 identity.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "auctions; multiparty computation",
}

@Article{Tsudik:2008:E,
  author =       "Gene Tsudik",
  title =        "Editorial",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "11:1--11:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341732",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhang:2008:FIC,
  author =       "Qing Zhang and Ting Yu and Peng Ning",
  title =        "A Framework for Identifying Compromised Nodes in
                 Wireless Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "12:1--12:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341733",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Sensor networks are often subject to physical attacks.
                 Once a node's cryptographic key is compromised, an
                 attacker may completely impersonate it and introduce
                 arbitrary false information into the network. Basic
                 cryptographic mechanisms are often not effective in
                 this situation. Most techniques to address this problem
                 focus on detecting and tolerating false information
                 introduced by compromised nodes. They cannot pinpoint
                 exactly where the false information is introduced and
                 who is responsible for it. \par

                 In this article, we propose an application-independent
                 framework for accurately identifying compromised sensor
                 nodes. The framework provides an appropriate
                 abstraction of application-specific detection
                 mechanisms and models the unique properties of sensor
                 networks. Based on the framework, we develop alert
                 reasoning algorithms to identify compromised nodes. The
                 algorithm assumes that compromised nodes may collude at
                 will. We show that our algorithm is optimal in the
                 sense that it identifies the largest number of
                 compromised nodes without introducing false positives.
                 We evaluate the effectiveness of the designed algorithm
                 through comprehensive experiments.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "intrusion detection; sensor networks",
}

@Article{DiPietro:2008:RSN,
  author =       "Roberto {Di Pietro} and Luigi V. Mancini and
                 Alessandro Mei and Alessandro Panconesi and Jaikumar
                 Radhakrishnan",
  title =        "Redoubtable Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "13:1--13:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341734",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We give, for the first time, a precise mathematical
                 analysis of the connectivity and security properties of
                 sensor networks that make use of the random
                 predistribution of keys. We also show how to set the
                 parameters---pool and key ring size---in such a way
                 that the network is not only connected with high
                 probability via secure links but also provably
                 resilient, in the following sense: We formally show
                 that any adversary that captures sensors at random with
                 the aim of compromising a constant fraction of the
                 secure links must capture at least a constant fraction
                 of the nodes of the network. In the context of wireless
                 sensor networks where random predistribution of keys is
                 employed, we are the first to provide a mathematically
                 precise proof, with a clear indication of parameter
                 choice, that two crucial properties---connectivity via
                 secure links and resilience against malicious
                 attacks---can be obtained simultaneously. We also show
                 in a mathematically rigorous way that the network
                 enjoys another strong security property. The adversary
                 cannot partition the network into two linear size
                 components, compromising all the links between them,
                 unless it captures linearly many nodes. This implies
                 that the network is also fault tolerant with respect to
                 node failures. Our theoretical results are complemented
                 by extensive simulations that reinforce our main
                 conclusions.",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "connectivity; probabilistic key sharing; random
                 graphs; Wireless sensor network",
}

@Article{Chang:2008:DAP,
  author =       "Katharine Chang and Kang G. Shin",
  title =        "Distributed Authentication of Program Integrity
                 Verification in Wireless Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "14:1--14:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341735",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Security in wireless sensor networks has become
                 important as they are being developed and deployed for
                 an increasing number of applications. The severe
                 resource constraints in each sensor make it very
                 challenging to secure sensor networks. Moreover,
                 sensors are usually deployed in hostile and unattended
                 environments and hence are susceptible to various
                 attacks, including node capture, physical tampering,
                 and manipulation of the sensor program. Park and Shin
                 [2005] proposed a soft tamper-proofing scheme that
                 verifies the integrity of the program in each sensor
                 device, called the program integrity verification
                 (PIV), in which sensors authenticate PIV servers
                 (PIVSs) using centralized and trusted third-party
                 entities, such as authentication servers (ASs). This
                 article presents a distributed authentication protocol
                 of PIVSs (DAPP) without requiring the commonly used
                 ASs. DAPP uses the Blundo scheme [Blundo et al. 1992]
                 for sensors and PIVSs to establish pairwise keys and
                 for PIVSs to authenticate one another. We also present
                 a protocol for PIVSs to cooperatively detect and revoke
                 malicious PIVSs in the network. We implement and
                 evaluate both DAPP and PIV on Mica2 Motes and laptops,
                 showing that DAPP reduces the sensors' communication
                 traffic in the network by more than 90\% and the energy
                 consumption on each sensor by up to 85\%, as compared
                 to the case of using a centralized AS for
                 authenticating PIVSs. We also analyze the security of
                 DAPP under various attack models, demonstrating its
                 capability in dealing with diverse types of attacks.",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "distributed authentication; node revocation; program
                 integrity verification; wireless sensor networks",
}

@Article{Xie:2008:MDA,
  author =       "Liang Xie and Sencun Zhu",
  title =        "Message Dropping Attacks in Overlay Networks: Attack
                 Detection and Attacker Identification",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "15:1--15:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341736",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Overlay multicast networks are used by service
                 providers to distribute contents such as Web pages,
                 static and streaming multimedia data, or security
                 updates to a large number of users. However, such
                 networks are extremely vulnerable to message-dropping
                 attacks by malicious or selfish nodes that
                 intentionally drop the packets they are required to
                 forward to others. It is difficult to detect such
                 attacks both efficiently and effectively and to further
                 identify the attackers, especially when members in the
                 overlay switch between online/offline statuses
                 frequently. In this article, we consider various
                 attacking strategies of an attacker and propose an
                 optimal sampling-based scheme to detect such attacks in
                 the overlay network. We analyze the detection problem
                 from a game-theoretical viewpoint and show that our
                 scheme outperforms a random sampling-based scheme in
                 terms of detection rate. In addition, based on a
                 reputation system, we propose a sampling-based
                 path-resolving scheme to identify compromised or
                 selfish nodes. Unlike other existing approaches, our
                 schemes do not assume global knowledge of the overlay
                 hierarchy and work for dynamic overlay networks as
                 well. Extensive analysis and simulation results show
                 that besides being band width efficient, our schemes
                 have high detection and identification rates and low
                 false-positive rates.",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "attack detection; attacker identification; message
                 dropping attacks; Overlay networks",
}

@Article{Traynor:2008:NMH,
  author =       "Patrick Traynor and Michael Chien and Scott Weaver and
                 Boniface Hicks and Patrick McDaniel",
  title =        "Noninvasive Methods for Host Certification",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "3",
  pages =        "16:1--16:??",
  month =        mar,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1341731.1341737",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 12 17:52:50 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Determining whether a user or system is exercising
                 appropriate security practices is difficult in any
                 context. Such difficulties are particularly pronounced
                 when uncontrolled or unknown platforms join public
                 networks. Commonly practiced techniques used to vet
                 these hosts, such as system scans, have the potential
                 to infringe on the privacy of users. In this article,
                 we show that it is possible for clients to prove both
                 the presence and proper functioning of security
                 infrastructure without allowing unrestricted access to
                 their system. We demonstrate this approach,
                 specifically applied to antivirus security, by
                 requiring clients seeking admission to a network to
                 positively identify the presence or absence of malcode
                 in a series of puzzles. The implementation of this
                 mechanism and its application to real networks are also
                 explored. In so doing, we demonstrate that it is not
                 necessary for an administrator to be invasive to
                 determine whether a client implements required security
                 practices.",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "assurance; certification; malware; network security",
}

@Article{Avoine:2008:CIT,
  author =       "Gildas Avoine and Pascal Junod and Philippe
                 Oechslin",
  title =        "Characterization and Improvement of Time-Memory
                 Trade-Off Based on Perfect Tables",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "17:1--17:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380565",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Cryptanalytic time-memory trade-offs have been studied
                 for 25 years and have benefited from several
                 improvements since the original work of Hellman. The
                 ensuing variants definitely improve the original
                 trade-off but their real impact has never been
                 evaluated in practice. We fill this lack by analyzing
                 the {\em perfect\/} form of classic tables,
                 distinguished point-based tables, and rainbow tables.
                 We especially provide a thorough analysis of the latter
                 variant, whose performances have never been formally
                 calculated yet. Our analysis leads to the concept of a
                 {\em characteristic\/} that enables to measure the
                 intrinsic quality of a trade-off. We finally introduce
                 a new technique based on {\em checkpoints\/} that still
                 reduces the cryptanalysis time by ruling out false
                 alarms probabilistically. Our analysis yields the exact
                 gain of this approach and establishes its efficiency
                 when applied on rainbow tables.",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "cryptography; Hellman's time-memory trade-off;
                 password cracking; rainbow tables",
}

@Article{Yang:2008:SSH,
  author =       "Yi Yang and Xinran Wang and Sencun Zhu and Guohong
                 Cao",
  title =        "{SDAP}: a Secure Hop-by-Hop Data Aggregation Protocol
                 for Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "18:1--18:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380568",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Hop-by-hop data aggregation is a very important
                 technique for reducing the communication overhead and
                 energy expenditure of sensor nodes during the process
                 of data collection in a sensor network. However,
                 because individual sensor readings are lost in the
                 per-hop aggregation process, compromised nodes in the
                 network may forge false values as the aggregation
                 results of other nodes, tricking the base station into
                 accepting spurious aggregation results. Here a
                 fundamental challenge is how can the base station
                 obtain a good approximation of the fusion result when a
                 fraction of sensor nodes are compromised?\par

                 To answer this challenge, we propose SDAP, a Secure
                 Hop-by-hop Data Aggregation Protocol for sensor
                 networks. SDAP is a general-purpose secure data
                 aggregation protocol applicable to multiple aggregation
                 functions. The design of SDAP is based on the
                 principles of {\em divide-and-conquer\/} and {\em
                 commit-and-attest}. First, SDAP uses a novel
                 probabilistic grouping technique to dynamically
                 partition the nodes in a tree topology into multiple
                 logical groups (subtrees) of similar sizes. A
                 commitment-based hop-by-hop aggregation is performed in
                 each group to generate a group aggregate. The base
                 station then identifies the suspicious groups based on
                 the set of group aggregates. Finally, each group under
                 suspect participates in an attestation process to prove
                 the correctness of its group aggregate. The aggregate
                 by the base station is calculated over all the group
                 aggregates that are either normal or have passed the
                 attestation procedure. Extensive analysis and
                 simulations show that SDAP can achieve the level of
                 efficiency close to an ordinary hop-by-hop aggregation
                 protocol while providing high assurance on the
                 trustworthiness of the aggregation result. Last,
                 prototype implementation on top of TinyOS shows that
                 our scheme is practical on current generation sensor
                 nodes such as Mica2 motes.",
  acknowledgement = ack-nhfb,
  articleno =    "18",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "commit-and-attest; data aggregation; hop-by-hop;
                 probabilistic grouping; sensor network security",
}

@Article{Radosavac:2008:AFM,
  author =       "Svetlana Radosavac and George Moustakides and John S.
                 Baras and Iordanis Koutsopoulos",
  title =        "An Analytic Framework for Modeling and Detecting
                 Access Layer Misbehavior in Wireless Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "19:1--19:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380567",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The widespread deployment of wireless networks and hot
                 spots that employ the IEEE 802.11 technology has forced
                 network designers to put emphasis on the importance of
                 ensuring efficient and fair use of network resources.
                 In this work we propose a novel framework for detection
                 of intelligent adaptive adversaries in the IEEE 802.11
                 MAC by addressing the problem of detection of the
                 worst-case scenario attacks. Utilizing the nature of
                 this protocol we employ sequential detection methods
                 for detecting greedy behavior and illustrate their
                 performance for detection of least favorable attacks.
                 By using robust statistics in our problem formulation,
                 we attempt to utilize the precision given by parametric
                 tests, while avoiding the specification of the
                 adversarial distribution. This approach establishes the
                 lowest performance bound of a given Intrusion Detection
                 System (IDS) in terms of detection delay and is
                 applicable in online detection systems where users who
                 pay for their services want to obtain the information
                 about the best and the worst case scenarios and
                 performance bounds of the system. This framework is
                 meaningful for studying misbehavior due to the fact
                 that it does not focus on specific adversarial
                 strategies and therefore is applicable to a wide class
                 of adversarial strategies.",
  acknowledgement = ack-nhfb,
  articleno =    "19",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "MAC layer; min-max robust detection; protocol
                 misbehavior; wireless networks",
}

@Article{Ryu:2008:EID,
  author =       "Young U. Ryu and Hyeun-Suk Rhee",
  title =        "Evaluation of Intrusion Detection Systems Under a
                 Resource Constraint",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "20:1--20:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380566",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "An intrusion detection system plays an important role
                 in a firm's overall security protection. Its main
                 purpose is to identify potentially intrusive events and
                 alert the security personnel to the danger. A typical
                 intrusion detection system, however, is known to be
                 imperfect in detection of intrusive events, resulting
                 in high false-alarm rates. Nevertheless, current
                 intrusion detection models unreasonably assume that
                 upon alerts raised by a system, an information security
                 officer responds to all alarms without any delay and
                 avoids damages of hostile activities. This assumption
                 of responding to all alarms with no time lag is often
                 impracticable. As a result, the benefit of an intrusion
                 detection system can be overestimated by current
                 intrusion detection models. In this article, we extend
                 previous models by including an information security
                 officer's alarm inspection under a constraint as a part
                 of the process in determining the optimal intrusion
                 detection policy. Given a potentially hostile
                 environment for a firm, in which the intrusion rates
                 and costs associated with intrusion and security
                 officers' inspection can be estimated, we outline a
                 framework to establish the optimal operating points for
                 intrusion detection systems under security officers'
                 inspection constraint. The optimal solution to the
                 model will provide not only a basis of better
                 evaluation of intrusion detection systems but also
                 useful insights into operations of intrusion detection
                 systems. The firm can estimate expected benefits for
                 running intrusion detection systems and establish a
                 basis for increase in security personnel to relax
                 security officers' inspection constraint.",
  acknowledgement = ack-nhfb,
  articleno =    "20",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "computer security; intrusion detection; optimal
                 inspection rates; optimal operating points",
}

@Article{Halpern:2008:UFO,
  author =       "Joseph Y. Halpern and Vicky Weissman",
  title =        "Using First-Order Logic to Reason about Policies",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "21:1--21:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380569",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A policy describes the conditions under which an
                 action is permitted or forbidden. We show that a
                 fragment of (multi-sorted) first-order logic can be
                 used to represent and reason about policies. Because we
                 use first-order logic, policies have a clear syntax and
                 semantics. We show that further restricting the
                 fragment results in a language that is still quite
                 expressive yet is also tractable. More precisely,
                 questions about entailment, such as ``May Alice access
                 the file?'', can be answered in time that is a
                 low-order polynomial (indeed, almost linear in some
                 cases), as can questions about the consistency of
                 policy sets.",
  acknowledgement = ack-nhfb,
  articleno =    "21",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "digital rights management",
}

@Article{Liu:2008:ARL,
  author =       "Donggang Liu and Peng Ning and An Liu and Cliff Wang
                 and Wenliang Kevin Du",
  title =        "Attack-Resistant Location Estimation in Wireless
                 Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "22:1--22:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380570",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Many sensor network applications require sensors'
                 locations to function correctly. Despite the recent
                 advances, location discovery for sensor networks in
                 {\em hostile environments\/} has been mostly
                 overlooked. Most of the existing localization protocols
                 for sensor networks are vulnerable in hostile
                 environments. The security of location discovery can
                 certainly be enhanced by authentication. However, the
                 possible node compromises and the fact that location
                 determination uses certain physical features (e.g.,
                 received signal strength) of radio signals make
                 authentication not as effective as in traditional
                 security applications. This article presents two
                 methods to tolerate malicious attacks against
                 range-based location discovery in sensor networks. The
                 first method filters out malicious beacon signals on
                 the basis of the ``consistency'' among multiple beacon
                 signals, while the second method tolerates malicious
                 beacon signals by adopting an iteratively refined
                 voting scheme. Both methods can survive malicious
                 attacks even if the attacks bypass authentication,
                 provided that the benign beacon signals constitute the
                 majority of the beacon signals. This article also
                 presents the implementation and experimental evaluation
                 (through both field experiments and simulation) of all
                 the secure and resilient location estimation schemes
                 that can be used on the current generation of sensor
                 platforms (e.g., MICA series of motes), including the
                 techniques proposed in this article, in a network of
                 MICAz motes. The experimental results demonstrate the
                 effectiveness of the proposed methods, and also give
                 the secure and resilient location estimation scheme
                 most suitable for the current generation of sensor
                 networks.",
  acknowledgement = ack-nhfb,
  articleno =    "22",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "localization; security; sensor networks",
}

@Article{Ganeriwal:2008:STS,
  author =       "Saurabh Ganeriwal and Christina P{\"o}pper and Srdjan
                 {\v{C}}apkun and Mani B. Srivastava",
  title =        "Secure Time Synchronization in Sensor Networks",
  journal =      j-TISSEC,
  volume =       "11",
  number =       "4",
  pages =        "23:1--23:??",
  month =        jul,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1380564.1380571",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Aug 5 19:37:22 MDT 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Time synchronization is critical in sensor networks at
                 many layers of their design. It enables better
                 duty-cycling of the radio, accurate and secure
                 localization, beamforming, and other collaborative
                 signal processing tasks. These benefits make
                 time-synchronization protocols a prime target of
                 malicious adversaries who want to disrupt the normal
                 operation of a sensor network. In this article, we
                 analyze attacks on existing time synchronization
                 protocols for wireless sensor networks and we propose a
                 secure time synchronization toolbox to counter these
                 attacks. This toolbox includes protocols for secure
                 pairwise and group synchronization of nodes that either
                 lie in the neighborhood of each other or are separated
                 by multiple hops. We provide an in-depth analysis of
                 the security and the energy overhead of the proposed
                 protocols. The efficiency of these protocols has been
                 tested through an experimental study on Mica2 motes.",
  acknowledgement = ack-nhfb,
  articleno =    "23",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "delay; message authentication code; sensor networks;
                 time synchronization",
}

@Article{Barker:2008:SBA,
  author =       "Steve Barker and Marek J. Sergot and Duminda
                 Wijesekera",
  title =        "Status-Based Access Control",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "1:1--1:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410235",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Despite their widespread adoption, Role-based Access
                 Control (RBAC) models exhibit certain shortcomings that
                 make them less than ideal for deployment in, for
                 example, distributed access control. In the distributed
                 case, standard RBAC assumptions (e.g., of relatively
                 static access policies, managed by human users, with
                 complete information available about users and job
                 functions) do not necessarily apply. Moreover, RBAC is
                 restricted in the sense that it is based on one type of
                 ascribed status, an assignment of a user to a role. In
                 this article, we introduce the status-based access
                 control (SBAC) model for distributed access control.
                 The SBAC model (or family of models) is based on the
                 notion of users having an action status as well as an
                 ascribed status. A user's action status is established,
                 in part, from a history of events that relate to the
                 user; this history enables changing access policy
                 requirements to be naturally accommodated. The approach
                 can be implemented as an autonomous agent that reasons
                 about the events, actions, and a history (of events and
                 actions), which relates to a requester for access to
                 resources, in order to decide whether the requester is
                 permitted the access sought. We define a number of
                 algebras for composing SBAC policies, algebras that
                 exploit the language that we introduce for SBAC policy
                 representation: identification-based logic programs.
                 The SBAC model is richer than RBAC models and the
                 policies that can be represented in our approach are
                 more expressive than the policies admitted by a number
                 of monotonic languages that have been hitherto
                 described for representing distributed access control
                 requirements. Our algebras generalize existing algebras
                 that have been defined for access policy composition.
                 We also describe an approach for the efficient
                 implementation of SBAC policies.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "algebras; distributed security; logic; status-based
                 access control",
}

@Article{Xu:2008:DSB,
  author =       "Shouhuai Xu and Srdjan {\v{C}}apkun",
  title =        "Distributed and Secure Bootstrapping of Mobile Ad Hoc
                 Networks: Framework and Constructions",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "2:1--2:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410236",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Secure bootstrapping of mobile ad hoc networks
                 (MANETs) is a challenging problem in scenarios in which
                 network users (or nodes) do not share trust
                 relationships prior to the network deployment. In
                 recent years, a number of schemes have been proposed to
                 solve this problem, assuming either no or limited trust
                 between the nodes prior to their deployment. Despite
                 numerous proposals, there is no common understanding of
                 the proposed schemes and of the trade-offs that they
                 provide. This has consequences for both researchers and
                 practitioners, who do not have a clear idea how to
                 compare the schemes and how to select a scheme for a
                 given application. In this article, we present a
                 framework that helps in understanding and comparing
                 schemes for secure bootstrapping of MANETs. The
                 framework is general because it is policy-neutral and
                 can accommodate many existing bootstrapping schemes.
                 The proposed framework can equally serve as a good
                 basis for the development of new MANET bootstrapping
                 schemes; we show how the development of the framework
                 leads to two new (classes of) distributed bootstrapping
                 schemes. Within the framework, we not only investigate
                 and characterize the properties of the relevant
                 bootstrapping schemes, but also give methods for
                 practitioners to select the relevant system parameters
                 in the Random Walk and the (Restricted) Random Waypoint
                 mobility models.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "MANETs; secure communication; security bootstrapping",
}

@Article{Boldyreva:2008:NMS,
  author =       "Alexandra Boldyreva and Craig Gentry and Adam O'Neill
                 and Dae Hyun Yum",
  title =        "New Multiparty Signature Schemes for Network Routing
                 Applications",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "3:1--3:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410237",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We construct two new multiparty digital signature
                 schemes that allow multiple signers to sequentially and
                 non-interactively produce a compact, fixed-length
                 signature. First, we introduce a new primitive that we
                 call {\em ordered multisignature\/} (OMS) scheme, which
                 allows signers to attest to a common message as well as
                 the order in which they signed. Our OMS construction
                 substantially improves computational efficiency and
                 scalability over any existing scheme with suitable
                 functionality. Second, we design a new identity-based
                 sequential aggregate signature scheme, where signers
                 can attest to different messages and signature
                 verification does not require knowledge of traditional
                 public keys. The latter property permits savings on
                 bandwidth and storage as compared to public-key
                 solutions. In contrast to the only prior scheme to
                 provide this functionality, ours offers improved
                 security that does not rely on synchronized clocks or a
                 trusted first signer. We provide formal security
                 definitions and support the proposed schemes with
                 security proofs under appropriate computational
                 assumptions. We focus on applications of our schemes to
                 secure network routing, but we believe that they will
                 find other applications as well.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "aggregate signatures; digital signatures;
                 identity-based signatures; multisignatures; network
                 security; pairings",
}

@Article{Wang:2008:GBA,
  author =       "Wei Wang and Thomas E. Daniels",
  title =        "A Graph Based Approach Toward Network Forensics
                 Analysis",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "4:1--4:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410238",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this article we develop a novel graph-based
                 approach toward network forensics analysis. Central to
                 our approach is the evidence graph model that
                 facilitates evidence presentation and automated
                 reasoning. Based on the evidence graph, we propose a
                 hierarchical reasoning framework that consists of two
                 levels. Local reasoning aims to infer the functional
                 states of network entities from local observations.
                 Global reasoning aims to identify important entities
                 from the graph structure and extract groups of densely
                 correlated participants in the attack scenario. This
                 article also presents a framework for interactive
                 hypothesis testing, which helps to identify the
                 attacker's nonexplicit attack activities from secondary
                 evidence. We developed a prototype system that
                 implements the techniques discussed. Experimental
                 results on various attack datasets demonstrate that our
                 analysis mechanism achieves good coverage and accuracy
                 in attack group and scenario extraction with less
                 dependence on hard-coded expert knowledge.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "evidence graph; hierarchical reasoning; network
                 forensics",
}

@Article{Halpern:2008:SMS,
  author =       "Joseph Y. Halpern and Kevin R. O'Neill",
  title =        "Secrecy in Multiagent Systems",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "5:1--5:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410239",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce a general framework for reasoning about
                 secrecy requirements in multiagent systems. Our
                 definitions extend earlier definitions of secrecy and
                 nondeducibility given by Shannon and Sutherland.
                 Roughly speaking, one agent maintains secrecy with
                 respect to another if the second agent cannot rule out
                 any possibilities for the behavior or state of the
                 first agent. We show that the framework can handle
                 probability and nondeterminism in a clean way, is
                 useful for reasoning about asynchronous systems as well
                 as synchronous systems, and suggests generalizations of
                 secrecy that may be useful for dealing with issues such
                 as resource-bounded reasoning. We also show that a
                 number of well-known attempts to characterize the
                 absence of information flow are special cases of our
                 definitions of secrecy.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "information flow; secrecy",
}

@Article{Yao:2008:PIR,
  author =       "Danfeng Yao and Keith B. Frikken and Mikhail J.
                 Atallah and Roberto Tamassia",
  title =        "Private Information: To Reveal or not to Reveal",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "1",
  pages =        "6:1--6:??",
  month =        oct,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1410234.1410240",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Nov 11 15:54:06 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This article studies the notion of quantitative
                 policies for trust management and gives protocols for
                 realizing them in a disclosure-minimizing fashion.
                 Specifically, Bob values each credential with a certain
                 number of points, and requires a minimum total
                 threshold of points before granting Alice access to a
                 resource. In turn, Alice values each of her credentials
                 with a privacy score that indicates her degree of
                 reluctance to reveal that credential. Bob's valuation
                 of credentials and his threshold are private. Alice's
                 privacy-valuation of her credentials is also private.
                 Alice wants to find a subset of her credentials that
                 achieves Bob's required threshold for access, yet is of
                 as small a value to her as possible. We give protocols
                 for computing such a subset of Alice's credentials
                 without revealing any of the two parties'
                 above-mentioned private information. Furthermore, we
                 develop a fingerprint method that allows Alice to
                 independently and easily recover the optimal knapsack
                 solution, once the computed optimal value is given, but
                 also enables verification of the integrity of the
                 optimal value. The fingerprint method is useful beyond
                 the specific authorization problem studied, and can be
                 applied to any integer knapsack dynamic programming in
                 a private setting.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "authorization; policies; secure multi-party
                 computation",
}

@Article{Wright:2008:GES,
  author =       "Rebecca N. Wright and {Sabrina De Capitanidi
                 Vimercati}",
  title =        "Guest Editorial: Special Issue on Computer and
                 Communications Security",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "7:1--7:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455518.1455519",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Lee:2008:ESC,
  author =       "Adam J. Lee and Marianne Winslett",
  title =        "Enforcing Safety and Consistency Constraints in
                 Policy-Based Authorization Systems",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "8:1--8:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455518.1455520",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In trust negotiation and other forms of distributed
                 proving, networked entities cooperate to form proofs of
                 authorization that are justified by collections of
                 certified attribute credentials. These attributes may
                 be obtained through interactions with any number of
                 external entities and are collected and validated over
                 an extended period of time. Although these collections
                 of credentials in some ways resemble partial system
                 snapshots, current trust negotiation and distributed
                 proving systems lack the notion of a consistent global
                 state in which the satisfaction of authorization
                 policies should be checked. In this article, we argue
                 that unlike the notions of consistency studied in other
                 areas of distributed computing, the level of
                 consistency required during policy evaluation is
                 predicated solely upon the security requirements of the
                 policy evaluator. As such, there is little incentive
                 for entities to participate in complicated consistency
                 preservation schemes like those used in distributed
                 computing, distributed databases, and distributed
                 shared memory. We go on to show that the most intuitive
                 notion of consistency fails to provide basic safety
                 guarantees under certain circumstances and then propose
                 several more refined notions of consistency that
                 provide stronger safety guarantees. We provide
                 algorithms that allow each of these refined notions of
                 consistency to be attained in practice with minimal
                 overheads and formally prove several security and
                 privacy properties of these algorithms. Lastly, we
                 explore the notion of strategic design trade-offs in
                 the consistency enforcement algorithm space and propose
                 several modifications to the core algorithms presented
                 in this article. These modifications enhance the
                 privacy-preservation or completeness properties of
                 these algorithms without altering the consistency
                 constraints that they enforce.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "consistency; credentials; distributed proving; trust
                 negotiation",
}

@Article{Golle:2008:DCS,
  author =       "Philippe Golle and Frank McSherry and Ilya Mironov",
  title =        "Data Collection with Self-Enforcing Privacy",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "9:1--9:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1455518.1455521.",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Consider a pollster who wishes to collect private,
                 sensitive data from a number of distrustful
                 individuals. How might the pollster convince the
                 respondents that it is trustworthy? Alternately, what
                 mechanism could the respondents insist upon to ensure
                 that mismanagement of their data is detectable and
                 publicly demonstrable?\par

                 We detail this problem, and provide simple data
                 submission protocols with the properties that (a)
                 leakage of private data by the pollster results in
                 evidence of the transgression and (b) the evidence
                 cannot be fabricated without breaking cryptographic
                 assumptions. With such guarantees, a responsible
                 pollster could post a ``privacy-bond,'' forfeited to
                 anyone who can provide evidence of leakage. The
                 respondents are assured that appropriate penalties are
                 applied to a leaky pollster, while the protection from
                 spurious indictment ensures that any honest pollster
                 has no disincentive to participate in such a scheme.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "data collection; privacy",
}

@Article{Cadar:2008:EAG,
  author =       "Cristian Cadar and Vijay Ganesh and Peter M. Pawlowski
                 and David L. Dill and Dawson R. Engler",
  title =        "{EXE}: Automatically Generating Inputs of Death",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "10:1--10:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455518.1455522",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This article presents EXE, an effective bug-finding
                 tool that automatically generates inputs that crash
                 real code. Instead of running code on manually or
                 randomly constructed input, EXE runs it on symbolic
                 input initially allowed to be anything. As checked code
                 runs, EXE tracks the constraints on each symbolic
                 (i.e., input-derived) memory location. If a statement
                 uses a symbolic value, EXE does not run it, but instead
                 adds it as an input-constraint; all other statements
                 run as usual. If code conditionally checks a symbolic
                 expression, EXE forks execution, constraining the
                 expression to be true on the true branch and false on
                 the other. Because EXE reasons about all possible
                 values on a path, it has much more power than a
                 traditional runtime tool: (1) it can force execution
                 down any feasible program path and (2) at dangerous
                 operations (e.g., a pointer dereference), it detects if
                 the current path constraints allow {\em any\/} value
                 that causes a bug. When a path terminates or hits a
                 bug, EXE automatically generates a test case by solving
                 the current path constraints to find concrete values
                 using its own co-designed constraint solver, STP.
                 Because EXE's constraints have no approximations,
                 feeding this concrete input to an uninstrumented
                 version of the checked code will cause it to follow the
                 same path and hit the same bug (assuming deterministic
                 code).\par

                 EXE works well on real code, finding bugs along with
                 inputs that trigger them in: the BSD and Linux packet
                 filter implementations, the dhcpd DHCP server, the pcre
                 regular expression library, and three Linux file
                 systems.",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "attack generation; bug finding; constraint solving;
                 dynamic analysis; symbolic execution; test case
                 generation",
}

@Article{Wang:2008:FBB,
  author =       "Xiaofeng Wang and Zhuowei Li and Jong Youl Choi and
                 Jun Xu and Michael K. Reiter and Chongkyung Kil",
  title =        "Fast and Black-box Exploit Detection and Signature
                 Generation for Commodity Software",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "11:1--11:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455518.1455523",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In biology, a {\em vaccine\/} is a weakened strain of
                 a virus or bacterium that is intentionally injected
                 into the body for the purpose of stimulating antibody
                 production. Inspired by this idea, we propose a {\em
                 packet vaccine\/} mechanism that randomizes
                 address-like strings in packet payloads to carry out
                 fast exploit detection and signature generation. An
                 exploit with a randomized jump address behaves like a
                 vaccine: it will likely cause an exception in a
                 vulnerable program's process when attempting to hijack
                 the control flow, and thereby expose itself. Taking
                 that exploit as a template, our signature generator
                 creates a set of new vaccines to probe the program in
                 an attempt to uncover the necessary conditions for the
                 exploit to happen. A signature is built upon these
                 conditions to shield the underlying vulnerability from
                 further attacks. In this way, packet vaccine detects
                 exploits and generates signatures in a black-box
                 fashion, that is, not relying on the knowledge of a
                 vulnerable program's source and binary code. Therefore,
                 it even works on the commodity software obfuscated for
                 the purpose of copyright protection. In addition, since
                 our approach avoids the expense of tracking the
                 program's execution flow, it performs almost as fast as
                 a normal run of the program and is capable of
                 generating a signature of high quality within seconds
                 or even subseconds. We present the design of the packet
                 vaccine mechanism and an example of its application. We
                 also describe our proof-of-concept implementation and
                 the evaluation of our technique using real exploits.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "black-box defense; exploit detection; signature
                 generation; vaccine injection; worm",
}

@Article{Antonatos:2008:PMW,
  author =       "Spiros Antonatos and Periklis Akritidis and Vinh The
                 Lam and Kostas G. Anagnostakis",
  title =        "Puppetnets: Misusing {Web} Browsers as a Distributed
                 Attack Infrastructure",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "12:1--12:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1455518.1455524.",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Most of the recent work on Web security focuses on
                 preventing attacks that directly harm the browser's
                 host machine and user. In this paper we attempt to
                 quantify the threat of browsers being indirectly
                 misused for attacking third parties. Specifically, we
                 look at how the existing Web infrastructure (e.g., the
                 languages, protocols, and security policies) can be
                 exploited by malicious or subverted Web sites to
                 remotely instruct browsers to orchestrate actions
                 including denial of service attacks, worm propagation,
                 and reconnaissance scans. We show that attackers are
                 able to create powerful botnet-like infrastructures
                 that can cause significant damage. We explore the
                 effectiveness of countermeasures including anomaly
                 detection and more fine-grained browser security
                 policies.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "distributed attacks; malicious software; Web
                 security",
}

@Article{Xie:2008:TMS,
  author =       "Mengjun Xie and Heng Yin and Haining Wang",
  title =        "Thwarting {E}-mail Spam Laundering",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "2",
  pages =        "13:1--13:??",
  month =        dec,
  year =         "2008",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455518.1455525",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Dec 23 11:58:14 MST 2008",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Laundering e-mail spam through open-proxies or
                 compromised PCs is a widely-used trick to conceal real
                 spam sources and reduce spamming cost in the
                 underground e-mail spam industry. Spammers have plagued
                 the Internet by exploiting a large number of spam
                 proxies. The facility of breaking spam laundering and
                 deterring spamming activities close to their sources,
                 which would greatly benefit not only e-mail users but
                 also victim ISPs, is in great demand but still missing.
                 In this article, we reveal one salient characteristic
                 of proxy-based spamming activities, namely packet
                 symmetry, by analyzing protocol semantics and timing
                 causality. Based on the packet symmetry exhibited in
                 spam laundering, we propose a simple and effective
                 technique, DBSpam, to online detect and break spam
                 laundering activities inside a customer network.
                 Monitoring the bidirectional traffic passing through a
                 network gateway, DBSpam utilizes a simple statistical
                 method, Sequential Probability Ratio Test, to detect
                 the occurrence of spam laundering in a timely manner.
                 To balance the goals of promptness and accuracy, we
                 introduce a noise-reduction technique in DBSpam, after
                 which the laundering path can be identified more
                 accurately. Then DBSpam activates its spam suppressing
                 mechanism to break the spam laundering. We implement a
                 prototype of DBSpam based on {\em libpcap}, and
                 validate its efficacy on spam detection and suppression
                 through both theoretical analyses and trace-based
                 experiments.",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "proxy; Spam; SPRT",
}

@Article{Liang:2009:AIE,
  author =       "Zhenkai Liang and Weiqing Sun and V. N.
                 Venkatakrishnan and R. Sekar",
  title =        "{Alcatraz}: An Isolated Environment for Experimenting
                 with Untrusted Software",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "14:1--14:37",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455527",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this article, we present an approach for realizing
                 a {\em safe execution environment (SEE)\/} that enables
                 users to ``try out'' new software (or configuration
                 changes to existing software) without the fear of
                 damaging the system in any manner. A key property of
                 our SEE is that it faithfully reproduces the behavior
                 of applications, as if they were running natively on
                 the underlying (host) operating system. This is
                 accomplished via {\em one-way isolation\/}: processes
                 running within the SEE are given read-access to the
                 environment provided by the host OS, but their write
                 operations are prevented from escaping outside the SEE.
                 As a result, SEE processes cannot impact the behavior
                 of host OS processes, or the integrity of data on the
                 host OS. SEEs support a wide range of tasks, including:
                 study of malicious code, controlled execution of
                 untrusted software, experimentation with software
                 configuration changes, testing of software patches, and
                 so on. It provides a convenient way for users to
                 inspect system changes made within the SEE. If these
                 changes are not accepted, they can be rolled back at
                 the click of a button. Otherwise, the changes can be
                 committed so as to become visible outside the SEE. We
                 provide consistency criteria that ensure semantic
                 consistency of the committed results. We develop two
                 different implementation approaches, one in {\em
                 user-land\/} and the other in the {\em OS kernel}, for
                 realizing a safe-execution environment. Our
                 implementation results show that most software,
                 including fairly complex server and client
                 applications, can run successfully within our SEEs. It
                 introduces low performance overheads, typically below
                 10 percent.",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Isolation; one-way isolation",
}

@Article{Yao:2009:CAR,
  author =       "Danfeng Yao and Roberto Tamassia",
  title =        "Compact and Anonymous Role-Based Authorization Chain",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "15:1--15:??",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455528",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce a decentralized delegation model called
                 anonymous role-based cascaded delegation. In this
                 model, a delegator can issue authorizations on behalf
                 of her role without revealing her identity. This type
                 of delegation protects the sensitive membership
                 information of a delegator and hides the internal
                 structure of an organization. To provide an efficient
                 storage and transmission mechanism for credentials used
                 in anonymous role-based cascaded delegation, we present
                 a new digital signature scheme that supports both
                 signer anonymity and signature aggregation. Our scheme
                 has compact role signatures that make it especially
                 suitable for ubiquitous computing environments, where
                 users may have mobile computing devices with narrow
                 communication bandwidth and small storage units.",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "aggregate signature; anonymity; Delegation",
}

@Article{Bethencourt:2009:NTP,
  author =       "John Bethencourt and Dawn Song and Brent Waters",
  title =        "New Techniques for Private Stream Searching",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "16:1--16:??",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455529",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A system for private stream searching, introduced by
                 Ostrovsky and Skeith, allows a client to provide an
                 untrusted server with an encrypted search query. The
                 server uses the query on a stream of documents and
                 returns the matching documents to the client while
                 learning nothing about the nature of the query. We
                 present a new scheme for conducting private keyword
                 search on streaming data which requires $O(m)$ server
                 to client communication complexity to return the
                 content of the matching documents, where $m$ is an
                 upper bound on the size of the documents. The required
                 storage on the server conducting the search is also
                 $O(m)$. The previous best scheme for private stream
                 searching was shown to have $O(m \log m)$ communication
                 and storage complexity. Our solution employs a novel
                 construction in which the user reconstructs the
                 matching files by solving a system of linear equations.
                 This allows the matching documents to be stored in a
                 compact buffer rather than relying on redundancies to
                 avoid collisions in the storage buffer as in previous
                 work. This technique requires a small amount of
                 metadata to be returned in addition to the documents;
                 for this the original scheme of Ostrovsky and Skeith
                 may be employed with $O(m \log m)$ communication and
                 storage complexity. We also present an alternative
                 method for returning the necessary metadata based on a
                 unique encrypted Bloom filter construction. This method
                 requires $O(m \log(t / m))$ communication and storage
                 complexity, where $t$ is the number of documents in the
                 stream. In this article we describe our scheme, prove
                 it secure, analyze its asymptotic performance, and
                 describe a number of extensions. We also provide an
                 experimental analysis of its scalability in practice.
                 Specifically, we consider its performance in the
                 demanding scenario of providing a privacy preserving
                 version of the Google News Alerts service.",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Bloom filter; private information retrieval; private
                 stream searching; public key program obfuscation",
}

@Article{Crosby:2009:OLR,
  author =       "Scott A. Crosby and Dan S. Wallach and Rudolf H.
                 Riedi",
  title =        "Opportunities and Limits of Remote Timing Attacks",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "17:1--17:??",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455530",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Many algorithms can take a variable amount of time to
                 complete depending on the data being processed. These
                 timing differences can sometimes disclose confidential
                 information. Indeed, researchers have been able to
                 reconstruct an RSA private key purely by querying an
                 SSL Web server and timing the results. Our work
                 analyzes the limits of attacks based on accurately
                 measuring network response times and jitter over a
                 local network and across the Internet. We present the
                 design of filters to significantly reduce the effects
                 of jitter, allowing an attacker to measure events with
                 15--100$\mu$s accuracy across the Internet, and as good
                 as 100ns over a local network. Notably,
                 security-related algorithms on Web servers and other
                 network servers need to be carefully engineered to
                 avoid timing channel leaks at the accuracy demonstrated
                 in this article.",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Information leakage; jitter; timing attacks",
}

@Article{Atallah:2009:DEK,
  author =       "Mikhail J. Atallah and Marina Blanton and Nelly Fazio
                 and Keith B. Frikken",
  title =        "Dynamic and Efficient Key Management for Access
                 Hierarchies",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "18:1--18:??",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455531",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Hierarchies arise in the context of access control
                 whenever the user population can be modeled as a set of
                 partially ordered classes (represented as a directed
                 graph). A user with access privileges for a class
                 obtains access to objects stored at that class and all
                 descendant classes in the hierarchy. The problem of key
                 management for such hierarchies then consists of
                 assigning a key to each class in the hierarchy so that
                 keys for descendant classes can be obtained via
                 efficient key derivation.\par

                 We propose a solution to this problem with the
                 following properties: (1) the space complexity of the
                 public information is the same as that of storing the
                 hierarchy; (2) the private information at a class
                 consists of a single key associated with that class;
                 (3) updates (i.e., revocations and additions) are
                 handled {\em locally\/} in the hierarchy; (4) the
                 scheme is provably secure against collusion; and (5)
                 each node can derive the key of any of its descendant
                 with a number of symmetric-key operations bounded by
                 the length of the path between the nodes. Whereas many
                 previous schemes had some of these properties, ours is
                 the first that satisfies all of them. The security of
                 our scheme is based on pseudorandom functions, without
                 reliance on the Random Oracle Model.\par

                 Another substantial contribution of this work is that
                 we are able to lower the key derivation time at the
                 expense of modestly increasing the public storage
                 associated with the hierarchy. Insertion of additional,
                 so-called shortcut, edges, allows to lower the key
                 derivation to a small constant number of steps for
                 graphs that are total orders and trees by increasing
                 the total number of edges by a small asymptotic factor
                 such as $O(\log^* n)$ for an $n$-node hierarchy. For
                 more general access hierarchies of dimension $d$, we
                 use a technique that consists of adding dummy nodes and
                 dimension reduction. The key derivation work for such
                 graphs is then linear in $d$ and the increase in the
                 number of edges is by the factor $O(\log^{d - 1} n)$
                 compared to the one-dimensional case.\par

                 Finally, by making simple modifications to our scheme,
                 we show how to handle extensions proposed by Crampton
                 [2003] of the standard hierarchies to ``limited depth''
                 and reverse inheritance.",
  acknowledgement = ack-nhfb,
  articleno =    "18",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Efficient key derivation; hierarchical access control;
                 key management",
}

@Article{Ligatti:2009:RTE,
  author =       "Jay Ligatti and Lujo Bauer and David Walker",
  title =        "Run-Time Enforcement of Nonsafety Policies",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "3",
  pages =        "19:1--19:??",
  month =        jan,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1455526.1455532",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Feb 2 18:03:37 MST 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A common mechanism for ensuring that software behaves
                 securely is to monitor programs at run time and check
                 that they dynamically adhere to constraints specified
                 by a security policy. Whenever a program monitor
                 detects that untrusted software is attempting to
                 execute a dangerous action, it takes remedial steps to
                 ensure that only safe code actually gets
                 executed.\par

                 This article improves our understanding of the space of
                 policies enforceable by monitoring the run-time
                 behaviors of programs. We begin by building a formal
                 framework for analyzing policy enforcement: we
                 precisely define policies, monitors, and enforcement.
                 This framework allows us to prove that monitors enforce
                 an interesting set of policies that we call the
                 infinite renewal properties. We show how to construct a
                 program monitor that provably enforces any reasonable
                 infinite renewal property. We also show that the set of
                 infinite renewal properties includes some nonsafety
                 policies, that is, that monitors can enforce some
                 nonsafety (including some purely liveness) policies.
                 Finally, we demonstrate concrete examples of nonsafety
                 policies enforceable by practical run-time monitors.",
  acknowledgement = ack-nhfb,
  articleno =    "19",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "liveness; monitoring; policy enforcement; safety;
                 security automata; security policies",
}

@Article{Li:2009:RPA,
  author =       "Ninghui Li and Qihua Wang and Mahesh Tripunitara",
  title =        "Resiliency Policies in Access Control",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "4",
  pages =        "20:1--20:??",
  month =        apr,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1513601.1513602",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu May 14 13:53:50 MDT 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce the notion of resiliency policies in the
                 context of access control systems. Such policies
                 require an access control system to be resilient to the
                 absence of users. An example resiliency policy requires
                 that upon removal of any $s$ users, there should still
                 exist $d$ disjoint sets of users such that the users in
                 each set together possess certain permissions of
                 interest. Such a policy ensures that even when
                 emergency situations cause some users to be absent,
                 there still exist independent teams of users that have
                 the permissions necessary for carrying out critical
                 tasks. The Resiliency Checking Problem determines
                 whether an access control state satisfies a given
                 resiliency policy. We show that the general case of the
                 problem and several subcases are intractable (NP hard),
                 and identify two subcases that are solvable in linear
                 time. For the intractable cases, we also identify the
                 complexity class in the polynomial hierarchy to which
                 these problems belong. We discuss the design and
                 evaluation of an algorithm that can efficiently solve
                 instances of nontrivial sizes that belong to the
                 intractable cases of the problem. Furthermore, we study
                 the consistency problem between resiliency policies and
                 static separation of duty policies. Finally, we combine
                 the notions of resiliency and separation of duty to
                 introduce the resilient separation of duty policy,
                 which is useful in situations where both
                 fault-tolerance and fraud-prevention are desired.",
  acknowledgement = ack-nhfb,
  articleno =    "20",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; fault-tolerant; policy design",
}

@Article{Burmester:2009:UCR,
  author =       "Mike Burmester and Tri Van Le and Breno {De Medeiros}
                 and Gene Tsudik",
  title =        "Universally Composable {RFID} Identification and
                 Authentication Protocols",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "4",
  pages =        "21:1--21:??",
  month =        apr,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1513601.1513603",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu May 14 13:53:50 MDT 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "As the number of RFID applications grows, concerns
                 about their security and privacy become greatly
                 amplified. At the same time, the acutely restricted and
                 cost-sensitive nature of RFID tags rules out simple
                 reuse of traditional security/privacy solutions and
                 calls for a new generation of extremely lightweight
                 identification and authentication protocols.\par

                 This article describes a universally composable
                 security framework designed especially for RFID
                 applications. We adopt RFID-specific setup,
                 communication, and concurrency assumptions in a model
                 that guarantees strong security, privacy, and
                 availability properties. In particular, the framework
                 supports modular deployment, which is most appropriate
                 for ubiquitous applications. We also describe a set of
                 simple, efficient, secure, and anonymous (untraceable)
                 RFID identification and authentication protocols that
                 instantiate the proposed framework. These protocols
                 involve minimal interaction between tags and readers
                 and place only a small computational load on the tag,
                 and a light computational burden on the back-end
                 server. We show that our protocols are provably secure
                 within the proposed framework.",
  acknowledgement = ack-nhfb,
  articleno =    "21",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "authentication and key-exchange protocols; RFID
                 security; universal composability",
}

@Article{Cabuk:2009:ICC,
  author =       "Serdar Cabuk and Carla E. Brodley and Clay Shields",
  title =        "{IP} Covert Channel Detection",
  journal =      j-TISSEC,
  volume =       "12",
  number =       "4",
  pages =        "22:1--22:29",
  month =        apr,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1513601.1513604",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu May 14 13:53:50 MDT 2009",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A covert channel can occur when an attacker finds and
                 exploits a shared resource that is not designed to be a
                 communication mechanism. A network covert channel
                 operates by altering the timing of otherwise legitimate
                 network traffic so that the arrival times of packets
                 encode confidential data that an attacker wants to
                 exfiltrate from a secure area from which she has no
                 other means of communication. In this article, we
                 present the first public implementation of an IP covert
                 channel, discuss the subtle issues that arose in its
                 design, and present a discussion on its efficacy. We
                 then show that an IP covert channel can be
                 differentiated from legitimate channels and present new
                 detection measures that provide detection rates over
                 95\%. We next take the simple step an attacker would of
                 adding noise to the channel to attempt to conceal the
                 covert communication. For these noisy IP covert timing
                 channels, we show that our online detection measures
                 can fail to identify the covert channel for noise
                 levels higher than 10\%. We then provide effective
                 offline search mechanisms that identify the noisy
                 channels.",
  acknowledgement = ack-nhfb,
  articleno =    "22",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "channel detection; information hiding; network covert
                 channels",
}

@Article{Meadows:2009:IAT,
  author =       "Catherine Meadows",
  title =        "Introduction to {ACM TISSEC} special issue on {CCS
                 2005}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "1:1--1:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609957",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2009:ATN,
  author =       "Jiangtao Li and Ninghui Li and William H.
                 Winsborough",
  title =        "Automated trust negotiation using cryptographic
                 credentials",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "2:1--2:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609958",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhuang:2009:KAE,
  author =       "Li Zhuang and Feng Zhou and J. D. Tygar",
  title =        "Keyboard acoustic emanations revisited",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "3:1--3:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609959",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Abadi:2009:CFI,
  author =       "Mart{\'\i}n Abadi and Mihai Budiu and {\'U}lfar
                 Erlingsson and Jay Ligatti",
  title =        "Control-flow integrity principles, implementations,
                 and applications",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "4:1--4:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609960",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Etalle:2009:MCW,
  author =       "Sandro Etalle and William H. Winsborough",
  title =        "Maintaining control while delegating trust: Integrity
                 constraints in trust management",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "5:1--5:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609961",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Carminati:2009:EAC,
  author =       "Barbara Carminati and Elena Ferrari and Andrea
                 Perego",
  title =        "Enforcing access control in {Web}-based social
                 networks",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "6:1--6:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609962",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Juels:2009:DSP,
  author =       "Ari Juels and Stephen A. Weis",
  title =        "Defining strong privacy for {RFID}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "7:1--7:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609963",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zhu:2009:CAC,
  author =       "Ye Zhu and Riccardo Bettati",
  title =        "Compromising anonymous communication systems using
                 blind source separation",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "8:1--8:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609964",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Sang:2009:ESP,
  author =       "Yingpeng Sang and Hong Shen",
  title =        "Efficient and secure protocols for privacy-preserving
                 set operations",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "9:1--9:??",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609965",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Dorrendorf:2009:CRN,
  author =       "Leo Dorrendorf and Zvi Gutterman and Benny Pinkas",
  title =        "Cryptanalysis of the random number generator of the
                 {Windows} operating system",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "1",
  pages =        "10:1--10:32",
  month =        oct,
  year =         "2009",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1609956.1609966",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:12 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The PseudoRandom Number Generator (PRNG) used by the
                 Windows operating system is the most commonly used
                 PRNG. The pseudorandomness of the output of this
                 generator is crucial for the security of almost any
                 application running in Windows. Nevertheless, its exact
                 algorithm was never published.\par

                 We examined the binary code of a distribution of
                 Windows 2000. This investigation was done without any
                 help from Microsoft.We reconstructed the algorithm used
                 by the pseudorandom number generator (namely, the
                 function CryptGenRandom). We analyzed the security of
                 the algorithm and found a nontrivial attack: Given the
                 internal state of the generator, the previous state can
                 be computed in 223 steps. This attack on forward
                 security demonstrates that the design of the generator
                 is flawed, since it is well known how to prevent such
                 attacks. After our analysis was published, Microsoft
                 acknowledged that Windows XP is vulnerable to the same
                 attack.\par

                 We also analyzed the way in which the generator is used
                 by the operating system and found that it amplifies the
                 effect of the attack: The generator is run in user mode
                 rather than in kernel mode; therefore, it is easy to
                 access its state even without administrator privileges.
                 The initial values of part of the state of the
                 generator are not set explicitly, but rather are
                 defined by whatever values are present on the stack
                 when the generator is called. Furthermore, each process
                 runs a different copy of the generator, and the state
                 of the generator is refreshed with system-generated
                 entropy only after generating 128KB of output for the
                 process running it. The result of combining this
                 observation with our attack is that learning a single
                 state may reveal 128KB of the past and future output of
                 the generator.\par

                 The implication of these findings is that a buffer
                 overflow attack or a similar attack can be used to
                 learn a single state of the generator, which can then
                 be used to predict all random values, such as SSL keys,
                 used by a process in all its past and future
                 operations. This attack is more severe and more
                 efficient than known attacks in which an attack",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{diVimercati:2010:GES,
  author =       "Sabrina de Capitani di Vimercati and Paul Syverson",
  title =        "Guest editorial: Special issue on computer and
                 communications security",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "11:1--11:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698751",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jiang:2010:SMD,
  author =       "Xuxian Jiang and Xinyuan Wang and Dongyan Xu",
  title =        "Stealthy malware detection and monitoring through
                 {VMM}-based ``out-of-the-box'' semantic view
                 reconstruction",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "12:1--12:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698752",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Hopper:2010:HMA,
  author =       "Nicholas Hopper and Eugene Y. Vasserman and Eric
                 Chan-TIN",
  title =        "How much anonymity does network latency leak?",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "13:1--13:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698753",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bisht:2010:CDC,
  author =       "Prithvi Bisht and P. Madhusudan and V. N.
                 Venkatakrishnan",
  title =        "{CANDID}: Dynamic candidate evaluations for automatic
                 prevention of {SQL} injection attacks",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "14:1--14:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698754",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ponec:2010:NPA,
  author =       "Miroslav Ponec and Paul Giura and Joel Wein and
                 Herv{\'e} Br{\"o}nnimann",
  title =        "New payload attribution methods for network forensic
                 investigations",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "15:1--15:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698755",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Moran:2010:SBV,
  author =       "Tal Moran and Moni Naor",
  title =        "Split-ballot voting: Everlasting privacy with
                 distributed trust",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "16:1--16:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698756",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Lysyanskaya:2010:AEC,
  author =       "Anna Lysyanskaya and Roberto Tamassia and Nikos
                 Triandopoulos",
  title =        "Authenticated error-correcting codes with applications
                 to multicast authentication",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "17:1--17:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698757",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wang:2010:DVT,
  author =       "Xiaofeng Wang and Philippe Golle and Markus Jakobsson
                 and Alex Tsow",
  title =        "Deterring voluntary trace disclosure in re-encryption
                 mix-networks",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "2",
  pages =        "18:1--18:??",
  month =        feb,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1698750.1698758",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Mar 16 10:18:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "18",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Biskup:2010:EE,
  author =       "Joachim Biskup and Javier Lopez",
  title =        "Editorial: {ESORICS 2007}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "19:1--19:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805975",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "19",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Becker:2010:LSM,
  author =       "Moritz Y. Becker and Sebastian Nanz",
  title =        "A logic for state-modifying authorization policies",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "20:1--20:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805976",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Administering and maintaining access control systems
                 is a challenging task, especially in environments with
                 complex and changing authorization requirements. A
                 number of authorization logics have been proposed that
                 aim at simplifying access control by factoring the
                 authorization policy out of the hard-coded resource
                 guard. However, many policies require the authorization
                 state to be updated after a granted access request, for
                 example, to reflect the fact that a user has activated
                 or deactivated a role. Current authorization languages
                 cannot express such state modifications; these still
                 have to be hard-coded into the resource guard. We
                 present a logic for specifying policies where access
                 requests can have effects on the authorization state.
                 The logic is semantically defined by a mapping to
                 Transaction Logic. Using this approach, updates to the
                 state are factored out of the resource guard, thus
                 enhancing maintainability and facilitating more
                 expressive policies that take the history of access
                 requests into account. We also present a sound and
                 complete proof system for reasoning about sequences of
                 access requests. This gives rise to a goal-oriented
                 algorithm for finding minimal sequences that lead to a
                 specified target authorization state.",
  acknowledgement = ack-nhfb,
  articleno =    "20",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; Authorization; Hoare logic; policy",
}

@Article{Barthe:2010:SMP,
  author =       "Gilles Barthe and Tamara Rezk and Alejandro Russo and
                 Andrei Sabelfeld",
  title =        "Security of multithreaded programs by compilation",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "21:1--21:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1895977",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "End-to-End security of mobile code requires that the
                 code neither intentionally nor accidentally propagates
                 sensitive information to an adversary. Although mobile
                 code is commonly multithreaded low-level code, there
                 lack enforcement mechanisms that ensure information
                 security for such programs. The modularity is
                 three-fold: we give modular extensions of sequential
                 semantics, sequential security typing, and sequential
                 security-type preserving compilation that allow us
                 enforcing security for multithreaded programs. Thanks
                 to the modularity, there are no more restrictions on
                 multithreaded source programs than on sequential ones,
                 and yet we guarantee that their compilations are
                 provably secure for a wide class of schedulers.",
  acknowledgement = ack-nhfb,
  articleno =    "21",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "compilers; Noninterference; schedulers; type systems",
}

@Article{Ciriani:2010:CFE,
  author =       "Valentina Ciriani and Sabrina {De Capitani Di
                 Vimercati} and Sara Foresti and Sushil Jajodia and
                 Stefano Paraboschi and Pierangela Samarati",
  title =        "Combining fragmentation and encryption to protect
                 privacy in data storage",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "22:1--22:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805978",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The impact of privacy requirements in the development
                 of modern applications is increasing very quickly. Many
                 commercial and legal regulations are driving the need
                 to develop reliable solutions for protecting sensitive
                 information whenever it is stored, processed, or
                 communicated to external parties. To this purpose,
                 encryption techniques are currently used in many
                 scenarios where data protection is required since they
                 provide a layer of protection against the disclosure of
                 personal information, which safeguards companies from
                 the costs that may arise from exposing their data to
                 privacy breaches. However, dealing with encrypted data
                 may make query processing more expensive.\par

                 In this article, we address these issues by proposing a
                 solution to enforce the privacy of data collections
                 that combines data fragmentation with encryption. We
                 model privacy requirements as confidentiality
                 constraints expressing the sensitivity of attributes
                 and their associations. We then use encryption as an
                 underlying (conveniently available) measure for making
                 data unintelligible while exploiting fragmentation as a
                 way to break sensitive associations among attributes.
                 We formalize the problem of minimizing the impact of
                 fragmentation in terms of number of fragments and their
                 affinity and present two heuristic algorithms for
                 solving such problems. We also discuss experimental
                 results, comparing the solutions returned by our
                 heuristics with respect to optimal solutions, which
                 show that the heuristics, while guaranteeing a
                 polynomial-time computation cost are able to retrieve
                 solutions close to optimum.",
  acknowledgement = ack-nhfb,
  articleno =    "22",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "encryption; fragmentation; Privacy",
}

@Article{Thuraisingham:2010:ES,
  author =       "Bhavani Thuraisingham",
  title =        "Editorial: {SACMAT 2007}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "23:1--23:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805979",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "23",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ni:2010:PAR,
  author =       "Qun Ni and Elisa Bertino and Jorge Lobo and Carolyn
                 Brodie and Clare-Marie Karat and John Karat and Alberto
                 Trombeta",
  title =        "Privacy-aware role-based access control",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "24:1--24:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805980",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "In this article, we introduce a comprehensive
                 framework supporting a privacy-aware access control
                 mechanism, that is, a mechanism tailored to enforce
                 access control to data containing personally
                 identifiable information and, as such, privacy
                 sensitive. The key component of the framework is a
                 family of models (P-RBAC) that extend the well-known
                 RBAC model in order to provide full support for
                 expressing highly complex privacy-related policies,
                 taking into account features like purposes and
                 obligations. We formally define the notion of
                 privacy-aware permissions and the notion of conflicting
                 permission assignments in P-RBAC, together with
                 efficient conflict-checking algorithms. The framework
                 also includes a flexible authoring tool, based on the
                 use of the SPARCLE system, supporting the high-level
                 specification of P-RBAC permissions. SPARCLE supports
                 the use of natural language for authoring policies and
                 is able to automatically generate P-RBAC permissions
                 from these natural language specifications. In the
                 article, we also report performance evaluation results
                 and contrast our approach with other relevant access
                 control and privacy policy frameworks such as P3P,
                 EPAL, and XACML.",
  acknowledgement = ack-nhfb,
  articleno =    "24",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "model; Privacy; purpose; Role-based access control",
}

@Article{Lee:2010:CDP,
  author =       "Adam J. Lee and Kazuhiro Minami and Marianne
                 Winslett",
  title =        "On the consistency of distributed proofs with hidden
                 subtrees",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "25:1--25:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805981",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Previous work has shown that distributed authorization
                 systems that fail to sample a consistent snapshot of
                 the underlying system during policy evaluation are
                 vulnerable to a number of attacks. Unfortunately, the
                 consistency enforcement solutions presented in previous
                 work were designed for systems in which only
                 CA-certified evidence is used during the
                 decision-making process, all of which is available to
                 the decision-making node at runtime. In this article,
                 we generalize previous results and present light-weight
                 mechanisms through which consistency constraints can be
                 enforced in proof systems in which the full details of
                 a proof may be unavailable to the querier due to
                 information release policies, and the existence of
                 certificate authorities for certifying evidence is
                 unlikely; these types of distributed proof systems are
                 likely candidates for use in pervasive computing and
                 sensor network environments. We present modifications
                 to one such distributed proof system that enable three
                 types of consistency constraints to be enforced while
                 still respecting the same confidentiality and integrity
                 policies as the original proof system. We then discuss
                 how these techniques can be adapted and applied to
                 other, less restrictive, distributed proof systems.
                 Further, we detail a performance analysis that
                 illustrates the modest overheads of our consistency
                 enforcement schemes.",
  acknowledgement = ack-nhfb,
  articleno =    "25",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "Consistency; distributed proving; pervasive
                 computing",
}

@Article{Hicks:2010:LSA,
  author =       "Boniface Hicks and Sandra Rueda and Luke {St. Clair}
                 and Trent Jaeger and Patrick McDaniel",
  title =        "A logical specification and analysis for {SELinux MLS}
                 policy",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "26:1--26:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1805874.1805982",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/linux.bib;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib;
                 http://www.math.utah.edu/pub/tex/bib/unix.bib",
  abstract =     "The SELinux mandatory access control (MAC) policy has
                 recently added a multilevel security (MLS) model which
                 is able to express a fine granularity of control over a
                 subject's access rights. The problem is that the
                 richness of the SELinux MLS model makes it impractical
                 to manually evaluate that a given policy meets certain
                 specific properties. To address this issue, we have
                 modeled the SELinux MLS model, using a logical
                 specification and implemented that specification in the
                 Prolog language. Furthermore, we have developed some
                 analyses for testing information flow properties of a
                 given policy as well as an algorithm to determine
                 whether one policy is compliant with another. We have
                 implemented these analyses in Prolog and compiled our
                 implementation into a tool for SELinux MLS policy
                 analysis, called PALMS. Using PALMS, we verified some
                 important properties of the SELinux MLS reference
                 policy, namely that it satisfies the simple security
                 condition and $\star$-property defined by Bell and
                 LaPadula. We also evaluated whether the policy
                 associated to a given application is compliant with the
                 policy of the SELinux system in which it would be
                 deployed.",
  acknowledgement = ack-nhfb,
  articleno =    "26",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "multilevel security; policy analysis; policy
                 compliance; SELinux",
}

@Article{Vaidya:2010:RMP,
  author =       "Jaideep Vaidya and Vijayalakshmi Atluri and Qi Guo",
  title =        "The role mining problem: a formal perspective",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "27:1--27:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1895983",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Devising a complete and correct set of roles has been
                 recognized as one of the most important and challenging
                 tasks in implementing role-based access control. A key
                 problem related to this is the notion of
                 goodness/interestingness --- when is a role
                 good/interesting? In this article, we define the {\em
                 Role Mining Problem\/} (RMP) as the problem of
                 discovering an optimal set of roles from existing user
                 permissions. The main contribution of this article is
                 to formally define RMP and analyze its theoretical
                 bounds. In addition to the above basic RMP, we
                 introduce two different variations of the RMP, called
                 the {\em $\delta$-Approx RMP\/} and the {\em
                 minimal-noise RMP\/} that have pragmatic implications.
                 We reduce the known ``Set Basis Problem'' to RMP to
                 show that RMP is an NP-complete problem. An important
                 contribution of this article is also to show the
                 relation of the RMP to several problems already
                 identified in the data mining and data analysis
                 literature. By showing that the RMP is in essence
                 reducible to these known problems, we can directly
                 borrow the existing implementation solutions and guide
                 further research in this direction. We also develop a
                 heuristic solution based on the previously proposed
                 FastMiner algorithm, which is very accurate and
                 efficient.",
  acknowledgement = ack-nhfb,
  articleno =    "27",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "RBAC; role engineering; role mining",
}

@Article{Carminati:2010:FEA,
  author =       "Barbara Carminati and Elena Ferrari and Jianneng Cao
                 and Kian Lee Tan",
  title =        "A framework to enforce access control over data
                 streams",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "3",
  pages =        "28:1--28:??",
  month =        jul,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://doi.acm.org/10.1145/1805974.1805984",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jul 28 14:57:15 MDT 2010",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Although access control is currently a key component
                 of any computational system, it is only recently that
                 mechanisms to guard against unauthorized access to
                 streaming data have started to be investigated. To cope
                 with this lack, in this article, we propose a general
                 framework to protect streaming data, which is, as much
                 as possible, independent from the target stream engine.
                 Differently from RDBMSs, up to now a standard query
                 language for data streams has not yet emerged and this
                 makes the development of a general solution to access
                 control enforcement more difficult. The framework we
                 propose in this article is based on an expressive
                 role-based access control model proposed by us. It
                 exploits a query rewriting mechanism, which rewrites
                 user queries in such a way that they do not return
                 tuples/attributes that should not be accessed according
                 to the specified access control policies. Furthermore,
                 the framework contains a deployment module able to
                 translate the rewritten query in such a way that it can
                 be executed by different stream engines, therefore,
                 overcoming the lack of standardization. In the article,
                 besides presenting all the components of our framework,
                 we prove the correctness and completeness of the query
                 rewriting algorithm, and we present some experiments
                 that show the feasibility of the developed
                 techniques.",
  acknowledgement = ack-nhfb,
  articleno =    "28",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
  keywords =     "access control; Data stream; secure query rewriting",
}

@Article{Kate:2010:PBO,
  author =       "Aniket Kate and Greg M. Zaverucha and Ian Goldberg",
  title =        "Pairing-Based Onion Routing with Improved Forward
                 Secrecy",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "29:1--29:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880023",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This article presents new protocols for onion routing
                 anonymity networks. We define a provably secure
                 privacy-preserving key agreement scheme in an
                 identity-based infrastructure setting, and use it to
                 design new onion routing circuit constructions. These
                 constructions, based on a user's selection, offer
                 immediate or eventual forward secrecy at each node in a
                 circuit and require significantly less computation and
                 communication than the telescoping mechanism used by
                 the Tor project. Further, the use of an identity-based
                 infrastructure also leads to a reduction in the
                 required amount of authenticated directory
                 information.",
  acknowledgement = ack-nhfb,
  articleno =    "29",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Pennington:2010:SBI,
  author =       "Adam G. Pennington and John Linwood Griffin and John
                 S. Bucy and John D. Strunk and Gregory R. Ganger",
  title =        "Storage-Based Intrusion Detection",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "30:1--30:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880024",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Storage-based intrusion detection consists of storage
                 systems watching for and identifying data access
                 patterns characteristic of system intrusions. Storage
                 systems can spot several common intruder actions, such
                 as adding backdoors, inserting Trojan horses, and
                 tampering with audit logs. For example, examination of
                 18 real intrusion tools reveals that most (15) can be
                 detected based on their changes to stored files.
                 Further, an Intrusion Detection System (IDS) embedded
                 in a storage device continues to operate even after
                 client operating systems are compromised. We describe
                 and evaluate a prototype storage IDS, built into a disk
                 emulator, to demonstrate both feasibility and
                 efficiency of storage-based intrusion detection.",
  acknowledgement = ack-nhfb,
  articleno =    "30",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bobba:2010:ABM,
  author =       "Rakesh Bobba and Omid Fatemieh and Fariba Khan and
                 Arindam Khan and Carl A. Gunter and Himanshu Khurana
                 and Manoj Prabhakaran",
  title =        "Attribute-Based Messaging: Access Control and
                 Confidentiality",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "31:1--31:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880025",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Attribute-Based Messaging (ABM) enables messages to be
                 addressed using attributes of recipients rather than an
                 explicit list of recipients. Such messaging offers
                 benefits of efficiency, exclusiveness, and
                 intensionality, but faces challenges in access control
                 and confidentiality. In this article we explore an
                 approach to intraenterprise ABM based on providing
                 access control and confidentiality using information
                 from the same attribute database exploited by the
                 addressing scheme. We show how to address three key
                 challenges. First, we demonstrate a manageable access
                 control system based on attributes. Second, we
                 demonstrate use of attribute-based encryption to
                 provide end-to-end confidentiality. Third, we show that
                 such a system can be efficient enough to support ABM
                 for mid-size enterprises.",
  acknowledgement = ack-nhfb,
  articleno =    "31",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2010:AIS,
  author =       "Feifei Li and Marios Hadjieleftheriou and George
                 Kollios and Leonid Reyzin",
  title =        "Authenticated Index Structures for Aggregation
                 Queries",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "32:1--32:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880026",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Query authentication is an essential component in
                 Outsourced DataBase (ODB) systems. This article
                 introduces efficient index structures for
                 authenticating aggregation queries over large datasets.
                 First, we design an index that features good
                 performance characteristics for static environments.
                 Then, we propose more involved structures for the
                 dynamic case. Our structures feature excellent
                 performance for authenticating queries with multiple
                 aggregate attributes and multiple selection predicates.
                 Furthermore, our techniques cover a large number of
                 aggregate types, including distributive aggregates
                 (such as SUM, COUNT, MIN, and MAX), algebraic
                 aggregates (such as the AVG), and holistic aggregates
                 (such as MEDIAN and QUANTILE). We have also addressed
                 the issue of authenticating aggregation queries
                 efficiently when the database is encrypted to protect
                 data confidentiality.",
  acknowledgement = ack-nhfb,
  articleno =    "32",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Sarkar:2010:SGC,
  author =       "Palash Sarkar",
  title =        "A Simple and Generic Construction of Authenticated
                 Encryption with Associated Data",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "33:1--33:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880027",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We revisit the problem of constructing a protocol for
                 performing Authenticated Encryption with Associated
                 Data (AEAD). A technique is described which combines a
                 collision-resistant hash function with a protocol for
                 Authenticated Encryption (AE). The technique is both
                 simple and generic and does not require any additional
                 key material beyond that of the AE protocol. Concrete
                 instantiations are shown where a 256-bit hash function
                 is combined with some known single-pass AE protocols
                 employing either 128-bit or 256-bit block ciphers. This
                 results in possible efficiency improvement in the
                 processing of the header.",
  acknowledgement = ack-nhfb,
  articleno =    "33",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Schultz:2010:MMP,
  author =       "David Schultz and Barbara Liskov and Moses Liskov",
  title =        "{MPSS}: {Mobile Proactive Secret Sharing}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "34:1--34:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880028",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This article describes MPSS, a new way to do proactive
                 secret sharing. MPSS provides mobility: The group of
                 nodes holding the shares of the secret can change at
                 each resharing, which is essential in a long-lived
                 system. MPSS additionally allows the number of
                 tolerated faulty shareholders to change when the secret
                 is moved so that the system can tolerate more (or
                 fewer) corruptions; this allows reconfiguration
                 on-the-fly to accommodate changes in the environment.
                 MPSS includes an efficient protocol that is intended to
                 be used in practice. The protocol is optimized for the
                 common case of no or few failures, but degradation when
                 there are more failures is modest.",
  acknowledgement = ack-nhfb,
  articleno =    "34",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wright:2010:USP,
  author =       "Charles V. Wright and Lucas Ballard and Scott E. Coull
                 and Fabian Monrose and Gerald M. Masson",
  title =        "Uncovering Spoken Phrases in Encrypted Voice over {IP}
                 Conversations",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "35:1--35:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880029",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Although Voice over IP (VoIP) is rapidly being
                 adopted, its security implications are not yet fully
                 understood. Since VoIP calls may traverse untrusted
                 networks, packets should be encrypted to ensure
                 confidentiality. However, we show that it is possible
                 to identify the phrases spoken within encrypted VoIP
                 calls when the audio is encoded using variable bit rate
                 codecs. To do so, we train a hidden Markov model using
                 only knowledge of the phonetic pronunciations of words,
                 such as those provided by a dictionary, and search
                 packet sequences for instances of specified phrases.
                 Our approach does not require examples of the speaker's
                 voice, or even example recordings of the words that
                 make up the target phrase. We evaluate our techniques
                 on a standard speech recognition corpus containing over
                 2,000 phonetically rich phrases spoken by 630 distinct
                 speakers from across the continental United States. Our
                 results indicate that we can identify phrases within
                 encrypted calls with an average accuracy of 50\%, and
                 with accuracy greater than 90\% for some phrases.
                 Clearly, such an attack calls into question the
                 efficacy of current VoIP encryption standards. In
                 addition, we examine the impact of various features of
                 the underlying audio on our performance and discuss
                 methods for mitigation.",
  acknowledgement = ack-nhfb,
  articleno =    "35",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Molloy:2010:MRM,
  author =       "Ian Molloy and Hong Chen and Tiancheng Li and Qihua
                 Wang and Ninghui Li and Elisa Bertino and Seraphin Calo
                 and Jorge Lobo",
  title =        "Mining Roles with Multiple Objectives",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "36:1--36:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880030",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "With the growing adoption of Role-Based Access Control
                 (RBAC) in commercial security and identity management
                 products, how to facilitate the process of migrating a
                 non-RBAC system to an RBAC system has become a problem
                 with significant business impact. Researchers have
                 proposed to use data mining techniques to discover
                 roles to complement the costly top-down approaches for
                 RBAC system construction. An important problem is how
                 to construct RBAC systems with low complexity. In this
                 article, we define the notion of weighted structural
                 complexity measure and propose a role mining algorithm
                 that mines RBAC systems with low structural complexity.
                 Another key problem that has not been adequately
                 addressed by existing role mining approaches is how to
                 discover roles with semantic meanings.",
  acknowledgement = ack-nhfb,
  articleno =    "36",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Libert:2010:KES,
  author =       "Beno{\^\i}t Libert and Jean-Jacques Quisquater and
                 Moti Yung",
  title =        "Key Evolution Systems in Untrusted Update
                 Environments",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "37:1--37:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880031",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Forward-Secure Signatures (FSS) prevent forgeries for
                 past time periods when an attacker obtains full access
                 to the signer's storage by evolving the private key in
                 a one-way fashion. To simplify the integration of these
                 primitives into standard security architectures, Boyen
                 et al. [2006] recently introduced the concept of
                 forward-secure signatures with untrusted updates where
                 private keys are additionally protected by a second
                 factor (derived from a password). Key updates can be
                 made on encrypted version of signing keys so that
                 passwords only come into play for signing messages and
                 not at update time (since update is not user-driven).
                 The scheme put forth by Boyen et al.",
  acknowledgement = ack-nhfb,
  articleno =    "37",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Zage:2010:RDV,
  author =       "David Zage and Cristina Nita-Rotaru",
  title =        "Robust Decentralized Virtual Coordinate Systems in
                 Adversarial Environments",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "38:1--38:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880032",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Virtual coordinate systems provide an accurate and
                 efficient service that allows hosts on the Internet to
                 determine the latency to arbitrary hosts without
                 actively monitoring all of the nodes in the network.
                 Many of the proposed systems were designed with the
                 assumption that all of the nodes are altruistic.
                 However, this assumption may be violated by compromised
                 nodes acting maliciously to degrade the accuracy of the
                 coordinate system. As numerous peer-to-peer
                 applications come to rely on virtual coordinate systems
                 to achieve good performance, it is critical to address
                 the security of such systems. In this work, we
                 demonstrate the vulnerability of decentralized virtual
                 coordinate systems to insider (or Byzantine) attacks.",
  acknowledgement = ack-nhfb,
  articleno =    "38",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Tsang:2010:BRR,
  author =       "Patrick P. Tsang and Man Ho Au and Apu Kapadia and
                 Sean W. Smith",
  title =        "{BLAC}: Revoking Repeatedly Misbehaving Anonymous
                 Users without Relying on {TTPs}",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "39:1--39:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880033",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Several credential systems have been proposed in which
                 users can authenticate to service providers
                 anonymously. Since anonymity can give users the license
                 to misbehave, some variants allow the selective
                 deanonymization (or linking) of misbehaving users upon
                 a complaint to a Trusted Third Party (TTP). The ability
                 of the TTP to revoke a user's privacy at any time,
                 however, is too strong a punishment for misbehavior. To
                 limit the scope of deanonymization, some systems have
                 been proposed in which users can be deanonymized only
                 if they authenticate ``too many times,'' such as
                 ``double spending'' with electronic cash. While useful
                 in some applications, such techniques cannot be
                 generalized to more subjective definitions of
                 misbehavior, for example, using such schemes it is not
                 possible to block anonymous users who ``deface too many
                 Web pages'' on a Web site.",
  acknowledgement = ack-nhfb,
  articleno =    "39",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wang:2010:SRW,
  author =       "Qihua Wang and Ninghui Li",
  title =        "Satisfiability and Resiliency in Workflow
                 Authorization Systems",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "40:1--40:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880034",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We propose the role-and-relation-based access control
                 (R2BAC) model for workflow authorization systems. In
                 R2BAC, in addition to a user's role memberships, the
                 user's relationships with other users help determine
                 whether the user is allowed to perform a certain step
                 in a workflow. For example, a constraint may require
                 that two steps must not be performed by users who have
                 conflicts of interests. We study computational
                 complexity of the workflow satisfiability problem,
                 which asks whether a set of users can complete a
                 workflow. In particular, we apply tools from
                 parameterized complexity theory to better understand
                 the complexities of this problem. Furthermore, we
                 reduce the workflow satisfiability problem to SAT and
                 apply SAT solvers to address the problem.",
  acknowledgement = ack-nhfb,
  articleno =    "40",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Mukhamedov:2010:IEP,
  author =       "Aybek Mukhamedov and Mark D. Ryan",
  title =        "Identity Escrow Protocol and Anonymity Analysis in the
                 Applied Pi-Calculus",
  journal =      j-TISSEC,
  volume =       "13",
  number =       "4",
  pages =        "41:1--41:??",
  month =        dec,
  year =         "2010",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1880022.1880035",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Jan 12 17:10:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Anonymity with identity escrow attempts to allow users
                 of an online service to remain anonymous, while
                 providing the possibility that the service owner can
                 break the anonymity in exceptional circumstances, such
                 as to assist in a criminal investigation. In the
                 article, we propose an identity escrow protocol that
                 distributes user identity among several escrow agents.
                 The main feature of our scheme is it is based on
                 standard encryption algorithms and it provides user
                 anonymity even if all but one escrow holders are
                 dishonest acting in a coalition. We also present
                 analysis of the anonymity property of our protocol in
                 the applied pi-calculus.",
  acknowledgement = ack-nhfb,
  articleno =    "41",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2011:ISS,
  author =       "Ninghui Li",
  title =        "Introduction to special section {SACMAT'08}",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "1:1--1:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952983",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bauer:2011:DRP,
  author =       "Lujo Bauer and Scott Garriss and Michael K. Reiter",
  title =        "Detecting and resolving policy misconfigurations in
                 access-control systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "2:1--2:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952984",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Access-control policy misconfigurations that cause
                 requests to be erroneously denied can result in wasted
                 time, user frustration, and, in the context of
                 particular applications (e.g., health care), very
                 severe consequences. In this article we apply
                 association rule mining to the history of accesses to
                 predict changes to access-control policies that are
                 likely to be consistent with users' intentions, so that
                 these changes can be instituted in advance of
                 misconfigurations interfering with legitimate accesses.
                 Instituting these changes requires the consent of the
                 appropriate administrator, of course, and so a primary
                 contribution of our work is how to automatically
                 determine from whom to seek consent and how to minimize
                 the costs of doing so.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wei:2011:ARH,
  author =       "Qiang Wei and Jason Crampton and Konstantin Beznosov
                 and Matei Ripeanu",
  title =        "Authorization recycling in hierarchical {RBAC}
                 systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "3:1--3:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952985",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "As distributed applications increase in size and
                 complexity, traditional authorization architectures
                 based on a dedicated authorization server become
                 increasingly fragile because this decision point
                 represents a single point of failure and a performance
                 bottleneck. Authorization caching, which enables the
                 reuse of previous authorization decisions, is one
                 technique that has been used to address these
                 challenges. This article introduces and evaluates the
                 mechanisms for authorization ``recycling'' in RBAC
                 enterprise systems. The algorithms that support these
                 mechanisms allow making precise and approximate
                 authorization decisions, thereby masking possible
                 failures of the authorization server and reducing its
                 load. We evaluate these algorithms analytically as well
                 as using simulation and a prototype implementation.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bohli:2011:RAP,
  author =       "Jens-Matthias Bohli and Andreas Pashalidis",
  title =        "Relations among privacy notions",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "4:1--4:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952986",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "This article presents a hierarchy of privacy notions
                 that covers multiple anonymity and unlinkability
                 variants. The underlying definitions, which are based
                 on the idea of indistinguishability between two worlds,
                 provide new insights into the relation between, and the
                 fundamental structure of, different privacy notions. We
                 furthermore place previous privacy definitions
                 concerning group signature, anonymous communication,
                 and secret voting systems in the context of our
                 hierarchy; this renders these traditionally
                 disconnected notions comparable.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Oligeri:2011:REA,
  author =       "Gabriele Oligeri and Stefano Chessa and Roberto {Di
                 Pietro} and Gaetano Giunta",
  title =        "Robust and efficient authentication of video stream
                 broadcasting",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "5:1--5:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952987",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present a novel video stream authentication scheme
                 which combines signature amortization by means of hash
                 chains and an advanced watermarking technique. We
                 propose a new hash chain construction, the Duplex Hash
                 Chain, which allows us to achieve bit-by-bit
                 authentication that is robust to low bit error rates.
                 This construction is well suited for wireless broadcast
                 communications characterized by low packet losses such
                 as in satellite networks. Moreover, neither hardware
                 upgrades nor specific end-user equipment are needed to
                 enjoy the authentication services. The computation
                 overhead experienced on the receiver only sums to two
                 hashes per block of pictures and one digital signature
                 verification for the whole received stream.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Demsky:2011:CAD,
  author =       "Brian Demsky",
  title =        "Cross-application data provenance and policy
                 enforcement",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "6:1--6:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952988",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present a new technique that can trace data
                 provenance and enforce data access policies across
                 multiple applications and machines. We have developed
                 Garm, a tool that uses binary rewriting to implement
                 this technique on arbitrary binaries. Users can use
                 Garm to attach access policies to data and Garm
                 enforces the policy on all accesses to the data (and
                 any derived data) across all applications and
                 executions. Garm uses static analysis to generate
                 optimized instrumentation that traces the provenance of
                 an application's state and the policies that apply to
                 this state. Garm monitors the interactions of the
                 application with the underlying operating system to
                 enforce policies.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Dong:2011:PDA,
  author =       "Jing Dong and Reza Curtmola and Cristina
                 Nita-Rotaru",
  title =        "Practical defenses against pollution attacks in
                 wireless network coding",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "7:1--7:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952989",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Recent studies have shown that network coding can
                 provide significant benefits to network protocols, such
                 as increased throughput, reduced network congestion,
                 higher reliability, and lower power consumption. The
                 core principle of network coding is that intermediate
                 nodes actively mix input packets to produce output
                 packets. This mixing subjects network coding systems to
                 a severe security threat, known as a pollution attack,
                 where attacker nodes inject corrupted packets into the
                 network. Corrupted packets propagate in an epidemic
                 manner, depleting network resources and significantly
                 decreasing throughput. Pollution attacks are
                 particularly dangerous in wireless networks, where
                 attackers can easily inject packets or compromise
                 devices due to the increased network vulnerability.",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Schneider:2011:NAL,
  author =       "Fred B. Schneider and Kevin Walsh and Emin G{\"u}n
                 Sirer",
  title =        "{Nexus Authorization Logic (NAL)}: Design rationale
                 and applications",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "8:1--8:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952990",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Nexus Authorization Logic (NAL) provides a principled
                 basis for specifying and reasoning about credentials
                 and authorization policies. It extends prior access
                 control logics that are based on ``says'' and ``speaks
                 for'' operators. NAL enables authorization of access
                 requests to depend on (i) the source or pedigree of the
                 requester, (ii) the outcome of any mechanized analysis
                 of the requester, or (iii) the use of trusted software
                 to encapsulate or modify the requester. To illustrate
                 the convenience and expressive power of this approach
                 to authorization, a suite of document-viewer
                 applications was implemented to run on the Nexus
                 operating system.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bruns:2011:ACB,
  author =       "Glenn Bruns and Michael Huth",
  title =        "Access control via {Belnap} logic: Intuitive,
                 expressive, and analyzable policy composition",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "9:1--9:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952991",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Access control to IT systems increasingly relies on
                 the ability to compose policies. Hence there is benefit
                 in any framework for policy composition that is
                 intuitive, formal (and so ``analyzable'' and
                 ``implementable''), expressive, independent of specific
                 application domains, and yet able to be extended to
                 create domain-specific instances. Here we develop such
                 a framework based on Belnap logic. An access-control
                 policy is interpreted as a four-valued predicate that
                 maps access requests to either grant, deny, conflict,
                 or unspecified -- the four values of the Belnap
                 bilattice. We define an expressive access-control
                 policy language PBel, having composition operators
                 based on the operators of Belnap logic.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Coull:2011:ACO,
  author =       "Scott E. Coull and Matthew Green and Susan
                 Hohenberger",
  title =        "Access controls for oblivious and anonymous systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "10:1--10:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952992",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The use of privacy-enhancing cryptographic protocols,
                 such as anonymous credentials and oblivious transfer,
                 could have a detrimental effect on the ability of
                 providers to effectively implement access controls on
                 their content. In this article, we propose a stateful
                 anonymous credential system that allows the provider to
                 implement nontrivial, real-world access controls on
                 oblivious protocols conducted with anonymous users. Our
                 system models the behavior of users as a state machine
                 and embeds that state within an anonymous credential to
                 restrict access to resources based on the state
                 information. The use of state machine models of user
                 behavior allows the provider to restrict the users'
                 actions according to a wide variety of access control
                 models without learning anything about the users'
                 identities or actions.",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Burmester:2011:LRA,
  author =       "Mike Burmester and Jorge Munilla",
  title =        "Lightweight {RFID} authentication with forward and
                 backward security",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "11:1--11:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952993",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We propose a lightweight RFID authentication protocol
                 that supports forward and backward security. The only
                 cryptographic mechanism that this protocol uses is a
                 pseudorandom number generator (PRNG) that is shared
                 with the backend Server. Authentication is achieved by
                 exchanging a few numbers (3 or 5) drawn from the PRNG.
                 The lookup time is constant, and the protocol can be
                 easily adapted to prevent online man-in-the-middle
                 relay attacks. Security is proven in the UC security
                 framework.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ateniese:2011:RDC,
  author =       "Giuseppe Ateniese and Randal Burns and Reza Curtmola
                 and Joseph Herring and Osama Khan and Lea Kissner and
                 Zachary Peterson and Dawn Song",
  title =        "Remote data checking using provable data possession",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "12:1--12:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952994",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce a model for provable data possession
                 (PDP) that can be used for remote data checking: A
                 client that has stored data at an untrusted server can
                 verify that the server possesses the original data
                 without retrieving it. The model generates
                 probabilistic proofs of possession by sampling random
                 sets of blocks from the server, which drastically
                 reduces I/O costs. The client maintains a constant
                 amount of metadata to verify the proof. The
                 challenge/response protocol transmits a small, constant
                 amount of data, which minimizes network communication.
                 Thus, the PDP model for remote data checking is
                 lightweight and supports large data sets in distributed
                 storage systems.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Liu:2011:FDI,
  author =       "Yao Liu and Peng Ning and Michael K. Reiter",
  title =        "False data injection attacks against state estimation
                 in electric power grids",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "13:1--13:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952995",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A power grid is a complex system connecting electric
                 power generators to consumers through power
                 transmission and distribution networks across a large
                 geographical area. System monitoring is necessary to
                 ensure the reliable operation of power grids, and state
                 estimation is used in system monitoring to best
                 estimate the power grid state through analysis of meter
                 measurements and power system models. Various
                 techniques have been developed to detect and identify
                 bad measurements, including interacting bad
                 measurements introduced by arbitrary, nonrandom causes.
                 At first glance, it seems that these techniques can
                 also defeat malicious measurements injected by
                 attackers. In this article, we expose an unknown
                 vulnerability of existing bad measurement detection
                 algorithms by presenting and analyzing a new class of
                 attacks, called false data injection attacks, against
                 state estimation in electric power grids.",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Crampton:2011:PEC,
  author =       "Jason Crampton",
  title =        "Practical and efficient cryptographic enforcement of
                 interval-based access control policies",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "1",
  pages =        "14:1--14:??",
  month =        may,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/1952982.1952996",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Jun 2 07:27:23 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The enforcement of access control policies using
                 cryptography has received considerable attention in
                 recent years and the security of such enforcement
                 schemes is increasingly well understood. Recent work in
                 the area has considered the efficient enforcement of
                 temporal and geo-spatial access control policies, and
                 asymptotic results for the time and space complexity of
                 efficient enforcement schemes have been obtained.
                 However, for practical purposes, it is useful to have
                 explicit bounds for the complexity of enforcement
                 schemes. In this article we consider interval-based
                 access control policies, of which temporal and
                 geo-spatial access control policies are special cases.
                 We define enforcement schemes for interval-based access
                 control policies for which it is possible, in almost
                 all cases, to obtain exact values for the schemes'
                 complexity, thereby subsuming a substantial body of
                 work in the literature.",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Wang:2011:CAF,
  author =       "Tielei Wang and Tao Wei and Guofei Gu and Wei Zou",
  title =        "Checksum-Aware Fuzzing Combined with Dynamic Taint
                 Analysis and Symbolic Execution",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "15:1--15:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019600",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Basin:2011:FRA,
  author =       "David Basin and Srdjan Capkun and Patrick Schaller and
                 Benedikt Schmidt",
  title =        "Formal Reasoning about Physical Properties of Security
                 Protocols",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "16:1--16:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019601",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Crosby:2011:ADR,
  author =       "Scott A. Crosby and Dan S. Wallach",
  title =        "Authenticated Dictionaries: Real-World Costs and
                 Trade-Offs",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "17:1--17:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019602",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Appel:2011:SSV,
  author =       "Andrew W. Appel",
  title =        "Security Seals on Voting Machines: a Case Study",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "18:1--18:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019603",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "18",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Schreuders:2011:EEU,
  author =       "Z. Cliffe Schreuders and Tanya McGill and Christian
                 Payne",
  title =        "Empowering End Users to Confine Their Own
                 Applications: The Results of a Usability Study
                 Comparing {SELinux}, {AppArmor}, and {FBAC-LSM}",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "19:1--19:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019604",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "19",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Williams:2011:POO,
  author =       "Peter Williams and Radu Sion and Miroslava Sotakova",
  title =        "Practical Oblivious Outsourced Storage",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "20:1--20:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019605",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "20",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Xiang:2011:CFR,
  author =       "Guang Xiang and Jason Hong and Carolyn P. Rose and
                 Lorrie Cranor",
  title =        "{CANTINA+}: a Feature-Rich Machine Learning Framework
                 for Detecting Phishing {Web} Sites",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "2",
  pages =        "21:1--21:??",
  month =        sep,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2019599.2019606",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Oct 22 08:53:59 MDT 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "21",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Joshi:2011:GES,
  author =       "James Joshi and Barbara Carminati",
  title =        "Guest Editorial: {SACMAT 2009} and 2010",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "22:1--22:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043622",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "22",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Krishnan:2011:GCS,
  author =       "Ram Krishnan and Jianwei Niu and Ravi Sandhu and
                 William H. Winsborough",
  title =        "Group-Centric Secure Information-Sharing Models for
                 Isolated Groups",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "23:1--23:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043623",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Group-Centric Secure Information Sharing (g-SIS)
                 envisions bringing users and objects together in a
                 group to facilitate agile sharing of information
                 brought in from external sources as well as creation of
                 new information within the group. We expect g-SIS to be
                 orthogonal and complementary to authorization systems
                 deployed within participating organizations. The
                 metaphors ``secure meeting room'' and ``subscription
                 service'' characterize the g-SIS approach. The focus of
                 this article is on developing the foundations of
                 isolated g-SIS models. Groups are isolated in the sense
                 that membership of a user or an object in a group does
                 not affect their authorizations in other groups.",
  acknowledgement = ack-nhfb,
  articleno =    "23",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Mao:2011:CDP,
  author =       "Ziqing Mao and Ninghui Li and Hong Chen and Xuxian
                 Jiang",
  title =        "Combining Discretionary Policy with Mandatory
                 Information Flow in Operating Systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "24:1--24:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043624",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Discretionary Access Control (DAC) is the primary
                 access control mechanism in today's major operating
                 systems. It is, however, vulnerable to Trojan Horse
                 attacks and attacks exploiting buggy software. We
                 propose to combine the discretionary policy in DAC with
                 the dynamic information flow techniques in MAC,
                 therefore achieving the best of both worlds, that is,
                 the DAC's easy-to-use discretionary policy
                 specification and MAC's defense against threats caused
                 by Trojan Horses and buggy programs. We propose the
                 Information Flow Enhanced Discretionary Access Control
                 (IFEDAC) model that implements this design philosophy.
                 We describe our design of IFEDAC, and discuss its
                 relationship with the Usable Mandatory Integrity
                 Protection (UMIP) model proposed earlier by us.",
  acknowledgement = ack-nhfb,
  articleno =    "24",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Leighton:2011:ACP,
  author =       "Gregory Leighton and Denilson Barbosa",
  title =        "Access Control Policy Translation, Verification, and
                 Minimization within Heterogeneous Data Federations",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "25:1--25:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043625",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Data federations provide seamless access to multiple
                 heterogeneous and autonomous data sources pertaining to
                 a large organization. As each source database defines
                 its own access control policies for a set of local
                 identities, enforcing such policies across the
                 federation becomes a challenge. In this article, we
                 first consider the problem of translating existing
                 access control policies defined over source databases
                 in a manner that allows the original semantics to be
                 observed while becoming applicable across the entire
                 data federation. We show that such a translation is
                 always possible, and provide an algorithm for
                 automating the translation. We show that verifying
                 whether a translated policy obeys the semantics of the
                 original access control policy defined over a source
                 database is intractable, even under restrictive
                 scenarios.",
  acknowledgement = ack-nhfb,
  articleno =    "25",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chan:2011:PCR,
  author =       "T.-H. Hubert Chan and Elaine Shi and Dawn Song",
  title =        "Private and Continual Release of Statistics",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "26:1--26:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043626",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We ask the question: how can Web sites and data
                 aggregators continually release updated statistics, and
                 meanwhile preserve each individual user's privacy?
                 Suppose we are given a stream of 0's and 1's. We
                 propose a differentially private continual counter that
                 outputs at every time step the approximate number of
                 1's seen thus far. Our counter construction has error
                 that is only poly-log in the number of time steps. We
                 can extend the basic counter construction to allow Web
                 sites to continually give top-k and hot items
                 suggestions while preserving users' privacy.",
  acknowledgement = ack-nhfb,
  articleno =    "26",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chan-Tin:2011:FBA,
  author =       "Eric Chan-Tin and Victor Heorhiadi and Nicholas Hopper
                 and Yongdae Kim",
  title =        "The {Frog-Boiling} Attack: Limitations of Secure
                 Network Coordinate Systems",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "3",
  pages =        "27:1--27:??",
  month =        nov,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043621.2043627",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 15 09:12:37 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A network coordinate system assigns Euclidean
                 ``virtual'' coordinates to every node in a network to
                 allow easy estimation of network latency between pairs
                 of nodes that have never contacted each other. These
                 systems have been implemented in a variety of
                 applications, most notably the popular Vuze BitTorrent
                 client. Zage and Nita-Rotaru (at CCS 2007) and
                 independently, Kaafar et al. (at SIGCOMM 2007),
                 demonstrated that several widely-cited network
                 coordinate systems are prone to simple attacks, and
                 proposed mechanisms to defeat these attacks using
                 outlier detection to filter out adversarial inputs.
                 Kaafar et al. goes a step further and requires that a
                 fraction of the network is trusted. More recently,
                 Sherr et al. (at USENIX ATC 2009) proposed Veracity, a
                 distributed reputation system to secure network
                 coordinate systems. We describe a new attack on network
                 coordinate systems, Frog-Boiling, that defeats all of
                 these defenses. Thus, even a system with trusted
                 entities is still vulnerable to attacks. Moreover,
                 having witnesses vouch for your coordinates as in
                 Veracity does not prevent our attack. Finally, we
                 demonstrate empirically that the Frog-Boiling attack is
                 more disruptive than the previously known attacks:
                 systems that attempt to reject ``bad'' inputs by
                 statistical means or reputation cannot be used to
                 secure a network coordinate system.",
  acknowledgement = ack-nhfb,
  articleno =    "27",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gorantla:2011:MKC,
  author =       "M. C. Gorantla and Colin Boyd and Juan Manuel
                 Gonz{\'a}lez Nieto and Mark Manulis",
  title =        "Modeling key compromise impersonation attacks on group
                 key exchange protocols",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "28:1--28:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043628.2043629",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Two-party key exchange (2PKE) protocols have been
                 rigorously analyzed under various models considering
                 different adversarial actions. However, the analysis of
                 group key exchange (GKE) protocols has not been as
                 extensive as that of 2PKE protocols. Particularly, an
                 important security attribute called key compromise
                 impersonation (KCI) resilience has been completely
                 ignored for the case of GKE protocols. Informally, a
                 protocol is said to provide KCI resilience if the
                 compromise of the long-term secret key of a protocol
                 participant A does not allow the adversary to
                 impersonate an honest participant B to A. In this
                 paper, we argue that KCI resilience for GKE protocols
                 is at least as important as it is for 2PKE protocols.",
  acknowledgement = ack-nhfb,
  articleno =    "28",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Au:2011:PPT,
  author =       "M. Ho Au and P. P. Tsang and A. Kapadia",
  title =        "{PEREA}: Practical {TTP}-free revocation of repeatedly
                 misbehaving anonymous users",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "29:1--29:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043628.2043630",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Several anonymous authentication schemes allow servers
                 to revoke a misbehaving user's ability to make future
                 accesses. Traditionally, these schemes have relied on
                 powerful Trusted Third Parties (TTPs) capable of
                 deanonymizing (or linking) users' connections. Such
                 TTPs are undesirable because users' anonymity is not
                 guaranteed, and users must trust them to judge
                 misbehaviors fairly. Recent schemes such as
                 Blacklistable Anonymous Credentials (BLAC) and Enhanced
                 Privacy ID (EPID) support ``privacy-enhanced
                 revocation''--- servers can revoke misbehaving users
                 without a TTP's involvement, and without learning the
                 revoked users' identities. In BLAC and EPID, however,
                 the computation required for authentication at the
                 server is linear in the size (L) of the revocation
                 list, which is impractical as the size approaches
                 thousands of entries.",
  acknowledgement = ack-nhfb,
  articleno =    "29",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Li:2011:TRP,
  author =       "Yingjiu Li and Robert H. Deng and Junzuo Lai and
                 Changshe Ma",
  title =        "On two {RFID} privacy notions and their relations",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "30:1--30:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043628.2043631",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Privacy of RFID systems is receiving increasing
                 attention in the RFID community. Basically, there are
                 two kinds of RFID privacy notions in the literature:
                 one based on the indistinguishability of two tags,
                 denoted as ind-privacy, and the other based on the
                 unpredictability of the output of an RFID protocol,
                 denoted as unp-privacy. In this article, we first
                 revisit the existing unpredictability-based RFID
                 privacy models and point out their limitations. We then
                 propose a new RFID privacy model, denoted as
                 unp*-privacy, based on the indistinguishability of a
                 real tag and a virtual tag. We formally clarify its
                 relationship with the ind-privacy model.",
  acknowledgement = ack-nhfb,
  articleno =    "30",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Burkhart:2011:PPD,
  author =       "Martin Burkhart and Xenofontas Dimitropoulos",
  title =        "Privacy-preserving distributed network
                 troubleshooting---bridging the gap between theory and
                 practice",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "31:1--31:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043628.2043632",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Today, there is a fundamental imbalance in
                 cybersecurity. While attackers act more and more
                 globally and coordinated, network defense is limited to
                 examine local information only due to privacy concerns.
                 To overcome this privacy barrier, we use secure
                 multiparty computation (MPC) for the problem of
                 aggregating network data from multiple domains. We
                 first optimize MPC comparison operations for processing
                 high volume data in near real-time by not enforcing
                 protocols to run in a constant number of
                 synchronization rounds. We then implement a complete
                 set of basic MPC primitives in the SEPIA library. For
                 parallel invocations, SEPIA's basic operations are
                 between 35 and several hundred times faster than those
                 of comparable MPC frameworks.",
  acknowledgement = ack-nhfb,
  articleno =    "31",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bethea:2011:SSV,
  author =       "Darrell Bethea and Robert A. Cochran and Michael K.
                 Reiter",
  title =        "Server-side verification of client behavior in online
                 games",
  journal =      j-TISSEC,
  volume =       "14",
  number =       "4",
  pages =        "32:1--32:??",
  month =        dec,
  year =         "2011",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2043628.2043633",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Dec 22 18:15:07 MST 2011",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Online gaming is a lucrative and growing industry but
                 one that is slowed by cheating that compromises the
                 gaming experience and hence drives away players (and
                 revenue). In this paper we develop a technique by which
                 game developers can enable game operators to validate
                 the behavior of game clients as being consistent with
                 valid execution of the sanctioned client software. Our
                 technique employs symbolic execution of the client
                 software to extract constraints on client-side state
                 implied by each client-to-server message, and then uses
                 constraint solving to determine whether the sequence of
                 client-to-server messages can be ``explained'' by any
                 possible user inputs, in light of the server-to-client
                 messages already received.",
  acknowledgement = ack-nhfb,
  articleno =    "32",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Syverson:2012:GES,
  author =       "Paul Syverson and Somesh Jha",
  title =        "Guest Editorial: Special Issue on Computer and
                 Communications Security",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "1:1--1:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2133375.2133376",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Roemer:2012:ROP,
  author =       "Ryan Roemer and Erik Buchanan and Hovav Shacham and
                 Stefan Savage",
  title =        "Return-Oriented Programming: Systems, Languages, and
                 Applications",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "2:1--2:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2133375.2133377",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce return-oriented programming, a technique
                 by which an attacker can induce arbitrary behavior in a
                 program whose control flow he has diverted, without
                 injecting any code. A return-oriented program chains
                 together short instruction sequences already present in
                 a program's address space, each of which ends in a
                 ``return'' instruction. Return-oriented programming
                 defeats the $W \oplus X$ protections recently deployed
                 by Microsoft, Intel, and AMD; in this context, it can
                 be seen as a generalization of traditional
                 return-into-libc attacks. But the threat is more
                 general. Return-oriented programming is readily
                 exploitable on multiple architectures and systems. It
                 also bypasses an entire category of security
                 measures---those that seek to prevent malicious
                 computation by preventing the execution of malicious
                 code. To demonstrate the wide applicability of
                 return-oriented programming, we construct a
                 Turing-complete set of building blocks called gadgets
                 using the standard C libraries of two very different
                 architectures: Linux/x86 and Solaris/SPARC. To
                 demonstrate the power of return-oriented programming,
                 we present a high-level, general-purpose language for
                 describing return-oriented exploits and a compiler that
                 translates it to gadgets.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bhargavan:2012:VCI,
  author =       "Karthikeyan Bhargavan and C{\'e}dric Fournet and
                 Ricardo Corin and Eugen Zalinescu",
  title =        "Verified Cryptographic Implementations for {TLS}",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "3:1--3:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2133375.2133378",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We narrow the gap between concrete implementations of
                 cryptographic protocols and their verified models. We
                 develop and verify a small functional implementation of
                 the Transport Layer Security protocol (TLS 1.0). We
                 make use of the same executable code for
                 interoperability testing against mainstream
                 implementations for automated symbolic cryptographic
                 verification and automated computational cryptographic
                 verification. We rely on a combination of recent tools
                 and also develop a new tool for extracting
                 computational models from executable code. We obtain
                 strong security guarantees for TLS as used in typical
                 deployments.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Camenisch:2012:EAA,
  author =       "Jan Camenisch and Thomas Gro{\ss}",
  title =        "Efficient Attributes for Anonymous Credentials",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "4:1--4:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2133375.2133379",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We extend the Camenisch-Lysyanskaya anonymous
                 credential system such that selective disclosure of
                 attributes becomes highly efficient. The resulting
                 system significantly improves upon existing approaches,
                 which suffer from a linear number of modular
                 exponentiations in the total number of attributes. This
                 limitation makes them unfit for many practical
                 applications, such as electronic identity cards. Our
                 novel approach can incorporate a large number of binary
                 and finite-set attributes without significant
                 performance impact. It compresses all such attributes
                 into a single attribute base and, thus, boosts the
                 efficiency of all proofs of possession. The core idea
                 is to encode discrete binary and finite-set values as
                 prime numbers. We then use the divisibility property
                 for efficient proofs of their presence or absence. In
                 addition, we contribute efficient methods for
                 conjunctions and disjunctions. The system builds on the
                 strong RSA assumption. We demonstrate the aptness of
                 our method in realistic application scenarios, notably
                 electronic identity cards, and show its advantages for
                 small devices, such as smartcards and cell phones.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Mittal:2012:ILS,
  author =       "Prateek Mittal and Nikita Borisov",
  title =        "Information Leaks in Structured Peer-to-Peer Anonymous
                 Communication Systems",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "1",
  pages =        "5:1--5:??",
  month =        mar,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2133375.2133380",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Sat Mar 24 09:45:43 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We analyze information leaks in the lookup mechanisms
                 of structured peer-to-peer (P2P) anonymous
                 communication systems and how these leaks can be used
                 to compromise anonymity. We show that the techniques
                 used to combat active attacks on the lookup mechanism
                 dramatically increase information leaks and the
                 efficacy of passive attacks, resulting in a tradeoff
                 between robustness to active and passive attacks. We
                 study this tradeoff in two P2P anonymous systems: Salsa
                 and AP3. In both cases, we find that, by combining both
                 passive and active attacks, anonymity can be
                 compromised much more effectively than previously
                 thought, rendering these systems insecure for most
                 proposed uses. Our results hold even if security
                 parameters are changed or other improvements to the
                 systems are considered. Our study, therefore, shows the
                 importance of considering these attacks in P2P
                 anonymous communication.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gilad:2012:LDA,
  author =       "Yossi Gilad and Amir Herzberg",
  title =        "{LOT}: a Defense Against {IP} Spoofing and Flooding
                 Attacks",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "6:1--6:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2240276.2240277",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present LOT, a lightweight plug and play secure
                 tunneling protocol deployed at network gateways. Two
                 communicating gateways, A and B, running LOT would
                 automatically detect each other and establish an
                 efficient tunnel, securing communication between them.
                 LOT tunnels allow A to discard spoofed packets that
                 specify source addresses in B's network and vice versa.
                 This helps to mitigate many attacks, including DNS
                 poisoning, network scans, and most notably
                 (Distributed) Denial of Service (DoS). LOT tunnels
                 provide several additional defenses against DoS
                 attacks. Specifically, since packets received from
                 LOT-protected networks cannot be spoofed, LOT gateways
                 implement quotas, identifying and blocking packet
                 floods from specific networks. Furthermore, a receiving
                 LOT gateway (e.g., B) can send the quota assigned to
                 each tunnel to the peer gateway (A), which can then
                 enforce near-source quotas, reducing waste and
                 congestion by filtering excessive traffic before it
                 leaves the source network. Similarly, LOT tunnels
                 facilitate near-source filtering, where the sending
                 gateway discards packets based on filtering rules
                 defined by the destination gateway. LOT gateways also
                 implement an intergateway congestion detection
                 mechanism, allowing sending gateways to detect when
                 their packets get dropped before reaching the
                 destination gateway and to perform appropriate
                 near-source filtering to block the congesting traffic;
                 this helps against DoS attacks on the backbone
                 connecting the two gateways. LOT is practical: it is
                 easy to manage (plug and play, requires no coordination
                 between gateways), deployed incrementally at edge
                 gateways (not at hosts and core routers), and has
                 negligible overhead in terms of bandwidth and
                 processing, as we validate experimentally. LOT storage
                 requirements are also modest.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Danev:2012:TPI,
  author =       "Boris Danev and Srdjan Capkun and Ramya Jayaram Masti
                 and Thomas S. Benjamin",
  title =        "Towards Practical Identification of {HF RFID}
                 Devices",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "7:1--7:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2240276.2240278",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The deployment of RFID poses a number of security and
                 privacy threats such as cloning, unauthorized tracking,
                 etc. Although the literature contains many
                 investigations of these issues on the logical level,
                 few works have explored the security implications of
                 the physical communication layer. Recently, related
                 studies have shown the feasibility of identifying
                 RFID-enabled devices based on physical-layer
                 fingerprints. In this work, we leverage on these
                 findings and demonstrate that physical-layer
                 identification of HF RFID devices is also practical,
                 that is, can achieve high accuracy and stability. We
                 propose an improved hardware setup and enhanced
                 techniques for fingerprint extraction and matching. Our
                 new system enables device identification with an Equal
                 Error Rate as low as 0.005 (0.5\%) on a set 50 HF RFID
                 smart cards of the same manufacturer and type. We
                 further investigate the fingerprint stability over an
                 extended period of time and across different
                 acquisition setups. In the latter case, we propose a
                 solution based on channel equalization that preserves
                 the fingerprint quality across setups. Our results
                 strengthen the practical use of physical-layer
                 identification of RFID devices in product and document
                 anti-counterfeiting solutions.",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Abadi:2012:PLR,
  author =       "Mart{\'\i}n Abadi and Gordon D. Plotkin",
  title =        "On Protection by Layout Randomization",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "8:1--8:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2240276.2240279",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Layout randomization is a powerful, popular technique
                 for software protection. We present it and study it in
                 programming-language terms. More specifically, we
                 consider layout randomization as part of an
                 implementation for a high-level programming language;
                 the implementation translates this language to a
                 lower-level language in which memory addresses are
                 numbers. We analyze this implementation, by relating
                 low-level attacks against the implementation to
                 contexts in the high-level programming language, and by
                 establishing full abstraction results.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Yavuz:2012:BFB,
  author =       "Attila A. Yavuz and Peng Ning and Michael K. Reiter",
  title =        "{BAF} and {FI-BAF}: Efficient and Publicly Verifiable
                 Cryptographic Schemes for Secure Logging in
                 Resource-Constrained Systems",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "9:1--9:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2240276.2240280",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Audit logs are an integral part of modern computer
                 systems due to their forensic value. Protecting audit
                 logs on a physically unprotected machine in hostile
                 environments is a challenging task, especially in the
                 presence of active adversaries. It is critical for such
                 a system to have forward security and append-only
                 properties such that when an adversary compromises a
                 logging machine, she cannot forge or selectively delete
                 the log entries accumulated before the compromise.
                 Existing public-key-based secure logging schemes are
                 computationally costly. Existing symmetric secure
                 logging schemes are not publicly verifiable and open to
                 certain attacks. In this article, we develop a new
                 forward-secure and aggregate signature scheme called
                 Blind-Aggregate-Forward (BAF), which is suitable for
                 secure logging in resource-constrained systems. BAF is
                 the only cryptographic secure logging scheme that can
                 produce publicly verifiable, forward-secure and
                 aggregate signatures with low computation,
                 key/signature storage, and signature communication
                 overheads for the loggers, without requiring any online
                 trusted third party support. A simple variant of BAF
                 also allows a fine-grained verification of log entries
                 without compromising the security or computational
                 efficiency of BAF. We prove that our schemes are secure
                 in Random Oracle Model (ROM). We also show that they
                 are significantly more efficient than all the previous
                 publicly verifiable cryptographic secure logging
                 schemes.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Khoury:2012:CEN,
  author =       "Rapha{\"e}l Khoury and Nadia Tawbi",
  title =        "Corrective Enforcement: a New Paradigm of Security
                 Policy Enforcement by Monitors",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "2",
  pages =        "10:1--10:??",
  month =        jul,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2240276.2240281",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Tue Jul 31 17:02:31 MDT 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Runtime monitoring is an increasingly popular method
                 to ensure the safe execution of untrusted codes.
                 Monitors observe and transform the execution of these
                 codes, responding when needed to correct or prevent a
                 violation of a user-defined security policy. Prior
                 research has shown that the set of properties monitors
                 can enforce correlates with the latitude they are given
                 to transform and alter the target execution. But for
                 enforcement to be meaningful this capacity must be
                 constrained, otherwise the monitor can enforce any
                 property, but not necessarily in a manner that is
                 useful or desirable. However, such constraints have not
                 been significantly addressed in prior work. In this
                 article, we develop a new paradigm of security policy
                 enforcement in which the behavior of the enforcement
                 mechanism is restricted to ensure that valid aspects
                 present in the execution are preserved notwithstanding
                 any transformation it may perform. These restrictions
                 capture the desired behavior of valid executions of the
                 program, and are stated by way of a preorder over
                 sequences. The resulting model is closer than previous
                 ones to what would be expected of a real-life monitor,
                 from which we demand a minimal footprint on both valid
                 and invalid executions. We illustrate this framework
                 with examples of real-life security properties. Since
                 several different enforcement alternatives of the same
                 property are made possible by the flexibility of this
                 type of enforcement, our study also provides metrics
                 that allow the user to compare monitors objectively and
                 choose the best enforcement paradigm for a given
                 situation.",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Danner:2012:EDD,
  author =       "Norman Danner and Sam Defabbia-Kane and Danny Krizanc
                 and Marc Liberatore",
  title =        "Effectiveness and detection of denial-of-service
                 attacks in {Tor}",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "3",
  pages =        "11:1--11:??",
  month =        nov,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2382448.2382449",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 28 17:25:14 MST 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Tor is one of the more popular systems for anonymizing
                 near-real-time communications on the Internet. Borisov
                 et al. [2007] proposed a denial-of-service-based attack
                 on Tor (and related systems) that significantly
                 increases the probability of compromising the anonymity
                 provided. In this article, we analyze the effectiveness
                 of the attack using both an analytic model and
                 simulation. We also describe two algorithms for
                 detecting such attacks, one deterministic and proved
                 correct, the other probabilistic and verified in
                 simulation.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Brennan:2012:ASC,
  author =       "Michael Brennan and Sadia Afroz and Rachel
                 Greenstadt",
  title =        "Adversarial stylometry: Circumventing authorship
                 recognition to preserve privacy and anonymity",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "3",
  pages =        "12:1--12:??",
  month =        nov,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2382448.2382450",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 28 17:25:14 MST 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The use of stylometry, authorship recognition through
                 purely linguistic means, has contributed to literary,
                 historical, and criminal investigation breakthroughs.
                 Existing stylometry research assumes that authors have
                 not attempted to disguise their linguistic writing
                 style. We challenge this basic assumption of existing
                 stylometry methodologies and present a new area of
                 research: adversarial stylometry. Adversaries have a
                 devastating effect on the robustness of existing
                 classification methods. Our work presents a framework
                 for creating adversarial passages including
                 obfuscation, where a subject attempts to hide her
                 identity, and imitation, where a subject attempts to
                 frame another subject by imitating his writing style,
                 and translation where original passages are obfuscated
                 with machine translation services. This research
                 demonstrates that manual circumvention methods work
                 very well while automated translation methods are not
                 effective. The obfuscation method reduces the
                 techniques' effectiveness to the level of random
                 guessing and the imitation attempts succeed up to 67\%
                 of the time depending on the stylometry technique used.
                 These results are more significant given the fact that
                 experimental subjects were unfamiliar with stylometry,
                 were not professional writers, and spent little time on
                 the attacks. This article also contributes to the field
                 by using human subjects to empirically validate the
                 claim of high accuracy for four current techniques
                 (without adversaries). We have also compiled and
                 released two corpora of adversarial stylometry texts to
                 promote research in this field with a total of 57
                 unique authors. We argue that this field is important
                 to a multidisciplinary approach to privacy, security,
                 and anonymity.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Basin:2012:DEA,
  author =       "David Basin and Samuel J. Burri and G{\"u}nter
                 Karjoth",
  title =        "Dynamic enforcement of abstract separation of duty
                 constraints",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "3",
  pages =        "13:1--13:??",
  month =        nov,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2382448.2382451",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 28 17:25:14 MST 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Separation of Duties (SoD) aims at preventing fraud
                 and errors by distributing tasks and associated
                 authorizations among multiple users. Li and Wang [2008]
                 proposed an algebra (SoDA) for specifying SoD
                 requirements, which is both expressive in the
                 requirements it formalizes and abstract in that it is
                 not bound to a workflow model. In this article, we
                 bridge the gap between the specification of SoD
                 constraints modeled in SoDA and their enforcement in a
                 dynamic, service-oriented enterprise environment. We
                 proceed by generalizing SoDA's semantics to traces,
                 modeling workflow executions that satisfy the
                 respective SoDA terms. We then refine the set of traces
                 induced by a SoDA term to also account for a workflow's
                 control-flow and role-based authorizations. Our
                 formalization, which is based on the process algebra
                 CSP, supports the enforcement of SoD on general
                 workflows and handles changing role assignments during
                 workflow execution, addressing a well-known source of
                 fraud. The resulting CSP model serves as blueprint for
                 a distributed and loosely coupled architecture where
                 SoD enforcement is provisioned as a service. This
                 concept, which we call SoD as a Service, facilitates a
                 separation of concerns between business experts and
                 security professionals. As a result, integration and
                 configuration efforts are minimized and enterprises can
                 quickly adapt to organizational, regulatory, and
                 technological changes. We describe an implementation of
                 SoD as a Service, which combines commercial components
                 such as a workflow engine with newly developed
                 components such as an SoD enforcement monitor. To
                 evaluate our design decisions and to demonstrate the
                 feasibility of our approach, we present a case study of
                 a drug dispensation workflow deployed in a hospital.",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Feigenbaum:2012:PAO,
  author =       "Joan Feigenbaum and Aaron Johnson and Paul Syverson",
  title =        "Probabilistic analysis of onion routing in a black-box
                 model",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "3",
  pages =        "14:1--14:??",
  month =        nov,
  year =         "2012",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2382448.2382452",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Wed Nov 28 17:25:14 MST 2012",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We perform a probabilistic analysis of onion routing.
                 The analysis is presented in a black-box model of
                 anonymous communication in the Universally Composable
                 (UC) framework that abstracts the essential properties
                 of onion routing in the presence of an active adversary
                 who controls a portion of the network and knows all a
                 priori distributions on user choices of destination.
                 Our results quantify how much the adversary can gain in
                 identifying users by exploiting knowledge of their
                 probabilistic behavior. In particular, we show that, in
                 the limit as the network gets large, a user u's
                 anonymity is worst either when the other users always
                 choose the destination u is least likely to visit or
                 when the other users always choose the destination u
                 chooses. This worst-case anonymity with an adversary
                 that controls a fraction b of the routers is shown to
                 be comparable to the best-case anonymity against an
                 adversary that controls a fraction $\sqrt b$.",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Frank:2013:RMP,
  author =       "Mario Frank and Joachim M. Buhman and David Basin",
  title =        "Role Mining with Probabilistic Models",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "4",
  pages =        "15:1--15:??",
  month =        apr,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2445566.2445567",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Apr 4 18:18:20 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Role mining tackles the problem of finding a
                 role-based access control (RBAC) configuration, given
                 an access-control matrix assigning users to access
                 permissions as input. Most role-mining approaches work
                 by constructing a large set of candidate roles and use
                 a greedy selection strategy to iteratively pick a small
                 subset such that the differences between the resulting
                 RBAC configuration and the access control matrix are
                 minimized. In this article, we advocate an alternative
                 approach that recasts role mining as an inference
                 problem rather than a lossy compression problem.
                 Instead of using combinatorial algorithms to minimize
                 the number of roles needed to represent the
                 access-control matrix, we derive probabilistic models
                 to learn the RBAC configuration that most likely
                 underlies the given matrix. Our models are generative
                 in that they reflect the way that permissions are
                 assigned to users in a given RBAC configuration. We
                 additionally model how user-permission assignments that
                 conflict with an RBAC configuration emerge and we
                 investigate the influence of constraints on role
                 hierarchies and on the number of assignments. In
                 experiments with access-control matrices from
                 real-world enterprises, we compare our proposed models
                 with other role-mining methods. Our results show that
                 our probabilistic models infer roles that generalize
                 well to new system users for a wide variety of data,
                 while other models' generalization abilities depend on
                 the dataset given.",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gilad:2013:FCV,
  author =       "Yossi Gilad and Amir Herzberg",
  title =        "Fragmentation Considered Vulnerable",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "4",
  pages =        "16:1--16:??",
  month =        apr,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2445566.2445568",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Apr 4 18:18:20 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We show that fragmented IPv4 and IPv6 traffic is
                 vulnerable to effective interception and
                 denial-of-service (DoS) attacks by an off-path
                 attacker. Specifically, we demonstrate a weak attacker
                 intercepting more than 80\% of the data between peers
                 and causing over 94\% loss rate. We show that our
                 attacks are practical through experimental validation
                 on popular industrial and open-source products, with
                 realistic network setups that involve NAT or tunneling
                 and include concurrent legitimate traffic as well as
                 packet losses. The interception attack requires a
                 zombie agent behind the same NAT or tunnel-gateway as
                 the victim destination; the DoS attack only requires a
                 puppet agent, that is, a sandboxed applet or script
                 running in web-browser context. The complexity of our
                 attacks depends on the predictability of the IP
                 Identification (ID) field which is typically
                 implemented as one or multiple counters, as allowed and
                 recommended by the IP specifications. The attacks are
                 much simpler and more efficient for implementations,
                 such as Windows, which use one ID counter for all
                 destinations. Therefore, much of our focus is on
                 presenting effective attacks for implementations, such
                 as Linux, which use per-destination ID counters. We
                 present practical defenses for the attacks presented in
                 this article, the defenses can be deployed on network
                 firewalls without changes to hosts or operating system
                 kernel.",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Ali:2013:AAD,
  author =       "Muhammad Qasim Ali and Ehab Al-Shaer and Hassan Khan
                 and Syed Ali Khayam",
  title =        "Automated Anomaly Detector Adaptation using Adaptive
                 Threshold Tuning",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "4",
  pages =        "17:1--17:??",
  month =        apr,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2445566.2445569",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Apr 4 18:18:20 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Real-time network- and host-based Anomaly Detection
                 Systems (ADSs) transform a continuous stream of input
                 data into meaningful and quantifiable anomaly scores.
                 These scores are subsequently compared to a fixed
                 detection threshold and classified as either benign or
                 malicious. We argue that a real-time ADS' input changes
                 considerably over time and a fixed threshold value
                 cannot guarantee good anomaly detection accuracy for
                 such a time-varying input. In this article, we propose
                 a simple and generic technique to adaptively tune the
                 detection threshold of any ADS that works on threshold
                 method. To this end, we first perform statistical and
                 information-theoretic analysis of network- and
                 host-based ADSs' anomaly scores to reveal a consistent
                 time correlation structure during benign activity
                 periods. We model the observed correlation structure
                 using Markov chains, which are in turn used in a
                 stochastic target tracking framework to adapt an ADS'
                 detection threshold in accordance with real-time
                 measurements. We also use statistical techniques to
                 make the proposed algorithm resilient to sporadic
                 changes and evasion attacks. In order to evaluate the
                 proposed approach, we incorporate the proposed adaptive
                 thresholding module into multiple ADSs and evaluate
                 those ADSs over comprehensive and independently
                 collected network and host attack datasets. We show
                 that, while reducing the need of human threshold
                 configuration, the proposed technique provides
                 considerable and consistent accuracy improvements for
                 all evaluated ADSs.",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jayaraman:2013:MAR,
  author =       "Karthick Jayaraman and Mahesh Tripunitara and Vijay
                 Ganesh and Martin Rinard and Steve Chapin",
  title =        "{Mohawk}: Abstraction-Refinement and Bound-Estimation
                 for Verifying Access Control Policies",
  journal =      j-TISSEC,
  volume =       "15",
  number =       "4",
  pages =        "18:1--18:??",
  month =        apr,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2445566.2445570",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Thu Apr 4 18:18:20 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Verifying that access-control systems maintain desired
                 security properties is recognized as an important
                 problem in security. Enterprise access-control systems
                 have grown to protect tens of thousands of resources,
                 and there is a need for verification to scale
                 commensurately. We present techniques for
                 abstraction-refinement and bound-estimation for bounded
                 model checkers to automatically find errors in
                 Administrative Role-Based Access Control (ARBAC)
                 security policies. ARBAC is the first and most
                 comprehensive administrative scheme for Role-Based
                 Access Control (RBAC) systems. In the
                 abstraction-refinement portion of our approach, we
                 identify and discard roles that are unlikely to be
                 relevant to the verification question (the abstraction
                 step). We then restore such abstracted roles
                 incrementally (the refinement steps). In the
                 bound-estimation portion of our approach, we lower the
                 estimate of the diameter of the reachability graph from
                 the worst-case by recognizing relationships between
                 roles and state-change rules. Our techniques complement
                 one another, and are used with conventional bounded
                 model checking. Our approach is sound and complete: an
                 error is found if and only if it exists. We have
                 implemented our technique in an access-control policy
                 analysis tool called Mohawk. We show empirically that
                 Mohawk scales well to realistic policies, and provide a
                 comparison with prior tools.",
  acknowledgement = ack-nhfb,
  articleno =    "18",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Philippaerts:2013:CMC,
  author =       "Pieter Philippaerts and Yves Younan and Stijn Muylle
                 and Frank Piessens and Sven Lachmund and Thomas
                 Walter",
  title =        "{CPM}: Masking Code Pointers to Prevent Code Injection
                 Attacks",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "1",
  pages =        "1:1--1:??",
  month =        jun,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2487222.2487223",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Fri Jun 14 19:25:26 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Code Pointer Masking (CPM) is a novel countermeasure
                 against code injection attacks on native code. By
                 enforcing the correct semantics of code pointers, CPM
                 thwarts attacks that modify code pointers to divert the
                 application's control flow. It does not rely on secret
                 values such as stack canaries and protects against
                 attacks that are not addressed by state-of-the-art
                 countermeasures of similar performance. This article
                 reports on two prototype implementations on very
                 distinct processor architectures, showing that the idea
                 behind CPM is portable. The evaluation also shows that
                 the overhead of using our countermeasure is very small
                 and the security benefits are substantial.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Cobb:2013:LMS,
  author =       "William E. Cobb and Rusty O. Baldwin and Eric D.
                 Laspe",
  title =        "Leakage Mapping: a Systematic Methodology for
                 Assessing the Side-Channel Information Leakage of
                 Cryptographic Implementations",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "1",
  pages =        "2:1--2:??",
  month =        jun,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2487222.2487224",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Fri Jun 14 19:25:26 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We propose a generalized framework to evaluate the
                 side-channel information leakage of symmetric block
                 ciphers. The leakage mapping methodology enables the
                 systematic and efficient identification and mitigation
                 of problematic information leakages by exhaustively
                 considering relevant leakage models. The evaluation
                 procedure bounds the anticipated resistance of an
                 implementation to the general class of univariate
                 differential side-channel analysis techniques. Typical
                 applications are demonstrated using the well-known
                 Hamming weight and Hamming distance leakage models,
                 with recommendations for the incorporation of more
                 accurate models. The evaluation results are empirically
                 validated against correlation-based differential
                 side-channel analysis attacks on two typical
                 unprotected implementations of the Advanced Encryption
                 Standard.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Basin:2013:ESP,
  author =       "David Basin and Vincent Jug{\'e} and Felix Klaedtke
                 and Eugen Zalinescu",
  title =        "Enforceable Security Policies Revisited",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "1",
  pages =        "3:1--3:??",
  month =        jun,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2487222.2487225",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Fri Jun 14 19:25:26 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We revisit Schneider's work on policy enforcement by
                 execution monitoring. We overcome limitations of
                 Schneider's setting by distinguishing between system
                 actions that are controllable by an enforcement
                 mechanism and those actions that are only observable,
                 that is, the enforcement mechanism sees them but cannot
                 prevent their execution. For this refined setting, we
                 give necessary and sufficient conditions on when a
                 security policy is enforceable. To state these
                 conditions, we generalize the standard notion of safety
                 properties. Our classification of system actions also
                 allows one, for example, to reason about the
                 enforceability of policies that involve timing
                 constraints. Furthermore, for different specification
                 languages, we investigate the decision problem of
                 whether a given policy is enforceable. We provide
                 complexity results and show how to synthesize an
                 enforcement mechanism from an enforceable policy.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Crampton:2013:PCK,
  author =       "Jason Crampton and Gregory Gutin and Anders Yeo",
  title =        "On the Parameterized Complexity and Kernelization of
                 the Workflow Satisfiability Problem",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "1",
  pages =        "4:1--4:??",
  month =        jun,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2487222.2487226",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Fri Jun 14 19:25:26 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A workflow specification defines a set of steps and
                 the order in which these steps must be executed.
                 Security requirements may impose constraints on which
                 groups of users are permitted to perform subsets of
                 these steps. A workflow specification is said to be
                 satisfiable if there exists an assignment of users to
                 workflow steps that satisfies all the constraints. An
                 algorithm for determining whether such an assignment
                 exists is important, both as a static analysis tool for
                 workflow specifications and for the construction of
                 runtime reference monitors for workflow management
                 systems. Finding such an assignment is a hard problem
                 in general, but work by Wang and Li [2010] using the
                 theory of parameterized complexity suggests that
                 efficient algorithms exist under reasonable assumptions
                 about workflow specifications. In this article, we
                 improve the complexity bounds for the workflow
                 satisfiability problem. We also generalize and extend
                 the types of constraints that may be defined in a
                 workflow specification and prove that the
                 satisfiability problem remains fixed-parameter
                 tractable for such constraints. Finally, we consider
                 preprocessing for the problem and prove that in an
                 important special case, in polynomial time, we can
                 reduce the given input into an equivalent one where the
                 number of users is at most the number of steps. We also
                 show that no such reduction exists for two natural
                 extensions of this case, which bounds the number of
                 users by a polynomial in the number of steps, provided
                 a widely accepted complexity-theoretical assumption
                 holds.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Leonard:2013:MAP,
  author =       "Thomas Leonard and Martin Hall-May and Mike Surridge",
  title =        "Modelling Access Propagation in Dynamic Systems",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "2",
  pages =        "5:1--5:??",
  month =        sep,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2516951.2516952",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Sep 23 17:04:07 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Access control is a critical feature of many systems,
                 including networks of services, processes within a
                 computer, and objects within a running process. The
                 security consequences of a particular architecture or
                 access control policy are often difficult to determine,
                 especially where some components are not under our
                 control, where components are created dynamically, or
                 where access policies are updated dynamically. The
                 SERSCIS Access Modeller (SAM) takes a model of a system
                 and explores how access can propagate through it. It
                 can both prove defined safety properties and discover
                 unwanted properties. By defining expected behaviours,
                 recording the results as a baseline, and then
                 introducing untrusted actors, SAM can discover a wide
                 variety of design flaws. SAM is designed to handle
                 dynamic systems (i.e., at runtime, new objects are
                 created and access policies modified) and systems where
                 some objects are not trusted. It extends previous
                 approaches such as Scollar and Authodox to provide a
                 programmer-friendly syntax for specifying behaviour,
                 and allows modelling of services with mutually
                 suspicious clients. Taking the Confused Deputy example
                 from Authodox we show that SAM detects the attack
                 automatically; using a web-based backup service, we
                 show how to model RBAC systems, detecting a missing
                 validation check; and using a proxy certificate system,
                 we show how to extend it to model new access
                 mechanisms. On discovering that a library fails to
                 follow an RFC precisely, we re-evaluate our existing
                 models under the new assumption and discover that the
                 proxy certificate design is not safe with this
                 library.",
  acknowledgement = ack-nhfb,
  articleno =    "5",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Cheng:2013:DVB,
  author =       "Yueqiang Cheng and Xuhua Ding and Robert H. Deng",
  title =        "{DriverGuard}: Virtualization-Based Fine-Grained
                 Protection on {I/O} Flows",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "2",
  pages =        "6:1--6:??",
  month =        sep,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2505123",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Sep 23 17:04:07 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib;
                 http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
  abstract =     "Most commodity peripheral devices and their drivers
                 are geared to achieve high performance with security
                 functions being opted out. The absence of strong
                 security measures invites attacks on the I/O data and
                 consequently posts threats to those services feeding on
                 them, such as fingerprint-based biometric
                 authentication. In this article, we present a generic
                 solution called DriverGuard, which dynamically protects
                 the secrecy of I/O flows such that the I/O data are not
                 exposed to the malicious kernel. Our design leverages a
                 composite of cryptographic and virtualization
                 techniques to achieve fine-grained protection without
                 using any extra devices and modifications on user
                 applications. We implement the DriverGuard prototype on
                 Xen by adding around 1.7K SLOC. DriverGuard is
                 lightweight as it only needs to protect around 2\% of
                 the driver code's execution. We measure the performance
                 and evaluate the security of DriverGuard with three
                 input devices (keyboard, fingerprint reader and camera)
                 and three output devices (printer, graphic card, and
                 sound card). The experiment results show that
                 DriverGuard induces negligible overhead to the
                 applications.",
  acknowledgement = ack-nhfb,
  articleno =    "6",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Fu:2013:BSG,
  author =       "Yangchun Fu and Zhiqiang Lin",
  title =        "Bridging the Semantic Gap in Virtual Machine
                 Introspection via Online Kernel Data Redirection",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "2",
  pages =        "7:1--7:??",
  month =        sep,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2505124",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Sep 23 17:04:07 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib;
                 http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
  abstract =     "It is generally believed to be a tedious,
                 time-consuming, and error-prone process to develop a
                 virtual machine introspection (VMI) tool because of the
                 semantic gap. Recent advance shows that the
                 semantic-gap can be largely narrowed by reusing the
                 executed code from a trusted OS kernel. However, the
                 limitation for such an approach is that it only reuses
                 the exercised code through a training process, which
                 suffers the code coverage issues. Thus, in this
                 article, we present Vmst, a new technique that can
                 seamlessly bridge the semantic gap and automatically
                 generate the VMI tools. The key idea is that, through
                 system wide instruction monitoring, Vmst automatically
                 identifies the introspection related data from a
                 secure-VM and online redirects these data accesses to
                 the kernel memory of a product-VM, without any
                 training. Vmst offers a number of new features and
                 capabilities. Particularly, it enables an in-VM
                 inspection program (e.g., ps) to automatically become
                 an out-of-VM introspection program. We have tested Vmst
                 with over 25 commonly used utilities on top of a number
                 of different OS kernels including Linux and Microsoft
                 Windows. The experimental results show that our
                 technique is general (largely OS-independent), and it
                 introduces 9.3X overhead for Linux utilities and 19.6X
                 overhead for Windows utilities on average for the
                 introspected program compared to the native in-VM
                 execution without data redirection.",
  acknowledgement = ack-nhfb,
  articleno =    "7",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Serwadda:2013:ELK,
  author =       "Abdul Serwadda and Vir V. Phoha",
  title =        "Examining a Large Keystroke Biometrics Dataset for
                 Statistical-Attack Openings",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "2",
  pages =        "8:1--8:??",
  month =        sep,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2516960",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Sep 23 17:04:07 MDT 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Research on keystroke-based authentication has
                 traditionally assumed human impostors who generate
                 forgeries by physically typing on the keyboard. With
                 bots now well understood to have the capacity to
                 originate precisely timed keystroke sequences, this
                 model of attack is likely to underestimate the threat
                 facing a keystroke-based system in practice. In this
                 work, we investigate how a keystroke-based
                 authentication system would perform if it were
                 subjected to synthetic attacks designed to mimic the
                 typical user. To implement the attacks, we perform a
                 rigorous statistical analysis on keystroke biometrics
                 data collected over a 2-year period from more than 3000
                 users, and then use the observed statistical traits to
                 design and launch algorithmic attacks against three
                 state-of-the-art password-based keystroke verification
                 systems. Relative to the zero-effort attacks typically
                 used to test the performance of keystroke biometric
                 systems, we show that our algorithmic attack increases
                 the mean Equal Error Rates (EERs) of three high
                 performance keystroke verifiers by between 28.6\% and
                 84.4\%. We also find that the impact of the attack is
                 more pronounced when the keystroke profiles subjected
                 to the attack are based on shorter strings, and that
                 some users see considerably greater performance
                 degradation under the attack than others. This article
                 calls for a shift from the traditional zero-effort
                 approach of testing the performance of password-based
                 keystroke verifiers, to a more rigorous algorithmic
                 approach that captures the threat posed by today's
                 bots.",
  acknowledgement = ack-nhfb,
  articleno =    "8",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Sun:2013:BJW,
  author =       "Mengtao Sun and Gang Tan and Joseph Siefers and Bin
                 Zeng and Greg Morrisett",
  title =        "Bringing {Java}'s wild native world under control",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "3",
  pages =        "9:1--9:??",
  month =        nov,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2535505",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 9 11:22:22 MST 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/java2010.bib;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib;
                 http://www.math.utah.edu/pub/tex/bib/virtual-machines.bib",
  abstract =     "For performance and for incorporating legacy
                 libraries, many Java applications contain native-code
                 components written in unsafe languages such as C and
                 C++. Native-code components interoperate with Java
                 components through the Java Native Interface (JNI). As
                 native code is not regulated by Java's security model,
                 it poses serious security threats to the managed Java
                 world. We introduce a security framework that extends
                 Java's security model and brings native code under
                 control. Leveraging software-based fault isolation, the
                 framework puts native code in a separate sandbox and
                 allows the interaction between the native world and the
                 Java world only through a carefully designed pathway.
                 Two different implementations were built. In one
                 implementation, the security framework is integrated
                 into a Java Virtual Machine (JVM). In the second
                 implementation, the framework is built outside of the
                 JVM and takes advantage of JVM-independent interfaces.
                 The second implementation provides JVM portability, at
                 the expense of some performance degradation. Evaluation
                 of our framework demonstrates that it incurs modest
                 runtime overhead while significantly enhancing the
                 security of Java applications.",
  acknowledgement = ack-nhfb,
  articleno =    "9",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Driessen:2013:ESA,
  author =       "Benedikt Driessen and Ralf Hund and Carsten Willems
                 and Christof Paar and Thorsten Holz",
  title =        "An experimental security analysis of two satphone
                 standards",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "3",
  pages =        "10:1--10:??",
  month =        nov,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2535522",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 9 11:22:22 MST 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "General-purpose communication systems such as GSM and
                 UMTS have been in the focus of security researchers for
                 over a decade now. Recently also technologies that are
                 only used under more specific circumstances have come
                 into the spotlight of academic research and the hacker
                 scene alike. A striking example of this is recent work
                 [Driessen et al. 2012] that analyzed the security of
                 the over-the-air encryption in the two existing ETSI
                 satphone standards GMR-1 and GMR-2. The firmware of
                 handheld devices was reverse-engineered and the
                 previously unknown stream ciphers A5-GMR-1 and A5-GMR-2
                 were recovered. In a second step, both ciphers were
                 cryptanalized, resulting in a ciphertext-only attack on
                 A5-GMR-1 and a known-plaintext attack on A5-GMR-2. In
                 this work, we extend the aforementioned results in the
                 following ways: First, we improve the proposed attack
                 on A5-GMR-1 and reduce its average-case complexity from
                 $2^{32}$ to $2^{21}$ steps. Second, we implement a
                 practical attack to successfully record communications
                 in the Thuraya network and show that it can be done
                 with moderate effort for approximately \$5,000. We
                 describe the implementation of our modified attack and
                 the crucial aspects to make it practical. Using our
                 eavesdropping setup, we recorded 30 seconds of our own
                 satellite-to-satphone communication and show that we
                 are able to recover Thuraya session keys in half an
                 hour (on average). We supplement these results with
                 experiments designed to highlight the feasibility of
                 also eavesdropping on the satphone's emanations. The
                 purpose of this article is threefold: Develop and
                 demonstrate more practical attacks on A5-GMR-1,
                 summarize current research results in the field of
                 GMR-1 and GMR-2 security, and shed light on the amount
                 of work and expertise it takes from setting out to
                 analyze a complex system to actually break it in the
                 real world.",
  acknowledgement = ack-nhfb,
  articleno =    "10",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Blanton:2013:SVO,
  author =       "Marina Blanton and Yihua Zhang and Keith B. Frikken",
  title =        "Secure and verifiable outsourcing of large-scale
                 biometric computations",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "3",
  pages =        "11:1--11:??",
  month =        nov,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2535523",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 9 11:22:22 MST 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Cloud computing services are becoming more prevalent
                 and readily available today, bringing to us economies
                 of scale and making large-scale computation feasible.
                 Security and privacy considerations, however, stand in
                 the way of fully utilizing the benefits of such
                 services and architectures. In this work we address the
                 problem of secure outsourcing of large-scale biometric
                 experiments to a cloud or grid in a way that the client
                 can verify that with very high probability the task was
                 computed correctly. We conduct thorough theoretical
                 analysis of the proposed techniques and provide
                 implementation results that indicate that our solution
                 imposes modest overhead.",
  acknowledgement = ack-nhfb,
  articleno =    "11",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Williams:2013:APC,
  author =       "Peter Williams and Radu Sion",
  title =        "Access privacy and correctness on untrusted storage",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "3",
  pages =        "12:1--12:??",
  month =        nov,
  year =         "2013",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2535524",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Dec 9 11:22:22 MST 2013",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce a new practical mechanism for remote data
                 storage with access pattern privacy and correctness. A
                 storage client can deploy this mechanism to issue
                 encrypted reads, writes, and inserts to a potentially
                 curious and malicious storage service provider, without
                 revealing information or access patterns. The provider
                 is unable to establish any correlation between
                 successive accesses, or even to distinguish between a
                 read and a write. Moreover, the client is provided with
                 strong correctness assurances for its
                 operations --- illicit provider behavior does not go
                 undetected. We describe a practical system that can
                 execute an unprecedented several queries per second on
                 terabyte-plus databases while maintaining full
                 computational privacy and correctness.",
  acknowledgement = ack-nhfb,
  articleno =    "12",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Gilad:2014:PTI,
  author =       "Yossi Gilad and Amir Herzberg",
  title =        "Off-Path {TCP} Injection Attacks",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "4",
  pages =        "13:1--13:??",
  month =        apr,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2597173",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon May 5 18:00:10 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We present practical off-path TCP injection attacks
                 for connections between current, nonbuggy browsers and
                 Web servers. The attacks allow Web-cache poisoning with
                 malicious objects such as spoofed Web pages and
                 scripts; these objects can be cached for a long period
                 of time, exposing any user of that cache to cross-site
                 scripting, cross-site request forgery, and phishing
                 attacks. In contrast to previous TCP injection attacks,
                 we do not require MitM capabilities or malware running
                 on the client machine. Instead, our attacks rely on a
                 weaker assumption, that the user only enters a
                 malicious Web site, but does not download or install
                 any application. Our attacks exploit subtle details of
                 the TCP and HTTP specifications, and features of
                 legitimate (and very common) browser implementations.
                 An empirical evaluation of our techniques with current
                 versions of browsers shows that connections with most
                 popular Web sites are vulnerable. We conclude this work
                 with practical client- and server-end defenses against
                 our attacks.",
  acknowledgement = ack-nhfb,
  articleno =    "13",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Bilge:2014:EPD,
  author =       "Leyla Bilge and Sevil Sen and Davide Balzarotti and
                 Engin Kirda and Christopher Kruegel",
  title =        "{EXPOSURE}: a Passive {DNS} Analysis Service to Detect
                 and Report Malicious Domains",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "4",
  pages =        "14:1--14:??",
  month =        apr,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2584679",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon May 5 18:00:10 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "A wide range of malicious activities rely on the
                 domain name service (DNS) to manage their large,
                 distributed networks of infected machines. As a
                 consequence, the monitoring and analysis of DNS queries
                 has recently been proposed as one of the most promising
                 techniques to detect and blacklist domains involved in
                 malicious activities (e.g., phishing, spam, botnets
                 command-and-control, etc.). EXPOSURE is a system we
                 designed to detect such domains in real time, by
                 applying 15 unique features grouped in four categories.
                 We conducted a controlled experiment with a large,
                 real-world dataset consisting of billions of DNS
                 requests. The extremely positive results obtained in
                 the tests convinced us to implement our techniques and
                 deploy it as a free, online service. In this article,
                 we present the Exposure system and describe the results
                 and lessons learned from 17 months of its operation.
                 Over this amount of time, the service detected over
                 100K malicious domains. The statistics about the time
                 of usage, number of queries, and target IP addresses of
                 each domain are also published on a daily basis on the
                 service Web page.",
  acknowledgement = ack-nhfb,
  articleno =    "14",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chen:2014:CDP,
  author =       "Liqun Chen and Hoon Wei Lim and Guomin Yang",
  title =        "Cross-Domain Password-Based Authenticated Key Exchange
                 Revisited",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "4",
  pages =        "15:1--15:??",
  month =        apr,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2584681",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon May 5 18:00:10 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We revisit the problem of secure cross-domain
                 communication between two users belonging to different
                 security domains within an open and distributed
                 environment. Existing approaches presuppose that either
                 the users are in possession of public key certificates
                 issued by a trusted certificate authority (CA), or the
                 associated domain authentication servers share a
                 long-term secret key. In this article, we propose a
                 generic framework for designing four-party
                 password-based authenticated key exchange (4PAKE)
                 protocols. Our framework takes a different approach
                 from previous work. The users are not required to have
                 public key certificates, but they simply reuse their
                 login passwords, which they share with their respective
                 domain authentication servers. On the other hand, the
                 authentication servers, assumed to be part of a
                 standard PKI, act as ephemeral CAs that certify some
                 key materials that the users can subsequently use to
                 exchange and agree on as a session key. Moreover, we
                 adopt a compositional approach. That is, by treating
                 any secure two-party password-based key exchange
                 (2PAKE) protocol and two-party
                 asymmetric-key/symmetric-key-based key exchange
                 (2A/SAKE) protocol as black boxes, we combine them to
                 obtain generic and provably secure 4PAKE protocols.",
  acknowledgement = ack-nhfb,
  articleno =    "15",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Chen:2014:APS,
  author =       "Teh-Chung Chen and Torin Stepan and Scott Dick and
                 James Miller",
  title =        "An Anti-Phishing System Employing Diffused
                 Information",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "4",
  pages =        "16:1--16:??",
  month =        apr,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2584680",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon May 5 18:00:10 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "The phishing scam and its variants are estimated to
                 cost victims billions of dollars per year. Researchers
                 have responded with a number of anti-phishing systems,
                 based either on blacklists or on heuristics. The former
                 cannot cope with the churn of phishing sites, while the
                 latter usually employ decision rules that are not
                 congruent to human perception. We propose a novel
                 heuristic anti-phishing system that explicitly employs
                 gestalt and decision theory concepts to model
                 perceptual similarity. Our system is evaluated on three
                 corpora contrasting legitimate Web sites with
                 real-world phishing scams. The proposed system's
                 performance was equal or superior to current
                 best-of-breed systems. We further analyze current
                 anti-phishing warnings from the perspective of warning
                 theory, and propose a new warning design employing our
                 Gestalt approach.",
  acknowledgement = ack-nhfb,
  articleno =    "16",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Arkoudas:2014:SAC,
  author =       "Konstantine Arkoudas and Ritu Chadha and Jason
                 Chiang",
  title =        "Sophisticated Access Control via {SMT} and Logical
                 Frameworks",
  journal =      j-TISSEC,
  volume =       "16",
  number =       "4",
  pages =        "17:1--17:??",
  month =        apr,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2595222",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon May 5 18:00:10 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "We introduce a new methodology for formulating,
                 analyzing, and applying access-control policies.
                 Policies are expressed as formal theories in the SMT
                 (satisfiability-modulo-theories) subset of typed
                 first-order logic, and represented in a programmable
                 logical framework, with each theory extending a core
                 ontology of access control. We reduce both request
                 evaluation and policy analysis to SMT solving, and
                 provide experimental results demonstrating the
                 practicality of these reductions. We also introduce a
                 class of canonical requests and prove that such
                 requests can be evaluated in linear time. In many
                 application domains, access requests are either
                 naturally canonical or can easily be put into canonical
                 form. The resulting policy framework is more expressive
                 than XACML and languages in the Datalog family, without
                 compromising efficiency. Using the computational logic
                 facilities of the framework, a wide range of
                 sophisticated policy analyses (including consistency,
                 coverage, observational equivalence, and change impact)
                 receive succinct formulations whose correctness can be
                 straightforwardly verified. The use of SMT solving
                 allows us to efficiently analyze policies with
                 complicated numeric (integer and real) constraints, a
                 weak point of previous policy analysis systems.
                 Further, by leveraging the programmability of the
                 underlying logical framework, our system provides
                 exceptionally flexible ways of resolving conflicts and
                 composing policies. Specifically, we show that our
                 system subsumes FIA (Fine-grained Integration Algebra),
                 an algebra recently developed for the purpose of
                 integrating complex policies.",
  acknowledgement = ack-nhfb,
  articleno =    "17",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Allodi:2014:CVS,
  author =       "Luca Allodi and Fabio Massacci",
  title =        "Comparing Vulnerability Severity and Exploits Using
                 Case-Control Studies",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "1:1--1:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2630069",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "(U.S.) Rule-based policies for mitigating software
                 risk suggest using the CVSS score to measure the risk
                 of an individual vulnerability and act accordingly. A
                 key issue is whether the `danger' score does actually
                 match the risk of exploitation in the wild, and if and
                 how such a score could be improved. To address this
                 question, we propose using a case-control study
                 methodology similar to the procedure used to link lung
                 cancer and smoking in the 1950s. A case-control study
                 allows the researcher to draw conclusions on the
                 relation between some risk factor (e.g., smoking) and
                 an effect (e.g., cancer) by looking backward at the
                 cases (e.g., patients) and comparing them with controls
                 (e.g., randomly selected patients with similar
                 characteristics). The methodology allows us to quantify
                 the risk reduction achievable by acting on the risk
                 factor. We illustrate the methodology by using publicly
                 available data on vulnerabilities, exploits, and
                 exploits in the wild to (1) evaluate the performances
                 of the current risk factor in the industry, the CVSS
                 base score; (2) determine whether it can be improved by
                 considering additional factors such the existence of a
                 proof-of-concept exploit, or of an exploit in the black
                 markets. Our analysis reveals that (a) fixing a
                 vulnerability just because it was assigned a high CVSS
                 score is equivalent to randomly picking vulnerabilities
                 to fix; (b) the existence of proof-of-concept exploits
                 is a significantly better risk factor; (c) fixing in
                 response to exploit presence in black markets yields
                 the largest risk reduction.",
  acknowledgement = ack-nhfb,
  articleno =    "1",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Marinovic:2014:RIB,
  author =       "Srdjan Marinovic and Naranker Dulay and Morris
                 Sloman",
  title =        "{Rumpole}: an Introspective Break-Glass Access Control
                 Language",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "2:1--2:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2629502",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Access control policies define what resources can be
                 accessed by which subjects and under which conditions.
                 It is, however, often not possible to anticipate all
                 subjects that should be permitted access and the
                 conditions under which they should be permitted. For
                 example, predicting and correctly encoding all
                 emergency and exceptional situations is impractical.
                 Traditional access control models simply deny all
                 requests that are not permitted, and in doing so may
                 cause unpredictable and unacceptable consequences. To
                 overcome this issue, break-glass access control models
                 permit a subject to override an access control denial
                 if he accepts a set of obligatory actions and certain
                 override conditions are met. Existing break-glass
                 models are limited in how the override decision is
                 specified. They either grant overrides for a predefined
                 set of exceptional situations, or they grant unlimited
                 overrides to selected subjects, and as such, they
                 suffer from the difficulty of correctly encoding and
                 predicting all override situations and permissions. To
                 address this, we develop Rumpole, a novel break-glass
                 language that explicitly represents and infers
                 knowledge gaps and knowledge conflicts about the
                 subject's attributes and the contextual conditions,
                 such as emergencies. For example, a Rumpole policy can
                 distinguish whether or not it is known that an
                 emergency holds. This leads to a more informed decision
                 for an override request, whereas current break-glass
                 languages simply assume that there is no emergency if
                 the evidence for it is missing. To formally define
                 Rumpole, we construct a novel many-valued logic
                 programming language called Beagle. It has a simple
                 syntax similar to that of Datalog, and its semantics is
                 an extension of Fitting's bilattice-based semantics for
                 logic programs. Beagle is a knowledge non-monotonic
                 language, and as such, is strictly more expressive than
                 current many-valued logic programming languages.",
  acknowledgement = ack-nhfb,
  articleno =    "2",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Jafari:2014:FEE,
  author =       "Mohammad Jafari and Reihaneh Safavi-Naini and Philip
                 W. L. Fong and Ken Barker",
  title =        "A Framework for Expressing and Enforcing Purpose-Based
                 Privacy Policies",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "3:1--3:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2629689",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Purpose is a key concept in privacy policies. Although
                 some models have been proposed for enforcing
                 purpose-based privacy policies, little has been done in
                 defining formal semantics for purpose, and therefore an
                 effective enforcement mechanism for such policies has
                 remained a challenge. We have developed a framework for
                 expressing and enforcing such policies by giving a
                 formal definition of purpose and proposing a
                 modal-logic language for formally expressing purpose
                 constraints. The semantics of this language are defined
                 over an abstract model of workflows. Based on this
                 formal framework, we discuss some properties of
                 purpose, show how common forms of purpose constraints
                 can be formalized, how purpose-based constraints can be
                 connected to more general access control policies, and
                 how they can be enforced in a workflow-based
                 information system by extending common access control
                 technologies.",
  acknowledgement = ack-nhfb,
  articleno =    "3",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}

@Article{Syta:2014:SAA,
  author =       "Ewa Syta and Henry Corrigan-Gibbs and Shu-Chun Weng
                 and David Wolinsky and Bryan Ford and Aaron Johnson",
  title =        "Security Analysis of Accountable Anonymity in
                 {Dissent}",
  journal =      j-TISSEC,
  volume =       "17",
  number =       "1",
  pages =        "4:1--4:??",
  month =        aug,
  year =         "2014",
  CODEN =        "ATISBQ",
  DOI =          "http://dx.doi.org/10.1145/2629621",
  ISSN =         "1094-9224 (print), 1557-7406 (electronic)",
  ISSN-L =       "1094-9224",
  bibdate =      "Mon Aug 11 19:17:17 MDT 2014",
  bibsource =    "http://portal.acm.org/;
                 http://www.math.utah.edu/pub/tex/bib/cryptography2010.bib;
                 http://www.math.utah.edu/pub/tex/bib/tissec.bib",
  abstract =     "Users often wish to communicate anonymously on the
                 Internet, for example, in group discussion or instant
                 messaging forums. Existing solutions are vulnerable to
                 misbehaving users, however, who may abuse their
                 anonymity to disrupt communication. Dining
                 Cryptographers Networks (DC-nets) leave groups
                 vulnerable to denial-of-service and Sybil attacks; mix
                 networks are difficult to protect against traffic
                 analysis; and accountable voting schemes are unsuited
                 to general anonymous messaging. Dissent is the first
                 general protocol offering provable anonymity and
                 accountability for moderate-size groups, while
                 efficiently handling unbalanced communication demands
                 among users. We present an improved and hardened
                 dissent protocol, define its precise security
                 properties, and offer rigorous proofs of these
                 properties. The improved protocol systematically
                 addresses the delicate balance between provably hiding
                 the identities of well-behaved users, while provably
                 revealing the identities of disruptive users, a
                 challenging task because many forms of misbehavior are
                 inherently undetectable. The new protocol also
                 addresses several nontrivial attacks on the original
                 dissent protocol stemming from subtle design flaws.",
  acknowledgement = ack-nhfb,
  articleno =    "4",
  fjournal =     "ACM Transactions on Information and System Security",
  journal-URL =  "http://portal.acm.org/browse_dl.cfm?idx=J789",
}