Surviving Insider Attacks: A Call for System Experiments

  • Virgil D. Gligor
  • C. Sekar Chandersekaran
Part of the Advances in Information Security book series (ADIS, volume 39)


The handling of insider attacks is a significant technical challenge, as little assurance theory and design practice exists to guide the design of effective, credible countermeasures for large systems and applications. Much of the relevant theory has focused on insider attacks on individual security protocols and small-scale applications. In this position paper, we suggest that confidence in a system’s resilience to insider attacks can emerge from the application of well-accepted survivability principles and design methods. We caution, however, that different tradeoffs emerge when these principles are applied to practical designs, requiring a careful balance among the costs of countering insider attacks, recovering from attacks, and deterring attacks, and between fine-grained access permissions and the ability to administer those permissions in a safe manner. In view of the dearth of practical solutions for surviving insider attacks in any system of significant size, we suggest that experiments in applying well-accepted principles and design methods to critical subsystems (e.g., user authentication, DNS) are necessary to provide effective and quantifiable assurances.







Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Virgil D. Gligor, Carnegie Mellon University, USA
  • C. Sekar Chandersekaran, Institute for Defense Analyses, Alexandria, USA
