Computer security models are specifications designed, among other things, to limit the damage caused by Trojan Horse programs such as computer viruses. Recent work in such models has revealed limitations of the widely accepted model of Bell and LaPadula. This paper provides an introduction to computer security modeling in general, the Bell and LaPadula model in particular, and the limitations of the model. Many of the issues raised are of interest not simply to the security community, but for the software specification community as a whole. We then construct a framework for security models that address these limitations. The result is a model that not only better addresses government security policies, but nongovernment security policies as well.

The protection mechanisms of current mainstream operating systems are inadequate to support confidentiality and integrity requirements for end systems. Mandatory access control (MAC) is needed to address such requirements, but the limitations of traditional MAC have inhibited its adoption into mainstream operating systems. The National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a flexible MAC architecture called Flask to overcome the limitations of traditional MAC. The NSA has implemented this architecture in the Linux operating system, producing a Security-Enhanced Linux (SELinux) prototype, to make the technology available to a wider community and to enable further research into secure operating systems. NAI Labs has developed an example security policy configuration to demonstrate the benefits of the architecture and to provide a foundation for others to use. This paper describes the security architecture, security mechanisms, application programming interface, security policy configuration, and performance of SELinux.

We consider routing security in wireless sensor networks. Many sensor network routing protocols have been proposed, but none of them have been designed with security as a goal. We propose security goals for routing in sensor networks, show how attacks against ad-hoc and peer-to-peer networks can be adapted into powerful attacks against sensor networks, introduce two classes of novel attacks against sensor networks - sinkholes and HELLO floods, and analyze the security of all the major sensor network routing protocols. We describe crippling attacks against all of them and suggest countermeasures and design considerations. This is the first such analysis of secure routing in sensor networks.