cheri.bib

@techreport{CHERI-FM15,
 author = {Peter G. Neumann and Robert N. M. Watson and Nirav Dave and Alexandre Joannou and Matthew Naylor and Michael Roe and Anthony Fox and Jonathan Woodruff},
 title = {{CHERI Formal Methods, interim version 3.0}},
 year = {2015},
 source = {},
 institution = {SRI International and the University of Cambridge},
 address = {},
}


@article{karger:performance,
 author = {Karger, Paul A.},
 title = {Using registers to optimize cross-domain call performance},
 journal = {SIGARCH Computer Architecture News},
 volume = {17},
 number = {2},
 year = {1989},
 issn = {0163-5964},
 pages = {194--204},
 doi = {10.1145/68182.68201},
 publisher = {ACM},
 address = {New York, NY, USA},
}


@inproceedings{demoura-etal07:VSTTE,
        AUTHOR = {Leonardo de Moura and Sam Owre and Harald Rue{\ss} and
                John Rushby and Natarajan Shankar},
        TITLE = {Integrating Verification Components},
        CROSSREF = {VSTTE07}
}

@proceedings{VSTTE07,
        TITLE = {Verified Software:
                 Theories, Tools, and Experiments},
        BOOKTITLE = {Verified Software:
                 Theories, Tools, and Experiments},
        EDITOR = {Bertrand Meyer and Jim Woodcock},
        NUMBER = 4171,
        SERIES = {LNCS},
        YEAR = 2008
}
@comment{ PUBLISHER = {Springer Verlag}, }

@techreport{andrews:partitions,
 author = {Andrews, Gregory R.},
 title = {Partitions and Principles for Secure Operating Systems},
 year = {1975},
 source = {http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail\&id=oai%3Ancstrlh%3Acornellcs%3ACORNELLCS%3ATR75-228},
 institution = {Cornell University},
 address = {Ithaca, NY, USA},
}

@article{wulf:hydra,
 author = {Wulf, W. and Cohen, E. and Corwin, W. and Jones, A. and Levin, R. and Pierson, C. and Pollack, F.},
 title = {{HYDRA: the kernel of a multiprocessor operating system}},
 journal = {Communications of the ACM},
 volume = {17},
 number = {6},
 year = {1974},
 issn = {0001-0782},
 pages = {337--345},
 doi = {10.1145/355616.364017},
 publisher = {ACM},
 address = {New York, NY, USA},
 }

@article{walker:uclasecureunix,
 author = {Walker, Bruce J. and Kemmerer, Richard A. and Popek, Gerald J.},
 title = {{Specification and verification of the UCLA Unix security kernel}},
 journal = {Communications of the ACM},
 volume = {23},
 number = {2},
 year = {1980},
 issn = {0001-0782},
 pages = {118--131},
 doi = {10.1145/358818.358825},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{schroeder:multicssecuritykernel,
 author = {Schroeder, Michael D.},
 title = {{Engineering a security kernel for Multics}},
 booktitle = {SOSP '75: Proceedings of the Fifth ACM Symposium on Operating Systems Principles},
 year = {1975},
 pages = {25--32},
 location = {Austin, Texas, United States},
 doi = {10.1145/800213.806518},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{walker:adventtrusted,
 author = {Walker, Stephen T.},
 title = {The advent of trusted computer operating systems},
 booktitle = {AFIPS '80: Proceedings of the May 19-22, 1980, national computer conference},
 year = {1980},
 pages = {655--665},
 location = {Anaheim, California},
 doi = {10.1145/1500518.1500626},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{sebes:dtmach,
author = {E. J. Sebes},
booktitle = {{Proceedings of the USENIX Mach Symposium}},
title = {{Overview of the architecture of Distributed Trusted Mach}},
pages = {20--22},
month = nov,
year = {1991},
pmid = {286502042582210013related:3VWJ-xbc-QMJ},
 publisher = {USENIX Association},
}

@InProceedings{spencer:flask,
  author =       "Ray Spencer and Stephen Smalley and Peter Loscocco and
                 Mike Hibler and David Andersen and Jay Lepreau",
  title =        "The {Flask} Security Architecture: System Support for
                 Diverse Security Policies",
  annote =       "Separate policy and mechanisms derived from DTOS and
                 somewhat consistant with GFAC. Not so suitable:
                 Capability systems (difficulty to control propagation)
                 and interception systesm (e.g., L4 Clan/Chief, problem
                 of exposure of all abstractions). Fluke (\& flask)
                 homepage:
                 \url{http://www.cs.utah.edu/flux/fluke/html/flask.html}",
  pages =        "123--139",
 booktitle =    "{Proceedings of the 8th {USENIX} Security Symposium}",
  year =         "1999",
 publisher = {USENIX Association},
  month =        aug,
  address =      "Washington, D.C., USA",
}

@inproceedings{wang:gazelle,
 author = {Wang, Helen J. and Grier, Chris and Moshchuk, Alexander and King, Samuel T. and Choudhury, Piali and Venter, Herman},
 title = {{The multi-principal OS construction of the Gazelle web browser}},
 booktitle = {Proceedings of the 18th USENIX Security Symposium},
 year = {2009},
 pages = {417--432},
 location = {Montreal, Canada},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{remy:ocaml,
 author = {R\'{e}my, Didier and Vouillon, J\'{e}r\^{o}me},
 title = {{Objective ML: a simple object-oriented extension of ML}},
 booktitle = {{POPL '97: Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages}},
 year = {1997},
 isbn = {0-89791-853-3},
 pages = {40--53},
 location = {Paris, France},
 doi = {10.1145/263699.263707},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@book{mckusick:freebsd,
 author = {McKusick, Marshall Kirk and Neville-Neil, George V. and Watson,
  Robert N. M.},
 title = {{The Design and Implementation of the FreeBSD Operating System,
  Second Edition}},
 year = {2014},
 publisher = {Pearson Education},
}

@misc{ruby,
                title = {{Ruby Programming Language}},
                howpublished = {\url{http://www.ruby-lang.org/}},
                author = {{Ruby Users Group}},
                                year = 2010,
                                month = oct,
}

@inproceedings{trevor:cyclone,
 author = {Jim, Trevor and Morrisett, J. Greg and Grossman, Dan and Hicks, Michael W. and Cheney, James and Wang, Yanling},
 title = {Cyclone: A Safe Dialect of~{C}},
 booktitle = {{ATEC '02: Proceedings of the USENIX Annual Technical Conference}},
 year = {2002},
 isbn = {1-880446-00-6},
 pages = {275--288},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{cantrill:dtrace,
 author = {Cantrill, Bryan M. and Shapiro, Michael W. and Leventhal, Adam H.},
 title = {Dynamic instrumentation of production systems},
 booktitle = {ATEC '04: Proceedings of the USENIX Annual Technical Conference},
 year = {2004},
 location = {Boston, MA},
 publisher = {{USENIX Association}},
 address = {Berkeley, CA, USA},
}

@inproceedings{necula:pcc,
 author = {Necula, George C. and Lee, Peter},
 title = {Safe kernel extensions without run-time checking},
 booktitle = {OSDI '96: Proceedings of the Second USENIX symposium on Operating Systems Design and Implementation},
 year = {1996},
 isbn = {1-880446-82-0},
 pages = {229--243},
 location = {Seattle, Washington, United States},
 doi = {10.1145/238721.238781},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{yee:nativeclient,
 author = {Yee, Bennet and Sehr, David and Dardyk, Gregory and Chen, J. Bradley and Muth, Robert and Ormandy, Tavis and Okasaka, Shiki and Narula, Neha and Fullagar, Nicholas},
 title = {Native Client: A Sandbox for Portable, Untrusted x86 Native Code},
 booktitle = {SP '09: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy},
 year = {2009},
 isbn = {978-0-7695-3633-0},
 pages = {79--93},
 doi = {10.1109/SP.2009.25},
 publisher = {IEEE Computer Society},
 address = {Washington, DC, USA},
}

@inproceedings{mccanne:bpf,
 author = {McCanne, Steven and Jacobson, Van},
 title = {{The BSD packet filter: a new architecture for user-level packet capture}},
 booktitle = {{USENIX'93: Proceedings of the USENIX Winter 1993 Conference}},
 year = {1993},
 location = {San Diego, California},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{bershad:spin,
 author = {Bershad, B. N. and Savage, S. and Pardyak, P. and Sirer, E. G. and Fiuczynski, M. E. and Becker, D. and Chambers, C. and Eggers, S.},
 title = {{Extensibility safety and performance in the SPIN operating system}},
 booktitle = {{SOSP '95: Proceedings of the Fifteenth ACM Symposium on Operating Systems Principles}},
 year = {1995},
 isbn = {0-89791-715-4},
 pages = {267--283},
 location = {Copper Mountain, Colorado, United States},
 doi = {10.1145/224056.224077},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{myers:difc,
 author = {Myers, Andrew C. and Liskov, Barbara},
 title = {A decentralized model for information flow control},
 journal = {SIGOPS Oper. Syst. Rev.},
 volume = {31},
 issue = {5},
 month = oct,
 year = {1997},
 issn = {0163-5980},
 pages = {129--142},
 numpages = {14},
 doi = {10.1145/269005.266669},
 acmid = {266669},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{efstathopoulos:asbestos,
 author = {Efstathopoulos, Petros and Krohn, Maxwell and VanDeBogart, Steve and Frey, Cliff and Ziegler, David and Kohler, Eddie and Mazi\`{e}res, David and Kaashoek, Frans and Morris, Robert},
 title = {Labels and event processes in the asbestos operating system},
 journal = {SIGOPS Oper. Syst. Rev.},
 volume = {39},
 issue = {5},
 month = oct,
 year = {2005},
 issn = {0163-5980},
 pages = {17--30},
 numpages = {14},
 doi = {10.1145/1095809.1095813},
 acmid = {1095813},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {event processes, information flow, labels, mandatory access control, secure web servers},
}

@inproceedings{zeldovich:histar,
 author = {Zeldovich, Nickolai and Boyd-Wickizer, Silas and Kohler, Eddie and Mazi\`{e}res, David},
 title = {Making information flow explicit in {HiStar}},
 booktitle = {Proceedings of the 7th symposium on Operating systems design and implementation},
 series = {OSDI '06},
 year = {2006},
 isbn = {1-931971-47-1},
 location = {Seattle, Washington},
 pages = {263--278},
 numpages = {16},
 url = {http://portal.acm.org/citation.cfm?id=1298455.1298481},
 acmid = {1298481},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{boebert:inabilitystar,
  title = {On the Inability of an Unmodified Capability Machine to Enforce the *-Property},
  booktitle = {Proc. 7th {{DoD}}/{{NBS Computer Security Conference}}},
  author = {Boebert, William Earl},
  date = {1984-09},
  pages = {291--293},
  url = {https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1984/09/24/7th-dod-nbs-computer-security-conference/documents/1984-7th-conference-proceedings.pdf},
  eventtitle = {{{DoD}}/{{NBS Computer Security Conference}}}
}


@article{hardy:keykos,
 author = {Hardy, Norman},
 title = {{KeyKOS architecture}},
 journal = {SIGOPS Operating Systems Review},
 volume = {19},
 number = {4},
 year = {1985},
 issn = {0163-5980},
 pages = {8--25},
 doi = {10.1145/858336.858337},
 publisher = {ACM},
 address = {New York, NY, USA},
 note = {Also available at \url{http://cap-lore.com/CapTheory/upenn/OSRpaper.html}}
}

@inproceedings{shapiro:eros,
author = {Jonathan Shapiro and Jonathan Smith and David Farber},
booktitle = {{SOSP '99: Proceedings of the seventeenth ACM Symposium on Operating Systems Principles}},
title = {{EROS: a fast capability system}},
abstract = {EROS is a capability-based operating system for commodity processors which uses a single level storage model. The single level store's persistence is transparent to applications. The performance consequences of support for transparent persistence and ...},
year = {1999},
month = dec,
pmid = {319151.319163},
url = {http://portal.acm.org/citation.cfm?id=319151.319163},
howpublished = {\url{http://portal.acm.org/citation.cfm?id=319151.319163}},
}

@misc{shapiro:coyotosspec,
  author={Jonathan S. Shapiro and Jonathan W. Adams},
  title={Coyotos Microkernel Specification},
  subtitle={Version 0.6+},
  date={2007-09-10},
  url={https://web.archive.org/web/20160904092954/http://www.coyotos.org:80/docs/ukernel/spec.html}
}

@inproceedings{mettler:joee,
 author = {Mettler, Adrian and Wagner, David},
 title = {{Class properties for security review in an object-capability subset of Java}},
 booktitle = {PLAS '10: Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security},
 year = {2010},
 isbn = {978-1-60558-827-8},
 pages = {1--7},
 location = {Toronto, Canada},
 doi = {10.1145/1814217.1814224},
 publisher = {ACM},
 address = {New York, NY, USA},
 }

@misc{miller:elang,
  author = {Mark S. Miller},
  title = {The E Language},
  note = "\url{http://www.erights.org/}",
}

@misc{miller:caja,
  author = {Mark S. Miller and Mike Samuel and Ben Laurie and Ihab Awad and Mike Stay},
  title = {Caja: Safe active content in Sanitized JavaScript},
  month = may,
  year = {2008},
  institution = {Google},
  url = {http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf},
  note = "\url{http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf}",
}

@article{miller:capmyths,
	title = {Capability {Myths} {Demolished}},
	abstract = {We address three common misconceptions about capability-based systems: the Equivalence Myth (access control list systems and capability systems are formally equivalent), the Confinement Myth (capability systems cannot enforce confinement), and the Irrevocability Myth (capability-based access cannot be revoked). The Equivalence Myth obscures the benefits of capabilities as compared to access control lists, while the Confinement Myth and the Irrevocability Myth lead people to see problems with capabilities that do not actually exist.},
	language = {en},
	author = {Miller, Mark S and Yee, Ka-Ping and Shapiro, Jonathan},
	pages = {15},
	url = {http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf}
}

@article{miller:paradigmregained,
	address = {Berlin, Heidelberg},
	title = {Paradigm {Regained}: {Abstraction} {Mechanisms} for {Access} {Control}},
	isbn = {978-3-540-40965-6},
	abstract = {Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which would create vulnerabilities. Analysis to date implicitly assumes access is controlled only by manipulating a system's protection state – the arrangement of the access graph. Because of the limitations of this analysis, capability systems have been ”proven” unable to enforce some basic policies: revocation, confinement, and the *-properties (explained in the text).},
	booktitle = {Advances in {Computing} {Science} – {ASIAN} 2003. {Progamming} {Languages} and {Distributed} {Computation} {Programming} {Languages} and {Distributed} {Computation}},
	publisher = {Springer Berlin Heidelberg},
	author = {Miller, Mark S. and Shapiro, Jonathan S.},
	editor = {Saraswat, Vijay A.},
	year = {2003},
	pages = {224--242},
	url = {http://www.erights.org/talks/asian03/}
}

@phdthesis{miller:robustcomposition,
 author = {Miller, Mark Samuel},
 title = {Robust composition: towards a unified approach to access control and concurrency control},
 year = {2006},
 order_no = {AAI3245526},
 school = {Johns Hopkins University},
 address = {Baltimore, MD, USA},
}

@book{gosling:javalanguage,
 author = {Gosling, James and Joy, Bill and Steele, Guy L.},
 title = {The  Java Language Specification},
 year = {1996},
 isbn = {0201634511},
 publisher = {Addison-Wesley Longman Publishing Co., Inc.},
 address = {Boston, MA, USA},
}

@inproceedings{lipner:securitykernels,
 author = {Lipner, Steven B. and Wulf, William A. and Schell, Roger R. and Popek, Gerald J. and Neumann, Peter G. and Weissman, Clark and Linden, Theodore A.},
 title = {Security kernels},
 booktitle = {AFIPS '74: Proceedings of the May 6-10, 1974, National Computer Conference and Exposition},
 year = {1974},
 pages = {973--980},
 location = {Chicago, Illinois},
 doi = {10.1145/1500175.1500361},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{ackerman:multiprocessing,
 author = {Ackerman, William B. and Plummer, William W.},
 title = {An implementation of a multiprocessing computer system},
 booktitle = {SOSP '67: Proceedings of the First ACM Symposium on Operating System Principles},
 year = {1967},
 pages = {5.1--5.10},
 doi = {10.1145/800001.811666},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{ritchie:unix,
 author = {Ritchie, Dennis M. and Thompson, Ken},
 title = {{The UNIX time-sharing system}},
 journal = {Communications of the ACM},
 volume = {17},
 number = {7},
 year = {1974},
 issn = {0001-0782},
 pages = {365--375},
 doi = {10.1145/361011.361061},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{denning:faulttolerance,
 author = {Denning, Peter J.},
 title = {Fault Tolerant Operating Systems},
 journal = {ACM Computing Surveys},
 volume = {8},
 number = {4},
 year = {1976},
 issn = {0360-0300},
 pages = {359--389},
 doi = {10.1145/356678.356680},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{patterson:risc,
 author = {Patterson, David A. and Sequin, Carlo H.},
 title = {{RISC I: A Reduced Instruction Set VLSI Computer}},
 booktitle = {ISCA '81: Proceedings of the 8th Annual Symposium on Computer Architecture},
 year = {1981},
 pages = {443--457},
 location = {Minneapolis, Minnesota, United States},
 publisher = {IEEE Computer Society Press},
 address = {Los Alamitos, CA, USA},
 }

@inproceedings{corbato:multics,
 author = {Corbat\'{o}, F. J. and Vyssotsky, V. A.},
 title = {{Introduction and overview of the Multics system}},
 booktitle = {AFIPS '65 (Fall, part I): Proceedings of the November 30--December 1, 1965, Fall Joint Computer Conference, part I},
 year = {1965},
 pages = {185--196},
 location = {Las Vegas, Nevada},
 doi = {10.1145/1463891.1463912},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{corbato:timesharing,
 author = {Corbat\'{o}, Fernando J. and Merwin-Daggett, Marjorie and Daley, Robert C.},
 title = {An experimental time-sharing system},
 booktitle = {AIEE-IRE '62 (Spring): Proceedings of the May 1--3, 1962, Spring Joint Computer Conference},
 year = {1962},
 pages = {335--344},
 location = {San Francisco, California},
 doi = {10.1145/1460833.1460871},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{dennis:semantics,
 author = {Dennis, Jack B. and Van Horn, Earl C.},
 title = {Programming semantics for multiprogrammed computations},
 journal = {Communications of the ACM},
 volume = {9},
 number = {3},
 year = {1966},
 issn = {0001-0782},
 pages = {143--155},
 doi = {10.1145/365230.365252},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{reis:chromium,
 author = {Reis, Charles and Gribble, Steven D.},
 title = {Isolating web programs in modern browser architectures},
 booktitle = {EuroSys '09: Proceedings of the 4th ACM European Conference on Computer Systems},
 year = {2009},
 isbn = {978-1-60558-482-9},
 pages = {219--232},
 location = {Nuremberg, Germany},
 doi = {10.1145/1519065.1519090},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{provos:preventingprivesc,
author = {Neils Provos and Markus Friedl and Peter Honeyman},
booktitle = {{Proceedings of the 12th USENIX Security Symposium}},
title = {{Preventing Privilege Escalation}},
year = {2003},
 publisher = {USENIX Association},
}

@inproceedings{bittau:wedge,
author = {Andrea Bittau and Petr Marchenko and Mark Handley and Brad Karp},
booktitle = {{Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation}},
title = {{Wedge: Splitting Applications into Reduced-Privilege Compartments}},
school = {University College London},
pages = {309--322},year = {2008},
url = {http://www.cs.ucl.ac.uk/staff/m.handley/papers/wedge.pdf},
howpublished = {\url{http://www.cs.ucl.ac.uk/staff/m.handley/papers/wedge.pdf}},
 publisher = {USENIX Association},
}

@techreport{accetta:mach,
        author = "M. Accetta and R. Baron and D. Golub and R. Rashid and A.
            Tevanian and M. Young",
        institution = "{Computer Science Department, Carnegie Mellon
            University}",
        title = "{Mach: A New Kernel Foundation for UNIX Development}",
        year = "1986",
        month = aug,
}

@InProceedings{liedtke:l4,
  author =       {Jochen Liedtke},
  title =        {On Microkernel Construction},
  booktitle =    {SOSP'95: Proceedings of the
                  15th ACM Symposium on Operating System Principles},
  address =      {Copper Mountain Resort, CO},
  month =         dec,
  year =          1995,
  url =          {http://l4ka.org/publications/}
}

@book{levy:capabilities,
 author = {Levy, Henry M.},
 title = {Capability-Based Computer Systems},
 year = {1984},
 isbn = {0932376223},
 publisher = {Butterworth-Heinemann},
 address = {Newton, MA, USA},
 }

@inproceedings{yee:nacl,
 author = {Yee, Bennet and Sehr, David and Dardyk, Gregory and Chen, J. Bradley and Muth, Robert and Ormandy, Tavis and Okasaka, Shiki and Narula, Neha and Fullagar, Nicholas},
 title = {Native Client: A Sandbox for Portable, Untrusted x86 Native Code},
 booktitle = {Proceedings of the 2009 30th IEEE Symposium on Security and Privacy},
 year = {2009},
 isbn = {978-0-7695-3633-0},
 pages = {79--93},
 numpages = {15},
 url = {http://portal.acm.org/citation.cfm?id=1607723.1608126},
 doi = {10.1109/SP.2009.25},
 acmid = {1608126},
 publisher = {IEEE Computer Society},
 address = {Washington, DC, USA},
 keywords = {Security, World Wide Web},
}

@inproceedings{wahbe:sfi,
 author = {Wahbe, Robert and Lucco, Steven and Anderson, Thomas E. and Graham, S
usan L.},
 title = {Efficient software-based fault isolation},
 booktitle = {SOSP '93: Proceedings of the Fourteenth ACM Symposium on Operating
 Systems Principles},
 year = {1993},
 isbn = {0-89791-632-8},
 pages = {203--216},
 location = {Asheville, North Carolina, United States}, doi = {10.1145/168619.168635},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{richards:bluespecreasoning,
   author = {Richards, Dominic and Lester, David},
   affiliation = {School of Computer Science, The University of Manchester, Manchester, UK},
   title = {{A monadic approach to automated reasoning for Bluespec SystemVerilog}},
   journal = {Innovations in Systems and Software Engineering},
   publisher = {Springer London},
   issn = {1614-5046},
   keyword = {Computer Science},
   pages = {1-11},
   note = {10.1007/s11334-011-0149-0},
   year = {2011}
}

@InProceedings{NeumannWatson10LAW,
Author={Peter G. Neumann and Robert N.~M. Watson},
Title={Capabilities Revisited: A Holistic Approach to
     Bottom-to-Top Assurance of Trustworthy Systems},
BookTitle={Fourth Layered Assurance Workshop},
Organization={U.S. Air Force Cryptographic Modernization Office and AFRL},
Address={Austin, Texas},
Year={2010}, Month=dec, pages={}, Note =
  {http://www.csl.sri.com/neumann/law10.pdf}}

@InProceedings{Watson07,
Author={Robert N.~M. Watson},
Title={Exploiting Concurrency Vulnerabilities in System Call Wrappers},
BookTitle={WOOT Workshop},
Organization={USENIX Security}, Address={Gaithersburg, Maryland},
Year={2007}, Month={}, pages={}, Note = {
  http://www.watson.org/~robert/2007woot/20070806-woot-concurrency.pdf}}

@PhdThesis{Drimer10,
   author =      {Saar Drimer},
   title =       {Security for Volatile FPGAs},
   school =      {University of Cambridge},
   year =        {2010} }

@inproceedings{Cadar:2008:KUA:1855741.1855756,
 author = {Cadar, Cristian and Dunbar, Daniel and Engler, Dawson},
 title = {{KLEE}: unassisted and automatic generation of high-coverage tests for complex systems programs},
 booktitle = {Proceedings of the 8th USENIX conference on operating systems design and implementation},
 series = {OSDI'08},
 year = {2008},
 location = {San Diego, California},
 pages = {209--224},
 numpages = {16},
 url = {http://portal.acm.org/citation.cfm?id=1855741.1855756},
 acmid = {1855756},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{Yanagisawa:2006:DAS:1173706.1173717,
 author = {Yanagisawa, Yoshisato and Kourai, Kenichi and Chiba, Shigeru},
 title = {A dynamic aspect-oriented system for {OS} kernels},
 booktitle = {Proceedings of the 5th international conference on Generative programming and component engineering},
 series = {GPCE '06},
 year = {2006},
 isbn = {1-59593-237-2},
 location = {Portland, Oregon, USA},
 pages = {69--78},
 numpages = {10},
 doi = {10.1145/1173706.1173717},
 acmid = {1173717},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {Linux, aspect-oriented programming, dynamic AOP, operating system, profiling and debugging},
}

@article{Nethercote:2007:VFH:1273442.1250746,
 author = {Nethercote, Nicholas and Seward, Julian},
 title = {Valgrind: a framework for heavyweight dynamic binary instrumentation},
 journal = {SIGPLAN Not.},
 volume = {42},
 issue = {6},
 month = jun,
 year = {2007},
 issn = {0362-1340},
 pages = {89--100},
 numpages = {12},
 doi = {10.1145/1273442.1250746},
 acmid = {1250746},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {Memcheck, Valgrind, dynamic binary analysis, dynamic binary instrumentation, shadow values},
}

@INPROCEEDINGS{Weimer05miningtemporal,
    author = {Westley Weimer and George C. Necula},
    title = {Mining Temporal Specifications for Error Detection},
    booktitle = {In TACAS},
    year = {2005},
    pages = {461--476}
}


@inproceedings{muvi:sosp2007,
    author = "Shan Lu and Soyeon Park and Chongfeng Hu and Xiao Ma and Weihang Jiang and Zhenmin Li and Raluca A. Popa and Yuanyuan Zhou",
    title  = "MUVI: Automatically Inferring Multi-Variable Access Correlations and Detecting Related Semantic and Concurrency Bugs",
    booktitle = "Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP07)",
    month  = oct,
    year   = "2007",
}


@misc{rfc4252,
  author="T. Ylonen and C. Lonvick",
  title="{The Secure Shell (SSH) Authentication Protocol}",
  series="Request for Comments",
  number="4252",
  howpublished="RFC 4252 (Proposed Standard)",
  publisher="IETF",
  organisation="Internet Engineering Task Force",
  year=2006,
  month=jan,
    url="http://www.ietf.org/rfc/rfc4252.txt",
}

@article{Bishop:2005:RSC:1090191.1080123,
 author = {Bishop, Steve and Fairbairn, Matthew and Norrish, Michael and Sewell, Peter and Smith, Michael and Wansbrough, Keith},
 title = {Rigorous specification and conformance testing techniques for network protocols, as applied to {TCP}, {UDP}, and sockets},
 journal = {SIGCOMM Comput. Commun. Rev.},
 issue_date = {October 2005},
 volume = {35},
 issue = {4},
 month = aug,
 year = {2005},
 issn = {0146-4833},
 pages = {265--276},
 numpages = {12},
 doi = {10.1145/1090191.1080123},
 acmid = {1080123},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {API, HOL, TCP/IP, conformance testing, higher-order logic, network protocols, operational semantics, sockets, specification},
}

@inproceedings{Madhavapeddy:2009:CSM:1695271.1695302,
 author = {Madhavapeddy, Anil},
 title = {Combining Static Model Checking with Dynamic Enforcement Using the Statecall Policy Language},
 booktitle = {Proceedings of the 11th International Conference on Formal Engineering Methods: Formal Methods and Software Engineering},
 series = {ICFEM '09},
 year = {2009},
 isbn = {978-3-642-10372-8},
 location = {Rio de Janeiro, Brazil},
 pages = {446--465},
 numpages = {20},
 doi = {10.1007/978-3-642-10373-5_23},
 acmid = {1695302},
 publisher = {Springer-Verlag},
 address = {Berlin, Heidelberg},
}

@inproceedings{Baldwin:2002:LMF:1250894.1250898,
 author = {Baldwin, John H.},
 title = {Locking in the multithreaded {FreeBSD} kernel},
 booktitle = {Proceedings of the BSD Conference 2002},
 series = {BSDC'02},
 year = {2002},
 location = {San Francisco, California},
 pages = {4--4},
 numpages = {1},
 url = {http://portal.acm.org/citation.cfm?id=1250894.1250898},
 acmid = {1250898},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{LA04,
  title = {{{LLVM}}: {{A Compilation Framework}} for {{Lifelong Program Analysis}} \& {{Transformation}}},
  shorttitle = {{{LLVM}}},
  booktitle = {Proceedings of the {{International Symposium}} on {{Code Generation}} and {{Optimization}}: {{Feedback}}-Directed and {{Runtime Optimization}}},
  author = {Lattner, Chris and Adve, Vikram},
  date = {2004-03},
  pages = {75--86},
  publisher = {{IEEE Computer Society}},
  location = {{Washington, DC, USA}},
  doi = {10.1109/CGO.2004.1281665},
  url = {http://dl.acm.org/citation.cfm?id=977395.977673},
  abstract = {This paper describes LLVM (Low Level Virtual Machine),a compiler framework designed to support transparent, lifelongprogram analysis and transformation for arbitrary programs,by providing high-level information to compilertransformations at compile-time, link-time, run-time, and inidle time between runs.LLVM defines a common, low-levelcode representation in Static Single Assignment (SSA) form,with several novel features: a simple, language-independenttype-system that exposes the primitives commonly used toimplement high-level language features; an instruction fortyped address arithmetic; and a simple mechanism that canbe used to implement the exception handling features ofhigh-level languages (and setjmp/longjmp in C) uniformlyand efficiently.The LLVM compiler framework and coderepresentation together provide a combination of key capabilitiesthat are important for practical, lifelong analysis andtransformation of programs.To our knowledge, no existingcompilation approach provides all these capabilities.We describethe design of the LLVM representation and compilerframework, and evaluate the design in three ways: (a) thesize and effectiveness of the representation, including thetype information it provides; (b) compiler performance forseveral interprocedural problems; and (c) illustrative examplesof the benefits LLVM provides for several challengingcompiler problems.},
  isbn = {978-0-7695-2102-2},
  series = {{{CGO}} '04},
  venue = {Palo Alto, California}
}

@misc{rfc793,
  author="J. Postel",
  title="{Transmission Control Protocol}",
  series="Request for Comments",
  number="793",
  howpublished="RFC 793 (Standard)",
  publisher="IETF",
  organisation="Internet Engineering Task Force",
  year=1981,
  month=sep,
  day="1",
  note="Updated by RFC 3168",
  url="http://www.ietf.org/rfc/rfc793.txt",
}

@inproceedings{BR02,
 author = {Ball, Thomas and Rajamani, Sriram K.},
 title = {The {SLAM} project: debugging system software via static analysis},
 booktitle = {Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages},
 series = {POPL '02},
 year = {2002},
 isbn = {1-58113-450-9},
 location = {Portland, Oregon},
 pages = {1--3},
 numpages = {3},
 doi = {10.1145/503272.503274},
 acmid = {503274},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{CS04,
 author = {Cantrill, Bryan M. and Shapiro, Michael W. and Leventhal, Adam H.},
 title = {Dynamic instrumentation of production systems},
 booktitle = {Proceedings of the USENIX Annual Technical Conference},
 series = {ATEC '04},
 year = {2004},
 location = {Boston, MA},
 pages = {2--2},
 numpages = {1},
 url = {http://portal.acm.org/citation.cfm?id=1247415.1247417},
 acmid = {1247417},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{HJ02,
Address = {London, UK},
Author = {Thomas A. Henzinger and Ranjit Jhala and Rupak Majumdar and George C. Necula and Gr\&\#233;goire Sutre and Westley Weimer},
Booktitle = {Proceedings of the 14th International Conference on Computer Aided Verification (CAV)},
Date-Added = {2005-11-09 11:43:39 +0000},
Date-Modified = {2005-11-09 11:44:40 +0000},
Isbn = {3-540-43997-8},
Keywords = {security,systems},
Pages = {526--538},
Publisher = {Springer-Verlag},
Title = {Temporal-Safety Proofs for Systems Code},
Year = {2002}}

@TechReport{BP81,
author={K.H. Britton and D.L. Parnas},
Title={A-7E Software Module Guide},
institution= {NRL Memorandum Report 4702, Naval Research Laboratory},
address={Washington, D.C.}, month =dec, Year=1981 }

@InProceedings{CCMT93,
Author = "G. Canfora and A. Cimitile and M. Munro and C. Taylor",
Title = "Extracting Abstract Data Types from {C} Programs: {A} Case Study",
Booktitle = "Proceedings of the International Conference on Software
  Maintenance",
Organization = "", Address = "", Year = "1993",
Pages="200--209", Month = sep  }

@InProceedings{GK97,
Author = "J.F. Girard and R. Koschke",
Title = "Finding Components in a Hierarchy of Modules: A
Step Towards Architectural Understanding",
Booktitle = "Proceedings of the International Conference on Software
  Maintenance",
Organization = "", Address = "", Year = "1997",
Pages="72--81", Month = oct  }

@InProceedings{Gligor86,
Author={V.D. Gligor et al.},
Title={Design and Implementation of {Secure Xenix[TM]}},
BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1986}, Month=apr, pages={},
Note = {also in {\it IEEE Transactions on Software Engineering,} vol. SE-13, 2,
February 1987, 208--221}
}

@InProceedings{GM93,
   Author={R. Godin and H. Mili},
   Title={Building and Maintaining Analysis-Level Class
     Hierarchies Using {Galois} Lattices},
   BookTitle = {Proceedings of the 8th Annual Conference
   on Object-Oriented Programming Systems, Languages and Applications
   (OOPSLA '93), SIGPLAN Notices, 28, 10},
   Year={1993},
   Month={},
   Pages={394--410}
   }

@article{GMMMAC98,
   Author={R. Godin and H. Mili and G.W. Mineau and R. Missaoui
      and A. Arfi and T.-T. Chau},
   Title={Design of Class Hierarchies Based on Concept {(Galois)} Lattices},
   Journal = {Theory and Practice of Object Systems},
   volume={4}, number={2}, year={1998}, pages={117-134}}

@Article{Hoare74,
	Author = {C.A.R. Hoare},
	Title = {Monitors:  An Operating System Structuring Concept},
	Journal = {Communications of the ACM},
	Year = {1974},
	Volume = {17},
	Number = {10},
	Pages = {},
	Month = oct }

@InProceedings{Janson75,
   Author={P.A. Janson},
   Title={Dynamic Linking and Environment Initialization in a Multi-Domain Process},
   BookTitle={Proceedings of the Fifth ACM Symposium on Operating Systems Principles},
   Year={1975},
   Month=nov,
   Note={(ACM Operating Systems Review, Vol 9, No. 5)},
   Pages = {43--50}
   }

@Article{Janson81,
   Author={P.A. Janson},
   Journal={ACM Operating Systems Review},
   Title={Using Type Extension to Organize Virtual Memory Mechanisms},
   Year={1981},
   Month=oct,
   Pages={6--38},
   Volume={15},
   Number={4}
   }

@InProceedings{LS97,
Author = "C. Lindig and G. Snelting",
Title = "Assessing Modular Structure of Legacy Code Based
On Mathematical Concept Analysis",
Booktitle = "Proceedings of the International Conference
  on Software Engineering",
Organization = "", Address = "", Year = "1997",
Pages="349--359", Month = ""  }

@ARTICLE{LJ94,
Author={P.E Livadas and T. Johnson},
TITLE = {A New Approach to finding Objects in Programs},
JOURNAL = {Software Maintenance: Research and Practice},
YEAR = {1994}, VOLUME = {6},
NUMBER = {}, PAGES = {249--260}, MONTH = {} }

@InProceedings{MMCG98,
Author = "S. Mancoridis and B.S. Mitchell and Y. Chen and E.R. Gansner",
Title = "Using Automatic
  Clustering to produce High-Level System Organization of Source Code",
Booktitle = "Proceedings of the International Workshop on Program Comprehension",
Organization = "", Address = "", Year = "1998",
Pages="42--52", Month = ""  }

@InProceedings{MMCG99,
Author = "S. Mancoridis and B.S. Mitchell and Y. Chen and E.R. Gansner",
Title = "Bunch: A Clustering Tool for the Recovery and Maintenance of
  Software System Structures",
Booktitle = "Proceedings of the International Conference on Software
  Maintenance",
Organization = "", Address = "", Year = "1999",
Pages="50--59", Month = ""  }

@InProceedings{MH96,
Author = "S. Mancoridis and R.C. Holt",
Title = "Recovering the Structure of Software Systems
Using Tube Graph Interconnection Clustering",
Booktitle = "Proceedings of the International
Conference on Software Maintenance",
Organization = "", Address = "", Year = "1996",
Pages="23--32", Month = ""  }

@InProceedings{MK88,
Author = "M.K. McKusick and M.J. Karels",
Title = "Design of a General Purpose Memory Allocator for the
  {4.3BSD UNIX} Kernel",
Booktitle = "1988 Summer USENIX Conference Proceedings",
Organization = "", Address = "San Francisco, California", Year = "1988",
Pages="295--304", Month = jun  }

@TechReport{Nelson81,
author={B.J. Nelson},
Title={Remote Procedure Call},
institution= {Research Report
  CSL-79-9, XEROX Palo Alto Research Center},
address={3333 Coyote Hill Road,
Palo Alto, California}, month =may, Year=1981 }

@ARTICLE{Parnas79,
Author={D.L. Parnas},
TITLE = {Designing Software for Ease of Extension and Contraction},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1979}, VOLUME = {SE-5},
NUMBER = {2},  PAGES = {128--138}, MONTH = mar }

@InProceedings{S91,
Author = "R.W. Schwanke",
Title = "An Intelligent Tool for Re-engineering Software Modularity",
Booktitle = "Proceedings of the International Conference
  On Software Engineering",
Organization = "", Address = "", Year = "1991",
Pages="83--92", Month = ""  }

@ARTICLE{SR99,
Author={M. Siff and T. Reps},
TITLE = {Identifying Modules via Concept Analysis},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1999}, VOLUME = {SE-25},
NUMBER = {6},  PAGES = {749--768}, MONTH = {} }

@ARTICLE{S96,
Author={G. Snelting},
TITLE = {Reengineering of Configurations based on Mathematical Concept Analysis},
JOURNAL = {IEEE Transactions on Software Engineering and Methodology},
YEAR = {1996}, VOLUME = {5},
NUMBER = {2},  PAGES = {146--189}, MONTH = {} }

@InProceedings{ST98,
Author = "G. Snelting and F. Tip",
Title = "Reengineering Class Hierarchies Using Concept Analysis",
Booktitle = "Proceedings of the International Symposium on Foundations of
  Software Engineering",
Organization = "", Address = "", Year = "1998",
Pages="", Month = ""  }

@InProceedings{SH89,
Author = "G. Snider and J. Hays",
Title = "The Modix Kernel",
Booktitle = "1989 Winter USENIX Conference Proceedings",
Organization = "", Address = "San Diego, California", Year = "1989",
Pages="377--392", Month = feb  }

@ARTICLE{T01,
Author={P. Tonella},
TITLE = {Concept Analysis for Module Restructuring},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {2001}, VOLUME = {SE-27},
NUMBER = {4},  PAGES = {351--363}, MONTH = {} }

@Article{WS73,
   Author={W. Wulf and M. Shaw},
   Journal={SIGPLAN Notices },
   Title={Global Variable Considered Harmful},
   Year={1973},
   Month=feb,
   Pages={28--34},
   Volume={8},
   Number={2}
   }

@InProceedings{YHR95,
Author = "A. Yeh and D. Harris and H. Reubenstein",
Title = "Recovering Abstract Data Types and Object Instances
   from a Conventional Procedural Language",
Booktitle = "Proceedings of the Working Conference on Reverse Engineering",
Organization = "", Address = "", Year = "1995",
Pages="227--236", Month = ""  }

@InProceedings{vonNeumann56,
Author = {J. {von Neumann}},
Title = {Probabilistic logics and the synthesis of reliable organisms
from unreliable components},
Booktitle = {Automata Studies},
Address = {Princeton University, Princeton, New Jersey},
Year = {1956},
Pages={43--98}, Month = {} }

@InProceedings{Moore56,
Author = "E.F. Moore",
Title = "Gedanken Experiments on Sequential Machines",
Booktitle = {Automata Studies, Annals of Mathematical Studies, 34,
Princeton University Press, 1956},
Note = {C.E. Shannon and J. McCarthy, editors},
Year = {1956},
Pages ={129--153} }

@ARTICLE{MooreShannon56,
Author={E.F. Moore and C.E. Shannon}, TITLE = {Reliable circuits
using less reliable relays},
JOURNAL = {Journal of the Franklin Institute},
YEAR = {1956}, VOLUME = {262},
NUMBER = {}, PAGES = {191-208, 281-297}, MONTH = {September, October} }

@TechReport{Baran60,
Author={P. Baran},
title={Reliable Digital Communications Systems Using Unreliable
  Network Repeater Nodes},
institution={The RAND Corporaton},
number={P-1995},
year={1960}, month={May 27}}

@article{Hamming50,
Key = {Hamming}, Author = {R.W. Hamming},
Title = {Error Detecting and Error Correcting Codes},
journal = {Bell System Technical Journal}, year = {1950}, volume = {29},
number = {}, pages = {147--60}, month = {} }

@ARTICLE{Huffman53,
Author={D.A. Huffman},
TITLE = {A Method for the Construction of Minimum Redundancy Codes},
JOURNAL = {Proceedings of the IRE}, YEAR = {1952}, VOLUME = {40},
NUMBER = {}, PAGES = {}, MONTH = {} }

@ARTICLE{Huffman59,
Author={D.A. Huffman},
TITLE = {Canonical Forms for Information-Lossless Finite-State Machines},
JOURNAL = {IRE Transactions on Circuit Theory (special supplement)
   and IRE Transactions on Information Theory (special supplement)},
YEAR = {1959}, VOLUME = {CT-6 and IT-5},
NUMBER = {}, PAGES = {41-59}, MONTH = may,
NOTE = {A slightly revised version appeared in E.F. Moore, Editor,
  {\it Sequential Machines: Selected Papers}, Addison-Wesley, Reading,
  Massachusetts, 1964.} }

@ARTICLE{Huffman76,
Author={D.A. Huffman},
TITLE = {Curvatures and Creases: A Primer on Paper},
JOURNAL = {IEEE Transactions on Computers}, YEAR = {1975}, VOLUME = {C-25},
NUMBER = {10}, PAGES = {1010--1019}, MONTH = oct }

@ARTICLE{Belevitch59,
Author={V. Belevitch},
TITLE = {On the Statistical Laws of Linguistic Distributions},
JOURNAL = {Annals of the Society of Science, Brussels, Belgium},
YEAR = {1959}, VOLUME = {73},
NUMBER = {III}, PAGES = {310--326}, MONTH = {} }

@book{Peterson72,
Author={W.W. Peterson and E.J. {Weldon, Jr.}},
Title={Error-Correcting Codes, 2nd ed.},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1972} }

@article{Gilbert+74,
Key = {Gilbert}, Author = {E. Gilbert and J. MacWilliams and N. Sloane},
Title = {Codes Which Detect Deception},
journal = {Bell System Technical Journal}, year = {1974}, volume = {53},
number = {3}, pages = {405--424}, month = {} }

@book{Sloane,
Author={N.J.A. Sloane and F.J. MacWilliams},
Title={The Theory of Error-Correcting Codes, 9th reprint},
Publisher={North-Holland},
Year={1998} }

@book{Adamek,
Author={J. Adamek},
Title={Foundations of Coding: Theory and Applications of
Error-Correcting Codes with an Introduction
to Cryptography and Information Theory},
Publisher={Wiley-Interscience},
Year={1991} }

@book{Rao89,
Author={T.R.N. Rao},
Title={Error-Control Coding for Computer Systems},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1989} }

@book{Pless98,
Author={V. Pless},
Title={Introduction to the Theory of Error-Correcting Codes},
Publisher={John Wiley and Sons, New York},
Year={1998} }

@article{Dean+02,
Author={D. Dean and M. Franklin and A. Stubblefield},
TITLE = {An algebraic approach to IP traceback},
JOURNAL = {ACM Transactions on Information and System Security},
YEAR={2002}, VOLUME = {5}, NUMBER = {2}, PAGES = {119--137}, MONTH = may}

@INPROCEEDINGS{Adler02,
  AUTHOR = {M. Adler},
  TITLE = {Tradeoffs in probabilistic packet marking for IP traceback},
  BOOKTITLE = {Proceedings of the Thirty-fourth Annual {ACM} Symposium on Theory of Computing},
   YEAR = {2002}, PAGES = {407--418}, MONTH = {}
}

@INPROCEEDINGS{SudanGuruswami99,
	AUTHOR = {V. Guruswami and M. Sudan},
	TITLE = {List decoding algorithms for certain contatenated codes},
   BOOKTITLE = {Proceedings of the Thirty-second Annual {ACM} Symposium on Theory of Computing},
   YEAR = {2000}, PAGES = {181--190}, MONTH = apr
}

@article{KuijperPolderman04,
Author={M. Kuijper and J.W. Polderman},
TITLE = {Reed-Solomon list decoding from a system-theoretic perspective},
JOURNAL = {IEEE Transactions on Information Theory},
YEAR = {2004}, VOLUME = {40}, NUMBER = {2}, PAGES = {259--271},
MONTH = feb }

@ARTICLE{BrooksMusic57,
Author={F.P. {Brooks, Jr.} and A.L. Hopkins and P.G. Neumann and W.V. Wright},
TITLE = {An Experiment in Musical Composition},
JOURNAL = {IRE Transactions on Electronic Computers},
YEAR = {1957}, VOLUME = {EC-6},
NUMBER = {}, PAGES = {175-182}, MONTH = sep }

@PhDThesis{Neumann61,
Author={P.G. Neumann},
School={Department of Applied Mathematics, Harvard University},
Title={Efficient Error-Limiting Variable-Length Codes},
Year={1961}, Month=may,
Note ={Published as report BL-28,
  Theory of Switching, The Computation Laboratory, Harvard University.}}

@Book{Neumann60,
Author={P.G. Neumann},
Publisher={Thesis for Dr rerum naturum degree,
  Department of Mathematics and Physics, Technische Hochschule,
  Darmstadt, Germany},
Title={Funktionale Prefixcodes als Grundlage der praktischen
  Verschul\"{u}sselung},
Year={1960}, Month=jun}

@ARTICLE{NeumannRao75,
Author={P.G. Neumann and T.R.N. Rao},
TITLE = {Error Correction Codes for Byte-Organized Arithmetic Processors},
JOURNAL = {IEEE Transactions on Computers}, YEAR = {1975}, VOLUME = {C-24},
NUMBER = {3}, PAGES = {226-232}, MONTH = mar }

@ARTICLE{Neumann62a,
Author={P.G. Neumann},
TITLE = {Efficient Error-Limiting Variable-Length Codes},
JOURNAL = {IRE Transactions on Information Theory},
YEAR = {1962}, VOLUME = {IT-8},
NUMBER = {}, PAGES = {292-304}, MONTH = jul }

@ARTICLE{Neumann62b,
Author={P.G. Neumann},
TITLE = {On a Class of Efficient Error-Limiting Variable-Length Codes},
JOURNAL = {IRE Transactions on Information Theory}, YEAR = {1962},
VOLUME = {IT-8},
NUMBER = {}, PAGES = {S260-266}, MONTH = sep }

@ARTICLE{Neumann63,
Author={P.G. Neumann}, TITLE = {On Error-Limiting Variable-Length Codes},
JOURNAL = {IEEE Transactions on Information Theory}, YEAR = {1963},
VOLUME = {IT-9}, NUMBER = {}, PAGES = {209}, MONTH = jul }

@ARTICLE{Neumann64,
Author={P.G. Neumann},
TITLE = {Error-Limiting Coding Using Information-Lossless Sequential Machines},
JOURNAL = {IEEE Transactions on Information Theory},
YEAR = {1964}, VOLUME = {IT-10},
NUMBER = {}, PAGES = {108-115}, MONTH = apr }

@ARTICLE{Neumann65,
Author={P.G. Neumann},
TITLE = {A Note on {Gilbert} Burst-Correcting Codes},
JOURNAL = {IEEE Transactions on Information Theory},
YEAR = {1965}, VOLUME = {IT-11},
NUMBER = {}, PAGES = {377-384}, MONTH = jul }

@article{Mealy55,
Key = {Mealy}, Author = {G.H. Mealy},
Title = {A method for synthesizing sequential circuits},
journal = {Bell System Technical Journal}, year = {1955}, volume = {34},
number = {}, pages = {1045--79}, month = sep }

@TechReport{Baron+87,
Key={Baron}, Author={R. {Baron et al.}}, Title={Mach Kernel Interface Manual},
Institution={Computer Science Department, Carnegie-Mellon University,
Pittsburgh, Pennsylvania}, Month=apr, Year=1987 }

@InProceedings{BranstadTMachDesign87, Author={M.A. Branstad and P.S. Cochrane
and H. Orman and J. Landauer and T. Parenty and T. Haley and D. Dalva and D.
Baggett}, Title={Trusted {M}ach Design Issues}, Booktitle={Proceedings of
the Third Aerospace Computer Security Applications Conference},
Month=dec, Year=1987 }

@InProceedings{Branstad+87, Author={M.A. Branstad and P.S. Cochrane and H.
Orman and J. Landauer and T. Parenty and T. Haley and D. Dalva and D. Baggett},
Title={Trusted {M}ach Design Issues}, Booktitle={Proceedings of the Third
Aerospace Computer Security Applications Conference}, Month=dec,
Year=1987 }

@inproceedings{Branstad+89,
author={M.A. Branstad and H. Tajalli and F. Mayer and
D. Dalva}, title={Access Mediation in a Message Passing Kernel},
booktitle={Proceedings of the IEEE Symposium on Security and Privacy},
address={Oakland, California}, pages={66--72}, month=may, year=1989 }

@InProceedings{BranstadSecurityTMach88,
Author={M.A. Branstad and H. Tajalli and F. Mayer},
Title={Security Issues of the {T}rusted {M}ach System},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference},
Month=dec,
Year=1988 }

@InProceedings{xBranstadAccessMed88,
Author={M.A. Branstad and F.L. Mayer},
Title={Access Mediation in Server-Oriented Systems: An Examination of Two Systems},
Booktitle={Proceedings of the Eleventh National Computer Security Conference},
Month=oct,
Year=1988 }

@InProceedings{BranstadMayer88Server,
Author={M.A. Branstad and F.L. Mayer},
Title={Access Mediation in Server-Oriented Systems: An Examination of Two
Systems}, Booktitle={Proceedings of the Eleventh National Computer Security
Conference}, Month=oct, Year=1988 }

@TechReport{xBranstadMayer88ServerReport,
Author={M.A. Branstad and F.L. Mayer}, key ={Branstad},
title={Access Mediation in Server-Oriented Systems: An Examination of Two Systems},
institution={Trusted Information Systems, Inc., Glenwood, Maryland},
number={Report 159},
month=feb, year={1988} }

@TechReport{Branstad88Extensions,
Author={M.A. {Branstad et al.}}, key ={Branstad},
title={Trust Extensions to the {M}ach Message Passing System},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988} }

@TechReport{TMachKernel89,
Author={D.I. Dalva},
title={Mach Kernel Modifications for the Implementation of the Security Policy},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={19}, month=sep }

@TechReport{TMachName89,
Author={H. Tajalli and J. Graham},
title={Trusted {Mach} Name Server Interface Document},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={15}, month=sep }

@TechReport{TMachFile89,
Author={J. Graham},
title={Trusted {Mach} File Server Interface Document},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={15}, month=sep }

@TechReport{TMachAudit89,
Author={J. Graham},
title={Trusted {Mach} Audit Server Interface Document},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={19}, month=sep }

@TechReport{TMachVerif89,
Author={K.D. Hendriksen and J. Graham},
title={Trusted {Mach} Verification Server Interface Document},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={15}, month=sep }

@TechReport{TMachShell89,
Author={D. Baggett and J. Graham},
title={Trusted {Mach} Trusted Shell and Trusted Administrator Shell
Administrator's Guide},
institution={Trusted Information Systems, Inc., Glenwood, Maryland}, number={},
year={1988}, day={30}, month={August} }

@inproceedings{BranstadLandauer89,
author={M.A. Branstad and J. Landauer},
title={Assurance for the {Trusted Mach} Operating System},
BookTitle={Proceedings of the Fourth Annual Conference on Computer
Assurance COMPASS '89}, Organization={IEEE}, Month=jun, year={1989},
Pages={9--13}}

@TechReport{RomulusIntegrity91,
Author={}, key ={Rome Laboratory},
title={Romulus Theories of Integrity},
institution={Rome Laboratory},
number={},
year={1991}, month=oct }

@TechReport{Feiertag90DTMach,
Author={E.J. Sebes and R.J. Feiertag}, key ={Sebes},
title={Distributed {Trusted Mach} Concept Exploration},
institution={Rome Laboratory},
number={RL-TR-91-246},
year={1991}, month=sep, NOTE={Final Technical Report.}  }

@InProceedings{Cronus86,
Author={R. Schantz and R. Thomas and G. Bono},
Title={The Architecture of the {C}ronus Distributed Operating System},
Booktitle={Proceedings of the {IEEE} Sixth International Conference on
Distributed Computing Systems}, Month=may, Year={1986}, pages={250--259} }

@TechReport{Cronus88,
Author={BBN}, Title={Cronus System/Subsystem Specification},
Institution={5884 Revision 1.7, BBN Communications Corp.},
Month=jan, Year={1989}}

@Book{Firschein,
Author="O. Firschein and M.P. Georgeff and W. Park and P.
Cheeseman and J. Goldberg and P.G. Neumann and W.H. Kautz and K.N. Levitt and
R.J. Rom and A.A. Poggio", Title="Artificial Intelligence for {S}pace {S}tation
Automation: Crew Safety, Productivity, Autonomy, Augmented Capability",
Publisher= "Noyes, Park Ridge NJ", Key="Firschein", Year="1986", Note="(This
book is a verbatim copy of an SRI report, ``NASA Space Station Automation:
AI-Based Technology Review'', May 1985.)" }

@InProceedings{Barton63,
Author={R.S. Barton},
Title={A Critical Review of the State of the Programming Art},
Booktitle={Proceedings of the Spring Joint Computer Conference},
volume=23,
publisher={AFIPS Press},
address={Montvale, New Jersey},
Month =may,
Year=1963,
pages = {169--177} }

@inProceedings{DaleyNeumann,
key="Daley", Author="Robert C. Daley and Peter G. Neumann",
Title="A General-Purpose File System for Secondary Storage",
Booktitle="{AFIPS} Conference Proceedings, Fall Joint Computer Conference",
Publisher="Spartan Books", Year="1965", Month=nov, Pages="213--229"}

@InProceedings{Neumann69,
Key = {}, Author = {P.G. Neumann},
Title = {The Role of Motherhood in the Pop Art of System Programming},
Booktitle = {Proceedings of the {ACM} Second Symposium on Operating Systems
Principles, Princeton, New Jersey},
Organization = {ACM}, Address = {}, Year = {1969},
Pages={13--18}, Month = oct,
Note = {http://www.multicians.org/pgn-motherhood.html}
}

@inProceedings{Neumann71,
key="Neumann",Author="P.G. Neumann", Title="System
Design for Computer Networks", Booktitle="Computer-Communication Networks
(Chapter 2)", Note ="N. Abramson and F.F. Kuo (editors)", Publisher =
"Prentice-Hall",Year="1971",Pages="29--81"}

@Book{AbramsonKuo,
Author="N. Abramson and F.F. Kuo (editors.)",
Title="Computer-Communication Networks",
Publisher = "Prentice-Hall",Year="1971"}

@TechReport{ARPA73,
Key="Neumann", Author="P.G. Neumann and J. Goldberg and
K.N. Levitt and J.H. Wensley", Title="A Study of Fault-Tolerant Computing",
Institution="Stanford Research Institute, Menlo Park, California",
Year="1973", Month=jul,
Type="Final Report for {ARPA}, {AD} 766 974"}

@InProceedings{CAPRI,
Author="P.G. Neumann",
Title="Experiences with Formality in Software Development",
Booktitle="Theory and Practice of Software Technology",
Note ="D. Ferrari, M. Bolognani, and J. Goguen (editors)",
Publisher = "North-Holland",Year="1983",Pages="203--219",
Note="Reprinted in Rein Turn, editor, {\it Advances in Computer Security},
Volume 2, Artech House, 1984."}

@inProceedings{ZEN,
Author="P.G. Neumann",
Title="Psychosocial Implications of Computer Software Development and
Use: Zen and the Art of Computing",
Booktitle="Theory and Practice of Software Technology",
Note ="D. Ferrari, M. Bolognani, and J. Goguen (editors).",
Publisher = "North-Holland",
Year="1983", Pages="221--232"}

@book{LeeTiger,
Author={M. Lee and E. Lee and J. Johnstone},
Title={Ride the Tiger to the Mountain},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1989} }

@BOOK{LeeTigerx,
Note={ISBN 0-201-18077-4.} }

@TechReport{RADC81,
Key="Lamport", Author="L. Lamport and W.H. Kautz and P.G.
Neumann and R.L. Schwartz and P.M. Melliar-Smith", Title="Formal Techniques for
Fault Tolerance in Distributed Data Processing",
Institution="Computer Science Laboratory, SRI International, Menlo Park,
California", Year="1981", Month=apr,
Note="For Rome Air Development Center"}

@TechReport{NeumannLamport83,
Key="Neumann", Author="P.G. Neumann and L. Lamport",
Title="Highly Dependable Distributed Systems",
Institution="Computer Science Laboratory, SRI International, Menlo Park,
California", Year="1983", Month=jun,
Note="Final Report, Contract No. DAEA18-81-G-0062, for U.S. Army CECOM."}

@TechReport{Neumann+lamportXXX,
   Key={Neumann},
   Author={P.G. Neumann and L. Lamport},
   Institution={Computer Science Laboratory, SRI International},
   Title={Highly Dependable Distributed Systems},
   Year={1983},
   Month=jun,
   Type={Final Report, Contract No. DAEA18-81-G-0062}
   }

@Article{Neumann86,
Title="On Hierarchical Design of Computer Systems for Critical Applications",
Author="P.G. Neumann",
Journal="{IEEE} Transactions on Software Engineering",
Year="1986", Volume="SE-12", Number="9", Month=sep,
Page="905--920",Key="Neumann",
Note="Reprinted in Rein Turn, editor, {\it Advances in
Computer System Security}, Vol. 3, Artech House, Dedham, Massachusetts, 1988" }

@InProceedings{Neely,
   Key="Neely", Author="R.B. Neely and J.W. Freeman",
   BookTitle="Proc. 1985 Symposium on Security and Privacy",
   Organization="IEEE Computer Society",
   Title="Structuring Systems for Formal Verification",
   Address="Oakland, California", Year="1985", Month=apr, pages=""}

@article{Ames83,
Key="Ames",
author = "S.R. {Ames Jr.} and M. Gasser and R.R. Schell",
title = "Security Kernel Design and Implementation: An Introduction",
Month=jul, Year="1983", Journal="IEEE Computer", Volume="16", Number="7",
Pages="14-22"}

@article{Schell83,
Key="Schell", author = "R. Schell",
title = "A Security Kernel for a Multiprocessor Microcomputer",
Month=jul, Year="1983", Journal="IEEE Computer", Volume="16", Number="7",
Pages="47-53"}

@InProceedings{Arbo89,
   Key = "Arbo",
   Author = "R.S. Arbo and E.M. Johnson and R.L. Sharp",
   Title = "Extending Mandatory Access
     Controls to a Networked MLS Environment",
   Booktitle = "Proc. 12th National Computer Security Conference",
   Organization = "NCSC/NIST", Address = "Baltimore",   Year = "1989",
   Pages="286-295", month=oct }

@book{Kane89,
author={P. Kane}, title={{V.I.R.U.S.}, Protection of {V}ital
{I}nformation {R}esources {U}nder {S}iege}, publisher={Bantam Software
Library, New York}, year=1989 }

@article{parnasmay,
Title="A Technique for Software Module Specification with Examples",
Author="D.L. Parnas",
Journal="Communications of the ACM", Volume="15", Number="5",
Month=may, Year="1972", Page="330--336"}

@Article{parnas72,
Title="On the Criteria to be Used in Decomposing Systems
into Modules", Journal="Communications of the ACM", Year="1972",
Month=dec, Page="1053--1058",Author="D.L. Parnas", Volume="15",
Number="12"}

@ARTICLE{Courtois71,
Author={P.J. Courtois and F. Heymans and D.L. Parnas},
TITLE = {Concurrent Control with Readers and Writers},
JOURNAL = {Communications of the ACM}, YEAR = {1971}, VOLUME = {14},
NUMBER = {10}, PAGES = {667-668}, MONTH = oct }

@InProceedings{ParnasPrice73,
Author = {D.L. Parnas and W.R. Price},
Title = {The Design of the Virtual Memory Aspects of a Virtual Machine},
Booktitle = {Proceedings of the ACM SIGARCH-SIGOPS Workshop on Virtual
Computer Systems},
Organization = {ACM}, Address = {},
Year = {1973},
Pages={}, Month = mar }

@InProceedings{ParnasPrice74,
Author={D.L. Parnas and W.R. Price},
TITLE = {Design of a Non-Random Access Virtual Memory Machine},
Booktitle = {Proceedings of the International Workshop On Protection in
   Operating Systems},
YEAR = {1974}, Location = {IRIA, Rocquencourt, France},
VOLUME = {},
NUMBER = {}, PAGES = {177--181}, MONTH = aug }

@ARTICLE{ParnasSiewiorek75,
Author={D.L. Parnas and D.L. Siewiorek},
TITLE = {Use of the Concept of Transparency in the
    Design of Hierarchically Structured Systems},
JOURNAL = {Communications of the ACM}, YEAR = {1975}, VOLUME = {18},
NUMBER = {7}, PAGES = {401-408}, MONTH = jul }

@InProceedings{Parnas75ICRS,
Author={D.L. Parnas},
TITLE = {The Influence of Software Structure on Reliability},
Booktitle = {Proceedings of the International Conference on Reliable Software},
YEAR = {1975},  Location = {Los Angeles, California},
PAGES = {358--362}, MONTH = apr,
NOTE = {Reprinted with improvements in R. Yeh,
{\it Current Trends in Programming Methodology I}, Prentice-Hall, 1977,
111--119.} }

@TechReport{ParnasHandzel75,
author={D.L. Parnas and G. Handzel},
Title={More on Specification Techniques for Software Modules},
institution= {Fachbereich Informatik, Technische Hochschule Darmstadt,
Research Report BS I 75/1},
address={Germany}, month =apr, Year=1975 }

@ARTICLE{Parnas76,
Author={D.L. Parnas},
TITLE = {On the Design and Development of Program Families},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1976}, VOLUME = {SE-2},
NUMBER = {1},  PAGES = {1--9}, MONTH = mar }

@ARTICLE{Parnas+85,
Author={D.L. Parnas and P.C. Clements and D.M. Weiss},
TITLE = {The Modular Structure of Complex Systems},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1985},
VOLUME = {SE-11}, NUMBER = {3}, PAGES = {259--266}, MONTH = mar }

@inproceedings{Neumann74GI,
author={P.G. Neumann}, title={Toward a Methodology for Designing Large Systems
and Verifying Their Properties},month=oct,year={1974},
booktitle={{GI} -- 4. Jahrestagung}, pages={52--66},
publisher={Springer-Verlag, Berlin,
Lecture Notes in Computer Science, Vol. 26},
editors={G. Goos and J. Hartmanis} }

@InProceedings{buzzword,
Author = "D.L. Parnas", Title="On a ``Buzzword'':
Hierarchical Structure", key="Parnas", BookTitle = "Information Processing 74
(Proceedings of the {IFIP} Congress 1974)", Publisher = "North-Holland,
Amsterdam", Volume = "Software", Pages="336--339", Year = "1974"}

@InProceedings{ProctorRAP,
Key={Proctor}, Author={N.E. Proctor}, BookTitle={Proceedings of the 1985
Symposium on Security and Privacy}, Organization={IEEE Computer Society},
Title={The Restricted Access Processor: An Example of Formal Verification},
Address="Oakland, California", Year={1985}, Month=apr, pages={49--55}}

@InProceedings{Fray+86,
Author={J.-M. Fray and Y. Deswarte and D. Powell},
BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
Organization={IEEE Computer Society},
Title={Intrusion Tolerance Using Fine-Grain Fragmentation-Scattering},
Address="Oakland, California", Year={1986}, Month=apr, pages={194--201}}

@InProceedings{Deswarte91,
Author={Y. Deswarte and L. Blain and J.-C. Fabre},
BookTitle={Proceedings of the 1991 Symposium on Research in
  Security and Privacy},
Organization={IEEE Computer Society},
Title={Intrusion Tolerance in Distributed Computing Systems},
Address="Oakland, California", Year={1991}, Month=apr, pages={110--121}}

@inproceedings{ProctorWong89,
author={N.E. Proctor and R. Wong}, title={The
Security Policy of the {S}ecure {D}istributed {O}perating {S}ystem Prototype},
booktitle={Proceedings of the Fifth Aerospace Computer Security Applications
Conference}, address={Tucson AZ}, month=dec, year=1989 }

@article{RochlisEichin89,
author={J.A. Rochlis and M.W. Eichin}, title={With
Microscope and Tweezers: {T}he {W}orm from {MIT's} perspective},
journal={{Communications of the ACM}}, volume={32}, number={6}, pages={689--698}, month=jun,
year=1989 }

@article{Seeley89,
author={D. Seeley}, title={Password Cracking: A Game of
Wits}, journal={{Communications of the ACM}}, volume={32}, number={6}, pages={700--703},
month=jun, year=1989 }

@article{Spafford89,
author={E.H. Spafford}, title={The {I}nternet {W}orm:
{Crisis} and aftermath}, journal={{Communications of the ACM}}, volume={32}, number={6},
pages={678--687}, month=jun, year=1989 }

@article{Stoll88,
author={C. Stoll}, title={Stalking the {W}ily
{H}acker}, journal={{Communications of the ACM}}, volume={31}, number={5}, pages={484--497},
month=may, year=1988 }

@book{Stoll89,
author={C. Stoll}, title={The Cuckoo's Egg: Tracking a Spy
Through the Maze of Computer Espionage}, publisher={Doubleday,
New York}, year=1989 }

@manual{TCSEC,
  title = {Department of {{Defense Trusted Computer System Evaluation Criteria}} ({{TCSEC}})},
  date = {1985-12-26},
  note = {\url{https://csrc.nist.gov/CSRC/media/Publications/white-paper/1985/12/26/dod-rainbow-series/final/documents/std001.txt} or \url{https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/dod85.pdf}},
  number = {DoD 5200.28-STD, Orange Book},
  label = {DoD}
}

@Manual{TCSEC-Glossary,
Key="NCSC", Author={NCSC}, Title ="Glossary of Computer Security Terms",
Year ="21 October 1988", Organization ="National Computer
Security Center", Note ="NCSC-TG-004 Version-1" }

@Manual{TCSEC-TNIold,
Key="NCSC", Author={NCSC}, Title ="Trusted Network
Interpretation (TNI)", Year ="31 July 1987", Organization ="National Computer
Security Center", Note ="NCSC-TG-005 Version-1" }

@Manual{TCSEC-TNI,
Key="NCSC", Author={NCSC}, Title ="Trusted Network
Interpretation (TNI)",
Year ="31 July 1987", Organization ="National Computer
Security Center", Note ="NCSC-TG-005 Version-1, Red Book" }

@Manual{TCSEC-Guide,
Key="NCSC", Author={NCSC}, Title="Guidance for
Applying the Trusted Computer System Evaluation Criteria in Specific
Environments", date={1985-06},
Organization="National Computer Security Center", Note="CSC-STD-003-85,
Yellow Book" }

@Manual{TCSEC-TNI-guide,
Key="NCSC", Author={NCSC},
Title ="Trusted Network Interpretation Environments Guideline",
Year ="1 August 1990", Organization ="National Computer
Security Center", Note ="NCSC-TG-011 Version-1" }

@Manual{TCSEC-TDI,
Key="NCSC", Author={NCSC}, Title="Trusted Database
Management System Interpretation of the Trusted Computer System Evaluation
Criteria (TDI)", Year="April 1991", Organization="National Computer
Security Center", Note="NCSC-TG-021, Version-2, Lavender Book" }

@Manual{TCSEC-TVI,
Key="Trusted", Author={Trusted Information Systems}, Title="A Proposed
Interpretation of the {TCSEC} for Virtual Machine Monitor Architectures
{(TVI)}, Volume 1: Strict Separation", Year="draft, 1 May 1990",
Organization="Trusted Information Systems, Inc., Glenwood, Maryland, TIS Report 325"
}

@Manual{TCSEC-CSSI,
Key="NCSC", Author={NCSC}, Title="Computer System
Subsystem Interpretation of the Trusted Computer System Evaluation Criteria",
Year="16 September 1988", Organization="National Computer Security Center",
Note="NCSC-TG-009, Version-1." }

@Manual{NCSC-79-91-Integrity,
Key="NCSC", Author={NCSC}, Title="Integrity in Automated Information Systems",
Year="1991", Month=sep,
Organization="National Computer Security Center",
Note="C Technical Report 79-91" }

@Manual{ITSEC,
Author={{European Communities Commission}},
Title="Information Technology Security Evaluation Criteria (ITSEC), Provisional
Harmonised Criteria (of France, Germany, the
Netherlands, and the United Kingdom)", Year="1991", month=jun,
Note="Version 1.2.  Available from the Office for
Official Publications of the European Communities, L-2985 Luxembourg,
item CD-71-91-502-EN-C.  Also available from U.K. CLEF, CESG Room 2/0805,
Fiddlers Green Lane, Cheltenham U.K.
GLOS GL52 5AJ, or GSA/GISA, Am Nippenkreuz 19, D 5300 Bonn 2, Germany",
Organization={} }

@MANUAL{ITSECx,
NOTE = {ISBN 92-826-3004-8} }

@Manual{ITSEC90,
Author={{European Communities Commission}},
Title="Information Technology Security
Evaluation Criteria (ITSEC), Harmonised Criteria of France, Germany, the
Netherlands, and the United Kingdom", Year="2 May 1990",
Note="Draft, Version 1, Available from the U.K. CLEF, CESG Room 2/0805,
Fiddlers Green Lane, Cheltenham U.K. GLOS GL52 5AJ, or GSI/GISA, Am Nippenkreuz
19, D 5300 Bonn 2, Germany",
Organization={}
}

@Manual{CC2000,
key ="International",
Author="{International Standards Organization}",
Title="The Common Criteria for Information Technology Security Evaluation,
  Version 2.1, ISO 15408",
Month ="19 September", YEAR = "2000",
Organization={ISO/NIST/CCIB},
NOTE = "(\xlink{http://csrc.nist.gov/cc}{http://csrc.nist.gov/cc})"
}

@TechReport{UKSP01,
author={U.K.-CESG/DTI},
Title={{U.K. IT} Security Evaluation and Certification Scheme: Description of
the Scheme (Publication No. 1, Issue 1.0)},
institution= {Communications Electronics Security Group (Cheltenham)
and the Department of Trade and Industry},
address={}, month ={1 March},
Year=1991 }

@TechReport{UKSP06,
author={U.K.-CESG/DTI},
Title={{U.K. IT} Security Evaluation and Certification Scheme: {U.K.}
Certified Product List (Publication No. 6)},
institution= {Communications Electronics Security Group (Cheltenham)
and the Department of Trade and Industry},
address={}, month ={1 October},
Year=1991 }

@Manual{CTCPEC,
Key="Canada", Author={}, Title={Canadian Trusted Computer Product Evaluation
Criteria}, Month=dec, Year="1990", Note="Final Draft, version 2.0",
Organization={Canadian Systems Security Centre, Communications Security
Establishment, Government of Canada.} }

@Manual{CTCPEC93, Key="Canada",
Author={{Canadian Systems Security Centre,
  Communications Security Establishment, Government of Canada}},
Title={Canadian Trusted Computer Product Evaluation Criteria, Version 3.0e},
Month=jan, Year="1993" }

@Manual{MoD89-55,
Author={U.K. Ministry of Defence},
Title={Draft Interim Defence Standard 00-55,
Requirements for the procurement of safety critical software in defence
equipment},
Year="1989", Note="({DefStan} 00-55)", Organization={U.K. Ministry of Defence} }

@Manual{MoD89-56,
Author={U.K. Ministry of Defence},
Title={Draft Interim Defence Standard 00-56,
Requirements for the analysis of safety-critical hazards},
Year="1989", Note="({DefStan} 00-56)", Organization={U.K. Ministry of Defence} }

@Manual{MoD91-55,
Key="MoD", Author={U.K.-MoD}, Title={Interim Defence Standard 00-55,
The Procurement of Safety-Critical Software in Defence Equipment}, Month="5 April",
Year="1991", Note="DefStan 00-55; Part 1, Issue 1: Requirements;
Part 2, Issue 1: Guidance",
Organization={U.K. Ministry of Defence} }

@Manual{MoD91-56,
Key="MoD", Author={U.K.-MoD}, Title={Interim Defence Standard 00-56,
Hazard Analysis and Safety Classification of the Computer
and Programmable Electronic System Elements of Defence Equipment}, Month="5 April",
Year="1991", Note="DefStan 00-56", Organization={U.K. Ministry of Defence} }

@Manual{FedCritI,
author={}, key={Federal01},
Title={Federal Criteria for Information Technology Security, {Volume I},
Protection Profile Development,
Version 1.0}, institution= {National Institute of Standards and Technology
and National Security Agency},
address={}, month =dec, Year=1992 }

@Manual{FedCritII,
author={}, key={Federal02},
Title={Federal Criteria for Information Technology Security, {Volume II},
Registry of Protection Profiles, Version 1.0},
institution= {National Institute of Standards and Technology
and National Security Agency},
address={}, month =dec, Year=1992 }

@InProceedings{Tierney91,
Author = {M. Tierney},
Title = {The Evolution of {DefStan} 00-55 and 00-56: an intensification
of the `formal methods debate' in the {U.K.}},
Booktitle = {Software Workshop on Policy Issues in Systems and Software
Development}, Organization = {SPRU}, Address = {Brighton, U.K.},
Year = {1991}, Pages={}, Month = {18-19 July},
Note={Available from RCSS, Edinburgh University, 56 George Square,
Edinburgh EH8 9JU} }

@Manual{TCCSEC,
Key={USAirForce}, Author={USAF}, Title={Air Force Trusted Critical Computer
System Evaluation Criteria (TCCSEC)}, day={25}, month={June}, Year={1990},
Note={Draft}, Organization={U.S. Air Force HQ Electronic Security Command,
AFCSC/SRVC, San Antonio, TX 78243-5000} }

@Manual{TECSECI,
Key={USAirForce}, Author={USAF}, Title={Air Force Trusted Embedded Computer
System Evaluation Criteria Interpretation (TECSECI)}, day={25}, month={June},
Year={1990},
Note={Draft}, Organization={U.S. Air Force HQ Electronic Security Command,
AFCSC/SRVC, San Antonio, TX 78243-5000} }

@InProceedings{Arbo+89,
Key = "Arbo", Author = "R.S. Arbo and E.M. Johnson and
R.L. Sharp", Title = "Extending Mandatory Access Controls to a Networked {MLS}
Environment", Booktitle = {Proceedings of the Twelfth National Computer Security Conference},
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989",
Pages="286--295", month=oct }

@InProceedings{Boeing-LAN89,
Author={Gary R. Stoneburner and Dean A. Snow},
Booktitle = {Proceedings of the Twelfth National Computer Security Conference},
Title={The {Boeing MLS LAN:} Headed Towards an {INFOSEC} Security Solution},
Organization = {NIST/NCSC}, Address = {Baltimore, Maryland},
Pages = {254--266}, Year = {1989}, Month = {10--13 October} }

@InProceedings{Cohen,
Key="Cohen", Author = "F. Cohen", Title = "Computer Viruses",
BookTitle="Seventh DoD/NBS Computer Security Initiative Conference",
Organization = "National Bureau of Standards, Gaithersburg, Maryland",
Year="1984", Month="24--26 September",
Pages="240--263",
Note="Reprinted in Rein Turn, editor,
{\it Advances in Computer System Security},
Vol. 3, Artech House, Dedham, Massachusetts, 1988" }

@inProceedings{Neumann78,
key="Neumann3", Author="P.G. Neumann",
Title="Computer Security Evaluation", Booktitle="AFIPS Conference Proceedings,
NCC", Publisher="AFIPS Press", Year="1978", Month=jan, Pages="1087--1095",
Note="Reprinted in Rein Turn, editor,
{\it Advances in Computer Security}, Artech
House, Dedham, Massachusetts, 1981"}

@InProceedings{Neumann+74,
Author={P.G. Neumann and R.S. Fabry and K.N. Levitt and L. Robinson
        and J.H. Wensley},
TITLE = {On the Design of a Provably Secure Operating System},
Booktitle = {Proceedings of the International Workshop On Protection in
   Operating Systems},
YEAR = {1974}, Location = {IRIA, Rocquencourt, France},
VOLUME = {},
NUMBER = {}, PAGES = {161--175}, MONTH = aug }

@InProceedings{Robinson+77,
Author={L. Robinson and K.N. Levitt and P.G. Neumann and A.R. Saxena},
TITLE = {A Formal Methodology for the Design of Operating System Software},
Booktitle = {R. Yeh (editors), {\it Current Trends in Programming Methodology
I}, Prentice-Hall, 61--110}, year = {1977} }

@Inproceedings{BoyerElspas75,
Author="R.S. Boyer and B. Elspas and K.N. Levitt",
Title="{SELECT:} {A} formal system for testing and debugging
programs by symbolic execution", Booktitle="Proc. Int. Conf. Reliable
Software", Organization="IEEE", Publisher="IEEE", Pages="234-244",
Year="1975", Month=apr}

@Techreport{PSOS75,
Author={P.G. Neumann and L. Robinson and K.N. Levitt and R.S. Boyer
  and A.R. Saxena}, Title={A Provably Secure Operating System},
Institution={Computer Science Laboratory
SRI International, Menlo Park, California}, Year={1975}, day={13}, month={June} }

@Techreport{PSOS77,
Author={P.G. Neumann and R.S. Boyer and R.J. Feiertag and
K.N. Levitt and L. Robinson}, Title={A Provably Secure Operating System: The
  System, Its Applications, and Proofs},
Institution={Computer Science Laboratory
SRI International, Menlo Park, California}, Year={1977}, day={11}, month={February} }

@Techreport{PSOS, Author={P. G. Neumann and R.S. Boyer and R.J. Feiertag and
K.N. Levitt and L. Robinson}, Title={{A Provably Secure Operating System}:
The System, Its Applications, and Proofs}, Institution={Computer Science
Laboratory, SRI International, Menlo Park, California}, Year={1980},
Month=may, Note={2nd edition, Report CSL-116} }

@InProceedings(PSOSreport,
Key="Feiertag", Author="R. J. Feiertag and P. G. Neumann",
Title="The Foundations of a {Provably Secure Operating System} ({PSOS})",
Publisher="AFIPS Press",
Booktitle="Proceedings of the National Computer Conference",
Year="1979", Pages = "329--334",
NOTE = "\url{http://www.csl.sri.com/neumann/psos.pdf}"
)

@InProceedings{NeumannFeiertag03,
Author="P. G. Neumann and R. J. Feiertag",
Title="{PSOS} Revisited",
BookTitle="Proceedings of the 19th Annual Computer Security Applications
Conference (ACSAC 2003), Classic Papers section",
Organization="IEEE Computer Society",
Address="Las Vegas, Nevada", Year="2003", Month=dec, pages="208--216",
NOTE="http://www.acsac.org/ and http://www.csl.sri.com/neumann/psos03.pdf."
}

@techreport(Feiertag79b,
Author="R.J. Feiertag and K.N. Levitt and P.M.
Melliar-Smith", Title="Tactical {E}xecutive ({TACEXEC}): A Real-Time Secure
Operating System for Tactical Applications", Year="1979", Month=jul,
Institution="Computer Science Laboratory, SRI International",
Note="Final Report, Project 5545", Key="Feiertag79b")

@Article{proof,
Key="Robinson", Author="L. Robinson and K.N. Levitt", Title="Proof Techniques
for Hierarchically Structured Programs", Journal={Communications of the ACM},
Year="1977", Volume="20", Number="4", Pages="271--283", Month=apr}

@ARTICLE{Robinson+Levitt...,
AUTHOR = {Lawrence Robinson and Karl N. Levitt},
TITLE = {Proof Techniques for  Hierarchically Structured Programs},
JOURNAL = {Communications of the ACM},	YEAR = {1977}, VOLUME = {20},
NUMBER = {4}, PAGES = {271--283}, MONTH = apr }

@Article{RobinsonLevitt77...,
Author={L. Robinson and K.N. Levitt},
Title={Proof Techniques for Hierarchically Structured Programs},
Journal={Communications of the ACM},
volume=20,
number=4,
month=apr,
year=1977 }

@article{Linden76,
author={T.A. Linden},
title={Operating System Structures to Support Security and Reliable
  Software},
journal={ACM Computing Surveys},
volume={5}, number={1}, month=mar, year={1973}, pages={}}

@InProceedings{KargerHerbert84,
Key="Karger", Author="P.A. Karger and A.J. Herbert",
Title="An Augmented Capability Architecture to Support Lattice Security
  and Traceability of Access",
BookTitle="Proceedings of the 1984
Symposium on Security and Privacy", Organization="IEEE Computer Society",
Address="Oakland, California", Year="1984", Month=apr, pages="95--100"}

@InProceedings{Karger87,
Key="Karger", Author="P.A. Karger", Title="Limiting the
Damage Potential of Discretionary {T}rojan Horses",
BookTitle="Proceedings of the 1987 Symposium on Security and Privacy",
Organization="IEEE Computer Society",
Address="Oakland, California", Year="1987", Month=apr, pages="32--37"}

@InProceedings{Karger88,
Key="Karger", Author="P.A. Karger", Title="Implementing Commercial
Data Integrity with Secure Capabilities", BookTitle="Proceedings of the 1988
Symposium on Security and Privacy", Organization="IEEE Computer Society",
Address="Oakland, California", Year="1988", Month=apr, pages="130--139"}

@InProceedings{Karger78,
Author={P.A. Karger},
Title={The lattice model in a public computing network},
Booktitle={Proceedings of the ACM Annual Conference},
volume=1,
month=dec,
year=1978 }

@PhDThesis{KargerThesis,
   Key={Karger}, Author={P.A. Karger},
   Title={Improving Security and Performance for Capability Systems},
   School={Computer Laboratory, University of Cambridge,
      Cambridge, England},
   Year={1988}, Month=oct, Note={Technical Report No. 149}
}

@InProceedings{KargerSchell74,
Author="P.A. Karger and R.R. Schell",
Title="Multics Security Evaluation: Vulnerability Analysis",
BookTitle="Proceedings of the 18th Annual Computer Security Applications
Conference (ACSAC), Classic Papers section",
Organization="",
Address="Las Vegas, Nevada", Year="2002", Month=dec, pages="",
NOTE="Originally available as U.S. Air Force report
ESD-TR-74-193, Vol. II, Hanscomb Air Force Base, Massachusetts."
}

@InProceedings{KargerSchell02,
Author="P.A. Karger and R.R. Schell",
Title="Thirty Years Later: Lessons from the {Multics} Security Evaluation",
BookTitle="Proceedings of the 18th Annual Computer Security Applications
Conference (ACSAC), Classic Papers section",
Organization="",
Address="Las Vegas, Nevada", Year="2002", Month=dec, pages="",
NOTE="http://www.acsac.org/ ."
}

@InProceedings{Lee88,
Key="Lee", Author="T.M.P. Lee", Title="Using Mandatory
Integrity", BookTitle="Proceedings of the 1988
Symposium on Security and Privacy", Organization="IEEE Computer Society",
Address="Oakland, California", Year="1988", Month=apr, pages="140--146"}

@article{Shoch82,
Title={The {``Worm''} Programs -- Early Experience with a Distributed
Computation}, Author={J.F. Shoch and J.A. Hupp}, Key="", Month=mar,
Year=1982, Journal= {Communications of the ACM}, Volume=25, Number=3, Pages="172--180",
NOTE={Reprinted in Denning (ed.), {\it Computers Under Attack}} }

@book{Ford82,
Author={D. Ford},
Title={Three Mile Island: Thirty Minutes to Meltdown},
Publisher={Viking Press},
Year={1982},
NOTE="Sensor-related quote reproduced in {\it ACM SIGSOFT Software Engineering
  Notes, 11,} 3, 9--10, July 1986."}

@techreport{Shockley88,
author={W.R. Shockley}, Title="Implementing the {C}lark/{W}ilson Integrity
Policy Using Current Technology", institution="Gemini Computers, P.O. Box
222417, Carmel California", Year=1988, Note="GCI-88-6-01." }

@article{MorrisThompson,
Title="Password Security: A Case History",
Author="R. Morris and K. Thompson", Key="Morris", Month=nov,
Year=1979, Journal= {Communications of the ACM}, Volume=22, Number=11, Pages="594--597"}

@Article{Thompson84,
   Key={Thompson}, Author={K.L. Thompson}, Journal={Communications of the ACM},
   Title={Reflections on Trusting Trust}, Year={1984},
   Month=aug, Pages={761--763}, Volume={27}, Number={8}   }

@TechReport{RTMorris85,
author={R.T. Morris},
Title={Computer Science Technical Report 117},
institution= {AT\&T Bell Laboratories},
address={Murray Hill, New Jersey}, month ={25 February}, Year=1985}

@book{Salus,
Author={P. Salus},
Title={A Quarter-Century of Unix},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1994} }

@article(Rosen81,
Key="Rosen", Author="E. Rosen", Title="Vulnerabilities of
Network Control Protocols", Journal="ACM SIGSOFT Software Engineering Notes",
Year="1981", Volume="6", Number="1", Pages="6--8", Month=jan)

@article{Garman,
Key="Garman", Author="J. Garman", Title="The Bug Heard 'Round the World",
Journal="ACM SIGSOFT Software Engineering Notes", Year="1981",
Month =oct, Volume="6", Number="5", Pages="3--10"}

@article{Jaffe89,
Key="Jaffe", Author="M. {Jaffe, as reported by P.G. Neumann}",
Title="Aegis, {Vincennes,} and the {Iranian} {Airbus}",
Journal="ACM SIGSOFT Software Engineering Notes",
Year="1989", Volume="14", Number="5", Pages="20--21", Month=jul}

@InProceedings{YoungMcHugh,
Key="Young", Author="W.D. Young and J. McHugh",
Title="Coding for a Believable Specification to Implementation Mapping",
BookTitle="Proceedings of the 1987 Symposium on Security and Privacy", Organization="IEEE
Computer Society", Address="Oakland, California", Year="1987", Month=apr,
pages="140--148"}

@InProceedings{ClarkWilson87,
Author="D.D. {Clark and D.R. Wilson}",
Title="A Comparison of Commercial and Military Computer Security Policies",
BookTitle="Proceedings of the 1987 Symposium on Security and Privacy", Organization="IEEE
Computer Society", Address="Oakland, California", Year="1987", Month=apr,
pages="184--194"}

@InProceedings{ClarkWilson87x,
NOTE = {IEEE 87CH2416-6, ISBN 0-8186-0771-8.}}

@InProceedings{Lipner82,
Key="Lipner", Author = "S.B. Lipner",
Title="Non-Discretionary Controls for Commercial Applications", Year="1982",
Pages="2--10", Booktitle="Proceedings of the 1982 Symposium on Security and
Privacy", Publisher="IEEE", Note="Oakland, California, 26--28 April 1982" }

@InProceedings(Sebe88,
Author="M.M. Sebring and E. Shellhouse and M.E. Hanna and R.A. Whitehurst",
Title="Expert System in Intrusion Detection: A Case Study",
BookTitle="Eleventh National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1988", Month=oct)

@InProceedings{GarveyLunt90,
Author={T.D. Garvey and T.F. Lunt},
Title={Multilevel Security for Knowledge-based Systems},
Booktitle={Proceedings of the EISS Workshop on Database Security},
address={European Institute for System Security, Karlsruhe, Germany},
month=apr,
Year=1990 }

@TechReport{GarveyLuntReport90,
author={T.D. Garvey and T.F. Lunt},
Title="Multilevel Security for Knowledge Based Systems",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1990 }

@InProceedings(Lunt88,
Key="Lunt", Author="T.F. Lunt",
Title="Automated Audit Trail Analysis and Intrusion Detection: A Survey",
BookTitle="Eleventh National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1988", Month=oct)

@InProceedings{LuntJagannathan88,
Key="Lunt", Author="T.F. Lunt and R. Jagannathan",
Title="A Prototype Real-Time Intrusion-Detection Expert System",
BookTitle="Proceedings of the 1988 Symposium on Security and Privacy", Organization="IEEE
Computer Society", Address="Oakland, California", Year="1988", Month=apr,
pages="59--66"}

@book{Johnson94,
Author={D. Johnson},
Title={Computer Ethics (2nd ed.)},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1994} }

@book{Johnson+95,
Author={D. Johnson and H. Nissenbaum},
Title={Computer Ethics and Social Values},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1995} }

@book{ParkerEthics,
Author={D.B. Parker}, Title={Ethical Conflicts in Information and Computer
Science, Technology, and Business},
Publisher={QED Information Sciences, Wellesley, Massachusetts}, Year={1990} }

@book{Parker83,
Author={D.B. Parker}, Title={Fighting Computer Crime}, Publisher={Scribner,
New York}, Year={1983} }

@book{Parker76,
Author={D.B. Parker}, Title={Crime by Computer}, Publisher={Scribner,
New York}, Year={1976} }

@book{Parker98,
Author={D.B. Parker}, Title={Fighting Computer Crime}, Publisher={John Wiley
\& Sons, New York}, Year={1998} }

@InProceedings{NeumannParker89,
Key = "Neumann1", Author = "P. G. Neumann and
D.B. Parker", Title = "A Summary of Computer Misuse Techniques", Booktitle =
"Proceedings of the Twelfth National Computer Security Conference", Organization = "NIST/NCSC",
Address = "Baltimore, Maryland", Year = "1989", Pages="396--407", month=oct}

@Manual{Washcloth1,
title = {A Study of Computer Abuse -- Volume One: Computer Abuse Techniques},
author = {P.G. Neumann and D.B. Parker}, key={Neumannaa2},
organization = {SRI International, Menlo Park, California},
month = {Revised, 2 March},
year = {1990}, note={Final report for SRI Project 6812, U.S. Government} }

@Manual{Washcloth2,
title = {A Study of Computer Abuse -- Volume Two:
Information Exploitation Database},
author = {P.G. Neumann and D.B. Parker}, key={Neumannbb3},
organization = {SRI International, Menlo Park, California},
month = {31 July},
year = {1989}, note={Final report for SRI Project 6812, U.S. Government} }

@InProceedings{Gasser+89,
Key = "Gasser",
Author = "M. Gasser and A. Goldstein and C. Kaufman and B. Lampson",
Title = "The {Digital} Distributed System Security Architecture",
Booktitle = "Proceedings of the Twelfth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989",
Pages="305--319", month=oct }

@InProceedings{RussellSchaefer89,
Key = "Russell", Author = "T.T. Russell and
M. Schaefer", Title = "Toward a High {B}
Level Security Architecture for the {IBM}
{ES/3090} Processor Resource/Systems Manager {(PR/SM)}",
Booktitle = "Proceedings of the Twelfth
National Computer Security Conference", Organization = "NIST/NCSC", Address =
"Baltimore, Maryland", Year = "1989", Pages="184--196", month=oct }

@InProceedings{Smid+89,
Key = "Smid", Author = "M. Smid and J. Dray and R.B.J.
Warnar", Title = "A Token Based Access Control System for Computer Networks",
Booktitle = "Proceedings of the Twelfth National Computer Security Conference", Organization =
"NIST/NCSC", Address = "Baltimore, Maryland", Year = "1989", Pages="232--253", Month =
"10--13 October" }

@article{Fenton74,
Author={J.S. Fenton}, Title={Memoryless Subsystems},
Key={Fenton}, Month=may, Year=1974, Journal={Computer Journal},
Volume=17, Number=2, Pages={143--147}}

@InProceedings{Denning74,
Key={Denning}, Author={D.E. Denning and P.J. Denning and G.S. Graham},
BookTitle={Protection in Operating Systems,
Proceedings of the International Workshop on Protection in Operating Systems},
Organization={IRIA, Rocquencourt, Le Chesnay, France},
Title={Selectively Confining Subsystems}, Year={1974},
Month=aug }

@InProceedings{Jones74,
Key = {Jones}, Author = {A.K. Jones and W.A. Wulf},
Title = {Towards the Design of Secure Systems},
Booktitle = {Protection in Operating Systems,
Proceedings of the International Workshop on Protection in Operating Systems},
Organization = {Institut de Recherche d'Informatique}, Address = {Rocquencourt,
Le Chesnay, France},
Pages={121--135}, date={1974-08-13/1974-08-14}}

@article{Jones_DesignSecureSystems_1975,
  title = {Towards the Design of Secure Systems},
  author = {Jones, Anita K. and Wulf, William A.},
  date = {1975-10},
  journaltitle = {Software: Practice and Experience},
  volume = {5},
  pages = {321--336},
  doi = {10.1002/spe.4380050403},
  abstract = {Within a programmed system, we may distinguish between different kinds of information in order to control the use of each kind by separate security policies, where each policy is tailored to the sensitivity and desired dissemination of that one kind of information. This paper analyses the implications of implementing security policies and describes mechanisms which can be used as the basis for constructing operating systems with the desired security attributes.},
  langid = {english},
  number = {4}
}

@InProceedings{CohenJefferson75,
  title = {Protection in the {{Hydra Operating System}}},
  booktitle = {Proceedings of the Fifth {{ACM}} Symposium on {{Operating}} Systems Principles},
  author = {Cohen, Ellis and Jefferson, David},
  date = {1975-11-01},
  pages = {141--160},
  publisher = {{Association for Computing Machinery}},
  location = {{New York, NY, USA}},
  doi = {10.1145/800213.806532},
  abstract = {This paper describes the capability based protection mechanisms provided by the Hydra Operating System Kernel. These mechanisms support the construction of user-defined protected subsystems, including file and directory subsystems, which do not therefore need to be supplied directly by Hydra. In addition, we discuss a number of well known protection problems, including Mutual Suspicion, Confinement and Revocation, and we present the mechanisms that Hydra supplies in order to solve them.},
  isbn = {978-1-4503-7863-5},
  keywords = {Capability,Confinement,Mutual suspicion,Operating system,Protected subsystem,Protection,Protection problem,Revocation,Type},
  series = {{{SOSP}} '75}
}

@book{Wulf81,
   Title={Hydra/{C.mmp}: An Experimental Computer System},
   Author={W.A. Wulf and R. Levin and S.P. Harbison},
   Year={1981},
   publisher={McGraw-Hill, New York},
   }

@InProceedings{Denning83,
Key={Denning}, Author={D.E. Denning}, BookTitle={Proceedings of CRYPTO '83},
Organization={UCSB}, Title={Field Encryption and Authentication}, Year={1983},
Month=aug }

@TechReport{Kramer81, Key={Kramer}, Author={S.M. Kramer}, Institution={Mitre
Corporation}, Title={The {Ina} {Jo} Flow Table Generator}, Year={1981},
Month=feb, Number={WP23103}, Address={Bedford, Massachusetts}, Type={Working
Paper} }

@inproceedings{Rushby81,
key={Rushby}, author={J.M. Rushby}
,title={The Design and Verification of Secure Systems}
,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles} ,address={Asilomar, California}
,month=dec ,year={1981} ,pages={12--21} ,
note={(ACM Operating Systems Review, 15(5)).},
url ="http://www.csl.sri.com/~{}rushby/abstracts/sosp81"
}

@inproceedings{Rushby82,
key={Rushby} ,author={J.M. Rushby} ,title={{Proof of Separability}--a
Verification Technique for a Class of Security Kernels} ,month=apr
,year={1982} ,booktitle={Proceedings of the Fifth International Symposium on Programming}
,address={Turin, Italy} ,pages={352--367} ,
publisher={M. Dezani-Cianaglini and U. Montanari, eds., Springer-Verlag,
Berlin, Lecture Notes in Computer Science, Vol. 137} }

@article{HorningRandell73,
author={J. Horning and B. Randell},
title={Process Structuring}, journal={ACM Computing Surveys},
volume={5}, number={1}, month=mar, year={1973}, pages={}}

@InCollection{Horning+74,
Publisher = "Springer-Verlag",
Author = "J.J. Horning and H.C. Lauer and P.M. Melliar-Smith and
B. Randell",
Title = "A Program Structure for Error Detection and Recovery",
Year = "1974", Pages = "171-187", Address = "Berlin",
Booktitle = "Operating Systems, Proceedings of an International Symposium,
Notes in Computer Science 16",
Editors = "E. Gelenbe and C. Kaiser" }

@Article{Anderson+Knight,
   Key={Anderson},
   Author={T. Anderson and J.C. Knight},
   Journal={IEEE Transactions on Software Engineering},
   Title={A Framework for Software Fault Tolerance in Real-Time Systems},
   Year={1983},
   Month=may,
   Pages={355--364},
   Volume={SE-9},
   Number={3}
   }

@Book{Anderson+Lee,
   Key={Anderson},
   Author={T. Anderson and P.A. Lee},
   Publisher={Prentice-Hall International, Englewood Cliffs, New Jersey},
   Title={Fault-Tolerance: Principles and Practice},
   Year={1981}
   }

@TechReport{Rushby+Randell83b,
   Key={Rushby},
   Author={J.M. Rushby and B. Randell},
   Institution={Computing Laboratory, University of Newcastle upon Tyne},
   Title={A Distributed Secure System},
   Year={1983},
   Month=may,
   Number={182}
   }

@InProceedings{Rushby+Randell83c,
   Key={Rushby},
   Author={J.M. Rushby and B. Randell},
   BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={A Distributed Secure System (Extended Abstract)},
   Pages={127--135},
   Month=apr,
   Year={1983}
   }

@Article{Rushby83,
Key={Rushby}, Author={J.M. Rushby and B. Randell}, Journal={IEEE Computer},
Title={A Distributed Secure System}, Year={1983}, Month=jul, Pages={55--67},
Volume={16}, Number={7} }

@TechReport{Feiertag80,
Author={R.J. Feiertag}, Title={A Technique for Proving Specifications are
Multilevel Secure}, number={CSL-109},
Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California}, month=jan, Year=1980 }

@Manual{HDM:Handbook,
Key={Robinson},
Author={L. Robinson and K.N. Levitt and B.A. Silverberg},
Title={The {HDM} Handbook}, Year={1979}, Month=jun,
Organization={Computer Science Laboratory, SRI International},
Note={Three Volumes}, Address={Menlo Park, California} }

@InProceedings{L+N78,
Key={L+N78}, Author={H.C. Lauer and R.M. Needham}, BookTitle={Proceedings of the Second
International Symposium on Operating Systems}, Organization={IRIA, France},
Title={On the Duality of Operating System Structures}, Year={1978},
Month=oct, Note={(Reprinted in ACM Operating Systems Review, Vol 13, No
2, April 1979, pp.3--19)} }

@book{WilkesNeedham79,
Author={M.V. Wilkes and R.M. Needham},
Title={The {Cambridge} {CAP} Computer and Its Operating System},
Publisher={Elsevier North Holland, New York},
Year={1979} }

@InProceedings{Boebert+Kain,
   Key={Boebert},
   Author={W.E. Boebert and R.Y. Kain},
   BookTitle={Proceedings of the Eighth DoD/NBS Computer Security Initiative Conference},
   Title={A Practical Alternative to Hierarchical Integrity Policies},
   Address={Gaithersburg, Maryland},
   Year={1985},
   Month={1--3 October}     }

@Article{YBK85,
  author =       {W.D. Young and W.E. Boebert and R.Y. Kain},
  title =        {Proving a Computer System Secure},
  journal =      {Scientific Honeyweller},
  year =         1985,
  volume =       6,
  number =       2,
  month =        jul,
  pages =        {18--27},
  note =  {Reprinted in Tutorial: Computer and Network Security,
  M.D. Abrams and H.J. Podell, editors, IEEE Computer Society Press, 1987,
  pp. 142--157.}
}

@InProceedings{FLR77, Key={Feiertag}, Author={R.J.
Feiertag and K.N. Levitt and L. Robinson}, BookTitle={Proceedings of the Sixth ACM Symposium
on Operating System Principles}, Title={Proving Multilevel Security of a System
Design}, Year={1977}, Month=nov, Pages={57--65} }

@techreport{B+LP76,
key={Bell76}, author={D.E. Bell and L.J. La Padula}, title={Secure Computer
System: Unified Exposition and {Multics} Interpretation},
number={ESD-TR-75-306}, institution={The Mitre Corporation}, address={Bedford,
Massachusetts}, month=mar, year={1976}}

@techreport{B+LP73, key={Bell73}, author={D.E.
Bell and L.J. La Padula}, title={Secure Computer Systems : Volume {I} --
Mathematical Foundations; Volume {II} -- A Mathematical Model; Volume {III} --
A Refinement of the Mathematical Model}, number={MTR-2547 (three volumes)},
institution={The Mitre Corporation}, address={Bedford, Massachusetts},
month={March--December}, year={1973}}

@techreport{B+L73a, key={Bell73a},
author={D.E. Bell and L.J. La Padula}, title={Secure Computer Systems :
Mathematical Foundations}, number={MTR-2547 Vol. I}, institution={Mitre
Corporation}, address={Bedford, Massachusetts}, month=mar, year={1973}}

@techreport{B+L73b, key={Bell73b}, author={D.E. Bell and L.J. La Padula},
title={Secure Computer Systems : A Mathematical Model}, number={MTR-2547 Vol.
{II}}, institution={Mitre Corporation}, address={Bedford, Massachusetts}, month=may,
year={1973}}

@techreport{B+L73c, key={Bell73c}, author={D.E. Bell and L.J. La
Padula}, title={Secure Computer Systems : A Refinement of the Mathematical
Model}, number={MTR-2547 Vol. {III}}, institution={Mitre Corporation},
address={Bedford, Massachusetts}, month=dec, year={1973}}

@TechReport{Bell73,
Author={D.E. Bell and L.J. La Padula},
Title={Secure Computer Systems: Mathematical Foundations and Model},
Institution={The Mitre Corporation},
Address={Bedford, Massachusetts},
number={M74-244},
Month=may,
Year=1973 }

@InProceedings{Lampson69,
Author = "B.W. Lampson",
Title = "On reliable and extendible operating systems",
Booktitle = "Proceedings of the Second NATO Conference on
  Techniques in Software Engineering",
Organization = "NATO", Address = "Rome, Italy", Year = "1969",
Pages="", Month = "" }

@article{LampsonSturgis76,
author={B.W. Lampson and H. Sturgis},
title={Reflections on an operating system design},
journal={Communications of the ACM},
volume={19}, number={5}, month=may, year={1976}, pages={251--265} }

@article{lampson73,
key={Lampson}, author={B.W. Lampson}, title={A Note on the Confinement
Problem}, journal={Communications of the ACM}, volume={16}, number={10}, month=oct
,year={1973}, pages={613--615}}

@InProceedings{LampsonRedund,
author={B.W. Lampson},
title={Redundancy and Robustness in Memory Protection},
Booktitle={Information {P}rocessing 74 ({Proceedings of the IFIP Congress} 1974)},
Publisher={North-Holland, Amsterdam},
year={1974}, volume = {Hardware II}, pages={128--132}}

@Article{Fraim,
Key={Fraim}, Author={L.J.
Fraim}, Journal={Computer}, Title={{SCOMP}: A Solution to the Multilevel
Security Problem}, Year={1983}, Month=jul, Pages={26--34}, Volume={16},
Number={7} }

@InProceedings{Silverman,
Key={Silverman}, Author={J.M.
Silverman}, BookTitle={Proceedings of the Ninth ACM Symposium on Operating System Principles},
Title={Reflections on the Verification of the Security of an Operating System},
Year={1983}, Month=oct, Pages={143--154} }

@InProceedings{Lipner,
Key={Lipner}, Author={S.B. Lipner}, BookTitle={Proceedings of the Fifth ACM Symposium on
Operating System Principles}, Organization={ACM}, Title={A Comment on the
Confinement Problem}, Year={1975}, Pages={192--196} }

@TechReport{Denning:Derivation,
Key={Denning}, Author={D.E. Denning},
Institution={Purdue University}, Title={On the Derivation of Lattice Structured
Information Flow Policies}, Year={1976}, Month=mar, Number={CSD TR 180} }

@Article{Denning:Lattice,
Key={Denning}, Author={D.E. Denning}, Journal={Communications of the ACM},
Title={A Lattice Model of Secure Information Flow}, Year={1976}, Month=may,
Pages={236--243}, Volume={19}, Number={5} }

@misc{Goguen:Database,
title = {Secure Database Concepts}, author = {J.A. Goguen}, year = 1982, month =
jun, howpublished = {Working paper prepared for National Academy of Science,
AFSB Summer Study on Multilevel Database Security}, key = {Goguen}}

@InProceedings{G+M82,
Key={Goguen}, Author={J.A. Goguen and J.
Meseguer}, Title={Security Policies and Security Models}, BookTitle={Proceedings of the 1982
Symposium on Security and Privacy}, Organization={IEEE Computer Society},
Address={Oakland, California}, Year={1982}, Month=apr, Pages={11--20} }

@InProceedings{G+M84,
   Key={Goguen},
   Author={J.A. Goguen and J. Meseguer},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Unwinding and Inference Control},
   Year={1984},
   Pages={75--86},
   Month=apr
   }

@misc{G+M:Unwinding,
author = {J.A. Goguen and J. Meseguer},
title = {Unwinding of Noninterference Assertions},
year = 1983,
howpublished= {Draft appears in \cite{psos83}},
key = {Goguen + Meseguer}}

@techreport{psos83,
author = {P.G. {Neumann et al.}},
title = {Technology for Provably Secure Systems},
institution = {Computer Science Laboratory, SRI International},
Address={Menlo Park, California},
year = 1983,
month = aug,
key = {Neumann} }

@misc{Goguen:MMS,
title = {Formalization of {Landwehr}-{Heitmeyer} {SMMS} Model},
author = {J.A. Goguen},
year = 1982, month = jun,
howpublished = {Working paper prepared for National Academy of Science, AFSB
  Summer Study on Multilevel Database Security},
key = {Goguen}}

@Book{Denning:Book,
   Key={Denning},
   Author={D.E. Denning},
   Publisher={Addison-Wesley, Reading, Massachusetts},
   Title={Cryptography and Data Security},
   Year={1982}
   }

@Article{Fenton,
   Key={Fenton},
   Author={J.S. Fenton},
   Journal={Computer Journal},
   Title={Memoryless Subsystems},
   Year={1974},
   Month=may,
   Pages={143--147},
   Volume={17},
   Number={2}
   }

@TechReport{Rushby:Basis,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computer Science Laboratory, SRI International},
   Title={Mathematical Foundations of the {MLS} Tool for Revised Special},
   Year={1986},
   Address={Menlo Park, California},
   Type={Forthcoming}
   }

@TechReport{Rushby:SRI,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computer Science Laboratory, SRI International},
   Address={Menlo Park, California},
   Title={The {SRI} Security Model},
   Year={Forthcoming}
   }

@TechReport{Rushby:BLP,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computer Science Laboratory, SRI International},
   Address={Menlo Park, California},
   Title={The {Bell} and {La Padula} Security Model},
   Year={1986},
   Month=jun,
   Type={Draft Report}
   }

@TechReport{Rushby:Models,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computer Science Laboratory, SRI International},
   Address={Menlo Park, California},
   Title={Computer Security Models},
   Year={1984},
   Type={Draft Internal note},
   Month=apr
   }

@TechReport{Rushby:Comparison,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computer Science Laboratory, SRI International},
   Address={Menlo Park, California},
   Title={Comparison between the {Bell} and {La Padula} and the {SRI} Security Models},
   Year={1986},
   Type={Forthcoming}
   }

@Book{H+U69,
   Key={Hopcroft},
   Author={J.E. Hopcroft and J.D. Ullman},
   Publisher={Addison-Wesley, Reading, Massachusetts},
   Title={Formal Languages and their Relation to Automata},
   Year={1969}
   }

@InCollection{Mesarovic,
   Key={Mesarovic},
   Author={M.D. Mesarovi\'{c}},
   Booktitle={Trends in General Systems Theory},
   Publisher={John Wiley and Sons},
   Title={A Mathematical Theory of General Systems},
   Year={1972},
   Editor={G.J. Klir}
   }

@TechReport{Millen:Models,
   Key={Millen},
   Author={J.K. Millen and C.M. Cerniglia},
   Institution={Mitre Corporation},
   Title={Computer Security Models},
   Year={1983},
   Month=sep,
   Number={WP25068},
   Address={Bedford, Massachusetts},
   Type={Working Paper}
   }

@TechReport{McLean,
   Key={Mclean},
   Author={J. McLean},
   Institution={Naval Research Laboratory},
   Title={A Comment on the ``Basic Security Theorem'' of {Bell} and {La Padula}},
   Year={1983},
   Type={Informal Note}
   }

@InProceedings{Lipner:Panel,
   Key={Lipner},
   Author={S.B. Lipner (Moderator)},
   BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Panel Session: {Bell/La Padula} and Alternative Models of Security},
   Month=apr,
   Year={1983}
   }

@Manual{Revised:Special,
   Author={SRI-CSL},
   Key={HDM},
   Title={{HDM} Verification Environment Enhancements, Interim Report on
Language Definition},
   Year={1983},
   note={SRI Project No. 5727, Contract No. MDA904-83-C-0461},
   Organization={Computer Science Laboratory, SRI International},
   Address={Menlo Park, California}
   }

@InProceedings{Bell:Retrospective,
   Key={Bell},
   Author={D.E. Bell},
   BookTitle={Proceedings of the 1983 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Secure Computer Systems: a Retrospective},
   Year={1983},
   Month=apr,
   Pages={161--162}
   }

@InProceedings{hinke83,
   Key={Hinke},
   Author={T. Hinke and J. Althouse and R.A. Kemmerer},
   BookTitle={Proceedings of the 1983 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={{SDC} Secure Release Terminal Project},
   Year={1983},
   Month=apr,
   Pages={113--119}
   }

@InProceedings{Hartman84,
   Key={Hartman},
   Author={B.A. Hartman},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={A {Gypsy}-Based Kernel},
   Year={1984},
   Month=apr,
   Pages={219--225}
   }

@InProceedings{Taylor84,
   Key={Taylor},
   Author={T. Taylor},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Comparison Paper between the {Bell} and {La Padula} Model and
   the {SRI} Model},     Year={1984},   Month=apr,   pages={195--202}   }

@techreport{landwehr82
   ,key={Landwehr}
   ,author={C.E. Landwehr and C.L. Heitmeyer}
   ,title={Military Message Systems: Requirements and Security Model}
   ,number={{NRL} Memorandum Report 4925}
   ,institution={Naval Research Laboratory}
   ,address={Washington, D.C.}
   ,month=sep
   ,year={1982}}

@article{landwehr81
   ,key={Landwehr}
   ,author={C.E. Landwehr}
   ,title={A Survey of Formal Models for Computer Security}
   ,journal={Computing Surveys}
   ,volume={13}
   ,number={3}
   ,month=sep
   ,year={1981}
   ,pages={247--278}}

@InProceedings{Graubart,
   Key={Graubart},
   Title={A Preliminary Naval Surveillance {DBMS} Security Model},
   Author={R.D. Graubart and J.P.L. Woodward},
   BookTitle={Proceedings of the 1982 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Year={1982},
   Month=apr,
   Pages={21--37}
   }

@inproceedings{ames80
   ,key={Ames80}
   ,author={S.R. {Ames, Jr.} and J.G. Keeton-Williams}
   ,title={Demonstrating Security for Trusted Applications on a Security Kernel Base}
   ,booktitle={Proceedings of the 1980 Symposium on Security and Privacy}
   ,organization={IEEE Computer Society}
   ,address={Oakland, California}
   ,month=apr
   ,year={1980}
   ,pages={145--156}}

@techreport{anderson72
   ,key={Anderson}
   ,author={J.P. Anderson}
   ,title={Computer Security Technology Planning Study}
   ,institution={U.S. Air Force Electronic Systems Division}
   ,number={ESD-TR-73-51}
   ,month=oct
   ,year={1972}
   ,note={(Two volumes)}}

@inproceedings{barnes80
   ,key={Barnes}
   ,author={D.H. Barnes}
   ,title={Computer Security in the {RSRE PPSN}}
   ,booktitle={Networks '80}
   ,pages={605--620}
   ,organization={Online Conferences}
   ,month=jun
   ,year={1980}}

@inproceedings{barnes81
   ,key={Barnes}
   ,author={D.H. Barnes}
   ,title={The Provision of End To End Security for User Data on an Experimental Packet Switched Network}
   ,booktitle={Proceedings of the Fourth International Conference on Software Engineering for Telecommunications Switching Systems}
   ,organization={IEE}
   ,address={Warwick, England}
   ,pages={144--148}
   ,month=jul
   ,year={1981}}

@inproceedings{Woodward
   ,key={Woodward}
   ,author={J.P.L. Woodward}
   ,title={Applications for Multilevel Secure Operating Systems}
   ,BookTitle={National Computer Conference}
   ,Organization={AFIPS Conference Proceedings}
   ,Note={Vol. 48}
   ,year=1979
   ,pages={319--328}}

@inproceedings{stotz
   ,key={Stotz}
   ,author={R. Stotz and R. Tugender and D. Wilczynski}
   ,title={{SIGMA}--An interactive message service for the Military
Message Experiment}
   ,BookTitle={National Computer Conference}
   ,Organization={AFIPS Conference Proceedings}
   ,Note={Vol. 48}
   ,year=1979
   ,pages={839--846}}

@InProceedings{Barnes83,
   Key={Barnes},
   Author={D.H. Barnes},
   BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Month=apr,
   Year={1983},
   Title={The Provision of Security for User Data on Packet Switched Networks},
   Pages={121--126}
   }

@Article{Sift,
   Key={Melliarsmith},
   Author={P.M. Melliar-Smith and R.L. Schwartz},
   Journal={IEEE Transactions on Computers},
   Title={Formal Specification and Verification of {SIFT}: A
Fault-Tolerant Flight Control System},
   Year={1982},
   Month=jul,
   Pages={616--630},
   Volume={C-31},
   Number={7}
   }

@Article{Cheheyl,
   Key={Cheheyl},
   Author={M. {Cheheyl et al.}},
   Journal={Computing Surveys},
   Title={Verifying Security},
   Year={1981},
   Month=sep,
   Pages={279--339},
   Volume={13},
   Number={3}
   }

@Article{Hebbard,
   Key={Hebbard},
   Author={B. {Hebbard et al.}},
   Journal={ACM Operating Systems Review},
   Title={A Penetration Analysis of the Michigan Terminal System},
   Year={1980},
   Month=jan,
   Pages={7--20},
   Volume={14},
   Number={1}
   }

@Article{Attanasio,
   Key={Attanasio},
   Author={C.R. Attanasio and P.W. Markstein and R.J. Phillips},
   Journal={IBM Systems Journal},
   Title={Penetrating an Operating System: a Study of {VM}/370 Integrity},
   Year={1976},
   Pages={102--116},
   Volume={15},
   Number={1}
   }

@Article{Wilkinson,
   Key={Wilkinson},
   Author={A.L. {Wilkinson et al.}},
   Journal={ACM Operating Systems Review},
   Title={A Penetration Study of a {Burroughs} Large System},
   Year={1981},
   Month=jan,
   Pages={14--25},
   Volume={15},
   Number={1}
   }

@InProceedings{Linde,
   Key={Linde},
   Author={R.R. Linde},
   BookTitle={National Computer Conference},
   Organization={AFIPS Conference Proceedings},
   Title={Operating System Penetration},
   Year={1975},
   Note={Vol. 44},
   Pages={361--368}
   }

@TechReport{Abbott,
   Key={Abbott},
   Author={R.P. {Abbott et al.}},
   Institution={National Bureau of Standards},
   Title={Security Analysis and Enhancements of Computer Operating Systems},
   Year={1974},
   Note={Order No. S-413558-74}
   }

@InProceedings{Berson79,
   Key={Berson},
   Author={T.A. Berson and G.L. {Barksdale Jr.}},
   BookTitle={National Computer Conference},
   Organization={AFIPS Conference Proceedings},
   Note={Vol. 48},
   Title={{KSOS}: Development Methodology for a Secure Operating System},
   Year={1979},
   Pages={365--371}
   }

@InProceedings{McCauley,
   Key={Mccauley},
   Author={E.J. McCauley and P.J. Drongowski},
   BookTitle={National Computer Conference},
   Organization={AFIPS Conference Proceedings},
   Note={Vol. 48},
   Title={{KSOS}: The Design of a Secure Operating System},
   Year={1979},
   Pages={345--353}
   }

@TechReport{Craigen:Guard,
   Key={Craigen},
   Author={D. Craigen},
   Institution={I.P. Sharp Associates},
   Title={A Formal Specification of the {LSI Guard}},
   Year={1982},
   Month=aug,
   Number={TR-5031-82-2},
   Address={Ottawa}
   }

@TechReport{Stahl,
   Key={Stahl},
   Author={S. Stahl},
   Institution={Mitre Corporation},
   Title={{LSI Guard} Security Specification},
   Year={1981},
   Month=sep,
   Number={MTR 8451},
   Address={Bedford, Massachusetts}
   }

@TechReport{Good:MFM,
   Key={Good},
   Author={D.I. Good and A.E. Siebert and L.M. Smith},
   Institution={Institute for Computing Science and Computer Applications,
The University of Texas},
   Title={The Message Flow Modulator, Final Report},
   Year={1982},
   Month=dec,
   Number={34},
   Address={Austin, TX}
   }

@InProceedings{Berson83,
   Key={Berson},
   Author={T.A. Berson and R.J. Feiertag and R.K. Bauer},
   BookTitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Processor-per-Domain Guard Architecture},
   Month=apr,
   Year={1983},
   Pages={120},
   Note={(Abstract only)}
   }

@Article{Bic,
   Key={Bic},
   Author={L. Bic},
   Journal={Communications of the ACM},
   Title={A Protection Model and its Implementation in a Dataflow System},
   Year={1982},
   Month=sep,
   Pages={650--658},
   Volume={25},
   Number={9}
   }

@Article{Voydock,
   Key={Voydock},
   Author={V.L. Voydock and S.T. Kent},
   Journal={ACM Computing Surveys},
   Title={Security Mechanisms in High-Level Network Protocols},
   Year={1983},
   Month=jun,
   Pages={135--171},
   Volume={15},
   Number={2}
   }

@InProceedings{Denning84,
   Key={Denning},
   Author={D.E. Denning},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Cryptographic Checksums for Multilevel Database Security},
   Year={1984},
   Month=apr,
   pages={52--61}
   }

@InProceedings{Gold84,
   Key={Gold},
   Author={B.D. Gold and R.R. Linde and P.F. Cudney},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={{KVM/370} in Retrospect},
   Year={1984},
   Month=apr,
   pages={13--23}
   }

@TechReport{Rushby:Scomp,
   Key={Rushby},
   Author={J.M. {Rushby et al.}},
   Institution={Computer Science Laboratory, SRI International},
   Title={{SCOMP}-{CYBER} Security},
   Year={1984},
   Month=feb,
   Address={Menlo Park, California},
   Note={(Client Confidential)},
   Type={Final Report, SRI Project 6121}
   }

@TechReport{Ashcroft,
   Key={Ashcroft},
   Author={E.A Ashcroft},
   Institution={Computer Science Laboratory, SRI International},
   Title={An Eduction Engine},
   Year={1984},
   Month=apr,
   Address={Menlo Park, California},
   Type={Draft Report}
   }

@TechReport{Feiertag:ICN,
   Key={Feiertag},
   Author={R.J. Feiertag},
   Institution={Sytek Inc.},
   Title={A Model of Security Policy for the Integrated Computer Network},
   Year={1981},
   Month=apr,
   Number={SYTEK-TR-81001},
   Address={Mountain View, California}
   }

@TechReport{Rushby81b,
   Key={Rushby},
   Author={J.M. Rushby},
   Institution={Computing Laboratory, University of Newcastle upon Tyne},
   Title={Verification of Secure Systems},
   Year={1981},
   Month=aug,
   Number={166}
   }

@TechReport{SMSV,
   Key={Schwartz},
   Author={R.L. Schwartz, P.M. Melliar-Smith and F.H. Vogt},
   Institution={Computer Science Laboratory, SRI International},
   Title={An Interval Logic for Higher-Level Temporal Reasoning},
   Year={1983},
   Month=feb,
   Number={CSL-138},
   Address={Menlo Park, California}
   }

@InProceedings{Pnueli,
   Key={Pnueli},
   Author={A. Pnueli},
   BookTitle={Proceedings of the Eighteenth Symposium on Foundations of Computer Science},
   Organization={ACM},
   Title={The Temporal Logic of Programs},
   Year={1977},
   Address={Providence, RI},
   Month=nov,
   Pages={46--57}
   }

@InProceedings{Lamport83,
   Key={Lamport},
   Author={L. Lamport},
   BookTitle={Information Processing 83},
   Organization={North-Holland},
   Title={What Good is Temporal Logic?},
   Year={1983},
   Address={Paris},
   Editor={R.E.A. Mason},
   Pages={657--668}
   }

@Book{tunis,
   Key={Holt},
   Author={R.C. Holt}, Publisher={Addison-Wesley, Reading, Massachusetts},
   Title={Concurrent {Euclid}, the {UNIX} System, and {TUNIS}}, Year={1983}   }

@Book{Thoth,
   Key={Cheriton},
   Author={D.R. Cheriton},
   Publisher={North-Holland},
   Title={The {Thoth} System: Multi-Process Structuring and Portability},
   Year={1982},
   Series={Operating and Programming Systems Series}
   }

@inproceedings{Ames81,
   key={Ames},
   author={S.R. {Ames Jr.}},
   title={Security Kernels: a Solution or a Problem?},
   booktitle={Proceedings of the 1981 Symposium on Security and Privacy},
   month=apr,
   year={1981},
   address={Oakland, California},
   organization={IEEE Computer Society},
   pages={141--150}}

@TechReport{Plan9-91,
author={R. Pike and D. Resotto and K. Thompson and H. Trickey and
T. Duff and G. Holzmann},
Title={Plan 9: The Early Papers},
institution= {AT\&T Bell Laboratories},
address={Murray Hill, New Jersey}, month =jul,
Year=1991, Note={(Computing Science Technical Report 158.
This report contains seven conference papers presented during 1990 and 1991.) } }

@TechReport{IX-92,
author={J.A. Reeds and M.D. McIlroy},
Title={The {IX} Multilevel-Secure {UNIX} System},
institution= {AT\&T Bell Laboratories},
address={Murray Hill, New Jersey}, month =jan,
Year=1992, Note={Computing Science Technical Report No. 162.
This report contains 5 papers on IX. } }

@ARTICLE{McIlroy90,
Author={M.D. McIlroy}, TITLE = {Green Light for Bad Software},
JOURNAL = {Communications of the ACM}, YEAR = {1990}, VOLUME = {33},
NUMBER = {5}, PAGES = {479}, MONTH = may }

@BOOK{Holzmann91,
author={G.J. Holzmann},
title={Design and Validation of Computer Protocols},
publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1991}}

@MastersThesis{Fisher,
   Key={Fisher},    Author={P.F. Fisher},
   School={Computing Laboratory, University of Newcastle upon Tyne, England},
   Title={An Operating System Security Kernel}, Year={1982}, Month=sep
   }

@Article{Wegner84,
   Key={Wegner},
   Author={P. Wegner},
   Journal={IEEE Software},
   Title={Capital-Intensive Software Technology},
   Year={1984},
   Month=jul,
   Volume={1},
   Number={3},
   Pages={7--45}
   }

@Article{Andrews83,
   Key={Andrews},
   Author={G.R. Andrews and F.B. Schneider},
   Journal={ACM Computing Surveys},
   Title={Concepts and Notations for Concurrent Programming},
   Year={1983},
   Month=mar,
   Pages={3--43},
   Volume={15},
   Number={1}
   }

@article{Alpern+Schneider,
AUTHOR = {B. Alpern and F.B. Schneider},
TITLE = {Defining Liveness},
JOURNAL = {Information Processing Letters},
YEAR = {1985},
VOLUME = {21},
NUMBER = {4},
PAGES = {181--185},
MONTH = oct
}

@book{Schneider97,
Author={F.B. Schneider},
Title={On Concurrent Programming},
Publisher={Springer Verlag, New York},
Year={1997} }

@Article{Nil:Language,
   Key={Parr},
   Author={F.N. Parr and R.E. Strom},
   Journal={IBM Systems Journal},
   Title={{NIL}: A High-Level Language for Distributed Systems Programming},
   Year={1983},
   Pages={111--127},
   Volume={22},
   Number={1/2}
   }

@InProceedings{Nil:Security,
   Key={Strom},
   Author={R.E. Strom},
   BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages},
   Title={Mechanisms for Compile-Time Enforcement of Security},
   Year={1983},
   Address={Austin, TX},
   Month=jan,
   Pages={276--284}
   }

@InProceedings{Nil:System,
   Key={Strom},
   Author={R.E. Strom and S. Yemini},
   BookTitle={Proceedings of the SIGPLAN '83 Symposium on Programming Language
Issues in Software Systems},
   Title={{NIL}: An Integrated Language and System for Distributed Programming},
   Year={1983},
   Address={San Francisco, California},
   Month=jun,
   Note={(in SIGPLAN Notices Vol 18, No. 6, June 1983)},
   Pages={73--82}
   }

@Article{Gehani,
   Key={Gehani},
   Author={N.H. Gehani and T.A. Cargill},
   Journal={Software--Practice and Experience},
   Title={Concurrent Programming in the {Ada} Language: the Polling Bias},
   Year={1984},
   Month=may,
   Pages={413--427},
   Volume={14},
   Number={5}
   }

@InProceedings{Perrine,
   Key={Perrine},
   Author={T. Perrine and J. Codd and B. Hardy},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={An Overview of the {Kernelized Secure Operating System ({KSOS})}},
   Address={Gaithersburg, Maryland},
   Pages={146--160},
   Year={1984},
   Month=sep
   }

@InProceedings{Barnes84,
   Key={Barnes},
   Author={D.H. Barnes},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={Secure Communications Processor Research},
   Address={Gaithersburg, Maryland},
   Pages={312--317},
   Year={1984},
   Month=sep
   }

@InProceedings{Rushby:TCB,
   Key={Rushby},
   Author={J.M. Rushby},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={A Trusted Computing Base for Embedded Systems},
   Address={Gaithersburg, Maryland},
   Pages={294--311},
   Year={1984},
   Month=sep
   }

@InProceedings{Rushby:HDM,
Key={Rushby}, Author={J.M. Rushby},
BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
Title={The Security Model of {Enhanced HDM}}, Address={Gaithersburg, Maryland},
Pages={120--136}, Year={1984}, Month=sep }

@TechReport{Froscher+Carroll,
   Key={Froscher},
   Author={J.N. Froscher and J.M. Carroll},
   Institution={Naval Research Laboratory},
   Title={Security Requirements for Navy Embedded Computers},
   Year={1984},
   Month=sep,
   Number={5425},
   Type={{NRL} Memorandum Report}
   }

@Article{Leveson84,
   Key={Leveson},
   Author={N.G. Leveson},
   Journal={Computer},
   Title={Software Safety in Computer Controlled Systems},
   Year={1984},
   Month=feb,
   Pages={48--55},
   Volume={17},
   Number={2}
   }

@InProceedings{Leveson:Kernels,
   Key={Leveson},
   Author={N.G. {Leveson et al.}},
   BookTitle={Proceedings of the AIAA Twenty-first Aerospace Sciences Meeting},
   Organization={American Institute of Aeronautics and Astronautics},
   Title={Design for Safe Software},
   Address={Reno, NV},
   Year={1983},
   Month=jan
   }

@Article{LevesonYoung14,
   Author={Nancy G. Leveson and William Young},
   Journal={Communications of the ACM},
   Title={An Integrated Approach to Safety and Security Based on System Theory},
   Year={2014},
   Month=feb,
   Pages={31--35},
   Volume={57},
   Number={2},
   note = {\url{http://www.csl.sri.com/neumann/insiderisks.html}}
   }

@Article{Landwehr:MMM,
   Key={Landwehr},
   Author={C.E. Landwehr and C.L. Heitmeyer and J. McLean},
   Journal={ACM Transactions on Computer Systems},
   Title={A Security Model for Military Message Systems},
   Year={1984}, Month=aug, Pages={198--222}, Volume={2}, Number={3}  }

@inproceedings{Accent
   ,key={Rashid}
   ,author={R. Rashid and G. Robertson}
   ,title={{Accent}: A Communications Oriented Network Operating System Kernel}
   ,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles}
   ,address={Asilomar, California}
   ,month=dec
   ,year={1981}
   ,pages={64--75}
   ,note={(ACM Operating Systems Review, Vol. 15, No. 5)}}

@TechReport{Carlstedt75,
author={J. Carlstedt and R. {Bisbey II} and G. Popek},
Title={{Pattern-Directed Protection Evaluation}},
institution= {USC Information Sciences Institute (ISI)},
number={ISI/SR-75-31},
address={Marina Del Rey, California}, month =jun, Year=1975}

@TechReport{Bisbey75,
author={R. {Bisbey II} and G. Popek and J. Carlstedt},
Title={{Protection Errors in Operating Systems: Inconsistency of a
single data value over time}},
institution= {USC Information Sciences Institute (ISI)},
number={ISI/SR-75-4},
address={Marina Del Rey, California}, month =dec, Year=1975}

@TechReport{Bisbey76,
author={R. {Bisbey II} and J. Carlstedt and D. Chase},
Title={{Data Dependency Analysis}},
institution= {USC Information Sciences Institute (ISI)},
number={ISI/SR-76-45},
address={Marina Del Rey, California}, month =feb, Year=1976}

@TechReport{Carlstedt76,
author={J. Carlstedt},
Title={{Protection Errors in Operating Systems: Validation of
critical conditions}},
institution= {USC Information Sciences Institute (ISI)},
number={ISI/SR-76-5},
address={Marina Del Rey, California}, month =may, Year=1976}

@TechReport{Hollingworth76,
author={D. Hollingworth and R. {Bisbey II}},
Title={Protection Errors in Operating Systems: Allocation/Deallocation
Residuals},
institution= {USC Information Sciences Institute (ISI)},
address={Marina Del Rey, California}, month =jun, Year=1976}

@TechReport{Bisbey78,
author={R. {Bisbey II} and D. Hollingworth},
Title={{Protection Analysis: Project final report}},
institution= {USC Information Sciences Institute (ISI)},
address={Marina Del Rey, California}, month ={}, Year=1978}

@book{LocusBook,
Author={G.J. Popek and B.J. Walker},
Title={The Locus Distributed System Architecture},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1985} }

@inproceedings{Locus
   ,key={Popek}
   ,author={G. Popek et al.}
   ,title={{Locus}: A Network Transparent, High Reliability, Distributed
System}
   ,booktitle={Proceedings of the Eighth ACM Symposium on Operating System Principles}
   ,address={Asilomar, California}
   ,month=dec
   ,year={1981}
   ,pages={169--177}
   ,note={(ACM Operating Systems Review, Vol. 15, No. 5)}}

@Article{Brownbridge,
   Key={Brownbridge},
   Author={D.R. Brownbridge, L.F. Marshall and B. Randell},
   Journal={Software--Practice and Experience},
   Title={The {Newcastle Connection}, or {UNIXes} of the World Unite!},
   Year={1982},
   Month=dec,
   Pages={1147--1162},
   Volume={12},
   Number={12}
   }

@InProceedings{cornwell84,
   Key={Cornwell},
   Author={M. Cornwell and R. Jacob},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={Structure of a Rapid Prototype Secure Military Message System},
   Address={Gaithersburg, Maryland},
   Pages={48--57},
   Year={1984},
   Month=sep
   }

@InProceedings{verdix,
   Key={Donaldson},
   Author={A.L. Donaldson},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={A Multi-Level Secure Local Area Network},
   Address={Gaithersburg, Maryland},
   Pages={341--350},
   Year={1984},
   Month=sep
   }

@InProceedings{Macewan84,
   Key={Macewan},
   Author={G.H. MacEwan and B. Burwell and Z-J. Lu},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Multi-Level Security Based on Physical Distribution},
   Year={1984},
   Pages={167--177},
   Month=apr
   }

@article{Heitmeyer+Wilson,
   Key={Heitmeyer},
   Author={C.L. Heitmeyer and S.L. Wilson},
   Journal={IEEE Transactions on Communications},
   Title={Military Message Systems: Current Status and Future Directions},
   Year={1980},
   Month=sep,
   Pages={1645--1654},
   Volume={COM-28},
   Number={9}
   }

@Article{end-to-end,
   Key={Saltzer},
   Author={J.H. Saltzer and D.P. Reed and D.D. Clark},
   Journal={ACM Transactions on Computer Systems},
   Title={End-To-End Arguments in System Design},
   Year={1984},
   Month=nov,
   Pages={277--288},
   Volume={2},
   Number={4}
   }

@manual{Views:Proposal,
   Key={Denning},
   Author={D.E. Denning and P.G. Neumann},
   Title={Secure Data Views},
   Year={1985},
   Month=mar,
   Organization={SRI International},
   Note={Proposal for Research No. ECU 85-203}
   }

@manual{Ocrea:Proposal,
   Key={Rushby},
   Author={J.M. Rushby},
   Title={Security Modeling for Complex Systems},
   Year={1984},
   Month=oct,
   Organization={Computer Science Laboratory, SRI International},
   Number={Proposal for Research No. ECU 84-034R}
   }

@manual{Demonstrator:Proposal,
   Key={Rushby},
   Author={J.M. Rushby},
   Title={A Verified Secure ``Demonstrator'' System},
   Year={1984},
   Month=dec,
   FullOrganization={Computer Science Laboratory, SRI International},
   Number={Proposal for Research No. ECU 84-103}
   }

@article(VERKI,
Key="Neumann", Author="P.G. {Neumann, editor}",
Title={{VERkshop I}: {V}erification {W}orkshop},
Journal="ACM SIGSOFT Software Engineering Notes", Year="1980", Volume="5",
Number="3", Pages="4-47",
Month=jul)

@article{VERKII,
Key="Neumann", Author="P.G. {Neumann, editor}",
Title={{VERkshop II}: {V}erification {W}orkshop},
Journal="ACM SIGSOFT Software Engineering Notes", Year="1981", Volume="6",
Number="3", Pages="1-63",
Month=jul}

@article(VERKIII,
Author="K.N. Levitt and S. Crocker and D. {Craigen, editors}",
Title={{VERkshop III}: Verification Workshop},
Journal="ACM SIGSOFT Software Engineering Notes", Year="1985", Volume="10",
Number="4", Pages="1-136", Month=aug)

@InProceedings{Macdonald85,
   Key={Macdonald},
   Author={R. Macdonald},
   BookTitle={Proceedings of the {VERkshop III}},
   Address={Watsonville, California},
   Title={Verifying a Real System Design: Some of the Problems},
   Year={1985},
   Pages={126--129},
   Month=feb,
   Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85}
   }

@article{Clark85,
author={D.D. Clark},
title={The Structuring of Systems Using Upcalls},
journal={Operating Systems Review},
month={},
vol = {19},
no = {5},
pages = {171--180},
year=1985}

@Article{Atkins88,
   Author={M.S. Atkins},
   Journal={ACM Transactions on Computer Systems},
   Title={Experiments in {SR} with Different Upcall Program Structures},
   Year={1988}, Month=nov, Pages={365--392}, Volume={6}, Number={4}  }

@Book{Modula2,
   Key={Wirth},
   Author={N. Wirth},
   Publisher={Springer-Verlag, Berlin},
   Title={Programming in {MODULA}-2},
   Year={1982},
   note={second edition},
   Series={Texts and Monographs in Computer Science}
   }

@InProceedings{Anderson:TCB,
   Key={Anderson},  Author={E.R. Anderson},
   BookTitle={Proceedings of the 1985 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={{Ada}'s Suitability for Trusted Computer Systems},
   Year={1985}, Address={Oakland, California}, Month=apr, Pages={184--189}
   }

@manual{Fletcher,
   Key={Fletcher},
   Author={J.C. Fletcher},
   Organization={Department of Defense},
   Title={Report of the Study on Eliminating the Threat Posed by Nuclear Ballistic Missiles, Volume {V}: Battle Management, Communications, and Data Processing},
   Year={1984},
   Month=feb
   }

@Manual{Eastport,
   Key={Eastport},
   Author={Eastport Study Group},
   Title={Report to the Director, {SDIO}},
   Year={December, 1985}
   }

@Article{Lamport:Clocks,
   Key={Lamport},
   Author={L.Lamport},
   Journal={Communications of the ACM},
   Title={Time, Clocks, and the Ordering of Events in a Distributed System},
   Year={1978},
   Month=jul,
   Pages={558--565},
   Volume={21},
   Number={7}
   }

@Article{Lamport:Specifying,
   Key={Lamport},
   Author={L.Lamport},
   Journal={ACM Transactions on Programming Languages and Systems},
   Title={Specifying Concurrent Program Modules},
   Year={1983},
   Month=apr,
   Pages={190--222},
   Volume={5},
   Number={2}
   }

@Article{Lamport:Specifying89,
   Key={Lamport},
   Author={L. Lamport},
   Journal={Communications of the ACM},
   Title={A Simple Approach to Specifying Concurrent Program Systems},
   Year={1989},
   Month=jan,
   Pages={32--45},
   Volume={32},
   Number={1}
   }

@Article{Lamport:Timeout,
   Key={Lamport},
   Author={L.Lamport},
   Journal={ACM Transactions on Programming Languages and Systems},
   Title={Using Time Instead of Timeout for Fault-Tolerant Distributed Systems},
   Year={1984},
   Month=apr,
   Pages={254--280},
   Volume={6},
   Number={2}
   }

@TechReport{Lamport:Interprocess,
   Key={Lamport},
   Author={L. Lamport},
   Institution={Computer Science Laboratory, SRI International},
   Title={On Interprocess Communication},
   Year={1985}
   }

@InProceedings{Lamport:Sometime,
   Key={Lamport},
   Author={L. Lamport},
   BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages},
   Title={Sometime is Sometimes Not Never},
   Year={1980},
   Month=jan,
   Pages={174--185}
   }

@InProceedings{Lamport:Priority,
   Key={Lamport},
   Author={L. Lamport},
     BookTitle={Proceedings of the 10th Symposium on Principles of Programming Languages},
   Title={What it Means for a Concurrent Program to Satisfy a
Specification: Why No One Has Specified Priority},
   Year={1985},
   Month=jan
   }

@Article{Bernstein+Goodman,
   Key={Bernstein},
   Author={P.A. Bernstein and N. Goodman},
   Journal={ACM Computing Surveys},
   Title={Concurrency Control in Distributed Database Systems},
   Year={1981},
   Month=jun,
   Pages={185--221},
   Volume={13},
   Number={2}
   }

@TechReport{Panzieri:Rajdoot-techrep,
   Key={Panzieri},
   Author={F. Panzieri and S.K. Shrivastava},
   Institution={Computing Laboratory, University of Newcastle upon Tyne},
   Title={{Rajdoot}: a remote procedure call mechanism supporting orphan
detection and killing},
   Year={1985},
   Month=may,
   Number={200}
   }

@Article{Traiger,
   Key={Traiger},
   Author={I.L. Traiger and J. Gray and C.A. Galtieri and B.G. Lindsay},
   Journal={ACM TODS},
   Title={Transactions and Consistency in Distributed Database Systems},
   Year={1982},
   Month=sep,
   Pages={323--342},
   Volume={7},
   Number={3}
   }

@Article{Lamport:Reliable,
   Key={Lamport},
   Author={L. Lamport},
   Journal={Computer Networks},
   Title={The Implementation of Reliable Distributed Multiprocess Systems},
   Year={1978},
   Pages={95--114},
   Volume={2}
   }

@Article{Shrivastava,
   Key={Shrivastava},
   Author={S.K. Shrivastava and F. Panzieri},
   Journal={IEEE Transactions on Computers},
   Title={The Design of a Reliable Remote Procedure Call Mechanism},
   Year={1982},
   Month=jul,
   Pages={692--687},
   Volume={C-31},
   Number={7}
   }

@Article{Lamport:Byzantine,
   Key={Lamport},
   Author={L. Lamport and R. Shostak and M. Pease},
   Journal={ACM Transactions on Programming Languages and Systems},
   Title={The {Byzantine} Generals Problem},
   Year={1982},
   Month=jul,
   Pages={382--401},
   Volume={4},
   Number={3}
   }

@Article{Pease,
   Key={Pease},
   Author={M. Pease and R. Shostak and L. Lamport},
   Journal={Journal of the ACM},
   Title={Reaching Agreement in the Presence of Faults},
   Year={1980},
   Month=apr,
   Pages={228--234},
   Volume={27},
   Number={2}
   }

@Article{Lamport:Synchronizing,
   Key={Lamport},
   Author={L. Lamport and P.M. Melliar-Smith},
   Journal={Journal of the ACM},
   Title={Synchronizing Clocks in the Presence of Faults},
   Year={1985},
   Month=jan,
   Pages={52--78},
   Volume={32},
   Number={1}
   }

@InProceedings{Dobson+Randell,
   Key={Dobson},
   Author={J.E. Dobson and B. Randell},
   BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Building reliable Secure Computing Systems out of Unreliable
Unsecure Components},
   Year={1986},
   Address={Oakland, California},
   Month=apr,
   Pages={187--193}
   }

@InProceedings{RandellDobson,
   Key="Randell", Author="B. Randell and J.E. Dobson",
   BookTitle="Proceedings of the Fifth Symposium on Reliability in
     Distributed Software and Database Systems",
   Organization="",
   Title="Reliability and Security Issues in Distributed Computing Systems",
   Address="Los Angeles, California", Year="1986", Month=jan, pages=""}

@InProceedings{Haigh+Young,
   Key={Haigh},
   Author={J.T. Haigh and W.D. Young},
   BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Extending the Non-Interference Model of {MLS} for {SAT}},
   Year={1986},
   Address={Oakland, California},
   Month=apr,
   Pages={232--239}
   }

@Article{Haigh+Young87,
author={J.T. Haigh and W.D. Young},
Title={Extending the Non-Interference Model of {MLS} for {SAT}},
Journal={IEEE Transactions on Software Engineering},
volume={SE-13}, number=2, pages={141-150}, month=feb, year=1987 }

@InProceedings{LOCK87,
Key={Saydjari}, Author={O.S. Saydjari and J.M. Beckman
and J.R. Leaman}, Title={{LOCKing} Computers Securely},
  BookTitle={10th National Computer Security Conference, Baltimore, Maryland},
Year={1987}, Month={21-24 September},
pages={129-141}, Note={Reprinted in Rein Turn,
editor, {\it Advances in Computer
System Security}, Vol. 3, Artech House, Dedham, Massachusetts, 1988 }}

@InProceedings{LOCK87-,
Key={Saydjari}, Author={O.S. Saydjari and J.M. Beckman
and J.R. Leaman}, Title={{LOCKing} Computers Securely},
  BookTitle={10th National Computer Security Conference, Baltimore, Maryland},
Year={1987}, Month={21-24 September},
pages={129-141} }

@TechReport{Fine+,
Author={T. Fine and J.T. Haigh and R.C. O'Brien and
D.L. Toups}, Title={An Overview of the {LOCK} {FTLS}},
Institution={Honeywell}, Month={}, Year=1988 }

@TechReport{HaighFTLS,
Author={J.T. Haigh}, Title={Top Level Security
Properties for the {LOCK} System}, Institution={Honeywell}, Month={}, Year=1988 }

@TechReport{SCTC-B10,
Author={{Secure Computing Technology Center}},
Title={{LOCK} Formal Top Level Specification, Volumes 1-6},
Institution={SCTC}, Month={}, Year=1988 }

@TechReport{SCTC-007,
Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models,
Final Technical Report, Volume 1: Summary},
Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 }

@TechReport{SCTC-B11,
Author={{Secure Computing Technology Center}},
Title={{LOCK} Software {B}-Specification, Vol. 2},
Institution={SCTC}, Month={}, Year=1988 }

@TechReport{SCTC-005,
Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models,
Final Technical Report, Vol. 3: Security in Distributed Systems},
Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 }

@TechReport{SCTC-004,
Author={J.T. {Haigh et al.}}, Title={Assured Service Concepts and Models,
Final Technical Report, Vol. 4: Availability in Distributed {MLS} Systems},
Institution={Secure Computing Technology Corporation}, Month=jul, Year=1991 }

@TechReport{OBrien90,
Author={R.C. {O'Brien} and J.T. Haigh and D.J. Thomsen},
Title={Trusted Database Consistency Policy},
Institution={Rome Air Development Center},
Address={Griffiss Air Force Base, NY},
number={RADC-TR-90-387},
Month=dec, Year={1990} }

@TechReport{MoitraSchneider90,
Author={A. Moitra and E.A. Schneider},
Title={Basic Technology for {SDI} Computer Security: {SDI} Real Time
Trusted Computer Based Requirements},
Institution={Rome Air Development Center},
Address={Griffiss Air Force Base, NY},
number={RADC-TR-90-435, vol. III},
Month=dec, Year={1990} }

@manual{Net:Criteria,
   Key={DoDCSC},
   Organization={Department of Defense Computer Security Center},
   Title={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security},
   Month=mar,
   Year={1985},
   Address={New Orleans, LA}
   }

@InProceedings{Rushby85a,
   Key={Rushby},
   Author={J.M. Rushby},
   Booktitle={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security},
   Organization={Publ. by Department of Defense Computer Security Center},
   Title={Report of the Working Group on Verification and Covert Channels},
   Month=mar,
   Year={1985},
   Address={New Orleans, LA},
   Pages={7--5 to 7--12}
   }

@InProceedings{Rushby85,
   Key={Rushby},
   Author={J.M. Rushby},
   Booktitle={Proceedings of the Department of Defense Computer Security Center Invitational Workshop on Network Security},
   Organization={publ. by Department of Defense Computer Security Center},
   Title={Networks are Systems},
   Month=mar,
   Year={1985},
   Address={New Orleans, Louisiana},
   Pages={7--24 to 7--37}
   }

@TechReport{Ezhilchelvan,
   Key={Ezhilchelvan},
   Author={P.D. Ezhilchelvan and S.K. Shrivastava},
   Institution={Computing Laboratory, University of Newcastle upon Tyne},
   Title={A Characterisation of Faults in Systems},
   Year={1985},
   Month=sep,
   Number={206}
   }

@InProceedings{Schell84,
   Key={Schell},
   Author={R.R. Schell and T.F. Tao},
   BookTitle={Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference},
   Title={Microcomputer-Based Trusted Systems for Communications and
Workstation Applications},
   Address={Gaithersburg, Maryland},
   Pages={277--290},
   Year={1984},
   Month=sep
   }

@TechReport{Gordon:Why,
   Key={Gordon},
   Author={M. Gordon},
   Institution={University of Cambridge Computer Laboratory},
   Title={Why Higher-Order Logic is a Good Formalism for Specifying and
Verifying Hardware},
   Year={1985},
   Month=sep,
   Number={77}
   }

@TechReport{Gordon:HOL85,
   Key={Gordon},
   Author={M. Gordon},
   Institution={University of Cambridge Computer Laboratory},
   Title={{HOL:} A Machine Oriented Formulation of Higher Order Logic},
   Address = {Cambridge, England},
   Year={1985},
   Month=jul,
   Number={68}
   }

@Book{Barringer:Book,
   Key={Barringer},
   Author={H. Barringer},
   Publisher={Springer-Verlag, Berlin,
       Lecture Notes in Computer Science, Vol. 191},
   Title={A Survey of Verification Techniques for Parallel Programs},
   Year={1985}
   }

@Book{LCF,
   Key={Gordon},
   Author={M. Gordon and R. Milner and C. Wadsworth},
   Publisher={Springer-Verlag, Berlin,
     Lecture Notes in Computer Science, Vol. 78},
   Title={Edinburgh {LCF}: A Mechanized Logic of Computation},
   Year={1979}
   }

@InProceedings{Barringer:Compose,
   Key={Barringer},
   Author={H. Barringer and R. Kuiper and A. Pnueli},
   BookTitle={Proceedings of the Sixteenth ACM Symposium on Theory of Computing},
   Title={Now you May Compose Temporal Logic Specifications},
   Year={1984},
   Address={Washington, D.C.},
   Month=may
   }

@Article{Joseph+Birman,
   Key={Joseph},
   Author={T.A. Joseph and K.P. Birman},
   Journal={ACM TOCS},
   Title={Low Cost Management of Replicated Data in Fault-Tolerant
Distributed Systems},
   Year={1986},
   Month=feb,
   Pages={54--70},
   Volume={4},
   Number={1}
   }

@Article{Bernstein84,
   Key={Bernstein},
   Author={P.A. Bernstein and N. Goodman},
   Journal={ACM TODS},
   Title={An Algorithm for Concurrency Control and Recovery in
Replicated Distributed Databases},
   Year={1984},
   Month=dec,
   Pages={596--615},
   Volume={9},
   Number={4}
   }

@InProceedings{Melliar-Smith+Rushby,
   Key={Melliar-Smith},
   Author={P.M. Melliar-Smith and J.M. Rushby},
   BookTitle={Proceedings of the {VERkshop III}},
   Address={Watsonville, California},
   Title={The {Enhanced HDM} System for Specification and Verification},
   Year={1985},
   Pages={41--43},
   Month=feb,
   Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85}
   }

@InProceedings{Musser85,
   Author={D.R. Musser},
   BookTitle={Proceedings of the {VERkshop III}},
   Address={Watsonville, California},
   Title={Aids to Hierarchical Specification Structuring and Reusing Theorems in
{AFFIRM-85}},
   Year={1985},
   Pages={2--4},
   Month=feb,
   Note={Published as ACM Software Engineering Notes, Vol. 10, No. 4, Aug. 85}
   }

@InProceedings{Guttman,
   Key={Guttman},
   Author={Joshua Guttman},
   BookTitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={Information Flow and Invariance},
   Pages={67--73},
   Month=apr,
   Year={1987}
   }

@manual{EHDM:Userguide,
Author={SRI-CSL},
Key = {EHDM}, Title=
{E{\sc HDM} Specification and Verification System -- Version 6.1: User's Guide},
Organization={Computer Science Laboratory, SRI International},
Year={1992}, Month={March 27,}, Address={Menlo Park, California} }

@manual{EHDM:Language,
Author={SRI-CSL},
Key = {EHDM},
Organization={Computer Science Laboratory, SRI International}, Title={{\sc
Ehdm} Specification and Verification System Version 4.1: Preliminary
Definition of the {EHDM} Specification Language}, Year={1988},
day={6}, month=sep, Address={Menlo Park, California} }

@manual{EHDM:Tutorial, AUTHOR = {F. von Henke and J.M. Rushby},
Key = {EHDM},
Organization={Computer Science Laboratory, SRI International},
Title={Introduction to {E\sc HDM}}, Year={1988}, Month=sep,
Address={Menlo Park, California} }

@manual{EHDM:semantics, AUTHOR = {F. von Henke and N. Shankar and J.M. Rushby},
Key = {EHDM},
Organization={Computer Science Laboratory, SRI International},
Title={Formal Semantics of EHDM},
Year={1988}, Month={September 28,}, Address={Menlo Park, California} }

@TechReport{EHDM:intro, AUTHOR = {J.M. Rushby and F. von Henke and S. Owre},
Key = {Rushby},
Organization={Computer Science Laboratory, SRI International},
Title={An Introduction to Formal Specification and Verification
Using {EHDM}},
Number = {SRI-CSL-91-02},
Year={1991}, Month=feb, Address={Menlo Park, California} }

@PhDThesis{Rushby77, Key={Rushby}, Author={J.M. Rushby}, School={Computing
Laboratory, University of Newcastle upon Tyne}, Title={{LR}(k) Sparse-Parsers
and their Optimisation}, Year={1977}, Month=sep }

@InProceedings{CarlsonLunt86, Key="Carlson",
   Author="R.A. Carlson and T.F. Lunt",
   Title="The Trusted Domain Machine: A Secure Communication Device
for Security Guard Applications",
   BookTitle="Proceedings of the 1986 Symposium on Security and Privacy",
   Organization="IEEE Computer Society",
   Address="Oakland, California", Year="1986", Month=apr, pages="182-186"}

@InProceedings{Carlson+Lunt86, Key={Carlson}, Author={R.A. Carlson and T.F.
Lunt}, BookTitle={Proceedings of the 1986 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Title={The {Trusted Domain Machine}: a
Secure Communication Device for Security Guard Applications}, Year={1986},
Address={Oakland, California}, Month=apr, Pages={182--186} }

@Article{Huguet, Key={Huguet}, Author={M. Huguet}, Journal={ACM Computer
Architecture News}, Title={The Protection of the Processor Status Word of the
{PDP}-11/60}, Year={1982}, Month=jun, Pages={27--30}, Volume={10},
Number={4} }

@Article{Popek+Goldberg,
Key={Popek}, Author={G.J. Popek and R.P.
Goldberg}, Journal={Communications of the ACM}, Title={Formal Requirements for Virtualizable Third
Generation Architectures}, Year={1974}, Month=jul, Pages={412--421},
Volume={17}, Number={7} }

@Article{Saltzer74,
Key={Saltzer}, Author={J.H. Saltzer}, Journal={Communications of the ACM},
Title={Protection and the Control of Information Sharing in {Multics}},
Year={1974}, Month=jul, Pages={388--402}, Volume={17}, Number={7} }

@InProceedings{RedellFabry74,
Author={D.D. Redell and R.S. Fabry},
TITLE = {Selective Revocation of Capabilities},
Booktitle = {Proceedings of the International Workshop on Protection in
   Operating Systems},
YEAR = {1974}, Location = {IRIA, Rocquencourt, France},
VOLUME = {},
NUMBER = {}, PAGES = {197--209}, MONTH = aug }

@PhDThesis{Redell74,
Author={D.D. Redell}, School={University of California at Berkeley},
Title={Naming and Protection in Extendible Operating Systems},
Note = {Also MIT Project MAC TR-104.},
Year={1974}, Month={} }

@Article{Fabry74,
Key={Fabry}, Author={R.S. Fabry}, Journal={Communications of the ACM},
Title={Capability-Based Addressing},
Year={1974}, Month=jul, Pages={403--412}, Volume={17}, Number={7} }

@TechReport{Schiller75, Key={Schiller}, Author={W.L.
Schiller}, Institution={Mitre Corporation}, Title={The Design and Specification
of a Security Kernel for the {PDP}-11/45}, Year={1975}, Month=mar,
Number={MTR-2934}, Address={Bedford, Massachusetts} }

@TechReport{Smith75, Key={Smith},
Author={L. Smith}, Institution={Mitre Corporation}, Title={Architectures for
Secure Computer Systems}, Year={1975}, Month=apr, Number={ESD-TR-75-51},
Address={Bedford, Massachusetts} }

@Article{Hoare72, Key={Hoare}, Author={C.A.R. Hoare},
Journal={Acta Informatica}, Title={Proof of Correctness of Data
Representations}, Year={1972}, Pages={271--281}, Volume={1} }

@Article{Harrison:Protection, Key={Harrison}, Author={M.A. Harrison and W.L.
Ruzzo and J.D. Ullman}, Journal={Communications of the ACM}, Title={Protection in Operating
Systems}, Year={1976}, Month=aug, Pages={461--471}, Volume={19},
Number={8} }

@Article{Harrison76x,
Author={M.A. Harrison and W.L. Ruzzo and J.D. Ullman},
Title={Protection in Operating Systems},
Journal={Communications of the ACM},
volume=19,
number=8,
month=aug,
year=1976 }

@inproceedings{Anderson:Evaluation, Key={Anderson}, Author={T.
Anderson and P.A. Barrett and D.N. Halliwell and M.R. Moulding}, Title={An
Evaluation of Software Fault Tolerance in a Practical System},
Booktitle={Digest of Papers, Fault Tolerant Computing Symposium 15},
Address={Ann Arbor, Michigan},
Organization={IEEE Computer Society}, Month=jun, Year={1985},
Pages={140--145} }

@Article{Alford85, Key={Alford}, Author={M.W. Alford},
Journal={Computer},	 Title={{SREM} at the Age of Eight; The
Distributed Computing Design System}, Year={1985}, Month=apr,
Pages={36--46}, Volume={18}, Number={4} }

@Article{Roman85, Key={Roman},
Author={G--C. Roman}, Journal={Computer}, Title={A Taxonomy of Current
Issues in Requirements Engineering}, Year={1985}, Month=apr,
Pages={14--21}, Volume={18}, Number={4} }

@Article{Scheffer85, Key={Scheffer},
Author={P.A. Scheffer and A.H. {Stone III} and W.E. Rzepka}, Journal={IEEE
Computer}, Title={A Case Study of {SREM}}, Year={1985}, Month=apr,
Pages={47--54}, Volume={18}, Number={4} }

@InProceedings{Silverman83,
   Key={Silverman},
   Author={J.M. Silverman},
   Title={Reflections on the Verification of the Security of an Operating System Kernel},
   BookTitle={Proceedings of the Ninth ACM Symposium on Operating Systems Principles},
   Year={1983},
   Address={Bretton Woods, NH},
   Month=oct,
   Note={(ACM Operating Systems Review, Vol 17, No. 5)}
   }

@Article{Celko83,
   Key={Celko},
   Author={J. Celko and J.S. Davis and J. Mitchell},
   Journal={SIGPLAN Notices },
   Title={A Demonstration of Three Requirements Language Systems},
   Year={1983},
   Month=jan,
   Pages={9--14},
   Volume={18},
   Number={1}
   }

@Article{Bell77,
   Key={Bell},
   Author={T.E. Bell and D.C. Bixler and M.E. Dyer},
   Journal={IEEE Transactions on Software Engineering},
   Title={An Extendable Approach to Computer--Aided Software Requirements Engineering},
   Year={1977},
   Month=jan,
   Pages={49--59},
   Volume={SE--3},
   Number={1}
   }

@Article{Alford77,
   Key={Alford},
   Author={M.W. Alford},
   Journal={IEEE Transactions on Software Engineering},
   Title={A Requirements Engineering Methodology for Real--Time Processing Requirements},
   Year={1977},
   Month=jan,
   Pages={60--69},
   Volume={SE--3},
   Number={1}
   }

@Article{Davis77,
   Key={Davis},
   Author={C.G. Davis and C.R. Vick},
   Journal={IEEE Transactions on Software Engineering},
   Title={The Software Development System},
   Year={1977},
   Month=jan,
   Pages={69--84},
   Volume={SE--3},
   Number={1}
   }

@Article{Basili84,
   Key={Basili},
   Author={V.R. Basili and B.T. Perricone},
   Journal={Communications of the ACM},
   Title={Software Errors and Complexity: {An} Empirical Investigation},
   Year={1984},
   Month=jan,
   Pages={42--52},
   Volume={27},
   Number={1}
   }

@Article{Moriconi85,
   Key={Moriconi},
   Author={M. Moriconi and D.F. Hare},
   Journal={Computer},
   Title={Visualizing Program Designs through {PegaSys}},
   Year={1985},
   Month=aug,
   Volume={18},
   Number={8},
   Pages={72--85}
   }

@Article{Moriconi86a,
   Key={Moriconi},
   Author={M. Moriconi and D.F. Hare},
   Journal={ACM Transactions on Programming Languages and Systems},
   Title={The {PegaSys} System: {Pictures} as Formal Documentation of Large Programs},
   Year={1986},
   Month=oct,
   Pages={524--546},
   Volume={8},
   Number={4}
   }

@InProceedings{Moriconi86b,
   Key={Moriconi},
   Author={M. Moriconi},
   Publisher={Springer-Verlag, Berlin, Lecture Notes in Computer Science},
   Title={{PegaSys} and the Role of Logic in Programming Environments},
   Year={1986},
   Month=jun,
   Address={Trondheim, Norway},
   booktitle={Proceedings of the International Workshop on Advanced Programming Environments}
   }

@Article{Stevens74,
   Key={Stevens},
   Author={W.P. Stevens and G.F. Myers and L.C. Constantine},
   Journal={IBM Systems Journal},
   Title={Structured Design},
   Year={1974},
   Volume={13},
   Number={2},
   Pages={115--139}
   }

@Article{Leveson86,
   Author={N.G. Leveson}, Journal={ACM Computing Surveys},
   Title={Software Safety: {Why}, What, and How},
   Year={1986}, Volume={18}, Number={2}, Month=jun, Pages={125--163}
}

@TechReport{IITRI,
Key={IITRI},
	Author={Anonymous},
	Title={{Ada} Verification System ({AVS}) Studies},
	Institution={IIT Research Institute},
	Year=1987,
	Address={4550 Forbes Blvd., Suite 300, Lanham, Maryland 20706},
	Type={Draft Final Report},
	Month=feb,
	Note={Prepared for: Defense Communications Engineering Center, 1860
Wiehle Avenue, Reston, VA 22090-5500}
}

@INPROCEEDINGS{MusserStepanov,
	AUTHOR = {D.R. Musser and A.A. Stepanov},
	TITLE = {Generic Algorithms + Generic Data Structures = Reusable Software},
	BOOKTITLE = {Tenth Minnowbrook Workshop},
	YEAR = {1987}
}

@BOOK{Booch,
	AUTHOR = {G. Booch},
	TITLE = {Software Components in {Ada}},
	PUBLISHER = {Benjamin/Cummings},
	YEAR = {1987}
}

@INPROCEEDINGS{Musser802,
	AUTHOR = {D.R. Musser},
	TITLE = {On Proving Inductive Properties of Abstract Data Types},
	BOOKTITLE = {Seventh ACM Symposium on Principles of Programming Languages},
	YEAR = {1980},
	ADDRESS = {Las Vegas, NV},
	MONTH = Jan
}

@INPROCEEDINGS{MOK87,
Author={Al Mok},
Key={Mok},
Year=1987,
Month=jul,
Title={Annotating {Ada} for Real Time Program Synthesis},
BookTitle={Proceedings of the COMPASS 87},
Organization={IEEE},
Pages={63--66}}

@Unpublished{MCHUGHMS,
   Key={McHugh},
   Author={J. McHugh},
   Title={Structured Development and Constructive Proof of a Real Time
Data Acquisition System},
   Institution={University of Maryland at College Park},
   Year={1975},
   Location={University of Maryland, Computer Science Center Library},
   Note={M.S. Scholarly Paper, University of Maryland}}

@TECHREPORT{Kemmerer:assess,
	AUTHOR = {R.A. Kemmerer},
	TITLE = {Verification Assessment Study Final Report},
	INSTITUTION = {National Computer Security Center},
	YEAR = {1986},
	NUMBER = {C3-CR01-86},
	ADDRESS = {Ft. Meade, Maryland},
	NOTE = {5 Volumes.  US distribution only}
}

@manual{gypsy-methodology,
   Author={ M.K. Smith and D.I. Good and B.L. DiVito},
   Key={Good},
   Title={Using the {Gypsy} Methodology: {DRAFT}, nov 1987},
   Year={1987},
   Organization={Computational Logic Inc.}}

@manual{gypsy21,
   Author={D.I. Good},
   Key={Good},
   Title={Revised Report on {Gypsy} 2.1: {DRAFT}, jul 1984},
   Year={1984},
   Organization={Institute for Computing Science,
The University of Texas at Austin}}

@manual{gypsy205,
   Author={D.I. Good and R.L. Akers and L.M. Smith},
   Key={Good},
   Title={Report on {Gypsy} 2.05: oct 1986},
   Year={1986},
   Organization={Computational Logic Inc.}}

@TechReport{Bevier87,
	AUTHOR = {W.R. Bevier},
	TITLE = {A Verified Operating System Kernel},
	Institution = {Ph.D. thesis,
Department of Computer Science, The University of Texas at Austin},
	YEAR = {1987}
}

@MANUAL{KapurZhang,
	TITLE = {{RRL}: A User's Manual},
	AUTHOR = {D. Kapur and H. Zhang},
	ORGANIZATION = {General Electric Corporate Research and Development},
	ADDRESS = {Schenectady, NY},
	MONTH = mar,
	YEAR = {1986},
	NOTE = {Unpublished Manuscript}
}

@ARTICLE{IOTA,
	AUTHOR = {T. Yuasa and R. Nakajima},
	TITLE = {{IOTA}: A Modular Programming System},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1985},
	VOLUME = {SE-11},
	NUMBER = {2},
	PAGES = {179--187},
	MONTH = feb
}

@BOOK{ANNA,
	AUTHOR = {David C. Luckham and Friedrich W. von Henke and Bernd Krieg-Br\"{u}ckner and Olaf Owe},
	TITLE = {{ANNA} A Language for Annotating {Ada} Programs},
	PUBLISHER = {Springer-Verlag,  Berlin,
           Lecture Notes in Computer Science, Vol 260},
	YEAR = {1987} }

@BOOK{IOTA-book,
	EDITOR = {R. Nakajima and T. Yuasa},
	TITLE = {The {IOTA} Programming System},
	PUBLISHER = {Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Vol 160},
	YEAR = {1982} }

@TECHREPORT{Gerhart:overview,
	AUTHOR = {Susan L. Gerhart},
	TITLE = {Design Technology Assessment: Overview},
	INSTITUTION = {MCC},
	YEAR = {1986},
	NUMBER = {STP-078-86},
	ADDRESS = {Austin, TX},
	MONTH = feb
}

@TECHREPORT{Harel:statecharts,
	AUTHOR = {David Harel},
	TITLE = {Statecharts: a Visual Approach to Complex Systems},
	INSTITUTION = {MCC},
	YEAR = {1986},
	ADDRESS = {Austin, TX},
	MONTH = feb
}


@TECHREPORT{statecharts,
	AUTHOR = {G.R. Burns and S.L. Gerhart and I. Forman and M. Graf},
	TITLE = {Design Technology Assessment: The Statecharts Approach},
	INSTITUTION = {MCC},
	YEAR = {1986},
	NUMBER = {STP-107-86},
	ADDRESS = {Austin, TX},
	MONTH = mar
}

@ARTICLE{Clarke86,
	AUTHOR = {E.M. Clarke and E.A. Emerson and A.P. Sistla},
	TITLE = {Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications},
	JOURNAL = {ACM Transactions on Programming Languages and Systems},
	YEAR = {1986},
	VOLUME = {8},
	NUMBER = {2},
	PAGES = {244--263},
	MONTH = apr
}

@TECHREPORT{siftproof,
	AUTHOR = {L. Moser and P.M. Melliar-Smith and R. Schwartz},
	TITLE = {Design Verification of {SIFT}},
	MONTH = sep,
	YEAR = {1987},
	INSTITUTION = {NASA Langley Research Center},
	TYPE = {Contractor Report},
	NUMBER = 4097,
	ADDRESS = {Hampton, Virginia}
}

@ARTICLE{Church:types,
	AUTHOR = {A. Church},
	TITLE = {A Formulation of the Simple Theory of Types},
	JOURNAL = {Journal of Symbolic Logic},
	YEAR = {1940},
	VOLUME = {5}  }

@inproceedings{metavcg,
author = {M. Moriconi and R.L. Schwartz},
title = {Automatic Construction of Verification Condition
         Generators from {Hoare} Logics},
booktitle = {Proceedings of the Eighth International Colloquium on
             Automata, Languages, and Programming},
address = {Acre (Akko), Israel},
pages = {363--377},
month = jul,
publisher = {Springer-Verlag, Berlin,
    Lecture Notes in Computer Science, No. 115},
year = 1981 }

@article{moriconi:dva,
author = {M. Moriconi},
title = {A designer/verifier's assistant},
journal = {ieeese},
volume = {SE-5},
number = 4,
month = jul,
year = {1979},
pages = {387--401},
note = {Reprinted in {\it Artificial Intelligence and Software
Engineering}, edited by C.\ Rich and R.\ Waters, Morgan Kaufmann
Publishers, Inc., 1986.  Also reprinted in {\it Tutorial on
Software Maintenance},  edited by G.\ Parikh and N.\ Zvegintzov,
IEEE Computer Society Press, 1983.}   }

@phdthesis{moriconi:thesis,
author = {M. Moriconi},
title = {A system for incrementally designing and verifying programs},
school = {Computer Science Department,
          The University of Texas at Austin},
month = dec,
year = 1977,
note = {Also Technical Report CSL--73 and CSL--74,
        Computer Science Laboratory, SRI International,
        and Technical Reports ISI/RR--77--64 and
        ISI/RR--77--66, USC/Information Sciences Institute} }

@ARTICLE{MoriconiWinkler90,
Author={M. Moriconi and T.C. Winkler},
TITLE = {Approximate Reasoning About the Semantic Effects of Program Changes},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1990}, VOLUME = {16},
NUMBER = {9}, PAGES = {990-1004}, MONTH = sep }

@manual{Ada83,
	key={DoD},
	title={Reference Manual for the {Ada} Programming Language},
        month=jan,
	year=1983,
	organization={United States Department of Defense},
        note={ANSI/MIL-STD-1815 A}}

@ARTICLE{Barringer+Mearns,
	AUTHOR = {H. Barringer and I. Mearns},
	TITLE = {Axioms and Proof Rules for {Ada} Tasks},
	JOURNAL = {IEE Proceedings},
	YEAR = {1982},
	VOLUME = {129},
	NUMBER = {Part E, Number 2},
	MONTH = Mar
}

@MASTERSTHESIS{Mearns,
	AUTHOR = {I. Mearns},
	TITLE = {A Message-Based Run-Time System and proof Rules for {Ada} Tasks},
	SCHOOL = {Department of Computer Science, University of Manchester},
	YEAR = {1981},
	MONTH = Oct
}

@TECHREPORT{Ada:libraries,
	AUTHOR = {J.A. Goguen and K.N. Levitt},
	TITLE = {Report on {Ada} Program Libraries Workshop},
        INSTITUTION={Computer Science Laboratory, SRI International},
	YEAR = {1983},
	TYPE = {Report for SRI Project 6186},
	ADDRESS = {Menlo Park, California},
	MONTH = nov
}

@ARTICLE{Goguen:LIL,
	AUTHOR = {J.A. Goguen},
	TITLE = {Reusing and Interconnecting Software Components},
	JOURNAL = {Computer},
	YEAR = {1986},
	VOLUME = {19},
	NUMBER = {2},
	PAGES = {16--28},
	MONTH = feb
}

@InProceedings{McCullough87,
   Author={D. McCullough},
   BookTitle={Proceedings of the 1987 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Specifications for Multi-Level Security and a Hook-Up Property},
   Year={1987},
   Address={Oakland, California},
   Month=apr,
   Pages={161--166}
}

@InProceedings{McCullough88,
   Author={D. McCullough},
   BookTitle={Proceedings of the 1988 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Noninterference and Composability of Security Properties},
   Year={1988}, Address={Oakland, California},    Month=apr,    Pages={177--186} }

@TechReport{McCullough88b,
author = {D. McCullough}, key = {McCullough},
title = {Ulysses Security Properties Modeling Environment: The Theory of Security},
institution = {Odyssey Research Associates},
year = {1988}, 	address = {Ithaca, New York}, MONTH = jul  }

@inproceedings{Wong+89,
author={R. Wong and M. Chacko and E. Ding and B. Kahn
and N.E. Proctor and J. Sebes and R. Varadarajan}, title={The {SDOS} System: {A}
{S}ecure {D}istributed {O}perating {S}ystem Prototype},
booktitle={Proceedings of the Twelfth National Computer Security Conference},
address={Baltimore, Maryland},
month=oct, pages={172-183}, year=1989 }

@TechReport{SDOS89-SDD,
author = {{ORA Corp.}}, key = {ORA},
title = {Software Design Document for the (THETA) Experimental Secure Distributed
Operating System Development (8 volumes)},
institution = {Odyssey Research Associates},
year = {1989}, 	address = {Ithaca, New York}, 	MONTH = {30 December}  }

@TechReport{SDOS89-FSM,
author = {{ORA Corp.}}, key = {ORA},
title = {Formal Security Model
for the Experimental Secure Distributed Operating System Development},
institution = {Odyssey Research Associates},
year = {1989}, 	address = {Ithaca, New York}, 	MONTH = {7 October} }

@TechReport{THETA91-SRS,
author = {{ORA Corp.}}, key = {ORA08},
title = {Software Requirements Specification
for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York},
day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A008.} }

@TechReport{THETA91-FSM,
author = {{ORA Corp.}}, key = {ORA09},
title = {Formal security model specification
for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York},
day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A009.} }

@TechReport{THETA91-SPM,
author = {{ORA Corp.}}, key = {ORA10},
title = {Software programmer's manual
for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York},
day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A010.} }

@TechReport{THETA91-SDD,
author = {{ORA Corp.}}, key = {ORA11},
title = {Software Design Document for the
{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development},
institution = {ORA Corporation},
year = {1991}, 	address = {Ithaca, New York}, 	day={15}, month=jul,
Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A011: Volume I, Part I, Volume II, Parts II-VIII.} }

@TechReport{THETA91-SDDI,
author = {{ORA Corp.}}, key = {ORA11a},
title = {Software Design Document for the
{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development},
institution = {ORA Corporation},
year = {1991}, 	address = {Ithaca, New York}, 	day={15}, month=jul,
Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A011: Volume I, Part I.} }

@TechReport{THETA91-SDDII,
author = {{ORA Corp.}}, key = {ORA11b},
title = {Software Design Document for the
{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem Development},
institution = {ORA Corporation},
year = {1991}, 	address = {Ithaca, New York}, 	day={15}, month=jul,
Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A011: Volume II, Parts II-VIII.} }

@TechReport{THETA91-DP,
author = {{ORA Corp.}}, key = {ORA16},
title = {Demonstration Plan
for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York},
day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A016.} }

@TechReport{THETA91-SUM,
author = {{ORA Corp.}}, key = {ORA17},
title = {Software user's manual
for the {(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},address = {Ithaca, New York},
day={15}, month=jul, Note ={Rome Laboratory Contract F30602-88-C-0146,
CDRL A017.} }

@TechReport{THETA91-FIN,
author = {{ORA Corp.}}, key = {ORA21},
title = {Final Report for the
{(THETA)} {E}xperimental {S}ecure {D}istributed {O}perating {S}ystem
Development}, institution = {ORA Corporation},year = {1991},
address = {Ithaca, New York}, day={15}, month=jul,
Note ={Rome Laboratory Contract F30602-88-C-0146, CDRL A021.} }

@inproceedings{McEnerney90,
author={J.R. McEnerney and D.G. Weber and R. Brown},
title={Automated Extensibility in {THETA}},
booktitle={Proceedings of the Thirteenth National Computer Security Conference},
address={Washington, D.C.},
month=oct, pages={144--153}, year=1990 }

@InProceedings{Jacob88,
   Author={Jeremy Jacob},
   BookTitle={Proceedings of the 1988 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Security Specifications},
   Year={1988},
   Address={Oakland, California},
   Month=apr,
   Pages={14--23}
}

@InProceedings{Gligor83,
   Key={Gligor}, Author={V.D. Gligor},
   BookTitle={Proceedings of the 1983 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={A Note on the Denial-of-Service Problem},
   Address="Oakland, California", Year={1983}, Month=apr, pages={139-149} }

@InProceedings{Yu88,
Key={Yu}, Author={C.-F. Yu and V.D. Gligor},
Title={A Formal Specification and Verification Method for the Prevention of Denial of Service},
BookTitle={Proceedings of the 1988 Symposium on Security and Privacy},
Organization={IEEE Computer Society},
Address="Oakland, California", Year={1988}, Month=apr, pages={187-202},
Note={Also in {\it IEEE Transactions on Software
Engineering,} SE-16, 12, June 1990, 581--592)}
 }

@InProceedings{Glasgow+MacEwan88, Author={Janice I. Glasgow and Glenn
   H. MacEwan}, BookTitle={Proceedings of the 1988 Symposium on
   Security and Privacy}, Organization={IEEE Computer Society},
   Title={Reasoning about Knowledge in Multilevel Secure Distributed
   Systems}, Year={1988}, Address={Oakland, California},
   Month=apr, Pages={122--128} }

@ARTICLE{Glasgow+MacEwan87,
	AUTHOR = {Janice I. Glasgow and Glenn H. MacEwan},
	TITLE = {The Development and Proof of a Formal Specification for a Multi-Level Secure System},
	JOURNAL = {tocs},
	YEAR = {1987},
	VOLUME = {5},
	NUMBER = {2},
	PAGES = {151--184},
	MONTH = may
}

@TECHREPORT{Rushby:Calculus,
	AUTHOR = {J.M. Rushby},
	TITLE = {Security Policies for Distributed Systems: A Model and Calculus},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1987},
	ADDRESS = {Menlo Park, California},
	MONTH = may,
	NOTE = {(Draft)}
}

@INPROCEEDINGS{Rushby:safety-original,
	AUTHOR = {J.M. Rushby},
	TITLE = {Kernels for Safety?},
	BOOKTITLE = {Proceedings of the Safety and Security Symposium},
	YEAR = {1986},
	ORGANIZATION = {Centre for Software Reliability},
	ADDRESS = {Glasgow, Scotland},
	MONTH = oct
}


@INCOLLECTION{Rushby:safety,
	AUTHOR = {J.M. Rushby},
	TITLE = {Kernels for Safety?},
	BOOKTITLE = {Safe and Secure Computing Systems},
	PUBLISHER = {Blackwell Scientific Publications},
	YEAR = {1989},
	EDITOR = {T. Anderson},
	CHAPTER = {13},
	PAGES = {210--220},
	NOTE = {Proceedings of a Symposium held in Glasgow, October 1986}
}

@INCOLLECTION{Rushby:networks,
	AUTHOR = {J.M. Rushby},
	TITLE = {Networks are Systems},
	BOOKTITLE = {Tutorial: Computer and Network Security},
	PUBLISHER = {IEEE Computer Society Press},
	YEAR = {1986},
	EDITOR = {Marshall D. Abrams and Harold J. Podell},
	PAGES = {300--316}
}

@MANUAL{DRC:SDI,
	TITLE = {Distributed Systems Technology Assessment for {SDI}},
	ORGANIZATION = {Dynamics Research Corporation},
	ADDRESS = {Wilmington, Massachusetts},
	MONTH = sep,
	YEAR = {1986},
	NOTE = {Final Report to Rome Air Development Center, TEMS Task 0029, Contract F19628-84-D-0016}
}

@ARTICLE{Schlichting+Schneider,
	AUTHOR = {R.D. Schlichting and  F.B. Schneider},
	TITLE = {Fail-Stop Processors: an approach to designing fault-tolerant computing systems},
	JOURNAL = {tocs},
	YEAR = {1983},
	VOLUME = {1},
	NUMBER = {3},
	PAGES = {222--238},
	MONTH = apr
}

@INPROCEEDINGS{Butler:FTCS,
	AUTHOR = {R.W. Butler and D.L. Palumbo and S.C. Johnson},
	TITLE = {Application of a Clock Synchronization Validation
Methodology to the {SIFT} Computer System},
	BOOKTITLE={Digest of Papers, FTCS 15},
	ADDRESS={Ann Arbor, Michigan},
	ORGANIZATION={IEEE Computer Society},
	PAGES = {194--199},
	MONTH=jun,
	YEAR={1985}}

@TECHREPORT{Butler:clock-survey,
	AUTHOR = {R.W. Butler},
	TITLE = {A Survey of Provably Correct Fault-Tolerant Clock
Synchronization Techniques},
	YEAR = {1988},
        INSTITUTION = {NASA Langley Research Center},
	NUMBER ={TM-100553},
	MONTH = feb
}

@INPROCEEDINGS{Dolev:possible,
	AUTHOR = {D. Dolev and J.Y. Halpern and H.R. Strong},
	TITLE = {On the Possibility and Impossibility of Achieving Clock Synchronization},
	BOOKTITLE = {Proceedings of the Sixteenth Annual {ACM} Symposium on Theory of Computing},
	YEAR = {1984},
	PAGES = {504--511},
	ADDRESS = {Washington, D.C.},
	MONTH = apr
}

@ARTICLE{Panzieri:Rajdoot,
	AUTHOR = {F. Panzieri and S.K. Shrivastava},
	TITLE = {{Rajdoot}: a remote procedure call mechanism supporting orphan
detection and killing},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1988},
	VOLUME = {SE-14},
	NUMBER = {1},
	PAGES = {30--37},
	MONTH = jan
}

@MISC{OSCAR,
	AUTHOR = {A.R. Downing and I.B. Greenberg and J.M. Peha},
	TITLE = {A Log-Based Replication and Consistency Scheme},
	HOWPUBLISHED = {Submitted for publication},
	MONTH = may,
	YEAR = {1988}
}

@INPROCEEDINGS{Cristian:delta,
	AUTHOR = {Flaviu Cristian and Houtan Aghili and Ray Strong and Danny Dolev},
	TITLE = {Atomic Broadcast: from simple Message Diffusion to {Byzantine} Agreement},
	BOOKTITLE={Digest of Papers, FTCS 15},
	ADDRESS={Ann Arbor, Michigan},
	ORGANIZATION={IEEE Computer Society},
	PAGES = {200--206},
	MONTH=jun,
	YEAR={1985}}

@TECHREPORT{Cristian:membership,
	AUTHOR = {Flaviu Cristian},
	TITLE = {Reaching Agreement on Processor Group Membership in Synchronous Distributed Systems},
	INSTITUTION = {IBM Almaden Research Center},
	YEAR = {1988},
	TYPE = {Research Report},
	NUMBER = {RJ 5964},
	ADDRESS = {San Jose, California},
	MONTH = mar
}

@TECHREPORT{Cristian:issues,
	AUTHOR = {Flaviu Cristian},
	TITLE = {Issues in the Design of Highly Available Computing Systems},
	INSTITUTION = {IBM Almaden Research Center},
	YEAR = {1987},
	TYPE = {Research Report},
	NUMBER = {RJ 5856},
	ADDRESS = {San Jose, California},
	MONTH = oct
}

@INPROCEEDINGS{Cristian:presence,
	AUTHOR = {Flaviu Cristian},
	TITLE = {Agreeing on who is Present and who is Absent in a Synchronous Distributed System},
	BOOKTITLE = {Digest of Papers, FTCS 18},
	YEAR = {1988},
	PAGES = {206--211},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Tokyo, Japan},
	MONTH = jun
}

@INPROCEEDINGS{Strom:volatile,
	AUTHOR = {Robert E. Strom and David F. Bacon and Shaula A. Yemini},
	TITLE = {Volatile Logging in N-Fault-Tolerant Distributed Systems},
	BOOKTITLE = {Digest of Papers, FTCS 18},
	YEAR = {1988},
	PAGES = {44--49},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Tokyo, Japan},
	MONTH = jun
}

@ARTICLE{Birman:comms,
	AUTHOR = {K.P. Birman and T.A. Joseph},
	TITLE = {Reliable Communication in the Presence of Failures},
	JOURNAL = {tocs},
	YEAR = {1987},
	VOLUME = {5},
	NUMBER = {1},
	PAGES = {47--76},
	MONTH = feb
}

@ARTICLE{Strom:optimistic,
	AUTHOR = {Robert E. Strom and Shaula Yemini},
	TITLE = {Optimistic Recovery in Distributed Systems},
	JOURNAL = {tocs},
	YEAR = {1988},
	VOLUME = {3},
	NUMBER = {3},
	PAGES = {204--226},
	MONTH = aug
}

@TECHREPORT{Randell:duality,
	AUTHOR = {S.K. Shrivastava and L.V. Mancini and B. Randell},
	TITLE = {On the Duality of Fault Tolerant System Structures},
	INSTITUTION = {Computing Laboratory, University of Newcastle upon Tyne},
	YEAR = {1987},
	NUMBER = {248},
	ADDRESS = {Newcastle upon Tyne, U.K.},
	MONTH = nov
}

@ARTICLE{Randell:structure,
	AUTHOR = {B. Randell},
	TITLE = {System Design and Structuring},
	JOURNAL = {Computer Journal},
	YEAR = {1986},
	VOLUME = {29},
	NUMBER = {4},
	PAGES = {300--306}
}

@INPROCEEDINGS{Laprie:dependability,
	AUTHOR = {J.-C. Laprie},
	TITLE = {Dependable Computing and Fault Tolerance: Concepts and Terminology},
	BOOKTITLE={Digest of Papers, FTCS 15},
	ADDRESS={Ann Arbor, Michigan},
	ORGANIZATION={IEEE Computer Society},
	PAGES = {2--11},
	MONTH=jun,
	YEAR={1985}}

@ARTICLE{Leveson+Knight86,
Author={J.C. Knight and N.G. Leveson},
TITLE = {An Experimental Evaluation of the Assumption
of Independence in Multi-Version Programming},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1986}, VOLUME = {SE-12},
NUMBER = {1}, PAGES = {96-109}, MONTH = jan }

@INPROCEEDINGS{Knight+Leveson:Vienna,
	AUTHOR = {J.C. Knight and N.G. Leveson},
	TITLE = {An Empirical Study of Failure Probabilities in Multi-Version Software},
	BOOKTITLE={Digest of Papers, FTCS 16},
	ADDRESS={Vienna, Austria},
	ORGANIZATION={IEEE Computer Society},
	PAGES = {165--170},
	MONTH=jul,
	YEAR={1986}}

@ARTICLE{Brilliant89,
Author={S. Brilliant and J.C. Knight and N.G. Leveson},
TITLE = {The Consistent Comparison Problem in N-Version Programming},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1989},
VOLUME = {SE-15}, NUMBER = {11}, PAGES = {}, MONTH = nov }

@ARTICLE{Brilliant90,
Author={S.S. Brilliant and J.C. Knight and N.G. Leveson},
TITLE = {Analysis of Faults in an N-Version Software Experiment},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1990},
VOLUME = {16}, NUMBER = {2}, PAGES = {238-247}, MONTH = feb }

@ARTICLE{ShimeallLeveson91,
Author={T.J. Shimeall and N.G. Leveson},
TITLE = {An Empirical Comparison of Software Fault
Tolerance and Fault Elimination},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1991},
VOLUME = {SE-17}, NUMBER = {2}, PAGES = {173-183}, MONTH = feb }

@ARTICLE{Leveson+90,
Author={N.G. Leveson and S.S. Cha and J.C. Knight and T.J. Shimeall},
TITLE = {The Use of Self Checks and Voting in Software Error Detections:
An Empirical Study}, JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1990}, VOLUME = {SE-16},
NUMBER = {4}, PAGES = {}, MONTH = apr }

@ARTICLE{Leveson91Safety,
Author={N.G. Leveson},
TITLE = {Software Safety in Embedded Computer Systems},
JOURNAL = {Communications of the ACM},
YEAR = {1991}, VOLUME = {34},
NUMBER = {2}, PAGES = {}, MONTH = feb }

@ARTICLE{Therac92,
author={N.G. Leveson and C. Turner},
Title={An Investigation of the {Therac-25} Accidents},
Journal={Computer}, pages ={18--41}, month =jul, Year=1993 }

@ARTICLE{Leveson91Ada,
Author={N.G. Leveson and S.S. Cha and T.J. Shimeall},
TITLE = {Safety Verification of {Ada} Programs using Software Fault Trees},
JOURNAL = {IEEE Software}, YEAR = {1991}, VOLUME = {8},
NUMBER = {7}, PAGES = {}, MONTH = jul }

@book{Leveson95,
Author={N.G. Leveson},
Title={Safeware: System Safety and Computers},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1995} }

@InProceedings{Leveson00,
Author = "N.G. Leveson",
Title = "Using {COTS} Components in Safety-Critical Systems",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@ARTICLE{Leveson04,
Author={N.G. Leveson}, TITLE = {A New Accident Model for Engineering
  Safer Systems},
JOURNAL = {Safety Science (Elsevier)}, YEAR = {2004}, VOLUME = {42},
NUMBER = {4}, PAGES = {237--270}, MONTH = apr }

@ARTICLE{Leveson05,
Author={N.G. Leveson}, TITLE = {A Systems-Theoretic Approach to
  Safety in Software-Intensive Systems},
JOURNAL = {IEEE Trans. on Dependable and Secure Computing},
YEAR = {2005}, VOLUME = {1},
NUMBER = {1}, PAGES = {}, MONTH = jan }

@book{Oster92,
Author={C.V. Oster and J.S. Strong and C.K. Zorn},
Title={Why Airplanes Crash: Aviation Safety in a Changing World},
Publisher={Oxford University Press, New York},
Year={1992} }

@book{Nader94,
Author={R. Nader and W.J. Smith},
Title={Collision Course: The Truth About Airline Safety},
Publisher={TAB Books, McGraw-Hill, Blue Ridge Summit, Pennsylvania},
Year={1994} }

@book{Peterson94,
Author={I. Peterson},
Title={Fatal Defect: Chasing Killer Computer Bugs},
Publisher={Times Books (Random House), New York},
Year={1995} }

@InProceedings{EHDM:Overview88,
   Key = {vonHenke},
   Author = {F.W. von Henke and J.S. Crow and R. Lee and J.M. Rushby and
      R.A. Whitehurst},
   Booktitle = {Proceedings of the Eleventh National Computer Security Conference},
   Organization = {NBS/NCSC},
   Address = {Baltimore, Maryland},
   Title = {The {EHDM} Verification Environment: An Overview},
   pages={147--155},
   Year = {1988},
   Month = oct }

@INPROCEEDINGS{Stickel:PTTP-conf,
	AUTHOR = {M.E. Stickel},
	TITLE = {A {Prolog} Technology Theorem Prover},
	BOOKTITLE = {Proceedings of the Eighth International Conference on Automated Deduction},
	YEAR = {1986},
	PAGES = {573--587},
	ADDRESS = {Oxford, England},
	MONTH = jul
}

@BOOK{Manna+Waldinger85,
	AUTHOR = {Zohar Manna and Richard Waldinger},
	TITLE = {The Logical Basis for Computer Programming},
	PUBLISHER = {Addison-Wesley, Reading, Massachusetts},
	YEAR = {1985},
	VOLUME = {1}
}

@BOOK{Manna+Waldinger88,
	AUTHOR = {Zohar Manna and Richard Waldinger},
	TITLE = {The Logical Basis for Computer Programming},
	PUBLISHER = {Addison-Wesley, Reading, Massachusetts},
	YEAR = {1988},
	VOLUME = {2}
}


@book{Shoenfield,
	Author={Jospeh R. Shoenfield},
	Title={Mathematical Logic},
	Publisher={Addison-Wesley},
	Address={Reading, Massachusetts},
	Year={1967}}

@BOOK{Andrews:book,
	AUTHOR = {Peter B. Andrews},
	TITLE = {An Introduction to Logic and Type Theory: To Truth through Proof},
	PUBLISHER = {Academic Press, New York},
	YEAR = {1986}
}

@MANUAL{Gnu,
	TITLE = {{GNU Emacs} Manual},
	AUTHOR = {Richard Stallman},
	ORGANIZATION = {Free Software Foundation},
	ADDRESS = {1000 Massachusetts Ave., Cambridge, Massachusetts},
	EDITION = {Fourth},
	MONTH = feb,
	YEAR = {1986}
}

@MANUAL{Rushby:sqa:part1,
	TITLE = {Measures and Techniques for Software Quality Assurance},
	AUTHOR = {J.M. Rushby},
	ORGANIZATION = {Computer Science Laboratory, SRI International},
	ADDRESS = {333 Ravenswood Ave., Menlo Park, California},
	MONTH = sep,
	YEAR = {1988}
}

@Article{Hoare:69,
	Author = {C.A.R. Hoare},
	Title = {An axiomatic basis of computer programming},
	Journal = {Communications of the ACM},
	Year = {1969},
	Volume = {12},
	Number = {10},
	Pages = {576--580},
	Month = oct }

@ARTICLE{Yadav88,
	AUTHOR = {Surya B. Yadav and Ralph R. Bravocco and Akemi T. Chatfield and T.M. Rajkumar},
	TITLE = {Comparison of Analysis Techniques for Information Requirement Determination},
	JOURNAL = {Communications of the ACM},
	YEAR = {1988},
	VOLUME = {31},
	NUMBER = {9},
	PAGES = {1090--1097},
	MONTH = sep
}

@ARTICLE{Davis88,
	AUTHOR = {Alan M. Davis},
	TITLE = {A Comparison of Techniques for the Specification of External System Behavior},
	JOURNAL = {Communications of the ACM},
	YEAR = {1988},
	VOLUME = {31},
	NUMBER = {9},
	PAGES = {1098--1115},
	MONTH = sep
}

@ARTICLE{Johnson+Thayer88,
	AUTHOR = {Dale M. Johnson and F. Javier Thayer},
	TITLE = {Stating Security Requirements with Tolerable Sets},
	JOURNAL = {tocs},
	YEAR = {1988},
	VOLUME = {6},
	NUMBER = {3},
	PAGES = {284--295},
	MONTH = aug
}

@InProceedings{Millen84,
   Author={Jonathan K. Millen},
   BookTitle={Proceedings of the 1984 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={The {Interrogator}: A Tool for Cryptographic Protocol Security},
   Year={1984},
   Pages={134--141},
   Month=apr
   }

@INPROCEEDINGS{Lu+Sundareshan86,
	AUTHOR = {W.P. Lu and M.K. Sundareshan},
	TITLE = {A Hierarchical Key Management Scheme for End-to-End Encryption in {Internet} Environments},
	BOOKTITLE={Proceedings of the 1986 Symposium on Security and Privacy},
	YEAR = {1986},
	PAGES = {138--147},
	ORGANIZATION = {IEEE Computer Society}
}

@ARTICLE{Kasami82,
	AUTHOR = {Tadao Kasami and Saburo Yamamura and Kenichi Mori},
	TITLE = {A Key Management Scheme for End-to-End Encryption and a Formal Verification of its Security},
	JOURNAL = {Systems Computers Controls},
	YEAR = {1982},
	VOLUME = {13},
	NUMBER = {3},
	PAGES = {59--69}
}

@INPROCEEDINGS{Sidhu+Leung,
	AUTHOR = {Deepinder Sidhu and Ting-kau Leung},
	TITLE = {Experience with Test Generation for Real Protocols},
	BOOKTITLE = {SIGCOMM '88 Symposium},
	YEAR = {1988},
	PAGES = {257--261},
	ORGANIZATION = {ACM SIGCOMM},
	ADDRESS = {Stanford, California},
	MONTH = aug,
	NOTE = {(Computer Communication Review, vol. 18, No. 4, August 88)}
}

@TECHREPORT{Schneider:understanding,
	AUTHOR = {F.B. Schneider},
	TITLE = {Understanding Protocols for {Byzantine} Clock Synchronization},
	INSTITUTION = {Department of Computer Science, Cornell University},
	YEAR = {1987},
	NUMBER = {87-859},
	ADDRESS = {Ithaca, New York},
	MONTH = aug
}

@TECHREPORT{Lamport:servers,
	AUTHOR = {Leslie Lamport},
	TITLE = {Synchronizing Time Servers},
	INSTITUTION = {DEC Systems Research Center},
	YEAR = {1987},
	NUMBER = {18},
	ADDRESS = {Palo Alto, California},
	MONTH = jun
}

@Article{Lampson+91,
Author = {B. Lampson and M. Abadi and M. Burrows and E. Wobber},
Title = {Authentication in Distributed Systems: Theory and Practice},
Journal = {ACM Operating Systems Review},
Note = {Proceedings of the Thirteenth ACM Symposium on Operating Systems Principles},
Organization = {ACM},
Year = {1991}, volume = {25}, number = {5},
Pages={165-182}, Month = oct }

@Article{Lampson+92,
Author = {B. Lampson and M. Abadi and M. Burrows and E. Wobber},
Title = {Authentication in Distributed Systems: Theory and Practice},
Journal = {ACM Transactions on Computer Systems},
Year = {1992}, volume = {10}, number = {4},
Pages={265-310}, Month = nov }

@Article{Wobber+93,
Author = {E. Wobber and M. Abadi and M. Burrows and B. Lampson},
Title = {Authentication in the {Taos} Operating System},
Journal = {ACM Operating Systems Review},
Note = {Proceedings of the Fourteenth ACM Symposium on Operating Systems
   Principles}, Organization = {ACM},
Year = {1993}, volume = {27}, number = {5},
Pages={256-269}, Month = dec }

@TECHREPORT{Abadi+91,
	AUTHOR = {M. Abadi and M. Burrows and B. Lampson and G. Plotkin},
	TITLE = {A Calculus for Access Control in Distributed Systems},
	INSTITUTION = {DEC Systems Research Center},
	MONTH = {28 February},
	YEAR = {1991},
	NUMBER = {70},
	ADDRESS = {Palo Alto, California}
}

@Article{Mitchell:1988:ATE,
  author =       "J.C. Mitchell and G.D. Plotkin",
  title =        "Abstract Types Have Existential Type",
  journal =      "ACM Transactions on Programming Languages and Systems",
  volume =       "10",
  number =       "3",
  pages =        "470--502",
  month =        jul,
  year =         "1988"
}

@Article{BAN90,
   Key={Burrows},
   Author={M. Burrows and M. Abadi and R. Needham},
   Journal={ACM Transactions on Computer Systems},
   Title={A Logic of Authentication},
   Year={1990},  Month=feb,  Pages={18-36},  Volume={8}, Number={1} }

@TechReport{AbadiNeedham94,
   Author={M. Abadi and R. Needham},
   Institution={Digital Equipment Corporation, SRC Research Report},
   Title={Prudent Engineering Practice for Cryptographic Protocols},
   Address = {Palo Alto, California},
   Year={1994},  Month=jun }

@TechReport{AbadiGordon98,
   Author={M. Abadi and A.D. Gordon},
   Institution={Digital Equipment Corporation, SRC Research Report 149},
   Title={A Calculus for Cryptographic Protocols: The {Spi} Calculus},
   Address = {Palo Alto, California},
   Year={1998},  Month=jan }

@InProceedings{Abadi+99,
   Author={M. Abadi and A. Banerjee and N. Heintze and J.G. Riecke},
   BookTitle={POPL '99, Proceedings of the 26th SIGPLAN-SIGACT Symposium
   on Principles of Programming Languages},
   Title={A Core Calculus of Dependency},
   Year={1999},
   Address={San Antonio, Texas},
   Month={January 20-22},
   Pages={147--160}
   }

@TechReport{AbadiLeino98,
   Author={M. Abadi and K.R.M. Leino},
   Institution={Compaq Systems Research Center, SRC Research Report 161},
   Title={A Logic of Object-Oriented Programs},
   Address = {Palo Alto, California},
   Year={1998},  Month=sep }

@InProceedings{Abadi94
   ,Author={M. Abadi and R.M. Needham}
   ,BookTitle={Proceedings of the IEEE Symposium on Research in Security and Privacy}
   ,Address={Oakland, California}
   ,Title={Prudent Engineering Practice for Cryptographic Protocols}
   ,Year={1994}
   ,Month=may
   ,Pages={122--136}
   }

@Article{AbadiNeedham96,
   Author={M. Abadi and R. Needham},
   Journal={IEEE Transactions on Software Engineering},
   Title={Prudent Engineering Practice for Cryptographic Protocols},
   Year={1996},  Month=jan,  Pages={6--15},  Volume={22}, Number={1} }

@InProceedings{Simmons85,
   Key={Simmons},  Author={G.E. Simmons},
   BookTitle={Proceedings of the 1985 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={How to (Selectively) Broadcast a Secret},
   Year={1985}, Address={Oakland, California}, Month=apr, Pages={108-113}
   }

@TECHREPORT{Cristian:probabilistic,
	AUTHOR = {F. Cristian},
	TITLE = {Probabilistic Clock Synchronization},
	INSTITUTION = {IBM Almaden Research Center},
	YEAR = {1988},
	NUMBER = {RJ 6432},
	ADDRESS = {San Jose, California},
	MONTH = sep
}

@INPROCEEDINGS{Cristian:prob,
	AUTHOR = {F. Cristian},
	TITLE = {A probabilistic approach to distributed clock synchronization},
	BOOKTITLE={Proceedings of the Ninth International Conference on
Distributed Computing Systems},
	YEAR = {1989},
	PAGES = {288-296},
	ORGANIZATION = {IEEE Computer Society}
}

@ARTICLE{Cristian:servers,
Author={F. Cristian}, TITLE={Understanding fault-tolerant distributed systems},
JOURNAL = {Communications of the ACM}, YEAR = {1991}, VOLUME = {34},
NUMBER = {2}, PAGES = {56-78}, MONTH = feb }

@BOOK{Lakatos,
	AUTHOR = {Imre Lakatos},
	TITLE = {Proofs and Refutations},
	PUBLISHER = {Cambridge University Press},
	YEAR = {1976},
	ADDRESS = {Cambridge, England}
}

@Article{Fetzer,
	Author = {James H. Fetzer},
	Title = {Program Verification: the Very Idea},
	Journal = {Communications of the ACM},
	Year = {1988},
	Volume = {31},
	Number = {9},
	Pages = {1048--1063},
	Month = sep }

@ARTICLE{Maes+vanDijk,
	AUTHOR = {R. Maes and J.E.M. van Dijk},
	TITLE = {On the Role of Ambiguity and Incompleteness in the Design of Decision Tables and Rule-Based Systems},
	JOURNAL = {Computer Journal},
	YEAR = {1988},
	VOLUME = {31},
	NUMBER = {6},
	PAGES = {481--489}
}

@TECHREPORT{Gordon88:programs,
	AUTHOR = {M.J.C. Gordon},
	TITLE = {Mechanizing Programming Logics in Higher Order Logic},
	INSTITUTION = {Cambridge Computer Science Research Centre,
SRI International},
	YEAR = {1988},
	NUMBER = {CCSRC-006},
	ADDRESS = {Suite 23, Millers Yard, Mill Lane, Cambridge CB2 1RQ, England},
	MONTH = sep
}

@ARTICLE{Stickel:PTTP,
	AUTHOR = {Mark E. Stickel},
	TITLE = {A {Prolog} Technology Theorem Prover: Implementation by an Extended {Prolog} Compiler},
	JOURNAL = {Journal of Automated Reasoning},
	YEAR = {1988},
	VOLUME = {4},
	NUMBER = {4},
	PAGES = {353--380},
	MONTH = dec
}

@BOOK{F16,
	AUTHOR = {Carl S. Droste and James E. Walker},
	TITLE = {The {General Dynamics} Case Study on the {F16} Fly-by-Wire Flight Control System},
	PUBLISHER = {American Institute of Aeronautics and Astronautics},
	YEAR = {Undated},
	SERIES = {AIAA Professional Study Series}
}

@ARTICLE{Shostak:combination,
	AUTHOR = {Robert E. Shostak},
	TITLE = {Deciding Combinations of Theories},
   Journal={Journal of the ACM},
	YEAR = {1984},
	VOLUME = {31},
	NUMBER = {1},
	PAGES = {1--12},
	MONTH = jan
}

@ARTICLE{Shostak:arithmetic,
	AUTHOR = {Robert E. Shostak},
	TITLE = {A Practical Decision Procedure for Arithmetic with Function Symbols},
   Journal={Journal of the ACM},
	YEAR = {1979},
	VOLUME = {26},
	NUMBER = {2},
	PAGES = {351--360},
	MONTH = apr
}

@ARTICLE{Shostak:sup-inf,
	AUTHOR = {Robert E. Shostak},
	TITLE = {On the {SUP-INF} Method for Proving {Presburger} Formulas},
   Journal={Journal of the ACM},
	YEAR = {1977},
	VOLUME = {24},
	NUMBER = {4},
	PAGES = {529--543},
	MONTH = oct
}

@ARTICLE{Shostak:equality,
	AUTHOR = {Robert E. Shostak},
	TITLE = {An Algorithm for Reasoning about Equality},
	JOURNAL = {Communications of the ACM},
	YEAR = {1978},
	VOLUME = {21},
	NUMBER = {7},
	PAGES = {583--585},
	MONTH = jul
}

@INPROCEEDINGS{STP,
	AUTHOR = {R.E. Shostak and R. Schwartz and P.M. Melliar-Smith},
	TITLE = {{STP}: A Mechanized Logic for Specification and Verification},
	BOOKTITLE = {Sixth International Conference on Automated Deduction ({CADE}-6)},
	PUBLISHER={Springer-Verlag, Berlin,
    Lecture Notes in Computer Science, Vol. 138},
	YEAR = {1982}
}

@INCOLLECTION{Shostak:circuits,
	AUTHOR = {Robert E. Shostak},
	TITLE = {Formal Verification of Circuit Designs},
	BOOKTITLE = {Computer Hardware Description Languages},
	PUBLISHER = {North-Holland},
	YEAR = {1983},
	EDITOR = {T. Uehara and M. Barbacci},
	PAGES = {13--29}
}

@INPROCEEDINGS{Avizienis:search,
	AUTHOR = {Algirdas Avi\v{z}ienis and Michael R. Lyu and
Werner Sch\"{u}tz},
	TITLE = {In Search of Effective Diversity: {A} Six-Language
Study of Fault Tolerant Flight Control Software},
	BOOKTITLE = {Digest of Papers, FTCS 18},
	YEAR = {1988},
	PAGES = {15--22},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Tokyo, Japan},
	MONTH = jun
}

@INPROCEEDINGS{Kelly88,
	AUTHOR = {John P.J. Kelly and others},
	TITLE = {A Large Scale Second Generation Experiment in
Multi-Version Software: Description and Early Results},
	BOOKTITLE = {Digest of Papers, FTCS 18},
	YEAR = {1988},
	PAGES = {9--14},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Tokyo, Japan},
	MONTH = jun
}

@INPROCEEDINGS{Brunelle,
	AUTHOR = {J.E. Brunelle and D.E. {Eckhardt, Jr.}},
	TITLE = {Fault-Tolerant Software: An Experiment with the
{SIFT} Operating System},
	PAGES = {355--360},
	BOOKTITLE = {Proceedings of the Fifth AIAA Computers in Aerospace Conference},
        MONTH = oct, YEAR = {1985}  }

@ARTICLE{Eckhardt+Lee,
AUTHOR = {Dave E. {Eckhardt, Jr.} and Larry D. Lee},
TITLE = {A Theoretical Basis for the Analysis of Multiversion
Software Subject to Coincident Errors},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1985},
VOLUME = {SE-11}, NUMBER = {12}, PAGES = {1511--1517}, MONTH = dec }

@ARTICLE{Eckhardt+91,
AUTHOR = {D.E. Eckhardt and A.K. Caglayan and J.C. Knight and L.D. Lee
and D.F. McAllister and M.A. Vouk and J.P.J. Kelly},
TITLE = {An Experimental Evaluation of Software Redundancy as a Strategy
for Improving Reliability},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1991},
VOLUME = {SE-11}, NUMBER = {12}, PAGES = {692-702}, MONTH = jul }

@TECHREPORT{Rushby89:ica,
	AUTHOR = {J.M. Rushby and F. von Henke},
	TITLE = {Formal Verification of the Interactive Convergence Clock Synchronization Algorithm using {EHDM}},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1989},
        NUMBER = {SRI-CSL-89-3},
	ADDRESS = {Menlo Park, California},
	MONTH = feb,
	NOTE = {Also available as NASA Contractor Report 4239}
}
@comment{(Final Report for SRI Project 4616, Task 4, NASA Contract NSA1 17067), also forthcoming NASA Contractor Report}

@inproceedings{Rushby94:icah,
	AUTHOR = {J.M. Rushby},
	TITLE = {A Formally Verified Algorithm for Clock
		Synchronization Under a Hybrid Fault Model},
	BOOKTITLE = {Proceedings of the Thirteenth Conference on
            Principles of Distributed Computing},
	PAGES = {304--313},
	ORGANIZATION = {ACM},
	ADDRESS = {Los Angeles, California},
	MONTH = aug,
	YEAR = 1994
}

@techreport{Lincoln+Rushby92:OMH,
	AUTHOR = {Patrick Lincoln and John Rushby},
	TITLE = {Formal Verification of an Algorithm for Interactive
		Consistency under a Hybrid Fault Model},
	NUMBER = {SRI-CSL-93-2},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = 1993,
	ADDRESS = "Menlo Park, California",
	MONTH = mar,
	NOTE = {Also available as NASA Contractor Report 4527, July 1993},
}

@inproceedings{Lincoln+Rushby93:FTCS,
	AUTHOR = {P.D. Lincoln and J.M. Rushby},
	TITLE = {A Formally Verified Algorithm for Interactive Consistency
		under a Hybrid Fault Model},
        BOOKTITLE = {Fault Tolerant Computing Symposium 23},
	PAGES = {402--411},
        YEAR = {1993}
}

@inproceedings{Lincoln95NASA,
	AUTHOR = {P.D. Lincoln and J.M. Rushby and N. Suri and C. Walter},
	TITLE = {Hybrid Fault Algorithms},
BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
           May 10-12, 1995},
        MONTH = jun,
        YEAR = {1995},
ORGANIZATION={NASA Langley Research Center},
Pages={193--209}}

@inproceedings{Rushby95NASA,
	AUTHOR = {J.M. Rushby},
	TITLE = {Fault-Tolerant Algorithms and the Design of {PVS}},
BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
           May 10-12, 1995},
        MONTH = jun,
        YEAR = {1995},
ORGANIZATION={NASA Langley Research Center},
Pages={93--104}}

@techreport{Lincoln+Rushby95,
	AUTHOR = {P.D. Lincoln and J.M. Rushby},
	TITLE = {Formally Verified Algorithms for Diagnosis
		of Manifest, Symmetric, Link, and {Byzantine} Faults},
	NUMBER = {SRI-CSL-95-14},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = "1995",
	ADDRESS = "Menlo Park, California",
	MONTH = oct,
}

@techreport{LincolnRushby95,
	AUTHOR = {P.D. Lincoln and J.M. Rushby},
	TITLE = {Formally Verified Algorithms for Diagnosis
		of Manifest, Symmetric, Link, and {Byzantine} Faults},
	NUMBER = {SRI-CSL-95-14},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = "1995",
	ADDRESS = "Menlo Park, California",
	MONTH = oct,
}

@techreport{DiVitoRoberts96,
	AUTHOR = {B.L. DiVito and L.W. Roberts},
	TITLE = {Using Formal Methods to Assist in the Requirements Analysis
          of the Space Shuttle {GPS} Change Request},
	NUMBER = {NASA Contractor Report 4652},
	INSTITUTION = {NASA Langley Research Center},
	YEAR = 1996,
	ADDRESS = "Hampton, Virginia",
	MONTH = aug,
}

@inproceedings{Dill95NASA,
	AUTHOR = {D.L. Dill},
	TITLE = {Model Checking},
BookTitle={Proceedings of the Third NASA Langley Formal Methods Workshop,
           May 10-12, 1995},
        MONTH = jun,
        YEAR = {1995},
ORGANIZATION={NASA Langley Research Center},
Pages={211--216}}

@BOOK{McMillan:SMV,
	AUTHOR = {K.L. McMillan},
	TITLE = {Symbolic Model Checking},
	PUBLISHER = {Kluwer Academic Publishers},
	ADDRESS = {Boston, Massachusetts},
	YEAR = 1993
}

@ARTICLE{Burch-etal94,
	AUTHOR = {J.R. Burch and E.M. Clarke and D.E. Long and
		K.L. McMillan and D.L. Dill},
	TITLE = {Symbolic Model Checking for Sequential Circuit Verification},
	JOURNAL = {IEEE Transactions on Computer-Aided Design},
	YEAR = 1994,
	VOLUME = 13,
	NUMBER = 4,
	PAGES = {401--424},
	MONTH = apr
}

@article{Atlee+Gannon93,
	AUTHOR = {J.M. Atlee and J. Gannon},
	TITLE = {State-Based Model Checking of Event-Driven System Requirements},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = 1993,
	VOLUME = 19,
	NUMBER = 1,
	PAGES = {24--40},
	MONTH = jan
}

@ARTICLE{Clarke-etal94,
	AUTHOR = {E.M. Clarke and O. Grumberg and D.E. Long},
	TITLE = {Model Checking and Abstraction},
	JOURNAL = {ACM Transactions on Programming Languages and Systems},
	YEAR = 1994,
	VOLUME = 16,
	NUMBER = 5,
	PAGES = {1512--1542},
	MONTH = sep
}

@TECHREPORT{Rushby88:SQA,
	AUTHOR = {J.M. Rushby},
	TITLE = {Quality measures and Assurance for {AI} Software},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1988},
        NUMBER = {SRI-CSL-88-7R},
	ADDRESS = {Menlo Park, California},
	MONTH = sep,
	NOTE = {Also available as NASA Contractor Report 4187}
}
@comment{(Final Report for SRI Project 4616, Task 5, NASA Contract NSA1 17067), also available as NASA Contractor Report 4187}

@ARTICLE{Cohn83,
	AUTHOR = {Avra Cohn},
	TITLE = {The Equivalence of Two Semantic Definitions: A Case Study in {LCF}},
	JOURNAL = {sicomp},
	YEAR = {1983},
	VOLUME = {12},
	NUMBER = {2},
	PAGES = {267--285},
	MONTH = may
}

@BOOK{Boyer-Moore79,
	AUTHOR = {R.S. Boyer and J S. Moore},
	TITLE = {A Computational Logic},
	PUBLISHER = {Academic Press},
	YEAR = {1979},
	ADDRESS = {New York}
}

@BOOK{Kaufmann-Moore00,
	AUTHOR = {M Kaufmann and J S. Moore and P. Manolios},
	TITLE = {Computer-Aided Reasoning: An Approach},
	PUBLISHER = {Kluwer Academic Publishing},
	YEAR = {2000},
	ADDRESS = {Norwell, Massachusetts}
}

@INPROCEEDINGS{Littlewood+Miller,
	AUTHOR = {B. Littlewood and D.R. Miller},
	TITLE = {A Conceptual Model of Multi-Version Software},
	BOOKTITLE={Digest of Papers, FTCS 17},
	ADDRESS={Pittsburgh, Pennsylvania},
	ORGANIZATION={IEEE Computer Society},
	PAGES = {150--155},
	MONTH=jul,
	YEAR={1987}}

@ARTICLE{Dunham86,
	AUTHOR = {Janet R. Dunham},
	TITLE = {Experiments in Software Reliability: Life Critical Applications},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1986},
	VOLUME = {SE-12},
	NUMBER = {1},
	PAGES = {110--123},
	MONTH = jan
}

@TECHREPORT{Moore:piton-short,
	AUTHOR = {J Strother Moore},
	TITLE = {A Mechanically Verified Language Implementation},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1988},
	NUMBER = {30},
	ADDRESS = {Austin, TX},
	MONTH = sep
}

@TECHREPORT{Moore:piton-long,
	AUTHOR = {J Strother Moore},
	TITLE = {Piton: A Verified Assembly Level Language},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1988},
	NUMBER = {22},
	ADDRESS = {Austin, TX},
	MONTH = sep
}

@TECHREPORT{Young88,
	AUTHOR = {W.D. Young},
	TITLE = {A Verified Code Generator for a Subset of {Gypsy}},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1988},
	NUMBER = {33},
	ADDRESS = {Austin, TX},
	MONTH = oct
}

@ARTICLE{Scarl87,
	AUTHOR = {E.A. Scarl and J.R. Jamieson and C.I. Delaune},
	TITLE = {Diagnosis and Sensor Validation through Knowledge of Structure and Function},
	JOURNAL = {IEEE Transactions on Systems, Man, and Cybernetics},
	YEAR = {1987},
	VOLUME = {SMC-17},
	NUMBER = {3},
	PAGES = {360--368},
	MONTH = {May/June}
}

@INPROCEEDINGS{Chand87,
	AUTHOR = {B. Chandraskeran and W.F. {Punch III}},
	TITLE = {Data Validation During Diagnosis, A Step Beyond Traditional Sensor Validation},
	BOOKTITLE = {Proceedings of the AAAI 87 (Vol. 2)},
	YEAR = {1987},
	PAGES = {778--782},
	ADDRESS = {Seattle, WA},
	MONTH = jul
}

@TECHREPORT{MacEwan:realtime,
	AUTHOR = {Glenn H. MacEwan},
	TITLE = {Using Higher-Order Logic for Modular Specification of Real-Time Distributed Systems},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1988},
	ADDRESS = {Menlo Park, California},
        Type = {Draft report}

}

@ARTICLE{Avizienis85,
	AUTHOR = {Algirdas Avi\v{z}ienis},
	TITLE = {The {{\em N\/}-Version} Approach to Fault-Tolerant Software},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1985},
	VOLUME = {SE-11},
	NUMBER = {12},
	PAGES = {1491--1501},
	MONTH = dec
}

@INPROCEEDINGS{Barrow83,
	AUTHOR = {Harry G. Barrow},
	TITLE = {Proving the Correctness of Digital Hardware Designs},
	BOOKTITLE = {Proceedings of the AAAI 83},
	YEAR = {1983},
	PAGES = {17--21},
	ADDRESS = {Washington, D.C.},
	MONTH = aug
}

@ARTICLE{Infis+Moore88,
	AUTHOR = {A.H. Infis and W.R. Moore},
	TITLE = {Economic Approach to Fault-Tolerant Synchronization},
	JOURNAL = {IEE Proceedings, Part E},
	YEAR = {1988},
	VOLUME = {135},
	NUMBER = {2},
	PAGES = {82--86},
	MONTH = mar
}

@TECHREPORT{SIFT-report,
	AUTHOR = {J.H. {Wensley et al.}},
	TITLE = {Design Study of Software-Implemented Fault-Tolerance {(SIFT)} Computer},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1982},
	ADDRESS = {Menlo Park, California},
	TYPE = {{NASA} Contractor Report 3011},
	MONTH = jun
}

@TECHREPORT{Hunt:FM8501-short,
	AUTHOR = {Warren A. {Hunt, Jr.}},
	TITLE = {The Mechanical Verification of a Microprocessor Design},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1987},
	NUMBER = {6},
	ADDRESS = {Austin, TX}
}

@TECHREPORT{Bevier:kit-short,
	AUTHOR = {W.R. Bevier},
	TITLE = {Kit: A Study in Operating System Verification},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1988},
	NUMBER = {28},
	ADDRESS = {Austin, TX},
        MONTH = aug
}

@TECHREPORT{Bevier:kit-long,
	AUTHOR = {W.R. Bevier},
	TITLE = {A Verified Operating System Kernel},
	INSTITUTION = {Computational Logic Incorporated},
	YEAR = {1987},
	NUMBER = {11},
	ADDRESS = {Austin, TX},
        MONTH = oct
}

@article{Moore+JAR89,
author={J S. {Moore, editor}}, title = {System Verification},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {409-530}, month = dec,
NOTE = {Includes five papers by Moore, W.R. Bevier, W.A. Hunt, Jr,
and W.D. Young.}
}

@article{MooreJAR89,
author={J S. Moore}, title = {System Verification},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {409-410}, month = dec }

@article{Bevier+JAR89,
author={W.R. Bevier and W.A. {Hunt, Jr.} and J S. Moore and W.D. Young},
title = {An Approach to Systems Verification},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {411-428}, month = dec }

@article{HuntJAR89,
author={W.A. {Hunt Jr.}}, title = {Microprocessor Design Verification},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {429-460}, month = dec }

@article{MooreJAR89a,
author={J S. Moore}, title = {A Mechanically Verified Language Implementation},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {461-492}, month = dec }

@article{YoungJAR89,
author={W.D. Young}, title = {A Mechanically Verified Code Generator},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {493-518}, month = dec }

@article{BevierJAR89,
author={W.R. Bevier}, title = {Kit and the Short Stack},
journal = {Journal of Automated Reasoning}, year = {1989}, volume = {5},
number = {4}, pages = {519-30}, month = dec }

@ARTICLE{SIFT-design,
	AUTHOR = {J.H. {Wensley et al.}},
	TITLE = {{SIFT} Design and Analysis of a Fault-Tolerant Computer for Aircraft Control},
	JOURNAL = {Proceedings of the IEEE},
	YEAR = {1978},
	VOLUME = {66},
	NUMBER = {10},
	PAGES = {1240--1255},
	MONTH = oct
}

@ARTICLE{Spitzen:example,
	AUTHOR = {J.M. Spitzen and K.N. Levitt and L. Robinson},
	TITLE = {An Example of Hierarchical Design and Proof},
	JOURNAL = {Communications of the ACM},
	YEAR = {1978},
	VOLUME = {21},
	NUMBER = {12},
	PAGES = {1064--1075},
	MONTH = dec
}

@ARTICLE{Igarishi,
	AUTHOR = {S. Igarishi and R.L. London and D.C. Luckham},
	TITLE = {Automatic Program Verification {I}: A Logical Basis and its Implementation},
	JOURNAL = {acta},
	YEAR = {1975},
	VOLUME = {4},
	PAGES = {145--182}
}

@Article(DaleyDennis68,
key="Daley", Author="R.C. Daley and J.B. Dennis",
Title={Virtual Memory, Processes, and Sharing in {Multics}},
Journal="Communications of the ACM",
Year="1968", Month=may, Page="306--312", Volume="11", Number="5",)

@Article(Graham68,
key="Graham", Author="R.M. Graham",
Title={Protection in an Information Processing Utility},
Journal="Communications of the ACM",
Year="1968", Month=may, Page="365--369", Volume="11", Number="5",)

@Article(dijkstra68,
Author="E.W. Dijkstra", Key="Dijkstra",
Title={The Structure of the {THE} Multiprogramming System},
Journal="Communications of the ACM",
Year="1968", Month=may, Page="341--346", Volume="11", Number="5",)

@InProceedings{Dijkstra68CSP,
Author={E.W. Dijkstra},
Title={Co-operating Sequential Processes},
Booktitle={Programming {L}anguages, {F.} {G}enuys (editor)}, pages={43-112},
Year=1968, Publisher={Academic Press} }

@BOOK{Dijkstra:book,
	AUTHOR = {E.W. Dijkstra},
	TITLE = {A Discipline of Programming},
	PUBLISHER = {Prentice-Hall},
	YEAR = {1976},
	ADDRESS = {Englewood Cliffs, New Jersey}
}

@book{BrooksMMM,
Author={F.P. {Brooks}},
Title={The Mythical Man-Month: Essays on Software Engineering},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={Second edition, 1995} }

@book{Mills86,
Author={H.D. Mills},
Title={Principles of Information Systems Analysis and Design},
Publisher={Academic Press, New York},
Year={1986} }

@ARTICLE{Pascal-def,
	AUTHOR = {C.A.R. Hoare and N. Wirth},
	TITLE = {An Axiomatic Definition of the Programming Language {Pascal}},
	JOURNAL = {acta},
	YEAR = {1973},
	VOLUME = {2},
	NUMBER = {4},
	PAGES = {335-355}
}

@TECHREPORT{Gordon:proglog,
	AUTHOR = {M.J.C. Gordon},
	TITLE = {Mechanizing Programming Logics in Higher Order Logic},
	INSTITUTION = {Cambridge Computer Science Research Center, SRI International},
	YEAR = {1988},
	NUMBER = {CCSRC-006},
	ADDRESS = {Cambridge, England},
	MONTH = sep
}

@TECHREPORT{Cohn:parser,
	AUTHOR = {Avra Cohn and Robin Milner},
	TITLE = {On using {Edinburgh LCF} to Prove the Correctness of a Parsing Algorithm},
	INSTITUTION = {Edinburgh University Computer Science Department},
	YEAR = {1982},
	NUMBER = {CSR-113-82},
	NOTE = {Also Cambridge University Computer Laboratory Technical Report 20.}
}

@MANUAL{Stanford-verifier,
	TITLE = {Stanford {Pascal} Verifier User's Manual},
	AUTHOR = {D. Luckham and others},
	ORGANIZATION = {Stanford University},
	ADDRESS = {Stanford, California},
	YEAR = {1979},
	NOTE = {AI memo CS-79-731}
}

@BOOK{Polak:book,
	AUTHOR = {W. Polak},
	TITLE = {Compiler Specification and Verification},
	PUBLISHER = {Springer-Verlag, Berlin},
	YEAR = {1981},
}

@TECHREPORT{OBJ:intro,
	AUTHOR = {J.A. Goguen and T. Winkler},
	TITLE = {Introducing {OBJ3}},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1988},
        NUMBER = {SRI-CSL-88-9},
	ADDRESS = {Menlo Park, California},
	MONTH = aug
}


@Unpublished{ACohn:Notion,
	Author = {A. Cohn},
	Title = {The Notion of Proof in Hardware Verification},
	Note = {Draft, Cambridge University Computer Laboratory},
	Address = {Cambridge, England},
	Year = {1988} }


@TechReport{NODEN,
	Author = {C. H. Pygott},
	Title = {{NODEN}: An engineering approach to hardware verification},
	Institution = {RSRE},
	Number = {415-88},
	Year = {1988} }

@ARTICLE{Johnson+Malek88,
	AUTHOR = {Allen M. {Johnson, Jr.} and Miroslaw Malek},
	TITLE = {Survey of Software Tools for Evaluating Reliability, Availability and Serviceability},
	JOURNAL = {Computing Surveys},
	YEAR = {1988},
	VOLUME = {20},
	NUMBER = {4},
	PAGES = {227--269},
	MONTH = dec
}

@ARTICLE{Flannagan86,
	AUTHOR = {Im Flannagan},
	TITLE = {The Consistency of Negation as Failure},
	JOURNAL = {The Journal of Logic Programming},
	YEAR = {1986},
	VOLUME = {3},
	NUMBER = {2},
	PAGES = {93--114},
	MONTH = jul
}

@PROCEEDINGS{SIFT:review,
        AUTHOR = {NASA},
	TITLE = {Peer Review of a Formal Verification/Design Proof Methodology},
	YEAR = {1983},
	ORGANIZATION = {NASA Conference Publication 2377},
	MONTH = jul
}

@TECHREPORT{RSRE:methodology,
	AUTHOR = {W.J. Cullyer and C.H. Pygott},
	TITLE = {Hardware Proofs using {LCF-LSM} and {ELLA}},
	INSTITUTION = {Royal Signals and Radar Establishment},
	YEAR = {1985},
	TYPE = {Memorandum},
	NUMBER = {3832},
	MONTH = sep
}

@TECHREPORT{Joyce:asynch,
	AUTHOR = {Jeffrey J. Joyce},
	TITLE = {Formal Specification and Verification of Asynchronous Processes in Higher Order Logic},
   Institution={University of Cambridge Computer Laboratory},
	YEAR = {1988},
	NUMBER = {136},
	MONTH = jun
}

@ARTICLE{Kopetz89:mars,
	AUTHOR = {Hermann Kopetz and others},
	TITLE = {Distributed Fault-Tolerant Real-Time Systems: The {Mars} Approach},
	JOURNAL = {IEEE Micro},
	YEAR = {1989},
	VOLUME = {9},
	NUMBER = {1},
	PAGES = {25--40},
	MONTH = feb
}

@InProceedings{Crocker88,
   Author = {S.D. Crocker and E. Cohen and S. Landauer and H. Orman},
   Title = {Reverification of a Microprocessor},
   BookTitle={Proceedings of the 1988 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Year={1988},
   Pages={166-176},
   Month=apr
   }

@TECHREPORT{Rushby+Whitehurst89,
	AUTHOR = {J.M. Rushby and R. Alan Whitehurst},
	TITLE = {Formal Verification of {AI} Software},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1989},
	TYPE = {Final Report, NASA Contract 18226 (Task5)},
	ADDRESS = {Menlo Park, California},
	MONTH = feb
}

@MANUAL{CLIPS,
	TITLE = {{CLIPS} User's Guide},
	AUTHOR = {Joseph C. Giarratano},
	ORGANIZATION = {Artificial Intelligence Center, Lyndon B. Johnson Space Center},
	MONTH = jun,
	YEAR = {1988}
}

@INPROCEEDINGS{Kapuretal,
	AUTHOR = {D. Kapur and H. Zhang and G. Sivakumar},
	TITLE = {{RRL}: A Rewrite Rule Laboratory},
	BOOKTITLE = {Eighth International Conference on Automated Deduction
(CADE-8)},
	YEAR = {1986},
        PUBLISHER = {Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Vol. 230},
	ADDRESS = {Oxford, England}
}

@InProceedings{Benzel+Tavilla85,
   Author={T.C. Vickers Benzel and D.A. Tavilla},
   BookTitle={Proceedings of the 1985 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={Trusted Software Verification: A Case Study},
   Year={1985},
   Address={Oakland, California},
   Month=apr,
   Pages={14--31}
   }

@InProceedings{McHugh+Good85,
   Author={J. McHugh and D.I. Good},
   BookTitle={Proceedings of the 1985 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Title={An Information Flow Tool for {Gypsy}},
   Year={1985},
   Address={Oakland, California},
   Month=apr,
   Pages={46--48}
   }

@ARTICLE{Denning:views,
	AUTHOR = {Dorothy E. Denning and others},
	TITLE = {Views for Multilevel Database Security},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1987},
	VOLUME = {SE-13},
	NUMBER = {2},
	PAGES = {129--140},
	MONTH = feb
}

@ARTICLE{Haigh+Young85,
	AUTHOR = {J.T. Haigh and W.D. Young},
	TITLE = {Extending the Noninterference Version of {MLS} for {SAT}},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1987},
	VOLUME = {SE-13},
	NUMBER = {2},
	PAGES = {141--150},
	MONTH = feb
}

@ARTICLE{Haigh+others85,
	AUTHOR = {J.T. Haigh and R.A. Kemmerer and J. McHugh and W.D. Young},
	TITLE = {An Experience Using Two Covert Channel Analysis Techniques on a Real System Design},
	JOURNAL = {IEEE Transactions on Software Engineering},
	YEAR = {1987},
	VOLUME = {SE-13},
	NUMBER = {2},
	PAGES = {157--168},
	MONTH = feb
}

@book{GasserBook,
Author={M. Gasser},
Title={Building a Secure Computer System},
Publisher={Van Nostrand Reinhold Company, New York},
Year={1988},
URL = "http://www.acsac.org/secshelf/secshelf/book002.html" }

	@ARTICLE{Gasser89,
	AUTHOR = {M. Gasser},
	TITLE = {An Optimization for Automated Information Flow Analysis},
	JOURNAL = {Cipher (Newsletter of the {IEEE} Technical Committee on Security and Privacy)},
	YEAR = {1989},
	MONTH = jan,
	PAGES = {32--36}
}

@ARTICLE{Fine+others89,
	AUTHOR = {T.E. Fine and J.T. Haigh and R.C. O'Brien},
	TITLE = {A General Non-Interference Unwinding Theorem},
	JOURNAL = {Cipher (Newsletter of the {IEEE} Technical Committee on Security and Privacy)},
	YEAR = {1989},
	MONTH = apr,
	PAGES = {38--40}
}

@ARTICLE{Gasser+others80,
	AUTHOR = {M. Gasser and J.K. Millen and W.F. Wilson},
	TITLE = {A Note on Information Flow into Arrays},
	JOURNAL = {ACM Software Engineering Notes},
	YEAR = {1980},
	VOLUME = {5},
	NUMBER = {1},
	PAGES = {28--29},
	MONTH = jan
}

@ARTICLE{Denning80,
	AUTHOR = {Dorothy E. Denning},
	TITLE = {Embellishments to the  Note on Information Flow into Arrays},
	JOURNAL = {ACM Software Engineering Notes},
	YEAR = {1980},
	VOLUME = {5},
	NUMBER = {2},
	PAGES = {15--16},
	MONTH = apr
}

@TECHREPORT{Platek+Sutherland84,
	AUTHOR = {Richard Platek and David Sutherland},
	TITLE = {The Semantics of the {Feiertag MLS} Information Flow Tool and its Impact on Design Verification: Some {SCOMP} Examples},
	INSTITUTION = {Odyssey Research Associates},
	YEAR = {1984},
	ADDRESS = {Ithaca, New York},
	MONTH = jan }

@InProceedings{Sutherland86,
Author={D.I. Sutherland},
Title={A Model of Information Flow}, pages={175-183},
Booktitle={Proceedings of the Ninth National Computer Security Conference},
Year=1986, Month =sep }

@TECHREPORT{Rushby:mls,
	AUTHOR = {J.M. Rushby},
	TITLE = {Verifying Noninterference Security Policies},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1989},
	ADDRESS = {Menlo Park, California},
	MONTH = jun
}

@ARTICLE{Kemmerer:protocols89,
	AUTHOR = {R.A. Kemmerer},
	TITLE = {Analyzing Encryption Protocols Using Formal Verification Techniques},
	JOURNAL = {IEEE Journal on Selected Areas in Communications},
	YEAR = {1989},
	VOLUME = {7},
	NUMBER = {4},
	PAGES = {448--457},
	MONTH = may
}

@ARTICLE{Moore:protocols88,
	AUTHOR = {Judy H. Moore},
	TITLE = {Protocol Failures in Cryptosystems},
	JOURNAL = {Proceedings of the IEEE},
	YEAR = {1988},
	VOLUME = {76},
	NUMBER = {5},
	PAGES = {594--602},
	MONTH = may
}

@TECHREPORT{Seaview:specs,
	AUTHOR = {T.F. Lunt and R.A. Whitehurst},
	TITLE = {The {SeaView} Formal Top Level Specifications and Proofs},
	TYPE = {Final Report},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = {1989},
	NOTE = {Volumes 3A and 3B of ``Secure Distributed Data Views,'' SRI Project 1143},
	ADDRESS = {Menlo Park, California},
	MONTH = {January/February}
}

@Unpublished{Gordon89:cells,
	AUTHOR = {Mike Gordon and Paul Lowenstein and Moshe Shahaf},
	TITLE = {Formal Verification of A Cell Library--a case study in technology transfer},
	YEAR = {1989},
	NOTE = {Submitted for publication}

}

@BOOK{Gordon:book2,
	AUTHOR = {Michael J.C. Gordon},
	TITLE = {Programming Language Theory and its Implementation},
	PUBLISHER = {Prentice-Hall International (U.K.) Ltd.},
	YEAR = {1988},
	ADDRESS = {Hemel Hempstead, U.K.}
}

@BOOK{Jones:VDM,
	AUTHOR = {Cliff B. Jones},
	TITLE = {Systematic Software Development Using {VDM}},
	PUBLISHER = {Prentice-Hall International (U.K.) Ltd.},
	YEAR = {1986},
	ADDRESS = {Hemel Hempstead, U.K.}
}

@INPROCEEDINGS{Schaefer:harmful,
	AUTHOR = {M. Schaefer},
	TITLE = {Symbol Security Condition Considered Harmful},
BOOKTITLE = {Proceedings of the 1989  Symposium on Security and Privacy},
	YEAR = {1989},
	PAGES = {20--46},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Oakland, California},
	MONTH = may
}

@BOOK{Misra+Chandy:book,
	AUTHOR = {K. Mani Chandy and Jayadev Misra},
	TITLE = {Parallel Program Design: A Foundation},
	PUBLISHER = {Addison-Wesley},
	YEAR = {1988},
	ADDRESS = {Reading, Massachusetts}
}



@INPROCEEDINGS{Rushby88:AAAI,
	AUTHOR = {J.M. Rushby},
	TITLE = {Validation and Testing of Knowledge-Based Systems: How Bad can it get?},
	BOOKTITLE = {Proceedings of the AAAI 88 Workshop on Validation and Testing Knowledge-Based Systems},
	YEAR = {1988},
	ADDRESS = {Saint Paul, MN},
	MONTH = aug
}

@InProceedings{Benson89,
   Author={G. Benson and W. Appelbe and I. Akyildiz},
   BookTitle={Proceedings of the 1989 Symposium on Security and Privacy},
   Organization={IEEE Computer Society},
   Address={Oakland, California},
   Title={The Hierarchical Model of Distributed System Security},
   Year={1989},
   Pages={194--203},
   Month=may
   }

@ARTICLE{Wood89,
	AUTHOR = {Kem Wood and others},
	TITLE = {Shuttle Failure Detection},
	JOURNAL = {Aerospace America},
	YEAR = {1989},
	VOLUME = {27},
	NUMBER = {7},
	PAGES = {34--36},
	MONTH = jul
}

@ARTICLE{Smith89,
	AUTHOR = {David M. Smith},
	TITLE =  {Expert System's Role Broadens},
	JOURNAL = {Aerospace America},
	YEAR = {1989},
	VOLUME = {27},
	NUMBER = {7},
	PAGES = {26--28},
	MONTH = jul
}

@ARTICLE{Corrigan89,
	AUTHOR = {J.D. Corrigan and K.J. Keller and S.A. Meyer},
	TITLE = {Promise of Decision Aiding},
	JOURNAL = {Aerospace America},
	YEAR = {1989},
	VOLUME = {27},
	NUMBER = {7},
	PAGES = {30--31},
	MONTH = jul
}

@ARTICLE{Hosmer89,
	AUTHOR = {Douglas M. Hosmer},
	TITLE = {A Pilot's View of Intelligent Systems},
	JOURNAL = {Aerospace America},
	YEAR = {1989},
	VOLUME = {27},
	NUMBER = {7},
	PAGES = {32--33},
	MONTH = jul
}

@Article{GY1,
Author = {S.L. Gerhart and L. Yelowitz},
Title = {Observations of Fallibility in Modern Programming Methodologies},
Journal = {IEEE Transactions on Software Engineering},
Year = {1976},
Volume = {SE-2},
Number = {3},
pages = {195--207},
Month = sep
}

@ARTICLE{Avizienis+Laprie,
	AUTHOR = {A. Avi\v{z}ienis and J-C. Laprie},
	TITLE = {Dependable Computing: {F}rom Concepts to Design Diversity},
	JOURNAL = {Proceedings of the IEEE},
	YEAR = {1986},
	VOLUME = {74},
	NUMBER = {5},
	PAGES = {629--638},
	MONTH = may
}

@ARTICLE{Avizienis+04,
	AUTHOR = {A. Avi\v{z}ienis and J.-C. Laprie and
    B. Randell and C. Landwehr},
	TITLE = {Basic Concepts and Taxonomy of Dependable
    and Secure Computing},
	JOURNAL = {IEEE Transactions on Dependable and Secure Computing},
	YEAR = {2004},
	VOLUME = {1},
	NUMBER = {1},
	PAGES = {11--33},
	MONTH = "January-March"
}

@proceedings{DCCA1,
	TITLE = {Dependable Computing for Critical Applications},
	BOOKTITLE = {Dependable Computing for Critical Applications},
	MONTH = aug,
	YEAR = 1989,
	VOLUME = 4,
	ADDRESS = {Santa Barbara, California},
	EDITOR = {A. Avi\v{z}ienis and J. C. Laprie},
	PUBLISHER = {Springer-Verlag, Vienna, Austria},
	SERIES = {Dependable Computing and Fault-Tolerant Systems}
}

@BOOK{PDCS95,
	EDITOR = {B. Randell and J.-C. Laprie and
		H. Kopetz and B. Littlewood},
	TITLE = {Predictably Dependable Computing Systems},
	PUBLISHER = {Springer-Verlag, Berlin},
	YEAR = 1995,
	SERIES = {Basic Research Series}
}

@book{Laprie90,
Author={J.C. {Laprie, editor}},
Title={Dependability: {A} Unifying Concept
  for Reliable Computing and Fault Tolerance},
Publisher={Springer-Verlag},
Year={1990} }

@InProceedings{Kopetz00,
Author={H. Kopetz},
Title={Composability in the Time-Triggered Architecture},
BookTitle={Proceedings of the SAE World Congress},
Organization={SAE Press}, Address={Detroit, Michigan},
Year={2000}, Month={}, pages={1--8}}

@INPROCEEDINGS{Santel:pacemaker,
AUTHOR = {D. Santel and C. Trautmann and W. Liu},
	TITLE = {The Integration of a Formal Safety Analysis into the Software Engineering Process: An Example from the Pacemaker Industry},
	BOOKTITLE = {Proceedings of the Symposium on the Engineering of Computer-Based Medical Systems},
	YEAR = {1988},
	PAGES = {152--154},
	ORGANIZATION = {IEEE Computer Society},
	ADDRESS = {Minneapolis, Minnesota},
	MONTH = jun
}

@ARTICLE{lu89,
	AUTHOR = {Meiliu Lu and Du Zhang and Tadai Murata},
	TITLE = {A Design Approach for Self-Diagnosis of Fault-Tolerant Clock Synchronization},
	JOURNAL = {IEEE Transactions on Computers},
	YEAR = {1989},
	VOLUME = {C-38},
	NUMBER = {9},
	PAGES = {1337--1341},
	MONTH = sep
}

@ARTICLE{Jacky89,
	AUTHOR = {Jonathan Jacky},
	TITLE = {Programmed for Disaster: Software Errors that Imperil Lives},
	JOURNAL = {The Sciences},
	YEAR = {1989},
	PAGES = {22--27},
	MONTH = {September/October}
}

@ARTICLE{Cohn89,
	AUTHOR = {Avra Cohn},
	TITLE = {The Notion of Proof in Hardware Verification},
	JOURNAL = {Journal of Automated Reasoning},
	YEAR = {1989},
	VOLUME = {5},
	NUMBER = {2},
	PAGES = {127--139},
	MONTH = jun
}

@ARTICLE{Barwise89,
	AUTHOR = {Jon Barwise},
	TITLE = {Mathematical proofs of computer system correctness},
	JOURNAL = {Notices of the AMS},
	YEAR = {1989},
	NOTE = {To appear}
}

@MISC{00-55,
key={MoD},
	TITLE = {{U.K.} Draft Interim Defence Standards 00-55 and 00-56},
	YEAR = {1989}
}

@BOOK{Scharbach,
	EDITOR = {P.N. Scharbach},
	TITLE = {Formal Methods: Theory and Practice},
	PUBLISHER = {CRC Press},
	YEAR = {1989},
	ADDRESS = {Boca Raton, Florida}
}

@PROCEEDINGS{CHDL89,
	TITLE = {Ninth International Symposium on Computer Hardware Description Languages and their Applications},
	Year = {1989},
	EDITOR = {J.A. Darringer and F.J. Rammig},
	ORGANIZATION = {1FIP},
	ADDRESS = {Washington, D.C.},
	MONTH = jun
}

@TECHREPORT{MMU:FDIR,
	AUTHOR = {D.G. Lawler and L.J.F. Williams},
	TITLE = {{MMU FDIR} Automation Task},
	INSTITUTION = {McDonnell Douglas Astronautics Company},
	YEAR = {1988},
	TYPE = {Final Report},
	ADDRESS = {16055 Space Center Blvd., Houston, TX 77062},
	MONTH = feb
}

@BOOK{GiarratanoRiley89,
	AUTHOR = {Joseph Giarratano and Gary Riley},
	TITLE = {Expert Systems: Principles and Programming},
	PUBLISHER = {PWS-Kent Publishing Company},
	YEAR = {1989},
	ADDRESS = {Boston, Massachusetts}
}

@BOOK{BFKM85,
	AUTHOR = {L. Brownston and R. Farrell and E. Kant and N. Martin},
	TITLE = {Programming Expert Systems in OPS5},
	PUBLISHER = {Addison-Wesley, Reading, Massachusetts},
	ADDRESS = {Reading, Massachusetts},
	YEAR = {1985}
}

@BOOK{Ll84,
	AUTHOR = {J. Lloyd},
	TITLE = {Foundations of Logic Programming},
	PUBLISHER = {Springer-Verlag, Berlin},
	YEAR = {1984}
}

@INPROCEEDINGS{Mo89,
	AUTHOR = {C.K. Mohan},
	TITLE = {Priority rewriting: semantics, confluence, and conditionals},
	BOOKTITLE = {Proceedings of the Third International Conference
on Rewriting Techniques and Applications},
	YEAR = {1989},
	PAGES = {278--291},
	ADDRESS = {Chapel Hill, NC}
}

@ARTICLE{Ve77,
	AUTHOR = {S.A. Vere},
	TITLE = {Relational production systems},
	JOURNAL = {Artificial Intelligence},
	YEAR = {1977},
	VOLUME = {8},
	NUMBER = {1},
	PAGES = {47--68},
	MONTH = feb
}

@inProceedings{SDOS,
author={R. {Wong et al.}},
title={The {SDOS} System: {A} {S}ecure {D}istributed {O}perating {S}ystem Prototype},
Booktitle={Proceedings of the Twelfth National Computer Security Conference},
month=oct,
year=1989, note="USE Wong+89 instead."}

@Article{McCullough90,
Author={D. McCullough}, Title={A Hookup Theorem for Multilevel Security},
Journal={IEEE Transactions on Software Engineering}, Volume=16, Number=6,
month=jun, year=1990, pages={563-568} }

@Article{S5,
Author={M. Akey and K. Dunkelberger and R. C. Erdman},
Title={Case Studies in Tactical Decision Support Systems},
Journal={Signal},
Volume={XL(10)},
Pages={73+},
Month=jun,
Year=1986 }

@InProceedings{DenningAkl87,
Author={S.G. Akl and D.E. Denning},
Title={Checking Classification Constraints for Consistency and Completeness},
Book@title={Proceedings of the 1987 IEEE Symposium on Security and Privacy},
Month=apr,
Year=1987 }

@TechReport{ANDE72,
Author={J.P. Anderson},
Title={Computer Security Technology Planning Study},
Institution={ESD/AFSC, Hanscom AFB},
number={ESD-TR-73-51},
Address={Bedford, Massachusetts},
Month=oct,
Year=1972 }

@TechReport{Anderson80,
Author={J.P. Anderson},
Title={Computer Security Threat Monitoring and Surveillance},
Institution={James P. Anderson Company},
Address={Fort Washington, Pennsylvania},
Month=apr,
Year=1980 }

@InProceedings{GajnakRADC88,
Author={G.E. Gajnak},
Title={Some Results from the Entity Relationship Multilevel Secure DBMS Project},
Booktitle={Research Directions in Database Security (T.F. Lunt, ed.)},
Year={forthcoming} }

@TechReport{Gajnak87,
Author={AOG Systems and Gemini Computers},
Title={Multilevel Secure Entity-Relationship Database Management System:
  Security Policy and Interpretation},
Institution={AOG Systems and Gemini Computers},
type={Draft Report},
Month=aug,
Year=1987 }

@TechReport{AOG88,
author={AOG Systems Corporation and Gemini Systems Inc.},
title={Multilevel Secure Entity-Relationship DBMS},
type={Draft},
institution={AOG Systems Corporation},
month={May 19},
year=1988 }

@Article{SystemR,
Author={M.M. Astrahan and others},
Title={System {R}: A Relational Database Management System},
Journal={Computer},
Volume=12,
number=5,
Year=1979 }

@Article{BANE87,
author={J. Banerjee and H.-T. Chou and J. F. Garza and W. Kim and D. Woelk and N. Ballou and  H.-J. Kim},
title={Data  Model  Issues for Object-Oriented  Applications},
Journal={ACM Transactions on Office Information Systems},
volume=5,
number=1,
month=jan,
year=1987 }

@misc{AW6,
Title={Rome Air Development Center Focuses on Expert Systems Applications for C3, Natural Speech Technology},
Journal={Aviation Week},
Volume={CXXII(16)},
pages=84,
month={April 22},
year=1985 }

@misc{AW7,
Title={{DARPA}'s Pilot's Associate Program Provides Development Challenges},
Journal={Aviation Week},
Volume={CXXIV(7)},
pages=45,
month={February 17},
year=1988 }

@misc{AW8,
Title={{AFIT} Seeks Tactical Aid based on {AI}},
Journal={Aviation Week},
Volume={CXXIV(7)},
pages={61+},
month={February 17},
year=1986 }

@misc{AW5,
Title={Navy Looks Toward Operational Applications},
Journal={Aviation Week},
Volume={CXXII(16)},
pages=67,
month={April 22},
year=1985 }

@misc{AW9,
Title={Boeing Accelerates Research, Dissemination of Technology},
Journal={Aviation Week},
Volume={CXXIV(7)},
pages={71+},
month={February 17},
year=1986 }

@misc{Beck80,
Author={L.L. Beck},
Title={A security mechanism for statistical databases},
Journal={ACM Transactions on Database Systems},
Volume=5,
Number=3,
month=sep,
year=1980 }

@InProceedings{BersonLuntIEEE87,
Author={T.A. Berson and T.F. Lunt},
Title={Multilevel Security for Knowledge-Based Systems},
Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy},
Month=apr,
Year=1987 }

@InProceedings{BersonLuntClassi87,
Author={T.F. Lunt and T.A. Berson},
Title={An Expert System to Classify and Sanitize Text},
Booktitle={Proceedings of the Third Aerospace Computer Security Conference},
Month=dec,
Year=1987 }

@TechReport{Biba,
Key="Biba", Author="K.J. Biba", Institution="The Mitre Corporation",
Title="Integrity Considerations for Secure Computer Systems",
Year="1975", Month=jun, Number="MTR 3153", Address="Bedford, Massachusetts" ,
Note = {Also available from USAF Electronic Systems Division, Bedford, Massachusetts,
as ESD-TR-76-372, April 1977.} }

@TechReport{Biba77,
Author={K.J. Biba},
Title={Integrity Considerations for Secure Computer Systems},
Institution={USAF Electronic Systems Division},
Address={Bedford, Massachusetts},
number={ESD-TR-76-372},
Month=apr,
Year=1977 }

@InProceedings{BlakleyDatabase85,
Author={G.R. Blakley and C. Meadows},
Title={A Database Encryption Scheme which allows the Computation of Statistics using Encrypted Data},
Booktitle={Proceedings of the 1985 IEEE Symposium on Security and Privacy},
Month=apr,
Year=1985 }

@InProceedings{BarkerCryptTMach88,
Author={W.C. Barker and P.S. Cochrane and M.A. Branstad},
Title={Embedding Cryptography into a {T}rusted {M}ach System},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference},
Month=dec,
Year=1988 }

@InProceedings{Burns86,
Author={R. Burns},
Title={Towards practical {MLS} database management systems using the integrity lock technology},
Booktitle={Proceedings of the Ninth National Computer Security Conference},
Year=1986, Month=sep }

@InProceedings{Casey88,
Author={T.A. {Casey, Jr.} and S.T. Vinter and D.G. Weber and R. Varadarajan and D. Rosenthal}, key={Casey},
Title={A Secure Distributed Operating System},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
Month=apr,
Year=1988 }

@InProceedings{Varadarajan89,
author= {R. {Varadarajan et al.}}, key={Varadarajan},
title={The {S}ecure {D}istributed {O}perating {S}ystem: An Overview},
Booktitle={1989 Workshop on Operating Systems for Mission Critical Computing,
University of Maryland}, Month=sep, Year={1989} }

@TechReport{SDOS88,
Author={T.R. {Vinter et al.}}, key={Vinter},
Title={The {S}ecure {D}istributed {O}perating {S}ystem Design Project},
Institution={Rome Air Development Center},
Address={Griffiss Air Force Base, NY},
number={RADC-TR-88-127},
Month=jun, Year={1988} }

@TechReport{Schneider+90,
Author={E.A. Schneider and S. Perlo and D. Rosenthal},
Title={Discretionary Access Control Mechanisms for Distributed Systems},
Institution={Rome Air Development Center},
Address={Griffiss Air Force Base, NY},
number={RADC-TR-90-275},
Month=nov, Year={1990} }

@InProceedings{Chau87,
Author={R. Chau and J.I. Glasgow and  M.A. Jenkins},
Title={A Framework for Knowledge-Based Systems in {N}ial},
Booktitle={Proceedings of the IEEE Phoenix Conference on Computers and Communications},
Year=1987 }

@InProceedings{Chen81,
Author={P.P. Chen},
chapter={A Preliminary Framework for Entity-Relationship Models},
Booktitle={Entity-Relationship Approach to Information Modeling and Analysis},
publisher={ER Institute},
Year=1981 }

@Article{Chin82,
Author={F.Y. Chin and G. Ozsoyoglu},
Title={Auditing and inference control in statistical databases},
Journal={IEEE Transactions on Software Engineering},
Volume=8,
Number=6,
month=nov,
year=1982 }

@InProceedings{Chin79,
Author={F.Y. Chin and G. Ozsoyoglu},
Title={Security in partitioned dynamic statistical databases},
Booktitle={Proceedings of the IEEE COMPSAC Conference},
Year=1979 }

@Article{Chin81,
Author={F.Y. Chin and G. Ozsoyoglu},
Title={Statistical database design},
Journal={ACM Transactions on Database Systems},
month=mar,
year=1981 }

@InProceedings{Claybrook83,
Author={B.G. Claybrook},
Title={Using Views in a Multilevel Secure Database Management System},
Booktitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
Year=1983 }

@InProceedings{ClydeInsider87,
Author={A.R. Clyde},
Title={Insider Threat Identification Systems},
Booktitle={Proceedings of the 10th National Computer Security Conference},
month=sep,
Year=1987 }

@Article{Codd70,
Author={E.F. Codd},
Title={A Relational Model for Large Shared Data Banks},
Journal={Communications of the ACM},
volume=13,
number=6,
month=jun,
year=1970 }

@Article{Codd79,
Author={E.F. Codd},
Title={Extending the Database Relational Model to Capture More Meaning},
Journal={ACM Transactions on Database Systems},
volume=4,
number=6,
month=dec,
year=1979 }

@Article{Conway72,
Author={R.W. Conway and W.L. Maxwell and H.L. Morgan},
Title={On the implementation of security measures in information systems},
Journal={Communications of the ACM},
volume=15,
number=4,
month=apr,
year=1972 }

@TechReport{Cox78,
Author={L.H. Cox},
Title={Suppression Methodology and Statistical Disclosure Control},
type={Technical Report~Confidentiality in Surveys},
number=26,
Institution={Department of Statistics, University of Stockholm},
Address={Stockholm, Sweden},
Month=jan,
Year=1978 }

@Article{Cox80,
Author={L.H. Cox},
Title={Suppression methodology and statistical disclosure control},
Journal={J. Amer. Stat. Assoc.},
volume=75,
number=370,
month=jun,
year=1980 }

@TechReport{Cox81,
Author={L.H. Cox and L.R. Ernst},
Title={Controlled Rounding},
type={Technical Report},
Institution={U.S. Bureau of the Census},
Address={Washington, D.C.},
Month=jan,
Year=1981 }

@TechReport{EHDMUserguide,
Author={J.S. Crow and S.T. Jefferson and R. Lee and P.M. Melliar-Smith and J.M. Rushby and R.L. Schwartz and R.E. Shostak and F.W. von Henke},
Title={SRI Specification and Verification System Version 3.1 - User's Guide},
Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California},
Month=oct,
Year=1986 }

@TechReport{EHDMLanguage,
Author={J.S. Crow and S.T. Jefferson and R. Lee and P.M. Melliar-Smith and J.M. Rushby and R.L. Schwartz and R.E. Shostak and F.W. von Henke},
Title={SRI Specification and Verification System Version 3.0 - Preliminary Definition of the Revised SPECIAL Specification Language},
Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California}, Month=may,
year=1986 }

@misc{IEEEComputer86,
title={Special Issue on Expert System Applications},
Journal={Computer},
month=jul,
year=1986 }

@TechReport{CCA85,
Author={CCA},
Title={Robust Distributed Database Update System},
type={Interim Technical Report},
Institution={CCA},
Month=feb,
year=1985 }

@article{DSL7,
title={Silicon {V}alley Group Holds Second Meeting},
journal={Data Security Letter},
editor={T.F. Lunt},
volume=1,
number=7,
month=jan,
year=1989 }

@InProceedings{DaleniusReiss79,
Author={T. Dalenius and S.P. Reiss},
Title={Data-swapping -- a technique for disclosure control},
Booktitle={Proceedings of the Section on Survey Research Methods},
organization={American Statistics Association},
address={Washington, D.C.},
Year=1979 }

@Book{Date83,
Author={C.J. Date},
Title={An Introduction to Database Systems},
volume={II},
publisher={Addison-Wesley, Reading, Massachusetts},
year=1983 }

@Book{Date86,
Author={C.J. Date},
Title={An Introduction to Database Systems},
volume={I},
edition={Fourth},
publisher={Addison-Wesley},
address={Reading, Massachusetts},
year=1986 }

@Article{Davida81,
Author={G.I. Davida and D.L. Wells and J.B. Kam},
Title={A Database Encryption System with Subkeys},
Journal={ACM Transactions on Database Systems},
volume=6,
number=2,
month=jun,
year=1981 }

@Article{DAVID84,
Author={S.B. Davidson},
Title={Optimism and Consistency in Partitioned Distributed Database Systems},
Journal={ACM Transactions on Database Systems},
volume=9,
number=3,
month=sep,
year=1984 }

@Article{DAVID85,
Author={S.B. Davidson and H. Garcia-Molina and D. Skeen},
Title={Consistency in Partitioned Networks},
Journal={ACM Computing Surveys},
volume=17,
number=3,
month=sep,
year=1985 }

@misc{Davison88,
Author={J.W. Davison},
title={Implementation Design for a Kernelized Trusted DBMS},
booktitle={Research Directions in Database Security},
editor={T.F. Lunt},
note={to appear} }

@InProceedings{Delisle86,
Author={N. Delisle and M. Schwartz},
Title={Neptune: A Hypertext System for {CAD} Applications},
Booktitle={ACM SIGMOD Conference Proceedings},
Year=1986 }

@Article{DenningTracker79,
Author={D.E. Denning and P.J. Denning and M.D. Schwartz},
Title={The {T}racker: a Threat to Statistical Database Security},
Journal={ACM Transactions on Database Systems},
volume=4,
number=1,
month=mar,
year=1979 }

@Article{DenningFast80,
Author={D.E. Denning and J. Schlorer},
Title={A fast procedure for finding a tracker in a statistical database},
Journal={ACM Transactions on Database Systems},
volume=5,
number=1,
month=mar,
year=1980 }

@Article{DenningRSQ80,
Author={D.E. Denning},
Title={Secure Statistical Databases under Random Sample Queries},
Journal={ACM Transactions on Database Systems},
volume=5,
number=3,
month=sep,
year=1980 }

@Article{DenningMemoryless82,
Author={D.E. Denning and J. Schlorer and E. Wehrle},
Title={Memoryless inference controls for statistical databases},
Journal={ACM Transactions on Database Systems},
year=1982 }

@misc{DenningWorking82,
Author={D.E. Denning},
title={Multilevel Secure Database Systems: Requirements and Model},
type={Working Paper},
organization={NAS/AFSB Summer Study on Multilevel Databases},
year=1982  }

@Book{DenningBook82,
Author={D.E. Denning},
Title={Cryptography and Data Security},
publisher={Addison-Wesley},
address={Reading, Massachusetts},
year=1982 }

@Article{DenningInference83,
Author={D.E. Denning and J. Schlorer},
Title={Inference controls for statistical database security},
Journal={Computer},
volume=16,
number=7,
month=jul,
year=1983 }

@InProceedings{DenningField83,
Author={D.E. Denning},
Title={Field Encryption and Authentication},
Booktitle={Proceedings of CRYPTO '83},
publisher={Plenum Press},
Year=1983 }

@InProceedings{DenningModel83,
Author={D.E. Denning},
Title={A Security Model for Statistical Databases},
Booktitle={Proceedings of the Second International
 Workshop on Statistical Database Management},
organization={Lawrence Berkeley Laboratory},
month=sep,
Year=1983 }

@InProceedings{DenningChecksums84,
Author={D.E. Denning},
Title={Cryptographic Checksums for Multilevel Data Security},
Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy},
Year=1984 }

@InProceedings{DenningCommutative85,
Author={D.E. Denning},
Title={Commutative Filters for Reducing Inference Threats in Multilevel
  Database Systems},
Booktitle={Proceedings of the 1985 IEEE Symposium on Security and Privacy},
Year=1985 }

@InProceedings{DenningSafety86,
Author={D.E. Denning},
Title={Secure Databases and Safety: Some Unexpected Conflicts},
Booktitle={Proceedings of the Safety and Security Symposium},
organization={Centre for Software Reliability},
month=oct,
Year=1986 }

@InProceedings{DenningInfer86,
Author={D.E. Denning},
Title={The Inference Problem in Multilevel Database Systems},
Booktitle={Proceedings of the National Computer Security Center
Invitational Workshop on Database Management Security},
month=jun,
Year=1986 }

@TechReport{DenningCECOM86,
Author={D.E. Denning and M. Morgenstern},
Title={Military Database Technology Study: AI Techniques for
       Security and Reliability},
Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California},
Year=1986 }

@TechReport{IDESFinal87,
Author={D.E. Denning and D.L. Edwards and R. Jagannathan and T.F. Lunt and P.G.
Neumann}, Title={A Prototype {IDES}: A Real-Time Intrusion-Detection Expert
System}, Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California}, Year=1987 }

@Article{IDES87,
Author={D.E. Denning},
Title={An Intrusion-Detection Model},
Journal={IEEE Transactions on Software Engineering},
volume=13,
number=2,
month=feb,
year=1987 }

@InProceedings{DenningSocial87,
Author={D.E. Denning and P.G. Neumann and Donn B. Parker},
Title={Social Aspects of Computer Security},
Booktitle={Proceedings of the 10th National Computer Security Conference},
month=sep,
Year=1987 }

@Article{DenningViews87,
Author={D.E. Denning and S.G. Akl and M. Heckman and T.F. Lunt and M. Morgenstern and P.G. Neumann and R.R. Schell},
Title={Views for Multilevel Database Security},
Journal={IEEE Transactions on Software Engineering},
volume=13,
number=2,
month=feb,
year=1987 }

@InProceedings{DenningDataModel87,
Author={D.E. Denning and T.F. Lunt and R.R. Schell and M. Heckman and W.R. Shockley},
Title={A Multilevel Relational Data Model},
Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy},
month=apr,
Year=1987 }

@misc{DenningLessons87,
author={D.E. Denning},
title={Lessons Learned from Modeling a Secure Multilevel Relational Database System},
type={draft report},
Institution={Computer Science Laboratory, SRI International},
Address={Menlo Park, California},
Year=1987 }

@InProceedings{DenningModel88,
Author={D.E. Denning and T.F. Lunt and R.R. Schell and W.R. Shockley and M. Heckman},
Title={The {SeaView} Security Model},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
month=apr,
Year=1988 }

@Article{DeKleer86,
Author={J. de Kleer},
Title={An Assumption-Based {TMS}},
Journal={Artificial Intelligence Journal},
volume=28,
number=2,
month=mar,
year=1986 }

@InProceedings{Dillaway86,
Author={B.B. Dillaway and J.T. Haigh},
Title={A Practical Design for a Multilevel Secure Database Management System},
Booktitle={Proceedings of the Second Aerospace Computer Security Conference},
month=dec,
Year=1986 }

@Article{Dobkin79,
Author={D. Dobkin and A.K. Jones and R.J. Lipton},
Title={Secure databases: protection against user inference},
Journal={ACM Transactions on Database Systems},
volume=4,
number=1,
month=mar,
year=1979 }

@InProceedings{Downs77,
Author={D.Downs and G.J. Popek},
Title={A Kernel Design for a Secure Data Base Management System},
Booktitle={Proceedings of the Third Conference on Very Large Data Bases},
Year=1977 }

@TechReport{Duffy85,
Author={K.J. Duffy and J. Sullivan},
Title={Integrity Lock Prototype},
type={Technical Report},
Institution={The Mitre Corporation},
Address={Bedford, Massachusetts},
month=dec,
Year=1985 }

@TechReport{HoneywellPolicy87,
author={B.B. Dillaway and others},
Title="Security Policy Extensions for a Database Management System",
type={Interim Report A002},
institution="Honeywell Systems Research Center and
     Corporate Systems Development Division",
Month=apr,
Year=1987 }

@InProceedings{Dittrich88,
Author={K.R. Dittrich and M. Hartig and H. Pfefferle},
Title={Discretionary Access Control in Structurally Object-Oriented Database Systems},
Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@TechReport{Dwyer88,
author={P. Dwyer and E. Onuegbe and B.M. Thuraisingham},
Title="Design of a Query Processor for a Multilevel Secure Relational Database Management System",
type={Technical Report},
institution="Honeywell Systems Research Center and
     Corporate Systems Development Division",
Year=1988 }

@Article{Dwyer87,
Author={P.A. Dwyer and G.D. Jelatis and B.M. Thuraisingham},
Title={Multilevel Security in Database Management Systems},
Journal={Computers and Security},
volume=6,
number=3,
month=jun,
year=1987 }

@TechReport{HoneywellSpec88,
author={P.Dwyer and E. Onuegbe and P. Stachour and B. Thuraisingham},
Title="Secure Distributed Data Views: Implementation Specifications",
type={Interim Report A005},
institution="Honeywell Systems Research Center and
     Corporate Systems Development Division",
Month=may,
Year=1988 }

@Article{Erman80,
Author={L.D. Erman and F. Hayes-Roth and V.R. Lesser and D.R. Reddy},
Title={The {H}earsay-{II} Speech Understanding System:  Integrating Knowledge to Resolve Uncertainty},
Journal={Computing Surveys},
volume=12,
month=jun,
year=1980 }

@InProceedings{Erman86,
Author={L.D. Erman and J.S. Lark and F. Hayes-Roth},
Title={Engineering Intelligent Systems:  Progress Report on {ABE}},
Booktitle={Proceedings of the DARPA Expert Systems Workshop},
month=apr,
Year=1986 }

@TechReport{ECMA85,
author={European Computer Manufacturers' Assocation, Technical Committee 29},
Title="Office Document Architecture",
type={Standard ECMA-101},
address={Geneva},
Month=sep,
Year=1985 }

@Article{Fagin78,
Author={R. Fagin},
Title={On an authorization mechanism},
Journal={ACM Transactions on Database Systems},
volume=3,
number=3,
month=sep,
year=1978 }

@Book{Fernandez81,
Author={E.B. Fernandez and R.C. Summers and C. Wood},
Title={Database Security and Integrity},
publisher={Addison-Wesley},
address={Reading, Massachusetts},
year=1981 }

@InProceedings{FISCH82,
Author={M.J. Fischer and A. Michael},
Title={Sacrificing Serializability to Attain High Availability of Data
     in an Unreliable Network},
Booktitle={Proceedings of the ACM SIGACT-SIGMOD Symposium on
      Principles of Database Systems},
Year=1982 }

@Book{Fodor,
Author={Fodor's Travel Guides},
Title={FODOR's Germany West and East 1986},
publisher={Fodor},
year=1986,
note={page 443} }

@Article{S4,
Author={J.P. Flynn and T.E. Senator},
Title={DARPA Naval Battle Management Applications},
Journal={Signal},
volume={XL(10)},
pages={59+},
month=jun,
year=1986 }

@InProceedings{Froscher88,
Author={J.N. Froscher and C. Meadows},
Title={Achieving a Trusted Database Management System Using Parallelism},
Booktitle={Proceedings of the 1988 IFIP WG 11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@InProceedings{Gajnak88,
Author={G.E. Gajnak},
Title={Some Results from the Entity/Relationship Multilevel Secure {DBMS} Project},
Booktitle={Proceedings of the Fourth Aerospace Computer Security
    Applications Conference},
month=dec,
Year=1988 }

@InProceedings{GARCI83,
Author={H. Garcia-Molina and others},
Title={Data-{P}atch: Integrating Inconsistent Copies of a Database After a Partition},
Booktitle={Proceedings of the Third IEEE Symposium on Reliability
in Distributed Software and Database Systems},
Year=1983 }

@InProceedings{GARV88,
Author={C. Garvey and N. Jenson and J. Wilson},
Title={The Advanced Secure {DBMS}: Making Secure {DBMS}s Usable},
Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@TechReport{Garvey86,
author={C. Garvey},
Title="Multilevel Data Store Design ({MLDS})",
type={Technical Report},
institution="TRW Defense Systems Group",
Year=1986 }

@InProceedings{Garvey88,
Author={C. Garvey},
Title={{ASD} Views},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and
  Privacy},
month=apr,
Year=1988 }

@InProceedings{Ginsberg87,
Author={A. Ginsberg},
Title={A New Approach to Checking Knowledge Bases for Inconsistency and Redundancy},
Booktitle={Proceedings of the Third Expert Systems in Government Conference},
Year=1987 }

@InProceedings{Ginsberg88,
Author={A. Ginsberg},
Title={Knowledge-Base Reduction: A New Approach to Checking Knowledge-Bases for
Inconsistency and Redundancy},
Booktitle={Proceedings of the AAAI 88},
volume=2,
Year=1988 }

@InProceedings{Goguen84,
Author={J.A. Goguen and J. Meseguer},
Title={Unwinding and Inference Control},
Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy},
Year=1984 }

@InProceedings{Graham72,
Author={G.S. Graham and P.J. Denning},
Title={Protection: Principles and Practice},
Booktitle={Proceedings of the Spring Joint Computer Conference},
volume=40,
publisher={AFIPS Press},
address={Montvale, New Jersey},
Year=1972 }

@InProceedings{Graubart82,
Author={R.D. Graubart and J.P.L. Woodward},
Title={A Preliminary Naval Surveillance {DBMS} Security Model},
Booktitle={Proceedings of the 1982 IEEE Symposium on Security and Privacy},
month=apr,
Year=1982 }

@InProceedings{Graubart84,
Author={R.D. Graubart},
Title={The integrity-lock approach to secure database management},
Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy},
Year=1984 }

@Article{Griffiths76,
Author={P.P. Griffiths and B.W. Wade},
Title={An Authorization Mechanism for a Relational Database System},
Journal={ACM Transactions on Database Systems},
volume=1,
number=3,
pages={59+},
month=sep,
year=1976 }

@TechReport{Grohn76,
author={M.J. Grohn},
Title="A Model of a Protected Data Management System",
type={Technical Report},
number={ESD-TR-76-289},
institution="I.P. Sharp Associates Ltd.",
month=jun,
Year=1976 }

@Book{LifeBerlin,
Author={Fredric V. Grunfeld and the Editors of Time-Life Books},
Title={Berlin},
publisher={Time-Life Books},
year=1977 }

@TechReport{Gusfield84,
author={D. Gusfield},
Title="A Graph Theoretic Approach to Statistical Data Security",
type={Technical Report},
number={327},
institution="Computer Science Department, Yale University",
month=aug,
Year=1984 }

@Article{DR87,
Author={D.W. Haskin},
Title={Keeping Watch on a {VAX}},
Journal={Digital Review},
month={December 16},
year=1987 }

@Book{Hayes-RothBook,
editor={F. Hayes-Roth and D.A. Waterman and D.B. Lenat},
Title={Building Expert Systems},
publisher={Addison-Wesley},
address={Reading, Massachusetts},
year=1983 }

@TechReport{Heitmeyer85,
Author={C.L. Heitmeyer and M. Cornwell},
Title={Specifications for Three Members of the Military Message System {(MMS)}
  Family}, Institution={Naval Research Laboratory},
type={{NRL} Memorandum Report 5645},
day={9}, month=sep,
Year=1985 }

@TechReport{Heitmeyer86,
Author={C.L. Heitmeyer},
Title={Requirements for the Military Message System  Family: Data Types and User Commands},
Institution={Naval Research Laboratory},
type={{NRL} Memorandum Report 5670},
day={11}, month=apr,
Year=1986 }

@TechReport{HinkeSchaefer,
Author="T.H. Hinke and M. Schaefer",
Title="Secure Data Management System", Note = "RADC-TR-266 (NTIS AD A019201)",
Institution="Rome Air Development Center", Month=nov, Year="1975"}

@InProceedings{Hinke86,
Author={T.H. Hinke},
Title={Secure database management system architectural analysis},
Booktitle={Proceedings of the National Computer Security Center Invitational
  Workshop on Database Management Security},
month=jun,
Year=1986 }

@InProceedings{HINK88b,
Author={T.H. Hinke and C. Garvey and N. Jensen and J. Wilson and A. Wu},
Title={A1 Secure {DBMS} Design},
Booktitle={Proceedings of the Eleventh National Computer Security Conference - Appendix},
month=oct,
Year=1988 }

@InProceedings{HINK88c,
Author={T.H. Hinke},
Title={Database Inference Engine Design Approach},
Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@InProceedings{Hinke88,
Author={T.H. Hinke},
Title={Inference Aggregation Detection in Database Management Systems},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
month=apr,
Year=1988 }

@InProceedings{Hinke88b,
Author={T.H. Hinke and C. Garvey and A. Wu},
Title={A1 Secure {DBMS} Architecture},
Booktitle={Research Directions in Database Security},
editor={T.F. Lunt},
year={forthcoming} }

@Article{Hoffman70,
Author={L.J. Hoffman and W.F. Miller},
Title={Getting a personal dossier from a statistical data bank},
Journal={Datamation},
volume=16,
number=5,
month=may,
year=1970 }

@book{InvitationalWorkshop,
title={Proceedings of the National Computer Security Center Invitational Workshop on Database Security},
address={Baltimore, Maryland},
month=jun,
year=1986 }

@Article{IrvingMonitoring86,
Author={R.H. Irving and C.A. Higgins and F.R. Safayeni},
Title={Computerized Performance Monitoring Systems:  Use and Abuse},
Journal={Communications of the ACM},
volume=29,
number=8,
year=1986 }

@TechReport{Javitz86,
author={H.S. Javitz and A. Valdes and D.E. Denning and P.G. Neumann},
Title="Analytical Techniques Development for a Statistical Intrusion-Detection System ({SIDS}) based on Accounting Records",
institution="SRI International",
address={Menlo Park, California},
month=jul,
Year=1986
}

@InProceedings{JENS88,
Author={N. Jensen},
Title={System Security Officer Functions in the A1 Secure DBMS},
Booktitle={Proceedings of the IFIP Working Group 11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@Article{DE1,
Author={J.F. Judge},
Title={{SCP} Gets High Marks at Midterm},
Journal={Defense Electronics},
volume={XVII(5)},
pages={65+},
month=may,
year=1986 }

@TechReport{Kao86,
author={M. Kao},
Title="Systematic Protection of Precise Information on Two-Dimensional
  Cross Tabulated Tables",
type={Technical Report},
institution="Computer Science Department, Yale University",
Year=1986 }

@Article{Kohonen88,
Author={T. Kohonen},
Title={The ``Neural'' Phonetic Typewriter},
Journal={Computer},
month=mar,
year=1988 }

@Article{Kung81,
Author={H.T. Kung and J.T. Robinson},
Title={On Optimistic Methods for Concurrency Control},
Journal={ACM Transactions on Database Systems},
volume=6,
number=2,
month=jun,
year=1981 }

@InProceedings{Lampson71,
Author={B.W. Lampson},
Title={Protection},
Booktitle={Proceedings of the
  Fifth Princeton Symposium on Info. Sci. and Systems},
month=mar,
Year=1971,
note={Reprinted in ACM Operating Systems Review, Vol. 8 (1), January 1974} }


@Book{LaurieBook,
editor={P. Laurie},
Title={Beneath City Streets},
publisher={Penguin Books},
address={Reading, Massachusetts},
year={circa 1970},
note={This book's fascinating contents apparently offer an example of what security types call an ``aggregation problem.'' It is out of print} }

@book{Lehner,
author={P.E. Lehner and T.M. Mullin and M.S. Cohen},
title={When Should a Decision Maker Ignore the Advise of a Decision Aid?},
year={to appear} }

@Article{S9,
Author={L.B. Lenat and A. Clarkson},
Title={Artificial Intelligence and {C3I}},
Journal={Signal},
volume={XL(10)},
pages={115-119},
month=jun,
year=1986 }

@InProceedings{Linde75,
Author={R.R. Linde},
Title={Operating System Penetration},
Booktitle={Proceedings of the National Computer Conference},
Year=1975 }

@InProceedings{Lochovsky,
author={F.H. Lochovsky and C.C. Woo},
title={Role-Based Security in Data Base Management Systems},
booktitle={Database Security:  Status and Prospects},
editor={C.E. Landwehr},
publisher={North-Holland},
year=1988 }

@article{DSL4TDI,
title={A First Glimpse at the {TDI}},
journal={Data Security Letter},
editor={T.F. Lunt},
Volume=1,
number=4,
month=aug,
year=1988 }

@InProceedings{LuntIDES89a,
Author={T.F. Lunt and R. Jagannathan and R. Lee and A. Whitehurst and S. Listgarten},
Title={Knowledge-Based Intrusion Detection},
Booktitle={Proceedings of the 1989 AI Systems in Government Conference},
month=mar,
Year=1989 }

@InProceedings{LuntIDES89b,
Author={T.F. Lunt},
Title={Real-Time Intrusion Detection},
Booktitle={Proceedings of the COMPCON Spring '89},
month=mar,
Year=1989 }

@TechReport{IDESFinal88,
author={T.F. Lunt and R. Jagannathan and R. Lee and S. Listgarten and D.L. Edwards and P.G. Neumann and H.S. Javitz and A. Valdes},
Title="Development and Application of {IDES}: A Real-Time Intrusion-Detection
    Expert System",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1988 }

@TechReport{IDESFinal92,
author={T.F. Lunt and A. Tamaru and F. Gilham and R. Jagannathan
and C. Jalali and P.G. Neumann and H.S. Javitz and A. Valdes},
Title="{A Real-Time Intrusion-Detection Expert System} {(IDES)}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={28}, month={February}, Year=1992 }

@TechReport{NIDES-SDD93,
author={R. Jagannathan and T.F. Lunt and D. Anderson and C. Dodd and
F. Gilham and C. Jalali and H.S. Javitz and P.G. Neumann and
A. Tamaru and A. Valdes},
Title="System {Design} {Document}: {Next-generation Intrusion-Detection
Expert System} {(NIDES)}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={9}, month={March}, Year=1993 }

@TechReport{Safeguard93,
author={D. Anderson and T. Lunt and H. Javitz and A. Tamaru and A. Valdes},
Title={Safeguard Final Report: Detecting Unusual Program Behavior Using
the {NIDES} Statistical Component},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={2}, month=dec, Year=1993 }

@TechReport{Javi94,
author={H.S. Javitz and A. Valdes},
Title={The {NIDES} Statistical Component Description and Justification},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, Month=mar, Year=1994 }

@TechReport{CalderaraKo,
author={A.B. Calderara and Hai-Ping Ko},
Title={Intrusion Detection with {NIDES} in a Simulated Environment},
institution="GTE Government Systems Corporation",
address={Needham, Massachusetts}, Month={}, Year=1995 }

@TechReport{NIDES-SOUI93,
author={D. Anderson and C. Dodd and
F. Gilham and C. Jalali and A. Tamaru and M. Tyson},
Title="Next-generation Intrusion-Detection Expert System {(NIDES)}:
User Manual for Security Officer User Interface {(SOUI)}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={26}, month={March}, Year=1993 }

@TechReport{NIDES-SOUI94,
author={D. Anderson and T. Frivold and A. Tamaru and A. Valdes},
Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}:
User Manual for Security Officer User Interface {(SOUI)}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={19}, month={May}, Year=1994 }

@TechReport{NIDES-final94,
author={D. Anderson and T. Frivold and A. Valdes},
Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}:
Final Technical Report",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, day={16}, month=nov, Year=1994 }

@TechReport{NIDES95,
author={D. Anderson and T. Frivold and A. Valdes},
Title="{Next-generation Intrusion-Detection Expert System} {(NIDES)}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California, SRI-CSL-95-07}, Month=may, Year=1995 }

@TechReport{EMERALD1xxx,
author={P.A. Porras and P.G. Neumann},
Title={{EMERALD: Event Monitoring Enabling Responses to Anomalous Live
  Disturbances}},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, Month=feb, Year=1997,
Note = {Submitted for publication.} }

@TechReport{EMERALD2,
author={P.A. Porras and P.G. Neumann},
Title={{EMERALD Message System Requirements Statement}},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, Month=feb, Year=1997}

@InProceedings{PorrasNeumann97,
Author = "P.A. Porras and P.G. Neumann",
Title = "{{EMERALD: Event Monitoring Enabling Responses to Anomalous
         Live Disturbances}}",
Booktitle=
  "Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="353--365", Month = "22-25 October"  }

@InProceedings{PorrasValdes97,
Author = "P.A. Porras and A. Valdes",
Title = "Live Traffic Analysis of {TCP/IP} Gateways",
Booktitle= "Proceedings of the Symposium on Network and
   Distributed System Security",
Organization = "Internet Society", Year = "1998",
Pages="", Month = mar  }

@InProceedings{NeumannPorras99,
Author={P.G. Neumann and P.A. Porras},
Title={Experience with {EMERALD} to Date},
BookTitle={Proceedings of the First USENIX Workshop on
Intrusion Detection and Network Monitoring},
Organization={USENIX}, Address={Santa Clara, California},
Year={1999}, Month=apr, pages={73--80},
Note = {Best paper},
url = "http://www.csl.sri.com/neumann/det99.html"}

@InProceedings{LindqvistPorras99,
Author={U. Lindqvist and P.A. Porras},
Title={Detecting Computer and Network Misuse through the {Production-Based
  Expert System Toolset (P-BEST)}},
BookTitle={Proceedings of the 1999 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1999}, Month=may, pages={}}

@InProceedings{Lindqvist:2001:EXPERTBSM,
  Author={U. Lindqvist and P.A. Porras},
  title =        "{eXpert-BSM}: A Host-based Intrusion-Detection
                  Solution for {Sun Solaris}",
  booktitle =    "Proceedings of the 17th Annual Computer Security
                  Applications Conference ({ACSAC} 2001)",
  month =        "10--14 December",
  year =         2001,
  address =      "New Orleans, Louisiana",
}

@InProceedings{Almgren:2001:AIDCFSM,
  author =       "M. Almgren and U. Lindqvist",
  title =        "Application-Integrated Data Collection for
    Security Monitoring",
  booktitle =    "Recent Advances in Intrusion Detection
                  ({RAID~2001})",
  month =        "10--12 October",
  year =         2001,
  address =      "Davis, California",
}

@PhDThesis{Lindqvist99,
Author={U. Lindqvist},
School={Department of Computer Engineering, Chalmers University of Technology},
Title={On the Fundamentals of Analysis and Detection of Computer Misuse},
Year={1999}, Month={}, Note = "ISBN 91-7197-832-1" }

@TechReport{PorrasNitz03,
Author = "P.A. Porras and K. Nitz and U. Lindqvist and M. Fong and
  P.G. Neumann",
Title = "Discerning Attacker Intent",
Institution={Computer Science Laboratory, SRI International, Project 10779},
Year={2003}, Month=apr, Address={Menlo Park, California} }

@TechReport{CIDF,
author={P.A. Porras},
Title={Common Intrusion Detection Framework},
institution= {Computer Science Lab, SRI International},
address={Menlo Park, California}, month =apr, Year=1998 }

@InProceedings{Jagan89GLU,
Author = {R. Jagannathan},
Title = {Transparent Multiprocessing in the Presence of Fail-Stop Faults},
Booktitle = {Proceedings of the 3rd Workshop on Large-Grain Parallelism},
Organization = {}, Address = {Pittsburgh, Pennsylvania},
Year = {1989},
Pages={}, Month = oct }

@TechReport{JaganGLU,
Author={R. Jagannathan and A.A. Faustini}, Key={Jagannathan},
Institution={Computer Science Laboratory, SRI International},
Title={The {GLU} Programming Language}, Note={CSL Technical Report CSL-90-11},
Year={1990}, Month=nov, Address={Menlo Park, California} }

@TechReport{Jagan94GLU,
Author={R. Jagannathan and C. Dodd}, Key={Jagannathan},
Institution={Computer Science Laboratory, SRI International},
Title={{GLU} Programmer's Guide v0.9}, Note={CSL Technical Report CSL-94-06},
Year={1994}, Month=nov, Address={Menlo Park, California} }

@InProceedings{Jagan95Coarse,
Author = {R. Jagannathan},
Title = {Coarse-Grain Dataflow Programming of Conventional Parallel Computers},
Booktitle = {{\it Advanced Topics in Dataflow Computing and Multithreading}
  (edited by L. Bic, J-L. Gaudiot, and G. Gao)},
Organization = {IEEE Computer Society}, Address = {}, Year = {1995},
Pages={}, Month = apr }
% ISBN 0-8186-6542-4.

@InProceedings{LuntSurvey88,
Author={T.F. Lunt},
Title={Automated Audit-Trail Analysis and Intrusion Detection: A Survey},
Booktitle={Proceedings of the Eleventh National Computer Security Conference},
month=oct, pages={188-193}, Year=1988 }

@InProceedings{LuntAudit86,
Author={T.F. Lunt and J. van Horne and L. Halme},
Title={Automated Analysis of Computer System Audit Trails},
Booktitle={Proceedings of the Ninth DOE Computer Security Group Conference},
month=may,
Year=1986 }

@TechReport{LuntSytek1,
author={T.F. Lunt and J. van Horne and L. Halme},
Title="Analysis of Computer System Audit Trails: Initial Data Analysis",
type={Technical Report},
number={TR-85009},
institution="Sytek",
address={Mountain View, California},
month=sep,
Year=1985 }

@TechReport{LuntSytek2,
author={T.F. Lunt and J. van Horne and L. Halme},
Title="Analysis of Computer System Audit Trails: Intrusion Characterization",
type={Technical Report},
number={TR-85012},
institution="Sytek",
address={Mountain View, California},
month=oct,
Year=1985 }

@TechReport{LuntSytek3,
author={T.F. Lunt and J. van Horne and L. Halme},
Title="Analysis of Computer System Audit Trails: Feature Identification and
   Selection",
type={Technical Report},
number={TR-85018},
institution="Sytek",
address={Mountain View, California},
month=dec,
Year=1985 }

@TechReport{LuntSytek4,
author={T.F. Lunt and J. van Horne and L. Halme},
Title="Analysis of Computer System Audit Trails: Design and Program Classifier",
type={Technical Report},
number={TR-86005},
institution="Sytek",
address={Mountain View, California},
month=mar,
Year=1986 }

@InProceedings{LuntBerson87,
Author={T.F. Lunt and T.A. Berson},
Title={Security Considerations for Knowledge-Based Systems},
Booktitle={Proceedings of the  Third Expert Systems in Government Conference},
month=oct,
Year=1987 }

@Article{LuntAssurance87,
Author={T.F. Lunt and D.E. Denning and R.R. Schell and M. Heckman and W.R. Shockley},
Title={Element-Level Classification with {A}1 Assurance},
Journal={Computers and Security},
month=feb,
year=1988 }

@MASTERSTHESIS{Porras92,
AUTHOR = {P.A. Porras},
TITLE = {{STAT}: A {S}tate {T}ransition {A}nalysis {T}ool for Intrusion
        Detection},
SCHOOL={Computer Science Department, University of California, Santa Barbara},
YEAR = {1992}, 	MONTH = jul }

@TechReport{DenningPolicy86,
author={T.F. Lunt and D.E. Denning and P.G. Neumann and R.R. Schell and  M. Heckman and W.R. Shockley},
Title="Final Report Vol.\ 1: Security Policy and Policy Interpretation for a
      Class A1 Multilevel Secure Relational Database System",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1988 }

@Article{LuntQuestions88,
Author={T.F. Lunt},
Title={Access Control Policies: Some Unanswered Questions},
Journal={Computers and Security},
month=feb,
year=1989 }


@InProceedings{LuntIFIP88,
Author={T.F. Lunt},
Title={Access Control Policies for Database Systems},
Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@TechReport{MillenLuntReport89,
author={J.K. Millen and T.F. Lunt},
title={Secure Knowledge-Based Systems},
institution={Computer Science Laboratory, SRI International},
type={Technical Report},
number={SRI-CSL-90-04},
address={Menlo Park, California},
month=aug,
year = 1989 }

@TechReport{LuntDAC90,
Author={T.F. Lunt},
Title={Discretionary Security for Object-Oriented Database Systems},
type={Technical Report},
number={RADC-TR-91-17},
institution="Rome Air Development Center",
month=mar, Year=1991 }

@inproceedings{issues89, author={A. Downing and I. Greenberg and T. Lunt},
title={Issues in Distributed System Security}, booktitle={Proceedings of the Fifth
Aerospace Computer Security Conference}, month=dec, year=1989 }

@InProceedings{LuntDistributed89xxx,
Author={T.F. Lunt and A. Downing and I. Greenberg},
Title={Issues in Distributed Database Security},
Booktitle={Proceedings of the Twelfth National Computer Security Conference},
Year={submitted for publication, not accepted} }

@InProceedings{LuntObject89,
Author={T.F. Lunt},
Title={Multilevel Security for Object-Oriented Database Systems},
Booktitle={Proceedings of the Third IFIP Database Security Workshop},
month=sep,
Year=1989 }

@InProceedings{VonHenke88,
author={J.S. Crow and R. Lee and J.M. Rushby and F.W. von Henke and R.A. Whitehurst},
title={{EHDM} Verification Environment: An Overview},
booktitle={Proceedings of the Eleventh National Computer Security Conference},
month=oct,
year=1988 }


@TechReport{LuntSpec88,
author={T.F. Lunt and R.A. Whitehurst},
Title={Final Report Vol.\ 3A: The {SeaView} Formal Top Level Specifications},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1989 }


@TechReport{LuntDef89,
Author={T.F. Lunt},
Title={Final Report Vol.\ 4: Secure Distributed Data Views: Identification of Deficiencies and Directions for Future Research},
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1989 }


@InProceedings{Shockley87,
Author={W.R. Shockley and R.R. Schell},
Title={{TCB} Subsetting for Incremental Evaluation},
Booktitle={Proceedings of the Second AIAA Conference on Computer Security},
month=dec,
Year=1987 }

@TechReport{vonGlahn83,
Author={P.G. {von Glahn}}, key={vonGlahn},
Title={An Annotated Computer Network Security Bibliography},
Institution={Rome Air Development Center},
Address={Griffiss Air Force Base, NY 13441},
number={RADC-TR-83-251},
Month=nov, Year={1983} }

@Article{Reed79,
Author={D.P. Reed and R.K. Kanodia},
Title={Synchronization with Eventcounts and Sequencers},
Journal={Communications of the ACM},
volume=22, number=2, month=feb, year=1979 }

@InProceedings{LuntA188,
Author={T.F. Lunt},
Title={Multilevel Database Systems:  Meeting Class {A}1},
Booktitle={Proceedings of the Second IFIP WG11.3 Workshop on Database Security},
month=oct,
Year=1988 }

@TechReport{Greenberg90
   ,Key={}
   ,Author={I.B. Greenberg and A.R. Downing and M. Morgenstern}
   ,Institution={SRI International}
   ,Title={{Distributed database integrity}}
   ,Year={1990}
   ,Month=apr
   ,Number={}
   ,Address={Menlo Park, California}
   ,Type={Interim Report}
   ,Note={For RADC Contract No. F30602-89-C-0055}
   ,Read={y}
   ,File={}
   }

@TechReport{Greenberg91a
   ,Key={}
   ,Author={I.B. Greenberg and P.K. Rathmann}
   ,Institution={SRI International}
   ,Title={{Distributed database integrity}}
   ,Year={1990}
   ,Month=nov
   ,Number={}
   ,Address={Menlo Park, California}
   ,Type={Final Report}
   ,Note={For RADC Contract No. F30602-89-C-0055}
   ,Read={y}
   ,File={}
   }

@TechReport{Greenberg91b
   ,Key={}
   ,Author={I.B. Greenberg and P.K. Rathmann}
   ,Institution={SRI International}
   ,Title={{Feasibility Implementation Plan}}
   ,Year={1990}
   ,Month=nov
   ,Number={}
   ,Address={Menlo Park, California}
   ,Type={Interim Report}
   ,Note={For RADC Contract No. F30602-89-C-0055}
   ,Read={y}
   ,File={}
   }

@InProceedings{LuntLargeAI88,
Author={T.F. Lunt and B.M. Thuraisingham},
Title={Security for Large {AI} Systems},
Booktitle={Proceedings of the AAAI-88 Workshop on Databases in Large AI Systems},
month=aug,
Year=1988 }

@InProceedings{LuntMSQL88,
Author={T.F. Lunt and R.R. Schell and W.R. Shockley and M. Heckman and D. Warren},
Title={Toward a Multilevel Relational Data Language},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications
    Conference, Orlando FL},
month=dec,
Year=1988 }


@InProceedings{LuntInfer89,
Author={T.F. Lunt},
Title={Aggregation and Inference: Facts and Fallacies},
Booktitle={Proceedings of the 1989 IEEE Symposium on Research in Security and
  Privacy},
month=may,
Year=1989 }

@InProceedings{MaimoneGreenberg90,
Author={W.T. Maimone and I.B. Greenberg},
Title={Single-Level Multiversion Schedulers for Multilevel Secure
    Database Systems},
Booktitle={Proceedings of the Sixth Annual Computer Security Applications
   Conference},
Month=dec,
Year=1990 }

@InProceedings{McHugh85,
Author={J. McHugh},
Title={An {EMACS}-Based Downgrader for {SAT}},
Booktitle={Proceedings of the Eighth National Computer Security Conference},
month=oct,
Year=1985 }

@InProceedings{McLean87,
Author={J. McLean},
Title={Reasoning about Security Models},
Booktitle={Proceedings of the 1987 IEEE Symposium on Security and
  Privacy},
month=apr,
Year=1987 }

@InProceedings{Maier86,
Author={D. Maier and J. Stein and A. Otis and A. Purdy},
Title={Development of an Object-Oriented {DBMS}},
Booktitle={OOPSLA 86 Proceedings},
Year=1986 }

@InProceedings{Matloff86,
Author={N.S. Matloff},
Title={Another look at the use of noise addition for database security},
Booktitle={Proceedings of the IEEE 1986 Symposium on Security and Privacy},
month=apr,
Year=1986 }

@InProceedings{MayerInterp88,
Author={F.L. Mayer},
Title={An Interpretation of a Refined {B}ell - {L}a {P}adula Model For the {TM}ach Kernel},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications Conference, Orlando FL},
month=dec,
Year=1988 }

@misc{Meadows88,
author={C. Meadows and C. Landwehr},
title={Designing a Trusted Application Using an Object-Oriented Data Model},
booktitle={Research Directions in Database Security},
editor={T.F. Lunt},
note={forthcoming} }

@TechReport{Medlock88,
author={R.J. Medlock},
Title="Secure Distributed Database Management System ({SD-DBMS}), Volume {II} (Draft): {SDI} {BM}/{C3} Application",
institution="Unisys
System Development Group",
month=sep,
Year=1988 }

@Article{AW1,
Author={J.T. Merrifield},
Title={{AI} System for Satellite Repair},
Journal={Aviation Week},
volume={CXXIV(19)},
pages={89+},
month={May 12},
year=1986 }

@Article{AW2,
Author={J.T. Merrifield},
Title={Ames Readies Initial {AI} Demonstration for Space Station},
Journal={Aviation Week},
volume={CXXIV(21)},
pages={129+},
month={May 26},
year=1986 }

@Article{AW3,
Author={J.T. Merrifield},
Title={{AI} Research at Ames Focuses on Increased Crew Effectiveness},
Journal={Aviation Week},
volume={CXXIV(22)},
pages={73-75},
month={June 2},
year=1986 }

@Article{AW4,
Author={J.T. Merrifield},
Title={Ames Seeks {AI} Applications in Aeronautics, Space Programs},
Journal={Aviation Week},
volume={CXXIV(23)},
pages={153+},
month={June 9},
year=1986 }

@InProceedings{MOHAN84,
Author={C. Mohan},
Title={Recent and Future Trends in Distributed Database Management},
Booktitle={Proceedings of the NYU Symposium on New Directions in Database
     Systems},
Year=1984 }

@InProceedings{Morgenstern84,
Author={M. Morgenstern},
Title={Constraint equations: declarative expression of constraints with
  automatic enforcement},
Booktitle={Proceedings of the 10th International Conference on Very Large Databases},
month=aug,
Year=1984 }

@InProceedings{Morgenstern86,
Author={M. Morgenstern},
title={The role of constraints in databases, expert systems, and knowledge
  representation},
Booktitle={Expert Database Systems, Proceedings of the
First International Workshop on Expert Database Systems},
editor={L. Kerschberg},
publisher={Benjamin Cummings Publishers},
year=1986 }

@InProceedings{Morgenstern87,
Author={M. Morgenstern},
Title={Security and Inference in Multilevel Database and Knowledge-Base Systems},
Booktitle={Proceedings of the ACM International Conference on Management of
   Data (SIGMOD-87)},
month=may,
Year=1987 }

@InProceedings{Morgenstern88,
Author={M. Morgenstern},
Title={Controlling Logical Inference in Multilevel Database Systems},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
month=apr,
Year=1988 }

@InProceedings{Murray88,
Author={W.H. Murray},
Title={Data Integrity in a Business Data Processing System},
Booktitle={Report of the Invitational Workshop on Integrity Policy in Computer Information Systems (Appendix 6)},
month=oct,
Year=1987 }

@TechReport{Neumann80,
author={P. G. Neumann and R.S. Boyer and R.J. Feiertag and K.N. Levitt and L. Robinson},
Title="A {Provably Secure Operating System}: The System, Its Applications, and Proofs",
institution="Computer Science Laboratory, SRI International",
number={CSL-116, Second edition},
address={Menlo Park, California},
month=may,
Year=1980 }

@TechReport{Neumann85,
author={P.G. Neumann},
Title="Audit Trail Analysis and Usage Data Collection and Processing, Part One",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
month=jan,
Year=1985 }

@TechReport{Neumann87,
author={P.G. Neumann and F. Ostapik},
Title="Audit Trail Analysis and Usage Data Collection and Processing, Part Two",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
month=may,
Year=1987 }

@Article{Nguyen87,
Author={T. Nguyen and W. Perkins and T.J. Laffey and D. Pecora},
Title={Knowledge Base Verification},
Journal={AI Magazine},
volume=8,
number=2,
year=1987 }

@TechReport{OConnor88,
author={J.P. O'Connor and J.W. Gray and C. Jensen and D.T. Westby-Gibson},
Title="Secure Distributed Database Management System ({SD-DBMS}),
Volume {I}: Architecture Definition, Tradeoff Analysis",
institution="Unisys
System Development Group",
month=aug,
Year=1988 }

@TechReport{Olsson75,
author={L. Olsson},
Title="Protection of Output and Stored Data in Statistical Databases",
institution="Statistika Centralbyran",
type={Technical Report~ADB-Information, 4},
address={Stockholm, Sweden},
Year=1975 }

@InProceedings{Omar83,
Author={K.A. Omar and D.L. Wells},
Title={Modified architecture for the subkeys model},
Booktitle={Proceedings of the 1983 IEEE Symposium on Security and Privacy},
month=apr,
Year=1983 }

@InProceedings{Ozsoyoglu81,
Author={G. Ozsoyoglu and M. Ozsoyoglu},
Title={Update handling techniques in statistical databases},
Booktitle={Proceedings of the First LBL Workshop on Statistical Database Management},
address={Lawrence Berkeley Lab, Berkeley, California},
month=dec,
Year=1981 }

@Article{S7,
Author={G.M. Powell and G. Loberg and H.H. Black and M.L. Gronberg},
Title={{ARES}:  Artificial Intelligence Research Project},
Journal={Signal},
volume={XL(10)},
pages={106-109},
month=jun,
year=1986 }

@InProceedings{Rabitti88,
Author={F. Rabitti and D. Woeld and W. Kim},
Title={A Model of Authorization for Object-Oriented and Semantic Databases},
Booktitle={Proceedings of the International Conference on Extending Database
Technology},
Year=1988 }

@TechReport{Rapaport75,
author={E. Rapaport and B. Sundgren},
Title="Output Protection in Statistical Databases",
institution="Nat. Central Bur. Stat.",
type={Technical Report~S/SYS-E04},
address={Stockholm, Sweden},
Year=1975 }

@Article{RA86,
Author={R.F. Rashid},
Title={Threads of a New System},
Journal={UNIX Review},
volume={4},
number={8},
month=aug,
year=1986 }

@InProceedings{Reiss80,
Author={S.P. Reiss},
Title={Practical data-swapping: the first steps},
Booktitle={Proceedings of the 1980 IEEE Symposium on Security and Privacy},
month=apr,
Year=1980 }

@Article{S6,
Author={J.P. Retelle, Jr. and M. Kaul},
Title={The Pilot's Associate -- Aerospace Application of Artificial Intelligence},
Journal={Signal},
volume={XL(10)},
pages={100-105},
month=jun,
year=1986 }

@Book{RichBook,
author={E. Rich},
Title={Artificial Intelligence},
publisher={McGraw Hill, New York},
year=1982 }

@TechReport{HDM1,
author={L. Robinson},
Title="{HDM} Handbook, Vol. 1: The Foundations of {HDM}",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
month=jun,
Year=1979 }

@Article{Rosenkrantz84,
Author={D.J. Rosenkrantz and R.E. Stearns and P.M. Lewis},
Title={Consistency and Serializability in Concurrent Database Systems},
Journal={SIAM Journal on Computing},
volume=13,
number=2,
month=aug,
year=1984 }

@InProceedings{Sybase87,
Author={P.A. Rougeau and E.D. Sturms},
Title={ Sybase Secure Dataserver: A Solution to the Multilevel Secure DBMS Problem},
Booktitle={Proceedings of the 10th National Computer Security Conference},
month=sep,
Year=1987 }

@InProceedings{Rowe87,
author={L.A. Rowe},
title={A Shared Object Hierarchy},
booktitle={The POSTGRES Papers, Memorandum  No. UCB/ERL  M86/85},
editor={M. Stonebraker and L.A. Rowe},
publisher={Electronics Research Laboratory, College of Engineering, University
of California, Berkeley},
year=1987 }

@misc{Rowe86,
Author={N.C. Rowe},
title={Security problems with inferences from the results of rule-based
  expert systems},
note={unpublished paper} }

@TechReport{Rushby88,
author={J.M. Rushby},
Title="Quality Measures and Assurance for AI Software",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1988 }

@Article{SARIN85,
Author={S.K. Sarin and B. Blaustein and C. Kaufman},
Title={System Architecture for Partition-Tolerant Distributed Databases},
Journal={IEEE Transactions on Computers},
volume={C-34},
number=122,
month=dec,
year=1985 }

@InProceedings{SARIN86b,
Author={S.K. Sarin},
Title={Robust Application Design in Highly Available Distributed Databases},
Booktitle={Proceedings of the Fifth IEEE Symposium on Reliability in Distributed
   Software and Database Systems},
month=jan,
Year=1986 }

@InProceedings{SARIN86a,
Author={S.K. Sarin and C. Kaufman and J.E. Somers},
Title={Using History Information To Process Delayed Database Updates},
Booktitle={Proceedings of the Twelfth International Conference on
         Very Large Data Bases},
month=aug,
Year=1986 }

@InProceedings{SchaeferSchell84,
Author={M. Schaefer and R.R. Schell},
Title={Toward an Understanding of Extensible Architectures for
      Evaluated Trusted Computer System Products},
Booktitle={Proceedings of the 1984 IEEE Symposium on Security and Privacy},
month=apr,
Year=1984 }

@InProceedings{Schell85,
Author={R.R. Schell and T.F. Tao and M. Heckman},
Title={Designing the {GEMSOS} Security Kernel for Security and Performance},
Booktitle={Proceedings of the Eighth National Computer Security Conference},
Year=1985 }

@InProceedings{SchellIntegrity86,
Author={R.R. Schell and D.E. Denning},
Title={Integrity in Trusted Database Systems},
Booktitle={Proceedings of the Ninth National Computer Security Conference},
Year=1986, Month =sep }

@Article{Schlorer76,
Author={J. Schlorer},
Title={Confidentiality of statistical records: a threat monitoring scheme
  for on line dialogue},
Journal={Methods Inf. Med.},
volume=15,
number=1,
year=1976 }

@Article{SchlorerQuantitative80,
Author={J. Schlorer},
Title={Disclosure from statistical databases: quantitative aspects of
  trackers},
Journal={ACM Transactions on Database Systems},
volume=5,
number=4,
month=dec,
year=1980 }

@TechReport{SchlorerLoss83,
author={J. Schlorer},
Title="Information Loss in Partitioned Statistical Databases",
type={Technical Report, Klinische Dokumentation},
institution="Universit{\"a}t Ulm",
address={Ulm, Germany},
Year=1983 }

@TechReport{SchlorerOutput82,
author={J. Schlorer},
Title="Query Based Output Perturbations to Protect Statistical
  Databases",
type={Technical Report, Klinische Dokumentation},
institution="Universit{\"a}t Ulm",
address={Ulm, Germany},
month=oct,
Year=1982 }

@Article{SchlorerMultidimensional81,
Author={J. Schlorer},
Title={Security of statistical databases: multidimensional transformation},
Journal={ACM Transactions on Database Systems},
volume=6,
number=1,
month=mar,
year=1981 }

@TechReport{Schroeder72,
author={M.D. Schroeder},
Title="Cooperation of Mutually Suspicious Subsystems in a Computer Utility",
institution="Ph.D. Thesis, M.I.T., Cambridge, Massachusetts",
month=sep,
Year=1972 }

@article{SchroederSaltzer72,
author={M.D. Schroeder and J.H. Saltzer}, title = {A Hardware
Architecture for Implementing Protection Rings},
journal = {Communications of the ACM}, volume = {15}, number = {3},
pages = {}, month = mar, year = {1972}}

@article{SaltzerSchroeder75,
  title = {The Protection of Information in Computer Systems},
  author = {Saltzer, Jerome H. and Schroeder, Michael D.},
  date = {1975-09},
  journaltitle = {Proceedings of the IEEE},
  volume = {63},
  pages = {1278--1308},
  doi = {10.1109/PROC.1975.9939},
  url = {http://cap-lore.com/CapTheory/ProtInf/},
  number = {9}
}

@book{SaltzerKaashoek09,
Author={J.H. Saltzer and F. Kaashoek},
Title={Principles of Computer System Design},
Publisher={Morgan Kaufmann},
Year={2009},
NOTE = {Chapters 1-6 only. Chapters 7-11 are online:\\
  http://ocw.mit.edu/Saltzer-Kaashoek}
}

@book{Organick,
Author={E.I. Organick},
Title={The {Multics} System: An Examination of Its Structure},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1972} }

@InProceedings{Schroeder77,
Author={M.D. Schroeder and  D.D. Clark and J.H. Saltzer},
Title={The {Multics} Kernel Design Project},
Booktitle={Proceedings of the Sixth Symposium on Operating System Principles},
Note={ACM Operating Systems Review 11(5)},
month=nov, Year=1977 }

@article{NeedhamSchroeder78,
author={R.M. Needham and M.D. Schroeder}, key={needham}, title = {Using
Encryption for Authentication and Authorization Systems},
journal = {Communications of the ACM}, volume = {21}, number = {12},
pages = {993-999}, month = dec, year = {1978}}

@article{NeedhamSchroeder87,
author={R.M. Needham and M.D. Schroeder}, key={needham}, title =
{Authentication Revisited},
journal = {Operating Systems Review}, volume = {21}, number = {1},
pages = {7}, month = {}, year = {1987}}

@article{OtwayRees87,
author={D. Otway and O. Rees}, title = {Efficient and Timely Mutual
Authentication},
journal = {Operating Systems Review}, volume = {21}, number = {1},
pages = {8--10}, month = {}, year = {1987}}

@ARTICLE{SchroederGrape,
Author={M.D. Schroeder and A.D. Birrell and R.M. Needham},
TITLE = {Experience with {Grapevine}: The Growth of a Distributed System},
JOURNAL = {TOCS}, YEAR = {1984}, VOLUME = {2},
NUMBER = {1}, PAGES = {3-23}, MONTH = feb }

@article{DiffieHellman76,
author={W. Diffie and M.E. Hellman}, key={Diffie}, title = {New Directions
in Cryptography}, journal = {IEEE Transactions  on Information Theory}, volume= {22},
number = {5}, pages = {}, month = nov, year = {1976}}

@article{Rivest+78,
author={R. Rivest and A. Shamir and L. Adleman}, key={Rivest},
title = {A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems}, journal = {Communications of the ACM}, volume = {21}, number = {2},
pages = {120-126}, month = feb, year = {1978}}

@TechReport{Rivest90,
author={R. Rivest},
Title={The {MD4} message digest algorithm},
institution={MIT Laboratory for Computer Science},
address={}, month =oct, note={TM 434},
Year= {1990} }

@TechReport{RivestLampson96,
author={R. Rivest and B. Lampson},
Title={{SDSI} -- A Simple Distributed Security Infrastructure},
institution={MIT Laboratory for Computer Science},
address={}, month ={}, note={Version 2.0 is
available online
(\xlink{http://theory.lcs.mit.edu/\~{}cis/sdsi.html}{http://theory.lcs.mit.edu/\~{}cis/sdsi.html})
along with other documentation and source code},
Year= {2000} }

@TechReport{Ellison+99,
author={C.M. {Ellison et al.}},
Title={{SPKI} Certificate Theory},
institution={Internet Engineering Task Force},
address={}, month =sep,
Year= {1999}, Note={\xlink{http://www.ietf.org/rfc/rfc2693.txt}{http://www.ietf.org/rfc/rfc2693.txt})
}}

@InProceedings{Abadi97,
Author={M. Abadi},
Title={On {SDSI's} Linked Local Name Spaces},
BookTitle={Proceedings of the 10th IEEE Computer Security Foundations
  Workshop}, Address={Rockport, Massachusetts},
Year={1997},Month=jun,Pages={98--108}  }

@TechReport{DES,
Author={NIST}, Institution={National Institute of Standards and Technology
(formerly NBS)}, Title={Data Encryption Standard}, Year={1977}    }

@InProceedings{ElGamal84,
Author = {T. ElGamal},
Title = {A public key cryptosystem and a signature scheme
based on discrete logarithms},
Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '84},
Organization = {G.R. Blakley and David Chaum, eds., Springer-Verlag, Berlin},
Year = {1985}, Pages={10--18}, Month = {} }

@article{ElGamal85,
author={T. ElGamal}, title = {A public key cryptosystem and a signature scheme
based on discrete logarithms}, journal = {IEEE Transactions on Information Theory},
volume = {31}, number = {}, pages = {469--472}, month = {}, year = {1985}}

@InProceedings{Schnorr89,
Author = {C.P. Schnorr},
Title = {Efficient identification and signatures for smart cards},
Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '89},
Organization = {G. Brassard, ed., Springer-Verlag, Berlin, LCNS 435},
Year = {1990}, Pages={239-251}, Month = {} }

@InProceedings{LaMacchiaOdlyzko91,
Author={B.A. LaMacchia and A.M. Odlyzko},
Title={Computation of Discrete Logarithms in Prime Fields},
Booktitle={Designs, Codes, and Cryptography 1}, pages={47-62},
Year=1991, Publisher={Kluwer} }

@ARTICLE{Kaliski+88,
Author={B.S. {Kaliski Jr.} and R.L. Rivest and A.T. Sherman},
TITLE = {Is the {Data} {Encryption} {Standard} a Group?
(Results of Cycling Experiments on {DES})},
JOURNAL = {Journal of Cryptology}, YEAR = {1988}, VOLUME = {1},
NUMBER = {1}, PAGES = {3--36}, MONTH = {} }

@InProceedings{Kaliski94,
Author={B.S. {Kaliski Jr.}},
TITLE = {Public-Key Cryptography in Smart Cards},
Booktitle = {CardTech/SecurTech '94}, YEAR = {1994},
MONTH = {10--13 April},
Organization = {}, Address = {Arlington, Virginia} }

@ARTICLE{Merkle90,
Author={R.C. Merkle}, TITLE = {A fast software one-way hash function},
JOURNAL = {Journal of Cryptology}, YEAR = {1990}, VOLUME = {3},
NUMBER = {1}, PAGES = {43--58}, MONTH = {} }

@ARTICLE{Schnorr91,
Author={C.P. Schnorr}, TITLE = {Efficient signature generation by smart cards},
JOURNAL = {Journal of Cryptology}, YEAR = {1991}, VOLUME = {4},
NUMBER = {3}, PAGES = {161--174}, MONTH = {} }

@InProceedings{CampbellWiener92,
Author = {K.W. Campbell and M.J. Wiener},
Title = {{DES} is not a Group},
Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '92 (E.F. Brickell,
editor)}, Organization = {Springer-Verlag, Berlin, LCNS 740},
Year = {1992}, Pages={512-517}, Month = {} }

@InProceedings{Micali92,
Author={S. Micali}, TITLE = {Fair Public-Key Cryptosystems},
Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '92 (E.F. Brickell,
editor)}, Organization = {Springer-Verlag, Berlin, LCNS 740},
Year = {1992}, Pages={512-517}, Month = {} }

@InProceedings{Blundo+94,
Author={C. Blundo and A. {De Santis} and G. {Di Crescenzo} and
A.G. Gaggia and U. Vaccaro},
TITLE = {Multi-Secret Sharing Schemes},
Booktitle = {Advances in Cryptology: Proceedings of CRYPTO '94 (Y.G. Desmedt,
editor)}, Organization = {Springer-Verlag, Berlin, LCNS 839},
Year = {1994}, Pages={150--163}, Month = {} }

@book{Schneier94,
Author={B. Schneier},
Title={Applied Cryptography},
Publisher={John Wiley and Sons, New York},
Year={1994} }

@book{Schneier96,
Author={B. Schneier},
Title={Applied Cryptography: Protocols, Algorithms, and Source Code in C:
  Second Edition},
Publisher={John Wiley and Sons, New York},
Year={1996} }

@book{Schneier00,
Author={B. Schneier},
Title={Secrets and Lies: Digital Security in a Networked World},
Publisher={John Wiley and Sons, New York},
Year={2000} }

@book{Schneier95,
Author={B. Schneier},
Title={E-Mail Security with {PGP} and {PEM}},
Publisher={John Wiley and Sons, New York},
Year={1995} }

@book{Zimmermann95,
Author={P.R. Zimmermann},
Title={The Official {PGP} User's Guide},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1995} }

@article{Goldberg85,
author={A. Goldberg}, title = {Reliability of Computer Systems and
Risks to the Public}, journal = {Communications of the ACM}, year = {1985},
volume = {28}, number = {2}, pages = {131-133}, month = feb }

@ARTICLE{Bidzos91Risks,
Author={J. Bidzos}, TITLE = {Letter to {C}ongressman {T}im {V}alentine on
{NIST's} {DSS}}, JOURNAL = {RISKS FORUM
(comp.risks, online newsgroup)}, YEAR = {1991}, VOLUME = {12}, NUMBER = {37},
PAGES = {}, MONTH = {20 September} }

@ARTICLE{Bidzos91SENxxxxx,
Author={J. Bidzos}, TITLE = {Letter to {C}ongressman {T}im {V}alentine on
{NIST's} {DSS}},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
NUMBER = {4}, PAGES = {}, MONTH = oct }

@article{CommBib,
author={C. Partridge},
title = {Bibliography of Recent Publications on Computer Communication},
journal = {ACM SIGCOMM Computer Communication Review},
year = {1991}, volume = {21}, number = {1}, pages = {132-145},
month = jan }

@article{ISOstatus,
author={L. Chapin}, title = {Status of {OSI} (and related) Standards},
journal = {ACM SIGCOMM Computer Communication Review},
year = {1991}, volume = {21}, number = {1}, pages = {111-131},
month = jan }

@TechReport{ISO7498-1,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture Basic
   Reference Model}, Year={1984}, day={15}, month={October}  }

@TechReport{ISO7498-1C,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture Basic
   Reference Model, Technical Corrigendum}, Year={1988}, day={15}, month=dec  }

@TechReport{ISO7498-2,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture Security
   Architecture}, Year={1988}, day={19}, month={August}  }

@TechReport{ISO7498-3,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture Naming
   and Addressing}, Year={1989}, day={1}, month={March}  }

@TechReport{ISO7498-4,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture
   Management Framework}, Year={1989}, day={15}, month=nov  }

@TechReport{ISO7498-1Add1,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture,
   Addendum 1: Connectionless Data}, Year={1987}, day={15}, month={August}  }

@TechReport{ISO7498-X,
   Key={International}, Author={ISO}, Institution={International Standards
   Organization}, Title={Open Systems Interconnection Architecture Basic
   Reference Model}, Year={198}, Month={}  }

@InProceedings{Vissers90,
Key = {}, Author = {C.A. Vissers},
Title = {Protocol specification: The first ten years, the next ten years},
Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
Testing, and Verification},
Organization = {IFIP}, Address = {Ottawa, Canada},
Year = {1990},
Pages={}, Month = jun }

@InProceedings{Miller90,
Key = {}, Author = {R.E. Miller},
Title = {Protocol verification: The first ten years, the next ten years;
some personal observations},
Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
Testing, and Verification},
Organization = {IFIP}, Address = {Ottawa, Canada},
Year = {1990},
Pages={}, Month = jun }

@InProceedings{Sidhu90,
Key = {}, Author = {D. Sidhu},
Title = {Protocol testing: The first ten years, the next ten years},
Booktitle = {Proceedings of the 10th International IFIP Symposium on Protocol Specification,
Testing, and Verification},
Organization = {IFIP}, Address = {Ottawa, Canada},
Year = {1990},
Pages={}, Month = jun }

@article{Sidhu+91,
author={D. Sidhu and A. Chung and T.P. Blumer},
title = {Experience with Formal Methods in Protocol Development},
journal = {ACM SIGCOMM Computer Communication Review},
year = {1991}, volume = {21}, number = {2}, pages = {81-101},
month = apr }

@ARTICLE{SidhuBlumer90,
Author={D. Sidhu and T.P. Blumer}, TITLE = {Semi-automatic implementation
of {OSI} protocols},
JOURNAL = {Computer Networks \& ISDN System}, YEAR = {1990}, VOLUME = {18},
NUMBER = {}, PAGES = {}, MONTH = {} }

@TechReport{RFC1113,
   Key={Kent}, Author={S. Kent}, Institution={Internet Activities Board Privacy
   Task Force}, Month=aug, Year={1989},
   Title={Privacy Enhancement for {Internet} Electronic Mail: Part {I}.  {RFC 1113}} }

@TechReport{RFC1114,
   Key={Kent}, Author={S. Kent and J. Linn},
   Institution={Internet Activities Board Privacy Task Force},
   Month=aug, Year={1989},
   Title={Privacy Enhancement for {Internet} Electronic Mail: Part {II}:
     Certificate Based Key Management.  {RFC 1114}} }

@TechReport{RFC1115,
   Key={Linn}, Author={J. Linn}, Institution={Internet Activities Board Privacy
   Task Force}, Month=aug, Year={1989},
   Title={Privacy Enhancement for {Internet} Electronic Mail: Part {III}:
     Algorithms, Models and Identifiers.  {RFC 1115}} }

@InProceedings{Linn90,
Key={Linn}, Author={J. Linn}, Title={Practical Authentication for
Distributed Computing}, BookTitle={Proceedings of the 1990 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1990}, Month=may, pages={31--40}}

@InProceedings{GongNeedhamYahalom90,
Author={L. Gong and R. Needham and R. Yahalom},
Title={Reasoning about Belief in Cryptographic Protocols},
BookTitle={Proceedings of the 1990 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1990}, Month=may, pages={234-248}}

@InProceedings{Yaholom+93,
Author={R. Yahalom and B. Klein and Th. Beth},
Title={Trust Relationships in Secure Systems: A Distributed
Authentication Procedure},
BookTitle={Proceedings of the 1993 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1993}, Month=may, pages={150-164}}

@Article{RavindranChanson89,
Key = {Ravindran}, Author = {K. Ravindran and S.T. Chanson},
Title = {Failure Transparency in Remote Procedure Calls},
Journal = {IEEE Transactions on Computers},
Year = {1989}, volume ={32}, number = {8},
Pages={1173-1187}, Month = aug }

@Article{Birman85,
Key = {Birman}, Author = {K.P. Birman},
Title = {Implementing Remote Procedure Calls},
Journal = {ACM Transactions on Computer Systems},
Year = {1985}, volume = {SE-11}, number = {6},
Pages={502-8}, Month = jun }

@InProceedings{PowellPresotto83,
Key = {Powell}, Author = {M.L. Powell and D.L. Presotto},
Title = {{PUBLISHING}: A reliable broadcast communication mechanism},
Booktitle = {Proceedings of the Ninth Symp. on Operating Systems Principles},
Organization = {ACM SIGOPS}, Address = {},
Year = {1983},
Pages={100--109}, Month = jun }

@Article{LiskovScheifler83,
Key = {Liskov}, Author = {B. Liskov and R. Scheifler},
Title = {Guardians and Actions: Linguistic support for robust distributed programs},
Journal = {ACM Transactions on Programming Language Systems},
Year = {1983}, volume = {5}, Pages={381--404}, Month = jul }

@article{Birrell85,
author={A.D. Birrell}, key={Birrell},
title = {Secure Communication Using Remote Procedure Calls},
journal = {ACM Transactions on Computer Systems},
volume = {3}, number = {1}, pages = {1-14}, month = feb, year = {1985}}

@TechReport{Kerberos87,
   Key={Miller}, Author={S. Miller and B. Neuman and J. Schiller and
J. Saltzer},
   Institution={MIT Project Athena Technical Plan Section E.2.1},
   day={21}, month=dec, Year={1987},
   Title={Kerberos Authentication and Authorization System} }

@Article{shamir79,
Author={A. Shamir},Journal={Communications of the ACM},
Title={How to Share a Secret},Year={1979},Month=nov,Pages={612--613}
,Volume={22},Number={11}  }

@InProceedings{steiner88
   ,Author={J.G. Steiner and C. Neuman and J.I. Schiller}
   ,BookTitle={Proceedings of the USENIX Winter Conference}
   ,Title={Kerberos: An Authentication Service for Open Network Systems}
   ,Year={1988},Month=feb,Pages={191--202}   }

@TechReport{Kohl+90,
   Author={J. Kohl and B.C. Neuman and J. Steiner},
   Institution={MIT Project Athena},
   day={8}, month={October}, Year={1990},
   Title={The {Kerberos} Network Authentication Service (Version 5, draft 3) } }

@TechReport{DavisSwick90,
   Key={Davis}, Author={D. Davis and R. Swick},
   Institution={MIT Laboratory for Computer Science Tech. Mem. 424},
   Month=feb, Year={1990},
   Title={Workstation Services and {Kerberos} Authentication at {P}roject {A}thena} }

@InProceedings{BellovinMerritt91,
author={S.M. Bellovin and M. Merritt},
title = {Limitations of the {Kerberos} Authentication System},
booktitle = {{USENIX} Conference Proceedings, Winter '91},
volume = {}, number = {}, pages = {}, month = jan, year = {1991},
note = {A version of this paper
 appeared in {\it Computer Communications Review,} October 1990} }

@article{Gong89,
author={L. Gong}, key={gong}, title = {Using One-Way Functions
for Authentication}, journal = {ACM Communications Review}, volume = {19},
number = {5}, pages = {8-11}, month = oct, year = {1989}}

@InProceedings{KailarGligor91,
author={R. Kailar and V.D. Gligor},
Title={On the Evolution of Beliefs in Authentication Protocols},
BookTitle={Proceedings of the IEEE Computer Security Foundations Workshop IV},
Address={Franconia, New Hampshire},
Year={1991}, Month=jun }

@InProceedings{Gligor+91
   ,Author={V.D. Gligor and R. Kailar and S. Stubblebine and L. Gong}
   ,BookTitle={Proceedings of the 4th IEEE Computer Security Foundations Workshop}
   ,Address={Franconia, New Hampshire}
   ,Title={Logics for Cryptographic Protocols -- Virtues and Limitations}
   ,Year={1991}
   ,Month=jun
   ,Pages={219--226}
   }

@InProceedings{Millen94hookup,
author={J.K. Millen},
Title={Hookup security for synchronous machines},
BookTitle={Proceedings of the IEEE Computer Security Foundations Workshop VII},
Organization = {IEEE Computer Society},
Address={Franconia, New Hampshire}, pages = {2-10},
Year={1994}, Month=jun }

@InProceedings{StubblebineGligor92,
Author={S.G. Stubblebine and V.D. Gligor},
Title={On Message Integrity in Cryptographic Protocols},
BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1992}, Month=may, pages={85--104} }

@InProceedings{ReiterBirmanGong92,
Author={M. Reiter and K. Birman and L. Gong},
Title={Integrating Security in a Group Oriented Distributed System},
BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1992}, Month=may, pages={18--32} }

@ARTICLE{Gong93,
Author={L. Gong and T.M.A. Lomas and R.M. Needham and J.H. Saltzer},
TITLE = {Protecting poorly chosen secrets from guessing attacks},
JOURNAL = {IEEE Journal of Selected Areas in Communications},
YEAR = {1993}, VOLUME = {11}, NUMBER = {5}, PAGES = {648-656}, MONTH = jun }

@TechReport{Berson+93,
Author={T. Berson and L. Gong and T.M.A. Lomas},
TITLE = {Secure, Keyed, and Collisionful Hash Functions},
Institution = {SRI International, included in SRI-CSL-94-08},
YEAR = {1993} }

@Article{ReiterBirman94,
Author={M. Reiter and K. Birman},
Journal={ACM Transactions on Programming Languages and Systems},
Title={How to Securely Replicate Services},
Year={1994},Month=may,Pages={986--1009},Volume={16},Number={3}   }

@Article{Neuman+94,
Author={B.C. Neuman and T. Ts'o}, Journal={IEEE Communications},
Title={Kerberos: An Authentication Service for Computer Networks},
Year={1994},Month=sep,Pages={33--38},Volume={32},Number={9} }

@InProceedings{DesmedtFrankelYung92,
Author={Y. Desmedt and Y. Frankel and M. Yung},
Title={Multi-receiver/multi-sender network security: Efficient
authenticated multicast/feedback},
BookTitle={Proceedings of IEEE INFOCOM}, Organization={IEEE},
Address={}, Year={1992}, Month={}, pages={}}

@InProceedings{Kailar+94,
Author={R. Kailar and V.D. Gligor and L. Gong},
Title={On the Security Effectiveness of Cryptographic Protocols},
BookTitle ={Proceedings of the 1994 Conference on Dependable Computing for
Critical Applications},
Organization={}, Address={San Diego, California},
Year={1994}, Month=jan, pages={90--101} }

@misc{ShockleyWorkshop88,
author={W.R. Shockley},
title={Fundamental Limitations on View-Based Access Controls},
booktitle={Research Directions in Database Security},
editor={T.F. Lunt},
note={to appear} }

@TechReport{ShockleySpec89,
author={W.R. Shockley and R.R. Schell and T.F. Lunt and D. Warren and
M. Heckman}, Title="Final Report Vol.\ 5: The {S}ea{V}iew Implementation
Specifications (draft)", institution="Gemini Computers", Year=1989 }

@InProceedings{Shirley81,
Author={L.J. Shirley and R.R. Schell},
Title={Mechanism Sufficiency Validation by Assignment},
Booktitle={Proceedings of the 1981 IEEE Symposium on Security and Privacy},
month=apr, Year=1981 }

@MastersThesis{Shirley81T,
   Key={Shirley},    Author={L.J. Shirley},
   Title={Non-Discretionary Security Validation by Assignment}, Year={1981},
   School={Department of Computer Science,
     Naval Postgraduate School, Monterey, California},   Month=jun }

@misc{S1,
Title={Artificial Intelligence for {B}1-{B}},
Journal={Signal},
volume={XL(10)},
pages=130,
month=jun,
year=1986 }

@Article{S2,
Author={R.P. Shumaker and J. Franklin},
Title={Artificial Intelligence in Military Applications},
Journal={Signal},
volume={XL(10)},
pages={29+},
month=jun,
year=1986 }

@InProceedings{Smaha88,
Author={S.E. Smaha},
Title={Haystack: An Intrusion Detection System},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications
   Conference, Orlando FL},
month=dec,
Year=1988 }

@InProceedings{Smith88,
Author={G.W. Smith},
Title={Identifying and Representing the Security Semantics of an Application},
Booktitle={Proceedings of the Fourth Aerospace Computer Security Applications
   Conference, Orlando FL},
month=dec,
Year=1988 }

@Article{Stefik86,
author={M. Stefik and D.G. Bobrow},
title={Object-Oriented  Programming:  Themes and Variations},
Journal={The AI Magazine},
month={Winter},
year=1986 }

@Article{Stefik82,
Author={M. Stefik and J. Aikens and R. Balzer and J. Benoit and L. Birnbaum and F. Hayes-Roth and E.D. Sacerdoti},
Title={The Organization of Expert Systems},
Journal={Artificial Intelligence},
volume=18,
pages={29+},
year=1982 }

@InProceedings{Stonebraker87,
author={M. Stonebraker  and  L.A. Rowe},
title={The Design of {POSTGRES}},
booktitle={The POSTGRES Papers, M86/85},
editor={M. Stonebraker and L.A. Rowe},
publisher={Electronics Research Laboratory, College of Engineering, University
of California, Berkeley},
year=1987 }

@InProceedings{Stonebraker74,
Author={M. Stonebraker and E. Wong},
Title={Access Control in a Relational Data Base Management System by Query
     Modification},
Booktitle={Proceedings of the 1974 ACM Annual Conference},
Year=1974 }

@InProceedings{SuOz87,
Author={T. Su and G. Ozsoyoglu},
Title={Data Dependencies and Inference Control in Multilevel Relational Database
Systems},
Booktitle={Proceedings of the 1987 IEEE Symposium on Security and Privacy},
month=apr,
Year=1987 }

@Article{Suwa82,
Author={M. Suwa and A. Carlisle Scott and E.H. Shortliffe},
Title={An Approach to Verifying Completeness and Consistency in a Rule-Based Expert
System},
Journal={AI Magazine},
volume=3,
number=4,
year=1982 }

@Article{S8,
Author={A.J. Tachmindji and E.L. Lafferty},
Title={Artificial Intelligence for Air Force Tactical Planning},
Journal={Signal},
volume={XL(10)},
pages={110-114},
month=jun,
year=1986 }

@InProceedings{Tener86,
Author={W.T. Tener},
Title={Discovery:  An Expert System in the Commercial Data Security Environment},
Booktitle={Proceedings of the IFIP Security Conference},
address={Monte Carlo},
Year=1986 }

@Article{Thuraisingham87,
Author={M.B. Thuraisingham},
Title={Security Checking in Relational Database Management Systems Augmented
  with Inference Engines},
Journal={Computers and Security},
volume=6,
number=6,
year=1987 }

@InProceedings{Thuraisingham88,
Author={T.F. Keefe and W.T. Tsai and M.B. Thuraisingham},
Title={A Multilevel Security Model for Object-Oriented Systems},
Booktitle={Proceedings of the Eleventh National Computer Security Conference},
month=oct,
Year=1988 }

@InProceedings{Keef90b,
Author={T.F. Keefe and W.T. Tsai},
BookTitle={Proceedings of the 1990 Symposium on Research in Security and Privacy},
Address={Oakland, California},
Title={Multiversion Concurrency Control for Multilevel Secure Database Systems},
Organization={IEEE Computer Society},
Year={1990},Month=may,Pages={369-383}   }

@Article{VaradharajanBlack91,
Author={V. Varadharajan and S. Black},
Title={Multilevel Security in a Distributed Object-Oriented System},
Journal={Computers and Security},
volume=10, number=1, year=1991, pages={51-68} }

@Article{Traub84,
Author={J.F. Traub and H. Wozniakowski and Y. Yemini},
Title={Statistical security of a statistical data base},
Journal={ACM Transactions on Database Systems},
volume=9,
number=4,
month=dec,
year=1984 }

@Article{Trueblood83,
Author={R.P. Trueblood and H.R. Hartson and J.J. Martin},
Title={{MULTISAFE}: {A} modular multiprocessing approach to secure database
  management},
Journal={ACM Transactions on Database Systems},
volume=8,
number=3,
month=sep,
year=1983 }

@TechReport{TRW86,
author={TRW Defense Systems Group},
Title="Intrusion-Detection Expert System Feasiblity Study",
type={Final Report},
institution="TRW",
number={46761},
Year=1986 }

@Book{Ullman88,
Author={J.D. Ullman},
Title={Principles of Database and Knowledge-Base Systems},
volume={1},
publisher={Computer Science Press},
address={Rockville, Maryland},
year=1988 }

@Book{Ullman82,
Author={J.D. Ullman},
Title={Principles of Database Systems},
publisher={Computer Science Press},
address={Rockville, Maryland},
year=1982 }

@inproceedings{VaccaroLiepins89,
author={H.S. Vaccaro and G.E. Liepins},
title={Detection of Anomalous Computer Session Activity},
Booktitle={Proceedings of the 1989 IEEE Symposium on Research in Security and Privacy},
pages={280-289}, month=may, Year=1989 }

@TechReport{VanHorneSytek5,
author={J. van Horne and L.Halme},
Title="Analysis of Computer System Audit Trails: Training and Experimentation
   with Classifier",
institution="Sytek",
address={Mountain View, California},
number={TR-85006},
month=mar,
Year=1986 }

@TechReport{VanHorneSytek6,
author={J. van Horne and L. Halme},
Title="Analysis of Computer System Audit Trails: Final Report",
institution="Sytek",
address={Mountain View, California},
number={TR-85007},
month=may,
Year=1986 }

@InProceedings{Vinter88,
author={S.T. Vinter},
title={Extended Discretionary Access Controls},
booktitle={Proceedings of the 1988 IEEE Symposium on Security and Privacy},
month=apr,
year=1988 }

@InProceedings{Watson81,
Author={R.W. Watson},
title={Distributed Systems Architecture Model},
Booktitle={Distributed Systems -- Architecture and Implementation: An
Advanced Course, volume 105 of Lecture Notes in Computer Science,
B.W. Lampson (ed.)},
publisher={Springer-Verlag, Berlin}, pages={10-43}, Year=1981 }

@inproceedings{Watson10,
  title = {Capsicum: {{Practical Capabilities}} for {{UNIX}}},
  shorttitle = {Capsicum},
  booktitle = {Proceedings of the 19th {{USENIX Conference}} on {{Security}}},
  author = {Watson, Robert N. M. and Anderson, Jonathan and Laurie, Ben and Kennaway, Kris},
  date = {2010-08-11},
  publisher = {{USENIX Association}},
  location = {{Berkeley, CA, USA}},
  url = {https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf},
  abstract = {Capsicum is a lightweight operating system capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support compartmentalisation of monolithic UNIX applications into logical applications, an increasingly common goal supported poorly by discretionary and mandatory access control. We demonstrate our approach by adapting core FreeBSD utilities and Google's Chromium web browser to use Capsicum primitives, and compare the complexity and robustness of Capsicum with other sandboxing techniques.},
  series = {{{USENIX Security}}'10}
}



@TechReport{Watson10a,
author={Robert N.~M. Watson},
Title="{New Approaches to Operating System Security Extensibility}",
institution="Ph.D. Thesis, University of Cambridge, Cambridge, UK",
month=oct,
Year=2010
}

@TechReport{UCAM-CL-TR-818,
  author =	 {Watson, Robert N. M.},
  title = 	 {{New approaches to operating system security extensibility}},
  year = 	 2012,
  month = 	 apr,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-818}
}

@Book{Lampson81,
Author={B.W. {Lampson (ed.)}},
Title={Distributed Systems -- Architecture and Implementation: An
Advanced Course},
publisher={Springer-Verlag, Berlin,
Lecture Notes in Computer Science, Vol. 105},
Year=1981 }

@InProceedings{Lampson03,
author = {B.W. Lampson},
Title = {Software Components: Only The Giants Survive},
Booktitle = {Computer Systems: papers for Roger Needham, K. Spark-Jones and A. Herbert (editors)},
publisher = {Microsoft Research, Cambridge, U.K.},
month = feb,
year = {2003},
pages = {113-120} }

@book{McKBKQ96,
Author = {M.K. McKusick and K. Bostic and M.J. Karels and J.S. Quarterman},
Title = {The Design and Implementation of the 4.4~BSD Operating System},
Publisher = {Addison-Wesley, Reading, Massachusetts},
Year ={1996} }

@TechReport{WhitehurstProofs89,
author={R. Alan Whitehurst and T.F. Lunt},
Title="Final Report Vol.\ 3B: The {SeaView} Formal Verification: Proofs",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
Year=1989 }

@InProceedings{Wilson88,
Author={J. Wilson},
Title={Views as the Security Objects in a Multilevel Secure Relational
     Database Management System},
Booktitle={Proceedings of the 1988 IEEE Symposium on Security and
  Privacy},
month=apr,
Year=1988 }

@InProceedings{Woodward87,
Author={J. Woodward},
Title={Exploiting the Dual Nature of Sensitivity Labels},
Booktitle={Proceedings of the 1987 IEEE Symposium on Security and
  Privacy},
month=apr,
Year=1987 }

@Article{S3,
Author={M. Youngers and J. Franklin and C. Lackey Carmody and A. Meyrowitz},
Title={Improving {C}3:  The Potential of Artificial Intelligence},
Journal={Signal},
volume={XL(10)},
pages={51+},
month=jun,
year=1986 }

@InProceedings{Wagner86,
Author={N.R. Wagner and P.S. Putter and M.R. Cain},
Title={Encrypted database design: specialized approaches},
Booktitle={Proceedings of the 1986 IEEE Symposium on Security and
  Privacy},
month=apr,
Year=1986 }

@Article{Waltz83,
Author={D.L. Waltz},
Title={Helping Computers Understand Natural Languages},
Journal={IEEE Spectrum},
month=nov,
year=1983 }

@TechReport{Wehrle83,
author={E. Wehrle and J. Schlorer},
Title="The Partner Algorithm for Protecting Statistical Databases",
type={Technical Report, Klinische Dokumentation},
institution="Universit{\"a}t Ulm",
address={Ulm, Germany},
month=mar,
Year=1983 }

@TechReport{Whitehurst87,
author={R. Alan Whitehurst},
Title="Expert Systems in Intrusion-Detection: A Case Study",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California},
month=nov,
Year=1987 }

@InProceedings{Whitehurst89,
Author={R. Alan Whitehurst and T.F. Lunt},
Title={The {SeaView} Verification},
Booktitle={Proceedings of the Second Workshop on the Foundations of Computer Security},
month=jun,
Year=1989 }

@InProceedings{Woelk86,
Author={D. Woelk and W. Kim and W. Luther},
Title={An Object-Oriented Approach to Multimedia Databases},
Booktitle={ACM SIGMOD Conference Proceedings},
Year=1986 }

@Article{Yankelovich88,
Author={N. Yankelovich and B. Haan and N. Meyrowitz and S. Drucker},
Title={Intermedia: The Concept and the Construction of a Seamless Information
   Environment},
Journal={Computer},
month=jan,
year=1988 }

@TechReport{DoD87,
author={National Computer Security Center},
title={A guide to Understanding Discretionary Access Controls in Trusted Systems},
number={NCSC-TG-003},
institution={National Computer Security Center},
month=sep,
year=1987 }

@TechReport{2167A,
author={Department of Defense},
title={Defense System Software Development},
number={DoD-STD-2167A},
institution={Department of Defense},
month=feb,
year=1988 }

@TechReport{JDN88031,
Author={J.D. Northcutt and R.K. Clark and S.E. Shipman and D.P.
Maynard and D. C. Lindsay and E.D. Jensen and J.M. Smith and R.B.
Kegley and P.J. Keleher and B.A. Zimmerman},
Title={{A}lpha Preview: A Briefing and Technology Demonstration for
{DoD}},
Institution={Department of Computer Science},
Type={Archons Project Technical Report 88031},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=mar,
Year=1988}

@TechReport{EDJ88121,
Author={E.D. Jensen and J.D. Northcutt and R.K. Clark and S.E.
Shipman and D.P. Maynard and D.C. Lindsay},
Title={The {A}lpha Operating System: An Overview},
Type={Archons Project Technical Report 88121},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=dec,
Year=1980 }

@TechReport{JDN88011,
Author={J.D. Northcutt},
Title={The {A}lpha Operating System: Requirements and Rationale},
Type={Archons Project, technical report 88011},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=jan,
Year=1988 }

@TechReport{JDN88011a,
Author={J.D. Northcutt and R.K. Clark},
Title={The {A}lpha Operating System: Programming Model},
Type={Archons Project Technical Report 88021},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=feb,
Year=1988 }

@TechReport{JDN88122,
Author={J.D. Northcutt and R.K. Clark and S.E. Shipman and D.C.
Lindsay},
Title={The {Alpha} Operating System: System/Subsystem Specification},
Type={Archons Project Technical Report 88122},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=dec,
Year=1988 }

@TechReport{JDN88111,
Author={J.D. Northcutt},
Title={The {A}lpha Operating System: Kernel Programmer's Interface
Manual},
Type={Archons Project Technical Report 88111},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=nov,
Year=1988 }

@TechReport{JET88123,
Author={J.E. Trull and J.D. Northcutt and R.K. Clark and S.E.
Shipman},
Title={An Evaluation of {A}lpha Real-Time Scheduling Policies},
Type={Archons Project Technical Report 88123},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=dec,
Year=1988 }

@TechReport{RKC88032,
Author={R.K. Clark and R.B. Kegley and P.J. Keleher and D.P.
Maynard and J.D. Northcutt and S.E. Shipman and B.A. Zimmerman},
Title={An Example Real-Time Command and Control Application on {A}lpha},
Type={Archons Project Technical Report 88032},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=mar,
Year=1988}

@TechReport{JDN88123,
Author={J.D. Northcutt and S.E. Shipman},
Title={The {A}lpha Operating System: Program Maintenance Manual},
Type={Archons Project Technical Report 88123},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University},
Month=dec,
Year=1988}

@TechReport{JDN88041,
Author={J.D. Northcutt and S.E. Shipman},
Title={The {A}lpha Operating System: Programming Utilities},
Type={Archons Project Technical Report 88041},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=apr,
Year=1988}

@TechReport{JDN88033,
Author={J.D. Northcutt},
Title={The {A}lpha Distributed Computer System Testbed},
Type={Archons Project Technical Report 88033},
Institution={Department of Computer Science},
Address={Carnegie-Mellon University, Pittsburgh, Pennsylvania},
Month=mar,
Year=1988 }

@book{JDN87,
Author={J.D. Northcutt},
Title={Mechanisms for Reliable, Distributed Real-Time Operating Systems: The
{A}lpha Kernel},
Publisher={Academic Press, New York},
Year=1987}

@TechReport{EDJ88120,
Author={E.D. Jensen and J.A. Test and R.D. Reynolds and E. Burke
and J.G. Hanko},
Title={Alpha Release 2 Design Summary Report},
Type={Technical Report 88120},
Institution={Kendall Square Research Corporation, Cambridge, Massachusetts},
Month=sep,
Year=1988}

@TechReport{FDR88121,
Author={F.D. Reynolds and  J.G. Hanko and  J.A. Test and  E. Burke
and  E.D. Jensen},
Title={Alpha Release 2 Kernel Interface Specification},
Type={Technical Report 88121},
Institution={Concurrent Computer Corporation, Cambridge, Massachusetts},
Month=dec,
year=1988}

@TechReport{RDR88122,
Author={F.D. Reynolds and J.G. Hanko and E.D. Jensen},
Title={Alpha Release 2 Preliminary System/Subsystem Description},
Type={Technical Report 88122},
Institution={Concurrent Computer Corporation},
Month=dec,
year=1988}

@manual{Clark90,
   Organization={Ph.D. Thesis, School of Computer
  Science, Carnegie-Mellon University},
   Title={Scheduling Dependent Real-Time Activities},
   Author={R.K. {Clark}}, Year={1990}, Address={Pittsburgh, Pennsylvania},
   }

@TechReport{DenningSecurityModel87,
author={T.F. Lunt and D.E. Denning and R.R. Schell
and M. Heckman and W.R. Shockley}, Title="Secure Distributed Data Views:
Formal Security Policy Model",
type={Technical Report}, number={RADC-TR-89-313, vol. II (of five)},
institution="Rome Air Development Center", Year=1989 }

@Article{LuntSeaViewModel90,
author={T.F. Lunt and D.E. Denning and R.R. Schell and M. Heckman and
W.R. Shockley}, Title="The {SeaView} Security Model",
Journal={IEEE Transactions on Software Engineering},
volume=16,
number=6,
pages={593-607},
month=jun,
year=1990 }

@TechReport{Denning86Policy,
Author={D.E. Denning and T. Lunt and P.G. Neumann
and R.R. Schell and M. Heckman and W. Shockley}, Institution={Computer Science
Laboratory, SRI International}, Title={Security Policy and Interpretation for a
Class A1 Multilevel Secure Relational Database System}, Year={1986},
Month=nov, Address={Menlo Park, California}}

@InProceedings{KeyKOS,
Author={S.A. Rajunas and N. Hardy and A.C. Bomberger and W.S. Frantz and C.R. Landau},
Title={Security in {K}ey{KOS}},
Booktitle={Proceedings of the 1986 IEEE Sympsium on Security and Privacy},
Month=apr,
Year=1986 }

@Article{ShapiroHardy02,
   Author={J.S. Shapiro and N. Hardy},
   Journal={IEEE Software},
   Title={{EROS:} A Principle-Driven Operating System from the Ground Up},
   Year={2002},
   Month={January/February},
   Volume={19},
   Number={1},
   Pages={26--33}
   }

@inproceedings{Kain86,
author = "R.Y. Kain and C.E. Landwehr",
title = "On Access Checking in Capability-Based Systems",
booktitle = {Proceedings of the 1986 IEEE Symposium on Security and Privacy},
month = apr,
year = 1986 }

@book{KainArch,
Author={R.Y. Kain},
Title={Computer Architecture: Software and Hardware},
Publisher={Prentice-Hall},
Year={1988} }

@InProceedings{Gong89c,
Author={L. Gong}, Title={A Secure Identity-Based Capability System},
BookTitle ={Proceedings of the 1989 Symposium on Research in Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1989}, Month=may, pages={56--63} }

@book{Soltis-400,
Author={F.G. Soltis},
Title={Inside the AS/400},
Publisher={29th Street Press, Loveland, Colorado, second edition},
Year={1997} }

@book{Soltis-i,
Author={F.G. Soltis},
Title={Fortress Rochester: The Inside Story of the IBM iSeries},
Publisher={29th Street Press, Loveland, Colorado},
Year={2001} }

@InProceedings{LuntDesign88,
Key={Lunt}, Author={T.F. Lunt and R.R. Schell and W.R.
Shockley and M. Heckman and D. Warren}, Title={A Near-Term Design for the
\mbox{{SeaView}} Multilevel Database System},
BookTitle={Proceedings of the 1988 Symposium on
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1988}, Month=apr, pages={234-244}}

@InProceedings{LuntDonovan90,
Author={T.F. Lunt and D. Hsieh},
Title={The {SeaView} Secure Database System: A Progress Report},
BookTitle={Proceedings of the European Symposium on Research in Computer Security
(ESORICS 90)}, Organization={IEEE Computer Society}, Address={Toulouse,
France}, Year={1990}, Month=oct, pages={}}

@TechReport{DenningNeumann85,
Author={D.E. Denning and P.G. Neumann},
Institution={Computer Science Laboratory, SRI International},
Title={Requirements and Model for {IDES}: {A} Real-Time Intrusion-Detection
Expert System}, Year={1985}, Month=aug, Address={Menlo Park, California} }

@TechReport{NCIC89,
Author={J.J. Horning and P.G. Neumann and D.D. Redell and J. Goldman and D.R. Gordon},
Institution={Computer Professionals for Social Responsibility},
Title={A Review of NCIC 2000 (report to the Subcommittee on Civil and
Constitutional Rights of the Committee on the Judiciary, United States House of
Representatives)}, Year={1989}, Month=feb, Address={Palo Alto, California} }

@TechReport{NCIC90,
Author={P.G. Neumann},
Institution={Computer Science Laboratory, SRI International},
Title={Security Controls for NCIC Computer System Use: Federal, State, and Local},
Year={1990}, day={29}, month={June}, Address= {Menlo Park, California} }

@TechReport{TECSSecReq,
Author={T.F. Lunt and P.G. Neumann and J. Rushby and M. Moriconi},
Institution={Computer Science Laboratory, SRI International},
Title={{FBI-Customs Trusted Guard}: Security Policy and Security Requirements},
Year={1990}, day={12}, month=nov, Address= {Menlo Park, California},
NOTE= {Prepared for Roger Woods, FBI, Washington, D.C., under
Contract No.~N00174-89-C-0188. }  }

@InProceedings{Neumann90Halifax,
Author={P.G. Neumann}, Title={Whither Formal Methods?}, Booktitle={Formal
Methods for Trustworthy Computer Systems (FM'89), A Workshop on the Assessment
of Formal Methods for Trustworthy Computer Systems}, Note={23-27 July 1989,
Nova Scotia, Canada, D. Craigen and K. Summerskill (eds.)}, Year=1990,
isbn={3-540-19635-8},
Publisher={Springer-Verlag, Berlin} }

@Book{Craigen90,
Author={D. Craigen and K. {Summerskill (eds.)}}, Title={Formal
Methods for Trustworthy Computer Systems (FM'89), A Workshop on the Assessment
of Formal Methods for Trustworthy Computer Systems}, Note={23-27 July 1989,
Nova Scotia, Canada}, Year=1990,
isbn={3-540-19635-8},
Publisher={Springer-Verlag, Berlin} }

@Book{Srivas+96,
Author={M. Srivas and A. {Camilleri, editors}},
Title={Formal Methods in Computer-Aided Design},
publisher={Springer-Verlag, Berlin,
Lecture Notes in Computer Science, Vol. 1166},
Year=1996 }

@INPROCEEDINGS{Neumann87COMPASS,
Author={P.G. Neumann}, Key={Neumann},
Year=1987, Month="Jun-Jul", Title={The {N} Best (or Worst)
Computer-Related Risk Cases},
BookTitle={Proceedings of the Second Annual Conference on Computer
Assurance COMPASS '87, IEEE 87TH0196-6}, Organization={IEEE}, Pages={xi-xiii}}

@INPROCEEDINGS{Neumann88COMPASS,
Author={P.G. Neumann}, Key={Neumann},
Year=1988, Month=Jun, Title={The Computer-Related Risk of the Year: Computer
Abuse}, BookTitle={Proceedings of the Third Annual Conference on Computer
Assurance COMPASS '88, IEEE 88CH2628-6}, Organization={IEEE}, Pages={8-12}}

@INPROCEEDINGS{Neumann89COMPASS,
Author={P.G. Neumann}, Key={Neumann},
Year=1989, Month=Jun, Title={The Computer-Related Risk of the Year:
Misplaced Trust in Computer Systems},
BookTitle={Proceedings of the Fourth Annual Conference on Computer
Assurance, COMPASS '89}, Organization={IEEE}, Pages={9-13}}

@INPROCEEDINGS{Neumann90COMPASSa,
Author={P.G. Neumann}, Key={Neumann},
Year=1990, Month=Jun, Title={The Computer-Related Risk of the Year: Distributed
Control}, BookTitle={Proceedings of the Fifth Annual Conference on Computer
Assurance, COMPASS '90, IEEE 90CH2830}, Organization={IEEE}, Pages={173-177}}

@INPROCEEDINGS{Neumann90COMPASSb,
Author={P.G. Neumann}, Key={Neumann},
Year=1990, Month=Jun, Title={Towards Standards and Criteria for Critical
Computer Systems}, BookTitle={Proceedings of the Fifth Annual Conference on
Computer Assurance, COMPASS '90}, Organization={IEEE}, Pages={186-188}}

@INPROCEEDINGS{Neumann91COMPASS,
Author={P.G. Neumann}, Key={Neumann},
Year=1991, Month=Jun, Title={The Computer-Related Risk of the Year:
Weak Links and Correlated Events},
BookTitle={Proceedings of the Sixth Annual Conference on Computer
Assurance, COMPASS 91}, Organization={NIST, IEEE 91CH3033-8}, Pages={5-8}}

@INPROCEEDINGS{Neumann93COMPASS,
Author={P.G. Neumann}, Key={Neumann},
Year=1993, Month=Jun, Title={Myths of Dependable Computing:
Shooting the Straw Herrings in Midstream},
BookTitle={Proceedings of the Eighth Annual Conference on Computer
Assurance, COMPASS 93}, Organization={NIST}, Pages={1--4}}

@InProceedings{Neumann90EWD,
Key={Neumann}, Author={P.G. Neumann},
title={Beauty and the Beast of Software Complexity -- Elegance versus Elephants},
organization={Springer-Verlag, Berlin, New York},
pages={346-351 (Chapter 39)},
Year="11 May 1990",
booktitle= "Beauty Is Our Business, A Birthday Salute to Edsger W. Dijkstra",
note = {W.H.J. Feijen, A.J.M. van Gasteren, D. Gries, J. Misra, eds.} }

@book{DijkstraBeauty,
Author={W.H.J. Feijen and A.J.M. van Gasteren and D. Gries and J. {Misra, editors}},
Title={Beauty is our Business, A Birthday Salute to Edsger W. Dijkstra},
Publisher={Springer-Verlag, Berlin},
isbn={0-387-97299-4},
Year={11 May 1990} }

@InProceedings{Neumann90NCS,
Key = "Neumann", Author = "P.G. Neumann",
Title="Rainbows and Arrows: How the Security Criteria Address Computer Misuse",
Booktitle="Proceedings of the Thirteenth National Computer Security
  Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="414-422", month=oct }

@InProceedings{Ware95NCS,
Key = "Ware", Author = "W.H. Ware",
Title="A Retrospective of the Criteria Movement",
Booktitle = "Proceedings of the Eighteenth
National Information Systems Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995",
Pages="582-588", month=oct }

@TechReport{Ware70,
author={W.H. Ware},
Title={Security Controls for Computer Systems},
institution= {RAND report for the Defense Science Board},
address={}, month ={}, Year=1970,
note = {http://cryptome.org/sccs.htm} }

@InProceedings{Neumann90Complexity,
Key = "Neumann", Author = "P.G. Neumann",
Title = "Managing Complexity in Critical Systems",
Booktitle = "Managing Complexity and Modeling Reality: Strategic Issues
and an Action Agenda",
Note="In a report edited by D. Frailey, based on an ACM
Conference on Critical Issues, Arlington, Virginia,
6-7 November 1990.  This paper
includes a discussion of papers by David Parnas, Edward
S. Cheevers and R. Leddy in the conference track on Managing Complexity",
Address = "ACM, New York", Year = "1991",
ISBN={0-89791-458-9}, Pages="2-36 -- 2-42" }

@TechReport{Neumann90NSF,
Author={P.G. Neumann}, Key={Neumann},
Institution={Computer Science Laboratory, SRI International},
Title={On the Design of Dependable Computer Systems for
Critical Applications}, Note={CSL Technical Report CSL-90-10},
Year={1990}, Month=oct, Address={Menlo Park, California} }

@TechReport{Neumann90RADC,
Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, Key={Neumann},
Title={Secure Distributed Systems: Vulnerabilities, Defenses, and Analyses},
Institution={Computer Science Laboratory, SRI International},
Note={Project 1021, Interim Report},
Year={1990}, Month=nov, Address={Menlo Park, California} }

@TechReport{Neumann91RADC1,
Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, Key={Neumann},
Title={A Designer's Handbook for Secure Distributed Systems -- Preventing
System Misuse: Analysis and Synthesis},
Institution={Computer Science Laboratory, SRI International},
Note={Project 1021, Interim Report},
Year={1991}, Month=apr, Address={Menlo Park, California} }

@TechReport{NeumannProctor91Handbook,
Author={P.G. Neumann and N.E. Proctor and T.F. Lunt},
Title={Preventing Security Misuse in Distributed Systems},
Institution={Computer Science Laboratory, SRI International},
Note={Project 1021, Final Report},
Year={1992}, day={20}, month={March}, Address={Menlo Park, California} }

@TechReport{Neumann92RL,
Author={P.G. Neumann and N.E. Proctor and T.F. Lunt},
Title={Preventing Security Misuse in Distributed Systems},
Institution={Rome Laboratory Air Force Systems Command,
Griffiss Air Force Base, N.Y., 13441-5700},
Note={RL-TR-92-152.  For Official Use Only:
US Government Agencies and their
Contractors -- Critical Technology.},
Year={1992}, Month=jun, Address={} }

@TechReport{NeumannProctorLunt92,
Author={P.G. Neumann and N.E. Proctor and T.F. Lunt}, Key={Neumann},
Title={Preventing Security Misuse in Distributed Systems},
Institution={Computer Science Laboratory, SRI International},
Note={Issued as Rome Laboratory report RL-TR-92-152,
Rome Laboratory C3AB, Griffiss AFB NY 13441-5700.
For Official Use Only.},
Year={1992}, Month=jun, Address={Menlo Park, California} }

@TechReport{LABCOM92,
Author={A. Barnes and A. Hollway and P.G. Neumann},
Title={Survivable Computer-Communication Systems: The Problem and
       Preliminary Recommendations},
Institution={U.S. Army Vulnerability Assessment Laboratory},
Note={For Official Use Only.},
Year={1992}, Month=nov, Address={U.S. Army Vulnerability
Assessment Laboratory, SLCVA-D, White Sands Missile Range, NM 88002-5513} }

@TechReport{LABCOM93,
Author={A. Barnes and A. Hollway and P.G. Neumann},
Title={Survivable Computer-Communication Systems: The Problem and
       Working Group Recommendations.  {VAL-CE-TR-92-22} (revision 1)},
Note={For Official Use Only.},
Year={1993}, Month=may, Institution={U.S. Army Research
Laboratory, AMSRL-SL-E, White Sands Missile Range, NM 88002-5513} }

@TechReport{Greenberg93,
Author={I. Greenberg and P. Boucher and R. Clark and E.D. Jensen and
T.F. Lunt and P.G. Neumann and D. Wells},
Title={The Multilevel Secure Real-Time Distributed Operating System Study},
Institution={Computer Science Laboratory, SRI International},
Note={Issued as Rome Laboratory report RL-TR-93-101,
Rome Laboratory C3AB, Griffiss AFB NY 13441-5700.  Contact Emilie Siarkiewicz,
Internet: SiarkiewiczE@CS.RL.AF.MIL, phone 315-330-3241.
For Official Use Only.},
Year={1992}, Month=jun, Address={Menlo Park, California} }

@TechReport{Proctor91RADC,
Author={N.E. Proctor}, Key={Proctor},
Title={{SeaView} formal specifications},
Institution={Computer Science Laboratory, SRI International},
Year={1991}, Month=apr, Address={Menlo Park, California} }

@TechReport{Gree91
   ,Author={I.B. Greenberg}, Institution={SRI International}
   ,Title={Distributed Database Security}, Year={1991}
   ,Month=apr, Address={Menlo Park, California}, Type={Final Report}
   ,Note={For Contract No. MDA904-90-C-7708}    }

@InProceedings{Gree91b,
Author={I.B. Greenberg},
BookTitle={Proceedings of the Fourth RADC Multilevel Database Security Works
hop},Organization={},Address={Little Compton, RI},
Title={Should Serializability be Enforced in Multilevel Database Systems},
Year={1991},Month=apr,Pages={}   }

@ARTICLE{NeumannRISKSindex91,
Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the
Use of Computer Systems and Related Technology, Index to {RISKS} cases
as of 23 {D}ecember 1991},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1992}, VOLUME = {17},
NUMBER = {1}, PAGES = {23-32}, MONTH = jan , NOTE = {(Cumulative
updates are available on request.)}}

@ARTICLE{NeumannRISKSindex94,
Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the
Use of Computer Systems and Related Technology, Index to {RISKS} cases,
as of 7 {O}ctober 1993},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1994}, VOLUME = {19},
NUMBER = {1}, PAGES = {16--29}, MONTH = jan,
NOTE = {(At-least quarterly cumulative updates to this index are available
on request.)}}

@ARTICLE{NeumannRISKSindex96,
Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the
Use of Computer Systems and Related Technology, Index to {RISKS} cases
as of 27 {N}ovember 1995},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1996}, VOLUME = {21},
NUMBER = {1}, PAGES = {16--30}, MONTH = jan,
NOTE = {(This refers to the most recent published version.
Cumulative updates to this index are available online
at \verb+ftp://ftp.csl.sri.com/pub/users/neumann/illustrative.ps+
and \verb+.pdf+ .)}}

@TechReport{NeumannRISKSindex,
Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the
Use of Computer Systems and Related Technology, Index to {RISKS} cases},
Institution = {Computer Science Laboratory, SRI International},
Address = {Menlo Park, California},
YEAR = {2010},
NOTE = {Updated now and then: http://www.csl.sri.com/neumann/illustrative.html;
also in .ps and .pdf form for printing in a denser format.}
}

@TechReport{NeumannRISKSindexVot,
Author={P.G. Neumann}, TITLE = {Illustrative Risks to the Public in the
Use of Computer Systems and Related Technology, Index to {RISKS} cases},
Institution = {Computer Science Laboratory, SRI International},
Address = {Menlo Park, California},
YEAR = {2004},
NOTE = {The most recent version is available online
in html form for browsing at \xlink{http://www.csl.sri.com/neumann/illustrative.html}{http://www.csl.sri.com/neumann/illustrative.html}.
Click on ``Election Problems''.}}

@article{InsideRISKS,
author={P.G. Neumann}, key={neumann}, title = {Inside
RISKS}, journal = {Communications of the ACM}, year = {1990-}, volume = {33-}, number = {},
pages = {inside back cover}, month = {}, year = {}, Note = {monthly column
since Jul 1990} }

@InProceedings{Neumann91NCCV,
Key = {Neumann}, Author = {P.G. Neumann},
Title = {Computer Security and Human Values},
Booktitle = {Proceedings of the National Conference on Computing and Values},
Organization = {Southern Connecticut State University, New Haven,
Connecticut}, Year = {1991}, Pages={}, Month = {12-16 August} }

@InProceedings{Neumann92GI,
author={P.G. Neumann},
Title={Developing Complex Software for Critical Systems},
BookTitle={22. Jahrestagung der Gesellschaft f\"{u}r Informatik},
Year="1992", Month="30 Sept -- 2 October", pages="117-131" }

@InProceedings{ProctorNeumann92,
author={N.E. Proctor and P.G. Neumann},
Title={Architectural Implications of Covert Channels},
BookTitle="Proceedings of the Fifteenth National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1992", Month="13--16 October",
pages="28--43",
url="http://www.csl.sri.com/neumann/ncs92.html" }

@TechReport{NeumannGong94,
author={P.G. Neumann and L. Gong},
Title={Minimizing Trust in Multilevel-Secure Systems},
Institution = "SRI International, Menlo Park, California",
Year="1994", Month="15 March" }

@InProceedings{Gong94,
Author={L. Gong}, TITLE = {New Protocols for Third-Party-Based
Authentication and Secure Broadcast},
Booktitle = {Second ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia},
Year = {1994},
Pages={176--163}, Month = nov }

@TechReport{Gong94CSL,
author={L. Gong},
Title={Authentication, Key Distribution, and Secure Broadcast in
Computer Networks Using No Encryption or Decryption},
Institution = "SRI International, Menlo Park, California, SRI-CSL-94-08",
Year="1994", Month=may, Note = {This report contains two earlier related
papers on hash functions.} }

@TechReport{gong96f
   ,Author={S. Keung and L. Gong}
   ,Title={{Enclaves in Java: APIs and Implementations}}
   ,Institution={SRI International, Computer Science Laboratory}
   ,Address={333 Ravenswood Avenue, Menlo Park, California 94025}
   ,Year={1996}
   ,Month=jul
   ,Number={SRI-CSL-96-07}
   }

@TechReport{Gong96,
author={L. Gong},
Title={An Overview of {Enclaves} 1.0},
Institution = "SRI International, Menlo Park, California, SRI-CSL-96-01",
Year="1996", Month=jan,
Note = "(\xlink{http://www.csl.sri.com/papers/346/}{http://www.csl.sri.com/papers/346/})" }

@ARTICLE{Dugger88,
Author={R. Dugger}, TITLE = {Annals of Democracy (Voting by Computer)},
JOURNAL = {New Yorker}, YEAR = {1988}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = {November 7,} }

@TechReport{Saltman88,
author={R.G. Saltman},
Title={Accuracy, Integrity, and Security in Computerized Vote-Tallying},
institution= {National Bureau of Standards (now NIST) special publication},
address={Gaithersburg, Maryland}, month ={}, Year=1988}

@InProceedings{Shamos93,
Author={M. Shamos}, TITLE = {Electronic Voting: Evaluating the Threat},
Booktitle = {Computers, Freedom and Privacy '93}, YEAR = {1993},
PAGES = {3.18--3.25}, MONTH = mar }

@InProceedings{Saltman93,
Author={R.G. Saltman}, TITLE = {Assuring Accuracy, Integrity and Security
in National Elections: The Role of the {U.S.} {Congress}},
Booktitle = {Computers, Freedom and Privacy '93}, YEAR = {1993},
PAGES = {3.8--3.17}, MONTH = mar }

@InProceedings{Saltman93b,
Author={R.G. Saltman}, TITLE = {An integrity model is needed for
computerized voting and similar systems},
BookTitle="Proceedings of the Sixteenth National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1993", Month=sep,
pages="471--473" }

@InProceedings{Neumann93NCS,
author={P.G. Neumann},
Title={Security Criteria for Electronic Voting},
BookTitle="Proceedings of the Sixteenth National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1993", Month=sep,
pages="478--482" }

@InProceedings{Greenhalgh93,
Author = "G.L. Greenhalgh",
Title = "Security and Auditability of Electronic Vote
Tabulation Systems: One Vendor's Perspective",
Booktitle = "Proceedings of the Sixteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1993",
Pages="483--489", month=sep}

@InProceedings{Mercuri92,
Author = "R.T. Mercuri",
Title = "Physical Verifiability of Computer Systems",
Booktitle = "5th International Computer Virus and Security Conference",
Year = "1992", Month = mar}

@InProceedings{Mercuri93,
Author = "R. Mercuri",
Title = "Threats to Suffrage Security",
Booktitle = "Proceedings of the Sixteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1993",
Pages="474--477", month=sep  }

@InProceedings{NRM,
Key="Fellows", Author="J. Fellows and J. Hemenway and N. Kelem",
Title="The Architecture of a Distributed Trusted Computing Base",
BookTitle="10th National Computer Security Conference",
Address = "Baltimore, Maryland", Year="1987", Month="21-24 September", pages="68-77",
Note="Reprinted in Rein Turn, editor,
{\it Advances in Computer System Security},
Vol. 3, Artech House, Dedham, Massachusetts, 1988" }

@InProceedings{Weissman88,
Author={C. Weissman}, Title={Blacker: Security for the {DDN}.  {E}xamples of
{A1} Security Engineering Trades},
BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1992}, Month=may, pages={286-292},
Note={This paper was originally presented at the April 1988 Symposium,
but not published for four years because of a release problem.}}

@InProceedings{Weissman88N,
Author={C. Weissman}, Title={Blacker: Security for the {DDN}.  {E}xamples of
{A1} Security Engineering Trades},
BookTitle ={Proceedings of the 1992 Symposium on Research in Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1992}, Month=may, pages={286-292},
Note = {This paper was the recipient of the 1988 SSP Best Paper award, but
was not published until 1992.}  }

@article{Weissman91,
author={C. Weissman}, title = {A National Debate on Encryption Exportation},
journal = {Communications of the ACM}, year = {1991}, volume = {34}, number = {10},
pages = {162}, month = oct, Note = {Guest contribution to P.G. Neumann's
{\it Inside Risks} column} }

@article{Neumann90CACM,
author={P.G. Neumann}, title = {Risks in Computerized Elections},
journal = {Communications of the ACM}, year = {1990}, volume = {33},
number = {11}, pages = {170}, month = nov,
Note= {{\it Inside Risks} column.} }

@article{NeumannCACM94-4,
author={P.G. Neumann}, title = {Risks of Passwords},
journal = {Communications of the ACM}, year = {1994}, volume = {37},
number = {4}, pages = {126}, month = apr,
Note= {{\it Inside Risks} column.} }

@article{NeumannCACM94-5,
author={P.G. Neumann}, title = {Alternative Passwords},
journal = {Communications of the ACM}, year = {1994}, volume = {37},
number = {5}, pages = {146}, month = may,
Note= {{\it Inside Risks} column.} }

@article{MercuriNeumannCACM01-1,
author={R. Mercuri and P.G. Neumann}, title = {System Integrity Revisited},
journal = {Communications of the ACM}, year = {2001}, volume = {44},
number = {1}, pages = {}, month = jan,
Note= {{\it Inside Risks} column.} }

@article{MercuriCACM92-11,
author={R. Mercuri}, title = {Voting-Machine Risks},
journal = {Communications of the ACM}, year = {1992}, volume = {35},
number = {11}, pages = {}, month = nov,
Note= {{\it Inside Risks} column.} }

@article{MercuriCACM93-11,
author={R. Mercuri}, title = {Corrupted Polling},
journal = {Communications of the ACM}, year = {1993}, volume = {36},
number = {11}, pages = {}, month = nov,
Note= {{\it Inside Risks} column.} }

@article{MercuriCACM02-1,
author={R. Mercuri}, title = {Uncommon Criteria},
journal = {Communications of the ACM}, year = {2002}, volume = {45},
number = {1}, pages = {}, month = jan,
Note= {{\it Inside Risks} column.} }

@article{MercuriCACM02-11,
author={R. Mercuri},
title = {Florida 2002: Sluggish Systems, Vanishing Votes},
journal = {Communications of the ACM}, year = {2002}, volume = {45},
number = {11}, pages = {}, month = nov,
Note= {{\it Inside Risks} column.} }

@article{MercuriCACM03-1,
author={R. Mercuri},
title = {On Auditing Audit Trails},
journal = {Communications of the ACM}, year = {2003}, volume = {46},
number = {1}, pages = {}, month = jan,
Note= {{\it Security Watch} column.} }

@ARTICLE{NeumannMercuriWeinstein01,
Author={P.G. Neumann and R. Mercuri and L. Weinstein},
TITLE = {Internet and Electronic Voting},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {2001}, VOLUME = {26},
NUMBER = {2}, PAGES = {8}, MONTH = mar,
NOTE ={Earlier version in the Risks Forum, volume 21 number 14.} }

@InCollection{MercuriNeumann02,
Publisher = "Kluwer Academic Publishers",
Author = "R. Mercuri and P.G. Neumann",
Title = "Verification for Electronic Balloting Systems",
Year = "2002", Pages = "", Address = "Boston, Massachusetts",
Booktitle = "Secure Electronic Voting, Advances in Information
  Security, Volume 7",
Editors = "D. Grizalis" }

@inProceedings{MercuriNeumann02x,
Author="R. Mercuri and P.G. Neumann",
Title="Verification for Electronic Balloting Systems",
Booktitle="Secure Electronic Voting",
Note ="D. Gritzalis (editor)", Publisher =
"Kluwer Academic Publishers, Boston",Year="2002",Pages=""}

@book{Boehm89,
Author={B. Boehm},
Title={Tutorial: Software Risk Management},
Publisher={IEEE Computer Society Press, Piscataway, New Jersey},
Year={1989} }

@book{Charette89,
Author={R.N. Charette},
Title={Software Engineering Risk Analysis and Management},
Publisher={McGraw-Hill, New York},
Year={1989} }

@book{Charette90,
Author={R.N. Charette},
Title={Application Strategies for Risk Analysis},
Publisher={McGraw-Hill, New York},
Year={1990} }

@book{Charette93,
Author={R.N. Charette and F. Scarff and A. Carty},
Title={Introduction to the Management of Risk},
Publisher={HMSO (Her Majesty's Stationary Office)},
NOTE = {ISBN 0 11 330648 2},
Year={1993} }

@InProceedings{Charette97,
Author={R.N. Charette},
TITLE = {Managing the Risks in Information Systems and Technology},
Booktitle = {Advances in Computers}, YEAR = {1997}, VOLUME = {44},
Publisher = {Academic Press},
PAGES = {1--58} }

@proceedings{LSSI,
Title={SEI/NSIA Conference on Risks in the Acquisition and Development of
Large-Scale Software Intensive (LSSI) Systems},
ORGANIZATION={SEI/NSIA},
Address ={Pittsburgh, Pennsylvania},
Month={October 8-10},
Year={1991} }

@book{Jones94,
Author={C. Jones},
Title={Assessment and Control of Software Risks},
Publisher={Yourdon Press},
Year={1994} }

@InProceedings{BrunnsteinTrust,
Key = {Brunnstein}, Author = {Klaus Brunnstein, Simone Fischer-Huebner},
Title = {Risk Analysis of "Trusted Computer Systems"},
Booktitle = {Sixth International Conference on Information Security: SEC'90},
Organization = {IFIP TC-11}, Address = {Helsinki-Espoo}, Year = {1990},
Pages={}, Month = {23-25 May} }

@Manual{DTI,
KEY={GreatBritain}, TITLE = {Dark Green Books},
ORGANIZATION={Commercial Computer Security Centre, Department of Trade and Industry},
AUTHOR={U.K.-DTI},
NOTE = {Volumes V01 (Overview Manual), V02 (Glossary), V03 (Index), V11 (Users'
Code of Practice), V21 (Security Functionality Manual), V22 (Evaluation
Levels Manual), V23 (Evaluation and Certification Manual), V31 (Vendors'
Code of Practice), Version 3.0},
MONTH = feb,
YEAR={1989}}

@Manual{GISA,
TITLE = {IT-Security Criteria, Criteria for the Evaluation of
Trustworthiness of Information Technology (IT) Systems},
ORGANIZATION = {German Information Security Agency (ZSI),
Am Nippenkreuz 19, D 5300  Bonn 2},  AUTHOR={GISA},
NOTE = {Translation of Kriterien
f\"{u}r die Bewertung der Sicherheit von Systemen der Informationstechnik (IT),
Zentralstelle f\"{u}r Sicherheit in der Informationstechnik (formerly
ZSI, now CSI),
first edition, Bundesanzeiger, K\"{o}ln, Postfach
108006, 5000 Germany},
MONTH = {11 January}, YEAR= {1989} }

@article{TanenbaumVanRenesse,
key={tanenbaum}, Author={A.S. Tanenbaum and R. van Renesse},
TITLE = {Distributed Operating Systems}, JOURNAL = {ACM Computing Surveys},
YEAR={1985}, VOLUME = {17}, NUMBER = {4}, PAGES = {419-470}, MONTH = dec }

@book{Mullender89,
Author={S.J. {Mullender (ed.)}}, key={Mullender},
Title={Distributed Systems}, Publisher={ACM Press, New York,
and Addison-Wesley, Reading, Massachusetts}, Year={1989} }

@book{Tanenbaum92,
Author={A.S. Tanenbaum},
Title={Modern Operating Systems},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1992} }

@article{Amoeba90,
Author={S.J. Mullender and G. van Rossum and A.S. Tanenbaum and R. van Renesse
and H. van Staveren}, TITLE = {Amoeba, A distributed operating system for the
1990s}, JOURNAL = {Computer}, YEAR = {1990}, VOLUME = {33}, NUMBER = {5},
PAGES = {44-53}, MONTH = may }

@article{Amoeba90a,
key={tanenbaum}, Author={A.S. Tanenbaum and R. van Renesse and H. van Staveren
and G.J. Sharp and S.J. Mullender and G. van Rossum}, TITLE = {Experiences with
the {A}moeba distributed operating system},
JOURNAL = {Communications of the ACM},
YEAR = {1990}, VOLUME = {33}, NUMBER = {12}, PAGES = {46-63}, MONTH = dec }

@book{Schach,
Author={S.R. Schach},
Title={Software Engineering, 2nd ed.},
Publisher={Aksen Associates, Homewood, Illinois},
Year={1993} }

@TechReport{Bull+90,
Author={C.E. Landwehr and A.R. Bull and J.P. McDermott and W.S. Choi},
Institution={Center for Secure Information Technology,
Information Technology Division, Naval Research Laboratory},
Title={A Taxonomy of Computer Program Security Flaws, with Examples},
Year={1993}, Month=nov, Address={Washington, D.C.} }

@book{Hoffman90,
Author={L.J. {Hoffman (ed.)}}, key={Hoffman},
Title={Rogue Programs: Viruses, Worms, and Trojan Horses},
Publisher={Van Nostrand Reinhold, New York},
isbn={0-442-00454-0},
Year={1990}}

@book{DenningACM90,
Author={P.J. {Denning (ed.)}}, key={Denning},
Title={Computers Under Attack: Intruders, Worms, and Viruses},
Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
Year={1990}, Note={ACM order number 706900} }

@book{DenningDenning97,
Author={P.J. Denning and D.D. Denning},
Title={Internet Besieged},
Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
Year={1997} }

@InProceedings{NeumannACM90,
Author = {P.G. Neumann}, Title = {A Perspective from the Risks Forum},
Booktitle = {Computers Under Attack: Intruders, Worms, and Viruses},
Organization = {ACM Press, New York},
Year = {1990}, Pages={Article 39, 535-543}, Month = {}, NOTE={} }

@InProceedings{NeumannAAAS93,
Author = {P.G. Neumann},
Title = {Limitations of Computer-Communication Technology},
Booktitle = {Proceedings of an Invitational Conference on Legal, Ethical,
and Technological Aspects of Computer and Network Use and Abuse},
Organization = {AAAS}, Address = {},
Year = {1993}, Pages={}, Month = dec }

@TechReport{Paul90,
author={J. Paul},
Title={Bugs in the Program},
institution= {Report by the Subcommittee on Investigations and Oversight
of the Committee on Science, Space and Technology},
address={U.S. House of Representatives}, month ={}, Year=1990}

@book{NeumannRisksBook,
Author={P.G. Neumann},
Title={Computer-Related Risks},
Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
Year={1995} }

@book{NeumannRisksBookISBN,
Author={P.G. Neumann},
Title={Computer-Related Risks},
Note = {ISBN 0-201-55805-X.},
Publisher={ACM Press, New York, and Addison-Wesley, Reading, Massachusetts},
Year={1995} }

@book{Bernstein96,
Author={P.L. Bernstein},
Title={Against the Gods: The Remarkable Story of Risk},
Publisher={John Wiley \& Sons, New York},
Year={1996} }

@TechReport{Neumann94crypto,
author={P.G. Neumann},
Title={Can Systems Be Trustworthy with Software-Implemented Crypto?},
institution= {Final Report, Project 6402, SRI International},
Note={For Official Use Only, NOFORN.},
address={Menlo Park, California}, month =oct, Year={1994}}

@TechReport{Neumann95Arch,
author={P.G. Neumann},
Title={Architectures and Formal Representations for Secure Systems},
institution= {Final Report, Project 6401, SRI International},
Note={CSL report 96-05.},
address={Menlo Park, California}, month =oct, Year={1995} }

@TechReport{Neumann99ARL,
author={P.G. Neumann},
Title={Practical Architectures for Survivable Systems and Networks},
institution= {Final Report, Phase One, Project 1688, SRI International},
address={Menlo Park, California},
month =jan, Year={1999},
URL="http://www.csl.sri.com/neumann/arl-one.html",
NOTE = {also available in .ps and .pdf form} }

@TechReport{Neumann00ARL,
author={P.G. Neumann},
Title={Practical Architectures for Survivable Systems and Networks},
institution= {Final Report, Phase Two, Project 1688, SRI International},
address={Menlo Park, California},
month =jun, Year={2000},
NOTE = "http://www.csl.sri.com/neumann/survivability.html"
}

@TechReport{NeumannCHATS01a,
author={Peter G. Neumann},
Title={Composability Revisited},
institution= {Computer Science Laboratory, SRI International},
Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
\xlink{http://www.csl.sri.com/neumann/chats1.html}{http://www.csl.sri.com/neumann/chats1.html}; also chats1.ps and chats1.pdf.},
address={Menlo Park, California}, month ={28 September}, Year=2001 }

@TechReport{NeumannCHATS01b,
author={Peter G. Neumann},
Title={{CHATS} Principles},
institution= {Computer Science Laboratory, SRI International},
Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
\xlink{http://www.csl.sri.com/neumann/chats2.html}{http://www.csl.sri.com/neumann/chats2.html}; also chats2.ps and chats2.pdf.},
address={Menlo Park, California}, day=29, month=dec, Year=2001 }

@TechReport{NeumannCHATS02a,
author={P. G. Neumann},
Title={Principled Composable Trustworthy Architectures},
institution= {Computer Science Laboratory, SRI International},
Note = {Interim report, SRI Project 11459, updated occasionally as noted, at
\xlink{http://www.csl.sri.com/neumann/chats3.html}{http://www.csl.sri.com/neumann/chats3.html}; also chats3.ps and chats3.pdf.},
address={Menlo Park, California}, day=29, month=mar, Year=2002 }

@TechReport{NeumannCHATS02b,
author={P.G. Neumann},
Title={Principled Assuredly Trustworthy Composable Architectures},
institution= {Computer Science Laboratory, SRI International},
Note = {First-year final report, SRI Project 11459,
\xlink{http://www.csl.sri.com/neumann/chats4.html}{http://www.csl.sri.com/neumann/chats4.html}; also chats4.ps and chats4.pdf.},
address={Menlo Park, California}, day=29, month=jun, Year=2002 }

@TechReport{NeumannCHATS04,
author={Peter G. Neumann},
Title={Principled Assuredly Trustworthy Composable Architectures},
institution= {Computer Science Laboratory, SRI International},
address={Menlo Park, California}, month=dec, Year=2004,
NOTE = "http://www.csl.sri.com/neumann/chats4.html, .pdf, and .ps, Final report, SRI Project 11459"
 }

@InProceedings{Neumann03DISCEX3,
Author={P.G. Neumann},
Title={Achieving Principled Assuredly Trustworthy Composable Systems
  and Networks},
BookTitle={Proceedings of the DARPA Information Survivability Conference
  and Exhibition, DISCEX3, volume 2},
Organization={DARPA and IEEE Computer Society}, Address={},
Year={2003}, Month=apr, pages={182--187}}

@TechReport{Lee+92,
author={E.S. Lee and P.I.P. Boulton and B.W. Thomson and R.E. Soper},
Title={Composable Trusted Systems},
institution= {Computer Systems Research Institute},
Note = {CSRI-272},
address={University of Toronto, Ontario}, month ={31 May}, Year=1992 }

@TechReport{Dinolt94,
author={L.A. Benzinger and G.W. Dinolt and M.G. Yatabe},
Title={Final Report: A distributed system multiple security policy model},
institution= {Loral Western Development Laboratories, report WDL-TR00777},
address={San Jose, California}, month =oct, Year={1994} }

@InProceedings{Dinolt94b,
author={L.A. Benzinger and G.W. Dinolt and M.G. Yatabe},
Title={Combining components and policies},
Booktitle={Proceedings of the Computer Security Foundations
  Workshop VII, J. Guttman, editor},
institution= {IEEE Computer Society Press},
month =jun, Year={1994} }

@InProceedings{DinoltWilliams87,
  author =      "G.W. Dinolt and J.C. Williams",
  title =       "{A Graph-Theoretic Formulation of Multilevel Secure
                 Distributed Systems: An overview}",
  booktitle =   "1987 IEEE Symposium on Security and Privacy",
  year =        "1987",
  pages =       "99-103",
  organization =        "The Computer Society of the IEEE",
  publisher =   "IEEE Computer Society Press",
  address =     "1730 Massachusetts Avenue, N.W., Washington, D.C. 20036-1903",
  month =       Apr}

@book{BurnhamRise,
Author={D. Burnham},
Title={The Rise of the Computer State},
Publisher={Random House, New York},
Year={1982} }

@book{BurnhamIRS,
Author={D. Burnham},
Title={A Law Unto Itself: The {IRS} and the Abuse of Power},
Publisher={Vintage Books, Random House, New York},
Year={1989} }

@book{GarfinkelSpafford91,
Author={S. Garfinkel and E. Spafford}, key={Garfinkel},
Title={Practical {UNIX} Security},
Publisher={O'Reilly \& Associates, Sebastopol, California},
Year={1991} }

@book{GarfinkelSpafford03,
Author={S. Garfinkel and E. Spafford and A. Schwartz}, key={Garfinkel},
Title={Practical {UNIX} and Internet Security, 3rd Edition},
Publisher={O'Reilly \& Associates, Sebastopol, California},
Year={2003} }

@book{Garfinkel95,
Author={S. Garfinkel},
Title={PGP: Pretty Good Privacy},
Publisher={O'Reilly \& Associates, Sebastopol, California 95472},
Year={1995} }

@book{Ferbrache92,
Author={D. Ferbrache},
Title={A Pathology of Computer Viruses},
Publisher={Springer-Verlag, Berlin},
Year={1992} }

@InProceedings{Bonyun,
Author = "D. Bonyun",
Title = "Rules as the Basis of Access Control in Database Management Systems",
BookTitle="7th DoD/NBS Computer Security Initiative Conf.,
NBS, Gaithersburg, Maryland", Year="1984", Month="24-26 September", Pages="38-47"}

@Manual{AFSB83,
Author={M. {Schaefer et al.}}, key={Schaefer},
Title={Multilevel Data Management Security},
organization={Air Force Studies Board, National Research Council,
National Academies Press}, Year=1983,
Note={Final report of the 1982 Multilevel Data Management Security
  Committee.} }

@Book{NAS,
Key="Schaefer", Author = {M. {Schaefer (editor)}},
Title ="Multilevel Data Management Security", Note = "Report of the 1982
Summer Study, National Academy of Sciences,
Air Force Studies Board, Marvin Schaefer, Chairman, For Official Use Only)",
Publisher ="National Academies Press, Air Force Studies Board, National
Research Council", Address = "Washington, D.C.", Year= "1983"}

@Book{NASdb, Key="Schaefer", Author = {M. {Schaefer (editor)}}, Title
="Multilevel Data Management Security", Note = "Report of the 1982
Summer Study, National Academy of Sciences,
Air Force Studies Board, Marvin Schaefer, Chairman; published in 1983).
In particular, see Chapter 3
-- General Security Policy, D.E. Denning and P.G. Neumann (eds)",
Publisher ="National Academies Press, Air Force Studies Board, National
Research Council", Address = "Washington, D.C.", Year= "1983"}

@InProceedings{NASsdb,
Author = {D.E. Denning and P.G. {Neumann, editors}},
title ={General Security Policy},
Booktitle ={Multilevel Data Management Security},
Note={Chapter 3 of the Report of the 1982 Summer Study,
  National Academy of Sciences,
  Air Force Studies Board, Marvin Schaefer, Chairman},
Address = "Washington, D.C.", Year= "1983"}

@manual{NAS90,
author = {D.D. {Clark et al.}}, title = {Computers at Risk: Safe
Computing in the Information Age}, organization = {National Research Council,
National Academies Press, 2101 Constitution Ave., Washington,
D.C.}, month = {5 December}, year = {1990}, note={Final report of the
System Security Study Committee.} }

@book{NRC96,
author = {K.W. Dam and H.S. {Lin, editors}},
title = {Cryptography's Role In Securing the Information Society},
publisher = {National Research Council, National Academies Press,
2101 Constitution Ave., Washington, D.C.},
year = {1996}, note={Final report of the Cryptographic Policy Study
Committee, ISBN 0-309-05475-3.} }

@book{NRC98trust,
author = {F.B. Schneider and M. {Blumenthal, editor}},
title = {Trust in Cyberspace},
publisher = {National Research Council, National Academies Press,
2101 Constitution Ave., Washington, D.C.},
year = {1998}, note={Final report of the National Research
Council Committee on Information Trustworthiness.} }

@book{NRC00,
author = {S.H. Fuller and D.G. {Messerschmitt, editors}},
title = {Making It Better: Expanding Information Technology
  Research To Meet Society's Needs},
publisher = {National Research Council, National Academies Press,
2101 Constitution Ave., Washington, D.C.},
month = may, year = {2000}, note={Final report of the National Research
Council Committee.} }

@article{SchneiderCACM98-11,
author={F.B. Schneider}, title = {Toward Trustworthy Networked Information
  Systems},
journal = {Communications of the ACM}, year = {1998}, volume = {41},
number = {11}, pages = {}, month = nov,
Note= {{\it Inside Risks} column.} }

@TechReport{Schneider02,
Author={F.B. {Schneider, editor}},
Title={Research to Support Robust Cyber Defense},
Institution={Study Committee for J. Lala, DARPA},
Month =may, Year={2000}, Note={Slides only.} }

@BOOK{NAS90x,
NOTE = {ISBN 0-309-04388-3} }

@article{Loepere85,
author={K. P. Loepere},
title={Resolving Covert Channels within a {B}2 Class Secure System},
journal={Operating Systems Review},
month=jul,
year=1985}

@InProceedings{LuntReal90,
Key = "Loepere", Author = "K.P. Loepere and F.D. Reynolds and E.D. Jensen and
T.F. Lunt", Title = "Security for real-time systems",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="318-332", month=oct }

@book{LeviAgrawala90,
Author={S.-T. Levi and A.K. Agrawala},
Title={Real-Time System Design},
Publisher={McGraw-Hill, New York},
Year={1990} }

@InProceedings{SandhuJajodia90,
Key = "Sandhu", Author = "R.S. Sandhu and S. Jajodia",
Title = "Integrity mechanisms in database management systems",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="526-540", month=oct }

@InProceedings{SandhuJajodia91,
Key = "Sandhu", Author = "R.S. Sandhu and S. Jajodia",
Title = "Honest Databases That Can Keep Secrets",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="267-282", month=oct }

@TechReport{Gray89,
author={J. Gray}, Title={Transparency in Its Place},
institution={TR89.1, Tandem Computers},
address={Cupertino, California}, month ={},
Year= 1989 }

@TechReport{GrayTandem, Key={Gray}, Author={J. Gray},
Title={Why Do Computers Stop, and What Can Be Done About It?},
Institution={TR85.7, Tandem Computers, Inc.}, Year={1985},
Month ={}, Address={Cupertino, California},  }

@article{OszuValduriez91a,
author={M.T. \"{O}szu and P. Valduriez}, title = {Distributed Database Systems:
Where Are We Now?},
journal = {Computer}, year = {1991}, volume = {24},
number = {8}, pages = {68-78}, month = aug }

@book{OszuValduriez91b,
Author={M.T. \"{O}szu and P. Valduriez},
Title={Principles of Distributed Database Systems},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1991} }

@TechReport{Wallace+91a,
author={D.R. Wallace and D.R. Kuhn and J.C. Cherniavsky},
Title={Proceedings of the Workshop on High Integrity Software},
institution= {National Institute of Standards and Technology},
address={Gaithersburg, Maryland}, month ={22-23 January },
Year=1991, Note = {NIST Special Publication 500-190}  }

@TechReport{Wallace+91b,
author={D.R. Wallace and M. Brown and A. {McKinlay VI}},
Title={Proceedings of the Forum on Standards for High Integrity Software
({DoD, Goverment, Industry})},
institution= {National Institute of Standards and Technology},
address={Gaithersburg, Maryland}, month ={22-23 January },
Year=1991, Note = {NISTIR 4656}  }

@InProceedings{Roskos90,
Key = "Roskos", Author = "J.E. Roskos and S.R. Welke and J.M. Boone
and T. Mayfield", Title = "A taxonomy of integrity models, implementations
and mechanisms", Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="541-551", month=oct }

@InProceedings{Levin90,
Key = "Levin", Author = "T.E. Levin and A. Tao and S.J. Padilla",
Title = "Covert storage channel analysis: a worked example",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="10-19", month=oct }

@InProceedings{Thompson90,
Author = "M.F. Thompson and R.R. Schell and A. Tao and T.E. Levin",
Title = "Introduction to the Gemini Trusted Network Processor",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="211-217", month=oct }

@TechReport{GEMSOS91,
author={Gemini},
Title={Programmer's Guide to the GEMSOS Security Kernel Interface},
institution= {Gemini Computers, Inc.},
address={Carmel, California}, month =jul,
Year=1991 }

@InProceedings{King90,
Key = "", Author = "G. King",
Title = "Considerations for {VSLAN} Integrators and {DAAs}",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="201-210", month=oct }

@InProceedings{Bell90,
Key = "", Author = "D.E. Bell",
Title = "Trusted {Xenix} Interpretation: Phase 1",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="333-339", month=oct }

@InProceedings{WinklerJ90,
Key = "", Author = "J.R. Winkler",
Title = "A {Unix} Prototype for Intrusion and Anomaly Detection in
Secure Networks",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="115-124", month=oct }

@InProceedings{Winkler90,
Key = "", Author = "H.B. Winkler-Parenty",
Title = "Trusted System Interoperability",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="567-569", month=oct }

@InProceedings{Vetter90,
Key = "", Author = "L.L. Vetter",
Title = "Oracle Secure Systems: 1989-1990 A `Year in Review",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="570-571", month=oct }

@InProceedings{Alstad+90,
Author = "J.P Alstad and C.M. Brophy and T.C. Vickers Benzel and M.M. Bernstein
and R.J. Feiertag",
Title = "The Role of {``System Build''} in Trusted Embedded Systems",
Booktitle = "Proceedings of the Thirteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1990",
Pages="172-181", month=oct }

@article{Ramanathan90,
author={P. Ramanathan and K.G. Shin and R.W. Butler}, key= {Ramanathan},
title = {Fault-Tolerant Clock Synchronization in Distributed Systems},
journal = {Computer}, year = {1990}, volume = {23},
number = {10}, pages = {33-42}, month = oct }

@article{Manber90,
author={U. Manber}, key={Manber},
title = {Chain Reactions in Networks},
journal = {Computer}, year = {1990}, volume = {23},
number = {10}, pages = {57-63}, month = oct }

@InProceedings{Meadows90,
Key={Meadows}, Author={C. Meadows}, Title={Extending the Brewer-Nash
  Model to a Multilevel Context},
BookTitle={Proceedings of the 1990 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1990}, Month=may, pages={95--102}}

@InProceedings{Wray91,
Key={Wray}, Author={J.C. Wray}, Title={An Analysis of Covert Timing Channels},
BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={2-7}}

@InProceedings{Hu91,
Key={Hu}, Author={W.-M. Hu}, Title={Reducing Timing Channels with Fuzzy Time},
BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={8-20}}

@InProceedings{Gray91,
Key={Gray}, Author={J.W. {Gray III}}, Title={Toward a Mathematical
Foundation for Information Flow Security},
BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={21-34}}

@InProceedings{PorrasKemmerer91,
Key={Porras}, Author={P.A. Porras and R.A. Kemmerer}, Title={Analyzing
Covert Storage Channels}, BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={36-51}}

@InProceedings{KargerWray91,
Key={Karger}, Author={P.A. Karger and J.C. Wray}, Title={Storage Channels
in Disk Arm Optimization}, BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={52-61}}

@InProceedings{KargerKurth04,
Key={Karger}, Author={P.A. Karger and H. Kurth }, Title={Increased
  Information Flow Needs for High-Assurance Composite Evaluations},
  BookTitle={Proceedings of the Second International Information Assurance
  Workshop (IWIA 2004)},
  Organization={IEEE Computer Society}, Address={Charlotte,
  North Carolina}, Year={2004}, Month=may, pages={129--140}}

@InProceedings{Meadows91,
Key={Meadows}, Author={C. Meadows}, Title={A System for the Specification
and Analysis of Key Management Protocols},
BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={}}

@InProceedings{Tardo+91,
Key={Tardo}, Author={J.J. Tardo and K. Alagappan}, Title={{SPX}: Global
Authentication Using Public Key Certificates},
BookTitle={Proceedings of the 1991 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1991}, Month=may, pages={232-244}}

@Manual{CCITT509,
Key="CCITT", Author={CCITT}, Title="{CCITT} Draft Recommendation {X.509}:
The Directory-Authentication Framework, version 7",
Year="November 1987",
Organization="{CCITT}, Gloucester" }

@TECHREPORT{Abadi+Lamport:refinement,
	AUTHOR = {M. Abadi and L. Lamport},
	TITLE = {The Existence of Refinement Mappings},
	INSTITUTION = {DEC Systems Research Center},
	YEAR = {1988},	NUMBER = {29},	ADDRESS = {Palo Alto, California},
	MONTH = aug  }

@INPROCEEDINGS{Lamport+Abadi89,
	AUTHOR = {M. Abadi and L. Lamport},
	TITLE = {Composing Specifications},
	BOOKTITLE = {Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness},
	YEAR = {1989},
	EDITOR = {J.W. de Bakker and W.-P. de Roever and G. Rozenberg},
	PAGES = {1--41},
	PUBLISHER = {Springer-Verlag, Berlin,
    Lecture Notes in Computer Science, vol.~230},
	ADDRESS = {REX Workshop, Mook, The Netherlands},
	MONTH = {May-June}
}

@TechReport{Rushby91Composing,
author={J.M. Rushby},
Title="Composing Trustworthy Systems",
institution="Computer Science Laboratory, SRI International",
address={Menlo Park, California}, month =jul,
Year=1991 }

@techreport{Rushby92:intransitive-noninterference,
AUTHOR = {J.M. Rushby},
TITLE = {Noninterference, Transitivity, and Channel-Control Security Policies},
INSTITUTION = {Computer Science Laboratory, SRI International},
NUMBER = {SRI-CSL-92-2},
YEAR = {1992},
ADDRESS = {Menlo Park, California}, MONTH = dec  }

@techreport{Rushby91:intransitive-verification,
AUTHOR = {J.M. Rushby},
TITLE = {Formal Verification of the Unwinding Theorem for Intransitive
Noninterference Security Policies},
INSTITUTION = {SRI Computer Science Laboratory}, YEAR = {1991},
ADDRESS = {Menlo Park, California}, MONTH = mar }

@InProceedings{McLean94,
Author={J. McLean},
Title={A General Theory of Composition for Trace Sets Closed under Selective
        Interleaving Functions},
BookTitle={Proceedings of the 1994 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1994}, Month=may, pages={79--93}}

@InProceedings{Seagar+95,
Author={M. Seagar and D. Guaspari and M. Stillerman and C. Marceau},
Title={Formal Methods in the Theta Kernel},
BookTitle={Proceedings of the 1995 Symposium on
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1993}, Month=may, pages={88--100}}

@InProceedings{Badger+95,
Author={L. Badger and D.F. Sterne and D.L. Sherman and K.M. Walker
and S.A. Haghighat},
Title={Practical Domain and Type Enforcement for {Unix}},
BookTitle={Proceedings of the 1995 Symposium on
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1993}, Month=may, pages={66--77}}

@article{Spafford92,
author={E. Spafford}, title = {Are Computer Hacker Break-ins Ethical?},
journal = {Journal of Systems and Software}, year = {1992}, volume = {},
number = {}, pages = {}, month = jan,
note = {Purdue Report CSD-TR-994, March 1991} }

@book{Petroski,
Author={H. Petroski},
Title={To Engineer Is Human: The Role of Failure in Successful Design},
Publisher={St.~Martin's Press, New York},
Year={1985} }

@book{Petroski94,
Author={H. Petroski},
Title={Design Paradigms: Case Histories of Error and Judgment in Engineering},
Publisher={Cambridge University Press, Cambridge, England},
Year={1994} }

@book{HoareCSP,
Author={C.A.R. Hoare},
Title={Communicating Sequential Processes},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey},
Year={1985} }

@article{Sinha91,
author={P.K. {Sinha et al.}}, title = {The {Galaxy} Distributed Operating
System}, journal = {Computer}, year = {1991}, volume = {24},
number = {8}, pages = {34-41}, month = aug }

@article{NitzbergLo91,
author={B. Nitzberg and V. Lo}, title = {Distributed Shared Memory:
A Survey of Issues and Algorithms},
journal = {Computer}, year = {1991}, volume = {24},
number = {8}, pages = {52-60}, month = aug }

@article{Ousterhout88,
author={J.K. {Ousterhout et al.}},
title = {The {Sprite} Network Operating System},
journal = {Computer}, year = {1988}, volume = {21},
number = {2}, pages = {23-36}, month = feb }

@article{BakerOusterhout91,
author={M. Baker and J.K. Ousterhout},
title = {Availability in the {Sprite} Distributed File System},
journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25},
number = {2}, pages = {95-98}, month = apr }

@article{Yokote+91,
author={Y. Yokote and F. Teraoka and A. Mitsuzawa and N. Fujinami and M. Tokoro},
title = {The {Muse} Object Architecture: a New Operating System
Structuring Concept},
journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25},
number = {2}, pages = {22-46}, month = apr }

@article{KaashoekTanenbaum91,
author={M.F. Kaashoek and A.S. Tanenbaum},
title = {Fault Tolerance Using Group Communication},
journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25},
number = {2}, pages = {71-74}, month = apr }

@TechReport{Engler98,
author={D.R. Engler},
Title="{The Exokernel Operating System Architecture}",
institution="Ph.D. Thesis, M.I.T., Cambridge, Massachusetts",
month=oct,
Year=1998 }

@Article{Engler+95,
author={D.R. Engler and  M.F. Kaashoek and J. {O'Toole Jr.}},
title = {Exokernel: An Operating System Architecture for
  Application-Level Resource Management},
Journal = {Operating Systems Review}, year = {1995},
Organization = {ACM},
Note = {Proceedings of the Fifteenth Symposium on Operating
  Systems Principles (SOSP '95)},
volume = {29},
number = {}, pages = {251--266}, month = dec }

@ARTICLE{LubaCourtois98,
Author={M. Lubaszewski and B. Courtois},
TITLE = {A Reliable Fail-Safe System},
JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {C-47},
NUMBER = {2}, PAGES = {236-241}, MONTH = feb }

@ARTICLE{Blaum+98,
Author={M. Blaum and J. Bruck and K. Rubin and W. Lenth},
TITLE = {A Coding Approach for Detection of Tampering in Write-Once
Optical Disks},
JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {C-47},
NUMBER = {1}, PAGES = {120--125}, MONTH = jan }

@article{StephensonBirman91,
author={P. Stephenson and K. Birman},
title = {Fast Causal Multicast},
journal = {ACM SIGOPS Operating Systems Review}, year = {1991}, volume = {25},
number = {2}, pages = {75-79}, month = apr }

@article{CheritonV,
Author={D.R. Cheriton}, TITLE = {The {V} Distributed System},
JOURNAL = {Communications of the ACM},
YEAR = {1988}, VOLUME = {31}, NUMBER = {3}, PAGES = {314-333},
MONTH = mar }

@PhDThesis{RussoThesis,
   Key={}, Author={V.F. Russo},
   Title={An Object-Oriented Operating System},
   School={Univ. of Illinois, Computer Science Dept},
   Year={1991}, Month=jan, Note={UIUCDCS-R-919-1640}
}

@TechReport{Dykstra91,
author={D.W. Dykstra},
Title={Hardware Enforced Protection for Object-Oriented Operating Systems},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month =mar, Year=1991,
Note={UIUCDCS-R-91-1666} }

@TechReport{DykstraCampbell91,
author={D.W. Dykstra and R.H. Campbell},
Title={Object-Oriented Hierarchies Across Protection Boundaries},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month =mar, Year=1991,
Note={UIUCDCS-R-919-1667} }

@TechReport{CampbellMadany91,
author={R.H. Campbell and P.W. Madany},
Title={Considerations of Persistence and Security in Choices, an
Object-Oriented Operating System},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month =mar, Year=1991,
note={UIUCDCS-R-91-1670} }

@TechReport{JensenReed91,
author={D.W. Jensen and D.A. Reed},
Title={File Archive Activity in a Supercomputer Environment},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month =apr, Year=1991,
note={UIUCDCS-R-91-1672} }

@TechReport{Lu91,
author={S. Lu},
Title={A Distributed Concurrency Control Protocol Considering
       Read-Only Transactions},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month =apr, Year=1991,
note={UIUCDCS-R-91-1678} }

@TechReport{Shi91,
author={S.-B. Shi},
Title={Building Reliable Programs Through Active Replication},
institution= {Univ. of Illinois, Computer Science Dept},
address={Urbana-Champaign, IL}, month ={}, Year=1991,
note={UIUCDCS-R-91-1679} }

@TechReport{Enc86,
author={Encore}, key={Encore},
Title={{UMAX} 4.2 Programmer's Reference Manual},
institution= {Encore Computer Corp.},
address={Marlboro, Massachusetts}, month ={}, Year=1986  }

@TechReport{Enc89,
author={Encore}, key={Encore},
Title={Multimax Technical Summary},
institution= {Encore Computer Corp.},
address={Marlboro, Massachusetts}, month ={}, Year=1989  }

@TechReport{DCICThreat89,
Author={DCIC},
Title={Threat to Intelligence Community Automated
Information Systems and Networks},
institution= {DCIC 10002-89},
Month = {19 January}, Year = {1989}, Note={SECRET/NOFORN/WNINTEL.}  }

@TechReport{Hollway92,
Author={A. Hollway},
Title={Worldwide Threat to Computers and Automated Control Systems},
institution= {U.S. Army VAL FIO},
Month = oct, Year = {1992}, Note={SECRET/NOFORN/WNINTEL.}  }

@TechReport{NIST92,
Author={D. Steinauer and M. Swanson},
Title={Matrix Questions Answered at a National Level},
institution= {NIST}, Month = {3 April}, Year = {1989},
NOTE={Produced for the Survivability-Vulnerability Working Group.} }

@InProceedings{Neumann97surv,
Author={P.G. Neumann and P.A. Porras},
Title={A Global View of Information Survivability},
BookTitle={Proceedings of the 1997 Workshop on Survivability},
Organization={IEEE Computer Society}, Address={San Diego, California},
Year={1997}, Month=feb, pages={}}

@PhDThesis{Mounji97,
Author={A. Mounji},
School={Notre-Dame de la Paix, Namur, Belgium},
Title={Languages and Tools for Rule-Based Distributed Intrusion Detection},
Year={1997}, Month=sep }

@TechReport{DISA92,
Author={DISA},
Title ={Security Analysis (Draft), Background  Security Description  and
Defense Message System  Security  Documentation Instructions},
Institution = {Defense Information Systems Agency},
Month=mar, Year={1992} }

@TechReport{FriedmanOlson92,
Author={A.R. Friedman and I.M. Olson},
Title={Introduction to Certification and Accreditation Concepts (Draft)},
Institution={Mitre Corporation, under contract to the National Security Agency},
Month=jun, Year={1992}  }

@Article{Munro92,
Author={N. Munro},
Title={DoD Planners Prepare New Security Stategy},
Journal={Defense News},
Volume=7, Number=18, Month={4-10 May}, Year={1992}  }

@InProceedings{Corbato+72,
Author={F.J. Corbat\'{o} and J. Saltzer and C.T. Clingen},
Title={Multics: {The} first seven years},
Booktitle={Proceedings of the Spring Joint Computer Conference},
volume=40,
publisher={AFIPS Press},
address={Montvale, New Jersey},
Year=1972 }

@article{Corbato91,
Title="On Building Systems That Will Fail (1990 {T}uring {A}ward {L}ecture,
with a following interview by {Karen Frenkel})",
Author="F.J. Corbat\'{o}", Key="", Month=sep,
Year=1991, Journal= {Communications of the ACM}, Volume=34, Number=9, Pages="72-90" }

@InProceedings{Bell91,
Author = "D.E. Bell",
Title = "Putting Policy Commonalities to Work",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="456-471 (Volume II)", month=oct }

@InProceedings{Branstad+91,
Author="M.A. Branstad and C.P. Pfleeger and D. Brewer and C. Jahl and H. Kurth",
Title = "Apparent Differences Between the {U.S.} {TCSEC} and the {E}uropean
{ITSEC}",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="45-58 (Volume I)", month=oct }

@InProceedings{FaganStraw91,
Author = "P. Fagan and J. Straw",
Title = "Experience of Commercial Security Evaluation",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="195-204", month=oct }

@InProceedings{EpsteinPicciotto91,
Author = "J. Epstein and J. Picciotto",
Title = {Trusting {X}: Issues in Building Trusted {X} {Window} {Systems}},
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="619-629", month=oct }

@InProceedings{Faden91,
Author = "G. Faden",
Title = {Reconciling {CMW} Requirements with those of {X11} Applications},
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="472-479", month=oct }

@InProceedings{SandhuSuri91,
Author = "R.S. Sandhu and G.S. Suri",
Title = "A Distributed Impementation of the Transform Model",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="177-187", month=oct }

@TechReport{Binns91,
author={L.J. Binns},
Title={Inference Through Polyinstantiation},
institution= {Office of INFOSEC Computer Science},
address={U.S. Department of Defense, Ft. George G. Meade, Maryland}, month ={},
Year=1991 }

@InProceedings{SebesFeiertag91,
Author = "E.J. Sebes and R.J. Feiertag",
Title = "Trusted Distributed Computing: Using Untrusted Network Software",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="608-618", month=oct }

@InProceedings{Parker91,
Author = "T.A. Parker",
Title = "A Secure {E}uropean System for Applications in a Multi-vendor
Environment ({T}he {SESAME} {P}roject)",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="505--513", month=oct }

@InProceedings{GarveyLunt91,
Author = "T.D. Garvey and T.F. Lunt",
Title = "Model-Based Intrusion Detection",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="372--385", month=oct }

@Article{Lunt93CS,
Author={T.F. Lunt}, Title={A survey of intrusion detection techniques},
Journal={Computers and Security}, pages={405--418},
volume=12, number={4}, year=1993 }

@InProceedings{DIDS91,
Author = "S.R. Snapp and J. Brentano and G.V. Dias and T.L Goan and
L.T. Heberlein and C.-L. Ho and K.N. Levitt and B. Mukherjee and
S. Smaha and T. Grance and D.M. Teal and D. Mansur",
Title = "{DIDS (Distributed Intrusion Detection System)} --
Motivation, Architecture, and an Early Prototype",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="167--176", month=oct }

@InProceedings{Heberlein+91,
Author = "L.T. Heberlein and K.N. Levitt and B. Mukherjee",
Title = "A Method to Detect Intrusive Activity in a Networked Environment",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="362--371", month=oct }

@InProceedings{Banning+91,
Author = "D. Banning and G. Ellingwood and C. Franklin and C. Muckenhirn and
D. Price",
Title = "Auditing of Distributed Systems",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="59--68", month=oct }

@InProceedings{Jackson+91,
Author = "K.A. Jackson and D.H. DuBois and C.A. Stallings",
Title = "An Expert System Application for Network Intrusion Detection",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="215--225", month=oct }

@InProceedings{King91,
Author = "M.M. King",
Title = "Identifying and Controlling Undesirable Program Behaviors",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="283--294", month=oct }

@InProceedings{ParkerDB91,
Author = "D.B. Parker",
Title = "Restating the Foundations of Information Security",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="", month=oct }

@TechReport{Irvine+91,
author={C.E. Irvine and R.R. Schell and M.F. Thompson},
Title={Using {TNI} Concepts for the Near Term Use of High Assurance
Database Management Systems},
institution= {Gemini Computers, Inc.},
address={Carmel California}, month ={},
Year=1991, Note={Presented at the 1991 Rome Laboratory Database Security Workshop} }

@ARTICLE{DeTreville,
Author={J. DeTreville}, TITLE = {A Cautionary Tale},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
NUMBER = {2}, PAGES = {19--22}, MONTH = apr }

@ARTICLE{XuParnas91,
Author={J. Xu and D. Parnas}, TITLE = {On Satisfying Timing Constraints in
Hard-Real-Time Systems},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
NUMBER = {5}, PAGES = {132--146}, MONTH = dec }

@InProceedings{Parnas94,
Author = {D.L. Parnas},
Title = {Mathematical Descriptions and Specification of Software},
Booktitle = {Proceedings of the IFIP World Congress 1994, Volume I},
Organization = {IFIP}, Address = {},
Year = {1994},
Pages={354--359}, Month = aug }

@InProceedings{ParnasRespons94,
Author = {D.L. Parnas},
Title = {Professional Responsibilities of Software Engineers},
Booktitle = {Proc. of IFIP World Congress 1994, Volume II},
Organization = {IFIP}, Address = {},
Year = {1994},
Pages={332--339}, Month = aug }

@ARTICLE{Parnas+94,
Author={D.L. Parnas and J. Madey and M. Iglewski},
TITLE = {Precise Documentation of Well-Structured Programs},
JOURNAL = {IEEE Transactions on Software Engineering}, YEAR = {1994},
VOLUME = {20},
NUMBER = {12}, PAGES = {948--976}, MONTH = dec }

@article{Parnas+94b,
author={D.L. Parnas and A.J. {van Schouwen} and S.P. Kwan},
title = {Evaluation of Safety-Critical Software},
journal = {Communications of the ACM}, volume = {33}, number = {6},
pages = {636--648}, month = jun, year = {1990} }

@article{ParnasWang94,
Author = {D.L. Parnas and Y. Wang},
Title={Simulating the Behaviour of Software Modules by
       Trace Rewriting Systems},
Journal = {IEEE Transactions of Software Engineering},
VOLUME = {19}, NUMBER = {10},
Month = oct, Year = {1994}, PAGES = {750--759} }

@article{Parnas97SE,
author={D.L. Parnas},
title = {Software Engineering: An Unconsummated Marriage},
journal = {Communications of the ACM}, year = {1997}, volume = {40},
number = {9}, pages = {128}, month = sep,
Note= {{\it Inside Risks} column.} }

@article{DenningDivorce,
author={D.L. Parnas},
title = {Computer Science and Software Engineering: Filing for Divorce?},
journal = {Communications of the ACM}, year = {1998}, volume = {41},
number = {8}, pages = {}, month = aug,
Note= {{\it Inside Risks} column.} }

@ARTICLE{RushbyvonHenke91,
Author={J.M. Rushby and F. {von Henke}}, TITLE = {Formal Verification of
Algorithms for Critical Systems},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
NUMBER = {5}, PAGES = {1--15}, MONTH = dec }

@TechReport{Rushby+95PVS,
author={J.M. Rushby and D.W.J. Stringer-Calvert},
Title={A less elementary tutorial for the {PVS} specification and
  verification system},
institution= {SRI International, Menlo Park, California, CSL-95-10},
address={}, month =oct, Year=1995 }

@TechReport{Rushby95FMAir,
author={J.M. Rushby},
Title={Formal Methods and Their Role in Digital Systems Validation
for Airborne Systems},
institution= {SRI International, Menlo Park, California, CSL-95-01},
address={}, month =mar, Year=1995 }

@TechReport{Rushby95KerVer,
author={J.M. Rushby},
Title={A Foundation for Security Kernel Verification},
institution= {SRI International, Menlo Park, California},
address={}, month =oct, Year=1995 }

@TECHREPORT{Rushby99:partitioning,
	AUTHOR = {J. Rushby},
	TITLE = {Partitioning for Avionics Architectures:
           Requirements, Mechanisms, and Assurance},
   INSTITUTION={NASA Langley Research Center},
   NOTE = {Contractor Report CR-1999-209347; also issued as
     FAA DOT/FAA/AR-99/58.},
	MONTH = jun,
	YEAR = "1999",
   url ="http://www.csl.sri.com/~{}rushby/abstracts/partitioning"}

@TECHREPORT{Rushby01:modcert,
	AUTHOR = {J. Rushby},
	TITLE = {Modular Certification},
   INSTITUTION="Computer Science Laboratory, SRI International, Menlo Park,
     California",
	MONTH = jun,
	YEAR = 2002,
   url ="http://www.csl.sri.com/~{}rushby/abstracts/modcert"}

@TECHREPORT{Rushby04:separation,
	AUTHOR = {J. Rushby},
	TITLE = {A separation kernel formal security policy in PVS},
   INSTITUTION="Computer Science Laboratory, SRI International, Menlo Park,
     California",
	MONTH = mar,
	YEAR = 2004,
   url ="http://www.csl.sri.com/~{}rushby/abstracts/"}

@TechReport{Butler93,
author={R.W. Butler},
Title={An elementary tutorial on formal specification and verification
   using {PVS}},
institution= {NASA Langley Research Center},
address={Hampton, Virginia}, month =jun, Year=1993 }

@InProceedings{Butler+95,
Author={R.W. Butler and J.L. Caldwell and V.A. {Carre\~{n}o} and
C.M. Holloway and P.S. Miner and B.L. DiVito},
TITLE = {{NASA} {Langley's} Research and Technology-Transfer Program
         in Formal Methods},
BookTitle={Proceedings of the Tenth Annual Conference on Computer
Assurance, COMPASS 95}, Organization={IEEE}, Year=1995, Month=jun,
Pages={135--149},
  NOTE = {(A longer version is available in {\it Proceedings of
the Third NASA Langley Formal Methods Workshop,} May 1995, 247--268.)}
}

@InProceedings{Butler+95o,
Author={R.W. Butler and J.L. Caldwell and V.A. {Carre\~{n}o} and
C.M. Holloway and P.S. Miner and B.L. DiVito},
TITLE = {{NASA} {Langley's} Research and Technology-Transfer Program
         in Formal Methods},
BookTitle={Proceedings of the Third NASA {Langley} Formal Methods Workshop,
May 10-12, 1995},
ORGANIZATION={NASA Langley Research Center},
Year=1995, Month= jun,
Note = {This is a longer but earlier version of~\cite{Butler+95},
and includes 28 more references.},
Pages={247--268}}

@Proceedings{NASALaRC95,
Editor={C.M. Holloway},
Title={Third {NASA} {Langley} Formal Methods Workshop},
ORGANIZATION={NASA Langley Research Center},
Address ={Hampton, Virginia},
Month={May 10-12},
Note ={NASA Conference Publication 10176, June 1995.},
Year={1995} }

@book{NASA95-1,
Author={{NASA Langley Research Center}},
Title={Formal Methods Specification and Verification, Volume I},
Publisher={NASA},
Month =jun, Year={1995} }

@book{NASA95-2,
Author={{NASA Langley Research Center}},
Title={Formal Methods Specification and Verification, Volume II},
Publisher={NASA},
Month ={Fall}, Year={1995} }

@ARTICLE{ButlerFinelli91,
Author={R.W. Butler and G.B. Finelli}, TITLE = {The Infeasibility of
Experimental Quantification of Life-Critical Software Reliability},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1991}, VOLUME = {16},
NUMBER = {5}, PAGES = {66--76}, MONTH = dec }

@book{Spivey88,
Author={J.M. Spivey},
Title={Understanding Z: a specification language and its formal semantics},
Publisher={Cambridge University Press, Cambridge, England},
Year={1988} }

@book{Potter91,
Author={B. Potter and J. Sinclair and D. Till},
Title={An Introduction to Formal Specification and Z},
Publisher={Prentice-Hall International, Hemel Hempstead, Great Britain},
Year={1991} }

@book{Turner93,
Author={K. J. {Turner, ed.}},
Title={Using Formal Description Languages},
Publisher={John Wiley, Chichester},
Year={1993} }

@InProceedings{Jirach95,
Author={A. Jirachiefpattana and R. Lai},
TITLE = {An {Estelle-NPN} based system for protocol verification},
BookTitle={Proceedings of the Tenth Annual Conference on Computer
Assurance, COMPASS 95}, Organization={IEEE}, Year=1995, Month=jun,
Pages={245--259}}

@Article{HarelKurshan90,
Author = {Z. {Har'El} and R.P. Kurshan},
TITLE = {Software for Analytic Development of Communications Protocols},
JOURNAL = {AT\&T Technical Journal},
YEAR = {1990}, VOLUME = {69}, MONTH = {January-February}, NUMBER = {1},
PAGES = {45--59} }

@TechReport{Craigen+93,
Author={D. Craigen and S. Gerhart and T. Ralston},
TITLE = {An International Survey of Industrial Applications of Formal Methods},
institution= {U.S. National Institute of Standards and Technology},
Note = {Also available from U.S. Naval Research Laboratory and the Atomic
Energy Board of Canada.},
address={Gaithersburg, Maryland}, month =mar, Year=1993 }

@ARTICLE{Boswell95,
Author={A. Boswell},
TITLE = {Specification and Validation of a Security Policy Model},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {63--69} }

@ARTICLE{Barrett95,
Author={G. Barrett},
TITLE = {Model Checking in Practice: The T9000 Virtual Channel Processor},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {69--78} }

@ARTICLE{BicarreguiRitchie95,
Author={J. Bicarregui and B. Ritchie},
TITLE = {Invariants, Frames, and Postconditions:
A Comparison of the {VDM} and {B} Notations},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {79--89} }

@ARTICLE{Craigen+95,
Author={D. Craigen and S. Gerhart and T. Ralston},
TITLE = {Formal Methods Reality Check: Industrial Usage},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {90--98} }

@ARTICLE{Jacky95,
Author={J. Jacky},
TITLE = {Specifying a Safety-Critical Control System in {Z}},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {99-106} }

@ARTICLE{Owre+95,
Author={S. Owre and J. Rushby and N. Shankar and F. {von Henke}},
TITLE = {Formal Verification for Fault-Tolerant Architectures:
  Prolegomena to the Design of {PVS}},
JOURNAL = {IEEE Transactions on Software Engineering},
NOTE = {Special section on Formal Methods Europe '93.},
YEAR = {1995}, VOLUME = {21}, MONTH = feb, NUMBER = {2},
PAGES = {107-125} }

@techreport{PVS:Interpretations,
        Author= {S. Owre and N. Shankar},
        Title= {Theory Interpretations in {PVS}},
        Number= {SRI-CSL-01-01},
        Institution= {Computer Science Laboratory, SRI International},
        Address= {Menlo Park, CA},
        Month= apr,
        Year= {2001},
NOTE="\xlink{http://www.csl.sri.com/\~{}owre}{http://www.csl.sri.com/\~{}owre}"
        }

@ARTICLE{MoriconiQian94,
Author={M. Moriconi and X. Qian},
TITLE = {Correctness and Composition of Software Architectures},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {1994}, VOLUME = {19},
NUMBER = {5}, PAGES = {164--174}, MONTH = dec,
NOTE = {Proceedings of the Second ACM SIGSOFT Symposium on Foundations
of Software Engineering} }

@ARTICLE{Moriconi+95,
Author={M. Moriconi and X. Qian and R.A. Riemenschneider},
TITLE = {Correct Architecture Refinement},
JOURNAL = {IEEE Transactions on Software Engineering},
YEAR = {1995}, VOLUME = {21}, MONTH = apr, NUMBER = {4},
PAGES = {356--372} }

@TechReport{IntegrityWG91,
author={M.D. Abrams and E. Amoroso and L.J. LaPadula and T.F. Lunt and
J.N. Williams},
Title={Report of an Integrity Working Group},
institution= {Mitre Corp. (Abrams)},
address={McLean, Virginia}, month =nov,
Year=1991 }

@TechReport{JonesKluepfel92,
author={A. Jones and H.M. Kluepfel},
Title={A Systems Engineering Approach to Security Baselines for {SS7}:
A contribution in support of {Network Operations Forum, Issue} 138 --
{SS7} Network Integrity-Security}, institution= {Pac$\star$Bell and Bellcore},
address={}, month ={}, Year=1992 }

@TechReport{DISSP91,
author={DISSPO}, key = {DISSP},
Title={Defense-Wide Information Systems Security Program {(DISSP)}, Action Plan},
institution= {Defense-Wide Information Systems Security Program Office},
note= {6 volumes, Prepared for the Assistant Secretary of Defense for Command,
Control, Communications, and Intelligence.},
address={}, month ={15 August}, Year=1991 }

@book{Golde76,
Author={R.A. Golde},
Title={{Muddling Through}: The Art of Properly Unbusinesslike Management},
Publisher={AMACOM (a division of the American Management Associations),
New York},
note={ISBN 0-8144-5411-9, 0-8144-7523-X paperback},
Year={1976} }

@book{Mander78,
Author={J. Mander},
Title={Four Arguments for the Elimination of Television},
Publisher={William Morrow/Quill, New York},
Year={1978} }

@book{Mander92,
Author={J. Mander},
Title={In the Absence of the Sacred: The Failure of Technology \&
the Survival of the {Indian} {Nations}},
Publisher={Sierra Club Books, San Francisco, California},
isbn={0-87156-509-9.},
Year={1991, paperback 1992}}

@book{Perrow,
Author={C. Perrow},
Title={Normal Accidents},
Publisher={Basic Books, New York},
Year={1984} }

@book{Norman88,
Author={D.A. Norman},
Title={The Psychology of Everyday Things},
Publisher={Basic Books, New York},
Year={1988} }

@article{Norman90,
Title= {Human error and the design of computer systems},
Author={D.A. Norman}, Month=jan,
Year=1990, Journal= {Communications of the ACM}, Volume=33, Number=1, Pages="4--5,7" }

@article{Denning90,
Title= {Human error and the search for blame},
Author={P.J. Denning}, Month=jan,
Year=1990, Journal= {Communications of the ACM}, Volume=33, Number=1, Pages="6--7" }

@article{Denning93Sense,
Title= {Designing new principles to sustain research in our universities},
Author={P.J. Denning}, Month=jul,
Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=7, Pages="98-104" }

@InProceedings{Denning91NCCV,
Author={D.E. Denning}, TITLE = {Responsibility and blame in computer security},
Booktitle = {Proceedings of the National Conference on Computing and Values},
Organization = {Southern Connecticut State University, New Haven,
Connecticut}, Year = {1991}, Pages={}, Month = {12--16 August} }

@Article{Denning93AmSci,
Author={D.E. Denning},
Title={The {Clipper} Encryption System}, Journal={American Scientist},
volume=81, number=4, month={July-August}, pages={319-323}, year=1993 }

@article{Kent93,
Title= {Internet Privacy Enhanced Mail},
Author={S.T. Kent}, Month=aug,
Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="48--60" }

@TechReport{Synergy93,
author={O.S. Saydjari and S.J. Turner and D.E. Peele and J.F. Farrell
and P.A. Loscocco and W. Kutz and G.L. Bock},
Title={Synergy: A distributed, microkernel-based security architecture},
institution= {NSA INFOSEC Research and Technology},
address={}, month ={November 22}, Year=1993 }

@article{Rotenberg93,
Title= {Communications Privacy: Implications for Network Design},
Author={M. Rotenberg}, Month=aug,
Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="61--68" }

@article{Tuerkheimer93,
Title= {The Underpinnings of Privacy Protection},
Author={Tuerkheimer}, Month=aug,
Year=1993, Journal= {Communications of the ACM}, Volume=36, Number=8, Pages="69--73" }

@book{Pfleeger89,
Author={C.P. Pfleeger}, Title={Security in Computing},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1989} }

@book{Pfleeger96,
Author={C.P. Pfleeger}, Title={Security in Computing},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1996},
Note ={Second edition}
}

@book{SLPfleeger98x,
Author={S.L. Pfleeger},
Title={Software Engineering: The Production of Quality Software},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1998} }

@book{SLPfleeger98,
Author={S.L. Pfleeger},
Title={Software Engineering: Theory and Practice},
Publisher={Prentice-Hall, Englewood Cliffs, New Jersey}, Year={1998} }

@book{BloomBecker,
Author={B. BloomBecker},
Title={Spectacular Computer Crimes: What They Are and How They Cost American
Business Half a Billion Dollars a Year},
Publisher={Dow Jones--Irwin, New York}, Year={1990} }

@book{Wiener93,
Author={L. Wiener},
Title={Digital Woes: Why We Should Not Depend on Software},
Publisher={Addison--Wesley, Reading, Massachusetts},
Year={1993} }

@book{Casey93,
Author={S.M. Casey},
Title={Set Phasers on Stun, and Other True Tales
of Design Technology and Human Error},
Publisher={Aegean Publishing Company, Santa Barbara, California},
Year={1993} }

@book{Talbott94,
Author={S. Talbott},
Title={The Future Does Not Compute},
Publisher={O'Reilly \& Associates, Sebastopol, California 95472},
Year={1994} }

@book{Neuromancer,
Author={W. Gibson},
Title={Neuromancer},
Publisher={Ace Books},
note = {ISBN 0-441-56959-5, reprinted as ISBN 0-932096-41-7},
Year={1948}, Note={Reprinted by Phantasia Press, 1986.} }

@ARTICLE{AsimovRobots,
Author={I. Asimov}, TITLE = {Runaround},
JOURNAL = {Astounding Science Fiction}, YEAR = {1941}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = apr,
NOTE={Also anthologized in {\it I, Robot} and {\it The Complete Robot.} } }

@book{AsimovRobots0,
Author={I. Asimov},
Title={Forward the Foundation},
Publisher={Doubleday, New York},
isbn={0-553-56507-9},
Year={1993}, Note={Also Bantam paperback, 1994.}  }

@book{Sterling92,
Author={B. Sterling},
Title={The Hacker Crackdown: Law and Disorder on the Electronic Frontier},
Publisher={Bantam, New York},
isbn={0-553-56370-X},
Year={1992 (paperback 1993)} }

@book{Borenstein91,
Author={N.S. Borenstein},
Title={Programming As If People Mattered: Friendly Programs, Software
Engineering, and Other Noble Delusions},
Publisher = {Princeton University Press, Princeton, New Jersey},
Year={1991} }

@book{Gall75,
Author={J. Gall},
Title={Systemantics: How Systems Work and Especially How They Fail},
Publisher={Quadrangle/New York Times Book Co., New York}, Year={1977},
Note = {Also, Pocket Books, New York, 1975} }

@book{Gall86,
Author={J. Gall},
Title={Systemantics : The Underground Text of Systems Lore : How Systems
      Really Work and Especially How They Fail},
Publisher={General Systemantics Press, 3200 W. Liberty, Ann Arbor 48103},
Year={1986} }

@book{Illuminatus,
Author={R.J. Shea and R.A. Wilson},
Title={The Illuminatus! Trilogy},
Publisher={Dell, New York},
Year={1975} }

@book{PirsigZen,
Author={R.M. Pirsig},
Title={Zen and the Art of Motorcycle Maintenance},
Publisher={William Morrow and Bantam Books, New York},
Year={1974} }

@book{PirsigLila,
Author={R.M. Pirsig},
Title={Lila, An Inquiry into Morals},
Publisher={Bantam Books, New York},
Year={1991} }

@book{Papert93,
Author={S. Papert},
Title={The Children's Machine: Rethinking School in the Age of the Computer},
Publisher={Basic Books, New York}, Year={1993} }

@book{Swasy93,
Author={A. Swasy},
Title={Soap Opera: The Inside Story of Proctor \& Gamble},
Publisher={Times Books, New York},
Year={1993} }

@book{Formaini90,
Author={R. Formaini},
Title={The Myth of Scientific Public Policy},
Publisher={Transaction Publishers (Social Philosophy \& Policy Center),
New Brunswick, New Jersey},
isbn={0-88738-852-3},
Year={1990} }

@book{Beck92,
Author={U. Beck}, Title={Risk Society: Towards a New Modernity},
Publisher={Sage Publications, Beverly Hills, California}, Year={1992},
isbn={0-8039-8346-8}}

@book{Unger94,
Author={S.H. Unger},
Title={Controlling Technology: Ethics and the Responsible Engineer},
Publisher={John Wiley and Sons, New York, 2nd ed.},
Year={1994}, isbn={0-471-59181-5.} }

@book{Asseline,
Author={M. Asseline},
Title={Le pilote --- est-il coupable? (The Pilot: Is He To Blame?)},
Publisher={Edition \#1 (4, rue Galleria, 75116 Paris)},
Year={1992}, isbn={2-86-39-1517-7.} }

@article{Weingarten94,
Title= {Public Interest and the {NII}},
Author={F.W. Weingarten}, Month=mar, Year=1994,
Journal= {Communications of the ACM}, Volume=37, Number=3, Pages="17--19" }

@book{Kling95,
Author={R. {Kling (ed.)}},
Title={Computerization and Controversy: Value Conflicts and Social Choices},
Publisher={Academic Press, New York},
Year={1995} }

@book{Firewalls94,
Author={W.R. Cheswick and S.M. Bellovin},
Title={Firewalls and Internet Security: Repelling the Wily Hacker},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1994} }

@book{Firewalls03,
Author={W.R. Cheswick and S.M. Bellovin and A.D. Rubin},
Title={Firewalls and Internet Security: Repelling the Wily Hacker,
  Second Edition},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2003} }

@InProceedings{Blaze93,
Author={M. Blaze}, TITLE = {A Cryptographic File System for {UNIX}},
Booktitle = {First ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia},
Year = {1993},
Pages={9--16}, Month = nov }

@InProceedings{Blaze94,
Author={M. Blaze}, TITLE = {Protocol failure in the escrowed encryption
standard},
Booktitle = {Second ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia},
Year = {1994},
Pages={59-67}, Month = nov }

@InProceedings{Reiter94,
Author={M.K. Reiter}, TITLE = {Reliable and Atomic Group Multicast
in {Rampart}},
Booktitle = {Second ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {Fairfax, Virginia},
Year = {1994},
Pages={68--80}, Month = nov }

@TechReport{Landau94,
Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning
and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel},
TITLE = {Codes, Keys, and Conflicts: Issues in {U.S.} Crypto Policy},
INSTITUTION = {ACM}, YEAR = {1994}, MONTH = jun }

@ARTICLE{Landau94s,
Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning
and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel},
TITLE = {Crypto Policy Perspectives},
JOURNAL = {Communications of the ACM}, YEAR = {1994}, VOLUME = {37},
NUMBER = {8}, PAGES = {115-121}, MONTH = aug }

@TechReport{Landau94x,
Author={S. Landau and S. Kent and C. Brooks and S. Charney and D. Denning
and W. Diffie and A. Lauck and D. Miller and P. Neumann and D. Sobel},
TITLE = {Codes, Keys, and Conflicts: Issues in {U.S.} Crypto Policy},
INSTITUTION = {ACM}, YEAR = {1994}, MONTH = jun, NOTE =
{A summary of this report by the same authors is available as ``Crypto Policy
Perspectives'' in the {\it Communications of the ACM, 37,} 8, 115-121,
August 1994.} }

@InProceedings{Anderson94,
Author={R. Anderson}, Title={A Note on Correlation Attacks},
BookTitle={Proceedings of the 1994 Leuven conference},
Organization={}, Address={Leuven},
Year={1994}, Month=dec, pages={}}

@InProceedings{AndersonKuhn96,
Author={R. Anderson and M. Kuhn},
Title={Tamper Resistance --- a Cautionary Note},
BookTitle={Proceedings of the Second Usenix Workshop on Electronic Commerce},
Organization={USENIX}, Address={},
url={http://www.cl.cam.ac.uk/users/rja14/tamper.html},
Year={1996}, Month=nov, pages={1--11}}

@TechReport{Boneh+95,
author={D. Boneh and R.A. DeMillo and R.J. Lipton},
Title={},
institution= {Princeton University},
month ={}, Year=1995 }

@Article{Boneh+97,
Author={D. Boneh and R.A. DeMillo and R.J. Lipton},
Title={On the Importance of Checking Cryptographic Protocols for Faults},
Journal={Journal of Cryptology},
Volume = {14}, Number = {2},
Year={1997}, Month={}, pages={101--119},
url ="http://www.stanford.edu/\~{}dabo/abstracts/faults.html"}

@TechReport{Kocher95,
author={P. Kocher},
Title={Cryptanalysis of {Diffie-Hellman, RSA, DSS,} and
Other Systems Using Timing Attacks (extended abstract)},
institution= {Cryptography Research Inc.},
address={607 Market St, San Francisco, California 94105},
month ={December 7}, Year=1995 }

@InProceedings{Kocher96,
Author={P.C. Kocher},
Title={Timing Attacks on Implementations of {Diffie-Hellman},
{RSA}, {DSS}, and Other Systems},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Advances in Cryptology,
Proceedings of Crypto '96},
Organization={}, Address={Santa Barbara, California},
Year={1996}, Month=aug, pages={104--113}}

@InProceedings{AsonovAgrawal04,
Author={D. Asonov and R. Agrawal},
Title={Keyboard Acoustic Emanations},
BookTitle={Proceedings of the 2004 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2003}, Month=may, pages={3--11}}

@ARTICLE{ShamirTromer04,
Author={A. Shamir and E. Tromer},
TITLE = {Acoustic cryptanalysis: On nosy people and noisy machines},
JOURNAL = {preliminary proof-of-concept presentation},
YEAR = {2004}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {},
url ="http://www.wisdom.weizmann.ac.il/\~{}tromer/acoustic/" }

@book{DES-crack,
Author={Electronic Frontier Foundation},
Title={Cracking {DES}: Secrets of Encryption Research, Wiretap
  Politics \& Chip Design},
Publisher={O'Reilly and Associates, Sebastopol, California},
Year={1998},
Note = {See also the Risks Forum, volume 19, number 87, 17 July 1998.} }

@InProceedings{PetersenMichels97,
Author={H. Petersen and M. Michels},
Title={On Signature Schemes with Threshold Verification
   Detecting Malicious Verifiers},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Security Protocols,
Proceedings of 5th International Workshop},
Organization={}, Address={Paris, France},
Year={1997}, Month=apr, pages={67--77}}

@InProceedings{Kelsey+97,
Author={J. Kelsey and B. Schneier and D. Wagner},
Title={Protocol Interactions and the Chosen Protocol Attacks},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Security Protocols,
Proceedings of 5th International Workshop},
Organization={}, Address={Paris, France},
Year={1997}, Month=apr, pages={91--104}}

@InProceedings{Bao+97,
Author={F. Bao and R.H. Deng and Y. Han and A. Jeng and A.D. Narasimhalu
   and T. Ngair},
Title={Breaking Public Key Cryptosystems on Tamper Resistant Devices
   in the Presence of Transient Faults},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Security Protocols,
Proceedings of 5th International Workshop},
Organization={}, Address={Paris, France},
Year={1997}, Month=apr, pages={115---123}}

@InProceedings{AndersonKuhn97,
Author={R. Anderson and M. Kuhn},
Title={Low Cost Attacks on Tamper Resistant Devices},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, Security Protocols,
Proceedings of 5th International Workshop},
Organization={}, Address={Paris, France},
Year={1997}, Month=apr, pages={125--136}}

@InProceedings{Zabarsky98,
Author={J. Zabarsky},
Title={Failure Recovery for Distributed Processes in Single System Image
   Clusters},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, vol.~1388,
   Parallel and Distributed Processing},
Organization={}, Address={Berlin, Germany},
Year={1998}, Month=apr, pages={564--583}}

@book{RSI,
Author={Emil Pascarelli and Deborah Quilter},
Title={Repetitive Strain Injury: A Computer User's Guide},
Publisher={John Wiley and Sons, New York},
Year={1994} }

@InProceedings{Parker94,
Author = "D.B. Parker",
Title = "Demonstrating the Elements of Information Security with Threats",
Booktitle = "Proceedings of the Seventeenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1994",
Pages="", Month = "11-14 October"  }

@InProceedings{NISSC95N,
Author = "P.G. Neumann",
Title = "The Future of Formal Methods for Security: Overview statement",
Booktitle = "Proceedings of the Eighteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995",
Pages="", month=oct  }

@TechReport{NeumannBoucher96,
author={P.G. Neumann and P. Boucher},
Title={An Evaluation of the Security aspects of the {Army Technical
Architecture (ATA)} Document Drafts},
institution= {Computer Science Laboratory, SRI International},
Note = {Final report, SRI Project 7104-200, for U.S. Army CECOM,
Fort Monmouth, New Jersey},
address={Menlo Park, California}, month ={2 January}, Year=1996 }

@inProceedings{Neumann96CRC,
key="Neumann",Author="P.G. Neumann", Title="Security and Privacy Issues
in Computer and Communication Systems",
Booktitle="The Computer Science and Engineering Handbook (Chapter 89))",
Note =" (A.B. Tucker, ed.)", Publisher ="CRC Press, Inc.",Year="1996",Pages=""}

@inProceedings{Neumann03CRC,
key="Neumann",Author="P.G. Neumann", Title="Network Security and Privacy",
Booktitle="The Computer Science and Engineering Handbook, 2nd Edition",
Note =" (A.B. Tucker, ed.)", Publisher ="CRC Press, Inc.",Year="2003",
Pages=""}

@article{Neumann96Senate,
author = {P.G. Neumann},
title = {Security Risks in the Emerging Infrastructure},
journal = {Security in Cyberspace, Hearings, S. Hrg. 104-701},
Pages = "350-363", Month = jun, Year =  {1996},
Note = {ISBN 0-16-053913-7.
  Written testimony for the U.S. Senate Permanent Subcommittee on
  Investigations of the Senate Committee on Governmental Affairs.
  Oral testimony is on pages 106-111
(\xlink{http://www.csl.sri.com/neumann/senate96.html}{http://www.csl.sri.com/neumann/senate96.html})
},
}

@MANUAL{USSenate96,
author = {US-Senate},
title = {Security in Cyberspace},
organization = {U.S. Senate Permanent Subcommittee on Investigations
   of the Senate Committee on Governmental Affairs,
    Hearings, S. Hrg. 104-701},
Note = {ISBN 0-16-053913-7},
Pages = "", Month = jun, Year =  {1996} }

@InProceedings{Neumann98Senate,
Author = "P.G. Neumann",
Title = "Computer-Related Infrastructure Risks for Federal Agencies",
Booktitle = "Weak Computer Security in Government: Is the Public at Risk?
   Hearing, Senate Hearing 105-609, ISBN 0-16-057456-0",
Organization = "U.S. Government Printing Office",
Address = "Washington, D.C.",
Year = "1998", Pages ={52--70},
Month = "19 May",
NOTE ={(\xlink{http://www.csl.sri.com/neumann/senate98.html}{http://www.csl.sri.com/neumann/senate98.html});
Oral testimony is on pages 5--22.} }

@InProceedings{L0pht98Senate,
Author = "{Mudge et al.}",
Title = "Testimony of {L0pht Heavy Industries}",
Booktitle = "Weak Computer Security in Government: Is the Public at Risk?
   Hearing, Senate Hearing 105-609, ISBN 0-16-057456-0",
Organization = "U.S. Government Printing Office",
Address = "Washington, D.C.",
Year = "1998", Pages ={71--91},
Month = "19 May",
NOTE = {Oral testimony is on pages 22--41.} }

@inProceedings{Neumann97air,
key="Neumann",Author="P.G. Neumann", Title=
 "Computer Security in Aviation: Vulnerabilities, Threats, and Risks",
Booktitle="International Conference on Aviation Safety and Security
  in the 21st Century, White House Commission on Safety and Security, and
  George Washington University",
  Year="1997", Month= "January 13-15", Pages="",
  Note ="(\xlink{http://www.csl.sri.com/neumann/air.html}{http://www.csl.sri.com/neumann/air.html})"
}

@article{Cryptographers97,
author = {Hal Abelson and Ross Anderson and Steven M. Bellovin and
  Josh Benaloh and Matt Blaze and Whitfield Diffie and John Gilmore
  and Peter G. Neumann and Ronald L. Rivest and Jeffrey I. Schiller
  and Bruce Schneier},
title = {The Risks of Key Recovery, Key Escrow, and
  Trusted Third-Party Encryption},
journal = {World Wide Web Journal (Web Security: A Matter of Trust)},
NOTE = {This report was first distributed via the Internet on May 27, 1997.},
publisher = {O'Reilly \& Associates}, volume = {2}, number = {3},
pages = "241-257", month = {Summer}, year =  {1997} }

@article{Cryptographers98x,
author = {H. Abelson and R. Anderson and S.M. Bellovin and
  J. Benaloh and M. Blaze and W. Diffie and J. Gilmore
  and P.G. Neumann and R.L. Rivest and J.I. Schiller
  and B. Schneier},
title = {The Risks of Key Recovery, Key Escrow, and
  Trusted Third-Party Encryption},
journal = {(\xlink{http://www.cdt.org/crypto/risks98/}{http://www.cdt.org/crypto/risks98/})},
NOTE = {This is a reissue of the May 27, 1997 report, with a new
preface evaluating what happened in the intervening year.},
month = jun, year =  {1998} }

@InProceedings{Bellovin97,
Author = "S.M. Bellovin",
Title = "Probable Plaintext Cryptanalysis of the {IP} Protocols",
Booktitle= "Proceedings of the Symposium on Network and
   Distributed System Security",
Organization = "Internet Society", Year = "1997",
Pages="52--59", Month = feb  }

@PhDThesis{Bellovin82,
Author={S.M. Bellovin},
School={Department of Computer Science, University of North Carolina
   at Chapel Hill},
Title={Verifiably Correct Code Generation Using Predicate Transformers},
Year={1982}, Month=dec,
Note="(\xlink{http://www.research.att.com/\~{}smb/dissabstract.html}{http://www.research.att.com/\~{}smb/dissabstract.html})"
}

@InProceedings{NISSC95B,
Author = "R.W. Butler",
Title = "Formal Methods and {NASA}",
Booktitle = "Proceedings of the Eighteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995",
Pages="", month=oct  }

@InProceedings{NISSC95K,
Author = "R. Kurshan",
Title = "Algorithmic Verification",
Booktitle = "Proceedings of the Eighteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995",
Pages="", month=oct  }

@book{Kurshan94,
Author={R. Kurshan},
Title={Computer-Aided Verification of Coordinating Processes},
Publisher={Princeton University Press},
Address = {Princeton, New Jersey},
Year={1994} }

@ARTICLE{BoyerYu96,
	AUTHOR = {R.S. Boyer and Y. Yu},
  TITLE = {Automated proofs of object code for a widely used microprocessor},
  Journal={Journal of the ACM},
	YEAR = {1996}, VOLUME = {43}, NUMBER = {1}, PAGES = {529--543},
	MONTH = jan  }

@InProceedings{NISSC95L,
Author = "W. Legato",
Title = "Formal Methods: Changing Directions",
Booktitle = "Proceedings of the Eighteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1995",
Pages="", month=oct  }

@TechReport{JohnsonNSA+95,
author={D.R. Johnson and F.F. Saydjari and J.P. {Van Tassel}},
Title={{MISSI} Security Policy: A Formal Approach},
institution= {NSA R2SPO-TR001-95},
address={}, month ={18 August}, Year=1995 }

@article{Saiedian+,
author={H. {Saiedian et al.}},
title = {An Invitation to Formal Methods},
journal = {Computer}, year = {1996}, volume = {29},
number = {4}, pages = {16-30}, month = apr }

@book{SmartCards,
Author={J.L. Zoreda},
Title={Smart Cards},
Publisher={Artech House, Boston, Massachusetts},
Year={1994} }

@book{Orr90,
Author={K. Orr},
Title={The One Minute Methodology},
Publisher={Dorset House, New York},
Year={1990} }

@ARTICLE{MacKenzie94,
Author={D. MacKenzie},
TITLE = {Computer-related accidental death: an empirical exploration},
JOURNAL = {Science and Public Policy}, YEAR = {1994}, VOLUME = {21},
NUMBER = {4}, PAGES = {233-248}, MONTH = aug }

@ARTICLE{MacKenzie95,
Author={D. MacKenzie},
TITLE = {The Automation of Proof: A Historical and Sociological Explanation},
JOURNAL = {IEEE Annals of the History of Computing}, YEAR = {1995},
VOLUME = {17}, NUMBER = {3}, PAGES = {7--29}, MONTH = {Fall} }

@InProceedings{RoscoeWulf95,
Author={A.W. Roscoe and L. Wulf},
Title={Composing and Decomposing Systems under Security Properties},
BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop},
Address={Kenmare, County Kerry, Ireland},
Year={1995},Month=jun,Pages={}  }

@InProceedings{ZakinthinosLee95,
Author={A. Zakinthinos and E.S. Lee},
Title={The Composability of Non-Interference},
BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop},
Address={Kenmare, County Kerry, Ireland},
Year={1995},Month=jun,Pages={}  }

@InProceedings{ZakinthinosLee98,
Author={A. Zakinthinos and E.S. Lee},
Title={Composing Secure Systems that have Emergent Properties},
BookTitle={Proceedings of the 11th IEEE Computer Security
   Foundations Workshop},
Address={Rockport, Massachusetts},
Year={1998},Month=jun,Pages={117--122}  }

@InProceedings{Maneki95,
Author={A.P. Maneki},
Title={Algebraic Properties of System Composition in the {Loral},
   {Ulysses} and {McLean} Trace Models},
BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop},
Address={Kenmare, County Kerry, Ireland},
Year={1995},Month=jun,Pages={}  }

@InProceedings{Mao95,
Author={W. Mao},
Title={An Augmentation of {BAN}-Like Logics},
BookTitle={Proceedings of the 8th IEEE Computer Security Foundations Workshop},
Address={Kenmare, County Kerry, Ireland},
Year={1995},Month=jun,Pages={}  }

@PhDThesis{Hinton95,
Author={H.M. Hinton}, School={University of Toronto},
Title={Composable Safety and Progress Properties},
Year={1995}, Month={} }

@InProceedings{Knight+94,
Author = {J.C. Knight and J.C. Prey and W.A. Wulf},
Title = {Undergraduate Computer Science Education: A New Curriculum
         Philosophy and Overview},
Booktitle = {Proceedings of the ACMCSE},
Organization = {}, Address = {Phoenix, Arizona},
Year = {1994},
Pages={}, Month = mar }

@InProceedings{Browne96,
Author={J.C. Browne},
TITLE = {Compositional Development for Parallel Object-Oriented Systems},
Booktitle = {Proceedings of the Second International Workshop on
             Object-oriented Real-time Dependable Systems (WORDS 96)},
Organization = {IEEE Computer Society Technical Committee on Distributed Processing},
Address = {Laguna Beach, California}, Year = {1996}, Pages={}, Month = feb }

@Article{Sibert+96,
Title="An Analysis of the {Intel}
       80x86 Security Architecture and Implementations",
Author="O. Sibert and P.A. Porras and R. Lindell",
Journal="{IEEE} Transactions on Software Engineering",
Year="1996", Volume="SE-22", Number="4", Month=may,
Page="283--293" }

@Article{Corbett96,
Title="Evaluating Deadlock Detection Methods for Concurrent Software",
Author="J.C. Corbett",
Journal="{IEEE} Transactions on Software Engineering",
Year="1996", Volume="SE-22", Number="3", Month=mar,
Page="161--180" }

@PhDThesis{Perlman88,
Author={R. Perlman},
School={MIT, Cambridge, Massachusetts},
Title={Network Layer Protocols with {Byzantine} Robustness},
Year={1988}, Month={} }

@book{Wayner96,
Author={P. Wayner},
Title={Disappearing Cryptography: Being and Nothingness on the Net},
Publisher={AP Professional (Academic Press), Chestnut Hill, Massachusetts},
Year={1996} }

@book{Wayner02,
Author={P. Wayner},
Title={Translucent Databases},
Publisher={Flyzone Press, Baltimore, Maryland},
Year={2002} }

@InProceedings{Dean+96,
Author={D. Dean and E.W. Felten and D.S. Wallach},
Title={{Java} Security: From {HotJava} to {Netscape} and Beyond},
BookTitle={Proceedings of the 1996 Symposium on
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1996}, Month=may, pages={190--200}}

@book{McGrawFelten97,
Author={G. McGraw and E.W. Felten},
Title={{Java} Security: Hostile Applets, Holes, and Antidotes},
Publisher={John Wiley and Sons, New York},
Year={1997} }

@book{McGrawFelten99,
Author={G. McGraw and E.W. Felten},
Title={Securing {Java}: Getting Down to Business with Mobile Code},
Publisher={John Wiley and Sons, New York},
Note={This is the second edition of~\cite{McGrawFelten97}.},
Year={1999} }

@book{FriedmanVoas95,
Author={M. Friedman and J.M. Voas},
Title={Software Assessment: Reliability, Safety, and Testability},
Publisher={John Wiley and Sons, New York},
Year={1998} }

@book{VoasMcGraw98,
Author={J.M. Voas and G. McGraw},
Title={Software Fault Injection: Inoculating Programs Against Errors},
Publisher={John Wiley and Sons, New York},
Year={1998} }

@book{ViegaMcGraw02,
Author={J. Viega and G. McGraw},
Title={Building Secure Software: How to Avoid Security Problems the
  Right Way},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2002} }

@book{McGraw06,
Author={G. McGraw},
Title={Software Security: Building Secure In},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2006} }

@Article{Kulkarni97,
  author = {S.S. Kulkarni and A. Arora},
  title =  {Compositional Design of Multitolerant Repetitive {Byzantine}
     Agreement},
  journal =      {Proceedings of the Seventeenth International Conference on
   Foundations of Software Technology and Theoretical Computer Science,
   Kharagpur, India},
  year =         {1997},
  month =     dec,
  pages =     {169-183},
}

@Article{AroraKulkarni98Multitolerance,
  author =       {A. Arora and S.S. Kulkarni},
  title =        {Component Based Design of Multitolerance},
  journal =      {IEEE Transactions on Software Engineering},
  year =         {1998},
  volume =       {24},
  number =       {1},
  month =        jan,
  pages =        {63--78},
}

@InProceedings{AroraKulkarni98Detectors,
  author = {A. Arora and S.S. Kulkarni},
  title =  {Detectors and Correctors: A Theory of Fault-Tolerance Components},
  booktitle = {Proceedings of the Eighteenth International Conference on
  Distributed Computing Systems}, Month=may, Year={1998}, pages={},
  organization = {IEEE Computer Society} }

@InProceedings{LeLann98a,
Author={G. {Le Lann}},
Title={Predictability in Critical Systems},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science,
   Formal Techniques in Real-Time and Fault-Tolerant Systems},
Organization={}, Address={Lyngby, Denmark},
Year={1998}, Month=sep, pages={}}

@InProceedings{LeLann98b,
Author={G. {Le Lann}},
Title={Proof-Based System Engineering and Embedded Systems},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science,
   Embedded Systems},
Organization={}, Address={},
Year={1998}, Month={}, pages={}}

@Article{Fugetta+98,
  author =       {A. Fuggetta and G.P. Picco and G. Vigna},
  title =        {Understanding Code Mobility},
  journal =      {IEEE Transactions on Software Engineering},
  year =         {1998},
  volume =       {24},
  number =       {5},
  month =        may,
  pages =        {342--361},
}

@Article{Heitmeyer+98,
  author =       {C. Heitmeyer and J. {Kirby, Jr.} and B. Labaw and
      M. Archer and R. Bharadwaj},
  title =        {Using Abstraction and Model Checking to Detect
      Safety Violations in Requirements Specifications},
  journal =      {IEEE Transactions on Software Engineering},
  year =         {1998},
  volume =       {24},
  number =       {11},
  month =        nov,
  pages =        {927--948},
}

@Article{Feather98,
  author =       {M. Feather},
  title =        {Rapid Application of Lightweight Formal Methods
     for Consistency Analyses},
  journal =      {IEEE Transactions on Software Engineering},
  year =         {1998},
  volume =       {24},
  number =       {11},
  month =        nov,
  pages =        {949--959},
}

@PhDThesis{Blume97,
Author={M. Blume},
School={Computer Science Department, Princeton University},
Title={Hierarchical Modularity and Intermodule Optimization},
Year={1997}, Month=nov }

@ARTICLE{BlumeAppel97,
Author={M. Blume and A.W. Appel},
TITLE = {Hierarchical Modularity: Compilation Management for Standard ML},
JOURNAL = {}, YEAR = {1997}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = {} }

@Article{BauerAppelFelten03,
   Author={L. Bauer and A.W. Appel and E.W. Felten},
   Journal={Software--Practice and Experience},
   Title={Mechanisms for Secure Modular Programming in {Java}},
   Year={2003},
   Month={},
   Pages={461--480},
   Volume={33},
   Number={}
   }

@article{BlumeAppel99,
    author = "M. Blume and A.W. Appel",
    title = "Hierarchical modularity",
    journal = "ACM Transactions on Programming Languages and Systems",
    volume = "21",
    number = "4",
    pages = "813--847",
    year = "1999",
    url = "citeseer.nj.nec.com/blume98hierarchical.html" }

@inproceedings{HarperLilligridge94,
  author = "R. Harper and M. Lillibridge",
  title = "A type-theoretic approach to higher-order modules with sharing",
  booktitle = "Conference Record of {POPL '94}: 21st {ACM {SIGPLAN}-{SIGACT}}
       {S}ymposium on {P}rinciples of {P}rogramming {L}anguages",
  month = jan,
  address = "Portland, Oregon",
  pages = "123--137",
  year = "1994",
  url = "citeseer.nj.nec.com/harper94typetheoretic.html" }

@InProceedings{Bren91,
Author = "J. Brentano and S.R. Snapp and G.V. Dias and T.L. Goan and
 L.T. Heberlein and C.H. Ho and K.N. Levitt and B. Mukherjee",
Key = "Bren91",
Title = "An Architecture for a Distributed Intrusion Detection System",
Booktitle = "Fourteenth Department of Energy
   Computer Security Group Conference",
Organization = "Department of Energy", Address = "Concord, California",
Year = "1991", Pages="25-45 in section 17", Month = May  }

@TechReport{Cros95,
author={M. Crosbie and E.H. Spafford}, key ={Cros95},
Title={Active Defense of a Computer System Using Autonomous Agents},
institution= {Department of Computer Sciences, CSD-TR-95-008},
address={Purdue University, West Lafayette, Indiana}, month ={}, Year=1995 }

@InProceedings{Hebe91,
Author = "T.L Heberlein and B. Mukherjee and K.N. Levitt", Key = {Hebe91},
Title = "A Method to Detect Intrusive Activity in a Networked Environment",
Booktitle = "Proceedings of the Fourteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Washington, D.C.", Year = "1991",
Pages="362-371", month=oct }

@PhDThesis{Ko96,
Author={C. Ko},
School={Computer Science Department, University of California at Davis},
Title={Execution Monitoring of Security-Critical Programs in a Distributed
       System: A Specification-Based Approach},
Year={1996}, Month={} }

@ARTICLE{Jako93,
Author={G. Jakobson and M.D. Weissman}, key = {Jako93},
TITLE = {Alarm Correlation},
JOURNAL = {IEEE Network}, YEAR = {1993}, VOLUME = {},
NUMBER = {}, PAGES = {52-59}, MONTH = nov }

@ARTICLE{Mans93,
Author={M. Mansouri-Samani and M. Sloman}, key = {Mans93},
TITLE = {Monitoring Distributed Systems},
JOURNAL = {IEEE Network}, YEAR = {1993}, VOLUME = {},
NUMBER = {}, PAGES = {20-30}, MONTH = nov }

@InProceedings{Meye95,
Author = "K. Meyer and M. Erlinger and J. Betser and C. Sunshine and
  G. Goldszmidt and Y. Yemini", Key = "Meye95",
Title = "Decentralizing Control and Intelligence in Network Management",
Booktitle = "Proceedings of the Fourth International Symposium on
  Integrated Network Management (IFIP/IEEE),
  Santa Barbara, California, May 1995",
Organization = "Chapman \& Hall, London, England",
Year = "1995", Pages="4-16"  }

@Article{Ricc97,
Author = "L. Ricciulli and N. Shacham", key= "Ricc97",
Title = "Modelling correlated alarms in network management systems",
Journal = "Communications Networks and Distributed Systems Modeling
  and Simulation", Year = "1997"}

@InProceedings{SCLH95,
Author={S. Saniford-Chen and L.T. Heberlein},
Title={Holding Intruders Accountable on the {Internet}},
BookTitle={Proceedings of the 1995 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1995}, Month=may, pages={}}

@InProceedings{Klig95,
Author={S. Kliger and S. Yemini and Y. Yemini and D. Ohsie and S. Stolfo},
  Key ={Klig96},
TITLE = {A coding approach to event correlation},
Booktitle = "Proceedings of the Fourth International Symposium on
  Integrated Network Management (IFIP/IEEE),
  Santa Barbara, California, May 1995",
Organization = "Chapman \& Hall, London, England",
YEAR = {1995}, PAGES = {266-277} }

@InProceedings{Wies95,
Author = "R. Wies",
Title = "Using a Classification of Management Policies for Policy
  Specification and Policy Transformation",
Booktitle = "Proceedings of the Fourth International Symposium on
  Integrated Network Management (IFIP/IEEE),
  Santa Barbara, California, May 1995",
Organization = "Chapman \& Hall, London, England",
Year = "1995", Pages="44--56"  }

@InProceedings{Alpers+95,
Author = "B. Alpers and H. Plansky",
Title = "Concepts and Application of Policy-Based Management",
Booktitle = "Proceedings of the Fourth International Symposium on
  Integrated Network Management (IFIP/IEEE),
  Santa Barbara, California, May 1995",
Organization = "Chapman \& Hall, London, England",
Year = "1995", Pages="57--68"  }

@InProceedings{Putter+95,
Author = "P. Putter and J. Bishop and J. Roos",
Title = "Toward Policy Driven Systems Management",
Booktitle = "Proceedings of the Fourth International Symposium on
  Integrated Network Management (IFIP/IEEE),
  Santa Barbara, California, May 1995",
Organization = "Chapman \& Hall, London, England",
Year = "1995", Pages="69--80"  }

@InProceedings{Lowe96,
Author={G. Lowe},
Title={Breaking and fixing the {Needham-Schroeder} public-key protocol:
   {A} comparison of two approaches},
BookTitle={Springer-Verlag, Berlin,
   Lecture Notes in Computer Science, vol.~1055,
   2nd International Workshop on Tools and Algorithms for
   the Construction and Analysis of Systems},
Organization={}, Address={},
Year={1998}, Month={}, pages={147-166}}

@InProceedings{Mitchell+97,
Author={J.C. Mitchell and M. Mitchell and U. Stern},
Title={Automated Analysis of Cryptographic Protocols Using Mur$\varphi$},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={141--151}}

@InProceedings{Syverson97,
Author={P.F. Syverson and D.M. Goldschlag and M.G. Reed},
Title={Anonymous Connections and Onion Routing},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={44-54}}

@InProceedings{Moriconi97,
Author={M. Moriconi and X. Qian and R.A. Riemenschneider and L. Gong},
Title={Secure Software Architectures},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={94-93}}

@InProceedings{Zakinthos97,
Author={A. Zakinthos and E.S. Lee},
Title={A General Theory of Security Properties},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={94-102}}

@InProceedings{Lindqvist,
Author={U. Lindqvist and E. Jonsson},
Title={How to Systematically Classify Computer System Intrusions},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={154-163}}

@book{Amoroso99,
Author={E. Amoroso},
Title={Intrusion Detection: An Introduction to Internet Surveillance,
Correlation, Trace Back, Traps, and Response},
Publisher={Intrusion.Net Books},
Year={1999} }

@InProceedings{Ammann97,
Author={P. Ammann and S. Jajodia and C.D. McCollum and B.T. Blaustein},
Title={Surviving Information Warfare Attacks on Databases},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={164-174}}

@InProceedings{Ko97,
Author={C. Ko and M. Ruschitzka and K. Levitt},
Title={Execution Monitoring of Security-Critical Programs in
      Distributed Systems: A Specification-Based Approach},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={175-187}}

@InProceedings{Gligor98,
Author={V.D. Gligor and S.I. Gavrila},
Title={Application-Oriented Security Policies
   and Their Composition},
BookTitle={Proceedings of the 1998 Workshop on
  Security Paradigms},
Organization={}, Address={Cambridge, England},
Year={1998}, Month={}, pages={}}

@InProceedings{GligorGavrila98,
Author={V.D. Gligor and S.I. Gavrila and D. Ferraiolo},
Title={On the Formal Definition of Separation-of-Duty Policies and their
   Composition},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@book{ShimomuraMarkoff,
Author={T. Shimomura and J. Markoff},
Title={Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most
Wanted Computer Outlaw -- By the Man Who Did It},
Publisher={Hyperion, New York, New York}, Year={1996} }

@book{AlexanderC,
Author={C. Alexander},
Title={The Timeless Way of Building},
Publisher={Oxford University Press, Oxford, England},
Year={1979} }

@book{Coplien95,
Author = {J.O. Coplien and D.C. {Schmidt (eds.)}},
Title = {Pattern Languages of Program Design},
Publisher = {Addison-Wesley, Reading, Massachusetts},
Year = {1995} }

@book{Forrester94,
Author = {T. Forester and P. Morrison},
title = {Computer Ethics (2nd ed.)},
Publisher = {The MIT Press, Cambridge, Massachusetts},
Year = {1994}}

@book{DiffieLandau98,
Author={W. Diffie and S. Landau},
Title={Privacy on the Line: The Politics of Wiretapping and Encryption},
Publisher={MIT Press},
Year={1998} }

@book{Agre97,
Author={P.E. Agre},
Title={Computation and Human Experience},
Publisher={Cambridge University Press},
Year={1997} }

@book{AgreRotenberg97,
Author={P.E. Agre and M. {Rotenberg, editors}},
Title={Technology and Privacy: The New Landscape},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1997} }

@book{SchneierBanisar97,
Author={B. Schneier and D. Banisar},
Title={The Electronic Privacy Papers},
Publisher={John Wiley and Sons, New York},
Year={1997} }

@ARTICLE{Ewusi-Mensah97,
Author={K. Ewusi-Mensah},
TITLE={Critical Issues in Abandoned Information Systems Development Projects},
JOURNAL = {Communications of the ACM}, YEAR = {1997}, VOLUME = {40},
NUMBER = {9}, PAGES = {74--80}, MONTH = sep }

@ARTICLE{BrynHitt98,
Author={E. Brynjolfsson and L.M. Hitt},
TITLE={Beyond the Productivity Paradox},
JOURNAL = {Communications of the ACM}, YEAR = {1998}, VOLUME = {41},
NUMBER = {8}, PAGES = {11--12}, MONTH = aug }

@InProceedings{RothfussParrett97,
Author = "J.S. Rothfuss and J.W. Parrett",
Title = "Go ahead, visit those {Websites}, you can't get hurt ... can you? ",
Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="80--94", month=oct  }

@TechReport{PCCIP,
author={T. {Marsh (ed.)}},
Title={{Critical Foundations: Protecting America's Infrastructures}},
institution= {President's Commission on Critical Infrastructure Protection},
address={}, month =oct, Year=1997 }

@InProceedings{Felten97+,
Author = "E.W. Felten and D. Balfanz and D. Dean and D.S. Wallach",
Title = "Web spoofing: An {Internet} con game",
Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="95--103", month=oct  }

@InProceedings{Ladue97,
Author = "M.D. Ladue",
Title = "When {Java} was one: Threats from hostile byte code",
Booktitle="Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="104--115", month=oct  }

@InProceedings{GongQian94,
Author={L. Gong and X. Qian},
Title={The Complexibility and Composability of Secure Interoperation},
BookTitle={Proceedings of the 1994 Symposium on Research in
Security and Privacy}, Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1994}, Month=may, pages={190--200}}

@InProceedings{Gong+97,
Author = {L. Gong and M. Mueller and H. Prafullchandra and R. Schemers},
Title = {Going Beyond the Sandbox: An Overview of the New Security
  Architecture in the {Java Development Kit} 1.2},
Booktitle = {Proceedings of the USENIX Symposium on Internet Technologies
  and Systems},
Organization = {}, Address = {Monterey, California},
Year = {1997},
Pages={}, Month = dec }

@InProceedings{Gong+98,
Author = {L. Gong and R. Schemers},
Title = {Implementing Protection Domains in the {Java Development Kit} 1.2},
Booktitle = {Proceedings of the Internet Society Symposium on Network and
  Distributed System Security},
Organization = {}, Address = {San Diego, California},
Year = {1998},
Pages={}, Month = mar }

@Book{Gong99,
Author={L. Gong},
Title={Inside Java(TM) 2 Platform Security: Architecture, {API} Design,
  and Implementation},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1999} }

@article{FeustelMayfield98,
author={E.A. Feustel and T. Mayfield},
title = {The {DGSA}: Unmet Information Security Challenges for
  Operating System Designers},
journal = {Operating Systems Review}, volume = {32}, number = {1},
pages = {3--22}, month = jan, year = {1998}}

@InProceedings{LowmanMosier97,
Author = {T. Lowman and D. Mosier},
Title = {Applying the {DoD} {Goal} {Security} {Architecture} as a Methodology
  for the Development of System and Enterprise Security Architectures},
Booktitle = {Proceedings of the Thirteenth Annual Computer Security
  Applications Conference},
Organization = {IEEE Computer Society}, Address = {San Diego, California},
Year = {1997},
Pages={183--193}, Month = dec }

@InProceedings{Kang+96,
Author = {M.H. Kang and I. Moskowitz and B. Montrose and J. Parsonese},
Title = {A Case Study of Two {NRL} Pump Prototypes},
Booktitle = {Proceedings of the Twelfth Annual Computer Security
  Applications Conference},
Organization = {IEEE Computer Society}, Address = {San Diego, California},
Year = {1996},
Pages={32--43}, Month = dec }

@InProceedings{Davidson96,
Author = {J.A. Davidson},
Title = {Asymmetric Isolation},
Booktitle = {Proceedings of the Twelfth Annual Computer Security
  Applications Conference},
Organization = {IEEE Computer Society}, Address = {San Diego, California},
Year = {1996},
Pages={44--54}, Month = dec }

@InProceedings{Anderson+96,
Author = {M. Anderson and C. North and J. Griffin and J. Yesberg and K. Yiu},
Title = {Starlight: Interactive Link},
Booktitle = {Proceedings of the Twelfth Annual Computer Security
  Applications Conference},
Organization = {IEEE Computer Society}, Address = {San Diego, California},
Year = {1996},
Pages={55--63}, Month = dec }

@InProceedings{Kang+97,
Author = {M.H. Kang and J.N. Froscher and I.S. Moskowitz},
Title = {An Architecture for Multilevel Secure Interoperability},
Booktitle = {Proceedings of the Thirteenth Annual Computer Security
  Applications Conference},
Organization = {IEEE Computer Society}, Address = {San Diego, California},
Year = {1997},
Pages={194--204}, Month = dec }

@InProceedings{Pollitt97,
Author = "M. Pollitt",
Title = "Cyberterrorism: Fact or fancy?",
Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="285--289", month=oct  }

@InProceedings{Alves-Foss97,
Author = "J. Alves-Foss",
Title = "The Use of Belief Logics in the Presence of Causal Consistency
  Attacks",
Booktitle = "Proceedings of the Nineteenth National Computer Security Conference",
Organization = "NIST/NCSC", Address = "Baltimore, Maryland", Year = "1997",
Pages="406--417", month=oct  }

@techreport{Lincoln+94,
	AUTHOR = {P.D. Lincoln and N. Marti-Oliet and J. Meseguer},
	TITLE = {Specification, Transformation, and Programming
		of Concurrent Systems in Rewriting Logic},
	NUMBER = {SRI-CSL-94-11},
	INSTITUTION = {Computer Science Laboratory, SRI International},
	YEAR = "1994",
	ADDRESS = "Menlo Park, California",
	MONTH = may,
}

@InProceedings{Meseguer93,
Author = "J. Meseguer",
Title = "A Logical Theory of Concurrent Objects and its
  Realization in the {Maude} Language",
Booktitle = "Research Directions on Concurrent Object-Oriented Programming",
editors = {P. Wegner and A. Yonezawa},
Publisher = {MIT Press, Cambridge, Massachusetts},
Year = "1993" }

@TechReport{JTA97,
author={{Department of the Army}},
Title={{Joint Technical Architecture,} Version 5.0},
institution= {Office of the Secretary of the Army},
address={}, month =sep, Year=1997 }

@InProceedings{Green97,
Author = "P. Green",
Title = "The Art of Creating Reliable Software-based Systems Using
  Off-the-Shelf Software Components",
Booktitle = "Proceedings of the
  Sixteenth International Symposium on Reliable Distributed Systems",
Organization = "IEEE Computer Society",
Address = {Durham, North Carolina}, Year = "1997",
Pages="118--120", Month = "22-24 October"  }

@InProceedings{Arbaugh+97,
Author={W.A. Arbaugh and D.J. Farber and J.M. Smith},
Title={A Secure and Reliable Bootstrap Architecture},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={65--71}}

@InProceedings{Arbaugh+98a,
Author={W.A. Arbaugh and A.D. Keromytis and D.J. Farber and J.M. Smith},
Title={Automated Recovery in a Secure Bootstrap Process},
BookTitle={Proceedings of the 1998 Network and Distributed System
  Security Symposium},
Organization={Internet Society}, Address={San Diego, California},
Year={1998}, Month=mar, pages={}}

@Article{Arbaugh+98b,
Author={W.A. Arbaugh and J.R. Davin and D.J. Farber and J.M. Smith},
Title={Security for Private Intranets},
Journal={IEEE Computer},
Volume={31},
number={9},
pages = {48--55},
Note = {Special issue on broadband networking security.},
Year={1998} }

@Article{MelliarMoser98,
   Author={P.M. Melliar-Smith and L.E. Moser},
   Journal={Computer},
   Title={Surviving Network Partitioning},
   Year={1998},
   Month=mar,
   Pages={62--68},
   Volume={31},
   Number={3}
   }

@InProceedings{Raynal98,
Author={M. Raynal},
Title={A Case Study of Agreement Problems in Distributed Systems:
   Non-Blocking Atomic Commitment},
BookTitle={Proceedings of the 1997 High-Assurance Systems
   Engineering Workshop},
Organization={IEEE Computer Society}, Address={Washington, D.C.},
Year={1997}, Month=aug, pages={209--214}}

@InProceedings{NeculaLee97,
Author={G.C. Necula and P. Lee},
Title={Research on Proof-Carrying Code for Untrusted-Code Security},
BookTitle={Proceedings of the 1997 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1997}, Month=may, pages={204}}

@PhDThesis{Necula98,
Author={G.C. Necula},
School={Computer Science Department, Carnegie-Mellon University},
Title={Compiling with Proofs},
Year={1998}, Month={} }

@PhDThesis{Dean99,
Author={D. Dean},
School={Computer Science Department, Princeton University},
Title={Formal Aspects of Mobile Code Security},
Note =
{(\xlink{http://www.cs.princeton.edu/sip/pub/ddean-dissertation.php3}{http://www.cs.princeton.edu/sip/pub/ddean-dissertation.php3})},
Year={1999}, Month=jan }

@PhDThesis{Wallach99,
Author={D.S. Wallach},
School={Computer Science Department, Princeton University},
Title={A New Approach to Mobile Code Security},
Note =
{(\xlink{http://www.cs.rice.edu/\~{}dwallach/}{http://www.cs.rice.edu/\~{}dwallach/})},
Year={1999}, Month=jan }

@PhDThesis{Stringer-Calvert98,
Author={D.W.J. Stringer-Calvert},
School={Department of Computer Science, University of York},
Title={Mechanical Verification of Compiler Correctness},
Year={1998}, Month={} }

@TechReport{Dold+02,
author={A. Dold and F.W. von Henke and V. Vialard and W. Goerigk},
Title="A Mechanically Verified Compiling Specification for
  a Realistic Compiler",
type={Technical Report {UIB} 03-02},
institution="Universit{\"a}t Ulm, Fakult{\"a}t f{\"u}r Informatik",
address={Ulm, Germany},
Month = dec, Year=2002 }

@TechReport{Dold++02,
author={A. Dold and F.W. von Henke and V. Vialard and W. Goerigk},
Title="A Mechanically Verified Compiling Specification for
  a Realistic Compiler",
type={Technical Report {UIB} 03-02},
institution="Universit{\"a}t Ulm, Fakult{\"a}t f{\"u}r Informatik",
address={Ulm, Germany},
Month = dec, Year=2002,
NOTE = "\xlink{http://www.informatik.uni-ulm.de/ki/Verifix/initcomp\_uib-02-03.html}{http://www.informatik.uni-ulm.de/ki/Verifix/initcomp_uib-02-03.html}" }

@PhDThesis{Prasad98,
Author={D. Prasad},
School={Department of Computer Science, University of York},
Title={Dependable Systems Integration Using the Theories of
   Measurement and Decision Analysis},
Year={1998}, Month=aug }

@InProceedings{Prasad98b,
Author = {D. Prasad and J. McDermid},
Title = {Dependability Evaluation using a Multi-Criteria
   Decision Analysis Procedure},
Booktitle = {To appear},
Year = "1999",
Pages="", Month = "" }

@Proceedings{CNLS,
Editor={S. Forrest},
Title={Emergent Computation},
ORGANIZATION={Proceedings of the Ninth Annual CNLS Conference},
Address ={MIT Press, Cambridge, Massachusetts},
Month={},
Year={1991} }

@InProceedings{Hinton97,
Author={H.M. Hinton},
Title={Under-Specification, Composition, and Emergent Properties},
BookTitle={Proceedings of the 1997 New Security Paradigms Workshop},
Organization={ACM SIGSAC}, Address={Langdale, Cumbria, United Kingdom},
Year={1997}, Month=sep, pages={83--93}}

@InProceedings{Hinton98,
Author={H.M. Hinton},
Title={Composing Partially-Specified Systems},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{Bradley+98,
Author={K.A. Bradley and B. Mukherjee and R.A. Olsson and N. Puketza},
Title={Detecting Disruptive Routers:
  A Distributed Network Monitoring Approach},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{Trostle98,
Author={J.T. Trostle},
Title={Timing Attacks Against Trusted Path},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{Malkhi+98,
Author={D. Malkhi and M.K. Reiter and A.D. Rubin},
Title={Secure Execution of {Java} Applets using a Remote Playground},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{WallachFelten98,
Author={D.S. Wallach and E.W. Felten},
Title={Understanding {Java} Stack Inspection},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{SanderTschudin98,
Author={T. Sander and C.F. Tschudin},
Title={Towards Mobile Cryptography},
BookTitle={Proceedings of the 1998 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1998}, Month=may, pages={}}

@InProceedings{Salter+98,
author={C. Salter and O.S. Saydjari and B. Schneier and J. Wallner},
Title={Toward A Secure System Engineering Methodology},
BookTitle = {New Security Paradigms Workshop},
NOTE= {(\xlink{http://www.counterpane.com/secure-methodology.html}{http://www.counterpane.com/secure-methodology.html}), Draft was at
\xlink{http://www.hokie.bs1.prc.com/ipa/PREPUB\~{}2.html}{http://www.hokie.bs1.prc.com/ipa/PREPUB\~{}2.html}},
address={}, month =sep, Year=1998 }

@TechReport{Blumenstiel85,
author={A.D. Blumenstiel},
Title={Security Assessment Considerations for {ADL ADP} Systems},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1985 }

@TechReport{Blumenstiel86a,
author={A.D. Blumenstiel},
Title={Potential Consequences of and Countermeasures for Advanced Automation
   System Electronic Penetration},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1986 }

@TechReport{Blumenstiel86b,
author={A.D. Blumenstiel},
Title={{FAA} Computer Security Candidate Countermeasures for Electronic
   Penetration of {ADP} Systems},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1986 }

@TechReport{Blumenstiel86c,
author={A.D. Blumenstiel},
Title={Operation Manual for the {HH-65A} Data Link},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1986 }

@TechReport{BlumenstielManning86,
author={A.D. Blumenstiel and P.E. Manning},
Title={{Advanced Automation System} Vulnerabilities to Electronic Attack},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month =jul, Year=1986 }

@TechReport{Blumenstiel87,
author={A.D. Blumenstiel},
Title={Guidelines for {National Airspace System} Electronic Security},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1987 }

@TechReport{Blumenstiel88a,
author={A.D. Blumenstiel},
Title={{Federal Aviation Administration} Computer Security Plans},
institution= {U.S. Department of Transportation/RSPA/Volpe Center,
produced by Science Resources Associates},
address={Cambridge, Massachusetts}, month ={}, Year=1988 }

@TechReport{Blumenstiel88b,
author={A.D. Blumenstiel},
Title={{National Airspace System} Electronic Security},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1988 }

@TechReport{Blumenstiel88c,
author={A.D. Blumenstiel and J. Itz},
Title={{National Airspace System} {Data Interchange Network}
  Electronic Security},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1988 }

@TechReport{Blumenstiel90,
author={A.D. Blumenstiel},
Title={{Federal Aviation Administration AIS} Security Accreditation Guidelines},
institution= {National Institute on Standards and Technology},
address={Gaithersburg, Maryland}, month ={}, Year=1990 }

@TechReport{Blumenstiel91,
author={A.D. Blumenstiel},
Title={{Federal Aviation Administration AIS} Security
   Accreditation Application Design},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1991 }

@TechReport{Blumenstiel92a,
author={A.D. Blumenstiel},
Title={{Federal Aviation Administration AIS} Security Accreditation Program
   Instructions},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1992 }

@TechReport{Blumenstiel92b,
author={A.D. Blumenstiel},
Title={{Federal Aviation Administration} Sensitive Application Security
   Accreditation Guideline},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1992 }

@TechReport{Blumenstiel93,
author={A.D. {Blumenstiel et al.}},
Title={{Federal Aviation Administration} Report to {Congress} on Air Traffic
  Control Data and Communications Vulnerabilities and Security},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1993 }

@TechReport{Blumenstiel94,
author={A.D. Blumenstiel},
Title={Briefing on Electronic Security in the {Communications,} {Navigation}
  and {Surveillance} {(CNS)} Environment},
institution= {U.S. Department of Transportation/RSPA/Volpe Center},
address={Cambridge, Massachusetts}, month ={}, Year=1994 }

@TechReport{HeathTeramac97,
Author={J.R. Heath and P.J. Kuekes and R.S. Williams},
TITLE = {A Defect Tolerant Architecture for Chemically Assembled Computers:
  The Lessons of {Teramac} for the Aspiring Nanotechnologist},
institution ={UCLA},
YEAR = {1997}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {},
NOTE = {(\xlink{http://neon.chem.ucla.edu/\~{}schung/Hgrp/teramac.html}{http://neon.chem.ucla.edu/\~{}schung/Hgrp/teramac.html})}
}

@ARTICLE{Vaidya98,
Author={N.H. Vaidya},
TITLE = {A Case for Two-Level Recovery Schemes},
JOURNAL = {IEEE Transactions on Computers}, YEAR = {1998}, VOLUME = {47},
NUMBER = {6}, PAGES = {656--666}, MONTH = jun }

@TechReport{RielyHennessy98,
author={J. Riely and M. Hennessy},
Title={Trust and Partial Typing in Open Systems of Mobile Agents},
institution= {University of Sussex},
address={}, month =jul, Year=1998,
Note ={ftp://ftp.cogs.susx.ac.uk/pub/reports/compsci/cs0498.ps.Z}}

@TechReport{IEEE-P1363,
author={IEEE},
Title={Standard Specifications for Public Key Cryptography},
institution= {IEEE Standards Department},
address={445 Hoes Lane, P.O. Box 1331, Piscataway, New Jersey 08855-1331},
month ={}, Year={2000 and ongoing},
note = {(\xlink{http://grouper.ieee.org/groups/1363/}{http://grouper.ieee.org/groups/1363/})} }

@TechReport{JASAdraft,
author={JASA Standards Working Group},
Title={Joint Airborne {SIGINT} Architecture},
institution= {TASC},
address={131 National Business Parkway,
       Annapolis Junction, MD 20701},
month ={June-July}, Year=1998,
note ={Draft, Version 3;
       contact Paul L. Washington, Jr., 1-301-483-6000, ext. 2017,
       \verb+PLWashington@jswg.org+} }

@ARTICLE{Stevenson98,
Author={D.E. Stevenson}, TITLE = {Validation and Verification Methodologies
   for Large Scale Simulations: There are no Silver Hammers, Either},
JOURNAL = {IEEE Computational Science and Engineering},
YEAR = {1998}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = {} }

@ARTICLE{Stevenson98x,
Author={D.E. Stevenson}, TITLE = {Validation and Verification Methodologies
   for Large Scale Simulations: There are no Silver Hammers, Either},
JOURNAL = {IEEE Computational Science and Engineering},
YEAR = {1998}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = {} }

@book{Bass+98,
Author={L. Bass and P. Clements and R. Kazman},
Title={Software Architecture in Practice},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1998} }

@TechReport{OSTF98,
author={W.L. {O'Hern, Jr., task force chairman}},
Title={An Open Systems Process for {DoD}},
institution= {Open Systems Task Force, Defense Science Board},
address={}, month =oct, Year="1998" }

@Book{VignaEd98,
Author={G. {Vigna, ed.}},
Title={Mobile Agents and Security},
Publisher={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419},
Organization={}, Address={},
Year={1998}, Month={}, pages={}}

@InProceedings{Chess98,
Author={D.M. Chess},
Title={Security Issues in Mobile Code Systems},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={1--14}}

@InProceedings{RiordanSchneier98,
Author={J. Riordan and B. Schneier},
Title={Environmental Key Generation Toward Clueless Agents},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={15--24}}

@InProceedings{VolpanoSmith98,
Author={D. Volpano and G. Smith},
Title={Language Issues in Mobile Program Security},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={25--43}}

@InProceedings{SanderTschudin,
Author={T. Sander and C.F. Tschudin},
Title={Protecting Mobile Agents Against Malicious Hosts},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
   Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={44--60}}

@InProceedings{NeculaLee98,
Author={G.C. Necula and P. Lee},
Title={Safe, Untrusted Agents Using Proof-Carrying Code},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={61--91}}

@InProceedings{Hohl98,
Author={F. Hohl},
Title={Time Limited Blackbox Security: Protecting Mobile Agents from
   Malicious Hosts},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
   vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={92--113}}

@InProceedings{Berkovits+98,
Author={S. Berkovits and J.D. Guttman and V. Swarup},
Title={Authentication for Mobile Agents},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={114--136}}

@InProceedings{Vigna98,
Author={G. Vigna},
Title={Cryptographic Traces for Mobile Agents},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={137--153}}

@InProceedings{Gray+98,
Author={R.S. Gray and D. Kotz and G. Cybenko and D. Rus},
Title={D'Agents: Security in a Multiple-Language, Mobile-Agent System},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
   Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={154--187}}

@InProceedings{Karjoth+98,
Author={G. Karjoth and D.B. Lange and M. Oshima},
Title={A Security Model for Aglets},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
  vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={188--205}}

@InProceedings{GongSchemers98,
Author={L. Gong and R. Schemers},
Title={Signing, Sealing, and Guarding {Java} Objects},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science 1419,
   Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={206--216}}

@InProceedings{Ousterhout+98,
Author={J.K. Ousterhout and J.Y. Levy and B.B. Welch},
Title={The {Safe-Tcl} Security Model},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
   vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={217--234}}

@InProceedings{DePaoli+98,
Author={F. {De Paoli} and A.L. {Dos Santos} and R.A. Kemmerer},
Title={Web Browsers and Security},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science,
   vol.~1419, Mobile Agents and Security},
Organization={}, Address={},
Year={1998}, Month={}, pages={235--256}}

@TechReport{PDD63,
author={W.J. Clinton},
Title={{The Clinton Administration's Policy on Critical Infrastructure
  Protection: Presidential Decision Directive 63}},
institution= {U.S. Government White Paper},
address={}, month ={22 May}, Year=1998 }

@InProceedings{Anderson98,
Author = "R.H. Anderson",
Title = "A ``Minimum Essential Information
  Infrastructure'' {(MEII)} for {U.S.} Defense
  Systems: Meaningful?  Feasible?  Useful?",
Booktitle = "Position Papers for the 1998 Information Survivability Workshop
--- ISW '98",
Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
Pages="11--14", month=oct }

@InProceedings{Winkler98,
Author = "I.S. Winkler",
Title = "Position Paper",
Booktitle = "Position Papers for the 1998 Information Survivability Workshop
--- ISW '98",
Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
Pages="189--191", month=oct }

@InProceedings{CowanPu98,
Author = "C. Cowan and C. Pu",
Title = "Survivability from a Sow's Ear: The Retrofit Security Requirement",
Booktitle = "Position Papers for the 1998 Information Survivability Workshop
--- ISW '98",
Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
Pages="43--47", month=oct }

@InProceedings{LevesonHeimdahl98,
Author = "N.G. Leveson and M.P.E. Heimdahl",
Title = "New Approaches to Critical-System Survivability",
Booktitle = "Position Papers for the 1998 Information Survivability Workshop
--- ISW '98",
Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
Pages="111--114", month=oct }

@InProceedings{ThomasFeiertag98,
Author = "R. Thomas and R. Feiertag",
Title = "Addressing Survivability in the Composable Replaceable
  Security Services Infrastructure",
Booktitle = "Position Papers for the 1998 Information Survivability Workshop
--- ISW '98",
Organization = "IEEE", Address = "Orlando, Florida", Year = "1998",
Pages="159--162", month=oct }

@InProceedings{TidswellPotter98,
Author={J.E. Tidswell and J.M. Potter},
Title={A Dynamically Typed Access Control Model},
BookTitle={Springer-Verlag, Berlin, Lecture Notes in Computer Science
   vol.~1438,
   Information Security and Privacy, Third Australasian Conference,
   ACISP'98, Brisbane, Australia},
Organization={}, Address={},
Year={1998}, Month=jun, pages={308--319}}

@InProceedings{Goldberg98,
Author={A. Goldberg},
TITLE = {A specification of {Java} loading and bytecode verification},
Booktitle = {Fifth ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {San Francisco, California},
Year = {1998},
Pages={49--58}, Month = nov }

@InProceedings{Lincoln+98,
Author={P. Lincoln and J. Mitchell and M. Mitchell and A. Scedrov},
TITLE = {A probabilistic poly-time framework for protocol analysis},
Booktitle = {Fifth ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {San Francisco, California},
Year = {1998},
Pages={112--121}, Month = nov }

@InProceedings{HaleviKrawczyk98,
Author={S. Halevi and H. Krawczyk},
TITLE = {Public-key cryptography and password protocols},
Booktitle = {Fifth ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {San Francisco, California},
Year = {1998},
Pages={122--131}, Month = nov }

@InProceedings{SchneierMudge98,
Author={B. Schneier and {Mudge}},
TITLE = {{Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol}
   {(PPTP)}},
Booktitle = {Fifth ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {San Francisco, California},
Year = {1998},
Pages={132--141}, Month = nov }

@InProceedings{SchneierKelsey98,
Author = {B. Schneier and J. Kelsey},
Title = {Cryptographic support for secure logs on untrusted machines},
Booktitle = {Proceedings of the Seventh USENIX Security Symposium},
Organization = {USENIX}, Address = {},
Year = {1998},
Pages={53--62}, Month = jan}

@InProceedings{An+02,
Author={J.H. An and Y. Dodis and T. Rabin},
Title={On the Security of Joint Signature and Encryption},
BookTitle={Advances in Cryptology, EUROCRYPT 2002, Amsterdam, The
   Netherlands, Springer-Verlag, Berlin, Lecture Notes in Computer Science},
Organization={}, Address={},
Year={2002}, Month=may, pages={83--107}}

@InProceedings{Paulson97a,
Author={L. Paulson},
Title={Mechanized Proofs for a Recursive Authentication Protocol},
BookTitle={10th IEEE Computer Security Foundations Workshop},
Organization={IEEE Computer Society}, Address={},
Year={1997}, Month={}, pages={84--95}}

@InProceedings{Paulson97b,
Author={L. Paulson},
Title={Proving Properties of Security Protocols by Induction},
BookTitle={10th IEEE Computer Security Foundations Workshop},
Organization={IEEE Computer Society}, Address={},
Year={1997}, Month={}, pages={70--83}}

@InProceedings{Sullivan+99,
Author = "K. Sullivan and J.C. Knight and X. Du and S. Geist",
Title = "Information Survivability Control Systems",
Booktitle = "Proceedings of the 1999 International Conference on
  Software Engineering (ICSE)",
Organization = "", Address = "", Year = "1999",
Pages="", Month = "" }

@InProceedings{FetzerCristian99,
Author={C. Fetzer and F. Cristian},
Title={Building Fault-Tolerant Hardware Clocks from {COTS} Components},
BookTitle ={Proceedings of the 1999 Conference on Dependable Computing for
Critical Applications},
Organization={}, Address={San Jose, California},
Year={1998}, Month=jan, pages={59--78} }

@InProceedings{PfeiferSchwier+vonHenke99,
Author={H. Pfeifer and D. Schwier and F.W. {von Henke}},
Title={Formal Verification for Time-Triggered Clock Synchronization},
BookTitle ={Proceedings of the 1999 Conference on Dependable Computing for
Critical Applications},
Organization={}, Address={San Jose, California},
Year={1998}, Month=jan, pages={193--212} }

@TechReport{Millen98,
author={J.K. Millen},
Title={Service Survivability},
institution= {SRI International Computer Science Laboratory},
address={Menlo Park, California}, month ={draft, June}, Year=1998 }

@InProceedings{Millen99,
Author={J. Millen},
Title={20 years of covert channel modeling and analysis},
BookTitle={Proceedings of the 1999 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={1999}, Month=may, pages={113--114},
  NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/20yrcc.ps}{http://www.csl.sri.com/\~{}millen/paper/20yrcc.ps})}
}

@InProceedings{Millen99b,
author={J.K. Millen},
Title={Local Reconfiguration Policies},
BookTitle ={Proceedings of the 1999 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland,
California}, Year={1999}, Month=may, pages={48--56},
  NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/reconfig.ps}{http://www.csl.sri.com/\~{}millen/paper/reconfig.ps})}
 }

@TechReport{Millen99a,
author={J.K. Millen},
Title={Survivability Measure},
institution= {SRI International Computer Science Laboratory},
address={Menlo Park, California}, month =jan, Year=1999,
 }

@TechReport{Millen00b,
author={J.K. Millen},
Title={Survivability Measure},
institution= {SRI International Computer Science Laboratory},
address={Menlo Park, California}, month =jun, Year=2000,
NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/measure.ps}{http://www.csl.sri.com/\~{}millen/papers/measure.ps})}
 }

@InProceedings{MillenWright98,
author={J.K. Millen and R. Wright},
Title={Certificate revocation the responsible way},
BookTitle ={Proceedings of a workshop on
  Computer Security, Dependability, and Assurance (CSDA '98):
  From Needs to Solutions workshop},
Organization={}, Address={}, Year={1998}, Month={}, pages={},
  NOTE= {(\xlink{http://www.csl.sri.com/\~{}millen/papers/needs.ps}{http://www.csl.sri.com/\~{}millen/papers/needs.ps})}
 }

@InProceedings{MillenWright00,
author={J.K. Millen and R. Wright},
Title={Reasoning about trust and insurance in a public-key infrastructure},
BookTitle ={Proceedings of the Computer Security Foundations Workshop},
Organization={}, Address={Cambridge, England}, Year={2000}, Month=jul,
  pages={},
  NOTE={(\xlink{http://www.csl.sri.com/\~{}millen/papers/insurance.ps}{http://www.csl.sri.com/\~{}millen/papers/insurance.ps})}
 }

@InProceedings{Millen00a,
Author={J. Millen},
TITLE = {Efficient Fault-Tolerant Certificate Revocation},
Booktitle = {Seventh ACM Conference on Computer and Communications Security},
Organization = {ACM SIGSAC}, Address = {},
Year = {2000}, Note = {Submitted.},
Pages={}, Month = {} }

@InProceedings{BI93,
author = {M. Boyd and D. Iverson},
title={Digraphs and fault trees: a tale of two combinatorial modeling methods},
Booktitle ={Proceedings of the Annual Reliability and Maintainability Symposium},
Organization = {},Pages={}, Month = {},
Year = {1993} }

@TechReport{Carney98,
author={D.J. Carney},
Title={Quotations from {Chairman David}: A {Little Red Book} of Truths to
  Enlighten and Guide on the Long March Toward the {COTS} Revolution},
institution= {Carnegie-Mellon University Software Engineering Institute},
address={Pittsburgh, Pennsylvania},
month ={}, Year=1998, url={http://www.sei.cmu.edu/publications/documents/99.reports/lrb/little-red-book.html}
 }

@article{Bacon99,
author={J. Bacon},
title = {Report on the {Eighth} {ACM SIGOPS} {European Workshop},
  {System Support for Composing Distributed Applications}},
journal = {Operating Systems Review}, volume = {33}, number = {1},
pages = {6--17}, month = jan, year = {1999} }

@article{OSDebate99,
author={T. Kindberg},
title = {Debate: This house believes the development of robust
  distributed systems from components to be impossible},
journal = {Operating Systems Review}, volume = {33}, number = {1},
pages = {15--17}, month = jan, year = {1999},
Note={The description of this debate appeared in ``Report on the Eighth
   ACM SIGOPS European Workshop,'' System Support for Composing Distributed
   Applications, {\it loc.cit.}, pp. 6--17.}}

@book{SecDepAss99,
Author={P. Ammann and B.H. Barnes and S. Jajodia and {E.H. Sibley (editors)}},
Title={Computer Security, Dependability, and Assurance},
Publisher={IEEE Computer Society},
Year={1999} }

@book{SDolev00,
Author={S. Dolev},
Title={Self-Stabilization},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={2000} }

@Proceedings{NATO00,
Author = "NATO",
Title = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Neumann00NATO,
Author = "P.G. Neumann",
Title = "The Potentials of Open-Box Source Code in Developing
  Robust Systems",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{White00,
Author = "I. White",
Title = "Wrapping the {COTS} Dilemma",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{PeelingTaylor00,
Author = {N. Peeling and R. Taylor},
Title = {Standards -- Myths, Delusions and Opportunities},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Barbarello00,
Author = {J. Bararello and W. Kasian},
Title = {{United States Army Commercial Off-The-Shelf (COTS)} Experience:
      The Promises and Realities},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{VidgerDean00,
Author = {M. Vidger and J. Dean},
Title = {Maintaining {COTS}-Based Systems},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Jantsch00,
Author = {S. Jantsch},
Title = {Risks by Using {COTS} Products and Commercial {ICT} Services},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Charpentier00,
Author = "R. Charpentier and M. Salois",
Title = "{MaliCOTS:} Detecting Malicious Code in {COTS} Software",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Salois00,
Author = "M. Salois and R. Charpentier",
Title = "Dynamic Detection of Malicious Code in {COTS} Software",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Rowlingson00,
Author = {R. Rowlingson},
Title = {The Convergence of Military and Civil Approaches to Information
  Security},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Schneidewind00,
Author = {N. Schneidewind},
Title = {The Ruthless Pursuit of the Truth about {COTS}},
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{KerrMcCarthy00,
Author = "P. Kerr and J. McCarthy",
Title = "Application of {COTS} Communications Services for Command and
  Control of Military Forces",
Booktitle = "Proceedings of the NATO Conference on Commercial Off-The-Shelf
  Products in Defence Applications: The Ruthless Pursuit of COTS",
Organization = "NATO", Address = "Brussels, Belgium", Year = "2000",
Pages="", Month = apr }

@InProceedings{Spinellis99,
Author={D. Spinellis},
Title={Software Reliability: Modern Challenges},
BookTitle={Proceedings of ESREL 99, Tenth European Conference on
   Safety and Reliablity},
Organization={}, Address={Munich-Garching, Germany},
Year={1999}, Month=sep, pages={589--592},
Note={Summarized in the Risks Forum, volume 20, number 64, 4 November 1998
  and ACM SIGSOFT {\it Software Engineering Notes 25,} 2, 17--18, March 2000.}}

@InProceedings{Neumann00ICRE,
Author = "P.G. Neumann",
Title = "Certitude and Rectitude",
BookTitle={Proceedings of the 2000 International Conference on
  Requirements Engineering},
Organization={IEEE Computer Society}, Address={Schaumberg, Illinois},
Year={2000}, Month=jun, pages={153}}

@InProceedings{Parnas00ICRE,
Author = "D.L. Parnas",
Title = "Two Positions on Licensing",
BookTitle={Proceedings of the 2000 International Conference on
  Requirements Engineering},
Organization={IEEE Computer Society}, Address={Schaumberg, Illinois},
Year={2000}, Month=jun, pages={154--155}}

@InProceedings{Neumann00IEEE,
Author = "P.G. Neumann",
Title = "Robust Nonproprietary Software",
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={122--123},
NOTE = {(\xlink{http://www.csl.sri.com/neumann/ieee00.ps}{http://www.csl.sri.com/neumann/ieee00.ps} and
\xlink{http://www.csl.sri.com/neumann/ieee00.pdf}{http://www.csl.sri.com/neumann/ieee00.pdf}) } }

@InProceedings{Lipner00,
Author={S.B. Lipner},
Title={Security and Source Code Access: Issues and Realities},
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={124--125}}

@InProceedings{Schneider00,
Author={F.B. Schneider},
Title={Open Source in Security: Visiting the Bizarre},
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={126--127}}

@InProceedings{McGraw00,
Author={G. McGraw},
Title={Will openish source really improve security?},
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={128--129}}

@InProceedings{Witten00,
Author={B. Witten and C. Landwehr and M. Caloyannides},
Title={Will Open Source Really Improve Security?},
BookTitle={2000 Symposium on Security and Privacy, oral presentation only},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={},
NOTE = "Paper available online:
\xlink{http://www.csl.sri.com/neumann/witten.pdf}{http://www.csl.sri.com/neumann/witten.pdf}."}

@TechReport{Hissam01,
author={S. Hissam and C.B. Weinstock and D. Plakosh and J. Asundi},
Title={Perspectives on Open Source Software},
institution= {Carnegie-Mellon Software Engineering Institute},
address={Pittsburgh, Pennsylvania 15213-3890},
month =nov, Year=2001,
NOTE = {CMU/SEI-2001-TR-019\\
(\xlink{http://www.sei.cmu.edu/publications/pubweb.html}{http://www.sei.cmu.edu/publications/pubweb.html}) } }

@TechReport{Gacek01a,
author={C. Gacek and T. Lawrie and B. Arief},
Title={The Many Meanings of Open Source},
institution= {Department of Computing Science,
   University of Newcastle upon Tyne},
NOTE = "Technical Report CS-TR-737",
address={Newcastle, England}, month =aug, Year=2001
}

@TechReport{Gacek01b,
author={C. Gacek and C. Jones},
Title={Dependability Issues in Open Source Software},
institution= {Department of Computing Science, Dependable Interdisciplinary
   Research Collaboration, University of Newcastle upon Tyne},
NOTE = "Final report for PA5, part of ongoing related work.",
address={Newcastle, England}, month ={}, Year=2001
}

@TechReport{Jones02a,
author={C. Jones},
Title={Providing a Formal Basis for Dependability Notions},
institution= {Department of Computing Science, Dependable Interdisciplinary
   Research Collaboration, University of Newcastle upon Tyne},
NOTE = "UNU/IIST Anniversary Colloquium.",
address={Newcastle, England}, month ={}, Year=2002
}

@InProceedings{Balfanz+00,
Author={D. Balfanz and D. Dean and M. Spreitzer},
Title={A Security Infrastructure for Distributed {Java} Applications},
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={15--26}}

@InProceedings{MillenRuess00,
Author={J. Millen and H. Ruess},
Title={Protocol-Independent Secrecy},
BookTitle={Proceedings of the 2000 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2000}, Month=may, pages={110--119}}

@InProceedings{DM00,
  author = 	 {G. Denker and J. Millen},
  title = 	 {{CAPSL} Integrated Protocol Environment},
  booktitle = 	 {DARPA Information Survivability Conference (DISCEX 2000)},
  pages =	 {207--221},
  year =	 2000,
  publisher =	 {IEEE Computer Society}
}

@Article{MD02,
  author = 	 {J. Millen and G. Denker},
  title = 	 {{CAPSL} and {MuCAPSL}},
  journal = 	 {Journal of Telecommunications and Information Technology},
  year = 	 2002,
  volume =       {},
  number =	 {4},
  pages =	 {16--27}
}

@Unpublished{CAP02,
  author = 	 {J. Millen},
  title = 	 {{CAPSL} {W}eb Site},
  year =         2002,
  note = 	 {{\tt http://www.csl.sri.com/\~{}millen/capsl}}
}

@book{BowenHinchey,
Author={J.P. Bowen and M.G. Hinchey},
Title={High-Integrity System Specification and Design},
Publisher={Springer-Verlag, Berlin},
Year={1999} }

@article{Simons00UCITA,
author={B. Simons}, title = {Shrink-Wrapping Our Rights},
journal = {Communications of the ACM}, volume = {43}, number = {8},
pages = {}, month = aug, year = {2000} }

@PhDThesis{MercuriThesis00,
Author={R. Mercuri},
School={Department of Computer Science, University of Pennsylvania},
Title={Electronic Vote Tabulation Checks and Balances},
Year={2001}, Month={},
NOTE =
"\xlink{http://www.notablesoftware.com/evote.html}{http://www.notablesoftware.com/evote.html}" }

@Article{Mercuri02,
Author={R. Mercuri},
Title={A Better Ballot Box: New electronic voting systems
  pose risks as well as solutions},
Journal={IEEE Spectrum},
month=oct, pages ={46--50},
year="2002"}

@Article{Mercuri02x,
Author={H. Riebeek},
Title={Brazil Holds All-Electronic National Election},
Journal={IEEE Spectrum},
month=nov, pages ={25--26},
year="2002"}

@article{Mercuri03,
author={R. Mercuri}, title = {On Auditing Audit Trails},
journal = {Communications of the ACM}, volume = {46}, number = {1},
pages = {17--20}, month = jan, year = {2003} }

@InProceedings{Holt03,
Author={R. Holt},
Title={Introduction of the Voter Confidence and Increased
Accessibility Act of 2003},
BookTitle={U.S. Congressional Record, Extensions of Remarks},
Organization={U.S. Congress}, Address={},
Year={2003}, Month={May 23}, pages={E1081-2}}

@inProceedings{Neumann03Open,
Author="P.G. Neumann",
Title="Attaining Robust Open-Source Software",
Booktitle=
  "Making Sense of the Bazaar: Perspectives on Open Source and Free Software",
Note ="Joseph Feller, Brian Fitzgerald, Scott Hissam and Karim Lakhani
   (editors)",
Publisher = "O'Reilly and Associates, Sebastopol, California",
 Year="2003", Pages="123--126"}

@Book{Feller+05,
Author="J. Feller and B. Fitzgerald and S.A. Hissam and {K.R. Lakhani,
editors}",
Title="Perspectives on Free and Open Source Software",
Publisher = "MIT Press, Cambridge, Massachusetts",
 Year="2005",
NOTE = "The entire book is now available as a pdf file, courtesy of
the MIT Press:
http://mitpress.mit.edu/catalog/item/default.asp?ttype=2\&tid=10477\&mode=toc"
}

@TechReport{CaltechMIT01,
author={{Caltech MIT Voting Technology Project}},
Title={Voting What Is What Could Be},
institution= {Caltech and MIT},
address={}, month =jul, Year=2001 }

@TechReport{GWU01,
author={{Democracy Online Project}},
Title={A Debate on Computerized Voting: A New Solution for a New
  Generation of Voters},
institution= {George Washington University, Washington, D.C.},
address={}, month =jan, Year=2001}

@TechReport{Chaum02,
author={D. Chaum},
Title={Secret-Ballot Receipts and Transparent Integrity:
  Improving voter confidence \& electronic voting at polling places},
institution= {},
address={}, month =mar, Year=2002,
NOTE = "(\xlink{http://www.chaum.org}{http://www.chaum.org})" }

@article{Rubin02,
author={A. Rubin}, title = {Security Considerations for Remote
  Electronic Voting},
journal = {Communications of the ACM}, volume = {45}, number = {12},
pages = {39--44}, month = dec, year = {2002} }

@article{SERVE04,
author={D. Jefferson and A.D. Rubin and B. Simons and D. Wagner},
title = {Analyzing Internet Voting Security},
journal = {Communications of the ACM}, volume = {47}, number = {10},
pages = {}, month = oct, year = {2004} }

@PhDThesis{ChenxiThesis,
Author={C. Wang},
School={Department of Computer Science, University of Virginia},
Title={A Security Architecture for Survivable Systems},
Year={2001}, Month=jan,
Note="(\xlink{http://www.cs.virginia.edu}{http://www.cs.virginia.edu})"  }

@PhDThesis{WagnerThesis00,
Author={D. Wagner},
School={Division of Computer Science, University of California, Berkeley},
Title={Static Analysis and Computer Security: New Techniques for Software
       Assurance},
Year={2000}, Month=dec,
Note="(\xlink{http://www.cs.berkeley.edu/\~{}daw}{http://www.cs.berkeley.edu/\~{}daw})"  }

@InProceedings{WagnerDean01,
Author={D. Dean and D. Wagner},
Title={Intrusion Detection via Static Analysis},
BookTitle={Proceedings of the 2001 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2001}, Month=may, pages={}}

@InProceedings{ChenWagnerDean02,
Author={H. Chen and D. Wagner and D. Dean},
Title={Setuid Demystified},
BookTitle={Proceedings of the 11th USENIX Security 2002},
Organization={USENIX}, Address={San Francisco, California},
Year={2002}, Month=aug, pages={171--190}}

@InProceedings{ChenDeanWagner03,
Author={H. Chen and D. Dean and D. Wagner},
Title={Model Checking One Million Lines of Code},
BookTitle={Proceedings of the Symposium on Network and Distributed
  System Security},
Organization={Internet Society}, Address={San Diego, California},
Year={2004}, Month=feb, pages={171--185}}

@InProceedings{SastryKohnoWagner06,
Author={N. Sastry and T. Kohno and D. Wagner},
Title={Designing voting machines for verification},
BookTitle={Proceedings of the 11th USENIX Security 2006},
Organization={USENIX}, Address={San Francisco, California},
Year={2006}, Month=aug, pages={},
url ="http://www.cs.berkeley.edu/~{}daw/papers/varch-use06.pdf"}

@InProceedings{ChenWagner02,
Author={H. Chen and D. Wagner},
Title={{MOPS:} {An} Infrastructure for Examining Security Properties
  of Software},
Organization={ACM}, Address={Washington, D.C.},
BookTitle={Ninth ACM Conference on Computer and Communications Security},
Year={2002}, Month=nov, pages={} }

% http://www.cs.berkeley.edu/~daw/papers/varch-use06.pd

@InProceedings{Chen:2004:EROS,
   author =      {H. Chen and J. Shapiro},
   title =       {Using Build-Integrated Static Checking to Preserve
Correctness Invariants},
   booktitle = {Proceedings of the Eleventh ACM Conference on Computer and
Communications Security (CCS)},
   year =        {2004},
   address =     {Washington, D.C.},
   month =       nov,
   pages =    {}
}

@PhdThesis{Chen:2004:dissertation,
   author =      {H. Chen},
   title =       {Lightweight Model Checking for Improving Software Security},
   school =      {University of California, Berkeley},
   year =        {2004},
NOTE = "\xlink{http://www.cs.ucdavis.edu/\~{}hchen/paper/phddis.ps}{http://www.cs.ucdavis.edu/\~{}hchen/paper/phddis.ps}"
}

@PhdThesis{Yee07,
   author =      {K.-P. {Yee}},
   title =       {Building Reliable Voting Machine Software},
   school =      {University of California, Berkeley},
   year =        {2007},
   NOTE = {Technical Report 2007-167; see also Technical Note 2007-136 for
     the security review; http://pvote.org}
}

@InProceedings{Backes+03,
Author={M. Backes and B. Pfitzmann and M. Waidner},
Title={A Universally Composable Cryptographic Library with Nested Operations},
Organization={ACM}, Address={Washington, D.C.},
BookTitle={Tenth ACM Conference on Computer and Communications Security},
Year={2003}, Month=oct, pages={} }

@InProceedings{BackesPfitzmann03,
Author={M. Backes and B. Pfitzmann},
Title={A Cryptographically Sound Security Proof of
  the {Needham-Schroeder-Lowe} Public-Key Protocol},
Organization={}, Address={Mumbai, India},
BookTitle={23rd Conference on Foundations of Software Technology
  and Theoretical Computer Science (FSTTCS)},
Year={2003}, Month=dec, pages={} }

@InProceedings{Weeks01,
Author={S. Weeks},
Title={Understanding Trust Management Systems},
BookTitle={Proceedings of the 2001 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2001}, Month=may, pages={},
NOTE="(\xlink{http://www.star-lab.com/tr/star-tr-01-02.html}{http://www.star-lab.com/tr/star-tr-01-02.html})"
}

@InProceedings{Gunter+01,
Author={C. Gunter and S. Weeks and A. Wright},
Title={Models and Languages for Digital Rights},
BookTitle={Proceedings of the 2001   Hawaii Intenational Conference
 on Systems Science},
Organization={}, Address={Honolulu, Hawaii},
Year={2001}, Month=mar, pages={},
NOTE = "\xlink{http://www.star-lab.com/tr/star-tr-01-04.html}{http://www.star-lab.com/tr/star-tr-01-04.html}"
}

@InProceedings{Goerigk00,
Author = "W. Goerigk",
Title = "Compiler Verification Revisited",
Booktitle = "{Computer Aided Reasoning: {ACL2} Case Studies}",
Editor = "M. Kaufmann and P. Maniolis and J S. Moore",
Organization = "Kluwer Academic Publishers", Address = "", Year = "2000",
Note ="Chapter 15", Pages="", Month = ""  }

@TechReport{Faughn01,
author={A.W. Faughn},
Title={Interoperability: Is It Achievable?},
institution= {Harvard University PIRP report},
address={}, month ={}, Year=2001 }

@book{Curtin02,
Author={M. Curtin},
Title={Developing Trust: Online Security and Privacy},
Publisher={Apress, Berkeley, California, and Springer-Verlag, Berlin},
Year={2002} }

@TechReport{Boudra92,
author={P. {Boudra, Jr.}},
Title={Minutes of the Meetings of the System Composition Working Group,
  Volume 1},
institution= {National Security Agency, Information Systems Security
  Organization, Office of Infosec Systems Engineering, S9 Technical
  Report 6-92, Library No. S-239, 646},
address={}, month =oct, Year=1992, NOTE ="For Official Use Only." }

@TechReport{NSAcompose92xxx,
author={P. {Boudra, Jr.}},
Title={Minutes of the Meetings of the System Composition Working Group,
volume 1},
institution= {Information Systems Security Organization, Office of
INFOSEC Systems Engineering, NSA},
Note = {S9 Technical Report 6-92, For Official Use Only},
address={}, month ={5 October}, Year=1992 }

@TechReport{Boudra93,
author={P. {Boudra, Jr.}},
Title={Report on Rules of System Composition: Principles of Secure
  System Design},
institution= {National Security Agency, Information Systems Security
  Organization, Office of Infosec Systems Engineering, I9 Technical
  Report 1-93, Library No. S-240, 330},
address={}, month =mar, Year=1993, NOTE ="For Official Use Only." }

@TechReport{Lee92,
author={E.S. Lee and P.I.P. Boulton and B.W. Thompson and R.E. Soper},
Title={Composable Trusted Systems},
institution= {Computer Systems Research Institute, University of
  Toronto, Technical Report CSRI-272},
address={}, month =may, Year=1992 }

@TechReport{ICS94,
author={Unspecified},
Title={Composability Constraints of Multilevel Systems},
institution= {Integrated Computer Systems, Inc.},
address={215 South Rutgers Ave., Oak Ridge, Tennessee},
month =jun, Year=1994 }

@TechReport{Tinto92,
author={M. Tinto},
Title={The Design and Evaluation of {INFOSEC} Systems: The Computer
  Security Contribution to the Composition Discussion},
institution= {National Computer Security Center},
address={}, month =jun, Year=1992, Note="C Technical Report 32-92" }

@TechReport{Abrams92,
author={M.D. Abrams and M.V. Joyce},
Title={Composition of Trusted {IT} Systems},
institution= {MITRE},
address={}, month =sep, Year=1992, Note ="Draft." }

@InProceedings{Hemenway92,
author={J. Hemenway and D. Gambel},
Title={Issues in the Specification of Composite Trustworthy Systems},
Booktitle = "Fourth Annual Canadian Computer Security Symposium",
address={}, month =may, Year=1992 }

@TechReport{Ozier,
author={W. Ozier},
Title={{GASSP: Generally Accepted Systems Security Principles}},
institution= {International Information Security Foundation},
address={}, month =jun, Year=1997,
NOTE ="\xlink{web.mit.edu/security/www/gassp1.html}{http://web.mit.edu/security/www/gassp1.html}"
 }

@book{Beck99,
Author={K. Beck},
Title={Extreme Programming Explained: Embrace Change},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1999},
Note="(\xlink{http://www.extremeprogramming.org}{http://www.extremeprogramming.org})"
}

@InProceedings{Chander+01,
author={A. Chander and D. Dean and J.C. Mitchell},
Title={A State-Transition Model of Trust Management},
BookTitle ={Proceedings of the 14th IEEE Computer Security Foundations Workshop},
Organization=
  {IEEE Computer Society Technical Committee on Security and Privacy},
  Address={Cape Breton, Nova Scotia, Canada},
  Year={2001}, Month=jun, pages={27--43}
 }

@InProceedings{Chander+02,
Author={A. Chander and D. Dean and J.C. Mitchell},
Title={Deconstructing Trust Management},
BookTitle=
  {Proceedings of the 2002 Workshop on Issues in the Theory of Security},
Organization={IFIP Working Group 1.7}, Address={Portland, Oregon},
Year={2002}, Month=jan, pages={}}

@InProceedings{Chander+04a,
Author={A. Chander and D. Dean and J.C. Mitchell},
Title={A Distributed High Assurance Reference Monitor},
BookTitle= {Proceedings of the Seventh Information Security Conference
  Lecture Notes in Computer Science vol. 3225},
Year={2004}, Month=sep, pages={231--244},
Organization={Springer-Verlag}, Address={Berlin},
url = "http://www.csl.sri.com/users/ddean/papers/isc04.pdf"}

@Article{Chander+04,
Author={A. Chander and D. Dean and J.C. Mitchell},
Title={Reconstructing Trust Management},
Journal= {Journal of Computer Security},
Volume = {12}, Number = {1},
Year={2004}, Month=jan, pages={131--164},
url = "http://www.csl.sri.com/users/ddean/papers/jcs04.pdf"}

@book{deRoever01,
Author={W.-P. {de Roever} and  F. de Boer and U. Hanneman and J. Hooman and
  Y. Lakhnech and M. Poel and J. Zwiers},
Title={Concurrency Verification: Introduction to Compositional and
  Noncompositional Methods},
Publisher={Cambridge University Press, New York, NY},
Note = {Cambridge Tracts in Theoretical Computer Science no. 54},
Year={2001} }

@InProceedings{McDanielPrakash02,
Author={P. McDaniel and A. Prakash},
Title={Methods and Limitations of Security Policy Reconciliation},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={73--87}}

@InProceedings{Mantel01IEEE,
Author={H. Mantel},
Title={Preserving information flow properties under refinement},
BookTitle={Proceedings of the 2001 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2001}, Month=may, pages={78--91}}

@InProceedings{Mantel02IEEE,
Author={H. Mantel},
Title={On the composition of secure systems},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={88--101}}

@InProceedings{AshcraftEngler02,
Author={K. Ashcraft and D. Engler},
Title={Detecting Lots of Security Holes Using System-Specific Static Analysis},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={143--159}}

@InProceedings{Chess02,
Author={B.V. Chess},
Title={Improving Computer Security Using Extended Static Checking},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={160--173}}

@InProceedings{Ko02,
Author={C. Ko},
Title={Noninterference and Intrusion Detection},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={177--187}}

@InProceedings{Dutertre02,
Author={B. Dutertre and V. Crettaz and V. Stavridou},
Title={Intrusion-Tolerant Enclaves},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={216--224}}

@InProceedings{Park+02,
Author={J.M. Park and E.K.P. Chong and H.J. Siegel},
Title={Efficient Multicast Packet Authentication Using Signature
  Amortization},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={227--240}}

@InProceedings{Staddon+02,
Author={J. Staddon and S. Miner and M. Franklin and D. Balfanz and M. Malkin
  and D. Dean },
Title={Self-Healing Key Distribution with Revocation},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={241--257}}

@InProceedings{Song+02,
Author={D. Song and D. Zuckerman and J.D. Tygar},
Title={Expander Graphs for Digital Stream Authentication and Robust
  Overlay Networks},
BookTitle={Proceedings of the 2002 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2002}, Month=may, pages={258--270}}

@InProceedings{Dean02,
Author={D. Dean},
Title={The Impact of Programming Language Theory on Computer Security},
BookTitle={Proceedings of the Mathematical Foundations of Programming
  Semantics (MFPS)},
Organization={}, Address={New Orleans, Louisiana},
Year={2002}, Month=mar, pages={},
NOTE={Slides at \xlink{http://www.csl.sri.com/neumann/ddean-MFPS02.ppt}{http://www.csl.sri.com/neumann/ddean-MFPS02.ppt}}
}

@article{Neumann04Opt,
author={P.G. Neumann},
title = {Optimistic Optimization},
journal = {Communications of the ACM}, year = {2004}, volume = {47},
number = {6}, pages = {112}, month = jun,
Note= {{\it Inside Risks} column.} }

@article{Neumann06comp,
author={P.G. Neumann},
title = {Risks Relating to System Compositions},
journal = {Communications of the ACM}, year = {2006}, volume = {49},
number = {7}, pages = {128}, month = jul,
Note= {{\it Inside Risks} column.} }

@article{Bellovin06,
author={Steven M. Bellovin},
title = {Virtual Machines, Virtual Security?},
journal = {Communications of the ACM}, year = {2006}, volume = {49},
number = {10}, pages = {104}, month = oct,
Note= {{\it Inside Risks} column.} }

@InProceedings{Neumann06CCS,
   author =      {P.G. Neumann},
   title =       {System and Network Trustworthiness in Perspective},
   booktitle = {Proceedings of the Thirteenth ACM Conference on Computer and
Communications Security (CCS)},
   year =        {2006},
   address =     {Alexandria, Virginia},
   month =       nov,
   pages =    {1--5}
}

@InProceedings{Neumann06ACSAC,
Author="P.G. Neumann",
Title="Risks of Untrustworthiness",
BookTitle="Proceedings of the 22nd Annual Computer Security Applications
Conference (ACSAC 2006), Classic Papers section",
Organization="IEEE Computer Society",
Address="Miami, Florida", Year="2006", Month=dec, pages="",
url={http://www.acsac.org/ and http://www.csl.sri.com/neumann/psos03.pdf}
}

@ARTICLE{Neumann06holistic,
Author={Peter G. Neumann},
TITLE = {Holistic Systems},
JOURNAL = {ACM Software Engineering Notes}, YEAR = {2006}, VOLUME = {31},
NUMBER = {6}, PAGES = {4--5}, MONTH = nov
}

@InProceedings{Neumann07EEVS,
Author={P.G. Neumann},
Title={Security and Privacy in the Employment Eligibility
  Verification System (EEVS) and Related Systems},
BookTitle={Congressional Record},
Organization={U.S. House of Representatives}, Address={Washington, DC},
Year={2007}, Month={Jun 7}, pages={},
URL ="http://www.csl.sri.com/neumann/house07.pdf" }

@InCollection{Neumann07Reflections,
Author = "P.G. Neumann",
Title = "Reflections on System Trustworthiness",
Editor = "Marvin Zelkowitz",
Booktitle = "Advances in Computers, volume 70",
Publisher = "Elsevier Inc.", Year = "2007 ",
Pages="269--310" }

@book{NRC07cyber,
author = {S.E. Goodman and H.S. {Lin, editors}},
title = {Toward a Safer and More Secure Cyberspace},
publisher = {National Research Council, National Academies Press,
2101 Constitution Ave., Washington, D.C.},
year = {2007}, note={Final report of the National Research
Council Committee on Improving Cybersecurity Research in the United States.} }

@InProceedings{Neumann09CSH,
Author={P.G. Neumann},
Title={The Future of Information Assurance},
BookTitle={Computer Security Handbook},
Organization={John Wiley \& Sons}, Address={New York},
Year={2009}, Month={}, pages={}, NOTE={Volume 2, invited final chapter.}}

@InProceedings{Neumann09LAW,
Author={P.G. Neumann},
Title={Hierarchies, Lowerarchies, Anarchies, and Plutarchies:
  Historical Perspectives of Composable High-Assurance Architectures},
BookTitle={Third Layered Assurance Workshop},
Organization={AFRL}, Address={San Antonio CA},
Year={2009}, Month=aug, pages={}, Note ={Slides at
  http://www.csl.sri.com/neumann/law09+x4.pdf}}

@InProceedings{Neumann09idtrust,
Author={P.G. Neumann},
Title={IDentity and Trust in Context},
BookTitle={IDtrust Workshop},
Organization={NIST}, Address={Gaithersburg, Maryland},
Year={2009}, Month=apr, pages={}, Note ={Slides at
  http://www.csl.sri.com/neumann/itrust09+x4.pdf}}

@InProceedings{NeumannDag08,
Author={P.G. Neumann},
Title={Combatting Insider Misuse, with Relevance to Integrity and
  Accountability in Elections and Other Applications},
BookTitle={Dagstuhl Workshop on Insider Threats},
Organization={}, Address={Schloss Dagstuhl, Germany},
Year={2008}, Month=jul, pages={}}

@Inbook{Neumann09insiders,
Author={P.G. Neumann},
Title={Combatting Insider Threats},
BookTitle = {Insider Threats in Cybersecurity -- and Beyond},
Editors= {M. Bishop and C.W. Probst},
Publisher={Springer Verlag},
Year={2010} }

@Inbook{Neumann10Dagbook,
Author={P.G. Neumann},
Title={Combatting Insider Threats},
Chapter = {2},
Note = {In {\it Insider Threats in Cybersecurity -- and Beyond,}
  C.W. Probst and J. Hunker and D. Gollman and M. Bishop
  (editors), Springer Verlag},
Publisher={Springer Verlag},
Year = {2010},
}

@InProceedings{Ox,
Author={P.G. Neumann and M. Bishop and S. Peisert and M. Schaefer},
Title={Reflections on the 30th Anniversary of the IEEE Symposium on
   Security and Privacy},
BookTitle={Proceedings of the 2010 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2010}, Month=may, pages={}}

@TechReport{HPL05,
author={IRC},
Title={Hard Problem List},
institution= {INFOSEC Research Council},
address={}, month =nov, Year=2005,
url ="http://www.cyber.st.dhs.gov"
}

@TechReport{Roadmap09,
author={D. {Maughan et al.}},
Title={A Roadmap for Cybersecurity Research},
institution= {Department of Homeland Security},
address={}, month =nov, Year=2009,
url ="http://www.cyber.st.dhs.gov"
}

@Article{Bellovin+07,
Author={},
Title={},
Journal={IEEE Security and Privacy}, VOLUME = {6}, NUMBER = {1},
Year={2008}, Month={January-February}, pages={}}

@book{HennessyPatterson95,
Author={J.L. Hennessy and D.A. Patterson},
Title={Computer Architecture: A Quantitative Approach, Second Edition},
Publisher={Morgan Kaufmann},
Year={1996} }

@book{PattersonHennessy97,
Author={D.A. Patterson and J.L. Hennessy},
Title={Computer Organization and Design: The Hardware/Software
  Interface, Second Edition},
Publisher={Morgan Kaufmann},
Year={1997} }

@InProceedings{Zuck+02,
Author={L. Zuck and A. Pnueli and Y. Fang and B. Goldberg},
Title={{VOC:} {A} Translation Validator for Optimizing Compilers},
BookTitle={Electronic Notes in Theoretical Computer Science},
Organization={}, Address={},
Year={2002}, Month={}, pages={},
URL = "http://www.cs.nyu.edu/\~{}zuck/pubs/"
}

@book{Bishop02,
Author={M. Bishop},
Title={Computer Security: Art and Science},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2002} }

@book{Bishop04,
Author={M. Bishop},
Title={Introduction to Computer Security},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2004} }

@book{Bish2003,
  Address = {Boston, MA},
  Author = {M. Bishop},
  Date-Modified = {2007-04-18 11:50:16 -0700},
  Publisher = {Addison-Wesley Professional},
  Title = {Computer Security: Art and Science},
  Year = {2003}}

@InProceedings{Bishop05,
Author={M. Bishop},
Title={Position: {`Insider'} is relative},
BookTitle={Proceedings of the 2005 New Security Paradigms Workshop},
Organization={}, Address={Lake Arrowhead, California},
Year={2005}, Month=oct, pages={77-78}}

@InProceedings{Bishop08+,
Author={M. Bishop and S. Engle and C. Gates and S. Peisert and S. Whalen},
Title={We Have Met the Enemy and He Is Us},
BookTitle={Proceedings of the 2008 New Security Paradigms Workshop},
Organization={}, Address={Olympic Valley, California},
Year={2008}, Month={}, pages={}}

@book{Stolfo+08,
Author={S. Stolfo and S. Bellovin and S. Hershkop and S. Sinclair and
  S. Smith},
Title={Insider Attack and Cyber Security: Beyond the Hacker},
Publisher={Springer},
Year={2008} }

@book{Anderson01,
Author={R.J. Anderson},
Title={Security Engineering: {A} guide to
  Building Dependable Distributed Systems},
Publisher={John Wiley and Sons, New York},
Year={2001} }

@book{Sommerville01,
Author={I. Sommerville},
Title={Software Engineering},
Publisher={Addison-Wesley, Reading, Massachusetts},
Note = {Sixth Edition.},
Year={2001} }

@book{Reppy99,
Author={J.H. Reppy},
Title={Concurrent Programming in ML},
Publisher={Cambridge University Press, Cambridge, U.K.},
Year={1999} }

@InProceedings{Giffin+02,
Author={J.T. Giffin and S. Jha and B.P. Miller},
Title={Detecting Manipulated Remote Call Streams},
BookTitle={Proceedings of the 11th USENIX Security 2002},
Organization={USENIX}, Address={San Francisco, California},
Year={2002}, Month=aug, pages={61--79}}

@InProceedings{AppelMacQueen91,
Author={A.W. Appel and D.B. MacQueen},
Title={Standard {ML} of {New Jersey}},
BookTitle={Programming Language Implementation and Logic Programming,
  Lecture Notes in Computer Science vol. 528},
Organization={Springer-Verlag}, Address={Berlin},
Year={1991}, Month={}, pages={1--26}}

@book{Milner+97,
Author={R. Milner and M. Tofte and R. Harper and D. MacQueen},
Title={The Definition of Standard ML},
Publisher={MIT Press, Cambridge, Massachusetts},
Year={1997} }

@book{WrightStevens95,
Author={G.R. Wright and W.R. Stevens},
Title={TCP/IP Illustrated, Volume 2},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1995} }

@book{HuntTCP/IP02,
Author={C. Hunt},
Title={TCP/IP Network Administration, 3rd Edition},
Publisher={O'Reilly \& Associates, Sebastopol, California},
Year={2002} }

@InProceedings{Sheyner+02,
author={O. Sheyner and J. Haines and S. Jha and R. Lippmann and J.M. Wing},
Title={Automated Generation and Analysis of Attack Graphs},
BookTitle={Proceedings of the 2003 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2003}, Month=may, pages={273--284}}

@InProceedings{JhaSheynerWing02,
author={S. Jha and O. Sheyner and J. Wing},
Title={Two Formal Analyses of Attack Graphs},
BookTitle ={Proceedings of the 15th IEEE Computer Security Foundations Workshop},
Organization=
  {IEEE Computer Society Technical Committee on Security and Privacy},
  Address={Cape Breton, Nova Scotia, Canada},
  Year={2002}, Month=jun, pages={49--64}
 }

@InProceedings{Govinda+03,
Author={S. Govindavajhala and A.W. Appel},
Title={Using Memory Errors to Attack a Virtual Machine},
BookTitle={Proceedings of the 2003 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2003}, Month=may, pages={154--165}}

@book{Barnes03,
Author={J. Barnes},
Title={High Integrity Software: The SPARK Approach to Safety and Security},
Publisher={Addison-Wesley, Reading, Massachusetts},
NOTE = {Reviewed in The ACM Risks Forum, 23, 01.},
Year={2003} }

@article{Weinstein03-12,
author={L. Weinstein},
title = {The Devil You Know},
journal = {Communications of the ACM}, year = {2003}, volume = {46},
number = {12}, pages = {144}, month = dec }

@TechReport{Weinstein:tripoli,
author = {L. Weinstein},
title = {{TRIPOLI: An Empowered E-Mail Environment}},
institution ={People for Internet Responsibility},
url = "http://www.pfir.org/tripoli-overview",
year ={2004}, month = jan
}

@TechReport{Cusumano03,
author={M. Cusumano and A. MacCormack and C.F. Kemerer and W. Crandall},
Title={A Global Survey of Software Development Practices},
institution= {MIT Sloan School of Management},
address={Cambridge, Massachusetts}, month =jun, Year=2003,
url = "http://ebusiness.mit.edu/research/papers/178_Cusumano_Intl_Comp.pdf" }

@Article{McGraw04,
Author={G. McGraw},
Title={Software Security},
Journal={IEEE Security and Privacy},
Organization={IEEE Computer Society},
Year={2004}, Month={March-April}, volume ={2}, number = {2}, pages={80--83}}

@article{Chaum04,
author={D. Chaum},
Title={Secret-Ballot Receipts: True Voter-Verifiable Elections},
Journal={IEEE Security and Privacy},
Organization={IEEE Computer Society},
Year={2004}, Month={January-February}, volume ={2}, number = {1},
pages={38--47}}

@TechReport{Rivest06,
author={R.L. Rivest},
Title={The {ThreeBallot Voting System}},
institution= {MIT},
address={Cambridge, Massachusetts}, month =oct, Year=2006,
URL=
"http://theory.csail.mit.edu/~{}rivest/Rivest-TheThreeBallotVotingSystem.pdf"
}

@InProceedings{Ratan+96,
Author={V. Ratan and K. Partridge and J. Reese and N. Leveson},
Title={Safety Analysis Tools for Requirements Specification},
BookTitle={Proceedings of the Eleventh Annual Conference on Computer
  Assurance, COMPASS '96},
Organization={IEEE Computer Society}, Address={},
Year={1996}, Month={}, pages={149--160},
  url ="http://www.safeware-eng.com/index.php/publications/SafAnTooReq"}

@TechReport{DSB01a,
author={Defense Science Board},
Title={Protecting the Homeland, Volume I},
institution= {Defense Science Board Task Force on Defensive Information
  Operations 2000 Summer Study},
address={}, month =feb, Year="2001" }

@TechReport{DSB01b,
author={Defense Science Board},
Title={Protecting the Homeland, Volume II},
institution= {Defense Science Board Task Force on Defensive Information
  Operations 2000 Summer Study},
address={}, month =mar, Year="2001" }

@InProceedings{Kohno+04,
Author={T. Kohno and A. Stubblefield and A.D. Rubin and D.S. Wallach},
Title={Analysis of an Electronic Voting System},
BookTitle={Proceedings of the 2004 Symposium on Security and Privacy},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2004}, Month=may, pages={27--40}}

@InProceedings{Datta+04,
Author={A. Datta and R. K\"{u}sters and J.C. Mitchell and A. Ramanathan and
   V. Shmatikov},
Title={Unifying Equivalence-Based Definitions of Protocol Security},
BookTitle={Proceedings of the ACM SIGPLAN and IFIP WG 1.7 Fourth Workshop
  on Issues in the Theory of Security},
Organization={IEEE Computer Society}, Address={Oakland, California},
Year={2004}, Month=apr, pages={}}

@TechReport{GAO04Acq,
author={USGAO},
Title={Defense Acquisitions: Knowledge of Software Suppliers Needed
  to Manage Risks},
institution= {U.S. General Accounting Office, GAO-04-078},
address={Washington, D.C.}, month =may, Year=2004 }

@Article{Clarke04IEEE,
Author={G. Goth},
Title={Richard {Clarke} Talks Cybersecurity and {JELL-O}},
Journal={IEEE Security and Privacy}, VOLUME = {2}, NUMBER = {3},
Year={2004}, Month={May-June}, pages={11--15}}

@Article{Tsik06,
Author={K. Tsikpenyuk and B. Chess and G. McGraw},
Title={Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors},
Journal={IEEE Security and Privacy}, VOLUME = {3}, NUMBER = {6},
Year={2005}, Month={November-December}, pages={},
doi="10.1109/MSP.2005.159"}

@ARTICLE{Jackson02,
Author={D. Jackson}, TITLE = {Alloy:
  {A} lightweight object modelling notation},
JOURNAL = {ACM Transactions on Software Engineering Methodology},
YEAR = {20}, VOLUME = {11},
NUMBER = {2}, PAGES = {256--290}, MONTH = {},
url ="http://sdg.lcs.mit.edu/~{}dnj/",
url ="http://alloy.mit.edu/" }

@TechReport{Shands04+,
author={D. Shands and E. Wu and J. Horning and S. Weeks},
Title={SPiCE: Configurationa Synthesis for Policies Enforcement},
institution= {MacAfee Research Technical Report 04-018},
address={}, month =jun, Year=2004 }

@ARTICLE{Wheeler04,
Author={D.A. Wheeler}, TITLE = {Secure programmer: Minimizing Privileges;
Taking the fangs out of bugs},
JOURNAL = {}, YEAR = {2004}, VOLUME = {},
NUMBER = {}, PAGES = {}, MONTH = may,
URL= "http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges" }

@book{WheelerBook,
Author={D.A. Wheeler},
Title={Secure Programming for Linux and Unix {HOWTO}},
Publisher={},
Year={2003},
URL = "http://www.dwheeler.com/secure-programs" }

@book{USDP99,
Author={I. Jacobson and G. Booch and J. Rumbaugh},
Title={The Unified Software Development Process},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={1999} }

@book{Bejtlich04,
Author={R. Bejtlich},
Title={The Tao of Network Security Monitoring},
Publisher={Addison-Wesley, Reading, Massachusetts},
Year={2004} }

@Article{Smith04,
	Author = {M.A. Smith},
Title = {Portals: Toward an Application Framework for Interoperability},
	Journal = {Communications of the ACM},
	Year = {2004},
	Volume = {47},
	Number = {10},
	Pages = {93--97},
	Month = oct }

@book{KrafzigSOA,
Author={D. Krafzig and K. Banke and D. Slama},
Title={Enterprise SOA Service-Oriented Architecture Best Practices},
Publisher={Prentice-Hall, Upper Saddle River, New Jersey},
Year={2004} }

@ARTICLE{ERCIM04,
Author={Numerous authors},
TITLE = {Automated Software Engineering (special section)},
JOURNAL = {ERCIM News}, YEAR = {2004}, VOLUME = {},
NUMBER = {58}, PAGES = {12--51}, MONTH = jul }

@ARTICLE{Blanc04,
Author={B. Blanc},
TITLE = {{GATeL:} {A}utomatic Test Generation from {Lustre} Descriptions},
JOURNAL = {ERCIM News}, YEAR = {2004}, VOLUME = {},
NUMBER = {58}, PAGES = {29--30}, MONTH = jul }

@inCollection{PetersonClark04,
author = {L. Peterson and D. Clark},
title = {The {Internet:} {An} Experiment that Escaped from the Lab},
booktitle = {Computer Science: Reflections on the Field, Reflections
  from the Field},
publisher = {National Research Council,
  National Academies Press, 500 Fifth Ave., Washington, D.C. 20001},
pages = {129--133},
year = {2004} }

@InProceedings{Crnkovic04,
Author = "I. Crnkovic and M. Larsson",
Title = "Classification of Quality Attributes for Predictability in
  Component-based Systems",
Booktitle = "Workshop on Architecting Dependable Systems (DSN WADS 2004)",
Organization = "", Address = "Florence, Italy", Year = "2004",
Pages="", Month = jun,
NOTE = "\xlink{http://www.cs.kent.ac.uk/events/conf/2004/wads/DSN-WADS2004/indexProgDSN2004.html}{http://www.cs.kent.ac.uk/events/conf/2004/wads/DSN-WADS2004/indexProgDSN2004.html}"
  }

@INCOLLECTION{Smith2004,
  AUTHOR = {Jonathan M. Smith and Michael B. Greenwald and Sotiris
 Ioannidis and Angelos D. Keromytis and Ben Laurie and Douglas Maughan
 and Dale Rahn and Jason Wright},
  TITLE = {Experiences Enhancing Open Source Security in the POSSE Project},
  BOOKTITLE = {Free/Open Source Software Development},
  EDITOR = {Stefan Koch},
  PUBLISHER = {Idea Group Publishing},
  ADDRESS = {Hershey, PA},
  YEAR = {2004},
  PAGES = {242-257}
}

@book{Celeste+06,
author = {R. Celeste and R. Thornburg and {H. Lin (editors)}},
title = {Asking the Right Questions about Electronic Voting},
publisher = {National Research Council, National Academies Press,
  500 Fifth Ave., Washington, D.C. 20001},
month = {}, year = {2006} }

@book{Rubin06,
Author={A. Rubin},
Title={Brave New Ballot},
Publisher={Random House},
Year={2006} }

@InProceedings{Adida+06,
Author = "B. Adida and C.A. Neff",
Title = "Ballot Casting Assurance",
Booktitle = "Workshop on Electronic Voting Technology Workshop",
Organization = "USENIX", Address = "Vancouver, BC, Canada", Year = "2006 ",
Pages="", Month = aug  }

@InProceedings{Benaloh06,
Author = "J. Benaloh",
Title = "Simple Verifiable Elections",
Booktitle = "Workshop on Electronic Voting Technology Workshop",
Organization = "USENIX", Address = "Vancouver, BC, Canada", Year = "2006 ",
Pages="", Month = aug  }

@InProceedings{Neff01,
Author = "C.A. Neff",
Title = "A Verifiable Secret Shuffle and Its Application to E-Voting",
Booktitle = "Proceedings of the ACM Conference on Computer and
   Communications Security",
Organization = "", Address = "Philadelphia, Pennsylvania", Year = "2001 ",
Pages="116--125", Month = nov  }

@ARTICLE{Borg06,
Author={K. Borg}, TITLE = {Re: {LA} power outages},
JOURNAL = {ACM Risks Forum}, YEAR = {2006}, VOLUME = {24}, NUMBER = {39},
PAGES = {}, MONTH = {August}, day=22,
NOTE="http://catless.ncl.ac.uk/Risks/24.39.html\#subj8" }

@Book{Springer-3938,
Editor={R.H. {Reussner et al.}},
Title={Architecting Systems with Trustworthy Components,
  International Seminar, Dagstuhl, Germany,
  Lecture Notes in Computer Science vol. 3938},
Publisher={Springer-Verlag}, Address={Berlin},
Year={2004}, Month=dec, pages={}}

@Book{Springer-4063,
Editor={I. {Gorton et al.}},
Title={Component-Based Software Engineering,
  9th International Symposium,
  Lecture Notes in Computer Science vol. 4063},
Publisher={Springer-Verlag}, Address={Berlin},
Year={2006}, Month={June/July}, pages={}}

@Book{Springer-4089,
Editor={W. {L\"{o}we et al.}},
Title={Software Composition,
5th International Workshop,
Lecture Notes in Computer Science vol. 4089},
Publisher={Springer-Verlag}, Address={Berlin},
Year={2006}, Month=mar, pages={}}

@Book{Springer-4111,
Editor={F.S. {de Boer et al.}},
Title={Formal Methods for Components and Objects,
  4th International Symposium,
  Lecture Notes in Computer Science vol. 4111},
Publisher={Springer-Verlag}, Address={Berlin},
Year={2005}, Month=nov, pages={}}

@TechReport{RushbyDeLong06,
Author="J.M. Rushby and R. DeLong",
Title="Toward an Integration Framework for High-Assurance Secure Components",
Institution="Computer Science Laboratory, SRI International, Menlo Park,
California", Year="2006", Month=dec}

@string{dasc = { AIAA/IEEE Digital Avionics Systems Conference}}
@INPROCEEDINGS{Rushby-etal:DASC08,
    AUTHOR = {Carolyn Boettcher and Rance DeLong
        and John Rushby and Wilmar Sifre},
    TITLE = {The {MILS} Component Integration Approach
        To Secure Information Sharing},
    BOOKTITLE = {27th} # dasc,
    YEAR = 2008,
    ORGANIZATION = {IEEE},
    ADDRESS = {St.\ Paul MN},
    MONTH = oct
}


@article{Zegans08,
author={L.S. Zegans},
title = {The Psychology of Risks},
journal = {Communications of the ACM}, year = {2008}, volume = {51},
number = {1}, pages = {152}, month = jan,
Note= {{\it Inside Risks} column.} }

@InProceedings{GPYF07,
Author={G. Gu and P. Porras and V. Yegneswaran and M. Fong and W. Lee},
Title={BotHunter: Detecting Malware Infection through IDS-driven
  Dialog Correlation},
BookTitle={Proceedings of the 16th USENIX Security 2007},
Organization={USENIX}, Address={Boston, Massachusetts},
Year={2007}, Month=aug, pages={}}

@InProceedings{CLF03,
Author={S. Cheung and U. Lindqvist and M.W. Fong},
Title={Modeling Multistep Cyber Attacks for Scenario Recognition},
BookTitle={Proceedings of the DARPA Information Survivability Conference
  and Exposition},
Organization={DARPA}, Address={Washington, DC},
Year={2003}, Month={}, pages={}}

@article{Porras09,
author={P. Porras},
title = {Reflections on Conficker},
journal = {Communications of the ACM}, year = {2009}, volume = {52},
number = {10}, pages = {}, month = oct,
Note= {Inside Risks column, http://www.csl.sri.com/neumann/insiderisks.html\#219} }

@conference{blaze1996decentralized,
  title={{Decentralized trust management}},
  author={M. Blaze and J. Feigenbaum and J. Lacy},
  booktitle={IEEE Symposium on Security and Privacy},
  pages={164--173},
  year={1996},
  organization={IEEE Computer Society}
}

@conference{chan2003random,
  title={{Random key predistribution schemes for sensor networks}},
  author={H. Chan and A. Perrig and D. Song},
  booktitle={IEEE Symposium on Security and Privacy},
  pages={197--215},
  year={2003},
  organization={IEEE Computer Society}
}

@conference{forrest1996sense,
  title={{A sense of self for {Unix} processes}},
  author={S. Forrest and  S.A. Hofmeyr and A. Somayaji and T.A. Longstaff
  {et al.}},
  booktitle={IEEE Symposium on Security and Privacy},
  pages={120--128},
  year={1996},
  organization={IEEE Computer Society}
}

@Proceedings{Schaefer1999,
Author = "Marv Schaefer and W.C. Barker and Chuck Pfleeger",
Title = "The Tea and I: An Allergy",
Booktitle={IEEE Symposium on Security and Privacy},
Organization={IEEE Computer Society},
Address = "", Year = "1999",
Pages="", Month = ""  }

@ARTICLE{ABM10,
Author={R. Bobba and O. Fatemieh and F. Khan and A. Khan and C.A. Gunter and
H. Khurana and M. Prabhakaran},
TITLE = {Attribute-Based Messaging: Access Control and Confidentiality},
JOURNAL = {ACM Transactions on Information and Systems Security (TISSEC)},
YEAR = {2010}, VOLUME = {}, NUMBER = {}, PAGES = {}, MONTH = {} }

@TechReport{Kroll09,
Author={J. Kroll and D. Dean},
TITLE = {BakerSFIeld: Bringing Software Fault Isolation to x64},
Institution = {Princeton and SRI},
YEAR = {2010}, MONTH = feb,
Note = {\url{http://www.cs.princeton.edu/~kroll/papers/bakersfield-sfi.pdf
}}
 }

@article{morris:protectionprogramming,
 author = {Morris,Jr., James H.},
 title = {Protection in programming languages},
 journal = {Communications of the ACM},
 volume = {16},
 number = {1},
 year = {1973},
 issn = {0001-0782},
 pages = {15--21},
 doi = {10.1145/361932.361937},
 publisher = {ACM},
 address = {New York, NY, USA},
 }

@misc{apple:macosx,
	author = {{Apple Inc.}},
	title = {{Mac OS X Snow Leopard}},
	howpublished={\url{http://www.apple.com/macosx/}},
	year = 2010,
}

@inproceedings{fabry:caseforcapabilities,
 author = {Fabry, R. S.},
 title = {The case for capability based computers (Extended Abstract)},
 booktitle = {SOSP '73: Proceedings of the Fourth ACM Symposium on Operating System Principles},
 year = {1973},
 pages = {120},
 doi = {10.1145/800009.808060},
 publisher = {ACM},
 address = {New York, NY, USA},
 }

@article{lampson:protection,
 author = {Lampson, Butler W.},
 title = {Protection},
 journal = {SIGOPS Operating Systems Review},
 volume = {8},
 number = {1},
 year = {1974},
 issn = {0163-5980},
 pages = {18--24},
 doi = {10.1145/775265.775268},
 publisher = {ACM},
 address = {New York, NY, USA},
 }

 @inproceedings{lampson:dynamicprotection,
 author = {Lampson, B. W.},
 title = {Dynamic protection structures},
 booktitle = {{AFIPS '69 (Fall): Proceedings of the November 18-20, 1969, Fall Joint
   Computer Conference}},
 year = {1969},
 pages = {27--38},
 location = {Las Vegas, Nevada},
 doi = {10.1145/1478559.1478563},
 publisher = {ACM},
 address = {New York, NY, USA},
 }


@article{klein:sel4,
 author = {Klein, Gerwin and Andronick, June and Elphinstone, Kevin and Heiser, Gernot and Cock, David and Derrin, Philip and Elkaduwe, Dhammika and Engelhardt, Kai and Kolanski, Rafal and Norrish, Michael and Sewell, Thomas and Tuch, Harvey and Winwood, Simon},
 title = {seL4: formal verification of an operating-system kernel},
 journal = {Communications of the ACM},
 volume = {53},
 issue = {6},
 month = jun,
 year = {2009},
 issn = {0001-0782},
 pages = {107--115},
 numpages = {9},
 doi = {10.1145/1743546.1743574},
 acmid = {1743574},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{Madhavapeddy:2007:MCF:1272998.1273009,
 author = {Madhavapeddy, Anil and Ho, Alex and Deegan, Tim and Scott, David and Sohan, Ripduman},
 title = {Melange: creating a "functional" internet},
 journal = {SIGOPS Oper. Syst. Rev.},
 volume = {41},
 issue = {3},
 month = mar,
 year = {2007},
 issn = {0163-5980},
 pages = {101--114},
 numpages = {14},
 doi = {10.1145/1272998.1273009},
 acmid = {1273009},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{madhavapeddy:mirageos,
 author = {Madhavapeddy, Anil and Mortier, Richard and Sohan, Ripduman and Gazagnaire, Thomas and Hand, Steven and Deegan, Tim and McAuley, Derek and Crowcroft, Jon},
 title = {Turning down the LAMP: software specialisation for the cloud},
 booktitle = {Proceedings of the 2nd USENIX conference on Hot topics in cloud computing},
 series = {HotCloud'10},
 year = {2010},
 location = {Boston, MA},
 pages = {11--11},
 numpages = {1},
 url = {http://portal.acm.org/citation.cfm?id=1863103.1863114},
 acmid = {1863114},
 publisher = {USENIX Association},
 address = {Berkeley, CA, USA},
}

@inproceedings{pnueli:ltl,
 author = {Pnueli, Amir},
 title = {The temporal logic of programs},
 booktitle = {Proceedings of the 18th Annual Symposium on Foundations of Computer Science},
 year = {1977},
 pages = {46--57},
 numpages = {12},
 url = {http://portal.acm.org/citation.cfm?id=1398506.1382534},
 doi = {10.1109/SFCS.1977.32},
 acmid = {1382534},
 publisher = {IEEE Computer Society},
 address = {Washington, DC, USA},
}

@INPROCEEDINGS{watson:discexmac,
    author = "Robert N.~M. Watson and Brian Feldman and Adam Migus and Christopher Vance",
    title = "{Design and Implementation of the {TrustedBSD MAC Framework}}",
    booktitle = {{Proceedings of the Third DARPA Information Survivability Conference and
	Exhibition (DISCEX), IEEE}},
    month = apr,
    year = "2003"
}

@inproceedings{lamport:sometimes,
 author = {Lamport, Leslie},
 title = {``Sometime'' is sometimes ``not never'': on the temporal logic of programs},
 booktitle = {Proceedings of the 7th ACM SIGPLAN-SIGACT symposium on Principles of programming languages},
 series = {POPL '80},
 year = {1980},
 isbn = {0-89791-011-7},
 location = {Las Vegas, Nevada},
 pages = {174--185},
 numpages = {12},
 doi = {10.1145/567446.567463},
 acmid = {567463},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{clark:modelchecking,
 author = {Clarke, Edmund M. and Emerson, E. Allen and Sifakis, Joseph},
 title = {Model checking: algorithmic verification and debugging},
 journal = {Communications of the ACM},
 issue_date = {November 2009},
 volume = {52},
 issue = {11},
 month = nov,
 year = {2009},
 issn = {0001-0782},
 pages = {74--84},
 numpages = {11},
 doi = {10.1145/1592761.1592781},
 acmid = {1592781},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{holzmann:spin,
 author = {Holzmann, Gerard J.},
 title = {The Model Checker {SPIN}},
 journal = {IEEE Transactions on Software Engineering},
 volume = {23},
 issue = {5},
 month = may,
 year = {1997},
 issn = {0098-5589},
 pages = {279--295},
 numpages = {17},
 url = {http://portal.acm.org/citation.cfm?id=260897.260902},
 doi = {10.1109/32.588521},
 acmid = {260902},
 publisher = {IEEE Press},
 address = {Piscataway, NJ, USA},
 keywords = {Formal methods, program verification, design verification, model checking, distributed systems, concurrency.},
}

@MISC{eisner:truncatedpaths,
    author = {Cindy Eisner and Dana Fisman and John Havlicek and Yoad Lustig and Anthony Mcisaac and David Van Campenhout},
    title = {Reasoning with Temporal Logic on Truncated Paths },
    year = {2003}
}

@inproceedings{kwon:lowfat,
  title = {Low-Fat Pointers: Compact Encoding and Efficient Gate-Level Implementation of Fat Pointers for Spatial Safety and Capability-based Security},
  author = {Albert Kwon and Udit Dhawan and Jonathan M. Smith and Thomas F. {Knight, Jr.} and André DeHon},
  year = 2013,
  month = nov,
  booktitle = {20th ACM Conference on Computer and Communications Security}
}

@inproceedings{woodruff:cheriisca2014,
  title = {The {{CHERI Capability Model}}: {{Revisiting RISC}} in an {{Age}} of {{Risk}}},
  shorttitle = {The {{CHERI Capability Model}}},
  booktitle = {Proceeding of the 41st {{Annual International Symposium}} on {{Computer Architecuture}}},
  author = {Woodruff, Jonathan and Watson, Robert N. M. and Chisnall, David and Moore, Simon W. and Anderson, Jonathan and Davis, Brooks and Laurie, Ben and Neumann, Peter G. and Norton, Robert and Roe, Michael},
  date = {2014-06},
  pages = {457--468},
  publisher = {{IEEE Press}},
  location = {{Piscataway, NJ, USA}},
  doi = {10.1109/ISCA.2014.6853201},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf},
  series = {{{ISCA}} '14},
  venue = {Minneapolis, Minnesota, USA}
}

@inproceedings{watson:cheriresolve2012,
	title = {{CHERI: a research platform deconflating hardware virtualization and protection}},
	author = {Robert N. M. Watson and  Peter G. Neumann Jonathan Woodruff and  Jonathan Anderson and Ross Anderson and Nirav Dave and Ben Laurie and Simon W. Moore and Steven J. Murdoch and Philip Paeps and Michael Roe and Hassen Saidi},
	year = 2012,
	month = mar,
	booktitle = {{Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012)}}
}

@TechReport{UCAM-CL-TR-850,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Anderson, Jonathan and Chisnall, David and
          	  Davis, Brooks and Laurie, Ben and Moore, Simon W. and
          	  Murdoch, Steven J. and Roe, Michael},
  title = 	 {{Capability Hardware Enhanced RISC Instructions (CHERI):
         	   Instruction-Set Architecture}},
  year = 	 2014,
  month = 	 jun,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-850.pdf},
  number = 	 {UCAM-CL-TR-850}
}

@TechReport{UCAM-CL-TR-851,
  author =	 {Watson, Robert N. M. and Chisnall, David and Davis, Brooks
          	  and Koszek, Wojciech and Moore, Simon W. and Murdoch,
          	  Steven J. and Neumann, Peter G. and Woodruff, Jonathan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions (CHERI):
         	   User's guide}},
  year = 	 2014,
  month = 	 jun,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-851.pdf},
  number = 	 {UCAM-CL-TR-851}
}

@TechReport{UCAM-CL-TR-852,
  author =	 {Watson, Robert N. M. and Woodruff, Jonathan and Chisnall,
          	  David and Davis, Brooks and Koszek, Wojciech and Markettos, A. Theodore and Moore,
          	  Simon W. and Murdoch, Steven J. and Neumann, Peter G. and
          	  Norton, Robert and Roe, Michael},
  title = 	 {{Bluespec Extensible RISC Implementation (BERI): Hardware
         	   Reference}},
  year = 	 2014,
  month = 	 jun,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-852.pdf},
  number = 	 {UCAM-CL-TR-852}
}

@TechReport{UCAM-CL-TR-853,
  author =	 {Watson, Robert N. M. and Chisnall, David and Davis, Brooks
          	  and Koszek, Wojciech and Moore, Simon W. and Murdoch,
          	  Steven J. and Neumann, Peter G. and Woodruff, Jonathan},
  title = 	 {{Bluespec Extensible RISC Implementation (BERI): Software
         	   Reference}},
  year = 	 2014,
  month = 	 jun,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-853.pdf},
  number = 	 {UCAM-CL-TR-853}
}

@TechReport{UCAM-CL-TR-858,
  author =	 {Woodruff, Jonathan D.},
  title = 	 {{CHERI: A RISC capability machine for practical memory
         	   safety}},
  year = 	 2014,
  month = 	 jul,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-858.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-858}
}

@TechReport{UCAM-CL-TR-864,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Anderson, Jonathan and Chisnall, David and
          	  Davis, Brooks and Laurie, Ben and Moore, Simon W. and
          	  Murdoch, Steven J. and Roe, Michael},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture}},
  year = 	 2014,
  month = 	 dec,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-864.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-864}
}

@TechReport{UCAM-CL-TR-868,
  author =	 {Watson, Robert N. M. and Woodruff, Jonathan and Chisnall,
          	  David and Davis, Brooks and Koszek, Wojciech and Markettos,
          	  A. Theodore and Moore, Simon W. and Murdoch, Steven J. and
          	  Neumann, Peter G. and Norton, Robert and Roe, Michael},
  title = 	 {{Bluespec Extensible RISC Implementation: BERI Hardware
         	   reference}},
  year = 	 2015,
  month = 	 apr,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-868.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-868}
}

@TechReport{UCAM-CL-TR-869,
  author =	 {Watson, Robert N. M. and Chisnall, David and Davis, Brooks
          	  and Koszek, Wojciech and Moore, Simon W. and Murdoch,
          	  Steven J. and Neumann, Peter G. and Woodruff, Jonathan},
  title = 	 {{Bluespec Extensible RISC Implementation: BERI Software
         	   reference}},
  year = 	 2015,
  month = 	 apr,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-869.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-869}
}

@TechReport{UCAM-CL-TR-873,
  author =	 {Gudka, Khilan and Watson, Robert N.M. and Anderson,
          	  Jonathan and Chisnall, David and Davis, Brooks and Laurie,
          	  Ben and Marinos, Ilias and Murdoch, Steven J. and Neumann,
          	  Peter G. and Richardson, Alex},
  title = 	 {{Clean application compartmentalization with SOAAP
         	   (extended version)}},
  year = 	 2015,
  month = 	 dec,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-873.pdf},
  number = 	 {UCAM-CL-TR-873}
}

@TechReport{UCAM-CL-TR-876,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Roe, Michael and Anderson, Jonathan and
          	  Chisnall, David and Davis, Brooks and Joannou, Alexandre and
		  Laurie, Ben and Moore, Simon W. and Murdoch, Steven J. and
		  Norton, Robert and Son, Stacey},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture}},
  year = 	 2015,
  month = 	 nov,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-876.pdf},
  number = 	 {UCAM-CL-TR-876}
}

@TechReport{UCAM-CL-TR-877,
  author =	 {Watson, Robert N. M. and Chisnall, David and Davis, Brooks
          	  and Koszek, Wojciech and Moore, Simon W. and Murdoch,
          	  Steven J. and Neumann, Peter G. and Woodruff, Jonathan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Programmer's Guide}},
  year = 	 2015,
  month = 	 nov,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-877.pdf},
  number = 	 {UCAM-CL-TR-877}
}

@TechReport{UCAM-CL-TR-927,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Roe, Michael and Almatary, Hesham and
          	  Anderson, Jonathan and Baldwin, John and Chisnall, David
          	  and Davis, Brooks and Filardo, Nathaniel Wesley and
          	  Joannou, Alexandre and Laurie, Ben and Moore, Simon W. and
          	  Murdoch, Steven J. and Nienhuis, Kyndylan and Norton,
          	  Robert and Richardson, Alex and Sewell, Peter and Son,
          	  Stacey and Xia, Hongyan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture (Version 7)}},
  year = 	 2018,
  month = 	 oct,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom,
          	  phone +44 1223 763500},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf},
  number = 	 {UCAM-CL-TR-927}
}

@inproceedings{Necula:2002:CTR:503272.503286,
 author = {Necula, George C. and McPeak, Scott and Weimer, Westley},
 title = {CCured: Type-safe Retrofitting of Legacy Code},
 booktitle = {Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on
Principles of Programming Languages},
 series = {POPL '02},
 year = {2002},
 isbn = {1-58113-450-9},
 location = {Portland, Oregon},
 pages = {128--139},
 numpages = {12},
 doi = {10.1145/503272.503286},
 acmid = {503286},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@inproceedings{Nagarakatte:2009:SHC:1542476.1542504,
 author = {Nagarakatte, Santosh and Zhao, Jianzhou and Martin, Milo M.K. and Zdancewic, Steve},
 title = {SoftBound: Highly Compatible and Complete Spatial Memory Safety for {C}},
 booktitle = {Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation},
 series = {PLDI '09},
 year = {2009},
 isbn = {978-1-60558-392-1},
 location = {Dublin, Ireland},
 pages = {245--258},
 numpages = {14},
 doi = {10.1145/1542476.1542504},
 acmid = {1542504},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {buffer overflows, c, spatial memory safety},
}

@article{Devietti:2008:HAS:1353536.1346295,
 author = {Devietti, Joe and Blundell, Colin and Martin, Milo M. K. and Zdancewic, Steve},
 title = {Hardbound: Architectural Support for Spatial Safety of the {C} Programming Language},
 journal = {SIGPLAN Not.},
 issue_date = {March 2008},
 volume = {43},
 number = {3},
 month = mar,
 year = {2008},
 issn = {0362-1340},
 pages = {103--114},
 numpages = {12},
 doi = {10.1145/1353536.1346295},
 acmid = {1346295},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {C programming language, spatial memory safety},
}

@MANUAL{Bluespec:TFRG,
        TITLE = "Bluespec SystemVerilog Version~3.8 Reference Guide",
        ORGANIZATION = "Bluespec,~Inc.",
        ADDRESS = {Waltham,~MA},
        MONTH = nov,
        YEAR = {2004},
        LABEL = "BSV"
}

@article{watson13,
  author = {Watson, Robert N. M.},
  title = {A Decade of {{OS}} Access-Control Extensibility},
  date = {2013-02-01},
  journaltitle = {Communications of the ACM},
  shortjournal = {Commun. ACM},
  volume = {56},
  pages = {52--63},
  issn = {0001-0782},
  doi = {10.1145/2408776.2408792},
  number = {2}
}

@inproceedings{ChisnallCPDP11,
author = {David Chisnall and Colin Rothwell and Brooks Davis and Robert N. M. Watson and Jonathan Woodruff and Simon W. Moore and Peter G. Neumann and Michael Roe},
title = {Beyond the {PDP}-11: Architectural support for a memory-safe C abstract machine},
booktitle = {Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems},
series = {ASPLOS '15},
year = {2015},
location = {Istanbul, Turkey},
numpages = {14},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {C, memory safety, memory models, code generation},
}

@inproceedings{watson15:cheri,
  title = {{{CHERI}}: {{A Hybrid Capability}}-{{System Architecture}} for {{Scalable Software Compartmentalization}}},
  shorttitle = {{{CHERI}}},
  booktitle = {Proceedings of the 2015 {{IEEE Symposium}} on {{Security}} and {{Privacy}}},
  author = {Watson, Robert N. M. and Woodruff, Jonathan and Neumann, Peter G. and Moore, Simon W. and Anderson, Jonathan and Chisnall, David and Dave, Nirav and Davis, Brooks and Gudka, Khilan and Laurie, Ben and Murdoch, Steven J. and Norton, Robert and Roe, Michael and Son, Stacey and Vadera, Munraj},
  date = {2015-05},
  pages = {20--37},
  publisher = {{IEEE Computer Society}},
  location = {{Washington, DC, USA}},
  doi = {10.1109/SP.2015.9},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201505-oakland2015-cheri-compartmentalization.pdf},
  eventtitle = {2015 {{IEEE Symposium}} on {{Security}} and {{Privacy}} ({{SP}})},
  isbn = {978-1-4673-6949-7},
  series = {{{SP}} '15}
}

@inproceedings{gudka15:soaap,
  author = {Khilan Gudka and Robert N. M. Watson and Jonathan Anderson and David Chisnall and Brooks Davis and Ben Laurie and Ilias Marinos and Peter G. Neumann and Alex Richardson},
  title = {{Clean Application Compartmentalization with SOAAP}},
  booktitle = {{Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015)}},
  month = oct,
  year = {2015},
}

@inproceedings{Keromytis2003,
  author = {Gaurav S. Kc and Angelos D. Keromytis and Vassilis Prevelakis},
  title = {Countering Code-Injection Attacks With Instruction-Set
   Randomization},
  booktitle = {Proceedings of the Tenth ACM Conference on Computer and
Communications Security (CCS)},
  month = oct,
  year = 2003
}

@inproceedings{dhawan2014pump,
  title={PUMP: a programmable unit for metadata processing},
  author={Dhawan, Udit and Vasilakis, Nikos and Rubin, Raphael and Chiricescu, Silviu and Smith, Jonathan M and Knight Jr, Thomas F and Pierce, Benjamin C and DeHon, Andr{\'e}},
  booktitle={Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy},
  pages={8},
  year={2014},
  organization={ACM}
}

@phdthesis{gonzalez2015taxi,
  title={Taxi: Defeating Code Reuse Attacks with Tagged Memory},
  author={Gonz{\'a}lez, Juli{\'a}n Armando},
  year={2015},
  school={Massachusetts Institute of Technology}
}

@inproceedings{abadi2005control,
  title={{Control-Flow Integrity}},
  author={Abadi, Mart{\'\i}n and Budiu, Mihai and Erlingsson, Ulfar and Ligatti, Jay},
  booktitle={Proceedings of the 12th ACM conference on Computer and communications security},
  pages={340--353},
  year={2005},
  organization={ACM}
}

@article{mashtizadeh2014cryptographically,
  title={Cryptographically enforced control flow integrity},
  author={Mashtizadeh, Ali Jose and Bittau, Andrea and Mazieres, David and Boneh, Dan},
  journal={arXiv preprint arXiv:1408.1451},
  year={2014}
}

@inproceedings{Mashtizadeh_CCFICryptographicallyEnforced_2015,
  title = {{{CCFI}}: {{Cryptographically Enforced Control Flow Integrity}}},
  shorttitle = {{{CCFI}}},
  booktitle = {Proceedings of the 22nd {{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}},
  author = {Mashtizadeh, Ali Jose and Bittau, Andrea and Boneh, Dan and Mazi\`eres, David},
  date = {2015-10-12},
  pages = {941--951},
  publisher = {{Association for Computing Machinery}},
  location = {{New York, NY, USA}},
  doi = {10.1145/2810103.2813676},
  urldate = {2020-09-30},
  abstract = {Control flow integrity (CFI) restricts jumps and branches within a program to prevent attackers from executing arbitrary code in vulnerable programs. However, traditional CFI still offers attackers too much freedom to chose between valid jump targets, as seen in recent attacks. We present a new approach to CFI based on cryptographic message authentication codes (MACs). Our approach, called cryptographic CFI (CCFI), uses MACs to protect control flow elements such as return addresses, function pointers, and vtable pointers. Through dynamic checks, CCFI enables much finer-grained classification of sensitive pointers than previous approaches, thwarting all known attacks and resisting even attackers with arbitrary access to program memory. We implemented CCFI in Clang/LLVM, taking advantage of recently available cryptographic CPU instructions (AES-NI). We evaluate our system on several large software packages (including nginx, Apache and memcache) as well as all their dependencies. The cost of protection ranges from a 3--18\% decrease in server request rate. We also expect this overhead to shrink as Intel improves the performance AES-NI.},
  isbn = {978-1-4503-3832-5},
  keywords = {control flow integrity,return oriented programming,vulnerabilities},
  series = {{{CCS}} '15}
}

@inproceedings{evans2015control,
  title={Control jujutsu: On the weaknesses of fine-grained control flow integrity},
  author={Evans, Isaac and Long, Fan and Otgonbaatar, Ulziibayar and Shrobe, Howard and Rinard, Martin and Okhravi, Hamed and Sidiroglou-Douskos, Stelios},
  booktitle={ACM SIGSAC Conference on Computer and Communications Security, CCS},
  year={2015}
}

@inproceedings{conti2015losing,
  title={Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks},
  author={Conti, Mauro and Crane, Stephen and Davi, Lucas and Franz, Michael and Larsen, Per and Liebchen, Christopher and Negro, Marco and Qunaibit, Mohaned and Sadeghi, Ahmad-Reza},
  booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
  pages={952--963},
  year={2015},
  organization={ACM}
}

@inproceedings{kuznetsov2014code,
  title={Code-pointer integrity},
  author={Kuznetsov, Volodymyr and Szekeres, L{\'a}szl{\'o} and Payer, Mathias and Candea, George and Sekar, R and Song, Dawn},
  booktitle={USENIX Symposium on Operating Systems Design and Implementation (OSDI)},
  year={2014}
}

@TECHREPORT{Bletsch10jump-orientedprogramming:,
    author = {Tyler Bletsch and Xuxian Jiang and Vince W. Freeh and Zhenkai Liang},
    title = {Jump-Oriented Programming: A New Class of Code-Reuse Attack},
    institution = {NC State University},
    year = {2010}
}

@article{Hardy1988,
author = "Norman Hardy",
title = "The Confused Deputy (or why capabilities might have been invented)",
journal = "{ACM SIGOPS} Operating Systems Review",
volume = 22,
number = 4,
month = oct,
year = 1988}

@TechReport{UCAM-CL-TR-887,
  author =	 {Norton, Robert M.},
  title = 	 {{Hardware support for compartmentalisation}},
  year = 	 2016,
  month = 	 may,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-887.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-887}
}

@TechReport{UCAM-CL-TR-891,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Roe, Michael and Anderson, Jonathan and
          	  Chisnall, David and Davis, Brooks and Joannou, Alexandre
          	  and Laurie, Ben and Moore, Simon W. and Murdoch, Steven J.
          	  and Norton, Robert and Son, Stacey and Xia, Hongyan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture (Version 5)}},
  year = 	 2016,
  month = 	 jun,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-891.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-891}
}

@manual{SKPP,
title = "U.S. Government Protection Profile for Separation Kernels in
Environments Requiring High Robustness",
key = "National Security Agency",
organization = "National Security Agency Information Assurance Directorate",
month = jun,
year = 2007}

@manual{CC2017-1,
title = {Common Criteria for Information Technology Security Evaluation --
  Part 1: Introduction and General Model},
author="{International Standards Organization}",
key = "International",
note = "Version 3.1, revision 5",
month = apr,
year = 2017}

@manual{CC2012-3,
title = "Common Criteria for Information Technology Security Evaluation --
    Part 3: Security assurance components",
author="{International Standards Organization}",
key = "International",
note = "Version 3.1, revision 4.",
month = sep,
year = 2012}

@InProceedings{Cerberus-PLDI16,
  author =       {
Kayvan Memarian and
Justus Matthiesen and
James Lingard and
Kyndylan Nienhuis and
David Chisnall and
Robert N.M. Watson and
Peter Sewell
},
  title =        {Into the depths of {C}: elaborating the de facto standards},
  booktitle =    {{Proceedings of PLDI 2016}},
  year =         {2016},
  month =        jun,
  publisher =	 {ACM},
}

@Inbook{Fox2015,
author="Fox, Anthony",
editor="Urban, Christian
and Zhang, Xingyuan",
title="Improved Tool Support for Machine-Code Decompilation in HOL4",
bookTitle="Interactive Theorem Proving: 6th International Conference, ITP 2015, Nanjing, China, August 24-27, 2015, Proceedings",
year="2015",
publisher="Springer International Publishing",
address="Cham",
pages="187--202",
isbn="978-3-319-22102-1",
}

@article{Gligor1979,
author = "Virgil Gligor and Bruce G. Lindsay",
title = "Object Migration and Authentication",
journal = "{IEEE} Transactions on Software Engineering",
volume = "SE-5",
number = 6,
month = nov,
year = 1979}

@book{Heinrich:1993:MRU:154056,
 author = {Heinrich, Joseph},
 title = {MIPS R4000 User's Manual},
 year = {1993},
 isbn = {0-13-105925-4},
 publisher = {Prentice-Hall, Inc.},
 address = {Upper Saddle River, NJ, USA},
}

@ARTICLE{watson2016:microjournal,
author={R. N. M. Watson and R. M. Norton and J. Woodruff and S. W. Moore and P. G. Neumann and J. Anderson and D. Chisnall and B. Davis and B. Laurie and M. Roe and N. H. Dave and K. Gudka and A. Joannou and A. T. Markettos and E. Maste and S. J. Murdoch and C. Rothwell and S. D. Son and M. Vadera},
journal={IEEE Micro},
title={{Fast Protection-Domain Crossing in the CHERI Capability-System Architecture}},
year={2016},
volume={36},
number={5},
pages={38-49},
keywords={reduced instruction set computing;storage management chips;CHERI capability system architecture;ISA;MMU;capability hardware enhanced RISC instructions;conventional memory management unit;fast protection domain;flow-control model;hardware-software object-capability model;instruction set architecture;memory sharing;software defined protection domain transition model;Capability engineering;Memory management;Program processors;Reduced instruction set computing;Systems modeling;CHERI;ISA;capabilities;capability;capability system;compartmentalization;hardware;instruction set architecture;memory management unit;memory protection;processor;security;software;vulnerability mitigation},
doi={10.1109/MM.2016.84},
ISSN={0272-1732},
month=sep,}

@inproceedings{chisnall2017:cherijni,
  title = {{{CHERI JNI}}: {{Sinking}} the {{Java Security Model}} into the {{C}}},
  shorttitle = {{{CHERI JNI}}},
  booktitle = {Proceedings of the {{Twenty}}-{{Second International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}},
  author = {Chisnall, David and Davis, Brooks and Gudka, Khilan and Brazdil, David and Joannou, Alexandre and Woodruff, Jonathan and Markettos, A. Theodore and Maste, J. Edward and Norton, Robert and Son, Stacey and Roe, Michael and Moore, Simon W. and Neumann, Peter G. and Laurie, Ben and Watson, Robert N.M.},
  date = {2017-04},
  pages = {569--583},
  publisher = {{ACM}},
  location = {{New York, NY, USA}},
  doi = {10.1145/3037697.3037725},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201704-asplos-cherijni.pdf},
  isbn = {978-1-4503-4465-4},
  keywords = {architecture,capability systems,cheri,compartmentalization,compilers,hardware security,java,jni,language security,memory protection,sandboxing},
  series = {{{ASPLOS}} '17},
  venue = {Xi'an, China}
}


@TechReport{UCAM-CL-TR-907,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Roe, Michael and Anderson, Jonathan and
          	  Baldwin, John and Chisnall, David and Davis, Brooks and
          	  Joannou, Alexandre and Laurie, Ben and Moore, Simon W. and
          	  Murdoch, Steven J. and Norton, Robert and Son, Stacey and
          	  Xia, Hongyan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture (Version 6)}},
  year = 	 2017,
  month = 	 apr,
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom,
          	  phone +44 1223 763500},
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-907.pdf},
  number = 	 {UCAM-CL-TR-907}
}

@TechReport{UCAM-CL-TR-916,
  author =	 {Watson, Robert N. M. and Woodruff, Jonathan and Roe,
          	  Michael and Moore, Simon W. and Neumann, Peter G.},
  title = 	 {{Capability Hardware Enhanced RISC Instructions (CHERI):
         	   Notes on the Meltdown and Spectre Attacks}},
  year = 	 2018,
  month = 	 feb,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-916.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-916}
}

@thesis{WatermanThesis2016,
  author = {Waterman, Andrew},
  title = {{Design of the RISC-V Instruction Set Architecture}},
  institution = {EECS Department, University of California, Berkeley},
  year = {2016},
  url = {http://digitalassets.lib.berkeley.edu/etd/ucb/text/Waterman_berkeley_0028E_15908.pdf}
}

@techreport{Waterman:EECS-2016-118,
    Author = {Waterman, Andrew and Lee, Yunsup and Patterson, David A. and Asanovi\'c, Krste},
    Title = {{The RISC-V Instruction Set Manual, Volume I: User-Level ISA, Version 2.1}},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2016},
    Month = may,
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-118.html},
    Number = {UCB/EECS-2016-118}
}

@techreport{Waterman:EECS-2016-161,
    Author = {Waterman, Andrew and Lee, Yunsup and Avizienis, Rimas and Patterson, David A. and Asanovi\'c, Krste},
    Title = {{The RISC-V Instruction Set Manual Volume II: Privileged Architecture Version 1.9.1}},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2016},
    Month = nov,
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-161.html},
    Number = {UCB/EECS-2016-161}
}

@Book{RISCV:User:2.2,
    Editor = {Waterman, Andrew and Asanovi\'c, Krste},
    Title = {{The RISC-V Instruction Set Manual, Volume I: User-Level ISA, Version 2.2}},
    Institution = {RISC-V Foundation},
    Year = {2017},
    Month = may,
    URL = {https://content.riscv.org/wp-content/uploads/2017/05/riscv-spec-v2.2.pdf}
}

@Book{RISCV:Privileged:1.11,
    Editor = {Waterman, Andrew and Asanovi\'c, Krste},
    Title = {{The RISC-V Instruction Set Manual, Volume II: Privileged Architecture, Document Version 20190608-Priv-MSU-Ratified}},
    Institution = {RISC-V Foundation},
    Year = {2019},
    Month = jun,
    URL = {https://github.com/riscv/riscv-isa-manual/releases/download/Ratified-IMFDQC-and-Priv-v1.11/riscv-privileged-20190608.pdf}
}

@incollection{watson2017:cheri-deployability,
    author = {Robert N. M. Watson and Peter G Neumann and Simon W. Moore},
    title = {{Balancing Disruption and Deployability in the CHERI Instruction-Set Architecture (ISA)}},
    editor = {H. Shrobe and D. L. Shrier and A. Pentland},
    booktitle = {New Solutions for Cybersecurity},
    publisher = {MIT Press/Connection Science},
    city = {Cambridge},
    state = {MA},
    year = {2018},
    chapter = {5}
}

@incollection{neumann2017:cheri-principles,
    author = {Peter G. Neumann},
    title = {{Fundamental Trustworthiness Principles in CHERI}},
    editor = {H. Shrobe and D. L. Shrier and A. Pentland},
    booktitle = {New Solutions for Cybersecurity},
    publisher = {MIT Press/Connection Science},
    city = {Cambridge},
    state = {MA},
    year = {2018},
    chapter = {6}
}

@article{Lipp2018meltdown,
  author = {Lipp, Moritz and Schwarz, Michael and Gruss, Daniel and Prescher,
    Thomas and Haas, Werner and Mangard, Stefan and Kocher, Paul and Genkin,
    Daniel and Yarom, Yuval and Hamburg, Mike},
  title = {Meltdown},
  journal = {ArXiv e-prints},
  archivePrefix = "arXiv",
  eprint = {1801.01207},
  year = 2018,
  month = jan,
}

@inproceedings{Foreshadow,
  title = {Foreshadow: {{Extracting}} the {{Keys}} to the {{Intel}} \{\vphantom\}{{SGX}}\vphantom\{\} {{Kingdom}} with {{Transient Out}}-of-{{Order Execution}}},
  shorttitle = {Foreshadow},
  author = {Bulck, Jo Van and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul},
  date = {2018-08},
  pages = {991--1008},
  publisher = {{USENIX Association}},
  location = {{Baltimore, MD}},
  url = {https://www.usenix.org/conference/usenixsecurity18/presentation/bulck},
  urldate = {2020-09-29},
  annotation = {http://foreshadowattack.eu/foreshadowattack.pdf},
  eventtitle = {27th {{USENIX Security Symposium}}},
  isbn = {978-1-939133-04-5},
  NOTE = {\url{http://foreshadowattack.eu/foreshadowattack.pdf}},
  series = {{{USENIX Security}} 18}
}

@article{Foreshadow-NG,
title={Foreshadow: Breaking the Virtual Memory
  Abstraction with Transient Out-of-Order Execution},
author={Ofir Weisse and Jo {Van Bulck} and Marina Minkin and Daniel Genkin and
  Boris Kasikci and Frank Piessens and Mark Silberstein and Raoul Strackx and
  Thomas F. Wenisch and Yucal Yarom},
journal={},
year={2018},
volume = {},
number = {},
day={14},
month=aug,
publisher = {},
NOTE = {\url{http://foreshadowattack.eu/foreshadow-NG.pdf}}
}


@article{Kocher2018spectre,
  author = {Kocher, Paul and Genkin, Daniel and Gruss, Daniel and Haas, Werner
  and Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and Prescher, Thomas
  and Schwarz, Michael and Yarom, Yuval},
  title = {Spectre Attacks: Exploiting Speculative Execution},
  journal = {ArXiv e-prints},
  archivePrefix = "arXiv",
  eprint = {1801.01203},
  year = 2018,
  month = jan,
}

@article{N32handbook,
  author = {George, Pirocanac and Susan, Wilkening and Jean, Wilson and Glen, Traefald},
  title = {{MIPSpro\textsuperscript{TM} N32 ABI Handbook}},
  publisher = {Silicon Graphics, SGI},
  year = 2002,
}

@inproceedings{Creech69,
  author={B. A. Creech},
  title={Architecture of the B-6500},
  pages={29-43},
  booktitle={Software Engineering: Proceedings of the Third Symposium on Computer and Information Sciences},
  month=dec,
  year={1970},
  volume={1},
  editor={Tou, Julius T.},
  isbn={9780323157445},
}

@article{Organick73,
  author={Elliott I. Organick},
  title={Computer System Organization},
  isbn={978-0125282505},
  publisher={Academic Press, Inc.},
  month=may,
  year={1973},
  url={http://bitsavers.org/pdf/burroughs/B5000_5500_5700/Organick_Computer_System_Organization_The_B5700_B6700_Series_1973.pdf},
}

@article{Mayer82,
 author = {Mayer, Alastair J. W.},
 title = {The Architecture of the {{Burroughs B5000}}: 20 Years Later and Still Ahead of the Times?},
 shorttitle = {The Architecture of the {{Burroughs B5000}}},
 journaltitle = {ACM SIGARCH Computer Architecture News},
 shortjournal = {SIGARCH Comput. Archit. News},
 issue_date = {June 1982},
 volume = {10},
 number = {4},
 month = jun,
 year = {1982},
 issn = {0163-5964},
 pages = {3--10},
 numpages = {8},
 doi = {10.1145/641542.641543},
 acmid = {641543},
 publisher = {ACM},
 address = {New York, NY, USA},
}

@article{Barton87,
  author={R. S. Barton and H. Berce and G. A. Collins and B. A. Creech and D. M. Dahm and B. A. Dent and V. J. Ford and B. A. Galler and J. E. S. Hale and E. A. Hauck and J. T. Hootman and P. D. King and N. L. Kreuder and W. R. Lonergan and D. MacDonald and F. B. MacKenzie and C. Oliphint and R. Pearson and R. F. Rosin and L. D. Turner and R. Waychoff},
  journal={Annals of the History of Computing},
  title={Discussion: The Burroughs B 5000 in Retrospect},
  year={1987},
  volume={9},
  number={1},
  pages={37-92},
  keywords={Computers;Hardware},
  doi={10.1109/MAHC.1987.10006},
  ISSN={0164-1239},
  month=jan,
}

@report{Burroughs-B6700,
  author={Burroughs Corporation},
  title={B 6700 Information Processing System Reference Manual},
  year={1972},
  url={http://bitsavers.trailing-edge.com/pdf/burroughs/B6500_6700/1058633_B6700_RefMan_May72.pdf}
}

@phdthesis{Gumpertz81,
  title={Error Detection with Memory Tags},
  author={Richard H. Gumpertz},
  month=dec,
  year={1981},
  institution={Carnegie Mellon University},
  url={http://reports-archive.adm.cs.cmu.edu/anon/scan/CMU-CS-84-122.pdf}
}

@inproceedings{joannou2017:tagged-memory,
  author={Alexandre Joannou and Jonathan Woodruff and Robert Kovacsics and Simon W. Moore and Alex Bradbury and Hongyan Xia and Robert N. M. Watson and David Chisnall and Michael Roe and Brooks Davis and Edward Napierala and John Baldwin and Khilan Gudka and Peter G. Neumann and Alfredo Mazzinghi and Alex Richardson and Stacey Son and A. Theodore Markettos},
  title = {Efficient Tagged Memory},
  booktitle = {{Proceedings of the 2017 IEEE 35th International Conference on Computer Design (ICCD)}},
  month = nov,
  year = {2017},
  city = {Boston},
  state = {MA},
  country = {USA},
}

@INPROCEEDINGS{Popek79,
author = {G. J. Popek and M. Kampe and M. Urban and A. Stoughton and E. J. Walton and C. S. Kline},
booktitle = {International Workshop on Managing Requirements Knowledge (AFIPS)},
title = {UCLA Secure UNIX},
year = {1979},
pages = {355},
doi = {10.1109/AFIPS.1979.128},
month={6}
}

@phdthesis{doerrie2015:confinement,
  author={M. Scott Doerrie},
  title={Confidence in Confinement: An Axiom-free, Mechanized Verification
of Confinement in Capability-based Systems},
  year={2015},
  institution={Johns Hopkins University},
  url={http://www.doerrie.us/assets/doerrie-dissertation-jhu.pdf}
}

@article{Skorstengaard:2019:stktokens,
  title = {{{StkTokens}}: Enforcing Well-Bracketed Control Flow and Stack Encapsulation Using Linear Capabilities},
  shorttitle = {{{StkTokens}}},
  author = {Skorstengaard, Lau and Devriese, Dominique and Birkedal, Lars},
  date = {2019-01},
  journaltitle = {Proceedings of the ACM on Programming Languages},
  shortjournal = {Proc. ACM Program. Lang.},
  volume = {3},
  pages = {19:1--19:28},
  doi = {10.1145/3290332},
  urldate = {2020-09-15},
  issue = {POPL},
  keywords = {capability machines,fully abstract compilation,fully abstract overlay semantics,linear capabilities,secure compilation,stack frame encapsulation,well-bracketed control flow}
}

@inproceedings{chiricescu2013safe,
  title={SAFE: A clean-slate architecture for secure systems},
  author={Chiricescu, Silviu and DeHon, Andr{\'e} and Demange, Delphine and Iyer, Suraj and Kliger, Aleksey and Morrisett, Greg and Pierce, Benjamin C and Reubenstein, Howard and Smith, Jonathan M and Sullivan, Gregory T and others},
  booktitle={IEEE International Conference on Technologies for Homeland Security (HST)},
  pages={570--576},
  year={2013}
}

@INPROCEEDINGS{shapiro:2004,
    author = {Jonathan Shapiro and Michael Scott Doerrie and Eric Northup and Mark Miller},
    title = {Towards a verified, general-purpose operating system kernel},
    booktitle = {Proceedings of the NICTA Invitational Workshop on Operating System Verification},
    year = {2004},
    pages = {1--19},
    url={http://www.cs.jhu.edu/~swaroop/osverify-2004.pdf}
}

@inproceedings{carter:mmachine94,
  title = {Hardware {{Support}} for {{Fast Capability}}-Based {{Addressing}}},
  booktitle = {Proceedings of the {{Sixth International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}},
  author = {Carter, Nicholas P. and Keckler, Stephen W. and Dally, William J.},
  date = {1994-11},
  pages = {319--327},
  publisher = {{ACM}},
  location = {{New York, NY, USA}},
  doi = {10.1145/195473.195579},
  url = {https://www.cs.utexas.edu/users/skeckler/pubs/asplos94.pdf},
  abstract = {Traditional methods of providing protection in memory systems do so at the cost of increased context switch time and/or increased storage to record access permissions for processes. With the advent of computers that supported cycle-by-cycle multithreading, protection schemes that increase the time to perform a context switch are unacceptable, but protecting unrelated processes from each other is still necessary if such machines are to be used in non-trusting environments. This paper examines guarded pointers, a hardware technique which uses tagged 64-bit pointer objects to implement capability-based addressing. Guarded pointers encode a segment descriptor into the upper bits of every pointer, eliminating the indirection and related performance penalties associated with traditional implementations of capabilities. All processes share a single 54-bit virtual address space, and access is limited to the data that can be referenced through the pointers that a process has been issued. Only one level of address translation is required to perform a memory reference. Sharing data between processes is efficient, and protection states are defined to allow fast protected subsystem calls and create unforgeable data keys.},
  isbn = {978-0-89791-660-8},
  series = {{{ASPLOS VI}}},
  venue = {San Jose, California, USA}
}

@inproceedings{Fillo_MMachineMulticomputer_1995,
  title = {The {{M}}-{{Machine}} Multicomputer},
  booktitle = {Proceedings of the 28th Annual International Symposium on {{Microarchitecture}}},
  author = {Fillo, Marco and Keckler, Stephen W. and Dally, William J. and Carter, Nicholas P. and Chang, Andrew and Gurevich, Yevgeny and Lee, Whay S.},
  date = {1995-12-01},
  pages = {146--156},
  publisher = {{IEEE Computer Society Press}},
  location = {{Washington, DC, USA}},
  doi = {10.1109/MICRO.1995.476822},
  abstract = {The M-Machine is an experimental multicomputer being developed to test architectural concepts motivated by the constraints of modern semiconductor technology and the demands of programming systems. The M-Machine computing nodes are connected with a 3-D mesh network; each node is a multithreaded processor incorporating 12 function units, on-chip cache, and local memory. The multiple function units are used to exploit both instruction-level and thread-level parallelism. A user accessible message passing system yields fast communication and synchronization between nodes. Rapid access to remote memory is provided transparently to the user with a combination of hardware and software mechanisms. This paper presents the architecture of the M-Machine and describes how its mechanisms attempt to maximize both single thread performance and overall system throughput. The architecture is complete and the MAP chip, which will serve as the M-Machine processing node, is currently being implemented.},
  isbn = {978-0-8186-7349-8},
  keywords = {3-D mesh network,architectural concepts testing,computer architecture,Computer architecture,Computer networks,Hardware,hardware mechanisms,instruction-level,local memory,M-Machine multicomputer,Mesh networks,message passing,Message passing,multiprocessing systems,multithreaded processor,Network-on-a-chip,on-chip cache,overall system throughput,Parallel processing,programming systems,Semiconductor device testing,single thread performance,software mechanisms,synchronisation,System testing,thread-level parallelism,user accessible message passing system,Yarn},
  series = {{{MICRO}} 28}
}

@inproceedings{Davis_CheriABIEnforcingValid_2019,
  ids = {davis2019:cheriabi},
  title = {{{CheriABI}}: {{Enforcing Valid Pointer Provenance}} and {{Minimizing Pointer Privilege}} in the {{POSIX C Run}}-Time {{Environment}}},
  shorttitle = {{{CheriABI}}},
  booktitle = {Proceedings of the {{Twenty}}-{{Fourth International Conference}} on {{Architectural Support}} for {{Programming Languages}} and {{Operating Systems}}},
  author = {Davis, Brooks and Watson, Robert N. M. and Richardson, Alexander and Neumann, Peter G. and Moore, Simon W. and Baldwin, John and Chisnall, David and Clarke, Jessica and Filardo, Nathaniel Wesley and Gudka, Khilan and Joannou, Alexandre and Laurie, Ben and Markettos, A. Theodore and Maste, J. Edward and Mazzinghi, Alfredo and Napierala, Edward Tomasz and Norton, Robert M. and Roe, Michael and Sewell, Peter and Son, Stacey and Woodruff, Jonathan},
  date = {2019-04},
  pages = {379--393},
  publisher = {{ACM}},
  location = {{New York, NY, USA}},
  doi = {10.1145/3297858.3304042},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf},
  urldate = {2019-06-10},
  eventtitle = {{{ASPLOS}} 2019},
  isbn = {978-1-4503-6240-5},
  series = {{{ASPLOS}} '19},
  venue = {Providence, RI, USA}
}

@inproceedings{sail-popl2019,
  author = {Alasdair Armstrong and Thomas Bauereiss and Brian Campbell and Alastair Reid and Kathryn E. Gray and Robert M. Norton and Prashanth Mundkur and Mark Wassell and Jon French and Christopher Pulte and Shaked Flur and Ian Stark and Neel Krishnaswami and Peter Sewell},
  title = {{ISA} Semantics for {ARMv8-A, RISC-V, and CHERI-MIPS}},
  optcrossref = {},
  optkey = {},
  conf = {POPL 2019},
  booktitle = {\textbf{POPL 2019}: Proc. 46th ACM SIGPLAN Symposium on Principles of Programming Languages},
  optbooktitle = {},
  year = {2019},
  opteditor = {},
  optvolume = {},
  optnumber = {},
  optseries = {},
  optpages = {},
  month = jan,
  optaddress = {},
  optorganization = {},
  optpublisher = {},
  note = {Proc. ACM Program. Lang. 3, POPL, Article 71},
  optnote = {},
  optannote = {},
  doi = {10.1145/3290384},
  abstract = {Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification.  But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving software and verification on shaky ground.

In this paper, we present rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4.  Our ARMv8-A models are automatically translated from authoritative ARM-internal definitions, and (in one variant) tested against the ARM Architecture Validation Suite.

We do this using a custom language for ISA semantics, Sail, with a lightweight dependent type system, that supports automatic generation of emulator code in C and OCaml, and automatic generation of proof-assistant definitions for Isabelle, HOL4, and (currently only for MIPS) Coq.  We use the former for validation, and to assess specification coverage.  To demonstrate the usability of the latter, we prove (in Isabelle) correctness of a purely functional characterisation of ARMv8-A address translation.  We moreover integrate the RISC-V model into the RMEM tool for (user-mode) relaxed-memory concurrency exploration.  We prove (on paper) the soundness of the core Sail type system.

We thereby take a big step towards making the architectural abstraction actually well-defined, establishing foundations for verification and reasoning.
},
  pdf = {http://www.cl.cam.ac.uk/users/pes20/sail/sail-popl2019.pdf},
  topic = {ISA_semantics},
  project = {http://www.cl.cam.ac.uk/~pes20/sail/},
  recent = {true}
}

@misc{sail-url,
  author = {{REMS Project}},
  title = {{Sail Language}},
  howpublished={\url{https://www.cl.cam.ac.uk/~pes20/sail/}},
  year = 2018,
}

@inproceedings{cerberus-popl2019,
  author = {Kayvan Memarian and Victor B. F. Gomes and Brooks Davis and Stephen Kell and Alexander Richardson and Robert N. M. Watson and Peter Sewell},
  title = {Exploring {C} Semantics and Pointer Provenance},
  optcrossref = {},
  optkey = {},
  conf = {POPL 2019},
  booktitle = {\textbf{POPL 2019}: Proc. 46th ACM SIGPLAN Symposium on Principles of Programming Languages},
  optbooktitle = {},
  year = {2019},
  opteditor = {},
  optvolume = {},
  optnumber = {},
  optseries = {},
  optpages = {},
  month = jan,
  optaddress = {},
  optorganization = {},
  optpublisher = {},
  note = {Proc. ACM Program. Lang. 3, POPL, Article 67},
  optannote = {},
  doi = {10.1145/3290380},
  pdf = {http://www.cl.cam.ac.uk/users/pes20/cerberus/cerberus-popl2019.pdf},
  supplementarymaterial = {http://www.cl.cam.ac.uk/users/pes20/cerberus/supplementary-material-popl2019},
  topic = {Cerberus},
  project = {http://www.cl.cam.ac.uk/~pes20/cerberus},
  abstract = {The semantics of pointers and memory objects in C has been a vexed question for many years.  C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs with de facto standard usage --- which itself is difficult to investigate.

In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance.  We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code.  We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases.  We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI.  This allows us to experimentally assess our proposals on those test cases.  To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks.  We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al.  Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard.
},
  recent = {true}
}

@software{sail-cheri-mips,
  title = {{{CTSRD-CHERI/sail-cheri-mips: CHERI-MIPS model written in Sail}}},
  label = {{CHERI}},
  shorttitle = {{{sail-cheri-riscv}}},
  url = {https://github.com/CTSRD-CHERI/sail-cheri-mips},
}

@software{sail-cheri-riscv,
  title = {{{CTSRD-CHERI/sail-cheri-riscv: CHERI-RISC-V model written in Sail}}},
  label = {{CHERI}},
  shorttitle = {{{sail-cheri-riscv}}},
  url = {https://github.com/CTSRD-CHERI/sail-cheri-riscv},
}

@manual{arm-a64-v8-a-beta,
	title={{ARM® A64 Instruction Set Architecture ARMv8, for ARMv8-A architecture profile}},
	organization={Arm Limited},
	howpublished={\url{https://static.docs.arm.com/ddi0596/a/DDI_0596_ARM_a64_instruction_set_architecture.pdf}},
	year = 2020,
	label = {Arm}
}

@manual{intel-sdm-vol2,
	title={Intel® 64 and IA-32 Architectures Software Developer’s Manual: Volume 2 (2A, 2B, 2C \& 2D): Instruction Set Reference, A-Z},
	organization={Intel Corporation},
	howpublished={\url{https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-2a-2b-2c-and-2d-instruction-set-reference-a-z.html}},
	volume=2,
	number=325383,
	version={070US},
	month=may,
	year=2019,
	label={Intel}
}

@misc{sparc-m7-adi,
	title={{Introduction to SPARC M7 and Application Data Integrity (ADI)}},
	howpublished={\url{https://swisdev.oracle.com/_files/What-Is-ADI.html}},
	label={Oracle}
}

@inproceedings{mazzinghi:pointer-provenance,
	author={Alfredo Mazzinghi and Ripduman Sohan and Robert N. M. Watson},
	title={{Pointer Provenance in a Capability Architecture}},
	booktitle={{Proceedings of the 10th USENIX Workshop on the Theory and Practice of Provenance (TaPP'18)}},
	city={London},
	month=jul,
	year=2018
}

@inproceedings{xia:cherirtos,
  title = {{{CheriRTOS}}: {{A Capability Model}} for {{Embedded Devices}}},
  shorttitle = {{{CheriRTOS}}},
  booktitle = {2018 {{IEEE}} 36th {{International Conference}} on {{Computer Design}} ({{ICCD}})},
  author = {Xia, Hongyan and Woodruff, Jonathan and Barral, Hadrien and Esswood, Lawrence and Joannou, Alexandre and Kovacsics, Robert and Chisnall, David and Roe, Michael and Davis, Brooks and Napierala, Edward and Baldwin, John and Gudka, Khilan and Neumann, Peter G. and Richardson, Alexander and Moore, Simon W. and Watson, Robert N. M.},
  date = {2018-10},
  pages = {92--99},
  publisher = {{IEEE}},
  location = {{Orlando, FL, USA}},
  doi = {10.1109/ICCD.2018.00023},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201810-iccd2018-cheri-rtos.pdf},
  abstract = {Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems. Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art security and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI's capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems.},
  eventtitle = {2018 {{IEEE}} 36th {{International Conference}} on {{Computer Design}} ({{ICCD}})},
  keywords = {attack surface,Capability Hardware Enhanced RISC Instructions,Capability model,capability system,capability systems,CHERI,CHERI-64,CheriRTOS,embedded devices,embedded systems,Embedded systems,fine-grained memory safety,Hardware,hardware capabilities,hardware-software platform,Kernel,memory safety,real time operating systems,Real-time systems,reduced instruction set computing,Safety,security,Security,storage management,Task analysis},
  series = {{{ICCD}}}
}

@article{Woodruff2019,
  title = {{{CHERI Concentrate}}: {{Practical Compressed Capabilities}}},
  shorttitle = {{{CHERI Concentrate}}},
  author = {Woodruff, Jonathan and Joannou, Alexandre and Xia, Hongyan and Fox, Anthony and Norton, Robert and Baureiss, Thomas and Chisnall, David and Davis, Brooks and Gudka, Khilan and Filardo, Nathaniel Wesley and Markettos, A. Theodore and Roe, Michael and Neumann, Peter G. and Watson, Robert N. M. and Moore, Simon W.},
  date = {2019-10},
  journaltitle = {IEEE Transactions on Computers},
  shortjournal = {TC},
  volume = {68},
  pages = {1455--1469},
  issn = {1557-9956},
  doi = {10.1109/TC.2019.2914037},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2019tc-cheri-concentrate.pdf},
  urldate = {2019-06-16},
  keywords = {Capabilities,capability compression,capability fat pointers,CHERI concentrate,commodity operating system,compiled capability code,compressed encoding,compression,computer architecture,data compression,decode,decoding,Delays,design inefficiencies,developed capability-pointer system,efficiency 75.0 percent,encoding,Encoding,encoding format,existing software base,fat pointers,fat-pointer compression scheme,field programmable gate arrays,future computer systems,increased pointer size,legacy instruction sets,legacy software stack,memory safety,microprocessor chips,nonbypassable security properties,open-source CHERI prototype processor design,pipeline problems,pipeline processing,Pipelines,pointer arithmetic,pointer-modify operations,practical compressed capabilities,program compilers,reduced instruction set computing,Registers,RISC-style processor pipelines,Safety,Semantics,Software,state-of-the-art region-encoding efficiency,storage management,theorem proving,tree data structures},
  langid = {english},
  number = {10}
}

@TechReport{UCAM-CL-TR-936,
  author =	 {Joannou, Alexandre J. P.},
  title = 	 {{High-performance memory safety: optimizing the CHERI
                   capability machine}},
  year = 	 2019,
  month = 	 may,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-936.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-936}
}

@article{DBLP:journals/scp/CampbellS16,
  author    = {Brian Campbell and
               Ian Stark},
  title     = {Randomised testing of a microprocessor model using {SMT}-solver state
               generation},
  journal   = {Sci. Comput. Program.},
  volume    = {118},
  pages     = {60--76},
  year      = {2016},
  doi       = {10.1016/j.scico.2015.10.012},
  timestamp = {Sat, 27 May 2017 14:22:55 +0200},
  biburl    = {https://dblp.org/rec/bib/journals/scp/CampbellS16},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}

@inproceedings{Xia_CHERIvokeCharacterisingPointer_2019,
  title = {{{CHERIvoke}}: {{Characterising Pointer Revocation}} Using {{CHERI Capabilities}} for {{Temporal Memory Safety}}},
  shorttitle = {{{CHERIvoke}}},
  booktitle = {Proceedings of the 52nd {{Annual IEEE}}/{{ACM International Symposium}} on {{Microarchitecture}}},
  author = {Xia, Hongyan and Woodruff, Jonathan and Ainsworth, Sam and Filardo, Nathaniel W. and Roe, Michael and Richardson, Alexander and Rugg, Peter and Neumann, Peter G. and Moore, Simon W. and Watson, Robert N. M. and Jones, Timothy M.},
  date = {2019-10-12},
  pages = {545--557},
  publisher = {{ACM}},
  location = {{New York, NY, USA}},
  doi = {10.1145/3352460.3358288},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201910micro-cheri-temporal-safety.pdf},
  abstract = {A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive. CHERI is an architectural extension to provide hardware capability addressing that is seeing significant commercial and open-source interest. We show that CHERI capabilities can be used as a foundation to enable low-cost heap temporal safety by facilitating out-of-date pointer revocation, as capabilities enable precise and efficient identification and invalidation of pointers, even when using unsafe languages such as C. We develop CHERIvoke, a technique for deterministic and fast sweeping revocation to enforce temporal safety on CHERI systems. CHERIvoke quarantines freed data before periodically using a small shadow map to revoke all dangling pointers in a single sweep of memory, and provides a tunable trade-off between performance and heap growth. We evaluate the performance of such a system using high-performance x86 processors, and further analytically examine its primary overheads. When configured with a heap-size overhead of 25\%, we find that CHERIvoke achieves an average execution-time overhead of under 5\%, far below the overheads associated with traditional garbage collection, revocation, or page-table systems.},
  isbn = {978-1-4503-6938-1},
  keywords = {architecture,security,temporal safety,use-after-free},
  series = {{{MICRO}} '52},
  venue = {Columbus, OH, USA}
}

@article{skillicorn:partreeskel,
title = "Parallel Implementation of Tree Skeletons",
journal = "Journal of Parallel and Distributed Computing",
volume = "39",
number = "2",
pages = "115 - 125",
year = "1996",
issn = "0743-7315",
doi = "10.1006/jpdc.1996.0160",
url = "http://www.sciencedirect.com/science/article/pii/S0743731596901604",
author = "D.B. Skillicorn",
abstract = "Trees are a useful data type, but they are not routinely included in parallel programming systems, in part because their irregular structure makes partitioning and scheduling difficult. We present a method for algebraically constructing implementations of tree skeletons, high-level homomorphic operations that execute in parallel. Many computations on binary trees can be performed inO(logn) parallel time usingnprocessors, even taking account of communication costs. We extend these results to trees with arbitrary and variable degree. Then we show that it is possible to implement a distributed version of homomorphisms on binary trees, takingO(n/p+ log2p) parallel time onp < nprocessors, for trees of any skew and taking full account of communication costs. Under slightly stronger restrictions on the underlying functions, this can be improved toO(n/p+ logp). Furthermore, the technique for deriving distributed versions is algebraic, allowing the automatic generation of code for SPMD and data-parallel architectures."
}

@TechReport{UCAM-CL-TR-951,
  author =	 {Watson, Robert N. M. and Neumann, Peter G. and Woodruff,
          	  Jonathan and Roe, Michael and Almatary, Hesham and
		  Anderson, Jonathan and Baldwin, John and Barnes,
		  Grame and Chisnall, David
		  and Clarke, Jessica and Davis, Brooks and Eisen, Lee
		  and Filardo,
		  Nathaniel Wesley and Grisenthwaite, Richard and
		  Joannou, Alexandre and Laurie, Ben and
          	  Markettos, A. Theodore and Moore, Simon W. and Murdoch,
          	  Steven J. and Nienhuis, Kyndylan and Norton, Robert and
          	  Richardson, Alexander and Rugg, Peter and Sewell, Peter and
          	  Son, Stacey and Xia, Hongyan},
  title = 	 {{Capability Hardware Enhanced RISC Instructions: CHERI
         	   Instruction-Set Architecture (Version 8)}},
  institution =  {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom,
          	  phone +44 1223 763500},
  number = 	 {UCAM-CL-TR-951},
  year = 	 2020,
  month = 	 sep,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-951.pdf},
}

@inproceedings{cheri-formal-SP2020,
  author = {Kyndylan Nienhuis and Alexandre Joannou and Thomas Bauereiss and Anthony Fox and Michael Roe and Brian Campbell and Matthew Naylor and Robert M. Norton and Moore, Simon W.  and Neumann, Peter G.  and Ian Stark and Watson, Robert N. M.  and Peter Sewell},
  title = {Rigorous engineering for hardware security: Formal modelling and proof in the {CHERI} design and implementation process},
  optcrossref = {},
  optkey = {},
  conf = {Security and Privacy 2020},
  booktitle = {Proceedings of the 41st IEEE Symposium on Security and Privacy (SP)},
  year = {2020},
  opteditor = {},
  optvolume = {},
  optnumber = {},
  optseries = {},
  pages = {1007--1024},
  month = may,
  optaddress = {},
  optorganization = {},
  optpublisher = {},
  optnote = {},
  optannote = {},
  abstract = {The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing.  First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection.  Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications.  These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute.

In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack.  We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice -- as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation -- and for formal verification.  We formalise key intended security properties of the design, and establish that these hold with mechanised proof.  This is for the same complete ISA models (complete enough to boot operating systems), without idealisation.

We do this for CHERI, an architecture with \emph{hardware capabilities} that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software.  CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors.  The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.
},
  pdf = {https://www.cl.cam.ac.uk/users/pes20/cheri-formal.pdf},
  apollourl = {https://www.repository.cam.ac.uk/handle/1810/302580},
  publisherurl = {https://www.computer.org/csdl/proceedings-article/sp/2020/349700b007/1j2Lg3o6fdK},
  doi = {10.1109/SP40000.2020.00055},
  project = {https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/},
  topic = {cheri},
  cheriformal = {true},
  recent = {true}
}

@inproceedings{cornucopia,
  author = {Nathaniel Wesley Filardo and Brett F. Gutstein and Jonathan Woodruff and Sam Ainsworth and Lucian Paul-Trifu and Brooks Davis and Hongyan Xia and Edward Tomasz Napierala and Alexander Richardson and John Baldwin and David Chisnall and Jessica Clarke and Khilan Gudka and Alexandre Joannou and A. Theodore Markettos and Alfredo Mazzinghi and Robert M. Norton and Michael Roe and Peter Sewell and Stacey Son and Timothy M. Jones and Simon W. Moore and Peter G. Neumann and Robert N. M. Watson},
  conf = {Security and Privacy 2020},
  booktitle = {Proceedings of the 41st IEEE Symposium on Security and Privacy (SP)},
  title = {Cornucopia: {{Temporal Safety}} for {{CHERI Heaps}}},
  date = {2020-05},
  volume = {},
  issn = {2375-1207},
  pages = {1507--1524},
  keywords = {},
  doi = {10.1109/SP40000.2020.00098},
  pdf = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf},
  url = {https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf},
  apollourl = {https://www.repository.cam.ac.uk/handle/1810/304040},
  publisherurl = {https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00098},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
  month = may,
  abstract = {Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke,a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach.

Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2\% and a worst-case of 8.9\% for concurrent revocation on compatible SPECCPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.
},
  project = {https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/},
  topic = {cheri},
  recent = {true}
}

@TechReport{UCAM-CL-TR-940,
  author =	 {Nienhuis, Kyndylan and Joannou, Alexandre and Fox, Anthony
          	  and Roe, Michael and Bauereiss, Thomas and Campbell, Brian
          	  and Naylor, Matthew and Norton, Robert M. and Moore, Simon
          	  W. and Neumann, Peter G. and Stark, Ian and Watson, Robert
          	  N. M. and Sewell, Peter},
  title = 	 {{Rigorous engineering for hardware security: formal
         	   modelling and proof in the CHERI design and implementation
         	   process}},
  year = 	 2019,
  month = 	 sep,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-940.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-940}
}

@TechReport{UCAM-CL-TR-941,
  author =	 {Watson, Robert N. M. and Moore, Simon W. and Sewell, Peter
          	  and Neumann, Peter G.},
  title = 	 {{An Introduction to CHERI}},
  year = 	 2019,
  month = 	 sep,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-941}
}

@TechReport{UCAM-CL-TR-947,
  author =	 {Watson, Robert N. M. and Richardson, Alexander and Davis,
          	  Brooks and Baldwin, John and Chisnall, David and Clarke,
          	  Jessica and Filardo, Nathaniel and Moore, Simon W. and
          	  Napierala, Edward and Sewell, Peter and Neumann, Peter G.},
  title = 	 {{CHERI C/C++ Programming Guide}},
  year = 	 2020,
  month = 	 jun,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-947.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-947}
}

@TechReport{UCAM-CL-TR-949,
  author =	 {Richardson, Alexander},
  title = 	 {{Complete spatial safety for C and C++ using CHERI
         	   capabilities}},
  year = 	 2020,
  month = 	 jun,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-949.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-949}
}

@inproceedings{yu2019speculative,
  langid = {english},
  title={{Speculative Taint Tracking (STT) A Comprehensive Protection for
          Speculatively Accessed Data}},
  author={Yu, Jiyong and Yan, Mengjia and Khyzha, Artem and Morrison, Adam and
          Torrellas, Josep and Fletcher, Christopher W},
  booktitle={Proceedings of the 52nd {{IEEE}}/{{ACM International Symposium}} on {{Microarchitecture}} ({{IEEE MICRO}} 2019)},
  series = {{{MICRO}}-52 '17},
  date = {2019-10},
  venue = {Columbus, Ohio, USA}
}

@online{CHERI-cheri-cpu,
    title = {{CTSRD-CHERI/cheri-cpu: CHERI-MIPS implementation in a 6-stage pipeline with associative caches and multi-core support}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/cheri-cpu},
    urldate = {2020-09-16}
}

@online{CHERI-Piccolo,
    title = {{CTSRD-CHERI/Piccolo: RISC-V CPU, simple 3-stage pipeline, for low-end applications (e.g., embedded, IoT)}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/Piccolo},
    urldate = {2020-09-16}
}

@online{CHERI-Flute,
    title = {{CTSRD-CHERI/Flute: RISC-V CPU, simple 5-stage in-order pipeline, for low-end applications needing MMUs and some performance}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/Flute},
    urldate = {2020-09-16}
}

@online{CHERI-Toooba,
    title = {{CTSRD-CHERI/Toooba: RISC-V Core; superscalar, out-of-order, multi-core capable; based on RISCY-OOO from MIT}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/Toooba},
    urldate = {2020-09-16}
}

@online{CHERI-TagController,
    title = {{CTSRD-CHERI/TagController: Multi-level tag controller for emulating a tagged memory using an in-memory table}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/TagController},
    urldate = {2020-09-16}
}

@online{CHERI-cheri-cap-lib,
    title = {{CTSRD-CHERI/cheri-cap-lib: A library of specific implementations of cheri and providing an abstract interface to those implementations}},
    label = {{CHERI}},
    url = {https://github.com/CTSRD-CHERI/cheri-cap-lib},
    urldate = {2020-09-16}
}

@manual{arm-morello,
  title={{Arm Architecture Reference Manual Supplement: Morello for A-profile
    Architecture}},
  %url = {https://documentation-service.arm.com/static/5f8da6fef86e16515cdb861e},
  organization = {Arm Limited},
  year = 2020,
  month = 10,
  day = 22,
  label = {Arm}
}

@inproceedings{margaritov2019prefetched,
  title={Prefetched address translation},
  author={Margaritov, Artemiy and Ustiugov, Dmitrii and Bugnion, Edouard and Grot, Boris},
  booktitle={Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture},
  pages={1023--1036},
  year={2019}
}


@inproceedings{DBLP:conf/esop/BauereissCSAESB22,
  author    = {Thomas Bauereiss and
               Brian Campbell and
               Thomas Sewell and
               Alasdair Armstrong and
               Lawrence Esswood and
               Ian Stark and
               Graeme Barnes and
               Robert N. M. Watson and
               Peter Sewell},
  editor    = {Ilya Sergey},
  title     = {Verified Security for the Morello Capability-enhanced Prototype Arm
               Architecture},
  OPTbooktitle = {Programming Languages and Systems - 31st European Symposium on Programming,
               {ESOP} 2022, Held as Part of the European Joint Conferences on Theory
               and Practice of Software, {ETAPS} 2022, Munich, Germany, April 2-7,
               2022, Proceedings},
  booktitle = {31st European Symposium on Programming, {ESOP} 2022},
  series    = {Lecture Notes in Computer Science},
  volume    = {13240},
  pages     = {174--203},
  publisher = {Springer},
  year      = {2022},
  url       = {https://doi.org/10.1007/978-3-030-99336-8\_7},
  doi       = {10.1007/978-3-030-99336-8\_7},
  timestamp = {Fri, 29 Apr 2022 14:50:41 +0200},
  biburl    = {https://dblp.org/rec/conf/esop/BauereissCSAESB22.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}


@misc{miller2019trends,
    author = {Matt Miller},
    note={{Microsoft Security Response Center}},
    title = {Trends, challenge, and shifts in software vulnerability
    mitigation},
    year = {2019},
    month = feb,
    howpublished = {\url{https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations/2019\_02\_BlueHatIL}}
}

@Misc{chromium-memory,
  OPTkey = 	 {},
  title =	 {Chromium Security},
  author = {Chromium},
  OPTtitle = 	 {},
  howpublished = {\url{https://www.chromium.org/Home/chromium-security/memory-safety}},
  OPTmonth = 	 {},
  OPTyear = 	 {},
  note =	 {Accessed 2021-06-29},
  OPTannote = 	 {}
}

@ARTICLE{grisenthwaite:morello,
  author={Grisenthwaite, Richard and Barnes, Graeme and Watson, Robert N. M. and Moore, Simon W. and Sewell, Peter and Woodruff, Jonathan},
  journal={IEEE Micro},
  title={The Arm Morello Evaluation Platform—Validating CHERI-Based Security in a High-Performance System},
  year={2023},
  volume={43},
  number={3},
  pages={50-57},
  doi={10.1109/MM.2023.3264676}}

@inproceedings{DBLP:conf/micro/MarkettosBBNMW20,
  author       = {A. Theodore Markettos and
                  John Baldwin and
                  Ruslan Bukin and
                  Peter G. Neumann and
                  Simon W. Moore and
                  Robert N. M. Watson},
  editor       = {Jakub Szefer and
                  Weidong Shi and
                  Ruby B. Lee},
  title        = {Position Paper: Defending Direct Memory Access with {CHERI} Capabilities},
  booktitle    = {HASP@MICRO 2020: Hardware and Architectural Support for Security and
                  Privacy, Virtual Event, Greece, 17 October 2020},
  pages        = {7:1--7:9},
  publisher    = {{ACM}},
  year         = {2020},
  url          = {https://doi.org/10.1145/3458903.3458910},
  doi          = {10.1145/3458903.3458910},
  timestamp    = {Tue, 26 Oct 2021 15:45:59 +0200},
  biburl       = {https://dblp.org/rec/conf/micro/MarkettosBBNMW20.bib},
  bibsource    = {dblp computer science bibliography, https://dblp.org}
}

@inproceedings{fuchs2021framework,
  title={Developing a Test Suite for Transient-Execution Attacks on RISC-V and CHERI-RISC-V},
  author={Fuchs, Franz A. and Woodruff, Jonathan and Moore, Simon W. and Neumann, Peter G. and Watson, Robert N.M.},
  booktitle={Workshop on Computer Architecture Research with RISC-V},
  year={2021}
}

@TechReport{UCAM-CL-TR-955,
  author =	 {Xia, Hongyan},
  title = 	 {{Capability memory protection for embedded systems}},
  year = 	 2021,
  month = 	 feb,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-955.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-955},
  number = 	 {UCAM-CL-TR-955}
}

@TechReport{UCAM-CL-TR-959,
  author =	 {Bauereiss, Thomas and Campbell, Brian and Sewell, Thomas
          	  and Armstrong, Alasdair and Esswood, Lawrence and Stark,
          	  Ian and Barnes, Graeme and Watson, Robert N. M. and Sewell,
          	  Peter},
  title = 	 {{Verified security for the Morello capability-enhanced
         	   prototype Arm architecture}},
  year = 	 2021,
  month = 	 sep,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-959.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-959},
  number = 	 {UCAM-CL-TR-959}
}

@TechReport{UCAM-CL-TR-961,
  author =	 {Esswood, Lawrence G.},
  title = 	 {{CheriOS: designing an untrusted single-address-space
         	   capability operating system utilising capability hardware
         	   and a minimal hypervisor}},
  year = 	 2021,
  month = 	 sep,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-961.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-961},
  number = 	 {UCAM-CL-TR-961}
}

@TechReport{UCAM-CL-TR-963,
  author =	 {Dodson, Michael G.},
  title = 	 {{Capability-based access control for cyber physical systems}},
  year = 	 2021,
  month = 	 oct,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-963.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-963},
  number = 	 {UCAM-CL-TR-963}
}

@TechReport{UCAM-CL-TR-975,
  author =	 {Gutstein, Brett},
  title = 	 {{Memory safety with CHERI capabilities: security analysis,
         	   language interpreters, and heap temporal safety}},
  year = 	 2022,
  month = 	 nov,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-975.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-975},
  number = 	 {UCAM-CL-TR-975}
}

@TechReport{UCAM-CL-TR-976,
  author =	 {Almatary, Hesham},
  title = 	 {{CHERI compartmentalisation for embedded systems}},
  year = 	 2022,
  month = 	 nov,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-976.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-976},
  number = 	 {UCAM-CL-TR-976}
}

@TechReport{UCAM-CL-TR-981,
  author =	 {Memarian, Kayvan},
  title = 	 {{The Cerberus C semantics}},
  year = 	 2023,
  month = 	 may,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-981.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-981},
  number = 	 {UCAM-CL-TR-981}
}

@TechReport{UCAM-CL-TR-982,
  author =	 {Watson, Robert N. M. and Barnes, Graeme and Clarke, Jessica
          	  and Grisenthwaite, Richard and Sewell, Peter and Moore,
          	  Simon W. and Woodruff, Jonathan},
  title = 	 {{Arm Morello Programme: Architectural security goals and
         	   known limitations}},
  year = 	 2023,
  month = 	 jul,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-982.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-982},
  number = 	 {UCAM-CL-TR-982}
}

@TechReport{UCAM-CL-TR-984,
  author =	 {Rugg, Peter David},
  title = 	 {{Efficient spatial and temporal safety for microcontrollers
         	   and application-class processors}},
  year = 	 2023,
  month = 	 jul,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-984.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-984},
  number = 	 {UCAM-CL-TR-984}
}

@TechReport{UCAM-CL-TR-987,
  author =	 {Watson, Robert N. M. and
		  Neumann, Peter G. and
		  Woodruff, Jonathan and
		  Roe, Michael and
		  Almatary, Hesham and
		  Anderson, Jonathan and
		  Baldwin, John and
		  Barnes, Grame and
		  Chisnall, David and
		  Clarke, Jessica and
		  Davis, Brooks and
		  Eisen, Lee and
		  Filardo, Nathaniel Wesley and
		  Fuchs, Franz A. and
		  Grisenthwaite, Richard and
		  Joannou, Alexandre and
		  Laurie, Ben and
		  Markettos, A. Theodore and
		  Moore, Simon W. and
		  Murdoch, Steven J. and
		  Nienhuis, Kyndylan and
		  Norton, Robert and
		  Richardson, Alexander and
		  Rugg, Peter and
		  Sewell, Peter and
		  Son, Stacey and
		  Xia, Hongyan},
  title =	 {{Capability Hardware Enhanced RISC Instructions: CHERI
		   Instruction-Set Architecture (Version 9)}},
  institution =	 {University of Cambridge, Computer Laboratory},
  address =	 {15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom,
		  phone +44 1223 763500},
  number =	 {UCAM-CL-TR-987},
  year =	 2023,
  month =	 sep,
  url =		 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-987.pdf}
}


@INPROCEEDINGS{Tera1998,
  author={Snavely, A. and Carter, L. and Boisseau, J. and Majumdar, A. and Kang Su Gatlin and Mitchell, N. and Feo, J. and Koblenz, B.},
  booktitle={SC '98: Proceedings of the 1998 ACM/IEEE Conference on Supercomputing},
  title={Multi-processor Performance on the Tera MTA},
  year={1998},
  volume={},
  number={},
  pages={4-4},
  doi={10.1109/SC.1998.10049}}


@INPROCEEDINGS{Monsoon1990,
  author={Papadopoulos, G.M. and Culler, D.E.},
  booktitle={[1990] Proceedings. The 17th Annual International Symposium on Computer Architecture},
  title={Monsoon: an explicit token-store architecture},
  year={1990},
  volume={},
  number={},
  pages={82-91},
  doi={10.1109/ISCA.1990.134511}}

@TechReport{UCAM-CL-TR-358,
  author =	 {Moore, Simon William},
  title = 	 {{Multithreaded processor design}},
  year = 	 1995,
  month = 	 feb,
  url = 	 {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-358.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-358},
  number = 	 {UCAM-CL-TR-358}
}

@inproceedings{Amar:CHERIoT,
  author = {Amar, Saar and Chisnall, David and Chen, Tony and Filardo, Nathaniel Wesley and Laurie, Ben and Liu, Kunyan and Norton, Robert and Moore, Simon W. and Tao, Yucong and Watson, Robert N. M. and Xia, Hongyan},
  title = {CHERIoT: Complete Memory Safety for Embedded Devices},
  year = {2023},
  isbn = {9798400703294},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3613424.3614266},
  doi = {10.1145/3613424.3614266},
  abstract = {The ubiquity of embedded devices is apparent. The desire for increased functionality and connectivity drives ever larger software stacks, with components from multiple vendors and entities. These stacks should be replete with isolation and memory safety technologies, but existing solutions impinge upon development, unit cost, power, scalability, and/or real-time constraints, limiting their adoption and production-grade deployments. As memory safety vulnerabilities mount, the situation is clearly not tenable and a new approach is needed. To slake this need, we present a novel adaptation of the CHERI capability architecture, co-designed with a green-field, security-centric RTOS. It is scaled for embedded systems, is capable of fine-grained software compartmentalization, and provides affordances for full inter-compartment memory safety. We highlight central design decisions and offloads and summarize how our prototype RTOS uses these to enable memory-safe, compartmentalized applications. Unlike many state-of-the-art schemes, our solution deterministically (not probabilistically) eliminates memory safety vulnerabilities while maintaining source-level compatibility. We characterize the power, performance, and area microarchitectural impacts, run microbenchmarks of key facilities, and exhibit the practicality of an end-to-end IoT application. The implementation shows that full memory safety for compartmentalized embedded systems is achievable without violating resource constraints or real-time guarantees, and that hardware assists need not be expensive, intrusive, or power-hungry.},
  booktitle = {Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture},
  pages = {641--653},
  numpages = {13},
  location = {<conf-loc>, <city>Toronto</city>, <state>ON</state>, <country>Canada</country>, </conf-loc>},
  series = {MICRO '23}
}