1

Hosmer, H.H. "Tim Multipolicy Machine: A New Paradigm For Multilevel Secure Systems," Proceedings of Standard Security Label for GOSIP, an btvitational Workshop, April 1991, NISTIR 4614, June 1991.

2

Hilary H. Hosmer, Metapolicies I, ACM SIGSAC Review, v.10 n.2-3, p.18-43, Spring/Summer 1992  [doi>10.1145/147092.147097]

3

Hosmer, H., "Integrating Security Policies," Proceedings of the Third RADC MLS DBMS Workshop, Castile, NY. june 1990, MITRE Technical Paper MTP 385.

4

Hosmer, H.H., "Shared Sensitivity Labels," Database Securily, Status and Prospects, North- Holland, 1991.

5

Hosmer, H.H. "The Multipolicy Model, A Working Paper," Proceedings of the Fourth RADC Workshop on Multilevel Secure Database Systelo.s, Little Compton, Rhode Island, ,June 1991,

6

Kuhn, T., The Structure of Scientific Revolutions, 2nd Edition, University of Chicago Press, Chicago, 1970.

7

Ware; W., Comments from Computer Security Panel, AFCEA Conference, Washington, D.C., Feb. 5-7,1991.

8

Department of Defense, Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985.

9

National Computer Security Center, Trusted Network Interpretation of the Trusted Computer System Evaluation. Criteria, 31 July 1987.

10

National Computer Security Center, Trusted Database Interpretation. of the Trusted Computer System. Evaluation Criteria, April 1991

11

Information Technology Securily Evaluation C, riteria, draft of 2 May 1991.

12

Sterne, D., "On the Buzzword Security Policy," Proceedings of the 1991 IEEE Computer Security Coymposium on Research. in. Security and Privacy, May 1991, Oakland, CA.

13

Crawford, D.S. "Modelling Security Policy a.nd Labelling Unclassified but Sensitive inforlna.tion- A Ca.nadian Perspective," Proceedit~gs of,5'landard Security Label for GOSIP An lnt'ilational ll"ol'kshop, NISTIR 4614, June 1991.

14

Biba, K.J., Integrity Considerations for Secure Computer Syst.enas, MTR-3153, Rev. 1, Electronic Systems Division, Air Force Systems Command, United States Air Force. Hansconl Air Force Base, Bedford, MA, April 1977 (ESD-TR-76-372).

15

Clark, D.D., and Wilson, D.R., "'A C.omparison of Conamercial and Military C, oml)liter Security Policies," Proceedings of the 19871EEE ,~;ymlwsiunt oo Security and Privacy, Oakland, ('A. A1)ril 1987.

16

Comnaents made by Williana Wilson in San Antonio, Dec. 1991 that t.he SEX,'I~iS i~lt.egrity portion is not well-utilized because of the absence of a standard integrity user clearance structure like t.he widely-implemented DO D ~ser clearances for confidentiality.

17

European Computer Manufacturers Associat.ion, Security in Open Systems, A Security Franlework. ECI~IA TR/46, July 1988.

18

Dobson, J. and McDermid, J., "A Fra.nlework for Expressing Models of Security Policy," P~vceedi,gs of the 1989 1EEE Computer Society Symposium on Security and Privacy, May 1-3. 1989, Oakland, CA.

19

Sterne, D., Branstad, M., Hubl)ard, B., Meyer, B., and Wolcott, D., "An Analysis of Application- Specific Security Policies," Proceedil~gs of the .l.{th National Compuler Security ('ol~ference. October 1-4, 1991, Washington, D.C.

20

Haigh, T., O'Brien, F., Endrizzi, W., and Yalnmalachi, "Assured Service Concepts and Models," draft Final Technical Report, Contract Number F30602-90-C-0025, October 1991, CDRL A007, vol. 1 and 2.

21

Burns, R.K., "Referential Secrecy," Proceedings of the IEEE Computer Security Symposium, Oakland, CA, 1990.

22

Maimone, B. and Allen, R., "Methods for Resolving the Security vs. Integrity Conflict," Proceedings of the Fourth RADC Database Security Workshop, Little Compton, R.I. April 1991.

23

Feiler, P., "Experiences with Software Process Models, Session Summary: Policies," Proceedings 5th International Software Process Workshop, Kennebunkport, ME, October 10-13, 1989.

24

Jonathan D. Moffett , Morris S. Sloman, The Source of Authority for Commercial Access Control, Computer, v.21 n.2, p.59-69, February 1988  [doi>10.1109/2.19]

25

Sibley, E.H., Michael, J.B., and Wexelblat, R.L., "An Approach to Formalizing Policy Management," P. Bourgine and B. Walliser, eds., Economics and Cognitive Science. Pergalnon Press, Oxford, England, 1992.

26

Grenier, G.-L., Holt, R., and Funkelahauser, M., "Policy VS Mechanism in the Secure Tunis Operating System," Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, May 1-3, 1989, Oakland, California.

27

Page, J., Heaney, J., Adkins, M., and Dolsen, G., "Evaluation of Security Model Rule Bases," Proceedings of the 12th National Computer Security Conference, Baltimore, Maryland, 1989.

28

Abrams, M., LaPadula, L., Eggers, K., and OI- son, I., "A Generalized Framework for Access Control: An Informal Description," Proceedings of the 13th National Computer Security Conference, Washington, D.C., October 1990.

29

Bell, D.E., and LaPadula, L.J., "Secure Computer System: Unified Exposition and Multics Interpretation," MTR-2997, The MITRE Corporation, July 1975.

30

Brewer, D.F.C. and Nash, M.J., "The Chinese Wall Security Policy," Proceedings of the 1989 IEEE Computer Security Symposium on Security and Privacy, Oakland, CA, 1989.

31

Bell, D.E., "Putting Policy Commonalities to Work," Proceedings of the 14th National Computer Security Conference, October 1-4, 1991.

32

Alndahl Corporation, Multiple Domain Feature, General Information Manual, Amdahl MM001501001 {1" 1016-89.

33

Honeywell Inc. B-Level Design Specification for the LOCK Operating System, CDRL A009, C, ontract MDA 904-87-C-6011, June 1987.

34

LaPadula, L.J., "A Rule-Base Approach to Formal Modeling of a Trusted Colnpl,ter Systeln," M91-021, Allgust 1991.

35

The diagram and descrii)tion combine our visualization of metapolicies resolving policy conflicts

1

with Marshall Abrams' diagram of a proposed ISO conflict resolution process for access control policies (unpublished) using Leonard LaPadula's voting concept for rule-based systems.

H. M. Hinton, Under-specification, composition and emergent properties, Proceedings of the 1997 workshop on New security paradigms, p.83-93, September 23-26, 1997, Langdale, Cumbria, United Kingdom

Wm A. Wulf , Chenxi Wang , Darrell Kienzle, A new model of security for distributed systems, Proceedings of the 1996 workshop on New security paradigms, p.34-43, September 17-20, 1996, Lake Arrowhead, California, United States

Dixie B. Baker, Fortresses built upon sand, Proceedings of the 1996 workshop on New security paradigms, p.148-153, September 17-20, 1996, Lake Arrowhead, California, United States

Steven J. Greenwald, Discussion topic: what is the old security paradigm?, Proceedings of the 1998 workshop on New security paradigms, p.107-118, September 22-26, 1998, Charlottesville, Virginia, United States

Heather M. Hinton , E. Stewart Lee, The compatibility of policies, Proceedings of the 2nd ACM Conference on Computer and communications security, p.258-269, November 1994, Fairfax, Virginia, United States

Hilary H. Hosmer: colleagues