Monographs in Computer Science
Editors: David Gries, Fred B. Schneider

Andrew Herbert, Karen Spärck Jones (Editors)

Computer Systems
Theory, Technology, and Applications
A Tribute to Roger Needham

With 110 Illustrations

Andrew Herbert, Microsoft Research Ltd., Roger Needham Building, JJ Thomson Avenue, Cambridge CB3 0FB, UK
Karen Spärck Jones, Computer Laboratory, University of Cambridge, JJ Thomson Avenue, Cambridge CB3 0FD, UK

Series Editors:
David Gries, Department of Computer Science, The University of Georgia, 415 Boyd Graduate Studies Research Center, Athens, GA 30602-7404, USA
Fred B. Schneider, Department of Computer Science, Cornell University, 4115C Upson Hall, Ithaca, NY 14853-7501, USA

Library of Congress Cataloging-in-Publication Data
Herbert, A.J. (Andrew J.), 1954–
Computer systems: theory, technology, and applications / [edited by] Andrew J. Herbert, Karen I.B. Spärck Jones.
p. cm. — (Monographs in computer science)
Includes bibliographical references.
ISBN 0-387-20170-X (alk. paper)
System design. Computer science. I. Spärck Jones, Karen I.B. II. Needham, R.M. (Roger Michael). III. Title. IV. Series.
QA276.9.S88H45 2004
005.1′2—dc21
2003066215

ISBN 0-387-20170-X
Printed on acid-free paper.

2004 Springer-Verlag New York, Inc.
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America. (SBA)
SPIN 10944769
Springer-Verlag is part of Springer Science+Business Media
springeronline.com

Roger Needham 1935 – 2003

Contents

Preface
Roger Needham: 50 + Meeting Programme
Contributors
Introduction: Roger Needham (Rick Rashid)
1 On Access Control, Data Integration, and Their Languages (Martín Abadi)
2 Protocol Analysis, Composability and Computation (Ross Anderson, Michael Bond)
3 Access Control in Distributed Systems (Jean Bacon, Ken Moody)
4 Implementing Condition Variables with Semaphores (Andrew D. Birrell)
5 Clumps, Clusters and Classification (Christopher M. Bishop)
6 How to Implement Unnecessary Mutexes (Mike Burrows)
7 Bioware Languages (Luca Cardelli)
8 The Economics of Open Systems (David D. Clark)
9 From Universe to Global Internet (Jon Crowcroft)
10 Needham-Schroeder Goes to Court (Dorothy E. Denning)
11 The Design of Reliable Operating Systems (Peter Denning)
12 An Historical Connection between Time-Sharing and Virtual Circuits (Sandy Fraser)
13 On Cross-Platform Security (Li Gong)
14 Distributed Computing Economics (Jim Gray)
15 The Titan Influence (David Hartley)
16 Middleware? Muddleware? (Andrew Herbert)
17 Grand Challenges for Computing Research (Tony Hoare)
18 Sentient Computing (Andy Hopper)
19 Cyber Security in Open Systems (Anita Jones)
20 Software Components: Only the Giants Survive (Butler W. Lampson)
21 Security Protocols: Who Knows What Exactly? (Peter Landrock)
22 Volume Rendering by Ray-Casting in Shear-Image Order (Hugh C. Lauer, Yin Wu, Vishal Bhatia, Larry Seiler)
23 A Conceptual Authorization Model for Web Services (Paul J. Leach, Chris Kaler, Blair Dillaway, Praerit Garg, Brian LaMacchia, Butler Lampson, John Manferdelli, Rick Rashid, John Shewchuk, Dan Simon, Richard Ward)
24 The Trouble with Standards (E. Stewart Lee)
25 Novelty in the Nemesis Operating System (Ian Leslie)
26 A Technology Transfer Retrospective (Roy Levin)
27 An Optical LAN (Derek McAuley)
28 What’s in a Name? (Robin Milner)
29 The Cryptographic Role of the Cleaning Lady (Bob Morris)
30 Real Time in a Real Operating System (Sape J. Mullender, Pierre G. Jansen)
31 Zen and the Art of Research Management (John Naughton, Robert W. Taylor)
32 The Descent of BAN (Lawrence C. Paulson)
33 Brief Encounters (Brian Randell)
34 Retrieval System Models: What’s New? (Stephen Robertson, Karen Spärck Jones)
35 Slammer: An Urgent Wake-Up Call (Jerome H. Saltzer)
36 Caching Trust Rather Than Content (M. Satyanarayanan)
37 Least Privilege and More (Fred B. Schneider)
38 Using Sharing to Simplify System Management (Michael D. Schroeder)
39 An RSA-Related Number-Theoretic Surprise (Gustavus J. Simmons)
40 Application-Private Networks (Jonathan M. Smith)
41 Using the CORAL System to Discover Attacks on Security Protocols (Graham Steel, Alan Bundy, Ewen Denney)
42 On the Role of Binding and Rate Adaptation in Packet Networks (David Tennenhouse)
43 Technologies for Portable Computing (Chuck Thacker)
44 Multiple Alternative Voting (David Wheeler)
45 The Semiotics of Umbrellas (John Wilkes)
46 Computers for Specialized Application Areas (Maurice Wilkes)
Computer Security? (Roger Needham)
Roger Needham: Publications (Karen Spärck Jones)

Computer Security?

than on the individual integrity of five thousand counter clerks who are paid a little.

If we contemplate this conclusion, heretical as it is for a computerist, we can see other good reasons for it. Error in handling metadata is at least as likely to forbid necessary actions as to permit unwanted ones. It is not unusual for a new employee not to be able to do his or her job properly for several weeks because permissions have not been set up. It has happened that the administration of my research lab came to a halt because of an erroneous change to access controls in Redmond, Washington, eight time zones away. Of course when we noticed the problem the person responsible was asleep in bed, and we just had to wait until the next day. This does not matter too much for a research lab, but it would be very damaging for a supermarket or a stockbroker. An extreme case is a military one, where more and more use of computers and data is being made in support of deployed operations. You can’t stop a battle while access controls are fixed.

All our experience is that things that should not or even logically cannot happen sometimes happen, and the more complex the web of technical restraints the more difficult it is likely to be to recover effectively. To illustrate very simply the importance of recovery issues, there is a well-known attack on the Needham-Schroeder authentication protocol [1]. The attack depends on something happening that in the proper course of the protocol should not be able to happen; but the seriousness of the attack comes from the fact that there is no way to recover at all when it has happened. The recovery issue is a very serious one, and compounds the complexity discussed at length above. It is really hard to catalogue, and to find out how to recover from, the things that should not happen but will. If organizational authority can over-ride protocol, then recovery can occur by use of human ingenuity. For example a high-ranking officer can say ‘Fire the goddam thing anyway!’

Logging

If we follow this line of thought we can go further. This is where it matters that we are talking about security within an organisation rather than in the world in general. In an organisation there are more ties among the individuals than there are in the outside world; for example soldiers are subject to military discipline, and there is an assumption that employees in general do not want to get fired. To some extent we can exploit this to simplify security matters. Keeping a record of what has been done can be a simple solution to otherwise difficult problems.

Here’s an example. Anyone can buy a copy of my bank statement from a dubious enquiry agent for some 200 pounds. This is because any teller in the employ of my bank can ask for it, and since the bank is a large one there are enough tellers over all branches that some will be willing to earn a little money on the side. Yet having all the tellers able to have access is in other ways a good thing. The security would be much improved if the act of generating a copy of a statement were recorded in the statement itself, so that when I got my regular monthly printout I could see that a statement was asked for by teller number in the Penzance branch, and I could raise a complaint if I was in Philadelphia at the relevant time. It is not clear to me why banks do not do this, but that is another question.

It is worth noting that maintaining logs is often rejected as a security technique on the bogus argument that there is too much log material for anyone to look at. The present case is an example where parallel processing at the level of millions makes light of the volume of stuff. After all, most of us give our bank statements at least a cursory scan.

People

To compound the effects of complexity, humans involved in managing security are fallible, lazy, and uncomprehending. The first applies to all of us, but the other two may seem surprising. I shall now try to explain why they are mentioned here.

Security is a nuisance. It gets in the way, in the manner that a locked door gets in the way even if you have a key to it. Even if you have brought the key with you the door is an obstruction, and is even more so if you have to go back to wherever you left the key. A local security officer has the duty of making sure that the features that make for inconvenience are in place and effective. The life of a local security administrator is much easier, and the administrator much less unpopular with colleagues, if the administrator’s job is not done ‘properly’. The incentives on the security administrator are thus not very appropriate. I am credibly advised that units in the armed services are particularly adept at simplifying their lives in this sort of way but so are bank branch managers, hospital administrators, and so forth. Wherever there are devolved units that have a certain amount of discretion in the management of their internal affairs, burdensome security will be circumvented.

As much damage can be done because people are uncomprehending. A well-known story describes two senior bank managers being sent two parts of a cryptographic key to load into a security module. They were sufficiently senior that they didn’t care to use keyboards, so they gave the two pieces of paper to the same technician to enter, thus losing the entire purpose of the two parts. They didn’t understand why it was supposed to be done the way it was supposed to be done.

Another tale, not directly connected with security, concerns a distributed and devolved naming service, that replicated data widely for easy access. For such a system to work it is clearly necessary to have a lot of discipline about the processes of installing new instances so that update messages can be sent to the required places. Local managers simply didn’t understand all this, and if one of their instances misbehaved they would simply shoot it and make a new one. Update messages would be directed to the instance that no longer existed, and would be returned undelivered. They would not be delivered to the new instance which soon stopped being current. Confusion reigned.

These examples show the results of overestimating the understanding and probably even the intelligence of the local agents. The system was designed by very well educated and well informed people who simply did not think of the contrast between themselves and the people on the ground.

An agenda for research

The conclusion I draw from this in some ways depressing tale is that there is a great scope for research in a number of areas.

First, can we find means of expressing security policies such that machine aids may be used to help check whether available technical measures are capable of implementing the policies? It may be impossible, but it would be nice to know. Note that I said ‘machine aids.’ Researchers working on theorem proving spent a lot of time trying to get fully automatic proof engines, and eventually realised that machine aided proof was much more effective.

Second, can we find tools to assist in auditing security data to check for policy compliance?

Third, can we find means to express local operating rules so that their rationale is apparent to local operations people, who might therefore take them more seriously? Alternatively, can we find ways to simplify the task of local security administrators so that there is less encouragement for circumvention?

These issues are partly technical and partly managerial. It is greatly to be hoped that the managerial content does not deter computing researchers from tackling them, for their importance is great. Computing researchers need to climb down from their ivory towers to look at the real world contexts in which their systems will be deployed.

Reference

[1] NEEDHAM, R.M., AND SCHROEDER, M.D., ‘Using encryption for authentication in large networks of computers,’ Comm. ACM, vol. 21, no. 12, 1978, pp. 993–999.

Roger Needham: Publications
Compiled by Karen Spärck Jones

With T. Joyce: ‘The thesaurus approach to information retrieval,’ American Documentation, (3), 1958, 192–197; reprinted in Readings in information retrieval, ed. K. Spärck Jones and P. Willett, San Francisco, CA: Morgan Kaufmann, 1997.
With M. Masterman and K. Spärck Jones: ‘The analogy between mechanical translation and library retrieval,’ Proceedings of the International Conference on Scientific Information (1958), National Academy of Sciences—National Research Council, Washington, DC, 1959, vol. 2, 917–935.
With A.F. Parker-Rhodes: ‘A reduction method for non-arithmetic data, and its application to thesauric translation,’ Information Processing: Proceedings of the International Conference on Information Processing (1959), Paris, 1960, 321–327.
With A.F. Parker-Rhodes: ‘The theory
of clumps,’ Cambridge Language Research Unit, Report M.L. 126, 1960.
With A.H.J. Miller and K. Spärck Jones: ‘The information retrieval system of the Cambridge Language Research Unit,’ Cambridge Language Research Unit, Report M.L. 109, 1960.
‘The theory of clumps II,’ Cambridge Language Research Unit, Report M.L. 139, 1961.
Research on information retrieval, classification and grouping 1957–1961, Ph.D. thesis, University of Cambridge; Cambridge Language Research Unit, Report M.L. 149, 1961.
‘A method for using computers in information classification,’ Information Processing 62: Proceedings of IFIP Congress 1962, ed. C. Popplewell, Amsterdam: North-Holland, 1963, 284–287.
‘Automatic classification for information retrieval,’ in Information retrieval, ed. Serbanescu, I.B.M. European Education Centre, Blaricum, Holland, 1963.
‘Automatic classification for information retrieval,’ lectures given at the NATO Advanced Study Institute on Automatic Document Analysis, Venice, 1963; abstracts published as Cambridge Language Research Unit Report M.L. 166, 1963.
‘The exploitation of redundancy in programs,’ in The Impact of Users’ Needs on the Design of Data Processing Systems, Conference Proceedings, United Kingdom Automation Council, 1964, 6–7.
With K. Spärck Jones: ‘Keywords and clumps,’ Journal of Documentation, 20 (1), 1964, 5–15.
‘Information retrieval,’ Computing science, Report to the Science Research Council, ed. D. Michie, 1965, 92–94.
‘Automatic classification—models and problems,’ in Mathematics and computer science in biology and medicine, London: Medical Research Council, 1965, 111–114.
‘Computer methods for classification and grouping,’ in The use of computers in anthropology, ed. D. Hymes, The Hague: Mouton, 1965, 345–356.
‘Applications of the theory of clumps,’ Mechanical Translation, (3/4), 1965, 113–127.
‘Semantic problems of machine translation,’ Information Processing 65: Proceedings of IFIP Congress 1965, ed. W. Kalenich, Washington DC: Spartan Books, 1965, vol. 1, 65–69.
‘Information retrieval and some cognate computing problems,’ in Advances in programming and non-numerical computation, ed. L. Fox, London: Pergamon Press, 1966, 201–218.
‘The termination of certain iterative processes,’ Rand Corporation, Santa Monica, Report RM-5188-PR, 1966.
‘Automatic classification in linguistics,’ The Statistician, 17 (1), 1967, 45–54.
With D.W. Barron, A.G. Fraser, D.F. Hartley, and B. Landy: ‘File handling at Cambridge University,’ Proceedings of the 1967 Spring Joint Computer Conference, AFIPS Conference Proceedings, vol. 30, 1967, 163–167.
With K. Spärck Jones: ‘Automatic term classifications and retrieval,’ Information Storage and Retrieval, (2), 1968, 91–100.
With M.V. Wilkes: ‘The design of multiple-access computer systems: part 2,’ Computer Journal, 10, 1968, 315–320.
With D.F. Hartley and B. Landy: ‘The structure of a multiprogramming supervisor,’ Computer Journal, 11, 1968, 247–255.
‘Consoles in the cloisters,’ Datamation, January 1969.
With D.F. Hartley: ‘Operational experience with the Cambridge multiple-access system,’ Computer Science and Technology, Conference Publication 55, Institution of Electrical Engineers, London, 1969, 255–260.
‘Computer operating systems,’ in Encyclopedia of linguistics, computation and control, ed. A.R. Meetham and R.A. Hudson, London: Pergamon Press, 1969, 57–58.
With D.F. Hartley: ‘Theory and practice in operating system design,’ 2nd ACM Symposium on Operating System Principles, Princeton, 1969, New York: ACM, 1969, 8–12.
‘Software engineering techniques and operating system design and production’ and, with D. Aron, ‘Software engineering and computer science,’ in Software engineering techniques, ed. J. Buxton and B. Randell, NATO Scientific Affairs Committee, NATO, Brussels, 1970, 111–113 and 113–114.
‘Handling difficult faults in operating systems,’ 3rd ACM Symposium on Operating System Principles, Stanford, 1971, New York: ACM, 1971, 55–57.
With B. Landy: ‘Software engineering techniques used in the development of the Cambridge multiple access system,’ Software—Practice and Experience, (2), 1971, 167–173.
‘Tuning the Titan operating system,’ in Operating systems techniques, ed. C.A.R. Hoare and R. Perrott, London: Academic Press, 1972, 277–281.
‘Protection systems and protection implementations,’ Proceedings of the 1972 Fall Joint Computer Conference, AFIPS Conference Proceedings, vol. 41, 1972, 571–578; reprinted in The Auerbach Annual, 1972—Best Computer Papers, ed. I.L. Auerbach, Philadelphia, PA: Auerbach (?), 1972.
‘Protection—a current research area in operating systems,’ Proceedings of the International Computing Symposium 1973, ed. G. Gunter, B. Levrat, and H. Lipps, Amsterdam: North-Holland, 1974, 123–126.
With M.V. Wilkes: ‘Domains of protection and the management of processes,’ Computer Journal, 17 (2), 1974, 117–120; reprinted in The Auerbach Annual, 1975—Best Computer Papers, ed. I.L. Auerbach, New York: Petrocelli/Charter, 1975; reprinted in Japanese, 1976.
With R.D.H. Walker: ‘Protection and process management in the CAP computer,’ Proceedings of the International Workshop on Protection in Operating Systems, IRIA, Paris, 1974, 155–160.
‘The future of central computing services,’ Proceedings of the 1976 Computing Services Management Conference, ed. D.H. McClain, Inter University Computing Committee, 1976, 74–76.
Articles in Encyclopedia of computer science, ed. A. Ralston and C. Meek, New York: Petrocelli/Charter 1976.
‘The CAP project—an interim evaluation’ (6th ACM Symposium on Operating System Principles, 1977), Operating Systems Review, 11 (5), 1978, 17–22.
With R.D.H. Walker: ‘The Cambridge CAP computer and its protection system’ (6th ACM Symposium on Computer Operating System Principles, 1977), Operating Systems Review, 11 (5), 1978, 1–10.
With A.D. Birrell: ‘The CAP filing system’ (6th ACM Symposium on Computer Operating System Principles, 1977), Operating Systems Review, 11 (5), 1978, 11–16.
With M.D. Schroeder: ‘Using encryption for authentication in large networks of computers,’ Xerox Palo Alto Research Centre, Report CSL-78-4, 1978; Communications of the ACM, 21 (12), 1978, 993–999; reprinted in Advances in computer security, ed. R. Turn, Dedham, MA: Artech House, 1988.
With A.D. Birrell: ‘An asynchronous garbage collector for the CAP filing system,’ Operating Systems Review, 12 (2), 1978, 31–33.
With A.D. Birrell: ‘Character streams,’ Operating Systems Review, 12 (3), 1978, 29–31.
With H.C. Lauer: ‘On the duality of operating system structures’ (Second International Conference on Operating Systems, 1978), Operating systems: theory and practice, ed. D. Lanciaux, Amsterdam: North-Holland, 1979, 371–384; reprinted in Operating Systems Review, 13 (2), 1979, 3–19.
‘Protection’ (Advanced Course on Computing Systems Reliability, Newcastle, 1978); in Computer systems reliability, ed. T. Anderson and B. Randell, Cambridge: Cambridge University Press, 1979, 264–287.
‘Protection—theory and practice,’ Proceedings of the SEAS Anniversary Meeting 1978, vol. 1, 1978, 80–84.
With M.V. Wilkes: The CAP computer and its operating system, New York: Elsevier North-Holland, 1979.
‘Adding capability access to conventional file servers,’ Operating Systems Review, 13 (1), 1979, 3–4.
‘Systems aspects of the Cambridge Ring’ (7th ACM Symposium on Operating System Principles, 1979), Operating Systems Review, 13 (5), 1979, 82–85.
With M.V. Wilkes: ‘The Cambridge model distributed system,’ Operating Systems Review, 14 (1), 1980, 21–29.
With A.D. Birrell: ‘A universal file server,’ IEEE Transactions on Software Engineering, vol. SE-6 (5), 1980, 450–453.
With N.H. Garnett: ‘An asynchronous garbage collector for the Cambridge file server,’ Operating Systems Review, 14 (4), 1980, 36–40.
With A.J. Herbert: ‘Sequencing computation steps in a network’ (8th ACM Symposium on Operating System Principles, 1981), Operating Systems Review, 15 (5), 1981, 59–63.
‘Design considerations for a processing server,’ Proceedings of the 8th Annual Symposium on Computer Architecture, 1981, IEEE, 501–504.
‘Capabilities and protection’ (Proceedings, GI-10, Saarbrücken, 1980), GI-10 Jahrestagung, ed. R. Wilhelm, Berlin: Springer-Verlag, 1980, 45–53.
With A.D. Birrell, R. Levin, and M.D. Schroeder: ‘Grapevine: an exercise in distributed computing’ (presented at the 8th ACM Symposium on Operating Systems Principles, 1981), Communications of the ACM, 25, 1982, 260–274; reprinted in Birrell et al., ‘Grapevine: two papers and a report,’ Xerox Palo Alto Research Centre, Report CSL-83-12, 1983.
With A.J. Herbert: The Cambridge distributed computing system, Reading, Mass.: Addison-Wesley, 1982.
With M.F. Richardson: ‘The Tripos Filing Machine—a front-end to a file server’ (9th ACM Symposium on Operating Systems Principles, 1983), Operating Systems Review, 17 (5), 1983, 120–128.
With A.J. Herbert and J.G. Mitchell: ‘How to connect stable memory to a computer,’ Operating Systems Review 17 (1), 1983, 16.
With M.D. Schroeder and A.D. Birrell: ‘Experience with Grapevine: the growth of a distributed system,’ ACM Transactions on Computer Systems, (1), 1984, 3–23; reprinted in Birrell et al., ‘Grapevine: two papers and a report,’ Xerox Palo Alto Research Center, Report CSL-83-12, 1983.
With I.M. Leslie, J.W. Burren, and G.C. Adams: ‘The architecture of the Universe network’ (SIGCOMM 84 Tutorials and Symposium: Communications Architectures and Protocols), Computer Communications Review, 14 (2), 1984, 2–9.
With A.G. Waters, C.G. Adams, and I.M. Leslie: ‘The use of broadcast techniques on the Universe network’ (SIGCOMM 84 Tutorials and Symposium: Communications Architectures and Protocols), Computer Communications Review, 14 (2), 1984, 52–57.
‘Fifth generation computing,’ in Information comes of age, ed. C. Oppenheim, London: Rossendale, 1984, 71–77.
‘Protection,’ in Local area networks: an advanced course, ed. D. Hutchison, J. Mariani and D. Shepherd, Lecture Notes in Computer Science 184, Berlin: Springer, 1985, 261–281.
With M.D. Schroeder and D.K. Gifford: ‘A caching file system for a programmer’s workstation,’ DEC Systems Research Centre, Palo Alto, Report 6; (10th ACM Symposium on Operating Systems Principles, 1985), Operating Systems Review, 19 (5), 1985, 25–34.
‘Is there anything special about AI?’ (Workshop on the Foundations of Artificial Intelligence, 1986), in The foundations of artificial intelligence: A source book, ed. D. Partridge and Y. Wilks, Cambridge: Cambridge University Press, 1990, 269–273.
With A.D. Birrell, B.W. Lampson, and M.D. Schroeder: ‘A global authentication service without global trust,’ Proceedings of the IEEE Symposium on Security and Privacy, 1986, 223–230.
With D.L. Tennenhouse, I.M. Leslie, C.A. Adams, J.W. Burren, and C.S. Cooper: ‘Exploiting wideband ISDN: the Unison exchange,’ IEEE INFOCOM Conference Proceedings, San Francisco, 1987, 1018–1026.
With M.D. Schroeder: ‘Authentication revisited,’ Operating Systems Review, 21 (1), 1987,
‘The Unison experience,’ Proceedings of the 23rd Annual Convention of the Computer Society of India, ed. S. Raghavan and S. Venkatasubramanian, New Delhi: Macmillan, 1988, 51–57.
With D.K. Gifford and M.D. Schroeder: ‘The Cedar file system,’ Communications of the ACM, 31 (3), 1988, 288–298; reprinted, in Japanese, in Bit, November 1989, 30–50.
With A. Hopper: ‘The Cambridge fast ring networking system,’ IEEE Transactions on Computers, 37 (10), 1988, 1214–1223.
With M. Burrows and M. Abadi: ‘Authentication: a practical study of belief and action,’ Proceedings of the 2nd Conference on Theoretical Aspects of Reasoning about Knowledge, ed. M. Vardi, Los Altos, CA: Morgan Kaufmann, 1988, 325–342.
With M. Burrows: ‘Locks in distributed systems—an observation,’ Operating Systems Review 22 (3), 1988, 44.
With M. Burrows and M. Abadi: ‘A logic of authentication,’ DEC Systems Research Centre, Palo Alto, Report 39, 1989; Proceedings of the Royal Society of London, Series A, 426, 1989, 233–271; reprinted in Practical cryptography for data internetworks, ed. W. Stallings, Washington DC: IEEE Computer Society Press, 1996.
With M. Burrows and M. Abadi: ‘A logic of authentication’ (12th ACM Symposium on Operating System Principles, 1989), Operating Systems Review, 23 (5), 1989, 1–13; and ACM Transactions on Computer Systems, (1), 1990, 18–36. [Refers to the previous Report 39, etc., version as fuller.]
With T.M.A. Lomas, L. Gong, and J.H. Saltzer: ‘Reducing risks from poorly chosen keys’ (12th ACM Symposium on Operating System Principles, 1989), Operating Systems Review, 23 (5), 1989, 14–18.
‘Authentication,’ in Safe and secure computing systems, ed. T. Anderson, Oxford: Blackwell Scientific, 1989, 189–196.
‘Names’ and ‘Using cryptography for authentication’ (Arctic 88; Fingerlakes 89: Advanced Courses on Distributed Systems), in Distributed systems, ed. S. Mullender, New York: ACM Press and Addison-Wesley, 1989, 89–101 and 103–116.
With J.M. Bacon and I.M. Leslie: ‘Distributed computing with a processor bank,’ Technical Report 168, Computer Laboratory, University of Cambridge, 1989.
With M. Burrows and M. Abadi: ‘The scope of a logic of authentication,’ Proceedings of the DIMACS Workshop on Distributed Computing and Cryptography (1989), ed. J. Feigenbaum and M. Merritt, New York: American Mathematical Society, 1991, 119–126.
With A. Herbert: ‘Report on the Third European SIGOPS Workshop, “Autonomy or Interdependence in Distributed Systems”,’ Operating Systems Review, 23 (2), 1989, 3–19.
With L. Gong and R. Yahalom: ‘Reasoning about belief in cryptographic protocols,’ Proceedings of the 1990 IEEE Symposium on Security and Privacy, 1990, 234–248.
With M. Burrows and M. Abadi: ‘Rejoinder to Nessett,’ Operating Systems Review, 24 (2), 1990, 39–40.
‘Capabilities and security,’ in Security and Persistence: Proceedings of the International Workshop on Computer Architectures to Support Security and Persistence of Information, ed. J. Rosenberg and J. Keedy, Bremen, Germany, 1990, 1–8.
With M.D. Schroeder and others: ‘Autonet: a high-speed, self-configuring local area network using point-to-point links,’ DEC Systems Research Centre, Palo Alto, Report 59, 1990; IEEE Journal on Selected Areas in Communications, (8), 1991, 1318–1335.
‘What next? Some speculations,’ in Operating systems of the 90s and beyond, ed. A.I. Karshmer and J. Nehmer, Berlin: Springer Verlag, 1991, 220–222.
‘Later developments at Cambridge: Titan, CAP, and the Cambridge Ring,’ IEEE Annals of the History of Computing, 14 (4), 1992, 57–58.
With A. Nakamura: ‘An approach to real-time scheduling—but is it really a problem for multimedia?’ (NOSSDAV 92), in Network and Operating System Support for Digital Audio and Video, ed. P. Venkat Randan, Lecture Notes in Computer Science 712, Berlin: Springer-Verlag, 1992, 32–39.
‘Names’ and ‘Cryptography and secure channels,’ in Distributed systems, ed. S. Mullender, 2nd ed., Reading, MA: Addison-Wesley, 1993, 315–326 and 531–541.
With M.A. Lomas, L. Gong and J.H. Saltzer: ‘Protecting poorly chosen secrets from guessing attacks,’ IEEE Journal on Selected Areas in Communications, 11 (5), 1993, 648–656. Abraham Award for Best Paper in the Journal for 1993.
‘Denial of service,’ Proceedings of the 1st ACM Conference on Communications and Computing Security, 1993, 151–153.
‘Distributed computing,’ Guest Editorial, Computer Bulletin, (2), 1994,
With M. Abadi: ‘Prudent engineering practice for cryptographic protocols,’ Proceedings of the 1994 IEEE Symposium on Security and Privacy, 1994, 122–136. Outstanding paper award.
‘Computers and communications,’ Computer Science and Informatics (Computer Society of India), 23 (4), 1993, 1–6.
‘Denial of service: an example,’ expanded version of 1993 paper, Communications of the ACM 37 (11), 1994, 42–46.
With M. Abadi: ‘Prudent engineering practice for cryptographic protocols,’ expanded version of 1994 IEEE Symposium paper, DEC Systems Research Centre, Palo Alto, Report 125, 1994; IEEE Transactions on Software Engineering, 22 (1), 1996, 6–15.
With A. Nakamura: ‘The dependency protocol for real-time synchronisation,’ RTESA 94, Proceedings of the First International Workshop on Real-Time Computing Systems and Applications, IEEE, Seoul, 1994.
With D. Wheeler: ‘Two cryptographic notes,’ Technical Report 355, Computer Laboratory, University of Cambridge, 1994.
With D.J. Wheeler: ‘TEA, a tiny encryption algorithm,’ Fast Software Encryption, 1994, 363–366.
With A. Nakamura: ‘The dependency protocol for real-time synchronisation,’ Transactions of the Institute of Electronic, Information and Communication Engineers, vol. J78-D-I, no. 8, 1995, 649–660.
With P.W. Jardetsky and C.J. Sreenan: ‘Storage and synchronisation for distributed continuous media,’ Multimedia Systems, (4), 1995, 151–161.
With R.J. Anderson: ‘Programming Satan’s computer,’ in Computer science today, ed. J. van Leeuwen, Lecture Notes in Computer Science 1000, Berlin: Springer, 1995, 426–440.
With R.J. Anderson: ‘Robustness principles for public key protocols,’ in Advances in cryptology—CRYPTO 95, ed. D. Coppersmith, Lecture Notes in Computer Science 963, Berlin: Springer, 1995, 236–247.
‘Fast communication and slow computers,’ Twelfth International Conference on Computer Communication, Seoul, 1995.
‘Computers and communications,’ in Computing tomorrow, ed. I. Wand and R. Milner, Cambridge: Cambridge University Press, 1996, 284–294.
‘The changing environment for security protocols,’ IEEE Network, 11 (3), 1997, 12–15.
‘Logic and oversimplification,’ Proceedings of the Thirteenth Annual IEEE Symposium on Logic in Computer Science, 1998, 2–3.
With R.J. Anderson and others: ‘A new family of authentication protocols,’ Operating Systems Review, 32 (4), 1998, 9–20.
With R.J. Anderson and A. Shamir: ‘The steganographic file system,’ in Information hiding (Second International Workshop on Information Hiding), ed. D. Aucsmith, Lecture Notes in Computer Science 1525, Berlin: Springer, 1998, 73–84.
‘The changing environment’ (transcript, with discussion), Security Protocols, 7th International Workshop, Cambridge, ed. B. Christianson et al., Lecture Notes in Computer Science 1796, Berlin: Springer, 1999, 1–5.
‘The hardware environment,’ Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999, 236.
Editor, with K. Spärck Jones and G. Gazdar: ‘Computers, language and speech: formal theories and statistical data,’ Philosophical Transactions of the Royal Society of London, Series A, Mathematical, Physical and Engineering Sciences, vol. 358, no. 1769, 2000, 1225–1431.
With K. Spärck Jones and G. Gazdar: ‘Introduction: combining formal theories and statistical data in natural language processing,’ ‘Computers, language and speech: formal theories and statistical data,’ Philosophical Transactions of the Royal Society of London, Series A, Mathematical, Physical and Engineering Sciences, vol. 358, no. 1769, 2000, 1225–1238.
‘Distributed computing: opportunity, challenge, or misfortune?’ in Millennial perspectives in computer science (Proceedings of the 1999 Oxford-Microsoft Symposium in honour of Sir Tony Hoare), ed. J. Davies, B. Roscoe, and J. Woodcock, Basingstoke, Hants: Palgrave, 2000, 283–287.
‘Mobile computing versus immobile security’ (transcript), Security Protocols, 9th International Workshop, Cambridge, ed. B. Christianson et al., Lecture Notes in Computer Science 2467, Berlin: Springer, 2001, 1–3.
‘Security—a technical problem or a people problem?’ Proceedings, Information Security Summit, Prague: Tate International, 2001, 7–9.
‘Donald Watts Davies CBE,’ Biographical Memoirs of Fellows of the Royal Society, 48, 2002, 87–96.
‘Computer security?’ Philosophical Transactions of the Royal Society, Series A, Mathematical, Physical and Engineering Sciences, 361, 2003, 1549–1555.