Computer Security Art and Science

Summary

"This is an excellent text that should be read by every computer security professional and student." -Dick Kemmerer, University of California, Santa Barbara. "This is the most complete book on information security theory, technology, and practice that I have encountered anywhere!" -Marvin Schaefer, Former Chief Scientist, National Computer Security Center, NSA This highly anticipated book fully introduces the theory and practice of computer security. It is both a comprehensive text, explaining the most fundamental and pervasive aspects of the field, and a detailed reference filled with valuable information for even the most seasoned practitioner. In this one extraordinary volume the author incorporates concepts from computer systems, networks, human factors, and cryptography. In doing so, he effectively demonstrates that computer security is an art as well as a science. Computer Security: Art and Science includes detailed discussions on: bull;The nature and challenges of computer security bull;The relationship between policy and security bull;The role and application of cryptography bull;The mechanisms used to implement policies bull;Methodologies and technologies for assurance bull;Vulnerability analysis and intrusion detection Computer Security discusses different policy models, and presents mechanisms that can be used to enforce these policies. It concludes with examples that show how to apply the principles discussed in earlier sections, beginning with networks and moving on to systems, users, and programs. This important work is essential for anyone who needs to understand, implement, or maintain a secure network or computer system. 0201440997B10252002

Author Biography

Matt Bishop is Associate Professor in the Department of Computer Science at the University of California at Davis.

Preface	p. xxxi
Goals	p. xxxii
Philosophy	p. xxxiii
Organization	p. xxxv
Roadmap	p. xxxvi
Dependencies	p. xxxvi
Background	p. xxxvii
Undergraduate Level	p. xxxviii
Graduate Level	p. xxxviii
Practitioners	p. xl
Special Acknowledgment	p. xl
Acknowledgments	p. xl
Introduction	p. 1
An Overview of Computer Security	p. 3
The Basic Components	p. 3
Threats	p. 6
Policy and Mechanism	p. 9
Assumptions and Trust	p. 11
Assurance	p. 12
Operational Issues	p. 16
Human Issues	p. 19
Tying It All Together	p. 22
Summary	p. 23
Research Issues	p. 24
Further Reading	p. 24
Exercises	p. 25
Foundations	p. 29
Access Control Matrix	p. 31
Protection State	p. 31
Access Control Matrix Model	p. 32
Protection State Transitions	p. 37
Copying, Owning, and the Attenuation of Privilege	p. 41
Summary	p. 43
Research Issues	p. 44
Further Reading	p. 44
Exercises	p. 44
Foundational Results	p. 47
The General Question	p. 47
Basic Results	p. 48
The Take-Grant Protection Model	p. 53
Closing the Gap	p. 65
Expressive Power and the Models	p. 78
Summary	p. 90
Research Issues	p. 90
Further Reading	p. 91
Exercises	p. 91
Policy	p. 93
Security Policies	p. 95
Security Policies	p. 95
Types of Security Policies	p. 99
The Role of Trust	p. 101
Types of Access Control	p. 103
Policy Languages	p. 104
Example: Academic Computer Security Policy	p. 111
Security and Precision	p. 114
Summary	p. 119
Research Issues	p. 119
Further Reading	p. 120
Exercises	p. 120
Confidentiality Policies	p. 123
Goals of Confidentiality Policies	p. 123
The Bell-LaPadula Model	p. 124
Tranquility	p. 142
The Controversy over the Bell-LaPadula Model	p. 143
Summary	p. 148
Research Issues	p. 148
Further Reading	p. 149
Exercises	p. 150
Integrity Policies	p. 151
Goals	p. 151
Biba Integrity Model	p. 153
Lipner's Integrity Matrix Model	p. 156
Clark-Wilson Integrity Model	p. 160
Summary	p. 166
Research Issues	p. 166
Further Reading	p. 167
Exercises	p. 167
Hybrid Policies	p. 169
Chinese Wall Model	p. 169
Clinical Information Systems Security Policy	p. 177
Originator Controlled Access Control	p. 180
Role-Based Access Control	p. 182
Summary	p. 184
Research Issues	p. 184
Further Reading	p. 184
Exercises	p. 185
Noninterference and Policy Composition	p. 187
The Problem	p. 187
Deterministic Noninterference	p. 191
Nondeducibility	p. 202
Generalized Noninterference	p. 205
Restrictiveness	p. 208
Summary	p. 210
Research Issues	p. 211
Further Reading	p. 211
Exercises	p. 212
Implementation I: Cryptography	p. 215
Basic Cryptography	p. 217
What Is Cryptography?	p. 217
Classical Cryptosystems	p. 218
Public Key Cryptography	p. 233
Cryptographic Checksums	p. 237
Summary	p. 239
Research Issues	p. 240
Further Reading	p. 240
Exercises	p. 241
Key Management	p. 245
Session and Interchange Keys	p. 246
Key Exchange	p. 246
Key Generation	p. 252
Cryptographic Key Infrastructures	p. 254
Storing and Revoking Keys	p. 261
Digital Signatures	p. 266
Summary	p. 270
Research Issues	p. 271
Further Reading	p. 272
Exercises	p. 272
Cipher Techniques	p. 275
Problems	p. 275
Stream and Block Ciphers	p. 277
Networks and Cryptography	p. 283
Example Protocols	p. 286
Summary	p. 306
Research Issues	p. 306
Further Reading	p. 306
Exercises	p. 307
Authentication	p. 309
Authentication Basics	p. 309
Passwords	p. 310
Challenge-Response	p. 324
Biometrics	p. 328
Location	p. 331
Multiple Methods	p. 331
Summary	p. 333
Research Issues	p. 334
Further Reading	p. 335
Exercises	p. 335
Implementation II: Systems	p. 339
Design Principles	p. 341
Overview	p. 341
Design Principles	p. 343
Summary	p. 349
Research Issues	p. 350
Further Reading	p. 350
Exercises	p. 351
Representing Identity	p. 353
What Is Identity?	p. 353
Files and Objects	p. 354
Users	p. 355
Groups and Roles	p. 356
Naming and Certificates	p. 357
Identity on the Web	p. 366
Summary	p. 377
Research Issues	p. 378
Further Reading	p. 378
Exercises	p. 379
Access Control Mechanisms	p. 381
Access Control Lists	p. 381
Capabilities	p. 390
Locks and Keys	p. 396
Ring-Based Access Control	p. 400
Propagated Access Control Lists	p. 402
Summary	p. 404
Research Issues	p. 404
Further Reading	p. 405
Exercises	p. 405
Information Flow	p. 407
Basics and Background	p. 407
Nonlattice Information Flow Policies	p. 410
Compiler-Based Mechanisms	p. 415
Execution-Based Mechanisms	p. 429
Example Information Flow Controls	p. 433
Summary	p. 436
Research Issues	p. 436
Further Reading	p. 437
Exercises	p. 437
Confinement Problem	p. 439
The Confinement Problem	p. 439
Isolation	p. 442
Covert Channels	p. 446
Summary	p. 470
Research Issues	p. 471
Further Reading	p. 472
Exercises	p. 472
Assurance	p. 475
Introduction to Assurance	p. 477
Assurance and Trust	p. 477
Building Secure and Trusted Systems	p. 484
Summary	p. 492
Research Issues	p. 493
Further Reading	p. 494
Exercises	p. 494
Building Systems with Assurance	p. 497
Assurance in Requirements Definition and Analysis	p. 497
Assurance During System and Software Design	p. 510
Assurance in Implementation and Integration	p. 531
Assurance During Operation and Maintenance	p. 541
Summary	p. 541
Research Issues	p. 542
Further Reading	p. 542
Exercises	p. 543
Formal Methods	p. 545
Formal Verification Techniques	p. 545
Formal Specification	p. 548
Early Formal Verification Techniques	p. 551
Current Verification Systems	p. 559
Summary	p. 567
Research Issues	p. 568
Further Reading	p. 568
Exercises	p. 569
Evaluating Systems	p. 571
Goals of Formal Evaluation	p. 571
TCSEC: 1983-1999	p. 574
International Efforts and the ITSEC: 1991-2001	p. 581
Commercial International Security Requirements: 1991	p. 586
Other Commercial Efforts: Early 1990s	p. 587
The Federal Criteria: 1992	p. 587
FIPS 140: 1994-Present	p. 589
The Common Criteria: 1998-Present	p. 591
SSE-CMM: 1997-Present	p. 604
Summary	p. 607
Research Issues	p. 608
Further Reading	p. 608
Exercises	p. 609
Special Topics	p. 611
Malicious Logic	p. 613
Introduction	p. 613
Trojan Horses	p. 614
Computer Viruses	p. 615
Computer Worms	p. 623
Other Forms of Malicious Logic	p. 624
Theory of Malicious Logic	p. 626
Defenses	p. 630
Summary	p. 640
Research Issues	p. 640
Further Reading	p. 641
Exercises	p. 642
Vulnerability Analysis	p. 645
Introduction	p. 645
Penetration Studies	p. 647
Vulnerability Classification	p. 660
Frameworks	p. 662
Gupta and Gligor's Theory of Penetration Analysis	p. 678
Summary	p. 683
Research Issues	p. 683
Further Reading	p. 684
Exercises	p. 685
Auditing	p. 689
Definitions	p. 689
Anatomy of an Auditing System	p. 690
Designing an Auditing System	p. 693
A Posteriori Design	p. 701
Auditing Mechanisms	p. 705
Examples: Auditing File Systems	p. 708
Audit Browsing	p. 715
Summary	p. 718
Research Issues	p. 718
Further Reading	p. 719
Exercises	p. 720
Intrusion Detection	p. 723
Principles	p. 723
Basic Intrusion Detection	p. 724
Models	p. 727
Architecture	p. 742
Organization of Intrusion Detection Systems	p. 748
Intrusion Response	p. 754
Summary	p. 765
Research Issues	p. 765
Further Reading	p. 767
Exercises	p. 767
Practicum	p. 771
Network Security	p. 773
Introduction	p. 773
Policy Development	p. 774
Network Organization	p. 779
Availability and Network Flooding	p. 793
Anticipating Attacks	p. 796
Summary	p. 798
Research Issues	p. 798
Further Reading	p. 799
Exercises	p. 799
System Security	p. 805
Introduction	p. 805
Policy	p. 806
Networks	p. 811
Users	p. 817
Authentication	p. 822
Processes	p. 825
Files	p. 831
Retrospective	p. 837
Summary	p. 838
Research Issues	p. 839
Further Reading	p. 840
Exercises	p. 840
User Security	p. 845
Policy	p. 845
Access	p. 846
Files and Devices	p. 852
Processes	p. 860
Electronic Communications	p. 865
Summary	p. 866
Research Issues	p. 867
Further Reading	p. 867
Exercises	p. 868
Program Security	p. 869
Introduction	p. 869
Requirements and Policy	p. 870
Design	p. 873
Refinement and Implementation	p. 880
Common Security-Related Programming Problems	p. 887
Testing, Maintenance, and Operation	p. 913
Distribution	p. 917
Conclusion	p. 919
Summary	p. 919
Research Issues	p. 919
Further Reading	p. 920
Exercises	p. 920
End Matter	p. 923
Lattices	p. 925
Basics	p. 925
Lattices	p. 926
Exercises	p. 927
The Extended Euclidean Algorithm	p. 929
The Euclidean Algorithm	p. 929
The Extended Euclidean Algorithm	p. 930
Solving ax mod n = 1	p. 932
Solving ax mod n = b	p. 932
Exercises	p. 933
Entropy and Uncertainty	p. 935
Conditional and Joint Probability	p. 935
Entropy and Uncertainty	p. 937
Joint and Conditional Entropy	p. 938
Exercises	p. 940
Virtual Machines	p. 941
Virtual Machine Structure	p. 941
Virtual Machine Monitor	p. 942
Exercises	p. 946
Symbolic Logic	p. 947
Propositional Logic	p. 947
Predicate Logic	p. 952
Temporal Logic Systems	p. 954
Exercises	p. 956
Example Academic Security Policy	p. 959
University of California E-mail Policy	p. 959
The Acceptable Use Policy for the University of California, Davis	p. 989
Bibliography	p. 993
Index	p. 1063
Table of Contents provided by Syndetics. All Rights Reserved.

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Excerpts

Hortensio: Madam, before you touch the instrument To learn the order of my fingering, I must begin with rudiments of art To teach you gamouth in a briefer sort, More pleasant, pithy and effectual, Than hath been taught by any of my trade; And there it is in writing, fairly drawn. The Taming of the Shrew,III, i, 62-68. On September 11, 2001, terrorists seized control of four airplanes. Three were flown into buildings, and a fourth crashed, with catastrophic loss of life. In the aftermath, the security and reliability of many aspects of society drew renewed scrutiny. One of these aspects was the widespread use of computers and their interconnecting networks. The issue is not new. In 1988, approximately 5,000 computers throughout the Internet were rendered unusable within 4 hours by a program called a worm. While the spread, and the effects, of this program alarmed computer scientists, most people were not worried because the worm did not affect their lives or their ability to do their jobs. In 1993, more users of computer systems were alerted to such dangers when a set of programs called sniffers were placed on many computers run by network service providers and recorded login names and passwords. After an attack on Tsutomu Shimomura's computer system, and the fascinating way Shimomura followed the attacker's trail, which led to his arrest, the public's interest and apprehension were finally aroused. Computers were now vulnerable. Their once reassuring protections were now viewed as flimsy. Several films explored these concerns. Movies such asWar GamesandHackersprovided images of people who can, at will, wander throughout computers and networks, maliciously or frivolously corrupting or destroying information it may have taken millions of dollars to amass. (Reality intruded on Hackers when the World Wide Web page set up by MGM/United Artists was quickly altered to present an irreverent commentary on the movie and to suggest that viewers seeThe Netinstead. Paramount Pictures denied doing this.) Another film,Sneakers,presented a picture of those who test the security of computer (and other) systems for their owners and for the government. Goals This book has three goals. The first is to show the importance of theory to practice and of practice to theory. All too often, practitioners regard theory as irrelevant and theoreticians think of practice as trivial. In reality, theory and practice are symbiotic. For example, the theory of covert channels, in which the goal is to limit the ability of processes to communicate through shared resources, provides a mechanism for evaluating the effectiveness of mechanisms that confine processes, such as sandboxes and firewalls. Similarly, business practices in the commercial world led to the development of several security policy models such as the Clark-Wilson model and the Chinese Wall model. These models in turn help the designers of security policies better understand and evaluate the mechanisms and procedures needed to secure their sites. The second goal is to emphasize that computer security and cryptography are different. Although cryptography is an essential component of computer security, it is by no means the only component. Cryptography provides a mechanism for performing specific functions, such as preventing unauthorized people from reading and altering messages on a network. However, unless developers understand the context in which they are using cryptography, and unless the assumptions underlying the protocol and the cryptographic mechanisms apply to the context, the cryptography may not add to the security of the system. The canonical example is the use of cryptography to secure communications between two low-security systems. If only trusted users can access the two systems, cryptography protects messages in transit. But if untrusted users can access either system