Computer Security Art and Science
- ISBN13:
9780201440997
- ISBN10:
0201440997
- Edition: 1st
- Format: Hardcover
- Copyright: 2002-12-02
- Publisher: Addison-Wesley Professional
- View Upgraded Edition
- More Book Details
Note: Supplemental materials are not guaranteed with Rental or Used book purchases.
Purchase Benefits
-
Free Shipping On Orders Over $35!
Your order must be $35 or more to qualify for free economy shipping. Bulk sales, PO's, Marketplace items, eBooks and apparel do not qualify for this offer. -
Get Rewarded for Ordering Your Textbooks! Enroll Now
-
Customer Reviews Read Reviews
-
Write a Review
Free ShippingSupplemental Materials
What is included with this book?
- The Used copy of this book is not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.
Summary
"This is an excellent text that should be read by every computer security professional and student." -Dick Kemmerer, University of California, Santa Barbara. "This is the most complete book on information security theory, technology, and practice that I have encountered anywhere!" -Marvin Schaefer, Former Chief Scientist, National Computer Security Center, NSA This highly anticipated book fully introduces the theory and practice of computer security. It is both a comprehensive text, explaining the most fundamental and pervasive aspects of the field, and a detailed reference filled with valuable information for even the most seasoned practitioner. In this one extraordinary volume the author incorporates concepts from computer systems, networks, human factors, and cryptography. In doing so, he effectively demonstrates that computer security is an art as well as a science. Computer Security: Art and Science includes detailed discussions on: bull;The nature and challenges of computer security bull;The relationship between policy and security bull;The role and application of cryptography bull;The mechanisms used to implement policies bull;Methodologies and technologies for assurance bull;Vulnerability analysis and intrusion detection Computer Security discusses different policy models, and presents mechanisms that can be used to enforce these policies. It concludes with examples that show how to apply the principles discussed in earlier sections, beginning with networks and moving on to systems, users, and programs. This important work is essential for anyone who needs to understand, implement, or maintain a secure network or computer system. 0201440997B10252002
Author Biography
Matt Bishop is Associate Professor in the Department of Computer Science at the University of California at Davis.
Table of Contents
| Preface | p. xxxi |
| Goals | p. xxxii |
| Philosophy | p. xxxiii |
| Organization | p. xxxv |
| Roadmap | p. xxxvi |
| Dependencies | p. xxxvi |
| Background | p. xxxvii |
| Undergraduate Level | p. xxxviii |
| Graduate Level | p. xxxviii |
| Practitioners | p. xl |
| Special Acknowledgment | p. xl |
| Acknowledgments | p. xl |
| Introduction | p. 1 |
| An Overview of Computer Security | p. 3 |
| The Basic Components | p. 3 |
| Threats | p. 6 |
| Policy and Mechanism | p. 9 |
| Assumptions and Trust | p. 11 |
| Assurance | p. 12 |
| Operational Issues | p. 16 |
| Human Issues | p. 19 |
| Tying It All Together | p. 22 |
| Summary | p. 23 |
| Research Issues | p. 24 |
| Further Reading | p. 24 |
| Exercises | p. 25 |
| Foundations | p. 29 |
| Access Control Matrix | p. 31 |
| Protection State | p. 31 |
| Access Control Matrix Model | p. 32 |
| Protection State Transitions | p. 37 |
| Copying, Owning, and the Attenuation of Privilege | p. 41 |
| Summary | p. 43 |
| Research Issues | p. 44 |
| Further Reading | p. 44 |
| Exercises | p. 44 |
| Foundational Results | p. 47 |
| The General Question | p. 47 |
| Basic Results | p. 48 |
| The Take-Grant Protection Model | p. 53 |
| Closing the Gap | p. 65 |
| Expressive Power and the Models | p. 78 |
| Summary | p. 90 |
| Research Issues | p. 90 |
| Further Reading | p. 91 |
| Exercises | p. 91 |
| Policy | p. 93 |
| Security Policies | p. 95 |
| Security Policies | p. 95 |
| Types of Security Policies | p. 99 |
| The Role of Trust | p. 101 |
| Types of Access Control | p. 103 |
| Policy Languages | p. 104 |
| Example: Academic Computer Security Policy | p. 111 |
| Security and Precision | p. 114 |
| Summary | p. 119 |
| Research Issues | p. 119 |
| Further Reading | p. 120 |
| Exercises | p. 120 |
| Confidentiality Policies | p. 123 |
| Goals of Confidentiality Policies | p. 123 |
| The Bell-LaPadula Model | p. 124 |
| Tranquility | p. 142 |
| The Controversy over the Bell-LaPadula Model | p. 143 |
| Summary | p. 148 |
| Research Issues | p. 148 |
| Further Reading | p. 149 |
| Exercises | p. 150 |
| Integrity Policies | p. 151 |
| Goals | p. 151 |
| Biba Integrity Model | p. 153 |
| Lipner's Integrity Matrix Model | p. 156 |
| Clark-Wilson Integrity Model | p. 160 |
| Summary | p. 166 |
| Research Issues | p. 166 |
| Further Reading | p. 167 |
| Exercises | p. 167 |
| Hybrid Policies | p. 169 |
| Chinese Wall Model | p. 169 |
| Clinical Information Systems Security Policy | p. 177 |
| Originator Controlled Access Control | p. 180 |
| Role-Based Access Control | p. 182 |
| Summary | p. 184 |
| Research Issues | p. 184 |
| Further Reading | p. 184 |
| Exercises | p. 185 |
| Noninterference and Policy Composition | p. 187 |
| The Problem | p. 187 |
| Deterministic Noninterference | p. 191 |
| Nondeducibility | p. 202 |
| Generalized Noninterference | p. 205 |
| Restrictiveness | p. 208 |
| Summary | p. 210 |
| Research Issues | p. 211 |
| Further Reading | p. 211 |
| Exercises | p. 212 |
| Implementation I: Cryptography | p. 215 |
| Basic Cryptography | p. 217 |
| What Is Cryptography? | p. 217 |
| Classical Cryptosystems | p. 218 |
| Public Key Cryptography | p. 233 |
| Cryptographic Checksums | p. 237 |
| Summary | p. 239 |
| Research Issues | p. 240 |
| Further Reading | p. 240 |
| Exercises | p. 241 |
| Key Management | p. 245 |
| Session and Interchange Keys | p. 246 |
| Key Exchange | p. 246 |
| Key Generation | p. 252 |
| Cryptographic Key Infrastructures | p. 254 |
| Storing and Revoking Keys | p. 261 |
| Digital Signatures | p. 266 |
| Summary | p. 270 |
| Research Issues | p. 271 |
| Further Reading | p. 272 |
| Exercises | p. 272 |
| Cipher Techniques | p. 275 |
| Problems | p. 275 |
| Stream and Block Ciphers | p. 277 |
| Networks and Cryptography | p. 283 |
| Example Protocols | p. 286 |
| Summary | p. 306 |
| Research Issues | p. 306 |
| Further Reading | p. 306 |
| Exercises | p. 307 |
| Authentication | p. 309 |
| Authentication Basics | p. 309 |
| Passwords | p. 310 |
| Challenge-Response | p. 324 |
| Biometrics | p. 328 |
| Location | p. 331 |
| Multiple Methods | p. 331 |
| Summary | p. 333 |
| Research Issues | p. 334 |
| Further Reading | p. 335 |
| Exercises | p. 335 |
| Implementation II: Systems | p. 339 |
| Design Principles | p. 341 |
| Overview | p. 341 |
| Design Principles | p. 343 |
| Summary | p. 349 |
| Research Issues | p. 350 |
| Further Reading | p. 350 |
| Exercises | p. 351 |
| Representing Identity | p. 353 |
| What Is Identity? | p. 353 |
| Files and Objects | p. 354 |
| Users | p. 355 |
| Groups and Roles | p. 356 |
| Naming and Certificates | p. 357 |
| Identity on the Web | p. 366 |
| Summary | p. 377 |
| Research Issues | p. 378 |
| Further Reading | p. 378 |
| Exercises | p. 379 |
| Access Control Mechanisms | p. 381 |
| Access Control Lists | p. 381 |
| Capabilities | p. 390 |
| Locks and Keys | p. 396 |
| Ring-Based Access Control | p. 400 |
| Propagated Access Control Lists | p. 402 |
| Summary | p. 404 |
| Research Issues | p. 404 |
| Further Reading | p. 405 |
| Exercises | p. 405 |
| Information Flow | p. 407 |
| Basics and Background | p. 407 |
| Nonlattice Information Flow Policies | p. 410 |
| Compiler-Based Mechanisms | p. 415 |
| Execution-Based Mechanisms | p. 429 |
| Example Information Flow Controls | p. 433 |
| Summary | p. 436 |
| Research Issues | p. 436 |
| Further Reading | p. 437 |
| Exercises | p. 437 |
| Confinement Problem | p. 439 |
| The Confinement Problem | p. 439 |
| Isolation | p. 442 |
| Covert Channels | p. 446 |
| Summary | p. 470 |
| Research Issues | p. 471 |
| Further Reading | p. 472 |
| Exercises | p. 472 |
| Assurance | p. 475 |
| Introduction to Assurance | p. 477 |
| Assurance and Trust | p. 477 |
| Building Secure and Trusted Systems | p. 484 |
| Summary | p. 492 |
| Research Issues | p. 493 |
| Further Reading | p. 494 |
| Exercises | p. 494 |
| Building Systems with Assurance | p. 497 |
| Assurance in Requirements Definition and Analysis | p. 497 |
| Assurance During System and Software Design | p. 510 |
| Assurance in Implementation and Integration | p. 531 |
| Assurance During Operation and Maintenance | p. 541 |
| Summary | p. 541 |
| Research Issues | p. 542 |
| Further Reading | p. 542 |
| Exercises | p. 543 |
| Formal Methods | p. 545 |
| Formal Verification Techniques | p. 545 |
| Formal Specification | p. 548 |
| Early Formal Verification Techniques | p. 551 |
| Current Verification Systems | p. 559 |
| Summary | p. 567 |
| Research Issues | p. 568 |
| Further Reading | p. 568 |
| Exercises | p. 569 |
| Evaluating Systems | p. 571 |
| Goals of Formal Evaluation | p. 571 |
| TCSEC: 1983-1999 | p. 574 |
| International Efforts and the ITSEC: 1991-2001 | p. 581 |
| Commercial International Security Requirements: 1991 | p. 586 |
| Other Commercial Efforts: Early 1990s | p. 587 |
| The Federal Criteria: 1992 | p. 587 |
| FIPS 140: 1994-Present | p. 589 |
| The Common Criteria: 1998-Present | p. 591 |
| SSE-CMM: 1997-Present | p. 604 |
| Summary | p. 607 |
| Research Issues | p. 608 |
| Further Reading | p. 608 |
| Exercises | p. 609 |
| Special Topics | p. 611 |
| Malicious Logic | p. 613 |
| Introduction | p. 613 |
| Trojan Horses | p. 614 |
| Computer Viruses | p. 615 |
| Computer Worms | p. 623 |
| Other Forms of Malicious Logic | p. 624 |
| Theory of Malicious Logic | p. 626 |
| Defenses | p. 630 |
| Summary | p. 640 |
| Research Issues | p. 640 |
| Further Reading | p. 641 |
| Exercises | p. 642 |
| Vulnerability Analysis | p. 645 |
| Introduction | p. 645 |
| Penetration Studies | p. 647 |
| Vulnerability Classification | p. 660 |
| Frameworks | p. 662 |
| Gupta and Gligor's Theory of Penetration Analysis | p. 678 |
| Summary | p. 683 |
| Research Issues | p. 683 |
| Further Reading | p. 684 |
| Exercises | p. 685 |
| Auditing | p. 689 |
| Definitions | p. 689 |
| Anatomy of an Auditing System | p. 690 |
| Designing an Auditing System | p. 693 |
| A Posteriori Design | p. 701 |
| Auditing Mechanisms | p. 705 |
| Examples: Auditing File Systems | p. 708 |
| Audit Browsing | p. 715 |
| Summary | p. 718 |
| Research Issues | p. 718 |
| Further Reading | p. 719 |
| Exercises | p. 720 |
| Intrusion Detection | p. 723 |
| Principles | p. 723 |
| Basic Intrusion Detection | p. 724 |
| Models | p. 727 |
| Architecture | p. 742 |
| Organization of Intrusion Detection Systems | p. 748 |
| Intrusion Response | p. 754 |
| Summary | p. 765 |
| Research Issues | p. 765 |
| Further Reading | p. 767 |
| Exercises | p. 767 |
| Practicum | p. 771 |
| Network Security | p. 773 |
| Introduction | p. 773 |
| Policy Development | p. 774 |
| Network Organization | p. 779 |
| Availability and Network Flooding | p. 793 |
| Anticipating Attacks | p. 796 |
| Summary | p. 798 |
| Research Issues | p. 798 |
| Further Reading | p. 799 |
| Exercises | p. 799 |
| System Security | p. 805 |
| Introduction | p. 805 |
| Policy | p. 806 |
| Networks | p. 811 |
| Users | p. 817 |
| Authentication | p. 822 |
| Processes | p. 825 |
| Files | p. 831 |
| Retrospective | p. 837 |
| Summary | p. 838 |
| Research Issues | p. 839 |
| Further Reading | p. 840 |
| Exercises | p. 840 |
| User Security | p. 845 |
| Policy | p. 845 |
| Access | p. 846 |
| Files and Devices | p. 852 |
| Processes | p. 860 |
| Electronic Communications | p. 865 |
| Summary | p. 866 |
| Research Issues | p. 867 |
| Further Reading | p. 867 |
| Exercises | p. 868 |
| Program Security | p. 869 |
| Introduction | p. 869 |
| Requirements and Policy | p. 870 |
| Design | p. 873 |
| Refinement and Implementation | p. 880 |
| Common Security-Related Programming Problems | p. 887 |
| Testing, Maintenance, and Operation | p. 913 |
| Distribution | p. 917 |
| Conclusion | p. 919 |
| Summary | p. 919 |
| Research Issues | p. 919 |
| Further Reading | p. 920 |
| Exercises | p. 920 |
| End Matter | p. 923 |
| Lattices | p. 925 |
| Basics | p. 925 |
| Lattices | p. 926 |
| Exercises | p. 927 |
| The Extended Euclidean Algorithm | p. 929 |
| The Euclidean Algorithm | p. 929 |
| The Extended Euclidean Algorithm | p. 930 |
| Solving ax mod n = 1 | p. 932 |
| Solving ax mod n = b | p. 932 |
| Exercises | p. 933 |
| Entropy and Uncertainty | p. 935 |
| Conditional and Joint Probability | p. 935 |
| Entropy and Uncertainty | p. 937 |
| Joint and Conditional Entropy | p. 938 |
| Exercises | p. 940 |
| Virtual Machines | p. 941 |
| Virtual Machine Structure | p. 941 |
| Virtual Machine Monitor | p. 942 |
| Exercises | p. 946 |
| Symbolic Logic | p. 947 |
| Propositional Logic | p. 947 |
| Predicate Logic | p. 952 |
| Temporal Logic Systems | p. 954 |
| Exercises | p. 956 |
| Example Academic Security Policy | p. 959 |
| University of California E-mail Policy | p. 959 |
| The Acceptable Use Policy for the University of California, Davis | p. 989 |
| Bibliography | p. 993 |
| Index | p. 1063 |
| Table of Contents provided by Syndetics. All Rights Reserved. |
Excerpts
Hortensio: Madam, before you touch the instrument To learn the order of my fingering, I must begin with rudiments of art To teach you gamouth in a briefer sort, More pleasant, pithy and effectual, Than hath been taught by any of my trade; And there it is in writing, fairly drawn. The Taming of the Shrew,III, i, 62-68. On September 11, 2001, terrorists seized control of four airplanes. Three were flown into buildings, and a fourth crashed, with catastrophic loss of life. In the aftermath, the security and reliability of many aspects of society drew renewed scrutiny. One of these aspects was the widespread use of computers and their interconnecting networks. The issue is not new. In 1988, approximately 5,000 computers throughout the Internet were rendered unusable within 4 hours by a program called a worm. While the spread, and the effects, of this program alarmed computer scientists, most people were not worried because the worm did not affect their lives or their ability to do their jobs. In 1993, more users of computer systems were alerted to such dangers when a set of programs called sniffers were placed on many computers run by network service providers and recorded login names and passwords. After an attack on Tsutomu Shimomura's computer system, and the fascinating way Shimomura followed the attacker's trail, which led to his arrest, the public's interest and apprehension were finally aroused. Computers were now vulnerable. Their once reassuring protections were now viewed as flimsy. Several films explored these concerns. Movies such asWar GamesandHackersprovided images of people who can, at will, wander throughout computers and networks, maliciously or frivolously corrupting or destroying information it may have taken millions of dollars to amass. (Reality intruded on Hackers when the World Wide Web page set up by MGM/United Artists was quickly altered to present an irreverent commentary on the movie and to suggest that viewers seeThe Netinstead. Paramount Pictures denied doing this.) Another film,Sneakers,presented a picture of those who test the security of computer (and other) systems for their owners and for the government. Goals This book has three goals. The first is to show the importance of theory to practice and of practice to theory. All too often, practitioners regard theory as irrelevant and theoreticians think of practice as trivial. In reality, theory and practice are symbiotic. For example, the theory of covert channels, in which the goal is to limit the ability of processes to communicate through shared resources, provides a mechanism for evaluating the effectiveness of mechanisms that confine processes, such as sandboxes and firewalls. Similarly, business practices in the commercial world led to the development of several security policy models such as the Clark-Wilson model and the Chinese Wall model. These models in turn help the designers of security policies better understand and evaluate the mechanisms and procedures needed to secure their sites. The second goal is to emphasize that computer security and cryptography are different. Although cryptography is an essential component of computer security, it is by no means the only component. Cryptography provides a mechanism for performing specific functions, such as preventing unauthorized people from reading and altering messages on a network. However, unless developers understand the context in which they are using cryptography, and unless the assumptions underlying the protocol and the cryptographic mechanisms apply to the context, the cryptography may not add to the security of the system. The canonical example is the use of cryptography to secure communications between two low-security systems. If only trusted users can access the two systems, cryptography protects messages in transit. But if untrusted users can access either system
