Preface
  Goals
  Philosophy
  Organization
  Roadmap
  Dependencies
  Background
  Undergraduate Level
  Graduate Level
  Practitioners
  Special Acknowledgment
  Acknowledgments

Introduction

  An Overview of Computer Security
    The Basic Components
    Threats
    Policy and Mechanism
    Assumptions and Trust
    Assurance
    Operational Issues
    Human Issues
    Tying It All Together
    Summary
    Research Issues
    Further Reading
    Exercises

Foundations

  Access Control Matrix
    Protection State
    Access Control Matrix Model
    Protection State Transitions
    Copying, Owning, and the Attenuation of Privilege
    Summary
    Research Issues
    Further Reading
    Exercises

  Foundational Results
    The General Question
    Basic Results
    The Take-Grant Protection Model
    Closing the Gap
    Expressive Power and the Models
    Summary
    Research Issues
    Further Reading
    Exercises

Policy

  Security Policies
    Security Policies
    Types of Security Policies
    The Role of Trust
    Types of Access Control
    Policy Languages
    Example: Academic Computer Security Policy
    Security and Precision
    Summary
    Research Issues
    Further Reading
    Exercises

  Confidentiality Policies
    Goals of Confidentiality Policies
    The Bell-LaPadula Model
    Tranquility
    The Controversy over the Bell-LaPadula Model
    Summary
    Research Issues
    Further Reading
    Exercises

  Integrity Policies
    Goals
    Biba Integrity Model
    Lipner's Integrity Matrix Model
    Clark-Wilson Integrity Model
    Summary
    Research Issues
    Further Reading
    Exercises

  Hybrid Policies
    Chinese Wall Model
    Clinical Information Systems Security Policy
    Originator Controlled Access Control
    Role-Based Access Control
    Summary
    Research Issues
    Further Reading
    Exercises

  Noninterference and Policy Composition
    The Problem
    Deterministic Noninterference
    Nondeducibility
    Generalized Noninterference
    Restrictiveness
    Summary
    Research Issues
    Further Reading
    Exercises

Implementation I: Cryptography

  Basic Cryptography
    What Is Cryptography?
    Classical Cryptosystems
    Public Key Cryptography
    Cryptographic Checksums
    Summary
    Research Issues
    Further Reading
    Exercises

  Key Management
    Session and Interchange Keys
    Key Exchange
    Key Generation
    Cryptographic Key Infrastructures
    Storing and Revoking Keys
    Digital Signatures
    Summary
    Research Issues
    Further Reading
    Exercises

  Cipher Techniques
    Problems
    Stream and Block Ciphers
    Networks and Cryptography
    Example Protocols
    Summary
    Research Issues
    Further Reading
    Exercises

  Authentication
    Authentication Basics
    Passwords
    Challenge-Response
    Biometrics
    Location
    Multiple Methods
    Summary
    Research Issues
    Further Reading
    Exercises

Implementation II: Systems

  Design Principles
    Overview
    Design Principles
    Summary
    Research Issues
    Further Reading
    Exercises

  Representing Identity
    What Is Identity?
    Files and Objects
    Users
    Groups and Roles
    Naming and Certificates
    Identity on the Web
    Summary
    Research Issues
    Further Reading
    Exercises

  Access Control Mechanisms
    Access Control Lists
    Capabilities
    Locks and Keys
    Ring-Based Access Control
    Propagated Access Control Lists
    Summary
    Research Issues
    Further Reading
    Exercises

  Information Flow
    Basics and Background
    Nonlattice Information Flow Policies
    Compiler-Based Mechanisms
    Execution-Based Mechanisms
    Example Information Flow Controls
    Summary
    Research Issues
    Further Reading
    Exercises

  Confinement Problem
    The Confinement Problem
    Isolation
    Covert Channels
    Summary
    Research Issues
    Further Reading
    Exercises

Assurance

  Introduction to Assurance
    Assurance and Trust
    Building Secure and Trusted Systems
    Summary
    Research Issues
    Further Reading
    Exercises

  Building Systems with Assurance
    Assurance in Requirements Definition and Analysis
    Assurance During System and Software Design
    Assurance in Implementation and Integration
    Assurance During Operation and Maintenance
    Summary
    Research Issues
    Further Reading
    Exercises

  Formal Methods
    Formal Verification Techniques
    Formal Specification
    Early Formal Verification Techniques
    Current Verification Systems
    Summary
    Research Issues
    Further Reading
    Exercises

  Evaluating Systems
    Goals of Formal Evaluation
    TCSEC: 1983-1999
    International Efforts and the ITSEC: 1991-2001
    Commercial International Security Requirements: 1991
    Other Commercial Efforts: Early 1990s
    The Federal Criteria: 1992
    FIPS 140: 1994-Present
    The Common Criteria: 1998-Present
    SSE-CMM: 1997-Present
    Summary
    Research Issues
    Further Reading
    Exercises

Special Topics

  Malicious Logic
    Introduction
    Trojan Horses
    Computer Viruses
    Computer Worms
    Other Forms of Malicious Logic
    Theory of Malicious Logic
    Defenses
    Summary
    Research Issues
    Further Reading
    Exercises

  Vulnerability Analysis
    Introduction
    Penetration Studies
    Vulnerability Classification
    Frameworks
    Gupta and Gligor's Theory of Penetration Analysis
    Summary
    Research Issues
    Further Reading
    Exercises

  Auditing
    Definitions
    Anatomy of an Auditing System
    Designing an Auditing System
    A Posteriori Design
    Auditing Mechanisms
    Examples: Auditing File Systems
    Audit Browsing
    Summary
    Research Issues
    Further Reading
    Exercises

  Intrusion Detection
    Principles
    Basic Intrusion Detection
    Models
    Architecture
    Organization of Intrusion Detection Systems
    Intrusion Response
    Summary
    Research Issues
    Further Reading
    Exercises

Practicum

  Network Security
    Introduction
    Policy Development
    Network Organization
    Availability and Network Flooding
    Anticipating Attacks
    Summary
    Research Issues
    Further Reading
    Exercises

  System Security
    Introduction
    Policy
    Networks
    Users
    Authentication
    Processes
    Files
    Retrospective
    Summary
    Research Issues
    Further Reading
    Exercises

  User Security
    Policy
    Access
    Files and Devices
    Processes
    Electronic Communications
    Summary
    Research Issues
    Further Reading
    Exercises

  Program Security
    Introduction
    Requirements and Policy
    Design
    Refinement and Implementation
    Common Security-Related Programming Problems
    Testing, Maintenance, and Operation
    Distribution
    Conclusion
    Summary
    Research Issues
    Further Reading
    Exercises

End Matter

  Lattices
    Basics
    Lattices
    Exercises

  The Extended Euclidean Algorithm
    The Euclidean Algorithm
    The Extended Euclidean Algorithm
    Solving ax mod n = 1
    Solving ax mod n = b
    Exercises

  Entropy and Uncertainty
    Conditional and Joint Probability
    Entropy and Uncertainty
    Joint and Conditional Entropy
    Exercises

  Virtual Machines
    Virtual Machine Structure
    Virtual Machine Monitor
    Exercises

  Symbolic Logic
    Propositional Logic
    Predicate Logic
    Temporal Logic Systems
    Exercises

  Example Academic Security Policy
    University of California E-mail Policy
    The Acceptable Use Policy for the University of California, Davis

  Bibliography

  Index