Preface
Goals
Philosophy
Organization
Differences Between this Book and Computer Security: Art and Science
Special Acknowledgment
Acknowledgments

An Overview of Computer Security
The Basic Components
Confidentiality
Integrity
Availability
Threats
Policy and Mechanism
Goals of Security
Assumptions and Trust
Assurance
Specification
Design
Implementation
Operational Issues
Cost-Benefit Analysis
Risk Analysis
Laws and Customs
Human Issues
Organizational Problems
People Problems
Tying It All Together
Summary
Further Reading
Exercises

Access Control Matrix
Protection State
Access Control Matrix Model
Protection State Transitions
Conditional Commands
Summary
Further Reading
Exercises

Foundational Results
The General Question
Basic Results
Summary
Further Reading
Exercises

Security Policies
Security Policies
Types of Security Policies
The Role of Trust
Types of Access Control
Example: Academic Computer Security Policy
General University Policy
Electronic Mail Policy
Summary
Further Reading
Exercises

Confidentiality Policies
Goals of Confidentiality Policies
The Bell-LaPadula Model
Informal Description
Example: The Data General B2 UNIX System
Summary
Further Reading
Exercises

Integrity Policies
Goals
Biba Integrity Model
Clark-Wilson Integrity Model
The Model
Comparison with the Requirements
Comparison with Other Models
Summary
Further Reading
Exercises

Hybrid Policies
Chinese Wall Model
Bell-LaPadula and Chinese Wall Models
Clark-Wilson and Chinese Wall Models
Clinical Information Systems Security Policy
Bell-LaPadula and Clark-Wilson Models
Originator Controlled Access Control
Role-Based Access Control
Summary
Further Reading
Exercises

Basic Cryptography
What Is Cryptography?
Classical Cryptosystems
Transposition Ciphers
Substitution Ciphers
Data Encryption Standard
Other Classical Ciphers
Public Key Cryptography
RSA
Cryptographic Checksums
HMAC
Summary
Further Reading
Exercises

Key Management
Session and Interchange Keys
Key Exchange
Classical Cryptographic Key Exchange and Authentication
Kerberos
Public Key Cryptographic Key Exchange and Authentication
Cryptographic Key Infrastructures
Certificate Signature Chains
Summary
Storing and Revoking Keys
Key Storage
Key Revocation
Digital Signatures
Classical Signatures
Public Key Signatures
Summary
Further Reading
Exercises

Cipher Techniques
Problems
Precomputing the Possible Messages
Misordered Blocks
Statistical Regularities
Summary
Stream and Block Ciphers
Stream Ciphers
Block Ciphers
Networks and Cryptography
Example Protocols
Secure Electronic Mail: PEM
Security at the Network Layer: IPsec
Conclusion
Summary
Further Reading
Exercises

Authentication
Authentication Basics
Passwords
Attacking a Password System
Countering Password Guessing
Password Aging
Challenge-Response
Pass Algorithms
One-Time Passwords
Hardware-Supported Challenge-Response Procedures
Challenge-Response and Dictionary Attacks
Biometrics
Fingerprints
Voices
Eyes
Faces
Keystrokes
Combinations
Caution
Location
Multiple Methods
Summary
Further Reading
Exercises

Design Principles
Overview
Design Principles
Principle of Least Privilege
Principle of Fail-Safe Defaults
Principle of Economy of Mechanism
Principle of Complete Mediation
Principle of Open Design
Principle of Separation of Privilege
Principle of Least Common Mechanism
Principle of Psychological Acceptability
Summary
Further Reading
Exercises

Representing Identity
What Is Identity?
Files and Objects
Users
Groups and Roles
Naming and Certificates
The Meaning of the Identity
Trust
Identity on the Web
Host Identity
State and Cookies
Anonymity on the Web
Summary
Further Reading
Exercises

Access Control Mechanisms
Access Control Lists
Abbreviations of Access Control Lists
Creation and Maintenance of Access Control Lists
Revocation of Rights
Example: Windows NT Access Control Lists
Capabilities
Implementation of Capabilities
Copying and Amplifying Capabilities
Revocation of Rights
Limits of Capabilities
Comparison with Access Control Lists
Locks and Keys
Type Checking
Ring-Based Access Control
Propagated Access Control Lists
Summary
Further Reading
Exercises

Information Flow
Basics and Background
Information Flow Models and Mechanisms
Compiler-Based Mechanisms
Declarations
Program Statements
Exceptions and Infinite Loops
Concurrency
Soundness
Execution-Based Mechanisms
Fenton's Data Mark Machine
Variable Classes
Example Information Flow Controls
Security Pipeline Interface
Secure Network Server Mail Guard
Summary
Further Reading
Exercises

Confinement Problem
The Confinement Problem
Isolation
Virtual Machines
Sandboxes
Covert Channels
Detection of Covert Channels
Mitigation of Covert Channels
Summary
Further Reading
Exercises

Introduction to Assurance
Assurance and Trust
The Need for Assurance
The Role of Requirements in Assurance
Assurance Throughout the Life Cycle
Building Secure and Trusted Systems
Life Cycle
The Waterfall Life Cycle Model
Other Models of Software Development
Building Security In or Adding Security Later
Summary
Further Reading
Exercises

Evaluating Systems
Goals of Formal Evaluation
Deciding to Evaluate
Historical Perspective of Evaluation Methodologies
TCSEC: 1983-1999
TCSEC Requirements
The TCSEC Evaluation Classes
The TCSEC Evaluation Process
Impacts
FIPS 140: 1994-Present
FIPS 140 Requirements
FIPS 140-2 Security Levels
Impact
The Common Criteria: 1998-Present
Overview of the Methodology
CC Requirements
CC Security Functional Requirements
Assurance Requirements
Evaluation Assurance Levels
Evaluation Process
Impacts
Future of the Common Criteria
SSE-CMM: 1997-Present
The SSE-CMM Model
Using the SSE-CMM
Summary
Further Reading
Exercises

Malicious Logic
Introduction
Trojan Horses
Computer Viruses
Boot Sector Infectors
Executable Infectors
Multipartite Viruses
TSR Viruses
Stealth Viruses
Encrypted Viruses
Polymorphic Viruses
Macro Viruses
Computer Worms
Other Forms of Malicious Logic
Rabbits and Bacteria
Logic Bombs
Defenses
Malicious Logic Acting as Both Data and Instructions
Malicious Logic Assuming the Identity of a User
Malicious Logic Crossing Protection Domain Boundaries by Sharing
Malicious Logic Altering Files
Malicious Logic Performing Actions Beyond Specification
Malicious Logic Altering Statistical Characteristics
The Notion of Trust
Summary
Further Reading
Exercises

Vulnerability Analysis
Introduction
Penetration Studies
Goals
Layering of Tests
Methodology at Each Layer
Flaw Hypothesis Methodology
Example: Penetration of the Michigan Terminal System
Example: Compromise of a Burroughs System
Example: Penetration of a Corporate Computer System
Example: Penetrating a UNIX System
Example: Penetrating a Windows NT System
Debate
Conclusion
Vulnerability Classification
Two Security Flaws
Frameworks
The RISOS Study
Protection Analysis Model
The NRL Taxonomy
Aslam's Model
Comparison and Analysis
Further Reading
Exercises

Auditing
Definitions
Anatomy of an Auditing System
Logger
Analyzer
Notifier
Designing an Auditing System
Implementation Considerations
Syntactic Issues
Log Sanitization
Application and System Logging
A Posteriori Design
Auditing to Detect Violations of a Known Policy
Auditing to Detect Known Violations of a Policy
Auditing Mechanisms
Secure Systems
Nonsecure Systems
Examples: Auditing File Systems
Audit Analysis of the NFS Version 2 Protocol
The Logging and Auditing File System (LAFS)
Comparison
Audit Browsing
Summary
Further Reading
Exercises

Intrusion Detection
Principles
Basic Intrusion Detection
Models
Anomaly Modeling
Misuse Modeling
Specification Modeling
Summary
Architecture
Agent
Director
Notifier
Organization of Intrusion Detection Systems
Monitoring Network Traffic for Intrusions: NSM
Combining Host and Network Monitoring: DIDS
Autonomous Agents: AAFID
Intrusion Response
Incident Prevention
Intrusion Handling
Exercises

Network Security
Introduction
Policy Development
Data Classes
User Classes
Availability
Consistency Check
Network Organization
Firewalls and Proxies
Analysis of the Network Infrastructure
In the DMZ
In the Internal Network
General Comment on Assurance
Availability and Network Flooding
Intermediate Hosts
TCP State and Memory Allocations
Anticipating Attacks
Summary
Further Reading
Exercises

System Security
Introduction
Policy
The Web Server System in the DMZ
The Development System
Comparison
Conclusion
Networks
The Web Server System in the DMZ
The Development System
Comparison
Users
The Web Server System in the DMZ
The Development System
Comparison
Authentication
The Web Server System in the DMZ
Development Network System
Comparison
Processes
The Web Server System in the DMZ
The Development System
Comparison
Files
The Web Server System in the DMZ
The Development System
Comparison
Retrospective
The Web Server System in the DMZ
The Development System
Summary
Further Reading
Exercises

User Security
Policy
Access
Passwords
The Login Procedure
Leaving the System
Files and Devices
Files
Devices
Processes
Copying and Moving Files
Accidentally Overwriting Files
Encryption, Cryptographic Keys, and Passwords
Start-up Settings
Limiting Privileges
Malicious Logic
Electronic Communications
Automated Electronic Mail Processing
Failure to Check Certificates
Sending Unexpected Content
Summary
Further Reading
Exercises

Program Security
Introduction
Requirements and Policy
Requirements
Threats
Design
Framework
Access to Roles and Commands
Refinement and Implementation
First-Level Refinement
Second-Level Refinement
Functions
Summary
Common Security-Related Programming Problems
Improper Choice of Initial Protection Domain
Improper Isolation of Implementation Detail
Improper Change
Improper Naming
Improper Deallocation or Deletion
Improper Validation
Improper Indivisibility
Improper Sequencing
Improper Choice of Operand or Operation
Summary
Testing, Maintenance, and Operation
Testing
Testing Composed Modules
Testing the Program
Distribution
Conclusion
Summary
Further Reading
Exercises

Lattices
Basics
Lattices
Exercises

The Extended Euclidean Algorithm
The Euclidean Algorithm
The Extended Euclidean Algorithm
Solving ax mod n = 1
Solving ax mod n = b
Exercises

Virtual Machines
Virtual Machine Structure
Virtual Machine Monitor
Privilege and Virtual Machines
Physical Resources and Virtual Machines
Paging and Virtual Machines
Exercises

Bibliography

Index