List of Tables
List of Figures
Preface
Access Control, Security, Trust, and Logic
Deconstructing Access-Control Decisions
A Logical Approach to Access Control
Preliminaries
A Language for Access Control
Sets and Relations
Notation
Approaches for Mathematical Proofs
Syntax
Principal Expressions
Access-Control Statements
Well-Formed Formulas
Semantics
Kripke Structures
Semantics of the Logic
Summary
Further Reading
Reasoning about Access Control
Logical Rules
The Taut Rule
The Modus Ponens Rule
The Says Rule
The MP Says Rule
The Speaks For Rule
The & Says and Quoting Rules
Properties of →
The Equivalence Rule
The Controls Definition
Formal Proofs and Theorems
Soundness of Logical Rules
Summary
Further Reading
Basic Concepts
Reference Monitors
Access-Control Mechanisms: Tickets and Lists
Tickets
Lists
Logical and Pragmatic Implications
Authentication
Two-Factor Authentication
Using Credentials from Other Authorities
Groups
Summary
Further Reading
Security Policies
Confidentiality, Integrity, and Availability
Discretionary Security Policies
Mandatory Security Policies
Military Security Policies
Extending the Logic with Security Levels
Expressing Military Security Policies
Military Security Policies: An Extended Example
Commercial Policies
Extending the Logic with Integrity Levels
Protecting Integrity
Strict Integrity
An Extended Example of a Strict Integrity Policy
Summary
Further Reading
Distributed Access Control
Digital Authentication
Public-Key Cryptography
Efficiency Mechanisms
Cryptographic Hash Functions
Data-Encryption Keys
Digital Signatures
Reasoning about Cryptographic Communications
Certificates, Certificate Authorities, and Trust
Symmetric-Key Cryptography
Summary
Further Reading
Delegation
Simple Delegations
Delegation and Its Properties
A Delegation Example: Simple Checking
Formal Definitions of Checks
Bank Policies on Checks
Operating Rules for Checks
Summary
Further Reading
Networks: Case Studies
SSL and TLS: Authentication across the Web
Handshake Protocol
Record Protocol
Kerberos: Authentication for Distributed Systems
Initial Authentication Requests
Requests for Service-Specific Tickets
Requests for Services
Proxiable Tickets
Financial Networks
Electronic Clearinghouses
Bank Authorities, Jurisdiction, and Policies
Bank Operating Rules
Summary
Further Reading
Isolation and Sharing
A Primer on Computer Hardware
Ones and Zeros
Synchronous Design
Synchronous Registers
Registers with Load Control
Registers with Tri-State Outputs
Combinational Logic and Functions
Arithmetic Logic Units
Microcode
Data Paths and Control Paths
Microprogramming
Summary
Further Reading
Virtual Machines and Memory Protection
A Simple Processor
Processor Components
Machine Instructions
Processors with Memory Segmentation
Segmentation Using a Relocation Register
Processor State and Instructions
Program Status Word
Traps
Controlling Access to Memory and Segmentation Registers
Access to Program Memory
Implementation Details
Access to the Relocation Register
Setting the Mode Bit
Design of the Virtual Machine Monitor
Privileged Instructions
Sensitive Instructions
Virtualizable Processor Architectures
Summary
Further Reading
Access Control Using Descriptors and Capabilities
Address Descriptors and Capabilities
Tagged Architectures
Capability Systems
Catalogs
Creating New Segments
Dynamic Sharing
Revocation of Capabilities
Summary
Further Reading
Access Control Using Lists and Rings
Generalized Addresses
Segment Access Controllers
ACL-Based Access Policy for Memory Accesses
Ring-Based Access Control
Access Brackets
Call Brackets
Summary
Further Reading
Access Policies
Confidentiality and Integrity Policies
Classifications and Categories
Bell-La Padula Model, Revisited
Confidentiality Levels: Some Practical Considerations
Biba's Strict Integrity, Revisited
Lipner's Integrity Model
Commercial Integrity Requirements
Commercial Integrity via Bell-La Padula
Commercial Integrity via Bell-La Padula and Strict Integrity
Summary
Further Reading
Role-Based Access Control
RBAC Fundamentals
Role Inheritance
Sessions
Separation of Duty
Static Separation of Duty
Dynamic Separation of Duty
Representing RBAC Systems in the Logic
RBAC Extensions to the Logic
Translating RBAC into the Logic
Summary
Further Reading
Summary of the Access-Control Logic
Syntax
Core Rules, Derived Rules, and Extensions
Bibliography
Notation Index
General Index