| |
| |
| List of Tables | |
| |
| |
| List of Figures | |
| |
| |
| Preface | |
| |
| |
| |
| Access Control, Security, Trust, and Logic | |
| |
| |
| |
| Deconstructing Access-Control Decisions | |
| |
| |
| |
| A Logical Approach to Access Control | |
| |
| |
| |
| Preliminaries | |
| |
| |
| |
| A Language for Access Control | |
| |
| |
| |
| Sets and Relations | |
| |
| |
| |
| Notation | |
| |
| |
| |
| Approaches for Mathematical Proofs | |
| |
| |
| |
| Syntax | |
| |
| |
| |
| Principal Expressions | |
| |
| |
| |
| Access-Control Statements | |
| |
| |
| |
| Well-Formed Formulas | |
| |
| |
| |
| Semantics | |
| |
| |
| |
| Kripke Structures | |
| |
| |
| |
| Semantics of the Logic | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Reasoning about Access Control | |
| |
| |
| |
| Logical Rules | |
| |
| |
| |
| The Taut Rule | |
| |
| |
| |
| The Modus Ponens Rule | |
| |
| |
| |
| The Says Rule | |
| |
| |
| |
| The MP Says Rule | |
| |
| |
| |
| The Speaks For Rule | |
| |
| |
| |
| The & Says and Quoting Rules | |
| |
| |
| |
| Properties of → | |
| |
| |
| |
| The Equivalence Rule | |
| |
| |
| |
| The Controls Definition | |
| |
| |
| |
| Formal Proofs and Theorems | |
| |
| |
| |
| Soundness of Logical Rules | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Basic Concepts | |
| |
| |
| |
| Reference Monitors | |
| |
| |
| |
| Access-Control Mechanisms: Tickets and Lists | |
| |
| |
| |
| Tickets | |
| |
| |
| |
| Lists | |
| |
| |
| |
| Logical and Pragmatic Implications | |
| |
| |
| |
| Authentication | |
| |
| |
| |
| Two-Factor Authentication | |
| |
| |
| |
| Using Credentials from Other Authorities | |
| |
| |
| |
| Groups | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Security Policies | |
| |
| |
| |
| Confidentiality, Integrity, and Availability | |
| |
| |
| |
| Discretionary Security Policies | |
| |
| |
| |
| Mandatory Security Policies | |
| |
| |
| |
| Military Security Policies | |
| |
| |
| |
| Extending the Logic with Security levels | |
| |
| |
| |
| Expressing Military Security Policies | |
| |
| |
| |
| Military Security Policies: An Extended Example | |
| |
| |
| |
| Commercial Policies | |
| |
| |
| |
| Extending the Logic with Integrity Levels | |
| |
| |
| |
| Protecting Integrity | |
| |
| |
| |
| Strict Integrity | |
| |
| |
| |
| An Extended Example of a Strict Integrity Policy | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Distributed Access Control | |
| |
| |
| |
| Digital Authentication | |
| |
| |
| |
| Public-Key Cryptography | |
| |
| |
| |
| Efficiency Mechanisms | |
| |
| |
| |
| Cryptographic Hash Functions | |
| |
| |
| |
| Data-Encryption Keys | |
| |
| |
| |
| Digital Signatures | |
| |
| |
| |
| Reasoning about Cryptographic Communications | |
| |
| |
| |
| Certificates, Certificate Authorities, and Trust | |
| |
| |
| |
| Symmetric-Key Cryptography | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Delegation | |
| |
| |
| |
| Simple Delegations | |
| |
| |
| |
| Delegation and Its Properties | |
| |
| |
| |
| A Delegation Example: Simple Checking | |
| |
| |
| |
| Formal Definitions of Checks | |
| |
| |
| |
| Bank Policies on Checks | |
| |
| |
| |
| Operating Rules for Checks | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Networks: Case Studies | |
| |
| |
| |
| SSL and TLS: Authentication across the Web | |
| |
| |
| |
| Handshake Protocol | |
| |
| |
| |
| Record Protocol | |
| |
| |
| |
| Kerberos: Authentication for Distributed Systems | |
| |
| |
| |
| Initial Authentication Requests | |
| |
| |
| |
| Requests for Service-Specific Tickets | |
| |
| |
| |
| Requests for Services | |
| |
| |
| |
| Proxiable Tickets | |
| |
| |
| |
| Financial Networks | |
| |
| |
| |
| Electronic Clearinghouses | |
| |
| |
| |
| Bank Authorities, Jurisdiction, and Policies | |
| |
| |
| |
| Bank Operating Rules | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Isolation and Sharing | |
| |
| |
| |
| A Primer on Computer Hardware | |
| |
| |
| |
| Ones and Zeros | |
| |
| |
| |
| Synchronous Design | |
| |
| |
| |
| Synchronous Registers | |
| |
| |
| |
| Registers with Load Control | |
| |
| |
| |
| Registers with Tri-State Outputs | |
| |
| |
| |
| Combinational Logic and Functions | |
| |
| |
| |
| Arithmetic Logic Units | |
| |
| |
| |
| Microcode | |
| |
| |
| |
| Data Paths and Control Paths | |
| |
| |
| |
| Microprogramming | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Virtual Machines and Memory Protection | |
| |
| |
| |
| A Simple Processor | |
| |
| |
| |
| Processor Components | |
| |
| |
| |
| Machine Instructions | |
| |
| |
| |
| Processors with Memory Segmentation | |
| |
| |
| |
| Segmentation Using a Relocation Register | |
| |
| |
| |
| Processor State and Instructions | |
| |
| |
| |
| Program Status Word | |
| |
| |
| |
| Traps | |
| |
| |
| |
| Controlling Access to Memory and Segmentation Registers | |
| |
| |
| |
| Access to Program Memory | |
| |
| |
| |
| Implementation Details | |
| |
| |
| |
| Access to the Relocation Register | |
| |
| |
| |
| Setting the Mode Bit | |
| |
| |
| |
| Design of the Virtual Machine Monitor | |
| |
| |
| |
| Privileged Instructions | |
| |
| |
| |
| Sensitive Instructions | |
| |
| |
| |
| Virtualizable Processor Architectures | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Access Control Using Descriptors and Capabilities | |
| |
| |
| |
| Address Descriptors and Capabilities | |
| |
| |
| |
| Tagged Architectures | |
| |
| |
| |
| Capability Systems | |
| |
| |
| |
| Catalogs | |
| |
| |
| |
| Creating New Segments | |
| |
| |
| |
| Dynamic Sharing | |
| |
| |
| |
| Revocation of Capabilities | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Access Control Using Lists and Rings | |
| |
| |
| |
| Generalized Addresses | |
| |
| |
| |
| Segment Access Controllers | |
| |
| |
| |
| ACL-Based Access Policy for Memory Accesses | |
| |
| |
| |
| Ring-Based Access Control | |
| |
| |
| |
| Access Brackets | |
| |
| |
| |
| Call Brackets | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Access Policies | |
| |
| |
| |
| Confidentiality and Integrity Policies | |
| |
| |
| |
| Classifications and Categories | |
| |
| |
| |
| Bell-La Padula Model, Revisited | |
| |
| |
| |
| Confidentiality levels: Some Practical Considerations | |
| |
| |
| |
| Biba's Strict Integrity, Revisited | |
| |
| |
| |
| Lipner's Integrity Model | |
| |
| |
| |
| Commercial Integrity Requirements | |
| |
| |
| |
| Commercial Integrity via Bell-La Padula | |
| |
| |
| |
| Commercial Integrity via Bell-La Padula and Strict Integrity | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Role-Based Access Control | |
| |
| |
| |
| RBAC Fundamentals | |
| |
| |
| |
| Role Inheritance | |
| |
| |
| |
| Sessions | |
| |
| |
| |
| Separation of Duty | |
| |
| |
| |
| Static Separation of Duty | |
| |
| |
| |
| Dynamic Separation of Duty | |
| |
| |
| |
| Representing RBAC Systems in the Logic | |
| |
| |
| |
| RBAC Extensions to the Logic | |
| |
| |
| |
| Translating RBAC into the Logic | |
| |
| |
| |
| Summary | |
| |
| |
| |
| Further Reading | |
| |
| |
| |
| Summary of the Access-Control Logic | |
| |
| |
| |
| Syntax | |
| |
| |
| |
| Core Rules, Derived Rules, and Extensions | |
| |
| |
| Bibliography | |
| |
| |
| Notation Index | |
| |
| |
| General Index | |