Computer security: art and science
Saved in:
1st author: | Bishop, Matt |
---|---|
Format: | Book |
Language: | English |
Published: | Boston ; Munich [et al.] : Addison-Wesley, 2006 |
Edition: | 9. printing |
Subjects: | Computer security ; Data protection (GND headings: Computersicherheit, Datensicherung) |
Online access: | Table of contents |
Description: | XLI, 1084 pages |
ISBN: | 0201440997 |
Internal format
MARC
LEADER | 00000nam a2200000zc 4500 | ||
---|---|---|---|
001 | BV022289754 | ||
003 | DE-604 | ||
005 | 20080605 | ||
007 | t | ||
008 | 070227s2006 xxu |||| 00||| eng d | ||
020 | |a 0201440997 |9 0-201-44099-7 | ||
035 | |a (OCoLC)255712417 | ||
035 | |a (DE-599)BVBBV022289754 | ||
040 | |a DE-604 |b ger |e aacr | ||
041 | 0 | |a eng | |
044 | |a xxu |c US | ||
049 | |a DE-739 | ||
084 | |a ST 273 |0 (DE-625)143640: |2 rvk | ||
084 | |a ST 276 |0 (DE-625)143642: |2 rvk | ||
084 | |a ST 277 |0 (DE-625)143643: |2 rvk | ||
084 | |a DAT 050f |2 stub | ||
084 | |a DAT 460f |2 stub | ||
100 | 1 | |a Bishop, Matt |e Verfasser |0 (DE-588)129811564 |4 aut | |
245 | 1 | 0 | |a Computer security |b art and science |c Matt Bishop |
250 | |a 9. printing | ||
264 | 1 | |a Boston ; Munich [u.a.] |b Addison-Wesley |c 2006 | |
300 | |a XLI, 1084 S. | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
650 | 4 | |a Computersicherheit | |
650 | 0 | 7 | |a Datensicherung |0 (DE-588)4011144-1 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Computersicherheit |0 (DE-588)4274324-2 |2 gnd |9 rswk-swf |
689 | 0 | 0 | |a Computersicherheit |0 (DE-588)4274324-2 |D s |
689 | 0 | |5 DE-604 | |
689 | 1 | 0 | |a Datensicherung |0 (DE-588)4011144-1 |D s |
689 | 1 | |8 1\p |5 DE-604 | |
856 | 4 | 2 | |m GBV Datenaustausch |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015499949&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
999 | |a oai:aleph.bib-bvb.de:BVB01-015499949 | ||
883 | 1 | |8 1\p |a cgwrk |d 20201028 |q DE-101 |u https://d-nb.info/provenance/plan#cgwrk |
Record in the search index
_version_ | 1804136303352086528 |
---|---|
adam_text |
Computer Security: Art and Science. Matt Bishop. Addison-Wesley: Boston, San Francisco, New York, Toronto, Montreal, London, Munich, Paris, Madrid, Cape Town, Sydney, Tokyo, Singapore, Mexico City.

Contents
Preface xxxi
Goals xxxii
Philosophy xxxiii
Organization xxxv
Roadmap xxxvi
Dependencies xxxvi
Background xxxvii
Undergraduate Level xxxviii
Graduate Level xxxviii
Practitioners xl
Special Acknowledgment xl
Acknowledgments xl

Part 1: Introduction 1
Chapter 1 An Overview of Computer Security 3
1.1 The Basic Components 3
1.1.1 Confidentiality 4
1.1.2 Integrity 5
1.1.3 Availability 6
1.2 Threats 6
1.3 Policy and Mechanism 9
1.3.1 Goals of Security 10
1.4 Assumptions and Trust 11
1.5 Assurance 12
1.5.1 Specification 13
1.5.2 Design 14
1.5.3 Implementation 14
1.6 Operational Issues 16
1.6.1 Cost-Benefit Analysis 16
1.6.2 Risk Analysis 17
1.6.3 Laws and Customs 18
1.7 Human Issues 19
1.7.1 Organizational Problems 20
1.7.2 People Problems 21
1.8 Tying It All Together 22
1.9 Summary 23
1.10 Research Issues 24
1.11 Further Reading 24
1.12 Exercises 25

Part 2: Foundations 29
Chapter 2 Access Control Matrix 31
2.1 Protection State 31
2.2 Access Control Matrix Model 32
2.2.1 Access Control by Boolean Expression Evaluation 35
2.2.2 Access Controlled by History 36
2.3 Protection State Transitions 37
2.3.1 Conditional Commands 40
2.4 Copying, Owning, and the Attenuation of Privilege 41
2.4.1 Copy Right 42
2.4.2 Own Right 42
2.4.3 Principle of Attenuation of Privilege 43
2.5 Summary 43
2.6 Research Issues 44
2.7 Further Reading 44
2.8 Exercises 44

Chapter 3 Foundational Results 47
3.1 The General Question 47
3.2 Basic Results 48
3.3 The Take-Grant Protection Model 53
3.3.1 Sharing of Rights 55
3.3.2 Interpretation of the Model 58
3.3.3 Theft in the Take-Grant Protection Model 60
3.3.4 Conspiracy 63
3.3.5 Summary 65
3.4 Closing the Gap 65
3.4.1 Schematic Protection Model 66
3.4.1.1 Link Predicate 66
3.4.1.2 Filter Function 68
3.4.1.3 Putting It All Together 68
3.4.1.4 Demand and Create Operations 69
3.4.1.5 Safety Analysis 72
3.5 Expressive Power and the Models 78
3.5.1 Brief Comparison of HRU and SPM 78
3.5.2 Extending SPM 79
3.5.3 Simulation and Expressiveness 83
3.5.4 Typed Access Matrix Model 88
3.6 Summary 90
3.7 Research Issues 90
3.8 Further Reading 91
3.9 Exercises 91

Part 3: Policy 93
Chapter 4 Security Policies 95
4.1 Security Policies 95
4.2 Types of Security Policies 99
4.3 The Role of Trust 101
4.4 Types of Access Control 103
4.5 Policy Languages 104
4.5.1 High-Level Policy Languages 104
4.5.2 Low-Level Policy Languages 109
4.6 Example: Academic Computer Security Policy 111
4.6.1 General University Policy 111
4.6.2 Electronic Mail Policy 112
4.6.2.1 The Electronic Mail Policy Summary 112
4.6.2.2 The Full Policy 113
4.6.2.3 Implementation at UC Davis 114
4.7 Security and Precision 114
4.8 Summary 119
4.9 Research Issues 119
4.10 Further Reading 120
4.11 Exercises 120

Chapter 5 Confidentiality Policies 123
5.1 Goals of Confidentiality Policies 123
5.2 The Bell-LaPadula Model 124
5.2.1 Informal Description 124
5.2.2 Example: The Data General B2 UNIX System 128
5.2.2.1 Assigning MAC Labels 128
5.2.2.2 Using MAC Labels 131
5.2.3 Formal Model 132
5.2.3.1 Basic Security Theorem 134
5.2.3.2 Rules of Transformation 136
5.2.4 Example Model Instantiation: Multics 139
5.2.4.1 The get-read Rule 140
5.2.4.2 The give-read Rule 141
5.3 Tranquility 142
5.4 The Controversy over the Bell-LaPadula Model 143
5.4.1 McLean's †-Property and the Basic Security Theorem 143
5.4.2 McLean's System Z and More Questions 146
5.4.3 Summary 148
5.5 Summary 148
5.6 Research Issues 148
5.7 Further Reading 149
5.8 Exercises 150

Chapter 6 Integrity Policies 151
6.1 Goals 151
6.2 Biba Integrity Model 153
6.2.1 Low-Water-Mark Policy 154
6.2.2 Ring Policy 155
6.2.3 Biba's Model (Strict Integrity Policy) 155
6.3 Lipner's Integrity Matrix Model 156
6.3.1 Lipner's Use of the Bell-LaPadula Model 156
6.3.2 Lipner's Full Model 158
6.3.3 Comparison with Biba 160
6.4 Clark-Wilson Integrity Model 160
6.4.1 The Model 161
6.4.1.1 A UNIX Approximation to Clark-Wilson 164
6.4.2 Comparison with the Requirements 164
6.4.3 Comparison with Other Models 165
6.5 Summary 166
6.6 Research Issues 166
6.7 Further Reading 167
6.8 Exercises 167

Chapter 7 Hybrid Policies 169
7.1 Chinese Wall Model 169
7.1.1 Informal Description 170
7.1.2 Formal Model 172
7.1.3 Bell-LaPadula and Chinese Wall Models 175
7.1.4 Clark-Wilson and Chinese Wall Models 177
7.2 Clinical Information Systems Security Policy 177
7.2.1 Bell-LaPadula and Clark-Wilson Models 179
7.3 Originator Controlled Access Control 180
7.4 Role-Based Access Control 182
7.5 Summary 184
7.6 Research Issues 184
7.7 Further Reading 184
7.8 Exercises 185

Chapter 8 Noninterference and Policy Composition 187
8.1 The Problem 187
8.1.1 Composition of Bell-LaPadula Models 188
8.2 Deterministic Noninterference 191
8.2.1 Unwinding Theorem 195
8.2.2 Access Control Matrix Interpretation 197
8.2.3 Security Policies That Change over Time 200
8.2.4 Composition of Deterministic Noninterference-Secure Systems 201
8.3 Nondeducibility 202
8.3.1 Composition of Deducibly Secure Systems 204
8.4 Generalized Noninterference 205
8.4.1 Composition of Generalized Noninterference Systems 206
8.5 Restrictiveness 208
8.5.1 State Machine Model 208
8.5.2 Composition of Restrictive Systems 209
8.6 Summary 210
8.7 Research Issues 211
8.8 Further Reading 211
8.9 Exercises 212

Part 4: Implementation I: Cryptography 215
Chapter 9 Basic Cryptography 217
9.1 What Is Cryptography? 217
9.2 Classical Cryptosystems 218
9.2.1 Transposition Ciphers 219
9.2.2 Substitution Ciphers 220
9.2.2.1 Vigenère Cipher 221
9.2.2.2 One-Time Pad 227
9.2.3 Data Encryption Standard 228
9.2.4 Other Classical Ciphers 232
9.3 Public Key Cryptography 233
9.3.1 Diffie-Hellman 233
9.3.2 RSA 234
9.4 Cryptographic Checksums 237
9.4.1 HMAC 239
9.5 Summary 239
9.6 Research Issues 240
9.7 Further Reading 240
9.8 Exercises 241

Chapter 10 Key Management 245
10.1 Session and Interchange Keys 246
10.2 Key Exchange 246
10.2.1 Classical Cryptographic Key Exchange and Authentication 247
10.2.2 Kerberos 250
10.2.3 Public Key Cryptographic Key Exchange and Authentication 251
10.3 Key Generation 252
10.4 Cryptographic Key Infrastructures 254
10.4.1 Merkle's Tree Authentication Scheme 255
10.4.2 Certificate Signature Chains 256
10.4.2.1 X.509: Certification Signature Chains 256
10.4.2.2 PGP Certificate Signature Chains 258
10.4.3 Summary 260
10.5 Storing and Revoking Keys 261
10.5.1 Key Storage 261
10.5.1.1 Key Escrow 262
10.5.1.2 Key Escrow System and the Clipper Chip 263
10.5.1.3 The Yaksha Security System 264
10.5.1.4 Other Approaches 265
10.5.2 Key Revocation 265
10.6 Digital Signatures 266
10.6.1 Classical Signatures 267
10.6.2 Public Key Signatures 267
10.6.2.1 RSA Digital Signatures 267
10.6.2.2 El Gamal Digital Signature 269
10.7 Summary 270
10.8 Research Issues 271
10.9 Further Reading 272
10.10 Exercises 272

Chapter 11 Cipher Techniques 275
11.1 Problems 275
11.1.1 Precomputing the Possible Messages 275
11.1.2 Misordered Blocks 276
11.1.3 Statistical Regularities 276
11.1.4 Summary 277
11.2 Stream and Block Ciphers 277
11.2.1 Stream Ciphers 277
11.2.1.1 Synchronous Stream Ciphers 278
11.2.1.2 Self-Synchronous Stream Ciphers 280
11.2.2 Block Ciphers 281
11.2.2.1 Multiple Encryption 282
11.3 Networks and Cryptography 283
11.4 Example Protocols 286
11.4.1 Secure Electronic Mail: PEM 286
11.4.1.1 Design Principles 287
11.4.1.2 Basic Design 288
11.4.1.3 Other Considerations 289
11.4.1.4 Conclusion 290
11.4.2 Security at the Transport Layer: SSL 291
11.4.2.1 Supporting Cryptographic Mechanisms 292
11.4.2.2 Lower Layer: SSL Record Protocol 294
11.4.2.3 Upper Layer: SSL Handshake Protocol 295
11.4.2.4 Upper Layer: SSL Change Cipher Spec Protocol 297
11.4.2.5 Upper Layer: SSL Alert Protocol 297
11.4.2.6 Upper Layer: Application Data Protocol 298
11.4.2.7 Summary 298
11.4.3 Security at the Network Layer: IPsec 298
11.4.3.1 IPsec Architecture 299
11.4.3.2 Authentication Header Protocol 303
11.4.3.3 Encapsulating Security Payload Protocol 304
11.4.4 Conclusion 305
11.5 Summary 306
11.6 Research Issues 306
11.7 Further Reading 306
11.8 Exercises 307

Chapter 12 Authentication 309
12.1 Authentication Basics 309
12.2 Passwords 310
12.2.1 Attacking a Password System 312
12.2.2 Countering Password Guessing 313
12.2.2.1 Random Selection of Passwords 314
12.2.2.2 Pronounceable and Other Computer-Generated Passwords 315
12.2.2.3 User Selection of Passwords 316
12.2.2.4 Reusable Passwords and Dictionary Attacks 320
12.2.2.5 Guessing Through Authentication Functions 321
12.2.3 Password Aging 322
12.3 Challenge-Response 324
12.3.1 Pass Algorithms 324
12.3.2 One-Time Passwords 325
12.3.3 Hardware-Supported Challenge-Response Procedures 326
12.3.4 Challenge-Response and Dictionary Attacks 327
12.4 Biometrics 328
12.4.1 Fingerprints 328
12.4.2 Voices 329
12.4.3 Eyes 329
12.4.4 Faces 329
12.4.5 Keystrokes 330
12.4.6 Combinations 330
12.4.7 Caution 330
12.5 Location 331
12.6 Multiple Methods 331
12.7 Summary 333
12.8 Research Issues 334
12.9 Further Reading 335
12.10 Exercises 335

Part 5: Implementation II: Systems 339
Chapter 13 Design Principles 341
13.1 Overview 341
13.2 Design Principles 343
13.2.1 Principle of Least Privilege 343
13.2.2 Principle of Fail-Safe Defaults 344
13.2.3 Principle of Economy of Mechanism 344
13.2.4 Principle of Complete Mediation 345
13.2.5 Principle of Open Design 346
13.2.6 Principle of Separation of Privilege 347
13.2.7 Principle of Least Common Mechanism 348
13.2.8 Principle of Psychological Acceptability 348
13.3 Summary 349
13.4 Research Issues 350
13.5 Further Reading 350
13.6 Exercises 351

Chapter 14 Representing Identity 353
14.1 What Is Identity? 353
14.2 Files and Objects 354
14.3 Users 355
14.4 Groups and Roles 356
14.5 Naming and Certificates 357
14.5.1 Conflicts 360
14.5.2 The Meaning of the Identity 363
14.5.3 Trust 364
14.6 Identity on the Web 366
14.6.1 Host Identity 366
14.6.1.1 Static and Dynamic Identifiers 367
14.6.1.2 Security Issues with the Domain Name Service 368
14.6.2 State and Cookies 369
14.6.3 Anonymity on the Web 371
14.6.3.1 Anonymity for Better or Worse 375
14.7 Summary 377
14.8 Research Issues 378
14.9 Further Reading 378
14.10 Exercises 379

Chapter 15 Access Control Mechanisms 381
15.1 Access Control Lists 381
15.1.1 Abbreviations of Access Control Lists 382
15.1.2 Creation and Maintenance of Access Control Lists 384
15.1.2.1 Which Subjects Can Modify an Object's ACL? 385
15.1.2.2 Do the ACLs Apply to a Privileged User? 385
15.1.2.3 Does the ACL Support Groups and Wildcards? 386
15.1.2.4 Conflicts 386
15.1.2.5 ACLs and Default Permissions 387
15.1.3 Revocation of Rights 387
15.1.4 Example: Windows NT Access Control Lists 388
15.2 Capabilities 390
15.2.1 Implementation of Capabilities 391
15.2.2 Copying and Amplifying Capabilities 392
15.2.3 Revocation of Rights 393
15.2.4 Limits of Capabilities 394
15.2.5 Comparison with Access Control Lists 395
15.3 Locks and Keys 396
15.3.1 Type Checking 397
15.3.2 Sharing Secrets 399
15.4 Ring-Based Access Control 400
15.5 Propagated Access Control Lists 402
15.6 Summary 404
15.7 Research Issues 404
15.8 Further Reading 405
15.9 Exercises 405

Chapter 16 Information Flow 407
16.1 Basics and Background 407
16.1.1 Entropy-Based Analysis 408
16.1.2 Information Flow Models and Mechanisms 409
16.2 Nonlattice Information Flow Policies 410
16.2.1 Confinement Flow Model 411
16.2.2 Transitive Nonlattice Information Flow Policies 412
16.2.3 Nontransitive Information Flow Policies 413
16.3 Compiler-Based Mechanisms 415
16.3.1 Declarations 416
16.3.2 Program Statements 418
16.3.2.1 Assignment Statements 418
16.3.2.2 Compound Statements 419
16.3.2.3 Conditional Statements 419
16.3.2.4 Iterative Statements 420
16.3.2.5 Goto Statements 421
16.3.2.6 Procedure Calls 424
16.3.3 Exceptions and Infinite Loops 424
16.3.4 Concurrency 426
16.3.5 Soundness 428
16.4 Execution-Based Mechanisms 429
16.4.1 Fenton's Data Mark Machine 430
16.4.2 Variable Classes 432
16.5 Example Information Flow Controls 433
16.5.1 Security Pipeline Interface 434
16.5.2 Secure Network Server Mail Guard 434
16.6 Summary 436
16.7 Research Issues 436
16.8 Further Reading 437
16.9 Exercises 437

Chapter 17 Confinement Problem 439
17.1 The Confinement Problem 439
17.2 Isolation 442
17.2.1 Virtual Machines 442
17.2.2 Sandboxes 444
17.3 Covert Channels 446
17.3.1 Detection of Covert Channels 448
17.3.1.1 Noninterference 448
17.3.1.2 The Shared Resource Matrix Methodology 450
17.3.1.3 Information Flow Analysis 453
17.3.1.4 Covert Flow Trees 454
17.3.2 Analysis of Covert Channels 462
17.3.2.1 Covert Channel Capacity and Noninterference 462
17.3.2.2 Measuring Covert Channel Capacity 464
17.3.2.3 Analyzing a Noisy Covert Channel's Capacity 465
17.3.3 Mitigation of Covert Channels 467
17.4 Summary 470
17.5 Research Issues 471
17.6 Further Reading 472
17.7 Exercises 472

Part 6: Assurance 475
(Contributed by Elisabeth Sullivan)
Chapter 18 Introduction to Assurance 477
18.1 Assurance and Trust 477
18.1.1 The Need for Assurance 479
18.1.2 The Role of Requirements in Assurance 481
18.1.3 Assurance Throughout the Life Cycle 482
18.2 Building Secure and Trusted Systems 484
18.2.1 Life Cycle 484
18.2.1.1 Conception 485
18.2.1.2 Manufacture 486
18.2.1.3 Deployment 487
18.2.1.4 Fielded Product Life 488
18.2.2 The Waterfall Life Cycle Model 488
18.2.2.1 Requirements Definition and Analysis 488
18.2.2.2 System and Software Design 489
18.2.2.3 Implementation and Unit Testing 489
18.2.2.4 Integration and System Testing 490
18.2.2.5 Operation and Maintenance 490
18.2.2.6 Discussion 490
18.2.3 Other Models of Software Development 491
18.2.3.1 Exploratory Programming 491
18.2.3.2 Prototyping 491
18.2.3.3 Formal Transformation 491
18.2.3.4 System Assembly from Reusable Components 492
18.2.3.5 Extreme Programming 492
18.3 Summary 492
18.4 Research Issues 493
18.5 Further Reading 494
18.6 Exercises 494

Chapter 19 Building Systems with Assurance 497
19.1 Assurance in Requirements Definition and Analysis 497
19.1.1 Threats and Security Objectives 498
19.1.2 Architectural Considerations 499
19.1.2.1 Security Mechanisms and Layered Architecture 500
19.1.2.2 Building Security In or Adding Security Later 501
19.1.3 Policy Definition and Requirements Specification 505
19.1.4 Justifying Requirements 508
19.2 Assurance During System and Software Design 510
19.2.1 Design Techniques That Support Assurance 510
19.2.2 Design Document Contents 512
19.2.2.1 Security Functions Summary Specification 513
19.2.2.2 External Functional Specification 513
19.2.2.3 Internal Design Description 515
19.2.2.4 Internal Design Specification 520
19.2.3 Building Documentation and Specifications 521
19.2.3.1 Modification Specifications 521
19.2.3.2 Security Specifications 522
19.2.3.3 Formal Specifications 523
19.2.4 Justifying That Design Meets Requirements 523
19.2.4.1 Requirements Tracing and Informal Correspondence 523
19.2.4.2 Informal Arguments 526
19.2.4.3 Formal Methods: Proof Techniques 527
19.2.4.4 Review 528
19.3 Assurance in Implementation and Integration 531
19.3.1 Implementation Considerations That Support Assurance 531
19.3.2 Assurance Through Implementation Management 532
19.3.3 Justifying That the Implementation Meets the Design 533
19.3.3.1 Security Testing 533
19.3.3.2 Security Testing Using PGWG 536
19.3.3.2 Test Matrices 536
19.3.3.3 Formal Methods: Proving That Programs Are Correct 541
19.4 Assurance During Operation and Maintenance 541
19.5 Summary 541
19.6 Research Issues 542
19.7 Further Reading 542
19.8 Exercises 543

Chapter 20 Formal Methods 545
20.1 Formal Verification Techniques 545
20.2 Formal Specification 548
20.3 Early Formal Verification Techniques 551
20.3.1 The Hierarchical Development Methodology 551
20.3.1.1 Verification in HDM 553
20.3.1.2 The Boyer-Moore Theorem Prover 555
20.3.2 Enhanced HDM 556
20.3.3 The Gypsy Verification Environment 557
20.3.3.1 The Gypsy Language 557
20.3.3.2 The Bledsoe Theorem Prover 558
20.4 Current Verification Systems 559
20.4.1 The Prototype Verification System 559
20.4.1.1 The PVS Specification Language 559
20.4.1.2 The PVS Proof Checker 561
20.4.1.3 Experience with PVS 562
20.4.2 The Symbolic Model Verifier 562
20.4.2.1 The SMV Language 562
20.4.2.2 The SMV Proof Theory 564
20.4.2.3 SMV Experience 566
20.4.3 The Naval Research Laboratory Protocol Analyzer 566
20.4.3.1 NPA Languages 566
20.4.3.2 NPA Experience 567
20.5 Summary 567
20.6 Research Issues 568
20.7 Further Reading 568
20.8 Exercises 569

Chapter 21 Evaluating Systems 571
21.1 Goals of Formal Evaluation 571
21.1.1 Deciding to Evaluate 572
21.1.2 Historical Perspective of Evaluation Methodologies 573
21.2 TCSEC: 1983-1999 574
21.2.1 TCSEC Requirements 575
21.2.1.1 TCSEC Functional Requirements 575
21.2.1.2 TCSEC Assurance Requirements 576
21.2.2 The TCSEC Evaluation Classes 577
21.2.3 The TCSEC Evaluation Process 578
21.2.4 Impacts 578
21.2.4.1 Scope Limitations 579
21.2.4.2 Process Limitations 579
21.2.4.3 Contributions 580
21.3 International Efforts and the ITSEC: 1991-2001 581
21.3.1 ITSEC Assurance Requirements 582
21.3.1.1 Requirements in the TCSEC Not Found in the ITSEC 582
21.3.1.2 Requirements in the ITSEC Not Found in the TCSEC 583
21.3.2 The ITSEC Evaluation Levels 583
21.3.3 The ITSEC Evaluation Process 584
21.3.4 Impacts 585
21.3.4.1 Vendor-Provided Security Targets 585
21.3.4.2 Process Limitations 585
21.4 Commercial International Security Requirements: 1991 586
21.4.1 CISR Requirements 586
21.4.2 Impacts 587
21.5 Other Commercial Efforts: Early 1990s 587
21.6 The Federal Criteria: 1992 587
21.6.1 FC Requirements 588
21.6.2 Impacts 588
21.7 FIPS 140: 1994-Present 589
21.7.1 FIPS 140 Requirements 589
21.7.2 FIPS 140-2 Security Levels 590
21.7.3 Impact 591
21.8 The Common Criteria: 1998-Present 591
21.8.1 Overview of the Methodology 592
21.8.2 CC Requirements 596
21.8.3 CC Security Functional Requirements 597
21.8.4 Assurance Requirements 599
21.8.5 Evaluation Assurance Levels 599
21.8.6 Evaluation Process 601
21.8.7 Impacts 602
21.8.8 Future of the Common Criteria 602
21.8.8.1 Interpretations 602
21.8.8.2 Assurance Class AMA and Family ALC_FLR 603
21.8.8.3 Products Versus Systems 603
21.8.8.4 Protection Profiles and Security Targets 603
21.8.8.5 Assurance Class AVA 603
21.8.8.6 EAL5 604
21.9 SSE-CMM: 1997-Present 604
21.9.1 The SSE-CMM Model 604
21.9.2 Using the SSE-CMM 606
21.10 Summary 607
21.11 Research Issues 608
21.12 Further Reading 608
21.13 Exercises 609

Part 7: Special Topics 611
Chapter 22 Malicious Logic 613
22.1 Introduction 613
22.2 Trojan Horses 614
22.3 Computer Viruses 615
22.3.1 Boot Sector Infectors 617
22.3.2 Executable Infectors 618
22.3.3 Multipartite Viruses 619
22.3.4 TSR Viruses 620
22.3.5 Stealth Viruses 620
22.3.6 Encrypted Viruses 620
22.3.7 Polymorphic Viruses 621
22.3.8 Macro Viruses 622
22.4 Computer Worms 623
22.5 Other Forms of Malicious Logic 624
22.5.1 Rabbits and Bacteria 624
22.5.2 Logic Bombs 625
22.6 Theory of Malicious Logic 626
22.6.1 Theory of Computer Viruses 626
22.7 Defenses 630
22.7.1 Malicious Logic Acting as Both Data and Instructions 630
22.7.2 Malicious Logic Assuming the Identity of a User 631
22.7.2.1 Information Flow Metrics 631
22.7.2.2 Reducing the Rights 632
22.7.2.3 Sandboxing 635
22.7.3 Malicious Logic Crossing Protection Domain Boundaries by Sharing 636
22.7.4 Malicious Logic Altering Files 637
22.7.5 Malicious Logic Performing Actions Beyond Specification 638
22.7.5.1 Proof-Carrying Code 638
22.7.6 Malicious Logic Altering Statistical Characteristics 639
22.7.7 The Notion of Trust 640
22.8 Summary 640
22.9 Research Issues 640
22.10 Further Reading 641
22.11 Exercises 642

Chapter 23 Vulnerability Analysis 645
23.1 Introduction 645
23.2 Penetration Studies 647
23.2.1 Goals 647
23.2.2 Layering of Tests 648
23.2.3 Methodology at Each Layer 649
23.2.4 Flaw Hypothesis Methodology 649
23.2.4.1 Information Gathering and Flaw Hypothesis 650
23.2.4.2 Flaw Testing 651
23.2.4.3 Flaw Generalization 651
23.2.4.4 Flaw Elimination 652
23.2.5 Example: Penetration of the Michigan Terminal System 652
23.2.6 Example: Compromise of a Burroughs System 654
23.2.7 Example: Penetration of a Corporate Computer System 655
23.2.8 Example: Penetrating a UNIX System 656
23.2.9 Example: Penetrating a Windows NT System 658
23.2.10 Debate 659
23.2.11 Conclusion 660
23.3 Vulnerability Classification 660
23.3.1 Two Security Flaws 661
23.4 Frameworks 662
23.4.1 The RISOS Study 662
23.4.1.1 The Flaw Classes 664
23.4.1.2 Legacy 665
23.4.2 Protection Analysis Model 665
23.4.2.1 The Flaw Classes 666
23.4.2.2 Analysis Procedure 668
23.4.2.3 Legacy 670
23.4.3 The NRL Taxonomy 671
23.4.3.1 The Flaw Classes 671
23.4.3.2 Legacy 672
23.4.4 Aslam's Model 673
23.4.4.1 The Flaw Classes 673
23.4.4.2 Legacy 673
23.4.5 Comparison and Analysis 674
23.4.5.1 The xterm Log File Flaw 674
23.4.5.2 The fingerd Buffer Overflow Flaw 676
23.4.5.3 Summary 678
23.5 Gupta and Gligor's Theory of Penetration Analysis 678
23.5.1 The Flow-Based Model of Penetration Analysis 679
23.5.2 The Automated Penetration Analysis Tool 682
23.5.3 Discussion 682
23.6 Summary 683
23.7 Research Issues 683
23.8 Further Reading 684
23.9 Exercises 685

Chapter 24 Auditing 689
24.1 Definitions 689
24.2 Anatomy of an Auditing System 690
24.2.1 Logger 690
24.2.2 Analyzer 692
24.2.3 Notifier 693
24.3 Designing an Auditing System 693
24.3.1 Implementation Considerations 696
24.3.2 Syntactic Issues 696
24.3.3 Log Sanitization 698
24.3.4 Application and System Logging 700
24.4 A Posteriori Design 701
24.4.1 Auditing to Detect Violations of a Known Policy 702
24.4.1.1 State-Based Auditing 702
24.4.1.2 Transition-Based Auditing 703
24.4.2 Auditing to Detect Known Violations of a Policy 704
24.5 Auditing Mechanisms 705
24.5.1 Secure Systems 706
24.5.2 Nonsecure Systems 707
24.6 Examples: Auditing File Systems 708
24.6.1 Audit Analysis of the NFS Version 2 Protocol 709
24.6.2 The Logging and Auditing File System (LAFS) 713
24.6.3 Comparison 714
24.7 Audit Browsing 715
24.8 Summary 718
24.9 Research Issues 718
24.10 Further Reading 719
24.11 Exercises 720

Chapter 25 Intrusion Detection 723
25.1 Principles 723
25.2 Basic Intrusion Detection 724
25.3 Models 727
25.3.1 Anomaly Modeling 727
25.3.1.1 Derivation of Statistics 730
25.3.2 Misuse Modeling 733
25.3.3 Specification Modeling 738
25.3.4 Summary 740
25.4 Architecture 742
25.4.1 Agent 742
25.4.1.1 Host-Based Information Gathering 744
25.4.1.2 Network-Based Information Gathering 744
25.4.1.3 Combining Sources 745
25.4.2 Director 746
25.4.3 Notifier 747
25.5 Organization of Intrusion Detection Systems 748
25.5.1 Monitoring Network Traffic for Intrusions: NSM 749
25.5.2 Combining Host and Network Monitoring: DIDS 750
25.5.3 Autonomous Agents: AAFID 752
25.6 Intrusion Response 754
25.6.1 Incident Prevention 754
25.6.2 Intrusion Handling 755
25.6.2.1 Containment Phase 756
25.6.2.2 Eradication Phase 757
25.6.2.3 Follow-Up Phase 760
25.7 Summary 765
25.8 Research Issues 765
25.9 Further Reading 767
25.10 Exercises 767

Part 8: Practicum 771
Chapter 26 Network Security 773
26.1 Introduction 773
26.2 Policy Development 774
26.2.1 Data Classes 775
26.2.2 User Classes 776
26.2.3 Availability 778
26.2.4 Consistency Check 778
26.3 Network Organization 779
26.3.1 Firewalls and Proxies 780
26.3.2 Analysis of the Network Infrastructure 782
26.3.2.1 Outer Firewall Configuration 783
26.3.2.2 Inner Firewall Configuration 785
26.3.3 In the DMZ 786
26.3.3.1 DMZ Mail Server 786
26.3.3.2 DMZ WWW Server 787
26.3.3.3 DMZ DNS Server 789
26.3.3.4 DMZ Log Server 789
26.3.3.5 Summary 790
26.3.4 In the Internal Network 790
26.3.5 General Comment on Assurance 792
26.4 Availability and Network Flooding 793
26.4.1 Intermediate Hosts 793
26.4.2 TCP State and Memory Allocations 794
26.5 Anticipating Attacks 796
26.6 Summary 798
26.7 Research Issues 798
26.8 Further Reading 799
26.9 Exercises 799

Chapter 27 System Security 805
27.1 Introduction 805
27.2 Policy 806
27.2.1 The Web Server System in the DMZ 806
27.2.2 The Development System 807
27.2.3 Comparison 810
27.2.4 Conclusion 811
27.3 Networks 811
27.3.1 The Web Server System in the DMZ 812
27.3.2 The Development System 814
27.3.3 Comparison 816
27.4 Users 817
27.4.1 The Web Server System in the DMZ 817
27.4.2 The Development System 819
27.4.3 Comparison 822
27.5 Authentication 822
27.5.1 The Web Server System in the DMZ 823
27.5.2 Development Network System 823
27.5.3 Comparison 825
27.6 Processes 825
27.6.1 The Web Server System in the DMZ 825
27.6.2 The Development System 829
27.6.3 Comparison 830
27.7 Files 831
27.7.1 The Web Server System in the DMZ 831
27.7.2 The Development System 833
27.7.3 Comparison 835
27.8 Retrospective 837
27.8.1 The Web Server System in the DMZ 837
27.8.2 The Development System 838
27.9 Summary 838
27.10 Research Issues 839
27.11 Further Reading 840
27.12 Exercises 840

Chapter 28 User Security 845
28.1 Policy 845
28.2 Access 846
28.2.1 Passwords 846
28.2.2 The Login Procedure 848
28.2.2.1 Trusted Hosts 850
28.2.3 Leaving the System 850
28.3 Files and Devices 852
28.3.1 Files 852
28.3.1.1 File Permissions on Creation 853
28.3.1.2 Group Access 854
28.3.1.3 File Deletion 855
28.3.2 Devices 857
28.3.2.1 Writable Devices 857
28.3.2.2 Smart Terminals 857
28.3.2.3 Monitors and Window Systems 859
28.4 Processes 860
28.4.1 Copying and Moving Files 860
28.4.2 Accidentally Overwriting Files 861
28.4.3 Encryption, Cryptographic Keys, and Passwords 861
28.4.4 Start-up Settings 863
28.4.5 Limiting Privileges 863
28.4.6 Malicious Logic 864
28.5 Electronic Communications 865
28.5.1 Automated Electronic Mail Processing 865
28.5.2 Failure to Check Certificates 865
28.5.3 Sending Unexpected Content 866
28.6 Summary 866
28.7 Research Issues 867
28.8 Further Reading 867
28.9 Exercises 868

Chapter 29 Program Security 869
29.1 Introduction 869
29.2 Requirements and Policy 870
29.2.1 Requirements 870
29.2.2 Threats 871
29.2.2.1 Group 1: Unauthorized Users Accessing Role Accounts 871
29.2.2.2 Group 2: Authorized Users Accessing Role Accounts 872
29.2.2.3 Summary 873
29.3 Design 873
29.3.1 Framework 874
29.3.1.1 User Interface 874
29.3.1.2 High-Level Design 874
29.3.2 Access to Roles and Commands 875
29.3.2.1 Interface 876
29.3.2.2 Internals 876
29.3.2.3 Storage of the Access Control Data 877
29.4 Refinement and Implementation 880
29.4.1 First-Level Refinement 880
29.4.2 Second-Level Refinement 881
29.4.3 Functions 884
29.4.3.1 Obtaining Location 884
29.4.3.2 The Access Control Record 885
29.4.3.3 Error Handling in the Reading and Matching Routines 886
29.4.4 Summary 887
29.5 Common Security-Related Programming Problems 887
29.5.1 Improper Choice of Initial Protection Domain 888
29.5.1.1 Process Privileges 888
29.5.1.2 Access Control File Permissions 890
29.5.1.3 Memory Protection 891
29.5.1.4 Trust in the System 892
29.5.2 Improper Isolation of Implementation Detail 893
29.5.2.1 Resource Exhaustion and User Identifiers 893
29.5.2.2 Validating the Access Control Entries 894
29.5.2.3 Restricting the Protection Domain of the Role Process 894
29.5.3 Improper Change 895
29.5.3.1 Memory 895
29.5.3.2 Changes in File Contents 898
29.5.3.3 Race Conditions in File Accesses 898
29.5.4 Improper Naming 899
29.5.5 Improper Deallocation or Deletion 901
29.5.6 Improper Validation 902
29.5.6.1 Bounds Checking 902
29.5.6.2 Type Checking 903
29.5.6.3 Error Checking 904
29.5.6.4 Checking for Valid, Not Invalid, Data 904
29.5.6.5 Checking Input 905
29.5.6.6 Designing for Validation 907
29.5.7 Improper Indivisibility 907
29.5.8 Improper Sequencing 908
29.5.9 Improper Choice of Operand or Operation 909
29.5.10 Summary 911
29.6 Testing, Maintenance, and Operation 913
29.6.1 Testing 914
29.6.1.1 Testing the Module 915
29.6.2 Testing Composed Modules 916
29.6.3 Testing the Program 917
29.7 Distribution 917
29.8 Conclusion 919
29.9 Summary 919
29.10 Research Issues 919
29.11 Further Reading 920
29.12 Exercises 920

Part 9: End Matter 923
Chapter 30 Lattices 925
30.1 Basics 925
30.2 Lattices 926
30.3 Exercises 927
Chapter 31 The Extended Euclidean Algorithm 929
31.1 The Euclidean Algorithm 929
31.2 The Extended Euclidean Algorithm 930
31.3 Solving ax mod n = 932
31.4 Solving ax mod n = b 932
31.5 Exercises 933
Chapter 32 Entropy and Uncertainty 935
32.1 Conditional and Joint Probability 935
32.2 Entropy and Uncertainty 937
32.3 Joint and Conditional Entropy 938
32.3.1 Joint Entropy 938
32.3.2 Conditional Entropy 939
32.3.3 Perfect Secrecy 940
32.4 Exercises 940
Chapter 33 Virtual Machines 941
33.1 Virtual Machine Structure 941
33.2 Virtual Machine Monitor 942
33.2.1 Privilege and Virtual Machines 943
33.2.2 Physical Resources and Virtual Machines 944
33.2.3 Paging and Virtual Machines 945
33.3 Exercises 946
Chapter 34 Symbolic Logic 947
34.1 Propositional Logic 947
34.1.1 Natural Deduction in Propositional Logic 948
34.1.1.1 Rules 949
34.1.1.2 Derived Rules 950
34.1.2 Well-Formed Formulas 950
34.1.3 Truth Tables 950
34.1.4 Mathematical Induction 951
34.2 Predicate Logic 952
34.2.1 Natural Deduction in Predicate Logic 953
34.3 Temporal Logic Systems 954
34.3.1 Syntax of CTL 954
34.3.2 Semantics of CTL 955
34.4 Exercises 956
Chapter 35 Example Academic Security Policy 959
35.1 University of California E-mail Policy 959
35.1.1 Summary: E-mail Policy Highlights 959
35.1.1.1 Cautions 959
35.1.1.2 Do 960
35.1.1.3 Do Not 961
35.1.1.4 Does This Policy Apply to You? 961
35.1.2 University of California Electronic Mail Policy 961
35.1.2.1 Introduction 961
35.1.2.2 Purpose 963
35.1.2.3 Definitions 963
35.1.2.4 Scope 964
35.1.2.5 General Provisions 965
35.1.2.6 Specific Provisions 967
35.1.2.7 Policy Violations 971
35.1.2.8 Responsibility for Policy 971
35.1.2.9 Campus Responsibilities and Discretion 971
35.1.2.10 Appendix A: Definitions 972
35.1.2.11 Appendix B: References 975
35.1.2.12 Appendix C: Policies Relating to Nonconsensual Access 976
35.1.3 UC Davis Implementation of the Electronic Mail Policy 977
35.1.3.1 Purpose and Scope 978
35.1.3.2 Definitions 978
35.1.3.3 Policy 978
35.1.4 References and Related Policy 988
35.2 The Acceptable Use Policy for the University of California, Davis 989
35.2.1 Part I 989
35.2.1.1 Introduction 989
35.2.1.2 Rights and Responsibilities 989
35.2.1.3 Existing Legal Context 989
35.2.1.4 Enforcement 990
35.2.2 Part II 990
Bibliography 993
Index 1063
|
any_adam_object | 1 |
any_adam_object_boolean | 1 |
author | Bishop, Matt |
author_GND | (DE-588)129811564 |
author_facet | Bishop, Matt |
author_role | aut |
author_sort | Bishop, Matt |
author_variant | m b mb |
building | Verbundindex |
bvnumber | BV022289754 |
classification_rvk | ST 273 ST 276 ST 277 |
classification_tum | DAT 050f DAT 460f |
ctrlnum | (OCoLC)255712417 (DE-599)BVBBV022289754 |
discipline | Informatik |
discipline_str_mv | Informatik |
edition | 9. printing |
format | Book |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01628nam a2200445zc 4500</leader><controlfield tag="001">BV022289754</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20080605 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">070227s2006 xxu |||| 00||| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">0201440997</subfield><subfield code="9">0-201-44099-7</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)255712417</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV022289754</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">aacr</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="044" ind1=" " ind2=" "><subfield code="a">xxu</subfield><subfield code="c">US</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-739</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 273</subfield><subfield code="0">(DE-625)143640:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 276</subfield><subfield code="0">(DE-625)143642:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 277</subfield><subfield code="0">(DE-625)143643:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">DAT 050f</subfield><subfield code="2">stub</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">DAT 460f</subfield><subfield code="2">stub</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Bishop, 
Matt</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)129811564</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Computer security</subfield><subfield code="b">art and science</subfield><subfield code="c">Matt Bishop</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">9. printing</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Boston ; Munich [u.a.]</subfield><subfield code="b">Addison-Wesley</subfield><subfield code="c">2006</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XLI, 1084 S.</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Computersicherheit</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Datensicherung</subfield><subfield code="0">(DE-588)4011144-1</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="689" ind1="1" ind2="0"><subfield code="a">Datensicherung</subfield><subfield code="0">(DE-588)4011144-1</subfield><subfield 
code="D">s</subfield></datafield><datafield tag="689" ind1="1" ind2=" "><subfield code="8">1\p</subfield><subfield code="5">DE-604</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">GBV Datenaustausch</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015499949&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-015499949</subfield></datafield><datafield tag="883" ind1="1" ind2=" "><subfield code="8">1\p</subfield><subfield code="a">cgwrk</subfield><subfield code="d">20201028</subfield><subfield code="q">DE-101</subfield><subfield code="u">https://d-nb.info/provenance/plan#cgwrk</subfield></datafield></record></collection> |
id | DE-604.BV022289754 |
illustrated | Not Illustrated |
index_date | 2024-07-02T16:51:21Z |
indexdate | 2024-07-09T20:54:15Z |
institution | BVB |
isbn | 0201440997 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-015499949 |
oclc_num | 255712417 |
open_access_boolean | |
owner | DE-739 |
owner_facet | DE-739 |
physical | XLI, 1084 S. |
publishDate | 2006 |
publishDateSearch | 2006 |
publishDateSort | 2006 |
publisher | Addison-Wesley |
record_format | marc |
spelling | Bishop, Matt Verfasser (DE-588)129811564 aut Computer security art and science Matt Bishop 9. printing Boston ; Munich [u.a.] Addison-Wesley 2006 XLI, 1084 S. txt rdacontent n rdamedia nc rdacarrier Computersicherheit Datensicherung (DE-588)4011144-1 gnd rswk-swf Computersicherheit (DE-588)4274324-2 gnd rswk-swf Computersicherheit (DE-588)4274324-2 s DE-604 Datensicherung (DE-588)4011144-1 s 1\p DE-604 GBV Datenaustausch application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015499949&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis 1\p cgwrk 20201028 DE-101 https://d-nb.info/provenance/plan#cgwrk |
spellingShingle | Bishop, Matt Computer security art and science Computersicherheit Datensicherung (DE-588)4011144-1 gnd Computersicherheit (DE-588)4274324-2 gnd |
subject_GND | (DE-588)4011144-1 (DE-588)4274324-2 |
title | Computer security art and science |
title_auth | Computer security art and science |
title_exact_search | Computer security art and science |
title_exact_search_txtP | Computer security art and science |
title_full | Computer security art and science Matt Bishop |
title_fullStr | Computer security art and science Matt Bishop |
title_full_unstemmed | Computer security art and science Matt Bishop |
title_short | Computer security |
title_sort | computer security art and science |
title_sub | art and science |
topic | Computersicherheit Datensicherung (DE-588)4011144-1 gnd Computersicherheit (DE-588)4274324-2 gnd |
topic_facet | Computersicherheit Datensicherung |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015499949&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT bishopmatt computersecurityartandscience |