Book Details
Computer Security: Art and Science (English Edition)
Author: Matt Bishop (USA)
Publisher: Tsinghua University Press
Publication date: 2004-05-01
ISBN: 9787302083412
List price: ¥96.00
Description
As society becomes increasingly information-driven, information has become a key resource for social development, and information security has become an important battleground of international competition in the 21st century. To protect their political and economic interests, governments everywhere attach great importance to information and network security, and information security has become a research topic of global and century-long significance. China's information security sector is growing vigorously: national leaders have given it high priority, and departments have cooperated closely and planned jointly, greatly accelerating the development of China's information security industry. As the industry grows rapidly, society's demand for information security professionals keeps increasing, and vigorously promoting specialized information security education at the university level is an important measure for the nation to secure autonomy and seize the initiative in this field. Many universities and research institutes have already established information security majors or offer related courses. I am pleased that the Education Professional Committee of the China Computer Federation and Tsinghua University Press have recently jointly organized a series of seminars on the information security discipline. With a rigorous and responsible attitude, they carefully brought together experts and scholars from universities and research institutes across the country to discuss teaching methods and curricula for the information security discipline and, on the basis of extensive forward-looking research, launched the compilation of the "Series of Textbooks for Information Security Majors in Higher Education Institutions". This series will be the first complete and authoritative set of textbooks for the information security discipline in China, and should greatly promote the development of information security programs at universities nationwide. I hope the Education Professional Committee of the China Computer Federation and Tsinghua University Press will carry this research effort forward, and that the series succeeds and keeps improving, helping universities train more and better information security specialists and make a greater contribution to China's information security cause.
About the Author
No author biography is available for Computer Security: Art and Science (English Edition).
Contents
Preface
Goals
Philosophy
Organization
Roadmap
Dependencies
Background
Undergraduate Level
Graduate Level
Practitioners
Special Acknowledgment
Acknowledgments
PART 1: INTRODUCTION
Chapter 1 An Overview of Computer Security
1.1 The Basic Components
1.1.1 Confidentiality
1.1.2 Integrity
1.1.3 Availability
1.2 Threats
1.3 Policy and Mechanism
1.3.1 Goals of Security
1.4 Assumptions and Trust
1.5 Assurance
1.5.1 Specification
1.5.2 Design
1.5.3 Implementation
1.6 Operational Issues
1.6.1 Cost-Benefit Analysis
1.6.2 Risk Analysis
1.6.3 Laws and Customs
1.7 Human Issues
1.7.1 Organizational Problems
1.7.2 People Problems
1.8 Tying It All Together
1.9 Summary
1.10 Research Issues
1.11 Further Reading
1.12 Exercises
PART 2: FOUNDATIONS
Chapter 2 Access Control Matrix
2.1 Protection State
2.2 Access Control Matrix Model
2.2.1 Access Control by Boolean Expression Evaluation
2.2.2 Access Controlled by History
2.3 Protection State Transitions
2.3.1 Conditional Commands
2.4 Copying, Owning, and the Attenuation of Privilege
2.4.1 Copy Right
2.4.2 Own Right
2.4.3 Principle of Attenuation of Privilege
2.5 Summary
2.6 Research Issues
2.7 Further Reading
2.8 Exercises
Chapter 3 Foundational Results
3.1 The General Question
3.2 Basic Results
3.3 The Take-Grant Protection Model
3.3.1 Sharing of Rights
3.3.2 Interpretation of the Model
3.3.3 Theft in the Take-Grant Protection Model
3.3.4 Conspiracy
3.3.5 Summary
3.4 Closing the Gap
3.4.1 Schematic Protection Model
3.4.1.1 Link Predicate
3.4.1.2 Filter Function
3.4.1.3 Putting It All Together
3.4.1.4 Demand and Create Operations
3.4.1.5 Safety Analysis
3.5 Expressive Power and the Models
3.5.1 Brief Comparison of HRU and SPM
3.5.2 Extending SPM
3.5.3 Simulation and Expressiveness
3.5.4 Typed Access Matrix Model
3.6 Summary
3.7 Research Issues
3.8 Further Reading
3.9 Exercises
PART 3: POLICY
Chapter 4 Security Policies
4.1 Security Policies
4.2 Types of Security Policies
4.3 The Role of Trust
4.4 Types of Access Control
4.5 Policy Languages
4.5.1 High-Level Policy Languages
4.5.2 Low-Level Policy Languages
4.6 Example: Academic Computer Security Policy
4.6.1 General University Policy
4.6.2 Electronic Mail Policy
4.6.2.1 The Electronic Mail Policy Summary
4.6.2.2 The Full Policy
4.6.2.3 Implementation at UC Davis
4.7 Security and Precision
4.8 Summary
4.9 Research Issues
4.10 Further Reading
4.11 Exercises
Chapter 5 Confidentiality Policies
5.1 Goals of Confidentiality Policies
5.2 The Bell-LaPadula Model
5.2.1 Informal Description
5.2.2 Example: The Data General B2 UNIX System
5.2.2.1 Assigning MAC Labels
5.2.2.2 Using MAC Labels
5.2.3 Formal Model
5.2.3.1 Basic Security Theorem
5.2.3.2 Rules of Transformation
5.2.4 Example Model Instantiation: Multics
5.2.4.1 The get-read Rule
5.2.4.2 The give-read Rule
5.3 Tranquility
5.4 The Controversy over the Bell-LaPadula Model
5.4.1 McLean's †-Property and the Basic Security Theorem
5.4.2 McLean's System Z and More Questions
5.4.3 Summary
5.5 Summary
5.6 Research Issues
5.7 Further Reading
5.8 Exercises
Chapter 6 Integrity Policies
6.1 Goals
6.2 Biba Integrity Model
6.2.1 Low-Water-Mark Policy
6.2.2 Ring Policy
6.2.3 Biba's Model (Strict Integrity Policy)
6.3 Lipner's Integrity Matrix Model
6.3.1 Lipner's Use of the Bell-LaPadula Model
6.3.2 Lipner's Full Model
6.3.3 Comparison with Biba
6.4 Clark-Wilson Integrity Model
6.4.1 The Model
6.4.1.1 A UNIX Approximation to Clark-Wilson
6.4.2 Comparison with the Requirements
6.4.3 Comparison with Other Models
6.5 Summary
6.6 Research Issues
6.7 Further Reading
6.8 Exercises
Chapter 7 Hybrid Policies
7.1 Chinese Wall Model
7.1.1 Informal Description
7.1.2 Formal Model
7.1.3 Bell-LaPadula and Chinese Wall Models
7.1.4 Clark-Wilson and Chinese Wall Models
7.2 Clinical Information Systems Security Policy
7.2.1 Bell-LaPadula and Clark-Wilson Models
7.3 Originator Controlled Access Control
7.4 Role-Based Access Control
7.5 Summary
7.6 Research Issues
7.7 Further Reading
7.8 Exercises
Chapter 8 Noninterference and Policy Composition
8.1 The Problem
8.1.1 Composition of Bell-LaPadula Models
8.2 Deterministic Noninterference
8.2.1 Unwinding Theorem
8.2.2 Access Control Matrix Interpretation
8.2.3 Security Policies That Change over Time
8.2.4 Composition of Deterministic Noninterference-Secure Systems
8.3 Nondeducibility
8.3.1 Composition of Deducibly Secure Systems
8.4 Generalized Noninterference
8.4.1 Composition of Generalized Noninterference Systems
8.5 Restrictiveness
8.5.1 State Machine Model
8.5.2 Composition of Restrictive Systems
8.6 Summary
8.7 Research Issues
8.8 Further Reading
8.9 Exercises
PART 4: IMPLEMENTATION I: CRYPTOGRAPHY
Chapter 9 Basic Cryptography
9.1 What Is Cryptography?
9.2 Classical Cryptosystems
9.2.1 Transposition Ciphers
9.2.2 Substitution Ciphers
9.2.2.1 Vigenere Cipher
9.2.2.2 One-Time Pad
9.2.3 Data Encryption Standard
9.2.4 Other Classical Ciphers
9.3 Public Key Cryptography
9.3.1 Diffie-Hellman
9.3.2 RSA
9.4 Cryptographic Checksums
9.4.1 HMAC
9.5 Summary
9.6 Research Issues
9.7 Further Reading
9.8 Exercises
Chapter 10 Key Management
10.1 Session and Interchange Keys
10.2 Key Exchange
10.2.1 Classical Cryptographic Key Exchange and Authentication
10.2.2 Kerberos
10.2.3 Public Key Cryptographic Key Exchange and Authentication
10.3 Key Generation
10.4 Cryptographic Key Infrastructures
10.4.1 Merkle's Tree Authentication Scheme
10.4.2 Certificate Signature Chains
10.4.2.1 X.509: Certificate Signature Chains
10.4.2.2 PGP Certificate Signature Chains
10.4.3 Summary
10.5 Storing and Revoking Keys
10.5.1 Key Storage
10.5.1.1 Key Escrow
10.5.1.2 Key Escrow System and the Clipper Chip
10.5.1.3 The Yaksha Security System
10.5.1.4 Other Approaches
10.5.2 Key Revocation
10.6 Digital Signatures
10.6.1 Classical Signatures
10.6.2 Public Key Signatures
10.6.2.1 RSA Digital Signatures
10.6.2.2 El Gamal Digital Signature
10.7 Summary
10.8 Research Issues
10.9 Further Reading
10.10 Exercises
Chapter 11 Cipher Techniques
11.1 Problems
11.1.1 Precomputing the Possible Messages
11.1.2 Misordered Blocks
11.1.3 Statistical Regularities
11.1.4 Summary
11.2 Stream and Block Ciphers
11.2.1 Stream Ciphers
11.2.1.1 Synchronous Stream Ciphers
11.2.1.2 Self-Synchronous Stream Ciphers
11.2.2 Block Ciphers
11.2.2.1 Multiple Encryption
11.3 Networks and Cryptography
11.4 Example Protocols
11.4.1 Secure Electronic Mail: PEM
11.4.1.1 Design Principles
11.4.1.2 Basic Design
11.4.1.3 Other Considerations
11.4.1.4 Conclusion
11.4.2 Security at the Transport Layer: SSL
11.4.2.1 Supporting Cryptographic Mechanisms
11.4.2.2 Lower Layer: SSL Record Protocol
11.4.2.3 Upper Layer: SSL Handshake Protocol
11.4.2.4 Upper Layer: SSL Change Cipher Spec Protocol
11.4.2.5 Upper Layer: SSL Alert Protocol
11.4.2.6 Upper Layer: Application Data Protocol
11.4.2.7 Summary
11.4.3 Security at the Network Layer: IPsec
11.4.3.1 IPsec Architecture
11.4.3.2 Authentication Header Protocol
11.4.3.3 Encapsulating Security Payload Protocol
11.4.4 Conclusion
11.5 Summary
11.6 Research Issues
11.7 Further Reading
11.8 Exercises
Chapter 12 Authentication
12.1 Authentication Basics
12.2 Passwords
12.2.1 Attacking a Password System
12.2.2 Countering Password Guessing
12.2.2.1 Random Selection of Passwords
12.2.2.2 Pronounceable and Other Computer-Generated Passwords
12.2.2.3 User Selection of Passwords
12.2.2.4 Reusable Passwords and Dictionary Attacks
12.2.2.5 Guessing Through Authentication Functions
12.2.3 Password Aging
12.3 Challenge-Response
12.3.1 Pass Algorithms
12.3.2 One-Time Passwords
12.3.3 Hardware-Supported Challenge-Response Procedures
12.3.4 Challenge-Response and Dictionary Attacks
12.4 Biometrics
12.4.1 Fingerprints
12.4.2 Voices
12.4.3 Eyes
12.4.4 Faces
12.4.5 Keystrokes
12.4.6 Combinations
12.4.7 Caution
12.5 Location
12.6 Multiple Methods
12.7 Summary
12.8 Research Issues
12.9 Further Reading
12.10 Exercises
PART 5: IMPLEMENTATION II: SYSTEMS
Chapter 13 Design Principles
13.1 Overview
13.2 Design Principles
13.2.1 Principle of Least Privilege
13.2.2 Principle of Fail-Safe Defaults
13.2.3 Principle of Economy of Mechanism
13.2.4 Principle of Complete Mediation
13.2.5 Principle of Open Design
13.2.6 Principle of Separation of Privilege
13.2.7 Principle of Least Common Mechanism
13.2.8 Principle of Psychological Acceptability
13.3 Summary
13.4 Research Issues
13.5 Further Reading
13.6 Exercises
Chapter 14 Representing Identity
14.1 What Is Identity?
14.2 Files and Objects
14.3 Users
14.4 Groups and Roles
14.5 Naming and Certificates
14.5.1 Conflicts
14.5.2 The Meaning of the Identity
14.5.3 Trust
14.6 Identity on the Web
14.6.1 Host Identity
14.6.1.1 Static and Dynamic Identifiers
14.6.1.2 Security Issues with the Domain Name Service
14.6.2 State and Cookies
14.6.3 Anonymity on the Web
14.6.3.1 Anonymity for Better or Worse
14.7 Summary
14.8 Research Issues
14.9 Further Reading
14.10 Exercises
Chapter 15 Access Control Mechanisms
15.1 Access Control Lists
15.1.1 Abbreviations of Access Control Lists
15.1.2 Creation and Maintenance of Access Control Lists
15.1.2.1 Which Subjects Can Modify an Object's ACL?
15.1.2.2 Do the ACLs Apply to a Privileged User?
15.1.2.3 Does the ACL Support Groups and Wildcards?
15.1.2.4 Conflicts
15.1.2.5 ACLs and Default Permissions
15.1.3 Revocation of Rights
15.1.4 Example:Windows NT Access Control Lists
15.2 Capabilities
15.2.1 Implementation of Capabilities
15.2.2 Copying and Amplifying Capabilities
15.2.3 Revocation of Rights
15.2.4 Limits of Capabilities
15.2.5 Comparison with Access Control Lists
15.3 Locks and Keys
15.3.1 Type Checking
15.3.2 Sharing Secrets
15.4 Ring-Based Access Control
15.5 Propagated Access Control Lists
15.6 Summary
15.7 Research Issues
15.8 Further Reading
15.9 Exercises
Chapter 16 Information Flow
16.1 Basics and Background
16.1.1 Entropy-Based Analysis
16.1.2 Information Flow Models and Mechanisms
16.2 Nonlattice Information Flow Policies
16.2.1 Confinement Flow Model
16.2.2 Transitive Nonlattice Information Flow Policies
16.2.3 Nontransitive Information Flow Policies
16.3 Compiler-Based Mechanisms
16.3.1 Declarations
16.3.2 Program Statements
16.3.2.1 Assignment Statements
16.3.2.2 Compound Statements
16.3.2.3 Conditional Statements
16.3.2.4 Iterative Statements
16.3.2.5 Goto Statements
16.3.2.6 Procedure Calls
16.3.3 Exceptions and Infinite Loops
16.3.4 Concurrency
16.3.5 Soundness
16.4 Execution-Based Mechanisms
16.4.1 Fenton's Data Mark Machine
16.4.2 Variable Classes
16.5 Example Information Flow Controls
16.5.1 Security Pipeline Interface
16.5.2 Secure Network Server Mail Guard
16.6 Summary
16.7 Research Issues
16.8 Further Reading
16.9 Exercises
Chapter 17 Confinement Problem
17.1 The Confinement Problem
17.2 Isolation
17.2.1 Virtual Machines
17.2.2 Sandboxes
17.3 Covert Channels
17.3.1 Detection of Covert Channels
17.3.1.1 Noninterference
17.3.1.2 The Shared Resource Matrix Methodology
17.3.1.3 Information Flow Analysis
17.3.1.4 Covert Flow Trees
17.3.2 Analysis of Covert Channels
17.3.2.1 Covert Channel Capacity and Noninterference
17.3.2.2 Measuring Covert Channel Capacity
17.3.2.3 Analyzing a Noisy Covert Channel's Capacity
17.3.3 Mitigation of Covert Channels
17.4 Summary
17.5 Research Issues
17.6 Further Reading
17.7 Exercises
PART 6:ASSURANCE Contributed by Elisabeth Sullivan
Chapter 18 Introduction to Assurance
18.1 Assurance and Trust
18.1.1 The Need for Assurance
18.1.2 The Role of Requirements in Assurance
18.1.3 Assurance Throughout the Life Cycle
18.2 Building Secure and Trusted Systems
18.2.1 Life Cycle
18.2.1.1 Conception
18.2.1.2 Manufacture
18.2.1.3 Deployment
18.2.1.4 Fielded Product Life
18.2.2 The Waterfall Life Cycle Model
18.2.2.1 Requirements Definition and Analysis
18.2.2.2 System and Software Design
18.2.2.3 Implementation and Unit Testing
18.2.2.4 Integration and System Testing
18.2.2.5 Operation and Maintenance
18.2.2.6 Discussion
18.2.3 Other Models of Software Development
18.2.3.1 Exploratory Programming
18.2.3.2 Prototyping
18.2.3.3 Formal Transformation
18.2.3.4 System Assembly from Reusable Components
18.2.3.5 Extreme Programming
18.3 Summary
18.4 Research Issues
18.5 Further Reading
18.6 Exercises
Chapter 19 Building Systems with Assurance
19.1 Assurance in Requirements Definition and Analysis
19.1.1 Threats and Security Objectives
19.1.2 Architectural Considerations
19.1.2.1 Security Mechanisms and Layered Architecture
19.1.2.2 Building Security in or Adding Security Later
19.1.3 Policy Definition and Requirements Specification
19.1.4 Justifying Requirements
19.2 Assurance During System and Software Design
19.2.1 Design Techniques That Support Assurance
19.2.2 Design Document Contents
19.2.2.1 Security Functions Summary Specification
19.2.2.2 External Functional Specification
19.2.2.3 Internal Design Description
19.2.2.4 Internal Design Specification
19.2.3 Building Documentation and Specifications
19.2.3.1 Modification Specifications
19.2.3.2 Security Specifications
19.2.3.3 Formal Specifications
19.2.4 Justifying That Design Meets Requirements
19.2.4.1 Requirements Tracing and Informal Correspondence
19.2.4.2 Informal Arguments
19.2.4.3 Formal Methods: Proof Techniques
19.2.4.4 Review
19.3 Assurance in Implementation and Integration
19.3.1 Implementation Considerations That Support Assurance
19.3.2 Assurance Through Implementation Management
19.3.3 Justifying That the Implementation Meets the Design
19.3.3.1 Security Testing
19.3.3.2 Security Testing Using PGWG
19.3.3.3 Test Matrices
19.3.3.4 Formal Methods: Proving That Programs Are Correct
19.4 Assurance During Operation and Maintenance
19.5 Summary
19.6 Research Issues
19.7 Further Reading
19.8 Exercises
Chapter 20 Formal Methods
20.1 Formal Verification Techniques
20.2 Formal Specification
20.3 Early Formal Verification Techniques
20.3.1 The Hierarchical Development Methodology
20.3.1.1 Verification in HDM
20.3.1.2 The Boyer-Moore Theorem Prover
20.3.2 Enhanced HDM
20.3.3 The Gypsy Verification Environment
20.3.3.1 The Gypsy Language
20.3.3.2 The Bledsoe Theorem Prover
20.4 Current Verification Systems
20.4.1 The Prototype Verification System
20.4.1.1 The PVS Specification Language
20.4.1.2 The PVS Proof Checker
20.4.1.3 Experience with PVS
20.4.2 The Symbolic Model Verifier
20.4.2.1 The SMV Language
20.4.2.2 The SMV Proof Theory
20.4.2.3 SMV Experience
20.4.3 The Naval Research Laboratory Protocol Analyzer
20.4.3.1 NPA Languages
20.4.3.2 NPA Experience
20.5 Summary
20.6 Research Issues
20.7 Further Reading
20.8 Exercises
Chapter 21 Evaluating Systems
21.1 Goals of Formal Evaluation
21.1.1 Deciding to Evaluate
21.1.2 Historical Perspective of Evaluation Methodologies
21.2 TCSEC: 1983-1999
21.2.1 TCSEC Requirements
21.2.1.1 TCSEC Functional Requirements
21.2.1.2 TCSEC Assurance Requirements
21.2.2 The TCSEC Evaluation Classes
21.2.3 The TCSEC Evaluation Process
21.2.4 Impacts
21.2.4.1 Scope Limitations
21.2.4.2 Process Limitations
21.2.4.3 Contributions
21.3 International Efforts and the ITSEC: 1991-2001
21.3.1 ITSEC Assurance Requirements
21.3.1.1 Requirements in the TCSEC Not Found in the ITSEC
21.3.1.2 Requirements in the ITSEC Not Found in the TCSEC
21.3.2 The ITSEC Evaluation Levels
21.3.3 The ITSEC Evaluation Process
21.3.4 Impacts
21.3.4.1 Vendor-Provided Security Targets
21.3.4.2 Process Limitations
21.4 Commercial International Security Requirements: 1991
21.4.1 CISR Requirements
21.4.2 Impacts
21.5 Other Commercial Efforts: Early 1990s
21.6 The Federal Criteria: 1992
21.6.1 FC Requirements
21.6.2 Impacts
21.7 FIPS 140: 1994-Present
21.7.1 FIPS 140 Requirements
21.7.2 FIPS 140-2 Security Levels
21.7.3 Impact
21.8 The Common Criteria: 1998-Present
21.8.1 Overview of the Methodology
21.8.2 CC Requirements
21.8.3 CC Security Functional Requirements
21.8.4 Assurance Requirements
21.8.5 Evaluation Assurance Levels
21.8.6 Evaluation Process
21.8.7 Impacts
21.8.8 Future of the Common Criteria
21.8.8.1 Interpretations
21.8.8.2 Assurance Class AMA and Family ALC_FLR
21.8.8.3 Products Versus Systems
21.8.8.4 Protection Profiles and Security Targets
21.8.8.5 Assurance Class AVA
21.8.8.6 EAL5
21.9 SSE-CMM: 1997-Present
21.9.1 The SSE-CMM Model
21.9.2 Using the SSE-CMM
21.10 Summary
21.11 Research Issues
21.12 Further Reading
21.13 Exercises
PART 7: SPECIAL TOPICS
Chapter 22 Malicious Logic
22.1 Introduction
22.2 Trojan Horses
22.3 Computer Viruses
22.3.1 Boot Sector Infectors
22.3.2 Executable Infectors
22.3.3 Multipartite Viruses
22.3.4 TSR Viruses
22.3.5 Stealth Viruses
22.3.6 Encrypted Viruses
22.3.7 Polymorphic Viruses
22.3.8 Macro Viruses
22.4 Computer Worms
22.5 Other Forms of Malicious Logic
22.5.1 Rabbits and Bacteria
22.5.2 Logic Bombs
22.6 Theory of Malicious Logic
22.6.1 Theory of Computer Viruses
22.7 Defenses
22.7.1 Malicious Logic Acting as Both Data and Instructions
22.7.2 Malicious Logic Assuming the Identity of a User
22.7.2.1 Information Flow Metrics
22.7.2.2 Reducing the Rights
22.7.2.3 Sandboxing
22.7.3 Malicious Logic Crossing Protection Domain Boundaries by Sharing
22.7.4 Malicious Logic Altering Files
22.7.5 Malicious Logic Performing Actions Beyond Specification
22.7.5.1 Proof-Carrying Code
22.7.6 Malicious Logic Altering Statistical Characteristics
22.7.7 The Notion of Trust
22.8 Summary
22.9 Research Issues
22.10 Further Reading
22.11 Exercises
Chapter 23 Vulnerability Analysis
23.1 Introduction
23.2 Penetration Studies
23.2.1 Goals
23.2.2 Layering of Tests
23.2.3 Methodology at Each Layer
23.2.4 Flaw Hypothesis Methodology
23.2.4.1 Information Gathering and Flaw Hypothesis
23.2.4.2 Flaw Testing
23.2.4.3 Flaw Generalization
23.2.4.4 Flaw Elimination
23.2.5 Example: Penetration of the Michigan Terminal System
23.2.6 Example: Compromise of a Burroughs System
23.2.7 Example: Penetration of a Corporate Computer System
23.2.8 Example: Penetrating a UNIX System
23.2.9 Example: Penetrating a Windows NT System
23.2.10 Debate
23.2.11 Conclusion
23.3 Vulnerability Classification
23.3.1 Two Security Flaws
23.4 Frameworks
23.4.1 The RISOS Study
23.4.1.1 The Flaw Classes
23.4.1.2 Legacy
23.4.2 Protection Analysis Model
23.4.2.1 The Flaw Classes
23.4.2.2 Analysis Procedure
23.4.2.3 Legacy
23.4.3 The NRL Taxonomy
23.4.3.1 The Flaw Classes
23.4.3.2 Legacy
23.4.4 Aslam's Model
23.4.4.1 The Flaw Classes
23.4.4.2 Legacy
23.4.5 Comparison and Analysis
23.4.5.1 The xterm Log File Flaw
23.4.5.2 The fingerd Buffer Overflow Flaw
23.4.5.3 Summary
23.5 Gupta and Gligor's Theory of Penetration Analysis
23.5.1 The Flow-Based Model of Penetration Analysis
23.5.2 The Automated Penetration Analysis Tool
23.5.3 Discussion
23.6 Summary
23.7 Research Issues
23.8 Further Reading
23.9 Exercises
Chapter 24 Auditing
24.1 Definitions
24.2 Anatomy of an Auditing System
24.2.1 Logger
24.2.2 Analyzer
24.2.3 Notifier
24.3 Designing an Auditing System
24.3.1 Implementation Considerations
24.3.2 Syntactic Issues
24.3.3 Log Sanitization
24.3.4 Application and System Logging
24.4 A Posteriori Design
24.4.1 Auditing to Detect Violations of a Known Policy
24.4.1.1 State-Based Auditing
24.4.1.2 Transition-Based Auditing
24.4.2 Auditing to Detect Known Violations of a Policy
24.5 Auditing Mechanisms
24.5.1 Secure Systems
24.5.2 Nonsecure Systems
24.6 Examples: Auditing File Systems
24.6.1 Audit Analysis of the NFS Version 2 Protocol
24.6.2 The Logging and Auditing File System (LAFS)
24.6.3 Comparison
24.7 Audit Browsing
24.8 Summary
24.9 Research Issues
24.10 Further Reading
24.11 Exercises
Chapter 25 Intrusion Detection
25.1 Principles
25.2 Basic Intrusion Detection
25.3 Models
25.3.1 Anomaly Modeling
25.3.1.1 Derivation of Statistics
25.3.2 Misuse Modeling
25.3.3 Specification Modeling
25.3.4 Summary
25.4 Architecture
25.4.1 Agent
25.4.1.1 Host-Based Information Gathering
25.4.1.2 Network-Based Information Gathering
25.4.1.3 Combining Sources
25.4.2 Director
25.4.3 Notifier
25.5 Organization of Intrusion Detection Systems
25.5.1 Monitoring Network Traffic for Intrusions: NSM
25.5.2 Combining Host and Network Monitoring: DIDS
25.5.3 Autonomous Agents: AAFID
25.6 Intrusion Response
25.6.1 Incident Prevention
25.6.2 Intrusion Handling
25.6.2.1 Containment Phase
25.6.2.2 Eradication Phase
25.6.2.3 Follow-Up Phase
25.7 Summary
25.8 Research Issues
25.9 Further Reading
25.10 Exercises
PART 8: PRACTICUM
Chapter 26 Network Security
26.1 Introduction
26.2 Policy Development
26.2.1 Data Classes
26.2.2 User Classes
26.2.3 Availability
26.2.4 Consistency Check
26.3 Network Organization
26.3.1 Firewalls and Proxies
26.3.2 Analysis of the Network Infrastructure
26.3.2.1 Outer Firewall Configuration
26.3.2.2 Inner Firewall Configuration
26.3.3 In the DMZ
26.3.3.1 DMZ Mail Server
26.3.3.2 DMZ WWW Server
26.3.3.3 DMZ DNS Server
26.3.3.4 DMZ Log Server
26.3.3.5 Summary
26.3.4 In the Internal Network
26.3.5 General Comment on Assurance
26.4 Availability and Network Flooding
26.4.1 Intermediate Hosts
26.4.2 TCP State and Memory Allocations
26.5 Anticipating Attacks
26.6 Summary
26.7 Research Issues
26.8 Further Reading
26.9 Exercises
Chapter 27 System Security
27.1 Introduction
27.2 Policy
27.2.1 The Web Server System in the DMZ
27.2.2 The Development System
27.2.3 Comparison
27.2.4 Conclusion
27.3 Networks
27.3.1 The Web Server System in the DMZ
27.3.2 The Development System
27.3.3 Comparison
27.4 Users
27.4.1 The Web Server System in the DMZ
27.4.2 The Development System
27.4.3 Comparison
27.5 Authentication
27.5.1 The Web Server System in the DMZ
27.5.2 Development Network System
27.5.3 Comparison
27.6 Processes
27.6.1 The Web Server System in the DMZ
27.6.2 The Development System
27.6.3 Comparison
27.7 Files
27.7.1 The Web Server System in the DMZ
27.7.2 The Development System
27.7.3 Comparison
27.8 Retrospective
27.8.1 The Web Server System in the DMZ
27.8.2 The Development System
27.9 Summary
27.10 Research Issues
27.11 Further Reading
27.12 Exercises
Chapter 28 User Security
28.1 Policy
28.2 Access
28.2.1 Passwords
28.2.2 The Login Procedure
28.2.2.1 Trusted Hosts
28.2.3 Leaving the System
28.3 Files and Devices
28.3.1 Files
28.3.1.1 File Permissions on Creation
28.3.1.2 Group Access
28.3.1.3 File Deletion
28.3.2 Devices
28.3.2.1 Writable Devices
28.3.2.2 Smart Terminals
28.3.2.3 Monitors and Window Systems
28.4 Processes
28.4.1 Copying and Moving Files
28.4.2 Accidentally Overwriting Files
28.4.3 Encryption, Cryptographic Keys, and Passwords
28.4.4 Start-up Settings
28.4.5 Limiting Privileges
28.4.6 Malicious Logic
28.5 Electronic Communications
28.5.1 Automated Electronic Mail Processing
28.5.2 Failure to Check Certificates
28.5.3 Sending Unexpected Content
28.6 Summary
28.7 Research Issues
28.8 Further Reading
28.9 Exercises
Chapter 29 Program Security
29.1 Introduction
29.2 Requirements and Policy
29.2.1 Requirements
29.2.2 Threats
29.2.2.1 Group 1: Unauthorized Users Accessing Role Accounts
29.2.2.2 Group 2: Authorized Users Accessing Role Accounts
29.2.2.3 Summary
29.3 Design
29.3.1 Framework
29.3.1.1 User Interface
29.3.1.2 High-Level Design
29.3.2 Access to Roles and Commands
29.3.2.1 Interface
29.3.2.2 Internals
29.3.2.3 Storage of the Access Control Data
29.4 Refinement and Implementation
29.4.1 First-Level Refinement
29.4.2 Second-Level Refinement
29.4.3 Functions
29.4.3.1 Obtaining Location
29.4.3.2 The Access Control Record
29.4.3.3 Error Handling in the Reading and Matching Routines
29.4.4 Summary
29.5 Common Security-Related Programming Problems
29.5.1 Improper Choice of Initial Protection Domain
29.5.1.1 Process Privileges
29.5.1.2 Access Control File Permissions
29.5.1.3 Memory Protection
29.5.1.4 Trust in the System
29.5.2 Improper Isolation of Implementation Detail
29.5.2.1 Resource Exhaustion and User Identifiers
29.5.2.2 Validating the Access Control Entries
29.5.2.3 Restricting the Protection Domain of the Role Process
29.5.3 Improper Change
29.5.3.1 Memory
29.5.3.2 Changes in File Contents
29.5.3.3 Race Conditions in File Accesses
29.5.4 Improper Naming
29.5.5 Improper Deallocation or Deletion
29.5.6 Improper Validation
29.5.6.1 Bounds Checking
29.5.6.2 Type Checking
29.5.6.3 Error Checking
29.5.6.4 Checking for Valid, not Invalid, Data
29.5.6.5 Checking Input
29.5.6.6 Designing for Validation
29.5.7 Improper Indivisibility
29.5.8 Improper Sequencing
29.5.9 Improper Choice of Operand or Operation
29.5.10 Summary
29.6 Testing, Maintenance, and Operation
29.6.1 Testing
29.6.1.1 Testing the Modules
29.6.2 Testing Composed Modules
29.6.3 Testing the Program
29.7 Distribution
29.8 Conclusion
29.9 Summary
29.10 Research Issues
29.11 Further Reading
29.12 Exercises
PART 9: END MATTER
Chapter 30 Lattices
30.1 Basics
30.2 Lattices
30.3 Exercises
Chapter 31 The Extended Euclidean Algorithm
31.1 The Euclidean Algorithm
31.2 The Extended Euclidean Algorithm
31.3 Solving ax mod n=1
31.4 Solving ax mod n=b
31.5 Exercises
Chapter 32 Entropy and Uncertainty
32.1 Conditional and Joint Probability
32.2 Entropy and Uncertainty
32.3 Joint and Conditional Entropy
32.3.1 Joint Entropy
32.3.2 Conditional Entropy
32.3.3 Perfect Secrecy
32.4 Exercises
Chapter 33 Virtual Machines
33.1 Virtual Machine Structure
33.2 Virtual Machine Monitor
33.2.1 Privilege and Virtual Machines
33.2.2 Physical Resources and Virtual Machines
33.2.3 Paging and Virtual Machines
33.3 Exercises
Chapter 34 Symbolic Logic
34.1 Propositional Logic
34.1.1 Natural Deduction in Propositional Logic
34.1.1.1 Rules
34.1.1.2 Derived Rules
34.1.2 Well-Formed Formulas
34.1.3 Truth Tables
34.1.4 Mathematical Induction
34.2 Predicate Logic
34.2.1 Natural Deduction in Predicate Logic
34.3 Temporal Logic Systems
34.3.1 Syntax of CTL
34.3.2 Semantics of CTL
34.4 Exercises
Chapter 35 Example Academic Security Policy
35.1 University of California E-mail Policy
35.1.1 Summary:E-mail Policy Highlights
35.1.1.1 Cautions
35.1.1.2 Do
35.1.1.3 Do Not
35.1.1.4 Does This Policy Apply to You?
35.1.2 University of California Electronic Mail Policy
35.1.2.1 Introduction
35.1.2.2 Purpose
35.1.2.3 Definitions
35.1.2.4 Scope
35.1.2.5 General Provisions
35.1.2.6 Specific Provisions
35.1.2.7 Policy Violations
35.1.2.8 Responsibility for Policy
35.1.2.9 Campus Responsibilities and Discretion
35.1.2.10 Appendix A-Definitions
35.1.2.11 Appendix B-References
35.1.2.12 Appendix C-Policies Relating to Nonconsensual Access
35.1.3 UC Davis Implementation of the Electronic Mail Policy
35.1.3.1 Purpose and Scope
35.1.3.2 Definitions
35.1.3.3 Policy
35.1.4 References and Related Policy
35.2 The Acceptable Use Policy for the University of California, Davis
35.2.1 Part I
35.2.1.1 Introduction
35.2.1.2 Rights and Responsibilities
35.2.1.3 Existing Legal Context
35.2.1.4 Enforcement
35.2.2 Part II
Bibliography
Index
Goals
Philosophy
Organization
Roadmap
Dependencies
Background
Undergraduate Level
Graduate Level
Practitioners
Special Acknowledgment
Acknowledgments
PART 1:INTRODUCTION
Chapter 1 An Overview of Computer Security
1.1 The Basic Components
1.1.1 Confidentiality
1.1.2 Integrity
1.1.3 Availability
1.2 Threats
1.3 Policy and Mechanism
1.3.1 Goals of Security
1.4 Assumptions and Trust
1.5 Assurance
1.5.1 Specification
1.5.2 Design
1.5.3 Implementation
1.6 Operational Issues
1.6.1 Cost-Benefit Analysis
1.6.2 Risk Analysis
1.6.3 Laws and Customs
1.7 Human Issues
1.7.1 Organizational Problems
1.7.2 People Problems
1.8 Tying It All Together
1.9 Summary
1.10 Research Issues
1.11 Further Reading
1.12 Exercises
PART 2:FOUNDATIONS
Chapter 2 Access Control Matrix
2.1 Protection State
2.2 Access Control Matrix Model
2.2.1 Access Control by Boolean Expression Evaluation
2.2.2 Access Controlled by History
2.3 Protection State Transitions
2.3.1 Conditional Commands
2.4 Copying,Owning,and the Attenuation of Privilege
2.4.1 Copy Right
2.4.2 Own Right
2.4.3 Principle of Attenuation of Privilege
2.5 Summary
2.6 Research Issues
2.7 Further Reading
2.8 Exercises
Chapter 3 Foundational Results
3.1 The General Question
3.2 Basic Results
3.3 The Take-Grant Protection Model
3.3.1 Sharing of Rights
3.3.2 Interpretation of the Model
3.3.3 Theft in the Take-Grant Protection Model
3.3.4 Conspiracy
3.3.5 Summary
3.4 Closing the Gap
3.4.1 Schematic Protection Model
3.4.1.1 Link Predicate
3.4.1.2 Filter Function
3.4.1.3 Putting It All Together
3.4.1.4 Demand and Create Operations
3.4.1.5 Safety Analysis
3.5 Expressive Power and the Models
3.5.1 Brief Comparison of HRU and SPM
3.5.2 Extending SPM
3.5.3 Simulation and Expressiveness
3.5.4 Typed Access Matrix Model
3.6 Summary
3.7 Research Issues
3.8 Further Reading
3.9 Exercises
PART 3:POLICY
Chapter 4 Security Policies
4.1 Security Policies
4.2 Types of Security Policies
4.3 The Role of Trust
4.4 Types of Access Control
4.5 Policy Languages
4.5.1 High-Level Policy Languages
4.5.2 Low-Level Policy Languages
4.6 Example:Academic Computer Security Policy
4.6.1 general University Policy
4.6.2 Electronic Mail Policy
4.6.2.1 The Electronic Mail Policy Summary
4.6.2.2 The Full Policy
4.6.2.3 Implementation at UC Davis
4.7 Security and Precision
4.8 Summary
4.9 Research Issues
4.10 Further Reading
4.11 Exercises
Chapter 5 Confidentiality Policies
5.1 Goals of Confidentiality Policies
5.2 The Bell-LaPadula Model
5.2.1 Informal Description
5.2.2 Example:The Data General B2 UNIX System
5.2.2.1 Assigning MAC Labels
5.2.2.2 Using MAC Labels
5.2.3 Formal Model
5.2.3.1 Basic Security Theorem
5.2.3.2 Rules of Transformation
5.2.4 Example Model Instantiation:Multics
5.2.4.1 The get-read Rule
5.2.4.2 The give-read Rule
5.3 Tranquility
5.4 The Controversy over the Bell-LaPadula Model
5.4.1 McLean's +-Property and the Basic Security Theorem
5.4.2 McLean's System Z and More Questions
5.4.3 Summary
5.5 Summary
5.6 Research Issues
5.7 Further Reading
5.8 Exercises
Chapter 6 Integrity Policies
6.1 Goals
6.2 Biba Integrity Model
6.2.1 Low-Water-Mark Policy
6.2.2 Ring Policy
6.2.3 Biba's Model(Strict Integrity Policy)
6.3 Lipner's Integrity Matrix Model
6.3.1 Lipner's Use of the Bell-LaPadula Model
6.3.2 Lipner's Full Model
6.3.3 Comparison with Biba
6.4 Clark-Wilson Integrity Model
6.4.1 The Model
6.4.1.1 A UNIX Approximation to Clark-Wilson
6.4.2 Comparison with the Requirements
6.4.3 Comparison with Other Models
6.5 Summary
6.6 Research Issues
6.7 Further Reading
6.8 Exercises
Chapter 7 Hybrid Policies
7.1 Chinese Wall Model
7.1.1 Informal Description
7.1.2 Formal Model
7.1.3 Bell-LaPadula and Chinese Wall Models
7.1.4 Clark-Wilson and Chinese Wall Models
7.2 Clinical Information Systems Security Policy
7.2.1 Bell-LaPadula and Clark-Wilson Models
7.3 Originator Controlled Access Control
7.4 Role-Based Access Control
7.5 Summary
7.6 Research Issues
7.7 Further Reading
7.8 Exercises
Chapter 8 Noninterference and Policy Composition
8.1 The Problem
8.1.1 Composition of Bell-LaPadula Models
8.2 Deterministic Noninterference
8.2.1 Unwinding Theorem
8.2.2 Access Control Matrix Interpretation
8.2.3 Security Policies That Change over Time
8.2.4 Composition of Deterministic Noninterference-Secure Systems
8.3 Nondeducibility
8.3.1 Composition of Deducibly Secure Systems
8.4 Generalized Noninterference
8.4.1 Composition of Generalized Noninterference Systems
8.5 Restrictiveness
8.5.1 State Machine Model
8.5.2 Composition of Restrictive Systems
8.6 Summary
8.7 Research Issues
8.8 Further Reading
8.9 Exercises
PART 4:IMPLEMENTATION I:CRYPTOGRAPHY
Chapter 9 Basic Cryptography
9.1 What Is Cryptography?
9.2 Classical Cryptosystems
9.2.1 Transposition Ciphers
9.2.2 Substitution Ciphers
9.2.2.1 Vigenere Cipher
9.2.2.2 One-Time Pad
9.2.3 Data Encryption Standard
9.2.4 Other Classical Ciphers
9.3 Public Key Cryptography
9.3.1 Diffie-Hellman
9.3.2 RSA
9.4 Cryptographic Checksums
9.4.1 HMAC
9.5 Summary
9.6 Research Issues
9.7 Further Reading
9.8 Exercises
Chapter 10 Key Management
10.1 Session and Interchange Keys
10.2 Key Exchange
10.2.1 Classical Cryptographic Key Exchange and Authentication
10.2.2 Kerberos
10.2.3 Public Key Cryptographic Key Exchange and Authentication
10.3 Key Generation
10.4 Cryptographic Key Infrastructures
10.4.1 Merkle's Tree Authentication Scheme
10.4.2 Certificate Signature Chains
10.4.2.1 X.509:Certificate Signature Chains
10.4.2.2 PGP Certificate Signature Chains
10.4.3 Summary
10.5 Storing and Revoking Keys
10.5.1 Key Storage
10.5.1.1 Key Escrow
10.5.1.2 Key Escrow System and the Clipper Chip
10.5.1.3 The Yaksha Security System
10.5.1.4 Other Approaches
10.5.2 Key Revocation
10.6 Digital Signatures
10.6.1 Classical Signatures
10.6.2 Public Key Signatures
10.6.2.1 RSA Digital Signatures
10.6.2.2 El Gamal Digital Signature
10.7 Summary
10.8 Research Issues
10.9 Further Reading
10.10 Exercises
Chapter 11 Cipher Techniques
11.1 Problems
11.1.1 Precomputing the Possible Messages
11.1.2 Misordered Blocks
11.1.3 Statistical Regularities
11.1.4 Summary
11.2 Stream and Block Ciphers
11.2.1 Stream Ciphers
11.2.1.1 Synchronous Stream Ciphers
11.2.1.2 Self-Synchronous Stream Ciphers
11.2.2 Block Ciphers
11.2.2.1 Multiple Encryption
11.3 Networks and Cryptography
11.4 Example Protocols
11.4.1 Secure Electronic Mail:PEM
11.4.1.1 Design Principles
11.4.1.2 Basic Design
11.4.1.3 Other Considerations
11.4.1.4 Conclusion
11.4.2 Security at the Transport Layer:SSL
11.4.2.1 Supporting Cryptographic Mechanisms
11.4.2.2 Lower Layer:SSL Record Protocol
11.4.2.3 Upper Layer:SSL Handshake Protocol
11.4.2.4 Upper Layer:SSL Change Cipher Spec Protocol
11.4.2.5 Upper Layer:SSL Alert Protocol
11.4.2.6 Upper Layer:Application Data Protocol
11.4.2.7 Summary
11.4.3 Security at the Network Layer:IPsec
11.4.3.1 IPsec Architecture
11.4.3.2 Authentication Header Protocol
11.4.3.3 Encapsulating Security Payload Protocol
11.4.4 Conclusion
11.5 Summary
11.6 Research Issues
11.7 Further Reading
11.8 Exercises
Chapter 12 Authentication
12.1 Authentication Basics
12.2 Passwords
12.2.1 Attacking a Password System
12.2.2 Countering Password Guessing
12.2.2.1 Random Selection of Passwords
12.2.2.2 Pronounceable and Other Computer-Generated Passwords
12.2.2.3 User Selection of Passwords
12.2.2.4 Reusable Passwords and Dictionary Attacks
12.2.2.5 Guessing Through Authentication Functions
12.2.3 Password Aging
12.3 Challenge-Response
12.3.1 Pass Algorithms
12.3.2 One-Time Passwords
12.3.3 Hardware-Supported Challenge-Response Procedures
12.3.4 Challenge-Response and Dictionary Attacks
12.4 Biometrics
12.4.1 Fingerprints
12.4.2 Voices
12.4.3 Eyes
12.4.4 Faces
12.4.5 Keystrokes
12.4.6 Combinations
12.4.7 Caution
12.5 Location
12.6 Multiple Methods
12.7 Summary
12.8 Research Issues
12.9 Further Reading
12.10 Exercises
PART 5:IMPLEMENTATION II:SYSTEMS
Chapter 13 Design Principles
13.1 Overview
13.2 Design Principles
13.2.1 Principle of Least Privilege
13.2.2 Principle of Fail-Safe Defaults
13.2.3 Principle of Economy of Mechanism
13.2.4 Principle of Complete Mediation
13.2.5 Principle of Open Design
13.2.6 Principle of Separation of Privilege
13.2.7 Principle of Least Common Mechanism
13.2.8 Principle of Psychological Acceptability
13.3 Summary
13.4 Research Issues
13.5 Further Reading
13.6 Exercises
Chapter 14 Representing Identity
14.1 What Is Identity?
14.2 Files and Objects
14.3 Users
14.4 Groups and Roles
14.5 Naming and Certificates
14.5.1 Conflicts
14.5.2 The Meaning of the Identity
14.5.3 Trust
14.6 Identity on the Web
14.6.1 Host Identity
14.6.1.1 Static and Dynamic Identifiers
14.6.1.2 Security Issues with the Domain Name Service
14.6.2 State and Cookies
14.6.3 Anonymity on the Web
14.6.3.1 Anonymity for Better or Worse
14.7 Summary
14.8 Research Issues
14.9 Further Reading
14.10 Exercises
Chapter 15 Access Control Mechanisms
15.1 Access Control Lists
15.1.1 Abbreviations of Access Control Lists
15.1.2 Creation and Maintenance of Access Control Lists
15.1.2.1 Which Subjects Can Modify an Object's ACL?
15.1.2.2 Do the ACLs Apply to a Privileged User?
15.1.2.3 Does the ACL Support Groups and Wildcards?
15.1.2.4 Conflicts
15.1.2.5 ACLs and Default Permissions
15.1.3 Revocation of Rights
15.1.4 Example:Windows NT Access Control Lists
15.2 Capabilities
15.2.1 Implementation of Capabilities
15.2.2 Copying and Amplifying Capabilities
15.2.3 Revocation of Rights
15.2.4 Limits of Capabilities
15.2.5 Comparison with Access Control Lists
15.3 Locks and Keys
15.3.1 Type Checking
15.3.2 Sharing Secrets
15.4 Ring-Based Access Control
15.5 Propagated Access Control Lists
15.6 Summary
15.7 Research Issues
15.8 Further Reading
15.9 Exercises
Chapter 16 Information Flow
16.1 Basics and Background
16.1.1 Entropy-Based Analysis
16.1.2 Information Flow Models and Mechanisms
16.2 Nonlattice Information Flow Policies
16.2.1 Confinement Flow Model
16.2.2 Transitive Nonlattice Information Flow Policies
16.2.3 Nontransitive Information Flow Policies
16.3 Compiler-Based Mechanisms
16.3.1 Declarations
16.3.2 Program Statements
16.3.2.1 Assignment Statements
16.3.2.2 Compound Statements
16.3.2.3 Conditional Statements
16.3.2.4 Iterative Statements
16.3.2.5 Goto Statements
16.3.2.6 Procedure Calls
16.3.3 Exceptions and Infinite Loops
16.3.4 Concurrency
16.3.5 Soundness
16.4 Execution-Based Mechanisms
16.4.1 Fenton's Data Mark Machine
16.4.2 Variable Classes
16.5 Example Information Flow Controls
16.5.1 Security Pipeline Interface
16.5.2 Secure Network Server Mail Guard
16.6 Summary
16.7 Research Issues
16.8 Further Reading
16.9 Exercises
Chapter 17 Confinement Problem
17.1 The Confinement Problem
17.2 Isolation
17.2.1 Virtual Machines
17.2.2 Sandboxes
17.3 Covert Channels
17.3.1 Detection of Covert Channels
17.3.1.1 Noninterference
17.3.1.2 The Shared Resource Matrix Methodology
17.3.1.3 Information Flow Analysis
17.3.1.4 Covert Flow Trees
17.3.2 Analysis of Covert Channels
17.3.2.1 Covert Channel Capacity and Noninterference
17.3.2.2 Measuring Covert Channel Capacity
17.3.2.3 Analyzing a Noisy Covert Channel's Capacity
17.3.3 Mitigation of Covert Channels
17.4 Summary
17.5 Research Issues
17.6 Further Reading
17.7 Exercises
PART 6:ASSURANCE Contributed by Elisabeth Sullivan
Chapter 18 Introduction to Assurance
18.1 Assurance and Trust
18.1.1 The Need for Assurance
18.1.2 The Role of Requirements in Assurance
18.1.3 Assurance Throughout the Life Cycle
18.2 Building Secure and Trusted Systems
18.2.1 Life Cycle
18.2.1.1 Conception
18.2.1.2 Manufacture
18.2.1.3 Deployment
18.2.1.4 Fielded Product Life
18.2.2 The Waterfall Life Cycle Model
18.2.2.1 Requirements Definition and Analysis
18.2.2.2 System and Software Design
18.2.2.3 Implementation and Unit Testing
18.2.2.4 Integration and System Testing
18.2.2.5 Operation and Maintenance
18.2.2.6 Discussion
18.2.3 Other Models of Software Development
18.2.3.1 Exploratory Programming
18.2.3.2 Prototyping
18.2.3.3 Formal Transformation
18.2.3.4 System Assembly from Reusable Components
18.2.3.5 Extreme Programming
18.3 Summary
18.4 Research Issues
18.5 Further Reading
18.6 Exercises
Chapter 19 Building Systems with Assurance
19.1 Assurance in Requirements Definition and Analysis
19.1.1 Threats and Security Objectives
19.1.2 Architectural Considerations
19.1.2.1 Security Mechanisms and Layered Architecture
19.1.2.2 Building Security in or Adding Security Later
19.1.3 Policy Definition and Requirements Specification
19.1.4 Justifying Requirements
19.2 Assurance During System and Software Design
19.2.1 Design Techniques That Support Assurance
19.2.2 Design Document Contents
19.2.2.1 Security Functions Summary Specification
19.2.2.2 External Functional Specification
19.2.2.3 Internal Design Description
19.2.2.4 Internal Design Specification
19.2.3 Building Documentation and Specifications
19.2.3.1 Modification Specifications
19.2.3.2 Security Specifications
19.2.3.3 Formal Specifications
19.2.4 Justifying That Design Meets Requirements
19.2.4.1 Requirements Tracing and Informal Correspondence
19.2.4.2 Informal Arguments
19.2.4.3 Formal Methods:Proof Techniques
19.2.4.4 Review
19.3 Assurance in Implementation and Integration
19.3.1 Implementation Considerations That Support Assurance
19.3.2 Assurance Through Implementation Management
19.3.3 Justifying That the Implementation Meets the Design
19.3.3.1 Security Testing
19.3.3.2 Security Testing Using PGWG
19.3.3.3 Test Matrices
19.3.3.4 Formal Methods:Proving That Programs Are Correct
19.4 Assurance During Operation and Maintenance
19.5 Summary
19.6 Research Issues
19.7 Further Reading
19.8 Exercises
Chapter 20 Formal Methods
20.1 Formal Verification Techniques
20.2 Formal Specification
20.3 Early Formal Verification Techniques
20.3.1 The Hierarchical Development Methodology
20.3.1.1 Verification in HDM
20.3.1.2 The Boyer-Moore Theorem Prover
20.3.2 Enhanced HDM
20.3.3 The Gypsy Verification Environment
20.3.3.1 The Gypsy Language
20.3.3.2 The Bledsoe Theorem Prover
20.4 Current Verification Systems
20.4.1 The Prototype Verification System
20.4.1.1 The PVS Specification Language
20.4.1.2 The PVS Proof Checker
20.4.1.3 Experience with PVS
20.4.2 The Symbolic Model Verifier
20.4.2.1 The SMV Language
20.4.2.2 The SMV Proof Theory
20.4.2.3 SMV Experience
20.4.3 The Naval Research Laboratory Protocol Analyzer
20.4.3.1 NPA Languages
20.4.3.2 NPA Experience
20.5 Summary
20.6 Research Issues
20.7 Further Reading
20.8 Exercises
Chapter 21 Evaluating Systems
21.1 Goals of Formal Evaluation
21.1.1 Deciding to Evaluate
21.1.2 Historical Perspective of Evaluation Methodologies
21.2 TCSEC:1983-1999
21.2.1 TCSEC Requirements
21.2.1.1 TCSEC Functional Requirements
21.2.1.2 TCSEC Assurance Requirements
21.2.2 The TCSEC Evaluation Classes
21.2.3 The TCSEC Evaluation Process
21.2.4 Impacts
21.2.4.1 Scope Limitations
21.2.4.2 Process Limitations
21.2.4.3 Contributions
21.3 International Efforts and the ITSEC:1991-2001
21.3.1 ITSEC Assurance Requirements
21.3.1.1 Requirements in the TCSEC Not Found in the ITSEC
21.3.1.2 Requirements in the ITSEC Not Found in the TCSEC
21.3.2 The ITSEC Evaluation Levels
21.3.3 The ITSEC Evaluation Process
21.3.4 Impacts
21.3.4.1 Vendor-Provided Security Targets
21.3.4.2 Process Limitations
21.4 Commercial International Security Requirements:1991
21.4.1 CISR Requirements
21.4.2 Impacts
21.5 Other Commercial Efforts:Early 1990s
21.6 The Federal Criteria:1992
21.6.1 FC Requirements
21.6.2 Impacts
21.7 FIPS 140:1994-Present
21.7.1 FIPS 140 Requirements
21.7.2 FIPS 140-2 Security Levels
21.7.3 Impact
21.8 The Common Criteria:1998-Present
21.8.1 Overview of the Methodology
21.8.2 CC Requirements
21.8.3 CC Security Functional Requirements
21.8.4 Assurance Requirements
21.8.5 Evaluation Assurance Levels
21.8.6 Evaluation Process
21.8.7 Impacts
21.8.8 Future of the Common Criteria
21.8.8.1 Interpretations
21.8.8.2 Assurance Class AMA and Family ALC_FLR
21.8.8.3 Products Versus Systems
21.8.8.4 Protection Profiles and Security Targets
21.8.8.5 Assurance Class AVA
21.8.8.6 EAL5
21.9 SSE-CMM:1997-Present
21.9.1 The SSE-CMM Model
21.9.2 Using the SSE-CMM
21.10 Summary
21.11 Research Issues
21.12 Further Reading
21.13 Exercises
PART 7:SPECIAL TOPICS
Chapter 22 Malicious Logic
22.1 Introduction
22.2 Trojan Horses
22.3 Computer Viruses
22.3.1 Boot Sector Infectors
22.3.2 Executable Infectors
22.3.3 Multipartite Viruses
22.3.4 TSR Viruses
22.3.5 Stealth Viruses
22.3.6 Encrypted Viruses
22.3.7 Polymorphic Viruses
22.3.8 Macro Viruses
22.4 Computer Worms
22.5 Other Forms of Malicious Logic
22.5.1 Rabbits and Bacteria
22.5.2 Logic Bombs
22.6 Theory of Malicious Logic
22.6.1 Theory of Computer Viruses
22.7 Defenses
22.7.1 Malicious Logic Acting as Both Data and Instructions
22.7.2 Malicious Logic Assuming the Identity of a User
22.7.2.1 Information Flow Metrics
22.7.2.2 Reducing the Rights
22.7.2.3 Sandboxing
22.7.3 Malicious Logic Crossing Protection Domain Boundaries by Sharing
22.7.4 Malicious Logic Altering Files
22.7.5 Malicious Logic Performing Actions Beyond Specification
22.7.5.1 Proof-Carrying Code
22.7.6 Malicious Logic Altering Statistical Characteristics
22.7.7 The Notion of Trust
22.8 Summary
22.9 Research Issues
22.10 Further Reading
22.11 Exercises
Chapter 23 Vulnerability Analysis
23.1 Introduction
23.2 Penetration Studies
23.2.1 Goals
23.2.2 Layering of Tests
23.2.3 Methodology at Each Layer
23.2.4 Flaw Hypothesis Methodology
23.2.4.1 Information Gathering and Flaw Hypothesis
23.2.4.2 Flaw Testing
23.2.4.3 Flaw Generalization
23.2.4.4 Flaw Elimination
23.2.5 Example:Penetration of the Michigan Terminal System
23.2.6 Example:Compromise of a Burroughs System
23.2.7 Example:Penetration of a Corporate Computer System
23.2.8 Example:Penetrating a UNIX System
23.2.9 Example:Penetrating a Windows NT System
23.2.10 Debate
23.2.11 Conclusion
23.3 Vulnerability Classification
23.3.1 Two Security Flaws
23.4 Frameworks
23.4.1 The RISOS Study
23.4.1.1 The Flaw Classes
23.4.1.2 Legacy
23.4.2 Protection Analysis Model
23.4.2.1 The Flaw Classes
23.4.2.2 Analysis Procedure
23.4.2.3 Legacy
23.4.3 The NRL Taxonomy
23.4.3.1 The Flaw Classes
23.4.3.2 Legacy
23.4.4 Aslam's Model
23.4.4.1 The Flaw Classes
23.4.4.2 Legacy
23.4.5 Comparison and Analysis
23.4.5.1 The xterm Log File Flaw
23.4.5.2 The fingerd Buffer Overflow Flaw
23.4.5.3 Summary
23.5 Gupta and Gligor's Theory of Penetration Analysis
23.5.1 The Flow-Based Model of Penetration Analysis
23.5.2 The Automated Penetration Analysis Tool
23.5.3 Discussion
23.6 Summary
23.7 Research Issues
23.8 Further Reading
23.9 Exercises
Chapter 24 Auditing
24.1 Definitions
24.2 Anatomy of an Auditing System
24.2.1 Logger
24.2.2 Analyzer
24.2.3 Notifier
24.3 Designing an Auditing System
24.3.1 Implementation Considerations
24.3.2 Syntactic Issues
24.3.3 Log Sanitization
24.3.4 Application and System Logging
24.4 A Posteriori Design
24.4.1 Auditing to Detect Violations of a Known Policy
24.4.1.1 State-Based Auditing
24.4.1.2 Transition-Based Auditing
24.4.2 Auditing to Detect Known Violations of a Policy
24.5 Auditing Mechanisms
24.5.1 Secure Systems
24.5.2 Nonsecure Systems
24.6 Examples:Auditing File Systems
24.6.1 Audit Analysis of the NFS Version 2 Protocol
24.6.2 The Logging and Auditing File System(LAFS)
24.6.3 Comparison
24.7 Audit Browsing
24.8 Summary
24.9 Research Issues
24.10 Further Reading
24.11 Exercises
Chapter 25 Intrusion Detection
25.1 Principles
25.2 Basic Intrusion Detection
25.3 Models
25.3.1 Anomaly Modeling
25.3.1.1 Derivation of Statistics
25.3.2 Misuse Modeling
25.3.3 Specification Modeling
25.3.4 Summary
25.4 Architecture
25.4.1 Agent
25.4.1.1 Host-Based Information Gathering
25.4.1.2 Network-Based Information Gathering
25.4.1.3 Combining Sources
25.4.2 Director
25.4.3 Notifier
25.5 Organization of Intrusion Detection Systems
25.5.1 Monitoring Network Traffic for Intrusions:NSM
25.5.2 Combining Host and Network Monitoring:DIDS
25.5.3 Autonomous Agents:AAFID
25.6 Intrusion Response
25.6.1 Incident Prevention
25.6.2 Intrusion Handling
25.6.2.1 Containment Phase
25.6.2.2 Eradication Phase
25.6.2.3 Follow-Up Phase
25.7 Summary
25.8 Research Issues
25.9 Further Reading
25.10 Exercises
PART 8:PRACTICUM
Chapter 26 Network Security
26.1 Introduction
26.2 Policy Development
26.2.1 Data Classes
26.2.2 User Classes
26.2.3 Availability
26.2.4 Consistency Check
26.3 Network Organization
26.3.1 Firewalls and Proxies
26.3.2 Analysis of the Network Infrastructure
26.3.2.1 Outer Firewall Configuration
26.3.2.2 Inner Firewall Configuration
26.3.3 In the DMZ
26.3.3.1 DMZ Mail Server
26.3.3.2 DMZ WWW Server
26.3.3.3 DMZ DNS Server
26.3.3.4 DMZ Log Server
26.3.3.5 Summary
26.3.4 In the Internal Network
26.3.5 General Comment on Assurance
26.4 Availability and Network Flooding
26.4.1 Intermediate Hosts
26.4.2 TCP State and Memory Allocations
26.5 Anticipating Attacks
26.6 Summary
26.7 Research Issues
26.8 Further Reading
26.9 Exercises
Chapter 27 System Security
27.1 Introduction
27.2 Policy
27.2.1 The Web Server System in the DMZ
27.2.2 The Development System
27.2.3 Comparison
27.2.4 Conclusion
27.3 Networks
27.3.1 The Web Server System in the DMZ
27.3.2 The Development System
27.3.3 Comparison
27.4 Users
27.4.1 The Web Server System in the DMZ
27.4.2 The Development System
27.4.3 Comparison
27.5 Authentication
27.5.1 The Web Server System in the DMZ
27.5.2 Development Network System
27.5.3 Comparison
27.6 Processes
27.6.1 The Web Server System in the DMZ
27.6.2 The Development System
27.6.3 Comparison
27.7 Files
27.7.1 The Web Server System in the DMZ
27.7.2 The Development System
27.7.3 Comparison
27.8 Retrospective
27.8.1 The Web Server System in the DMZ
27.8.2 The Development System
27.9 Summary
27.10 Research Issues
27.11 Further Reading
27.12 Exercises
Chapter 28 User Security
28.1 Policy
28.2 Access
28.2.1 Passwords
28.2.2 The Login Procedure
28.2.2.1 Trusted Hosts
28.2.3 Leaving the System
28.3 Files and Devices
28.3.1 Files
28.3.1.1 File Permissions on Creation
28.3.1.2 Group Access
28.3.1.3 File Deletion
28.3.2 Devices
28.3.2.1 Writable Devices
28.3.2.2 Smart Terminals
28.3.2.3 Monitors and Window Systems
28.4 Processes
28.4.1 Copying and Moving Files
28.4.2 Accidentally Overwriting Files
28.4.3 Encryption,Cryptographic Keys,and Passwords
28.4.4 Start-up Settings
28.4.5 Limiting Privileges
28.4.6 Malicious Logic
28.5 Electronic Communications
28.5.1 Automated Electronic Mail Processing
28.5.2 Failure to Check Certificates
28.5.3 Sending Unexpected Content
28.6 Summary
28.7 Research Issues
28.8 Further Reading
28.9 Exercises
Chapter 29 Program Security
29.1 Introduction
29.2 Requirements and Policy
29.2.1 Requirements
29.2.2 Threats
29.2.2.1 Group 1:Unauthorized Users Accessing Role Accounts
29.2.2.2 Group 2:Authorized Users Accessing Role Accounts
29.2.2.3 Summary
29.3 Design
29.3.1 Framework
29.3.1.1 User Interface
29.3.1.2 High-Level Design
29.3.2 Access to Roles and Commands
29.3.2.1 Interface
29.3.2.2 Internals
29.3.2.3 Storage of the Access Control Data
29.4 Refinement and Implementation
29.4.1 First-Level Refinement
29.4.2 Second-Level Refinement
29.4.3 Functions
29.4.3.1 Obtaining Location
29.4.3.2 The Access Control Record
29.4.3.3 Error Handling in the Reading and Matching Routines
29.4.4 Summary
29.5 Common Security-Related Programming Problems
29.5.1 Improper Choice of Initial Protection Domain
29.5.1.1 Process Privileges
29.5.1.2 Access Control File Permissions
29.5.1.3 Memory Protection
29.5.1.4 Trust in the System
29.5.2 Improper Isolation of Implementation Detail
29.5.2.1 Resource Exhaustion and User Identifiers
29.5.2.2 Validating the Access Control Entries
29.5.2.3 Restricting the Protection Domain of the Role Process
29.5.3 Improper Change
29.5.3.1 Memory
29.5.3.2 Changes in File Contents
29.5.3.3 Race Conditions in File Accesses
29.5.4 Improper Naming
29.5.5 Improper Deallocation or Deletion
29.5.6 Improper Validation
29.5.6.1 Bounds Checking
29.5.6.2 Type Checking
29.5.6.3 Error Checking
29.5.6.4 Checking for Valid,not Invalid,Data
29.5.6.5 Checking Input
29.5.6.6 Designing for Validation
29.5.7 Improper Indivisibility
29.5.8 Improper Sequencing
29.5.9 Improper Choice of Operand or Operation
29.5.10 Summary
29.6 Testing,Maintenance,and Operation
29.6.1 Testing
29.6.1.1 Testing the Modules
29.6.2 Testing Composed Modules
29.6.3 Testing the Program
29.7 Distribution
29.8 Conclusion
29.9 Summary
29.10 Research Issues
29.11 Further Reading
29.12 Exercises
PART 9:END MATTER
Chapter 30 Lattices
30.1 Basics
30.2 Lattices
30.3 Exercises
Chapter 31 The Extended Euclidean Algorithm
31.1 The Euclidean Algorithm
31.2 The Extended Euclidean Algorithm
31.3 Solving ax mod n=1
31.4 Solving ax mod n=b
31.5 Exercises
Chapter 32 Entropy and Uncertainty
32.1 Conditional and Joint Probability
32.2 Entropy and Uncertainty
32.3 Joint and Conditional Entropy
32.3.1 Joint Entropy
32.3.2 Conditional Entropy
32.3.3 Perfect Secrecy
32.4 Exercises
Chapter 33 Virtual Machines
33.1 Virtual Machine Structure
33.2 Virtual Machine Monitor
33.2.1 Privilege and Virtual Machines
33.2.2 Physical Resources and Virtual Machines
33.2.3 Paging and Virtual Machines
33.3 Exercises
Chapter 34 Symbolic Logic
34.1 Propositional Logic
34.1.1 Natural Deduction in Propositional Logic
34.1.1.1 Rules
34.1.1.2 Derived Rules
34.1.2 Well-Formed Formulas
34.1.3 Truth Tables
34.1.4 Mathematical Induction
34.2 Predicate Logic
34.2.1 Natural Deduction in Predicate Logic
34.3 Temporal Logic Systems
34.3.1 Syntax of CTL
34.3.2 Semantics of CTL
34.4 Exercises
Chapter 35 Example Academic Security Policy
35.1 University of California E-mail Policy
35.1.1 Summary:E-mail Policy Highlights
35.1.1.1 Cautions
35.1.1.2 Do
35.1.1.3 Do Not
35.1.1.4 Does This Policy Apply to You?
35.1.2 University of California Electronic Mail Policy
35.1.2.1 Introduction
35.1.2.2 Purpose
35.1.2.3 Definitions
35.1.2.4 Scope
35.1.2.5 General Provisions
35.1.2.6 Specific Provisions
35.1.2.7 Policy Violations
35.1.2.8 Responsibility for Policy
35.1.2.9 Campus Responsibilities and Discretion
35.1.2.10 Appendix A-Definitions
35.1.2.11 Appendix B-References
35.1.2.12 Appendix C-Policies Relating to Nonconsensual Access
35.1.3 UC Davis Implementation of the Electronic Mail Policy
35.1.3.1 Purpose and Scope
35.1.3.2 Definitions
35.1.3.3 Policy
35.1.4 References and Related Policy
35.2 The Acceptable Use Policy for the University of California,Davis
35.2.1 Part I
35.2.1.1 Introduction
35.2.1.2 Rights and Responsibilities
35.2.1.3 Existing Legal Context
35.2.1.4 Enforcement
35.2.2 Part II
Bibliography
Index