Académique Documents
Professionnel Documents
Culture Documents
Matt Bishop
A Addison-Wesley
Boston San Francisco New York Toronto Montreal
London Munich Paris Madrid
Capetown Sydney Tokyo Singapore Mexico City
Contents
Preface
Goals
Philosophy
Organization
Roadmap
Dependencies
Background
Undergraduate Level
Graduate Level
Practitioners
Special Acknowledgment
Acknowledgments
PART 1: INTRODUCTION
Chapter 1 An Overview of Computer Security
1.1 The Basic Components
1.1.1 Confidentiality
1.1.2 Integrity
1.1.3 Availability
1.2 Threats
1.3 Policy and Mechanism
1.3.1 Goals of Security
1.4 Assumptions and Trust
1.5 Assurance
1.5.1 Specification
1.5.2 Design
1.5.3 Implementation
1.6 Operational Issues
1.6.1 Cost-Benefit Analysis
1.6.2 Risk Analysis
1.6.3 Laws and Customs
xxxi
xxxii
xxxiii
xxxv
xxxvi
xxxvi
xxxvii
xxxviii
xxxviii
xl
xl
xl
1
3
3
4
5
6
6
9
10
11
12
13
14
14
16
16
17
18
vii
viii
Contents
19
20
21
22
23
24
24
25
PART 2: FOUNDATIONS
29
31
31
32
35
36
37
40
41
42
42
43
43
44
44
44
47
47
48
53
55
58
60
63
65
65
66
66
Contents
3.5
3.6
3.7
3.8
3.9
ix
68
68
69
72
78
78
79
83
88
90
90
91
91
PART 3: POLICY
93
Chapter 4
95
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
Security Policies
Security Policies
Types of Security Policies
The Role of Trust
Types of Access Control
Policy Languages
4.5.1 High-Level Policy Languages
4.5.2 Low-Level Policy Languages
Example: Academic Computer Security Policy
4.6.1 General University Policy
4.6.2 Electronic Mail Policy
4.6.2.1 The Electronic Mail Policy Summary
4.6.2.2 The Full Policy
4.6.2.3 Implementation at UC Davis
Security and Precision
Summary
Research Issues
Further Reading
Exercises
Chapter 5
95
99
101
; . . . 103
104
104
109
Ill
Ill
112
112
113
114
114
119
119
120
120
Confidentiality Policies
123
123
124
Contents
5.3
5.4
5.5
5.6
5.7
5.8
Chapter 6
Integrity Policies
124
128
128
131
132
134
136
139
140
141
142
143
143
146
148
148
148
149
150
151
6.1 Goals
6.2 Biba Integrity Model
6.2.1 Low-Water-Mark Policy
6.2.2 Ring Policy
6.2.3 Biba's Model (Strict Integrity Policy)
6.3 Lipner's Integrity Matrix Model
6.3.1 Lipner's Use of the Bell-LaPadula Model
6.3.2 Lipner's Full Model
6.3.3 Comparison with Biba
6.4 Clark-Wilson Integrity Model
6.4.1 The Model
6.4.1.1 A UNIX Approximation to Clark-Wilson
6.4.2 Comparison with the Requirements
6.4.3 Comparison with Other Models
6.5 Summary
6.6 Research Issues
6.7 Further Reading
6.8 Exercises
151
153
154
155
155
156
156
158
160
160
161
164
164
165
166
166
167
167
Chapter 7
169
Hybrid Policies
169
Contents
7.2
7.3
7.4
7.5
7.6
7.7
7.8
Chapter 8
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
170
172
175
177
177
179
180
182
184
184
184
185
187
The Problem
187
8.1.1 Composition of Bell-LaPadula Models
188
Deterministic Noninterference
191
8.2.1 Unwinding Theorem
195
8.2.2 Access Control Matrix Interpretation
197
8.2.3 Security Policies That Change over Time
200
8.2.4 Composition of Deterministic Noninterference-Secure Systems . . . .201
Nondeducibility
202
8.3.1 Composition of Deducibly Secure Systems
204
Generalized Noninterference
205
8.4.1 Composition of Generalized Noninterference Systems
206
Restrictiveness
208
8.5.1 State Machine Model
208
8.5.2 Composition of Restrictive Systems
209
Summary
210
Research Issues
211
Further Reading
211
Exercises
212
215
217
217
218
219
220
xii
9.3
9.4
9.5
9.6
9.7
9.8
Contents
221
227
228
232
233
233
234
237
239
239
240
240
241
245
246
246
247
250
251
252
254
255
256
256
258
260
261
261
262
263
264
265
265
266
267
267
267
269
270
271
Contents
xiii
272
272
275
11.1 Problems
11.1.1 Precomputing the Possible Messages
11.1.2 Misordered Blocks
11.1.3 Statistical Regularities
11.1.4 Summary
11.2 Stream and Block Ciphers
11.2.1 Stream Ciphers
11.2.1.1 Synchronous Stream Ciphers
11.2.1.2 Self-Synchronous Stream Ciphers
11.2.2 Block Ciphers
11.2.2.1 Multiple Encryption
11.3 Networks and Cryptography
11.4 Example Protocols
11.4.1 Secure Electronic Mail: PEM
11.4.1.1 Design Principles
11.4.1.2 Basic Design
11.4.1.3 Other Considerations
11.4.1.4 Conclusion
11.4.2 Security at the Transport Layer: SSL
11.4.2.1 Supporting Cryptographic Mechanisms
11.4.2.2 Lower Layer: SSL Record Protocol
11.4.2.3 Upper Layer: SSL Handshake Protocol
11.4.2.4 Upper Layer: SSL Change Cipher Spec Protocol
11.4.2.5 Upper Layer: SSL Alert Protocol
11.4.2.6 Upper Layer: Application Data Protocol
11.4.2.7 Summary
11.4.3 Security at the Network Layer: IPsec
11.4.3.1 IPsec Architecture
11.4.3.2 Authentication Header Protocol
11.4.3.3 Encapsulating Security Payload Protocol
11.4.4 Conclusion
11.5 Summary
11.6 Research Issues
11.7 Further Reading
11.8 Exercises
275
275
276
276
277
277
277
278
280
281
282
283
286
286
287
288
289
290
291
292
294
295
297
297
298
298
298
299
303
304
305
306
306
306
307
xiv
Contents
Chapter 12 Authentication
309
309
310
312
313
314
339
341
341
343
343
344
344
345
315
316
320
321
322
324
324
325
326
327
328
328
329
329
329
330
330
330
331
331
333
334
335
335
Contents
13.3
13.4
13.5
13.6
13.2.5 Principle
13.2.6 Principle
13.2.7 Principle
13.2.8 Principle
Summary
Research Issues
Further Reading
Exercises
of Open Design
of Separation of Privilege
of Least Common Mechanism
of Psychological Acceptability
xv
346
347
348
348
349
350
350
351
353
14.1
14.2
14.3
14.4
14.5
353
354
355
356
357
360
363
364
366
366
367
368
369
371
375
377
378
378
379
14.6
14.7
14.8
14.9
14.10
What Is Identity?
Files and Objects
Users
Groups and Roles
Naming and Certificates
14.5.1 Conflicts
14.5.2 The Meaning of the Identity
14.5.3 Trust
Identity on the Web
14.6.1 Host Identity
14.6.1.1 Static and Dynamic Identifiers
14.6.1.2 Security Issues with the Domain Name Service
14.6.2 State and Cookies
14.6.3 Anonymity on the Web
14.6.3.1 Anonymity for Better or Worse
Summary
Research Issues
Further Reading
Exercises
381
381
382
384
385
385
386
386
387
387
388
xvi
Contents
15.2 Capabilities
15.2.1 Implementation of Capabilities
15.2.2 Copying and Amplifying Capabilities
15.2.3 Revocation of Rights
15.2.4 Limits of Capabilities
15.2.5 Comparison with Access Control Lists
15.3 Locks and Keys
15.3.1 Type Checking
15.3.2 Sharing Secrets
15.4 Ring-Based Access Control
15.5 Propagated Access Control Lists
15.6 Summary
15.7 Research Issues
15.8 Further Reading
15.9 Exercises
390
391
392
393
394
395
396
397
399
400
402
404
404
405
405
407
407
408
409
410
411
412
413
415
416
418
418
419
419
420
421
424
424
426
428
429
430
432
433
434
434
Contents
16.6
16.7
16.8
16.9
Summary
Research Issues
Further Reading
Exercises
xvii
436
436
437
437
439
439
442
442
444
446
448
448
450
453
454
462
. . . . . .462
464
465
467
470
471
472
.472
17.3.2
17.4
17.5
17.6
17.7
17.3.1.3
17.3.1.4
Analysis
17.3.2.1
17.3.2.2
PART 6: ASSURANCE
Contributed by Elisabeth Sullivan
475
477
477
479
481
482
484
484
485
486
487
488
xviii
18.3
18.4
18.5
18.6
Contents
488
488
489
489
490
490
490
491
491
491
491
492
492
492
493
494
494
497
497
498
499
500
501
505
508
510
510
512
513
513
515
520
521
521
522
523
523
. 523
526
527
528
Contents
xix
531
531
532
533
533
536
536
541
541
541
542
542
543
545
545
548
551
551
553
555
556
557
557
558
559
559
559
561
562
562
562
564
566
566
566
567
567
568
568
569
xx
Contents
571
571
572
573
574
575
575
576
577
578
578
579
579
580
581
582
. 582
. 583
583
584
585
585
585
586
586
587
587
587
588
588
589
589
590
591
591
592
596
597
599
599
601
602
Contents
21.8.8
21.9
21.10
21.11
21.12
21.13
xxi
602
602
603
603
603
603
604
604
604
606
607
608
608
609
611
613
613
614
615
617
618
619
620
620
620
621
622
623
624
624
625
626
626
630
630
631
631
632
635
xxii
Contents
22.7.3
22.8
22.9
22.10
22.11
636
637
638
638
639
640
640
640
641
642
645
23.1 Introduction
23.2 Penetration Studies
23.2.1 Goals
23.2.2 Layering of Tests
23.2.3 Methodology at Each Layer
23.2.4 Flaw Hypothesis Methodology
23.2.4.1 Information Gathering and Flaw Hypothesis
23.2.4.2 Flaw Testing
23.2.4.3 Flaw Generalization
23.2.4.4 Flaw Elimination
23.2.5 Example: Penetration of the Michigan Terminal System
23.2.6 Example: Compromise of a Burroughs System
23.2.7 Example: Penetration of a Corporate Computer System
23.2.8 Example: Penetrating a UNIX System
23.2.9 Example: Penetrating a Windows NT System
23.2.10 Debate
23.2.11 Conclusion
23.3 Vulnerability Classification
23.3.1 Two Security Flaws
23.4 Frameworks
23.4.1 The RISOS Study
23.4.1.1 The Flaw Classes
23.4.1.2 Legacy
23.4.2 Protection Analysis Model
23.4.2.1 The Flaw Classes
23.4.2.2 Analysis Procedure
23.4.2.3 Legacy
645
647
647
648
649
649
650
651
651
652
652
654
655
656
658
659
660
660
661
662
662
664
665
665
666
668
670
Contents
23.4.3
23.5
23.6
23.7
23.8
23.9
xxiii
671
671
672
673
673
673
674
674
676
678
678
679
682
682
683
683
684
685
Chapter 24 Auditing
689
24.1 Definitions
24.2 Anatomy of an Auditing System
24.2.1 Logger
24.2.2 Analyzer
24.2.3 Notifier
24.3 Designing an Auditing System
24.3.1 Implementation Considerations
24.3.2 Syntactic Issues
24.3.3 Log Sanitization
24.3.4 Application and System Logging
24.4 A Posteriori Design
24.4.1 Auditing to Detect Violations of a Known Policy
24.4.1.1 State-Based Auditing
24.4.1.2 Transition-Based Auditing
24.4.2 Auditing to Detect Known Violations of a Policy
24.5 Auditing Mechanisms
24.5.1 Secure Systems
24.5.2 Nonsecure Systems
24.6 Examples: Auditing File Systems
24.6.1 Audit Analysis of the NFS Version 2 Protocol
24.6.2 The Logging and Auditing File System (LAFS)
24.6.3 Comparison
689
690
690
692
693
693
696
696
698
700
701
702
702
703
704
705
706
707
708
709
713
714
xxiv
24.7
24.8
24.9
24.10
24.11
Contents
Audit Browsing
Summary
Research Issues
Further Reading
Exercises
715
718
718
719
720
723
25.1 Principles
25.2 Basic Intrusion Detection
25.3 Models
25.3.1 Anomaly Modeling
25.3.1.1 Derivation of Statistics
25.3.2 Misuse Modeling
25.3.3 Specification Modeling
25.3.4 Summary
25.4 Architecture
25.4.1 Agent
25.4.1.1 Host-Based Information Gathering
25.4.1.2 Network-Based Information Gathering
25.4.1.3 Combining Sources
25.4.2 Director
25.4.3 Notifier
25.5 Organization of Intrusion Detection Systems
25.5.1 Monitoring Network Traffic for Intrusions: NSM
25.5.2 Combining Host and Network Monitoring: DIDS
25.5.3 Autonomous Agents: AAFID
25.6 Intrusion Response
25.6.1 Incident Prevention
25.6.2 Intrusion Handling
25.6.2.1 Containment Phase
25.6.2.2 Eradication Phase
25.6.2.3 Follow-Up Phase
25.7 Summary
25.8 Research Issues
25.9 Further Reading
25.10 Exercises
723
724
727
727
730
733
738
740
742
742
744
744
745
746
747
748
749
750
752
754
754
755
756
757
760
765
765
767
767
PART 8: PRACTICUM
771
773
773
774
Contents
26.3
26.4
26.5
26.6
26.7
26.8
26.9
xxv
775
776
778
778
779
780
782
783
785
786
786
787
789
789
790
790
792
793
793
794
796
798
798
799
799
805
805
806
806
807
810
811
811
812
814
816
817
817
819
822
xxvi
Contents
27.5 Authentication
27.5.1 The Web Server System in the DMZ
27.5.2 Development Network System
27.5.3 Comparison
27.6 Processes
27.6.1 The Web Server System in the DMZ
27.6.2 The Development System
27.6.3 Comparison
27.7 Files
27.7.1 The Web Server System in the DMZ
27.7.2 The Development System
27.7.3 Comparison
27.8 Retrospective
27.8.1 The Web Server System in the DMZ
27.8.2 The Development System
27.9 Summary
27.10 Research Issues
27.11 Further Reading
27.12 Exercises
822
823
823
825
825
825
829
830
831
831
833
835
837
837
838
838
839
840
840
845
28.1 Policy
28.2 Access
28.2.1 Passwords
28.2.2 The Login Procedure
28.2.2.1 Trusted Hosts
28.2.3 Leaving the System
28.3 Files and Devices
28.3.1 Files
28.3.1.1 File Permissions on Creation
28.3.1.2 Group Access
28.3.1.3 File Deletion
28.3.2 Devices
'.
28.3.2.1 Writable Devices
28.3.2.2 Smart Terminals
28.3.2.3 Monitors and Window Systems
28.4 Processes
28.4.1 Copying and Moving Files
28.4.2 Accidentally Overwriting Files
28.4.3 Encryption, Cryptographic Keys, and Passwords
28.4.4 Start-up Settings
28.4.5 Limiting Privileges
845
846
846
848
850
850
852
852
853
854
855
857
857
857
859
860
860
861
861
863,
863
Contents
xxvii
864
865
865
865
866
866
867
867
868
869
29.1 Introduction
29.2 Requirements and Policy
29.2.1 Requirements
29.2.2 Threats
29.2.2.1 Group 1: Unauthorized Users
Accessing Role Accounts
29.2.2.2 Group 2: Authorized Users
Accessing Role Accounts
29.2.2.3 Summary
29.3 Design
29.3.1 Framework
29.3.1.1 User Interface
29.3.1.2 High-Level Design
29.3.2 Access to Roles and Commands
29.3.2.1 Interface
29.3.2.2 Internals
29.3.2.3 Storage of the Access Control Data
29.4 Refinement and Implementation
29.4.1 First-Level Refinement
29.4.2 Second-Level Refinement
29.4.3 Functions
29.4.3.1 Obtaining Location
29.4.3.2 The Access Control Record
29.4.3.3 Error Handling in the Reading and
Matching Routines
29.4.4 Summary
29.5 Common Security-Related Programming Problems
29.5.1 Improper Choice of Initial Protection Domain
29.5.1.1 Process Privileges
29.5.1.2 Access Control File Permissions
869
870
870
871
871
872
873
873
874
874
874
875
876
876
877
880
880
881
884
884
885
886
887
887
888
888
890
xxviii
29.6
29.7
29.8
29.9
29.10
29.11
29.12
Contents
891
892
893
893
894
894
895
895
898
898
899
901
902
902
903
904
904
905
907
907
908
909
911
913
914
915
916
917
917
919
919
919
920
920
923
Chapter 30 Lattices
30.1 Basics
30.2 Lattices
30.3 Exercises
925
925
926
927
Contents
XXIX
929
31.1
31.2
31.3
31.4
31.5
929
930
932
932
933
935
935
937
938
938
939
940
940
941
941
942
943
944
945
946
947
947
948
949
950
950
950
951
952
953
954
954
955
956
959
959
xxx
Contents
35.1.1
959
959
960
961
961
961
961
963
963
964
965
967
971
971
971
972
975
Bibliography
993
Index
976
977
978
978
978
988
989
989
989
989
989
990
990
1063