Security Engineering
A Guide to Building
Dependable Distributed
Systems
Second Edition
Ross J. Anderson

Wiley Publishing, Inc.


Security Engineering: A Guide to Building Dependable Distributed Systems,
Second Edition
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
Copyright © 2008 by Ross J. Anderson. All Rights Reserved.
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-06852-6
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be
addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317)
572-3447, fax (317) 572-4355, or online at />Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with

respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work
is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional
services. If professional assistance is required, the services of a competent professional person should be sought.
Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or
Website is referred to in this work as a citation and/or a potential source of further information does not mean that
the author or the publisher endorses the information the organization or Website may provide or recommendations
it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Library of Congress Cataloging-in-Publication Data
Anderson, Ross, 1956Security engineering : a guide to building dependable distributed systems / Ross J Anderson. — 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-06852-6 (cloth)
1. Computer security. 2. Electronic data processing–Distributed processing. I. Title.
QA76.9.A25A54 2008
005.1–dc22
2008006392
Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks of John Wiley
& Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written
permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated
with any product or vendor mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be
available in electronic books.


To Shireen




Credits

Executive Editor
Carol Long
Senior Development
Editor
Tom Dinse
Production Editor
Tim Tate
Editorial Manager
Mary Beth Wakefield
Production Manager
Tim Tate
Vice President
and Executive Group
Publisher
Richard Swadley

Vice President
and Executive
Publisher
Joseph B. Wikert
Project Coordinator,
Cover
Lynsey Stanford
Proofreader
Nancy Bell

Indexer
Jack Lewis
Cover Image
© Digital Vision/Getty Images
Cover Design
Michael E. Trent

v



Contents at a Glance

Preface to the Second Edition

xxv

Foreword by Bruce Schneier

xxvii

Preface

xxix

Acknowledgments

xxxv

Part I

Chapter 1

What Is Security Engineering?

3

Chapter 2

Usability and Psychology

17

Chapter 3

Protocols

63

Chapter 4

Access Control

93

Chapter 5

Cryptography

129


Chapter 6

Distributed Systems

185

Chapter 7

Economics

215

Chapter 8

Multilevel Security

239

Chapter 9

Multilateral Security

275

Part II

Chapter 10 Banking and Bookkeeping

313


Chapter 11 Physical Protection

365

Chapter 12 Monitoring and Metering

389

Chapter 13 Nuclear Command and Control

415
vii


viii

Contents at a Glance
Chapter 14 Security Printing and Seals

433

Chapter 15 Biometrics

457

Chapter 16 Physical Tamper Resistance

483

Chapter 17 Emission Security


523

Chapter 18 API Attacks

547

Chapter 19 Electronic and Information Warfare

559

Chapter 20 Telecom System Security

595

Chapter 21 Network Attack and Defense

633

Chapter 22 Copyright and DRM

679

Chapter 23 The Bleeding Edge

727

Part III
Chapter 24 Terror, Justice and Freedom


769

Chapter 25 Managing the Development of Secure Systems

815

Chapter 26 System Evaluation and Assurance

857

Chapter 27 Conclusions

889

Bibliography

893

Index

997


Contents

Preface to the Second Edition

xxv

Foreword by Bruce Schneier


xxvii

Preface

xxix

Acknowledgments

xxxv

Part I
Chapter 1

What Is Security Engineering?
Introduction
A Framework
Example 1–A Bank
Example 2–A Military Base
Example 3–A Hospital
Example 4–The Home
Definitions
Summary

3
3
4
6
7
9

10
11
15

Chapter 2

Usability and Psychology
Introduction
Attacks Based on Psychology
Pretexting
Phishing
Insights from Psychology Research
What the Brain Does Worse Than the Computer
Perceptual Bias and Behavioural Economics
Different Aspects of Mental Processing
Differences Between People
Social Psychology
What the Brain Does Better Than Computer

17
17
18
19
21
22
23
24
26
27
28

30
ix


x

Contents

Chapter 3

Passwords
Difficulties with Reliable Password Entry
Difficulties with Remembering the Password
Naive Password Choice
User Abilities and Training
Design Errors
Operational Issues
Social-Engineering Attacks
Trusted Path
Phishing Countermeasures
Password Manglers
Client Certs or Specialist Apps
Using the Browser’s Password Database
Soft Keyboards
Customer Education
Microsoft Passport
Phishing Alert Toolbars
Two-Factor Authentication
Trusted Computing
Fortified Password Protocols

Two-Channel Authentication
The Future of Phishing
System Issues
Can You Deny Service?
Protecting Oneself or Others?
Attacks on Password Entry
Interface Design
Eavesdropping
Technical Defeats of Password Retry Counters
Attacks on Password Storage
One-Way Encryption
Password Cracking
Absolute Limits
CAPTCHAs
Summary
Research Problems
Further Reading

31
32
33
34
35
37
39
40
42
43
43
44

44
45
45
46
47
47
48
49
49
50
52
53
53
54
54
55
55
56
56
57
57
59
60
61
61

Protocols
Introduction
Password Eavesdropping Risks
Who Goes There? — Simple Authentication

Challenge and Response
The MIG-in-the-Middle Attack
Reflection Attacks
Manipulating the Message
Changing the Environment

63
63
65
66
70
73
76
78
79


Contents
Chosen Protocol Attacks
Managing Encryption Keys
Basic Key Management
The Needham-Schroeder Protocol
Kerberos
Practical Key Management
Getting Formal
A Typical Smartcard Banking Protocol
The BAN Logic
Verifying the Payment Protocol
Limitations of Formal Verification
Summary

Research Problems
Further Reading
Chapter 4

Access Control
Introduction
Operating System Access Controls
Groups and Roles
Access Control Lists
Unix Operating System Security
Apple’s OS/X
Windows — Basic Architecture
Capabilities
Windows — Added Features
Middleware
Database Access Controls
General Middleware Issues
ORBs and Policy Languages
Sandboxing and Proof-Carrying Code
Virtualization
Trusted Computing
Hardware Protection
Intel Processors, and ‘Trusted Computing’
ARM Processors
Security Processors
What Goes Wrong
Smashing the Stack
Other Technical Attacks
User Interface Failures
Why So Many Things Go Wrong

Remedies
Environmental Creep
Summary
Research Problems
Further Reading

80
82
83
84
85
86
87
87
88
89
90
91
92
92
93
93
96
98
99
100
101
102
103
104

107
107
108
109
110
111
111
113
114
116
116
117
118
119
121
122
124
125
126
127
127

xi


xii

Contents
Chapter 5


Cryptography
Introduction
Historical Background
An Early Stream Cipher — The Vigen`ere
The One-Time Pad
An Early Block Cipher — Playfair
One-Way Functions
Asymmetric Primitives
The Random Oracle Model
Random Functions — Hash Functions
Properties
The Birthday Theorem
Random Generators — Stream Ciphers
Random Permutations — Block Ciphers
Public Key Encryption and Trapdoor One-Way Permutations
Digital Signatures
Symmetric Crypto Primitives
SP-Networks
Block Size
Number of Rounds
Choice of S-Boxes
Linear Cryptanalysis
Differential Cryptanalysis
Serpent
The Advanced Encryption Standard (AES)
Feistel Ciphers
The Luby-Rackoff Result
DES
Modes of Operation
Electronic Code Book

Cipher Block Chaining
Output Feedback
Counter Encryption
Cipher Feedback
Message Authentication Code
Composite Modes of Operation
Hash Functions
Extra Requirements on the Underlying Cipher
Common Hash Functions and Applications
Asymmetric Crypto Primitives
Cryptography Based on Factoring
Cryptography Based on Discrete Logarithms
Public Key Encryption — Diffie Hellman and ElGamal
Key Establishment
Digital Signature
Special Purpose Primitives

129
129
130
131
132
134
136
138
138
140
141
142
143

144
146
147
149
149
150
150
151
151
152
153
153
155
157
157
160
160
161
161
162
163
163
164
165
166
167
170
170
173
174

175
176
178


Contents
Elliptic Curve Cryptography
Certification
The Strength of Asymmetric Cryptographic Primitives

179
179
181

Summary
Research Problems
Further Reading

182
183
183

Chapter 6

Distributed Systems
Introduction
Concurrency
Using Old Data Versus Paying to Propagate State
Locking to Prevent Inconsistent Updates
The Order of Updates

Deadlock
Non-Convergent State
Secure Time
Fault Tolerance and Failure Recovery
Failure Models
Byzantine Failure
Interaction with Fault Tolerance
What Is Resilience For?
At What Level Is the Redundancy?
Service-Denial Attacks
Naming
The Distributed Systems View of Naming
What Else Goes Wrong
Naming and Identity
Cultural Assumptions
Semantic Content of Names
Uniqueness of Names
Stability of Names and Addresses
Adding Social Context to Naming
Restrictions on the Use of Names
Types of Name
Summary
Research Problems
Further Reading

185
185
186
186
188

188
189
190
191
192
193
193
194
195
197
198
200
200
204
204
206
207
207
208
209
210
211
211
212
213

Chapter 7

Economics
Introduction

Classical Economics
Monopoly
Public Goods
Information Economics
The Price of Information
The Value of Lock-In
Asymmetric Information

215
215
216
217
219
220
220
221
223

xiii


xiv

Contents
Game Theory
The Prisoners’ Dilemma
Evolutionary Games
The Economics of Security and Dependability
Weakest Link, or Sum of Efforts?
Managing the Patching Cycle

Why Is Windows So Insecure?
Economics of Privacy
Economics of DRM
Summary
Research Problems
Further Reading

223
225
226
228
229
229
230
232
233
234
235
235

Multilevel Security
Introduction
What Is a Security Policy Model?
The Bell-LaPadula Security Policy Model
Classifications and Clearances
Information Flow Control
The Standard Criticisms of Bell-LaPadula
Alternative Formulations
The Biba Model and Vista
Historical Examples of MLS Systems

SCOMP
Blacker
MLS Unix and Compartmented Mode Workstations
The NRL Pump
Logistics Systems
Sybard Suite
Wiretap Systems
Future MLS Systems
Vista
Linux
Virtualization
Embedded Systems
What Goes Wrong
Composability
The Cascade Problem
Covert Channels
The Threat from Viruses
Polyinstantiation
Other Practical Problems
Broader Implications of MLS

239
239
240
242
243
245
246
248
250

252
252
253
253
254
255
256
256
257
257
258
260
261
261
261
262
263
265
266
267
269

Part II
Chapter 8


Contents

Chapter 9


Summary
Research Problems
Further Reading

272
272
272

Multilateral Security
Introduction
Compartmentation, the Chinese Wall and the BMA Model
Compartmentation and the Lattice Model
The Chinese Wall
The BMA Model
The Threat Model
The Security Policy
Pilot Implementations
Current Privacy Issues
Inference Control
Basic Problems of Inference Control in Medicine
Other Applications of Inference Control
The Theory of Inference Control
Query Set Size Control
Trackers
More Sophisticated Query Controls
Cell Suppression
Maximum Order Control and the Lattice Model
Audit Based Control
Randomization
Limitations of Generic Approaches

Active Attacks
The Value of Imperfect Protection
The Residual Problem
Summary
Research Problems
Further Reading

275
275
277
277
281
282
284
287
289
290
293
293
296
297
298
298
298
299
300
300
301
302
304

305
306
309
310
310

Chapter 10 Banking and Bookkeeping
Introduction
The Origins of Bookkeeping
Double-Entry Bookkeeping
A Telegraphic History of E-commerce
How Bank Computer Systems Work
The Clark-Wilson Security Policy Model
Designing Internal Controls
What Goes Wrong
Wholesale Payment Systems
SWIFT
What Goes Wrong
Automatic Teller Machines
ATM Basics

313
313
315
316
316
317
319
320
324

328
329
331
333
334

xv


xvi

Contents
What Goes Wrong
Incentives and Injustices

Credit Cards
Fraud
Forgery
Automatic Fraud Detection
The Economics of Fraud
Online Credit Card Fraud — the Hype and the Reality
Smartcard-Based Banking
EMV
Static Data Authentication
Dynamic Data Authentication
Combined Data Authentication
RFID
Home Banking and Money Laundering
Summary
Research Problems

Further Reading

337
341

343
344
345
346
347
348
350
351
352
356
356
357
358
361
362
363

Chapter 11 Physical Protection
Introduction
Threats and Barriers
Threat Model
Deterrence
Walls and Barriers
Mechanical Locks
Electronic Locks

Alarms
How not to Protect a Painting
Sensor Defeats
Feature Interactions
Attacks on Communications
Lessons Learned
Summary
Research Problems
Further Reading

365
365
366
367
368
370
372
376
378
379
380
382
383
386
387
388
388

Chapter 12 Monitoring and Metering
Introduction

Prepayment Meters
Utility Metering
How the System Works
What Goes Wrong
Taxi Meters, Tachographs and Truck Speed Limiters
The Tachograph
What Goes Wrong
How Most Tachograph Manipulation Is Done

389
389
390
392
393
395
397
398
399
400


Contents
Tampering with the Supply
Tampering with the Instrument
High-Tech Attacks
The Digital Tachograph Project
System Level Problems
Other Problems
The Resurrecting Duckling


Postage Meters
Summary
Research Problems
Further Reading

401
401
402
403
404
405
407

408
412
413
414

Chapter 13 Nuclear Command and Control
Introduction
The Evolution of Command and Control
The Kennedy Memorandum
Authorization, Environment, Intent
Unconditionally Secure Authentication
Shared Control Schemes
Tamper Resistance and PALs
Treaty Verification
What Goes Wrong
Secrecy or Openness?
Summary

Research Problems
Further Reading

415
415
417
418
419
420
422
424
426
427
429
430
430
430

Chapter 14 Security Printing and Seals
Introduction
History
Security Printing
Threat Model
Security Printing Techniques
Packaging and Seals
Substrate Properties
The Problems of Glue
PIN Mailers
Systemic Vulnerabilities
Peculiarities of the Threat Model

Anti-Gundecking Measures
The Effect of Random Failure
Materials Control
Not Protecting the Right Things
The Cost and Nature of Inspection
Evaluation Methodology
Summary
Research Problems
Further Reading

433
433
434
435
436
437
443
443
444
445
446
447
448
449
450
451
451
453
454
454

455

xvii


xviii Contents
Chapter 15 Biometrics
Introduction
Handwritten Signatures
Face Recognition
Bertillonage
Fingerprints
Verifying Positive or Negative Identity Claims
Crime Scene Forensics
Iris Codes
Voice Recognition
Other Systems
What Goes Wrong
Summary
Research Problems
Further Reading

457
457
458
461
464
464
466
469

472
475
476
477
481
482
482

Chapter 16 Physical Tamper Resistance
Introduction
History
High-End Physically Secure Processors
Evaluation
Medium Security Processors
The iButton
The Dallas 5000 Series
FPGA Security, and the Clipper Chip
Smartcards and Microcontrollers
History
Architecture
Security Evolution
The State of the Art
Defense in Depth
Stop Loss
What Goes Wrong
The Trusted Interface Problem
Conflicts
The Lemons Market, Risk Dumping and Evaluation
Security-By-Obscurity
Interaction with Policy

Function Creep
So What Should One Protect?
Summary
Research Problems
Further Reading

483
483
485
486
492
494
494
495
496
499
500
501
501
512
513
513
514
514
515
516
517
517
518
518

520
520
520

Chapter 17 Emission Security
Introduction
History

523
523
524


Contents
Technical Surveillance and Countermeasures
Passive Attacks
Leakage Through Power and Signal Cables
Red/Black Separation
Timing Analysis
Power Analysis
Leakage Through RF Signals
Active Attacks
Tempest Viruses
Nonstop
Glitching
Differential Fault Analysis
Combination Attacks
Commercial Exploitation
Defenses
Optical, Acoustic and Thermal Side Channels

How Serious are Emsec Attacks?
Governments
Businesses
Summary
Research Problems
Further Reading

526
530
530
530
531
531
534
538
538
539
540
540
540
541
541
542
544
544
545
546
546
546


Chapter 18 API Attacks
Introduction
API Attacks on Security Modules
The XOR-To-Null-Key Attack
The Attack on the 4758
Multiparty Computation, and Differential Protocol Attacks
The EMV Attack
API Attacks on Operating Systems
Summary
Research Problems
Further Reading

547
547
548
549
551
552
553
554
555
557
557

Chapter 19 Electronic and Information Warfare
Introduction
Basics
Communications Systems
Signals Intelligence Techniques
Attacks on Communications

Protection Techniques
Frequency Hopping
DSSS
Burst Communications
Combining Covertness and Jam Resistance
Interaction Between Civil and Military Uses

559
559
560
561
563
565
567
568
569
570
571
572

xix


xx

Contents
Surveillance and Target Acquisition
Types of Radar
Jamming Techniques
Advanced Radars and Countermeasures

Other Sensors and Multisensor Issues
IFF Systems
Improvised Explosive Devices
Directed Energy Weapons
Information Warfare
Definitions
Doctrine
Potentially Useful Lessons from Electronic Warfare
Differences Between E-war and I-war
Summary
Research Problems
Further Reading

574
574
575
577
578
579
582
584
586
587
588
589
591
592
592
593


Chapter 20 Telecom System Security
Introduction
Phone Phreaking
Attacks on Metering
Attacks on Signaling
Attacks on Switching and Configuration
Insecure End Systems
Feature Interaction
Mobile Phones
Mobile Phone Cloning
GSM Security Mechanisms
Third Generation Mobiles — 3gpp
Platform Security
So Was Mobile Security a Success or a Failure?
VOIP
Security Economics of Telecomms
Frauds by Phone Companies
Billing Mechanisms
Summary
Research Problems
Further Reading

595
595
596
596
599
601
603
605

606
607
608
617
619
621
623
624
625
627
630
631
632

Chapter 21 Network Attack and Defense
Introduction
Vulnerabilities in Network Protocols
Attacks on Local Networks
Attacks Using Internet Protocols and Mechanisms
SYN Flooding
Smurfing
Distributed Denial of Service Attacks

633
633
635
636
638
638
639

640


Contents
Spam
DNS Security and Pharming

Trojans, Viruses, Worms and Rootkits
Early History of Malicious Code
The Internet Worm
How Viruses and Worms Work
The History of Malware
Countermeasures
Defense Against Network Attack
Configuration Management and Operational Security
Filtering: Firewalls, Spam Filters, Censorware and Wiretaps
Packet Filtering
Circuit Gateways
Application Relays
Ingress Versus Egress Filtering
Architecture
Intrusion Detection
Types of Intrusion Detection
General Limitations of Intrusion Detection
Specific Problems Detecting Network Attacks
Encryption
SSH
WiFi
Bluetooth
HomePlug

IPsec
TLS
PKI
Topology
Summary
Research Problems
Further Reading
Chapter 22 Copyright and DRM
Introduction
Copyright
Software
Books
Audio
Video and Pay-TV
Typical System Architecture
Video Scrambling Techniques
Attacks on Hybrid Scrambling Systems
DVB
DVD
HD-DVD and Blu-ray
AACS — Broadcast Encryption and Traitor Tracing

642
643

644
644
645
646
647

650
652
652
654
654
655
655
657
657
660
661
662
664
665
665
666
668
668
669
670
672
675
676
677
678
679
679
680
681
688

689
690
690
691
693
697
698
701
701

xxi


xxii

Contents
Blu-ray and SPDC
General Platforms
Windows Media Rights Management
Other Online Rights-Management Systems
Peer-to-Peer Systems
Rights Management of Semiconductor IP
Information Hiding
Watermarks and Copy Generation Management
General Information Hiding Techniques
Attacks on Copyright Marking Schemes
Applications of Copyright Marking Schemes
Policy
The IP Lobby
Who Benefits?

Accessory Control
Summary
Research Problems
Further Reading

Chapter 23 The Bleeding Edge
Introduction
Computer Games
Types of Cheating
Aimbots and Other Unauthorized Software
Virtual Worlds, Virtual Economies
Web Applications
eBay
Google
Social Networking Sites
Privacy Technology
Anonymous Email — The Dining Cryptographers and Mixes
Anonymous Web Browsing — Tor
Confidential and Anonymous Phone Calls
Email Encryption
Steganography and Forensics Countermeasures
Putting It All Together
Elections
Summary
Research Problems
Further Reading

703
704
705

706
707
709
710
711
712
714
718
718
720
722
723
725
725
726

727
727
728
730
732
733
734
735
736
739
745
747
749
751

753
755
757
759
764
764
765

Part III
Chapter 24 Terror, Justice and Freedom
Introduction
Terrorism
Causes of Political Violence

769
769
771
772


Contents xxiii
The Psychology of Political Violence
The Role of Political Institutions
The Role of the Press
The Democratic Response

Surveillance
The History of Government Wiretapping
The Growing Controversy about Traffic Analysis
Unlawful Surveillance

Access to Search Terms and Location Data
Data Mining
Surveillance via ISPs — Carnivore and its Offspring
Communications Intelligence on Foreign Targets
Intelligence Strengths and Weaknesses
The Crypto Wars
The Back Story to Crypto Policy
DES and Crypto Research
The Clipper Chip
Did the Crypto Wars Matter?
Export Control
Censorship
Censorship by Authoritarian Regimes
Network Neutrality
Peer-to-Peer, Hate Speech and Child Porn
Forensics and Rules of Evidence
Forensics
Admissibility of Evidence
Privacy and Data Protection
European Data Protection
Differences between Europe and the USA
Summary
Research Problems
Further Reading
Chapter 25 Managing the Development of Secure Systems
Introduction
Managing a Security Project
A Tale of Three Supermarkets
Risk Management
Organizational Issues

The Complacency Cycle and the Risk Thermostat
Interaction with Reliability
Solving the Wrong Problem
Incompetent and Inexperienced Security Managers
Moral Hazard
Methodology
Top-Down Design
Iterative Design

772
774
775
775

776
776
779
781
782
783
784
785
787
789
790
792
793
794
796
797

798
800
801
803
803
806
808
809
810
812
813
813
815
815
816
816
818
819
820
821
822
823
823
824
826
827