The Craft of System Security
by Sean Smith; John Marchesini
Publisher: Addison Wesley Professional
Pub Date: November 21, 2007
Print ISBN-10: 0-321-43483-8
Print ISBN-13: 978-0-321-43483-8
Pages: 592
Table of Contents | Index
Overview
"I believe The Craft of System Security is one of the best software security books on the market today. It has not only breadth, but depth, covering topics ranging from cryptography, networking, and operating systems--to the Web, computer-human interaction, and how to improve the security of software systems by improving hardware. Bottom line, this book should be required reading for all who plan to call themselves security practitioners, and an invaluable part of every university's computer science curriculum."
--Edward Bonver, CISSP, Senior Software QA Engineer, Product Security, Symantec Corporation
"Here's to a fun, exciting read: a unique book chock-full of practical examples of the uses and the misuses of computer security. I expect that it will motivate a good number of college students to want to learn more about the field, at the same time that it will satisfy the more experienced professional."
--L. Felipe Perrone, Department of Computer Science, Bucknell University
Whether you're a security practitioner, developer, manager, or administrator, this book will give you the deep understanding necessary to meet today's security challenges--and anticipate tomorrow's. Unlike most books, The Craft of System Security doesn't just review the modern security practitioner's toolkit: It explains why each tool exists, and discusses how to use it to solve real problems.
After quickly reviewing the history of computer security, the authors move on to discuss the modern landscape, showing how security challenges and responses have evolved, and offering a coherent framework for understanding today's systems and vulnerabilities. Next, they systematically introduce the basic building blocks for securing contemporary systems, apply those building blocks to today's applications, and consider important emerging trends such as hardware-based security.
After reading this book, you will be able to
Understand the classic Orange Book approach to security, and its limitations
Use operating system security tools and structures--with examples from Windows, Linux, BSD, and Solaris
Learn how networking, the Web, and wireless technologies affect security
Identify software security defects, from buffer overflows to development process flaws
Understand cryptographic primitives and their use in secure systems
Use best practice techniques for authenticating people and computer systems in diverse settings
Use validation, standards, and testing to enhance confidence in a system's security
Discover the security, privacy, and trust issues arising from desktop productivity tools
Understand digital rights management, watermarking, information hiding, and policy expression
Learn principles of human-computer interaction (HCI) design for improved security
Understand the potential of emerging work in hardware-based security and trusted computing
Copyright
List of Figures
Preface
Acknowledgments
About the Authors
Part I: History
Chapter 1. Introduction
Section 1.1. The Standard Rubric
Section 1.2. The Matrix
Section 1.3. Other Views
Section 1.4. Safe States and the Access Control Matrix
Section 1.5. Other Hard Questions
Section 1.6. The Take-Home Message
Section 1.7. Project Ideas
Chapter 2. The Old Testament
Section 2.1. The Basic Framework
Section 2.2. Security Models
Section 2.3. The Orange Book
Section 2.4. INFOSEC, OPSEC, JOBSEC
Section 2.5. The Take-Home Message
Section 2.6. Project Ideas
Chapter 3. Old Principles, New World
Section 3.1. Solving the Wrong Problem?
Section 3.2. Lack of Follow-Through?
Section 3.3. Too Unwieldy?
Section 3.4. Saltzer and Schroeder
Section 3.5. Modern Relevance
Section 3.6. The Take-Home Message
Section 3.7. Project Ideas
Part II: Security and the Modern Computing Landscape
Chapter 4. OS Security
Section 4.1. OS Background
Section 4.2. OS Security Primitives and Principles
Section 4.3. Real OSes: Everything but the Kitchen Sink
Section 4.4. When the Foundation Cracks
Section 4.5. Where Are We?
Section 4.6. The Take-Home Message
Section 4.7. Project Ideas
Chapter 5. Network Security
Section 5.1. Basic Framework
Section 5.2. Protocols
Section 5.3. The Network as a Battlefield
Section 5.4. The Brave New World
Section 5.5. The Take-Home Message
Section 5.6. Project Ideas
Chapter 6. Implementation Security
Section 6.1. Buffer Overflow
Section 6.2. Argument Validation and Other Mishaps
Section 6.3. TOCTOU
Section 6.4. Malware
Section 6.5. Programming Language Security
Section 6.6. Security in the Development Lifecycle
Section 6.7. The Take-Home Message
Section 6.8. Project Ideas
Part III: Building Blocks for Secure Systems
Chapter 7. Using Cryptography
Section 7.1. Framework and Terminology
Section 7.2. Randomness
Section 7.3. Symmetric Cryptography
Section 7.4. Applications of Symmetric Cryptography
Section 7.5. Public-Key Cryptography
Section 7.6. Hash Functions
Section 7.7. Practical Issues: Public Key
Section 7.8. Past and Future
Section 7.9. The Take-Home Message
Section 7.10. Project Ideas
Chapter 8. Subverting Cryptography
Section 8.1. Breaking Symmetric Key without Brute Force
Section 8.2. Breaking Symmetric Key with Brute Force
Section 8.3. Breaking Public Key without Factoring
Section 8.4. Breaking Cryptography via the Real World
Section 8.5. The Potential of Efficiently Factoring Moduli
Section 8.6. The Take-Home Message
Section 8.7. Project Ideas
Chapter 9. Authentication
Section 9.1. Basic Framework
Section 9.2. Authenticating Humans
Section 9.3. Human Factors
Section 9.4. From the Machine's Point of View
Section 9.5. Advanced Approaches
Section 9.6. Case Studies
Section 9.7. Broader Issues
Section 9.8. The Take-Home Message
Section 9.9. Project Ideas
Chapter 10. Public Key Infrastructure
Section 10.1. Basic Definitions
Section 10.2. Basic Structure
Section 10.3. Complexity Arrives
Section 10.4. Multiple CAs
Section 10.5. Revocation
Section 10.6. The X.509 World
Section 10.7. Dissent
Section 10.8. Ongoing Trouble
Section 10.9. The Take-Home Message
Section 10.10. Project Ideas
Chapter 11. Standards, Compliance, and Testing
Section 11.1. Standards
Section 11.2. Policy Compliance
Section 11.3. Testing
Section 11.4. The Take-Home Message
Section 11.5. Project Ideas
Part IV: Applications
Chapter 12. The Web and Security
Section 12.1. Basic Structure
Section 12.2. Security Techniques
Section 12.3. Privacy Issues
Section 12.4. Web Services
Section 12.5. The Take-Home Message
Section 12.6. Project Ideas
Chapter 13. Office Tools and Security
Section 13.1. Word
Section 13.2. Lotus 1-2-3
Section 13.3. PDF
Section 13.4. Cut-and-Paste
Section 13.5. PKI and Office Tools
Section 13.6. Mental Models
Section 13.7. The Take-Home Message
Section 13.8. Project Ideas
Chapter 14. Money, Time, Property
Section 14.1. Money
Section 14.2. Time
Section 14.3. Property
Section 14.4. The Take-Home Message
Section 14.5. Project Ideas
Part V: Emerging Tools
Chapter 15. Formal Methods and Security
Section 15.1. Specification
Section 15.2. Logics
Section 15.3. Cranking the Handle
Section 15.4. Case Studies
Section 15.5. Spinning Your Bank Account
Section 15.6. Limits
Section 15.7. The Take-Home Message
Section 15.8. Project Ideas
Chapter 16. Hardware-Based Security
Section 16.1. Data Remanence
Section 16.2. Attacks and Defenses
Section 16.3. Tools
Section 16.4. Alternative Architectures
Section 16.5. Coming Trends
Section 16.6. The Take-Home Message
Section 16.7. Project Ideas
Chapter 17. In Search of the Evil Bit
Section 17.1. The AI Toolbox
Section 17.2. Application Taxonomy
Section 17.3. Case Study
Section 17.4. Making It Real
Section 17.5. The Take-Home Message
Section 17.6. Project Ideas
Chapter 18. Human Issues
Section 18.1. The Last Mile
Section 18.2. Design Principles
Section 18.3. Other Human-Space Issues
Section 18.4. Trust
Section 18.5. The Take-Home Message
Section 18.6. Project Ideas
The Take-Home Lesson
Appendix A. Exiled Theory
A.1 Relations, Orders, and Lattices
A.2 Functions
A.3 Computability Theory
A.4 Frameworks
A.5 Quantum Physics and Quantum Computation
Bibliography
Index
Copyright
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
For sales outside the United States please contact:
International Sales
Visit us on the Web: www.awprofessional.com
Library of Congress Cataloging-in-Publication Data
Smith, Sean W., 1964-
The craft of system security / Sean Smith, John Marchesini.
p. cm.
Includes bibliographical references and index.
ISBN 0-321-43483-8 (pbk. : alk. paper)
Copyright © 2008 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax: (617) 671-3447
ISBN 13: 978-0-321-43483-8
Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.
First printing, November 2007
Dedication
To Nancy, Hannah, Natalie, and the community at St. Francis of Assisi in Norwich, Vermont
—Sean Smith
For Wendy
—John Marchesini
List of Figures
1.1 An access control matrix (p. 7)
1.2 Security and state spaces (p. 10)
2.1 Example clearance order (p. 26)
2.2 Example categories order (p. 27)
2.3 Example MLS lattice (p. 28)
2.4 The *-Property (p. 30)
2.5 The Chinese Wall (p. 32)
2.6 Functionality versus assurance (p. 33)
2.7 Object reuse with local variables (p. 37)
2.8 The Orange Book's path through the functionality/assurance space (p. 41)
4.1 Basic computer architecture (p. 62)
4.2 The memory management unit (p. 65)
4.3 Address spaces (p. 66)
4.4 System call architecture (p. 67)
5.1 LANs and WANs (p. 89)
5.2 Switched Ethernet (p. 90)
5.3 Network address translation (p. 91)
5.4 Resolution and routing in the net (p. 93)
5.5 Network ports (p. 93)
5.6 Network protocol layers (p. 94)
5.7 Network protocol stack (p. 95)
5.8 Firewall (p. 98)
5.9 BGP (p. 103)
5.10 Subnets (p. 110)
5.11 DMZ (p. 111)
5.12 Basic WLAN architecture (p. 113)
5.13 Sniffing Web traffic on WLANs (p. 114)
5.14 Sniffing e-mail traffic on WLANs (p. 115)
5.15 A common enterprise WLAN strategy (p. 117)
5.16 WLAN authorization architecture (p. 117)
6.1 A process's address space (p. 126)
6.2 Stack frame (p. 127)
6.3 Integer overflow (p. 135)
6.4 Integer overflow with signed integers (p. 136)
6.5 Errors in signed/unsigned conversion (p. 137)
6.6 Type-safety and memory-safety (p. 146)
7.1 Framing cryptography as a pair of transformations (p. 158)
7.2 Explicit privileges (p. 159)
7.3 RNG (p. 161)
7.4 PRNG (p. 162)
7.5 Symmetric cryptography (p. 163)
7.6 Stream cipher (p. 166)
7.7 Block cipher (p. 167)
7.8 Block ciphers with CBC (p. 168)
7.9 Meet-in-the-middle attack (p. 170)
7.10 Inner-CBC EDE for a block cipher in triple mode (p. 171)
7.11 Outer-CBC EDE for a block cipher in triple mode (p. 171)
7.12 CBC residue MAC (p. 173)
7.13 Public-key cryptography (p. 175)
7.14 Encrypting with public key (p. 175)
7.15 Digital signatures (p. 176)
7.16 Signatures with public key (p. 176)
7.17 Diffie-Hellman (p. 179)
7.18 The Merkle-Damgård approach (p. 181)
7.19 A Merkle tree (p. 182)
7.20 Iterated hash functions (p. 182)
7.21 Square and multiply (p. 184)
7.22 Public-key encryption, in practice (p. 185)
7.23 Digital signatures, in practice (p. 186)
8.1 The Birthday Paradox on hash values (p. 200)
8.2 The Wang attack on MD5 (p. 201)
8.3 Timing attack on RSA (p. 204)
9.1 A "ladder diagram" (p. 216)
9.2 A CAPTCHA (p. 218)
9.3 Example ROC curve (p. 219)
9.4 One-time passwords based on time (p. 227)
9.5 One-time passwords based on iterated hashing (p. 228)
9.6 The small-n attack (p. 229)
9.7 The DND authentication protocol (p. 231)
9.8 Key derivation in DND (p. 232)
9.9 How the adversary can choose the challenge (p. 232)
9.10 The ISO SC27 protocol (p. 233)
9.11 Chess Grandmaster attack (p. 234)
9.12 Reflection attack (p. 234)
9.13 Using graph isomorphism for zero-knowledge authentication (p. 236)
9.14 Getting a server ticket in Kerberos (p. 239)
9.15 Getting a ticket-granting ticket in Kerberos (p. 240)
9.16 SSH (p. 242)
9.17 The Ellison triangle (p. 245)
10.1 Basic PKI architecture (p. 251)
10.2 Using a hamster to keep the CA offline (p. 255)
10.3 Cross-certification (p. 260)
10.4 Bridge CAs (p. 261)
11.1 Timeline of standards (p. 277)
12.1 Framesets (p. 312)
12.2 Server-side SSL (p. 319)
12.3 Client-side SSL (p. 325)
12.4 Devious frameset (p. 329)
12.5 JavaScript to sneakily send POSTs (p. 330)
13.1 Example sequence of letters (p. 341)
13.2 Looking at Word documents with emacs (p. 342)
13.3 Interesting relics in the binary (p. 342)
13.4 Turning Fast Save off (p. 343)
13.5 File history in the binary (p. 343)
13.6 Craptastic! (p. 345)
13.7 Memo purportedly released by Alcatel (p. 346)
13.8 A physics paper in Word format (p. 346)
13.9 Turning "Track Changes" on (p. 347)
13.10 Careful with that Distinguished Name! (p. 350)
13.11 Altering a boarding pass (p. 354)
13.12 Excel relics in PowerPoint (p. 356)
13.13 End-of-line misinterpretation (p. 358)
14.1 Secret sharing (p. 371)
14.2 Fewer than k points (p. 372)
14.3 The basic electronic token cash scheme (p. 373)
14.4 Digital timestamping (p. 378)
14.5 Renewing old timestamps (p. 379)
14.6 Multicollisions (p. 380)
14.7 Steganography (p. 384)
15.1 State transitions (p. 393)
15.2 Partial correctness (p. 394)
15.3 Propositional logic (p. 396)
15.4 First-order logic (p. 397)
15.5 Temporal logic (p. 398)
15.6 BAN logic (p. 401)
15.7 Sample bank account code (p. 405)
15.8 Promela specification for bank withdrawals (p. 406)
15.9 Spin reveals a race condition (p. 407)
15.10 Promela specification for fixed code (p. 408)
16.1 The boot-time execution sequence (p. 428)
16.2 Checking integrity at boot time (p. 429)
16.3 Separation in conventional system (p. 437)
16.4 Separation with Type I virtualization (p. 438)
16.5 Separation with Type II virtualization (p. 441)
16.6 Separation with OS-level virtualization (p. 442)
17.1 The general machine learning framework (p. 453)
17.2 A neural network (p. 454)
18.1 Conceptual models (p. 474)
18.2 A Norman door (p. 479)
18.3 ROI and security (p. 481)
A.1 A simple lattice (p. 491)
A.2 If the real numbers were countable (p. 493)
A.3 Cantor's diagonalization (p. 494)
A.4 An enumeration of Turing machines (p. 495)
A.5 An uncomputable function (p. 495)
Preface
Computer security, once the arcane concern of specialists, is becoming everyone's problem in society. Because so many aspects of society now depend on computing, coaxing or tricking a computer into misbehaving can have serious consequences. Attempts to grasp the nuances of this problem are bedeviled by its sheer complexity—in the individual components and computer hardware, in the operating systems that make this hardware useful, in the application programs, in the network protocols—and in the human processes that use and maintain these systems.
Since security is everyone's problem, a natural question is how to give each cybercitizen the knowledge and perspective needed to reason about these issues. In navigating their careers as software engineers, managers, lawyers, or anything else, students and practitioners need to be exposed to not only the breadth of the space of this security challenge but also what trends and principles to look out for.
Too many existing texts seem to focus on hacks-du-jour or system administration or cryptographic specialists or the Orange Book/NSA criteria. The computer science student or computer security practitioner can easily find books detailing particular tools that can be used to assess the security of a system but not books that take the reader into the deeper world of why these tools exist or explain how and when to apply the appropriate tool to a particular problem. Furthermore, many of the popular texts fail to aid one who is trying to build a system; many of the tool catalogs out there are geared toward the auditor, not the artisan.
We wrote this book to be that missing doorway. This book presents the modern security practitioner's toolkit; more important, this book also explains why these tools exist and how to use them in order to solve real problems. We want to give students enough practical knowledge to be useful and to give practitioners enough of the fundamentals to foster a deep understanding of the issues. Such mastery of the toolkit is necessary to understand the craft of system security.
How does one get such a security education? One could read through a bookshelf of material or access a large set of CD-ROMs to get the necessary depth, but most people do not have that time. Furthermore, much of that material may pertain to fine details of current systems and is thus doomed to a short shelf life. The material will likely be stale by the time the reader finishes reading it all.
This book itself grew out of a college course the first author developed (and then the second author helped with) to solve just this problem: to provide the right security education to students who may only ever take one security course and then move on toward a wide range of professional careers. We wanted to arm these students with a deep understanding of what they need to know in order to meet today's and tomorrow's security challenges. In the course, and throughout this book, we draw on our experience as security practitioners and try to relay some of the lessons we have learned.
One of us had the good fortune to be working in a government security laboratory at the dawn of the Web—when the very first forward-thinking government agencies started considering using this new medium for service delivery to wide populations.[1] This experience provided some important lessons to frame what has followed. Computing technology will keep changing explosively, in ways that affect everyone, not only computer scientists—compare the state of home or office computing and of the Web in 1994 to today. However, security must be viewed in the context of the social impact of the systems. If one is going to build, deploy, work with, manage, or perhaps simply use the systems that keep flooding society, one needs to understand these issues.
[1] In 2006, this same author renewed his amateur radio license and carried out the entire process via the FCC Web site. It's amazing to think how far e-government has come in these 12 years.
The other author has spent time working in the security software industry, shipping security products to such institutions as banks, airlines, and government agencies. This experience has made it clear why vendors deal with security by shipping patches on a regular schedule. Software vendors are under continual pressure to release products that are loaded with new features and must get these releases out as quickly as possible. At every stage of the development cycle, security is at odds with this goal. The requirement phase tends to favor features—and thus complexity—over robustness; the design phase typically favors elegance and reuse over durability; the implementation phase usually favors speed over safety; the quality assurance phase traditionally focuses on feature testing rather than crash testing. The result is that many companies ship software that is neither robust, durable, nor safe and that has not been tested to see how well it holds up against malicious users. An essentially infinite list of BugTraq [Sec06] identifiers is just waiting to get assigned to such products. If one hopes to build systems that break this mold, one needs to understand these types of issues as well.
The dynamic nature of the security game makes it different from other types of engineering, such as building a bridge or building a safe. When building a bridge, one calculates the strength required, buys the appropriate materials, and constructs the bridge according to the specification. In security, the building blocks age quickly—sometimes faster than predicted and sometimes dramatically faster. Staying on top of this situation requires continued vigilance, as well as a solid grasp of the fundamentals. That's why we wrote this book.
Structure of the Book
We begin by presenting the historical background of computer security (Part I). We then describe the modern computing landscape (Part II), present the basic building blocks for securing systems (Part III), apply these blocks to modern computing applications (Part IV), and consider emerging tools and trends that will change the future landscape of system security (Part V).
History
Part I looks at history. Today, computers permeate nearly every aspect of life. Decades ago, however, the migration of computation from laboratory toys to real-world applications was just beginning. Military and defense provided many of these early applications, as well as significant funding. These domains traditionally featured real adversaries interested in such matters as espionage, sabotage, and warfighting. The move into computerized settings brought along these concerns. These early days of computing gave rise to much thinking about new problems of computer security. Some in our field regard this thinking as gospel, never to be challenged or extended; others dismiss it out of hand. We believe that the truth lies somewhere in between.
Introduction
We use these roots as the foundation for our journey. Our discussion of computer system security starts out in Chapter 1 with discussions of the terms security and system. We consider the standard notion of "system" as a computer providing simple information applications and "security" as the standard confidentiality, integrity, and availability (CIA) rubric. We also introduce the basics of access control/protection—subjects, domains, and objects—and the matrix that describes who can do what to whom when. We finish by talking about the theoretical implications and practical instantiations of this matrix.
The Old Testament
A subset of the security community believes that all computer security problems were solved a few decades ago, in the body of Department of Defense (DoD)-sponsored work popularly identified with the Orange Book [DoD85]. When Roger Schell espoused this view at a December 2001 talk [Sch01], a curmudgeon in the audience characterized him as the Old Testament prophet Jeremiah, castigating the community for turning away from the true path. It is important to understand Schell's point of view, whether or not one accepts it. In Chapter 2, we present this point of view.
Old Principles, New World
In Chapter 3, we discuss how the "ancient history" from Chapters 1 and 2 applies—and fails to apply—to modern computing scenarios. We look at how the confidentiality-integrity-availability rubric can, when applied carelessly, miss important aspects of system security, and we present an alternative characterization in terms of correctness against adversaries. We also look at the difficulty of establishing the system boundary. We critique the Orange Book—what works now and what doesn't. We close by reviewing some other system design principles and discuss how they still apply to this new world.
Landscape
After studying the history, we examine where that history has taken us. In Part II, we look at the security of the elements used to build applications.
OS Security
In the cyberinfrastructure, the operating system (OS) lies between a user's computing experience and the rest of the world. The OS provides the first line of defense between the user and external adversaries and, since it shapes and confines the user's computing experience, also provides the first line of defense against internal adversaries. Chapter 4 presents the basic structures and tools the OS brings to the security battle. We present the basic principles and discuss how they are manifested in common Windows systems and the UNIX family (e.g., OS X, Linux, BSD, Solaris).
Network Security
Funny things happen when one lets computers talk to each other. In Chapter 5, we present some of the basic pieces of networking and highlight some of the principal areas of concern for security practitioners. We also focus on the emerging networking technology of wireless. Rare four years ago, wireless technology is now standard on new laptops. For hotels, industrial campuses, and universities, not offering wireless almost seems as backward as not offering electricity. However, the new technology also comes with risks. As we have personally seen, information practices that were safe with a tethered network become rather dangerous when migrated to wireless; one can enliven boring conferences by discovering and browsing the Bluetooth-equipped devices in range that have accidentally been left open to the world.
Implementation Security
Abstractions are all well and good, but computing eventually consists of real code executing on real machines. A longtime source of computer security problems consists of basic flaws in these implementations. In Chapter 6, we survey these flaws—both common blunders, such as buffer overflow, lack of argument validation, escape sequences, and time-of-check/time-of-use, and more subtle problems, such as development process, tool-chain issues, and hardware issues. For each, we present real examples and general principles and discuss defensive coding practices and other countermeasures. We also discuss how programming language techniques and software development processes can impact security—and what we can do about it.
Building Blocks for Secure Systems
In Part III, we survey the basic building blocks critical to designing, building, and deploying secure systems today.
Using Cryptography
Cryptographic primitives are a fundamental building block for secure systems today. Computer professionals need to have a good working understanding of what these primitives are and how to use them in larger applications. Chapter 7 introduces the standard primitives (public key, symmetric block ciphers, and so on) and the standard ways of using them (hashing functions, padding algorithms, hybrid cryptography, and MACs, and so on). In our teaching experience, we have encountered too many students who have "learned RSA" but have not known about all the steps involved in constructing digital signatures.
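The gap between "learned RSA" and building a signature is worth seeing in code. The following is an added example written for this page, not code from the book: it walks through the steps a real signature scheme takes (hash the message, wrap the digest in a DigestInfo, apply PKCS#1 v1.5 padding, convert the block to an integer, and only then exponentiate), and verification re-encodes and compares the whole block rather than parsing the padding. The key size, the Miller-Rabin key generation, the function names and the sample message are all constructed for the example; a 512-bit modulus is far too small for real use, and real systems should use a vetted library. The textbook_sign function shows what "just RSA" gives you: a signature that is multiplicative, so sig(a) * sig(b) mod n is a valid signature on a * b.

```python
"""Added example: the steps behind an RSA signature, beyond "m^d mod n".

Toy parameters (NOT for real use): a 512-bit modulus generated on the fly so
the arithmetic is visible and fast. Real deployments use >= 2048-bit keys,
PKCS#1 (v1.5 or PSS) padding and a vetted library, never hand-rolled code.
"""
import hashlib
import secrets

# DigestInfo prefix that PKCS#1 v1.5 places in front of a SHA-256 digest
# (RFC 8017, Section 9.2, Note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (enough for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_toy_key(bits: int = 512, e: int = 65537):
    """Return (n, e, d) for a constructed toy key with a modulus of `bits` bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def textbook_sign(m: int, n: int, d: int) -> int:
    """What "learned RSA" usually means: exponentiate the message directly.
    No hash, no padding: forgeable, and multiplicative (see the usage note)."""
    return pow(m, d, n)


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Steps 1-2: hash, wrap in DigestInfo, pad to k bytes as 00 01 FF..FF 00 T."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash and padding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes, n: int, d: int) -> bytes:
    """RSASSA-PKCS1-v1_5: encode, octets -> integer, exponentiate, integer -> octets."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Recover the encoded block and compare it whole against a fresh encoding.
    Comparing the complete block, instead of parsing the padding leniently,
    is what keeps a verifier from accepting malformed low-exponent forgeries."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


if __name__ == "__main__":
    n, e, d = generate_toy_key()
    msg = b"transfer 100 to alice"  # constructed sample message
    sig = sign(msg, n, d)
    print("valid:", verify(msg, sig, n, e))
    print("tampered:", verify(b"transfer 100 to mallory", sig, n, e))
```

The textbook variant satisfies textbook_sign(a) * textbook_sign(b) mod n == textbook_sign(a * b mod n), so anyone holding two signatures can mint a third without the private key; the hash-and-pad encoding destroys that structure, because the product of two valid encoded blocks is not itself a valid encoded block. That, in miniature, is the set of steps the paragraph says students tend to miss.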
Subverting Cryptography
Humans like to deal with simple abstractions. However, dangers have often lurked in the messy details of realizing cryptographic primitives in real systems. These dangers can break a system that seemed safe when examined as clean abstractions. As with cryptographic primitives, computer professionals need to have a good working understanding of the types of issues that can arise in practice. Chapter 8 considers problem areas and real-world case studies in order to help cultivate a healthy wariness.
Authentication
Talking about "secure systems" makes sense only when there's a possibility of more than one player being involved. Chapter 9 covers the basics of authentication, as well as techniques when authenticating humans and systems in various settings: direct machine access, over an untrusted network, or over an untrusted network through an untrusted client. We also discuss the difference between authentication and authorization.
Public Key Infrastructure
By removing the need for sharing secrets a priori, public key cryptography enables trusted communication across boundaries of space, time, and organizations. However, the infrastructure necessary to realize the public key vision is still emerging; some dissidents even feel that the whole approach is fundamentally flawed. In Chapter 10, we look at the problem space, the main approaches, the issues that complicate deployment and progress in this space, and the dissenting points of view.
Validation, Standards, and Testing
Why should one believe that a given system is secure? Whether one is a vendor, an implementer, an administrator, or a customer, this question is fundamental. In Chapter 11, we talk about penetration testing, validation, and standards: how they can work to help achieve security and privacy and what their limitations are. We draw on our own experience in validation and testing and provide some suggestions to guide the reader through the cloud of emerging standards.
Applications
We have examined the history and the building blocks. In Part IV, we now apply these principles and tools to principal ways in which our society uses computing.
The Web and Security
Created by physicists too lazy to go to the library, the Web is now the central medium for electronic services in our society. We review how the Web works and then present the various security and privacy threats it faces—and the principal solutions. In Chapter 12, we cover both the standard material (e.g., SSL and cookies) and more subtle material.
We also discuss recent case studies of how institutions that should have known better ended up inadvertently disclosing information via Web-based services. For example, had editorial writers read this chapter, they would not have condemned the business school applicants for "hacking" the ApplyYourself site to learn application decisions prematurely; had the schools in