Table of Contents
(NOTE: Each chapter, except chapter 29, concludes with a Summary,
Research Issues, Further Reading, and Exercises.)
Preface.
Goals. Philosophy. Organization. Roadmap. Dependencies. Background. Undergraduate Level. Graduate Level. Practitioners. Special Acknowledgment. Acknowledgments.
I. INTRODUCTION.
1. An Overview of Computer Security.
The Basic Components. Confidentiality. Integrity. Availability. Threats. Policy and Mechanism. Goals of Security. Assumptions and Trust. Assurance. Specification. Design. Implementation. Operational Issues. Cost-Benefit Analysis. Risk Analysis. Laws and Customs. Human Issues. Organizational Problems. People Problems. Tying It All Together.
II. FOUNDATIONS.
2. Access Control Matrix.
Protection State. Access Control Matrix Model. Access Control by Boolean Expression Evaluation. Access Controlled by History. Protection State Transitions. Conditional Commands. Copying, Owning, and the Attenuation of Privilege. Copy Right. Own Right. Principle of Attenuation of Privilege.
3. Foundational Results.
The General Question. Basic Results. The Take-Grant Protection Model. Sharing of Rights. Interpretation of the Model. Theft in the Take-Grant Protection Model. Conspiracy. Summary. Closing the Gap. Schematic Protection Model. Expressive Power and the Models. Brief Comparison of HRU and SPM. Extending SPM. Simulation and Expressiveness. Typed Access Matrix Model.
III. POLICY.
4. Security Policies.
Security Policies. Types of Security Policies. The Role of Trust. Types of Access Control. Policy Languages. High-Level Policy Languages. Low-Level Policy Languages. Example: Academic Computer Security Policy. General University Policy. Electronic Mail Policy. Security and Precision.
5. Confidentiality Policies.
Goals of Confidentiality Policies. The Bell-LaPadula Model. Informal Description. Example: The Data General B2 UNIX System. Formal Model. Example Model Instantiation: Multics. Tranquility. The Controversy over the Bell-LaPadula Model. McLean's *-Property and the Basic Security Theorem. McLean's System Z and More Questions. Summary.
6. Integrity Policies.
Goals. Biba Integrity Model. Low-Water-Mark Policy. Ring Policy. Biba's Model (Strict Integrity Policy). Lipner's Integrity Matrix Model. Lipner's Use of the Bell-LaPadula Model. Lipner's Full Model. Comparison with Biba. Clark-Wilson Integrity Model. The Model. Comparison with the Requirements. Comparison with Other Models.
7. Hybrid Policies.
Chinese Wall Model. Informal Description. Formal Model. Bell-LaPadula and Chinese Wall Models. Clark-Wilson and Chinese Wall Models. Clinical Information Systems Security Policy. Bell-LaPadula and Clark-Wilson Models. Originator Controlled Access Control. Role-Based Access Control.
8. Noninterference and Policy Composition.
The Problem. Composition of Bell-LaPadula Models. Deterministic Noninterference. Unwinding Theorem. Access Control Matrix Interpretation. Security Policies That Change over Time. Composition of Deterministic Noninterference-Secure Systems. Nondeducibility. Composition of Deducibly Secure Systems. Generalized Noninterference. Composition of Generalized Noninterference Systems. Restrictiveness. State Machine Model. Composition of Restrictive Systems.
IV. IMPLEMENTATION I: CRYPTOGRAPHY.
9. Basic Cryptography.
What Is Cryptography? Classical Cryptosystems. Transposition Ciphers. Substitution Ciphers. Data Encryption Standard. Other Classical Ciphers. Public Key Cryptography. Diffie-Hellman. RSA. Cryptographic Checksums. HMAC.
10. Key Management.
Session and Interchange Keys. Key Exchange. Classical Cryptographic Key Exchange and Authentication. Kerberos. Public Key Cryptographic Key Exchange and Authentication. Key Generation. Cryptographic Key Infrastructures. Merkle's Tree Authentication Scheme. Certificate Signature Chains. Summary. Storing and Revoking Keys. Key Storage. Key Revocation. Digital Signatures. Classical Signatures. Public Key Signatures.
11. Cipher Techniques.
Problems. Precomputing the Possible Messages. Misordered Blocks. Statistical Regularities. Summary. Stream and Block Ciphers. Stream Ciphers. Block Ciphers. Networks and Cryptography. Example Protocols. Secure Electronic Mail: PEM. Security at the Transport Layer: SSL. Security at the Network Layer: IPsec. Conclusion.
12. Authentication.
Authentication Basics. Passwords. Attacking a Password System. Countering Password Guessing. Password Aging. Challenge-Response. Pass Algorithms. One-Time Passwords. Hardware-Supported Challenge-Response Procedures. Challenge-Response and Dictionary Attacks. Biometrics. Fingerprints. Voices. Eyes. Faces. Keystrokes. Combinations. Caution. Location. Multiple Methods.
V. IMPLEMENTATION II: SYSTEMS.
13. Design Principles.
Overview. Design Principles. Principle of Least Privilege. Principle of Fail-Safe Defaults. Principle of Economy of Mechanism. Principle of Complete Mediation. Principle of Open Design. Principle of Separation of Privilege. Principle of Least Common Mechanism. Principle of Psychological Acceptability.
14. Representing Identity.
What Is Identity? Files and Objects. Users. Groups and Roles. Naming and Certificates. Conflicts. The Meaning of the Identity. Trust. Identity on the Web. Host Identity. State and Cookies. Anonymity on the Web.
15. Access Control Mechanisms.
Access Control Lists. Abbreviations of Access Control Lists. Creation and Maintenance of Access Control Lists. Revocation of Rights. Example: Windows NT Access Control Lists. Capabilities. Implementation of Capabilities. Copying and Amplifying Capabilities. Revocation of Rights. Limits of Capabilities. Comparison with Access Control Lists. Locks and Keys. Type Checking. Sharing Secrets. Ring-Based Access Control. Propagated Access Control Lists.
16. Information Flow.
Basics and Background. Entropy-Based Analysis. Information Flow Models and Mechanisms. Nonlattice Information Flow Policies. Confinement Flow Model. Transitive Nonlattice Information Flow Policies. Nontransitive Information Flow Policies. Compiler-Based Mechanisms. Declarations. Program Statements. Exceptions and Infinite Loops. Concurrency. Soundness. Execution-Based Mechanisms. Fenton's Data Mark Machine. Variable Classes. Example Information Flow Controls. Security Pipeline Interface. Secure Network Server Mail Guard.
17. Confinement Problem.
The Confinement Problem. Isolation. Virtual Machines. Sandboxes. Covert Channels. Detection of Covert Channels. Analysis of Covert Channels. Mitigation of Covert Channels.
VI. ASSURANCE.
Contributed by Elisabeth Sullivan.
18. Introduction to Assurance.
Assurance and Trust. The Need for Assurance. The Role of Requirements in Assurance. Assurance Throughout the Life Cycle. Building Secure and Trusted Systems. Life Cycle. The Waterfall Life Cycle Model. Other Models of Software Development.
19. Building Systems with Assurance.
Assurance in Requirements Definition and Analysis. Threats and Security Objectives. Architectural Considerations. Policy Definition and Requirements Specification. Justifying Requirements. Assurance During System and Software Design. Design Techniques That Support Assurance. Design Document Contents. Building Documentation and Specifications. Justifying That Design Meets Requirements. Assurance in Implementation and Integration. Implementation Considerations That Support Assurance. Assurance Through Implementation Management. Justifying That the Implementation Meets the Design. Assurance During Operation and Maintenance.
20. Formal Methods.
Formal Verification Techniques. Formal Specification. Early Formal Verification Techniques. The Hierarchical Development Methodology. Enhanced HDM. The Gypsy Verification Environment. Current Verification Systems. The Prototype Verification System. The Symbolic Model Verifier. The Naval Research Laboratory Protocol Analyzer.
21. Evaluating Systems.
Goals of Formal Evaluation. Deciding to Evaluate. Historical Perspective of Evaluation Methodologies. TCSEC: 1983-1999. TCSEC Requirements. The TCSEC Evaluation Classes. The TCSEC Evaluation Process. Impacts. International Efforts and the ITSEC: 1991-2001. ITSEC Assurance Requirements. The ITSEC Evaluation Levels. The ITSEC Evaluation Process. Impacts. Commercial International Security Requirements: 1991. CISR Requirements. Impacts. Other Commercial Efforts: Early 1990s. The Federal Criteria: 1992. FC Requirements. Impacts. FIPS 140: 1994-Present. FIPS 140 Requirements. FIPS 140-2 Security Levels. Impact. The Common Criteria: 1998-Present. Overview of the Methodology. CC Requirements. CC Security Functional Requirements. Assurance Requirements. Evaluation Assurance Levels. Evaluation Process. Impacts. Future of the Common Criteria. SSE-CMM: 1997-Present. The SSE-CMM Model. Using the SSE-CMM.
VII. SPECIAL TOPICS.
22. Malicious Logic.
Introduction. Trojan Horses. Computer Viruses. Boot Sector Infectors. Executable Infectors. Multipartite Viruses. TSR Viruses. Stealth Viruses. Encrypted Viruses. Polymorphic Viruses. Macro Viruses. Computer Worms. Other Forms of Malicious Logic. Rabbits and Bacteria. Logic Bombs. Theory of Malicious Logic. Theory of Computer Viruses. Defenses. Malicious Logic Acting as Both Data and Instructions. Malicious Logic Assuming the Identity of a User. Malicious Logic Crossing Protection. Malicious Logic Altering Files. Malicious Logic Performing Actions Beyond Specification. Malicious Logic Altering Statistical Characteristics. The Notion of Trust.
23. Vulnerability Analysis.
Introduction. Penetration Studies. Goals. Layering of Tests. Methodology at Each Layer. Flaw Hypothesis Methodology. Example: Penetration of the Michigan Terminal System. Example: Compromise of a Burroughs System. Example: Penetration of a Corporate Computer System. Example: Penetrating a UNIX System. Example: Penetrating a Windows NT System. Debate. Conclusion. Vulnerability Classification. Two Security Flaws. Frameworks. The RISOS Study. Protection Analysis Model. The NRL Taxonomy. Aslam's Model. Comparison and Analysis. Gupta and Gligor's Theory of Penetration Analysis. The Flow-Based Model of Penetration Analysis. The Automated Penetration Analysis Tool. Discussion.
24. Auditing.
Definitions. Anatomy of an Auditing System. Logger. Analyzer. Notifier. Designing an Auditing System. Implementation Considerations. Syntactic Issues. Log Sanitization. Application and System Logging. A Posteriori Design. Auditing to Detect Violations of a Known Policy. Auditing to Detect Known Violations of a Policy. Auditing Mechanisms. Secure Systems. Nonsecure Systems. Examples: Auditing File Systems. Audit Analysis of the NFS Version 2 Protocol. The Logging and Auditing File System (LAFS). Comparison. Audit Browsing.
25. Intrusion Detection.
Principles. Basic Intrusion Detection. Models. Anomaly Modeling. Misuse Modeling. Specification Modeling. Summary. Architecture. Agent. Director. Notifier. Organization of Intrusion Detection Systems. Monitoring Network Traffic for Intrusions: NSM. Combining Host and Network Monitoring: DIDS. Autonomous Agents: AAFID. Intrusion Response. Incident Prevention. Intrusion Handling.
VIII. PRACTICUM.
26. Network Security.
Introduction. Policy Development. Data Classes. User Classes. Availability. Consistency Check. Network Organization. Firewalls and Proxies. Analysis of the Network Infrastructure. In the DMZ. In the Internal Network. General Comment on Assurance. Availability and Network Flooding. Intermediate Hosts. TCP State and Memory Allocations. Anticipating Attacks.
27. System Security.
Introduction. Policy. The Web Server System in the DMZ. The Development System. Comparison. Conclusion. Networks. The Web Server System in the DMZ. The Development System. Comparison. Users. The Web Server System in the DMZ. The Development System. Comparison. Authentication. The Web Server System in the DMZ. Development Network System. Comparison. Processes. The Web Server System in the DMZ. The Development System. Comparison. Files. The Web Server System in the DMZ. The Development System. Comparison. Retrospective. The Web Server System in the DMZ. The Development System.
28. User Security.
Policy. Access. Passwords. The Login Procedure. Leaving the System. Files and Devices. Files. Devices. Processes. Copying and Moving Files. Accidentally Overwriting Files. Encryption, Cryptographic Keys, and Passwords. Start-up Settings. Limiting Privileges. Malicious Logic. Electronic Communications. Automated Electronic Mail Processing. Failure to Check Certificates. Sending Unexpected Content.
29. Program Security.
Introduction. Requirements and Policy. Requirements. Threats. Design. Framework. Access to Roles and Commands. Refinement and Implementation. First-Level Refinement. Second-Level Refinement. Functions. Summary. Common Security-Related Programming Problems. Improper Choice of Initial Protection Domain. Improper Isolation of Implementation Detail. Improper Change. Improper Naming. Improper Deallocation or Deletion. Improper Validation. Improper Indivisibility. Improper Sequencing. Improper Choice of Operand or Operation. Summary. Testing, Maintenance, and Operation. Testing. Testing Composed Modules
Promotional Information
The importance of computer security has increased dramatically
during the past few years. Bishop provides a monumental reference
for the theory and practice of computer security. This is a
textbook intended for use at the advanced undergraduate and
introductory graduate levels, in non-university training courses,
and as a reference and self-study text for security professionals.
Comprehensive in scope, it covers applied and practical elements,
theory, and the reasons behind the design of applications and security
techniques. Bishop treats the management and engineering issues of
computer security. Excellent examples of ideas and mechanisms show how
disparate techniques and principles are combined (or not) in
widely used systems. The book distills a vast number of
conference papers, dissertations, and books that have appeared over
the years, providing a valuable synthesis. It is acclaimed
for its scope, its clear and lucid writing, and its combination of
formal and theoretical aspects with real systems, technologies,
techniques, and policies.
About the Author
Matt Bishop is a professor in the Department of Computer
Science at the University of California at Davis. A recognized
expert in vulnerability analysis, secure systems/software design,
network security, access control, authentication, and UNIX
security, Bishop also works to improve computer security
instruction.