- Copyright
- Preface
- 1. Introduction
- 2. Foundations
- 2. Access Control Matrix
- 3. Foundational Results
- 3. Policy
- 4. Security Policies
- 5. Confidentiality Policies
- 5.1. Goals of Confidentiality Policies
- 5.2. The Bell-LaPadula Model
- 5.3. Tranquility
- 5.4. The Controversy over the Bell-LaPadula Model
- 5.5. Summary
- 5.6. Research Issues
- 5.7. Further Reading
- 5.8. Exercises
- 6. Integrity Policies
- 7. Hybrid Policies
- 8. Noninterference and Policy Composition
- 4. Implementation I: Cryptography
- 9. Basic Cryptography
- 10. Key Management
- 11. Cipher Techniques
- 11.1. Problems
- 11.2. Stream and Block Ciphers
- 11.3. Networks and Cryptography
- 11.4. Example Protocols
- 11.5. Summary
- 11.6. Research Issues
- 11.7. Further Reading
- 11.8. Exercises
- 12. Authentication
- 5. Implementation II: Systems
- 13. Design Principles
- 13.1. Overview
- 13.2. Design Principles
- 13.2.1. Principle of Least Privilege
- 13.2.2. Principle of Fail-Safe Defaults
- 13.2.3. Principle of Economy of Mechanism
- 13.2.4. Principle of Complete Mediation
- 13.2.5. Principle of Open Design
- 13.2.6. Principle of Separation of Privilege
- 13.2.7. Principle of Least Common Mechanism
- 13.2.8. Principle of Psychological Acceptability
- 13.3. Summary
- 13.4. Research Issues
- 13.5. Further Reading
- 13.6. Exercises
- 14. Representing Identity
- 15. Access Control Mechanisms
- 15.1. Access Control Lists
- 15.2. Capabilities
- 15.3. Locks and Keys
- 15.4. Ring-Based Access Control
- 15.5. Propagated Access Control Lists
- 15.6. Summary
- 15.7. Research Issues
- 15.8. Further Reading
- 15.9. Exercises
- 16. Information Flow
- 16.1. Basics and Background
- 16.2. Nonlattice Information Flow Policies
- 16.3. Compiler-Based Mechanisms
- 16.4. Execution-Based Mechanisms
- 16.5. Example Information Flow Controls
- 16.6. Summary
- 16.7. Research Issues
- 16.8. Further Reading
- 16.9. Exercises
- 17. Confinement Problem
- 13. Design Principles
- 6. Assurance
- 18. Introduction to Assurance
- 19. Building Systems with Assurance
- 19.1. Assurance in Requirements Definition and Analysis
- 19.2. Assurance During System and Software Design
- 19.3. Assurance in Implementation and Integration
- 19.4. Assurance During Operation and Maintenance
- 19.5. Summary
- 19.6. Research Issues
- 19.7. Further Reading
- 19.8. Exercises
- 20. Formal Methods
- 20.1. Formal Verification Techniques
- 20.2. Formal Specification
- 20.3. Early Formal Verification Techniques
- 20.4. Current Verification Systems
- 20.5. Summary
- 20.6. Research Issues
- 20.7. Further Reading
- 20.8. Exercises
- 21. Evaluating Systems
- 21.1. Goals of Formal Evaluation
- 21.2. TCSEC: 1983–1999
- 21.3. International Efforts and the ITSEC: 1991–2001
- 21.4. Commercial International Security Requirements: 1991
- 21.5. Other Commercial Efforts: Early 1990s
- 21.6. The Federal Criteria: 1992
- 21.7. FIPS 140: 1994–Present
- 21.8. The Common Criteria: 1998–Present
- 21.9. SSE-CMM: 1997–Present
- 21.10. Summary
- 21.11. Research Issues
- 21.12. Further Reading
- 21.13. Exercises
- 7. Special Topics
- 22. Malicious Logic
- 22.1. Introduction
- 22.2. Trojan Horses
- 22.3. Computer Viruses
- 22.4. Computer Worms
- 22.5. Other Forms of Malicious Logic
- 22.6. Theory of Malicious Logic
- 22.7. Defenses
- 22.7.1. Malicious Logic Acting as Both Data and Instructions
- 22.7.2. Malicious Logic Assuming the Identity of a User
- 22.7.3. Malicious Logic Crossing Protection Domain Boundaries by Sharing
- 22.7.4. Malicious Logic Altering Files
- 22.7.5. Malicious Logic Performing Actions Beyond Specification
- 22.7.6. Malicious Logic Altering Statistical Characteristics
- 22.7.7. The Notion of Trust
- 22.8. Summary
- 22.9. Research Issues
- 22.10. Further Reading
- 22.11. Exercises
- 23. Vulnerability Analysis
- 23.1. Introduction
- 23.2. Penetration Studies
- 23.2.1. Goals
- 23.2.2. Layering of Tests
- 23.2.3. Methodology at Each Layer
- 23.2.4. Flaw Hypothesis Methodology
- 23.2.5. Example: Penetration of the Michigan Terminal System
- 23.2.6. Example: Compromise of a Burroughs System
- 23.2.7. Example: Penetration of a Corporate Computer System
- 23.2.8. Example: Penetrating a UNIX System
- 23.2.9. Example: Penetrating a Windows NT System
- 23.2.10. Debate
- 23.2.11. Conclusion
- 23.3. Vulnerability Classification
- 23.4. Frameworks
- 23.5. Gupta and Gligor's Theory of Penetration Analysis
- 23.6. Summary
- 23.7. Research Issues
- 23.8. Further Reading
- 23.9. Exercises
- 24. Auditing
- 25. Intrusion Detection
- 22. Malicious Logic
- 8. Practicum
- 26. Network Security
- 26.1. Introduction
- 26.2. Policy Development
- 26.3. Network Organization
- 26.4. Availability and Network Flooding
- 26.5. Anticipating Attacks
- 26.6. Summary
- 26.7. Research Issues
- 26.8. Further Reading
- 26.9. Exercises
- 27. System Security
- 28. User Security
- 29. Program Security
- 29.1. Introduction
- 29.2. Requirements and Policy
- 29.3. Design
- 29.4. Refinement and Implementation
- 29.5. Common Security-Related Programming Problems
- 29.5.1. Improper Choice of Initial Protection Domain
- 29.5.2. Improper Isolation of Implementation Detail
- 29.5.3. Improper Change
- 29.5.4. Improper Naming
- 29.5.5. Improper Deallocation or Deletion
- 29.5.6. Improper Validation
- 29.5.7. Improper Indivisibility
- 29.5.8. Improper Sequencing
- 29.5.9. Improper Choice of Operand or Operation
- 29.5.10. Summary
- 29.6. Testing, Maintenance, and Operation
- 29.7. Distribution
- 29.8. Conclusion
- 29.9. Summary
- 29.10. Research Issues
- 29.11. Further Reading
- 29.12. Exercises
- 26. Network Security
- 9. End Matter
- 30. Lattices
- 31. The Extended Euclidean Algorithm
- 32. Entropy and Uncertainty
- 33. Virtual Machines
- 34. Symbolic Logic
- 35. Example Academic Security Policy
- 35.1. University of California E-mail Policy
- 35.1.1. Summary: E-mail Policy Highlights
- 35.1.2. University of California Electronic Mail Policy
- 35.1.2.1. Introduction
- 35.1.2.2. Purpose
- 35.1.2.3. Definitions
- 35.1.2.4. Scope
- 35.1.2.5. General Provisions
- 35.1.2.6. Specific Provisions
- 35.1.2.7. Policy Violations
- 35.1.2.8. Responsibility for Policy
- 35.1.2.9. Campus Responsibilities and Discretion
- 35.1.2.10. Appendix A—Definitions
- 35.1.2.11. Appendix B—References
- 35.1.2.12. Appendix C—Policies Relating to Nonconsensual Access
- 35.1.3. UC Davis Implementation of the Electronic Mail Policy
- 35.1.4. References and Related Policy
- 35.2. The Acceptable Use Policy for the University of California, Davis
- 35.1. University of California E-mail Policy
- Bibliography
Security analysts organize the needs of a site in order to define a security policy. From this policy, analysts develop and implement mechanisms for enforcing the policy. The mechanisms may be procedural, technical, or physical. Part 3 describes the notion of policy and how it can be expressed and formalized, and how different types of policies affect accesses.
Chapter 4, “Security Policies,” presents the abstract notion of a security policy and some ways to represent policies. Policy languages abstract some of the common elements of policies and allow expression of policies both at abstract levels and in terms of the properties of the particular systems under consideration.
Chapter 5, “Confidentiality Policies,” discusses policies designed primarily for confidentiality. Many government organizations, especially the military, must keep information secret, as described by these policies. Chapter 5 focuses on the Bell-LaPadula security policy.
Chapter 6, “Integrity Policies,” discusses policies designed primarily for integrity. Banks, insurance companies, and other commercial and industrial firms worry more about data and programs being corrupted than about them being read, and use these policies.
Chapter 7, “Hybrid Policies,” presents policies that are hybrids of confidentiality and integrity security policies. One comes from the world of stock brokerage, and another from medical systems. Other types of policy models discussed here are originator controlled models and role-based models.
Chapter 8, “Noninterference and Policy Composition,” discusses the noninterference and nondeducibility models of security policies and the composition of security policies in general.
-
No Comment