Little prior knowledge is needed to use this long-needed reference. Computer professionals and software engineers will learn how to design secure operating. BUILDING A SECURE COMPUTER SYSTEM, Morrie Gasser. ACF2 is a trademark of Uccel Corp. AOS is a trademark of Data General Corp. DEC, PDP, VMS.
|Published (Last):|11 August 2009|
|PDF File Size:|15.97 Mb|
|ePub File Size:|9.68 Mb|
|Price:|Free* [*Free Registration Required]|
Intel, iAPX are trademarks of Intel Corp. Motorola, are trademarks of Intel Corp. No part of this work covered by the copyright hereon may be reproduced or used in any form or by any means (graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems) without written permission of the publisher.
Removing this obstacle required an author thoroughly conversant with the technology, skilled in writing, and fully dedicated to completion of a most difficult undertaking. Gasser has accepted this formidable challenge and has succeeded beyond what even we optimists would expect. Although I recognized that Mr. Gasser was unquestionably qualified, I was frankly skeptical about whether or not it was possible to produce a practical, understandable, and thoroughly accurate first book on the subject. As I began to read the book for the first time I found myself engrossed into the wee hours of the morning, and came away impressed that this singular effort had at long last given the field a definitive reference work for technical solutions to computer security problems.
The field of computer security did not begin to emerge until the late s, with the growing recognition by several groups in the government and private sector that computers were vulnerable. The landmark report by Willis Ware of RAND in alerted those within the Department of Defense to many of the technical weaknesses of computer security.
The publicity associated with IBM's commitment of forty million dollars to address computer security in the early s brought the problem to the public's attention as well. Unfortunately, many of those building computer systems took the position that internal computer controls (those that are embodied in software within the operating system) could effectively limit the access of users to authorized information only. For a number of years many were lulled into the belief that computer security was a people problem that could be addressed by encouraging people to follow the rules of the road.
A few organizations, especially in the government, formed tiger teams to simulate adversaries trying to obtain unauthorized access to information. These tiger teams consistently found that circumventing the internal computer controls was an easy way to compromise security.
Even when the system builder made a major and concerted effort to find and patch all the holes, the technical controls were usually penetrated with ease. In recent years the media coverage of the exploits of hackers has increased general awareness of such computer vulnerabilities.
However, awareness that a problem existed did little to help the designers and builders of systems understand the underlying issues needing to be addressed in order to respond to the problem. This book brings together the problems and technical solutions in a balanced perspective that pinpoints constructive responses to some of the most significant aspects of the problem of computer security.
Any computer system can only be secure with respect to some specific policy that defines what information people are authorized to read or modify. This book presents the two major classes of policies, discretionary and mandatory, and shows how the information contained in rules and regulations can be fine-tuned for use in building a specific computer system to meet a. This is the first design step. Fortunately it is now understood that policy can be mathematically modeled abstractly, so that a wide range of end-user policies are represented by a single model.
This means that a single system design can be used effectively for private and commercial as well as civil and military uses.
The nub of the problem of secure computers is how to determine if a computer is in fact secure. In practical terms, one of the most serious and difficult impediments to widespread introduction of highly secure systems is the small number of evaluators who can accurately and consistently judge the security of a computer.
The key to this problem lies in specifying a chain of objective evidence that bridges the gap from policy to implemented system. Although the steps identified in this book fully support the Trusted Computer System Evaluation Criteria produced by the National Computer Security Center, the technical elements of an objective evaluation are not tied to any particular organization or class of users. Reproducible design steps that are carefully documented make it possible for a third party to objectively judge the efficacy of the builder's use of the technology.
Understanding and using these steps makes it possible not only to build a secure computer, but also to have an evaluator confirm that you have succeeded. There can be little doubt that it is unusually difficult to build and understand a highly secure computer system.
One of the most delightful aspects of this book is its readable style, which presents difficult and subtle topics clearly, without excessive jargon or superficiality, while achieving the needed breadth of coverage. This book distinguishes the technical aspects of computer security, and identifies the significance of the vulnerabilities being addressed. If I had but one book that I could recommend to the computer professional on computer security, Building a Secure Computer System would be my unqualified choice.
It covers the state of the art of applied computer security technology developed over the last fifteen or twenty years. It is a guide to building systems, not an exhaustive academic study, and provides enough information about selected techniques to give you a well-rounded understanding of the problems and solutions.
It is not possible in one book to treat all applications of security while retaining the technical depth needed to cover each topic adequately.
I have concentrated on applications for which prevailing literature is weak. Subjects about which books are already available, such as database security and cryptographic algorithms, receive less discussion here. In selecting techniques for discussion, I have given primary attention to demonstrable practicality. Many interesting techniques have been implemented in experimental systems but have never seen production use.
Some sophisticated features appear in research systems that are used daily at universities, proving that the concepts are viable, but for various reasons (not the fault of the researchers) the systems remain one-of-a-kind. Important technological advances in computer security are only now beginning to see the light of day, as interest in security grows among computer system vendors and users.
Experience with many sophisticated techniques is in its infancy, and examples are few and far between. Therefore, despite my attempt to stick to practical techniques, I have included some advanced concepts that are not quite ready for production use but follow logically from today's technology and show reasonable promise. The technology of computer security is controversial.
While everyone agrees that we have a serious computer security problem, few agree on the best response. Many would address the problem through better control of personnel, better administrative procedures, and more suitable laws; others believe that technical solutions are most appropriate. While this book concentrates solely on the technical approach, the ultimate answer will surely be a combination of many approaches.
Even among those who agree that technology is the answer, there is some disagreement on the value of different techniques. While I wish to be fair to all points of view, I emphasize approaches in this book that I believe work, and I make only token mention of others. This manner of selection is not meant to discredit alternatives. In addition, some good techniques may have. If you are looking for a hacker's guide, this is the wrong place.
Part I of this book provides an overview of elementary concepts and serves as an introduction to the chapters in parts II and III that will enable you to read only the chapters of interest, without getting lost. I would like to express my sincere appreciation to those who have taken the time out of their busy schedules to review and comment on drafts of this book: I am especially grateful to my most critical reviewer:

The meaning of the term computer security has evolved in recent years.
Before the problem of data security became widely publicized in the media, most people's idea of computer security focused on the physical machine. Traditionally, computer facilities have been physically protected for three reasons: to prevent theft of or damage to the hardware; to prevent theft of or damage to the information; and to prevent disruption of service. Strict procedures for access to the machine room are used by most organizations, and these procedures are often an organization's only obvious computer security measures.
Today, however, with pervasive remote terminal access, communications, and networking, physical measures rarely provide meaningful protection for either the information or the service; only the hardware is secure.
Nonetheless, most computer facilities continue to protect their physical machine far better than they do their data, even when the value of the data is several times greater than the value of the hardware. You probably are not reading this book to learn how to padlock your PC. Information security is the subject of this book. Furthermore, we are limiting our study to the insider problem: Most computer crimes are in fact committed by insiders, and most of the research in computer security since has been directed at the insider problem.
You may find it disconcerting, as you read this book, that information integrity (protecting information from unauthorized modification or destruction) seems to be receiving no sustained attention. There are two reasons for this seemingly one-sided point of view, one historic and one technical. First, having been funded primarily by the United States government, most computer. This tradition has persisted even in commercial applications, where classified information is not the concern and where integrity, not secrecy, is often the primary goal.
And second, the information disclosure problem is technically more interesting to computer security researchers, and the literature reflects this bias.
Fortunately, techniques to protect against information modification are almost always the same as or a subset of techniques to protect against information disclosure. This fact is consistently borne out in the technical measures we will discuss. In the rare cases where the techniques differ, that fact will be pointed out explicitly. While the definition of computer security used in this book does, therefore, include both secrecy and integrity, the closely related area termed denial of service is rarely discussed here.
Denial of service can be defined as a temporary reduction in system performance, a system crash requiring manual restart, or a major crash with permanent loss of data. Although reliable operation of the computer is a serious concern in most cases, denial of service has not traditionally been a topic of computer security research. As in the case of data integrity, one reason for the lack of concern is historic: But there is also an important technical reason.
While great strides have been made since the early s toward ensuring secrecy and integrity, little progress has been made in solving denial of service because the problem is fundamentally much harder: If denial of service is your only concern, you should refer to such topics as structured development, fault tolerance, and software reliability.
Most of the techniques for building secure systems, however, also help you build more robust and reliable systems. In addition, some security techniques do address certain denial-of-service problems, especially problems related to data integrity.
This book will indicate when those techniques apply. To sum up, security relates to secrecy first, integrity second, and denial of service a distant third. To help you remember this, memorize the computer security researcher's favorite tongue-in-cheek phrase: "I don't care if it works, as long as it is secure."
The document employs the concept of a trusted computing base, a combination of computer hardware and an operating system that supports untrusted applications and users. The seven levels of trust identified by the Criteria range from systems that have minimal protection features to those that provide the highest level of security modern technology can produce (see the table below). The Criteria attempts to define objective guidelines on which to base evaluations of both commercial systems and those developed for military applications.
The Criteria is a technical document that defines many computer security concepts and provides guidelines for their implementation. It focuses primarily on general-purpose operating systems. To assist in the evaluation of networks, the National Computer Security Center has published the Trusted Network Interpretation (National Computer Security Center), which interprets the Criteria from the point of view of network security.
The Trusted Network Interpretation identifies security features not mentioned in the Criteria that apply to networks and individual components within networks, and shows how they fit into the Criteria ratings.

Table: Trusted System Evaluation Criteria Ratings.

|Class|Title|Key Features|
|A1|Verified Design|Formal top-level specification and verification, formal covert channel analysis, informal code correspondence demonstration|
|B3|Security Domains|Reference monitor (security kernel), highly resistant to penetration|
|B2|Structured Protection|Formal model, covert channels constrained, security-oriented architecture, relatively resistant to penetration|
|B1|Labeled Security Protection|Mandatory access controls, security labeling, removal of security-related flaws|
|C2|Controlled Access|Individual accountability, extensive auditing, add-on packages|
|C1|Discretionary|Discretionary access controls, protection against accidents among cooperating users|
|D|Minimal Protection|Unrated|