BUILDING A SECURE COMPUTER SYSTEM

Morrie Gasser

Van Nostrand Reinhold
115 Fifth Avenue
New York, New York 10003

Permission to reproduce this text has been obtained from Morrie Gasser,
who holds the copyright now that the book is out of print. Please report errors to stanw@unomaha.edu.

Building Secure Systems, by Morrie Gasser. Van Nostrand Reinhold © 1988 (985k PDF file)

CONTENTS
Foreword
Preface
PART I OVERVIEW
Chapter 1 What is Computer Security? 3
1.1 Secrecy, Integrity, and Denial of Service 3
1.2 Trusted System Evaluation Criteria 4
References 6
Chapter 2 Why Systems Are Not Secure 7
2.1 Security is Fundamentally Difficult 7
2.2 Security Is an Afterthought 8
2.3 Security Is an Impediment 9
2.4 False Solutions Impede Progress 10
2.5 The Problem is People, Not Computers 11
2.6 Technology is Oversold 12
References 13
Chapter 3 General Concepts 15
3.1 Internal and External Security 15
3.2 The System Boundary and the Security Perimeter 16
3.3 Users and Trust 18
3.3.1 Protecting the User from Self-betrayal 18
3.3.2 Identification and Authentication 18
3.4 Trusted Systems 19
3.4.1 Trojan Horses 21
3.5 Subjects, Objects, and Access Control 21
3.5.1 Access Control 22
3.5.2 Security Policy 23
Chapter 4 Design Techniques 24
4.1 System Structures 24
4.1.1 Structure of a Computer System 25
4.1.2 System States 27
4.2 The Reference Monitor and Security Kernels 28
4.3 System Development Process 30
References 32
PART II DETAILED CONCEPTS
Chapter 5 Principles of a Security Architecture 35
5.1 Consider Security from the Start 36
5.2 Anticipate Future Security Requirements 36
5.3 Minimize and Isolate Security Controls 38
5.4 Enforce Least Privilege 39
5.5 Structure the Security-Relevant Functions 41
5.6 Make Security Friendly 41
5.7 Do Not Depend on Secrecy for Security 43
References 44
Chapter 6 Access Control and Multilevel Security 45
6.1 Access to the System 45
6.2 Discretionary Access Control 47
6.2.1 Passwords for File Access 47
6.2.2 Capability List 48
6.2.3 Owner/Group/Other 48
6.2.4 Access Control Lists 49
6.2.5 Trojan Horse Threats 50
6.3 Mandatory Access Control 50
6.4 Multilevel Security 51
6.4.1 Military Security Policy 51
6.4.2 A Note on Terminology 52
6.4.3 Mathematical Relationships 53
6.4.4 Multilevel Security Rules 53
6.5 Integrity 56
References 58

Chapter 7 Trojan Horses and Covert Channels 60
7.1 Trojan Horses and Viruses 61
7.1.1 Trojan Horse Examples 61
7.1.2 Limiting the Trojan Horse 63
7.2 Covert Channels 67
7.2.1 Covert Storage Channels 68
7.2.2 Covert Timing Channels 70
7.3 Trap Doors 71
References 72
PART III IMPLEMENTATION
Chapter 8 Hardware Security Mechanisms 75
8.1 Hardware/Firmware/Software Trade-offs 76
8.2 Process Support 77
8.3 Memory Protection 78
8.3.1 Virtual Address Space 78
8.3.2 Virtual Memory Mapping 78
8.3.3 Demand Paging 79
8.3.4 Segmentation 80
8.3.5 Access Control with Memory Management 83
8.4 Execution Domains 86
8.4.1 Transfer of Control Across Domains 89
8.4.2 Argument Passing Across Domains 91
8.5 Input/Output Access Control 96
8.5.1 Programmed I/O 99
8.5.2 Unmapped I/O 100
8.5.3 Premapped I/O 101
8.5.4 Fully Mapped I/O 101
References 103
Chapter 9 Security Models 105
9.1 Role of a Security Model 105
9.2 Practical Applications of a Model 108
9.3 Types of Security Models 109
9.4 Characteristics of a Security Model 110
9.5 State-Machine Models 111
9.5.1 Examples of a State Machine Model 112
9.5.2 Adding Constraints to State-Machine Access Models 117
9.5.3 The Bell and La Padula Security Model 121
9.6 Information-Flow Models 125
9.7 Informal Model-to-System Correspondence 127
9.7.1 Mapping the Functions 127
9.7.2 Mapping the Variables 128
9.7.3 Unmapped Functions and Variables 128
References 129
Chapter 10 Security Kernels 131
10.1 The Reference Monitor 132
10.2 The Three Principles 133
10.2.1 Completeness 133
10.2.2 Isolation 134
10.2.3 Verifiability 134
10.3 Virtualization and Sharing 136
10.4 Trusted Path 137
10.5 Trusted Functions 139
10.6 Kernel Security Policies 140
10.7 Kernel Implementation Strategies 141
10.7.1 Case (a): Identical Operating System (Virtual Machine) 143
10.7.2 Case (b): Compatible Operating System (Emulation) 145
10.7.3 Case (c): New Operating System 148
References 148

Chapter 11 Architectural Considerations 151
11.1 Operating System Layering 151
11.2 Asynchronous Attacks and Argument Validation 153
11.3 Protected Subsystems 154
11.4 Secure File Systems 157
11.4.1 Naming Structures 157
11.4.2 Unique Identifiers 159
11.5 Security Guards 160
11.6 Capability-based Architectures 162
References 163
Chapter 12 Formal Specification and Verification 165
12.1 Formal Specification Techniques 167
12.2 Properties of Formal Specifications 168
12.3 Example of a Formal Specification 172
12.4 Specification-to-Model Correspondence 174
12.5 Techniques for Proving Specifications 175
12.6 Methods of Decomposition 177
12.6.1 Data Structure Refinement 177
12.6.2 Algorithmic Refinement 178
12.6.3 Procedural Abstraction 181
12.7 Information-Flow Analysis 182
12.7.1 Flow Rules 184
12.7.2 Flow Analysis Process 188
12.8 Code Correspondence Proofs 189
References 192
Chapter 13 Networks and Distributed Systems 195
13.1 Overview of Networking Concepts 195
13.1.1 Protocol Hierarchies and Models 195
13.1.2 Characteristics of Protocols 198
13.1.3 Network Topologies and Components 199
13.2 Encryption 200
13.2.1 Fundamentals of Encryption 201
13.2.2 Security Services 205
13.2.3 Integrating Packet Encryption into a Protocol Architecture 209
13.2.4 Key Management 210
13.3 A Network Security Architecture 212
13.3.1 Network Subjects, Objects, and Access Control 213
13.3.2 Network Security Perimeter and Protected Path 215
13.3.3 Distributed Secure System 216
13.3.4 Mutually Suspicious Systems 218
13.4 Network Servers 220
13.4.1 Authentication and Authorization Servers 221
13.4.2 Name Servers 221
13.4.3 Other Servers 222
13.5 Security Kernel on a Network 222
13.6 The Future of Secure Distributed Systems 224
References 224
Bibliography 226
Index 229