Computer Security Art and Science, 2nd Edition

Book description

The Comprehensive Guide to Computer Security, Extensively Revised with Newer Technologies, Methods, Ideas, and Examples

In this updated guide, University of California at Davis Computer Security Laboratory co-director Matt Bishop offers clear, rigorous, and thorough coverage of modern computer security. Reflecting dramatic growth in the quantity, complexity, and consequences of security incidents, Computer Security, Second Edition, links core principles with technologies, methodologies, and ideas that have emerged since the first edition’s publication.

Writing for advanced undergraduates, graduate students, and IT professionals, Bishop covers foundational issues, policies, cryptography, systems design, assurance, and much more. He thoroughly addresses malware, vulnerability analysis, auditing, intrusion detection, and best-practice responses to attacks. In addition to new examples throughout, Bishop presents entirely new chapters on availability policy models and attack analysis.

  • Understand computer security goals, problems, and challenges, and the deep links between theory and practice
  • Learn how computer scientists seek to prove whether systems are secure
  • Define security policies for confidentiality, integrity, availability, and more
  • Analyze policies to reflect core questions of trust, and use them to constrain operations and change
  • Implement cryptography as one component of a wider computer and network security strategy
  • Use system-oriented techniques to establish effective security mechanisms, defining who can act and what they can do
  • Set appropriate security goals for a system or product, and ascertain how well it meets them
  • Recognize program flaws and malicious logic, and detect attackers seeking to exploit them

This is both a comprehensive text, explaining the most fundamental and pervasive aspects of the field, and a detailed reference. It will help you align security concepts with realistic policies, successfully implement your policies, and thoughtfully manage the trade-offs that inevitably arise.

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Table of contents

  1. Cover Page
  2. About This E-Book
  3. Title Page
  4. Copyright Page
  5. Dedication Page
  6. Contents
  7. Preface
    1. Preface to the Second Edition
    2. Preface to the First Edition
  8. Acknowledgments
    1. Special Acknowledgments
    2. Acknowledgments
  9. About the Author
  10. Part I: Introduction
    1. Chapter 1 An Overview of Computer Security
      1. 1.1 The Basic Components
      2. 1.2 Threats
      3. 1.3 Policy and Mechanism
      4. 1.4 Assumptions and Trust
      5. 1.5 Assurance
      6. 1.6 Operational Issues
      7. 1.7 Human Issues
      8. 1.8 Tying It All Together
      9. 1.9 Summary
      10. 1.10 Research Issues
      11. 1.11 Further Reading
      12. 1.12 Exercises
  11. Part II: Foundations
    1. Chapter 2 Access Control Matrix
      1. 2.1 Protection State
      2. 2.2 Access Control Matrix Model
      3. 2.3 Protection State Transitions
      4. 2.4 Copying, Owning, and the Attenuation of Privilege
      5. 2.5 Summary
      6. 2.6 Research Issues
      7. 2.7 Further Reading
      8. 2.8 Exercises
    2. Chapter 3 Foundational Results
      1. 3.1 The General Question
      2. 3.2 Basic Results
      3. 3.3 The Take-Grant Protection Model
      4. 3.4 Closing the Gap: The Schematic Protection Model
      5. 3.5 Expressive Power and the Models
      6. 3.6 Comparing Security Properties of Models
      7. 3.7 Summary
      8. 3.8 Research Issues
      9. 3.9 Further Reading
      10. 3.10 Exercises
  12. Part III: Policy
    1. Chapter 4 Security Policies
      1. 4.1 The Nature of Security Policies
      2. 4.2 Types of Security Policies
      3. 4.3 The Role of Trust
      4. 4.4 Types of Access Control
      5. 4.5 Policy Languages
      6. 4.6 Example: Academic Computer Security Policy
      7. 4.7 Security and Precision
      8. 4.8 Summary
      9. 4.9 Research Issues
      10. 4.10 Further Reading
      11. 4.11 Exercises
    2. Chapter 5 Confidentiality Policies
      1. 5.1 Goals of Confidentiality Policies
      2. 5.2 The Bell-LaPadula Model
      3. 5.3 Tranquility
      4. 5.4 The Controversy over the Bell-LaPadula Model
      5. 5.5 Summary
      6. 5.6 Research Issues
      7. 5.7 Further Reading
      8. 5.8 Exercises
    3. Chapter 6 Integrity Policies
      1. 6.1 Goals
      2. 6.2 The Biba Model
      3. 6.3 Lipner’s Integrity Matrix Model
      4. 6.4 Clark-Wilson Integrity Model
      5. 6.5 Trust Models
      6. 6.6 Summary
      7. 6.7 Research Issues
      8. 6.8 Further Reading
      9. 6.9 Exercises
    4. Chapter 7 Availability Policies
      1. 7.1 Goals of Availability Policies
      2. 7.2 Deadlock
      3. 7.3 Denial of Service Models
      4. 7.4 Example: Availability and Network Flooding
      5. 7.5 Summary
      6. 7.6 Research Issues
      7. 7.7 Further Reading
      8. 7.8 Exercises
    5. Chapter 8 Hybrid Policies
      1. 8.1 Chinese Wall Model
      2. 8.2 Clinical Information Systems Security Policy
      3. 8.3 Originator Controlled Access Control
      4. 8.4 Role-Based Access Control
      5. 8.5 Break-the-Glass Policies
      6. 8.6 Summary
      7. 8.7 Research Issues
      8. 8.8 Further Reading
      9. 8.9 Exercises
    6. Chapter 9 Noninterference and Policy Composition
      1. 9.1 The Problem
      2. 9.2 Deterministic Noninterference
      3. 9.3 Nondeducibility
      4. 9.4 Generalized Noninterference
      5. 9.5 Restrictiveness
      6. 9.6 Side Channels and Deducibility
      7. 9.7 Summary
      8. 9.8 Research Issues
      9. 9.9 Further Reading
      10. 9.10 Exercises
  13. Part IV: Implementation I: Cryptography
    1. Chapter 10 Basic Cryptography
      1. 10.1 Cryptography
      2. 10.2 Symmetric Cryptosystems
      3. 10.3 Public Key Cryptography
      4. 10.4 Cryptographic Checksums
      5. 10.5 Digital Signatures
      6. 10.6 Summary
      7. 10.7 Research Issues
      8. 10.8 Further Reading
      9. 10.9 Exercises
    2. Chapter 11 Key Management
      1. 11.1 Session and Interchange Keys
      2. 11.2 Key Exchange
      3. 11.3 Key Generation
      4. 11.4 Cryptographic Key Infrastructures
      5. 11.5 Storing and Revoking Keys
      6. 11.6 Summary
      7. 11.7 Research Issues
      8. 11.8 Further Reading
      9. 11.9 Exercises
    3. Chapter 12 Cipher Techniques
      1. 12.1 Problems
      2. 12.2 Stream and Block Ciphers
      3. 12.3 Authenticated Encryption
      4. 12.4 Networks and Cryptography
      5. 12.5 Example Protocols
      6. 12.6 Summary
      7. 12.7 Research Issues
      8. 12.8 Further Reading
      9. 12.9 Exercises
    4. Chapter 13 Authentication
      1. 13.1 Authentication Basics
      2. 13.2 Passwords
      3. 13.3 Password Selection
      4. 13.4 Attacking Passwords
      5. 13.5 Password Aging
      6. 13.6 Challenge-Response
      7. 13.7 Biometrics
      8. 13.8 Location
      9. 13.9 Multifactor Authentication
      10. 13.10 Summary
      11. 13.11 Research Issues
      12. 13.12 Further Reading
      13. 13.13 Exercises
  14. Part V: Implementation II: Systems
    1. Chapter 14 Design Principles
      1. 14.1 Underlying Ideas
      2. 14.2 Principles of Secure Design
      3. 14.3 Summary
      4. 14.4 Research Issues
      5. 14.5 Further Reading
      6. 14.6 Exercises
    2. Chapter 15 Representing Identity
      1. 15.1 What Is Identity?
      2. 15.2 Files and Objects
      3. 15.3 Users
      4. 15.4 Groups and Roles
      5. 15.5 Naming and Certificates
      6. 15.6 Identity on the Web
      7. 15.7 Anonymity on the Web
      8. 15.8 Summary
      9. 15.9 Research Issues
      10. 15.10 Further Reading
      11. 15.11 Exercises
    3. Chapter 16 Access Control Mechanisms
      1. 16.1 Access Control Lists
      2. 16.2 Capabilities
      3. 16.3 Locks and Keys
      4. 16.4 Ring-Based Access Control
      5. 16.5 Propagated Access Control Lists
      6. 16.6 Summary
      7. 16.7 Research Issues
      8. 16.8 Further Reading
      9. 16.9 Exercises
    4. Chapter 17 Information Flow
      1. 17.1 Basics and Background
      2. 17.2 Nonlattice Information Flow Policies
      3. 17.3 Static Mechanisms
      4. 17.4 Dynamic Mechanisms
      5. 17.5 Integrity Mechanisms
      6. 17.6 Example Information Flow Controls
      7. 17.7 Summary
      8. 17.8 Research Issues
      9. 17.9 Further Reading
      10. 17.10 Exercises
    5. Chapter 18 Confinement Problem
      1. 18.1 The Confinement Problem
      2. 18.2 Isolation
      3. 18.3 Covert Channels
      4. 18.4 Summary
      5. 18.5 Research Issues
      6. 18.6 Further Reading
      7. 18.7 Exercises
  15. Part VI: Assurance
    1. Chapter 19 Introduction to Assurance
      1. 19.1 Assurance and Trust
      2. 19.2 Building Secure and Trusted Systems
      3. 19.3 Summary
      4. 19.4 Research Issues
      5. 19.5 Further Reading
      6. 19.6 Exercises
    2. Chapter 20 Building Systems with Assurance
      1. 20.1 Assurance in Requirements Definition and Analysis
      2. 20.2 Assurance during System and Software Design
      3. 20.3 Assurance in Implementation and Integration
      4. 20.4 Assurance during Operation and Maintenance
      5. 20.5 Summary
      6. 20.6 Research Issues
      7. 20.7 Further Reading
      8. 20.8 Exercises
    3. Chapter 21 Formal Methods
      1. 21.1 Formal Verification Techniques
      2. 21.2 Formal Specification
      3. 21.3 Early Formal Verification Techniques
      4. 21.4 Current Verification Systems
      5. 21.5 Functional Programming Languages
      6. 21.6 Formally Verified Products
      7. 21.7 Summary
      8. 21.8 Research Issues
      9. 21.9 Further Reading
      10. 21.10 Exercises
    4. Chapter 22 Evaluating Systems
      1. 22.1 Goals of Formal Evaluation
      2. 22.2 TCSEC: 1983–1999
      3. 22.3 International Efforts and the ITSEC: 1991–2001
      4. 22.4 Commercial International Security Requirements: 1991
      5. 22.5 Other Commercial Efforts: Early 1990s
      6. 22.6 The Federal Criteria: 1992
      7. 22.7 FIPS 140: 1994–Present
      8. 22.8 The Common Criteria: 1998–Present
      9. 22.9 SSE-CMM: 1997–Present
      10. 22.10 Summary
      11. 22.11 Research Issues
      12. 22.12 Further Reading
      13. 22.13 Exercises
  16. Part VII: Special Topics
    1. Chapter 23 Malware
      1. 23.1 Introduction
      2. 23.2 Trojan Horses
      3. 23.3 Computer Viruses
      4. 23.4 Computer Worms
      5. 23.5 Bots and Botnets
      6. 23.6 Other Malware
      7. 23.7 Combinations
      8. 23.8 Theory of Computer Viruses
      9. 23.9 Defenses
      10. 23.10 Summary
      11. 23.11 Research Issues
      12. 23.12 Further Reading
      13. 23.13 Exercises
    2. Chapter 24 Vulnerability Analysis
      1. 24.1 Introduction
      2. 24.2 Penetration Studies
      3. 24.3 Vulnerability Classification
      4. 24.4 Frameworks
      5. 24.5 Standards
      6. 24.6 Gupta and Gligor’s Theory of Penetration Analysis
      7. 24.7 Summary
      8. 24.8 Research Issues
      9. 24.9 Further Reading
      10. 24.10 Exercises
    3. Chapter 25 Auditing
      1. 25.1 Definition
      2. 25.2 Anatomy of an Auditing System
      3. 25.3 Designing an Auditing System
      4. 25.4 A Posteriori Design
      5. 25.5 Auditing Mechanisms
      6. 25.6 Examples: Auditing File Systems
      7. 25.7 Summary
      8. 25.8 Research Issues
      9. 25.9 Further Reading
      10. 25.10 Exercises
    4. Chapter 26 Intrusion Detection
      1. 26.1 Principles
      2. 26.2 Basic Intrusion Detection
      3. 26.3 Models
      4. 26.4 Architecture
      5. 26.5 Organization of Intrusion Detection Systems
      6. 26.6 Summary
      7. 26.7 Research Issues
      8. 26.8 Further Reading
      9. 26.9 Exercises
    5. Chapter 27 Attacks and Responses
      1. 27.1 Attacks
      2. 27.2 Representing Attacks
      3. 27.3 Intrusion Response
      4. 27.4 Digital Forensics
      5. 27.5 Summary
      6. 27.6 Research Issues
      7. 27.7 Further Reading
      8. 27.8 Exercises
  17. Part VIII: Practicum
    1. Chapter 28 Network Security
      1. 28.1 Introduction
      2. 28.2 Policy Development
      3. 28.3 Network Organization
      4. 28.4 Availability
      5. 28.5 Anticipating Attacks
      6. 28.6 Summary
      7. 28.7 Research Issues
      8. 28.8 Further Reading
      9. 28.9 Exercises
    2. Chapter 29 System Security
      1. 29.1 Introduction
      2. 29.2 Policy
      3. 29.3 Networks
      4. 29.4 Users
      5. 29.5 Authentication
      6. 29.6 Processes
      7. 29.7 Files
      8. 29.8 Retrospective
      9. 29.9 Summary
      10. 29.10 Research Issues
      11. 29.11 Further Reading
      12. 29.12 Exercises
    3. Chapter 30 User Security
      1. 30.1 Policy
      2. 30.2 Access
      3. 30.3 Files and Devices
      4. 30.4 Processes
      5. 30.5 Electronic Communications
      6. 30.6 Summary
      7. 30.7 Research Issues
      8. 30.8 Further Reading
      9. 30.9 Exercises
    4. Chapter 31 Program Security
      1. 31.1 Problem
      2. 31.2 Requirements and Policy
      3. 31.3 Design
      4. 31.4 Refinement and Implementation
      5. 31.5 Common Security-Related Programming Problems
      6. 31.6 Testing, Maintenance, and Operation
      7. 31.7 Distribution
      8. 31.8 Summary
      9. 31.9 Research Issues
      10. 31.10 Further Reading
      11. 31.11 Exercises
  18. Part IX: Appendices
    1. Appendix A Lattices
      1. A.1 Basics
      2. A.2 Lattices
      3. A.3 Exercises
    2. Appendix B The Extended Euclidean Algorithm
      1. B.1 The Euclidean Algorithm
      2. B.2 The Extended Euclidean Algorithm
      3. B.3 Solving ax mod n = 1
      4. B.4 Solving ax mod n = b
      5. B.5 Exercises
    3. Appendix C Entropy and Uncertainty
      1. C.1 Conditional and Joint Probability
      2. C.2 Entropy and Uncertainty
      3. C.3 Joint and Conditional Entropy
      4. C.4 Exercises
    4. Appendix D Virtual Machines
      1. D.1 Virtual Machine Structure
      2. D.2 Virtual Machine Monitor
      3. D.3 Exercises
    5. Appendix E Symbolic Logic
      1. E.1 Propositional Logic
      2. E.2 Predicate Logic
      3. E.3 Temporal Logic Systems
      4. E.4 Exercises
    6. Appendix F The Encryption Standards
      1. F.1 Data Encryption Standard
      2. F.2 Advanced Encryption Standard
      3. F.3 Exercises
    7. Appendix G Example Academic Security Policy
      1. G.1 Acceptable Use Policy
      2. G.2 University of California Electronic Communications Policy
      3. G.3 User Advisories
      4. G.4 Electronic Communications—Allowable Use
    8. Appendix H Programming Rules
      1. H.1 Implementation Rules
      2. H.2 Management Rules
  19. References
  20. Index
  21. Credits
  22. Code Snippets

Product information

  • Title: Computer Security Art and Science, 2nd Edition
  • Author(s): Matt Bishop
  • Release date: November 2018
  • Publisher(s): Addison-Wesley Professional
  • ISBN: 9780134097145