Introduction to Computer Security

Book Description

In this authoritative book, widely respected practitioner and teacher Matt Bishop presents a clear and useful introduction to the art and science of information security. Bishop's insights and realistic examples will help any practitioner or student understand the crucial links between security theory and the day-to-day security challenges of IT environments.

Bishop explains the fundamentals of security: the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanisms, and how attackers can subvert these tools, as well as how to defend against attackers. A practicum demonstrates how to apply these ideas and mechanisms to a realistic company.

Coverage includes

  • Confidentiality, integrity, and availability

  • Operational issues, cost-benefit and risk analyses, legal and human factors

  • Planning and implementing effective access control

  • Defining security, confidentiality, and integrity policies

  • Using cryptography and public-key systems, and recognizing their limits

  • Understanding and using authentication: from passwords to biometrics

  • Security design principles: least-privilege, fail-safe defaults, open design, economy of mechanism, and more

  • Controlling information flow through systems and networks

  • Assuring security throughout the system lifecycle

  • Malicious logic: Trojan horses, viruses, boot sector and executable infectors, rabbits, bacteria, logic bombs, and defenses against them

  • Vulnerability analysis, penetration studies, auditing, and intrusion detection and prevention

  • Applying security principles to networks, systems, users, and programs

Introduction to Computer Security is adapted from Bishop's comprehensive and widely praised book, Computer Security: Art and Science. This shorter version of the original work omits much mathematical formalism, making it more accessible for professionals and students who have a less formal mathematical background, or for readers with a more practical than theoretical interest.

Table of Contents

  1. Copyright
    1. Dedication
  2. Preface
    1. Goals
    2. Philosophy
    3. Organization
    4. Differences Between this Book and Computer Security: Art and Science
    5. Special Acknowledgment
    6. Acknowledgments
  3. 1. An Overview of Computer Security
    1. 1.1. The Basic Components
      1. 1.1.1. Confidentiality
      2. 1.1.2. Integrity
      3. 1.1.3. Availability
    2. 1.2. Threats
    3. 1.3. Policy and Mechanism
      1. 1.3.1. Goals of Security
    4. 1.4. Assumptions and Trust
    5. 1.5. Assurance
      1. 1.5.1. Specification
      2. 1.5.2. Design
      3. 1.5.3. Implementation
    6. 1.6. Operational Issues
      1. 1.6.1. Cost-Benefit Analysis
      2. 1.6.2. Risk Analysis
      3. 1.6.3. Laws and Customs
    7. 1.7. Human Issues
      1. 1.7.1. Organizational Problems
      2. 1.7.2. People Problems
    8. 1.8. Tying It All Together
    9. 1.9. Summary
    10. 1.10. Further Reading
    11. 1.11. Exercises
  4. 2. Access Control Matrix
    1. 2.1. Protection State
    2. 2.2. Access Control Matrix Model
    3. 2.3. Protection State Transitions
      1. 2.3.1. Conditional Commands
    4. 2.4. Summary
    5. 2.5. Further Reading
    6. 2.6. Exercises
  5. 3. Foundational Results
    1. 3.1. The General Question
    2. 3.2. Basic Results
    3. 3.3. Summary
    4. 3.4. Further Reading
    5. 3.5. Exercises
  6. 4. Security Policies
    1. 4.1. Security Policies
    2. 4.2. Types of Security Policies
    3. 4.3. The Role of Trust
    4. 4.4. Types of Access Control
    5. 4.5. Example: Academic Computer Security Policy
      1. 4.5.1. General University Policy
      2. 4.5.2. Electronic Mail Policy
        1. 4.5.2.1. The Electronic Mail Policy Summary
        2. 4.5.2.2. The Full Policy
        3. 4.5.2.3. Implementation at UC Davis
    6. 4.6. Summary
    7. 4.7. Further Reading
    8. 4.8. Exercises
  7. 5. Confidentiality Policies
    1. 5.1. Goals of Confidentiality Policies
    2. 5.2. The Bell-LaPadula Model
      1. 5.2.1. Informal Description
      2. 5.2.2. Example: The Data General B2 UNIX System
        1. 5.2.2.1. Assigning MAC Labels
        2. 5.2.2.2. Using MAC Labels
    3. 5.3. Summary
    4. 5.4. Further Reading
    5. 5.5. Exercises
  8. 6. Integrity Policies
    1. 6.1. Goals
    2. 6.2. Biba Integrity Model
    3. 6.3. Clark-Wilson Integrity Model
      1. 6.3.1. The Model
      2. 6.3.2. Comparison with the Requirements
      3. 6.3.3. Comparison with Other Models
    4. 6.4. Summary
    5. 6.5. Further Reading
    6. 6.6. Exercises
  9. 7. Hybrid Policies
    1. 7.1. Chinese Wall Model
      1. 7.1.1. Bell-LaPadula and Chinese Wall Models
      2. 7.1.2. Clark-Wilson and Chinese Wall Models
    2. 7.2. Clinical Information Systems Security Policy
      1. 7.2.1. Bell-LaPadula and Clark-Wilson Models
    3. 7.3. Originator Controlled Access Control
    4. 7.4. Role-Based Access Control
    5. 7.5. Summary
    6. 7.6. Further Reading
    7. 7.7. Exercises
  10. 8. Basic Cryptography
    1. 8.1. What Is Cryptography?
    2. 8.2. Classical Cryptosystems
      1. 8.2.1. Transposition Ciphers
      2. 8.2.2. Substitution Ciphers
        1. 8.2.2.1. Vigenère Cipher
        2. 8.2.2.2. One-Time Pad
      3. 8.2.3. Data Encryption Standard
      4. 8.2.4. Other Classical Ciphers
    3. 8.3. Public Key Cryptography
      1. 8.3.1. RSA
    4. 8.4. Cryptographic Checksums
      1. 8.4.1. HMAC
    5. 8.5. Summary
    6. 8.6. Further Reading
    7. 8.7. Exercises
  11. 9. Key Management
    1. 9.1. Session and Interchange Keys
    2. 9.2. Key Exchange
      1. 9.2.1. Classical Cryptographic Key Exchange and Authentication
      2. 9.2.2. Kerberos
      3. 9.2.3. Public Key Cryptographic Key Exchange and Authentication
    3. 9.3. Cryptographic Key Infrastructures
      1. 9.3.1. Certificate Signature Chains
        1. 9.3.1.1. X.509: Certification Signature Chains
        2. 9.3.1.2. PGP Certificate Signature Chains
      2. 9.3.2. Summary
    4. 9.4. Storing and Revoking Keys
      1. 9.4.1. Key Storage
      2. 9.4.2. Key Revocation
    5. 9.5. Digital Signatures
      1. 9.5.1. Classical Signatures
      2. 9.5.2. Public Key Signatures
    6. 9.6. Summary
    7. 9.7. Further Reading
    8. 9.8. Exercises
  12. 10. Cipher Techniques
    1. 10.1. Problems
      1. 10.1.1. Precomputing the Possible Messages
      2. 10.1.2. Misordered Blocks
      3. 10.1.3. Statistical Regularities
      4. 10.1.4. Summary
    2. 10.2. Stream and Block Ciphers
      1. 10.2.1. Stream Ciphers
        1. 10.2.1.1. Synchronous Stream Ciphers
        2. 10.2.1.2. Self-Synchronous Stream Ciphers
      2. 10.2.2. Block Ciphers
        1. 10.2.2.1. Multiple Encryption
    3. 10.3. Networks and Cryptography
    4. 10.4. Example Protocols
      1. 10.4.1. Secure Electronic Mail: PEM
        1. 10.4.1.1. Design Principles
        2. 10.4.1.2. Basic Design
        3. 10.4.1.3. Other Considerations
        4. 10.4.1.4. Conclusion
      2. 10.4.2. Security at the Network Layer: IPsec
        1. 10.4.2.1. IPsec Architecture
        2. 10.4.2.2. Authentication Header Protocol
        3. 10.4.2.3. Encapsulating Security Payload Protocol
      3. 10.4.3. Conclusion
    5. 10.5. Summary
    6. 10.6. Further Reading
    7. 10.7. Exercises
  13. 11. Authentication
    1. 11.1. Authentication Basics
    2. 11.2. Passwords
      1. 11.2.1. Attacking a Password System
      2. 11.2.2. Countering Password Guessing
        1. 11.2.2.1. Random Selection of Passwords
        2. 11.2.2.2. Pronounceable and Other Computer-Generated Passwords
        3. 11.2.2.3. User Selection of Passwords
        4. 11.2.2.4. Reusable Passwords and Dictionary Attacks
        5. 11.2.2.5. Guessing Through Authentication Functions
      3. 11.2.3. Password Aging
    3. 11.3. Challenge-Response
      1. 11.3.1. Pass Algorithms
      2. 11.3.2. One-Time Passwords
      3. 11.3.3. Hardware-Supported Challenge-Response Procedures
      4. 11.3.4. Challenge-Response and Dictionary Attacks
    4. 11.4. Biometrics
      1. 11.4.1. Fingerprints
      2. 11.4.2. Voices
      3. 11.4.3. Eyes
      4. 11.4.4. Faces
      5. 11.4.5. Keystrokes
      6. 11.4.6. Combinations
      7. 11.4.7. Caution
    5. 11.5. Location
    6. 11.6. Multiple Methods
    7. 11.7. Summary
    8. 11.8. Further Reading
    9. 11.9. Exercises
  14. 12. Design Principles
    1. 12.1. Overview
    2. 12.2. Design Principles
      1. 12.2.1. Principle of Least Privilege
      2. 12.2.2. Principle of Fail-Safe Defaults
      3. 12.2.3. Principle of Economy of Mechanism
      4. 12.2.4. Principle of Complete Mediation
      5. 12.2.5. Principle of Open Design
      6. 12.2.6. Principle of Separation of Privilege
      7. 12.2.7. Principle of Least Common Mechanism
      8. 12.2.8. Principle of Psychological Acceptability
    3. 12.3. Summary
    4. 12.4. Further Reading
    5. 12.5. Exercises
  15. 13. Representing Identity
    1. 13.1. What Is Identity?
    2. 13.2. Files and Objects
    3. 13.3. Users
    4. 13.4. Groups and Roles
    5. 13.5. Naming and Certificates
      1. 13.5.1. The Meaning of the Identity
      2. 13.5.2. Trust
    6. 13.6. Identity on the Web
      1. 13.6.1. Host Identity
        1. 13.6.1.1. Static and Dynamic Identifiers
        2. 13.6.1.2. Security Issues with the Domain Name Service
      2. 13.6.2. State and Cookies
      3. 13.6.3. Anonymity on the Web
        1. 13.6.3.1. Anonymity for Better or Worse
    7. 13.7. Summary
    8. 13.8. Further Reading
    9. 13.9. Exercises
  16. 14. Access Control Mechanisms
    1. 14.1. Access Control Lists
      1. 14.1.1. Abbreviations of Access Control Lists
      2. 14.1.2. Creation and Maintenance of Access Control Lists
        1. 14.1.2.1. Which Subjects Can Modify an Object's ACL?
        2. 14.1.2.2. Do the ACLs Apply to a Privileged User?
        3. 14.1.2.3. Does the ACL Support Groups and Wildcards?
        4. 14.1.2.4. Conflicts
        5. 14.1.2.5. ACLs and Default Permissions
      3. 14.1.3. Revocation of Rights
      4. 14.1.4. Example: Windows NT Access Control Lists
    2. 14.2. Capabilities
      1. 14.2.1. Implementation of Capabilities
      2. 14.2.2. Copying and Amplifying Capabilities
      3. 14.2.3. Revocation of Rights
      4. 14.2.4. Limits of Capabilities
      5. 14.2.5. Comparison with Access Control Lists
    3. 14.3. Locks and Keys
      1. 14.3.1. Type Checking
    4. 14.4. Ring-Based Access Control
    5. 14.5. Propagated Access Control Lists
    6. 14.6. Summary
    7. 14.7. Further Reading
    8. 14.8. Exercises
  17. 15. Information Flow
    1. 15.1. Basics and Background
      1. 15.1.1. Information Flow Models and Mechanisms
    2. 15.2. Compiler-Based Mechanisms
      1. 15.2.1. Declarations
      2. 15.2.2. Program Statements
        1. 15.2.2.1. Assignment Statements
        2. 15.2.2.2. Compound Statements
        3. 15.2.2.3. Conditional Statements
        4. 15.2.2.4. Iterative Statements
        5. 15.2.2.5. Goto Statements
        6. 15.2.2.6. Procedure Calls
      3. 15.2.3. Exceptions and Infinite Loops
      4. 15.2.4. Concurrency
      5. 15.2.5. Soundness
    3. 15.3. Execution-Based Mechanisms
      1. 15.3.1. Fenton's Data Mark Machine
      2. 15.3.2. Variable Classes
    4. 15.4. Example Information Flow Controls
      1. 15.4.1. Security Pipeline Interface
      2. 15.4.2. Secure Network Server Mail Guard
    5. 15.5. Summary
    6. 15.6. Further Reading
    7. 15.7. Exercises
  18. 16. Confinement Problem
    1. 16.1. The Confinement Problem
    2. 16.2. Isolation
      1. 16.2.1. Virtual Machines
      2. 16.2.2. Sandboxes
    3. 16.3. Covert Channels
      1. 16.3.1. Detection of Covert Channels
      2. 16.3.2. Mitigation of Covert Channels
    4. 16.4. Summary
    5. 16.5. Further Reading
    6. 16.6. Exercises
  19. 17. Introduction to Assurance
    1. 17.1. Assurance and Trust
      1. 17.1.1. The Need for Assurance
      2. 17.1.2. The Role of Requirements in Assurance
      3. 17.1.3. Assurance Throughout the Life Cycle
    2. 17.2. Building Secure and Trusted Systems
      1. 17.2.1. Life Cycle
        1. 17.2.1.1. Conception
        2. 17.2.1.2. Manufacture
        3. 17.2.1.3. Deployment
        4. 17.2.1.4. Fielded Product Life
      2. 17.2.2. The Waterfall Life Cycle Model
        1. 17.2.2.1. Requirements Definition and Analysis
        2. 17.2.2.2. System and Software Design
        3. 17.2.2.3. Implementation and Unit Testing
        4. 17.2.2.4. Integration and System Testing
        5. 17.2.2.5. Operation and Maintenance
        6. 17.2.2.6. Discussion
      3. 17.2.3. Other Models of Software Development
        1. 17.2.3.1. Exploratory Programming
        2. 17.2.3.2. Prototyping
        3. 17.2.3.3. Formal Transformation
        4. 17.2.3.4. System Assembly from Reusable Components
        5. 17.2.3.5. Extreme Programming
    3. 17.3. Building Security In or Adding Security Later
    4. 17.4. Summary
    5. 17.5. Further Reading
    6. 17.6. Exercises
  20. 18. Evaluating Systems
    1. 18.1. Goals of Formal Evaluation
      1. 18.1.1. Deciding to Evaluate
      2. 18.1.2. Historical Perspective of Evaluation Methodologies
    2. 18.2. TCSEC: 1983–1999
      1. 18.2.1. TCSEC Requirements
        1. 18.2.1.1. TCSEC Functional Requirements
        2. 18.2.1.2. TCSEC Assurance Requirements
      2. 18.2.2. The TCSEC Evaluation Classes
      3. 18.2.3. The TCSEC Evaluation Process
      4. 18.2.4. Impacts
        1. 18.2.4.1. Scope Limitations
        2. 18.2.4.2. Process Limitations
        3. 18.2.4.3. Contributions
    3. 18.3. FIPS 140: 1994–Present
      1. 18.3.1. FIPS 140 Requirements
      2. 18.3.2. FIPS 140-2 Security Levels
      3. 18.3.3. Impact
    4. 18.4. The Common Criteria: 1998–Present
      1. 18.4.1. Overview of the Methodology
      2. 18.4.2. CC Requirements
      3. 18.4.3. CC Security Functional Requirements
      4. 18.4.4. Assurance Requirements
      5. 18.4.5. Evaluation Assurance Levels
      6. 18.4.6. Evaluation Process
      7. 18.4.7. Impacts
      8. 18.4.8. Future of the Common Criteria
        1. 18.4.8.1. Interpretations
        2. 18.4.8.2. Assurance Class AMA and Family ALC_FLR
        3. 18.4.8.3. Products Versus Systems
        4. 18.4.8.4. Protection Profiles and Security Targets
        5. 18.4.8.5. Assurance Class AVA
        6. 18.4.8.6. EAL5
    5. 18.5. SSE-CMM: 1997–Present
      1. 18.5.1. The SSE-CMM Model
      2. 18.5.2. Using the SSE-CMM
    6. 18.6. Summary
    7. 18.7. Further Reading
    8. 18.8. Exercises
  21. 19. Malicious Logic
    1. 19.1. Introduction
    2. 19.2. Trojan Horses
    3. 19.3. Computer Viruses
      1. 19.3.1. Boot Sector Infectors
      2. 19.3.2. Executable Infectors
      3. 19.3.3. Multipartite Viruses
      4. 19.3.4. TSR Viruses
      5. 19.3.5. Stealth Viruses
      6. 19.3.6. Encrypted Viruses
      7. 19.3.7. Polymorphic Viruses
      8. 19.3.8. Macro Viruses
    4. 19.4. Computer Worms
    5. 19.5. Other Forms of Malicious Logic
      1. 19.5.1. Rabbits and Bacteria
      2. 19.5.2. Logic Bombs
    6. 19.6. Defenses
      1. 19.6.1. Malicious Logic Acting as Both Data and Instructions
      2. 19.6.2. Malicious Logic Assuming the Identity of a User
        1. 19.6.2.1. Information Flow Metrics
        2. 19.6.2.2. Reducing the Rights
        3. 19.6.2.3. Sandboxing
      3. 19.6.3. Malicious Logic Crossing Protection Domain Boundaries by Sharing
      4. 19.6.4. Malicious Logic Altering Files
      5. 19.6.5. Malicious Logic Performing Actions Beyond Specification
        1. 19.6.5.1. Proof-Carrying Code
      6. 19.6.6. Malicious Logic Altering Statistical Characteristics
      7. 19.6.7. The Notion of Trust
    7. 19.7. Summary
    8. 19.8. Further Reading
    9. 19.9. Exercises
  22. 20. Vulnerability Analysis
    1. 20.1. Introduction
    2. 20.2. Penetration Studies
      1. 20.2.1. Goals
      2. 20.2.2. Layering of Tests
      3. 20.2.3. Methodology at Each Layer
      4. 20.2.4. Flaw Hypothesis Methodology
        1. 20.2.4.1. Information Gathering and Flaw Hypothesis
        2. 20.2.4.2. Flaw Testing
        3. 20.2.4.3. Flaw Generalization
        4. 20.2.4.4. Flaw Elimination
      5. 20.2.5. Example: Penetration of the Michigan Terminal System
      6. 20.2.6. Example: Compromise of a Burroughs System
      7. 20.2.7. Example: Penetration of a Corporate Computer System
      8. 20.2.8. Example: Penetrating a UNIX System
      9. 20.2.9. Example: Penetrating a Windows NT System
      10. 20.2.10. Debate
      11. 20.2.11. Conclusion
    3. 20.3. Vulnerability Classification
      1. 20.3.1. Two Security Flaws
    4. 20.4. Frameworks
      1. 20.4.1. The RISOS Study
        1. 20.4.1.1. The Flaw Classes
        2. 20.4.1.2. Legacy
      2. 20.4.2. Protection Analysis Model
        1. 20.4.2.1. The Flaw Classes
        2. 20.4.2.2. Legacy
      3. 20.4.3. The NRL Taxonomy
        1. 20.4.3.1. The Flaw Classes
        2. 20.4.3.2. Legacy
      4. 20.4.4. Aslam's Model
        1. 20.4.4.1. The Flaw Classes
        2. 20.4.4.2. Legacy
      5. 20.4.5. Comparison and Analysis
        1. 20.4.5.1. The xterm Log File Flaw
        2. 20.4.5.2. The fingerd Buffer Overflow Flaw
        3. 20.4.5.3. Summary
    5. 20.5. Summary
    6. 20.6. Further Reading
    7. 20.7. Exercises
  23. 21. Auditing
    1. 21.1. Definitions
    2. 21.2. Anatomy of an Auditing System
      1. 21.2.1. Logger
      2. 21.2.2. Analyzer
      3. 21.2.3. Notifier
    3. 21.3. Designing an Auditing System
      1. 21.3.1. Implementation Considerations
      2. 21.3.2. Syntactic Issues
      3. 21.3.3. Log Sanitization
      4. 21.3.4. Application and System Logging
    4. 21.4. A Posteriori Design
      1. 21.4.1. Auditing to Detect Violations of a Known Policy
        1. 21.4.1.1. State-Based Auditing
        2. 21.4.1.2. Transition-Based Auditing
      2. 21.4.2. Auditing to Detect Known Violations of a Policy
    5. 21.5. Auditing Mechanisms
      1. 21.5.1. Secure Systems
      2. 21.5.2. Nonsecure Systems
    6. 21.6. Examples: Auditing File Systems
      1. 21.6.1. Audit Analysis of the NFS Version 2 Protocol
      2. 21.6.2. The Logging and Auditing File System (LAFS)
      3. 21.6.3. Comparison
    7. 21.7. Audit Browsing
    8. 21.8. Summary
    9. 21.9. Further Reading
    10. 21.10. Exercises
  24. 22. Intrusion Detection
    1. 22.1. Principles
    2. 22.2. Basic Intrusion Detection
    3. 22.3. Models
      1. 22.3.1. Anomaly Modeling
      2. 22.3.2. Misuse Modeling
      3. 22.3.3. Specification Modeling
      4. 22.3.4. Summary
    4. 22.4. Architecture
      1. 22.4.1. Agent
        1. 22.4.1.1. Host-Based Information Gathering
        2. 22.4.1.2. Network-Based Information Gathering
        3. 22.4.1.3. Combining Sources
      2. 22.4.2. Director
      3. 22.4.3. Notifier
    5. 22.5. Organization of Intrusion Detection Systems
      1. 22.5.1. Monitoring Network Traffic for Intrusions: NSM
      2. 22.5.2. Combining Host and Network Monitoring: DIDS
      3. 22.5.3. Autonomous Agents: AAFID
    6. 22.6. Intrusion Response
      1. 22.6.1. Incident Prevention
      2. 22.6.2. Intrusion Handling
        1. 22.6.2.1. Containment Phase
        2. 22.6.2.2. Eradication Phase
        3. 22.6.2.3. Follow-Up Phase
    7. 22.7. Summary
    8. 22.8. Further Reading
    9. 22.9. Exercises
  25. 23. Network Security
    1. 23.1. Introduction
    2. 23.2. Policy Development
      1. 23.2.1. Data Classes
      2. 23.2.2. User Classes
      3. 23.2.3. Availability
      4. 23.2.4. Consistency Check
    3. 23.3. Network Organization
      1. 23.3.1. Firewalls and Proxies
      2. 23.3.2. Analysis of the Network Infrastructure
        1. 23.3.2.1. Outer Firewall Configuration
        2. 23.3.2.2. Inner Firewall Configuration
      3. 23.3.3. In the DMZ
        1. 23.3.3.1. DMZ Mail Server
        2. 23.3.3.2. DMZ WWW Server
        3. 23.3.3.3. DMZ DNS Server
        4. 23.3.3.4. DMZ Log Server
        5. 23.3.3.5. Summary
      4. 23.3.4. In the Internal Network
      5. 23.3.5. General Comment on Assurance
    4. 23.4. Availability and Network Flooding
      1. 23.4.1. Intermediate Hosts
      2. 23.4.2. TCP State and Memory Allocations
    5. 23.5. Anticipating Attacks
    6. 23.6. Summary
    7. 23.7. Further Reading
    8. 23.8. Exercises
  26. 24. System Security
    1. 24.1. Introduction
    2. 24.2. Policy
      1. 24.2.1. The Web Server System in the DMZ
      2. 24.2.2. The Development System
      3. 24.2.3. Comparison
      4. 24.2.4. Conclusion
    3. 24.3. Networks
      1. 24.3.1. The Web Server System in the DMZ
      2. 24.3.2. The Development System
      3. 24.3.3. Comparison
    4. 24.4. Users
      1. 24.4.1. The Web Server System in the DMZ
      2. 24.4.2. The Development System
      3. 24.4.3. Comparison
    5. 24.5. Authentication
      1. 24.5.1. The Web Server System in the DMZ
      2. 24.5.2. Development Network System
      3. 24.5.3. Comparison
    6. 24.6. Processes
      1. 24.6.1. The Web Server System in the DMZ
      2. 24.6.2. The Development System
      3. 24.6.3. Comparison
    7. 24.7. Files
      1. 24.7.1. The Web Server System in the DMZ
      2. 24.7.2. The Development System
      3. 24.7.3. Comparison
    8. 24.8. Retrospective
      1. 24.8.1. The Web Server System in the DMZ
      2. 24.8.2. The Development System
    9. 24.9. Summary
    10. 24.10. Further Reading
    11. 24.11. Exercises
  27. 25. User Security
    1. 25.1. Policy
    2. 25.2. Access
      1. 25.2.1. Passwords
      2. 25.2.2. The Login Procedure
        1. 25.2.2.1. Trusted Hosts
      3. 25.2.3. Leaving the System
    3. 25.3. Files and Devices
      1. 25.3.1. Files
        1. 25.3.1.1. File Permissions on Creation
        2. 25.3.1.2. Group Access
        3. 25.3.1.3. File Deletion
      2. 25.3.2. Devices
        1. 25.3.2.1. Writable Devices
        2. 25.3.2.2. Smart Terminals
        3. 25.3.2.3. Monitors and Window Systems
    4. 25.4. Processes
      1. 25.4.1. Copying and Moving Files
      2. 25.4.2. Accidentally Overwriting Files
      3. 25.4.3. Encryption, Cryptographic Keys, and Passwords
      4. 25.4.4. Start-up Settings
      5. 25.4.5. Limiting Privileges
      6. 25.4.6. Malicious Logic
    5. 25.5. Electronic Communications
      1. 25.5.1. Automated Electronic Mail Processing
      2. 25.5.2. Failure to Check Certificates
      3. 25.5.3. Sending Unexpected Content
    6. 25.6. Summary
    7. 25.7. Further Reading
    8. 25.8. Exercises
  28. 26. Program Security
    1. 26.1. Introduction
    2. 26.2. Requirements and Policy
      1. 26.2.1. Requirements
      2. 26.2.2. Threats
        1. 26.2.2.1. Group 1: Unauthorized Users Accessing Role Accounts
        2. 26.2.2.2. Group 2: Authorized Users Accessing Role Accounts
        3. 26.2.2.3. Summary
    3. 26.3. Design
      1. 26.3.1. Framework
        1. 26.3.1.1. User Interface
        2. 26.3.1.2. High-Level Design
      2. 26.3.2. Access to Roles and Commands
        1. 26.3.2.1. Interface
        2. 26.3.2.2. Internals
        3. 26.3.2.3. Storage of the Access Control Data
    4. 26.4. Refinement and Implementation
      1. 26.4.1. First-Level Refinement
      2. 26.4.2. Second-Level Refinement
      3. 26.4.3. Functions
        1. 26.4.3.1. Obtaining Location
        2. 26.4.3.2. The Access Control Record
        3. 26.4.3.3. Error Handling in the Reading and Matching Routines
      4. 26.4.4. Summary
    5. 26.5. Common Security-Related Programming Problems
      1. 26.5.1. Improper Choice of Initial Protection Domain
        1. 26.5.1.1. Process Privileges
        2. 26.5.1.2. Access Control File Permissions
        3. 26.5.1.3. Memory Protection
        4. 26.5.1.4. Trust in the System
      2. 26.5.2. Improper Isolation of Implementation Detail
        1. 26.5.2.1. Resource Exhaustion and User Identifiers
        2. 26.5.2.2. Validating the Access Control Entries
        3. 26.5.2.3. Restricting the Protection Domain of the Role Process
      3. 26.5.3. Improper Change
        1. 26.5.3.1. Memory
        2. 26.5.3.2. Changes in File Contents
        3. 26.5.3.3. Race Conditions in File Accesses
      4. 26.5.4. Improper Naming
      5. 26.5.5. Improper Deallocation or Deletion
      6. 26.5.6. Improper Validation
        1. 26.5.6.1. Bounds Checking
        2. 26.5.6.2. Type Checking
        3. 26.5.6.3. Error Checking
        4. 26.5.6.4. Checking for Valid, not Invalid, Data
        5. 26.5.6.5. Checking Input
        6. 26.5.6.6. Designing for Validation
      7. 26.5.7. Improper Indivisibility
      8. 26.5.8. Improper Sequencing
      9. 26.5.9. Improper Choice of Operand or Operation
      10. 26.5.10. Summary
    6. 26.6. Testing, Maintenance, and Operation
      1. 26.6.1. Testing
        1. 26.6.1.1. Testing the Module
      2. 26.6.2. Testing Composed Modules
      3. 26.6.3. Testing the Program
    7. 26.7. Distribution
    8. 26.8. Conclusion
    9. 26.9. Summary
    10. 26.10. Further Reading
    11. 26.11. Exercises
  29. 27. Lattices
    1. 27.1. Basics
    2. 27.2. Lattices
    3. 27.3. Exercises
  30. 28. The Extended Euclidean Algorithm
    1. 28.1. The Euclidean Algorithm
    2. 28.2. The Extended Euclidean Algorithm
    3. 28.3. Solving ax mod n = 1
    4. 28.4. Solving ax mod n = b
    5. 28.5. Exercises
  31. 29. Virtual Machines
    1. 29.1. Virtual Machine Structure
    2. 29.2. Virtual Machine Monitor
      1. 29.2.1. Privilege and Virtual Machines
      2. 29.2.2. Physical Resources and Virtual Machines
      3. 29.2.3. Paging and Virtual Machines
    3. 29.3. Exercises
  32. Bibliography