
Currently Skimming:

Technology to Achieve Secure Computer
Pages 74-101

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 74...
... Suggesting developments that may occur in the next few years, it provides some of the rationale for the [illegible] in Chapter 8. Appendix B of this report discusses in more detail several topics that are either fundamental to computer security technology or of special current interest, including how some important things (such as passwords)
From page 75...
... In systems for which confidentiality and integrity are the primary goals of security policies, performance is not relevant to security because a system can provide confidentiality and integrity regardless of how well or badly it performs. But for systems for which availability and integrity are paramount, performance specifications may be relevant to security.
From page 76...
... Technology for security addresses these problems by providing methods for the following:

· Integrating a computer system into a larger system, comprising people and a physical environment as well as computers, that meets its security policies;
· Giving a precise specification, called a security model, for the security-relevant behavior of the computer system;
· Building, with components that provide and use security services, a system that meets the specifications; and
· Establishing confidence, or assurance, that a system actually does meet its specifications.

This is a tall order that at the moment can be only partially filled.
From page 77...
... Implementing a security model requires mechanisms that provide particular security services. A small number of fundamental mechanisms have been identified that seem adequate to implement most of the highly developed security policies currently in use.
From page 78...
... Directive 5000.1, the basic directive for protecting classified information.2 The DOD computer security policy is based on security levels. Given two levels, one may be lower than the other, or the two may not be comparable.
From page 79...
... Thus the classification never decreases. The DOD computer security policy specifies that a person is cleared to a particular security level and can see information only at that, or a lower, level.
From page 80...
... Flow Model The flow model is derived from the DOD computer security policy described above. In this model (Denning, 1976)
From page 81...
... If the user sets the terminal level lower than the level of his clearance, he is trusted not to take high-level information out of his head and introduce it into the system. Although not logically required, the flow model policy has generally been viewed as mandatory; neither users nor programs in a system can break the flow rule or change levels.
From page 82...
... A reference monitor acts as the guard to ensure that the rules are followed (Lampson, 1985). An example of a set of access rules follows:

Subject         Operation           Object
Smith           Read                File "1990 pay raises"
White           Send "Hello"        Terminal 23
Process 1274    Rewind              Tape unit 7
Black           Fire three rounds   Bow gun
Jones           Pay invoice 432567  Account Q34

There are many ways to express the access rules.
From page 83...
... The security services used to support creation of protected subsystems also may be used to confine suspected Trojan horses or viruses, thus limiting the potential for damage from such programs. This can be done by running a suspect program as a subject that is different from the principal invoking it, in this case a subject that can access fewer objects.
From page 84...
... If so, the reference monitor allows the operation to proceed; otherwise, it cancels the operation. In either case, it uses auditing to record the event.
From page 85...
... The CCITT also defines a standard (X.509) for authenticating a principal with an X.500 name; the section on authentication techniques below discusses how this is done (CCITT, 1989b)
From page 86...
... If not, we use the cryptographic methods discussed in the section below titled "Secure Channels." To answer the second question, we need some evidence that Smith has delegated to Workstation 4 the authority to act on his behalf. We cannot ask for direct evidence that Smith asked to read the file; if we could have that, then he would not be acting through the workstation.
From page 87...
... An aggressive form of authentication, called nonrepudiation, can be accomplished by a digital analog of notarizing, in which a trusted authority records the signature and the time it was made (see "Digital Signatures" in Appendix B)
From page 88...
... In addition to establishing accountability, an audit trail may also reveal suspicious patterns of access and so enable detection of improper behavior by both legitimate users and masqueraders. However, limitations to this use of audit information often restrict its use to detecting unsophisticated intruders.
From page 89...
... For example, if the power fails, a system may stop providing service; thus the power source must be trusted for availability. Another example: every system has security officers who set security levels, authorize users, and so on; they must be trusted to do this properly.
From page 90...
... The basic method for finding dependencies, relevant to ensuring TCB access to protected data and programs and to making the TCB tamperproof, is careful analysis of how each step in building and executing a system is carried out. Ideally, assurance for each system is given by a formal mathematical proof that the system satisfies its specification, provided all its components do.
From page 91...
... It is possible to get higher assurance by using formal methods to design and verify the hardware; this has been done in several projects, of which the VIPER verified microprocessor chip (for a detailed description see Appendix B) is an example (Cullyer, 1989).
From page 92...
... In particular it can enforce a flow model, which is sufficient for the DOD confidentiality policy, as long as it is able to keep track of security levels at the coarse granularity of whole files. To enforce an integrity policy like the purchasing system policy described above, there must be some trusted applications to handle functions like approving orders.
From page 93...
... It is necessary to use a different operating system object for information at each security level, and often these objects are large and expensive. And to implement an integrity policy, it is always necessary to trust some application code.
From page 94...
... , or both.6 The process of finding out who can send or receive on a secure channel is called authenticating the channel; once a channel has been authenticated, statements and requests arriving on it are also authenticated. Typically the secure channels between subjects and objects inside a computer are physically protected: the wires in the computer are assumed to be secure, and the operating system protects the paths by which programs communicate with each other, using methods described above for implementing TCBs.
From page 95...
... All the parties that know the encryption rules are possible senders, and those that know the decryption rules are possible receivers. Obtaining many secure channels requires having many sets of rules, one for each channel, and dividing the rules into two parts, the algorithm and the key.
From page 96...
... , whereas it is possible to buy hardware that implements DES at rates of up to 45 megabits per second, and an implementation at a rate of 1 gigabit per second is feasible with current technology. A practical design therefore uses symmetric encryption for handling bulk data and uses asymmetric encryption only for distributing symmetric keys and for a few other special purposes.
From page 97...
... The challenger decrypts the result using his private key and the principal's public key; if he gets back the original number, he knows that the principal must have done the encrypting.8 How does the challenger learn the principal's public key? The CCITT X.509 standard defines a framework for authenticating a secure channel to a principal with an X.500 name; this is done by authenticating the principal's public key using certificates that are digitally signed.
From page 98...
... Alternatively, anyone who can bypass the physical reader and simply inject the bits derived from the biometric scanning can impersonate the person, a crucial concern in a distributed system environment. Perhaps the greatest problem associated with biometric authentication technology to date has been the cost of equipping terminals and workstations with the input devices necessary for most of these techniques.9 By providing the user with a tiny computer that can be carried around and will act as an agent of authentication, a smart card or token reduces the problem of authenticating a user to the problem of authenticating a computer (NIST, 1988).
From page 99...
... But this is unlikely to happen by mistake, for it requires much more deliberate planning than do the more direct ways of communicating inside the perimeter using terminal connections. Furthermore, a mail-only perimeter is an important reminder of system security concerns.
From page 100...
... (DOD, 1985d) specifies security evaluation criteria for computers that are used to protect classified (or [illegible])
From page 101...
... 9. Another problem with retina scans is that individuals concerned about potential health effects sometimes object to use of the technology.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.