Computer Security - Startseite · 2013. 7. 23. · CHAPTER 10 – Software Security 177 10.1...

Date post: 30-Mar-2021

Computer Security, Third Edition


Dieter Gollmann, Hamburg University of Technology

A John Wiley and Sons, Ltd., Publication

This edition first published 2011. © 2011 John Wiley & Sons, Ltd

Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The right of Dieter Gollmann to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging-in-Publication Data

Gollmann, Dieter.
Computer security / Dieter Gollmann. – 3rd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-74115-3 (pbk.)
1. Computer security. I. Title.
QA76.9.A25G65 2011
005.8 – dc22

2010036859

A catalogue record for this book is available from the British Library.

Set in 9/12 Sabon by Laserwords Private Limited, Chennai, India
Printed in Great Britain by TJ International Ltd, Padstow

Contents

Preface xvii

Chapter 1 – History of Computer Security 1
  1.1 The Dawn of Computer Security 2
  1.2 1970s – Mainframes 3
  1.3 1980s – Personal Computers 4
    1.3.1 An Early Worm 5
    1.3.2 The Mad Hacker 6
  1.4 1990s – Internet 6
  1.5 2000s – The Web 8
  1.6 Conclusions – The Benefits of Hindsight 10
  1.7 Exercises 11

Chapter 2 – Managing Security 13
  2.1 Attacks and Attackers 14
  2.2 Security Management 15
    2.2.1 Security Policies 16
    2.2.2 Measuring Security 17
    2.2.3 Standards 19
  2.3 Risk and Threat Analysis 21
    2.3.1 Assets 22
    2.3.2 Threats 23
    2.3.3 Vulnerabilities 24
    2.3.4 Attacks 24
    2.3.5 Common Vulnerability Scoring System 26
    2.3.6 Quantitative and Qualitative Risk Analysis 26
    2.3.7 Countermeasures – Risk Mitigation 28
  2.4 Further Reading 29
  2.5 Exercises 29

Chapter 3 – Foundations of Computer Security 31
  3.1 Definitions 32
    3.1.1 Security 32
    3.1.2 Computer Security 34
    3.1.3 Confidentiality 34
    3.1.4 Integrity 35
    3.1.5 Availability 36
    3.1.6 Accountability 37
    3.1.7 Non-repudiation 38
    3.1.8 Reliability 38
    3.1.9 Our Definition 39
  3.2 The Fundamental Dilemma of Computer Security 40
  3.3 Data vs Information 40
  3.4 Principles of Computer Security 41
    3.4.1 Focus of Control 42
    3.4.2 The Man–Machine Scale 42
    3.4.3 Complexity vs Assurance 44
    3.4.4 Centralized or Decentralized Controls 44
  3.5 The Layer Below 45
  3.6 The Layer Above 47
  3.7 Further Reading 47
  3.8 Exercises 48

Chapter 4 – Identification and Authentication 49
  4.1 Username and Password 50
  4.2 Bootstrapping Password Protection 51
  4.3 Guessing Passwords 52
  4.4 Phishing, Spoofing, and Social Engineering 54
    4.4.1 Password Caching 55
  4.5 Protecting the Password File 56
  4.6 Single Sign-on 58
  4.7 Alternative Approaches 59
  4.8 Further Reading 63
  4.9 Exercises 63

Chapter 5 – Access Control 65
  5.1 Background 66
  5.2 Authentication and Authorization 66
  5.3 Access Operations 68
    5.3.1 Access Modes 68
    5.3.2 Access Rights of the Bell–LaPadula Model 68
    5.3.3 Administrative Access Rights 70
  5.4 Access Control Structures 71
    5.4.1 Access Control Matrix 71
    5.4.2 Capabilities 72
    5.4.3 Access Control Lists 72
  5.5 Ownership 73
  5.6 Intermediate Controls 74
    5.6.1 Groups and Negative Permissions 74
    5.6.2 Privileges 75
    5.6.3 Role-Based Access Control 76
    5.6.4 Protection Rings 78
  5.7 Policy Instantiation 79
  5.8 Comparing Security Attributes 79
    5.8.1 Partial Orderings 79
    5.8.2 Abilities in the VSTa Microkernel 80
    5.8.3 Lattice of Security Levels 81
    5.8.4 Multi-level Security 82
  5.9 Further Reading 84
  5.10 Exercises 84

Chapter 6 – Reference Monitors 87
  6.1 Introduction 88
    6.1.1 Placing the Reference Monitor 89
    6.1.2 Execution Monitors 90
  6.2 Operating System Integrity 90
    6.2.1 Modes of Operation 91
    6.2.2 Controlled Invocation 91
  6.3 Hardware Security Features 91
    6.3.1 Security Rationale 92
    6.3.2 A Brief Overview of Computer Architecture 92
    6.3.3 Processes and Threads 95
    6.3.4 Controlled Invocation – Interrupts 95
    6.3.5 Protection on the Intel 80386/80486 96
    6.3.6 The Confused Deputy Problem 98
  6.4 Protecting Memory 99
    6.4.1 Secure Addressing 100
  6.5 Further Reading 103
  6.6 Exercises 104

Chapter 7 – Unix Security 107
  7.1 Introduction 108
    7.1.1 Unix Security Architecture 109
  7.2 Principals 109
    7.2.1 User Accounts 110
    7.2.2 Superuser (Root) 110
    7.2.3 Groups 111
  7.3 Subjects 111
    7.3.1 Login and Passwords 112
    7.3.2 Shadow Password File 113
  7.4 Objects 113
    7.4.1 The Inode 113
    7.4.2 Default Permissions 114
    7.4.3 Permissions for Directories 115
  7.5 Access Control 116
    7.5.1 Set UserID and Set GroupID 117
    7.5.2 Changing Permissions 118
    7.5.3 Limitations of Unix Access Control 119
  7.6 Instances of General Security Principles 119
    7.6.1 Applying Controlled Invocation 119
    7.6.2 Deleting Files 120
    7.6.3 Protection of Devices 120
    7.6.4 Changing the Root of the Filesystem 121
    7.6.5 Mounting Filesystems 122
    7.6.6 Environment Variables 122
    7.6.7 Searchpath 123
    7.6.8 Wrappers 124
  7.7 Management Issues 125
    7.7.1 Managing the Superuser 125
    7.7.2 Trusted Hosts 126
    7.7.3 Audit Logs and Intrusion Detection 126
    7.7.4 Installation and Configuration 127
  7.8 Further Reading 128
  7.9 Exercises 128

Chapter 8 – Windows Security 131
  8.1 Introduction 132
    8.1.1 Architecture 132
    8.1.2 The Registry 133
    8.1.3 Domains 134
  8.2 Components of Access Control 135
    8.2.1 Principals 135
    8.2.2 Subjects 137
    8.2.3 Permissions 139
    8.2.4 Objects 141
  8.3 Access Decisions 142
    8.3.1 The DACL 143
    8.3.2 Decision Algorithm 144
  8.4 Managing Policies 145
    8.4.1 Property Sets 145
    8.4.2 ACE Inheritance 145
  8.5 Task-Dependent Access Rights 147
    8.5.1 Restricted Tokens 148
    8.5.2 User Account Control 149
  8.6 Administration 150
    8.6.1 User Accounts 150
    8.6.2 Default User Accounts 150
    8.6.3 Audit 152
    8.6.4 Summary 152
  8.7 Further Reading 153
  8.8 Exercises 153

Chapter 9 – Database Security 155
  9.1 Introduction 156
  9.2 Relational Databases 158
    9.2.1 Database Keys 160
    9.2.2 Integrity Rules 161
  9.3 Access Control 162
    9.3.1 The SQL Security Model 163
    9.3.2 Granting and Revocation of Privileges 163
    9.3.3 Access Control through Views 164
  9.4 Statistical Database Security 167
    9.4.1 Aggregation and Inference 168
    9.4.2 Tracker Attacks 169
    9.4.3 Countermeasures 170
  9.5 Integration with the Operating System 172
  9.6 Privacy 173
  9.7 Further Reading 175
  9.8 Exercises 175

Chapter 10 – Software Security 177
  10.1 Introduction 178
    10.1.1 Security and Reliability 178
    10.1.2 Malware Taxonomy 178
    10.1.3 Hackers 178
    10.1.4 Change in Environment 179
    10.1.5 Dangers of Abstraction 179
  10.2 Characters and Numbers 179
    10.2.1 Characters (UTF-8 Encoding) 179
    10.2.2 The rlogin Bug 181
    10.2.3 Integer Overflows 181
  10.3 Canonical Representations 183
  10.4 Memory Management 184
    10.4.1 Buffer Overruns 185
    10.4.2 Stack Overruns 186
    10.4.3 Heap Overruns 187
    10.4.4 Double-Free Vulnerabilities 187
    10.4.5 Type Confusion 189
  10.5 Data and Code 191
    10.5.1 Scripting 191
    10.5.2 SQL Injection 192
  10.6 Race Conditions 193
  10.7 Defences 194
    10.7.1 Prevention: Hardware 194
    10.7.2 Prevention: Modus Operandi 195
    10.7.3 Prevention: Safer Functions 195
    10.7.4 Prevention: Filtering 195
    10.7.5 Prevention: Type Safety 197
    10.7.6 Detection: Canaries 197
    10.7.7 Detection: Code Inspection 197
    10.7.8 Detection: Testing 199
    10.7.9 Mitigation: Least Privilege 200
    10.7.10 Reaction: Keeping Up to Date 201
  10.8 Further Reading 201
  10.9 Exercises 202

Chapter 11 – Bell–LaPadula Model 205
  11.1 State Machine Models 206
  11.2 The Bell–LaPadula Model 206
    11.2.1 The State Set 207
    11.2.2 Security Policies 208
    11.2.3 The Basic Security Theorem 210
    11.2.4 Tranquility 210
    11.2.5 Aspects and Limitations of BLP 211
  11.3 The Multics Interpretation of BLP 212
    11.3.1 Subjects and Objects in Multics 213
    11.3.2 Translating the BLP Policies 214
    11.3.3 Checking the Kernel Primitives 214
  11.4 Further Reading 216
  11.5 Exercises 216

Chapter 12 – Security Models 219
  12.1 The Biba Model 220
    12.1.1 Static Integrity Levels 220
    12.1.2 Dynamic Integrity Levels 220
    12.1.3 Policies for Invocation 221
  12.2 Chinese Wall Model 221
  12.3 The Clark–Wilson Model 223
  12.4 The Harrison–Ruzzo–Ullman Model 225
  12.5 Information-Flow Models 228
    12.5.1 Entropy and Equivocation 228
    12.5.2 A Lattice-Based Model 229
  12.6 Execution Monitors 230
    12.6.1 Properties of Executions 231
    12.6.2 Safety and Liveness 232
  12.7 Further Reading 232
  12.8 Exercises 233

Chapter 13 – Security Evaluation 235
  13.1 Introduction 236
  13.2 The Orange Book 239
  13.3 The Rainbow Series 241
  13.4 Information Technology Security Evaluation Criteria 242
  13.5 The Federal Criteria 243
  13.6 The Common Criteria 243
    13.6.1 Protection Profiles 244
    13.6.2 Evaluation Assurance Levels 245
    13.6.3 Evaluation Methodology 246
    13.6.4 Re-evaluation 246
  13.7 Quality Standards 246
  13.8 An Effort Well Spent? 247
  13.9 Summary 248
  13.10 Further Reading 248
  13.11 Exercises 249

Chapter 14 – Cryptography 251
  14.1 Introduction 252
    14.1.1 The Old Paradigm 252
    14.1.2 New Paradigms 253
    14.1.3 Cryptographic Keys 254
    14.1.4 Cryptography in Computer Security 255
  14.2 Modular Arithmetic 256
  14.3 Integrity Check Functions 257
    14.3.1 Collisions and the Birthday Paradox 257
    14.3.2 Manipulation Detection Codes 257
    14.3.3 Message Authentication Codes 259
    14.3.4 Cryptographic Hash Functions 259
  14.4 Digital Signatures 260
    14.4.1 One-Time Signatures 261
    14.4.2 ElGamal Signatures and DSA 261
    14.4.3 RSA Signatures 263
  14.5 Encryption 264
    14.5.1 Data Encryption Standard 265
    14.5.2 Block Cipher Modes 266
    14.5.3 RSA Encryption 268
    14.5.4 ElGamal Encryption 269
  14.6 Strength of Mechanisms 270
  14.7 Performance 271
  14.8 Further Reading 272
  14.9 Exercises 273

Chapter 15 – Key Establishment 275
  15.1 Introduction 276
  15.2 Key Establishment and Authentication 276
    15.2.1 Remote Authentication 277
    15.2.2 Key Establishment 278
  15.3 Key Establishment Protocols 279
    15.3.1 Authenticated Key Exchange Protocol 279
    15.3.2 The Diffie–Hellman Protocol 280
    15.3.3 Needham–Schroeder Protocol 281
    15.3.4 Password-Based Protocols 282
  15.4 Kerberos 283
    15.4.1 Realms 285
    15.4.2 Kerberos and Windows 286
    15.4.3 Delegation 286
    15.4.4 Revocation 287
    15.4.5 Summary 287
  15.5 Public-Key Infrastructures 288
    15.5.1 Certificates 288
    15.5.2 Certificate Authorities 289
    15.5.3 X.509/PKIX Certificates 289
    15.5.4 Certificate Chains 291
    15.5.5 Revocation 292
    15.5.6 Electronic Signatures 292
  15.6 Trusted Computing – Attestation 293
  15.7 Further Reading 295
  15.8 Exercises 295

Chapter 16 – Communications Security 297
  16.1 Introduction 298
    16.1.1 Threat Model 298
    16.1.2 Secure Tunnels 299
  16.2 Protocol Design Principles 299
  16.3 IP Security 301
    16.3.1 Authentication Header 302
    16.3.2 Encapsulating Security Payloads 302
    16.3.3 Security Associations 304
    16.3.4 Internet Key Exchange Protocol 304
    16.3.5 Denial of Service 306
    16.3.6 IPsec Policies 307
    16.3.7 Summary 308
  16.4 IPsec and Network Address Translation 308
  16.5 SSL/TLS 310
    16.5.1 Implementation Issues 312
    16.5.2 Summary 313
  16.6 Extensible Authentication Protocol 314
  16.7 Further Reading 316
  16.8 Exercises 316

Chapter 17 – Network Security 319
  17.1 Introduction 320
    17.1.1 Threat Model 320
    17.1.2 TCP Session Hijacking 321
    17.1.3 TCP SYN Flooding Attacks 322
  17.2 Domain Name System 322
    17.2.1 Lightweight Authentication 324
    17.2.2 Cache Poisoning Attack 324
    17.2.3 Additional Resource Records 324
    17.2.4 Dan Kaminsky's Attack 325
    17.2.5 DNSSec 326
    17.2.6 DNS Rebinding Attack 327
  17.3 Firewalls 328
    17.3.1 Packet Filters 329
    17.3.2 Stateful Packet Filters 330
    17.3.3 Circuit-Level Proxies 330
    17.3.4 Application-Level Proxies 330
    17.3.5 Firewall Policies 331
    17.3.6 Perimeter Networks 331
    17.3.7 Limitations and Problems 331
  17.4 Intrusion Detection 332
    17.4.1 Vulnerability Assessment 333
    17.4.2 Misuse Detection 333
    17.4.3 Anomaly Detection 334
    17.4.4 Network-Based IDS 334
    17.4.5 Host-Based IDS 334
    17.4.6 Honeypots 335
  17.5 Further Reading 335
  17.6 Exercises 336

Chapter 18 – Web Security 339
  18.1 Introduction 340
    18.1.1 Transport Protocol and Data Formats 340
    18.1.2 Web Browser 341
    18.1.3 Threat Model 342
  18.2 Authenticated Sessions 342
    18.2.1 Cookie Poisoning 343
    18.2.2 Cookies and Privacy 343
    18.2.3 Making Ends Meet 344
  18.3 Code Origin Policies 346
    18.3.1 HTTP Referer 347
  18.4 Cross-Site Scripting 347
    18.4.1 Cookie Stealing 349
    18.4.2 Defending against XSS 349
  18.5 Cross-Site Request Forgery 350
    18.5.1 Authentication for Credit 351
  18.6 JavaScript Hijacking 352
    18.6.1 Outlook 354
  18.7 Web Services Security 354
    18.7.1 XML Digital Signatures 355
    18.7.2 Federated Identity Management 357
    18.7.3 XACML 359
  18.8 Further Reading 360
  18.9 Exercises 361

Chapter 19 – Mobility 363
  19.1 Introduction 364
  19.2 GSM 364
    19.2.1 Components 365
    19.2.2 Temporary Mobile Subscriber Identity 365
    19.2.3 Cryptographic Algorithms 366
    19.2.4 Subscriber Identity Authentication 366
    19.2.5 Encryption 367
    19.2.6 Location-Based Services 368
    19.2.7 Summary 368
  19.3 UMTS 369
    19.3.1 False Base Station Attacks 369
    19.3.2 Cryptographic Algorithms 370
    19.3.3 UMTS Authentication and Key Agreement 370
  19.4 Mobile IPv6 Security 372
    19.4.1 Mobile IPv6 373
    19.4.2 Secure Binding Updates 373
    19.4.3 Ownership of Addresses 375
  19.5 WLAN 377
    19.5.1 WEP 378
    19.5.2 WPA 379
    19.5.3 IEEE 802.11i – WPA2 381
  19.6 Bluetooth 381
  19.7 Further Reading 383
  19.8 Exercises 383

Chapter 20 – New Access Control Paradigms 385
  20.1 Introduction 386
    20.1.1 Paradigm Shifts in Access Control 386
    20.1.2 Revised Terminology for Access Control 387
  20.2 SPKI 388
  20.3 Trust Management 390
  20.4 Code-Based Access Control 391
    20.4.1 Stack Inspection 393
    20.4.2 History-Based Access Control 394
  20.5 Java Security 395
    20.5.1 The Execution Model 396
    20.5.2 The Java 1 Security Model 396
    20.5.3 The Java 2 Security Model 397
    20.5.4 Byte Code Verifier 397
    20.5.5 Class Loaders 398
    20.5.6 Policies 399
    20.5.7 Security Manager 399
    20.5.8 Summary 400
  20.6 .NET Security Framework 400
    20.6.1 Common Language Runtime 400
    20.6.2 Code-Identity-Based Security 401
    20.6.3 Evidence 401
    20.6.4 Strong Names 402
    20.6.5 Permissions 403
    20.6.6 Security Policies 403
    20.6.7 Stack Walk 404
    20.6.8 Summary 405
  20.7 Digital Rights Management 405
  20.8 Further Reading 406
  20.9 Exercises 406

Bibliography 409

Index 423


Preface

Ég geng í hring
í kringum allt, sem er.
Og utan þessa hrings
er veröld mín.

(I walk in a circle around everything that is. And outside this circle is my world.)

Steinn Steinarr

Security is a fashion industry. There is more truth in this statement than one would like to admit to a student of computer security. Security buzzwords come and go; without doubt security professionals and security researchers can profit from dropping the right buzzword at the right time. Still, this book is not intended as a fashion guide.

This is a textbook on computer security. A textbook has to convey the fundamental principles of its discipline. In this spirit, the attempt has been made to extract essential ideas that underpin the plethora of security mechanisms one finds deployed in today's IT landscape. A textbook should also instruct the reader when and how to apply these fundamental principles. As the IT landscape keeps changing, security practitioners have to understand when familiar security mechanisms no longer address newly emerging threats. Of course, they also have to understand how to apply the security mechanisms at their disposal.

This is a challenge to the author of a textbook on computer security. To appreciate how security principles manifest themselves in any given IT system the reader needs sufficient background knowledge about that system. A textbook on computer security is limited in the space it can devote to covering the broader features of concrete IT systems. Moreover, the speed at which those features keep changing implies that any book trying to capture current systems at a fine level of detail is out of date by the time it reaches its readers. This book tries to negotiate the route from security principles to their application by stopping short of referring to details specific to certain product versions. For the last steps towards any given version the reader will have to consult the technical literature on that product.

Computer security has changed in important aspects since the first edition of this book was published. Once, operating systems security was at the heart of this subject. Many concepts in computer security have their origin in operating systems research. Since the emergence of the web as a global distributed application platform, the focus of computer security has shifted to the browser and web applications. This observation applies equally to access control and to software security. This third edition of Computer Security reflects this development by including new material on web security. The reader must note that this is still an active area with unresolved open challenges.

This book has been structured as follows. The first three chapters provide context and fundamental concepts. Chapter 1 gives a brief history of the field, Chapter 2 covers security management, and Chapter 3 provides initial conceptual foundations. The next three chapters deal with access control in general. Chapter 4 discusses identification and authentication of users, Chapter 5 introduces the principles of access control, with Chapter 6 focused on the reference monitor. Chapter 7 on Unix/Linux, Chapter 8 on Windows, and Chapter 9 on databases are intended as case studies to illustrate the concepts introduced in previous chapters. Chapter 10 presents the essentials of software security.

This is followed by three chapters that have security evaluation as their common theme. Chapter 11 takes the Bell–LaPadula model as a case study for the formal analysis of an access control system. Chapter 12 introduces further security models. Chapter 13 deals with the process of evaluating security products.

The book then moves away from stand-alone systems. The next three chapters constitute a basis for distributed systems security. Chapter 14 gives a condensed overview of cryptography, a field that provides the foundations for many communications security mechanisms. Chapter 15 looks in more detail at key management, and Chapter 16 at Internet security protocols such as IPsec and SSL/TLS.

Chapter 17 proceeds beyond communications security and covers aspects of network security such as Domain Name System security, firewalls, and intrusion detection systems. Chapter 18 analyzes the current state of web security. Chapter 19 reaches into another area increasingly relevant for computer security – security solutions for mobile systems. Chapter 20 concludes the book with a discussion of recent developments in access control.

Almost every chapter deserves to be covered by a book of its own. By necessity, only a subset of relevant topics can therefore be discussed within the limits of a single chapter. Because this is a textbook, I have sometimes included important material in exercises that could otherwise be expected to have a place in the main body of a handbook on computer security. Hopefully, the general coverage is still reasonably comprehensive and pointers to further sources are included.

Exercises are included with each chapter but I cannot claim to have succeeded to my own satisfaction in all instances. In my defence, I can only note that computer security is not simply a collection of recipes that can be demonstrated within the confines of a typical textbook exercise. In some areas, such as password security or cryptography, it is easy to construct exercises with precise answers that can be found by going through the correct sequence of steps. Other areas are more suited to projects, essays, or discussions. Although it is naturally desirable to support a course on computer security with experiments on real systems, suggestions for laboratory sessions are not included in this book. Operating systems, database management systems, and firewalls are prime candidates for practical exercises. The actual examples will depend on the particular systems available to the teacher. For specific systems there are often excellent books available that explain how to use the system's security mechanisms.

This book is based on material from a variety of courses, taught over several years at master's but also at bachelor's degree level. I have to thank the students on these courses for their feedback on points that needed better explanations. Equally, I have to thank commentators on earlier versions for their error reports and the reviewers of the draft of this third edition for constructive advice.

Dieter Gollmann
Hamburg, December 2010


Chapter 1 – History of Computer Security

Those who do not learn from the past will repeat it.
George Santayana

Security is a journey, not a destination. Computer security has been travelling for 40 years, and counting. On this journey, the challenges faced have kept changing, as have the answers to familiar challenges. This first chapter will trace the history of computer security, putting security mechanisms into the perspective of the IT landscape they were developed for.

OBJECTIVES

• Give an outline of the history of computer security.
• Explain the context in which familiar security mechanisms were originally developed.
• Show how changes in the application of IT pose new challenges in computer security.
• Discuss the impact of disruptive technologies on computer security.


1.1 THE DAWN OF COMPUTER SECURITY

New security challenges arise when new – or old – technologies are put to new use. The code breakers at Bletchley Park pioneered the use of electronic programmable computers during World War II [117, 233]. The first electronic computers were built in the 1940s (Colossus, EDVAC, ENIAC) and found applications in academia (Ferranti Mark I, University of Manchester), commercial organizations (LEO, J. Lyons & Co.), and government agencies (Univac I, US Census Bureau) in the early 1950s. Computer security can trace its origins back to the 1960s. Multi-user systems emerged, needing mechanisms for protecting the system from its users, and the users from each other. Protection rings (Section 5.6.4) are a concept dating from this period [108].

Two reports in the early 1970s signal the start of computer security as a field of research in its own right. The RAND report by Willis Ware [231] summarized the technical foundations computer security had acquired by the end of the 1960s. The report also produced a detailed analysis of the policy requirements of one particular application area, the protection of classified information in the US defence sector. This report was followed shortly after by the Anderson report [9] that laid out a research programme for the design of secure computer systems, again dominated by the requirement of protecting classified information.

In recent years the Air Force has become increasingly aware of the problem of computer security. This problem has intruded on virtually any aspect of USAF operations and administration. The problem arises from a combination of factors that includes: greater reliance on the computer as a data-processing and decision-making tool in sensitive functional areas; the need to realize economies by consolidating ADP [automated data processing] resources thereby integrating or co-locating previously separate data-processing operations; the emergence of complex resource sharing computer systems providing users with capabilities for sharing data and processes with other users; the extension of resource sharing concepts to networks of computers; and the slowly growing recognition of security inadequacies of currently available computer systems. [9]

We will treat the four decades starting with the 1970s as historical epochs. We note for each decade the leading innovation in computer technology, the characteristic applications of that technology, the security problems raised by these applications, and the developments and state of the art in finding solutions for these problems. Information technologies may appear in our time line well after their original inception. However, a new technology becomes a real issue for computer security only when it is sufficiently mature and deployed widely enough for new applications with new security problems to materialize. With this consideration in mind, we observe that computer security has passed through the following epochs:

• 1970s: age of the mainframe,
• 1980s: age of the PC,
• 1990s: age of the Internet,
• 2000s: age of the web.


1.2 1 9 70 s – M A I N F R A M E SAdvances in the design of memory devices (IBM’s Winchester disk offered a capacity of35–70 megabytes) facilitated the processing of large amounts of data (for that time).Mainframes were deployed mainly in government departments and in large commercialorganizations. Two applications from public administration are of particular significance.First, the defence sector saw the potential benefits of using computers, but classifiedinformation would have to be processed securely. This led the US Air Force to create thestudy group that reported its finding in the Anderson report.

The research programmes triggered by this report developed a formal state machine modelfor the multi-level security policies regulating access to classified data, the Bell–LaPadulamodel (Chapter 11), which proved to be highly influential on computer security researchwell into the 1980s [23]. The Multics project [187] developed an operating system thathad security as one of its main design objectives. Processor architectures were developedwith support for primitives such as segmentations or capabilities that were the basis forthe security mechanisms adopted at the operating system level [92].

The second application field was the processing of ‘unclassified but sensitive’ data suchas personal information about citizens in government departments. Government depart-ments had been collecting and processing personal data before, but with mainframesdata-processing at a much larger scale became a possibility. It was also much easier forstaff to remain undetected when snooping around in filesystems looking for informationthey had no business in viewing. Both aspects were considered serious threats to privacy,and a number of protection mechanisms were developed in response.

Access control mechanisms in the operating system had to support multi-user security. Users should be kept apart, unless data sharing was explicitly permitted, and prevented from interfering with the management of the mainframe system. The fundamental concepts for access control in Chapter 5 belong to this epoch.

Encryption was seen to provide the most comprehensive protection for data stored in computer memory and on backup media. The US National Bureau of Standards (NBS, the predecessor of today's NIST) issued a call for a data encryption standard for the protection of unclassified data. Eventually, IBM submitted the algorithm that became known as the Data Encryption Standard (DES) [221]. This call was the decisive event that began the public discussion about encryption algorithms and gave birth to cryptography as an academic discipline, a development deeply resented at the time by those working on communications security in the security services. A first key contribution from academic research was the concept of public-key cryptography published by Diffie and Hellman in 1976 [82]. Cryptography is the topic of Chapter 14.

In the context of statistical database queries, a typical task in social services, a new threat was observed. Even if individual queries were guaranteed to cover a large enough query set (query-set-size control) so as not to leak information about individual entries, an attacker could use a clever combination of such 'safe' statistical queries to infer information about a single entry. Aggregation and inference, and countermeasures such as randomization of query data, were studied in database security. These issues are taken up in Section 9.4.
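The inference just described can be made concrete. The C program below is an added example, not taken from the book: it models a statistical database that enforces query-set-size control (refusing any query whose set has fewer than K or more than N-K members) over a small constructed personnel table, and shows that the classic 'tracker' still extracts one person's salary by subtracting two individually permitted sums. A randomized variant perturbs every answer, the kind of countermeasure the text mentions. The record names, the threshold K, the noise range and the function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: a 'tracker' attack on a statistical database with query-set-size control.
   The table below is constructed for the example. */
enum dept  { SALES, ENGINEERING, FINANCE };
enum title { STAFF, MANAGER };

struct record { const char *name; enum dept dept; enum title title; long salary; };

static const struct record DB[] = {
    {"alice", SALES,       MANAGER, 91000},   /* the target: the only manager in Sales */
    {"bob",   SALES,       STAFF,   52000},
    {"carol", SALES,       STAFF,   54000},
    {"dave",  SALES,       STAFF,   49000},
    {"erin",  SALES,       STAFF,   51000},
    {"frank", ENGINEERING, STAFF,   73000},
    {"grace", ENGINEERING, MANAGER, 98000},
    {"heidi", ENGINEERING, STAFF,   70000},
    {"ivan",  FINANCE,     STAFF,   60000},
    {"judy",  FINANCE,     MANAGER, 95000},
};
#define N_RECORDS (sizeof DB / sizeof DB[0])
#define K     3      /* query-set-size control: refuse sets smaller than K or larger than N-K */
#define NOISE 5000   /* +/- range of the perturbation applied by the randomized variant */

typedef bool (*pred_fn)(const struct record *r);   /* the 'characteristic formula' of a query */

static bool is_sales(const struct record *r)         { return r->dept == SALES; }
static bool is_sales_staff(const struct record *r)   { return r->dept == SALES && r->title == STAFF; }
static bool is_sales_manager(const struct record *r) { return r->dept == SALES && r->title == MANAGER; }
static bool everyone(const struct record *r)         { (void)r; return true; }

/* SUM(salary) over the records matching p. Returns 0 and writes the sum, or -1 (query refused)
   when the query set has fewer than K or more than N-K members. */
static int query_sum(pred_fn p, long *sum_out)
{
    long sum = 0;
    size_t size = 0;
    for (size_t i = 0; i < N_RECORDS; i++)
        if (p(&DB[i])) { sum += DB[i].salary; size++; }
    if (size < K || size > N_RECORDS - K)
        return -1;
    *sum_out = sum;
    return 0;
}

/* The tracker. The target is the only record matching C1 AND C2 (Sales AND Manager), a query
   the size control refuses. C1 alone and C1 AND NOT C2 both have 'safe' query sets, and
   SUM(C1) - SUM(C1 AND NOT C2) is exactly the target's salary. Returns -1 if a query is refused. */
static long tracker_attack(pred_fn c1, pred_fn c1_and_not_c2)
{
    long s1, s2;
    if (query_sum(c1, &s1) != 0 || query_sum(c1_and_not_c2, &s2) != 0)
        return -1;
    return s1 - s2;
}

/* Randomized countermeasure: every answer is perturbed by a pseudo-random offset in
   [-NOISE, NOISE] (a toy xorshift32 generator seeded by the caller), so the difference of two
   answers no longer equals the target's value exactly. */
static int query_sum_noisy(pred_fn p, long *sum_out, unsigned *state)
{
    long exact;
    if (query_sum(p, &exact) != 0)
        return -1;
    unsigned x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *state = x;
    *sum_out = exact + (long)(x % (2 * NOISE + 1)) - NOISE;
    return 0;
}

static long tracker_attack_noisy(pred_fn c1, pred_fn c1_and_not_c2, unsigned seed)
{
    long s1, s2;
    if (query_sum_noisy(c1, &s1, &seed) != 0 || query_sum_noisy(c1_and_not_c2, &s2, &seed) != 0)
        return -1;
    return s1 - s2;
}

int main(void)
{
    long s;
    printf("direct query for the target refused: %s\n", query_sum(is_sales_manager, &s) ? "yes" : "no");
    printf("query over everyone refused:         %s\n", query_sum(everyone, &s) ? "yes" : "no");
    printf("tracker result (exact answers):      %ld\n", tracker_attack(is_sales, is_sales_staff));
    printf("tracker result (perturbed answers):  %ld\n",
           tracker_attack_noisy(is_sales, is_sales_staff, 2463534242u));
    return 0;
}
```

The upper bound N-K matters as much as the lower one: without it, SUM(everyone) minus SUM(everyone except the target) would reveal the salary just as well. Perturbation only blurs the answer; if the noise is drawn afresh each time, an attacker who repeats the tracker with varied predicates can average it out, which is why such countermeasures were pragmatic rather than complete.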

Thirdly, the legal system was adapted and data protection legislation was introduced in the US and in European countries and harmonized in the OECD privacy guidelines [188]; several legal initiatives on computer security issues followed (Section 9.6).

Since then, research on cryptography has reached a high level of maturity. When the US decided to update the Data Encryption Standard in the 1990s, a public review process led to the adoption of the new Advanced Encryption Standard. This 'civilian' algorithm developed by Belgian researchers was later also approved in the US for the protection of classified data [68]. For the inference problem in statistical databases, pragmatic solutions were developed, but there is no perfect solution and the data mining community is today re-examining (or reinventing?) some of the approaches from the 1970s. Multi-level security dominated security research into the following decade, posing interesting research questions which still engage theoreticians today – research on non-interference is going strong – and leading to the development of high-assurance systems whose design had been verified employing formal methods. However, these high-assurance systems did not solve the problems of the following epochs and now appear more as specialized offerings for a niche market than a foundation for the security systems of the next epoch.

1.3 1980s – PERSONAL COMPUTERS

Miniaturization and integration of switching components had reached the stage where computers no longer needed to be large machines housed in special rooms but were small enough to fit on a desk. Graphical user interfaces and the mouse facilitated user-friendly input/output. This was the technological basis for the personal computer (PC), the innovation that, indirectly, changed the focus of computer security during the 1980s. The PC was cheap enough to be bought directly by smaller units in organizations, bypassing the IT department. The liberation from the tutelage of the IT department resounded through Apple's famous launch of the Macintosh in 1984. The PC was a single-user machine, the first successful applications were word processors and spreadsheet programs, and users were working on documents that may have been commercially sensitive but were rarely classified data. At a stroke, multi-level security and multi-user security became utterly irrelevant. To many security experts the 1980s triggered a retrograde development, leading to less protected systems, which in fairness only became less secure when they were later used outside their original environment.

While this change in application patterns was gathering momentum, security research still took its main cues from multi-level security. Information-flow models and non-interference models were proposed to capture aspects not addressed in the Bell–LaPadula model. The Orange Book [224] strongly influenced the common perception of computer security (Section 13.2). High security assurance and multi-level security went hand in hand. Research on multi-level secure databases invented polyinstantiation so that users cleared at different security levels could enter data into the same table without creating covert channels [157].

We have to wait for the Clark–Wilson model (1987) [66] and the Chinese Wall model (1989) [44] to get research contributions influenced by commercial IT applications and coming from authors with a commercial background. Clark and Wilson present well-formed transactions and separation of duties as two important design principles for securing commercial systems. The Chinese Wall model was inspired by the requirement to prevent conflicts of interest in financial consultancy businesses. Chapter 12 covers both models.

A less visible change occurred in the development of processor architectures. The Intel 80286 processor supported segmentation with hardware-enforced privilege levels, a feature multi-user operating systems could build on. Microsoft's DOS, the dominant PC operating system, ran the processor in real mode and did not use it; the feature was not dropped from the 80386 (which added paging), but on the PC it long remained unexploited. The 1980s also saw the first worms and viruses, interestingly enough first in research papers [209, 69] before they later appeared in the wild. The damage that could be done by attacking computer systems became visible to a wider public. We will briefly describe two incidents from this decade. Both ultimately led to convictions in court.

1.3.1 An Early Worm

The Internet worm of 1988 exploited a number of known vulnerabilities such as brute force password guessing for remote login, bad configurations (sendmail in debug mode), a buffer overrun in the fingerd daemon, and unauthenticated login from trusted hosts identified by their network address, which could be forged. The worm penetrated 5–10% of the machines on the Internet, which totalled approximately 60,000 machines at the time. The buffer overrun in the fingerd daemon broke into VAX systems running 4BSD Unix. A specially crafted 536-byte message to fingerd was used to overwrite the system stack, including the saved return address, with the following code:

    pushl $68732f      push '/sh, ‹NUL›'
    pushl $6e69622f    push '/bin'
    movl  sp, r10      save address of start of string
    pushl $0           push 0 (arg 3 to execve)
    pushl $0           push 0 (arg 2 to execve)
    pushl r10          push string addr (arg 1 to execve)
    pushl $3           push argument count
    movl  sp, ap       set argument pointer
    chmk  $3b          do "execve" kernel call

The stack is thus set up so that the command execve("/bin/sh", 0, 0) will be executed on return to the main routine, opening a connection to a remote shell via TCP [213]. Chapter 10 presents technical background on buffer overruns. The person responsible for the worm was brought to court and sentenced to a $10,050 fine and 400 hours of community service, with a three-year probation period (4 May 1990).

1.3.2 The Mad Hacker

This security incident affected ICL's VME/B operating system. VME/B stored information about files in file descriptors. All file descriptors were owned by the user :STD. For classified file descriptors this would create a security problem: system operators would require clearance to access classified information. Hence, :STD was not given access to classified file descriptors. In consequence, these descriptors could not be restored during a normal backup. A new user :STD/CLASS was therefore created who owned the classified file descriptors. This facility was included in a routine systems update.

The user :STD/CLASS had no other purpose than owning file descriptors. Hence, it was undesirable and unnecessary for anybody to log in as :STD/CLASS. To make login impossible, the password for :STD/CLASS was defined to be the RETURN key. Nobody could log in because RETURN would always be interpreted as the delimiter of the password and not as part of the password. The password in the user profile of :STD/CLASS was set by patching hexadecimal code. Unfortunately, the wrong field was changed and instead of a user who could not log in, a user with an unrecognizable security level was created. This unrecognizable security level was interpreted as 'no security' (an unrecognized value failing open rather than closed), so the designers had achieved the opposite of their goal.

There was still one line of defence left. User :STD/CLASS could only log in from the master console. However, once the master console was switched off, the next device opening a connection would be treated as the master console.

These flaws were exploited by a hacker who himself was managing a VME/B system. He thus had ample opportunity for detailed analysis and experimentation. He broke into a number of university computers via dial-up lines during night-time when the computer centre was not staffed, modifying and deleting system and user files and leaving messages from The Mad Hacker. He was successfully tracked, brought to court, convicted (under the UK Criminal Damage Act of 1971), and handed a prison sentence. The conviction, the first of a computer hacker in the United Kingdom, was upheld by the Court of Appeal in 1991.

1.4 1990s – INTERNET

At the end of the 1980s it was still undecided whether fax (a service offered by traditional telephone operators) or email (an Internet service) would prevail as the main method of document exchange. By the 1990s this question had been settled and this decade became without doubt the epoch of the Internet. Not because the Internet was created in the 1990s – it is much older – but because new technology became available and because the Internet was opened to commercial use in 1992. The HTTP protocol and HTML provided the basis for visually more interesting applications than email or remote procedure calls. The World Wide Web (1991) and graphical web browsers (Mosaic, 1993) created a whole new 'user experience'. Both developments facilitated a whole new range of applications.

The Internet is a communications system so it may be natural that Internet security was initially equated with communications security, and in particular with strong cryptography. In the 1990s, the 'crypto wars' between the defenders of (US) export restrictions on encryption algorithms with more than 40-bit keys and advocates for the use of unbreakable (or rather, not obviously breakable) encryption were fought to an end, with the proponents of strong cryptography emerging victorious. Chapter 16 presents the communications security solutions developed for the Internet in the 1990s.

Communications security, however, only solves the easy problem, i.e. protecting data in transit. It should have been clear from the start that the real problems resided elsewhere. The typical end system was a PC, no longer stand-alone or connected to a LAN, but connected to the Internet. Connecting a machine to the Internet has two major ramifications. The system owner no longer controls who can send inputs to this machine; the system owner no longer controls what input is sent to the machine. The first observation rules out traditional identity-based access control as a viable protection mechanism. The second observation points to a new kind of attack, as described by Aleph One in his paper on 'Smashing the Stack for Fun and Profit' (1996) [6]. The attacker sends intentionally malformed inputs to an open port on the machine that cause a buffer overrun in the program handling the input, transferring control to shellcode inserted by the attacker. Chapter 10 is devoted to software security.
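Both the fingerd overrun of Section 1.3.1 and the attack Aleph One describes start from the same defect: input copied into a fixed-size stack buffer without a bounds check. The C code below is an added example written for this page, not the worm's, 4BSD's or Aleph One's code. It shows the defect in the form fingerd had it, beside a bounded parser that refuses an oversized request instead of overrunning. The 512-byte buffer matches the size of the original daemon's; the function names and the 'A'-filled 536-byte request are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the worm's or BSD's code): the fingerd input-handling defect beside a
   bounded replacement. FINGER_LINE_MAX is the size of the fixed stack buffer the original
   read into; the worm's request was 536 bytes. */
#define FINGER_LINE_MAX 512

/* Vulnerable pattern. fingerd read the request with gets(), which does not know the size of
   its buffer; strcpy() from attacker-controlled input has the same defect. A request longer
   than the buffer writes past its end into the rest of the stack frame, including the saved
   return address, which is what the worm's 536-byte message exploited. Kept for contrast
   only; never use this on untrusted input. */
void handle_request_vulnerable(const char *request)
{
    char line[FINGER_LINE_MAX];
    strcpy(line, request);                      /* unbounded copy: the overrun */
    printf("(vulnerable) looking up user %s\n", line);
}

/* Hardened replacement: copy at most user_cap-1 bytes, stop at the end of the line, and
   refuse rather than silently truncate a request that does not fit. Returns the length of
   the user name, -1 if the request exceeds the buffer, -2 if it has no line terminator. */
int parse_finger_request(const char *request, size_t request_len,
                         char *user, size_t user_cap)
{
    size_t n = 0;
    for (; n < request_len; n++) {
        char c = request[n];
        if (c == '\r' || c == '\n')
            break;
        if (n + 1 >= user_cap)                  /* keep room for the terminating NUL */
            return -1;
        user[n] = c;
    }
    if (n == request_len)
        return -2;                              /* unterminated: do not guess */
    user[n] = '\0';
    return (int)n;
}

/* What the hardened parser reports for a request of `len` bytes of 'A' with no terminator
   (a constructed stand-in for the worm's oversized message), parsed into a 512-byte buffer. */
int classify_request_of_length(size_t len)
{
    char user[FINGER_LINE_MAX];
    char *request = malloc(len);
    if (request == NULL)
        return -3;
    memset(request, 'A', len);
    int rc = parse_finger_request(request, len, user, sizeof user);
    free(request);
    return rc;
}

int main(void)
{
    char user[FINGER_LINE_MAX];
    int rc = parse_finger_request("alice\r\n", 7, user, sizeof user);
    printf("normal request: rc=%d user=%s\n", rc, user);
    printf("536-byte request: rc=%d\n", classify_request_of_length(536));
    handle_request_vulnerable("alice");         /* harmless only because the input is short */
    return 0;
}
```

The hardened parser's contract matters as much as the bound itself: returning -1 rather than silently cutting the name at 511 characters keeps an oversized request from being acted upon at all, and logging such a rejection is the first place a 536-byte finger request would have shown up.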

The Java security model addressed both issues. Privileges are assigned depending on the origin of code, not according to the identity of the user running a program. Remote code (applets) is put in a sandbox where it runs with restricted privileges only. Java is a type-safe language, and its runtime system offers memory safety guarantees that prevent buffer overruns and the like. Chapter 20 explores the current state of code-based access control.

With the steep rise in the number of exploitable software vulnerabilities reported in the aftermath of Aleph One's paper and with several high profile email-based virus attacks sweeping through the Internet, 'trust and confidence' in the PC was at a low ebb. In reaction, Compaq, Hewlett-Packard, IBM, Intel, and Microsoft founded the Trusted Computing Platform Alliance in 1999, with the goal of 'making the web a safer place to surf'.

Advances in computer graphics turned the PC into a viable home entertainment platform for computer games, video, and music. The Internet became an attractive new distribution channel for companies offering entertainment services, but they had to grapple with technical issues around copy protection (not provided on a standard PC platform of that time). Copy protection had been explored in the 1980s but in the end deemed unsuitable for mass market software; see [110, p. 59]. In computer security, digital rights management (DRM) added a new twist to access control. For the first time access control did not protect the system owner from external parties. DRM enforces the security policy of an external party against actions by the system owner. For a short period, DRM mania reached a stage where access control was treated as a special case of DRM, before a more sober view returned. DRM was the second driving force of trusted computing, introducing remote attestation as a mechanism that would allow a document owner to check the software configuration of the intended destination before releasing the document. This development is taken up in Sections 15.6 and 20.7.

Availability, one of the 'big three' security properties, had always been of paramount importance in commercial applications. In previous epochs, availability had been addressed by organizational measures such as contingency plans, regular backup of data, and fall-back servers preferably located at a distance from a company's main premises. With the Internet, on-line denial-of-service attacks became a possibility and towards the end of the 1990s a fact. In response, firewalls and intrusion detection systems became common components of network security architectures (Chapter 17).

The emergence of on-line denial-of-service attacks led to a reconsideration of the engineering principles underpinning the design of cryptographic protocols. Strong cryptography can make protocols more exploitable by denial-of-service attacks: a responder that performs an expensive operation, such as a signature verification or a modular exponentiation, or that allocates state before the initiator has committed any effort of its own, can be exhausted by a flood of cheap and possibly forged requests. Today protocols are designed to balance the workload between initiator and responder so that an attacker would have to expend the same computational effort as the victim.
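One way to realise the balanced workload described above is a client puzzle: the responder sends a fresh nonce and a difficulty, the initiator must find a value whose hash together with the nonce has that many leading zero bits, and only then does the responder spend any effort on the request. The C program below is an added example, not a protocol from the book: `mix64` is a non-cryptographic stand-in for the hash (a deployment would use SHA-256), and the nonce, the difficulty of 12 bits and the function names are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a client puzzle that shifts work to the initiator before the responder
   commits any resources. Constructed for this page; mix64() stands in for a cryptographic
   hash, the workload asymmetry is the point. */

/* 64-bit mixer over a byte string: FNV-1a followed by a splitmix64-style finaliser. */
static uint64_t mix64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    h ^= h >> 30; h *= 0xbf58476d1ce4e5b9ULL;
    h ^= h >> 27; h *= 0x94d049bb133111ebULL;
    h ^= h >> 31;
    return h;
}

struct puzzle {
    uint64_t nonce;        /* fresh per connection attempt, chosen by the responder */
    unsigned difficulty;   /* required number of leading zero bits, 0..55 here */
};

/* Hash of nonce || candidate; the same computation on both sides. */
static uint64_t puzzle_hash(const struct puzzle *p, uint64_t candidate)
{
    uint8_t buf[16];
    memcpy(buf, &p->nonce, 8);
    memcpy(buf + 8, &candidate, 8);
    return mix64(buf, sizeof buf);
}

/* Responder side: one hash per check and no state kept between issuing and verifying (the
   nonce can itself be derived from a secret and the client's address, as with stateless
   cookies). */
bool puzzle_verify(const struct puzzle *p, uint64_t candidate)
{
    if (p->difficulty == 0)
        return true;
    return (puzzle_hash(p, candidate) >> (64 - p->difficulty)) == 0;
}

/* Initiator side: brute force, about 2^difficulty hashes on average. Returns the solution,
   or UINT64_MAX if none is found within the search limit. */
uint64_t puzzle_solve(const struct puzzle *p)
{
    uint64_t limit = (uint64_t)1 << (p->difficulty + 8);   /* far beyond the expected work */
    for (uint64_t x = 0; x < limit; x++)
        if (puzzle_verify(p, x))
            return x;
    return UINT64_MAX;
}

/* Hashes the initiator had to compute (solution index + 1) against the single hash the
   responder spends to verify; 0 if the puzzle could not be solved. */
uint64_t puzzle_cost_ratio(const struct puzzle *p)
{
    uint64_t x = puzzle_solve(p);
    return x == UINT64_MAX ? 0 : x + 1;
}

int main(void)
{
    struct puzzle p = { 0x0123456789abcdefULL, 12 };
    uint64_t x = puzzle_solve(&p);
    printf("difficulty %u: solution x=%llu found after %llu hashes, verify=%s\n",
           p.difficulty, (unsigned long long)x, (unsigned long long)(x + 1),
           puzzle_verify(&p, x) ? "ok" : "FAIL");
    return 0;
}
```

The asymmetry is what matters: the initiator performs about 2^difficulty hash evaluations on average, the responder exactly one per candidate it checks, and the responder keeps no per-client state until a valid solution arrives, so a flood of forged requests costs the attacker far more than the victim. The responder can raise the difficulty when under load and drop it back to zero when idle.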

1.5 2000s – THE WEB

When we talk about the web, there is on one side the technology: the browser as the main software component at the client managing the interaction with servers and displaying pages to the user; HTTP as the application-level communications protocol; HTML and XML for data formats; client-side and server-side scripting languages for dynamic interactions; WLAN and mobile phone systems providing ubiquitous network access. On the other side, there are the users of the web: providers offering content and services, and the customers of those offerings.

The technology is mainly from the 1990s. The major step forward in the 2000s was the growth of the user base. Once sufficiently many private users had regular and mobile Internet access, companies had the opportunity of directly interacting with their customers and reducing costs by eliminating middlemen and unnecessary transaction steps. In the travel sector budget airlines were among the first to offer web booking of flights, demonstrating that paper tickets can be virtualized. Other airlines