BUILDING A SECURE COMPUTER SYSTEM
Morrie Gasser 
ACF2 is a trademark of Uccel Corp.
AOS is a trademark of Data General Corp. 
DEC, PDP-11, VMS, SES/VMS are trademarks of Digital Equipment Corp. 
IBM is a registered trademark of International Business Machines, Inc. 
Intel, 80286, iAPX 432 are trademarks of Intel Corp. 
Motorola, 68000 are trademarks of Motorola Corp.
TOP SECRET is a trademark of CGA Software Products Group, Inc. 
Unix is a trademark of American Telephone & Telegraph Co. 
 
Copyright © 1988 by Van Nostrand Reinhold 
Library of Congress Catalog Card Number 87-27838 
ISBN 0-442-23022-2 
All rights reserved. No part of this work covered by the copyright hereon may be reproduced or 
used in any form or by any means—graphic, electronic, or mechanical, including photocopying, 
recording, taping, or information storage and retrieval systems—without written permission of 
the publisher. 
Printed in the United States of America 
Designed by Beth Tondreau 
Van Nostrand Reinhold 
115 Fifth Avenue 
New York, New York 10003 
Van Nostrand Reinhold International Company Limited 
11 New Fetter Lane 
London EC4P 4EE, England 
Van Nostrand Reinhold 
480 La Trobe Street 
Melbourne, Victoria 3000, Australia 
Macmillan of Canada 
Division of Canada Publishing Corporation 
164 Commander Boulevard 
Agincourt, Ontario M1S 3C7, Canada 
16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 
Library of Congress Cataloging-in-Publication Data 
Gasser, Morrie, 1947– 
Building a secure computer system. 
Bibliography: p. 
Includes index. 
1. Computers—Access control.   2. System design.
I. Title.
QA76.9.A25G37    1988    005.8    87-27838 
ISBN 0-442-23022-2
TO MY WIFE, 
KATE, 
AND MY CHILDREN, 
BECKY AND DANNY. 
CONTENTS

Foreword   xi
Preface   xiii

PART I   OVERVIEW

Chapter 1   What is Computer Security?   3
1.1   Secrecy, Integrity, and Denial of Service   3
1.2   Trusted System Evaluation Criteria   4
References   6

Chapter 2   Why Systems Are Not Secure   7
2.1   Security is Fundamentally Difficult   7
2.2   Security Is an Afterthought   8
2.3   Security Is an Impediment   9
2.4   False Solutions Impede Progress   10
2.5   The Problem is People, Not Computers   11
2.6   Technology is Oversold   12
References   13

Chapter 3   General Concepts   15
3.1   Internal and External Security   15
3.2   The System Boundary and the Security Perimeter   16
3.3   Users and Trust   18
3.3.1   Protecting the User from Self-betrayal   18
3.3.2   Identification and Authentication   18
3.4   Trusted Systems   19
3.4.1   Trojan Horses   21
3.5   Subjects, Objects, and Access Control   21
3.5.1   Access Control   22
3.5.2   Security Policy   23

Chapter 4   Design Techniques   24
4.1   System Structures   24
4.1.1   Structure of a Computer System   25
4.1.2   System States   27
4.2   The Reference Monitor and Security Kernels   28
4.3   System Development Process   30
References   32

PART II   DETAILED CONCEPTS

Chapter 5   Principles of a Security Architecture   35
5.1   Consider Security from the Start   36
5.2   Anticipate Future Security Requirements   36
5.3   Minimize and Isolate Security Controls   38
5.4   Enforce Least Privilege   39
5.5   Structure the Security-Relevant Functions   41
5.6   Make Security Friendly   41
5.7   Do Not Depend on Secrecy for Security   43
References   44

Chapter 6   Access Control and Multilevel Security   45
6.1   Access to the System   45
6.2   Discretionary Access Control   47
6.2.1   Passwords for File Access   47
6.2.2   Capability List   48
6.2.3   Owner/Group/Other   48
6.2.4   Access Control Lists   49
6.2.5   Trojan Horse Threats   50
6.3   Mandatory Access Control   50
6.4   Multilevel Security   51
6.4.1   Military Security Policy   51
6.4.2   A Note on Terminology   52
6.4.3   Mathematical Relationships   53
6.4.4   Multilevel Security Rules   53
6.5   Integrity   56
References   58

Chapter 7   Trojan Horses and Covert Channels   60
7.1   Trojan Horses and Viruses   61
7.1.1   Trojan Horse Examples   61
7.1.2   Limiting the Trojan Horse   63
7.2   Covert Channels   67
7.2.1   Covert Storage Channels   68
7.2.2   Covert Timing Channels   70
7.3   Trap Doors   71
References   72

PART III   IMPLEMENTATION

Chapter 8   Hardware Security Mechanisms   75
8.1   Hardware/Firmware/Software Trade-offs   76
8.2   Process Support   77
8.3   Memory Protection   78
8.3.1   Virtual Address Space   78
8.3.2   Virtual Memory Mapping   78
8.3.3   Demand Paging   79
8.3.4   Segmentation   80
8.3.5   Access Control with Memory Management   83
8.4   Execution Domains   86
8.4.1   Transfer of Control Across Domains   89
8.4.2   Argument Passing Across Domains   91
8.5   Input/Output Access Control   96
8.5.1   Programmed I/O   99
8.5.2   Unmapped I/O   100
8.5.3   Premapped I/O   101
8.5.4   Fully Mapped I/O   101
References   103

Chapter 9   Security Models   105
9.1   Role of a Security Model   105
9.2   Practical Applications of a Model   108
9.3   Types of Security Models   109
9.4   Characteristics of a Security Model   110
9.5   State-Machine Models   111
9.5.1   Examples of a State Machine Model   112
9.5.2   Adding Constraints to State-Machine Access Models   117
9.5.3   The Bell and La Padula Security Model   121
9.6   Information-Flow Models   125
9.7   Informal Model-to-System Correspondence   127
9.7.1   Mapping the Functions   127
9.7.2   Mapping the Variables   128
9.7.3   Unmapped Functions and Variables   128
References   129

Chapter 10   Security Kernels   131
10.1   The Reference Monitor   132
10.2   The Three Principles   133
10.2.1   Completeness   133
10.2.2   Isolation   134
10.2.3   Verifiability   134
10.3   Virtualization and Sharing   136
10.4   Trusted Path   137
10.5   Trusted Functions   139
10.6   Kernel Security Policies   140
10.7   Kernel Implementation Strategies   141
10.7.1   Case (a): Identical Operating System (Virtual Machine)   143
10.7.2   Case (b): Compatible Operating System (Emulation)   145
10.7.3   Case (c): New Operating System   148
References   148

Chapter 11   Architectural Considerations   151
11.1   Operating System Layering   151
11.2   Asynchronous Attacks and Argument Validation   153
11.3   Protected Subsystems   154
11.4   Secure File Systems   157
11.4.1   Naming Structures   157
11.4.2   Unique Identifiers   159
11.5   Security Guards   160
11.6   Capability-based Architectures   162
References   163

Chapter 12   Formal Specification and Verification   165
12.1   Formal Specification Techniques   167
12.2   Properties of Formal Specifications   168
12.3   Example of a Formal Specification   172
12.4   Specification-to-Model Correspondence   174
12.5   Techniques for Proving Specifications   175
12.6   Methods of Decomposition   177
12.6.1   Data Structure Refinement   177
12.6.2   Algorithmic Refinement   178
12.6.3   Procedural Abstraction   181
12.7   Information-Flow Analysis   182
12.7.1   Flow Rules   184
12.7.2   Flow Analysis Process   188
12.8   Code Correspondence Proofs   189
References   192

Chapter 13   Networks and Distributed Systems   195
13.1   Overview of Networking Concepts   195
13.1.1   Protocol Hierarchies and Models   195
13.1.2   Characteristics of Protocols   198
13.1.3   Network Topologies and Components   199
13.2   Encryption   200
13.2.1   Fundamentals of Encryption   201
13.2.2   Security Services   205
13.2.3   Integrating Packet Encryption into a Protocol Architecture   209
13.2.4   Key Management   210
13.3   A Network Security Architecture   212
13.3.1   Network Subjects, Objects, and Access Control   213
13.3.2   Network Security Perimeter and Protected Path   215
13.3.3   Distributed Secure System   216
13.3.4   Mutually Suspicious Systems   218
13.4   Network Servers   220