BUILDING A SECURE COMPUTER SYSTEM
Morrie Gasser
ACF2 is a trademark of Uccel Corp.
AOS is a trademark of Data General Corp.
DEC, PDP-11, VMS, SES/VMS are trademarks of Digital Equipment Corp.
IBM is a registered trademark of International Business Machines, Inc.
Intel, 80286, iAPX 432 are trademarks of Intel Corp.
Motorola, 68000 are trademarks of Motorola Corp.
TOP SECRET is a trademark of CGA Software Products Group, Inc.
Unix is a trademark of American Telephone & Telegraph Co.
Copyright © 1988 by Van Nostrand Reinhold
Library of Congress Catalog Card Number 87-27838
ISBN 0-442-23022-2
All rights reserved. No part of this work covered by the copyright hereon may be reproduced or
used in any form or by any means—graphic, electronic, or mechanical, including photocopying,
recording, taping, or information storage and retrieval systems—without written permission of
the publisher.
Printed in the United States of America
Designed by Beth Tondreau
Van Nostrand Reinhold
115 Fifth Avenue
New York, New York 10003
Van Nostrand Reinhold International Company Limited
11 New Fetter Lane
London EC4P 4EE, England
Van Nostrand Reinhold
480 La Trobe Street
Melbourne, Victoria 3000, Australia
Macmillan of Canada
Division of Canada Publishing Corporation
164 Commander Boulevard
Agincourt, Ontario M1S 3C7, Canada
16 15 14 13 12 11 10 9 8 7 6 5 4 3 2
Library of Congress Cataloging-in-Publication Data
Gasser, Morrie, 1947–
Building a secure computer system.
Bibliography: p.
Includes index.
1. Computers—Access control. 2. System design.
I. Title.
QA76.9.A25G37 1988 005.8 87-27838
ISBN 0-442-23022-2
TO MY WIFE, KATE, AND MY CHILDREN, BECKY AND DANNY.
CONTENTS
Foreword  xi
Preface  xiii
PART I OVERVIEW
Chapter 1 What is Computer Security?  3
1.1 Secrecy, Integrity, and Denial of Service  3
1.2 Trusted System Evaluation Criteria  4
References  6
Chapter 2 Why Systems Are Not Secure  7
2.1 Security is Fundamentally Difficult  7
2.2 Security Is an Afterthought  8
2.3 Security Is an Impediment  9
2.4 False Solutions Impede Progress  10
2.5 The Problem is People, Not Computers  11
2.6 Technology is Oversold  12
References  13
Chapter 3 General Concepts  15
3.1 Internal and External Security  15
3.2 The System Boundary and the Security Perimeter  16
3.3 Users and Trust  18
3.3.1 Protecting the User from Self-betrayal  18
3.3.2 Identification and Authentication  18
3.4 Trusted Systems  19
3.4.1 Trojan Horses  21
3.5 Subjects, Objects, and Access Control  21
3.5.1 Access Control  22
3.5.2 Security Policy  23
Chapter 4 Design Techniques  24
4.1 System Structures  24
4.1.1 Structure of a Computer System  25
4.1.2 System States  27
4.2 The Reference Monitor and Security Kernels  28
4.3 System Development Process  30
References  32
PART II DETAILED CONCEPTS
Chapter 5 Principles of a Security Architecture  35
5.1 Consider Security from the Start  36
5.2 Anticipate Future Security Requirements  36
5.3 Minimize and Isolate Security Controls  38
5.4 Enforce Least Privilege  39
5.5 Structure the Security-Relevant Functions  41
5.6 Make Security Friendly  41
5.7 Do Not Depend on Secrecy for Security  43
References  44
Chapter 6 Access Control and Multilevel Security  45
6.1 Access to the System  45
6.2 Discretionary Access Control  47
6.2.1 Passwords for File Access  47
6.2.2 Capability List  48
6.2.3 Owner/Group/Other  48
6.2.4 Access Control Lists  49
6.2.5 Trojan Horse Threats  50
6.3 Mandatory Access Control  50
6.4 Multilevel Security  51
6.4.1 Military Security Policy  51
6.4.2 A Note on Terminology  52
6.4.3 Mathematical Relationships  53
6.4.4 Multilevel Security Rules  53
6.5 Integrity  56
References  58
Chapter 7 Trojan Horses and Covert Channels  60
7.1 Trojan Horses and Viruses  61
7.1.1 Trojan Horse Examples  61
7.1.2 Limiting the Trojan Horse  63
7.2 Covert Channels  67
7.2.1 Covert Storage Channels  68
7.2.2 Covert Timing Channels  70
7.3 Trap Doors  71
References  72
PART III IMPLEMENTATION
Chapter 8 Hardware Security Mechanisms  75
8.1 Hardware/Firmware/Software Trade-offs  76
8.2 Process Support  77
8.3 Memory Protection  78
8.3.1 Virtual Address Space  78
8.3.2 Virtual Memory Mapping  78
8.3.3 Demand Paging  79
8.3.4 Segmentation  80
8.3.5 Access Control with Memory Management  83
8.4 Execution Domains  86
8.4.1 Transfer of Control Across Domains  89
8.4.2 Argument Passing Across Domains  91
8.5 Input/Output Access Control  96
8.5.1 Programmed I/O  99
8.5.2 Unmapped I/O  100
8.5.3 Premapped I/O  101
8.5.4 Fully Mapped I/O  101
References  103
Chapter 9 Security Models  105
9.1 Role of a Security Model  105
9.2 Practical Applications of a Model  108
9.3 Types of Security Models  109
9.4 Characteristics of a Security Model  110
9.5 State-Machine Models  111
9.5.1 Examples of a State Machine Model  112
9.5.2 Adding Constraints to State-Machine Access Models  117
9.5.3 The Bell and La Padula Security Model  121
9.6 Information-Flow Models  125
9.7 Informal Model-to-System Correspondence  127
9.7.1 Mapping the Functions  127
9.7.2 Mapping the Variables  128
9.7.3 Unmapped Functions and Variables  128
References  129
Chapter 10 Security Kernels  131
10.1 The Reference Monitor  132
10.2 The Three Principles  133
10.2.1 Completeness  133
10.2.2 Isolation  134
10.2.3 Verifiability  134
10.3 Virtualization and Sharing  136
10.4 Trusted Path  137
10.5 Trusted Functions  139
10.6 Kernel Security Policies  140
10.7 Kernel Implementation Strategies  141
10.7.1 Case (a): Identical Operating System (Virtual Machine)  143
10.7.2 Case (b): Compatible Operating System (Emulation)  145
10.7.3 Case (c): New Operating System  148
References  148
Chapter 11 Architectural Considerations  151
11.1 Operating System Layering  151
11.2 Asynchronous Attacks and Argument Validation  153
11.3 Protected Subsystems  154
11.4 Secure File Systems  157
11.4.1 Naming Structures  157
11.4.2 Unique Identifiers  159
11.5 Security Guards  160
11.6 Capability-based Architectures  162
References  163
Chapter 12 Formal Specification and Verification  165
12.1 Formal Specification Techniques  167
12.2 Properties of Formal Specifications  168
12.3 Example of a Formal Specification  172
12.4 Specification-to-Model Correspondence  174
12.5 Techniques for Proving Specifications  175
12.6 Methods of Decomposition  177
12.6.1 Data Structure Refinement  177
12.6.2 Algorithmic Refinement  178
12.6.3 Procedural Abstraction  181
12.7 Information-Flow Analysis  182
12.7.1 Flow Rules  184
12.7.2 Flow Analysis Process  188
12.8 Code Correspondence Proofs  189
References  192
Chapter 13 Networks and Distributed Systems  195
13.1 Overview of Networking Concepts  195
13.1.1 Protocol Hierarchies and Models  195
13.1.2 Characteristics of Protocols  198
13.1.3 Network Topologies and Components  199
13.2 Encryption  200
13.2.1 Fundamentals of Encryption  201
13.2.2 Security Services  205
13.2.3 Integrating Packet Encryption into a Protocol Architecture  209
13.2.4 Key Management  210
13.3 A Network Security Architecture  212
13.3.1 Network Subjects, Objects, and Access Control  213
13.3.2 Network Security Perimeter and Protected Path  215
13.3.3 Distributed Secure System  216
13.3.4 Mutually Suspicious Systems  218
13.4 Network Servers  220