book

Computer Security Art and Science, 2nd Edition

Name: Computer Security Art and Science, 2nd Edition
Author: Matt Bishop
ISBN: 9780134097145

by Matt Bishop

November 2018

Intermediate to advanced

1440 pages

48h 29m

English

Addison-Wesley Professional

Read now

Unlock full access

Cover Page
About This E-Book
Title Page
Copyright Page
Dedication Page
Contents
Preface
Preface to the Second EditionPreface to the First Edition
Acknowledgments
Special AcknowledgmentsAcknowledgments
About the Author
Part I: Introduction

Chapter 1 An Overview of Computer Security
1.1 The Basic Components1.2 Threats1.3 Policy and Mechanism1.4 Assumptions and Trust1.5 Assurance1.6 Operational Issues1.7 Human Issues1.8 Tying It All Together1.9 Summary1.10 Research Issues1.11 Further Reading1.12 Exercises
Part II: Foundations
Chapter 2 Access Control Matrix
2.1 Protection State2.2 Access Control Matrix Model2.3 Protection State Transitions2.4 Copying, Owning, and the Attenuation of Privilege2.5 Summary2.6 Research Issues2.7 Further Reading2.8 Exercises
Chapter 3 Foundational Results
3.1 The General Question3.2 Basic Results3.3 The Take-Grant Protection Model3.4 Closing the Gap: The Schematic Protection Model3.5 Expressive Power and the Models3.6 Comparing Security Properties of Models3.7 Summary3.8 Research Issues3.9 Further Reading3.10 Exercises
Part III: Policy
Chapter 4 Security Policies
4.1 The Nature of Security Policies4.2 Types of Security Policies4.3 The Role of Trust4.4 Types of Access Control4.5 Policy Languages4.6 Example: Academic Computer Security Policy4.7 Security and Precision4.8 Summary4.9 Research Issues4.10 Further Reading4.11 Exercises
Chapter 5 Confidentiality Policies
5.1 Goals of Confidentiality Policies5.2 The Bell-LaPadula Model5.3 Tranquility5.4 The Controversy over the Bell-LaPadula Model5.5 Summary5.6 Research Issues5.7 Further Reading5.8 Exercises
Chapter 6 Integrity Policies
6.1 Goals6.2 The Biba Model6.3 Lipner’s Integrity Matrix Model6.4 Clark-Wilson Integrity Model6.5 Trust Models6.6 Summary6.7 Research Issues6.8 Further Reading6.9 Exercises
Chapter 7 Availability Policies
7.1 Goals of Availability Policies7.2 Deadlock7.3 Denial of Service Models7.4 Example: Availability and Network Flooding7.5 Summary7.6 Research Issues7.7 Further Reading7.8 Exercises
Chapter 8 Hybrid Policies
8.1 Chinese Wall Model8.2 Clinical Information Systems Security Policy8.3 Originator Controlled Access Control8.4 Role-Based Access Control8.5 Break-the-Glass Policies8.6 Summary8.7 Research Issues8.8 Further Reading8.9 Exercises
Chapter 9 Noninterference and Policy Composition
9.1 The Problem9.2 Deterministic Noninterference9.3 Nondeducibility9.4 Generalized Noninterference9.5 Restrictiveness9.6 Side Channels and Deducibility9.7 Summary9.8 Research Issues9.9 Further Reading9.10 Exercises
Part IV: Implementation I: Cryptography
Chapter 10 Basic Cryptography
10.1 Cryptography10.2 Symmetric Cryptosystems10.3 Public Key Cryptography10.4 Cryptographic Checksums10.5 Digital Signatures10.6 Summary10.7 Research Issues10.8 Further Reading10.9 Exercises
Chapter 11 Key Management
11.1 Session and Interchange Keys11.2 Key Exchange11.3 Key Generation11.4 Cryptographic Key Infrastructures11.5 Storing and Revoking Keys11.6 Summary11.7 Research Issues11.8 Further Reading11.9 Exercises
Chapter 12 Cipher Techniques
12.1 Problems12.2 Stream and Block Ciphers12.3 Authenticated Encryption12.4 Networks and Cryptography12.5 Example Protocols12.6 Summary12.7 Research Issues12.8 Further Reading12.9 Exercises
Chapter 13 Authentication
13.1 Authentication Basics13.2 Passwords13.3 Password Selection13.4 Attacking Passwords13.5 Password Aging13.6 Challenge-Response13.7 Biometrics13.8 Location13.9 Multifactor Authentication13.10 Summary13.11 Research Issues13.12 Further Reading13.13 Exercises
Part V: Implementation II: Systems
Chapter 14 Design Principles
14.1 Underlying Ideas14.2 Principles of Secure Design14.3 Summary14.4 Research Issues14.5 Further Reading14.6 Exercises
Chapter 15 Representing Identity
15.1 What Is Identity?15.2 Files and Objects15.3 Users15.4 Groups and Roles15.5 Naming and Certificates15.6 Identity on the Web15.7 Anonymity on the Web15.8 Summary15.9 Research Issues15.10 Further Reading15.11 Exercises
Chapter 16 Access Control Mechanisms
16.1 Access Control Lists16.2 Capabilities16.3 Locks and Keys16.4 Ring-Based Access Control16.5 Propagated Access Control Lists16.6 Summary16.7 Research Issues16.8 Further Reading16.9 Exercises
Chapter 17 Information Flow
17.1 Basics and Background17.2 Nonlattice Information Flow Policies17.3 Static Mechanisms17.4 Dynamic Mechanisms17.5 Integrity Mechanisms17.6 Example Information Flow Controls17.7 Summary17.8 Research Issues17.9 Further Reading17.10 Exercises
Chapter 18 Confinement Problem
18.1 The Confinement Problem18.2 Isolation18.3 Covert Channels18.4 Summary18.5 Research Issues18.6 Further Reading18.7 Exercises
Part VI: Assurance
Chapter 19 Introduction to Assurance
19.1 Assurance and Trust19.2 Building Secure and Trusted Systems19.3 Summary19.4 Research Issues19.5 Further Reading19.6 Exercises
Chapter 20 Building Systems with Assurance
20.1 Assurance in Requirements Definition and Analysis20.2 Assurance during System and Software Design20.3 Assurance in Implementation and Integration20.4 Assurance during Operation and Maintenance20.5 Summary20.6 Research Issues20.7 Further Reading20.8 Exercises
Chapter 21 Formal Methods
21.1 Formal Verification Techniques21.2 Formal Specification21.3 Early Formal Verification Techniques21.4 Current Verification Systems21.5 Functional Programming Languages21.6 Formally Verified Products21.7 Summary21.8 Research Issues21.9 Further Reading21.10 Exercises
Chapter 22 Evaluating Systems
22.1 Goals of Formal Evaluation22.2 TCSEC: 1983–199922.3 International Efforts and the ITSEC: 1991–200122.4 Commercial International Security Requirements: 199122.5 Other Commercial Efforts: Early 1990s22.6 The Federal Criteria: 199222.7 FIPS 140: 1994–Present22.8 The Common Criteria: 1998–Present22.9 SSE-CMM: 1997–Present22.10 Summary22.11 Research Issues22.12 Further Reading22.13 Exercises
Part VII: Special Topics
Chapter 23 Malware
23.1 Introduction23.2 Trojan Horses23.3 Computer Viruses23.4 Computer Worms23.5 Bots and Botnets23.6 Other Malware23.7 Combinations23.8 Theory of Computer Viruses23.9 Defenses23.10 Summary23.11 Research Issues23.12 Further Reading23.13 Exercises
Chapter 24 Vulnerability Analysis
24.1 Introduction24.2 Penetration Studies24.3 Vulnerability Classification24.4 Frameworks24.5 Standards24.6 Gupta and Gligor’s Theory of Penetration Analysis24.7 Summary24.8 Research Issues24.9 Further Reading24.10 Exercises
Chapter 25 Auditing
25.1 Definition25.2 Anatomy of an Auditing System25.3 Designing an Auditing System25.4 A Posteriori Design25.5 Auditing Mechanisms25.6 Examples: Auditing File Systems25.7 Summary25.8 Research Issues25.9 Further Reading25.10 Exercises
Chapter 26 Intrusion Detection
26.1 Principles26.2 Basic Intrusion Detection26.3 Models26.4 Architecture26.5 Organization of Intrusion Detection Systems26.6 Summary26.7 Research Issues26.8 Further Reading26.9 Exercises
Chapter 27 Attacks and Responses
27.1 Attacks27.2 Representing Attacks27.3 Intrusion Response27.4 Digital Forensics27.5 Summary27.6 Research Issues27.7 Further Reading27.8 Exercises
Part VIII: Practicum
Chapter 28 Network Security
28.1 Introduction28.2 Policy Development28.3 Network Organization28.4 Availability28.5 Anticipating Attacks28.6 Summary28.7 Research Issues28.8 Further Reading28.9 Exercises
Chapter 29 System Security
29.1 Introduction29.2 Policy29.3 Networks29.4 Users29.5 Authentication29.6 Processes29.7 Files29.8 Retrospective29.9 Summary29.10 Research Issues29.11 Further Reading29.12 Exercises
Chapter 30 User Security
30.1 Policy30.2 Access30.3 Files and Devices30.4 Processes30.5 Electronic Communications30.6 Summary30.7 Research Issues30.8 Further Reading30.9 Exercises
Chapter 31 Program Security
31.1 Problem31.2 Requirements and Policy31.3 Design31.4 Refinement and Implementation31.5 Common Security-Related Programming Problems31.6 Testing, Maintenance, and Operation31.7 Distribution31.8 Summary31.9 Research Issues31.10 Further Reading31.11 Exercises
Part IX: Appendices
Appendix A Lattices
A.1 BasicsA.2 LatticesA.3 Exercises
Appendix B The Extended Euclidean Algorithm
B.1 The Euclidean AlgorithmB.2 The Extended Euclidean AlgorithmB.3 Solving ax mod n = 1B.4 Solving ax mod n = bB.5 Exercises
Appendix C Entropy and Uncertainty
C.1 Conditional and Joint ProbabilityC.2 Entropy and UncertaintyC.3 Joint and Conditional EntropyC.4 Exercises
Appendix D Virtual Machines
D.1 Virtual Machine StructureD.2 Virtual Machine MonitorD.3 Exercises
Appendix E Symbolic Logic
E.1 Propositional LogicE.2 Predicate LogicE.3 Temporal Logic SystemsE.4 Exercises
Appendix F The Encryption Standards
F.1 Data Encryption StandardF.2 Advanced Encryption StandardF.3 Exercises
Appendix G Example Academic Security Policy
G.1 Acceptable Use PolicyG.2 University of California Electronic Communications PolicyG.3 User AdvisoriesG.4 Electronic Communications—Allowable Use
Appendix H Programming Rules
H.1 Implementation RulesH.2 Management Rules
References
Index
Credits
Code Snippets

Content preview from Computer Security Art and Science, 2nd Edition

Chapter 24 Vulnerability Analysis

MACBETH: I pull in resolution and begin To doubt th’ equivocation of the fiend That lies like truth: “Fear not, till Birnam wood Do come to Dunsinane,” and now a wood Comes toward Dunsinane. Arm, arm, and out!

— The Tragedy of Macbeth, V, v, 42–46.

Vulnerabilities arise from computer system design, implementation, maintenance, and operation. This chapter presents a general technique for testing for vulnerabilities in all these areas and discusses several models of vulnerabilities.

24.1 Introduction

A “computer system” is more than hardware and software; it includes the policies, procedures, and organization under which that hardware and software is used. Lapses in security can arise from any of these areas ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780134097145

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Computer Security Art and Science, 2nd Edition

by Matt Bishop

Chapter 24