Computer Security THIRD EDITION Computer Security THIRD EDITION Dieter Gollmann Hamburg University of Technology A John Wiley and Sons, Ltd., Publication This edition first published 2011 2011 John Wiley & Sons, Ltd Registered office John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com. The right of Dieter Gollmann to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought. Library of Congress Cataloging-in-Publication Data Gollmann, Dieter. Computer security / Dieter Gollmann. – 3rd ed. p. cm. Includes bibliographical references and index. ISBN 978-0-470-74115-3 (pbk.) 1. Computer security. I. Title. QA76.9.A25G65 2011 005.8 – dc22 2010036859 A catalogue record for this book is available from the British Library. Set in 9/12 Sabon by Laserwords Private Limited, Chennai, India Printed in Great Britain by TJ International Ltd, Padstow Contents Preface C H A P T E R 1 – History of Computer Security 1.1 1.2 1.3 1.4 1.5 1.6 1.7 The Dawn of Computer Security 1970s – Mainframes 1980s – Personal Computers 1.3.1 An Early Worm 1.3.2 The Mad Hacker 1990s – Internet 2000s – The Web Conclusions – The Benefits of Hindsight Exercises xvii 1 2 3 4 5 6 6 8 10 11 C H A P T E R 2 – Managing Security 13 2.1 2.2 14 15 16 17 19 21 22 23 24 24 26 26 28 29 29 2.3 2.4 2.5 Attacks and Attackers Security Management 2.2.1 Security Policies 2.2.2 Measuring Security 2.2.3 Standards Risk and Threat Analysis 2.3.1 Assets 2.3.2 Threats 2.3.3 Vulnerabilities 2.3.4 Attacks 2.3.5 Common Vulnerability Scoring System 2.3.6 Quantitative and Qualitative Risk Analysis 2.3.7 Countermeasures – Risk Mitigation Further Reading Exercises C H A P T E R 3 – Foundations of Computer Security 31 3.1 32 32 34 34 35 36 37 38 Definitions 3.1.1 Security 3.1.2 Computer Security 3.1.3 Confidentiality 3.1.4 Integrity 3.1.5 Availability 3.1.6 Accountability 3.1.7 Non-repudiation vi CONTENTS 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.1.8 Reliability 3.1.9 Our Definition The Fundamental Dilemma of Computer Security Data vs Information Principles of Computer Security 3.4.1 Focus of Control 3.4.2 The Man–Machine Scale 3.4.3 Complexity vs Assurance 3.4.4 Centralized or Decentralized Controls The Layer Below The Layer Above Further Reading Exercises 38 39 40 40 41 42 42 44 44 45 47 47 48 C H A P T E R 4 – Identification and Authentication 49 4.1 4.2 4.3 4.4 50 51 52 54 55 56 58 59 63 63 4.5 4.6 4.7 4.8 4.9 Username and Password Bootstrapping Password Protection Guessing Passwords Phishing, Spoofing, and Social Engineering 4.4.1 Password Caching Protecting the Password File Single Sign-on Alternative Approaches Further Reading Exercises C H A P T E R 5 – Access Control 65 5.1 5.2 5.3 66 66 68 68 68 70 71 71 72 72 73 74 74 75 76 78 5.4 5.5 5.6 Background Authentication and Authorization Access Operations 5.3.1 Access Modes 5.3.2 Access Rights of the Bell–LaPadula Model 5.3.3 Administrative Access Rights Access Control Structures 5.4.1 Access Control Matrix 5.4.2 Capabilities 5.4.3 Access Control Lists Ownership Intermediate Controls 5.6.1 Groups and Negative Permissions 5.6.2 Privileges 5.6.3 Role-Based Access Control 5.6.4 Protection Rings CONTENTS 5.7 5.8 5.9 5.10 Policy Instantiation Comparing Security Attributes 5.8.1 Partial Orderings 5.8.2 Abilities in the VSTa Microkernel 5.8.3 Lattice of Security Levels 5.8.4 Multi-level Security Further Reading Exercises C H A P T E R 6 – Reference Monitors 6.1 6.2 6.3 6.4 6.5 6.6 Introduction 6.1.1 Placing the Reference Monitor 6.1.2 Execution Monitors Operating System Integrity 6.2.1 Modes of Operation 6.2.2 Controlled Invocation Hardware Security Features 6.3.1 Security Rationale 6.3.2 A Brief Overview of Computer Architecture 6.3.3 Processes and Threads 6.3.4 Controlled Invocation – Interrupts 6.3.5 Protection on the Intel 80386/80486 6.3.6 The Confused Deputy Problem Protecting Memory 6.4.1 Secure Addressing Further Reading Exercises 79 79 79 80 81 82 84 84 87 88 89 90 90 91 91 91 92 92 95 95 96 98 99 100 103 104 C H A P T E R 7 – Unix Security 107 7.1 108 109 109 110 110 111 111 112 113 113 113 114 115 7.2 7.3 7.4 Introduction 7.1.1 Unix Security Architecture Principals 7.2.1 User Accounts 7.2.2 Superuser (Root) 7.2.3 Groups Subjects 7.3.1 Login and Passwords 7.3.2 Shadow Password File Objects 7.4.1 The Inode 7.4.2 Default Permissions 7.4.3 Permissions for Directories vii viii CONTENTS 7.5 7.6 7.7 7.8 7.9 Access Control 7.5.1 Set UserID and Set GroupID 7.5.2 Changing Permissions 7.5.3 Limitations of Unix Access Control Instances of General Security Principles 7.6.1 Applying Controlled Invocation 7.6.2 Deleting Files 7.6.3 Protection of Devices 7.6.4 Changing the Root of the Filesystem 7.6.5 Mounting Filesystems 7.6.6 Environment Variables 7.6.7 Searchpath 7.6.8 Wrappers Management Issues 7.7.1 Managing the Superuser 7.7.2 Trusted Hosts 7.7.3 Audit Logs and Intrusion Detection 7.7.4 Installation and Configuration Further Reading Exercises 116 117 118 119 119 119 120 120 121 122 122 123 124 125 125 126 126 127 128 128 C H A P T E R 8 – Windows Security 131 8.1 132 132 133 134 135 135 137 139 141 142 143 144 145 145 145 147 148 149 150 150 150 8.2 8.3 8.4 8.5 8.6 Introduction 8.1.1 Architecture 8.1.2 The Registry 8.1.3 Domains Components of Access Control 8.2.1 Principals 8.2.2 Subjects 8.2.3 Permissions 8.2.4 Objects Access Decisions 8.3.1 The DACL 8.3.2 Decision Algorithm Managing Policies 8.4.1 Property Sets 8.4.2 ACE Inheritance Task-Dependent Access Rights 8.5.1 Restricted Tokens 8.5.2 User Account Control Administration 8.6.1 User Accounts 8.6.2 Default User Accounts CONTENTS 8.7 8.8 8.6.3 Audit 8.6.4 Summary Further Reading Exercises 152 152 153 153 C H A P T E R 9 – Database Security 155 9.1 9.2 156 158 160 161 162 163 163 164 167 168 169 170 172 173 175 175 9.3 9.4 9.5 9.6 9.7 9.8 Introduction Relational Databases 9.2.1 Database Keys 9.2.2 Integrity Rules Access Control 9.3.1 The SQL Security Model 9.3.2 Granting and Revocation of Privileges 9.3.3 Access Control through Views Statistical Database Security 9.4.1 Aggregation and Inference 9.4.2 Tracker Attacks 9.4.3 Countermeasures Integration with the Operating System Privacy Further Reading Exercises C H A P T E R 10 – Software Security 177 10.1 178 178 178 178 179 179 179 179 181 181 183 184 185 186 187 187 189 191 191 192 10.2 10.3 10.4 10.5 Introduction 10.1.1 Security and Reliability 10.1.2 Malware Taxonomy 10.1.3 Hackers 10.1.4 Change in Environment 10.1.5 Dangers of Abstraction Characters and Numbers 10.2.1 Characters (UTF-8 Encoding) 10.2.2 The rlogin Bug 10.2.3 Integer Overflows Canonical Representations Memory Management 10.4.1 Buffer Overruns 10.4.2 Stack Overruns 10.4.3 Heap Overruns 10.4.4 Double-Free Vulnerabilities 10.4.5 Type Confusion Data and Code 10.5.1 Scripting 10.5.2 SQL Injection ix x CONTENTS 10.6 10.7 10.8 10.9 Race Conditions Defences 10.7.1 Prevention: Hardware 10.7.2 Prevention: Modus Operandi 10.7.3 Prevention: Safer Functions 10.7.4 Prevention: Filtering 10.7.5 Prevention: Type Safety 10.7.6 Detection: Canaries 10.7.7 Detection: Code Inspection 10.7.8 Detection: Testing 10.7.9 Mitigation: Least Privilege 10.7.10 Reaction: Keeping Up to Date Further Reading Exercises 193 194 194 195 195 195 197 197 197 199 200 201 201 202 C H A P T E R 11 – Bell–LaPadula Model 205 11.1 11.2 206 206 207 208 210 210 211 212 213 214 214 216 216 11.3 11.4 11.5 State Machine Models The Bell–LaPadula Model 11.2.1 The State Set 11.2.2 Security Policies 11.2.3 The Basic Security Theorem 11.2.4 Tranquility 11.2.5 Aspects and Limitations of BLP The Multics Interpretation of BLP 11.3.1 Subjects and Objects in Multics 11.3.2 Translating the BLP Policies 11.3.3 Checking the Kernel Primitives Further Reading Exercises C H A P T E R 12 – Security Models 219 12.1 220 220 220 221 221 223 225 228 228 229 230 231 232 12.2 12.3 12.4 12.5 12.6 The Biba Model 12.1.1 Static Integrity Levels 12.1.2 Dynamic Integrity Levels 12.1.3 Policies for Invocation Chinese Wall Model The Clark–Wilson Model The Harrison–Ruzzo–Ullman Model Information-Flow Models 12.5.1 Entropy and Equivocation 12.5.2 A Lattice-Based Model Execution Monitors 12.6.1 Properties of Executions 12.6.2 Safety and Liveness CONTENTS 12.7 12.8 Further Reading Exercises 232 233 C H A P T E R 13 – Security Evaluation 235 13.1 13.2 13.3 13.4 13.5 13.6 Introduction The Orange Book The Rainbow Series Information Technology Security Evaluation Criteria The Federal Criteria The Common Criteria 13.6.1 Protection Profiles 13.6.2 Evaluation Assurance Levels 13.6.3 Evaluation Methodology 13.6.4 Re-evaluation 13.7 Quality Standards 13.8 An Effort Well Spent? 13.9 Summary 13.10 Further Reading 13.11 Exercises 236 239 241 242 243 243 244 245 246 246 246 247 248 248 249 C H A P T E R 14 – Cryptography 251 14.1 252 252 253 254 255 256 257 257 257 259 259 260 261 261 263 264 265 266 268 269 270 271 272 273 14.2 14.3 14.4 14.5 14.6 14.7 14.8 14.9 Introduction 14.1.1 The Old Paradigm 14.1.2 New Paradigms 14.1.3 Cryptographic Keys 14.1.4 Cryptography in Computer Security Modular Arithmetic Integrity Check Functions 14.3.1 Collisions and the Birthday Paradox 14.3.2 Manipulation Detection Codes 14.3.3 Message Authentication Codes 14.3.4 Cryptographic Hash Functions Digital Signatures 14.4.1 One-Time Signatures 14.4.2 ElGamal Signatures and DSA 14.4.3 RSA Signatures Encryption 14.5.1 Data Encryption Standard 14.5.2 Block Cipher Modes 14.5.3 RSA Encryption 14.5.4 ElGamal Encryption Strength of Mechanisms Performance Further Reading Exercises xi xii CONTENTS C H A P T E R 15 – Key Establishment 275 15.1 15.2 276 276 277 278 279 279 280 281 282 283 285 286 286 287 287 288 288 289 289 291 292 292 293 295 295 15.3 15.4 15.5 15.6 15.7 15.8 Introduction Key Establishment and Authentication 15.2.1 Remote Authentication 15.2.2 Key Establishment Key Establishment Protocols 15.3.1 Authenticated Key Exchange Protocol 15.3.2 The Diffie–Hellman Protocol 15.3.3 Needham–Schroeder Protocol 15.3.4 Password-Based Protocols Kerberos 15.4.1 Realms 15.4.2 Kerberos and Windows 15.4.3 Delegation 15.4.4 Revocation 15.4.5 Summary Public-Key Infrastructures 15.5.1 Certificates 15.5.2 Certificate Authorities 15.5.3 X.509/PKIX Certificates 15.5.4 Certificate Chains 15.5.5 Revocation 15.5.6 Electronic Signatures Trusted Computing – Attestation Further Reading Exercises C H A P T E R 16 – Communications Security 297 16.1 298 298 299 299 301 302 302 304 304 306 307 308 308 310 312 313 16.2 16.3 16.4 16.5 Introduction 16.1.1 Threat Model 16.1.2 Secure Tunnels Protocol Design Principles IP Security 16.3.1 Authentication Header 16.3.2 Encapsulating Security Payloads 16.3.3 Security Associations 16.3.4 Internet Key Exchange Protocol 16.3.5 Denial of Service 16.3.6 IPsec Policies 16.3.7 Summary IPsec and Network Address Translation SSL/TLS 16.5.1 Implementation Issues 16.5.2 Summary CONTENTS 16.6 16.7 16.8 Extensible Authentication Protocol Further Reading Exercises 314 316 316 C H A P T E R 17 – Network Security 319 17.1 320 320 321 322 322 324 324 324 325 326 327 328 329 330 330 330 331 331 331 332 333 333 334 334 334 335 335 336 17.2 17.3 17.4 17.5 17.6 Introduction 17.1.1 Threat Model 17.1.2 TCP Session Hijacking 17.1.3 TCP SYN Flooding Attacks Domain Name System 17.2.1 Lightweight Authentication 17.2.2 Cache Poisoning Attack 17.2.3 Additional Resource Records 17.2.4 Dan Kaminsky’s Attack 17.2.5 DNSSec 17.2.6 DNS Rebinding Attack Firewalls 17.3.1 Packet Filters 17.3.2 Stateful Packet Filters 17.3.3 Circuit-Level Proxies 17.3.4 Application-Level Proxies 17.3.5 Firewall Policies 17.3.6 Perimeter Networks 17.3.7 Limitations and Problems Intrusion Detection 17.4.1 Vulnerability Assessment 17.4.2 Misuse Detection 17.4.3 Anomaly Detection 17.4.4 Network-Based IDS 17.4.5 Host-Based IDS 17.4.6 Honeypots Further Reading Exercises C H A P T E R 18 – Web Security 339 18.1 340 340 341 342 342 343 343 344 346 18.2 18.3 Introduction 18.1.1 Transport Protocol and Data Formats 18.1.2 Web Browser 18.1.3 Threat Model Authenticated Sessions 18.2.1 Cookie Poisoning 18.2.2 Cookies and Privacy 18.2.3 Making Ends Meet Code Origin Policies xiii xiv CONTENTS 18.4 18.5 18.6 18.7 18.8 18.9 18.3.1 HTTP Referer Cross-Site Scripting 18.4.1 Cookie Stealing 18.4.2 Defending against XSS Cross-Site Request Forgery 18.5.1 Authentication for Credit JavaScript Hijacking 18.6.1 Outlook Web Services Security 18.7.1 XML Digital Signatures 18.7.2 Federated Identity Management 18.7.3 XACML Further Reading Exercises 347 347 349 349 350 351 352 354 354 355 357 359 360 361 C H A P T E R 19 – Mobility 363 19.1 19.2 364 364 365 365 366 366 367 368 368 369 369 370 370 372 373 373 375 377 378 379 381 381 383 383 19.3 19.4 19.5 19.6 19.7 19.8 Introduction GSM 19.2.1 Components 19.2.2 Temporary Mobile Subscriber Identity 19.2.3 Cryptographic Algorithms 19.2.4 Subscriber Identity Authentication 19.2.5 Encryption 19.2.6 Location-Based Services 19.2.7 Summary UMTS 19.3.1 False Base Station Attacks 19.3.2 Cryptographic Algorithms 19.3.3 UMTS Authentication and Key Agreement Mobile IPv6 Security 19.4.1 Mobile IPv6 19.4.2 Secure Binding Updates 19.4.3 Ownership of Addresses WLAN 19.5.1 WEP 19.5.2 WPA 19.5.3 IEEE 802.11i – WPA2 Bluetooth Further Reading Exercises C H A P T E R 20 – New Access Control Paradigms 385 20.1 386 386 Introduction 20.1.1 Paradigm Shifts in Access Control CONTENTS 20.2 20.3 20.4 20.5 20.6 20.7 20.8 20.9 20.1.2 Revised Terminology for Access Control SPKI Trust Management Code-Based Access Control 20.4.1 Stack Inspection 20.4.2 History-Based Access Control Java Security 20.5.1 The Execution Model 20.5.2 The Java 1 Security Model 20.5.3 The Java 2 Security Model 20.5.4 Byte Code Verifier 20.5.5 Class Loaders 20.5.6 Policies 20.5.7 Security Manager 20.5.8 Summary .NET Security Framework 20.6.1 Common Language Runtime 20.6.2 Code-Identity-Based Security 20.6.3 Evidence 20.6.4 Strong Names 20.6.5 Permissions 20.6.6 Security Policies 20.6.7 Stack Walk 20.6.8 Summary Digital Rights Management Further Reading Exercises 387 388 390 391 393 394 395 396 396 397 397 398 399 399 400 400 400 401 401 402 403 403 404 405 405 406 406 Bibliography 409 Index 423 xv Preface Ég geng ı́ hring .ı́ kringum allt, sem er. Og utan þessa hrings er veröld mı́n Steinn Steinarr Security is a fashion industry. There is more truth in this statement than one would like to admit to a student of computer security. Security buzzwords come and go; without doubt security professionals and security researchers can profit from dropping the right buzzword at the right time. Still, this book is not intended as a fashion guide. This is a textbook on computer security. A textbook has to convey the fundamental principles of its discipline. In this spirit, the attempt has been made to extract essential ideas that underpin the plethora of security mechanisms one finds deployed in today’s IT landscape. A textbook should also instruct the reader when and how to apply these fundamental principles. As the IT landscape keeps changing, security practitioners have to understand when familiar security mechanisms no longer address newly emerging threats. Of course, they also have to understand how to apply the security mechanisms at their disposal. This is a challenge to the author of a textbook on computer security. To appreciate how security principles manifest themselves in any given IT system the reader needs sufficient background knowledge about that system. A textbook on computer security is limited in the space it can devote to covering the broader features of concrete IT systems. Moreover, the speed at which those features keep changing implies that any book trying to capture current systems at a fine level of detail is out of date by the time it reaches its readers. This book tries to negotiate the route from security principles to their application by stopping short of referring to details specific to certain product versions. For the last steps towards any given version the reader will have to consult the technical literature on that product. Computer security has changed in important aspects since the first edition of this book was published. Once, operating systems security was at the heart of this subject. Many concepts in computer security have their origin in operating systems research. Since the emergence of the web as a global distributed application platform, the focus of xviii PREFACE computer security has shifted to the browser and web applications. This observation applies equally to access control and to software security. This third edition of Computer Security reflects this development by including new material on web security. The reader must note that this is still an active area with unresolved open challenges. This book has been structured as follows. The first three chapters provide context and fundamental concepts. Chapter 1 gives a brief history of the field, Chapter 2 covers security management, and Chapter 3 provides initial conceptual foundations. The next three chapters deal with access control in general. Chapter 4 discusses identification and authentication of users, Chapter 5 introduces the principles of access control, with Chapter 6 focused on the reference monitor. Chapter 7 on Unix/Linux, Chapter 8 on Windows, and Chapter 9 on databases are intended as case studies to illustrate the concepts introduced in previous chapters. Chapter 10 presents the essentials of software security. This is followed by three chapters that have security evaluation as their common theme. Chapter 11 takes the Bell–LaPadula model as a case study for the formal analysis of an access control system. Chapter 12 introduces further security models. Chapter 13 deals with the process of evaluating security products. The book then moves away from stand-alone systems. The next three chapters constitute a basis for distributed systems security. Chapter 14 gives a condensed overview of cryptography, a field that provides the foundations for many communications security mechanisms. Chapter 15 looks in more detail at key management, and Chapter 16 at Internet security protocols such as IPsec and SSL/TLS. Chapter 17 proceeds beyond communications security and covers aspects of network security such as Domain Name System security, firewalls, and intrusion detection systems. Chapter 18 analyzes the current state of web security. Chapter 19 reaches into another area increasingly relevant for computer security – security solutions for mobile systems. Chapter 20 concludes the book with a discussion of recent developments in access control. Almost every chapter deserves to be covered by a book of its own. By necessity, only a subset of relevant topics can therefore be discussed within the limits of a single chapter. Because this is a textbook, I have sometimes included important material in exercises that could otherwise be expected to have a place in the main body of a handbook on computer security. Hopefully, the general coverage is still reasonably comprehensive and pointers to further sources are included. Exercises are included with each chapter but I cannot claim to have succeeded to my own satisfaction in all instances. In my defence, I can only note that computer security is not simply a collection of recipes that can be demonstrated within the confines of PREFACE a typical textbook exercise. In some areas, such as password security or cryptography, it is easy to construct exercises with precise answers that can be found by going through the correct sequence of steps. Other areas are more suited to projects, essays, or discussions. Although it is naturally desirable to support a course on computer security with experiments on real systems, suggestions for laboratory sessions are not included in this book. Operating systems, database management systems, and firewalls are prime candidates for practical exercises. The actual examples will depend on the particular systems available to the teacher. For specific systems there are often excellent books available that explain how to use the system’s security mechanisms. This book is based on material from a variety of courses, taught over several years at master’s but also at bachelor’s degree level. I have to thank the students on these courses for their feedback on points that needed better explanations. Equally, I have to thank commentators on earlier versions for their error reports and the reviewers of the draft of this third edition for constructive advice. Dieter Gollmann Hamburg, December 2010 xix 1 Chapter History of Computer Security Those who do not learn from the past will repeat it. George Santanya Security is a journey, not a destination. Computer security has been travelling for 40 years, and counting. On this journey, the challenges faced have kept changing, as have the answers to familiar challenges. This first chapter will trace the history of computer security, putting security mechanisms into the perspective of the IT landscape they were developed for. OBJECTIVES • Give an outline of the history of computer security. • Explain the context in which familiar security mechanisms were originally developed. • Show how changes in the application of IT pose new challenges in computer security. • Discuss the impact of disruptive technologies on computer security. 2 1 HISTORY OF COMPUTER SECURITY 1.1 T H E D A W N O F C O M P U T E R S E C U R I T Y New security challenges arise when new – or old – technologies are put to new use. The code breakers at Bletchley Park pioneered the use of electronic programmable computers during World War II [117, 233]. The first electronic computers were built in the 1940s (Colossus, EDVAC, ENIAC) and found applications in academia (Ferranti Mark I, University of Manchester), commercial organizations (LEO, J. Lyons & Co.), and government agencies (Univac I, US Census Bureau) in the early 1950s. Computer security can trace its origins back to the 1960s. Multi-user systems emerged, needing mechanisms for protecting the system from its users, and the users from each other. Protection rings (Section 5.6.4) are a concept dating from this period [108]. Two reports in the early 1970s signal the start of computer security as a field of research in its own right. The RAND report by Willis Ware [231] summarized the technical foundations computer security had acquired by the end of the 1960s. The report also produced a detailed analysis of the policy requirements of one particular application area, the protection of classified information in the US defence sector. This report was followed shortly after by the Anderson report [9] that laid out a research programme for the design of secure computer systems, again dominated by the requirement of protecting classified information. In recent years the Air Force has become increasingly aware of the problem of computer security. This problem has intruded on virtually any aspect of USAF operations and administration. The problem arises from a combination of factors that includes: greater reliance on the computer as a data-processing and decision-making tool in sensitive functional areas; the need to realize economies by consolidating ADP [automated data processing] resources thereby integrating or co-locating previously separate data-processing operations; the emergence of complex resource sharing computer systems providing users with capabilities for sharing data and processes with other users; the extension of resource sharing concepts to networks of computers; and the slowly growing recognition of security inadequacies of currently available computer systems. [9] We will treat the four decades starting with the 1970s as historical epochs. We note for each decade the leading innovation in computer technology, the characteristic applications of that technology, the security problems raised by these applications, and the developments and state of the art in finding solutions for these problems. Information technologies may appear in our time line well after their original inception. However, a new technology becomes a real issue for computer security only when it is sufficiently mature and deployed widely enough for new applications with new security problems to materialize. With this consideration in mind, we observe that computer security has passed through the following epochs: • • • • 1970s: age of the mainframe, 1980s: age of the PC, 1990s: age of the Internet, 2000s: age of the web. 1.2 1970s – MAINFRAMES 1.2 1 9 7 0 s – M A I N F R A M E S Advances in the design of memory devices (IBM’s Winchester disk offered a capacity of 35–70 megabytes) facilitated the processing of large amounts of data (for that time). Mainframes were deployed mainly in government departments and in large commercial organizations. Two applications from public administration are of particular significance. First, the defence sector saw the potential benefits of using computers, but classified information would have to be processed securely. This led the US Air Force to create the study group that reported its finding in the Anderson report. The research programmes triggered by this report developed a formal state machine model for the multi-level security policies regulating access to classified data, the Bell–LaPadula model (Chapter 11), which proved to be highly influential on computer security research well into the 1980s [23]. The Multics project [187] developed an operating system that had security as one of its main design objectives. Processor architectures were developed with support for primitives such as segmentations or capabilities that were the basis for the security mechanisms adopted at the operating system level [92]. The second application field was the processing of ‘unclassified but sensitive’ data such as personal information about citizens in government departments. Government departments had been collecting and processing personal data before, but with mainframes data-processing at a much larger scale became a possibility. It was also much easier for staff to remain undetected when snooping around in filesystems looking for information they had no business in viewing. Both aspects were considered serious threats to privacy, and a number of protection mechanisms were developed in response. Access control mechanisms in the operating system had to support multi-user security. Users should be kept apart, unless data sharing was explicitly permitted, and prevented from interfering with the management of the mainframe system. The fundamental concepts for access control in Chapter 5 belong to this epoch. Encryption was seen to provide the most comprehensive protection for data stored in computer memory and on backup media. The US Federal Bureau of Standards issued a call for a data encryption standard for the protection of unclassified data. Eventually, IBM submitted the algorithm that became known as the Data Encryption Standard [221]. This call was the decisive event that began the public discussion about encryption algorithms and gave birth to cryptography as an academic discipline, a development deeply resented at that time by those working on communications security in the security services. A first key contribution from academic research was the concept of public-key cryptography published by Diffie and Hellman in 1976 [82]. Cryptography is the topic of Chapter 14. In the context of statistical database queries, a typical task in social services, a new threat was observed. Even if individual queries were guaranteed to cover a large enough query 3 4 1 HISTORY OF COMPUTER SECURITY set so as not to leak information about individual entries, an attacker could use a clever combination of such ‘safe’ statistical queries to infer information about a single entry. Aggregation and inference, and countermeasures such as randomization of query data, were studied in database security. These issues are taken up in Section 9.4. Thirdly, the legal system was adapted and data protection legislation was introduced in the US and in European countries and harmonized in the OECD privacy guidelines [188]; several legal initiatives on computer security issues followed (Section 9.6). Since then, research on cryptography has reached a high level of maturity. When the US decided to update the Data Encryption Standard in the 1990s, a public review process led to the adoption of the new Advanced Encryption Standard. This ‘civilian’ algorithm developed by Belgian researchers was later also approved in the US for the protection of classified data [68]. For the inference problem in statistical databases, pragmatic solutions were developed, but there is no perfect solution and the data mining community is today re-examining (or reinventing?) some of the approaches from the 1970s. Multi-level security dominated security research into the following decade, posing interesting research questions which still engage theoreticians today – research on non-interference is going strong – and leading to the development of high-assurance systems whose design had been verified employing formal methods. However, these high-assurance systems did not solve the problems of the following epochs and now appear more as specialized offerings for a niche market than a foundation for the security systems of the next epoch. 1.3 1 9 8 0 s – P E R S O N A L C O M P U T E R S Miniaturization and integration of switching components had reached the stage where computers no longer needed to be large machines housed in special rooms but were small enough to fit on a desk. Graphical user interfaces and mouse facilitated user-friendly input/output. This was the technological basis for the personal computer (PC), the innovation that, indirectly, changed the focus of computer security during the 1980s. The PC was cheap enough to be bought directly by smaller units in organizations, bypassing the IT department. The liberation from the tutelage of the IT department resounded through Apple’s famous launch of the Macintosh in 1984. The PC was a singleuser machine, the first successful applications were word processors and spreadsheet programs, and users were working on documents that may have been commercially sensitive but were rarely classified data. At a stroke, multi-level security and multiuser security became utterly irrelevant. To many security experts the 1980s triggered a retrograde development, leading to less protected systems, which in fairness only became less secure when they were later used outside their original environment. While this change in application patterns was gathering momentum, security research still took its main cues from multi-level security. Information-flow models and 1.3 1980s – PERSONAL COMPUTERS non-interference models were proposed to capture aspects not addressed in the Bell–LaPadula model. The Orange Book [224] strongly influenced the common perception of computer security (Section 13.2). High security assurance and multi-level security went hand in hand. Research on multi-level secure databases invented polyinstantiation so that users cleared at different security levels could enter data into the same table without creating covert channels [157]. We have to wait for the Clark–Wilson model (1987) [66] and the Chinese Wall model (1989) [44] to get research contributions influenced by commercial IT applications and coming from authors with a commercial background. Clark and Wilson present well-formed transactions and separation of duties as two important design principles for securing commercial systems. The Chinese Wall model was inspired by the requirement to prevent conflicts of interest in financial consultancy businesses. Chapter 12 covers both models. A less visible change occurred in the development of processor architectures. The Intel 80286 processor supported segmentation, a feature used by multi-user operating systems. In the 80386 processor this feature was no longer present as it was not used by Microsoft’s DOS. The 1980s also saw the first worms and viruses, interestingly enough first in research papers [209, 69] before they later appeared in the wild. The damage that could be done by attacking computer systems became visible to a wider public. We will briefly describe two incidents from this decade. Both ultimately led to convictions in court. 1.3.1 An Early Worm The Internet worm of 1988 exploited a number of known vulnerabilities such as brute force password guessing for remote login, bad configurations (sendmail in debug mode), a buffer overrun in the fingerd daemon, and unauthenticated login from trusted hosts identified by their network address which could be forged. The worm penetrated 5–10% of the machines on the Internet, which totalled approximately 60,000 machines at the time. The buffer overrun in the fingerd daemon broke into VAX systems running Unix 4BSD. A special 536-byte message to the fingerd was used to overwrite the system stack: pushl pushl movl pushl pushl pushl pushl movl chmk $68732f $6e69622f sp, r10 $0 $0 r10 $3 sp, ap $3b push ’/sh, ‹NUL›’ push ’/bin’ save address of start of string push 0 (arg 3 to execve) push 0 (arg 2 to execve) push string addr (arg 1 to execve) push argument count set argument pointer do "execve" kernel call The stack is thus set up so that the command execve("/bin/sh",0,0) will be executed on return to the main routine, opening a connection to a remote shell via 5 6 1 HISTORY OF COMPUTER SECURITY TCP [213]. Chapter 10 presents technical background on buffer overruns. The person responsible for the worm was brought to court and sentenced to a $10,050 fine and 400 hours of community service, with a three-year probation period (4 May 1990). 1.3.2 The Mad Hacker This security incident affected ICL’s VME/B operating system. VME/B stored information about files in file descriptors. All file descriptors were owned by the user :STD. For classified file descriptors this would create a security problem: system operators would require clearance to access classified information. Hence, :STD was not given access to classified file descriptors. In consequence, these descriptors could not be restored during a normal backup. A new user :STD/CLASS was therefore created who owned the classified file descriptors. This facility was included in a routine systems update. The user :STD/CLASS had no other purpose than owning file descriptors. Hence, it was undesirable and unnecessary for anybody to log in as :STD/CLASS. To make login impossible, the password for :STD/CLASS was defined to be the RETURN key. Nobody could login because RETURN would always be interpreted as the delimiter of the password and not as part of the password. The password in the user profile of :STD/CLASS was set by patching hexadecimal code. Unfortunately, the wrong field was changed and instead of a user who could not log in, a user with an unrecognizable security level was created. This unrecognizable security level was interpreted as ‘no security’ so the designers had achieved the opposite of their goal. There was still one line of defence left. User :STD/CLASS could only log in from the master console. However, once the master console was switched off, the next device opening a connection would be treated as the master console. These flaws were exploited by a hacker who himself was managing a VME/B system. He thus had ample opportunity for detailed analysis and experimentation. He broke into a number of university computers via dial-up lines during nighttime when the computer centre was not staffed, modifying and deleting system and user files and leaving messages from The Mad Hacker. He was successfully tracked, brought to court, convicted (under the UK Criminal Damage Act of 1971), and handed a prison sentence. The conviction, the first of a computer hacker in the United Kingdom, was upheld by the Court of Appeal in 1991. 1.4 1 9 9 0 s – I N T E R N E T At the end of 1980s it was still undecided whether fax (a service offered by traditional telephone operators) or email (an Internet service) would prevail as the main method of document exchange. By the 1990s this question had been settled and this decade became without doubt the epoch of the Internet. Not because the Internet was created 1.4 1990s – INTERNET in the 1990s – it is much older – but because new technology became available and because the Internet was opened to commercial use in 1992. The HTTP protocol and HTML provided the basis for visually more interesting applications than email or remote procedure calls. The World Wide Web (1991) and graphical web browsers (Mosaic, 1993) created a whole new ‘user experience’. Both developments facilitated a whole new range of applications. The Internet is a communications system so it may be natural that Internet security was initially equated with communications security, and in particular with strong cryptography. In the 1990s, the ‘crypto wars’ between the defenders of (US) export restrictions on encryption algorithms with more than 40-bit keys and advocates for the use of unbreakable (or rather, not obviously breakable) encryption was fought to an end, with the proponents of strong cryptography emerging victorious. Chapter 16 presents the communications security solutions developed for the Internet in the 1990s. Communications security, however, only solves the easy problem, i.e. protecting data in transit. It should have been clear from the start that the real problems resided elsewhere. The typical end system was a PC, no longer stand-alone or connected to a LAN, but connected to the Internet. Connecting a machine to the Internet has two major ramifications. The system owner no longer controls who can send inputs to this machine; the system owner no longer controls what input is sent to the machine. The first observation rules out traditional identity-based access control as a viable protection mechanism. The second observation points to a new kind of attack, as described by Aleph One in his paper on ‘Smashing the Stack for Fun and Profit’ (1996) [6]. The attacker sends intentionally malformed inputs to an open port on the machine that causes a buffer overrun in the program handling the input, transferring control to shellcode inserted by the attacker. Chapter 10 is devoted to software security. The Java security model addressed both issues. Privileges are assigned depending on the origin of code, not according to the identity of the user running a program. Remote code (applets) is put in a sandbox where it runs with restricted privileges only. As a type-safe language, the Java runtime system offers memory safety guarantees that prevent buffer overruns and the like. Chapter 20 explores the current state of code-based access control. With the steep rise in the number of exploitable software vulnerabilities reported in the aftermath of Aleph One’s paper and with several high profile email-based virus attacks sweeping through the Internet, ‘trust and confidence’ in the PC was at a low ebb. In reaction, Compaq, Hewlett-Packard, IBM, Intel, and Microsoft founded the Trusted Computing Platform Alliance in 1999, with the goal of ‘making the web a safer place to surf’. Advances in computer graphics turned the PC into a viable home entertainment platform for computer games, video, and music. The Internet became an attractive new distribution 7 8 1 HISTORY OF COMPUTER SECURITY channel for companies offering entertainment services, but they had to grapple with technical issues around copy protection (not provided on a standard PC platform of that time). Copy protection had been explored in the 1980s but in the end deemed unsuitable for mass market software; see [110, p. 59). In computer security, digital rights management (DRM) added a new twist to access control. For the first time access control did not protect the system owner from external parties. DRM enforces the security policy of an external party against actions by the system owner. For a short period, DRM mania reached a stage where access control was treated as a special case of DRM, before a more sober view returned. DRM was the second driving force of trusted computing, introducing remote attestation as a mechanism that would allow a document owner to check the software configuration of the intended destination before releasing the document. This development is taken up in Sections 15.6 and 20.7. Availability, one of the ‘big three’ security properties, had always been of paramount importance in commercial applications. In previous epochs, availability had been addressed by organizational measures such as contingency plans, regular backup of data, and fall-back servers preferably located at a distance from a company’s main premises. With the Internet, on-line denial-of-service attacks became a possibility and towards the end of the 1990s a fact. In response, firewalls and intrusion detection systems became common components of network security architectures (Chapter 17). The emergence of on-line denial-of-service attacks led to a reconsideration of the engineering principles underpinning the design of cryptographic protocols. Strong cryptography can make protocols more exploitable by denial-of-service attacks. Today protocols are designed to balance the workload between initiator and responder so that an attacker would have to expend the same computational effort as the victim. 1.5 2 0 0 0 s – T H E W E B When we talk about the web, there is on one side the technology: the browser as the main software component at the client managing the interaction with servers and displaying pages to the user; HTTP as the application-level communications protocol; HTML and XML for data formats; client-side and server-side scripting languages for dynamic interactions; WLAN and mobile phone systems providing ubiquitous network access. On the other side, there are the users of the web: providers offering content and services, and the customers of those offerings. The technology is mainly from the 1990s. The major step forward in the 2000s was the growth of the user base. Once sufficiently many private users had regular and mobile Internet access, companies had the opportunity of directly interacting with their customers and reducing costs by eliminating middlemen and unnecessary transaction steps. In the travel sector budget airlines were among the first to offer web booking of flights, demonstrating that paper tickets can be virtualized. Other airlines