Building a Secure Computer System

Computer systems are usually poor at keeping sensitive information out of the hands of daily users, even though most computer crimes are perpetrated by these same legitimate users. Because of the vast amount of sensitive information stored in today's computers and transversing computer networks, anyone designing a new computer system or updating an old one must pay serious attention to the security problem by investigating all possible means of unauthorized data access.

This book is for the computer professional or student who wants to understand and implement technical solutions to computer security problems. Building a Secure Computer System explains state-of-the-art computer security technology that addresses the major threats to security — information theft and tampering by insiders. It is a practical guide that describes how to use the latest software and hardware techniques in all stages of development — from early design inception to the implementation and daily operation of the computer facility.

• Part I: Overview
1. What is Computer Security?
1. Secrecy, Integrity, and Denial of Service
2. Trusted System Evaluation Criteria
2. Why Systems Are Not Secure
1. Security Is Fundamentally Difficult
2. Security Is an Afterthought
3. Security Is an Impediment
4. False Solutions Impede Progress
5. The Problem Is People, Not Computers
6. Technology Is Oversold
3. General Concepts
1. Internal and External Security
2. The System Boundary and the Security Perimeter
3. Users and Trust
1. Protecting the User from Self-betrayal
2. Identification and Authentication
4. Trusted Systems
1. Trojan Horses
5. Subjects, Objects, and Access Control
1. Access Control
2. Security Policy
4. Design Techniques
1. System Structures
2. Structure of a Computer System
3. System States
4. The Reference Monitor and Security Kernels
5. System Development Process
• Part II: Detailed Concepts
5. Principles of a Security Architecture
1. Consider Security from the Start
2. Anticipate Future Security Requirements
3. Minimize and Isolate Security Controls
4. Enforce Least Privilege
5. Structure the Security-Relevant Functions
6. Make Security Friendly
7. Do Not Depend on Secrecy for Security
6. Access Control and Multilevel Security
1. Access to the System
2. Discretionary Access Control
1. Passwords for File Access
2. Capability List
3. Owner/Group/Other
4. Access Control Lists
5. Trojan Horse Threats
3. Mandatory Access Control
4. Multilevel Security
1. Military Security Policy
2. A Note on Terminology
3. Mathematical Relationships
4. Multilevel Security Rules
5. Integrity
7. Trojan Horses and Covert Channels
1. Trojan Horses and Viruses
1. Trojan Horse Examples
2. Limiting the Trojan Horse
2. Covert Channels
1. Covert Storage Channels
2. Covert Timing Channels
3. Trap Doors
• Part III: Implementation
8. Hardware Security
1. Hardware/Firmware/Software Trade-offs
2. Process Support
3. Memory Protection
1. Virtual Address Space
2. Virtual Memory Mapping
3. Demand Paging
4. Segmentation
5. Access Control with Memory Management
4. Execution Domains
1. Transfer of Control Across Domains
2. Argument Passing Across Domains
5. Input/Output Access Control
1. Programmed I/O
2. Unmapped I/O
3. Premapped I/O
4. Fully Mapped I/O
6. Multiprocessor Support
9. Security Models
1. Role of a Security Model
2. Practical Applications of a Model
1. Security Model as a Security Specification
2. When Is a Model Useful?
3. Types of Security Models
4. Characteristics of a Security Model
5. State-Machine Models
1. Examples of a State Machine Model
2. Adding Constraints to State-Machine Access Models
3. The Bell and La Padula Security Model
6. Information-Flow Models
7. Informal Model-to-System Correspondence
1. Mapping the Functions
2. Mapping the Variables
3. Unmapped Functions and Variables
10. Security Kernels
1. The Reference Monitor
2. The Three Principles
1. Completeness
2. Isolation
3. Verifiability
3. Virtualization and Sharing
4. Trusted Path
5. Trusted Functions
6. Kernel Security Policies
7. Kernel Implementation Strategies
1. Case (a): Identical Operating System (Virtual Machine)
2. Case (b): Compatible Operating System (Emulation)
3. Case (c): New Operating System
11. Architectural Considerations
1. Operating System Layering
2. Asynchronous Attacks and Argument Validation
3. Protected Subsystems
4. Secure File Systems
1. Naming Structures
2. Unique Identifiers
5. Security Guards
6. Capability-based Architectures
12. Formal Specification and Verification
1. Formal Specification Techniques
2. Properties of Formal Specifications
3. Example of a Formal Specification
4. Specification-to-Model Correspondence
5. Techniques for Proving Specifications
6. Methods of Decomposition
1. Data Structure Refinement
2. Algorithmic Refinement
3. Procedural Abstraction
7. Information-Flow Analysis
1. Flow Rules
2. Flow Analysis Process
8. Code Correspondence Proofs
13. Networks and Distributed Systems
1. Overview of Networking Concepts
1. Protocol Hierarchies and Models
2. Characteristics of Protocols
3. Network Topologies and Components
2. Encryption
1. Fundamentals of Encryption
2. Security Services
3. Integrating Packet Encryption into a Protocol Architecture
4. Key Management
3. A Network Security Architecture
1. Network Subjects, Objects, and Access Control
2. Network Security Perimeter and Protected Path
3. Distributed Secure System
4. Mutually Suspicious Systems
4. Network Servers
   1. Authentication and Authorization Servers
   2. Name Servers
   3. Other Servers
5. Security Kernel on a Network
6. The Future of Secure Distributed Systems

A classical text that eveybody in IT security must have read. Still as valid after 15 years.