Security Engineering

A Guide to Building Dependable Distributed Systems

Ross Anderson

Publisher: Wiley, 2001, 612 pages

ISBN: 0-471-38922-6

Keywords: IT Security

Last modified: April 10, 2021, 10:23 p.m.

"Many people are anxious about Internet security for PCs and servers," says leading expert Ross Anderson, "as if that's all there is when in reality security problems have just begun. By 2003, there may be more mobile phones on the Net than PCs, and they will be quickly followed by network-connected devices from refrigerators to burglar alarms to heart monitors. How will we manage the risks?"

Dense with anecdotes and war stories, readable, up-to-date and full of pointers to recent research, this book will be invaluable to you if you have to design systems to be resilient in the face of malice as well as error. Anderson provides the tools and techniques you'll need, discusses what's gone wrong in the past, and shows you how to get your design right the first time around.

You don't need to be a security expert to understand Anderson's truly accessible discussion of:

  • Security engineering basics, from protocols, cryptography, and access controls to the nuts and bolts of distributed systems
  • The lowdown on biometrics, tamper resistance, security seals, copyright markings, and many other protection technologies — for many of them, this is the first detailed information in an accessible textbook
  • What sort of attacks are done on a wide range of systems — from banking and medical records through burglar alarms and smart cards to mobile phones and e-commerce — and how to stop them
  • Management and policy issues — how computer security interacts with the law and with corporate culture
  • Part One
    1. What is Security Engineering?
      1. Introduction
      2. A Framework
      3. Example 1 — A Bank
      4. Example 2 — An Air Force Base
      5. Example 3 — A Hospital
      6. Example 4 — The Home
      7. Definitions
      8. Summary
    2. Protocols
      1. Password Eavesdropping Risks
      2. Who Goes There? Simple Authentication
        1. Challenge and Response
        2. The MIG-in-the-Middle Attack
        3. Reflection Attacks
      3. Manipulating the Message
      4. Changing the Environment
      5. Chosen Protocol Attacks
      6. Managing Encryption Keys
        1. Basic Key Management
        2. The Needham-Schroeder Protocol
        3. Kerberos
      7. Getting Formal
        1. A Typical Smartcard Banking Protocol
        2. The BAN Logic
        3. Verifying the Payment Protocol
        4. Limitations of Formal Verification
      8. Summary
      • Research Problems
      • Further Reading
    3. Passwords
      1. Basics
      2. Applied Psychology Issues
        1. Social Engineering
        2. Difficulties with Reliable Password Entry
        3. Difficulties with Remembering the Password
      3. System Issues
        1. Protecting Oneself or Others?
        2. Intrusion Detection Issues
        3. Can Users Be Trained?
        4. The Growing Famine for Security Data
      4. Technical Protection of Passwords
        1. Attacks on Password Entry
        2. Attacks on Password Storage
        3. Absolute Limits
      5. Summary
      • Research Problems
      • Further Reading
    4. Access Control
      1. Introduction
      2. Operating System Access Controls
        1. Groups and Roles
        2. Access Control Lists
        3. Unix Operating System Security
        4. Windows NT
        5. Capabilities
        6. Added Features in Windows 2000
        7. Granularity
        8. Sandboxing and Proof-Carrying Code
        9. Object Request Brokers
      3. Hardware Protection
        1. Intel 80x86/Pentium Processors
        2. ARM Processors
        3. Security Processors
        4. Other Processors
      4. What Goes Wrong
        1. Smashing the Stack
        2. Other Technical Attacks
        3. User Interface Failures
        4. Why So Many Things Go Wrong
        5. Remedies
        6. Environmental Creep
      5. Summary
      • Research Problems
      • Further Reading
    5. Cryptography
      1. Introduction
      2. Historical Background
        1. An Early Stream Cipher: The Vigenère
        2. The One-Time Pad
        3. An Early Block Cipher: Playfair
        4. One-Way Functions
        5. Asymmetric Primitives
      3. The Random Oracle Model
        1. Random Functions: Hash Functions
        2. Random Generators: Stream Ciphers
        3. Random Permutations: Block Ciphers
        4. Public Key Encryption and Trapdoor One-Way Permutations
        5. Digital Signatures
      4. Symmetric Crypto Primitives
        1. SP-Networks
        2. The Advanced Encryption Standard (AES)
        3. Feistel Ciphers
      5. Modes of Operation
        1. Electronic Code Book
        2. Cipher Block Chaining
        3. Output Feedback
        4. Counter Encryption
        5. Cipher Feedback
        6. Message Authentication Code
      6. Hash Functions
        1. Extra Requirements on the Underlying Cipher
        2. Common Hash Functions and Applications
      7. Asymmetric Crypto Primitives
        1. Cryptography Based On Factoring
        2. Cryptography Based on Discrete Logarithms
        3. Special-Purpose Primitives
        4. Certification
        5. The Strength of Asymmetric Cryptographic Primitives
      8. Summary
      • Research Problems
      • Further Reading
    6. Distributed Systems
      1. Concurrency
        1. Using Old Data versus Paying to Propagate State
        2. Locking to Prevent Inconsistent Updates
        3. Order of Updates
        4. Deadlock
        5. Non-convergent State
        6. Secure Time
      2. Failure Tolerance and Failure Recovery
        1. Failure Models
        2. What Is Resilience For?
        3. At What Level Is the Redundancy?
        4. Service Denial Attacks
      3. Naming
        1. The Distributed Systems View of Naming
        2. What Else Goes Wrong
        3. Types of Names
      4. Summary
      • Research Problems
      • Further Reading
  • Part Two
    1. Multilevel Security
      1. Introduction
      2. What Is a Security Policy Model?
      3. The Bell-LaPadula Security Policy Model
        1. Classifications and Clearances
        2. Information Flow Control
        3. Standard Criticisms of Bell-LaPadula
        4. Alternative Formulations
        5. The Biba Model
      4. Examples of Multilevel Secure Systems
        1. SCOMP
        2. Blacker
        3. MLS UNIX, CMWs, and Trusted Windowing
        4. The NRL Pump
        5. Logistics Systems
        6. Purple Envelope
        7. Future MLS Systems
      5. What Goes Wrong
        1. Composability
        2. The Cascade Problem
        3. Covert Channels
        4. The Threat from Viruses
        5. Polyinstantiation
        6. Other Practical Problems
      6. Broader Implications of MLS
      7. Summary
      • Research Problems
      • Further Reading
    2. Multilateral Security
      1. Introduction
      2. Compartmentation, the Chinese Wall, and the BMA Model
        1. Compartmentation and the Lattice Model
        2. The Chinese Wall
        3. The BMA Model
        4. Comparative Analysis
      3. Inference Control
        1. Basic Problems of Inference In Medicine
        2. Other Applications of Inference Control
        3. The Theory of Inference Control
        4. Limitations of Generic Approaches
        5. The Value of Imperfect Protection
      4. The Residual Problem
      5. Summary
      • Research Problems
      • Further Reading
    3. Banking and Bookkeeping
      1. Introduction
        1. The Origin of Bookkeeping
        2. Double-entry Bookkeeping
      2. How Bank Computer Systems Work
        1. The Clark-Wilson Security Policy Model
        2. Separation of Duties
        3. What Goes Wrong
      3. Wholesale Payment Systems
        1. SWIFT
        2. What Goes Wrong
      4. Automatic Teller Machines
        1. ATM Basics
        2. What Goes Wrong
        3. Practical Implications
      5. Summary
      • Research Problems
      • Further Reading
    4. Monitoring Systems
      1. Introduction
      2. Alarms
        1. The Threat Model
        2. How Not to Protect a Painting
        3. Sensor Defeats
        4. Feature Interactions
        5. Attacks on Communications
        6. Lessons Learned
      3. Prepayment Meters
        1. Utility Metering
        2. How the System Works
        3. What Goes Wrong
      4. Taximeters, Tachographs, and Truck Speed Limiters
        1. What Goes Wrong
        2. Countermeasures
      5. Summary
      • Research Problems
      • Further Reading
    5. Nuclear Command and Control
      1. Introduction
      2. The Kennedy Memorandum
      3. Unconditionally Secure Authentication Codes
      4. Shared Control Schemes
      5. Tamper Resistance and PALs
      6. Treaty Verification
      7. What Goes Wrong
      8. Secrecy or Openness?
      9. Summary
      • Research Problems
      • Further Reading
    6. Security Printing and Seals
      1. Introduction
      2. History
      3. Security Printing
        1. Threat Model
        2. Security Printing Techniques
      4. Packaging and Seals
        1. Substrate Properties
        2. The Problem of Glue
      5. Systematic Vulnerabilities
        1. Peculiarities of the Threat Model
        2. Staff Diligence
        3. The Effect of Random Failure
        4. Materials Control
        5. Not Protecting the Right Things
        6. The Cost and Nature of Inspection
      6. Evaluation Methodology
      7. Summary
      • Research Problems
      • Further Reading
    7. Biometrics
      1. Introduction
      2. Handwritten Signatures
      3. Face Recognition
      4. Fingerprints
      5. Iris Codes
      6. Voice Recognition
      7. Other Systems
      8. What Goes Wrong
      9. Summary
      • Research Problems
      • Further Reading
    8. Physical Tamper Resistance
      1. Introduction
      2. History
      3. High-End Physically Secure Processors
      4. Evaluation
      5. Medium-Security Processors
        1. The iButton
        2. The Dallas 5002
        3. The Capstone/Clipper Chip
      6. Smartcards and Microcontrollers
        1. Architecture
        2. Security Evolution
        3. The State of the Art
      7. What Goes Wrong
        1. Protecting the Wrong Things: Architectural Errors
        2. Protecting the Wrong Things: Security-by-Obscurity and Evaluation Errors
        3. Protecting Things Wrongly: Protocol Failure
        4. Function Creep
      8. What Should Be Protected?
      9. Summary
      • Research Problems
      • Further Reading
    9. Emission Security
      1. Introduction
      2. History
      3. Technical Surveillance and Countermeasures
      4. Passive Attacks
        1. Leakage through Power and Signal Cables
        2. Leakage through RF Signals
      5. Active Attacks
        1. Tempest Viruses
        2. Nonstop
        3. Glitching
        4. Differential Fault Analysis
        5. Combustion Attacks
        6. Commercial Exploitation
        7. Defenses
      6. How Serious Are Emsec Attacks?
        1. Governments
        2. Businesses
      7. Summary
      • Research Problems
      • Further Reading
    10. Electronic and Information Warfare
      1. Introduction
      2. Basics
      3. Communications Systems
        1. Signals Intelligence Techniques
        2. Attacks on Communicators
        3. Protection Techniques
        4. Interaction Between Civilian and Military Uses
      4. Surveillance and Target Acquisition
        1. Types of Radar
        2. Jamming Techniques
        3. Advanced Radars and Countermeasures
        4. Other Sensors and Multisensor Issues
      5. IFF Systems
      6. Directed Energy Weapons
      7. Information Warfare
        1. Definitions
        2. Doctrine
        3. Potentially Useful Lessons Learned from Electronic Warfare
        4. Differences Between E-War and I-War
      8. Summary
      • Research Problems
      • Further Reading
    11. Telecom System Security
      1. Introduction
      2. Phone Phreaking
        1. Attacks on Metering
        2. Attacks on Signalling
        3. Attacks on Switching and Configuration
        4. Insecure End Systems
        5. Feature Interaction
      3. Mobile Phones
        1. Mobile Phone Cloning
        2. GSM System Architecture
        3. Communications Security Mechanisms
        4. The Next Generation: 3gpp
        5. GSM Security: A Success or Failure?
      4. Corporate Fraud
      5. Summary
      • Research Problems
      • Further Reading
    12. Network Attack and Defence
      1. Introduction
        1. The Most Common Attacks
        2. Skill Issues: Script Kiddies and Packaged Defense
      2. Vulnerabilities in Network Protocols
        1. Attacks on Local Networks
        2. Attacks Using Internet Protocols and Mechanisms
      3. Defense against Network Attack
        1. Configuration Management
        2. Firewalls
        3. Strengths and Limitations of Firewalls
        4. Encryption
      4. Trojans, Viruses, and Worms
        1. Early History of Malicious Code
        2. The Internet Worm
        3. How Viruses and Worms Work
        4. The Arms Race
        5. Recent History
        6. Antivirus Measures
      5. Intrusion Detection
        1. Types of Intrusion Detection
        2. General Limitations of Intrusion Detection
        3. Specific Problems Detecting Network Attacks
      6. Summary
      • Research Problems
      • Further Reading
    13. Protecting E-Commerce Systems
      1. Introduction
      2. A Telegraphic History of E-Commerce
      3. An Introduction to Credit Cards
        1. Fraud
        2. Forgery
        3. Automatic Fraud Detection
        4. Economics
      4. Online Credit Card Fraud: The Hype and the Reality
      5. Cryptographic Protection Mechanisms
        1. SSL
        2. SET
        3. PKI
        4. EDI and Business-to-Business Systems
        5. E-Purses and Micropayments
      6. Network Economics
      7. Competitive Applications and Corporate Warfare
      8. What Else Goes Wrong
      9. What Can a Merchant Do?
      10. Summary
      • Research Problems
      • Further Reading
    14. Copyright and Privacy Protection
      1. Introduction
      2. Copyright
        1. Software
        2. Books
        3. Audio
        4. Video and Pay-TV
        5. DVD
      3. Information Hiding
        1. The DVD Marking Concept
        2. General Information-Hiding Techniques
        3. Attacks on Copyright-Marking Schemes
        4. Applications of Copyright-Marking Schemes
      4. Privacy Mechanisms
        1. Content Hiding: PGP
        2. Content Deniability — Steganography
        3. Association Hiding — Remailers and the Dining Cryptographers
        4. Association Deniability — Digital Cash
        5. Other Applications and Issues
      5. Summary
      • Research Problems
      • Further Reading
    15. E-Policy
      1. Introduction
      2. Cryptography Policy
        1. The History of Police Wiretapping
        2. The History of Traffic Analysis
        3. Communications Intelligence on Foreign Targets
        4. The History of Crypto Policy
        5. Discussion
      3. Copyright
        1. DMCA
        2. The Forthcoming European Directive and UCITA
      4. Data Protection
        1. European Data Protection: History
        2. Differences between Europe and the United States
        3. Current Trends
      5. Evidential Issues
        1. Admissibility of Evidence
        2. Reliability of Evidence
        3. Electronic Signatures
        4. Burden of Proof
      6. Other Public Sector Issues
        1. Service Delivery
        2. Social Exclusion and Discrimination
        3. Revenue Protection
        4. Elections
      7. Summary
      • Research Problems
      • Further Reading
    16. Management Issues
      1. Introduction
      2. Managing a Security Project
        1. A Tale of Three Supermarkets
        2. Balancing Risk and Reward
        3. Organizational Issues
      3. Methodology
        1. Top-Down Design
        2. Iterative Design
        3. Lessons from Safety-Critical Systems
      4. Security Requirements Engineering
        1. Managing Requirements Evolution
        2. Managing Project Requirements
        3. Parallelizing the Process
      5. Risk Management
      6. Economic Issues
      7. Summary
      • Research Problems
      • Further Reading
    17. System Evaluation and Assurance
      1. Introduction
      2. Assurance
        1. Perverse Economic Incentives
        2. Project Assurance
        3. Process Assurance
        4. Assurance Growth
        5. Evolution and Security Assurance
      3. Evaluation
        1. Evaluations by the Relying Party
        2. The Common Criteria
        3. What Goes Wrong
      4. Ways Forward
        1. Semi-Open Design
        2. Open Source
        3. Penetrate-and-Patch, CERTs, and bugtraq
        4. Education
      5. Summary
      • Research Problems
      • Further Reading
    18. Conclusions

Reviews

Security Engineering

Reviewed by Roland Buresund

Rating: Good (7 out of 10)

Last modified: May 21, 2007, 3:23 a.m.

I wish all programmers were forced to follow the guidelines of this book. Life would be so much easier for all of us.
