Rating: Summary: Superb Review: This book gives an excellent introduction to the subject of computer security, both from a practical and theoretical point of view. Computer scientists and not security professionals will probably gain the most from the reading of the book, but there is enough practical discussion to allow the latter to gain more insight into various aspects of computer security, particularly in the mathematics of encryption. The book is designed for use in academic classroom settings, and the author gives two different outlines for use in both undergraduate and graduate level courses. The book is divided up into 9 parts, only parts 2 and 3 of which I read in any detail, with the rest only briefly perused. For this reason only these two parts will be reviewed here.

Part 2 of the book is a view of security from the standpoint of theoretical computer science. The author discusses models for the decidability of security systems, i.e. is there a generic algorithm that will determine whether a computer system is secure? As expected, this question is addressed in the context of Turing machines, and the author shows that it is undecidable whether a given state of a given protection system is safe for a given generic right. However the proof proceeds by contradiction, and those of us who insist on constructive proofs in all of mathematics will not accept this one. It would be interesting to find a constructive proof of this result. If the protection system is restricted in some way then the safety question is decidable. The author discusses such a system, the "Take-Grant Protection Model", in terms of directed graphs, and he shows that this model is decidable in linear time with respect to the size of the graph. He then explains the reasons why a safety model can be decidable versus one that cannot be, via a highly technical discussion of the "Schematic Protection Model" (SPM).
This section is very interesting due to the nature of the mathematical constructions that are used. These constructions make it readily apparent why the (undecidable) Harrison-Ruzzo-Ullman (HRU) model is more expressive than the SPM. The expressive power of the different models derives from the notion of a 'type', and this motivates the author to consider the 'typed access matrix model' and its utility in detailing a system's safety properties.

In Part 3, the author gets down to more practical matters, and discusses the implementation of security policies. Taking a computer system to be a finite-state automaton with transition functions that change state, a security policy is defined as a statement that partitions these states into 'secure' and 'nonsecure' states. Secure systems are defined as those that cannot enter a nonsecure state if they are in a secure state. All throughout this part the author emphasizes the fact that all security policies are based on assumptions that would lead to the destruction of these policies if they are false. The author discusses a practical example of a security policy in this part. Also discussed is the relation between security and precision, with the idea of a covert channel arising in this context. The author proves that there is no general procedure for constructing a system that conforms exactly to a specific security policy but that allows all actions that the policy allows. The Bell-LaPadula confidentiality model, which has its origins in military applications, is also discussed in Part 3. The author explains a confidentiality policy as being an 'information flow policy', which prevents the unauthorized disclosure of information, with unauthorized alteration of information being secondary. An explicit example of this security involving a UNIX operating system is discussed. A formal model is then proposed, and the author then uses the accompanying formalism to prove the 'basic security theorem'.
The formal model constructed by the author is interesting in that it can be viewed as a (discrete) dynamical system, with transitions governed by decisions that are responding to requests for access. A system is called secure if it satisfies three conditions, namely the 'simple security condition', the '*-property', and the 'discretionary security property'. The first condition states that a subject that can read or write to an object must dominate it. The *-property states that if a subject can write to an object, the classification of the object must dominate the subject's clearance; if the subject can also read the object, the subject's clearance must be the same as the object's classification. The discretionary security property relates the authority of the access control matrix to allow the controller of an object to condition access based on identity. The author also discusses in detail the objections to the Bell-LaPadula model of computer security.

The author then directs his attention to integrity policies, wherein the emphasis is on ensuring data integrity, and he discusses various integrity security policies in this regard. One of these is the Biba integrity model, which as it turns out is the mathematical dual of the Bell-LaPadula model, wherein a system is now composed of a set of subjects, objects, and integrity levels. The higher the "integrity level", the more confidence there is that a program will execute correctly. This model is then generalized to the Lipner integrity matrix model, which is a hybrid of Biba and Bell-LaPadula, this being done to obtain a model more suitable for commercial needs. The author then considers the Clark-Wilson integrity model, which uses transactions as the basic operation, and wherein data subjected to integrity controls becomes 'constrained data items.'
Various certification and enforcement rules are imposed that give this model more commercial applicability than the others, even though the certification process can be very complex and prone to error. The author compares the Clark-Wilson model with the Biba model and is clearly on the side of the former in terms of practicality, although in the exercises he asks the reader to construct an emulation of the Biba model using Clark-Wilson.
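The Bell-LaPadula conditions and their Biba dual that the review above summarizes, as an added worked example (this is not code from the book or from the reviewer): a small reference monitor in Python that layers the lattice checks over a discretionary access matrix. It follows the standard formulation in which a read requires the subject's label to dominate the object's, a write requires the object's label to dominate the subject's, and simultaneous read and write therefore forces equal labels; Biba strict integrity swaps the two directions. The level names, subjects, objects and access matrix are constructed sample data, and the class and function names are this example's own.

```python
"""Lattice reference monitor: Bell-LaPadula confidentiality checks and their
Biba dual, layered over a discretionary access matrix.

Added example for this review page, not code from Bishop's book. All labels,
subjects, objects and matrix entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Linear sensitivity levels; together with category sets they form a lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """(L1, C1) dom (L2, C2) iff L1 >= L2 and C2 is a subset of C1."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class LatticeMonitor:
    """Decides access requests under a mandatory lattice policy plus an
    access matrix. policy is "confidentiality" (Bell-LaPadula) or
    "integrity" (Biba strict integrity)."""

    def __init__(self, policy: str, subjects: Dict[str, Label],
                 objects: Dict[str, Label],
                 matrix: Dict[Tuple[str, str], Set[str]]):
        if policy not in ("confidentiality", "integrity"):
            raise ValueError(policy)
        self.policy, self.subjects = policy, subjects
        self.objects, self.matrix = objects, matrix

    def mandatory_ok(self, s: Label, o: Label, right: str) -> bool:
        if self.policy == "confidentiality":
            # BLP: the simple security condition forbids reading up, the
            # *-property forbids writing down.
            read_ok, write_ok = s.dominates(o), o.dominates(s)
        else:
            # Biba is the dual: no reading down (low-integrity input) and
            # no writing up (contaminating high-integrity data).
            read_ok, write_ok = o.dominates(s), s.dominates(o)
        if right == "read":
            return read_ok
        if right == "write":
            return write_ok
        if right == "readwrite":
            # Dominance in both directions, so the labels must be equal.
            return read_ok and write_ok
        raise ValueError(f"unknown right {right!r}")

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """Discretionary security property: the owner-granted matrix entry is
        necessary; the mandatory lattice check is then applied on top."""
        needed = {"read", "write"} if right == "readwrite" else {right}
        if not needed <= self.matrix.get((subject, obj), set()):
            return False
        return self.mandatory_ok(self.subjects[subject], self.objects[obj], right)


# Constructed sample data (hypothetical names, not from the book).
SUBJECTS = {
    "alice": Label("SECRET", frozenset({"NUC"})),
    "bob": Label("CONFIDENTIAL"),
}
OBJECTS = {
    "plan": Label("SECRET", frozenset({"NUC"})),
    "memo": Label("CONFIDENTIAL"),
    "briefing": Label("TOP SECRET", frozenset({"NUC"})),
}
# Owners granted read and write everywhere except bob's write access to memo.
MATRIX = {(s, o): {"read", "write"} for s in SUBJECTS for o in OBJECTS}
MATRIX[("bob", "memo")] = {"read"}


def demo() -> Dict[Tuple[str, str, str, str], bool]:
    """Evaluate the same labels and matrix under both policies."""
    requests = [
        ("alice", "memo", "read"), ("alice", "memo", "write"),
        ("alice", "briefing", "read"), ("alice", "briefing", "write"),
        ("alice", "plan", "readwrite"),
        ("bob", "plan", "read"), ("bob", "plan", "write"),
        ("bob", "memo", "write"),
    ]
    decisions = {}
    for policy in ("confidentiality", "integrity"):
        monitor = LatticeMonitor(policy, SUBJECTS, OBJECTS, MATRIX)
        for s, o, r in requests:
            decisions[(policy, s, o, r)] = monitor.allowed(s, o, r)
    return decisions


if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "ALLOW" if ok else "DENY")
```

Running it shows the duality directly: under confidentiality alice (SECRET) may read the CONFIDENTIAL memo but not write to it, and may write to but not read the TOP SECRET briefing; under integrity every one of those four decisions flips. The bob/memo request is denied under both policies even though the labels are equal, because the access matrix withholds write, which is the discretionary property acting on its own.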
Rating: Summary: What a gift to the security profession! Review: This book is simply superb - a comprehensive, beautifully written text for information security students and practitioners. Matt Bishop has decades of security-related contributions to his credit and his book reflects his accumulated wisdom on all things security. I believe that those colleges and universities that offer information security degree programs will certainly use this book as text for those programs, and in doing so, will serve their students extremely well. And for those of us who are laboring in the security vineyard, this book represents a rare opportunity to refine our understanding of the fundamentals by tuning in to the thoughts of a master teacher and practitioner. Well done!!