Biskup - Security in Computing Systems (Springer, 2009)


Security in Computing Systems: Challenges, Approaches and Solutions

Joachim Biskup

Prof. Dr. Joachim Biskup
Fakultät für Informatik
Technische Universität Dortmund
August-Schmidt-Str. 12
44227 Dortmund
Germany
joachim.biskup@cs.uni-dortmund.de

ISBN 978-3-540-78441-8 e-ISBN 978-3-540-78442-5
Library of Congress Control Number: 2008937819
ACM Computing Classification (1998): H.1.1, E.4, E.3, D.4.6, K.6.5
© 2009 Springer-Verlag Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permissions for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Cover design: KünkelLopka GmbH, Heidelberg, Germany
Printed on acid-free paper
springer.com

Preface

This monograph on Security in Computing Systems: Challenges, Approaches and Solutions aims at introducing, surveying and assessing the fundamentals of security with respect to computing. Here, “computing” refers to all activities which individuals or groups directly or indirectly perform by means of computing systems, i.e., by means of computers and networks of them built on telecommunication. We all are such individuals, whether enthusiastic or just bowed to the inevitable.
So, as part of the “information society”, we are challenged to maintain our values, to pursue our goals and to enforce our interests, by consciously designing a “global information infrastructure” on a large scale as well as by appropriately configuring our personal computers on a small scale. As a result, we hope to achieve secure computing: Roughly speaking, computer-assisted activities of individuals and computer-mediated cooperation between individuals should happen as required by each party involved, and nothing else which might be harmful to any party should occur.

The notion of security circumscribes many aspects, ranging from human qualities to technical enforcement. First of all, in considering the explicit security requirements of users, administrators and other persons concerned, we hope that usually all persons will follow the stated rules, but we also have to face the possibility that some persons might deviate from the wanted behavior, whether accidentally or maliciously. So, in order to achieve security, we have to protect our activities and cooperations against threatening “attackers”. Surely, however, as in everyday life, we also have to rely on trust in some partners. Otherwise, we would end up with staying in complete isolation and doing nothing. Second, since we have delegated a number of actions still increasing to computers, the components of a computing system themselves appear as subjects: we have to decide which components are to be trusted and which ones are to be considered as potential attackers. Additionally, while attacks are performed by technical components, usually under outside control, security enforcement also has to be achieved by use of technical components, preferably under our own control or under the control of trustworthy persons.
Finally, we are left with a central problem of computer science: how to design, implement and verify trusted components which will enforce our security requirements technically when running in a potentially hostile environment?

So far, we do not have easy and final answers, and probably we shall never get them. Social communications are in principle open to all kinds of both pleasant and frightening events, and so are the corresponding technical interactions within computing systems. Thus, in both domains, achieving security appears to be a never-ending task. Nevertheless, people have obtained great insight into social communication and organization over centuries and even millenniums, resulting in the concepts of fundamental human rights and individual self-determination within the framework of a balance of power in democratic societies. Clearly, insight is not enough: it also has to be realized. Correspondingly, over only the last few decades, computer science has collected basic knowledge about computing systems, resulting in a largely accepted body of essentials of secure computing and an impressive collection of applicable security mechanisms. Again, knowledge has to be materialized within actual computing systems.

In this book, we concentrate on the essentials of secure computing and a collection of the most promising security mechanisms. We have a reader in mind who knows about computer science and engineering, and who is able and willing to study details which are beyond the scope of this introduction and survey in more specialized texts. We present our view of the fundamental knowledge about security in computing systems, leaving more practical instructions for specific situations open either to the experience of the reader or, again, to other texts.
The material of this book is organized into four cross-referencing parts: challenges and basic approaches; fundamentals of information flow and inference control; security mechanisms, with an emphasis on control and monitoring on the one side and on cryptography on the other side; and implementations. Though we have made every effort to make the text readable in sequential order, the reader should be aware that getting a deeper understanding probably requires one to follow the cross-references back and forth.

Part One, on “Challenges and Basic Approaches”, starts with a more detailed elaboration of the notion of security in computing systems, emphasizing, among other things, the larger socio-technical context of security. Then, we identify information flow between senders and receivers as a fundamental abstraction of computing. This abstraction allows us to express security requirements in the form of interests of participants affected by information flows, and to face the inevitable trade-offs in this realm. Finally, we outline a view of computing systems and their vulnerabilities that should help the reader to see various security requirements and mechanisms within a broader technical context.

Part Two, on “Fundamentals of Information Flow and Inference Control”, examines the basic abstraction in more depth. We first clarify the impact of and the relevant relationships between the following notions: messages transmitted between parties, inferences made by some party, and the resulting information gain and knowledge. In doing so, we also outline appropriate formalizations in order to lay the foundations for algorithmic treatments. We are then prepared to understand inference control as a basic goal of engineering security in computing systems.
Sequential programs, parallel programs, (logic-oriented) information systems in general and statistical databases in particular are inspected in turn to determine whether and how we can algorithmically enforce security by inference control. Finally, we exhibit the close connection between the following events: on the one side, the possibility of making nontrivial inferences and thus the possibility of an information flow from one party to another, and on the other side, the possibility of interference by one party with another. Though many security requirements ultimately refer to the permission or the prohibition of information flows or interferences, their strict algorithmic enforcement turns out often to be limited for reasons of computational intractability or even non-computability. As a conclusion, we learn that for practical purposes, we must look for less ambitious though still effective approaches.

Part Three, on “Security Mechanisms”, provides a structured introduction to these approaches. We first identify three key ideas, and for each of them we sketch some related mechanisms. To briefly summarize, redundancy allows one to detect failures and attacks or even to recover from such unfortunate events, isolation prevents unwanted information flows or interferences, and indistinguishability makes maliciously planned observations appear random or uniformly expected and thus useless. In most practical situations, however, these key ideas have to be suitably combined in order to obtain overall effectiveness. Additionally, at run time, we nearly always have to properly identify or at least suitably classify agents and to authenticate them, and at design time, security administrators have to specify their security policies, which decide which agents are permitted to gain access to or are prohibited from gaining access to which operations on which objects.

There are two classes of techniques to combine these basic ideas.
The techniques of control and monitoring work roughly as follows: identifiable agents can get access rights granted and revoked, and access requests of agents are intercepted by control components that decide on allowing or denying the actual access. Additionally, the recordable activities of all agents are audited and examined for possible “intrusions”, i.e., whether they appear “acceptable” or “violating”.

The techniques of cryptography are based on secrets generated and kept by agents, rather than on identities. Such a secret can be exploited as a cryptographic key: the key holder is distinguished in being able to execute a specific operation in a meaningful way, while all other agents are not. This extremely powerful paradigm can be used in many ways, in particular as follows. For encryption, only the key holder can compute the plaintext belonging to a given ciphertext. For authentication and non-repudiation, only the key holder can compute a digital signature for a given message. Beyond these standard applications, there is a wealth of further possibilities, including anonymization, secret sharing and zero-knowledge proofs. Leaving technicalities aside, modern cryptography can be characterized as enabling cooperation under limited trust. Speaking more technically, cryptography allows one to reduce complex security requirements to an appropriate management of secrets.

Most real-life applications demand an appropriate combination of instantiations of both classes. Apparently, the secrecy of cryptographic keys has to be enforced by access control; and, often, identities used for control and monitoring are best authenticated by cryptographic means.
It is less obvious, but most important for the development of future interoperable systems built from autonomous agents, that access rights conceptually bound to specific agents can be managed by certificates and credentials, i.e., by digitally signed digital documents which refer to an agent by merely using a suitable reference (called a public key) to his secret cryptographic key.

Finally, in Part Four, on “Implementations”, we briefly review some selected implementations of security services. In particular, we show how basic and composite security mechanisms, as described in preceding chapters, have been put together to comply with the architecture of specific applications and meet their requirements. Taking suitable abstractions of UNIX, Oracle/SQL, CORBA, Kerberos, SPKI and PGP as examples, these applications include an operating system; a database management system; middleware systems, with distributed client–server systems as a special case; and a file and message system.

At the end of each chapter, we give some bibliographic hints. Faced with the huge number of contributions to the diverse topics of security in computing, we have made no attempt to cover the relevant literature completely. Rather, these hints reflect only the limited experience and background of the author.

As stated before, the presentation of all this material concentrates on the essentials of secure computing and a collection of the most promising security mechanisms; in most cases we leave out many formal details and full proofs, as well as practical advice about commercially available systems.

Nevertheless, throughout the chapters, where appropriate, we introduce formalizations. We strongly believe that security, like other branches of computer science and engineering, needs precise formalizations and thorough formal verifications based on them, including proofs in the style of mathematics.
This belief is in accordance with some highly ranked requirements of governmental security evaluation criteria. However, full formalizations would be beyond the scope (and a reasonable size) of this monograph, and the state of our knowledge often does not allow one to treat practical systems in a purely formal way.

Furthermore, relevance for practical purposes is intended to be achieved by preparing readers to engineer their specific computing systems from the point of view of security. This includes answering the following groups of related questions, all of which are discussed in the text.

The first group is concerned with the fundamental notion of security:
• What and whose security interests should be enforced?
• How to balance conflicting interests?
• What requirements result from legitimate security interests?

The second group deals with the core of the engineering of systems:
• What technical mechanisms support or enforce what security requirements?
• How can various security mechanisms be composed together?
• What organizational structures are needed to embed technical security mechanisms?

Finally, the third group assesses the achievements of security technology:
• How do you convince yourself and others about what kind and degree of security a specific security design and its implementation satisfy, and how do you verify this?
• What assumptions about trust and attacks, at the level of individuals and organizations as well as at the technical level, does the above conviction or verification rely on?

At this point, after having surveyed the amount of exciting material presented in this monograph (and many further publications) and after having advertised the readers’ anticipated benefit, a reminder to be modest is due:

Security deals with ensuring that computing systems actually do what various autonomous users expect them to do, even if some components or partners misbehave, either unwillingly or maliciously.
Thus the reader should always be aware of the intrinsic difficulties to be overcome.

A Guide to Reading and Teaching with this Book

I have written this rather voluminous text in the style of a monograph, to be read and studied by researchers, developers, academic teachers and advanced students interested in obtaining a comprehensive and unified view of security in computing systems. The text is not necessarily designed for teaching, though it is suitable.

Holding a volume like this, some readers might want to concentrate on specific aspects of the whole picture, rather than sequentially follow the full presentation. Moreover, some readers might wonder how to extract background material for a course on security, whether introductory or more specialized. In the following, I shall give some hints for selecting appropriate parts from the book.

Regarding concentrating on specific aspects, I can recommend that you use the book as follows, among other possibilities:

• For managers and non-specialists in security, the following parts of the book provide a (mostly informal) overview of the Essentials of Security, including the requirements and options for technical enforcement:
  Part One: Challenges and Basic Approaches (Chapters 1–3)
  Chapter 6: Key Ideas and Examples
  Chapter 7: Combined Techniques
  Chapter 8: Techniques of Control and Monitoring: Essentials
  Sections 17.1–3: UNIX Operating System, Oracle/SQL Database Management System and CORBA Middleware (only selections, as case studies)
  Chapter 10: Elements of a Security Architecture (introduction only)
  Section 10.1: Establishing Trust in Computing Systems
  Section 10.2: Layered Design (introduction only)
  Chapter 12: Techniques of Cryptography: Essentials (without Sections 12.7–8 and 12.9.4)
  Sections 17.4–6: Kerberos, Simple Public Key Infrastructure (SPKI/SDSI) and Pretty Good Privacy (PGP) (only selections, as case studies)

• For actual or prospective specialists in security with background knowledge, the following parts provide a (nearly) self-contained introduction to Control and Monitoring:
  Chapter 6: Key Ideas and Examples
  Chapter 7: Combined Techniques
  Chapter 8: Techniques of Control and Monitoring: Essentials
  Chapter 9: Conceptual Access Rights
  Chapter 10: Elements of a Security Architecture
  Chapter 11: Monitoring and Intrusion Detection
  Sections 17.1–3, 5: UNIX Operating System, Oracle/SQL Database Management System, CORBA Middleware and Simple Public Key Infrastructure (SPKI/SDSI)

• For actual or prospective specialists in security with background knowledge, the following parts provide a (nearly) self-contained introduction to Cryptography:
  Chapter 6: Key Ideas and Examples
  Chapter 7: Combined Techniques
  Chapter 12: Techniques of Cryptography: Essentials
  Chapter 13: Encryption
  Chapter 14: Authentication
  Chapter 15: Anonymization
  Chapter 16: Some Further Cryptographic Protocols
  Sections 17.4–6: Kerberos, Simple Public Key Infrastructure (SPKI/SDSI) and Pretty Good Privacy (PGP)

• For actual or prospective researchers with background knowledge, the following parts provide an introduction to Inference Control:
  Chapter 2: Fundamental Challenges
  Chapter 4: Messages, Inferences, Information and Knowledge
  Chapter 5: Preventive Inference Control

• For experienced readers with solid knowledge, the following parts provide a framework proposal for Security Engineering:
  Chapter 1: Introduction
  Chapter 7: Combined Techniques
  Chapter 10: Elements of a Security Architecture
  Chapter 17: Design of Selected Systems: UNIX Operating System, Oracle/SQL Database Management System, CORBA Middleware, Kerberos, Simple Public Key Infrastructure (SPKI/SDSI) and Pretty Good Privacy (PGP [...]...
from our experiences in other fields, though the innovative sides of computing often demand original solutions. Additionally, since computing means employing formalisms, security in computing requires precise and formalized procedures. Having the similarities and differences of computing and other fields in mind, we start by making some idealized observations about security in housing, whereby a home,...

and well-understood fields for which we have good experience in security that is exploitable for computing. These fields also, increasingly, emerge as part of computing: electronic commerce is already in operation; so-called “computing nomads” travel around using their mobile laptops as universal working tools; and visionaries are starting to create “ubiquitous computing”, where homes and computing equipment...

integral and inseparable part of everyday life. Accordingly, individuals are not left alone to negotiate their interests; instead, modern democratic societies are increasingly setting up a social and juridical framework for regulating computing, including many aspects of security. In the following, we outline the current development of an “information society” and its framework for “informational...

Aggregate Functions
Inference Control for Mandatory Information Systems
5.6.1 A Labeled Information System with Polyinstantiation
5.6.2 Inference-Proof Label Assignments
Noninterference in Trace-Based Computing Systems
5.7.1 Noninterference Properties
5.7.2 Verification by Unwinding
Bibliographic Hints
Part Three Security Mechanisms ...
human interactions have been converted to computer-assisted or computer-mediated versions, and entirely new options for cooperation and communication have evolved. As in any sphere of life, so in computing: individuals, as well as groups and organizations, are concerned about security. Usually, our intuitive understanding of security is quite mature but often also dazzling and delusive. Security in computing...

closely intertwined

1.2 Fundamental Aspects of Security

Assuming a rough and intuitive understanding of security, as sketched above, and a general background knowledge about computing systems, we now declare what we regard as the fundamental aspects of security in computing. We intend to use this declaration as a paradigm for the rest of the monograph, without always explicitly mentioning...

for computing systems. We then abstractly declare the fundamental aspects of security in computing as a paradigm for the rest of the monograph. Subsequently, we identify the broader social and political context of security in computing, tentatively sketch a general definition, and treat selected aspects of the design and life cycle of secure computing systems.

1.1 The Need for Security

Computing has become...

identified, in particular regarding the trust assigned to participants or system components
• The expenditure for the security mechanisms selected should be justified by the risks recognized

1.3 Informational Assurances

Security in computing should be multilateral, respecting and enforcing the balanced interests of all participants concerned. Computing has evolved into an integral...
experiences in teaching and research in security over the last twenty years, though these years have been shared with similar activities in the field of information systems too. I gave my first lecture on a topic in security in the winter semester of 1982/83, and my first publication in this field is dated 1984. Since then, I have been involved in security not only through teaching in the classroom, through my...

defending individuals against the assumed overwhelming informational power of public institutions and private companies. The basic goals require that, in principle, each individual should freely decide on whom he gives what part of his personal data to and on what kind of processing of his personal data he is willing to agree to. Accordingly, an individual should retain full control over the processing

Date posted: 03/04/2014, 12:22
