Presented at Foundations of Secure Computation, an October 1977 conference at the Georgia Institute of Technology. Gaines and Shapiro begin by adapting basic security principles -- barriers, detection, concealment -- to computers. They also consider deterrence in light of an intruder's motives, with an eye toward making the intrusion too difficult to bother.
It is important to consider security from the point of view of the potential violator. He may seek to obtain information of value to him or to modify information that somebody else will use because there is some expected value to him as a consequence of the modification. He may be dissuaded from doing so because he estimates that the costs are unacceptable. The first cost is the direct cost in time, effort, and money of carrying out his plans. Both strong protection mechanisms and concealment mechanisms, such as cryptography, may impose unacceptable costs in one or more of these measures. In addition, detection and apprehension may have costs associated with them that are uncertain to the violator but whose deterrence value may be substantial. The violator may be deterred by the social stigma associated with the detection or by the penalties which may follow as a consequence of detection.
Next they consider contemporary computer security, comprising authentication, authorization ("access control mechanisms"), and the operating system, as well as the system hardware. The idea of holes in an application's security has not yet caught on.
To understand the state of computer security today and how it might be enhanced, we first analyze computer systems from a system point of view. A person attempting to use a computer system either by submitting a job or accessing the computer through a terminal must identify himself to the computer and then be authenticated. ... Other aspects of a computer system which are relevant to security are the hardware itself and the operating and management procedures for the computer.
... When the question of the security of information stored in a computer system was first raised, over a decade ago, it was immediately discovered that from a security point of view operating systems were full of flaws (and many of them still are today). In some systems, these flaws were so serious that it was possible for a user to gain control of the operating system, that is, to have code prepared by the user executed as if it were the supervisor code. Furthermore, flaws in the operating system, once discovered, turned out to be easy to exploit. ...
The initial reaction to the discovery of the weakness of computer system security was to try to correct the flaws. This meant rewriting the access control code so that it would work correctly and trying to rework those parts of systems for which flaws were due to bad design. Such efforts did not work out well; systems so enhanced were shown to have many flaws remaining. Because these flaws were easy to exploit, covering up only a few of them did not appear to be very advantageous. As a result of these failures, recent research has been directed to finding new operating system designs which take security into account in a fundamental way during the design process. ...
They note the relative absence of detection mechanisms for security, and close with a recommendation for what would today be recognized as logging:
There are currently few examples of the use of detection in computers. One that is frequently used in systems providing remote access via terminals is to report to the user at each log-in the time of his previous log-in, thus providing him the opportunity to notice if this report differs from what he remembers. This technique may cause the detection of unauthorized use of the account. There are some weaknesses. For instance, users who repeatedly see the log-in message reporting time of last use soon fail to read this information. ...
We have already remarked that the notion of detection has received very little attention. As an example of the kinds of techniques that might be used, we will consider one idea -- that a record be maintained of all accesses to a file owned by an individual that are made by others, or of only those accesses that are made by others when he is not logged into the system, and that this information be reported to him. Ultimately, the user may provide a list of those he expects to access his files and the report may consist of information concerning all accesses by those not on that list. If such information is stored in a way that a violator cannot get at it, then the information can be relied upon a great deal of the time. One way of recording information so that it cannot be destroyed is to write it on a tape that has no backspace provisions. ...
Interesting and worth a read. The PDF of the entire conference proceedings is linked above. I also found a hardback copy for a few bucks on Amazon.
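The access-report idea in the last quoted passage, as an added example (not code from the paper or from this post). A hash chain stands in here for the tape with no backspace; the record fields, function names and sample log are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor digest for the first entry

def entry_digest(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append_record(log, record):
    """Append-only write: each entry commits to the digest of the one before."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"record": record, "prev": prev, "digest": entry_digest(prev, record)})

def verify_chain(log):
    """False if an entry was edited, reordered or cut from the middle. Dropping
    tail entries is caught only if the latest digest is also kept out of reach."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["digest"] != entry_digest(prev, e["record"]):
            return False
        prev = e["digest"]
    return True

def access_report(log, owner, expected=frozenset(), sessions=None):
    """Accesses to owner's files by other users not on the expected list. With
    sessions [(login, logout), ...], report only accesses while owner was out."""
    if not verify_chain(log):
        raise ValueError("access log failed its integrity check")
    report = []
    for e in log:
        r = e["record"]
        if r["owner"] != owner or r["user"] == owner or r["user"] in expected:
            continue
        if sessions is not None and any(a <= r["t"] < b for a, b in sessions):
            continue
        report.append((r["t"], r["user"], r["file"]))
    return report

# Constructed sample data; t is minutes since midnight.
SAMPLE_LOG = []
for rec in [
    {"t": 540, "user": "alice", "owner": "alice", "file": "plan.txt"},
    {"t": 600, "user": "bob", "owner": "alice", "file": "plan.txt"},
    {"t": 1290, "user": "carol", "owner": "alice", "file": "plan.txt"},
    {"t": 1300, "user": "bob", "owner": "alice", "file": "notes.txt"},
    {"t": 1310, "user": "carol", "owner": "dave", "file": "memo.txt"},
]:
    append_record(SAMPLE_LOG, rec)
ALICE_SESSIONS = [(530, 1020)]  # alice logged in from 08:50 to 17:00
```

The three report variants in the passage map to the defaults (all accesses by others), `sessions=ALICE_SESSIONS` (only while the owner is logged out), and `expected={"bob"}` (only users not on the owner's list).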