Computers at Risk: Safe Computing in the Information Age

System Security Study Committee
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council

NATIONAL ACADEMY PRESS
1991
National Academy Press
2101 Constitution Avenue, N.W.
Washington, D.C. 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Frank Press is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Robert M. White is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Samuel O. Thier is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Frank Press and Dr. Robert M. White are chairman and vice chairman, respectively, of the National Research Council.

Support for this project was provided by the Defense Advanced Research Projects Agency under Contract No. N00014-89-J-1731. However, the content does not necessarily reflect the position or the policy of the Defense Advanced Research Projects Agency or the government, and no official endorsement should be inferred.

Library of Congress Cataloging-in-Publication Data

Computers at risk: safe computing in the information age / System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council.
p. cm.
Includes bibliographical references.
ISBN 0-309-04388-3
1. Computer security. I. National Research Council (U.S.). Computer Science and Telecommunications Board. System Security Study Committee.
QA76.9.A25C6663 1990
005.8—dc20
90-22329
CIP

Copyright © 1991 by the National Academy of Sciences

No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise copied for public or private use, without written permission from the publisher, except for the purposes of official use by the U.S. government.

Printed in the United States of America

First Printing, December 1990
Second Printing, March 1991
Third Printing, April 1992
Fourth Printing, January 1992
Fifth Printing, March 1994
SYSTEM SECURITY STUDY COMMITTEE

DAVID D. CLARK, Massachusetts Institute of Technology, Chairman
W. EARL BOEBERT, Secure Computing Technology Corporation
SUSAN GERHART, Microelectronics and Computer Technology Corporation
JOHN V. GUTTAG, Massachusetts Institute of Technology
RICHARD A. KEMMERER, University of California at Santa Barbara
STEPHEN T. KENT, BBN Communications
SANDRA M. MANN LAMBERT, Security Pacific Corporation
BUTLER W. LAMPSON, Digital Equipment Corporation
JOHN J. LANE, Shearson, Lehman, Hutton, Inc.
M. DOUGLAS McILROY, AT&T Bell Laboratories
PETER G. NEUMANN, SRI International
MICHAEL O. RABIN, Harvard University
WARREN SCHMITT, Sears Technology Services
HAROLD F. TIPTON, Rockwell International
STEPHEN T. WALKER, Trusted Information Systems, Inc.
WILLIS H. WARE, The RAND Corporation

MARJORY S. BLUMENTHAL, Staff Director
FRANK PITTELLI, CSTB Consultant
DAMIAN M. SACCOCIO, Staff Officer
MARGARET A. KNEMEYER, Staff Associate
DONNA F. ALLEN, Administrative Secretary
CATHERINE A. SPARKS, Senior Secretary
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

JOSEPH F. TRAUB, Columbia University, Chairman
ALFRED V. AHO, AT&T Bell Laboratories
JOHN SEELY BROWN, Xerox Corporation Palo Alto Research Center
FRANK P. CARRUBBA, Hewlett-Packard Company
DAVID J. FARBER, University of Pennsylvania
SAMUEL H. FULLER, Digital Equipment Corporation
JAMES FREEMAN GILBERT, University of California at San Diego
WILLIAM A. GODDARD III, California Institute of Technology
JOHN L. HENNESSY, Stanford University
JOHN E. HOPCROFT, Cornell University
MITCHELL D. KAPOR, ON Technology, Inc.
SIDNEY KARIN, San Diego Supercomputer Center
LEONARD KLEINROCK, University of California at Los Angeles
ROBERT LANGRIDGE, University of California at San Francisco
ROBERT L. MARTIN, Bell Communications Research
WILLIAM F. MILLER, SRI International
ABRAHAM PELED, IBM T.J. Watson Research Center
RAJ REDDY, Carnegie Mellon University
JEROME H. SALTZER, Massachusetts Institute of Technology
MARY SHAW, Carnegie Mellon University
ERIC E. SUMNER, Institute of Electrical and Electronics Engineers
IVAN E. SUTHERLAND, Sutherland, Sproull & Associates
GEORGE L. TURIN, Teknekron Corporation
VICTOR VYSSOTSKY, Digital Equipment Corporation
WILLIS H. WARE, The RAND Corporation
WILLIAM WULF, University of Virginia

MARJORY S. BLUMENTHAL, Staff Director
ANTHONY M. FORTE, Senior Staff Officer
HERBERT LIN, Staff Officer
DAMIAN M. SACCOCIO, Staff Officer
RENEE A. HAWKINS, Staff Associate
DONNA F. ALLEN, Administrative Secretary
LINDA L. JOYNER, Project Assistant
CATHERINE A. SPARKS, Senior Secretary
COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS*

NORMAN HACKERMAN, Robert A. Welch Foundation, Chairman
PETER J. BICKEL, University of California at Berkeley
GEORGE F. CARRIER, Harvard University
HERBERT D. DOAN, The Dow Chemical Company (retired)
DEAN E. EASTMAN, IBM T.J. Watson Research Center
MARYE ANNE FOX, University of Texas
PHILLIP A. GRIFFITHS, Duke University
NEAL F. LANE, Rice University
ROBERT W. LUCKY, AT&T Bell Laboratories
CHRISTOPHER F. McKEE, University of California at Berkeley
RICHARD S. NICHOLSON, American Association for the Advancement of Science
JEREMIAH P. OSTRIKER, Princeton University Observatory
ALAN SCHRIESHEIM, Argonne National Laboratory
ROY F. SCHWITTERS, Superconducting Super Collider Laboratory
KENNETH G. WILSON, Ohio State University

NORMAN METZGER, Executive Director

* The project that is the subject of this report was initiated under the predecessor group of the Commission on Physical Sciences, Mathematics, and Applications, which was the Commission on Physical Sciences, Mathematics, and Resources, whose members are listed in Appendix G.
Preface

The Computer Science and Technology Board, which became the Computer Science and Telecommunications Board in September 1990, formed the System Security Study Committee in response to a fall 1988 request from the Defense Advanced Research Projects Agency (DARPA) to address the security and trustworthiness of U.S. computing and communications systems. The committee was charged with developing a national research, engineering, and policy agenda to help the United States achieve a more trustworthy computing technology base by the end of the century. DARPA asked the committee to take a broad outlook—to consider the interrelationship of security and other qualities (e.g., safety and reliability), commercialization as well as research, and the diverse elements of the research and policy communities. In keeping with DARPA's initial request, the committee focused on security aspects but related them to other elements of trustworthiness.

The System Security Study Committee was composed of sixteen individuals from industry and academia, including computer and communications security researchers and practitioners and software engineers. It met in May, August, and November of 1989 and in February, April, and July of 1990. Its deliberations were complemented by briefings from and interviews with a variety of federal government researchers and officials and security experts and others from industry.

A central feature of the committee's work was the forging of a consensus in the face of different technical and professional perspectives. While the committee drew on both the research literature and publications aimed at security practitioners, it sought to combine the research and practitioner perspectives to provide a more unified assessment than might perhaps be typical.

Given the goal of producing an unclassified report, the committee focused on the protection of sensitive but unclassified information in computer and communications systems. The orientation toward an unclassified report also limited the extent to which the committee could probe tensions in federal policy between intelligence-gathering and security-providing objectives.

This report of the System Security Study Committee presents its assessment of key computer and communications security issues and its recommendations for enhancing the security and trustworthiness of the U.S. computing and communications infrastructure.

David D. Clark, Chairman
System Security Study Committee
Acknowledgments

The System Security Study Committee appreciates the generous assistance provided by Carl Landwehr of the Naval Research Laboratory and a group of federal liaisons that he coordinated, including Anthony Adamski of the Federal Bureau of Investigation, Dennis Branstad of the National Institute of Standards and Technology, Leon Breault of the Department of Energy, Richard Carr of the National Aeronautics and Space Administration, Richard DeMillo of the National Science Foundation (preceded by John Gannon), C. Terrance Ireland of the National Security Agency, Stuart Katzke of the National Institute of Standards and Technology, Robert Morris of the National Security Agency, Karen Morrissette of the Department of Justice, Mark Scher of the Defense Communications Agency, and Kermith Speierman of the National Security Agency. These individuals made themselves and their associates available to the committee to answer questions, provide briefings, and supply valuable reference materials.

The committee is grateful for special briefings provided by William Vance of IBM, John Michael Williams of Unisys, and Peter Wild of Coopers and Lybrand.

Additional insight into specific issues was provided by several individuals, including in particular Mark Anderson of the Australian Electronics Research Laboratory, Carolyn Conn of GE Information Services, Jay Crawford of the Naval Weapons Center at China Lake, California, George Dinolt of Ford Aerospace Corporation, Morrie Gasser and Ray Modeen of Digital Equipment Corporation, James Giffin of the Federal Trade Commission, J. Thomas Haigh of Secure Computing Technology Corporation, James Hearn of the National Security Agency, Frank Houston of the Food and Drug Administration, Christian Jahl of the German Industrie Anlagen Betriebs Gesellschaft, Ian King of the U.K. Communications-Electronics Security Group, Stewart Kowalski of the University of Stockholm, Milan Kuchta of the Canadian Communications Security Establishment, Timothy Levin of Gemini Computers, Inc., Michael Nash representing the U.K. Department of Trade and Industry, Stephen Purdy and James Bauer of the U.S. Secret Service, John Shore of Entropic Research Laboratory, Inc., Linda Vetter of Oracle Corporation, Larry Wills of IBM, and the group of 30 corporate security officers who participated in a small, informal survey of product preferences.

The committee appreciates the encouragement and support of Stephen Squires and William Scherlis of DARPA, who provided guidance, insights, and motivation. It is particularly grateful for the literally hundreds of suggestions and criticisms provided by the ten anonymous reviewers of an early draft. Those inputs helped the committee to tighten and strengthen its presentation, for which it, of course, remains responsible.

Finally, the committee would like to acknowledge the major contribution that the staff of the Computer Science and Telecommunications Board has made to this report, in particular thanking Marjory Blumenthal, Damian Saccocio, Frank Pittelli, and Catherine Sparks. They supplied not only very capable administrative support, but also substantial intellectual contributions to the development of the report. The committee also received invaluable assistance from its editor, Susan Maurizi, who labored under tight time constraints to help it express its ideas on a complex and jargon-filled subject. It could not have proceeded effectively without this level of support from the National Research Council.

David D. Clark, Chairman
System Security Study Committee
Contents

EXECUTIVE SUMMARY 1

1 OVERVIEW AND RECOMMENDATIONS 7
  Computer System Security Concerns, 8
  Trends—the Growing Potential for System Abuse, 10
  The Need to Respond, 11
  Toward a Planned Approach, 13
  Achieving Understanding, 13
  The Nature of Security: Vulnerability, Threat, and Countermeasure, 13
  Special Security Concerns Associated with Computers, 15
  Security Must Be Holistic—Technology, Management, and Social Elements, 17
  Commercial and Military Needs Are Different, 18
  Putting the Need for Secrecy into Perspective, 20
  Building on Existing Foundations, 21
  Scope, Purpose, Contents, and Audience, 24
  Recommendations, 26
  Recommendation 1: Promulgate Comprehensive Generally Accepted System Security Principles (GSSP), 27
  Recommendation 2: Take Specific Short-term Actions That Build on Readily Available Capabilities, 32
  Recommendation 3: Gather Information and Provide Education, 36
  Recommendation 4: Clarify Export Control Criteria, and Set Up a Forum for Arbitration, 37
  Recommendation 5: Fund and Pursue Needed Research, 39
  Recommendation 6: Establish an Information Security Foundation, 43
  Conclusion, 45
  Notes, 45

2 CONCEPTS OF INFORMATION SECURITY 49
  Security Policies—Responding to Requirements for Confidentiality, Integrity, and Availability, 52
  Confidentiality, 52
  Integrity, 54
  Availability, 54
  Examples of Security Requirements for Different Applications, 55
  Management Controls—Choosing the Means to Secure Information and Operations, 56
  Preventing Breaches of Security—Basic Principles, 56
  Responding to Breaches of Security, 59
  Developing Policies and Appropriate Controls, 59
  Risks and Vulnerabilities, 61
  Securing the Whole System, 65
  Appendix 2.1—Privacy, 66
  Appendix 2.2—Informal Survey to Assess Security Requirements, 69
  Notes, 72

3 TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS 74
  Specification vs. Implementation, 75
  Specification: Policies, Models, and Services, 76
  Policies, 77
  Models, 80
  Flow Model, 80
  Access Control Model, 81
  Services, 83
  Authentication, 84
  Authorization, 87
  Auditing, 88
  Implementation: The Trusted Computing Base, 88
  Computing, 91
  Hardware, 91
  Operating System, 92
  Applications and the Problem of Malicious Code, 93
  Communications, 93
  Secure Channels, 94
  Authenticating Channels, 96
  Security Perimeters, 98
  Methodology, 99
  Conclusion, 99
  Notes, 100

4 PROGRAMMING METHODOLOGY 102
  Software Is More Than Code, 104
  Simpler Is Better, 106
  The Role of Programming Languages, 107
  The Role of Specifications, 108
  Relating Specifications to Programs, 109
  Formal Specification and Verification, 111
  Hazard Analysis, 113
  Structuring the Development Process, 114
  Managing Software Procurement, 115
  Scheduling Software Development, 116
  Education and Training, 117
  Management Concerns in Producing Secure Software, 118
  What Makes Secure Software Different, 119
  Recommended Approaches to Sound Development Methodology, 120
  Notes, 122

5 CRITERIA TO EVALUATE COMPUTER AND NETWORK SECURITY 124
  Security Evaluation Criteria in General, 125
  Security Characteristics, 125
  Assurance Evaluation, 127
  Trade-offs in Grouping of Criteria, 130
  Comparing National Criteria Sets, 133
  Reciprocity Among Criteria Sets, 135
  System Certification vs. Product Evaluation, 137
  Recommendations for Product Evaluation and System Certification Criteria, 139
  Notes, 141

6 WHY THE SECURITY MARKET HAS NOT WORKED WELL 143
  The Market for Trustworthy Systems, 143
  A Soft Market: Concerns of Vendors, 146
  Federal Government Influence on the Market, 149
  Procurement, 149
  Strategic Federal Investments in Research and Development, 150
  Export Controls as a Market Inhibitor, 152
  Technology Transfer: Rationale for Controlling Security Exports, 153
  Export Control of Cryptographic Systems and Components, 154
  Export Control of Trusted Systems, 156
  The Commercial Imperative, 157
  Consumer Awareness, 159
  Insurance as a Market Lever, 161
  Education and Incident Tracking for Security Awareness, 162
  Education, 162
  Incident Reporting and Tracking, 163
  Technical Tools to Compensate for Limited Consumer Awareness, 164
  Regulation as a Market Influence: Product Quality and Liability, 165
  Product Quality Regulations, 166
  Product Liability as a Market Influence, 167
  Software and Systems Present Special Problems, 170
  Toward Equitable Allocation of Liability, 171
  Appendix 6.1—Export Control Process, 173
  Appendix 6.2—Insurance, 174
  Notes, 176

7 THE NEED TO ESTABLISH AN INFORMATION SECURITY FOUNDATION 179
  Actions Needed to Improve Computer Security, 179
  Attributes and Functions of the Proposed New Institution, 180
  Other Organizations Cannot Fulfill ISF's Mission, 183
  Government Organizations, 183
  Private Organizations, 184
  Why ISF's Mission Should Be Pursued Outside of the Government, 185
  A New Not-for-profit Organization, 186
  Critical Aspects of an ISF Charter, 187
  Start-up Considerations, 188
  Funding the ISF, 188
  Alternatives to the ISF, 190
  Appendix 7.1—A History of Government Involvement, 192
  Appendix 7.2—Security Practitioners, 201
  Notes, 204

8 RESEARCH TOPICS AND FUNDING 206
  A Proposed Agenda for Research to Enhance Computer Security, 208
  Directions for Funding Security Research, 211
  Funding by the Defense Advanced Research Projects Agency, 212
  Funding by the National Science Foundation, 212
  Promoting Needed Collaboration, 213
  Notes, 214

BIBLIOGRAPHY 216

APPENDIXES
  A The Orange Book 243
  B Selected Topics in Computer Security Technology 246
  C Emergency Response Teams 276
  D Models for GSSP 278
  E High-grade Threats 283
  F Glossary 286
  G List of Members of the Former Commission on Physical Sciences, Mathematics, and Resources 303