
Trust in Cyberspace (1999) / Chapter Skim

5 Trustworthy Systems from Untrustworthy Components
Pages 154-170

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 154...
... For some dimensions of trustworthiness it already has. Today, many computing services are implemented using replication, and multiple processors must fail before the service becomes unavailable; the service is therefore more reliable than any single component processor.
From page 155...
... So, this replication-based design effectively amplifies server fault tolerance against random hardware failures. Error correcting codes, used to
From page 156...
... The problem is that replicas of a single component define a population that lacks the necessary diversity. This is because attacks are now the stimuli that cause components to encounter errors and, since all replicas share design and implementation errors, a single attack will affect all replicas.
From page 157...
... With greater similarity comes increased likelihood of common vulnerabilities. For example, in UNIX implementations from different vendors, there will be some identical interfaces (because that is what defines UNIX)
From page 158...
... This combined approach is especially attractive when shortcomings in prevention technology are suspected. For example, in addition to antiforgery credit card technology and authorization codes for each transaction, credit card companies monitor and compare each transaction with profiles of past cardholder activity.
From page 159...
... An operator constantly dealing with false alerts will become less attentive and less likely to notice a bona fide attack. Attackers might even try to exploit human frailty by causing false alerts so that subsequent real attacks are less likely to attract notice.
From page 160...
... There is nothing wrong with deploying theoretically limited solutions. What is known as "defense in depth" in the security community argues for using a collection of mechanisms so that the burden of perfection is placed on no single mechanism.
From page 161...
... For example, the limits and coverage of the various approaches to intruder and anomaly detection are not well understood.

PLACEMENT OF TRUSTWORTHINESS FUNCTIONALITY

In traditional uniprocessor computing systems, functionality for enforcing security policies and tolerating failures is often handled by the kernel, a small module at the lowest level of the system software.
From page 162...
... Public Telephone Network

The PTN is structured around a relatively small number of highly reliable components. A single modern telephone switch can handle all of the traffic for a town with tens of thousands of residents; long-distance traffic for the entire country is routed through only a few hundred switches.
From page 163...
... But the Internet's routing infrastructure is built using predominantly Cisco routers, with Bay and a few other companies supplying the rest. In that regard.
From page 164...
... Minimum Essential Information Infrastructure

A minimum essential information infrastructure (MEII) is a highly trustworthy communications subsystem: a network whose services are immune to failures and attacks.
From page 165...
... than it does during a civil disaster. Finally, the trustworthiness dimensions that should be preserved by an MEII depend on the customer: local law enforcement agents may not require secrecy in communications when handling a civil disaster but would in day-to-day crime fighting.
From page 166...
... net.5 The development of a "kernel" exhibiting all three of the characteristics might well require new research, and an attempt to build such a "kernel" could reveal technical problems that are not, on the surface, apparent. Implementing an NIS using such a "kernel" could also be a

5 There is some question as to whether the PTN can be disconnected and then restarted from scratch
From page 167...
... A careful analysis of

6 See, for example, Rabin (1989).

7 Note that this multimode scheme implements resistance to attacks by using techniques traditionally used for supporting fault tolerance, something that seems especially attractive because a single mechanism is then being used to satisfy multiple requirements for trustworthiness.
From page 168...
... NONTRADITIONAL PARADIGMS

Other less architecturally oriented design approaches have been investigated for amplifying trustworthiness properties, most notably amplifying fault tolerance. These approaches are more algorithmic in flavor.
From page 169...
... 1998. A "Minimum Essential Information Infrastructure" for U.S.
From page 170...
... 1987. Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, NCSC-TG-005, Library Number S228,526, Version 1, the "Red Book." Ft.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.