Trust in Cyberspace
Fred B. Schneider, Editor
Committee on Information Systems Trustworthiness
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council
National Academy Press, Washington, D.C., 1998
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. William A. Wulf are chairman and vice chairman, respectively, of the National Research Council.
Support for this project was provided by the Defense Advanced Research Projects Agency and the National Security Agency. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Library of Congress Catalog Card Number 98-xxx International Standard Book Number xxx
Additional copies of this report are available from: National Academy Press 2101 Constitution Avenue, N.W. Box 285 Washington, DC 20055 800/624-6242 202/334-3313 (in the Washington Metropolitan Area)
Copyright 1998 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
COMMITTEE ON INFORMATION SYSTEMS TRUSTWORTHINESS
FRED B. SCHNEIDER, Cornell University, Chair
STEVEN M. BELLOVIN, AT&T Labs Research
MARTHA BRANSTAD, Trusted Information Systems Inc.
J. RANDALL CATOE, MCI Telecommunications Inc.
STEPHEN D. CROCKER, CyberCash Inc.
CHARLIE KAUFMAN, Iris Associates Inc.
STEPHEN T. KENT, BBN Corporation
JOHN C. KNIGHT, University of Virginia
STEVEN McGEADY, Intel Corporation
RUTH R. NELSON, Information System Security
ALLAN M. SCHIFFMAN, SPYRUS
GEORGE A. SPIX, Microsoft Corporation
DOUG TYGAR, University of California, Berkeley
Special Advisor
W. EARL BOEBERT, Sandia National Laboratories
Staff
MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Program Officer
MARK BALKOVICH, Research Associate (until July 1998)
LISA L. SHUM, Project Assistant (until August 1998)
RITA A. GASKINS, Project Assistant
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK, Massachusetts Institute of Technology, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
JAMES CHIDDIX, Time Warner Cable
JOHN M. CIOFFI, Stanford University
W. BRUCE CROFT, University of Massachusetts, Amherst
A.G. FRASER, AT&T Corporation
SUSAN L. GRAHAM, University of California at Berkeley
JAMES GRAY, Microsoft Corporation
PATRICK M. HANRAHAN, Stanford University
JUDITH HEMPEL, University of California at San Francisco
BUTLER W. LAMPSON, Microsoft Corporation
EDWARD D. LAZOWSKA, University of Washington
DAVID LIDDLE, Interval Research
JOHN MAJOR, QUALCOMM Inc.
TOM M. MITCHELL, Carnegie Mellon University
DONALD NORMAN, Hewlett-Packard Company
RAYMOND OZZIE, Groove Networks
DAVID A. PATTERSON, University of California at Berkeley
DONALD SIMBORG, KnowMed Systems
LEE SPROULL, Boston University
LESLIE L. VADASZ, Intel Corporation
MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Staff Officer
JERRY R. SHEEHAN, Program Officer
ALAN S. INOUYE, Program Officer
JON EISENBERG, Program Officer
JANET BRISCOE, Administrative Associate
NICCI DOWD, Project Assistant
RITA GASKINS, Project Assistant
DAVID PADGHAM, Project Assistant
COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS
ROBERT J. HERMANN, United Technologies Corporation, Co-chair
W. CARL LINEBERGER, University of Colorado, Co-chair
PETER M. BANKS, Environmental Research Institute of Michigan
WILLIAM BROWDER, Princeton University
LAWRENCE D. BROWN, University of Pennsylvania
RONALD G. DOUGLAS, Texas A&M University
JOHN E. ESTES, University of California at Santa Barbara
MARTHA P. HAYNES, Cornell University
L. LOUIS HEGEDUS, Elf Atochem North America Inc.
JOHN E. HOPCROFT, Cornell University
CAROL M. JANTZEN, Westinghouse Savannah River Company
PAUL G. KAMINSKI, Technovation, Inc.
KENNETH H. KELLER, University of Minnesota
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
MARGARET G. KIVELSON, University of California at Los Angeles
DANIEL KLEPPNER, Massachusetts Institute of Technology
JOHN KREICK, Sanders, a Lockheed Martin Company
MARSHA I. LESTER, University of Pennsylvania
NICHOLAS P. SAMIOS, Brookhaven National Laboratory
CHANG-LIN TIEN, University of California at Berkeley
NORMAN METZGER, Executive Director
Preface
Experts have known for some time that networked information systems are not trustworthy and that the technology needed to make them trustworthy was, by and large, not at hand. Our nation is nevertheless becoming dependent on such systems for operating its critical infrastructures (e.g., transportation, communication, finance, and energy distribution). Over the past 2 years, the implications of this dependence (vulnerability to attack and susceptibility to disaster) have become a part of the national agenda. Concerns first voiced from within the defense establishment (under the rubric of "information warfare") led the executive branch to create the President's Commission on Critical Infrastructure Protection and, later, the Critical Infrastructure Assurance Office. The popular press embraced the issues, carrying them to a public already sensitized by direct and collateral experience with the failings of computing systems and networks. So a subject once discussed only in the technical literature is now regularly appearing on the front pages of newspapers and being debated in the Congress. And the present study, initiated at the request of the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) some 2 years ago, today informs a discussion of national significance. In particular, this study moves the focus of the discussion forward from matters of policy and procedure and from vulnerabilities and their consequences toward questions about the richer set of options that only new science and technology can provide.
The study committee was convened by the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) to assess the nature of information systems trustworthiness and the prospects for technology that increase it. The committee was asked to examine, discuss, and report on interrelated issues associated with the research, development, and commercialization of technologies for trustworthy systems and to use its assessment to develop recommendations for research to enhance information systems trustworthiness (see Box P.1). This volume contains the results of that study: a detailed research agenda that examines the many dimensions of trustworthiness (e.g., correctness, security, reliability, safety, survivability), the state of the practice, and the available technology and science base. Since the economic and political context is critical to the successful deployment of new technologies, that too is discussed.
The alert reader will have noted that the volume's title, Trust in Cyberspace, admits two interpretations. This ambiguity was intentional. Parse "trust" as a noun (as in "confidence" or "reliance") and the title succinctly describes the contents of the volume: technologies that help make networked information systems more trustworthy. Parse "trust" as a verb (as in "to believe") and the title is an invitation to contemplate a future where networked information systems have become a safe place for conducting parts of our daily lives.1 Whether "trust" is being parsed as a noun or as a verb, more research is key for trust in cyberspace.
1 One reviewer, contemplating the present, suggested that a question mark be placed at the end of the title to raise questions about the trustworthiness of cyberspace today. And this is a question that the report does raise.
Committee Composition and Process
The study committee included experts on computing and communications systems from industry and academia whose expertise spanned computer and communications security, software engineering, fault-tolerance, systems design and implementation, and networking (see Appendix A). The committee did its work through its own expert deliberations and by soliciting input and discussion from key officials in its sponsoring agencies, other government officials, academic experts, and representatives of a wide range of developers and users of information systems in industry (see Appendix B). The committee did not make use of classified information, believing that detailed knowledge of threats was not important to the task at hand.
The committee first met in June 1996 and eight times subsequently. Three workshops were held to obtain input from a broad range of experts in systems security, software, and networking drawn primarily from industry (see Appendixes C and D). Since information about the NSA R2 research program is less widely available than for relevant programs at DARPA and other federal agencies, the entire committee visited NSA for a more in-depth examination of R2's research program; subsequent meetings involving NSA R2 personnel and a subset of the committee provided still further input to the study. Staff tracked the progress of relevant activities in the legislative and executive branches of government, including the President's Commission on Critical Infrastructure Protection, the Critical Infrastructure Assurance Office, and congressional hearings. Staff also sought input from other governmental and quasi-governmental organizations with relevant emphases. Additional inputs included perspectives from professional conferences, technical literature, and government reports gleaned by committee members and staff.
In April 1997, the committee released an interim report that outlined key concepts and known technologies. That report, subject to the NRC review process, generated a number of follow-up comments that helped to guide the committee in its later work.
Acknowledgments
The committee is grateful to the many thoughtful reviewers of its interim and final reports, and it appreciates the efforts of the review coordinator. The committee would like to acknowledge Thomas A. Berson (Anagram Laboratories), Dan Boneh (Stanford University), Eric A. Brewer (University of California, Berkeley), Dorothy Denning (Georgetown University), Bruce Fette (Motorola), John D. Gannon (University of Maryland), Li Gong (JavaSoft Inc., Sun Microsystems Inc.), Russ Housley (Spyrus Inc.), John C. Klensin (MCI Communications Corporation), Jimmy Kuo (McAfee Associates Inc.), Steven B. Lipner (Mitretek Systems), Keith Marzullo (University of California at San Diego), Alan J. McLaughlin (Massachusetts Institute of Technology), Robert Morris, Sr. (National Security Agency (retired)), Peter G. Neumann (SRI International), Jimmy Omura (Cylink Corporation), Stewart Personick (Drexel University), Roy Radner (New York University), Morteza Rahimi (Northwestern University), Jeffrey I. Schiller (Massachusetts Institute of Technology), Michael St. Johns (@Home Network), Joseph Sventek (Hewlett-Packard Laboratories), J. Marty Tenenbaum (CNgroup, Inc.), Abel Weinrib (Intel Corporation), Jeannette M. Wing (Carnegie Mellon University), and Mary Ellen Zurko (The Open Group Research Institute).
The committee appreciates the support of its sponsoring agencies, and especially the numerous inputs and responses to requests for information provided by Howard Frank and Teresa Lunt at DARPA, Robert Meushaw at NSA, and John Davis at NSA and the Critical Infrastructure Assurance Office. The support of K. David Nokes at Sandia National Laboratories was extremely helpful in facilitating this study and the preparation of this report.
In addition, the committee would like to thank Jeffrey Schiller for his valuable perspective on Internet standards-setting. The committee would also like to thank individuals who contributed their expertise to the committee's deliberations: Robert H. Anderson (RAND Corp.), Ken Birman (Cornell University), Chip Boylan (Hilb, Rogal, and Hamilton Co.), Robert L. Constable (Cornell University), Dale Drew (MCI Security Services), Bill Flanagan (Perot Systems Corporation), Fred Howard (Bell Atlantic Voice Operations), Keith Marzullo (University of California at San Diego), J.S. Moore (University of Texas at Austin), Peter G. Neumann (SRI International), John Pescatore (Trusted Information Systems), John Rushby (SRI International), Sami Saydjari (Defense Advanced Research Projects Agency), Dan Shoemaker (Bell Atlantic Data Operations), Steve Sigmond (Wessels Arnold Investment Banking), Gadi Singer (Intel), Steve Smaha (Haystack, Inc.), Kevin Sullivan (University of Virginia), L. Nick Trefethen (Oxford University), and Werner Vogels (Cornell University).
Several members of the Computer Science and Telecommunications Board provided valuable guidance to the committee and were instrumental in the response-to-review process. For these contributions, the committee would like to thank David D. Clark, Jim Gray, and Butler Lampson. The committee also acknowledges the helpful feedback from Board members Donald Norman and Ed Lazowska.
Special thanks are owed Steve Crocker for his seminal role in launching this study and in helping to shape the committee. The committee, and the chairman especially, benefited from Steve's involvement.
Finally, the committee would like to acknowledge all the hard work by the staff of the National Research Council. Marjory Blumenthal's role in the content and conduct of this study was pivotal. Not only was Marjory instrumental in moving the committee from its initial discussions through the production of an Interim Report and then to a first draft of this report, but her insights into the nontechnical dimensions of trustworthiness were critical in developing Chapter 6. This committee was truly fortunate to have the benefit of Marjory's insights concerning content and process; and this chairman was thankful to have such a master in the business as a teacher and advisor. Alan Inouye joined the project mid-stream. To him fell the enormous task of assembling this final report. Alan did a remarkable job, remaining unfailingly up-beat despite the long hours required and the frustrations that accompanied working to a deadline. First Leslie Wade and later Lisa Shum supported the logistics for the committee's meetings, drafts, and reviews in a careful yet cheery fashion. As a research associate, Mark Balkovich enthusiastically embraced a variety of research and fact-finding assignments. Thanks to Jane Bortnick Griffith for her support as the Interim Director of CSTB who inherited this challenging project mid-stream and did the right thing. Herb Lin was available when we needed him despite his numerous other commitments. The contributions of Laura Ost (editor-consultant) are gratefully acknowledged. Rita Gaskins, David Padgham, and Cris Banks also assisted in completing the report.
Fred B. Schneider, Chair
Committee on Information Systems Trustworthiness
BOX P-1: Synopsis of Task Statement
• Propose a research agenda that identifies ideas for relevant long-term research and the promotion of fundamental or revolutionary (as opposed to incremental) advances to foster increased trustworthiness of networked information systems. Perspectives on where and what kinds of research are needed should be sought from across the relevant technical and business communities.
• Assess, in part by undertaking dialogue within relevant segments of the technical and business communities, and make recommendations on how to further the development and deployment of trustworthy networked information systems, subsystems, and components.
• Assess and make recommendations concerning the effectiveness and directions of the existing research programs in ARPA and NSA R2 as they affect the development of trustworthy networked information systems.
• Examine the state of the market for security products and capabilities and the extent and emphases of private sector research activities with an eye toward illuminating where federal R&D efforts can best be targeted.
• Assess and develop recommendations for technology policy options to improve the commercial security product base (availability, quality, and affordability), expand awareness in industry of the security problem and of available technology and tools for enhancing protections, and foster technology transfer.
Contents
EXECUTIVE SUMMARY, ES-1
1 INTRODUCTION, 1-1
Trustworthy Networked Information Systems
What Erodes Trust
This Study in Context
Scope of This Study
References
2 PUBLIC TELEPHONE NETWORK AND INTERNET TRUSTWORTHINESS, 2-1
Network Design
The Public Telephone Network
Network Services and Design
Authentication
Progress of a Typical Call
The Internet
Network Services and Design
Authentication (and Other Security Protocols)
Progress of a Typical Connection
Findings
Network Failures and Fixes
Environmental Disruption
Link Failures
Congestion
Findings
Operational Errors
Findings
Software and Hardware Failures
Finding
Malicious Attacks
Attacks on the Telephone System
Routing Attacks
Database Attacks
Facilities
Findings
Attacks on the Internet
Name Server Attacks
Routing System Attacks
Protocol Design and Implementation Flaws
Findings
Emerging Issues
Internet Telephony
Finding
Is the Internet Ready for "Prime Time"?
Findings
References
3 SOFTWARE FOR NETWORKED INFORMATION SYSTEMS, 3-1
Introduction
Background
The Role of Software
Development of an NIS
System Planning, Requirements, and Top-Level Design
Planning and Program Management
Requirements at the System Level
Background
The System Requirements Document
Notation and Style
Where to Focus Effort in Requirements Analysis and Documentation
Top-Level Design
Critical Components
The Integration Plan
Project Structure, Standards, and Process
Barriers to Acceptance of New Software Technologies
Findings
Building and Acquiring Components
Component-Level Requirements
Component Design and Implementation
Programming Languages
Systematic Reuse
COTS Software
The Changing Role of COTS Software
General Problems with COTS Components
Interfacing Legacy Software
Findings
System Integration
System Assurance
Review and Inspection
Formal Methods
Testing
System Evolution
Findings
References
4 REINVENTING SECURITY, 4-1
Introduction
Evolution of Security Needs and Mechanisms
Access Control Policies
Shortcomings of Formal Policy Models
A New Approach
Findings
Identification and Authentication Mechanisms
Network-Based Authentication
Cryptographic Authentication
Token-Based Mechanisms
Biometric Techniques
Findings
Cryptography and Public-Key Infrastructure
Findings
The Key-Management Problem
Key-Distribution Centers
Certification Authorities
Actual Large-Scale KDC and CA Deployments
Public-Key Infrastructure
Findings
Network Access Control Mechanisms
Closed User Groups
Virtual Private Networks
Firewalls
Limitations of Firewalls
Guards
Findings
Foreign Code and Application-Level Security
The ActiveX Approach
The Java Approach
Findings
Fine-Grained Access Control and Application Security
Findings
Language-Based Security: Software Fault Isolation and Proof Carrying Code
Findings
Denial of Service
Findings
References
5 TRUSTWORTHY SYSTEMS FROM UNTRUSTWORTHY COMPONENTS, 5-1
Introduction
Replication and Diversity
Amplifying Reliability
Amplifying Security
Findings
Monitor, Detect, Respond
Limitations in Detection
Response and Reconfiguration
Perfection and Pragmatism
Findings
Placement of Trustworthiness Functionality
Public Telephone Network
Internet
Minimum Essential Information Infrastructure
Findings
Nontraditional Paradigms
Finding
References
6 THE ECONOMIC AND PUBLIC POLICY CONTEXT, 6-1
Risk Management
Risk Assessment
Nature of Consequences
Risk Management Strategies
Selecting a Strategy
Findings
Consumers and Trustworthiness
Consumer Costs
Direct Costs
Indirect Costs
Failure Costs
Imperfect Information
Issues Affecting Risk Management
Some Market Observations
Findings
Producers and Trustworthiness
The Larger Marketplace and the Trend Toward Homogeneity
Risks of Homogeneity
Producers and Their Costs
Costs of Integration and Testing
Identifying the Specific Costs Associated with Trustworthiness
Time to Market
Other Issues
The Market for Trustworthiness
Supply and Demand Considerations
Findings
Standards and Criteria
The Character and Context of Standards
Standards and Trustworthiness
Security-Based Criteria and Evaluation
Findings
Cryptography and Trustworthiness
Export Controls
Key Recovery
Factors Inhibiting Widespread Cryptography Deployment
Cryptography and Confidentiality
Findings
Federal Government Interests in NIS Trustworthiness
Public-Private Partnerships
The Changing Market-Government Relationship
Findings
The Roles of the NSA, DARPA, and other Federal Agencies in NIS Trustworthiness Research and Development
National Security Agency
Partnerships with Industry
R2 Program
Issues for the Future
Findings
Defense Advanced Research Projects Agency
Issues for the Future
Findings
References
Notes
7 CONCLUSIONS AND RESEARCH RECOMMENDATIONS, 7-1
Protecting the Evolving Public Telephone Network
Meeting the Urgent Need for Software that Improves Trustworthiness
Reinventing Security for Computers and Communications
Building Trustworthiness from Untrustworthy Components
Social and Economic Factors that Inhibit the Deployment of Trustworthy Technology
Implementing Trustworthiness Research and Development, the Public Policy Role
APPENDIXES
A Study Committee Biographies, A-1
B Briefers to the Committee, B-1
C Workshop Participants and Agenda, C-1
D List of Position Papers Prepared for the Workshop, D-1
E Trends in Software, E-1
F Some Related Trustworthiness Studies, F-1
G Some Operating System Security Examples, G-1
H Types of Firewalls, H-1
I Secrecy of Design, I-1
J Research in Information System Security and Survivability Funded by the NSA and DARPA, J-1
K Glossary, K-1
This is the tale of the infosys folk:
Multics to UNIX to DOS.
We once had protection that wasn't a joke
Multics to UNIX to DOS.
Now hackers and crackers and similar nerds
Pass viruses, horses, and horrible words
Through access controls that are for the birds.
Multics to UNIX to DOS.
With apologies to Franklin P. Adams
CONTENTS (continued, with print-edition page numbers)
Findings, 180
Consumers and Trustworthiness, 180
Consumer Costs, 181
Direct Costs, 181
Indirect Costs, 182
Failure Costs, 183
Imperfect Information, 184
Issues Affecting Risk Management, 186
Some Market Observations, 188
Findings, 189
Producers and Trustworthiness, 190
The Larger Marketplace and the Trend Toward Homogeneity, 190
Risks of Homogeneity, 191
Producers and Their Costs, 192
Costs of Integration and Testing, 193
Identifying the Specific Costs Associated with Trustworthiness, 193
Time to Market, 194
Other Issues, 194
The Market for Trustworthiness, 196
Supply and Demand Considerations, 197
Findings, 198
Standards and Criteria, 199
The Character and Context of Standards, 199
Standards and Trustworthiness, 201
Security-based Criteria and Evaluation, 204
Findings, 209
Cryptography and Trustworthiness, 210
Export Controls, 210
Key Recovery, 211
Factors Inhibiting Widespread Deployment of Cryptography, 211
Cryptography and Confidentiality, 214
Findings, 214
Federal Government Interests in NIS Trustworthiness, 215
Public-Private Partnerships, 219
The Changing Market-Government Relationship, 220
Findings, 221
The Roles of the NSA, DARPA, and other Federal Agencies in NIS Trustworthiness Research and Development, 221
National Security Agency, 224
Partnerships with Industry, 226
R2 Program, 228
Issues for the Future, 230
Findings, 232
Defense Advanced Research Projects Agency, 232
Issues for the Future, 235
Findings, 236
References, 237
7 CONCLUSIONS AND RESEARCH RECOMMENDATIONS, 240
Protecting the Evolving Public Telephone Network and the Internet, 241
Meeting the Urgent Need for Software That Improves Trustworthiness, 244
Reinventing Security for Computers and Communications, 247
Building Trustworthy Systems from Untrustworthy Components, 250
Social and Economic Factors That Inhibit the Deployment of Trustworthy Technology, 251
Implementing Trustworthiness Research and Development, 253
APPENDIXES
A Study Committee Biographies, 259
B Briefers to the Committee, 267
C Workshop Participants and Agendas, 269
D List of Position Papers Prepared for the Workshops, 279
E Trends in Software, 281
F Some Related Trustworthiness Studies, 285
G Some Operating System Security Examples, 291
H Types of Firewalls, 293
I Secrecy of Design, 296
J Research in Information System Security and Survivability Funded by the NSA and DARPA, 298
K Glossary, 300
INDEX, 319
Trust in Cyberspace