Computers at Risk

Safe Computing In the Information Age

System Security Study Committee

Computer Science and Telecommunications Board

Commission on Physical Sciences, Mathematics, and Applications

National Research Council

NATIONAL ACADEMY PRESS
1991





National Academy Press
2101 Constitution Avenue, N.W.
Washington, D.C. 20418

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Frank Press is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Robert M. White is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Samuel O. Thier is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Frank Press and Dr. Robert M. White are chairman and vice chairman, respectively, of the National Research Council.

Support for this project was provided by the Defense Advanced Research Projects Agency under Contract No. N00014-89-J-1731. However, the content does not necessarily reflect the position or the policy of the Defense Advanced Research Projects Agency or the government, and no official endorsement should be inferred.

Library of Congress Cataloging-in-Publication Data
Computers at risk: safe computing in the information age / System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council.
p. cm.
Includes bibliographical references.
ISBN 0-309-04388-3
1. Computer security. I. National Research Council (U.S.). Computer Science and Telecommunications Board. System Security Study Committee.
QA76.9.A25C6663 1990
005.8—dc20
90-22329
CIP

Copyright © 1991 by the National Academy of Sciences

No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise copied for public or private use, without written permission from the publisher, except for the purposes of official use by the U.S. government.

Printed in the United States of America

First Printing, December 1990
Second Printing, March 1991
Third Printing, April 1992
Fourth Printing, January 1992
Fifth Printing, March 1994

SYSTEM SECURITY STUDY COMMITTEE

DAVID D. CLARK, Massachusetts Institute of Technology, Chairman
W. EARL BOEBERT, Secure Computing Technology Corporation
SUSAN GERHART, Microelectronics and Computer Technology Corporation
JOHN V. GUTTAG, Massachusetts Institute of Technology
RICHARD A. KEMMERER, University of California at Santa Barbara
STEPHEN T. KENT, BBN Communications
SANDRA M. MANN LAMBERT, Security Pacific Corporation
BUTLER W. LAMPSON, Digital Equipment Corporation
JOHN J. LANE, Shearson, Lehman, Hutton, Inc.
M. DOUGLAS McILROY, AT&T Bell Laboratories
PETER G. NEUMANN, SRI International
MICHAEL O. RABIN, Harvard University
WARREN SCHMITT, Sears Technology Services
HAROLD F. TIPTON, Rockwell International
STEPHEN T. WALKER, Trusted Information Systems, Inc.
WILLIS H. WARE, The RAND Corporation

MARJORY S. BLUMENTHAL, Staff Director
FRANK PITTELLI, CSTB Consultant
DAMIAN M. SACCOCIO, Staff Officer
MARGARET A. KNEMEYER, Staff Associate
DONNA F. ALLEN, Administrative Secretary
CATHERINE A. SPARKS, Senior Secretary

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

JOSEPH F. TRAUB, Columbia University, Chairman
ALFRED V. AHO, AT&T Bell Laboratories
JOHN SEELY BROWN, Xerox Corporation Palo Alto Research Center
FRANK P. CARRUBBA, Hewlett-Packard Company
DAVID J. FARBER, University of Pennsylvania
SAMUEL H. FULLER, Digital Equipment Corporation
JAMES FREEMAN GILBERT, University of California at San Diego
WILLIAM A. GODDARD III, California Institute of Technology
JOHN L. HENNESSY, Stanford University
JOHN E. HOPCROFT, Cornell University
MITCHELL D. KAPOR, ON Technology, Inc.
SIDNEY KARIN, San Diego Supercomputer Center
LEONARD KLEINROCK, University of California at Los Angeles
ROBERT LANGRIDGE, University of California at San Francisco
ROBERT L. MARTIN, Bell Communications Research
WILLIAM F. MILLER, SRI International
ABRAHAM PELED, IBM T.J. Watson Research Center
RAJ REDDY, Carnegie Mellon University
JEROME H. SALTZER, Massachusetts Institute of Technology
MARY SHAW, Carnegie Mellon University
ERIC E. SUMNER, Institute of Electrical and Electronics Engineers
IVAN E. SUTHERLAND, Sutherland, Sproull & Associates
GEORGE L. TURIN, Teknekron Corporation
VICTOR VYSSOTSKY, Digital Equipment Corporation
WILLIS H. WARE, The RAND Corporation
WILLIAM WULF, University of Virginia

MARJORY S. BLUMENTHAL, Staff Director
ANTHONY M. FORTE, Senior Staff Officer
HERBERT LIN, Staff Officer
DAMIAN M. SACCOCIO, Staff Officer
RENEE A. HAWKINS, Staff Associate
DONNA F. ALLEN, Administrative Secretary
LINDA L. JOYNER, Project Assistant
CATHERINE A. SPARKS, Senior Secretary

COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS*

NORMAN HACKERMAN, Robert A. Welch Foundation, Chairman
PETER J. BICKEL, University of California at Berkeley
GEORGE F. CARRIER, Harvard University
HERBERT D. DOAN, The Dow Chemical Company (retired)
DEAN E. EASTMAN, IBM T.J. Watson Research Center
MARYE ANNE FOX, University of Texas
PHILLIP A. GRIFFITHS, Duke University
NEAL F. LANE, Rice University
ROBERT W. LUCKY, AT&T Bell Laboratories
CHRISTOPHER F. McKEE, University of California at Berkeley
RICHARD S. NICHOLSON, American Association for the Advancement of Science
JEREMIAH P. OSTRIKER, Princeton University Observatory
ALAN SCHRIESHEIM, Argonne National Laboratory
ROY F. SCHWITTERS, Superconducting Super Collider Laboratory
KENNETH G. WILSON, Ohio State University

NORMAN METZGER, Executive Director

* The project that is the subject of this report was initiated under the predecessor group of the Commission on Physical Sciences, Mathematics, and Applications, which was the Commission on Physical Sciences, Mathematics, and Resources, whose members are listed in Appendix G.


Preface

The Computer Science and Technology Board, which became the Computer Science and Telecommunications Board in September 1990, formed the System Security Study Committee in response to a fall 1988 request from the Defense Advanced Research Projects Agency (DARPA) to address the security and trustworthiness of U.S. computing and communications systems. The committee was charged with developing a national research, engineering, and policy agenda to help the United States achieve a more trustworthy computing technology base by the end of the century. DARPA asked the committee to take a broad outlook—to consider the interrelationship of security and other qualities (e.g., safety and reliability), commercialization as well as research, and the diverse elements of the research and policy communities. In keeping with DARPA's initial request, the committee focused on security aspects but related them to other elements of trustworthiness.

The System Security Study Committee was composed of sixteen individuals from industry and academia, including computer and communications security researchers and practitioners and software engineers. It met in May, August, and November of 1989 and in February, April, and July of 1990. Its deliberations were complemented by briefings from and interviews with a variety of federal government researchers and officials and security experts and others from industry.

A central feature of the committee's work was the forging of a consensus in the face of different technical and professional perspectives. While the committee drew on both the research literature and publications aimed at security practitioners, it sought to combine the research and practitioner perspectives to provide a more unified assessment than might perhaps be typical. Given the goal of producing an unclassified report, the committee focused on the protection of sensitive but unclassified information in computer and communications systems. The orientation toward an unclassified report also limited the extent to which the committee could probe tensions in federal policy between intelligence-gathering and security-providing objectives.

This report of the System Security Study Committee presents its assessment of key computer and communications security issues and its recommendations for enhancing the security and trustworthiness of the U.S. computing and communications infrastructure.

David D. Clark, Chairman
System Security Study Committee

Acknowledgments

The System Security Study Committee appreciates the generous assistance provided by Carl Landwehr of the Naval Research Laboratory and a group of federal liaisons that he coordinated, including Anthony Adamski of the Federal Bureau of Investigation, Dennis Branstad of the National Institute of Standards and Technology, Leon Breault of the Department of Energy, Richard Carr of the National Aeronautics and Space Administration, Richard DeMillo of the National Science Foundation (preceded by John Gannon), C. Terrance Ireland of the National Security Agency, Stuart Katzke of the National Institute of Standards and Technology, Robert Morris of the National Security Agency, Karen Morrissette of the Department of Justice, Mark Scher of the Defense Communications Agency, and Kermith Speierman of the National Security Agency. These individuals made themselves and their associates available to the committee to answer questions, provide briefings, and supply valuable reference materials.

The committee is grateful for special briefings provided by William Vance of IBM, John Michael Williams of Unisys, and Peter Wild of Coopers and Lybrand. Additional insight into specific issues was provided by several individuals, including in particular Mark Anderson of the Australian Electronics Research Laboratory, Carolyn Conn of GE Information Services, Jay Crawford of the Naval Weapons Center at China Lake, California, George Dinolt of Ford Aerospace Corporation, Morrie Gasser and Ray Modeen of Digital Equipment Corporation, James Giffin of the Federal Trade Commission, J. Thomas Haigh of Secure Computing Technology Corporation, James Hearn of the National Security Agency, Frank Houston of the Food and Drug Administration, Christian Jahl of the German Industrie Anlagen Betriebs Gesellschaft, Ian King of the U.K. Communications-Electronics Security Group, Stewart Kowalski of the University of Stockholm, Milan Kuchta of the Canadian Communications Security Establishment, Timothy Levin of Gemini Computers, Inc., Michael Nash representing the U.K. Department of Trade and Industry, Stephen Purdy and James Bauer of the U.S. Secret Service, John Shore of Entropic Research Laboratory, Inc., Linda Vetter of Oracle Corporation, Larry Wills of IBM, and the group of 30 corporate security officers who participated in a small, informal survey of product preferences.

The committee appreciates the encouragement and support of Stephen Squires and William Scherlis of DARPA, who provided guidance, insights, and motivation. It is particularly grateful for the literally hundreds of suggestions and criticisms provided by the ten anonymous reviewers of an early draft. Those inputs helped the committee to tighten and strengthen its presentation, for which it, of course, remains responsible.

Finally, the committee would like to acknowledge the major contribution that the staff of the Computer Science and Telecommunications Board has made to this report, in particular thanking Marjory Blumenthal, Damian Saccocio, Frank Pittelli, and Catherine Sparks. They supplied not only very capable administrative support, but also substantial intellectual contributions to the development of the report. The committee also received invaluable assistance from its editor, Susan Maurizi, who labored under tight time constraints to help it express its ideas on a complex and jargon-filled subject. It could not have proceeded effectively without this level of support from the National Research Council.

David D. Clark, Chairman
System Security Study Committee

Contents

EXECUTIVE SUMMARY, 1

1 OVERVIEW AND RECOMMENDATIONS, 7
    Computer System Security Concerns, 8
    Trends—the Growing Potential for System Abuse, 10
    The Need to Respond, 11
    Toward a Planned Approach, 13
    Achieving Understanding, 13
    The Nature of Security: Vulnerability, Threat, and Countermeasure, 13
    Special Security Concerns Associated with Computers, 15
    Security Must Be Holistic—Technology, Management, and Social Elements, 17
    Commercial and Military Needs Are Different, 18
    Putting the Need for Secrecy into Perspective, 20
    Building on Existing Foundations, 21
    Scope, Purpose, Contents, and Audience, 24
    Recommendations, 26
    Recommendation 1: Promulgate Comprehensive Generally Accepted System Security Principles (GSSP), 27
    Recommendation 2: Take Specific Short-term Actions That Build on Readily Available Capabilities, 32
    Recommendation 3: Gather Information and Provide Education, 36
    Recommendation 4: Clarify Export Control Criteria, and Set Up a Forum for Arbitration, 37
    Recommendation 5: Fund and Pursue Needed Research, 39
    Recommendation 6: Establish an Information Security Foundation, 43
    Conclusion, 45
    Notes, 45

2 CONCEPTS OF INFORMATION SECURITY, 49
    Security Policies—Responding to Requirements for Confidentiality, Integrity, and Availability, 52
    Confidentiality, 52
    Integrity, 54
    Availability, 54
    Examples of Security Requirements for Different Applications, 55
    Management Controls—Choosing the Means to Secure Information and Operations, 56
    Preventing Breaches of Security—Basic Principles, 56
    Responding to Breaches of Security, 59
    Developing Policies and Appropriate Controls, 59
    Risks and Vulnerabilities, 61
    Securing the Whole System, 65
    Appendix 2.1—Privacy, 66
    Appendix 2.2—Informal Survey to Assess Security Requirements, 69
    Notes, 72

3 TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS, 74
    Specification vs. Implementation, 75
    Specification: Policies, Models, and Services, 76
    Policies, 77
    Models, 80
    Flow Model, 80
    Access Control Model, 81
    Services, 83
    Authentication, 84
    Authorization, 87
    Auditing, 88
    Implementation: The Trusted Computing Base, 88
    Computing, 91
    Hardware, 91
    Operating System, 92
    Applications and the Problem of Malicious Code, 93
    Communications, 93
    Secure Channels, 94
    Authenticating Channels, 96
    Security Perimeters, 98
    Methodology, 99
    Conclusion, 99
    Notes, 100

4 PROGRAMMING METHODOLOGY, 102
    Software Is More Than Code, 104
    Simpler Is Better, 106
    The Role of Programming Languages, 107
    The Role of Specifications, 108
    Relating Specifications to Programs, 109
    Formal Specification and Verification, 111
    Hazard Analysis, 113
    Structuring the Development Process, 114
    Managing Software Procurement, 115
    Scheduling Software Development, 116
    Education and Training, 117
    Management Concerns in Producing Secure Software, 118
    What Makes Secure Software Different, 119
    Recommended Approaches to Sound Development Methodology, 120
    Notes, 122

5 CRITERIA TO EVALUATE COMPUTER AND NETWORK SECURITY, 124
    Security Evaluation Criteria in General, 125
    Security Characteristics, 125
    Assurance Evaluation, 127
    Trade-offs in Grouping of Criteria, 130
    Comparing National Criteria Sets, 133
    Reciprocity Among Criteria Sets, 135
    System Certification vs. Product Evaluation, 137
    Recommendations for Product Evaluation and System Certification Criteria, 139
    Notes, 141

6 WHY THE SECURITY MARKET HAS NOT WORKED WELL, 143
    The Market for Trustworthy Systems, 143
    A Soft Market: Concerns of Vendors, 146
    Federal Government Influence on the Market, 149
    Procurement, 149
    Strategic Federal Investments in Research and Development, 150
    Export Controls as a Market Inhibitor, 152
    Technology Transfer: Rationale for Controlling Security Exports, 153
    Export Control of Cryptographic Systems and Components, 154
    Export Control of Trusted Systems, 156
    The Commercial Imperative, 157
    Consumer Awareness, 159
    Insurance as a Market Lever, 161
    Education and Incident Tracking for Security Awareness, 162
    Education, 162
    Incident Reporting and Tracking, 163
    Technical Tools to Compensate for Limited Consumer Awareness, 164
    Regulation as a Market Influence: Product Quality and Liability, 165
    Product Quality Regulations, 166
    Product Liability as a Market Influence, 167
    Software and Systems Present Special Problems, 170
    Toward Equitable Allocation of Liability, 171
    Appendix 6.1—Export Control Process, 173
    Appendix 6.2—Insurance, 174
    Notes, 176

7 THE NEED TO ESTABLISH AN INFORMATION SECURITY FOUNDATION, 179
    Actions Needed to Improve Computer Security, 179
    Attributes and Functions of the Proposed New Institution, 180
    Other Organizations Cannot Fulfill ISF's Mission, 183
    Government Organizations, 183
    Private Organizations, 184
    Why ISF's Mission Should Be Pursued Outside of the Government, 185
    A New Not-for-profit Organization, 186
    Critical Aspects of an ISF Charter, 187
    Start-up Considerations, 188
    Funding the ISF, 188
    Alternatives to the ISF, 190
    Appendix 7.1—A History of Government Involvement, 192
    Appendix 7.2—Security Practitioners, 201
    Notes, 204

8 RESEARCH TOPICS AND FUNDING, 206
    A Proposed Agenda for Research to Enhance Computer Security, 208
    Directions for Funding Security Research, 211
    Funding by the Defense Advanced Research Projects Agency, 212
    Funding by the National Science Foundation, 212
    Promoting Needed Collaboration, 213
    Notes, 214

BIBLIOGRAPHY, 216

APPENDIXES
    A The Orange Book, 243
    B Selected Topics in Computer Security Technology, 246
    C Emergency Response Teams, 276
    D Models for GSSP, 278
    E High-grade Threats, 283
    F Glossary, 286
    G List of Members of the Former Commission on Physical Sciences, Mathematics, and Resources, 303
