The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
Computers at Risk: Safe Computing in the Information Age
extraordinary measures to keep the existence of a successful attack secret from the target.
The threat is adept in circumventing physical and procedural safeguards and has access to clandestine technology.
The threat will deliberately seek the most obscure vulnerability hidden in the darkest corner of the system—on the grounds that this is the one that will permit the maximum long-term exploitation.1
The designers, implementors, and administrators of high-grade countermeasures must begin with the requirement that their system be safe from hacker or criminal attacks and then work to counter the specialized threat of large-scale, long-term, highly covert assaults. Hacker and criminal attacks must be prevented to preclude the high-grade attacker from obtaining "inside information" about the target system from cheap (if short-lived) penetrations and to ensure that the operation of the system is as stable as possible.
The functionality of system elements engineered to high-grade security standards must be even more modest than the functionality that is affordable for elements engineered to withstand hacker and criminal attacks. High-grade countermeasure engineering has traditionally been associated with communications security devices and subsystems; the committee anticipates that it will, in the future, be applied to selected computer security functions such as reference monitors. In particular, this committee does not foresee that it will ever be feasible to apply high-grade countermeasures to a multitude of system elements, since technical advances that benefit the designer of countermeasures often benefit the attacker even more.2 This circumstance has important implications for the system-wide trade-offs that have to be made when a high-grade threat is considered.
The inevitability of "tunneling" attacks has to be taken into account and the analysis and control carried down to the lowest possible layer of abstraction. A tunneling attack attempts to exploit a weakness in a system that exists at a level of abstraction lower than that used by the developer to design and/or test the system. For example, an attacker might discover a way to modify the microcode of a processor that is used when encrypting some data, rather than attempting to break the system's encryption scheme. The requirement that tunneling attacks be anticipated can substantially increase the cost of high-grade countermeasures, because it can preclude the use of offshore components (in the case of national security systems) or components made by commercial rivals (in the case of industrial systems.)
A higher emphasis on reliability is required, because a high-grade threat must be assumed to have the ability to monitor system behavior and take advantage of component failures. This raises cost and