Group: security

topics > Group: computer science

backup processor
database security
digital signature
distributed system security
key distribution
limitations of system security
one-way hash function
operating system security
password protection
power fail recovery
public key encryption
preventing accidental errors
security by access functions
security by access rights
security by audit trail
security by capabilities
security by seal
security by secure domains
security of remotely executed code
security issues with electronic mail
security leaks and weaknesses
distributed systems
operating system
program proving
type checking

communication protocols
debugging by usage rules
error checking in robot programming
error safe systems
flavor analysis and typestates for supplementary type checking
implementation of hypertext databases
mobile code
programming without errors
random number generation
reliability of distributed systems
replicated data
safety critical systems
type checking by trademark
type-safe and secure languages
using hypertext for cooperative work


A system needs to protect itself from unexpected or malicious input. Except for software errors, protection of all input provides protection throughout the system. The idea is to separate the system from its input by certifying input data types, object consistency, and permission rights. Critical operations may be seen as sub-systems with their own input. In any case, unexpected input must be explicitly handled; even if this means an abort.

Malicious input is difficult to defend against. For instance users may use statistical methods to determine a system's implementation. One solution is a specific purpose machine which can only be used as intended, but development, maintenance and debugging require full access to the system's internals. Any hooks provided can also be used by the malicious user. Such access can be restricted if tied to hardware signatures. Then the user must own the master terminal before gaining full system access. (cbb 5/80)

Software errors are an often overlooked aspect of system security. Most security systems must assume that the underlying software is error-free. Two important requirements are limited domains and thorough consistency checking. The limited domains prevents an error from effecting the entire system, and consistency checking confirms the correctness of the software. (cbb 12/92)

Subtopic: secure system up

Quote: good security encompasses prevention, detection, and reaction; e.g., a vault with alarms and the threat of arrest [»schnB_2000]
Quote: computers should be as secure as real-world systems, and people believe it; real-world systems are not very secure [»lampBW6_2004]
Quote: real-world security balances value, locks, and punishment; e.g., use locks to prevent casual intrusion [»lampBW6_2004]
Quote: perfect security is expensive and inconvenient; e.g., safe deposit box [»lampBW6_2004]
Quote: security is needed for secrecy, integrity of resources, availability, and accountability [»lampBW6_2004]
Quote: producing valid systems is a domain dependent activity [»blumBI8_1985]
Quote: simplify user security as my documents, shared documents, and public documents in separate directories; vendors and administrators handle everything else [»lampBW6_2004]
Quote: security concerns user authentication, service authentication, key management, and encryption of communication [»coxR8_2002]
Quote: 1974 security study of Multics is relevant today; like Unix [»kargPA12_2002]
Quote: Multics has better security than most systems today; security was a primary goal; no buffer overflows; minimized complexity

Subtopic: assurance up

Quote: assurance and authenticated operation are important security goals; assurance is correct behavior despite attacks [»englP7_2003]
Quote: the goal of security is assurance that our systems possess only the properties that we want; assurance that systems work properly [»schnB_2000]
Quote: constantly question security; question your assumptions; question your decisions; trust no one, especially yourself [»schnB_2000]

Subtopic: weakest link up

Quote: secure the weakest link in the attack tree; look at the entire vulnerability landscape [»schnB_2000]

Subtopic: security policy up

Quote: first, define the threat model and risks; second, create a security policy; third, design the countermeasures that enforce the policy [»schnB_2000]
Quote: a secure OS needs mandatory security, controlled by a policy administrator, that enforces who has access to data and its encryption [»schnB_2000]
Quote: prefer policy over tunable settings for security and resource allocation; express in terms of goals; allows audit, avoids user error [»kampPH7_2004]
Quote: a shared system must be easy to monitor; policy implications must be clear and testable [»kampPH7_2004]
Quote: provide primitives for easily expressing security policy in broad terms [»kampPH7_2004]

Subtopic: detection up

Quote: detection and punishment are the primary instruments of security
Quote: tampering with a mechanical voting machine is visible after the fact; but a software attack can leave the machine exactly the same [»nislE1_2007]
Quote: modern society does not prevent crime; it detects crime after the fact [»schnB_2000]
Quote: detect intruders in close to real time, while they are still engaged in the attack
Quote: understand the attack and what it means; detect, localize, identify, assess [»schnB_2000]

Subtopic: threat model up

Quote: an attack tree is an AND/OR threat model; OR nodes are alternative attacks, AND nodes are steps to implement the attack [»schnB_2000]
Quote: evaluate a system's vulnerabilities by propagating leaf nodes to the attack tree's root; e.g., PGP

Subtopic: security kernel up

Quote: system boot requires a security coprocessor to store cyrptographic keys for sealed storage and attestation; verifies the kernel's digest and starts in a well-defined state [»englP7_2003]
Quote: construct user devices with a secure clock and a secure supervising program; can not change; runs periodically [»rabiMO10_2005]
Quote: the nexus is a security-critical system manager with an isolated address space, secure agents, authenticated operations, and secure user input and output [»englP7_2003]

Subtopic: secure language up

Quote: a programming language is secure if it does not lead to machine or implementation effects that are inexplicable in terms of the language [»hoarCA_1974]
Quote: a language is secure if it detects most cases where its concepts break down and produce meaningless results [»brinP4_1999]
Quote: correct if correct input leads to correct output; secure if arbitrary inputs do not have undesired consequences [»mitcJC1_2001]
Quote: Cyclone is a safe dialect of C; avoids buffer overflows, format string attacks, and memory management errors; static analysis plus run-time checks and annotations [»jimT6_2002]

Subtopic: encapsulate state up

Quote: prefer object-orientation implementation for shared systems; encapsulates state in a class; avoids globals [»kampPH7_2004]
Quote: prefer component-oriented designs for shared systems; increased flexibility, can easily disable a subsystem [»kampPH7_2004]

Subtopic: user perspective up

Quote: security is a lot easier if you assume trusted and intelligent users; for the most part, insiders are your allies [»schnB_2000]
Quote: security depends on the user perspective, whatever the user wants; e.g, deleting files is often OK [»yeeKP12_2002]
Quote: security and usability should be complementary; both want computers to correctly do what users want [»yeeKP12_2002]
Quote: efficiency and safety of real world actions are often difficult to discern; must be learned; tools can help [»yeeKP12_2002]
Quote: path of least resistance--default settings are secure, avoid accidents, make security easy [»yeeKP12_2002]
Quote: a system is secure for a user if it only does what the user believes it can do [»yeeKP12_2002]
Quote: define security boundaries that matter to the user, with different security policies [»yeeKP12_2002]
Quote: users should explicitly authorize all unexpected behavior; things can't become unsafe by themselves [»yeeKP12_2002]

Subtopic: visible security up

Quote: a user should know that things are safe by knowing how each actor is limited; visible authorities [»yeeKP12_2002]
Quote: view the actor-ability state in terms of granting actions
Quote: users should know their abilities within a security system; e.g., granting an authority that can not be revoked [»yeeKP12_2002]
Quote: users must securely identify objects and actions; if not, an untrusted program can spoof a trusted one [»yeeKP12_2002]
Quote: need expressive language for setting security policy and understanding the consequences of security-related decisions [»yeeKP12_2002]
Quote: require an interactive dialog before unlocking personal accounts; protects against host-resident attacks [»coxR8_2002]

Subtopic: data security up

Quote: to ensure security, a reference monitor must be tamper proof, invoked on every data reference, and small enough to be proven correct [»kargPA6_1974]
Quote: security rings and memory segmentation might be provably secure; e.g., Multics, a descriptor-based system [»kargPA6_1974]

Subtopic: secure server up

Quote: comprehensive protection of the heap with minimal assumptions and low overhead; separates heap data and meta-data; layout obfuscation, random padding between objects, random recycling [»kharM10_2006]

Subtopic: security server up

Quote: the Plan 9 factotum handles the user's keys and security interactions; no cryptographic code in applications; like the SSH agent [»coxR8_2002]
Quote: after factotum is marked 'private', no secret must escape; process memory is inaccessible and never swapped to disk [»coxR8_2002]
Quote: can attack Plan 9's factotum by rebooting the server with a debugging kernel [»coxR8_2002]
Quote: use a encypted data file server to initialize security agent at boot time; uses PAK key exchange; no backup [»coxR8_2002]

Subtopic: content security up

Quote: the Superfingerprint server delivers content identification (e.g. an execution trace), content hashes, and signature verification pairs; verifies authorship [»rabiMO10_2005]
Quote: if the Shield system identifies content, it verifies that current usage matches the usage policy allowed by a tag; no duplicate tags [»rabiMO10_2005]

Subtopic: implicit authorization up

Quote: selecting a file grants a program authority to open the file for reading [»yeeKP12_2002]

Subtopic: revoke authorization up

Quote: revoke authorities to keep the actor-ability state manageable [»yeeKP12_2002]

Subtopic: usage rules up

Quote: bug detectors for thread correctness, performance issue, security violation, usage bug, dropped exception, null pointer, open stream, unchecked return, unconditional wait [»hoveD12_2004]
Quote: ESP checks very large C/C++ programs with a finite state machine of syntactic code patterns; most branches are irrelevant; e.g., security properties over a million lines with 25 false errors [»laruJR5_2004]
Quote: safety check of untrusted machine code by typestate analysis; allows manipulation of host data structures; checks array bounds, address alignment, initialization, null pointers, stack manipulation [»xuZ6_2000]
Quote: use PQL for runtime security protection; dynamically detect and correct SQL injection, cross-site scripting, and path traversal attacks [»martM10_2005]

Subtopic: security key up

Quote: a key is a secret and the context for using the secret; e.g., the protocol, user, and other parameters [»coxR8_2002]
Quote: Plan 9 uses plain text keys

Subtopic: trust management, security system up

Quote: users require a trusted path to the security manager; e.g., ctrl-alt-del [»yeeKP12_2002]
Quote: classify all programs as trusted or untrusted; by signature or explicit trust [»lampBW6_2004]
Quote: use trust-management systems for direct authorization of security-critical actions; combines policy with credentials [»blazM_1999]
Quote: trust-management systems support delegation and policy specification, refinement, and hierarchies
Quote: PolicyMaker trust-management--blackboard system of source s_i approves request r_i via an authorization program [»blazM_1999]
Quote: KeyNote trust-management--depth-first search to satisfy a policy assertion made of conditions and licensees key expressions; no inter-assertion communication [»blazM_1999]
Quote: SD3 trust management computes answer and verified proof together; only certified evaluator in trusted computing base; e.g., a secure name service [»jimT5_2000]
Quote: SD3 extends datalog by associating names with authenticated public keys, e.g., T(x,y):-K$E(x,y) holds if E(x,y) and relation E under keyholder of K [»jimT5_2000]
Quote: SD3 names may be tied to an IP address; e.g., (K@A)$E(x,y) is relation E at A under public key K; remote evaluator returns E(x,y) as a certificate signed by its private key [»jimT5_2000]
Quote: Grid Security Infrastructure is a widely used security infrastructure with single sign-on and site/local security policies [»butlR12_2000]
Quote: GSI entities can delete rights with a proxy; chains of proxy certificates are rooted at the same user certificate [»butlR12_2000]

Subtopic: security as a formal system up

Quote: without a formal semantics or a formal type system, can not reason about Java or the security properties of its libraries [»deanD5_1996]
Quote: use spi calculus for typechecking security protocols using shared-key cryptography [»abadM9_1999]
Quote: EROS has formal verification of security properties and very little performance loss [»shapJS1_2002]
Quote: security is relative; a security proof requires a model of the system and a model of the attacker [»mitcJC1_2001]
Quote: fix security warnings or add annotations; run Splint until done [»evanD1_2002]
Quote: secure DNS resolver in 10 lines of code; easier to understand than BIND's security policy [»jimT5_2000]
Quote: A says S means that principal A supports the statement S; A speaks for B (A=>B) means that if A makes a statement, so does B [»wobbE2_1994]
Quote: 'A as R' means that A is a principal in role R with reduced rights; A=>(A as R) [»wobbE2_1994]
Quote: B|A means B quoting A, i.e., (B says A) says S [»wobbE2_1994]
Quote: 'B for A' means B acts for A; this includes B|A (B quoting A) [»wobbE2_1994]

Subtopic: secure channel up

Quote: a secure OS needs a trusted path to trusted software that cannot be impersonated; is a login screen valid?
Quote: A channel is secure if every message comes from the same process [»wobbE2_1994]
Quote: if Q is a key, 'Q says P=>Q' if Q signs P=>Q; requires a secure channel or a local key

Subtopic: chain of trust up

Quote: a chain of trust by links of the form "Principal P speaks for principal Q about statements in set T"; e.g., key K_Tom speaks for Tom@Gov about everything [»lampBW6_2004]
Quote: a proof of authority consists of verifiable statements; logic of authentication; e.g., Bob speaks for Alice regarding the statements in set T [»howeJ_2000]
Quote: a verifier, guard, or auditor establishes a link in the chain of trust [»lampBW6_2004]
Quote: 'principal says delegation' is evidence for trust; why trust the principal?, who says?, why is the principal willing?
Quote: A says S means that principal A supports the statement S; A speaks for B (A=>B) means that if A makes a statement, so does B [»wobbE2_1994]
Quote: with hierarchical naming, it is an axiom that a parent speaks for the children; the child delegates authority to the parent [»lampBW6_2004]
Quote: every key is the root of a name space; by signing Q==>K/N, Q speaks for K/N [»lampBW6_2004]
Quote: can establish manually that K_intel==>Intel; allows K_intel to say K_Alice==>Alice@Intel [»lampBW6_2004]
Quote: believe K_Alice==> by trusting that K_com==>com; e.g., as signed by Verisign
Quote: a secure hash of a program image is a principal that can not make statements about trust; must be loaded by a trusted host [»lampBW6_2004]
Quote: a capability is a signed delegation for a complete chain of trust; e.g., an open file descriptor; efficient; more complicated setup and revocation [»lampBW6_2004]
Quote: a chain of trust is a proof of an access control decision; store in a tamper-resistant log for auditing and accountability [»lampBW6_2004]

Subtopic: trust by security label up

Quote: a trusted operating system uses a global policy and security labels on processes and objects; labels hold classification data, type, and policy rules [»kampPH7_2004]

Subtopic: separation of duty up

Quote: separation of duty is a conjunction of principals who make the same statement separately; helps prevent insider fraud [»lampBW6_2004]

Subtopic: security by defense in depth up

Quote: improved security through defense in depth; e.g., door locks, window alarms, and motion sensors [»schnB_2000]
Quote: for good security, watch the watchers; e.g., banks and casinos [»schnB_2000]

Subtopic: security by choke point up

Quote: a choke point forces users into a narrow channel for easier monitoring and control; e.g., turnstiles, checkout lanes, doors, firewalls, routers, fraud detectors [»schnB_2000]

Subtopic: security by compartments, namespace up

Quote: compartmentalize security; limit damage from a successful attack; e.g., door keys, user accounts, encrypted files [»schnB_2000]
Quote: hierarchical and protected namespaces permit trust to be assigned with low cost separation between namespace subsets [»kampPH7_2004]
Quote: the jail model substitutes namespace limits for security labels; semi-permeable partitioning of files, processes, and network; no super-user privileges; simple and efficient [»kampPH7_2004]
Quote: an attacker's activities are constrained by the jail and fully visible to the administrator; the jail administrator can inspected anything in the jail [»kampPH7_2004]
Quote: namespace limits prevent access to objects that cannot be named; simple implementation and user-comprehensible behavior [»kampPH7_2004]
Quote: each principal has a root directory of retained objects

Subtopic: fail securely, fail-safe up

Quote: systems should fail securely, i.e., fail-safe; if a firewall crashes, it should not let in any packets [»schnB_2000]

Subtopic: respond to attacks up

Quote: respond to attacks, otherwise detection is a waste [»schnB_2000]
Quote: be vigilant; for detection and response to be effective, it must work always; be prepared for an attack [»schnB_2000]
Quote: recover quickly from attacks; preventative countermeasures fail all the time; field upgrades [»schnB_2000]

Subtopic: untrusted programs and domains up

Quote: sandbox untrusted programs in a completely separate world with separate folders, history, Web cache, etc.
Quote: only communication with untrusted domains by explicit copy or network file share
Quote: a restricted token is a disjunction of principals who must receive access together; e.g., a flaky program can only touch objects that explicitly grant access to the program and another principal [»lampBW6_2004]

Subtopic: security as authorization up

Quote: the gold standard for security consists of authenticating principals, authorizing access, and auditing the guard's decisions [»lampBW6_2004]
Quote: limit damage via the principle of least authority; at the process or object level
Quote: limit damage instead of preventing security attacks [»karpAH12_2003]
Quote: is the key that signed this request authorized to take this action? [»blazM_1999]
Quote: explicitly designate the source of any authority [»shapJS1_2002]
Quote: type checking ensures well-defined operations on data; security checking ensures authorization to execute operations [»brinP_1973]
Quote: CapaFS uses capability file names for ubiquitous access and delegation; separates user identification from authorization [»regaJT8_2001]

Subtopic: security as identity up

Quote: an identity-based cryptosystem uses a trusted key generation computer to generate a public key/private key pair; the public key is the user's network identity for encryption and digital signature [»shamA_1984]
Quote: a principal is an individual or group who is charged for system resources [»dennJB3_1966]

Subtopic: security policy up

Quote: apply security policies to groups of machines; e.g., private access to home folder, shared access to workgroup folders, vendor-approved releases, signed programs [»lampBW6_2004]
Quote: report all exceptions to a security policy; report all changes to a previous set of exceptions
Quote: specify a security policy in terms of sensitive store locations; i.e., locations or files which an applet must not modify [»leroX1_1998]
Quote: simple types are too coarse for a security policy; e.g., a string can be a message, a file name, or a cryptographic key [»leroX1_1998]
Quote: does this set of credentials prove that a request complies with the local security policy?
Quote: a local security policy usually delegates authorization to trusted credential issuers
Quote: a secure program accesses resources as defined by an audited, security policy; including execution time [»hartPH12_2001]

Subtopic: information-flow control up

Quote: use information-flow control for secrecy under bad programs; guards decide if information can flow to a principal [»lampBW6_2004]

Subtopic: security setup up

Quote: security setup constributes nothing to useful output; only noticed if audit or attack [»lampBW6_2004]
Quote: security setup consists of folder structure, access control lists, group memberships, passwords, installed software, trusted machines

Subtopic: secrecy up

Quote: authenticity concerns data sources and timeliness while secrecy concerns data destinations [»abadM9_1999]
Quote: a defender has knowledge of the terrain; keep it obscure; leverage unpredictability in security systems [»schnB_2000]

Subtopic: role-based security up

Quote: Quilt controls activities allowed on a node type according to social roles [»fishRS3_1988]

Subtopic: automated security up

Quote: Unix programmer's workbench protected data automatically; reduced housekeeping chores [»doloTA7_1978]

Subtopic: history up

Quote: multi-programming needs meta-instructions for parallel processing, naming, and protection [»dennJB3_1966]
Quote: duplicating private data at a fork came from Witsenhausen

Group: security up

Topic: authentication (93 items)
Topic: backup processor (3 items)
Topic: database security (12 items)
Topic: digital signature (25 items)
Topic: distributed system security (17 items)
Topic: encryption (45 items)
Topic: key distribution (35 items)
Topic: limitations of system security (39 items)
Topic: one-way hash function (24 items)
Topic: operating system security (18 items)
Topic: password protection (44 items)
Topic: power fail recovery (6 items)
Topic: public key encryption (30 items)
Topic: preventing accidental errors (37 items)
Topic: security by access functions (10 items)
Topic: security by access rights (38 items)
Topic: security by audit trail (18 items)
Topic: security by capabilities (65 items)
Topic: security by seal (16 items)
Topic: security by secure domains (45 items)
Topic: security of remotely executed code (24 items)
Topic: security issues with electronic mail (18 items)
Topic: security leaks and weaknesses
(67 items)

Related Topics up

Group: distributed systems   (14 topics, 348 quotes)
Group: operating system   (27 topics, 924 quotes)
Group: program proving   (10 topics, 311 quotes)
Group: testing   (18 topics, 557 quotes)
Group: type checking   (12 topics, 392 quotes)

Topic: communication protocols (62 items)
Topic: debugging by usage rules (41 items)
Topic: error checking in robot programming (6 items)
Topic: error safe systems (76 items)
Topic: flavor analysis and typestates for supplementary type checking (68 items)
Topic: implementation of hypertext databases (17 items)
Topic: mobile code (14 items)
Topic: programming without errors (28 items)
Topic: random number generation (29 items)
Topic: reliability of distributed systems (35 items)
Topic: replicated data (51 items)
Topic: roles (21 items)
Topic: safety critical systems (32 items)
Topic: trust (21 items)
Topic: type checking by trademark (13 items)
Topic: type-safe and secure languages (43 items)
Topic: using hypertext for cooperative work
(9 items)

Updated barberCB 6/05
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.