BKBSECCS.RVW 930924

Van Nostrand Reinhold
115 Fifth Ave.
New York, NY 10003

"Building a Secure Computer System", Gasser, 1988

The foreword paints a glowing picture of a "practical, understandable, and thoroughly accurate" book. So much so that one wonders if the author didn't work for the person who wrote the foreword. (I have great difficulty imagining a data security text as a "page turner".) The writer of the foreword shares with the author of the book a profound bias against the "social" aspects of security, and for technical solutions.

The preface states that this work is for professionals who want to understand technical solutions to computer security problems. The author feels that database security and encryption are sufficiently dealt with in other works, and, therefore, concentrates on operating systems, hardware architecture, networks and practical verification.

The book is divided into three parts: an overview, detailed concepts and implementation.

Part one, only forty pages long, could easily have been a single chapter, but is divided into four separate chapters on a definition, problems, general concepts and design techniques. This overview is fairly complete, but extremely vague (and, truth to tell, very boring). For example, chapter three emphasizes the importance of defining the "system boundary", but fails to define the system more precisely than "a vague entity". Both chapters two and three stress the author's opinion that the solutions to computer security are technical, rather than social or procedural. I say opinion, since the author never even attempts to prove his contention, indeed, admitting that "nearly all recorded cases of computer fraud and abuse are nontechnical".

Part two, as the title says, gives more detail about security concepts, although still limiting itself to technical factors. Chapter five discusses the importance of planning the security into the architecture from the beginning, as well as some principles to do with design.
The practicality of the material is open to question. Section 5.3 recommends a minimum of security level granularity under the principle of "economy of mechanism"; section 5.4 recommends a maximum of granularity under the principle of "least privilege". No attempt is made to reconcile or balance the two. The content is also subject to generalities, at times vague to the point of inaccuracy. The opening statement about the conflict of capability, flexibility, performance, ease of use and cost states that there is no "inherent" conflict between them: in fact the inverse relationship between speed (performance) and power consumption (a cost factor) has now been proven.

Chapter six discusses access control in fairly standard fashion.

I found chapter seven to be quite fascinating. Given the copyright date (1988) this is a thoughtful and insightful coverage of theoretical aspects of trojan horse and viral programs. The author is still too confident of mandatory access controls, but the general framework is sound.

Part three does discuss aspects related to implementation. Hardware security mechanisms are touched on (although most of the discussion deals with matters more relevant to the operating system), security models, security kernels, operating system architectures, formal specifications and verification, and networks and distributed systems. The material included, however, will not assist you in any implementation, but will only raise issues and areas which you may want to study further. The author's "secure hardware" bias is also evident in the statement that software cannot damage hardware: although it is generally conceded that hardware which can be damaged by software is a careless and unnecessary fault in the design, examples of hardware which would fail under certain "instructions" go back to the earliest computers.
For all of the slightly derisive comments about research systems and "exhaustive academic" studies, this finally gives the feeling of being a non-exhaustive academic study. It reads very much like a textbook, and is delivered in a lecturing style of pronouncement. The course, if course it is, is an introduction to the topic rather than advanced study.

For all of that, there is definite value here, if of a limited nature. The title is accurate: this is for those who want to *build* a secure system--from the ground up. The coverage of topics is reasonably complete, although for the details themselves, you will have to go elsewhere.

(There is an unintentional pun on the front cover. The illustration is the standard "no" of the red circle with a line through it. The illustration within the circle is of a finger pressing the "Enter" key. "Do Not Enter" is really too strong a warning to be applied to this book.)

copyright Robert M. Slade, 1993

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag