BKCMSCAS.RVW 20030122

"Computer Security: Art and Science", Matt Bishop, 2003, 0-201-44099-7, U$74.99/C$116.99
%A   Matt Bishop bishop@cs.ucdavis.edu nob.cs.ucdavis.edu/~bishop/
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-201-44099-7
%I   Addison-Wesley Publishing Co.
%O   U$74.99/C$116.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0201440997/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0201440997/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201440997/robsladesin03-20
%P   1084 p.
%T   "Computer Security: Art and Science"

First off, the book is very academic: heavy on formal methods, formal models, and symbolic logic, while rather light on explanation. In addition, the preface says that the goal of the book is to make certain points. The first is to prove that theory is relevant to practice. I would agree, but the initial example used to illustrate this is less than convincing. Moreover, as the book progresses, it is easy to see where Bishop tries to prove this point, and extremely difficult to see where he supports the thesis. Second, he wants to say that cryptography is not the same as security (I would have thought that was self-evident to anyone with the slightest experience in the field, and Bruce Schneier made that point in "Secrets and Lies" [cf. BKSECLIE.RVW]). Third is that security is an art as well as a science. I am in sympathy with this last assertion, but it is somewhat at odds with other aspects of the work. For example, "assurance" is seen as a major factor in the volume, and the introduction to the topic appears to prove that assurance relies upon a strict adherence to the scientific aspect of security.

Part one is an introduction to security. Chapter one is an overview of security concepts.
It is written with an apparent authority that masks a number of gaps, and the fact that it is a compilation of concepts and terms with little analysis. For example, the seeming attempt to relate the basic security requirements of confidentiality, availability, and integrity (the famous "CIA" triad) to Robert Shirey's proposed classes of threats may confuse some readers, partly because the CIA triad has three members to Shirey's basic four, and also because it may not be clear how the Shirey taxonomy relates to errors. The examples given in the book are overly detailed, and therefore it is confusing to try to extract the main point of an illustration. There are questions at the end of the chapter. They are not the simplistic reading checks of all too many books, but Bishop goes too far in the other direction. The questions are unstructured and open-ended, admitting of no particular answer. They may be useful for the teacher trying to prompt discussion, but students will find them vague and probably irrelevant.

Part two is entitled "Foundations." It is possible to get a vague idea of why Bishop thinks this is so, but the material is hardly compelling. Chapter two takes an overly formal and, again, underexplained look at the access control matrix. Rather ironically, in the midst of this blizzard of symbolic logic, the author tries to promote the simplicity and practicality of the model. The tutorial material almost completely vanishes under the avalanche of set theory proofs in chapter three, as Bishop tries to pull foundational results out of the Harrison-Ruzzo-Ullman work, and others.

Part three looks at policy, but not in the sense that most professionals would think of it. Chapter four defines security policies strictly in terms of allowed states, although it does later discuss the more widely recognized management policies.
In fact we are presented with a large number of rather questionable definitions, such as military policy (equivalent to confidentiality, apparently) and identity-based access control (IBAC, which Bishop says is the same as discretionary access control, a very questionable equation). We are, however, given a respite from symbolic logic for a while. There is an attempt to relate the Bell-LaPadula model, as an example of confidentiality policy, to the Data General B2 UNIX and Multics, in chapter five. Biba and Clark-Wilson are, of course, the integrity policies reviewed in chapter six. Chapter seven, though, tries to express Chinese Wall and medical information systems as formal "hybrid policies," and doesn't do very well. Non-interference and policy composition, in chapter eight, endeavours to address covert channels, but doesn't say anything very clearly.

Part four looks at cryptography, but in a rather disorganized manner. Chapter nine outlines the basics of cryptography, and does a surprisingly good job of discussing substitution and transposition ciphers, along with a variety of frequency analysis attacks to beat them, then gives examples of the fundamental asymmetric algorithms, and ends with cryptographic checksums. The rudimentary requirements of key management are described in chapter ten, which also introduces digital signatures. Chapter eleven seems to be an attempt to discuss design requirements for "real" (rather than theoretical) cryptosystems. Authentication, in chapter twelve, deals with passwords, challenge/response systems, and biometrics, and only touches on cryptography in passing.

Part five talks about systems, but repeats a lot of earlier material. Chapter thirteen is a good list of design principles, although not all of them are explained well. A variety of entities that need to have their identity represented are listed in chapter fourteen, which also discusses certificates, following some of the content from the cryptographic section.
Chapter fifteen deals with access control mechanisms, expanding on chapter two. The topic of information flow, in chapter sixteen, starts out with a repeat of part three, and then tries to address topics related to systems development. Chapter seventeen, on the confinement problem, is mostly a repeat, and expansion, of the covert channel discussion from chapter five.

Part six, on assurance, is written by Elizabeth Sullivan, and is an altogether different book. Chapter eighteen, the introduction, covers what assurance is and why it is needed, and is excellent. Building systems with assurance, in chapter nineteen, describes architectural and procedural factors in security design. Formal methods, and a number of examples of tools for formal methods, are reviewed in chapter twenty. Chapter twenty-one, on evaluating systems, provides a terrific overview of TCSEC (Trusted Computer System Evaluation Criteria), ITSEC (Information Technology Security Evaluation Criteria), FIPS-140, and the Common Criteria (and one could only wish she had covered British Standard 7799 or ISO 17799 as well).

Part seven deals with special topics. Chapter twenty-two, on malicious logic, shows that while Bishop has read some of the good books on viruses, he has also read some very questionable material, and passes along some of the persistent myths. Cohen's proof of "undecidability" in virus detection (section 22.6) is not well explained for those not completely familiar with both symbolic logic and Turing machines. Therefore, the relevance of the proof to practical security is not clear, since it seems to address only appending or prepending viruses, which are difficult concepts to apply to modern email viruses. Vulnerability analysis, in chapter twenty-three, flips back and forth between efforts to describe academic work in relation to penetration testing, and telling stories about exploits.
In chapter twenty-four, supposedly on auditing, it is quite apparent that Bishop simply cannot wait to discuss intrusion detection systems, which actually aren't due until chapter twenty-five.

Part eight, "Practicum," purports to use the earlier material in practical settings. Chapters twenty-six to twenty-nine relate points from earlier chapters to a fictitious company in terms of network, system, user, and program security.

Part nine, entitled "End Matter," contains essays or appendices on lattices (the mathematical ones, not the security access lattices), the extended Euclidean algorithm, entropy, virtual machines, symbolic logic, and a sample academic security policy. None are terribly helpful.

One extremely odd aspect of the book is that figures are set in the same font as the text, and are not distinguished in any way, so having figures and text on the same page can make it very confusing to separate the two.

Having cavilled my way through the entire book, I do have to admit that there is a good deal of solid security material contained within the pages. In the hands of a really competent teacher, this volume could be used to teach a fairly theoretical course in many aspects of security. I'm not sure that I'd want to inflict it on any students in any course I'd be likely to teach, no matter how annoyed I got with them. The overriding problem is to extract the decent content, and organize it in a reasonable fashion. Bishop does not, in the end, seem to provide much evidence for his assertion that theory is relevant to practice. As far as security being an art is concerned, he makes it out to be a very arcane one. I could not, in good conscience, recommend this as the sole text for any course. And I'd be hard pressed to recommend it as reference material for anyone else.

copyright, Robert M. Slade, 2003   BKCMSCAS.RVW   20030122