Introduction to Computer Security

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.

ISBN: 9780321247445 | 0321247442
Cover: Hardcover
Copyright: 10/26/2004

Rent Book

(Recommended)

$56.90

Term

Due

Price

Semester

Jul 30

$56.90

Quarter

Jul 16

$52.52

Short Term

Jun 21

$48.14

*This item is part of an exclusive publisher rental program and requires an additional convenience fee. This fee will be reflected in the shopping cart.
Buy Used Book

Usually Ships in 3-5 Business Days

$59.96
Buy New Book

Currently Available, Usually Ships in 24-48 Hours

$79.12

Excerpts

An excellent, beautifully written introduction to the subject of computer security - by a master teacher and practitioner.

Preface

xxv

Goals

xxvi

Philosophy

xxvii

Organization

xxix

Differences Between this Book and Computer Security: Art and Science

xxx

Special Acknowledgment

xxxi

Acknowledgments

xxxi

An Overview of Computer Security

(26)

The Basic Components

(3)

Confidentiality

(1)

Integrity

(1)

Availability

(1)

Threats

(3)

Policy and Mechanism

(2)

Goals of Security

(1)

Assumptions and Trust

(1)

Assurance

(4)

Specification

(1)

Design

(1)

Implementation

(2)

Operational Issues

(3)

Cost-Benefit Analysis

(1)

Risk Analysis

(1)

Laws and Customs

(1)

Human Issues

(3)

Organizational Problems

(1)

People Problems

(1)

Tying It All Together

(1)

Summary

(1)

Further Reading

(1)

Exercises

(5)

Access Control Matrix

(10)

Protection State

(1)

Access Control Matrix Model

(3)

Protection State Transitions

(3)

Conditional Commands

(1)

Summary

(1)

Further Reading

(1)

Exercises

(2)

Foundational Results

(8)

The General Question

(1)

Basic Results

(5)

Summary

(1)

Further Reading

(1)

Exercises

(1)

Security Policies

(16)

Security Policies

(4)

Types of Security Policies

(2)

The Role of Trust

(2)

Types of Access Control

(1)

Example: Academic Computer Security Policy

(4)

General University Policy

(1)

Electronic Mail Policy

(1)

The Electronic Mail Policy Summary

(1)

The Full Policy

(1)

Implementation at UC Davis

(1)

Summary

(1)

Further Reading

(1)

Exercises

(2)

Confidentiality Policies

(12)

Goals of Confidentiality Policies

(1)

The Bell-LaPadula Model

(8)

Informal Description

(4)

Example: The Data General B2 UNIX System

(1)

Assigning MAC Labels

(3)

Using MAC Labels

(1)

Summary

(1)

Further Reading

(1)

Exercises

(2)

Integrity Policies

(10)

Goals

(2)

Biba Integrity Model

(1)

Clark-Wilson Integrity Model

(6)

The Model

(2)

Comparison with the Requirements

(1)

Comparison with Other Models

(1)

Summary

(1)

Further Reading

(1)

Exercises

(1)

Hybrid Policies

(14)

Chinese Wall Model

(5)

Bell-LaPadula and Chinese Wall Models

(1)

Clark-Wilson and Chinese Wall Models

(1)

Clinical Information Systems Security Policy

(3)

Bell-LaPadula and Clark-Wilson Models

(1)

Originator Controlled Access Control

(1)

Role-Based Access Control

(2)

Summary

(1)

Further Reading

(1)

Exercises

(2)

Basic Cryptography

(26)

What Is Cryptography?

(1)

Classical Cryptosystems

(15)

Transposition Ciphers

(1)

Substitution Ciphers

100

(1)

Vigenere Ciphers

101

(6)

One-Time Pad

107

(1)

Data Encryption Standard

108

(4)

Other Classical Ciphers

112

(1)

Public Key Cryptography

113

(3)

RSA

114

(2)

Cryptographic Checksums

116

(3)

HMAC

118

(1)

Summary

119

(1)

Further Reading

119

(1)

Exercises

120

(3)

Key Management

123

(22)

Session and Interchange Keys

124

(1)

Key Exchange

124

(6)

Classical Cryptographic Key Exchange and Authentication

125

(3)

Kerberos

128

(1)

Public Key Cryptographic Key Exchange and Authentication

129

(1)

Cryptographic Key Infrastructures

130

(6)

Certificate Signature Chains

131

(1)

X.509: Certification Signature Chains

132

(2)

PGP Certificate Signature Chains

134

(2)

Summary

136

(1)

Storing and Revoking Keys

136

(1)

Key Storage

136

(1)

Key Revocation

137

(1)

Digital Signatures

137

(3)

Classical Signatures

138

(1)

Public Key Signatures

139

(1)

Summary

140

(1)

Further Reading

141

(1)

Exercises

142

(3)

Cipher Techniques

145

(26)

Problems

145

(2)

Precomputing the Possible Messages

145

(1)

Misordered Blocks

146

(1)

Statistical Regularities

146

(1)

Summary

147

(1)

Stream and Block Ciphers

147

(6)

Stream Ciphers

148

(1)

Synchronous Stream Ciphers

148

(2)

Self-Synchronous Stream Ciphers

150

(1)

Block Ciphers

151

(1)

Multiple Encryption

152

(1)

Networks and Cryptography

153

(3)

Example Protocols

156

(12)

Secure Electronic Mail: PEM

156

(1)

Design Principles

157

(1)

Basic Design

158

(1)

Other Considerations

159

(1)

Conclusion

160

(1)

Security at the Network Layer: IPsec

161

(1)

IPsec Architecture

162

(3)

Authentication Header Protocol

165

(1)

Encapsulating Security Payload Protocol

166

(1)

Conclusion

167

(1)

Summary

168

(1)

Further Reading

168

(1)

Exercises

169

(2)

Authentication

171

(28)

Authentication Basics

171

(1)

Passwords

172

(14)

Attacking a Password System

174

(1)

Countering Password Guessing

175

(1)

Random Selection of Passwords

176

(1)

Pronounceable and Other Computer-Generated Passwords

177

(1)

User Selection of Passwords

178

(4)

Reusable Passwords and Dictionary Attacks

182

(1)

Guessing Through Authentication Functions

183

(1)

Password Aging

184

(2)

Challenge-Response

186

(4)

Pass Algorithms

186

(1)

One-Time Passwords

187

(1)

Hardware-Supported Challenge-Response Procedures

188

(1)

Challenge-Response and Dictionary Attacks

189

(1)

Biometrics

190

(3)

Fingerprints

190

(1)

Voices

191

(1)

Eyes

191

(1)

Faces

191

(1)

Keystrokes

192

(1)

Combinations

192

(1)

Caution

192

(1)

Location

193

(1)

Multiple Methods

193

(2)

Summary

195

(1)

Further Reading

196

(1)

Exercises

196

(3)

Design Principles

199

(12)

Overview

199

(2)

Design Principles

201

(6)

Principle of Least Privilege

201

(1)

Principle of Fail-Safe Defaults

202

(1)

Principle of Economy of Mechanism

202

(1)

Principle of Complete Mediation

203

(1)

Principle of Open Design

204

(1)

Principle of Separation of Privilege

205

(1)

Principle of Least Common Mechanism

206

(1)

Principle of Psychological Acceptability

206

(1)

Summary

207

(1)

Further Reading

208

(1)

Exercises

208

(3)

Representing Identity

211

(26)

What Is Identity?

211

(1)

Files and Objects

212

(1)

Users

213

(1)

Groups and Roles

214

(1)

Naming and Certificates

215

(6)

The Meaning of the Identity

218

(2)

Trust

220

(1)

Identity on the Web

221

(12)

Host Identity

221

(1)

Static and Dynamic Identifiers

222

(2)

Security Issues with the Domain Name Service

224

(1)

State and Cookies

225

(1)

Anonymity on the Web

226

(4)

Anonymity for Better or Worse

230

(3)

Summary

233

(1)

Further Reading

233

(1)

Exercises

234

(3)

Access Control Mechanisms

237

(24)

Access Control Lists

237

(9)

Abbreviations of Access Control Lists

238

(2)

Creation and Maintenance of Access Control Lists

240

(1)

Which Subjects Can Modify an Object's ACL?

241

(1)

Do the ACLs Apply to a Privileged User?

241

(1)

Does the ACL Support Groups and Wildcards?

242

(1)

Conflicts

242

(1)

ACLs and Default Permissions

243

(1)

Revocation of Rights

243

(1)

Example: Windows NT Access Control Lists

244

(2)

Capabilities

246

(6)

Implementation of Capabilities

247

(1)

Copying and Amplifying Capabilities

248

(1)

Revocation of Rights

249

(1)

Limits of Capabilities

250

(1)

Comparison with Access Control Lists

251

(1)

Locks and Keys

252

(3)

Type Checking

253

(2)

Ring-Based Access Control

255

(2)

Propagated Access Control Lists

257

(1)

Summary

258

(1)

Further Reading

258

(1)

Exercises

259

(2)

Information Flow

261

(26)

Basics and Background

261

(2)

Information Flow Models and Mechanisms

263

(1)

Compiler-Based Mechanisms

263

(14)

Declarations

264

(2)

Program Statements

266

(1)

Assignment Statements

266

(1)

Compound Statements

267

(1)

Conditional Statements

267

(1)

Iterative Statements

268

(1)

Goto Statements

269

(3)

Procedure Calls

272

(1)

Exceptions and Infinite Loops

272

(2)

Concurrency

274

(2)

Soundness

276

(1)

Execution-Based Mechanisms

277

(4)

Fenton's Data Mark Machine

278

(2)

Variable Classes

280

(1)

Example Information Flow Controls

281

(3)

Security Pipeline Interface

282

(1)

Secure Network Server Mail Guard

282

(2)

Summary

284

(1)

Further Reading

284

(1)

Exercises

285

(2)

Confinement Problem

287

(22)

The Confinement Problem

287

(3)

Isolation

290

(4)

Virtual Machines

290

(2)

Sandboxes

292

(2)

Covert Channels

294

(12)

Detection of Covert Channels

296

(7)

Mitigation of Covert Channels

303

(3)

Summary

306

(1)

Further Reading

306

(1)

Exercises

307

(2)

Introduction to Assurance

309

(22)

Assurance and Trust

309

(7)

The Need for Assurance

311

(2)

The Role of Requirements in Assurance

313

(1)

Assurance Throughout the Life Cycle

314

(2)

Building Secure and Trusted Systems

316

(8)

Life Cycle

316

(1)

Conception

317

(1)

Manufacture

318

(1)

Deployment

319

(1)

Fielded Product Life

320

(1)

The Waterfall Life Cycle Model

320

(1)

Requirements Definition and Analysis

320

(1)

System and Software Design

321

(1)

Implementation and Unit Testing

321

(1)

Integration and System Testing

322

(1)

Operation and Maintenance

322

(1)

Discussion

322

(1)

Other Models of Software Development

323

(1)

Exploratory Programming

323

(1)

Prototyping

323

(1)

Formal Transformation

323

(1)

System Assembly from Reusable Components

324

(1)

Extreme Programming

324

(1)

Building Security In or Adding Security Later

324

(4)

Summary

328

(1)

Further Reading

328

(1)

Exercises

329

(2)

Evaluating Systems

331

(32)

Goals of Formal Evaluation

331

(3)

Deciding to Evaluate

332

(1)

Historical Perspective of Evaluation Methodologies

333

(1)

TCSEC: 1983--1999

334

(7)

TCSEC Requirements

335

(1)

TCSEC Functional Requirements

335

(1)

TCSEC Assurance Requirements

336

(1)

The TCSEC Evaluation Classes

337

(1)

The TCSEC Evaluation Process

338

(1)

Impacts

338

(1)

Scope Limitations

339

(1)

Process Limitations

339

(1)

Contributions

340

(1)

FIPS 140: 1994--Present

341

(2)

FIPS 140 Requirements

341

(1)

FIPS 140-2 Security Levels

342

(1)

Impact

342

(1)

The Common Criteria: 1998--Present

343

(13)

Overview of the Methodology

344

(4)

CC Requirements

348

(1)

CC Security Functional Requirements

349

(2)

Assurance Requirements

351

(1)

Evaluation Assurance Levels

351

(2)

Evaluation Process

353

(1)

Impacts

354

(1)

Future of the Common Criteria

354

(1)

Interpretations

355

(1)

Assurance Class AMA and Family ALC_FLR

355

(1)

Products Versus Systems

355

(1)

Protection Profiles and Security Targets

355

(1)

Assurance Class AVA

356

(1)

EAL5

356

(1)

SSE-CMM: 1997--Present

356

(3)

The SSE-CMM Model

357

(1)

Using the SSE-CMM

358

(1)

Summary

359

(1)

Further Reading

360

(1)

Exercises

361

(2)

Malicious Logic

363

(26)

Introduction

363

(1)

Trojan Horses

364

(1)

Computer Viruses

365

(8)

Boot Sector Infectors

367

(1)

Executable Infectors

368

(1)

Multipartite Viruses

369

(1)

TSR Viruses

370

(1)

Stealth Viruses

370

(1)

Encrypted Viruses

370

(1)

Polymorphic Viruses

371

(1)

Macro Viruses

372

(1)

Computer Worms

373

(1)

Other Forms of Malicious Logic

374

(2)

Rabbits and Bacteria

374

(1)

Logic Bombs

375

(1)

Defenses

376

(9)

Malicious Logic Acting as Both Data and Instructions

376

(1)

Malicious Logic Assuming the Identity of a User

377

(1)

Information Flow Metrics

377

(1)

Reducing the Rights

378

(3)

Sandboxing

381

(1)

Malicious Logic Crossing Protection Domain Boundaries by Sharing

381

(1)

Malicious Logic Altering Files

382

(1)

Malicious Logic Performing Actions Beyond Specification

383

(1)

Proof-Carrying Code

384

(1)

Malicious Logic Altering Statistical Characteristics

384

(1)

The Notion of Trust

385

(1)

Summary

385

(1)

Further Reading

386

(1)

Exercises

386

(3)

Vulnerability Analysis

389

(34)

Introduction

389

(2)

Penetration Studies

391

(13)

Goals

391

(1)

Layering of Tests

392

(1)

Methodology at Each Layer

393

(1)

Flaw Hypothesis Methodology

393

(1)

Information Gathering and Flaw Hypothesis

394

(1)

Flaw Testing

395

(1)

Flaw Generalization

395

(1)

Flaw Elimination

396

(1)

Example: Penetration of the Michigan Terminal System

396

(2)

Example: Compromise of a Burroughs System

398

(1)

Example: Penetration of a Corporate Computer System

399

(1)

Example: Penetrating a UNIX System

400

(2)

Example: Penetrating a Windows NT System

402

(1)

Debate

403

(1)

Conclusion

404

(1)

Vulnerability Classification

404

(2)

Two Security Flaws

405

(1)

Frameworks

406

(14)

The RISOS Study

406

(2)

The Flaw Classes

408

(1)

Legacy

409

(1)

Protection Analysis Model

409

(1)

The Flaw Classes

410

(2)

Legacy

412

(1)

The NRL Taxonomy

412

(1)

The Flaw Classes

412

(2)

Legacy

414

(1)

Aslam's Model

414

(1)

The Flaw Classes

415

(1)

Legacy

415

(1)

Comparison and Analysis

415

(1)

The xterm Log File Flaw

416

(2)

The fingerd Buffer Overflow Flaw

418

(1)

Summary

419

(1)

Further Reading

420

(1)

Exercises

421

(2)

Auditing

423

(32)

Definitions

423

(1)

Anatomy of an Auditing System

424

(4)

Logger

424

(2)

Analyzer

426

(1)

Notifier

427

(1)

Designing an Auditing System

428

(6)

Implementation Considerations

429

(1)

Syntactic Issues

429

(2)

Log Sanitization

431

(2)

Application and System Logging

433

(1)

A Posteriori Design

434

(4)

Auditing to Detect Violations of a Known Policy

435

(1)

State-Based Auditing

435

(1)

Transition-Based Auditing

436

(1)

Auditing to Detect Known Violations of a Policy

437

(1)

Auditing Mechanisms

438

(3)

Secure Systems

438

(2)

Nonsecure Systems

440

(1)

Examples: Auditing File Systems

441

(7)

Audit Analysis of the NFS Version 2 Protocol

441

(4)

The Logging and Auditing File System (LAFS)

445

(2)

Comparison

447

(1)

Audit Browsing

448

(2)

Summary

450

(1)

Further Reading

451

(1)

Exercises

451

(4)

Intrusion Detection

455

(32)

Principles

455

(1)

Basic Intrusion Detection

456

(2)

Models

458

(7)

Anomaly Modeling

459

(2)

Misuse Modeling

461

(2)

Specification Modeling

463

(1)

Summary

464

(1)

Architecture

465

(6)

Agent

465

(1)

Host-Based Information Gathering

466

(1)

Network-Based Information Gathering

467

(1)

Combining Sources

467

(2)

Director

469

(1)

Notifier

469

(2)

Organization of Intrusion Detection Systems

471

(5)

Monitoring Network Traffic for Intrusions: NSM

471

(1)

Combining Host and Network Monitoring: DIDS

472

(3)

Autonomous Agents: AAFID

475

(1)

Intrusion Response

476

(9)

Incident Prevention

476

(1)

Intrusion Handling

477

(1)

Containment Phase

478

(1)

Eradication Phase

479

(3)

Follow-Up Phase

482

(3)

Exercises

485

(2)

Network Security

487

(30)

Introduction

487

(1)

Policy Development

488

(5)

Data Classes

489

(1)

User Classes

490

(2)

Availability

492

(1)

Consistency Check

492

(1)

Network Organization

493

(14)

Firewalls and Proxies

494

(2)

Analysis of the Network Infrastructure

496

(1)

Outer Firewall Configuration

497

(2)

Inner Firewall Configuration

499

(1)

In the DMZ

500

(1)

DMZ Mail Server

500

(1)

DMZ WWW Server

501

(2)

DMZ DNS Server

503

(1)

DMZ Log Server

503

(1)

Summary

504

(1)

In the Internal Network

504

(2)

General Comment on Assurance

506

(1)

Availability and Network Flooding

507

(3)

Intermediate Hosts

507

(1)

TCP State and Memory Allocations

508

(2)

Anticipating Attacks

510

(2)

Summary

512

(1)

Further Reading

512

(1)

Exercises

513

(4)

System Security

517

(38)

Introduction

517

(1)

Policy

518

(5)

The Web Server System in the DMZ

518

(1)

The Development System

519

(3)

Comparison

522

(1)

Conclusion

523

(1)

Networks

523

(6)

The Web Server System in the DMZ

524

(2)

The Development System

526

(2)

Comparison

528

(1)

Users

529

(5)

The Web Server System in the DMZ

529

(2)

The Development System

531

(3)

Comparison

534

(1)

Authentication

534

(3)

The Web Server System in the DMZ

535

(1)

Development Network System

535

(2)

Comparison

537

(1)

Processes

537

(6)

The Web Server System in the DMZ

537

(4)

The Development System

541

(1)

Comparison

542

(1)

Files

543

(6)

The Web Server System in the DMZ

543

(2)

The Development System

545

(2)

Comparison

547

(2)

Retrospective

549

(1)

The Web Server System in the DMZ

549

(1)

The Development System

550

(1)

Summary

550

(1)

Further Reading

551

(1)

Exercises

551

(4)

User Security

555

(24)

Policy

555

(1)

Access

556

(6)

Passwords

556

(2)

The Login Procedure

558

(2)

Trusted Hosts

560

(1)

Leaving the System

560

(2)

Files and Devices

562

(8)

Files

562

(1)

File Permissions on Creation

563

(1)

Group Access

564

(1)

File Deletion

565

(2)

Devices

567

(1)

Writable Devices

567

(1)

Smart Terminals

567

(2)

Monitors and Window Systems

569

(1)

Processes

570

(5)

Copying and Moving Files

570

(1)

Accidentally Overwriting Files

571

(1)

Encryption, Cryptographic Keys, and Passwords

571

(2)

Start-up Settings

573

(1)

Limiting Privileges

573

(1)

Malicious Logic

574

(1)

Electronic Communications

575

(1)

Automated Electronic Mail Processing

575

(1)

Failure to Check Certificates

575

(1)

Sending Unexpected Content

576

(1)

Summary

576

(1)

Further Reading

577

(1)

Exercises

577

(2)

Program Security

579

(54)

Introduction

579

(1)

Requirements and Policy

580

(3)

Requirements

580

(1)

Threats

581

(1)

Group 1: Unauthorized Users Accessing Role Accounts

581

(1)

Group 2: Authorized Users Accessing Role Accounts

582

(1)

Summary

583

(1)

Design

583

(7)

Framework

584

(1)

User Interface

584

(1)

High-Level Design

584

(1)

Access to Roles and Commands

585

(1)

Interface

586

(1)

Internals

586

(1)

Storage of the Access Control Data

587

(3)

Refinement and Implementation

590

(7)

First-Level Refinement

590

(1)

Second-Level Refinement

591

(3)

Functions

594

(1)

Obtaining Location

594

(1)

The Access Control Record

595

(1)

Error Handling in the Reading and Matching Routines

596

(1)

Summary

597

(1)

Common Security-Related Programming Problems

597

(26)

Improper Choice of Initial Protection Domain

598

(1)

Process Privileges

598

(2)

Access Control File Permissions

600

(1)

Memory Protection

601

(1)

Trust in the System

602

(1)

Improper Isolation of Implementation Detail

603

(1)

Resource Exhaustion and User Identifiers

603

(1)

Validating the Access Control Entries

604

(1)

Restricting the Protection Domain of the Role Process

604

(1)

Improper Change

605

(1)

Memory

605

(3)

Changes in File Contents

608

(1)

Race Conditions in File Accesses

608

(1)

Improper Naming

609

(2)

Improper Deallocation or Deletion

611

(1)

Improper Validation

612

(1)

Bounds Checking

612

(1)

Type Checking

613

(1)

Error Checking

614

(1)

Checking for Valid, not Invalid, Data

614

(1)

Checking Input

615

(2)

Designing for Validation

617

(1)

Improper Indivisibility

617

(1)

Improper Sequencing

618

(1)

Improper Choice of Operand or Operation

619

(2)

Summary

621

(2)

Testing, Maintenance, and Operation

623

(4)

Testing

624

(1)

Testing the Module

625

(1)

Testing Composed Modules

626

(1)

Testing the Program

627

(1)

Distribution

627

(2)

Conclusion

629

(1)

Summary

629

(1)

Further Reading

629

(1)

Exercises

630

(3)

Lattices

633

(4)

Basics

633

(2)

Lattices

635

(1)

Exercises

635

(2)

The Extended Euclidean Algorithm

637

(6)

The Euclidean Algorithm

637

(1)

The Extended Euclidean Algorithm

638

(2)

Solving ax mod n = 1

640

(1)

Solving ax mod n = b

640

(1)

Exercises

641

(2)

Virtual Machines

643

(6)

Virtual Machine Structure

643

(1)

Virtual Machine Monitor

644

(4)

Privilege and Virtual Machines

645

(1)

Physical Resources and Virtual Machines

646

(1)

Paging and Virtual Machines

647

(1)

Exercises

648

(1)

Bibliography

649

(64)

Index

713

Hortensio: Madam, before you touch the instrument To learn the order of my fingering, I must begin with rudiments of art To teach you gamouth in a briefer sort, More pleasant, pithy and effectual, Than hath been taught by any of my trade; And there it is in writing, fairly drawn. The Taming of the Shrew,III, i, 62-68. On September 11, 2001, terrorists seized control of four airplanes. Three were flown into buildings, and a fourth crashed, with catastrophic loss of life. In the aftermath, the security and reliability of many aspects of society drew renewed scrutiny. One of these aspects was the widespread use of computers and their interconnecting networks. The issue is not new. In 1988, approximately 5,000 computers throughout the Internet were rendered unusable within 4 hours by a program called a worm. While the spread, and the effects, of this program alarmed computer scientists, most people were not worried because the worm did not affect their lives or their ability to do their jobs. In 1993, more users of computer systems were alerted to such dangers when a set of programs called sniffers were placed on many computers run by network service providers and recorded login names and passwords. After an attack on Tsutomu Shimomura's computer system, and the fascinating way Shimomura followed the attacker's trail, which led to his arrest, the public's interest and apprehension were finally aroused. Computers were now vulnerable. Their once reassuring protections were now viewed as flimsy. Several films explored these concerns. Movies such asWar GamesandHackersprovided images of people who can, at will, wander throughout computers and networks, maliciously or frivolously corrupting or destroying information it may have taken millions of dollars to amass. (Reality intruded on Hackers when the World Wide Web page set up by MGM/United Artists was quickly altered to present an irreverent commentary on the movie and to suggest that viewers seeThe Netinstead. Paramount Pictures denied doing this.) Another film,Sneakers,presented a picture of those who test the security of computer (and other) systems for their owners and for the government. Goals This book has three goals. The first is to show the importance of theory to practice and of practice to theory. All too often, practitioners regard theory as irrelevant and theoreticians think of practice as trivial. In reality, theory and practice are symbiotic. For example, the theory of covert channels, in which the goal is to limit the ability of processes to communicate through shared resources, provides a mechanism for evaluating the effectiveness of mechanisms that confine processes, such as sandboxes and firewalls. Similarly, business practices in the commercial world led to the development of several security policy models such as the Clark-Wilson model and the Chinese Wall model. These models in turn help the designers of security policies better understand and evaluate the mechanisms and procedures needed to secure their sites. The second goal is to emphasize that computer security and cryptography are different. Although cryptography is an essential component of computer security, it is by no means the only component. Cryptography provides a mechanism for performing specific functions, such as preventing unauthorized people from reading and altering messages on a network. However, unless developers understand the context in which they are using cryptography, and unless the assumptions underlying the protocol and the cryptographic mechanisms apply to the context, the cryptography may not add to the security of the system. The canonical example is the use of cryptography to secure communications between two low-security systems. If only trusted users can access the two systems, cryptography protects messages in transit. But if untrusted users can access either system