Computer Security and Human Values

Peter G. Neumann

9. System Considerations

There are various techniques, architectures, and methods relating to system development and operation that can help reduce the gap between what is intended and what is actually possible (the technical gap). These include system security measures and administrative procedures. In particular, crucial issues include system accountability (user identification, authentication, and authorization, as well as identification, authentication, and authorization of systems and subsystems); better system designs that implement finer-grained security policies with fewer security vulnerabilities; and judicious monitoring of system usage. These problems are particularly relevant in highly distributed systems (e.g., Neumann [90a]).

Some authors have attempted to make distinctions between intentional and accidental misuse. Even a cursory examination shows that it is essential in many systems and applications to anticipate both types of misuse, including system misbehavior (e.g., hardware faults) as well as human misbehavior. There are examples of one type that can cause (or have caused) serious disasters that could not be detected as instances of the other type. See Neumann [91b].

9.1 Identification, Authentication, and Authorization

One of the most difficult problems related to security is in determining what ‘authorized usage’ means. Computer fraud and abuse laws generally imply that unauthorized use is illegal. But in many computer systems there is no explicit authorization required for malicious or other harmful use. A simple illustrative example is provided by the Internet Worm (e.g., Denning [90], articles 10 – 15), in which four mechanisms were exploited: the sendmail debug option, the finger program, the .rhosts tables for accessing remote systems, and the encrypted password file. Surprising to some, perhaps, none of these required any explicit authorization for their misuse. If enabled by the system configuration, the sendmail debug option can be used by anyone. The finger program bug (relying on the unsafe C library routine gets()) permitted anyone to exploit a widely available program designed to give out information about another user. The .rhosts tables permit remote access to anyone logged in, with no further authorization. Finally, encrypted password files are typically readable, and subject to off-line or on-line dictionary attacks if any of the passwords are indeed dictionary words. The exploitation of each of these four mechanisms is clearly not what was intended as proper use, but authorization is not what distinguishes “good” (or proper) usage from “bad” (or improper). Perhaps the problem lies in system administrators and users unwisely trusting untrustworthy mechanisms, and with vendors promoting systems that are fundamentally limited.

Without the knowledge of who is doing what to whom (in terms of computer processes, programs, data, etc.), authorization is of very limited value. Thus, some reasonably non-spoofable form of authentication is often essential to provide some assurance that the presumed identity is indeed correct.

In the absence of meaningful authorization, the laws tend to be muddled. For example, the current computer abuse laws in California actually can be construed as making certain perfectly legitimate computer uses illegal. Prosecutors have been quoted as saying that this presents no problems, because no such cases would be prosecuted. But clearly there are problems because it becomes impossible to close the socio-technical gap.

9.2 Access Controls

The existence of the technical gap noted above is fairly pervasive in most computer and communication systems. Ideally, the system access controls should permit only those accesses that are actually desirable. In practice, many forms of undesirable user behavior are actually permitted. Thus, the system controls should as closely as possible permit authorized access only when that access actually corresponds to desired behavior.

9.3 Uses of Encryption Technologies

Encryption has traditionally been an approach for achieving communication secrecy. It is now emerging as a partial solution for many other security-related functions, such as providing encrypted and non-forgeable authenticators, transmitting encryption and decryption keys in encrypted form, identification and authentication, digital signatures, tickets for trusted transactions such as registry and notarization functions, non-forgeable integrity seals, non-tamperable date and time stamps, and messages that, once sent legitimately, cannot easily be repudiated as forgeries. Thus, there is a burgeoning assortment of interesting new applications.
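Several of the functions listed above (non-forgeable authenticators, tickets, tamper-evident time stamps) can be illustrated with one mechanism: a keyed integrity seal over a ticket body. The code below is an added example, not part of Neumann's text; the key and principal names are constructed for the demonstration, and because the seal is symmetric (HMAC), it does not by itself provide the non-repudiation that a digital signature would.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demonstration key (not from the original text); a real service
# would generate this randomly and keep it out of any world-readable file.
SEAL_KEY = b"demo-ticket-seal-key"


def _canonical(body):
    # Sorted keys and fixed separators so issuer and verifier seal identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(principal, now, lifetime_s, key=SEAL_KEY):
    """Issue a ticket whose principal, expiry and nonce are bound together by
    an HMAC seal: changing any field without the key invalidates the seal."""
    body = {"principal": principal,
            "expires": now + lifetime_s,
            "nonce": secrets.token_hex(8)}
    seal = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}


def verify_ticket(ticket, now, seen_nonces, key=SEAL_KEY):
    """Return (ok, reason). Rejects forged or altered tickets, expired
    tickets, and replays of a ticket that was already accepted."""
    expected = hmac.new(key, _canonical(ticket["body"]), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing about the seal.
    if not hmac.compare_digest(expected, ticket["seal"]):
        return False, "bad seal"
    if now >= ticket["body"]["expires"]:
        return False, "expired"
    nonce = ticket["body"]["nonce"]
    if nonce in seen_nonces:
        return False, "replay"
    seen_nonces.add(nonce)
    return True, "ok"
```

The verifier checks the seal before anything else, so an altered expiry or principal is rejected as a forgery rather than being trusted even for the expiry comparison.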

Unfortunately, government restrictions on research, use, and export of encryption techniques make some of these applications difficult.

9.4 Accountability and Monitoring

User identification and authentication are both essential for adequate accountability. In the absence of adequate user identification, accountability is of limited value.

Anonymous use presents some potential problems. Typical restrictions permit reading only of information that is freely available, while forbidding external modification; unless the system is intended to be a sandbox or public blackboard, appending of new material should also be restricted, to prevent denials of service caused by directory saturation.

Monitoring is itself a critical security issue. It must be generally non-subvertible (non-bypassable, non-alterable, and otherwise noncompromisable), and must respect privacy requirements.

Monitoring can serve many different purposes, including seeking to detect anomalies relating to confidentiality, integrity, availability, reliability, human safety, etc. With respect to security monitoring, there are two fundamentally different, but interrelated, types – monitoring of use to detect intruders (which may be a benefit to legitimate users) and monitoring to detect misuse by (supposedly) legitimate users. Management has a responsibility to inform legitimate users as to what type of monitoring is in place, although unfortunately it may be desirable to hide the detailed algorithms, because they may imply the existence of particular vulnerabilities. This is a difficult issue. (See, for example, Denning et al. [87].)

Security remains an especially serious problem in highly distributed systems, in which accountability and monitoring take on an even greater role. Examples of systems for real-time audit-trail analysis are given by Lunt [88], while a particular instance of a system that has been carefully designed and implemented to provide extensive restrictions on what can be audited and how the audit data can be controlled is given by Lunt and Jagannathan [88].
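The non-alterability requirement on monitoring, and the audit-trail systems cited above, both rest on being able to tell whether an audit record has been changed, dropped or reordered after the fact. The following hash-chained audit log is an added example (not from Neumann or the cited systems) with constructed sample records; each record carries the hash of its predecessor, so any change to an earlier record is detectable downstream, and a copy of the head hash kept outside the log also exposes truncation of the tail.

```python
import hashlib
import json

# Constructed sample audit records (not from the original text).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "result": "ok"},
    {"user": "alice", "action": "read", "object": "/payroll/q3"},
    {"user": "bob", "action": "login", "result": "fail"},
    {"user": "bob", "action": "login", "result": "fail"},
]

GENESIS = "0" * 64  # stands in for the hash preceding the first record


def _digest(prev_hash, event):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_log(events):
    """Append records in order, each linked to its predecessor's hash."""
    log, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        log.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return log


def verify_log(log):
    """Return the index of the first record whose link is broken, or -1 if the
    chain is intact. Altering, deleting or reordering any record breaks the
    link at or after that position; removal of the final record alone is
    caught only by comparing head(log) with an externally stored witness."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1


def head(log):
    """Hash of the last record; keep a copy on another machine or write-once
    medium so that silent truncation of the log can be detected."""
    return log[-1]["hash"] if log else GENESIS
```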

Go to: 10. Future Needs


The Research Center on Computing & Society
at Southern Connecticut State University
501 Crescent Street • New Haven, CT 06515
Director: (203) 392-6790 • e-mail: webmaster@computerethics.org

© 2000 – 2007 – Research Center on Computing & Society