Smith Sean W.Marchesini John. - The Craft of System Security

Sean Smith
John Marchesini

Upper Saddle River, NJ Boston Indianapolis San Francisco
New York Toronto Montreal London Munich Paris Madrid
Capetown Sydney Tokyo Singapore Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419

For sales outside the United States please contact:
International Sales

Visit us on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data
Smith, Sean W., 1964
The craft of system security / Sean Smith, John Marchesini.
p. cm.
Includes bibliographical references and index.
ISBN 0-321-43483-8 (pbk. : alk. paper)

Copyright 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax: (617) 671-3447

ISBN 13: 978-0-321-43483-8

ISBN 10: 0-321-43483-8

Text printed in the United States on recycled paper Courier in Stoughton, Massachusetts.

First printing, November 2007

To Nancy, Hannah, Natalie, and the community at St. Francis of Assisi in Norwich, Vermont
Sean Smith

For Wendy
John Marchesini

Computer security, once the arcane concern of specialists, is becoming everyone's problem in society. Because so many aspects of society now depend on computing, coaxing or tricking a computer into misbehaving can have serious consequences. Attempts to grasp the nuances of this problem are bedeviled by its sheer complexityin the individual components and computer hardware, in the operating systems that make this hardware useful, in the application programs, in the network protocolsand in the human processes that use and maintain these systems.

Since security is everyone's problem, a natural question is how to give each cybercitizen the knowledge and perspective needed to reason about these issues. In navigating their careers as software engineers, managers, lawyers, or anything else, students and practitioners need to be exposed to not only the breadth of the space of this security challenge but also what trends and principles to look out for.

Too many existing texts seem to focus on hacks-du-jour or system administration or cryptographic specialists or the Orange Book/NSA criteria. The computer science student or computer security practitioner can easily find books detailing particular tools that can be used to assess the security of a system but not books that take the reader into the deeper world of why these tools exist or explain how and when to apply the appropriate tool to a particular problem. Furthermore, many of the popular texts fail to aid one who is trying to build a system; many of the tool catalogs out there are geared toward the auditor, not the artisan.

We wrote this book to be that missing doorway. This book presents the modern security practitioner's toolkit; more important, this book also explains why these tools exist and how to use them in order to solve real problems. We want to give students enough practical knowledge to be useful and to give practitioners enough of the fundamentals to foster a deep understanding of the issues. Such mastery of the toolkit is necessary to understand the craft of system security.

How does one get such a security education? One could read through a bookshelf of material or access a large set of CD-ROMs to get the necessary depth, but most people do not have that time. Furthermore, much of that material may pertain to fine details of current systems and is thus doomed to a short shelf life. The material will likely be stale by the time the reader finishes reading it all.

This book itself grew out of a college course the first author developed (and then the second author helped with) to solve just this problem: to provide the right security education to students who may only ever take one security course and then move on toward a wide range of professional careers. We wanted to arm these students with a deep understanding of what they need to know in order to meet today's and tomorrow's security challenges. In the course, and throughout this book, we draw on our experience as security practitioners and try to relay some of the lessons we have learned.

One of us had the good fortune to be working in a government security laboratory at the dawn of the Webwhen the very first forward-thinking government agencies started considering using this new medium for service delivery to wide populations. This experience provided some important lessons to frame what has followed. Computing technology will keep changing explosively, in ways that affect everyone, not only computer scientistscompare the state of home or office computing and of the Web in 1994 to today. However, security must be viewed in the context of the social impact of the systems. If one is going to build, deploy, work with, manage, or perhaps simply use the systems that keep flooding society, one needs to understand these issues.

The other author has spent time working in the security software industry, shipping security products to such institutions as banks, airlines, and government agencies. This experience has made it clear why vendors deal with security by shipping patches on a regular schedule. Software vendors are under continual pressure to release products that are loaded with new features and must get these releases out as quickly as possible. At every stage of the development cycle, security is at odds with this goal. The requirement phase tends to favor featuresand thus complexityover robustness; the design phase typically favors elegance and reuse over durability; the implementation phase usually favors speed over safety; the quality assurance phase traditionally focuses on feature testing rather than crash testing. The result is that many companies ship software that is neither robust, durable, nor safe and that has not been tested to see how well it holds up against malicious users. An essentially infinite list of BugTraq [] identifiers is just waiting to get assigned to such products. If one hopes to build systems that break this mold, one needs to understand these types of issues as well.

The dynamic nature of the security game makes it different from other types of engineering, such as building a bridge or building a safe. When building a bridge, one calculates the strength required, buys the appropriate materials, and constructs the bridge according to the specification. In security, the building blocks age quicklysometimes faster than predicted and sometimes dramatically faster. Staying on top of this situation requires continued vigilance, as well as a solid grasp of the fundamentals. That's why we wrote this book.