The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments
by: Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell
(tos@epoch.ncsc.mil)
National Security Agency
summarized by Seung Yi (seungyi@cs.uiuc.edu)

Discussion Points
1. Introduction
- The "fortress built on sand" argument: security mechanisms layered on top of an operating system that does not itself enforce mandatory security inherit every weakness of that operating system.
- Is security really the primary concern of e-commerce businesses?
2. The Missing Link
- What exactly does the paper mean by 'mandatory security'? Traditionally, the term MAC (Mandatory Access Control) has described the multi-level security systems found in military environments. The paper defines mandatory security more broadly: a policy that is set administratively and enforced by the operating system, so that neither users nor applications can bypass or weaken it. It is not limited to multi-level access control.
- Does mandatory security imply that there should be no 'root' user holding all privilege?
- Covert channels: it is generally accepted that they cannot be eliminated entirely in a practical system, so the realistic goal is to identify them and bound their bandwidth.
- Does any system actually implement the principle of least privilege?
- Is there any 'trusted application' in a typical Unix system? (Every setuid-root program is trusted in the sense that the system's security depends on it, yet nothing confines it to its intended function.)
- Why don't we see more secure/trusted operating systems on the market right now? Reasons raised: making an OS secure takes so long that the result ships out of date and with limited functionality; a secure OS can be too inconvenient to use; export controls; and secure components such as IPsec cannot be reconfigured easily.
- Any news or updates on the RBAC support expected in Windows NT 5 (shipped as Windows 2000)?
- Is discretionary access control needed in addition to mandatory access control? Is it possible to provide both at the same time? One straightforward composition is to require every access to pass both checks, so that a discretionary grant can never widen what the mandatory policy allows.
- What is the difference between a 'trusted path' and a 'protected path'? (A trusted path is an assured channel between a user and trusted software that other software cannot imitate, e.g. a secure attention key; the question is whether 'protected path' is simply the same guarantee applied to communication between software components.)
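Added worked example for the mandatory-versus-discretionary questions in this section; it is not code from the paper or from any real operating system. It sketches a reference monitor in which every access must pass both a mandatory type-enforcement check (labels and rules set by the administrator, blind to uid, so root gets no exemption) and a discretionary Unix-style mode-bit check (which the owner, or root, may relax). The domains, types, uids, files and policy rules are all constructed for the illustration.

```python
# Toy reference monitor composing mandatory (type enforcement) and
# discretionary (Unix mode bits) access control. Illustration only; the
# labels, users, files and rules below are constructed, not from any system.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: int      # Unix identity; uid 0 is root
    domain: str   # mandatory label (type-enforcement domain) assigned by the OS, not the user


@dataclass
class Obj:
    owner_uid: int
    mode: int     # Unix permission bits, e.g. 0o640
    type_: str    # mandatory label assigned by policy; the owner cannot change it


# Mandatory policy: (domain, type) -> operations allowed. Anything absent is denied.
MAC_POLICY = {
    ("user_d", "user_file_t"): {"read", "write"},
    ("user_d", "config_t"): {"read"},
    ("admin_d", "config_t"): {"read", "write"},
    ("audit_d", "secret_t"): {"read"},
    # No rule lets user_d touch secret_t, so even uid 0 running in user_d is denied.
}

NEED_BITS = {"read": 0o4, "write": 0o2}


def mac_allows(s, o, op):
    """Mandatory check: depends only on labels, never on uid."""
    return op in MAC_POLICY.get((s.domain, o.type_), set())


def dac_allows(s, o, op):
    """Discretionary check: classic Unix semantics, including the root bypass."""
    if s.uid == 0:
        return True
    bits = (o.mode >> 6) & 0o7 if s.uid == o.owner_uid else o.mode & 0o7
    return bits & NEED_BITS[op] == NEED_BITS[op]


def check(s, o, op):
    """Access is granted only if both checks pass; the reason names the check that failed."""
    if not mac_allows(s, o, op):
        return (False, "mac")
    if not dac_allows(s, o, op):
        return (False, "dac")
    return (True, "ok")


def chmod(s, o, new_mode):
    """DAC is discretionary: the owner or root may relax it. Labels are untouched."""
    if s.uid in (0, o.owner_uid):
        o.mode = new_mode
        return True
    return False


def demo():
    alice = Subject(uid=1000, domain="user_d")
    bob = Subject(uid=1001, domain="user_d")
    root_in_user_d = Subject(uid=0, domain="user_d")  # root running an ordinary user program
    secret = Obj(owner_uid=0, mode=0o600, type_="secret_t")
    notes = Obj(owner_uid=1000, mode=0o600, type_="user_file_t")
    config = Obj(owner_uid=1000, mode=0o666, type_="config_t")  # world-writable under DAC

    out = {
        # root bypasses mode bits, but the mandatory policy has no user_d -> secret_t rule
        "root_reads_secret": check(root_in_user_d, secret, "read"),
        # MAC permits user_d to read user_file_t; DAC (0o600, bob is not the owner) does not
        "bob_reads_notes": check(bob, notes, "read"),
        # owner with 0o666 still cannot write config_t from user_d: DAC cannot widen MAC
        "owner_writes_config": check(alice, config, "write"),
    }
    chmod(alice, notes, 0o644)  # alice relaxes her own file's DAC at her discretion
    out["bob_reads_notes_after_chmod"] = check(bob, notes, "read")
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two answers to the discussion question fall out of the structure: both checks are consulted on every access, and only the discretionary one is owner-controlled or root-bypassable, so root confined to an ordinary domain is still stopped by the mandatory layer.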
3. General Examples & 4. Concrete Example
- Another way to attack the JVM is to replace or subvert the class loader in order to bypass the security manager, since the security manager's checks depend on the class loader having correctly recorded where each class came from.
- History-based access control can provide more flexible security than the Java sandbox, because decisions can depend on what a program has already done rather than on a permission set fixed in advance.
- Does SESAME have the same problem as Kerberos? Both architectures rely on a central trusted server (the KDC in Kerberos) that is a single point of failure and of compromise.
- Giving the public an illusion of security can be more dangerous than using a plainly unsecured system, because people behave as if they were protected.
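Added worked example for the history-based access control point above; this is not code from the paper, from the Java runtime, or from the history-based access control work the discussion refers to. It contrasts a static sandbox, which decides every request against a fixed permission set and therefore lets a program granted both file and network access read a file and then ship it out, with a history-based monitor that keeps a trace of what the program has already been allowed to do and lets later decisions depend on it. The actions, the rules (no network after a local read, no local read after network use, a connection cap, writes only under /tmp) and the sample request sequences are constructed for the illustration; 203.0.113.5 is a documentation address.

```python
# Static sandbox versus history-based reference monitor. Illustration only;
# the actions, policy rules and request sequences are constructed.


class StaticSandbox:
    """Java-1.x style: permissions fixed at load time, no memory of past requests."""

    def __init__(self, granted):
        self.granted = frozenset(granted)

    def request(self, action, target):
        return action in self.granted


class HistoryMonitor:
    """Reference monitor whose rules consult the per-program trace of granted requests."""

    MAX_CONNECTS = 3  # assumed limit for the example

    def __init__(self):
        self.trace = []  # list of (action, target, decision)

    def _granted(self, action):
        return [t for a, t, ok in self.trace if ok and a == action]

    def policy(self, action, target):
        if action == "read_file":
            # once the program has talked to the network it may no longer read local files
            return not self._granted("net_connect")
        if action == "net_connect":
            # once it has read a local file it may not open connections; connections are also capped
            return (not self._granted("read_file")
                    and len(self._granted("net_connect")) < self.MAX_CONNECTS)
        if action == "write_file":
            return target.startswith("/tmp/")
        return False  # default deny for anything the policy does not name

    def request(self, action, target):
        decision = self.policy(action, target)
        self.trace.append((action, target, decision))
        return decision


def run(monitor, script):
    """Feed a sequence of (action, target) requests to a monitor; return the decisions in order."""
    return [monitor.request(a, t) for a, t in script]


# Constructed request sequences standing in for two downloaded programs.
EXFIL_SCRIPT = [("read_file", "/home/alice/notes.txt"),
                ("net_connect", "203.0.113.5:80")]
DOWNLOAD_SCRIPT = [("net_connect", "203.0.113.5:80"),
                   ("write_file", "/tmp/update.bin"),
                   ("read_file", "/home/alice/notes.txt")]


def compare():
    sandbox_perms = {"read_file", "net_connect", "write_file"}
    return {
        "static_exfil": run(StaticSandbox(sandbox_perms), EXFIL_SCRIPT),
        "history_exfil": run(HistoryMonitor(), EXFIL_SCRIPT),
        "history_download": run(HistoryMonitor(), DOWNLOAD_SCRIPT),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name}: {decisions}")
```

The static sandbox cannot express "file access or network access, but not both in that order" without refusing one of them outright; the history-based monitor grants either first and denies the other afterwards, which is the flexibility the discussion point refers to. Note that the monitor itself still has to sit somewhere the program cannot tamper with, which is the paper's argument for putting such enforcement in the operating system.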
5. System Security & 6. Summary
- The authors' claim: a secure operating system is a necessary part of building a secure system, and security mechanisms at the application, network or cryptographic layer cannot compensate for its absence.

Partial Conclusions
- General agreement that a secure OS is an important part of building a secure system, although it is not a sufficient condition on its own.
- Overall lukewarm reception of the paper.

Recommended Readings
- Covert channels
- Type theory: what is secure typing?