
REVIEW: "Computer Security: Art and Science", Matt Bishop

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Feb 7, 2003
      BKCMSCAS.RVW 20030122

      "Computer Security: Art and Science", Matt Bishop, 2003,
      0-201-44099-7, U$74.99/C$116.99
      %A Matt Bishop bishop@... nob.cs.ucdavis.edu/~bishop/
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2003
      %G 0-201-44099-7
      %I Addison-Wesley Publishing Co.
      %O U$74.99/C$116.99 416-447-5101 fax: 416-443-0948 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0201440997/robsladesinterne
      %P 1084 p.
      %T "Computer Security: Art and Science"

      First off, the book is very academic: heavy on formal methods, formal
      models, and symbolic logic, while it's rather light on explanation.
      In addition, though, the preface says that the goal of the book is to
      make certain points. The first is to prove that theory is relevant to
      practice. I would agree, but the initial example used to illustrate
      this is less than convincing. In addition, as the book progresses, it
      is easy to see where Bishop tries to prove this element--and extremely
      difficult to see where he supports the thesis. Second, he wants to
      say that cryptography is not the same as security (I would have
      thought that was self evident to anyone with the slightest experience
      in the field, and Bruce Schneier made that point in "Secrets and Lies"
      [cf. BKSECLIE.RVW]). Third is that security is an art as well as a
      science. I am in sympathy with this last assertion, but it is
      somewhat at odds with other aspects of the work. For example,
      "assurance" is seen as a major factor in the volume, and the
      introduction to the topic appears to prove that assurance relies upon
      a strict adherence to the scientific aspect of security.

      Part one is an introduction to security. Chapter one is an overview
      of security concepts. It is written with an apparent authority that
      masks a number of gaps and the fact that there is a compilation of
      concepts and terms with little analysis. For example, the seeming
      attempt to relate the basic security requirements of confidentiality,
      availability, and integrity (the famous "CIA" triad) to Robert
      Shirey's proposed classes of threats may confuse some readers, partly
      because the CIA is three to Shirey's basic four, and also because it
      may not be clear how the Shirey taxonomy relates to errors. The
      examples given in the book are overly detailed, and therefore it is
      confusing to try and extract the main point of an illustration. There
      are questions at the end of the chapter. They are not the simplistic
      reading checks of all too many books, but Bishop goes too far in the
      other direction. The questions are unstructured and open-ended,
      admitting of no particular answer. They may be useful for the teacher
      trying to prompt discussion, but students will find them vague and
      probably irrelevant.

      Part two is entitled "Foundations." It is possible to get a vague
      idea of why Bishop thinks this is so, but the material is hardly
      compelling. Chapter two takes an, again, overly formal and
      underexplained, look at the access control matrix. Rather ironically,
      in the midst of this blizzard of symbolic logic, the author tries to
      promote the simplicity and practicality of the model. The tutorial
      material almost completely vanishes under the avalanche of set theory
      proofs in chapter three, as Bishop tries to pull foundational results
      out of the Harrison-Ruzzo-Ullman work, and others.

      Part three looks at policy, but not in the sense that most
      professionals would think of it. Chapter four defines security
      policies strictly in terms of allowed states, although it does later
      discuss the more widely recognized management policies. In fact we
      are presented with a large number of rather questionable definitions,
      such as military policy (equivalent to confidentiality, apparently)
      and identity-based access control (IBAC, which Bishop says is the same
      as discretionary access control, a very questionable equation). We
      are, however, given a respite from symbolic logic for a while. There
      is an attempt to relate the Bell-LaPadula model, as an example of
      confidentiality policy, to the Data General B2 UNIX and Multics, in
      chapter five. Biba and Clark-Wilson are, of course, the integrity
      policies reviewed in chapter six. Chapter seven, though, tries to
      express Chinese Wall and medical information systems as formal "hybrid
      policies," and doesn't do very well. Non-interference and policy
      composition, in chapter eight, endeavours to address covert channels,
      but doesn't say anything very clearly.

      Part four looks at cryptography, but in a rather disorganized manner.
      Chapter nine outlines the basics of cryptography, and does a
      surprisingly good job of discussing substitution and transposition
      ciphers, along with a variety of frequency analysis attacks to beat
      them, then gives examples of the fundamental asymmetric algorithms,
      and ends with cryptographic checksums. The rudimentary requirements
      of key management are described in chapter ten, which also introduces
      digital signatures. Chapter eleven seems to be an attempt to discuss
      design requirements for "real" (rather than theoretical)
      cryptosystems. Authentication, in chapter twelve, deals with
      passwords, challenge/response systems, and biometrics, and only
      touches on cryptography in passing.

      Part five talks about systems, but repeats a lot of earlier material.
      Chapter thirteen is a good list of design principles, although not all
      of them are explained well. A variety of entities that need to have
      their identity represented are listed in chapter fourteen, which also
      discusses certificates, following some of the content from the
      cryptographic section. Chapter fifteen deals with access control
      mechanisms, expanding on chapter two. The topic of information flow,
      in chapter sixteen, starts out with a repeat of part three, and then
      tries to address topics related to systems development. Chapter
      seventeen, on the confinement problem, is mostly a repeat, and
      expansion, of the covert channel discussion from chapter five.

      Part six, on assurance, is written by Elizabeth Sullivan, and is an
      altogether different book. Chapter eighteen, the introduction, covers
      what assurance is and why it is needed, and is excellent. Building
      systems with assurance, in chapter nineteen, describes architectural
      and procedural factors in security design. Formal methods, and a
      number of examples of tools for formal methods, are reviewed in
      chapter twenty. Chapter twenty one, on evaluating systems, provides a
      terrific overview of TCSEC (Trusted Computer System Evaluation
      Criteria), ITSEC (Information Technology Security Evaluation
      Criteria), FIPS-140, and the Common Criteria (and one could only wish
      she had covered British Standard 7799 or ISO 17799 as well).

      Part seven deals with special topics. Chapter twenty two, on
      malicious logic, shows that while Bishop has read some of the good
      books on viruses, he has also read some very questionable material as
      well, and passes along some of the persistent myths. Cohen's proof of
      "undecidability" in virus determination (section 22.6) is not well
      explained for those not completely familiar with both symbolic logic
      and Turing machines. Therefore, the relevance of the proof to
      practical security is not clear, since it seems to address only
      appending or prepending viruses, which are difficult concepts to use
      in regard to modern email viruses. Vulnerability analysis, in chapter
      twenty three, flips back and forth between efforts to describe
      academic work in relation to penetration testing, and telling stories
      about exploits. In chapter twenty four, supposedly on auditing, it is
      quite apparent that Bishop simply cannot wait to discuss intrusion
      detection systems, which actually aren't due until chapter twenty

      Part eight, "Practicum," purports to use the earlier material in
      practical settings. Chapters twenty six to twenty nine relate points
      from earlier chapters to a fictitious company in terms of network,
      system, user, and program security.

      Part nine, entitled "End Matter," contains essays or appendices on
      lattices (the mathematical ones, not the security access lattices),
      the extended Euclidean algorithm, entropy, virtual machines, symbolic
      logic, and a sample academic security policy. None are terribly

      One extremely odd aspect of the book is that figures are given in the
      same font as the text, and are not distinguished in any way, so having
      figures and text on the same page can make it very confusing to
      separate the two.

      Having cavilled my way through the entire book, I do have to admit
      that there is a good deal of solid security material contained within
      the pages. In the hands of a really competent teacher, this volume
      could be used to teach a fairly theoretical course in many aspects of
      security. I'm not sure that I'd want to inflict it on any students in
      any course I'd be likely to teach, no matter how annoyed I got with
      them. The overriding problem is to extract the decent content, and
      organize it in a reasonable fashion. Bishop does not, in the end,
      seem to provide much evidence for his assertion that theory is
      relevant to practice. As far as security being an art is concerned,
      he makes it out to be a very arcane one.

      I could not, in good conscience, recommend this as the sole text for
      any course. And I'd be hard pressed to recommend it as reference
      material for anyone else.

      copyright, Robert M. Slade, 2003 BKCMSCAS.RVW 20030122

      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      March 31, 2003 Indianapolis, IN