REVIEW: "Computer Security: Art and Science", Matt Bishop
- BKCMSCAS.RVW 20030122
"Computer Security: Art and Science", Matt Bishop, 2003,
%A Matt Bishop bishop@... nob.cs.ucdavis.edu/~bishop/
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$74.99/C$116.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%P 1084 p.
%T "Computer Security: Art and Science"

First off, the book is very academic: heavy on formal methods, formal
models, and symbolic logic, while it's rather light on explanation.
In addition, though, the preface says that the goal of the book is to
make certain points. The first is to prove that theory is relevant to
practice. I would agree, but the initial example used to illustrate
this is less than convincing. In addition, as the book progresses, it
is easy to see where Bishop tries to prove this element--and extremely
difficult to see where he supports the thesis. Second, he wants to
say that cryptography is not the same as security (I would have
thought that was self-evident to anyone with the slightest experience
in the field, and Bruce Schneier made that point in "Secrets and Lies"
[cf. BKSECLIE.RVW]). Third is that security is an art as well as a
science. I am in sympathy with this last assertion, but it is
somewhat at odds with other aspects of the work. For example,
"assurance" is seen as a major factor in the volume, and the
introduction to the topic appears to prove that assurance relies upon
a strict adherence to the scientific aspect of security.

Part one is an introduction to security. Chapter one is an overview
of security concepts. It is written with an apparent authority that
masks a number of gaps and the fact that there is a compilation of
concepts and terms with little analysis. For example, the seeming
attempt to relate the basic security requirements of confidentiality,
availability, and integrity (the famous "CIA" triad) to Robert
Shirey's proposed classes of threats may confuse some readers, partly
because the CIA is three to Shirey's basic four, and also because it
may not be clear how the Shirey taxonomy relates to errors. The
examples given in the book are overly detailed, and therefore it is
confusing to try and extract the main point of an illustration. There
are questions at the end of the chapter. They are not the simplistic
reading checks of all too many books, but Bishop goes too far in the
other direction. The questions are unstructured and open-ended,
admitting of no particular answer. They may be useful for the teacher
trying to prompt discussion, but students will find them vague and

Part two is entitled "Foundations." It is possible to get a vague
idea of why Bishop thinks this is so, but the material is hardly
compelling. Chapter two takes an, again, overly formal and
underexplained, look at the access control matrix. Rather ironically,
in the midst of this blizzard of symbolic logic, the author tries to
promote the simplicity and practicality of the model. The tutorial
material almost completely vanishes under the avalanche of set theory
proofs in chapter three, as Bishop tries to pull foundational results
out of the Harrison-Ruzzo-Ullman work, and others.

Part three looks at policy, but not in the sense that most
professionals would think of it. Chapter four defines security
policies strictly in terms of allowed states, although it does later
discuss the more widely recognized management policies. In fact we
are presented with a large number of rather questionable definitions,
such as military policy (equivalent to confidentiality, apparently)
and identity-based access control (IBAC, which Bishop says is the same
as discretionary access control, a very questionable equation). We
are, however, given a respite from symbolic logic for a while. There
is an attempt to relate the Bell-LaPadula model, as an example of
confidentiality policy, to the Data General B2 UNIX and Multics, in
chapter five. Biba and Clark-Wilson are, of course, the integrity
policies reviewed in chapter six. Chapter seven, though, tries to
express Chinese Wall and medical information systems as formal "hybrid
policies," and doesn't do very well. Non-interference and policy
composition, in chapter eight, endeavours to address covert channels,
but doesn't say anything very clearly.

Part four looks at cryptography, but in a rather disorganized manner.
Chapter nine outlines the basics of cryptography, and does a
surprisingly good job of discussing substitution and transposition
ciphers, along with a variety of frequency analysis attacks to beat
them, then gives examples of the fundamental asymmetric algorithms,
and ends with cryptographic checksums. The rudimentary requirements
of key management are described in chapter ten, which also introduces
digital signatures. Chapter eleven seems to be an attempt to discuss
design requirements for "real" (rather than theoretical)
cryptosystems. Authentication, in chapter twelve, deals with
passwords, challenge/response systems, and biometrics, and only
touches on cryptography in passing.

Part five talks about systems, but repeats a lot of earlier material.
Chapter thirteen is a good list of design principles, although not all
of them are explained well. A variety of entities that need to have
their identity represented are listed in chapter fourteen, which also
discusses certificates, following some of the content from the
cryptographic section. Chapter fifteen deals with access control
mechanisms, expanding on chapter two. The topic of information flow,
in chapter sixteen, starts out with a repeat of part three, and then
tries to address topics related to systems development. Chapter
seventeen, on the confinement problem, is mostly a repeat, and
expansion, of the covert channel discussion from chapter five.

Part six, on assurance, is written by Elizabeth Sullivan, and is an
altogether different book. Chapter eighteen, the introduction, covers
what assurance is and why it is needed, and is excellent. Building
systems with assurance, in chapter nineteen, describes architectural
and procedural factors in security design. Formal methods, and a
number of examples of tools for formal methods, are reviewed in
chapter twenty. Chapter twenty-one, on evaluating systems, provides a
terrific overview of TCSEC (Trusted Computer System Evaluation
Criteria), ITSEC (Information Technology Security Evaluation
Criteria), FIPS-140, and the Common Criteria (and one could only wish
she had covered British Standard 7799 or ISO 17799 as well).

Part seven deals with special topics. Chapter twenty-two, on
malicious logic, shows that while Bishop has read some of the good
books on viruses, he has also read some very questionable material as
well, and passes along some of the persistent myths. Cohen's proof of
"undecidability" in virus determination (section 22.6) is not well
explained for those not completely familiar with both symbolic logic
and Turing machines. Therefore, the relevance of the proof to
practical security is not clear, since it seems to address only
appending or prepending viruses, which are difficult concepts to use
in regard to modern email viruses. Vulnerability analysis, in chapter
twenty-three, flips back and forth between efforts to describe
academic work in relation to penetration testing, and telling stories
about exploits. In chapter twenty-four, supposedly on auditing, it is
quite apparent that Bishop simply cannot wait to discuss intrusion
detection systems, which actually aren't due until chapter twenty

Part eight, "Practicum," purports to use the earlier material in
practical settings. Chapters twenty-six to twenty-nine relate points
from earlier chapters to a fictitious company in terms of network,
system, user, and program security.

Part nine, entitled "End Matter," contains essays or appendices on
lattices (the mathematical ones, not the security access lattices),
the extended Euclidean algorithm, entropy, virtual machines, symbolic
logic, and a sample academic security policy. None are terribly

One extremely odd aspect of the book is that figures are given in the
same font as the text, and are not distinguished in any way, so having
figures and text on the same page can make it very confusing to
separate the two.

Having cavilled my way through the entire book, I do have to admit
that there is a good deal of solid security material contained within
the pages. In the hands of a really competent teacher, this volume
could be used to teach a fairly theoretical course in many aspects of
security. I'm not sure that I'd want to inflict it on any students in
any course I'd be likely to teach, no matter how annoyed I got with
them. The overriding problem is to extract the decent content, and
organize it in a reasonable fashion. Bishop does not, in the end,
seem to provide much evidence for his assertion that theory is
relevant to practice. As far as security being an art is concerned,
he makes it out to be a very arcane one.

I could not, in good conscience, recommend this as the sole text for
any course. And I'd be hard pressed to recommend it as reference
material for anyone else.

copyright, Robert M. Slade, 2003 BKCMSCAS.RVW 20030122
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/