Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Edition, Ross Anderson


Third Edition

Ross Anderson

Copyright © 2020 by Ross Anderson

Published by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada and the United Kingdom

ISBN: 978-1-119-64278-7

ISBN: 978-1-119-64283-1 (ebk)

ISBN: 978-1-119-64281-7 (ebk)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020948679

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

For Shireen, Bavani, Nav, Ivan, Lily-Rani, Veddie and Bella

About the Author

I've worked with systems for over forty years. I graduated in mathematics and natural science from Cambridge in the 1970s, and got a qualification in computer engineering; my first proper job was in avionics; and after getting interested in cryptology and computer security, I worked in the banking industry in the 1980s. I then started working for companies who designed equipment for banks, and then on related applications such as prepayment electricity meters.

I moved to academia in 1992 but continued to consult to industry on security technology. During the 1990s, the number of applications that used cryptology rose rapidly: burglar alarms, car door locks, road toll tags and satellite TV systems all made their appearance. The first legal disputes about these systems came along, and I was lucky enough to be an expert witness in some of the important cases. The research team I lead had the good fortune to be in the right place at the right time when technologies such as peer-to-peer systems, tamper-resistance and digital watermarking became hot topics.

After I'd taught security and cryptology to students for a few years, it became clear to me that the existing textbooks were too narrow and theoretical: the security textbooks focused on the access control mechanisms in operating systems, while the cryptology books developed the theory behind cryptographic algorithms and protocols. These topics are interesting, and important. But they're only part of the story. Most working engineers are not overly concerned with crypto or operating system internals, but with getting good tools and learning how to use them effectively. The inappropriate use of protection mechanisms is one of the main causes of security failure. I was encouraged by the positive reception of a number of articles I wrote on security engineering (starting with 'Why Cryptosystems Fail' in 1993).

Finally, in 1999, I got round to rewriting my class lecture notes and a number of real-world case studies into a book for a general technical audience.

The first edition of the book, which appeared in 2001, helped me consolidate my thinking on the economics of information security, as I found that when I pulled my experiences about some field together into a narrative, the backbone of the story was often the incentives that the various players had faced. As the first edition of this book established itself as the standard textbook in the field, I worked on establishing security economics as a discipline. In 2002, we started the Workshop on the Economics of Information Security to bring researchers and practitioners together.

By the time the second edition came out in 2008, it was clear we'd not paid enough attention to the psychology of security either. Although we'd worked on security usability from the 1990s, there's much more to it than that. We need to understand everything from the arts of deception to how people's perception of risk is manipulated. So in 2008 we started the Workshop on Security and Human Behaviour to get security engineers talking to psychologists, anthropologists, philosophers and even magicians.

A sabbatical in 2011, which I spent partly at Google and partly at Carnegie Mellon University, persuaded me to broaden our research group to hire psychologists and criminologists. Eventually in 2015 we set up the Cambridge Cybercrime Centre to collect lots of data on the bad things that happen online and make them available to over a hundred researchers worldwide. This hasn't stopped us doing research on technical security; in fact it's helped us pick more relevant technical research topics.

A medic needs to understand a whole series of subjects including anatomy, physiology, biochemistry, pharmacy and psychology, and then temper this knowledge with experience of working on hundreds of cases with experienced colleagues. So also a security engineer needs to understand technical subjects like crypto, access controls, protocols and side channels; but this knowledge also needs to be honed by studying real cases. My goal in my academic career has been to pull all this together. The result you now hold in your hands.

I have learned a lot in the process; writing down what you think you know is a good way of finding out what you don't. I have also had a lot of fun. I hope you have as much fun reading it!

Ross Anderson, Cambridge, November 2020

Acknowledgements

A great many people have helped in various ways with the third edition of this book. I put the chapters online for comment as I wrote them, and I owe thanks to the many people who read them and pointed out assorted errors and obscurities. They are: Mansoor Ahmed, Sam Ainsworth, Peter Allan, Amit Seal Ami, James Andrews, Tom Auger, Asokan, Maria Bada, Daniel Bates, Craig Bauer, Pilgrim Beart, Gerd Beuster, Johann Bezuidenhoudt, Fred Bone, Matt Brockman, Nick Bohm, Fred Bone, Phil Booth, Lorenzo Cavallaro, David Chaiken, Yi Ting Chua, Valerio Cini, Ben Collier, Hugo Connery, Lachlan Cooper, Franck Courbon, Christopher Cowan, Ot van Daalen, Ezra Darshan, Roman Dickmann, Saar Drimer, Charles Duffy, Marlena Erdos, Andy Farnell, Bob Fenichel, David Fernee, Alexis FitzGerald, Jean-Alain Fournier, Jordan Frank, Steve Friedl, Jerry Gamache, Alex Gantman, Ben Gardiner, Jon Geater, Stuart Gentry, Cam Gerlach, John Gilmore, Jan Goette, Ralph Gross, Cyril Guerin, Pedram Hayati, Chengying He, Matt Hermannson, Alex Hicks, Ross Hinds, Timothy Howell, Nick Humphrey, James Humphry, Duncan Hurwood, Gary Irvine, Erik Itland, Christian Jeschke, Gary Johnson, Doug Jones, Henrik Karlzen, Joud Khoury, Jon Kilian, Timm Korte, Ronny Kuckuck, Mart Kung, Jay Lala, Jack Lang, Susan Landau, Peter Landrock, Carl Landwehr, Peter Lansley, Jeff Leese, Jochen Leidner, Tom de Leon, Andrew Lewis, David Lewis, Steve Lipner, Jim Lippard, Liz Louis, Simon Luyten, Christian Mainka, Dhruv Malik, Ivan Marsa-Maestra, Phil Maud, Patrick McCorry, TJ McIntyre, Marco Mesturino, Luke Mewburn, Spencer Moss, Steven Murdoch, Arvind Narayanan, Lakshmi Narayanan, Kristi Nikolla, Greg Norcie, Stanislav Ochotnický, Andy Ozment, Deborah Peel, Stephen Perlmutter, Tony Plank, William Porquet, David Pottage, Mark Quevedo, Roderick Rees, Larry Reeves, Philipp Reisinger, Mark Richards, Niklas Rosencrantz, Andy Sayler, Philipp Schaumann, Christian Schneider, Ben Scott, Jean-Pierre Seifert, Mark Shawyer, Adam Shostack, Ilia Shumailov, Barbara Simons, Sam Smith, Saija Sorsa, Michael Specter, Chris Tarnovski, Don Taylor, Andrew Thaeler, Kurt Thomas, Anthony Vance, Jonas Vautherin, Alex Vetterl, Jeffrey Walton, Andrew Watson, Debora Weber-Wulff, Nienke Weiland, David White, Blake Wiggs, Robin Wilton, Ron Woerner, Bruno Wolff, Stuart Wray, Jeff Yan, Tom Yates, Andrew Yeomans, Haaroon Yousaf, Tim Zander and Yiren Zhao. I am also grateful to my editors at Wiley, Tom Dinse, Jim Minatel and Pete Gaughan, and to my copyeditors Judy Flynn and Kim Wimpsett, who have all helped make the process run smoothly.

The people who contributed in various ways to the first and second editions included the late Anne Anderson, Adam Atkinson, Jean Bacon, Robin Ball, Andreas Bender, Alastair Beresford, Johann Bezuidenhoudt, Maximilian Blochberger, David Boddie, Kristof Boeynaems, Nick Bohm, Mike Bond, Richard Bondi, Robert Brady, Martin Brain, John Brazier, Ian Brown, Mike Brown, Nick Bohm, Richard Bondi, the late Caspar Bowden, Duncan Campbell, Piotr Carlson, Peter Chambers, Valerio Cini, Richard Clayton, Frank Clish, Jolyon Clulow, Richard Cox, Dan Cvrcek, George Danezis, James Davenport, Peter Dean, John Daugman, Whit Diffie, Roger Dingledine, Nick Drage, Austin Donnelly, Ben Dougall, Saar Drimer, Orr Dunkelman, Steve Early, Dan Eble, Mike Ellims, Jeremy Epstein, Rasit Eskicioğlu, Robert Fenichel, Fleur Fisher, Shawn Fitzgerald, Darren Foong, Shailendra Fuloria, Dan Geer, Gary Geldart, Paul Gillingwater, John Gilmore, Brian Gladman, Virgil Gligor, Bruce Godfrey, John Gordon, Gary Graunke, Rich Graveman, Wendy Grossman, Dan Hagon, Feng Hao, Tony Harminc, Pieter Hartel, David Håsäther, Bill Hey, Fay Hider, Konstantin Hyppönen, Ian Jackson, Neil Jenkins, Simon Jenkins, Roger Johnston, Oliver Jorns, Nikolaos Karapanos, the late Paul Karger, Ian Kelly, Grant Kelly, Alistair Kelman, Ronald De Keulenaer, Hyoung Joong Kim, Patrick Koeberl, Oliver Kömmerling, Simon Kramer, Markus Kuhn, Peter Landrock, Susan Landau, Jack Lang, Jong-Hyeon Lee, the late Owen Lewis, Stephen Lewis, Paul Leyland, Jim Lippard, Willie List, Dan Lough, John McHugh, the late David MacKay, Garry McKay, Udi Manber, John Martin, Nick Mathewson, Tyler Moore, the late Bob Morris, Ira Moskowitz, Steven Murdoch, Shishir Nagaraja, Roger Nebel, the late Roger Needham, Stephan Neuhaus, Andrew Odlyzko, Mark Oeltjenbruns, Joe Osborne, Andy Ozment, Alexandros Papadopoulos, Roy Paterson, Chris Pepper, Oscar Pereira, Fabien Petitcolas, Raphael Phan, Mike Roe, Mark Rotenberg, Avi Rubin, Jerry Saltzer, Marv Schaefer, Denise Schmandt-Besserat, Gus Simmons, Sam Simpson, Sergei Skorobogatov, Matthew Slyman, Rick Smith, Sijbrand Spannenburg, the late Karen Spärck Jones, Mark Staples, Frank Stajano, Philipp Steinmetz, Nik Sultana, Don Taylor, Martin Taylor, Peter Taylor, Daniel Thomas, Paul Thomas, Vlasios Tsiatsis, Marc Tobias, Hal Varian, Nick Volenec, Daniel Wagner-Hall, Randall Walker, Robert Watson, Keith Willis, Simon Wiseman, Stuart Wray, Jeff Yan and the late Stefek Zaba. I also owe a lot to my first publisher, Carol Long. Through the whole process I have been supported by my family, and especially by my long-suffering wife Shireen. Each edition of the book meant over a year when I was constantly distracted. Huge thanks to all for putting up with me!

Part II

Chapter 9 Multilevel Security 315

Chapter 10 Boundaries 341

Chapter 11 Inference Control 375

Chapter 12 Banking and Bookkeeping 405

Chapter 13 Locks and Alarms 471

Chapter 14 Monitoring and Metering 497

Chapter 15 Nuclear Command and Control 529

Chapter 16 Security Printing and Seals 549

Chapter 17 Biometrics 571

Chapter 18 Tamper Resistance 599

Chapter 19 Side Channels 639

Chapter 20 Advanced Cryptographic Engineering 667

Chapter 21 Network Attack and Defence 699

Chapter 22 Phones 737

Chapter 23 Electronic and Information Warfare 777

Chapter 24 Copyright and DRM 815

Chapter 25 New Directions? 865

Part III

Chapter 26 Surveillance or Privacy? 909

Chapter 27 Secure Systems Development 965

Chapter 28 Assurance and Sustainability 1015

Chapter 29 Beyond "Computer Says No" 1059

Bibliography 1061

Index 1143

2.2.1.5 Bullrun and Edgehill 22

2.2.1.6 Xkeyscore 23

2.2.1.7 Longhaul 24

2.2.1.8 Quantum 25

2.2.1.9 CNE 25

2.2.1.10 The analyst's viewpoint 27

2.2.1.11 Offensive operations 28

2.2.1.12 Attack scaling 29

2.2.2 China 30

2.2.3 Russia 35

2.2.4 The rest 38

2.2.5 Attribution 40

2.3 Crooks 41

2.3.1 Criminal infrastructure 42

2.3.1.1 Botnet herders 42

2.3.1.2 Malware devs 44

2.3.1.3 Spam senders 45

2.3.1.4 Bulk account compromise 45

2.3.1.5 Targeted attackers 46

2.3.1.6 Cashout gangs 46

2.3.1.7 Ransomware 47

2.3.2 Attacks on banking and payment systems 47

2.3.3 Sectoral cybercrime ecosystems 49

2.3.4 Internal attacks 49

2.3.5 CEO crimes 49

2.3.6 Whistleblowers 50

2.4 Geeks 52

2.5 The swamp 53

2.5.1 Hacktivism and hate campaigns 54

2.5.2 Child sex abuse material 55

2.5.3 School and workplace bullying 57

2.5.4 Intimate relationship abuse 57

2.6 Summary 59

Research problems 60

Further reading 61

Chapter 3 Psychology and Usability 63

3.1 Introduction 63

3.2 Insights from psychology research 64

3.2.1 Cognitive psychology 65

3.2.2 Gender, diversity and interpersonal variation 68

3.2.3 Social psychology 70

3.2.3.1 Authority and its abuse 71

3.2.3.2 The bystander effect 72

3.2.4 The social-brain theory of deception 73

3.2.5 Heuristics, biases and behavioural economics 76

3.2.5.1 Prospect theory and risk misperception 77

3.2.5.2 Present bias and hyperbolic discounting 78

3.2.5.3 Defaults and nudges 79

3.2.5.4 The default to intentionality 79

3.2.5.5 The affect heuristic 80

3.2.5.6 Cognitive dissonance 81

3.2.5.7 The risk thermostat 81

3.3 Deception in practice 81

3.3.1 The salesman and the scamster 82

3.3.2 Social engineering 84

3.3.3 Phishing 86

3.3.4 Opsec 88

3.3.5 Deception research 89

3.4 Passwords 90

3.4.1 Password recovery 92

3.4.2 Password choice 94

3.4.3 Difficulties with reliable password entry 94

3.4.4 Difficulties with remembering the password 95

3.4.4.1 Naïve choice 96

3.4.4.2 User abilities and training 96

3.4.4.3 Design errors 98

3.4.4.4 Operational failures 100

3.4.4.5 Social-engineering attacks 101

3.4.4.6 Customer education 102

3.4.4.7 Phishing warnings 103

3.4.5 System issues 104

3.4.6 Can you deny service? 105

3.4.7 Protecting oneself or others? 105

3.4.8 Attacks on password entry 106

3.4.8.1 Interface design 106

3.4.8.2 Trusted path, and bogus terminals 107

3.4.8.3 Technical defeats of password retry counters 107

3.4.9 Attacks on password storage 108

3.4.9.1 One-way encryption 109

3.4.9.2 Password cracking 109

3.4.9.3 Remote password checking 109

3.4.10 Absolute limits 110

3.4.11 Using a password manager 111

3.4.12 Will we ever get rid of passwords? 113

3.5 CAPTCHAs 115

3.6 Summary 116

Research problems 117

Further reading 118

Chapter 4 Protocols 119

4.1 Introduction 119

4.2 Password eavesdropping risks 120

4.3 Who goes there? – simple authentication 122

4.3.1 Challenge and response 124

4.3.2 Two-factor authentication 128

4.3.3 The MIG-in-the-middle attack 129

4.3.4 Reflection attacks 132

4.4 Manipulating the message 133

4.5 Changing the environment 134

4.6 Chosen protocol attacks 135

4.7 Managing encryption keys 136

4.7.1 The resurrecting duckling 137

4.7.2 Remote key management 137

4.7.3 The Needham-Schroeder protocol 138

4.7.4 Kerberos 139

4.7.5 Practical key management 141

4.8 Design assurance 141

4.9 Summary 143

Research problems 143

Further reading 144

Chapter 5 Cryptography 145

5.1 Introduction 145

5.2 Historical background 146

5.2.1 An early stream cipher – the Vigenère 147

5.2.2 The one-time pad 148

5.2.3 An early block cipher – Playfair 150

5.2.4 Hash functions 152

5.2.5 Asymmetric primitives 154

5.3 Security models 155

5.3.1 Random functions – hash functions 157

5.3.1.1 Properties 157

5.3.1.2 The birthday theorem 158

5.3.2 Random generators – stream ciphers 159

5.3.3 Random permutations – block ciphers 161

5.3.4 Public key encryption and trapdoor one-way permutations 163

5.3.5 Digital signatures 164

5.4 Symmetric crypto algorithms 165

5.4.1 SP-networks 165

5.4.1.1 Block size 166

5.4.1.2 Number of rounds 166

5.4.1.3 Choice of S-boxes 167

5.4.1.4 Linear cryptanalysis 167

5.4.1.5 Differential cryptanalysis 168

5.4.2 The Advanced Encryption Standard (AES) 169

5.4.3 Feistel ciphers 171

5.4.3.1 The Luby-Rackoff result 173

5.4.3.2 DES 173

5.5 Modes of operation 175

5.5.1 How not to use a block cipher 176

5.5.2 Cipher block chaining 177

5.5.3 Counter encryption 178

5.5.4 Legacy stream cipher modes 178

5.5.5 Message authentication code 179

5.5.6 Galois counter mode 180

5.5.7 XTS 180

5.6 Hash functions 181

5.6.1 Common hash functions 181

5.6.2 Hash function applications – HMAC, commitments and updating 183

5.7 Asymmetric crypto primitives 185

5.7.1 Cryptography based on factoring 185

5.7.2 Cryptography based on discrete logarithms 188

5.7.2.1 One-way commutative encryption 189

5.7.2.2 Diffie-Hellman key establishment 190

5.7.2.3 ElGamal digital signature and DSA 192

5.7.3 Elliptic curve cryptography 193

5.7.4 Certification authorities 194

5.7.5 TLS 195

5.7.5.1 TLS uses 196

5.7.5.2 TLS security 196

5.7.5.3 TLS 1.3 197

5.7.6 Other public-key protocols 197

5.7.6.1 Code signing 197

5.7.6.2 PGP/GPG 198

5.7.6.3 QUIC 199

5.7.7 Special-purpose primitives 199

5.7.8 How strong are asymmetric cryptographic primitives? 200

5.7.9 What else goes wrong 202

5.8 Summary 203

Research problems 204

Further reading 204

Chapter 6 Access Control 207

6.1 Introduction 207

6.2 Operating system access controls 209

6.2.1 Groups and roles 210

6.2.2 Access control lists 211

6.2.3 Unix operating system security 212

6.2.4 Capabilities 214

6.2.5 DAC and MAC 215

6.2.6 Apple's macOS 217

6.2.7 iOS 217

6.2.8 Android 218

6.2.9 Windows 219

6.2.10 Middleware 222

6.2.10.1 Database access controls 222

6.2.10.2 Browsers 223

6.2.11 Sandboxing 224

6.2.12 Virtualisation 225

6.3 Hardware protection 227

6.3.1 Intel processors 228

6.3.2 Arm processors 230

6.4 What goes wrong 231

6.4.1 Smashing the stack 232

6.4.2 Other technical attacks 234

6.4.3 User interface failures 236

6.4.4 Remedies 237

6.4.5 Environmental creep 238

6.5 Summary 239

Research problems 240

Further reading 240

Chapter 7 Distributed Systems 243

7.1 Introduction 243

7.2 Concurrency 244

7.2.1 Using old data versus paying to propagate state 245

7.2.2 Locking to prevent inconsistent updates 246

7.2.3 The order of updates 247

7.2.4 Deadlock 248

7.2.5 Non-convergent state 249

7.2.6 Secure time 250

7.3 Fault tolerance and failure recovery 251

7.3.1 Failure models 252

7.3.1.1 Byzantine failure 252

7.3.1.2 Interaction with fault tolerance 253

7.3.2 What is resilience for? 254

7.3.3 At what level is the redundancy? 255

7.3.4 Service-denial attacks 257

7.4 Naming 259

7.4.1 The Needham naming principles 260

7.4.2 What else goes wrong 263

7.4.2.1 Naming and identity 264

7.4.2.2 Cultural assumptions 265

7.4.2.3 Semantic content of names 267

7.4.2.4 Uniqueness of names 268

7.4.2.5 Stability of names and addresses 269

7.4.2.6 Restrictions on the use of names 269

7.4.3 Types of name 270

7.5 Summary 271

Research problems 272

Further reading 273

Chapter 8 Economics 275

8.1 Introduction 275

8.2 Classical economics 276

8.2.1 Monopoly 278

8.3 Information economics 281

8.3.1 Why information markets are different 281

8.3.2 The value of lock-in 282

8.3.3 Asymmetric information 284

8.3.4 Public goods 285

8.4 Game theory 286

8.4.1 The prisoners' dilemma 287

8.4.2 Repeated and evolutionary games 288

8.5 Auction theory 291

8.6 The economics of security and dependability 293

8.6.1 Why is Windows so insecure? 294

8.6.2 Managing the patching cycle 296

8.6.3 Structural models of attack and defence 298

8.6.4 The economics of lock-in, tying and DRM 300

8.6.5 Antitrust law and competition policy 302

8.6.6 Perversely motivated guards 304

8.6.7 Economics of privacy 305

8.6.8 Organisations and human behaviour 307

8.6.9 Economics of cybercrime 308

8.7 Summary 310

Research problems 311

Further reading 311

Part II

Chapter 9 Multilevel Security 315

9.1 Introduction 315

9.2 What is a security policy model? 316

9.3 Multilevel security policy 318

9.3.1 The Anderson report 319

9.3.2 The Bell-LaPadula model 320

9.3.3 The standard criticisms of Bell-LaPadula 321

9.3.4 The evolution of MLS policies 323

9.3.5 The Biba model 325

9.4 Historical examples of MLS systems 326

9.4.1 SCOMP 326

9.4.2 Data diodes 327

9.5 MAC: from MLS to IFC and integrity 329

9.5.1 Windows 329

9.5.2 SELinux 330

9.5.3 Embedded systems 330

9.6 What goes wrong 331

9.6.1 Composability 331

9.6.2 The cascade problem 332

9.6.3 Covert channels 333

9.6.4 The threat from malware 333

9.6.5 Polyinstantiation 334

9.6.6 Practical problems with MLS 335

9.7 Summary 337

Research problems 338

Further reading 339

Chapter 10 Boundaries 341

10.1 Introduction 341

10.2 Compartmentation and the lattice model 344

10.3 Privacy for tigers 346

10.4 Health record privacy 349

10.4.1 The threat model 351

10.4.2 The BMA security policy 353

10.4.3 First practical steps 356

10.4.4 What actually goes wrong 357

10.4.4.1 Emergency care 358

10.4.4.2 Resilience 359

10.4.4.3 Secondary uses 359

10.4.5 Confidentiality – the future 362

10.4.6 Ethics 365

10.4.7 Social care and education 367

10.4.8 The Chinese Wall 369

10.5 Summary 371

Research problems 372

Further reading 373

Chapter 11 Inference Control 375

11.1 Introduction 375

11.2 The early history of inference control 377

11.2.1 The basic theory of inference control 378

11.2.1.1 Query set size control 378

11.2.1.2 Trackers 379

11.2.1.3 Cell suppression 379

11.2.1.4 Other statistical disclosure control mechanisms 380

11.2.1.5 More sophisticated query controls 381

11.2.1.6 Randomization 382

11.2.2 Limits of classical statistical security 383

11.2.3 Active attacks 384

11.2.4 Inference control in rich medical data 385

11.2.5 The third wave: preferences and search 388

11.2.6 The fourth wave: location and social 389

11.3 Differential privacy 392

11.4 Mind the gap? 394

11.4.1 Tactical anonymity and its problems 395

11.4.2 Incentives 398

11.4.3 Alternatives 399

11.4.4 The dark side 400

11.5 Summary 401

Research problems 402

Further reading 402

Chapter 12 Banking and Bookkeeping 405

12.1 Introduction 405

12.2 Bookkeeping systems 406

12.2.1 Double-entry bookkeeping 408

12.2.2 Bookkeeping in banks 408

12.2.3 The Clark-Wilson security policy model 410

12.2.4 Designing internal controls 411

12.2.5 Insider frauds 415

12.2.6 Executive frauds 416

12.2.6.1 The post office case 418

12.2.6.2 Other failures 419

12.2.6.3 Ecological validity 420

12.2.6.4 Control tuning and corporate governance 421

12.2.7 Finding the weak spots 422

12.3 Interbank payment systems 424

12.3.1 A telegraphic history of E-commerce 424

12.3.2 SWIFT 425

12.3.3 What goes wrong 427

12.4 Automatic teller machines 430

12.4.1 ATM basics 430

12.4.2 What goes wrong 433

12.4.3 Incentives and injustices 437

12.5 Credit cards 438

12.5.1 Credit card fraud 439

12.5.2 Online card fraud 440

12.5.3 3DS 443

12.5.4 Fraud engines 444

12.6 EMV payment cards 445

12.6.1 Chip cards 445

12.6.1.1 Static data authentication 446

12.6.1.2 ICVVs, DDA and CDA 450

12.6.1.3 The No-PIN attack 451

12.6.2 The preplay attack 452

12.6.3 Contactless 454

12.7 Online banking 457

12.7.1 Phishing 457

12.7.2 CAP 458

12.7.3 Banking malware 459

12.7.4 Phones as second factors 459

12.7.5 Liability 461

12.7.6 Authorised push payment fraud 462

12.8 Nonbank payments 463

12.8.1 M-Pesa 463

12.8.2 Other phone payment systems 464

12.8.3 Sofort, and open banking 465

12.9 Summary 466

Research problems 466

Further reading 468
