What Would Happen If . . . ?

Fernando Berzal

The Craft of System Security by Sean Smith and John Marchesini, Addison-Wesley Professional, 2007, ISBN 0-321-43483-8, 592 pp.

Asking what-if questions is typical of software testers when they’re trying to detect errors in systems under test. But it should also be an ingrained habit for security specialists. Nor is this the only parallel we can draw between software testing and system security. Testing is difficult, risk based, never complete, and intended to prevent deficiencies. You could say exactly the same things about security. As Sean Smith and John Marchesini point out in the title and epilogue of their book, building secure systems is still a craft. As in software testing, we have to rely on our judgment, experience, and tools.

Unfortunately, good judgment comes from experience, and experience often comes from bad judgment. So, relying on our own experience to learn how to build a secure system in practice could be too costly, for both our pockets and our reputation (not to mention our self-esteem). The Craft of System Security offers a less-steep path for anyone interested in building secure systems.

… You took only one security course

The authors’ stated goal is to provide the right security education to students who might only take one security course. I would say they’ve succeeded. Their coverage of myriad security topics is outstanding, albeit necessarily shallow due to the space constraints they face in packing such a wealth of information in a single 500-page volume. In any case, they always include relevant pointers for further information, so interested readers can delve into the details on their own.

The book starts by reviewing the historical background behind computer security. The authors elaborate on the classical C-I-A rubric (which constrained security to confidentiality, integrity, and availability) and discuss additional issues such as privacy. They comment on the US Department of Defense’s Orange Book, which focuses mainly on data confidentiality in a multilevel security environment. They also review the design principles that Jerome Saltzer and Michael Schroeder proposed in 1975 (“The Protection of Information in Computer Systems,” Proc. IEEE, vol. 63, no. 9, pp. 1278–1308).

Once the historical stage is set, the authors address security in the modern computing landscape. Here, the reader will find three sound surveys of operating system-, network-, and implementation-level security. The informative discussions include lessons learned in practice as well as the essential theoretical background to understand each topic. Anecdotes and even aphorisms have their place in this book. For instance, you learn that complexity is the enemy of security, that a necessary trade-off exists between security and usability, and that your motto should be “Trust No One.”

The core of the book analyzes the building blocks of secure systems. Starting with cryptography, the authors provide an excellent overview that teaches you how it works, how to use it, and also how to subvert it (for example, by attacking the method by which the key is chosen or exploiting side channels). They do the same for authentication, public key infrastructure, existing standards, policy compliance, and penetration testing. Instead of just rehashing the typical material you can find in many basic textbooks, the authors give an overall picture of the security landscape along with the facts you might need in practice.

Mismatched models

After the building blocks, the book turns to security as it’s currently employed in different applications. These chapters discuss how the mismatch between reality and the users’ mental models of the Web leads to various security problems that software engineers are probably already aware of. The authors also address privacy issues that result from using automated tools as substitutes for their paper counterparts. Finally, they describe how to translate common social processes to cyberspace and the security implications those translations might have. This discussion covers such diverse topics as digital money, time stamps, and digital rights management.

The final chapters deal with current trends in the field. These chapters are unavoidably less polished than the previous ones, because they cover many half-baked ideas that are still in development. In particular, Smith and Marchesini focus on using formal methods (that is, model checkers) to increase assurance that a system will be secure (for example, by uncovering overlooked subtleties) and using AI tools in defensive software (for example, fraud detection). They also address the deployment of hardware-based security, something that has proven rather difficult in practice, and the study of human issues that might help us build secure, usable systems.

Even though a single book can’t make readers experts, this one is designed to make security apprentices fully aware of the common vulnerabilities that might threaten their systems. It describes how to elaborate models of such threats and make rational decisions about how much to spend to mitigate the risk and impact of a potential attack. Even though these skills aren’t always taught to future software engineers as part of their studies, they’re certainly important for professional software development. Smith and Marchesini’s undergraduate textbook is an excellent place to become acquainted with security-related issues. For novices and professionals alike, the authors offer clear explanations and remarks that are always to the point. They also propose interesting project ideas and provide up-to-date information beyond the typical Alice-and-Bob material you might have learned years ago.

Fernando Berzal is an associate professor in the University of Granada’s Department of Computer Science and Artificial Intelligence and a member of its Intelligent Databases and Information Systems research group. Contact him at berzal@acm.org.
