Computer security is a field of computer science concerned with the control of risks related to computer use
The means traditionally taken to realize this objective is to attempt to create a secure computing platform, designed so that agents (users or programs) can only perform actions that have been allowed. This involves specifying and implementing a security policy. The actions in question can be reduced to operations of access, modification and deletion. Computer security can be seen as a subfield of security engineering, which looks at broader security issues in addition to computer security.
In a secure system the legitimate users of that system are still able to do what they should be able to do. While one might be able to secure a computer beyond misuse using extreme measures (locked in a vault without any means of power or communication for example), this would not be regarded as a useful secure system because of the above requirement.
It is important to distinguish the techniques employed to increase a system's security from the issue of that system's security status. In particular, systems which contain fundamental flaws in their security designs cannot be made secure without compromising their utility. Consequently, most computer systems cannot be made secure even after the application of extensive "computer security" measures.
Computer Security By Design
There are two different approaches to security in computing. One focuses mainly on external threats, and generally treats the computer system itself as a trusted system. This philosophy is discussed in the computer insecurity article.
The other, discussed in this article, regards the computer system itself as largely an untrusted system, and redesigns it to make it more secure in a number of ways.
This technique enforces privilege separation, where an entity has only the privileges that are needed for its function. That way, even if an attacker has subverted one part of the system, fine-grained security ensures that it is just as difficult for them to subvert the rest.
Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. Where formal correctness proofs are not possible, rigorous use of code review and unit testing measures can be used to try to make modules as secure as possible.
The design should use "defense in depth", where more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure. What constitutes such a decision and what authorities are legitimate is obviously controversial.
In addition, security should not be an all-or-nothing issue. The designers and operators of systems should assume that security breaches are inevitable in the long term. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.
Techniques For Creating Secure Systems
The following techniques can be used in engineering secure systems. These techniques, whilst useful, do not of themselves ensure security. One security maxim is "a security system is no stronger than its weakest link"
- Automated theorem proving and other verification tools can enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
- Thus simple microkernels can be written so that we can be sure they don't contain any bugs: eg EROS and Coyotos.
- A bigger OS, able of providing a standard API like POSIX, can be built on a microkernel using small API servers running as normal programs. If one of these API servers has a bug, the kernel and the other servers are not affected: eg Hurd.
- Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified.
- Strong authentication techniques can be used to ensure that communication end-points are who they say they are.
- Secure cryptoprocessors can be used to leverage physical security techniques into protecting the security of the computer system.
- Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
- Mandatory access control can be used to ensure that privileged access is withdrawn when privileges are revoked. For example, deleting a user account should also stop any processes that are running with that user's privileges.
- Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. The next sections discuss their use.
This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Computer Security".