Learning and Experience in Computer Security Education (Invited Paper)

Matt Bishop
Department of Computer Science, University of California at Davis
Davis, CA 95616-8562
Email: mabishop@ucdavis.edu

Abstract—Computer security is a discipline highly dependent on the environment in which systems and sites are to be secured. But the practical experience needed to understand the limits of abstract knowledge in the field, and to mould that knowledge in a way that can be applied to specific situations arising in practice, is often not taught in academia. Non-academic institutions, including sites that use security to protect themselves and organizations and companies that develop security tools, technologies, and practices, can help close this gap in a way that benefits the organizations, the academic institutions, and the students. An example using the current lack of security and robustness in software shows how this might be done.

I. INTRODUCTION

Computer security draws many of its most difficult problems from the realm of practice. The details of the practice create the problems, and they often arise from non-technical considerations. Perhaps the best example of this is the hierarchical public key infrastructure (PKI).

Initially, a proposed hierarchy had a single root node. Conceptually, this makes the hierarchy a tree, and therefore (relatively) simple and clean. It also requires all certification authorities to be certified by that root, either directly or indirectly. This implies that all those CAs trust the root to some extent. But in reality, such an assumption is untenable. One need only look at the politics of the world to understand that some nation-states will never trust an entity not under their control. This led to the “forest” notion that currently predominates, with several root CAs. When appropriate, the root nodes certify one another (called “cross-certification”). Technically, a single trusted root CA suffices; in practice, no such root exists, requiring the development of alternate mechanisms.

Academic education focuses on principles, which by their nature are abstract. For example, the “principle of least privilege” says that a process should have the minimal set of privileges needed to carry out its tasks [12]. In a formal model, this is straightforward. Simply define rights that enable the subject to access the object as needed, and provide those rights to the subject (in an access control list or capability list). But in a real system, the architecture becomes critical. First, what is the granularity of the subject with respect to the resource? In a UNIX-like system, if the subject is not the owner of the object, it shares permissions with other subjects, so the permissions assigned would be the union of the permissions that each subject needed. This may be considerably more than what the subject in question needs. Second, how are the rights constrained by environmental considerations? In that same system, if the subject has (say) read rights over the object, it will not be able to exercise those rights unless that subject has search (execute) permission on the containing directory. Thus, the “clean” model in which least privilege can be applied exactly fails in this situation.

The result is a need to understand how security works in practice, so that we know how to apply existing models to improve security, and to improve the models to reflect practice better. In the PKI example, cross-certification fits naturally into existing models: the cross-certified root CA becomes a node in the hierarchy directly under the cross-certifying root CA. In the access example, the access control model must be augmented to take “groups” of subjects into account, as well as cascading permissions; or, the UNIX-like system must be augmented to handle rights on a per-object basis, and the incorporation of ACLs into most existing UNIX-like systems enables exactly that.

Incorporating practice into education helps bridge this gap between theory and practice. Giving students practical experience in which they can apply the abstract theories, principles, and analyses they learn in class brings those theories to life. In reverse, the students can take what they have done or are doing in practice, and incorporate it into new theories and models, or modify existing ones to reflect the practice better. Working together, academic institutions and non-academic organizations can provide this combination of theory and practice. Further, working together may help compensate somewhat for the damage caused by the pervasive lack of resources in both non-academic organizations and academic institutions. Indeed, such joint work may even provide a basis for seeking additional resources.

The goal of this paper is to examine ways that universities may interact with non-academic organizations to support education. First, we describe the goals of this interaction based upon the nature of the non-academic institutions; then we discuss the methods of interaction. We next use the notion of “secure programming” as an example of how this co-operation might work. We conclude with some thoughts on the benefits of academic institutions working with other organizations to enhance their educational programs.
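The single-root hierarchy and the cross-certified forest from the introduction, as an added example that is not from the paper: certificates are reduced to subject-to-issuer edges, and the CA names and certificate graph are constructed.

```python
# Added example (not from the paper): certificate-path building in a PKI
# modelled as subject -> issuers edges. Two national root CAs form a forest;
# cross-certification lets a relying party that trusts only one root reach
# the other root's subtree. CA names are constructed.

CERTS = {
    "ca.nation-a": {"root-a"},
    "ca.nation-b": {"root-b"},
    "alice@a": {"ca.nation-a"},
    "bob@b": {"ca.nation-b"},
}

def cross_certify(certs, certifier, certified):
    """Root `certifier` issues a certificate for root `certified`, which then
    hangs directly under it in the hierarchy, as the text describes."""
    certs.setdefault(certified, set()).add(certifier)

def build_path(certs, subject, anchors, _seen=frozenset()):
    """Return an issuer chain from `subject` up to a trusted anchor, or None.
    `_seen` stops the walk looping when roots cross-certify each other."""
    if subject in anchors:
        return [subject]
    if subject in _seen:
        return None
    for issuer in sorted(certs.get(subject, ())):
        path = build_path(certs, issuer, anchors, _seen | {subject})
        if path:
            return [subject] + path
    return None

def forest_demo():
    """Relying party trusting only root-a: path to bob@b before and after
    root-a cross-certifies root-b. Works on a copy so CERTS stays pristine."""
    certs = {k: set(v) for k, v in CERTS.items()}
    before = build_path(certs, "bob@b", {"root-a"})
    cross_certify(certs, "root-a", "root-b")
    after = build_path(certs, "bob@b", {"root-a"})
    return before, after

def mutual_demo():
    """Both roots cross-certify each other; a party trusting neither must
    still terminate (None) rather than loop around the cycle."""
    certs = {k: set(v) for k, v in CERTS.items()}
    cross_certify(certs, "root-a", "root-b")
    cross_certify(certs, "root-b", "root-a")
    return build_path(certs, "bob@b", {"root-c"})
```

A relying party that trusts both roots needs no cross-certificate at all; the forest only becomes a problem when, as the text observes, no single root is trusted by everyone.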
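The two practical gaps in the least-privilege example above, modelled in an added example that is not from Bishop's paper: rights are the classic rwx bits, and the filesystem tree, users and groups are constructed.

```python
# Added example (not from the paper): a toy UNIX-like permission check for
# the two least-privilege gaps described above. All data is constructed.
from collections import namedtuple

R, W, X = 4, 2, 1  # classic rwx bits
Node = namedtuple("Node", "owner group mode")  # mode = (owner, group, other) bits
Subject = namedtuple("Subject", "name groups")

def bits_for(subject, node):
    """Select the owner, group or other triple that applies to the subject."""
    if subject.name == node.owner:
        return node.mode[0]
    if node.group in subject.groups:
        return node.mode[1]
    return node.mode[2]

def effective_rights(subject, path, fs):
    """Rights the subject can actually exercise on `path`: every ancestor
    directory must grant search (x), otherwise the object's own bits are
    unreachable and the effective set is empty (environmental constraint)."""
    parts = path.strip("/").split("/")
    for i in range(len(parts)):
        parent = "/" + "/".join(parts[:i]) if i else "/"
        if not bits_for(subject, fs[parent]) & X:
            return 0
    return bits_for(subject, fs[path])

def group_mode_for(needs):
    """Granularity gap: subjects sharing one group slot get the union of
    their needs; returns (union, {subject: bits beyond its own need})."""
    union = 0
    for n in needs.values():
        union |= n
    return union, {s: union & ~n for s, n in needs.items()}

# Constructed tree: /data is searchable by its owner only, so the read bit
# staff hold on /data/report is granted on paper but unusable in practice.
FS = {
    "/": Node("root", "root", (R | W | X, R | X, R | X)),
    "/data": Node("root", "root", (R | W | X, 0, 0)),
    "/data/report": Node("root", "staff", (R | W, R, R)),
    "/pub": Node("root", "root", (R | W | X, R | X, R | X)),
    "/pub/notes": Node("root", "staff", (R | W, R | W, 0)),
}
alice = Subject("alice", frozenset({"staff"}))
```

Auditing with `effective_rights` rather than the object's own mode bits is what exposes the gap: `bits_for` says alice may read /data/report, while the path check says she cannot, and `group_mode_for` reports how many bits each group member holds beyond what it needs.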
[1] Judith N. Froscher et al., The Handbook for the Computer Security Certification of Trusted Systems, 1992.
[2] Jerome H. Saltzer et al., “The protection of information in computer systems,” Proc. IEEE, 1975.
[3] Jennifer Vesperman, Essential CVS, 2003.
[4] Michael Pilato, Version Control with Subversion, 2004.
[5] Matt Bishop et al., “Robust Programming by Example,” World Conference on Information Security Education, 2009.
[6] Matt Bishop et al., “Secure Coding Education: Are We Making Progress?”, 2012.
[7] Richard R. Linde et al., “Operating system penetration,” AFIPS '75, 1975.
[8] Bill Cheswick et al., Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley Professional Computing Series, 2003.
[9] Matt Bishop et al., Summit on Education in Secure Software Final Report, 2011.