Readings and Resources
Trust & Trustworthy Computing


2008-08-28-17:27 -0700

see also:
Readings in Computing Milieu
Readings in System Architecture and Design
Readings in Software Engineering and Development

Acar, Tolga., Michener, John.  Risks in Features vs. Assurance.  Inside Risks department.   Comm. ACM 45, 8 (August 2002), 112.
     Comments on the difficulties of anti-warranties for software and the preference for features over trustworthiness.  Considers that liability law may step in where there is prevalent customer inability to know their security exposures and be able to manage the risks.  There is a trust issue, and the status of the software developer in demonstrating trustworthiness is, it seems to me, going to become a serious matter at some point. -- dh:2002-08-05.
Anderson, Ross J.  Security Engineering: A Guide to Building Dependable Distributed Systems.  John Wiley & Sons (New York: 2001).  ISBN 0-471-38922-6 pbk: alk.paper
     I am pleased to have this book.  I am already pleased with materials from his web site and what I know of his approach to security.  It is a bonus pleasure that the book is also the text for my forthcoming M.Sc in IT Security Engineering course.  dh:2004-06-15.
     The author provides an interesting high-level errata.  Not expecting to produce a new edition very soon, Anderson has begun more-detailed errata and revised material for Parts One (chapters 1-6), Two (chapters 7-20), and Three (chapters 21-24).  If you examine this and other material provided on-line, I think you'll have a clear picture of the quality of the book and the enjoyment to be gained from it.
     About the Author
     Foreword [by Bruce Schneier]
     Legal Notice

     1. What Is Security Engineering?
     2. Protocols
     3. Passwords
     4. Access Control
     5. Cryptography
     6. Distributed Systems
     7. Multilevel Security
     8. Multilateral Security
     9. Banking and Bookkeeping
     10. Monitoring Systems
     11. Nuclear Command and Control
     12. Security Printing and Seals
     13. Biometrics
     14. Physical Tamper Resistance
     15. Emission Security
     16. Electronic and Information Warfare
     17. Telecom System Security
     18. Network Attack and Defense
     19. Protecting E-Commerce Systems
     20. Copyright and Privacy Protection
     21. E-Policy
     22. Management Issues
     23. System Evaluation and Assurance
     24. Conclusions

Appleman, Daniel.  Always Use Protection: A Teen's Guide to Safe Computing.  Apress (Berkeley, CA: 2004).  ISBN 1-59059-326-X pbk.
     This is a delightful book that provides an easy-going perspective of value to parents, teens, and teachers.  The companion web site provides a valuable set of questions and answers and promises other resources.
     About the Author
     Introduction for Parents

     I. Protecting Your Machine
          1. Gremlins in Your Machine
          2. When Software Attacks: All About Viruses
          3. From Sneaks to Slammers: How Viruses Get on Your System
          4. The Built-In Doctor: Antivirus Programs
          5. Guardians at the Gate: Firewalls
          6. Locking Up, Part 1: Software Updates
          7. Locking Up, Part 2: System and Application Configuration
          8. Backups: The Most Important Thing You'll Probably Never Do
          9. What To Do When You've Been Hit
     II. Protecting Your Privacy
          10. When They Think It's You, But It Isn't: Identity Theft
          11. Passwords: Your Key to the Internet
          12. The Traces You Leave Behind: What Your Machine Says About You
          13. Every Move You Make, They'll Be Watching You
     III. Protecting Yourself
          14. Chat Rooms, Public and Private
          15. Scams
     IV. Appendixes
          A. Everyday Security
          B. Registry Tricks
          C. A Note for Parents
Schneier, Bruce.  Applied Cryptography: Protocols, Algorithms, and Source Code in C. ed.2.  With a Foreword by Whitfield Diffie and Afterword by Matt Blaze.  Wiley (New York: 1996).  ISBN 0-471-11709-9 pbk.  See [Schneier1996]
Colwell, Bob.  Ground Bounce.  At Random department.  IEEE Computer 36, 3 (March 2003), 11-13.
     As computer people and aspirants to the discipline of software engineering, we have some notion that nature is far more compliant and predictable than is actually the case.  Colwell provides a delightful story of being humbled by the analog realities of the digital facade that is so marvelously maintained through great diligence and lengthy experience of digital and analog circuit designers.  One of the important arguments about how proof is insufficient is that it is based on misplaced confidence that proof is about the behavior of the artifact, rather than the properties of an immaterial abstraction.  I have begun reading about the experiences of those serious engineers who build something and have to deal with all of the exigencies that arise as a way to be grounded in the degree to which this applies, and how lengthy experience is involved (and insufficient).  -- dh:2003-03-17
Glass, Robert L.  The Proof of Correctness Wars.  Practical Programmer column.  Comm. ACM 45, 8 (August 2002), 19-21.
     Bob Glass comments on the controversy aroused by the DeMillo-Lipton-Perlis challenge to ideas about proof-of-correctness for software, followed by the Fetzer reaction to ideas of program verification.  This tale is used to suggest that the field is more mature and the religious responses and outrage are much diminished in that maturity.  -- dh:2002-08-05.
Keoh, Sye Loong., Lupu, Emil.  Towards Flexible Credential Verification in Mobile Ad-hoc Networks, pp. 58-65 in Proc. of the 2nd ACM International Workshop on Principles of Mobile Computing, POMC'02, Toulouse, France, October 30-31, 2002.
     "In this paper we propose a flexible credential verification mechanism, which improves the likelihood that participants in an ad-hoc network can verify each other's credentials despite the lack of access to certification and attribute authorities. Users maintain Credential Assertion Statements (CASs), which are formed through extraction of X.509 and attribute certificates into an interoperable XML form. Trusted entities that can verify the credentials listed in the CAS can then issue signed Assertion Signature Statements (ASSs) to other participants in the ad-hoc network. ... Transitivity of trust is generally not allowed, but there are exceptional cases in which it is permitted." -- from the Abstract
     [dh:2005-01-13] Ubiquitous mobile computing is envisioned to involve dynamic, ad hoc formation of communities of devices in the absence of trusted global services. In the general case, the parties have no a priori knowledge of each other, there are no existing trust relationships between them, and there is not even momentary access to a fixed network infrastructure. A conceptual framework for practical trust under such conditions is proposed. The framework's standards-based, hybrid trust architecture depends on community members discovering some mutual basis for peer trust sufficient for the immediate purposes. The framework enhances opportunities for discovering a trust basis by consolidation of credentials produced in different certificate formats and paradigms, including X.509, PGP, and SPKI. Members of the ad-hoc network then accept assertions about unrecognized credentials from other already-trusted peers using a version of web-of-trust authority.
     1. Introduction
     2. Motivation and Aims
     3. Related Work
     4. System Requirements
     5. The Architecture
          5.1 Key management
          5.2 The XML credential generator
          5.3 The security assertion module
          5.4 The verification and validation module
     6. Discussion
     7. Conclusion
     8. Acknowledgment
     9. References
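     The verification rule that the abstract and the note above describe (assertions about unrecognized credentials are accepted only from peers the verifier already trusts, with no transitive chaining) in miniature, as an added illustration and not the paper's own code.  The type names, the string encoding of a CAS, the use of Ed25519 signatures and the three peers are assumptions made for the example; the paper's extraction of X.509 and attribute certificates into XML is left out, and a CAS is reduced to a holder and a claim string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CredentialAssertion stands in for a Credential Assertion Statement (CAS):
// a holder's own claim about a credential, reduced here to two strings.
type CredentialAssertion struct {
	Holder string
	Claim  string
}

// AssertionSignature stands in for an Assertion Signature Statement (ASS):
// a verifier's Ed25519 signature over a CAS it has checked.
type AssertionSignature struct {
	Verifier string
	Subject  CredentialAssertion
	Sig      []byte
}

// Peer is one participant. trusted holds the public keys of peers whose
// assertions this peer accepts directly (a relationship established out of
// band, e.g. a key exchanged in person); it is the only source of authority.
type Peer struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	trusted map[string]ed25519.PublicKey
}

func NewPeer(name string) *Peer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Peer{Name: name, pub: pub, priv: priv, trusted: map[string]ed25519.PublicKey{}}
}

// Trust records a direct trust relationship with other.
func (p *Peer) Trust(other *Peer) { p.trusted[other.Name] = other.pub }

// encode gives the bytes that are signed. Length prefixes keep
// ("a|b","c") and ("a","b|c") from colliding.
func encode(c CredentialAssertion) []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s", len(c.Holder), c.Holder, len(c.Claim), c.Claim))
}

// Vouch is called by a peer that was able to verify c (for instance while it
// still had access to the issuing authority, which is assumed here); it
// issues a signed assertion that other peers may rely on.
func (p *Peer) Vouch(c CredentialAssertion) AssertionSignature {
	return AssertionSignature{Verifier: p.Name, Subject: c, Sig: ed25519.Sign(p.priv, encode(c))}
}

// Accept decides whether p relies on c on the strength of a. The verifier
// must be in p's own trusted set (no transitivity: a peer trusted only by one
// of p's trusted peers is rejected), the assertion must be about exactly c,
// and the signature must verify.
func (p *Peer) Accept(c CredentialAssertion, a AssertionSignature) bool {
	pub, ok := p.trusted[a.Verifier]
	if !ok {
		return false
	}
	if a.Subject != c {
		return false
	}
	return ed25519.Verify(pub, encode(c), a.Sig)
}

// Scenario runs three checks and reports their outcomes: direct (verifier
// trusted by alice), transitive (verifier trusted only by bob, whom alice
// trusts) and tampered (claim altered after bob signed it).
func Scenario() (direct, transitive, tampered bool) {
	alice, bob, carol := NewPeer("alice"), NewPeer("bob"), NewPeer("carol")
	alice.Trust(bob)
	bob.Trust(carol)

	dave := CredentialAssertion{Holder: "dave", Claim: "role=engineer"} // constructed
	fromBob := bob.Vouch(dave)
	fromCarol := carol.Vouch(dave)

	direct = alice.Accept(dave, fromBob)
	transitive = alice.Accept(dave, fromCarol)

	altered := fromBob
	altered.Subject.Claim = "role=admin"
	tampered = alice.Accept(altered.Subject, altered)
	return
}

func main() {
	d, t, m := Scenario()
	fmt.Printf("direct=%v transitive=%v tampered=%v\n", d, t, m)
}
```

     Only the first check succeeds.  The interesting design choice is the rejection of Carol's assertion: Alice could reach it through Bob, but the paper's default of non-transitive trust means that the relying peer, not the chain, decides whose signature counts, and any exception to that rule has to be made explicitly.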

MacKenzie, Donald A.  Computers and the Sociology of Mathematical Proof.  Prepared for Northern Formal Methods Workshop, Ilkley, September 1998.  Edinburgh University Department of Sociology.  Published on-line.
MacKenzie, Donald A.  Mechanizing Proof: Computing, Risk, and Trust.  MIT Press (Cambridge, MA: 2001).  Inside Technology Series.  ISBN 0-262-13393-8 hard cover, alkaline paper.
     "Most aspects of our private and social lives--our safety, the integrity of the financial system, the functioning of utilities and other services, and national security--now depend on computing.  But how can we know that this computing is trustworthy? ...
     "MacKenzie argues that our culture now contains two ideals of proof: proof as traditionally conducted by human mathematicians, and formal, mechanized proof.   He describes the systems constructed by those committed to the latter ideal and the many questions those systems raise about the nature of proof. ... He concludes that in mechanizing proof, and in pursuing dependable computer systems, we do not and cannot obviate the need for trust in our collective human judgment."  -- from the book jacket description.
     ACM Ubiquity has a review by Peter G. Neumann.
     An earlier article, "Computers and the Sociology of Mathematical Proof" is available on-line.  It provides a useful time-line and an abbreviated earlier treatment of themes in Mechanizing Proof.
     2002-01-18: A syllabus has been created for study of the book with my associate Bill Anderson. 
     1. Knowing Computers
     2. Boardwalks across the Tar Pit
     3. Artificial Mathematicians?
     4. Eden Defiled
     5. Covert Channels
     6. Social Processes and Category Mistakes
     7. Clocks and Chips
     8. Logics, Machines, and Trust
     9. Machines, Proofs, and Cultures
Acar, Tolga., Michener, John.  Risks in Features vs. Assurance.  Comm. ACM 45, 8 (August 2002), 112.  See [Acar2002]
Petroski, Henry.  To Engineer Is Human: The Role of Failure in Successful Design.  St. Martin's Press (New York: 1982, 1983, 1984, 1985).  ISBN 0-312-80680-9.  Combining some material, often in somewhat different form, that appeared in Technology and Culture, Technology Review, and The Washington Post.
     "I believe that the concept of failure--mechanical and structural failure in the context of this discussion--is central to understanding engineering, for engineering design has as its first and foremost objective the obviation of failure.  Thus the colossal disasters that do occur are ultimately failures of design, but the lessons learned from these disasters can do more to advance engineering knowledge than all the successful machines and structures in the world.  Indeed, failures appear to be inevitable in the wake of prolonged success, which encourages lower margins of safety.  Failures in turn lead to greater safety margins and, hence, new periods of success.  To understand what engineering is and what engineers do is to understand how failures can happen and how they can contribute more than successes to advance technology."  -- from the Preface, p. xii.
     List of Illustrations

     1. Being Human
     2. Falling Down Is Part of Growing Up
     3. Lessons from Play; Lessons from Life
          Appendix: "The Deacon's Masterpiece," by Oliver Wendell Holmes
     4. Engineering as Hypothesis
     5. Success Is Foreseeing Failure
     6. Design Is Getting From Here to There
     7. Design as Revision
     8. Accidents Waiting to Happen
     9. Safety in Numbers
     10. When Cracks Become Breakthroughs
     11. Of Bus Frames and Knife Blades
     12. Interlude: The Success Story of the Crystal Palace
     13. The Ups and Downs of Bridges
     14. Forensic Engineering and Engineering Fiction
     15. From Slide Rule to Computer: Forgetting How It Used to Be Done
     16. Connoisseurs of Chaos
     17. The Limits of Design

Petroski, Henry.  Design Paradigms: Case Histories of Error and Judgment in Engineering.  Cambridge University Press (Cambridge: 1994).  ISBN 0-521-46649-0 pbk.
     "Possibly the greatest tragedy underlying design errors and the resultant failures is that many of them do seem to be avoidable, yet one of the potentially most effective means of improving reliability in engineering appears to be the most neglected ... perhaps because the state of the art always seems so clearly advanced beyond that of decades, let alone centuries or millennia, past.  However, the state of the art is often only a superficial manifestation, arrived at principally through analytical and calculational tools, of what is understood about the substance and behavior of the products of engineering.  Anyone who doubts this assertion need only look at the design errors and failures that occur in the climate of confidence, if not hubris, known as the state of the art."  -- from the Preface, p. ix.
     1. Introduction
     2. Paconius and the Pedestal for Apollo: A Paradigm of Error in Conceptual Design
     3. Vitruvius's Auger and Galileo's Bones: Paradigms of Limits to Size in Design
     4. Galileo and the Marble Column: A Paradigm of a Design Change for the Worse
     5. Galileo's Confirmation of a False Hypothesis: A Paradigm of Logical Error in Design
     6. The Design and Collapse of the Dee Bridge: A Paradigm of Success Masking Error
     7. The Britannia Tubular Bridge: A Paradigm of Tunnel Vision in Design
     8. Failure as a Source of Engineering Judgment: John Roebling as a Paradigmatic Designer
     9. The Design Climate for the Tacoma Narrows Bridge: A Paradigm for the Selective Use of History
     10. Historic Bridge Failures and Caveats for Future Designs
     11. Conclusion

Schneier, Bruce.  Applied Cryptography: Protocols, Algorithms, and Source Code in C. ed.2.  With a Foreword by Whitfield Diffie and Afterword by Matt Blaze.  Wiley (New York: 1996).  ISBN 0-471-11709-9 pbk.
     The author has a web page that provides further information and an errata for the book.  The 3-floppy set of all software on disk is now on CD-ROM and available internationally, reflecting the relaxation of export restrictions since the book was written.  Other useful information is available at the author's site.
     Foreword by Whitfield Diffie
     About the Author

          1. Foundations
     Part I: Cryptographic Protocols
          2. Protocol Building Blocks
          3. Basic Protocols
          4. Intermediate Protocols
          5. Advanced Protocols
          6. Esoteric Protocols
     Part II: Cryptographic Techniques
          7. Key Length
          8. Key Management
          9. Algorithm Types and Modes
          10. Using Algorithms
     Part III: Cryptographic Algorithms
          11. Mathematical Background
          12. Data Encryption Standard (DES)
          13. Other Block Ciphers
          14. Still Other Block Ciphers
          15. Combining Block Ciphers
          16. Pseudo-Random-Sequence Generators and Stream Ciphers
          17. Other Stream Ciphers and Real Random-Sequence Generators
          18. One-Way Hash Functions
          19. Public-Key Algorithms
          20. Public-Key Digital Signature Algorithms
          21. Identification Schemes
          22. Key-Exchange Algorithms
          23. Special Algorithms for Protocols
     Part IV: The Real World
          24. Example Implementations
          25. Politics
     Afterword by Matt Blaze
     Part V: Source Code
          [1. DES, 2. LOKI91, 3. IDEA, 4. GOST, 5. BLOWFISH, 6. 3-Way, 7. RC5, 8. A5, 9. SEAL]
     The Applied Cryptography Source Code Disk Set [considerable expansion over the book's code, kept current]
Schneier, Bruce.  Beyond Fear: Thinking Sensibly About Security in an Uncertain World.  Copernicus (New York: 2003).  ISBN 0-387-02620-7 (alk. paper).
     The author maintains a web site and also provides an e-mail newsletter on security topics.  There is an RSS feed as well.
     There's a related open-source project, Password Safe, that is intended to simplify the problem of maintaining many passwords.  This is also an opportunity to apply the precepts of Beyond Fear to a security artifact that has a public implementation.  Even more fun may be a little screen saver, and a console application, that uses idle time to crack S/MIME 40-bit RC2 keys.  The source code of the application may also be instructive in understanding the sensitivity of cryptographic techniques.  These are all great illustrations of what it takes to think about security and vulnerabilities.
     A 2004-05-25 Rob Slade review of this book appeared in The Risks Digest 23.38.
     Part One: Sensible Security
          1. All Security Involves Trade-offs
          2. Security Trade-Offs are Subjective
          3. Security Trade-Offs Depend on Power and Agenda
     Part Two: How Security Works
          4. Systems and How They Fail
          5. Knowing the Attackers
          6. Attackers Never Change Their Tunes, Just Their Instruments
          7. Technology Creates Security Imbalances
          8. Security Is a Weakest-Link Problem
          9. Brittleness Makes for Bad Security
          10. Security Revolves Around People
          11. Detection Works Where Prevention Fails
          12. Detection Is Useless Without Response
          13. Identification, Authentication, and Authorization
          14. All Countermeasures Have Some Value, But No Countermeasure Is Perfect
          15. Fighting Terrorism
     Part Three: The Game of Security
          16. Negotiating for Security
          17. Security Demystified
     Author's Note
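     What the 40-bit RC2 cracker mentioned above actually exploits is the arithmetic of Applied Cryptography's Part II, chapter 7 (Key Length): a known-plaintext search over 2^40 keys is cheap idle-time work.  The following is an added example, not code from Schneier's site or from the screen saver.  AES-128 stands in for RC2 (which is not in the Go standard library), the fixed part of the key is assumed to be zero, and the secret key index and the plaintext block are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// An export-grade cipher with a 40-bit effective key looks, to an attacker
// who knows the fixed part, like a full-width key whose unknown part is
// confined to the low `bits` bits. keyFromIndex builds such a key.
const blockSize = 16

func keyFromIndex(idx uint64) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint64(key[8:], idx)
	return key
}

func encryptBlock(key, plain []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, plain)
	return out
}

// bruteForce tries every key index below 2^bits against one known
// plaintext/ciphertext block and returns the first match.
func bruteForce(plain, cipher []byte, bits uint) (idx uint64, ok bool) {
	limit := uint64(1) << bits
	var ct [blockSize]byte
	for idx = 0; idx < limit; idx++ {
		c, err := aes.NewCipher(keyFromIndex(idx))
		if err != nil {
			panic(err)
		}
		c.Encrypt(ct[:], plain)
		if bytes.Equal(ct[:], cipher) {
			return idx, true
		}
	}
	return 0, false
}

// meanSearchSeconds extrapolates the expected time to find a key of
// targetBits bits at keysPerSecond, assuming half the space is searched
// on average. math.Ldexp avoids integer overflow for large targetBits.
func meanSearchSeconds(keysPerSecond float64, targetBits uint) float64 {
	return math.Ldexp(1, int(targetBits)) / 2 / keysPerSecond
}

func main() {
	const bits = 20
	secret := uint64(0xBEEF)            // constructed secret, inside the 2^20 space
	plain := []byte("known-plaintext!") // constructed 16-byte known block
	cipher := encryptBlock(keyFromIndex(secret), plain)

	start := time.Now()
	found, ok := bruteForce(plain, cipher, bits)
	elapsed := time.Since(start)
	rate := float64(found+1) / elapsed.Seconds() // keys per second, one core, naive loop

	fmt.Printf("found=%v key=%#x tried=%d in %v (%.0f keys/s)\n", ok, found, found+1, elapsed, rate)
	for _, b := range []uint{40, 56, 128} {
		fmt.Printf("%3d-bit key: mean search %.3g s at this rate\n", b, meanSearchSeconds(rate, b))
	}
}
```

     The loop recreates the cipher for every candidate, so the measured rate is a pessimistic one; a real cracker amortises the key schedule and spreads the work across idle machines, which is exactly why a 40-bit key was already within reach of a screen saver while the 128-bit line of the same printout stays astronomically out of reach.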

Swiderski, Frank., Snyder, Window.  Threat Modeling.  Microsoft Press (Redmond, WA: 2004).  ISBN 0-7356-1991-3 pbk.
     Before the book appeared, Michael Howard provided a Channel 9 video interview (.asx stream) on the topic.  There's a more-recent Frank Swiderski video interview (mms stream) that demonstrates the threat-modeling tool that is available from Microsoft as a useful companion to the book.  There is also an MSDN page that supports application of threat modeling.  Although much Microsoft material considers security from the perspective of application-software development, the treatment in the text applies to system-wide threat modeling along with illustration of system and application cases.

     I. Application Security
          1. Introduction to Application Security
          2. Why Threat Modeling?
     II. Understanding Threat Modeling
          3. How an Adversary Sees an Application
          4. Constraining and Modeling the Application
          5. The Threat Profile
     III. Using Threat Modeling Effectively
          6. Choosing What to Model
          7. Testing Based on a Threat Model
          8. Making Threat Modeling Work
     IV. Sample Threat Models
          A. Fabrikam Phone 1.0
          B. Humongous Insurance Price Quote Website
          C. A. Datum Access Control API


created 2002-08-04-10:33 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 13-08-22 13:03 $
$$Revision: 37 $