Segurança em Computação

Raul H.C. Lopes

Our goal is not to provide a "how to" guide for potential penetrators of operating systems. Rather we study these flaws to understand the careful analysis necessary in designing and testing operating systems (Pfleeger and Pfleeger in "Security in Computing")

Outline

• O problema da segurança em computação
• Segurança de Programas
• Segurança em Sistemas Operacionais
• Criptografia
• Redes e Protocolos
• Bancos de Dados

Referências básicas

• Computer Security: Art and Science
  Matt Bishop
• Security Engineering
  Ross Anderson

Links de interesse

• CERT (Carnegie-Mellon)
• AusCERT (Austrália)
• Página de Bruce Schneier
• Página de Leslie Lamport: interesse em especificação formal de sistemas

Referências por Tópico

• O problema de Segurança em Computação
  • J.P.Anderson: Computer Security...
    Um dos primeiros artigos em segurança (considerado referência até hoje
  • P.A.Karger and R. Schell: Multics Security Evaluation
    Artigo seminal sobre segurança no MULTICS (predecessor dos UNIX)
  • Guia do NIST sobre tratamento de incidentes
  • D.L.Brinkley and R.R. Schell: Concepts and Terminology for Computer Security
• Segurança no nível de programas
  • K.Thompson: Reflexions on Trusting
  • K.Ashcraft and D.Engler: Using Programmer-Written Compiler Extensions to Catch Security Holes
    Para se defender de Ken Thompson
  • D.Farmer and W.Venema: Imporving Security of your Site by Breaking Into It
    Segurança na linha "break-and-fix cycle"
  • Aleph One: Samashing the Stack
    buffer overflows
  • C.Cowan: Buffer Overflows: Attacks and Defenses
  • Virus e worms
    • C.Nachenberg: Computer Virus - Coevolution, Comm. of ACM, vol 40, n1 (1997)
      download via CAPES
    • P. Szor and P.Ferrie: Hunting for Metamorphic
    • F. Perriot, P. Szor and P.Ferrie: Striking Similarities
    • E.H. Spafford: The Internet Worm Program: An Analysis
    • T.M. Chen J.M. Roberts: Worm Epidemics in High-Speed Networks
    • S.H. Pfleeger and L. Hatton: Investigating the Influence of Formal Methods, IEEE Computer, vol 30 n2 (1997)
    • C.P.Pfleeger, S.H. Pfleeger and M.F.Theofanos: A methodology of Penetration Testing, Computers and Security, vol.8 n7,pp 613-620 (1989)
• Segurança no nível so Sistema Operacional
  • Interesse geral
    • P.A.Karger and R.R.Schell: Thirty Years Later: Lessons From the Multics Evaluation Security
    • Security-enhanced Linux da NSA
    • D.Wheeler: Secure Programming for Linux
    • Artigo comparativo Jail, LSM SE-Linux"
    • Monitor de Máquina Virtual
  • Controle de acesso
    • R.S.Fabry: Capability-based addressing
  • Segurança no Kernel
    • L.Lampson: Protection
    • J.H.Saltzer: The protection of information in MULTICS
  • Máquinas virtuais
    • Número da ACM Queue sobre Máquinas Virtuais
    • Kamp and Watson: Jails: Confining the Omnipotent root
  • Casos reais
  • Critérios de Avaliação
    • Trusted Computer System Evaluation Criteria
    • Common Criteria
  • Protocolos Criptográficos
    • B. Schneier: Applied Criptography
    • D. Stinson: Criptography: theory and Practice
    • R.Merkle: Secure Communications over Insecure Channels, Comm. of ACM, v 21, n4, 294--299
    • Diffie and Hellman: New Directions in Criptography, IEEE Trans. Information Theory, v-IT 22,6, 644-654
    • R.Milner, J. Parrow and D. Walker: A Calculus of Mobile Processes Pt.1
    • R.Milner, J. Parrow and D. Walker: A Calculus of Mobile Processes Pt.2
    • M.Abadi and A.D.Gordon : A Calculus for Criptographic Protocols

  Ferramentas

  • download de TLC

  Exemplos

  • Especificação em TLA

  Trabalhos práticos