SECURITY AND PRIVACY IN COMPUTER SYSTEMS
Willis H. Ware
The RAND Corporation, Santa Monica, California
April 1967
P-3544

Any views expressed in this Paper are those of the author. They should not be interpreted as reflecting the views of The RAND Corporation or the official opinion or policy of any of its governmental or private research sponsors. Papers are reproduced by The RAND Corporation as a courtesy to members of its staff. This Paper was prepared for presentation at the Spring Joint Computer Conference, Atlantic City, April 17-19, 1967. It comprises the Chairman's Introduction and a separate paper delivered at the Session on Security and Privacy in Computer Systems.

ABSTRACT

This Paper consists of two distinct but related parts. An introductory section reviews and standardizes the terminology to be used throughout, and outlines the configuration of a typical remote-access, multi-user, resource-sharing computer system, identifying its vulnerabilities to the accidental or deliberate divulgence of information. The main portion of the Paper then compares the security and privacy situations, suggesting design considerations for protecting private information handled by computer systems. The privacy problem is really a spectrum of problems which ultimately must be assessed as an engineering trade-off question: the value of private information to an outsider determining the resources he is willing to expend for acquisition, the value of the information to its owner determining what he is willing to pay for protection. Computer systems operating with classified military information and those handling private or sensitive information are contrasted in terms of controlling user access, incentives to penetration, hardware requirements, file access and protection, overall philosophy of system organization, certifying authorities, magnitude and seriousness of penetration efforts, and security and protection of communication circuits. Generally
speaking, similar hardware-software and systems precautions must be taken. The essential distinctions are in the legal framework, value of information, magnitude of resources for both protection and penetration, and in communications security. The all-important difference is that the users of a computer-private network may not be subject to a common authority and discipline, or that these forces may be inadequate to deter deliberate attempts at penetration.

I. INFORMATION LEAKAGE IN A RESOURCE-SHARING COMPUTER SYSTEM

With the advent of computer systems which share the resources of the configuration among several users or several problems, there is the risk that information from one user or computer program will be coupled to another user or program. In many cases the information in question will bear a military classification or be sensitive for some reason, and safeguards must be provided to guard against the leakage of information. This session is concerned with accidents or deliberate attempts which divulge computer-resident information to unauthorized parties.

Espionage attempts to obtain military or defense information regularly appear in the news. Computer systems are now widely used in military and defense installations, and deliberate attempts to penetrate such computer systems must be anticipated. There can be no doubt that safeguards must be conceived which will protect the information in such computer systems. There is a corresponding situation in the industrial world. Much business information is company-confidential because it relates to proprietary processes or technology, or to the success, failure, or state-of-health of the company. One can imagine a circumstance in which it would be profitable for one company to mount an industrial espionage attack against the computer system of a competitor. Similarly, one can imagine scenarios in which confidential information on individuals which is kept within a computer is potentially profitable to a party
not authorized to have the information. Hence we can expect that penetrations will be attempted against computer systems which contain non-military information.

This session will not debate the existence of espionage attempts against resource-sharing systems. Rather, it is assumed that the problem exists, at least in principle if not in fact, and our papers will be devoted to discussing technological aspects of the problem and possible approaches to safeguards.

First of all, clarification of terminology is in order. For the military or defense situation the jargon is well established. We speak of classified information, military security, and secure computer installations. There are rules and regulations governing the use and divulgence of military-classified information, and we need not dwell further on the issue. In the non-military area terminology is not established. The phrase "industrial security" includes such things as protecting proprietary designs and business information, but it also covers the physical protection of plants and facilities. For our purposes the term is too broad. In most circles the problem which will concern us is being called the privacy problem. The words "private" and "privacy" are normally associated with an individual in a personal sense, but Webster's Third New International Dictionary also provides the following definitions:

Private: for or restricted to the use of a particular person or group or class of persons; not freely available to the public.

Privacy: seclusion or freedom from unauthorized oversight or observation.

We are talking about restricting information within a computer for the use of a specified group of persons; we do not want the information freely available to the public. We want to isolate the information from unauthorized observation. Hence the terminology appears appropriate enough, although one might hope that new terms will be found that do not already have strongly established connotations. For our purposes today, "security" and
"classified" will refer to military or defense information or situations; "private" or "privacy" to the corresponding industrial or non-military governmental situations. In each case the individual authorized to receive the information will have "need to know" or "access authorization."

We will do the following in this session. In order to bring all of us to a common level of perspective on resource-sharing computer systems, I will briefly review the configuration of such systems and identify the major vulnerabilities to penetration and to leakage of information. The following paper by Mr. Peters will describe the security safeguards provided for a multi-programmed remote-access computer system. Then I will contrast the security and privacy situations, identifying similarities and differences. The final paper by Dr. Petersen and Dr. Turn will discuss technical aspects of security and privacy safeguards. Finally, we have a panel of three individuals who have faced the privacy problem in real-life systems; each will describe his views toward the problem and his approach to a solution. In the end it will fall upon each of you to conceive and implement satisfactory safeguards for the situation which concerns you.

A priori we cannot be certain how dangerous a given vulnerability might be. Things which are serious for some computer systems may be only a nuisance for others. Let us take the point of view that we will not prejudge the risk associated with a given vulnerability or threat to privacy. Rather, let us try only to suggest some of the ways in which a computer system might divulge information to an unauthorized party in either the security or the privacy situation. We'll leave for discussion in the context of particular installations the question of how much protection we want to provide, what explicit safeguards must be provided, and how serious any particular vulnerability might be.

The hardware configuration of a typical resource-sharing computer system is shown in Fig. 1. There is a
central processor to which are attached computer-based files and a communication network for linking to remote users via a switching center. We observe first of all that the files may contain information of different levels of sensitivity or military classification; therefore access to these files by users must be controlled. Improper or unauthorized access to a file can divulge information to the wrong person. Certainly the file can also be stolen, a rather drastic divulgence of information. On the other hand, an unauthorized copy of a file might be made using the computer itself, and the copy revealed to unauthorized persons.

[Fig. 1. Typical configuration of resource-sharing computer system. The diagram shows the processor, the files, the switching center, the communication lines, and the remote-access consoles, with the vulnerabilities of each annotated. Communication lines and switching center: radiation, taps, crosstalk, failure to connect to the proper line, cross-coupling between lines. Files: theft, copying, unauthorized access. Hardware: failure of protection circuits (bounds registers, memory read/write protects), contribution to software failures. Software: failure of protection features (access control, bounds control, user identification, etc.). Operator: replacing a protecting monitor with a non-protecting one or with one having "ins"; revealing protective measures. Systems programmer: disabling software protective features; providing private "ins" to the system; revealing protective measures. Maintenance man: disabling hardware protective devices; using stand-alone utility programs to access files or to explore the system. User: identification, authentication, subtle modifications to the software system, a bug planted by an individual of low authorization level. Remote-access consoles: radiation; attachment of recorders to the device (platen, ink ribbon, etc.).]

The central processor has both hardware and software components. So far as hardware is concerned, the circuits for such protections as bounds registers, memory read-write protect, or privileged mode might fail and permit information to leak to improper destinations. A large variety of hardware failures might contribute to software
failures which in turn lead to divulgence. Since the processor consists of high-speed electronic circuits, it can be expected that large quantities of electromagnetic energy will radiate; conceivably, an eavesdropping third party might acquire sensitive information. Failure of the software may disable such protection features as access control, user identification, or memory bounds control, leading to improper routing of information.

Intimately involved with the central computer are three types of personnel: operators, programmers, and maintenance engineers. The operator, who is responsible for minute-by-minute functioning of the system, might reveal information by doing such things as replacing the correct monitor with a non-protecting one of his own, or perhaps with a rigged monitor which has special "ins" for unauthorized parties. Also, he might reveal to unauthorized parties some of the protective measures which are designed into the system. A co-operative effort between a clever programmer and an engineer could bug a machine for their own gain in such a sophisticated manner that it might remain unnoticed for an extended period. "Bug" as just used does not refer to an error in a program, but to some computer equivalent of the famous transmitter in a martini olive. Bugging of a machine could very easily appear innocent and open. Operator-less machine systems are practical, and in principle one might conjecture that a machine could be bugged by an apparently casual passerby. There are subtle risks associated with the maintenance process. While attempting to diagnose a system failure, information could easily be generated which would reveal to the maintenance man how the software protections are coded. From that point it might be easy to rewire the machine so that certain instructions appeared to behave normally, whereas in fact the protective mechanisms could be bypassed. While some of the things that I've just proposed require deliberate acts, others could happen by accident. Thus, so far as
the computing central itself is concerned, we have potential vulnerabilities in control of access to files, in radiation from the hardware, in hardware, software, or combined hardware-software failures, and in deliberate acts of penetration or accidental mistakes by the system personnel.

The communication links from the central processor to the switching center, and from the switching center to the remote consoles, are similarly vulnerable. Any of the usual wiretapping methods might be employed to steal information from the lines. Since some communications will involve relatively high-frequency signals, electromagnetic radiation might be intercepted by an eavesdropper. Also, crosstalk between communication links might possibly reveal information to unauthorized individuals. Furthermore, the switching central itself might have a radiation or crosstalk vulnerability; it might fail to make the right connection and so link the machine to an incorrect user.

A remote console might also have a radiation vulnerability. Moreover, there is the possibility that recording devices of various kinds might be attached to the console to pirate information. Consideration might have to be given to destroying the ribbon in the printing mechanism, or to designing the platen so that impressions could not be read from it.

Finally, there is the user of the system. Since his link to the computer is via a switching center, the central processor must make certain with whom it is conversing. Thus there must be means for properly identifying the user, and this means must be proof against recording devices, pirating, unauthorized use, etc. Even after a user has satisfactorily established his identity, there remains the problem of verifying his right to have access to certain files, and possibly to certain components of the configuration. There must be a means for authenticating the requests which he will make of the system, and this means must be proof against bugging, recorders, pirating, unauthorized usage, etc. Finally,
there is the ingenious user who skillfully invades the software system sufficiently to ascertain its structure and to make changes which are not apparent to the operators or to the systems programmers, but which give him "ins" to normally unavailable information.

To summarize: there are human vulnerabilities throughout; individual acts can accidentally or deliberately jeopardize the protection of information in a system. Hardware vulnerabilities are shared among the computer, the communications system, and the consoles. There are software vulnerabilities, and vulnerabilities in the system's organization: access control, user identification, and authentication. How serious any one of these might be depends on the sensitivity of the information being handled, the class of users, the operating environment, and certainly on the skill with which the network has been designed. In the most restrictive case the network might have to be protected against all the types of invasions which have been suggested, plus many readily conceivable.

This discussion, although not an exhaustive consideration of all the ways in which a resource-sharing computer system might be either accidentally or deliberately penetrated for the purposes of unauthorized acquisition of information, has attempted to outline some of the major vulnerabilities which exist in modern computing systems. Succeeding papers in this session will address themselves to a more detailed examination of these vulnerabilities and to a discussion of possible solutions.

II. SECURITY AND PRIVACY: SIMILARITIES AND DIFFERENCES

For the purposes of this Paper, we will use the term "security" when speaking about computer systems which handle classified defense information, and "privacy" in regard to those computer systems which handle non-defense information which nonetheless must be protected because it is in some respect sensitive. It should be noted at the outset that the context in which security must be considered is quite different
from that which can be applied to the privacy question. With respect to classified military information, there are federal regulations which establish authority and discipline to govern the conduct of people who work with such information. Moreover, there is an established set of categories into which information is classified. Once information is classified Confidential, Secret, or Top Secret, there are well-defined requirements for its protection, for controlling access to it, and for transmitting it from place to place.

In the privacy situation the analogous situation may exist only in part, or not at all. There are indeed Federal and State statutes which protect the so-called secrecy of communication. But it remains to be established that these laws can be extended to cover, or interpreted as applicable to, the unauthorized acquisition of information from computer equipment. There are also laws against thievery, and at least one case involving a programmer and theft of privileged information has been tried. The telephone companies have formulated regulations governing the conduct of employees who are subject to secrecy-of-communication laws and who may intrude on the privacy of individuals; perhaps this experience can be drawn upon by the computer field.

Though there apparently exist fragments of law and some precedents bearing on the protection of information, nonetheless the privacy situation is not so neatly circumscribed and tidy as the security situation. Privacy simply is not so controlled. Within computer networks serving many companies, organizations, or agencies, there may be no uniform governing authority, an incomplete legal framework, no established discipline, or perhaps not even a code of ethics among users. At present there is not even a commonly accepted set of categories to describe levels of sensitivity for private information. Great quantities of private information are being accumulated in computer files, and the incentives to penetrate the safeguards to privacy are bound to
increase. Existing laws may prove inadequate or may need more vigorous enforcement. There may be need for a monitoring and enforcement establishment analogous to that in the security situation. In any event, it cannot be taken for granted that there now exist adequate legal and ethical umbrellas for the protection of private information.

The privacy problem is really a spectrum of problems. At one end it may be necessary to provide only a very low level of protection to the information, for only a very short time; at the opposite end it may be necessary to invoke the most sophisticated techniques to guarantee protection of information for extended periods of time. Federal regulations state explicitly what aspect of national defense will be compromised by unauthorized divulgence of each category of classified information. There is no corresponding particularization of the privacy situation; the potential damage from revealing private information is nowhere described in such absolute terms. It may be that a small volume of information leaked from a private file involves inconsequential risk. For example, the individual names of a company's employees are probably not even sensitive, whereas the complete file of employees could well be restricted. Certainly the "big brother" spectre raised by recent Congressional hearings on invasion of privacy via massive computer files is strongly related to the volume of information at risk.

Because of the diverse spread in the privacy situation, the appearance of the problem may be quite different from its reality. One would argue on principle that maximum protection should be given to all information labeled private, but if privacy of information is not protected by law and authority, we can expect that the owner of sensitive information will require a system designed to guarantee protection only against the threat as he sees it. Thus, while we might imagine very sophisticated attacks against private files, the reality of the situation may
be that much simpler levels of protection will be accepted by the owners of the information.

In the end an engineering trade-off question must be assessed. The value of private information to an outsider will determine the resources he is willing to expend to acquire it. In turn, the value of the information to its owner is related to what he is willing to pay to protect it. Perhaps this game-like situation can be played out to arrive at a rational basis for establishing the level of protection. Perhaps a company or governmental agency, or a group of companies or agencies, or the operating agent of a multi-access computer service, will have to establish its own set of regulations for handling private information. Further, a company or agency may have to establish penalties for infractions of these regulations, and perhaps even provide extra remuneration for those assuming the extraordinary responsibility of protecting private information.

The security measures deemed necessary for a multi-processing remote-terminal computer system operating in a military classified environment have been discussed elsewhere.* This paper will compare the security situation with the privacy situation and suggest issues to be considered when designing a computer system for guarding private information. Technology which can be applied against the design problem is described elsewhere.**

* Peters, B., "Security Considerations in a Multi-Programmed System," presented at this session, 1967 SJCC.
** Petersen, H. E., and R. Turn, "Systems Implications of Privacy," presented at this session, 1967 SJCC.

First of all, note that the privacy problem is to some extent present whenever and wherever sharing of the structures of a computer system takes place. A time-sharing system slices time in such a way that each user gets a small amount of attention on some periodic basis. More than one user program is resident in the central storage at one time, and hence there are obvious opportunities for leakage of information from one
program to another, although the problem is alleviated to some extent in systems operating in an interpretive software mode. In a multi-programmed computer system it is also true that more than one user program is normally resident in the core store at a time. Usually a given program is not executed without interruption; it must share the central storage, and perhaps other levels of storage, with other programs. Even in the traditional batch-operated system there can be a privacy problem. Although only one program is usually resident in storage at a time, parts of other programs reside on magnetic tape or discs; in principle, the currently executing program might accidentally reference others, or cause parts of previous programs contained on partially re-used magnetic tape to be outputted. Thus, unless a computer system is completely stripped of other programs, and this means clearing or removing access to all levels of storage, privacy infractions are possible and might permit divulgence of information from one program to another.

Let us now reconsider the points raised in the Peters paper and extend the discussion to include the privacy situation.

1. The problem of controlling user access to the resource-sharing computer system is similar in both the security and privacy situations. It has been suggested (Peters, loc. cit.) that one-time passwords are necessary to satisfactorily identify and authenticate the user in the security situation. In some university time-sharing systems, permanently assigned passwords are considered acceptable for user identification. Even though printing of a password at the console can be suppressed, it is easy to ascertain such a password by covert means; hence repeatedly used passwords may prove unwise for the privacy situation.

2. The incentive to penetrate the system is present in both the security and privacy circumstances. Revelation of military information can degrade the country's defense capabilities. Likewise, divulgence of sensitive information can to some
extent damage other parties or organizations. Private information will always have some value to an outside party, and it must be expected that penetrations will be attempted against computer systems handling such information. It is conceivable that the legal liability for unauthorized leaking of sensitive information may become as severe as for divulging classified material.

3. The computer hardware requirements appear to be the same for the privacy and security situations. Such features as memory read-write protection, bounds registers, privileged instructions, and a privileged mode of operation are required to protect information, be it classified or sensitive. Also, overall software requirements seem similar, although certain details may differ in the privacy situation because of communications matters or differences in user discipline.

4. The file access and protection problem is similar under both circumstances. Not all users of a shared computer-private system will be authorized access to all files in the system, just as not all users of a secure computer system will be authorized access to all files. Hence there must be some combination of hardware and software features which controls access to the on-line classified files in conformance with security levels and need-to-know restrictions, and in conformance with corresponding attributes in the privacy situation. As mentioned earlier, there may be a minor difference relative to volume. In classified files denial of access must be absolute, whereas in private files access to a small quantity of sensitive information might be an acceptable risk.

5. The philosophy of the overall system organization will probably have to be different in the privacy situation. In the classified defense environment users are indoctrinated in security measures, and their personal responsibility can be considered as part of the system design. Just as the individual who finds a classified document in a hallway is expected to return
it, so the man who accidentally receives classified information at his console is expected to report it. The users in a classified system are subject to the regulations, authority, and discipline of a governmental agency. Similar restrictions may not prevail in a commercial or industrial resource-sharing computer network, nor in government agencies that do not operate within the framework of government classifications. In general, it would appear that one cannot exploit the good will of users as part of a privacy system's design. On the other hand, the co-operation of users may be part of the design philosophy if it proves possible to impose a uniform code of ethics, authority, and discipline within a multi-access system. Uniform rules of behavior might be possible if all users are members of the same organization, but quite difficult or impossible if the users are from many companies or agencies.

6. The certifying authority is certainly different in the two situations. It is easy to demonstrate that the total number of internal states of a computer is so enormous that some of them will never prevail in the lifetime of the machine. It is equally easy to demonstrate that large computer programs have a huge number of internal paths, which implies the potential existence of error conditions which may appear rarely or even only once. Monitor programs governing the internal scheduling and operation of multi-programmed, time-sharing, or batch-operated machines are likely to be extensive and complex, and if security or privacy is to be guaranteed, some authority must certify that the monitor is properly programmed and checked out. Similarly, the hardware must also be certified to possess appropriate protective devices. In a security situation a security officer is responsible for establishing and implementing measures for the control of classified information. Granted that he may have to take the word of computer experts or become a computer expert himself, and granted that of
itself his presence does not solve the computer security problem, there is nonetheless at least an assigned, identifiable, responsible authority. In the case of the commercial or industrial system, who is the authority? Must the businessman take the word of the computer manufacturer who supplied the software? If so, how does he assure himself that the manufacturer hasn't provided "ins" to the system that only he, the manufacturer, knows about? Must the businessman create his own analog of defense security practices?

7. Privacy and security situations are certainly similar in that deliberate penetrations must be anticipated, if not expected, but industrial espionage against computers may be less serious. On the other hand, industrial penetrations against computers could be very profitable, and perhaps safer from a legal viewpoint. It would probably be difficult for a potential penetrator to mount the magnitude of effort against an industrial resource-sharing computer system that foreign agents are presumed to mount against secrecy systems of other governments. To protect against large-scale efforts, an industry-established agency could keep track of major computing installations and know where penetration efforts requiring heavy computer support might originate. On the other hand, the resourceful and insightful individual can be as great a threat to the privacy of a system. If one can estimate the nature and extent of the penetration effort expected against an industrial system, perhaps it can be used as a design parameter to establish the level of protection for sensitive information.

8. The security and privacy situations are certainly similar in that each demands secure communication circuits. For the most part, methods for assuring the security of communication channels have been the exclusive domain of the military and government. What about the non-government user? Could the specifications levied on common carriers in their implied warranty of a private circuit be extended? Does
the problem become one for the common carriers? Must they develop communication security equipment? If the problem is left to the users, does each do as he pleases? Might it be feasible to use the central computer itself to encode information prior to transmission? If so, the console will require special equipment for decoding the messages.

9. Levels of protection for communications are possibly different in the two situations. If one believes that a massive effort at penetration could not be mounted against a commercial private network, a relatively low-quality protection for communications would be sufficient. On the other hand, computer networks will inevitably go international. Then what? A foreign industry might find it advantageous to tap the traffic of U.S. companies operating an international and presumably private computer network. Might it be that for reasons of national interest we will someday find the professional effort of a foreign government focused on the privacy-protecting measures of a computer network? If control of international trade were to become an important instrument of government policy, then any international communications network involved with industrial or commercial computer-private systems will need the best protection that can be provided.

This Paper has attempted to identify and briefly discuss the differences and similarities between computer systems operating with classified military information and computer systems handling private or sensitive information. Similar hardware, software, and systems precautions must be taken. In most respects the differences between the two situations are only of degree. However, there are a few aspects in which the two situations genuinely differ in kind, and on these points designers of a system must take special note. The essential differences between the two situations appear to be the following:

1. Legal foundations for protecting classified information are well established, whereas in the privacy
situation a uniform authority over the users and a penalty structure for infractions are lacking. We may not be able to count on the good will and disciplined behavior of users as part of the protective measures.

2. While penetrations can be expected against both classified and sensitive information, the worth of the material at risk in the two situations can be quite different, not only to the owner of the data but also to other parties and to society.

3. The magnitude of the resources available for protection and for penetration is markedly smaller in the privacy situation.

4. While secure communications are required in both situations, there are significant differences in details. In the defense environment, protected communications are the responsibility of a government agency, appropriate equipment is available, and the importance of protection overrides economic considerations. In the privacy circumstance, secure, satisfactory communication equipment is generally not available, and the economics of protecting communications is likely to be more carefully assessed.

5. Some software details have to be handled differently in the privacy situation to accommodate differences in the security of communications.

It must be remembered that since the Federal authority and regulations for handling classified military information do not function for private or sensitive information, it does not automatically follow that a computer network designed to safely protect classified information will equally well protect sensitive information. The all-important difference is that the users of a computer-private network may not be subject to a common authority and discipline. But even if they are, the strength of the authority may not be adequate to deter deliberate attempts at penetration.
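The user identification, authentication, and file-access controls described in Section I and in items 1 and 4 of Section II, as an added example in Python that is not part of Ware's paper or of the Peters system it refers to. It models the two password practices item 1 contrasts (a permanently assigned password versus a list of one-time passwords, each struck off when used, so a password captured by a line tap or console recorder cannot be presented again), and a monitor that checks each file request against the user's clearance and need-to-know before releasing data. The ordering of the four classification levels, the representation of need-to-know as a set of compartments, and the distinction between the classification of a single record and of the complete file (the volume point made with the employee-file example) are this example's own assumptions; the paper specifies none of them. The sample users and files are constructed for the demonstration.

```python
"""Toy protecting monitor for a resource-sharing system: user identification
with reusable versus one-time passwords, and file access checked against
security levels and need-to-know.  Added example; not from Ware's paper.
The level ordering, the compartment model of need-to-know and the
record-level/file-level distinction are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass, field

# Assumed ordering of classification levels (the paper names the categories
# but does not define a comparison between them).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def _digest(password: str) -> str:
    # Keep only digests on the machine, so a copied password file does not
    # directly yield passwords usable at a console.
    return hashlib.sha256(password.encode()).hexdigest()


class ReusablePassword:
    """A permanently assigned password (the university time-sharing practice
    of item 1): anything that records it, a line tap or a console recorder,
    can present it again and be accepted."""

    def __init__(self, password: str):
        self._digest = _digest(password)

    def verify(self, candidate: str) -> bool:
        return _digest(candidate) == self._digest


class OneTimePasswordList:
    """A list of single-use passwords: each is struck off the first time it
    is presented, so a recorded password is worthless to the recorder."""

    def __init__(self, passwords):
        self._unused = {_digest(p) for p in passwords}

    def verify(self, candidate: str) -> bool:
        d = _digest(candidate)
        if d not in self._unused:
            return False
        self._unused.remove(d)
        return True


@dataclass
class User:
    name: str
    clearance: str
    need_to_know: frozenset      # compartments the user is authorized for
    authenticator: object        # ReusablePassword or OneTimePasswordList


@dataclass
class File:
    name: str
    level: str                   # classification of the complete file
    record_level: str            # classification of any single record
    compartments: frozenset      # need-to-know required for this file
    records: list = field(default_factory=list)


class Monitor:
    """Identifies the user at login, then checks every file request against
    clearance and need-to-know before releasing any data."""

    def __init__(self, users, files):
        self._users = {u.name: u for u in users}
        self._files = {f.name: f for f in files}
        self._sessions = set()

    def login(self, name: str, password: str) -> bool:
        user = self._users.get(name)
        if user is None or not user.authenticator.verify(password):
            return False
        self._sessions.add(name)
        return True

    def _permitted(self, user: User, level: str, compartments: frozenset) -> bool:
        # Clearance must dominate the level, and the user must hold every
        # compartment the file requires (need-to-know).
        return (LEVELS[user.clearance] >= LEVELS[level]
                and compartments <= user.need_to_know)

    def read_record(self, name: str, filename: str, index: int):
        """One record, checked against the record level.  None means denied."""
        if name not in self._sessions:
            return None
        user, f = self._users[name], self._files[filename]
        if not self._permitted(user, f.record_level, f.compartments):
            return None
        return f.records[index]

    def copy_file(self, name: str, filename: str):
        """The complete file, checked against the (possibly higher) file
        level: the volume at risk changes the sensitivity.  None means denied."""
        if name not in self._sessions:
            return None
        user, f = self._users[name], self._files[filename]
        if not self._permitted(user, f.level, f.compartments):
            return None
        return list(f.records)


def build_demo() -> Monitor:
    """Constructed sample users and files (not from the paper)."""
    alice = User("alice", "Secret", frozenset({"PAYROLL"}),
                 OneTimePasswordList(["otp-0001", "otp-0002"]))
    bob = User("bob", "Unclassified", frozenset(), ReusablePassword("bob-pw"))
    carol = User("carol", "Top Secret", frozenset(), ReusablePassword("carol-pw"))
    employees = File("EMPLOYEES", level="Confidential", record_level="Unclassified",
                     compartments=frozenset(), records=["J. Doe", "R. Roe"])
    payroll = File("PAYROLL", level="Secret", record_level="Secret",
                   compartments=frozenset({"PAYROLL"}),
                   records=[("J. Doe", 9000), ("R. Roe", 8500)])
    return Monitor([alice, bob, carol], [employees, payroll])
```

Against the constructed data, bob's permanently assigned password is accepted again after it has been presented once, which is what a recorder on his line would exploit, while alice's one-time password is refused the second time. bob, who holds no clearance, can retrieve an individual employee name but is refused a copy of the complete file; carol, though cleared for Top Secret, is refused the payroll record because she lacks the PAYROLL need-to-know compartment. Nothing is released before a successful login.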