Comprehensive overview of security models?

Is there a book out in the wild that contains a comprehensive overview of security models? Or at least a web page on the Internet that contains a comprehensive list of academic papers that discuss various security models? I'm interested mainly from the programming language point-of-view, but these issues gray easily.

Suggestions on a better place to ask this question also welcomed, since I haven't the faintest clue. Most of my knowledge on the subject is accumulated through ad-hoc memorization of a bunch of papers. There has to be a more elegant way to learn this and also frame the debate.


I'd direct the question at

I'd direct the question at cap-talk.

Personally, I've never seen a comprehensive list of security models, much less an overview...

[edit] It doesn't help that there is such confusion over what 'security' means, or whose 'security' is being protected (the user's security? or RIAA's?) I've seen people get violent at the thought of security in computers, because they're thinking security means restricting their own freedom to use their computers.

Indeed, you should narrow

Indeed, you should narrow down specifically what kind of security you're interested in. Confidentiality, access control models, etc. Security is a dilute term!

Why focus on security models?

What's your real goal?

Is your real goal to learn about security? My favorite starting point is Ross Anderson's Security Engineering. If you want something more focused on software security and implementation issues, try Michael Howard and David LeBlanc's Writing Secure Code. If you want something on static analysis in security, try Brian Chess and Jacob West's Secure Programming with Static Analysis. But I'm not sure these are going to be what you are looking for.

You mention security models specifically. Can you say why? Are you sure that's the right focus? My sense is that research on security models has had fairly limited impact on security practice, and I'm not sure how well so-called "security models" address the security issues you run into in the real world. Don't conflate "techniques for addressing security" with "security models". There's a great deal of work on techniques for addressing security concerns, but most of the best work doesn't take the form of a "security model". Today, if you want to build a secure system, you usually don't start by asking "which security model am I going to use?"; security models tend to be of limited relevance to real systems-building. So I wonder if it makes sense to focus on "security models".

If you love mathematical models, some possibly relevant ideas you might find interesting: non-interference (and subsequent line of research), mandatory access control models (e.g., Bell-LaPadula, Biba), decentralized label management (e.g., JIF and predecessors), DIFC (more recent research), stack inspection, access control (the access control matrix, e.g., the paper from Lampson, HRU safety analysis, take-grant model), object capabilities. If you really love mathematical models, you could read Dieter Gollmann's book, Matt Bishop's book, the past proceedings of CSFW and IEEE Security & Privacy. However I still worry that a PL person with no prior background in security might read all that work and think that it's giving you a good overview of security (which I don't think is accurate).

The best place to learn about the most advanced methods for computer security is from research papers. That's a fact of life.

You talk about "framing the debate". What debate?
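To make the "mandatory access control models" and "access control matrix" named in the reply above concrete, here is a small reference monitor that layers the two: a discretionary access matrix decides whether a subject holds a right at all, and then a mandatory rule (Bell-LaPadula for confidentiality, or Biba for integrity) can still refuse it. This is an added illustration written for this thread, not code from any of the books or papers mentioned; the levels, compartments, subjects and objects are constructed sample data.

```python
"""Toy reference monitor combining an access control matrix (DAC) with
Bell-LaPadula or Biba mandatory rules over a small label lattice.
Added example; the lattice and all subjects/objects below are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Set, Tuple


class Level(IntEnum):
    """Totally ordered part of the label lattice (constructed names)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """L1 dominates L2 iff its level is >= and its compartments are a superset."""
        return self.level >= other.level and self.compartments >= other.compartments


# Constructed sample data. The same labels are read as sensitivity levels
# for Bell-LaPadula and as integrity levels for Biba.
SUBJECT_LABELS: Dict[str, Label] = {
    "alice": Label(Level.SECRET, frozenset({"proj"})),
    "bob": Label(Level.PUBLIC),
}
OBJECT_LABELS: Dict[str, Label] = {
    "design.doc": Label(Level.INTERNAL, frozenset({"proj"})),
    "wiki": Label(Level.PUBLIC),
}
# Access control matrix: (subject, object) -> set of rights (Lampson-style).
ACCESS_MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "design.doc"): {"read", "write"},
    ("bob", "design.doc"): {"read"},
    ("alice", "wiki"): {"read", "write"},
    ("bob", "wiki"): {"read", "write"},
}


def dac_allows(subject: str, obj: str, op: str) -> bool:
    """Discretionary check: is the right present in the matrix cell?"""
    return op in ACCESS_MATRIX.get((subject, obj), set())


def blp_allows(s: Label, o: Label, op: str) -> bool:
    """Bell-LaPadula: simple security (no read up) and *-property (no write down)."""
    if op == "read":
        return s.dominates(o)
    if op == "write":
        return o.dominates(s)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(s: Label, o: Label, op: str) -> bool:
    """Biba strict integrity: no read down, no write up (the dual of BLP)."""
    if op == "read":
        return o.dominates(s)
    if op == "write":
        return s.dominates(o)
    raise ValueError(f"unknown operation {op!r}")


def decide(subject: str, obj: str, op: str, model: str = "blp") -> Tuple[bool, str]:
    """Reference monitor: DAC first, then the selected mandatory model.
    Returns (allowed, reason) so a caller can log why a request was refused."""
    if not dac_allows(subject, obj, op):
        return False, f"DAC: no {op} right for {subject} on {obj}"
    s, o = SUBJECT_LABELS[subject], OBJECT_LABELS[obj]
    mac = {"blp": blp_allows, "biba": biba_allows}[model]
    if not mac(s, o, op):
        return False, f"{model.upper()}: mandatory rule denies {op}"
    return True, "allowed"


if __name__ == "__main__":
    for req in [("alice", "design.doc", "read"), ("alice", "design.doc", "write"),
                ("bob", "design.doc", "read"), ("alice", "wiki", "write")]:
        print(req, "->", decide(*req))
```

The instructive cases are the ones the matrix alone would permit: alice holds a write right on design.doc, yet Bell-LaPadula refuses the write because her label is strictly higher than the object's (no write down), and under Biba the same labels forbid her reading it (no read down) while permitting the write. That is the practical difference between a discretionary right and a mandatory model.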

What's your real goal? To

What's your real goal?

To inhale information in a mostly random fashion. I am really intuitive and can store up insane amounts of detail in my brain. It usually pays off, just not in ways I expect. Sometimes it is best not to have an objective and just let creativity run wild.

You talk about "framing the debate". What debate?

I think I have probably just been inundated with so much US political election stuff the past few weeks. Catchphrases like "framing the debate" are pretty regular this time of the year in the states. I really meant building a mental model in my head for thinking about access control, so that I continue to explain it better (e.g., to coworkers and a lot of my friends who are network admins of researchy institutes with supercomputers).

However I still worry that a PL person with no prior background in security might read all that work and think that it's giving you a good overview of security (which I don't think is accurate).

I don't think I am a "PL person", even though I love it and read gobs of PL papers. I have a pretty good knowledge base for security ideas based on the "relevant ideas" you listed, although I notice a few holes. Thanks.

elevator pitch?

regarding how to explain it to others, what would a reasonable elevator pitch be for security? its sub/facets? hrm...

Secure Interaction Design

Secure Interaction Design would be the basis of any elevator pitch I offered.

But if you're feeling poetic, you can go for Horton's Who Done It:

Programs do good things, but also do bad,
making software security more than a fad.
The authority of programs, we do need to tame.
But bad things still happen. Who do we blame?

From the very beginnings of access control:
Should we be safe by construction,
or should we patrol?
Horton shows how, in an elegant way,
we can simply do both, and so save the day.

If you want to get hand-wavy, you can start talking about securable digital economies, markets, even politics - how security models fit into the world-scale picture. There is some at erights but I prefer Nick Szabo's fantastic collection of essays on the subject.

The object capability security model is the basis for security I most favor, and can work in any communications paradigm that uses extrinsic identity. I've not found any other model that is equally expressive (at least without creating absurd administrative overheads). And, importantly, the object capability security model is the only one I've discovered that effectively achieves the properties of Secure Interaction Design - visibility, active authorization, awareness, path of least resistance, revocability, etc.

So there's no need to waste your time with a bunch of other security models. Learn you a object capability model for great good. ;-)
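The revocability and attenuation the post above attributes to the object capability model are easy to see in a few lines. The following is an added example written for this thread (not code from erights or any other project named here): an `AuditLog` is the resource, a `ReadOnlyFacet` attenuates it to read authority, and a `Caretaker` wraps that facet so the grantor can later revoke it. Authority is nothing but the reference the recipient holds; there is no ambient identity check anywhere. All names are constructed for the illustration.

```python
"""Object-capability patterns: attenuation (read-only facet) and revocation
(caretaker forwarder). Added example with constructed names, not project code."""


class Revoked(Exception):
    """Raised when a facet is used after its caretaker has revoked it."""


class AuditLog:
    """The resource. Holding a reference to it *is* the authority to use it."""

    def __init__(self):
        self._entries = []

    def append(self, line: str) -> None:
        self._entries.append(line)

    def read(self) -> list:
        return list(self._entries)


class ReadOnlyFacet:
    """Attenuation: exposes read authority only; append is simply absent."""

    def __init__(self, log: AuditLog):
        self._log = log

    def read(self) -> list:
        return self._log.read()


class RevocableFacet:
    """Forwarder handed to the recipient; it never sees the target directly."""

    def __init__(self, caretaker: "Caretaker"):
        self._ct = caretaker

    def __getattr__(self, name):
        # Only called for names not set on the instance (so not for _ct).
        target = self._ct._target
        if target is None:
            raise Revoked(name)
        return getattr(target, name)


class Caretaker:
    """Grantor-side handle: mints forwarders and can cut them all off at once."""

    def __init__(self, target):
        self._target = target

    def make_facet(self) -> RevocableFacet:
        return RevocableFacet(self)

    def revoke(self) -> None:
        self._target = None


def scenario() -> dict:
    """Alice shares a revocable, read-only view of her log with Bob, then revokes it."""
    log = AuditLog()                                 # Alice's full-authority reference
    log.append("boot")
    caretaker = Caretaker(ReadOnlyFacet(log))        # attenuate, then make revocable
    bob_ref = caretaker.make_facet()                 # the only thing Bob ever receives
    result = {
        "before": bob_ref.read(),                    # works while the grant stands
        "can_append": hasattr(bob_ref, "append"),    # attenuation: no such authority
    }
    caretaker.revoke()                               # Alice withdraws the grant
    try:
        bob_ref.read()
        result["after_revoke"] = "still works"
    except Revoked:
        result["after_revoke"] = "revoked"
    result["owner_still_works"] = log.read() == ["boot"]  # Alice is unaffected
    return result


if __name__ == "__main__":
    print(scenario())
```

Note what is not in the code: no user names, no lookup of who is calling, no global policy table. Bob's authority is exactly the facet he was handed, it can be narrowed before it is handed over, and it can be withdrawn afterwards without touching the resource or anyone else's reference to it.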

various elevator heights

since z-bo was talking about a gestalt, and how to tell mundanes what "security" *is*, i was trying to think about it myself, like how one would tell grandma what computer security is about.

i mean, the most lame generic general thing is: it is about making sure the systems do not do something you don't want them to do. (which implies they can do things you do.)

then a returned question could be: ok, sure, that's i guess security in general, why is that a hard thing?

answer: it is hard in general even before we had computers, and now computers don't actually overall do more to simplify the issues; if anything because of how they are developed and used, they make it even more confusing and difficult.

(dunno where this is going, just going OT along a train of thought, sorry.)

Layman general security description

A lot of my friends who I used to attend private security group meetings with before moving to Boston are pretty good at distilling this stuff, but for a general explanation of computer security, I like

Security in a nutshell

and slightly less direct and not aimed at laymen exactly, but a short intro for average software engineers who need a clue in the right direction:

Computer Security: The Very Idea

What's your real goal? To

What's your real goal?

To inhale information in a mostly random fashion

I think David's point is your question is somewhat similar to asking "what should I read to overview models of people?" and really meaning "what can I read to understand (chemical|neural|social| psychological|...) models of people." E.g., the security models relevant to nuclear strikes, election fraud, ad/click fraud, and stack-smashing seem pretty different.

Thus, for example, you might be interested in models relevant to network attackers. Going more general is like suggesting categorical literature for those interested in general programming language models: sometimes relevant (... or so I told myself as I read one of them yesterday), but not up there in the LtU suggested reading.

Why not treat it as any other literature search? I'm *guessing* you'd be well-served by correlating reading lists from courses... such as David's ;-) I was lucky to sit on the following ( Perhaps worth keeping in mind that each course will likely be slanted by the professor's interests, e.g., a systems, networks, management, languages, etc.