HUMAN/COMPUTER INTERFACE SECURITY ISSUES
To build secure applications in an open systems environment, one
must consider general security issues related to the
human/computer interface.  This bulletin discusses some of these
issues including the identification of users, platforms, and
hardware security.

IDENTIFYING USERS
Generally, a user's first activity when starting a session with
a secured computer system is identifying himself/herself to the
system.  The most common ways to identify and authenticate users
are by the use of physical keys, account names and passwords, and
biometric checks.

Physical Keys
A physical key is an object whose characteristics are somehow
secret, and which is usually somewhat difficult to reproduce.
It could be:

  -  a piece of machined metal that unlocks the computer;

  -  a hardware device that attaches to an I/O channel (e.g., a
     serial line with an RS-232 connector), which can be
     interrogated by the system, and which must be present to
     execute certain programs; or

  -  a smart card, which is a credit-card-sized circuit board
     which contains some form of non-volatile memory, and may
     even have a CPU.

The risks of physical keys are familiar and obvious:

  -  keys can be forgotten, broken, lost, borrowed or lent;

  -  keys can be stolen or copied (by a determined user);

  -  keys and compromised locks can be expensive to replace;

  -  it can be difficult or impossible to automatically or
     remotely revise authorizations associated with a particular
     physical key; and

  -  physical keys must be physically managed, i.e., stored,
     logged, kept secure, etc.

Often a physical key is used with a password or biometric check.

Passwords
A password is a sequence of characters which is a shared secret
between the user and the system.  Passwords are usually stored on
the system in a user-inaccessible location or are stored in
an encrypted form.  Passwords present a variety of risks:

  -  passwords can be guessed, shared, written down, or
     forgotten;

  -  passwords can be stolen by observation;

  -  passwords tend not to be changed very often, and if they
     are, are more readily forgotten;

  -  passwords in plaintext are passed over the network or are
     stored in publicly readable locations on the system;

  -  encrypted passwords are often publicly readable, making them
     susceptible to cryptographic analysis; and

  -  short passwords can be found via brute-force methods.

These risks led system architects to search for other
identification methods, including biometric checks.
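Several of the password risks listed above (plaintext storage, world-readable encrypted records, short passwords) are addressed by how the system derives and stores the secret rather than by the user. The following is an added example, not code from the bulletin or from SP 800-7: a Python model of a password store that keeps only a salted, iterated PBKDF2 derivation, rejects short passwords, writes the records to a file readable only by its owner, and verifies a candidate with a constant-time comparison. The policy numbers, the record layout, the user name and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Policy values chosen for this example (assumptions, not from the bulletin).
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def meets_length_policy(password: str) -> bool:
    """Reject short passwords: those are the ones a brute-force search finds."""
    return len(password) >= MIN_PASSWORD_LENGTH


def make_record(password: str) -> str:
    """Derive the value that is stored instead of the plaintext password.

    A fresh random salt per user means two users with the same password get
    different records and a precomputed table of digests is useless; the
    iteration count makes every guess against a leaked record expensive.
    Record layout (this example's own): scheme$iterations$salt_hex$hash_hex
    """
    if not meets_length_policy(password):
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, hash_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


def write_store(path: str, records: dict) -> None:
    """Write user:record lines to a file only its owner can read (mode 0600).

    This is the 'user-inaccessible location' the bulletin refers to: the
    records are both hashed and not world-readable, so they cannot simply
    be copied off for offline analysis.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also correct the mode if the file already existed
    with os.fdopen(fd, "w") as f:
        for user, rec in records.items():
            f.write(f"{user}:{rec}\n")


def read_store(path: str) -> dict:
    """Parse the store back into {user: record}."""
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f if line.strip())


def demo_store() -> dict:
    """Round-trip a constructed user through a temporary store and report the results."""
    password = "correct horse battery staple"  # constructed sample password
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")
        write_store(path, {"alice": make_record(password)})
        store = read_store(path)
        return {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "good": verify(password, store["alice"]),
            "bad": verify("correct horse battery stapler", store["alice"]),
        }


if __name__ == "__main__":
    print(demo_store())  # {'mode': 384, 'good': True, 'bad': False}  (384 == 0o600)
```

Note that the record still has to be protected even though it is a one-way derivation: a readable record is exactly the "publicly readable encrypted password" case the bulletin warns about, and the iteration count only slows an offline search, it does not prevent one.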

Biometric Checks
A relatively new method of identification for computer systems
is the biometric check.  It consists of comparing some readily
accessible and reliably unique physical characteristic of a human
user against the system's stored values for that characteristic.
Some commonly used biometrics are hand proportions, facial
images, retinal images, fingerprints, and voice prints.

The advantages of biometrics are that they cannot be lent
like a physical key or forgotten like a password.  However,
biometric checks have some obvious drawbacks:

  -  all the biometric sensors are relatively expensive, in both
     monetary and computing terms;

  -  measuring hands requires that the appropriate hand be free,
     ungloved, and that the user has a measurable hand;

  -  a facial image scan requires that the user's appearance not
     change drastically;

  -  a retinal image scan requires that the user has a measurable
     retina, that eyeglasses or a contact lens not interfere, and
     that the user is willing to allow the scanner's laser to
     scan their eye;

  -  fingerprint analysis has the same drawbacks as the hand
     proportion metrics;

  -  voice print analysis is affected by noise and throat
     problems, and requires that the user have a measurable
     voice.

PLATFORMS
Each category of hardware/software platform has its own strengths
and weaknesses with regard to its human/computer interface and
security.

Personal Computers
As organizations begin to install open systems operating systems
and programs on their personal computers, the limitations of
those platforms must be recognized and handled appropriately.
Traditionally, most personal computers were designed to be
single-user, single-tasking systems.  As a result, many of the
safeguards one usually associates with multi-user, multi-tasking
systems are reduced or absent.  Currently, some personal computer
operating systems support a limited form of task-switching or
cooperative multi-tasking.  In general:

  -  Although some personal computers have keyed locks, the keys
     are not necessarily unique, so one size fits all;

  -  Password protection of the machine is absent or not enabled;

  -  There is no built-in support for sharing a single machine
     between multiple users; and

  -  Every program has unlimited access to all the hardware, and
     by extension, all the software.  As a result:

        -  Any program can modify the hardware and software
           interrupts and timers.

        -  Any program can read or write any area of memory.

        -  There is little or no protection against the
           inadvertent or intentional modification or
           deletion of files.

Fortunately, most open systems operating systems provide the
needed safeguards.

Workstations
Multi-user, multi-tasking workstations generally have operating
system architectures that address the weaknesses associated with
personal computers.  Most workstation operating systems support
passwords, provide an insulating and protective layer of software
between the user program and the hardware, and provide memory
isolation between user program processes and the operating
system.

However, other weaknesses exist that usually are not addressed.
Some of the relevant UNIX-derived operating system weaknesses
are:

  -  Programs do not run in a "least resource" environment.
     Any application can potentially monopolize all the resources
     of a system;

  -  Programs do not run in a "least privilege" environment.
     That is, although a user may expect an application to affect
     only the files the user specified, a program can actually
     manipulate any resource the user can manipulate;

  -  Tty's and pseudo-tty's are not handled in a secure manner. 
     A program can open a terminal and wait for another program
     to open the same terminal;

  -  Programs share the same directories to create temporary
     files, which means a program can modify or delete the work
     files of other programs;

  -  Programs are built with shared libraries containing
     references to relative rather than absolute pathnames;

  -  Programs that access a file without checking if it is a
     symbolic link can be tricked into accessing a substitute
     file;

  -  Setuid programs (i.e., those programs capable of running
     with a user ID other than the one which is the owner of the
     executable file and/or capable of changing user IDs while
     running) are inherently unsafe; and

  -  Network conveniences like hosts.equiv and NFS have many
     bugs, security holes, and potential management pitfalls. 

Most of these problems are addressed by the Compartmented Mode
Workstation requirements, but are usually not addressed by the
normal, commercial workstation platforms.
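Two of the weaknesses listed above, shared temporary directories and unchecked symbolic links, can be guarded against in ordinary application code on a UNIX-derived system. The following is an added example, not from the bulletin or from SP 800-7: Python functions that open a file only when it is a regular file reached without following a symbolic link, and that create a private work file in a shared directory. It assumes the platform provides O_NOFOLLOW and reports a refused link as ELOOP (EMLINK on some BSDs); the function names and the scratch-directory scenario are the example's own.

```python
import errno
import os
import stat
import tempfile


def open_regular_nofollow(path: str, flags: int = os.O_RDONLY) -> int:
    """Open path only if its last component is not a symbolic link and the
    object behind it is a regular file; return the descriptor.

    Passing O_NOFOLLOW to open() makes the kernel perform the link check
    and the open in one step, so there is no window in which a separate
    lstat() result could be invalidated by someone swapping in a link.
    fstat() on the resulting descriptor then screens out directories,
    devices and FIFOs, which a path-based check could also be tricked by.
    """
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # assumption: present on Linux/BSD/macOS
    fd = os.open(path, flags | nofollow | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
    except BaseException:
        os.close(fd)
        raise
    return fd


def classify_open(path: str) -> str:
    """Attempt the guarded open and describe the outcome as a short string."""
    link_errnos = {errno.ELOOP, getattr(errno, "EMLINK", -1)}
    try:
        fd = open_regular_nofollow(path)
    except OSError as e:
        if e.errno in link_errnos:
            return "refused-symlink"
        if e.errno == errno.EINVAL:
            return "refused-not-regular"
        return f"error-{e.errno}"
    os.close(fd)
    return "opened"


def create_private_tempfile(directory=None) -> str:
    """Create a work file that another program cannot pre-plant or share.

    mkstemp() chooses an unpredictable name and creates the file with
    O_CREAT|O_EXCL and mode 0600, so a file or link left in the shared
    directory under a guessable name is never opened by mistake and other
    users cannot read or modify the work file.
    """
    fd, path = tempfile.mkstemp(prefix="work-", dir=directory)
    os.close(fd)
    return path


def demo() -> dict:
    """Constructed scenario inside a scratch directory: a regular file, a
    symbolic link to it, a subdirectory and a private temporary file."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "data.txt")
        with open(regular, "w") as f:
            f.write("hello\n")
        link = os.path.join(d, "link")
        os.symlink(regular, link)
        sub = os.path.join(d, "sub")
        os.mkdir(sub)
        work = create_private_tempfile(d)
        return {
            "regular": classify_open(regular),
            "symlink": classify_open(link),
            "directory": classify_open(sub),
            "tempfile": classify_open(work),
            "tempfile_mode": stat.S_IMODE(os.stat(work).st_mode),
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that the check and the use happen on the same descriptor: a program that first tests a path with lstat() and then opens it by name has exactly the gap the bulletin describes, since the name can be redirected between the two calls. Once a temporary file has been created, the program should keep working through the descriptor rather than reopening the file by its name for the same reason.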

Servers
For the purposes of this discussion, a server is a multi-user,
multi-tasking computer system that is intended to provide
simultaneous service to multiple users.  It often runs what are
considered mission-critical applications.  Nowadays, workstations
and servers often run the same operating system, so all the
shortcomings of the workstation operating systems are shared by
the server.  In addition, servers are most often accessed via a
network, rather than multiple serial connections, so they are
more sensitive to the risks of networking.

HARDWARE SECURITY
All software security depends on hardware security.  If the
hardware can be stolen or surreptitiously replaced, secure
software will not help.  When computers filled a room, stolen
computers were not a big problem.  Now that laptop and palmtop
computers are the fastest growing market, physical security is at
least as important as software security.  Some of the most common
problems are:

  -  equipment and removable media are stolen or replaced;

  -  security can be circumvented by changing hardware setup
     parameters;

  -  systems can be booted by unauthorized users;

  -  systems can be booted from unauthorized software;

  -  boot media can be rewritten by unauthorized software; and

  -  unauthorized software can be executed from removable media.

Some of the safeguards which can be taken are:

  -  locked doors and secured equipment;

  -  lockable cases, keyboards, and removable media drives;

  -  key or password-protected configuration and setup;

  -  password required to boot;

  -  password required to mount removable media;

  -  read-only boot media; and

  -  storing removable media in secured areas.

Last, but not least, users need training in the correct use of
the system.  Untrained users can intentionally or unintentionally
subvert security policies through lack of training.

This bulletin summarizes a chapter in NIST Special Publication
800-7, Security in Open Systems.  The document is available for
sale by the National Technical Information Service (NTIS) at
(703) 487-4650; order number PB95-105383, price $36.50.  It is
also available electronically, in HTML format, on our Computer
Security Resource Clearinghouse (CSRC) at:  http://csrc.nist.gov  
Click on Publications, then click on Special Publications.