Computing Reviews
Integrating security in a large distributed system
Satyanarayanan M. ACM Transactions on Computer Systems 7(3): 247-280, 1989. Type: Article
Date Reviewed: May 1 1990

Andrew is a distributed computer system at Carnegie-Mellon University. It currently consists of a network, 15 servers (collectively called Vice), 400 UNIX workstations (Virtues), and about 1200 users. It will ultimately grow to somewhere between 5000 and 10,000 workstations.

The main security considerations are secrecy and integrity. Denial of service is not fully addressed, but Section 8 of the paper discusses Andrew’s protection against the overconsumption of network bandwidth, disk storage, and CPU cycles. Compared to the TCSEC [1], Andrew is a C1 system that comes close to C2, except that it only partially satisfies the C2 auditing requirement.

Satyanarayanan starts by describing a set of assertions that must be true (although they are not all true yet) for Andrew’s security to be effective. These assertions are mainly concerned with limiting access to the servers and workstations to trusted personnel and using encryption to protect the privacy and integrity of network communications. The paper goes on to describe the various system mechanisms used to implement Andrew’s security policy. The secure remote procedure call mechanism is described along with the distributed authentication service. File protection in Vice is based around access lists. Andrew uses both positive and negative access rights. Access rights are applied at the directory level so that all files in the same directory have the same protection.
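As an added illustration (not code from the paper or from this review), a small Python model of the directory-level access lists described above: positive and negative entries, with every file inheriting the rights of its directory. The seven right names and the rule that negative entries override positive ones follow later AFS convention and are assumptions, not statements from this page; the sample tree is constructed.

```python
# Added model of Vice/AFS-style directory ACLs. Assumptions (not from the page):
# right names r,l,i,d,w,k,a as in AFS, and negative entries override positive ones.
from __future__ import annotations
from dataclasses import dataclass, field

RIGHTS = set("rlidwka")  # read, lookup, insert, delete, write, lock, administer
ANYUSER = "system:anyuser"  # catch-all principal, assumed AFS convention


@dataclass
class DirACL:
    positive: dict[str, set[str]] = field(default_factory=dict)  # principal -> rights
    negative: dict[str, set[str]] = field(default_factory=dict)


def effective_rights(acl: DirACL, user: str, groups: set[str]) -> set[str]:
    """Union of positive rights for the user, their groups and anyuser,
    minus the union of negative rights for the same principals."""
    principals = {user, ANYUSER, *groups}
    granted = set().union(*(acl.positive.get(p, set()) for p in principals))
    denied = set().union(*(acl.negative.get(p, set()) for p in principals))
    return granted - denied


def check(tree: dict[str, DirACL], path: str, user: str, groups: set[str], right: str) -> bool:
    """Authorise `right` on a file by consulting its parent directory's ACL;
    the file itself carries no ACL, so siblings share one protection."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    directory = path.rsplit("/", 1)[0] or "/"
    acl = tree.get(directory)
    if acl is None:
        return False  # unknown directory: deny by default
    return right in effective_rights(acl, user, groups)


# Constructed sample: the team may read/lookup/write, anyone may lookup,
# and one team member has been given a negative write entry.
SAMPLE_TREE = {
    "/afs/cmu/proj": DirACL(
        positive={"proj-team": set("rlw"), ANYUSER: set("l")},
        negative={"mallory": set("w")},
    ),
}
```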

Turning to the workstations, the paper discusses how their UNIX security interacts with that of Vice and also how the Vice security is made available to Virtue users. Encryption for authentication and secure communications is based on DES. To get adequate speeds, the developers need a hardware implementation, and the current status of their work to develop such hardware is discussed in Section 9. Section 11 discusses the need for this hardware in order to make it practical to use diskless workstations (which require encrypted paging over the network).

PCs access the system via a server whose function is to interface PCs to Vice by acting as a surrogate, so normal file security applies. The main vulnerability is the link between PC and server, which is in the clear, but that could easily be solved.

Finally, the author presents a summary of the risks involved, a review of related work, and a review of changes made to Andrew since the system was described in this paper.

This interesting paper is well worth reading. Not only does it describe mechanisms but it looks at the implications of adopting them.

Reviewer: Pete Trueman. Review #: CR113826
1) National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria. DoD 5200.28-STD, December 1985.
Security and Protection (D.4.6)
ANDREW (C.0 ...)
Data Encryption Standard (DES) (E.3 ...)
Distributed File Systems (D.4.3 ...)
Distributed Systems (C.2.4)