
Chapter 1: Introduction

Fall 2021
Cp 633
Slide #1-*
Secure computing – cps 633
Fall 2020
Instructor: Dr.

It is easy …
It is easy to run a secure computer system …
you merely have to
disconnect all dial-up connections,
permit only direct-wired terminals,
put the machine and its terminals in a shielded room, and
post guards at the door
(Unix gospel)

Introduction
Components of computer security: confidentiality, integrity and availability
Threats – we have to identify them and define requirements for ensuring a secure system.
Policies and mechanisms (mechanism enforces the policy)
The role of trust (what are the assumptions?)
Assurance – how much do we trust the security system?
Operational Issues
Human Issues – people are the weakest link in the security mechanism of any system.

Basic Components
Confidentiality – concealment of the information or resources
Originally motivated by the need-to-know principle.
Keeping data and resources hidden; access control mechanisms such as cryptography support this.
Applies to the existence of data or infrastructure, not only its content.
Sites often wish to conceal their configuration as well as what systems they are using (firewalls… ).
Integrity – trustworthiness of data or resources
Two major components of integrity:
Data integrity (the content of the information)
Origin integrity (the source of the data – authentication)

Confidentiality: a good example is cryptography, which traditionally is used to protect secret messages. But cryptography is traditionally used to protect data, not resources. Resources are protected by limiting information, for example by using firewalls or address translation mechanisms.

Integrity: a good example here is that of an interrupted database transaction, leaving the database in an inconsistent state (this foreshadows the Clark-Wilson model). Trustworthiness of both data and origin affects integrity, as noted in the book’s example. That integrity is tied to trustworthiness makes it much harder to quantify than confidentiality. Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed).

Availability: this is usually defined in terms of “quality of service,” in which authorized users are expected to receive a specific level of service (stated in terms of a metric). Denial of service attacks are attempts to block availability.

Basic Components
Integrity mechanisms – prevention and detection
Prevention – block unauthorized attempts to change the data, and attempts by authorized users to change data in unauthorized ways (an intruder vs. an employee acting improperly).
Detection – Cryptography provides mechanisms for detecting violations of integrity, but not preventing them (e.g., a digital signature can be used to determine if data has changed).
Integrity is harder to quantify than confidentiality. With confidentiality data is either compromised or not, but integrity includes both correctness and trustworthiness of the data.
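The contrast between the two integrity mechanisms above, as an added example that is not part of the course slides: a toy record store where an access-control check provides prevention and an HMAC-SHA256 tag checked on read provides detection (the MAC stands in for the digital signature mentioned on the slide). The principal names, record names and key are constructed for the example.

```python
# Added example, not from the course slides. Prevention = an access check that
# blocks unauthorized writers; detection = an HMAC-SHA256 tag checked on read
# (standing in for the slide's digital signature). Names and data are constructed.
import hashlib
import hmac


class IntegrityError(Exception):
    """The stored data no longer matches its tag."""


class RecordStore:
    def __init__(self, key, writers):
        self._key = key
        self._writers = writers   # prevention: the set of principals allowed to write
        self._records = {}        # name -> (data, tag)

    def _tag(self, name, data):
        # Bind the tag to the record name too, so a valid pair cannot be moved between records.
        return hmac.new(self._key, name.encode() + b"\0" + data, hashlib.sha256).digest()

    def write(self, who, name, data):
        """Prevention: unauthorized attempts are rejected before anything changes."""
        if who not in self._writers:
            raise PermissionError(f"{who} may not write {name}")
        self._records[name] = (data, self._tag(name, data))

    def read(self, name):
        """Detection: a tag mismatch shows the data changed, but only after the fact."""
        data, tag = self._records[name]
        if not hmac.compare_digest(tag, self._tag(name, data)):
            raise IntegrityError(f"{name} was modified after it was written")
        return data

    def overwrite_storage(self, name, data):
        # Simulates an intruder who edits the stored bytes directly, bypassing write().
        self._records[name] = (data, self._records[name][1])


def run_scenarios():
    """Run three changes and record which mechanism, if any, caught each."""
    store = RecordStore(key=b"constructed-demo-key", writers={"clerk"})
    store.write("clerk", "salary/alice", b"5200")
    results = {}
    # 1. Intruder uses the normal interface: the access check prevents the change.
    try:
        store.write("intruder", "salary/alice", b"9999")
        results["intruder_via_api"] = "changed"
    except PermissionError:
        results["intruder_via_api"] = "prevented"
    # 2. Intruder bypasses the interface: nothing prevents the change, but the
    #    tag detects it on the next read.
    store.overwrite_storage("salary/alice", b"9999")
    try:
        store.read("salary/alice")
        results["intruder_on_disk"] = "unnoticed"
    except IntegrityError:
        results["intruder_on_disk"] = "detected"
    # 3. An authorized clerk stores a wrong value: neither mechanism objects, which
    #    is why integrity also involves correctness and trustworthiness.
    store.write("clerk", "salary/alice", b"0")
    results["clerk_wrong_value"] = store.read("salary/alice")
    return results
```

The third scenario is the point of the last slide line: once an authorized user stores a wrong value, neither prevention nor detection helps, so integrity cannot be reduced to "compromised or not".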


Basic Components
Availability – Enabling access to data and resources
Denial of service attack – it is hard to tell whether unusual traffic patterns result from deliberate manipulation of resources or from ordinary heavy use.

Classes of Threats
A threat is a potential violation of security.
Disclosure
Snooping : an example is passive wiretapping, where the attacker monitors communications.
Deception
Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication – e.g. man in the middle attack.
Spoofing : impersonation of one entity by another; spoofing is often used to achieve usurpation.
E.g. logging in to a spoofed computer, reading a spoofed file…

Modification: an example is active wiretapping, where the attacker injects something into a communication or modifies parts of the communication. Modification is sometimes called alteration.
Spoofing: delegation is basically authorized spoofing. The difference is that the one to whom authority is delegated does not impersonate the delegator; she simply asserts authority to act as an agent for the delegator.
Delay:
Denial of service: this may not be due to an attack, but due to limits of resources. However, the effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional (an attack) or unintentional (not an attack).

Classes of Threats
Repudiation of origin – a false denial that an entity sent or created something. E.g. ordering something by letter, receiving the product, and then denying having ordered it.
Denial of receipt – a false denial that an entity has received some message. E.g. ordering a product, paying for it, receiving it, and then denying having received it. Counter it with integrity and availability mechanisms.
Disruption – interruption or prevention of normal operation
Usurpation – unauthorized control of some part of the system
Denial of service: this may not be due to an attack, but due to limits of resources. The effect here is critical. If you define security in terms of what users need to access, the inability to access is a security problem regardless of whether the reason is intentional or unintentional.

Policies and Mechanisms
Policy says what is, and what is not, allowed
E.g. a university policy prohibits copying files from other users. Ana fails to protect her files and Bill copies them. Bill has violated the security policy!
Policy: may be expressed in
natural language, which is usually imprecise but easy to understand;
mathematics, which is usually precise but hard to understand;
policy languages, which look like some form of programming language and try to balance precision with ease of understanding


Mechanisms: may be
technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer
procedural, in which controls outside the system enforce the policy; for example, firing someone for bringing in a disk containing a game program obtained from an untrusted source

The composition problem requires checking for inconsistencies among policies. If, for example, one policy allows students and faculty access to all data, and the other allows only faculty access to all the data, then they must be resolved (e.g., partition the data so that students and faculty can access some data, and only faculty access the other data).

Policies and Mechanisms
A security mechanism is a method, tool or procedure for enforcing a policy.
Mechanisms may be:
technical, in which controls in the computer enforce the policy; e.g. the requirement that a user supply a password to authenticate herself before using the computer
procedural, in which controls outside the system enforce the policy; e.g. firing someone for bringing in a USB key containing a game program obtained from an untrusted source.
Composition of policies when multiple sites cooperate
If policies conflict, the discrepancies may create security vulnerabilities, e.g. when a university collaborates with a company.

Goals of Security
Prevention
Prevent attackers from violating security policy. Prevention is ideal, because then there are no successful attacks.
However, it is cumbersome and hinders normal use of the system.
Detection – occurs after someone violates the policy. The mechanism determines that a violation of the policy has occurred (or is underway), and reports it. The system (or system security officer) must then respond appropriately.
Recovery – there are two approaches:
Stop attack, shut down the system, assess and repair damage
Continue to function correctly even if attack succeeds


Goals of Security – recovery
Recovery means that the system continues to function correctly, possibly after a period during which it fails to function correctly.
If the system functions correctly always, but possibly with degraded services, it is said to be intrusion tolerant.
This is very difficult to do correctly:
usually, recovery means that the attack is stopped, the system fixed (which may involve shutting down the system for some time, or making it unavailable to all users except the system security officers), and then the system resumes correct operations.

Trust and Assumptions
Trust and assumptions underlie all aspects of security: all security policies and mechanisms rest on assumptions.
Example: opening a door lock requires a key. The assumption is that the lock is secure against lock picking. But in an environment with an untrustworthy lock-picker, the assumption is wrong.
Policies consist of the set of axioms that policy makers believe can be enforced.
Unambiguously partition system states into secure and non-secure
Security mechanisms must prevent system from entering non-secure states
Correctly capture security requirements

All security policies and mechanisms rest on assumptions; we’ll examine some in later chapters, most notably Chapter 22, Malicious Logic. Here is a taste of the assumptions.
Policies: as these define security, they have to define security correctly for the particular site. For example, a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site. Also, a policy may not specify whether a particular state is “secure” or “non-secure.” This ambiguity causes problems.
Mechanisms: as these enforce policy, they must be appropriate. For example, cryptography does not assure availability, so using cryptography in the above situation won’t work. Further, security mechanisms rely on supporting infrastructure, such as compilers, libraries, the hardware, and networks to work correctly. ’s modified C preprocessor (see the example on p. 615) illustrates this point very well.

Trust and Assumptions
Policies have to define security correctly for the particular site.
E.g. a web site has to be available, but if the security policy does not mention availability, the definition of security is inappropriate for the site. Also, a policy may not specify whether a particular state is “secure” or “non-secure.” This ambiguity causes problems.
Bank example: the policy allows officers to shift money among accounts.
If a bank officer moves somebody else’s money into his or her own account, is the policy violated?

Trust and Assumptions
Security mechanisms must fulfil these conditions:
Each mechanism is designed to implement one or more parts of the policy
The union of the mechanisms implements all aspects of the security policy.
Supporting mechanisms must be implemented, installed and administered correctly.
However, cryptography does not assure availability, so using cryptography when availability is a problem won’t work.
Further, security mechanisms rely on supporting infrastructure, such as compilers, libraries, the hardware, and networks to work correctly.


Types of Mechanisms
[Figure: three diagrams labelled secure, precise and broad, each showing the set of reachable states against the set of secure states]
A reachable state is one that the computer can enter. A secure state is a state defined as allowed by the security policy.
The left figure shows a secure system: all reachable states are in the set of secure states. The system can never enter (reach) a non-secure state, but there are secure states that the system cannot reach.
The middle figure shows a precise system: all reachable states are secure, and all secure states are reachable. Only the non-secure states are unreachable.
The right figure shows a broad system. Some non-secure states are reachable. This system is also not secure.
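The three classifications above, as an added example that is not part of the course slides: a tiny access-control system whose states are sets of (subject, object, right) triples, a breadth-first search that computes the states each mechanism lets the system reach, and a classifier that compares that set with the set of secure states. The subjects, objects, initial state and policy are constructed for the example.

```python
# Added example, not from the course slides: classify a mechanism as secure,
# precise or broad by computing the states it lets the system reach. A state is
# a set of (subject, object, right) triples; the one command toggles a triple
# (grant if absent, revoke if present). Subjects, objects and policy are constructed.
from collections import deque
from itertools import combinations

SUBJECTS = ("alice", "bob")
OBJECTS = ("payroll", "memo")
RIGHTS = ("read", "write")
TRIPLES = [(s, o, r) for s in SUBJECTS for o in OBJECTS for r in RIGHTS]
INITIAL = frozenset({("alice", "payroll", "read"),
                     ("alice", "payroll", "write"),
                     ("alice", "memo", "read")})

def is_secure(state):
    """Policy: bob must never hold any right on payroll."""
    return not any(s == "bob" and o == "payroll" for s, o, _ in state)

def all_states():
    """The whole state space: every subset of TRIPLES (2**8 = 256 states)."""
    for n in range(len(TRIPLES) + 1):
        for combo in combinations(TRIPLES, n):
            yield frozenset(combo)

def reachable(initial, permits):
    """Breadth-first search over the states the mechanism lets the system enter."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        for triple in TRIPLES:
            nxt = state ^ {triple}   # grant if absent, revoke if present
            if permits(state, nxt) and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def classify(permits, initial=INITIAL):
    reach = reachable(initial, permits)
    secure = {s for s in all_states() if is_secure(s)}
    if reach == secure:
        return "precise"   # every reachable state is secure and every secure state is reachable
    if reach <= secure:
        return "secure"    # never reaches a non-secure state, but some secure states are unreachable
    return "broad"         # some reachable state is non-secure

# Candidate mechanisms: predicates on (current state, proposed next state).
def no_rights_for_bob(state, nxt):
    """Over-restrictive: blocks any change to bob's rights, even on memo."""
    return all(s != "bob" for s, _, _ in state ^ nxt)

def policy_check(state, nxt):
    """Permits a transition exactly when the resulting state satisfies the policy."""
    return is_secure(nxt)

def no_check(state, nxt):
    """No enforcement at all."""
    return True

if __name__ == "__main__":
    for mech in (no_rights_for_bob, policy_check, no_check):
        print(f"{mech.__name__:18s} -> {classify(mech)}")
```

With this policy there are 64 secure states; the over-restrictive mechanism reaches only 16 of them (secure but not precise), the policy check reaches exactly the 64 (precise), and the absent check reaches all 256 (broad).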

Assurance (trust cannot be quantified precisely)
Assurance is a measure of how well the system meets its requirements;
more informally, how much you can trust the system to do what it is supposed to do.
Example – for a drug such as aspirin, trust is built by:
testing and certification by the Food and Drug Administration (FDA)
the manufacturer’s production standards and precautions against contamination of the drug
the safety seal on the bottle
Assurance for the computer world is similar.

Assurance is a measure of how well the system meets its requirements; more informally, how much you can trust the system to do what it is supposed to do. It does not say what the system is to do; rather, it only covers how well the system does it.
Specifications arise from requirements analysis, in which the goals of the system are determined. The specification says what the system must do to meet those requirements. It is a statement of functionality, not assurance, and can be very formal (mathematical) or informal (natural language). The specification can be high-level or low-level (for example, describing what the system as a whole is to do vs. what specific modules of code are to do).
The design architects the system to satisfy, or meet, the specifications. Typically, the design is layered by breaking the system into abstractions, and then refining the abstractions as you work your way down to the hardware. An analyst also must show the design matches the specification.
The implementation is the actual coding of the modules and software components. These must be correct (perform as specified), and their aggregation must satisfy the design.
Note the assumptions of correct compilers, hardware, etc.

Assurance
A system is said to satisfy a specification if the specification correctly describes how the system functions
Specifications – statements of correct functioning of the system
Arise from requirements analysis – the goals of the system are determined
Statement of desired functionality
Design – translates specifications into components that will implement them

Assurance
Implementation
Programs/systems that carry out design

Operational Issues
Security does not end when the system is completed. Its operation affects security. A “secure” system can be breached by improper operation (for example, when accounts with no passwords are created). The question is how to assess the effect of operational issues on security.
Cost-Benefit Analysis – is it cheaper to prevent or to recover? This weighs the cost of protecting data and resources against the costs associated with losing the data.
Among the considerations are: the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized); the non-technical aspects of the mechanism (will it be impossible to enforce?); and ease of use.

Cost-Benefit Analysis: this weighs the cost of protecting data and resources with the costs associated with losing the data. Among the considerations are the overlap of mechanisms’ effects (one mechanism may protect multiple services, so its cost is amortized), the non-technical aspects of the mechanism (will it be impossible to enforce), and the ease of use (if a mechanism is too cumbersome, it may cost more to retrofit a decent user interface than the benefits would warrant).
Risk Analysis: what happens if the data and resources are compromised? This tells you what you need to protect and to what level. Cost-benefit analyses help determine the risk here, but there may be other metrics involved (such as customs).
Laws and Customs: these constrain what you can do. Encryption used to be the biggie here, as the text indicates. How much that has changed is anybody’s guess. Customs involve non-legislated things, like the use of urine specimens to determine identity. That is legal, at least in the US in some cases; but it would never be widely accepted as an alternative to a password.

Operational Issues
Risk Analysis – what happens if the data and resources are compromised?
What is the probability that an attack will happen? Risk is a function of the environment!
What is the financial loss due to attack?
Should we protect something?
How much should we protect this thing?
Laws and Customs
Are desired security measures illegal? Legal issues with export of cryptography.
Will people accept them? E.g. the use of DNA samples for authentication.

Human Issues
Organizational Problems
Power and responsibility, financial benefits
The key here is that those responsible for security have the power to enforce security.
Otherwise there is confusion, and the architects need not worry if the system is secure because they won’t be blamed if someone gets in.
This arises when system administrators, for example, are responsible for security, but only security officers can make the rules.
Preventing this problem (power without responsibility, or vice versa) is tricky and requires capable management.
What’s worse is that security is not a direct financial incentive for most companies because it doesn’t bring in revenue. It merely prevents the loss of revenue obtained from other sources.

People problems are by far the main source of security problems. Outsiders are attackers from without the organization; insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. It is speculated that insiders account for 80-90% of all security problems, but the studies generally do not disclose their methodology in detail, so it is hard to know how accurate they are. (Worse, there are many slightly different definitions of the term “insider,” causing the studies to measure slightly different things!) Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).

Human issues
People problems
Outsiders and insiders
Social engineering, or lying, is quite effective, especially if the people gulled are inexperienced in security (possibly because they are new, or because they are tired).
People problems are by far the main source of security problems.
Outsiders are attackers outside of the organization;
Insiders are people who have authorized access to the system and, possibly, are authorized to access data and resources, but use the data or resources in unauthorized ways. Insiders account for 80-90% of all security problems.

Tying Together
Threats and requirement analysis
Policy
Specification
Design
Implementation
Operation

The point to this slide is that each step feeds into the earlier steps. In theory, each of these should only affect the one before it, and the one after it. In practice, each affects all the ones that come before it.
Feedback from operation and maintenance is critical, and often overlooked. It allows one to validate the threats and the legitimacy of the policy.

Key Points
Policy defines security, and mechanisms enforce security
Confidentiality
Integrity
Availability
Trust and knowing assumptions
Importance of assurance
The human factor
