Notes A brief introduction to information security Part II Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 28 & 30, 2012 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Outline Engineered defenses to achieve protection goals 1 Threat models Access control for system security Cryptography for communication security Security threats 2 System vulnerabilities: violating engineering assumptions Cryptanalysis: violating physical or mathematical assumptions Violating assumptions about attacker behavior Violating assumptions about defender behavior Countering security threats 3 Ex post countermeasures Ex ante countermeasures 2 / 57 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Let’s recap last time Safety vs. security Information security protection goals Confidentiality : information is accessible only to authorized 1 parties Integrity : modification of information can be detected 2 Availability : authorized parties can access information (and 3 use resources) when and where it is needed Identification vs. authentication vs. authorization Computer systems and networks 3 / 57 Engineered defenses to achieve protection goals Security threats Countering security threats Notes Information security overview Protection Goals Confidentiality Integrity Availability Satisfy goals 2. Security threats 3. Countering security threats 1. Engineer defenses 4 / 57
Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Engineered defenses to achieve protection goals Protection Goals Confidentiality Integrity Availability Satisfy goals 2. Security threats 3. Countering security threats 1. Engineer defenses 6 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Threat models All security is relative, but relative to what? ⇒ Threat models codify assumed adversary behavior Threat models articulate assumed adversary behavior Goal : disrupting defender’s protection goals, make money, 1 wreak havoc Knowledge : does the attacker know how the defense works? 2 Capabilities : Computational power available, time available to 3 target defenders, local vs. global eavesdropping, active vs. passive Question: could a threat model be fully specified by assuming a certain level of financial resources available to the adversary? 7 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Access control Recall claim from last class: authorization decision is the fundamental challenge of security engineering Access control is how computer systems enforce authorization decisions ⇒ definition: ensuring that authorized user can access and modify only those resources to which he is entitled 8 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes The rise of the superuser Operating systems (OSes) separate processes that run the OS from processes run by users OS processes have many powers – reading all communications, installing software, etc. These powers can readily be abused by a malicious software designer Solution: create a superuser that can have OS-level capabilities, constrain what regular users can do 9 / 57
Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Operating System Security prevent side channels P i process i and covert channels R j resource j P 2 P 1 P 3 enforce authorization decisions KERNEL for inter-process communication and resource access R 3 R 1 R 2 Same principle on higher layers: virtualization , sandboxes , . . . 10 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Sharing resources: mandatory vs. discretionary access control Mandatory access control (MAC) Sysadmin decides what processes should read and write to others in accordance with a security policy Example security policy: two levels (hi and low) no read up: low cannot read hi no write down: hi cannot write to low Under MAC, OS enforces consistent policy to all files and processes in a “top-down” fashion + Consistent policies easier to enforce when baked into the OS - Inflexible policies encourage workarounds to get work done 11 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Discretionary access control (DAC) DAC a “bottom-up” approach to access control File owners set access control policies (e.g., which users can read, write or execute given files) OS then enforces the permissions set by the owner + Offers great flexibility in how files and processes can be accessed - Enforcing consistent policies harder - Makes user-account takeovers potentially more harmful 12 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Principle of least privilege Principle of least privilege : any file or process should be assigned the minimum level of permissions needed in order to complete required task + Limits the damage a process can cause others - Conflicts with desire to make systems easy-to-use and adaptable Question: what incentive conflict does a programmer face when requesting privileges? 13 / 57
Notes Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Cryptography Protecting information on a computer system is necessary but not sufficient to meet protection goals Must also protect communications between systems Cryptography (crypto for short) can be used to ensure confidentiality and integrity of communications 15 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Recall the broker example from last time Exchange Broker � BUY,200,GOOG,$600.25 � 16 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Crypto traditionally refers to Alice and Bob Alice Bob I love your music hate Mallory Eve 17 / 57
Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Crypto B.C. Julius Caesar enciphered messages by shifting letters by three Those receiving the message knew to shift back Plaintext: THISISIMPORTANT Caesar Secret key: DDDDDDDDDDDDDDD Ciphertext: WKLVLVLPSRUWDQW 18 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Vigen` ere cipher Shift each letter by a different amount, repeating after n letters Plaintext: THISISIMPORTANT Vigen` ere Secret key: DABDABDABDABDAB Ciphertext: WHJVITLMQRRUDNU 19 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes One-time pad Shift each letter by a different amount, never repeating Plaintext: THISISIMPORTANT One-time pad Secret key: DABHJIZXEBTULQP Ciphertext: WHJZRAHJTPKNLDI Question: what is the key length? 20 / 57 Engineered defenses to achieve protection goals Threat models Security threats Access control for system security Countering security threats Cryptography for communication security Notes Symmetric cryptography Key distribution center k AB k AB Alice Bob { I love your music } k AB 21 / 57
Recommend
More recommend