[soen321-f04] week 1 material (Sep 03)
David K. Probst PROBST at vax2.concordia.ca
Fri Sep 3 16:29:01 EDT 2004

SOEN 321 Week 1 Lecture Material
_________________________________

reference material: "Cybersecurity Today and Tomorrow: ...". This should be freely downloadable from nap.edu or cstb.org. We only need pp. 1 - 13 of the actual text.

Modern computer security has roots in secure communication (originally radio traffic) and in centralized (operating-system) protection. The vocabulary of secure communication tends to dominate. Rather than invent new terms, we can stretch the meanings of the famous CIA trio in such a way that computer security does not come across as merely applied cryptography. But if applied cryptography is only part of the story, it is certainly fundamental: the set of security mechanisms must include some cryptographic mechanisms. Why is this?

In what way is computer security a package deal? Is security more than just anti-virus software, firewalls, and downloading patches for whatever Microsoft's vulnerability of the day happens to be? Of course. Information-systems security combines a comprehensive approach to both secure communicating and secure computing.

Why is information-systems security important?

Answer: Computing has grown, or is growing, to become a central component of modern life, sometimes as important to our existence as electricity or banking. When computing was peripheral, it could be insecure. As computing becomes increasingly central, we cannot allow it to become an essential component of society until we render it secure. We must protect it just as we protect our food and water supply. Ideally, computing should be as reliable (or as secure; the two things are quite different) as commercial aviation.
Computing today is like flying the space shuttle; we need to make it more like flying a Boeing 747.

Security means being able to communicate and compute safely in the presence of adversaries (and adversarial actions taken against our computer systems). It is well known that information systems are integral parts of the nation's critical infrastructure (power grid, air-traffic control, banking, etc.).

CIA
___

It helps to group the various security services that protect against threats to the security of a system under three broad headings---confidentiality, integrity, and availability (CIA). Remember that we sometimes use these terms very generally, adding more meaning to them than they had when the context was simply secure message transmission.

1. Confidentiality: Restriction/denial of access to information, programs, data, and computing resources. Better name: Confidentiality and Access Control. Note the underlying notion of authorization here.

The military has had longstanding needs to implement controls to enforce "need to know". Large corporations must protect their proprietary information. Confidentiality goes together with access control because, in practice, you either have both or you have neither. It's a package deal.

One could argue that something that supports confidentiality is an access-control mechanism.

Example: Cryptography can be used to preserve data confidentiality by controlling access to the plaintext.

The bread-and-butter notion of access control is a set of mechanisms that limit which subjects (principals) can perform which operations ("methods") on which objects. The familiar operating-system notion of access control is a noncryptographic mechanism for keeping information (files) confidential. There is also resource (configuration) hiding and control of computational capability (the ability to execute specified programs).

General observation: A security service that enforces confidentiality (or anything else, for that matter) relies on a certain number of _trust assumptions_.

Example: A security service running on a computer may assume that the kernel will always supply correct data or that the kernel will always protect it in some way.

Example: In NFS, file servers are willing to blindly trust file clients. Any file system that is exported can be read by any machine since file permissions are enforced in the NFS client. But why should I trust the innocence of the NFS client? How do I know it is not malicious? In the CS department, hosts are divided into trusted (Department-managed) and untrusted (user-managed). In the former, it is impossible to install a malicious NFS client unless you first break into the system (become root). In the latter, users may install whatever client software they choose because those machines _have already been broken into_!

Security is a joke unless you have a pretty astute idea of what you can trust and what you shouldn't trust. In fact, assumptions and trust underlie any claim that a collection of security mechanisms implements a given security policy. Moreover, errors in the trust model are likely to lead to an inappropriate security policy.

CI..
____

2. Integrity: Have I ensured the trustworthiness of information/data and programs? Are they what they should be? Do they do what they are supposed to do?

Providing integrity is preventing unauthorized modification of information/data and programs. But, just as confidentiality and access control are a package deal, so are integrity and authentication. So, "I" stands for Integrity and Authentication. Authentication is proving claims of identity.

To see why you either have both or you have neither, consider receiving a message from Bob. What good does it do to prove that the message was not altered in transit (message integrity) if you have no idea that "Bob" is really Bob?
The sender might have constructed a bad message to begin with. Data integrity does not necessarily imply data-origin integrity. Integrity relies on authentication. Authentication comes in many flavors. For example, entity authentication is not the same as message-origin authentication.

In integrity/authentication, there is a subnotion of credibility: if you have a trusted source and you believe that there has been undisturbed transmission, you might be more willing to regard the received information as trustworthy. But do you trust your source because he is not stupid or because he understands computer security? Wouldn't you have to trust him for both things?

Integrity mechanisms may be _prevention_ mechanisms or _detection_ mechanisms.

Prevention is blocking unauthorized attempts to change data or attempts to change data in unauthorized ways.

- strong authentication and access controls will generally stop outsider attacks on system integrity
- it is much trickier to stop insider attacks; only spy agencies and financial institutions devote sufficient resources to insider attacks

Detection is letting unauthorized modification occur but reporting that the information/data is no longer trustworthy. Detection mechanisms include everything from audit trails to cryptographic identity checks.

Since integrity is really trustworthiness, we may need long chains of reasoning about trust assumptions. Bob is a White Hat; Bob is competent; Bob protects his information; Bob's information arrived without modification; I protect Bob's information on my machine.

Ah, but is this information a program? If so, I need to ask two questions:

- Is this program malicious?
- Is this program able to protect itself from adversarial input?

If _either_ answer were "no", the program would be untrustworthy!

Example: Sendmail is an important Mail Transport Agent (MTA). A hacker broke into the Sendmail distribution site and substituted a corrupted version.
The hacker neglected to update the message-authentication code (MAC). That's O.K. Users were too stupid or too lazy to verify the MAC. The new Sendmail version was removed from the site.

Whole countries and cultures do not take security seriously. Being naive and uneducated, they are not paranoid enough. "I am nice. Why would anyone attack me? I have no enemies".

CIA
___

3. Availability: The ability to use/access information/computing resources with normal delay. An attacker may deliberately arrange to deny access; this is called a Denial of Service (DoS) attack.

Example: Leveraging DoS attacks. A bank has a primary and secondary server with automatic switchover. An attacker corrupts the secondary server and then launches a successful DoS attack on the primary server.

Important Notions
_________________

- vulnerability
- threat
- attack
- countermeasure

A _vulnerability_ is an error or weakness in the design, implementation, or operation of a system (very crudely, a bug). A _threat_ is the imagined possibility of exploiting a (known) vulnerability to breach security. An _attack_ is an actual exploitation attempt. _Risk_ is the expected loss (probability of occurrence times cost) from an adversarial action (attack) exploiting a given vulnerability.

Security involves vulnerabilities, threats, and countermeasures. A _vulnerability_ is an aspect of a system that makes it possible to attack it. A _threat_ is the imagined possibility that an adversary will exploit that vulnerability and cause damage to the system. A _countermeasure_ is a mechanism that shields the vulnerability from attack.

It follows that countermeasure engineering must be based on speculation. Risk management determines how many resources to devote to security. In good security engineering, we plan rationally today to thwart tomorrow's attacks.

Assurance
_________

Vital and yet neglected. Strategies to gather evidence relevant to claims that the security mechanisms do implement security policies.
In general, do I have rational reasons to regard my system as trustworthy? A vast field.

Threats
_______

We may classify threats into four broad classes:

1) Disclosure: Unauthorized access to information
2) Deception: Gaining acceptance of false information
3) Disruption: Interruption or prevention of correct operation
4) Usurpation: Assuming unauthorized control of some part of the system

Example: snooping
Example: modification of the environment variables together with data-dependent computation leads to disruption and usurpation (e.g., format-string attack)
Example: man-in-the-middle attack
Example: spoofing

Policy versus Mechanism
_______________________

To understand security, we must distinguish _policy_ from _mechanism_.

1) Security policy: statement of what operations are, and are not, allowed
2) Security mechanism: method, tool, or procedure for enforcing a security policy

Policies often require some procedural mechanisms that technology cannot enforce.

Example: Policy states that A may not electronically copy B's assignment. The operating system provides discretionary access controls. A does not bother to configure them correctly. B is able to violate the security policy.

Goals
_____

We want to _prevent_, _detect_, and/or _recover_ from attacks. The first two are obvious. There are types of recovery:

- we may be able to stop the attack in progress
- we may be able to fall back gradually to smaller and smaller cores of functionality (fewer users, less software running, less communication between systems)

We would like to _nest_ security perimeters and to avoid _brittle_ security perimeters. It is far more reasonable to design a _fail-soft_ means of responding to a successful attack in which, in the worst case, we retreat to a minimum core of essential functionality.

In practice, there is no guaranteed security (with a few _very expensive_ exceptions).
The reasonable security goal is therefore, how can I make it more difficult for attacks to succeed and not get totally killed when an attack does succeed?

Tough Question
______________

How do we determine if the security policy correctly describes the required level and type of security for the site?

One thing that must be done is to bring _all_ the trust assumptions into as close a correspondence with reality as possible. We must also have a trust model that is comprehensive: we must have an opinion of the trustworthiness of every entity.

For a security theoretician, the policy correctly and unambiguously partitions the set of system states into "secure" and "nonsecure" states. Notionally, the security mechanisms prevent the system from entering a "nonsecure" state. In practice, the security mechanisms _do_ allow the system to enter a nonsecure state, which is why break-ins are possible.

Because there are no absolutes, rational computer security is risk management.

Assurance (continued)
_________

Assurance is the collection of all the techniques that lead one to form a rational opinion about how trustworthy a system is. Crudely, what is my evidence for trusting this system? More precisely, what can I do to reduce the likelihood of trusting my system inappropriately?

Example: Red Teams. These are highly professional White Hat hackers who are hired by management to break into systems. If breaking in is a piece of cake, then security is lax. If breaking in requires real work, then the system is not totally insecure. After the Red Team reports, countermeasures can be approved.

Trust Assumptions
_________________

Underlying every site security policy are key assumptions describing what the site and the system accept as true or trustworthy; understanding these assumptions is the key to analyzing the strength of a system's security. These assumptions also allow us to analyze whether mechanisms implement policy.
If trust has been well placed, a system can be made reasonably secure. If it has been misplaced, the system cannot be made secure in any sense of the word.

From "Cybersecurity"
____________________

What can go wrong? The usual stuff
What causes things to go wrong? Accidents and deliberate attacks

A malicious attack is often hidden from detection by subtle "gaslighting", the construction of a plausible illusion (here, that the system has not been broken into).

Attacks presuppose vulnerabilities.

Epistemology of Vulnerabilities
_______________________________

For anything other than toy programs, you may detect the presence of a bug (perhaps by testing) but you can never establish the absence of bugs. Partly because there are no incentives to do so, software vendors routinely issue (i.e., sell) buggy software, whose flaws are discovered over time. But computer systems have grown to the point where it is beyond the power of the human mind, even aided by automatic tools, to ascertain _what_ vulnerabilities remain.

Although a White Hat or a Black Hat may stumble over a vulnerability, there is no systematic way to remove vulnerabilities nor to have any assurance that all vulnerabilities have been removed. Decent software-engineering practices, if they were articulated or followed, would remove some of the more obvious vulnerabilities. We seem to be going backwards on this.

The two factors making vulnerability analysis intractable are complexity and (communication) connectivity. Foolish users demand increasingly complex systems and also demand that they be connected in arbitrary ways.

The security problem is, how can I secure systems even though I know that both systems and applications software running on machines is thoroughly buggy?

Today, the situation is grim. The cycle of stumbling over bugs and then desperately patching them has degenerated into an inelegant and tedious arms race.
We need innovative security proposals before massive attacks do real damage (despite the headlines, nothing truly serious has happened so far).

Configuration
_____________

From p. 10 of "Cybersecurity":

Many compromises of an information system or network result from improper configuration. For example, a given system on a network may have a modem attached to it that is not known to the system administrator, even if it was attached by a legitimate user for legitimate purposes. An installed operating system ... . A system firewall may be improperly ... . Etc., etc.

Proper configuration is an extremely important practical factor in system security. Configuration covers a lot of things. Roughly, it means setting things up right.

Rubin's Two Cents (pp. 9 - 11)
_________________

Computer-system vulnerabilities are due to:

- buggy code
- poor administration
- careless or uninformed users

There is hope for improvement only in category 2. ;-)

Example: We have known about buffer-overflow vulnerabilities for more than forty years, people have been trying to remove them for thirty years, and yet we have new ones or undiscovered old ones every year.
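
The state-partition view from "Tough Question", applied to the assignment-copying case from "Policy versus Mechanism", as an added example that is not part of the original lecture notes. The two-bit state, the operation names, the roles "owner" and "peer", and the `owner_may_chmod` switch are assumptions of this toy model.

```python
from collections import deque

# Toy model constructed for this example. A state is the pair
# (peer_can_read, peer_has_copy) for one assignment file.

def policy_secure(state):
    """Policy: the peer must never hold a copy of the owner's assignment."""
    _peer_can_read, peer_has_copy = state
    return not peer_has_copy

def mechanism_steps(state, owner_may_chmod=True):
    """Yield (operation, next_state) for every operation the mechanism permits."""
    can_read, has_copy = state
    if owner_may_chmod:                  # discretionary: the owner picks the mode
        yield "owner: chmod o+r", (True, has_copy)
        yield "owner: chmod o-r", (False, has_copy)
    if can_read:                         # the only check made is the mode bit
        yield "peer: copy assignment", (can_read, True)

def first_violation(start, steps, secure=policy_secure):
    """Breadth-first search of the states the mechanism lets the system reach.
    Returns the shortest operation trace into a nonsecure state, else None."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if not secure(state):
            return trace
        for op, nxt in steps(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [op]))
    return None

def analyse():
    def mode_fixed(state):               # variant: nobody may change the mode
        return mechanism_steps(state, owner_may_chmod=False)
    return {
        "world-readable default": first_violation((True, False), mechanism_steps),
        "owner-only default": first_violation((False, False), mechanism_steps),
        "owner-only, mode fixed": first_violation((False, False), mode_fixed),
    }

if __name__ == "__main__":
    for setup, trace in analyse().items():
        print(f"{setup:24} ->", " ; ".join(trace) if trace else "no nonsecure state reachable")
```

In the second case the controls start out configured correctly, yet the secure state survives only as long as the owner never relaxes the mode, which is a procedural requirement the access controls themselves cannot enforce.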
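
The Sendmail incident and the remark that data integrity does not imply data-origin integrity, as an added example (not from the original notes). HMAC-SHA-256 stands in for the MAC the notes mention, the key is assumed to reach users over a channel the intruder does not control, and the third scenario goes beyond the case in the notes to show why an unkeyed checksum published on the same site is the weaker detection mechanism.

```python
import hashlib
import hmac

def mac_tag(key: bytes, data: bytes) -> str:
    """Publisher side: keyed tag over the release (HMAC-SHA-256 assumed)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def checksum(data: bytes) -> str:
    """Unkeyed digest: anyone, including an intruder, can recompute it."""
    return hashlib.sha256(data).hexdigest()

def verify_mac(key: bytes, data: bytes, published_tag: str) -> bool:
    """Detection mechanism: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_tag(key, data), published_tag)

def verify_checksum(data: bytes, published_digest: str) -> bool:
    return hmac.compare_digest(checksum(data), published_digest)

def run_scenarios() -> dict:
    # Every value below is constructed for the example.
    key = b"constructed-key-shared-out-of-band"
    genuine = b"constructed bytes standing in for the genuine release"
    trojan = b"constructed bytes standing in for the substituted release"
    good_tag, good_sum = mac_tag(key, genuine), checksum(genuine)
    return {
        # 1. Untouched release: both checks pass.
        "genuine": (verify_mac(key, genuine, good_tag),
                    verify_checksum(genuine, good_sum)),
        # 2. The case in the notes: file replaced, published values left stale.
        #    Either check detects it, but only if somebody runs the check.
        "stale_values": (verify_mac(key, trojan, good_tag),
                         verify_checksum(trojan, good_sum)),
        # 3. Intruder also refreshes what the site publishes. Without the key
        #    the best available tag is one made under a guessed key.
        "refreshed_values": (verify_mac(key, trojan, mac_tag(b"guess", trojan)),
                             verify_checksum(trojan, checksum(trojan))),
    }

if __name__ == "__main__":
    for name, (mac_ok, sum_ok) in run_scenarios().items():
        print(f"{name:17} mac_ok={mac_ok!s:5} checksum_ok={sum_ok}")
```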