Introduction
Welcome to the course on Secure Computer Systems!
Topic: technical computer security (cryptography as "black boxes")
- Me:
- teacher: OS, cryptography/data security, computer networks
- researcher: formal methods for mobile systems, incl methods for verifying security protocols
- ex systems manager, hacker
- Teaching assistants:
- Magnus Johansson, PhD student in formal methods (applicable for security properties)
- Frédéric Haziza, PhD student in verification methods (finding bugs in real programs)
- Students: IT, DV, exchange, Int. Masters...?
- Who are you? Background, interests, future plans?
How does the course work?
- Course material: book (buy it today!), web material (+ handouts), see http://www.it.uu.se/edu/course/homepage/sakdat/ht06
- Continuous examination:
- group assignments (3 persons),
- quick followup of results
- no "completion" on assignments, score instead of pass/fail
- score gives grade on course
- be prepared to show your solutions/answers to the class
- Basic block (2p):
- Crypto overview, id+auth, cryptology, access control, models
- Extensions (3p) (smorgasbord, collect points)
- Security kernels, Unix, Windows, Dist.syst., Network, Web, Databases
- Workshop session: oral presentations of "deeper" written assignments (in groups), mandatory for VG, points for all
- Re-examination: extra assignments during winter
- Study during the course; discuss material in groups and during class
- Important to search for information; book encourages further studies
- links on web (you can update parts of it!)
- feedback to me: use yellow stickers, email, web
Subject intro
What is security? What are your experiences? What are the important issues?
- Accidental failures: reliability issues
- Operating mistakes: usability issues
- Intentional failures: security issues (although intentions may not be clear)
- Asset (tillgång)
- hardware, software, data, information, reputation...
- Vulnerability (svaghet)
- weaknesses in design/implementation/procedure which may be exploited to cause loss/harm to assets
- eg default passwords, NFS, ...
- rated by impact (level of criticality)
- Threat (hot)
- set of circumstances/actions which potentially cause loss/harm to assets
- eg tapping the cable to see NFS traffic
- Not the same as vulnerabilities: we may be invulnerable to threat (a vulnerability may not be a threat (we don't care))
- Attack
- exploit of vulnerability
- Control
- action, device, procedure, technique which removes or reduces vulnerability
- eg network construction
A threat is blocked by control of a vulnerability
Four basic threats:
- interception: unauthorised access to information
- interruption: unavailability of authorised access (delete destruct etc)
- modification: unauthorised (or not)
- fabrication: unauthorised, (inject data, falsifications, etc)
Example attacks:
- Trojan horse: pretends to be nice, isn't
- virus: "infects" other programs
- worm: moves by itself
- trapdoor/backdoor: Wargames
- brute force password cracking
- bound/syntax checking: gets/fgets
- exploit information leaks (see information flow later; data vs information)
- denial of service (DoS)
- identity spoofing
- social engineering
2.1.1. Risk analysis
- quantitative: calculate expected losses by threat probability, asset values
- qualitative:
- asset rating (critical, very important, important, not important)
- vulnerability criticality (fix immediately, fix soon, fix sometime, fix if convenient)
- threat rating (very likely, likely, unlikely, very unlikely)
Informally: Risk = Assets x Threats x Vulnerabilities
- Prevention (locks),
- Detection (alarms),
- detect damage occurred, how it's damaged, and who caused the damage
- Reaction
- recover from the damage (minimise damage, make it not happen again)
(We deal only with technical, not social aspects, risk analysis/management etc)
- Confidentiality: prevent unauthorised disclosure of information
- Integrity: prev. unauth. modification of info
- clark/wilson: no modification even by authorised users
- data integrity - external consistency,
- networking: detection/correction of modif/insert/delete/replay, intentional/transmission err
- Availability: prevent unauthorised withholding of info (or resources)
- accessible when needed, without undue delay
- accessible & usable when authorised entity needs
- cf DoS
- More aspects
- accountability: record audit info wrt security, for tracing responsible party
- authenticity (peer entity and data origin),
- trust, risk, privacy, anonymity
- Reliability; DEPENDABILITY
- should be able to depend on the computer system
Many definitions - don't assume they are all the same.
Book definition:
- Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
(i.e. security is absence of insecurity).
Security-unaware users have specific security requirements but usually no security expertise, or
Users need security but don't know what it is! or how to handle it.
E.g. how many of you use secure email? Virus protection? Firewalls? Passwords? MS Explorer/Outlook?
And how many of your parents do?
Security mechanisms
- need computing resources (not too much)
- must be easy to use (otherwise work-arounds)
- must be easy to manage (otherwise not properly managed)
Ex:
- passwords: need to use good passwords, but not too hard to remember
- virus protection: need to keep it up-to-date
- secure email: need to protect key/certificate
Data vs Information
Computer security is about controlling access to information and resources.
Data represents information, which is the (subjective) interpretation of data. Controlling access to information difficult, often easier to protect data.
However, covert channels can make this insufficient: yes/no replies to access requests (data) represents information; inference problem in statistical databases...
Design principles
How do we make secure computer systems? Think ahead, don't fix it afterwards.
- Should protection mechanisms focus on data, operations or users?
- Focus of Control - data, operations, or users
- data: internal consistency, type control - irrespective of user/operation
- operations: only certain operations can access data - depending on user/data
- users: only certain users can access certain data
Traditionally OS focused on data (resources), more recently operations/users.
- In which layer should a security mechanism be placed?
- Man-machine scale - applications to hardware
- application programs
- services of software package
- operating system (controls file, memory mgmt, devices/resources)
- OS kernel (controls accesses to processor, memory etc)
- hardware: processor, memory, etc
lower: more generic, resource oriented, hardware
higher: application specific, user requirements
"1+2 gives man-machine scale"
Dimensions:
application ^ | user <----+------> resource/data | v hardware
- Simplicity and higher assurance, or lots of features?
- Complexity vs assurance
- complex systems are powerful, but hard to use, manage, and analyse
- simpler systems may match requirements poorly, but be easier use, manage and analyse
- Centralised or decentralised definitions of security and enforcement of it?
- centralised: uniform, but performance bottleneck
- decentralised: more efficient, but possibly less consistent
- How prevent an attacker from circumventing mechanisms in layer N by accessing layer N-1?
- Security perimeter/boundary: errors outside are OK, inside can break security
- Examples
- Recovery tools (filesystems)
- Access to raw device (similar, e.g. disk, memory /dev/kmem, /dev/hda0)
- Object reuse (memory, disk): clear newly allocated object
- Backup: need to access all data, and be protected
- "Core dump" (saved memory image on error): may contain sensitive info, needs protection
Different settings: Everyday/private/educational, Governmental, Commercial, Military
Summary
In security, understanding the problem may be more difficult than finding the solution.