15-349
Introduction to Computer and Network Security
Iliano Cervesato
22-24 August 2010

This Lecture
- No scare tactic!
- What is computer security
- Course presentation
- Security goals
- Risks of computing

Why Computer Security?
Because computing resources and data are valuable
- Value of resources
  - Physical entities
  - Computing time / disk space / network connections
  - System being off-line
- Value of data
  - Passwords
  - Grades
  - Credit cards
  - Trade secrets
  - Military secrets, …
- How valuable? (slide figure: digital assets)
  - In the eye of the beholder
    - The owner
    - The attacker

Reasons for an Attack
What kind of value can an attacker get?
- A good laugh
- Bragging
- Embarrassment
  - Discredit victim
- Inconvenience
  - Sometimes huge
- Monetary gain
  - Sometimes huge
- Personal safety

Attacking what, exactly?
Soft boundaries:
- Computer systems
  - Hardware
  - Software
  - Data
    • Is a program software or data?
    • What is firmware?
    • FPGA settings?
- Information systems
  - (networked) computer systems
  - Processes
  - Goals/objectives
  - People
(slide figure labels: Digital assets, Business aspects)

Difference from Physical World
What makes protecting digital assets hard?
- Complexity of digital systems
  - Lots of opportunities
  - Attacker just needs to find one entry point
  - Defender must protect them all
- No need for physical proximity
  - Not even being in the same country
- Computing monoculture
  - Low marginal cost
- Speed of aggression
  - Defense takes time

Course presentation

Course Logistics
- Time and place
  - Lectures: Su, Tu, 1:00-2:20 (1031)
  - Recitations: Th 1:00-1:50 (1031)
  - Movie nights: (TBA)
- 3 instructors [Thierry, Iliano, Khaled]
- Web page
  - http://www.qatar.cmu.edu/cs/15349
- Book:
  - Stallings, Brown: Computer Security
  - Articles on the web site
  - Articles in the news

15-349
- Description:
  - Intro course to computer & network security
  - Very broad
  - Not very deep
  - Theory <----------------------> Practice
- Objectives:
  - Understand basic concepts in security
  - Read newspaper/magazine articles critically

Course organization
- 5 parts
  1. Intro (this week)
  2. Applied cryptography
  3. Program security, OS security and Trusted systems
  4. Network security
  5. Beyond technology
- Discussions
- Movies
- Teacher for a day
- Guest lectures
- Recitations
- Movie nights
- Field trip (maybe)

Assessment
- Participation: 10%
  - Class discussion
  - Movie nights
- Quizzes: 20%
  - Weekly
- Presentation: 15%
- Assignments: 55%
  - Crypto: 15%
  - Program security: 15%
  - Network security: 15%
  - Beyond technology: 10%
- No midterm, final!

Let’s get started for real…

Computer & Network Security: Overview

The Security Game
Information and resources have value
- Attacker
  - Appropriate the value of somebody else’s digital assets
- Defender
  - Protect digital assets from attackers
  - Prevent attacker from appropriating value

The Security Theater
(slide diagram, reconstructed as text)
- Threats: possibility of damage
- Vulnerabilities: weakness in the system; vulnerabilities enable threats
- Attacks: exploitation of a vulnerability to realize a threat
  - an attack exploits a vulnerability and realizes a threat
- Countermeasures: limit the possibility or consequence of damage
  - mitigate or neutralize threats
  - reduce or remove vulnerabilities
  - disable, mitigate or diffuse attacks

Example
- Threat
  - Student setting own grade on Blackboard
- Vulnerabilities
  - Weak passwords
  - Incorrect permissions
  - Soft IT guy
- Attacks
  - Crack password
  - Ask IT guy to weaken permissions
- Countermeasures
  - Authentication mechanisms
  - File protection (access control, access login)
  - Training
  - Punishments
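As an added illustration of this slide (not part of the lecture), the following Python sketch models two of the countermeasures named above for the grade-setting threat: an access-control table for the gradebook, once with the "incorrect permissions" vulnerability and once corrected, with an audit that flags the misconfiguration, and a minimal password-policy check standing in for "authentication mechanisms". The user names, roles, ACL layout, sample gradebook and password blocklist are all constructed for the example.

```python
# Added example (not from the lecture): access control and a password policy
# for the "student sets own grade" scenario. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "student" or "instructor"


# ACL layout (constructed): resource -> role -> allowed actions.
# An action written "read:own" is allowed only on the caller's own record.
WEAK_ACL = {
    # The "incorrect permissions" vulnerability: students may write grades.
    "gradebook": {"instructor": {"read", "write"}, "student": {"read", "write"}},
}
CORRECT_ACL = {
    # Students may only read their own row; only instructors may write.
    "gradebook": {"instructor": {"read", "write"}, "student": {"read:own"}},
}


def is_allowed(acl, user, action, resource, record_owner=None):
    """Reference-monitor style check: every access goes through here."""
    perms = acl.get(resource, {}).get(user.role, set())
    if action in perms:
        return True
    return f"{action}:own" in perms and record_owner == user.name


def set_grade(acl, gradebook, actor, student, grade):
    """Write a grade only if the ACL allows the actor to write the gradebook."""
    if not is_allowed(acl, actor, "write", "gradebook", record_owner=student):
        raise PermissionError(f"{actor.name} may not set {student}'s grade")
    gradebook[student] = grade
    return gradebook


def audit_acl(acl):
    """Configuration review: list every non-instructor role with write access."""
    findings = []
    for resource, by_role in acl.items():
        for role, perms in by_role.items():
            if role != "instructor" and "write" in perms:
                findings.append(f"{role} has write on {resource}")
    return findings


# Constructed list standing in for a real breached-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def password_acceptable(password, min_length=12, blocklist=COMMON_PASSWORDS):
    """Minimal policy against the 'weak passwords' vulnerability."""
    return len(password) >= min_length and password.lower() not in blocklist


def demo():
    """Run the scenario end to end and return what happened."""
    alice = User("alice", "student")
    prof = User("prof", "instructor")
    result = {"weak_findings": audit_acl(WEAK_ACL),
              "correct_findings": audit_acl(CORRECT_ACL)}
    # With the weak ACL the student can rewrite her own grade.
    result["weak_student_write"] = set_grade(
        WEAK_ACL, {"alice": "B"}, alice, "alice", "A")["alice"]
    # With the corrected ACL the same request is refused; the instructor's is not.
    try:
        set_grade(CORRECT_ACL, {"alice": "B"}, alice, "alice", "A")
        result["correct_student_write"] = "allowed"
    except PermissionError:
        result["correct_student_write"] = "denied"
    result["instructor_write"] = set_grade(
        CORRECT_ACL, {"alice": "B"}, prof, "alice", "A")["alice"]
    # Students also cannot read each other's rows under the corrected ACL.
    result["alice_reads_bob"] = is_allowed(
        CORRECT_ACL, alice, "read", "gradebook", record_owner="bob")
    return result


if __name__ == "__main__":
    print(demo())
```

The audit function is the part a defender would actually schedule: it turns "incorrect permissions" from something discovered after a grade changes into something found in a periodic review.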

The CMU Computing Policy
- Rules that regulate allowed use of computing resources
  - No breaching security
- Is it enforceable?
  - Yes! If caught, lots of trouble
- Does it mean that security mechanisms are not needed?
  - Needed to make enforcement manageable
  - Needed because data/resources are valuable beyond punishment
  - Needed because policy applies only to CMU students/faculty/staff

Unintended Behaviors and remedies
Systems don’t meet their functional requirements
- Environmental disruptions
  - Fault-tolerant architecture
  - Stronger interfaces
- Operator errors
  - Education and training
  - Better human-computer interfaces
- Poor design/implementation (bugs)
  - Languages and tools
  - Testing and verification
- Deliberate attacks
  - Lower expectations
  - Security engineering (this course)

Correctness vs. Security
- Correctness: satisfy specifications
  - For reasonable inputs, get reasonable output
- Security: resist attacks
  - For unreasonable inputs, output not completely disastrous
- Main difference
  - Active interference from the environment
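The two definitions above, as an added example that is not part of the lecture slides: a constructed task ("record quiz scores from lines of the form andrew_id:score") written first so that it satisfies its specification on reasonable input, then so that the outcome also stays bounded on unreasonable input. The first version is correct, yet a single malformed line ends the run and an absurd score is recorded as given; the second rejects and reports such lines instead. The line format, the names and the sample lines are all constructed for the example.

```python
# Added example (not from the lecture): one task, "record quiz scores from
# lines of the form andrew_id:score", written twice. Sample lines are constructed.


def record_scores_correct(lines):
    """Correct for reasonable input: every line is well formed and in range."""
    scores = {}
    for line in lines:
        andrew_id, score = line.split(":")
        scores[andrew_id] = int(score)
    return scores


def record_scores_secure(lines, max_score=100):
    """Same task, but unreasonable lines are rejected and reported instead of
    crashing the run or being recorded as absurd grades."""
    scores, rejected = {}, []
    for lineno, line in enumerate(lines, start=1):
        parts = line.strip().split(":")
        if len(parts) != 2 or not parts[0].isalnum():
            rejected.append((lineno, "malformed"))
            continue
        andrew_id, raw = parts
        try:
            score = int(raw)
        except ValueError:
            rejected.append((lineno, "non-numeric score"))
            continue
        if not 0 <= score <= max_score:
            rejected.append((lineno, "score out of range"))
            continue
        if andrew_id in scores:
            rejected.append((lineno, "duplicate id"))
            continue
        scores[andrew_id] = score
    return scores, rejected


def outcome(fn, lines):
    """Report whether a recorder finished or died on the given input."""
    try:
        return ("ok", fn(lines))
    except (ValueError, KeyError) as exc:
        return ("crash", type(exc).__name__)


# Constructed inputs: a reasonable file and one containing garbage lines.
REASONABLE = ["alice:87", "bob:92"]
UNREASONABLE = ["alice:87", "bob:92", "mallory:100000", "alice:100", "x:y:z", "eve:abc"]

if __name__ == "__main__":
    print(outcome(record_scores_correct, REASONABLE))
    print(outcome(record_scores_correct, UNREASONABLE[:3]))  # absurd score accepted
    print(outcome(record_scores_correct, UNREASONABLE))       # dies on "x:y:z"
    print(outcome(record_scores_secure, UNREASONABLE))
```

Both functions agree on REASONABLE; they differ only when the environment stops being cooperative, which is exactly the "main difference" the slide names.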

Stochastic vs. Malicious Events
- Incorrect system
  - Bugs manifest at random
- Insecure system
  - Once discovered, a vulnerability is attacked over and over

Let’s play
- Can we redraw this graph so that the edges don’t intersect?

Let’s play
- What about this one?

The Thrill of Computer Security
Thinking outside of the box!
(slide diagram of nested sets of system behaviours, labelled: Anticipated, Imagined, Possible)
- Exciting for geeky attackers
- Exciting for security researchers

Attack Goals
(two columns on the slide: in the physical world / in the electronic world)
- Publicity
- Terrorism
- Landing in Red Square
- Highly contagious viruses
- Defacing web pages
- Bank robbery
- Scams
- Plagiarism
- Credit card number theft
- Phishing
- Intellectual property theft
- Vandalism
- Obstruction of justice
- Wiping out data
- Denial of service
- Fraud
- Disruption
- Invasion of privacy
- Collection of personal data
- Reading private files
- Surveillance
- Espionage

Some Threats [Defense Science Board]
- Unintended blunders
- Hackers driven by technical challenge
- Disgruntled employees or customers
- Petty criminals
- Organized crime
- Organized terror groups
- Foreign espionage agents
- Information warfare

Who are the Attackers?
- People making mistakes
  - Unintentional blunder
- Geeks driven by technical challenge
  - Show it can be done
  - Often no damage besides planting a flag
  - Generally very innovative
- Insiders
  - Disgruntled employees
  - Employees exploiting the company
- Organized crime
  - Adware, spam, fraud, DoS for ransom, …
  - More and more sophisticated
  - More and more of a problem
- States
  - Very sophisticated
  - From blocking sites to industrial/military espionage
- Script kiddies
  - Unsophisticated
  - Unknowledgeable, dumb

Is an Attack a Crime?
- Only if some law is broken
  - Legal framework busy catching up with the digital age
  - Tendency to blame hackers for everything
- Does it matter?
  - Law enforcement can help in case of crime
  - Can be too little too late
  - Whether illegal or not, one wants to set up defenses against cyberattacks

Security Properties
(slide figure: the C-I-A triangle of security)
- Confidentiality: information is not improperly disclosed
- Integrity: information is not improperly modified
- Availability: information is accessible to legitimate users

Common Security Properties
- C (confidentiality)
  - Secrecy: confidentiality of shared data
  - Privacy: confidentiality of personal data
  - Anonymity: confidentiality of identity
  - Pseudonymity: confidentiality of linkable identity
- I (integrity)
  - Non-malleability: integrity of data
  - Authenticity: integrity of source
  - Non-repudiation: integrity of commitments
  - Accountability: integrity of responsibility
  - Authorization: integrity of rights/ownership
- A (availability)
  - No denial of service

Conflicting Goals
- Anonymity: do not record identity
  vs. Non-repudiation: log accesses identifiably
- Availability: system replication
  vs. Defendability: single access point
- Security is often a compromise
  - Prioritize goals
  - Goals are not binary
- Security is engineered
  - Security specifications

Security Policies
- Collection of security properties
  - Sometimes conflicting
- Application specific
- E.g., bank:
  - Authenticity of clients at ATM and web
  - Non-repudiation of transactions
  - Integrity of the books
  - Secrecy of client and internal data
  - Availability of alarm system
  - Exclusivity of duties (avoid conflicts of interest)
  - Dual control of sensitive transactions

Vulnerable Systems: a Trend
Vulnerability: a weakness that can be exploited to cause damage
Attack: a method to exploit a vulnerability
- The Internet
  - World-wide connection
  - Distributed: no central design and control
  - Open infrastructures: modems, wireless, DHCP
  - Untrusted software: applets, downloads
  - Unsophisticated users
- Security costs
  - Market now, fix bugs later
  - Customers want it, but won’t pay for it
- Homogeneity
  - Hardware: x86
  - OS: Windows
  - Applications: COTS

The Compromises of Security
- There is no absolute security!
  - Race between attackers and defenders
  - Constant innovation
  - Well-funded, capable, determined attackers succeed
- Costs, Punishment, Detection (three headings on the slide; the grouping of the points below under them was lost in extraction)
  - Relative to target’s value
  - Users’ inconvenience
  - Users’ acceptance
  - Hard at a distance
  - Rarely possible in real time
  - Works mostly for old threats
  - Perceived “unethical”
  - No international legislation
  - Poor domestic legislation (DMCA)
  - Freedom of expression
  - Intangibility

Is Cryptography the Solution?
Cryptography is not the same as security
- No crypto in this lecture
- 85% of all CERT advisories cannot be fixed by crypto
- 30-50% of recent security holes from buffer overflow

Computer Security
(slide figure: disciplines that computer security draws on)
- Operating systems
- Cryptography
- Mathematics
- Psychology
- Networking
- Programming languages
- Law
- Economics
- Human-computer interaction

Policies, Mechanisms, Assurance
(slide diagram, reconstructed as text; the layers are stacked by level of abstraction)
- Policy = security specifications: what is it supposed to do?
- Mechanisms = implementation: how does it do it?
- Assurance = correctness: does it really do it?
- Distinction between mechanisms and policies depends on level of abstraction
  - Assurance can sort things out
- Attacker will not politely respect abstraction layers

Systems
Why are systems vulnerable?
- Design/implementation errors
  - Bugs
- Malicious design/implementation
  - Tampering
- Misconfigurations
  - Unintentional or malicious
- Things we didn’t think about
  - Unanticipated behaviors
  - Unanticipated circumstances

Countermeasures
- Prevent attack (close vulnerability)
- Deter it (make it harder)
- Deflect it (attacker goes for easier targets)
- Detect it
- Recover from it
- Multiple countermeasures for same vulnerability
  - No countermeasure is 100%
  - Layered defense
  - Cover multiple facets of the vulnerability

Examples of Countermeasures
- Encryption
  - Useful for some attacks
- Software protection
  - Software engineering processes
  - Internal program controls
  - OS/network mechanism
  - Monitoring programs
- Hardware countermeasures
  - Physical protection
  - HW firewalls, intrusion detection, segmentation
  - Redundancy
- Policies and procedures
  - Training users and administrators
  - Legal, economic, ethical framework

Thinking like an Attacker
- Value of asset > cost of attack
  - Find another victim otherwise
- Use cheapest attack that will succeed
  - Break the weakest link
  - System is no stronger than the weakest link
  - Point of easiest penetration
- Think outside of the box

Thinking like a Defender
- Make inventory of assets
  - Determine their value
  - Security goals
- Identify threats, vulnerabilities
- Get adequate countermeasures
  - There is no absolute security
  - Stronger security = more cost
  - Stronger security = less usability
- Do periodic reviews
  - Assets change in value over time
  - New attacks launched all the time

What is Computer Security?
A game with rules only for the defending team
- Risk mitigation
- Security goals
- Policies, mechanisms, assurance