Foundation Of Computer Security Foundation of computer security •Reliability: accidental failures. •Usability: operating mistakes. •Security: intentional failures. Security •Security is about the protection of assets. •Hence, computer security is about the protection of IT assets (i.e. hardware, software, data & information, and reputation). •Protection measures can be classified as follows: oPrevention: taking measures that prevent your assets from being damaged. oDetection: taking measures that allow you to detect when an asset has been damaged, how it has been damaged, and who has caused the damage. oReaction: taking measures that allow you to recover your assets or to recover from damage to your assets. Security Example#1: protection of valuable items kept in your private home. •Prevention: o locks at the door and windows bars. o A wall round the property. o Add another layer of protection. •Detection: o you will detect when something has been stolen if it is no longer there. o A burglar alarm goes off when a break in occurs. o Closed circuit television camera •Reaction: o call police. o You may decide to replace the stolen item. Security Example #2: Protecting Credit Card from being ‘stolen’ on the web. •Prevention: o Use encryption when placing an order. o Relay on the merchant to perform some checks on the caller before accepting a credit card order. o Don’t use your card number on the internet. •Detection: o Transaction that you didn’t authorize appears on your credit card statement. •Reaction: o Ask for new card number. o The cost of the fraudulent transaction may have to be cover by the card holder, the merchant where the fraudster made the purchase, or the card issuer. Computer security •Computer Security aims to preserve: o Confidentiality : prevention of unauthorized disclosure of information. o Integrity : prevention of unauthorized modification of information. o Availability : prevention of unauthorized withholding of information or resources. •As lists are never complete you can add further points such as authenticity , Legitimate Use, accountability or nonrepudiation. Integrity Availability Confidentiality CIA model Computer security Confidentiality Prevention of unauthorised disclosure of information •Historically, security and secrecy were closely related (even today?!). •Confidentiality (Privacy ,Secrecy). •Hiding the content of a document OR hiding its very existence. •Unlinkability: two or more items of interest (e.g. messages, actions, events, users, etc.) are unlinkableif an attacker cannot sufficiently distinguish whether they are related or not. •Anonymity: A subject (e.g. user) is anonymous if it cannot be identified within a given anonymity set of subjects. Integrity prevention of unauthorized modification of information •It is not easy to give a concise definition of integrity. •Does prevention of unauthorized actions fall under integrity? •Clark and Wilson : no user of the system , even if authorized, may be permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted. •We have captured security by specifying the user actions that have to be controlled. •External consistency : the data stored in a computer system should correctly reflect some reality outside the computer system. (DoD’sOrange book) Integrity •Integrity in communication security: refers to the detection and correction of modifications to, insertion in, deletion , or replay of transmitted data. •This include both intentional manipulations and random transmission errors. •Integrity is often a prerequisite for other security properties (e.g. protecting OS access control data so an attacker cannot change it to gain unauthorized access to documents). Here we have to protect the integrity of access control to achieve confidentiality. Availability prevention of unauthorised withholding of information or resources •According to ISO 7498-2: o Availability: the property of being accessible and usable upon demand by an authorized user. o Denial of Service (DoS):the prevention of authorized access to resources or the delaying of time-critical operations. •Although that availability is one of the most important aspects of computer security, there is a lack of security mechanisms effectively protecting against DoS attacks. •Security mechanisms that are too restrictive or too expensive can themselves lead to DoS Accountability •It is hard to prevent all improper actions: o we may find that authorized actions can lead to a security violation. o we may find a flaw in our security system that allow an attacker to find a way past our controls. •Users should be hold responsible for their actions. •Accountability : audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party. (the Orange book) •In order to do this, the system should first identify and authenticate its users. •It has to keep an audit trail (is a log of security-relevant events). Non-repudiation •Non-repudiation is related to accountability. •Non-repudiation: services provide unforgeable evidence that a specific action occurred. •Digital signatures provide non-repudiation. •Non-repudiation of origin: providing evidence about the sender of a document. •Non-repudiation delivery: providing evidence that a message was delivered to a specific recipient. Reliability •Reliability (accidental failures) & safety (impact of failures on the environment). •Reliability only quantifies the frequency of failures, disregarding the consequences of a failure. From a safety point of view it is important to consider the consequences of failures, especially the failures that lead to hazards. •Security and reliability are very much related and intersected. •Dependability: the property of a computer system such that reliance can justifiably be placed on the service it delivers. (IFIP WG 10.4) *skip 3.1.9 The fundamental Dilemma of computer security •Security-unaware users have specific security requirements but usually no security expertise. •A security unaware user cannot make educated decisions about security products and will have to pick standard ‘best practice’ solutions. •Standard solutions may not address the user’s specific requirements. •There is a trade-off between security and ease-of-use since: oSecurity mechanisms need additional computational resources. oSecurity interferes with the working patterns users are accustomed to. oEffort has to be put into managing security. Data vs. Information •Data represents information. •Information is the interpretation of data. •Data is physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information. •A covert channel is an information flow that is not controlled by a security mechanism. Principles of Computer Security •Fundamental design parameters of computer security. Application Software User (subject) Resource (object) Hardware •The figure above sketches the main dimensions in the design space for computer security. Horizontal axis represents the focus of the security policy, whilst the vertical axis represents the layer of the computer system where a protection mechanism is implemented. Focus of Control First Design Decision: In a given application (i.e. a cash machine), should the protection mechanism in a computer system focus on: •data; •Operations; and/or •users (access control)? It is a fundamental design decision choosing which these options to take when applying security controls. Operating system have traditionally focused on protection data. In modern applications, it is often more relevant to control users’ actions. The Man-Machine Scale Services generic while mechanisms at the outside are more OS likely to address individual user requirements OS Kernel Hardware Second Design Decision: In which layer of the computer system should a security mechanism be placed? more generic simple machine-oriented Mechanisms towards the center tend to be more more specific complex man-oriented Applications Complexity vs. Assurance •There is a trade-off between complexity and assurance. Third Design Decision: Simple with higher assurance OR complex with a feature-rich security environment? •Feature-rich security and high assurance do not match easily Centralized vs. Decentralized •Centralized(If a single entity is in charge of security): o Easy to achieve uniformity. o Better control. BUT o Performance bottleneck. o Single Point of Failure (SPoF). •Decentralized(Distributed): o More efficient. o No SPoF. BUT o More expensive and complicated (e.g. cost, management, etc.). Fourth Design Decision: Centralized OR decentralized? The Layer Below •Every protection mechanism defines a security perimeter (boundary). •Attackers may bypass protection mechanisms at some layer. Fifth Design Decision: How can you prevent an attacker from getting access to a layer below the protection mechanism? •The Layer Below – Examples: 1. Recovery tools, like Norton Utilities, restore the data by reading memory directly and then restoring the file structure. Such a tool can be used to circumvent logical access control as it does not care for the logical memory structure The Layer Below – Examples 2. Unix treats I/O devices and physical memory devices like files. If access permissions are defined badly, e.g. if read access is given to a disk containing read protected files, then an attacker can read the disk contents and reconstruct the files. 3. Object reuse: in a single processor system, when a new process becomes active, it gets access to memory positions used by the previous process. You have to avoid storage residues, i.e. data left behind in the memory area allocated to the new process. 4. Buffer Overruns: a value is assigned to a variable that is too large for the memory buffer allocated to that variable , so that memory allocated to other variables is overwritten. The Layer Above •It is not very wise design decision to spend much time and effort trying to protect a layer from the layer above it! •The security services provided by a layer are mostly not sufficient to the layer above it which requires more complex man-oriented services. Reading “Computer Security ”, 3rd edition by Dieter Gollmann. Wiley, March, 2011. Chapter 3