AN INTRODUCTION TO COMPUTER SECURITY

Richard A. Kemmerer
Computer Science Department
University of California
Santa Barbara, California, U.S.A.
Email: kemm@cs.ucsb.edu

CS177 2004 Overview of Security 1

Information is a commodity: its purchase and sale is central to the free enterprise system

Protection mechanisms are like putting a lock on the door of a merchant's warehouse

How bad is it?

The pervasive use of computer and network technologies in all walks of life has turned cybersecurity issues into (inter)national security issues

How bad is it?

September 2001 – Nimda worm spread nationwide in less than an hour and attacked 86,000 computers

January 2003 – Sapphire/Slammer SQL worm was able to spread nationwide in less than 10 minutes, doubling in size every 8.5 seconds. At its peak (3 minutes after its release) it scanned at over 55 million IP addresses per second, infecting 75,000 victims

Why is it so bad?

Computers are everywhere
Internet has become a mission-critical infrastructure for business, government, and financial institutions
Today's networks are very heterogeneous; highly critical applications run side by side with noncritical systems
Cyber attacks against non-critical services may produce unforeseen side-effects of devastating proportions

Why is it so bad? Home Users Increase Vulnerabilities

Today most homes are connected, particularly with the advent of DSL and cable modems
Most home users:
– are unaware of vulnerabilities
– don't use firewalls
– think they have nothing to hide or don't care if others get their data
– don't realize their systems can serve as jump-off points for other attacks (zombies)

Why is it so bad? Computer security is reactive

– usually reacting to latest attack
– offense is easier than defense
Security is expensive both in dollars and in time
There is not now, and never will be, a system with perfect security

Security Incidents

[Chart: incidents per year, 1988–2003, y-axis 0 to 150,000. Values as read from the chart:]

Year  Incidents
1988        6
1989      132
1990      252
1991      406
1992      773
1993    1,334
1994    2,340
1995    2,412
1996    2,573
1997    2,134
1998    3,734
1999    9,859
2000   21,756
2001   52,658
2002   82,094
2003  137,529

Security Vulnerabilities

[Chart: vulnerabilities per year, 1988–2003, y-axis 0 to 5,000; the yearly values did not survive extraction]

Who are the attackers?

Script kiddies download malicious software from hacker web sites
Hackers trying to prove to their peers that they can compromise a specific system
Insiders are legitimate system users who access data that they have no rights to access
Organizational level attackers use the full resources of the organization to attack
After September 11, 2001 the idea of national state level cyber attacks being carried out by terrorists became a big concern

Security

The protection of resources (including data and programs) from accidental or malicious modification, destruction, or disclosure

Outline

Examples of known security threats
Classification of security threats
Security policies
Protection mechanisms
Techniques for assuring system security

Most Common Threat: Password Guessing

– More of a problem with the availability of personal computers and fast connections
– Exhaustive search for passwords
– Lists of commonly used passwords
– Distributed default passwords

Spoofing

Duping a user into believing that he is talking to the system and revealing information (e.g., password)

Browsing

After an intruder has gained access to a system he may peruse any files that are available for reading and glean useful information for further penetrations
– Often done by legitimate users

Trojan Horse

A program that does more than it is supposed to do
– More sophisticated threat
– A text editor that sets all of your files to be publicly readable in addition to performing editing functions
– Every unverified program is suspect

[Diagram labels: Legal User, Borrowed Program, Trojan Horse, Access Right, Call Misuse, Restricted Data]

Trap Door

A system modification installed by a penetrator that opens the system on command
– May be introduced by a system developer
– Bogus system engineering change notice

Virus

A program that can infect other programs by modifying them to include a possibly evolved copy of itself

Examples

Amiga Virus
– Resident on boot block
IBM Christmas Virus
– Names and netlog files
– Denial of service
Census Bureau County and City Data Book CD-ROM
WWW Pages Containing Applets
MIME-encoded Mail
Code Red Worm
Blaster
Sasser

Statistical Database

A statistic is sensitive if it discloses confidential information about some individual, organization, or company
Nonsensitive statistics may lead to the disclosure of sensitive data

Inference of Sensitive Data From Nonsensitive Information

Can detect information about an individual by querying about a group where the individual is the only member in the group or the only one not in the group
For example: if Smith is the only foreign worker, one can deduce information about Smith by querying about non-foreigners

Example Database

Name    Sex  Major  Class  SAT  GP
Bruno   F    CS     1998   600  3.2
Alley   F    EE     1998   520  2.5
Lasta   M    EE     1996   630  3.5
Gise    F    CS     1996   800  4.0
Kies    M    BIO    1997   500  2.2
Costo   M    EE     1995   580  3.0
Kraig   M    CS     1996   700  3.8
Good    F    PSY    1997   580  2.8
Islay   M    CS     1995   600  3.2
Farel   F    BIO    1997   750  3.8
Pfau    F    PSY    1995   500  2.5
Ghezzi  M    EE     1996   600  3.0
Boyer   M    CS     1997   650  3.5

Why Computer Crime is not Reported

– A successful attack reveals vulnerabilities to other potential intruders
– Adverse publicity discourages new clients and disappoints shareholders
– Often viewed as a harmless prank

THREAT CLASSIFICATION

Security

Confidentiality – ensures that sensitive information is not disclosed to unauthorized recipients
Integrity – ensures that the data and programs are modified or destroyed only in a specified and authorized way
Availability – ensures that the resources of the system will be usable whenever they are needed by an authorized user

Computer Security Threats

Browsing
Leakage
Inference
Tampering
Accidental destruction
Masquerading
Denial of service

Browsing – Searching through main and secondary memory for residue information
Leakage – Transmission of data to an unauthorized user from a process that is allowed to access the data
Inference – Deducing confidential data about an individual by correlating unrelated statistics about groups of individuals

Masquerading – Gaining access to the system under another user's account
Tampering – Making unauthorized changes to the value of information

Denial of Service – Prevention of authorized access to computer resources or the delaying of time-critical operations
Accidental Data Destruction – Unintentional modification of information

Bishop Threat Definitions

Threat is a potential violation of security
Attacks are those actions which could cause a threat to occur
Attackers are those who execute an attack

CERIAS Definitions

Vulnerability is a flaw in a system that allows a policy to be violated
Exploit is the act of exercising a vulnerability
– Also used to refer to an actual program, binary or script that automates an attack
Exposure is an information leak that may assist an attacker

Security Policy

A security policy is a statement of what is and what is not allowed
May be informal (English statements) or formal (mathematical logic statements)

Access Control

A means of limiting a user's access to only those entities that the policy determines should be accessed
Subjects – Active entities in the system (e.g., users, processes, programs)
Objects – Resources or passive entities in the system (e.g., files, programs, devices)
Access Modes – Read, write, execute, append, update
Access Control Mechanisms – Determine for each subject what access modes it has for each object

Access Control

Discretionary Access Control
The owner specifies to the system what other users can access his files (access is at the user's discretion)

Mandatory Access Control
The system determines whether a user can access a file based on the fixed security attributes of the user and of the file (non-discretionary access)

Mandatory Control Policy

– Each subject has an access class (authorization)
– Each object has an access class (classification)
– Access class made up of
  * level
  * category set
– Comparison of access classes
  * equal (=)
  * less than (<)
  * greater than (>)
  * not comparable (NC)

Example Mandatory Controls

– Three security levels: Unclassified, Confidential, Secret
– Three security categories: Crypto, Nuclear, Intelligence

Comparisons
SECRET/{CRYPTO} = SECRET/{CRYPTO}
SECRET/{CRYPTO} > CONFIDENTIAL/{CRYPTO}
SECRET/{CRYPTO} < SECRET/{CRYPTO, NUCLEAR}
SECRET/{CRYPTO} NC SECRET/{NUCLEAR}

Access Rules

Simple security property
Read permission if: Access class (subject) >= Access class (object)

*-Property
Write permission if: Access class (subject) <= Access class (object)

Approaches to Security

• Procedural
• Functions and Mechanism
• Assurance

Procedural Approaches

Prescribes appropriate behavior for a user interacting with the system
– periods processing
– guidelines for managing passwords
– appropriate handling of removable storage devices

Periods Processing

Split the day into periods and run different classification jobs in each period

Guidelines for Choosing Passwords

– Long (8 character minimum)
– Non-obvious
– Not written in an obvious place
– Changed at appropriate intervals
– Not shared
– Not stored
Many guidelines can be enforced by the system

Non-Obvious Passwords

NOT:
First name
Middle name
Last name
Spouse's name
Login name
Null
Name backwards
Name repeated twice

Appropriate Handling of Hardware

Management of removable media
Disposal of hardware
– study showed that confidential information is often left in hardware to be salvaged (IEEE Security & Privacy magazine, January 2003)

Functions and Mechanisms

Enforce security policy
Examples are the 3As
– Authentication: assures that a particular user is who he/she claims to be
– Access control: a means of limiting a user's access to only those entities that the policy determines should be accessed
– Audit: a form of transaction record keeping. The data collected is called an audit log

Authentication Mechanisms

Authenticates users at login time
– Secure attention key
– One-way functions

Secure Attention Key

– Foils attempts at spoofing
– Guarantees trusted path to the system
– User must use it

One-Way Function

A function whose inverse is computationally infeasible to determine
– Enciphered passwords are stored in a password file
– At login time the password presented by the user is enciphered and compared to what is in the password file

Reference Monitor

Provides mediation of all accesses to assure that the access control policy is enforced

[Diagram]
SUBJECTS: USERS, PROCESSES, JOB STREAMS, ...
  --> REFERENCE MONITOR -->
OBJECTS: FILES, PROGRAMS, TAPES, TERMINALS
AUTHORIZATIONS: USER ACCESS, NEED TO KNOW, OBJECT SENSITIVITY, ...

Reference Monitor must be
– Invoked on every reference
– Tamperproof
– Subject to analysis/test whose completeness can be assured

Security Kernel

[Diagram: layers USERS / APPLICATIONS / SUPERVISOR / KERNEL, with TRUSTED SUBJECTS and TRUSTED USERS alongside]

Kernel must handle parts of the operating system that manage resources shared by multiple users
Supervisor contains functions that provide useful common facilities but do not manage anything shared among users
Trusted subjects are used to extend the security policy
– May perform actions not permitted by the access checks
– Must be subject to analysis and test just like the security kernel

ASSURANCE TECHNIQUES

Assurance Techniques

Penetration analysis
Covert channel analysis
Formal verification

Penetration Analysis

Uses a collection of known flaws, generalizes the flaws, and tries to apply them to the system being analyzed
– Penetration team known as "Tiger Team"
– Demonstrates the presence, not the absence, of protection failures

Covert Channels

Security analysis of both overt and covert channels is necessary
Overt channel
– Uses the system's protected data objects to transfer information
Covert channel
– Uses entities not normally viewed as a data object to transfer information

Two Types of Covert Channels

Storage channels – the sender alters the value of a data item and the receiver detects and interprets the altered value to receive information covertly
Timing channels – the sender modulates the amount of time required for the receiver to perform a task or detect a change in an attribute, and the receiver interprets the delay or lack of delay to receive information covertly

Formal Verification Techniques

Requirements
  | Informal Review
Formal Model
  | Design Verification
Formal Specification
  | Code Verification
HOL Language Implementation

Models

Access Control
Considers subjects and objects requirements:
1) If subject s has read access to object o, then Security_level(s) >= Security_level(o)
2) If subject s has write access to object o, then Security_level(s) <= Security_level(o)

Formal Specifications

Algebraic
Relates results of sequences of operations
E.g.
Exchange(Exchange(pair)) = pair
First(Exchange(pair)) = Last(pair)
Last(Exchange(pair)) = First(pair)

Formal Specifications

State Machine
Relates values of variables before and after each state transition
E.g.
Exchange(x, y)
New_value(x) = y & New_value(y) = x

Design Verification

Consistency between the model and the specification
Assumes:
– Model is appropriate
– Specification is complete

Code Verification

Consistency between the specification and the implementation
Assumes:
– Specification is appropriate
– Implementation language is correctly defined

Cyber Attacks are Usually a Multi-Step Process

Surveillance to collect information about a particular target host or network
Remote exploitation of the vulnerabilities associated with services identified in the previous step
Escalation of the attacker's privileges
Extend the compromise to neighboring parts of the network

What About Privacy?

Confidentiality – ensures that sensitive information is not disclosed to unauthorized recipients
Integrity – ensures that the data and programs are modified or destroyed only in a specified and authorized way
Availability – ensures that the resources of the system will be usable whenever they are needed by an authorized user
Privacy – ensures that only the information that an individual wishes to disclose is disclosed

Other Privacy Concerns

Privacy is more than just confidentiality
Privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports)
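Worked example for the "Statistical Database", "Inference of Sensitive Data From Nonsensitive Information" and "Example Database" slides. This is an added example, not code from the slides or from the course: it re-enters the slide's 13-row table as constructed data and shows why a query-set-size control must bound the complement of a query set as well as the set itself (the "only one not in the group" case the slide describes). The minimum set size of 3, the function names and the audit helper are assumptions.

```python
"""Query-set-size control for a statistical database (added example).

Kies is the only male BIO major in the slide's table, so a statistic over
"male BIO majors" is sensitive. A naive control that only refuses small
result sets still leaks Kies's GP through two permitted queries: the
average over everyone and the average over everyone who is NOT a male BIO
major. The guarded control refuses both a small set and a small complement.
"""
from typing import Callable, List, Optional, Tuple

Record = Tuple[str, str, str, int, int, float]  # name, sex, major, class, sat, gp

# Constructed copy of the slide's "Example Database".
STUDENTS: List[Record] = [
    ("Bruno",  "F", "CS",  1998, 600, 3.2),
    ("Alley",  "F", "EE",  1998, 520, 2.5),
    ("Lasta",  "M", "EE",  1996, 630, 3.5),
    ("Gise",   "F", "CS",  1996, 800, 4.0),
    ("Kies",   "M", "BIO", 1997, 500, 2.2),
    ("Costo",  "M", "EE",  1995, 580, 3.0),
    ("Kraig",  "M", "CS",  1996, 700, 3.8),
    ("Good",   "F", "PSY", 1997, 580, 2.8),
    ("Islay",  "M", "CS",  1995, 600, 3.2),
    ("Farel",  "F", "BIO", 1997, 750, 3.8),
    ("Pfau",   "F", "PSY", 1995, 500, 2.5),
    ("Ghezzi", "M", "EE",  1996, 600, 3.0),
    ("Boyer",  "M", "CS",  1997, 650, 3.5),
]
GP = 5           # column index of the grade-point field
MIN_SET = 3      # assumed minimum query-set size for a released statistic

Predicate = Callable[[Record], bool]


def naive_avg_gp(pred: Predicate, records=STUDENTS, min_set=MIN_SET) -> Optional[float]:
    """Release policy that only refuses result sets smaller than min_set."""
    rows = [r for r in records if pred(r)]
    if len(rows) < min_set:
        return None
    return sum(r[GP] for r in rows) / len(rows)


def guarded_avg_gp(pred: Predicate, records=STUDENTS, min_set=MIN_SET) -> Optional[float]:
    """Release policy that also refuses result sets whose complement is
    smaller than min_set, closing the "only one not in the group" route."""
    rows = [r for r in records if pred(r)]
    n, total = len(rows), len(records)
    if n < min_set or total - n < min_set:
        return None
    return sum(r[GP] for r in rows) / n


def is_male_bio(r: Record) -> bool:
    return r[1] == "M" and r[2] == "BIO"


def singleton_leak(avg_fn, pred: Predicate, records=STUDENTS) -> Optional[float]:
    """Audit helper: given a release policy avg_fn and a predicate that
    matches exactly one record, try to reconstruct that record's GP from
    the two group averages the slide describes. Returns None if the policy
    blocks either query, i.e. the policy passes this check."""
    everyone = avg_fn(lambda r: True, records)
    others = avg_fn(lambda r: not pred(r), records)
    if everyone is None or others is None:
        return None
    n = len(records)
    return everyone * n - others * (n - 1)   # total sum minus sum of the others


if __name__ == "__main__":
    print("direct query under naive policy:", naive_avg_gp(is_male_bio))   # refused
    print("leak under naive policy:", singleton_leak(naive_avg_gp, is_male_bio))
    print("leak under guarded policy:", singleton_leak(guarded_avg_gp, is_male_bio))
```

Under the guarded policy the whole-population average is itself refused, because its complement is empty; real systems publish that count separately rather than through the query interface, and more elaborate trackers exist, so set-size control is a first line of defense rather than a complete one.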
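Worked example for the "Mandatory Control Policy", "Example Mandatory Controls", "Access Rules" and "Models" slides. This is an added example, not code from the slides: it encodes an access class as a (level, category set) pair, returns the four comparison outcomes the slides list (=, <, >, NC), and applies the simple security property and *-property exactly as stated. The class and function names and the small parser for the slide's SECRET/{CRYPTO} notation are assumptions.

```python
"""Access-class lattice and the two mandatory access rules (added example)."""
from dataclasses import dataclass
from typing import FrozenSet

# Levels and categories from the "Example Mandatory Controls" slide.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
CATEGORIES = frozenset({"CRYPTO", "NUCLEAR", "INTELLIGENCE"})


@dataclass(frozen=True)
class AccessClass:
    level: str
    categories: FrozenSet[str]

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        unknown = self.categories - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories {sorted(unknown)}")

    def dominates(self, other: "AccessClass") -> bool:
        """self >= other: at least as high a level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def compare(a: AccessClass, b: AccessClass) -> str:
    """Return "=", ">", "<" or "NC" as on the slide."""
    ge, le = a.dominates(b), b.dominates(a)
    if ge and le:
        return "="
    if ge:
        return ">"
    if le:
        return "<"
    return "NC"   # neither dominates: e.g. SECRET/{CRYPTO} vs SECRET/{NUCLEAR}


def can_read(subject: AccessClass, obj: AccessClass) -> bool:
    """Simple security property: read if class(subject) >= class(object)."""
    return subject.dominates(obj)


def can_write(subject: AccessClass, obj: AccessClass) -> bool:
    """*-property: write if class(subject) <= class(object)."""
    return obj.dominates(subject)


def ac(text: str) -> AccessClass:
    """Parse the slide notation, e.g. 'SECRET/{CRYPTO, NUCLEAR}' or 'UNCLASSIFIED/{}'."""
    level, _, cats = text.partition("/")
    names = frozenset(c.strip().upper()
                      for c in cats.strip().strip("{}").split(",") if c.strip())
    return AccessClass(level.strip().upper(), names)


if __name__ == "__main__":
    s = ac("SECRET/{CRYPTO}")
    for other in ("SECRET/{CRYPTO}", "CONFIDENTIAL/{CRYPTO}",
                  "SECRET/{CRYPTO, NUCLEAR}", "SECRET/{NUCLEAR}"):
        print(f"SECRET/{{CRYPTO}} {compare(s, ac(other))} {other}")
```

Note that "not comparable" is a genuine fourth outcome rather than a failure of the comparison: a subject cleared for SECRET/{CRYPTO} can neither read nor write a SECRET/{NUCLEAR} object, which is the point of category sets.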
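Worked example for the "Guidelines for Choosing Passwords", "Non-Obvious Passwords" and "One-Way Function" slides, covering the slide's remark that many guidelines can be enforced by the system. This is an added example, not code from the slides: it rejects the NOT list (names, login, null, name backwards, name repeated twice) and the 8-character minimum at enrollment, stores only the enciphered form of the password, and at login enciphers the presented password and compares it with the stored value. PBKDF2-HMAC-SHA256 with a per-user salt as the one-way function, the iteration count, the record layout and the constructed user names are assumptions.

```python
"""Password guideline enforcement and one-way-function login check (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Set

MIN_LENGTH = 8          # "Long (8 character minimum)"
ITERATIONS = 200_000    # assumed PBKDF2 work factor


def obvious_choices(login: str, first: str, middle: str, last: str, spouse: str) -> Set[str]:
    """Expand the slide's NOT list into concrete strings to reject:
    each name, the login name, each name backwards, each name repeated twice."""
    out: Set[str] = set()
    for name in (first, middle, last, spouse, login):
        if name:
            n = name.lower()
            out.update({n, n[::-1], n * 2})
    return out


def check_guidelines(password: str, login: str, first: str = "", middle: str = "",
                     last: str = "", spouse: str = "") -> List[str]:
    """Return the guidelines the password violates; an empty list means acceptable."""
    problems = []
    if not password:
        problems.append("null password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in obvious_choices(login, first, middle, last, spouse):
        problems.append("obvious choice (a name, the login, reversed or repeated)")
    return problems


def encipher(password: str, salt: bytes) -> bytes:
    """The one-way function: inverting this to recover the password is infeasible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, login: str, **names: str) -> Dict[str, str]:
    """Enforce the guidelines, then return the password-file record.
    Only the salt and the enciphered password are stored, never the password."""
    problems = check_guidelines(password, login, **names)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return {"login": login, "salt": salt.hex(), "hash": encipher(password, salt).hex()}


def verify(record: Dict[str, str], password: str) -> bool:
    """Login-time check: encipher what the user presented and compare with the file."""
    presented = encipher(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(presented.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed identity; "jdoe" / "Jane Doe" / spouse "Alexander" are made up.
    print(check_guidelines("rednaxela", "jdoe", first="Jane", last="Doe", spouse="Alexander"))
    rec = enroll("correct horse 9", "jdoe", first="Jane", last="Doe")
    print(verify(rec, "correct horse 9"), verify(rec, "correct horse 8"))
```

The constant-time comparison and the per-user salt are not on the slide, but they are what makes "encipher and compare" safe in practice: the salt stops one precomputed table from covering every account, and the comparison does not leak how many bytes matched.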