EE515/IS523
Think Like an
Adversary
Lecture 2
Security Engineering
Yongdae Kim
Recap
http://syssec.kaist.ac.kr/courses/ee515
E-mail policy
Include [ee515] or [is523] in the subject of your
e-mail
Student Survey
http://bit.ly/SiK9M3
News and Research Paper Survey
 Every student needs to submit a summary of news or a
research paper twice
 Submission
 TBD
 Submission date
 Check class calendar
 Topic
 News and research papers should deal with security issues.
 Your content should be different from others. Therefore, always
check the current postings.
 Use twitter, google reader
 Length: maximum 1,000 words, Grading: A – F
 Subject: Title – Author (ID) – #-th
News Survey
News must be fresh
 published within two weeks from the due dates.
Investigative/data journalism
No duplicate!
Do not rely on a single source. Read related articles.
Use your own language
Bibliography should be added.
 "The register" (http://www.theregister.co.uk/)
 "Ars Technica" (http://arstechnica.com/)
 "Bruce Schneier's blog" (http://www.schneier.com/)
 F-secure web blog (http://www.f-secure.com/weblog/)
 etc.
Group Projects
Each project should have some "research" aspect.
Group size
 Min 1 Max 5
Important dates
 Pre-proposal: Sep 17, 9:00 AM.
 Full Proposal: Sep 24, 9:00 AM.
 Midterm report: Oct 24, 9:00 PM
 Final report: Dec 12, 9:00 AM. (NO EXTENSION!!).
Project examples
 Attack, attack, attack!
 Analysis
 Measurement
TSS Body Scanner
6
BMW Stealer
First, the car is entered
nearby RF jammers that block the lock signal
breaking a window
exploiting a gap in the car's internal ultrasonic sensor system to avoid
tripping the alarm.
Connect a device to the car's OBD-II connector
Access to the cars’ unique key fob digital ID,
program a blank key fob to work with the car
http://www.youtube.com/watch?v=DshK4ZXPU9o
Authentication Failure
Security Engineering
Building a systems to remain dependable in
the face of malice, error or mischance
Attack
Security
System
Service
Deny Service,
Degrade QoS,
Misuse
Prevent Attacks
Communication
Send message
Eavesdrop
Encryption
Web server
Serving web page
DoS
CDN?
Computer
;-)
Botnet
Destroy
SMS
Send SMS
Shutdown Cellular
Network
Rate Control,
Channel separation
Pacemaker
Heartbeat Control
Remote programming and
eavesdropping
Distance bounding?
Nike+iPod
Music + Pedometer
Tracking
Don’t use it?
Recommendation
system
Collaborative
filtering
Control rating using Ballot
stuffing
?
A Framework
Policy: what you are
supposed to achieve
Policy
Incentives
Mechanism: ciphers,
access control,
hardware tamper
Mechanism
Assurance
resistance
Assurance: the amount of reliance you can put
on each mechanism
Incentive: to secure or to attack
Design Hierarchy
What are we trying
to do?
How?
With what?
Policy
Protocols
Hardware, crypto,
...
Security vs Dependability
Dependability = reliability + security
Reliability and security are often strongly
correlated in practice
But malice is different from error!
Reliability: “Bob will be able to read this file”
Security: “The Chinese Government won’t be able
to read this file”
Proving a negative can be much harder …
Methodology 101
Sometimes you do a top-down development. In that
case you need to get the security spec right in the
early stages of the project
More often it’s iterative. Then the problem is that
the security requirements get detached
In the safety-critical systems world there are
methodologies for maintaining the safety case
In security engineering, the big problem is often
maintaining the security requirements, especially as
the system – and the environment – evolve
Terminologies
A system can be:
a product or component (PC, smartcard,…)
some products plus O/S, comms and
infrastructure
the above plus applications
the above plus internal staff
the above plus customers / external users
Common failing: policy drawn too narrowly
Terminologies
A subject is a physical person
A person can also be a legal person (firm)
A principal can be
 a person
 equipment (PC, smartcard)
 a role (the officer of the watch)
 a complex role (Alice or Bob, Bob deputising for Alice)
The level of precision is variable – sometimes you
need to distinguish ‘Bob’s smartcard representing
Bob who’s standing in for Alice’ from ‘Bob using
Alice’s card in her absence’. Sometimes you don’t
Terminologies
Secrecy is a technical term – mechanisms
limiting the number of principals who can
access information
Privacy means control of your own secrets
Confidentiality is an obligation to protect
someone else’s secrets
Thus your medical privacy is protected by
your doctors’ obligation of confidentiality
Terminologies
Anonymity is about restricting access to
metadata. It has various flavors, from not
being able to identify subjects to not being
able to link their actions
An object’s integrity lies in its not having
been altered since the last authorized
modification
Authenticity has two common meanings –
an object has integrity plus freshness
you’re speaking to the right principal
Terminologies
A security policy is a succinct statement of
protection goals – typically less than a page of
normal language
A protection profile is a detailed statement of
protection goals – typically dozens of pages of semiformal language
A security target is a detailed statement of
protection goals applied to a particular system – and
may be hundreds of pages of specification for both
functionality and testing
Threat Model
What property do we want to ensure against
what adversary?
Who is the adversary?
What is his goal?
What are his resources?
e.g. Computational, Physical, Monetary…
What is his motive?
What attacks are out of scope?
Terminologies
Attack: attempt to breach system security (DDoS)
Threat: a scenario that can harm a system (System
unavailable)
Vulnerability: the “hole” that allows an attack to
succeed (TCP)
Security goal: “claimed” objective; failure implies
insecurity
Goals: Confidentiality
Confidentiality of information means that it
is accessible only by authorized entities
Contents, Existence, Availability, Origin,
Destination, Ownership, Timing, etc… of:
Memory, processing, files, packets, devices,
fields, programs, instructions, strings...
Goals: Integrity
Integrity means that information can only be
modified by authorized entities
e.g. Contents, Existence, Availability, Origin,
Destination, Ownership, Timing, etc… of:
Memory, processing, files, packets, devices,
fields, programs, instructions, strings...
Goals: Availability
Availability means that authorized entities
can access a system or service.
A failure of availability is often called Denial
of Service:
Packet dropping
Account freezing
Jamming
Queue filling
Goals: Accountability
Every action can be traced to “the
responsible party.”
Example attacks:
Microsoft cert
Guest account
Stepping stones
Goals: Dependability
A system can be relied on to correctly
deliver service
Dependability failures:
Therac-25: a radiation therapy machine
whose patients were given massive overdoses (100
times) of radiation
bad software design and development practices:
impossible to test it in a clean automated way
Ariane 5: expendable launch system
the rocket self-destructing 37 seconds after launch
because of a malfunction in the control software
A data conversion from 64-bit floating point value to 16bit signed integer value
Interacting Goals
Failures of one kind can lead to failures of
another, e.g.:
Integrity failure can cause Confidentiality failure
Availability failure can cause integrity,
confidentiality failure
Etc…
In a Nutshell
Security by Obscurity is not secure!
Conservative modeling for adversary
State-sponsored, Hacktivists, Hacker+Criminals, Researchers ;-)
Care for the weakest link.
Plan for unknown attacks.
Check for environmental changes
All stages are important
Attacker modeling, design, implementation, deployment,
operation
Check News!
Cyber Warfare?
Security & Risk
We only have finite resources for security…
Product A
Product B
Prevents
Attacks:
U,W,Y,Z
Prevents
Attacks:
V,X
Cost $10K
Cost $20K
If we only have $20K, which should we buy?
Risk
The risk due to a set of attacks is the
expected (or average) cost per unit of time.
One measure of risk is Annualized Loss
Expectancy, or ALE:
ALE of attack A
Σ
( pA × L A )
attack A
Annualized attack
incidence
Cost per attack
Risk Reduction
A defense mechanism may reduce the risk
of a set of attacks by reducing LA or pA. This
is the gross risk reduction (GRR):
Σ
(pA ×LA – p’A×L’A)
attack A
The mechanism also has a cost. The net
risk reduction (NRR) is GRR – cost.
Basic Cryptography
Yongdae Kim
The main players
Eve
Yves?
Alice
Bob
Attacks
Normal Flow
Source
Interruption: Availability
Source
Destination
Modification: Integrity
Source
Destination
Destination
Interception: Confidentiality
Source
Destination
Fabrication: Authenticity
Source
Destination
Taxonomy of Attacks
Passive attacks
Eavesdropping
Traffic analysis
Active attacks
Masquerade
Replay
Modification of message content
Denial of service
Big picture
Trusted third party
(e.g. arbiter, distributor
of secret information)
Bob
Alice
Message
Information
Channel
Secret
Information
Message
Secret
Information
Eve
Terminology for Encryption
A denotes a finite set called the alphabet
M denotes a set called the message space
M consists of strings of symbols from an alphabet
An element of M is called a plaintext
C denotes a set called the ciphertext space
C consists of strings of symbols from an alphabet
An element of C is called a ciphertext
 K denotes a set called the key space
 An element of K is called a key
Ee is an encryption function where e  K
Dd called a decryption function where d  K
Encryption
Adversary
Encryption
Ee(m) = c
c
insecure channel
m
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
Why do we use key?
Or why not use just a shared encryption function?
SKE with Secure channel
Adversary
Key source
d
Secure channel
e
Encryption
Ee(m) = c
m
c
Insecure channel
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
PKE with insecure channel
Passive
Adversary
e
Insecure channel
Key source
d
Encryption
Ee(m) = c
m
c
Insecure channel
Decryption
Dd(c) = m
m
Plaintext source
destination
Alice
Bob
Public key should be authentic!
e
e’
Ee(m)
Ee’(m)
e
Ee(m)
Need to authenticate public keys
Digital Signatures
Primitive in authentication and nonrepudiation
Signature
Process of transforming the message and some
secret information into a tag
Nomenclature
M is set of messages
S is set of signatures
SA: M ! S for A, kept private
VA is verification transformation from M to S for
A, publicly known
Key Establishment, Management
Key establishment
Process to whereby a shared secret key becomes
available to two or more parties
Subdivided into key agreement and key
transport.
Key management
The set of processes and mechanisms which
support key establishment
The maintenance of ongoing keying relationships
between parties
Symmetric vs. Public key
Pros
Cons
 High data throughput
SKE
 Relatively short key size
The key must remain secret
at both ends
O(n2) keys to be managed
Relatively short lifetime of
the key
O(n) keys
Only the private key
must be kept secret
PKE
longer key life time
digital signature
Low data throughput
Much larger key sizes
Symmetric key Encryption
Symmetric key encryption
if for each (e,d) it is easy computationally easy to
compute e knowing d and d knowing e
Usually e = d
Block cipher
breaks up the plaintext messages to be
transmitted into blocks of a fixed length, and
encrypts one block at a time
Stream cipher
encrypt individual characters of plaintext
message one at a time, using encryption
transformation which varies with time
Hash function and MAC
A hash function is a function h
 compression
 ease of computation
 Properties
one-way: for a given y, find x’ such that h(x’) = y
collision resistance: find x and x’ such that h(x) = h(x’)
 Examples: SHA-1, MD-5
MAC (message authentication codes)
 both authentication and integrity
 MAC is a family of functions hk
ease of computation (if k is known !!)
compression, x is of arbitrary length, hk(x) has fixed length
computation resistance
 Example: HMAC