Title: Protection and Security
Slide 1: Protection and Security
Security Problems
Recommended Reading:
- Bacon, J.: Concurrent Systems
- Nehmer, J.: Systemsoftware: Grundlagen moderner Betriebssysteme (ch. 11)
- Silberschatz, A.: Operating System Concepts (ch. 13, 14)
- Stallings, W.: Operating Systems (ch. 15)
- Tanenbaum, A.: Modern Operating Systems (ch. 4)
- Wettstein, H.: Systemarchitektur
Slide 2: Protection and Security
Outline: Motivation; Risk Analysis and Management; Security Concept and Requirements; Sensitive System Components; Types of Threats
Further Reading: Stallings, W.: Cryptography and Network Security, Prentice Hall, 1998; see also http://williamstallings.com/Security2e.html
Another interesting URL: http://www.cs.nps.navy.mil/curricula/tracks/security/sec_home.html
Slide 3: Security Problems
What's the major security problem with computer systems?
PEOPLE
- Lack of understanding (system managers as well as users)
- Most loss of information or system damage is not malicious
- Accidents
- Criminals
Slide 4: Security Problems
Why should you be interested in computer security?
- As a private citizen
  - Who has stored information about you?
  - What information is sensitive?
    - Personal data
      - age, driver's license, address, friends
      - magazines, clubs
      - phone number, social security number, etc.
    - Medical information
      - Have you applied for insurance?
      - Does your doctor use a billing agency?
      - Have you filled out an employment questionnaire?
    - Credit information
      - Does your bank still trust you?
    - Purchasing history
      - Do you shop with a credit card?
      - Do you shop on TV or by catalog?
  - Who is selling this information to whom?
Slide 5: Security Problems
Why should you be interested in computer security?
- As a member of the Department of Defense
  - You are required to safeguard classified material
  - You are required to safeguard sensitive but unclassified material such as Privacy Act data etc.
- As a member of the financial office
  - You should maximize the amount of taxes whilst minimizing conflicts with citizens
  - ....
- As a member of ...
Slide 6: Security Problems
Why is computer security so difficult?
- Managers are unaware of the value of their computer assets
- Fear of damage to public image
  - News about computer failures is really bad for the reputation
  - Some news about hackers tends to admire them
  - Bad reputation for a company if it was the target of an attack
- Legal definitions are often vague or non-existent
  - Some of the newer laws are event driven
  - Legal prosecution is difficult
Slide 7: Security Problems
What are the major hardware security problems?
- Theft
- Machinicide
- Bad habits of users or owners
  - (e.g. biking home after a longer visit to an Irish pub with the notebook in your rucksack)
Slide 8: Security Problems
What are the major software security problems?
- Theft
- Modification
  - Logic bomb (specific time or event driven)
  - Trojan horse
- Deletion
- Misplacement
- Corporate raiders
  - Trade secrets
  - Inside information
  - Financial predictions
- Crackers and hackers
  - Mainly the challenge or curiosity
- Phone phreaks
Slide 9: Security Problems
Some methods of defense
- Hardware control
  - Physical security (locks, perimeter control)
  - Hardware encryption
- Policies
  - Backup procedures
  - Virus protection
  - Password changes
  - Hours of usage
- Software control
  - Development control
    - Walk-through (coding)
    - Verification
    - Independent analysis
  - Operating systems
    - Impose limitations on system resources
    - Display brief messages to viewers
Slide 10: Security Problems
History of Computer Security and Events of Insecurity
The starting points:
- Multics (MIT; Organick, Dennis et al.; local security)
- A list of security problems by Dan McCracken in 1974
- A letter from Adele Goldberg, ACM President at that time, in Orwell's year 1984
See http://www.infowar.com/iwftp/risks/all_risks_index.shtml or http://www.securityfocus.com/cgi-bin/forums.pl, http://www.securityfocus.com/archive/1, http://www.securityteam.com/, http://www.netspace.org/dmacks/pub/lists/bugs, and ACM SIGSOFT Software Engineering Notes.
Slide 11: Security Problems
McCracken's Problem List (1974)
- Computers and money
- Computers and privacy
- Computers and elections
- Computers and defense
- Computers and human safety
- Computer-user consumer protection
- Computers and health
- Informal and formal models of critical properties
  - e.g., not just of security or reliability,
  - not so high-level as Asimov's Three Laws of Robotics, i.e.
    1. A robot may not injure a human being, or, through inaction, allow a human being to come to harm.
    2. A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
    3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Slide 12: Security Problems
Adele Goldberg's Letter (part 1)
On this day, 8 October 1984, the ACM Council passed an important resolution. It begins:
"Contrary to the myth that computer systems are infallible, in fact computer systems can and do fail (and will do so for a while). Consequently, the reliability of computer-based systems cannot be taken for granted. This reality applies to all computer-based systems, but it is especially critical for systems whose failure would result in extreme risk to the public. Increasingly, human lives depend upon the reliable operation of systems such as air traffic and high-speed ground transportation control systems, military weapons delivery and defense systems, and health care delivery and diagnostic systems."
Slide 13: Security Problems
Adele Goldberg's Letter (part 2)
(For sure, that's our job!)
The second part of the resolution includes a list of technical questions that should be answered about each computer system. This part states:
"While it is not possible to eliminate computer-based systems failure entirely, we believe that it is possible to reduce risks to the public to reasonable levels. To do so, system developers must better recognize and address the issues of reliability. The public has the right to require that systems are installed only after proper steps have been taken to assure reasonable levels of reliability. Issues and questions concerning reliability that must be addressed include:
1. What risks and questions concerning reliability are involved when the computer system fails?
2. What is the reasonable and practical level of reliability to require of the system, and does the system meet this level?
3. What techniques were used to estimate and verify the level of reliability?
4. Were the estimators and verifiers independent of each other and of those with vested interests in the system?"
Slide 14: Security Problems
Legend:
- ! Loss of Life
- Potentially Life-Critical
- Loss of Money/Equipment
- S Security/Privacy/Integrity Flaw
SYSTEM ENVIRONMENT
- !S Arthritis-therapy microwaves set heart pacemaker to 214, killed patient
- S Failed heart-shocking devices due to faulty battery packs (SEN 10 3)
- S Anti-theft device reset pacemaker; FDA investigating the problem (SEN 10 2)
- Three Mile Island, PA, now recognized as very close to meltdown (SEN 4 2)
- Crystal River, FL, reactor (Feb 1980) (Science 207, 3/28/80, 1445-48; SEN 10 3)
- SAC/NORAD: 50 false alerts in 1979 (SEN 5 3), incl. a simulated attack whose outputs accidentally triggered a live scramble, 9 Nov 1979 (SEN 5 3)
- NORAD radar at Thule detected the rising moon as incoming missiles, 5 Oct 1960 (SEN 8 3). See E.C. Berkeley, The Computer Revolution, pp. 175-177, 1962.
- Returning space junk detected as missiles. Daniel Ford, The Button, p. 85
- WWMCCS false alarms triggered scrams, 3-6 Jun 1980 (SEN 5 3; Ford pp. 78-84)
- DSP East satellite sensors overloaded by Siberian gas-field fire (Ford p. 62)
- 747SP (China Air.) autopilot tried to hold at 41,000 ft after an engine failed; other engines died in stall, plane lost 32,000 feet, 19 Feb 85 (SEN 10 2)
- 767 (UA 310 to Denver): four minutes without engines, August 1983 (SEN 8 5)
- F18: missile thrust while clamped, plane lost 20,000 feet (SEN 8 5)
- Mercury astronauts forced into manual reentry (SEN 8 3)
- Cosmic rays halve shuttle Challenger comm for 14 hours, 8 Oct 84 (SEN 10 1)
- Frigate George Philip fired missile in opposite direction (SEN 8 5)
- S Debit card copying easy despite encryption (DC Metro, SF BART, etc.)
- S Microwave phone calls easily interceptable; portable phones spoofable
Slide 15: Security Problems
SOFTWARE
- Mariner 1 Atlas booster launch failure: DO 100 I = 1.10 (not 1,10) (SEN 8 5)
- Mariner 18 aborted due to a missing NOT in program (SEN 5 2)
- F18 plane crashed due to missing exception condition, pilot OK (SEN 6 2)
- F14 off aircraft carrier into North Sea due to software? (SEN 8 3)
- F14 lost to uncontrollable spin, traced to tactical software (SEN 9 5)
- El Dorado's ABS bug caused recall of all El Dorados (SEN 4 4)
- Viking had a misaligned antenna due to a faulty code patch (SEN 9 5)
- First Space Shuttle: backup launch-computer synch problem (SEN 6 5, Garman)
- Second Space Shuttle operational simulation: tight loop upon cancellation of an attempted abort required manual override (SEN 7 1)
- Second Shuttle simulation: bug found in jettisoning an SRB (SEN 8 3)
- Gemini V: 100 mi landing error, program ignored orbital motion around sun (SEN 9 1)
- F16 simulation: plane flipped over whenever it crossed the equator (SEN 5 2)
- F16 simulation: upside-down F16 deadlock over left vs. right roll (SEN 9 5)
- Nuclear reactor design bug in Shock II model/program (SEN 4 2)
- Reactor overheating, low-oil indicator: two-fault coincidence (SEN 8 5)
- SF BART train doors sometimes open on long legs between stations (SEN 8 5)
- IRS reprogramming cost USA interest on at least 1,150,000 refunds (SEN 10 3)
Slide 16: Security Problems
- S Numerous system intrusions and penetrations; implanted Trojan horses; 414s intrusions into TRW Credit Information Service, British Telecom's Prestel, Santa Clara prison data system (inmate altered release date) (SEN 10 1)
- Computerized time-bomb inserted by programmer (for extortion?) (SEN 10 3)
- Colorado River flooding in 1983, due to faulty weather data and/or faulty model; too much water was kept dammed prior to spring thaws
- S Chernenko at MOSKVAX network mail hoax, 1 April 1984 (SEN 9 4)
- S VMS tape backup SW trashed disc directories dumped in image mode (SEN 8 5)
- 1979 AT&T program bug downed phone service to Greece for months (SEN 10 3)
- Demo NatComm thank-you mailing mistitled supporters, NY Times, 16 Dec 1984
- Program bug permitted auto-teller overdrafts in Washington State (SEN 10 3)
- Quebec election prediction gave loser big win, 1981 (SEN 10 2, p. 25-26)
- Other election problems including mid-stream corrections (HW/SW) (SEN 10 3)
- SW vendor rigs elections? (David Burnham, NY Times front page, 29 July 1985)
- Alaskan DMV program bug jails driver, Computerworld 15 Apr 85 (SEN 10 3)
- Vancouver Stock Index lost 574 points over 22 months -- roundoff (SEN 9 1)
- Gobbling of legitimate automatic teller cards (SEN 9 2)
Slide 17: Security Problems
(Schalenguß-Maschine: die-casting machine)
HARDWARE/SOFTWARE
- ! Michigan man killed by robotic die-casting machinery (SEN 10 2)
- ! Japanese mechanic killed by malfunctioning Kawasaki robot (SEN 10 1, 10 3; Electronic Engineering Times, 21 December 1981)
- ! Chinese computer builder electrocuted by his smart computer after he built a newer one. "Jealous Computer Zaps its Creator"! (SEN 10 1)
- FAA Air Traffic Control: many computer system outages (e.g., SEN 5 3)
- ARPANET ground to a complete halt, 27 Oct 1980 (SEN 6 1, Rosen)
- Ford Mark VII wiring fires: flaw in computerized air suspension (SEN 10 3)
- S Harrah's 1.7 Million payoff scam -- Trojan horse chip (SEN 8 5)
- Great Northeast power blackout due to a threshold set too low being exceeded (big social impact? baby boom after 9 months)
- Power blackout of 10 Western states, propagated error, 2 Oct 1984 (SEN 9 5)
- SF Muni Metro Ghost Train reappeared, forcing manual operation (SEN 8 3)
- Computer-controlled turntable for huge set ground "Grind" to halt (SEN 10 2)
- 8080 control system dropped bits and boulders from 80 ft conveyor (SEN 10 2)
- S 1984 Rose Bowl hoax, scoreboard takeover ("Cal Tech vs. MIT") (SEN 9 2)
Slide 18: Security Problems
COMPUTER AS CATALYST, HUMAN FRAILTIES, OR UNKNOWN CAUSES
- !! Korean Airlines 007 shot down 1 Sept 1983, killing 269; autopilot left on HDG 246 rather than INERTIAL NAV? (NY Review 25 Apr 85; SEN 9 1; SEN 10 3)
- !! Air New Zealand crashed into mountain in Antarctica, 28 Nov 1979; computer course data error had been detected and fixed, but the pilots had not been informed (SEN 6 3, 6 5)
- ! Woman killed daughter, tried to kill son and herself after computer error led to a false report of their all having an incurable disease (SEN 10 3)
- Unarmed Soviet missile crashed in Finland. Wrong flight path? (SEN 10 2)
- South Pacific Airlines, 200 aboard, 500 mi off course near USSR, 6 Oct 1984
- S San Francisco Public Defender's database accessible to police (SEN 10 2)
- Various cases of false arrest due to computer database use (SEN 10 3)
- A 500,000 transaction became 500,000,000; 200,000,000 lost (SEN 10 3)
- FAA Air Traffic Control: many near-misses not reported (SEN 10 3)
Slide 19: Security Problems
ILLUSTRATIVE OF POTENTIAL FUTURE PROBLEMS
- S Many known/past security flaws in computer operating systems and application programs. Discovery of new flaws running way ahead of their elimination.
- Expert systems in critical environments: unpredictability if (unknowingly) outside of range of competence, e.g., incompleteness of rule base.
- StarWars
- S Embezzlements, e.g., Muhammed Ali swindle 23.2 Million, Security Pacific 10.2 Million, City National Beverly Hills CA 1.1 Million, 23 Mar 1979. These were only marginally computer-related, but suggestive. Others are known, but not publicly acknowledged.
REFUTATION OF EARLIER REPORT
- ! "The incoming Exocet missile was not on the expected-enemy-missile list; instead it was interpreted as a friendly object." (SEN 8 3); see HMS Sheffield sinking, reported in New Scientist 97, p. 353, 2/10/83. Officially denied by British Minister of Defense Peter Blaker, New Scientist, vol. 97, page 502, 24 Feb 83. Rather, sinking abetted by defensive equipment being turned off to reduce communication interference?
Slide 20: Protection and Security
Two major fields: Economics, Military
Computer Security - Why?
- Information is a strategic resource
- Significant amounts of the organizational budget are spent on managing information
- Many different types of information with several security-related objectives
  - confidentiality (secrecy): protect the value of the information
  - integrity: protect the accuracy of the information
  - availability: ensure the delivery of the information
Slide 21: Security Problems
(Just figure out how many faults your vacuum cleaner can make which may significantly influence your future lifestyle.)
Motivation
- Why else do we have to talk about protection and security?
- Systems have just started to force their way into daily life
  - (In some years your vacuum cleaner may welcome you when you are entering your flat with words like these: "Please take off your shoes, I've just cleaned up the whole flat, and by the way I shall remind you: you'll have a date this evening at 9 pm", whilst your refrigerator claims: "Where are the bottles of champagne? You should start right now preparing her/his favorite dish, and please have a shower afterwards and change clothes.")
- Distributed systems
  - (Interaction between systems in local and wide area networks will increase dramatically; mobile agents may be active to help us spend more money on our main interests)
- Internet and its commercial applications
  - (Electronic commerce etc. will become THE battlefield of this decade)
Slide 22: Protection and Security
Motivation
- Why do we have to talk about protection and security?
- Systems have just started to force their way into daily life
  - (In some years your vacuum cleaner may welcome you entering your flat with words like these: "Please take off your shoes, I've just cleaned up the whole flat, and I shall remind you: you'll have a date this evening at 9 pm. You should start right now preparing her/his favorite dish.")
- Distributed systems
  - (Interaction between systems in local and wide area networks will increase significantly; mobile agents may be active to help us spend more money on our main interests)
- Internet and its commercial applications
  - (Electronic commerce etc. will become the real battlefield of this millennium)
Slide 23: Protection and Security
Motivation
- Embedded or pervasive systems in daily life
  - Communication (e.g. phone, fax, email, WWW, etc.)
  - Traffic (e.g. ABS, traffic control systems for cars, trains, ships, planes, autopilot, etc.)
  - Management (e.g. databases from small (sports) clubs up to big companies)
  - Medicine (e.g. virtual surgeon, electronic nurse within a quarantine ward, etc.)
Remark: Some of the above systems lead to deadly dangers if they fail or if someone can corrupt them!
Slide 24: Protection and Security
Motivation
- Characteristics of today's systems
  - Increasing complexity (number of components; more-than-linear growth of the interactions between these components)
  - Increasing pace of technological development (decreasing time-to-market interval, few opportunities to learn from bad experiences)
  - Vulnerability (inadequate software technology still allows accidental or even intentional bugs)
  - WWW (exponential expansion, thousands of new hackers per year, no way to control their activities)
Consequences: We have to invent basic mechanisms and policies preventing any accidental or intended damage to our systems.
Slide 25: Protection and Security
Motivation
- We can distinguish between two main classes of threats:
  - The system may be the source of a threat (e.g. a crazy mobile robot)
  - The system may be the target of a threat (e.g. a hacker's attack on the central database of the Pentagon)
Slide 26: Protection and Security
System as a Source of Threats
- Embedded systems as part of another technical system
  - Robots in a manufacturing line
  - ABS, airbag, injection control etc. in a car
  - Fly-by-wire in a plane
- Threat: A malfunctioning embedded system may lead to a crash of the overall system, i.e. risk for life and limb
- Safety means reliable function
  - highly available hardware
    - free of bugs
    - fault tolerant
  - correct software
    - correct and complete specification
    - correct implementation
Slide 27: Protection and Security
System as a Target of a Threat
- Conventional computers for management systems
  - SAP's R/3 as the central management system of a company
  - Special databases in a public authority (e.g. the inland revenue office; Hans Eichel controls the tax income)
  - Your PC or workstation
- Threat: economic disadvantages, or infringement of your personal rights, or denial of service
- Security means
  - Integrity (e.g. protection against damage or unauthorized modification of devices and data)
  - Confidentiality
  - Availability
Slide 28: Protection and Security
First-Glance Solutions for Both Problems
- Surround the system by some physical or logical security fence (in the case of a mobile robot you need at least the physical one).
- Surround the system by some physical or logical firewall, i.e. protect your system against attacks and threats.
Slide 29: Protection and Security
General Security and Protection Requirements
- Hints for security managers on how to establish a security concept
  - Specification of all needs concerning security
  - Analysis of potential threats
  - Cost-benefit analysis
  - Designing a security concept
  - Implementing the security measures
    - mechanisms
    - policies
  - Control of and reaction to security malfunctions
Slide 30: Protection and Security
Specification
- Which and how much security do we need where?
  - Availability of functions and services of the system
  - Controlling the use of the system
    - users
    - programs
    - data
  - Correctness of system programs and data
  - Confidentiality of data
  - Integrity of data
  - Logging all essential system events (audit)
Slide 31: Protection and Security
Risk Analysis
- Identification and valuation of the main components
  - what's valuable and has to be protected
- Threat analysis
  - which component might be threatened in which way
  - how likely is a threat
  - which countermeasures may be used
- Valuation of the risk
  - how much are the expected damage costs
  - how much would the countermeasures cost
  - is it better to prevent a potential damage or better to repair the potential damage?
Slide 32: Protection and Security
Risk Assessment
Use a risk matrix to evaluate threats and countermeasures. The four cells of the matrix:
- Prevention
- Contain and Control
- Contingency Plan or Insurance
- Live With
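As an added worked example (not part of the lecture slides), the valuation step from the risk analysis in Python: each threat carries an estimated loss per occurrence and an expected number of occurrences per year, a countermeasure carries its yearly cost and the share of the loss it avoids, and the "prevent or repair" question becomes a comparison of the avoided loss with the countermeasure cost. The placement of a threat in the four cells of the risk matrix uses thresholds on likelihood and loss that are my assumption (the slide only names the cells), and the inventory figures are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One line of the threat analysis: which asset, threatened how,
    expected damage of one occurrence, and how likely it is."""
    asset: str
    name: str
    loss_per_event: float    # expected damage cost of a single occurrence
    events_per_year: float   # likelihood, expressed as expected occurrences per year

    @property
    def annual_loss(self) -> float:
        """Valuation of the risk: expected damage cost per year."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # what the countermeasure costs per year
    avoided: float           # fraction of the expected loss it prevents (0.0 .. 1.0)


def matrix_cell(t: Threat, likely: float, severe: float) -> str:
    """Place a threat in the four-cell risk matrix.

    Assumed mapping (the slide only names the four cells): a threat with at least
    `likely` events per year counts as likely, one with at least `severe` damage per
    event counts as severe."""
    if t.events_per_year >= likely:
        return "Prevention" if t.loss_per_event >= severe else "Contain and Control"
    return "Contingency Plan or Insurance" if t.loss_per_event >= severe else "Live With"


def prevent_or_repair(t: Threat, m: Countermeasure) -> tuple:
    """Cost-benefit decision: prevent if the loss the countermeasure avoids per year
    exceeds its own yearly cost, otherwise live with the risk and repair the damage.
    Returns the decision and the net yearly benefit of preventing."""
    net = t.annual_loss * m.avoided - m.annual_cost
    return ("prevent" if net > 0 else "repair"), net


# Constructed sample inventory; the figures are illustrative, not from the slides.
INVENTORY = [
    (Threat("file server", "disk failure", 20_000, 0.5),
     Countermeasure("nightly backup and spare disk", 3_000, 0.9)),
    (Threat("workstation", "coffee in the keyboard", 100, 4.0),
     Countermeasure("keyboard covers", 800, 1.0)),
    (Threat("computing centre", "flood", 2_000_000, 0.01),
     Countermeasure("second site on high ground", 150_000, 0.95)),
    (Threat("notebook", "theft on the way home", 2_000, 0.1),
     Countermeasure("disk encryption", 50, 0.5)),
]


def assess(inventory=INVENTORY, likely=1.0, severe=10_000):
    """Risk analysis for the whole inventory: threat name -> (cell, decision, net benefit)."""
    return {
        t.name: (matrix_cell(t, likely, severe), *prevent_or_repair(t, m))
        for t, m in inventory
    }


if __name__ == "__main__":
    for name, (cell, decision, net) in assess().items():
        print(f"{name:24s} {cell:30s} {decision:8s} net {net:+,.0f} per year")
```

The flood line is the instructive one: a high-impact, rare event lands in the "Contingency Plan or Insurance" cell, and the expensive preventive measure does not pay for itself, so the sensible answer is to plan for repair (or insure) rather than prevent.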
Slide 33: Protection and Security
Risk Management
Use a risk management model to manage threats. Its elements:
- Assets
- Vulnerabilities
- Threats
- Risk
- Countermeasures
- Aftercare
Slide 34: Protection and Security
Assets
- Hardware
- Software
- Documentation
- Data
- Communications
- Environment
- People
Slide 35: Protection and Security
Threats
- Sources of threats: Users, Terrorists, Accidents, Issue-Motivated Groups, Hackers, Criminals, Acts of God, Foreign Intelligence
- Effects: Destroy, Disrupt, Lose, Modify, Disclose
- Targets: File, Subsystem, Database, ...
Slide 36: Protection and Security
Vulnerabilities
Modem
Central Processor
Remote Terminal
Peripheral Device
Oversight
Slide 37: Protection and Security
Designing a Security Concept
- A security concept describes how to treat threats and may cover the following:
  - Security principles
  - Directives
  - Practices
  - Advice
  - Rules
  - Guiding principles, etc.
Remark: Most of the above belongs to the management of an organization as a whole. Thus, we will focus on security concepts belonging to the system itself.
Slide 38: Protection and Security
Security Concept
- Principles, e.g. security policies (mandatory or not; a mandatory policy has to be obeyed by all subjects, no exceptions are allowed!)
  - describe the long-term security philosophy
  - objects to be protected and why
  - who is responsible for what
- Rules, e.g. security standards
  - are applied in the different subsystems
  - concrete advice that can be easily controlled
  - neither technical procedures nor machine-specific instructions
- Guiding instructions
  - concretize the rules for special hardware
  - specify on a technical level what has to be done and how
  - these guiding instructions have to be adjusted to each new hardware/software version
Slide 39: Protection and Security
Endangered Systems
- Embedded Systems
- Local Systems
- Mobile Systems
- Networked Systems
- Worldwide Systems
Slide 40: Protection and Security
Local System Security
- Collection of tools designed to thwart hackers and/or prevent unskilled users from doing foolish operations
- Became necessary with the introduction of the computer
- Need for automated tools protecting files etc.
Slide 41: Protection and Security
Network Security
- Protects data during transmission
  - between terminals and the mainframe, or
  - between different computers
- Includes telephone transmission and local area networks
Slide 42: Protection and Security
Computer and Network Security Requirements
- Secrecy / privacy
  - information in a computer system should be accessible only to authorized parties
- Integrity
  - assets can be modified only by authorized parties
- Availability
  - assets are available to authorized parties
Slide 43: Protection and Security
System Security Requirements
Slide 44: Protection and Security
Overview of System Security
- Data must be securely transmitted through the network (network security).
- It must be controlled that user C, and no other, transmits data to user A.
Slide 45: Protection and Security
Types of Threats
- No threat: correct information flow
  - from a source
    - file
    - address region (stack, global data, shared memory etc.)
    - keyboard
    - ...
  - to a target
    - file
    - address region
    - printer
    - ...
Slide 46: Protection and Security
Types of Threats
- Interruption: attack on availability
  - an asset of the system is destroyed or becomes unavailable or unusable, e.g.
    - destruction of a hardware unit
    - cutting of a communication line
    - disabling the file management system
Slide 47: Protection and Security
Types of Threats
- Interception: attack on confidentiality
  - an unauthorized party gains access to an asset
  - the party could be a person, a hidden program, another computer, e.g.
    - wiretapping to capture data in a network
    - illicit copying of files or programs
Slide 48: Protection and Security
Types of Threats
- Modification: attack on integrity
  - an unauthorized party not only gains access to but tampers with an asset, e.g.
    - changing values in a data file
    - altering a program so that it performs differently
    - modifying the content of messages being transmitted in a network
Slide 49: Protection and Security
Types of Threats
- Fabrication: attack on authenticity
  - an unauthorized party inserts counterfeit objects into the system, e.g.
    - inserting spurious messages in a network
    - adding records to a file
    - deleting the whole system as a very unfriendly superuser
Slides 50-53: Protection and Security
Computer System Assets
- Hardware
  - threats include accidental and deliberate damage
    - environmental factors
      - dust particles
      - temperature and humidity
      - vibration
      - electrical problems (induction via mobile phone, high-voltage power cable)
      - fire, smoke and water, explosions
    - acts of God
      - flood disaster
      - thunderstorm or hurricane
      - earthquakes
      - asteroid impact
    - careless behavior of the owner
      - you might flood your keyboard with coffee
      - open office: your ThinkPad might be stolen
      - you're too hectic to use a laser printer properly
    - malicious behavior of an intruder
      - any form of vandalism (especially to cables and plugs)
Slide 54: Protection and Security
Computer System Assets
- Software
  - threats include deletion, alteration, damage of data
  - bugs, viruses, etc. may lead to threats
  - backups of the most recent versions can maintain higher availability
  - backups of backups
  - distribution of backups onto
    - trusted servers
    - untrusted servers
Remark: Typical backup media are DLTs, DATs, AITs etc.
Slide 55: Protection and Security
Backup Policies
- Initial full backup
- (weekly) full backup
- (daily) differential backup
- (every 6 hours) incremental backup
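The restore side of this schedule, as an added example that is not part of the slides: a differential backup contains everything changed since the last full backup, an incremental one only what changed since the previous backup of any kind. The simulation below applies the slide's weekly/daily/6-hourly schedule to a constructed edit history and shows which backups a restore has to read at a given hour. The edit history, the file-system model and the use of None as a deletion marker are my assumptions for the demonstration.

```python
from dataclasses import dataclass

# Backup schedule from the slide, in hours: weekly full, daily differential,
# incremental every 6 hours (the initial full backup is hour 0).
FULL_EVERY, DIFF_EVERY, INCR_EVERY = 7 * 24, 24, 6


@dataclass(frozen=True)
class Backup:
    kind: str        # "full", "differential" or "incremental"
    hour: int
    files: dict      # file name -> content, or None when the file was deleted


# Constructed edit history (hour -> {file: new content, None = deleted}); not from the slides.
EDITS = {
    0: {"a.txt": "a0", "b.txt": "b0"},
    5: {"a.txt": "a1"},
    7: {"c.txt": "c0"},
    13: {"b.txt": None},
    25: {"a.txt": "a2"},
    29: {"d.txt": "d0"},
}


def state_at(hour: int) -> dict:
    """File system content after all edits up to and including `hour`."""
    fs = {}
    for h in sorted(EDITS):
        if h > hour:
            break
        for name, content in EDITS[h].items():
            if content is None:
                fs.pop(name, None)
            else:
                fs[name] = content
    return fs


def kind_at(hour: int):
    """Which backup the policy takes at this hour, if any."""
    if hour % FULL_EVERY == 0:
        return "full"
    if hour % DIFF_EVERY == 0:
        return "differential"
    if hour % INCR_EVERY == 0:
        return "incremental"
    return None


def delta(old: dict, new: dict) -> dict:
    """Changes that turn `old` into `new`; None marks a deletion."""
    return {n: new.get(n) for n in old.keys() | new.keys() if old.get(n) != new.get(n)}


def run_backups(last_hour: int) -> list:
    """Take the backups the policy prescribes from hour 0 up to `last_hour`."""
    backups = []
    since_full = since_any = {}
    for hour in range(last_hour + 1):
        kind = kind_at(hour)
        if kind is None:
            continue
        now = state_at(hour)
        if kind == "full":
            files = dict(now)                  # everything
            since_full = now
        elif kind == "differential":
            files = delta(since_full, now)     # everything changed since the last full
        else:
            files = delta(since_any, now)      # only what changed since the previous backup
        since_any = now
        backups.append(Backup(kind, hour, files))
    return backups


def restore(backups: list, hour: int):
    """Rebuild the file system as of the last backup at or before `hour`.
    Returns (files, chain) where chain lists the backups that had to be read."""
    usable = [b for b in backups if b.hour <= hour]
    full = max((b for b in usable if b.kind == "full"), key=lambda b: b.hour)
    chain = [full]
    diffs = [b for b in usable if b.kind == "differential" and b.hour > full.hour]
    if diffs:
        chain.append(max(diffs, key=lambda b: b.hour))   # one differential replaces all earlier incrementals
    chain += [b for b in usable if b.kind == "incremental" and b.hour > chain[-1].hour]
    fs = {}
    for b in chain:
        for name, content in b.files.items():
            if content is None:
                fs.pop(name, None)
            else:
                fs[name] = content
    return fs, [(b.kind, b.hour) for b in chain]


if __name__ == "__main__":
    backups = run_backups(30)
    for h in (18, 30):
        files, chain = restore(backups, h)
        print(f"restore at hour {h}: read {chain} -> {files}")
```

A restore at hour 18 has to read the full backup plus three incrementals, whereas one at hour 30 reads the full backup, the daily differential and a single incremental: the differential costs more space per run but shortens the restore chain, which is the trade-off behind mixing the two.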
Slide 56: Protection and Security
Computer System Assets
- Data
  - involves files
  - threats include unauthorized reading of data
  - statistical analysis can lead to the determination of individual information, which might threaten privacy
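An added example (not from the slides) of the inference problem just mentioned: a database that answers only salary sums over at least three records still leaks one person's salary through two queries whose sets differ by exactly that record (a differencing attack). The second parameter shows the classic countermeasure, rejecting a query whose set overlaps a previously answered one too closely. The class, its parameters and the sample records are my constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    dept: str
    salary: int


# Constructed sample records (not from the slides).
PEOPLE = [
    Person("alice", "dev", 70_000), Person("bob", "dev", 65_000),
    Person("carol", "dev", 80_000), Person("dave", "dev", 72_000),
    Person("erin", "dev", 68_000), Person("frank", "ops", 60_000),
    Person("grace", "ops", 64_000), Person("heidi", "ops", 61_000),
]


class StatisticalDB:
    """Releases only aggregates (sums) over a query set, never single records.

    min_size: query-set-size control; the query set and its complement must both
              contain at least this many records.
    min_symmetric_difference: overlap control; a new query set must differ from every
              previously answered one in at least this many records (0 disables it).
    """

    def __init__(self, people, min_size=3, min_symmetric_difference=0):
        self.people = list(people)
        self.min_size = min_size
        self.min_sym_diff = min_symmetric_difference
        self.answered = []          # query sets already released

    def sum_salary(self, predicate) -> int:
        rows = frozenset(p for p in self.people if predicate(p))
        if len(rows) < self.min_size or len(self.people) - len(rows) < self.min_size:
            raise PermissionError("query set too small")
        for prev in self.answered:
            if 0 < len(rows ^ prev) < self.min_sym_diff:
                raise PermissionError("query set overlaps a previous one too closely")
        self.answered.append(rows)
        return sum(p.salary for p in rows)


def differencing_attack(db: StatisticalDB, target: str, dept: str) -> int:
    """Two individually harmless aggregate queries whose query sets differ only in
    `target`; their difference is the target's salary."""
    everyone = db.sum_salary(lambda p: p.dept == dept)
    all_but_target = db.sum_salary(lambda p: p.dept == dept and p.name != target)
    return everyone - all_but_target


def attack_is_blocked(db: StatisticalDB, target: str, dept: str) -> bool:
    try:
        differencing_attack(db, target, dept)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    size_only = StatisticalDB(PEOPLE, min_size=3)
    print("size control only, carol's salary:", differencing_attack(size_only, "carol", "dev"))
    with_overlap = StatisticalDB(PEOPLE, min_size=3, min_symmetric_difference=2)
    print("with overlap control, attack blocked:", attack_is_blocked(with_overlap, "carol", "dev"))
```

Overlap control is not the end of the story: an attacker can reach the same difference through a sequence of larger, individually admissible queries (a so-called tracker), which is why practical statistical databases additionally round or add noise to the released sums.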
Slide 57: Protection and Security
Physical Entrance Control
- A closed shop protects against
  - vandalism
  - theft
  - tapping
- Video monitoring may deter
  - careless behavior
  - vandalism
- Chip cards protect against
  - uncontrolled entrance to a system
Slide 58: Protection and Security
Computer System Assets
- Communication Lines and Networks
  - threats include eavesdropping and monitoring
  - a telephone conversation, an electronic mail message, and a transferred file are subject to these threats
  - encryption masks the contents of what is transferred, so even if the data are obtained by someone unauthorized, he/she would be unable to extract useful information
Slide 59: Protection and Security
Computer System Assets
- Communication Lines and Networks
  - masquerade takes place when one entity pretends to be a different entity
  - message stream modification means that some portion of a legitimate message is altered, delayed, or reordered
  - denial of service prevents or inhibits the normal use or management of communications facilities
    - disable the network or overload it with messages
    - overload the CPU with a fork bomb
    - ...
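As an added example (not from the slides) covering the two preceding slides: the toy stream cipher below masks the content of a payment message, yet an attacker who knows the message layout can still change the amount on the wire without the key (message stream modification), and can replay or reorder messages. Adding a MAC over the ciphertext plus a sequence number, checked before decryption, lets the receiver reject all three. The keystream construction, the message format and the keys are my assumptions for the demonstration; a real system would use an authenticated cipher.

```python
import hashlib
import hmac
import os

NONCE_LEN, SEQ_LEN, TAG_LEN = 16, 8, 32


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy hash-based keystream, enough to show the point. Real systems use an
    authenticated cipher such as AES-GCM or ChaCha20-Poly1305 instead."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# 1. Encryption only: masks the content (defeats eavesdropping) but not modification.
def seal_confidential(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_keystream(key, nonce, msg)


def open_confidential(key: bytes, wire: bytes) -> bytes:
    return xor_keystream(key, wire[:NONCE_LEN], wire[NONCE_LEN:])


def tamper(wire: bytes, ct_start: int, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Message stream modification by an attacker who knows the message format but
    not the key: under a stream cipher, XORing (known ^ wanted) into the ciphertext
    turns the plaintext `known` into `wanted` at that offset."""
    pos = ct_start + offset
    delta = bytes(a ^ b for a, b in zip(known, wanted))
    patched = bytes(c ^ d for c, d in zip(wire[pos:pos + len(delta)], delta))
    return wire[:pos] + patched + wire[pos + len(delta):]


# 2. Encrypt-then-MAC with a sequence number: detects modification, replay and reordering.
def seal_authenticated(enc_key: bytes, mac_key: bytes, seq: int, msg: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    header = seq.to_bytes(SEQ_LEN, "big") + nonce
    body = xor_keystream(enc_key, nonce, msg)
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.expected_seq = 0

    def open(self, wire: bytes):
        """Returns (status, plaintext); status is 'ok', 'forged', 'replayed' or 'reordered'."""
        header = wire[:SEQ_LEN + NONCE_LEN]
        body, tag = wire[SEQ_LEN + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time comparison
            return "forged", None
        seq = int.from_bytes(header[:SEQ_LEN], "big")
        if seq < self.expected_seq:
            return "replayed", None
        if seq > self.expected_seq:
            return "reordered", None                     # delayed or out of order
        self.expected_seq = seq + 1
        return "ok", xor_keystream(self.enc_key, header[SEQ_LEN:], body)


def demo():
    enc_key, mac_key = b"e" * 32, b"m" * 32        # constructed demo keys, never do this for real
    msg = b"PAY 0100 TO BOB"
    at = msg.index(b"0100")
    # confidentiality only: the attacker raises the amount without reading it or knowing the key
    forged = tamper(seal_confidential(enc_key, msg), NONCE_LEN, at, b"0100", b"9900")
    altered = open_confidential(enc_key, forged)
    # authenticated: the same trick, a reordered message and a replay are all rejected
    rx = Receiver(enc_key, mac_key)
    m0 = seal_authenticated(enc_key, mac_key, 0, msg)
    m1 = seal_authenticated(enc_key, mac_key, 1, b"PAY 0050 TO CAROL")
    statuses = [
        rx.open(tamper(m0, SEQ_LEN + NONCE_LEN, at, b"0100", b"9900"))[0],
        rx.open(m1)[0],   # arrives before m0
        rx.open(m0)[0],
        rx.open(m0)[0],   # replayed
        rx.open(m1)[0],
    ]
    return altered, statuses


if __name__ == "__main__":
    altered, statuses = demo()
    print("encryption only, attacker's result:", altered)
    print("authenticated receiver:", statuses)
```

The sequence number is part of the authenticated header, so an attacker cannot renumber a captured message either; what the scheme does not address is masquerade at connection setup, which needs authentication of the peer (e.g. a key agreed with a certified public key) rather than of individual messages.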