Title: CSCE 548 Building Secure Software Basic Security Concepts
1CSCE 548 Building Secure SoftwareBasic
Security Concepts
2Security Objectives
- Confidentiality prevent/detect/deter improper
disclosure of information - Integrity prevent/detect/deter improper
modification of information - Availability prevent/detect/deter improper
denial of access to services
3Military Example
- Confidentiality target coordinates of a missile
should not be improperly disclosed - Integrity target coordinates of missile should
be correct - Availability missile should fire when proper
command is issued
4Commercial Example
- Confidentiality patients medical information
should not be improperly disclosed - Integrity patients medical information should
be correct - Availability patients medical information can
be accessed when needed for treatment
5Fourth Objective
- Securing computing resources prevent/detect/deter
improper use of computing resources - Hardware
- Software
- Data
- Network
6Information Assurance
- Prevention
- Detection
- Tolerance/response
7Achieving Security
- Policy
- What to protect?
- Mechanism
- How to protect?
- Assurance
- How good is the protection?
8Security Policy
Organizational Policy
Computerized Information System Policy
9Security Tradeoffs
Security
Functionality
COST
Ease of Use
10Threat, Vulnerability, Risk
- Threat potential occurrence that can have an
undesired effect on the system - Vulnerability characteristics of the system that
makes is possible for a threat to potentially
occur - Attack action of malicious intruder that
exploits vulnerabilities of the system to cause a
threat to occur - Risk measure of the possibility of security
breaches and severity of the damage
11Types of Threats
- Errors of users
- Natural/man-made/machine disasters
- Dishonest insider
- Disgruntled insider
- Outsiders
12Types of Attack
- Interruption an asset is destroyed, unavailable
or unusable (availability) - Interception unauthorized party gains access to
an asset (confidentiality) - Modification unauthorized party tampers with
asset (integrity) - Fabrication unauthorized party inserts
counterfeit object into the system (authenticity) - Denial person denies taking an action
(authenticity)
13Computer Crime
- Any crime that involves computers or aided by the
use of computers - U.S. Federal Bureau of Investigation reports
uniform crime statistics
14Computer Criminals
- Amateurs regular users, who exploit the
vulnerabilities of the computer system - Motivation easy access to vulnerable resources
- Crackers attempt to access computing facilities
for which they do not have the authorization - Motivation enjoy challenge, curiosity
- Career criminals professionals who understand
the computer system and its vulnerabilities - Motivation personal gain (e.g., financial)
15Methods of Defense
- Prevent block attack
- Deter make the attack harder
- Deflect make other targets more attractive
- Detect identify misuse
- Tolerate function under attack
- Recover restore to correct state
- Documentation and reporting
16Information Security Planning
- Organization Analysis
- Risk management
- Mitigation approaches and their costs
- Security policy and procedures
- Implementation and testing
- Security training and awareness
17Prevention
18IdentificationAuthentication
19Authentication
- Allows an entity (a user or a system) to prove
its identity to another entity - Typically, the entity whose identity is verified
reveals knowledge of some secret S to the
verifier - Strong authentication the entity reveals
knowledge of S to the verifier without revealing
S to the verifier
20Authentication Information
Must be securely maintained by the system.
21Elements of Authentication
- Person/group/code/system to be authenticated
- Distinguishing characteristic differentiates the
entities to be authenticated - Proprietor/system owner/administrator
responsible for the system - Authentication mechanism verify the
distinguishing characteristic - Access control mechanism grant privileges upon
successful authentication
22Authentication Requirements
- Network must ensure
- Data exchange is established with addressed peer
entity not with an entity that masquerades or
replays previous messages - Network must ensure data source is the one
claimed - Authentication generally follows identification
- Establish validity of claimed identity
- Provide protection against fraudulent transactions
23User Authentication
- What the user knows
- Password, personal information
- What the user possesses
- Physical key, ticket, passport, token, smart card
- What the user is (biometrics)
- Fingerprints, voiceprint, signature dynamics
24Passwords
- Commonly used method
- For each user, system stores (user name,
F(password)), where F is some transformation
(e.g., one-way hash) in a password file - F(password) is easy to compute
- From F(password), password is difficult to
compute - Password is not stored in the system
- When user enters the password, system computes
F(password) match provides proof of identity
25Vulnerabilities of Passwords
- Inherent vulnerabilities
- Easy to guess or snoop
- No control on sharing
- Practical vulnerabilities
- Visible if unencrypted in distributed and network
environment - Susceptible for replay attacks if encrypted
naively - Password advantage
- Easy to modify compromised password.
26Attacks on Password
- Guessing attack/dictionary attack
- Social Engineering
- Sniffing
- Trojan login
- Van Eck sniffing
27Time Synchronized
Secret key
Time
DES
One Time Password
28Challenge Response
- Non-repeating challenges from the host is used
- The device requires a keypad
Network
Work station
Host
User ID
Challenge
Response
29Devices with Personal Identification Number (PIN)
- Devices are subject to theft, some devices
require PIN (something the user knows) - PIN is used by the device to authenticate the
user - Problems with challenge/response schemes
- Key database is extremely sensitive
- This can be avoided if public key algorithms are
used
30Smart Cards
- Portable devices with a CPU, I/O ports, and some
nonvolatile memory - Can carry out computation required by public key
algorithms and transmit directly to the host - Some use biometrics data about the user instead
of the PIN
31Biometrics
- Fingerprint
- Retina scan
- Voice pattern
- Signature
- Typing style
32Access Control
33Access Control
- Protection objects system resources for which
protection is desirable - Memory, file, directory, hardware resource,
software resources, etc. - Subjects active entities requesting accesses to
resources - User, owner, program, etc.
- Access mode type of access
- Read, write, execute
34Access Control Requirement
- Cannot be bypassed
- Enforce least-privilege and need-to-know
restrictions - Enforce organizational policy
35Access Control
- Access control ensures that all direct accesses
to object are authorized - Protects against accidental and malicious threats
by regulating the reading, writing and execution
of data and programs - Need
- Proper user identification and authentication
- Information specifying the access rights is
protected form modification
36Access Control
- Access control components
- Access control policy specifies the authorized
accesses of a system - Access control mechanism implements and enforces
the policy - Separation of components allows to
- Define access requirements independently from
implementation - Compare different policies
- Implement mechanisms that can enforce a wide
range of policies
37Closed v.s. Open Systems
Closed system
Open System
(minimum privilege)
(maximum privilege)
Access requ.
Access requ.
Allowed accesses
Disallowed accesses
Exists Rule?
Exists Rule?
yes
no
yes
no
Access denied
Access permitted
Access permitted
Access denied
38Authorization Management
- Who can grant and revoke access rights?
- Centralized administration security officer
- Decentralized administration locally autonomous
systems - Hierarchical decentralization security officer gt
departmental system administrator gt Windows NT
administrator - Ownership based owner of data may grant access
to other to his/her data (possibly with grant
option) - Cooperative authorization predefined groups of
users or predefined number of users may access
data
39Access Control Models
All accesses
Discretionary AC
Mandatory AC
Role-Based AC
40Indirect Accesses
41Indirect Information Flow Channels
- Covert channels
- Inference channels
42Communication Channels
- Overt Channel designed into a system and
documented in the user's manual - Covert Channel not documented. Covert channels
may be deliberately inserted into a system, but
most such channels are accidents of the system
design.
43Covert Channel
- Need
- Two active participants
- Encoding schema
- Example sender modulates the CPU utilization
level with the data stream to be transmitted - Sender
- repeat get a bit to send
- if the bit is 1 wait one second (don't use CPU
time) - else busy wait one second (use CPU time)
- endif
- until done
44Inference Channels
Non-sensitive information
Sensitive Information
Meta-data
45Inference Channels
- Statistical Database Inferences
- General Purpose Database Inferences
46Firewalls
47Traffic Control Firewall
- Brick wall placed between apartments to prevent
the spread of fire from one apartment to the next - Single, narrow checkpoint placed between two or
more networks where security and audit can be
imposed on traffic which passes through it
48Firewall
Private Network
security wall between private (protected) network
and outside word
Firewall
External Network
49Firewall Objectives
- Keep intruders, malicious code and unwanted
traffic or information out - Keep proprietary and sensitive information in
Proprietary data
External attacks
50Without firewalls, nodes
- Are exposed to insecure services
- Are exposed to probes and attacks from outside
- Can be defenseless against new attacks
- Network security totally relies on host security
and all hosts must communicate to achieve high
level of security almost impossible
51- Cryptography
- - Secret-Key Encryption
- - Public-Key Encryption
- - Cryptographic Protocols
52Insecure communications
Confidential
53Encryption and Decryption
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
54Breakable versus Practically breakable
- Unconditionally secure impossible to
decrypt. No amount of ciphertext will enable a
cryptanalyst to obtain the plaintext - Computationally secure an algorithm that is not
breakable in practice based on worst case
scenario - Breakable all algorithms (except one-time pad)
are theoretically breakable
55Conventional (Secret Key) Cryptosystem
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
K
CE(K,M) MD(K,C)
K needs secure channel
56Public Key Cryptosystem
Recipients public Key (Kpub)
Recipients private Key (Kpriv)
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
CE(Kpub,M) MD(Kpriv,C)
Kpub needs reliable channel
57Hash Functions
- Hash function h maps an input x of arbitrary
length to a fixed length output h(x)
(compression) - Given h and x, h(x) is easy to compute (ease of
computation)
58Digital Signatures in RSA
Insecure channel
Sign
Verify
Plaintext
Signed plaintext
Plaintext
Encryption Alg.
Decryption Alg.
B
A
As public key
As private key
(need reliable channel)
59Signature and Encryption
B
Encrypted Signed Plaintext
A
Signed Plaintext
Signed Plaintext
Plaintext
Plaintext
D
E
D
E
Bs public key
As public key
Bs private key
As private key
60Cryptographic Protocols
- Messages should be transmitted to destination
- Only the recipient should see it
- Only the recipient should get it
- Proof of the senders identity
- Message shouldnt be corrupted in transit
- Message should be sent/received once only
61Detection/Response
62Misuse Prevention
- Prevention techniques first line of defense
- Secure local and network resources
- Techniques cryptography, identification,
authentication, authorization, access control,
security filters, etc.
Problem Losses occur!
63Intrusion Management
- Intrusion Prevention protect system resources
- Intrusion Detection (second line of defense)
discriminate intrusion attempts from normal
system usage - Intrusion Recovery cost effective recovery models
64Anomaly versus Misuse
Non-intrusive use
Intrusive use
Looks like NORMAL behavior
False negative Non-anomalous but Intrusive
activities
Does NOT look Like NORMAL behavior
False positive Non-intrusive but Anomalous
activities
65False Positive vs. False Negative
- False positive non-intrusive but anomalous
activity - Security policy is not violated
- Cause unnecessary interruption
- May cause users to become unsatisfied
- False negative non-anomalous but intrusive
activity - Security policy is violated
- Undetected intrusion
66Malicious Code
67Program Flaws
- Taxonomy of flaws
- how (genesis)
- when (time)
- where (location)
- the flaw was introduced into the system
68Security Flaws by Genesis
- Genesis
- Intentional
- Malicious Trojan Horse, Trapdoor, Logic Bomb,
covert channes - Non-malicious
- Inadvertent
- Validation error
- Domain error
- Serialization error
- Identification/authentication error
- Other error
69Kinds of Malicious Codes
- Virus a program that attaches copies of itself
into other programs. Propagates and performs
some unwanted function. - Rabbit (Bacteria) program that consumes system
resources by replicating itself.
70Kinds of Malicious Code
- Worm a program that propagates copies of itself
through the network. Usually performs some
unwanted function. - Does not attach to other programs
- Trojan Horse secret, undocumented routine
embedded within a useful program. Execution of
the program results in execution of secret code.
71Kinds of Malicious Code
- Logic bomb, time bomb logic embedded in a
program that checks for a certain set of
conditions to be present in the system. When
these conditions are present, some malicious code
is executed. - Trapdoor secret, undocumented entry point into a
program, used to grant access without normal
methods of access authentication.
72Virus
- Virus lifecycle
- Dormant phase the virus is idle. (not all
viruses have this stage) - Propagation phase the virus places an identical
copy of itself into other programs of into
certain system areas. - Triggering phase the virus is activated to
perform the function for which it was created. - Execution phase the function is performed. The
function may be harmless or damaging.
73Next ClassResponse/Tolerance