CSCE 548 Building Secure Software Basic Security Concepts - PowerPoint PPT Presentation

Slides: 74
Provided by: far1
1
CSCE 548 Building Secure Software: Basic Security Concepts
2
Security Objectives
  • Confidentiality: prevent/detect/deter improper disclosure of information
  • Integrity: prevent/detect/deter improper modification of information
  • Availability: prevent/detect/deter improper denial of access to services

3
Military Example
  • Confidentiality: target coordinates of a missile should not be improperly disclosed
  • Integrity: target coordinates of a missile should be correct
  • Availability: the missile should fire when the proper command is issued

4
Commercial Example
  • Confidentiality: patients' medical information should not be improperly disclosed
  • Integrity: patients' medical information should be correct
  • Availability: patients' medical information can be accessed when needed for treatment

5
Fourth Objective
  • Securing computing resources: prevent/detect/deter improper use of computing resources
    • Hardware
    • Software
    • Data
    • Network

6
Information Assurance
  • Prevention
  • Detection
  • Tolerance/response

7
Achieving Security
  • Policy: what to protect?
  • Mechanism: how to protect?
  • Assurance: how good is the protection?

8
Security Policy
Organizational Policy
Computerized Information System Policy
9
Security Tradeoffs
Diagram: tradeoffs among security, functionality, cost and ease of use.
10
Threat, Vulnerability, Risk
  • Threat: potential occurrence that can have an undesired effect on the system
  • Vulnerability: characteristic of the system that makes it possible for a threat to occur
  • Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
  • Risk: measure of the possibility of security breaches and the severity of the damage

11
Types of Threats
  • Errors of users
  • Natural/man-made/machine disasters
  • Dishonest insider
  • Disgruntled insider
  • Outsiders

12
Types of Attack
  • Interruption: an asset is destroyed, unavailable or unusable (availability)
  • Interception: an unauthorized party gains access to an asset (confidentiality)
  • Modification: an unauthorized party tampers with an asset (integrity)
  • Fabrication: an unauthorized party inserts a counterfeit object into the system (authenticity)
  • Denial: a person denies taking an action (authenticity)

13
Computer Crime
  • Any crime that involves computers or is aided by the use of computers
  • The U.S. Federal Bureau of Investigation reports uniform crime statistics

14
Computer Criminals
  • Amateurs: regular users who exploit the vulnerabilities of the computer system
    • Motivation: easy access to vulnerable resources
  • Crackers: attempt to access computing facilities for which they do not have authorization
    • Motivation: enjoy the challenge, curiosity
  • Career criminals: professionals who understand the computer system and its vulnerabilities
    • Motivation: personal gain (e.g., financial)

15
Methods of Defense
  • Prevent: block the attack
  • Deter: make the attack harder
  • Deflect: make other targets more attractive
  • Detect: identify misuse
  • Tolerate: function under attack
  • Recover: restore to a correct state
  • Documentation and reporting

16
Information Security Planning
  • Organization Analysis
  • Risk management
  • Mitigation approaches and their costs
  • Security policy and procedures
  • Implementation and testing
  • Security training and awareness

17
Prevention
18
Identification / Authentication
19
Authentication
  • Allows an entity (a user or a system) to prove its identity to another entity
  • Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
  • Strong authentication: the entity proves knowledge of S to the verifier without revealing S to the verifier

20
Authentication Information
Must be securely maintained by the system.
21
Elements of Authentication
  • Person/group/code/system to be authenticated
  • Distinguishing characteristic: differentiates the entities to be authenticated
  • Proprietor/system owner/administrator: responsible for the system
  • Authentication mechanism: verifies the distinguishing characteristic
  • Access control mechanism: grants privileges upon successful authentication

22
Authentication Requirements
  • Network must ensure:
    • Data exchange is established with the addressed peer entity, not with an entity that masquerades or replays previous messages
    • The data source is the one claimed
  • Authentication generally follows identification
    • Establish validity of the claimed identity
    • Provide protection against fraudulent transactions

23
User Authentication
  • What the user knows
    • Password, personal information
  • What the user possesses
    • Physical key, ticket, passport, token, smart card
  • What the user is (biometrics)
    • Fingerprints, voiceprint, signature dynamics

24
Passwords
  • Commonly used method
  • For each user, the system stores (user name, F(password)) in a password file, where F is some transformation (e.g., a one-way hash)
    • F(password) is easy to compute
    • From F(password), the password is difficult to compute
  • The password itself is not stored in the system
  • When the user enters the password, the system computes F(password); a match provides proof of identity
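The scheme on this slide, as an added example (not code from the course): F is PBKDF2-HMAC-SHA256 with a per-user random salt, the password file holds only (user name, salt, F(password)), and verification recomputes F on the candidate and compares in constant time. The iteration count and the user names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Work factor for the one-way transformation F (assumed value for the example;
# a deployment tunes this to its hardware).
ITERATIONS = 100_000

def F(password: str, salt: bytes) -> bytes:
    """One-way transformation: cheap to compute forward, hard to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(password_file: dict, user: str, password: str) -> None:
    """Store (user name, salt, F(password)); the password itself is never kept."""
    salt = os.urandom(16)                     # per-user salt: equal passwords hash differently
    password_file[user] = (salt, F(password, salt))

def verify(password_file: dict, user: str, candidate: str) -> bool:
    """Recompute F on the candidate; a match is the proof of identity."""
    record = password_file.get(user)
    if record is None:
        F(candidate, b"\x00" * 16)            # do the same work so timing does not reveal valid user names
        return False
    salt, stored = record
    return hmac.compare_digest(F(candidate, salt), stored)   # constant-time comparison

if __name__ == "__main__":
    pf = {}                                   # constructed in-memory password file
    enroll(pf, "alice", "correct horse battery")
    print("alice, right password:", verify(pf, "alice", "correct horse battery"))
    print("alice, wrong password:", verify(pf, "alice", "wrong"))
    print("unknown user:", verify(pf, "bob", "anything"))
```

The salt is what makes "easy to modify a compromised password" workable in practice: changing the password changes the stored record completely, and identical passwords for two users do not produce identical entries.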

25
Vulnerabilities of Passwords
  • Inherent vulnerabilities
    • Easy to guess or snoop
    • No control on sharing
  • Practical vulnerabilities
    • Visible if unencrypted in a distributed and networked environment
    • Susceptible to replay attacks if encrypted naively
  • Password advantage
    • Easy to change a compromised password

26
Attacks on Password
  • Guessing attack/dictionary attack
  • Social Engineering
  • Sniffing
  • Trojan login
  • Van Eck sniffing

27
Time-Synchronized One-Time Password
Diagram: the secret key and the current time are fed into DES to produce the one-time password.
28
Challenge Response
  • Non-repeating challenges from the host are used
  • The device requires a keypad

Diagram: workstation and host exchange over the network: user ID, challenge, response.
29
Devices with Personal Identification Number (PIN)
  • Devices are subject to theft, so some devices require a PIN (something the user knows)
  • The PIN is used by the device to authenticate the user
  • Problems with challenge/response schemes
    • The key database is extremely sensitive
    • This can be avoided if public-key algorithms are used
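The challenge/response exchange of the previous two slides, as an added example that is not the course's code: the host keeps the (sensitive) key database and issues a fresh random challenge; the device unlocks with the PIN and answers with a keyed hash of the challenge. HMAC-SHA256 stands in for the DES-based computation on the slides; the user ID, PIN and secret are constructed values.

```python
import hashlib
import hmac
import os

class Host:
    """Issues non-repeating challenges and checks responses with the shared secret.

    key_db maps user IDs to shared secrets. As the slide notes, this database is
    extremely sensitive: anyone who reads it can answer any challenge.
    """
    def __init__(self, key_db: dict):
        self._key_db = dict(key_db)
        self._outstanding = {}                 # user_id -> challenge awaiting a response

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = os.urandom(16)             # fresh random nonce: a non-repeating challenge
        self._outstanding[user_id] = challenge
        return challenge

    def check_response(self, user_id: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(user_id, None)   # single use: a replayed response has no challenge to match
        if challenge is None or user_id not in self._key_db:
            return False
        expected = hmac.new(self._key_db[user_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Device:
    """Hand-held token with a keypad: the user types the PIN and the challenge."""
    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin

    def respond(self, entered_pin: str, challenge: bytes) -> bytes:
        # The PIN authenticates the user to the device, so a stolen device alone is useless
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def login(host: Host, device: Device, user_id: str, pin: str):
    """One exchange: user ID -> challenge -> response -> host decision."""
    challenge = host.issue_challenge(user_id)
    response = device.respond(pin, challenge)
    return host.check_response(user_id, response), response

# Constructed demo credentials (not real keys)
SECRET = b"constructed-shared-secret-for-bob"
HOST = Host({"bob": SECRET})
TOKEN = Device(SECRET, "4711")

if __name__ == "__main__":
    ok, captured = login(HOST, TOKEN, "bob", "4711")
    print("login:", ok)
    HOST.issue_challenge("bob")
    print("replayed response accepted:", HOST.check_response("bob", captured))
```

Because every response is bound to a challenge that is used once, a response sniffed from the network is worthless on the next login, which is the property the "susceptible to replay attacks if encrypted naively" bullet on the password slide is about.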

30
Smart Cards
  • Portable devices with a CPU, I/O ports, and some nonvolatile memory
  • Can carry out the computation required by public-key algorithms and transmit directly to the host
  • Some use biometric data about the user instead of the PIN

31
Biometrics
  • Fingerprint
  • Retina scan
  • Voice pattern
  • Signature
  • Typing style

32
Access Control
33
Access Control
  • Protection objects: system resources for which protection is desirable
    • Memory, file, directory, hardware resource, software resources, etc.
  • Subjects: active entities requesting access to resources
    • User, owner, program, etc.
  • Access mode: type of access
    • Read, write, execute

34
Access Control Requirement
  • Cannot be bypassed
  • Enforce least-privilege and need-to-know
    restrictions
  • Enforce organizational policy

35
Access Control
  • Access control ensures that all direct accesses to objects are authorized
  • Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
  • Needs
    • Proper user identification and authentication
    • Information specifying the access rights that is protected from modification

36
Access Control
  • Access control components
    • Access control policy: specifies the authorized accesses of a system
    • Access control mechanism: implements and enforces the policy
  • Separation of components allows one to
    • Define access requirements independently from the implementation
    • Compare different policies
    • Implement mechanisms that can enforce a wide range of policies

37
Closed vs. Open Systems
Flowchart:
  Closed system (minimum privilege): rules list the allowed accesses.
    Access request -> does a rule exist? yes -> access permitted; no -> access denied.
  Open system (maximum privilege): rules list the disallowed accesses.
    Access request -> does a rule exist? yes -> access denied; no -> access permitted.
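The two decision procedures of the flowchart and the ownership-based administration of the next slide, as an added example (not from the course): a reference monitor that every access passes through, whose rule set is read as "allowed accesses" in a closed system and "disallowed accesses" in an open one. Subjects, objects and modes follow the definitions on slide 33; the user names and file names are constructed.

```python
from typing import Dict, List, Set, Tuple

Access = Tuple[str, str, str]   # (subject, object, mode), e.g. ("alice", "payroll.db", "read")

class ReferenceMonitor:
    """Mediates every access against a policy; the caller cannot reach an object except through decide().

    kind="closed": rules enumerate the *allowed* accesses; anything else is denied (minimum privilege).
    kind="open":   rules enumerate the *disallowed* accesses; anything else is permitted (maximum privilege).
    """
    MODES = {"read", "write", "execute"}

    def __init__(self, kind: str, rules: Set[Access], owners: Dict[str, str]):
        if kind not in ("closed", "open"):
            raise ValueError("kind must be 'closed' or 'open'")
        self.kind = kind
        self.rules = set(rules)
        self.owners = dict(owners)          # object -> owning subject (ownership-based administration)
        self.audit: List[Tuple[str, str, str, str]] = []   # every decision is recorded

    def decide(self, subject: str, obj: str, mode: str) -> bool:
        if mode not in self.MODES:
            raise ValueError(f"unknown access mode {mode!r}")
        rule_exists = (subject, obj, mode) in self.rules
        # Closed: permit only if an allowing rule exists. Open: deny only if a disallowing rule exists.
        permitted = rule_exists if self.kind == "closed" else not rule_exists
        self.audit.append((subject, obj, mode, "permitted" if permitted else "denied"))
        return permitted

    def add_rule(self, granter: str, subject: str, obj: str, mode: str) -> None:
        """Only the object's owner may add a rule for it (the rule allows in a closed system, disallows in an open one)."""
        if self.owners.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.rules.add((subject, obj, mode))

if __name__ == "__main__":
    closed = ReferenceMonitor("closed", {("alice", "payroll.db", "read")}, {"payroll.db": "alice"})
    print("closed, alice write:", closed.decide("alice", "payroll.db", "write"))   # no rule -> denied
    opened = ReferenceMonitor("open", {("bob", "payroll.db", "write")}, {"payroll.db": "alice"})
    print("open, bob read:", opened.decide("bob", "payroll.db", "read"))          # no rule -> permitted
```

The same rule set gives opposite answers under the two policies, which is why the slides separate the policy (what the rules mean) from the mechanism (the lookup that enforces them).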
38
Authorization Management
  • Who can grant and revoke access rights?
  • Centralized administration: security officer
  • Decentralized administration: locally autonomous systems
  • Hierarchical decentralization: security officer > departmental system administrator > Windows NT administrator
  • Ownership based: the owner of data may grant access to others to his/her data (possibly with grant option)
  • Cooperative authorization: predefined groups of users or a predefined number of users may access data

39
Access Control Models
Diagram: the space of all accesses, with Discretionary AC, Mandatory AC and Role-Based AC as access control models.
40
Indirect Accesses
41
Indirect Information Flow Channels
  • Covert channels
  • Inference channels

42
Communication Channels
  • Overt channel: designed into a system and documented in the user's manual
  • Covert channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

43
Covert Channel
  • Needs
    • Two active participants
    • An encoding scheme
  • Example: the sender modulates the CPU utilization level with the data stream to be transmitted
  • Sender:
      repeat
        get a bit to send
        if the bit is 1: wait one second (don't use CPU time)
        else: busy-wait one second (use CPU time)
        endif
      until done

44
Inference Channels
Diagram: non-sensitive information, combined with meta-data, lets a user infer sensitive information.

45
Inference Channels
  • Statistical Database Inferences
  • General Purpose Database Inferences

46
Firewalls
47
Traffic Control Firewall
  • Brick wall placed between apartments to prevent the spread of fire from one apartment to the next
  • Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on the traffic that passes through it

48
Firewall
Diagram: the firewall is a security wall between the private (protected) network and the outside world (external network).
49
Firewall Objectives
  • Keep intruders, malicious code and unwanted traffic or information out
  • Keep proprietary and sensitive information in

Diagram: external attacks kept out, proprietary data kept in.
50
Without firewalls, nodes
  • Are exposed to insecure services
  • Are exposed to probes and attacks from outside
  • Can be defenseless against new attacks
  • Network security relies totally on host security, and all hosts must communicate to achieve a high level of security (almost impossible)

51
  • Cryptography
    • Secret-Key Encryption
    • Public-Key Encryption
    • Cryptographic Protocols

52
Diagram: a confidential message sent over insecure communications.
53
Encryption and Decryption
Diagram: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext
54
Breakable versus Practically breakable
  • Unconditionally secure: impossible to decrypt; no amount of ciphertext will enable a cryptanalyst to obtain the plaintext
  • Computationally secure: an algorithm that is not breakable in practice, based on the worst-case scenario
  • Breakable: all algorithms (except the one-time pad) are theoretically breakable

55
Conventional (Secret Key) Cryptosystem
Diagram: Sender computes C = E(K, M) from the plaintext; the ciphertext C goes to the recipient, who computes M = D(K, C).
Both sides hold the same key K, which needs a secure channel.
56
Public Key Cryptosystem
Diagram: Sender computes C = E(Kpub, M) with the recipient's public key Kpub; the recipient computes M = D(Kpriv, C) with the recipient's private key Kpriv.
Kpub needs a reliable channel.
57
Hash Functions
  • A hash function h maps an input x of arbitrary length to a fixed-length output h(x) (compression)
  • Given h and x, h(x) is easy to compute (ease of computation)

58
Digital Signatures in RSA
Diagram: A signs the plaintext by applying the decryption algorithm with A's private key, producing the signed plaintext, which crosses an insecure channel; B verifies it by applying the encryption algorithm with A's public key, recovering the plaintext.
A's public key needs a reliable channel.
59
Signature and Encryption
Diagram: A: Plaintext -> D with A's private key -> Signed plaintext -> E with B's public key -> Encrypted signed plaintext.
B: Encrypted signed plaintext -> D with B's private key -> Signed plaintext -> E with A's public key -> Plaintext.
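The two previous slides carried through in code, as an added example and not the course's own: textbook RSA where signing is the decryption operation with the signer's private key and verification the encryption operation with the signer's public key, then the sign-then-encrypt flow from A to B. The key pairs are built from well-known small primes so the example runs instantly; the message is constructed. Real deployments use keys of thousands of bits and a padding scheme such as RSA-PSS and OAEP, which this toy omits.

```python
import hashlib

E = 65537   # public exponent shared by both toy key pairs

def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)): the public key and the private key for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)

# Constructed toy key pairs: primes chosen for illustration only, not secure sizes
A_PUB, A_PRIV = make_keypair(1_000_000_007, 998_244_353)
B_PUB, B_PRIV = make_keypair(2_147_483_647, 4_294_967_291)

def encrypt(pub, m: int) -> int:
    """Encryption algorithm E: exponentiate with the public key."""
    n, e = pub
    assert 0 <= m < n, "a block must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:
    """Decryption algorithm D: exponentiate with the private key."""
    n, d = priv
    return pow(c, d, n)

def digest(message: bytes, n: int) -> int:
    """Hash the message (compression, slide 57) and reduce it into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    """Sign = apply the decryption algorithm with the signer's private key to h(M)."""
    return decrypt(priv, digest(message, priv[0]))

def verify(pub, message: bytes, signature: int) -> bool:
    """Verify = apply the encryption algorithm with the signer's public key and compare with h(M)."""
    return encrypt(pub, signature) == digest(message, pub[0])

def send_signed_encrypted(message: bytes):
    """A: sign with A's private key, then encrypt message and signature with B's public key."""
    m = int.from_bytes(message, "big")  # plaintext as a single integer block (at most 7 bytes for these moduli)
    sig = sign(A_PRIV, message)
    return encrypt(B_PUB, m), encrypt(B_PUB, sig)

def receive_signed_encrypted(c_msg: int, c_sig: int):
    """B: decrypt with B's private key, then verify with A's public key."""
    m = decrypt(B_PRIV, c_msg)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    sig = decrypt(B_PRIV, c_sig)
    return message, verify(A_PUB, message, sig)

if __name__ == "__main__":
    c_msg, c_sig = send_signed_encrypted(b"hello")
    print("B receives:", receive_signed_encrypted(c_msg, c_sig))
```

Both keys are in play on each side: the private key of the signer proves the sender's identity, and the public key of the recipient is what makes "only the recipient should see it" hold, which is the pairing the cryptographic-protocols slide lists as separate requirements.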
60
Cryptographic Protocols
  • Messages should be transmitted to the destination
  • Only the recipient should see it
  • Only the recipient should get it
  • Proof of the sender's identity
  • The message shouldn't be corrupted in transit
  • The message should be sent/received once only

61
Detection/Response
62
Misuse Prevention
  • Prevention techniques: first line of defense
  • Secure local and network resources
  • Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.

Problem: losses still occur!
63
Intrusion Management
  • Intrusion prevention: protect system resources
  • Intrusion detection (second line of defense): discriminate intrusion attempts from normal system usage
  • Intrusion recovery: cost-effective recovery models

64
Anomaly versus Misuse
Matrix:
                                       Non-intrusive use                                   Intrusive use
  Looks like NORMAL behavior           -                                                   False negative: non-anomalous but intrusive activities
  Does NOT look like NORMAL behavior   False positive: non-intrusive but anomalous activities   -
65
False Positive vs. False Negative
  • False positive: non-intrusive but anomalous activity
    • Security policy is not violated
    • Causes unnecessary interruption
    • May cause users to become dissatisfied
  • False negative: non-anomalous but intrusive activity
    • Security policy is violated
    • Undetected intrusion
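The anomaly-versus-misuse matrix of the last two slides on constructed data, as an added example (not from the course): a threshold learned from normal failed-login counts is applied to labelled observations, and each outcome lands in one of the four cells. The threshold rule (mean plus three standard deviations) and the sample counts are assumptions for illustration.

```python
import statistics
from typing import Dict, List, Tuple

def threshold(baseline: List[int]) -> float:
    """Anomaly threshold learned from normal usage: mean + 3 standard deviations."""
    return statistics.mean(baseline) + 3 * statistics.pstdev(baseline)

def is_anomalous(count: int, thr: float) -> bool:
    """The detector's only knowledge: does this hour look unlike NORMAL behavior?"""
    return count > thr

def evaluate(baseline: List[int], labelled: List[Tuple[int, bool]]) -> Dict[str, int]:
    """Cross the detector's verdict (anomalous or not) with the truth (intrusive or not)."""
    thr = threshold(baseline)
    cells = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for count, intrusive in labelled:
        flagged = is_anomalous(count, thr)
        if flagged and intrusive:
            cells["TP"] += 1          # anomalous and intrusive: detected
        elif flagged and not intrusive:
            cells["FP"] += 1          # anomalous but not intrusive: unnecessary interruption
        elif not flagged and intrusive:
            cells["FN"] += 1          # looks normal but intrusive: undetected intrusion
        else:
            cells["TN"] += 1          # looks normal and is normal
    return cells

# Constructed failed-login counts per hour during known-normal operation
BASELINE = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2]

# Constructed observations: (failed logins in the hour, was it actually an intrusion attempt?)
LABELLED = [
    (3, False),    # ordinary typos
    (40, True),    # password-guessing burst: anomalous and intrusive
    (9, False),    # users struggling after a password-policy change: anomalous but not intrusive
    (2, True),     # low-and-slow guessing inside the normal rate: intrusive but not anomalous
    (7, True),     # small burst, still above the threshold
    (5, False),    # busy but normal hour
]

if __name__ == "__main__":
    print("threshold:", round(threshold(BASELINE), 2))
    print(evaluate(BASELINE, LABELLED))
```

Lowering the threshold would catch the low-and-slow attempt at the price of more false positives, and raising it would do the reverse; the matrix on the slide is exactly this tradeoff, and the policy decides which cell costs more.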

66
Malicious Code
67
Program Flaws
  • Taxonomy of flaws, by
    • how (genesis)
    • when (time)
    • where (location)
    the flaw was introduced into the system

68
Security Flaws by Genesis
  • Genesis
    • Intentional
      • Malicious: Trojan horse, trapdoor, logic bomb, covert channels
      • Non-malicious
    • Inadvertent
      • Validation error
      • Domain error
      • Serialization error
      • Identification/authentication error
      • Other error

69
Kinds of Malicious Codes
  • Virus: a program that attaches copies of itself to other programs. Propagates and performs some unwanted function.
  • Rabbit (bacteria): a program that consumes system resources by replicating itself.

70
Kinds of Malicious Code
  • Worm: a program that propagates copies of itself through the network. Usually performs some unwanted function.
    • Does not attach to other programs
  • Trojan horse: a secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.

71
Kinds of Malicious Code
  • Logic bomb, time bomb: logic embedded in a program that checks for a certain set of conditions to be present in the system. When these conditions are present, some malicious code is executed.
  • Trapdoor: a secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.

72
Virus
  • Virus lifecycle
    • Dormant phase: the virus is idle (not all viruses have this stage)
    • Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
    • Triggering phase: the virus is activated to perform the function for which it was created
    • Execution phase: the function is performed; the function may be harmless or damaging

73
Next Class: Response/Tolerance