An Overview of Computer Security - PowerPoint PPT Presentation

About This Presentation
Title:

An Overview of Computer Security

Description:

Security is a state of well-being of information and infrastructures in which ... Confidentiality is the concealment of information or resources. ... – PowerPoint PPT presentation

Number of Views:16
Avg rating:3.0/5.0
Slides: 35
Provided by: fengmi5

Transcript and Presenter's Notes

1
An Overview of Computer Security
  • CS 6262

2
The Definition
  • Security is a state of well-being of information
    and infrastructures in which the possibility of
    successful yet undetected theft, tampering, and
    disruption of information and services is kept
    low or tolerable
  • Security rests on confidentiality, authenticity,
    integrity, and availability

3
The Basic Components
  • Confidentiality is the concealment of information
    or resources.
  • Authenticity is the identification and assurance
    of the origin of information.
  • Integrity refers to the trustworthiness of data
    or resources in terms of preventing improper and
    unauthorized changes.
  • Availability refers to the ability to use the
    information or resource desired.

4
Security Threats and Attacks
  • A threat is a potential violation of security.
      • Flaws in design, implementation, and operation.
  • An attack is any action that violates security.
      • Active adversary.

5
Eavesdropping - Message Interception (Attack on Confidentiality)
  • Unauthorized access to information
  • Packet sniffers and wiretappers
  • Illicit copying of files and programs

[Diagram labels: A, B, Eavesdropper]
6
Integrity Attack - Tampering With Messages
  • Stop the flow of the message
  • Delay and optionally modify the message
  • Release the message again

[Diagram labels: A, B, Perpetrator]
7
Authenticity Attack - Fabrication
  • Unauthorized assumption of another's identity
  • Generate and distribute objects under this
    identity

[Diagram labels: A, B, Masquerader from A]
8
Attack on Availability
  • Destroy hardware (cutting fiber) or software
  • Modify software in a subtle way (alias commands)
  • Corrupt packets in transit
  • Blatant denial of service (DoS)
  • Crashing the server
  • Overwhelm the server (use up its resource)

9
Impact of Attacks
  • Theft of confidential information
  • Unauthorized use of
      • Network bandwidth
      • Computing resources
  • Spread of false information
  • Disruption of legitimate services
  • All attacks can be related and are dangerous!

10
Security Policy and Mechanism
  • Policy: a statement of what is, and is not,
    allowed.
  • Mechanism: a procedure, tool, or method of
    enforcing a policy.
  • Security mechanisms implement functions that help
    prevent, detect, respond to, and recover from
    security attacks.
  • Security functions are typically made available
    to users as a set of security services through
    APIs or integrated interfaces.
  • Cryptography underlies many security mechanisms.

11
Security Services
  • Confidentiality: protection of any information
    from being exposed to unintended entities.
      • Information content.
      • Parties involved.
      • Where they are, how they communicate, how often,
        etc.

12
Security Services - Contd
  • Authentication: assurance that an entity of
    concern, or the origin of a communication, is
    authentic - it is what it claims to be, or comes
    from where it claims to come from
  • Integrity: assurance that the information has not
    been tampered with
  • Non-repudiation: offer of evidence that a party
    indeed is the sender or a receiver of certain
    information

13
Security Services - Contd
  • Access control: facilities to determine and
    enforce who is allowed access to what resources,
    hosts, software, network connections
  • Monitor response: facilities for monitoring
    security attacks, generating indications,
    surviving (tolerating) and recovering from attacks

14
Security Services - Contd
  • Security management: facilities for coordinating
    users' service requirements and mechanism
    implementations throughout the enterprise network
    and across the Internet
      • Trust model
      • Trust communication protocol
      • Trust management infrastructure

15
Assumptions and Trust
  • A security policy consists of a set of axioms
    that the policy makers believe can be enforced.
  • Two assumptions
      • The policy correctly and unambiguously partitions
        the set of system states into secure and
        nonsecure states
          • The policy is correct
      • The security mechanisms prevent the system from
        entering a nonsecure state
          • The mechanisms are effective

16
Assumptions and Trust Contd
  • Trusting that the mechanisms work requires the
    following assumptions
      • Each mechanism enforces part(s) of the security
        policy
      • The union of the mechanisms enforces all aspects
        of the policy
      • The mechanisms are implemented, installed, and
        administered correctly

17
How to Make a System Trustworthy
  • Specification
      • A statement of desired functions
  • Design
      • A translation of specifications to a set of
        components
  • Implementation
      • Realization of a system that satisfies the design
  • Assurance
      • The process to ensure that the above steps are
        carried out correctly
      • Inspections, proofs, testing, etc.

18
Operational Issues
  • Risk Analysis
  • Cost-Benefit Analysis
  • Laws and Custom

19
Human Issues
  • Organizational Problems
  • People Problems

20
The Security Life Cycle
  • The iterations of
  • Threats
  • Policy
  • Specification
  • Design
  • Implementation
  • Operation and maintenance

21
Access Control Matrix
22
Protection State
  • A protection system describes the conditions
    under which a system is secure
  • State of a system
  • A collection of the current values of all memory
    locations, storages, registers, etc.
  • A subset of this collection that deals with
    protection is the protection state of the system

23
State Transitions
  • State transitions due to commands
  • The result of transforming an authorized state
    with an operation allowed in that state is an
    authorized state

24
Access Control Matrix Model
  • Describes a protection state
  • The rights of each subject with respect to every
    other entity
  • The set of all protected entities is the set of
    objects O; the set of subjects S is the set of
    active objects; R is a set of rights
  • The access control matrix A specifies, for each pair
    s ∈ S and o ∈ O, the set of rights s has on o,
    A[s, o] ⊆ R
  • The set of protection states of the system is
    represented by (S, O, A)

25
Protection State Transitions
  • Sequences of state transitions are represented by
    commands that update the access control matrix
  • Primitive commands
      • Create or destroy a subject or object
      • Enter or delete a right for a subject and object
        pair

26
Special Rights
  • The copy right (or grant right) allows the
    possessor to grant rights to another
  • The own right enables the possessor to add or
    delete privileges for themselves and others
  • Principle of Attenuation of Privilege
      • A subject may not give rights it does not possess
        to another
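The following Python block is an added example, not code from the slides or the CS 6262 course: it implements the (S, O, A) protection state of slides 24 and 25 with the six primitive commands, and builds two higher-level commands on top of them that enforce the special rights of slide 26. The subject, object and right names are constructed for the demo. One simplification is assumed: the copy right is stored as an ordinary entry in the cell A[s, o] and covers every right the subject holds on that object (rather than a per-right copy flag), which matches the slide's wording of "the copy right".

```python
class AccessControlMatrix:
    """Protection state (S, O, A): subjects S, objects O and, for each
    (s, o) pair, the set of rights A[s, o] as a subset of R.
    Subjects are active objects, so creating a subject also creates an object."""

    COPY, OWN = "copy", "own"   # the two special rights of slide 26 (assumed names)

    def __init__(self, rights):
        self.R = set(rights) | {self.COPY, self.OWN}
        self.S, self.O, self.A = set(), set(), {}

    # --- the six primitive commands that drive state transitions (slide 25) ---
    def create_subject(self, s):
        self.S.add(s)
        self.create_object(s)            # a subject is also an object
        for o in self.O:                 # new row: s has no rights yet
            self.A.setdefault((s, o), set())

    def create_object(self, o):
        self.O.add(o)
        for s in self.S:                 # new column: nobody has rights on o yet
            self.A.setdefault((s, o), set())

    def destroy_object(self, o):
        self.O.discard(o)
        for key in [k for k in self.A if k[1] == o]:
            del self.A[key]

    def destroy_subject(self, s):
        self.S.discard(s)
        self.destroy_object(s)           # drop its column ...
        for key in [k for k in self.A if k[0] == s]:
            del self.A[key]              # ... and its row

    def enter(self, right, s, o):
        if right not in self.R or (s, o) not in self.A:
            raise ValueError("enter: unknown right or (subject, object) pair")
        self.A[(s, o)].add(right)

    def delete(self, right, s, o):
        self.A[(s, o)].discard(right)

    def rights(self, s, o):
        return frozenset(self.A.get((s, o), ()))

    # --- commands composed from the primitives; the checks are the policy ---
    def grant(self, granter, grantee, o, right):
        """Copy right: granter may pass `right` on o to grantee only if it holds
        the copy right on o. Attenuation of privilege: it must also hold `right`
        itself, so a subject can never give away a right it does not possess."""
        held = self.rights(granter, o)
        if right not in held:
            raise PermissionError(f"{granter} does not hold {right} on {o}")
        if self.COPY not in held:
            raise PermissionError(f"{granter} may not copy rights on {o}")
        self.enter(right, grantee, o)

    def owner_set(self, owner, s, o, right, give=True):
        """Own right: the owner of o may add or delete any right on o,
        for itself or for others."""
        if self.OWN not in self.rights(owner, o):
            raise PermissionError(f"{owner} does not own {o}")
        (self.enter if give else self.delete)(right, s, o)


def attempt(action):
    """Run one command and report whether the protection state allowed it."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo():
    acm = AccessControlMatrix(rights=["read", "write"])
    for s in ("alice", "bob", "carol"):
        acm.create_subject(s)
    acm.create_object("report")
    # Constructed initial state: alice owns report; bob may read it and copy that.
    acm.enter(AccessControlMatrix.OWN, "alice", "report")
    acm.enter("read", "bob", "report")
    acm.enter(AccessControlMatrix.COPY, "bob", "report")
    outcomes = (
        attempt(lambda: acm.grant("bob", "carol", "report", "read")),     # allowed
        attempt(lambda: acm.grant("bob", "carol", "report", "write")),    # attenuation: bob lacks write
        attempt(lambda: acm.owner_set("alice", "carol", "report", "write")),  # owner may add any right
        attempt(lambda: acm.grant("carol", "alice", "report", "read")),   # carol has no copy right
    )
    carol = acm.rights("carol", "report")
    acm.destroy_subject("bob")           # primitive: bob's row and column disappear
    return outcomes, carol, acm.rights("bob", "report")


if __name__ == "__main__":
    print(demo())
```

The second and fourth attempts fail for different reasons: the second is attenuation of privilege (bob cannot hand out write because he does not have it), the fourth is the copy-right check (carol holds read but not the right to pass it on).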

27
Foundational Results
28
The General Question
  • Given a computer system, how can we determine if
    it is secure?
  • Is there a generic algorithm that allows us to
    determine whether a computer system is secure?
  • What do we mean by secure?
  • Use access control matrix to express the policy

29
Safety
  • Let R be the set of generic (primitive) rights of
    the system
      • No special rights (copy and own)
  • Definition: when a generic right r is added to an
    element of the access control matrix not already
    containing r, that right is said to be leaked
  • Definition: if a system can never leak right r,
    the system is called safe with respect to the
    right r. If the system can leak right r, the
    system is called unsafe with respect to the
    right r

30
Safety vs. Security
  • Safety refers to the abstract model and security
    refers to the actual implementation
  • A secure system corresponds to a model safe with
    respect to all rights
  • A model safe with respect to all rights does
    not ensure a secure system

31
The Safety Question
  • Does there exist an algorithm for determining
    whether a given protection system with initial
    state s0 is safe with respect to a generic right
    r?

32
Basic Results
  • Theorem: there exists an algorithm that will
    determine whether a given mono-operational
    protection system with initial state s0 is safe
    with respect to a generic right r
  • Proof sketch: each command is identified by the
    primitive operation it invokes. Consider the
    minimal sequence of commands needed to leak r
    from the system with initial state s0. We can
    show that the length of this sequence is bounded.
    Therefore, we can enumerate all possible states
    and determine whether the system is safe.
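The following Python block is an added example and not code from the slides: it turns the leak definition of slide 29 and the proof sketch of slide 32 into a runnable decision procedure for a small mono-operational system. A command is one precondition list plus one primitive body; the two proof-sketch steps are applied directly: all create commands are collapsed into a single fresh subject (which, being a subject, is also an object), and since only enter bodies remain the matrix grows monotonically, so the loop runs at most |S|·|O|·|R| times. The Command class, the right names "r", "w", "g" and the subjects are constructed for the demo; delete and destroy commands are not modelled here, which is an assumption of the example.

```python
from itertools import product


class Command:
    """A mono-operational command: parameter roles, a conjunction of
    preconditions (role_i, role_j, right) and exactly one primitive body,
    either ("enter", right, role_i, role_j) or ("create_subject", role)."""

    def __init__(self, name, params, conds, body):
        self.name, self.params, self.conds, self.body = name, params, conds, body


def is_safe(subjects, objects, initial, commands, right):
    """Decide whether the system is safe with respect to `right`.
    `initial` maps (subject, object) -> set of generic rights.
    Returns (True, []) if safe, or (False, trace) with the command
    invocations applied before and including the one that leaks `right`."""
    subjects, objects = list(subjects), list(objects)
    # Proof-sketch step 1: one fresh subject stands in for every entity a
    # create command could produce (it starts with no rights at all).
    if any(c.body[0].startswith("create") for c in commands):
        subjects.append("fresh")
        objects.append("fresh")
    # Copy the state so the caller's matrix is untouched; fill missing cells.
    state = {(s, o): set(initial.get((s, o), ())) for s in subjects for o in objects}
    entities = sorted(set(subjects) | set(objects))
    trace = []
    # Proof-sketch step 2: only enter bodies are left, each adds at most one
    # right to one cell, so this fixpoint loop terminates after a bounded
    # number of additions.
    changed = True
    while changed:
        changed = False
        for cmd in commands:
            if cmd.body[0] != "enter":
                continue
            _, r, ri, rj = cmd.body
            for values in product(entities, repeat=len(cmd.params)):
                bind = dict(zip(cmd.params, values))
                target = (bind[ri], bind[rj])
                if target not in state:          # ri must be a subject, rj an object
                    continue
                if not all(c_r in state.get((bind[a], bind[b]), ())
                           for a, b, c_r in cmd.conds):
                    continue
                if r in state[target]:           # re-entering a right is not a leak
                    continue
                state[target].add(r)
                trace.append(f"{cmd.name}({', '.join(values)})")
                changed = True
                if r == right:                   # the leak definition of slide 29
                    return False, trace
    return True, []


# Constructed system: generic rights "r" (read), "w" (write), "g" (may share).
SHARE_READ = Command(
    "share_read", ["p", "q", "f"],
    conds=[("p", "f", "r"), ("p", "f", "g")],    # p reads f and may share it
    body=("enter", "r", "q", "f"))               # give q read on f
SPAWN = Command("spawn", ["x"], conds=[], body=("create_subject", "x"))


def demo():
    subjects, objects = ["alice", "bob"], ["alice", "bob", "report"]
    initial = {("alice", "report"): {"r", "g"}}
    leaks_r = is_safe(subjects, objects, initial, [SHARE_READ], "r")
    safe_w = is_safe(subjects, objects, initial, [SHARE_READ], "w")
    # Without "g" alice cannot share, so "r" can never leak.
    safe_r = is_safe(subjects, objects, {("alice", "report"): {"r"}}, [SHARE_READ], "r")
    # With alice alone, "r" only leaks if a new subject can be created.
    alone = is_safe(["alice"], ["alice", "report"], initial, [SHARE_READ], "r")
    spawned = is_safe(["alice"], ["alice", "report"], initial, [SPAWN, SHARE_READ], "r")
    return leaks_r, safe_w, safe_r, alone, spawned


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two cases show why the proof sketch keeps exactly one create: with alice alone the system is safe for "r", but adding any create command lets the fresh subject receive the right, and one such subject is enough to expose every leak that any number of creates could.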

33
Basic Results (contd)
  • Theorem: it is undecidable whether a given state
    of a given protection system is safe for a given
    generic right
  • Proof sketch: we show that an arbitrary Turing
    machine can be reduced to the safety problem,
    with the Turing machine entering a final state
    corresponding to the leaking of a given generic
    right. Then, if the safety problem were decidable,
    we could determine when the Turing machine halts.
    Since we already know that the halting problem is
    undecidable, the safety problem cannot be
    decidable either.

34
Basic Results (contd)
  • The safety problem is undecidable for generic
    protection models but is decidable if the
    protection system is restricted in some way