Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Computer Security in the Real World Butler Lampson Microsoft August 2005.

Published byNatalie Barnes Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Computer Security in the Real World Butler Lampson Microsoft August 2005."— Presentation transcript:

1 1 Computer Security in the Real World Butler Lampson Microsoft August 2005

2 2 Real-World Security Its about risk, locks, and deterrence. Risk management: cost of security < expected value of loss Perfect security costs way too much Locks good enough that bad guys dont break in often. Bad guys get caught and punished often enough to be deterred, so police and courts must be good enough. You can recover from damage at an acceptable cost. Internet security is similar, but little accountability –Its hard to identify the bad guys, so cant deter them

3 3 Accountability Cant identify the bad guys, so cant deter them How to fix this? End nodes enforce accountability –They refuse messages that arent accountable enough »or strongly isolate those messages –All trust is local Need an ecosystem for –Senders becoming accountable –Receivers demanding accountability –Third party intermediaries To stop DDOS attacks, ISPs must play

4 4 How Much Security Security is expensivebuy only what you need. –You pay mainly in inconvenience –If theres no punishment, you pay a lot People do behave this way We dont tell them thisa big mistake The best is the enemy of the good –Perfect security is the worst enemy of real security Feasible security –Costs less in inconvenience than the value it protects –Simple enough for users to configure and manage –Simple enough for vendors to implement

5 5 Dangers and Vulnerabilities Dangers –Vandalism or sabotage that »damages information »disrupts service –Theft of money –Theft of information –Loss of privacy integrity availability integrity secrecy Vulnerabilities –Bad (buggy or hostile) programs –Bad (careless or hostile) people giving instructions to good programs

6 6 Defensive strategies Locks: Control the bad guys –Coarse: Isolatekeep everybody out –Medium:Excludekeep the bad guys out –Fine: RestrictKeep them from doing damage RecoverUndo the damage Deterrence: Catch the bad guys and punish them –Auditing, police, courts or other penalties

7 7 The Access Control Model Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy 1.Isolation Boundary to prevent attacks outside access-controlled channels 2.Access Control for channel traffic 3.Policy management

8 8 Isolation Attacks on: –Program –Isolation –Policy Services Boundary Creator GUARDGUARD GUARDGUARD policy Program Data guard Host I am isolated if whatever goes wrong is my (programs) fault Object Resource Reference monitor Guard Do operation Request Principal Source Authorizatio n Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

9 9 MechanismsThe Gold Standard Authenticate principals: Who made a request Mainly people, but also channels, servers, programs (encryption implements channels, so key is a principal) Authorize access: Who is trusted with a resource Group principals or resources, to simplify management Can be defined by a property, such as type-safe or safe for scripting Audit: Who did what when? Lock = Authenticate + Authorize Deter = Authenticate + Audit Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

10 10 Making Security Work Assurance –Does it really work as specified by policy? –Trusted Computing Base (TCB) »Includes everything that security depends on: Hardware, software, and configuration Assessment –Does formal policy say what I mean? »Configuration and management The unavoidable price of reliability is simplicity.Hoare

11 11 Resiliency: When TCB Isnt Perfect Mitigation: stop bugs from being tickled –Block known attacks and attack classes »Anti-virus/spyware, intrusion detection –Take input only from sources believed good »Red/green; network isolation. Inputs: code, web pages, … Recovery: better yesterdays data than no data –Restore from a (hopefully good) recent state Update: todays bug fix installed today –Quickly fix the inevitable mistakes –As fast and automatically as possible »Not just bugs, but broken crypto, compromised keys, …

12 12 Why We Dont Have Real Security A. People dont buy it: –Danger is small, so its OK to buy features instead. –Security is expensive. »Configuring security is a lot of work. »Secure systems do less because theyre older. Security is a pain. »It stops you from doing things. »Users have to authenticate themselves. B. Systems are complicated, so they have bugs. –Especially the configuration

13 13 Authentication and Authorization Alice is at Intel, working on Atom, a joint Intel- Microsoft project Alice connects to Spectra, Atom s web page, with SSL Chain of responsibility: K SSL K temp K Alice Alice@Intel Atom@Microsoft r/w Spectra Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

14 14 Principals Authentication:Who sent a message? Authorization:Who is trusted? Principal abstraction of who: –People Alice, Bob –Services microsoft.com, Exchange –Groups UW-CS, MS-Employees –Secure channelskey #678532E89A7692F, console Principals say things: –Read file foo –Alices key is #678532E89A7692F

15 15 Trust: The Speaks For Relation Principal A speaks for B about T: A –Meaning: if A says something in set T, B says it too. Thus A is as powerful as B, or trusted like B, about T These are the links in the chain of responsibility –Examples »Alice Atom group of people »Key #7438 Alice key for Alice

16 16 Delegating Trust: Evidence How do we establish a link in the chain? –A link is a fact Q R. Example: Key#7438 Alice@Intel The verifier of the link needs evidence: P says Q R. Example: K Intel says Key#7438 Alice@Intel Three questions about this evidence: –How do we know that P says the delegation? »It comes on a secure channel from P, or signed by Ps key –Why do we trust P for this delegation? »If P speaks for R, P can delegate this power –Why is P willing to say it? »It depends: P needs to know Q, R and their relationship

17 17 Secure Channel Examples –Within a nodeOperating system (pipes, LPC, etc.) –Between nodesSecure wire (hard if > 10 feet) IP Address (fantasy for most networks) Cryptography (practical) Secure channel does not mean physical network channel or path Says thingsdirectlyC says s K SSL says read Spectra Has knownpossible receiversConfidentiality possible sendersIntegrity If P is the onlypossible sender C P K Alice Alice@Intel

18 18 Authenticating Channels Chain of responsibility: K SSL K temp K Alice Alice@Intel … K temp says K Alice says (SSL setup) (via smart card)

19 19 Authenticating Names: SDSI/SPKI A name is in a name space, defined by a principal P –P is like a directory. The root principals are keys. P speaks for any name in its name space K Intel K Intel / Alice (which is just Alice@Intel ) K Intel says … K temp K Alice Alice@Intel …

20 20 Authenticating Groups A group is a principal; its members speak for it –Alice@Intel Atom@Microsoft –Bob@Microsoft Atom@Microsoft –… Evidence for groups: Just like names and keys. … K Alice Alice@Intel Atom@Microsoft r/w …

21 21 View a resource object O as a principal An ACL entry for P means P can speak for O –Permissions limit the set of things P can say for O If Spectra s ACL says Atom can r/w, that means Spectra says … Alice@Intel Atom@Microsoft r/w Spectra Authorization with ACLs

22 22 End-to-End Example: Summary Request on SSL channel: K SSL says read Spectra Chain of responsibility: K SSL K temp K Alice Alice@Intel Atom@Microsoft r/w Spectra

23 23 Authenticating Programs: Loading Essential for extensibility of security A digest X can authenticate a program SQL : –K Microsoft says If file I has digest X then I is SQL – formally X K microsoft / SQL To be a principal, a program must be loaded –By a host H into an execution environment –Examples: booting OS, launching application X SQL makes Hwant to run I if H approves SQL willing to assert H / SQL is running But H must be trusted to run SQL –K BoeingITG says H / SQL K BoeingITG / SQL like K Alice Alice@Intel

24 24 Auditing Auditing: Each step is logged and justified by –A statement, stored locally or signed (certificate), or –A built-in delegation rule Checking access: –Givena requestK Alice says read Spectra an ACL Atom may r/w Spectra –Check K Alice speaksK Alice Atom for Atom rights suffice r/w read

25 25 Assurance: NGSCB/TPM A cheap, convenient, physically separate machine A high-assurance OS stack (we hope) A systematic notion of program identity –Identity = digest of (code image + parameters) »Can abstract this: K MS says digest K MS / SQL –Host certifies the running programs identity: H says K H / P –Host grants the program access to sealed data »H seals (data, ACL) with its own secret key »H will unseal for P if P is on the ACL

26 26 Learn more Computer Security in the Real World at research.microsoft.com/lampson (slides, paper; earlier papers by Abadi, Lampson, Wobber, Burrows) Also in IEEE Computer, June 2004 Ross Anderson – www.cl.cam.ac.uk/users/rja14 Bruce Schneier – Secrets and Lies Kevin Mitnick – The Art of Deception

Download ppt "1 Computer Security in the Real World Butler Lampson Microsoft August 2005."

Similar presentations

1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.

1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.
1 Computer Security in the Real World Butler Lampson Microsoft.

1 Computer Security in the Real World Butler Lampson Microsoft.
Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.

Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.

17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Computer Security CIS326 Dr Rachel Shipsey.

Computer Security CIS326 Dr Rachel Shipsey.
OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B

OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B
Chapter 1 Introduction Copyright © 2008. Operating Systems, by Dhananjay Dhamdhere Copyright © 20081.2 Introduction Abstract Views of an Operating System.

Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
Configuration management

Configuration management
1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)

1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)
Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5 14 Protection and Security.

Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5 14 Protection and Security.
1 And Tips to Avoid Becoming a Victim Recent Cyber Crime Cases.

1 And Tips to Avoid Becoming a Victim Recent Cyber Crime Cases.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,

Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,
25 seconds left…...

25 seconds left…...
Copyright 2001 Advanced Strategies, Inc. www.advstr.com 1 Data Bridging An Overview Prepared for DIGIT 07-11- 2001 By Advanced Strategies, Inc.

Copyright 2001 Advanced Strategies, Inc. 1 Data Bridging An Overview Prepared for DIGIT By Advanced Strategies, Inc.
Installing Windows XP Professional Using Attended Installation Slide 1 of 30Session 8 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 30Session 8 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Similar presentations

Ads by Google