Presentation on theme: "MT5104 - Computer Security - Lecture 1 1 MT5104 Computer Security Dieter Gollmann Microsoft Research"— Presentation transcript:
MT5104 - Computer Security - Lecture 1 1 MT5104 Computer Security Dieter Gollmann Microsoft Research firstname.lastname@example.org
MT5104 - Computer Security - Lecture 1 2 Introduction - The plan for today Search for a definition of computer security Propose fundamental design principles for computer security Give a preview of the course Books and further reading Questions??
MT5104 - Computer Security - Lecture 1 3 References for this lecture Orange Book: US Trusted Computer Systems Evaluation Criteria ITSEC: European Information Technology Security Evaluation Criteria CTCPEC: Canadian Trusted Computer Product Evaluation Criteria ISO 7498-2 (International Standard): Basic Reference Model for Open Systems Interconnection (OSI) Part 2: Security Architecture Clark, D.R. and Wilson, D.R., A Comparison of Commercial and Military Computer Security Policies, Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184-194
MT5104 - Computer Security - Lecture 1 4 What is security? Prevention: take measures that prevent your assets from being damaged Detection: take measures so that you can detect when, how, and by whom an asset has been damaged Reaction: take measures so that you can recover your assets or to recover from a damage to your assets
MT5104 - Computer Security - Lecture 1 5 Example 1 - Private Property Prevention: locks at doors, window bars, walls round the property Detection: stolen items aren’t there anymore, burglar alarms, closed circuit TV Reaction: call the police, replace stolen items, make an insurance claim … Footnote: Parallels to the physical world can illustrate aspects of computer security but they are also misleading.
MT5104 - Computer Security - Lecture 1 6 Example 2 - eCommerce Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don’t use the Internet (?) … Detection: an unauthorized transaction appears on your credit card statement Reaction: complain, ask for a new card number, etc. Footnote: your credit card number has not been stolen.
MT5104 - Computer Security - Lecture 1 7 Computer Security? Confidentiality: prevent unauthorised disclosure of information Integrity: prevent unauthorised modification of information Availability: prevent unauthorised with- holding of information or resources Other aspects: accountability, authenticity Definitions taken from ITSEC
MT5104 - Computer Security - Lecture 1 8 Confidentiality Historically, security and secrecy were closely related. Sometimes, security and confidentiality are used as synonyms Prevent unauthorised disclosure of information (prevent unauthorised reading) Privacy: protection of personal data Secrecy: protection of date belonging to an organisation
MT5104 - Computer Security - Lecture 1 9 Integrity ITSEC: prevent unauthorised modification of information (prevent unauthorised writing) Clark and Wilson: No user of the system, even if authorized, may be permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted. Orange Book: Data Integrity - The state that exists when computerized data is the same as that in the source document and has not been exposed to accidental or malicious alteration or destruction. (Integrity synonymous for external consistency.)
MT5104 - Computer Security - Lecture 1 10 Integrity ctd. Integrity in communications: detection (and correction) of modifications of transmitted data, including both intentional modifications and random transmission errors. In the most general sense: make sure that everything is as it is supposed to be; the data in a computer system should correctly reflect some reality outside the computer system. (This is highly desirable but cannot be guaranteed by mechanisms internal to the computer system.) Integrity is a prerequisite for many other security services. Operating systems security has a lot to do with integrity.
MT5104 - Computer Security - Lecture 1 11 Availability CTCPEC: the property that a product’s services are accessible when needed and without undue delay ISO 7498-2: the property of being accessible and usable upon demand by an authorised entity Denial of Service (DoS): The prevention of authorised access of resources or the delaying of time-critical operations Availability may be the most important aspect of computer security, but there are few methods around. Distributed denial of service have recently become notorious.
MT5104 - Computer Security - Lecture 1 12 Accountability - Authorisation Accountability (Orange Book): audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party Users are identified and authenticated to have a basis for access control decisions. The security system keeps an audit log (audit trail) of security relevant events to detect and investigate intrusions.
MT5104 - Computer Security - Lecture 1 13 Reliability - Dependability Areas related to security: reliability, safety similar engineering methods, similar efforts in standardisation, possible requirement conflicts There is an overlap in notation: is security part of reliability or vice versa? Dependability (IFIP WG 10.4): the property of a com- puter system such that reliance can justifiably be placed on the service it delivers. The service delivered by a system is its behaviour as it is perceived by its user(s); a user is another system (physical, human) which interacts with the former.
MT5104 - Computer Security - Lecture 1 14 The main conclusion There is no single definition of security When reading a document, be careful not to confuse your own notion of security with that used in the document A lot of time is being spent - and wasted - trying to define an unambiguous notation for security Our definition: computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
MT5104 - Computer Security - Lecture 1 15 The Fundamental Dilemma of Computer Security Security unaware users have specific security requirements but no security expertise. Orange Book: Can predefined evaluation criteria meet specific user requirements? ITSEC: How can a security unaware user assess a specific target of evaluation?
MT5104 - Computer Security - Lecture 1 16 Principles of Computer Security The Dimensions of Computer Security Application Software User (subject) Hardware Resource (object)
MT5104 - Computer Security - Lecture 1 17 1 st Fundamental Design Decision Where is the focus of security controls? Security controls may focus on data – operations - users For example, integrity can mean following a given set of rules on the format and content of data items (internal consistency) the operations that may be performed on a data item the users who are allowed to access a data item (authorised access)
MT5104 - Computer Security - Lecture 1 18 2 nd Fundamental Design Decision Where to place security controls? hardware applications services (middleware) operating system OS kernel
MT5104 - Computer Security - Lecture 1 19 The Man-Machine Scale Security mechanisms can be visualized as concentric protection rings, with hardware mechanisms in the centre and application mechanisms at the outside Mechanisms towards the centre tend to be more generic while mechanisms at the outside are more likely to address individual user requirements Combining our first two design decisions, we refer to a man-machine scale for security mechanisms.
MT5104 - Computer Security - Lecture 1 20 The Man-Machine Scale specific complex focus on users generic simple focus on data man oriented machine oriented
MT5104 - Computer Security - Lecture 1 21 Data vs Information Data are physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information. Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules. Information and data correspond to the two ends of the man-machine scale. The distinction between data and information is subtle but it also causes some of the more difficult problems in computer security.
MT5104 - Computer Security - Lecture 1 22 Data vs Information ctd. Controlling access to information can be elusive and may have to be replaced by controlling access to data If there is a close link between information and corresponding data, the two approaches may give very similar results. However, this is not always the case. Covert channels: response time or memory usage is used to signal information. (More explanations in a few weeks.) Inference in statistical databases: combinations of statistical queries give information on individual entries. (More explanations in the course on database security.)
MT5104 - Computer Security - Lecture 1 23 3 rd Fundamental Design Decision complexity vs assurance Frequently, the location of a security mechanism on the man-machine scale is related to its complexity. You find simple generic mechanisms while applications often clamour for feature-rich security functions. Do you prefer simplicity - and higher assurance - to a feature-rich security environment? The fundamental dilemma: simple generic mechanisms may not match specific security requirements. To choose the right features from a rich menu, you have to be a security expert. Security unaware users are in a no-win situation.
MT5104 - Computer Security - Lecture 1 24 Example: Security Evaluation Security evaluation checks whether a product delivers a promised security service. We have to state the function of the security system the required degree of assurance (trust) in its security To achieve a high degree of assurance, the security system has to be examined exhaustively and in close detail. There is an obvious trade-off between complexity and assurance. The higher an assurance level you aim for, the simpler your system ought to be. Feature-rich security and high assurance do not match easily
MT5104 - Computer Security - Lecture 1 25 4 th Fundamental Design Decision centralised or decentralised controls? Within the domain of a security policy, the same controls should be enforced. If a single entity is in charge of security, then it is easy to achieve uniformity but this central entity may become a performance bottleneck. A distributed solution may be more efficient but you have to take added care to guarantee that different components enforce a consistent policy. Should the tasks of defining and enforcing security be given to a central entity or should they be left to individual components in a system?
MT5104 - Computer Security - Lecture 1 26 5 th Fundamental Design Decision blocking access to the layer below It is now time to think about attackers trying to bypass protection mechanisms. Every protection mechanism defines a security perimeter (boundary). The parts of the system that can disable the mechanism lie within the perimeter, the parts of the system that can malfunction without compromising the mechanism lie outside. There is an immediate and important corollary to the second design decision: How do you stop an attacker from getting access to a layer below your protection mechanism?
MT5104 - Computer Security - Lecture 1 27 The Layer Below - Examples Recovery tools, like Norton Utilities, restore the data by reading memory directly and then restoring the file structure. Such a tool can be used to circumvent logical access control as it does not care for the logical memory structure Unix treats I/O devices and physical memory devices like files. If access permissions are defined badly, e.g. if read access is given to a disk containing read protected files, then an attacker can read the disk contents and reconstruct the files.
MT5104 - Computer Security - Lecture 1 28 The Layer Below - more examples Object reuse: in a single processor system, when a new process becomes active, it gets access to memory positions used by the previous process. You have to avoid storage residues, i.e. data left behind in the memory area allocated to the new process. Backup: whoever has access to a backup tape has access to all the data on it. Logical access control is of no help and backup tapes have to be locked away safely to protect the data. Core dumps: same story again
MT5104 - Computer Security - Lecture 1 29 Structure of the course Theory Access control structures Security models Security kernels Hardware security features Practice Operating system security: case studies Middleware security Web security Vulnerabilities: case studies, malicious software
MT5104 - Computer Security - Lecture 1 30 Books on Computer Security D. Gollmann: Computer Security, Wiley & Sons, 1999 C.P. Pfleeger: Security in Computing, Prentice-Hall, 1997 J.S. Park: AS/400 Security in a Client/Server Environment, Wiley & Sons, 1995 L. Gong: Inside Java 2 Platform Security, Addison Wesley, 1999 Ernst & Young: Logical Access Control, McGraw-Hill, 1993 M. Gasser: Building a Secure Computer System. Van Nostrand Reinhold, 1988
MT5104 - Computer Security - Lecture 1 31 Exercises Conduct a survey of security definitions, consult e.g. http://www.radium.ncsc.mil/tpep/process/faq.html http://www.itsec.gov.uk ftp://ftp.cse-cst.gc.ca/pub/criteria/CTCPEC Medical records that can be accessed on-line are sensitive information that should be protected from disclosure, but in an emergency it is highly desirable that whoever treats you has access to your record. How would you use prevention, detection, and recovery to secure your records? Identify suitable security perimeters for analyzing personal computer (PC) security. Consider the room the PC is placed in, the PC itself, or some security module within the PC when investigating security perimeters.