1. CS526: Information Security Chris Clifton August 26, 2003 Course Overview Portions of the material courtesy Professor Matt Bishop

2. 2 What is Information Security? Confidentiality –Is this all? –Why not? Availability –To whom? Authentication –Still not there Integrity It’s about more than network security!

3. 3 Course Outline 1.Introduction: Role of security, Types of security, Definitions. 2.Classification Schemes, Access Control. 3.Formalisms: Information flow, Protection Models. 4.Policy: Risk Analysis, Policy Formation, Role of audit and control. 5.Formal policy models. 6.Cryptography: Cipher methods, Key management, digital signatures. 7.Authentication and Identity. 8.System Design principles. TCB and security kernel construction, Verification, Certification issues. Midterm. Most likely date: 10/16. 9.System Verification. 10.Network Security. Distributed cooperation and commit. Distributed authentication issues. Routing, flooding, spamming. Firewalls. 11.Audit Mechanisms. 12.Malicious Code: Viruses, Worms, etc. 13.Intrusion Detection and Response 14.Vulnerability Analysis. 15.Physical threats, operational security, Legal and Societal Issues Final Exam

4. 4 Course Administration www.cs.purdue.edu/homes/clifton/cs526/ Teaching Assistants: –Yan Wu –Ali Kumcu Mailing list: cs526@cs Evaluation/Grading –Midterm 25%, Final 36% –Exercises, projects, paper reviews 36% 1-2 programming projects 9-11 written assignments (e.g., book exercises) Let me know if you will be taking the qual1

5. 5 Waiting List / Registration Send me “background information” as follows: Preferred Email, registered for CS526, Expected graduation, Research focus, Had CS555, Will take CS555, Taking CS626, likely TA next year Sample: clifton@cs, no, 6/1991, Privacy and Data Mining, no, no, no, no Waitlisted students will be admitted to ensure everyone gets a shot at the course –I am scheduled to offer it next fall

6. 6 Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues

7. 7 Basic Components Confidentiality –Keeping data and resources hidden Integrity –Data integrity (integrity) –Origin integrity (authentication) Availability –Enabling access to data and resources

8. 8 Classes of Threats Disclosure –Snooping Deception –Modification, spoofing, repudiation of origin, denial of receipt Disruption –Modification Usurpation –Modification, spoofing, delay, denial of service

9. 9 Policies and Mechanisms Policy says what is, and is not, allowed –This defines “security” for the site/system/etc. –Policy definition: Informal? Formal? Mechanisms enforce policies Composition of policies –If policies conflict, discrepancies may create security vulnerabilities

10. 10 Goals of Security Prevention –Prevent attackers from violating security policy Detection –Detect attackers’ violation of security policy Recovery –Stop attack, assess and repair damage –Continue to function correctly even if attack succeeds

11. 11 Trust and Assumptions Underlie all aspects of security Policies –Unambiguously partition system states –Correctly capture security requirements Mechanisms –Assumed to enforce policy –Support mechanisms work correctly

12. 12 Types of Mechanisms secure precise broad set of reachable statesset of secure states

13. 13 Assurance Specification –Requirements analysis –Statement of desired functionality Design –How system will meet specification Implementation –Programs/systems that carry out design

14. 14 Operational Issues Cost-Benefit Analysis –Is it cheaper to prevent or recover? Risk Analysis –Should we protect something? –How much should we protect this thing? Laws and Customs –Are desired security measures illegal? –Will people do them?

15. 15 Human Issues Organizational Problems –Power and responsibility –Financial benefits People problems –Outsiders and insiders Which do you think is the real threat? –Social engineering

16. 16 Tying the Definitions Together Threats Policy Specification Design Implementation Operation

17. 17 Key Points Policy defines security, and mechanisms enforce security –Confidentiality –Integrity –Availability Trust and knowing assumptions Importance of assurance The human factor

18. 18 Models: Access Control What is access control? –Limiting who is allowed to do what What is an access control model? –Specifying who is allowed to do what What makes this hard? –Interactions between types of access

19. 19 Basics State: Status of the system –Protection state: subset that deals with protection Access Control Matrix –Describes protection state Formally: –Objects O –Subjects S –Matrix A  S  O Tuple (S, O, A) defines protection states of system

20. 20 Student Choice Topics Trusted Computing Systems –How does software know underlying system can be trusted? –Case study of trusted system / verification –Validation process Forensics –Recovery/Prevention –Tracing/Prosecution Digital Rights Management

21. CS526: Information Security Chris Clifton August 28, 2003 Access Control Matrices

22. 22 Access Restriction Facility Subject: attributes (name, role, groups) Verbs: possible actions –Default rule for each verb Objects associated with set of verbs –Rule for each (object, verb) pair –Rule may be function of subject attributes Can be converted to Access Control Matrix

23. 23 Access Control Matrix: Boolean Evaluation Example InternalLocalState University Long Distance International PublicCRR StudentCR RRR StaffCR RR AccountCR TT T T Transfer T T T T T T

24. 24 What Else Might We Add? Default Rule –General default: Receive –Object default: Call Internal –Requires ability to override with negative and positive access Time-based access –Allow students to call on State University system after hours? History-based access

25. 25 Access Control by History Example: Statistical Database –A–Allows queries for general statistics –B–But not individual values Valid queries: Statistics on 20+ individuals –T–Total salary of all Deans –S–Salary of Computer Science Professors See a problem coming? –S–Salary of CS Professors who aren’t Deans

26. 26 Solution: Query Set Overlap Control (Dobkin, Jones & Lipton ’79) Query valid if intersection of query coverage and each previous query < r Given K minimum query size, r overlap: –Need 1 + (K-1)/r queries to compromise Can represent as access control matrix –Subjects: entities issuing queries –Objects: Powerset of records –O s (i) : objects referenced by s in queries 1..i –A[s,o] = read iff

27. CS526: Information Security Chris Clifton August 28, 2003 Why Security is Hard

28. 28 Protection Study: Your Homework What does it take to make sure your homework is secure? –L–Let’s assume a Unix system (mentor.ics) –I–Issues? Participation Expected!

29. 29 Protection State Transitions State X i = (S i, O i, A i ) Transitions τ i –Single transition X i ├ τ i+1 X i+1 –Series of transitions X ├* Y Access control matrix may change –Change command c associated with transition –X i ├ c i+1 (p i+1,…,p i+1 ) X i+1 Change command c associated with transition

30. 30 Primitive Commands Create Object o –Adds o to objects with no access –S’=S, O’=O  {o}, (  x  S’)[a’[x,o] =  ], (  x  S’)(  y  O)[a’[x,y] = a[x,y]] Create Subject s –Adds s to objects, subjects, sets relevant access control to  Enter r into a[s,o] Delete r from a[s,o] Destroy subject s, destroy object o

31. 31 Special Privileges: Copy, Ownership Copy (or grant) –Possessor can extend privileges to another Own right –Possessor can change their own privileges Principle of Attenuation of Privilege –A subject may not give rights it does not possess

32. 32 Next Optional reading: Dobkin, Jones, and Lipton (TODS 4(1), see course web site) Basic theorems on protection states –Decidability of safety of a state with respect to a right More Protection Models