1 Computer Security in the Real World Butler Lampson Microsoft August 2005.

Slides:



Advertisements
Similar presentations
1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.
Advertisements

1 Computer Security in the Real World Butler Lampson Microsoft.
Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Computer Security CIS326 Dr Rachel Shipsey.
OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B
Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
Configuration management
1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)
Slide 14-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 5 14 Protection and Security.
1 And Tips to Avoid Becoming a Victim Recent Cyber Crime Cases.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
Public Key Infrastructure Alex Bardas. What is Cryptography ? Cryptography is a mathematical method of protecting information –Cryptography is part of,
25 seconds left…...
Copyright 2001 Advanced Strategies, Inc. 1 Data Bridging An Overview Prepared for DIGIT By Advanced Strategies, Inc.
Installing Windows XP Professional Using Attended Installation Slide 1 of 30Session 8 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Chapter 1  Introduction 1 Introduction Chapter 1  Introduction 2 The Cast of Characters  Alice and Bob are the good guys  Trudy is the bad guy 
Chapter 1  Introduction 1 Chapter 1: Introduction.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
VM: Chapter 5 Guiding Principles for Software Security.
1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
Introduction To Windows NT ® Server And Internet Information Server.
1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, Edited.
1 Software and Security Butler Lampson Microsoft.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
G53SEC Computer Security Introduction to G53SEC 1.
Masud Hasan Secue VS Hushmail Project 2.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
CS CS 5150 Software Engineering Lecture 18 Security.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Rebecca Pritchard.
1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.
Chapter 1  Introduction 1 Chapter 1: Introduction.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
3/15/01CSCI {4,6}900: Ubiquitous Computing1 Announcements.
Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: Computers can do a lot of damage fast. There.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.
1 Computer Security in the Real World Butler Lampson What people want from computer security is to be as secure with computers as they are in the real.
Security Issues CS 560. Security in the software development process The security goal:  To make sure that agents (people or external systems) who interact.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
What is YOUR Data Worth???. “Just because you're paranoid doesn't mean they aren't after you.” Joseph Heller, Catch-22.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Accountability and Freedom
Protecting Memory What is there to protect in memory?
Outline What does the OS protect? Authentication for operating systems
Outline What does the OS protect? Authentication for operating systems
Security of a Local Area Network
Chapter 27: System Security
INFORMATION SYSTEMS SECURITY and CONTROL
Security.
Introduction Security Intro 1.
Designing IIS Security (IIS – Internet Information Service)
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Presentation transcript:

1 Computer Security in the Real World Butler Lampson Microsoft August 2005

2 Real-World Security Its about risk, locks, and deterrence. Risk management: cost of security < expected value of loss Perfect security costs way too much Locks good enough that bad guys dont break in often. Bad guys get caught and punished often enough to be deterred, so police and courts must be good enough. You can recover from damage at an acceptable cost. Internet security is similar, but little accountability –Its hard to identify the bad guys, so cant deter them

3 Accountability Cant identify the bad guys, so cant deter them How to fix this? End nodes enforce accountability –They refuse messages that arent accountable enough »or strongly isolate those messages –All trust is local Need an ecosystem for –Senders becoming accountable –Receivers demanding accountability –Third party intermediaries To stop DDOS attacks, ISPs must play

4 How Much Security Security is expensivebuy only what you need. –You pay mainly in inconvenience –If theres no punishment, you pay a lot People do behave this way We dont tell them thisa big mistake The best is the enemy of the good –Perfect security is the worst enemy of real security Feasible security –Costs less in inconvenience than the value it protects –Simple enough for users to configure and manage –Simple enough for vendors to implement

5 Dangers and Vulnerabilities Dangers –Vandalism or sabotage that »damages information »disrupts service –Theft of money –Theft of information –Loss of privacy integrity availability integrity secrecy Vulnerabilities –Bad (buggy or hostile) programs –Bad (careless or hostile) people giving instructions to good programs

6 Defensive strategies Locks: Control the bad guys –Coarse: Isolatekeep everybody out –Medium:Excludekeep the bad guys out –Fine: RestrictKeep them from doing damage RecoverUndo the damage Deterrence: Catch the bad guys and punish them –Auditing, police, courts or other penalties

7 The Access Control Model Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy 1.Isolation Boundary to prevent attacks outside access-controlled channels 2.Access Control for channel traffic 3.Policy management

8 Isolation Attacks on: –Program –Isolation –Policy Services Boundary Creator GUARDGUARD GUARDGUARD policy Program Data guard Host I am isolated if whatever goes wrong is my (programs) fault Object Resource Reference monitor Guard Do operation Request Principal Source Authorizatio n Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

9 MechanismsThe Gold Standard Authenticate principals: Who made a request Mainly people, but also channels, servers, programs (encryption implements channels, so key is a principal) Authorize access: Who is trusted with a resource Group principals or resources, to simplify management Can be defined by a property, such as type-safe or safe for scripting Audit: Who did what when? Lock = Authenticate + Authorize Deter = Authenticate + Audit Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

10 Making Security Work Assurance –Does it really work as specified by policy? –Trusted Computing Base (TCB) »Includes everything that security depends on: Hardware, software, and configuration Assessment –Does formal policy say what I mean? »Configuration and management The unavoidable price of reliability is simplicity.Hoare

11 Resiliency: When TCB Isnt Perfect Mitigation: stop bugs from being tickled –Block known attacks and attack classes »Anti-virus/spyware, intrusion detection –Take input only from sources believed good »Red/green; network isolation. Inputs: code, web pages, … Recovery: better yesterdays data than no data –Restore from a (hopefully good) recent state Update: todays bug fix installed today –Quickly fix the inevitable mistakes –As fast and automatically as possible »Not just bugs, but broken crypto, compromised keys, …

12 Why We Dont Have Real Security A. People dont buy it: –Danger is small, so its OK to buy features instead. –Security is expensive. »Configuring security is a lot of work. »Secure systems do less because theyre older. Security is a pain. »It stops you from doing things. »Users have to authenticate themselves. B. Systems are complicated, so they have bugs. –Especially the configuration

13 Authentication and Authorization Alice is at Intel, working on Atom, a joint Intel- Microsoft project Alice connects to Spectra, Atom s web page, with SSL Chain of responsibility: K SSL K temp K Alice r/w Spectra Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

14 Principals Authentication:Who sent a message? Authorization:Who is trusted? Principal abstraction of who: –People Alice, Bob –Services microsoft.com, Exchange –Groups UW-CS, MS-Employees –Secure channelskey #678532E89A7692F, console Principals say things: –Read file foo –Alices key is #678532E89A7692F

15 Trust: The Speaks For Relation Principal A speaks for B about T: A –Meaning: if A says something in set T, B says it too. Thus A is as powerful as B, or trusted like B, about T These are the links in the chain of responsibility –Examples »Alice Atom group of people »Key #7438 Alice key for Alice

16 Delegating Trust: Evidence How do we establish a link in the chain? –A link is a fact Q R. Example: Key#7438 The verifier of the link needs evidence: P says Q R. Example: K Intel says Key#7438 Three questions about this evidence: –How do we know that P says the delegation? »It comes on a secure channel from P, or signed by Ps key –Why do we trust P for this delegation? »If P speaks for R, P can delegate this power –Why is P willing to say it? »It depends: P needs to know Q, R and their relationship

17 Secure Channel Examples –Within a nodeOperating system (pipes, LPC, etc.) –Between nodesSecure wire (hard if > 10 feet) IP Address (fantasy for most networks) Cryptography (practical) Secure channel does not mean physical network channel or path Says thingsdirectlyC says s K SSL says read Spectra Has knownpossible receiversConfidentiality possible sendersIntegrity If P is the onlypossible sender C P K Alice

18 Authenticating Channels Chain of responsibility: K SSL K temp K Alice … K temp says K Alice says (SSL setup) (via smart card)

19 Authenticating Names: SDSI/SPKI A name is in a name space, defined by a principal P –P is like a directory. The root principals are keys. P speaks for any name in its name space K Intel K Intel / Alice (which is just ) K Intel says … K temp K Alice …

20 Authenticating Groups A group is a principal; its members speak for it –… Evidence for groups: Just like names and keys. … K Alice r/w …

21 View a resource object O as a principal An ACL entry for P means P can speak for O –Permissions limit the set of things P can say for O If Spectra s ACL says Atom can r/w, that means Spectra says … r/w Spectra Authorization with ACLs

22 End-to-End Example: Summary Request on SSL channel: K SSL says read Spectra Chain of responsibility: K SSL K temp K Alice r/w Spectra

23 Authenticating Programs: Loading Essential for extensibility of security A digest X can authenticate a program SQL : –K Microsoft says If file I has digest X then I is SQL – formally X K microsoft / SQL To be a principal, a program must be loaded –By a host H into an execution environment –Examples: booting OS, launching application X SQL makes Hwant to run I if H approves SQL willing to assert H / SQL is running But H must be trusted to run SQL –K BoeingITG says H / SQL K BoeingITG / SQL like K Alice

24 Auditing Auditing: Each step is logged and justified by –A statement, stored locally or signed (certificate), or –A built-in delegation rule Checking access: –Givena requestK Alice says read Spectra an ACL Atom may r/w Spectra –Check K Alice speaksK Alice Atom for Atom rights suffice r/w read

25 Assurance: NGSCB/TPM A cheap, convenient, physically separate machine A high-assurance OS stack (we hope) A systematic notion of program identity –Identity = digest of (code image + parameters) »Can abstract this: K MS says digest K MS / SQL –Host certifies the running programs identity: H says K H / P –Host grants the program access to sealed data »H seals (data, ACL) with its own secret key »H will unseal for P if P is on the ACL

26 Learn more Computer Security in the Real World at research.microsoft.com/lampson (slides, paper; earlier papers by Abadi, Lampson, Wobber, Burrows) Also in IEEE Computer, June 2004 Ross Anderson – Bruce Schneier – Secrets and Lies Kevin Mitnick – The Art of Deception

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.