1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.

Slides:



Advertisements
Similar presentations
1 Computer Security in the Real World Butler Lampson Microsoft August 2005.
Advertisements

1 IDX. 2 What you will learn: What IDX is Why its important How to use it Tips and tricks Introduction Q & A.
1 Computer Security in the Real World Butler Lampson Microsoft.
Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
Copyright Critical Software S.A All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.
Executional Architecture
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
What’s New in WatchGuard Dimension v1.2
© Paradigm Publishing, Inc Excel 2013 Level 2 Unit 2Managing and Integrating Data and the Excel Environment Chapter 6Protecting and Sharing Workbooks.
Chapter 1  Introduction 1 Chapter 1: Introduction.
Internet of Things Security Architecture
1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.
Chapter 11 Firewalls.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
1 Software and Security Butler Lampson Microsoft.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
Intranet, Extranet, Firewall. Intranet and Extranet.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,
G53SEC Computer Security Introduction to G53SEC 1.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision.
CS CS 5150 Software Engineering Lecture 18 Security.
CONTENTS  INTRODUCTION.  KEYWORDS  WHAT IS FIREWALL ?  WHY WE NEED FIREWALL ?  WHY NOT OTHER SECURITY MECHANISM ?  HOW FIREWALL WORKS ?  WHAT IT.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Virtual Workspaces Kate Keahey Argonne National Laboratory.
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Security CS Introduction to Operating Systems.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Kamran Didcote.
Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: Computers can do a lot of damage fast. There.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Security Vulnerabilities in A Virtual Environment
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Resilient Cyber Security and Privacy Butler Lampson Microsoft Research Cyberforum April 7, 2015.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Accountability and Freedom
Schneider Symposium on Trustworthiness
Security in Networking
Firewalls Jiang Long Spring 2002.
How to Mitigate the Consequences What are the Countermeasures?
Designing IIS Security (IIS – Internet Information Service)
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005

2 Real-World Security It s about risk, locks, and deterrence. Risk management: cost of security < expected loss Perfect security costs way too much Locks good enough that bad guys break in rarely Bad guys get caught and punished enough to be deterred, so police / courts must be good enough. Can recover from damage at an acceptable cost. Internet security similar, but little accountability –Cant identify the bad guys, so cant deter them

3 How Much Security Security is costlybuy only what you need –You pay mainly in inconvenience –If theres no punishment, you pay a lot People do behave this way We dont tell them thisa big mistake The best is the enemy of the good –Perfect security is the worst enemy of real security Feasible security –Costs less than the value it protects –Simple enough for users to manage –Simple enough for vendors to implement

4 Causes of Security Problems Exploitable bugs Bad configuration –TCB: Everything that security depends on Hardware, software, and configuration –Does formal policy say what I mean? Can I understand it? Can I manage it? Why least privilege doesnt work –Too complicated, cant manage it The unavoidable price of reliability is simplicity Hoare

5 Defensive strategies Locks: Control the bad guys –Coarse: Isolate keep everybody out –Medium:Exclude keep the bad guys out –Fine: Restrict Keep them from doing damage Recover Undo the damage Deterrence: Catch bad guys, punish them –Auditing, police, courts or other penalties

6 The Access Control Model Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy 1.Isolation Boundary to prevent attacks outside access-controlled channels 2.Access Control for channel traffic 3.Policy management

7 Isolation Attacks on: –Program –Isolation –Policy Services Boundary Creator GUARDGUARD GUARDGUARD policy Program Data guard Host I am isolated if anything that goes wrong is my fault – Actually, my programs fault Object Resource Reference monitor Guard Do operation Request Principal Source Authorizatio n Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

8 Access Control Mechanisms: The Gold Standard Authenticate principals: Who made a request Mainly people, but also channels, servers, programs (encryption implements channels, so key is a principal) Authorize access: Who is trusted with a resource Group principals or resources, to simplify management Can define by a property, e.g. type-safe or safe for scripting Audit: Who did what when? Lock = Authenticate + Authorize Deter = Authenticate + Audit Object Resource Reference monitor Guard Do operation Request Principal Source Authorization Audit log Authentication Policy 1. Isolation boundary 2. Access control 3. Policy

9 Making Isolation Work Isolation is imperfect: Cant get rid of bugs –TCB = M lines of code –Customers want features more than correctness Instead, dont tickle them. How? Reject bad inputs –Code: dont run or restrict severely –Communication: reject or restrict severely Especially web sites –Data: dont send; dont accept if complex

10 Accountability Cant identify bad guys, so cant deter them Fix? End nodes enforce accountability –Refuse messages that arent accountable enough or strongly isolate those messages –Senders are accountable if you can punish them –All trust is local Need an ecosystem for –Senders becoming accountable –Receivers demanding accountability –Third party intermediaries To stop DDOS attacks, ISPs must play

11 Enforcing Accountability Not being accountable enough means end nodes will reject inputs –Application execution is restricted or prohibited –Communication is restricted or prohibited –Information is not shared or accepted –Access to devices or networks is restricted or prohibited

12 For Accountability To Work Senders must be able to make themselves accountable –This means pledging something of value Friendship Reputation Money … Receivers must be able to check accountability –Specify what is accountable enough –Verify senders evidence of accountability

13 Accountability vs. Access Control In principle there is no difference but Accountability is about punishment, not locks –Hence audit is critical Accountability is very coarse-grained

14 The Accountability Ecosystem Identity, reputation, and indirection services Mechanisms to establish trust relationships –Person to person and person to organization A flexible, simple user model for identity Stronger user authentication –Smart card, cell phone, biometrics Application identity: signing, reputation

15 Accountable Internet Access Just enough to block DDoS attacks Need ISPs to play. Why should they? –Servers demand it; clients dont get locked out –Regulation? A server asks its ISP to block some IP addresses ISPs propagate such requests to peers or clients –Probably must be based on IP address –Perhaps some signing scheme to traverse unreliable intermediaries? High priority packets can get through

16 Partition world into two parts: –GreenSafer/accountable –RedLess safe/unaccountable Two aspects, mostly orthogonal –User Experience –Isolation mechanism Separate hardware with air gap VM Process isolation Accountability vs. Freedom

17 Without R|G: Today N attacks/yr Less valuable assets More valuable assets My Computer m attacks/yr Total: N+m attacks/yr on all assets (N >> m) Less trustworthy Less accountable entities More trustworthy More accountable entities Entities - Programs - Network hosts - Administrators

18 With R|G Less valuable assets My Red Computer N attacks/yr on less valuable assets More valuable assets More valuable assets My Green Computer m attacks/yr on more valuable assets N attacks/yr m attacks/yr (N >> m) Less trustworthy Less accountable entities More trustworthy More accountable entities Entities - Programs - Network hosts - Administrators

19 Must Get Configuration Right Less valuable assets My Red Computer More valuable assets More valuable assets My Green Computer Valuable Asset Less trustworthy Less accountable entities More trustworthy More accountable entities Hostile agent Keep valuable stuff out of red Keep hostile agents out of green

20 Why R|G? Problems: –Any OS will always be exploitable The richer the OS, the more bugs –Need internet access to get work done, have fun The internet is full of bad guys Solution: Isolated work environments: –Green: important assets, only talk to good guys Dont tickle the bugs, by restricting inputs –Red: less important assets, talk to anybody Blow away broken systems Good guys: more trustworthy / accountable –Bad guys: less trustworthy or less accountable

21 Configuring Green Green = locked down = only whitelist inputs Requires professional management –Few users can make these decisions –Avoid click OK to proceed To escape, use Red –Today almost all machines are Red

22 R|G User Model Dilemma People dont want complete isolation –They want to: Cut/paste, drag/drop Share parts of the file system Share the screen Administer one machine, not multiple … But more integration can weaken isolation –Add bugs –Compromise security

23 Data Transfer Mediates data transfer between machines –Drag / drop, Cut / paste, Shared folders Problems –Red Green: Malware entering –Green Red: Information leaking Possible policy –Allowed transfers (configurable). Examples: No transfer of.exe from R to G Only transfer ASCII text from R to G –Non-spoofable user intent; warning dialogs –Auditing Synchronous virus checker; third party hooks,...

24 Where Should /IM Run? As productivity applications, they must be well integrated in the work environment (green) ThreatsA tunnel from the bad guys –Executable attachments –Exploits of complicated data formats Choices –Run two copies, one in Green and one in Red –Run in Green and mitigate threats Green platform does not execute arbitrary programs Green apps are conservative in the file formats they accept –Route messages to appropriate machine

25 R|G and Enterprise Networks Red and green networks are defined as today: –IPSEC –Guest firewall –Proxy settings –… The VMM can act as a router –E.g. red only talks to the proxy

26 Summary Security is about risk management –Cost of security < expected loss Security relies on deterrence more than locks –Deterrence requires the threat of punishment –This requires accountability Accountability needs an ecosystem –Senders becoming accountable –Receivers verifying accountability Accountability limits freedom –Beat this by partitioning: red | green –Dont tickle bugs in green, dispose of red

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.