1 Computer Security in the Real World Butler Lampson Microsoft.

Slides:



Advertisements
Similar presentations
Building Secure Mashups D. K. Smetters PARC Usable.
Advertisements

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
1 Computer Security in the Real World Butler Lampson Microsoft August 2005.
1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.
© Copyright 2006 FPT Software 1 © FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 How to work in Fsoft project Authors: KienNT.
Implementing Tableau Server in an Enterprise Environment
Using Matrices in Real Life
Chapter 9 E-Security. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Security in Cyberspace Conceptualizing Security Designing for Security.
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Scienze dellInformazione Università di Bologna.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Copyright © 2002 Pearson Education, Inc.. 2 Chapter 2 Getting Started.
Chapter 1 The Study of Body Function Image PowerPoint
By Rick Clements Software Testing 101 By Rick Clements
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Introduction to HTML, XHTML, and CSS
My Alphabet Book abcdefghijklm nopqrstuvwxyz.
Making the System Operational
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
P-Card User Guide Standard Profile July RCNJ-BOA Purchasing Card User Guide – Standard Profile Ramapo College and Bank of America VISA Procurement.
© SafeNet Confidential and Proprietary Administering SafeNet StorageSecure Smart Card Module 3: Lesson 5 SafeNet StorageSecure Storage Security Course.
Lesson 6: Configuring Servers for Remote Management
Configuration management
Software change management
1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.
ABC Technology Project
1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)
31242/32549 Advanced Internet Programming Advanced Java Programming
Executional Architecture
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.
25 seconds left…...
Services Course Windows Live SkyDrive Participant Guide.
Copyright 2001 Advanced Strategies, Inc. 1 Data Bridging An Overview Prepared for DIGIT By Advanced Strategies, Inc.
We will resume in: 25 Minutes.
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
Installing Windows XP Professional Using Attended Installation Slide 1 of 30Session 8 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Introduction to ikhlas ikhlas is an affordable and effective Online Accounting Solution that is currently available in Brunei.
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.
TCP/IP Protocol Suite 1 Chapter 18 Upon completion you will be able to: Remote Login: Telnet Understand how TELNET works Understand the role of NVT in.
HTML Concepts and Techniques Fourth Edition Project 2 Creating and Editing a Web Page.
1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.
1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Introduction To Windows NT ® Server And Internet Information Server.
Chapter 4 Access Control Manage Principals operations in system.
1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, Edited.
1 Software and Security Butler Lampson Microsoft.
Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Configuring Directory Certificate Services Lesson 13.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Security (and privacy) Larry Rudolph With help from Srini Devedas, Dwaine Clark.
The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
3/15/01CSCI {4,6}900: Ubiquitous Computing1 Announcements.
Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: Computers can do a lot of damage fast. There.
© ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 6 Implementing Infrastructure Controls.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
1 Computer Security in the Real World Butler Lampson What people want from computer security is to be as secure with computers as they are in the real.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Presentation transcript:

1 Computer Security in the Real World Butler Lampson Microsoft

2 Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: –Computers can do a lot of damage fast. –There are many places for things to go wrong. –Networks enable »Anonymous attacks from anywhere »Automated infection »Hostile code and hostile hosts –People dont trust new things.

3 Real-World Security Its about value, locks, and punishment. Locks good enough that bad guys dont break in very often. Police and courts good enough that bad guys that do break in get caught and punished often enough. Less interference with daily life than value of loss. Security is expensivebuy only what you need.

4 Elements of Security Policy:Specifying security What is it supposed to do? Mechanism:Implementing security How does it do it? Assurance:Correctness of security Does it really work?

5 Dangers Vandalism or sabotage that –damages information –disrupts service Theft of money Theft of information Loss of privacy integrity availability integrity secrecy

6 Vulnerabilities Bad (buggy or hostile) programs Bad (careless or hostile) people giving instructions to good programs Bad guy interfering with communications

7 Defensive strategies Keep everybody out –Isolation Keep the bad guy out –Code signing, firewalls Let him in, but keep him from doing damage –Sandboxing, access control Catch him and prosecute him –Auditing, police

8 The Access Control Model Guards control access to valued resources. Reference monitor Object Do operation Resource Principal GuardRequestSource

9 MechanismsThe Gold Standard Authenticating principals Mainly people, but also channels, servers, programs Authorizing access. Usually for groups of principals Auditing Assurance –Trusted computing base

10 Assurance: Making Security Work Trusted computing base –Limit what has to work to ensure security »Ideally, TCB is small and simple –Includes hardware and software –Also includes configuration, usually overlooked »What software has privileges »Database of users, passwords, privileges, groups »Network information (trusted hosts, …) »Access controls on system resources »... The unavoidable price of reliability is simplicity.Hoare

11 Assurance: Configuration Userskeep it simple –At most three levels: self, friends, others »Three places to put objects –Everything else done automatically with policies Administratorskeep it simple –Work by defining policies. Examples: »Each user has a private home folder »Each user belongs to one workgroup with a private folder »System folders contain vendor-approved releases »All executable programs are signed by a trusted party Todays systems dont support this very well

12 Assurance: Defense in Depth Network, with a firewall Operating system, with sandboxing –Basic OS (such as NT) –Higher-level OS (such as Java) Application that checks authorization directly All need authentication

13 Why We Dont Have Real Security A. People dont buy it: –Danger is small, so its OK to buy features instead. –Security is expensive. »Configuring security is a lot of work. »Secure systems do less because theyre older. Security is a pain. »It stops you from doing things. »Users have to authenticate themselves. B. Systems are complicated, so they have bugs.

14 Standard Operating System Security Assume secure channel from user (without proof) Authenticate user by local password –Assign local user and group SIDs Access control by ACLs: lists of SIDs and permissions –Reference monitor is the OS, or any RPC target Domains: same, but authenticate by RPC to controller Web servers: same, but simplified –Establish secure channel with SSL –Authenticate user by local password (or certificate) –ACL on right to enter, or on users private state

15 End-to-End Security Authenticate secure channels Work uniformly between organizations –Microsoft can securely accept Intels authentication –Groups can have members from different organizations Delegate authority to groups or systems Audit all security decisions

16 End-to-End example Alice is at Intel, working on Atom, a joint Intel- Microsoft project Alice connects to Spectra, Atoms web page, with SSL Chain of responsibility: –K SSL K temp K Alice r/w Spectra says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

17 Principals Authentication:Who sent a message? Authorization:Who is trusted? Principal abstraction of who: –People Alice, Bob –Services microsoft.com, Exchange –Groups UW-CS, MS-Employees –Secure channelskey #678532E89A7692F, console Principals say things: –Read file foo –Alices key is #678532E89A7692F

18 Speaks For Principal A speaks for B: A –Meaning: if A says something in set T, B says it too. »Thus A is stronger than B, or responsible for B, about T –Examples »Alice Atom group of people »Key #7438 Alice key for Alice Delegation rule: If A says B A then B A –We trust A to delegate its own authority. »Why should A delegate to B? Needs case by case analysis. –Need a secure channel from A for A says »Easy if A is a key. »Channel can be off-line (certificate) or on-line (Kerberos)

19 Authenticating Channels Chain of responsibility: K SSL K temp K Alice … K temp says K Alice says (SSL setup) (via smart card) says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

20 Authenticating Names: SDSI/SPKI A name is in some name space, defined by a key The key speaks for any name in its name space –K Intel K Intel / Alice (which is just ) –K Intel says … K temp K Alice … says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

21 Authenticating Groups A group is a principal; its members speak for it –… Evidence for groups: Just like names and keys. … K Alice r/w … says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

22 View a resource object O as a principal An ACL entry for P means P can speak for O –Permissions limit the set of things P can say for O If Spectra s ACL says Atom can r/w, that means Spectra says … r/w Spectra Authorization with ACLs says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

23 End-to-End Example: Summary Request on SSL channel: K SSL says read Spectra Chain of responsibility: K SSL K temp K Alice r/w Spectra says Spectra ACL K SSL says Alices smart card Alices login system Spectra web page K temp K Alice Microsoft Intel K Alice

24 Compatibility with Local OS? (1) Put network principals on OS ACLs (2) Let network principal speak for local one –Use network authentication »replacing local or domain authentication –Users and ACLs stay the same (3) Assign SIDs to network principals –Do this automatically –Use network authentication as before

25 Authenticating Systems A digest X can authenticate a program Word : –K Microsoft says If image I has digest X then I is Word formallyX K Microsoft / Word A system N can speak for another system Word : –K Microsoft says N K Microsoft / Word The first cert makes N want to run I if N likes Word, and it makes N assert the running I is Word The second cert lets N convince others that N is authorized to run Word

26 Auditing Checking access: –Givena requestK Alice says read Spectra an ACL Atom may r/w Spectra –Check K Alice speaksK Alice Atom for Atom rights suffice r/w read Auditing: Each step is justified by –A signed statement (certificate), or –A delgation rule

27 Implement: Tools and Assurance Gold standard –AuthenticationWho said it? –AuthorizationWho is trusted? –Auditing What happened? End-to-end authorization –Principals: keys, names, groups –Speaks for: delegation, chain of responsibility Assurance: Trusted computing base –Keep it small and simple. –Include configuration, not just code.

28 References Why real security is hard –Ross Anderson: –Bruce Schneier, Secrets and Lies Distributed system security –Lampson et al. TOCS 10, 4 (Nov. 1992) –Wobber et al. TOCS 12, 1 (Feb. 1994) Simple Distributed Security Infrastructure (SDSI) –theory.lcs.mit.edu/~cis/sdsi.html Simple Public Key Infrastructure (SPKI) –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.