Dieter Gollmann Microsoft Research

MT5104 - Computer Security - Lecture 1
Dieter Gollmann, Microsoft Research, diego@microsoft.com

Introduction - The plan for today
- Search for a definition of computer security
- Propose fundamental design principles for computer security
- Give a preview of the course
- Books and further reading
- Questions??

References for this lecture
- Orange Book: US Trusted Computer Systems Evaluation Criteria
- ITSEC: European Information Technology Security Evaluation Criteria
- CTCPEC: Canadian Trusted Computer Product Evaluation Criteria
- ISO 7498-2 (International Standard): Basic Reference Model for Open Systems Interconnection (OSI), Part 2: Security Architecture
- Clark, D.R. and Wilson, D.R., A Comparison of Commercial and Military Computer Security Policies, Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184-194

What is security?
- Prevention: take measures that prevent your assets from being damaged
- Detection: take measures so that you can detect when, how, and by whom an asset has been damaged
- Reaction: take measures so that you can recover your assets or recover from damage to your assets

Example 1 - Private Property
- Prevention: locks at doors, window bars, walls round the property
- Detection: stolen items aren't there anymore, burglar alarms, closed circuit TV
- Reaction: call the police, replace stolen items, make an insurance claim ...
Footnote: Parallels to the physical world can illustrate aspects of computer security, but they are also misleading.

Example 2 - eCommerce
- Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don't use the Internet (?) ...
- Detection: an unauthorized transaction appears on your credit card statement
- Reaction: complain, ask for a new card number, etc.
Footnote: your credit card number has not been stolen.

- Confidentiality: prevent unauthorised disclosure of information
- Integrity: prevent unauthorised modification of information
- Availability: prevent unauthorised withholding of information or resources
- Other aspects: accountability, authenticity
Definitions taken from ITSEC

Confidentiality
- Historically, security and secrecy were closely related. Sometimes, security and confidentiality are used as synonyms
- Prevent unauthorised disclosure of information (prevent unauthorised reading)
- Privacy: protection of personal data
- Secrecy: protection of data belonging to an organisation

Integrity
- ITSEC: prevent unauthorised modification of information (prevent unauthorised writing)
- Clark and Wilson: No user of the system, even if authorized, may be permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted.
- Orange Book: Data Integrity - The state that exists when computerized data is the same as that in the source document and has not been exposed to accidental or malicious alteration or destruction. (Integrity is here synonymous with external consistency.)

Integrity ctd.
- Integrity in communications: detection (and correction) of modifications of transmitted data, including both intentional modifications and random transmission errors.
- In the most general sense: make sure that everything is as it is supposed to be; the data in a computer system should correctly reflect some reality outside the computer system. (This is highly desirable but cannot be guaranteed by mechanisms internal to the computer system.)
- Integrity is a prerequisite for many other security services.
- Operating systems security has a lot to do with integrity.

Availability
- CTCPEC: the property that a product's services are accessible when needed and without undue delay
- ISO 7498-2: the property of being accessible and usable upon demand by an authorised entity
- Denial of Service (DoS): the prevention of authorised access to resources or the delaying of time-critical operations
- Availability may be the most important aspect of computer security, but there are few methods around. Distributed denial of service attacks have recently become notorious.

Accountability - Authorisation
- Accountability (Orange Book): audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party
- Users are identified and authenticated to have a basis for access control decisions.
- The security system keeps an audit log (audit trail) of security relevant events to detect and investigate intrusions.

Reliability - Dependability
- Areas related to security: reliability, safety. Similar engineering methods, similar efforts in standardisation, possible requirement conflicts
- There is an overlap in notation: is security part of reliability or vice versa?
- Dependability (IFIP WG 10.4): the property of a computer system such that reliance can justifiably be placed on the service it delivers. The service delivered by a system is its behaviour as it is perceived by its user(s); a user is another system (physical, human) which interacts with the former.

The main conclusion
- There is no single definition of security
- When reading a document, be careful not to confuse your own notion of security with that used in the document
- A lot of time is being spent - and wasted - trying to define an unambiguous notation for security
- Our definition: computer security deals with the prevention and detection of unauthorised actions by users of a computer system.

The Fundamental Dilemma of Computer Security
- Security unaware users have specific security requirements but no security expertise.
- Orange Book: Can predefined evaluation criteria meet specific user requirements?
- ITSEC: How can a security unaware user assess a specific target of evaluation?

Principles of Computer Security
The Dimensions of Computer Security (diagram): Application, Software, User (subject), Resource (object), Hardware

1st Fundamental Design Decision: Where is the focus of security controls?
- Security controls may focus on data - operations - users
- For example, integrity can mean following a given set of rules on
  - the format and content of data items (internal consistency)
  - the operations that may be performed on a data item
  - the users who are allowed to access a data item (authorised access)

2nd Fundamental Design Decision: Where to place security controls?
- applications
- services (middleware)
- operating system
- OS kernel
- hardware

The Man-Machine Scale
- Security mechanisms can be visualized as concentric protection rings, with hardware mechanisms in the centre and application mechanisms at the outside
- Mechanisms towards the centre tend to be more generic, while mechanisms at the outside are more likely to address individual user requirements
- Combining our first two design decisions, we refer to a man-machine scale for security mechanisms.

The Man-Machine Scale (diagram)
- man oriented: specific, complex, focus on users
- machine oriented: generic, simple, focus on data

Data vs Information
- Data are physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information.
- Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules.
- Information and data correspond to the two ends of the man-machine scale.
- The distinction between data and information is subtle, but it also causes some of the more difficult problems in computer security.

Data vs Information ctd.
- Controlling access to information can be elusive and may have to be replaced by controlling access to data
- If there is a close link between information and corresponding data, the two approaches may give very similar results. However, this is not always the case.
- Covert channels: response time or memory usage is used to signal information. (More explanations in a few weeks.)
- Inference in statistical databases: combinations of statistical queries give information on individual entries. (More explanations in the course on database security.)
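As an added example (not from the slides) of the inference problem named in the last bullet, the C program below applies a query-set-size control to a constructed salary table: access to each data item is denied, yet two individually permitted aggregate queries still disclose one person's record. The table, the filter attributes and the threshold are all constructed for illustration.

```c
/* Added example (not from the lecture): inference in a statistical database.
 * Only aggregates (SUM of salaries over a filter) are released, guarded by a
 * query-set-size control. Two permitted queries still isolate one record,
 * showing why that control alone is insufficient. All data is constructed. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *name, *dept, *office; long salary; } Record;

static const Record db[] = {           /* constructed sample data */
    {"Alice", "R&D",   "Cambridge", 7200},
    {"Bob",   "R&D",   "Redmond",   5100},
    {"Carol", "R&D",   "Redmond",   5600},
    {"Dave",  "R&D",   "Redmond",   4900},
    {"Eve",   "Sales", "Redmond",   3900},
    {"Frank", "Sales", "Cambridge", 4300},
};
#define DB_ROWS (sizeof db / sizeof db[0])
#define MIN_SET_SIZE 2                 /* k for the query-set-size control */

/* A filter: a NULL attribute means "any value". */
typedef struct { const char *dept, *office; } Filter;

static int matches(const Record *r, const Filter *f) {
    return (!f->dept   || strcmp(r->dept,   f->dept)   == 0)
        && (!f->office || strcmp(r->office, f->office) == 0);
}

/* Raw aggregate: SUM(salary) over matching rows; also reports the count. */
static long sum_salary(const Filter *f, size_t *count) {
    long s = 0; size_t c = 0;
    for (size_t i = 0; i < DB_ROWS; i++)
        if (matches(&db[i], f)) { s += db[i].salary; c++; }
    if (count) *count = c;
    return s;
}

/* Query-set-size control: refuse if fewer than k rows match, or fewer than
 * k rows are excluded (the complement query would leak just as much).
 * Returns 1 and stores the sum when allowed, 0 when refused. */
static int guarded_sum(const Filter *f, long *out) {
    size_t c;
    long s = sum_salary(f, &c);
    if (c < MIN_SET_SIZE || c > DB_ROWS - MIN_SET_SIZE) return 0;
    *out = s;
    return 1;
}

/* The direct query for Alice's record matches one row and is refused. */
static int direct_query_refused(void) {
    Filter alice_only = {"R&D", "Cambridge"};
    long s;
    return !guarded_sum(&alice_only, &s);
}

/* Tracker: SUM(R&D) - SUM(R&D in Redmond) isolates the only R&D record in
 * Cambridge, although both queries individually pass the control. */
static long tracker_infer_alice(void) {
    Filter rd = {"R&D", NULL}, rd_redmond = {"R&D", "Redmond"};
    long q1, q2;
    if (!guarded_sum(&rd, &q1) || !guarded_sum(&rd_redmond, &q2)) return -1;
    return q1 - q2;                    /* 22800 - 15600 = 7200 */
}

int main(void) {
    printf("direct query refused: %d\n", direct_query_refused());
    printf("salary disclosed by two aggregates: %ld\n", tracker_infer_alice());
    return 0;
}
```

The control protects the data item (one row) but not the information it carries, which is the gap between the two ends of the man-machine scale that the slide describes.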

3rd Fundamental Design Decision: complexity vs assurance
- Frequently, the location of a security mechanism on the man-machine scale is related to its complexity. You find simple generic mechanisms, while applications often clamour for feature-rich security functions.
- Do you prefer simplicity - and higher assurance - to a feature-rich security environment?
- The fundamental dilemma: simple generic mechanisms may not match specific security requirements. To choose the right features from a rich menu, you have to be a security expert. Security unaware users are in a no-win situation.

Example: Security Evaluation
- Security evaluation checks whether a product delivers a promised security service. We have to state
  - the function of the security system
  - the required degree of assurance (trust) in its security
- To achieve a high degree of assurance, the security system has to be examined exhaustively and in close detail.
- There is an obvious trade-off between complexity and assurance. The higher an assurance level you aim for, the simpler your system ought to be. Feature-rich security and high assurance do not match easily.

4th Fundamental Design Decision: centralised or decentralised controls?
- Within the domain of a security policy, the same controls should be enforced.
- If a single entity is in charge of security, then it is easy to achieve uniformity, but this central entity may become a performance bottleneck.
- A distributed solution may be more efficient, but you have to take added care to guarantee that different components enforce a consistent policy.
- Should the tasks of defining and enforcing security be given to a central entity, or should they be left to individual components in a system?

5th Fundamental Design Decision: blocking access to the layer below
- It is now time to think about attackers trying to bypass protection mechanisms.
- Every protection mechanism defines a security perimeter (boundary). The parts of the system that can disable the mechanism lie within the perimeter; the parts of the system that can malfunction without compromising the mechanism lie outside.
- There is an immediate and important corollary to the second design decision: How do you stop an attacker from getting access to a layer below your protection mechanism?

The Layer Below - Examples
- Recovery tools, like Norton Utilities, restore data by reading memory directly and then restoring the file structure. Such a tool can be used to circumvent logical access control, as it does not care about the logical memory structure.
- Unix treats I/O devices and physical memory devices like files. If access permissions are defined badly, e.g. if read access is given to a disk containing read-protected files, then an attacker can read the disk contents and reconstruct the files.

The Layer Below - more examples
- Object reuse: in a single processor system, when a new process becomes active, it gets access to memory positions used by the previous process. You have to avoid storage residues, i.e. data left behind in the memory area allocated to the new process.
- Backup: whoever has access to a backup tape has access to all the data on it. Logical access control is of no help, and backup tapes have to be locked away safely to protect the data.
- Core dumps: same story again
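As an added example (not part of the lecture) for the object-reuse bullet, the toy allocator in C below models a single memory region passed from one process to the next: without a clear-on-reuse control the new process inherits the previous occupant's storage residue; with it, the region arrives zeroed. The arena, the "processes" and the secret string are constructed for illustration.

```c
/* Added example (not from the lecture): a toy single-arena allocator that
 * models the object-reuse problem. Process A stores a secret in its memory
 * and terminates; the same region is then handed to process B.
 * insecure_alloc() returns the region as-is, leaving a storage residue;
 * secure_alloc() clears it first, so B sees only zeros. Data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
static uint8_t arena[ARENA_SIZE];   /* the one memory region processes share */

/* Hand the region to the next process without clearing it (no control). */
static uint8_t *insecure_alloc(void) {
    return arena;
}

/* Object-reuse control: wipe the previous occupant's data before reuse.
 * In production code use memset_s()/explicit_bzero() so the compiler cannot
 * elide the write; here the zeroed bytes are observably read afterwards. */
static uint8_t *secure_alloc(void) {
    memset(arena, 0, ARENA_SIZE);
    return arena;
}

/* How many bytes of a freshly allocated region still carry old data? */
static size_t residue_bytes(const uint8_t *region) {
    size_t n = 0;
    for (size_t i = 0; i < ARENA_SIZE; i++)
        if (region[i] != 0) n++;
    return n;
}

/* Run the scenario with the allocator used for process B and return the
 * number of residue bytes B can read from its new memory area. */
static size_t run_scenario(uint8_t *(*alloc_for_b)(void)) {
    static const char secret[] = "CONSTRUCTED-SECRET";   /* 18 bytes + NUL */
    memset(arena, 0, ARENA_SIZE);            /* fresh system, nothing stored */
    uint8_t *a = insecure_alloc();           /* process A gets the region */
    memcpy(a, secret, sizeof secret);        /* A works on its secret */
    /* process A terminates; nothing is cleared at this point */
    uint8_t *b = alloc_for_b();              /* process B becomes active */
    return residue_bytes(b);                 /* 18 without control, 0 with */
}

int main(void) {
    printf("residue without object-reuse control: %zu bytes\n",
           run_scenario(insecure_alloc));
    printf("residue with object-reuse control:    %zu bytes\n",
           run_scenario(secure_alloc));
    return 0;
}
```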

Structure of the course
- Theory
  - Access control structures
  - Security models
  - Security kernels
  - Hardware security features
- Practice
  - Operating system security: case studies
  - Middleware security
  - Web security
  - Vulnerabilities: case studies, malicious software

Books on Computer Security
- D. Gollmann: Computer Security, Wiley & Sons, 1999
- C.P. Pfleeger: Security in Computing, Prentice-Hall, 1997
- J.S. Park: AS/400 Security in a Client/Server Environment, Wiley & Sons, 1995
- L. Gong: Inside Java 2 Platform Security, Addison Wesley, 1999
- Ernst & Young: Logical Access Control, McGraw-Hill, 1993
- M. Gasser: Building a Secure Computer System, Van Nostrand Reinhold, 1988

Exercises
1. Conduct a survey of security definitions, consult e.g.
   http://www.radium.ncsc.mil/tpep/process/faq.html
   http://www.itsec.gov.uk
   ftp://ftp.cse-cst.gc.ca/pub/criteria/CTCPEC
2. Medical records that can be accessed on-line are sensitive information that should be protected from disclosure, but in an emergency it is highly desirable that whoever treats you has access to your record. How would you use prevention, detection, and recovery to secure your records?
3. Identify suitable security perimeters for analyzing personal computer (PC) security. Consider the room the PC is placed in, the PC itself, or some security module within the PC when investigating security perimeters.