1. Lecture 8: protection and security
Dr. Nermin Hamza

2. Protection

3. Protection
Protection refers to mechanisms for controlling the access of programs, processes, or users to the resources defined by a computer system.
Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources.
A key, principle for protection is the principle of least privilege

4. Domain of Protection
A computer system is a collection of processes and objects. By objects, we mean both hardware objects (such as the CPU, memory segments, printers, disks, and tape drives) and software objects (such as files, programs, and semaphores).
a protection domain, which specifies the resources that the process may access.
The ability to execute an operation on an object is an access right.
A domain is a collection of access rights, each of which is an ordered pair <object-name, rights- set>.

5. Domain

6. Domain A domain can be realized in a variety of ways:
Each user may be a domain. In this case, the set of objects that can be accessed depends on the identity of the user.
Each process may be a domain. In this case, the set of objects that can be accessed depends on the identity of the process. .
Each procedure may be a domain. In this case, the set of objects that can be accessed corresponds to the local variables defined within the procedure.

7. Access Matrix View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj

8. Access Matrix

9. Use of Access Matrix
Access matrix design separates mechanism from policy.
Mechanism
Operating system provides access-matrix + rules.
If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
Policy
User dictates policy.
Who can access what object and in what mode.

10. Implementation of Access Matrix
Each column = Access-control list for one object Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read 
Each Row = Capability List (like a key) Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy

11. Access Matrix with Copy Rights

12. Access Matrix With Owner Rights

13. Revocation of Access Rights
In a dynamic protection system, we may sometimes need to revoke access rights to objects shared by different users
Access List – Delete access rights from access list.
Simple
Immediate
With an access-list scheme, revocation is easy. The access list is searched for any access rights to be revoked, and they are deleted from the list

14. Revocation of Access Rights
Capability List – Scheme required to locate capability in the system before capability can be revoked.
Reacquisition
Back-pointers
Indirection
Keys

15. Security

16. The Security Problem
Security must consider external environment of the system, and protect the system resources
Intruders (crackers) attempt to breach security
Threat is potential security violation
Attack is attempt to breach security
Attack can be accidental or malicious
Easier to protect against accidental than malicious misuse

17. Security Attack
Threats تهديد mean anything that can interrupt the operation, functioning, integrity, or availability of a network or system, these can take any forms.
Vulnerabilities ثغره are inherent weakness in the design, configuration, implementation, or management of the network or the system that renders it to be susceptible to threats.
Attacks هجوم are a specific technique used to exploit the vulnerabilities

18. Security Violations Categories Methods Message modification
Breach of confidentiality
Breach of integrity
Breach of availability
Theft of service
Denial of service
Methods
Masquerading (breach authentication)
Replay attack
Message modification
Man-in-the-middle attack
Session hijacking

19. Standard Security Attacks

20. Security Measure Levels
Security must occur at four levels to be effective:
Physical
Human
Avoid social engineering, phishing
Operating System
Network
Security is as week as the weakest chain

21. Program Threats (Cont.)
Viruses
Code fragment embedded in legitimate program
Very specific to CPU architecture, operating system, applications
Usually borne via or as a macro
Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
vs = Shell(’’c:command.com /k format c:’’,vbHide)
End Sub

22. Program Threats (Cont.)
Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses
File
Boot
Macro
Source code
Polymorphic
Encrypted
Stealth
Tunneling
Multipartite
Armored

23. A Boot-sector Computer Virus

24. The Morris Internet Worm

25. Trojan horse : Definition
a Trojan horse is a malicious program that is disguised as legitimate software.
Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful

26. Virus or Worm?
Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms.
A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program.

27. Cryptography as a Security Tool
Broadest security tool available
Source and destination of messages cannot be trusted without cryptography
Means to constrain potential senders (sources) and / or receivers (destinations) of messages
Based on secrets (keys)

28. Secure Communication over Insecure Medium

29. Some Basic Terminology
plaintext - original message
ciphertext - coded message
cipher-algorithm : for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering ciphertext from plaintext

30. Encryption Diagram Encryption algorithm Decryption algorithm
Plain Text
Cipher Text
Plain Text
Key
Key

31. Cryptography types:
Symmetric cipher
Asymmetric cipher

32. Also called Secret Key Cryptography (SKC):
Symmetric cryptography :
Also called Secret Key Cryptography (SKC):
Uses a single key for both encryption and decryption
Plain Text
Plain Text
Cipher Text

33. Also called Public Key Cryptography (PKC):
Asymmetric Cryptography :
Also called Public Key Cryptography (PKC):
Uses one key for encryption and another for decryption
Plain Text
Cipher Text
Plain Text

34. Security Services: Authentication Confidentiality : Integrity :
Concerned with assuring that a communication is authentic.
Confidentiality :
Preventing the sensitive information from unauthorized user.
Integrity :
Preventing the information from modification by unauthorized users.
Availability:
Assuring that the authorized users have timely access to the information in the system and to the network.
Access Control:
Ability to limit and control the access to the host systems and applications via communication links.
Non-repudiation:
Preventing either sender or receiver from denying a transmitted message.

35. User Authentication
Crucial to identify user correctly, as protection systems depend on user ID
User identity most often established through passwords, can be considered a special case of either keys or capabilities
Also can include something user has and /or a user attribute
Passwords must be kept secret
Frequent change of passwords
Use of “non-guessable” passwords
Log all invalid access attempts
Passwords may also either be encrypted or allowed to be used only once

36. Authentication – Hash Functions
Basis of authentication
Creates small, fixed-size block of data (message digest, hash value) from m
Hash Function H must be collision resistant on m
Must be infeasible to find an m’ ≠ m such that H(m) = H(m’)
If H(m) = H(m’), then m = m’
The message has not been modified
Common message-digest functions include MD5, which produces a 128-bit hash, and SHA-1, which outputs a 160-bit hash

37. Authentication - MAC
Symmetric encryption used in message-authentication code (MAC) authentication algorithm
Simple example:
MAC defines S(k)(m) = f (k, H(m))
Where f is a function that is one-way on its first argument
k cannot be derived from f (k, H(m))
Because of the collision resistance in the hash function, reasonably assured no other message could create the same MAC
A suitable verification algorithm is V(k)(m, a) ≡ ( f (k,m) = a)
Note that k is needed to compute both S(k) and V(k), so anyone able to compute one can compute the other

38. Authentication – Digital Signature
Based on asymmetric keys and digital signature algorithm
Authenticators produced are digital signatures
In a digital-signature algorithm, computationally infeasible to derive S(ks ) from V(kv)
V is a one-way function
Thus, kv is the public key and ks is the private key
Consider the RSA digital-signature algorithm
Similar to the RSA encryption algorithm, but the key use is reversed
Digital signature of message S(ks )(m) = H(m)ks mod N
The key ks again is a pair d, N, where N is the product of two large, randomly chosen prime numbers p and q
Verification algorithm is V(kv)(m, a) ≡ (akv mod N = H(m))
Where kv satisfies kvks mod (p − 1)(q − 1) = 1

39. Authentication (Cont.)
Why authentication if a subset of encryption?
Fewer computations (except for RSA digital signatures)
Authenticator usually shorter than message
Sometimes want authentication but not confidentiality
Signed patches et al
Can be basis for non-repudiation

40. Key Distribution Delivery of symmetric key is huge challenge
Sometimes done out-of-band
Asymmetric keys can proliferate – stored on key ring
Even asymmetric key distribution needs care – man-in-the-middle attack

41. What is a Firewall? A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence

42. Firewalls
By conventional definition, a firewall is a partition made
of fireproof material designed to prevent the spread
of fire from one part of a building to another.
firewall
isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
Internet
privately administered
222.22/16

43. Advantages and disadvantages of traditional packet filters
One screening router can protect entire network
Can be efficient if filtering rules are kept simple
Widely available. Almost any router, even Linux boxes
Disadvantages
Can possibly be penetrated
Cannot enforce some policies. For example, permit certain users.
Rules can get complicated and difficult to test

44. Firewall goals:
All traffic from outside to inside and vice-versa passes through the firewall.
Only authorized traffic, as defined by local security policy, will be allowed to pass.
The firewall itself is immune to penetration.

45. Firewalling to Protect Systems and Networks
A network firewall is placed between trusted and untrusted hosts
The firewall limits network access between these two security domains
Can be tunneled or spoofed
Tunneling allows disallowed protocol to travel within allowed protocol (i.e. telnet inside of HTTP)
Firewall rules typically based on host name or IP address which can be spoofed
Personal firewall is software layer on given host
Can monitor / limit traffic to and from the host
Application proxy firewall understands application protocol and can control them (i.e. SMTP)
System-call firewall monitors all important system calls and apply rules to them (i.e. this program can execute that system call)