Download presentation
Presentation is loading. Please wait.
1
Computer Security Foundations and Principles
Nicolas T. Courtois University College London
2
Plan What is CompSec? Life Context and Threats Principles - Defenses
CompSec Intro Plan What is CompSec? Computer Industry Security = ? Security Science 123 Life Context and Threats Small / Big Threats Economics Ethics, Hackers Principles - Defenses Security Design Principles, Security Engineering Security Management Principles Weakest Link? Secrecy / Open Source Case Studies - Attack Trees Nicolas T. Courtois, January 2009
3
CompSec Intro Computers… Nicolas T. Courtois, January 2009
4
CompSec Intro Computer Industry We are dealing here with a particular industry: Computer industry. Software and Hardware. This industry is arguably VERY special, unlike any other industry that ever existed… But we can and will compare it to other industries smart cards have their own O.S. much more focus on security since always mobile phones, similarly developed very differently too… voting machines, door/car lock systems, etc… Nicolas T. Courtois, January 2009
5
CompSec Intro Disclaimer I don’t intend to ask you abstract “philosophy” questions at the exam, rather more concrete technical questions: beware of vague statements and excessive generalizations… what do the principles / methodology / ideas actually do in practice… be specific and factual Nicolas T. Courtois, January 2009
6
Computer Industry and Security
CompSec Intro Computer Industry and Security Tech Background: “Industry Standards” such as: Intel CPU and Chipset, RAM and hard drives, C language, UNIX / Windows TCP/IP, HTTP, TLS, Social-Econ Background: Science background: Nicolas T. Courtois, January 2009
7
Computer Industry and Security
CompSec Intro Computer Industry and Security “Industry Standards” Social-Econ Background: Science background: What technology “enablers”(computers) and “disablers” (cryptology,HWSec) can/cannot achieve? How to define / classify security problems and find “good” solutions Nicolas T. Courtois, January 2009
8
Computer Industry and Security
CompSec Intro Computer Industry and Security “Industry Standards” Social-Econ Background: things exist for a reason. “Nice or unpleasant” facts of life: software/hardware economics: which industry dominates which free market triumphs and disasters these stupid humans that cannot be bothered to obey the policy… these bureaucratic organisations that just cannot get their best interest(?) right nobody is buying/using the wonderful(?) technology, adoption barriers theory vs. practice crime war terrorism… laws / regulations etc… Science background: insecure rubbish! Nicolas T. Courtois, January 2009
9
“CompSec Cycle”: “Industry Standards” Social-Econ Background:
CompSec Intro “CompSec Cycle”: “Industry Standards” Social-Econ Background: Science background: Nicolas T. Courtois, January 2009
10
everything ends up here rapid obsolescence
CompSec Intro At The End: everything ends up here rapid obsolescence Nicolas T. Courtois, January 2009
11
What Happens After Death?
CompSec Intro What Happens After Death? Nicolas T. Courtois, January 2009
12
CompSec Intro What is Security? Nicolas T. Courtois, January 2009
13
Definition 1 [Courtois]
CompSec Intro Definition 1 [Courtois] Security: protect the value(s). What value(s) ? ALL ! Nicolas T. Courtois, January 2009
14
Security: protect the value(s).
CompSec Intro Security: protect the value(s). What value(s) ? Money Life and the quality of life. Privacy Good technology vs. bad one Freedom, Justice, etc… Nicolas T. Courtois, January 2009
15
Security: Definition 2. Common Criteria [ISO15408] :
CompSec Intro Security: Definition 2. Common Criteria [ISO15408] : Protecting Assets from Threats asset holder Nicolas T. Courtois, January 2009
16
Difference: protect against intentional damages...
CompSec Intro Security Safety Difference: protect against intentional damages... Notion of an Attacker / Adversary. Notion of an Attack. Nicolas T. Courtois, January 2009
17
Attacker Attacker = Adversary = Threat Agent CompSec Intro
Nicolas T. Courtois, January 2009
18
**Dimensions of Security
CompSec Intro **Dimensions of Security Physical vs. Logical Psychological / Human vs. Organizational / Business very different! Nicolas T. Courtois, January 2009
19
CompSec Intro *Security on One Slide Nicolas T. Courtois, January 2009
20
Confidentiality Integrity Authenticity Accountability Availability
CompSec Intro Main Goals: Confidentiality Integrity Authenticity Accountability Availability Nicolas T. Courtois, January 2009
21
In There a Need for More Security?
CompSec Intro In There a Need for More Security? or will I have a job tomorrow? Nicolas T. Courtois, January 2009
22
Hegel [1770-1831], German philosophy
CompSec Intro Hegel [ ], German philosophy The history is the process of broadening freedom. Nicolas T. Courtois, January 2009
23
Why Security, why Cryptography ?
CompSec Intro Why Security, why Cryptography ? Freedom, new technologies More possibilities More security problems… “Theorem” [Courtois]: Freedom Security 0 Nicolas T. Courtois, January 2009
24
Freedom Security issues…
CompSec Intro Freedom Security issues… Examples: invention of train/metro threat of pickpockets car traffic: major cause of death, trains are much safer invention of the internet pirates and hackers. Nicolas T. Courtois, January 2009
25
Why Security, why Cryptography ?
CompSec Intro Why Security, why Cryptography ? Freedom of travel by car main cause of death (e.g. 1.2 M people die every year in car accidents !) Unlimited exchange of data over the internet unlimited security problems. Nicolas T. Courtois, January 2009
26
Enjoy benefits, limit/remove disadvantages.
CompSec Intro *Prof. Shigeo Tsujii, “The society should be designed to help people to enjoy the freedoms”… “broadened by IT”. Enjoy benefits, limit/remove disadvantages. Nicolas T. Courtois, January 2009
27
“Adding” Security – Def. 3.
CompSec Intro “Adding” Security – Def. 3. The goal of cryptology and security [Courtois]: Add security to the information technologies (IT) that are by nature insecure. enablers/disablers Nicolas T. Courtois, January 2009
28
Adding Security - Criticism
CompSec Intro Adding Security - Criticism Nicolas T. Courtois, January 2009
29
Why security it is an after-thought?
CompSec Intro Critics [Schneier] Why security it is an after-thought? “Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security”. “Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.” Why security is not built-in? “utopian vision” Security is difficult, expensive and takes time… Nicolas T. Courtois, January 2009
30
CompSec Intro ***Today [Schneier] “I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed.“ Nicolas T. Courtois, January 2009
31
Security Science 1.2.3. CompSec Intro
Nicolas T. Courtois, January 2009
32
Claim [Courtois, Schneier]:
CompSec Intro Claim [Courtois, Schneier]: Computer Security and real-world security are governed by the same laws !!! Nicolas T. Courtois, January 2009
33
The Security ? 3-point Formal Approach
CompSec Intro The Security ? 3-point Formal Approach What is Security ? Inability to achieve: Security against what: Adversarial Goal. Against whom: resources of the Adversary: money, human resources, computing power, memory, risk, expertise, etc.. Access to the system. Nicolas T. Courtois, January 2009
34
CompSec Intro 1. Attackers Nicolas T. Courtois, January 2009
35
Vocabulary Attacker / Adversary / Threat Agent CompSec Intro
Nicolas T. Courtois, January 2009
36
Enjoyment, fame, ego, role models
CompSec Intro 1. Adversarial Goals Enjoyment, fame, ego, role models Develop science and offensive technology: $$$ profits and other benefits Nicolas T. Courtois, January 2009
37
petty => organized criminals, rogue states, industrial espionage,
CompSec Intro 2. a. Who Are the Attackers bored teenagers, petty => organized criminals, rogue states, industrial espionage, disgruntled employees, … pure legitimate use Inadvertent events, bugs, errors, ourselves (forgot the d… password!), our family / friends / co-workers, Nicolas T. Courtois, January 2009
38
computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…)
CompSec Intro 2. b. Their Means computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…) knowledge / expertise risk/exposure capacity Nicolas T. Courtois, January 2009
39
CompSec Intro 3. Access Nicolas T. Courtois, January 2009
40
Somewhat similar as for cars:
CompSec Intro 3. Access to Computers Somewhat similar as for cars: Nicolas T. Courtois, January 2009
41
When you drive on the road When parked on the street.
CompSec Intro 3. Access to your car. Miles away… When you drive on the road When parked on the street. Enters your garage Had a key yesterday and he made a copy … Nicolas T. Courtois, January 2009
42
Remote location, not connected to Internet
CompSec Intro 3. Access to a Computer Remote location, not connected to Internet Remote location, somewhat connected… Physical proximity… Access to USB ports. Access (alone) for a few seconds… Take it home and hack it… Nicolas T. Courtois, January 2009
43
+wireless communications made things worse…
CompSec Intro *3. Access Internet +wireless communications made things worse… Nicolas T. Courtois, January 2009
44
CompSec Intro “Small” Little Things Nicolas T. Courtois, January 2009
45
CompSec Intro Insecurity Nicolas T. Courtois, January 2009
46
What are Important Security Issues?
CompSec Intro What are Important Security Issues? Think twice. Nicolas T. Courtois, January 2009
47
Mildest Forms of Insecurity
CompSec Intro Mildest Forms of Insecurity nuisance and irritation generated by security and updates, necessity to think about such sordid things as security, losing some pennies on it… Slight problem: the long tail theory. Nicolas T. Courtois, January 2009
48
the Long Tail theory 1 Bank loses 30 M$/Y
CompSec Intro the Long Tail theory 1 Bank loses 30 M$/Y 300 M people lose 1 minute/day = M$/Y Cormac Herley [Microsoft Research] no thanks.. the rational rejection of security advice… the customer is your boss’s boss’s boss! his time is very precious! 30 M$ / minute! cost frequency Nicolas T. Courtois, January 2009
49
CompSec Intro Major Threats Nicolas T. Courtois, January 2009
50
Block Buster Insecurity
CompSec Intro Block Buster Insecurity Viruses/Worms (e.g. Melissa 1999) DOS hurting big corp. / countries [Estonia] Financial/personal data files leaked/lost [lots in the media US] Computer break-ins [little publicity?] Nicolas T. Courtois, January 2009
51
Explosion of Known Vulnerabilities
CompSec Intro Explosion of Known Vulnerabilities What about the unknown ones? Nicolas T. Courtois, January 2009
52
Many PCs are Is My PC Infected? CompSec Intro
Nicolas T. Courtois, January 2009
53
Why Things Happen? Mystified: Economics/Business: Bugs… or don’t care.
CompSec Intro Why Things Happen? Bugs… or don’t care. Programming developed with absence of security. C/C++ is unsafe (Microsoft is currently blacklisting big chunks of standard C, could have happened 10 years ago). Security/cryptography research developed with obsession with security. Both never met. Mystified: security issues are probably always exaggerated and distorted, one way or another (downplayed OR exaggerated, Ross Anderson: “hypertrophy” of security) Economics/Business: many things just don’t matter! customers do not see => do not care about security usability: user burden frustrates them. Nicolas T. Courtois, January 2009
54
CompSec Intro CompSec and Economics Nicolas T. Courtois, January 2009
55
“[…] Why do so many vulnerabilities exist in the first place?[…]”
CompSec Intro Question “[…] Why do so many vulnerabilities exist in the first place?[…]” Cf. Ross Anderson, Tyler Moore et al: “The Economics of Information Security” In Science, October 2006. “Security Economics and the Internal Market”: public report for ENISA (European Network and Information Security Agency), March 2008. Nicolas T. Courtois, January 2009
56
Why Commercial Security Fails?
CompSec Intro Why Commercial Security Fails? Claim: the link between “money” and security is frequently broken today: Security is a public good. “private” incentives are weak. Worse than “market for lemons”: Not only that the customer cannot see the difference between good security and bad. Frequently the manufacturer cannot either. Too frequently security (and our safety) remains something that money cannot buy… (money seems to work for cars, and to fail for computers) Nicolas T. Courtois, January 2009
57
Security and Economics
CompSec Intro Security and Economics Security is about [sensible] security trade-offs. Closely related to economics: How to allocate resources efficiently. Nicolas T. Courtois, January 2009
58
The Very Nature of Security:
CompSec Intro The Very Nature of Security: Bruce Schneier “Beyond Fear” book [2003], p.1: Critical to any security decision is the notion of [security] trade-offs, meaning the costs in terms of money, convenience, comfort, freedoms, and so on – that inevitably attach themselves to any security system. Nicolas T. Courtois, January 2009
59
CompSec Intro Failures Nicolas T. Courtois, January 2009
60
Failure in implementation Failure in operation
CompSec Intro Types of Failures Failure in design Failure in implementation Failure in operation Nicolas T. Courtois, January 2009
61
CompSec Intro If It Can Fail… It Will Schneier: “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. Nicolas T. Courtois, January 2009
62
or should Karate classes be legal?
CompSec Intro Ethics or should Karate classes be legal? Nicolas T. Courtois, January 2009
63
CompSec Intro Key Question: Is actively researching serious security vulnerabilities socially desirable? - Of Course Yes! …will tell you every professional hacker and every academic code-breaker… Nicolas T. Courtois, January 2009
64
CompSec Intro Bruce Schneier [14 May 2008]: Problem: A hacker who discovers one [attack] can sell it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences. Q: […] is it ethical to research new vulnerabilities? A: Unequivocally, yes. [according to Schneier] Because: Vulnerability research is vital because it trains our next generation of computer security experts. Nicolas T. Courtois, January 2009
65
The question is open to debate and remains somewhat controversial
CompSec Intro Our Answer: The question is open to debate and remains somewhat controversial Maybe it depends.. …on what? Nicolas T. Courtois, January 2009
66
Rescorla [2004] Research and disclose? Yes, if…
CompSec Intro Rescorla [2004] Research and disclose? Yes, if… …these vulnerabilities are likely to be rediscovered Cf. E. Rescorla. “Is finding security holes a good idea?” In 3rd Workshop on the Economics of Information Security (2004). Nicolas T. Courtois, January 2009
67
CompSec Intro Benefits: Disclosure creates incentives for fixing these vulnerabilities. Nicolas T. Courtois, January 2009
68
CompSec Intro Attackers and Hackers Nicolas T. Courtois, January 2009
69
Motivation Enjoyment, fame, ego, role models
CompSec Intro Motivation Enjoyment, fame, ego, role models Develop science and offensive technology: University researchers, (good/bad) Security professionals (defenders) Professional hackers, pen testers, etc… Profits and other benefits Crime business, Promoting legal security business, Political activism, terrorism, Nicolas T. Courtois, January 2009
70
petty => organized criminals, rogue states, industrial espionage,
CompSec Intro Hackers Are: bored teenagers, petty => organized criminals, rogue states, industrial espionage, disgruntled employees, … pure legitimate use Inadvertent events, bugs, errors, ourselves (forgot the d… password!), our family / friends / co-workers, Nicolas T. Courtois, January 2009
71
computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…)
CompSec Intro 2. b. Their Means computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…) knowledge / expertise risk/exposure capacity Nicolas T. Courtois, January 2009
72
Biggest conference in Cryptography: DefCon: 9000 people.
CompSec Intro Hacker Movement Biggest conference in Cryptography: Crypto in Santa Barbara, CA, 500 people. DefCon: 9000 people. CCC conf: 3000 people. the biggest in EU. 80 % very young, 70 % German, 98 % male, 99 % white. => future growth potential. Talks start at 10h. At 23h there are 3 technical talks in parallel. At 24h there are “funny/entertainment/philosophy” talks. There are sofas to sleep in the congress center, but hackers never sleep, they type sth. on their laptop. Conference bandwidth was 3 Gbytes, instant tentatives of intrusion. There are stands about speed hacking, speed soldering. Practical lock-picking, RFID hacking, etc. Nicolas T. Courtois, January 2009
73
CompSec Intro Hacktivism Mostly about getting attention in the press through direct and spectacular action (hacking) against a government or corporate entity. In order to achieve a political effect. Usually still a technology claim: Just improve the security! It is broken. Just hire better experts/cryptographers/programmers… Political statement unrelated to technology: Russia does not agree with Estonia. Nicolas T. Courtois, January 2009
74
Chaos Computer Club started in Hamburg in 1981
CompSec Intro Chaos Computer Club started in Hamburg in 1981 as a German-speaking libertarian-anarchist conference and social movement claiming freedom at any price, including freedom to pirate anything… Nicolas T. Courtois, January 2009
75
CompSec Intro Chaos Computer Club Very strong relations with German press makes that it is much harder to put hackers to jail (fear of bad press coverage). Don’t do the same things that some people do.. They will get away with it, you will not. These people are very strong defenders of some rights such as privacy and freedom of speech, and thus they achieve a sort of legitimacy in the public eye to indulge in activities that would otherwise be considered just criminal. in the same way trade unions frequently get away with doing illegal things, but not always, many trade union leader have been in prison once or twice. The risk is totally and absolutely non-zero. In the 80s the CCC guys showed the insecurity of Bildschirmtext computer network and made it debit a bank in Hamburg 134K DM in favour of the Club. Then they organized a press conference. The banks were nice, did NOT sue them. But how can you predict they will be nice? Nicolas T. Courtois, January 2009
76
Recent Trend: Rapid growth. The industrialization of hacking:
CompSec Intro Recent Trend: Rapid growth. The industrialization of hacking: division of labour, clear definition of roles forming a supply chain professional management Nicolas T. Courtois, January 2009
77
Principles of Security Engineering
CompSec Intro Principles of Security Engineering Nicolas T. Courtois, January 2009
78
Security Engineering Definition: [Ross Anderson]
CompSec Intro Security Engineering Definition: [Ross Anderson] building systems to remain dependable in face of malice, error or mischance. Nicolas T. Courtois, January 2009
79
or “Security Mantras”: repeat after me: C.I.A. C.I.A.
CompSec Intro Magic Formulas… or “Security Mantras”: repeat after me: C.I.A. C.I.A. In fact we have no silver bullet. on the contrary: Security is about trade-offs. Conflicting engineering criteria…. Conflicting requirements… Overcoming human, technology and market failures. insecure rubbish! Nicolas T. Courtois, January 2009
80
Proportionality Principle
CompSec Intro Proportionality Principle Maximize security??? Maximize “utility” (the benefits) while limiting risk to an acceptable level within reasonable cost… all about economics… Nicolas T. Courtois, January 2009
81
Efficiency and Effectiveness
CompSec Intro Efficiency and Effectiveness Security measures must be: Efficient and effective… Nicolas T. Courtois, January 2009
82
Design Principles for Protection Mechanisms
CompSec Intro Design Principles for Protection Mechanisms [Saltzer and Schroeder 1975] important for exam Nicolas T. Courtois, January 2009
83
Least Privilege [or Limitation] Principle
CompSec Intro Least Privilege [or Limitation] Principle Every “module” (such as a process, a user or a program) should be able to access only such information and resources that are necessary to its legitimate purpose. Nicolas T. Courtois, January 2009
84
Default Deny There are two basic attitudes:
CompSec Intro Default Deny There are two basic attitudes: Default permit - "Everything, not explicitly forbidden, is permitted" Allows greater functionality by sacrificing security. Good if security threats are non-existent or negligible. Default deny - "Everything, not explicitly permitted, is forbidden" Improves security, harder to get any functionality. Believed to be a good approach if you have lots of security threats. Nicolas T. Courtois, January 2009
85
Fail-safe Defaults Secure by default,
CompSec Intro Fail-safe Defaults Secure by default, Example:if we forget to specify access, deny it. Nicolas T. Courtois, January 2009
86
CompSec Intro Economy of Mechanism A protection mechanism should have a simple and small design. small and simple enough to be build in a rigorous way, and fully tested and analysed Nicolas T. Courtois, January 2009
87
Separation of Privileges
CompSec Intro Separation of Privileges Split into pieces with limited privileges! Implementation in software engineering: Have computer program fork into two processes. The main program drops privileges (e.g. dropping root under Unix). The smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket pair. Benefits: A successful attack against the larger program will gain minimal access. even though the pair of programs will perform privileged operations. A crash in a process run as nobody cannot be exploited to gain privileges. Additional possibilities: obfuscate individual modules and/or make them tamper resistant through software. Or burn them into a dedicated hardware module, and burn the fuse that allows to read the firmware. Nicolas T. Courtois, January 2009
88
Least Common Mechanism
CompSec Intro Least Common Mechanism Mechanisms used to access resources should not be shared. Why? Not so obvious. If everybody depends on it, failure will have a higher impact. One user can do a DOS attack. Shared service [or resource such as CPU cache] can provide side channels. A mechanism serving all users must be designed to the satisfaction of every user, harder than satisfying more specialized requirements. Nicolas T. Courtois, January 2009
89
CompSec Intro Be Friendly! Nicolas T. Courtois, January 2009
90
Saltzer and Schroeder 1975:
CompSec Intro Saltzer and Schroeder 1975: Psychologically Acceptable not enough anymore Nicolas T. Courtois, January 2009
91
Acceptable and accepted…
CompSec Intro Usability Consent Acceptable and accepted… Nice User-friendly or not: otherwise the mechanism will be bypassed (-consent) Nicolas T. Courtois, January 2009
92
Be Even More Friendly: Don’t annoy people.
CompSec Intro Be Even More Friendly: Don’t annoy people. Minimize the number of clicks Minimize the number of things to remember Make security easy to understand and self-explanatory Security should NOT impact users that obey the rules. Established defaults should be reasonable. People should not feel trapped. It should be easy to Restrict access Give access Personalize settings Etc… Nicolas T. Courtois, January 2009
93
More Design Principles
CompSec Intro More Design Principles Nicolas T. Courtois, January 2009
94
Think Ahead [Morrie Gasser 1988] Pro-active security design:
CompSec Intro Think Ahead Pro-active security design: Design the security in, built-in from the start. Contrary of aftermarket security. Allow for future security enhancements. [Morrie Gasser 1988] also Fail securely: if sth. goes wrong, yes, make sure it “fails securely”. Nicolas T. Courtois, January 2009
95
CompSec Intro Trust vs. Security Nicolas T. Courtois, January 2009
96
Trust Following Ross Anderson and US Dept of Defence definitions:
CompSec Intro Trust Following Ross Anderson and US Dept of Defence definitions: Trusted system [paradoxical definition]: one that can break the security policy (in theory, risk). Trustworthy system: one that won’t fail us (0 risk). An employee who is selling secrets is trusted and NOT trustworthy at the same time. Nicolas T. Courtois, January 2009
97
Be Reluctant to Trust Cf. Least Privilege. CompSec Intro
Nicolas T. Courtois, January 2009
98
Be Trustworthy Public scrutiny promotes trust.
CompSec Intro Be Trustworthy Public scrutiny promotes trust. Commitment to security is visible in the long run. Nicolas T. Courtois, January 2009
99
*Management Principles for Production and Development,
CompSec Intro *Management Principles for Production and Development, or Integrity of a Business Process… [Lipner 1982] slides also relevant and repeated in 02 part Nicolas T. Courtois, January 2009
100
Lipner 1982 These can be see as management principles:
CompSec Intro Lipner 1982 These can be see as management principles: How to manage development and production, avoid random failures and security breaches alike. Principle of Segregation of Duties = Separation of Duty. Nicolas T. Courtois, January 2009
101
Segregation of Duties Achieved by (closely related):
CompSec Intro Segregation of Duties Achieved by (closely related): Principle of Functional separation: Several people should cooperate. Examples: one developer should not work alone on a critical application, the tester should not be the same person as the developer If two or more steps are required to perform a critical function, at least two different people should perform them, etc. This principle makes it very hard for one person to compromise the security, on purpose of inadvertently. Principle of Dual Control: Example 1: in the SWIFT banking data management system there are two security officers: left security officer and right security officer. Both must cooperate to allow certain operations. Example 2: nuclear devices command. Example 3: cryptographic secret sharing Nicolas T. Courtois, January 2009
102
Record what actions took place and who performed them
CompSec Intro Auditing / Monitoring Record what actions took place and who performed them Contributes to both disaster recovery (business continuity) and accountability. Nicolas T. Courtois, January 2009
103
CompSec Intro Lipner 1982: Requirements, focus on integrity of the business processes and of the “production” data whatever it means: Users will not write their own programs. Separation of Function: Programmers will develop on test systems and test data, not on “production” systems. A special procedure will allow to execute programs. Compliance w.r.t. 3 will be controlled / audited. Managers and auditors should have access to the system state and to all system logs. Nicolas T. Courtois, January 2009
104
The False Principle: The Weakest Link CompSec Intro
Nicolas T. Courtois, January 2009
105
Schneier: www.schneier.com/blog/archives/2005/12/weakest_link_se.html
CompSec Intro Weakest Link Chain metaphor: Schneier: “security is only as strong as the weakest link.” Nicolas T. Courtois, January 2009
106
CompSec Intro Chains vs. Layers Nicolas T. Courtois, January 2009
107
Security can be like a chain: or, better Security can be layered
CompSec Intro Two Cases Security can be like a chain: or, better Security can be layered Nicolas T. Courtois, January 2009
108
Military: Defence in Depth
CompSec Intro Military: Defence in Depth Nicolas T. Courtois, January 2009
109
Computer systems have multiple layers, e.g.
CompSec Intro Layers Computer systems have multiple layers, e.g. HW components Chipset/MB OS TCP/IP stack HTTP application Secure http layer Java script User/smart card interface Nicolas T. Courtois, January 2009
110
Example 1: assuming 1000 little details… CompSec Intro
Nicolas T. Courtois, January 2009
111
Example 2: assuming 1000 little details… CompSec Intro
Nicolas T. Courtois, January 2009
112
Another False?? Or True?? Principle:
CompSec Intro Another False?? Or True?? Principle: Assume the Worst Nicolas T. Courtois, January 2009
113
Back to Schneier Quote www.schneier.com/essay-005.html
CompSec Intro Back to Schneier Quote “It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.” BUT… this is rubbish(or is it?) Nicolas T. Courtois, January 2009
114
Worst Case Defences? Criticism
CompSec Intro Worst Case Defences? Criticism Cormac Herley [Microsoft research]: Most security systems are build to defend against the worst case. In reality, the average case losses are insignificant or small, e.g. actually computer crime worldwide is very small… and many security technologies are maybe -- from the economics point of view -- totally useless but it depends, we cannot judge security technologies by present losses, because there are also losses that have been avoided or deterred by this technology, and also that losses evolve over the time with highly chaotic pattern (they are 0 then suddenly they may explode) Nicolas T. Courtois, January 2009
115
Worst Case Defences? Conclusion
CompSec Intro Worst Case Defences? Conclusion There is no general answer. Both arguments are legitimate. More detailed analysis is needed; what if etc... Can this be done? Maybe there will always be some purely political choices that is impossible neither to justify, nor to undermine. Nicolas T. Courtois, January 2009
116
Security Technologies: Security as f(penetration rate)
CompSec Intro Security Technologies: Security as f(penetration rate) Nicolas T. Courtois, January 2009
117
Deployment / Penetration Rate
CompSec Intro Deployment / Penetration Rate Two sorts of technologies: A) Those that are effective if deployed at 20%: Examples: virus detection (as opposed to removal / fighting the viruses), 99 % / hard disk encryption, 20 % making the entry/authentication harder, as an option for the user, 20% B) Those that are totally ineffective even at 99%: virus removal, buggy anti-virus: “your anti-virus has just restarted due to an internal error”… we click YES for 1 % of the security alerts out of fatigue… certificates are frequently invalid… it invalidates the 99 % of the time we did prevent the intrusion… we lost our time if some ATMs still accept a blank mag-stripe only cards, the whole purpose of chips on bank cards is nearly defeated… Nicolas T. Courtois, January 2009
118
Secrecy vs. Transparency
CompSec Intro Secrecy vs. Transparency Nicolas T. Courtois, January 2009
119
Open Source vs. Closed Source and Security
CompSec Intro Open Source vs. Closed Source and Security Nicolas T. Courtois, January 2009
120
Very frequently an obvious business decision.
CompSec Intro Secrecy: Very frequently an obvious business decision. Creates entry barriers for competitors. But also defends against hackers. Nicolas T. Courtois, January 2009
121
Kerckhoffs’ principle: [1883]
CompSec Intro Kerckhoffs’ principle: [1883] “The system must remain secure should it fall in enemy hands …” Nicolas T. Courtois, January 2009
122
Kerckhoffs’ principle: [1883]
CompSec Intro Kerckhoffs’ principle: [1883] Most of the time: incorrectly understood. Utopia: Who can force companies to publish their specs??? No obligation to disclose. Security when disclosed. Better security when not disclosed. Nicolas T. Courtois, January 2009
123
1. Military: layer the defences.
CompSec Intro Yes (1,2,3,4): 1. Military: layer the defences. Nicolas T. Courtois, January 2009
124
CompSec Intro Yes (2): 2) Basic economics: these 3 extra months (and not more ) are simply worth a a lot of money. Nicolas T. Courtois, January 2009
125
CompSec Intro Yes (3): 3) Prevent the erosion of profitability / barriers for entry for competitors / “inimitability” Nicolas T. Courtois, January 2009
126
4) Avoid Legal Risks Yes (4):
CompSec Intro Yes (4): 4) Avoid Legal Risks companies they don't know where their code is coming from, they want to release the code and they can't because it's too risky! re-use of code can COMPROMISE own IP rights and create unknown ROYALTY obligations (!!!) clone/stolen code is more stable, more reliable, easier to understand! Nicolas T. Courtois, January 2009
127
What’s Wrong with Open Source?
CompSec Intro What’s Wrong with Open Source? Nicolas T. Courtois, January 2009
128
Kerckhoffs principle:
CompSec Intro Kerckhoffs principle: Rather WRONG in the world of smart cards… Reasons: side channel attacks, PayTV card sharing attacks etc.. But could be right elsewhere for many reasons… Example: DES,AES cipher, open-source, never really broken KeeLoq cipher, closed source, broken in minutes… Nicolas T. Courtois, January 2009
129
Open and closed security are more or less equivalent…
CompSec Intro Which Model is Better? Open and closed security are more or less equivalent… more or less as secure: opening the system helps both the attackers and the defenders. Cf. Ross Anderson: Open and Closed Systems are Equivalent (that is, in an ideal world). In Perspectives on Free and Open Source Software, MIT Press 2005, pp Nicolas T. Courtois, January 2009
130
Open Source: Remains a wishful thinking utopia kind of concept.
CompSec Intro Open Source: Remains a wishful thinking utopia kind of concept. I know people that were fired because of their open source advocacy… and very naïve and stupid on behalf of young people: Nicolas T. Courtois, January 2009
131
Social Critique of Open Source Software
CompSec Intro Social Critique of Open Source Software Open source is just the second market failure, as bad as Microsoft, and a part of the same problem. [according to Courtois]: A. Why young and skilled programmers would work for FREE while doing a work of absolutely huge social benefit? B. Why incompetent programmers at ill-intentioned corporations are millionaires in dollars? Economics: Not sustainable. They will be less and less people in group A… Hopefully! Opinion: Working for free is plainly and totally wrong, and can be illegal. Don’t work for free [unless you have a personal wealth to support it]. Get paid! Nicolas T. Courtois, January 2009
132
CompSec Intro Attack Trees Nicolas T. Courtois, January 2009
133
Attack Tree [Schneier 1999]
CompSec Intro Attack Tree [Schneier 1999] Formal analysis of all known attack avenues. A tree with OR nodes and AND nodes. nodes can be labeled with probabilities or cost estimates but what about unknown attacks? Get Admin Access sub-goals refinement details 1/10 Abuse Limited Account Get Limited Access Abuse System Privileges Privilege Escalation Exploit #36 Nicolas T. Courtois, January 2009
134
Expanded Example Get Admin Access Abuse Limited Account
CompSec Intro Expanded Example Get Admin Access 1/10 1/100 Become Admin Directly Abuse Limited Account Get Limited Access Obtain Legit. Admin Account Abuse System Privileges similar Privilege Escalation Exploit #36 £1000 Create One’s Own Account bribe Obtain Sb’s Credentials Create Account login password in person remotely guess / crack intercept reset shoulder surfing keyboard sniffer Nicolas T. Courtois, January 2009
135
CompSec Intro Unix Log In Nicolas T. Courtois, January 2009
136
Weakest Link Security like a chain: Get Admin Access easier!
CompSec Intro Weakest Link Security like a chain: Get Admin Access 1/100 1/10 Become Admin Directly Abuse Limited Account easier! Nicolas T. Courtois, January 2009
137
Defense in Depth Crack Password also appears in attack trees…
CompSec Intro Defense in Depth also appears in attack trees… Crack Password spec secrecy cipher secrecy getting the SAM file password hardness Nicolas T. Courtois, January 2009
138
CompSec Intro Conclusion: In complex systems, the principles of weakest link and defence in depth will occur simultaneously. Nicolas T. Courtois, January 2009
139
Accessing Password Database
CompSec Intro Accessing Password Database Nicolas T. Courtois, January 2009
140
Stealing Data with Costs
CompSec Intro Stealing Data with Costs Nicolas T. Courtois, January 2009
141
Opening a Safe with Costs
CompSec Intro Opening a Safe with Costs © Bruce Schneier Nicolas T. Courtois, January 2009
142
Cheapest Attack without Special Equipment
CompSec Intro Cheapest Attack without Special Equipment © Bruce Schneier Nicolas T. Courtois, January 2009
143
Attack Tree for PGP CompSec Intro Nicolas T. Courtois, January 2009
© Bruce Schneier Nicolas T. Courtois, January 2009
144
Reading a message sent between 2 Windows machines with countermeasures
CompSec Intro Reading a message sent between 2 Windows machines with countermeasures © Bruce Schneier Nicolas T. Courtois, January 2009
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.