Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security Foundations and Principles

Similar presentations


Presentation on theme: "Computer Security Foundations and Principles"— Presentation transcript:

1 Computer Security Foundations and Principles
Nicolas T. Courtois University College London

2 Plan What is CompSec? Life Context and Threats Principles - Defenses
CompSec Intro Plan What is CompSec? Computer Industry Security = ? Security Science 123 Life Context and Threats Small / Big Threats Economics Ethics, Hackers Principles - Defenses Security Design Principles, Security Engineering Security Management Principles Weakest Link? Secrecy / Open Source Case Studies - Attack Trees Nicolas T. Courtois, January 2009

3 CompSec Intro Computers… Nicolas T. Courtois, January 2009

4 CompSec Intro Computer Industry We are dealing here with a particular industry: Computer industry. Software and Hardware. This industry is arguably VERY special, unlike any other industry that ever existed… But we can and will compare it to other industries smart cards have their own O.S. much more focus on security since always mobile phones, similarly developed very differently too… voting machines, door/car lock systems, etc… Nicolas T. Courtois, January 2009

5 CompSec Intro Disclaimer I don’t intend to ask you abstract “philosophy” questions at the exam, rather more concrete technical questions: beware of vague statements and excessive generalizations… what do the principles / methodology / ideas actually do in practice… be specific and factual Nicolas T. Courtois, January 2009

6 Computer Industry and Security
CompSec Intro Computer Industry and Security Tech Background: “Industry Standards” such as: Intel CPU and Chipset, RAM and hard drives, C language, UNIX / Windows TCP/IP, HTTP, TLS, Social-Econ Background: Science background: Nicolas T. Courtois, January 2009

7 Computer Industry and Security
CompSec Intro Computer Industry and Security “Industry Standards” Social-Econ Background: Science background: What technology “enablers”(computers) and “disablers” (cryptology,HWSec) can/cannot achieve? How to define / classify security problems and find “good” solutions Nicolas T. Courtois, January 2009

8 Computer Industry and Security
CompSec Intro Computer Industry and Security “Industry Standards” Social-Econ Background: things exist for a reason. “Nice or unpleasant” facts of life: software/hardware economics: which industry dominates which free market triumphs and disasters these stupid humans that cannot be bothered to obey the policy… these bureaucratic organisations that just cannot get their best interest(?) right nobody is buying/using the wonderful(?) technology, adoption barriers theory vs. practice crime war terrorism… laws / regulations etc… Science background: insecure rubbish! Nicolas T. Courtois, January 2009

9 “CompSec Cycle”: “Industry Standards” Social-Econ Background:
CompSec Intro “CompSec Cycle”: “Industry Standards” Social-Econ Background: Science background: Nicolas T. Courtois, January 2009

10 everything ends up here rapid obsolescence
CompSec Intro At The End: everything ends up here rapid obsolescence Nicolas T. Courtois, January 2009

11 What Happens After Death? 
CompSec Intro What Happens After Death?  Nicolas T. Courtois, January 2009

12 CompSec Intro What is Security? Nicolas T. Courtois, January 2009

13 Definition 1 [Courtois]
CompSec Intro Definition 1 [Courtois] Security: protect the value(s). What value(s) ? ALL ! Nicolas T. Courtois, January 2009

14 Security: protect the value(s).
CompSec Intro Security: protect the value(s). What value(s) ? Money Life and the quality of life. Privacy Good technology vs. bad one Freedom, Justice, etc… Nicolas T. Courtois, January 2009

15 Security: Definition 2. Common Criteria [ISO15408] :
CompSec Intro Security: Definition 2. Common Criteria [ISO15408] : Protecting Assets from Threats asset holder Nicolas T. Courtois, January 2009

16 Difference: protect against intentional damages...
CompSec Intro Security  Safety Difference: protect against intentional damages... Notion of an Attacker / Adversary. Notion of an Attack. Nicolas T. Courtois, January 2009

17 Attacker Attacker = Adversary = Threat Agent CompSec Intro
Nicolas T. Courtois, January 2009

18 **Dimensions of Security
CompSec Intro **Dimensions of Security Physical vs. Logical Psychological / Human vs. Organizational / Business very different! Nicolas T. Courtois, January 2009

19 CompSec Intro *Security on One Slide Nicolas T. Courtois, January 2009

20 Confidentiality Integrity Authenticity Accountability Availability
CompSec Intro Main Goals: Confidentiality Integrity Authenticity Accountability Availability Nicolas T. Courtois, January 2009

21 In There a Need for More Security?
CompSec Intro In There a Need for More Security? or will I have a job tomorrow? Nicolas T. Courtois, January 2009

22 Hegel [1770-1831], German philosophy
CompSec Intro Hegel [ ], German philosophy The history is the process of broadening freedom. Nicolas T. Courtois, January 2009

23 Why Security, why Cryptography ?
CompSec Intro Why Security, why Cryptography ? Freedom, new technologies  More possibilities  More security problems… “Theorem” [Courtois]: Freedom   Security  0 Nicolas T. Courtois, January 2009

24 Freedom  Security issues…
CompSec Intro Freedom  Security issues… Examples: invention of train/metro  threat of pickpockets car traffic:  major cause of death, trains are much safer invention of the internet  pirates and hackers. Nicolas T. Courtois, January 2009

25 Why Security, why Cryptography ?
CompSec Intro Why Security, why Cryptography ? Freedom of travel by car  main cause of death (e.g. 1.2 M people die every year in car accidents !) Unlimited exchange of data over the internet  unlimited security problems. Nicolas T. Courtois, January 2009

26 Enjoy benefits, limit/remove disadvantages.
CompSec Intro *Prof. Shigeo Tsujii, “The society should be designed to help people to enjoy the freedoms”… “broadened by IT”. Enjoy benefits, limit/remove disadvantages. Nicolas T. Courtois, January 2009

27 “Adding” Security – Def. 3.
CompSec Intro “Adding” Security – Def. 3. The goal of cryptology and security [Courtois]: Add security to the information technologies (IT) that are by nature insecure. enablers/disablers Nicolas T. Courtois, January 2009

28 Adding Security - Criticism
CompSec Intro Adding Security - Criticism Nicolas T. Courtois, January 2009

29 Why security it is an after-thought?
CompSec Intro Critics [Schneier] Why security it is an after-thought? “Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security”. “Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.” Why security is not built-in? “utopian vision” Security is difficult, expensive and takes time… Nicolas T. Courtois, January 2009

30 CompSec Intro ***Today [Schneier] “I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed.“ Nicolas T. Courtois, January 2009

31 Security Science 1.2.3. CompSec Intro
Nicolas T. Courtois, January 2009

32 Claim [Courtois, Schneier]:
CompSec Intro Claim [Courtois, Schneier]: Computer Security and real-world security are governed by the same laws !!! Nicolas T. Courtois, January 2009

33 The Security ? 3-point Formal Approach
CompSec Intro The Security ? 3-point Formal Approach What is Security ? Inability to achieve: Security against what: Adversarial Goal. Against whom: resources of the Adversary: money, human resources, computing power, memory, risk, expertise, etc.. Access to the system. Nicolas T. Courtois, January 2009

34 CompSec Intro 1. Attackers Nicolas T. Courtois, January 2009

35 Vocabulary Attacker / Adversary / Threat Agent CompSec Intro
Nicolas T. Courtois, January 2009

36 Enjoyment, fame, ego, role models
CompSec Intro 1. Adversarial Goals Enjoyment, fame, ego, role models Develop science and offensive technology: $$$ profits and other benefits Nicolas T. Courtois, January 2009

37 petty => organized criminals, rogue states, industrial espionage,
CompSec Intro 2. a. Who Are the Attackers bored teenagers, petty => organized criminals, rogue states, industrial espionage, disgruntled employees, … pure legitimate use Inadvertent events, bugs, errors, ourselves (forgot the d… password!), our family / friends / co-workers, Nicolas T. Courtois, January 2009

38 computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…)
CompSec Intro 2. b. Their Means computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…) knowledge / expertise risk/exposure capacity Nicolas T. Courtois, January 2009

39 CompSec Intro 3. Access Nicolas T. Courtois, January 2009

40 Somewhat similar as for cars:
CompSec Intro 3. Access to Computers Somewhat similar as for cars: Nicolas T. Courtois, January 2009

41 When you drive on the road When parked on the street.
CompSec Intro 3. Access to your car. Miles away… When you drive on the road When parked on the street. Enters your garage Had a key yesterday and he made a copy Nicolas T. Courtois, January 2009

42 Remote location, not connected to Internet
CompSec Intro 3. Access to a Computer Remote location, not connected to Internet Remote location, somewhat connected… Physical proximity… Access to USB ports. Access (alone) for a few seconds… Take it home and hack it… Nicolas T. Courtois, January 2009

43 +wireless communications made things worse…
CompSec Intro *3. Access Internet +wireless communications made things worse… Nicolas T. Courtois, January 2009

44 CompSec Intro “Small” Little Things Nicolas T. Courtois, January 2009

45 CompSec Intro Insecurity Nicolas T. Courtois, January 2009

46 What are Important Security Issues?
CompSec Intro What are Important Security Issues? Think twice. Nicolas T. Courtois, January 2009

47 Mildest Forms of Insecurity
CompSec Intro Mildest Forms of Insecurity nuisance and irritation generated by security and updates, necessity to think about such sordid things as security, losing some pennies on it… Slight problem: the long tail theory. Nicolas T. Courtois, January 2009

48 the Long Tail theory 1 Bank loses 30 M$/Y
CompSec Intro the Long Tail theory 1 Bank loses 30 M$/Y 300 M people lose 1 minute/day = M$/Y Cormac Herley [Microsoft Research] no thanks.. the rational rejection of security advice… the customer is your boss’s boss’s boss! his time is very precious! 30 M$ / minute! cost frequency Nicolas T. Courtois, January 2009

49 CompSec Intro Major Threats Nicolas T. Courtois, January 2009

50 Block Buster Insecurity
CompSec Intro Block Buster Insecurity Viruses/Worms (e.g. Melissa 1999) DOS hurting big corp. / countries [Estonia] Financial/personal data files leaked/lost [lots in the media US] Computer break-ins [little publicity?] Nicolas T. Courtois, January 2009

51 Explosion of Known Vulnerabilities
CompSec Intro Explosion of Known Vulnerabilities What about the unknown ones? Nicolas T. Courtois, January 2009

52 Many PCs are Is My PC Infected? CompSec Intro
Nicolas T. Courtois, January 2009

53 Why Things Happen? Mystified: Economics/Business: Bugs… or don’t care.
CompSec Intro Why Things Happen? Bugs… or don’t care. Programming developed with absence of security. C/C++ is unsafe (Microsoft is currently blacklisting big chunks of standard C, could have happened 10 years ago). Security/cryptography research developed with obsession with security. Both never met. Mystified: security issues are probably always exaggerated and distorted, one way or another (downplayed OR exaggerated, Ross Anderson: “hypertrophy” of security) Economics/Business: many things just don’t matter! customers do not see => do not care about security usability: user burden frustrates them. Nicolas T. Courtois, January 2009

54 CompSec Intro CompSec and Economics Nicolas T. Courtois, January 2009

55 “[…] Why do so many vulnerabilities exist in the first place?[…]”
CompSec Intro Question “[…] Why do so many vulnerabilities exist in the first place?[…]” Cf. Ross Anderson, Tyler Moore et al: “The Economics of Information Security” In Science, October 2006. “Security Economics and the Internal Market”: public report for ENISA (European Network and Information Security Agency), March 2008. Nicolas T. Courtois, January 2009

56 Why Commercial Security Fails?
CompSec Intro Why Commercial Security Fails? Claim: the link between “money” and security is frequently broken today: Security is a public good. “private” incentives are weak. Worse than “market for lemons”: Not only that the customer cannot see the difference between good security and bad. Frequently the manufacturer cannot either. Too frequently security (and our safety) remains something that money cannot buy… (money seems to work for cars, and to fail for computers) Nicolas T. Courtois, January 2009

57 Security and Economics
CompSec Intro Security and Economics Security is about [sensible] security trade-offs. Closely related to economics: How to allocate resources efficiently. Nicolas T. Courtois, January 2009

58 The Very Nature of Security:
CompSec Intro The Very Nature of Security: Bruce Schneier “Beyond Fear” book [2003], p.1: Critical to any security decision is the notion of [security] trade-offs, meaning the costs in terms of money, convenience, comfort, freedoms, and so on – that inevitably attach themselves to any security system. Nicolas T. Courtois, January 2009

59 CompSec Intro Failures Nicolas T. Courtois, January 2009

60 Failure in implementation Failure in operation
CompSec Intro Types of Failures Failure in design Failure in implementation Failure in operation Nicolas T. Courtois, January 2009

61 CompSec Intro If It Can Fail… It Will Schneier: “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. Nicolas T. Courtois, January 2009

62 or should Karate classes be legal?
CompSec Intro Ethics or should Karate classes be legal? Nicolas T. Courtois, January 2009

63 CompSec Intro Key Question: Is actively researching serious security vulnerabilities socially desirable? - Of Course Yes! …will tell you every professional hacker and every academic code-breaker… Nicolas T. Courtois, January 2009

64 CompSec Intro Bruce Schneier [14 May 2008]: Problem: A hacker who discovers one [attack] can sell it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences. Q: […] is it ethical to research new vulnerabilities? A: Unequivocally, yes. [according to Schneier] Because: Vulnerability research is vital because it trains our next generation of computer security experts. Nicolas T. Courtois, January 2009

65 The question is open to debate and remains somewhat controversial
CompSec Intro Our Answer: The question is open to debate and remains somewhat controversial Maybe it depends.. …on what? Nicolas T. Courtois, January 2009

66 Rescorla [2004] Research and disclose? Yes, if…
CompSec Intro Rescorla [2004] Research and disclose? Yes, if… …these vulnerabilities are likely to be rediscovered Cf. E. Rescorla. “Is finding security holes a good idea?” In 3rd Workshop on the Economics of Information Security (2004). Nicolas T. Courtois, January 2009

67 CompSec Intro Benefits: Disclosure creates incentives for fixing these vulnerabilities. Nicolas T. Courtois, January 2009

68 CompSec Intro Attackers and Hackers Nicolas T. Courtois, January 2009

69  Motivation Enjoyment, fame, ego, role models
CompSec Intro Motivation Enjoyment, fame, ego, role models Develop science and offensive technology: University researchers, (good/bad) Security professionals (defenders) Professional hackers, pen testers, etc… Profits and other benefits Crime business, Promoting legal security business, Political activism, terrorism, Nicolas T. Courtois, January 2009

70 petty => organized criminals, rogue states, industrial espionage,
CompSec Intro Hackers Are: bored teenagers, petty => organized criminals, rogue states, industrial espionage, disgruntled employees, … pure legitimate use Inadvertent events, bugs, errors, ourselves (forgot the d… password!), our family / friends / co-workers, Nicolas T. Courtois, January 2009

71 computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…)
CompSec Intro 2. b. Their Means computers (MIPS) / other hardware (antennas, liquid Nitrogen, etc…) knowledge / expertise risk/exposure capacity Nicolas T. Courtois, January 2009

72 Biggest conference in Cryptography: DefCon: 9000 people.
CompSec Intro Hacker Movement Biggest conference in Cryptography: Crypto in Santa Barbara, CA, 500 people. DefCon: 9000 people. CCC conf: 3000 people. the biggest in EU. 80 % very young, 70 % German, 98 % male, 99 % white. => future growth potential. Talks start at 10h. At 23h there are 3 technical talks in parallel. At 24h there are “funny/entertainment/philosophy” talks. There are sofas to sleep in the congress center, but hackers never sleep, they type sth. on their laptop. Conference bandwidth was 3 Gbytes, instant tentatives of intrusion. There are stands about speed hacking, speed soldering. Practical lock-picking, RFID hacking, etc. Nicolas T. Courtois, January 2009

73 CompSec Intro Hacktivism Mostly about getting attention in the press through direct and spectacular action (hacking) against a government or corporate entity. In order to achieve a political effect. Usually still a technology claim: Just improve the security! It is broken. Just hire better experts/cryptographers/programmers… Political statement unrelated to technology: Russia does not agree with Estonia. Nicolas T. Courtois, January 2009

74 Chaos Computer Club started in Hamburg in 1981
CompSec Intro Chaos Computer Club started in Hamburg in 1981 as a German-speaking libertarian-anarchist conference and social movement claiming freedom at any price, including freedom to pirate anything… Nicolas T. Courtois, January 2009

75 CompSec Intro Chaos Computer Club Very strong relations with German press makes that it is much harder to put hackers to jail (fear of bad press coverage). Don’t do the same things that some people do.. They will get away with it, you will not. These people are very strong defenders of some rights such as privacy and freedom of speech, and thus they achieve a sort of legitimacy in the public eye to indulge in activities that would otherwise be considered just criminal. in the same way trade unions frequently get away with doing illegal things, but not always, many trade union leader have been in prison once or twice. The risk is totally and absolutely non-zero. In the 80s the CCC guys showed the insecurity of Bildschirmtext computer network and made it debit a bank in Hamburg 134K DM in favour of the Club. Then they organized a press conference. The banks were nice, did NOT sue them. But how can you predict they will be nice? Nicolas T. Courtois, January 2009

76 Recent Trend: Rapid growth. The industrialization of hacking:
CompSec Intro Recent Trend: Rapid growth. The industrialization of hacking: division of labour, clear definition of roles forming a supply chain professional management Nicolas T. Courtois, January 2009

77 Principles of Security Engineering
CompSec Intro Principles of Security Engineering Nicolas T. Courtois, January 2009

78 Security Engineering Definition: [Ross Anderson]
CompSec Intro Security Engineering Definition: [Ross Anderson] building systems to remain dependable in face of malice, error or mischance. Nicolas T. Courtois, January 2009

79 or “Security Mantras”: repeat after me: C.I.A. C.I.A.
CompSec Intro Magic Formulas… or “Security Mantras”: repeat after me: C.I.A. C.I.A. In fact we have no silver bullet. on the contrary: Security is about trade-offs. Conflicting engineering criteria…. Conflicting requirements… Overcoming human, technology and market failures. insecure rubbish! Nicolas T. Courtois, January 2009

80 Proportionality Principle
CompSec Intro Proportionality Principle Maximize security??? Maximize “utility” (the benefits) while limiting risk to an acceptable level within reasonable cost… all about economics… Nicolas T. Courtois, January 2009

81 Efficiency and Effectiveness
CompSec Intro Efficiency and Effectiveness Security measures must be: Efficient and effective… Nicolas T. Courtois, January 2009

82 Design Principles for Protection Mechanisms
CompSec Intro Design Principles for Protection Mechanisms [Saltzer and Schroeder 1975] important for exam Nicolas T. Courtois, January 2009

83 Least Privilege [or Limitation] Principle
CompSec Intro Least Privilege [or Limitation] Principle Every “module” (such as a process, a user or a program) should be able to access only such information and resources that are necessary to its legitimate purpose. Nicolas T. Courtois, January 2009

84 Default Deny There are two basic attitudes:
CompSec Intro Default Deny There are two basic attitudes: Default permit - "Everything, not explicitly forbidden, is permitted" Allows greater functionality by sacrificing security. Good if security threats are non-existent or negligible. Default deny - "Everything, not explicitly permitted, is forbidden" Improves security, harder to get any functionality. Believed to be a good approach if you have lots of security threats. Nicolas T. Courtois, January 2009

85 Fail-safe Defaults Secure by default,
CompSec Intro Fail-safe Defaults Secure by default, Example:if we forget to specify access, deny it. Nicolas T. Courtois, January 2009

86 CompSec Intro Economy of Mechanism A protection mechanism should have a simple and small design. small and simple enough to be build in a rigorous way, and fully tested and analysed Nicolas T. Courtois, January 2009

87 Separation of Privileges
CompSec Intro Separation of Privileges Split into pieces with limited privileges! Implementation in software engineering: Have computer program fork into two processes. The main program drops privileges (e.g. dropping root under Unix). The smaller program keeps privileges in order to perform a certain task. The two halves then communicate via a socket pair. Benefits: A successful attack against the larger program will gain minimal access. even though the pair of programs will perform privileged operations. A crash in a process run as nobody cannot be exploited to gain privileges. Additional possibilities: obfuscate individual modules and/or make them tamper resistant through software. Or burn them into a dedicated hardware module, and burn the fuse that allows to read the firmware. Nicolas T. Courtois, January 2009

88 Least Common Mechanism
CompSec Intro Least Common Mechanism Mechanisms used to access resources should not be shared. Why? Not so obvious. If everybody depends on it, failure will have a higher impact. One user can do a DOS attack. Shared service [or resource such as CPU cache] can provide side channels. A mechanism serving all users must be designed to the satisfaction of every user, harder than satisfying more specialized requirements. Nicolas T. Courtois, January 2009

89 CompSec Intro Be Friendly! Nicolas T. Courtois, January 2009

90 Saltzer and Schroeder 1975:
CompSec Intro Saltzer and Schroeder 1975: Psychologically Acceptable not enough anymore Nicolas T. Courtois, January 2009

91 Acceptable and accepted…
CompSec Intro Usability Consent Acceptable and accepted… Nice User-friendly or not: otherwise the mechanism will be bypassed (-consent) Nicolas T. Courtois, January 2009

92 Be Even More Friendly: Don’t annoy people.
CompSec Intro Be Even More Friendly: Don’t annoy people. Minimize the number of clicks Minimize the number of things to remember Make security easy to understand and self-explanatory Security should NOT impact users that obey the rules. Established defaults should be reasonable. People should not feel trapped. It should be easy to Restrict access Give access Personalize settings Etc… Nicolas T. Courtois, January 2009

93 More Design Principles
CompSec Intro More Design Principles Nicolas T. Courtois, January 2009

94 Think Ahead [Morrie Gasser 1988] Pro-active security design:
CompSec Intro Think Ahead Pro-active security design: Design the security in, built-in from the start. Contrary of aftermarket security. Allow for future security enhancements. [Morrie Gasser 1988] also Fail securely: if sth. goes wrong, yes, make sure it “fails securely”. Nicolas T. Courtois, January 2009

95 CompSec Intro Trust vs. Security Nicolas T. Courtois, January 2009

96 Trust Following Ross Anderson and US Dept of Defence definitions:
CompSec Intro Trust Following Ross Anderson and US Dept of Defence definitions: Trusted system [paradoxical definition]: one that can break the security policy (in theory, risk). Trustworthy system: one that won’t fail us (0 risk). An employee who is selling secrets is trusted and NOT trustworthy at the same time. Nicolas T. Courtois, January 2009

97 Be Reluctant to Trust Cf. Least Privilege. CompSec Intro
Nicolas T. Courtois, January 2009

98 Be Trustworthy Public scrutiny promotes trust.
CompSec Intro Be Trustworthy Public scrutiny promotes trust. Commitment to security is visible in the long run. Nicolas T. Courtois, January 2009

99 *Management Principles for Production and Development,
CompSec Intro *Management Principles for Production and Development, or Integrity of a Business Process… [Lipner 1982] slides also relevant and repeated in 02 part Nicolas T. Courtois, January 2009

100 Lipner 1982 These can be see as management principles:
CompSec Intro Lipner 1982 These can be see as management principles: How to manage development and production, avoid random failures and security breaches alike. Principle of Segregation of Duties = Separation of Duty. Nicolas T. Courtois, January 2009

101 Segregation of Duties Achieved by (closely related):
CompSec Intro Segregation of Duties Achieved by (closely related): Principle of Functional separation: Several people should cooperate. Examples: one developer should not work alone on a critical application, the tester should not be the same person as the developer If two or more steps are required to perform a critical function, at least two different people should perform them, etc. This principle makes it very hard for one person to compromise the security, on purpose of inadvertently. Principle of Dual Control: Example 1: in the SWIFT banking data management system there are two security officers: left security officer and right security officer. Both must cooperate to allow certain operations. Example 2: nuclear devices command. Example 3: cryptographic secret sharing Nicolas T. Courtois, January 2009

102 Record what actions took place and who performed them
CompSec Intro Auditing / Monitoring Record what actions took place and who performed them Contributes to both disaster recovery (business continuity) and accountability. Nicolas T. Courtois, January 2009

103 CompSec Intro Lipner 1982: Requirements, focus on integrity of the business processes and of the “production” data whatever it means: Users will not write their own programs. Separation of Function: Programmers will develop on test systems and test data, not on “production” systems. A special procedure will allow to execute programs. Compliance w.r.t. 3 will be controlled / audited. Managers and auditors should have access to the system state and to all system logs. Nicolas T. Courtois, January 2009

104 The False Principle: The Weakest Link CompSec Intro
Nicolas T. Courtois, January 2009

105 Schneier: www.schneier.com/blog/archives/2005/12/weakest_link_se.html
CompSec Intro Weakest Link Chain metaphor: Schneier: “security is only as strong as the weakest link.” Nicolas T. Courtois, January 2009

106 CompSec Intro Chains vs. Layers Nicolas T. Courtois, January 2009

107 Security can be like a chain: or, better Security can be layered
CompSec Intro Two Cases Security can be like a chain: or, better Security can be layered Nicolas T. Courtois, January 2009

108 Military: Defence in Depth
CompSec Intro Military: Defence in Depth Nicolas T. Courtois, January 2009

109 Computer systems have multiple layers, e.g.
CompSec Intro Layers Computer systems have multiple layers, e.g. HW components Chipset/MB OS TCP/IP stack HTTP application Secure http layer Java script User/smart card interface Nicolas T. Courtois, January 2009

110 Example 1: assuming 1000 little details… CompSec Intro
Nicolas T. Courtois, January 2009

111 Example 2: assuming 1000 little details… CompSec Intro
Nicolas T. Courtois, January 2009

112 Another False?? Or True?? Principle:
CompSec Intro Another False?? Or True?? Principle: Assume the Worst Nicolas T. Courtois, January 2009

113 Back to Schneier Quote www.schneier.com/essay-005.html
CompSec Intro Back to Schneier Quote “It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.” BUT… this is rubbish(or is it?) Nicolas T. Courtois, January 2009

114 Worst Case Defences? Criticism
CompSec Intro Worst Case Defences? Criticism Cormac Herley [Microsoft research]: Most security systems are build to defend against the worst case. In reality, the average case losses are insignificant or small, e.g. actually computer crime worldwide is very small… and many security technologies are maybe -- from the economics point of view -- totally useless but it depends, we cannot judge security technologies by present losses, because there are also losses that have been avoided or deterred by this technology, and also that losses evolve over the time with highly chaotic pattern (they are 0 then suddenly they may explode) Nicolas T. Courtois, January 2009

115 Worst Case Defences? Conclusion
CompSec Intro Worst Case Defences? Conclusion There is no general answer. Both arguments are legitimate. More detailed analysis is needed; what if etc... Can this be done? Maybe there will always be some purely political choices that is impossible neither to justify, nor to undermine. Nicolas T. Courtois, January 2009

116 Security Technologies: Security as f(penetration rate)
CompSec Intro Security Technologies: Security as f(penetration rate) Nicolas T. Courtois, January 2009

117 Deployment / Penetration Rate
CompSec Intro Deployment / Penetration Rate Two sorts of technologies: A) Those that are effective if deployed at 20%: Examples: virus detection (as opposed to removal / fighting the viruses), 99 % / hard disk encryption, 20 % making the entry/authentication harder, as an option for the user, 20% B) Those that are totally ineffective even at 99%: virus removal, buggy anti-virus: “your anti-virus has just restarted due to an internal error”… we click YES for 1 % of the security alerts out of fatigue… certificates are frequently invalid… it invalidates the 99 % of the time we did prevent the intrusion… we lost our time if some ATMs still accept a blank mag-stripe only cards, the whole purpose of chips on bank cards is nearly defeated… Nicolas T. Courtois, January 2009

118 Secrecy vs. Transparency
CompSec Intro Secrecy vs. Transparency Nicolas T. Courtois, January 2009

119 Open Source vs. Closed Source and Security
CompSec Intro Open Source vs. Closed Source and Security Nicolas T. Courtois, January 2009

120 Very frequently an obvious business decision.
CompSec Intro Secrecy: Very frequently an obvious business decision. Creates entry barriers for competitors. But also defends against hackers. Nicolas T. Courtois, January 2009

121 Kerckhoffs’ principle: [1883]
CompSec Intro Kerckhoffs’ principle: [1883] “The system must remain secure should it fall in enemy hands …” Nicolas T. Courtois, January 2009

122 Kerckhoffs’ principle: [1883]
CompSec Intro Kerckhoffs’ principle: [1883] Most of the time: incorrectly understood. Utopia: Who can force companies to publish their specs??? No obligation to disclose. Security when disclosed. Better security when not disclosed. Nicolas T. Courtois, January 2009

123 1. Military: layer the defences.
CompSec Intro Yes (1,2,3,4): 1. Military: layer the defences. Nicolas T. Courtois, January 2009

124 CompSec Intro Yes (2): 2) Basic economics: these 3 extra months (and not more ) are simply worth a a lot of money. Nicolas T. Courtois, January 2009

125 CompSec Intro Yes (3): 3) Prevent the erosion of profitability / barriers for entry for competitors / “inimitability” Nicolas T. Courtois, January 2009

126 4) Avoid Legal Risks Yes (4):
CompSec Intro Yes (4): 4) Avoid Legal Risks companies they don't know where their code is coming from, they want to release the code and they can't because it's too risky! re-use of code can COMPROMISE own IP rights and create unknown ROYALTY obligations (!!!) clone/stolen code is more stable, more reliable, easier to understand! Nicolas T. Courtois, January 2009

127 What’s Wrong with Open Source?
CompSec Intro What’s Wrong with Open Source? Nicolas T. Courtois, January 2009

128 Kerckhoffs principle:
CompSec Intro Kerckhoffs principle: Rather WRONG in the world of smart cards… Reasons: side channel attacks, PayTV card sharing attacks etc.. But could be right elsewhere for many reasons… Example: DES,AES cipher, open-source, never really broken KeeLoq cipher, closed source, broken in minutes… Nicolas T. Courtois, January 2009

129 Open and closed security are more or less equivalent…
CompSec Intro Which Model is Better? Open and closed security are more or less equivalent… more or less as secure: opening the system helps both the attackers and the defenders. Cf. Ross Anderson: Open and Closed Systems are Equivalent (that is, in an ideal world). In Perspectives on Free and Open Source Software, MIT Press 2005, pp Nicolas T. Courtois, January 2009

130 Open Source: Remains a wishful thinking utopia kind of concept.
CompSec Intro Open Source: Remains a wishful thinking utopia kind of concept. I know people that were fired because of their open source advocacy… and very naïve and stupid on behalf of young people: Nicolas T. Courtois, January 2009

131 Social Critique of Open Source Software
CompSec Intro Social Critique of Open Source Software Open source is just the second market failure, as bad as Microsoft, and a part of the same problem. [according to Courtois]: A. Why young and skilled programmers would work for FREE while doing a work of absolutely huge social benefit? B. Why incompetent programmers at ill-intentioned corporations are millionaires in dollars? Economics: Not sustainable. They will be less and less people in group A… Hopefully! Opinion: Working for free is plainly and totally wrong, and can be illegal. Don’t work for free [unless you have a personal wealth to support it]. Get paid! Nicolas T. Courtois, January 2009

132 CompSec Intro Attack Trees Nicolas T. Courtois, January 2009

133 Attack Tree [Schneier 1999]
CompSec Intro Attack Tree [Schneier 1999] Formal analysis of all known attack avenues. A tree with OR nodes and AND nodes. nodes can be labeled with probabilities or cost estimates but what about unknown attacks? Get Admin Access sub-goals refinement details 1/10 Abuse Limited Account Get Limited Access Abuse System Privileges Privilege Escalation Exploit #36 Nicolas T. Courtois, January 2009

134 Expanded Example Get Admin Access Abuse Limited Account
CompSec Intro Expanded Example Get Admin Access 1/10 1/100 Become Admin Directly Abuse Limited Account Get Limited Access Obtain Legit. Admin Account Abuse System Privileges similar Privilege Escalation Exploit #36 £1000 Create One’s Own Account bribe Obtain Sb’s Credentials Create Account login password in person remotely guess / crack intercept reset shoulder surfing keyboard sniffer Nicolas T. Courtois, January 2009

135 CompSec Intro Unix Log In Nicolas T. Courtois, January 2009

136 Weakest Link Security like a chain: Get Admin Access easier!
CompSec Intro Weakest Link Security like a chain: Get Admin Access 1/100 1/10 Become Admin Directly Abuse Limited Account easier! Nicolas T. Courtois, January 2009

137 Defense in Depth Crack Password also appears in attack trees…
CompSec Intro Defense in Depth also appears in attack trees… Crack Password spec secrecy cipher secrecy getting the SAM file password hardness Nicolas T. Courtois, January 2009

138 CompSec Intro Conclusion: In complex systems, the principles of weakest link and defence in depth will occur simultaneously. Nicolas T. Courtois, January 2009

139 Accessing Password Database
CompSec Intro Accessing Password Database Nicolas T. Courtois, January 2009

140 Stealing Data with Costs
CompSec Intro Stealing Data with Costs Nicolas T. Courtois, January 2009

141 Opening a Safe with Costs
CompSec Intro Opening a Safe with Costs © Bruce Schneier Nicolas T. Courtois, January 2009

142 Cheapest Attack without Special Equipment
CompSec Intro Cheapest Attack without Special Equipment © Bruce Schneier Nicolas T. Courtois, January 2009

143 Attack Tree for PGP CompSec Intro Nicolas T. Courtois, January 2009
© Bruce Schneier Nicolas T. Courtois, January 2009

144 Reading a message sent between 2 Windows machines with countermeasures
CompSec Intro Reading a message sent between 2 Windows machines with countermeasures © Bruce Schneier Nicolas T. Courtois, January 2009


Download ppt "Computer Security Foundations and Principles"

Similar presentations


Ads by Google