Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, 2000 www.acsac.org www.acsac.org Edited.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, 2000 www.acsac.org www.acsac.org Edited."— Presentation transcript:

1 1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, 2000 www.acsac.org www.acsac.org Edited by A. Heddaya for Boston Univ. CS-350 Spring 2002 Original from: http://research.microsoft.com/lampson/Slides/SecurityAbstract.htm on 2002-04-18http://research.microsoft.com/lampson/Slides/SecurityAbstract.htm

2 2 Security: The Goal Computers are as secure as real world systems, and people believe it. This is hard because: –Computers can do a lot of damage fast. –There are many places for things to go wrong. –Networks enable »Anonymous attacks from anywhere »Automated infection »Hostile code and hostile hosts –People don’t trust new things.

3 3 Why We Don’t Have “Real” Security A. People don’t buy it: –Danger is small, so it’s OK to buy features instead. –Security is expensive. »Configuring security is a lot of work. »Secure systems do less because they’re older.  Security is a pain. »It stops you from doing things. »Users have to authenticate themselves. B. Systems are complicated, so they have bugs.

4 4 The Security Problem Real-world Requirements

5 5 Real-World Security It’s about value, locks, and punishment.  Locks good enough that bad guys don’t break in very often.  Police and courts good enough that bad guys that do break in get caught and punished often enough.  Less interference with daily life than value of loss. Security is expensive—buy only what you need.

6 6 Elements of Security Policy:Specifying security What is it supposed to do? Mechanism:Implementing security How does it do it? Assurance:Correctness of security Does it really work?

7 7 Dangers—Best Approach to Specs. Vandalism or sabotage that –damages information –disrupts service Theft of money Theft of information Loss of privacy Unknown successful attak Integrity Availability Integrity Secrecy Accountability

8 8 Vulnerabilities Bad (buggy or hostile) programs Bad (careless or hostile) people giving bad instructions to good programs Bad guy interfering with communications

9 9 Defensive strategies Keep everybody out –Isolation Keep the bad guy out –Code signing, firewalls Let him in, but keep him from doing damage –Sandboxing, access control Catch him and prosecute him –Auditing, police

10 10 The Security Solution Elements

11 11 The Access Control Model Guards control access to valued resources. Reference monitor Object Do operation Resource Principal GuardRequestSource

12 12 Mechanisms—The Gold Standard Authenticating principalswho said it?  Mainly people, but also channels, servers, programs Authorizing access who is trusted?  Usually for groups of principals Auditing what happened? Assurance –Trusted computing base

13 13 Assurance: Making Security Work Trusted computing base –Limit what has to work to ensure security »Ideally, TCB is small and simple –Includes hardware and software –Also includes configuration, usually overlooked »What software has privileges »Database of users, passwords, privileges, groups »Network information (trusted hosts, …) »Access controls on system resources »... The unavoidable price of reliability is simplicity.—Hoare

14 14 Assurance: Configuration Users—keep it simple –At most three levels: self, friends, others »Three places to put objects –Everything else done automatically with policies Administrators—keep it simple –Work by defining policies. Examples: »Each user has a private home folder »Each user belongs to one workgroup with a private folder »System folders contain vendor-approved releases »All executable programs are signed by a trusted party Today’s systems don’t support this very well

15 15 Assurance: Defense in Depth Network, with a firewall Operating system, with sandboxing –Basic OS (such as NT) –Higher-level OS (such as Java) Application that checks authorization directly All need authentication

16 16 Standard Operating System Security Assume secure channel from user (without proof) Authenticate user by local password –Assign local user and group SIDs Access control by ACLs: lists of SIDs and permissions –Reference monitor is the OS, or any RPC target Domains: same, but authenticate by RPC to controller Web servers: same, but simplified –Establish secure channel with SSL –Authenticate user by local password (or certificate) –ACL on right to enter, or on user’s private state

17 17 End-to-End Security Authenticate secure channels Work uniformly between organizations –Microsoft can securely accept Intel’s authentication –Groups can have members from different organizations Delegate authority to groups or systems Audit all security decisions

18 18 End-to-End example Alice is at Intel, working on Atom, a joint Intel- Microsoft project Alice connects to Spectra, Atom’s web page, with SSL Chain of responsibility: –K SSL  K temp  K Alice  Alice@Intel  Atom@Microsoft  r/w Spectra says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

19 19 Principals Authentication:Who sent a message? Authorization:Who is trusted? Principal — abstraction of “who”: –People Alice, Bob –Services microsoft.com, Exchange –Groups UW-CS, MS-Employees –Secure channelskey #678532E89A7692F, console Principals say things: –“Read file foo ” –“Alice’s key is #678532E89A7692F ”

20 20 Speaks For Principal A speaks for B: A    –Meaning: if A says something in set T, B says it too. »Thus A is stronger than B, or responsible for B, about T –Examples »Alice  Atom group of people »Key #7438  Alice key for Alice Delegation rule: If A says “B  A” then B  A –We trust A to delegate its own authority. »Why should A delegate to B? Needs case by case analysis. –Need a secure channel from A for “A says” »Easy if A is a key. »Channel can be off-line (certificate) or on-line (Kerberos)

21 21 Authenticating Channels Chain of responsibility: K SSL  K temp  K Alice  Alice@Intel  … K temp says K Alice says (SSL setup) (via smart card) says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

22 22 Authenticating Names: SDSI/SPKI A name is in some name space, defined by a key The key speaks for any name in its name space –K Intel  K Intel / Alice (which is just Alice@Intel ) –K Intel says … K temp  K Alice  Alice@Intel  … says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

23 23 Authenticating Groups A group is a principal; its members speak for it –Alice@Intel  Atom@Microsoft –Bob@Microsoft  Atom@Microsoft –… Evidence for groups: Just like names and keys. … K Alice  Alice@Intel  Atom@Microsoft  r/w … says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

24 24 View a resource object O as a principal An ACL entry for P means P can speak for O –Permissions limit the set of things P can say for O If Spectra ’s ACL says Atom can r/w, that means Spectra says … Alice@Intel  Atom@Microsoft  r/w Spectra Authorization with ACLs says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

25 25 End-to-End Example: Summary Request on SSL channel: K SSL says “read Spectra ” Chain of responsibility: K SSL  K temp  K Alice  Alice@Intel  Atom@Microsoft  r/w Spectra says Spectra ACL K SSL says Alice’s smart card Alice’s login system Spectra web page K temp K Alice Alice@IntelAtom@Microsoft Microsoft Intel K Alice

26 26 Compatibility with Local OS? (1) Put network principals on OS ACLs (2) Let network principal speak for local one –Alice@Intel  Alice@microsoft –Use network authentication »replacing local or domain authentication –Users and ACLs stay the same (3) Assign SIDs to network principals –Do this automatically –Use network authentication as before

27 27 Authenticating Systems A digest X can authenticate a program Word : –K Microsoft says “If image I has digest X then I is Word ” formallyX  K Microsoft / Word A system N can speak for another system Word : –K Microsoft says N  K Microsoft / Word The first cert makes N want to run I if N likes Word, and it makes N assert the running I is Word The second cert lets N convince others that N is authorized to run Word

28 28 Auditing Checking access: –Givena requestK Alice says “ read Spectra ” an ACL Atom may r/w Spectra –Check K Alice speaksK Alice  Atom for Atom rights suffice r/w  read Auditing: Each step is justified by –A signed statement (certificate), or –A delgation rule

29 29 Implement: Tools and Assurance Gold standard –AuthenticationWho said it? –AuthorizationWho is trusted? –Auditing What happened? End-to-end authorization –Principals: keys, names, groups –Speaks for: delegation, chain of responsibility Assurance: Trusted computing base –Keep it small and simple. –Include configuration, not just code.

30 30 References Why “real” security is hard –Ross Anderson: www.cl.cam.ac.uk/users/rja14 –Bruce Schneier, Secrets and Lies Distributed system security –Lampson et al. TOCS 10, 4 (Nov. 1992) –Wobber et al. TOCS 12, 1 (Feb. 1994) Simple Distributed Security Infrastructure (SDSI) –theory.lcs.mit.edu/~cis/sdsi.html Simple Public Key Infrastructure (SPKI) –www.cis.ohio-state.edu/htbin/rfc/rfc2693.html

Download ppt "1 Computer Security in the Real World Butler Lampson Microsoft Annual Computer Security Applications Conference, 2000 www.acsac.org www.acsac.org Edited."

Similar presentations

1 Computer Security in the Real World Butler Lampson Microsoft August 2005.

1 Computer Security in the Real World Butler Lampson Microsoft August 2005.
1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.

1 Accountability and Freedom Butler Lampson Microsoft September 26, 2005.
1 Computer Security in the Real World Butler Lampson Microsoft.

1 Computer Security in the Real World Butler Lampson Microsoft.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.

1 Operating System vs. Network Security Butler Lampson Microsoft Outline What security is about Operating systems security Network security How they fit.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.

1 Accountability and Freedom Butler Lampson Microsoft October 27, 2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google