
1  Software and Security. Butler Lampson, Microsoft.


2  Real-World Security
It’s about value, locks, and punishment.
– Locks good enough that bad guys don’t break in very often.
– Police and courts good enough that bad guys that do break in get caught and punished often enough.
– Less interference with daily life than value of loss.
Security is expensive—buy only what you need.
– People do behave this way.
– We don’t tell them this—a big mistake.
– Perfect security is the worst enemy of real security.

3  Dangers and Vulnerabilities
Dangers (and the property at stake):
– Vandalism or sabotage that
  » damages information (integrity)
  » disrupts service (availability)
– Theft of money (integrity)
– Theft of information (secrecy)
– Loss of privacy (secrecy)
Vulnerabilities:
– Bad (buggy or hostile) programs
– Bad (careless or hostile) people giving instructions to good programs

4  Defensive strategies
Control the bad guys
– Coarse: Isolate—keep everybody out
– Medium: Exclude—keep the bad guys out
– Fine: Restrict—keep them from doing damage
Recover—undo the damage
Catch the bad guys and punish them
– Auditing, police

5  The Access Control Model
Guards control access to valued resources.
(Diagram: a Principal, the source of a request, sends the request to a Guard, the reference monitor, which decides whether to do the operation on the Object, the resource.)

6  Mechanisms—The Gold Standard
Authenticating principals
– Mainly people, but also channels, servers, programs (encryption implements channels, so a key is a principal)
Authorizing access
– Usually for groups: principals that have some property, such as “type-safe” or “safe for scripting”
Auditing
Assurance
– Trusted computing base

7  Assurance: Making Security Work
Trusted computing base
– Limit what has to work to ensure security
  » Ideally, the TCB is small and simple
– Includes hardware and software
– Also includes configuration, usually overlooked
  » What software has privileges
  » Database of users, passwords, privileges, groups
  » ...
“The unavoidable price of reliability is simplicity.”—Hoare

8  Why We Don’t Have “Real” Security
A. People don’t buy it:
– Danger is small, so it’s OK to buy features instead.
– Security is expensive.
  » Configuring security is a lot of work.
  » Secure systems do less because they’re older.
– Security is a pain.
  » It stops you from doing things.
  » Users have to authenticate themselves.
B. Systems are complicated, so they have bugs.
– Especially the configuration

9  End-to-End Security
Be explicit about trust
– Audit all security decisions
– Take account of channels, machines, and software
Delegate authority (to groups or systems)
Work uniformly between organizations
– Microsoft can securely accept Intel’s authentication
– Groups can cross organization boundaries

10  End-to-End example
Alice is at Intel, working on Atom, a joint Intel-Microsoft project.
Alice connects to Spectra, Atom’s web page, with SSL.
Chain of responsibility: K_SSL ⇒ K_temp ⇒ K_Alice ⇒ Alice@Intel ⇒ Atom@Microsoft ⇒ r/w Spectra
(Diagram: Alice’s smart card, Alice’s login system and the Spectra web page, with the keys K_SSL, K_temp and K_Alice, the names Alice@Intel and Atom@Microsoft, the organizations Intel and Microsoft, and Spectra’s ACL; “says” arrows link the steps of the chain.)

11  Principals
Authentication: Who sent a message?
Authorization: Who is trusted?
Principal — abstraction of “who”:
– People: Alice, Bob
– Services: microsoft.com, Exchange
– Groups: UW-CS, MS-Employees
– Secure channels: key #678532E89A7692F, console
Principals say things:
– “Read file foo”
– “Alice’s key is #678532E89A7692F”

12  Speaks For
Principal A speaks for B: A ⇒ B
– Meaning: if A says something in set T, B says it too.
  » Thus A is stronger than B, or responsible for B, about T
– Examples
  » Alice ⇒ Atom (a group of people)
  » Key #7438 ⇒ Alice (a key for Alice)
We trust A to delegate its own authority.
– Delegation rule: If A says “B ⇒ A” then B ⇒ A
– Why should A delegate to B? Analyze case by case.
Next: four examples of “speaks for”.

13  Authenticating Channels
Chain of responsibility: K_SSL ⇒ K_temp ⇒ K_Alice ⇒ Alice@Intel ⇒ …
– K_temp says K_SSL ⇒ K_temp (SSL setup)
– K_Alice says K_temp ⇒ K_Alice (via smart card)
(Same diagram as slide 10, with these two “says” steps highlighted.)

14  Authenticating Names: SDSI/SPKI
A name is in a name space, defined by a principal P
– P is like a directory. The root principals are keys.
P speaks for any name in its name space
– K_Intel ⇒ K_Intel / Alice (which is just Alice@Intel)
Chain fragment: … K_temp ⇒ K_Alice ⇒ Alice@Intel ⇒ …, where K_Intel says K_Alice ⇒ Alice@Intel
(Same diagram as slide 10, with this step highlighted.)

15  Authenticating Groups
A group is a principal; its members speak for it
– Alice@Intel ⇒ Atom@Microsoft
– Bob@Microsoft ⇒ Atom@Microsoft
– …
Evidence for groups: just like names and keys.
Chain fragment: … K_Alice ⇒ Alice@Intel ⇒ Atom@Microsoft ⇒ r/w …
(Same diagram as slide 10, with this step highlighted.)

16  Authorization with ACLs
View a resource object O as a principal
– An ACL entry for P means P can speak for O
– Permissions limit the set of things P can say for O
If Spectra’s ACL says Atom can r/w, that means Spectra says the last step in … Alice@Intel ⇒ Atom@Microsoft ⇒ r/w Spectra
(Same diagram as slide 10, with this step highlighted.)

17  End-to-End Example: Summary
Request on SSL channel: K_SSL says “read Spectra”
Chain of responsibility: K_SSL ⇒ K_temp ⇒ K_Alice ⇒ Alice@Intel ⇒ Atom@Microsoft ⇒ r/w Spectra
(Same diagram as slide 10.)

18  Authenticating Systems: Loading
A digest X can authenticate a program SQL:
– K_Microsoft says “If image I has digest X then I is SQL”; formally X ⇒ K_Microsoft / SQL
– This is just like K_Alice ⇒ Alice@Intel
But a program isn’t a principal: it can’t say things.
To become a principal, a program must be loaded into a host H
– Booting is a special case of loading
X ⇒ SQL makes H want to run I if H likes SQL
It also makes H assert that the running I is SQL

19  Authenticating Systems: Quoting
A loaded program depends on the host it runs on.
– We write H | SQL for SQL running on H
– H | SQL says s = H says SQL says s
H can’t prove that it’s running SQL
But H can be trusted to run SQL
– K_Microsoft says H | SQL ⇒ K_Microsoft / SQL
This lets H convince others that it’s running SQL

20  Certifying Properties
Need a trusted authority: CA ⇒ “type-safe”
– Actually K_MS says CA ⇒ K_MS / “type-safe”
Usually done manually
Can also be done by a program P
– A compiler
– A class loader
– A more general proof checker
Logic is the same: P ⇒ “type-safe”
– Someone must authorize the program:
– K_MS says P ⇒ K_MS / “type-safe”

21  Compound Principals
A ∧ B says s = (A says s) ∧ (B says s)
H | P says s = H says P says s
– Useful for weakening a principal:
– A ∧ B says “read f” needs both A ⇒ R_f and B ⇒ R_f
– Example: Java rule—callee ∧ caller ⇒ callee-code
– Example: NT restricted tokens—if process P is running untrusted-code for blampson then P ⇒ blampson ∧ untrusted-code

22  Auditing
Checking access:
– Given a request, K_Alice says “read Spectra”, and an ACL, Atom may r/w Spectra
– Check that K_Alice speaks for Atom (K_Alice ⇒ Atom) and that the rights suffice (r/w includes read)
Auditing: each step is justified by
– A signed statement (certificate), or
– A delegation rule
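The chain of slides 10 and 13 to 17 and the check on this slide, as an added Python example that is not code from the slides: a small “speaks for” checker that enforces the delegation rule and the name-space rule, walks the chain from K_SSL to Spectra’s ACL, and returns the justification for every step so the decision can be audited. The class and function names, the evidence labels and the ACL contents are assumptions made for this example.

```python
from collections import deque

class SpeaksFor:
    """Signed 'A ⇒ B' statements plus the rules needed to chain them."""
    def __init__(self):
        self.edges = {}  # edges[A][B] = justification, meaning A ⇒ B

    def chain(self, a, b):
        """Justifications for A ⇒ ... ⇒ B (breadth-first search), or None."""
        seen, queue = {a: []}, deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                return seen[cur]
            for nxt, why in self.edges.get(cur, {}).items():
                if nxt not in seen:
                    seen[nxt] = seen[cur] + [why]
                    queue.append(nxt)
        return None

    def name_space(self, key, name):
        # Name-space rule (slide 14): a root key speaks for every name under it.
        self.edges.setdefault(key, {})[name] = f"{key} ⇒ {name} (name space)"

    def says(self, issuer, a, b, evidence):
        # Delegation rule (slide 12): "A ⇒ B" is accepted only if the issuer
        # is B or already speaks for B; nobody else can give away B's authority.
        if self.chain(issuer, b) is None:
            raise ValueError(f"{issuer} may not delegate {b}'s authority")
        self.edges.setdefault(a, {})[b] = f"{issuer} says {a} ⇒ {b} ({evidence})"

def check_access(sf, acl, requester, op, obj):
    """Slide 22 check: requester ⇒ some ACL entry whose rights include op."""
    for principal, rights in acl.get(obj, {}).items():
        steps = sf.chain(requester, principal)
        if steps is not None and op in rights:
            return steps + [f"{obj} ACL: {principal} may {sorted(rights)}; {op} suffices"]
    return None  # denied: no justified chain, or rights do not suffice

def spectra_example(requester="K_SSL", op="read"):
    # The slides' chain from each party's own statements; evidence labels and the ACL are constructed here.
    sf = SpeaksFor()
    sf.name_space("K_Intel", "Alice@Intel")
    sf.name_space("K_Microsoft", "Atom@Microsoft")
    sf.says("K_Intel", "K_Alice", "Alice@Intel", "Intel certificate")
    sf.says("K_Microsoft", "Alice@Intel", "Atom@Microsoft", "Atom membership")
    sf.says("K_Alice", "K_temp", "K_Alice", "smart-card login")
    sf.says("K_temp", "K_SSL", "K_temp", "SSL setup")
    acl = {"Spectra": {"Atom@Microsoft": {"read", "write"}}}
    return check_access(sf, acl, requester, op, "Spectra")
```

A key that nobody has vouched for gets no chain and is denied, and a statement such as "K_Forger says K_Forger ⇒ Alice@Intel" is rejected by the delegation rule before it ever enters the graph.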

23  Assurance: NGSCB (Palladium)
A cheap, convenient, physically separate machine
A high-assurance OS stack (we hope)
A systematic notion of program identity
– Identity = digest of (code image + parameters)
  » Can abstract this: K_MS says digest ⇒ K_MS / SQL
– Host certifies the running program’s identity: H says K ⇒ H | P
– Host grants the program access to sealed data
  » H seals (data, ACL) with its own secret key
  » H will unseal for P if P is on the ACL

24  Learn more
Computer Security in the Real World at research.microsoft.com/lampson (slides, paper; earlier papers by Abadi, Lampson, Wobber, Burrows)
Ross Anderson: www.cl.cam.ac.uk/users/rja14
Bruce Schneier: Secrets and Lies

