Transcript Document

EXTRACTS FROM
TRIPOS
Jennifer Seberry
7/18/2015
Introduction

7/18/2015
We look at a number of
applications which need various
combinations of confidentiality,
availability and integrity properties.
Transaction Processing Systems





ATMs – The original retail transaction processing system.
Since 1968 – world installed base 300,000 – 500,000
Encryption techniques used to generate PINs in secure
hardware devices located within ATMs and at bank computer
centres
Telephone Cards – prepaid cards, SIMs
SIMs are smart cards that identify the user for billing, manage
keys for encrypting the conversation, and let the subscriber
perform banking functions and place bets on horse races.
7/18/2015
Transaction Processing Systems 2




7/18/2015
Prepayment electricity meters
Road toll and parking garage
tokens.
Lottery ticket terminals – uses
encryption to ensure that vendors
cannot manufacture valid tickets
after the draw.
Allow postal franking machines to
replenish remotely
Electronic Warfare and Similar Topics
NATO Security Classifications
 Restricted – little known military value
 Confidential – could cause serious
damage to operational effectiveness
 Secret – would threaten life directly, or
seriously damage relations with friendly
governments
 Top Secret – would lead directly to
widespread loss of life, threaten directly
the internal stability of friendly countries
7/18/2015
Electronic Warfare and Similar Topics 2

7/18/2015
This is a multilevel secure system.
It has the property that processes
can read down and write up, but
never vice versa.
Electronic Warfare and Similar Topics 3
Cryptographic techniques are used in
many roles in modern warfare –
 Frequency agile radar.
 Spread spectrum radio.
 Identify friend or foe.
7/18/2015
Electronic Warfare and Similar Topics 4
Other commercial applications
 Satellite and other pay-per-view TV
 Burglar alarms
 Sniffers
 Computer access tokens
 Tachographs
7/18/2015
End-to-End: SWIFT 1


7/18/2015
Is owned cooperatively by several
thousand banks worldwide to
provide a secure ‘email’ system for
messages of value
Confidentiality depends on line
encryption devices between the
banks and the local SWIFT node,
and between these nodes and the
main SWIFT processing sites.
End-to-End: SWIFT 1



7/18/2015
Keys are hand carried in EEPROM
cartridges between the devices at
either end of a leased line.
SWIFT 1 ran for 20 years without a
single report of external fraud.
There were many internal frauds –
such as programmers inserting
bogus messages into the SWIFT
processing queues
Data Translation –ATM Networks


7/18/2015
Most ATMs operate using some
variant of a system developed by
IBM. This uses a secret key – PIN
An offset can be added to the PIN
operation – this has no real
cryptographic function; it just
enables customers to choose their
own PIN. The following slide has
an example of this process -
Data Translation –ATM Networks -2
Account Number N: 8807012345691715
PIN key PK:
FEFEFEFEFEFEFEFEFEFE
Result of DES {N} KP: A2CE126C69AEC82D
{N} KP decimal zed: 0224126269042823
Natural PIN:
0224
Offset:
6565
Customer PIN:
6789
7/18/2015
Data Translation –ATM Networks -3

7/18/2015
Security depends on keeping the
PIN secret, and the usual strategy
is to supply a ‘terminal master key’
to each ATM , in the form of two
printed components, which are
carried to the branch by two
separate officials, input at the ATM
keyboard, and combined to form
the key.
Data Translation –ATM Networks -4

7/18/2015
The problem faced by VISA and
MasterCard was to extend this
security policy to tens of thousands
of banks worldwide. The solution
was to insist on standardized
encryption units, called ‘security
modules’, which provide a trusted
computing base, or TCB, with
modules at each member bank
and in each switch on the network
Multistate Machines



7/18/2015
Many CPUS have some simple security
mechanism supported in the hardware,
on which the higher level access control
mechanisms are built.
Early IBM mainframes had a two state
CPU: the machine was either in
authorized state or it was not.
Much the same happens with Unix
systems. A program can run as root or as
a user.
Multistate Machines 2


Most security holes have always been
caused by bugs.
If designing an access control system to
enhance the IBM PC architecture, there
are a number of choices



7/18/2015
Control access to DOS applications only
Add extra hardware e.g. An encryption
chip in the disk controller
Make the security depend on the
obscurity of certain features in your
design e.g. hide a disk encryption key in
a bad sector
Access Control Matrices
The access control system is
designed to limit access by users
to system resources. Its effect can
often be modeled by an access
control matrix:
File 1 File 2 File 3 File 4
Sam
rwx rwx rw
r
Alice
x
x
rw
0
Bob
x
r
r
r

7/18/2015
Access Control Matrices 2
The Clarke-Wilson security policy limits
access to constrained data items to
authorized transformation procedures
which write an audit trail. File 2 becomes
the TP and File 3 the CDI.
File 1 File 2 File 3 File 4
Sam
rwx rwx rw
r
Alice
x
x
0
0
File 2
x
rw
w
Bob
rx
r
r
r

7/18/2015
SECURITY
Unix
1.





7/18/2015
Mechanisms –
Kernel (system) vs. User
(application)
root (superuser) vs. User (mortal)
Permission flags – ACLs
Groups
Set-user-id (setuid, suid) and
setgid
SECURITY
Unix 2
2.


7/18/2015
Problems
Kernel bloat
Root bloat – much runs as root
when more limited privilege could
be used. Some examples –
* mailers
* lpr/lpd
* sockets
SECURITY
Unix 3

7/18/2015
Unprotected resources – often
programmers avoid root bloat by
simply leaving important shared
data structures and resources
accessible to all users. Examples * ttys/ptys
* mail spool
* utmp
SECURITY
Unix 4
3.

7/18/2015
SUID
Suid programs are very difficult to do
right:
* Run with all the privileges of the
creating user. Suidness is inherited by
sub processes
* Suid programs inherit the environment
from their parent process
* Suid shell scripts
* kernel bugs can allow tracing
SECURITY
Unix 5
* Shared libraries are often loaded
from directories specified by
environment variables
* Argument mangling and
substitution
* Signals can easily be sent by the
caller of a suid program
7/18/2015
The Effect of Viruses


7/18/2015
Vast majority of viruses are to be found
on PCs and MACs.
Viruses can be used to attack multi-level
secure systems –
* The reference monitor can be
corrupted, hence the virus can deliver
the entire system to the attacker.
* If the TCB remains intact then the virus
could still use any available covert
channel to signal information down.
The Effect of Viruses 2
A well designed TCB will protect
against viral attacks, as well as
against careless or malicious
disclosure by users or applications
software.
7/18/2015
Verification and Evaluation
The main evaluation classes are as follows:
 C1 discretionary access control by
groups of users
 C2 discretionary access control by single
users; object reuse; audit
 B1 mandatory access control
 B2 structured protection
 B3 security domains
 A1 verification design
7/18/2015
Steganography
(Hidden Writing)

7/18/2015
A technique to prevent an opponent from
reading your traffic and for him to remain
unaware that there is any traffic at all.
Old examples of this:
* In ancient Greece tattooing on a slaves
head
* invisible ink
* microdot
* low-bandwidth applications
Steganography
(Hidden Writing) 2

7/18/2015
More modern techniques include:
* burst transmission systems
* meteor scatter radio
* spread spectrum radio
* encryption
Tempest

7/18/2015
Tempest attacks involve reconstructing
the screen image (or other useful
information) from the stray radio
frequency emissions from monitors and
other components. Most of the material
on Tempest remains classified, with the
result that most researchers outside the
military have a clear idea of the threat,
and of what countermeasures are
appropriate or even possible.
Clark-Wilson

7/18/2015
The Clark-Wilson model of computer
security seeks to formalise the ideas of
good practice which have accumulated
over centuries in the accountancy
profession. The model can be
summarised as follows: There are
procedures whereby data can be input –
turned from an unconstrained data item
into a constrained data item, or CDI –
and whereby the validity of a CDI can be
checked. Access control is by means of
triples (subject, TP, CDI) which are so
structured that a dual control policy is
enforced.
Malicious Code


1.
7/18/2015
Malicious code is more likely to deny
service than to attempt to breach
confidentiality, e.g. the internet worm
denied Internet service to thousands of
users
A virus will typically have two
components –
a replication mechanism – The
commonest way for a virus to replicate
itself is to append itself to an
executable file and patch itself in.
Malicious Code 2
2.
7/18/2015
Payload – this will usually be activated
by a trigger, such as a date, and then
may do one or more of a number of bad
things:
* make selective or random changes to
the machines protection state
* make selective or random changes to
user data
* lock the network
* steal CPU resources for some
nefarious task
Malicious Code 3


7/18/2015
In the practical world the most
important protective measure is
managerial discipline –
* to review all software loaded
* provide a central reporting point
In the academic world research
centres on making smarter
antivirus products.
Denial of Service

7/18/2015
Viruses and other malicious code
are only one example of a denial of
service attack. Jamming is another,
whether of radar or of missile
telemetry.
Interference and Aggregation

7/18/2015
Security considerations may even
place limits on the quality of
service which we can offer in some
applications. A good example is
the prevention of inference attacks
on statistical database systems.
* The classic example is census
information.
Intrusion Detection



7/18/2015
Sound an alarm whenever a user’s
behaviour departs significantly from the
established norm – the assumption is
that the user’s password or access
control must have been compromised.
Detection systems look at the pattern of
usage of operating commands or specific
actions.
Another example would be for credit card
companies to monitor a customer’s
spending pattern.
Application Level Controls

7/18/2015
The most important application
level security feature is ease of
safe use. This means that systems
should be designed with failsafe
defaults and in the full appreciation
of the various mistakes that people
make.
Application Level Controls 2
Type of Human Behaviour
Extraordinary errors – hard to convince how
they could occur. Stress free
Error
Rate
10-5
Errors in regularly performed simple tasks
with minimum stress
Errors such as pressing the wrong button or
reading the wrong display.
10-4
Errors of omission depending on situation and
memory.
Highly complex task, considerable stress
10-2
Problems involving creative thinking and
7/18/2015
10-3
10-1
1-10-1
Further Reading


7/18/2015
“A short course on Computer
Viruses” – Fred Cohen
“Development Guidelines for
Vehicle Based Software” - Motor
Industry Software Reliability
Association’s booklet
Risk Analysis

7/18/2015
The basic idea is to prioritise
security expenditure, while at the
same time provide a financial case
for senior management. The most
common technique is the
calculation of the annual loss
expectancy, or ALE, for each
possible loss scenario.
Organisational Aspects
of Security


7/18/2015
Most security breaches in the real world
come from blunders. Rather than the skill
of a capable motivated opponent, they
arise from the stupidity of the victim’s
own system designers, developers,
operators, or managers.
An emerging theme is the strong
correlation between quality and security.
Investment in software quality will reduce
the incidence of computer security
problems.
Organisational Aspects
of Security 2



7/18/2015
The most effective quality measure is the
code walk-through.
There are clearly discernable fashions in
computer security –
* 1980’s
– hackers
* late 1980’s
- viruses
* 2000
- firewall
The project leader must build a robust
system which takes into account the
current discernible fashions in computer
security