MT5104
Computer Security
Dieter Gollmann
Microsoft Research
[email protected]
MT5104 - Computer Security Lecture 1
1
Introduction - The plan for today
• Search for a definition of computer security
• Propose fundamental design principles for
computer security
• Give a preview of the course
• Books and further reading
• Questions??
References for this lecture
• Orange Book: US Trusted Computer Systems Evaluation Criteria
• ITSEC: European Information Technology Security Evaluation
Criteria
• CTCPEC: Canadian Trusted Computer Product Evaluation
Criteria
• ISO 7498-2 (International Standard): Basic Reference Model for
Open Systems Interconnection (OSI) Part 2: Security Architecture
• Clark, D.R. and Wilson, D.R., A Comparison of Commercial and
Military Computer Security Policies, Proceedings of the 1987
IEEE Symposium on Security and Privacy, pages 184-194
What is security?
• Prevention: take measures that prevent your
assets from being damaged
• Detection: take measures so that you can
detect when, how, and by whom an asset
has been damaged
• Reaction: take measures so that you can
recover your assets or recover from
damage to your assets
Example 1 - Private Property
• Prevention: locks at doors, window bars,
walls round the property
• Detection: stolen items aren’t there
anymore, burglar alarms, closed circuit TV
• Reaction: call the police, replace stolen
items, make an insurance claim …
• Footnote: Parallels to the physical world can illustrate
aspects of computer security but they are also misleading.
Example 2 - eCommerce
• Prevention: encrypt your orders, rely on the
merchant to perform checks on the caller,
don’t use the Internet (?) …
• Detection: an unauthorized transaction
appears on your credit card statement
• Reaction: complain, ask for a new card
number, etc.
• Footnote: your credit card number has not been stolen.
Computer Security?
• Confidentiality: prevent unauthorised
disclosure of information
• Integrity: prevent unauthorised modification
of information
• Availability: prevent unauthorised withholding of information or resources
• Other aspects: accountability, authenticity
• Definitions taken from ITSEC
Confidentiality
• Historically, security and secrecy were
closely related. Sometimes, security and
confidentiality are used as synonyms
• Prevent unauthorised disclosure of
information (prevent unauthorised reading)
• Privacy: protection of personal data
• Secrecy: protection of data belonging to an
organisation
Integrity
• ITSEC: prevent unauthorised modification of
information (prevent unauthorised writing)
• Clark and Wilson: No user of the system, even if
authorized, may be permitted to modify data items
in such a way that assets or accounting records of
the company are lost or corrupted.
• Orange Book: Data Integrity - The state that exists
when computerized data is the same as that in the
source document and has not been exposed to
accidental or malicious alteration or destruction.
(Integrity synonymous for external consistency.)
Integrity ctd.
• Integrity in communications: detection (and correction) of
modifications of transmitted data, including both
intentional modifications and random transmission errors.
• In the most general sense: make sure that everything is as it
is supposed to be; the data in a computer system should
correctly reflect some reality outside the computer system.
(This is highly desirable but cannot be guaranteed by
mechanisms internal to the computer system.)
• Integrity is a prerequisite for many other security services.
Operating systems security has a lot to do with integrity.
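The distinction made above between random transmission errors and intentional modification is worth seeing in code. The following added example (not from the lecture; the message, key and function names are constructed for illustration) compares an unkeyed checksum (CRC32) with a keyed message authentication code (HMAC-SHA256). Both detect a random bit flip, but only the keyed tag detects an attacker who rewrites the message and recomputes the tag, because recomputing an HMAC requires the key.

```python
"""Integrity in communications: error detection vs. protection against
intentional modification.  Added example, not from the lecture slides.
A CRC detects random transmission errors, but an attacker who alters the
message can simply recompute the CRC.  A keyed MAC (HMAC) cannot be
recomputed without the key, so intentional modification is detected."""
import hashlib
import hmac
import zlib

# Constructed sample message and key (assumptions, not from the slides).
KEY = b"shared-secret-key"
MESSAGE = b"TRANSFER 100 GBP TO ACCOUNT 12345"


def crc_tag(message: bytes) -> int:
    """Unkeyed checksum: detects random bit errors only."""
    return zlib.crc32(message) & 0xFFFFFFFF


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag: detects modification by anyone who lacks the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def crc_verify(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatch
    return hmac.compare_digest(mac_tag(key, message), tag)


def flip_bit(message: bytes, bit: int) -> bytes:
    """Simulate a single random transmission error."""
    data = bytearray(message)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)


def random_error_detected():
    """Returns (crc_caught_it, mac_caught_it) for a random bit flip.
    A CRC catches every single-bit error, so both values are True."""
    tag_c = crc_tag(MESSAGE)
    tag_m = mac_tag(KEY, MESSAGE)
    damaged = flip_bit(MESSAGE, 13)
    return (not crc_verify(damaged, tag_c), not mac_verify(KEY, damaged, tag_m))


def attacker_forgery_detected():
    """Returns (crc_caught_it, mac_caught_it) when an attacker rewrites
    the amount and attaches the best tag it can produce."""
    forged = MESSAGE.replace(b"100", b"900")
    # CRC: no secret involved, the attacker computes a valid tag itself.
    forged_crc = crc_tag(forged)
    # HMAC: the attacker does not hold KEY; reusing the original tag is
    # the best it can do, and the receiver rejects it.
    original_mac = mac_tag(KEY, MESSAGE)
    return (not crc_verify(forged, forged_crc),
            not mac_verify(KEY, forged, original_mac))
```

The checksum is the right tool for the "random transmission error" half of the slide; the keyed tag is needed for the "intentional modification" half, and the key then has to be protected with the same care as the data.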
Availability
• CTCPEC: the property that a product’s services are
accessible when needed and without undue delay
• ISO 7498-2: the property of being accessible and
usable upon demand by an authorised entity
• Denial of Service (DoS): The prevention of
authorised access of resources or the delaying of
time-critical operations
• Availability may be the most important aspect of computer
security, but there are few methods around. Distributed
denial of service attacks have recently become notorious.
Accountability - Authorisation
• Accountability (Orange Book): audit information
must be selectively kept and protected so that
actions affecting security can be traced to the
responsible party
• Users are identified and authenticated to have a
basis for access control decisions.
• The security system keeps an audit log (audit trail)
of security relevant events to detect and
investigate intrusions.
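The Orange Book requirement that audit information be "protected so that actions affecting security can be traced to the responsible party" implies that an intruder must not be able to quietly edit or delete log entries. One way to make a log tamper-evident is to chain records by hash. The following added example (not from the lecture; the record format, the events and the function names are constructed for illustration) shows such a chain and what its verifier reports when an attacker edits one record or deletes another.

```python
"""Accountability: a tamper-evident audit trail.  Added example, not
from the slides.  Each record stores the hash of the previous record, so
editing or deleting an entry after the fact breaks the chain and is
detected when the log is verified.  Record format is an assumption."""
import hashlib
import json

GENESIS = "0" * 64  # hash stored in the first record (assumed convention)


def _record_hash(prev_hash: str, event: dict) -> str:
    payload = prev_hash + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log: list, event: dict) -> None:
    """Append an event; the record carries a hash linking it to its predecessor."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _record_hash(prev, event)})


def verify_log(log: list):
    """Return the index of the first corrupted record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return None


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "result": "success"},
    {"user": "alice", "action": "read", "object": "/payroll/2023.csv"},
    {"user": "mallory", "action": "login", "result": "failure"},
    {"user": "mallory", "action": "login", "result": "success"},
    {"user": "mallory", "action": "write", "object": "/etc/passwd"},
]


def build_sample_log() -> list:
    log = []
    for e in SAMPLE_EVENTS:
        append_event(log, e)
    return log


def tamper_edit(log: list):
    """Attacker rewrites the actor of record 4 to shift blame.
    Returns the index verify_log() flags (4)."""
    log = json.loads(json.dumps(log))  # deep copy; original untouched
    log[4]["event"]["user"] = "alice"
    return verify_log(log)


def tamper_delete(log: list):
    """Attacker deletes the failed-login record (index 2).
    The record that slides into position 2 no longer links to its
    predecessor, so verify_log() flags index 2."""
    log = json.loads(json.dumps(log))
    del log[2]
    return verify_log(log)
```

An attacker who can rewrite the whole file can of course recompute every hash from the edited record onwards; the chain is only evidence if the latest hash is also kept somewhere the attacker cannot reach (write-once media, a remote log host, or a signature), which is the same "layer below" concern raised later in this lecture.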
Reliability - Dependability
• Areas related to security: reliability, safety
similar engineering methods, similar efforts in
standardisation, possible requirement conflicts
• There is an overlap in notation: is security part of
reliability or vice versa?
• Dependability (IFIP WG 10.4): the property of a computer system such that reliance can justifiably be placed on
the service it delivers. The service delivered by a system is
its behaviour as it is perceived by its user(s); a user is
another system (physical, human) which interacts with the
former.
The main conclusion
• There is no single definition of security
• When reading a document, be careful not to
confuse your own notion of security with that
used in the document
• A lot of time is being spent - and wasted - trying to
define an unambiguous notation for security
• Our definition: computer security deals with
the prevention and detection of unauthorised
actions by users of a computer system.
The Fundamental Dilemma of
Computer Security
• Security unaware users have specific
security requirements but no security
expertise.
• Orange Book: Can predefined evaluation
criteria meet specific user requirements?
• ITSEC: How can a security unaware user
assess a specific target of evaluation?
Principles of Computer Security
The Dimensions of Computer Security
[Figure: the dimensions of computer security, spanning user (subject),
application software, resource (object) and hardware]
1st Fundamental Design Decision
Where is the focus of security controls?
• Security controls may focus on
data – operations - users
• For example, integrity can mean following a
given set of rules on
• the format and content of data items (internal consistency)
• the operations that may be performed on a data item
• the users who are allowed to access a data item (authorised
access)
2nd Fundamental Design Decision
Where to place security controls?
applications
services (middleware)
operating system
OS kernel
hardware
The Man-Machine Scale
• Security mechanisms can be visualized as
concentric protection rings, with hardware
mechanisms in the centre and application
mechanisms at the outside
• Mechanisms towards the centre tend to be more
generic while mechanisms at the outside are more
likely to address individual user requirements
• Combining our first two design decisions, we refer
to a man-machine scale for security mechanisms.
The Man-Machine Scale
[Figure: the man-machine scale]
• man oriented end: specific, complex, focus on users
• machine oriented end: generic, simple, focus on data
Data vs Information
• Data are physical phenomena chosen by convention to
represent certain aspects of our conceptual and real world.
The meanings we assign to data are called information.
Data is used to transmit and store information and to derive
new information by manipulating the data according to
formal rules.
• Information and data correspond to the two ends of the
man-machine scale.
• The distinction between data and information is subtle but
it also causes some of the more difficult problems in
computer security.
Data vs Information ctd.
• Controlling access to information can be elusive and may
have to be replaced by controlling access to data
• If there is a close link between information and
corresponding data, the two approaches may give very
similar results. However, this is not always the case.
• Covert channels: response time or memory usage is used to
signal information. (More explanations in a few weeks.)
• Inference in statistical databases: combinations of
statistical queries give information on individual entries.
(More explanations in the course on database security.)
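The inference problem in statistical databases is a concrete case of the gap between controlling access to data and controlling access to information. The following added example (not from the lecture; the table, the rows and the query-set threshold are constructed for illustration) gives a user only aggregate queries and refuses any query whose result set is smaller than three rows, which blocks the direct question. Two permitted aggregates whose sets differ in exactly one row still reveal that row.

```python
"""Inference in a statistical database.  Added example, not from the
slides.  Individual salaries are never returned, only aggregates, and
small query sets are refused, yet two aggregate queries whose selected
sets differ in a single row reveal that row (a 'differencing' attack).
Table, data and threshold are constructed for illustration."""
import sqlite3

# Constructed sample data (not a real payroll).
ROWS = [
    ("alice", "engineering", 52000),
    ("bob", "engineering", 48000),
    ("carol", "engineering", 61000),
    ("dave", "sales", 39000),
    ("erin", "sales", 44000),
    ("frank", "sales", 41000),
]

MIN_SET_SIZE = 3  # assumed policy: refuse aggregates over fewer rows


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return con


def stat_sum(con: sqlite3.Connection, where: str = "1=1"):
    """The only interface the statistical user gets: SUM over a
    predicate, or None if the query set is below MIN_SET_SIZE.
    The predicate is chosen by the user of the statistical interface;
    this illustrates inference, not SQL injection, so it is spliced in
    as-is."""
    n, total = con.execute(
        f"SELECT COUNT(*), SUM(salary) FROM staff WHERE {where}"
    ).fetchone()
    if n < MIN_SET_SIZE:
        return None  # access to the data of a named individual is blocked
    return total


def direct_attack(con: sqlite3.Connection):
    """Ask for one person directly: the set has size 1 and is refused."""
    return stat_sum(con, "name = 'carol'")


def differencing_attack(con: sqlite3.Connection):
    """Both queries pass the size check (6 and 5 rows), but their
    difference is exactly carol's salary: the information leaks even
    though access to her data row was controlled."""
    everyone = stat_sum(con)
    all_but_carol = stat_sum(con, "name <> 'carol'")
    return everyone - all_but_carol
```

Query-set size limits control access to data; the attack recovers information by combining legitimately accessible data. Defences that act on information rather than data (limiting overlap between query sets, adding noise to results) are the subject of the database security course the slide refers to.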
3rd Fundamental Design Decision
complexity vs assurance
• Frequently, the location of a security mechanism on the
man-machine scale is related to its complexity. You find
simple generic mechanisms while applications often
clamour for feature-rich security functions.
• Do you prefer simplicity - and higher assurance
- to a feature-rich security environment?
• The fundamental dilemma: simple generic mechanisms
may not match specific security requirements. To choose
the right features from a rich menu, you have to be a
security expert. Security unaware users are in a no-win
situation.
Example: Security Evaluation
• Security evaluation checks whether a product delivers a
promised security service. We have to state
• the function of the security system
• the required degree of assurance (trust) in its security
• To achieve a high degree of assurance, the security system
has to be examined exhaustively and in close detail.
• There is an obvious trade-off between complexity and
assurance. The higher an assurance level you aim for, the
simpler your system ought to be.
• Feature-rich security and high assurance do not match
easily
4th Fundamental Design Decision
centralised or decentralised controls?
• Within the domain of a security policy, the same controls
should be enforced.
• If a single entity is in charge of security, then it is easy to
achieve uniformity but this central entity may become a
performance bottleneck. A distributed solution may be
more efficient but you have to take added care to guarantee
that different components enforce a consistent policy.
• Should the tasks of defining and enforcing
security be given to a central entity or should they
be left to individual components in a system?
5th Fundamental Design Decision
blocking access to the layer below
• It is now time to think about attackers trying to bypass
protection mechanisms. Every protection mechanism
defines a security perimeter (boundary). The parts of the
system that can disable the mechanism lie within the
perimeter, the parts of the system that can malfunction
without compromising the mechanism lie outside.
• There is an immediate and important corollary to the
second design decision:
• How do you stop an attacker from getting access
to a layer below your protection mechanism?
The Layer Below - Examples
• Recovery tools, like Norton Utilities, restore the data by
reading memory directly and then restoring the file
structure. Such a tool can be used to circumvent logical
access control as it does not care for the logical memory
structure
• Unix treats I/O devices and physical memory devices like
files. If access permissions are defined badly, e.g. if read
access is given to a disk containing read protected files,
then an attacker can read the disk contents and reconstruct
the files.
The Layer Below - more
examples
• Object reuse: in a single processor system, when a new
process becomes active, it gets access to memory positions
used by the previous process. You have to avoid storage
residues, i.e. data left behind in the memory area allocated
to the new process.
• Backup: whoever has access to a backup tape has access to
all the data on it. Logical access control is of no help and
backup tapes have to be locked away safely to protect the
data.
• Core dumps: same story again
Structure of the course
• Theory
• Practice
• Access control structures
• Security models
• Security kernels
• Hardware security features
• Operating system security: case studies
• Middleware security
• Web security
• Vulnerabilities: case studies, malicious software
Books on Computer Security
• D. Gollmann: Computer Security, Wiley & Sons, 1999
• C.P. Pfleeger: Security in Computing, Prentice-Hall, 1997
• J.S. Park: AS/400 Security in a Client/Server Environment,
Wiley & Sons, 1995
• L. Gong: Inside Java 2 Platform Security, Addison Wesley,
1999
• Ernst & Young: Logical Access Control, McGraw-Hill,
1993
• M. Gasser: Building a Secure Computer System. Van
Nostrand Reinhold, 1988
Exercises
• Conduct a survey of security definitions, consult e.g.
http://www.radium.ncsc.mil/tpep/process/faq.html
http://www.itsec.gov.uk
ftp://ftp.cse-cst.gc.ca/pub/criteria/CTCPEC
• Medical records that can be accessed on-line are sensitive
information that should be protected from disclosure, but
in an emergency it is highly desirable that whoever treats
you has access to your record. How would you use
prevention, detection, and recovery to secure your records?
• Identify suitable security perimeters for analyzing personal
computer (PC) security. Consider the room the PC is
placed in, the PC itself, or some security module within the
PC when investigating security perimeters.