Secrets and Lies - University of Southern California inf520/inf519/slides/inf520-  · PDF...


  • Secrets and Lies

    a summary traversal of Bruce Schneier's book

    David Morgan

    Complexity is the worst enemy of security.

    [chart: over time, from earlier to later, complexity increasing while security decreasing]

    Trajectory of our industry

    BECAUSE

    As systems get more complex [they do], they necessarily get less secure.

  • Security of computer systems is a business problem

    a business uncertainty

    cost/benefit

    what does it cost the business (not somebody else) to be secure?

    what does it cost to not be secure?

    which is the better deal?

    treated by risk management

    Standardized practice, regulation, enforcement

    employment workplace

    environment

    air traffic

    building and civil engineering

    food and drug

    accounting

    computer products

    "There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. Today if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you're stuck with the damages." p. 8

  • 3-step to sweeten the security deal

    enforce liabilities

    allow liability transfer among parties

    reduce risk

    Enforce liabilities

    create (negative) incentive to be secure

    prevailing vacuum: no liability, so no incentive, so no security

    enforce liabilities, in proportion, on the parties:

    maker of vulnerable software

    author of attack tool that exploits it

    user of attack tool (attacker)

    sysadmin for victim network

  • Enforce liabilities

    who gets the blame?          why?

    100% sysadmin                available to blame

    0% tool user                 can't catch him

    0% tool author               can't catch him

    0% maker                     liability unenforced

    what if this changes?

    Allow liability transfer among parties

    insurance industry

    assuming liability is their business

    incentivize higher security with lower premiums

  • Provide mechanisms to reduce risk

    automatic by makers, pursuant to incentive

    security standards set, centralized, required by insurance industry

    outsourcing to firms that specialize in security

    THE LANDSCAPE

    what are the issues we need to address

  • Idle claim

    "this software is secure"

    idle because it is incomplete

    does not address the system, only the product

    does not address the threat

    idle because it isn't possible to attest

    security weakness is about what you don't know

    you do not know what you don't know

    therefore you do not know your security weakness

    Windows 10 promotional video

    10-reasons-to-upgrade-to-Windows-10_security.mp4

    secure against what?

  • "most secure ever" probably means

    Windows 10 fixed more security vulnerabilities

    added more security features

    than ever

    It doesn't mean

    that it's the most secure Windows ever

    that Microsoft knows whether it is

    that that's knowable

    security is not black and white

    "We are secure" is naive and simplistic

    secure from whom?

    secure against what?

    security of the system, not the product, counts

    context matters more than technology

    security against the average hacker vs. against the NSA

    what is the size of the fire?

    The landscape: themes

  • Some pre-digital threats

    theft

    embezzlement

    voyeurism

    extortion

    fraud

    snake oil

    impersonation

    Threats in the digital age

    theft

    embezzlement

    voyeurism

    extortion

    fraud

    snake oil

    impersonation

  • Threats in any age

    bad guy has a business model too

    the asset he threatens is worth only so much to him

    useful to the good guy to understand that model

    that way you might influence the bad guy's motive

    (threat components: agent, means, opportunity, motive)

    So what's new with threats?

    automation

    salami attack

    action at a distance

    the world's pickpockets are all in your house

    technique propagation

    first attacker needs skill, others use his software

  • So what's new with threats?

    physical theft

    stolen material gone

    you can no longer use it: the basis of legal injury

    availability and integrity violated

    digital theft

    stolen material still there: no similar injury

    you can still use it

    availability and integrity preserved

  • Attacks

    criminal

    publicity

    legal

    Adversaries classified by

    objectives

    access

    resources

    expertise

    risk

  • Adversaries

    hackers

    lone criminals

    malicious insiders

    industrial espionage

    press

    organized crime

    police

    terrorists

    national intelligence

    infowarriors

    Security needs

    privacy

    multilevel security

    anonymity

    authentication

    integrity

    audit

    electronic currency

    proactive solutions

  • TECHNOLOGIES

    what tools do we have to address the issues

    Tools for offense and defense

    cryptography

    network

    software

    hardware

    etc. - mostly to discuss another day, but: Schneier devotes 12 chapters to Part 2: Technologies

    I want to discuss Computer Security and Software Reliability

  • CIA triad again

    Access control is central

    early on, computer security stressed confidentiality

    because early research was military

    But confidentiality is about access control

    So are integrity and availability

    C, I, A all boil down to access control

    C is about access for reading

    I is about access for writing

    A is about access itself, in general

    goal: authorized people have access to do what's authorized, everyone else does not

  • Need access control?

    first computers: small scale, full trust - no

    became multi-user at scale - yes

    personal computers, single-user - no

    networking: multi-user at scale - yes

    Access subject & object

    subject

    user

    process

    objects

    file

    database record

    device

    memory region

    another process (plug-in)

  • Controlling access

    Control what can be done to objects

    permissions

    e.g. permission mechanisms in particular filesystems (ext, ntfs, or others)

    or

    Control what subjects can do

    capabilities

    e.g. database management systems

    are these different methods, or different perspectives?

    Security models

    multi-level

    formalization of military classification/clearance

    Bell-LaPadula

    no write down, no read up

    mandatory vs. discretionary access controls

    Chinese wall

    Clark-Wilson
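The permission (object-side) and capability (subject-side) views above can be shown as two readings of one access-control matrix. The following is an added example, not code from the slides or from Schneier's book; the subjects, objects and operations in it are constructed sample data, and the function names are my own.

```python
"""Added example (not from the slides): one access-control matrix, read two ways.

Rows are subjects, columns are objects, and each cell holds the permitted
operations.  An ACL is a column of the matrix (kept with the object, like
filesystem permission bits); a capability list is a row (kept with the subject,
like a DBMS grant list).  Both are projections of the same matrix, so a
mediation check gives the same answer whichever view it consults.
"""
from typing import Dict, FrozenSet

# Constructed sample policy: subject -> object -> set of permitted operations.
ACCESS_MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice":  {"payroll.db": frozenset({"read", "write"}),
               "report.txt": frozenset({"read"})},
    "bob":    {"report.txt": frozenset({"read", "write"})},
    "backup": {"payroll.db": frozenset({"read"}),
               "report.txt": frozenset({"read"})},
}


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """Object-centric view (permissions): who may do what to this object."""
    return {subj: ops[obj] for subj, ops in ACCESS_MATRIX.items() if obj in ops}


def capabilities(subject: str) -> Dict[str, FrozenSet[str]]:
    """Subject-centric view (capabilities): what this subject may do, and to what."""
    return dict(ACCESS_MATRIX.get(subject, {}))


def allowed_by_acl(subject: str, op: str, obj: str) -> bool:
    # Unknown subject or object falls through to the empty set: default deny.
    return op in acl(obj).get(subject, frozenset())


def allowed_by_capability(subject: str, op: str, obj: str) -> bool:
    return op in capabilities(subject).get(obj, frozenset())


def mediate(subject: str, op: str, obj: str) -> bool:
    """Reference-monitor style decision.  Both views are derived from the same
    matrix, so they must agree; the assertion documents that invariant."""
    via_acl = allowed_by_acl(subject, op, obj)
    via_cap = allowed_by_capability(subject, op, obj)
    assert via_acl == via_cap, "views of one matrix cannot disagree"
    return via_acl


if __name__ == "__main__":
    print("ACL for report.txt:", acl("report.txt"))
    print("capabilities of bob:", capabilities("bob"))
    for request in [("alice", "write", "payroll.db"),
                    ("bob", "write", "payroll.db"),
                    ("mallory", "read", "report.txt")]:
        print(request, "->", "allow" if mediate(*request) else "deny")
```

The practical difference between the two views is not what is decided but where the information lives: an ACL is easy to review per object ("who can touch this file?") and hard to review per subject, a capability list the reverse; revoking a subject's access is a one-row change in the capability view but a scan of every ACL in the permission view.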

  • Security at low level (hardware/OS)

    reference monitor

    active, explicit mediation of every access

    trusted computing base

    set of components that collectively enforce a security policy

    secure kernel

    (sub)set of components in the trusted computing base that implements the reference monitor specifically

    Multics operating system

    most successful historical implementation

    built with the security model and mathematical formalisms explicitly in mind

    small, 56,000 lines of code

    15 million in Windows 95

    Linux similarly large

    last Multics system deactivated 2000
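To connect the Bell-LaPadula rules (no read up, no write down) with the reference-monitor idea of mediating every access, here is an added example that is not from the slides or from Schneier's book. The labels, levels and compartments are constructed sample data; the class and function names are my own, and the lattice ordering it uses (level plus compartment set) is the standard one for multilevel security.

```python
"""Added example (not from the slides): a toy reference monitor enforcing
Bell-LaPadula on constructed labels.

A label is a level plus a set of compartments.  Label A dominates label B when
A's level is at least B's AND A's compartments include all of B's.  The monitor
sees every request, decides by the two BLP rules, denies anything it cannot
classify, and records each decision so an auditor can review denials later.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed ordering of levels; higher number = more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the security lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self.subjects = subjects   # subject name -> clearance
        self.objects = objects     # object name -> classification
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, op: str, obj: str) -> bool:
        """Mediate one access.  Returns True only if BLP permits it."""
        if subject not in self.subjects or obj not in self.objects:
            ok = False                                   # unlabeled: default deny
        else:
            clearance, classification = self.subjects[subject], self.objects[obj]
            if op == "read":
                ok = clearance.dominates(classification)  # simple security: no read up
            elif op == "write":
                ok = classification.dominates(clearance)  # *-property: no write down
            else:
                ok = False                               # unknown operation: deny
        self.audit.append((subject, op, obj, ok))
        return ok

    def denials(self) -> List[Tuple[str, str, str, bool]]:
        return [entry for entry in self.audit if not entry[3]]


# Constructed sample deployment used by the demo and the checks below.
MONITOR = ReferenceMonitor(
    subjects={"analyst": Label("secret", frozenset({"crypto"})),
              "clerk": Label("confidential")},
    objects={"plan": Label("top secret", frozenset({"crypto"})),
             "memo": Label("confidential"),
             "brief": Label("secret", frozenset({"nuclear"}))},
)

if __name__ == "__main__":
    for req in [("analyst", "read", "plan"), ("analyst", "write", "plan"),
                ("analyst", "read", "memo"), ("analyst", "write", "memo"),
                ("analyst", "read", "brief"), ("nobody", "read", "memo")]:
        print(req, "->", "allow" if MONITOR.check(*req) else "deny")
    print("denied:", MONITOR.denials())
```

Two things the rules alone do not make obvious show up when you run it: a secret-cleared subject may write into a top-secret object it cannot read (BLP permits the "blind write up", which is why real systems usually add an integrity model such as Clark-Wilson or Biba alongside), and a compartment the subject does not hold blocks a read even when the level would allow it.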

  • Covert channels

    communication channel that can transfer information in violation of a system's security policy

    storage channels

    least significant bits of color bytes in an image file

    reserved or user-definable fields in packet headers

    timing channels

    port knocking

    non-covert timing channel: Morse code

    http://funtranslations.com/morse#

    Evaluation criteria

    Orange Book

    hierarchy of security level designations

    D, C1, C2, B1, B2, B3, A

    did not make systems provably secure

    for local, stand-alone computers, not networked ones

    differs from other nations' standards efforts

    Common Criteria

    international standardization effort
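The least-significant-bit storage channel listed above is small enough to show end to end, together with the kind of statistic a reviewer can compute to notice that such a channel is in use. This is an added example, not code from the slides or from Schneier's book: the cover bytes and the message are constructed here (no real image is involved), the function names are my own, and the detector is a simplified form of the pairs-of-values chi-square test, which I name as an assumption rather than anything the slides describe.

```python
"""Added example (not from the slides): an LSB storage channel and a detector.

Writing one message bit into the lowest bit of each cover byte changes no byte
by more than 1, which is why the channel is invisible to a viewer.  It is not
invisible to a histogram: each pair of values (2k, 2k+1) is driven toward equal
counts, so a pairs-of-values chi-square statistic falls when the channel is used.
"""
import struct


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header plus payload into the LSBs, one bit per byte."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # high 7 bits untouched
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the header, then exactly that many payload bytes, from the LSBs."""
    lsbs = [b & 1 for b in stego]

    def read_bytes(start_bit: int, count: int) -> bytes:
        chunk = lsbs[start_bit:start_bit + count * 8]
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2)
                     for i in range(0, len(chunk), 8))

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def pairs_of_values_chi2(data: bytes) -> float:
    """Simplified pairs-of-values statistic (assumed detector, see lead-in).
    For each pair (2k, 2k+1) the expected count under LSB embedding is the pair
    average; the further the real counts sit from it, the larger the value."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    chi2 = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            # both cells of the pair deviate by the same amount, so count it twice
            chi2 += 2 * (hist[2 * k] - expected) ** 2 / expected
    return chi2


def make_cover(n: int) -> bytes:
    """Constructed cover: 13 value pairs, about 80% even values, the kind of
    histogram skew that natural (non-random) image data commonly shows."""
    return bytes(((i * 7) % 13) * 2 + (1 if i % 5 == 0 else 0) for i in range(n))


# Constructed sample channel: the cover is sized so the message fills it.
MESSAGE = b"constructed sample message for the covert channel demo"
COVER = make_cover(8 * (4 + len(MESSAGE)))
STEGO = embed(COVER, MESSAGE)

if __name__ == "__main__":
    print("recovered:", extract(STEGO))
    print("max per-byte change:", max(abs(a - b) for a, b in zip(COVER, STEGO)))
    print("chi2 cover:", round(pairs_of_values_chi2(COVER), 1),
          "chi2 stego:", round(pairs_of_values_chi2(STEGO), 1))
```

The detector only works because the cover has structure that embedding destroys; on a cover whose LSBs were already uniformly random the statistic would be low before and after, which is exactly the limit of this class of covert-channel detection and the reason policy-level controls (restricting which fields and files may cross a boundary at all) are used alongside statistical ones.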

  • Software reliability

    Murphy's computer

    must work in the presence of random faults

    adversaryless