CCM4350
Security Architecture and Engineering
Lecture 2 – Security Design Principles
15.10.2012
Content of Today’s Lecture
• Summary and wrap-up on security terminology
• The Fundamental Dilemma of Security
• Five design principles for engineering secure systems
(Lecture follows D. Gollmann, Computer Security, Sections 2.1-2.6, 2nd edition, Wiley 2006)
Last Lecture
• Security can be defined as (CIA)
Confidentiality
Integrity
Availability
• Sometimes prevention of security attacks fails
• Then we need to rely on accountability and non-repudiation.
Accountability and Non-Repudiation
• Accountability:
Keep an audit trail to trace the responsible party
— Necessitates identification and authentication
— Record security-relevant events in an audit log
• Non-repudiation:
Provide unforgeable evidence for actions
— Non-repudiation of occurrence, and
— Non-repudiation of delivery
Relationship to other areas of computing
Dependability
• Dependability (according to Laprie) has six attributes:
Availability (readiness for correct service at a point in time)
Reliability (continuity of correct service over a time interval)
Safety
Confidentiality
Integrity
Maintainability
Confidentiality + Integrity + Availability (Σ CIA) = Security
Safety versus Security
• Security always begins at the host
• Safety: protection against catastrophic consequences for the environment (protect human lives and economic values)
• Security: protect the computer/network systems against threats
[Figure: Safety and Security]
Conclusions on Terminology
• There is no single definition of security
• When reading a document, be careful not to confuse your own notion of security with that used in the document
• A lot of time is spent (and wasted) in trying to define unambiguous notions of security
Definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
0th Step: Analysis of Goals and Attacker
• Security engineering has two parallel activities
• Analysis of protection (security) goals
— CIA: specify which ones are important for which user
— Multilateral security: resolve security conflicts between the parties involved
• Attacker model
— There is no protection against an arbitrarily skilful attacker
— Hence quantify the attacker (e.g. attack trees, misuse cases)
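Quantifying the attacker with an attack tree, as an added example (not part of the lecture slides): each leaf carries an estimated attacker cost, an OR node costs as much as its cheapest child, an AND node as much as all its children together. The tree, the leaf costs and the attacker budget are constructed for illustration; the "raw disk" and "backup tape" branches anticipate the layer-below examples later in the lecture.

```python
from dataclasses import dataclass, field
from typing import List

# Added example, not from the lecture: a minimal attack-tree evaluator used to
# "quantify the attacker". Leaf costs are constructed, in arbitrary units.
# OR node: the attacker picks the cheapest child. AND node: every child is needed.


@dataclass
class Node:
    name: str
    kind: str = "leaf"                    # "leaf", "and" or "or"
    cost: float = 0.0                     # estimated attacker cost (leaves only)
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """Cheapest cost for the attacker to achieve this node's goal."""
    if node.kind == "leaf":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    if node.kind == "or":
        return min(costs)
    if node.kind == "and":
        return sum(costs)
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_path(node: Node) -> List[str]:
    """Leaf steps of the cheapest attack (the path a defender should cut first)."""
    if node.kind == "leaf":
        return [node.name]
    if node.kind == "or":
        return cheapest_path(min(node.children, key=min_cost))
    steps: List[str] = []
    for c in node.children:
        steps.extend(cheapest_path(c))
    return steps


def feasible(node: Node, attacker_budget: float) -> bool:
    """Does the attacker model (a budget) cover the cheapest attack?"""
    return min_cost(node) <= attacker_budget


def with_leaf_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf re-costed: models adding a countermeasure."""
    if node.kind == "leaf":
        return Node(node.name, "leaf", new_cost if node.name == leaf_name else node.cost)
    return Node(node.name, node.kind,
                children=[with_leaf_cost(c, leaf_name, new_cost) for c in node.children])


def build_example_tree() -> Node:
    # Constructed tree for the goal "read a customer's account record".
    return Node("read account record", "or", children=[
        Node("guess clerk password", "leaf", 50),
        Node("read raw disk below the file system", "and", children=[
            Node("obtain a shell on the host", "leaf", 200),
            Node("find a world-readable disk device", "leaf", 5),
        ]),
        Node("steal backup tape", "and", children=[
            Node("enter the tape store", "leaf", 300),
            Node("decode the tape format", "leaf", 20),
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print(min_cost(tree), cheapest_path(tree))            # 50 ['guess clerk password']
    # Countermeasure: lockout plus strong passwords makes guessing expensive.
    hardened = with_leaf_cost(tree, "guess clerk password", 1000)
    print(min_cost(hardened), cheapest_path(hardened))    # 205, the raw-disk path
```

The point of re-costing a leaf is that the tree tells you where the attacker goes next: once password guessing is expensive, the cheapest route is the one that bypasses the file system entirely, which is exactly the layer-below problem the rest of the lecture is about.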
The Fundamental Dilemma of Security
• In the past, only a few organisations (e.g. the DoD) relied on computer security
• Today, everyone connected to the Internet relies on computer and network security
Fundamental Dilemma: security-unaware users have specific security requirements but no security expertise.
Principles of Security (Gollmann)
• Horizontal axis: focus of the security policy
• Vertical axis: layer of the computer system in which to place the protection mechanism
Focus of Control: 1st Design Decision
1st Fundamental Design Decision (horizontal): should the focus of security control be on
— Data,
— Operations, or
— Users?
Example: rules for the integrity of an accounts database
— Data rule: internal consistency of the balance of an account
— Operation rules: which operations may be performed on a data item
— User rules: which users are allowed to access a data item
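The three foci side by side in one toy accounts database, as an added example (not from the lecture or from Gollmann): a data-focused invariant over balances and ledger, an operation-focused rule that makes deposit/withdraw/transfer the only way to change a balance, and a user-focused role check in front of each operation. The roles, the overdraft limit and the ledger layout are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Added example, not from the lecture: integrity rules for an accounts database
# placed at the three possible foci of control.
#   data rule      -> an invariant over the stored balances and the ledger
#   operation rule -> balances change only through deposit/withdraw/transfer
#   user rule      -> each operation first checks the caller's role
# Roles, limits and the ledger format are assumptions made for this example.


class PolicyViolation(Exception):
    pass


# User-focused rules: who may invoke which operation (assumed roles).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller":  {"deposit", "withdraw", "read"},
    "manager": {"deposit", "withdraw", "transfer", "read"},
    "auditor": {"read"},
}


@dataclass
class AccountsDB:
    overdraft_limit: int = 0
    balances: Dict[str, int] = field(default_factory=dict)
    # Audit trail of (user, operation, account, amount): supports accountability.
    ledger: List[Tuple[str, str, str, int]] = field(default_factory=list)

    # --- data-focused rule ---------------------------------------------------
    def _check_data_rules(self) -> None:
        for acct, bal in self.balances.items():
            if bal < -self.overdraft_limit:
                raise PolicyViolation(f"{acct} would exceed its overdraft limit")
        # Internal consistency: the ledger must explain every unit of balance.
        if sum(entry[3] for entry in self.ledger) != sum(self.balances.values()):
            raise PolicyViolation("ledger and balances are inconsistent")

    # --- user-focused rule ---------------------------------------------------
    def _authorise(self, user: str, role: str, op: str) -> None:
        if op not in ROLE_PERMISSIONS.get(role, set()):
            raise PolicyViolation(f"{user} ({role}) is not allowed to {op}")

    # --- operation-focused rule ---------------------------------------------
    def _apply(self, user: str, op: str, entries: List[Tuple[str, int]]) -> None:
        """The only code path that mutates balances. It re-checks the data rule
        afterwards and rolls the whole operation back on failure."""
        snapshot = dict(self.balances)
        ledger_len = len(self.ledger)
        for acct, amount in entries:
            self.balances[acct] = self.balances.get(acct, 0) + amount
            self.ledger.append((user, op, acct, amount))
        try:
            self._check_data_rules()
        except PolicyViolation:
            self.balances = snapshot
            del self.ledger[ledger_len:]
            raise

    def deposit(self, user: str, role: str, acct: str, amount: int) -> None:
        self._authorise(user, role, "deposit")
        if amount <= 0:
            raise PolicyViolation("amount must be positive")
        self._apply(user, "deposit", [(acct, amount)])

    def withdraw(self, user: str, role: str, acct: str, amount: int) -> None:
        self._authorise(user, role, "withdraw")
        if amount <= 0:
            raise PolicyViolation("amount must be positive")
        self._apply(user, "withdraw", [(acct, -amount)])

    def transfer(self, user: str, role: str, src: str, dst: str, amount: int) -> None:
        self._authorise(user, role, "transfer")
        if amount <= 0 or src == dst:
            raise PolicyViolation("invalid transfer")
        self._apply(user, "transfer", [(src, -amount), (dst, amount)])

    def read(self, user: str, role: str, acct: str) -> int:
        self._authorise(user, role, "read")
        return self.balances.get(acct, 0)


def violates(fn: Callable, *args) -> bool:
    """True if calling fn(*args) is rejected by one of the rules."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    db = AccountsDB()
    db.deposit("alice", "teller", "A1", 100)
    print(violates(db.withdraw, "alice", "teller", "A1", 150))        # True: data rule
    print(violates(db.transfer, "alice", "teller", "A1", "A2", 10))   # True: user rule
    db.transfer("bob", "manager", "A1", "A2", 40)
    print(db.read("carol", "auditor", "A1"), db.read("carol", "auditor", "A2"))  # 60 40
```

Note which rule catches what: the overdraft is caught by the data rule after the operation has been tried, the teller's transfer by the user rule before anything is touched, and in both cases the balances and the ledger are left as they were, which is what makes the audit trail usable for accountability later.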
2nd Fundamental Design Decision (vertical):
In which layer of the computer system should we place security controls?
The Man-Machine Scale: 3rd Design Decision
• Visualise security mechanisms as concentric protection rings: generic data mechanisms in the centre; mechanisms addressing user requirements on the outside.
The Man-Machine Scale
• The scale balances information (the human end) against data (the machine end)
3rd Fundamental Design Decision
• The location of a security mechanism on the man-machine scale is related to its complexity.
— Right (machine end): generic mechanisms are simple
— Left (human end): user applications clamour for feature-rich security functions
• 3rd Design Decision: do you prefer simplicity, and with it higher assurance, to a feature-rich security environment?
— The two do not match easily
— High assurance requires adherence to a systematic design process
— Security adopted formal methods early for the highest assurance levels, e.g. Orange Book (A1) and Common Criteria (EAL5-7)
4th Design Decision: Central or Distributed Control
• Central entity in charge of security:
— Easy to achieve uniformity...
— But the central entity may become a performance bottleneck
• Distributed solution:
— May be more efficient...
— But difficult to ensure that the policy is enforced consistently
4th Design Decision: should the tasks of defining and enforcing security be given to a central entity, or should they be left to the individual components of the system?
The Layer Below
• So far we have only explored means to express security policies; but what about the attacker?
• The attacker may try to bypass our protection mechanism by attacking the layer below it, its "soft underbelly".
• Example: if an attacker gains system privileges in the OS, he can change the control data of the security mechanisms in the services and application layers.
Security Perimeter
• Every protection mechanism defines a security perimeter (boundary).
— The parts of the system that can malfunction without compromising the mechanism lie outside the perimeter.
— The parts of the system that can disable the mechanism lie within the perimeter.
• Note: attacks from insiders, i.e. from within the perimeter, are a major concern in security considerations.
Exercise
• Identify suitable security perimeters for analysing personal computer (PC) security.
— Consider the room the PC is placed in, the PC itself, or some security module within the PC as candidate perimeters.
• Questions you should ask to answer the question above:
1. Physical security: is the PC in a protected room, a room shared with colleagues, or a room in a public place?
2. What are the options for input? Keyboard, data carrier (CD, USB stick, floppy), Internet?
3. Can users take the PC home or open it?
5th Design Decision: Blocking Access to the Layer Below
Attackers try to bypass protection mechanisms.
• There is an immediate and important extension to the 2nd design decision:
• 5th Design Decision: how can you prevent an attacker from getting access to a layer below your protection mechanism?
Physical and Organisational Security Measures Control Access to the Layer Below
The Layer Below – Examples
• Recovery tools restore data by reading the storage medium directly and then rebuilding the file structure. Such a tool can be used to circumvent logical access control, since it ignores the logical file structure on which that access control is defined.
• Unix treats I/O devices and physical memory like files. If their access permissions are defined badly, e.g. if read access to a disk device is given to all users, an attacker can read the raw disk contents and reconstruct read-protected files.
More Examples – The Layer Below
• Object reuse: in single-processor systems, when a new process is activated it gets access to memory locations used by the previous process.
— Avoid storage residues, i.e. data left behind in the memory area allocated to the new process.
• Backup: whoever has access to a backup tape has access to all the data on it.
— Logical access control is of no help here; backup tapes have to be locked away safely to protect the data.
• Core dumps: the same story again; if the internal state contains sensitive information, such as keys, it can be read from the core dump. An attacker may crash the system deliberately to obtain one.
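Two of these layer-below paths can be checked and closed from a normal user account on a Unix host, shown here as an added example (not from the lecture): the device-file case from the previous slide, where a readable disk device node exposes the raw disk regardless of file permissions, and the core-dump case, where the fix is to forbid the process from writing a core file at all. The list of sensitive character device names is an assumption (Linux names); the st_mode values fed to the classifier in the demo are constructed. Object reuse is not shown because storage residues sit below the Python runtime.

```python
import os
import resource
import stat
from typing import List, Tuple

# Added example, not from the lecture: two checks that close paths into the
# "layer below" on a Unix host.
#  1. Device nodes: a block device readable by other users lets them read the
#     raw disk and rebuild files whatever the file permissions say. A few
#     character devices (physical memory) are just as sensitive; most others
#     (/dev/null, /dev/urandom, ttys) are world-readable by design and ignored.
#  2. Core dumps: a process holding keys should never write them to a core file.

# Assumption: Linux names for the physical-memory character devices.
SENSITIVE_CHAR_DEVICES = {"mem", "kmem", "port"}


def classify_device(mode: int, name: str = "") -> str:
    """Classify a directory entry from its st_mode bits.

    Returns "ignored" (not a device of interest), "ok", "group-readable"
    or "world-readable"."""
    if stat.S_ISBLK(mode) or (stat.S_ISCHR(mode) and name in SENSITIVE_CHAR_DEVICES):
        if mode & stat.S_IROTH:
            return "world-readable"
        if mode & stat.S_IRGRP:
            return "group-readable"
        return "ok"
    return "ignored"


def scan_devices(dev_dir: str = "/dev") -> List[Tuple[str, str]]:
    """Walk dev_dir and report device nodes that users other than the owner can read."""
    findings = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks in /dev
            except OSError:
                continue
            verdict = classify_device(st.st_mode, name)
            if verdict in ("group-readable", "world-readable"):
                findings.append((path, verdict))
    return findings


def disable_core_dumps() -> Tuple[int, int]:
    """Set the core-file size limit of this process (and its children) to 0.

    Lowering the hard limit needs no privilege and cannot be undone by the
    process, so a later crash leaves no memory image with keys in it."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return resource.getrlimit(resource.RLIMIT_CORE)


def mode_bits(kind: str, perm: int) -> int:
    """Build st_mode bits for a constructed case: kind is "block", "char" or "regular"."""
    file_type = {"block": stat.S_IFBLK, "char": stat.S_IFCHR, "regular": stat.S_IFREG}[kind]
    return file_type | perm


if __name__ == "__main__":
    # Constructed mode bits for the situation the lecture describes:
    # a disk device that everybody may read.
    print(classify_device(mode_bits("block", 0o644)))          # world-readable
    print(classify_device(mode_bits("block", 0o660)))          # group-readable
    print(classify_device(mode_bits("char", 0o666), "null"))   # ignored (by design)
    for path, verdict in scan_devices():
        print(verdict, path)
    print(disable_core_dumps())                                # (0, 0)
```

A group-readable disk is usually deliberate (a `disk` group) and is reported so that the membership of that group can be reviewed; world-readable is the case the slide warns about. Setting `RLIMIT_CORE` to zero only covers core files; it says nothing about the other layer-below copies of the same state, such as swap or a backup of the machine.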
Summary
• Security terminology is ambiguous, with many overloaded terms.
• Fundamental Dilemma:
— Too many security-unaware users, because of the Internet
— They cannot understand security evaluations (Orange Book etc.)
• The resolution of this Fundamental Dilemma is currently the most pressing challenge in computer security.
• Five design decisions help to define the security policy and the security perimeter, and to address the dilemma?
Outlook: Aspects of Network Security
• Distributed systems: computers connected by networks
• Communications (network) security: addresses the security of the communication links
• Computer security: addresses the security of the end systems; today, this is the difficult part
• Application security: relies on both to provide services securely to end users
• Security management: how to deploy security technologies
[Figure: network diagram with a firewall]