CCM4350
Security Architecture and Engineering
Lecture 2 – Security Design Principles
15.10.2012
Content of Today's Lecture
• Summary and wrap-up on security terminology
• The Fundamental Dilemma of Security
• Five design principles (design decisions) for engineering secure systems
(The lecture follows D. Gollmann, Computer Security, 2nd edition, Wiley 2006, Sections 2.1-2.6)
Last Lecture
• Security can be defined through the CIA properties:
— Confidentiality
— Integrity
— Availability
• Sometimes prevention of security attacks fails.
• Then we need to rely on accountability and non-repudiation.
Accountability and Non-Repudiation
• Accountability: keep an audit trail so that the responsible party can be traced
— Requires identification and authentication
— Security-relevant events are recorded in the audit trail
• Non-repudiation: provide unforgeable evidence for actions
— Non-repudiation of occurrence
— Non-repudiation of delivery
Relationship to Other Areas of Computing: Dependability
• Dependability (according to Laprie) has the attributes:
— Availability (at a point in time)
— Reliability (over a time interval)
— Safety
— Confidentiality
— Integrity
— Maintainability
• Σ CIA = Security: the subset confidentiality, integrity and availability of the dependability attributes is what we call security.
Safety versus Security
• Security always begins at the host.
• Safety: protection of the environment (human lives, economic values) against catastrophic impact of the system
• Security: protection of the computer/network systems against threats
Conclusions on Terminology
• There is no single definition of security.
• When reading a document, be careful not to confuse your own notion of security with the one used in the document.
• A lot of time is spent (and wasted) in trying to define unambiguous notions of security.
Definition: Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
0th Step: Analysis of Goals and Attacker
• Security engineering has two parallel activities:
• Analysis of protection (security) goals
— CIA: specify which goals are important for which user
— Multilateral security: resolve conflicting security requirements between the parties involved
• Attacker model
— There is no protection against an arbitrarily skilled attacker
— Hence quantify the attacker you defend against (e.g. attack trees, misuse cases)
The Fundamental Dilemma of Security
• In the past, only a few organisations (e.g. the DoD) relied on computer security.
• Today, everyone connected to the Internet relies on computer and network security.
Fundamental Dilemma: security-unaware users have specific security requirements but no security expertise.
Principles of Security (Gollmann)
• Horizontal axis: focus of the security policy (data, operations or users)
• Vertical axis: layer of the computer system in which the protection mechanism is placed
Focus of Control: 1st Design Decision
1st Fundamental Design Decision (horizontal): Should the focus of security control be on
— Data,
— Operations, or
— Users?
Example: rules for the integrity of an accounts database
— Data rule: internal consistency of the balance of an account
— Operation rules: which operations may be performed on a data item
— User rules: which users are allowed to access a data item
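The three rule types of the accounts example, as an added illustration written for this edit rather than taken from the lecture: a small reference monitor in which the operation rule, the user rule and the data rule are enforced as three separate checks, so that each kind of violation is caught by the focus of control that owns it. Account names, balances, the ACL and the overdraft limit are constructed sample values.

```python
"""Three foci of control for an accounts database, as a small reference
monitor. Added illustration, not from the lecture; account names, balances,
the ACL and the overdraft limit are constructed sample values."""
from typing import Dict, List, Optional, Set, Tuple

OVERDRAFT_LIMIT = -500  # assumption: the data rule tolerates an overdraft down to -500

# Constructed sample database: account -> balance.
ACCOUNTS: Dict[str, int] = {"acc-1": 1000, "acc-2": 200}

# User-focused rules: (user, operation) -> accounts the user may apply it to.
ACL: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "withdraw"): {"acc-1"},
    ("alice", "deposit"): {"acc-1", "acc-2"},
    ("teller", "transfer"): {"acc-1", "acc-2"},
}

# Operation-focused rule: a balance may only change through these operations;
# there is deliberately no "set_balance".
OPERATIONS = {"deposit", "withdraw", "transfer"}


def user_allowed(user: str, op: str, accounts: List[str]) -> bool:
    """User-focused check: may `user` apply `op` to every account in the list?"""
    permitted = ACL.get((user, op), set())
    return all(a in permitted for a in accounts)


def data_consistent(before: Dict[str, int], after: Dict[str, int], op: str) -> bool:
    """Data-focused check: no balance below the overdraft limit, and a transfer
    must conserve the total amount of money held in the database."""
    if any(b < OVERDRAFT_LIMIT for b in after.values()):
        return False
    if op == "transfer" and sum(before.values()) != sum(after.values()):
        return False
    return True


def apply(user: str, op: str, src: str, amount: int, dst: Optional[str] = None,
          db: Optional[Dict[str, int]] = None) -> Tuple[bool, str]:
    """Reference monitor: enforce the operation, user and data rules in turn.
    Returns (ok, reason) and mutates `db` only when every rule passes."""
    db = ACCOUNTS if db is None else db
    if op not in OPERATIONS:                                     # operation-focused rule
        return False, "operation not permitted"
    if not user_allowed(user, op, [a for a in (src, dst) if a]):  # user-focused rule
        return False, "user not authorised"
    if amount <= 0 or src not in db or (op == "transfer" and dst not in db):
        return False, "malformed request"
    trial = dict(db)                                             # apply tentatively ...
    trial[src] += amount if op == "deposit" else -amount
    if op == "transfer":
        trial[dst] += amount
    if not data_consistent(db, trial, op):                       # ... then check the data rule
        return False, "data rule violated"
    db.update(trial)
    return True, "ok"


if __name__ == "__main__":
    db = dict(ACCOUNTS)
    for req in [("alice", "withdraw", "acc-1", 100, None),
                ("bob", "withdraw", "acc-1", 1, None),
                ("alice", "set_balance", "acc-1", 1, None),
                ("teller", "transfer", "acc-2", 1000, "acc-1")]:
        print(req, "->", apply(*req, db=db))
    print(db)
```

Note the order: the teller is authorised for the transfer and the operation is a permitted one, yet the request is still rejected, because only the data rule knows that acc-2 would end up below the overdraft limit. Each focus of control catches violations the other two cannot see.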
2nd Fundamental Design Decision (vertical): In which layer of the computer system should we place security controls (e.g. application, service, operating system, kernel or hardware)?
The Man-Machine Scale: 3rd Design Decision
• Visualise security mechanisms as concentric protection rings: generic data mechanisms in the centre; mechanisms addressing user requirements on the outside.
• The man-machine scale balances information (the user's view, on the left) against data (the machine's view, on the right).
3rd Fundamental Design Decision
• The location of a security mechanism on the man-machine scale is related to its complexity:
— Right (machine side): generic mechanisms are simple,
— Left (user side): user applications clamour for feature-rich security functions.
• 3rd Design Decision: Do you prefer simplicity, and with it higher assurance, to a feature-rich security environment?
— The two do not match easily.
— High assurance requires adherence to a systematic design process.
— Security adopted formal methods early for the highest assurance levels, e.g. Orange Book class A1, Common Criteria EAL5-7.
4th Design Decision: Central or Distributed Control
• A central entity in charge of security:
— Easy to achieve uniformity...
— But the central entity may become a performance bottleneck.
• A distributed solution:
— May be more efficient...
— But it is difficult to ensure that the policy is enforced consistently.
4th Fundamental Design Decision: Should the tasks of defining and enforcing security be given to a central entity, or should they be left to the individual components of a system?
The Layer Below
• So far we have only explored means to express security policies; what about the attacker?
• The attacker may try to bypass our protection mechanism and reach its "soft underbelly" in the layer below.
• Example: if the attacker gains system privileges in the OS, they can change the control data of the security mechanisms in the service and application layers.
Security Perimeter
• Every protection mechanism defines a security perimeter (boundary):
— The parts of the system that can malfunction without compromising the mechanism lie outside the perimeter.
— The parts of the system that can disable the mechanism lie within the perimeter.
• Note: attacks from insiders, i.e. from within the perimeter, are a major concern in security considerations.
Exercise
• Identify suitable security perimeters for analysing personal computer (PC) security.
— Consider the room the PC is placed in, the PC itself, or a security module within the PC as candidate perimeters.
• Questions you should ask to answer the question above:
1. Physical security: is the PC in a protected room, a room shared with colleagues, or a room in a public place?
2. What are the options for input: keyboard, data carrier (CD, USB stick, floppy), Internet?
3. Can users take the PC home or open it?
5th Design Decision: Blocking Access to the Layer Below
Attackers try to bypass protection mechanisms.
• There is an immediate and important extension to the 2nd design decision:
• 5th Design Decision: How can you prevent an attacker from getting access to a layer below your protection mechanism?
Physical and organisational security measures control access to the layer below.
The Layer Below: Examples
• Recovery tools restore data by reading the storage medium directly and then reconstructing the file structure. Such a tool can be used to circumvent logical access control, as it does not care about the logical file system structure or the permissions recorded in it.
• Unix treats I/O devices and physical memory devices like files. If their access permissions are defined badly, e.g. if read access to a disk device is granted, an attacker can read the raw disk contents and reconstruct read-protected files.
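An added example (not from the lecture) of the check a practitioner would run for the second point: it classifies device nodes by who may read them, so that a world- or group-readable disk or memory device is reported as a way around logical access control on the files above it. Device names follow Linux conventions, the (path, mode) sample pairs are constructed, and scan_dev() runs the same check over a live /dev tree.

```python
"""Audit device nodes whose permissions expose the layer below the file
system. Added example, not from the lecture; the device names are Linux
conventions and the sample (path, mode) pairs below are constructed."""
import os
import stat
from typing import Iterable, List, Optional, Tuple

# Character devices that expose physical or kernel memory (Linux names, assumed).
MEMORY_DEVICES = {"mem", "kmem", "port"}


def exposure(path: str, mode: int) -> Optional[str]:
    """Classify a device node: "world" if anyone can read it, "group" if its
    group can, None otherwise. Every block device is relevant, because raw
    disk access lets a reader reconstruct any file regardless of that file's
    own permissions; among character devices only the memory devices are."""
    if stat.S_ISBLK(mode):
        relevant = True
    elif stat.S_ISCHR(mode):
        relevant = os.path.basename(path) in MEMORY_DEVICES
    else:
        relevant = False      # regular files are guarded by logical access control
    if not relevant:
        return None
    if mode & stat.S_IROTH:
        return "world"
    if mode & stat.S_IRGRP:
        return "group"
    return None


def audit(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Return (path, exposure) for every entry readable beyond its owner."""
    findings = []
    for path, mode in entries:
        level = exposure(path, mode)
        if level:
            findings.append((path, level))
    return findings


def scan_dev(root: str = "/dev") -> List[Tuple[str, str]]:
    """Walk a live /dev tree and audit what os.lstat reports."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return audit(entries)


# Constructed sample, shaped like os.lstat().st_mode values.
SAMPLE = [
    ("/dev/sda", stat.S_IFBLK | 0o660),     # root:disk, the usual default
    ("/dev/sdb", stat.S_IFBLK | 0o644),     # world-readable disk: finding
    ("/dev/mem", stat.S_IFCHR | 0o640),     # group may read physical memory
    ("/dev/null", stat.S_IFCHR | 0o666),    # harmless, expected to be open
    ("/etc/shadow", stat.S_IFREG | 0o640),  # a regular file: out of scope here
]

if __name__ == "__main__":
    for path, level in audit(SAMPLE):
        print(f"{level:5s} readable: {path}")
```

A "world" finding means any local user can bypass file permissions on that disk by reading the device (e.g. with dd or a forensic tool); a "group" finding is a review item, since membership of the disk or kmem group is effectively equivalent to root and should be treated as such.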
More Examples: The Layer Below
• Object reuse: in single-processor systems, when a new process is activated it gets access to memory locations used by the previous process.
— Avoid storage residues, i.e. data left behind in the memory area allocated to the new process.
• Backup: whoever has access to a backup tape has access to all the data on it.
— Logical access control is of no help here; backup tapes have to be locked away safely (or encrypted) to protect the data.
• Core dumps: the same story again; if the internal state contains sensitive information, such as keys, it can be read from the core dump. An attacker can intentionally crash the system to obtain one.
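For the object-reuse and core-dump points above, an added example (not from the lecture) of the process-level mitigations: disable core files with RLIMIT_CORE, clear the Linux dumpable flag with prctl(2) so that neither a core dump nor a ptrace from another process of the same user can expose the memory, and zero a key buffer before releasing it so the memory area carries no residue for the next allocation or process. The prctl constants are taken from <linux/prctl.h>; the key and message are constructed.

```python
"""Keep secrets out of core dumps and out of storage residues. Added example,
not from the lecture; it assumes a POSIX system for RLIMIT_CORE and Linux for
prctl(2), whose constants are taken from <linux/prctl.h>."""
import ctypes
import hashlib
import resource
import sys

PR_GET_DUMPABLE = 3   # <linux/prctl.h>
PR_SET_DUMPABLE = 4


def disable_core_dumps() -> bool:
    """Set the core-file size limit to 0 (soft and hard) so that a crash,
    accidental or induced by an attacker, leaves no memory image on disk.
    Returns True if the limit is now (0, 0)."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return resource.getrlimit(resource.RLIMIT_CORE) == (0, 0)


def _libc() -> ctypes.CDLL:
    return ctypes.CDLL(None, use_errno=True)


def mark_undumpable() -> bool:
    """Linux: clear the dumpable flag, so no core dump is written even if the
    limit is raised elsewhere, and other processes of the same user cannot
    ptrace this one. Returns False on other platforms."""
    if not sys.platform.startswith("linux"):
        return False
    return _libc().prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0


def is_dumpable() -> int:
    """Linux: current value of the dumpable flag (0 = not dumpable); -1 elsewhere."""
    if not sys.platform.startswith("linux"):
        return -1
    return _libc().prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)


def wipe(buf: bytearray) -> None:
    """Overwrite a secret in place before the buffer is released, so the memory
    area carries no residue when it is reused. Secrets must live in a bytearray:
    immutable bytes/str objects cannot be zeroed and get copied freely."""
    for i in range(len(buf)):
        buf[i] = 0


def use_key(key: bytearray, message: bytes) -> bytes:
    """Illustrative consumer: hash key || message, then wipe the key. The
    bytearray is fed to hashlib via the buffer protocol, so no immutable copy
    of the key is created along the way."""
    try:
        h = hashlib.sha256()
        h.update(key)
        h.update(message)
        return h.digest()
    finally:
        wipe(key)


if __name__ == "__main__":
    print("core dumps disabled:", disable_core_dumps())
    print("undumpable:", mark_undumpable(), "flag:", is_dumpable())
    key = bytearray(b"constructed-sample-key-32-bytes!")   # constructed key
    print(use_key(key, b"hello").hex())
    print("key after use:", bytes(key))
```

Both limits are set to 0 because a soft limit alone can be raised again by the process itself; once the hard limit is 0 it cannot be raised without privilege. Zeroing covers only the buffer you control: copies made by the interpreter or by other libraries are still residues, which is why secrets should be handled as bytearray from the moment they enter the process.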
Summary
• Security terminology is ambiguous, with many overloaded terms.
• Fundamental Dilemma:
— Too many security-unaware users, because of the Internet
— They cannot understand security evaluations (Orange Book etc.)
• The resolution of this Fundamental Dilemma is currently the most pressing challenge in computer security.
• The five design decisions help to define the security policy and the security perimeter. Do they also help to address the dilemma?
Outlook: Aspects of Network Security
• Distributed systems: computers connected by networks
• Communications (network) security: addresses the security of the communication links (e.g. firewalls)
• Computer security: addresses the security of the end systems; today, this is the difficult part
• Application security: relies on both to provide services securely to end users
• Security management: how to deploy security technologies