CSCE 548 Building Secure Software Basic Security Concepts

1
CSCE 548 Building Secure SoftwareBasic
Security Concepts
2
Security Objectives

• Confidentiality prevent/detect/deter improper
  disclosure of information
• Integrity prevent/detect/deter improper
  modification of information
• Availability prevent/detect/deter improper
  denial of access to services

3
Military Example

• Confidentiality target coordinates of a missile
  should not be improperly disclosed
• Integrity target coordinates of missile should
  be correct
• Availability missile should fire when proper
  command is issued

4
Commercial Example

• Confidentiality patients medical information
  should not be improperly disclosed
• Integrity patients medical information should
  be correct
• Availability patients medical information can
  be accessed when needed for treatment

5
Fourth Objective

• Securing computing resources prevent/detect/deter
  improper use of computing resources
• Hardware
• Software
• Data
• Network

6
Information Assurance

• Prevention
• Detection
• Tolerance/response

7
Achieving Security

• Policy
• What to protect?
• Mechanism
• How to protect?
• Assurance
• How good is the protection?

8
Security Policy
Organizational Policy
Computerized Information System Policy
9
Security Tradeoffs
Security
Functionality
COST
Ease of Use
10
Threat, Vulnerability, Risk

• Threat potential occurrence that can have an
  undesired effect on the system
• Vulnerability characteristics of the system that
  makes is possible for a threat to potentially
  occur
• Attack action of malicious intruder that
  exploits vulnerabilities of the system to cause a
  threat to occur
• Risk measure of the possibility of security
  breaches and severity of the damage

11
Types of Threats

• Errors of users
• Natural/man-made/machine disasters
• Dishonest insider
• Disgruntled insider
• Outsiders

12
Types of Attack

• Interruption an asset is destroyed, unavailable
  or unusable (availability)
• Interception unauthorized party gains access to
  an asset (confidentiality)
• Modification unauthorized party tampers with
  asset (integrity)
• Fabrication unauthorized party inserts
  counterfeit object into the system (authenticity)
• Denial person denies taking an action
  (authenticity)

13
Computer Crime

• Any crime that involves computers or aided by the
  use of computers
• U.S. Federal Bureau of Investigation reports
  uniform crime statistics

14
Computer Criminals

• Amateurs regular users, who exploit the
  vulnerabilities of the computer system
• Motivation easy access to vulnerable resources
• Crackers attempt to access computing facilities
  for which they do not have the authorization
• Motivation enjoy challenge, curiosity
• Career criminals professionals who understand
  the computer system and its vulnerabilities
• Motivation personal gain (e.g., financial)

15
Methods of Defense

• Prevent block attack
• Deter make the attack harder
• Deflect make other targets more attractive
• Detect identify misuse
• Tolerate function under attack
• Recover restore to correct state
• Documentation and reporting

16
Information Security Planning

• Organization Analysis
• Risk management
• Mitigation approaches and their costs
• Security policy and procedures
• Implementation and testing
• Security training and awareness

17
Prevention
18
IdentificationAuthentication
19
Authentication

• Allows an entity (a user or a system) to prove
  its identity to another entity
• Typically, the entity whose identity is verified
  reveals knowledge of some secret S to the
  verifier
• Strong authentication the entity reveals
  knowledge of S to the verifier without revealing
  S to the verifier

20
Authentication Information
Must be securely maintained by the system.
21
Elements of Authentication

• Person/group/code/system to be authenticated
• Distinguishing characteristic differentiates the
  entities to be authenticated
• Proprietor/system owner/administrator
  responsible for the system
• Authentication mechanism verify the
  distinguishing characteristic
• Access control mechanism grant privileges upon
  successful authentication

22
Authentication Requirements

• Network must ensure
• Data exchange is established with addressed peer
  entity not with an entity that masquerades or
  replays previous messages
• Network must ensure data source is the one
  claimed
• Authentication generally follows identification
• Establish validity of claimed identity
• Provide protection against fraudulent transactions

23
User Authentication

• What the user knows
• Password, personal information
• What the user possesses
• Physical key, ticket, passport, token, smart card
• What the user is (biometrics)
• Fingerprints, voiceprint, signature dynamics

24
Passwords

• Commonly used method
• For each user, system stores (user name,
  F(password)), where F is some transformation
  (e.g., one-way hash) in a password file
• F(password) is easy to compute
• From F(password), password is difficult to
  compute
• Password is not stored in the system
• When user enters the password, system computes
  F(password) match provides proof of identity

25
Vulnerabilities of Passwords

• Inherent vulnerabilities
• Easy to guess or snoop
• No control on sharing
• Practical vulnerabilities
• Visible if unencrypted in distributed and network
  environment
• Susceptible for replay attacks if encrypted
  naively
• Password advantage
• Easy to modify compromised password.

26
Attacks on Password

• Guessing attack/dictionary attack
• Social Engineering
• Sniffing
• Trojan login
• Van Eck sniffing

27
Time Synchronized
Secret key
Time
DES
One Time Password
28
Challenge Response

• Non-repeating challenges from the host is used
• The device requires a keypad

Network
Work station
Host
User ID
Challenge
Response
29
Devices with Personal Identification Number (PIN)

• Devices are subject to theft, some devices
  require PIN (something the user knows)
• PIN is used by the device to authenticate the
  user
• Problems with challenge/response schemes
• Key database is extremely sensitive
• This can be avoided if public key algorithms are
  used

30
Smart Cards

• Portable devices with a CPU, I/O ports, and some
  nonvolatile memory
• Can carry out computation required by public key
  algorithms and transmit directly to the host
• Some use biometrics data about the user instead
  of the PIN

31
Biometrics

• Fingerprint
• Retina scan
• Voice pattern
• Signature
• Typing style

32
Access Control
33
Access Control

• Protection objects system resources for which
  protection is desirable
• Memory, file, directory, hardware resource,
  software resources, etc.
• Subjects active entities requesting accesses to
  resources
• User, owner, program, etc.
• Access mode type of access
• Read, write, execute

34
Access Control Requirement

• Cannot be bypassed
• Enforce least-privilege and need-to-know
  restrictions
• Enforce organizational policy

35
Access Control

• Access control ensures that all direct accesses
  to object are authorized
• Protects against accidental and malicious threats
  by regulating the reading, writing and execution
  of data and programs
• Need
• Proper user identification and authentication
• Information specifying the access rights is
  protected form modification

36
Access Control

• Access control components
• Access control policy specifies the authorized
  accesses of a system
• Access control mechanism implements and enforces
  the policy
• Separation of components allows to
• Define access requirements independently from
  implementation
• Compare different policies
• Implement mechanisms that can enforce a wide
  range of policies

37
Closed v.s. Open Systems
Closed system
Open System
(minimum privilege)
(maximum privilege)
Access requ.
Access requ.
Allowed accesses
Disallowed accesses
Exists Rule?
Exists Rule?
yes
no
yes
no
Access denied
Access permitted
Access permitted
Access denied
38
Authorization Management

• Who can grant and revoke access rights?
• Centralized administration security officer
• Decentralized administration locally autonomous
  systems
• Hierarchical decentralization security officer gt
  departmental system administrator gt Windows NT
  administrator
• Ownership based owner of data may grant access
  to other to his/her data (possibly with grant
  option)
• Cooperative authorization predefined groups of
  users or predefined number of users may access
  data

39
Access Control Models
All accesses
Discretionary AC
Mandatory AC
Role-Based AC
40
Indirect Accesses
41
Indirect Information Flow Channels

• Covert channels
• Inference channels

42
Communication Channels

• Overt Channel designed into a system and
  documented in the user's manual
• Covert Channel not documented. Covert channels
  may be deliberately inserted into a system, but
  most such channels are accidents of the system
  design.

43
Covert Channel

• Need
• Two active participants
• Encoding schema
• Example sender modulates the CPU utilization
  level with the data stream to be transmitted
• Sender
• repeat get a bit to send
• if the bit is 1 wait one second (don't use CPU
  time)
• else busy wait one second (use CPU time)
• endif
• until done

44
Inference Channels
Non-sensitive information
Sensitive Information

Meta-data

45
Inference Channels

• Statistical Database Inferences
• General Purpose Database Inferences

46
Firewalls
47
Traffic Control Firewall

• Brick wall placed between apartments to prevent
  the spread of fire from one apartment to the next
• Single, narrow checkpoint placed between two or
  more networks where security and audit can be
  imposed on traffic which passes through it

48
Firewall
Private Network
security wall between private (protected) network
and outside word
Firewall
External Network
49
Firewall Objectives

• Keep intruders, malicious code and unwanted
  traffic or information out
• Keep proprietary and sensitive information in

Proprietary data
External attacks
50
Without firewalls, nodes

• Are exposed to insecure services
• Are exposed to probes and attacks from outside
• Can be defenseless against new attacks
• Network security totally relies on host security
  and all hosts must communicate to achieve high
  level of security almost impossible

51

• Cryptography
• - Secret-Key Encryption
• - Public-Key Encryption
• - Cryptographic Protocols

52
Insecure communications
Confidential
53
Encryption and Decryption
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
54
Breakable versus Practically breakable

• Unconditionally secure impossible to
  decrypt. No amount of ciphertext will enable a
  cryptanalyst to obtain the plaintext
• Computationally secure an algorithm that is not
  breakable in practice based on worst case
  scenario
• Breakable all algorithms (except one-time pad)
  are theoretically breakable

55
Conventional (Secret Key) Cryptosystem
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
K
CE(K,M) MD(K,C)
K needs secure channel
56
Public Key Cryptosystem
Recipients public Key (Kpub)
Recipients private Key (Kpriv)
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
CE(Kpub,M) MD(Kpriv,C)
Kpub needs reliable channel
57
Hash Functions

• Hash function h maps an input x of arbitrary
  length to a fixed length output h(x)
  (compression)
• Given h and x, h(x) is easy to compute (ease of
  computation)

58
Digital Signatures in RSA
Insecure channel
Sign
Verify
Plaintext
Signed plaintext
Plaintext
Encryption Alg.
Decryption Alg.
B
A
As public key
As private key
(need reliable channel)
59
Signature and Encryption
B
Encrypted Signed Plaintext
A
Signed Plaintext
Signed Plaintext
Plaintext
Plaintext
D
E
D
E
Bs public key
As public key
Bs private key
As private key
60
Cryptographic Protocols

• Messages should be transmitted to destination
• Only the recipient should see it
• Only the recipient should get it
• Proof of the senders identity
• Message shouldnt be corrupted in transit
• Message should be sent/received once only

61
Detection/Response
62
Misuse Prevention

• Prevention techniques first line of defense
• Secure local and network resources
• Techniques cryptography, identification,
  authentication, authorization, access control,
  security filters, etc.

Problem Losses occur!
63
Intrusion Management

• Intrusion Prevention protect system resources
• Intrusion Detection (second line of defense)
  discriminate intrusion attempts from normal
  system usage
• Intrusion Recovery cost effective recovery models

64
Anomaly versus Misuse
Non-intrusive use
Intrusive use
Looks like NORMAL behavior
False negative Non-anomalous but Intrusive
activities
Does NOT look Like NORMAL behavior
False positive Non-intrusive but Anomalous
activities
65
False Positive vs. False Negative

• False positive non-intrusive but anomalous
  activity
• Security policy is not violated
• Cause unnecessary interruption
• May cause users to become unsatisfied
• False negative non-anomalous but intrusive
  activity
• Security policy is violated
• Undetected intrusion

66
Malicious Code
67
Program Flaws

• Taxonomy of flaws
• how (genesis)
• when (time)
• where (location)
• the flaw was introduced into the system

68
Security Flaws by Genesis

• Genesis
• Intentional
• Malicious Trojan Horse, Trapdoor, Logic Bomb,
  covert channes
• Non-malicious
• Inadvertent
• Validation error
• Domain error
• Serialization error
• Identification/authentication error
• Other error

69
Kinds of Malicious Codes

• Virus a program that attaches copies of itself
  into other programs. Propagates and performs
  some unwanted function.
• Rabbit (Bacteria) program that consumes system
  resources by replicating itself.

70
Kinds of Malicious Code

• Worm a program that propagates copies of itself
  through the network. Usually performs some
  unwanted function.
• Does not attach to other programs
• Trojan Horse secret, undocumented routine
  embedded within a useful program. Execution of
  the program results in execution of secret code.

71
Kinds of Malicious Code

• Logic bomb, time bomb logic embedded in a
  program that checks for a certain set of
  conditions to be present in the system. When
  these conditions are present, some malicious code
  is executed.
• Trapdoor secret, undocumented entry point into a
  program, used to grant access without normal
  methods of access authentication.

72
Virus

• Virus lifecycle
• Dormant phase the virus is idle. (not all
  viruses have this stage)
• Propagation phase the virus places an identical
  copy of itself into other programs of into
  certain system areas.
• Triggering phase the virus is activated to
  perform the function for which it was created.
• Execution phase the function is performed. The
  function may be harmless or damaging.

73
Next ClassResponse/Tolerance