UW CSEP 590 - Lecture Notes
This preview shows page 1-2-21-22 out of 22 pages.
Contents: Accountability and Freedom; Real-World Security; Causes of Security Problems; The Access Control Model; Access Control Mechanisms: The Gold Standard; Making Isolation Work; Bad = Unaccountable; For Accountability To Work; Accountability vs. Access Control; The Accountability Ecosystem; Accountable Internet Access; Accountability vs. Freedom (slide 12); Without R|G: Today; With R|G; Must Get Configuration Right; Why R|G?; Configuring Green; R|G User Model Dilemma; Data Transfer; Where Should Email/IM Run?; R|G and Enterprise Networks; Summary

1. Accountability and Freedom
Butler Lampson, Microsoft
October 27, 2005

2. Real-World Security
• It's about risk, locks, and deterrence.
  – Risk management: cost of security < expected loss
  – Perfect security costs way too much
  – Locks good enough that bad guys break in rarely
  – Bad guys get caught and punished enough to be deterred, so police / courts must be good enough.
  – Can recover from damage at an acceptable cost.
• Internet security similar, but little accountability
  – Can't identify the bad guys, so can't deter them

3. Causes of Security Problems
• Exploitable bugs
• Bad configuration
  – TCB: everything that security depends on: hardware, software, and configuration
  – Does formal policy say what I mean?
    • Can I understand it? Can I manage it?
• Why least privilege doesn't work
  – Too complicated, can't manage it
  "The unavoidable price of reliability is simplicity" —Hoare

4. The Access Control Model
[Figure: a Principal (source) sends a Request over a channel to a Reference monitor (guard), which consults Authentication, Authorization (Policy) and an Audit log before doing the operation on the Object (resource). Labels: 1. Isolation boundary, 2. Access control, 3. Policy.]
1. Isolation boundary: I am isolated if anything that goes wrong is my (program's) fault
2. Access control for channel traffic
3. Policy management

5. Access Control Mechanisms: The Gold Standard
– Authenticate principals: who made a request?
  Mainly people, but also channels, servers, programs
  (encryption implements channels, so a key is a principal)
– Authorize access: who is trusted with a resource?
  Group principals or resources, to simplify management
  Can define by a property, e.g. "type-safe" or "safe for scripting"
– Audit: who did what when?
• Lock = Authenticate + Authorize
• Deter = Authenticate + Audit
[Figure: the access control model diagram of slide 4, repeated.]

6. Making Isolation Work
• Isolation is imperfect: can't get rid of bugs
  – TCB = 10-50 M lines of code
  – Customers want features more than correctness
• Instead, don't tickle them.
• How? Reject bad inputs
  – Code: don't run, or restrict severely
  – Communication: reject, or restrict severely
    • Especially web sites
  – Data: don't send; don't accept if complex

7. Bad = Unaccountable
• Can't identify bad guys, so can't deter them
• Fix? End nodes enforce accountability
  – Refuse inputs that aren't accountable enough
    • or strongly isolate those inputs
  – Senders are accountable if you can punish them
  – All trust is local
• Need an ecosystem for
  – Senders becoming accountable
  – Receivers demanding accountability
  – Third-party intermediaries
• To stop DDOS attacks, ISPs must play

8. For Accountability To Work
• Senders must be able to make themselves accountable
  – This means pledging something of value
    • Friendship
    • Reputation
    • Money
    • …
• Receivers must be able to check accountability
  – Specify what is accountable enough
  – Verify sender's evidence of accountability

9. Accountability vs. Access Control
• "In principle" there is no difference, but
• Accountability is about punishment, not locks
  – Hence audit is critical
• Accountability is very coarse-grained

10. The Accountability Ecosystem
• Identity, reputation, and indirection services
• Mechanisms to establish trust relationships
  – Person to person and person to organization
• A flexible, simple user model for identity
• Stronger user authentication
  – Smart card, cell phone, biometrics
• Application identity: signing, reputation

11. Accountable Internet Access
• Just enough to block DDoS attacks
• Need ISPs to play. Why should they?
  – Servers demand it; clients don't get locked out
  – Regulation?
• A server asks its ISP to block some IP addresses
• ISPs propagate such requests to peers or clients
  – Probably must be based on IP address
  – Perhaps some signing scheme to traverse unreliable intermediaries?
• High-priority packets can get through

12. Accountability vs. Freedom
• Partition world into two parts:
  – Green: safer / accountable
  – Red: less safe / unaccountable
• Two aspects, mostly orthogonal
  – User experience
  – Isolation mechanism
    • Separate hardware with air gap
    • VM
    • Process isolation

13. Without R|G: Today
[Figure: "My Computer" holds both less valuable and more valuable assets. Less trustworthy / less accountable entities mount N attacks/yr and more trustworthy / more accountable entities mount m attacks/yr, all against the same machine. Total: N+m attacks/yr on all assets (N >> m). Entities: programs, network hosts, administrators.]

14. With R|G
[Figure: "My Red Computer" holds the less valuable assets and takes the N attacks/yr from less trustworthy / less accountable entities; "My Green Computer" holds the more valuable assets and takes only the m attacks/yr from more trustworthy / more accountable entities (N >> m). Entities: programs, network hosts, administrators.]

15. Must Get Configuration Right
[Figure: the R|G picture of slide 14 with two misconfigurations marked: a valuable asset placed on the red computer, and a hostile agent reaching the green computer.]
• Keep valuable stuff out of red
• Keep hostile agents out of green

16. Why R|G?
• Problems:
  – Any OS will always be exploitable
    • The richer the OS, the more bugs
  – Need internet access to get work done, have fun
    • The internet is full of bad guys
• Solution: isolated work environments:
  – Green: important assets, only talk to good guys
    • Don't tickle the bugs, by restricting inputs
  – Red: less important assets, talk to anybody
    • Blow away broken systems
• Good guys: more trustworthy / accountable
  – Bad guys: less trustworthy or less accountable

17. Configuring Green
• Green = locked down = only whitelisted inputs
• Requires professional management
  – Few users can make these decisions
  – Avoid "click OK to proceed"
• To escape, use Red
  – Today almost all machines are Red

18. R|G User Model Dilemma
• People don't want complete isolation
  – They want to:
    • Cut/paste, drag/drop
    • Share parts of the file system
    • Share the screen
    • Administer one machine, not multiple
    • …
• But more integration can weaken isolation
  – Add bugs
  – Compromise
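The following is an added example, not code from the lecture or from Lampson: a toy reference monitor that implements the three "gold standard" mechanisms of slide 5 (authenticate, authorize, audit) and makes the two equations on that slide concrete, lock = authenticate + authorize and deter = authenticate + audit. A channel is implemented by a shared HMAC key, following the slide's remark that a key is a principal; policy trusts either a group of principals or a property such as "type-safe". Every channel name, key, group, property, resource and request below is a constructed sample value.

```python
"""Added example (not from the slides): a toy reference monitor implementing
authenticate + authorize + audit. All channels, keys, groups, properties and
resources are constructed sample values."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac

# Authentication. A channel is implemented by a shared key ("encryption
# implements channels, so a key is a principal"); the monitor maps each
# channel to the principal that speaks on it. Constructed values.
CHANNEL_KEYS = {"ch-alice": b"alice-secret", "ch-build": b"build-secret"}
CHANNEL_PRINCIPAL = {"ch-alice": "alice", "ch-build": "build-server"}

def sign(channel, operation, resource):
    """Sender side: MAC the request with the channel's key."""
    msg = f"{operation}:{resource}".encode()
    return hmac.new(CHANNEL_KEYS[channel], msg, hashlib.sha256).digest()

def authenticate(channel, operation, resource, tag):
    """Return the principal behind `channel` if `tag` verifies, else None."""
    key = CHANNEL_KEYS.get(channel)
    if key is None:
        return None
    msg = f"{operation}:{resource}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return CHANNEL_PRINCIPAL[channel] if hmac.compare_digest(expected, tag) else None

# Authorization. Policy names a group of principals, or a property a principal
# must have (e.g. "type-safe"), so the policy stays small enough to manage.
GROUPS = {"developers": {"alice"}, "services": {"build-server"}}
PROPERTIES = {"build-server": {"type-safe"}}
POLICY = {  # resource -> [(operation, who is trusted)]
    "src-repo": [("read", "group:developers"), ("write", "group:developers"),
                 ("read", "group:services")],
    "deploy-key": [("read", "property:type-safe")],
}

def authorize(principal, operation, resource):
    for op, who in POLICY.get(resource, []):
        if op != operation:
            continue
        kind, name = who.split(":", 1)
        if kind == "group" and principal in GROUPS.get(name, set()):
            return True
        if kind == "property" and name in PROPERTIES.get(principal, set()):
            return True
    return False

@dataclass
class ReferenceMonitor:
    """The guard: authenticate + authorize is the lock; the audit log of who
    did what when is what makes deterrence possible."""
    audit_log: list = field(default_factory=list)

    def request(self, channel, operation, resource, tag):
        principal = authenticate(channel, operation, resource, tag)
        allowed = principal is not None and authorize(principal, operation, resource)
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "channel": channel, "who": principal,
            "what": f"{operation} {resource}", "allowed": allowed,
        })
        return allowed

def demo():
    """Run a few constructed requests; returns (decisions, audit log)."""
    rm = ReferenceMonitor()
    decisions = [
        rm.request("ch-alice", "write", "src-repo", sign("ch-alice", "write", "src-repo")),
        rm.request("ch-build", "write", "src-repo", sign("ch-build", "write", "src-repo")),
        rm.request("ch-build", "read", "deploy-key", sign("ch-build", "read", "deploy-key")),
        rm.request("ch-alice", "read", "deploy-key", sign("ch-alice", "read", "deploy-key")),
        # A tag taken from a different request: authentication fails, so the
        # policy is never consulted, but the attempt is still in the log.
        rm.request("ch-alice", "write", "src-repo", sign("ch-alice", "read", "src-repo")),
    ]
    return decisions, rm.audit_log

if __name__ == "__main__":
    for decision, entry in zip(*demo()):
        print(decision, entry)
```

Note that the log entry for the failed authentication records the channel and the attempted operation even though `who` is None: with accountability the point is not only to refuse the request but to keep evidence that can be traced back to whoever holds the channel.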
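Slides 13 through 17 describe the Red|Green split and the two configuration rules it depends on. As an added illustration, not part of the lecture, here is a small linter for such a configuration: it checks "keep valuable stuff out of red" and "keep hostile agents out of green" (slide 15), treating any input to a green host from a less accountable entity as the whitelist rule of slide 17 being broken, and it reproduces the attacks-per-year bookkeeping of slides 13 and 14. The reading that each population of entities able to reach a host contributes its whole attack rate to every asset on that host is my assumption, as are all hosts, assets, entities and the values N and m.

```python
"""Added example (not from the slides): a linter for a Red|Green configuration
plus the slide 13/14 attacks-per-year bookkeeping. All hosts, assets, entities
and rates are constructed sample data."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entity:
    """A program, network host or administrator that can send input to a host."""
    name: str
    accountable: bool   # True: more trustworthy / accountable ("good guy")

@dataclass
class Host:
    name: str
    color: str                                   # "red" or "green"
    assets: dict = field(default_factory=dict)   # asset name -> "high" | "low"
    inputs: list = field(default_factory=list)   # entities allowed to reach it

def check_config(hosts):
    """Return the list of rule violations; an empty list means the
    configuration satisfies both rules of slide 15."""
    violations = []
    for h in hosts:
        if h.color not in ("red", "green"):
            violations.append(f"{h.name}: unknown colour {h.color!r}")
            continue
        for asset, value in h.assets.items():
            if h.color == "red" and value == "high":
                violations.append(f"{h.name}: valuable asset {asset!r} kept on a red host")
        if h.color == "green":
            for e in h.inputs:
                if not e.accountable:
                    violations.append(
                        f"{h.name}: unaccountable entity {e.name!r} can reach a green host")
    return violations

def attacks_per_year(hosts, n_bad, m_good):
    """Assumed model: less accountable entities mount N attacks/yr and more
    accountable ones m (N >> m). Every asset on a host is exposed to the rate
    of each population that can reach that host. Returns asset -> attacks/yr."""
    exposure = {}
    for h in hosts:
        rate = 0
        if any(not e.accountable for e in h.inputs):
            rate += n_bad
        if any(e.accountable for e in h.inputs):
            rate += m_good
        for asset in h.assets:
            exposure[asset] = rate
    return exposure

# Constructed sample data.
WEB = Entity("web", accountable=False)
COWORKER = Entity("coworker", accountable=True)

# Slide 13, "today": one machine, all assets, reachable by everybody.
TODAY = [Host("my-computer", "red", {"photos": "low", "tax-records": "high"},
              [WEB, COWORKER])]
# Slide 14: valuable assets on green, which only the accountable entity reaches.
RG = [Host("my-red", "red", {"photos": "low"}, [WEB, COWORKER]),
      Host("my-green", "green", {"tax-records": "high"}, [COWORKER])]
# Slide 15's second mistake: a hostile agent allowed into green.
BAD_RG = [Host("my-red", "red", {"photos": "low"}, [WEB]),
          Host("my-green", "green", {"tax-records": "high"}, [WEB, COWORKER])]

if __name__ == "__main__":
    N, M = 1000, 10   # constructed rates with N >> m
    for label, cfg in (("today", TODAY), ("R|G", RG), ("bad R|G", BAD_RG)):
        print(label, check_config(cfg) or "ok", attacks_per_year(cfg, N, M))
```

With N >> m the red host's N+m is the slide's "N attacks/yr on less valuable assets" up to the negligible m term, while the green host's exposure drops to m only as long as the linter finds no unaccountable entity on its input list; the moment one is whitelisted (BAD_RG) the valuable assets are back at the "today" rate.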