CS 161 Computer Security, Spring 2010, Paxson / Wagner
Discussion 2, February 2, 2010

1  TCB (Trusted Computing Base)

(a) Is trust a good thing? Why or why not?
(b) What is a trusted computing base?
(c) What can we do to reduce the size of the TCB?
(d) What components are included in the physical analog of the TCB for the following security goals?
    i.   Preventing break-ins to your apartment
    ii.  Locking up your bike
    iii. Preventing people from riding BART for free
    iv.  Making sure no explosives are present on an airplane
    v.   Preventing all the money from being stolen from a bank vault

Answer:

(a) It is great to trust a friend, but it is bad to have to trust a component in a system that has security goals: it means that component can violate your security goals if it fails or misbehaves. This is the difference between something you trust (you depend on it, whether or not it deserves that dependence) and something that is trustworthy (it actually deserves it).
(b) It is the set of hardware and software on which we depend for correct enforcement of policy. If any part of the TCB is incorrect, the system's security properties can no longer be guaranteed. (Paraphrased from Pfleeger.)
(c) Privilege separation can help reduce the size of the TCB: split the system into components and give each only the privileges it needs. You end up with more components, but only the few privileged ones remain in the TCB; the rest cannot violate your security goals if they break. The components that handle untrusted input (a parser, a network listener) are the ones you most want outside the TCB, since that is where bugs are most likely to be triggered.
(d) These lists are not necessarily complete.
    i.   the lock, the door, the walls, the windows, the roof, the floor, you, and anyone else who has a key
    ii.  the bike frame, the bike lock, the post you lock it to, the ground
    iii. the ticket machines, the tickets, the turnstiles, the entrances, the employees
    iv.  the TSA employees, the security gates, the one-way exit gates, the fences surrounding the runway area; but NOT the airline employees, restaurant employees, or others
    v.   the vault, and the owner and the manager together (but not separately), assuming one has the code and the other has the key

2  Security Principles

The following are the security principles we discussed in lecture:

A. Security is economics
B. Least privilege
C. Use fail-safe defaults
D. Separation of responsibility
E. Defense in depth
F. Psychological acceptability
G. Human factors matter
H. Ensure complete mediation
I. Know your threat model
J. Detect if you can't prevent
K. Don't rely on security through obscurity
L. Design security in from the start

Identify the principle(s) relevant to each of the following scenarios.

(a) New cars often come with a valet key. This key is intended to be used by valet drivers who park your car for you. The key opens the door and turns on the ignition, but it does not open the trunk or the glove compartment.
(b) Many home owners leave a key to their house under the floor mat in front of their door.
(c) Convertible owners often leave the roof down when parking their car, allowing easy access to whatever is inside.
(d) Warranties on cell phones do not cover accidental damage, which includes liquid damage. Unfortunately for cell phone companies, many consumers who accidentally damage their phones with liquid will wait for it to dry, then take it in to the store claiming that it doesn't work but they don't know why. To combat this threat, many companies have begun to include on the product a small sticker that turns red, and stays red, when it gets wet.
(e) Social security numbers, which we all know we are supposed to keep secret, are often easily obtainable or easily guessable.
(f) The TSA hires a lot of employees and purchases a lot of equipment in order to stop people from bringing explosives onto airplanes.

Answer: Note that there may be principles that apply other than those listed below.

(a) Least privilege. Valets do not need access to your trunk or your glove box, so you don't give them the ability to open them.
(b) Don't rely on security through obscurity. Unfortunately, we often do: the security of your home then depends on the belief that most criminals don't know where your key is. With a modicum of effort, a criminal could find the key and open the lock.
(c) Security is economics. Even if the owner left the top up, it would be easy for a criminal to cut through it; the owner would then lose both the items in the car and the cost of a new roof. Leaving the top down limits the loss to the items themselves.
(d) Detect if you can't prevent. People will try to scam cell phone manufacturers, and there is nothing the companies can do to stop them from trying. But they can, and do, detect when people have voided their warranty via liquid damage.
(e) Design security in from the start. SSNs were not designed to be authenticators, so security was not designed in from the start: the number is based on a geographic region (the area number), a sequential group number, and a sequential serial number, which is what makes it guessable. They have since been repurposed as authenticators.
(f) Security is economics. They spend a lot of money to protect airplanes, lives, and the warm, safe, fuzzy feeling that people want to have when they fly.

3  Adversaries

(a) When you book a flight on Southwest Airlines, Southwest sends your ticket information to you via email. This email contains all the information you need to modify your itinerary (add, change, or cancel flights) and print your boarding pass. However, email is sent in the clear, meaning that anyone between your computer and the Southwest servers can read your messages and take your flight information. Moreover, for many of us, Google or Microsoft eventually gets to see your email as it sits in your inbox. Should we be concerned about this? Why not have Southwest send a physical envelope to your apartment, where you would at least have evidence of tampering?
(b) Imagine you are a highly motivated attacker who wants to travel under someone else's name. How might you take advantage of Southwest's system?

Answer:

(a) Economics and threat model. For most people this sort of manipulation is not of any concern: we are not worried about the threat of someone intercepting our messages, because our flight information just is not interesting to anyone out there. This is a threat model, the set of threats you are actually concerned with in your system. The other side is economics: we are more than happy to take the minor risk of someone intercepting our email because it is so much more convenient than the USPS.
(b) Print out two copies of the victim's boarding pass. Photoshop one to carry your own name. DoS the victim so they cannot arrive at the airport. Go through TSA security with the modified boarding pass and your own ID, then at the gate use the unmodified boarding pass. As long as the victim does not arrive at the airport, you should be able to board easily. The attack works because the checkpoint only compares the name printed on the pass with the name on your ID; it does not verify that the pass itself is genuine, so a forged pass passes the check.

4  Alternative Access Methods

Suppose you have a Linux machine for your personal use. This includes storing sensitive information, including
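Question 1(c) above says that privilege separation shrinks the TCB. The following Python program is an added illustration of that idea; it is not part of the CS 161 handout. The untrusted-input parser runs in a forked child process, and the secret is loaded in the parent only after the child has exited, so a parser bug cannot read it. The "KEY=VALUE;KEY=VALUE" message format, the placeholder secret, and the sample inputs are all constructed for this example; the program needs a POSIX system for os.fork.

```python
# Added example, not part of the CS 161 handout: privilege separation in
# Python. The untrusted-input parser runs in a forked child that never holds
# the secret, so a parser bug cannot leak it. The KEY=VALUE;... format, the
# placeholder secret and the sample inputs are all constructed for this example.
import json
import os
from typing import Optional


def parse_untrusted(raw: bytes) -> dict:
    """Parse the constructed 'k1=v1;k2=v2' format. Malformed input raises."""
    fields = {}
    for item in raw.decode("ascii").split(";"):
        if not item:
            continue
        key, value = item.split("=", 1)  # ValueError if the item has no '='
        fields[key] = value
    return fields


def parse_in_child(raw: bytes) -> Optional[dict]:
    """Run parse_untrusted() in a child process; return None if the child failed.

    The fork happens before load_secret() is ever called, so the child's
    address space never contains the secret. If the parser crashes (or is
    exploited), the damage is confined to a process holding nothing worth
    stealing.
    """
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the unprivileged worker
        os.close(read_fd)
        try:
            payload = json.dumps(parse_untrusted(raw)).encode("ascii")
        except Exception:  # any parser failure: report nothing at all
            payload = b""
        os.write(write_fd, payload)
        os.close(write_fd)
        os._exit(0)

    # parent: the privileged side. Read until the child closes its end.
    os.close(write_fd)
    chunks = []
    while True:
        chunk = os.read(read_fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_fd)
    os.waitpid(pid, 0)

    data = b"".join(chunks)
    if not data:
        return None
    result = json.loads(data)
    # The parent does not trust the worker either: re-validate its output
    # before acting on it (defense in depth at the privilege boundary).
    if not isinstance(result, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in result.items()
    ):
        return None
    return result


def load_secret() -> str:
    """Constructed placeholder; a real system would read a root-only key file."""
    return "hunter2-example-secret"


def handle_request(raw: bytes) -> str:
    """This function and load_secret() are in the TCB; parse_untrusted() is not."""
    fields = parse_in_child(raw)
    if fields is None:
        return "rejected"
    secret = load_secret()  # loaded only here, after the worker has exited
    return "ok user=%s secret_len=%d" % (fields.get("user", "?"), len(secret))


if __name__ == "__main__":
    print(handle_request(b"user=alice;op=read"))  # parser succeeds
    print(handle_request(b"no-equals-sign"))      # parser crashes in the child
```

Two caveats a practitioner would add. First, fork copies the parent's memory, so the ordering matters: anything loaded before the fork is visible to the worker, which is why a real privilege-separated server starts its workers before reading keys. Second, the example confines the parser only by not giving it the secret; a production design would also drop the worker's privileges (a separate unprivileged uid, chroot, or a syscall filter) so that a compromised worker cannot reach the secret through the filesystem either.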