Berkeley COMPSCI 161 - Discussion 2
CS 161 Computer Security, Spring 2010, Paxson/Wagner
Discussion 2, February 2, 2010

1. TCB (Trusted Computing Base)

(a) Is trust a good thing? Why or why not?
(b) What is a trusted computing base?
(c) What can we do to reduce the size of the TCB?
(d) What components are included in the (physical analog of the) TCB for the following security goals:
    i. Preventing break-ins to your apartment
    ii. Locking up your bike
    iii. Preventing people from riding BART for free
    iv. Making sure no explosives are present on an airplane
    v. Preventing all the money from being stolen from a bank vault

Answer

(a) It is great to trust a friend, but it is bad to have to trust a component in a system that has security goals: if that component fails, it can violate your security goals. This is the difference between something you trust and something that is trustworthy.
(b) The TCB is the set of hardware and software on which we depend for correct enforcement of policy. If any part of the TCB is incorrect, the system's security properties can no longer be guaranteed to hold. (Paraphrased from Pfleeger.)
(c) Privilege separation can help reduce the size of the TCB. You end up with more components, but not all of them can violate your security goals if they break, so fewer of them need to be trusted.
(d) (This list is not necessarily complete.)
    i. the lock, the door, the walls, the windows, the roof, the floor, you, anyone who has a key
    ii. the bike frame, the bike lock, the post you lock it to, the ground
    iii. the ticket machines, the tickets, the turnstiles, the entrances, the employees
    iv. the TSA employees, the security gates, the "one-way" exit gates, the fences surrounding the runway area (but NOT the airline employees, restaurant employees, others?)
    v. the vault, the owner + the manager (together, but not separately, assuming one has the code and the other has the key)

2. Security Principles

The following are the security principles we discussed in lecture:

A. Security is economics
B. Least privilege
C. Use failsafe defaults
D. Separation of responsibility
E. Defense in depth
F. Psychological acceptability
G. Human factors matter
H. Ensure complete mediation
I. Know your threat model
J. Detect if you can't prevent
K. Don't rely on security through obscurity
L. Design security in from the start

Identify the principle(s) relevant to each of the following scenarios:

(a) New cars often come with a valet key. This key is intended to be used by valet drivers who park your car for you. The key opens the door and turns on the ignition, but it does not open the trunk or the glove compartment.
(b) Many home owners leave a key to their house under the floor mat in front of their door.
(c) Convertible owners often leave the roof down when parking their car, allowing easy access to whatever is inside.
(d) Warranties on cell phones do not cover accidental damage, which includes liquid damage. Unfortunately for cell phone companies, many consumers who accidentally damage their phones with liquid will wait for the phone to dry, then take it in to the store, claiming that it doesn't work but they don't know why. To combat this threat, many companies have begun to include on the product a small sticker that turns red (and stays red) when it gets wet.
(e) Social security numbers, which we all know we are supposed to keep secret, are often easily obtainable or easily guessable.
(f) The TSA hires a lot of employees and purchases a lot of equipment in order to stop people from bringing explosives onto airplanes.

Answer (Note that there may be principles that apply other than those listed below.)

(a) Principle of least privilege. Valets do not need access to your trunk or your glove box, so you don't give them that access.
(b) Unfortunately we often do rely on security through obscurity. The security of your home depends on the belief that most criminals don't know where your key is. With a modicum of effort, a criminal could find your key and open the lock.
(c) Security is economics. Even if the owner left the top up, it would be easy for a criminal to cut through it. If a criminal did that, it would cost the owner both the items in the car and the price of a new roof!
(d) Detect if you can't prevent. People will try to scam cell phone manufacturers, and there is nothing the companies can do to stop this. But they can (and do) detect when people have voided their warranty via liquid damage.
(e) Design security in from the start. SSNs were not designed to be authenticators, so security was not designed in from the start. The number is based on geographic region, a sequential group number, and a sequential serial number. They have since been repurposed as authenticators.
(f) Security is economics. They spend a lot of money to protect airplanes, lives, and the warm/safe/fuzzy feeling that people want to have when they fly.

3. Adversaries

(a) When you book a flight on Southwest Airlines, Southwest sends your ticket information to you via email. This email contains all the information you need to modify your itinerary (add, change, or cancel flights) and print your boarding pass. However, email is sent in the clear, meaning that anyone between your computer and the Southwest servers can read your messages and take your flight information. Moreover, for many of us, Google or Microsoft eventually gets to see your email as it sits in your inbox. Should we be concerned about this? Why not have Southwest send a physical envelope to your apartment, where you would at least have evidence of tampering?
(b) Imagine you are a highly motivated attacker who wants to travel under someone else's name. How might you take advantage of Southwest's system?

Answer:

(a) Economics and threat model. For most people, this sort of manipulation is not of any concern. We are not worried about the threat of someone intercepting our messages; it just is not interesting to anyone out there. This is called a "threat model": the threats you are actually concerned with in your system. The other side of this is economics. We are more than happy to take the (minor) risk of someone intercepting our email because it is much more convenient than USPS.
(b) Print out two copies of a victim's boarding pass. Photoshop one to have your own name. DoS the victim so they cannot arrive at the airport. Go through TSA security with the modified boarding pass and your own ID. Arrive at the gate and use the unmodified boarding pass. As long as the victim does not arrive at the airport, you
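The attack in 3(b) works because the two checkpoints verify different artifacts: TSA compares the printed name to an ID but never reads the barcode, while the gate scans only the barcode and never looks at an ID. The Python below is an added example, not part of the worksheet or any airline's or TSA's system; it models both checkpoints, replays the steps above against the weak model, and then shows a hardened TSA check that binds the ID to the barcode's reservation. The manifest, the names, the barcode format and the `MANIFEST` lookup standing in for "decoding the barcode" are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample manifest (barcode -> name on the reservation). Not real data.
MANIFEST = {"SW-24601": "Alice Victim"}


@dataclass(frozen=True)
class BoardingPass:
    printed_name: str  # human-readable; trivial to alter on a reprinted copy
    barcode: str       # machine-readable; an edited printout keeps the original barcode


def tsa_checkpoint_weak(bp: BoardingPass, id_name: str) -> bool:
    """Weak model of the checkpoint in 3(b): printed name vs. government ID only.

    The barcode is never read here, so a copy with a photoshopped name passes.
    """
    return bp.printed_name == id_name


def tsa_checkpoint_hardened(bp: BoardingPass, id_name: str) -> bool:
    """Hardened model (assumption): also decode the barcode and require the
    reservation name to match the ID, binding the ID check to the artifact the
    gate trusts. A real deployment would also need the barcode to be
    authenticated (e.g. signed); this model does not cover that.
    """
    return bp.printed_name == id_name and MANIFEST.get(bp.barcode) == id_name


def gate_checkpoint(bp: BoardingPass, boarded: set) -> bool:
    """Gate model: scan the barcode against the manifest; no ID is checked.

    Each barcode boards once, which is why the attacker in 3(b) needs the
    victim to stay away from the airport.
    """
    if bp.barcode not in MANIFEST or bp.barcode in boarded:
        return False
    boarded.add(bp.barcode)
    return True


def run_attack(attacker_name: str, victim_pass: BoardingPass,
               tsa_check, victim_shows_up: bool) -> bool:
    """Replay 3(b): forged copy at TSA, genuine copy at the gate.

    Returns True if the attacker boards under the victim's reservation.
    """
    forged = BoardingPass(printed_name=attacker_name, barcode=victim_pass.barcode)
    boarded: set = set()
    if victim_shows_up:
        gate_checkpoint(victim_pass, boarded)  # victim boards first, barcode consumed
    if not tsa_check(forged, attacker_name):
        return False
    return gate_checkpoint(victim_pass, boarded)


def demo() -> dict:
    victim = BoardingPass("Alice Victim", "SW-24601")
    return {
        "weak_victim_absent": run_attack("Mallory Attacker", victim, tsa_checkpoint_weak, False),
        "weak_victim_present": run_attack("Mallory Attacker", victim, tsa_checkpoint_weak, True),
        "hardened_victim_absent": run_attack("Mallory Attacker", victim, tsa_checkpoint_hardened, False),
        "legitimate_passenger": tsa_checkpoint_hardened(victim, "Alice Victim"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'boards' if result else 'rejected'}")
```

Against the weak model the attacker boards whenever the victim is absent, which is exactly the precondition the worksheet's "DoS the victim" step establishes; once the gate has consumed the barcode, the second use is refused. The hardened check rejects the forged copy because the ID name no longer matches the reservation the barcode points to, while the legitimate passenger still passes.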