CS18000 Programming I 8 23 2010 CS52600 Information Security Course Overview 8 23 2010 Prof Chris Clifton Portions of the material courtesy Professor Matt Bishop What is Information Security Confidentiality Is this all Why not Availability To whom Authentication Still not there Integrity It s about more than network security 2010 Chris Clifton 2 1 CS18000 Programming I 8 23 2010 Course Outline 1 Introduction Role of security Types of security Definitions 2 Access Control Matrix model 3 Protection Models 4 Policy Risk Analysis Policy Formation Role of audit and control 5 Formal policy models 6 Information Flow 7 Authentication and Identity 8 TBD probably basics of Cryptography 9 System Design principles TCB and security kernel construction Verification Certification issues Midterm Most likely date 10 18 Let me know of bad dates this week 10 System Design principles TCB and security kernel construction Verification Certification issues 11 Network Security Distributed cooperation and commit Distributed authentication issues Routing flooding spamming Firewalls 12 Audit Mechanisms 13 Malicious Code Viruses Worms etc 14 Vulnerability Analysis 15 Physical threats operational security Legal and Societal Issues Final Exam December 18 9pm earliest you should count on leaving campus before you see the exam schedule 3 Course Administration www cs purdue edu homes clifton cs526 Teaching Assistant Ashish Kundu Course Announcements Mailing list directed to you purdue edu http www cs purdue edu clifton cs526 Discussion grades assignment submission through blackboard Evaluation Grading Midterm 25 Final 36 Exercises projects 36 1 2 programming projects 9 11 written assignments similar to exercises in the book Let me know if you will be taking the qual1 See web page for more 4 2010 Chris Clifton 2 CS18000 Programming I 8 23 2010 Course Text Recommended Text Matthew Bishop Computer Security Art and Science Addison Wesley 2003 ISBN 0 201 44099 7 http nob cs ucdavis edu book If you don t have the latest printing see the above link for Errata pages Not required but easier than finding reading original papers 8 23 2010 CS52600 5 Waiting List Registration Send me background information as follows Career ID Infosec Masters Expected graduation Research focus Had CS555 Will take CS555 Taking CS626 likely TA next year Sample clifton no 6 1991 Privacy and Data Mining no no no no Course is planned for spring as well 6 2010 Chris Clifton 3 CS18000 Programming I 8 23 2010 Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational Issues Human Issues 7 Basic Components Confidentiality Keeping data and resources hidden Integrity Data integrity integrity Origin integrity authentication Availability Enabling access to data and resources 8 2010 Chris Clifton 4 CS18000 Programming I 8 23 2010 Classes of Threats Disclosure Snooping Deception Modification spoofing repudiation of origin denial of receipt Disruption Modification Usurpation Modification spoofing delay denial of service 9 Policies and Mechanisms Policy says what is and is not allowed This defines security for the site system etc Policy definition Informal Formal Mechanisms enforce policies Composition of policies If policies conflict discrepancies may create security vulnerabilities 10 2010 Chris Clifton 5 CS18000 Programming I 8 23 2010 Goals of Security Prevention Prevent attackers from violating security policy Detection Detect attackers violation of security policy Recovery Stop attack assess and repair damage Continue to function correctly even if attack succeeds 11 Trust and Assumptions Underlie all aspects of security Policies Unambiguously partition system states Correctly capture security requirements Mechanisms Assumed to enforce policy Support mechanisms work correctly 12 2010 Chris Clifton 6 CS18000 Programming I 8 23 2010 Types of Mechanisms secure broad precise set of reachable states set of secure states 13 Assurance Specification Requirements analysis Statement of desired functionality Design How system will meet specification Implementation Programs systems that carry out design 14 2010 Chris Clifton 7 CS18000 Programming I 8 23 2010 Operational Issues Cost Benefit Analysis Is it cheaper to prevent or recover Risk Analysis Should we protect something How much should we protect this thing Laws and Customs Are desired security measures illegal Will people do them 15 Human Issues Organizational Problems Power and responsibility Financial benefits People problems Outsiders and insiders Which do you think is the bigger problem Social engineering 16 2010 Chris Clifton 8 CS18000 Programming I 8 23 2010 Tying the Definitions Together Threats Policy Specification Design Implementation Operation 17 Key Points Policy defines security and mechanisms enforce security Confidentiality Integrity Availability Trust and knowing assumptions Importance of assurance The human factor 18 2010 Chris Clifton 9 CS18000 Programming I 8 23 2010 Models Access Control What is access control Limiting who is allowed to do what What is an access control model Specifying who is allowed to do what What makes this hard Interactions between types of access 19 Basics State Status of the system Protection state subset that deals with protection Access Control Matrix Describes protection state Formally Objects O Subjects S Matrix A S O Tuple S O A defines protection states of system 20 2010 Chris Clifton 10 CS18000 Programming I 8 23 2010 Student Choice Topics Trusted Computing Systems How does software know underlying system can be trusted Case study of trusted system verification Validation process Forensics Recovery Prevention Tracing Prosecution Digital Rights Management Legal issues 21 CS526 Information Security Access Control Matricies Prof Chris Clifton August 25 2010 2010 Chris Clifton 11 CS18000 Programming I 8 23 2010 Access Restriction Facility Subject attributes name role groups Verbs possible actions Default rule for each verb Objects associated with set of verbs Rule for each object verb pair Rule may be function of subject attributes Can be converted to Access Control Matrix 23 Access Control Matrix Boolean Evaluation Example Internal Public Local CR State University Long Distance International R R R CR R R R T Student Staff Account CR CR T T CR CR Transfer T T CR CR CR CR CR T T T T T 24 2010 Chris Clifton 12 CS18000 Programming I 8 23 2010 What Else Might We Add Default Rule General default Receive
View Full Document
Unlocking...