Berkeley COMPSCI 161 - Lecture Notes

This preview shows page 1-2-3 out of 9 pages.
CS 161 Computer Security
Lecture 14: Principles for Building Secure Systems
October 18, 2006
Prof. Anthony D. Joseph, http://cs161.org
(Slide footer: 10/18/06, Joseph CS161 UCB Fall 2006, Lec 14)

Review
- Attackers will exploit any and all flaws: buffer overruns, format string usage errors, implicit casting, TOCTTOU
- Trusted Computing Base (TCB): the system portion(s) that must operate correctly for the system's security goals to be assured; desired properties; reference monitor
- Software security: defensive programming; implementation techniques to avoid security holes when writing code; several good practices; lots of overlap with software engineering and general software quality, but security places heavier demands
- Three cryptographic principles: conservative design, Kerckhoffs's principle, proactively study attacks
- First two principles: security is economics; least privilege

Goals for Today
- 11 other principles
- Principles are neither necessary nor sufficient to ensure a secure system design, but they are often very helpful
- Goal is to explore what you can do at design time to improve security

3. Use Fail-Safe Defaults
- Use default-deny policies: start by denying all access, then allow only that which has been explicitly permitted
- Ensures that if security mechanisms fail or crash, the default will be secure behavior
- Example: a packet filter is a router. Failure means no packets will be routed (fail-safe behavior). Fail-open behavior is much more dangerous: the attacker just waits for the packet filter to crash (or induces a crash), and then the fort is wide open

Non-Fail-Safe Defaults: Examples
- SunOS machines used to ship with "+" in the /etc/hosts.equiv file: allowed anyone with root access on any machine on the Internet to log into your machine as root
- Irix machines used to ship with "xhost +" in their X Windows configuration files: allowed anyone to connect to the X server

4. Separation of Responsibility
- Split up privilege: no one person or program has complete power
- Require more than one party to approve before access is granted
- Two-party rule examples:
  - Movie theater: pay the teller and get a ticket stub, then a separate employee tears the ticket in half, collects a half of it and puts it in a lockbox. Helps prevent insider fraud (under/over-charging)
  - Most companies: purchases over a certain amount must be approved by both the requesting employee and a purchasing officer. Helps prevent insider fraud in vendor choice

Nuclear Two-Party Rule
- Minuteman nuclear missile launch control center: underground control of ten nuclear missiles; two launch officers must agree to launch the missiles
- Five control centers for a squadron of 50 missiles
- Decommissioned center preserved at Whiteman AFB, Missouri

5. Defense in Depth
- A closely related principle: "You can recognize a security guru because they're wearing both a belt and a set of suspenders"
- Principle is that with multiple redundant protections, all of them have to be breached to endanger system security

6. Psychological Acceptability
- Security systems must be usable by ordinary people and take into account humans' role
- Example: a web browser pops up security warnings but gives no indication of the steps you should take. What do you do? Like everyone else, click OK
- NSA's crypto equipment stores key material on a small physical token shaped like an ordinary key; to activate the encryption device, insert the key into the device's slot and turn it. Intuitively understandable interface, even for 18-year-old soldiers with minimal training

7. Usability
- Important that users buy into the security model
- Examples: a company firewall admin capriciously blocks apps that engineers need to get their jobs done; they view the firewall as damage and tunnel around it
- A sys admin makes all passwords auto-generated, long, unmemorizable strings changed monthly; users simply write down their passwords on yellow post-its attached to their screens
- No system can remain secure for long when all its users actively seek to subvert it
- Sys admins aren't going to win this game; well-intentioned edicts can ultimately turn out to be counterproductive

8. Ensure Complete Mediation
- When enforcing access control policies, ensure that every access to every object is checked
- Caching is a slightly sticky subject: you can sometimes avoid checking every access and allow security decisions to be cached, but beware
- What if context relevant to the security decision changes and the cache entry isn't invalidated? Someone might get away with accessing something they shouldn't

9. Least Common Mechanism
- Be careful with shared code: original assumptions may no longer be valid; the threat model may have changed
- Example: Internet users were once only researchers who trusted each other. Most networking protocols designed during those days assumed that all other network participants were benign and non-malicious. Not true today: millions of users, many malicious ones. Many old network protocols are suffering under the strain of attack (e.g., spam)

10. Detect if You Can't Prevent
- If you can't prevent break-ins, at least detect them and provide a way to identify the perpetrator. Forensics are important
- Keep audit logs so you can analyze break-ins afterwards
- Example: FIPS 140-1, the federal standard for tamper-resistant hardware. Type III devices (highest level) are very expensive. Type II devices are only required to be tamper-evident (e.g., a visibly broken seal): lower cost and usable in a broad set of apps

11. Orthogonal Security
- We've seen this one before
- Security mechanisms implemented orthogonally (transparently) to the rest of the system are useful in protecting legacy systems
- Also allow us to improve assurance by composing multiple mechanisms in series

Security Through Obscurity
- We've seen this one in the last lecture
- The phrase "security through obscurity": systems that rely on secrecy of design, algorithms, or source code to be secure
- Very hard to keep a system design secret from a dedicated adversary: every running installation has binary executable code that can be disassembled
- Hard to assess the chances that the secret will leak, or the difficulty of learning the secret
- Claimed reasoning: "This system is so obscure, only 100 people understand anything about it, so what are the odds that
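The fail-safe-defaults and complete-mediation points above, as an added Python example that is not part of the lecture notes: a toy reference monitor (the Monitor class, its flags and the subject/object names are constructed for illustration) that denies by default, denies when its policy engine raises an error instead of failing open, and clears its decision cache whenever the policy changes; stale_cache_leak() reproduces the caching hazard the slide warns about, where a revoked permission is still honored from the cache.

```python
from dataclasses import dataclass, field


@dataclass
class Monitor:
    allow: dict = field(default_factory=dict)   # (subject, obj) -> {permitted ops}
    cache: dict = field(default_factory=dict)   # (subject, obj, op) -> cached decision
    invalidate_on_change: bool = True           # False reproduces the stale-cache bug
    fail_open: bool = False                     # True reproduces fail-open behaviour
    crashed: bool = False                       # constructed: simulates a policy-engine crash

    def grant(self, subject, obj, op):
        self.allow.setdefault((subject, obj), set()).add(op)
        self._policy_changed()

    def revoke(self, subject, obj, op):
        self.allow.get((subject, obj), set()).discard(op)
        self._policy_changed()

    def _policy_changed(self):
        # Complete mediation: a cached decision is only valid while the context it
        # was computed under is unchanged, so drop every cached entry on a change.
        if self.invalidate_on_change:
            self.cache.clear()

    def _evaluate(self, subject, obj, op):
        if self.crashed:
            raise RuntimeError("policy engine unavailable")
        # Default deny: no explicit allow entry means no access.
        return op in self.allow.get((subject, obj), set())

    def check(self, subject, obj, op):
        key = (subject, obj, op)
        if key in self.cache:
            return self.cache[key]
        try:
            decision = self._evaluate(subject, obj, op)
        except RuntimeError:
            # Packet-filter analogy: if the filter crashes, route nothing.
            return self.fail_open   # the fail-safe monitor denies here
        self.cache[key] = decision
        return decision


def stale_cache_leak():
    """Grant, cache the allow, revoke; True means the stale entry still grants access."""
    m = Monitor(invalidate_on_change=False)
    m.grant("alice", "payroll", "read")
    m.check("alice", "payroll", "read")
    m.revoke("alice", "payroll", "read")
    return m.check("alice", "payroll", "read")
```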