POPULAR POWER Security Issues of Peer-to-Peer Systems

Security Issues of Peer-to-Peer Systems February 14, 2001 O'Reilly Peer-to-Peer Conference Nelson Minar, CTO POPULAR POWER.
Presentation transcript:

POPULAR POWER
Security Issues of Peer-to-Peer Systems
February 14, 2001
O'Reilly Peer-to-Peer Conference
Nelson Minar, CTO <nelson@popularpower.com>

Overview
- Peer-to-peer security is hard
- Some old techniques, some new
- Example: Popular Power

Standard security concerns
- Someone stealing my data
- Virus infecting my computer
- Someone impersonating me
- Someone modifying my data

The Real Problem: the Network
Anna Kournikova, VBS/SST-A, VBS/SST@MM, OnTheFly, ILOVEYOU, VBS/Loveletter.a, Melissa, Trinoo, Tribe Flood Network, Creative, W32/ProLin@MM, Kalamar's VBS Worm Generator, Stacheldraht, +50,000 more

Client/Server Security: Understood
- Make a secure server
- Use firewall to restrict access to server
- Encrypt all communications
- Authenticate server to client
- Authenticate client to server (oops)
- Audit server: logs, tripwires, etc.
- Pray you have no bugs

P2P Security is Harder
- Each computer is untrusted
- Peers don't have trust relationships
- Capacity for rapid spread of trouble
- Individuals can cause local damage that spreads
- Everyone can be running different software
- Code may be mobile; beware!
- Decentralization can make auditing difficult
- Complex systems: hard to understand

Security Tools (not Solutions!)
- Encryption
- Authentication
- Firewalls
- Trust and Reputation
- Sandboxes
- Frameworks: SSL, Intel's PTPTL, etc.

Firewalls
- Good things
  - Easy to set up
  - Restrict access to a "white list" of allowed traffic
  - Single point of control
- Bad things
  - Unsubtle: Block all traffic on port, not application
  - Inflexible: Generally static rulesets
  - Difficult for users inside network to influence
  - Not an Internet-wide security solution

Trust and Reputation Mechanisms
- Give entities identities (pseudonymous)
- Create reputation sharing mechanism
- Assign reputations to entities
- Allow others to retrieve reputations
- Use reputation to build trust relationships
- Example: eBay
- Example: Public key infrastructure
- Verisign-style certificate hierarchies
- PGP Web of Trust
- Peer to Peer / decentralized solutions

Secure Execution Environments
- Essential for mobile code systems!
- Traditional approaches
  - OS-based security
  - Ad-hoc mechanisms (VBS, Javascript, Emacs)
- Sandboxes
  - Java Virtual Machine
  - Inferno / Dis
  - C# / CLR
  - NSA / VMWare: NetTop

Example Application: Popular Power
- Distributed computing
- Centralized server
- Untrusted clients
- Mobile code
- Must protect four different groups:
  - Our own servers
  - Client computers
  - Customers submitting jobs
  - The Internet itself

Protecting Our Servers
- Standard Unix server protection
- Firewalls
- Validating all input (Java – no buffer overflows)
- Auditing servers
- Offline signature keys

Protecting Client Computers
- Threat model: Byzantine failure
- Malicious code
- Buggy code
- Secure execution environment
- Java sandbox
- Fine-grained policy model to add privileges
- Authentication
- Cryptographic protection on files, communication

Protecting Job Submitters
- Theft of intellectual property
  - Obfuscation of code
  - Encryption of data
  - "Shredding" of computation
  - Time to crack vs. value of data
- Data manipulation – spoofing results
  - Redundant execution + verification
  - Reputations of client computers
  - Running checksums
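
The redundant execution, verification and client reputation items above, as an added example that is not part of the original slides and is not Popular Power's code: each work unit goes to several untrusted clients, a result is accepted only when a quorum of digests match, and clients that disagree with the accepted result lose reputation. The Verifier class, its thresholds and the sample results are assumptions made for illustration.

```python
import hashlib
from collections import Counter, defaultdict


class Verifier:
    """Hypothetical server-side check for results returned by untrusted clients."""

    def __init__(self, replicas=3, quorum=2, min_reputation=0.5):
        if quorum * 2 <= replicas:
            raise ValueError("quorum must be a strict majority of replicas")
        self.replicas, self.quorum = replicas, quorum
        self.min_reputation = min_reputation
        # Smoothed counters: an unknown client starts at 1 agreement in 2 = 0.5.
        self.agree = defaultdict(lambda: 1)
        self.total = defaultdict(lambda: 2)

    def reputation(self, client):
        return self.agree[client] / self.total[client]

    def pick_clients(self, candidates):
        """Pick the highest-reputation eligible clients for one work unit."""
        ok = [c for c in candidates if self.reputation(c) >= self.min_reputation]
        ok.sort(key=lambda c: (-self.reputation(c), c))
        if len(ok) < self.replicas:
            raise RuntimeError("not enough trusted clients for redundant execution")
        return ok[: self.replicas]

    def verify(self, results):
        """results maps client id -> result bytes; returns accepted bytes or None."""
        digests = {c: hashlib.sha256(r).hexdigest() for c, r in results.items()}
        winner, votes = Counter(digests.values()).most_common(1)[0]
        if votes < self.quorum:
            return None  # no agreement: reschedule the unit, blame nobody yet
        for client, digest in digests.items():
            self.total[client] += 1
            self.agree[client] += digest == winner
        # Caveat: a colluding majority of the chosen replicas still wins the vote,
        # so replicas should be spread across unrelated clients.
        return next(r for c, r in results.items() if digests[c] == winner)


if __name__ == "__main__":
    v = Verifier()
    clients = v.pick_clients(["a", "b", "c", "d"])
    # Constructed sample results: client "c" returns a spoofed value.
    returned = {"a": b"unit-7:42", "b": b"unit-7:42", "c": b"unit-7:13"}
    print(clients, v.verify(returned), round(v.reputation("c"), 2))
```
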

Protecting the Internet
- Distributed denial of service
- Load testing / quality of service monitoring
- Malicious attack, or accident in programming
- Careful authentication of job submission
- Built-in failsafes in code
- Built-in failsafes in system
- Play nice with firewalls
- Open question?

Conclusion
- There are lots of good security tools
- Peer-to-peer has hard problems
- Complex decentralized systems are inherently difficult to secure
- We have an ethical responsibility to create secure systems