Security Basics CSCE 489/689 (Software Security) Fall 2018

Presentation transcript:

Security Basics
CSCE 489/689 (Software Security), Fall 2018
Philip Ritchey, Department of Computer Science and Engineering

Klossner’s comics are quite good. You should check them out. A 2014 study by IBM and Ponemon Institute identified three main causes of a data breach: malicious or criminal attack, system glitch (IT and business process failures), human error. https://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf

If you remember nothing else… Remember these:
- There is No Security without Physical Security
- The Goals of Security: Confidentiality, Integrity, Availability
- “Threat” is what could happen. “Attack” is what does happen.
- Design Principles: Simplicity and Restriction

First: there is no security without physical security.
- Physical security is necessary, but not sufficient.
- If an attacker has physical access, they have a HUGE advantage.
- Physical access can be onsite (break-in, insider) or offsite (theft).

ATM machine security? It better be bolted to the wall/ground. If not, it’s easy to load it onto a truck and take it home to exploit with a sledgehammer and other tools.

- JerryRigEverything – Physical Defeat of Tapplock: https://www.youtube.com/watch?v=RxM55DNS9CE (defeated: 2:23-4:33)
- Pen Test Partners – Bluetooth Unlock: https://www.youtube.com/watch?time_continue=8&v=BLfI2_xOmK8
- http://blog.securitymetrics.com/2014/10/physical-security-threat.html

The Basics: Fundamental Concepts
- C: Confidentiality
- I: Integrity
- A: Availability

Other ‘A’s:
- A: Authenticity
- A: Anonymity
- A: Assurance
- A: Authorization
- A: Accounting
- A: Auditing

https://www.thesecurityawarenesscompany.com/2015/05/14/the-cia-triad/

Confidentiality: the concealment of information or resources.
- Applies to content and existence
- Supported by access control mechanisms: cryptography, file permissions, whitelists / blacklists
- Enforcement relies on system services (e.g. kernel)
- Assumptions and Trust
- Protect data at rest, in transit, and in use.

Alice has a file. She doesn’t want anyone else to be able to read the file. Bob should not be able to read the file:
- Bob should not be able to open the file (Bob does not have read permission; the OS will not allow Bob to open the file for reading).
- Bob should not be able to make sense of the data in the file (suppose Bob can read the bits directly; the bits should be gibberish to Bob, i.e. the data is encrypted).
- Bob should not even know the file exists. Even the bits on disk that indicate which other bits belong to a file should be obfuscated, or the file is hidden inside another file, one that Bob may or may not be allowed to read, in such a way that only Alice can extract the bits that make up the secret file (stego: “enstegged?”).

Integrity: the trustworthiness of data or resources.
- Data integrity and origin integrity
- Origin → “authentication”
- Impacts credibility
- Prevention mechanisms and detection mechanisms
  - Prevention: block unauthorized changes to the data (2 kinds)
  - Detection: report loss of trustworthiness of the data’s integrity

Correctness and trustworthiness: origin, transmission, storage.
- Unauthorized user attempts to make changes: outsider
- Authorized user attempts to make unauthorized changes: insider
- Prevention: access control (passwords, permissions)
- Detection: MACs, document hashes
- Protect data at rest, in transit, and in use.
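The slide distinguishes data integrity from origin integrity and lists hashes and MACs as detection mechanisms. The following added example (not part of the original slides; Alice’s message, the shared key and the tampered text are constructed values) shows why a bare document hash detects only accidental change while an HMAC also protects origin: an active attacker can recompute a hash but cannot forge a tag without the key.

```python
import hashlib
import hmac

# Constructed sample: Alice's message to Bob and their shared secret key
# (hypothetical values; a real key would come from secrets.token_bytes).
ALICE_KEY = b"constructed-shared-secret-key-for-alice-and-bob"
MESSAGE = b"Pay Carol 100 dollars"
MODIFIED = b"Pay Mallory 100 dollars"   # what the attacker substitutes


def digest(data: bytes) -> str:
    """Plain SHA-256 document hash: protects data integrity only."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: protects data integrity AND origin integrity, since
    only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the comparison result through timing
    return hmac.compare_digest(digest(data), expected)


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def tamper_with_hash_only() -> dict:
    """Active attacker (modification) replaces the message and simply
    recomputes the hash; Bob's check still passes, so nothing is detected."""
    h = digest(MESSAGE)
    forged_hash = digest(MODIFIED)        # needs no secret at all
    return {"original_ok": verify_hash(MESSAGE, h),
            "tampered_detected": not verify_hash(MODIFIED, forged_hash)}


def tamper_with_mac() -> dict:
    """Same attack against an HMAC-protected message. Without ALICE_KEY the
    attacker can only reuse the old tag or tag under a key of their own."""
    tag = mac(ALICE_KEY, MESSAGE)
    attacker_tag = mac(b"attacker-guessed-key", MODIFIED)
    return {"original_ok": verify_mac(ALICE_KEY, MESSAGE, tag),
            "reused_tag_detected": not verify_mac(ALICE_KEY, MODIFIED, tag),
            "forged_tag_detected": not verify_mac(ALICE_KEY, MODIFIED, attacker_tag)}
```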

Availability: the ability to use the information or resource desired.
- An unavailable system is at least as bad as no system at all
- Reliability. Example: compromised secondary, unavailable primary
- Denial of Service (DoS, DDoS): attempts to block availability; difficult to detect and distinguish
- The slashdot/digg/reddit effect

“An unavailable system is at least as bad as no system at all”: it hurts worse when things you rely on are not available. You own a car. It breaks down. You are late to work and have to pay for tow + repairs. You don’t own a car. You bike to work every day.

The reddit effect occurs when a popular website links to a smaller site, causing a massive increase in traffic. This overloads the smaller site, causing it to slow down or even temporarily become unavailable.

Examples
- Confidentiality: an employee should not come to know the salary of another employee
- Integrity: an employee should not be able to modify their own salary
- Availability: paychecks should be printed and delivered on time

The Basics: Threats and Attacks
- Threat: potential violation of security
- Attacks: actions that cause violations of security
- Attackers: those who execute attacks
- Assets: the objects of attack

4 classes of threat:
- Disclosure: unauthorized access to information
- Deception: acceptance of false data
- Disruption: interruption or prevention of correct operation
- Usurpation: unauthorized control of some part of a system

Threat: potential violation of security. The fact that the violation MIGHT occur means that those actions which could cause it to occur must be guarded against and prepared for. Threats include defects in design, implementation, and operation.
Attacks: actions that cause violations of security. Active vs. passive.
Attackers: actors who execute attacks.
Asset: objects of attack, e.g. computers and networks.

Garden Variety Threats
- Snooping
- Modification or Alteration
- Masquerading or Spoofing
- Repudiation of Origin
- Denial of Receipt
- Delay
- Denial of Service

Cause and Result are important, Intention is not.

Repudiation of origin: false denial that an entity sent or created something. DECEPTION. Countered by INTEGRITY.
Denial of Receipt: false denial that an entity received some information. DECEPTION. Countered by INTEGRITY.

Security violations can be unintentional (some of the worst have been). They can also be “carried out” by non-sentient processes. Mother Earth will sometimes rain on your parade, but she’s not out to get you. You still have to protect against her actions.

Snooping
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs

(Diagram: A sends to B; the Attacker listens in on the channel.)

Snooping: unauthorized interception of information. Passive wiretapping. A form of DISCLOSURE. Countered by CONFIDENTIALITY.

Modification
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again

(Diagram: A sends to B; the Attacker intercepts the message in between.)

Modification or alteration: unauthorized change made to data. Could be DECEPTION (some entity relies on the modified data to determine which action to take, or incorrect information is accepted as correct and released) or DISRUPTION and USURPATION (the modified data controls the operation of the system). Active wiretapping, man-in-the-middle. Countered by INTEGRITY.

Spoofing
- Unauthorized assumption of another’s identity
- Generate and distribute objects under this identity

(Diagram: the Attacker sends B a message labelled “from A”.)

Masquerading or spoofing: impersonation of one entity by another. DECEPTION and USURPATION. May be passive, usually active. Countered by INTEGRITY.

Delegation is a form of masquerading which is not a violation of security. “I am Tom doing business on behalf of Susan” is OK as long as Susan delegated authority to act on her behalf to Tom. Tom saying “I am Susan” is not OK.

Delay and Denial of Service
- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way (alias commands)
- Corrupt packets in transit
- Blatant denial of service (DoS): crashing the server; overwhelming the server (using up its resources)

(Diagram: A to B, with service delayed or denied.)

Delay: a temporary inhibition of service. DISRUPTION and USURPATION. Countered by AVAILABILITY.
Denial of Service: a long-term inhibition of service. DISRUPTION and USURPATION. Infinite delay. Countered by AVAILABILITY.

Man-In-The-Middle
- Passive tapping: listen to communication without altering contents.
- Active wiretapping: modify data being transmitted.

Example (diagram: user – attacker – server): the user sends “logon!” towards the server; the intruder takes over the identity of the user (masquerading). The user’s later “logoff!” is intercepted (X) and the user is told “fine!”.

Impact of Attacks
- Theft of confidential information
- Unauthorized use of network bandwidth and computing resources
- Spread of false information
- Disruption of legitimate services

All attacks can be related, and all are dangerous!

The Basics: Design Principles
- Simplicity: less to go wrong; fewer possible inconsistencies; easy to understand
- Restriction: minimize access; inhibit communication

The design principles are rooted in simplicity and restrictiveness. Simplicity lies on many levels. The basic idea is that simpler things have fewer components, so less can go wrong. Further, there are fewer interfaces, so there are fewer subjects communicating through the interfaces that can be inconsistent. Finally, they are easier to check, since the mechanism is not complex, and therefore easier to understand. There is also less to check.

Restriction minimizes the number and types of interactions between the subject and other subjects. In some (MIL/GOV) circles, an example is the “need to know” principle: only give the subject access to the information it needs to complete its task. It also should only be able to release information when required to by its goals. Note that this includes integrity, because by altering other subjects, the writer can communicate information (e.g. covert channels).

The Basics: Design Principles
- Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
- Fail-safe defaults: Base access decisions on permission rather than exclusion.
- Economy of mechanism: Keep the design as simple and small as possible.
- Complete mediation: Every access to every object must be checked for authority.
- Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.

Saltzer and Schroeder’s design principles were enumerated by Jerome Saltzer and Michael Schroeder in their 1975 article The Protection of Information in Computer Systems; from their experience, these principles are important for the design of secure software systems.

Fun example of a non-fail-safe default: the Christmas classic movie “Die Hard”. Hans Gruber and the vault. The last stage is an electromagnetic lock: power cut, vault unlocked. Bad design!
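Fail-safe defaults and complete mediation are easiest to see in a tiny access-control mediator. This added example (not from the slides; the payroll file, users and actions are constructed) contrasts an exclusion-based check, which lets an unknown subject through, with a permission-based one that denies by default, and re-checks authority on every read so that a revoked permission takes effect on an already-open handle.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    allowed: dict = field(default_factory=dict)  # subject -> set of permitted actions

def make_payroll() -> Resource:
    # Constructed sample (hypothetical users, actions and file name).
    return Resource("payroll.db",
                    allowed={"hr_clerk": {"read"}, "hr_manager": {"read", "write"}})

BLOCKED_USERS = {"intern"}  # exclusion list used by the weak check

def check_by_exclusion(user: str) -> bool:
    """Not fail-safe: decides by exclusion, so a subject listed nowhere gets in."""
    return user not in BLOCKED_USERS

def check_by_permission(resource: Resource, user: str, action: str) -> bool:
    """Fail-safe default: grant only on an explicit permission; an unknown
    subject or action maps to the empty set and is denied."""
    return action in resource.allowed.get(user, set())

class MediatedFile:
    """Complete mediation: authority is checked on every access, not only at
    open time, so a revocation after open() is honoured on the next read."""
    def __init__(self, resource: Resource, user: str):
        self.resource, self.user = resource, user

    def read(self) -> str:
        if not check_by_permission(self.resource, self.user, "read"):
            raise PermissionError(f"{self.user} may not read {self.resource.name}")
        return f"<contents of {self.resource.name}>"

def revoke(resource: Resource, user: str, action: str) -> None:
    resource.allowed.get(user, set()).discard(action)

def demo_unknown_user() -> dict:
    """'contractor' appears in neither list: the exclusion check fails open."""
    return {"exclusion_allows": check_by_exclusion("contractor"),
            "permission_allows": check_by_permission(make_payroll(), "contractor", "read")}

def demo_revocation() -> dict:
    """Read, revoke, read again on the same handle."""
    payroll = make_payroll()
    handle = MediatedFile(payroll, "hr_clerk")
    before = handle.read().startswith("<contents")
    revoke(payroll, "hr_clerk", "read")
    try:
        handle.read()
        after = True
    except PermissionError:
        after = False
    return {"before_revoke": before, "after_revoke": after}
```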

The Basics: Design Principles
- Open design: The design should not be secret.
- Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
- Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
- Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker.
- Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.

Work factor = what is “enough” security? Threat model → risk analysis / management.
Compromise recording = auditing.
Security is risk management.

Summary
- No Security without Physical Security
- The Security Triad: Confidentiality, Integrity, Availability. Also: Anonymity, Authenticity, Assurance, Authorization, Accounting, Auditing
- Threats, Attacks, Attackers, Assets
- Threat Classes: Disclosure, Deception, Disruption, Usurpation
- Common Threats: Snooping, Spoofing, Modification, Denial of Service, MitM
- Security Principles: Simplicity and Restriction. Economy of Mechanism, Fail-safe Defaults, Complete Mediation, Open Design, Separation of Privilege, Least Privilege, Least Common Mechanism, Psychological Acceptability

Thanks and Gig ‘em! WHOOP!