1
EEC 688/788 Secure and Dependable Computing
Lecture 1
Wenbing Zhao
Department of Electrical and Computer Engineering, Cleveland State University
2
EEC688/788 Secure and Dependable Computing
Outline
- Motivation
- Syllabus
- Basic terminology
- Dependability concepts
  - Attributes
  - Fault, error, and failure
  - Approaches to achieving dependability
- Security concepts
  - Vulnerabilities, threats, attacks, and controls
11/16/2018 EEC688/788 Secure and Dependable Computing
3
Motivation
Why is secure and dependable computing important?*
- Increased reliance on software to optimize everything from business processes to engine fuel economy
- Relentlessly growing scale and complexity of systems and systems-of-systems
- Near-universal reliance on a commodity technology base that is not specifically designed for dependability
- Growing stress on legacy architectures (both hardware and software) due to ever-increasing performance demands
- Worldwide interconnectivity of systems
- Continual threats of malicious attacks on critical systems
*Taken from “A high dependability computing consortium”, James H. Morris, CMU
4
More Motivation
- The cost of poor software is very high
  - Annual cost to the US economy of poor quality software: $60B (source: US NIST Report, May 2002)
- Industry needs greater dependability and security
  - Improved quality of products
  - Improved quality of development processes
  - Better system and network security, to avoid: viruses, trojans, denial of service, ...; network penetration, loss of confidential data, ...
  - Improved customer satisfaction
5
(1996 Cost of Downtime Study – by Contingency Planning Research)
6
Industry is Embracing Secure and Dependable Computing
- The hardware platforms are changing:
  - Smartcards
  - Pervasive computing / embedded systems
  - IBM, Sun “autonomic computing”
- Major PC dependability and security initiatives under way:
  - Trusted Computing Group (promoters: Intel, HP, Compaq, IBM, Microsoft)
  - Microsoft’s trustworthy computing push
  - Intel’s LaGrande dependable hardware
7
Course Objectives
- Have a solid understanding of the basic concepts and theory of secure and dependable computing
- Get familiar with some basic building blocks (tools and APIs) needed to build secure and dependable systems
- No attempt to be comprehensive: topics covered are what I am interested in and what I think is important
8
Prerequisite
- Operating system principles
  - Processes, scheduling, file systems, etc.
- Java programming language
  - At least you should know how to write a Hello World program
  - You don’t have to be a Java expert
- Computer networks
  - TCP, UDP, IP, Ethernet, etc.
9
Outline of Lectures
- Dependability concepts
- Introduction to computer and network security
  - Cryptography, secure communication, intrusion detection and prevention
- Dependability techniques
  - Logging & checkpointing
  - Recovery-oriented computing
  - Replication
  - Group communication systems
  - Consensus and Paxos
  - Byzantine fault tolerance
10
Outline of Labs
- Lab 0 – Getting familiar with Linux
- Lab 1 – Secure shell
- Lab 2 – Secure computing in Java
- Lab 3 – Group communication with Spread toolkit
11
Course Projects
- Write a short survey paper on a particular topic and make a presentation. The topic must be approved by the instructor.
- May form a team of up to 2.
- The team is expected to survey 5-10 research papers, among them at least 2 must be published within 5 years.
12
Exam
- One midterm on security
- One final exam on fault tolerance
- Exams are closed book and closed notes, except that you are allowed to bring with you a one-page cheat sheet no larger than US letter size (double-sided allowed)
- There is no makeup exam!
13
Grading Policy
- Class participation (20%)
- Lab reports (10%)
- Project (30%)
- Exams (40%)
14
Grading Policy
- A: %
- A-: 85-89%
- B+: 80-84%
- B: 75-79%
- B-: 70-74%
- C+: 65-69%
- C: 60-64%
- F: <60%
15
Class Participation
- 20% of the course credit
- To obtain the full credit for class participation, you must satisfy ALL of the following conditions:
  - You do not miss more than 2 lectures
  - You do not miss any exam and lab sessions
  - You ask at least 10 questions during the semester
- You will lose all 20% credit if you miss more than 6 lectures/labs/presentations
- For undergraduate students: (if you choose the labs option)
16
Do not cheat!
- Do not copy other students’ lab reports, exams or projects
- Do not copy someone else’s work found on the Internet
  - Including project implementation and report
  - You can quote a sentence or two, but put those in quotes and give a reference
- You can build your projects on top of open source libraries, but again, you should explicitly give acknowledgement and state clearly which parts are implemented by you
17
Consequences for Cheating
- You get 0 credit for the project/lab/exam on which you cheated
- If the task is worth 25% or more of the course, it is considered a major infraction
- Otherwise, it is considered a minor infraction
- For a major infraction or repeated minor infractions:
  - You will get an F grade, and
  - You may be suspended or expelled from CSU (CSU Code of Conduct)
18
Reference Texts
- Building Dependable Distributed Systems, by Wenbing Zhao, Wiley-Scrivener, March 2014
- Security in Computing (4th Edition), by Charles P. Pfleeger, Shari Lawrence Pfleeger, Prentice Hall, 2006
- Replication: Theory and Practice, edited by Bernadette Charron-Bost, Fernando Pedone, Andre Schiper, Springer, 2010
- Computer Networks (4th Edition), by Andrew S. Tanenbaum, Prentice Hall, 2003
- Cryptography and Network Security: Principles and Practices (3rd Edition), by William Stallings, Prentice Hall, 2003
- SSH, the Secure Shell (2nd Edition), by Daniel J. Barrett, Robert G. Byrnes, Richard E. Silverman, O'Reilly, 2005
19
Reference Texts
- Reliable Computer Systems: Design and Evaluation (3rd Edition), by Daniel P. Siewiorek and Robert S. Swarz, A K Peters, 1998
- Distributed Systems: Principles and Paradigms, by Andrew S. Tanenbaum and Maarten van Steen, Prentice Hall, 2002
- Reliable Distributed Systems: Technologies, Web Services, and Applications, by Kenneth P. Birman, Springer, 2005
- Network Intrusion Detection (3rd Edition), by Stephen Northcutt, Judy Novak, New Riders Publishing, 2002
20
EEC688/788: Secure & Dependable Computing
Terminology
- A system is an entity that interacts with other entities, i.e., other systems, including hardware, software, humans, and the physical world with its natural phenomena
- These other systems are the environment of the given system
- The system boundary is the common frontier between the system and its environment
- A system may consist of one or more components, such as nodes or processes
(Figure: System, System Boundary, Environment)
21
Terminology
- State: determines the status of the system
  - A system may be recovered to where it was before a failure if its state was captured and survives the failure
- Service delivered by a system: work done that benefits its users
- User/Client: another system that interacts with the former
- Function of a system: what the system is intended to do
- (Functional) Specification: description of the system function
- Correct service: when the delivered service implements the system function
Note: use a calculator as an example. Service: calculation service. User: whoever wants to perform a calculation using the service. Function: calculation. Spec: add, subtract, multiply, divide, etc. Correct service: add: 1+1=2, etc.
22
Dependability and its Attributes
Dependability refers to the ability of a distributed system to provide correct services to its users despite various threats to the system such as undetected software defects, hardware failures, and malicious attacks
A dependable system has the following attributes:
- Availability: a measure of the readiness of the system
- Reliability: a measure of the system’s capability of providing correct services continuously for a period of time
- Integrity: the capability of the system to protect its state from being compromised due to various threats
- Maintainability: the capability of the system to evolve after it is deployed
- Safety: when the system fails, it does not cause catastrophic consequences
23
Quantitative Dependability Measures
- Availability: a measure of the readiness of the system
  - It is the probability of being operational at a given instant of time
  - A availability means that the system is not operational at most one hour in a million hours
  - A system with high availability may in fact fail. However, failure frequency and recovery time should be small enough to achieve the desired availability
  - Soft real-time systems such as telephone switching and airline reservation require high availability
25
Quantitative Dependability Measures
- Reliability: a measure of continuous delivery of correct service. It is the probability of surviving (potentially despite failures) over an interval of time
  - May also be evaluated as time to failure
  - For example, the reliability requirement might be stated as a availability for a 10-hour mission. In other words, the probability of failure during the mission may be at most 10^-6
  - Hard real-time systems such as flight control and process control demand high reliability, in which a failure could mean loss of life
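The availability and reliability figures on the two slides above, worked through in Python. This is an added example, not part of the lecture slides. It assumes two standard models the slides do not state: steady-state availability as MTTF / (MTTF + MTTR), i.e. a system alternating between working periods and repair periods, and reliability R(t) = exp(-λt) under a constant failure rate λ (exponential model). All numeric inputs are constructed.

```python
import math

HOURS_PER_YEAR = 365 * 24


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the long-run fraction of time the system is
    operational. Assumes the system alternates between working periods of mean
    length MTTF and repair periods of mean length MTTR (an assumed model; the
    slides only say failure frequency and recovery time must both be small)."""
    return mttf_hours / (mttf_hours + mttr_hours)


def downtime_per_year_hours(avail: float) -> float:
    """Expected hours of downtime per year for a given availability."""
    return (1.0 - avail) * HOURS_PER_YEAR


def reliability(failure_rate_per_hour: float, mission_hours: float) -> float:
    """R(t) = exp(-lambda * t): probability of no failure during a mission of
    length t, assuming a constant failure rate lambda (exponential model)."""
    return math.exp(-failure_rate_per_hour * mission_hours)


def max_failure_rate(mission_hours: float, max_failure_prob: float) -> float:
    """Largest constant failure rate for which the probability of failing
    during the mission stays at or below max_failure_prob, i.e. solve
    1 - exp(-lambda * t) = p for lambda."""
    return -math.log(1.0 - max_failure_prob) / mission_hours


if __name__ == "__main__":
    # "not operational at most one hour in a million hours"
    a = availability(999_999.0, 1.0)                      # 0.999999
    print(f"A={a:.6f}: downtime {downtime_per_year_hours(a) * 3600:.1f} s/year")

    # constructed: a system that fails about every four days and takes an hour to recover
    a2 = availability(100.0, 1.0)
    print(f"MTTF 100 h / MTTR 1 h: A={a2:.4f}, downtime {downtime_per_year_hours(a2):.1f} h/year")

    # 10-hour mission with failure probability at most 1e-6
    lam = max_failure_rate(10.0, 1e-6)
    print(f"required failure rate <= {lam:.3e} per hour (MTTF >= {1 / lam:.3e} h)")
    print(f"R(10 h) = {reliability(lam, 10.0):.6f}")
```

The two measures answer different questions: availability says how much of the time the service is up (so a short MTTR can compensate for frequent failures), while the mission reliability bound forces the failure rate itself to be tiny, since no repair is possible mid-flight.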
26
Fault, Error, and Failure
- The adjudged or hypothesized cause of an error is called a fault
- An error is a manifestation of a fault in a system, in which the logical state of an element differs from its intended value
- A service failure occurs if the error propagates to the service interface and causes the service delivered by the system to deviate from correct service
- The failure of a component causes a permanent or transient fault in the system that contains the component
- Service failure of a system causes a permanent or transient external fault for the other system(s) that receive service from the given system
Circular definition? A fault is really a failure in a smaller scope
27
Fault
- Faults can arise during all stages in a computer system's evolution - specification, design, development, manufacturing, assembly, and installation - and throughout its operational life
- Most faults that occur before full system deployment are discovered through testing and eliminated
- Faults that are not removed can reduce a system's dependability when it is in the field
- A fault can be classified by its duration, nature of output, and correlation to other faults (and many other criteria)
28
Fault Types - Based on Duration
- Permanent faults are caused by irreversible device/software failures within a component due to damage, fatigue, improper manufacturing, or bad design and implementation
  - Permanent software faults are also called Bohrbugs
  - Easier to detect
- Transient/intermittent faults are triggered by environmental disturbances or incorrect design
  - Transient software faults are also referred to as Heisenbugs
  - A study shows that Heisenbugs are the majority of software faults
  - Harder to detect
Notes: Once a permanent fault has occurred, the faulty component can be restored by replacement or repair. Environmental disturbances include voltage fluctuations, electro-magnetic interference, or radiation; these events typically have a short duration, returning the affected circuitry to a normal operating state without causing any lasting damage. Example Heisenbug: temporary memory corruption? => leads to software aging
29
Fault Types - Based on Nature of Output
- Malicious fault: a fault that causes a unit to behave arbitrarily or maliciously. Also referred to as a Byzantine fault
  - A sensor sending conflicting outputs to different processors
  - A compromised software system that attempts to cause service failure
- Non-malicious faults: the opposite of malicious faults
  - Faults that are not caused with malicious intention
  - Faults that exhibit themselves consistently to all observers, e.g., fail-stop
  - A fail-stop system simply stops executing once it fails
- Malicious faults are much harder to detect than non-malicious faults
Note: if a sensor reads incorrectly but consistently to everyone, we say there is a non-malicious fault
30
Fault Types - Based on Correlation
- Component faults may be independent of one another or correlated
- A fault is said to be independent if it does not directly or indirectly cause another fault
- Faults are said to be correlated if they are related. Faults could be correlated due to physical or electrical coupling of components
- Correlated faults are more difficult to detect than independent faults
- What can you say about running three replicated processes on the same node?
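The closing question on this slide, worked through numerically. This is an added example in Python, not from the lecture; it assumes a simple binomial model in which each replica fails independently with probability p_replica_fail in some observation period, and a shared node fails with probability p_node_fail and takes every replica on it down together (a correlated fault). The probabilities are constructed.

```python
from math import comb


def p_at_least_k_up(p_fail: float, n: int, k: int) -> float:
    """Probability that at least k of n replicas are working, assuming each
    replica fails independently with probability p_fail (binomial model)."""
    p_up = 1.0 - p_fail
    return sum(comb(n, i) * p_up ** i * p_fail ** (n - i) for i in range(k, n + 1))


def survival_independent_nodes(p_replica_fail: float, n: int, k: int) -> float:
    """Each replica on its own node: only independent replica faults matter."""
    return p_at_least_k_up(p_replica_fail, n, k)


def survival_same_node(p_node_fail: float, p_replica_fail: float, n: int, k: int) -> float:
    """All replicas share one node. A node fault is a correlated fault that
    removes every replica at once, so the service survives only if the node is
    up AND at least k replicas survive their own independent faults."""
    return (1.0 - p_node_fail) * p_at_least_k_up(p_replica_fail, n, k)


if __name__ == "__main__":
    p_rep, p_node = 0.01, 0.01        # constructed per-period fault probabilities
    for k in (1, 2):                  # k=1: any one replica suffices; k=2: a majority of 3
        ind = survival_independent_nodes(p_rep, 3, k)
        same = survival_same_node(p_node, p_rep, 3, k)
        print(f"3 replicas, need {k}: independent nodes {ind:.6f}, same node {same:.6f}")
    print(f"single unreplicated process on that node: {(1 - p_node) * (1 - p_rep):.6f}")
```

With independent nodes, three replicas of which one must survive push the survival probability to 1 - 0.01^3. On a single node the result can never exceed 1 - p_node_fail, so the replication buys nothing against the fault the replicas share; that is what "correlated" means in practice and why detection is harder: all three fail at the same moment for the same reason.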
31
Approaches to Achieving Dependability
- Fault Avoidance: how to prevent, by construction, the fault occurrence or introduction
- Fault Removal: how to minimize, by verification, the presence of faults
- Fault Tolerance: how to provide, by redundancy, a service complying with the specification in spite of faults
- Fault Forecasting: how to estimate, by evaluation, the presence, the creation, and the consequences of faults
32
Computer Security and its Attributes
Computer security is synonymous with the following three attributes:
- Confidentiality: computer-related assets are accessed only by authorized parties. Confidentiality is sometimes called secrecy or privacy
- Integrity: assets can be modified only by authorized parties or only in authorized ways
- Availability: assets are accessible to authorized parties at appropriate times
We have seen that any computer-related system has both theoretical and real weaknesses. The purpose of computer security is to devise ways to prevent the weaknesses from being exploited
Source: Security in Computing, 4th Edition, by Charles P. Pfleeger, Shari Lawrence Pfleeger
33
Confidentiality
- Confidentiality is the concealment of information
  - Conceal the content of the information
  - Conceal the very existence of information
- The need for keeping information secret arises from the government and the industry
  - Enforce the “need to know” principle
- Achieving confidentiality: access control mechanisms
  - Cryptography: users without the cryptographic key cannot access unscrambled information
  - Other access control mechanisms may conceal the mere existence of data, such as steganography
- We also understand confidentiality well because we can relate computing examples to those of preserving confidentiality in the real world
34
Integrity
- Integrity refers to the trustworthiness of information, usually phrased in terms of preventing improper or unauthorized change
  - Data integrity: the content of the information
  - Origin integrity: the source of the data, i.e., authentication
- Integrity mechanisms:
  - Prevention mechanisms:
    - Blocking any unauthorized attempts to change the data
    - Blocking any attempts to change the data in unauthorized ways
  - Detection mechanisms: report that the data’s integrity is no longer trustworthy
    - Analyze system events to detect problems
    - Analyze the data itself to see if required or expected constraints still hold
Prevention example: suppose an accounting system is on a computer. Someone breaks into the system and tries to modify the accounting data. Then an unauthorized user has tried to violate the integrity of the accounting database. But if an accountant hired by the firm to maintain its books tries to embezzle money by sending it overseas and hiding the transactions, a user (the accountant) has tried to change data (the accounting data) in unauthorized ways (by moving it to a Swiss bank account). Adequate authentication and access controls will generally stop the break-in from the outside, but preventing the second type of attempt requires very different controls.
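The two kinds of integrity on this slide, data integrity and origin integrity, shown as detection mechanisms in Python. This is an added example, not from the slides or from Pfleeger's text. A stored SHA-256 digest reveals that content changed; an HMAC over the same content with a shared secret key additionally tells you who produced it, because only a holder of the key can produce a valid tag. The key, the accounting record and the tampered record are constructed for the demo.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects change of the content when compared
    with a digest recorded earlier (data integrity only)."""
    return hashlib.sha256(data).hexdigest()


def content_unchanged(data: bytes, recorded_digest: str) -> bool:
    """Data-integrity check: does the content still match the recorded digest?"""
    return hmac.compare_digest(digest(data), recorded_digest)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: binds the content to whoever holds the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def origin_verified(key: bytes, data: bytes, received_tag: str) -> bool:
    """Origin-integrity check: was this exact content produced by a holder of
    key? compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(tag(key, data), received_tag)


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"   # constructed; real keys come from a key store
    record = b"acct=1001;balance=250.00"          # constructed accounting record
    recorded = digest(record)                     # stored next to the record
    sent_tag = tag(key, record)                   # produced by the legitimate origin

    tampered = b"acct=1001;balance=999999.00"     # constructed unauthorized change
    return {
        # detection of a changed record via the recorded digest
        "unchanged_ok": content_unchanged(record, recorded),
        "tamper_detected": not content_unchanged(tampered, recorded),
        # a digest alone says nothing about origin: anyone can recompute it for new content
        "recomputed_digest_passes": content_unchanged(tampered, digest(tampered)),
        # the keyed tag does: without the key no valid tag can be produced
        "origin_ok": origin_verified(key, record, sent_tag),
        "forged_tag_rejected": not origin_verified(key, tampered, tag(b"some-other-key", tampered)),
        "tampered_under_valid_tag_rejected": not origin_verified(key, tampered, sent_tag),
    }
```

The "recomputed_digest_passes" entry is the point of the distinction: a plain digest stored next to the data is a detection mechanism for accidental change, but an intruder who can rewrite the record can rewrite the digest too, so origin integrity needs a secret the intruder does not hold (or a signature, which the slides cover later under cryptography).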
35
Working with Confidentiality & Integrity
- With confidentiality, the data is either compromised or it is not
- With integrity, both the correctness and the trustworthiness of the data must be considered
  - Origin of the data
  - How well the data was protected before it arrived at the current machine
  - How well the data is protected on the current machine
- Evaluating integrity is often very difficult
36
Availability
- Availability refers to the ability to use the information desired
  - An aspect of reliability
  - Also an aspect of system design: an unavailable system is at least as bad as no system at all
- Why is availability relevant to security?
  - Someone may deliberately arrange to deny access to data or to a service by making it unavailable
  - Denial of service attacks: attempts to block availability
- It is very difficult to detect denial of service attacks
  - Must determine if the unusual access patterns are attributable to deliberate manipulation of resources or of the environment (i.e., an atypical event)
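A small illustration of the detection difficulty on this slide: a per-source sliding-window rate check run over constructed access-log lines. This is an added example in Python, not from the lecture; the log format ("<unix_seconds> <source> <path>"), the sources and the thresholds are all constructed. It flags the one source that sends many requests in a short window, which is exactly what a legitimate flash crowd or a misconfigured client also looks like, so the detector answers "unusual pattern?" but not "deliberate?".

```python
from collections import defaultdict, deque


def make_sample_log() -> list:
    """Constructed access-log lines, one request per line."""
    lines = []
    # a normal client: five requests spread over two minutes
    for i in range(5):
        lines.append(f"{100 + 30 * i} 10.0.0.5 /index")
    # a burst: fifty requests from one source within ten seconds
    for i in range(50):
        lines.append(f"{200 + i // 5} 10.0.0.9 /login")
    lines.sort(key=lambda s: int(s.split()[0]))
    return lines


def parse(line: str):
    ts, src, path = line.split(maxsplit=2)
    return int(ts), src, path


def flag_sources(lines, window_s: int = 10, max_requests: int = 20) -> dict:
    """Sliding-window rate check per source. Returns {source: first timestamp
    at which that source exceeded max_requests within window_s seconds}."""
    recent = defaultdict(deque)    # source -> timestamps inside the current window
    flagged = {}
    for line in lines:
        ts, src, _ = parse(line)
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in flag_sources(make_sample_log()).items():
        print(f"{src}: exceeded rate limit at t={ts}")
```

Whether the flagged source is an attack or an atypical but legitimate event (a product launch, a retry storm after an outage) is the attribution step the slide calls difficult; the rate check only supplies the candidate.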
37
Availability
- The security community is just beginning to understand what availability implies and how to ensure it
- A small, centralized control of access is fundamental to preserving confidentiality and integrity, but it is not clear that a single access control point can enforce availability
- Much of computer security's past success has focused on confidentiality and integrity; full implementation of availability is security's next great challenge
38
Relationship of Security Goals
- A secure system must meet all three requirements
- The challenge is how to find the right balance among the goals, which often conflict
- For example, it is easy to preserve a particular object's confidentiality in a secure system simply by preventing everyone from reading that object
- However, this system is not secure, because it does not meet the requirement of availability for proper access
=> There must be a balance between confidentiality and availability
39
Relationship of Security Goals (figure)
40
Vulnerabilities, Threats, Attacks, & Controls
- A vulnerability is a weakness in the security system
- A threat to a computing system is a set of circumstances that has the potential to cause loss or harm
- A human who exploits a vulnerability perpetrates an attack on the system
- How do we address these problems? We use a control as a protective measure
  - A control is an action, device, procedure, or technique that removes or reduces a vulnerability
  - A threat is blocked by control of a vulnerability
- For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access
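The slide's own example of a vulnerability (data handed out without verifying the user's identity) beside the control that removes it. This is an added example in Python, not code from the lecture; the record store, session table, user names and tokens are constructed stand-ins for a real authentication system and database.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Record:
    owner: str
    body: str


# Constructed data store and session table.
RECORDS = {
    "r1": Record(owner="alice", body="alice's payroll"),
    "r2": Record(owner="bob", body="bob's payroll"),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> authenticated user


def read_record_vulnerable(record_id: str) -> str:
    """The weakness from the slide: data is returned without verifying who asks,
    so anyone who can reach this interface can read (and then manipulate) any record."""
    return RECORDS[record_id].body


def authenticate(token: str) -> str:
    """Control, part 1: map a session token to a verified identity, or refuse."""
    user = SESSIONS.get(token)
    if user is None:
        raise AccessDenied("no authenticated identity")
    return user


def read_record_controlled(token: str, record_id: str) -> str:
    """Control, part 2: authorize the verified identity against the record's
    owner. A missing record and a foreign record get the same refusal, so the
    interface does not reveal which record ids exist."""
    user = authenticate(token)
    record = RECORDS.get(record_id)
    if record is None or record.owner != user:
        raise AccessDenied("not permitted")
    return record.body


def denied(token: str, record_id: str) -> bool:
    """True if the controlled interface refuses this request."""
    try:
        read_record_controlled(token, record_id)
    except AccessDenied:
        return True
    return False
```

In the slide's terms, the control reduces the vulnerability (unverified identity) and thereby blocks the threat (unauthorized data manipulation); the threat itself, people who would like to alter payroll data, is unchanged.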
41
Threats, Vulnerabilities, and Controls (figure)
42
Type of Threats
- Interception: some unauthorized party has gained access to an asset
  - Example: illicit copying of program or data files, or wiretapping to obtain data in a network
  - Unlike a loss, which may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected
- Interruption: an asset of the system becomes lost, unavailable, or unusable
  - Example: malicious destruction of a hardware device
  - Example: erasure of a program or data file
  - Example: (distributed) denial of service attacks
- Modification: an unauthorized party not only accesses but tampers with an asset
  - Example: someone might change the values in a database, or alter a program so that it performs an additional computation
  - Example: modify a message being transmitted over the network
  - Some cases of modification can be detected with simple measures, but other, more subtle, changes may be almost impossible to detect
- Fabrication: an unauthorized party might create counterfeit objects on a computing system
  - Example: the intruder may insert spurious transactions into a network communication system or add records to an existing database
  - Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing
43
Type of Threats
Note: ask students to identify the figures w.r.t. interception, interruption, modification and fabrication
44
Threats: Methods, Opportunity, and Motive
A malicious attacker must have three things:
- Method: the skills, knowledge, tools, and other things with which to launch an attack
- Opportunity: the time and access to accomplish the attack
- Motive: a reason to want to perform this attack against this system
45
EEC688: Secure & Dependable Computing
Methods of Defense
- Harm occurs when a threat is realized against a vulnerability
- To protect against harm, we can neutralize the threat, close the vulnerability, or both
- The possibility for harm to occur is called risk
46
Methods of Defense
We can deal with harm in several ways. We can seek to:
- Prevent it, by blocking the attack or closing the vulnerability
- Deter it, by making the attack harder, but not impossible
- Deflect it, by making another target more attractive (or this one less so)
- Detect it, either as it happens or some time after the fact
- Recover from its effects
Intrusion tolerance is also a form of recovery because it enables the system to continue operating correctly despite attacks
47
Methods of Defense – Multiple Controls (figure)
48
Countermeasures / Controls
- Encryption
  - Scrambling process
- Software controls
  - Internal program controls, OS controls, development controls
- Hardware controls
  - Hardware or smart card implementations of encryption
- Policies and procedures
  - Example: change password periodically
- Physical controls
  - Example: locks on doors, guards at entry points
Software controls will be elaborated in more detail in the next slide