
1 Week 8 - Friday

2
- What did we talk about last time?
  - Bell-La Padula model
  - Clark-Wilson model
  - Chinese Wall model
  - Biba model

6 Taylor Ryan

8
- How do we know if something is secure?
- We define our security policy using our access control matrix
- We say that a right is leaked if it is added to an element of the access control matrix that doesn't already have it
- A system is secure if there is no way rights can be leaked
- Is there an algorithm to determine if a system is secure?

9
- In a mono-operational system, each command consists of a single primitive operation:
  - Create subject s
  - Create object o
  - Enter r into a[s,o]
  - Delete r from a[s,o]
  - Destroy subject s
  - Destroy object o
- In this system, we could check whether a right is leaked by examining a sequence of k commands

10
- Delete and Destroy commands can be ignored
- No more than one Create command is needed (in the case that there are no subjects)
- Entering rights is the trouble
- We start with a set S0 of subjects and a set O0 of objects
- With n generic rights, we might add all n rights to everything before we leak a right
- Thus, the maximum length of a command sequence that leaks a right is k ≤ n(|S0| + 1)(|O0| + 1) + 1
- If there are m different commands, how many different command sequences are possible?
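As an added example (not from the lecture), the Python below decides the mono-operational leak question for a small constructed system. Instead of enumerating all m^k command sequences of length k, it computes the closure of the matrix under the enter commands, with one fresh subject standing in for the single Create that may be needed; the command format, the names and the system itself are constructed for illustration.

```python
from itertools import product

# Added example (not from the lecture): deciding whether a right can leak in a
# mono-operational system.  A command is (formal parameters, conditions, enter);
# conditions and the single "enter" primitive are (subject, object, right) triples
# over the formal parameters.  Delete and Destroy are left out since, as argued
# above, they never help a leak, and only one Create is ever needed.

def enter_closure(subjects, objects, rights, commands):
    """Fixpoint of the matrix under every enter command and parameter binding.

    Enter commands only add (subject, object, right) triples, so iterating to a
    fixpoint covers every reachable cell without enumerating m**k sequences."""
    rights = set(rights)
    names = subjects | objects
    changed = True
    while changed:
        changed = False
        for params, conds, (es, eo, er) in commands:
            for binding in product(names, repeat=len(params)):
                env = dict(zip(params, binding))
                if env[es] not in subjects:  # matrix rows exist only for subjects
                    continue
                if all((env[s], env[o], r) in rights for s, o, r in conds):
                    triple = (env[es], env[eo], er)
                    if triple not in rights:
                        rights.add(triple)
                        changed = True
    return rights

def leaks(subjects, objects, initial, commands, right):
    """True if some command sequence enters `right` into a cell lacking it."""
    # One fresh subject (usable as an object too) covers the single Create case.
    fresh = "new_subject"
    closure = enter_closure(subjects | {fresh}, objects | {fresh}, initial, commands)
    return any(t[2] == right and t not in initial for t in closure)

# Constructed system: alice owns file, and an owner may grant read to anyone.
SUBJECTS = {"alice", "bob"}
OBJECTS = {"alice", "bob", "file"}
INITIAL = {("alice", "file", "own"), ("alice", "file", "read")}
COMMANDS = [
    # grant_read(s, o, p): if own in a[s,o] then enter read into a[p,o]
    (("s", "o", "p"), [("s", "o", "own")], ("p", "o", "read")),
]

if __name__ == "__main__":
    print("read leaks:", leaks(SUBJECTS, OBJECTS, INITIAL, COMMANDS, "read"))  # True
    print("own leaks:", leaks(SUBJECTS, OBJECTS, INITIAL, COMMANDS, "own"))    # False
```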

11
- A Turing machine is a mathematical model for computation
- It consists of a head, an infinitely long tape, a set of possible states, and an alphabet of characters that can be written on the tape
- A list of rules says what it should write and whether it should move left or right, given the current symbol and state
[Figure: a tape reading 1011110000 with the head in state A]

12
- 3-state, 2-symbol "busy beaver" Turing machine:
  - Starting state A
  - Transition table:

    Tape symbol | State A (write, move, next) | State B (write, move, next) | State C (write, move, next)
    0           | 1, R, B                     | 0, R, C                     | 1, L, C
    1           | 1, R, HALT                  | 1, R, B                     | 1, L, A
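An added simulator (not from the lecture) for the busy beaver table above: run() returns whether the machine halted, the number of steps taken and the number of 1s left on the tape. The max_steps cap is a constructed bound, since halting cannot be decided in general.

```python
# Added example (not from the lecture): simulating the 3-state, 2-symbol busy
# beaver from the table above.  The tape is a dict from position to symbol, so it
# is unbounded in both directions and reads as 0 wherever nothing has been written.

# (state, symbol) -> (write, move, next_state), exactly as in the slide's table
BUSY_BEAVER_3 = {
    ("A", 0): (1, "R", "B"), ("A", 1): (1, "R", "HALT"),
    ("B", 0): (0, "R", "C"), ("B", 1): (1, "R", "B"),
    ("C", 0): (1, "L", "C"), ("C", 1): (1, "L", "A"),
}

def run(rules, start="A", max_steps=1000):
    """Run the machine; return (halted, steps, ones_on_tape).

    max_steps is a constructed bound: because halting is undecidable, no general
    procedure can tell us in advance whether waiting longer would ever pay off.
    """
    tape, head, state, steps = {}, 0, start, 0
    while state != "HALT":
        if steps >= max_steps:
            return False, steps, sum(tape.values())
        write, move, state = rules[(state, tape.get(head, 0))]
        tape[head] = write
        head += 1 if move == "R" else -1
        steps += 1
    return True, steps, sum(tape.values())

if __name__ == "__main__":
    print(run(BUSY_BEAVER_3))  # (True, 14, 6)
```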

13
- If an algorithm exists, a Turing machine can perform that algorithm
- In essence, a Turing machine is the most powerful model we have of computation
- Power, in this sense, means the ability to compute some function, not the speed associated with its computation

14
- Given a Turing machine and input x, does it reach the halt state?
- It turns out that this problem is undecidable
- That means that there is no algorithm that can be used to determine whether an arbitrary Turing machine will go into an infinite loop
- Consequently, there is no algorithm that can take any program and check whether it goes into an infinite loop

16
- We can simulate a Turing machine using an access control matrix
- We map the symbols, states and tape of the Turing machine onto the rights and cells of an access control matrix
- Discovering whether or not the right leaks is equivalent to determining whether the Turing machine halts with a 1 or a 0

17
- Without heavy restrictions on the rules of an access control system, it is impossible to construct an algorithm that will determine whether a right leaks
- Even for a mono-operational system, the problem might take an infeasible amount of time
- But we don't give up!
- There are still lots of ways to model security
- Some of them offer more practical results

19
- Saltzer and Schroeder wrote an important paper in 1975 that gave 8 principles that should be used in the design of any security mechanism
  1. Least privilege
  2. Fail-safe defaults
  3. Economy of mechanism
  4. Complete mediation
  5. Open design
  6. Separation of privilege
  7. Least common mechanism
  8. Psychological acceptability
- These principles will be part of Project 3

20
- The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task
- This principle restricts how privileges are granted
- You're not supposed to get any more privileges than absolutely necessary
- Examples
  - JayWeb
  - Unix systems
  - Windows systems?

21
- The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object
- This principle restricts how privileges are initialized
- A subject should always be assumed not to have access
- Examples
  - Airports
  - Unix systems
  - Windows systems?

22
- The principle of economy of mechanism states that security mechanisms should be as simple as possible
- This principle simplifies the design and implementation of security mechanisms
- The more complex a system is, the more assumptions are built in
- Complex systems are hard to test
- Examples
  - Die Hard
  - Houdini

23
- The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed
- This principle restricts the caching of information (and also direct access to resources)
- The OS must mediate all accesses and make no assumption that privileges haven't changed
- Examples
  - Banks
  - Unix systems

24
- The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation
- "Security through obscurity" fallacy
- Examples
  - Enigma
  - RSA
  - Lock-picking

25
- The principle of separation of privilege states that a system should not grant permission based on a single condition
- Security should be based on several different conditions (perhaps two-factor authentication)
- Ideally, secure mechanisms should depend on two or more independent verifiers
- Examples
  - Nuclear launch keys
  - PhD qualifying exams
  - Roaccutane (used to be Accutane)

26
- The principle of least common mechanism states that mechanisms used to access resources should not be shared
- Sharing opens channels for communication
- Sharing also lets malicious users or programs affect the integrity of other programs or data
- Examples
  - Virtual memory
  - File systems

27
- The principle of psychological acceptability states that security mechanisms should not make the resource (much) more difficult to access than if the security mechanisms were not present
- Twofold issues:
  - Users must not be inconvenienced, or they might fight against the system or take their business elsewhere
  - Administrators must find the system easy to administer
- Examples
  - Windows UAC
  - Retina scans
  - Changing your password all the time

29
- A typical OS will make efforts to protect security in a number of ways:
  - User authentication
  - Memory protection
  - File and I/O device access control
  - Allocation of and access to general objects
  - Enforced sharing
  - Guaranteed fair service
  - Interprocess communication and synchronization
  - Protection of OS data

30
- A trusted OS is similar to a normal OS, except that it puts a layer of access control around everything
- A trusted OS will typically be careful about:
  - User identification and authentication
  - Mandatory access control
  - Discretionary access control
  - Object reuse protection
  - Complete mediation
  - Trusted paths
  - Auditing
  - Intrusion detection

31
- Mandatory access control (MAC) means that the controls are enforced by rules in the system, not by user choices
- Bell-La Padula is a perfect example of MAC
- Discretionary access control (DAC) means that the user has control over who can access the objects he or she owns
- Linux and Windows are largely DAC systems
- Most real systems have elements of both

32
- When a file is deleted, it isn't actually deleted
- Its blocks are unlinked from the file system
- When you create a new file, it usually uses a block from an old deleted file
- You can examine the contents of that block and reconstruct some or all of the deleted file
- Software is available for home users to undelete files
- Digital forensics experts use more powerful tools in criminal investigations
- The problem is that object reuse allows for security violations
- A regular OS often does this and other kinds of object reuse for efficiency
- A trusted OS will sacrifice efficiency for security

33
- Complete mediation means that every access goes through the system
- All resources are checked
- Past permissions are no guarantee of future permissions
- A trusted path means an unmistakable process for performing protected tasks
- Phishing is the opposite of a trusted path
- Some attacks on OS users rely on getting them to download a file with the same name as a system command, which will then be run instead if they execute from the same directory

34
- Trusted systems also keep an audit log of all security-relevant actions that have been taken
- Unfortunately, audit logs can become huge
- Even if an illegal access is known to have happened, it might be impossible to find it in the logs
- Audit reduction is the process of reducing the log to its critical events
- This may require sophisticated pattern recognition software

35
- One approach to making a trusted system is a kernelized design
- A security kernel is the low-level part of the OS that enforces security mechanisms
  - It can be a unified layer sitting between the hardware and the rest of the OS
  - Or it can be spread throughout the entire OS
- The reference monitor is the most important part of the security kernel
  - It controls accesses to objects
  - It should be tamperproof, unbypassable, and analyzable

36
- Virtualization means presenting the user with a virtual machine
- The user can interact with the virtual machine but cannot directly affect the real hardware
- Virtual memory is a great example of this
- Your program sees memory starting at 0 and going up to some limit, but the OS maps this transparently to the real memory

38
- User interaction is problematic because input is often not under the direct control of the OS
- Hardware can vary, and it is hard to check all software drivers
- Sometimes security measures are bypassed for efficiency
- Ambiguity in access policy
- Incomplete mediation
- Generality
  - Customizability leads to unpredictable configurations or to special modules that need high-privilege access
- Time-of-check to time-of-use issues

39
- There are many methods to provide assurance that a system has few vulnerabilities:
  - Testing
  - Penetration testing
  - Formal verification
  - Validation
  - Open source model

40
- We discussed testing briefly before
- It has problems:
  - Testing can find problems, but it can't find the lack of problems
  - Testing takes time and effort because the number of states a program can undergo is exponential in its length
  - Black box testing cannot be guaranteed to be complete
  - Code introduced into a program to test it can change its behavior
  - Complex systems can have errors that are difficult to reproduce
- It is still the most common form of assurance

41
- Penetration testing (or tiger team analysis or ethical hacking) is a kind of testing where experts try to use every trick they can to break a system
- It is an art requiring creativity and a science requiring deep technical knowledge
- It is not a panacea, but there is money to be made as a penetration tester

42
- It is possible to prove that some programs do specific things
- You start with a set of preconditions
- You transform those conditions with each operation
- You can then guarantee that, given the initial preconditions, certain postconditions will be met
- Using this precondition/postcondition approach to formally describe programming languages is called Hoare semantics
- Proving things about complex programs is hard and requires automated tools called theorem provers
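A worked Hoare-style derivation, added here as an illustration and not from the lecture, for a three-assignment swap of x and y using a temporary t: the postcondition is pushed backward through each assignment with the assignment rule, and the condition that comes out is compared with the stated precondition.

```latex
\text{Claim: } \{x = a \land y = b\}\; t := x;\; x := y;\; y := t\; \{x = b \land y = a\}

\text{Assignment rule: } \{P[e/v]\}\; v := e\; \{P\}
\quad\text{(substitute } e \text{ for } v \text{ in the postcondition)}

\{x = b \land t = a\}\; y := t\; \{x = b \land y = a\}
\{y = b \land t = a\}\; x := y\; \{x = b \land t = a\}
\{y = b \land x = a\}\; t := x\; \{y = b \land t = a\}

\text{The derived precondition } y = b \land x = a \text{ is exactly the stated one, so the triple holds.}
```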

43
- Validation is checking the design against the requirements
- Verification is checking the implementation against the design
- OS validation is often done in the following ways:
  - Requirements checking
  - Design and code reviews
  - System testing

44
- In open source systems, the software is freely available for public use and criticism
- In most cases, anyone sufficiently skilled can even add their own code to the systems
- They are popular
  - Microsoft CEO Steve Ballmer said in 2008 that 60% of the web servers in the world run Linux
- The open source security advantage is that a huge number of people can look for flaws
- The open source security disadvantage is the same
- Research suggests that a product being open source or closed source is not the key determiner of security

46
- Finish OS assurance and evaluation
- Database background
- Database security requirements
- Claire Chambless presents

47
- Read Sections 6.1 and 6.2
- Finish Assignment 3
  - Due tonight before midnight
- Keep working on Project 2
  - Due next Friday

