Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments presented by Toby.

Published byJoseph Garrison Modified over 9 years ago

Similar presentations

Presentation on theme: "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments presented by Toby."— Presentation transcript:

1 The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments presented by Toby

2

3

4 Introduction

5

6 Introduction Premise 1.Ppl be debating lots of security additions without much talk about the operating systems

7 Introduction Premise 1.Ppl be debating lots of security additions without much talk about the operating systems 2.Debates are flawed—assume that application level security can be attained on current operating systems

8 Introduction Premise 1.Ppl be debating lots of security additions without much talk about the operating systems 2.Debates are flawed—assume that application level security can be attained on current operating systems 3.Current (err.. 15 year old) operating systems are inadequate from a security standpoint

9 2 The Missing Link

10 Mandatory Security Trusted Path

11 2 The Missing Link Mandatory Security Mandatory Security: “...any security policy where the definition of the policy logic and the assignment of security attributes is tightly controlled by a system security policy administrator.” –this paper The user should have no influence over the security policy in theory

12 2 The Missing Link Mandatory Security Example systems that should have Mandatory Security: access control authentication usage cryptographic usage

13 2 The Missing Link Mandatory Security According to the big black box, Mandatory Security has these general benefits: Confinement of applications (from a security standpoint) Lack of burden on individual users to manage security Narrowing of bandwidth of channels for leaking private information Increased accountability of unauthorized private information flow

14 2 The Missing Link Mandatory Security Example of 1998 state of OSes Windows NT: Two security domains: Complete Privilege Complete Unprivileged Pretty coarse-grained

15 2 The Missing Link Trusted Path “A trusted path is a mechanism by which a user may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software.” –this paper

16 2 The Missing Link Trusted Path “A trusted path is a mechanism by which a user may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software.” –this paper

17 2 The Missing Link Trusted Path Example given: Windows NT: Trusted path given for stuff like password changing But no means for extending to other trusted software

18 3 General Examples

19 3 General Examples Access Control

20 4 Concrete Examples

21 4 Concrete Examples Mobile Code Mobile code probably meant something much different in 1998 Here: Java Mobile = portable Does not equal iPhone

22 4 Concrete Examples Mobile Code Java (1998): “not tamperproof or unbypassable” i.e. you can break boundaries of abstraction depends on the application-space access control for security e.g. executables could be tampered with

23 4 Concrete Examples Kerberos Malicious software could spoof client-side authentication Need a trusted path to guarantee this can’t happen Client’s password could be obtained

24 4 Concrete Examples Kerberos Malicious software could spoof client-side authentication Need a trusted path to guarantee this can’t happen Client’s password could be obtained

25 6 Summary

26 No single security mechanism will be a solution to security problems but we knew that Modern (1998) computing threats cannot be addressed without secure operating systems they were right Authors hoped to motivate interest in OS security well, people are interested don’t know if it’s their doing or not

Download ppt "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments presented by Toby."

Similar presentations

Security Issues in Mobile Code Systems David M.Chess, High Integrity Computing Lab, IBM T.J. Watson Research Center Hawthorne, NY, USA Mobile code systems.

Security Issues in Mobile Code Systems David M.Chess, High Integrity Computing Lab, IBM T.J. Watson Research Center Hawthorne, NY, USA Mobile code systems.
Operating System Security

Operating System Security
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
User Documentation.  You cannot build a system for a client and leave them without adequate documentation  Computer systems are complex, require configuration.

User Documentation.  You cannot build a system for a client and leave them without adequate documentation  Computer systems are complex, require configuration.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
Securing the Broker Pattern Patrick Morrison 12/08/2005.

Securing the Broker Pattern Patrick Morrison 12/08/2005.
Introduction Cloud characteristics Security and Privacy aspects Principal parties in the cloud Trust in the cloud 1. Trust-based privacy protection 2.Subjective.

Introduction Cloud characteristics Security and Privacy aspects Principal parties in the cloud Trust in the cloud 1. Trust-based privacy protection 2.Subjective.
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
Accounting, Protection, Security and More Fault Handling Gotchas May 26, 2000 Instructor: Gary Kimura.

Accounting, Protection, Security and More Fault Handling Gotchas May 26, 2000 Instructor: Gary Kimura.
Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Chapter 1  Introduction 1 Chapter 1: Introduction “Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
E-commerce security by Asif Dalwai 886 39 5409. Introduction E-commerce applications Threats in e-commerce applications Measures to handle threats Incorporate.

E-commerce security by Asif Dalwai Introduction E-commerce applications Threats in e-commerce applications Measures to handle threats Incorporate.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Trusted Path Client- server applications Using COTS components Tommy Kristiansen

Trusted Path Client- server applications Using COTS components Tommy Kristiansen
What does it mean for you?.  The protection of private, identifying information.  If information is accorded a confidential status, that status mandates.

What does it mean for you?.  The protection of private, identifying information.  If information is accorded a confidential status, that status mandates.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

Similar presentations

Ads by Google