Computers and Security: Fact of The Week


Principles of Computer Security

Author: Mark Burgess

Computers and Security


Fact of the week
This course is worth 10 ECTS points and will be based on continual assessment of your work. The course is an MSc level course, so it involves a good measure of work. On the other hand, higher level courses reward with higher grades than lower level courses, so the incentive is there for you to do the problems. Each week you must complete a set of problems that culminate in a result, which must be submitted. You must deliver all work by the relevant deadlines.

REVISE YOUR NOTES ON SECURITY FROM THE SYSTEM ADMINISTRATION COURSE

- Chapter 1, Gollmann
- Chapter 1, Bishop: Introduction to Computer Security
- Chapter 1, Bishop: Computer Security: Art and Science

Security is about protecting our assets and assumptions.

A man walks into a bank. He knows that he cannot crack the safe, because the safe is protected by a combination lock. So he pulls a gun and asks one of the bank employees to open it for him. Unfortunately, he is 10 years too late: there is no safe to crack. The money is stored in an automated container that the staff have no access to; it is impossible to open. Even the staff do not have a code without customer authorization. So he points his gun at the customers and says, "Empty your accounts."

A spy, or perhaps a journalist, stands outside the Pentagon and wonders how he'll find out about America's plans to destroy the axis of evil. He cannot get into the building; it's heavily guarded. He cannot crack into their computer system, because he doesn't know how to start. So he waits until one of the generals comes out to eat lunch at a local restaurant, and steals the general's laptop.

These examples might seem rather trivial, even flippant in their attitude to security. But they are classic examples of how to bypass the so-called security practices that have been used successfully for years.


What is computer security? You might have some ideas about this already: something to do with hackers or viruses? Maybe codes or encryption? This is what many companies would like us to believe, but in fact it has little to do with any of this. Security is much more interesting, and a lot harder.

Once more unto the bridge, dear friends


Imagine an island, connected to the world by a number of bridges. Behind the bridges is everything that we care about, all our wealth and assets. On the other side is everyone who could profit by stealing from us, harming us, or discrediting us. Perhaps we want to travel somewhere, carrying some of these assets. Venturing out into the world could be dangerous. We could be attacked, robbed, even killed.

This scenario is a general one, whether it be a military operation on a real island, or whether the island is a computer system and the bridges are network connections. The journey could be a network transmission. The principles of security are largely the same, regardless of whether we use computers or not.

To maintain our safety, our security and indeed our assets, we have to sacrifice the convenience of free travel to the outside, since free travel to and from our island would also allow others free travel to us. If we come into conflict, we have to face the possibility of loss or damage. One of our aims is to minimize the risk of loss.

Note that security is not necessarily about secrecy or keeping something for ourselves: one of our assets or interests could be the freedom to distribute information to customers, or to provide a service. If someone tries to prevent us from doing that, it is a destruction of our assets. Freedom to act is also an asset.

We must accept a certain level of risk! (Always.)

Security is about well-being (integrity) and about protecting property or interests from intrusions, stealing or wire-tapping (privacy: the right to keep a secret can also be stolen). In order to do that, in a hostile environment, we need to restrict access to our assets. To grant access to a few, we need to know whom we can trust, and we need to verify the credentials (authenticate) of those we allow to come near us.

Security is thus based on the following independent issues:

- Confidentiality/Privacy: the ability to keep things private/confidential.
- Trust: do we trust data from an individual or a host? Could they be used against us?
- Authenticity: are security credentials in order? Are we talking to whom we think we are talking to, privately or not?
- Integrity: has the system been compromised/altered already?
- Non-repudiation (strictly speaking, this is a matter of integrity): it should not be possible for users to deny or repudiate actions carried out (hide their tracks). This gives one the possibility of monitoring and even punishing those responsible for criminal actions. It is about preserving the integrity of evidence, or forensic tracks, laid by attackers.

Environments can be hostile because of:

- Physical threats: weather, natural disaster, bombs, power failures, etc.
- Human threats: stealing, trickery, bribery, spying, sabotage, accidents.
- Software threats: viruses, Trojan horses, logic bombs, denial of service.

What are we afraid of?

- Losing the ability to use the system.
- Losing important data or files.
- Losing face/reputation.
- Losing money.
- Spreading private information about people.

In the system administration course, we reviewed these issues from the perspective of a system manager, and discussed possible defenses. There we stated the fundamental requirement for security to exist: in order to secure a system, we require the ability to restrict access or privilege to the system.


If we are going to understand all the issues related to security, we need to see the problems from a greater number of perspectives. We need to open up some of the black boxes that we referred to in the system administration course and look inside. This is a journey that will touch upon topics from almost every course you have ever had.

In this course we shall cover many aspects of security in connection with computer systems. Whereas in system administration we looked at some of the practical aspects of computer security, here we look more carefully at the theory of the subject. This will allow us to bring in several new issues that we did not consider earlier. For instance, many computers are used in mission-critical systems, such as aircraft controls and machinery, where human lives are at stake. Thus reliability and safety are also concerns here (actually, these can be defined under the heading of integrity, if we think of an unreliable system as one whose behavior loses integrity).

Real-time systems are computer systems that are guaranteed to respond in real time to every request that is made of them. That means that a real-time system must always be fast enough to cope with any demand that is made of it. Real-time systems are required in cases where human lives and huge sums of money are involved. For instance, in a flight control system it would be unacceptable to give the command "Oh my goodness, we're going to crash, flaps NOW!" and have the computer reply with "Processing, please wait...".

Thus we need to use our imaginations, and ask the question: what is important to us? What do we need to protect?

A final point: when we are restricting access, in an environment where there is a thin line between trust and mistrust, accountability is often important. We can keep records of who does what, and hold people responsible for their actions. This is often important to organizations, since it means that they can blame someone else for their loss. This seems to be important to financial and political organizations.

The dilemma of security


The problem that we cannot get away from in computer security is that we can only have good security if everyone understands what security means, and agrees with the need for security. Security is a social problem/issue, because it has no meaning until a person defines what it means to them. I.e. it is about what happens when policy is broken.


If we make things difficult for users by imposing too many restrictions, they will tend to work around them, because people are essentially lazy. The harsh truth is this: in practice, most users have little or no understanding of security. This is our biggest security hole.

The meaning of security lies in trust


One thing that I am going to repeat many times in this course is the following mantra: Every security problem boils down to a question of trust in the end. Whom or what do we trust? We introduce the idea of security for protecting ourselves against parties whom we do not trust. But how do we solve this problem? Usually, we introduce some kind of technology to move trust from a risky place to a safer place.

For example, if we do not trust our neighbors not to steal our possessions, we put a lock on our door. We no longer have to trust our neighbors, but we have to trust that the lock will do its job in the way we expect. If we don't entirely trust the lock, we could install an alarm system that calls the police if someone breaks in. Now we are trusting the lock a little, the alarm system and the police. After all, who says that the police will not be the ones who steal your possessions? In some parts of the world, this idea is not so absurd.

Every day, we go about our lives placing our trust in banks, cash terminals (ATM/minibanks), course examiners, police, government, restaurants (will they poison us today?) and a hundred other things. We do not question this trust, because it is seldom broken. But that is not always the case.

When you learn to drive a dangerous piece of machinery, like a car, you are placing lives at risk, and most governments require you to pass an exam to show that you can use the equipment safely. Computer systems are just as capable of causing great damage, perhaps not to individuals so much as to society. We are so reliant on them that things fall apart quickly when they fail to work. Still, we do not demand that users take a driving test for computers. Nor do we demand that the computers themselves be safe to drive. Our trust in computers and their users is often quite misplaced. And this is where the problems lie.


Systems!
Security is a property of systems; it's not something you can buy. If you want an old house, you can't buy oldness (age); it is just a property of some houses. You cannot buy an age add-on for your house. Anyone selling security in a box is a fraud. An American admiral once said: "Before World War 2, everything was simple; after that, we had systems." Systems are rule-based, or algorithmic, protocols for working, often in collaboration with others. How do we do X? We follow a recipe. The problem arises because systems suffer from complexity and thus have bugs and unpredictable consequences. This is an important source of security problems. Weaknesses in systems can be dangerous in themselves, and malicious parties can exploit them.

Standardization: Orange Book


Standardization is a tactic in the war against disorder and chaos. Agreement about standards is a useful starting point for talking about security. Standardization leads to predictability, and predictability leads to trust. The main risk to computers is the people who come into contact with them: networked users. To minimize the effects of users on the system, we introduce security mechanisms.

The Trusted Computer Security Evaluation Criteria (TCSEC), the Orange Book, was the first attempt to specify a standard for security management in the US, in 1967. Although it concentrated on national security issues, the recommendations were also of general applicability. Windows NT made a song and dance about having a C2 security classification when it was released (actually this was only for a machine decoupled from the network, and with no floppy drive). Unix systems have always been roughly C2 compliant (see Gollmann chapter 10), though this actually means very little.

C2 security means having the ability to set file permissions, or Discretionary Access Controls (DAC). This requires users to have names and passwords, and it requires files to have permission bits and processes to have owners. C2 also requires the system to be able to log activity so that users have accountability. Few systems bother to log every little detail in this way, so C2 security is not very useful in practice, but it does mention the basics: login identity and access control.
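As an added illustration of the two "basics" just named (a login identity checked against permission bits, and logging for accountability) and of the non-repudiation point made earlier (preserving the integrity of the forensic trail so that users cannot hide their tracks), here is a small Python model. It is example code written for these notes, not the lecture's own material and not a real Unix implementation: the file metadata, users and auditor key are constructed, and the HMAC-chained audit log is an added technique standing in for a protected audit trail. Deleting or editing an entry that has later entries after it breaks the chain; truncating the tail is only caught if the latest tag is also kept somewhere the audited user cannot reach.

```python
import hashlib
import hmac
import json
import stat
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FileMeta:
    """Owner, group and mode bits of a file, as ls -l would show them."""
    path: str
    uid: int
    gid: int
    mode: int  # e.g. 0o640


@dataclass
class Subject:
    """An authenticated user: a login identity plus group memberships."""
    name: str
    uid: int
    gids: Tuple[int, ...]


def dac_allows(subj: Subject, f: FileMeta, want: str) -> bool:
    """Discretionary access control: pick the owner, group or other triple
    that applies to the subject and test the requested bit ('r', 'w', 'x').
    Root (uid 0) bypasses the check, as on a classic Unix system."""
    if subj.uid == 0:
        return True
    if subj.uid == f.uid:
        bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    elif f.gid in subj.gids:
        bits = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}
    return bool(f.mode & bits[want])


class AuditLog:
    """Append-only log. Each record's tag is an HMAC over the previous tag
    and its own content, so editing or removing an entry breaks every later
    tag. The key is assumed to be held by the auditor, not the audited user."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[dict] = []
        self._prev = b"\x00" * 32

    def record(self, subj: Subject, f: FileMeta, want: str, allowed: bool) -> None:
        entry = {"user": subj.name, "uid": subj.uid, "path": f.path,
                 "access": want, "allowed": allowed}
        body = json.dumps(entry, sort_keys=True).encode()
        tag = hmac.new(self._key, self._prev + body, hashlib.sha256).digest()
        self.records.append({**entry, "tag": tag.hex()})
        self._prev = tag

    def verify(self) -> bool:
        """Recompute the chain; False if any record was edited or deleted."""
        prev = b"\x00" * 32
        for rec in self.records:
            entry = {k: v for k, v in rec.items() if k != "tag"}
            body = json.dumps(entry, sort_keys=True).encode()
            tag = hmac.new(self._key, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag.hex(), rec["tag"]):
                return False
            prev = tag
        return True


def checked_access(log: AuditLog, subj: Subject, f: FileMeta, want: str) -> bool:
    """Decide and log in one step so that no decision escapes the record."""
    allowed = dac_allows(subj, f, want)
    log.record(subj, f, want, allowed)
    return allowed


def demo() -> Tuple[List[bool], bool, bool]:
    """Constructed scenario: a payroll file owned by 'alice' (uid 1000),
    group 50, mode 0640. Returns the access decisions, the chain check
    before tampering, and the chain check after one entry is deleted."""
    payroll = FileMeta("/srv/payroll.db", uid=1000, gid=50, mode=0o640)
    alice = Subject("alice", 1000, (1000, 50))
    bob = Subject("bob", 1001, (1001, 50))       # member of the file's group
    mallory = Subject("mallory", 1002, (1002,))  # no relation to the file
    log = AuditLog(key=b"constructed-auditor-key")
    decisions = [
        checked_access(log, alice, payroll, "w"),    # owner bits: rw-
        checked_access(log, bob, payroll, "r"),      # group bits: r--
        checked_access(log, bob, payroll, "w"),      # group has no w
        checked_access(log, mallory, payroll, "r"),  # other bits: ---
        checked_access(log, alice, payroll, "r"),
    ]
    intact = log.verify()
    del log.records[3]          # mallory tries to remove her own entry
    return decisions, intact, log.verify()


if __name__ == "__main__":
    print(demo())   # ([True, True, False, False, True], True, False)
```

The decision and the log write live in one function on purpose: an access check that can be called without leaving a record is exactly the gap that lets a user deny what they did.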


Implementing security: scales


Whenever we are faced with understanding something complicated, we need to do it level-by-level or scale-by-scale. It is remarkable how often this simple principle is forgotten and then rediscovered. If we look at a computer system, for instance, there are lots of levels at which it works:

- The interface between program and user
- The functionality provided by the program
- The algorithms which implement that functionality
- The act of communication with other systems
- Subsystems (e.g. system calls) which the program relies on
- The hardware the software runs on
- Any dependencies or trust relationships implicit in the system

At the top of this list, we have high-level issues, which are usually under our control, either by choice or by design. At the bottom are low-level issues, which we normally cannot do anything about. Security can be weak or strong at any of these levels, with different consequences in each case.

For example, consider a program that has a series of buttons and menus. Suppose the program controls a crucial computer system, handling hundreds of transactions per second for the stock market. If this program stops, it means real money will be lost. Periodically, it's necessary to buy or sell stocks. Suppose the buttons are arranged like this:

    |--------------------------------------------------|
    | Newsflash      Buy          Sell          Quit   |
    |--------------------------------------------------|
    |                                                  |
    |                                                  |
    |                     DISPLAY                      |
    |                                                  |
    |                                                  |
    |--------------------------------------------------|


This is an insecure user-interface, because a simple slip of the mouse could result in selecting Quit instead of Sell. We have a lot to lose by such a mistake.

The Newsflash function broadcasts news bulletins about buying/selling strategies and the day's secret password information to everyone on a list of names within the company. This information is not encrypted, so it is susceptible to sniffing or spoofing attacks. This function is an intrinsically insecure function of the program.

The algorithms that the program uses to calculate its prognoses use temporary files in a public file space, which could be modified by other users. Another user could therefore trick the program into calculating incorrectly. This is a security fault in the coding.

We could continue this deconstruction through all the levels of the program in a litany of condemnation. Suffice it to say that, at every level, there are potentially damaging flaws. We begin to see a pattern of thoughtless design faults that we could do something about.
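The temporary-file fault at the coding level is worth seeing concretely. The following Python is an added example written for these notes, not the stock-market program from the lecture: a "prognosis" routine that passes its working numbers through a scratch file. The function names, the scratch path and the input values are constructed. The insecure form uses a fixed name in a shared directory and reopens it by name, so whatever is in the file at read time is trusted regardless of who wrote it. The hardened form keeps the file in a private directory, creates it exclusively with mode 0600, checks the descriptor it actually opened, and reads back through that same descriptor, so there is no second trip through the file name for another user to interpose on.

```python
import os
import stat
import tempfile


def prognosis(values):
    """The calculation itself (a plain average), shared by both versions."""
    return sum(values) / len(values)


def insecure_compute(values, scratch_path, between=None):
    """Vulnerable form. `between` stands in for the window in which another
    user of the shared directory can replace the file; it exists only so
    that the effect of the race can be demonstrated offline."""
    with open(scratch_path, "w") as fh:
        fh.write("\n".join(str(v) for v in values))
    if between is not None:
        between()
    with open(scratch_path) as fh:               # trusts the name a second time
        values = [float(line) for line in fh]
    return prognosis(values)


def create_exclusive(path):
    """Create `path` only if nothing is there yet (O_EXCL) and refuse to
    follow a symlink placed at that name; a pre-planted file makes this
    raise FileExistsError instead of being silently reused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def descriptor_is_private(fd):
    """Inspect the file we actually opened: a regular file, owned by us,
    with no group/other permission bits. Checking the descriptor rather
    than the path leaves no check-then-use gap."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return (stat.S_IMODE(st.st_mode) & 0o077) == 0


def hardened_compute(values):
    """Hardened form: private 0700 directory, unpredictable name, exclusive
    create at 0600, and one descriptor for both the write and the read."""
    workdir = tempfile.mkdtemp(prefix="prognosis-")
    fd, path = tempfile.mkstemp(dir=workdir)       # O_CREAT|O_EXCL, mode 0600
    try:
        if not descriptor_is_private(fd):
            raise RuntimeError("scratch file is not private to this process")
        os.write(fd, "\n".join(str(v) for v in values).encode())
        os.lseek(fd, 0, os.SEEK_SET)
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        values = [float(line) for line in b"".join(chunks).decode().splitlines()]
    finally:
        os.close(fd)
        os.unlink(path)
        os.rmdir(workdir)
    return prognosis(values)


def demo():
    """Constructed run in a throwaway directory. Returns (clean insecure
    result, insecure result after the scratch file was swapped, hardened
    result, whether create_exclusive refused a pre-existing file)."""
    d = tempfile.mkdtemp(prefix="demo-")
    scratch = os.path.join(d, "prognosis.tmp")
    inputs = [1.0, 2.0, 3.0]
    clean = insecure_compute(inputs, scratch)

    def other_user_swaps_file():
        with open(scratch, "w") as fh:           # the other user's write
            fh.write("100\n100\n100")

    swapped = insecure_compute(inputs, scratch, between=other_user_swaps_file)
    hardened = hardened_compute(inputs)

    planted = os.path.join(d, "planted.tmp")
    open(planted, "w").close()                   # file already at the name
    try:
        os.close(create_exclusive(planted))
        refused = False
    except FileExistsError:
        refused = True
    for name in os.listdir(d):
        os.unlink(os.path.join(d, name))
    os.rmdir(d)
    return clean, swapped, hardened, refused


if __name__ == "__main__":
    print(demo())   # (2.0, 100.0, 2.0, True)
```

The point of `descriptor_is_private` is that the program should be checking the object it holds open, not a name that may now refer to something else; that distinction is the whole difference between the two versions.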

How to build secure systems


There are many design considerations that go into ensuring security, and we shall be returning to these in the coming weeks. The main theme is how to ensure predictability. All systems fail, but we must make sure that whatever they do, they do it predictably, without unfortunate surprises. Means to this end include:

- Special protocols
- Limiting functionality
- Standards of behavior, interface and communication

Then, there are a number of questions we have to ask ourselves.

1. Should protection mechanisms focus on data, functionality or users?
2. In which layer should security mechanisms be placed?
3. Do we prefer a simple (easy to secure) or feature-rich (difficult) system?
4. Should security be handled by a central manager, or left to individual components in a system?
5. How do we prevent an attacker from accessing a level below our security mechanisms and thereby circumventing them?


Here is a summary of the principles from the course in Network and System Administration which relate to security. You should think about these in the light of this introduction:

- The principle of communities: What one member of a cooperative community does affects every other member, and vice versa. Each member of a community therefore has a responsibility to consider the well-being of other members of the community.
- Policy: a clear expression of goals and responses prepares a site for future trouble, and documents intent and procedure.
- Simplest is best: simple rules make system behavior easy to understand. Users tolerate rules if they understand them.
- Security: the fundamental requirement for security is the ability to restrict access and privilege to data.
- Data invulnerability (redundancy): The purpose of a backup copy is to provide an image of data which is unlikely to be destroyed by the same act that destroys the original.

In the coming weeks, we shall take some of the issues above and consider them in detail. We shall also try to gauge some of the political developments and current concerns about security that dominate the computer news.

Thought of the week


Do you trust the information in this course? What makes you trust it? How could you verify if the information were true or false? Do you trust the identity and the authenticity of the source? Can you verify that I am who I say I am? How much proof do you need?
