Professional Documents
Culture Documents
Security
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Objectives
Define computer security as well as basic computer security terms
Introduce the C-I-A Triad
Introduce basic access control terminology
Explain basic threats, vulnerabilities, and attacks
Show how controls map to threats
What Is Computer Security?
• Protection of the items you value, called the assets of a computer or
computer system.
• There are many types of assets
Hardware
Software
Data
Or combinations of these
Assets
Values of Assets
Basic Terms
• Vulnerability
• Threat
• Attack
• Countermeasure or control
Vulnerabilities, Threats,
Attacks, Controls
• Vulnerability is a weakness in the security system
• (i.e., in procedures, design, or implementation), that might be exploited to cause
loss or harm.
Confidentiality
Secure
Integrity Availability
Access Control
Types of Threats
Types of Attackers
Threats
• In an interception means that some unauthorized party has gained access to an
asset.
• If an unauthorized party not only accesses but tampers (forges) with an asset, the
threat is a modification.
• method: the skills, knowledge, tools, and other things with which
to be able to pull off the attack
• Knowledge of systems are widely available
• Detection
• Detect attackers’ violation of security policy
• Recovery
• Stop attack, assess and repair damage
• Continue to function correctly even if attack succeeds
Trust and Assumptions
• Trust underlies all aspects of security
• Policies
• Unambiguously partition system states
• Correctly capture security requirements
• Mechanisms
• Assumed to enforce policy
• Support mechanisms work correctly
Control or Countermeasure
• Means to counter threats. Harm occurs when a threat is realized against a
vulnerability. To protect against harm, then, we can neutralize the threat, close
the vulnerability, or both.
• The possibility for harm to occur is called risk. We can deal with harm in several
ways:
• prevent it, by blocking the attack or closing the vulnerability
• deter it, by making the attack harder but not impossible
• deflect it, by making another target more attractive (or this one less so)
• mitigate it, by making its impact less severe
• detect it, either as it happens or some time after the fact
• recover from its effects
Controls/Countermeasures
Different Types of Controls
Controls Available
• Encryption
• We take data in their normal, unscrambled state, called:
• cleartext or plaintext, and transform them so that they are unintelligible to the outside
observer; the transformed data are called enciphered text or ciphertext.
• Operating system and network system controls: limitations enforced by the operating system
or network to protect each user from all other users
• i.e. chmod on UNIX: (Read, Write, Execute) vs. (Owner, Group, Other)
• Physical Controls
• i.e. locks on doors,
• guards at entry points,
• backup copies of important software and data, and
• physical site planning that reduces the risk of natural disasters.
Effectiveness of Controls
• Awareness of Problem
• People using controls must be convinced of the need for security. That is,
people will willingly cooperate with security requirements only if they
understand
• why security is appropriate in a given situation.
Effectiveness of Controls
• Likelihood of Use
• Of course, no control is effective unless it is used
• Principle of Effectiveness:
• Controls must be used properly to be effective.
• They must be efficient, easy to use, and appropriate.
• Periodic Review
• Just when the security specialist finds a way to secure assets against certain
kinds of attacks, the opposition doubles its efforts in an attempt to defeat the
security mechanisms. Thus, judging the effectiveness of a control is an
ongoing task.
Principle of Weakest Link
• Security can be no stronger than its weakest link !!!
• Whether it is the power supply that powers the firewall or the operating
system under the security application or the human who plans, implements,
and administers controls, a failure of any control can lead to a security failure.
Summary
• Vulnerabilities are weaknesses in a system;
• threats exploit those weaknesses;
• controls protect those weaknesses from exploitation
• Confidentiality, integrity, and availability are the three basic security
primitives
• Different attackers pose different kinds of threats based on their
capabilities and motivations
• Different controls address different threats; controls come in many
flavors and can exist at various points in the system
Authentication, Access Control,
and Cryptography
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043).
Authentication
• The act of proving that a user is who she says she is.
• Methods:
– Something the user knows
– Something the user is
– Something the user has
Something You Know
• Passwords
• Security questions
• Attacks on “something you know”:
– Dictionary attacks
– Inferring likely passwords/answers
– Guessing
– Defeating concealment
– Exhaustive or brute-force attack
– Rainbow tables
Distribution of Password Types
Password Storage
Plaintext Concealed
Biometrics: Something You Are
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
Tokens: Something You Have
Federated Identity Management
Single Sign-On
Access Control
Access Policies
• Goals:
– Check every access
– Enforce least privilege
– Verify acceptable usage
Stream Block
Advantages Speed of High diff usion
transformation Immunity to
Low error insertion of
propagation symbol
• computational security
– given limited computing resources (eg time
needed for calculations is greater than age of
universe), the cipher cannot be broken
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext
Key Size (bits) Number of Alternative Time required at 1 Time required at 106
Keys decryption/µs decryptions/µs
32 231 µs = 35.8 minutes 2.15 milliseconds
2 32
= 4.3 × 10 9
128
2128 = 3.4 × 1038 2127 µs = 5.4 × 1024 years 5.4 × 1018 years
168
2168 = 3.7 × 1050 2167 µs = 5.9 × 1036 years 5.9 × 1030 years
26 characters
(permutation) 26! = 4 × 1026 2 × 1026 µs = 6.4 × 1012 years 6.4 × 106 years
Classical Substitution Ciphers
• where letters of plaintext are replaced by
other letters or by numbers or symbols
• example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
• can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
• now have a total of 26! = 4 x 1026 keys.
• with so many keys, might think is secure.
• but would be !!!WRONG!!!.
• problem is language characteristics.
Language Redundancy and Cryptanalysis
– If both the letters are in the same column, take the letter
below each one (going back to the top if at the bottom)
T U O R I
A L S B C
D E F G H ‘H’ and ‘I’
are in same
K M N P Q column,
V W X Y Z hence take
letter below
them to
replace. HI
→ QC
• If both letters are in the same row, take the letter to the right
of each one (going back to the left if at the farthest right)
T U O R I
A L S B C
D E F G H ‘D’ and ‘E’
are in same
K M N P Q row, hence
V W X Y Z take letter to
the right of
them to
replace. DE
→ EF
• If neither of the preceding two rules are true, form
a rectangle with the two letters and take the
letters on the horizontal opposite corner of the
rectangle.
• Using these rules, the result of the encryption of
‘hide money’ with the key of ‘tutorials’ would be −
• QC EF NU MF ZV
• Decrypting the Playfair cipher is as simple as doing
the same process in reverse. Receiver has the same
key and can create the same key table, and then
decrypt any messages made using that key.
Security of Playfair Cipher
• security much improved over monoalphabetic.
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to analyse
(verses 26 for a monoalphabetic)
• and correspondingly more ciphertext
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Vigenere Cipher
O W A R E Y
O U a b c d
B A C K I N
Product Ciphers
• ciphers using substitutions or transpositions are not
secure because of language characteristics
• hence consider using several ciphers in succession to
make harder, but:
– two substitutions make a more complex substitution
– two transpositions make more complex transposition
– but a substitution followed by a transposition makes a new
much harder cipher
• this is bridge from classical to modern ciphers
Rotor Machines
• before modern ciphers, rotor machines were most
common complex ciphers in use
• widely used in WW2
– German Enigma, Allied Hagelin, Japanese Purple
• implemented a very complex, varying substitution
cipher
• used a series of cylinders, each giving one
substitution, which rotated and changed after each
letter was encrypted
• with 3 cylinders have 263=17576 alphabets
Hagelin Rotor Machine
Steganography
• an alternative to encryption
• hides existence of message
– using only a subset of letters/words in a longer
message marked in some way
– using invisible ink
– hiding in LSB in graphic image or sound file
• has drawbacks
– high overhead to hide relatively few info bits
Summary
• have considered:
– classical cipher techniques and terminology
– monoalphabetic substitution ciphers
– cryptanalysis using letter frequencies
– Playfair cipher
– polyalphabetic ciphers
– transposition ciphers
– product ciphers and rotor machines
– stenography
DES (Data Encryption
Standard)
Basics
• The Data Encryption Standard (DES) is a symmetric-key block cipher
created in the early 1970s by an IBM team and adopted by the
National Institute of Standards and Technology (NIST).
• Symmetric-key means that it employs the same key in both encrypting
and decrypting the data.
• DES uses 16 rounds and the block size is 64-bit. Though, key length is
64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits
of the key are not used by the encryption algorithm.
DES Algorithm Steps
• The process begins with the 64-bit plain text block getting handed
over to an initial permutation (IP) function.
• The initial permutation (IP) is then performed on the plain text.
• Next, the initial permutation (IP) creates two halves of the permuted
block, referred to as Left Plain Text (LPT) and Right Plain Text (RPT).
• Each LPT and RPT goes through 16 rounds of the encryption process.
• Finally, the LPT and RPT are rejoined, and a Final Permutation (FP) is
performed on the newly combined block.
• The result of this process produces the desired 64-bit ciphertext.
1. Initial permutation (IP)
2. 16 Rounds
In this step, S Box RPT will be permuted according to the P Box table
and gives rise to P Box RPT.
Step5: XOR
and Swap
3. Final permutation
DES Modes of Operation
• Electronic Codebook (ECB). Each 64-bit block is encrypted and
decrypted independently
• Cipher Block Chaining (CBC). Each 64-bit block depends on the
previous one and uses an Initialization Vector (IV)
• Cipher Feedback (CFB). The preceding ciphertext becomes the input for
the encryption algorithm, producing pseudorandom output, which in
turn is XORed with plaintext, building the next ciphertext unit
• Output Feedback (OFB). Much like CFB, except that the encryption
algorithm input is the output from the preceding DES
• Counter (CTR). Each plaintext block is XORed with an encrypted
counter. The counter is then incremented for each subsequent block
DES: The Data Encryption Standard
• Symmetric block cipher
AES: Advanced Encryption System
• Symmetric block cipher
• Developed in 1999 by
independent Dutch
cryptographers
• Still in common use
DES vs. AES
RSA Algorithm
Public Key (Asymmetric) Cryptography
• Instead of two users sharing one secret key, each user has two
keys: one public and one private.
• Messages encrypted using the user’s public key can only be
decrypted using the user’s private key, and vice versa.
Basics
• RSA algorithm is asymmetric cryptography algorithm. Asymmetric means
that it works on two different keys i.e. Public Key and Private Key. The
Public Key is given to everyone and Private key is kept private.
• An example of asymmetric cryptography :
o A client (for example browser) sends its public key to the server and
requests for some data.
o The server encrypts the data using client’s public key and sends the
encrypted data.
o Client receives this data and decrypts it.
Basics
Key Generation
RSA Encryption
RSA Decryption
𝐶𝑑
RSA Example
Security of RSA
Mathematical Attacks
Timing Attacks
• Consider the secret key = "CHARLES".
Now decrypt the following cipher text using Playfair
Cipher.
PRSBHADGDCBCAZRZVPAMBW
PR
SB
C H A R L
HA
E S B D F DG
DC
G I/J K M N BC
Secret Key = AZ
O P Q T U RZ
VP
V W X Y Z AM
BW
Rules:
If 2 alphabets in same row, write most left alphabet.
If 2 alphabets in same column, write above most alphabet.
If none of above, then make rectangle out of them (alphabet) and write their
opposite corners.
Plain Text TH ES CH EM ER EA LX LY WO RK SX
Cipher Text PR SB HA DG DC BC AZ RZ VP AM BW
HELLOHOWAREYOU
Caesar Cipher
• Identify plain text from cipher text using Caesar
cipher with a shift of 4.
P = (C-shift) mod 26
Autokey Cipher
• Generate cipher text from plain text using Auto-key
cipher with initial key of 12.
n = p*q = 3*11 = 33
ø(n) = (p-1)*(q-1) = 2*10 = 20
choose d such that (d*e) % ø(n) = 1. One solution is d (private key) = 3
Decryption of cipher text (c) = 29 is M = 293 % 33 = 2
• Diffie-Hellman key exchange algorithm with example.
Program Security
Challenges to writing secure
code
Unintentional (Non-
malicious) Programming
Oversights
Non-malicious code
• Caused from a mistake done by a human such as programmers and
developers.
• Many such errors cause program malfunction but do not lead to more
serious security vulnerabilities.
http://www.somesite.com/subpage/userinput.asp?
parm1=(808)555-1212&parm2=2015Jan17
• As a security professional, you might examine the various parts of the URL to determine what they
mean and how they might be exploited.
• For instance, the parameters parm1 and parm2 look like a telephone number and a date, respectively.
• But what would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or
1Aardvark2Many?
• Something in the program or the system with which it communicates would likely fail. One possibility is
that the system would fail catastrophically, with a routine’s failing on a data type error as it tried to
handle a month named “Min” or even a year (like 1800) that was out of expected range.
• Another possibility is that the receiving program would continue to execute but would generate a very
wrong result.
Solution to incomplete mediation
• Three properties of a reference monitor are
(1) small and simple enough to give confidence of correctness
(2) Unbypassable
(3) always invoked
• Back door
is another name for a trap door, back doors provide immediate access to a
system by passing employed authentication and security protocols, Attackers
can use back doors to bypass security control and gain control at a system
without time consuming hacking.
Malicious Code
• Logic Bombs
The logic bomb is code embedded in some legitimate program that
execute when a certain predefined events occurs.
These codes surreptitiously inserted into an application or operating
system that causes it to perform some destructive or security –
compromising activity whenever specified conditions are met.
A bomb may sent a note to an attacker when a user is logged on to
the internet and is using an specific program such as a word
processor, this message informs the attacker that the user is ready for
an attack.
1. Attacker implants logic bomb
2. Victim reports installation
3. Attacker sends attack message
4. Victim dose as logic bomb installation
Notice that this bomb dose not actually begin the attack but tells the attacker
that the victim has met needed state for an attack to begin.
Malicious Code
• Trojan Horses
A malicious, security–breaking program that is disguised as
something benign, such as directory lister, archiver, game, or a
program to find and destroy viruses!"
A Trojan horse is a useful, or apparently useful program or command
procedure containing hidden code that when invoked performs some
unwanted or harmful function.
Trojan Horses can be used to accomplish functions indirectly that an
unauthorized user could not accomplish directly.
for example, to gain access to the files of another user on a shared
system, a user could create a Trojan Horse program that when
executed, changed the invoking user’s file permissions so that the file
are readable by any user.
The program appears to be performing a useful function but it may
also be quietly deleting the victim’s files.
Malicious Code
• Zombie
A zombie is a program that secretly takes over another internet
attached computer and then uses that computer to launch attacks
that are difficult to trace to the zombie’s creator.
Zombies are used in Denial of service attacks, typically against
targeted web sites.
The zombie is planted on hundreds of computers belonging to
unsuspecting third parties and then used to overwhelm the target
website by launching on overwhelming onslaught of internet traffic.
Malicious Code
• Viruses
A cracker program that searches out other programs and 'infects‘
them by embedding a copy of itself in them so that they become
Trojan horses.
When these programs are executed, the embedded virus is executed
too, thus propagating the ' infection ' this normally happens invisibly
to the user.
Unlike a worm, a virus can not infect other computers without
assistance.
It is propagated by vectors such as humans trading programs with
their friends the virus may do nothing but propagate itself and then
allow the program to run normally.
Usually, however, after propagating silently for a while, it starts doing
things like writing cute messages on the terminal or playing strange
tricks with the display.
Many nasty viruses, written by particularly perversely minded
crackers, do irreversible damage, like nuking the entire user’s files...
During its lifetime a typical virus goes through the following four phases:
1- Dormant phase: The virus is idle the virus will eventually be activated by
some event, such as a date. The presence of another program or file, or the
capacity of the disk exceeding some limit, not all viruses have this stage.
2- Propagation phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk. Each infected program will
now contain a clone of the virus, which will itself enter a propagation phase.
3- Triggering phase: The virus is activated to perform the function for which
it was intended. As with the dormant phase, the triggering phase can be
caused by a variety of system events, including a count of the number of
times that this copy of the virus has made copies of itself.
4- Execution phase: The function is performed. The function may be
harmless, such as a message on the screen, or damaging, such as the
destruction of programs and data files.
• Virus Anatomy,
Virus Structure has four ports
1. Mark can prevent re-infection attempt.
2. Infection Mechanism causes spread to
other files
3. Trigger are conditions for delivering payload
4. Payload is the possible damage to infected
computer
• Program File Viruses
• Memory – resident virus
lodges in main memory as part of a resident system program. From that
point on, virus infects every program that executes.
• Polymorphic virus
creates copies during replication that are functionally equivalents but have
distinctly different bit patterns.
In this case the “signature “of the virus will vary with each copy. To achieve
this variation, the virus may randomly insert superfluous instructions or
interchange the order of independent in-generally called a mutation
engine, creates a random encryption key to encrypt the reminder of the
virus. The key is stored with the virus, and the mutation engine itself is
altered.
When an infected program is invoked, the virus uses the stored random
key to decrypt the virus, when the virus replicates, a different random key
is selected.
• Boot Sector Virus
Boot sector viruses infect the system area of the disk that is read when the
disk is initially accessed or booted. This area can include the master boot
record, the operation system’s boot sector or both.
A virus infecting these areas typically takes the system instructions it finds
and moves them to some other area on the disk. The virus is then free to
place its own code in the boot record.
When the system initializes, the virus loads into memory and simply points
to the new location for the system instructions. The system then boots in a
normal fashion except the virus is now resident in memory.
A boot sector virus can replicate without your executing any programs
from an infected disk. Simply accessing the disk is sufficient.
• Stealth Virus
A format virus explicitly designed to hide itself from detection by antivirus
software.
When the virus is loaded into memory, it monitors system calls to files and
disk sectors, when a call is trapped the, virus modifies the information
returned to the process making the call so that it sees the original
uninfected information. This aids the virus in avoiding detection.
For example many boot sector viruses contain stealth ability. If the infected
disk is booted, programs such as FDISK report a normal boot record. The
virus is intercepting sector calls from FDISK and returning the original boot
sector information.
If you boot the system from a clean floppy disk however, the drive is
inaccessible. If you run FDISK again, the program reports a corrupted boot
sector on the drive.
• Macro Virus
Macro Virus is set of macro commands, specific to an application, which
automatically executes in an unsolicited manner and spread to that application’s
documents.
According to the national computer security agency (www.ncsa.com), macro
viruses now make up two – thirds of all computer viruses.
Macro viruses are particularly threatening for a number of reasons:
1- A macro virus is platform independent. Virtually all of the macro viruses infect
Microsoft word documents. Any hardware platform and operating system that
supports word can be infected.
2- Macro viruses infect documents, not executable portions of code. Most of the
information introduced on to a computer system is in the form of a document
rather than a program.
3- Macro viruses are easily spread. A very common method is by electronic mail.
• Email Virus
A more recent development in malicious software is the e-mail virus.
The first rapidly spreading e-mail viruses, such as Melissa, made use
of a Microsoft word macro embedded in an attachment.
If the recipient opens the e-mail attachment, the word macro is
activated then:
1- The e-mail virus sends itself to everyone on the mailing list in the
user’s e-mail package
2- The virus does local damage
• Worms
A program that propagates itself over a network, reproducing itself as
it goes.
Worm is also self-replicating but a stand-alone program that exploits
security holes to compromise other computers and spread copies of
itself through the network.
Unlike viruses, worms do not need to parasitically attach to other
programs.
Because of the recursive structure of this propagation, the spread
rate of worms is very fast and poses a big threat on the Internet
infrastructure as a whole.
Worms Anatomy
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043).
Countermeasures for Users
User Vigilance
• The easiest control against malicious code is hygiene: not engaging in
behavior that permits malicious code contamination.
• The two components of hygiene are avoiding points of contamination
and blocking avenues of vulnerability.
To avoid contamination,
Use only commercial software acquired from reliable, well-established
vendors.
Test all new software on an isolated computer.
Open attachments—and other potentially infected data files—only when
you know them to be safe.
Install software—and other potentially infected executable code files—
only when you really, really know them to be safe.
Recognize that any website can be potentially harmful.
Make a recoverable system image and store it safely.
Make and retain backup copies of executable system files.
For blocking system vulnerabilities,
As new vulnerabilities become known we should apply patches.
Zero-day attacks are especially problematic, because a vulnerability
presumably unknown to the software writers is now being exploited.
Systems run many different software products from different vendors, but
a vendor’s patch cannot and does not consider possible interactions with
other software.
We should apply all patches promptly except when doing so would cause
more harm than good, which of course you seldom know in advance.
Virus Detectors
• Virus scanners are tools that look for signs of malicious code infection.
Most such tools look for a signature or fingerprint, a telltale pattern in
program files/memory. Limitations of detection tools:
1. Detection tools are necessarily retrospective, looking for patterns of
known infections. As new infectious code types are developed, tools
need to be updated frequently with new patterns.
2. Patterns are necessarily static. If malicious code always begins with, or
even contains, the same four instructions, the binary code of those
instructions may be the invariant pattern for which the tool searches.
Because tool writers want to avoid misclassifying good code as malicious,
they seek the longest pattern they can.
Virus Signatures
• A virus cannot be completely invisible. Code must be stored somewhere,
and the code must be in memory to execute.
• The virus executes in a particular way, using certain methods to spread.
Each of these characteristics yields a telltale pattern, called a signature,
that can be found by a program that looks for it.
• The virus’s signature is important for creating a program, called a virus
scanner, that can detect and, in some cases, remove viruses.
• The scanner searches memory and long-term storage, monitoring
execution and watching for the telltale signatures of viruses.
Code Analysis
• To determine what it does, how it propagates and where it originated.
Out-of-Band Communication
• Transferring one fact along a communication path separate from that
of another fact. Eg. bank card PINs are always mailed separately from
the bank card so that if the envelope containing the card is stolen, the
thief cannot use the card without the PIN.
Continuous Authentication
• Encryption can provide continuous authentication, but care must be
taken to set it up properly and guard the end points.
• If two parties carry on an encrypted communication, an interloper
wanting to enter into the communication must break the encryption
or cause it to be reset with a new key exchange between the
interceptor and one end. (This latter technique is known as a session
hijack).
Q1: The SilentBanker man-in-the-browser attack depends on malicious
code that is integrated into the browser. These browser helpers are
essentially unlimited in what they can do.
Suggest a design by which such helpers are more rigorously controlled.
Does your approach limit the usefulness of such helpers?
A1:
If a computer responds to a prompt with a user’s password, software can
direct that computer to save the password and later reuse it or repeat it to
another process, as was the case with the SilentBanker man-in-the-
browser attack.
If authentication involves computing a cryptographic result, the encryption
key has to be placed somewhere during the computing, and it might be
susceptible to copying by another malicious process.
Or on the other end, if software can interfere with the authentication-
checking code to make any value succeed, authentication is compromised.
Thus, vulnerabilities in authentication include not just the authentication
data but also the processes used to implement authentication
Q2:A cryptographic nonce is important for confirming that a party is
active and fully participating in a protocol exchange. One reason
attackers can succeed with many web-page attacks is that it is relatively
easy to craft authentic-looking pages that spoof actual sites.
Suggest a technique by which a user can be assured that a page is both
live and authentic from a particular site. That is, design a mark, data
interchange, or some other device that shows the authenticity of a web
page.
A2:
Before giving any information to a website, you should make sure it is
secure. Below are some quick tips that you can use to tell if a site is
secure.
Check the SSL Certificate. Look at the URL of the website. If it begins
with “https” instead of “http” it means the site is secured using an SSL
Certificate (the s stands for secure). SSL Certificates secure all of your
data as it is passed from your browser to the website’s server.
To get an SSL Certificate, the company must go through a validation
process.
Web Attacks
targeting Users
False or Misleading Content
• Defaced Web Site
Occurs when an attacker replaces or modifies the content of a
legitimate web site.
For example, in January 2010, BBC reported that the web site of
the incoming president of the European Union was defaced to
present a picture of British comic actor Rowan Atkinson (Mr. Bean)
instead of the president.
http://www.google.com/search?q=cross+site+scripting
&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official
&client=firefox-a&lr=lang_enent or server.
2. SQL Injection
• Operates by inserting code into an exchange between a client and
database server. Eg., Bank application
3. Dot-Dot-Slash
• Enter the dot-dot. In both Unix and Windows, ‘..’ is the directory
indicator for “predecessor.” And ‘../..’ is the grandparent of the current
location.
• So someone who can enter file names can travel back up the
directory tree one .. at a time.
• Eg., passing the following URL causes the server to return the
requested file, autoexec.nt, enabling an attacker to modify or delete
it.
4. Sever-Side Include
• Web pages can be organized to invoke a particular function
automatically. For example, many pages use web commands to send
an email message in the “contact us” part of the displayed page.
• One of the server-side include commands is exec, to execute an
arbitrary file on the server.
Website Data: A User’s Problem, Too
• Some website data affect users significantly. Consider one of the most
common data items that web sites maintain: user IDs and passwords.
• Faced with many passwords to remember, users skimp by reusing the
same password on multiple sites. Even that reuse would be of only
minor consequence if websites protected IDs and corresponding
passwords.
• Websites’ ID and password tables are both valuable to attackers and
frequently obtained. Even if it is the website that is attacked, it is the
users who suffer the loss.
Foiling Data Attacks
Single Users
Multitasking
Protected Objects
The rise of multiprogramming meant that several aspects of a
computing system required protection:
memory
sharable I/O devices, such as disks
serially reusable I/O devices, such as printers and tape drives
sharable programs and subprocedures
networks
sharable data
Operating System Design to Protect Objects
• The operating system must protect itself in order to protect its users
and resources.
Advantages of hiding
addresses?
Security benefits of
Segmentation?
• Virtual Memory - Paging
• Combined Paging with Segmentation
Security in
design of OS
• Simplicity of Design
• Layered Design
Layered Trust
Separation: physical, temporal, logical, and cryptographic
Encapsulation: Each layer uses the more central layers as services,
and each layer provides a certain level of functionality to the
layers farther out
Damage control: possible with hierarchical structuring
• Kernelized Design
Security kernel: locus of all security enforcement
Coverage
Separation
Unity
Modifiability
Compactness
• Reference Monitor
• Correctness and Completeness
• Secure Design Principles
least privilege
economy of mechanism
open design
complete mediation
permission based
separation of privilege
least common mechanism
ease of use
• Trusted system
one with evidence to substantiate the claim it implements some
function or policy. To trust any program, we looking for certain key
characteristics:
Functional correctness
Enforcement of integrity
Limited privilege
Appropriate confidence level
• Trusted System Functions
Trusted Computing Base (TCB)
Everything necessary for a system to enforce its security policy. It
constitute:
hardware, including processors, memory, registers, a clock, and I/O devices
some notion of processes, so that we can separate and protect security-
critical processes
primitive files, such as the security access control database and
identification and authentication data
protected memory, so that the reference monitor can be protected against
tampering
some interprocess communication
System separated into TCB and non-TCB sections
• TCB Design and Implementation
• Secure Startup
Secure startup ensures no malicious code can block or interfere with
security enforcement.
• Trusted Path
A trusted path precludes interference between a user and the security
enforcement mechanisms of the operating system.
• Object Reuse
Object sanitization ensures no leakage of data if a subject uses a
memory object released by another subject.
• Audit
Trusted systems must also track any security relevant changes, such as
installation of new programs or modification to the operating system.
Rootkit
• Root: most privileged subject (in a Unix system)
• Rootkit: Tool or script that obtains privileges of root
Phone Rootkit
Rootkit Evades Detection
Antivirus tools (and most programs) do not contain code to query the disk,
determine the disk format, identify files and where they are stored, find the file
names and properties from an index table, or structure the results for use and
display.
Instead the tools call builtin functions through an application programming
interface (API) to get this information. What if malicious code intruded on that
sequence of calls?
OS Security Exercise
• If two users share access to a segment, they must do so
by the same name. Must their protection rights to it be
the same? Why or why not?
• No.
a) object name
b) rights-set
c) both object name and rights-set
d) none of the mentioned
• Explain how a fence register is used for relocation of a
user’s program.
• The address in the fence register is the starting address
of the user space. Thus, the user program can be
written relative to address 0. Adding the fence register’s
contents will properly relocate the user’s address
references.
• Give an example of an object whose sensitivity may
change during execution.
• One example is a printer that is used to print both
confidential and non-confidential data.
• Another example is a portion of unused disk space that
would initially have low sensitivity. However, once the
space is assigned to an active file, it would acquire a
different sensitivity value, depending on the sensitivity
of the data in the file.
• Why should the directory of one user not be generally
accessible to other users (not even for read-only
access)?
• The knowledge of the existence of certain objects should
not be available to unauthorized users.
• For example, a knowledge that Jones and Smith are
working together on a project (as evidenced by shared
access to many files) might be sensitive.
• Sometimes, testing or development versions of hardware
components or software systems should not be known by
all users.
• List two disadvantages of using physical separation in a
computing system. List two disadvantages of using
temporal separation in a computing system.
• Disadvantages (of both forms of separation):
Inability to share
Inconvenience to users
Record keeping burden
Inefficient resource utilization
PRIVACY
Privacy Concepts
• Aspects of Information Privacy
1. Controlled Disclosure
2. Sensitive Data
3. Affected Subject
Controlled Disclosure
• Privacy is the right to control who knows certain things about you.
• People may ask you for your telephone number: your auto mechanic,
a shop clerk, your tax authority, a new business contact, or a new
friend.
• In each case, you consider why the person wants the number and
then decide whether to give it out.
• But the key point is that you decide.
Sensitive Data
• Identity
• Finances
• Legal
• Health
• Opinions, preferences, and membership
• Biometrics
• Documentary evidence
• Privileged communications
• Academic and employment information
• Location data
• Digital footprint
Affected Subject
• Companies may have data they consider private or sensitive: product
plans, key customers, profit margins, and newly discovered
technologies, as examples.
• For private enterprise, privacy usually relates to gaining and
maintaining an edge over the competition.
• Other organizations, such as schools, hospitals, or charities, may need
to protect personal data about their students, patients, or donors.
Computer-Related Privacy
Problems
1. Information collection
2. Information usage
3. Information retention
4. Information disclosure
5. Information security
6. Access control
7. Monitoring
8. Policy changes
Data Collection
• Capacities of computer storage devices continue to grow, driving the
cost per byte down.
• Availability of massive, inexpensive storage encourages collecting and
saving data.
Google had 17 data centers in 2014, accounting for 0.01 percent of the
world’s total energy usage.
Microsoft has over a billion users and over 100,000 servers.
Notice and Consent
• Notice of collection and consent to allow collection of data are
foundations of privacy.
Telephone companies record the date, time, duration, source, and
destination of each telephone call.
ISPs track sites visited.
Some sites keep the IP address of each visitor to the site.
The user is not necessarily aware of this third category of data collection and
thus cannot be said to have given informed consent to the collection.
Control and Ownership of Data
• Disseminated data are almost impossible to get back.
• In many instances, you are asked to provide data (with proper notice)
and you consent to do so, explicitly or implicitly. But what happens
when the data are transferred to the requesting person or system?
• Having collected data with your permission, others may keep the data
you give them; you have ceded control (and sometimes ownership,
depending on the law in your region) of that copy of the data to
them.
Privacy Principles and Policies
• Fair Information Practices
• U.S. Privacy Laws
• Controls on U.S. Government Websites
• Controls on Commercial Websites
• Non-U.S. Privacy Principles
• Individual Actions to Protect Privacy
• Governments and Privacy
• Identity Theft
Fair Information Practices
• Collection limitation.
• Data quality.
• Purpose specification.
• Use limitation.
• Security safeguards.
• Openness.
• Individual participation.
• Accountability.
• Conflicting Laws
Different laws in different jurisdictions will inevitably clash.
Individual Actions to Protect
Privacy
• Anonymity
For example, a rock star buying a beach house might want to avoid
unwanted attention from neighbors.
• Multiple Identities—Linked or Not
To your bank, you are your account number. To your motor vehicles bureau,
you are your driver’s license number. And to your credit card company, you
are your credit card number.
• Pseudonymity
Multiple identities can also be convenient; Similarly, disposable identities
(that you use for a while and then stop using) can be convenient.
Governments and Privacy
• Authentication
• Data Access Risks
• Steps to Protect Against Privacy Loss
Data minimization. Data anonymization. Auditing. Security and controlled
access. Training. Quality. Restricted usage. Data left in place. Policy.
Web merchants are under no obligation to price products the same for all
customers, or the same as other sellers price the same product.
Privacy-Preserving Technology
Encrypting a vote with the public key of the election board, could preserve
confidentiality. The difficulty is in ensuring that only authorized people can
vote and that an authorized person can vote only once .
• VoIP and Skype
Cellular telephony and Internet-based phone service have significantly
changed the situation of traditional telephony. Voice over IP (VoIP) is a
protocol for transmission of voice traffic over the Internet.
Major VoIP carriers include Skype, Google Talk, and Vonage.
Privacy can be sacrificed even if the voice traffic is solidly encrypted,
the source and destination of the phone call will be somewhat exposed
through packet headers.
• Privacy in Cloud
Where the Field Is Headed
• Various privacy rights organizations, such as the Center for Democracy and Technology,
the Electronic Privacy Information Center (EPIC), Privacy.Org, and Privacy International,
and professional computing societies, such as IEEE and ACM, must continue their efforts.
• The Johns Hopkins Information Security Institute, of which Rubin is Technical Director,
has produced several good studies of privacy vulnerabilities.
• Annie Antón of Georgia Institute of Technology has developed tools to analyze privacy
policies.
• Bob Gellman is a well-respected consultant on privacy issues.
• IEEE Security & Privacy magazine has at least one article about privacy in every issue, in
its Privacy Interests department.