Computer Security

 Software with problems

 metric confusion caused NASAs 125 million Mars orbiter loss

 Virtually all of information security is implemented in software

 protection of information from theft, corruption, or natural disaster, while allowing the
information to remain accessible and productive to its intended users.

 Computer Security - generic name for the collection of tools designed to protect.

 Network Security - measures to protect data during their transmission.

 Internet Security - measures to protect data during their transmission over a collection of
interconnected networks.

Computers and Data

 Data/ Information

 Resources

 Valuable

 Vulnerable

Vulnerability

 Vulnerability is a weakness in the security system

Ex: does not verify a user before data access.

Security threat

 A set of circumstances that has the potential to cause loss or harm.

 Any possible action that compromise the security of information.

 Security threats

 Human initiated - Hacking

 Computer Initiated - Virus

 Natural disasters

 Flood

 Lightening

 Fire

Security threats

 Reasons

• Human Errors.

• SW design flats.

• SW Failures.
 Security threats

Interception

• An interception means that some unauthorized party has gained access to an asset.

(person, program, or a computing system.)

Ex:

 Illicit copying of program or data

 Network wiretapping

 Interruption

◦ Asset of the system becomes lost, unavailable, or unusable.

Ex:

 malicious destruction of a hardware device

 Erasure of a program or data file
 malfunction of an operating system (can’t find a disk file.)
 Modification

◦ unauthorized party not only accesses but also alter the asset

Ex:

o Change the values in a database

o Alter a program to performs deferent computation
o Modify data being transmitted electronically
 Fabrication

 The intruder may insert transactions or data to a network communication

system.
 Add records to an existing database.
Attack

 Human
 Another System

 Security Attack – Definition

 A deliberate attempt (especially in the sense of a method or technique) to avoid

security services and violate the security policy of a system.
Attacker must have

 Method:

 How : Skill, knowledge, tools

 Opportunity :

 When : suitable time for attack

 Motive :

 Why : Reason for the attack

Types of attack

 Passive Attack

 Attempts to learn or make use of information from the system

 Does not affect system resources

 Release the content

 Traffic analysis
 Active Attack

 Attempts to alter system resources or affect their operation.

 Denial of service
 Modification of content

Security Controls

Protective measures against attacks

 Security Control - Definition

An action, device, procedure, or technique that removes or reduces a vulnerability.

A threat is blocked by control of vulnerability.

 Figure 1-4 Vulnerabilities of Computing Systems

Security Concepts

Confidentiality, Integrity, and Availability

Security Concepts

 Confidentiality

 Illegitimate users may not able to access or modify data

 Disclosure of information to unauthorized individuals or systems.
 Availability

 legitimate users may able to access or modify data

 Present of information when it is needed
 Integrity

 Accuracy of data
 Security
of Data

Figure 1-6 Multiple Controls

Computer Criminals

 Computer Crime

 Any crime involving a computer

 Hackers

 Access computer systems non maliciously

 Crackers

 Access computer systems maliciously

Cryptography

Encryption

 Process of scramble characters in s text

 process of transform information using an algorithm to make it unreadable

 Formal notation

 Plain text
P= {p1, sp2, p3, …}

 Cipher text
C= {c1, c2, c3, ….}

 Algorithm(Rule used to encryption)

E

C=E(P)

Cipher text depends on plain text and algorithm

 Formal notation

 Key
k

C=E(k, P)

Cipher text depends on plain text and algorithm

Decryption

 Transforming unreadable encrypted text to make it readable

 Formal notation

◦ P=D(C)
Encryption Types

 Number of keys

 Pirate Key
 Public Key
 How input process
 Stream cipher
 Block cipher
 Operations / technique
 Substitution
 Transposition/permutation
Encryption

 Symmetric key algorithm

◦ both sender and receiver use the same key to encrypt and decrypt the message.

 single-key
 secret-key
 conventional encryption
 Asymmetric key algorithm

o sender and receiver use two deferent keys to encrypt and decrypt the message.
o two-key
o public-key encryption
Comparison
Symmetric key algorithm

 Advantages

 Authentication
 Integrity
 Disadvantages
 Key distribution
 N(n-1)/2 keys for n users
Asymmetric key algorithm

 Advantages

 Authentication
 Integrity
 Disadvantages
 Less number of keys
Asymmetric Vs. Symmetric

Secret Key (Symmetric) Public Key (Asymmetric)

Number of keys 1 2

Protection of One key must be kept secret; the other can be freely
key Must be kept secret exposed
Secrecy and integrity of
Best uses data Key exchange, authentication

Speed Fast Slow

Stream Cipher

 One character process per once

Block cipher

 Group of plain text

Cipher techniques

 Substitution ciphers

 Caesar cipher
 Monoalphabetic ciphers
 Polialphebatic ciphers
◦ Transposition ciphers

 Rail fence
 Columnar

Caesar Cipher

 C = E(3, p)

= (p + 3) mod 26

 C = E(k, p)
 = (p + k) mod 26

◦ Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z

◦ cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Monoalphabetic Ciphers

 Plain: abcdefghijklmnopqrstuvwxyz
 Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
 Example

 Plaintext: ifwewishtoreplaceletters
 Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA

Poly alphabetic Ciphers

Algorithm

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A a b c d e f g h i j k l m n o p q r s t u v w x y z

B b c d e f g h i j k l m n o p q r s t u v w x y z a

C c d e f g h i j k l m n o p q r s t u v w x y z a b

D d e f g h i j k l m n o p q r s t u v w x y z a b c

E e f g h i j k l m n o p q r s t u v w x y z a b c d

F f g h i j k l m n o p q r s t u v w x y z a b c d f

G g h i j k l m n o p q r s t u v w x y z a b c d e g

H h i j k l m n o p q r s t u v w x y z a b c d e f g

I j k l m n o p q r s t u v w x y z a b c d e f g h i

J k l m n o p q r s t u v w x y z a b c d e f g h i j

Rail fence
mematrhtgpry

etefeteoaat

 MEMATRHTGPRYETEFETEOAAT

Columnar transposition

 Plain text: attackpostponeduntiltwoam

 Key: 4 3 1 2 5 6 7

 Cipher text: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Quality

 Confusion

 Complex relationship between plain text, key, cipher text

 Interceptor consume the time
 Diffusion

 Cipher spread the plaintext over the cyiphertext

Cryptanalysis

 Analyze the algorithm and plaintext to deduce the meaning of cipher text message

 Known Ciphertext-only Attack

 Known Plaintext Attack
 Chosen Plainext Attack
 Cryptanalyst

Hash Function

 Input

 Arbitrary block of data

  Process
 Encryption
 Output
 Fixed size bit string
 Message digest
 Application
◦ Message integrity

 Message authentication codes (MAC)

 Digital signatures
Massage Authentication Code

 MAC

 Information used to authenticate a message

 variable-length message
 Secret Key
 Drawback

 Symmetric key

◦ Message Authentication Code Fixed size is better than variable length

 Fixed size is better than variable length

Key Exchange

 E(KR-Pub,E(KS-Prv,K))

Digital Signature

 Only the sender can make

 Others can recognize the creator
 Authenticate
 Nonrepudiation
 Primary conditions
o Must be Unforgeable
 S(P,M)

o Must be authentic

 Other properties
 Not alterable
 Not reusable
Digital Signature
Time Stamped

 Use

 Software distribution
 Financial transactions
 Message authentication
 Key generation algorithm

 selects a private, public key pair

 Signing algorithm

 produces a signature.
 A signature verifying algorithm

 message, public key and a signature

 Accepts or rejects the message's claim to authenticity.
Digital Certificates

 Certificate

◦ Public key ?

 Certifies a user
 Signed by a third
party
 Signer’s private
key
 Time -stamped

Certificate authority
  Trusted third party
 Issue certificates
 Certify particular user
 Sign – for certifying

Program security
 Software failure
 Unexpected behavior
 A departure from the systems required behavior.
  Error in operation
 Loss of data
 Secure program- Program source code that is written to withstand failures.
 Flow
 Felt
 Frailer
Solutions

 Patch

 Piece of software designed to fix problems

 Updated program or data to fix a problem
 Patch may cause new problems \

Program Security

 Non malicious programs Errors

 Programmer mistakes
 Program malfunctions
 malicious programs
 Software designed to does something that user did not intend to do
 Malicious attacker can exploit non malicious program flow for malicious purposes

Non malicious Problems

1. Buffer overflows
2. Incomplete mediation
3. Time of check to Time of use error

Buffer

 Data structure
 Program or process store data
 Temporary data storage area
 Finite amount of data

Resource sharing
Buffer overflows

 Overflow

 Program or process tries to store data in a buffer than it was intended to hold.
 Translator

 an error message warning

 subscript out of bounds

 Some languages
◦ buffer sizes do not have to be predefined

 Attacker can replace instructions in OS code area or Data area

 Masquerade as OS - get higher priority

 replace code in system space

 Use stack pointer- sub procedure

 Replace return register
 Code Injection

Incomplete mediation

 Attacker access a resource because code does not properly validate

 Data type error
 Data range error
 Generates wrong result
 Default condition
 Attacker access a resource because code does not properly validate
 Data type error
 Data range error
 Generates wrong result
 Default condition
 Anticipate potential problems
 Client side validation
 Only valid choices
 Web applications - Editing URL
Exploited less often than buffer overflows but easily exploitable

Time of Check to Time of use error

 Access policy – who access what

 Request must be mediated

 While the security is checked

 condition changed

TOCTTO error

 Attacker gains access to a low security object, but switches it with a high security

 Request to access a file presented as a data structure

 File name
 Access mode

 Authorized

 Witting queue to be served

 Ensure serial integrity – avoid loss of control

 Access checking SW must own the data until the access is complete.
 Ensure not to expose critical parameters during loss of control

Malicious code

 Software designed to does something that user did not intend to do

  Secretly access a computer system without the owner's knowledge
 Disrupt software execution
 Modifies or destroys data
 Steals data - spy
 Allows unauthorized access
 initiate unnecessary communications
 Agent
 Trigger on

 Date or time -
 Event –program execution, program end , file access
 Condition – particular user activity
 Count –
 Malicious code runs under the user authority
 Source

 Downloads
 Software plug-in
 ActiveX controls
 Applets
 Setup programs

Installing downloads

 Setup take over the control

 Update files
 Delete files
 change registry
Taxonomy

 Independents

◦ self contained programs that can be scheduled and run by the OS

 Needs host :

◦ Programs that cannot exist independently of some program

Need host malicious codes

 Virus

 Replicate itself
 Pass malicious code to other programs
 Modify files
 ham the data and operations
 Two types
 Transient : life depends on the life of it’s host: the virus runs when the
host does

 Resident : virus locates itself in memory

 Trojan Hose

 Software attach itself to a harmless file

 Software that appears to perform a desirable function
 Also perform functions unexpected by user
 Logic bomb

 wait till triggered by a specific event

 Time Bomb

 Wait till the date or time to trigger

  Backdoor/Trapdoor

 Feature in a program which someone can access

 Perhaps with special privileges
Warms

 Computer program that copy itself through a network

 Send copies of itself to other nodes
 No need to attach itself to an existing program
 Consuming bandwidth
 Rabbit

 Virus or trogon which self replace without bounds

 Consume resources

Program security - Defenses

Defenses

 Prevention

 Cure

Prevention

 Development controls

 Operating system controls

 Administrative controls

Development controls

 Specifying

 Designing

 Coding
  Testing

◦ Modularity

◦ Mutual Suspicion

◦ Confinement

◦ Generic diversity

◦ Peer Reviews

Modularity

 Dividing a task into subtasks

 Easier to trace a problem

Modularity

 Each component

◦ Single purpose

 Performs one function

◦ Small

 Less amount of information

 structure and content

◦ Simple:

 Low degree of complexity

 Easy understand the purpose and

◦ Independent

 Task isolated from other modules

 Encapsulation

◦ Isolation
Abstraction

◦ Information hiding

 Advantages of small, independent components

◦ Maintenance

◦ Understandability

◦ Reuse

◦ Correctness

◦ Testing

 Coupling

• Degree which a component depends on other components

 Cohesion

• Degree which a elements of a component bind on other

 high cohesion and low coupling

Abstraction

 Hiding detail
  Hiding complexity

 Sharing is minimized

 cannot easily and maliciously alter the components

Encapsulation

 Limited interfaces

 Limited covert channels

Mutual Suspicion

 Relationship between two programs

 Calling program suspect called program

 Called program suspect calling program

 Limited access

Confinement

 Used by operating systems

 Strictly limited resources

Genetic Diversity

 Product with separate components

 Increase Genetic Diversity

  Reduce tight integration

Software Development

 Peer reviews

 Hazard analysis

 Testing

 Good design

 Prediction

 Static analysis

 Configuration management

 Analysis of mistakes

Peer Reviews

 Review

 Sharing a product

Hazard Analysis

 Expose potential hazards

◦ hazard lists

◦ prevention or mitigation strategies

◦ continue throughout the life cycle

◦ Hazard and operability studies (HAZOP) Failure modes and effects analysis
(FMEA) and Fault tree analysis (FTA)

Testing

 Unit testing

 Integration testing

 Acceptance test
  Function testing

 performance testing

 White box testing

◦ Test cases

 Black box testing

 Installation testing

Good Design

 Philosophy of fault tolerance

 Policy for handling failures

 Design rationale and history

 Design patterns

◦ Anticipate faults

◦ Handle

◦ Maximize safety and security

 Passive fault detection

 Active fault detection

Fault Tolerance

 Correcting fault

◦ Too risky

◦ Inconvenient

◦ Expensive

 Isolating the damage

 Minimizing disruption
Policy

 Retrying:

◦ Restoring the system

◦ Performing the service again

 Correcting

◦ Restoring the system

◦ Correcting

◦ Performing the service again

 Reporting

◦ Restoring the system

◦ Reporting the problem

◦ Not providing the service again

Prediction

 Predict the risks

 Un expected events

 Decide controls

Static Analysis

 Examine the design

 Performed before peer review

 Tools and techniques

 Aspects

◦ Control flow structure

 ◦ Data flow structure

◦ Data structure

Configuration Management

 Control over the software changes during development and maintenance

 Who makes which changes

◦ Corrective changes: Day-to-day functions

◦ Adaptive changes: modifications

◦ Perfective changes: perfecting existing functions

◦ Preventive changes: preventing from degrading

 Activities

◦ Configuration identification

◦ Configuration control and change management

◦ Configuration auditing

◦ Status accounting

 Configuration and change control board (CCB)

 Changes are evaluated for side effects

Configuration Identification

 Inventory of all components

◦ Code, DBMS, third-party software, libraries, test cases, documents (baseline)

Configuration Control & Management

 Coordinate separate, related versions

 ◦ 16-bit and 32-bit processors

 Separate files

 Deltas

 Conditional compilation

Configuration Auditing

 Confirms the baseline is complete and accurate

 Documentation

 Independent parties

Status accounting

 Document the components

◦ current version

◦ change history

◦ pending change requests

Learn from our mistakes

 Same mistake twice

 Document

◦ Failures

◦ Fixes

◦ Check list

Secure Programs

 Operating systems

 Databases offer security

 Features
 ◦ Different access to different items

◦ Different kinds of users

General Purpose Operating Systems

Operating System

 Multi user

 Multi tasking

 Access control

◦ Controlling shared access

◦ Interface to allow that access

Protected Objects

 Memory

 Files on auxiliary storage

  I/O devices

 Programs and sub procedures

 Networks

 Data

◦ Supported by hardware

Separation

 Keeping one user's objects separate from other users

◦ physical separation: Different processes use different physical objects-separate

printers for different levels of security

◦ temporal separation: processes having different security requirements are

executed at different times

◦ logical separation: users operate under the illusion that no other processes exist

◦ cryptographic separation: processes cover their data and computations

Sharing
  Do not protect

 Isolate

◦ Different processes are unaware of each other

◦ Deferent address space

◦ Files

 Share all or share nothing

◦ Declare public or private by user

 Share with access limitation

◦ Particular user’s access to a particular object

 Share by capabilities

◦ Degree of sharing depend on the owner

 Limit use of an object

◦ Deferent users have deferent rights for deferent objects

Memory and Address Protection

 Fence

◦ single-user operating systems

◦ Prevent System memory

◦ predefined memory address

◦ Drawback

◦ Space always reserved

Variable Fence Register

 Operating system can be protected

  Impossible to change the starting address

R
elocation

 Application began at address 0

 Relocate all address reflect in actual memory

 Fence register
 Base & Bounds Registers

 Base register (Variable fence)

◦ starting address

 Bounds register

◦ upper address limit

◦ context switch

◦ OS perform

◦ Change in execution

◦ Change register contents

 base and bounds

 User's address space

 User is perfectly protected

Two Pairs of Base & Bounds

 Secure user’s code & data

 Ability to split a program into two

pieces

More pairs of registers

  Code

 Read-only data

 Modifiable data

 limit for practical computer design

 Drawbacks

◦ Shared subprogram from a common library

Tagged Architecture

 Word memory has extra bits

 Identify the access rights

 Set by privileged instructions

◦ (operating system)

Segmentation
 Dividing a program into separate pieces

 Fixed size segments

 Code or data within a segment is addressed as the pair <name, offset>

 OS maintain a table of

◦ Segment names

◦ Segment addresses
Segmentation

 Advantages

◦ Any segment at any location

◦ Move any segment to any location

◦ Segment can be removed

◦ Address reference passes through the OS

 Perform security check

 Security benefits

◦ Each address reference is checked for protection.

 ◦ Different classes of data items can be assigned different levels of protection.

◦ Users can share access to a segment, with different access rights.

◦ A user cannot generate an address or access to an unpermitted segment

 Dynamic data structures

 Program can generate a reference to a invalid offset beyond the end of the segment

 No solution

◦ Compilation or even a program is loaded

 Solution

◦ Translation table maintain segment length

◦ Check every generated address

◦ Efficiency issues

Paging

 Program -Equal-sized pieces – Pages

 Memory -Equal-sized units -page frames.

◦ Page size = 512 - 4096 bytes

 OS maintain a table of

◦ Page numbers

◦ Page addresses

 Address

◦ <page, offset>
 ◦

Paging with Segmentation

 Segments : logical units

 Fixed-size pages

 Additional hardware
 Access Control to General Objects

 Goals in protecting objects

◦ Check every access

◦ Enforce least privilege

◦ Verify acceptable usage

◦ Objects

◦ Subjects

◦ Unique owner - possesses "control" access rights

 Directory

 User wise

 Maintained by OS

 Rights

◦ Read

◦ Write

◦ Execute

◦ Owner

Directory

 Disadvantages

◦ Deferent directory for each user

◦ Large data structures

◦ Entry for unwanted objects

◦ Time consuming operations

◦ Two entries under the same name for different

files

 A:F (or B:F)

 Rename by third user

 Access Control List

 One list for each object

 One directory for each subject

Access Control Matrix

 <subject, object, rights>

Capability

 keep track of the access rights of subjects to objects during execution

 Ticket giving permissions

 Access to an object

 Un-forgeable

◦ Don’t give the ticket directly to the user

◦ OS holds
 Encrypted

◦ key available only to the access control mechanism

Domain

 Local name space

 Collection of objects to which process has access

 Collection of capabilities

Procedure Calls

 Calling sub procedure

 Deferent domain

 Passing rights

◦ R,RW

 OS create New capabilities

 Procedure based Access Control

 Procedure that controls access to objects

 Accesses to an object be made through a trusted interface

 Users or general operating system routines cant access

 No simple, fast access

Role Based Access Control

 Deferent users

◦ Administrators

◦ Users or guests

 Associate privileges

◦ Users

◦ Groups

◦ Control access rights by job

File Protection Mechanisms

 All-None Protection

◦ Trust combined with ignorance

◦ All files are public

◦ Protected system files by system administrator

◦ Drawbacks

 Lack of trust

 Too coarse- not possible to configure selected users

  Rise of sharing

 Complexity

 File listings

 Group Protection

◦ User groups

◦ Common requirements

 Common project

 Department

 class

◦ Drawbacks

 Group affiliation - single user in two groups.

 Multiple personalities- redundant , inconvenient

 Limited sharing

 Individual Permissions

◦ Persistent permissions

 Number of access lists

 Revocation is not easy

◦ Temporary Acquired Permission

 Temporarily acquires access permission

 Only for execution of the program

User Authentication

 Something the user knows

◦ Passwords, PIN numbers

  Something the user has

◦ Driver's license

 Something the user is –biometrics

◦ Fingerprint

◦ Voice pattern

◦ Retina and iris

Passwords

 Problems

◦ Loss

 forgotten password

◦ Use

 Password for each access

 Time consuming

◦ Disclosure

 Unauthorized individual

◦ Revocation.

 Change password

Additional Authentication

 Multifactor authentication

◦ Department

◦ Branch

◦ Workstation

◦ Time period
Attacks on Passwords

 Try all possible passwords

◦ Exhaustive or brute force attack

 Try frequently used passwords

◦ Qwe,asd

 Try passwords likely for the user

◦ Meaningful to user

 Search for the system list of passwords

 Ask the users

Good Practice

 Good passwords

 Choose long passwords

 Avoid meaningful words

 Unlikely password

 Change the password regularly

 Don't write it down

 Don't tell anyone else

Loose-Lipped Systems

◦ UNKNOWN USER ENTER USER NAME:

adams is not the name

Exhaustive Attack

 Brute force attack

Impersonation of Login

 User trust the system

 Programmer capture the entry parameters

 User should interrupt any running process

◦ Break key

◦ Ctrl+Alt+Del

Trusted Operating Systems

Operating System

 Primary security provider

 Providing other services

 Targeted for attacks

Trusted Operating System

 Services

◦ Memory protection

◦ File protection

◦ General object access control

◦ User authentication

 Consistent

 Effective

Trusted Program

 Functional correctness

 Enforcement of integrity

 Limited privilege

 Appropriate confidence level

Security Policies

 Statement of the security which provided by the system

 A plan

◦ What is to be secured

◦ Why

◦ How

Military Security Policy

 Each piece of information is ranked

Military Security Policy

 Need-to-know rule

◦ Limit access

◦ Based on performing job

◦ classified information are associated with compartments

Trusted Operating System Design

 Good design principles

◦ Least privilege

 User , Program

◦ Economy of mechanism

 Design of the protection should be small, simple

◦ Open design

 Potential attackers

◦ Complete mediation

 Permission based. (default condition for denial of access)

◦ Separation of privilege

 More than one condition

 Authentication plus a cryptographic key

 Good design principles

◦ Least common mechanism

 physical or logical separation reduce the risk from sharing

◦ Ease of use
Features of Ordinary OS

Features of Protected OS

 Memory is separated by user

User, and data and program libraries have controlled

Features of Ordinary OS

 User authentication

◦ Identify each user

◦ password comparison.

 Memory protection.

◦ User's program run in portion of protected memory

 File and I/O device access control

 ◦ Protect user and system files

 Allocation access control to general objects

 Enforced sharing

 Guaranteed fair service

 Interposes communication and synchronization

 Protected operating system protection data

Features of Protected OS

 Identification and Authentication

 Mandatory and Discretionary Access Control

 Policy decisions are made beyond the control

 Central authority determines

 User cannot change access rights

 Discretionary access control (DAC)

 Objects owner or any authorized user control the access to object

 Object Reuse Protection

 Reusing objects is efficient

 Control object reuse by another user

 OS clear or overwrite objects reassigned space before second user

 Trusted Path

 Setting a password

 Changing access permissions

Trusted communication
  Accountability and Audit

◦ maintaining a log of security-relevant events

 Audit Log Reduction

 Intrusion Detection

◦ Analyze audit log

◦ Identify patterns

◦ Warning

Kernelized Design

 Kernel/nucleus or core

◦ Interprocess communication

◦ Message passing

◦ Interrupt handling

 Security kernel

◦ Security mechanisms of the entire operating system

◦ Control user access

◦ Control interposes communication

 Coverage

◦ Every access to a protected object must pass the security kernel

 Separation
 ◦ Isolating security mechanisms both from the rest of the operating system and from
the user space

◦ protect security mechanisms

 Unity

◦ All security functions are performed by a single set of code

◦ Easier to trace the cause of any problems

 Modifiability

◦ Changes to the security mechanisms are easier to make and easier to test

 Compactness

◦ Performs only security functions, Small component

 Verifiability

◦ Relatively small

◦ Analyzable

 Adds yet another layer of interface

 Degrade system performance

 Reference monitor

◦ Controls accesses to objects

◦ Tamperproof - impossible to disable

◦ Unbypassable

◦ Analyzable - small enough to analysis and testing

  Reference monitor

◦ Controls accesses to objects

◦ Tamperproof - impossible to disable

◦ Unbypassable

◦ Analyzable - small enough to analysis and testing

Trusted Computing Base

 Everything in the trusted operating system necessary to enforce the security policy

◦ HW,SW

 Modular operating systems

◦ Security activities

◦ Other functions

◦ Gathering all security function to TCB destroy modularity

 Security-related activities are performed in different places

Virtualization

 OS simulate collection of computer resources

 Virtual machine

◦ Collection of simulated hardware facilities

◦ Processor, memory, I/O (printer, logical drives)

◦ Deferent resources

 Multiple Virtual Memory Spaces

Layered Design

◦ Hardware

◦ Kernel

◦ Operating system

◦ User

◦ Single logical function with several different modules in deferent layers

 Database and Data Mining Security

System Data

 System data

◦ OS data

◦ User data

◦ Application data

 Database

◦ Dat

◦ Txt

◦ Log

◦ …..

◦ Database Management Systems

Database Components

 Records

 Fields, Column

 Attribute

 Elements
 Name Address Location code Reference

212 Market
ADAMS St. Columbus OH 43210

501 Union
BENCHLY St. Chicago IL 60603

CARTER 411 Elm St. Columbus OH 43210

Structure

 Logical structure –Schema

◦ Part of database – subschema

Schema & Subschema

Addre Sta Airpo

Name First ss City te Zip rt

212
ADAM Charle Mark Columb 432
S s et St. us OH 10 CMH

212
ADAM Edwar Mark Columb 432
S d et St. us OH 10 CMH

501
BENCH Union 606
LY Zeke St. Chicago IL 03 ORD

411
CARTE Marle Elm Columb 432
R ne St. us OH 10 CMH

CARTE Columb 432

411
R Beth us OH 10 CMH
Elm
 St.

411
CARTE Elm Columb 432
R Ben St. us OH 10 CMH

411
CARTE Lisabe Elm Columb 432
R th St. us OH 10 CMH

411
CARTE Elm Columb 432
R Mary St. us OH 10 CMH

Relation is a set of related columns

Advantages of Using Databases

 Shared access

◦ Many users can use one common, centralized set of data

  Minimal redundancy

◦ Individual users do not have to maintain own data

◦ Reduce db size

 Data consistency

◦ Change to a data value affects all users of the data value

 Data integrity

◦ data are protected against accidental or malicious changes

 Controlled access

◦ Authorized users are only allowed to access

Security Requirements

 Physical database integrity

◦ Data of database are resistant to physical problems

 Power failures

 Reconstruct

 OS protection

 Logical database integrity

◦ Structure of the database is preserved

 Integrity of a database

 Modification of one field does not affect other fields

 Authorized individuals

 Element integrity

◦ Element are accurate

 Field check(numeric, uppercase)

 Access control

 Change log
  Auditability

◦ Track who or what has accessed

◦ Track what actions are performed

◦ Audit record

 Access control

◦ Logically separated for users

◦ Allowed to access only authorized data

◦ Different users have deferent access modes

 User authentication

◦ Every user is identified

 Availability

◦ Users can access the database which they are authorized

◦ Repaired or upgraded?

Reliability and Integrity

 Reliability

◦ Execution without failures

◦ Dimensions

◦ Database integrity: Whole DB is protected against damage

 Disk failure

 DB Corruption

 Operating system

◦ Element integrity: Value of a specific data element is protected

 Control unauthorized users

 DBMS
 ◦ Element accuracy: Accuracy of values in elements

 Checks the values of elements,

 Constraint conditions

 OS Protection Features

◦ Backing up

◦ Restore

◦ Access control facilities

◦ DBMS Protection Features

◦ Two phase update

◦ Redundancy/Internal Consistency

◦ Concurrency control/Consistency

◦ Monitor

 Two-Phase Update

◦ Failure in the middle of modifying data

◦ Intent

 DBMS gathers the resources it needs

 Open files

 Lock other users

 Create dummy records

◦ Commit

 Writing of a commit flag to the database

 Redundancy/Consistency

◦ Additional information to detect inconsistencies

 Few check bits

  Shadow fields

◦ Recovery features

 Db reload from backup

 Later changes are applied from the audit log

 Concurrency/Consistency

◦ Updating in Transactions

◦ Locking(db, table, record, attribute)

 Monitor

◦ Responsible for structural integrity of the database

◦ Data type , format, range

◦ Filter

 State Constraints

◦ Condition of the entire database

◦ Shouldn't violate

◦ Commit

◦ Primary keys

 Transition Constraints

◦ Conditions necessary before changes can be applied to a database

Sensitive Data

 Sensitivity/Access control

◦ Important

◦ Shouldn't public

◦ DB ,Table ,Record ,Attribute

 Access levels - Sensitive level

  Access Decisions

◦ Database administrator

◦ Access policy

◦ DBMS

Inference

Derive sensitive data from nonsensitive data

 Direct Attack

◦ Tries to determine values of sensitive fields

◦ Select from query

 Indirect Attack

◦ Release only statistics

Sum, avg

 Controls for Statistical Inference Attacks

◦ Query should disclosed sensitive data

 Controls

◦ Suppression - sensitive data are not provided

◦ Concealing – not the exactly the actual value

 Mechanisms

◦ Random Sample check

◦ Query Analysis

Multilevel Databases

 Sensitivity

◦ Attribute

◦ Deferent sensitivity levels

 ◦ Security

 Each individual element

 Several grades of security

 Security for aggregations – deferent attributes

◦ Granularity

 Every element of a database have a distinct sensitivity

 Every combination of elements have distinct sensitivity

Name Department Salary Phone Performance

Rogers training 43,800 123 A2

Jenkins research 62,900 345 D4

Poling training 38,200 321 B1

Garland user services 54,600 3456 A4

Hilten user services 44,500 765 B1

Davis administration 51,400 345 A3

Designs of Multilevel Security

 Efficiency

 Flexibility

 Simplicity

 Trustworthiness

Multilevel Databases

 Implementation Mechanisms

◦ Partitioning

◦ Encryption
  Deferent keys

◦ Integrity Lock

 Limited access

 Integrity

 Implementation Mechanisms

◦ Sensitivity Lock

 Separate lock for record

 Encrypted

 Data item

 Sensitivity


Designs of Multilevel Security

 Protect data item and its sensitivity

 Process efficiency

◦ Encoding

◦ Decoding

 Additional space

 Untrusted database manager

 Trusted front end

◦ Reference monitor

◦ Authenticates the user's identity.

◦ Pass query to the database manager

◦ Pass query Results

 Database Manager

◦ I/O access

 Commutative Filters

◦ Forms an interface between the user and DBMS

 ◦ Reformats the query

 Improve efficiency

 Distributed Databases

◦ Trusted front end controls access

◦ Multiple databases

◦ Complex implementation

◦ View/window

◦ Subset of data

◦ Filtering original DB

TCB
Data Mining

 Order

 Categorize

 Search

 Patterns

 Relations

 Summerize

 Automated

Advantages

 Analyzing System data

◦ Audit logs

 Identify patterns related to attacks

 Prevention tools

 Prevention techniques

Security Concerns

 Confidentiality

◦ Commercially sensitive data

◦ Inference

◦ Aggregate may reveal sensitive related information

◦ Data collector can sell to competitors

 Availability

◦ Combining databases

◦ Structure
  Integrity

◦ Data collector can alter data

◦ Redundancy

 Deferent primary keys

Security in Networks

Vulnerability

 Anonymity

◦ Disguise the attack's origin

 Many points of attack

◦ Targets

◦ Origins

◦ All the hosts may not in the control of administrator

 Sharing

◦ Access

 Complexity of system

◦ Deferent networks

◦ Deferent Systems

◦ Not visible- abstraction

Vulnerability

 Unknown path

◦ Routing

◦ Unsecure paths
  Unknown perimeter

◦ Network boundary

◦ Accessibility

◦ Malicious users

Attackers

 Earn in illegally

 Prove themselves with challenge

 Organized criminals
  Steel information

 Sabotage

 Terrorists

 Script kiddies

◦ People who download and run attack scripts

◦ Not creative

Identify Vulnerabilities

 Reconnaissance / Investigation

 Port Scan

◦ Gather network information

◦ Running services

◦ Running applications

◦ Responding ports for the system

◦ Versions

 Social Engineering

◦ Impressed by the high-level person

 Intelligence

◦ eavesdropping

 Bulletin Boards and Chats

◦ Knowledge sharing

 Documentation

Methods

 Eavesdropping
  Interception

 Impersonation

 Denial of Service

 Connection Flooding

◦ ICMP

Methods/Medium

 Wiretap

◦ Passive wiretapping

◦ Active wiretapping

 Inductance

◦ Radiation

 Microwave interception

 Satellite, wireless
 ◦ Impersonate

◦ Interfere

 Optical fiber

Web Site Vulnerabilities

 Completely exposed

◦ Visible code

 Able to download

 Buffer overflow

 Incomplete mediation

 Editors & utilities

 Code errors

 Server side programs

 Denial of Service

Denial of Service

 Flood

◦ Smurf

◦ Teardrop

 datagrams that cannot fit together

◦ Traffic Redirection

◦ DNS Attacks
Denial of Service

 Distributed Denial of Service

◦ Trojan Horse

◦ Zombie

 Computer

◦ Same time

Malicious code carrie

 Active or Mobile Code

 ◦ Save

 Server resources

 Band width

 Better execution of components

◦ Download from Server to client for execution

◦ Active X Controls

◦ Java applets

 Cookies

◦ Not active code

◦ Temp data files, expires

 Machine name, connection details, date

◦ Downloaded to client, read by server

◦ Intercept and impersonate as user

  Scripts

◦ Common Gateway Interface (CGI)

◦ Active server pages (ASP)

 Bots

◦ Malicious code under remote control

◦ network of bots, called a botnet

◦ distributed denial-of-service attacks

Network Security Controls

 Good principles of

◦ System analysis

◦ Design
 ◦ Implementation

◦ Maintenance

 Architecture Design

◦ Segmentation

 limits the level of damage a single vulnerability

 Web server - handle HTTP sessions

 Application code

 Databases

 Redundancy

◦ Multiple Servers

 If one fails, the other takes over processing

 Application / DB

 Encryption

 Link Encryption

◦ Data are encrypted just before send to physical link

 Link Encryption

 End-to-End Encryption

◦ Software

◦ Hardware
  End-to-End Encryption

Comparison

Link Encryption End-to-End Encryption

Security within hosts

Data exposed in sending host Data encrypted in sending host

Data exposed in intermediate nodes Data encrypted in intermediate nodes

Role of user

Invisible to user User applies encryption

Host maintains encryption User must find algorithm

One facility for all users User selects encryption

Typically done in hardware Either software or hardware implementation

All or no data encrypted User chooses to encrypt or not, for each data item

Implementation concerns

Requires one key per host pair Requires one key per user pair

Provides node authentication Provides user authentication

Virtual Private Networks

 Network established by using public network for secure communication

 Tunnel mode
 SSH Encryption

◦ Provides an authenticated and encrypted path

 SSL Encryption

◦ TLS

◦ Encrypted channel between client and server

 SSL Encryption

◦ Client requests an SSL session

◦ Server responds with its public key certificate

 Server authenticity

◦ Both the server and client compute the session key

 Use servers public key

 ◦ Secure commutation start

 IP Security

◦ Version 6 of the IP protocol suite

 Spoofing

 Eavesdropping

 Session hijacking

◦ Similar to SSL

 Encapsulated security payload

Honeypots

 Attracting

 Monitoring the actions of an attacker

 Actual system should be safe

Intrusion detection system

 Device or component that is

 placed inside a protected network to

 monitor what occurs within the network

 identify malicious or suspicious events

 Host based
  Network based

◦ Stealth Mode

 Functions

◦ Monitoring users and system activity

◦ Auditing

 system configuration for vulnerabilities

 Misconfigurations

◦ Assessing the integrity of critical system and data

◦ Recognizing known attack patterns

◦ Identifying abnormal activity through statistical analysis

◦ Managing audit trails

◦ Highlighting user violation

◦ Correcting system configuration errors

Types of IDSs

 Signature-Based Intrusion Detection

 ◦ pattern-matching

◦ Statistical analysis

 Heuristic Intrusion Detection

◦ Anomaly based

◦ Model of expected behavior

◦ Unexpected behaviors are flagged

◦ Administrator can change the flags

Intrusion detection system

 Alarm network is separated