1 / 28

Lecture 10: Security Design Principles

Lecture 10: Security Design Principles. CS 436/636/736 Spring 2012 Nitesh Saxena. Course Admin . HW3 due at 11am on Thursday Please submit on time. Today’s Info/fun bit: RFID Relay Attack To Enter UAB Classroom. response. query. query. query. response. response. An Exercise .

garrett-tillman
Download Presentation

Lecture 10: Security Design Principles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 10: Security Design Principles CS 436/636/736 Spring 2012 Nitesh Saxena

  2. Course Admin • HW3 due at 11am on Thursday • Please submit on time Lecture 9: Security Design Principles

  3. Today’s Info/fun bit:RFID Relay Attack To Enter UAB Classroom response query query query response response

  4. An Exercise • Spot an attack on this protocol meant of mutual authentication between A and B, assuming the two share a symmetric key • A  B: rA • B  A: Enck(rA, rB) • A  B: rB Lecture 9: Security Design Principles

  5. Design Principles for Secure Systems • Two basic themes: • Simplicity – KISS • Makes design and interactions easy • Easy to prove its safety • Restriction • Minimize the power of entities Lecture 9: Security Design Principles

  6. Principles of design • Principle of least privilege • Principle of fail-safe defaults • Principle of economy of mechanism • Principle of complete mediation • Principle of open design • Principle of separation of privilege • Principle of least common mechanism • Principle of psychological acceptability Lecture 9: Security Design Principles

  7. Principle of least privilege • Entity should be given only those privilege needed to finish a task • Temporary elevation of privilege should be relinquished immediately • Granularity of privileges • Append permission only for logging process. Lecture 9: Security Design Principles

  8. Principle of fail-safe defaults • Unless a subject is given explicit access to an object, it should be denied access to the object. • Default access to an object is none • Access Control Lists (ACLs), firewall examples. • Restricting privileges at the time of creation Lecture 9: Security Design Principles

  9. Principle of economy of mechanism • Security mechanism should be as simple as possible. • Fewer errors • Testing and verification is easy • Assumptions are less • Interface to other modules • Implicit assumptions of modules • Finger example Lecture 9: Security Design Principles

  10. Principle of complete mediation • All accesses to objects should be checked to ensure they are allowed. • UNIX file descriptor • DNS cache poisoning. • Restrict caching policies • Security vs. performance issues Lecture 9: Security Design Principles

  11. Principle of open design • Security of a mechanism should not depend upon secrecy of its design or implementation (why not?) • Secrecy != security • Complexity != security • “Security through obscurity” • Cryptography and openness Lecture 9: Security Design Principles

  12. Principle of separation of privilege • System should not grant permission based on single condition • Company checks over $75,000 to be signed by two officers. • Example: “su” on BSD requires • User be in group “wheel” • User knows root password • Restrictive because it limits access Lecture 9: Security Design Principles

  13. Principle of least common mechanism • Isolation • Mechanisms used to access resources should not be shared • Restrictive because it limits sharing • Amazon website – Denial of service attacks!! Lecture 9: Security Design Principles

  14. Principle of psychological acceptability • Security mechanism should not make the resource difficult to access • Recognizes the most important element in computer security? The human! Lecture 9: Security Design Principles

  15. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 1 • Viruses cause havoc because, any program or script that is downloaded or received as email attachment, runs with the privileges of the user that runs them. Or worse the privileges of the application. • What is the problem? • What design principles are being exploited? Lecture 9: Security Design Principles

  16. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 2 • Unix password authentication • Which design principle is being adhered to mainly? Lecture 9: Security Design Principles

  17. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 3 • “wifi-free” is the wireless LAN to be used by a University faculty, students and staff. However, even a guy at a nearby cafe could use it!!!!!! • What design principles are being violated? Lecture 9: Security Design Principles

  18. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 4 • A bluetooth Device A wants to establish a key with another bluetooth device B Mechanism 1: they agree upon a common trusted CA, get certificates from this CA and for example, use STS protocol to establish a key Mechanism 2: they use a physical channel (e.g., an audio channel) to establish a key • Which mechanism better adheres to the principle of economy of mechanism? Lecture 9: Security Design Principles

  19. Example 5 • TLS defines a mandatory server side certificate and an optional client side certificate. Though highest level of security is achieved using client and server side certificates, client side keys did not become very popular because of administrative overhead (Installation, expiration of client side certificates). • What design principle is being violated? Lecture 9: Security Design Principles

  20. SSL Handshaking Messages *=optional

  21. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 5 • TLS defines a mandatory server side certificate and an optional client side certificate. Though highest level of security is achieved using client and server side certificates, client side keys did not become very popular because of administrative overhead (Installation, expiration of client side certificates). • What design principle is being violated? Lecture 9: Security Design Principles

  22. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 6 • COCA (Cornell Online Certification Authority) distributes the operation of issuing certificates among multiple servers • What is the main principle COCA is trying to adhere to? Lecture 9: Security Design Principles

  23. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 7 • Polynomial secret sharing • What principle is being adhered to? Lecture 9: Security Design Principles

  24. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 8 • Various cipher machines were developed and used during the two World Wars. For example, Enigma, Schlusselzusatz, Purple, etc. It was believed that keeping secret the design of the machines will help boost the security. • Which principle is being violated? Lecture 9: Security Design Principles

  25. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 9 Every time A receives a certificate from B, she should verify if B’s certificate is not revoked. We studied the mechanism of CRLs to achieve this. • Which principle is being violated by CRLs? • What would be a better solution? • Online Certificate Status Protocol (OCSP) Lecture 9: Security Design Principles

  26. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 10 • Policy on password selection to access machines at a University: • Use both uppercase and lowercase letters if the computer system considers an uppercase letter to be different from a lowercase letter when the password is entered. • Include digits and punctuation characters as well as letters. • Choose something easily remembered so it doesn't have to be written down. • Use at least 8 characters. Password security is improved slightly by having long passwords. • A password should be easy to type quickly so someone cannot follow what was typed by watching the keyboard. • Use two or more short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON. • Put together an acronym that has special meaning to you, like NOTFSW (None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat Green Cheese At Night). • Which principle is being violated? Lecture 9: Security Design Principles

  27. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 11 • Keyboard acoustic emanations • Which principle is being exploited? Lecture 9: Security Design Principles

  28. Principle of least privilege Principle of fail-safe defaults Principle of economy of mechanism Principle of complete mediation Principle of open design Principle of separation of privilege Principle of least common mechanism Principle of psychological acceptability Example 12 • RFID (Radio Frequency Identification cards) • Which principle(s) do they violate? Lecture 9: Security Design Principles

More Related