420 likes | 583 Views
EXTRACTS FROM TRIPOS. Jennifer Seberry. Introduction. We look at a number of applications which need various combinations of confidentiality, availability and integrity properties. Transaction Processing Systems. ATMs – The original retail transaction processing system.
E N D
EXTRACTS FROM TRIPOS Jennifer Seberry
Introduction • We look at a number of applications which need various combinations of confidentiality, availability and integrity properties.
Transaction Processing Systems • ATMs – The original retail transaction processing system. • Since 1968 – world installed base 300,000 – 500,000 • Encryption techniques used to generate PINs in secure hardware devices located within ATMs and at bank computer centres • Telephone Cards – prepaid cards, SIMs • SIMs are smart cards that identify the user for billing, manage keys for encrypting the conversation, and let the subscriber perform banking functions and place bets on horse races.
Transaction Processing Systems 2 • Prepayment electricity meters • Road toll and parking garage tokens. • Lottery ticket terminals – uses encryption to ensure that vendors cannot manufacture valid tickets after the draw. • Allow postal franking machines to replenish remotely
Electronic Warfare and Similar Topics NATO Security Classifications • Restricted – little known military value • Confidential – could cause serious damage to operational effectiveness • Secret – would threaten life directly, or seriously damage relations with friendly governments • Top Secret – would lead directly to widespread loss of life, threaten directly the internal stability of friendly countries
Electronic Warfare and Similar Topics 2 • This is a multilevel secure system. It has the property that processes can read down and write up, but never vice versa.
Electronic Warfare and Similar Topics 3 Cryptographic techniques are used in many roles in modern warfare – • Frequency agile radar. • Spread spectrum radio. • Identify friend or foe.
Electronic Warfare and Similar Topics 4 Other commercial applications • Satellite and other pay-per-view TV • Burglar alarms • Sniffers • Computer access tokens • Tachographs
End-to-End: SWIFT 1 • Is owned cooperatively by several thousand banks worldwide to provide a secure ‘email’ system for messages of value • Confidentiality depends on line encryption devices between the banks and the local SWIFT node, and between these nodes and the main SWIFT processing sites.
End-to-End: SWIFT 1 • Keys are hand carried in EEPROM cartridges between the devices at either end of a leased line. • SWIFT 1 ran for 20 years without a single report of external fraud. • There were many internal frauds – such as programmers inserting bogus messages into the SWIFT processing queues
Data Translation –ATM Networks • Most ATMs operate using some variant of a system developed by IBM. This uses a secret key – PIN • An offset can be added to the PIN operation – this has no real cryptographic function; it just enables customers to choose their own PIN. The following slide has an example of this process -
Data Translation –ATM Networks -2 Account Number N: 8807012345691715 PIN key PK: FEFEFEFEFEFEFEFEFEFE Result of DES {N} KP: A2CE126C69AEC82D {N} KP decimal zed: 0224126269042823 Natural PIN: 0224 Offset: 6565 Customer PIN: 6789
Data Translation –ATM Networks -3 • Security depends on keeping the PIN secret, and the usual strategy is to supply a ‘terminal master key’ to each ATM , in the form of two printed components, which are carried to the branch by two separate officials, input at the ATM keyboard, and combined to form the key.
Data Translation –ATM Networks -4 • The problem faced by VISA and MasterCard was to extend this security policy to tens of thousands of banks worldwide. The solution was to insist on standardized encryption units, called ‘security modules’, which provide a trusted computing base, or TCB, with modules at each member bank and in each switch on the network
Multistate Machines • Many CPUS have some simple security mechanism supported in the hardware, on which the higher level access control mechanisms are built. • Early IBM mainframes had a two state CPU: the machine was either in authorized state or it was not. • Much the same happens with Unix systems. A program can run as root or as a user.
Multistate Machines 2 • Most security holes have always been caused by bugs. • If designing an access control system to enhance the IBM PC architecture, there are a number of choices • Control access to DOS applications only • Add extra hardware e.g. An encryption chip in the disk controller • Make the security depend on the obscurity of certain features in your design e.g. hide a disk encryption key in a bad sector
Access Control Matrices • The access control system is designed to limit access by users to system resources. Its effect can often be modeled by an access control matrix: File 1 File 2 File 3 File 4 Sam rwx rwx rw r Alice x x rw 0 Bob x r r r
Access Control Matrices 2 • The Clarke-Wilson security policy limits access to constrained data items to authorized transformation procedures which write an audit trail. File 2 becomes the TP and File 3 the CDI. File 1 File 2 File 3 File 4 Sam rwx rwx rw r Alice x x 0 0 File 2 x - rw w Bob rx r r r
SECURITYUnix • Mechanisms – • Kernel (system) vs. User (application) • root (superuser) vs. User (mortal) • Permission flags – ACLs • Groups • Set-user-id (setuid, suid) and setgid
SECURITYUnix 2 • Problems • Kernel bloat • Root bloat – much runs as root when more limited privilege could be used. Some examples – * mailers * lpr/lpd * sockets
SECURITYUnix 3 • Unprotected resources – often programmers avoid root bloat by simply leaving important shared data structures and resources accessible to all users. Examples - * ttys/ptys * mail spool * utmp
SECURITYUnix 4 • SUID • Suid programs are very difficult to do right: * Run with all the privileges of the creating user. Suidness is inherited by sub processes * Suid programs inherit the environment from their parent process * Suid shell scripts * kernel bugs can allow tracing
SECURITYUnix 5 * Shared libraries are often loaded from directories specified by environment variables * Argument mangling and substitution * Signals can easily be sent by the caller of a suid program
The Effect of Viruses • Vast majority of viruses are to be found on PCs and MACs. • Viruses can be used to attack multi-level secure systems – * The reference monitor can be corrupted, hence the virus can deliver the entire system to the attacker. * If the TCB remains intact then the virus could still use any available covert channel to signal information down.
The Effect of Viruses 2 A well designed TCB will protect against viral attacks, as well as against careless or malicious disclosure by users or applications software.
Verification and Evaluation The main evaluation classes are as follows: • C1 discretionary access control by groups of users • C2 discretionary access control by single users; object reuse; audit • B1 mandatory access control • B2 structured protection • B3 security domains • A1 verification design
Steganography(Hidden Writing) • A technique to prevent an opponent from reading your traffic and for him to remain unaware that there is any traffic at all. Old examples of this: * In ancient Greece tattooing on a slaves head * invisible ink * microdot * low-bandwidth applications
Steganography(Hidden Writing) 2 • More modern techniques include: * burst transmission systems * meteor scatter radio * spread spectrum radio * encryption
Tempest • Tempest attacks involve reconstructing the screen image (or other useful information) from the stray radio frequency emissions from monitors and other components. Most of the material on Tempest remains classified, with the result that most researchers outside the military have a clear idea of the threat, and of what countermeasures are appropriate or even possible.
Clark-Wilson • The Clark-Wilson model of computer security seeks to formalise the ideas of good practice which have accumulated over centuries in the accountancy profession. The model can be summarised as follows: There are procedures whereby data can be input – turned from an unconstrained data item into a constrained data item, or CDI – and whereby the validity of a CDI can be checked. Access control is by means of triples (subject, TP, CDI) which are so structured that a dual control policy is enforced.
Malicious Code • Malicious code is more likely to deny service than to attempt to breach confidentiality, e.g. the internet worm denied Internet service to thousands of users • A virus will typically have two components – • a replication mechanism – The commonest way for a virus to replicate itself is to append itself to an executable file and patch itself in.
Malicious Code 2 • Payload – this will usually be activated by a trigger, such as a date, and then may do one or more of a number of bad things: * make selective or random changes to the machines protection state * make selective or random changes to user data * lock the network * steal CPU resources for some nefarious task
Malicious Code 3 • In the practical world the most important protective measure is managerial discipline – * to review all software loaded * provide a central reporting point • In the academic world research centres on making smarter antivirus products.
Denial of Service • Viruses and other malicious code are only one example of a denial of service attack. Jamming is another, whether of radar or of missile telemetry.
Interference and Aggregation • Security considerations may even place limits on the quality of service which we can offer in some applications. A good example is the prevention of inference attacks on statistical database systems. * The classic example is census information.
Intrusion Detection • Sound an alarm whenever a user’s behaviour departs significantly from the established norm – the assumption is that the user’s password or access control must have been compromised. • Detection systems look at the pattern of usage of operating commands or specific actions. • Another example would be for credit card companies to monitor a customer’s spending pattern.
Application Level Controls • The most important application level security feature is ease of safe use. This means that systems should be designed with failsafe defaults and in the full appreciation of the various mistakes that people make.
Further Reading • “A short course on Computer Viruses” – Fred Cohen • “Development Guidelines for Vehicle Based Software” - Motor Industry Software Reliability Association’s booklet
Risk Analysis • The basic idea is to prioritise security expenditure, while at the same time provide a financial case for senior management. The most common technique is the calculation of the annual loss expectancy, or ALE, for each possible loss scenario.
Organisational Aspects of Security • Most security breaches in the real world come from blunders. Rather than the skill of a capable motivated opponent, they arise from the stupidity of the victim’s own system designers, developers, operators, or managers. • An emerging theme is the strong correlation between quality and security. Investment in software quality will reduce the incidence of computer security problems.
Organisational Aspects of Security 2 • The most effective quality measure is the code walk-through. • There are clearly discernable fashions in computer security – * 1980’s – hackers * late 1980’s - viruses * 2000 - firewall • The project leader must build a robust system which takes into account the current discernible fashions in computer security