Security Engineering - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security Engineering
  • (overview)
  • John.Giacomoni_at_colorado.edu
  • 2002.01.14

2
Purpose of Security Engineering
  • Resource Protection
    • Confidentiality
    • Integrity
    • Availability

3
Mechanisms
  • Access Control
  • Authentication
  • Protocols
  • Mediation
  • Audit

4
Mechanisms (Access Control)
  • Restricting Access to Named Subjects

5
Mechanisms (Authentication)
  • Ensuring Authenticity of Subject
  • (is the participant the subject it claims to be)

6
Mechanisms (Protocols)
  • Information Exchange Mechanisms

7
Mechanisms (Mediation)
  • Mechanisms Used to Grant Resources (objects) to
    Subjects

8
Mechanisms (Audit)
  • Usage Reports
  • Forensic Analysis
  • Intrusion Detection

9
Toolbag
  • Cryptography
    • Symmetric (Shared Secret)
    • Asymmetric (Public/Private Keys)
    • Digital Signatures
    • Secure Hashes

10
What's Good with Cryptography?
  • Strength based on Key
  • Algorithm/Protocol can be Publicly Accessible
  • Foundation in Clean Mathematics
  • Algorithms Publicly Reviewed and Accepted are
    Rarely Broken in Production Systems.

11
Results of Good Cryptography
  • Seen as a Panacea
  • Rarely Directly Attacked

12
Mechanism Failures (Access Control)
  • Collusion
    • Manager Gives Personal Keys to Repair Technician
  • Naming Attacks
    • DNS Cache Poisoning
    • Certificate Authority Database Corruption

13
Mechanism Failures (Authentication)
  • Collusion
    • Manager Gives Personal Keys to Repair Technician
  • Identity Theft
    • Stolen Authentication Secrets/Tokens

14
Mechanism Failures (Protocols)
  • Eavesdropping
    • Unencrypted Sniffing
  • Reflection
  • MIG/Man-in-the-Middle
  • Logic Errors

15
Mechanism Failures (Mediation)
  • Authentication/Naming
  • Corruption of Trusted Computing Base
  • Logic Errors

16
Mechanism Failures (Audit)
  • Audit Trail Altered
    • Audit File NOT Append-Only
  • Audit Trail Overloaded
    • Overloading Audit Log Partition
  • Access Control/Authentication Failures
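As an added illustration of the "Audit Trail Altered" failure (example code, not part of the slides), a hash-chained audit trail in which each record commits to the one before it, so that editing, deleting or reordering an earlier entry is caught on verification. The event records are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append-only: a record can only be added on top of the current head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
    log.append(record)
    return record


def verify(log: list) -> int:
    """Return the index of the first inconsistent record, or -1 if intact.
    An altered, deleted or reordered earlier record breaks every link after it.
    Note: this only detects tampering if the head hash is also anchored
    somewhere the log writer cannot rewrite (a separate host, a signed copy)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["event"]):
            return i
        prev_hash = rec["hash"]
    return -1


def demo() -> tuple:
    """Build a small trail, alter one entry, and show the check fails."""
    log = []
    for ev in [  # constructed sample events
        {"ts": 1, "user": "alice", "action": "login", "ok": True},
        {"ts": 2, "user": "alice", "action": "read", "object": "payroll"},
        {"ts": 3, "user": "bob", "action": "login", "ok": False},
    ]:
        append(log, ev)
    before = verify(log)                 # -1: chain consistent
    log[1]["event"]["object"] = "memo"   # history rewritten after the fact
    return before, verify(log)           # (-1, 1): break detected at record 1
```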

17
Advanced Mechanisms
  • Multilevel Security
  • Multilateral Security

18
Multilevel Security
  • Bell-LaPadula
    • Read Down
    • Write Up
    • Confidentiality
  • Biba
    • Read Up
    • Write Down
    • Integrity
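As an added example (not from the slides), a minimal reference monitor that puts the two rule sets above side by side: Bell-LaPadula permits read down and write up to protect confidentiality, and Biba, its dual, permits read up and write down to protect integrity. Levels are hypothetical integers, higher meaning more sensitive or more trusted.

```python
from dataclasses import dataclass

UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3  # hypothetical lattice


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int   # BLP: confidentiality clearance
    integrity: int   # Biba: integrity level


@dataclass(frozen=True)
class Obj:
    name: str
    classification: int
    integrity: int


def blp_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula: read down, write up.
    No read up: a subject only reads objects at or below its clearance.
    No write down: a subject only writes objects at or above its clearance,
    so secret data cannot flow into a lower-classified object."""
    if op == "read":
        return obj.classification <= subj.clearance
    if op == "write":
        return obj.classification >= subj.clearance
    raise ValueError(op)


def biba_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Biba: read up, write down (the mirror image of BLP).
    No read down: a subject must not take input from less trusted objects.
    No write up: a subject must not modify more trusted objects."""
    if op == "read":
        return obj.integrity >= subj.integrity
    if op == "write":
        return obj.integrity <= subj.integrity
    raise ValueError(op)


def mediate(subj: Subject, obj: Obj, op: str, policy=blp_allows) -> bool:
    """Mediation: every access request is decided by the chosen policy."""
    return policy(subj, obj, op)
```

Running both policies over the same subject and object shows why BLP data "floats up": a SECRET subject may write TOP_SECRET objects but never CONFIDENTIAL ones.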

19
Multilevel Security: What goes wrong?
  • Data Floats up and Stays Up
  • Composability
  • The Cascade Problem
  • Covert Channels
  • Viruses
  • Polyinstantiation

20
Multilateral Security
  • Compartmentalization
    • Parallel Compartments in Isolation
  • Chinese Wall
    • All Compartments Available Until a Choice is Made
  • BMA
    • Complicated (See me for details)
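As an added example (not from the slides) of the Chinese Wall point above: every dataset is reachable until a subject's first access within a conflict-of-interest class, after which only the chosen dataset in that class stays available. Company names and classes are constructed, and the write rule is a simplified form of the Brewer-Nash *-property.

```python
from collections import defaultdict

# Constructed: conflict-of-interest class -> company datasets in that class.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroInc"},
}
CLASS_OF = {ds: cls for cls, members in COI_CLASSES.items() for ds in members}


class ChineseWall:
    def __init__(self):
        self.history = defaultdict(set)  # subject -> datasets already read

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: allowed if this dataset was already chosen,
        or if no other dataset in the same conflict class has been read."""
        cls = CLASS_OF[dataset]
        chosen = {d for d in self.history[subject] if CLASS_OF[d] == cls}
        return not chosen or dataset in chosen

    def read(self, subject: str, dataset: str) -> bool:
        """Mediated read: a granted access records the choice permanently."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """Simplified *-property: write only if the subject can read the
        dataset and has read no other company's data, so information cannot
        be carried from one company into a competitor's dataset."""
        others = self.history[subject] - {dataset}
        return self.can_read(subject, dataset) and not others
```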

21
Multilateral Security: What Goes Wrong?
  • Inference Control
  • Recomposition of Data
  • Generic Approaches Limited in Scope

22
Things Which Go Wrong (In General)
  • Emergent Properties
  • Environmental Creep
  • People
  • Economic Incentives

23
Emergent Properties
  • Bugs
  • Subliminal Channels
  • The Cascade Problem
  • Recomposition of Data

24
Environmental Creep
  • Changing Environment Without Reevaluating
    Specifications.
    • Old TCP Protocols (telnet, ftp, etc) on Global
      Internet
    • ATMs, Banks -> Convenience Stores

25
People (who are you protecting against?)
  • Skill: Non/Moderately/Highly
  • Motivation: Idle/Moderately/Highly
  • Resources: Low/Medium/High/Intelligence Agency
  • Location: Inside/Outside

26
Economic Incentives
  • Information insecurity is at least as much due
    to perverse incentives.
  • Network Externalities
  • Moral Hazard
  • Liability Dumping (Tragedy of the Commons)

27
What are we Left With?

28
Programming Satan's Computer
  • programming a computer which gives answers
    which are subtly and maliciously wrong at the
    most inconvenient possible moment.

29
Is the Security Engineer S Out Of Luck?
  • NO
  • Solid Foundation Technologies
  • Increasing Awareness
    • Though not Enough
  • Case Studies

30
Case Studies
  • Military Applications and Intelligence Agencies
    • Identify Friend/Foe
    • Radio Communications
  • Industry
    • ATMs
    • Pay-TV

31
Case Study (Pay-TV)
  • Discard Messages Addressed to System
  • Then Cancel Subscription (Yay Free TV)
  • Freeze EEPROM by Removing Programming Voltage
  • Eventually Bypassing SmartCard Security Features
    with Probing Stations etc
  • 10,000 for a second hand one

32
Risk Management
  • The Systematic Evaluation of Risk in the Scope of
    the Encompassing Business Model
  • 10,000,000 Raw Gross at 1% Loss = 9,900,000
  • 10,000,000 Raw Gross at .5% Loss = 9,950,000
  • 20,000,000 Raw Gross at 2% Loss = 19,600,000
  • (Increased Loss Acceptable in Face of Greater
    Realized Gross)

33
Security Requirements Engineering
  • Risk Management
  • Security Policy
  • Security Target
  • Security Policy and Target Engineering is not
    Intrinsically Different from the Normal
    Engineering Process

34
Evaluation Assurance
  • DoD Rainbow Series
    • US Gov. Specified and Tested
    • Gov. Carries Expense of Evaluation
  • Common Criteria
    • Preexisting Protection Profiles
    • Independent Evaluators
    • Producer Pays for Evaluation
    • Supposed to be Cheaper/Fairer

35
Beware 3rd Party Evaluations
  • Who is Evaluating the Evaluators?
  • (Economic Incentives)

36
Summary
  • Traditional Approaches Fail
  • Security Needs to be Pervasive
  • A Systems Approach is Required
    • Technical
    • Socio-Economic

37
FYI: I have Skipped the Following Topics
  • Distributed Systems
  • Monitoring Systems
    • Alarms/IDS
  • Zero Failure Tolerance Systems
    • Nuclear Command and Control
  • Security Printing/Seals
  • Biometrics
  • Tamper Resistance/Detection
  • Emissions Security (EMF/Tempest)
  • Electronic Information Security
  • Telecom Systems
  • Network Attack and Defense

38
For More Information
  • Security Engineering by Ross Anderson
  • Come Talk to Me :)

39
Q&A Time :)
  • (Look, a plane <run away>)