CCM4350

Security Architecture and Engineering

Lecture 2 – Security Design Principles

15.10.2012 1

Content of Today’s Lecture

• Summary and Wrap up on Security

Terminology

• The Fundamental Dilemma of Security

• Five Design Principles for Engineering Secure

Systems

(Lecture follows D. Gollmann. Security Engineering,

Section 2.1-2.6, 2nd edition, Wiley 2006)

Last Lecture

• Security can be defined as (CIA)

Confidentiality

Integrity

Availability

• Sometimes Prevention of security attacks fails

• Then we need to rely on Accountability and

Non-repudiation.

Accountability and Non-Repudiation

• Accountability:

Keep auditing to trace responsible party

— Necessitates identification and authentication

— Trail security relevant events in audit

• Nonrepudiation:

Provide unforgeable evidence for actions

— Nonrepudiation of occurrence and

— Nonrepudiation of delivery

Relationship to other areas of computing

Dependability

• Dependability (according to Laprie):

Availability (point in time)

Reliability (time interval)

Safety

Confidentiality

Integrity

Maintainability

Σ CIA = Security

Safety versus Security

• Security always begins at the host

• Safety: protection against catastrophic impact

by the environment (protect human lives and

economic values)

• Security: protect the computer/network

systems against threats

Safety

Security

Conclusions on Terminology

• There is no single definition of security

• When reading a document, be careful not to

confuse your own notion of security with that

used in the document

• A lot of time is spent (and wasted) in trying to

define unambiguous notations for security

Definition: Computer Security deals with the

prevention and detection of unauthorised actions

by users of a computer system.

7

0th Step: Analysis of Goals and Attacker

• Security Engineering has two parallel activities

• Analysis of Protection (Security) Goals — CIA: specify which ones are important for which user

— Multilateral Security: resolve security conflicts

• Attacker Model: — There is no protection against the a skillful attacker

— Hence quantify attacker (e.g. Attack trees, Misuse cases)

8

The Fundamental Dilemma of Security

• In the past, only few organisations (DoD) relied

on security

• Today, everyone connected to the Internet relies

on computer and network security

Fundamental Dilemma: security-unaware

users have specific security requirements

but no security expertise.

9

Principles of Security (Gollmann)

• Horisontal axis: focus of security policy

• Vertical axis: layer of computer system to place

protection mechanism

Focus of Control: 1st Design Decision

1st Fundamental Design Decision: (horisontal)

Should the focus of security control be on — Data

— Operations, or

— Users?

Example: rules for integrity of accounts database — Data rule: internal consistency of balance of account

— Rules for operations that may be performed on a data item

— Rules specifying the users allowed to access a data item

2nd Fundamental Design Decision:

In which layer of computer system should we

place security controls?

1

2

The Man-Machine Scale: 3rd Design Decision

1

3

• Visualise security mechanisms as concentric

protection rings: generic data mechanisms in the

centre; mechanisms addressing user requirements

at the outside.

The Man-Machine Scale

• Scale balances Information with Data

1

4

3rd Fundamental Design Decision

• Location of a security mechanism on the man-

machine scale is related to its complexity. — Right: Generic mechanisms are simple,

— Left: User applications clamour for feature-rich security functions.

• 3rd Design Decision: Do you prefer simplicity – and

higher assurance – to a feature-rich security

environment? —These two do not match easily

—High assurance requires adherence to systematic design

—Security adopted formal methods early for highest assurance

levels: e.g. Orange book (A1/2), CC (EAL5-7)

4th Design Decision: Central or Distributed

Control

• Central entity in charge of security: —Easy to achieve uniformity…

—But central entity may become a performance bottleneck

• Distributed solution —May be more efficient…

—But difficult to ensure that policy is enforced consistently

4th Design Decision: should the tasks of defining

and enforcing security be given to a central

entity or should they be left to individual

components in a system.

The Layer Below

• So far, we only explored means to express

security policies but what about the attacker?

• The attacker may try to bypass our protection

mechanism to reach their “soft underbelly”.

• Example: if attacker gains system privileges in

the OS he can change the control data for

security mechanisms in the services and

application layers.

Security Parameter

• Every protection mechanism defines a security

perimeter (boundary). —The parts of the system that can malfunction without

compromising the mechanism lie outside the perimeter.

—The parts of the system that can disable the mechanism lie

within the perimeter.

• Note: Attacks from insiders are a major

concern in security considerations.

Exercise

• Identify suitable security perimeters for analysing

personal computer (PC) security. —Consider the room the PC is placed in, the PC itself, or some security

module within the PC when investigating security perimeter.

• Questions you should ask to answer the question

above:

1. Physical security: Is the PC in a protected room, a room

shared with colleagues, a room in a public place?

2. What are the options for input? Keyboard, data carrier

(CD, USB stick, floppy), Internet?

3. Can users take the PC home or open it?

5th Design Decision: Blocking Access to

the Layer Below!!!

Attackers try to bypass protection mechanisms.

• There is an immediate and important extension

to the 2nd design decision:

• 5th Design Decision: How can you prevent an

attacker from getting access to a layer below

your protection mechanism?

Physical and Organisational Security

Measures Control Access to Layer Below

The Layer Below – Examples

• Recovery tools restore data by reading memory directly and then restoring the file structure. Such a tool can be used to circumvent logical access control as it does not care for the logical memory structure.

• Unix treats I/O devices and physical memory devices like files. If access permissions are defined badly, e.g. if read access is given to a disk, an attacker can read the disk contents and reconstruct read protected files.

More examples – The Layer Below

• Object reuse: In single processor systems, when a new process is activated it gets access to memory positions used by the previous process.

— Avoid storage residues, i.e. data left behind in the memory area allocated to the new process.

• Backup: Whoever has access to a backup tape has access to all the data on it.

—Logical access control is of no help and backup tapes have to be locked away safely to protect the data.

• Core dumps: same story again; if internal state contains sensitive information, like keys, they can be read from core dump. Attacker can intentionally crash system.

Summary

• Security terminology is ambiguous with many overloaded terms.

• Fundamental Dilemma: —Too many security-unaware users due to Internet

—They cannot understand security evaluations (orange book etc)

• The resolution of this Fundamental Dilemma is currently the most pressing challenge in computer security.

• Five Design Decisions help to define security policy and security perimeter – and to address the dilemma?

Outlook: Aspects of Network Security

• Distributed systems: computers connected

by networks

• Communications (network) security:

addresses security of the communication

links

• Computer security: addresses security of

the end systems; today, this is the difficult

part

• Application security: relies on both to

provide services securely to end users

• Security management: how to deploy

security technologies 2

5

firewall