Download Introduction

CSC 682: Advanced Computer Security
Introduction
CSC 682: Advanced Computer Security
Slide #1
About Me
http://www.nku.edu/~waldenj1
James Walden
– Assistant Professor of Computer Science
– [email protected]
– Interests:
•
•
•
•
Software Security
Programming Languages
Software Engineering
Network Security
CSC 682: Advanced Computer Security
Slide #2
Course Administration
Web Site
– Notes, readings, and assignments on web site.
– http://www.nku.edu/~waldenj1
Assignment submission
– Use submit command on kosh.
Contact Information
– Email: [email protected]
– Phone: (859) 572-5571
CSC 682: Advanced Computer Security
Slide #3
Topics
1.What is Security?
2.Web Security
3.Evaluating Research
CSC 682: Advanced Computer Security
Slide #4
What is Security?
Security is the prevention of certain types of
intentional actions from occuring in a system.
– These potential actions are threats.
– Threats that are carried out are attacks.
– Intentional attacks are carried out by an attacker.
– Objects of attacks are assets.
CSC 682: Advanced Computer Security
Slide #5
Safety vs Security
Adversary: An intelligent attacker who
intentionally causes the system to fail.
Safety
• Home: fire alarm.
• Car: crumple zones.
• Computer: UPS.
Security
• Home: door lock.
• Car: alarm.
• Computer: Login
password.
Safety and security can interact: Who is watching
your computer room after the fire alarm was pulled?
CSC 682: Advanced Computer Security
Slide #6
Goals of Security
Prevention
– Prevent attackers from violating security policy
Detection
– Detect attackers’ violation of security policy
Recovery
– Stop attack, assess and repair damage
Survivability
– Continue to function correctly even if attack succeeds
CSC 682: Advanced Computer Security
Slide #7
NSTISSC Security Model
CSC 682: Advanced Computer Security
Slide #8
Components of Security
Confidentiality
– Keeping data and resources hidden. Privacy.
Integrity
– Preventing unauthorized changes to data or
resources.
Availability
– Enabling access to data and resources
CSC 682: Advanced Computer Security
Slide #9
Confidentiality
Authentication
Passwords, mother’s maiden name
Corporations
Trade secrets, e.g., the formula for Coca Cola.
Databases
SSN, Driver’s license
Governments
National security
Embarrassing information: www.thememoryhole.org
CSC 682: Advanced Computer Security
Slide #10
Integrity
Data Integrity
– content of the information.
– ex: 2005 Walmart $1.5 million bar code scam.
Origin Integrity (authentication)
– source of the information.
– ex: 1997 Kurt Vonnegut MIT commencement
address email. Vonnegut was not the 1997
speaker and the content wasn’t his.
Prevention vs Detection
CSC 682: Advanced Computer Security
Slide #11
Availability
Prevent loss of system access.
Denial of service attacks common.
– Easy to launch, difficult to track down.
– Can be just part of another attack
CSC 682: Advanced Computer Security
Slide #12
States of Information
1. Storage
Information not currently being accessed.
2. Processing
Information currently being used by processor.
3. Transmission
Information in transit btw one node and another.
CSC 682: Advanced Computer Security
Slide #13
Security Measures
Technology.
– Hardware/software used to ensure
confidentiality, integrity, or availability.
Policy and practice.
– Security requirements and activities.
Education, training, and awareness.
– Understanding of threats and vulnerabilities and
how to protect against them.
CSC 682: Advanced Computer Security
Slide #14
How to evaluate security solutions?
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution
mitigate those risks?
4. What other risks does the security solution
cause?
5. What costs and trade-offs does the security
solution impose?
CSC 682: Advanced Computer Security
Slide #15
Aspects of Risks
To evaluate a risk, we need to evaluate both:
– Probability of risk occurring.
– Cost incurred by risk if it occurs.
Minimize product of probability and cost.
Risks are impacted by environment.
– Building a house in a flood plain incurs
additional risks beyond that of house itself.
– Similarly, installion and configuration options
impact risk of software systems.
CSC 682: Advanced Computer Security
Slide #16
Security is a matter of Trade-offs
Security is only one of many system goals:
•
•
•
•
•
•
Functionality
Ease of Use
Efficiency
Time to market
Cost
Security
CSC 682: Advanced Computer Security
Slide #17
Cost-Benefit Analysis
Is it cheaper to prevent violation or recover?
– Cost of good network security:
• Money, time, reduced functionality, annoyed users.
• Large and ongoing.
– Risks of bad network security:
• Angry customers, bad press, network downtime.
• Small and temporary.
CSC 682: Advanced Computer Security
Slide #18
Airport Security
Let’s consider the issue of airport security from the
standpoint of what we’ve learned. Develop a
solution, keeping the 5 questions in mind:
1. What assets are you trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate
those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security
solution impose?
CSC 682: Advanced Computer Security
Slide #19
Human Issues: People Problems
Social engineering
– Kevin Mitnick testified before Congress “I was
so successful in that line of attack that I rarely
had to resort to a technical attack.”
Circumvention
– Users write down passwords, leave screens
unlocked.
Insider attacks
CSC 682: Advanced Computer Security
Slide #20
Human Issues: Organizations
Low priority
– Security costs, but doesn’t produce income.
– Lack of liability reduces costs of bad security.
Variable impact
– Cost of security violation highly variable.
– Insurance converts variable risk to fixed cost, but
risk too variable for much involvement so far.
Power and responsibility
– Personnel responsible for security often don’t
have power to enforce security.
CSC 682: Advanced Computer Security
Slide #21
Security: Laws and Customs
Are desired security measures illegal?
– cryptography export before 2000
– is it legal to monitor security breakins?
– international commerce
Will users circumvent them?
– writing down passwords
– removing file ACLs
CSC 682: Advanced Computer Security
Slide #22
Security Liability
Product liability:
– Tires: Continental recalled Ford SUV tires in
2002 due to wire and vibration problems.
– Software: Manufacturer not liable for security
flaws.
Since Microsoft isn’t liable for Windows
security failures, why would they want to
sacrifice money, time, functionality, and ease
of use for security?
CSC 682: Advanced Computer Security
Slide #23
Assumptions
• Security rests on assumptions specific to
type of security required and environment.
• Example:
– TCP/IP designed for pre-commercial Internet.
• Assumed only legitimate admins had root access.
• Trusted IP addresses, since only root can set IP addr.
• What happens to network when Windows 95 systems
added to network, where desktop user has all
privileges?
CSC 682: Advanced Computer Security
Slide #24
Assurance
How much can you trust a system?
Example:
– Purchasing aspirin from a drugstore.
– Bases for trust:
• Certification of drug by FDA.
• Reputation of manufacturer.
• Safety seal on bottle.
CSC 682: Advanced Computer Security
Slide #25
How much do you trust?
Ken Thompson’s compiler hack from
“Reflections on Trusting Trust.”
– Modified C compiler does two things:
• If compiling a compiler, inserts the self-replicating
code into the executable of the new compiler.
• If compiling login, inserts code to allow a backdoor
password.
– After recompiling and installing old C compiler:
• Source code for Trojan horse does not appear
anywhere in login or C compiler.
• Only method of finding Trojan is analyzing binary.
CSC 682: Advanced Computer Security
Slide #26
What is web application security?
The art and science of developing web
applications that function correctly even
when under attack.
CSC 682: Advanced Computer Security
Reasons for Attacking Web Apps
CSC 682: Advanced Computer Security
A Growing Problem
SoftwareVulnerabilities
9000
8000
7000
Vulnerabilities
6000
5000
4000
3000
2000
1000
0
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006
Year
CSC 682: Advanced Computer Security
Firewalls don’t protect web apps
telnet
Firewall
ftp
Application
Web
Client
Web
Server
HTTP Traffic
Port 80
CSC 682: Advanced Computer Security
Application
Database
Server
HTTP: HyperText Transfer Protocol
Simple request/response protocol
– Request methods: GET, POST, HEAD, etc.
– Stateless: req#2 doesn’t know about req#1
HTTPS
– HTTP wrapped in SSL/TLS encryption
– Protects data in transit to web server.
– Doesn’t protect stored data.
– Doesn’t protect server from being hacked.
CSC 682: Advanced Computer Security
HTTP Request
Method
URL
Protocol Version
GET http://www.google.com/ HTTP/1.1 Headers
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1)
Gecko/20060909 Firefox/1.5.0.7
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Cookie: rememberme=true;
PREF=ID=21039ab4bbc49153:FF=4
Blank Line
No Data for GET
CSC 682: Advanced Computer Security
HTTP Response
Protocol Version
HTTP Response Code
Headers
HTTP/1.1 200 OK
Cache-Control: private
Blank Content-Type: text/html
Line Server: GWS/2.1
Date: Fri, 13 Oct 2006 03:16:30 GMT
<HTML> ... (page data) ... </HTML>
Web Page Data
CSC 682: Advanced Computer Security
HTTP GET Parameters
http://ex.com/path/app.cgi?param1=val1&param2=val2
Format
parameter_name=value
 Multiple parameters separated by &

URI encoding

Encode chars as ISO-Latin hex val: %XY
Special characters must be encoded.
 Any character may be encoded.

CSC 682: Advanced Computer Security
HTTP POST Parameters
POST /path/app.cgi HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
param1=value1&param2=value2
Format
parameter_name=value
 Multiple parameters separated by &

URI encoding
CSC 682: Advanced Computer Security
Cookies
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: Name=Value; path=/; expires=01-Jan-2038 23:59:59UCT
GET /path/app.cgi HTTP/1.1
Host: ex.com
Cookie: Name=Value
Cookie Format
Only sent to URLs that match path, domain.
 Sent only via SSL if secure specified.
 Expires on date or when browser closed.

CSC 682: Advanced Computer Security
Web Application Vulnerabilities
Input-based Security Problems
– Injection Flaws
– Insecure Remote File Inclusion
– Unvalidated Input
Authentication and Authorization
– Authentication
– Access Control
– Cross-Site Scripting
Other Bugs
– Error Handling and Information Leakage
– Insecure Storage
– Insecure Communications
CSC 682: Advanced Computer Security
Vulnerability Trends for 2006
CSC 682: Advanced Computer Security
Key Points
• Components of security
– Confidentiality, Integrity, Availability
• States of information
– Storage, Processing, Transmission
• Security is a matter of trade-offs.
• Web Input
– HTTP stateless request/response protocol.
– Cookies are HTTP headers used to provide state.
– SSL protects data in transit, but not in storage.
CSC 682: Advanced Computer Security
Slide #39
References
1. Ross Anderson, Security Engineering, Wiley,
2001.
2. Matt Bishop, Introduction to Computer Security,
Addison-Wesley, 2005.
3. Peter Neumann, (moderator), Risks Digest,
http://catless.ncl.ac.uk/Risks/
4. Bruce Schneier, Beyond Fear, Copernicus Books,
2003.
5. Ken Thompson, “Reflections on Trusting Trust”,
Communication of the ACM, Vol. 27, No. 8,
August 1984, pp. 761-763
(http://www.acm.org/classics/sep95/)
CSC 682: Advanced Computer Security
Slide #40