Computer Security

What does Tor do?

Hides location but not encrypt traffic

What are the roles of an OS?

Meditated access between processes. Provide a programming abstraction Restrict resource consumption

What happens in a traditional policy interpretation?

Prevent access to certain files, Files access checker, functionality is scattered

A virus destroys a computer because any program that is downloaded is run with admin permissions. What property of secure design does this violate?

Principle of least privledge.

What are the Pros and Cons of VM's

Pros: 1. Can run legacy applications 2. Easier to reason about security 3. OS independence Cons: 1. Processor architecture dependent 2. Type 1a, 1b requires reloading lowest OS 3. Type 1a, 2 have high overhead 4. Type 1b, 2 have poor security / performance isolation 5. Complex OS interface (large body of OS code)

Traditional Applications

● Weak Password Dictionary [Spafford 1991] ○ Store dictionary of easily guessable passwords as bloom filter, query when users pick passwords. ● Intrusion Detection ○ we possess pieces of virus, shellcode, etc and want to see if it was in any packets ● Encrypted Search ○ performing queries on protected data

Issues

●CP/CPS are documents ○ Not machine parsable ○ Not in a standard format ○ Technical requirements together with organizational procedures ●Solutions ○ Work in progress

Types of Security Mechanisms/controls

●Cryptography and cryptographic protocols. ●Software controls. ●Hardware controls. ●Physical controls.

Access Control Lists in Windows?

●Each object contains a security descriptor, which has ○ Security Identifier of the person who owns the object. ○ The regular ACL for access permissions. ○ The system ACL (SACL) which is used for auditing, ○ A group security identifier.

Symmetric / Private key Ciphers and their applications

●IDEA (used in PGP) ●Blowfish (password hashing in OpenBSD) ●RC4 (used in WEP), RC5 ●Double DES, Triple DES ●SAFER (used in Bluetooth) ●AES (pervasive)

Crypto Libraries

●Usually hard to use for inexperienced developers ●Windows ○ CryptoAPI (all MS apps) ●Open Source ○ OpenSSL (Apache, etc.) ○ LibreSSL (OpenBSD after Heartbleed) ○BoringSSL (Google) ○ GnuTLS (GPL) ○ NSS (Netscape/Firefox) ○ LibPKI (OpenCA/NYU-Poly)

What are common techniques for static software watermarking?

Replace instruction groups by semantic equivalents, Insert redundant instruction groups,

Requirements and Attacks

Repository / MITM / Mirror ●Slow Retrieval ●Endless Data ● Replay Old Metadata Repository Metadata Key ● Unsatisfiable Dependencies ●Extraneous Dependencies ● Depends on Everything ●Provides Everything Revoked Metadata or Package Signing Key ● Use Revoked Key Package Signing Key ●Escalation of Privilege

Design Prinicples

Responsability Seperation Multi-Signature Trust Explicit and implicit Revocation Minimize Individual Key and Role Risk

What can affect risk?

Risk can exist when there is a known issue that increases the attack surface. Risk can also exist when there are non-specific issues, unexplored threat areas, or lack of depth-of-knowledge.

When is a safeguard effective?

S is cost effective if ANB(S) > 0

What are some common hash algorithms?

SHA-1, SHA-224, 256,384, 512,3 MD2,MD4,MD5,MD6

List of working Hash Functions?

SHA-2 MD5 MD4 MD6 SHA-256

S

Safeguard

Programming Language VM Summary

Sandbox code in a language interpreter / runtime Pros: ●Low overhead per VM ●Possible to reason about some security properties ●Architecture independent, somewhat OS independent Cons: ●No backwards compatibility ●Some performance cost ●Very poor resource isolation (OS interface) ●Can have a bloated TCB / ill defined system interface

What are the Unix permission values?

1 001 execute only 2 010 write only 4 100 read only

Threat Modeling Summary

1. Enumerate assets 2.Determine the threats to the system 3. Perform risk assessment 4. Perform risk management ○If needed, perform risk mitigation by developing cost-effective security mechanisms

What is Tor?

1. Successful privacy enhancing technology that works at the transport layer ●Online anonymity: 1. software 2. network 3. Protocol ●Open source, freely available ●Community of researchers, developers, relay operators, and millions of users. ●Funding from US DoD, Electronic Frontier Foundation, Voice of America, Google, NLnet, Human Rights Watch, ...

How many combinations are there for 8 characters

10 quadrillion

How much money as lost to cyber crime?

140 Billion

How many combinations are there for 6 lowercase characters

308 million

What is Discretionary access control?

A department can decide what access to allow for each individual. Discretionary Access Control (DAC) ○A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. ○Access control is at the discretion of the owner.

Certificate Revocation List (CRL)

A repository that lists revoked digital certificates. ●A CRL is a signed document ○ CRL data ■Serial number ■ Issuer ○ Revoked Entries List ■Serial number of the revoked certificate ■ Revocation Time ■ Revocation Reason ○Extensions ○ CA's signature ●The CA identifies the CRL Distribution Point (CDP) by inserting the URL in the certificate

What are the elements of a security policy?

A security policy considers all relevant aspects of confidentiality, integrity and availability. ○ Confidentiality policy: ■ Identifies information leakage and controls information flow. ○ Integrity Policy: ■ Identifies authorized ways in which information may be altered. Enforces separation of duties. ○ Availability policy: ■ Describes what services must be provided: example - a browser must be able to download pages but may optionally choose not to execute JavaScript.

What is least astonishment?

A system should behave how the user expects.

What is a threat?

A threat to a system is any potential occurrence, malicious or otherwise, that can have an adverse effect on the assets and resources associated with the system.

SYN Flood

A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service. ● Implement filtering ● Reduce SYN-RECEIVED Timer ● SYN cookies

What is vulnerability?

A vulnerability of a system is some characteristic that makes it possible for a threat to occur.

● Disable default accounts and passwords on systems

Access Control

● Host based and Network based firewall

Access Control

What is the principle of complete mediation?

All accesses to objects should be checked to ensure that they are allowed. Example Unix file checking, DNS cache posioning,

What is an attack?

An attack on a system is some action that involves exploitation of some vulnerability in order to cause an existing threat to occur.

What is the principle of least privledge?

An entity should only be given the information required for it's task. Temporary elevation of status should be released immediately.

ACS(S)

Annualized Cost of Safeguard S

ALE

Annualized Loss Expectancy

ALE(with S)

Annualized Loss Expectancy with a safeguard

ALE(without S)

Annualized Loss Expectancy without a safeguard

ANB(S)

Annualized Net Benefit of S ○= ALE(without S) - ALE(with S) - ACS(S)

ARO

Annualized Rate of Occurrence

RSA decryption

Bob can simply: 1. Compute m as: 2. m = c^d (mod n) 3. Convert m into Alice's message

Give example of capability list

Capability lists are: cap(proc 1) = {(file1, {r,w,o}), (file2, {r}), (proc 1, {r,w,x,o}), (proc 2, {w})} cap(proc 2) = {(file1, {a}), (file2, {r,o}), (proc 1, {r}), (proc 2, {r,w,x,o})}

What are somethings needed to run a program?

Code, runtime, system tools, system libraries, settings

What are some crypto libraries?

CryptoAPI, OpenSSL, LibroSSL, BoringSSl, SnuTLS, NSS, LibPKI

In the early days of telephones hey would run a wire from the phones to the electricity box. What fundamental design principle is this an example of?

Design for iteration and open design.

Certificate Policy

Dictates the circumstances in which a certificate can be used. protects the CA from claims of loss if the certificate is misused. should identify the user's community, names of the CA and RA and the object identifier.

How does unix handle acess control?

Each file entry in a directory is a pointer to a data structure called inode. mode Type of file and access rights uid User who owns the file gid Group which owns the file atime Access time mtime Modification time itime Inode alteration Block count Size of file (sort of) Pointer to physical location

What is design for iteration?

Ensure that pieces can change and evolve over time. Abstraction and modularity can help.

What is true of Kerckhoff's principles of open designs related to cryptographic systems?

Everything is public except the key

What is the principle of economy of mechanism?

Security mechanisms should be as simple as possible.

What is Trust/

Security policies and mechanisms are based on assumptions and one trusts that these assumptions hold.

What is Open Design?

Given enough eyes all bugs are shallow. By getting a large amount of people looking the code problems will be more visible.

Symmetric Key / Private Key

Sender and receiver share a common (private) key ○ Encryption and Decryption is done using the private key ○ Also called conventional/shared-key/single-key cryptography

What is the Biba Integrity model?

Integrity Model: prevents inappropriate modification of data - write: iff I(s) >= I(o) - read: iff I(o) >= I(s) ● Protect integrity, not confidentiality ○ Core concept: "no read down, no write up" ● One cannot read a lower level ● One cannot write a higher level

The TUF project protects the integrity and authnticity of software updates. TUF distributes the operation of signing software updates amongst multiple members of a project.

It appeals to the prinicple of least privledge.

What is true about closed design ()proprietary design)?

Keep the Cipher secret.

What is sweeping simplifications?

Keeping it simple stupid. If something is complicated it can help to add layers which only interact with each other. A layer can have a specific role to perform.

What makes a process safe?

Memory Safety Control-flow Safety Type Safety

Smurf ATTTACK

Mitigation Techniques ● Configure hosts and routers not to respond to ICMP requests or broadcasts ● Ingress filtering that rejects spoofed source addresses

● Audit even successful login-attempts

Non-repudiation

SLE

Single Loss Expectancy

Summarize Amoeba?

Summary: - Capability based system. - Provides "single-system" image. Pros: Capabilities can be derived independent of trusted server. Cons: - What if a capability is "overheard"? - Revocation is painful for applications

What is true about symmetric key cryptographic system:

Symmetric Key / Private Key: Sender and receiver share a common (private) key ○ Encryption and Decryption is done using the private key ○ Also called conventional/shared-key/single-key cryptography One shared key, Keys have symmetry

Capability refernce monitor continued?

System call interposition: ●Process X performs a system call to trace a process P ●The kernel adds a hook at P's system call entry to trap calls ●When P makes a "sensitive" call, X is notified ○"sensitive" is defined by the kernel ●P is suspended (either by X or the kernel) ●X checks the call arguments, etc. ○If a permitted call, allows the kernel to issue it ○If denied, abort the system call ■This causes problems for applications...

DRM Conclusions

The notions of "ownership" and "property" and "stealing" are complicated when they apply to digital objects DRM provides a framework for mutually untrusting parties to engage in commerce where the digital objects are the goods being traded. Social and Philosophical Issues

Microsoft downloads Windows updates in the background without the user being aware. What does this violate?

The prinicple of least astonishment.

What prinicple does the free speech flag violate?

The prinicple of least common mechanism

What is containerization

The process of creating stand-alone executables package of software that includes everthing needed to run it

These are some of the measures listed in the policy. Why are they needed? What properties does this influence?

Throttle repeated unsuccessful login-attempts, rather than account lockout ○ Availability

What does a capability reference monitor do?

To implement a capability system: ●Get the capability to what you want to mediate ○ Need to ensure that restricted processes do not have a copy of this capability ● Create a new capability for calling your reference monitor ●Pass this capability in place of the original capability ● Can be repeated for multiple reference monitors!

many buiness people run open wireless networks

Usability is outwieghing the least common mechanism to a lesser extent the prinicple of least privledge and fail safe are in play.

Design Problems

Viruses and worms Cookie management Phishing attacks

What is UNIX?

an operating system ●Each file has owner and group ●Permissions set by owner ○Read, write, execute ○Owner, group, other ○Represented by vector of four octal values ●Only owner, root can change permissions ○This privilege cannot be delegated or shared ●Setid bits - Discussed in a few slides

Kerberos can prevent what type of attacks?

man in the middle, Eacesdropping, Imposter, RelayAttacks

What is the principle of least common mechanism

mechanisms used to access resources should not be shared. Shared resources should use resource isolation to reduce risk of DoS attacks.

What are dynamic watermarks weak against?

vulnerable to semantics-preserving code transformations.

Renaming - Qu-Potkonjak

• Embed the mark by adding constraints (extra edges) to • Easy to attack by random register re-numbering.

Summary

• Watermarking is communication of information by embedding and reliably retrieving data • Used for Authentication, Fingerprinting, Steganography, ... • Different types of software watermarks: Static Data, Dynamic Software, Dynamic Data, Easter Egg, etc.

What is the goal of a security mechanism?

○Prevention ○Detection ○Recovery

What are the caveats of Jif?

●No threads ○ Information flow hard to control ○ Active area of current research ●Timing channels not controlled ○ Explicit choice for practicality ●Differences from Java ○ Some exceptions are fatal ○ Cannot allow access to some system calls

What is Android security model?

●OS user-isolation applied to applications ●Permission restrictions focused on inter-component (application) communications

Tor - Summary

●Online anonymity 1. software 2. network 3. Protocol ●Open source, freely available ●Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, ... ●Performance Issues

What is MULTICS?

●Operating System ○Designed 1964-1967 ■ MIT Project MAC, Bell Labs, GE ○At peak, ~100 Multics sites ○Last system, Canadian Department of Defense, Nova Scotia, shut down October, 2000 ●Extensive Security Mechanisms ○Influenced many subsequent systems

What are capabilities?

●Operating system concept ○"... of the future and always will be ..." ○But they are fairly widely used now!!!! ●Examples ○ Dennis and van Horn, MIT PDP-1 Timesharing ○ Hydra, StarOS, Intel iAPX 432, Eros, ... ○Amoeba: distributed, unforgeable tickets

Why DDoS Is Used

●Overwhelms server resources and bandwidth ●Threatening availability threatens infrastructure and ability to carry out mission critical tasks ●DDoS denies legitimate users access to information and denies systems and servers the ability to carry out processes ●Carried out over different types of protocols ●Can be used to as a tool for protesters and political attacks

PKI Summary

●PKIs improve key management ●Infrastructures can be linked ○Cross-certification ● Many usability challenges remain in practice ○Quantity / complexity of protocols ○Lack of user awareness of issues ●Revocation is based upon negative assertions ○Still an open problem ○In the future, may use whitelist-style approach (?)

What are Impersonation Tokens?

●Process uses security attributes of another ○ Client passes impersonation token to server ● Client specifies impersonation level of server ○ Anonymous ■ Token has no information about the client ○ Identification ■ server obtains the SIDs of client and client's privileges, but server cannot impersonate the client ○ Impersonation ■ server identifies and impersonates the client ○ Delegation ■ lets server impersonate client on local, remote systems

Fault Domains

●Process's code and data in one segment ○ Identified by a unique pattern of upper bits ○ Code is separate from data (heap, stack, etc.) ○ Think of a fault domain as a "sandbox" ●Modified binary to not escape the domain ○ Addresses masked so that all memory writes are to addresses within the segment ■ Coarse-grained memory safety (viz. array bounds checking) ○ Code inserted before each jump to ensure that the destination is within the segment

Software Fault Isolation (SFI)

●Processes live in the same hardware address space; software reference monitor isolates them ○ Each process is assigned a logical "fault domain" ○ Check all memory references and jumps to ensure they don't leave process's domain ●Tradeoff: checking vs. communication ○ Pay the cost of executing checks for each memory access and control transfer to save the cost of context switching when trapped into the kernel

Chome Summary?

●Pros: ○Backwards compatible ○Separate processes -> better isolation (OS) ○Uses multiple security techniques ●Cons: ○Plug-ins still represent a threat ■Only sandboxes some plug-ins (Flash) ■This requires work / coordination by the vendor

Asymmetric / Public key crypto algorithms

●RSA ●DSA ●ElGamal ●Pailliar (Homomorphic) ●Cramer-Shoup

Cryptographic Hash Functions

●Requirements of cryptographic hash functions: ○ Can be applied to data of any length. ○Output is fixed length ○ Relatively easy to compute h(x), given x and deterministic ○Infeasible to get x, given h(x). One-wayness property ○Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property. ○Infeasible to find any pair x and y such that h(x) = h(y). Strong-collision resistance property.

What is the Multics access model?

●Ring structure ○ A ring is a domain in which a process executes ○ Numbered 0, 1, 2, ... ; Kernel is ring 0 ○ Graduated privileges ■ Processes at ring i have privileges of every ring j > i ●Segments ○ Each data area or procedure is called a segment ○ Segment protection {b1, b2, b3} with b1 > b2 > b3 ■ Process/data can be accessed from rings b1 ... b2 ■ A process from rings b2 ... b3 can only call segment at restricted entry points

DES Security

●S-Box design not well understood (secret). ●Has survived some recent sophisticated attacks (differential cryptanalysis) ●Key is too short. Hence is vulnerable to brute force attack. ●1998 distributed attack took 3 months. ●$1,000,000 machine will crack DES in 35 minutes - 1997 estimate. $10,000 - 2.5 days.

Current Security of MD5 and SHA-1

●SHA-1 ○ B'day attack requires 280 calls ○ Faster attacks 269 calls ○ https://shattered.io/ ● MD5 ○ Output is 128-bits, so B'day attack requires 264 calls only ○ Faster attacks to find a collision: http://eprint.iacr.org/2004/199.pdf ●Better use stronger versions, such as SHA-256 ●Although, these attacks are still not practical - they only find two random messages that collide

What is the quantitative method of risk assessment?

●SLE: Single Loss Expectancy ●ARO: Annualized Rate of Occurrence ●ALE: Annualized Loss Expectancy ●S: Safeguard (security mechanism) ●ALE(without S) ●ALE(with S) ●ACS(S): Annualized Cost of Safeguard S ●ANB(S): Annualized Net Benefit of S ○= ALE(without S) - ALE(with S) - ACS(S) ●S is cost effective if ANB(S) > 0

What is UID?

A number associated with a particular account. Linux uses the UID internally for most operations, and it converts to the associated username only when interacting with people. ●Each process has three Ids (+ more under Linux) ○ Real user ID (RUID) ■ same as the user ID of parent (unless changed) ■ used to determine which user started the process ○ Effective user ID (EUID) ■ from set user ID bit on the file being executed, or sys call ■ determines the permissions for process ■ file access and port binding ○ Saved user ID (SUID) ■ So previous EUID can be restored ●Real group ID, effective group ID, used similarly

Certification Practice Statement

A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).

DNS Amplification Attack

An attack that uses publicly accessible and open DNS servers to flood a system with DNS response traffic. Mitigation Techniques ● Deploy scanning tools to search for vulnerable DNS servers ● ISP source IP verification ● Exclusively provide name resolution for a single domain

Endless Data

Attacker returns an endless stream of data Crashes services on the client Prevents package updates APT ● Downloads size of an unsigned long then crashes YUM ●Fills the disk ●Exits with no output (leaving the file!)

What is capability based access control?

Conceptually, capability is a row of an ACM, i.e. a list of rights for a subject. Let: O be a set of objects oi ; R be a set of rights r i for a subject s; and capability list c is a set of pairs. Then: Let cap() be the function that determines the capability list c associated with subject s where subject s may access oi using any right in r i

What is the Bell-La Padula model?

Confidentiality Model: - ss: "no read up" - *: "no write down" Information can only flow UP ● BLP model is a formal description of allowable paths of information flow in a secure system. ● Formalization of military security policy - confidentiality. ● Set of subjects S and objects O. Each subject s in S and o in O has a fixed security class L(s) (clearance) and L(o) (classification). ● Security classes are ordered by a relation ● Combines mandatory and discretionary access control.

Programming Language VM

Core idea: Run code within a special process that checks the safety / validity. Technique used often by programming languages ●Java, Lua, Flash, JavaScript, Seattle / Repy, etc. ●Often use 'byte code' instead of source code ○Intermediate representation. ●Any bug in the program language VM is usually fatal.

What isolation expectations are true of an effective virtualization environment?

Fault isolation, Data Security, Performance Isolation.

What are the goals of a watermarking system?

Fidelity, Robustness/Stealthiness, Payload/Capacity, Security

CFI: Control-Flow Integrity

Main idea: pre-determine control flow graph (CFG) of an application ●Execution must follow the pre-determined control flow graph

Java has 1 Million lines of code in its STL, all of this code is trusted and may make privledged calls. What design prinicples.

Principle of least privledge, fail-safe defaults, economy of mechanism, and least common mechanism are violated. In favor or efficiency.

What are the principles of secure design?

Principle of minimizing secrets, of complete mediation, of fail-safe defaults, of least privledge, of economy of mechanism, of least common mechanism.

What principle was being followed when the Kremlin swtiched from using computers to using typewriters.

Principle of sweeping simplifications

Bloom Filters

Probabilistic hash table. No means no. Yes means maybe. Multiple (different) hash functions. Can't resize table. Also can't remove elements ● Test whether an element is a member of a set. ● False negatives are not possible ● You can choose k to minimize false positives ● Make use of hash functions - Given a set S={x1, x2, ..., xn}, is y in S? - Set of k hash functions (SHA-1, MD5, etc) - Start with an m-bit long array B filled with 0's - Addition: Hash each item x in S, k times. If H(x)=a, set B[a]=1 - To check if y in S (Query): Check B at H(y) for all k hash functions. All k values must be 1.

Key Management

The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data. ●Key distribution is a major problem ○Acquiring a key ~-> breaking a system ○ ●possible key distribution techniques include: ○physical delivery by secure courier ■e.g., code-books used in submarines ■ ■one-time pads used by diplomatic missions ■registration name and password for computers ■ ■trusted-third party to validate identity / key ownership ○authentication key server (private key, eg Kerberos) ■have an online server trusted by all clients ■server has a unique secret key shared with each client ■server negotiates keys on behalf of clients ○public notary (public key, eg PKI) ■have an off-line server trusted by all clients ■server has a well known public key ■server signs public key certificates for each client

What are the steps of the Security Life Cycle?

Threats, Policy, Specification, Design, Implementation, Operation and Maitenence

What is Watermarking?

Watermarking is the practice of embedding an image or pattern in paper that isn't readily perceivable. It is often used with currency to thwart counterfeiting attempts. Similarly, organizations often use watermarking in digital documents and other types of files. • Communication of information by embedding it in and reliably retrieving it from a host/cover data. - Resource: Inherent redundancy of the host data - Constraint: Preserving host data's salient characteristics and functionality • Conventional uses - Authentication, copyright control and enforcement, access control, - Fingerprinting • Ownership verification, traitor tracing, transaction tracking - Steganography • Covert communication - Captioning - Hybrid in-band digital analog communication

RSA Signatures

Which IPsec authentication method requires having identity certificates on each peer? ●Key Generation: same as in encryption ●Sign(m, kpriv): s = md mod N ○"Encrypt" with a private key ●Verify(m, s, kpub): (se == m mod N) ○Conceptually, just decrypt / compare ●The above text-book version is insecure ●In practice, we use a randomized version of RSA ○ Hash the message and then sign the hash

Ping of Death

packets in excess of 65535 bytes sent targeted machine ● the attacker sends malformed or fragmented ping messages > 65,535B to the victim (max = 65,535B) ● When the receiver assembles all IP fragments, IP packet > 65,535B. ● This may cause a buffer overflow. ● PoD has nothing to do with ICMP, but rather the reassembly process of IP fragments which can contain any type of protocol. Mitigation Techniques ● Check sum of 'Fragment Offset' and 'Total Length' incoming IP fragments ● Configure firewall to check packets ● Use a memory buffer larger than 65,535 bytes

Why Hide?

• Because you want to protect it from malicious use - Copy protection and deterrence - Digital Watermarks • Because you do not want anyone to even know about its existence - Covert communication - Steganography • Because it is ugly - Media bridging, - Meta Data embedding • To get a free ride - Hybrid digital analog communication, captioning.

Extending Program Semantics - Venketesan et al.

• Bogus branches tie the watermark CFG to the program. • Basic blocks are marked so the watermark graph can be found.

Naïve Approaches

• High bit-rate, little overhead, unstealthy • Low bit-rate, no overhead, stealthy, easy to destroy

Different Types of Software Watermarks

• Static Data (i.e. strings) • Dynamic Software • Dynamic Data • Easter Egg • Dynamic Execution Trace • Others (Fingerprinting, License Mark)

Static vs. Dynamic Watermarking

• Static algorithms are vulnerable to semantics-preserving code transformations. • Dynamic algorithms extract the mark from the state of the program when run on a secret key input sequence.

Sandbox Computation

• Subset of Python (Repy) - Created for the testbed - Supports 'object-capability' interposition

What is rule based access control?

○Uses rules based upon a person's 'role' that indicate what can and cannot happen between a subject and an object. ○Not necessarily identity based. ○Traditionally, rule-based access control has been used in MAC systems as an enforcement mechanism.

Give examples of Risk mangement?

● Assume you buy 100 shares of stock at $50 per share. Potential maximum impact: $5000 ● Risk management strategies: ○ Risk reduction: buy a conservative stock ○ Risk mitigation: buy a "contrary" stock (Buy Dell in addition to HP, in case HP loses significant market share to Dell) ○ Risk transfer: buy an option to sell at $40/share; reduces maximum impact to $1000 (this could also be thought of as a risk mitigation strategy) ○ Risk acceptance: If you buy the options, you accept $1000 of risk

What is an example of a security model?

● BLP model is a formal description of allowable paths of information flow in a secure system. ● Formalization of military security policy - confidentiality. ● Set of subjects S and objects O. Each subject s in S and o in O has a fixed security class L(s) (clearance) and L(o) (classification). ● Security classes are ordered by a relation ● Combines mandatory and discretionary access control.

Attacks that Kerberos Prevents

● Man in the Middle - only valid users can generate needed output (encrypted challenge messages) ●Eavesdropping - All the data in the protocol is encrypted (or is publicly known) ●Imposter - User's secret Key as proof of identity ● Replay Attacks - Due to the TimeStamps and Lifetime fields, it is impossible to re-send any Ticket (i.e., authenticating as someone else)

OWASP XSS Prevention Rules

● Never Insert Untrusted Data Except in Allowed Locations ● HTML Escape Before Inserting Untrusted Data into HTML Element Content ● Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes ● JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values ● CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values ● URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values ● Sanitize HTML Markup with a Library Designed for the Job ● Prevent DOM-based XSS

How does Jif work?

● Represent principals as Java classes ● Jif augments Java types with labels ○ int {Alice:Bob} x; ○ Object {L} o; ● Subtyping follows the [order] (lattice order) ● Type inference ○ Programmer may omit types; Jif will infer them from how values are used in expressions

What is the application sandbox?

●Application sandbox ○ Each application runs with its UID in its own Dalvik virtual machine ■ Provides CPU protection, memory protection ■ Authenticated communication protection using Unix domain sockets ■ Only ping, zygote* - run as root ●Applications announce permission requirement ○ Create a whitelist model - user grants access ■ But don't want to ask user often - all questions used to be asked at install time!!! ○ Inter-component communication reference monitor checks permission

What is the motiation of IFC?

●Goal: Keep X confidential ●ACLs, capabilities, etc. all interpose on X ○This keeps an untrusted process from accessing X ●Information Flow Control idea: ○Allow X to be accessed freely (read) ○Prevent X and information about X from being sent to untrusted parties over communication channels ○This contains X and prevents disclosure.

Native Client (NaCl)

●Goal: download an x86 binary and run it "safely" ○ Much better performance than JavaScript, Java, etc. ●ActiveX: verify signature, then unrestricted ○ Critically depends on user's understanding of trust ●.NET controls: IL bytecode + verification ●Native Client: sandbox for untrusted x86 code ○ Restricted subset of x86 assembly ○SFI-like sandbox ensures memory safety ○ Restricted system interface ○ (Close to) native performance

What happens in a traditional library design?

●Large, single Trusted Computing Base (TCB) ○ Any failure is fatal ○ Privilege is widely used ■ Java's Calendar library uses privileges when deserializing ●Isolation only in the TCB ○ Must contain policy

Why Revocation ?

●Many possible reasons ○Private Key compromise ○ Information in the Certificate is outdated ○ The user does not want the certificate anymore ○Algorithm used is compromised ●How to provide revocation information ? ○ Certificate Revocation List (CRL) ○ Online Certificate Status Protocol (OCSP)

Key Observations

●Most code (and bugs) in libraries. ●Large TCB is the result of: ○Legacy module reuse ○Policy existing in the TCB (isolation) ●Policy implementation is difficult.

Use of digital certificates

●Secure e-mail: S/MIME ●Secure connections: SSL/TLS ●Virtual Private Network (VPN) via IPSEC ●Document Signing/Encryption ●XML Signing/Encryption ●Secure Wireless Access

Repy V2

●Securing library code ○ Small kernel (TCB)1 ■ Externalize library code2 ○ Privileges are external3 ■ Isolation above the kernel ■ Explicit capability passing ○ Privileged ops through kernel • Securing library code - Small kernel (TCB) • Separate components above - Privilege is external • Isolation above the kernel • Explicit capability passing - Privileged ops call through kernel Failures outside of the kernel are non-fatal

Sample permission options in Windows?

●Security ID (SID) ○ Identity (replaces UID) ■ SID revision number ■ 48-bit authority value ■ variable number of Relative Identifiers (RIDs), for uniqueness ○ Users, groups, computers, domains, and domain members all have SIDs

What are tokens?

●Security Reference Monitor ○ uses tokens to identify the security context of a process or thread ●Security context ○ privileges, accounts, and groups associated with the process or thread ●Impersonation token ○ thread can adopt a different security context, usually of another user

What is Computer Security?

●Security is the ability of a system to protect information and system resources with respect to confidentiality, integrity, and availability. ●Computer Security deals with the prevention and detection of unauthorized actions by users of a computer system. ●Computer security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks.

Brute Force Attacks: Key Recovery

●Since the key space is finite, given a pair of plaintext and ciphertext, a cryptanalyst can try and check all possible keys. ●For above to be not feasible, key space should be large!! ○ How large? ○ Large enough to make it impractical for an adversary. But what is impractical today, may not be so tomorrow. At least 280 - see this paper on "selecting cryptographic key sizes

A Few Types of DDoS Attacks

●Smurf Attack ●SYN Flood Attack ●Reflected SYN Attack ●Ping of Death ●Slowloris ●DNS Amplification Attack

Digital Certificates Principles

●Trusted binding of a PK to an Identity ●Signed assertion of key holder's identity ○Signed by a Certification Authority (CA) ○ Integrity Protection of the Public Key ●Issued under a set of formal rules ○ Certification Practice Statement ○ Certification Policy ●Most Used Standard X.509 ○Adopted by the IETF for Internet Ops.

Attacks on Software Watermarks

1. Additive • Attacker adds his own watermark to make it plausible that his watermark came before the owner's 2. Subtractive/Distortive • removal of the watermark or altering the watermark enough to where it is no longer recognizable • Trough semantics-preserving transformations - Code optimization, decompile-recompile, translation, code obfuscation, dead-code removal. 3. Collusive • Two attackers have two copies of the same watermarked program -- with different watermarks.

What is Lipner's model?

1. Users will not write their own programs, but will use existing production programs and databases. 2. Programmers will develop and test programs on a non-production system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system. 3. A special process must be followed to install a program from the development system onto the production system. 4. The special process in 3, above, must be controlled and audited. 5. The management and auditors must have access to both the system state and to the system logs that are generated.

Trusted Platform Module (TPM)

A chip on the motherboard of the computer that provides cryptographic services.

What is a security policy?

A document created by senior management that identifies the role of security in the organization ● A security policy is a set of rules stating which actions are permitted and which are not.

Online Certificate Status Protocol (OCSP)

A protocol that performs a real-time lookup of a certificate's status. ●Simple Client-Server protocol ○ Useful to provide compact and updated info ●OCSP provides the REVOCATION status of a certificate (not its validity) ●Possible responses: ○ Good ○ Revoked ○ Unknown ●The CA identifies the OCSP server by inserting the URL of the OCSP server in the certificate

Advanced Encryption Standard (AES)

A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES. ● National Institute of Science and Technology ○ DES is an aging standard that no longer addresses today's needs for strong encryption ○ Triple-DES: Endorsed by NIST as today's de-facto standard ● AES: The Advanced Encryption Standard ○ Finalized in 2001 ○ Goal - To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents ○ AES candidate algorithms were required to be: ■ Symmetric-key, supporting 128, 192, and 256 bit keys ■ Royalty-Free ■ Unclassified (i.e. public domain) ■ Available for worldwide export

What is an ACL (Access Control List)?

ACLs allow you to create network rules across entire subnets. Intuition: An access control list (acl) is a set of permissions that correspond to an object. Each permission usually specifies a principle and a right. acl(File A): {(Alice: write), (Bob: read, execute)} In the above example Alice has the permission to write File A. Bob has the permission to read and execute File A.

What are the benefits of virtualization?

Files system permissions are diificult. very broad and complex hard to restrict OS hooks are coarse-grained and awkward

Custom Reference Monitor Summary

Capability systems: ●Very natural and straightforward ○The monitor hides the current capability behind its checks and exposes a "safe" version ○Easy to chain multiple together Access Control List systems: ● Hard to do custom reference monitors ○ Difficult to implement correctly ■Lots of corner cases to handle ○ Cannot chain multiple together ○ Not popular in practice

What is true about Stackgruards?

Compiler technique, Does not provide comprehensive protection, Corrupt Canary, canary

A suer of FaceBook found that he could post on the walls of users that he was not friends with. Which prinicple is being violated.

Complete Mediation

Ciminals take checks and change the amount of money being paid

Complete mediation. It violates authenticity.

Destroy files as soon as they are no longer needed using approved methods

Confidentiality

Enable full disk encryption on portable devices, in addition to file/database encryption

Confidentiality, Privacy

The Stork package manager shares immutable copies of installed packages across OS VMs. It reduces duplicate package downloads between VMs and saves disk space, network bandwidth, and memory.

Stork violates the Least common mechanism and least pridledge

A recent blue tooth attack found that attackers were able to take control of any blue tooth device in range how can this be mitigated

Fail-safe defaults

In the original version of python to open a http server it does not check the certificate of root-of-trust what prinicple is violate?

Fail-safe defaults are violated

Security for software distribution is deceptively hard

For MITM security in package management ●Selective trust delegation ● Customized repository views ●Treating the repository as untrusted For compromised resilience ● Responsibility separation. ● Multitrust signatures (a.k.a. two-man rule). ● Explicit and implicit revocation of keys. ● Minimizing risk (with offline keys).

Time-Stamping

In transaction management, a technique used in scheduling concurrent transaction that assigns a global unique time stamp to each transaction.

Why use resource isolation

It is critical to isolate principles from each other to provide availability Can counter this by having more resources and flooding the site with network traffic and requests. Can lead to resource exhaustion if done wrong with processes, memory, disk space, and others

What is role based access control?

It is used to give users with specific characteristics (roles) different levels of access to information. ●Non-Discretionary (Role Based) Access Control Models ○Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. ○It is the best system for an organization that has high turnover.

Cryptographic Hash Functions

Key Points ●h(x) -> hash ○hash is fixed length (16,20,32 bytes) ○h(x) is fast / cheap ●given hash, cannot compute x ●Given x, cannot find y so that h(x) == h(y) ●Cannot find any x,y so that h(x) == h(y)

Avenues of Attack

Man-in-the-middle (MITM) / Mirror Key compromise ● Developer key ● Repository key Repository compromise

Give another example

Non-IT Example 2: Driving risk ● Assets at risk: people's lives and health, the automobile, other property ● Negative event: auto accident ● Risk Management: ○ Risk reduction: Following DWI laws, defensive driving techniques, ABS, driving slow or just not driving on snowy days ○ Risk mitigation: Seat belts, air bags, "crumple zones" in auto design ○ Risk transfer: insurance ○ Risk acceptance: residual risk of injury, deductible on insurance

What is mandatory access control?

Strict access control barriers to gain entry, no variation allowed. ●Mandatory Access Control (MAC) ○Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications. ○This model is used in environments where information classification and confidentiality is very important (e.g., the military).

What would make brute forcing an algorithm easier for an attacker?

Public Key is known, Key space is small, Algorithm is known ●Since the key space is finite, given a pair of plaintext and ciphertext, a cryptanalyst can try and check all possible keys. ●For above to be not feasible, key space should be large!! ○ How large? ○ Large enough to make it impractical for an adversary. But what is impractical today, may not be so tomorrow. At least 280 - see this paper on "selecting cryptographic key sizes

Different ciphers were developed and used to transport messages during WW2. What principle was being violated by this?

Principle of Open design.

An error box appears when a user attempts to carry out an action. What principle does this violate?

Principle of least astonishment.

What are the fundamental design principles?

Principle of open design, sweeping simplifications, design for iteration, and least astonishment.

What is the IFC and what does it do?

Prior approaches to access control: ○ ACL: An object has a list of authorized subjects ○ Capability: Only a subject with a capability can access an object ● What else could we do to maintain confidentiality?

What are the challenges of IoT

Privacy Protection, Data Integrity and Provenance, Authentication, Identity Management, Anonymity, Digital Forgetting, Standardization,

Which principles should be considered while aligning security and usability

Pseudosecurity harms usability Pseudousability harms security Integrated iterative design

Benefits of Virtualization

Reduced attack exposure Stable, safe configs Segmentation Running a program in a sandbox protects and untested application from potential malware, however if resource isolation is not carried out well it could lead to exhaustion.

What is the principle of minimizing secrets?

Secrets should be few and interchangable, the secrecy of a mechanism should not depend upon secrecy of its design or implementation. Similar to open design principle.

Admonition and Designation

Security by admonition Security by designation Implementation

What are the different types of software watermarking?

Static Data, Dynamic Software, Dynamic Data, Easter Egg, Dynamic Execution Trance,Fingerprinting

What is virtualization?

Technology used to host one or more operating systems within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware. It also allows multiple operating systems to work simultaneously on the same hardware. is the process of creating a software-based or virtual representation of something such as virtual applications, servers, storage, and networks

What is the principle of fail-safe defaults?

Use sane defaults, The default should be secure. Default access to an object is None. restricting privilege at the time of creation.

Public Key Encryption

Used prevalently on the web, it allows for secure messages to be sent between parties without having to agree on, or share, a secret key. It uses an asymmetric encryption scheme in which the encryption key is made public, but the decryption key is kept private. ●Two keys: ○ public encryption key e ○ private decryption key d ●Encryption easy when e is known ● Decryption easy when d is known ● Decryption infeasible when d is not known

What is a Type 1 OS Virtual Machine?

Virtual Machine Monitor / Hypervisor: Software layer between hardware and OS virtualizes and manages hardware resources Type 1a (VMware ESX, Xen, etc.) Virtual machine is an application execution environment with its own operating system. ● OS is provided very simplified interface ● Reasoning about security / performance is easier ● High performance penalty per OS VM Type 1b (LXC, Jails, Zones)LXC forces all OS VMs to be the same type of OS. It is essentially a series of kernel patches. ● Low overhead per VM ● Complex OS interface ● Poor OS mechanisms for security / performance Type 2 (VMware Workstation, VirtualBox) VMware workstation is an application that hosts OSes. ● Very high overhead per VM ● Complex OS interface ● Poor OS mechanisms for security / performance ● Can run on unmodified OS

Slowloris

______ attempts to monopolize all of the available request handling threads on the Web server by sending HTTP requests that never complete. ● Equivalent of a SYN flood but over HTTP ● It tries to keep many connections to the target web server open and hold them open as long as possible by sending partial HTTP headers, but never completing the request. Mitigation Techniques ● Increase the maximum number of clients the web server will allow ● Limit the number of connections to a single IP address ● Restrict the length of time a client is allowed to stay connected

What is access control?

a. Access control is a security role defined and set at the Row-leve (access to the record) and at the column level (access to the field), and is exectured when attempeing to access any Servicenow table Access control is a series of mechanisms used by management, to specify what users can do, which resources they can access, and what operations they can perform on a system. More generally, it permits managers of a system to direct or restrain the behavior, use and content of a system.

what is the clark wilson model

seeperation of duties , well formed transactions and object integrity ● A well-formed transaction is a series of operations that leave the data in a consistent state if the data is in a consistent state when the transaction begins. ● The principle of separation of duty requires the certifier and the implementers be different people. ○ In order for the transaction to corrupt the data (either by illicitly changing data or by leaving the data in an inconsistent state), either two different people must make similar mistakes or collude to certify the well-formed transaction as correct.

Digital Rights Management (DRM)

technologies that let copyright owners control the level of access or use allowed for a copyrighted work, such as limiting the number of times a song can be copied What are rights? What is digital rights management? Rights are what society guarantees to each individual. Basically, rights are the rules of society. Western society believes that when somebody creates something alone, it belongs to them, and they have the right to decide how it will be used. Example: If Alice creates something digital, like a video, Alice has total authority over that video. She can delete it if she wants. She can make it public and free. Or, she can selectively authorize other people to see it, based on, for example, whether they have paid to see the video.

Symmetric Encryption

the same key is used to encode and decode ●Only one Key (K) ●Key must be shared between parties ●Issues ○Key Distribution ? ○ How to protect the key ? ●Based on a key pair ○Private Key ○Public Key ●The two Keys are mathematically linked ○ Data Encrypted with one key can be decrypted only with the other one ●Different Algorithms use different mathematical properties ○ RSA, DSA, ECDSA

What manages access requests?

○ Access requests pass through the gatekeeper, aka, reference monitor

Extending Program Semantics -Moskowitz & Cooperman

• A watermarked media object is embedded in the program's static data segment. • "Essential" parts of the program are steganographically encoded into the media. • If the watermarked image is attacked, the embedded code will crash.

Altering Program Statistics - Stern et al.

• Embed mark by adjusting frequency of instruction patterns: 1. Replace instruction groups by semantic equivalents. 2. Insert redundant instruction groups.

Extending Program Semantics - Nagra-Thomborson

• Embed mark in which threads execute which basic blocks. • Can have huge performance degradation. • Why? Parallelism-analysis is hard.

Extending Program Semantics - Cousot and Cousot

• Embed the mark in the result of a static analysis problem. • Algorithm introduces many "weird" constants. Unstealthy, since 92% of all literal integers are 2n , 2n +1, 2n -1

Additive Spread Spectrum Methods

• Information symbols (m) are modulated with a weighted unit-energy spreading vector (p(m,k)). • The weighting factor (a) is set in accordance with local characteristics of the host signal (C). • Embedded signal is generated by adding the modulated message signal (a×p(m,k)) to host signal. • Detection is (most generally) based on correlation statistics between received signal and p(m,k).

Linear (Additive) Schemes

• Inspired by spread-spectrum communications. • The embedding operation is the sample addition of the watermark to host signal. • There are two reasons for the wide popularity of this type of methods. - Simplicity in their implementation. - Reliability under severe additive noise (attack).

Attacker Control of a Mirror

• Set up mirror • Created a fictitious identity • Leased a server from outside hosting provider • Setup mirrors for just 5 popular distributions • Notified the distribution maintainers • Mirrors were added to the official mirror list • Served packages to banks, government computers, military systems, etc.

Extending Program Semantics - Path-Based Watermarking

• The branches executed for the secret input generate a stream of 0s and 1s from which the watermark is extracted. • An attacker can easily insert new branches: - Java ⇒ Use an Error Correcting Code - x86 ⇒ Tamper-proof the branches

Reordering - Davidson & Myhrvold

• The watermark is embedded in the basic block sequence

Extending Program Semantics - Collberg-Thomborson

• The watermark is embedded in the topology of a dynamic graph structure, built at runtime but only for the special input sequence I 1 , · · · , Ik . • Why? Shape-analysis is hard.

Designing Watermarking Techniques

• Two questions to be answered - What is the resource? - What is the attack model? • Four Primary design goals - Fidelity: The degree of degradation due to embedding operation. - Robustness/Stealthiness: The level of immunity against all forms of manipulation (intentional and unintentional attacks). - Payload/Capacity: The amount of message signal that can be reliably embedded and extracted. - Security: Meaning depends on the application. Perhaps the most misunderstood and ignored aspect.

What is an integrity policy?

○ A commercial security policy is a security policy developed primarily to provide integrity. ■Focus on how much the object can be trusted.

What is a confidentiality policy?

○ A military security policy (also called government security policy) is a security policy developed primarily to provide confidentiality. ■Not worrying about trusting the object as much as disclosing the object

What are the two most popular types of security policies?

○ A military security policy (also called government security policy) is a security policy developed primarily to provide confidentiality. ■Not worrying about trusting the object as much as disclosing the object ○ A commercial security policy is a security policy developed primarily to provide integrity. ■Focus on how much the object can be trusted.

What are risk management strategies?

○ Accept the risk - The risk is so low or so costly to mitigate that it is worth accepting. ○ Transfer the risk - Transfer the risk to somebody else via insurance, warnings etc. ○ Remove the risk - Remove the system component or feature associated with the risk if the feature is not worth the risk. ○ Mitigate the risk - Reduce the risk with countermeasures.

What are the properties of a hash function?

○ Can be applied to data of any length. ○Output is fixed length ○ Relatively easy to compute h(x), given x and deterministic ○Infeasible to get x, given h(x). One-wayness property ○Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property. ○Infeasible to find any pair x and y such that h(x) = h(y). Strong-collision resistance property.

What are the 5 catagories of the LIMM

○ Development (D) ○ Production Code (PC) ○ Production Data (PD) ○ System Development (SD) ○ Software Tools (T)

What are the 3 techniques for controlling access?

○ Discretionary ○ Mandatory ○ Non-Discretionary (Role Based)

IT assets refers to

○ Information (e.g. data) ○ IT processes/functionality (e.g. algorithm) ○ IT systems (e.g. hard drive)

● Write audit events to a separate system

○ Integrity, Non-repudiation

● Maintain detailed documentation of everything

○ Non-repudiation, Accountability

What are the 6 classes of threats?

○ Spoofing - Using someone else's credentials to gain access to otherwise inaccessible assets. ○ Tampering - Changing data to mount an attack. ○ Repudiation - Occurs when a user denies performing an action, but the target of the action has no way to prove otherwise. ○ Information disclosure - The disclosure of information to a user who does not have permission to see it. ○ Denial of service - Reducing the ability of valid users to access resources. ○ Elevation of privilege - Occurs when an unprivileged user gains privileged status.

What is the idea behind IFC?

○Allow X to be accessed freely (read) ○Prevent X and information about X from being sent to untrusted parties over communication channels ○This contains X and prevents disclosure.

What are the elements of a security policy?

○Confidentiality policy: Identifies information leakage and controls information flow. ○Integrity Policy: Identifies authorized ways in which information may be altered. Enforces separation of duties. ○Availability policy: Describes what services must (and must not) be provided: example - a browser may download pages but no Java applets.

What are the 4 types of threats?

○Disclosure - unauthorized access to information ○Deception - acceptance of false data ○Disruption - interruption or prevention of correct operation ○Usurpation - unauthorized control of some part of a system

What is risk assessment/management?

○Identifying the assets at risk (cost of asset - cost of most expensive attack) ○Putting quantitative (e. g., dollars) or qualitative (e. g. low/medium/high) measures on the potential loss (impact) ○Putting quantitative (i. e., the probability) or qualitative (e. g. low/medium/high) measures on the likelihood of the event happening Risk Management is a process for planning on how to control those risks

What is a Access Control Matrix?

○Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. ■ each row represents a subject, ■ each column represents an object, and ■ each entry is the set of access rights for that subject to that object.

What are Constrained User Interfaces?

○Restrict user's access abilities by not allowing them certain types of access, or the ability to request certain functions or information ○Three major types ■ Menus and Shells ■ Database Views ■Physically Constrained Interfaces

Other Hash Functions

○SHA-2 (SHA-256) ○MD5 - Message Digest algorithm 5 ■Very similar to SHA ○MD4 ○MD6

What are some information channels?

○Storage channels: transmit information explicitly ■ Variable assignment, writing to sockets, files ○Covert channels: transmit by mechanisms not intended for transmitting information ■ System load, locks ... ○Timing channels: transmit information based on when something happens (rather than what happens)

How do they prevent exploitation?

● 100 open source libraries + 500 million lines new code ○ Open source -> no obscurity ●Goals ○ Prevent remote attacks ○ Secure drivers, media codecs, new and custom features ●Overflow prevention ○ Some stack and heap protection ● Decided against (in initial release) ○ stack and heap non-execute protections (due to time-to-market constraints and battery life constraints) ○ ASLR - performance impact ■ Many pre-linked images for performance ■ Can't install different images on different devices in the factory

NT Domains

● A domain is a set of computers with a central security authority ● PDC and the BDC (Backup) must be Windows NT. ● A domain can be set up to: ○ Ease viewing and access to resources. ○ Share a common user account database and security policy. ○ Enforce a common security stance across physical, divisional, or corporate boundaries. ○ Elimination of the need for every machine to provide its own authentication service. ● Users authenticated to the domain, can gain access to resources, such as printing, file sharing or applications, across all of the servers.

What is a security policy

● A security policy is a set of rules stating which actions are permitted and which are not. ● Can be informal or highly mathematical. ● If we consider a computer system to be a finite state automaton with state transitions (which nerds do) then: ○ A security policy is a statement that partitions the states of a system into a set of authorized or secure states and a set of unauthorized or non-secure states. ○ A secure system is a system that starts in an authorized state and cannot enter an unauthorized state. ○ A breach of security occurs when a system enters an unauthorized state. ● We expect a trusted system to enforce the required security policies.

What is a security mechanism?

● Mechanism should not be confused with policy. ● A security mechanism is an entity or procedure that enforces some part of a security policy.

Now do an example using driving as the risk

● Assets at risk: people's lives and health, the automobile, other property ● Negative event: auto accident ● Risk Management: ○ Risk reduction: Following DWI laws, defensive driving techniques, ABS, driving slow or just not driving on snowy days ○ Risk mitigation: Seat belts, air bags, "crumple zones" in auto design ○ Risk transfer: insurance ○ Risk acceptance: residual risk of injury, deductible on insurance

Give an example using the stock market.

● Assume you buy 100 shares of stock at $50 per share. Potential maximum impact: $5000 ● Risk management strategies: ○ Risk reduction: buy a conservative stock ○ Risk mitigation: buy a "contrary" stock (Buy Dell in addition to HP, in case HP loses significant market share to Dell) ○ Risk transfer: buy an option to sell at $40/share; reduces maximum impact to $1000 (this could also be thought of as a risk mitigation strategy) ○ Risk acceptance: If you buy the options, you accept $1000 of risk

What is the goal of the Biba Integritity model

● Biba integrity model is counterpart (dual) of BLP model. ● It identifies paths that could lead to inappropriate modification of data as opposed to inappropriate disclosure in the BLP model.

Open vs Closed Design

● Closed Design (as was followed in military communication during the World War I/II) ○ Keep the cipher secret ○ Also sometimes referred to as the "proprietary design" ●Open Design (Kerckhoffs' principle) ○ Keep everything public, except the key ○ Good practice - this is what we focus upon!

What does using the OS as a reference montior accomplish?

● Collection of running processes and files ○ Processes are associated with users ○ Files have access control lists (ACLs) saying which users can read/write/execute them ● OS enforces a variety of safety policies ○ File accesses are checked against file's ACL ○ Process cannot write into memory of another process ○ Some operations require superuser privileges ■ But may need to switch back and forth (e.g., setuid in Unix) ○ Enforce CPU sharing, disk quotas, etc. ● Same policy for all processes of the same user

What is Lipner's Integrity Matrix Model

● Combines confidentiality (BLP) and Integrity (Biba). ● Provides two security levels ○ Audit Manager (AM) ○ System Low (SL) ● Defines five categories (compartments) ○ Development (D) ○ Production Code (PC) ○ Production Data (PD) ○ System Development (SD) ○ Software Tools (T)

What are Confidentiality, Integrity and Availability

● Confidentiality: ○ Let X be a set of entities and I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I. ● Integrity: ○ Let X be a set of entities and I some information. Then I has the property of integrity with respect to X if I is unmodifiable by X. ● Availability: ○ Let X be a set of entities and I a resource. Then I has the property of availability with respect to X if all members of X can access I.

What are copying capabilties?

● Copying capability means giving rights. 1. How do you allow copying? ●X wants Y to read object O which X owns: 1.X has a capability with all bits set, flips the bit for read to 0. 2.X generates a new check field using a one-way hash of the new rights XOR'd with the old check field: ■ c new = h(rnew XOR cold) 3.X sends the new capability to Y. 4.Y sends a request to the server 5. The server XORs the new rights with the old check field. If the hash of this is the new check field, the credential is valid.

What is an exclusive security policy?

● Exclusive policies explicitly state what is prohibited ○ "Employees may not use email or web browsers from corporate systems for personal use." ○ "Employees may not use email or web browsers from corporate systems for pornography, illegal activities or other materials detrimental to the corporation or its perception by the public"

Give examples of hiercal policies at each level

● High level:"company proprietary information shall be protected from release to unauthorized personnel" ● Mid level procedural policy: ○ All proprietary information shall have a committee responsible for its control ○ A member must authorize any distribution of material ○ Enforcement: training, audit ● Mid level technology policy: ○ Proprietary information may only be stored on protected systems, accessible only to those with authorized access There shall be no externally initiated, automated means to retrieve information from the protected systems ■Low level; e. g., a firewall rule blocking incoming traffic on ports 20 (ftp data), 21 (ftp control), and 69 (tftp) ■The firewall is the enforcement mechanism

Hash Output Length

● How long should be the output (n bits) of a cryptographic hash function? ● To find collision - randomly select messages and check if hash matches any that we know. ● Throwing k balls in N = 2n bins. How large should k be, before probability of landing two balls in the same becomes greater than ½? ● Birthday paradox - a collision can be found in roughly sqrt(N) = 2(n/2) trials for an n bit hash ○ In a group of 23 (~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½) ● Hence n should be at least 160

What is the Clark-Wilson model most concerned with?

● In commercial environment we worry about the integrity of the data in the system and the actions performed upon that data. ● The data is said to be in a consistent state if it satisfies given properties. ○ For example, let D be the amount of money deposited so far today, W the amount of money withdrawn so far today, YB be the amount of money in all accounts at the end of yesterday, and TB be the amount of money in all accounts so far today. Then the consistency property is: D + YB - W = TB

What is an inclusive security policy?

● Inclusive policies explicitly state what is allowed, and all other actions are prohibited ○ "Employees may only use the Internet from corporate systems for business related email and web browsing" ○ "Employees may only use the Internet from corporate systems for business related email and web browsing. Occasional personal email and browsing are permitted as long as it does not impact employee performance, corporate system performance and does not include any pornography, illegal activities, or other materials detrimental to the corporation or its perception by the public"

Who Should Be Concerned About Security Policy

● Managers ● System designers ● Users: ○ what are the policy's impacts on their actions, and what are the ramifications of not following policy ● System administrators, support personnel who manage enforcement technologies and processes ● Company lawyers: they may have to use the written policies in support of actions taken against employees in violation

How can threats be ranked?

● One methodology for ranking threats is the use of DREAD (used by Microsoft!) ○ Damage Potential ○ Reproducibility ○ Exploitability Cost (or cost and ease of performing attack) ○ Affected Users ○ Discoverability

What is true about one time pad?

● Plaintext is binary string and key is binary string of equal length then encryption can be done by a simple xor operation. ● If the key is random and is not re-used, then such a system offers unconditional security - perfect secrecy! Intuitively perfect secrecy can be seen from the fact that given any plaintext and ciphertext, there is a key which maps the selected plaintext to the selected ciphertext. System is not practical.

One Time Pad - Unconditional Security.

● Plaintext is binary string and key is binary string of equal length then encryption can be done by a simple xor operation. Plaintext: 01010000010001010011 Key: 11010101001001100111 Ciphertext: 10000101011000110100 ● If the key is random and is not re-used, then such a system offers unconditional security - perfect secrecy! ● Intuitively perfect secrecy can be seen from the fact that given any plaintext and ciphertext, there is a key which maps the selected plaintext to the selected ciphertext. So given a ciphertext, we get no information whatsoever on what key or plaintext could have been used. ● How do we obtain "random" bit-strings for shared secret keys? ● System is not practical. ● Interesting point in the design space

Pros and Cons of Quantitative Approach

● Pro: ○ Objective, independent process ○ Solid basis for cost/benefit analysis of safeguards ○ Credibility for audit, management (especially corporate management) ○ This type of approach is useful for many kinds of reliability related design questions (e. g., redundant servers, etc.), where threats and likelihood of "events" can be accurately modeled statistically ○Quantitative risk assessment is the basis for insurance, risk managed portfolios, etc. ● Con ○ In most cases, it is difficult to enumerate all types of events and get meaningful data on probability and impact ○ Very time consuming, costly to do right ○ Many unknowns may give a false sense of control ○ Not reliable for "rare" events or "unthinkable" impacts

Security of quantum key distribution

● Quantum cryptography obtains its fundamental security from the fact that each qubit is carried by a single photon, and each photon will be altered as soon as it is read. This makes impossible to intercept message without being detected. ● Since physics is used to create the key, there's little chance it can be cracked using mathematics.

What is the tranquility principle?

● Recall: BLP assumed that security levels of objects are constant. ● Principle of Tranquility states that subjects and objects may not change their security level once instantiated. ● Principle of Strong Tranquility states that security levels do not change during the lifetime of the system. ● Principle of Weak Tranquility states that security levels do not change in a way that violates the rules of a given security policy.

Software Fault Isolation Summary

● Sandbox code in a process ● Ensure binaries are "safe" ● Architecture dependent / Language independent Some backwards compatibility ● Pros: ○ Very little performance cost ○ Low overhead per VM ● Cons: ○ Poor resource isolation (OS interface) ○ Doesn't handle how you talk to the OS

What are the Principles of Operation

● Separation of duty ○ If two or more steps are required to perform a critical function, at least two different people should perform the steps. ● Separation of function ○ Developers do not develop new programs on production systems due to the potential threat to production data. ● Auditing ○ Auditing is the process of analyzing systems to determine what actions took place and who performed them. Commercial systems emphasize recovery and accountability.

What are examples of DDoS characteristics?

● Simple to implement ● Cheap! Market rate: DDoS $5/hr for small web-site, $100/hr for big ones (2013) ● Effective

What is the Chinese Wall Model?

● The Chinese Wall Model is a model of a security policy that speaks equally to confidentiality and integrity. It describes policies that involve a conflict of interest in business. For example: ○ In the environment of a stock exchange or investment house the goal of the model is to prevent a conflict of interest in which a trader represents two clients, and the best interests of the clients conflict, so the trader could help one gain at the expense of the other. ● The objects of the database are items of information related to a company. ● A company dataset (CD) contains objects related to a single company. ● A conflict of interest class (COI) contains the datasets of companies in competition. ● COI(O) represents the conflict of interest class that contains object O. ● CD(O) represents the company dataset that contains object O. The model assumes that each object belongs to exactly one conflict of interest class.

How does the Clark-Wilson model work?

● The Clark-Wilson Model defines data subject to its integrity controls as constrained data items or CDIs. ● Data not subject to the integrity controls are called unconstrained data items, or UDIs. ● Integrity verification procedures, or IVPs, test that the CDIs conform to the integrity constraints at the time the IVPs are run. In this case, the system is said to be in a valid state. ● Transformation procedures, or TPs, change the state of the data in the system from one valid state to another; TPs implement well-formed transactions. ● Certification Rule 1 (CR1): ○ When any IVP is run, it must ensure that all CDIs are in a valid state. ● Certification Rule 2 (CR2): ○ For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state. ○ CR2 defines a relation certified C that associates a set of CDIs with a particular TP; ● Enforcement Rule 1 (ER1): ○ The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI. ● Enforcement Rule 2 (ER2): The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user. ○ This defines a set of triple (user, TP, { CDI set }) to capture the association of users, TPs, and CDIs. Call this relation allowed A. Of course, these relations must be certified: ● Enforcement Rule 3 (ER3): ○ System must authenticate each user attempting to execute a TP. ● Certification Rule 4 (CR4): ○ All TPs must append enough information to reconstruct the operation to an append-only CDI. (Why append-only?) ● Certification Rule 5 (CR5): ○ Any TP that takes as input a UDI may perform only valid transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI. ● Enforcement Rule 4 (ER4): ○ Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity

What are some examples of security documents?

● The SANS (SysAdmin, Audit, Network, Security) Institute has sample security policies available on-line in many areas. These can be downloaded and used as is, or modified to the needs of a specific company ○ http://www.sans.org/resources/policies/ ● IETF Site Security Handbook (policies for systems admins) ○ http://www.ietf.org/rfc/rfc2196.txt?number=2196 ● NIST web site: lots of material on security: technology, best practices, policies, regulations, etc. A search for "security policy" on that site got 6090 hits ○ csrc.nist.gov

What is a security model?

● To formulate a security policy you have to describe entities it governs and what rules constitute it - a security model does just that! ● A security model is a model that represents a particular policy or set of policies. They are used to: ○ Describe or document a policy ○ Test a policy for completeness and consistency ○ Help conceptualize and design an implementation ○ Check whether an implementation meets requirements.

What are some Hardware and Architecture mechanisms to prevent this?

● Translation Lookaside Buffer (TLB) ○ Maps virtual to physical addresses ○ Located next to the cache ○ Only "supervisor process" can manipulate TLB ■ But if OS is compromised, malicious code can abuse TLB to make itself invisible in virtual memory (Shadow Walker) ● TLB miss raises a page fault exception ○ Control is transferred to OS (in supervisor mode) ○ OS brings the missing page to the memory ● This is an expensive context switch

Another Approach...

● What if instead of using a different language, we could execute a "safe" binary? ○ ActiveX shows the user can't be trusted to know "safe" ● What if you could show that a binary had certain properties, like would never make a certain system call? ● You could potentially run binaries without hardware protection! ○ Would have excellent performance, essentially no overhead ○ System calls would remain a major problem ○ Impractical to subset for any real architecture (x86, ARM, etc.) ... or so it was thought

How do you implement capability based access control?

●A capability is an unforgeable "token" giving the possessor certain rights to an object. ●This is analogous to movie ticket or ID card. ●This "token" could be made transferable with an appropriate entry in ticket. ●Used by Kerberos (WIN 2K). ●To make sure capability cannot be forged: ○ Maintained by OS. ○ Programming language restricts access (private). ○ Stored in a region not accessible to users. ○ The goal is to prevent forgery.

What are specification, Design and Implementation?

●A specification is a statement of the desired functioning of the system. ●Design of a system translates the specifications into components that will implement the specifications. ●Given a design, an implementation creates a system that satisfies the design.

Kerberos Requirements

●A user wants to login into a server ○has to prove her identity - HOW ? ●Kerberos first report identified requirements as: ○secure ○reliable ○transparent ○scalable ●implemented using an authentication protocol based on Needham-Schroeder

The different properties of each?

●ACL ○Associate list with each object ○Check user/group against list ○Relies on authentication: need to know user ●Capabilities ○Capability is unforgeable ticket ■ Random bit sequence, or managed by OS ■ Can be passed from one process to another ○Reference monitor checks ticket ■ Does not need to know identity of user/process

What are Access control entities in Windows?

●ACL may be composed of Access Control Entries (ACE) which are composed of: ○ Basic permissions (six individual permissions) ■ Read (R), Write (W), Execute (X), Delete (D), Change Access Permissions (P), Take Ownership (O) ○ Standard permissions which are combinations derived from the basic permissions. ●ACE types: ○ Access-denied ACE - Used in ACLs to deny access rights ○ Access-allowed ACE - Used in ACLs to allow access rights ○ System-audit ACE - Used in SACLs to generate an audit record when the trustee attempts to exercise the specified access rights.

What are the elements of Access Control?

●Access Controls: The security features that control how users and systems communicate and interact with one another. ●Object: A passive entity that contains information ●Subject: An active entity that requests access to an object or the data in an object ●Access: The flow of information between subject and object

What are the Application development concepts?

●Activity - one-user task ○ Example: scroll through your inbox ○ Email client comprises many activities ●Service - Java daemon that runs in background ○ Example: application that streams an mp3 in background ● Intent - asynchronous messaging system ○ Fire an intent to switch from one activity to another ○ Example: email app has inbox, compose activity, viewer activity ■ User clicks on inbox entry, fires an intent to the viewer activity, which then allows the user to view the email ● Content provider ○ Store and share data using a relational database interface ●Broadcast receiver ○ "mailboxes" for messages from other applications

What is ASLR?

●Address Space Layout Randomization ●Randomly choose base address of stack, heap, code segment ●Randomly pad stack frames and malloc() calls ●Randomize location of Global Offset Table ●Randomization can be done at compile- or link-time, or by rewriting existing binaries

What are the advantages and disadvantages of the Android model?

●Advantages ○ Sandboxes applications, not "users" ○ Focuses on more than just 'allow / disallow' ●Drawbacks ○ (used to be) Main access control settings via a dialog box at install time ○ Outdated versions of software ○ Lots of trusted (?) library code

Pros and Cons of Unix?

●Advantages: ○ Some protection from most users ○ Flexible enough to make actions possible ●Drawbacks: ○ Too tempting to use root privileges ○ No way to assume some root privileges without all root privileges (At least with what is described here)

What are the pros and cons of windows security?

●Advantages: ○ Tokens provide contextual information ○ More flexible than Unix ●Drawbacks: ○ Poor implementation of tokens in APIs ( historically, many just use identification) ○ Complex for users / developers

Cryptography: Cast of Characters

●Alice (A), Bob (B), Charlie (C): communicating parties ●Eve (E): Eavesdropping (or passive) adversary ●Mallory (M): Man-in-the-Middle (or active) adversary ○People often use Eve for this as well ●Trent (T): a trusted third party (TTP)

"Textbook" RSA: KeyGen

●Alice wants people to be able to send her encrypted messages. ●X mod Y ●She chooses two (large) prime numbers, p and q and computes n=pq and \phi(n). ["large" >= 512 bits] ●She chooses a number e such that e is relatively prime to and computes d, the inverse of e in (i.e., ed =1 mod \phi(n)) ●She publicizes the pair (e,n) as her public key.(e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p and q. ●Plaintext and ciphertext messages are elements of Zn and e is the encryption key.

????

●Alice wants to send a message M to Bob. ●Alice will compute the secure hash of M ○hash(M) -> h ●Alice encrypts this hash with her private key ○sign(h, Apriv) -> s ●Alice sends M and s to Bob ●Bob computes the secure hash of M ○hash(M) -> h ●Bob verifies the signature ○verify(M, s, Apub) ■assert dec(s, Apub) == h

What is Amobae?

●Amoeba ○Key idea: Make a network of systems look like one machine ○Late 1980's, early 1990's OS ○ Distributed ○ Capability-based Interesting factoid: First version of Python was for Amoeba!

Triple-DES

●Applies DES three times to each block. ●"Key bundle": 3 DES keys K1, K2, K3 ● Decryption is the reverse ● Security: ○ if all three keys are independent → 168-bit long key → brute-force attacks more difficult

What is true about assymetrical key cryptographic systems?

●Asymmetric Key / Public Key: Every user has a private key and a public key ○ Encryption is done using the public key and Decryption using private key ○ Also called two-key cryptography

Challenges for Android?

●Battery life ○ Developers must conserve power ○ Applications store the state, thus they can be stopped in order to save power and then restarted - helps with DoS ○ Most foreground activity is never killed ●Android market ○ Not reviewed by Google (different from Apple) ○ No way of stopping bad applications from showing up on market ○ Malware writers may be able to get code onto platform: shifts focus from remote exploit to privilege escalation

How is the Chromium Security Architecture

●Browser ("kernel") ○ Full privileges (file system, networking) ●Rendering engine ○ Up to 20 processes ○ Sandboxed ●One process per plugin ○ Full privileges of browser ○ Sort of like a "device driver" for the browser

CA Operations

●CA key protection ○Physical Security ○Personnel Controls ●Certificate Request Processing ○Issuing Certificates ○Revocation of Certificates ●Recent Compromises ○Attackers managed to get *.google.com certificate ○Trusted in all Browsers ○Required Updates in Applications

Principal Components of a PKI

●Certificate Authority ○ Issues certificates and revocation info ○ Distributes public data (eg., certificates) ●Registration Authority ○Point of contact with users ○Verifies the identity of the users ●Certificate Repository/Revocation Info ●Applications (PKI-enabled) ●Additional Services

RA Operations

●Certificate Request Approval ○ Identification of applicant ○ Check for Attributes ■ DNS domain for web servers ■Email for users ●Certificate Revocation Pre-Processing ○ Identification of the requester ○ Reason for revocation request

Attribute Certificates

●Certificates that provide attributes to Identities ○Attached to an Identity Certificate ○Provide one or more attributes ○ Issued by an Attribute Authority ●Separate Authentication from Authorization ●Lack of support in deployed software ●Other Authorization systems ○Shibboleth (based on XAML)

How do you revoke rights in capabilities system?

●Check each process and delete capability? Too inefficient. How is this done efficiently? ●One method: Use indirection. Capability does not name object but contains a pointer to an object in the global table. To revoke an entry, just invalidate the entry in the global table. ●Amoeba: Change random check and issue new capability. This invalidates all existing capabilities.

WIT: Write Integrity Testing

●Combines static analysis ... ○ For each memory write, compute the set of memory locations that may be the destination of the write ○ For each indirect control transfer, compute the set of addresses that may be the destination of the transfer ○ "Color table" assigns matching colors to instructions (write or jump) and all statically valid destinations ■ Is this sound? Complete? ●... with dynamic enforcement ○ Code is instrumented with runtime checks to verify that destination of write or jump has the right color

What are Content Dependent Access Control and Context Based Access Control?

●Content Dependent Access Control: ○Access to an object is determined by the content within the object. ●Context Based Access Control: ○ Makes access decision based on the context of a collection of information rather than content within an object.

Isolation at multiple levels

●Data security ○Each VM is managed independently ■Different OS, files, registry, MAC address, etc. ■Data sharing is often impossible; ■ Mandatory I/O interposition ●Fault isolation ○Crashes are contained within a VM ●Performance ○Should be able to guarantee performance levels ●No assumptions required for software inside a VM ○Important for security!

Properties of each continued?

●Delegation ○ Cap: Process can pass capability at run time ○ ACL: Try to get owner to add permission to list? ■ More common: let other process act under current user ●Revocation ○ ACL: Remove user or group from list ○ Cap: Try to get capability back from process? ■ Possible in some systems if appropriate bookkeeping ■ OS knows which data is a capability ■ If capability is used for multiple resources, it has to revoke all or none ... ■ Indirection: capability points to pointer to resource ■ If C -> P -> R, then revoke capability C by setting P=0

Issues

●Denial of Service ●Additional costs for the CA ○Servers ○Bandwidth ●The URL in the certificate can become stale ●Solutions ○Pre-computed OCSP responses

What are the OS mechanisms of Amoeba?

●Distributed system ○ Multiple processors, connected by network ○ Process on A can start a new process on B ○ Location of processes designed to be transparent ●Capability-based system ○ Each object resides on server ○ Invoke operation through message to server ■ Send message with capability and parameters ■ Server uses object # to identify object ■ Server checks rights field to see if operation is allowed ■ Check field prevents processes from forging capabilities

What is setid is unix?

●Each process has three Ids (+ more under Linux) ○ Real user ID (RUID) ■ same as the user ID of parent (unless changed) ■ used to determine which user started the process ○ Effective user ID (EUID) ■ from set user ID bit on the file being executed, or sys call ■ determines the permissions for process ■ file access and port binding ○ Saved user ID (SUID) ■ So previous EUID can be restored ●Real group ID, effective group ID, used similar ●Three setid bits ○ Setuid - set EUID of process to ID of file owner ○ Setgid - set EGID of process to GID of file ○ Sticky: ■ If Off: user has write permission on directory, can rename or remove files, even if not owner ■ If On: only file owner, directory owner, and root can rename or remove file in the directory ●Three setid bits ○ Setuid - set EUID of process to ID of file owner ○ Setgid - set EGID of process to GID of file ○ Sticky: ■ If Off: user has write permission on directory, can rename or remove files, even if not owner ■ If On: only file owner, directory owner, and root can rename or remove file in the directory

CFI: Security Guarantees

●Effective against attacks based on illegitimate control-flow transfer ○Stack-based buffer overflow, return-to-libc exploits, pointer subterfuge ●Does not protect against attacks that do not violate the program's original CFG ○Incorrect arguments to system calls ○Substitution of file names ○Other data-only attacks

DES - Data Encryption Standard

●Encrypts by series of substitution and transpositions. ●Based on Feistel Structure ●Worldwide standard for more than 20 years. ● Has a history of controversy. ● Designed by IBM (Lucifer) with later help (interference?) from NSA. ● No longer considered secure for highly sensitive applications. ● Replacement standard AES (advanced encryption standard)

What is the qualitative approach?

●Establish classes of loss values ("impact"), such as ○ Low, medium, high ○ Under $10K, between $10K and $1M, over $1M (used by at least one company) ○ Type of loss (e. g. compromise of credit card #, compromise of SSN, compromise of highly personal data) ○ Minor injury, significant injuries, loss of life, large scale loss of life (used by emergency response organizations to categorize non-IT events) ○ Rank ordering

Unix permission bits?

●File permissions obtained by ls -l command ●First character indicates type of file ○ - plain file ○ d directory ○ c character device (tty or printer) ○ b block device ○ l symbolic link ○ Etc owner group other

CFI: Control Flow Enforcement

●For each control transfer, determine statically its possible destination(s) ●Insert a unique bit pattern at every destination ○ Two destinations are equivalent if CFG contains edges to each from the same source ■ This is imprecise (why?) ○ Use same bit pattern for equivalent destinations ●Insert binary code that at runtime will check whether the bit pattern of the target instruction matches the pattern of possible destinations

Why a PKI ?

●Fundamental problems with public-key crypto ○ Identity related to keys ○ Where can you get the public key ? ○ How to update keys over time ? ○ How to check the validity of the key ? ○ How to trust a new Key ? ●Digital Certificates and PKIs!

Inline Reference Monitor

●Generalize SFI to more than just memory safety ○ Policy specified in some formal language ○ Policy deals with application-level concepts: access to system resources, network events, etc. ■ "No process should send to the network after reading a file", "No process should open more than 3 windows", ... ■ Huge semantic gap! ●Policy checks are integrated into the binary code ○ Via binary rewriting or when compiling ○ Want to be efficient and only add when needed ■ Only check divide by zero when doing division ● Inserted checks should be uncircumventable ○ Rely on SFI for basic memory safety

Symmetric key cryptography revisited

●Good: Efficient ●Bad: Key distribution and management is a serious problem - for N users O(N2 ) keys are needed

Asymmetric cryptography model

●Good: Key management problem potentially simpler ●Bad: Much slower than symmetric / private key crypto

Proxy Certificates

●Hack to allow users to issue proxy credentials for themselves ○ Generation of a new keypair ○ The user signs a new certificate with his/her own identity certificate (acts as a CA!) ●Use of proxy certificates ○ Grid computing (batch jobs) ●Possible future application ○ Mobile computing ○Avatar authentication

Why Threat Modeling?

●Helps you understand your application better. ●Discover potential design flaws and vulnerabilities ●Prioritize security analysis ●Understand overall security risk ●Develop mitigating strategies ●Provide more complete analysis

Verifying Jumps and Stores

●If target address can be determined statically, mask it with the segment's upper bits ○ Crash, but won't stomp on another process's memory ●If address unknown until runtime, insert checking code before the instruction ●Ensure that code can't jump around the checks ○ Target address held in a dedicated register ○ Its value is changed only by inserted code, atomically, and only with a value from the data segment

What is a Security Descriptor?

●Information associated with an object: ○ Specifies who can perform actions and what actions they can perform on an object ●Several fields ○ SIDs for the owner and primary group of an object ○ A Discretionary Access Control List (DACL) ■ access rights allowed or denied to users or groups ○ A System Access Control List (SACL) ■ types of access attempts that generate audit records for the object. ○ A set of control bits that qualify the meaning of a security descriptor or its individual members.

Next Step: XFI

●Inline reference monitor added via binary rewriting ○ Can be applied to some legacy code ●Uses CFI as a building block to prevent circumvention ●Supports fine-grained access control policies for memory regions ○ More than simple memory safety (cf. SFI) ●Relies in part on load-time verification ○Similar to "proof-carrying code"

What Makes a Process Safe?

●Memory safety: all memory accesses are "correct" ○ Respect array bounds, don't stomp on another process's memory, separation between code and data ●Control-flow safety: all control transfers are envisioned by the original program ○ No arbitrary jumps, no calls to library routines that the original program did not call ■ ... but wait until we see mimicry attacks ●Type safety: all function calls and operations have arguments of the correct type

Ensuring Integrity+Authentication through Digital Signatures

●Message Integrity ○ Detect if message is tampered with while in the transit ●Source/Sender Authentication ○ No forgery possible ●Non-repudiation ○If I sign something, I can not deny later ○A trusted third party (court) can resolve dispute

Modern Hardware Meets Security

●Modern hardware: large number of registers, big memory pages ●Principle of least privilege → each process should live in its own hardware address space ●... but the performance cost of inter-process communication is high ○ Context switches are very expensive ●Conflict: isolation vs. cheap communication

XFI: Memory Access Control

●Module has access to its own memory ○ With restrictions (e.g., shouldn't be able to corrupt its own scoped stack) ●Host can also grant access to other contiguous memory regions ○ Fine-grained: can restrict access to a single byte ○ Access to constant addresses and scoped stack verified statically ○ Inline memory guards verify other accesses at runtime ■ Fast inline verification for a certain address range; if this fails, call special routines that check access control data structures

What is a Multics process

●Multiple segments ○ Segments are dynamically linked ○ Linking process uses file system to find segment ○ A segment may be shared by several processes ●Multiple rings ○ Procedure, data segments each in specific ring ○ Access depends on two mechanisms ■ Per-Segment Access Control ■ File author specifies the users that have access to it ■ Concentric Rings of Protection ■ Call or read/write segments in outer rings ■ To access inner ring, go through a "gatekeeper" ●Interprocess communication through "channels"

What capabilities are used in Amoeba?

●Owner capability ○When server creates object, returns owner cap. ■ All rights bits are set to 1 (= allow operation) ■ Check field contains 48-bit random number stored by server ●Derived capability ○ Owner can set some rights bits to 0 ○ Calculate new check field ●Server can verify rights and check field ○ Without owner capability, cannot forge derived capability

PKI Standards

●PKCS#7 ○ Data format for signing/encrypting documents ○Base format for S/MIME ●Cartographic Message Syntax (CMS) ○Evolution of RSA's PKCS#7 format from IETF ○Allows multiple signatures (hierarchical or parallel) on the same document ○ It can include CRLs and Certificates for signature ●PKCS#10 ○ Certificate Request Format ●PKCS#11 ○Standard API to use cryptographic hardware ○ Used mostly on UNIX ○ Windows uses MS-CAPI Crypto Service Provider ■Proprietary format (same functionality of PKCS#11) ●PKCS#12 ○ Data format to transport certificates together with their private key ○Encrypted with a password ○Supported by Browsers to Import/Export certificates to/from their certificate store ●PKCS#13 (abandoned ?) ○ Elliptic Curve Cryptography Standard ○ It will address many aspects of elliptic curve cryptography, including parameter and key generation and validation, digital signatures, public-key encryption, and key agreement. ●PKCS#14 (abandoned ?) ○ Pseudo-random Number Generation ●PKCS#15 ○ Cryptographic Token Information Format Standard ○ is a complement to PKCS #11 giving a standard for the format of cryptographic credentials stored on cryptographic tokens.

What are the types of web attacks?

●SQL injection ○Bad input checking allows malicious SQL query ○Known defenses address problem effectively ●XSS (CSS) - cross-site scripting ○Problem stems from echoing untrusted input ○ Difficult to prevent: requires care, testing, tools, ... ●XSRF (CSRF) - cross-site request forgery ○Forged request leveraging ongoing session ○ Can be prevented (if XSS problems fixed)

What innovations did multics have?

●Segmented, Virtual memory ○ Hardware translates virtual address to real address ●High-level language implementation ○ Written in PL/1, only small part in assembly language ●Shared memory multiprocessor ○ Multiple CPUs share same physical memory ●Relational database ○ Multics Relational Data Store (MRDS) in 1978 ●Security ○ Designed to be secure from the beginning ○ First B2 security rating (1980s), only one for years

Public Key Signatures

●Signer has public key, private key pair ●Signer signs using its private key ●Verifier verifies using public key of the signer

Directory Service (LDAP)

●Similar to a hierarchical DB ●Used in PKIs for ○ Certificates and CRLs distribution ○Additional Information provisioning ●LDAP is the protocol to access the DB ○ Lightweight Directory Access Protocol ○ Comes from the X.500 standard ●Features (v3) ○ Referral and secure access (LDAPS)

What are some types of DDos attacks?

●Smurf Attack ●SYN Flood Attack ●Reflected SYN Attack ●Ping of Death ●Slowloris ●DNS Amplification Attack

Who is root?

●Special user with extra privileges -root. ○ UID is 0. ○ Can do (almost) anything!! ○ Holy grail of hackers! ●Other special users ○ daemon or sys - handles some network services ○ ftp - used for anonymous FTP access. ○ uucp - manages UUCP system. ○ guest - used for site visitors. ○ lp - used by printer system ○ Other special users exist

How does permission inheritance work?

●Static permission inheritance (Win NT) ○ Initially, subfolders inherit permissions of folder ○ Folders and subfolders are changed independently ○ Replace Permissions on Subdirectories command ■ Eliminates any differences in permissions ●Dynamic permission inheritance (Win 2000) ○ Child inherits parent permission, remains linked ○ Parent changes are inherited, except for explicit settings ○ Inherited and explicitly-set permissions may conflict ■ Resolution rules ■ Positive permissions are additive ■ Negative permission (deny access) takes priority

Caesar Cipher (or Shift Cipher)

●Substitution cipher ●Replace each letter in the plaintext by a letter some fixed number of positions down the alphabet ●Example - left shift of 3/right shift of 23: Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW

Improving CFI Precision

●Suppose a call from A goes to C, and a call from B goes to either C, or D (when can this happen?) ○ CFI will use the same tag for C and D, but this allows an "invalid" call from A to D ○Possible solution: duplicate code or inline ○Possible solution: multiple tags ●Function F is called first from A, then from B; what's a valid destination for its return? ○ CFI will use the same tag for both call sites, but this allows F to return to B after being called from A ○Solution: shadow call stack

How does the android security model work?

●The Android manifest file allows developers to define an access control policy for access to components ○ Each component can be assigned an access permission label ○ Each application requests a list of permission labels (was fixed at install time)

How to scale the network?

●The clients need to learn info about the relays they can use. Eventually this means partial network knowledge, and non-clique topology. ●Everybody-a-relay, and the anonymity questions that come with that.

What are some access control techniques?

●There are a number of different access controls and technologies available to support the different models. ○ Rule Based Access Control ○ Constrained User Interfaces ○ Content Dependent Access Control ○ Context Dependent Access Control ○ Access Control Matrix

Six performance problems

●Tor's congestion/flow control is not good ●Some users bulk-transfer over Tor ●Not enough capacity (run a relay!) ●Load balancing isn't right ●Not just high latency, but high variability ●High directory downloading overhead

What are issues with Tor?

●Tor's congestion/flow control is not good ●Some users bulk-transfer over Tor ●Not enough capacity (run a relay!) ●Load balancing isn't right ●Not just high latency, but high variability ●High directory downloading overhead

Difference between capabilities and ACL's

●Two questions arise in access control systems: ○ Given a subject, what objects can it access and how? ○ Given an object, what subjects can access it and how? ●Which question is easier to answer with ACL's? Why? ●Former is easier to answer with capabilities and the latter is easier to answer with ACL. ●The latter question is more often asked, hence ACL's used more often. ●With more distributed processing and agent based systems, perhaps the former question will be asked more frequently in the future. Thoughts?

CFI: Preventing Circumvention

●Unique IDs ○ Bit patterns chosen as destination IDs must not appear anywhere else in the code memory except ID checks ●Non-writable code ○ Program should not modify code memory at runtime ■ What about run-time code generation and self-modification? ●Non-executable data ○ Program should not execute data as if it were code ●Enforcement: hardware support + prohibit system calls that change protection state + verification at load-time

CFI: Binary Instrumentation

●Use binary rewriting to instrument code with runtime checks (similar to SFI) ●Inserted checks ensure that the execution always stays within the statically determined CFG ○ Whenever an instruction transfers control, destination must be valid according to the CFG ●Goal: prevent injection of arbitrary code and invalid control transfers (e.g., return-to-libc) ○ Secure even if the attacker has complete control over the thread's address space

Two Stacks

●XFI maintains a separate "scoped stack" with return addresses and some local variables ○ Keeps track of function calls, returns and exceptions ●Secure storage area for function-local information ○ Cannot be overflown, accessed via a computed reference or pointer, etc. ○ Stack integrity ensured by software guards ○ Presence of guards is determined by static verification when program is loaded ●Separate "allocation stack" for arrays and local variables whose address can be passed around

Kerberos - Summary

●trusted key server system developed by MIT ●provides centralised third-party authentication in a distributed network ●has a Key Distribution Centre (KDC) ●KDC provides non-corruptible authentication credentials (tickets or tokens)

Kerberos: a Key Server

●trusted key server system developed by MIT ●provides centralised third-party authentication in a distributed network ●access control may be provided for ○each computing resource ○in either a local or remote network (realm) ●has a Key Distribution Centre (KDC), containing a database of: ○principles (customers and services) ○encryption keys ●basic third-party authentication scheme ●KDC provides non-corruptible authentication credentials (tickets or tokens)

What is Umask

●umask (User file creation mode mask) is a four digit octal number used to determine file permissions for newly created files. ●It defines permission you do not want to be given (the bit-wise complement of the permission you want a file to have by default). ●Set up at time of log in, in environment variables ●0002 - umask means 0775 permissions. ●0077 umask means ? ●0022 umask means ?