coms w4182: computer security ii prof. steven m. bellovinsmb/classes/s20/l_intro.pdf · coms w4181...
TRANSCRIPT
![Page 1: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/1.jpg)
COMS W4182: Computer Security II
Prof. Steven M. Bellovinhttps://www.cs.columbia.edu/˜smb/classes/s20
Steven M. Bellovin January 19, 2020 1
![Page 2: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/2.jpg)
What is this Course?
• Security architecture
• Security engineering
• How to think about security
+ How to think about insecurity. . .
• A successor to COMS W4181, Computer Security I
Steven M. Bellovin January 19, 2020 2
![Page 3: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/3.jpg)
Who is this Course For?
• Primarily, security professionals
• Security architects, security reviewers, etc.
• (But 4181 is for all programmers)
Steven M. Bellovin January 19, 2020 3
![Page 4: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/4.jpg)
Prerequisites
• COMS W4181 is a prerequisite for this class—I assume that youknow the material in it
• However—in this very bureaucratic university, SSOL does not enforceprerequisites
• A prerequisite is a warning: you are expected to know the material
• I will not ask anyone if they’ve taken 4181 or not
• But—I will not review encryption algorithms, firewalls, etc.
• If you have any doubts, see me
Steven M. Bellovin January 19, 2020 4
![Page 5: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/5.jpg)
Security Architecture
• How to put the pieces together
• How to spot the risky parts
• How to evaluate an architecture
Steven M. Bellovin January 19, 2020 5
![Page 6: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/6.jpg)
Security Engineering
• Putting the pieces together
• Tradeoffs
• Balancing cost, security, usability, acceptability, and more
Steven M. Bellovin January 19, 2020 6
![Page 7: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/7.jpg)
How to Think About Security
• Security is a property of the overall design
• You do not get security by sprinkling on crypto or by forcing people tochange their passwords frequently
• Those can sometimes help—but bad guys go around strong security,not through it
• Security is a systems property
Steven M. Bellovin January 19, 2020 7
![Page 8: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/8.jpg)
How to Think About Insecurity. . .
• The bad guys don’t follow the rules
• To understand how to secure a system, you have to understand whatsort of attacks are possible
• Note that that is not the same as actually launching them. . .
Steven M. Bellovin January 19, 2020 8
![Page 9: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/9.jpg)
Course Structure
• Lecture format
• Syllabus subject to change to discuss current events
• Approximate grading percentages:Homework 48%Midterm 21%Final 31%
Experience suggests that the exact percentages are not thatimportant (and may change slightly)
• Grades will be posted on Courseworks
• Yes, I curve
Steven M. Bellovin January 19, 2020 9
![Page 10: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/10.jpg)
Readings
• Thinking Security: Stopping Next Year’s Hackers, Steven M. Bellovin,Addison-Wesley, 2016, ISBN 0-13-427754-6, 0-13-427754-6. (Onlythe ebook is available, and not from Amazon. . . )
• Security Engineering, Second Edition, Ross J. Anderson, Wiley,2008, ISBN-13: 978-0470068526, ISBN-10: 0470068523.
• Some primary source material—I assume you all know how to usethe library and/or electronic resources. (Hint: Google does not (yet?)have access to all of the world’s knowledge.)
• Note: ACM and IEEE readings are often only easily available from thecampus network.
Yes, there is a lot of assigned reading.Steven M. Bellovin January 19, 2020 10
![Page 11: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/11.jpg)
Logistics
• For grading issues, approach the TAs within two weeks; if you don’treceive a satisfactory answer, contact me.
• For issues relating to this class, email smb+4182@cs. . .
• That lets me auto-sort class-related mail and keep better track ofthings
Steven M. Bellovin January 19, 2020 11
![Page 12: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/12.jpg)
Written Assignments
• There will be several written assignments during the term
• The form required will be different each time—make sure you readthe instructions
• Yes, those matter
• I want analysis and not just recounting of facts, i.e., not just “what” but“why”
Steven M. Bellovin January 19, 2020 12
![Page 13: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/13.jpg)
Programming Assignments
• (I haven’t quite decided if there will be programming homework)
• All programming homework must be done in C or C++ unlessotherwise instructed. Don’t bother asking for exceptions.
• Turn in a single tar file, including a Makefile; if necessary, includetest data and a README file with execution instructions
• All programs must compile and run on Linux on the Google Cloudmachines; zero credit for programs that don’t compile. Note that thismeans you must be comfortable compiling and running code onLinux.
• Because most security problems are due to buggy code, there will becopious deductions for bugs or for inadequate documentation
Steven M. Bellovin January 19, 2020 13
![Page 14: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/14.jpg)
Again:
• Programs must compile and run on Linux on the Google Cloudmachines
• You can do your initial development on any platform you want—butyou must make sure that the submitted version works on GoogleCloud
Steven M. Bellovin January 19, 2020 14
![Page 15: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/15.jpg)
Using Open Source Programs
• Generally, you are free to use any binary software installed on theGoogle Cloud machines
• Generally, you are welcome to use any open source software if (a) allsuch files are in a separate subdirectory from anything you write; (b)you clearly identify the origin of all such code; and (c) it all compilesseamlessly if the grader just types ’make’ in the parent directory.
• Exception: you may not use outside code that accomplishes theprimary purpose of the assignment.
• If in doubt, ask me first.
Steven M. Bellovin January 19, 2020 15
![Page 16: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/16.jpg)
Co-operation versus Dishonesty
• Discussing homework with others is encouraged—but all programsand written material must be individual work unless otherwiseinstructed.
• Please use appropriate file permission mechanisms to protect yourhomework. (Looking at other people’s work is forbidden.)
• Zero tolerance for cheating
• See the department’s honesty policy:http://www.cs.columbia.edu/education/honesty I will assume thatyou have all read it; you are in any event responsible for its terms andprovisions.
Steven M. Bellovin January 19, 2020 16
![Page 17: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/17.jpg)
The Ethics of Security
• Taking a computer security class is not an excuse for hacking
• “Hacking” is any form of unauthorized access, including exceedingauthorized permissions
• The fact that a file or computer is not properly protected is no excusefor unauthorized access
• If the owner of a resource invites you to attack it, such use isauthorized
• For more details, seehttp://www.columbia.edu/cu/policy/network_use.html
• Absolutely no Trojan horses, back doors, or other malicious code inhomework assignments
Steven M. Bellovin January 19, 2020 17
![Page 18: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/18.jpg)
Not How I Teach It!
(Used with permission; see http://www.nukees.com)
Steven M. Bellovin January 19, 2020 18
![Page 19: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/19.jpg)
Contacting Me
• Feel free to drop in during office hours.
• I’ll announce changes on my home page
• I’m amenable to meeting other times, by appointment. You’rewelcome to drop in if my office door is open, but I reserve the right toask you to come back later
• If you have any questions, please use email rather than telephone; Itravel a lot and am not very reachable by phone
Steven M. Bellovin January 19, 2020 19
![Page 20: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/20.jpg)
Talking to Me
• Drop by just to talk (a good idea if you think you’ll want me to write arecommendation. . . )
• You don’t need to be in trouble to talk with me. . .
• If my office door is open, just walk in
• But—I travel too much
Steven M. Bellovin January 19, 2020 20
![Page 21: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/21.jpg)
Class Schedule
• Probable midterm date: March 6
• The final will be held on the date specified by the registrar. Thecurrent projection is Friday, May 8, 9:00-12:00—but that’s tentative.Do not make any travel plans that involve leaving campus before that.
Steven M. Bellovin January 19, 2020 21
![Page 22: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/22.jpg)
TAs
• ???
Steven M. Bellovin January 19, 2020 22
![Page 23: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/23.jpg)
Lectures
• I prepare slides for each class, and upload them shortly before classtime
• Slides (and other information) are uploaded to my web page
• Well, occasionally they’re uploaded shortly after class. . .
Steven M. Bellovin January 19, 2020 23
![Page 24: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/24.jpg)
Homeworks
• As noted, four homework assignments
• Homeworks are designed for practice, teaching, and evaluation
• Homeworks must be submitted electronically by the start of class
• Homeworks received later that day lose 5%, the next day 10%, twodays late 20%, three days late 30%; after that, zero credit
• Exceptions granted only for unforeseeable events. Workload, day job,etc., are quite foreseeable.
• No grace period, no freebies
• Problems? See me before the due date
Steven M. Bellovin January 19, 2020 24
![Page 25: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/25.jpg)
Grade Arithmetic
• If four homeworks total 48%, each one is 12%
• If you miss one assignment, that’s 12% off your final average
• That’s generally more than a single letter grade
• An 88% can be a B. . .
Steven M. Bellovin January 19, 2020 25
![Page 26: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/26.jpg)
Responsibility
• You’re all adults
• You’re all responsible for your own actions
• If there’s something missing, you have to tell me
Steven M. Bellovin January 19, 2020 26
![Page 27: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/27.jpg)
Practical Focus
• This is not a pure academic-style security course
• A lot of (in)security is about doing the unexpected
• The ability to “think sideways” is a big advantage
Steven M. Bellovin January 19, 2020 27
![Page 28: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/28.jpg)
The First Question
“What are you trying to protect, and against whom?”
• Some assets are more valuable than others
• Different enemies have different goals
• Different enemies have different abilities
You don’t want to spend too much—but you also don’t want to spend toolittle.
Steven M. Bellovin January 19, 2020 28
![Page 29: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/29.jpg)
What is Security?
Security is keeping unauthorized entities from doing things you don’t wantthem to do.
This definition is too informal. . .
Steven M. Bellovin January 19, 2020 29
![Page 30: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/30.jpg)
What is Security?
The standard definition: CIA
• Confidentiality
• Integrity
• Availability
Steven M. Bellovin January 19, 2020 30
![Page 31: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/31.jpg)
Confidentiality
• “The property that information is not made available or disclosed tounauthorized individuals, entities, or processes [i.e., to anyunauthorized system entity].” [definitions from RFC 4949]. Not thesame as privacy.
• Contrast with privacy : “The right of an entity (normally a person),acting in its own behalf, to determine the degree to which it willinteract with its environment, including the degree to which the entityis willing to share information about itself with others.” Privacy is areason for confidentiality
• The traditional focus of computer security
Steven M. Bellovin January 19, 2020 31
![Page 32: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/32.jpg)
Integrity
• data integrity: “The property that data has not been changed,destroyed, or lost in an unauthorized or accidental manner.”
• system integrity: “The quality that a system has when it can performits intended function in a unimpaired manner, free from deliberate orinadvertent unauthorized manipulation.”
• Often of more commercial interest than confidentiality
Steven M. Bellovin January 19, 2020 32
![Page 33: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/33.jpg)
Availability
• “The property of a system or a system resource being accessible andusable upon demand by an authorized system entity, according toperformance specifications for the system; i.e., a system is available ifit provides services according to the system design whenever usersrequest them.”
• Turning off a computer provides confidentiality and integrity, but hurtsavailability. . .
• Denial of service attacks are direct assaults on availability
Steven M. Bellovin January 19, 2020 33
![Page 34: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/34.jpg)
They Interact
• It’s obvious that violations of integrity can be used to compromiseconfidentiality
• In some situations, violations of availability can be used that way aswell
Steven M. Bellovin January 19, 2020 34
![Page 35: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/35.jpg)
Where Did CIA Come From?
• Oldest known source: Saltzer and Schroeder, 1975, which useddifferent language: “unauthorized information release,” “unauthorizedinformation modification,” and “unauthorized denial of use.”
• A 1991 National Academies study did use the CIA terminology
• The actual source: a 1990 NASA booklet, drawing on earlierpresentations by Ross Leo
Steven M. Bellovin January 19, 2020 35
![Page 36: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/36.jpg)
However. . .
• I don’t really like that definition
• Example: is a modification to a log file an integrity violation?
• Example: what about RAM-resident malware?
• Example: what if I cryptanalyze a site’s private key but don’t use it?
• Most important: it doesn’t give us any guidance on how to secure asystem
Steven M. Bellovin January 19, 2020 36
![Page 37: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/37.jpg)
Proposed Definition
Definition 1 (Security) A system is secure if there are no unauthorizedchanges possible to the execution environment of any user.
Definition 2 (Functional Security) A system is functionally secure if it isinfeasible for an attacker to materially change the executionenvironment of any user.
These definitions will be used throughout the semester.
Steven M. Bellovin January 19, 2020 37
![Page 38: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/38.jpg)
Execution Environments
At any point, every user of a system can perform certain operations oncertain resources. We call this the execution environment.
There are sometimes authorized transitions to different executionenvironments, e.g., after logging in
Similar to access control matrices
Steven M. Bellovin January 19, 2020 38
![Page 39: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/39.jpg)
In Other Words. . .
• Insecurity is defined as someone having unintended abilities
• It doesn’t matter how they obtained those abilities or if they’ve usedthem
Steven M. Bellovin January 19, 2020 39
![Page 40: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/40.jpg)
Access Control Matrix
• List all proceses and files in a matrix
• Each row is a process (“subject”)
• Each column is a file (“object”)
• Each matrix entry is the access rights that subject has for that object
Steven M. Bellovin January 19, 2020 40
![Page 41: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/41.jpg)
Sample Access Control Matrix
Subjects p and qObjects f, g, p, qAccess rights r (read), w (write), x (execute), o (owner)
f g p qp rwo r rwx wq - r r rwxo
Steven M. Bellovin January 19, 2020 41
![Page 42: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/42.jpg)
Other Permissions
• Append
• Delete file
• Owner (can change ACL)
• Many more are possible
Steven M. Bellovin January 19, 2020 42
![Page 43: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/43.jpg)
Access Control Matrix Operations
• System can transition from one ACM state to another
• Primitive operations: create subject, create object; destroy subject,destroy object; add access right; delete access right
• Transitions are, of course, conditional
Steven M. Bellovin January 19, 2020 43
![Page 44: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/44.jpg)
Conditional ACM Changes
Process p wishes to give process q read access to a file f owned by p.
command grant read file(p, f, q)if o in a[p, f ]
thenenter ”r” into a[q, f ]
else(signal error condition)
fiend
Steven M. Bellovin January 19, 2020 44
![Page 45: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/45.jpg)
Security is a System Problem
• You can’t solve it one component at a time
• It’s not a matter of adding crypto or using better passwords
• Firewalls don’t do it, either
• All of these things help—but all of the components interact
Steven M. Bellovin January 19, 2020 45
![Page 46: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/46.jpg)
More Definitions
vulnerability An error or weakness in the design, implementation, oroperation of a system
attack A means to exploit some vulnerability in a system
threat An adversary that is motivated and capable of exploiting avulnerability
(Definitions from Trust in Cyberspace)
Steven M. Bellovin January 19, 2020 46
![Page 47: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/47.jpg)
Vulnerabilities
• The technical failing in a system
• The primary focus of most computer security classes
• If you can close the vulnerabilities, the threats don’t matter
• Or do they?
Steven M. Bellovin January 19, 2020 47
![Page 48: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/48.jpg)
Threats
• Different enemies have different abilities
• Teenage joy-hackers can’t crack a modern cryptosystem
• Serious enemies can exploit the “three Bs”: burglary, bribery, andblackmail
• But are they motivated to attack you?
• You can’t design a security system unless you know who the enemy is
Steven M. Bellovin January 19, 2020 48
![Page 49: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/49.jpg)
The Threat Matrix
Ski
ll−→ Opportunistic hacks Advanced Persistent Threats
Joy hacks Targeted attacks
Degree of Focus −→
Steven M. Bellovin January 19, 2020 49
![Page 50: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/50.jpg)
Types of Attackers
Joy hackers Beginners; doing it for fun; little knowledge or focus
Opportunistic attackers Often very good but will hit any vulnerabletarget
Targetiers Focuses on particular target; gathers background information,but not necessarily skilled
APT Skilled and focused.
Steven M. Bellovin January 19, 2020 50
![Page 51: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/51.jpg)
Advanced Persistent Threats
• The most dangerous attacker
• Still a wide range, from skilled criminals to some governments to veryadvanced cyberwarfare and cyberespionage activities—think Stuxnet
• The US? China? Russia? Israel? North Korea? (I’m blaming the“Andromedans”. . . )
• Caution: many corporations blame ordinary penetrations on APTs
Steven M. Bellovin January 19, 2020 51
![Page 52: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/52.jpg)
Don’t Neglect the Human Element
“Humans are incapable of securely storing high-quality cryptographickeys, and they have unacceptable speed and accuracy when performingcryptographic operations. They are also large, expensive to maintain,difficult to manage, and they pollute the environment. It is astonishing thatthese devices continue to be manufactured and deployed, but they aresufficiently pervasive that we must design our protocols around theirlimitations.”
Network Security: Private Communication in a Public World, Kaufman,Perlman, and Speciner
Steven M. Bellovin January 19, 2020 52
![Page 53: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/53.jpg)
Engineering
• Sometimes, requirements are inconsistent and/or incomplete
• Conflicts:
– Security versus cost
– Security versus performance
– Security versus acceptability and culture
– Security versus usability
– Security versus security!
• We’ll discuss how to detect and analyze such conflicts
Steven M. Bellovin January 19, 2020 53
![Page 54: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/54.jpg)
Designing Security
• The problem is overconstrained
• Among the contraints are cost, human behavior, and ease ofoperation
• In the real world, realistic security is often far more important thantheoretical security
• What are you trying to protect against whom?
Steven M. Bellovin January 19, 2020 54
![Page 55: COMS W4182: Computer Security II Prof. Steven M. Bellovinsmb/classes/s20/l_intro.pdf · COMS W4181 is a prerequisite for this class—I assume that you ... Steven M. Bellovin January](https://reader034.vdocuments.net/reader034/viewer/2022043009/5f9b718ca5d59d17df65437e/html5/thumbnails/55.jpg)
What this Course is About
• Thinking about security
• Mechanisms
• Threat analysis
• Security architecture
• Assurance
• In short, engineering secure systems
Steven M. Bellovin January 19, 2020 55