What is Computer Security?
for Professor Ruan’s Class at Nankai University
Clark Thomborson
2nd April 2007
Questions to be (Partially) Answered
What is security? What types of security can be handled
by a computer?
But first... let me introduce myself.
Clark Thom{p,bor}son
Clark Thompson: 1954-1986
1971-75: BS (Honors) Chemistry and MS CompSci/CompEng’g at Stanford.
1976-79: PhD Computer Science at C-MU.
1977-86: parallel algorithms, connection networks, VLSI complexity at UC Berkeley.
1986: Thompson + Borske = Thomborson.
1986-96: VLSI algorithmics, randomized rounding, supercomputer performance at U Minnesota – Duluth.
1996-present: software obfuscation, watermarking, tamperproofing, trusted computing at Auckland.
NZ and Auckland
New Zealand is a South Pacific island nation, populated by:
600,000 “Maori”: the first people of NZ, who arrived about 800 years ago;
300,000 “Asian” (Chinese, Indian, Iranian, ...);
300,000 “Pacific” (Samoan, Fijian, Tongan, ...);
3,100,000 “European” (mostly emigrants from Great Britain).
1,300,000 people live in the Auckland region. Population density is very low almost everywhere else in NZ.
4.3 million people in 270,000 km2 = 16 people / km2.
Tianjin: 11 million people in 11,000 km2 = 1000 people / km2.
The University of Auckland has 25,000 undergraduate students, 5,000 postgraduate students, and 4,000 staff. 5,500 of our students are from other countries.
Computer Science Department
We are the largest and most diversified computer science department in New Zealand: 40 staff, 800 undergraduates, 100 postgraduates.
Secure Systems Group
Inventions: Software obfuscation, Software watermarking, Tamperproofing, and 3d object watermarking (subcontract: Cardiff U)
Secure systems development: Applications of trusted computing, Specification of security requirements, and Security improvements
http://www.cs.auckland.ac.nz/research/groups/ssg/
CSC PhD Scholarships
20 PhD Scholarships per year from the China Scholarship Council and the University of Auckland. The CSC pays travel and living expenses. The University of Auckland does not charge tuition fees (other PhD students pay NZD $5000/year ~ USD $3000/year).
Our PhD programme is 3 to 4 years of supervised research, with no coursework. You must already have a research-oriented Master’s degree. You must find a supervisor and define a topic before you are admitted. See http://www.cs.auckland.ac.nz/phd/ and www.csc.edu.cn.
What is Security? (A Taxonomic Overview)
The first step in wisdom is to know the things themselves; this notion consists in having a true idea of the objects; objects are distinguished and known by classifying them methodically and giving them appropriate names. Therefore, classification and name-giving will be the foundation of our science.
Carolus Linnæus, Systema Naturæ, 1735
(from Lindqvist and Jonsson, “How to Systematically Classify Computer Security Intrusions”, 1997.)
Standard Taxonomy of Security
1. Confidentiality: no one is allowed to read, unless they are authorised.
2. Integrity: no one is allowed to write, unless they are authorised.
3. Availability: all authorised reads and writes will be performed by the system.
Authorisation: giving someone the authority to do something.
Authentication: being assured of someone’s identity.
Identification: knowing someone’s name or ID#.
Auditing: maintaining (and reviewing) records of security decisions.
A Multi-Level Hierarchy
“Static security”: the confidentiality, integrity, and availability properties of a system.
“Dynamic security”: the gold standard of Authentication, Authorisation, Audit. These processes assure static security. If these processes run too often, we have a “gold-plated” system design! (Infeasible – too expensive.)
Metaphorically, a security engineer should:
seal all security perimeters with an authenticating gold veneer (note: a veneer is a very thin sheet),
sprinkle auditing gold-dust uniformly but very sparingly over the most important security areas, and
place an authorising golden seal on the most important accesses, but not on any other accesses.
Security Governance
Governance should be pro-active, not reactive. Governors should constantly be asking questions, considering the answers, and revising plans:
Specification, or Policy (answering the question of what the system is supposed to do),
Implementation (answering the question of how to make the system do what it is supposed to do), and
Assurance (answering the question of whether the system is meeting its specifications).
Governors cannot be involved in the low-level decisions of static security, and they should not be heavily involved in dynamic security. They should be security executives, not its operators.
Generalized Static Security
Confidentiality, Integrity, and Availability only cover security for read and write operations.
What about security for executable objects? Unix directories have “rwx” permission bits.
Do we need a fourth aspect of static security? XXXX-ity: all executions must be authorised. I don’t know a good name for this property. (Is there a good name for it in Chinese? gwi ju? => “guijuity”?)
At the top of a taxonomy we should combine, rather than divide. Confidentiality, Integrity, and XXXX-ity are all Prohibitions. Availability is a Permission.
[Diagram: two tree views rooted at S. In the first, S divides into P− (prohibitions) and P+ (permissions), with the leaves C, I, X and A beneath them; in the second, the same four leaves C, I, X and A hang directly from S without the P−/P+ level.]
Prohibitions and Permissions
Prohibition: (try to) prevent something from happening.
Permission: (try to) allow something to happen.
There are two types of secure systems:
In a prohibitive system, all operations are prohibited by default. Permissions are granted in special cases, e.g. to authorised individuals.
In a permissive system, all operations are allowed by default. Prohibitions are special cases, e.g. when an individual attempts to access a secure system.
Prohibitive systems have permissive subsystems. Permissive systems have prohibitive subsystems.
Recursive Security; Allowances
Prohibitions, e.g. “Thou shalt not kill.” General rule: An action (in some range R) is not allowed, with exceptions (permissions) P1, P2, P3, ...
Permissions, e.g. an entry visa. General rule: An action in P is allowed, with exceptions (prohibitions) R1, R2, R3, ...
This leads to a hierarchy of controls on actions.
[Diagram: nested regions. An outer permitted region P (allowed) contains prohibited regions R1, R2 and R3; permitted exceptions P1 and P2 are nested inside a prohibited region.]
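The nested rule structure just described, as an added example in Python that is not code from the talk. A rule is a scope predicate, a polarity (allow or deny) and a list of exceptions of the opposite polarity; a request is decided by the deepest matching rule, so the same evaluator serves a prohibitive system (deny root, permission exceptions) and a permissive one (allow root, prohibition exceptions). The subjects, paths and rule labels are constructed for the example; the labels P1, R1, P2 follow the slide's naming.

```python
"""Recursive prohibitions and permissions, evaluated most-specific-first.

Added example, not code from the talk.  A rule is a scope predicate over a
request, a polarity (allow or deny) and a list of exceptions, each of the
opposite polarity.  The decision for a request is the polarity of the deepest
matching rule: a prohibitive system is a deny root with permission exceptions,
a permissive system is an allow root with prohibition exceptions.  Subjects,
paths and rule labels below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Request = Tuple[str, str, str]        # (subject, operation, object)


@dataclass
class Rule:
    name: str
    allow: bool                       # True: permission, False: prohibition
    scope: Callable[[Request], bool]
    exceptions: List["Rule"] = field(default_factory=list)

    def __post_init__(self) -> None:
        # An exception must invert its parent's polarity; anything else is a
        # policy bug, so reject it when the tree is built, not at decision time.
        for ex in self.exceptions:
            if ex.allow == self.allow:
                raise ValueError(f"{ex.name!r} has the same polarity as {self.name!r}")

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Polarity and label of the deepest matching rule under self."""
        for ex in self.exceptions:
            if ex.scope(req):          # first matching exception wins, and it
                return ex.decide(req)  # may carry deeper exceptions of its own
        return self.allow, self.name


def decide(system: Rule, req: Request) -> Tuple[bool, str]:
    """Evaluate one request against a system whose root covers every request."""
    if not system.scope(req):
        raise ValueError("the root rule must cover every request")
    return system.decide(req)


def everything(req: Request) -> bool:
    return True


STAFF = {"alice", "bob"}

# Prohibitive system: denied by default, with permissions as the exceptions.
PROHIBITIVE = Rule("deny-all", False, everything, exceptions=[
    Rule("P1", True,            # staff may read under /public ...
         lambda r: r[0] in STAFF and r[1] == "read" and r[2].startswith("/public/"),
         exceptions=[
             Rule("R1", False,  # ... except under /public/drafts ...
                  lambda r: r[2].startswith("/public/drafts/"),
                  exceptions=[
                      Rule("P2", True,   # ... where alice alone may read.
                           lambda r: r[0] == "alice"),
                  ]),
         ]),
    Rule("P3", True,            # root may do anything under /etc.
         lambda r: r[0] == "root" and r[2].startswith("/etc/")),
])

# Permissive system: allowed by default, with prohibitions as the exceptions.
PERMISSIVE = Rule("allow-all", True, everything, exceptions=[
    Rule("R1", False,           # nobody writes under /secure ...
         lambda r: r[1] == "write" and r[2].startswith("/secure/"),
         exceptions=[
             Rule("P1", True,   # ... except the auditor.
                  lambda r: r[0] == "auditor"),
         ]),
])

if __name__ == "__main__":
    for req in [("alice", "read", "/public/drafts/plan"),
                ("bob", "read", "/public/drafts/plan"),
                ("carol", "write", "/secure/db"),
                ("auditor", "write", "/secure/db")]:
        print(req, "->", decide(PROHIBITIVE, req), decide(PERMISSIVE, req))
```

The polarity check in `__post_init__` is the practical safeguard: a permission nested under a permission (or a prohibition under a prohibition) is the usual way a policy tree silently widens, so the tree refuses to build rather than evaluating to something unintended.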
Is Our Taxonomy Complete?
Prohibitions and permissions are properties of hierarchical systems, such as a judicial system. Most legal controls (“laws”) are prohibitive. A few are permissive.
Contracts are non-hierarchical: agreed between peers. Obligations are promises to do something in the future. Exemptions are exceptions to an obligation. The contract must specify a dispute-resolution procedure. Often this is an obligation to submit to a legal judgement.
There are two types of peerages: obligatory and exemptive. Obligatory peerages have exemptive subsystems. Exemptive peerages have obligatory subsystems.
Can we have hierarchies within peerages, and peerages within hierarchies? Yes, but the linkage is still obscure to me. I intend to keep working on this. Maybe you can help!
Obligations are requirements on actions, e.g. “Honour thy father and mother.” Note: these are prohibitions on inactions. Obligation rule: An action (in some range O) is required, with exemptions O1, O2, O3, ...
Exemptions are non-requirements on actions, e.g. “A trustee shall not be answerable for involuntary acts.” These are permissions on inactions. Exemption rule: An action in E is not required, with obligations E1, E2, ...
We have added a new level to our hierarchy!
Our new taxonomy has more descriptive power than the CIA taxonomy.
I still want to see a “design win”. Will these insights lead to better security in the real world?
Inactions and Actions; Requirements
[Diagram: two trees rooted at S. The first splits S into P− and P+ with the four leaves Per, Pro, Obl and Exe beneath them; the second arranges the same four leaves as Exe, Pro, Per, Obl.]
Reviewing our Questions
1. What is security? Three layers: static, dynamic, governance. Four types of static security rules: prohibitions, permissions, obligations, and exemptions. A taxonomic structure is (requirements, allowances) x (actions, inactions).
2. What types of security can be handled by a computer?
Computer Security Systems
Definition. A computer system is a static security detector if it has a set of static security rules, expressed as efficient computer programs with reliable inputs, that determine when an action or an inaction is required or not allowed, and a reliable output channel to an enforcement agent (computer or human).
Definition. A computer system is a static security enforcer if its outputs effectively control the system’s compliance with its static security rules, and its inputs are supplied by one or more static security detectors.
Computers can implement most of the dynamic layer of security: auditing, authorisation, authentication, identification. Most level-2 (dynamic) operations are automated, but human oversight is necessary.
Computers can give very limited assistance at the governance layer. Governors make tradeoffs among specification, implementation, and assurance activities. Human judgement is required!
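The detector/enforcer split from the two definitions, as an added Python example that is not code from the talk. The detector holds a prohibition on an action (non-admins may not delete under /prod), an obligation on an inaction (a deploy under /prod requires a fresh prior approval by someone else) and an exemption from that obligation (hotfix deploys); its only output is a verdict on a channel to the enforcer, which alone admits or blocks the event. The event stream, actor names, paths and the 600-second approval window are all constructed for the example.

```python
"""A static security detector driving a static security enforcer.

Added example, not code from the talk.  The detector holds a prohibition on
an action, an obligation (a required prior action, i.e. a prohibition on an
inaction) and an exemption from that obligation.  The detector can only emit
a verdict on its output channel; the enforcer is what admits or blocks the
event.  Events, actor names, paths and the approval window are constructed.
"""
from dataclasses import dataclass
from typing import List

APPROVAL_WINDOW = 600     # seconds; an assumed policy parameter
ADMINS = {"root"}


@dataclass(frozen=True)
class Event:
    t: int                # seconds since epoch
    actor: str
    action: str           # "approve", "deploy", "delete", ...
    obj: str              # path-like name of the object acted on


@dataclass(frozen=True)
class Verdict:
    ok: bool
    rule: str             # the rule that decided, "" if none applied


class Detector:
    """Evaluates the static rules against admitted history plus one new event."""

    def inspect(self, history: List[Event], ev: Event) -> Verdict:
        # Prohibition on an action: only admins may delete under /prod.
        if ev.action == "delete" and ev.obj.startswith("/prod/") and ev.actor not in ADMINS:
            return Verdict(False, "prohibition: non-admin delete under /prod")

        if ev.action == "deploy" and ev.obj.startswith("/prod/"):
            # Exemption: hotfix deploys are released from the approval obligation.
            if ev.obj.startswith("/prod/hotfix/"):
                return Verdict(True, "exemption: hotfix deploy needs no approval")
            # Obligation on an inaction: a deploy requires a prior approval of
            # the same object, by a different actor, within the window.
            approved = any(
                h.action == "approve" and h.obj == ev.obj
                and h.actor != ev.actor                  # no self-approval
                and 0 <= ev.t - h.t <= APPROVAL_WINDOW   # not stale
                for h in history
            )
            if not approved:
                return Verdict(False, "obligation: deploy without a fresh approval")
            return Verdict(True, "obligation: approval found")

        return Verdict(True, "")


class Enforcer:
    """Admits an event only if every detector approves; blocked events never
    reach the history the detectors reason over."""

    def __init__(self, detectors: List[Detector]) -> None:
        self.detectors = detectors
        self.history: List[Event] = []

    def process(self, ev: Event) -> Verdict:
        verdict = Verdict(True, "")
        for d in self.detectors:
            verdict = d.inspect(self.history, ev)   # the detector's output channel
            if not verdict.ok:
                return verdict
        self.history.append(ev)
        return verdict


# Constructed event stream; comments give the expected decision.
SAMPLE_EVENTS = [
    Event(0,    "alice", "approve", "/prod/app"),
    Event(100,  "bob",   "deploy",  "/prod/app"),          # approved: admitted
    Event(200,  "bob",   "deploy",  "/prod/app2"),         # never approved: blocked
    Event(300,  "bob",   "deploy",  "/prod/hotfix/fix1"),  # exempt: admitted
    Event(400,  "carol", "delete",  "/prod/app"),          # prohibited: blocked
    Event(500,  "root",  "delete",  "/prod/app"),          # admin: admitted
    Event(1000, "alice", "approve", "/prod/app3"),
    Event(2000, "bob",   "deploy",  "/prod/app3"),         # approval stale: blocked
    Event(3000, "bob",   "approve", "/prod/app4"),
    Event(3010, "bob",   "deploy",  "/prod/app4"),         # self-approval: blocked
]


def run(events: List[Event]) -> List[Verdict]:
    """Feed events through one enforcer fed by one detector; return each verdict."""
    enforcer = Enforcer([Detector()])
    return [enforcer.process(e) for e in events]


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print("ADMIT" if v.ok else "BLOCK", ev.actor, ev.action, ev.obj, v.rule)
```

Two points a practitioner would check: the detector reasons only over history the enforcer has admitted, so a blocked self-approval cannot later satisfy an obligation; and the enforcer is prohibitive by default (any failing detector blocks), which is the defaults-to-deny shape the talk recommends for a secure system.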
Let’s briefly consider the primary methods of control.
Lessig’s Taxonomy of Control
[Diagram: four axes of control: easy/difficult, inexpensive/expensive, legal/illegal, moral/immoral.]
Computers make things easy or difficult.
Governments make things legal or illegal.
The world’s economy makes things inexpensive or expensive.
Our culture makes things moral or immoral.
Reviewing our Questions
Questions: What is security? What types of security can be handled by a computer?
Partial answers: There are three layers of security: static, dynamic, and governance. Computers can handle the first two layers.