CS 513 - System Security
Lecture 1
Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 1/27/00
Today's Topics
- Why Networked Information Systems (NIS) are not trustworthy
- Why NIS are prevalent
- The risks of using untrustworthy NIS
Trustworthiness
A system is trustworthy if it behaves as expected despite:
- environmental disruption
    - examples: earthquakes, storms, squirrels eating through wire insulation
    - environmental disruption is a significant cause of today's outages
    - the expected number of future outages should remain constant
      (the frequency of events that cause disruptions should not increase)
    - replication and robust design can protect against disruptions
- hostile acts
    - currently not a significant cause of outages
    - attacks appear to be growing in both number and sophistication
    - DISA reports that the number of attacks on government installations doubles every year
    - CERT at CMU says that the number of attacks is growing exponentially
    - attacks are correlated (not independent)
    - good designs deter hostile acts
- operational failures (aka operator/human error)
    - a significant cause of today's outages
    - as the user base becomes less sophisticated, the number of outages due to operational failure is expected to increase
    - better designs, particularly of user interfaces, can help
- design error
    - a significant cause of today's outages
    - hackers often launch attacks by taking advantage of design weaknesses
A system is only as trustworthy as its most easily compromised point.
A system built from trustworthy modules may or may not be trustworthy, since the
'glue' binding the components together can introduce weaknesses into the system.
The class of nonfunctional properties is defined by the contexts in which you can embed a system without
affecting the system's functional properties (I/O behavior).
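The two points above, that replication protects against independent environmental disruptions but not against correlated attacks or shared design flaws, and that a system is only as trustworthy as its most easily compromised point, can be put into a small probability model. This is an added illustration, not part of the lecture notes; all probabilities in it are constructed values, not measurements.

```python
"""Toy trustworthiness model (added example; values are constructed, not data).

replicated_outage: replication drives the independent-failure term p_indep**n
toward zero, but a correlated (common-mode) event such as an attack on a
design flaw shared by every replica sets a floor that replication cannot lower.

weakest_link: a system of modules plus the 'glue' binding them is compromised
if ANY part is compromised, so one weak part dominates the result.
"""
from math import prod


def replicated_outage(p_indep, n, p_common):
    """Probability that all n replicas are down in a period.

    p_indep  : per-replica probability of an independent failure
               (storm, squirrel, local power loss) in the period
    n        : number of replicas
    p_common : probability of a common-mode event that takes every
               replica down at once (correlated attack, replicated
               operator error, shared design error)
    """
    if n < 1 or not (0 <= p_indep <= 1) or not (0 <= p_common <= 1):
        raise ValueError("n >= 1 and probabilities in [0, 1] required")
    # Outage if the common-mode event happens, or, if it does not,
    # if every replica fails on its own.
    return p_common + (1 - p_common) * p_indep ** n


def replication_payoff(p_indep, p_common, max_n):
    """Outage probability for n = 1..max_n; every entry is >= p_common."""
    return [replicated_outage(p_indep, n, p_common) for n in range(1, max_n + 1)]


def weakest_link(p_modules, p_glue):
    """Probability the whole system is compromised when each module and the
    glue can be compromised independently: the system survives only if
    every module and the glue survive."""
    survive = prod(1 - p for p in p_modules) * (1 - p_glue)
    return 1 - survive


if __name__ == "__main__":
    print(replication_payoff(0.1, 0.02, 4))      # floor at 0.02 is never crossed
    print(weakest_link([0.01, 0.01], 0.2))       # the 0.2 glue dominates
```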
Prevalence
Industries use NIS to meet the continual demand for faster service at less cost. For example,
just-in-time (JIT) manufacturing is a technique that reduces cost by relying on a precise delivery
schedule instead of stockpiling parts. In this kind of environment, timely information (who needs
what, and when?) becomes essential, hence the need for networked information systems. The risk is that
a disruption to the schedule will halt production within a short time.
The development of new industries exploiting NIS, such as electronic
commerce, contributes to their growing prevalence.
Effect of Deregulation:
The current trend is to deregulate. Recent examples of deregulation include the telephone
system and the power systems in NY and CA. Deregulation encourages companies in essential
services to cut costs and attract customers. Operating costs are reduced by diminishing
redundancy (increasing the likelihood and scope of environmental disruption), computerizing control
systems (fewer expensive human operators and finer control over reduced resources -> more NIS),
and out-sourcing peripheral duties such as janitorial work (less
control over who has access to facilities/information). Some of the cost reduction is passed
to the customer along with an increased set of features (increased code complexity and
consequently an increased likelihood of design error).
Today's systems tend to use commercial off-the-shelf (COTS) components. Due to
mass production, COTS components are relatively cheap, everyone knows how to use them,
and everyone can read documents in the same format. COTS components, however, are not
trustworthy, because they must compete in a marketplace that favors features over security
and awards large market share to the first product available rather than the best.
Risks of Prevalent, Untrustworthy NIS
Untrustworthy NIS allow:
- information disclosure / violations of privacy
- information corruption - examples include hackers retargeting bombs and selling other people's stocks
- denial of service
- information warfare (IW)