CS 513 - System Security
Lecture 2
Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 2/1/00
Today's Topics
- Security in the Real World
- Risk Management
- Externality
- Computer Security
- The Gold Standard
- Assurance
- Basic Definitions and Some Common Security Properties
Real World Security
Real world security is defined by three components:
- valuables - the things that we want to protect, but are willing to lose
- locks - mechanisms that we are willing to invest in to deter theft
  - locks differ in scale based on what they are designed to protect (my car vs. a
    priceless painting), on the environment (NYC vs. Ithaca), and on people's
    perception of what is needed
  - locks save money, because they lower insurance rates and reduce the police force needed
  - locks that interfere excessively with daily life will not be used
- police/courts - agencies in charge of dealing with violations
  - examples: sysAdmin, Cornell's JA, U.S. Court System, National Security Agency
  - vital to security, because they deter people from trying to steal
  - we need mechanisms to support police/courts
Externality
Valuables, locks, and police/courts are part of a risk management system in which you
have a valuable, you protect it with a suitably scaled lock, and you rely on
police/courts to enforce your ownership rights. This system fails under externality.
Externality occurs when the owners do not have the incentive to invest in proper locks.
Examples include the tragedy of the commons (everyone owns a resource, so no one takes
responsibility for it), pollution-emitting factories, and power companies (they have some
insurance, but not enough to cover the loss of life and income that users suffer due
to an outage). The problem of externality is solved by society passing and enforcing
liability laws.
Computer Security
Like security in the real world, computer security is defined by valuables, locks (and keys),
and police/courts. In this context, however,
- valuables are data and computation
- locks are authorization mechanisms, such as requiring a userid and password
- keys open locks by authentication, which is based on something you are (fingerprint),
  something you have (card letting you into the lab), or something you know (password)
- police/courts perform auditing
Authorization, Authentication, and Auditing are known as the Gold Standard of security.
In both the real and the electronic world, security is holistic. In other words, a system
is as secure as its weakest link.
Assurance
An important property of security mechanisms is assurance. To provide assurance, you must
show that a system does no more and no less than is given in its specification. An increase
in functionality requires an increase in assurance to maintain the original level of trust.
People trust mathematical proofs and tests that they can run themselves. People do not trust
third-party promises. (If the NSA says something is good for encryption, then they probably
know how to crack it.)
Strategies to Increase Assurance:
- economy of mechanism (aka KISS: Keep It Simple, Stupid)
- modularization - construct the system from small, easily testable building blocks
- open design - publishing the source code. This allows users to find errors, but nifty
  loopholes may not be reported, and vulnerabilities that are not encountered during common
  usage are not found. Therefore, open design can lead to a false sense of security.
- no security by obscurity - do not depend on the secrecy of a design to provide security
Basic Definitions and Common Security Properties
Vocabulary:
- vulnerabilities - weaknesses that can be exploited in a system
- attacks - methods of exploiting vulnerabilities
- threats - motivated, capable adversaries that would attack. Threats range from foreign
  governments (lots of resources, intelligence, and motivation) to teenage hackers running
  pre-packaged attack scripts that they don't understand.
All systems have vulnerabilities, but an attack that can exploit them may not exist.
If attacks do exist, then the threats may not. So, the first step to building a secure
system is to determine what the threats are.
Some Common Security Properties:
- secrecy/confidentiality
  - need to determine what constitutes a secret
  - a secret can be discovered by combining unclassified (not secret) facts or by
    deconstructing an unclassified fact into classified components
  - privacy and secrecy are two different concepts. Privacy is defined with respect to
    people, e.g., a person's civil rights
- integrity - concerns unauthorized changes to data
- availability - important to remember that one system's availability may depend on another's
- separation of privilege - all keys are distinct, so that you have fine-grained control
  over locks
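The Gold Standard from the Computer Security section (keys that authenticate, locks that authorize, auditing that records every attempt) together with separation of privilege (a distinct lock per resource), as an added example that is not part of the lecture notes; the users, passwords, resources and access lists are constructed for illustration.

```python
"""Added example (not from the lecture): the Gold Standard as three separate
mechanisms.  Keys (authentication) open locks (authorization), and every
attempt, successful or not, is recorded (auditing).  All names and the
sample users/ACLs below are constructed for illustration."""
import hashlib
import hmac
import os

def _hash(salt: bytes, password: str) -> bytes:
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# "Something you know" store: user -> (salt, hash of password).  Constructed.
USERS = {}
for _name, _pw in [("alice", "correct horse"), ("bob", "battery staple")]:
    _salt = os.urandom(16)
    USERS[_name] = (_salt, _hash(_salt, _pw))

# Locks: each resource has its own access list.  Separation of privilege:
# holding the key to one lock says nothing about any other lock.
ACL = {"grades.db": {"alice"}, "lab-door": {"alice", "bob"}}

AUDIT_LOG = []  # police/courts: an append-only record of every attempt

def authenticate(user: str, password: str) -> bool:
    """Key check: constant-time comparison of the salted password hash."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash(salt, password))

def authorize(user: str, resource: str) -> bool:
    """Lock check: is this (already authenticated) user on the resource's ACL?"""
    return user in ACL.get(resource, set())

def access(user: str, password: str, resource: str) -> bool:
    """Authenticate, then authorize, and audit the outcome either way."""
    if not authenticate(user, password):
        outcome = "auth-failed"
    elif not authorize(user, resource):
        outcome = "denied"
    else:
        outcome = "granted"
    AUDIT_LOG.append((user, resource, outcome))
    return outcome == "granted"

if __name__ == "__main__":
    access("alice", "correct horse", "grades.db")   # granted
    access("bob", "battery staple", "grades.db")    # denied: right key, wrong lock
    access("mallory", "guess", "lab-door")          # auth-failed, still audited
    for record in AUDIT_LOG:
        print(record)
```

Note that the failed attempts appear in the audit log alongside the successful one; an auditing mechanism that only records successes gives the police/courts nothing to act on.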