Availability •Ensuring timely and reliable access to and use of information

Academic year: 2022

(1) Chapter 1 Overview

The NIST Computer Security Handbook defines the term Computer Security as:

Key Security Concepts
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
• Availability: Ensuring timely and reliable access to and use of information

Figure 1.1 The Security Requirements Triad (confidentiality, integrity and availability around data and services)

Levels of Impact
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

• Computer security is not as simple as it might first appear to the novice
• Potential attacks on the security features must be considered
• Procedures used to provide particular services are often counterintuitive
• Physical and logical placement needs to be determined
• Additional algorithms or protocols may be involved
• Attackers only need to find a single weakness, the developer needs to find all weaknesses
• Users and system managers tend to not see the benefits of security until a failure occurs
• Security requires regular and constant monitoring
• Is often an afterthought to be incorporated into a system after the design is complete
• Thought of as an impediment to efficient and user-friendly operation

(2) Vulnerabilities, Threats and Attacks

Assets of a Computer System
• Hardware
• Software
• Data
• Communication facilities and networks

Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)

Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset

Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the system that does not affect system resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security perimeter
• Outsider – initiated from outside the perimeter

Countermeasures
• Means used to deal with security attacks
o Prevent
o Detect
o Recover
• Residual vulnerabilities may remain
• May itself introduce new vulnerabilities
• Goal is to minimize residual level of risk to the assets

Table 1.3 Computer and Network Assets, with Examples of Threats
• Hardware
o Availability: Equipment is stolen or disabled, thus denying service.
o Confidentiality: An unencrypted CDROM or DVD is stolen.
• Software
o Availability: Programs are deleted, denying access to users.
o Confidentiality: An unauthorized copy of software is made.
o Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
• Data
o Availability: Files are deleted, denying access to users.
o Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
o Integrity: Existing files are modified or new files are fabricated.
• Communication Lines and Networks
o Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
o Confidentiality: Messages are read. The traffic pattern of messages is observed.
o Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Passive and Active Attacks

Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
o Release of message contents
o Traffic analysis

Active Attack
• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
o Replay
o Masquerade
o Modification of messages
o Denial of service

(3) Attack Surfaces

Consist of the reachable and exploitable vulnerabilities in a system. Examples:
• Open ports on outward facing Web and other servers, and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents, and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a social engineering attack

Attack Surface Categories
• Network Attack Surface
o Vulnerabilities over an enterprise network, wide-area network, or the Internet
o Including network protocol vulnerabilities, such as those used for DoS attacks
• Software Attack Surface
o Vulnerabilities in application, utility, or operating system code
o Particular focus is Web server software
• Human Attack Surface
o Social engineering, human error, and trusted insiders

Figure 1.3 Defense in Depth and Attack Surface (axes: layering, shallow to deep; attack surface, small to large; regions: low, medium and high security risk)

Computer Security Strategy

Summary
• Computer security concepts
o Definition
o Challenges
o Model
• Threats, attacks, and assets
• Fundamental security design principles
• Attack surfaces and attack trees
o Attack surfaces
o Attack trees
• Computer security strategy
o Security policy
o Security implementation
o Assurance and evaluation

(4) Chapter 2 Cryptographic Tools

Basic Terminology
• Plaintext
o Readable message or data that is fed into the algorithm as input
• Encryption algorithm
o Performs transformations on the plaintext
• Public and private key
o Pair of keys, one for encryption, one for decryption
• Ciphertext
o Scrambled message produced as output
• Decryption key
o Produces the original plaintext

Symmetric Encryption
• The universal technique for providing confidentiality for transmitted or stored data
• Also referred to as secret-key encryption
• Two requirements for secure use:
o Need a strong encryption algorithm
o Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure

Attacking Symmetric Encryption
• Cryptanalytic Attacks
o Rely on: nature of the algorithm; some knowledge of the general characteristics of the plaintext; some sample plaintext-ciphertext pairs
o Exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or the key being used
• Brute-Force Attack
o Try all possible keys on some ciphertext until an intelligible translation into plaintext is obtained

Block & Stream Ciphers
• Block Cipher
o Processes the input one block at a time
o Produces an output block for each input block
• Stream Cipher
o Processes the input elements continuously (typically 1 byte at a time)
o Produces output one element at a time
o Faster than block ciphers
o Pseudorandom stream is one that is unpredictable without knowledge of the input key

Block Ciphers vs. Stream Ciphers
• Block cipher: applied to a unit of data larger than a single 64-bit or 128-bit block, e.g., Electronic CodeBook (ECB) mode
o Each block of plaintext is encrypted using the same key
o Cryptanalysts may be able to exploit regularities in the plaintext
• Stream cipher: process message bit by bit (as a stream): a pseudo-random keystream XOR'ed with plaintext bit by bit:
o $C_i = M_i \oplus \mathrm{StreamKey}_i$

Figure 2.2 Types of Symmetric Encryption: (a) Block cipher encryption (electronic codebook mode); (b) Stream encryption

(5) Symmetric Encryption: Comparison of 3 Popular Block Ciphers
• Plaintext block size (bits): DES 64; Triple DES 64; AES 128
• Ciphertext block size (bits): DES 64; Triple DES 64; AES 128
• Key size (bits): DES 56; Triple DES 112 or 168; AES 128, 192, or 256
DES = Data Encryption Standard, AES = Advanced Encryption Standard

Data Encryption Standard (DES)
• Uses 64 bit plaintext block and 56 bit key to produce a 64 bit ciphertext block
• Strength concerns:
o Use of 56-bit key: there are $2^{56}$ possible keys, which is approximately $7.2 \times 10^{16}$ keys
o Electronic Frontier Foundation (EFF) announced in July 1998 that it had broken a DES encryption
o Should no longer be used in production systems

Table 2.2 Average Time Required for Exhaustive Key Search
• 56-bit key (DES): $2^{56} \approx 7.2 \times 10^{16}$ alternative keys; $2^{55}$ ns = 1.125 years at $10^{9}$ decryptions/s; 1 hour at $10^{13}$ decryptions/s
• 128-bit key (AES): $2^{128} \approx 3.4 \times 10^{38}$ alternative keys; $2^{127}$ ns = $5.3 \times 10^{21}$ years at $10^{9}$ decryptions/s; $5.3 \times 10^{17}$ years at $10^{13}$ decryptions/s
• 168-bit key (Triple DES): $2^{168} \approx 3.7 \times 10^{50}$ alternative keys; $2^{167}$ ns = $5.8 \times 10^{33}$ years at $10^{9}$ decryptions/s; $5.8 \times 10^{29}$ years at $10^{13}$ decryptions/s
• 192-bit key (AES): $2^{192} \approx 6.3 \times 10^{57}$ alternative keys; $2^{191}$ ns = $9.8 \times 10^{40}$ years at $10^{9}$ decryptions/s; $9.8 \times 10^{36}$ years at $10^{13}$ decryptions/s
• 256-bit key (AES): $2^{256} \approx 1.2 \times 10^{77}$ alternative keys; $2^{255}$ ns = $1.8 \times 10^{60}$ years at $10^{9}$ decryptions/s; $1.8 \times 10^{56}$ years at $10^{13}$ decryptions/s

Triple DES (3DES)
• Repeats basic DES algorithm three times using either two or three unique keys
• Underlying encryption/decryption algorithm is DES
• First standardized for use in financial applications in ANSI standard X9.17 in 1985
• Advantages:
o 168-bit key length overcomes the vulnerability to brute-force attack of DES
• Drawbacks:
o Performance is slow: 3 times slower than DES
o Uses a 64-bit block size
o For efficiency and security, a larger block size is desirable

Advanced Encryption Standard (AES)
• Needed a replacement for 3DES
o 3DES was not reasonable for long term use due to performance and block size
• NIST called for proposals for a new AES in 1997
o Should have a security strength equal to or better than 3DES
o Significantly improved efficiency
o Symmetric block cipher
o 128 bit data and 128/192/256 bit keys
• Selected Rijndael in November 2001
o Published as FIPS 197

Asymmetric
• Publicly proposed by Diffie and Hellman in 1976
• Based on mathematical functions
• Uses two separate keys
o Public key and private key
o Public key is made public for others to use

(6) Figure 2.6 Public-Key Cryptography
• (a) Encryption with public key: Bob encrypts plaintext X with Alice's public key, Y = E[PUa, X]; Alice decrypts the transmitted ciphertext with her private key, X = D[PRa, Y]
• (b) Encryption with private key: Bob encrypts plaintext X with his private key, Y = E[PRb, X]; Alice decrypts the transmitted ciphertext with Bob's public key, X = D[PUb, Y]

Public-key encryption for protecting message confidentiality
• Similar to symmetric encryption, but using a public/private key pair
• Sender encrypts data using the receiver's public key
• Receiver decrypts data using his own private key

Public-key encryption for protecting message integrity
• Sender encrypts data using his or her private key
• Receiver, or anyone else, can decrypt the message using sender's public key

Table 2.3 Public-Key Cryptosystems
• RSA: Digital Signature Yes; Symmetric Key Distribution Yes; Encryption of Secret Keys Yes
• Diffie-Hellman: Digital Signature No; Symmetric Key Distribution Yes; Encryption of Secret Keys No
• DSS: Digital Signature Yes; Symmetric Key Distribution No; Encryption of Secret Keys No
• Elliptic Curve: Digital Signature Yes; Symmetric Key Distribution Yes; Encryption of Secret Keys Yes

• Computationally easy to create key pairs
• Computationally easy for sender knowing public key to encrypt messages
• Computationally easy for receiver knowing private key to decrypt ciphertext
• Computationally infeasible for opponent to determine private key from public key
• Computationally infeasible for opponent to otherwise recover original message
• Useful if either key can be used for each role (public/private key)

• RSA (Rivest, Shamir, Adleman)
o Developed in 1977
o Most widely accepted and implemented approach to public-key encryption
• Diffie-Hellman key exchange algorithm
o Enables two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages
o Limited to the exchange of the keys
• Digital Signature Standard (DSS)
o Provides only a digital signature function with SHA-1
o Cannot be used for encryption or key exchange
• Elliptic curve cryptography (ECC)
o Security like RSA, but with much smaller keys

Message Authentication
• Protects against active attacks
• Verifies received message is authentic
o Contents have not been altered
o From authentic source
o Timely and in correct sequence
• Can use conventional encryption
o Only sender & receiver share a key

(7) Figure 2.3 Message Authentication Using a Message Authentication Code (MAC)

• One-way hash function: an alternative to MAC
• Three ways:
o (a) message digest is encrypted using symmetric encryption
o (b) message digest is encrypted using public-key encryption
o (c) keyed hash: secret key is incorporated into the process of generating a hash code

Figure 2.5 Message Authentication Using a One-Way Hash Function: (a) Using symmetric encryption; (b) Using public-key encryption; (c) Using secret value

Hash Function Requirements
• Can be applied to a block of data of any size
• Produces a fixed-length output
• H(x) is relatively easy to compute for any given x
• One-way or pre-image resistant: Computationally infeasible to find x such that H(x) = h
• Weak collision resistance: Given x, computationally infeasible to find y ≠ x such that H(y) = H(x)
• Strong collision resistance: Computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Security of Hash Functions
• There are two approaches to attacking a secure hash function:
o Cryptanalysis: Exploit logical weaknesses in the algorithm
o Brute-force attack: Strength of hash function depends solely on the length of the hash code produced by the algorithm
• SHA most widely used hash algorithm
• Additional secure hash function applications:
o Passwords: Hash of a password is stored by Linux in the file /etc/passwd
o Intrusion detection: Store H(F) for each file on a system and secure the hash values

Random Numbers
Uses include generation of:
• Keys for public-key algorithms
• Stream key for symmetric stream cipher
• Symmetric key for use as a temporary session key or in creating a digital envelope
• Handshaking to prevent replay attacks
• Session key

Random Number Requirements
• Randomness
o Criteria:
o Uniform distribution: Frequency of occurrence of each of the numbers should be approximately the same
o Independence: No one value in the sequence can be inferred from the others
• Unpredictability
o Each number is statistically independent of other numbers in the sequence
o Opponent should not be able to predict future elements of the sequence on the basis of earlier elements

(8) Random versus Pseudorandom

Cryptographic applications typically make use of algorithmic techniques for random number generation
• Algorithms are deterministic and therefore produce sequences of numbers that are not statistically random

Pseudorandom numbers are:
• Sequences produced that satisfy statistical randomness tests
• Likely to be predictable

True random number generator (TRNG):
• Uses a nondeterministic source to produce randomness
• Most operate by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• Increasingly provided on modern processors

Summary
• Confidentiality with symmetric encryption
o Symmetric encryption
o Symmetric block encryption algorithms
o Stream ciphers
• Message authentication and hash functions
o Authentication using symmetric encryption
o Message authentication without message encryption
o Secure hash functions
• Public-key encryption
o Public-key cryptosystems
o Requirements for public-key cryptography
o Asymmetric encryption algorithms
• Random and pseudorandom numbers
o The use of random numbers
o Random versus pseudorandom

(9) Chapter 3 User Authentication

RFC 4949
RFC 4949 defines user authentication as: “The process of verifying an identity claimed by or for a system entity.”

Authentication Process
• Fundamental building block and primary line of defense
• Basis for access control and user accountability
• Identification step
o Presenting an identifier to the security system
• Verification step
o Presenting or generating authentication information that corroborates the binding between the entity and the identifier

The four means of authenticating user identity are based on:
• Password, PIN, answers to prearranged questions
• Smartcard, electronic keycard, physical key
• Fingerprint, retina, face
• Voice pattern, typing rhythm, face liveness detection

Password Authentication
• Widely used line of defense against intruders
o User provides name/login and password
o System compares password with the one stored for that specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Used in discretionary access control

The UNIX Password Scheme
• The user selects a password. The system selects a fixed-length salt value, which can be based on the time at which the password is set, or a pseudorandom number.
• The password and salt are used as input to a hashing algorithm to produce a hash code.
• The hashing algorithm is designed to be slow to execute in order to make it difficult for the attacker to try many passwords.
• The hashed password is then stored, together with the salt, in the password file for the corresponding user ID.
• When a user attempts to log in, he provides an ID and a password.
• The system uses the ID to retrieve the salt and the encrypted password, which are used as input to the hashing algorithm.
• If the result matches the stored value, the password is accepted.

Figure 3.2 UNIX Password Scheme: (a) Loading a new password (password and salt pass through the slow hash function; salt and hash code are stored under the user ID in the password file); (b) Verifying a password (the record is selected by user ID, the password is hashed with the stored salt, and the result is compared with the stored hash code)

(10) Purpose of the Salt
• The salt serves three purposes:
o It greatly increases the difficulty of offline dictionary attacks. For a salt of length b bits, the number of possible passwords is increased by a factor of $2^b$, increasing the difficulty of guessing a password in a dictionary attack.
o It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned different salt values. Hence, the hashed passwords of the two users will differ.
o It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.

UNIX Implementation
• Original scheme
o Up to 8 characters in length
o 12-bit salt
o Use zero value as data, repeatedly encrypted 25 times
o Output translated to 11 character sequence
• Now regarded as inadequate
o Still often required for compatibility with legacy systems

Improved Implementations
• Much stronger hash/salt schemes available for Unix
• Recommended hash function is based on MD5
o Salt of up to 48 bits
o Password length is unlimited
o Produces 128-bit hash
o Uses an inner loop with 1000 iterations to achieve slowdown
• OpenBSD uses Blowfish block cipher based hash algorithm called Bcrypt
o Most secure version of Unix hash/salt scheme
o Uses 128-bit salt to create 192-bit hash value

Password Cracking
• Dictionary attacks
o Develop a large dictionary of possible passwords and try each against the password file
o Each password must be hashed using each salt value and then compared to stored hash values
• Rainbow table attacks
o Pre-compute tables of hash values for all salts
o A huge table of hash values
o Can be countered by using a sufficiently large salt value and a sufficiently large hash length
• Password crackers exploit the fact that people choose easily guessable passwords
o Shorter password lengths are easier to crack
• John the Ripper
o Open-source password cracker first developed in 1996
o Uses a combination of brute-force and dictionary techniques

Password Cracking
• However, password-cracking techniques have also improved
o The processing capacity available for password cracking has increased dramatically
• A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average $8.2 \times 10^{9}$ password combinations each second.
o The use of sophisticated algorithms to generate potential passwords
• [NARA05] developed a model for password generation using the probabilities of letters in natural language. The researchers used standard Markov modeling techniques.
o Studying examples and structures of actual passwords in use
• In 2009 an SQL injection attack against online games service RockYou.com exposed 32 million plaintext passwords used by its members to log in to their accounts [TIMM10]. Since then, numerous sets of leaked password files have become available for analysis.

Figure 3.3 The Percentage of Passwords Guessed After a Given Number of Guesses (axes: number of guesses, $10^{4}$ to $10^{13}$; percent guessed, 0% to 50%)
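The UNIX password scheme and the salt's second purpose (hiding duplicate passwords), as an added example that is not part of the original slides. It assumes PBKDF2-HMAC-SHA256 as the slow hash function, a 128-bit salt and an in-memory password file; the function names and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions of this sketch (not from the slides): PBKDF2-HMAC-SHA256 plays the
# role of the "slow hash function", the salt is 128 bits, and the password file
# is an in-memory dict mapping user ID -> (salt, iterations, hash code).
ITERATIONS = 100_000
SALT_BYTES = 16


def slow_hash(password, salt, iterations=ITERATIONS):
    """Deliberately slow hash of the password combined with the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def load_password(password_file, user_id, password, salt=None):
    """(a) Loading a new password: select a salt, hash, store salt and hash code."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh fixed-length random salt
    password_file[user_id] = (salt, ITERATIONS, slow_hash(password, salt))


def verify_password(password_file, user_id, password):
    """(b) Verifying: select the record by user ID, re-hash with its salt, compare."""
    record = password_file.get(user_id)
    if record is None:
        # Unknown ID: spend the same hashing time so response timing does not
        # reveal which user IDs exist.
        slow_hash(password, b"\x00" * SALT_BYTES)
        return False
    salt, iterations, stored = record
    candidate = slow_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def shared_hash_groups(password_file):
    """Return groups of user IDs whose stored hash codes are identical."""
    by_hash = {}
    for user_id, (_salt, _iterations, code) in password_file.items():
        by_hash.setdefault(code, []).append(user_id)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


def demo():
    # Constructed accounts: alice and bob choose the same password.
    accounts = [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "tr0ub4dor")]

    salted = {}
    for user_id, password in accounts:
        load_password(salted, user_id, password)

    # Weak variant for contrast: the same salt for every account.
    fixed = {}
    for user_id, password in accounts:
        load_password(fixed, user_id, password, salt=b"\x00" * SALT_BYTES)

    return {
        "good_login": verify_password(salted, "alice", "correct horse"),
        "bad_login": verify_password(salted, "alice", "wrong guess"),
        "unknown_user": verify_password(salted, "mallory", "correct horse"),
        "duplicates_with_random_salt": shared_hash_groups(salted),
        "duplicates_with_fixed_salt": shared_hash_groups(fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With per-user random salts the two identical passwords produce unrelated hash codes; with a shared salt they collide and the duplicate is visible to anyone who can read the file.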

(11) Password File Access Control
• Can block offline guessing attacks by denying access to encrypted passwords
o Make available only to privileged users
o Shadow password file (hashed passwords are kept in a separate file from the user IDs)
• Vulnerabilities
o Weakness in the OS that allows access to the file
o Accident with permissions making it readable
o Users with same password on other systems
o Sniff passwords in network traffic

Password Selection Strategies
• User education
o Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords
• Computer generated passwords
o Users have trouble remembering them
• Reactive password checking
o System periodically runs its own password cracker to find guessable passwords
• Complex password policy
o Forcing users to pick stronger passwords

Memory Cards
• The most common is the magnetic stripe card
• Can be used alone for physical access
o Hotel room, ATM…
• Provides significantly greater security when combined with a password or PIN

Table 3.2 Types of Cards Used as Tokens
• Embossed: defining feature: raised characters only, on front; example: old credit card
• Magnetic stripe: defining feature: magnetic bar on back, characters on front; example: bank card
• Memory: defining feature: electronic memory inside; example: prepaid phone card
• Smart: defining feature: electronic memory and processor inside; example: biometric ID card
o Contact: electrical contacts exposed on surface
o Contactless: radio antenna embedded inside

Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o Can be a smart card or U.
• Interface:
o Communication with a compatible reader/writer
• Authentication protocol, three categories:
o Static: token authenticates the user to the computer.
o Dynamic password generator: the token generates a unique password periodically (e.g., every minute).
o Challenge-response: computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge, e.g., by encrypting the challenge string with its private key.

Smart Cards
• Has the appearance of a credit card; also called IC card
• Contains an embedded microprocessor
o Processor
o Memory
o I/O ports
• and three types of memory:
o Read-only memory (ROM): stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM): holds application data and programs
o Random access memory (RAM): holds temporary data generated when applications are executed

(12) Electronic Identity Cards (eID)
• Use of a smart card as a national identity card for citizens
• Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services
• Can provide stronger proof of identity and can be used in a wider variety of applications
• In effect, is a smart card that has been verified by the national government as valid and authentic

Biometric Authentication
• Attempts to authenticate an individual based on unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry
o Retinal pattern
o Iris
o Signature
o Voice

Figure 3.7 Cost Versus Accuracy of Various Biometric Characteristics in User Authentication Schemes (axes: cost, accuracy; characteristics plotted: iris, hand, signature, face, retina, finger, voice)

Figure 3.8 A Generic Biometric System: (a) Enrollment; (b) Verification; (c) Identification. Enrollment creates an association between a user and the user's biometric characteristics. Depending on the application, user authentication either involves verifying that a claimed user is the actual user or identifying an unknown user.

Figure 3.9 Profiles of a Biometric Characteristic of an Imposter and an Authorized User (axes: matching score (s), probability density function; marked: imposter profile, profile of genuine user, decision threshold (t), the average matching value of each, and the regions where a false match and a false nonmatch are possible). In this depiction, the comparison between presented feature and a reference feature is reduced to a single numeric value. If the input value (s) is greater than a preassigned threshold (t), a match is declared.

• If a single user is tested by the system numerous times, the matching score s will vary, with a probability density function (PDF) typically forming a bell curve.
o For example, in the case of a fingerprint, results may vary due to sensor noise; changes in the print due to swelling, dryness, and so on; finger placement; and so on.
• Any other individual (imposter) should have a much lower matching score but again will exhibit a bell-shaped PDF.
• The ranges of matching scores produced by two individuals, one genuine and one an imposter, compared to a given reference template, are likely to overlap.
• A threshold value is selected such that if the presented value s ≥ t a match is assumed, and for s < t, a mismatch is assumed.
• The shaded area to the right of t indicates the probability for which a false match (accept an imposter) is possible; the shaded part to the left indicates the probability for which a false nonmatch (reject the genuine user) is possible.
• By moving the threshold left or right, the probabilities can be altered: a decrease in false match rate results in an increase in false nonmatch rate, and vice versa, representing a tradeoff between security and convenience.
o Higher threshold: more secure and less convenient
o Lower threshold: less secure and more convenient
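The threshold trade-off described above, worked through as an added example that is not part of the original slides. The integer matching scores are constructed sample data and the function names are assumptions of this sketch; it applies the slide's rule that s ≥ t is a match and also reports the threshold at which the two error rates are closest (the equal error rate point).

```python
# Constructed matching scores on a 0-100 scale (sample data for illustration).
GENUINE_SCORES = [62, 71, 74, 78, 80, 83, 85, 88, 91, 95]    # genuine user vs. own template
IMPOSTER_SCORES = [20, 28, 33, 37, 41, 45, 52, 58, 66, 73]   # imposters vs. the same template


def rates(genuine, imposter, t):
    """Return (false match rate, false nonmatch rate) for threshold t.

    A presented score s is a match when s >= t, so an imposter with s >= t is a
    false match and a genuine user with s < t is a false nonmatch.
    """
    false_match = sum(1 for s in imposter if s >= t) / len(imposter)
    false_nonmatch = sum(1 for s in genuine if s < t) / len(genuine)
    return false_match, false_nonmatch


def operating_curve(genuine, imposter, thresholds):
    """Evaluate both error rates at each threshold: [(t, FMR, FNMR), ...]."""
    return [(t, *rates(genuine, imposter, t)) for t in thresholds]


def equal_error_threshold(genuine, imposter, thresholds):
    """Threshold where |FMR - FNMR| is smallest (lowest t wins a tie)."""
    curve = operating_curve(genuine, imposter, thresholds)
    best = min(curve, key=lambda point: abs(point[1] - point[2]))
    return best[0]


def is_tradeoff_monotonic(curve):
    """Raising t must never raise the FMR and never lower the FNMR."""
    pairs = list(zip(curve, curve[1:]))
    fmr_ok = all(later[1] <= earlier[1] for earlier, later in pairs)
    fnmr_ok = all(later[2] >= earlier[2] for earlier, later in pairs)
    return fmr_ok and fnmr_ok


if __name__ == "__main__":
    thresholds = range(30, 100, 5)
    for t, fmr, fnmr in operating_curve(GENUINE_SCORES, IMPOSTER_SCORES, thresholds):
        print(f"t={t:3d}  false match rate={fmr:.1f}  false nonmatch rate={fnmr:.1f}")
    print("equal error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTER_SCORES, thresholds))
```

On this sample a low threshold of 50 admits 40% of imposters while rejecting no genuine attempts, and a high threshold of 90 admits none while rejecting 80% of genuine attempts.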

(13) Figure 3.10 Idealized Biometric Measurement Operating Characteristic Curves (log-log scale) (axes: false match rate, false nonmatch rate; marked: equal error rate line; increase threshold: increased security, decreased convenience; decrease threshold: decreased security, increased convenience)

Figure 3.11 Actual Biometric Measurement Operating Characteristic Curves, reported in [MANS01]. To clarify differences among systems, a log-log scale is used. (axes: false match rate, false nonmatch rate; curves: face, fingerprint, voice, hand, iris)

Remote User Authentication
• Authentication over a network, the Internet, or a communications link is more complex
• Security threats include:
o Eavesdropping, capturing a password, replaying an authentication sequence that has been observed
• Generally rely on some form of a challenge-response protocol to counter threats

Challenge-Response Protocol for Password Authentication
• User first transmits his or her identity to the remote host.
• The host generates a random number r, called a nonce, and returns it to the user. In addition, the host specifies two functions, h() and f(), to be used in the response. This transmission from host to user is the challenge.
• The user’s response is the quantity f(r’, h(P’)), where r’ = r and P’ is the user’s password. The function h is a hash function, so that the response consists of the hash function of the user’s password combined with the random number using the function f. (f can be the identity function as a special case)
• The host stores the hash function of each registered user’s password, depicted as h(P(U)) for user U. When the response arrives, the host compares the incoming f(r’, h(P’)) to the calculated f(r, h(P(U))). If the quantities match, the user is authenticated.
• This scheme defends against several forms of attack.
o The host stores a hash code of the password. This secures the password from intruders into the host system.
o The password hash is not transmitted directly, but rather a function in which the password hash is one of the arguments. Thus the password hash cannot be captured during transmission.
o The use of a random number (nonce) as one of the arguments of f defends against a replay attack, in which an adversary captures the user’s transmission and attempts to log on to a system by retransmitting the user’s messages.

• Client Attacks: Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
• Host Attacks: Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
• Eavesdropping: Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
• Replay: Adversary repeats a previously captured user response
• Trojan Horse: An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
• Denial-of-Service: Attempts to disable a user authentication service by flooding the service with numerous authentication attempts

Summary
• Electronic user authentication principles
• Password-based authentication
o The vulnerability of passwords
o The use of hashed passwords
o Password cracking of user-chosen passwords
o Password file access control
o Password selection strategies
• Token-based authentication
o Memory cards
o Smart cards
o Electronic identity cards
• Biometric authentication
o Physical characteristics used in biometric applications
o Operation of a biometric authentication system
o Biometric accuracy
• Remote user authentication
o Challenge-Response Protocol
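The challenge-response protocol for password authentication described above, with both sides of the exchange, as an added example that is not part of the original slides. It assumes h() is SHA-256 and f() is HMAC-SHA256 keyed with h(P); the class, function and account names are hypothetical and the password is constructed sample data.

```python
import hashlib
import hmac
import secrets

# Assumptions of this sketch (not from the slides): h() is SHA-256 and f() is
# HMAC-SHA256 keyed with h(P); all class and function names are hypothetical.


def h(password):
    """Hash function h applied to the password P."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(r, password_hash):
    """Combine the nonce r with h(P) into the response value."""
    return hmac.new(password_hash, r, hashlib.sha256).digest()


class Host:
    def __init__(self):
        self.user_file = {}  # U -> h(P(U)); the password itself is never stored
        self.pending = {}    # U -> nonce r of the outstanding challenge

    def register(self, user, password):
        self.user_file[user] = h(password)

    def challenge(self, user):
        """Generate a fresh random nonce r for this login attempt."""
        r = secrets.token_bytes(16)
        self.pending[user] = r
        return r

    def authenticate(self, user, response):
        """Compare the incoming f(r', h(P')) with the calculated f(r, h(P(U)))."""
        r = self.pending.pop(user, None)  # each nonce is accepted once only
        stored = self.user_file.get(user)
        if r is None or stored is None:
            return False
        return hmac.compare_digest(response, f(r, stored))


def user_response(r, password):
    """User side: compute f(r', h(P')) from the received nonce and the password."""
    return f(r, h(password))


def demo():
    host = Host()
    host.register("alice", "constructed-sample-password")

    # Normal login: identity -> challenge r1 -> response.
    r1 = host.challenge("alice")
    captured = user_response(r1, "constructed-sample-password")  # visible on the wire
    first_login = host.authenticate("alice", captured)

    # The same response sent again with no outstanding challenge.
    resend = host.authenticate("alice", captured)

    # The captured response replayed against a new challenge r2.
    r2 = host.challenge("alice")
    replay = host.authenticate("alice", captured)

    # A response computed from the wrong password.
    r3 = host.challenge("alice")
    wrong_password = host.authenticate("alice", user_response(r3, "wrong guess"))

    return {
        "first_login": first_login,
        "resend_without_challenge": resend,
        "replay_on_new_nonce": replay,
        "wrong_password": wrong_password,
        "nonces_differ": r1 != r2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the response is computed from r and h(P) alone, the host's user file needs the same access control as a password file.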

(14) Chapter 4 Access Control

[Figure 4.1 Relationship Among Access Control and Other Security Functions. Elements: User, Authentication function, Access control function, Authorization database, Security administrator, System resources, Auditing.]

Access Control Policies
• Discretionary access control (DAC)
o Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Mandatory access control (MAC)
o Controls access based on comparing security labels with security clearances
• Role-based access control (RBAC)
o Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Attribute-based access control (ABAC)
o Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Subjects, Objects, and Access Rights
• Subject: An entity capable of accessing objects
• Object: A resource to which access is controlled. Entity used to contain and/or receive information
• Access right: Describes the way in which a subject may access an object. Could include:
o Read, Write, Execute, Delete, Create, Search...

Discretionary Access Control (DAC)
• Scheme in which an entity may enable another entity to access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may attempt data access to the resources
o The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object

(15) Figure 4.2 Example of Access Control Structures

(a) Access matrix (subjects as rows, objects as columns)
         | File 1           | File 2           | File 3           | File 4
User A   | Own, Read, Write |                  | Own, Read, Write |
User B   | Read             | Own, Read, Write | Write            | Read
User C   | Read, Write      | Read             |                  | Own, Read, Write

(b) Access control lists for files of part (a)
• File 1: A (Own, R, W); B (R); C (R, W)
• File 2: B (Own, R, W); C (R)
• File 3: A (Own, R, W); B (W)
• File 4: B (R); C (Own, R, W)

(c) Capability lists for files of part (a)
• User A: File 1 (Own, R, W); File 3 (Own, R, W)
• User B: File 1 (R); File 2 (Own, R, W); File 3 (W); File 4 (R)
• User C: File 1 (R, W); File 2 (R); File 4 (Own, R, W)

Table 4.1 Authorization Table for Files in Figure 4.2
Subject | Access Mode | Object
A | Own | File 1
A | Read | File 1
A | Write | File 1
A | Own | File 3
A | Read | File 3
A | Write | File 3
B | Read | File 1
B | Own | File 2
B | Read | File 2
B | Write | File 2
B | Write | File 3
B | Read | File 4
C | Read | File 1
C | Write | File 1
C | Read | File 2
C | Own | File 4
C | Read | File 4
C | Write | File 4

[Figure 4.3 Extended Access Control Matrix. Subjects S1, S2, S3 as rows; objects as columns: subjects S1, S2, S3; files F1, F2; processes P1, P2; disk drives D1, D2. Entries include control, owner, read, write, execute, wakeup, stop and seek; * = copy flag set.]

[Figure 4.4 An Organization of the Access Control Function. Subjects Si, Sj, Sk, Sm issue the requests "read F", "wakeup P", "grant α to Sn, X" and "delete β from Sp, Y"; system intervention turns them into the messages (Si, read, F), (Sj, wakeup, P), (Sk, grant, α, Sn, X) and (Sm, delete, β, Sp, Y). Access control mechanisms and the objects they guard: File system (Files); Memory addressing hardware (Segments & pages); Process manager (Processes); Terminal & device manager (Terminal & devices); Instruction decoding hardware (Instructions); Access matrix monitor (Access matrix).]

1. Subject S0 issues a request of type α for object X.
2. The request causes the system to generate a message of the form (S0, α, X) to the controller for X.
3. The controller interrogates the access matrix A to determine if α is in A[S0, X]. If so, the access is allowed; if not, the access is denied and a protection violation occurs.

[Table 4.2 Access Control System Commands. Slide annotations on the table: "Should be control"; "Should be subject S"; "Should be subject S"; "read".]

Table 4.2 Explanations
• The first three rules deal with transferring, granting, and deleting access rights.
o R1: If the entry α* exists in A[S0, X], then S0 has access right α to subject X and, because of the presence of the copy flag, can transfer this right, with or without copy flag, to another subject. A subject would transfer the access right without the copy flag if there were a concern that the new subject would maliciously transfer the right to another subject that should not have that access right.
o R2 states that if S0 is designated as the owner of object X, then S0 can grant an access right to that object X for any other subject S.
o R3 permits S0 to delete any access right from any matrix entry in a row for which S0 controls the subject and for any matrix entry in a column for which S0 owns the object.
o R4 permits a subject to read that portion of the matrix that it owns or controls.
• The remaining rules govern the creation and deletion of subjects and objects.
o R5: any subject can create a new object, which it owns, and can then grant and delete access to the object.
o R6: the owner of an object can destroy the object, resulting in the deletion of the corresponding column of the access matrix.
o R7 enables any subject to create a new subject; the creator owns the new subject and the new subject has control access to itself.
o R8 permits the owner of a subject to delete the row and column (if there are subject columns) of the access matrix designated by that subject.
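The access matrix of Figure 4.2, the controller check of step 3 and rules R1 to R3, as an added example that is not part of the original slides. The class and method names are hypothetical, the copy flag is modelled as a trailing "*" on the right's name, and subject "D" is a constructed extra subject.

```python
from collections import defaultdict

# Access matrix of Figure 4.2(a) / Table 4.1, keyed by (subject, object).
FIGURE_4_2 = {
    ("A", "File 1"): {"own", "read", "write"},
    ("A", "File 3"): {"own", "read", "write"},
    ("B", "File 1"): {"read"},
    ("B", "File 2"): {"own", "read", "write"},
    ("B", "File 3"): {"write"},
    ("B", "File 4"): {"read"},
    ("C", "File 1"): {"read", "write"},
    ("C", "File 2"): {"read"},
    ("C", "File 4"): {"own", "read", "write"},
}


class AccessMatrix:
    def __init__(self, entries):
        self.A = defaultdict(set)
        for key, rights in entries.items():
            self.A[key] = set(rights)          # copy, so the source table is untouched

    def rights(self, s, x):
        return self.A.get((s, x), set())

    def allowed(self, s0, alpha, x):
        """Controller step 3: is alpha (with or without copy flag) in A[S0, X]?"""
        held = self.rights(s0, x)
        return alpha in held or alpha + "*" in held

    def transfer(self, s0, alpha, s, x, copy_flag=False):
        """R1: S0 needs alpha* in A[S0, X] to pass alpha (or alpha*) on to S."""
        if alpha + "*" not in self.rights(s0, x):
            return False
        self.A[(s, x)].add(alpha + "*" if copy_flag else alpha)
        return True

    def grant(self, s0, alpha, s, x):
        """R2: the owner of X may grant a right on X to any other subject S."""
        if "own" not in self.rights(s0, x):
            return False
        self.A[(s, x)].add(alpha)
        return True

    def delete(self, s0, alpha, s, x):
        """R3: S0 must control subject S or own object X."""
        if "control" not in self.rights(s0, s) and "own" not in self.rights(s0, x):
            return False
        self.A[(s, x)].discard(alpha)
        return True

    def acl(self, x):
        """Column view of the matrix: the access control list of object X."""
        return {s: sorted(r) for (s, o), r in self.A.items() if o == x and r}

    def capabilities(self, s):
        """Row view of the matrix: the capability list of subject S."""
        return {o: sorted(r) for (sub, o), r in self.A.items() if sub == s and r}


def demo():
    m = AccessMatrix(FIGURE_4_2)
    steps = [
        m.allowed("B", "read", "File 1"),        # read is in A[B, File 1]
        m.allowed("B", "write", "File 1"),       # not in the entry: protection violation
        m.grant("B", "read", "C", "File 3"),     # R2 refused: B does not own File 3
        m.grant("A", "read*", "C", "File 3"),    # R2: owner A grants read with copy flag
        m.transfer("C", "read", "B", "File 3"),  # R1: C passes read on without the flag
        m.transfer("B", "read", "D", "File 3"),  # R1 refused: B holds read, not read*
        m.delete("B", "read*", "C", "File 3"),   # R3 refused: B neither controls C nor owns File 3
        m.delete("A", "read", "B", "File 3"),    # R3: owner A removes B's read
    ]
    return steps, m.acl("File 3")


if __name__ == "__main__":
    print(demo())
```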

(16) Protection Domains
• A protection domain is a set of objects together with access rights to those objects. Each protection domain occupies a row in the access matrix.
• More general and flexible than the user ID-based scheme, which is a special case (each user has a protection domain).
• Example: UNIX user mode/kernel mode separation:
o A user program executes in user mode, in which certain areas of memory are protected from the user’s use and in which certain instructions may not be executed.
o When the user process issues a system call, that call executes in kernel mode, in which privileged instructions may be executed and in which protected areas of memory may be accessed.

UNIX File Access Control
UNIX files are managed using inodes (index nodes)
• Control structures with key information needed for a particular file
• An active inode is associated with exactly one file
• File attributes, permissions and control information are stored in the inode
• When a file is opened its inode is brought into main memory and stored in a memory resident inode table
Directories are structured in a hierarchical tree
• May contain files and/or other directories
• Contains file names plus pointers to associated inodes

UNIX File Access Control
• Unique user name (user ID)
• Member of a primary group identified by a group ID
• 12 protection bits
o 9 bits specify read, write, and execute permission for the owner of the file, members of the group and all other users
• The owner ID, group ID, and protection bits are part of the file’s inode

Figure 4.5 UNIX File Access Control
(a) Traditional UNIX approach (minimal access control list)
rw- r-- --- (owner class, group class, other class)
user::rw-
group::r--
other::---
(b) Extended access control list
rw- rw- --- (owner class, group class, other class), with masked entries
user::rw-
user:joe:rw-
group::r--
mask::rw-
other::---

File Access Control: The other 3 bits
• “Set user ID” (SetUID), “Set group ID” (SetGID)
o System temporarily uses rights of the file owner/group in addition to the real user’s rights when making access control decisions
o Enables privileged programs to access files/resources not generally accessible
o Any user can use the “passwd” program to change his own password by modifying the UNIX password file.
• Sticky bit
o When a directory’s sticky bit is set, only the owner of any file in the directory can rename, move, or delete that file
o Otherwise any user with write/execute permissions for the directory can rename or delete contained files

Access Control Lists (ACLs) in UNIX
Modern UNIX systems support ACLs, more expressive than permission bits
• FreeBSD, OpenBSD, Linux, Solaris
Setfacl (set file access control list)
• The setfacl command assigns a list of UNIX user IDs and groups to a file
• Any number of users and groups can be associated with a file, each with three protection bits (read, write, execute)
When a process requests access to a file system object two steps are performed:
• Step 1 selects the most appropriate ACL
• Step 2 checks if the matching entry contains sufficient permissions

• RBAC is based on the roles that users assume in a system rather than the user’s identity.
• Assign access rights to roles instead of individual users. In turn, users are assigned to different roles, either statically or dynamically.

[Figure 4.6 Users, Roles, and Resources. Elements: Users, Role 1, Role 2, Role 3, Resources.]

(17) [Figure 4.7 Access Control Matrix Representation of RBAC. One matrix assigns users U1 ... Um to roles R1 ... Rn; a second matrix has roles R1 ... Rn as rows and objects (roles R1 ... Rn, F1, P1, P2, D1, D2) as columns, with entries such as control, owner, read, write, execute, wakeup, seek and stop.]

[Figure 4.8 A Family of Role-Based Access Control Models. (a) Relationship among RBAC models: RBAC0 Base model, RBAC1 Role hierarchies, RBAC2 Constraints, RBAC3 Consolidated model. (b) RBAC models: Users, Roles, Permissions (Operations, Objects) and Sessions, linked by (UA) User Assignment, (PA) Permission Assignment, (RH) Role Hierarchy, user_sessions and session_roles.]

Table 4.3 Scope RBAC Models

[Figure 4.9 Example of Role Hierarchy. Roles: Director; Project Lead 1, Project Lead 2; Production Engineer 1, Quality Engineer 1, Production Engineer 2, Quality Engineer 2; Engineer 1, Engineer 2; Engineering Dept.]

Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:
o Mutually exclusive roles: A user can only be assigned to one role in the set (either during a session or statically). Any permission (access right) can be granted to only one role in the set
o Cardinality: Setting a maximum number with respect to roles
o Prerequisite roles: Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role

Attribute-Based Access Control (ABAC)
• Can define authorizations that express conditions on properties of both the resource and the subject
• Strength is its flexibility and expressive power
• Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access
• Web services have been pioneering technologies through the introduction of the eXtensible Access Control Markup Language (XACML)
• There is considerable interest in applying the model to cloud services

(18) ABAC Model: Attributes
• Subject attributes
o A subject is an active entity that causes information to flow among objects or changes the system state
o Attributes define the identity and characteristics of the subject
• Object attributes
o An object (or resource) is a passive information system-related entity containing or receiving information
o Objects have attributes that can be leveraged to make access control decisions
• Environment attributes
o Describe the operational, technical, and even situational environment or context in which the information access occurs
o A stock brokerage system may specify that transactions are permitted only during 9am – 5pm, so time is part of env attributes

ABAC
• Controls access to objects by evaluating rules against the attributes of entities, operations, and the environment relevant to a request
• Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access control rule defining the allowable operations for subject-object attribute combinations in a given environment
• Systems are capable of enforcing DAC, RBAC, and MAC concepts
• Allows an unlimited number of attributes to be combined to satisfy any access control rule
• ABAC allows very flexible policies to be specified
o e.g. only users with affiliation of ZJU, security clearance of high, age older than 40 can access files with owner ZJU, classification “top secret” or below, during working hours 9am-5pm.

[Figure 4.10 Simple ABAC Scenario. Elements: Subject, Access Control Mechanism (Decision, Enforce), Object; inputs to the decision: Access Control Policy (Rules), Environmental Conditions, Subject Attributes (Name, Affiliation, Clearance, Etc.), Object Attributes (Type, Owner, Classification, Etc.); steps numbered 1, 2a, 2b, 2c, 2d, 3.]

ABAC Policies
• A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
• Typically written from the perspective of the object that needs protecting and the privileges available to subjects

Summary
• Access control principles
o Access control context
o Access control policies
• Subjects, objects, and access rights
• Discretionary access control
o Access control model
o Protection domains
• UNIX file access control
o Traditional UNIX file access control
o Access control lists in UNIX
• Role-based access control
o RBAC reference models
• Attribute-based access control
o Attributes
o ABAC logical architecture
o ABAC policies
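The ZJU policy from the ABAC slides above, written as data and evaluated against subject, object and environment attributes, as an added example that is not part of the original slides. The rule format, the classification ordering, the operation name "access", the half-open 9:00 to 17:00 window and the sample request values are assumptions.

```python
from datetime import time

# Assumed ordering of classification labels, lowest first (the slides name only "top secret").
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

OPS = {
    "eq": lambda actual, wanted: actual == wanted,
    "gt": lambda actual, wanted: actual > wanted,
    "at_most_level": lambda actual, wanted: LEVELS.index(actual) <= LEVELS.index(wanted),
    "in_hours": lambda actual, wanted: wanted[0] <= actual < wanted[1],
}

# The slides' example policy, written from the perspective of the protected object.
POLICY = [{
    "name": "zju-files",
    "operation": "access",
    "conditions": [
        ("subject", "affiliation", "eq", "ZJU"),
        ("subject", "clearance", "eq", "high"),
        ("subject", "age", "gt", 40),
        ("object", "owner", "eq", "ZJU"),
        ("object", "classification", "at_most_level", "top secret"),
        ("environment", "time", "in_hours", (time(9, 0), time(17, 0))),
    ],
}]


def failed_conditions(rule, request):
    """Return the attributes whose condition is not met; a missing,
    mistyped or unknown attribute value counts as a failure."""
    failed = []
    for source, attr, op, wanted in rule["conditions"]:
        attrs = request.get(source, {})
        try:
            ok = attr in attrs and OPS[op](attrs[attr], wanted)
        except (TypeError, ValueError):
            ok = False
        if not ok:
            failed.append(f"{source}.{attr}")
    return failed


def decide(policy, request):
    """Permit if some rule for the requested operation is fully satisfied;
    otherwise deny and report which conditions failed for each rule."""
    trace = {}
    for rule in policy:
        if rule["operation"] != request.get("operation"):
            continue
        failed = failed_conditions(rule, request)
        if not failed:
            return "permit", {}
        trace[rule["name"]] = failed
    return "deny", trace


def sample_request(**changes):
    """Constructed request; override with e.g. subject__age=35, or None to drop an attribute."""
    request = {
        "operation": "access",
        "subject": {"name": "prof_li", "affiliation": "ZJU", "clearance": "high", "age": 52},
        "object": {"type": "file", "owner": "ZJU", "classification": "secret"},
        "environment": {"time": time(10, 30)},
    }
    for path, value in changes.items():
        source, attr = path.split("__")
        if value is None:
            request[source].pop(attr, None)
        else:
            request[source][attr] = value
    return request


if __name__ == "__main__":
    print(decide(POLICY, sample_request()))
    print(decide(POLICY, sample_request(environment__time=time(18, 5))))
    print(decide(POLICY, sample_request(object__classification=None)))
```

Every predicate is evaluated on every request, which is the per-access cost the slides name as the main obstacle to adoption.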

(19) Chapter 5 Database and Cloud Security

• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured

Database management system (DBMS)
• Suite of programs for constructing and maintaining the database
• SQL (Structured Query Language): Provides a uniform interface to the database

• Table of data consisting of rows and columns
o Each column holds a particular type of data
o Each row contains a specific value for each column
o Ideally has one column where all values are unique, forming an identifier/key for that row
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• SQL allows the user to request or modify data that fit a given set of criteria

Figure 5.2 Example Relational Database Model. A relational database uses multiple tables related to one another by a designated key; in this case the key is the PhoneNumber field.
• PRIMARY TABLE: PhoneNumber, Last name, First name, address
• CALLER ID TABLE: PhoneNumber, Has service? (Y/N)
• ADDITIONAL SUBSCRIBER TABLE: PhoneNumber, List of subscribers
• BILLING HISTORY TABLE: PhoneNumber, Date, Transaction type, Transaction amount
• CURRENT BILL TABLE: PhoneNumber, Current date, Previous balance, Current charges, Date of last payment, Amount of last payment

Table 5.1 Basic Terminology for Relational Databases
• Relation/table/file
• Tuple/row/record
• Attribute/column/field

Primary key
• Uniquely identifies a row
• Consists of one or more column names
Foreign key
• Links one table to attributes in another
View/virtual table
• Result of a query that returns selected rows and columns from one or more tables

(20) [Figure 5.3 Abstract Model of a Relational Database. Records 1 ... i ... N as rows, attributes A1 ... Aj ... AM as columns, with entries x11 ... xNM.]

Figure 5.4 Relational Database Example

(a) Two tables in a relational database

Department Table (Did is the primary key)
Did | Dname            | Dacctno
4   | human resources  | 528221
8   | education        | 202035
9   | accounts         | 709257
13  | public relations | 755827
15  | services         | 223945

Employee Table (Did is a foreign key, Eid is the primary key)
Ename   | Did | Salarycode | Eid  | Ephone
Robin   | 15  | 23         | 2345 | 6127092485
Neil    | 13  | 12         | 5088 | 6127092246
Jasmine | 4   | 26         | 7712 | 6127099348
Cody    | 15  | 22         | 9664 | 6127093148
Holly   | 8   | 23         | 3054 | 6127092729
Robin   | 8   | 24         | 2976 | 6127091945
Smith   | 9   | 21         | 4490 | 6127099380

(b) A view derived from the database
Dname            | Ename   | Eid  | Ephone
human resources  | Jasmine | 7712 | 6127099348
education        | Holly   | 3054 | 6127092729
education        | Robin   | 2976 | 6127091945
accounts         | Smith   | 4490 | 6127099380
public relations | Neil    | 5088 | 6127092246
services         | Robin   | 2345 | 6127092485
services         | Cody    | 9664 | 6127093148

• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
• All follow the same basic syntax and semantics
SQL statements can be used to:
• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements

SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment SQL injection can also be exploited to:
o Modify or delete data
o Execute arbitrary operating system commands
o Launch denial-of-service (DoS) attacks

(a) Vulnerable PHP code
    // User input is concatenated directly into the SQL text.
    $name = $_REQUEST['name'];
    $query = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
    $result = mysql_query($query);

(b) Safer PHP code
    // Special characters in the input are escaped before concatenation.
    $name = $_REQUEST['name'];
    $query = "SELECT * FROM suppliers WHERE name = '" . mysql_real_escape_string($name) . "';";
    $result = mysql_query($query);

Figure 11.3 SQL Injection Example

• This query works fine if the input $name = Bob but if the input is $name = Bob'; drop table suppliers, then the query becomes
o SELECT * FROM suppliers WHERE name = 'Bob'; drop table suppliers;
o The database views this line as 2 separate SQL statements: first select all entries with name Bob, then delete the entire supplier table.
• mysql_real_escape_string() prepends backslashes to some special characters, including \n, \r, \, ', "
o Query becomes SELECT * FROM suppliers WHERE name = 'Bob\'\; drop table suppliers'
o It looks for a database entry with name matching "Bob'; drop table suppliers", and returns null.
• Or, perform input validation:
o die "The specified name contains illegal characters!" unless ($name =~ /^\w+$/);
o But this does not handle the name O'Connor.

[Figure 5.5 Typical SQL Injection Attack. Elements: Internet, Router, Firewall, Switch, Wireless access point, Web servers, Web application server, Database servers, Database. Legend: Data exchanged between hacker and servers; Two-way traffic between hacker and Web server; Credit card data is retrieved from database.]

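The suppliers lookup from the SQL injection slides above, comparing string concatenation, the \w+ allow-list and a parameterized query on the same three inputs, as an added example that is not part of the original slides. Python's sqlite3 module stands in for the slides' PHP and MySQL; the table rows, city values and function names are constructed for the illustration.

```python
import re
import sqlite3

HOSTILE = "Bob'; drop table suppliers"   # the input quoted on the slide


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suppliers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO suppliers VALUES (?, ?)",
                     [("Bob", "Leeds"), ("O'Connor", "Cork")])   # constructed rows
    conn.commit()
    return conn


def build_query_concat(name):
    """Same pattern as the slide's part (a): input pasted into the SQL text."""
    return "SELECT name, city FROM suppliers WHERE name = '" + name + "';"


def run_concat(conn, name):
    """Run the concatenated query and report how the database parsed it."""
    try:
        return "ok", conn.execute(build_query_concat(name)).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3's execute() accepts one statement only; this error means
        # the input turned the text into more than one statement.
        return "multiple-statements", None
    except sqlite3.OperationalError:
        # The input unbalanced the quoting, so the query is no longer valid SQL.
        return "syntax-error", None


def validate_name(name):
    """The slide's /^\\w+$/ allow-list check."""
    return re.fullmatch(r"\w+", name) is not None


def run_parameterized(conn, name):
    """Parameterized query: the driver passes the input as a value, never as SQL text."""
    return conn.execute(
        "SELECT name, city FROM suppliers WHERE name = ?", (name,)
    ).fetchall()


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'suppliers'"
    ).fetchone()
    return row[0] == 1


def compare(inputs=("Bob", "O'Connor", HOSTILE)):
    """Run every input through all three approaches and collect the outcomes."""
    conn = make_db()
    report = {}
    for name in inputs:
        report[name] = {
            "concat": run_concat(conn, name)[0],
            "allow_list_accepts": validate_name(name),
            "parameterized_rows": run_parameterized(conn, name),
        }
    report["table_still_exists"] = table_exists(conn)
    return report


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, "->", value)
```

Concatenation fails even on the legitimate name O'Connor and the allow-list rejects it, while the parameterized query returns the right row and treats the hostile string as a name that matches nothing.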
(21) SQLi is Application-Level Attack
• Not detectable by lower-layer defense mechanisms such as firewalls

SQLi Countermeasures
• Three types:
o Defensive coding: Manual defensive coding practices; Parameterized query insertion
o Detection: Signature based; Anomaly based; Code analysis
o Run-time prevention: Check queries at runtime to see if they conform to a model of expected queries

Database access control system determines:
• If the user has access to the entire database or just portions of it
• What access rights the user has (create, insert, delete, update, read, write)
Can support a range of administrative policies
• Centralized administration: Small number of privileged users may grant and revoke access rights
• Ownership-based administration: The creator of a table may grant and revoke access rights to the table
• Decentralized administration: The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

• Two commands for managing access rights:
o Grant: Used to grant one or more access rights or can be used to assign a user to a role
o Revoke: Revokes the access rights
• Typical access rights are: Select, Insert, Update, Delete, References

GRANT { privileges | role } [ON table] TO { user | role | PUBLIC } [IDENTIFIED BY password] [WITH GRANT OPTION]
REVOKE { privileges | role } [ON table] FROM { user | role | PUBLIC }
• Example:
o GRANT SELECT ON ANY TABLE TO tom
o This statement enables user tom to query any table in the database.

[Figure 5.6 Bob Revokes Privilege from David. Grant graph among Ann, Bob, Chris, David, Ellen, Frank and Jim, with grants labelled t = 10 to t = 70, shown before and after the revocation.]
• When user A revokes an access right, any cascaded access right is also revoked, unless that access right would exist even if the original grant from A had never occurred.
• If the grant from Bob to David is revoked, the grant from David to Frank should not be revoked, since it does not depend on the grant from Bob to David.

• Role-based access control (RBAC) is a natural fit for database access control.
o Unlike a file system associated with a single or a few applications, a database system often supports dozens of applications. An individual user may use a variety of applications to perform a variety of tasks, each of which requires its own set of privileges.
o RBAC eases administrative burden and improves security.
• A database RBAC needs to provide the following capabilities:
o Create and delete roles
o Define permissions for a role
o Assign and cancel assignment of users to roles
• Categories of database users:
o Application owner: An end user who owns database objects as part of an application
o End user: An end user who operates on database objects via a particular application but does not own any of the database objects
o Administrator: User who has administrative responsibility for part or all of the database

(22) Inference: performing authorized queries and deducing unauthorized information from the legitimate responses received.

[Figure 5.7 Indirect Information Access Via Inference Channel. Elements: Sensitive data, Nonsensitive data, Metadata, Access Control, Authorized access, Unauthorized access, Inference.]

• Each employee’s salary should be confidential
• RBAC constraint: Name and Salary cannot be accessed together in the same query
• But a user who knows
o 1. the structure of the Employee table and
o 2. the view tables maintain the same row order as the Employee table
• Is able to merge the two views in (b) to construct the table shown in (c)

Figure 5.8 Inference Example

(a) Employee table
Name   | Position | Salary ($) | Department | Dept. Manager
Andy   | senior   | 43,000     | strip      | Cathy
Calvin | junior   | 35,000     | strip      | Cathy
Cathy  | senior   | 48,000     | strip      | Cathy
Dennis | junior   | 38,000     | panel      | Herman
Herman | senior   | 55,000     | panel      | Herman
Ziggy  | senior   | 67,000     | panel      | Herman

(b) Two views
Position | Salary ($)
senior   | 43,000
junior   | 35,000
senior   | 48,000

Name   | Department
Andy   | strip
Calvin | strip
Cathy  | strip

(c) Table derived from combining query answers
Name   | Position | Salary ($) | Department
Andy   | senior   | 43,000     | strip
Calvin | junior   | 35,000     | strip
Cathy  | senior   | 48,000     | strip

Solution
• Construct three tables, which include the following information:
o Employees (Emp#, Name, Address)
o Salaries (S#, Salary)
o Emp-Salary (Emp#, S#)
• Each line consists of the table name followed by a list of column names for that table. In this case, each employee is assigned a unique employee number (Emp#) and a unique salary number (S#).
• The Employees table and the Salaries table are accessible to the Clerk role, but the Emp-Salary table is only available to the Administrator role. In this structure, the sensitive relationship between employees and salaries is protected from users assigned the Clerk role.
• Another inference channel: suppose that we want to add a new attribute, employee start date, which is not sensitive. This could be added to the Salaries table as follows:
o Employees (Emp#, Name, Address)
o Salaries (S#, Salary, Start-Date)
o Emp-Salary (Emp#, S#)
• However, an employee’s start date is an easily observable or discoverable attribute of an employee. Thus a user in the Clerk role may be able to infer the employee’s name. This would compromise the relationship between employee and salary. A straightforward way to remove the inference channel is to add the start-date column to the Employees table rather than to the Salaries table.

Inference Detection
• The first inference problem, that it was possible to infer the relationship between employee and salary, can be detected through analysis of the data structures and security constraints.
• However, the second inference problem, in which the start-date column was added to the Salaries table, cannot be detected using only the information stored in the database. In particular, the database does not indicate that the employee name can be inferred from the start date.
o Need human understanding of application semantics

Inference Detection
Two approaches
• Inference detection during database design
o Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference
o Techniques in this category often result in unnecessarily stricter access controls that reduce availability
• Inference detection at query time
o Approach seeks to eliminate an inference channel violation during a query or series of queries
o If an inference channel is detected, the query is denied or altered

• The database is typically the most valuable information resource for any organization
o Protected by multiple layers of security
o Firewalls, authentication, general access control systems, DB access control systems, database encryption
• Encryption becomes the last line of defense in database security
o Can be applied to the entire database, at the record level, the attribute level, or level of the individual field
• Disadvantages to encryption:
o Key management: Authorized users must have access to the decryption key for the data for which they have access
o Inflexibility: When part or all of the database is encrypted it becomes more difficult to perform record searching

(23) • Data owner – organization that produces data to be made available for controlled release
• User – human entity that presents queries to the system
• Client – frontend that transforms user queries into queries on the encrypted data stored on the server
• Server – an organization that receives the encrypted data from a data owner and makes them available for distribution to clients

[Figure 5.9 A Database Encryption Scheme. Elements: Data owner (Database, Meta Data); User; Client (Query Processor, Encrypt/Decrypt, Meta Data); Server (Query Executor, Encrypted database, metadata). Flow: 1. Original query; 2. Transformed query; 3. Encrypted result; 4. Plaintext result.]

Cloud Security
NIST SP-800-145 defines cloud computing as:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Figure 5.11 Cloud Computing Elements
• Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Deployment Models: Public, Private, Hybrid, Community

Figure 5.12 Cloud Service Models
(a) SaaS
• Cloud Application Software (provided by cloud, visible to subscriber)
• Cloud Platform (visible only to provider)
• Cloud Infrastructure (visible only to provider)
(b) PaaS
• Cloud Application Software (developed by subscriber)
• Cloud Platform (visible to subscriber)
• Cloud Infrastructure (visible only to provider)
(c) IaaS
• Cloud Application Software (developed by subscriber)
• Cloud Platform (visible to subscriber)
• Cloud Infrastructure (visible to subscriber)

Public cloud
• The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services
• The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud
Private cloud
• The cloud infrastructure is operated solely for an organization
• It may be managed by the organization or a third party and may exist on premise or off premise
• The cloud provider is responsible only for infrastructure and not for control
Community cloud
• The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns
• It may be managed by the organizations or a third party and may exist on premise or off premise
Hybrid cloud
• The cloud infrastructure is a composition of two or more clouds

[Figure 5.13 Cloud Computing Context. Elements: Enterprise Cloud User, LAN switch, Router, Network or Internet, Router, LAN switch, Cloud service provider, Servers.]

(24) Cloud Security
• The typical multi-tenant model, where different tenants (customers) share the same physical cloud computing and communication infrastructure, creates security and privacy risks for tenants.

SecaaS
• Is a segment of the SaaS offering of a Cloud Provider
• Defined by The Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems
• Categories of service:
o Identity and access management
o Data loss prevention
o Web security
o E-mail security
o Security assessments
o Intrusion management
o Security information and event management
o Encryption
o Business continuity and disaster recovery
o Network security

[Figure 5.15 Elements of Cloud Security as a Service. Elements: Encryption, E-mail security, Data loss prevention, Security assessments, Security information and event management, Business continuity and disaster recovery, Web security, Intrusion management, Identity and access management, Network security, Cloud service clients and adversaries.]

Summary
• The need for database security
• Database management systems
• Relational databases
o Elements of a relational database system
o Structured Query Language
• SQL injection attacks
o A typical SQLi attack
o The injection technique
o SQLi attack avenues and types
o SQLi countermeasures
• Database access control
o SQL-based access definition
o Cascading authorizations
o Role-based access control
• Inference
• Database encryption
• Cloud computing
o Cloud computing elements
o Cloud computing reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service

(25) Chapter 6 Malicious Software

[SOUP13] defines malware as: “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”

Classified by:
• How it spreads or propagates to reach the desired targets
• The actions or payloads it performs once a target is reached
Also classified by:
• Those that need a host program (parasitic code such as viruses)
• Those that are independent, self-contained programs (worms, trojans, and bots)
• Malware that does not replicate (trojans and spam email)
• Malware that does replicate (viruses and worms)

Propagation mechanisms include:
• Infection of existing content by viruses that is subsequently spread to other systems
• Exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
• Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

Payload actions performed by malware once it reaches a target system can include:
• Corruption of system or data files
• Make the system a zombie agent of attack as part of a botnet
• Theft of information from the system/keylogging
• Stealthing/hiding its presence on the system

• Another significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as:
o Politically motivated attackers
o Criminals
o Organized crime
o Organizations that sell their services to companies and nations
o National government agencies
• A large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen information

Advanced Persistent Threats (APTs)
• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
• Typically attributed to state-sponsored organizations and criminal enterprises
• Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet

(26) APT Attacks

Advanced
• Use by the attackers of a wide variety of intrusion technologies and malware including the development of custom malware if required

Persistent
• Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised

Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets

• Aim:
  o Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure
• Techniques used:
  o Social engineering
  o Spear-phishing attack: phishing attack targeting specific individuals
  o Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization
• Intent:
  o To infect the target with sophisticated malware with multiple propagation mechanisms and payloads
  o Once they have gained initial access, a range of attack tools are used to maintain and extend their access

Viruses
• Piece of software that infects a host program
  o Modifies it to include a copy of the virus
  o Replicates and goes on to infect other content
  o Easily spread through network environments
• When attached to an executable program a virus can do anything that the program is permitted to do
  o Executes secretly when the host program is run
• May be specific to operating system and hardware
  o Takes advantage of their details and weaknesses

Infection mechanism
• Means by which a virus spreads or propagates
• Also referred to as the infection vector

Trigger
• Event or condition that determines when the payload is activated or delivered

Payload
• What the virus does (besides spreading)
• May involve damage or benign but noticeable activity

Dormant phase
• Virus is idle
• Will eventually be activated by some event
• Not all viruses have this stage

Propagation phase
• Virus places a copy of itself into other programs or into certain system areas on the disk
• May not be identical to the propagating version
• Each infected program will now contain a clone of the virus which will itself enter a propagation phase

Triggering phase
• Virus is activated to perform the function for which it was intended
• Can be caused by a variety of system events

Execution phase
• Function is performed
• May be harmless or damaging

Figure 6.1 Example Virus Logic.

(a) A simple virus

    program V
    1234567;

    procedure attach-to-program;
    begin
        repeat
            file := get-random-program;
        until first-program-line ≠ 1234567;
        prepend V to file;
    end;

    procedure execute-payload;
    begin
        (* perform payload actions *)
    end;

    procedure trigger-condition;
    begin
        (* return true if trigger condition is true *)
    end;

    begin (* main action block *)
        attach-to-program;
        if trigger-condition then execute-payload;
        goto main;
    end;

(b) A compression virus

    program CV
    1234567;

    procedure attach-to-program;
    begin
        repeat
            file := get-random-program;
        until first-program-line ≠ 1234567;
        compress file; (* t1 *)
        prepend CV to file; (* t2 *)
    end;

    begin (* main action block *)
        attach-to-program;
        uncompress rest of this file into tempfile; (* t3 *)
        execute tempfile; (* t4 *)
    end;

(27) • A virus in Fig. 6.1 is easily detected because the virus-infected program is larger than the corresponding uninfected one.
• One way to thwart detection is to compress the executable file so that both the infected and uninfected programs have identical length, as shown in Fig. 6.2.

Figure 6.2 A Compression Virus.
• t0: P1' is infected version of P1; P2 is clean
• t1: P2 is compressed into P2'
• t2: CV attaches itself to P2'
• t3: P1' is decompressed into the original program P1

Virus Classifications

Classification by target
• Boot sector infector
  o Infects master boot record and spreads when system is booted from the disk containing the virus
• File infector
  o Infects executable files
• Macro virus
  o Infects files with macro or scripting code that is interpreted by an application
• Multipartite virus
  o Infects files in multiple ways

Classification by concealment strategy
• Encrypted virus
  o A portion of the virus creates a random encryption key and encrypts the remainder of the virus
• Stealth virus
  o A form of virus explicitly designed to hide itself from detection by anti-virus software
  o May use code mutation, compression, or rootkit techniques
• Polymorphic virus
  o A virus that mutates with every infection changing its bit pattern, but different copies are functionally equivalent
• Metamorphic virus
  o Rewrites itself completely at each iteration, may change their function/behavior as well as their appearance

Encrypting virus
• An encrypting virus always propagates using the same decryption routine. However, the key value within the decryption routine changes from infection to infection. Consequently, the encrypted body of the virus also varies, depending on the key value.

An Encrypted Virus (figure: before decryption and after decryption).

Macro and Scripting Viruses
• Very common in mid-1990s
  o Platform independent
  o Infect documents (not executable portions of code)
  o Easily spread
• Exploit macro capability of MS Office applications
  o More recent releases of products include protection
• No longer the predominant virus threat

Worms
• Program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines; exploits software vulnerabilities in client or server programs
• Can use network connections to spread from system to system;
• Or spread through shared media (USB drives, CD, DVD data disks);
• Or spread in macro or script code included in attachments and instant messenger file transfers
• Upon activation the worm may replicate and propagate again

(28) Worm Replication

E-mail or instant messenger
• Worm e-mails a copy of itself to other systems
• Sends itself as an attachment via an instant message service

File sharing
• Creates a copy of itself or infects a file as a virus on removable media (USB stick)

Remote execution capability
• Worm executes a copy of itself on another system

Remote file access or transfer capability
• Worm uses remote file access or transfer service to copy itself from one system to the other

Remote login capability
• Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other

Target Discovery

Scanning
  o First function in the propagation phase for a network worm
  o Searches for other systems to infect

Scanning strategies that a worm can use:
• Random
  o Each compromised host probes random addresses in the IP address space using a different seed
  o This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched
• Hit-list
  o The attacker first compiles a long list of potential vulnerable machines
  o Once the list is compiled the attacker begins infecting machines on the list
  o Each infected machine is provided with a portion of the list to scan
  o This results in a very short scanning period which may make it difficult to detect that infection is taking place
• Topological
  o Uses information contained on an infected victim machine to find more hosts to scan
• Local subnet
  o If a host can be infected behind a firewall that host then looks for targets in its own local network
  o The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall

Figure 6.3 Worm Propagation Model. (Fraction of hosts infected and fraction of hosts not infected plotted against time, in three phases: slow start phase, fast spread phase, slow finish phase.)

Morris Worm
• Earliest significant worm infection
• Released by Robert Morris in 1988
• Designed to spread on UNIX systems
• Successful attacks achieved communication with the operating system command interpreter
  o Sent a bootstrap program to the command interpreter to copy worm over
• Robert Morris now a professor at MIT, working on OS and distributed systems (not security)
  o http://pdos.csail.mit.edu/rtm/

State-of-the-Art Worm Technology
• Multiplatform: attack a variety of platforms, including Windows, Linux, MacOS; or exploit macro supported in popular document types.
• Multi-exploit: penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications; or via shared media (USB sticks).
• Fast spreading: optimize the rate of spread of a worm to locate as many vulnerable machines as possible in a short time period.
• Polymorphic: Each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
• Metamorphic: In addition to changing their appearance, change their behavior at different iterations.
• Transport vehicles: spread a wide variety of malicious payloads, such as distributed denial-of-service bots, rootkits, and spyware.
• Zero-day exploit: an unknown vulnerability is exploited that is only discovered when the worm is launched.

Mobile Code
• Programs that can be shipped unchanged to a variety of platforms
  o Including Java applets, ActiveX, and JavaScript
• Transmitted from a remote system to a local system and then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
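
The three phases named in Figure 6.3 (slow start, fast spread, slow finish) fall out of the simple epidemic model, in which new infections are proportional to both the infected and the still-vulnerable fraction of hosts. The following is an added example, not part of the original slides; the update rule, the contact rate `beta`, the starting fraction and the 10%/90% phase cut-offs are assumptions chosen for illustration.

```python
# Simple epidemic (SI) model of worm spread. Assumed for illustration:
# the update rule, beta values, starting fraction and 10%/90% cut-offs.

def simulate(beta, i0=0.0001, steps=400):
    """Infected fraction per time step: i += beta * i * (1 - i)."""
    curve = [i0]
    for _ in range(steps):
        i = curve[-1]
        # New infections need an infected host AND a vulnerable one.
        curve.append(min(1.0, i + beta * i * (1.0 - i)))
    return curve


def phase(fraction, low=0.10, high=0.90):
    """Label a point on the curve with the phase names of Figure 6.3."""
    if fraction < low:
        return "slow start"
    if fraction < high:
        return "fast spread"
    return "slow finish"


def first_step_at(curve, fraction):
    """First time step at which the infected fraction reaches `fraction`."""
    for t, i in enumerate(curve):
        if i >= fraction:
            return t
    return None


def phase_durations(curve):
    """Time steps spent in each phase until 99% of hosts are infected."""
    end = first_step_at(curve, 0.99)
    counts = {"slow start": 0, "fast spread": 0, "slow finish": 0}
    for i in curve[:end]:
        counts[phase(i)] += 1
    return counts


if __name__ == "__main__":
    for beta in (0.8, 0.2):  # constructed rates: unthrottled vs throttled
        curve = simulate(beta)
        print(f"beta={beta}: {phase_durations(curve)}, "
              f"10% at t={first_step_at(curve, 0.10)}, "
              f"90% at t={first_step_at(curve, 0.90)}")
```

In this model a lower `beta` (for example after patching or rate-limiting scanning hosts) stretches the slow start phase, which is the window in which detection and containment still precede the bulk of the infections.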
