241-427-SV-2-2552-COE-PSU 1
241-427 Computer Security
Chapter V: Authorization
Dr. Sangsuree Vasupongayya
Outline
o Multilevel Security Models
n Bell-LaPadula
n Biba’s Model
o Multilateral Security
o Covert Channel
o Inference Control
o CAPTCHA
o Firewalls
o Intrusion detection systems
Authorization
o Restrictions on the actions of authenticated users
o Authentication
n establishing identity
n Binary (either authenticated or not)
o Authorization
n enforce restrictions on what the authenticated user is
allowed to do
n Fine grained
Multilevel Security Models (MLS)
o Security models are descriptive, not prescriptive
(they say what needs to be protected, not how to provide
that protection)
o Basic information
n Subject (human or process) : clearance
n Object (data) : classification
o US DoD defines 4 levels
TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
o Why is the model needed?
n Subjects & objects with different levels share the same
system resources
o Only the 2 most popular models are reviewed here
n Bell-LaPadula, Biba’s model
Bell-LaPadula (BLP)
o Named after its inventors
o Goal: confidentiality
o High water mark principle
o Simple Security Condition (No read up)
Subject S can read object O iff L(O) ≤ L(S)
n A SECRET researcher can view SECRET or lower
classification level documents but nothing higher
o *-property (No write down)
Subject S can write object O iff L(S) ≤ L(O)
n A SECRET researcher can create SECRET or TOP
SECRET documents but nothing lower
Biba’s Model
o Goal: integrity
o Low water mark principle
o The dual of BLP: the same rules with the direction reversed
o No read down
Subject S can read object O iff I(S) ≤ I(O)
o No write up
Subject S can write object O iff I(O) ≤ I(S)
o Low water mark policy (alternative to “no read down”):
the read is allowed, but afterwards I(S) = min(I(S), I(O))
o E.g.,
n A general can write orders to a colonel or a major
(writing down is allowed)
n A private cannot write orders to a sergeant or a
lieutenant (no write up)
BLP versus Biba’s model
[Figure: an object O assembled from two parts O1 and O2;
under BLP L(O) is the higher of L(O1) and L(O2), under
Biba I(O) is the lower of I(O1) and I(O2)]
o BLP concerns confidentiality, so the security level of the
object is the highest of the two components → if any part of
the object is secret, the whole object is secret
o Biba’s model concerns integrity, so the trust in the object
is the lowest of the two components → if any part of the
object is untrusted, the whole object is untrusted
Multilateral Security
o Why do we need this?
n MLS enforces access control (information flow) “up
and down” only
n Not realistic enough for real situations
o E.g., an MLS at a hospital
o TOP SECRET: diseases such as AIDS, cancer
o SECRET: drug prescriptions
o CONFIDENTIAL: amount of each drug
o UNCLASSIFIED: list of drugs & associated diseases
n What’s wrong with this view?
o A SECRET-cleared user can combine the prescriptions
(SECRET) with the drug-to-disease list (UNCLASSIFIED)
and infer who has which disease, i.e., TOP SECRET
information, without ever reading up
Multilateral Security (cont.)
o Deals with information flow across security levels
o Labels take the form SECURITY LEVEL {compartment},
e.g., SECRET {cardiology}
o Uses the need-to-know principle: subjects are only allowed
access to the information that they must know
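The following is an added example, not code from the lecture slides: a small reference monitor that enforces the Bell-LaPadula and Biba rules from the slides above, plus the multilateral (level + compartment) labels from this slide. The level names follow the slides; the subjects, objects and compartment names are constructed for the example.

```python
"""Added example (not from the lecture slides): a small reference monitor that
enforces the Bell-LaPadula and Biba rules stated in the slides, plus the
multilateral (compartment) extension. The level names follow the slides; the
subjects, objects and compartment names are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Multilateral label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: Label) -> bool:
        # A dominates B iff level(A) >= level(B) AND compartments(A) is a
        # superset of compartments(B); the compartments encode need-to-know.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# ---- Bell-LaPadula (confidentiality): no read up, no write down ----
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security condition: S may read O iff L(S) dominates L(O)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: S may write O iff L(O) dominates L(S)."""
    return obj.dominates(subject)


def blp_combine(*parts: Label) -> Label:
    """Label of an object assembled from parts: the highest level and the
    union of compartments, so one secret part makes the whole thing secret."""
    highest = max(parts, key=lambda p: LEVELS[p.level]).level
    return Label(highest, frozenset().union(*(p.compartments for p in parts)))


# ---- Biba (integrity): no read down, no write up, low water mark ----
def biba_can_read(subject_i: int, obj_i: int) -> bool:
    """Strict policy (no read down): S may read O iff I(S) <= I(O)."""
    return subject_i <= obj_i


def biba_can_write(subject_i: int, obj_i: int) -> bool:
    """No write up: S may write O iff I(O) <= I(S)."""
    return obj_i <= subject_i


def biba_low_water_mark_read(subject_i: int, obj_i: int) -> int:
    """Alternative policy: the read is allowed, but the subject's integrity
    drops to min(I(S), I(O)), so tainted input can never be written upward."""
    return min(subject_i, obj_i)


def biba_combine(*parts: int) -> int:
    """Integrity of an object assembled from parts: the least trusted wins."""
    return min(parts)


if __name__ == "__main__":
    researcher = Label("SECRET")
    print("SECRET reads CONFIDENTIAL:", blp_can_read(researcher, Label("CONFIDENTIAL")))
    print("SECRET reads TOP SECRET:  ", blp_can_read(researcher, Label("TOP SECRET")))
    print("SECRET writes TOP SECRET: ", blp_can_write(researcher, Label("TOP SECRET")))
    # Need-to-know: same level but a missing compartment is still denied
    oncology = Label("SECRET", frozenset({"ONCOLOGY"}))
    cardiology_file = Label("SECRET", frozenset({"CARDIOLOGY"}))
    print("SECRET{ONCOLOGY} reads SECRET{CARDIOLOGY}:",
          blp_can_read(oncology, cardiology_file))
    general, private, sergeant = 3, 0, 1  # constructed integrity levels
    print("general writes to sergeant:", biba_can_write(general, sergeant))
    print("private writes to sergeant:", biba_can_write(private, sergeant))
```

The compartment check is what turns the hospital example into a multilateral policy: a SECRET-cleared user without the right compartment is refused even though the level alone would allow the read.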
Covert channel
o A communication path not intended as such by
the system’s designers
o E.g., Alice has TOP SECRET clearance and Bob has
CONFIDENTIAL clearance, so BLP forbids Alice from
writing anything Bob may read. All users share a file
space. Alice can still signal bits to Bob simply by
creating or not creating a file whose existence Bob can see.
Covert channel (cont.)
o 3 conditions are required
n Both Alice and Bob have access to a shared
resource
n Alice can change a property of the shared resource
and Bob can observe the change
n Alice and Bob can synchronize their communication
o Virtually impossible to eliminate all covert channels
o Can only reduce covert channel capacity
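The following is an added example, not code from the slides: a storage covert channel built from exactly the three ingredients listed above. Alice (high clearance) and Bob (low clearance) share one directory; Alice toggles the existence of a file, Bob observes whether it exists, and a shared tick counter stands in for the clock they synchronize on. The directory and the message are constructed for the example.

```python
"""Added example (not part of the lecture slides): a storage covert channel
built from the three ingredients on the slide. Alice (high clearance) and Bob
(low clearance) share one directory; Alice toggles the existence of a file,
Bob observes whether it exists, and a shared tick counter stands in for the
clock they synchronize on. The directory and the message are constructed."""
from __future__ import annotations

import os
import tempfile


class SharedResource:
    """The shared file space. Anybody may create or remove their own file and
    anybody may see whether a file exists; Bob never reads Alice's data."""

    def __init__(self, directory: str):
        self.directory = directory
        self.tick = 0  # synchronization: exactly one bit is signalled per tick

    def flag_path(self) -> str:
        return os.path.join(self.directory, "alice.tmp")


def to_bits(message: bytes) -> list[int]:
    """MSB-first bit list of the message."""
    return [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]


def from_bits(bits: list[int]) -> bytes:
    """Inverse of to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[k:k + 8])), 2)
                 for k in range(0, len(bits) - len(bits) % 8, 8))


def alice_put(shared: SharedResource, bit: int) -> None:
    """Alice changes a property of the shared resource: file exists <=> bit 1."""
    path = shared.flag_path()
    if bit:
        open(path, "w").close()
    elif os.path.exists(path):
        os.remove(path)


def bob_get(shared: SharedResource) -> int:
    """Bob observes the change without reading any file content."""
    return 1 if os.path.exists(shared.flag_path()) else 0


def run_channel(message: bytes, directory: str) -> tuple[bytes, int]:
    """Lock-step transfer: per tick Alice sets one bit and Bob samples it.
    Returns what Bob decoded and the number of ticks used."""
    shared = SharedResource(directory)
    received = []
    for bit in to_bits(message):
        alice_put(shared, bit)
        received.append(bob_get(shared))
        shared.tick += 1
    if os.path.exists(shared.flag_path()):
        os.remove(shared.flag_path())
    return from_bits(received), shared.tick


def capacity_bits_per_second(tick_seconds: float) -> float:
    """One bit per tick. A defender cannot remove the channel (the file space
    is still shared) but can shrink its capacity by forcing longer ticks,
    e.g. coarse-grained timestamps or delayed directory updates."""
    return 1.0 / tick_seconds


def demo(message: bytes = b"launch") -> bytes:
    with tempfile.TemporaryDirectory() as directory:
        received, ticks = run_channel(message, directory)
    print(f"Bob received {received!r} in {ticks} ticks")
    return received


if __name__ == "__main__":
    demo()
```

Nothing here violates “no write down”: Bob never opens Alice’s file. The leak is carried entirely by metadata (existence) and timing, which is why such channels can only be throttled, not closed.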
Inference Control
o Preventing specific information from leaking through
legitimate queries that are engineered to extract it
o E.g., consider a database of university faculty
n A guest user queries the average salary of female
engineering professors and gets $100,000 as the response
n The same guest user then queries the number of
female engineering professors and gets 1 as the
response
n As a result, one person’s salary is leaked via legal
queries
o E.g., a database of medical records
n Researchers study statistical correlations to find risk
factors or causes of certain diseases
n But medical information is private
Inference Control (cont.)
o Many techniques exist
o E.g.,
n Query set size control: no response is returned if the
size of the query set is too small. The female faculty
example is stopped this way
n Randomization: adding random noise to the data, so
that the information may not be accurate enough to be
useful
n N-respondent k% dominance rule: data is not
released if k% or more of the result is contributed by
N or fewer subjects; this technique is applied to
information collected by the United States Census
Bureau
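The following is an added example, not code from the slides: a statistical-query interface over a constructed faculty table that implements the three controls listed above, followed by a differencing attack showing why query set size control on its own is not enough. Names, departments and salaries are made up for the example.

```python
"""Added example (not from the slides): a statistical-query interface over a
constructed faculty table with the three controls from the slide, plus a
differencing attack showing the limit of query set size control alone.
Names, departments and salaries are made up."""
from __future__ import annotations

import random
from statistics import mean

FACULTY = [  # constructed sample data
    {"name": "A", "dept": "engineering", "sex": "F", "salary": 100_000},
    {"name": "B", "dept": "engineering", "sex": "M", "salary": 95_000},
    {"name": "C", "dept": "engineering", "sex": "M", "salary": 105_000},
    {"name": "D", "dept": "engineering", "sex": "M", "salary": 90_000},
    {"name": "E", "dept": "engineering", "sex": "M", "salary": 110_000},
    {"name": "F", "dept": "science", "sex": "F", "salary": 80_000},
    {"name": "G", "dept": "science", "sex": "M", "salary": 85_000},
]


class QueryRefused(Exception):
    """Raised when a control decides the answer would leak too much."""


def select(**where) -> list[dict]:
    return [r for r in FACULTY if all(r[k] == v for k, v in where.items())]


def count(min_size: int = 3, **where) -> int:
    """Query set size control: refuse when fewer than min_size rows match."""
    rows = select(**where)
    if len(rows) < min_size:
        raise QueryRefused(f"{len(rows)} row(s) match; minimum is {min_size}")
    return len(rows)


def average_salary(min_size: int = 3, **where) -> float:
    count(min_size, **where)  # same size check as for counts
    return mean(r["salary"] for r in select(**where))


def noisy_average_salary(noise: float = 5_000, seed: int | None = None,
                         min_size: int = 3, **where) -> float:
    """Randomization: add uniform noise so an exact value cannot be read back."""
    rng = random.Random(seed)
    return average_salary(min_size, **where) + rng.uniform(-noise, noise)


def dominance_ok(values: list[int], n: int = 1, k: float = 60.0) -> bool:
    """N-respondent k% dominance rule: the top n contributors must account
    for less than k% of the total, otherwise the total reveals them."""
    total = sum(values)
    top = sum(sorted(values, reverse=True)[:n])
    return total > 0 and 100.0 * top / total < k


def total_salary(n: int = 1, k: float = 60.0, min_size: int = 3, **where) -> int:
    count(min_size, **where)
    values = [r["salary"] for r in select(**where)]
    if not dominance_ok(values, n, k):
        raise QueryRefused(f"top {n} respondent(s) contribute {k}% or more")
    return sum(values)


def differencing_attack(min_size: int = 3) -> float:
    """Caveat for the size control: both queries below are legal (5 and 4
    rows), yet their difference is exactly the one female engineer's salary.
    Real systems therefore also limit overlapping queries or add noise."""
    everyone = average_salary(min_size, dept="engineering") * count(min_size, dept="engineering")
    men = (average_salary(min_size, dept="engineering", sex="M")
           * count(min_size, dept="engineering", sex="M"))
    return everyone - men


def refused(query, *args, **kwargs) -> bool:
    """True if the control refused the query (used by the checks below)."""
    try:
        query(*args, **kwargs)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    print("direct query refused:", refused(average_salary, dept="engineering", sex="F"))
    print("differencing attack recovers:", differencing_attack())
    print("noisy average:", round(noisy_average_salary(seed=1, dept="engineering")))
```

Run as a script it shows the size control refusing the single-row query from the slide and the differencing attack recovering the same $100,000 from two queries the control accepts; the noisy answer is the randomization control applied to the same query.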
CAPTCHA
Completely Automated Public Turing test to tell
Computers and Humans Apart
CAPTCHA (cont.)
o A test that a human can pass, but a computer
can’t pass with probability better than guessing
o It is designed to restrict access to resources to
humans
n It must be easy for a human to pass
n It must be difficult or impossible for a machine to pass
n Even if the machine has access to the CAPTCHA
software (the security must not rely on the generator
being secret)
o Yahoo e-mail used CAPTCHA to prevent
spammers from automatically signing up for large
numbers of accounts
Network basics review
o A network is composed of hosts and routers
n Hosts: servers, computers, PDAs, cell phones
n Routers: route data through the network from host to
host
Network basics review (cont.)
o A router must process data up to the network layer
in order to know where to route the packet
o Application layer: handles the application data that
is sent from host to host
o Transport layer: deals with logical end-to-end
transport of the data, e.g., TCP, UDP
o Network layer: routes the data through the network
Network basics review (cont.)
o Protocols
n specify the communication rules employed by the network
n Can be stateless or stateful
o Stateless protocols don’t “remember” anything
n Can also have serious security issues (e.g., they cannot
tell a legitimate reply from an unsolicited one)
o Stateful protocols do have some memory
n DoS attacks often take advantage of stateful protocols
(the state costs the defender memory)
o Protocol stack
n Networking protocols reside within layers
n Layers are stacked on top of each other
n A protocol stack is more of a concept than an actual
physical construct
Network basics review (cont.)
o Network layer
n Offers unreliable “best effort” delivery of packets
n Internet Protocol (IP)
n IP must run in every host and router in the network
Network layer
o Routers also run routing protocols to determine the
best path to use when sending packets
o To route packets, every host on the Internet has
a 32-bit IPv4 address
o Each host can have many processes
n To distinguish between processes, a 16-bit port number
is assigned
n Port numbers below 1024 are reserved for well-known
services
o Port 80: HTTP
o Port 110: POP3
n Port numbers from 1024 to 65535 are available for
other uses
n IP address + port number defines a socket
n A socket identifies the communicating process on
that host; a connection is identified by its pair of sockets
Network layer
o Routers determine the proper route for a packet
using information in the IP header
n Source IP address
n Destination IP address
n TTL (time-to-live): limits the number of “hops” that a
packet can travel before it is discarded
o Fragmentation
n The packet size is limited
n Large packets must be split into smaller packets
n Reassembly happens at the destination
n Possible DoS attacks (the receiver must hold fragments
in memory until the whole packet has arrived)
o IPv6
n 128-bit addresses
n Security support in the form of IPsec
Network basics review (cont.)
o Transport layer
n The network layer offers only unreliable “best effort”
delivery of packets
n The network attempts to get packets to their
destination, but if a packet fails to arrive (or its data is
corrupted, or a packet arrives out of order), the network
takes no responsibility
n Any improved service beyond the network layer must
be implemented somewhere above the network layer
n Reliable delivery of packets is the primary purpose of
the transport layer
Network basics review (cont.)
o Transport layer (cont.)
n Hosts can put more packets into the network than it
can carry
o Routers include buffers to store extra packets
o When the buffer is full, packets are dropped
n Data packets can also get corrupted in transit
n Routing is a dynamic process, so packets can arrive out
of order
n Two transport layer protocols
o Transmission Control Protocol (TCP)
o User Datagram Protocol (UDP)
Transmission Control Protocol
o Provides reliable delivery
o Connection-oriented: contacts the server before
sending the data
n to be sure that
o the server is alive
o the server is listening on the appropriate port
o TCP will make sure that
n Packets arrive
n Packets are sequenced in the correct order
n Data has not been corrupted
o TCP provides these services by
n Including sequence numbers in the packets
n Telling the sender to retransmit packets when
problems are detected
TCP Three-way handshake
o SYN: the client requests synchronization with the
server
o SYN-ACK: the server acknowledges receipt of the
SYN request
o ACK: the client acknowledges the SYN-ACK; data
may also be included in this segment
TCP
o Connections are terminated by a FIN (finish) or RST
(reset) packet
o Possible DoS attack on the TCP three-way handshake
n Whenever a SYN packet is received
n The server must remember the “half-open”
connection → consumes server resources
n Too many half-open connections can exhaust the
server (SYN flooding)
User Datagram Protocol
o Requires minimal overhead
o Provides no delivery guarantees
o Why does UDP exist?
n UDP is more efficient
n has a smaller header
n Consumes less bandwidth
n No restrictions (no flow or congestion control) to slow
down the sender
o Applications
n Delay is not tolerable
n Acceptable to lose some fraction of the packets
n E.g., streaming audio and video
n However, where reliability is needed it must be built
into the application layer
Firewalls
o Examines requests to access the network
o Decides whether they pass a reasonableness test
n Pass → allow through
n Not pass → refuse
o E.g., requesting a meeting with the dean
n Contact the secretary → the secretary filters the request
o The level of filtering depends on the person
n E.g., the president of the United States of America vs.
the dean
[Figure: Internet, firewall, internal network]
Types of firewalls
o Each type of firewall filters packets by examining
the data up to a particular layer of the network
protocol stack
o Three types of firewalls
n Packet filter
n Stateful packet filter
n Application proxy
Packet filter firewall
o Examines packets up to the network layer
o Only header information is examined (addresses, ports,
TCP flags), never the payload
o Uses access control lists (ACLs)
o Disadvantages
n No concept of state
o each packet is treated independently
n Is blind to application data
n E.g., TCP ACK scan attack
TCP ACK scan attack
o Send an ACK packet without the prior two packets
of the TCP three-way handshake
o The packet filter has no concept of state → the ACK looks
like part of an existing connection and is allowed through
o The host realizes the ACK is unsolicited → sends an RST
packet, which tells the attacker that the host exists and that
the port is reachable through the firewall
Stateful packet filter
o Adds state to a packet filter firewall
o Keeps track of TCP connections
o Remembers UDP “connections”
o Operates at the transport layer
o Can prevent many attacks, e.g., TCP ACK scan
o Disadvantages
n Cannot examine application data
n Slower than a packet filtering firewall
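The following is an added example, not code from the slides: a toy model of the TCP server state described in the handshake and SYN-flooding slides, reused to show the ACK scan from the packet filter slide and why the stateful filter above stops it. Addresses, the backlog size and the single “port” field are constructed simplifications; no real sockets are used.

```python
"""Added example (not from the slides): a toy model of TCP server state that
shows the three-way handshake, why half-open connections are a DoS vector,
and why a stateless packet filter passes an ACK scan while a stateful one
drops it. Addresses, backlog size and the single "port" field are constructed
simplifications; no real sockets are used."""
from __future__ import annotations

from dataclasses import dataclass

TARGET = "192.0.2.10"  # constructed internal host address


@dataclass(frozen=True)
class Packet:
    src: str      # sender address
    dst: str      # receiver address
    port: int     # the server-side port the packet concerns (simplified)
    flags: str    # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"


class TcpServer:
    """Tracks half-open (SYN seen, ACK pending) and established connections."""

    def __init__(self, port: int = 80, backlog: int = 4):
        self.port, self.backlog = port, backlog
        self.half_open: set[str] = set()
        self.established: set[str] = set()

    def receive(self, pkt: Packet) -> Packet | None:
        def reply(flags: str) -> Packet:
            return Packet(pkt.dst, pkt.src, self.port, flags)

        if pkt.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                return None  # backlog full: the SYN is silently dropped (DoS)
            self.half_open.add(pkt.src)  # state kept for an unverified client
            return reply("SYN-ACK")
        if pkt.flags == "ACK":
            if pkt.src in self.half_open:
                self.half_open.discard(pkt.src)
                self.established.add(pkt.src)
                return None  # handshake complete
            return reply("RST")  # unsolicited ACK: no such connection
        if pkt.flags in ("FIN", "RST"):
            self.half_open.discard(pkt.src)
            self.established.discard(pkt.src)
        return None


class PacketFilter:
    """Stateless: decides from header fields only (here: the port)."""

    def __init__(self, allowed_ports: set[int]):
        self.allowed_ports = set(allowed_ports)

    def allows(self, pkt: Packet) -> bool:
        return pkt.port in self.allowed_ports


class StatefulPacketFilter(PacketFilter):
    """Remembers flows that began with a permitted SYN; any other segment
    must belong to a tracked flow, so a bare ACK has nothing to match."""

    def __init__(self, allowed_ports: set[int]):
        super().__init__(allowed_ports)
        self.flows: set[tuple[str, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.port)
        if pkt.flags == "SYN":
            if super().allows(pkt):
                self.flows.add(key)
                return True
            return False
        return key in self.flows


def handshake(server: TcpServer, client: str) -> bool:
    """SYN -> SYN-ACK -> ACK; True if the connection ends up established."""
    syn_ack = server.receive(Packet(client, TARGET, server.port, "SYN"))
    if syn_ack is None or syn_ack.flags != "SYN-ACK":
        return False
    server.receive(Packet(client, TARGET, server.port, "ACK"))
    return client in server.established


def syn_flood(server: TcpServer, n: int) -> tuple[int, Packet | None]:
    """n SYNs from spoofed sources that never ACK. Returns how many the server
    accepted and what a legitimate client gets afterwards (None = dropped)."""
    accepted = 0
    for i in range(n):
        spoofed = f"10.0.{i // 256}.{i % 256}"
        if server.receive(Packet(spoofed, TARGET, server.port, "SYN")) is not None:
            accepted += 1
    return accepted, server.receive(Packet("198.51.100.7", TARGET, server.port, "SYN"))


def ack_scan(firewall: PacketFilter, server: TcpServer, scanner: str = "203.0.113.9") -> str:
    """A lone ACK aimed at the server: 'RST' means the scanner learned that a
    live host sits behind the firewall on that port, 'dropped' means the
    firewall blocked the probe."""
    probe = Packet(scanner, TARGET, server.port, "ACK")
    if not firewall.allows(probe):
        return "dropped"
    reply = server.receive(probe)
    return reply.flags if reply else "no reply"
```

With a backlog of 4, ten spoofed SYNs leave four half-open entries that never complete, and the fifth and later SYNs (including the legitimate client’s) get no SYN-ACK at all; real stacks limit the damage with short half-open timeouts or SYN cookies. The same server answers a bare ACK with RST when the stateless filter lets it through, and never sees it when the stateful filter has no matching flow.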
Application proxy
o The proxy acts on your behalf
n Verifies that the packets are legitimate and that the
data inside them is safe
o Advantage: has a complete view of connections and
of the application data
o Disadvantage: slow
o The incoming packet is destroyed and a new packet is
created when the data passes through the firewall
n Can prevent Firewalk
Firewalk
o Uses the Internet Control Message Protocol (ICMP)
o Set the TTL to be one hop beyond the firewall
o Wait for the ICMP “time exceeded” error message
sent back after the packet is terminated: if it arrives, the
firewall let that packet through, so the attacker learns
which ports the firewall allows
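The following is an added example, not code from the slides: a toy forwarding path that shows how Firewalk uses the TTL field and ICMP time-exceeded replies to discover which ports a packet filter passes, and why the application proxy from the previous slide defeats it. Hop names, the ACL and the target address are constructed; nothing is sent on a real network.

```python
"""Added example (not from the slides): a toy forwarding path that shows how
Firewalk uses TTL and ICMP time-exceeded replies to discover which ports a
packet filter passes, and why an application proxy defeats it. Hop names,
the ACL and the target address are constructed; nothing is sent on a real
network."""
from __future__ import annotations

from dataclasses import dataclass

TARGET = "192.0.2.10"  # constructed internal host behind the firewall


@dataclass
class Probe:
    dst: str
    dport: int
    ttl: int


class Hop:
    """A plain router: decrements TTL and reports expiry, as IP requires."""

    def __init__(self, name: str):
        self.name = name

    def forward(self, probe: Probe) -> str | None:
        probe.ttl -= 1
        if probe.ttl == 0:
            return f"ICMP time-exceeded from {self.name}"
        return None  # keep forwarding


class PacketFilterHop(Hop):
    """Router plus ACL: TTL is handled first, then the port rule."""

    def __init__(self, name: str, allowed_ports: set[int]):
        super().__init__(name)
        self.allowed_ports = set(allowed_ports)

    def forward(self, probe: Probe) -> str | None:
        expired = super().forward(probe)
        if expired:
            return expired
        return None if probe.dport in self.allowed_ports else "dropped"


class ApplicationProxyHop(PacketFilterHop):
    """The proxy destroys the inbound packet and creates a new one with a
    fresh TTL, so the attacker's TTL never expires beyond the firewall."""

    def __init__(self, name: str, allowed_ports: set[int], fresh_ttl: int = 64):
        super().__init__(name, allowed_ports)
        self.fresh_ttl = fresh_ttl

    def forward(self, probe: Probe) -> str | None:
        verdict = super().forward(probe)
        if verdict is None:
            probe.ttl = self.fresh_ttl  # new packet: attacker's TTL discarded
        return verdict


def send(path: list[Hop], probe: Probe) -> str:
    """Walk the probe along the path; the last hop delivers to the host."""
    for hop in path:
        reply = hop.forward(probe)
        if reply:
            return reply
    return "delivered"


def locate_firewall(path: list[Hop], firewall_name: str, max_ttl: int = 16) -> int:
    """Ramping phase: raise TTL until the time-exceeded comes from the firewall."""
    for ttl in range(1, max_ttl + 1):
        if send(path, Probe(TARGET, 80, ttl)).endswith(firewall_name):
            return ttl
    return 0


def firewalk(path: list[Hop], firewall_hops: int, ports: list[int]) -> dict[int, bool]:
    """Scanning phase: TTL = firewall hops + 1. A time-exceeded from the hop
    behind the firewall proves the filter passed that port."""
    return {port: send(path, Probe(TARGET, port, firewall_hops + 1))
                  .startswith("ICMP time-exceeded")
            for port in ports}


def filter_path() -> list[Hop]:
    return [Hop("r1"), Hop("r2"), PacketFilterHop("fw", {80, 443}), Hop("r3")]


def proxy_path() -> list[Hop]:
    return [Hop("r1"), Hop("r2"), ApplicationProxyHop("proxy", {80, 443}), Hop("r3")]


if __name__ == "__main__":
    hops = locate_firewall(filter_path(), "fw")
    print("packet filter:", firewalk(filter_path(), hops, [23, 80, 443]))
    print("application proxy:", firewalk(proxy_path(), hops, [23, 80, 443]))
```

Against the packet filter the scan reports ports 80 and 443 open and 23 closed without ever touching the internal host; against the proxy every probe either dies at the ACL or continues with a fresh TTL, so no time-exceeded from behind the firewall ever reaches the attacker and the ruleset stays hidden. Packet filters can also blunt the technique by not forwarding (or by rate-limiting) outbound ICMP time-exceeded messages.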
Personal Firewall
o Protects a single host or a small network
o Any of the three firewall approaches can be used
o Usually simple
Defense in depth
o Good strategy
o The attacker must defeat several layers, which takes time
o DMZ (demilitarized zone): the segment holding the
services that must be exposed to the outside world
Intrusion detection systems
o To keep bad guys out of your system or network
n Authentication and firewalls are ways to prevent
intrusions
n But they might fail
o The purpose of an IDS is to detect attacks before,
during, and after they have occurred
o Two methods
n Signature-based IDS
n Anomaly-based IDS
o Two basic architectures
n Host-based IDS
n Network-based IDS
Basic architectures
o Host-based intrusion detection system
n Applies the detection method to activities occurring on hosts
n Usually detects attacks such as buffer overflows, escalation
of privilege
n Has little or no view of network activities
o Network-based intrusion detection system
n Applies the detection method to network traffic
n Usually detects attacks such as denial of service, network
probes, malformed packets
n May have some overlap with firewalls
n Has little or no direct view of host-based attacks
Signature-Based IDS
o Detects attacks based on
known “signatures” or patterns
o Uses statistical analysis and heuristics
o Must keep the false alarm rate at a manageable
level
o Advantages
n Simplicity, efficiency, excellent ability to detect known
attacks, specific warnings issued
o Disadvantages
n Signature file must be kept current, large number of
signatures, can only detect known attacks
Anomaly-Based IDS
o Define the baseline behavior of a system
o Provide a warning whenever the system strays too
far from this baseline
o Challenges
n What is “normal”?, normal must be able to adapt as
the system changes, what is “abnormal”?
o Advantage
n A chance of detecting previously unknown attacks
o Disadvantages
n Warnings are not specific
n Can’t stand on their own (only used to supplement
signature-based systems)
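The following is an added example, not code from the slides: the two detection methods from the signature-based and anomaly-based slides run over a handful of constructed web-server log lines (Apache combined-log style). The three signatures and the traffic baseline are illustrative; a real IDS carries thousands of rules and a far richer model of “normal”.

```python
"""Added example (not from the slides): signature-based and anomaly-based
detection run over constructed web-server log lines. The signatures and the
baseline are illustrative only."""
from __future__ import annotations

import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log: one normal client, and one client that first probes the
# server and then hammers it with a burst of requests matching no signature.
LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2024:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 734',
    '198.51.100.8 - - [12/Mar/2024:10:00:12 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.8 - - [12/Mar/2024:10:00:13 +0000] "GET /login?user=admin\'%20OR%201=1-- HTTP/1.1" 200 120',
] + [
    f'198.51.100.8 - - [12/Mar/2024:10:00:{14 + i:02d} +0000] "GET /page{i}.html HTTP/1.1" 404 0'
    for i in range(7)
]

# Historical requests per client per minute, the constructed notion of "normal".
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2]

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# Signature-based: known attack patterns, each yielding a specific warning.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sensitive file access", re.compile(r"/etc/(passwd|shadow)")),
    ("SQL injection probe", re.compile(r"'(?:%20|\s)*or(?:%20|\s)*1=1", re.IGNORECASE)),
]


def parse(line: str) -> dict | None:
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def signature_scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, rule name, request path) for every signature hit.
    Specific, cheap, and blind to anything not in SIGNATURES."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def anomaly_scan(lines: list[str], baseline: list[int], sigmas: float = 3.0) -> dict[str, int]:
    """Flag clients whose request count strays more than `sigmas` standard
    deviations above the baseline mean. The warning is unspecific: it says
    'too many requests', not what the client was trying to do."""
    threshold = mean(baseline) + sigmas * pstdev(baseline)
    counts = Counter(rec["ip"] for rec in map(parse, lines) if rec)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for ip, rule, path in signature_scan(LOG):
        print(f"SIGNATURE  {ip:14} {rule:22} {path}")
    for ip, n in anomaly_scan(LOG, BASELINE_COUNTS).items():
        print(f"ANOMALY    {ip:14} {n} requests in the window")
```

The two methods catch different things here: the signatures name the traversal and injection probes exactly but say nothing about the seven-request burst, while the anomaly detector flags the bursting client by count alone and cannot say why. That is the complementarity the slides describe, and also why the baseline has to be re-learned as legitimate traffic changes.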

More Related Content

DOC
Ccna 1 chapter 5 v4.0 answers 2011
PDF
CCNA 200-120 Exam Quick Notes
PPTX
Week4 lec1-bscs1
PDF
CCNA 200-120 Exam Questions
PPT
introduction to security
PDF
Networking Fundamentals: Transport Protocols (TCP and UDP)
DOC
Ccna 4 chapter 2 v4.0 answers 2011
DOCX
Final networks lab manual
Ccna 1 chapter 5 v4.0 answers 2011
CCNA 200-120 Exam Quick Notes
Week4 lec1-bscs1
CCNA 200-120 Exam Questions
introduction to security
Networking Fundamentals: Transport Protocols (TCP and UDP)
Ccna 4 chapter 2 v4.0 answers 2011
Final networks lab manual

What's hot (20)

PDF
Ccna 200-120 Exam Dumps
PPTX
CCNA 200-120 Latest Dumps
TXT
Copy of a simple tcp spoofing attack
PPT
Chapter 5 : Link Layer
PDF
P5 Network Layer
DOCX
Ccna 4 chapter 2 2011 v4
DOCX
Surviving The Stump The Chump Interview Questions
PDF
Performance and Power Consumption Analysis of Symmetric Encryption Algorithms...
PDF
CCNA Quick Notes
PPTX
12 ethernet-wifi
PPTX
Part 7 : HTTP/2, UDP and TCP
PPT
Chapter 01 - Overview
PDF
CCNAX 200 120 dumps
DOCX
Network interview questions
PDF
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
PDF
PPTX
CCNA ppt Day 2
PPTX
Well known protocols port numbers
PDF
DOC
225735365 ccna-study-guide-a
Ccna 200-120 Exam Dumps
CCNA 200-120 Latest Dumps
Copy of a simple tcp spoofing attack
Chapter 5 : Link Layer
P5 Network Layer
Ccna 4 chapter 2 2011 v4
Surviving The Stump The Chump Interview Questions
Performance and Power Consumption Analysis of Symmetric Encryption Algorithms...
CCNA Quick Notes
12 ethernet-wifi
Part 7 : HTTP/2, UDP and TCP
Chapter 01 - Overview
CCNAX 200 120 dumps
Network interview questions
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
CCNA ppt Day 2
Well known protocols port numbers
225735365 ccna-study-guide-a
Ad

Similar to Ch5-Computer Security (20)

PDF
Ch06b-Computer Security
PDF
Ch6-Computer Security
PPT
IPChhshjdhakjdhiwjsjbdjsndbosoahdiqisj.ppt
DOCX
1- which oh the following might be used by a company to satisfy its gr.docx
PDF
6-OSI Model - ISO - Organization for Standardization.
PDF
E017422935
PDF
Solution manual for_data_communications
PPT
Lecture 3.ppt of cs field using AI and machine management
PDF
Data link layer
PDF
Computer Networking from LANs to WANs Hardware Software and Security 1st Edit...
PPTX
COE332-Ch03d.pptx
PDF
CCNA DUMPS 200-120
PPTX
circuit and virtual circuit switching.pptx
PPTX
circuit and virtual circuit switching.pptx
PPT
Chapter3 transport
PPTX
OSI MODELS.pptx
PPT
Icdfz fsas sascsdf f dsfdf s s sds s.ppt
PDF
NOS Unit.pdf
PPTX
Lecture 15 Transport Layer Part02 (1).pptx
PDF
Understanding Computers Today and Tomorrow Comprehensive 14th Edition Morley ...
Ch06b-Computer Security
Ch6-Computer Security
IPChhshjdhakjdhiwjsjbdjsndbosoahdiqisj.ppt
1- which oh the following might be used by a company to satisfy its gr.docx
6-OSI Model - ISO - Organization for Standardization.
E017422935
Solution manual for_data_communications
Lecture 3.ppt of cs field using AI and machine management
Data link layer
Computer Networking from LANs to WANs Hardware Software and Security 1st Edit...
COE332-Ch03d.pptx
CCNA DUMPS 200-120
circuit and virtual circuit switching.pptx
circuit and virtual circuit switching.pptx
Chapter3 transport
OSI MODELS.pptx
Icdfz fsas sascsdf f dsfdf s s sds s.ppt
NOS Unit.pdf
Lecture 15 Transport Layer Part02 (1).pptx
Understanding Computers Today and Tomorrow Comprehensive 14th Edition Morley ...
Ad

More from Attaporn Ninsuwan (20)

PDF
J query fundamentals
PDF
Jquery enlightenment
PDF
Jquery-Begining
PDF
Br ainfocom94
PDF
Chapter 12 - Computer Forensics
PDF
Techniques for data hiding p
PDF
Stop badware infected_sites_report_062408
PDF
Steganography past-present-future 552
PDF
Ch03-Computer Security
PDF
Ch02-Computer Security
PDF
Ch01-Computer Security
PDF
Ch8-Computer Security
PDF
Ch7-Computer Security
PDF
Ch04-Computer Security
PDF
Chapter5 - The Discrete-Time Fourier Transform
PDF
Chapter4 - The Continuous-Time Fourier Transform
PDF
Chapter3 - Fourier Series Representation of Periodic Signals
PDF
Chapter2 - Linear Time-Invariant System
PDF
Chapter1 - Signal and System
PDF
15955 state-of-the-art-post-exploitation-in-hardened-php-environments
J query fundamentals
Jquery enlightenment
Jquery-Begining
Br ainfocom94
Chapter 12 - Computer Forensics
Techniques for data hiding p
Stop badware infected_sites_report_062408
Steganography past-present-future 552
Ch03-Computer Security
Ch02-Computer Security
Ch01-Computer Security
Ch8-Computer Security
Ch7-Computer Security
Ch04-Computer Security
Chapter5 - The Discrete-Time Fourier Transform
Chapter4 - The Continuous-Time Fourier Transform
Chapter3 - Fourier Series Representation of Periodic Signals
Chapter2 - Linear Time-Invariant System
Chapter1 - Signal and System
15955 state-of-the-art-post-exploitation-in-hardened-php-environments

Recently uploaded (20)

PDF
TR - Agricultural Crops Production NC III.pdf
PDF
Anesthesia in Laparoscopic Surgery in India
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PDF
Pre independence Education in Inndia.pdf
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PDF
Sports Quiz easy sports quiz sports quiz
PDF
01-Introduction-to-Information-Management.pdf
PDF
Complications of Minimal Access Surgery at WLH
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
PDF
O7-L3 Supply Chain Operations - ICLT Program
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PDF
Insiders guide to clinical Medicine.pdf
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
Supply Chain Operations Speaking Notes -ICLT Program
PDF
Computing-Curriculum for Schools in Ghana
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PDF
Microbial disease of the cardiovascular and lymphatic systems
TR - Agricultural Crops Production NC III.pdf
Anesthesia in Laparoscopic Surgery in India
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
Pre independence Education in Inndia.pdf
102 student loan defaulters named and shamed – Is someone you know on the list?
Sports Quiz easy sports quiz sports quiz
01-Introduction-to-Information-Management.pdf
Complications of Minimal Access Surgery at WLH
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Renaissance Architecture: A Journey from Faith to Humanism
O7-L3 Supply Chain Operations - ICLT Program
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
Insiders guide to clinical Medicine.pdf
2.FourierTransform-ShortQuestionswithAnswers.pdf
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
Supply Chain Operations Speaking Notes -ICLT Program
Computing-Curriculum for Schools in Ghana
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Microbial disease of the cardiovascular and lymphatic systems

Ch5-Computer Security

  • 1. 1 241-427-SV-2-2552-COE-PSU 1 241-427 Computer Security Chapter V: Authorization Dr. Sangsuree Vasupongayya 241-427-SV-2-2552-COE-PSU 2 Outline o Multilevel Security Models n Bell-LaPadula n Biba’s Model o Multilateral Security o Covert Channel o Inference Control o CAPTCHA o Firewalls o Intrusion detection systems 241-427-SV-2-2552-COE-PSU 3 Authorization o Restrictions on the actions of authenticated users o Authentication n establishing identity n Binary (either authenticated or not) o Authorization n enforce restrictions on what the authenticated user is allowed to do n Fine grained
  • 2. 2 241-427-SV-2-2552-COE-PSU 4 Multilevel Security Models (MLS) o Security models are descriptive not proscriptive (tell what needs to be protected but not how to provide such protection) o Basic information n Subject (human) : clearances n Object (data) : classifications o US DoD definds 4 levels TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED o Why the model is needed? n Subjects & objectives with different levels use the same system resources o Only review 2 most popular models n Bell-LaPadula, Biba’s model 241-427-SV-2-2552-COE-PSU 5 Bell-LaPadula (BLP) o Named after its inventors o Goal: confidentiality o High water mark principle o Simple Security Condition (No read up) Subject S can read object Oiff L(O) = L(S) n A SECRET researcher can view SECRET or lower classification level document but nothing higher o *-property (No write down) Subject S can write object Oiff L(S) = L(O) n A SECRET researcher can create SECRET or TOP SECRET documents but nothing lower 241-427-SV-2-2552-COE-PSU 6 Biba’s Model o Goal: Integrity o Low water mark principle o Inverse of BLP o No read down Subject S can read object Oiff I(S) = I(O) o No write up Subject S can write object Oiff I(O) = I(S) o If S read O then I(S) = min(I(S),I(O )) o E.g., n General can write order to Colonel à Major n Private cannot write order to Sergeant Lieutenant
  • 3. 3 241-427-SV-2-2552-COE-PSU 7 BLP versus Biba’s model BLP L(O1) L(O) L(O2) Biba I(O1) I(O2) I(O) Low level high level o BLP model concerns confidentiality so the security level is the highest of the two components à if only any part of the object is a secret, the whole object is a secret o Biba’s model concerns integrity so the trust on an object is the lowest of the two components à if only any part of the object is not trustable then the whole object is not trustable 241-427-SV-2-2552-COE-PSU 8 Multilateral Security o Why do we need this? n MLS enforces access control (information flow) “up and down” n Not realistic enough for real situations o E.g., a MLS at a hospital o TOP SECRET diseases such as AIDS, Cancel o SECRET prescription of drugs o CONFIDENTIAL amount of each drugs o UNCLASSIFY list of drugs & associated diseases n What’s wrong with this view? o A SECRET personnel can look at the prescription of drugs and associated diseases to find information of who got what diseases in the TOP SECRET level 241-427-SV-2-2552-COE-PSU 9 Multilateral Security (cont.) o Deal with information flow across security levels o Define SECRITY LEVEL {compartment} o Use need to know principle: subjects are only allowed access to the information that they must know
  • 4. 4 241-427-SV-2-2552-COE-PSU 10 Covert channel o A communication path not intended as such by the system’s designers o E.g., Alice has TOP SECRET clearance. Bob has CONDIFENTIAL clearance. All users share a file space. Alice can send information to Bob by simply create a file. 241-427-SV-2-2552-COE-PSU 11 Covert channel (cont.) o 3 conditions are required n Both Alice and Bob has an access to a shared resource n Alice can change the properties of a shared resource and Bob can observe the change n Alice and Bob can synchronize their communication o Virtually impossible to eliminate all covert channel o Can only reduce covert channel capacity 241-427-SV-2-2552-COE-PSU 12 Inference Control o Preventing specific information to leak from legal usages that are engineered to dig o E.g., consider a database system of university faculty n A guest user is query for average salary of female engineering professors and get $100,000 as a response n The same guest user sends another query for the number of female engineering professors and get 1 as a response n As a result a specific information is leaked via legal actions o E.g., a database of medical records n Study statistical correlation to find the risk factors or the courses of certain diseases n But medical information are private
  • 5. 5 241-427-SV-2-2552-COE-PSU 13 Inference Control (cont.) o Many techniques can be done o E.g., n Query set size control: no response is returned if the size of the set is too small. The female faculty example can be helped this way n Randomization: adding random noise to data, this way information may not be accurate enough to be useful n N-respondent k% dominance rule: data is not released if k% or more of the result is contributed by N or fewer subjects, this technique is applied to information collected by the United States Census Bureau 241-427-SV-2-2552-COE-PSU 14 CAPTCHA Completely Automated Public Turing Computer and Humans Apart 241-427-SV-2-2552-COE-PSU 15 CAPTCHA (cont.) o A test that a human can pass, but a computer can’t pass with a probability better than guessing o It is designed to restrict access to resources to humans n It is easy for human to pass n It must be difficult or impossible for a machines to pass n Even if the machine has access to the CAPTCHA software o Yahoo e -mail used CAPTCHA to prevent spammers from automatically signing up for large numbers of accounts
  • 6. 6 241-427-SV-2-2552-COE-PSU 16 Network basic reviews o A network is composed of hosts and routers n Hosts: servers, computers, PDAs, cell phones n Routers: route data through the network from host to host 241-427-SV-2-2552-COE-PSU 17 Network basic reviews (cont.) o Router must process data up to the network layer in order to know where to route the packet o Application layer: handling the application data that is sent from host to host o Transport layer: deals with logical end-to-end transport of the data e.g., TCP, UDP o Network layer: routes the data through the network 241-427-SV-2-2552-COE-PSU 18 Network basic reviews (cont.) o Protocols n specify communication rules employed by the network n Can be stateless or stateful o Stateless protocols don’t “remember” anything n Can also have serious security issues o Stateful protocols do have some memory n DoS attacks often take advantage of stateful protocols o Protocol stack n Networking protocols residing within layers n Layers are all stacked up n A protocol stack is more of a concept than an actual physical construct
  • 7. 7 241-427-SV-2-2552-COE-PSU 19 Network basic reviews (cont.) o Network layer n Offers unreliable “best effort” delivery of packets n Internet Protocol (IP) n IP must run in every host and router in the network 241-427-SV-2-2552-COE-PSU 20 Network layer o Routers also run routing protocols: determine the best path to use when sending packets o To route packets à every host on the Internet has a 32-bit IP address o Each host can have many processes n To distinguish the process a 16-bit port number is assigned n Port numbers below 1024 are reserved for specific applications o Port 80: HTTP o Port 110: POP3 n Port numbers from 1024 to 65535 are available n IP + port number defines a socket n A socket uniquely identifies a process 241-427-SV-2-2552-COE-PSU 21 Network layer o Routers determine the proper route for a packet using information in the IP header n Source IP address n Destination IP address n TTL (time-to-live): limits the number of “hops” that a packet can travel before it is terminated o Fragmentation n The packet size is limited n Large packets must be split into smaller packets n Reassembling process happen at the destination n Possible DoSattacks o IPv6 n 128-bit addresses n Strong security in the form of IPSec
  • 8. 8 241-427-SV-2-2552-COE-PSU 22 Network basic reviews (cont.) o Transport layer n Since the network layer offers unreliable “best effort” delivery of packets n The network attempts to get packets to their destination, but if a packet fails to arrive (or its data is corrupted or a packet arrives out of order), the network takes no responsibility n Any improved service beyond the network layer must be implemented somewhere above the network layer n Reliable delivery of packets is the primary purpose of the transport layer 241-427-SV-2-2552-COE-PSU 23 Network basic reviews (cont.) o Transport layer (cont.) Hosts could put more packets into the network n Routers include buffers to store extra packets When the buffer is full, the packets are dropped n Data packets can also get corrupted in transit n Routing is a dynamic process so packets can arrive out of order n Two transport layer protocols o Transmission Control Protocol (TCP) o User Datagram Protocol (UDP) 241-427-SV-2-2552-COE-PSU 24 Transmission Control Protocol o Provides for reliable delivery o Connection-oriented: contact the server before sending the data n to be sure that the server is alive the server is listening on the appropriate port o TCP will make sure that n Packets arrive n Packets are sequenced in the correct order n Data has not been corrupted o TCP provides these services by n Including sequence numbers in the packets n Telling the sender to retransmit packets when problems are detected
  • 9. 9 241-427-SV-2-2552-COE-PSU 25 TCP Three-way handshake o SYN: the client requests synchronization with the server o SYN-ACK: the server acknowledges receipt of the SYN request o ACK: the client acknowledges that SYN-ACK; data are also included 241-427-SV-2-2552-COE-PSU 26 TCP o Connections are terminated by FIN (finish) or RST (reset) packet o Possible DoS attacks on TCP three-way handshake n Whenever a SYN packet is received n The server must remember the “half-open” connectionà consumes a server resources n Too many half-open connections can cause the server to be exhausted 241-427-SV-2-2552-COE-PSU 27 User Datagram Protocol o Requires minimal overhead o Provides no assurance o Why does UDP exist? n UDP is more efficient n has a smaller header n Consumes less bandwidth n No restrictions to slow down the sender o Applications n Delay is not tolerable n Acceptable to lose some fraction of the packets n E.g., streaming audio and video n However, reliability must be built in the application layer
10
241-427-SV-2-2552-COE-PSU 28
Firewalls
o Examines requests to access the network
o Decides whether they pass a reasonableness test
n Pass → allow through
n Not pass → refuse
o E.g., requesting a meeting with the dean
n Contact the secretary → the secretary filters the request
o The level of filtering depends on the person
n E.g., the president of the United States of America vs. the dean
[Figure: firewall placed between the Internet and the internal network]
241-427-SV-2-2552-COE-PSU 29
Types of firewalls
o Each type of firewall filters packets by examining the data up to a particular layer of the network protocol stack
o Three types of firewalls
n Packet filter
n Stateful packet filter
n Application proxy
241-427-SV-2-2552-COE-PSU 30
Packet filter firewall
o Examines packets up to the network layer
o Only header information is examined
o Uses access control lists (ACLs)
o Disadvantages
n No concept of state: each packet is treated independently
n Is blind to application data
n E.g., TCP ACK scan attack
11
241-427-SV-2-2552-COE-PSU 31
TCP ACK scan attack
o Sending an ACK packet without the prior two packets of the TCP three-way handshake
o Packet filter has no concept of state → the packet looks valid
o The host realizes there is a problem → sends an RST packet
241-427-SV-2-2552-COE-PSU 32
Stateful packet filter
o Adds state to a packet filter firewall
o Keeps track of TCP connections
o Remembers UDP “connections”
o Operates at the transport layer
o Can prevent many attacks, e.g., the TCP ACK scan
o Disadvantages
n Cannot examine application data
n Slower than a packet filtering firewall
241-427-SV-2-2552-COE-PSU 33
Application proxy
o Proxy acts on your behalf
n Verifies the legitimacy of the packets and that the data inside the packet is safe
o Advantage: has a complete view of connections and the application data
o Disadvantage: slow
o The incoming packet is destroyed and a new packet is created when the data passes through the firewall
n Can prevent Firewalk
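The difference between the packet filter of slide 30 and the stateful packet filter of slide 32 comes down to whether the firewall remembers the handshake. The block below is an added example, not code from the slides or any firewall product: the internal address 192.0.2.10, the single public port 80, the ACL rules and the four-packet trace are all constructed. A header-only ACL has to admit packets with the ACK flag set so that replies to connections opened from inside can return, and that is exactly why a bare ACK that no SYN preceded gets through it; the stateful filter admits only packets whose 4-tuple is already in its connection table, so the same packet is dropped before it ever reaches the host.

```python
"""Added example, not part of the lecture slides: a stateless packet filter
(header-only ACL) next to a stateful packet filter that follows TCP handshakes,
both run over a constructed packet trace that ends with a bare ACK, the
TCP ACK scan the slides describe.  Addresses, ports and rules are constructed."""
from dataclasses import dataclass

INSIDE = {"192.0.2.10"}          # constructed internal host behind the firewall
PUBLIC_PORTS = {80}              # the only service meant to accept new inbound connections


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_allow(p: Packet) -> bool:
    """Packet filter: judges each packet by its own header alone (no memory)."""
    if p.dst not in INSIDE:
        return True                              # outbound traffic is permitted
    if p.dport in PUBLIC_PORTS:
        return True                              # new connections to the public service
    # Replies to connections the inside opened must get back in.  Without state the
    # only header clue is the ACK flag, so any packet with ACK set is let through,
    # including an ACK that was never preceded by SYN / SYN-ACK.
    return "ACK" in p.flags


class StatefulFilter:
    """Stateful packet filter: remembers the handshake and admits only packets
    that belong to a connection in its table."""

    def __init__(self) -> None:
        self.table: dict = {}    # (client, cport, server, sport) -> state

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client direction
        if "SYN" in p.flags and "ACK" not in p.flags:          # new connection attempt
            if p.dst in INSIDE and p.dport not in PUBLIC_PORTS:
                return False
            self.table[fwd] = "SYN_SENT"
            return True
        if rev in self.table:                                   # server's side of the conversation
            if {"SYN", "ACK"} <= p.flags and self.table[rev] == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
            if p.flags & {"FIN", "RST"}:
                del self.table[rev]
            return True
        if fwd in self.table:                                   # client's side of the conversation
            if "ACK" in p.flags and self.table[fwd] == "SYN_RECEIVED":
                self.table[fwd] = "ESTABLISHED"
            if p.flags & {"FIN", "RST"}:
                del self.table[fwd]
            return True
        return False   # no connection known for this 4-tuple: the bare ACK is dropped here


def run_trace() -> tuple:
    """Replay a constructed trace: one legitimate handshake to port 80, then a bare ACK
    to port 22 that no handshake preceded.  Returns (stateless decisions, stateful decisions)."""
    F = frozenset
    trace = [
        Packet("198.51.100.7", 4000, "192.0.2.10", 80, F({"SYN"})),         # client SYN
        Packet("192.0.2.10", 80, "198.51.100.7", 4000, F({"SYN", "ACK"})),  # server SYN-ACK
        Packet("198.51.100.7", 4000, "192.0.2.10", 80, F({"ACK"})),         # client ACK
        Packet("198.51.100.7", 4001, "192.0.2.10", 22, F({"ACK"})),         # bare ACK, no handshake
    ]
    sf = StatefulFilter()
    return [stateless_allow(p) for p in trace], [sf.allow(p) for p in trace]


if __name__ == "__main__":
    stateless, stateful = run_trace()
    print("packet filter:         ", stateless)   # [True, True, True, True]
    print("stateful packet filter:", stateful)    # [True, True, True, False]
```

The cost the slide mentions is visible in the code as well: the stateful filter carries a table that grows with every connection and must be consulted on every packet, which is why it is slower than the ACL, and neither filter looks past the transport header, so neither can judge application data the way the proxy on slide 33 can.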
12
241-427-SV-2-2552-COE-PSU 34
Firewalk
o Set the TTL to be one hop beyond the firewall
o Wait for the ICMP “time exceeded” error message after the packet is terminated
o Internet Control Message Protocol (ICMP)
241-427-SV-2-2552-COE-PSU 35
Personal Firewall
o Protects a single host or a small network
o Any of the three firewall approaches can be used
o Usually simple
241-427-SV-2-2552-COE-PSU 36
Defense in depth
o Good strategy
o Takes time to attack
[Figure: layered network with a DMZ (demilitarized zone), which must be exposed to the outside world]
13
241-427-SV-2-2552-COE-PSU 37
Intrusion detection systems
o To keep bad guys out of your system or network
n Authentication and firewalls are ways to prevent intrusions
n But they might fail
o Purpose of an IDS is to detect attacks before, during, and after they have occurred
o Two methods
n Signature-based IDSs
n Anomaly-based IDSs
o Two basic architectures
n Host-based IDS
n Network-based IDS
241-427-SV-2-2552-COE-PSU 38
Basic architectures
o Host-based intrusion detection system
n Applies the detection method to activities occurring on hosts
n Usually detects attacks such as buffer overflows and escalation of privilege
n Has little or no view of network activities
o Network-based intrusion detection system
n Applies the detection method to network traffic
n Usually detects attacks such as denial of service, network probes, and malformed packets
n May have some overlap with firewalls
n Has little or no direct view of host-based attacks
241-427-SV-2-2552-COE-PSU 39
Signature-Based IDS
o Detects attacks based on known “signatures” or patterns
o Uses statistical analysis and heuristics
o Must keep the false alarm rate to a manageable level
o Advantages
n Simplicity, efficiency, excellent ability to detect known attacks, specific warnings issued
o Disadvantages
n Signature file must be current, large number of signatures, can only detect known attacks
14
241-427-SV-2-2552-COE-PSU 40
Anomaly-Based IDS
o Define a baseline behavior of a system
o Provide a warning whenever the system strays too far from this baseline
o Challenges
n What is “normal”?, normal must be able to adapt with the system, what is “abnormal”?
o Advantage
n A chance of detecting previously unknown attacks
o Disadvantages
n Warnings issued are not specific
n Can’t stand on their own (only used to supplement the performance of signature-based systems)
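The two detection methods of slides 39 and 40 are easiest to compare when they run over the same input. The block below is an added example, not code from the slides or any IDS product: the web-server log lines, the client addresses, the two-entry signature file and the mean-plus-k-spread baseline rule are all constructed. The signature detector reports precisely which known pattern it matched, but only for patterns it has; the anomaly detector learns a per-client request-rate baseline from a quiet window and then flags the client whose behaviour departs from it, catching activity no signature describes while saying nothing about what that activity is.

```python
"""Added example, not part of the lecture slides: a signature-based detector and
an anomaly-based detector run over the same constructed web-server log.  The
signature detector matches known patterns and names exactly what it saw; the
anomaly detector builds a per-client request-rate baseline and flags departures
from it without saying what the departure is.  Every log line is constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline window: ordinary traffic from four clients (fields: time client request status).
BASELINE_LOG = [
    "2009-08-10T10:00:01 198.51.100.7 GET /index.html 200",
    "2009-08-10T10:00:04 198.51.100.8 GET /index.html 200",
    "2009-08-10T10:00:09 203.0.113.5 GET /news.html 200",
    "2009-08-10T10:00:12 198.51.100.7 GET /style.css 200",
    "2009-08-10T10:00:15 203.0.113.9 GET /index.html 200",
    "2009-08-10T10:00:20 203.0.113.5 GET /style.css 200",
    "2009-08-10T10:00:25 198.51.100.8 GET /news.html 200",
    "2009-08-10T10:00:31 198.51.100.7 GET /logo.png 200",
    "2009-08-10T10:00:40 203.0.113.5 GET /logo.png 200",
    "2009-08-10T10:00:44 203.0.113.9 GET /news.html 200",
]

# Constructed detection window: two ordinary clients, one client that suddenly makes
# many requests for pages that do not exist, and one request carrying a known pattern.
TEST_LOG = [
    "2009-08-10T10:01:02 198.51.100.7 GET /index.html 200",
    "2009-08-10T10:01:05 198.51.100.7 GET /news.html 200",
    "2009-08-10T10:01:06 198.51.100.8 GET /index.html 200",
    "2009-08-10T10:01:10 198.51.100.8 GET /style.css 200",
    "2009-08-10T10:01:11 198.51.100.8 GET /logo.png 200",
] + [
    f"2009-08-10T10:01:{13 + i:02d} 203.0.113.77 GET /page{i}.html 404" for i in range(8)
] + [
    "2009-08-10T10:01:30 198.51.100.42 GET /../../etc/passwd 404",
]

# Known-bad patterns (a very small constructed signature file).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sensitive file request": re.compile(r"/etc/passwd"),
}


def client_of(line: str) -> str:
    return line.split()[1]


def signature_alerts(lines) -> list:
    """Return (line index, signature name) for every line that matches a known pattern.
    Each alert says exactly which signature fired: a specific warning."""
    return [(i, name) for i, line in enumerate(lines)
            for name, rx in SIGNATURES.items() if rx.search(line)]


def build_baseline(lines) -> tuple:
    """Model 'normal' as the mean and spread of requests per client in a quiet window."""
    counts = list(Counter(client_of(l) for l in lines).values())
    return mean(counts), pstdev(counts)


def anomaly_alerts(lines, baseline, k: float = 3.0) -> list:
    """Flag clients whose request count exceeds mean + k * spread.  The alert only says
    'this client is far from normal', not what it did: a non-specific warning."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)   # floor on sigma so a very flat baseline still has a band
    counts = Counter(client_of(l) for l in lines)
    return [(client, n) for client, n in counts.items() if n > threshold]


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("signature alerts:", signature_alerts(TEST_LOG))      # [(13, 'path traversal'), (13, 'sensitive file request')]
    print("anomaly alerts:  ", anomaly_alerts(TEST_LOG, base))  # [('203.0.113.77', 8)]
```

Run on the constructed window, each method misses what the other catches: the signature detector says nothing about the client making eight requests a minute for missing pages, and the anomaly detector says nothing about the single traversal request, which is the slide's point that anomaly detection supplements rather than replaces a signature-based system. The baseline also has to be rebuilt as traffic changes, otherwise a legitimate shift in usage becomes a steady stream of false alarms.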