Week 8 - Monday
CS363
Last time
  • What did we talk about last time?
  • Access control
  • Authentication
Security Presentation

Andrew Sandridge

Pass Algorithms
  • Some systems have a special function f a user (or user's system) must know
  • Thus, the system will give the user a prompt, and the user must respond
  • Perhaps the system would issue a random value to the user, who must then encrypt it with his secret key and send it back to the system
  • Perhaps it's just some other way of processing the data
  • Monkey Island 2: LeChuck's Revenge hand puzzle
One-Time Passwords
  • A one-time password is invalidated as soon as it is used
  • Thus, an attacker stealing the password can do limited damage
    • He can only log in once
    • He has to act quickly before the legitimate user logs in first
  • How do you generate all these passwords?
  • How do you synchronize the user and the system?
One-time password implementations
  • RSA SecurID tokens change the password every 30 or 60 seconds
  • The user must be synchronized with the system within a few seconds to keep this practical
  • Using a secure hash function h, we start with a seed value k, then
    • h(k) = k_1, h(k_1) = k_2, …, h(k_{n-1}) = k_n
  • Then the passwords are the chain values in reverse order
    • p_1 = k_n, p_2 = k_{n-1}, …, p_{n-1} = k_2, p_n = k_1
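Added example (not from the slides): the hash chain above as a working one-time password scheme, with SHA-256 standing in for the unnamed secure hash. The server stores only h(p_1) = h(k_n), so the passwords run p_1 = k_n, p_2 = k_{n-1}, … exactly as listed, and a small look-ahead window answers the synchronization question by letting the server catch up when the user skips a few passwords.

```python
import hashlib


def h(x: bytes) -> bytes:
    """The secure hash function of the slide (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [k_1, ..., k_n] with k_1 = h(seed) and k_i = h(k_{i-1}); the user keeps this list."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain


def passwords(chain: list) -> list:
    """Passwords are the chain in reverse: p_1 = k_n, p_2 = k_{n-1}, ..., p_n = k_1."""
    return chain[::-1]


class OtpServer:
    """Holds only a verifier: the hash of the next password it expects, never a password itself."""

    def __init__(self, first_password: bytes, window: int = 3):
        self.verifier = h(first_password)   # h(k_n) for the first login
        self.window = window                # 1 = exact match only; 3 tolerates two skipped passwords

    def login(self, candidate: bytes) -> bool:
        # A valid password j steps ahead of the expected one hashes to the verifier after j+1 rounds.
        v = candidate
        for _ in range(self.window):
            v = h(v)
            if v == self.verifier:
                self.verifier = candidate   # move down the chain; the used password is now dead
                return True
        return False                        # wrong password, replay of a used one, or too far ahead
```

A stolen password is useless once the legitimate user has logged in with it or with any later one, because the chain cannot be walked backwards without inverting h.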
Biometrics
  • Biometrics means identifying humans by their physical and biological characteristics
  • This technology is often seen in spy and science fiction movies
    • It does exist, but it is far from perfect
  • Like passwords, the actual biometric scans are usually not stored
    • Instead specific features are stored for later comparison
  • Biometrics pose unique privacy concerns because the information collected can reveal health conditions
Fingerprints
  • Historically, fingerprints are one of the most heavily used forms of biometric identification
    • Especially useful for solving crimes
    • Even identical twins have different fingerprints
    • Fun fact: Koalas have fingerprints so similar to human beings that even experts are fooled
  • Optical scanners are available
  • Cheap, capacitive scanners are now even available on many laptops
  • The image of the fingerprint is usually not stored
  • Instead, specific, differentiable features are recorded
Voice recognition
  • Voice recognition systems must be trained on your voice
  • They can be defeated with recording devices
  • If you have a cold, it throws off the characteristics of your voice
  • As a consequence, they are particularly susceptible to both false positives and false negatives
Eye recognition
  • As the technology matures and hardware becomes cheaper, eye recognition is becoming more common
  • Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye)
    • For simplicity, the image is converted to grayscale for comparison
    • Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses!
  • Retina scans exist but are unpopular
    • The retina is the tissue lining the inside of your eye and requires pupil dilation to get an accurate picture, blinding you for several minutes
  • There are even systems for recognizing the patterns of discolorations on the whites of your eyes!
Face recognition
  • The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive
    • Although they can be nearly the same for identical twins
  • Computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc.
  • Participants must have a neutral facial expression or results can be thrown off
  • The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country
    • Their database has over 75 million photographs
Other biometrics
  • Hand geometry readers measure the shape of your hand
  • Keystroke dynamics are the patterns that you use when typing
    • Users are quite distinctive, but distractions and injuries can vary patterns a lot
  • Combinations of different biometrics are sometimes used
  • DNA sequencing is not (yet) fast enough to be used for authentication
  • Researchers are always coming up with new biometrics to use
Problems with biometrics
  • People assume that they are more secure than they are
  • Attacks:
    • Fingerprints can be lifted off a champagne glass
    • Voices can be recorded
    • Iris recognition can be faked with special contact lenses
  • Both false positives and false negatives are possible
  • It is possible to tamper with transmission from the biometric reader
  • Biometric characteristics can change
  • Identical twins sometimes pose a problem
What is trust?
  • To trust a program, we are looking for 4 things:
    • Functional correctness
      • The program does what it should
    • Enforcement of integrity
      • The program’s data is still correct even if given bad or unauthorized commands
    • Limited privilege
      • If the program accesses secure data, it only accesses what it needs, and it doesn’t leak rights or data to untrusted parties
    • Appropriate confidence level
      • The program has been examined carefully and given trust appropriate for its job
Security policies
  • A security policy is a statement of the security we expect a system to enforce
  • A mechanism is a tool or protocol to enforce the policy
    • It is possible to have good policies but bad mechanisms or vice versa
  • A trusted system has:
    • Enforcement of a security policy
    • Sufficiency of measures and mechanisms
    • Evaluation
Bell-LaPadula overview
  • Confidentiality access control system
  • Military-style classifications
  • Uses a linear clearance hierarchy
  • All information is on a need-to-know basis
  • It uses clearance (or sensitivity) levels as well as project-specific compartments
Security clearances
  • Both subjects (users) and objects (files) have security clearances
  • Below are the clearances arranged in a hierarchy
Simple security condition
  • Let level_O be the clearance level of object O
  • Let level_S be the clearance level of subject S
  • The simple security condition states that S can read O if and only if level_O ≤ level_S and S has discretionary read access to O
  • In short, you can only read down
  • Example?
  • In a few slides, we will expand the simple security condition to make the concept of level
*-property
  • The *-property states that S can write O if and only if level_S ≤ level_O and S has discretionary write access to O
  • In short, you can only write up
  • Example?
Basic security theorem
  • Assume your system starts in a secure initial state
  • Let T be all the possible state transformations
  • If every element in T preserves the simple security condition and the *-property, every reachable state is secure
  • This is sort of a stupid theorem, because we define “secure” to mean a system that preserves the security condition and the *-property
Adding compartments
  • We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States
  • The possible sets of compartments are:
    • {NUC}
    • {EUR}
    • {US}
    • {NUC, EUR}
    • {NUC, US}
    • {EUR, US}
    • {NUC, EUR, US}
  • Put a clearance level with a compartment set and you get a security level
  • The literature does not always agree on terminology
Romaine lattice
  • The subset relationship induces a lattice
Updated properties
  • Let L be a clearance level and C be a set of categories (compartments)
  • Instead of talking about level_O ≤ level_S, we say that security level (L, C) dominates security level (L', C') if and only if L' ≤ L and C' ⊆ C
  • Simple security now requires (L_S, C_S) to dominate (L_O, C_O) and S to have discretionary read access
  • The *-property now requires (L_O, C_O) to dominate (L_S, C_S) and S to have discretionary write access
  • Problems?
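Added example (not from the slides): the dominance relation with compartments, the two properties built on it, and the lattice's join and meet. The four-level clearance hierarchy is an assumption, since the slide's diagram is not reproduced on this page; the compartments are the slide's NUC, EUR and US.

```python
from itertools import combinations

# Assumed linear clearance hierarchy, lowest first (the slide's diagram is not reproduced here)
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
# Compartments named on the slides
COMPARTMENTS = ("NUC", "EUR", "US")


def dominates(a, b):
    """(L, C) dominates (L', C') iff L' <= L in the hierarchy and C' is a subset of C."""
    (l, c), (l2, c2) = a, b
    return LEVELS.index(l2) <= LEVELS.index(l) and frozenset(c2) <= frozenset(c)


def can_read(subject, obj, dac_read):
    """Simple security condition: (L_S, C_S) dominates (L_O, C_O) and S has DAC read access."""
    return dac_read and dominates(subject, obj)


def can_write(subject, obj, dac_write):
    """*-property: (L_O, C_O) dominates (L_S, C_S) and S has DAC write access."""
    return dac_write and dominates(obj, subject)


def lub(a, b):
    """Least upper bound (join): the higher level with the union of the compartment sets."""
    (l, c), (l2, c2) = a, b
    return (max(l, l2, key=LEVELS.index), frozenset(c) | frozenset(c2))


def glb(a, b):
    """Greatest lower bound (meet): the lower level with the intersection of the compartment sets."""
    (l, c), (l2, c2) = a, b
    return (min(l, l2, key=LEVELS.index), frozenset(c) & frozenset(c2))


def incomparable(a, b):
    """True when neither level dominates the other, e.g. Secret/{NUC} versus Secret/{EUR}."""
    return not dominates(a, b) and not dominates(b, a)


def security_levels():
    """Every (level, compartment set) pair: 4 levels x 8 subsets (the slide lists the 7 non-empty ones)."""
    subsets = [frozenset(s) for r in range(len(COMPARTMENTS) + 1)
               for s in combinations(COMPARTMENTS, r)]
    return [(l, c) for l in LEVELS for c in subsets]
```

Note that a Secret/{NUC, EUR} subject can write to a Top Secret/{NUC, EUR, US} file it is not allowed to read, which is the classic "write up" oddity behind the slide's "Problems?".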
Clark-Wilson model
  • Commercial model that focuses on transactions
  • Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after
  • If conditions hold in both cases, we call the system consistent
  • Example:
    • D is the amount of money deposited today
    • W is the amount of money withdrawn today
    • YB is the amount of money in accounts at the end of business yesterday
    • TB is the amount of money currently in all accounts
    • Thus,

D + YB – W = TB

Clark-Wilson definitions
  • Data that have to follow integrity controls are called constrained data items or CDIs
  • The rest of the data items are unconstrained data items or UDIs
  • Integrity constraints (like the bank transaction rule) constrain the values of the CDIs
  • Two kinds of procedures:
    • Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints
    • Transformation procedures (TPs) change the data in the system from one valid state to another
Clark-Wilson rules
  • Clark-Wilson has a system of 9 rules designed to protect the integrity of the system
  • There are five certification rules that test to see if the system is in a valid state
  • There are four enforcement rules that give requirements for the system
Certification Rules 1 and 2
  • CR1: When any IVP is run, it must ensure that all CDIs are in a valid state
  • CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state
    • By inference, a TP is only certified to work on a particular set of CDIs
Enforcement Rules 1 and 2
  • ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI
  • ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user.
    • Thus, a user is only allowed to use certain TPs on certain CDIs
Certification Rule 3 and Enforcement Rule 3
  • CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty
  • ER3: The system must authenticate each user attempting to execute a TP
    • In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs
Certification Rules 4 and 5
  • CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI
    • Logging operations
  • CR5: Any TP that takes input as a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI
    • Gives a rule for bringing new information into the integrity system
Enforcement Rule 4
  • ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity.
    • Separation of duties
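Added example (not from the slides): the bank from the Clark-Wilson example, with the definitions and the nine rules mapped onto a small enforcement kernel. The IVP is the slide's D + YB – W = TB, the deposit TP is the only certified procedure, the starting balances and the user names are constructed, and ER3 (authentication) is assumed to have happened before `run` is called.

```python
import copy


class IntegrityError(Exception):
    """Raised when an operation would break one of the model's rules."""


class ClarkWilsonBank:
    def __init__(self):
        # Constructed sample state: YB, D, W, TB are the slide's CDIs; LOG is the append-only CDI of CR4
        self.cdis = {"YB": 1000, "D": 0, "W": 0, "TB": 1000, "LOG": []}
        self.tps = {}         # TP name -> (function, CDIs it is certified for)   (CR2, ER1)
        self.certifier = {}   # TP name -> user who certified it                   (ER4)
        self.allowed = set()  # (user, TP) associations                            (ER2)

    def ivp(self):
        """CR1: the integrity constraint from the slide, D + YB - W = TB."""
        c = self.cdis
        return c["D"] + c["YB"] - c["W"] == c["TB"]

    def certify(self, certifier, name, fn, cdi_names):
        self.tps[name] = (fn, frozenset(cdi_names))
        self.certifier[name] = certifier

    def associate(self, certifier, user, tp):
        # ER4: only the TP's certifier edits its associations, and the certifier may never run it
        if self.certifier.get(tp) != certifier or user == certifier:
            raise IntegrityError("separation of duty violated")
        self.allowed.add((user, tp))

    def run(self, user, tp, udi):
        # ER3 is assumed to have happened already: `user` is an authenticated identity
        if (user, tp) not in self.allowed:                       # ER2
            raise IntegrityError(f"{user} is not associated with {tp}")
        fn, cdi_names = self.tps[tp]
        view = {k: self.cdis[k] for k in cdi_names}             # ER1: TP touches only its CDIs
        before = copy.deepcopy(view)
        fn(view, udi)                                            # CR5: the TP validates its UDI
        self.cdis.update(view)
        if not self.ivp():                                       # CR2: must land in a valid state
            self.cdis.update(before)
            raise IntegrityError("invariant broken; change rolled back")
        self.cdis["LOG"].append((user, tp, udi))                 # CR4: append-only record
        return self.cdis["TB"]


def deposit(view, udi):
    """TP for deposits: the UDI is raw text and becomes a CDI only if it is a positive whole amount."""
    if not (isinstance(udi, str) and udi.isdigit() and int(udi) > 0):
        raise IntegrityError("UDI rejected")
    view["D"] += int(udi)
    view["TB"] += int(udi)
```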
Clark-Wilson summary
  • Designed close to real commercial situations
    • No rigid multilevel scheme
    • Enforces separation of duty
  • Certification and enforcement are separated
  • Enforcement in a system depends simply on following given rules
  • Certification of a system is difficult to determine
Next time…
  • Chinese Wall and Biba models
  • Theoretical limitations (HRU result)
  • Trusted system design elements
  • Yuki Gage presents
  • Read Sections 5.1 – 5.3
  • Keep working on Project 2