EE515/IS523 Think Like an

AdversaryLecture 2

Security Engineering

Yongdae Kim

Recaphttp://syssec.kaist.ac.kr/courses/ee515

E-mail policy Include [ee515] or [is523] in the subject of your e-

mail

Student Surveyhttp://bit.ly/SiK9M3

News and Research Paper Survey

Every student needs to submit a summary of news or a research paper twice

Submission TBD

Submission date Check class calendar

Topic News and research papers should deal with security issues. Your content should be different from others. Therefore, always

check the current postings. Use twitter, google reader

Length: maximum 1,000 words, Grading: A – F Subject: Title – Author (ID) – #-th

News Survey News must be fresh

published within two weeks from the due dates.

Investigative/data journalism No duplicate! Do not rely on a single source. Read related articles. Use your own language Bibliography should be added. "The register" (http://www.theregister.co.uk/) "Ars Technica" (http://arstechnica.com/) "Bruce Schneier's blog" (http://www.schneier.com/) F-secure web blog (http://www.f-secure.com/weblog/) etc.

Group Projects Each project should have some "research" aspect. Group size

Min 1 Max 5

Important dates Pre-proposal: Sep 17, 9:00 AM. Full Proposal: Sep 24, 9:00 AM. Midterm report: Oct 24, 9:00 PM Final report: Dec 12, 9:00 AM. (NO EXTENSION!!).

Project examples Attack, attack, attack! Analysis Measurement

TSS Body Scanner

6

BMW StealerFirst, the car is entered

nearby RF jammers that block the lock signalbreaking a window

exploiting a gap in the car's internal ultrasonic sensor system to avoid tripping the alarm.

Connect a device to the car's OBD-II connectorAccess to the cars’ unique key fob digital ID, program a blank key fob to work with the car

http://www.youtube.com/watch?v=DshK4ZXPU9o

Authentication Failure

Security EngineeringBuilding a systems to remain dependable in

the face of malice, error or mischance

System ServiceAttack

Deny Service, Degrade QoS,

Misuse

SecurityPrevent Attacks

Communication Send message Eavesdrop Encryption

Web server Serving web page DoS CDN?

Computer ;-) Botnet Destroy

SMS Send SMSShutdown Cellular

NetworkRate Control,

Channel separation

Pacemaker Heartbeat ControlRemote programming

and eavesdroppingDistance bounding?

Nike+iPod Music + Pedometer Tracking Don’t use it?

Recommendation system

Collaborative filtering

Control rating using Ballot stuffing

?

A FrameworkPolicy: what you are

supposed to achieveMechanism: ciphers,

access control,hardware tamperresistance

Assurance: the amount of reliance you can put on each mechanism

Incentive: to secure or to attack

PolicyPolicy IncentivesIncentives

MechanismMechanism AssuranceAssurance

Design HierarchyWhat are we trying

to do?

How?

With what?

PolicyPolicy

ProtocolsProtocols

Hardware, crypto, ...Hardware, crypto, ...

Security vs DependabilityDependability = reliability + security Reliability and security are often strongly

correlated in practice

But malice is different from error!Reliability: “Bob will be able to read this file”Security: “The Chinese Government won’t be able

to read this file”

Proving a negative can be much harder …

Methodology 101 Sometimes you do a top-down development. In that

case you need to get the security spec right in the early stages of the project

More often it’s iterative. Then the problem is that the security requirements get detached

In the safety-critical systems world there are methodologies for maintaining the safety case

In security engineering, the big problem is often maintaining the security requirements, especially as the system – and the environment – evolve

TerminologiesA system can be:

a product or component (PC, smartcard,…)some products plus O/S, comms and

infrastructure the above plus applications the above plus internal staff the above plus customers / external users

Common failing: policy drawn too narrowly

Terminologies A subject is a physical person

A person can also be a legal person (firm)

A principal can be a person equipment (PC, smartcard) a role (the officer of the watch) a complex role (Alice or Bob, Bob deputising for Alice)

The level of precision is variable – sometimes you need to distinguish ‘Bob’s smartcard representing Bob who’s standing in for Alice’ from ‘Bob using Alice’s card in her absence’. Sometimes you don’t

TerminologiesSecrecy is a technical term – mechanisms

limiting the number of principals who can access information

Privacy means control of your own secrets

Confidentiality is an obligation to protect someone else’s secrets

Thus your medical privacy is protected by your doctors’ obligation of confidentiality

TerminologiesAnonymity is about restricting access to

metadata. It has various flavors, from not being able to identify subjects to not being able to link their actions

An object’s integrity lies in its not having been altered since the last authorized modification

Authenticity has two common meanings – an object has integrity plus freshnessyou’re speaking to the right principal

Terminologies A security policy is a succinct statement of

protection goals – typically less than a page of normal language

A protection profile is a detailed statement of protection goals – typically dozens of pages of semi-formal language

A security target is a detailed statement of protection goals applied to a particular system – and may be hundreds of pages of specification for both functionality and testing

Threat ModelWhat property do we want to ensure against

what adversary?

Who is the adversary?What is his goal?What are his resources?

e.g. Computational, Physical, Monetary…

What is his motive?What attacks are out of scope?

Terminologies Attack: attempt to breach system security (DDoS)

Threat: a scenario that can harm a system (System unavailable)

Vulnerability: the “hole” that allows an attack to succeed (TCP)

Security goal: “claimed” objective; failure implies insecurity

Goals: ConfidentialityConfidentiality of information means that it is

accessible only by authorized entities

Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of:

Memory, processing, files, packets, devices, fields, programs, instructions, strings...

Goals: IntegrityIntegrity means that information can only be

modified by authorized entities

e.g. Contents, Existence, Availability, Origin, Destination, Ownership, Timing, etc… of:

Memory, processing, files, packets, devices, fields, programs, instructions, strings...

Goals: AvailabilityAvailability means that authorized entities

can access a system or service.

A failure of availability is often called Denial of Service:Packet droppingAccount freezing JammingQueue filling

Goals: AccountabilityEvery action can be traced to “the

responsible party.”

Example attacks:Microsoft certGuest accountStepping stones

Goals: DependabilityA system can be relied on to correctly deliver

serviceDependability failures:

Therac-25: a radiation therapy machine whose patients were given massive overdoses (100

times) of radiation bad software design and development practices:

impossible to test it in a clean automated way

Ariane 5: expendable launch system the rocket self-destructing 37 seconds after launch

because of a malfunction in the control software A data conversion from 64-bit floating point value to 16-

bit signed integer value

Interacting GoalsFailures of one kind can lead to failures of

another, e.g.: Integrity failure can cause Confidentiality failureAvailability failure can cause integrity,

confidentiality failureEtc…

In a Nutshell Security by Obscurity is not secure! Conservative modeling for adversary State-sponsored, Hacktivists, Hacker+Criminals,

Researchers ;-) Care for the weakest link. Plan for unknown attacks. Check for environmental changes All stages are important Attacker modeling, design, implementation,

deployment, operation Check News! Cyber Warfare?

Security & RiskWe only have finite resources for security…

If we only have $20K, which should we buy?

Product A

Prevents Attacks: U,W,Y,Z

Cost $10K

Product B

Prevents Attacks: V,X

Cost $20K

RiskThe risk due to a set of attacks is the

expected (or average) cost per unit of time.One measure of risk is Annualized Loss

Expectancy, or ALE:

Σattack A

( pA × LA )

Annualized attack incidence

Cost per attack

ALE of attack A

Risk ReductionA defense mechanism may reduce the risk of

a set of attacks by reducing LA or pA. This is the gross risk reduction (GRR):

The mechanism also has a cost. The net risk reduction (NRR) is GRR – cost.

Σattack A

(pA × LA – p’A×L’A)

Basic Cryptography

Yongdae Kim

The main players

Alice Bob

EveYves?

Attacks

Source Destination

Normal Flow

Source Destination

Interruption: Availability

Source Destination

Interception: Confidentiality

Source Destination

Modification: Integrity

Source Destination

Fabrication: Authenticity

Taxonomy of AttacksPassive attacks

EavesdroppingTraffic analysis

Active attacksMasqueradeReplayModification of message contentDenial of service

Big pictureTrusted third party

(e.g. arbiter, distributorof secret information)

SecretInformation

Message

SecretInformation

Message

Alice Bob

InformationChannel

Eve

Terminology for Encryption

A denotes a finite set called the alphabet M denotes a set called the message space

M consists of strings of symbols from an alphabetAn element of M is called a plaintext

C denotes a set called the ciphertext spaceC consists of strings of symbols from an alphabetAn element of C is called a ciphertext

K denotes a set called the key space An element of K is called a key

Ee is an encryption function where e K

Dd called a decryption function where d K

Encryption

Why do we use key?Or why not use just a shared encryption function?

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

c insecure channel

Alice Bob

Adversary

m m

SKE with Secure channel

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

c Insecure channel

Alice Bob

Adversary

Key source

e

m m

d Secure channel

PKE with insecure channel

Plaintext source

EncryptionEe(m) = c

destination

DecryptionDd(c) = m

cInsecure channel

Alice Bob

PassiveAdversary

Key source

d

m m

e Insecure channel

Public key should be authentic!

ee

ee

EEee(m)(m)

ee’’

EEee’’(m)(m)EEee(m)(m)

Need to authenticate public keys

Digital SignaturesPrimitive in authentication and non-

repudiation

Signature Process of transforming the message and some

secret information into a tag

NomenclatureM is set of messagesS is set of signaturesSA: M ! S for A, kept private

VA is verification transformation from M to S for A, publicly known

Key Establishment, Management

Key establishmentProcess to whereby a shared secret key becomes

available to two or more partiesSubdivided into key agreement and key transport.

Key managementThe set of processes and mechanisms which

support key establishment The maintenance of ongoing keying relationships

between parties

Symmetric vs. Public keyPros Cons

SKE High data throughput Relatively short key size

The key must remain secret at both ends

O(n2) keys to be managed Relatively short lifetime of

the key

PKE

O(n) keys Only the private key

must be kept secret longer key life time digital signature

Low data throughput Much larger key sizes

Symmetric key EncryptionSymmetric key encryption

if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e

Usually e = d

Block cipherbreaks up the plaintext messages to be

transmitted into blocks of a fixed length, and encrypts one block at a time

Stream cipherencrypt individual characters of plaintext

message one at a time, using encryption transformation which varies with time

Hash function and MAC A hash function is a function h

compression ease of computation Properties

one-way: for a given y, find x’ such that h(x’) = y collision resistance: find x and x’ such that h(x) = h(x’)

Examples: SHA-1, MD-5

MAC (message authentication codes) both authentication and integrity MAC is a family of functions hk

ease of computation (if k is known !!) compression, x is of arbitrary length, hk(x) has fixed length computation resistance

Example: HMAC