Date post: | 16-Dec-2015 |
Category: |
Documents |
Upload: | raymond-marshall |
View: | 218 times |
Download: | 2 times |
EEC 688/788EEC 688/788Secure and Dependable Secure and Dependable ComputingComputing
Lecture 2Lecture 2
Wenbing ZhaoWenbing ZhaoDepartment of Electrical and Computer EngineeringDepartment of Electrical and Computer Engineering
Cleveland State UniversityCleveland State University
[email protected]@ieee.org
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
OutlineOutline Basic terminology Dependability concepts
Attributes Fault, error, and failure Approaches to achieving dependability
Security concepts Attributes Vulnerabilities, threats, attacks, and controls
Computer Security: Art and Science, by Matt Bishop, Addison-Wesley Professional, 2002 http://my.safaribooksonline.com/book/networking/security/0201440997
Security in Computing, 4th Edition By Charles P. Pfleeger, Shari Lawrence Pfleeger http://proquest.safaribooksonline.com/0132390779
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
TerminologyTerminology A system is an entity that interacts with
other entities, i.e., other systems, including hardware, software, humans, and the physical world with its natural phenomena
These other systems are the environment of the given system
The system boundary is the common frontier between the system and its environment
A system may consists of one or more components, such as nodes or processes
System
Environment
System Boundary
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
TerminologyTerminology State: determines the status of the system
A system may be recovered to where it was before a failure if its state was captured and survives the failure
Service delivered by a system: work done that benefits its users User/Client: another system that interacts with the former Function of a system: what the system is intended to do (Functional) Specification: description of the system function Correct service: when the delivered service implements the system
function
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Dependability and its Dependability and its AttributesAttributes Dependability refers to the ability of a distributed system
to provide correct services to its users despite various threats to the system such as undetected software defects, hardware failures, and malicious attacks
A dependable system has the following attributes Availability: a measure of the readiness of the system Reliability: a measure of the system’s capability of providing correct
services continuously for a period of time Integrity: the capability of the system to protect its state from being
compromised due to various threats Maintainability: the capability of the system to evolve after it is deployed Safety: when the system fails, it does not cause catastrophic
consequences
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Quantitative Dependability Quantitative Dependability MeasuresMeasures Availability - a measure of the readiness of the system
It is the probability of being operational at a given instant of time A 0.999999 availability means that the system is not operational
at most one hour in a million hours A system with high availability may in fact fail. However, failure
frequency and recovery time should be small enough to achieve the desired availability
Soft real-time systems such as telephone switching and airline reservation require high availability
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Quantitative Dependability Quantitative Dependability MeasuresMeasures Reliability - a measure of continuous delivery of correct service.
It is the probability of surviving (potentially despite failures) over an interval of time
May also be evaluated as time to failure For example, the reliability requirement might be stated as a
0.999999 availability for a 10-hour mission. In other words, the probability of failure during the mission may be at most 10-6
Hard real-time systems such as flight control and process control demand high reliability, in which a failure could mean loss of life
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Fault, Error, and FailureFault, Error, and Failure The adjudged or hypothesized cause of an error is called a fault An error is a manifestation of a fault in a system, in which the logical
state of an element differs from its intended value A service failure occurs if the error propagates to the service
interface and causes the service delivered by the system to deviate from correct service
The failure of a component causes a permanent or transient fault in the system that contains the component
Service failure of a system causes a permanent or transient external fault for the other system(s) that receive service from the given system
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
FaultFault Faults can arise during all stages in a computer system's
evolution - specification, design, development, manufacturing, assembly, and installation - and throughout its operational life
Most faults that occur before full system deployment are discovered through testing and eliminated
Faults that are not removed can reduce a system's dependability when it is in the field
A fault can be classified by its duration, nature of output, and correlation to other faults (and many other criteria)
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Fault Types - Based on DurationFault Types - Based on Duration
Permanent faults are caused by irreversible device/software failures within a component due to damage, fatigue, or improper manufacturing, or bad design and implementation Permanent software faults are also called Bohrbugs Easier to detect
Transient/intermittent faults are triggered by environmental disturbances or incorrect design Transient software faults are also referred to as Heisenbugs Study shows that Heisenbugs are the majority software faults Harder to detect
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Fault Types - Based on Nature of Fault Types - Based on Nature of OutputOutput
Malicious fault: The fault that causes a unit to behave arbitrarily or malicious. Also referred to as Byzantine fault A sensor sending conflicting outputs to different processors Compromised software system that attempts to cause service
failure Non-malicious faults: the opposite of malicious faults
Faults that are not caused with malicious intention Faults that exhibit themselves consistently to all observers, e.g.,
fail-stop A fail-stop system simply stops executing once it fails
Malicious faults are much harder to detect than non-malicious faults
Wenbing ZhaoWenbing Zhao
Fault Types - Based on Fault Types - Based on CorrelationCorrelation Components fault may be independent of one
another or correlated A fault is said to be independent if it does not
directly or indirectly cause another fault Faults are said to be correlated if they are related.
Faults could be correlated due to physical or electrical coupling of components
Correlated faults are more difficult to detect than independent faults
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Approaches to Achieving Approaches to Achieving DependabilityDependability Fault Avoidance - how to prevent, by construction,
the fault occurrence or introduction Fault Removal - how to minimize, by verification,
the presence of faults Fault Tolerance - how to provide, by redundancy, a
service complying with the specification in spite of faults
Fault Forecasting - how to estimate, by evaluation, the presence, the creation, and the consequence of faults
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Computer Security and its Computer Security and its AttributesAttributes
Computer security is synonymous to the following three attributes: Confidentiality: computer-related assets are accessed only by
authorized parties. Confidentiality is sometimes called secrecy or privacy
Integrity: assets can be modified only by authorized parties or only in authorized ways
Availability: assets are accessible to authorized parties at appropriate times
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
ConfidentialityConfidentiality Confidentiality is the concealment of information
Conceal the content of the information Conceal the very existence of information
The need for keeping information secret arises from the government and the industry Enforce “need to know” principle
Achieve confidentiality: access control mechanisms Cryptography: users without the cryptographic key cannot access
unscrambled information Other access control mechanisms may conceal the mere
existence of data, such as Steganography
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
IntegrityIntegrity Integrity refers to the trustworthiness of information, usually
phrased in terms of preventing improper or unauthorized change Data integrity: the content of the information Origin integrity: the source of the data, i.e., authentication
Integrity mechanisms: Prevention mechanisms:
Blocking any unauthorized attempts to change the data Blocking any attempts to change the data in unauthorized ways
Detection mechanisms: report that the data’s integrity is no longer trustworthy Analyze system events to detect problems Analyze the data itself to see if required or expected constraints still hold
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Working with Confidentiality & Working with Confidentiality & IntegrityIntegrity With confidentiality, the data is either compromised
or it is not With integrity, both the correctness and the
trustworthiness of the data must be considered Origin of the data How well the data was protected before it arrived at the
current machine How well the data is protected on the current machine
Evaluating integrity is often very difficult
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
AvailabilityAvailability Availability refers to the ability to use the information
desired An aspect of reliability Also an aspect of system design: an unavailable system is at
least as bad as no system at all Why availability is relevant to security?
Someone may deliberately arrange to deny access to data or to a service by making it unavailable
Denial of service attacks: attempts to block availability It is very difficulty to detect denial of service attacks
Must determine if the unusual access patterns are attributable to deliberate manipulation of resources or of environment (i.e., an atypical event)
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
AvailabilityAvailability The security community is just beginning to understand what
availability implies and how to ensure it A small, centralized control of access is fundamental to
preserving confidentiality and integrity, but it is not clear that a single access control point can enforce availability
Much of computer security's past success has focused on confidentiality and integrity; full implementation of availability is security's next great challenge
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Relationship of Security Relationship of Security GoalsGoals A secure system must meet all three requirements The challenge is how to find the right balance among
the goals, which often conflict For example, it is easy to preserve a particular object's
confidentiality in a secure system simply by preventing everyone from reading that object
However, this system is not secure, because it does not meet the requirement of availability for proper access
=> There must be a balance between confidentiality and availability
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Relationship of Security Relationship of Security GoalsGoals
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Vulnerabilities, Threats, Attacks, & Vulnerabilities, Threats, Attacks, & ControlsControls
A vulnerability is a weakness in the security system A threat to a computing system is a set of
circumstances that has the potential to cause loss or harm
A human who exploits a vulnerability perpetrates an attack on the system.
How do we address these problems? We use a control as a protective measure A control is an action, device, procedure, or technique that
removes or reduces a vulnerability A threat is blocked by control of a vulnerability
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Threats, Vulnerabilities, and Threats, Vulnerabilities, and ControlsControls
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Type of ThreatsType of Threats An interception means that some unauthorized
party has gained access to an asset In an interruption, an asset of the system becomes
lost, unavailable, or unusable If an unauthorized party not only accesses but
tampers with an asset, the threat is a modification An unauthorized party might create a fabrication of
counterfeit objects on a computing system
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Type of ThreatsType of Threats
04/18/2304/18/23EEC688/788: Secure & Dependable EEC688/788: Secure & Dependable
ComputingComputing Wenbing ZhaoWenbing Zhao
Threats: Threats: Methods, Opportunity, and Methods, Opportunity, and MotiveMotive
A malicious attacker must have three things: Method: the skills, knowledge, tools, and other
things with which to launch an attack Opportunity: the time and access to accomplish
the attack Motive: a reason to want to perform this attack
against this system
04/18/2304/18/23 EEC688: Secure & Dependable ComputingEEC688: Secure & Dependable Computing Wenbing ZhaoWenbing Zhao
Methods of Defense Methods of Defense Harm occurs when a threat is realized against a
vulnerability To protect against harm, we can neutralize the threat,
close the vulnerability, or both The possibility for harm to occur is called risk
04/18/2304/18/23 EEC688: Secure & Dependable ComputingEEC688: Secure & Dependable Computing Wenbing ZhaoWenbing Zhao
Methods of Defense Methods of Defense We can deal with harm in several ways. We can seek
to Prevent it, by blocking the attack or closing the vulnerability Deter it, by making the attack harder, but not impossible Deflect it, by making another target more attractive (or this
one less so) Detect it, either as it happens or some time after the fact Recover from its effects
Intrusion tolerance is also a form of recovery because it enables the system to continue operating correctly despite attacks
04/18/2304/18/23 EEC688: Secure & Dependable ComputingEEC688: Secure & Dependable Computing Wenbing ZhaoWenbing Zhao
Methods of Defense Methods of Defense –– Multiple Multiple ControlsControls
04/18/2304/18/23 EEC688: Secure & Dependable ComputingEEC688: Secure & Dependable Computing Wenbing ZhaoWenbing Zhao
Countermeasures / ControlsCountermeasures / Controls Encryption
Scrambling process Software controls
Internal program controls, OS controls, development controls
Hardware controls hardware or smart card implementations of encryption
Policies and Procedures Example: change password periodically
Physical Controls Example: Locks on doors, guards at entry points