Computer Security

- Textbook
  - Computer Security: Art and Science, Matt Bishop, Addison-Wesley, 2003
- Will follow the book mostly
- Will be supplemented by other material (references and papers)
- Errata URL: http://nob.cs.ucdavis.edu/~bishop/
- Other References
  - Security in Computing, 2nd Edition, Charles P. Pfleeger, Prentice Hall
  - Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, John Wiley & Sons, 2001
  - Building Secure Software: How to Avoid the Security Problems the Right Way, John Viega, Gary McGraw, Addison-Wesley, 2002
- Papers
  - List will be provided as supplemental readings and review assignments

- James Joshi
- 721, IS Building
- Phone: 412-624-9982
- E-mail: jjoshi@mail.sis.pitt.edu
- Web: www2.sis.pitt.edu/~jjoshi/INFSCI2935
- Office Hours:
  - Fridays: 2.00 – 4.00 p.m.
  - By appointment
- GSA: will be announced later
INFSCI 2935: Introduction to Computer Security 7
Course Policies

- Deals with
  - Security of (end) systems
    - Examples: operating system, files in a host, records, databases, accounting information, logs, etc.
  - Security of information in transit over a network
    - Examples: e-commerce transactions, online banking, confidential e-mails, file transfers, record transfers, authorization messages, etc.

“Using encryption on the internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench” – Gene Spafford

[Figure: the components of security: confidentiality, integrity, availability, accountability]

- Physical security
  - Information was primarily on paper
  - Lock and key
  - Safe transmission
- Administrative security
  - Control access to materials
  - Personnel screening
  - Auditing
[Figure: information security features or services, security mechanisms, and attackers/intruders/malfeasors]
Attack Vs Threat

- Prevention
  - To prevent someone from violating a security policy
- Detection
  - To detect activities in violation of a security policy
  - Verify the efficacy of the prevention mechanism
- Recovery
  - Stop policy violations (attacks)
  - Assess and repair damage
  - Ensure availability in presence of an ongoing attack
  - Fix vulnerabilities for preventing future attack
  - Retaliation against the attacker

[Figure: secure, precise and broad security mechanisms]
- Cost-Benefit Analysis
  - Benefits vs. total cost
  - Is it cheaper to prevent or recover?
- Risk Analysis
  - Should we protect something?
  - How much should we protect this thing?
  - Risk depends on the environment and changes with time
- Laws and Customs
  - Are desired security measures illegal?
  - Will people do them?
  - Affects availability and use of technology
Human Issues

- Organizational Problems
  - Power and responsibility
  - Financial benefits
- People problems
  - Outsiders and insiders
    - Which do you think is the real threat?
  - Social engineering

[Figure: threats, human factor, policy, specification, design, implementation, operation & maintenance]
Protection System

- State of a system
  - Current values of
    - memory locations, registers, secondary storage, etc.
    - other system components
- Protection state (P)
  - A system state that is considered secure
- A protection system
  - Describes the conditions under which a system is secure (in a protection state)
  - Consists of two parts:
    - A set of generic rights
    - A set of commands
- State transition
  - Occurs when an operation (command) is carried out
Protection System

Access Matrix (o: own, r: read, w: write):

          f1        f2        f3        f4        f5        f6
  s1                o, r, w   o, r, w             w
  s2      o, r, w   r                             o, r, w
  s3                r         r         o, r, w   r         o, r, w

The same matrix stored by rows (one list per subject):

  s1: (f2, {o, r, w}), (f3, {o, r, w}), (f5, {w})
  s2: (f1, {o, r, w}), (f2, {r}), (f5, {o, r, w})
  s3: (f2, {r}), (f3, {r}), (f4, {o, r, w}), (f5, {r}), (f6, {o, r, w})

and by columns (one list per object):

  f1: (s2, {o, r, w})
  f2: (s1, {o, r, w}), (s2, {r}), (s3, {r})
  f3: (s1, {o, r, w}), (s3, {r})
  f4: (s3, {o, r, w})
  f5: (s1, {w}), (s2, {o, r, w}), (s3, {r})
  f6: (s3, {o, r, w})
Access Control Matrix

Hostnames   Telegraph   Nob                    Toadflax
Telegraph   own         ftp                    ftp
Nob                     ftp, nfs, mail, own    ftp, nfs, mail

  Inc_ctr   +
  Dcr_ctr   -

- Can be represented as an ACM

Solution: Query Set Overlap Control (Dobkin, Jones & Lipton ’79)
- Precondition: s ∉ S
- Primitive command: create subject s
- Postconditions:
  - S′ = S ∪ { s }, O′ = O ∪ { s }
  - (∀y ∈ O′)[a′[s, y] = ∅] (row entries for s)
  - (∀x ∈ S′)[a′[x, s] = ∅] (column entries for s)
  - (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

- Precondition: o ∉ O
- Primitive command: create object o
- Postconditions:
  - S′ = S, O′ = O ∪ { o }
  - (∀x ∈ S′)[a′[x, o] = ∅] (column entries for o)
  - (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

- Precondition: s ∈ S, o ∈ O
- Primitive command: enter r into a[s, o]
- Postconditions:
  - S′ = S, O′ = O
  - a′[s, o] = a[s, o] ∪ { r }
  - (∀x ∈ S′ – { s })(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]

- Precondition: s ∈ S, o ∈ O
- Primitive command: delete r from a[s, o]
- Postconditions:
  - S′ = S, O′ = O
  - a′[s, o] = a[s, o] – { r }
  - (∀x ∈ S′ – { s })(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]

- Precondition: s ∈ S
- Primitive command: destroy subject s
- Postconditions:
  - S′ = S – { s }, O′ = O – { s }
  - (∀y ∈ O′)[a′[s, y] = ∅] (row entries removed)
  - (∀x ∈ S′)[a′[x, s] = ∅] (column entries removed)
  - (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

- Precondition: o ∈ O
- Primitive command: destroy object o
- Postconditions:
  - S′ = S, O′ = O – { o }
  - (∀x ∈ S′)[a′[x, o] = ∅] (column entries removed)
  - (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]
- Mono-operational + mono-conditional:

    Command grant_read_file(p, f, q)
      If own in a[p, f]
      Then
        Enter r into a[q, f]
    End

- Mono-operational + biconditional:

    Command grant_read_file(p, f, q)
      If r in a[p, f] and c in a[p, f]
      Then
        Enter r into a[q, f]
    End
- A simple definition
  - A secure system doesn’t allow violations of a security policy
- Alternative view: based on distribution of rights to the subjects
  - Leakage of rights: (unsafe with res
    - Assume that A, representing a secure state, does not contain a right r in any element of A.
    - A right r is said to be leaked if a sequence of operations/commands adds r to an element of A that did not contain r
- Safety of a system with initial protection state X0
  - Safe with respect to r: the system is safe with respect to r if r can never be leaked
  - Else it is called unsafe with respect to right r.
- Given
  - initial state X0 = (S0, O0, A0)
  - set of primitive commands c
  - r is not in A0[s, o]
- Can we reach a state Xn where
  - ∃ s, o such that An[s, o] includes a right r not in A0[s, o]?
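The following is an added example, not code from the slides or from Bishop's book: it implements the protection state (S, O, a) with the six primitive commands above, the mono-conditional grant_read_file command, and an exhaustive search that answers the safety question for the s1..s3 / f1..f6 matrix shown earlier. The names ProtectionState, slide_matrix, COMMANDS and find_leak are this example's own; the single-letter rights o, r, w follow the slide's legend. The search is exhaustive only because grant_read_file creates no subjects or objects, so the set of reachable states is finite; with create commands in the command set the same loop would not be guaranteed to terminate.

```python
import itertools
from collections import deque


class ProtectionState:
    """Protection state X = (S, O, a): subjects S, objects O (every subject is
    also an object) and the access matrix a: (subject, object) -> set of rights."""

    def __init__(self, subjects, objects, rights):
        self.S = set(subjects)
        self.O = set(objects) | self.S
        self.a = {(x, y): set(rights.get((x, y), ())) for x in self.S for y in self.O}

    def copy(self):
        c = ProtectionState([], [], {})
        c.S, c.O = set(self.S), set(self.O)
        c.a = {k: set(v) for k, v in self.a.items()}
        return c

    def key(self):
        """Hashable snapshot of the matrix, used to detect already-visited states."""
        return frozenset((x, y, frozenset(rs)) for (x, y), rs in self.a.items())

    # ---- the six primitive commands, each asserting the slide's precondition ----
    def create_subject(self, s):
        assert s not in self.S, "precondition: s not in S"
        self.S.add(s)
        self.O.add(s)
        for y in self.O:                       # new row for s, every cell empty
            self.a.setdefault((s, y), set())
        for x in self.S:                       # new column for s, every cell empty
            self.a.setdefault((x, s), set())

    def create_object(self, o):
        assert o not in self.O, "precondition: o not in O"
        self.O.add(o)
        for x in self.S:                       # new column for o
            self.a[(x, o)] = set()

    def enter(self, r, s, o):
        assert s in self.S and o in self.O, "precondition: s in S, o in O"
        self.a[(s, o)].add(r)

    def delete(self, r, s, o):
        assert s in self.S and o in self.O, "precondition: s in S, o in O"
        self.a[(s, o)].discard(r)

    def destroy_subject(self, s):
        assert s in self.S, "precondition: s in S"
        self.S.discard(s)
        self.O.discard(s)
        self.a = {k: v for k, v in self.a.items() if s not in k}   # row and column go

    def destroy_object(self, o):
        # Added guard: a subject's row must go too, so subjects use destroy_subject.
        assert o in self.O and o not in self.S, "precondition: o in O"
        self.O.discard(o)
        self.a = {k: v for k, v in self.a.items() if k[1] != o}    # column goes


def slide_matrix():
    """The s1..s3 / f1..f6 access matrix from the slides (o = own, r = read, w = write)."""
    rights = {
        ("s1", "f2"): "orw", ("s1", "f3"): "orw", ("s1", "f5"): "w",
        ("s2", "f1"): "orw", ("s2", "f2"): "r",   ("s2", "f5"): "orw",
        ("s3", "f2"): "r",   ("s3", "f3"): "r",   ("s3", "f4"): "orw",
        ("s3", "f5"): "r",   ("s3", "f6"): "orw",
    }
    return ProtectionState(["s1", "s2", "s3"], ["f1", "f2", "f3", "f4", "f5", "f6"], rights)


def grant_read_file(state, p, f, q):
    """The slides' mono-operational, mono-conditional command."""
    if "o" in state.a[(p, f)]:        # if own in a[p, f]
        state.enter("r", q, f)        # then enter r into a[q, f]


# (name, function, parameter domains: S = subjects, O = objects)
COMMANDS = [("grant_read_file", grant_read_file, "SOS")]


def find_leak(state, commands, r, s, o):
    """Breadth-first search over the states reachable from `state` with the given
    commands.  Returns the shortest command sequence that puts r into a[s, o], or
    None when no reachable state contains it (the search is exhaustive because
    these commands create nothing, so the state space is finite)."""
    if r in state.a[(s, o)]:
        raise ValueError("r must not be in A0[s, o]")
    seen = {state.key()}
    queue = deque([(state, [])])
    while queue:
        cur, trace = queue.popleft()
        for name, fn, sig in commands:
            domains = [sorted(cur.S) if t == "S" else sorted(cur.O) for t in sig]
            for params in itertools.product(*domains):
                nxt = cur.copy()
                fn(nxt, *params)
                k = nxt.key()
                if k in seen:
                    continue
                seen.add(k)
                step = trace + [(name, *params)]
                if r in nxt.a[(s, o)]:
                    return step
                queue.append((nxt, step))
    return None


if __name__ == "__main__":
    print(find_leak(slide_matrix(), COMMANDS, "r", "s3", "f1"))  # [('grant_read_file', 's2', 'f1', 's3')]
    print(find_leak(slide_matrix(), COMMANDS, "w", "s3", "f1"))  # None
```

Run as a script, the first query reports that s3 can obtain read on f1 in one step (s2 owns f1 and grants it), so the initial state is unsafe with respect to that right in that cell; the second query reports that write on f1 can never be leaked to s3, because the only command in the system ever enters r. Replacing COMMANDS with a richer command set changes the answer, and the search stops terminating as soon as a command can create subjects or objects.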
1. Take rule: x takes (α to y) from z

       x --γ--> z --β--> y    ⊢    x --γ--> z --β--> y,  plus  x --α--> y

Take-Grant Protection Model

2. Grant rule: if g ∈ γ, the grant rule produces another graph with a transitive edge α ⊆ β added.

       z --γ--> x,  z --β--> y    ⊢    z --γ--> x,  z --β--> y,  plus  x --α--> y

   z grants (α to y) to x

4. Remove rule: x removes (α to) y

       x --β--> y    ⊢    x --(β – α)--> y
Take-Grant Protection Model: Sharing

- Given G0, can vertex x obtain α rights over y?
  - Can_share(α, x, y, G0) is true iff
    - G0 ⊢* Gn using the four rules, and
    - there is an α edge from x to y in Gn
- tg-path: v0, …, vn with a t or g edge between any pair of vertices vi, vi+1
  - Vertices are tg-connected if there is a tg-path between them
- Theorem: Any two subjects with a tg-path of length 1 can share rights
[Figure: proof sketches for a tg-path of length 1 between subjects x and z, where z holds β ⊇ α over y. Lemma 3.1 (edge labelled {t}): Can_share(α, x, y, G0) holds with the sequence create, take, grant, take; the created vertex receives a tg edge, a g edge and finally the α edge. Lemma 3.2 (edge labelled {g}). Then a tg-path v0, …, vn whose edges are labelled t*, g, t*: v0 obtains α over vn by Lemma 3.1. Finally x, s and islands I1, I2, …, In leading to y, with α passed along by grant and by take.]
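The following is an added example, not code from the slides or from Bishop's book: a small Take-Grant graph search that decides Can_share(α, x, y, G0) by applying the rules breadth-first and returning the rule sequence it found. It makes three assumptions of its own. Rule 3 (create), which the slides above do not show, is taken to create a new subject over which the creator holds t and g, as in the tg edge of the Lemma 3.1 figure, and the number of created vertices is bounded by max_create so the search terminates. Take and grant always move the whole label β rather than each subset α ⊆ β, which loses nothing because the rules only add edges. The remove rule is skipped since deleting rights never helps x obtain one. The names make_graph, label, add_rights, successors and can_share are this example's own, and created vertices are named new1, new2, … so input vertex names must not start with "new".

```python
from collections import deque


def make_graph(kinds, edges):
    """Graph = (sorted (vertex, 's'|'o') pairs, frozenset of (src, dst, rights))."""
    return (tuple(sorted(kinds.items())),
            frozenset((u, v, frozenset(r)) for (u, v), r in edges.items() if r))


def label(graph, u, v):
    """Rights u holds over v (empty frozenset if there is no edge)."""
    return next((r for a, b, r in graph[1] if (a, b) == (u, v)), frozenset())


def add_rights(graph, u, v, rights):
    """Graph with rights added to the u -> v edge, or None if that changes nothing."""
    kinds, edges = graph
    cur = label(graph, u, v)
    if rights <= cur:
        return None
    edges = {e for e in edges if (e[0], e[1]) != (u, v)} | {(u, v, cur | rights)}
    return (kinds, frozenset(edges))


def successors(graph, max_create):
    """Yield (description, graph') for every applicable take, grant or create step."""
    kinds, edges = graph
    kind = dict(kinds)
    lab = {(u, v): r for u, v, r in edges}
    for (x, z), rxz in lab.items():
        if kind[x] != 's':                     # only subjects take and grant
            continue
        for (src, y), beta in lab.items():
            if src == z and 't' in rxz:        # take rule: x takes (β to y) from z
                g = add_rights(graph, x, y, beta)
                if g:
                    yield (f"{x} takes {''.join(sorted(beta))} to {y} from {z}", g)
            if src == x and 'g' in rxz:        # grant rule: x grants (β to y) to z
                g = add_rights(graph, z, y, beta)
                if g:
                    yield (f"{x} grants {''.join(sorted(beta))} to {y} to {z}", g)
    created = sum(1 for v in kind if v.startswith("new"))
    if created < max_create:                   # create rule (assumed form): a subject
        v = f"new{created + 1}"                # creates a new subject holding t, g over it
        new_kinds = tuple(sorted(kinds + ((v, 's'),)))
        for s in kind:
            if kind[s] == 's':
                yield (f"{s} creates {v} with tg",
                       add_rights((new_kinds, edges), s, v, frozenset("tg")))


def can_share(alpha, x, y, graph, max_create=1):
    """Breadth-first search for a rule sequence after which x holds every right in
    alpha over y.  Returns the (possibly empty) sequence, or None when no sequence
    exists within the creation bound."""
    alpha = frozenset(alpha)
    seen = {graph}
    queue = deque([(graph, [])])
    while queue:
        g, trace = queue.popleft()
        if alpha <= label(g, x, y):
            return trace
        for step, g2 in successors(g, max_create):
            if g2 not in seen:
                seen.add(g2)
                queue.append((g2, trace + [step]))
    return None


if __name__ == "__main__":
    # Constructed instance of the Lemma 3.1 case: z --t--> x, z --{r,w}--> y.
    g0 = make_graph({"x": "s", "z": "s", "y": "o"},
                    {("z", "x"): {"t"}, ("z", "y"): {"r", "w"}})
    for step in can_share({"r"}, "x", "y", g0):
        print(step)          # create, take, grant, take: four steps, as the lemma says
```

On the constructed graph the search finds exactly the four-step create, take, grant, take sequence of Lemma 3.1: x creates new1, z takes tg over new1 from x, z grants its rights over y to new1, and x takes them from new1. With the t edge reversed (x --t--> z) a single take suffices, and if the edge between x and z carries neither t nor g the search exhausts the bounded state space and returns None, which is the "cannot share" answer for that bound.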
What about objects?

Initial, terminal spans

[Figure: x, x′, s, s′ and islands I1, I2, …, In leading to y, joined by α edges; x′ can grant a right to x, s′ can take a right from s.]