Introduction to Cybersecurity - Systems Security: Part 1 - Prof. Dr. Michael Backes (Director, CISPA Center for IT Security, Privacy, and Accountability; Chair for IT-security & Cryptography) - PowerPoint PPT Presentation


  1. Introduction to Cybersecurity - Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA – Center for IT Security, Privacy, and Accountability Chair for IT-security & Cryptography

  2. General Information
  - Correct formatting (Tutorial group 1, Exercise 1): [1][Exercise 1]
  - No additional whitespaces! No <>!
  - New submission mail address to avoid confusion: submissions-cysec16@cs.uni-saarland.de
    - Different prefix than regular mailing list
    - Old submission addresses still work
  - Exercise groups start on Wednesday
  Foundations of Cybersecurity 2016 1

  3. Last Lecture
  - Organizational matters
  - Commercialization of cyber attacks
  - What is cyber security and what has to be protected
    - Hardware, software stack, crypto, network
    - Software exploits, hardware hacks, side-channels, …
  - Intro to cryptography
    - Ancient ciphers: Caesar, substitution cipher, Vigenère cipher, Enigma
    - Cryptanalysis of ancient ciphers

  4. Part I: System Security (comic: http://dilbert.com/strips/comic/2005-09-12/)

  5. The Programmer’s Blues

  6. Heartbleed
  - Serious vulnerability in the popular OpenSSL cryptographic software library
    - Missing bounds check before a memory copy operation that uses non-sanitized user input as the length parameter
    - Not a crypto error, but an implementation error!
  - Allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of OpenSSL
    - Private keys
    - In-memory decrypted packets received via SSL connection
    - Etc.
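A simplified model of the heartbeat handler described on this slide, written here as an added example (it is not OpenSSL's code): the unchecked length read that the vulnerable versions trusted, beside a bounds-checked response builder, run on two constructed records. The message layout follows RFC 6520 (type byte, 2-byte big-endian payload_length, payload, at least 16 bytes of padding); the check that the claimed length fits inside the received record is the one OpenSSL shipped in 1.0.1g.

```c
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): 1 byte type (1 = request,
 * 2 = response), 2 byte big-endian payload_length, payload, then at least
 * 16 bytes of padding. rec_len is the number of bytes actually received. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* The unpatched logic: the copy length is taken straight from the header,
 * i.e. from bytes the peer chose, and never compared with the record size. */
size_t heartbeat_claimed_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened handler: build a response only if the claimed payload fits in
 * the bytes that were received (the check added in OpenSSL 1.0.1g).
 * Returns the response length, or 0 when the record must be dropped. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return 0;                               /* cannot even hold a header */
    size_t payload_len = heartbeat_claimed_len(rec);
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_PADDING_LEN;
    if (resp_len > rec_len || resp_len > out_cap)
        return 0;                               /* claimed > received: drop */
    out[0] = 2;                                 /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* bounded */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);
    return resp_len;
}

/* Constructed records: a benign request carrying "Hello" (5 bytes), and a
 * malicious one with the same bytes but a header claiming 0xFFFF bytes. */
static const unsigned char benign_rec[] = { 0x01, 0x00, 0x05, 'H','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const unsigned char evil_rec[]   = { 0x01, 0xFF, 0xFF, 'H','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

/* Feed a record through the hardened handler and report the response size. */
size_t demo(const unsigned char *rec, size_t rec_len)
{
    unsigned char out[64];
    return heartbeat_response(rec, rec_len, out, sizeof out);
}
```

With the unpatched logic the malicious record would drive a 65535-byte copy out of a 24-byte record; the hardened handler drops it and answers only the benign one.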

  7. How Heartbleed works (comic: http://xkcd.com/1354/)

  8. Chapter “System Security” Overview
  - This lecture: Security Principles & Authentication
  - 2nd lecture: Access Control & Malware
  - 3rd lecture: Hijacking control flows
  (Figure: system layers User, Software, Crypto, OS, Hardware)

  9. Chapter “System Security” Overview
  - Practical security (How to exploit vulnerabilities?)
    - Security principles
    - Basic design of (in-)secure systems
    - Basics of access control, malware
    - How to hijack control in computer systems?
    - How to defend against such control hijacking attacks?
    - Authentication methods
  - Project: Learn about basic control-flow hijacking
  - Some advanced topics are part of follow-up lectures (Security, Security Engineering)

  10. Recommended Literature
  - William Stallings, Lawrie Brown. “Computer Security: Principles and Practice.” ISBN-13: 978-0135137116 (third, international edition)
    - Chapter 1: Overview
    - Chapter 3: Authentication
    - Chapter 4: Access Control
      • Only Sections 4.1-4.5
    - Chapter 6: Malicious Software
    - Chapter 10: Buffer Overflow
    - Chapter 13: Trusted Computing and Multilevel Security
      • Only Sections 13.1 and 13.3
  - David Basin, Patrick Schaller, Michael Schläpfer. “Applied Information Security: A Hands-On Approach.” ISBN: 978-3-642-43632-1
    - Chapter 1: Security Principles
    - Chapter 4: Authentication and Access Control
    - Chapter 6: Web Application Security
  - Jerome Saltzer, Michael Schroeder. “The Protection of Information in Computer Systems.” In Proceedings of the IEEE, volume 63, pages 1278–1308, 1975

  11. Security Principles Prof. Dr. Michael Backes 11.11.2016

  12. General Notions
  - Subject
    - Active entity (e.g., user or a system acting on behalf of a user)
  - Object
    - Passive entity (e.g., data container like files, directories, etc.)
    - General assumption: Access to an object gives access to the object’s data content (information)
      • Information is encoded/represented as various forms of data
  (Figure: a Subject, e.g., a user process, accesses and operates on an Object, e.g., a resource like a file, if authorized)
  - Subject is Authorized: Allowed by security policy to access object

  13. Refresher: Classic Information Security Goals
  - Confidentiality
    - Assure that information is not disclosed to unauthorized principals
  - Integrity
    - Data: Prevent unauthorized modification of programs and information
    - System: Assure that system performs its intended function in an unimpaired manner, free from unauthorized manipulation
  - Availability
    - Guarantee reliable access to information and services by authorized principals
  - Further important goals:
    - Accountability: Trace actions of an entity uniquely back to that entity
    - Authenticity: Property of being genuine and being able to be verified and trusted
    - Privacy, Non-repudiation, Anonymity, Unlinkability
  - Depending on context, not always easy to define precisely
  - Sometimes contradicting and not easy to combine
    - Anonymity vs accountability

  14. 12 Security Principles
  - High level goals
    - Security best practices
    - Applicability depends on concrete context
  - Especially applies to secure software design
    - Emphasizes clean and secure design
  - Often requires trade-offs

  15. VS (images: https://cdn1.coolstuff.com/autogen/preset/aspectThumb/960x720/6305517763ac93f87c1e5babc5d657c7.jpg and http://www.richter-spielgeraete.de/tl_system/content/de/01_Produkte/xx_Piktogramme/3.63390.gif)

  16. Simplicity
  Keep it simple.
  - Applies to any engineering and implementation task
  - The simpler the solution
    - the easier to understand, analyze, and review
    - less likely to contain flaws
  - Negative examples: Monolithic operating systems, browsers, email clients
  (Charts: weighted CVSS score and number of vulnerabilities plotted against lines of code in millions, for Firefox, Chrome, Thunderbird, Bash, OS X / OS X Tiger, Windows XP and the Linux kernel; sources: cvedetails.com, openhub.net)

  17. (image: http://www.surface-generation.com/wp-content/uploads/2015/03/Question-mark-box-620-x-350.jpg)

  18. Open Design
  The security of a system should not depend on the secrecy of its protection mechanisms.
  - Avoid “security by obscurity”
  - In crypto a.k.a. Kerckhoffs’ principle
  - Security should depend on possession of secrets only (passwords, keys, …)
    - Simply not possible to maintain secrecy of a system that should be distributed (e.g., reverse engineering)
  - Intuitive example: Securing a door does not rely on the attacker’s ignorance of how to operate a door, but on possession of the key and the security of the lock mechanism
  - Today’s de-facto crypto mechanisms were all developed with open design
  - Counter examples: DRM mechanisms (e.g. DVD, PlayStation, …), KeeLoq, Windows NT LAN Manager, Mifare Classic (basis for old UdS card)

  19. (image: http://uncrate.com/p/2008/03/oxo-pop-containers.jpg)

  20. Compartmentalization
  Organize resources into isolated groups of similar needs.
  - Groups (or compartments) isolated from each other, with limited communication between compartments over controlled channels
  - Facilitates simplification of design (“divide-and-conquer” approach); attacks or errors contained to the affected compartment; security-sensitive functionality can be placed in a dedicated hardened compartment
  - Compartmentalization at different levels:
    - User space vs kernel space
    - Memory space (between processes; data vs code)
    - Modularization of software
    - µKernel
    - Virtual machines
    - Network zones
  - Problem: Not always possible to completely isolate resources/functionality
    - Tightly control channels between compartments and compartment interfaces
  - Intuitive example: Compartmentalized submarine design
  - Example: µKernel vs monolithic kernel
  (Figure: monolithic design vs. µKernel with compartmentalization, each showing network, user input, user device/display, system and file system components)

  21. (map: https://www.google.de/maps/@48.8547067,2.3438011,17z)

  22. Minimum Exposure
  Minimize the attack surface a system presents to the adversary.
  - Reduce external interfaces to a minimum
    - E.g., network-listening services of a computer system (image: http://www.bryanandrews.org/wp-content/uploads/2001/11/nmap-banner-scan-example.png)
  - Limit the amount of information given away that can help an adversary
    - E.g., error pages of web servers reveal the software versions in use (image: http://articles.slicehost.com/assets/2008/12/5/apache-404-footer.jpg)
  - Minimize the window of opportunity for an adversary to attack
    - E.g., limit the number of failed password attempts before locking the account (image: http://cache.clickonf5.org/wp-content/uploads/2009/12/twitterlocked_thumb.png)

  23. (images: http://melaniejor.typepad.com/.a/6a00e54fd1fc4388340133f2f9498f970b-pi, http://www.keyring.com/images/products/detail/92400_Split_key_ring.jpg, http://thumbs.dreamstime.com/t/blue-house-22708798.jpg, http://cliparts.co/cliparts/qcB/X7G/qcBX7Ga4i.jpg)
