Operating Systems Lecture Notes

30 January 2012 • Security

---

Outline

• The security problem: threat, attack, defend.
• Program, system, and network threats.
• Security tools.
  • User authentication and authorization.
  • Cryptography
• Implementing security.
• Computer-security classifications.

What is Security?

• Security is a game with lots of different rules.
  • Make sure you understand the rules.
• A system is secure if resources are used as intended.
  • The system gets to decide intended resource use.
  • External matters can (usually do) influence the decision.
• Unintended resource use is a security violation.

The Security Game

• The security game has three phases:
  1. The system offers resources containing threats: weaknesses that can violate security.
  2. The intruder attacks by exploiting resource threats.
  3. The system defends by somehow ameliorating threats and attacks.
• But really: the security game is like Calvinball.

Security Threats

• Security threats are weaknesses inherent in the system.
  • These could be by (lack of) design, or by circumstance.
  • Examples: buffer-overflow, or timing threats.
• The set of security threads is not static; it evolves over time.
  • Old threats are handled, new threats are discovered.

Security Attacks

• Data attacks
  • On confidentiality: unintended data reads.
  • On integrity: unintended data writes.
  • On availability: unintended data destruction.
• Service attacks
  • Theft: unintended resource use.
  • Denial: preventing intended resource use.

Security Defenses

• Two main defenses against security attacks are
  1. Reduce security threats (the attack surface).
     • Increase the cost of attacking.
  2. Reduce the value of having attacked.
• Example:
  • Store passwords in indirect databases.
  • Don't store passwords in plain text.

Security Defense Architectures

• Security is not an add-on.
  • It must be designed in from the start.
  • This tends to make security either inflexible or expensive or both.
• Security architectures contentiously vary with requirements, but
  • Simplicity: easy to spot and fix threats.
  • Layering: successful attacks lead to the chance for another attack.

Security Defense Concepts

• Important security defense concepts include:
  • Identity: who or what an agent is.
    • A data entry-clerk, jblow@monmouth.edu
  • Authentication: the veracity of an agent's identity.
    • A password, some biometrics.
  • Authorization: what an authenticated agent can do.
    • Only registrars add seats to a class.

Thinking About Security

• Security is a binary value: a system is either secure or it's not.
  • And almost all systems are (perhaps latently) not secure under their own rules.
  • It does not make sense to say “the system is 80% secure” with respect to security.
• Exploiting “just one threat” is often enough to run wild through the system.

Thinking About Risk

• It's better to think about security risks: the likelihood that an attack causes a certain amount of damage.
  • This is probabilistic thinking.
• Estimate
  • the probability of successful attack P_a, and
  • the amount of damaged caused E_d
• to determine the expected loss P_aE_d.

Risk Example

• Given
  • A one-in-a-million attack (P_a = 10^-6)
  • which, if successful, incurs a million-dollars in damage (E_d = 10⁶)
• has an expected loss of P_aE_d = 10^-610⁶ = 1.
• The quality of the result is directly proportional to the quality of the estimates.

Using Risk

• Expected loss risk estimates can be used to bound defense costs.
  • Spending more than a dollar to defend against a one-in-a-million, million dollar risk may not be wise.
    • This suggests insurance against loss.
• Two defenses suggested by risk analysis are
  • reduce the attack probability, and
  • reduce the cost of a successful attack.

Summary

• Security is a game; make sure you understand the rules.
• Security involves threats, attacks, and defenses.
• Proper security analysis requires probabilistic thinking.

References

• Reflections on Trusting Trust by Ken Thompson in the Communications of the ACM, August, 1984.
• Practical Threat Analysis and Risk Management by Mick Bauer in Linux Journal, January, 2002.

---

This page last modified on 2012 January 30.