Operating Systems Lecture Notes
30 January 2012 • Security
Outline
The security problem: threat, attack, defend.
Program, system, and network threats.
Security tools.
User authentication and authorization.
Cryptography.
Implementing security.
Computer-security classifications.
What is Security?
Security is a game with lots of different rules.
Make sure you understand the rules.
A system is secure if resources are used as intended.
The system gets to decide intended resource use.
External matters can (usually do) influence the decision.
Unintended resource use is a security violation.
The Security Game
The security game has three phases:
The system offers resources containing threats: weaknesses that can violate security.
The intruder attacks by exploiting resource threats.
The system defends by somehow ameliorating threats and attacks.
But really: the security game is like Calvinball.
Security Threats
Security threats are weaknesses inherent in the system.
These could be by (lack of) design, or by circumstance.
Examples: buffer-overflow, or timing threats.
The set of security threats is not static; it evolves over time.
Old threats are handled, new threats are discovered.
Security Attacks
Data attacks
On confidentiality: unintended data reads.
On integrity: unintended data writes.
On availability: unintended data destruction.
Service attacks
Theft: unintended resource use.
Denial: preventing intended resource use.
Security Defenses
Two main defenses against security attacks are
Reduce security threats (the attack surface).
Increase the cost of attacking.
Reduce the value of having attacked.
Example:
Store passwords in indirect databases.
Don't store passwords in plain text.
Security Defense Architectures
Security is not an add-on.
It must be designed in from the start.
This tends to make security either inflexible or expensive or both.
Security architectures contentiously vary with requirements, but
Simplicity: easy to spot and fix threats.
Layering: a successful attack earns the attacker only the chance to attempt another one.
Security Defense Concepts
Important security defense concepts include:
Identity: who or what an agent is.
A data entry-clerk, jblow@monmouth.edu.
Authentication: the veracity of an agent's identity.
A password, some biometrics.
Authorization: what an authenticated agent can do.
Only registrars add seats to a class.
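As an added example that is not part of the lecture notes, the Python below ties identity, authentication and authorization together and also puts the earlier defense advice into practice: passwords are never stored in plain text, only salted PBKDF2 hashes, so a stolen credential table is worth far less to an attacker. The user names, passwords, roles and the permission table are constructed sample data, and `register`, `authenticate`, `authorize` and `add_seat` are hypothetical helper names chosen for this illustration.

```python
"""Identity, authentication and authorization over a credential store that
keeps salted hashes instead of plain-text passwords (added example; all
identities, passwords and roles are constructed sample data)."""
import hashlib
import hmac
import os

# Hypothetical credential store: identity -> (salt, hash, role).
_STORE = {}

ITERATIONS = 100_000  # PBKDF2 work factor: raises the cost of guessing


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (32 bytes for SHA-256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(identity: str, password: str, role: str) -> None:
    """Identity: create an agent with a fresh random salt and its hashed secret."""
    salt = os.urandom(16)
    _STORE[identity] = (salt, _derive(password, salt), role)


def authenticate(identity: str, password: str) -> bool:
    """Authentication: verify the claimed identity.  Unknown identities still
    run the hash against a dummy entry so response time does not reveal
    whether an identity exists; the comparison is constant-time."""
    salt, stored, _ = _STORE.get(identity, (b"\x00" * 16, b"\x00" * 32, None))
    candidate = _derive(password, salt)
    return identity in _STORE and hmac.compare_digest(candidate, stored)


# Authorization policy (constructed): which roles may perform which action.
PERMISSIONS = {
    "add_seat": {"registrar"},
    "view_roster": {"registrar", "instructor"},
}


def authorize(identity: str, action: str) -> bool:
    """Authorization: an agent may perform an action only if its role allows it."""
    entry = _STORE.get(identity)
    return entry is not None and entry[2] in PERMISSIONS.get(action, set())


def add_seat(identity: str, password: str, course: str) -> str:
    """The full chain: identify, authenticate, authorize, then act."""
    if not authenticate(identity, password):
        return "authentication failed"
    if not authorize(identity, "add_seat"):
        return "not authorized"
    return f"seat added to {course}"


# Constructed sample accounts.
register("registrar@example.edu", "correct horse battery", "registrar")
register("clerk@example.edu", "clerk-password", "clerk")

if __name__ == "__main__":
    print(add_seat("registrar@example.edu", "correct horse battery", "CS 438"))
    print(add_seat("clerk@example.edu", "clerk-password", "CS 438"))
    print(add_seat("registrar@example.edu", "wrong", "CS 438"))
```

Two design points worth noticing: the store holds no secret that can be read back (only a salt and a hash), which is the "reduce the value of having attacked" defense, and the iteration count is the "increase the cost of attacking" defense, since each guess against a stolen hash costs the attacker the same work it costs the verifier.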
Thinking About Security
Security is a binary value: a system is either secure or it's not.
And almost all systems are (perhaps latently) not secure under their own rules.
It does not make sense to say “the system is 80% secure” with respect to security.
Exploiting “just one threat” is often enough to run wild through the system.
Thinking About Risk
It's better to think about security risks: the likelihood that an attack causes a certain amount of damage.
This is probabilistic thinking.
Estimate the probability of successful attack $P_a$, and the amount of damage caused $E_d$, to determine the expected loss $P_a E_d$.
Risk Example
Given a one-in-a-million attack ($P_a = 10^{-6}$) which, if successful, incurs a million dollars in damage ($E_d = 10^{6}$), the expected loss is
$P_a E_d = 10^{-6} \cdot 10^{6} = 1$.
The quality of the result is directly proportional to the quality of the estimates.
Using Risk
Expected loss risk estimates can be used to bound defense costs.
Spending more than a dollar to defend against a one-in-a-million, million dollar risk may not be wise.
This suggests insurance against loss.
Two defenses suggested by risk analysis are
reduce the attack probability, and
reduce the cost of a successful attack.
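As an added example that is not part of the lecture notes, the Python below turns the expected-loss idea into the defense decision the text describes: a defense is worth its cost only if the loss it avoids exceeds that cost, and it may work by scaling $P_a$ (reduce the attack probability) or $E_d$ (reduce the cost of a successful attack). The threats, probabilities, damages and defense costs are constructed sample values, not measurements, and `Threat`, `Defense`, `net_benefit` and `worthwhile` are hypothetical names for this illustration.

```python
"""Bounding defense spending with expected loss P_a * E_d (added example;
every number below is a constructed sample value)."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    p_attack: float  # P_a: probability of a successful attack per year
    damage: float    # E_d: damage in dollars if the attack succeeds


@dataclass
class Defense:
    name: str
    cost: float            # annual cost of operating the defense
    p_factor: float = 1.0  # multiplies P_a (reduce the attack probability)
    d_factor: float = 1.0  # multiplies E_d (reduce the cost of a successful attack)


def expected_loss(t: Threat) -> float:
    """P_a * E_d, the quantity from the lecture's risk example."""
    return t.p_attack * t.damage


def residual_loss(t: Threat, d: Defense) -> float:
    """Expected loss once the defense has scaled probability and/or damage."""
    return (t.p_attack * d.p_factor) * (t.damage * d.d_factor)


def net_benefit(t: Threat, d: Defense) -> float:
    """Loss avoided minus the defense's cost; negative means overspending."""
    return (expected_loss(t) - residual_loss(t, d)) - d.cost


def worthwhile(t: Threat, d: Defense) -> bool:
    """The bound from the notes: do not spend more than the risk is worth."""
    return net_benefit(t, d) > 0


# Constructed sample threats: the lecture's one-in-a-million, million-dollar
# attack, and a far more likely but much cheaper one.
RARE = Threat("rare catastrophic attack", 1e-6, 1_000_000)
COMMON = Threat("password guessing", 0.05, 20_000)

# Constructed sample defenses: an expensive control aimed at the rare threat,
# a cheap one that halves the guessing probability, and hashing stored
# passwords so a successful breach does a tenth of the damage.
EXPENSIVE = Defense("dedicated appliance", cost=50_000, p_factor=0.1)
RATE_LIMIT = Defense("login rate limiting", cost=200, p_factor=0.5)
HASH_PW = Defense("hash stored passwords", cost=100, d_factor=0.1)

if __name__ == "__main__":
    for t, d in [(RARE, EXPENSIVE), (COMMON, RATE_LIMIT), (COMMON, HASH_PW)]:
        print(f"{t.name} / {d.name}: loss {expected_loss(t):.2f} -> "
              f"{residual_loss(t, d):.2f}, net benefit {net_benefit(t, d):.2f}, "
              f"worthwhile={worthwhile(t, d)}")
```

The one-dollar expected loss of the rare attack cannot justify a fifty-thousand-dollar appliance, exactly as the notes warn, while both cheap defenses against the common threat pay for themselves; and, as the notes also say, the answer is only as good as the probability and damage estimates fed in.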
Summary
Security is a game; make sure you understand the rules.
Security involves threats, attacks, and defenses.
Proper security analysis requires probabilistic thinking.
References
Reflections on Trusting Trust, by Ken Thompson, in Communications of the ACM, August 1984.
Practical Threat Analysis and Risk Management, by Mick Bauer, in Linux Journal, January 2002.
This page last modified on 2012 January 30.