Security potpourri
Slide 1
Security potpourri
INF 123 – Software [email protected]
(Slides from Dick Taylor and Crista Lopes)
Slide 2
Potpourri
Slide 3
Slide 4
Outline
• Definitions
• Common security design decisions
• Trust between users
• Practical guidelines
Slide 5
DEFINITIONS
Slide 6
Security
• Non-functional property
• Protection aimed at preserving the system’s:
  – integrity,
  – availability,
  – and confidentiality.
• (Definition from the National Institute of Standards and Technology)
Slide 7
Confidentiality
• Only authorized parties can access the information
• Breach
Slide 8
Integrity
• Authorized parties can manipulate information only in the authorized ways
• Corruption
Denethor is only a steward, but he acts like a king. (He should not.)
Slide 9
Availability
• Authorized parties can access resources on all appropriate occasions
• Denial of service
Slide 10
SECURITY DESIGN DECISIONS
Slide 11
Common security design decisions
• Principle Of Least Authority – POLA
• Separation of privilege
• Complete mediation
• Fail-safe defaults
• Access control
• …
Slide 12
POLA
• AKA Principle of Least Privilege
• Do not give to a component more privilege (data, visibility, CPU time, bandwidth, …) than it needs
Slide 13
POLA
Something shiny! Don’t touch it!
Slide 14
POLA
What do you think of Sauron?
He’s a good guy!
I shouldn’t say more…
That’s not in the script …
Slide 15
Separation of privilege
• Goal: avoid exploitation of privilege
• Run different actions in different modes
• Example:
  – network.py needs to go through the firewall
  – view.py does not
  – Open port only for network.py
Slide 16
Complete mediation
• Make sure every access is permitted
(Figure: an “Access control” box sits in front of the data; labels “Frodo’s path”, “Mordor checkpoints”, “So easy …”)
Slide 17
Fail-safe defaults
• Deny access if explicit permission is absent
• Be paranoiac
I don’t trust him, Mr Frodo.
Slide 18
Access control
• Decide whether access to a protected resource should be granted or denied
• Discretionary access control
  – Based on the identity of the requestor, the resource, and whether the requestor has permission to access
• Mandatory access control
  – Policy based
Slide 19
Discretionary Access Control

Database A

| Requestor | Permission |
|---|---|
| Alice | Read-Write; Always |
| Bob | Read-Write; Between 9 and 5 |
| Charles | No access |
| Dave | No access |
| Eve | Read-only; Always |

Component Q, Interface F

| Operation | Allowed |
|---|---|
| Bend | Yes |
| Fold | No |
| Spindle | No |
| Mutilate | Yes |
| None | No |
Slide 20
Mandatory Access Control
• Bob: Secret
• Alice: Confidential
• Tom: Top Secret
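The access-control slides above (complete mediation, fail-safe defaults, the Database A DAC table and the MAC clearances) in working Python. This is an added example, not course code: the DAC table is encoded as a dict, "Between 9 and 5" is assumed to mean 09:00 to 17:00, and the MAC rule applied is the usual "no read up" ordering Confidential < Secret < Top Secret, which the slide does not name.

```python
# Discretionary policy for Database A, transcribed from the slide (constructed encoding).
# "window" is an (open_hour, close_hour) pair or None for "Always".
DAC_DATABASE_A = {
    "alice":   {"rights": {"read", "write"}, "window": None},
    "bob":     {"rights": {"read", "write"}, "window": (9, 17)},  # assumed: 9 to 5 = 09:00-17:00
    "charles": {"rights": set(),             "window": None},
    "dave":    {"rights": set(),             "window": None},
    "eve":     {"rights": {"read"},          "window": None},
}

# Mandatory policy: clearance levels from the MAC slide, ordered low to high.
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}
CLEARANCE = {"bob": "Secret", "alice": "Confidential", "tom": "Top Secret"}


def dac_allowed(user, right, hour):
    """Complete mediation with a fail-safe default.

    Every request goes through this function, and anything that is not
    explicitly granted (unknown user, missing right, outside the time
    window) is denied rather than allowed.
    """
    entry = DAC_DATABASE_A.get(user)
    if entry is None or right not in entry["rights"]:
        return False
    window = entry["window"]
    if window is not None and not (window[0] <= hour < window[1]):
        return False
    return True


def mac_can_read(user, label):
    """No read up: a subject may read an object labelled at or below its clearance.

    Unknown users or unknown labels fall through to deny (fail-safe default).
    """
    clearance = CLEARANCE.get(user)
    if clearance is None or label not in LEVELS:
        return False
    return LEVELS[label] <= LEVELS[clearance]


if __name__ == "__main__":
    print("bob write at 12:00:", dac_allowed("bob", "write", 12))   # True
    print("bob write at 18:00:", dac_allowed("bob", "write", 18))   # False
    print("bob reads Top Secret:", mac_can_read("bob", "Top Secret"))  # False
```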
Slide 21
TRUST BETWEEN USERS
Slide 22
Slide 23
Example: Ebay
• Open decentralized application
• Independent buyers/sellers
• Potentially malicious participants
• Need to counter threats
(Figure: “Decentralized Auctioning” with participants Alice, Bob, Carol, Marvin (malicious) and Mallory (malicious))
Slide 24
Trust and security
• Trust is not binary
  – You trust some people
  – About some topics
  – For some time
• Many security threats exploit human nature
  – Social engineering
Slide 25
Security and trust
(Figure: a spectrum from “No trust” to “Blind trust”, with “Computer measures” and “Social measures” marked along it)
Slide 26
Impersonation
(Figure: Mallory (malicious) tells Alice “I am Bob”)
Bob is reliable and everyone has a good opinion about Bob
Slide 27
Fraudulent Actions
(Figure: Alice “buyer” pays for the items; Marvin “seller” (malicious) does not ship the items)
Slide 28
Misrepresentation
(Figure: Mallory (malicious) tells Alice “Bob is unreliable”)
Bob is reliable and everyone has a good opinion about Bob
Slide 29
Collusion (!= collision)
(Figure: Mallory (malicious) and Marvin (malicious) both tell Alice “Bob is unreliable”)
Bob is reliable and everyone has a good opinion about Bob
Slide 30
Addition of Unknowns
(Figure: Carol (new entrant in the system), Bob, Alice)
Bob has no information about Carol; he is not sure whether to interact with Carol
Carol is new and does not know Alice; she is not sure whether to interact with Alice
Slide 31
PRACTICAL GUIDELINES
Slide 32
In practice
• Never-ending game of:
  – Find vulnerability
  – Attack
  – Fix
  – Repeat
• No system is 100% secure
• Least common denominator: A system is as secure as its least secure component
Slide 33
Intermezzo: MD5
• Message Digest algorithm 5
• Transforms an arbitrary-length message into a 128-bit value
  – One way function
• MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
• MD5("The quick brown fox jumps over the lazy dog.") = e4d909c290d0fb1ca068ffaddf22cbd0
Slide 34
Intermezzo: MD5 dictionary attack
• Goal: recover passwords from their encryption
• Brute-force
  – Given 9e107d9d372bb6826bd81d3542a419d6
  – Iterate over MD5(words) and compare the hash
• Dictionary attack
  – Rainbow tables: map MD5 to common passwords
  – { 9e107d9d: ‘password’, 6826bd85: ‘qwerty’, … }
  – http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/
Slide 35
Least common denominator: example
• MD5 encryption for passwords
• Hash of passwords stored in DB
• But root DB password is ‘password’
• Dictionary attack
• Attacker knows all passwords
Slide 36
Solutions
• MD5 with salt
  – MD5(password + salt) instead of MD5(password)
  – Prevent rainbow attack
  – But need to keep the salt around
• How do you protect the salt?
• Better password
• MD5 has collisions: use SHA1 instead of MD5
Slide 37
HTTPS = HTTP + SSL
• Send HTTP request to server
• Problem: Eavesdropping
• Problem: Man-in-the-middle
  – Malicious server pretends to be your server
• Solution: encrypt transmitted data

Plaintext request:
POST /home/login HTTP/1.1
Hostname: …
Content-Type: json
Content-Length: 26
{ name:foo, password:OMG }

After SSL (illustrative ciphertext):
1d5fs#d3R6[5wgfr48rs&g=24fg+3t2fgfdC5.3gdf*453gdfg241df3%2gdDf1we&4w*e348sf48q6xwBas2Aa213dJE

SSL encrypts headers and payload, but not (IP, port): the attacker already knows my IP and that of the server in order to do a MITM attack.
Slide 38
Practicality
• Sometimes the human is the least common denominator
Slide 39
Password reuse
Slide 40
Password vs passphrase
Slide 41
Sanitize inputs
Solution: escape dangerous characters (replace ‘ by \’ or by space)
PHP: mysql_real_escape_string
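The "sanitize inputs" slide, as an added Python example that is not from the slides. It uses the standard-library sqlite3 module and an in-memory table with constructed rows; the legitimate name O'Brien is enough to break a query built by string concatenation, while both the slide's escaping approach (SQLite doubles the quote rather than backslashing it) and a parameterized query handle it. Parameterization is the form a practitioner should reach for first, since the driver never treats the value as SQL text.

```python
import sqlite3


def setup_db():
    """In-memory table with two constructed rows, one containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])
    return conn


def find_email_unsafe(conn, name):
    """Vulnerable: the name is pasted into the SQL, so a quote inside it changes the
    statement. Returns None when the database rejects the mangled query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error:
        return None


def find_email_escaped(conn, name):
    """The slide's approach: neutralise the dangerous character by hand.
    In SQLite a quote inside a string literal is written as two quotes."""
    query = "SELECT email FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn, name):
    """Preferred: a parameterized query. The value travels separately from the SQL
    text, so no character in it can alter the statement's structure."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = setup_db()
    print("unsafe:", find_email_unsafe(db, "O'Brien"))     # None (query broke)
    print("escaped:", find_email_escaped(db, "O'Brien"))   # ['ob@example.com']
    print("safe:", find_email_safe(db, "O'Brien"))         # ['ob@example.com']
```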
Slide 42
Think about the problem first …
Voting machines download executables from the Internet???
Yes, because they run on normal computers, with Windows OS, not as purpose-built embedded systems like ATMs.