What is Computer Security?

What is Computer Security? for Professor Ruan’s Class at Nankai University. Clark Thomborson, 2nd April 2007.


Page 1: What is Computer Security?

What is Computer Security?

for Professor Ruan’s Class at Nankai University

Clark Thomborson

2nd April 2007

Page 2: What is Computer Security?

Questions to be (Partially) Answered

What is security?

What types of security can be handled by a computer?

But first... let me introduce myself.

Page 3: What is Computer Security?

Clark Thom{p,bor}son

Clark Thompson: 1954-1986

1971-75: BS (Honors) Chemistry and MS CompSci/CompEng’g at Stanford.

1976-9: PhD Computer Science at C-MU.

1977-86: parallel algorithms, connection networks, VLSI complexity at UC Berkeley.

1986: Thompson + Borske = Thomborson

1986-96: VLSI algorithmics, randomized rounding, supercomputer performance at U Minnesota – Duluth.

1996-present: software obfuscation, watermarking, tamperproofing, trusted computing at Auckland.

Page 4: What is Computer Security?

NZ and Auckland

New Zealand is a South Pacific island nation, populated by:

600,000 “Maori”: the first people of NZ, about 800 years ago.

300,000 “Asian” (Chinese, Indian, Iranian, ...)

300,000 “Pacific” (Samoan, Fijian, Tongan, …)

3,100,000 “European” (mostly emigrants from Great Britain)

1,300,000 people live in the Auckland region. Population density is very low almost everywhere else in NZ.

4.3 million people in 270,000 km2 = 16 people / km2

Tianjin: 11 million people in 11,000 km2 = 1000 people / km2

The University of Auckland has 25,000 undergraduate students, 5,000 postgraduate students, and 4,000 staff. 5,500 of our students are from other countries.

Page 5: What is Computer Security?
Page 6: What is Computer Security?

Computer Science Department

We are the largest and most diversified computer science department in New Zealand: 40 staff, 800 undergraduates, 100 postgraduates.

Page 7: What is Computer Security?

Secure Systems Group

Inventions: Software obfuscation, Software watermarking, Tamperproofing, and 3d object watermarking (subcontract: Cardiff U)

Secure systems development: Applications of trusted computing, Specification of security requirements, and Security improvements

http://www.cs.auckland.ac.nz/research/groups/ssg/

Page 8: What is Computer Security?
Page 9: What is Computer Security?

CSC PhD Scholarships

20 PhD Scholarships per year from the China Scholarship Council and the University of Auckland. The CSC pays travel and living expenses. The University of Auckland does not charge tuition fees (other PhD students pay NZD $5000/year ~ USD $3000/year).

Our PhD programme is 3 to 4 years of supervised research, with no coursework. You must already have a research-oriented Master’s degree. You must find a supervisor and define a topic before you are admitted.

See http://www.cs.auckland.ac.nz/phd/ and www.csc.edu.cn.

Page 10: What is Computer Security?

What is Security? (A Taxonomic Overview)

The first step in wisdom is to know the things themselves; this notion consists in having a true idea of the objects; objects are distinguished and known by classifying them methodically and giving them appropriate names. Therefore, classification and name-giving will be the foundation of our science.

Carolus Linnæus, Systema Naturæ, 1735

(from Lindqvist and Jonsson, “How to Systematically Classify Computer Security Intrusions”, 1997.)

Page 11: What is Computer Security?

Standard Taxonomy of Security

1. Confidentiality: no one is allowed to read, unless they are authorised.

2. Integrity: no one is allowed to write, unless they are authorised.

3. Availability: all authorised reads and writes will be performed by the system.

Authorisation: giving someone the authority to do something.

Authentication: being assured of someone’s identity.

Identification: knowing someone’s name or ID#.

Auditing: maintaining (and reviewing) records of security decisions.

Page 12: What is Computer Security?

A Multi-Level Hierarchy

“Static security”: the confidentiality, integrity, and availability properties of a system.

“Dynamic security”: the gold standard of Authentication, Authorisation, Audit. These processes assure static security. If these processes run too often, we have a “gold-plated” system design! (Infeasible – too expensive.)

Metaphorically, a security engineer should:

Seal all security perimeters with an authenticating gold veneer (note: a veneer is a very thin sheet),

Sprinkle auditing gold-dust uniformly but very sparingly over the most important security areas, and

Place an authorising golden seal on the most important accesses, but not on any other accesses.

Page 13: What is Computer Security?

Security Governance

Governance should be pro-active, not reactive. Governors should constantly be asking questions, considering the answers, and revising plans:

Specification, or Policy (answering the question of what the system is supposed to do),

Implementation (answering the question of how to make the system do what it is supposed to do), and

Assurance (answering the question of whether the system is meeting its specifications).

Governors cannot be involved in the low-level decisions of static security, and they should not be heavily involved in dynamic security. They should be security executives, not its operators.

Page 14: What is Computer Security?

Generalized Static Security

Confidentiality, Integrity, and Availability only cover security for read and write operations.

What about security for executable objects? Unix directories have “rwx” permission bits. Do we need a fourth aspect of static security?

XXXX-ity: all executions must be authorised. I don’t know a good name for this property. (Is there a good name for it in Chinese? gwi ju? => “guijuity”?)

At the top of a taxonomy we should combine, rather than divide. Confidentiality, Integrity, and XXXX-ity are all Prohibitions. Availability is a Permission.

[Diagram: two trees. In the first, S (static security) splits into P− (prohibitions: C, I, X) and P+ (permissions: A). In the second, S sits directly above A, C, I, X.]

Page 15: What is Computer Security?

Prohibitions and Permissions

Prohibition: (try to) prevent something from happening.

Permission: (try to) allow something to happen.

There are two types of secure systems:

In a prohibitive system, all operations are prohibited by default. Permissions are granted in special cases, e.g. to authorised individuals.

In a permissive system, all operations are allowed by default. Prohibitions are special cases, e.g. when an individual attempts to access a secure system.

Prohibitive systems have permissive subsystems. Permissive systems have prohibitive subsystems.

Page 16: What is Computer Security?

Recursive Security; Allowances

Prohibitions, i.e. “Thou shalt not kill.” General rule: An action (in some range R) is not allowed, with exceptions (permissions) P1, P2, P3, ...

Permissions, i.e. an entry visa. General rule: An action in P is allowed, with exceptions (prohibitions) R1, R2, R3, ...

This leads to a hierarchy of controls on actions.

[Diagram: nested regions showing P (allowed) with prohibited sub-ranges R1, R2, R3, and permissions P1, P2 nested inside the prohibited ranges.]

Page 17: What is Computer Security?

Is Our Taxonomy Complete?

Prohibitions and permissions are properties of hierarchical systems, such as a judicial system. Most legal controls (“laws”) are prohibitive. A few are permissive.

Contracts are non-hierarchical: agreed between peers. Obligations are promises to do something in the future. Exemptions are exceptions to an obligation. The contract must specify a dispute-resolution procedure. Often this is an obligation to submit to a legal judgement.

There are two types of peerages: obligatory and exemptive. Obligatory peerages have exemptive subsystems. Exemptive peerages have obligatory subsystems.

Can we have hierarchies within peerages, and peerages within hierarchies? Yes, but the linkage is still obscure to me. I intend to keep working on this. Maybe you can help!

Page 18: What is Computer Security?

Inactions and Actions; Requirements

Obligations are requirements on actions, e.g. “Honour thy father and mother.” Note: these are prohibitions on inactions. Obligation rule: An action (in some range O) is required, with exemptions O1, O2, O3, ...

Exemptions are non-requirements on actions, e.g. “A trustee shall not be answerable for involuntary acts.” These are permissions on inactions. Exemption rule: An action in E is not required, with obligations E1, E2, ...

We have added a new level to our hierarchy!

Our new taxonomy has more descriptive power than the CIA taxonomy.

I still want to see a “design win”. Will these insights lead to better security in the real world?

[Diagram: two trees. In the first, S splits into P− and P+, with the four rule types Pro, Per, Obl and Exe as leaves. In the second, S sits directly above Pro, Per, Obl, Exe.]

Page 19: What is Computer Security?

Reviewing our Questions

1. What is security? Three layers: static, dynamic, governance. Four types of static security rules: prohibitions, permissions, obligations, and exemptions. A taxonomic structure is (requirements, allowances) x (actions, inactions).

2. What types of security can be handled by a computer?

Page 20: What is Computer Security?

Computer Security Systems

Definition. A computer system is a static security detector if it has a set of static security rules expressed as efficient computer programs, reliable inputs to determine when an action or an inaction is required or not allowed, and a reliable output channel to an enforcement agent (computer or human).

Definition. A computer system is a static security enforcer if its outputs effectively control the system’s compliance with its static security rules, and its inputs are supplied by one or more static security detectors.

Computers can implement most of the dynamic layer of security: auditing, authorisation, authentication, identification. Most level-2 operations are automated, but human oversight is necessary.

Computers can give very limited assistance at the governance layer. Governors make tradeoffs among specification, implementation, and assurance activities. Human judgement is required!

Let’s briefly consider the primary methods of control.
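The recursive hierarchy of controls (Page 16), the four rule types of Page 18, and the static security detector of Page 20 can be put together in code. The following is an added example, not code from the slides; the file-server policy, the event fields (`op`, `role`, `path`, `missed`, `maintenance`) and the rule names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# The four static-security rule kinds from the slides:
# (requirements, allowances) x (actions, inactions).
PROHIBITION, PERMISSION = "prohibition", "permission"   # rules on actions
OBLIGATION, EXEMPTION = "obligation", "exemption"       # rules on inactions

@dataclass
class Rule:
    kind: str
    covers: Callable[[dict], bool]        # the range R, P, O or E as a predicate
    exceptions: List["Rule"] = field(default_factory=list)  # nested rules of the opposite kind

def decide(rule: Rule, event: dict) -> Optional[str]:
    """Recursive controls: the deepest exception that covers the event decides."""
    if not rule.covers(event):
        return None
    for exc in rule.exceptions:
        verdict = decide(exc, event)
        if verdict is not None:
            return verdict
    return rule.kind

def detect(rules: List[Rule], event: dict, default: str) -> str:
    """Static security detector: the verdict sent to the enforcement agent.
    `default` is PROHIBITION for a prohibitive system or PERMISSION for a
    permissive one (OBLIGATION / EXEMPTION for inaction events)."""
    for rule in rules:
        verdict = decide(rule, event)
        if verdict is not None:
            return verdict
    return default

# Constructed policy for a hypothetical file server (not from the slides).
# "Thou shalt not write", except editors may write, except never under /etc.
no_writes = Rule(PROHIBITION, lambda e: e["op"] == "write", [
    Rule(PERMISSION, lambda e: e["role"] == "editor", [
        Rule(PROHIBITION, lambda e: e["path"].startswith("/etc")),
    ]),
])
# "A daily backup is required", exempt while the host is in maintenance.
backup_due = Rule(OBLIGATION, lambda e: e["missed"] == "backup", [
    Rule(EXEMPTION, lambda e: e["maintenance"]),
])
ACTION_RULES, INACTION_RULES = [no_writes], [backup_due]

def check_action(op: str, role: str, path: str) -> str:
    return detect(ACTION_RULES, {"op": op, "role": role, "path": path}, PROHIBITION)

def check_inaction(missed: str, maintenance: bool) -> str:
    return detect(INACTION_RULES, {"missed": missed, "maintenance": maintenance}, EXEMPTION)
```

The action rules run in a prohibitive system (anything not covered is prohibited), while the inaction rules run in an exemptive one (anything not covered is not required), matching the slides' observation that each kind of system contains subsystems of the opposite kind.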

Page 21: What is Computer Security?

Lessig’s Taxonomy of Control

[Diagram: a grid with four axes of control, Easy / Difficult, Legal / Illegal, Inexpensive / Expensive, Moral / Immoral.]

Computers make things easy or difficult.

Governments make things legal or illegal.

The world’s economy makes things inexpensive or expensive.

Our culture makes things moral or immoral.

Page 22: What is Computer Security?

Reviewing our Questions

Questions: What is security? What types of security can be handled by a computer?

Partial answers: There are three layers of security: static, dynamic, and governance. Computers can handle the first two layers.