
Security potpourri


Presentation Transcript


  1. Security potpourri INF 123 – Software architecture tdebeauv@uci.edu (Slides from Dick Taylor and Crista Lopes)

  2. Potpourri

  3. Outline • Definitions • Common security design decisions • Trust between users • Practical guidelines

  4. Definitions

  5. Security • Non-functional property • Protection aimed at preserving the system’s: • integrity, • availability, • and confidentiality. • (Definition from the National Institute of Standards and Technology)

  6. Confidentiality • Only authorized parties can access the information • Breach

  7. Integrity • Authorized parties can manipulate information only in the authorized ways • Corruption Denethor is only a steward, but he acts like a king. (He should not.)

  8. Availability • Authorized parties can access resources on all appropriate occasions • Denial of service

  9. Security design decisions

  10. Common security design decisions • Principle Of Least Authority – POLA • Separation of privilege • Complete mediation • Fail-safe defaults • Access control • …

  11. POLA • AKA Principle of Least Privilege • Do not give a component more privilege (data, visibility, CPU time, bandwidth, …) than it needs to do its job • A compromised component can then only misuse what it was given

  12. POLA Don’t touch it! Something shiny!

  13. POLA What do you think of Sauron? He’s a good guy! I shouldn’t say more… That’s not in the script …

  14. Separation of privilege • Goal: limit what an exploited component can do with its privilege • Run different actions in different components or modes, each holding only the privileges it needs • Example: • network.py needs to go through the firewall • view.py does not • Open the port only for network.py • Note: this is privilege separation (compartmentalisation); in Saltzer and Schroeder's original list, "separation of privilege" means requiring more than one key or condition before granting access, so that a single compromise is not enough

  15. Complete mediation • Check every access to every object against the access-control policy, every time • No cached, remembered or bypassable decision: a check that can be skipped is not a check [Figure: Frodo's path through Mordor checkpoints, each consulting the access control data; caption "So easy …"]

  16. Fail-safe defaults • Deny access unless explicit permission is present • Errors and unknown cases fall back to "deny", never to "allow" • Be paranoid [Caption: I don't trust him, Mr Frodo.]

  17. Access control • Decide whether access to a protected resource should be granted or denied • Discretionary access control (DAC) • The owner of the resource decides who may access it; the decision is based on the identity of the requestor, the resource, and whether the owner granted the requestor permission • Mandatory access control (MAC) • Policy based: a system-wide policy (e.g. security labels and clearances) that users cannot override, even for resources they own

  18. Discretionary Access Control

  19. Mandatory Access Control • Clearances: • Bob: Secret • Alice: Confidential • Tom: Top Secret
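The DAC and MAC slides above only show labels; the following is an added example (not code from the slides or their authors) that puts both checks side by side. It uses the three clearances from the MAC slide and applies the Bell-LaPadula confidentiality rules (no read up, no write down); the object names, their labels and the ACL contents are constructed for illustration.

```python
"""Added example: discretionary (owner-granted ACL) versus mandatory
(label-based, Bell-LaPadula) access control on the same requests.
Object names, labels and ACL entries are constructed, not from the slides."""

# Ordered lattice of sensitivity levels used by the MAC check.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Clearances as given on the MAC slide.
CLEARANCE = {"Bob": "Secret", "Alice": "Confidential", "Tom": "Top Secret"}

# Constructed object labels (set by the system, not by users).
LABEL = {"budget.txt": "Confidential", "plan.txt": "Secret", "weapons.txt": "Top Secret"}

# Constructed DAC table: each object has an owner who hands out permissions.
ACL = {
    "budget.txt": {"owner": "Alice", "perms": {"Alice": {"read", "write"}, "Bob": {"read"}}},
    "plan.txt":   {"owner": "Bob",   "perms": {"Bob": {"read", "write"}, "Tom": {"read"}}},
}


def dac_allowed(subject: str, obj: str, op: str) -> bool:
    """Discretionary: allowed only if the owner granted this op to this subject.
    Fail-safe default: unknown object or subject means deny."""
    entry = ACL.get(obj)
    if entry is None:
        return False
    return op in entry["perms"].get(subject, set())


def dac_grant(owner: str, subject: str, obj: str, op: str) -> bool:
    """Only the object's owner may change its ACL (that is the 'discretion')."""
    entry = ACL.get(obj)
    if entry is None or entry["owner"] != owner:
        return False
    entry["perms"].setdefault(subject, set()).add(op)
    return True


def mac_allowed(subject: str, obj: str, op: str) -> bool:
    """Mandatory (Bell-LaPadula confidentiality): no read up, no write down.
    Neither the subject nor the object's owner can relax these labels."""
    if subject not in CLEARANCE or obj not in LABEL:
        return False
    s = LEVELS[CLEARANCE[subject]]
    o = LEVELS[LABEL[obj]]
    if op == "read":
        return s >= o   # simple security property: clearance dominates label
    if op == "write":
        return s <= o   # *-property: may not write to a lower label
    return False


def allowed(subject: str, obj: str, op: str) -> bool:
    """Complete mediation: every request passes both checks; MAC can veto a
    permission the owner granted under DAC."""
    return dac_allowed(subject, obj, op) and mac_allowed(subject, obj, op)


if __name__ == "__main__":
    for who in CLEARANCE:
        for what in LABEL:
            for op in ("read", "write"):
                print(f"{who:5} {op:5} {what:12} DAC={dac_allowed(who, what, op)!s:5} "
                      f"MAC={mac_allowed(who, what, op)!s:5} -> {allowed(who, what, op)}")
```

The interesting case is Bob granting Alice read on plan.txt: under DAC alone that succeeds, but the MAC check still denies it because Alice's Confidential clearance does not dominate the Secret label, which is exactly the property MAC exists to enforce.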

  20. Trust between users

  21. Example: eBay, decentralized auctioning • Open decentralized application • Independent buyers/sellers • Potentially malicious participants • Need to counter threats [Figure: Alice, Bob and Carol trading with each other; Mallory and Marvin are malicious participants]

  22. Trust and security • Trust is not binary • You trust some people • About some topics • For some time • Many security threats exploit human nature • Social engineering

  23. Security and trust [Figure: a spectrum from blind trust to no trust; social measures at one end, computer measures at the other]

  24. Impersonation • Bob is reliable and everyone has a good opinion about Bob • Mallory (malicious) approaches Alice claiming "I am Bob"

  25. Fraudulent actions • Alice ("buyer") pays for the items • Marvin ("seller", malicious) does not ship the items

  26. Misrepresentation • Bob is reliable and everyone has a good opinion about Bob • Mallory (malicious) tells Alice "Bob is unreliable"

  27. Collusion (!= collision) • Bob is reliable and everyone has a good opinion about Bob • Mallory and Marvin (both malicious) both tell Alice "Bob is unreliable", each corroborating the other

  28. Addition of unknowns • Carol is a new entrant in the system • Carol does not know Alice; she is not sure whether to interact with Alice • Bob has no information about Carol; he is not sure whether to interact with Carol

  29. Practical guidelines

  30. In practice • Never-ending game of: • Find vulnerability • Attack • Fix • Repeat • No system is 100% secure • Least common denominator (the weakest link): a system is only as secure as its least secure component

  31. Intermezzo: MD5 • Message Digest algorithm 5 • Transforms an arbitrary-length message into a fixed 128-bit digest • One-way function: easy to compute, infeasible to invert • A one-character change gives an unrelated digest: • MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6 • MD5("The quick brown fox jumps over the lazy dog.") = e4d909c290d0fb1ca068ffaddf22cbd0

  32. Intermezzo: MD5 dictionary attack • Goal: recover passwords from their hashes (they are hashed, not encrypted: there is no key to recover, only guesses to check) • Brute force • Given 9e107d9d372bb6826bd81d3542a419d6 • Iterate over candidate strings, compute MD5(candidate) and compare with the hash • Dictionary attack: iterate only over likely passwords (word lists, leaked password lists) • Precomputed tables: hash the common passwords once, then crack any unsalted hash with a single lookup, e.g. (schematically) • { 9e107d9d…: 'password', 6826bd85…: 'qwerty', … } • Rainbow tables are a compressed form of this (chains of hash and reduction functions instead of a full hash-to-password map) • http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/

  33. Least common denominator: example • Passwords hashed with MD5 (hashed, not encrypted) • Hashes stored in the DB • But the DB root password is 'password' • Attacker logs into the DB, dumps the hashes, runs a dictionary attack • Attacker recovers every weak password: the hashing is worth nothing when the DB credential is the weakest link

  34. Solutions • Salt: store MD5(salt + password) with a random, per-user salt instead of MD5(password) • Defeats precomputed (rainbow) tables: the attacker has to redo the work for every user • The salt is stored in clear next to the hash; it does not need to be secret, only unique and unpredictable, so there is nothing extra to protect • Better passwords (length, no reuse) • Use a deliberately slow hash designed for passwords (bcrypt, scrypt, Argon2, PBKDF2) rather than a fast digest • MD5 and SHA-1 both have practical collisions, but collisions are not the password-hashing problem; speed is: a GPU computes billions of MD5 or SHA-1 hashes per second, so switching MD5 for SHA-1 does not help here
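To make the attack and the fixes from the two slides above concrete, here is an added example (not code from the slides or their authors). It builds the precomputed lookup table against unsalted MD5, shows that a per-user salt makes the table useless, and then uses PBKDF2-HMAC-SHA256 from the standard library as the slow, salted hash. The user names, passwords and the "common passwords" list are constructed stand-ins for a leaked list.

```python
"""Added example: cracking unsalted MD5 by lookup, the effect of a per-user
salt, and a slow salted hash (PBKDF2) for storage.  All inputs constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked "most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; reusable against every unsalted DB.
    (A rainbow table is a chained, compressed form of this; the effect on
    unsalted hashes is the same: one lookup per stolen hash.)"""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stored, table):
    """stored: {user: md5hex}.  Returns {user: recovered password}."""
    return {user: table[h] for user, h in stored.items() if h in table}


def md5_salted(password: str, salt: bytes) -> str:
    return md5_hex(salt.hex() + password)


def crack_salted(stored, words):
    """stored: {user: (salt, md5hex)}.  The precomputed table is useless:
    every candidate must be re-hashed with each user's salt, so the cost is
    users x candidates instead of one lookup per user."""
    found = {}
    for user, (salt, h) in stored.items():
        for w in words:
            if md5_salted(w, salt) == h:
                found[user] = w
                break
    return found


# A slow, salted password hash.  Weak passwords can still be guessed, but each
# guess now costs ITERATIONS HMAC-SHA256 evaluations instead of one MD5.
ITERATIONS = 100_000


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_record(password: str):
    """Salt is random and per user; it is stored in clear beside the hash."""
    salt = os.urandom(16)
    return (salt, pbkdf2_hex(password, salt))


def verify(password: str, record) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt, stored_hash = record
    return hmac.compare_digest(pbkdf2_hex(password, salt), stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    db = {"alice": md5_hex("qwerty"), "bob": md5_hex("correct horse battery staple")}
    print("unsalted, by lookup:", crack_unsalted(db, table))
    salt = os.urandom(16)
    print("salted, by re-hashing:", crack_salted({"alice": (salt, md5_salted("qwerty", salt))},
                                                  COMMON_PASSWORDS))
    rec = new_record("qwerty")
    print("pbkdf2 verify:", verify("qwerty", rec), verify("password", rec))
```

Note that the salt is handed to `verify` straight from the stored record: it is not a secret and needs no protection of its own, which answers the "how do you protect the salt?" question on the slide. What the salt buys is that the attacker's work no longer amortises across users, and what PBKDF2's iteration count buys is that each guess is expensive.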

  35. HTTPS = HTTP + SSL/TLS • Send an HTTP request to the server, e.g. a login: POST /home/login HTTP/1.1 / Host: … / Content-Type: application/json / Content-Length: 26 / { name:foo, password:OMG } • Problem: eavesdropping (the credentials cross the network in clear) • Problem: man-in-the-middle: a malicious server pretends to be your server • Solution: TLS encrypts the transmitted data and authenticates the server with a certificate that the client verifies; encryption alone does not stop a MITM, since you would simply be encrypting your password for the attacker • On the wire the request becomes an opaque blob such as 1d5fs#d3R6[5wgfr48rs&g=24fg+3t2fgfdC5.3gdf*453gdfg241df3%2gdDf1we&4w*e348sf48q6xwBas2Aa213dJE • TLS encrypts headers and payload, but not (IP, port): the attacker already knows my IP and the server's, since that is what mounting a MITM requires in the first place

  36. Practicality • Sometimes the human is the least common denominator

  37. Password reuse

  38. Password vs passphrase

  39. Sanitize inputs • Never paste user input straight into SQL, shell commands or HTML • Weaker fix: escape dangerous characters (e.g. ' becomes \' in MySQL) with the driver's own escaping function, e.g. PHP's mysql_real_escape_string (the mysql extension was removed in PHP 7; use mysqli_real_escape_string or PDO) • Better fix: parameterised (prepared) queries, where the values are never parsed as SQL at all, so there is nothing to escape
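The following is an added example (not code from the slides or their authors) showing the login query from the HTTPS slide built three ways: by string concatenation, with the slide's escaping approach, and as a parameterised query. It uses the standard library sqlite3 so it runs offline; the table and its users are constructed. The `escape` helper uses SQL-standard quote doubling rather than MySQL's backslash style, which is a deliberate difference from the slide.

```python
"""Added example: SQL injection through string concatenation, and the two
fixes (escaping, parameterised query).  Table contents are constructed."""
import sqlite3


def make_db():
    """Constructed users table: the login from the HTTPS slide plus an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("foo", "OMG"), ("admin", "s3cr3t")])
    return conn


def login_concat(conn, name, password):
    """Vulnerable: request fields are pasted into the SQL text, so a quote in
    the name closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape(value: str) -> str:
    """The slide's approach: neutralise the dangerous character.  Standard SQL
    doubles a single quote inside a literal (mysql_real_escape_string uses a
    backslash instead; the idea is the same)."""
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    """Escaping closes this hole, but only if every value is escaped every
    time, and only inside string literals; one forgotten call reopens it."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (escape(name), escape(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, name, password):
    """Preferred: parameterised query.  The driver sends the SQL and the values
    separately, so the input is never parsed as SQL and needs no escaping."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    attacker_name = "admin' --"      # comments out the password check
    print("concat :", login_concat(conn, attacker_name, "wrong"))
    print("escaped:", login_escaped(conn, attacker_name, "wrong"))
    print("param  :", login_param(conn, attacker_name, "wrong"))
```

With the name `admin' --` the concatenated query becomes `... WHERE name = 'admin' --' AND password = 'wrong'`, the comment swallows the password check, and the attacker is logged in as admin; the escaped and parameterised versions both return no user.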

  40. Think about the problem first … Voting machines download executables from the Internet??? Yes, because they run on ordinary computers with a Windows OS, not on purpose-built embedded systems like ATMs.
