CIS 5373 Systems Security
Topic 1: Introduction to Systems Security
Endadul Hoque

Why should you care?
Security impacts our day-to-day life
- Become a security-aware user
  - Make safe decisions
- Become a security-aware developer
  - Design and build secure systems
- Become a security researcher
  - Identify security flaws and propose mitigations
*Based on https://lifeasageek.github.io/class/cs52700-fall16/slides/intro.pdf

What is Security?
Definition: Security
Security is the application and enforcement of policies through mechanisms over data and resources
- Policies specify what we want to enforce (e.g., only Alice should read file F)
  - Common goals: confidentiality, integrity, availability
- Mechanisms specify how we enforce the policy (i.e., an implementation of a policy, e.g., encryption)
- Goal has nothing to say about mechanism
*Based on https://lifeasageek.github.io/class/cs52700-fall16/slides/intro.pdf

Systems Security
- Security applied to computer systems
  - Hardware, software, network, and computing power
- Protection against theft, damage, misuse, and disruption of the services they provide
[Source: Wikipedia]

Our Focus
Several layers of systems security
- Software security
- Operating systems security
- Network security
- Web/Internet security

Why is systems security hard?
Things can go wrong on multiple fronts
1. Problems with policy
Examples:
- Reset password by answering security questions
- Reset password by providing last 4 digits of credit card numbers

Why is systems security hard?
Things can go wrong on multiple fronts
2. Problems with assumptions
Examples:
- Human factors: the weakest link in phishing attacks
- Hardware is trustworthy
- Attackers' computational power

Why is systems security hard?
Things can go wrong on multiple fronts
3. Problems with mechanisms
Bugs/vulnerabilities in implementations
Examples:
- Impersonation attacks: Apple's goto fail
- Information leakage: OpenSSL's Heartbleed bug
- Unauthorized access: unlimited password-guessing allowed for one iCloud API

Bugs
Definition: Software bugs
A software bug is an error, flaw, failure, defect or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. [Wikipedia]
According to [1]: Faults --activate--> Errors --propagate--> Failures
[1] Avizienis et al., Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE TDSC, 1(1), 2014 (https://www.nasa.gov/pdf/636745main_day_3-algirdas_avizienis.pdf)

Faults, Errors & Failures
- Faults
  - Physical defects or flaws occurring in some components (hardware or software)
  - E.g., buffer overflow
- Errors
  - Introduce inaccuracy in the system's state due to some faults
  - E.g., memory corruption
- Failures
  - Not delivering the correct/expected service
  - E.g., system crash

Faults, Errors & Failures

Faults, Errors & Failures
- A fault is active when it causes an error; otherwise it is dormant
- Many errors do not reach the system's external interface; as a result, no failure is observed

Vulnerabilities
Definition: Vulnerabilities
A vulnerability is a weakness which allows an attacker to violate the system's security policies. [Wikipedia]
- A vulnerability is exploitable
  - If an exploit (e.g., malicious inputs) exists
  - Depends on the goal(s) of the attacker(s)
- Some vulnerabilities are not related to software
  - Human factors can result in, e.g., phishing attacks
- Security bugs
  - Bugs in security-enforcing software (e.g., OS kernel, SSL/TLS)
  - Lead to vulnerabilities and leave a system open to attacks

Symantec
- Cyber crime hit the big time in 2016, with high-profile victims and bigger than ever financial rewards
- discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before.
Trend Micro predicts
- a 25% growth in the number of new ransomware families in 2017
- IoT devices will play a bigger role in DDoS attacks
- the average payout for a ransomware attack is $722, which could reach up to $70K if an enterprise network is hit.

Real-world Security Incidents

Apple's goto fail
http://zd.net/1mlouxz

Heartbleed
- TLS heartbeat extension
  - A keep-alive feature
  - One end of the connection sends a payload of arbitrary data to the other end
  - The other end sends back an exact copy of that data to prove everything's OK.
- Bug in OpenSSL
  - Buffer over-read due to missing bounds check
  - Reveal in-memory authentication credentials
  - Threat to confidentiality
https://xkcd.com/1354/
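
The missing bounds check from the Heartbleed slide, as an added example that is not part of the original slides and is not OpenSSL's code: a simplified heartbeat echo with and without the length check. The struct, the function names and the sample record are assumptions constructed for illustration; the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat request, layout per RFC 6520:
 * type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * Hypothetical names throughout; this is not OpenSSL code. */
#define HB_HEADER 3
#define HB_MIN_PADDING 16

/* Constructed stand-in for process memory: a record plus whatever follows it. */
struct arena {
    uint8_t bytes[128];
    size_t record_len;   /* bytes actually received from the peer */
};

/* Flawed echo: trusts the length field carried inside the message. */
size_t hb_echo_unchecked(const struct arena *a, uint8_t *out, size_t out_cap) {
    size_t claimed = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    /* Clamped only so the demo never leaves its own arena. */
    if (claimed > sizeof a->bytes - HB_HEADER) claimed = sizeof a->bytes - HB_HEADER;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, a->bytes + HB_HEADER, claimed);
    return claimed;
}

/* Hardened echo: the claimed length must fit inside the received record. */
size_t hb_echo_checked(const struct arena *a, uint8_t *out, size_t out_cap) {
    if (a->record_len < HB_HEADER + HB_MIN_PADDING) return 0;   /* discard */
    size_t claimed = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    if (HB_HEADER + claimed + HB_MIN_PADDING > a->record_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, a->bytes + HB_HEADER, claimed);
    return claimed;
}

/* Constructed input: real payload "hi", a caller-chosen claimed length,
 * and a marker standing in for unrelated data next to the record. */
struct arena make_arena(uint16_t claimed) {
    struct arena a;
    memset(&a, 0, sizeof a);
    a.bytes[0] = 1;                                   /* heartbeat_request */
    a.bytes[1] = (uint8_t)(claimed >> 8);
    a.bytes[2] = (uint8_t)(claimed & 0xff);
    memcpy(a.bytes + HB_HEADER, "hi", 2);
    a.record_len = HB_HEADER + 2 + HB_MIN_PADDING;    /* 21 bytes received */
    memcpy(a.bytes + a.record_len, "ADJACENT-DATA", 13);
    return a;
}
```

With a claimed length of 40 on a 21-byte record, the unchecked echo returns the marker bytes that sit after the record, while the checked echo discards the request.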

Coming Up
Software vulnerabilities