8/9/2019 CS461 01.Overview
http://slidepdf.com/reader/full/cs461-01overview 1/30
Introduction to Computer Security
Slide Set 1
CS498IA
Spring 2007 Nikita Borisov
Based on slides provided by Matt Bishop for use with
Computer Security: Art and Science
Outline
• Administrative Issues
• Class Overview
• Information Assurance Overview
– Components of computer security
– Threats
– Policies and mechanisms
– The role of trust
– Assurance
– Operational Issues
– Human Issues
Reading
• For this lecture:
– First Chapter of Computer Security: Art and Science
• For next lecture:
– Read Chapter 2 of Computer Security: Art and Science
Administrivia
• Instructor
– Nikita Borisov
• Communications
– Class web page http://www.cs.uiuc.edu/class/sp07/cs498ia
– Newsgroup class.cs498ia
• Office Hours:
– TBA
• Grades
– 2 midterms
– 1 final
– approx. bi-weekly homeworks
– extra project for graduate students taking IA4
Grading Scheme

            IA3         IA4
Midterms    20% each    15% each
Final       40%         30%
Homeworks   20%         15%
Project     N/A         25%
Security Classes at UIUC
• Security course roadmap
– http://iti.uiuc.edu/roadmaps/security-roadmap.html
• Two course security introduction sequence
– Cover “Computer Security: Art and Science” by Matt Bishop
– Introduction to Computer Security (CS461)
• Covers NSA 4011 security professional requirements
• A broad overview of security.
– Computer Security (CS463)
• Covers more advanced topics
• Covers introductory topics in greater depth
Security Classes at UIUC
• Applied Computer Security Lab - CS460
– Taught in spring
– With CS461 covers NSA 4013 system administrator requirements
– Project oriented course. Hands on experience to reinforce how basic security concepts are implemented today.
• Advanced Computer Security - CS598cag
– Prepares students for research in computer security
– Seminar style course
• Cryptography – Math 595/ECE 559
• Reading Group
– Listed as CS591rhc
– Student-led group. Reads and discusses current security research papers.
Write on Card
1. Your name & netid
2. Your year (if undergrad) or advisor (if grad)
3. 400- & 500- level courses you’ve taken
4. Why you’re interested in computer security
Why I Like Security
• You get to be paranoid
• You get to look at systems in a broad context
Brief History of Computer
Security
“With the explosive growth of the Internet, there has been a rise in importance of computer security”
Time Lag
• Internet is 35 years old
– Was designed without security provisions
• “Explosive growth” started in mid-’90s
– Security not a priority until much later
• Explosive growth of desktops started in ’80s
– Also no emphasis on security
A less brief history
• Interest in computer security very old
– But largely confined to the military
• Other communities did not care
– Internet - it’s only a research network, who would attack it?
– Desktops - who needs military security, I just want to run my spreadsheet!
Important Events
• Morris worm - 1988
– Brought down a large fraction of the Internet
– Academic interest in network security
• E-commerce - mid ‘90s
– Industrial interest in network security protocols
• Resurgence of worms - early ‘00s
– Made computer security a household term
Class Topics
• Introduction and motivation
• Security Policies: Access Control Matrix, Confidentiality and integrity policies
• Trusted Operating Systems
• Risk Analysis
• Legislation and security
• Applied Cryptography: basic crypto, key management, cipher techniques, authentication
• Network security mechanisms
• Legal and ethical issues in security
• Security design principles, assurance techniques, Auditing
• System evaluation
• Code vulnerabilities and malicious programs
• Physical security
• EMSEC
• Hardware-enforced security
Basic Components
• Confidentiality
– Keeping data and resources hidden
• Integrity
– Data integrity (integrity)
– Origin integrity (authentication)
• Availability
– Enabling access to data and resources
Classes of Threats
• Disclosure
– Snooping
• Deception
– Modification, spoofing, repudiation of origin, denial of receipt
• Disruption
– Modification
• Usurpation
– Modification, spoofing, delay, denial of service
Types of Attackers
• Unskilled hacker (“script-kiddie”)
• Skilled hacker
• Organized crime
• Nation-states
Policies and Mechanisms
• Policy says what is, and is not, allowed
– This defines “security” for the site/system/etc.
• Mechanisms enforce policies
• Composition of policies
– If policies conflict, discrepancies may create security vulnerabilities
Goals of Security
• Prevention
– Prevent attackers from violating security policy
• Detection
– Detect attackers’ violation of security policy
• Recovery
– Stop attack, assess and repair damage
– Continue to function correctly even if attack succeeds
Trust and Assumptions
• Underlie all aspects of security
• Policies
– Unambiguously partition system states
– Correctly capture security requirements
• Mechanisms
– Assumed to enforce policy
– Support mechanisms work correctly
Login Program
check_password(user, pass) {
    if (user == "ken" && pass == "xyzzy") {
        return OK;    /* backdoor: a fixed password always works for "ken" */
    }
    ...
}
A
Compiler Program
compile(source) {
    if (match(source, "check_password")) {
        insert(source, A);    /* plant the login backdoor when compiling login */
    }
    ...
}
B
Compiler Program
compile(source) {
    if (match(source, "check_password")) {
        insert(source, A);    /* plant the login backdoor when compiling login */
    }
    if (match(source, "compile")) {
        insert(source, B);    /* re-plant this fragment when compiling a compiler */
    }
    ...
}
B
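The three slides above sketch Thompson's self-reproducing compiler trojan in pseudocode: the compiled login program carries backdoor A, the compiled compiler carries B, and neither appears in any source file. The following Python is an added worked model of that attack, written for this edit and not part of the original slides or of Bishop's text. It assumes a toy setting in which a "compiler" is a function from source text to "binary" text and a binary is run with exec(); the names TROJAN_TEMPLATE, _trojan, check_password, the user "alice" and every password are constructed for the demonstration. Fragment B's self-insertion uses the quine trick: the payload carries its own text as a string so it can re-emit itself.

```python
"""Toy model of the A/B compiler trojan from the slides (Thompson's
"trusting trust" attack). Constructed example: source and "binary" are
both Python text, a compiler is a function from source text to binary
text, and a binary is run with exec()."""

# The honest compiler: the identity transformation on source text.
CLEAN_COMPILER_SRC = '''
def compile(source):
    return source
'''

# The login program as written: no backdoor anywhere in its source.
# USERS and the password are constructed for the demo.
LOGIN_SRC = '''
USERS = {"alice": "s3cret"}

def check_password(user, pw):
    return USERS.get(user) == pw
'''

# Fragment B as a template. "%s" is where the template's own repr goes,
# so the finished payload contains its own text and can re-emit itself
# (the quine trick that makes the trojan self-propagating).
TROJAN_TEMPLATE = r'''
_TEMPLATE = %s
_PAYLOAD = _TEMPLATE %% repr(_TEMPLATE)

def _trojan(source):
    # Fragment A: when the login program is compiled, plant the backdoor.
    if "def check_password(user, pw):" in source:
        source = source.replace(
            "def check_password(user, pw):\n",
            "def check_password(user, pw):\n"
            "    if user == 'ken' and pw == 'xyzzy':\n"
            "        return True\n", 1)
    # Fragment B: when a compiler is compiled, re-insert this whole payload.
    if "def compile(source):" in source:
        source = _PAYLOAD + source.replace(
            "    return source\n", "    return _trojan(source)\n", 1)
    return source
'''
TROJAN_PAYLOAD = TROJAN_TEMPLATE % repr(TROJAN_TEMPLATE)


def load(binary):
    """'Run' a binary: exec it and hand back its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def trojaned_compiler_binary():
    """The one binary Thompson had to build by hand: the clean compiler
    with the payload attached and compile() routed through _trojan()."""
    return TROJAN_PAYLOAD + CLEAN_COMPILER_SRC.replace(
        "    return source\n", "    return _trojan(source)\n", 1)


def demo():
    """Rebuild the compiler from its clean source using the trojaned
    binary, then compile the clean login program with the result."""
    gen1 = load(trojaned_compiler_binary())["compile"]
    gen2_bin = gen1(CLEAN_COMPILER_SRC)   # clean source in, trojaned binary out
    gen2 = load(gen2_bin)["compile"]
    login = load(gen2(LOGIN_SRC))
    gen3_bin = gen2(CLEAN_COMPILER_SRC)   # and it keeps propagating
    return {
        "backdoor_works": login["check_password"]("ken", "xyzzy"),
        "normal_auth_intact": (login["check_password"]("alice", "s3cret")
                               and not login["check_password"]("alice", "wrong")
                               and not login["check_password"]("ken", "wrong")),
        "rebuilt_compiler_is_fixed_point": (gen2_bin == trojaned_compiler_binary()
                                            and gen3_bin == gen2_bin),
        "trojan_visible_in_any_source": ("_trojan" in CLEAN_COMPILER_SRC
                                         or "xyzzy" in LOGIN_SRC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from running it is the one the next slides make about trust: every source file in this model can be audited line by line and found clean, yet the login binary accepts "ken"/"xyzzy" and every compiler rebuilt from clean source is byte-for-byte the same trojaned binary. The assumption being relied on, that the compiler faithfully translates its input, is exactly what the mechanism breaks.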
Types of Mechanisms
[Figure: three diagrams comparing the set of reachable states with the set of secure states]
• secure: every reachable state is a secure state (reachable ⊆ secure)
• precise: the reachable states are exactly the secure states (reachable = secure)
• broad: some reachable state is not secure (reachable ⊄ secure)
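As an added illustration of those three classes of mechanism (written for this edit, not taken from the slides or from Bishop's text), the following Python models a toy system whose state is the set of rights granted so far, enumerates every state reachable under a given mechanism, and compares that set with the set of states the policy calls secure. The state space, the policy (a guest must never hold write on config) and the three mechanisms are all constructed for the example.

```python
from itertools import combinations

# Constructed toy state space: a system state is the set of rights granted
# so far; each possible grant is a (subject, object, right) triple.
GRANTS = (("alice", "config", "read"),
          ("alice", "config", "write"),
          ("guest", "config", "read"),
          ("guest", "config", "write"))

# Every subset of GRANTS is a possible state (16 states here).
ALL_STATES = frozenset(frozenset(c)
                       for n in range(len(GRANTS) + 1)
                       for c in combinations(GRANTS, n))
START = frozenset()


def policy_allows(state):
    """The policy: a state is secure iff guest never holds write on config."""
    return ("guest", "config", "write") not in state


SECURE_STATES = frozenset(s for s in ALL_STATES if policy_allows(s))


def reachable(start, mechanism):
    """Every state the system can enter from `start` when each grant
    transition must first be permitted by mechanism(state, grant)."""
    seen, frontier = {start}, [start]
    while frontier:
        state = frontier.pop()
        for grant in GRANTS:
            if grant in state or not mechanism(state, grant):
                continue
            nxt = state | {grant}
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return frozenset(seen)


def classify(mechanism):
    """Bishop's three classes, by comparing reachable and secure states."""
    r = reachable(START, mechanism)
    if r == SECURE_STATES:
        return "precise"      # reachable == secure
    if r <= SECURE_STATES:
        return "secure"       # reachable is a proper subset of secure
    return "broad"            # some reachable state is not secure


# Three mechanisms for the same policy.
def no_mechanism(state, grant):
    return True                                   # anything goes


def deny_guest_write(state, grant):
    return not (grant[0] == "guest" and grant[2] == "write")


def deny_all_guest(state, grant):
    return grant[0] != "guest"                    # also blocks a harmless guest read


if __name__ == "__main__":
    for m in (no_mechanism, deny_guest_write, deny_all_guest):
        print(f"{m.__name__}: {classify(m)} "
              f"({len(reachable(START, m))} reachable, {len(SECURE_STATES)} secure)")
```

The secure-but-not-precise mechanism is the one practitioners meet most often: it keeps the system inside the policy but also forbids states the policy would allow, which is where usability complaints and workarounds come from. A broad mechanism is the one that shows up as a vulnerability.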
Assurance
• Specification
– Requirements analysis
– Statement of desired functionality
• Design
– How system will meet specification
• Implementation
– Programs/systems that carry out design
Operational Issues
• Cost-Benefit Analysis
– Is it cheaper to prevent or recover?
• Risk Analysis
– Should we protect something?
– How much should we protect this thing?
• Laws and Customs
– Are desired security measures illegal?
– Will people do them?
Human Issues
• Organizational Problems
– Power and responsibility
– Financial benefits
• People problems
– Outsiders and insiders
– Social engineering
Tying Together
[Figure: the chain Threats → Policy → Specification → Design → Implementation → Operation; the remaining label in the figure is Information]
Key Points
• Policy defines security, and mechanisms enforce security
– Confidentiality
– Integrity
– Availability
• Trust and knowing assumptions
• Importance of assurance
• The human factor