Bài giảng Computer Security - 5. Security Paradigms and Pervasive Trust Paradigm

5. Security Paradigms andPervasive Trust ParadigmProf. Bharat BhargavaCenter for Education and Research in Information Assurance and Security (CERIAS)andDepartment of Computer SciencesPurdue University bb@cs.purdue.eduCollaborators in the RAID Lab ( Leszek Lilien (former Post Doc)Dr. Yuhui Zhong (former Ph.D. Student) This research is supported by CERIAS and NSF grants from IIS and ANIR.[cf. Csilla Farkas, University of South Carolina]Information hidingPrivacySecurity TrustApplications Policy makingFormal modelsNegotiation Network securityAnonymity Access controlSemantic web security Encryption Data miningSystem monitoringComputer epidemic Data provenance FraudBiometricsIntegrityVulnerabilitiesThreatsOutlineHow to use trust for authentication and authorization in open computing systems?Old security paradigms (OSPs)Failures of OSPsExample of enhancing OSPDefining new security paradigms (NSPs)Challenges and requirements for NSPsReview and examples of existing security paradigmsNew Paradigm: Pervasive TrustOld Computer Security ParadigmsInformation Fortress [Blakeley, NSPW’96]Walls (security perimeter, firewalls)Guards and gates (access control)Passwords (passwords)Fortress contents (computer system, confidential data)Spies, saboteurs, and Trojan Horses (viruses, worms, Trojan horses)CIA = Confidentiality, Integrity, and AvailabilityOriginally misnamed “PIA” to avoid “CIA” [Greenwald, NSPW’98]with “P” for “Privacy” (but really meaning “Confidentiality”)Failures of Old Security Paradigms (1)Opinions of Dr. Bill WulfPioneer in computer securityPresident of the National Academy of Engineering (U.S.A.)Computer security made little progress between mid 70’s and mid 90’sWhy? (top 5 reasons)Fatally flawed basic assumption of Perimeter Defense (PD)Misconception that security flaws rise because of s/w bugs (not only!)PD cannot defend against legitimate insidersPD can’t prevent DoS attacks (which don’t penetrate systems)PD has never worked (not a single PD-based system that works)Failures of Old Security Paradigms (2)Incremental R&D in last 30 years tried to fix the Perimeter Defense model problemSuggestionsMaybe system should not define security – instead define best effort deliveryDefine inherently distributed security modelGeneral security is not a good ideasecurity must be application-specific, context-specific, etc.Challenge the basic security assumptions and explore alternative security solutionsFailures of Old Security Paradigms (3) Opinions of Farnam Jahanian [U. Michigan] w.r.t. Perimeter Security for ISPs Perimeter Security can’t address:Zero-day threatsInternal misuseOn-site consultants and contractorsPartner extranetsExposed VPN clients and open wireless environments Solutions:Virtualize perimeterModel network not threatsUse defense in depthDeal with crumbling perimeter of enterprise security (evolving models of threat, trust, business)Old Paradigms Are Not Sufficient Enhance Old Security Paradigms (OSPs) OR: Replace OSPs with New Security Paradigms Example of Enhancing OSP at FAA:Vulnerabilities and CountermeasuresFAA = Federal Aviation Administration Approach [Dan Meehan, FAA, Aug.2003]Vulnerability trendsNumber of uncovered vulnerabilities doubling each yearDecreasing vulnerability-to-exploit time (often need Pervasive SecurityPervasive Security Challenges (1) Large set of attacks possible, e.g.:Physical attacks in addition to all types of software attacks=>need tamper resistance (e.g., hardware-based intrusion detection)Information leaks => need physical obfuscation (e.g. deceiving data)Power-draining attacksBandwidth-usage attacks => prevent, e.g., by charging users for BW “Always-on” wireless connectivityFirewall or Superuser approaches do not work wellDoS attacks and DoS accidents difficult to protect against (e.g., a center-of-attention DoS accident, when too many legitimate messages sent to a device until it becomes overloaded; e.g., when it joins a new system, or when it offers an extremely popular service)Energy-efficient cryptography needed (authentication and encryption)[cf. NSF IDM Workshop, August 2003]Pervasive Security Challenges (2) Heterogeneous devices with limited resources (CPU, memory, bandwidth, energy, )Detect corrupted sensors and actuatorsDetect s/w breaksEfficient “lightweight” cryptographic primitives portable, low-power, low-memory usage, simple, proven security Lack of clarity regarding Trusted BaseOn whose behalf is the device acting ?What software or hardware is trusted ? How do we achieve (provable) security with a minimal Trusted Computing Base ? Need to define security mechanisms across the hardware/software interface[cf. NSF IDM Workshop, August 2003]Key Concepts for New Security Paradigms(FAA Perspective) Broad system approach Robust architecture with multiple layers of protection Constant vigilance Dealing with pervasive and global challenge to critical infrastructure Dynamic net configuration and automatic recovery Combine social and technological solutions[Dan Meehan, FAA, Aug.2003]Principles for New ParadigmsSecurity should be inherent, not add-onDo not depend on identity, don’t authenticate itGood enough is good enough. Perfect is too goodAdapt and evolveUse ideas of security from open social systems[Blakley, 1996]Security Paradigms w.r.t. Sources (1) [Generic and specialized] Paradigm categories w.r.t. their sources:Computer scienceReliability, integrity, or fault toleranceConcurrency controlBiological phenomenaHuman organism and immune systemsGeneticsEpidemiologyEcologyPhysical phenomenaDiffusion or percolationSecurity Paradigms w.r.t. Sources (2) cont - [Generic and specialized] Paradigm categories w.r.t. their sources:Mathematical theoriesGame theoryArtificial and natural models of animal and human social systemsMilitary science theories and systemsBusiness and economic systemsEsp. accounting and auditing systems--- Details for each of the categories follow --- CS Paradigms: Compromise ToleranceAnalogy: computer science – fault toleranceFault (compromise) tolerance: ability of a system to work acceptably even when components have failed (have been compromised)Compromise tolerance vs. fault tolerance [Kahn, 1998]Behavior of faulty components is simpler -- compromised components may be maliciously cleverFaults are usually independent -- compromises are notSolution: independent corroborationIndependent corroboration is a form of redundancyDifficulty: independence is difficult to pin downhow can software judge whether two principals are independent? Analysis of “independence”independence is not absolute, but relative to one's interestsindependence judgments are closely tied to trustindependence judgments are based largely on known connections between the principalsCS Paradigms: Optimistic Access ControlAnalogy: computer science – optimistic concurrency controlOptimistic concurrency controlLet transactions execute / Undo or compensate transactions that violated rulesOptimistic access control (OAC) [Povey, 1999]Enforcement of access rules is retrospectiveSystem administrator ensures that the system is not misusedCompensating transactions to recover system integrity in the case of a breachHandles emergenciesWorking alongside traditional access control, which handles normal situationsApplicabilityOAC enables defining security policies with emergency roles:Allow users to exceed their normal least-privilege access rights on rare special occasions (disaster, medical emergency, critical deadline)Bio Paradigms: Human vs. ComputerAnalogy: biology – human organismStriking similarities between humans and computer systems [Williams, 1996]Made up of many distinct but tightly integrated subsystemsRecursively, subsystems include subsystemsHave external interfaces (human: skin, eyes – computers: physical protection, I/O devices)Have internal interfaces (human: nervous system and heart – computers: int. between modules)Check for bad input (human: sneezing if foreign particles – computers: input validation)Detect intrusions (human: immune system – computers: IDS or IPS)Correct errors (human: rebuilding of genetic material – computers: fault tolerance)Conclusions “We can learn a lot about securing complex systems by looking to evolution and medicine. From evolution, we should especially note the complex relationship between threats and protections.” [Williams, 1996]Bio Paradigms: New Availability ModelAnalogy: biology – epidemiologySystem availability: [Lin, Ricciardi, Marzullo, 1998]Probability that the system satisfies its specification: no more than f processes are infectedApplication of epidemiology [ibid]Model: a simple epidemic with a zero latency periodDifferent from existing epidemiological approaches (e.g, as used for virus propagation modeling)Transmission of infection is more restricted than general mixing of populations Measure: availability -- not the expected % of infected processes as a function of timeAssumed: the system will not misbehave if no more than f processes are infectedA simple epidemic model (not a general epidemic model)Disinfection not done unless too many processes infectedExpensive: either identify infected processes or reload all processes from trusted imagesObservationWhen connectivity is low, a higher transmission rate is required for an epidemic to become widespreadPhysics Paradigms: Insecurity FlowAnalogy: physics – percolation theoryInsecurity flow throughout security domains [Moskowitz and Kang, 1997]Insecurity flow – not information flowCan insecurity flow penetrate a protection? (all-or-nothing: no partial flows)Security violation: protective layers broke down and insecurity flows inIn the physics worldFire spreading through a forest, orLiquid spreading through a porous material are analyzed via percolation theoryInsecurity flow is similarly analyzedSource: point where invader starts outSink : repository of information that we protectSecurity violation: when insecurity flow reaches the sinkMath Paradigms: MANET SecurityAnalogy: math – game theoryPotential node misbehaviors in mobile ad hoc networks (MANETs) [Michiardi and Molva, 2002]Passive DoS attacks: no energy cost for attackersAttacks by malicious nodes: harm others, w/o spending any energyAttacks by selfish nodes: save my energyActive DoS attacks: energy cost for attackersAttacks by malicious nodes: harm others, even if it costs energy CORE security mechanismBased on reputationAssures cooperation among ≤ N/2 nodes (N = number of network nodes)Game theory model used to analyze COREPrisoner’s Dilemma (PD) game [Tucker, 1968]Represents strategy to be chosen by nodes of a mobile ad hoc networkNodes are players: can cooperate or “defect”Prisoner’s Dilemma examplePolice arrest two robbers who hid stolen money, and interrogate them in separate cellsEach criminal faces two choices: to confess (defect) or not (cooperate)If a criminal does not confess while his partner does, he will be jailed while his partner is set free – partner gets all hidden moneyIf both confess, both will go to jail - money is safe: they’ll divide hidden money when set freeIf neither of them confesses, both will be set free - money is safe: they’ll divide hidden moneyClassical PD: the game is played only onceDominant strategy: confess (regardless of the other player’s move)Notion of trust is irrelevant – there is no “next time”Extended PD: m-dimensional gameBuilding mutual trust over time gives the best result:Both criminals are set free, each gets 50% of hidden money in each of m cyclesMath Paradigms: MANET Security - cont.Social Paradigms: SafeBotAnalogy: social interactions, bodyguardsIdea of SafeBots [Filman and Linden, 1996]Software security controls implemented as ubiquitous, communicating, dynamically confederating agents that monitor and control communications among the components of preexisting applicationsAgents remember events, communicate with other agents, draw inferences, and plan actions to achieve security goalsA pervasive approach, in contrast to, e.g., firewallsImplementationFoolproof security controls for distributed systemsFlexible and context-sensitiveTranslate very high level specification languages into wrappers (executables) around insecure componentsObservation: mammals devote large fraction of processing to securityMaybe computer systems should devote to security 100 times more resources? [Filman and Linden, 1996, as reported by Zurko]Social Paradigms: Traffic MaskingAnalogy: military – intelligence services - deceptionTraffic analysis attacksFor RPC communication, TAA can determine the identity of the remote method by analyzing the length of the message and the values of the arguments being passed to the methodSolution: traffic masking by data padding [Timmerman, 1997]Prevents inferringAdding padding data makes all of the messages look identical in terms of their length and the type of data that is being sent. Messages are “masked” to an eavesdropper Any message may be used to invoke any of the methods on the serverSocial Paradigms: Small WorldSmall-world phenomenon [Milgram, 1967]Find chains of acquaintances linking pairs of people in the United States who did not know one another (remember the Erdös number?)Result: the average number of intermediate steps in a successful chain: between five and six => the six degrees of separation principleRelevance to security research [Čapkun et al., 2002]A graph exhibits the small-world phenomenon if (roughly speaking) any two vertices in the graph are likely to be connected through a short sequence of intermediate verticesConclusion: After reviewing and analyzing the paradigms, selected a social paradigm for A&ACandidate Paradigm: Pervasive Trust Pervasive Trust (PT) (“peet”)New authentication and authorization (A&A) paradigmDefined after examination of many generic and specific paradigmsSatisfies the generic security paradigm of Defense in Depth Satisfies the generic security paradigm of Pervasive SecurityWhy Pervasive Trust? Trust ratings underlie interactions among components:at the perimeterwithin the system Analogous to a social model of interactiontrust is constantly –if often unconsciously– applied in interactions between:peoplebusinessesinstitutionsanimals (e.g.: a guide dog)artifacts (e.g.: “Can I rely on my car for this long trip?”)What is Pervasive Trust? Answer 1: Using trust in Pervasive Computing Answer 2: Using trust pervasively in any computing systemUsing trust is pervasive in social systemsSmall village – big city analogy for closed system – open systemInitial Use of Pervasive Trust Initial use of pervasive trust:perimeter-defense authorization model Investigated by B. Bhargava, Y. Zhong, et al., 2002 - 2003using trust ratings:direct experiencessecond-hand recommendationsusing trust ratings to enhance the role-based access control (RBAC) mechanismReferencesSlides based on BB+LL part of the paper: Bharat Bhargava, Leszek Lilien, Arnon Rosenthal, Marianne Winslett, “Pervasive Trust,” IEEE Intelligent Systems, Sept./Oct. 2004, pp.74-77 “Private and Trusted Interactions,” by B. Bhargava and L. Lilien, March 2004. “Trust, Privacy, and Security. Summary of a Workshop Breakout Session at the National Science Foundation Information and Data Management (IDM) Workshop held in Seattle, Washington, September 14 - 16, 2003” by B. Bhargava, C. Farkas, L. Lilien and F. Makedon, CERIAS Tech Report 2003-34, CERIAS, Purdue University, November 2003. or https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2003-34.pdfPaper References:1. The American Heritage Dictionary of the English Language, 4th ed., Houghton Mifflin, 2000.2. B. Bhargava et al., Trust, Privacy, and Security: Summary of a Workshop Breakout Session at the National Science Foundation Information and Data Management (IDM) Workshop held in Seattle,Washington, Sep. 14–16, 2003, tech. report 2003-34, Center for Education and Research in Information Assurance and Security, Purdue Univ., Dec. 2003; www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2003-34.pdf.3. “Internet Security Glossary,” The Internet Society, Aug. 2004; www.faqs.org/rfcs/rfc2828.html.4. B. Bhargava and L. Lilien “Private and Trusted Collaborations,” to appear in Secure Knowledge Management (SKM 2004): A Workshop, 2004.5. “Sensor Nation: Special Report,” IEEE Spectrum, vol. 41, no. 7, 2004.6. R. Khare and A. Rifkin, “Trust Management on the World Wide Web,” First Monday, vol. 3, no. 6, 1998; www.firstmonday.dk/issues/issue3_6/khare.7. M. Richardson, R. Agrawal, and P. Domingos,“Trust Management for the Semantic Web,” Proc. 2nd Int’l Semantic Web Conf., LNCS 2870, Springer-Verlag, 2003, pp. 351–368.8. P. Schiegg et al., “Supply Chain Management Systems—A Survey of the State of the Art,” Collaborative Systems for Production Management: Proc. 8th Int’l Conf. Advances in Production Management Systems (APMS 2002), IFIP Conf. Proc. 257, Kluwer, 2002.9. N.C. Romano Jr. and J. Fjermestad, “Electronic Commerce Customer Relationship Management: A Research Agenda,” Information Technology and Management, vol. 4, nos. 2–3, 2003, pp. 233–258.THE END