Trust in Cyberspace (1999) / Chapter Skim
Currently Skimming:
4 Reinventing Security
4 Reinventing Security
Pages 109-153
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 109... ...
Similarly, the level of physical security afforded to the NISs that support stock markets like the NYSE and AMEX is greater that that of a typical commercial system. Although physical and personnel controls are essential elements of system security, they are largely outside the scope of this study.
|
From page 110... ...
Moreover, because most COTS components are intended for constructing a range of systems, their security mechanisms usually are not tailored to specific needs. Instead, they reflect perceptions by a product-marketing organization about the requirements of a fairly broad market segment.2 The task faced by the NIS security architect, then, is determining (1)
|
From page 111... ...
Clearly, these attacks should be of great concern to NIS security architects. ACCESS CONTROL POLICIES It is common to describe access controls in terms of the policies that they support and to judge the effectiveness of access control mechanisms relative to their support for those policies.
|
From page 114... ...
Access controls can enforce the principle of least privilege.3 In this fashion, they prevent and contain attacks. Before suggesting directions for the future, it is instructive to examine the two basic types of access control policies that have dominated computer security work for over two and a half decades: discretionary access control and mandatory access control.
|
From page 115... ...
Shortcomings of Formal Policy Models Despite the lion's share of attention from researchers and actual support in deployed system security mechanisms, many security policies of practical interest cannot be formulated as discretionary and mandatory access control policies. Discretionary and mandatory access control focus on protecting information from unauthorized access.
|
From page 116... ...
And modern programs likely have their own access controls, independent of what is provided by the underlying operating system and the DOD access control model. An access control model that does not capture this aspect of computing systems is fatally flawed.
|
From page 117... ...
DGSA does not legislate that only the DOD access control model be used; instead it supports a broad set of security policies that go far beyond the traditional information-flow policies. DGSA also does not discourage DOD end users from employing the latest in object-based, distributed systems, networks, and so on, while instituting rich access control, integrity, and availability policies.
|
From page 118... ...
118 TRUST IN CYBERSPACE A New Approach One can view the ultimate goal as the building of systems that resist attack. Attackers exploit subtle flaws and side effects in security mechanisms and, more typically, exploit interactions between mechanisms.
|
From page 119... ...
But the arguments given earlier suggest that suitable formal models for NIS security policies, which invariably include stipulations about availability and application semantics, do not today exist and would be difficult to develop. Moreover, establishing a correspondence between a system and a formal model has proved impractical, even for systems built specifically with the construction of that correspondence in mind and for which analysts have complete knowledge and access to internals.
|
From page 120... ...
(In a world where monitoring radio transmissions was difficult but kidnapping diplomatic couriers bearing cryptographic keys was easy, the perceived threats would be different and the encryption solution no longer would be appropriate.) Vulnerability assessments provide a well-known way to identify system insecurities.
|
From page 121... ...
When implemented with a moderate degree of assurance, networkbased authentication can be appealing. It relies on a third party the network provider rather than burdening end users or servers.
|
From page 122... ...
The simplest form of cryptographic authentication is based on an implicit property of encryption: if an entity does not possess the proper key, then encrypted messages sent or received by that entity decrypt into random bits. More-sophisticated forms employ cryptographic protocols stylized exchanges between two or more parties to authenticate callers and to distribute short-term cryptographic keys.
|
From page 123... ...
Hardware tokens are evolving into full-fledged, personal cryptographic devices, capable of providing services beyond authentication. Biometric Techniques Biometric authentication techniques rely on presumed-unique characteristics of individuals: voice-print systems, fingerprint readers, retinal or iris scanners, and so forth.
|
From page 124... ...
Legitimate needs will arise for new cryptographic authentication protocols (e.g., practical multicast communication authentication) , but the technology for verifying these protocols is far from mature.
|
From page 125... ...
is the same as the key used to verify it. This means that pairs of communicating parties must share a secret, and if that secret becomes known to some third party, then that third party becomes empowered (1)
|
From page 126... ...
The keys used for decryption and integritycheck generation are called private keys; they are kept secret and generally known only to a single party. The keys used for encryption and integrity-check verification are called public keys; these can be freely published (hence the name "public-key cryptography".
|
From page 127... ...
for cryptographic services will promote greater use of such services in NISs. Cryptographic services are an extremely effective means for solving certain security problems in geographically distributed systems.
|
From page 128... ...
Certification Authorities With public-key cryptography, the challenge is distributing the public keys in a secure fashion.l4 Confidentiality is not an issue because public keys are not secret, but integrity protection is. If A wants to send an encrypted message to B and A can be misled by an attacker about B's public key, then A can be tricked into encrypting messages for B using the attacker's public key.
|
From page 129... ...
Numerous examples of inauthentic PGP keys resident in various public servers raise questions about the actual size of POP's deployment. Web browsers employ server certificates, usually issued by public CAs (see below)
|
From page 130... ...
When public-key cryptography was first described in the open literature, no mention was made of certificates the public keys associated with identities were simply presumed to be available whenever needed. An MIT bachelor's thesis (Kornfelder, 1978)
|
From page 131... ...
Any user with a public key can issue a certificate whose subject is any other user. POP works in this fashion; its certification model is called a web of trust.
|
From page 132... ...
Another approach to certificate use is embodied by what are called "key-centric" systems, such as the Secure Distributed Security Infrastructure (SDSI) , in which all names bound to public keys are viewed as having only local significance, for the syntactic convenience of users.
|
From page 133... ...
However, VPNs implemented in this way are vulnerable to wiretapping attacks conducted on the underlying real network and to administrative configuration errors. To prevent wiretapping, cryptographic protocols can be employed at either the network or Internet layer.
|
From page 134... ...
. Access control in IPsec is based on cryptographic authentication, effected initially through key distribution and on a continuing basis through the use of a keyed message authentication function.
|
From page 135... ...
Third, it is easier to administer software on one or a small number of firewalls than to do so for the entire collection of workstations, personal computers, and servers composing an organization's computing network. Physical access to a computer's console might be necessary for setting or checking its configuration, for example.
|
From page 136... ...
The first three correspond to layers of the protocol stack; the fourth tends to incorporate features of both network and application layer systems. Attacks conveyed using protocol layers higher than the one at which the firewall operates cannot be blocked by the firewall, because the firewall cannot filter those messages.
|
From page 137... ...
Most often they are used to permit the flow of information from a lower-sensitivity environment to a higher-sensitivity enclave in support of mandatory access control policies, blocking possible reverse information flow that might accompany protocol acknowledgment and flow-control traffic. Automated filters within guards have been designed to ensure that all traffic conforms to specified criteria, including field-by-field restrictions on types or values.
|
From page 138... ...
Closed user groups have some utility in individual, circuit switched networks, but they will become increasingly irrelevant as networking migrates to the Internet proper or to Internet technology.
|
From page 139... ...
Thus, all the issues cited for firewalls are applicable here, but with increased emphasis on assurance and mandatory access control policies. FOREIGN CODE AND APPLICATION-LEVEL SECURITY Most users today execute software written by others.
|
From page 140... ...
Industry trends are toward even greater use of "active document" technology (e.g., Apple OpenDoc and Microsoft OLIN, which means that more blurring of documents and executable content is likely to occur. The increased use of foreign code may enable enhanced functionality, but it also will create a problem: system trustworthiness will erode unless security mechanisms are developed and deployed for confining the ef 2)
|
From page 141... ...
The ActiveX Approach The ActiveX security mechanisms allow modules to be digitally signed pieces of code. Users check this signature and, based on that, decide whether a module should be permitted to execute.
|
From page 142... ...
IDK 1.2 programmers must now master this complexity. Also, users and programmers must now correctly assess and configure suitable sets of access rights for executing foreign code.
|
From page 143... ...
3. Confining foreign code according to an interpreter that provides a rich access control model has potential, provided programmers and users have a means to correctly assess and configure suitable sets of access rights.
|
From page 144... ...
The problem is only exacerbated by the all-too-frequent mismatch between application-level security policies, which involve application-level abstractions, and the low-level objects and permissions constituting an FGAC configuration. FGAC is important, but there is more to application security than access control.
|
From page 145... ...
Moreover, modern applications tend to involve security policies defined in terms of application-level abstractions rather than operating system ones. Thus, while there remains a need for security mechanisms in an operating system, it seems clear that enforcing security increasingly will be a responsibility shared between the operating system and the application.
|
From page 146... ...
The behavior of programs that never attempt illegal memory accesses is unaffected by the modifications; programs that would have violated memory safety end up accessing legal addresses instead. Note that the use of program modification to enforce security policies is not limited to memory safety, and any security policy that can be enforced by moni
|
From page 148... ...
SFI and PCC might well represent the vanguard of a new approach to the enforcement of some security policies an approach in which programming language technology is leveraged to obtain mechanisms that are more efficient and that are better suited to the higher-level abstractions that characterize applications-level security. Most programming today is done in high-level typed languages, and good use might be made of the structural and type information that high-level languages provide.
|
From page 149... ...
and proof-carrying code (PCC) are promising new approaches to enforcing security policies.
|
From page 150... ...
On the Internet, such a coordinated attack is not difficult to launch because PCs and many other Internet hosts run operating systems that are easy to subvert and because the Web and foreign code provide a vehicle for causing attack code to be downloaded onto the hosts. Not all denial-of-service attacks involve saturating servers or resources, though.
|
From page 151... ...
1987. "A Comparison of Commercial and Military Computer Security Policies," pp.
|
From page 152... ...
1998. Enforceable Security Policies, Technical Report TR98-1664, Computer Science Department, Cornell University, Ithaca, NY.
|
From page 153... ...
Podell, eds. Los Alamitos, CA: IEEE Computer Society Press.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.