Number of slides: 22
What is Computer Security?
For Professor Ruan's class at Nankai University
Clark Thomborson, 2nd April 2007
Questions to be (Partially) Answered
- What is security?
- What types of security can be handled by a computer?
- But first... let me introduce myself.
Clark Thom{p,bor}son
- Clark Thompson: 1954-1986
  - 1971-75: BS (Honors) Chemistry and MS Comp. Sci/Comp. Eng'g at Stanford.
  - 1976-9: Ph.D Computer Science at C-MU.
  - 1977-86: parallel algorithms, connection networks, VLSI complexity at UC Berkeley.
- 1986: Thompson + Borske = Thomborson
  - 1986-96: VLSI algorithmics, randomized rounding, supercomputer performance at U Minnesota – Duluth.
  - 1996-present: software obfuscation, watermarking, tamperproofing, trusted computing at Auckland.
NZ and Auckland
- New Zealand is a South Pacific island nation, populated by
  - 600,000 "Maori": the first people of NZ, about 800 years ago.
  - 300,000 "Asian" (Chinese, Indian, Iranian, ...)
  - 300,000 "Pacific" (Samoan, Fijian, Tongan, ...)
  - 3,100,000 "European" (mostly emigrants from Great Britain)
- 1,300,000 people live in the Auckland region.
  - Population density is very low almost everywhere else in NZ.
  - 4.3 million people in 270,000 km² = 16 people / km²
  - Tianjin: 11 million people in 11,000 km² = 1000 people / km²
- The University of Auckland has 25,000 undergraduate students, 5,000 postgraduate students, and 4,000 staff.
  - 5,500 of our students are from other countries.
Computer Science Department
- We are the largest and most diversified computer science department in New Zealand:
  - 40 staff
  - 800 undergraduates
  - 100 postgraduates
Secure Systems Group
- Inventions:
  - Software obfuscation,
  - Software watermarking,
  - Tamperproofing, and
  - 3D object watermarking (subcontract: Cardiff U)
- Secure systems development:
  - Applications of trusted computing,
  - Specification of security requirements, and
  - Security improvements
- http://www.cs.auckland.ac.nz/research/groups/ssg/
CSC Ph.D Scholarships
- 20 Ph.D Scholarships per year from the China Scholarship Council and the University of Auckland
  - The CSC pays travel and living expenses.
  - The University of Auckland does not charge tuition fees (other Ph.D students pay NZD $5000/year ~ USD $3000/year).
- Our Ph.D programme is 3 to 4 years of supervised research, with no coursework.
  - You must already have a research-oriented Master's degree.
  - You must find a supervisor and define a topic before you are admitted.
  - See http://www.cs.auckland.ac.nz/phd/ and www.csc.edu.cn.
What is Security? (A Taxonomic Overview)
"The first step in wisdom is to know the things themselves; this notion consists in having a true idea of the objects; objects are distinguished and known by classifying them methodically and giving them appropriate names. Therefore, classification and name-giving will be the foundation of our science."
Carolus Linnæus, Systema Naturæ, 1735 (from Lindqvist and Jonsson, "How to Systematically Classify Computer Security Intrusions", 1997.)
Standard Taxonomy of Security
1. Confidentiality: no one is allowed to read, unless they are authorised.
2. Integrity: no one is allowed to write, unless they are authorised.
3. Availability: all authorised reads and writes will be performed by the system.
- Authorisation: giving someone the authority to do something.
- Authentication: being assured of someone's identity.
- Identification: knowing someone's name or ID#.
- Auditing: maintaining (and reviewing) records of security decisions.
A Multi-Level Hierarchy
- "Static security": the confidentiality, integrity, and availability properties of a system.
- "Dynamic security": the gold standard of Authentication, Authorisation, Audit.
  - These processes assure static security.
  - If these processes run too often, we have a "gold-plated" system design! (Infeasible – too expensive.)
  - Metaphorically, a security engineer should
    - Seal all security perimeters with an authenticating gold veneer (note: a veneer is a very thin sheet),
    - Sprinkle auditing gold-dust uniformly but very sparingly over the most important security areas, and
    - Place an authorising golden seal on the most important accesses, but not on any other accesses.
Security Governance
- Governance should be pro-active, not reactive.
- Governors should constantly be asking questions, considering the answers, and revising plans:
  - Specification, or Policy (answering the question of what the system is supposed to do),
  - Implementation (answering the question of how to make the system do what it is supposed to do), and
  - Assurance (answering the question of whether the system is meeting its specifications).
- Governors cannot be involved in the low-level decisions of static security, and they should not be heavily involved in dynamic security.
  - They should be security executives, not its operators.
Generalized Static Security
- Confidentiality, Integrity, and Availability only cover security for read and write operations.
- What about security for executable objects?
  - Unix directories have "rwx" permission bits.
- Do we need a fourth aspect of static security?
  - XXXX-ity: all executions must be authorised.
  - I don't know a good name for this property. (Is there a good name for it in Chinese? gwi ju? => "guijuity"?)
- At the top of a taxonomy we should combine, rather than divide.
  - Confidentiality, Integrity, and XXXX-ity are all Prohibitions.
  - Availability is a Permission.
[Figure: two trees. Left: S (static security) over C, I, X, A. Right: S over P− (prohibitions: C, I, X) and P+ (permissions: A).]
Prohibitions and Permissions
- Prohibition: (try to) prevent something from happening.
- Permission: (try to) allow something to happen.
- There are two types of secure systems:
  - In a prohibitive system, all operations are prohibited by default. Permissions are granted in special cases, e.g. to authorised individuals.
  - In a permissive system, all operations are allowed by default. Prohibitions are special cases, e.g. when an individual attempts to access a secure system.
- Prohibitive systems have permissive subsystems. Permissive systems have prohibitive subsystems.
Recursive Security; Allowances
- Prohibitions, e.g. "Thou shalt not kill."
  - General rule: An action (in some range R) is not allowed, with exceptions (permissions) P1, P2, P3, ...
- Permissions, e.g. an entry visa.
  - General rule: An action in P is allowed, with exceptions (prohibitions) R1, R2, R3, ...
- This leads to a hierarchy of controls on actions.
[Figure: nested regions labelled P: allowed; R1: prohibited; P1; P2; R3.]
Is Our Taxonomy Complete?
- Prohibitions and permissions are properties of hierarchical systems, such as a judicial system.
  - Most legal controls ("laws") are prohibitive. A few are permissive.
- Contracts are non-hierarchical: agreed between peers.
  - Obligations are promises to do something in the future.
  - Exemptions are exceptions to an obligation.
  - The contract must specify a dispute-resolution procedure. Often this is an obligation to submit to a legal judgement.
- There are two types of peerages: obligatory and exemptive.
  - Obligatory peerages have exemptive subsystems.
  - Exemptive peerages have obligatory subsystems.
- Can we have hierarchies within peerages, and peerages within hierarchies?
  - Yes, but the linkage is still obscure to me. I intend to keep working on this. Maybe you can help!
Inactions and Actions; Requirements
- Obligations are requirements on actions, e.g. "Honour thy father and mother." Note: these are prohibitions on inactions.
  - Obligation rule: An action (in some range O) is required, with exemptions O1, O2, O3, ...
- Exemptions are non-requirements on actions, e.g. "A trustee shall not be answerable for involuntary acts." These are permissions on inactions.
  - Exemption rule: An action in E is not required, with obligations E1, E2, ...
- We have added a new level to our hierarchy!
[Figure: two trees. Left: S over Pro, Per, Obl, Exe. Right: S over P− (Pro, Obl) and P+ (Per, Exe).]
- Our new taxonomy has more descriptive power than the CIA taxonomy.
  - I still want to see a "design win". Will these insights lead to better security in the real world?
Reviewing our Questions
1. What is security?
  - Three layers: static, dynamic, governance.
  - Four types of static security rules: prohibitions, permissions, obligations, and exemptions. A taxonomic structure is (requirements, allowances) x (actions, inactions).
2. What types of security can be handled by a computer?
Computer Security Systems
- Definition. A computer system is a static security detector if it has
  - a set of static security rules, expressed as efficient computer programs,
  - reliable inputs, to determine when an action or an inaction is required or not allowed, and
  - a reliable output channel to an enforcement agent (computer or human).
- Definition. A computer system is a static security enforcer if
  - its outputs effectively control the system's compliance with its static security rules, and
  - its inputs are supplied by one or more static security detectors.
- Computers can implement most of the dynamic layer of security: auditing, authorisation, authentication, identification.
  - Most level-2 operations are automated, but human oversight is necessary.
- Computers can give very limited assistance at the governance layer.
  - Governors make tradeoffs among specification, implementation, and assurance activities. Human judgement is required!
- Let's briefly consider the primary methods of control.
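As an added example that is not part of the original slides: the recursive hierarchy of controls (prohibitions with permission exceptions, obligations with exemption exceptions, and so on) from the slides above, together with the "static security detector" just defined, written as a small Python evaluator. The accounts, paths and event stream are constructed for illustration and do not come from the talk.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Action:
    subject: str  # who acts
    op: str       # read / write / log
    obj: str      # what is acted on

# A control covers a range of actions and lists exceptions of the opposite kind
# (prohibit<->permit for actions, require<->exempt for inactions), recursively.
OPPOSITE = {"prohibit": "permit", "permit": "prohibit", "require": "exempt", "exempt": "require"}
@dataclass
class Control:
    kind: str
    covers: Callable[[Action], bool]
    exceptions: List["Control"] = field(default_factory=list)
    def __post_init__(self) -> None:
        assert all(ex.kind == OPPOSITE[self.kind] for ex in self.exceptions), "kinds must alternate"
def verdict(ctrl: Control, act: Action) -> Optional[str]:
    """The innermost matching control decides; None if the action is out of range."""
    if not ctrl.covers(act):
        return None
    for ex in ctrl.exceptions:
        inner = verdict(ex, act)
        if inner is not None:
            return inner
    return ctrl.kind
SYSTEM = {"root", "auditd", "apt"}  # constructed system accounts
# Prohibitive system: all prohibited by default; operators may read logs, except the
# raw audit trail; system accounts may do anything.
PROHIBITIVE = Control("prohibit", lambda a: True, [
    Control("permit", lambda a: a.op == "read" and a.obj.startswith("/var/log/"),
            [Control("prohibit", lambda a: a.obj == "/var/log/audit/audit.log")]),
    Control("permit", lambda a: a.subject in SYSTEM)])
# Obligation on an inaction: a write under /etc must be logged by auditd, unless apt did it.
OBLIGATIONS = Control("require", lambda a: a.op == "write" and a.obj.startswith("/etc/"),
                      [Control("exempt", lambda a: a.subject == "apt")])
def detect(performed: List[Action]) -> List[str]:
    """Static security detector: rules as programs, events as input, findings as output."""
    done, findings = set(performed), []
    for a in performed:
        if verdict(PROHIBITIVE, a) == "prohibit":
            findings.append(f"prohibited: {a.subject} {a.op} {a.obj}")
        if verdict(OBLIGATIONS, a) == "require" and Action("auditd", "log", a.obj) not in done:
            findings.append(f"unmet obligation: {a.subject} write {a.obj} not logged")
    return findings
SAMPLE = [Action("alice", "read", "/var/log/syslog"), Action("alice", "read", "/var/log/audit/audit.log"),
          Action("root", "write", "/etc/shadow"), Action("auditd", "log", "/etc/shadow"),
          Action("apt", "write", "/etc/hosts"), Action("bob", "write", "/etc/passwd")]  # constructed
```

Running detect(SAMPLE) yields three findings: alice's read of the raw audit trail, bob's write to /etc/passwd, and the missing log record for that write; a static security enforcer in the slides' sense would consume that list.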
Lessig's Taxonomy of Control
[Figure: four axes of control]
- Governments make things legal or illegal (Legal / Illegal).
- Our culture makes things moral or immoral (Moral / Immoral).
- The world's economy makes things inexpensive or expensive (Inexpensive / Expensive).
- Computers make things easy or difficult (Easy / Difficult).
Reviewing our Questions
- What is security?
- What types of security can be handled by a computer?
Partial answers:
- There are three layers of security: static, dynamic, and governance.
- Computers can handle the first two layers.