THE SECURITY ENVIRONMENT

Goal                  Threat
Data confidentiality  Exposure of data
Data integrity        Tampering with data
System availability   Denial of service
Intruders
• In the security literature, people who are nosing around places where they have no business being are called intruders or sometimes adversaries (News Paper).
• Intruders act in two different ways.
• Passive intruders just want to read files they are not authorized to read.
• Active intruders are more malicious; they want to make unauthorized changes to data.
• In a sense, an intruder is like someone with a gun who tries to kill a specific person; a virus writer is more like a terrorist bomber who just wants to kill people in general, rather than some particular person.
Accidental Data Loss
1. Acts of God: fires, floods, earthquakes, wars, riots, or rats gnawing tapes or floppy disks.
2. Hardware or software errors: CPU malfunctions, unreadable disks or tapes, telecommunication errors, program bugs.
3. Human errors: incorrect data entry, wrong tape or disk mounted, wrong program run, lost disk or tape, or some other mistake.
Figure: (a) Private Key Cryptography; (b) Public Key Cryptography
User Authentication
• Authentication Using Passwords
  • Complex Password, One-time Password, Challenge and Response
• Authentication Using a Physical Object
  • Smart Card, ID Card
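The challenge-and-response scheme listed above, written out as an added example (not code from the slides): the server sends a fresh random challenge, the client answers with an HMAC of that challenge under the shared secret, and the server checks the answer in constant time. The secret itself never crosses the wire, and because every challenge is single-use, a captured response cannot be replayed. The user store, the `Server` class and `client_respond` are illustrative assumptions for this example.

```python
import hashlib
import hmac
import secrets


class Server:
    """Constructed demo server holding shared secrets and outstanding challenges."""

    def __init__(self):
        self.secrets = {}   # username -> shared secret bytes (demo store, constructed)
        self.pending = {}   # username -> challenge not yet answered
        self.used = set()   # challenges already consumed, so a replay is refused

    def enroll(self, user, secret):
        self.secrets[user] = secret

    def challenge(self, user):
        # A fresh, unpredictable nonce per login attempt.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        """Accept only a response to the challenge currently outstanding for this user."""
        expected_nonce = self.pending.pop(user, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used:
            return False
        self.used.add(nonce)
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(server, user, secret):
    """One complete login: challenge, response, verification. Returns the verdict."""
    nonce = server.challenge(user)
    response = client_respond(secret, nonce)
    return server.verify(user, nonce, response)


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", b"constructed-demo-secret")
    print("genuine login:", run_exchange(srv, "alice", b"constructed-demo-secret"))
    print("wrong secret:", run_exchange(srv, "alice", b"guess"))
```

Contrast this with a plain password check: there the secret is sent on every login, so one eavesdropped session is enough to impersonate the user forever. Here an eavesdropper learns only a nonce and a MAC over it, neither of which answers the next challenge.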
Design Principles for Security
• System design should be public.
• The default should be no access.
• Check for current authority.
• Give each process the least privilege possible.
• The protection mechanism should be simple, uniform, and built into the lowest layers of the system.
• The scheme chosen must be psychologically acceptable.
Golden Rule – Make it simple, stupid
Motivation - Protection Domains
• A computer system contains many "objects" that need to be protected. These objects can be hardware (e.g., CPUs, memory segments, disk drives, or printers), or they can be software (e.g., processes, files, databases, or semaphores).
• Each object has a unique name by which it is referenced, and a finite set of operations that processes are allowed to carry out on it. The read and write operations are appropriate to a file; up and down make sense on a semaphore.
• It is obvious that a way is needed to prohibit processes from accessing objects that they are not authorized to access.
Protection Domains
• A domain is a set of (object, rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it. A right in this context means permission to perform one of the operations.
• At every instant of time, each process runs in some protection domain. In other words, there is some collection of objects it can access, and for each object it has some set of rights. Processes can also switch from domain to domain during execution. The rules for domain switching are highly system dependent.
Access Control Lists
• In practice, actually storing the matrix is rarely done because it is large and sparse.
• Most domains have no access at all to most objects, so storing a very large, mostly empty, matrix is a waste of disk space.
• The technique consists of associating with each object an (ordered) list containing all the domains that may access the object, and how. This list is called the Access Control List or ACL.
• Here we see three processes, each belonging to a different domain (A, B, and C), and three files (F1, F2, and F3).
• Each file has an ACL associated with it. File F1 has two entries in its ACL (separated by a semicolon). The first entry says that any process owned by user A may read and write the file. The second entry says that any process owned by user B may read the file.
• All other accesses by these users and all accesses by other users are forbidden.
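The ACL scheme just described, and the "default should be no access" principle from the design-principles slide, as one added example (not code from the slides). Each object carries its own ordered list of (domain, rights) entries; an access check consults only that list, and a domain with no entry gets nothing. F1's ACL ("A: read, write; B: read") is taken from the text above; the ACLs given to F2 and F3, and the `ProtectedObject` class, are constructed assumptions for the example. The example also expands the ACLs back into the full protection matrix so the sparsity argument can be seen directly.

```python
from dataclasses import dataclass, field


@dataclass
class ProtectedObject:
    """An object (here a file) with its own ACL: an ordered list of (domain, rights)."""
    name: str
    acl: list = field(default_factory=list)

    def grant(self, domain, *rights):
        self.acl.append((domain, frozenset(rights)))

    def rights_for(self, domain):
        """Union of every ACL entry for this domain; empty set if there is none."""
        combined = set()
        for entry_domain, rights in self.acl:
            if entry_domain == domain:
                combined |= rights
        return frozenset(combined)


def check_access(obj, domain, operation):
    """Default deny: the operation is allowed only if an ACL entry grants it."""
    return operation in obj.rights_for(domain)


def build_example():
    """Constructed files F1..F3 with ACLs for domains A, B and C.
    F1 matches the text; F2 and F3 are assumed for illustration."""
    f1 = ProtectedObject("F1")
    f1.grant("A", "read", "write")
    f1.grant("B", "read")
    f2 = ProtectedObject("F2")
    f2.grant("A", "read")
    f2.grant("B", "read", "write")
    f2.grant("C", "read")
    f3 = ProtectedObject("F3")
    f3.grant("B", "read", "write", "execute")
    f3.grant("C", "read", "execute")
    return {o.name: o for o in (f1, f2, f3)}


def as_matrix(objects, domains):
    """Expand the per-object ACLs into the protection matrix: domain -> object -> rights."""
    return {d: {name: obj.rights_for(d) for name, obj in objects.items()} for d in domains}


def storage_counts(objects, domains):
    """(matrix cells, ACL entries): the matrix grows as domains x objects, the ACLs
    only with the number of non-empty cells."""
    matrix_cells = len(domains) * len(objects)
    acl_entries = sum(len(obj.acl) for obj in objects.values())
    return matrix_cells, acl_entries


if __name__ == "__main__":
    files = build_example()
    for domain in ("A", "B", "C"):
        for fname, fobj in files.items():
            print(f"{domain} on {fname}: {sorted(fobj.rights_for(domain)) or 'no access'}")
    print("matrix cells vs ACL entries:", storage_counts(files, ("A", "B", "C")))
```

Two things to notice when running it: domain C never appears in F1's ACL, so `check_access(files["F1"], "C", "read")` is refused without any explicit "deny" entry, which is what "the default should be no access" means in code; and with only a handful of domains and objects the matrix is already larger than the list of entries actually needed, a gap that widens as both grow.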