CAN304 Computer Systems Security

Email: jie.zhang01@xjtlu.edu.cn
Office hours: 2:00-3:00PM, Tue & Wed EE522

---

Lecture 1. Introduction

Computer security concepts

Definition

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
为实现信息系统资源的完整性、可用性和机密性(包括硬件、软件、固件、信息/数据和电信)的适用目标而对自动化信息系统提供的保护。

CIA (3 key objectives)

• Confidentiality 保留对信息获取和披露的授权限制，包括保护个人隐私和专有信息的手段。
• Integrity 集成度 防止不适当的信息修改或破坏，包括确保信息的不可抵赖性和真实性。
• Availabilitiy 确实及时可靠的获取和使用信息

Other objectives

• Authenticity
• Accountability
  • Ensuring actions of an entity to be traced uniquely to that entity.
  • Support nonrepudiation, deterrence, intrusion detection and prevention, etc.

术语

Computer security deals with computer-related assets that are subject to a variety of threats and for which various measures are taken to protect those assets.
要保护什么？

• System Resource

  • Hardware
  • Software
  • Data
  • Communication facilities and networks

• Security Policy

  • A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources. 一组规则和实践，指定或规范系统或组织如何提供安全服务来保护敏感和关键的系统资源。

• Vulnerability

  • A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy. 系统设计、实现或操作和管理中的缺陷或弱点，可以被利用来违反系统的安全策略。

• Exploit

  • An actual incident of taking advantage of a vulnerability. 利用漏洞的实际事件。
  • Term also refers to the code or methodology used to take advantage of a vulnerability. 术语也指用于利用漏洞的代码或方法。

• Threat

  • A potential for violation of security, which exists when there is a circumstance, capability, action, or event, that could breach security and cause harm. 违反安全的潜在可能性，当存在可能违反安全并造成危害的环境、能力、动作或事件时，就存在这种可能性。

• Vulnerability vs threat

  • Vulnerabilities are not introduced to a system; rather they are there from the beginning.
  • Threats are introduced to a system like a virus download or a social engineering attack.
  • That is, a threat is a possible danger that might exploit a vulnerability.

• Attack

  • A threat that is carried out and, if successful, leads to an undersirable violation of security, or threat consequence

• Attacker

  • The agent carrying out the attack.

• Types of attack:

  • Active attack: An attempt to alter system resources or affect their operation. 试图改变系统资源或影响其运行。
  • Passive attack: An attempt to learn or make use of information from the system that does not affect system resources. 试图从系统中学习或使用信息，但不影响系统资源。
  • Inside attack: Initiated by an entity inside the security perimeter (an “insider”). The insider is authorized to access system resources but uses them in a way not approved by those who granted the authorization. 由安全边界内的实体发起(“内部人员”)。局内人被授权访问系统资源，但使用这些资源的方式没有被授予权限的人批准。
  • Outside attack: Initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an “outsider”). 由系统的未经授权或非法用户(“局外人”)从外围发起。

• Countermeasure 对策

  • An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. 一种动作、装置、程序或技术，通过消除或预防威胁、漏洞或攻击，将其可能造成的伤害降至最低，或通过发现并报告威胁、漏洞或攻击，从而采取纠正措施。

---

More on threats, attacks, and assets

4 threat consequences

• Unauthorized disclosure 未经授权的披露
• Deception 欺骗
• Disruption 破坏
• Usurpation 篡夺

Unauthorized disclosure

A circumstance or event whereby an entity gains acess to data for which the entity is not authorized. 一个实体获得未授权的数据访问权的情况或事件。
什么攻击可以引起unauthorized disclosure？

• Exposure: Sensitive data are directly released to an unauthorized entity. 将敏感数据直接暴露给未授权的实体。
• Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and denstinations. 未经授权的实体直接访问在授权源和站点之间传输的敏感数据。
• Inference: An unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or by-products of communications. 未经授权的实体通过推理通信的特性或副产品间接访问敏感数据。
• Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system’s security protections. 未经授权的实体绕过系统的安全保护，获取敏感数据。

Deception

A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. 可能导致授权实体收到虚假数据并认为其为真实的情况或事件。
什么攻击可以引起deception？

• Masquerade 伪装 未经授权的实体通过伪装成授权实体获得对系统的访问权限或执行恶意行为。
• Falsification 篡改 虚假数据欺骗授权实体。
• Repudiation 否认 一个实体通过错误地否认某一行为的责任来欺骗另一个实体。

Disruption

A circumstance or event that interrupts or prevents the correct operation of system services and functions. 中断或阻止系统服务和功能正常运行的情况或事件。
什么攻击可以引起disruption？

• Incapacitation: Prevents or interrupts system operation by disabling a system component. 失能:通过使能系统组件，阻止或中断系统运行。
• Corruption: Undesirably alters system operation by adversely modifying system functions or data. 损坏:通过对系统功能或数据的不良修改，对系统运行造成不良影响。
• Obstruction: A threat action that interrupts delivery of system services by hindering system operation. 阻碍:指通过阻碍系统运行而中断系统业务的威胁行为。

Usurpation

A circumstance or event that results in control of system services or functions by an unauthorized entity. 由未经授权的实体控制系统服务或功能的情况或事件。
什么攻击可以引起usurpation？

• Misappropriation: An entity assumes unauthorized logical or physical control of a system resource. 挪用:一个实体对系统资源进行未经授权的逻辑或物理控制。
• Misuse: Causes a system component to perform a function or service that is detrimental to system security. 误用:导致系统组件执行不利于系统安全的功能或服务。

Threats to assets

• Hardware
  • Major threat: availability
  • Confidentiality
• Software
  • Major threat: availability
  • Confidentiality, integrity
• Data
  • A much more widespread problem is data security
  • Availability, confidentiality, integrity
• Communication lines and networks: network security
• network security attacks
  • Passive attacks: are in the nature of eavesdropping on, or monitoring of, transmissions (Release of message contents/Traffic analysis) are very difficult to detect because they do not involve any alteration of the data.
  • Active attacks: involve some modification of tha data stream of the creation of a false stream (replay/masquerade/modification of messages/denial of service)

Countermeasures

Economy of mechanism

The design of security measures should be economical to develop, use and verify.

Fail-safe designs

• Access decisions should be based on permission rather than exclusion
• Default to lack of access
• So if something goes wrong or is forgotten or isn’t done, no security lost.

Complete mediation

Apply security on every access to a protected object. Every access must be checked against the access control mechanism.

Open design

the design of a security mechanism should be open rather than secret.
Kerckhoffs principle: A cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

Separation of privileges

Provide mechanisms that separate the privileges used for one purpose from those used for another. 提供将用于一个目的的特权与用于另一个目的的特权分开的机制。

Least privilege

• Every process and every user of the system should operate using the least set of privileges necessary to perform the task 系统的每个进程和每个用户都应该使用执行任务所需的最小权限集进行操作
• Require another request to perform another type of access 要求另一个请求来执行另一种类型的访问

Least common mechanism

The design should minimize the functions shared by different users, providing mutual security. Coupling leads to possible security breaches.

Psychological acceptability

• Mechanism must be simple to use 机制必须简单易用
• Simple enough that people will use it without thinking about it
• Must rarely or never prevent permissible accesses 必须很少或从不阻止允许的访问

Computer security strategy

A comprehensive security strategy involves three aspects: 复杂的安全策略有三个部分

• Specification/policy
• Implementation/mechanisms
  1. prevention
  2. detection
  3. response
  4. recovery
• Correctness/assurance

Assurance & evaluation

Assurance is expressed as a degree of confidence, not in terms of a formal proof that a design or implementation is correct. 保证被表达为一种信心的程度，而不是一个设计或实现是正确的正式证明。
Evaluation is the process of examining a computer product or system with respect to certain criteria. Evaluation involves testing and may also involve formal analytic or mathematical techniques. 评估是根据一定的标准对计算机产品或系统进行检查的过程。评估包括测试，也可能涉及形式分析或数学技术。

Tools for security

• Cryptographic tools: Encryption, message authentication code, digital signature, etc.
• Access control: Only let authorized parties access the system
• User authentication
• Intrusion detection/prevention, firewall (IDS: intrusion detection system) (IPS: intrusion prevention system)

---

Lecture 2. Fundamentals of cryptography(1)

Classicial & modern cryptography

###Private-key encryption

• secure communication
• secure storage

A private-key encryption scheme is defined by a message space 𝑀 and algorithms (𝐺𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐):

• 𝐺𝑒𝑛 (key-generation algorithm): generates 𝑘 生成密钥算法
• 𝐸𝑛𝑐 (encryption algorithm): takes key 𝑘 and message 𝑚 ∈ 𝑀 as input; outputs ciphertext 𝑐 (𝑐 ← 𝐸𝑛𝑐!(𝑚)) 加密算法
• 𝐷𝑒𝑐 (decryption algorithm): takes key 𝑘 and ciphertext 𝑐 as input; outputs 𝑚 or “error” (𝐷𝑒𝑐!(𝑐) = 𝑚) 解密算法
• For all 𝑚 ∈ 𝑀 and 𝑘 output by 𝐺𝑒𝑛, 𝐷𝑒𝑐!(𝐸𝑛𝑐!(𝑚)) = 𝑚

The shift cipher

挪移加密，把字母表挪移对照，生成密文（把第二行向左移动k值）

Sufficient key space principle

• The key space should be large enough to prevent “brute-force” exhaustive-search attacks 空间要大，避免暴力法破解
• If an encryption scheme has a key space that is too small, then it will be vulnerable to exhaustive-search attacks 如果一个加密方案的密钥空间太小，那么它将容易受到耗尽搜索攻击
• 凯撒加密法是不安全的