Fall Semester 2023

DS 404 Information Security and Privacy

Lecture 1: Security Principles – Part 1
Threat model, Human Factor, Security
Economics, Detection first
Ravi Mittal
Acknowledgements!
⚫ Contents of this class presentation has been taken from the
following sources. Thanks are due to the original content
creators:
⚫ Security Principles: https://textbook.cs161.org/security-
principles.pdf
Security Principles

⚫ Know your threat model

⚫ Trusted Computing Base (TCB)
⚫ Consider human factors
⚫ Security is economics
⚫ Detect if you can’t prevent
⚫ Defense in depth
⚫ Least privilege
⚫ Separation of responsibility
⚫ Ensure complete mediation
⚫ Don’t rely on security through obscurity
⚫ Use fail-safe defaults
⚫ Design in security from the start

3
Security Principles – We will study today

⚫ Know your threat model

⚫ Consider human factors
⚫ Security is economics
⚫ Detect if you can’t prevent
⚫ Defense in depth
⚫ Least privilege
⚫ Separation of responsibility
⚫ Ensure complete mediation
⚫ Don’t rely on security through obscurity
⚫ Use fail-safe defaults
⚫ Design in security from the start

4
Read this …

https://theweek.com/articles/441194/why-world-war-iii-fought-internet

5
Email received …

How can you find out that this is fraudulent email? 6

SMS received a few days back

How can you find out that this is fraudulent message?

7
SMS received a few days back

What is the issue with this message?

8
1. Know Your Threat Model

9
Know Your Threat Model
⚫ Threat model:
⚫ Potential cause of a harm is a threat
⚫ Threats can be malicious or not
⚫ A model of who your attacker is and what resources they have

⚫ Threat modelling is a structured process with these

objectives:
⚫ Identify security requirements
⚫ Pinpoint security threats and potential vulnerabilities
⚫ Quantify threat and vulnerability criticality, and
⚫ Prioritize remediation methods

10
Why do the Threat Modeling?

1. Understand threats to guard against during requirements

analysis
2. Provide basis for which security mechanisms to include
during design
3. Verify security of system design
4. Provide basis for prescribing secure implementation
practices
5. Provide basis for testing system security after
implementation

11
Security Principle: Know Your Threat Model

⚫ Consider: Personal security

⚫ Who and why might someone attack you?
⚫ Criminals might attack you for money
⚫ Teenagers might attack you for laughs or to win online games
⚫ Governments might spy on you to collect intelligence
⚫ Intimate partners might spy on you
⚫ This is a surprisingly dangerous threat model!

12
Know Your Threat Model
⚫ It all comes down to people: The attackers
⚫ No attackers = No problem!
⚫ One of the best ways to counter an attacker is to attack their reasons
⚫ Why do people attack systems?

Money Politics Fun

Advertisers Anonymous NSA To watch the world burn

13
Threat Model: Common Assumptions for Attackers

⚫ Assume that the attacker…

⚫ Can interact with systems without notice
⚫ Knows general information about systems (operating
systems, vulnerabilities in software, usually patterns of
activity, etc.)
⚫ Can get lucky
⚫ If an attack only succeeds 1/1,000,000 times, the attacker will try
1,000,000 times!
⚫ May coordinate complex attacks across different systems
⚫ Has the resources required to mount the attack
⚫ Can and will obtain privileges if possible

14
The Threat Modeling Process

1 Identify assets

2 Document architecture

3 Decompose application

4 Identify threats

5 Document threats

6 Rate threats
2. Trusted Computing Base (TCB)

16
Trusted Computing Base

⚫ What is the TCB?

⚫ The components of a system that security relies upon
⚫ The careful design and implementation of a system's trusted
computing base is paramount to its overall security
⚫ Properties of the TCB
⚫ Correctness
⚫ Completeness (can’t be bypassed)
⚫ Security (can’t be tampered with)
⚫ Generally made to be as small as possible
⚫ A smaller, simpler TCB is easier to write and audit
⚫ KISS principle: Keep It Simple, Stupid

17
Which of the two is good ?

18
Which of the two is good ?

19
Consider a Mobile Handset

⚫ How to make is secure?

⚫ It consists of 20 Million lines of code
⚫ Can all 20 Million be made part of TCB?
⚫ No
⚫ Question: How to test 20 Million LOC fully?
⚫ Can it’s OS be made part of TCB?
⚫ Yes…but not fully ..

20
TCB in Operating Systems

⚫ Modern operating systems strive to reduce the size of the

TCB so that an exhaustive examination of its code base (by
means of manual or computer-assisted software audit or
program verification) becomes feasible
⚫ What consists of the conceptual Trusted Computing Based in
a Unix/Linux system?
⚫ Hardware, kernel, system binaries, system configuration files, setuid
root programs, etc.
⚫ A reference monitor (in an OS) is a tamperproof, always-
invoked, and small-enough-to-be-fully-tested-and-analyzed
module that controls all software access to data objects or
devices (verifiable)
⚫ The reference monitor verifies that the request is allowed by the
access control policy
21
TCB in a secure OS

⚫ Reference monitor User space

⚫ Part of TCB User

process
⚫ All system calls go
through reference
monitor for security
checking
⚫ Check: How Linux Reference
monitor
implements Reference
TCB
Monitor?
⚫ Linux Security Module OS kernel
(LSM)
Kernel space
22
3. Human Factors

23
It All Comes Down To People
⚫ The users
⚫ Users like convenience (ease of use)
⚫ If a security system is unusable, it will be unused
⚫ Users will find way to subvert security systems if it makes their lives easier
⚫ The programmers
⚫ Programmers make mistakes
⚫ Despite knowing, they continue to make similar mistakes
⚫ Everyone else
⚫ Social engineering attacks exploit other people’s trust and access for personal
gain

“There is no patch for human stupidity”

24
Warning Dialogs

When you send information to the Internet, it

might be possible for others to see that
information. Do you want to continue?

In the future, do not show this message.

Yes No

25
Warning Dialogs

When you see a dialog box like this, click ‘Yes’

to make it go away. If available, click the
checkbox first to avoid being bothered by it
again.

In the future, do not show this message.

Yes No

26
Warning Dialogs
Website Certified by an Unknown Authority

Unable to verify the identity of svn.xiph.org as a trusted site.

Possible reasons for this error:
- Your browser does not recognise the Certificate Authority that issued the site’s certificate.
- The site’s certificate is incomplete due to a server misconfiguration.
- You are connected to a site pretending to be svn.xiph.org, possibly to obtain your confidential
information.
Please notify the site’s webmaster about this problem.
Before accepting this certificate, you should examine this site’s certificate carefully. Are you willing to
accept this certificate for the purpose of identifying the Web site svn.xiph.org?

Examine Certificate...

Accept this certificate permanently

Accept this certificate temporarily for this session
Do not accept this certificate and do not connect to this Web site

OK Cancel

27
Warning Dialogs

Unable to verify the identity of svn.xiph.org as a trusted site.

Blah blah geekspeak geekspeak geekspeak.
Before accepting this certificate, your browser can display a second dialog
full of incomprehensible information. Do you want to view this dialog?

View Incomprehensible Information

Make this message go away permanently

Make this message go away temporarily for this session
Stop doing what you were trying to do
OK Cancel

Takeaway: Consider human factors

28
4. Security is Economics

29
How Secure is a system?

⚫ No system is 100% secure against all attacks

⚫ Systems only need to be protected against a certain level of
attacks
⚫ More security → more money to implement
⚫ Cost/benefit analyses often appear in security
⚫ The cost of your defence should be less than the cost of attacks
happening
⚫ If the attack costs more than the reward, the attacker probably won’t
do it
⚫ Example: You don’t put a $10 lock on a $1 item…

30
Physical Safes

 We want our safes to stop people from breaking in, so let’s

measure them by how long it takes an expert to break into one:

TL-15 ($3,000)
15 minutes with common tools
TL-30 ($4,500)
30 minutes with common tools
TXTL-60 (>$50,000)
TRTL-30 ($10,000)
60 minutes with common tools,
30 minutes with common tools
a cutting torch, and up to 4 oz of
and a cutting torch
explosives

Takeaway: Security is economics

31
Burglar Alarms

 Security companies are supposed to

detect home break-ins
 Problem: Too many false alarms. Many
alarms go unanswered
 Why is it useful to place a sign?
 Placing a sign helps deter burglars
from entering at risk of being caught…
 … even if you don’t have an alarm
installed!
 An attacker might prefer the neighbor
without a sign

32
You can try this !

Without keeping a
dog at home

33
5. Detect if You Can’t Prevent

34
Detect if You Can’t Prevent

⚫ Deterrence: Stop the attack before it happens

⚫ Prevention: Stop the attack as it happens
⚫ Detection: Learn that there was an attack (after it happened)
⚫ If you can’t stop the attack from happening, you should at least be able
to know that the attack has happened.
⚫ Response: Do something about the attack (after it happened)
⚫ Once you know the attack happened, you should respond
⚫ Detection without response is pointless!

35
What if there is an APT that does undetected?

⚫ APT: Advanced Persistent threat by a criminal organization

⚫ They take months or years of preparation before doing an attack
⚫ What happens if your organization can’t detect early phase of
an APT attack?

36
Response: Mitigation and Recovery
⚫ Assume that bad things will happen! You should plan
security in way that lets you to get back to a working state
⚫ Example: Earthquakes
⚫ Have resources for 1 week of staying put
⚫ Have resources to travel 50 miles from my current location
⚫ Example: Ransomware
⚫ Ransomware: An attacker steals your data and demands payment in
exchange for recovering your data
⚫ Keep offsite backups!
⚫ If your computer catches fire, it should be no big deal

37
 Detection but no Response

 Bitcoin transactions are irreversible. If

you are hacked, you can never recover
your Bitcoins. Link
 $68M stolen from NiceHash exchange in
December 2017 Hacked Bitcoin Exchange Says
 Four multi-million-dollar attacks on Users May Share $68 Million Loss
Ethereum in July 2018 Lulu Yilun Chen August 5,
 Coinbase: One detected theft per day and Yuji 2016
 Takeaway: Prevention is great, but Nakamura
depending only on prevention can be
brittle: When prevention fails, the
system fails catastrophically

https://www.bloomberg.com/news/articles/2016-08-05/hacked-bitcoin-exchange-says-
it-will-spread-losses-among-users
38
Lecture Summary

⚫ It is very important to know the thread model as

⚫ This allows proper planning of prevention, detection, and recovery
⚫ A secure system is required to have a Trusting Computing
Base (TCB) that is
⚫ Small
⚫ Extremely Reliable
⚫ Totally Safe
⚫ Security is not free – it requires money and time – it is
economics
⚫ If one is not able to prevent security breaches, one must
detect it (at the minimum)

39