Vulnerabilities and Threats in Distributed Systems includes about From Vulnerabilities to Losses, Vulnerabilities and Threats, Vulnerabilities, Threats, Mechanisms to Reduce Vulnerabilities and Threats (Applying Reliability and Fault Tolerance Principles to Security Research, Using Trust in Role-based Access Control,...).
Vulnerabilities and Threats in Distributed Systems* Prof. Bharat Bhargava Dr. Leszek Lilien Department of Computer Sciences and the Center for Education and Research in Information Assurance and Security (CERIAS ) Purdue University www.cs.purdue.edu/people/{bb, llilien} Presented by Prof. Sanjay Madria Department of Computer Science University of MissouriRolla Supported in part by NSF grants IIS0209059 and IIS0242840 * Prof. Bhargava thanks the organizers of the 1st International Conference on Distributed Computing & Internet Technology—ICDCIT 2004. In particular, he thanks: Prof. R. K. Shyamsunder Prof. Hrushikesha Mohanty Prof. R.K. Ghosh Prof. Vijay Kumar Prof. Sanjay Madria He thanks the attendees, and regrets that he could not be present He came to Bhubaneswar in 2001 and enjoyed it tremendously. He was looking forward to coming again He will be willing to communicate about this research. Potential exists for research collaboration. Please send mail to bb@cs.purdue.edu He will very much welcome your visit to Purdue University ICDCIT 2004 From Vulnerabilities to Losses Growing business losses due to vulnerabilities in distributed systems Vulnerabilities occur in: Identity theft in 2003 – expected loss of $220 bln worldwide ; 300%(!) annual growth rate [csoonline.com, 5/23/03] Computer virus attacks in 2003 – estimated loss of $55 bln worldwide [news.zdnet.com, 1/16/04] Hardware / Networks / Operating Systems / DB systems / Applications Loss chain Dormant vulnerabilities enable threats against systems Potential threats can materialize as (actual) attacks Successful attacks result in security breaches Security breaches cause losses ICDCIT 2004 Vulnerabilities and Threats Vulnerabilities and threats start the loss chain Best to deal with them first Deal with vulnerabilities Gather in metabases and notification systems info on vulnerabilities and security incidents, then disseminate it Example vulnerability and incident metabases Example vulnerability notification systems CVE (Mitre), ICAT (NIST), OSVDB (osvdb.com) CERT (SEICMU), Cassandra (CERIASPurdue) Deal with threats Threat assessment procedures Specialized risk analysis using e.g. vulnerability and incident info Threat detection / threat avoidance / threat tolerance ICDCIT 2004 Outline Vulnerabilities Threats Mechanisms to Reduce Vulnerabilities and Threats 3.1 Applying Reliability and Fault Tolerance Principles to Security Research 3.2 Using Trust in Rolebased Access Control 3.3 Privacypreserving Data Dissemination 3.4 Fraud Countermeasure Mechanisms ICDCIT 2004 Vulnerabilities Topics Models for Vulnerabilities Fraud Vulnerabilities Vulnerability Research Issues ICDCIT 2004 Models for Vulnerabilities (1) A vulnerability in security domain – like a fault in reliability domain Modeling vulnerabilities A flaw or a weakness in system security procedures, design, implementation, or internal controls Can be accidentally triggered or intentionally exploited, causing security breaches Analyzing vulnerability features Classifying vulnerabilities Building vulnerability taxonomies Providing formalized models System design should not let an adversary know vulnerabilities unknown to the system owner ICDCIT 2004 Models for Vulnerabilities (2) Diverse models of vulnerabilities in the literature Analysis of four common computer vulnerabilities [17] In various environments Under varied assumptions Examples follow Identifies their characteristics, the policies violated by their exploitation, and the steps needed for their eradication in future software releases Vulnerability lifecycle model applied to three case studies [4] Shows how systems remains vulnerable long after security fixes Vulnerability lifetime stages: appears, discovered, disclosed, corrected, publicized, disappears ICDCIT 2004 Models for Vulnerabilities (3) Modelbased analysis to identify configuration vulnerabilities [23] Formal specification of desired security properties Abstract model of the system that captures its security related behaviors Verification techniques to check whether the abstract model satisfies the security properties Kinds of vulnerabilities [3] Operational E.g. an unexpected broken linkage in a distributed database Informationbased E.g. unauthorized access (secrecy/privacy), unauthorized modification (integrity), traffic analysis (inference problem), and Byzantine input ICDCIT 2004 Models for Vulnerabilities (4) Not all vulnerabilities can be removed, some shouldn’t Because: Vulnerabilities create only a potential for attacks Some vulnerabilities cause no harm over entire system’s life cycle Some known vulnerabilities must be tolerated Removal of some vulnerabilities may reduce usability E.g., removing vulnerabilities by adding passwords for each resource request lowers usability Some vulnerabilities are a side effect of a legitimate system feature Due to economic or technological limitations E.g., the setuid UNIX command creates vulnerabilities [14] Need threat assessment to decide which vulnerabilities to remove first ICDCIT 2004 10 Outline Vulnerabilities Threats Mechanisms to Reduce Vulnerabilities and Threats 3.1 Applying Reliability and Fault Tolerance Principles to Security Research 3.2 Using Trust in Rolebased Access Control 3.3 Privacypreserving Data Dissemination 3.4 Fraud Countermeasure Mechanisms ICDCIT 2004 42 Basic Terms Privacypreserving Data Dissemination Guardian 1 Original Guardian “Owner” (Private Data Owner) “Data” (Private Data) Guardian 5 Thirdlevel Guardian 2 Second Level Guardian 4 Guardian 6 Guardian 3 “Guardian:” Entity entrusted by private data owners with collection, storage, or transfer of their data owner can be a guardian for its own private data owner can be an institution or a computing system Guardians allowed or required by law to share private data With owner’s explicit consent Without the consent as required by law research, court order, etc ICDCIT 2004 43 Problem of Privacy Preservation Guardian passes private data to another guardian in a data dissemination chain Owner privacy preferences not transmitted due to neglect or failure Chain within a graph (possibly cyclic) Risk grows with chain length and milieu fallibility and hostility If preferences lost, receiving guardian unable to honor them ICDCIT 2004 44 Challenges Ensuring that owner’s metadata are never decoupled from his data Metadata include owner’s privacy preferences Efficient protection in a hostile milieu Threats examples Uncontrolled data dissemination Intentional or accidental data corruption, substitution, or disclosure Detection of a loss of data or metadata Efficient recovery of data and metadata Recovery by retransmission from the original guardian is most trustworthy ICDCIT 2004 45 Overview Privacypreserving Data Dissemination Use bundles to make data and metadata inseparable bundle = selfdescriptive private data + its metadata E.g., encrypt or obfuscate bundle to prevent separation Each bundle includes mechanism for apoptosis apoptosis = clean selfdestruction Bundle chooses apoptosis when threatened with a successful hostile attack Develop distancebased evaporation of bundles E.g., the more “distant” from it owner is a bundle, the more it evaporates (becoming more distorted) More details on “Privacypreserving Data Dissemination” available in the extended version of this presentation at: www.cs.purdue.edu/people/bb#colloquia ICDCIT 2004 46 Outline Vulnerabilities Threats Mechanisms to Reduce Vulnerabilities and Threats 3.1 Applying Reliability and Fault Tolerance Principles to Security Research 3.2 Using Trust in Rolebased Access Control 3.3 Privacypreserving Data Dissemination 3.4 Fraud Countermeasure Mechanisms ICDCIT 2004 47 Overview Fraud Countermeasure Mechanisms (1) System monitors user behavior System decides whether user’s behavior qualifies as fraudulent Three types of fraudulent behavior identified: “Uncovered deceiving intention” “Trapping intention” User misbehaves all the time User behaves well at first, then commits fraud “Illusive intention” User exhibits cyclic behavior: longer periods of proper behavior separated by shorter periods of misbehavior ICDCIT 2004 48 Overview Fraud Countermeasure Mechanisms (2) System architecture for swindler detection Profilebased anomaly detector State transition analysis Provides state description when an activity results in entering a dangerous state Deceiving intention predictor Monitors suspicious actions searching for identified fraudulent behavior patterns Discovers deceiving intention based on satisfaction ratings Decision making Decides whether to raise fraud alarm when deceiving pattern is discovered ICDCIT 2004 49 Overview Fraud Countermeasure Mechanisms (3) Performed experiments validated the architecture All three types of fraudulent behavior were quickly detected More details on “Fraud Countermeasure Mechanisms” available in the extended version of this presentation at: www.cs.purdue.edu/people/bb#colloqia ICDCIT 2004 50 Summary Presented: Vulnerabilities Threats Mechanisms to Reduce Vulnerabilities and Threats 3.1 Applying Reliability and Fault Tolerance Principles to Security Research 3.2 Using Trust in Rolebased Access Control 3.3 Privacypreserving Data Dissemination 3.4 Fraud Countermeasure Mechanisms ICDCIT 2004 51 Conclusions Exciting area of research 20 years of research in Reliability can form a basis for vulnerability and threat studies in Security Need to quantify threats, risks, and potential impacts on distributed applications. Do not be terrorized and act scared Adapt and use resources to deal with different threat levels Government, industry, and the public are interested in progress in this research ICDCIT 2004 52 References (1) 10 11 N.R. Adam and J.C. Wortmann, “SecurityControl Methods for Statistical Databases: A Comparative Study,” ACM Computing Surveys, Vol. 21, No. 4, Dec. 1989 The American Heritage Dictionary of the English Language, Fourth Edition, Houghton Mifflin, 2000 P. Ammann, S. Jajodia, and P. Liu, “A Fault Tolerance Approach to Survivability,” in Computer Security, Dependability, and Assurance: From Needs to Solutions, IEEE Computer Society Press, Los Alamitos, CA, 1999 W.A. Arbaugh, et al., “Windows of Vulnerability: A Case Study Analysis,” IEEE Computer, pp. 5259, Vol. 33 (12), Dec. 2000 A. Avizienis, J.C. Laprie, and B. Randell, “Fundamental Concepts of Dependability,” Research Report N01145, LAASCNRS, Apr. 2001 A. Bhargava and B. Bhargava, “Applying faulttolerance principles to security research,” in Proc. of IEEE Symposium on Reliable Distributed Systems, New Orleans, Oct. 2001. B. Bhargava, “Security in Mobile Networks,” in NSF Workshop on ContextAware Mobile Database Management (CAMM), Brown University, Jan. 2002 B. Bhargava (ed.), Concurrency Control and Reliability in Distributed Systems, Van Nostrand Reinhold, 1987 B. Bhargava, “Vulnerabilities and Fraud in Computing Systems,” Proc. Intl. Conf. IPSI, Sv. Stefan, Serbia and Montenegro, Oct. 2003 B. Bhargava, S. Kamisetty and S. Madria, “Faulttolerant authentication and group key management in mobile computing,” Intl. Conf. on Internet Comp., Las Vegas, June 2000 B. Bhargava and L. Lilien, “Private and Trusted Collaborations,” Proc. Secure Knowledge Management (SKM 2004): A Workshop, Amherst, NY, Sep. 2004 ICDCIT 2004 53 References (2) 12 13 14 15 16 17 18 19 20 21 B. Bhargava and Y. Zhong, “Authorization Based on Evidence and Trust,” Proc. Intl. Conf. on Data Warehousing and Knowledge Discovery DaWaK2002, AixenProvence, France, Sep. 2002 B. Bhargava, Y. Zhong, and Y. Lu, "Fraud Formalization and Detection,” Proc. Intl. Conf. on Data Warehousing and Knowledge Discovery DaWaK2003, Prague, Czechia, Sep. 2003 M. Dacier, Y. Deswarte, and M. Kaâniche, “Quantitative Assessment of Operational Security: Models and Tools,” Technical Report, LAAS Report 96493, May 1996 N. Heintze and J.D. Tygar, “A Model for Secure Protocols and Their Compositions,” IEEE Transactions on Software Engineering, Vol. 22, No. 1, 1996, pp. 1630 E. Jonsson et al., “On the Functional Relation Between Security and Dependability Impairments,” Proc. 1999 Workshop on New Security Paradigms, Sep. 1999, pp. 104111 I. Krsul, E.H. Spafford, and M. Tripunitara, “Computer Vulnerability Analysis,” Technical Report, COAST TR 9807, Dept. of Computer Sciences, Purdue University, 1998 B. Littlewood at al., “Towards Operational Measures of Computer Security”, Journal of Computer Security, Vol. 2, 1993, pp. 211229 F. MaymirDucharme, P.C. Clements, K. Wallnau, and R. W. Krut, “The Unified Information Security Architecture,” Technical Report, CMU/SEI95TR015, Oct. 1995 N.R. Mead, R.J. Ellison, R.C. Linger, T. Longstaff, and J. McHugh, “Survivable Network Analysis Method,” Tech. Rep. CMU/SEI2000TR013, Pittsburgh, PA, Sep. 2000 C. Meadows, “Applying the Dependability Paradigm to Computer Security,” Proc. Workshop on New Security Paradigms, Sep. 1995, pp. 7581 ICDCIT 2004 54 Reference (3) 22 23 24 25 26 27 28 29 P.C. Meunier and E.H. Spafford, “Running the free vulnerability notification system Cassandra,” Proc. 14th Annual Computer Security Incident Handling Conference, Hawaii, Jan. 2002 C. R. Ramakrishnan and R. Sekar, “ModelBased Analysis of Configuration Vulnerabilities,” Proc. Second Intl. Workshop on Verification, Model Checking, and Abstract Interpretation (VMCAI’98), Pisa, Italy, 2000 B. Randell, “Dependability—a Unifying Concept,” in: Computer Security, Dependability, and Assurance: From Needs to Solutions, IEEE Computer Society Press, Los Alamitos, CA, 1999 A.D. Rubin and P. Honeyman, “Formal Methods for the Analysis of Authentication Protocols,” Tech. Rep. 937, Dept. of Electrical Engineering and Computer Science, University of Michigan, Nov. 1993 G. Song et al., “CERIAS Classic Vulnerability Database User Manual,” Technical Report 200017, CERIAS, Purdue University, West Lafayette, IN, 2000 G. Stoneburner, A. Goguen, and A. Feringa, “Risk Management Guide for Information Technology Systems,” NIST Special Publication 80030, Washington, DC, 2001 M. Winslett et al., “Negotiating trust on the web,” IEEE Internet Computing Spec. Issue on Trust Management, 6(6), Nov. 2002 Y. Zhong, Y. Lu, and B. Bhargava, “Dynamic Trust Production Based on Interaction Sequence,” Tech. Rep. CSDTR 03006, Dept. Comp. Sciences, Purdue Univ., Mar.2003 The extended version of this presentation available at: www.cs.purdue.edu/people/bb#colloqia ICDCIT 2004 55 Thank you! ICDCIT 2004 56 ... 2004 Vulnerabilities and Threats Vulnerabilities and threats start the loss chain Best to deal with them first Deal with vulnerabilities Gather in metabases and notification systems info on ... 2004 Outline Vulnerabilities Threats Mechanisms to Reduce Vulnerabilities and Threats 3.1 Applying Reliability and Fault Tolerance Principles to Security Research 3.2 Using Trust in Rolebased Access ... Avoid (prevent) threats in systems Detect threats Eliminate threats Tolerate threats Deal with threats based on degree of risk acceptable to application Avoid/eliminate threats to human life Tolerate threats to noncritical or redundant components