CSE345/545 - Winter 2025

Foundations of Computer Security

Lecture 1: Security Components

Dr. Arun Balaji Buduru

Founding Head, Usable Security Group (USG)
Associate Professor, Dept. of CSE | HCD, IIIT-Delhi, India
Visiting Faculty, Indiana University – Bloomington, USA
What would you do?
1
Know the Characters
Alice, the average
user (Bob)

Trudy, the bad guy

Dan,
2
the admin
Alice’s view of Security
3

 I just want to finish my work

 Financial transactions
 Transferring files

 I don’t do much on the Internet so I am safe

 I don’t have any PII (Personally Identifiable Information)
on my machine
 I don’t want somebody to keep on tab on what I am
doing
Dan’s view of Security
4

 How do I convince users that having a strong password

helps?
 What technology, process, or people skills can I use to
reduce
 Attackson my machines
 Customer or complaint calls / emails
Trudy’s view of Security
5

 How can I guess his / her password?

 Can I exploit any weaknesses / loop holes in the
systems?
 Can I exploit human behavior?
 Social engineering
Security Properties
6

 Five main security properties:

 Confidentiality – No unauthorized information gathering
 Integrity – Data has not been (maliciously) altered

 Availability – Data/services can be accessed as desired

 Accountability – Actions traceable to those responsible

 Authentication – User or data origin accurately

identifiable
Confidentiality
7
Integrity
8
Authentication
9
Availability
10
Which Property is Violated?
11

 Hacker gets access to a classified information from a

machine
 You are not able to access the bank’s site for transaction
 You break into IIIT-D machine to change your grades
 The online session keeps expiring when you are trying to
a transaction on the bank’s website
Whole-System is Critical
12

 Securing a system involves a whole-system view

 Cryptography

 Implementation

 People

 Physical security
 Everything in between

 This is because “security is only as strong as the weakest

link,” and security can fail in many places
 No reason to attack the strongest part of a system if you can
walk right around it.
Analyzing the Security of a System
13

 First thing: Summarize the system as clearly and

concisely as possible
 Criticalstep. If you can’t summarize the system clearly and
concisely, how can you analyze it’s security?
 Next steps:
 Identify the assets: What do you wish to protect?
 Identify the adversaries and threats

 Identify vulnerabilities: Weaknesses in the system

 Calculate the risks

 Evaluate controls / mitigation strategies, and iterate

Assets
14

 Need to know what you are protecting!

 Hardware: Laptops, servers, routers, PDAs, phones, ...
 Software: Applications, operating systems, database systems,
source code, object code, ...
 Data and information: Data for running and planning your
business, design documents, data about your customers, data
about your identity
 Reputation, brand name
 Responsiveness

 Assets should have an associated value (e.g., cost to replace

hardware, cost to reputation, how important to business
operation)
Adversaries
15

 National governments
 Terrorists
 Thieves
 Business competitors
 Your supplier
 Your consumer
 New York Times
 Your family members (parents, children)
 Your friends
 Your ex-friends
Vulnerabilities
16

 Weaknesses of a system that could be exploited to cause

damage
 Accounts with system privileges where the default password has
not been changed (Diebold: 1111)
 Programs with unnecessary privileges
 Programs with known flaws
 Known problems with cryptography
 Weak firewall configurations that allow access to vulnerable
services
 ...

 Sources for vulnerability updates: MITRE, CVSS, CERT, SANS,

Bugtraq, the news(?)
Threats
17

 Threats are actions by adversaries who try to exploit

vulnerabilities to damage assets
 Spoofing identities: Attacker pretends to be someone else
 Tampering with data: Change outcome of election

 Denial of service: Attacker makes voting machines

unavailable on election day
 Escalation of privilege: Regular voter becomes admin

 Specific threats depend on environmental conditions,

enforcement mechanisms, etc
 Youmust have a clear, simple, accurate understanding of
how the system works!
Threats
18

 Several ways to classify threats

 By damage done to the assets
◼ Confidentiality, Integrity, Availability
 By the source of attacks
◼ (Type of) insider
◼ (Type of) outsider
◼ Local attacker
◼ Remote attacker
◼ Attacker resources
 By the actions
◼ Interception
◼ Interruption
◼ Modification
◼ Fabrication
19

Authentication
Authentication
20

 Binding of identity / entity to the subject

 One or more of the following
 What entity knows (eg. password)
 What entity has (eg. badge, smart card)

 What entity is (eg. fingerprints, retinal characteristics)

 ??Where entity is (eg. In front of a particular terminal)

Authentication System
21

 (A, C, F, L, S)
A information that proves identity
 C information stored on computer and used to validate
authentication information
 F complementation function; f : A → C

 L functions that prove identity

 S functions enabling entity to create, alter information in A or

C
Passwords
22

 Sequence of characters
 Examples: 10 digits, a string of letters, etc.
 Generated randomly, by user, by computer with user input

 Sequence of words
 Examples: pass-phrases
 Algorithms
 Examples: challenge-response, one-time passwords
 Entropy vs. memorability
 The more complex a password the harder it is to guess ...
 ... and the harder it is to remember.
 Thus, we write them down.
Storage
23

 Store as cleartext
 If password file compromised, all passwords revealed
 Encipher file
 Need to have decipherment, encipherment keys in memory
 Reduces to previous problem

 Store one-way hash of password

 If file read, attacker must still guess passwords or invert the hash
Password Cracking
24

 Social Engineering
 Password Resetting – surprisingly large!

 Dictionary Attacks – John the Ripper

 Brute Force Attacks

 Key stroke Logging and Sniffing

 Hash chains and Rainbow Tables

One-Time Passwords
25

 Password that can be used exactly once

 After use, it is immediately invalidated
 Challenge-response mechanism
 Challenge is number of authentications; response is password for
that particular number
 Problems
 Synchronization of user and system
 Generation of good random passwords

 Password distribution problem

One-Time Passwords
26

 Generation mechanisms
 Time-synchronization

◼ Using a synchronized time between client and server

◼ Example
Let tx be a current synchronized time,
f(tx)=px The passwords in the order of use are
p1, p2 … px …
One-Time Passwords (cont.)
27

 Challenge-response
◼ Using a challenge from server
◼ Example: Let cn be the current challenge from server,
f(cn) = pn The passwords p in the order of use are
p1, p2 … pn
 Hash chain
◼ Using a chain of hash functions
◼ Example: h is the one-way hash function, p is the OTP and an
initial seed s
h(s)=p1, h(p1)=p2, …, h(pn-1)=pn
The passwords in the order of use are
pn, pn-1, …, p2, p1
Challenge-Response
28

User and system share a secret function f

user request to authenticate system

user random message r system

(the challenge)

user f(r) system

(the response)
Hardware Support
29

 Token-based
 Used to compute response to challenge
◼ May encipher or hash challenge
◼ May require PIN from user

 Temporally-based
 Every minute (or so) different number shown
◼ Computer knows what number to expect when
 User enters number and fixed password
Biometrics
30

 Automated measurement of biological, behavioral

features that identify a person
 Fingerprints: optical or electrical techniques
◼ Maps fingerprint into a graph, then compares with database
◼ Measurements imprecise, so approximate matching algorithms used
 Voices: speaker verification or recognition
◼ Verification: uses statistical techniques to test hypothesis that speaker is who
is claimed (speaker dependent)
◼ Recognition: checks content of answers (speaker independent)
Other Characteristics
31

 Can use several other characteristics

 Eyes: patterns in irises unique
◼ Measure patterns, determine if differences are random; or correlate images
using statistical tests
 Faces: image, or specific characteristics like distance from nose to
chin
◼ Lighting, view of face, other noise can hinder this
 Keystroke dynamics: believed to be unique
◼ Keystroke intervals, pressure, duration of stroke, where key is struck
◼ Statistical tests used
Effectiveness of Biometrics
32

 Evaluated on three basic criteria

 False reject rate: Rate at which supplicants (authentic users) are
denied or prevented from accessing authorized areas due to
failure detected by biometric device (Type I error).
 False accept rate: Rate at which supplicants who are not
legitimate users are allowed access to systems or areas due to
failure detected by biometric device (Type II error).
 Crossover error rate: Level at which the number of false
rejections equals the number of false acceptances, (equal error
rate). This is the most common and important overall measure
of the accuracy of biometric systems.
Acceptability of Biometrics
33

 Balance between how acceptable the security

system to users and its effectiveness in
maintaining the security
 Many biometric systems that are highly reliable and
effective are invasive
 Many information security professionals, in an effort
to avoid confrontation and possible user boycott of
biometric controls, do not use them
Authentication: Summary
34

 Authentication is not cryptography

 You have to consider system components
 Passwords are here to stay
 They provide a basis for most forms of authentication
 Protocols are important
 They can make masquerading harder
 Authentication methods can be combined
 Multi-factor
Authorization
35

 Authorization is the function of specifying access rights to

resources
 E.g: Human resources staff are normally authorized to
access employee records
 Represented as ACL
 Access Control Matrix
36

 Access control matrix is simplest framework for

describing rights of users over files in a matrix
File 1 File 2 File 3 File 4

User 1 R, W, O R R, W, X, O W

User 2 R R, O R R, W, X, O
 Access Control List
37

 A variant of the access control matrix

 Store each column with the object it represents

ACL(file 1) = {(user 1, RWO), (user 2, R)}

ACL(file 2) = {(user 1, R), (user 2, RO)}
ACL(file 3) = {(user 1, RWXO), (user 2, R)}
ACL(file 4) = {(user 1, W), (user 2, RWXO)}
 Creation and Maintenance of
Access Control List
38

 Which subjects can modify an object’s ACL?

 Possessors with the “own” right can modify the ACL
 Does the ACL support groups and wildcards?
 Groups and wildcards are used to limit the size of the ACLs
 Conflicts?
 When there is conflict between two ACLs, the resolution
resolved by the rules in the system
 ACLs and default permissions?
 Ifno appropriate ACL entry exists, the default permission is
applied
 Capabilities
39

 Another variant of the access control matrix

 Store each row with the subject it represents

CAP(user 1) = {(file 1, RWO), (file 2, R), (file 3, RWXO),

(file 4, W)}
CAP(user 2) = {(file 1, R), (file 2, RO), (file 3, R), (file 4,
RWXO)}
 ACL vs. Capabilities
40

 Two different questions

 Given an object, which subjects can access it, and how?
 Given a subject, which objects can it access, and how?

 ACL is easy to answer the first question

 Capabilities is easy to answer the second question
 Which question is more important?
ACL vs. Capabilities (cont.)
41

 Authentication
 Given a process that wishes to perform an operation on an object
◼ ACL needs to authenticate the process’s identity
◼ Capabilities do not require authentication, but require unforgeability
 Least Privilege
 Capabilities provide finer grained least privilege control
 Revocation
 ACL can remove a group of users from the list, and those users can
no longer gain access to the object
 Capabilities have no equivalent operation
 TROJAN HORSES

 A Trojan Horse is rogue software installed,

perhaps unwittingly, by duly authorized users
 A Trojan Horse does what a user expects it to
do, but in addition exploits the user's
legitimate privileges to cause a security
breach
 TROJAN HORSE EXAMPLE

ACL

A:r
File F
A:w

B:r
File G
A:w

Principal B cannot read file F

 TROJAN HORSE EXAMPLE

Principal A ACL
executes
A:r
read File F
Program Goodies A:w

Trojan Horse
B:r
File G
write A:w

Principal B can read contents of file F copied to file G

Bell-LaPadula security model
45

The Bell-LaPadula (BLP) model is about information

confidentiality, and this model formally represents the long
tradition of attitudes about the flow of information
concerning national secrets.
Classifications and clearances
46

 Unclassified, confidential, secret, top secret

 Cost ‘lives’ marked ‘secret’
 Cost ‘many lives’ marked ‘top secret’
Bell – LaPadula - Details
 Earliest formal model
 Each user subject and information object
has a fixed security class – labels
 Use the notation ≤ to indicate dominance

 Simple Security (ss) property:

the no read-up property

A subject s has read access to an object iff the class of the
subject C(s) is greater than or equal to the class of the object
C(o)
 i.e. Subjects can read Objects iff C(o) ≤ C(s)
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Read OK Top Secret

Secret Secret

Unclassified Unclassified
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Top Secret

Secret Read OK Secret

Unclassified Unclassified
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Top Secret

Secret Secret

Unclassified Read OK Unclassified

 Bell - LaPadula (2)

 * property (star):
the no write-down (NWD) property
 Whilea subject has read access to object O, the subject can
only write to object P if
C(O) ≤ C (P)
 No process may write data to a lower level
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Write OK Top Secret

Secret Secret

Unclassified Unclassified
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Top Secret

Secret Write OK Secret

Unclassified Unclassified
Access Control: Bell-LaPadula

Subjects Objects
Top Secret Top Secret

Secret Secret

Unclassified Write OK Unclassified

Access Control Models
55
 Discretionary Access Control (DAC)
 Restricting access to objects based on identity of
subjects and/or groups to which they belong
 Mandatory Access Control (MAC)
 Restrict access to objects based on the sensitivity
(as represented by a label) of the information
contained in the objects and the formal
authorization (i.e. clearance) of subjects to access
information of such sensitivity
 Access Control Models (cont.)
56

 Role based access control (RBAC)

 Began in 1970s

 To facilitate the security management in multi-user, multi-

application systems
 Minimum requirements:
◼ Associate roles with each individual.
◼ Each role defines a specific set of operations that the
individual acting in that role may perform.
◼ An individual needs to be authenticated, chooses a role
assigned to the individual, and accesses information
according to operations needed for the role.
 RBAC
57
 Users: human beings
 Roles: job function (title)
 Permissions: approval of a mode of access
 Always positive
 Abstract representation
 Can apply to single object or to many

users roles
permissions (P)
(U) (R) Permission
User Assignment (UA)
Assignment (PA)
RBAC Family

RBAC3 consolidated model

RBAC1 RBAC2
role hierarchy constraints

RBAC0 base model

58
 RBAC Family (cont.)
59

 RBAC0: the base model indicating that it is the

minimum requirement for RBAC
 RBAC1: include RBAC0 and support of role hierarchy
 Inheritance among roles
 Inheritance of permission from junior role (bottom) to
senior role (top)
 RBAC2: include RBAC0 and support of constraints
 Enforces high-level organizational policies, such as
mutually exclusive roles
 RBAC3: combine RBAC1 and RBAC2
 Situation-Aware Access Control
60

 Situation-aware access control model incorporates

situation-awareness into RBAC
For example, only when the user with the role of a teacher
in the Smart Classroom during the class time, the user
can create a group discussion