Introduction
Modules
- Attacks against the networking stack
- Security of core Internet services
- TLS and the global PKI
- Privacy and anonymity
- Web security
- Malware and malware detection
Concepts
- Confidentiality - Data must only be released to authorized principals. Has a temporal aspect, related to the difficulty (work factor) of recovering the data.
- Integrity - Data must not be modified, or at least not modified undetectably.
- Availability - Data and resources must be accessible when required.
- Authenticity - Data must be bound to an identity. Authentication enables trust decisions.
- Non-repudiation - Prevents denial of authorship of a message. Not always a desirable property.
Access Control
- Access control frameworks let one specify security policies that describe who can interact with what. Requires authentication as a building block for authorization.
- Principals: participants in a system
- Subjects: entities that operate on behalf of principals
- Objects: resources acted upon by subjects
Authentication
- Verification of a claim of identity made by a subject on behalf of a principal. Involves credentials: something you know; something you have; something you are.
- Desirable properties: unforgeable, unguessable, revocable.
- Discretionary access control (DAC): users control what access is given to their objects.
- Mandatory access control (MAC): a central authority sets the access.
- Role-based access control (RBAC): users are assigned roles and access is granted per role.
Access control matrices are a very verbose way of describing access control.
Models range from concrete to abstract: access control lists (ACLs); Bell-LaPadula (no read up, no write down); Biba (no write up, no read down).
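The following is an added example, not part of the original notes: an access control matrix whose columns project to per-object ACLs, combined with Bell-LaPadula (confidentiality labels) and Biba (integrity labels) checks in a small reference-monitor style decision function. All subjects, objects, rights and label assignments are constructed sample data.

```python
"""Added example, not part of the notes: an access control matrix with
discretionary rights, projected to per-object ACLs, combined with
Bell-LaPadula (confidentiality) and Biba (integrity) label checks.
All subjects, objects, rights and labels are constructed sample data."""

from typing import Dict, Set

# Linear lattices for the two label types (constructed).
CONF_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEG_LEVELS = {"low": 0, "medium": 1, "high": 2}

# Access control matrix: subject -> object -> set of rights (the DAC part).
Matrix = Dict[str, Dict[str, Set[str]]]
MATRIX: Matrix = {
    "alice": {"report.txt": {"read", "write"}, "audit.log": {"read"}},
    "bob": {"report.txt": {"read"}},
}
# MAC labels assigned by a central authority (constructed).
CONF = {"alice": "secret", "bob": "confidential",
        "report.txt": "confidential", "audit.log": "top_secret"}
INTEG = {"alice": "high", "bob": "low", "report.txt": "medium", "audit.log": "high"}


def matrix_allows(m: Matrix, subject: str, obj: str, right: str) -> bool:
    """Cell lookup in the matrix; a missing subject or object means no rights."""
    return right in m.get(subject, {}).get(obj, set())


def acl_for(m: Matrix, obj: str) -> Dict[str, Set[str]]:
    """The ACL of an object is one column of the matrix: subject -> rights."""
    return {s: rights[obj] for s, rights in m.items() if obj in rights}


def blp_allows(subj_level: str, obj_level: str, right: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s, o = CONF_LEVELS[subj_level], CONF_LEVELS[obj_level]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    raise ValueError(f"unknown right {right!r}")


def biba_allows(subj_level: str, obj_level: str, right: str) -> bool:
    """Biba: no read down, no write up (the dual of Bell-LaPadula)."""
    s, o = INTEG_LEVELS[subj_level], INTEG_LEVELS[obj_level]
    if right == "read":
        return s <= o
    if right == "write":
        return s >= o
    raise ValueError(f"unknown right {right!r}")


def authorize(subject: str, obj: str, right: str, m: Matrix = MATRIX) -> str:
    """Reference-monitor style decision: every policy must agree.
    Returns "allowed" or "denied: <first rule that refused>"."""
    if not matrix_allows(m, subject, obj, right):
        return "denied: no DAC right"
    if not blp_allows(CONF[subject], CONF[obj], right):
        return "denied: Bell-LaPadula"
    if not biba_allows(INTEG[subject], INTEG[obj], right):
        return "denied: Biba"
    return "allowed"


if __name__ == "__main__":
    for req in [("bob", "report.txt", "read"), ("alice", "report.txt", "read"),
                ("alice", "report.txt", "write"), ("alice", "audit.log", "read"),
                ("bob", "report.txt", "write")]:
        print(req, "->", authorize(*req))
    print("ACL for report.txt:", acl_for(MATRIX, "report.txt"))
```

Note how the two MAC models pull in opposite directions: alice, cleared to secret, may read report.txt under Bell-LaPadula but is refused by Biba because a high-integrity subject must not read medium-integrity data, and her write to the same file is refused by the *-property even though the matrix grants it.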
Covert channels can be used to leak information in collusion with an authorized user.
Side channels allow inadvertent information leakage (timing, power, RF emissions, sound).
Non-interference: any sequence of low inputs will produce the same low outputs, regardless of any high inputs.
Information Flow
Information flow control (IFC) makes it theoretically possible to verify non-interference.
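The following is an added example, not part of the original notes, illustrating the non-interference definition above and the IFC idea: first a brute-force non-interference check over tiny input domains (every low input must yield one low output across all high inputs), then a label-propagation model of information flow control in which values carry an L or H label, a conditional joins in the label of its condition (so implicit flows are caught), and a low sink refuses H-labelled values. The programs, domains and labels are all constructed.

```python
"""Added example, not part of the notes: two ways of checking that high
(secret) inputs do not influence low (public) outputs. (1) Brute-force
non-interference over small input domains; (2) a label-propagation model of
information flow control that rejects a high-labelled value at a low sink,
including the implicit flow through a branch. All programs and domains are
constructed."""

from dataclasses import dataclass
from typing import Callable

HIGH_DOMAIN = range(8)   # values a high input may take (constructed)
LOW_DOMAIN = range(4)    # values a low input may take (constructed)


def noninterferent(prog: Callable[[int, int], int]) -> bool:
    """Non-interference: for every low input, the low output is the same
    for all high inputs. Exhaustive, so only feasible for tiny domains."""
    for low in LOW_DOMAIN:
        outs = {prog(high, low) for high in HIGH_DOMAIN}
        if len(outs) != 1:
            return False
    return True


def leaky(high: int, low: int) -> int:
    # Implicit flow: the branch condition depends on the high input.
    return low + 1 if high > 5 else low


def secure(high: int, low: int) -> int:
    _ = high * 2  # high data is computed on but never reaches the output
    return low * 2


# --- Label propagation (IFC) ---------------------------------------------

def join(a: str, b: str) -> str:
    """Least upper bound on the two-point lattice L < H."""
    return "H" if "H" in (a, b) else "L"


@dataclass(frozen=True)
class Labeled:
    value: int
    label: str  # "L" or "H"

    def __add__(self, other: "Labeled") -> "Labeled":
        return Labeled(self.value + other.value, join(self.label, other.label))

    def __mul__(self, other: "Labeled") -> "Labeled":
        return Labeled(self.value * other.value, join(self.label, other.label))

    def gt(self, other: "Labeled") -> "Labeled":
        return Labeled(int(self.value > other.value), join(self.label, other.label))


def select(cond: Labeled, then: Labeled, otherwise: Labeled) -> Labeled:
    """Conditional whose result also carries the label of the condition,
    so an implicit flow through the branch is not lost."""
    chosen = then if cond.value else otherwise
    return Labeled(chosen.value, join(cond.label, join(then.label, otherwise.label)))


class IFCError(Exception):
    pass


def low_sink(v: Labeled) -> int:
    """Public output: refuses anything that may depend on high data."""
    if v.label == "H":
        raise IFCError("high-labelled value reaching a low sink")
    return v.value


def leaky_labeled(high: Labeled, low: Labeled) -> Labeled:
    return select(high.gt(Labeled(5, "L")), low + Labeled(1, "L"), low)


def secure_labeled(high: Labeled, low: Labeled) -> Labeled:
    _ = high * Labeled(2, "L")
    return low * Labeled(2, "L")


def passes_ifc(prog: Callable[[Labeled, Labeled], Labeled]) -> bool:
    """Run once with a high-labelled secret; in this model labels do not
    depend on the concrete values, so a single run decides."""
    try:
        low_sink(prog(Labeled(7, "H"), Labeled(1, "L")))
        return True
    except IFCError:
        return False


if __name__ == "__main__":
    for name, p in [("leaky", leaky), ("secure", secure)]:
        print(name, "non-interferent:", noninterferent(p))
    for name, p in [("leaky", leaky_labeled), ("secure", secure_labeled)]:
        print(name, "passes IFC:", passes_ifc(p))
```

The brute-force check is a test, not a proof, and blows up combinatorially with the input domains; the label check is conservative in the other direction (it rejects any program in which a high value could reach a low sink, even if no actual input pair would reveal it), which is the trade-off that makes IFC verification tractable.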