CS 739 Reviews - Spring 2012

Summary:
This paper discusses the goal of the security (to make it as secure as real world systems) and some basic elements of the security of computer systems (policy, mechanism and assurance). In particular, it introduces the gold standard in implementations (Authentication, Authorization and Auditing) and chain of responsibility in End-to-end authorization as well as the concept of trusted computing base for assurance.

Problem:
The problem here is we want to the computer systems as secure as real world but there are lots of challenges here such as the systems are network enable so anonymous attacks can come from anywhere. The question is what is supposed to do for security (policy), how does it work (mechanism) and how we are sure it really works (assurance).

Contributions:
The paper is rather straightforward. The analogy for security between real world and the computer systems is interesting and helpful. It seems there is no new technical stuff of novel ideas in this paper. From my view, the contribution of this paper is that it identifies the key factors in computer security, such as gold standards in implementation. And I really like its argument that the simplicity is always the cost to achieve the security, e.g. it proposes the trusted computing base (TCB) as small and simple as possible.

Flaws:
I guess one possible flaw of this paper lies in the model of trust chains. I admit basically it is a feasible way to authenticate and authorize the principals in distributed environment, i.e. distributed access control. The paper also gives an example of Alices at Intel visiting Microsoft’s webpage. But generally I do not think the trust has transitivity to form a chain. If A is B’s friend and B is C’s friend, we cannot say A and C are also friends. Chains of trust may not work in such cases.

Applicability:
This paper introduces several important and basic ideas in computer security which has been widely used in today’s systems. For example, Kaberos is used in the next generation Hadoop. It is interested the past a couple of years have seen a rapid growing in embedded systems or ubiquitous computing. Just as topics covered in yesterday’s security talks, it would be interesting to see how the arguments and mechanisms in this paper could be applied in embedded context rather than traditional Internet, such as voting machines and controlling cars or appliances in home remotely.

This paper doesn't focus on any particular system of computer security but aims to give an overview of the challenges the author believes have been ignored in the race to develop technically sophisticated solutions. He correctly notes that security systems have not been as widely adopted as the security community expected because securing a system imposes both a development cost and a maintenance cost that might be out of proportion to the perceived damage an attacker might do. The best way to increase the use of security systems would be to lower the cost of implementing and using them, namely by making them simpler.

The author emphasizes the human element in software creation and use. Security flaws exist not only because of poor design but also due to bugs in the implemented code. Bugs aren't fixed by designing more complicated methods, they are only made more numerous. Further, the cost of security checks and the cost of elements such as isolation of client code also scales with the complexity of the security system. This imposes a burden on the experience of the average user. Many existing security systems go unused (or are poorly used) due to imperfect understanding by system administrators and users (sometimes a result of poor documentation). The best security in the world is of no use if it's not used properly. Some suggestions the author makes for simplifying the implementation include separating users into a small number of simple classes and keeping both a white list and a black list for access control.

There is a long section toward the end about distributed access control. This aims to make the task of authentication easier by allowing indirect authentication through a chain of agents. In this way, a hierarchy can be set up with smaller servers overall but more hops necessary. New agents only have to be added at a leaf server in the hierarchy which incurs smaller cost than changing a massive central server. This is a widely accepted idea in the security community and I felt that the author made the explanation unnecessarily confusing by inventing an arrow notation. A better symbol would be "<", to indicate the amount of trust placed on each agent.

One element I feel the author dropped is the idea of intrusion detection and punishment. They were brought up in the introduction as a parallel source of optimization. However, intrusion detection only came back up at the end in a very short section about keeping logs of client activity. These logs crucially rely on the chain of authentication. Punishment was never brought back up. It might be out of the scope of a purely technical paper but as this article was more of an overview, it would be interesting to see the challenges that arise from enforcement issues, whether they be international law or establishing robust logs that could convince a third party that claimed wrongdoing had taken place when two entities are in dispute.

The paper analyses the requirements/challenges for achieving "real security" in practice and suggests methods to achieve it in a distributed environment as big as the Internet.

In practice, threats/attacks can be handled in two ways: 1. Prevention - stronger security, 2. Increasing risk of punishment - better detection but not much security. In real computer systems, it is hard to achieve any of the above because the system involved is way too complicated, making the secure systems even more complicated. The paper address this issue with an end-to-end solution and guidelines on how to design a secure system.

The author talks about the various elements of a secure system, the policy, mechanism and assurance. An important note that the author makes is the point about the positive and negative aspects of a policy. It is important because most of the secure systems concentrate more on preventing the attacker, but end up limiting the legitimate users. Almost all secure systems implement security using access control model. Any secure transaction in a local system involves three steps, authentication (identifying the user), authorization (allowing the user) and auditing (logging it). Each step is integral/essential part of a secure system.

One of the major contribution of the paper is the idea about Trusted Computing Base (TCB) to be small for better security. (TCB - the set of software/hardware systems involved closely with assuring security). This is because, the large the TCB, security becomes complicated and pushes the (lazy) user to accept a weaker system. Also the idea of "defense in depth", which assures more secure systems by thwarting the attacker with redundant levels of security. In the author's end-to-end solution for security, he advocates the need for delegation in larger distributed system (using "speaks for" relationship). This provides a model for designing a large distributed systems where the access control information are spread apart and the system relies on setting up secure channel to delegate the security to trusted parties. The idea of hierarchical namespace aids in making this delegation simpler and extensible.

In the paper, the author tackles the problem of security by prevention rather than the other alternative of having a very good detection system and rely on "risk of punishment" to demotivate an attacker. It is not clear if this would be a better solution than providing complete security.

On the whole, the idea in the paper is in general useful to many distributed system that requires security assurance and remain as a very good guidelines for designing a secure system in general.

This paper gives a brief introduction to computer security. It initially starts off with security in a small system and progresses towards security in distributed system. To start off, It does a nice job of giving a good overview of the implementation of security where it describes the layout of the individual components that are the setup which refers to the architecture of the system, the setup, hardware and software. The principal sends requests which are to be evaluated by the guard which authorize the request by using an access control list.
The paper then moves on to talk about how to provide Access control in a distributed environment. Security in this case is a multi-step process with each step requiring authentication to execute the next step. The paper gives some examples pertaining to this about authentication across different systems. It modelled this as chains of responsibility where each step in the chain needs signatures to get to the next level. It suggested a very descriptive example of cross-network authentication for collobaration across companies, similar to getting access to VPN. The paper also describes how the chain of responsibility is set up, each element trusts the previous element in the link. So basically the process of setting up the chain of responsibility boils down mainly to how secure channels are implemented. It is also important for the guard to verify this chain of responsibility for which the paper suggests a push/pull model from each element in the link. The paper also in brief talks about auditing whereby attacks are detected and the attacker is determined and punished. This can be implemented by logging each request to the service and analyzing the log to look at who attacked at what time, etc.
On the whole, I feel this is a good introduction to security with respect to what is expected out of a secure system and some high level ideas on what the architecture of a secure system can be.

This paper is a general overview on security in computing. This paper goes over some of the reason why security in systems is not correct and gives a general overview on what some methods are for securing systems. The general reason that he gives for security being kind of a oversight in software at the time was that it didn't add any additional features to the software that user could see and usage was restricted. It was not a priority at the time so features were favored.

This paper also goes into several methods for improving security and lays out a few ground rules that, if followed, could increase the security of the system. Some of the idea's brought up in this paper were:

Simpler scheme's for administering and using security measures in software. The idea behind this is that not everyone needs the fine grain control over security that can be provided by the OS. So some specific preset security settings that can be selected by the administrator could reduce the chances of an error in implementation. This also extends to users (in the form of easier use of logins/etc), and developers (type safe languages like java).

Login Methods and how to make them secure and easy to use. Discusses securing communication channels, some popular authentication frameworks (Kerberos), and naming schemes for login credentials. Also discussed are some physical security methods (such as smart card logins).

Overall I enjoyed this paper, it was a rather interesting overview on security in systems. This paper did mention in the very beginning that it would take users looking at security as being more of a feature before significant time would be spent writing software to be more secure. This has somewhat happened in the years since this paper was written. Insecure software can cost a company an entire line of software if the security breach into their software is big enough and may take years to get rid of the taint of insecure software. The discussion about making software and systems easier to secure via simplicity I found to be quite spot on. Simplicity reduces the chances for error's to occur and makes them easier to spot for both the administrator and the coder developing the software.

This paper discusses various components of computer security and some common methods used to divide it up into components. The second part of the paper presents an idea for a universal authentication system for use on the internet.

Currently there are many methods used for security on the internet. This increases the complexity of certain tasks when many different designs must be used and can make it hard to detect intrusions consistently. Having a clear idea of the goals of the security is necessary for properly designing the mechanisms used in the program. One of the goals mentioned is for better detection and punishment as a deterrent for solving security problems.

The paper begins by explaining how security is a complex issue and it is generally not possible to make a system completely secure as the cost would be too high if not impossible for other reasons. One idea is to cut back on the complexity of security, such as reducing the total number of groups assigned for authorization but this often interferes with desired functionality. A way to divide security into three components is presented, involving policy (goals), mechanism (how it will be accomplished), and assurance (how to show it works). A second set of four divisions is shown for the goals of the security, with secrecy, integrity, availability and accountability. Secrecy protects from items like theft and privacy concerns, integrity protects resources and makes sure they are not changed incorrectly, availability protects against losing access to services, and accountability helps keep track of who had access if something goes wrong. Vulnerabilities are also classified into three forms, involving buggy programs, gullible programs, and programs susceptible to spoofing communication. The paper goes on to recommend a universal authentication system for the internet, called a distributed access control. Typically setups rely on correct configuration information or administrator security policy, which could be simplified by providing a universal method across networks. This distributed access control would provide a chain of responsibility where certain elements are given trust and then corresponding responsibility for certain items. Three items are checked to verify links. The first items is checking why the link should be trusted, which is assumed by the previous element in the link accepting it already. A second item is knowing if the link goes to someone that is actually who it says it is, which can be accomplished through cryptography. Finally, the third item is checking why the item was delegated the responsibility for this link, which can be involve details of the current setup. Consistent naming can help with verifying some of these details. Detection and Punishment, which is a strong deterrent in security, is easier with these links which can help verify someone who gained unintended access.

This paper presents many ideas about security but not as much details to support some of these ideas. Some of the suggestions, like always using type-safe languages, may help with security but not be as useful in a general, practical setting. A distributed access control could certainly be used by a variety of designs for helping with security and authentication. Designing software to do a better job of some of the failings mentioned in the paper are certainly good goals for software in general.

This paper outlines the basic ideas of computer security by analogizing the security in real systems, and concludes the common principles for the uniform end-to-end scheme. “Speaks for” relation forms a chain of responsibility in a system, which explains what is going in the system.

The main problem the paper tries to solve is computer security. It doesn’t work well in practice usually. By analyzing the characteristics of security, the main difficulties of computer security is 1) the reliance on prevention, and 2) the complexity in code. Also, for distributed systems, the approach to handle authentication and authorization on local system needs to be extended to provide a uniform way throughout the Internet. This paper tries to explains the issues and figure out the basic principles underlying the approaches.

This paper has several contributions. The first one is the outline of computer security problem. As the real system, computer system needs to figure out policy, mechanism, and assurance on security. For policy, the system needs to specify what to do. For mechanisms, two models are discussed, access control model and information flow control model. These lead to the gold standard for security: authenticating, authorizing and auditing. Assurance is based on the idea of trusted computing base, which is related to end-to-end principle. This contains two components, the code and the configuration. To make security work, the system should keep security setup much simpler.

The second one is the principles of security for distributed systems. The author proposes a concept of “chain of responsibilities”. The key idea in this concept is “speaks for”, which determines which principal is more powerful. The verifier in a system can know who says by either receiving it on a secure channel or store it locally. The paper also suggests hierarchical names is a good convention to adopt, and it provides a form of multiplexing. Some variations are also discussed.

One flaw of this paper from my perspective is that the paper suggests that hierarchical naming is a good solution. However, there exist some systems which all the names may form a flat structure which no hierarchical, such as the naming policies in peer-to-peer systems or the service-id in the proposed layered naming architecture in Internet. How to find out the parent of responsibility in practice is not covered in this paper.

The ideas in this paper explain how security works in existing systems. It is also valuable in directing the design of a secure system. I think it presents the principles of computer security and it’s still applicable in practice nowadays.

This paper talks about implementing end-to-end access control in a distributed system. It formalizes the notion of "speaks for" relation between principals and talks about what encompasses that notion and how to go about implementing them.
On a very high level, the paper solves the problem of end-to-end authentication and authorization on a distributed system, where there is not centralized security controller. Though the solving of this problem is superfluous, the paper seems to do some analysis of the problem and spell out the solution in a formalized manner.
The biggest contribution of this paper is, perhaps, the “speaks for” relation and the “Chains of responsibility” formalism (which appears to the reflexive transitive closure of the said relation) which seems to conveniently capture and encapsulate the security parameters and properties of an end-to-end access control.
Ideas discussed in the paper:
- The paper does an excellent job setting the scene through Section 2 (especially for people with no background in computer security). The descriptions of policy, mechanism and assurance in layman terms are a very nice feature of the paper.
- The description of reference monitors as guards, mediating authentication and authorization, makes it easy to compare and contrast the local access control implementations with the end-to-end access control descriptions in the paper.
- The paper describes local access control in the context of a single system first. Then the paper describes how secure channel interactions occur in the presence of a domain controller and across domains.
- In distributed access control, the paper first describes the scenario common in an implementation of an end-to-end access control in a distributed system, through an example. Then, it builds, step-by-step, the idea of a chain of responsibility.
- The paper formalizes the “speaks for” relation between principals and “about subjects” and the combination of both, being the delegation. It says that the principal gets its authority delegated since it has passed the challenge of trust. It then describes how the delegation manifests in the form of a signature or an ACL entry and why a principal makes a delegation.
- The paper then describes the internals of setting up a chain of responsibility and goes over the high level implementation details such as differentiating between secure channels and ordinary channels and the difference between public and private key encryption. It also talks about caching and the push vs. pull mechanisms of collecting evidence.
- The paper finally talks about auditing - proof of evidences collected in making access control decisions.
The paper doesn’t seem to have any flaws in general (or rather, I would attribute my not finding any flaws to my lack of background in security). Although, the author might have skipped the first section and delved straight into the description computer security.

The paper focuses on two key ideas: security must involve simpler setup and simpler design; in a distributed system where there is no central controller, security requires a clear flow of who delegates authority to whom.
The paper analyses the reason for poor security in real world systems and says that it is all about the balance between the value of the gain and the risk of punishment in the view of the attacker and the balance between the cost of security and risk of an attack and the cost of recovery in the view of the user. Other factors that influence this are the complexity involved in designing a highly secure system and the restriction it imposes on the other features that are needed. Based on this analysis, he argues that security in real systems will improve only if there is a high probability of a security threat, or if the system design for security is made simpler. He argues in favor of auditing, that increases the risk of punishment and also favors an early intrusion detection which may reduce the cost of recovery.
The paper then dives into the basic ideas of computer security which include secrecy, integrity, availability and accountability which can be implemented using access control and the gold standards for security namely: authentication, authorization and auditing. In centralized systems where there is no central management, the paper explains how to perform end-to-end access control by building a chain of responsibility based on “speaks for” relation between principals. Each link in the chain is a delegation and the right principal asserts each link using a secure channel. Also, it is shown that every kind of authentication and authorization information is supported by this mechanism.
The paper as such does not propose any new problem or mechanism but does an analysis on real world security issues. I agree with his reasoning that security requires a simpler model and more standard and easier configurations. This is in contradiction to his other statement that a system is as secure as its weakest link which necessitates building a system that is simple and foolproof which is not always easy. As the author points out that tracing the attacker and punishing in the internet world is not easy and so auditing by itself is not sufficient in the computer world which in turn shifts the focus on prevention.
With regard to the end-to-end access control mechanism in a distributed system, I agree that it a cleaner model of ensuring security when there is no central point of control. But it does not address all the issues such as how an attack or impersonation happens after a source is established as a trusted source and delegation occurs. Addressing all these issues will definitely make the system more complex. I consider the important take away point from the paper is security in real world systems is a tradeoff between the cost of risk and the nature of complexity you can tolerate.

The paper talks about how security should be approached in general in web
based technologies and systems where the model is distributed. The paper does
not talk about any specific security mechanism, however, it kindles
discusssion on how to approach the problem of securing a system by clearly
defining on whom to trust and defining security boundaries. The approach of
the paper is to talk about how the system should be set up rather than how it
should actually be implemented using a specific security mechanism. It talks about
frameworks for security like access control lists, differentiating between
authentication, authorization and auditing, infomation control flow model.
It talks about how systems can be made secure by enforcing end to end security
with depth in it so that the attacker could not compromise all the levels at
the same time since there are too many knobs to turn. It also describes the
concept of user group and others which we find in the unix systems as a means
for easily managing security policies. Concepts like ticketing systems,
setuids are highlighted with appropriate examples to show how local access
control is enforced. In the distributed scenario, the paper highlights the
concept of trust by defining who trusts whom based on whom on what objects and
establishing some chain of responsibility. This also lets us collect evidence
and audit the access to objects so that the attacker can be identified when an
attack happens.

The paper in my opinion does a very good job on how to set up a security
system and how to look for ways to make it more secure from a fundamental
perspective on how it is set up rather than the code that goes into it. I like
the fact that security systems should raise the bar for the attacker and have
provisions to audit and catch the attacker and punish him rather than making
it impossible by all means.

I think the paper failed to mention that security fundamentally arises by
having atleast one entity which is trusted in nature. For instance, you need
to trust the browser you use to surf anything on web. Or when using public key
encryption, you need to trust the key distributor. The paper also talks about
how with internet, the security concerns have escalated since there are more
chances of attack. However, with the advent of internet from an open source
perspective, more security bugs are flushed out by sharing the code in public
and having more pairs of eyes looking at it rather than one single programmer
or one single organization responsible for the software. Also, in the initial
section, the authors state that security in computer systems is only a matter
of software. I think hardware security plays a very important role as well in
real world. It is not difficult for an attacker to confiscate a secure device
and break into it at his own will by taking advantage of how the hardware is
implemented. I read a paper by Ross Anderson that explains hardware attacks on
credit cards which can be done by almost any normal person who can spend a
couple of bucks. Where the paper talks about attacks being performed by
driving the system into a state that is not often realized during normal
execution, I wonder if model checkers would be of any use to formally flush
out vulnerabilities in the system.

In this paper, the author claims that accountability is an important way to achieve security in distributed systems. He supports the claim by giving examples from security in real world systems. Although we do not have perfect security in real world, we do not have catastrophic issues since the punishment is so harsh. Therefore, the author suggests that we should concentrate on detecting and punishing bad hackers to provide better security.

The author also believes that simplicity is key to security; therefore, he anaylzes the three main headings namely policy, mechanism, and assurance in this regards. The policy should be as simple as private-shared-public concepts for both users and admins; so that everyone can understand and trust it. We should have a mechanism that provides isolation in terms of authorization and authentication for better auditing. Finally, we should have a layered defense system and easy setup and run strategy to assure security system work. After summarizing security in general as such, the author introduces the end-to-end access control approach which propagates the responsibilities over links from one user to another. Therefore, by looking at individual logs of components we can decide which one gives the unintended access, and hope to detect the bad guys.

I don't think that there is much novel contribution in this paper. Among all the papers we read so for, this might be the paper that has the least impact on the field. There may be two reasons for that: First, the paper is not that convincing in the sense that it fails to satisfy academic paper requirements. Second, the claim may be a bit discouraging for security researchers and cannot find too many supporters. Personally, I liked and agree with the opinion that a very good detection and punishment would be best to deal with security problems.

I believe the most important flaw of the paper is the contradiction resides in the paper. In the introduction, author claims that large companies trade security with cost, and they prefer paying the cost of security problems instead of implementing an expensive security systems. In addition, the systems will get better and better after each catastrophic failure. I think companies would still not buy advanced security systems even if we make them simple and accountable; they will still be very expensive to setup. This is also somewhat supported in the first sections of the paper. So, the question is why do we care then?

I believe end-to-end access control systems are very important for the current Web since it is getting more and more interactive and layered; we have OSs, browsers, Networks, VMs, application layers, databases, and etc. Data should be labeled in in every layer from server to client, and we can get an end-to-end access control system, which enforces policies in each layer and provides better security. Therefore, I agree with author that with an end-to-end access control mechanism, we can achieve very good results. On the other hand, I disagree that it is very simple to implement since it should interact with too many heterogeneous layers and it is still a very expensive setup for current security issues.

Seth Pollen, Victor Bittorf, David Capel, Igor Canadi

In ‘Computer Security in the Real World’, the author makes two basic points: 1. security should be simple, 2. bigger emphasis should be placed on discovery and punishment of the attackers. He starts off by describing the current state of security and argues that the main problem with security is it’s complexity. It’s really hard to set up right and sometimes prevents people from getting what they want. If secretary has to ask boss about permission to read the files so they can be printed, it wastes time for both the secretary and the boss. On the other hand, having secretary be able to read all the files has immediate impact on productivity. Loss of security in that case may be a problem, but it’s not immediately obvious one, and thus has no value for secretary or the boss. The author gives more examples of where security gets in the way of things and gives the problem more psychological and organizational dimension. To solve the problem without sacrificing productivity, the author proposes a punishment model, where secretary won’t sell the files to competitor because of the fear of being punished.

The author then gives overview of security being composed of Policy, Mechanism and Assurance, and discusses implications of two basic principles, simplicity and punishment on all three layers of the security. For simplicity, he gives an idea of configuration to be as high-level as possible, passing through a compiler that translates the policy into low-level setup. For punishment, the author’s idea is to rely on auditing accesses to the data, so when the attack happens, it is easier to find the attacker and punish him.

Following the general discussion about security is the explanation of access control, both in terms of authentication and authorization. The author describes the chain of responsibility as a basic model for distributed access control, arguing that it is both simple to understand and effective to audit.

In our reading group, we concluded that this paper is more a marketing than a technical paper. The author didn’t describe any novel approaches, but he did a good job on selling the security. If security is made simple, then users will both understand and trust it, which is really important step towards a world of secure systems.

We had a big discussion about whether auditing gives you better security. We think it does, but what’s really more important is that people know they are being audited. We gave example of the Panopticon prison, where there is only one guard in the watching tower and inmates can’t see him, but he can see all of them. They can’t tell whether they are watched or not, or even is there a guard in the watching tower.

Some flaws of the auditing model is that it doesn’t raise alarms when the attack happens. There might be an evidence of an attack, but if nobody looks at it, nobody will ever know.

We also argued that the model works only in settings where every user is correctly authenticated and there are no anonymous users. However, most of the attacks on computer systems are done by anonymous individuals gaining backdoor access to the system or impersonating a user with higher permissions. If Alice is logged on to a system, and she knows that system knows she is Alice, of course she won’t try to break into the central database. But if an attacker impersonates Alice and breaks into database on her behalf, what good is auditing then?

A flaw that we discuss in chain of responsibility is that if an attacker gains unprivileged access to highly-trusted server, he can compromise the entire system and gain unlimited access to the every piece of data on all the systems in the trusted subtree of the attacked server. We think this is a huge risk that author didn’t address at all.

We wrapped up our discussion by agreeing that the paper is oversold and does not tackle the real problem of security in anonymized Internet setting where most of the attacks are not committed by authorized users whose identity we can find out by simply auditing their behaviors. However, we did agree that most of what the paper stated was true and probably helped big organizations think about internal security.