How to analyze the security of a system?
- What is the system and what is its value
- identify the attack surface
-- how can it be attacked?
- identify potential vulnerabilities
- identify the threats and adversaries
-- what is the threat model you need to protect against?
What is the system?
What is the attack surface? (What are the avenues by which someone might try to attack your system?)
Why use attack trees?
- to think about attack surface like a bad guy
What are vulnerabilities?
What are threats? What do they correspond to?
- Actions by adversaries who try to exploit vulnerabilities to damage asset
- Correspond to confidentiality, integrity, authenticity and availability
What are the threats to a voting machine?
1. Extract records: find out who voted for who
2. Tampering with data: change outcome of election
3. Spoofing identity: vote as someone else
4. Crash machine: prevent others from voting
What is confidentiality and how can it be violated?
What is integrity and how can it be violated?
What is authenticity and how can it be violated?
What is availability and how can it be violated?
Why do you need a threat model?
- to organize what you assume about attackers's goals and capabilities
What do you assume about attacker's goals and capabilities?
What is the triage?
- threats, vulnerabilities and asset value
How do you evaluate what combination of threats * vulnerabilities * asset value are the biggest?
What is the shared secret between the physical lock and key?
What is a bitting code?
- the discrete code that a key is cut with
-- cuts at regular intervals (4-6 cuts)
-- depth of cuts quantized in standard fashion
What are the design assumptions of a physical lock?
- if you don't know the secret code, you can't open the lock
- the secret code is secret
- if you can't open the lock, everything is fine
How is the design assumption "if you don't know the secret code, you can't open the lock" flawed?
- lock bypass via manipulation
How does picking a lock work?
How does raking a lock work?
How does bumping a lock work?
Defenses for picking, raking, and bumping attacks?
1. security pins
-- Spool pins, mushroom pins, interlocking pins
---- Shapes that get “stuck” when plug under tension
---- Pin rotation (angled cuts on keys)
2. ancillary locking mechanisms; sidebars
How do master keys work?
Second set of pins (spacers); multiple shear lines
What are the problems are of master keying?
What are the problems with "The secret code is secret" security design assumption?
- lock bypass via duplication
-- field casting
What is optical decoding?
Decode keys semi-automatically from photos - Traditional computer vision problem (photometry) - Normalize for scale and rotation
What is UCSD's Sneakey?
Project where: Reference key measured at control points • User supplies correspondences between target key and reference image • Image normalized (homographic transform), cut locations identified and cut depths measured (n guesses)
What's the problem with the solution of just selling a unique key to a customer in order to prevent decoding?
- can easily be re-made through key milling machines or 3D printing
What's one defense to the problems of the secret code is secret?
- Electronic & mechanical keys - Challenge/response via RF ◆ But own issues; batteries, replay, how to program, etc - HIGH SECURITY/Very expensive solution: -- Electronic; no battery; self-erase; heavy RF shielding; different combination for each user; unerasable audit log
What's the problem of the "If you can’t open the lock, everything is fine" design assumption?
- can go around