EEC 688/788
Secure and Dependable Computing
Lecture 2
Wenbing Zhao
Department of Electrical and Computer Engineering
Cleveland State University
wenbing@ieee.org

Outline

Basic terminology
Dependability concepts
  Attributes
  Fault, error, and failure
  Approaches to achieving dependability
Security concepts
  Attributes
  Vulnerabilities, threats, attacks, and controls

Security in Computing, 4th Edition, by Charles P. Pfleeger and Shari Lawrence Pfleeger
http://proquest.safaribooksonline.com/0132390779

11/17/15
EEC688/788: Secure & Dependable Computing
Wenbing Zhao

Terminology

A system is an entity that interacts with other entities, i.e., other systems, including hardware, software, humans, and the physical world with its natural phenomena
These other systems are the environment of the given system
The system boundary is the common frontier between the system and its environment
A system may consist of one or more components, such as nodes or processes

[Figure: System, System Boundary, Environment]

Terminology

State: determines the status of the system
  A system may be recovered to where it was before a failure if its state was captured and survives the failure
Service delivered by a system: work done that benefits its users
  User/Client: another system that interacts with the former
Function of a system: what the system is intended to do
(Functional) Specification: description of the system function
Correct service: when the delivered service implements the system function

Dependability and its Attributes

Dependability refers to the ability of a distributed system to provide correct services to its users despite various threats to the system such as undetected software defects, hardware failures, and malicious attacks
A dependable system has the following attributes
  Availability: a measure of the readiness of the system
  Reliability: a measure of the system's capability of providing correct services continuously for a period of time
  Integrity: the capability of the system to protect its state from being compromised due to various threats
  Maintainability: the capability of the system to evolve after it is deployed
  Safety: when the system fails, it does not cause catastrophic consequences

Quantitative Dependability Measures

Availability - a measure of the readiness of the system
  It is the probability of being operational at a given instant of time
  A 0.999999 availability means that the system is not operational at most one hour in a million hours
  A system with high availability may in fact fail. However, failure frequency and recovery time should be small enough to achieve the desired availability
  Soft real-time systems such as telephone switching and airline reservation require high availability

Quantitative Dependability Measures

Reliability - a measure of continuous delivery of correct service
  It is the probability of surviving (potentially despite failures) over an interval of time
  May also be evaluated as time to failure
  For example, the reliability requirement might be stated as a 0.999999 availability for a 10-hour mission. In other words, the probability of failure during the mission may be at most 10^-6
  Hard real-time systems such as flight control and process control, in which a failure could mean loss of life, demand high reliability
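The two slides above give availability and reliability as probabilities but not the arithmetic behind them. The following Python is an added example, not part of the lecture: it computes availability from mean time to failure (MTTF) and mean time to repair (MTTR), the downtime budget an availability target implies, and mission reliability under a constant-failure-rate (exponential) model. The exponential model and the MTTF/MTTR figures are assumptions chosen for illustration; the last function shows numerically why a system can have 0.999999 availability and still be a poor choice for a 10-hour mission.

```python
import math


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time the system is operational."""
    return mttf_hours / (mttf_hours + mttr_hours)


def max_downtime_hours(availability_target: float, period_hours: float) -> float:
    """Downtime budget implied by an availability target over a given period."""
    return (1.0 - availability_target) * period_hours


def reliability(failure_rate_per_hour: float, mission_hours: float) -> float:
    """Probability of surviving the whole mission without failure, assuming a
    constant failure rate (exponential model; this modelling choice is ours)."""
    return math.exp(-failure_rate_per_hour * mission_hours)


def failure_rate_for_mission(reliability_target: float, mission_hours: float) -> float:
    """Largest constant failure rate that still meets the mission reliability target."""
    return -math.log(reliability_target) / mission_hours


def compare_high_availability_vs_reliability():
    """Constructed scenario: a system that fails once an hour but recovers in
    3.6 ms (MTTF = 1 h, MTTR = 1e-6 h) is 0.999999 available, yet the chance
    of it surviving a 10-hour mission is about exp(-10), i.e. tiny."""
    mttf, mttr = 1.0, 1e-6
    return availability(mttf, mttr), reliability(1.0 / mttf, 10.0)


if __name__ == "__main__":
    print("downtime allowed per 1e6 h at 0.999999:", max_downtime_hours(0.999999, 1_000_000))
    print("failure rate for R=0.999999 over 10 h:", failure_rate_for_mission(0.999999, 10.0))
    print("availability vs 10 h reliability:", compare_high_availability_vs_reliability())
```

The contrast in the last function is the slide's point in numbers: availability only bounds how often and how long the system is down, while reliability asks for an uninterrupted run, so the two measures must be specified separately.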

Fault, Error, and Failure

The adjudged or hypothesized cause of an error is called a fault
An error is a manifestation of a fault in a system, in which the logical state of an element differs from its intended value
A service failure occurs if the error propagates to the service interface and causes the service delivered by the system to deviate from correct service
The failure of a component causes a permanent or transient fault in the system that contains the component
Service failure of a system causes a permanent or transient external fault for the other system(s) that receive service from the given system

Fault

Faults can arise during all stages in a computer system's evolution - specification, design, development, manufacturing, assembly, and installation - and throughout its operational life
Most faults that occur before full system deployment are discovered through testing and eliminated
Faults that are not removed can reduce a system's dependability when it is in the field
A fault can be classified by its duration, nature of output, and correlation to other faults (and many other criteria)

Fault Types - Based on Duration

Permanent faults are caused by irreversible device/software failures within a component due to damage, fatigue, improper manufacturing, or bad design and implementation
  Permanent software faults are also called Bohrbugs
  Easier to detect
Transient/intermittent faults are triggered by environmental disturbances or incorrect design
  Transient software faults are also referred to as Heisenbugs
  Studies show that Heisenbugs make up the majority of software faults
  Harder to detect

Fault Types - Based on Nature of Output

Malicious fault: a fault that causes a unit to behave arbitrarily or maliciously. Also referred to as a Byzantine fault
  A sensor sending conflicting outputs to different processors
  A compromised software system that attempts to cause service failure
Non-malicious faults: the opposite of malicious faults
  Faults that are not caused with malicious intention
  Faults that exhibit themselves consistently to all observers, e.g., fail-stop
    A fail-stop system simply stops executing once it fails
Malicious faults are much harder to detect than non-malicious faults

Fault Types - Based on Correlation

Component faults may be independent of one another or correlated
A fault is said to be independent if it does not directly or indirectly cause another fault
Faults are said to be correlated if they are related
  Faults could be correlated due to physical or electrical coupling of components
Correlated faults are more difficult to detect than independent faults

Approaches to Achieving Dependability

Fault Avoidance - how to prevent, by construction, the fault occurrence or introduction
Fault Removal - how to minimize, by verification, the presence of faults
Fault Tolerance - how to provide, by redundancy, a service complying with the specification in spite of faults
Fault Forecasting - how to estimate, by evaluation, the presence, the creation, and the consequence of faults
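The "Fault Tolerance by redundancy" approach above, and the fail-stop versus Byzantine distinction from the "Nature of Output" slide, can both be seen in a majority voter. The Python below is an added example and not from the lecture: a fail-stop replica is modelled as returning no reply at all (None) and is detected by that absence, while a Byzantine replica returns an arbitrary value and is detected only because it disagrees with the majority. The sensor scenario (two good sensors reporting 20, one Byzantine sensor telling processor A 20 and processor B 99) is constructed for the demonstration; the threshold that masking f arbitrary faults by plain voting needs a strict majority, i.e. 2f+1 replicas, is standard and is what the voter enforces.

```python
from collections import Counter
from typing import List, Optional, Tuple

# A reply of None models a fail-stop replica: it stopped and sent nothing.
Reply = Optional[int]


def majority_vote(replies: List[Reply]) -> Tuple[Optional[int], List[int]]:
    """Mask faults by redundancy.

    Returns the value a strict majority of replicas agree on, together with the
    indices of replicas whose reply deviated from it (missing or wrong). A
    strict majority of n replicas means support * 2 > n, so n = 2f + 1 replicas
    mask f faulty ones. If no strict majority exists the voter cannot mask the
    faults and reports (None, all indices) so the caller can fail safely."""
    n = len(replies)
    present = [r for r in replies if r is not None]
    counts = Counter(present)
    if counts:
        value, support = counts.most_common(1)[0]
        if support * 2 > n:
            deviants = [i for i, r in enumerate(replies) if r != value]
            return value, deviants
    return None, list(range(n))


def byzantine_sensor_scenario() -> Tuple[Optional[int], Optional[int]]:
    """Constructed scenario: three sensors feed two processors. Sensor 2 is
    Byzantine and sends conflicting outputs: 20 to processor A, 99 to processor B.
    Because two of three sensors are correct, both processors still agree."""
    seen_by_a = [20, 20, 20]
    seen_by_b = [20, 20, 99]
    return majority_vote(seen_by_a)[0], majority_vote(seen_by_b)[0]


if __name__ == "__main__":
    print("all correct:      ", majority_vote([42, 42, 42]))
    print("one fail-stop:    ", majority_vote([42, None, 42]))
    print("one Byzantine:    ", majority_vote([42, 42, 7]))
    print("two faulty of 3:  ", majority_vote([42, 7, 9]))
    print("two sensors only: ", majority_vote([20, 99]))
    print("sensor scenario:  ", byzantine_sensor_scenario())
```

The deviant list is the detection side of the slide: a fail-stop replica shows up because it said nothing, a Byzantine one only because its value lost the vote. With two replicas alone ([20, 99]) there is no majority, which is why redundancy against an arbitrary fault starts at three.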

Computer Security and its Attributes

Computer security is synonymous with the following three attributes:
  Confidentiality: computer-related assets are accessed only by authorized parties. Confidentiality is sometimes called secrecy or privacy
  Integrity: assets can be modified only by authorized parties or only in authorized ways
  Availability: assets are accessible to authorized parties at appropriate times

Confidentiality

Confidentiality is the concealment of information
The need for keeping information secret arises from the government and the industry
  Conceal the content of the information
  Conceal the very existence of information
  Enforce the need-to-know principle
Achieve confidentiality: access control mechanisms
  Cryptography: users without the cryptographic key cannot access unscrambled information
  Other access control mechanisms may conceal the mere existence of data, such as steganography

Integrity

Integrity refers to the trustworthiness of information, usually phrased in terms of preventing improper or unauthorized change
  Data integrity: the content of the information
  Origin integrity: the source of the data, i.e., authentication
Integrity mechanisms:
  Prevention mechanisms:
    Blocking any unauthorized attempts to change the data
    Blocking any attempts to change the data in unauthorized ways
  Detection mechanisms: report that the data's integrity is no longer trustworthy
    Analyze system events to detect problems
    Analyze the data itself to see if required or expected constraints still hold
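The slide separates data integrity from origin integrity and lists two kinds of detection mechanism. The Python below is an added example, not the lecture's code, showing both on a small record: an HMAC-SHA256 tag computed with a key that only the legitimate origin holds detects any change to the content (data integrity) and any tag produced by a party without the key (origin integrity), and a separate constraint check analyzes the data itself for invariants it is expected to satisfy. The key, the account record and its invariants (non-negative integer balance, known currency) are constructed for the demonstration; the `tamper` helper simply stands in for an unauthorized in-transit change.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a secret store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag. The tag binds the content (data integrity) and,
    because only the keyholder can produce it, the source (origin integrity)."""
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Detection mechanism 1: recompute the tag and compare in constant time.
    Any change to the payload, or a tag made with a different key, fails."""
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def constraints_hold(record: dict) -> bool:
    """Detection mechanism 2: analyze the data itself and check that the
    expected constraints still hold (constructed rules for a demo account record)."""
    return (
        isinstance(record.get("balance"), int)
        and record["balance"] >= 0
        and record.get("currency") in {"USD", "EUR"}
    )


def tamper(envelope: dict, old: str, new: str) -> dict:
    """Constructed helper: an unauthorized change to the payload, tag left as is."""
    return {"payload": envelope["payload"].replace(old, new), "tag": envelope["tag"]}


if __name__ == "__main__":
    record = {"account": "A-001", "balance": 100, "currency": "USD"}
    env = protect(record, DEMO_KEY)
    print("untouched verifies:        ", verify(env, DEMO_KEY))
    print("tampered verifies:         ", verify(tamper(env, "100", "900"), DEMO_KEY))
    print("other key verifies:        ", verify(env, b"some-other-key"))
    print("constraints on good record:", constraints_hold(record))
    print("constraints on bad record: ", constraints_hold({**record, "balance": -5}))
```

Note which mechanism catches what: the tag says nothing about whether a balance of -5 is sensible, and the constraint check says nothing about who wrote the record, so the slide's two detection approaches complement rather than replace each other.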

Working with Confidentiality & Integrity

With confidentiality, the data is either compromised or it is not
With integrity, both the correctness and the trustworthiness of the data must be considered
  Origin of the data
  How well the data was protected before it arrived at the current machine
  How well the data is protected on the current machine
Evaluating integrity is often very difficult

Availability

Availability refers to the ability to use the information desired
  An aspect of reliability
  Also an aspect of system design: an unavailable system is at least as bad as no system at all
Why is availability relevant to security?
  Someone may deliberately arrange to deny access to data or to a service by making it unavailable
  Denial of service attacks: attempts to block availability
  It is very difficult to detect denial of service attacks
    Must determine if the unusual access patterns are attributable to deliberate manipulation of resources or of environment (i.e., an atypical event)
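The slide says the hard part of denial-of-service detection is deciding whether an unusual access pattern is deliberate. The Python below is an added example, not from the lecture, of the first step a defender automates: counting requests per source in fixed time windows over an access log and flagging sources whose count exceeds a threshold. The log lines, the ten-second window, the threshold and the addresses (203.0.113.9 is from the documentation range) are all constructed; the function only produces candidates for an analyst, since a burst by itself does not say whether it is an attack or an atypical but legitimate event.

```python
from collections import Counter
from typing import List, Tuple

# Constructed sample access log, one request per line: "<epoch seconds> <source> <path>".
SAMPLE_LOG = """\
1000 10.0.0.5 /index
1003 10.0.0.7 /login
1004 203.0.113.9 /search
1004 203.0.113.9 /search
1005 203.0.113.9 /search
1005 203.0.113.9 /search
1006 203.0.113.9 /search
1006 203.0.113.9 /search
1012 10.0.0.5 /account
1015 10.0.0.7 /logout
"""


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Parse the constructed log format into (timestamp, source, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, path = line.split(maxsplit=2)
        events.append((int(ts), source, path))
    return events


def requests_per_window(events, window_seconds: int) -> Counter:
    """Count requests per (source, window start); windows are aligned to
    multiples of window_seconds so the same request always lands in one bucket."""
    counts: Counter = Counter()
    for ts, source, _path in events:
        window_start = ts // window_seconds * window_seconds
        counts[(source, window_start)] += 1
    return counts


def flag_burst_sources(text: str, window_seconds: int = 10, threshold: int = 5):
    """Return (source, window_start, count) for every source that sent more than
    `threshold` requests in one window. These are candidates for review, not
    verdicts: the analyst still has to decide deliberate manipulation versus
    an atypical event, as the lecture notes."""
    counts = requests_per_window(parse_log(text), window_seconds)
    flagged = [(src, start, n) for (src, start), n in counts.items() if n > threshold]
    return sorted(flagged)


if __name__ == "__main__":
    for source, start, count in flag_burst_sources(SAMPLE_LOG):
        print(f"review: {source} sent {count} requests in window starting at {start}")
```

Raising the threshold to the burst size makes the same log produce nothing, which is the tuning problem in miniature: a threshold low enough to catch a slow attacker also catches legitimate peaks, so thresholds are normally set per path and per source population rather than globally.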

Availability

The security community is just beginning to understand what availability implies and how to ensure it
A small, centralized control of access is fundamental to preserving confidentiality and integrity, but it is not clear that a single access control point can enforce availability
Much of computer security's past success has focused on confidentiality and integrity; full implementation of availability is security's next great challenge

Relationship of Security Goals

A secure system must meet all three requirements
The challenge is how to find the right balance among the goals, which often conflict
  For example, it is easy to preserve a particular object's confidentiality in a secure system simply by preventing everyone from reading that object
  However, this system is not secure, because it does not meet the requirement of availability for proper access
  => There must be a balance between confidentiality and availability

Relationship of Security Goals

[Figure slide]

Vulnerabilities, Threats, Attacks, & Controls

A vulnerability is a weakness in the security system
A threat to a computing system is a set of circumstances that has the potential to cause loss or harm
A human who exploits a vulnerability perpetrates an attack on the system
How do we address these problems? We use a control as a protective measure
  A control is an action, device, procedure, or technique that removes or reduces a vulnerability
  A threat is blocked by control of a vulnerability

Threats, Vulnerabilities, and Controls

[Figure slide]

Type of Threats

An interception means that some unauthorized party has gained access to an asset
In an interruption, an asset of the system becomes lost, unavailable, or unusable
If an unauthorized party not only accesses but tampers with an asset, the threat is a modification
An unauthorized party might create a fabrication of counterfeit objects on a computing system

Type of Threats

[Figure slide]

Threats: Methods, Opportunity, and Motive

A malicious attacker must have three things:
  Method: the skills, knowledge, tools, and other things with which to launch an attack
  Opportunity: the time and access to accomplish the attack
  Motive: a reason to want to perform this attack against this system

Methods of Defense

Harm occurs when a threat is realized against a vulnerability
To protect against harm, we can neutralize the threat, close the vulnerability, or both
The possibility for harm to occur is called risk

Methods of Defense

We can deal with harm in several ways. We can seek to
  Prevent it, by blocking the attack or closing the vulnerability
  Deter it, by making the attack harder, but not impossible
  Deflect it, by making another target more attractive (or this one less so)
  Detect it, either as it happens or some time after the fact
  Recover from its effects
    Intrusion tolerance is also a form of recovery because it enables the system to continue operating correctly despite attacks

Methods of Defense: Multiple Controls

[Figure slide]

Countermeasures / Controls

Encryption
  Scrambling process
Software controls
  Internal program controls, OS controls, development controls
Hardware controls
  Hardware or smart card implementations of encryption
Policies and Procedures
  Example: change password periodically
Physical Controls
  Example: Locks on doors, guards at entry points
