
3 Threats to Survivability

ENPM 808s
Information Systems Survivability:
3. Threats

- - - - - - - - - - - - - - - - - - -
Threats to Survivability, Security,
Reliability, Predictability, etc.
Wide Range of Illustrative Threats
- - - - - - - - - - - - - - - - - - -
Inappropriate requirements: wrong, deficient, overly specific, insufficiently constraining, sometimes reflecting poor conceptualization

Flawed designs: inconsistent with requirements, new vulnerabilities not covered by requirements

Faulty implementation: inconsistent with design specs, new bugs not covered by specifications, Trojan horses, incomplete testing, short-sighted optimization

Operation: intentional and accidental misuse by users, system administrators, insiders, outsiders, faulty maintenance, premature decommission

Hardware malfunctions, power failures, environmental disturbances

Multidimensional Threat Domains
- - - - - - - - - - - - - - - - - - -
Security attacks, malicious or otherwise: See Figure 2.1 and Table 2.1 of the ARL report (which follows). External misuse, hardware misuse, masquerading, pest programs, bypasses of authorization, misuse with authorization, indirect misuse. ...

Reliability failures: See Table 2.2 of the ARL report (which follows). Application code, middleware, DBMS, networks, operating systems, software development, hardware, national infrastructures, environments, interference, ...

Performance failures: partial outages, resource saturation, degradation; may be induced by reliability and security failures, ...

Multiple Threats
- - - - - - - - - - - - - - - - - - -
Weak links are risky on their own. Exploitation of several weak links together can be even more far-reaching.

Independent vs. coordinated threats

Sequential threats vs. concurrent threats

Accidental vs. intentional threats

Crossover threats involving security, reliability, etc.

Types of Computer Misuse
- - - - - - - - - - - - - - - - - - -
External misuse (EX)
1. Visual spying: observation of keystrokes or screens
2. Misrepresentation: deception of operators and users
3. Physical scavenging: dumpster-diving for printout
Hardware misuse (HW)
4. Logical scavenging: examining discarded or stolen media
5. Eavesdropping: electronic or other data interception
6. Interference: electronic or other jamming
7. Physical attack on, or modification of, equipment or power
8. Physical removal of equipment and storage media
Masquerading (MQ)
9. Impersonation: false identity external to computer systems
10. Piggybacking attacks on communication lines, workstations
11. Playback and spoofing attacks
12. Network weaving to mask physical whereabouts or routing
Pest programs (PP): setting up opportunities for further misuse
13. Trojan-horse attacks (including letter bombs)
14. Logic bombs (a form of Trojan horse, including time bombs)
15. Malevolent worm attacks, acquiring distributed resources
16. Virus attacks, attaching to programs and replicating
Bypassing authentication or authorization (BY)
17. Trapdoor attacks, from any of a variety of sources:
a. Improper identification and authentication
b. Improper initialization or allocation
c. Improper termination or deallocation
d. Improper runtime validation
e. Naming flaws, confusions, and aliases
f. Improper encapsulation: exposed implementation detail
g. Asynchronous flaws: e.g., time-of-check to time-of-use anomalies
h. Other logic errors
18. Authorization attacks, for example, password cracking, token hacking
Active misuse of authority (AM) (writing, using, with apparent authorization)
19. Creation, modification, use, service denials (includes false data entry)
20. Incremental attacks (e.g., salami attacks)
21. Denials of service (including saturation attacks)
Passive misuse of authority (PM) (reading, with apparent authorization)
22. Browsing randomly or searching for particular characteristics
23. Inference and aggregation (especially in databases), traffic analysis
24. Covert channel exploitation and other data leakage
25. Misuse through inaction (IM): willful neglect, errors of omission
26. Use as an indirect aid for subsequent misuse (IN): off-line preencryptive matching, factoring large numbers, autodialer scanning.
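Item 11 (playback and spoofing) is easiest to see with both ends of a protocol on the page. The following is an added example written for these notes, not code from the course or the ARL report: the withdrawal message format, the pre-shared key, the server classes and the balances are all constructed. A shared-key HMAC proves that a key holder built the message, but it says nothing about whether the message is fresh, so the naive server honours an eavesdropper's replayed copy; the hardened server binds each message to a server-issued session nonce and a strictly increasing sequence number.

```python
import hashlib
import hmac
import os

# Assumption: a pre-shared key between client and server (constructed for the demo).
KEY = b"constructed-demo-key"


def tag(msg: bytes) -> bytes:
    """HMAC-SHA256 over the wire bytes: proves a key holder built the message."""
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def client_build(amount: int, nonce: bytes = b"", seq: int = 0) -> tuple:
    """Client side. Naive clients send no nonce/seq; hardened ones echo the
    server's session nonce and a strictly increasing sequence number."""
    msg = b"WITHDRAW|%d|%s|%d" % (amount, nonce.hex().encode(), seq)
    return msg, tag(msg)


class NaiveServer:
    """Checks only the tag, so any captured message can be played back."""

    def __init__(self, balance: int = 100):
        self.balance = balance

    def handle(self, msg: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(tag(msg), t):
            return False
        self.balance -= int(msg.split(b"|")[1])
        return True


class HardenedServer:
    """Also binds each message to a per-session nonce issued by the server and
    rejects any sequence number that is not higher than the last one seen."""

    def __init__(self, balance: int = 100):
        self.balance = balance
        self.nonce = os.urandom(16)   # fresh per session, handed to the client at login
        self.last_seq = 0

    def handle(self, msg: bytes, t: bytes) -> bool:
        if not hmac.compare_digest(tag(msg), t):
            return False
        _, amount, nonce_hex, seq = msg.split(b"|")
        if bytes.fromhex(nonce_hex.decode()) != self.nonce or int(seq) <= self.last_seq:
            return False              # stale session or replayed/out-of-order message
        self.last_seq = int(seq)
        self.balance -= int(amount)
        return True


def demo() -> dict:
    """One legitimate withdrawal of 30, then the captured bytes replayed once."""
    naive = NaiveServer()
    captured = client_build(30)                # eavesdropper records the wire bytes
    naive.handle(*captured)
    naive_replay = naive.handle(*captured)     # accepted: nothing marks it as old

    hard = HardenedServer()
    captured = client_build(30, hard.nonce, seq=1)
    hard.handle(*captured)
    hard_replay = hard.handle(*captured)       # rejected: seq 1 is not > last_seq 1

    forged = (b"WITHDRAW|30||0", b"\x00" * 32)  # spoofed message without the key
    return {
        "naive_replay_accepted": naive_replay,
        "naive_balance": naive.balance,
        "hardened_replay_accepted": hard_replay,
        "hardened_balance": hard.balance,
        "forged_accepted": naive.handle(*forged),
    }
```

The forged message shows the difference between spoofing and playback: the MAC defeats the former, only freshness defeats the latter. A timestamp window is a common alternative to the sequence counter, but it needs synchronized clocks and still admits replay inside the window.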
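Item 17g (asynchronous flaws, time-of-check to time-of-use) is the trapdoor class most often reproduced in practice. The example below is added here and is not from the notes or the ARL report; it assumes POSIX filesystem semantics (symbolic links, `O_NOFOLLOW`) and simulates the racing attacker with a callback invoked exactly when the window is open. The vulnerable function validates a name and then opens the same name again; the hardened one opens first and inspects the object it actually got, so there is no separate check left to race.

```python
import os
import stat
import tempfile

# Assumptions: POSIX filesystem semantics (symlinks, O_NOFOLLOW); the "attacker"
# is simulated by a callback invoked at the moment the race window is open.


def vulnerable_read(path: str, allowed_dir: str, race=lambda: None) -> bytes:
    """Check-then-use: validates the name, then opens the name again.
    Anything that can rewrite the directory in between wins the race."""
    st = os.lstat(path)
    real_dir = os.path.realpath(allowed_dir)
    if stat.S_ISLNK(st.st_mode) or not os.path.realpath(path).startswith(real_dir + os.sep):
        raise PermissionError("symlink or outside allowed directory")
    race()                                # attacker swaps the file for a symlink here
    with open(path, "rb") as f:           # the name now resolves to a different object
        return f.read()


def hardened_read(path: str, race=lambda: None) -> bytes:
    """Open first, then inspect the object actually opened: no separate check
    exists to race. O_NOFOLLOW makes open() fail (ELOOP) on a trailing symlink."""
    race()                                # the attacker gets the same opportunity
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def demo() -> dict:
    """Constructed layout: a public report and a secret outside the allowed dir."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret.txt")
        public = os.path.join(root, "public")
        os.mkdir(public)
        report = os.path.join(public, "report.txt")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        def reset():
            if os.path.lexists(report):
                os.remove(report)
            with open(report, "wb") as f:
                f.write(b"public data")

        def swap():                       # attacker action inside the race window
            os.remove(report)
            os.symlink(secret, report)

        reset()
        leaked = vulnerable_read(report, public, race=swap)

        reset()
        try:
            hardened_read(report, race=swap)
            blocked = False
        except OSError:                   # ELOOP from O_NOFOLLOW, or the S_ISREG check
            blocked = True

        reset()
        clean = hardened_read(report)     # no attacker: the hardened path still works
    return {"vulnerable_leaked": leaked, "hardened_blocked": blocked, "hardened_normal": clean}
```

The general rule the example illustrates: make the security decision on the handle (descriptor) you will use, never on a name that someone else can rebind between the check and the use. Directory-relative opens (`openat` with a directory descriptor you already hold) extend the same idea to every path component, not just the last one.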
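Item 20 (incremental attacks, the salami slice) is an active misuse by someone with apparent authorization, and it is instructive because the obvious control does not catch it. The block below is an added illustration, not code from the notes or the ARL report: the interest batch, the account names and the attacker's collecting account are constructed. The trojaned posting routine truncates each credit instead of rounding it and moves the shaved fraction of a cent to the attacker's account; the batch-total reconciliation passes because the skim account absorbs every residue, whereas a per-posting audit flags both the unexpected account and the postings that exceed legitimate rounding error.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# Constructed interest batch: (account, principal, rate applied this period).
BATCH = [
    ("acct-1", Decimal("1000.00"), Decimal("0.0350")),
    ("acct-2", Decimal("1234.56"), Decimal("0.0325")),
    ("acct-3", Decimal("987.65"), Decimal("0.0410")),
    ("acct-4", Decimal("555.55"), Decimal("0.0275")),
]


def post_interest(batch, skim_to=None) -> dict:
    """Honest run: round each posting half-to-even. Trojaned run (skim_to set):
    truncate each posting and credit the shaved fraction to the attacker's
    account, so every visible posting is off by less than a cent."""
    ledger = {}
    for acct, principal, rate in batch:
        exact = principal * rate
        if skim_to is None:
            posted = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        else:
            posted = exact.quantize(CENT, rounding=ROUND_DOWN)
            ledger[skim_to] = ledger.get(skim_to, Decimal(0)) + (exact - posted)
        ledger[acct] = ledger.get(acct, Decimal(0)) + posted
    return ledger


def total_reconciles(batch, ledger) -> bool:
    """The usual control: postings add up to the computed interest, within the
    rounding slack of half a cent per posting. It passes for the trojaned run
    too, because the skim account absorbs every residue."""
    slack = HALF_CENT * len(batch)
    return abs(sum(ledger.values()) - sum(p * r for _, p, r in batch)) <= slack


def audit(batch, ledger) -> list:
    """Per-posting control: flag credits to accounts with no entry in the batch,
    and postings that deviate from the exact figure by more than legitimate
    rounding (half a cent)."""
    expected = {acct: p * r for acct, p, r in batch}
    findings = []
    for acct, posted in ledger.items():
        if acct not in expected:
            findings.append((acct, "credited but not in batch"))
        elif abs(posted - expected[acct]) > HALF_CENT:
            findings.append((acct, "posting outside rounding tolerance"))
    return findings


def demo() -> dict:
    honest = post_interest(BATCH)
    skimmed = post_interest(BATCH, skim_to="acct-9")   # constructed attacker account
    return {
        "honest_total_ok": total_reconciles(BATCH, honest),
        "honest_findings": audit(BATCH, honest),
        "skim_total_ok": total_reconciles(BATCH, skimmed),
        "skim_findings": audit(BATCH, skimmed),
        "skim_amount": skimmed["acct-9"],
    }
```

Four accounts yield a skim of about a cent and a half; the attack depends on volume, which is exactly why controls that only look at totals miss it. The per-posting audit is also a reminder that the rounding rule itself (half-to-even, truncation, or otherwise) belongs in the specification, since without it the auditor cannot say what "outside tolerance" means.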
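Item 23 (inference and aggregation, especially in databases) is a passive misuse: every query is individually authorized, and the leak comes from combining answers. The following is an added example written for these notes, not code from the course or the ARL report; the staff table, the salaries and the minimum-query-set size k are constructed. The statistical interface refuses any SUM whose query set has fewer than k or more than n-k records, which is the textbook control, and the tracker attack defeats it with two permitted queries whose record sets differ by exactly one person. The overlap-control variant refuses a query whose record set differs from an earlier answered one by fewer than k records.

```python
import sqlite3

# Constructed staff table; names and salaries are made up.
ROWS = [
    ("alice", "eng", 120), ("bob", "eng", 100), ("carol", "eng", 110), ("dave", "eng", 95),
    ("erin", "ops", 80), ("frank", "ops", 85), ("grace", "ops", 90),
]


class StatDB:
    """Statistical interface: only SUMs over query sets of at least k and at
    most n-k records are answered. With overlap_control, a query whose record
    set differs from an earlier answered one by fewer than k records is refused."""

    def __init__(self, k: int = 3, overlap_control: bool = False):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE staff(id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)")
        self.conn.executemany("INSERT INTO staff(name, dept, salary) VALUES (?, ?, ?)", ROWS)
        self.k, self.n = k, len(ROWS)
        self.overlap_control = overlap_control
        self.answered = []                      # record sets of queries already answered

    def sum_salary(self, where: str, params=()) -> int:
        # `where` is the analyst's predicate (trusted SQL text in this demo);
        # all values go through bound parameters.
        ids = frozenset(r[0] for r in
                        self.conn.execute(f"SELECT id FROM staff WHERE {where}", params))
        if not self.k <= len(ids) <= self.n - self.k:
            raise PermissionError("query set size outside [k, n-k]")
        if self.overlap_control:
            for prev in self.answered:
                if 0 < len(ids ^ prev) < self.k:
                    raise PermissionError("differs from an earlier query set by fewer than k records")
        self.answered.append(ids)
        (total,) = self.conn.execute(
            f"SELECT SUM(salary) FROM staff WHERE {where}", params).fetchone()
        return total


def tracker_attack(db: StatDB) -> int:
    """Two individually permitted aggregates whose difference is one person."""
    whole_dept = db.sum_salary("dept = ?", ("eng",))
    all_but_one = db.sum_salary("dept = ? AND name <> ?", ("eng", "alice"))
    return whole_dept - all_but_one


def demo() -> dict:
    inferred = tracker_attack(StatDB(k=3))
    try:
        tracker_attack(StatDB(k=3, overlap_control=True))
        blocked = False
    except PermissionError:
        blocked = True
    return {"alice_salary_inferred": inferred, "blocked_by_overlap_control": blocked}
```

Overlap control stops this two-query tracker but not its generalizations: an attacker who may issue many queries can build the isolating difference out of several sets that each overlap the others by fewer than k records, which is why the modern answer to this threat is to perturb the outputs (differential privacy) rather than to police the query sets.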
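Item 18 (password cracking) and item 26 (off-line preencryptive matching as an indirect aid) describe the same attack seen from two sides: the attacker hashes candidate passwords ahead of time on a machine of their own, and then the stolen credential file is cracked by lookup rather than by computation. The block below is an added example, not from the notes or the ARL report; the wordlist, the user records and the choice of SHA-256 for the unsalted store and PBKDF2-HMAC-SHA256 for the salted one are the demo's own assumptions. It counts hash operations so the effect of a per-user salt and a slow key-derivation function is visible: the precomputed table costs the attacker nothing per victim, whereas with salts every candidate must be re-derived per user.

```python
import hashlib
import os

# Constructed wordlist and credential store; the hash choices are the demo's own.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]
USERS = {"alice": "hunter2", "bob": "qwerty", "carol": "Tr0ub4dor&3"}
ITERATIONS = 5_000   # PBKDF2 work factor; real deployments use far more


def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS).hex()


def unsalted_store(users: dict) -> dict:
    return {u: unsalted_hash(p) for u, p in users.items()}


def salted_store(users: dict) -> dict:
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, salted_hash(p, salt))
    return store


def precompute_table(wordlist) -> dict:
    """Attacker's offline step, done once before any target store is stolen."""
    return {unsalted_hash(w): w for w in wordlist}


def match_unsalted(store: dict, table: dict) -> tuple:
    """Pure lookup: zero hash computations per stolen record."""
    return {u: table[h] for u, h in store.items() if h in table}, 0


def match_salted(store: dict, wordlist) -> tuple:
    """No table applies: every candidate must be re-derived per user, per salt."""
    cracked, work = {}, 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                cracked[u] = w
                break
    return cracked, work


def demo() -> dict:
    table = precompute_table(WORDLIST)
    cracked_u, work_u = match_unsalted(unsalted_store(USERS), table)
    cracked_s, work_s = match_salted(salted_store(USERS), WORDLIST)
    return {
        "precompute_hashes": len(table),
        "unsalted_cracked": cracked_u, "unsalted_online_work": work_u,
        "salted_cracked": cracked_s, "salted_kdf_calls": work_s,
    }
```

Both stores give up the two dictionary passwords; the salt does not protect a weak password, it only removes the precomputation shortcut and multiplies the attacker's per-user cost by the KDF work factor. That is the sense in which item 26 is an indirect aid: the expensive part of the attack is moved off-line and off the target, where no audit trail records it.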
Illustrative Reliability Threats
- - - - - - - - - - - - - - - - - - -
Outside-environmental threats
Environmental problems (earthquakes, floods)
Power utility disturbances
Electromagnetic/other external interference
Inappropriate user behavior, unavailability of key persons
National-infrastructure threats
Glitches in telecommunications, air-traffic control, power distribution, and other infrastructures dependent on computer-communication infrastructures
Middleware and application-code threats
Windows environments: cache management, crashes
Browser and Web server flaws
Accidentally corrupted code
Database-specific threats
DBMS software flaws
Internal database synchronization and cache management
Distributed database consistency
Improper DBMS software upgrades and maintenance
Improper database entries and updates
Network threats
Faulty network components (hosts, routers, firewalls, etc.)
Distributed system synchronization
Traffic blockage and congestion
Operating-system threats
OS software design and implementation flaws
Improper OS configuration
Improper OS upgrades and maintenance
Failures of backup and retrieval mechanisms
Software-development problems
Faulty system design and implementation
Poor use of software engineering techniques
Bad programming practice (buffer overflows!)
Programming-language threats
Compiler language inadequacies
Compiler design and implementation flaws, buffer overflows
Hardware threats
Flaws in hardware design and implementation
Undesirable internal hardware state alterations
Improper hardware maintenance
Inside-environmental threats
Internal power disturbances
Self-generated or other internal interference
Discussion Topics: Threats
- - - - - - - - - - - - - - - - - - -
Are single-point failures and single-flaw exploitations intrinsically different from multiple failures and multiple-flaw exploitations, with respect to the threats? With respect to risks? What about with respect to system architecture (preliminary guess)? (Architecture issues are of course considered later in the course.)

What inherent differences might there be between intentional threats, accidents, and environmental causes? With respect to threats, risks, and architectures...

Reading for the Next Class Period
- - - - - - - - - - - - - - - - - - -
Read Chapter 3 of the arl-one report on requirements for survivability:
http://www.csl.sri.com/neumann/arl-one.html.
