Duke Systems
CPS 210: Security in Networked Systems
Always Use Protection
Jeff Chase, Duke University
http://www.cs.duke.edu/~chase/cps210
Malware
Botnets
[microsoft.com]
Any program you install or run can be a Trojan Horse vector for a malware payload.
Confused deputy
http://finntrack.co.uk/, erights.org
http://www.cap-lore.com/CapTheory/ConfusedDeputyM.html
Bob has the Power. Bob wishes to hold the power and use it properly.
Alice considers Bob her deputy in the use of this Power. Alice trusts Bob to deny the power to Mal.
Mal wants the power. Can Mal trick Bob to get it?
Attack scenarios we consider
• Trojan horse – A threatening program is offered as a “gift”, and runs “inside the victim’s walls” (i.e., with the victim’s identity).
• Confused deputy – Attacker corrupts a “good” program and takes over its functions, e.g., to assume the victim’s identity.
• Confused user – Attacker tricks the victim into giving away secrets. (Or the victim fails to use secrets or fails to protect secrets.)
• Later: DDOS, spoofing, and other network attacks
Security, an overview
We reduce it to three intertwined issues:
1. What program am I running?
– Can this program be trusted? Who says?
– Can I be sure that the program has not been tampered with?
2. Who am I talking to?
– Can this entity be trusted?
– Can I be sure the communication has not been tampered with?
3. Should I approve this request? R(op, subject, object)
– Who is the requester? (subject)
– What program is speaking for the requester?
– Does the subject have the required permissions?
Elements of security
• Isolation/protection – Sandboxes and boundaries prevent unchecked access.
• Integrity – Fingerprint data to detect tampering.
– Encrypt data to prevent access or tampering.
• Authentication – Identify a peer by proof that it possesses a secret.
• Identity and attributes – Identities have credentials: names, tags, roles...
• Authorization == access control – Guard checks credentials against an access policy.
Crypto primitives
• Encrypt/Decrypt – use a shared secret key (symmetric) or use a keypair, one public, one private (asymmetric)
• Signing
• Secure hashing – useful for fingerprinting data
http://blogs.msdn.com/b/sdl/archive/2008/10/22/ms08-067.aspx
Program integrity and isolation
Trusting Programs
• In Unix – Programs you run use your identity (process UID).
– Maybe you even saved them with setuid so others who trust you can run them with your UID.
– The programs that run your system run as root.
• You trust these programs.
– They can access your files, send mail, etc.
– Or take over your system…
• Where did you get them?
Trusting Trust
• Perhaps you wrote them yourself.
– Or at least you looked at the source code…
• You built them with tools you trust.
• But where did you get those tools?
Where did you get those tools?
• Thompson’s observation: compiler hacks cover tracks of Trojan Horse attacks.
Login backdoor: the Thompson Way
• Step 1: modify login.c
– (code A) if (name == “ken”) login as root
– This is obvious, so how do we hide it?
• Step 2: modify the C compiler
– (code B) if (compiling login.c) compile A into the binary
– Remove code A from login.c, keep the backdoor
– This is now obvious in the compiler; how do we hide it?
• Step 3: distribute a buggy C compiler binary
– (code C) if (compiling the C compiler) compile code B into the binary
– No trace of the attack in any (surviving) source code
Signing: example
Reuters, June 2012
wired.com, June 2012
Phishing, password attacks, and other “human” attack vectors.
[Figure: technology vs. people]
Where are the boundaries of the “system” that you would like to secure?
Where is the weakest link? What happens when the weakest link fails?
The First Axiom of Security
• “Security is at least as much a social problem as it is a technical problem.”
– Translation: humans are the weak link.
• We will focus on the technical elements, but do not lose sight of the social dimension.
– Keys left in lock
– Phishing
– Executable attachments
– Trojan software
– Post-it passwords
– Bribes, torture, etc.
– Etc.
Identify: Friend or Foe?
Former Student
How accidents happen
Former Student
Example use of fingerprint
This is a line from /etc/passwd for user Fred Flintstone. /etc/login uses this record to validate the user’s password. The file is public, but Fred’s password is secret. Or is it?
[Figure: the password field of the record is stored hashed]
Access Control
The story so far
• Components run within contexts (isolated sandboxes).
• Each component/context is associated with an identity with some attributes (subject).
• Components use system calls to interact across context boundaries, or access shared objects.
• Each object has some access attributes.
• The system has a reference monitor and guard to check access for (op, subject, object).
• Principle of least privilege limits the damage a component can do if it “goes rogue”.
Access control matrix
[Figure: rows are subjects Alice and Bob, columns are objects obj1 and obj2; each cell lists the subject’s rights to the object (R, RW, ...)]
We can imagine the set of all allowed accesses for all subjects or all objects as a huge matrix.
How is the matrix stored?
Access control matrix
How is the matrix stored?
• Capabilities: each subject holds a list of its rights (capabilities) and presents them as proof.
• Access control list (ACL): each object stores a list of subjects permitted to access it.
• Many systems use a level of indirection through attributes (e.g., roles or groups).
[Figure: the same matrix sliced by row as a capability list per subject, and by column as an ACL per object]
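Added example (not from the slides): the matrix above stored both ways in Python, an ACL per object and a capability list per subject, with a guard answering R(op, subject, object) and the role-based indirection the last bullet mentions; the cell values and the “auditor” role are constructed.

```python
"""Added example (not from the slides): one access control matrix realised as
ACLs (stored per object) and as capability lists (held per subject), with a
guard answering R(op, subject, object). Cell values and roles are constructed."""

# Constructed matrix: rows are subjects, columns are objects, cells are rights.
MATRIX = {
    "Alice": {"obj1": {"R", "W"}},
    "Bob": {"obj1": {"R", "W"}, "obj2": {"R"}},
}

# Indirection through attributes: subjects carry roles, and an ACL entry may
# name a role instead of a subject (constructed 'auditor' role).
ROLES = {"Alice": {"auditor"}, "Bob": set()}
ROLE_GRANTS = {"obj2": {"auditor": {"R"}}}


def to_acls(matrix):
    """Column view: each object stores the subjects permitted to access it."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_capabilities(matrix):
    """Row view: each subject holds its own rights and presents them as proof."""
    return {s: {o: frozenset(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_check(acls, op, subject, obj):
    """Guard with ACLs: look the subject (or one of its roles) up on the object.
    Default is deny: an object with no entry for the subject grants nothing."""
    if op in acls.get(obj, {}).get(subject, set()):
        return True
    role_entry = ROLE_GRANTS.get(obj, {})
    return any(op in role_entry.get(role, set()) for role in ROLES.get(subject, set()))


def cap_check(capability, op, obj):
    """Guard with capabilities: the presented token names the object and rights.
    Real systems make tokens unforgeable (kernel-held handles or signed tokens)."""
    cap_obj, rights = capability
    return cap_obj == obj and op in rights


def least_privilege(caps, subject, needed):
    """Hand a component only the capabilities it needs, not the subject's whole
    list, so a component that 'goes rogue' can reach only those objects."""
    return {o: r for o, r in caps[subject].items() if o in needed}
```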
Android permissions
http://source.android.com/tech/security/
Android permissions
• A permission is a named object.
– Declared by an app (or the system).
• Apps request the permissions they want/require/use.
– The system grants requested permissions according to policy at app install time. After that, the permissions don’t change.
• Permissions protect interactions among app components (e.g., intents, binder RPC).
– Each component states the permissions required of its counterparty.
Granting permissions
• A permission is bound to the provider key that signed the declaring app (or the system).
• The declaring app (or system) associates a protection level with the permission.
• The protection level drives system policy to grant permissions.
• normal: granted on request
• dangerous: requires user approval
• signature: granted only to requesting apps from the same provider
• system: granted only to apps installed on the system image
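A small Python model, added here and not Android’s own code, of the install-time grant policy the four protection levels above imply, plus the guard a component applies to its counterparty; the app names, signing keys and permission names are constructed.

```python
"""Added example (not Android's code): a model of install-time permission
granting driven by protection level, as the slides describe. App names,
signing keys and permission names are constructed."""
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    signer: str                       # provider key that signed the package
    on_system_image: bool = False
    requested: set = field(default_factory=set)


@dataclass
class Permission:
    name: str
    level: str                        # normal | dangerous | signature | system
    declarer: App                     # the permission is bound to its declarer's key


def grant_at_install(app, perms, user_approves):
    """Return the permissions granted to `app` at install time; the set does not
    change afterwards. `user_approves(app_name, perm_name)` is consulted only for
    'dangerous' permissions."""
    granted = set()
    for name in app.requested:
        perm = perms.get(name)
        if perm is None:
            continue                  # unknown permission: nothing to grant
        if perm.level == "normal":
            ok = True
        elif perm.level == "dangerous":
            ok = user_approves(app.name, name)
        elif perm.level == "signature":
            ok = app.signer == perm.declarer.signer
        elif perm.level == "system":
            ok = app.on_system_image
        else:
            ok = False                # unknown level: deny by default
        if ok:
            granted.add(name)
    return frozenset(granted)


def component_guard(required, caller_granted):
    """A component states the permission its counterparty must hold; the guard
    checks the caller's granted set before the intent or binder call goes through."""
    return required is None or required in caller_granted
```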
Cryptosystems
Authentication and integrity
EMLX
This is a picture of a $2.5B move in the value of Emulex Corporation, in response to a fraudulent press release by short-sellers through InternetWire in 2000. The release was widely disseminated by news media as a statement from Emulex management, but media failed to authenticate it.
[reproduced from clearstation.com]
Crypto primitives
Cryptography for Busy People
• Standard crypto functions parameterized by keys.
– Fixed-width “random” value (length matters, e.g., 256-bit)
– Symmetric (DES: fast, requires shared key K1 = K2)
– Asymmetric (RSA: slow, uses two keys)
• “Believed to be computationally infeasible” to break
[Figure: message M is encrypted under key K1, and the result is decrypted under key K2 to recover M]
[Image: Landon Cox]
Asymmetric crypto works both ways
[Figure: encrypt with A’s private key or A’s public key; decrypt with the other key of the pair, A’s public key or A’s private key]
[Image: Landon Cox]
Cryptographic hashes
• Also called a secure hash or one-way hash
– E.g., SHA1, MD5
• Result called a hash, checksum, fingerprint, digest
• Very efficient
[Figure: SHA1 hash maps an arbitrarily large input to a 160-bit “hash digest”]
[Image: Landon Cox]
Two Flavors of “Signature”
• A digest encrypted with a private asymmetric key is called a digital signature.
– “Proves” that a particular identity sent the message. (“Unforgeable”)
– “Proves” the message has not been tampered with.
– The sender cannot deny sending the message. (“Non-repudiable”)
– Can be legally binding in the United States.
• A digest encrypted with a shared symmetric key is called a message authentication code (MAC).
– Faster, but…
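As an added illustration (not from the slides) of the crypto primitives, “asymmetric crypto works both ways”, the fingerprint and the two flavors of signature: a toy Python model in which the fingerprint is a secure hash, the digital signature is that digest transformed with the private key of a textbook RSA pair, the same pair encrypts for its owner, and an HMAC plays the shared-key MAC. The Mersenne-prime keypair, message and key are constructed for the demo; unpadded textbook RSA is for illustration only and is not how real signature schemes are built.

```python
"""Added example (not from the slides): a toy model of the primitives above.
Fingerprint = secure hash; digital signature = digest transformed with the
private key of a textbook RSA pair (and the pair 'works both ways'); MAC =
digest keyed with a shared secret (HMAC). Keys and messages are constructed;
unpadded textbook RSA is for illustration only, never for real use."""
import hashlib
import hmac

# Constructed demo keypair from two Mersenne primes (N is about 150 bits).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent


def fingerprint(data: bytes) -> int:
    """Fixed-width digest (128 bits, so it is < N); any edit changes it completely.
    SHA-256 is used because SHA-1 and MD5 are no longer collision resistant."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(message: bytes) -> int:
    """Digital signature: the digest 'encrypted' with the private key."""
    return pow(fingerprint(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone with the public key recomputes the digest and compares."""
    return pow(signature, E, N) == fingerprint(message)


def encrypt_for_owner(m: int) -> int:
    """Both ways: encrypt with the public key, only the private key can decrypt."""
    return pow(m, E, N)


def decrypt_as_owner(c: int) -> int:
    return pow(c, D, N)


def mac(message: bytes, shared_key: bytes) -> bytes:
    """MAC: digest keyed with the shared symmetric key (HMAC-SHA256). Faster than a
    signature, but anyone holding the key can also produce it, so it cannot show
    which key holder sent the message (no non-repudiation)."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, shared_key: bytes, tag: bytes) -> bool:
    # compare_digest does not leak how many tag bytes matched via timing.
    return hmac.compare_digest(mac(message, shared_key), tag)
```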