Protection and Securitypeople.rennes.inria.fr/Alan.Schmitt/teaching/assets/Security.pdf · digital...
Transcript of Protection and Securitypeople.rennes.inria.fr/Alan.Schmitt/teaching/assets/Security.pdf · digital...
Protection and Security
What is (Computer) Security?
“Security is a chain; it’s only as secure as its weakest link.”
“Security is a process,not a product.”
“Security is a tradeoff”
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.2
The Security Problem
• Security must consider external environment of the system, andprotect it from:
– unauthorized access.– malicious modification or destruction– accidental introduction of inconsistency.
• Easier to protect against accidental than malicious misuse.
• Protection is internal, Security is external→ take the hard drive of a computer and read it from another system
Applied Operating System Concepts Silberschatz, Galvin, and Gagne !199918.1
Module 18: Protection
• Goals of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Revocation of Access Rights
• Capability-Based Systems
• Language-Based Protection
• Digital Rights Management
Applied Operating System Concepts Silberschatz, Galvin, and Gagne !199918.2
Protection
• Operating system consists of a collection of object|s, hardware or
software
• Each object has a unique name and can be accessed through a
well-defined set of operations.
• Protection problem - ensure that each object is accessed
correctly and only by those processes that are allowed to do so.
→ Prevent unauthorized access- System processes- Other users- Digital Rights Management
→ Improve reliability- Protect system from application bugs
* Policy is distinct from mechanism
objects,
that depend of the object
Applied Operating System Concepts Silberschatz, Galvin, and Gagne !199918.3
Domain Structure
• Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations that can be
performed on the object.
• Domain = set of access-rights
• Association between processes and domains may be static or dynamic• Each domain can be a user, a process, or a procedure
Applied Operating System Concepts Silberschatz, Galvin, and Gagne !199918.4
Domain Implementation
• System consists of 2 domains:
– User
– Supervisor
• UNIX
– Domain = user-id
– Domain switch accomplished via file system.
! Each file has associated with it a domain bit (setuid bit).
! When file is executed and setuid = on, then user-id is
set to owner of the file being executed. When execution
completes user-id is reset.
Demo of setuid
schmitta@charm tmp % cat printid.c#include <stdlib.h>#include <stdio.h>#include <unistd.h>#include <sys/types.h> int main(void){ printf("Real UID\t= %d\n", getuid()); printf("Effective UID\t= %d\n", geteuid()); printf("Real GID\t= %d\n", getgid()); printf("Effective GID\t= %d\n", getegid()); return EXIT_SUCCESS;}schmitta@charm tmp % gcc -o printid printid.cschmitta@charm tmp % chmod ug+s printid
schmitta@charm tmp % ls -l printid-rwsr-sr-x 1 schmitta staff 12688 29 avr 10:19 printidschmitta@charm tmp % ./printid Real UID = 503Effective UID = 503Real GID = 20Effective GID = 20schmitta@charm tmp % su adminPassword:bash-3.2$ ./printid Real UID = 501Effective UID = 503Real GID = 501Effective GID = 20
Access Matrix
F1 F2 F3 HP
D1 read read
D2 print
D3 read exec
D4readwrite
readwrite
Access Matrix
F1 F2 F3 HP D1 D2 D3 D4
D1 read read switch
D2 print switch switch
D3 read exec
D4readwrite
readwrite
switch
Copy
F1 F2 F3
D1 read read
D3 read* exec
D4readwrite
readwrite
Copy
F1 F2 F3
D1 read read
D3 read* exec
D4readwrite
readreadwrite
iTunes and Access Matrix
• Songs: no iPod limit ! copy
• Songs: 5 computers ! limited copy
• Rented movie: on 1 computer at a time! transfer
Owner
F1 F2 F3
D1 read read
D3
read*
owner exec
D4read
write
read
write
Owner
F1 F2 F3
D1 read read
D3
read*
owner
write*
exec
D4read
write
read
write
Control
F1 F2 F3 HP D1 D2 D3 D4
D1 read read switch
D2 print switchswitchcontrol
D3 read exec
D4readwrite
readwrite
switch
Control
F1 F2 F3 HP D1 D2 D3 D4
D1 read read switch
D2 print switchswitchcontrol
D3 read exec
D4readwrite
readwrite
switch
Applied Operating System Concepts Silberschatz, Galvin, and Gagne !199918.9
Implementation of Access Matrix
• Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
!
• Each Row = Capability List (like a key)
Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
For
44
Access Control Lists (1)
Use of access control lists of manage file access
R
45
Access Control Lists (2)
Two access control lists
46
Capabilities (1)
Each process has a capability list
Revoking Access Rights
• Immediately or later?
• Revoke the rights to all users or to some?
• Revoke some rights or all rights of an object?
• Temporarily or permanently?
Revoking Access Rights
• Simple with access list if we revoke by object
• More difficult with capabilities. Use
• Reacquisition
• Back-pointers
• Indirections (not selective)
• Keys (not selective if one key per object)
Language-Based Protection
• Specification of protection in a programming language
allows the high-level description of policies for the
allocation and use of resources.
• Language implementation can provide software for
protection enforcement when automatic hardware-
supported checking is unavailable.
• Interpret protection specifications to generate calls on
whatever protection system is provided by the hardware
and the operating system.
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.12
Java Security Model
An Application of Protection: DRM
DRM
• DRM = Digital Rights Management
• Access control technologies to limit usage of digital media or devices
• May prevent access, copying, or conversion
• DRM is a technical way to enforce laws
DRM
CSS
• CSS = Content Scramble System
• Licensed for DVD drives, DVD players, DVD movies
• Enforces region coding, prevents skipping “intros”
• Does not prevent bit by bit copying!
• Cracked since 1999
AACS
• AACS = Advanced Access Content System
• Similar to CSS, but much stronger
• Features Managed Copy
• Final standard not yet released
• Keys can be revoked and new keys used... but they are cracked even before their release!
DRM Gone Bad
The Sony BMG Fiasco
Blog post from Mark Russinovich...
“Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden...”
After some investigation he found it came from an audio CD by Sony BMG
“The Sony rootkit is designed to hide any files, registry keys and processes starting with the string $sys$”
The CD installed a CD drive driver and made sure no more than 3 copies of the CD were made
It also made the system unstable and less secure
Sony had to recall every protected CD
Several lawsuits were filed and settled
This protection is not used anymore
MLB (Major League Baseball) has been selling videos of games with DRM since 2003
In 2007, they changed their DRM provider, and for some users old videos stopped playing
MLB may provide replacements, with DRM
What do you really buy?
MSN Music DRM keys
MSN Music store closed in November 2006
On April 22, 2008, customers were told authorization servers would stop on August 31, 2008
⇒ Using a new computer or reinstalling the OS will result in unplayable songs
The Future of DRM
• Music: becoming DRM free
• Amazon MP3 store, iTunes+, most majors
• Video: very entrenched
• Many countries pass laws protecting DRM
• DMCA, EUCD, DADVSI
• Future of Fair Use? See Free Cultureby Lawrence Lessig
http://www.free-culture.cc/
Homework
Larry Lessig: How creativity is being strangled by the law
http://www.ted.com/talks/view/id/187
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.1
Module 19: Security
• The Security Problem• Authentication• Program Threats• System Threats• Threat Monitoring• Encryption
22
Generic Security AttacksTypical attacks! Request memory, disk space, tapes and just read! Try illegal system calls! Start a login and hit DEL, RUBOUT, or BREAK! Try modifying complex OS structures! Try to do specified DO NOTs! Convince a system programmer to add a trap door! Beg admin’s sec"y to help a poor user who forgot password
Threats
– data confidentiality (data read)– data integrity (data modified)– system availability (denial-of-service attacks)
hard to avoid
modified or deleted)
Security is achieved by taking measures at the following levels:— Physical (e.g. prevent removing of hard drive)— Human (e.g. prevent bribing a user)— Network (e.g. prevent intercepting private data)— Operating system (e.g. authenticate users)
“The hacker: someone who figured things out and made something cool happen.”
Hacker vs Cracker
Human SecuritySocial Engineering
“Social engineering is a collection of techniques used to manipulate people into performing actions
or divulging confidential information”
• Phishing
• Pretexting (over the phone)
• Trojan Horse
• Road Apple
• free floppy, CD, usb drive...
• Quid Pro Quo (something for something)
“It is notable that Mitnick did not use software programs or hacking tools for cracking passwords
or otherwise exploiting computer or phone security.”
Breaking in over Internet
– need an IP number of a machine (or its symbolic equivalent, such as so.cs.unibo.it
– can test if that number is alive using ping
– can try to connect using telnet
– IP numbers “similar” (consecutive numbers) to one that is alive might work as well
– a hacker with fast connection could discover many entry points to the system (ie, IP numbers
that accept telnet connections)
– the hacker can then try to exploit weak pairs (login, password)
)
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.3
Authentication
• User identity most often established through passwords, can beconsidered a special case of either keys or capabilities.
• Passwords must be kept secret.– Frequent change of passwords.– Use of “non-guessable” passwords.– Log all invalid access attempts.
11
Authentication Using Passwords
(a) A successful login(b) Login rejected after name entered(c) Login rejected after name and password typed
12
Authentication Using Passwords
! How a cracker broke into LBL" a U.S. Dept. of Energy research lab
One-time passwords
– Each password is valid only once. Hence anyone capturing the password of a session and then
trying to use it for another session will fail.
– problem: where to keep the password list
– a solution: use one-way functions
easy to compute; hard to invert
hence in , we have: easy, hard
How it works:
initialisation: a password , an integer
session passwords then are:
the server keeps track and updates the integer for
Challenge-response authentication
– The user selects an algorithm, ex:
– at login time:
the server sends an integer
the user answers with
– problem: the algorithm can be guessed
– a solution:
a function (public)
user selects a key
at login time:
server sends a number
user answers
it should be hard to find out from seeing the results of computating with
14
Authentication Using a Physical Object
! Magnetic cards" magnetic stripe cards" chip cards: stored value cards, smart cards
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.4
Program Threats
• Trojan Horse– Code segment that misuses its environment.– Exploits mechanisms for allowing programs written by users
to be executed by other users.• Trap Door
– Specific user identifier or password that circumvents normalsecurity procedures.
– Could be included in a compiler.
• Logic Bomb
• Login Spoofing
• Buffer Overflow
17
Operating System SecurityTrojan Horses
! Free program made available to unsuspecting user" Actually contains code to do harm
! Place altered version of utility program on victim’s computer" trick user into running that program
Trojan horse: how to make execute the malicious program
– advert it on Interner as something exciting
– (Example) use PATH variables
Immagine is in PATH for user xx and xx types
cd ˜yy
programxx
Thus: malicious program programxx written by yy is executed by xx and can access xx
data
– (Examples) Install a malicious program called la in user/bin
eventually someone, by mistake, will type la rather than ls
– (Example) Exploiting a shell that checks the working directory before consulting PATH:
a user yy install a malicious program called ls in his/her home directory
the user does something suspicious (such as using a lot of resources)
the administrator might type:
cd ˜yy
ls
Internet
Imagine
(Example)
20
Trap Doors
(a) Normal code. (b) Code with a trapdoor inserted
Ken Thomson’s backdoor
For debugging purposes, backdoor in “login”
Did it by modifying the C compiler:
• when compiling password verification
• accept the correct password
• or accept the special debugging password
def compile(code): if (looksLikeLoginCode(code)): generateLoginWithBackDoor() else: compileNormally(code)
But this would look strange in the C compiler...
def compile(code): if (looksLikeLoginCode(code)): generateLoginWithBackDoor(code) elif (looksLikeCompilerCode(code)): generateCompilerWithBackDoorDetection(code) else: compileNormally(code)
19
Logic Bombs
! Company programmer writes program" potential to do harm" OK as long as he/she enters password daily" ff programmer fired, no password and bomb explodes
18
Login Spoofing
(a) Correct login screen(b) Phony login screen
Login spoofing
– a program that displays the screen
– the user of the program thus can read many pairs (login, password)
– a way out:
the login session starts out with a key combination that a user program cannot catch (exam-
ple: ctl-alt-del in windows)
Buffer overflow
In C, array bounds (among other things) are not checked
Example of unchecked code:
int i
char c[100]
i = 400
c[i] = 0
21
Buffer Overflow
! (a) Situation when main program is running! (b) After program A called! (c) Buffer overflow shown in gray
39
Java Security (1)
! A type safe language" compiler rejects attempts to misuse variable
! Checks include #! Attempts to forge pointers! Violation of access restrictions on private class
members! Misuse of variables by type! Generation of stack over/underflows! Illegal conversion of variables to another type
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.5
System Threats
• Worms – use spawn mechanism; standalone program• Internet worm
– Exploited UNIX networking features (remote access) andbugs in finger and sendmail programs.
– Grappling hook program uploaded main worm program.• Viruses – fragment of code embedded in a legitimate program.
– Mainly effect microcomputer systems.– Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.– Safe computing.
Worm vs Virus
A “worm” is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
A “virus” is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
35
The Internet Worm
! Consisted of two programs" bootstrap to upload worm" the worm itself
! Worm first hid its existence! Next replicated itself on new machines
Morris Worm
November 2, 1988
Robert Tappan Morris Jr., 1st year Cornell graduate student sends a worm on a few machines
Within hours, about 10% of the internet (6.000 machines) was down
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.6
The Morris Internet Worm
How it WorkedGetting in
Using a remote shell (rsh)
host-login without password required
Buffer overflow: finger with a 536 byte string
used to launch /bin/sh
Sendmail bug using its debug mode
mailed the grappling hook to be executed
Propagation
When in, downloaded the worm
Then tried to crack passwords
Looked in new accounts for rsh data files
Attempted to infect new machines
If already there, quit 6 out of 7 times
This brought down most machines
26
Virus Damage Scenarios
! Blackmail! Denial of service as long as virus runs! Permanently damage hardware! Target a competitor’s computer
" do harm" espionage
! Intra−corporate dirty tricks" sabotage another corporate officer’s files
Where viruses could act
– modify executable files
attaching themselves to the front, or to the end
possibly having to modify file headers and file internal logical addresses
first they get activated; then the original file is executed
– residing in memory
possibly redirecting some interrupts to them (ex: system calls)
– overwriting some boot procedure on disk
thus the virus gets loaded every time the machine is turned on
– hiding within a macro
very effective for Word and Excel programs, for instance
easy to write
– modify a source code
a “portable” virus
29
How Viruses Work (3)
! An executable program! With a virus at the front! With the virus at the end! With a virus spread over free space within program
31
How Viruses Spread
! Virus placed where likely to be copied! When copied
" infects programs on hard drive, floppy" may try to spread over LAN
! Attach to innocent looking email" when it runs, use mailing list to replicate
Viruses and Anti-virus techniques
Anti-virus: virus scanners
Scan executable files looking for viruses that match those in a database
– a problem: variants of the virus might exist
Fuzzy search
might miss some
might interpret some correct file as a virus
– can be slow
Check only files that have been modified since last search
A virus could change the file date
Check only files whose length has changed
A virus could use compression techniques
32
Antivirus and Anti−Antivirus Techniques
(a) A program(b) Infected program(c) Compressed infected program(d) Encrypted virus(e) Compressed virus with encrypted compression code
33
Antivirus and Anti−Antivirus Techniques
Examples of a polymorphic virusAll of these examples do the same thing
34
Antivirus and Anti−Antivirus Techniques
! Integrity checkers! Behavioral checkers! Virus avoidance
" good OS" install only shrink−wrapped software" use antivirus software" do not click on attachments to email" frequent backups
! Recovery from virus attack" halt computer, reboot from safe disk, run antivirus
Some ModernWorms & Viruses
1999: Melissa, macro virus (Word + Outlook)
2000: ILOVEYOU, VBScript worm. Between $5 billion and $10 billion in damage. “ The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm.”
2003: Blaster, Sobig, Sober (until 2005).
2004: MyDoom. Email binary attachment.
One of the fastest spreading worms: 1 in 12 emails at peak.
Used to created a Denial of Service attack against SCO and Microsoft.
2004: Sasser. Did not need user intervention, used a buffer overflow.
Agence France-Presse (AFP): satellite communications blocked for hoursDelta Air Lines: cancel several trans-atlantic flights (computer systems down)Nordic insurance company If and Finnish Sampo Bank: close their 130 offices in Finland.British Coastguard: electronic mapping service disabled for a few hoursGoldman Sachs, Deutsche Post, and the European Commission also touchedX-ray department at Lund University Hospital: all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
2007: Storm Worm.
Email attachment: PDF spam, e-cards, YouTube Invites. Also blog comment spam.
Still active (latest version: April 1st, 2008)
Payload morphs every 30 mn.
Used to create a peer to peer botnet.
Botnets
Current Botnets
• Kraken: about 500.000 machines
• Storm: about 100.000 machines (was 2 million)
• Used for spam, phishing, denial of service attacks
Some safe design principles
– make the system public (avoid “security by obscurity”)
– allow only accesses explicitely granted
– always check for accesses
– use simple protection mechanisms, built into the OS kernel (precisely: the lowest possible level
of the OS; cf: Windows NT)
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.9
Network Security Through Domain Separation Via Firewall
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.7
Threat Monitoring
• Check for suspicious patterns of activity – i.e., several incorrectpassword attempts may signal password guessing.
• Audit log – records the time, user, and type of all accesses to anobject; useful for recovery from a violation and developing bettersecurity measures.
• Scan the system periodically for security holes; done when thecomputer is relatively unused.
Applied Operating System Concepts Silberschatz, Galvin, and Gagne 199919.8
Threat Monitoring (Cont.)
• Check for:– Short or easy-to-guess passwords– Unauthorized set-uid programs– Unauthorized programs in system directories– Unexpected long-running processes– Improper directory protections– Improper protections on system data files– Dangerous entries in the program search path (Trojan
horse)– Changes to system programs: monitor checksum values