Principles of Operating Systems: Security
© 2000 Franz Kurfess

Course Overview
- Introduction
- Computer System Structures
- Operating System Structures
- Processes
- Process Synchronization
- Deadlocks
- CPU Scheduling
- Memory Management
- Virtual Memory
- File Management
- Security
- Networking
- Distributed Systems
- Case Studies
- Conclusions

Chapter Overview
- Motivation
- Objectives
- Protection
  - protection of resources
  - protection methods
- Access Control
- Security
  - threats
  - protection mechanisms
- Important Concepts and Terms
- Chapter Summary

Motivation
- computer systems may be of considerable value and must be protected from damage
- hardware, software, and stored data may be essential for the performance of tasks and need to be available when needed
- system objects need to be protected from inadvertent unauthorized access or use
- there is the possibility of intrusion, modification, deletion, etc. with malicious intent

Objectives
- know basic protection methods and mechanisms
- be aware of the most common threats to system security
- evaluate tradeoffs between performance, ease of use, flexibility, etc. on one hand and security on the other hand

Protection
- methods and mechanisms that check the legality of an operation on an object in the computer system
- legality refers to
  - the authorization to perform an operation
  - the appropriate use of an operation
  - the validity of the parameters
- objects can be
  - hardware components
  - software entities: OS components, user programs, files, processes, pipes, etc.
  - data

Policy vs. Mechanism
- protection = policy + mechanism
- policy
  - set of rules implemented by a mechanism
  - determined by the management of the system
- mechanism
  - means for accomplishing a task
  - used for implementing and enforcing a policy

Computer Objects
- objects in a computer system that need to be protected
- hardware objects: CPU, memory segments, hard disk, printers, tape drives, etc.
- software objects: files, processes, databases, semaphores, pipes, etc.

Protection Domain
- a domain is a set of rights to perform certain operations on certain objects
  - specified as (objects, rights) pairs
  - each pair specifies an object and the operations that can be performed on the object
- domains limit and control the access of processes to objects: a process may use only the objects it is authorized to use, and only with the operations it is authorized for

Minimum Privilege Principle
- a process should have only the capabilities needed to perform its task
- a protection domain must be tailored to each individual process
  - not practical for most systems
  - in practice, processes with similar domains are grouped together

Protection Domains in UNIX
- the domain of a process is determined by
  - its user id (uid)
  - its group id (gid)
- a process may switch temporarily between different domains, e.g. to execute a program owned by another user
  - this is a security problem, especially when user processes switch to the root domain

Access to Resources
computer system resources, the threats to them, and the corresponding protection measures:
- hardware
  - threats: deliberate or accidental damage, theft, unauthorized use
  - protection: physical access to hardware may be restricted
- software
  - threats: execution, modification, deletion, unauthorized copying
  - protection: restricted privileges, configuration management
- data
  - threats: modification or destruction, unauthorized use
  - protection: restricted privileges, encryption, off-line storage
- communication
  - threats: eavesdropping, traffic analysis, intrusion, forging of messages, denial of service
  - protection: prevention, detection, encryption, isolation

Access Control
- subject: entity requesting access
  - usually a process (UID and GID on UNIX)
  - users are represented by processes
- object: entity to be accessed
  - CPU, memory, network, files, programs
- access right: operations the subject is allowed to perform on the object

Unix Access Control
- subjects are divided into three domains: user, group, and others (not user)
- objects are primarily files; access to devices is through the file system
- access rights are of three types: read, write, execute

Access Matrix
- specifies for each domain and each object the permissible operations
  - rows hold domains
  - objects are in the columns
- entry access(i,j) specifies the set of operations that a process executing in domain Di can perform on object Oj

Access Matrix Diagram
[figure: access matrix with rows Domain 1, Domain 2, Domain 3 and columns File1, File2, File3, Printer; the non-empty entries are r, rw, rx, r and w]
- the operations specified in an entry are allowed for processes in a certain domain on a particular object

Domain Switching in an Access Matrix
[figure: the access matrix above extended with columns D1, D2, D3; two entries in the domain columns read "switch"]
- switching between domains can also be controlled by the access matrix
  - additional columns for the target domain
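The following is an added example, not code from the lecture: a small access-matrix model in which domain switching is just another right, held in extra columns whose objects are the target domains. The domain, object and right assignments below are constructed (the exact placement of entries in the slide's figure is not recoverable), and the default for an empty cell is no access.

```python
# Added example (not from the lecture slides): an access matrix with
# domain-switch columns. Names of domains, objects and rights are constructed.
from typing import Dict, FrozenSet, List, Set, Tuple

Rights = FrozenSet[str]


class AccessMatrix:
    """Rows are protection domains, columns are objects (files, devices and,
    for switching, other domains); access(i, j) is a set of operations."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Rights] = {}
        self.domains: Set[str] = set()
        self.objects: Set[str] = set()

    def grant(self, domain: str, obj: str, *ops: str) -> None:
        self.domains.add(domain)
        self.objects.add(obj)
        self._cells[(domain, obj)] = self.rights(domain, obj) | frozenset(ops)

    def rights(self, domain: str, obj: str) -> Rights:
        # An empty cell means no access: the default is deny.
        return self._cells.get((domain, obj), frozenset())

    def check(self, domain: str, obj: str, op: str) -> bool:
        return op in self.rights(domain, obj)

    def switch(self, current: str, target: str) -> str:
        """Switching is an operation on an object (the target domain), so it
        is authorized by the same matrix as every other operation."""
        if not self.check(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target


def build_example() -> AccessMatrix:
    """Constructed matrix: three domains, three files, a printer, and two
    switch entries (D1 may enter D2, D2 may enter D3)."""
    m = AccessMatrix()
    m.grant("D1", "File1", "r")
    m.grant("D1", "File2", "r", "w")
    m.grant("D2", "File3", "r", "x")
    m.grant("D3", "File1", "r")
    m.grant("D3", "Printer", "w")
    m.grant("D1", "D2", "switch")
    m.grant("D2", "D3", "switch")
    return m


def run_process(matrix: AccessMatrix, start: str,
                steps: List[Tuple[str, str, str]]) -> List[bool]:
    """Simulate a process issuing requests from its current domain.
    Each step is ("access", object, op) or ("switch", target_domain, "")."""
    domain = start
    results = []
    for kind, obj, op in steps:
        if kind == "switch":
            try:
                domain = matrix.switch(domain, obj)
                results.append(True)
            except PermissionError:
                results.append(False)  # request refused, domain unchanged
        else:
            results.append(matrix.check(domain, obj, op))
    return results


if __name__ == "__main__":
    m = build_example()
    print(run_process(m, "D1", [("access", "File1", "r"),
                                ("switch", "D3", ""),
                                ("switch", "D2", ""),
                                ("access", "File3", "x")]))
```

Because a refused switch leaves the process in its old domain, the sequence of results also shows how the matrix confines a process to the transitions the policy explicitly lists.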

Implementation of Access Matrices
- global table
- access lists
- capability lists

Global Table
- set of ordered triplets <domain, object, rights>
- for each operation of a subject on an object, the table is searched for a triplet such that
  - the subject must be in the domain
  - the object must be present
  - the operation must be part of the rights
- advantage: simple realization
- drawbacks
  - large tables, requiring virtual memory or I/O operations
  - groupings of entries not possible

Access Control Lists
- each object has a list of pairs (domain, access rights)
  - specifies which operations may be performed by which entity
- the columns of the access matrix are implemented as lists
  - only non-empty entries are stored
- used in the VMS operating system

Example
File1: (john, rw)
File2: (mary, rwx)
File3: (john, r), (mary, rw), (fred, rx)
File4: (*, rx)
File5: (fred, -), (*, rw)

Capability List
- for each domain in the access matrix we associate a list of objects along with the type of access for each object
- each row of the access matrix is implemented as a list
  - objects within a domain
  - operations allowed on the objects
- a process presents the capability for an operation to the OS before the operation is performed
- capabilities are maintained by the OS and not directly accessible to the users

Example
a capability list with four entries:

Index  Type  Rights  Object
0      File  r w -   pointer to file2
1      File  r - x   pointer to file1
2      File  r w x   pointer to file3
3      File  - w -   pointer to file4

Comparison
- access lists
  - correspond directly to the needs of the users
  - determining the access rights for a particular domain is difficult
  - permissions for all objects must be specified
    - frequently a default list is used, and only deviations are noted explicitly
  - every access to an object must be checked
    - requires a search of the access list
- capability lists
  - do not correspond directly to the needs of the users
  - useful for finding information on a particular process
  - revocation of capabilities may be inefficient
  - not very frequently used in their pure form
    - sometimes used as a cache for information in the access list

Modification of Access Rights
- permissions for operations on objects may change dynamically in a system
- this can lead to the extension or revocation of access rights
- easy with an access-list scheme
  - the corresponding rights are modified in one place
- difficult with capability lists
  - capabilities are distributed throughout the system, and must be found first
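As an added example (not from the lecture), the access-control-list example from the slides is kept both as per-object lists and, derived from them, as per-domain capability lists, so that the comparison and the revocation cost can be seen in code. One assumption is made that the slides leave implicit: entries in a list are evaluated in order and the first match wins, so "(fred, -), (*, rw)" denies fred and grants everyone else read and write.

```python
# Added example (not from the lecture slides): ACLs versus capability lists
# built from the same rights, with revocation in both representations.
# Assumption: first matching ACL entry wins; "*" matches any domain; "-" means
# no rights at all.
import copy
from collections import defaultdict
from typing import Dict, List, Tuple

ACL = List[Tuple[str, str]]  # (domain, rights string)

# The example from the slides, as data.
ACLS: Dict[str, ACL] = {
    "File1": [("john", "rw")],
    "File2": [("mary", "rwx")],
    "File3": [("john", "r"), ("mary", "rw"), ("fred", "rx")],
    "File4": [("*", "rx")],
    "File5": [("fred", "-"), ("*", "rw")],
}


def acl_rights(acls: Dict[str, ACL], obj: str, domain: str) -> str:
    """Column lookup: walk the object's list; the first matching entry decides."""
    for who, rights in acls.get(obj, []):
        if who == domain or who == "*":
            return "" if rights == "-" else rights
    return ""  # no entry: default deny


def acl_allows(acls: Dict[str, ACL], domain: str, obj: str, op: str) -> bool:
    return op in acl_rights(acls, obj, domain)


def build_capabilities(acls: Dict[str, ACL], domains: List[str]) -> Dict[str, Dict[str, str]]:
    """Row view: for each domain, the objects it may use and the allowed
    operations. This is the 'cache of the access list' role mentioned on the
    slides; wildcard entries have to be expanded per concrete domain."""
    caps: Dict[str, Dict[str, str]] = defaultdict(dict)
    for domain in domains:
        for obj in acls:
            rights = acl_rights(acls, obj, domain)
            if rights:
                caps[domain][obj] = rights
    return dict(caps)


def revoke_acl(acls: Dict[str, ACL], obj: str, domain: str) -> None:
    """Revocation with ACLs: edit the one list attached to the object."""
    acls[obj] = [(who, r) for who, r in acls[obj] if who != domain]


def revoke_capability(caps: Dict[str, Dict[str, str]], obj: str, domain: str) -> int:
    """Revocation with capability lists: the capability lives with its holder,
    not with the object, so every domain's list is visited to find it.
    Returns the number of lists scanned."""
    scanned = 0
    for holder, objs in caps.items():
        scanned += 1
        if holder == domain and obj in objs:
            del objs[obj]
    return scanned


if __name__ == "__main__":
    acls = copy.deepcopy(ACLS)
    caps = build_capabilities(acls, ["john", "mary", "fred"])
    print(caps)
    revoke_acl(acls, "File3", "fred")
    print(revoke_capability(caps, "File3", "fred"), "lists scanned")
```

The ACL revocation touches one list; the capability revocation has to scan every list because nothing at the object records who holds a capability for it, which is the inefficiency the comparison slide refers to.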

Authorization
- granting of permissions for operations on objects to subjects

Authentication
- of users
- of other systems

User Authentication
- identification of users at login time
- can be addressed through
  - passwords
  - physical identification

Passwords
- legitimate users identify themselves by providing an account id and a password
  - if the password matches the one stored in the system, the user is considered legitimate
- the password must be kept secret
  - must not be exposed by the user
  - must be stored internally in encrypted format or in a protected place
- easy to understand and use
- low implementation overhead

Password Problems
- often easy to defeat
  - password guessing with the use of a list of likely words
  - watching while the user types the password (shoulder surfing)
  - network sniffing
  - account sharing

Example Password Cracking
- 7-character passwords chosen from a 95-character printable set: 95^7 (approximately 7 x 10^13) possibilities
- at 1000 encryptions/sec it would take about 2000 years to create the complete list

Password Secrecy
- extension and encryption
  - associate an n-bit random number with each password
  - the number is stored in the password file unencrypted
  - the password and the random number are first concatenated, then encrypted together and stored in the password file
  - increases the size of the space a precomputed list must cover by a factor of 2^n
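The two slides above, as an added example that is not part of the lecture: the brute-force estimate (95 characters, length 7, 1000 guesses per second) computed directly, and the n-bit random number scheme implemented as salted password storage. The slides do not name the "encryption" used; PBKDF2-HMAC-SHA256 from the standard library is substituted here, which is an assumption, as is the 64-bit salt length.

```python
# Added example (not from the lecture slides): brute-force search space
# arithmetic and salted password storage. PBKDF2-HMAC-SHA256 stands in for
# the slides' unspecified encryption; the salt length is an assumption.
import hashlib
import hmac
import secrets
from typing import Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length: charset ** length."""
    return charset_size ** length


def years_to_enumerate(space: int, guesses_per_second: float) -> float:
    """Time to try every password once at a fixed guessing rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def table_growth_factor(salt_bits: int) -> int:
    """A precomputed list must hold one entry per (salt, password) pair,
    so an n-bit salt multiplies its size by 2 ** n."""
    return 2 ** salt_bits


def store_password(password: str, salt_bits: int = 64,
                   iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is kept in the clear next to the
    digest, exactly as the slide describes for the random number."""
    salt = secrets.token_bytes(salt_bits // 8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    space = search_space(95, 7)
    print(f"{space:.2e} passwords, {years_to_enumerate(space, 1000):.0f} years at 1000/s")
    salt, digest = store_password("example-only")  # constructed password
    print(verify_password("example-only", salt, digest))
```

Two users who choose the same password get different digests because their salts differ, so a single precomputed list cannot serve both; that is the 2^n factor on the slide.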

Password Provisions
- system-generated passwords
  - random, easy to remember, but nonsense words (e.g. "vriendly") are generated by the system
- regular change of passwords
  - may defeat the purpose: users write down passwords, toggle between passwords, or use month/year in the password
- paired passwords
  - users provide a list of questions and answers that will be stored in encrypted format
  - the system randomly selects an entry which the user has to complete
- user picks an algorithm

One-Time Passwords
- each password can be used only once
- frequently based on special hardware calculators or code books to determine the one-time password
- complicated to administer

Physical Identification
- plastic card with magnetic stripe and password (cash machines)
  - often augmented by personal identification numbers (PIN)
- fingerprints, voice prints, visual recognition
- signature

Security
- application of protection methods and mechanisms to maintain the safe operation of a computer system
- must also take into account the external environment of the system
- cannot rely on orderly behavior of users and processes
  - users may try to circumvent protection mechanisms

Security Aspects
- physical security
  - prevention of unauthorized access to physical systems
  - restriction to legal use of systems
- operational security
  - subjects may only execute legal operations on objects

Security Threats
- technical
  - interruption
  - interception
  - modification
  - fabrication
- nontechnical ("social engineering")

Security Threats in OSes
- most operating systems have major security problems
- penetration teams can be used to test security and expose problems

Common Attack Methods
- snooping and sniffing
  - listening in on network traffic
  - ask for memory pages, disk space or tapes and just read them (don't fill them); many systems don't delete old information
- trial and error on system calls
  - illegal system calls, legal system calls with illegal parameters, or legal system calls with legal but unreasonable parameters
  - example: "ping of death" attack
- login interrupt
  - start logging in and then hit DEL, RUBOUT, BREAK (or other control keys) halfway through

Attack Methods (Cont.)
- OS meddling
  - modify complex OS data structures residing in memory
- do don'ts
  - look for manuals that say "Do not do X" and try as many combinations of X as possible
- social engineering
  - bribe or trick the security personnel

Intruders
- persons from outside seek unauthorized access to a computer system
  - frequently via network connection
  - intruders are often referred to as hackers or crackers
- legitimate users make unauthorized use of a system
  - evasion of auditing or access controls

Program and System Threats
- Trapdoors
- Logic Bombs
- Trojan Horses
- Viruses
- Bacteria
- Worms

Taxonomy of Software Threats
[Bowles and Pelaez, 1992]
[figure: tree of malicious programs]
- malicious programs that need a host program: trap door, logic bomb, Trojan horse, virus
- malicious programs that are independent: bacterium, worm
- of these, virus, bacterium and worm replicate

Trap Door
- hidden entry point to the system
  - often left by the designer of a program for debugging or malicious purposes
- can circumvent normal security procedures
- can be very difficult to detect

Example Trap Door
- an employee of a bank works on the transaction processing system used by the bank
- to be prepared for unpleasant situations at work, she leaves an entry point into the system
- she's fired for security violations
- after she's fired, she gains access via modem, transfers a large amount of money to an account on a Caribbean island, and erases all files

Confinement Example
- you're a great physicist working on a novel approach to the unified theory of everything
- unfortunately, your programming skills are not sufficient, and you have to trust programmers
  - they know only the code, but not some critical values that you enter interactively
- you inspect their programs, compile and install them yourself to make sure that there is no communication outside your own account
- you perform all your simulations and calculations
- you're ready to publish your results when you see an article written by your programmers with your results

Confinement Problem
- can programs be written in such a way that the information used and generated cannot be communicated outside the domain?
  - no network connection
  - no writing to files outside the domain
  - no usage of peripheral devices
- problem: covert channels
  - information can be transmitted through indirect ways
  - relies on properties of the process execution that can be observed by other processes
    - length of CPU bursts, paging rate, etc.

Logic Bombs
- segment in a regular program that checks for certain conditions
- when the conditions are met, some unwanted functions are executed

Example Logic Bomb
- a contractor implements a logic bomb in a library circulation system
- the bomb is designed to go off on a certain date unless the contractor has been paid

Trojan Horses
- (seemingly) useful program containing hidden code that may perform unwanted functions
- the hidden segment misuses its current environment
  - runs in the user's environment with all the user's privileges
- often hidden in regular programs, e.g. login program, email, editor

Examples Trojan Horse
Example 1: True friends
- you're working on a programming assignment together with your friend
- for testing purposes, you make your programs executable for each other
- you invoke your friend's program, and it deletes all your files
Example 2: Password Stealing
- a user writes a program that looks exactly like the login procedure for a multi-user system
- it is left on the terminal for the next unsuspecting user
- this program reads the password and stores it
- then it exits with an error message and lets the user continue with the regular login process

Viruses
- fragment of code embedded in a legitimate program
- designed to spread into other programs and systems
- may be destructive or simply annoying
  - display of messages
  - program malfunctions
  - modification or deletion of files
  - system crash
- most prevalent on single-user systems
  - weak protection
  - curiosity and negligence of users

Virus Protection
- antivirus programs
  - practically all current programs are effective only against particular known viruses
- safe computing
  - purchase only unopened media from reputable sources
  - avoid shared media: floppy disks, bulletin boards
  - if you have to share media, apply antivirus programs immediately

Bacteria
- programs that consume system resources by replicating themselves
- bacteria may reproduce exponentially, eventually taking up all resources

Worms
- programs that replicate themselves and send copies across network connections
- may perform unwanted functions in addition to replication

Internet Worm
- one of the greatest computer security violations of all times
- Robert Morris, Cornell University, first-year graduate student
- unleashed Nov. 2, 1988
- propagated to thousands of computers on the Internet
  - Sun 3 workstations and VAX computers running Unix BSD 4.x

Internet Worm cont.
- worm components
  - grappling hook (99 lines of C code)
  - the worm proper
- strategy
  - compile and execute the grappling hook on the machine under attack
  - upload the main worm
  - contact new hosts
  - spread the grappling hook

Worm Diagram
[figure: the worm on an infected system places the grappling hook on the target system via finger, rsh or sendmail; the grappling hook sends a "worm request" back, and the worm is then sent to the target]

Internet Worm cont.
- transmission methods to infect new machines
  - rsh
  - finger
  - sendmail

Internet Worm cont.
- limited replication
  - on an already infected machine, new copies of the worm would exit, except for every seventh instance
- caused a major disruption on affected systems
  - may have been intended as harmless

Remote Shell Flaw
- frequently accessed remote hosts can be listed in a file .xhosts
  - remote shells can be invoked without password
- the worm used these files to propagate to trusted new hosts

Finger Flaw
- invoking finger with an argument that exceeds the buffer of the finger daemon results in an overwrite of the stack frame
- the finger daemon continued with the execution of the argument instead of returning to its main routine

Sendmail Flaw
- the debugging option of the sendmail program is often left on as a background process
  - intended for testing purposes
  - usually invoked with a user email address
- the worm called debug with commands to mail and execute a copy of the grappling hook

The Worm's Demise
- on the evening of the next day, countermeasures were circulated to system administrators
- reasons for success
  - quick electronic communication
  - access to source code
  - distribution of source code and executables to remote machines
  - collaboration of experts
- Morris was convicted in federal court ($10,000 fine, 3 years probation, 400 hours of community service, legal fees)

Countermeasures
- prevention
  - possible threats are anticipated
    - this is not possible for all threats
  - mechanisms are installed to prevent attacks
- detection
  - in case of an attack, it is identified and corrective measures are taken

Countermeasure Examples
- access restrictions
  - users are only allowed to log in from a specific terminal, during certain days of the week, during certain hours of the day
  - the system dials the user back at a predetermined phone number
- login
  - increase login time to discourage repeated login tries
  - record all logins
- traps
  - easy-to-break-in accounts
  - seemingly interesting information for intruders

Threat Monitoring
- limited login attempts
  - if more than a few login attempts are unsuccessful, the login process is aborted
- audit log
  - records time, user, type of access to objects
  - useful for recovery and prevention
  - considerable overhead
- security check
  - systematic checks for security holes
  - usually done during low traffic times

Security Checks
- periodic exploration of potential security holes
  - weak passwords: short, easy to guess
  - unauthorized set-uid programs
  - unauthorized programs in system directories
  - suspicious processes: running time, behavior, access to resources
  - improper file and directory protections
    - user and system directories and files
    - password file, device drivers, system programs
  - modifications to system programs
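The file-protection part of the checks above, as an added example that is not from the lecture: Unix mode bits are decoded into the user/group/others read/write/execute rights from the "Unix Access Control" slide, and a directory walk flags set-uid or set-gid programs and world-writable files, the two items a periodic security check would look for first. The allow-list of known set-uid programs is a constructed parameter; sticky world-writable directories (such as a temporary directory) are deliberately not reported.

```python
# Added example (not from the lecture slides): decoding Unix permission bits
# and scanning a directory tree for set-uid programs and world-writable
# objects. The allow-list parameter and any sample modes are constructed.
import os
import stat
from typing import Dict, FrozenSet, List


def decode_rights(mode: int) -> Dict[str, str]:
    """Unix splits subjects into user, group and others; each gets r, w, x."""
    out: Dict[str, str] = {}
    for who, shift in (("user", 6), ("group", 3), ("others", 0)):
        bits = (mode >> shift) & 0o7
        out[who] = (("r" if bits & 4 else "-")
                    + ("w" if bits & 2 else "-")
                    + ("x" if bits & 1 else "-"))
    return out


def classify_mode(mode: int) -> List[str]:
    """Findings for one st_mode value, in a fixed order."""
    findings: List[str] = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        findings.append("setuid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        findings.append("setgid")
    if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
        # A sticky world-writable directory restricts deletion to the owner,
        # so it is the normal shape of a shared temporary directory.
        if not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            findings.append("world-writable")
    return findings


def scan_tree(root: str, allowed_setuid: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Walk `root` without following symlinks and report paths with findings.
    Paths in `allowed_setuid` are authorized set-uid programs and are not
    reported for that reason alone."""
    report: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry; skip, do not crash the check
            findings = classify_mode(mode)
            if "setuid" in findings and path in allowed_setuid:
                findings.remove("setuid")
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_tree(".").items():
        print(path, findings)
```

Comparing the output of successive runs is how "unauthorized set-uid programs" and "modifications to system programs" become visible: a set-uid file that was not in the allow-list, or a finding that appears where none was before, is the deviation to investigate.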

Design Principles for Security
- system design should be public
  - better verification and discovery of flaws
- minimum privilege principle
  - give each process the least privilege possible
  - default should be no access
- check for authority and authentication
- simple, uniform protection mechanisms at low levels
- acceptable for users

Encryption
- mainly used for transmission and storage of sensitive information, e.g. the password file in Unix
- basic mechanism
  - information is encrypted into an unintelligible format
  - this is stored or transmitted
  - the receiver or reader must decrypt it into readable format
- encryption frequently relies on operations that can be done efficiently in one direction, but whose inverse operation is very difficult to do
  - e.g. factorization of large integers

Important Concepts and Terms
access control, access control list, audit log, authentication, capability list, confinement problem, deadlock, decryption, digital signature, encryption, external security, internal security, object, operation, permission, private key cryptosystem, privilege, privileged instruction, protection, protection domain, right, security policy, starvation, subject, system mode, trojan horse, user mode, virus

Chapter Summary
- physical and operational safety of computer systems can be important aspects
- protection methods and mechanisms are available to prevent unauthorized access to and use of computer systems
- especially networked computers are vulnerable to security threats like trapdoors, logic bombs, Trojan horses, viruses, bacteria, worms
- the main types of countermechanisms are prevention and detection