
Security and Authentication

CS-502, Operating Systems, Fall 2009 (EMC)

(Slides include materials from Modern Operating Systems, 3rd ed., by Andrew Tanenbaum and from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne)


Reading Assignment

• Tanenbaum, Modern Operating Systems, 3rd edition, Chapter 9
  – Security and threats
  – Viruses
    • How to write and detect!
  – Protection – implementation of security


Concepts

• Protection:
  – Mechanisms and policy to keep programs and users from accessing or changing things they should not
  – Internal to OS
  – §9.1-9.3 in Tanenbaum

• Security:
  – Issues external to OS
  – Authentication of user, validation of messages, malicious or accidental introduction of flaws, etc.
  – §9.4-9.8 in Tanenbaum


Outline

• A puzzle – who am I talking to?

• The first computer virus

• Some program threats

• Overview of protection mechanisms

• Fun with cryptography


Puzzle

• Alice wishes to send a secret message to Bob
  – She places the message in an impenetrable box
  – Locks the box with an unbreakable padlock
  – Sends the locked box to Bob

• Problem:
  – Bob has no key to unlock the box
  – No feasible way to securely send the key to Bob

• How does Bob retrieve message?


Answer

• Bob adds a 2nd unbreakable padlock to the box
  – Locks it with his own key
  – Sends the box back to Alice (with two padlocks!)

• Alice unlocks and removes her lock
  – Sends the box back to Bob

• Bob unlocks his lock
  – Opens the box and reads the message

• What could go wrong?
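The padlock exchange, as an added example that is not part of the slides or of the cited textbooks. A padlock is modelled as exponentiation modulo a large prime (Shamir's three-pass idea): two such locks commute, so Alice can remove hers while the second one is still on. The prime, the key generation and the message are all constructed for this illustration. The second function runs the exchange twice, once with Bob adding the second lock and once with someone else, to show what the protocol itself does not check: nothing on the box tells Alice whose padlock the second one is, so whoever applied it reads the message. That gap is the authentication problem the following slides take up.

```python
import math
import secrets

# Toy "padlock": exponentiation modulo the Mersenne prime P (constructed).
# Locks commute, m^a^b == m^b^a (mod P), which is what lets Alice remove her
# lock while the other lock is still on the box.
P = (1 << 127) - 1   # a message must be < P, i.e. at most 15 bytes in this toy


def make_key() -> int:
    """A padlock key: an exponent that is invertible modulo P-1."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and math.gcd(k, P - 1) == 1:
            return k


def lock(box: int, key: int) -> int:
    return pow(box, key, P)


def unlock(box: int, key: int) -> int:
    # pow(key, -1, P - 1) is the modular inverse (Python 3.8+)
    return pow(box, pow(key, -1, P - 1), P)


def three_pass(message: bytes, alice_key: int, second_key: int) -> bytes:
    """Run the exchange from the slides. `second_key` belongs to whoever adds
    the second padlock; nothing in the protocol tells Alice who that is."""
    if not 0 < len(message) <= 15:
        raise ValueError("message must be 1..15 bytes for this toy prime")
    m = int.from_bytes(message, "big")
    box1 = lock(m, alice_key)            # Alice -> second party: one padlock
    box2 = lock(box1, second_key)        # back to Alice: two padlocks
    box3 = unlock(box2, alice_key)       # Alice removes hers and sends it on
    m2 = unlock(box3, second_key)        # holder of the second key opens it
    return m2.to_bytes(len(message), "big")


def run_both_cases(message: bytes = b"meet at noon") -> tuple:
    """(does Bob read it?, does someone other than Bob read it?)"""
    alice, bob, someone_else = make_key(), make_key(), make_key()
    return (three_pass(message, alice, bob) == message,
            three_pass(message, alice, someone_else) == message)
```

The choice of lock matters as well as the choice of locker: a lock that is its own inverse, such as XOR with a key, lets anyone who saw all three transmissions combine them and recover the message, which is why the example uses modular exponentiation rather than XOR.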


Authentication

• How does a system (distributed or not) know who it is talking to?

• Who do I say that I am?

• How can I verify that …
  • … I know something that nobody else should know?
  • … I have something that nobody else should have?
  • … I am someone that nobody else should be?
  • … without giving away that crucial information to hackers and crackers!


Threats against Authentication

I want to pretend to be you:

• I can steal your password
  – from the sticky note on your monitor or the list in your desk drawer
  – by monitoring your communications or looking over your shoulder

• I can guess your password – particularly useful if I can also guess your user name

• I can get between you and the system you are talking to


Getting between you and system you are talking to


Login Spoof

• I create a login screen in my process
  – On a public machine
  – Looks exactly like the real one

• You log into the system
  – My login process records your user ID and password
  – Logs you in normally

• Result:
  – I have gotten between you and the system without your knowledge
  – Also, I have stolen your user ID and password


The Trouble with Passwords

• They are given away

• They are too easy to guess

• They are used too often

• There are too many of them

• They are used in too many places


Example — Easy to Guess Passwords

Tanenbaum Figure 9-18. How a cracker broke into a U.S. Department of Energy computer at LBL.


Password Studies

• Morris and Thompson (1979)
  – 86% of Unix passwords were from a list of likely passwords
    • Street & city names, first & last names, dictionary words, words spelled backwards, etc.

• Results confirmed in multiple studies & multiple systems

• See Tanenbaum, §9.4.1


The Trouble with Passwords

• They are given away

• They are too easy to guess

• They are used too often

• There are too many of them

• They are used in too many places


Some ways around the problem

• Better passwords
  – longer
  – larger character set
  – more random in nature/encrypted

• Use passwords less often
  – change frequently, one system per password
  – challenge/response – exposed only once

Passwords are a pain in the $%#@(&*

System administrators often adopt policies that defeat goals rather than support them
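A password policy check that applies the points above (length, character set, randomness) together with the Morris and Thompson finding that most passwords are names, places or dictionary words, possibly reversed. This is an added example, not code from the slides or the studies; the `LIKELY` word list is a tiny constructed stand-in for the real "list of likely passwords", and the thresholds are arbitrary choices for the illustration. The entropy figure is only an upper bound: it assumes every character was picked at random from the alphabet used, which is exactly what human-chosen passwords fail to do, hence the separate dictionary test.

```python
import math
import string

# Constructed stand-in for the Morris-Thompson "list of likely passwords":
# names, places, dictionary words. A real check loads a large word list.
LIKELY = {"password", "boston", "worcester", "alice", "smith", "secret",
          "dragon", "letmein", "qwerty"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(pw: str) -> int:
    """Size of the alphabet a guesser must search, given the classes used."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing work: every character chosen uniformly from
    the alphabet actually used. Real, human-chosen passwords are weaker."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def looks_guessable(pw: str) -> bool:
    """The transformations the 1979 study tried: the word itself, the word
    spelled backwards, and the word with trailing digits removed ('secret1')."""
    base = pw.lower()
    stripped = base.rstrip(string.digits)
    return any(c in LIKELY for c in (base, base[::-1], stripped, stripped[::-1]))


def check_password(pw: str, min_len: int = 12, min_classes: int = 3,
                   min_bits: float = 60.0) -> list:
    """Return the list of policy problems; an empty list means acceptable.
    Thresholds are constructed for the example."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    used = sum(1 for c in CLASSES if any(ch in c for ch in pw))
    if used < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if entropy_bits(pw) < min_bits:
        problems.append(f"at most {entropy_bits(pw):.0f} bits, below {min_bits:.0f}")
    if looks_guessable(pw):
        problems.append("derived from a likely password (name, place, word)")
    return problems
```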


The Challenge/Response Protocol

Art → Mary: Hello, I’m Art
Mary → Art: Decrypt this: {R}P
Art → Mary: R
Mary → Art: Hello Art! How can I help you?

P is a shared secret
R is a random number


The Challenge/Response Protocol

Art → Mary: Hello, I’m Art
Mary → Art: Decrypt this: {R}P
Art → Mary: R
Mary → Art: Hello Art! How can I help you?

At this point, is Mary confident that she is talking with Art?

At this point, is Art confident that he is talking with Mary?
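The Art/Mary exchange as runnable code, added here and not taken from the slides. One substitution is made and should be read as such: instead of Mary sending R encrypted under P and Art returning the decrypted R, Mary sends R in the clear and Art returns HMAC(P, "Art" || R). Both forms prove knowledge of the shared secret P without ever putting P on the wire; the HMAC form is used so that no toy cipher has to be written. The secret value and the party names are constructed. `one_way` is the slide's exchange, in which only Mary issued a challenge and so only Mary has verified anyone; `mutual` adds the reverse challenge that gives Art the same assurance about Mary.

```python
import hashlib
import hmac
import secrets


def new_challenge() -> bytes:
    """R: fresh random bytes, so a recorded answer never works twice."""
    return secrets.token_bytes(16)


def respond(secret: bytes, responder: str, challenge: bytes) -> bytes:
    # The responder's name is part of the MAC input, so a challenge cannot
    # simply be reflected back at the party who issued it: each direction
    # of the protocol produces a different answer to the same R.
    return hmac.new(secret, responder.encode() + challenge, hashlib.sha256).digest()


def verify(secret: bytes, responder: str, challenge: bytes, response: bytes) -> bool:
    # constant-time comparison of the expected and received answers
    return hmac.compare_digest(respond(secret, responder, challenge), response)


def one_way(art_secret: bytes, mary_secret: bytes) -> tuple:
    """The slide's exchange. Returns (Mary's verdict, transcript)."""
    transcript = [("Art -> Mary", "Hello, I'm Art")]
    R = new_challenge()
    transcript.append(("Mary -> Art", f"Prove it: {R.hex()}"))
    answer = respond(art_secret, "Art", R)
    transcript.append(("Art -> Mary", answer.hex()))
    mary_ok = verify(mary_secret, "Art", R, answer)
    transcript.append(("Mary -> Art",
                       "Hello Art! How can I help you?" if mary_ok else "Go away"))
    return mary_ok, transcript


def mutual(art_secret: bytes, mary_secret: bytes) -> tuple:
    """Both directions: after Mary has checked Art, Art challenges Mary.
    Returns (Mary trusts Art, Art trusts Mary)."""
    mary_ok, _ = one_way(art_secret, mary_secret)
    R2 = new_challenge()                          # Art -> Mary
    answer = respond(mary_secret, "Mary", R2)     # Mary -> Art
    art_ok = verify(art_secret, "Mary", R2, answer)
    return mary_ok, art_ok


def replay_is_rejected(secret: bytes) -> bool:
    """An answer captured for one challenge is useless for the next one,
    which is the 'exposed only once' property of the earlier slide."""
    old = new_challenge()
    captured = respond(secret, "Art", old)
    return not verify(secret, "Art", new_challenge(), captured)
```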


Threat: Steal passwords from the system

• Don’t keep them in an obvious place

• Encrypt them so that the version seen by the system is not the same as what the user enters
  • … or the version on the wire
  • … or the version used last time
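How the stored version of a password is kept different from what the user types, as an added example rather than anything from the slides: a salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library). The system keeps only the salt, the cost parameter and the digest; a login attempt is checked by recomputing the digest from the stored salt. The iteration count and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Cost parameter, constructed for the example; tune it to your own hardware.
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """What the system stores: salt, cost and a one-way digest, never the password."""
    salt = secrets.token_bytes(16)          # fresh per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def check_login(record: dict, attempt: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def same_password_different_records(password: str) -> bool:
    """Salting: two users with the same password do not share a stored digest,
    so a leaked password table cannot be attacked for all users at once."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and check_login(a, password) and check_login(b, password)
```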


Too many passwords to remember?

• Third-party authentication
  – Get someone to vouch for you
  – The basics: “This guy says you know him…” “Yes, I trust him, so you should too…”

• Kerberos – Certificate-based authentication within a trust community

• More about this next week


What is in a certificate?

• Who issued it

• When was it issued

• For what purpose was it issued

• For what time frame is it valid

• (possibly other application-specific data)

• A “signature” that proves it has not been forged


Systems and Networks Are Not Different

• Same basic rules about code behavior apply

• Same authentication rules apply

• The same security principles apply

• Same coding rules apply to:
  – An application
  – Code which manages incoming messages
  – Code which imposes access controls on a network
  – ...


The Principles

• Understand what you are trying to protect

• Understand the threat(s) you are trying to protect against
  – Also, costs and risks

• Be prepared to establish trust by telling people how you do it

• Assume that the bad guys are at least as clever as you are!


Questions?


The First Computer Virus

• Reading assignment:
  – Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, vol. 27, #8, August 1984, pp. 761-763 (pdf)

• Three steps
  1. Program that prints a copy of itself
  2. Training a compiler to understand a constant
  3. Embedding a Trojan Horse without a trace

Required reading


Step 1 – Program to print copy of itself

• How do we do this?

• First, store a character array representing the text of the program

• Body of program
  • Print the declaration of the character array
  • Loop through the array, printing each character
  • Print the entire array as a string

• Result: a general method for a program to reproduce itself to any destination!
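Step 1 carried out in Python, as an added example (Thompson's original is in C; this is not his code). It follows the structure the slide describes: a character array holds the text of the rest of the program, and that rest (1) prints the array's declaration and (2) prints the array as a string. The array holds character codes rather than characters, which is what lets the program print quotes and newlines without first knowing how to escape them (that problem is Step 2). `run` executes a program text and captures its output so the fixed point can be checked.

```python
import io
from contextlib import redirect_stdout

# The part of the program that follows the array declaration (constructed).
# Line 1 prints the declaration of s; line 2 prints s itself as a string.
BODY = 'print("s = " + str(s))\nprint("".join(map(chr, s)), end="")\n'


def build_program() -> str:
    """Assemble the self-reproducing program as source text:
    the declaration of the character array, then the body."""
    s = [ord(c) for c in BODY]           # the character array, as numbers
    return "s = " + str(s) + "\n" + BODY


def run(program: str) -> str:
    """Execute program text and return what it printed."""
    out = io.StringIO()
    with redirect_stdout(out):
        exec(program, {})
    return out.getvalue()


def reproduces_itself(program: str) -> bool:
    """True if running the program prints exactly its own source."""
    return run(program) == program
```

The same construction works for any destination the program can write to, since the output is plain text: that is the "general method" the slide refers to.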


Step 2 – Teaching constant values to compiler

/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert('\n');
    else if (s[i] == 'v') insert('\v');
    else if …

• Question: How does compiler know what integer values to insert for '\n', '\v', etc.?


Step 2 (continued)

• Answer: In the first compiler ever written, insert the actual character code

• i.e., 11 (decimal) for ‘\v’, etc.

/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert('\n');
    else if (s[i] == 'v') insert(11);
    else if …

• Next: Use the first compiler to compile itself!


Step 2 (continued)

• Result: a compiler that “knows” how to interpret the sequence “\v”

• And all compilers derived from this one, forever after!

• Finally: replace the value “11” in the source code of the compiler with ‘\v’ and compile itself again

• Note: no trace of the values of special characters in …
  – The C Programming Language book
  – source code of the C compiler

• I.e., special character values are self-reproducing
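A toy model of Step 2, added here; it is not Thompson's code and the "compiler" is a few lines of Python rather than a C compiler. Its only job is to translate the body of a string constant (the five characters `a\vb`, say) into a list of character codes. The compiler's own source is Python text in which `q"..."` marks a string constant of the toy language that must be translated at build time by whatever compiler we already have, in the same way a C compiler's source is compiled by an earlier C compiler. Stage 1 spells out the codes 10 and 11; stage 2 writes its escape table using the escapes themselves, so the numbers appear nowhere in its text, yet once stage 2 has been built by stage 1 it can build itself, and every compiler built from it afterwards still "knows" that `\v` is 11. Everything here is constructed for the illustration.

```python
import re

# q"..." marks a string constant of the toy language inside compiler source.
TOY_LITERAL = re.compile(r'q"((?:[^"\\]|\\.)*)"')


def build(compiler_source: str, bootstrap):
    """Compile `compiler_source` using the existing compiler `bootstrap`:
    each q"..." is replaced by the codes bootstrap yields for it, then the
    resulting Python is executed to obtain the new compiler function."""
    def expand(match):
        if bootstrap is None:
            raise RuntimeError("no earlier compiler to translate " + match.group(0))
        return repr(bootstrap(match.group(1)))
    namespace = {}
    exec(TOY_LITERAL.sub(expand, compiler_source), namespace)
    return namespace["compile_string"]


# The escape-reading loop from the slide, shared by both stages (raw string:
# the "\\" below is the toy language's backslash, written in Python).
COMPILE_BODY = r'''
def compile_string(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":                 # backslash: look up the escape letter
            out.append(ESCAPES[s[i + 1]]); i += 2
        else:
            out.append(ord(s[i])); i += 1
    return out
'''

# Stage 1: the first compiler ever written must spell out the actual codes.
STAGE1 = 'ESCAPES = {"n": 10, "v": 11}\n' + COMPILE_BODY

# Stage 2: the same compiler, with its table written using the escapes
# themselves. The values 10 and 11 appear nowhere in this text.
STAGE2 = r'ESCAPES = {"n": q"\n"[0], "v": q"\v"[0]}' + "\n" + COMPILE_BODY


def bootstrap_chain():
    """(first compiler, stage 2 built by stage 1, stage 2 built by itself)."""
    c1 = build(STAGE1, None)
    c2 = build(STAGE2, c1)    # c1 translates q"\v" into [11] during the build
    c3 = build(STAGE2, c2)    # from here on, no compiler source mentions 11
    return c1, c2, c3


def stage2_mentions_codes() -> bool:
    """Does the stage-2 source contain the literal values 10 or 11?"""
    return "10" in STAGE2 or "11" in STAGE2
```

The point to take from the model is the one the slide makes: after the second build the knowledge that `\v` is 11 lives only in the compiler binary, and reading the source of any later compiler will not reveal it. Step 3 of the paper applies the same mechanism to something other than a character code; it is not reproduced here.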


Step 3 – Inserting a Trojan Horse

• In the compiler source, add the text
    if (match(sourceString, pattern))
        insert the Trojan Horse code
  where “pattern” is the login code (for example)

• In the compiler source, add the additional text
    if (match(sourceString2, pattern2))
        insert the self-reproducing code
  where “pattern2” is a part of the compiler itself

• Use this compiler to recompile itself, then remove source


Step 3 – Concluded

• Result: an infected compiler that will
  a. Insert a Trojan Horse in the login code of any Unix system
  b. Propagate itself to all future compilers
  c. Leave no trace of the Trojan Horse in its source code

• Like a biological virus:
  – A small bundle of code that uses the compiler’s own reproductive mechanism to propagate itself


Questions?


Security must occur at four levels to be effective

• Physical
  – The best security system is no better than the lock on your front door (or desk, or file cabinet, etc.)!

• Human
  – Phishing, dumpster diving, social engineering

• Operating System
  – Protection and authentication subsystems
  – Prevention of unauthenticated access to data

• Network
  – Protection and authentication subsystems
  – Separate from underlying protocols

• Security is as weak as the weakest link in chain


How do these attacks work?

• Messages that attack mail readers or browsers

• Denial of service attacks against a web server

• Password crackers

• Viruses, Trojan Horses, other “malware”


The concept of a “Vulnerability”

• Buffer overflow

• Protocol/bandwidth interactions
  – Protocol elements which do no work

• “execute this” messages
  – The special case of “mobile agents”

• Human user vulnerabilities
  – eMail worms
  – Phishing


Another Principle

• There is a never-ending war going on between the “black hats” and the rest of us.

• For every asset, there is at least one vulnerability

• For every protective measure we add, “they” will find another vulnerability


Yet Another Principle

• There is no such thing as a bullet-proof barrier

• Every level of the system and network deserves an independent threat evaluation and appropriate protection

• Only a multi-layered approach has a chance of success!


Actual Losses:

• Approximately 70% are due to human error

• More than half of the remainder are caused by insiders

• “Social Engineering” accounts for more loss than technical attacks.


What is “Social Engineering”?

“Hello. This is Dr. Burnett of the cardiology department at the Conquest Hospital in Hastings. Your patient, Sam Simons, has just been admitted here unconscious. He has an unusual ventricular arrhythmia. Can you tell me if there is anything relevant in his record?”


Questions?


Program Threats

• Trojan Horse
  – Code segment that misuses its environment
  – Exploits mechanisms for allowing programs written by users to be executed by other users
  – Spyware, pop-up browser windows, covert channels

• Trap Door
  – Specific user identifier or password that circumvents normal security procedures
  – Could be included in a compiler

• Logic Bomb
  – Program that initiates a security incident under certain circumstances

• Stack and Buffer Overflow
  – Exploits a bug in a program (overflow either the stack or memory buffers)


C Program with Buffer-overflow Condition

#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 256

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    else {
        /* no length check: an argument longer than BUFFER_SIZE-1 bytes
           overruns buffer and the rest of the stack frame */
        strcpy(buffer, argv[1]);
        return 0;
    }
}


Layout of Typical Stack Frame


Modified Shell Code

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* execvp takes the program path and an argv array terminated by NULL */
    char *args[] = { "/bin/sh", NULL };
    execvp("/bin/sh", args);
    return 0;
}


Hypothetical Stack Frame

(Figure: the stack frame before the attack and after the attack)


Effect

• If you can con a privileged program into reading a string into a buffer unprotected from overflow, then …

• …you have just gained the privileges of that program in a shell!


Program Threats – Viruses

• Code fragment embedded in legitimate programs
• Very specific to CPU architecture, operating system, applications
• Usually borne via email or as a macro
• E.g., Visual Basic Macro to reformat hard drive

Sub AutoOpen()
Dim oFS
Set oFS = CreateObject("Scripting.FileSystemObject")
vs = Shell("c:command.com /k format c:", vbHide)
End Sub


Program Threats (Cont.)

• Virus dropper inserts virus onto the system
• Many categories of viruses, literally many thousands of viruses
  – File
  – Boot
  – Macro
  – Polymorphic
  – Source code
  – Encrypted
  – Stealth
  – Tunneling
  – Multipartite
  – Armored


Questions?


Goals of Protection

• Operating system consists of a collection of objects (hardware or software)

• Each object has a unique name and can be accessed through a well-defined set of operations.

• Protection problem – to ensure that each object is accessed correctly and only by those processes that are allowed to do so.


Guiding Principles of Protection

• Principle of least privilege
  – Programs, users and systems should be given just enough privileges to perform their tasks

• Separate policy from mechanism
  – Mechanism: the stuff built into the OS to make protection work
  – Policy: the data that says who can do what to whom


Domain Structure

• Access-right = <object-name, rights-set>
  where rights-set is a subset of all valid operations that can be performed on the object.

• Domain = set of object-right pairs


Domain – Examples

• User
  – An actual human, or the name of a system role
    • e.g., uucp, root
  – Rights list what the “user” can do

• A team
  – Working on a project

See Tanenbaum, §9.3.1


Conceptual Model

• View protection as a matrix (Access Matrix)

• Rows represent domains

• Columns represent objects

• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j


Textbook Access Matrix

• Columns are access control lists (ACLs)
  • Associated with each object

• Rows are capabilities
  • Associated with each user, group, or domain


Unix & Linux

• System comprises many domains:
  – Each user
  – Each group
  – Kernel/System
  – Specific system processes & responsibilities

• (Windows has even more domains than this!)


Unix/Linux Matrix

                 file1    file2    file3    device   domain
User/Domain 1    r        rx       rwx      –        enter
User/Domain 2    r        x        rx       rwx      –
User/Domain 3    rw       –        –        –        –

• Columns are access control lists (ACLs)
  • Associated with each object

• Rows are capabilities
  • Associated with each user or each domain
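The access matrix of the conceptual-model slides and the Unix/Linux table above, as an added Python model (not code from the slides or the textbooks). Rows are domains and columns are objects; a cell holds the operations the domain may invoke on the object, so reading a column yields the object's ACL and reading a row yields the domain's capabilities. The rows are transcribed from the table; the "enter" right on the `domain` column follows the textbook treatment of domains as objects, and the `revoke` method is included to illustrate why revocation is a single edit when rights are stored with the object. Names of domains and objects are the slide's; the class and its method names are constructed.

```python
# Rows transcribed from the slide's table. Cells list single-letter
# operations (r, w, x) or the word "enter"; an empty cell means no rights.
SLIDE_ROWS = {
    "Domain 1": {"file1": "r",  "file2": "rx", "file3": "rwx", "device": "",    "domain": "enter"},
    "Domain 2": {"file1": "r",  "file2": "x",  "file3": "rx",  "device": "rwx", "domain": ""},
    "Domain 3": {"file1": "rw", "file2": "",   "file3": "",    "device": "",    "domain": ""},
}


class AccessMatrix:
    def __init__(self, rows: dict):
        self.rows = {d: dict(cells) for d, cells in rows.items()}

    def access(self, domain: str, obj: str, op: str) -> bool:
        """Reference-monitor check for one operation (a letter, or "enter").
        An unknown domain or object, or an empty request, gets nothing:
        the default is no access."""
        if op == "":
            return False
        return op in self.rows.get(domain, {}).get(obj, "")

    def acl(self, obj: str) -> dict:
        """Column view: which domains may do what to this object."""
        return {d: cells[obj] for d, cells in self.rows.items() if cells.get(obj)}

    def capabilities(self, domain: str) -> dict:
        """Row view: the 'tickets' a domain holds."""
        return {o: r for o, r in self.rows.get(domain, {}).items() if r}

    def revoke(self, domain: str, obj: str, op: str) -> None:
        """With rights kept on the object (ACL style) revocation is one cell
        edit; a capability system would have to find every copy of the ticket."""
        if domain in self.rows and obj in self.rows[domain]:
            self.rows[domain][obj] = self.rows[domain][obj].replace(op, "")


def slide_matrix() -> AccessMatrix:
    """A fresh matrix populated from the slide."""
    return AccessMatrix(SLIDE_ROWS)
```

The check is performed against the current table on every call rather than against a cached answer, which is the "check current authority, no caching" guideline that appears later in the deck.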


Changing Domains (Unix)

• Domain = uid or gid

• Domain switch via file access controls
  – Each file has associated with it a domain bit (setuid bit)
    • rwS instead of rwx
  – When executed with setuid on, the uid or gid is temporarily set to the owner or group of the file
  – When execution completes, the uid or gid is reset

• Separate mechanism for entering the kernel domain
  – System call interface


General (textbook) representation

• Domains are objects
  – Can be added to the Access Matrix


Practicalities

• At run-time…
  – What does the OS know about the user?
  – What does the OS know about the resources?

• What is the cost of checking and enforcing?
  – Access to the data
  – Cost of searching for a match

• Impractical to implement the full Access Matrix
  – Size
  – Access controls disjoint from both objects and domains


ACLs vs. Capabilities

• Access Control List: focus on resources
  – Good if resources greatly outnumber users
  – Can be implemented with minimal caching
  – Good when the user who creates a resource has authority over it

• Typically attached to objects
  – E.g., file metadata
  – Control mechanism checks if the user fits one of the classes of usage


ACLs vs. Capabilities (continued)

• Capability System: focus on users
  – Good if users greatly outnumber resources
  – Lots of information caching is needed
  – Good when a system manager has control over all resources

• Like a system of (unforgeable) tickets
  – Domain/user must present a ticket to get access to a particular object or class of objects
  – Issue: can a capability be revoked once it is given out?


Both are needed

• ACLs for files and other proliferating resources
• Capabilities for major system functions

• The common OSs offer BOTH
  – Linux emphasizes an ACL model
    • provides good control over files and resources that are file-like
  – Windows 2000/XP/Vista emphasize Capabilities
    • provides good control over access to system functions (e.g. creating a new user, or doing a system backup…)
    • Access control lists for files


…and good management, too!

• What do we need to know to set up a new user or to change their rights?

• …to set up a new resource or to change the rights of its users?

• …Who has the right to set/change access rights?

• No OS allows you to implement all the possible policies easily.


Enforcing Access Control

• User level privileges must always be less than OS privileges!
  – For example, a user should not be allowed to grab exclusive control of a critical device
  – or write to OS memory space

• …and the user cannot be allowed to raise his privilege level!

• The OS must enforce it…and the user must not be able to bypass the controls

• In most modern operating systems, the code which manages the resource enforces the policy


(Traditional) Requirements – System Call Code

• No user can interrupt it while it is running

• No user can feed it data to make it
  – violate access control policies
  – stop serving other users

• No user can replace or alter any system call code

• No user can add functionality to the OS!

• Data must NEVER be treated as code!


“Yeah, but …”

• No user can interrupt it while it is running
  • Windows, Linux routinely interrupt system calls

• No user can feed it data to make it
  • violate access control policies
  • stop serving other users

• No user can replace or alter any system call code
  • Except your average virus

• No user can add functionality to the OS!
  • Except dynamically loaded device drivers

• Data must NEVER be treated as code!
  • “One man’s code is another man’s data” – A. Perlis


Saltzer-Schroeder Guidelines

• System design should be public
• Default should be no access
• Check current authority – no caching!
• Protection mechanism should be
  – Simple, uniform, built into the lowest layers of the system
• Least privilege possible for processes
• Psychologically acceptable

• KISS!


Reading Assignment

Tanenbaum, Chapter 9


Questions?