Lecture 21 Chapter 14: Protection Chapter 15: Security - PowerPoint PPT Presentation
1
Lecture 21: Chapter 14 Protection, Chapter 15 Security
2
Chapter 14 Protection
  • Goals of Protection
  • Principles of Protection
  • Domain of Protection
  • Access Matrix
  • Implementation of Access Matrix
  • Access Control
  • Revocation of Access Rights
  • Capability-Based Systems
  • Language-Based Protection

3
Objectives
  • Discuss the goals and principles of protection in
    a modern computer system
  • Explain how protection domains combined with an
    access matrix are used to specify the resources a
    process may access
  • Examine capability and language-based protection
    systems

4
Protection
  • Operating system consists of a collection of
    objects, hardware or software
  • Each object has a unique name and can be accessed
    through a well-defined set of operations.
  • Protection problem: ensure that each object is
    accessed correctly and only by those processes
    that are allowed to do so.
  • Guiding principle: principle of least privilege
  • Programs, users and systems should be given just
    enough privileges to perform their tasks

5
Domain Structure
  • Access-right = <object-name, rights-set>
  • where rights-set is a subset of all valid
    operations that can be performed on the object.
  • Domain = set of access-rights

6
Domain Implementation (UNIX)
  • System consists of 2 domains: user and supervisor
  • UNIX: domain = user-id
  • Domain switch accomplished via file system.
  • Each file has associated with it a domain bit
    (setuid bit).
  • When a file is executed with setuid on, then the
    user-id is set to the owner of the file being
    executed.
  • When execution completes, the user-id is reset.

7
Domain Implementation (MULTICS)
  • Let Di and Dj be any two domain rings.
  • If j < i, then Di ⊆ Dj

8
Access Matrix
  • View protection as a matrix (access matrix)
  • Rows represent domains
  • Columns represent objects
  • Access(i, j) is the set of operations that a
    process executing in domain Di can invoke on
    object Oj

9
Use of Access Matrix
  • If a process in domain Di tries to do op on
    object Oj, then op must be in the access matrix.
  • Can be expanded to dynamic protection.
  • Operations to add, delete access rights.
  • Special access rights:
  • owner of Oi
  • copy: op from Oi to Oj
  • control: Di can modify Dj access rights
  • transfer: switch from domain Di to Dj

10
Use of Access Matrix (Cont.)
  • Access matrix design separates mechanism from
    policy
  • Mechanism
  • Operating system provides access-matrix rules
  • It ensures that the matrix is only manipulated by
    authorized agents and that rules are strictly
    enforced
  • Policy
  • User dictates policy
  • Who can access what object and in what mode

11
Implementation of Access Matrix
  • Each column = access-control list for one object.
    Defines who can perform what operation.
  • Domain 1 = Read, Write
  • Domain 2 = Read
  • Domain 3 = Read
  • Each row = capability list (like a key). For each
    domain, what operations are allowed on what objects.
  • Object 1 = Read
  • Object 4 = Read, Write, Execute
  • Object 5 = Read, Write, Delete, Copy

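Added example (not code from the slides or the textbook): a small access matrix in C that enforces the core rule from slide 9 and the special rights from slides 9 to 11, with copy ("*"), owner and control, and a control-based revocation in the spirit of slide 17. The matrix layout, the helper names (setup, check, copy_right, owner_add, control_remove) and the sample rights are assumptions constructed for this example.

```c
/* Added example: access matrix with copy ("*"), owner and control rights.
 * Columns are files F0..F1 followed by the domains D0..D2 as objects. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_OWNER = 8, R_CONTROL = 16 };
#define NFILES 2
#define NDOM   3
#define NOBJ   (NFILES + NDOM)
#define DOM_OBJ(d) (NFILES + (d))   /* column index of domain d as an object */

typedef struct { unsigned rights, copyable; } cell;  /* copyable = rights carrying '*' */
static cell M[NDOM][NOBJ];

/* Constructed sample matrix: D0 owns F0 and may copy its write right,
 * D2 reads/executes F1, and D1 holds the control right over domain D2. */
void setup(void)
{
    for (int d = 0; d < NDOM; d++)
        for (int o = 0; o < NOBJ; o++)
            M[d][o].rights = M[d][o].copyable = 0;
    M[0][0].rights = R_READ | R_WRITE | R_OWNER;  M[0][0].copyable = R_WRITE;
    M[2][1].rights = R_READ | R_EXEC;
    M[1][DOM_OBJ(2)].rights = R_CONTROL;
}
/* Core rule: op is allowed only if every bit of op is in Access(d, o). */
int check(int d, int o, unsigned op) { return (M[d][o].rights & op) == op; }

/* copy: src may pass op on object o to dst only if it holds op* on o.
 * The copy is a limited copy (no '*'), so dst cannot pass it on again. */
int copy_right(int src, int dst, int o, unsigned op)
{
    if (!(M[src][o].copyable & op)) return -1;
    M[dst][o].rights |= op;
    return 0;
}
/* owner: the owner of object o may add rights anywhere in o's column. */
int owner_add(int owner, int target, int o, unsigned op)
{
    if (!(M[owner][o].rights & R_OWNER)) return -1;
    M[target][o].rights |= op;
    return 0;
}
/* control: ctrl holding control over domain `target` may remove rights
 * from target's row; this is immediate revocation via an access-list entry. */
int control_remove(int ctrl, int target, int o, unsigned op)
{
    if (!(M[ctrl][DOM_OBJ(target)].rights & R_CONTROL)) return -1;
    M[target][o].rights &= ~op;  M[target][o].copyable &= ~op;
    return 0;
}
```
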
12
Access Matrix With Domains as Objects
Figure B
13
Access Matrix with Copy Rights
14
Access Matrix With Owner Rights
15
Modified Access Matrix of Figure B
16
Access Control
  • Protection can be applied to non-file resources
  • Solaris 10 provides role-based access control to
    implement least privilege
  • Privilege is the right to execute a system call or
    use an option within a system call
  • Can be assigned to processes
  • Users are assigned roles granting access to
    privileges and programs

17
Revocation of Access Rights
  • Access list: delete access rights from the access
    list.
  • Simple
  • Immediate
  • Capability list: a scheme is required to locate the
    capability in the system before it can be revoked.
  • Reacquisition
  • Back-pointers
  • Indirection
  • Keys

18
Language-Based Protection
  • Specification of protection in a programming
    language allows the high-level description of
    policies for the allocation and use of
    resources.
  • Language implementation can provide software for
    protection enforcement when automatic
    hardware-supported checking is unavailable.
  • Interpret protection specifications to generate
    calls on whatever protection system is provided
    by the hardware and the operating system.

19
Protection in Java
  • Protection is handled by the Java Virtual Machine
    (JVM)
  • A class is assigned a protection domain when it
    is loaded by the JVM.
  • The protection domain indicates what operations
    the class can (and cannot) perform.
  • If a library method is invoked that performs a
    privileged operation, the stack is inspected to
    ensure the operation can be performed by the
    library.

21
Chapter 15 Security
  • The Security Problem
  • Program Threats
  • System and Network Threats
  • Cryptography as a Security Tool
  • User Authentication
  • Implementing Security Defenses
  • Firewalling to Protect Systems and Networks
  • Computer-Security Classifications
  • An Example Windows XP

22
Objectives
  • To discuss security threats and attacks
  • To explain the fundamentals of encryption,
    authentication, and hashing
  • To examine the uses of cryptography in computing
  • To describe the various countermeasures to
    security attacks

23
The Security Problem
  • Security must consider external environment of
    the system, and protect the system resources
  • Intruders (crackers) attempt to breach security
  • Threat is potential security violation
  • Attack is attempt to breach security
  • Attack can be accidental or malicious
  • Easier to protect against accidental than
    malicious misuse

24
Concern for Security
  • Explosive growth of desktops started in 80s
  • No emphasis on security
  • "Who wants military security? I just want to run
    my spreadsheet!"
  • Internet was originally designed for a group of
    mutually trusting users
  • By definition, no need for security
  • Users can send a packet to any other user
  • Identity (source IP address) taken by default to
    be true
  • Explosive growth of Internet in mid 90s
  • Security was not a priority until recently
  • "Only a research network, who will attack it?"

25
Security Violations
  • Categories
  • Breach of confidentiality
  • Breach of integrity
  • Breach of availability
  • Theft of service
  • Denial of service
  • Methods
  • Masquerading (breach authentication)
  • Replay attack
  • Message modification
  • Man-in-the-middle attack
  • Session hijacking

26
Security Measure Levels
  • Security must occur at four levels to be
    effective
  • Physical
  • Human
  • Avoid social engineering, phishing, dumpster
    diving
  • Operating System
  • Network
  • Security is only as strong as the weakest link in
    the chain

27
Program Threats
  • Trojan Horse
  • Code segment that misuses its environment
  • Exploits mechanisms for allowing programs written
    by users to be executed by other users
  • Spyware, pop-up browser windows, covert channels
  • Trap Door
  • Specific user identifier or password that
    circumvents normal security procedures
  • Could be included in a compiler
  • Logic Bomb
  • Program that initiates a security incident under
    certain circumstances
  • Stack and Buffer Overflow
  • Exploits a bug in a program to overflow either the
    stack or memory buffers

28
C Program with Buffer-overflow Condition
    #include <stdio.h>
    #include <string.h>
    #define BUFFER_SIZE 256
    int main(int argc, char *argv[])
    {
        char buffer[BUFFER_SIZE];
        if (argc < 2)
            return -1;
        else
            strcpy(buffer, argv[1]); /* unbounded copy: overflows if argv[1] is 256+ bytes */
        return 0;
    }

29
Layout of Typical Stack Frame
30
Modified Shell Code
    #include <stdio.h>
    #include <unistd.h>
    int main(int argc, char *argv[])
    {
        char *args[] = { "/bin/sh", NULL };
        execvp(args[0], args); /* replaces the process image with a shell */
        return 0;
    }

31
Hypothetical Stack Frame
Before attack
After attack
32
Program Threats (Cont.)
  • Viruses
  • Code fragment embedded in legitimate program
  • Very specific to CPU architecture, operating
    system, applications
  • Usually borne via email or as a macro
  • Visual Basic macro to reformat hard drive:
    Sub AutoOpen()
        Dim oFS
        Set oFS = CreateObject("Scripting.FileSystemObject")
        vs = Shell("c:command.com /k format c:", vbHide)
    End Sub

33
Program Threats (Cont.)
  • Virus dropper inserts virus onto the system
  • Many categories of viruses, literally many
    thousands of viruses
  • File
  • Boot
  • Macro
  • Source code
  • Polymorphic
  • Encrypted
  • Stealth
  • Tunneling
  • Multipartite
  • Armored

34
A Boot-sector Computer Virus
35
System and Network Threats
  • Worms: use a spawn mechanism; standalone program
  • Internet worm
  • Exploited UNIX networking features (remote
    access) and bugs in finger and sendmail programs
  • Grappling hook program uploaded main worm program
  • Port scanning
  • Automated attempt to connect to a range of ports
    on one or a range of IP addresses
  • Denial of Service
  • Overload the targeted computer, preventing it from
    doing any useful work
  • Distributed denial-of-service (DDoS) attacks come
    from multiple sites at once

36
The Morris Internet Worm
37
Code-Red Worm
  • On July 19, 2001, more than 359,000 computers
    connected to the Internet were infected in less
    than 14 hours
  • Spread

38
Sapphire Worm
  • was the fastest computer worm in history
  • doubled in size every 8.5 seconds
  • infected more than 90 percent of vulnerable hosts
    within 10 minutes.

39
DoS attack on SCO
  • On Dec 11, 2003
  • Attack on web and FTP servers of SCO
  • a software company focusing on UNIX systems
  • SYN flood of 50K packets per second
  • SCO responded to more than 700 million attack
    packets over 32 hours

40
Witty Worm
  • 25 March 2004
  • reached its peak activity after approximately 45
    minutes
  • at which point the majority of vulnerable hosts
    had been infected
  • World
  • USA

41
Nyxem Email Virus
  • Jan 15, 2006 infected about 1M computers within
    two weeks
  • At least 45K of the infected computers were also
    compromised by other forms of spyware or botware
  • Spread

42
Security Trends
www.cert.org (Computer Emergency Readiness Team)
43
The Cast of Characters
  • Alice and Bob are the good guys
  • Trudy is the bad guy
  • Trudy is our generic intruder
  • Who might Alice, Bob be?
  • well, real-life Alices and Bobs
  • Web browser/server for electronic transactions
  • on-line banking client/server
  • DNS servers
  • routers exchanging routing table updates

44
Alice's Online Bank
  • Alice opens Alice's Online Bank (AOB)
  • What are Alice's security concerns?
  • If Bob is a customer of AOB, what are his
    security concerns?
  • How are Alice's and Bob's concerns similar? How
    are they different?
  • How does Trudy view the situation?

45
Alice's Online Bank
  • AOB must prevent Trudy from learning Bob's
    balance
  • Confidentiality (prevent unauthorized reading of
    information)
  • Trudy must not be able to change Bob's balance
  • Bob must not be able to improperly change his own
    account balance
  • Integrity (prevent unauthorized writing of
    information)

46
Alice's Online Bank
  • AOB's information must be available when needed
  • Availability (data is available in a timely
    manner when needed)
  • How does Bob's computer know that Bob is really
    Bob and not Trudy?
  • When Bob logs into AOB, how does AOB know that
    Bob is really Bob?
  • Authentication (assurance that the other party is
    the claimed one)
  • Bob can't view someone else's account info
  • Bob can't install new software, etc.
  • Authorization (allowing access only to permitted
    resources)

47
Think Like Trudy
  • Good guys must think like bad guys!
  • A police detective
  • Must study and understand criminals
  • In security
  • We must try to think like Trudy
  • We must study Trudy's methods
  • We can admire Trudy's cleverness
  • Often, we can't help but laugh at Alice's and
    Bob's carelessness
  • But, we cannot act like Trudy