What we will cover - PowerPoint PPT Presentation
Slides: 34
Provided by: JimKuros164

1
What we will cover
  • Protection and Security in OS

2
Difference between Protection and Security
  • Protection: mostly a mechanism for controlling
    access to system resources by processes. This
    includes a means of specifying controls and a
    means of enforcing them. This is an
    internal problem.
  • Security: mostly assuring the integrity of
    system resources and data. Protection is the
    enforcement aspect of security. Security must
    also consider the external environment in which
    the system operates.

3
Domain of Protection
  • Who needs protection?
  • System resources need protection
  • resources include both hardware and software
  • examples of software resources: files, programs,
    buffers, semaphores, etc.
  • examples of hardware resources: CPU, memory
    segments, printers, disks, etc.
  • think of each resource as an object accessible
    only through its associated operations
  • Protection from whom?
  • Other users (user domain)
  • Other processes (process domain)

4
Principle of Protection
  • Guiding principle: the principle of least privilege
  • Programs, users and systems should be given just
    enough privileges to perform their tasks
  • Also known as the need-to-know principle

5
Domain Structure
  • Implementing a protection domain
  • a process has an associated protection domain and
    operates within this domain
  • a protection domain is a set of ordered pairs
  • each ordered pair consists of an object and a set
    of access rights (permitted operations)
  • Access-right = <object-name, rights-set>, where
    rights-set is a subset of all valid operations
    that can be performed on the object.
  • Domain = set of access-rights

6
Protection Domain Structure
  • The association between a process and a domain
    can be
  • fixed (static), or
  • can change as the process executes (dynamic)
  • Static association is easier to implement, while
    dynamic association is more complex
  • Which one is better?
  • Static association may violate the need-to-know
    principle
  • Dynamic association
  • change the association dynamically by either (1)
    modifying the domain, or (2) switching to a
    different domain

7
Domain Implementation (MULTICS)
  • Let Di and Dj be any two domain rings.
  • If j < i, then Di ⊆ Dj (the inner ring is the more
    privileged one)
  • Disadvantages
  • Too complicated
  • Violates the need-to-know principle

8
Domain Implementation (UNIX)
  • The system consists of 2 domains
  • User mode
  • Kernel mode
  • UNIX
  • Domain = user-id
  • Domain switch is accomplished via the file system.
  • Each file has associated with it a domain bit
    (the setuid bit).
  • When a file is executed with setuid on, the
    user-id is set to the owner of the file being
    executed. When execution completes, the user-id is
    reset.

9
Domain Implementation (UNIX)
  • Is it safe?

10
Domain Example
  • Processes move back and forth between user mode
    (i.e., the user domain) and kernel mode (i.e., the
    kernel domain).
  • Unix setuid

  [Figure: domain switching with setuid, reconstructed from the slide's diagram]
  Process starts with real user id 201, effective user id 201
    exec(shell): shell is owned by 100, setuid bit = 0,
      so after load the effective user id stays 201
    exec(a.out): a.out is owned by 100, setuid bit = 1,
      so after load the effective user id becomes 100
11
Access Matrix
  • View protection as a matrix (the access matrix)
  • Rows represent domains
  • Columns represent objects
  • Access(i, j) is the set of operations that a
    process executing in Domain i can invoke on Object j

12
Access Matrix
13
Visualizing access matrix for UNIX
  -rwxr-xr-x 1 John students 14839 May 14 07:15 chatter
  -rw-r----- 1 John students   998 May 14 08:27 guru.c
  -rwxr-xr-- 2 John students  4096 May 17 11:59 data

  Domain/object | chatter              | guru.c      | data
  owner         | Read, write, execute | Read, write | Read, write, execute
  group         | Read, execute        | Read        | Read, execute
  world         | Read, execute        | (none)      | Read
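Added example (not from the slides): a parser that turns ls -l lines into the access matrix shown above, picks the row (domain) for a given user from the file's owner and group, enforces the rule that an operation must appear in Access(domain, object), and applies the setuid rule from slides 8 and 10. The input is the slide's three files plus one constructed setuid program, a.out, which is an assumption.

```python
import re

# Constructed input: the slide's three ls -l lines (times restored to HH:MM)
# plus one constructed setuid program, a.out, owned by John.
LS_OUTPUT = """\
-rwxr-xr-x 1 John students 14839 May 14 07:15 chatter
-rw-r----- 1 John students   998 May 14 08:27 guru.c
-rwxr-xr-- 2 John students  4096 May 17 11:59 data
-rwsr-xr-x 1 John students  2048 May 20 09:00 a.out
"""
DOMAINS = ("owner", "group", "world")
RIGHT_OF = {"r": "read", "w": "write", "x": "execute", "s": "execute"}
LS_LINE = re.compile(r"^[-dl]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls(text):
    """Build matrix[domain][object] = set of permitted operations, plus the
    per-file metadata (owner, group, setuid) needed to choose the domain."""
    matrix = {d: {} for d in DOMAINS}
    meta = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        perms, owner, group, name = m.groups()
        meta[name] = {"owner": owner, "group": group, "setuid": perms[2] in "sS"}
        for i, domain in enumerate(DOMAINS):
            triple = perms[3 * i:3 * i + 3]          # rwx for owner/group/world
            matrix[domain][name] = {RIGHT_OF[c] for c in triple if c in RIGHT_OF}
    return matrix, meta

def effective_user(real_user, program, meta):
    """Slides 8/10: exec of a setuid file switches the effective user id to
    the file's owner; otherwise it stays the real user id."""
    return meta[program]["owner"] if meta[program]["setuid"] else real_user

def domain_of(user, groups, obj, meta):
    """Row of the matrix that applies to this user for this object."""
    if user == meta[obj]["owner"]:
        return "owner"
    return "group" if meta[obj]["group"] in groups else "world"

def allowed(matrix, meta, user, groups, obj, op):
    """Enforcement rule from slide 14: op must be in Access(domain, object)."""
    return op in matrix[domain_of(user, groups, obj, meta)][obj]
```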
14
Use of Access Matrix
  • If a process in Domain Di tries to perform op on
    object Oj, then op must be in the access
    matrix.
  • Can be extended to dynamic protection.
  • Special operations to change the content of the
    access matrix:
  • change access rights
  • copy an access right from one domain to another
  • owner rights

15
Access Matrix with Copy Rights
16
Access Matrix With Owner Rights
17
Use of Access Matrix (Cont.)
  • The access matrix design separates mechanism from
    policy.
  • Policy
  • The user dictates policy.
  • Who can access which object, and in what mode.
  • Mechanism
  • The operating system provides the access-matrix rules.
  • It ensures that the matrix is manipulated only by
    authorized agents and that the rules are strictly
    enforced.

18
Security
19
The Security Problem
  • Security must consider the external environment of
    the system and protect the system resources
  • Intruders (crackers) attempt to breach security
    (malicious access):
  • Unauthorized reading of data
  • Unauthorized modification of data
  • Unauthorized destruction of data
  • Preventing legitimate use of the system (denial
    of service)

20
User Authentication
  • Protection (discussed earlier) depends heavily
    on user authentication
  • Based on the use of passwords
  • Biometrics is another option, but
  • Still not implemented
  • Not cost-effective yet

21
Use of Passwords
  • Passwords are mutually agreed-upon code words,
    assumed to be known only to the user and the
    system.
  • The use of passwords is fairly straightforward.
    A user enters some piece of identification, such
    as a name or an assigned user ID. If the
    identification matches that on file for the user,
    the user is authenticated to the system.
  • If the identification match fails, the user is
    rejected by the system.

22
Attacks on Passwords
  • Try all possible passwords
  • exhaustive or brute-force attack
  • Is this impossible?
  • Try many probable passwords
  • Users are unlikely to select a password that is
    uncommon, hard to spell or pronounce, or very long
  • Try passwords likely for the user
  • A password is generally meaningful to the user

23
Attacks on Passwords (cont)
  • Encrypted passwords (used in UNIX)
  • The flaw: users tend to select a meaningful
    password (a word in the dictionary)
  • The system encrypts the word and stores the encrypted
    version
  • The process is irreversible, so it appears secure
  • Dictionary attack
  • Off-line cluster attack

24
Many Password Selection Criteria
  • Use characters other than just A-Z
  • Choose long passwords
  • Avoid actual names or words
  • Choose an unlikely password
  • Change the password regularly
  • Don't write it down
  • Don't tell anyone else

25
The Authentication Process
  • Intentionally slow
  • This makes an exhaustive attack infeasible
  • Distinguish an intruder from the normal user
  • Someone who continuously fails to log in may not be
    an authorized user.
  • The system disconnects a user after three to five
    failed logins
  • What is the flaw?
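Added example (not from the slides) covering slides 23 and 25: stored passwords are salted and run through a deliberately slow iterated hash (PBKDF2 via Python's hashlib), logins are refused after MAX_FAILURES consecutive failures as the slide describes, and lockout_flaw() shows the flaw the slide asks about: the lockout rule lets anyone who knows a user name deny that user service with a few wrong guesses. User names and passwords are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # slide: disconnect after three to five failed logins
PBKDF2_ROUNDS = 100_000   # deliberately slow: every guess costs real CPU time

class Authenticator:
    def __init__(self):
        self._users = {}      # name -> (salt, pbkdf2 digest)
        self._failures = {}   # name -> consecutive failed logins

    @staticmethod
    def _digest(password, salt):
        # Salted, iterated hash: the stored value cannot be reversed, and a
        # dictionary attack must pay PBKDF2_ROUNDS per word per account.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(password, salt))
        self._failures[name] = 0

    def login(self, name, password):
        """Returns 'ok', 'denied' or 'locked'."""
        if name not in self._users:
            return "denied"
        if self._failures[name] >= MAX_FAILURES:
            return "locked"                      # the slide's lockout rule
        salt, stored = self._users[name]
        if hmac.compare_digest(self._digest(password, salt), stored):
            self._failures[name] = 0
            return "ok"
        self._failures[name] += 1
        return "denied"

def lockout_flaw(auth, victim, victim_password):
    """The flaw: MAX_FAILURES wrong guesses against a known user name lock the
    real user out (denial of service). The legitimate password is passed in
    only to show that it no longer works afterwards."""
    for _ in range(MAX_FAILURES):
        auth.login(victim, "constructed-wrong-guess")
    return auth.login(victim, victim_password)

def demo():
    """Constructed walk-through; returns the sequence of login results."""
    auth = Authenticator()
    auth.register("alice", "correct horse battery")   # constructed account
    return (auth.login("alice", "correct horse battery"),
            auth.login("alice", "wrong guess"),
            auth.login("alice", "correct horse battery"),
            lockout_flaw(auth, "alice", "correct horse battery"))
```

A time-limited lockout or per-source rate limiting keeps the slow-down benefit without handing out the denial of service.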

26
Program Threats
  • Trojan Horse
  • A code segment that misuses its environment
  • Exploits mechanisms that allow programs written
    by users to be executed by other users
  • Spyware, pop-up browser windows, covert channels
  • PWSteal.Tarno.Q registers itself as a browser
    helper (key logger)
  • Trap Door
  • A specific user identifier or password that
    circumvents normal security procedures
  • Could be included in a program
  • A combination of Trojan horse and trap door is even
    more dangerous
  • Trojan.Lodeight.A opens a back door on TCP port
    1084

27
How to defend against such program threats
  • Analyze the execution patterns of Trojan
    horses and trapdoors:
  • The malicious code is executed without user
    intervention.
  • The malicious code may be directed by a remote
    attacker once a connection is made.
  • Resources used by the malicious code, such as
    file names and network addresses, are hard-coded
    in the binary.
  • OS resources (processes, memory) used by the
    malicious code may be consumed for the purpose of
    degrading performance.
  • A key characteristic of Trojan horses and
    trapdoors is that they cannot be invoked by the
    attacker and are autonomous, at least until a
    connection is made.

28
Program Threats (contd.)
  • Stack and Buffer Overflow
  • Exploits a bug in a program (overflowing either the
    stack or memory buffers)

29
Simple example code
  #include <string.h>

  void foo(char *bar)
  {
      char c[12];
      strcpy(c, bar);   // no bounds checking: an argument longer than 11 bytes overruns c[]
  }

  int main(int argc, char **argv)
  {
      if (argc > 1) foo(argv[1]);
      return 0;
  }

30
Stack Buffer Overflow
  [Figure: stack layout of foo(), three panels reconstructed from the slide]
  (a) before data is copied;
  (b) after "hello", the first command-line argument, is copied into c[12];
  (c) after an over-long first command-line argument (20 "A" bytes followed by
      \x08\x35\xC0\x80) is copied: the bytes run past c[] and overwrite the
      saved return address.
31
System and Network Threats
  • Worms use a spawn mechanism (a standalone program)
  • Morris worm
  • Exploited UNIX networking features (remote
    access) and bugs in the finger and sendmail programs
  • A grappling-hook program uploaded the main worm program

32
System and Network Threats
  • Denial of Service
  • Easier than penetration attacks
  • Overload the targeted computer, preventing it from
    doing any useful work
  • Distributed denial-of-service (DDoS) attacks come from
    multiple sites at once
  • Open TCP connections that are never closed

33
Security Through Domain Separation Via Firewall