Security and Authentication
CS-502, Operating Systems
Fall 2009 (EMC)
(Slides include materials from Modern Operating Systems, 3rd ed., by Andrew Tanenbaum and from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne)
CS-502 (EMC) Fall 2009
Security and
Authentication
1
Reading Assignment
• Tanenbaum, Modern Operating Systems, 3rd
edition, Chapter 9
– Security and threats
– Viruses
• How to write and detect!
– Protection – implementation of security
Concepts
• Protection:
• Mechanisms and policy to keep programs and users
from accessing or changing stuff they should not do
• Internal to OS
• §9.1-9.3 in Tanenbaum
• Security:
• Issues external to OS
• Authentication of user, validation of messages,
malicious or accidental introduction of flaws, etc.
• §9.4-9.8 in Tanenbaum
Outline
• A puzzle – who am I talking to?
• The first computer virus
• Some program threats
• Overview of protection mechanisms
• Fun with cryptography
Puzzle
• Alice wishes to send secret message to Bob
– She places message in impenetrable box
– Locks the box with unbreakable padlock
– Sends locked box to Bob
• Problem: Bob has no key to unlock the box
– No feasible way to securely send key to Bob
• How does Bob retrieve message?
Answer
• Bob adds 2nd unbreakable padlock to box
– Locks with own key
– Sends box back to Alice (with two padlocks!)
• Alice unlocks and removes her lock
– Sends box back to Bob
• Bob unlocks his lock
– Opens box and reads message
• What could go wrong?
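The two-padlock answer, worked through as an added example (not from the slides): exponentiation modulo a public prime gives padlocks that commute, which is Shamir's three-pass protocol. The second function takes up "What could go wrong?": nothing about a padlock says whose it is, so the exchange only works if Alice can be sure the lock that comes back is Bob's. The prime 2**127 - 1 and the message are constructed for the demo.

```python
import math
import secrets

# Public "box" parameter: every value below is an integer modulo this prime.
# Constructed choice for the demo: the Mersenne prime 2**127 - 1.
P = 2**127 - 1

def make_padlock(p: int = P) -> tuple:
    """A padlock is an exponent e coprime to p-1; its key is e's inverse mod p-1.
    Locking is x -> x**e, unlocking is x -> x**key, and e*key == 1 (mod p-1)."""
    while True:
        e = secrets.randbelow(p - 1) | 1            # odd, so never shares the factor 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def lock(box: int, e: int, p: int = P) -> int:
    return pow(box, e, p)

def unlock(box: int, key: int, p: int = P) -> int:
    return pow(box, key, p)

def three_pass(msg: bytes, p: int = P) -> bytes:
    """The slide's answer: locks commute, so each party adds and removes its own."""
    m = int.from_bytes(msg, "big")
    assert 0 < m < p, "message must fit in one box"
    a_lock, a_key = make_padlock(p)
    b_lock, b_key = make_padlock(p)
    box1 = lock(m, a_lock, p)            # Alice locks and sends to Bob
    box2 = lock(box1, b_lock, p)         # Bob adds his padlock and sends it back
    box3 = unlock(box2, a_key, p)        # Alice removes hers (Bob's stays on)
    m_out = unlock(box3, b_key, p)       # Bob removes his and reads the message
    return m_out.to_bytes(len(msg), "big")

def whose_lock_is_it(msg: bytes, p: int = P) -> bool:
    """What could go wrong: nothing about a padlock says who owns it. If the box
    that comes back to Alice carries a third party's lock instead of Bob's, she
    removes her own just the same. Returns True if that party then reads msg,
    which is why the exchange needs authentication of the other side."""
    m = int.from_bytes(msg, "big")
    a_lock, a_key = make_padlock(p)
    x_lock, x_key = make_padlock(p)      # a padlock that is not Bob's
    box1 = lock(m, a_lock, p)
    box2 = lock(box1, x_lock, p)         # arrives at Alice looking like Bob's reply
    box3 = unlock(box2, a_key, p)        # Alice cannot tell the difference
    return unlock(box3, x_key, p) == m
```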
Authentication
• How does a system (distributed or not) know
who it is talking to?
• Who do I say that I am?
• How can I verify that …
  • … I know something that nobody else should know?
  • … I have something that nobody else should have?
  • … I am someone that nobody else should be?
  • … without giving away that crucial information to hackers and crackers!
Threats against Authentication
I want to pretend to be you:
• I can steal your password
– the sticky note on your monitor or the list in your desk
drawer
– by monitoring your communications or looking over
your shoulder
• I can guess your password
– particularly useful if I can also guess your user name
• I can get between you and the system you are
talking to
Getting between you and system you are talking to
Login Spoof
• I create a login screen in my process
– On a public machine
– Looks exactly like real one
• You log into system
– My login process records your user ID and password
– Logs you in normally
• Result: I have gotten between you and the system without your knowledge
– Also, I have stolen your user ID and password
The Trouble with Passwords
• They are given away
• They are too easy to guess
• They are used too often
• There are too many of them
• They are used in too many places
Example — Easy to Guess Passwords
Tanenbaum Figure 9-18. How a cracker broke into a U.S.
Department of Energy computer at LBL.
Password Studies
• Morris and Thompson (1979)
– 86% of Unix passwords were from list of likely
passwords
• Street & city names, first & last names, dictionary
words, words spelled backwards, etc.
• Results confirmed in multiple studies &
multiple systems
• See Tanenbaum, §9.4.1
The Trouble with Passwords
• They are given away
• They are too easy to guess
• They are used too often
• There are too many of them
• They are used in too many places
Some ways around the problem
• Better passwords
– longer
– larger character set
– more random in nature/encrypted
Passwords are a pain in the $%#@(&*
System administrators often adopt policies that defeat goals rather than support them
• Use passwords less often
– change frequently, one system per password
– challenge/response – exposed only once
The Challenge/Response Protocol
Art → Mary: Hello, I’m Art
Mary → Art: Decrypt this: {R}P
Art → Mary: R
Mary → Art: Hello Art! How can I help you?
The Challenge/Response Protocol (continued)
Art → Mary: Hello, I’m Art
Mary → Art: Decrypt this: {R}P
Art → Mary: R
Mary → Art: Hello Art! How can I help you?
• At this point, is Mary confident that she is talking with Art?
• At this point, is Art confident that he is talking with Mary?
Threat: Steal passwords from the system
• Don’t keep them in an obvious place
• Encrypt them so that version seen by system
is not same as what user enters
• … or version on the wire
• …… or version used last time
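The Art/Mary exchange above and the "version on the wire / version used last time" point, as an added example (not the slides' code). Assumptions: P is the secret Art and Mary share (Art's password), and the slides' "decrypt {R}P" step is realised as a MAC keyed by P rather than reversible encryption; the direction tag is an addition so that an answer given as Art cannot be played back as Mary's.

```python
import hashlib
import hmac
import secrets

def challenge() -> bytes:
    """R: a fresh random value, so an answer is good for exactly one exchange."""
    return secrets.token_bytes(16)

def respond(p: bytes, r: bytes, direction: bytes) -> bytes:
    """Stand-in for the slides' {R}P: prove knowledge of P with a MAC keyed by P.
    The direction tag keeps an answer given as Art from being reflected as Mary's."""
    return hmac.new(p, direction + r, hashlib.sha256).digest()

def check(p: bytes, r: bytes, direction: bytes, answer: bytes) -> bool:
    return hmac.compare_digest(respond(p, r, direction), answer)

def one_way(mary_holds: bytes, art_holds: bytes) -> tuple:
    """The exchange on the slides: Art says hello, Mary challenges, Art answers,
    Mary checks. Returns (Mary confident about Art?, Art confident about Mary?)."""
    r = challenge()                                   # Mary: "Decrypt this {R}P"
    answer = respond(art_holds, r, b"Art")           # Art: R (with whatever P he holds)
    mary_confident = check(mary_holds, r, b"Art", answer)
    # Art has only received a random R, which anyone can send: no evidence about Mary.
    art_confident = False
    return mary_confident, art_confident

def mutual(mary_holds: bytes, art_holds: bytes) -> tuple:
    """Run the exchange in both directions so that each side gets evidence."""
    mary_confident, _ = one_way(mary_holds, art_holds)
    r2 = challenge()                                  # Art: "now you decrypt this"
    answer2 = respond(mary_holds, r2, b"Mary")
    art_confident = check(art_holds, r2, b"Mary", answer2)
    return mary_confident, art_confident

def replay_is_rejected(p: bytes) -> bool:
    """The value on the wire differs from last time: a captured answer (the
    'version used last time') is useless against a fresh challenge."""
    r_old = challenge()
    captured = respond(p, r_old, b"Art")              # seen on the wire once
    r_new = challenge()
    return r_old != r_new and not check(p, r_new, b"Art", captured)
```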
Too many passwords to remember?
• Third-party authentication
– Get someone to vouch for you
• The basics: “This guy says you know him..”
“Yes, I trust him, so you should too..”
• Kerberos – Certificate-based authentication within
a trust community
• More about this next week
What is in a certificate?
• Who issued it
• When was it issued
• For what purpose was it issued
• For what time frame is it valid
• (possibly other application-specific data)
• A “signature” that proves it has not been forged
Systems and Networks Are Not Different
• Same basic rules about code behavior apply
• Same authentication rules apply
• The same security principles apply
• Same coding rules apply to:
  – An application
  – Code which manages incoming messages
  – Code which imposes access controls on a network
  – ...
The Principles
• Understand what you are trying to protect
• Understand the threat(s) you are trying to
protect against
– Also, costs and risks
• Be prepared to establish trust by telling
people how you do it
• Assume that the bad guys are at least as
clever as you are!
Questions?
The First Computer Virus
• Reading assignment: Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, vol. 27, no. 8, August 1984, pp. 761-763
• Three steps
1. Program that prints a copy of itself
2. Training a compiler to understand a constant
3. Embedding a Trojan Horse without a trace
Step 1 – Program to print copy of itself
• How do we do this?
• First, store character array representing text of
program
• Body of program
• Print declaration of character array
• Loop through array, printing each character
• Print entry array as a string
• Result: general method for program to reproduce
itself to any destination!
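Step 1 carried out in Python, as an added example (not the slides' or Thompson's code): the array s holds the program body line by line, the body prints the declaration of the array and then the array itself as text, and is_fixed_point runs the output to confirm it reproduces itself exactly. Python's repr does the per-character escaping the slide describes.

```python
s = (
    '# Body of the program: the lines below are exactly the elements of s above.',
    'import io, contextlib',
    '',
    'def declaration(lines):',
    '    # Step 1a: the declaration of the array, one escaped element per line.',
    '    out = ["s = ("]',
    '    for line in lines:',
    '        out.append("    %r," % line)',
    '    out.append(")")',
    '    return "\\n".join(out) + "\\n"',
    '',
    'def program(lines):',
    '    # Step 1b: the declaration followed by the array printed as plain text.',
    '    return declaration(lines) + "\\n".join(lines) + "\\n"',
    '',
    'def is_fixed_point(text):',
    '    # Run the text as a program; the output of a quine equals its input.',
    '    ns = {"__name__": "__main__"}',
    '    with contextlib.redirect_stdout(io.StringIO()) as buf:',
    '        exec(text, ns)',
    '    return buf.getvalue() == text',
    '',
    'if __name__ == "__main__":',
    '    print(program(s), end="")',
)
# Body of the program: the lines below are exactly the elements of s above.
import io, contextlib

def declaration(lines):
    # Step 1a: the declaration of the array, one escaped element per line.
    out = ["s = ("]
    for line in lines:
        out.append("    %r," % line)
    out.append(")")
    return "\n".join(out) + "\n"

def program(lines):
    # Step 1b: the declaration followed by the array printed as plain text.
    return declaration(lines) + "\n".join(lines) + "\n"

def is_fixed_point(text):
    # Run the text as a program; the output of a quine equals its input.
    ns = {"__name__": "__main__"}
    with contextlib.redirect_stdout(io.StringIO()) as buf:
        exec(text, ns)
    return buf.getvalue() == text

if __name__ == "__main__":
    print(program(s), end="")
```

Running the file prints its own text; the same construction works for any destination (a file, a socket) because the body never reads the source, it regenerates it from the array.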
Step 2 – Teaching constant values to compiler
…
/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert ('\n');
    else if (s[i] == 'v') insert ('\v');
    else if …
• Question: How does the compiler know what integer values to insert for '\n', '\v', etc.?
Step 2 (continued)
• Answer: In the first compiler ever written, insert the actual character code
• i.e., 11 (decimal) for ‘\v’, etc.
/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert ('\n');
    else if (s[i] == 'v') insert (11);
    else if …
• Next: Use the first compiler to compile itself!
Step 2 (continued)
• Result: a compiler that “knows” how to interpret
the sequence “\v”
• And all compilers derived from this one, forever after!
• Finally: replace the value “11” in the source code
of the compiler with ‘\v’ and compile itself again
• Note: no trace of values of special characters in …
– The C Programming Language book
– source code of C compiler
• I.e., special character values are self-reproducing
Step 3 – Inserting a Trojan Horse
• In compiler source, add the text
    if (match(sourceString, pattern))
        insert the Trojan Horse code
  where “pattern” is the login code (for example)
• In compiler source, add additional text
    if (match(sourceString2, pattern2))
        insert the self-reproducing code
  where “pattern2” is a part of the compiler itself
• Use this compiler to recompile itself, then remove the source
Step 3 – Concluded
• Result: an infected compiler that will
a. Insert a Trojan Horse in the login code of any Unix
system
b. Propagate itself to all future compilers
c. Leave no trace of Trojan Horse in its source code
• Like a biological virus:
– A small bundle of code that uses the compiler’s own
reproductive mechanism to propagate itself
Questions?
Security must occur at four levels to be effective
• Physical
– The best security system is no better than the lock on your front
door (or desk, or file cabinet, etc.)!
• Human
– Phishing, dumpster diving, social engineering
• Operating System
– Protection and authentication subsystems
– Prevention of unauthenticated access to data
• Network
– Protection and authentication subsystems
– Separate from underlying protocols
• Security is as weak as the weakest link in chain
How do these attacks work?
• Messages that attack mail readers or
browsers
• Denial of service attacks against a web
server
• Password crackers
• Viruses, Trojan Horses, other “malware”
The concept of a “Vulnerability”
• Buffer overflow
• Protocol/bandwidth interactions
– Protocol elements which do no work
• “execute this” messages
– The special case of “mobile agents”
• Human user vulnerabilities
– eMail worms
– Phishing
Another Principle
• There is a never-ending war going on
between the “black hats” and the rest of us.
• For every asset, there is at least one
vulnerability
• For every protective measure we add,
“they” will find another vulnerability
Yet Another Principle
• There is no such thing as a bullet-proof
barrier
• Every level of the system and network
deserves an independent threat evaluation
and appropriate protection
• Only a multi-layered approach has a chance
of success!
Actual Losses:
• Approximately 70% are due to human error
• More than half of the remainder are caused
by insiders
• “Social Engineering” accounts for more loss
than technical attacks.
What is “Social Engineering”?
“Hello. This is Dr. Burnett of the cardiology
department at the Conquest Hospital in
Hastings. Your patient, Sam Simons, has
just been admitted here unconscious. He has
an unusual ventricular arrhythmia. Can you
tell me if there is anything relevant in his
record?”
Questions?
Program Threats
• Trojan Horse
– Code segment that misuses its environment
– Exploits mechanisms for allowing programs written by users to be
executed by other users
– Spyware, pop-up browser windows, covert channels
• Trap Door
– Specific user identifier or password that circumvents normal
security procedures
– Could be included in a compiler
• Logic Bomb
– Program that initiates a security incident under certain
circumstances
• Stack and Buffer Overflow
– Exploits a bug in a program (overflow either the stack or memory
buffers)
C Program with Buffer-overflow Condition
#include <stdio.h>
#include <string.h>          /* strcpy */
#define BUFFER_SIZE 256
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    else {
        /* no length check: an argument longer than 255 bytes overruns buffer */
        strcpy(buffer, argv[1]);
        return 0;
    }
}
Layout of Typical Stack Frame
Modified Shell Code
#include <stdio.h>
#include <unistd.h>          /* execvp */
int main(int argc, char *argv[])
{
    char *args[] = { "/bin/sh", NULL };
    execvp(args[0], args);   /* replaces this process image with a shell */
    return 0;
}
Hypothetical Stack Frame (figure: before attack and after attack)
Effect
• If you can con a privileged program into
reading a string into a buffer unprotected
from overflow, then …
• …you have just gained the privileges of that
program in a shell!
Program Threats – Viruses
• Code fragment embedded in legitimate programs
• Very specific to CPU architecture, operating
system, applications
• Usually borne via email or as a macro
• E.g., Visual Basic Macro to reformat hard drive
Sub AutoOpen()
    Dim oFS
    Set oFS = CreateObject("Scripting.FileSystemObject")
    vs = Shell("c:command.com /k format c:", vbHide)
End Sub
Program Threats (Cont.)
• Virus dropper inserts virus onto the system
• Many categories of viruses, literally many thousands of viruses
  – File
  – Boot
  – Macro
  – Polymorphic
  – Source code
  – Encrypted
  – Stealth
  – Tunneling
  – Multipartite
  – Armored
Questions?
Goals of Protection
• Operating system consists of a collection of
objects (hardware or software)
• Each object has a unique name and can be
accessed through a well-defined set of operations.
• Protection problem – to ensure that each object is
accessed correctly and only by those processes
that are allowed to do so.
Guiding Principles of Protection
• Principle of least privilege
– Programs, users and systems should be given
just enough privileges to perform their tasks
• Separate policy from mechanism
– Mechanism: the stuff built into the OS to make
protection work
– Policy: the data that says who can do what to
whom
Domain Structure
• Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations
that can be performed on the object.
• Domain = set of object-right pairs
Domain – Examples
• User
– An actual human, or a name of a system role
• e.g., uucp, root
– Rights list what the “user” can do
• A team
– Working on a project
See Tanenbaum, §9.3.1
Conceptual Model
• View protection as a matrix (Access Matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
Textbook Access Matrix
• Columns are access control lists (ACLs)
• Associated with each object
• Rows are capabilities
• Associated with each user, group, or domain
Unix & Linux
• System comprises many domains:
  – Each user
  – Each group
  – Kernel/System
  – Specific system processes & responsibilities
• (Windows has even more domains than this!)
Unix/Linux Matrix
                 file1   file2   file3   device   domain
User/Domain 1    r       rx      rwx     –        enter
User/Domain 2    r       x       rx      rwx      –
User/Domain 3    rw      –       –       –        –
…
• Columns are access control lists (ACLs)
• Associated with each object
• Rows are capabilities
• Associated with each user or each domain
Changing Domains (Unix)
• Domain = uid or gid
• Domain switch via file access controls
– Each file has associated with it a domain bit (setuid bit).
• rwS instead of rwx
– When executed with setuid = on, then uid or gid is
temporarily set to owner or group of file.
– When execution completes uid or gid is reset.
• Separate mechanism for entering kernel domain
– System call interface
General (textbook) representation
• Domains are objects
– Can be added to Access Matrix
Practicalities
• At run-time…
– What does the OS know about the user?
– What does the OS know about the resources?
• What is the cost of checking and enforcing?
– Access to the data
– Cost of searching for a match
• Impractical to implement full Access Matrix
– Size
– Access controls disjoint from both objects and domains
ACLs vs. Capabilities
• Access Control List: Focus on resources
– Good if resources greatly outnumber users
– Can be implemented with minimal caching
– Good when the user who creates a resource has
authority over it
• Typically attached to objects
– E.g., file metadata
– Control mechanism checks if user fits one of the classes
of usage
ACLs vs. Capabilities (continued)
• Capability System: Focus on users
– Good if users greatly outnumber resources
– Lots of information caching is needed
– Good when a system manager has control over all
resources
• Like a system of (unforgeable) tickets
– Domain/user must present a ticket to get access to a
particular object or class of objects
– Issue: can a capability be revoked once it is given out?
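The access matrix from the conceptual-model and Unix/Linux slides, with its two views (columns as ACLs, rows as capabilities), the "enter" domain switch, and the revocation issue just raised, as an added example (not the slides' code). Capabilities are realised here as tickets MACed under a key only the OS holds, a constructed choice; the matrix contents are constructed after the Unix/Linux slide.

```python
import hashlib, hmac
from dataclasses import dataclass

def example_matrix() -> dict:
    """Constructed matrix after the Unix/Linux slide: rows are domains, columns are
    objects, and each entry is Access(i, j), the permitted operations."""
    return {
        "domain1": {"file1": {"r"}, "file2": {"r", "x"}, "file3": {"r", "w", "x"},
                    "domain2": {"enter"}},
        "domain2": {"file1": {"r"}, "file2": {"x"}, "file3": {"r", "x"},
                    "device": {"r", "w", "x"}},
        "domain3": {"file1": {"r", "w"}},
    }

def rights(matrix, domain, obj) -> set:
    """A missing entry means no access: the Saltzer-Schroeder default."""
    return set(matrix.get(domain, {}).get(obj, ()))

def acl(matrix, obj) -> dict:
    """Column j, kept with the object: which domains may do what to it."""
    return {d: set(row[obj]) for d, row in matrix.items() if obj in row}

def capability_list(matrix, domain) -> dict:
    """Row i, kept with the domain: which objects it may touch, and how."""
    return {o: set(ops) for o, ops in matrix.get(domain, {}).items()}

def acl_check(matrix, domain, obj, op) -> bool:
    """ACL enforcement consults the live matrix on every access."""
    return op in rights(matrix, domain, obj)

def enter_domain(matrix, current, target) -> str:
    """Domain switch via the 'enter' right (setuid is the Unix realisation)."""
    return target if "enter" in rights(matrix, current, target) else current

# Capabilities as unforgeable tickets: the OS MACs (domain, object, ops) under a
# key only it holds, hands the ticket to the domain, and verifies the MAC later.
@dataclass(frozen=True)
class Capability:
    domain: str
    obj: str
    ops: tuple
    tag: bytes

def _tag(key, domain, obj, ops) -> bytes:
    return hmac.new(key, "|".join((domain, obj, *ops)).encode(), hashlib.sha256).digest()

def issue_capability(matrix, key, domain, obj) -> Capability:
    ops = tuple(sorted(rights(matrix, domain, obj)))
    return Capability(domain, obj, ops, _tag(key, domain, obj, ops))

def cap_check(key, cap, op, matrix=None) -> bool:
    """matrix=None trusts the ticket alone (cached authority); passing the live
    matrix re-checks current authority, which is what lets revocation take effect."""
    if not hmac.compare_digest(_tag(key, cap.domain, cap.obj, cap.ops), cap.tag):
        return False                                  # forged or altered ticket
    return op in cap.ops and (matrix is None or op in rights(matrix, cap.domain, cap.obj))

def revoke(matrix, domain, obj) -> None:
    """Revocation edits the matrix: ACL checks see it at once, issued tickets do not."""
    matrix.get(domain, {}).pop(obj, None)
```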
Both are needed
• ACLs for files and other proliferating resources
• Capabilities for major system functions
• The common OSs offer BOTH
– Linux emphasizes an ACL model
• provides good control over files and resources that are file-like
– Windows 2000/XP/Vista emphasize Capabilities
• provides good control over access to system functions (e.g.
creating a new user, or doing a system backup…)
• Access control lists for files
…and good management, too!
• What do we need to know to set up a new
user or to change their rights?
• …to set up a new resource or to change the
rights of its users?
• …Who has the right to set/change access
rights?
• No OS allows you to implement all the
possible policies easily.
Enforcing Access Control
• User level privileges must always be less than OS
privileges!
– For example, a user should not be allowed to grab
exclusive control of a critical device
– or write to OS memory space
• …and the user cannot be allowed to raise his
privilege level!
• The OS must enforce it…and the user must not be
able to bypass the controls
• In most modern operating systems, the code which
manages the resource enforces the policy
(Traditional) Requirements – System Call Code
• No user can interrupt it while it is running
• No user can feed it data to make it
– violate access control policies
– stop serving other users
• No user can replace or alter any system call
code
• No user can add functionality to the OS!
• Data must NEVER be treated as code!
“Yeah, but …”
• No user can interrupt it while it is running
  – Windows, Linux routinely interrupt system calls
• No user can feed it data to make it
  – violate access control policies
  – stop serving other users
• No user can replace or alter any system call code
  – Except your average virus
• No user can add functionality to the OS!
  – Except dynamically loaded device drivers
• Data must NEVER be treated as code!
  – “One man’s code is another man’s data” (A. Perlis)
Saltzer-Schroeder Guidelines
• System design should be public
• Default should be no access
• Check current authority – no caching!
• Protection mechanism should be
  – Simple, uniform, built into lowest layers of system
• Least privilege possible for processes
• Psychologically acceptable
• KISS!
Reading Assignment
Tanenbaum, Chapter 9
Questions?