No Slide Title - Computer Science & Engineering
Download
Report
Transcript No Slide Title - Computer Science & Engineering
Lecture 21
Chapter 14: Protection
Chapter 15: Security
Principles of Computer Operating Systems
Modified from Silberschatz, Galvin and Gagne
Chapter 14: Protection
Goals of Protection
Principles of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Access Control
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
Principles of Computer Operating Systems
2
Objectives
Discuss the goals and principles of protection in a modern computer
system
Explain how protection domains combined with an access matrix are
used to specify the resources a process may access
Examine capability and language-based protection systems
Principles of Computer Operating Systems
3
Protection
Operating system consists of a collection of objects, hardware or software
Each object has a unique name and can be accessed through a well-
defined set of operations.
Protection problem
Ensure that each object is accessed correctly and only by those
processes that are allowed to do so.
Guiding principle
principle of least privilege
Programs, users and systems should be given just enough privileges
to perform their tasks
Principles of Computer Operating Systems
4
Domain Structure
Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed
on the object.
Domain = set of access-rights
Principles of Computer Operating Systems
5
Domain Implementation (UNIX)
System consists of 2 domains:
User
Supervisor
UNIX
Domain = user-id
Domain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When file is executed and setuid = on,
–
then user-id is set to owner of the file being executed.
When execution completes user-id is reset.
Principles of Computer Operating Systems
6
Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings.
If j < I Di Dj
Principles of Computer Operating Systems
7
Access Matrix
View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in
Domaini can invoke on Objectj
Principles of Computer Operating Systems
8
Use of Access Matrix
If a process in Domain Di tries to do “op” on object Oj,
then “op” must be in the access matrix.
Can be expanded to dynamic protection.
Operations to add, delete access rights.
Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Dj access rights
transfer – switch from domain Di to Dj
Principles of Computer Operating Systems
9
Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy
Mechanism
Operating system provides access-matrix + rules
It ensures that the matrix is only manipulated by authorized agents
and that rules are strictly enforced
Policy
User dictates policy
Who can access what object and in what mode
Principles of Computer Operating Systems
10
Implementation of Access Matrix
Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
Each Row = Capability List (like a key)
Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
Principles of Computer Operating Systems
11
Access Matrix With Domains as Objects
Figure B
Principles of Computer Operating Systems
12
Access Matrix with Copy Rights
Principles of Computer Operating Systems
13
Access Matrix With Owner Rights
Principles of Computer Operating Systems
14
Modified Access Matrix of Figure B
Principles of Computer Operating Systems
15
Access Control
Protection can be applied to non-file resources
Solaris 10 provides role-based access control to implement least
privilege
Privilege is right to execute system call or use an option within a
system call
Can be assigned to processes
Users assigned roles granting access
to privileges and programs
Principles of Computer Operating Systems
16
Revocation of Access Rights
Access List – Delete access rights from access list.
Simple
Immediate
Capability List – Scheme required to locate capability in the system
before capability can be revoked.
Reacquisition
Back-pointers
Indirection
Keys
Principles of Computer Operating Systems
17
Language-Based Protection
Specification of protection in a programming language allows the high-
level description of policies for the allocation and use of resources.
Language implementation can provide software for protection
enforcement when automatic hardware-supported checking is
unavailable.
Interpret protection specifications to generate calls on whatever
protection system is provided by the hardware and the operating system.
Principles of Computer Operating Systems
18
Protection in Java
Protection is handled by the Java Virtual Machine (JVM)
A class is assigned a protection domain when it is loaded by the JVM.
The protection domain indicates what operations the class can (and
cannot) perform.
If a library method is invoked that performs a privileged operation,
the stack is inspected to ensure the operation can be performed by
the library.
Principles of Computer Operating Systems
19
Principles of Computer Operating Systems
20
Chapter 15: Security
The Security Problem
Program Threats
System and Network Threats
Cryptography as a Security Tool
User Authentication
Implementing Security Defenses
Firewalling to Protect Systems and Networks
Computer-Security Classifications
An Example: Windows XP
Principles of Computer Operating Systems
21
Objectives
To discuss security threats and attacks
To explain the fundamentals of encryption, authentication, and hashing
To examine the uses of cryptography in computing
To describe the various countermeasures to security attacks
Principles of Computer Operating Systems
22
The Security Problem
Security must consider external environment of the system, and protect
the system resources
Intruders (crackers) attempt to breach security
Threat is potential security violation
Attack is attempt to breach security
Attack can be accidental or malicious
Easier to protect against accidental than malicious misuse
Principles of Computer Operating Systems
23
Concern for Security
Explosive growth of desktops started in ‘80s
No emphasis on security
Who wants military security, I just want to run my spreadsheet!
Internet was originally designed for a group of mutually
trusting users
By definition, no need for security
Users can send a packet to any other user
Identity (source IP address) taken by default to be true
Explosive growth of Internet in mid ’90s
Security was not a priority until recently
Only a research network, who will attack it?
Principles of Computer Operating Systems
24
Security Violations
Categories
Breach of confidentiality
Breach of integrity
Breach of availability
Theft of service
Denial of service
Methods
Masquerading (breach authentication)
Replay attack
Message modification
Man-in-the-middle attack
Session hijacking
Principles of Computer Operating Systems
25
Security Measure Levels
Security must occur at four levels to be effective:
Physical
Human
Avoid social engineering, phishing, dumpster diving
Operating System
Network
Security is as week as the weakest chain
Principles of Computer Operating Systems
26
Program Threats
Trojan Horse
Code segment that misuses its environment
Exploits mechanisms for allowing programs written by users to be executed by
other users
Spyware, pop-up browser windows, covert channels
Trap Door
Specific user identifier or password that circumvents normal security procedures
Could be included in a compiler
Logic Bomb
Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow
Exploits a bug in a program
overflow either the stack or memory buffers
Principles of Computer Operating Systems
27
C Program with Buffer-overflow Condition
#include <stdio.h>
#define BUFFER SIZE 256
int main(int argc, char *argv[])
{
char buffer[BUFFER SIZE];
if (argc < 2)
return -1;
else {
strcpy(buffer,argv[1]);
return 0;
}
}
Principles of Computer Operating Systems
28
Layout of Typical Stack Frame
Principles of Computer Operating Systems
29
Modified Shell Code
#include <stdio.h>
int main(int argc, char *argv[])
{
execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);
return 0;
}
Principles of Computer Operating Systems
30
Hypothetical Stack Frame
After attack
Before attack
Principles of Computer Operating Systems
31
Program Threats (Cont.)
Viruses
Code fragment embedded in legitimate program
Very specific to CPU architecture, operating system, applications
Usually borne via email or as a macro
Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
vs = Shell(’’c:command.com /k format
End Sub
Principles of Computer Operating Systems
32
c:’’,vbHide)
Program Threats (Cont.)
Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses
File
Boot
Macro
Source code
Polymorphic
Encrypted
Stealth
Tunneling
Multipartite
Armored
Principles of Computer Operating Systems
33
A Boot-sector Computer Virus
Principles of Computer Operating Systems
34
System and Network Threats
Worms
use spawn mechanism; standalone program
Internet worm
Exploited UNIX networking features (remote access) and bugs in finger
and sendmail programs
Grappling hook program uploaded main worm program
Port scanning
Automated attempt to connect to a range of ports on one or a range of
IP addresses
Denial of Service
Overload the targeted computer preventing it from doing any useful
work
Distributed denial-of-service (DDOS) come from multiple sites at once
Principles of Computer Operating Systems
35
The Morris Internet Worm
Principles of Computer Operating Systems
36
Code-Red Worm
On July 19, 2001, more than 359,000 computers connected to
the Internet were infected in less than 14 hours
Spread
Principles of Computer Operating Systems
37
Sapphire Worm
was the fastest computer worm in history
doubled in size every 8.5 seconds
infected more than 90 percent of vulnerable hosts within 10 minutes.
Principles of Computer Operating Systems
38
DoS attack on SCO
On Dec 11, 2003
Attack on web and FTP servers of SCO
a software company focusing on UNIX systems
SYN flood of 50K packet-per-second
SCO responded to more than 700 million attack packets over 32 hours
Principles of Computer Operating Systems
39
Witty Worm
25 March 2004
reached its peak activity after approximately 45 minutes
at which point the majority of vulnerable hosts had been infected
World
USA
Principles of Computer Operating Systems
40
Nyxem Email Virus
Jan 15, 2006: infected about 1M computers
within two weeks
At least 45K of the infected computers were also compromised by
other forms of spyware or botware
Spread
Principles of Computer Operating Systems
41
Security Trends
www.cert.org (Computer Emergency Readiness Team)
Principles of Computer Operating Systems
42
The Cast of Characters
Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic “intruder”
Who might Alice, Bob be?
… well, real-life Alices and Bobs
Web browser/server for electronic transactions
on-line banking client/server
DNS servers
routers exchanging routing table updates
Principles of Computer Operating Systems
43
Alice’s Online Bank
Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice and Bob concerns similar? How are they different?
How does Trudy view the situation?
Principles of Computer Operating Systems
44
Alice’s Online Bank
AOB must prevent Trudy from learning Bob’s balance
Confidentiality (prevent
unauthorized reading of information)
Trudy must not be able to change Bob’s balance
Bob must not be able to improperly change his own account balance
Integrity (prevent
Principles of Computer Operating Systems
unauthorized writing of information)
45
Alice’s Online Bank
AOB’s information must be available when needed
Availability (data
is available in a timely manner when needed)
How does Bob’s computer know that “Bob” is really Bob and not Trudy?
When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
Authentication (assurance
that other party is the claimed one)
Bob can’t view someone else’s account info
Bob can’t install new software, etc.
Authorization (allowing
Principles of Computer Operating Systems
access only to permitted resources)
46
Think Like Trudy
Good guys must think like bad guys!
A police detective
Must study and understand criminals
In security
We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice and Bob’s carelessness
But, we cannot act like Trudy
Principles of Computer Operating Systems
47