Security and Protection

Module 6.0: Security and Protection


Types of misuse:
1. Accidental
2. Intentional
– Protection is to prevent either accidental or intentional misuse;
– Security is to prevent intentional misuse.
We will first cover Security and then Protection.
K. Salah
1
Operating Systems
The Security Problem
• Security must consider the external environment of the system, and protect it from:
– unauthorized access.
– malicious modification or destruction.
• It is easier to protect against accidental than against malicious misuse.
Examples of Security Flaws
• Early UNIX
– lpr could remove a file after printing
– mkdir could be used to get access to passwords
• MULTICS (predecessor to UNIX)
– it was possible to get access to users' files
– How: replace the system editor; it works fine but also steals the file.
• Called a "Trojan Horse": in the story of Homer's Iliad, one army gave another a present of a wooden horse with an army hidden inside. A Trojan horse appears helpful, but really does something harmful.
– Command.com replaced by a version that does del *.*
– A program that emulates a login prompt
Worms and Viruses
• Internet worm (Morris, 1988)
– A worm is a self-replicating program.
– Used rsh, finger, or sendmail.
– May not do harm, but it dragged down many machines. Viruses and Trojan horses do harm.
• Viruses
– Actually inside a program (a worm is a separate program)
– A Trojan horse does not spread; a virus spreads, usually through e-mail.
– Example:
   – add code to the end of a program
   – replace the first line (the "entry point") with a jump to this code; the end of the virus jumps to the real entry point
   – the virus has control, tries to replicate, and also does malicious things
• Antivirus programs
– look for viruses (some use virtual memory!)
The Morris Internet Worm
Generic Security Attacks
• Request disk space or pages and read them
• Try illegal system calls
• While logging in, hit Ctrl-C
• Do everything you're not supposed to
• Trojan horse
• Trap door or back door:
– A specific user identifier or password that circumvents normal security procedures.
– Could be included in a compiler.
– Used for field service or debugging, and might be known only to the programmers.
• Logic bomb
• Email virus
General Design Principles for Security
• Make the system design public
• Make the default no access
• Check for current authority
• Give processes the least access possible
• Don't build security into an insecure system
– i.e., don't try to build security on top of UNIX
Threat Monitoring
• Check for suspicious patterns of activity – e.g., several incorrect password attempts may signal password guessing.
• Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.
• Scan the system periodically for security holes; done when the computer is relatively unused. Things to look for:
– Short or easy-to-guess passwords
– Unauthorized set-uid programs
– Unauthorized programs in system directories
– Unexpected long-running processes
– Improper directory protections
– Improper protections on system data files
– Dangerous entries in the program search path (Trojan horse)
– Changes to system programs: monitor checksum values
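Two of the monitoring checks above, worked as an added example (not code from the slides): a sliding-window detector for repeated failed logins over constructed audit-log lines, and a checksum comparison of system programs against a known-good baseline. The log line format, user names and addresses are assumptions made up for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines in a hypothetical "time user result source" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 login user=alice result=FAIL src=10.0.0.5
2024-05-01T09:00:03 login user=alice result=FAIL src=10.0.0.5
2024-05-01T09:00:04 login user=alice result=FAIL src=10.0.0.5
2024-05-01T09:00:06 login user=alice result=FAIL src=10.0.0.5
2024-05-01T09:00:08 login user=alice result=OK src=10.0.0.5
2024-05-01T09:30:00 login user=bob result=FAIL src=10.0.0.9
2024-05-01T11:30:00 login user=bob result=FAIL src=10.0.0.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Turn audit-log lines into (time, user, result, src) tuples; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["src"]))
    return events

def password_guessing_suspects(events, threshold=3, window=timedelta(minutes=5)):
    """(user, src) pairs with at least `threshold` failures inside any `window`-long sliding window."""
    failures = defaultdict(list)
    for ts, user, result, src in events:
        if result == "FAIL":
            failures[(user, src)].append(ts)
    suspects = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                suspects.add(key)
                break
    return suspects

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def changed_programs(baseline, current):
    """baseline: path -> known-good sha256 hex; current: path -> bytes read now. Returns changed or new paths."""
    return sorted(p for p, data in current.items() if baseline.get(p) != sha256_hex(data))
```

A program present on disk but absent from the baseline is reported too, which covers the "unauthorized programs in system directories" check with the same comparison.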
Authentication
• Make sure the user is who they say they are
• Typical approach: passwords
– Stored in an encrypted file
– anyone can see it; supposedly that won't help
– Reality:
   – dictionary searches
   – encrypt and compare
   – stupidity of users
• Other types of authentication
– ATM-style: card + password
– Fingerprints, retina scan
– SecureIDs
– Signature analysis
– Digital signature by VeriSign
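The "encrypt and compare" reality above is what a modern password file has to survive. As an added example (not from the slides), this is how a stored password record is built and checked so that a guesser must redo a slow computation per user: a per-user random salt plus PBKDF2 with a large iteration count. The record format and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # a slow hash makes each "encrypt and compare" guess expensive

def make_record(password, salt=None):
    """Build the stored record: algorithm, iteration count, per-user random salt, derived hash.
    Nothing in it is secret; the salt only forces a guesser to redo the work for every user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password, record):
    """Recompute the hash from the record's own salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_hash_for_same_password(password):
    """Shows why one precomputed dictionary of hashes does not cover the whole file: two users who
    picked the same password get different stored records because their salts differ."""
    return make_record(password) == make_record(password)
```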
Encryption
• Encrypt clear text into cipher text.
• Properties of a good encryption technique:
– Relatively simple for authorized users to encrypt and decrypt data.
– The encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key.
– Extremely difficult for an intruder to determine the encryption key.
• The Data Encryption Standard substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. The scheme is only as secure as that mechanism.
Encryption (Cont.)
• Public-key encryption is based on each user having two keys:
– public key – a published key used to encrypt data.
– private key – a key known only to the individual user, used to decrypt data.
• Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme.
• The security of a cryptosystem is a function of two things:
– The strength of the algorithm
– The length of the key: 32, 64, 112, 128, 256
   – 64-bit takes 600,000 years to break on a supercomputer, assuming the algorithm is unbreakable.
Protection and Protection Domains
• Specifically, how to protect files, CPU, etc.
• Policy: what should be protected from whom
• Mechanism: how does the OS enforce the policy
• Protection Domains
– Objects: things that need to be protected; for example, files, CPU, memory, printer
– Rights: permission to perform some operation on an object
– Domain: set of (object, rights) pairs
Protection Domains
• Domain - a set of (object, rights) pairs
• Protection matrix (rows are domains, columns are objects; note that domains are themselves objects, so "enter" is a right on a domain):

Domain   File1   File2   Printer   Domain2   Domain3
  1      Read                      enter
  2              Read    write               enter
  3              Write   write

• Maintaining such a matrix is a waste. Store it by rows or by columns.
Domain Implementation
• System consists of 2 domains:
– User
– Supervisor
• UNIX
– Domain = user-id
– Domain switch accomplished via the file system.
   – Each file has associated with it a domain bit (the setuid bit).
   – When a file is executed and setuid is on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.
Protection Mechanisms
• Access Control Lists (by columns)
– an object maintains a list of granted domains
   – File1: (Alice, student, R-X), (*, staff, RWX)
   – In UNIX, a file has rwx for the owner, group, and others.
• Capabilities (by rows)
– a domain maintains a list of accessible objects
   – Domain1: (File1, R--), (Domain2, Enter)
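The protection-matrix slide and the ACL/capability slide describe the same sparse matrix stored two ways. As an added example (not code from the slides), this builds both representations from the slide's matrix, answers access questions with "default no access", and treats a domain switch as an access that needs the "enter" right. The dictionary layout and function names are this example's own choices.

```python
# The slide's protection matrix as a sparse mapping: (domain, object) -> set of rights.
# Cells that are absent mean "no access", matching the "make default no access" principle.
MATRIX = {
    ("Domain1", "File1"): {"Read"},
    ("Domain1", "Domain2"): {"enter"},
    ("Domain2", "File2"): {"Read"},
    ("Domain2", "Printer"): {"write"},
    ("Domain2", "Domain3"): {"enter"},
    ("Domain3", "File2"): {"Write"},
    ("Domain3", "Printer"): {"write"},
}

def by_columns(matrix):
    """Access control lists: each object keeps the domains granted on it and their rights."""
    acl = {}
    for (domain, obj), rights in matrix.items():
        acl.setdefault(obj, {})[domain] = set(rights)
    return acl

def by_rows(matrix):
    """Capability lists: each domain keeps the objects it may use and its rights on them."""
    caps = {}
    for (domain, obj), rights in matrix.items():
        caps.setdefault(domain, {})[obj] = set(rights)
    return caps

def allowed(acl, domain, obj, right):
    """Check an object's ACL; anything not explicitly granted is denied."""
    return right in acl.get(obj, {}).get(domain, set())

def switch_domain(caps, current, target):
    """A domain switch is itself an access: the current domain needs 'enter' on the target domain."""
    if "enter" not in caps.get(current, {}).get(target, set()):
        raise PermissionError(f"{current} may not enter {target}")
    return target
```

Both stores answer every question identically; the difference the slides point at is only which lookup is cheap (per object for ACLs, per domain for capabilities).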