Protection and Security

Transcription

1 Protection and Security

2 What is (Computer) Security? Security is a chain; it s only as secure as its weakest link. Security is a process, not a product.

3 Security is a tradeoff

4 The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction accidental introduction of inconsistency. Easier to protect against accidental than malicious misuse. Protection is internal, Security is external take the hard drive of a computer and read it from another system Applied Operating System Concepts Silberschatz, Galvin, and Gagne

5 Module 18: Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based Systems Language-Based Protection Digital Rights Management Applied Operating System Concepts Silberschatz, Galvin, and Gagne!

6 Protection Operating system consists of a collection of object s, objects, hardware or software Each object has a unique name and can be accessed through a well-defined set of operations. that depend of the object Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so. Prevent unauthorized access - System processes - Other users - Digital Rights Management Improve reliability - Protect system from application bugs * Policy is distinct from mechanism Applied Operating System Concepts Silberschatz, Galvin, and Gagne!

7 Domain Structure Access-right = <object-name, rights-set> Rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights Association between processes and domains may be static or dynamic Each domain can be a user, a process, or a procedure Applied Operating System Concepts Silberschatz, Galvin, and Gagne!

8 Domain Implementation System consists of 2 domains: User Supervisor UNIX Domain = user-id Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. Applied Operating System Concepts Silberschatz, Galvin, and Gagne!

9 Demo of setuid

10 tmp % cat printid.c #include <stdlib.h> #include <stdio.h> #include <unistd.h> #include <sys/types.h> int main(void) { printf("real UID\t= %d\n", getuid()); printf("effective UID\t= %d\n", geteuid()); printf("real GID\t= %d\n", getgid()); printf("effective GID\t= %d\n", getegid()); return EXIT_SUCCESS; } schmitta@charm tmp % gcc -o printid printid.c schmitta@charm tmp % chmod ug+s printid

11 tmp % ls -l printid -rwsr-sr-x 1 schmitta staff avr 10:19 printid schmitta@charm tmp %./printid Real UID = 503 Effective UID = 503 Real GID = 20 Effective GID = 20 schmitta@charm tmp % su admin Password: bash-3.2$./printid Real UID = 501 Effective UID = 503 Real GID = 501 Effective GID = 20

12 Access Matrix F1 F2 F3 HP D1 read read D2 print D3 read exec D4 read write read write

13 Access Matrix F1 F2 F3 HP D1 D2 D3 D4 D1 read read switch D2 print switch switch D3 read exec D4 read write read write switch

14 Copy F1 F2 F3 D1 read read D3 read* exec D4 read write read write

15 Copy F1 F2 F3 D1 read read D3 read* exec D4 read write read read write

16 itunes and Access Matrix Songs: no ipod limit! copy Songs: 5 computers! limited copy Rented movie: on 1 computer at a time! transfer

17 Owner F1 F2 F3 D1 read read D3 read* owner exec D4 read write read write

18 Owner F1 F2 F3 D1 read read D3 read* owner write* exec D4 read write read write

19 Control F1 F2 F3 HP D1 D2 D3 D4 D1 read read switch D2 print switch switch control D3 read exec D4 read write read write switch

20 Control F1 F2 F3 HP D1 D2 D3 D4 D1 read read switch D2 print switch switch control D3 read exec D4 read write read write switch

21 Implementation of Access Matrix Each column = Access-control list for one object Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read M Each Row = Capability List (like a key) Fore each domain, what operations allowed on what objects. Object 1 Read Object 4 Read, Write, Execute Object 5 Read, Write, Delete, Copy Applied Operating System Concepts Silberschatz, Galvin, and Gagne!

22 Access Control Lists (1) R Use of access control lists of manage file access 44

23 Access Control Lists (2) Two access control lists 45

24 Capabilities (1) Each process has a capability list 46

25 Revoking Access Rights Immediately or later? Revoke the rights to all users or to some? Revoke some rights or all rights of an object? Temporarily or permanently?

26 Revoking Access Rights Simple with access list if we revoke by object More difficult with capabilities. Use Reacquisition Back-pointers Indirections (not selective) Keys (not selective if one key per object)

27 Language-Based Protection Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources. Language implementation can provide software for protection enforcement when automatic hardwaresupported checking is unavailable. Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

28 Java Security Model Applied Operating System Concepts Silberschatz, Galvin, and Gagne

29 An Application of Protection: DRM

30 DRM DRM = Digital Rights Management Access control technologies to limit usage of digital media or devices May prevent access, copying, or conversion DRM is a technical way to enforce laws

31 DRM

32 CSS CSS = Content Scramble System Licensed for DVD drives, DVD players, DVD movies Enforces region coding, prevents skipping intros Does not prevent bit by bit copying! Cracked since 1999

33 AACS AACS = Advanced Access Content System Similar to CSS, but much stronger Features Managed Copy Final standard not yet released Keys can be revoked and new keys used... but they are cracked even before their release!

34 DRM Gone Bad

35 The Sony BMG Fiasco Blog post from Mark Russinovich... Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden...

36 After some investigation he found it came from an audio CD by Sony BMG The Sony rootkit is designed to hide any files, registry keys and processes starting with the string $sys$ The CD installed a CD drive driver and made sure no more than 3 copies of the CD were made It also made the system unstable and less secure

37 Sony had to recall every protected CD Several lawsuits were filed and settled This protection is not used anymore

38 What do you really buy? MLB (Major League Baseball) has been selling videos of games with DRM since 2003 In 2007, they changed their DRM provider, and for some users old videos stopped playing MLB may provide replacements, with DRM

39 MSN Music DRM keys MSN Music store closed in November 2006 On April 22, 2008, customers were told authorization servers would stop on August 31, 2008 Using a new computer or reinstalling the OS will result in unplayable songs

40 The Future of DRM Music: becoming DRM free Video: very entrenched DMCA, EUCD, DADVSI Amazon MP3 store, itunes+, most majors Many countries pass laws protecting DRM Future of Fair Use? See Free Culture by Lawrence Lessig

41 Homework Larry Lessig: How creativity is being strangled by the law

42 Module 19: Security The Security Problem Authentication Program Threats System Threats Threat Monitoring Encryption Applied Operating System Concepts Silberschatz, Galvin, and Gagne

43 Generic Security Attacks Typical attacks Request memory, disk space, tapes and just read Try illegal system calls Start a login and hit DEL, RUBOUT, or BREAK Try modifying complex OS structures Try to do specified DO NOTs Convince a system programmer to add a trap door Beg admin s sec y to help a poor user who forgot password 22

44 Threats data confidentiality (data read) data integrity (data modified) or deleted) system availability (denial-of-service attacks) hard to avoid Security is achieved by taking measures at the following levels: Physical (e.g. prevent removing of hard drive) Human (e.g. prevent bribing a user) Network (e.g. prevent intercepting private data) Operating system (e.g. authenticate users)

45 Hacker vs Cracker The hacker: someone who figured things out and made something cool happen.

46 Human Security Social Engineering

47 Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information

48

49 Phishing Pretexting (over the phone) Trojan Horse Road Apple free floppy, CD, usb drive... Quid Pro Quo (something for something)

50 It is notable that Mitnick did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security.

51 Breaking in over Internet need an IP number of a machine (or its symbolic equivalent, such as so.cs.unibo.it) can test if that number is alive using ping can try to connect using telnet IP numbers similar (consecutive numbers) to one that is alive might work as well a hacker with fast connection could discover many entry points to the system (ie, IP numbers that accept telnet connections) the hacker can then try to exploit weak pairs (login, password)

52 Authentication User identity most often established through passwords, can be considered a special case of either keys or capabilities. Passwords must be kept secret. Frequent change of passwords. Use of non-guessable passwords. Log all invalid access attempts. Applied Operating System Concepts Silberschatz, Galvin, and Gagne

53 Authentication Using Passwords (a) A successful login (b) Login rejected after name entered (c) Login rejected after name and password typed 11

54 Authentication Using Passwords How a cracker broke into LBL a U.S. Dept. of Energy research lab 12

55

56

57 One-time passwords Each password is valid only once. Hence anyone capturing the password of a session and then trying to use it for another session will fail. problem: where to keep the password list a solution: use one-way functions easy to compute; hard to invert hence in, we have: easy, hard How it works: initialisation: a password, an integer session passwords then are: the server keeps track and updates the integer for

58 Challenge-response authentication The user selects an algorithm, ex: at login time: the server sends an integer the user answers with problem: the algorithm can be guessed a solution: a function (public) user selects a key at login time: server sends a number user answers it should be hard to find out from seeing the results of computating with

59 Authentication Using a Physical Object Magnetic cards magnetic stripe cards chip cards: stored value cards, smart cards 14

60 Program Threats Trojan Horse Code segment that misuses its environment. Exploits mechanisms for allowing programs written by users to be executed by other users. Trap Door Specific user identifier or password that circumvents normal security procedures. Could be included in a compiler. Logic Bomb Login Spoofing Buffer Overflow Applied Operating System Concepts Silberschatz, Galvin, and Gagne

61 Operating System Security Trojan Horses Free program made available to unsuspecting user Actually contains code to do harm Place altered version of utility program on victim s computer trick user into running that program 17

62 Trojan horse: how to make execute the malicious program advert it on Internet Interner as something exciting (Example) use PATH variables Immagine Imagine is in PATH for user xx and xx types cd yy programxx Thus: malicious program programxx written by yy is executed by xx and can access xx data (Examples) (Example) Install a malicious program called la in user/bin eventually someone, by mistake, will type la rather than ls (Example) Exploiting a shell that checks the working directory before consulting PATH: a user yy install a malicious program called ls in his/her home directory the user does something suspicious (such as using a lot of resources) the administrator might type: cd yy ls

63 Trap Doors (a) Normal code. (b) Code with a trapdoor inserted 20

64 Ken Thomson s backdoor For debugging purposes, backdoor in login Did it by modifying the C compiler: when compiling password verification accept the correct password or accept the special debugging password

65 def compile(code): if (lookslikelogincode(code)): generateloginwithbackdoor() else: compilenormally(code) But this would look strange in the C compiler...

66 def compile(code): if (lookslikelogincode(code)): generateloginwithbackdoor(code) elif (lookslikecompilercode(code)): generatecompilerwithbackdoordetection(code) else: compilenormally(code)

67 Logic Bombs Company programmer writes program potential to do harm OK as long as he/she enters password daily ff programmer fired, no password and bomb explodes 19

68 Login Spoofing (a) Correct login screen (b) Phony login screen 18

69 Login spoofing a program that displays the screen the user of the program thus can read many pairs (login, password) a way out: the login session starts out with a key combination that a user program cannot catch (example: ctl-alt-del in windows)

70 Buffer overflow In C, array bounds (among other things) are not checked Example of unchecked code: int i char c[100] i = 400 c[i] = 0

71 Buffer Overflow (a) Situation when main program is running (b) After program A called (c) Buffer overflow shown in gray 21

72 Java Security (1) A type safe language compiler rejects attempts to misuse variable Checks include Attempts to forge pointers Violation of access restrictions on private class members Misuse of variables by type Generation of stack over/underflows Illegal conversion of variables to another type 39

73 System Threats Worms use spawn mechanism; standalone program Internet worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs. Grappling hook program uploaded main worm program. Viruses fragment of code embedded in a legitimate program. Mainly effect microcomputer systems. Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection. Safe computing. Applied Operating System Concepts Silberschatz, Galvin, and Gagne

74 Worm vs Virus A worm is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines. A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

75 The Internet Worm Consisted of two programs bootstrap to upload worm the worm itself Worm first hid its existence Next replicated itself on new machines 35

76 Morris Worm November 2, 1988 Robert Tappan Morris Jr., 1 st year Cornell graduate student sends a worm on a few machines Within hours, about 10% of the internet (6.000 machines) was down

77 The Morris Internet Worm Applied Operating System Concepts Silberschatz, Galvin, and Gagne

78 How it Worked Getting in Using a remote shell (rsh) host-login without password required Buffer overflow: finger with a 536 byte string used to launch /bin/sh Sendmail bug using its debug mode mailed the grappling hook to be executed

79 Propagation When in, downloaded the worm Then tried to crack passwords Looked in new accounts for rsh data files Attempted to infect new machines If already there, quit 6 out of 7 times This brought down most machines

80

81 Virus Damage Scenarios Blackmail Denial of service as long as virus runs Permanently damage hardware Target a competitor s computer do harm espionage Intra corporate dirty tricks sabotage another corporate officer s files 26

82 Where viruses could act modify executable files attaching themselves to the front, or to the end possibly having to modify file headers and file internal logical addresses first they get activated; then the original file is executed residing in memory possibly redirecting some interrupts to them (ex: system calls) overwriting some boot procedure on disk thus the virus gets loaded every time the machine is turned on hiding within a macro very effective for Word and Excel programs, for instance easy to write modify a source code a portable virus

83 How Viruses Work (3) An executable program With a virus at the front With the virus at the end With a virus spread over free space within program 29

84 How Viruses Spread Virus placed where likely to be copied When copied infects programs on hard drive, floppy may try to spread over LAN Attach to innocent looking when it runs, use mailing list to replicate 31

85 Viruses and Anti-virus techniques Anti-virus: virus scanners Scan executable files looking for viruses that match those in a database a problem: variants of the virus might exist Fuzzy search might miss some might interpret some correct file as a virus can be slow Check only files that have been modified since last search A virus could change the file date Check only files whose length has changed A virus could use compression techniques

86 Antivirus and Anti Antivirus Techniques (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code 32

87 Antivirus and Anti Antivirus Techniques Examples of a polymorphic virus All of these examples do the same thing 33

88 Antivirus and Anti Antivirus Techniques Integrity checkers Behavioral checkers Virus avoidance good OS install only shrink wrapped software use antivirus software do not click on attachments to frequent backups Recovery from virus attack halt computer, reboot from safe disk, run antivirus 34

89 Some Modern Worms & Viruses 1999: Melissa, macro virus (Word + Outlook) 2000: ILOVEYOU, VBScript worm. Between $5 billion and $10 billion in damage. The Pentagon, CIA, and the British Parliament had to shut down their systems to get rid of the worm. 2003: Blaster, Sobig, Sober (until 2005).

90 2004: MyDoom. binary attachment. One of the fastest spreading worms: 1 in 12 s at peak. Used to created a Denial of Service attack against SCO and Microsoft. 2004: Sasser. Did not need user intervention, used a buffer overflow.

91 Agence France-Presse (AFP): satellite communications blocked for hours Delta Air Lines: cancel several trans-atlantic flights (computer systems down) Nordic insurance company If and Finnish Sampo Bank: close their 130 offices in Finland. British Coastguard: electronic mapping service disabled for a few hours Goldman Sachs, Deutsche Post, and the European Commission also touched X-ray department at Lund University Hospital: all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

92 2007: Storm Worm. attachment: PDF spam, e-cards, YouTube Invites. Also blog comment spam. Still active (latest version: April 1st, 2008) Payload morphs every 30 mn. Used to create a peer to peer botnet.

93 Botnets

94

95 Current Botnets Kraken: about machines Storm: about machines (was 2 million) Used for spam, phishing, denial of service attacks

96 Some safe design principles make the system public (avoid security by obscurity ) allow only accesses explicitely granted always check for accesses use simple protection mechanisms, built into the OS kernel (precisely: the lowest possible level of the OS; cf: Windows NT)

97 Network Security Through Domain Separation Via Firewall Applied Operating System Concepts Silberschatz, Galvin, and Gagne

98 Threat Monitoring Check for suspicious patterns of activity i.e., several incorrect password attempts may signal password guessing. Audit log records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures. Scan the system periodically for security holes; done when the computer is relatively unused. Applied Operating System Concepts Silberschatz, Galvin, and Gagne

99 Threat Monitoring (Cont.) Check for: Short or easy-to-guess passwords Unauthorized set-uid programs Unauthorized programs in system directories Unexpected long-running processes Improper directory protections Improper protections on system data files Dangerous entries in the program search path (Trojan horse) Changes to system programs: monitor checksum values Applied Operating System Concepts Silberschatz, Galvin, and Gagne