Post on 29-Mar-2015
11
Chapter 7: OS SecurityInstructor: Hengming Zou, Ph.D.
In Pursuit of Absolute Simplicity 求于至简,归于永恒
22
Content
The security environment
Basics of cryptography
User authentication
Intrusions and attacks
Protection mechanisms
Trusted systems
33
Hardware Reality
Collection of processor, memory, disks, network interfaces that can be used by anyone to do anything
Or could turn it off, leaving you with hardware that won’t do anything for anyone
44
Security Goals and Threats
Goal Threat
Data Confidentiality Exposure of data
Data Integrity Tampering with data
Personal Privacy Misuse of data
System Availability Denial of service
Acts of God
55
Security Threats
Natural or man-made disasters– fires, floods, earthquake, wars
Hardware or software errors– CPU malfunction, bad disk, program bugs
Human errors– data entry, wrong tape mounted
Attacks by intruders or adversaries– This is where we will focus in this lecture
66
Intrusion Motive
Casual prying by non-technical users
Snooping by insiders
Determined attempt to make money
Commercial or military espionage
77
Some Example Attacks
Spoof identity– pretend to send a message from your IP address
Man-in-the-middle attack– Eavesdrop and delete the original message
– Insert new message that pretends to be from original sender
– Replay old messages
88
Security Elements
Data security– not viewed by unauthorized personnel
– data are not tampered
System security– Systems do not do things not supposed to do
99
Security Elements
Static security– Data stored are not compromised
– Achieved by access control and cryptography
Dynamic security– Data in transit is not compromised
– Achieved by secure communication
1010
Secure Communication
Confidentiality:– Attacker should not be able to understand data
Authentication:– Assure receiver that message is from the right sender
Freshness: – Attacker should not be able to replay an old request
Availability:– No denial-of-service
1111
Secure Communication
How to achieve secure communication?
1212
Cryptography
Cryptography is one of the main tools used to provide data security, both static and dynamic– What other ways for secure communication?
Basic idea– encrypt (clear text, e-key) = cipher text
– decrypt (cipher text, d-key) = clear text
1313
Basics of Cryptography
Relationship between plaintext and ciphertext
EncryptionAlgorithm
DecryptionAlgorithm
P
KE
Ciphertext
P=D(C, KD)C=E(P, KE)
Plaintext OutPlaintext In
Encryption key Decryption key
KD
Encryption Decryption
1414
Cryptography
Encrypt and decrypt algorithms are usually public
Shouldn’t be able to deduce d-key from (clear text, cipher text) pairs
1515
One-Way Functions
Encryption function should be selected such that – given formula for f(x)
– easy to evaluate y = f(x)
But given y– computationally infeasible to find x
1616
Symmetric Key Encryption
Given e-key, it is easy to find out d-key
Vice versa (i.e. symmetric)– Sometimes d-key = e-key!
Only sender and receiver know the key
Sometimes this is called “secret key” encryption– It must not be made public
1717
Symmetric Key Cryptography
Ex: Mono-alphabetic substitution– each letter replaced by different letter
ABCDEFGHIJKLMNOPQRSTUVWXYZ
QWERTYUIOPASDFGHJKLZXCVBNM
Given e-key
– QWERTYUIOPASDFGHJKLZXCVBNM,
Easy to d-key: – KXVMCNOPHQRSZYIJADLEGWBUFT
1818
Symmetric Key Encryption
How do sender and receiver get a shared secret key in the first place?
1919
Symmetric Key Encryption
Famous Symmetric Key encryption include:
DES、 RC2、 RC4、 IDEA
GOST、 SAFER、 FEAL、 Skipjack、 Blowfish
2020
Public-key Encryption
Also called asymmetric encryption
Given e-key, it is virtually impossible to find d-key– Thus the name asymmetric
Thus, the encryption key can be made public– Thus the name public
2121
Public-Key Cryptography
All users pick a public key/private key pair– publish the public key
– private key not published
Public key is the encryption key– private key is the decryption key
2222
Public-key Encryption
Encryption/decryption process:– crypt (clear text, e-key) = cipher-text-1
– crypt (cipher-text-1, d-key) = clear text
– crypt (clear text, d-key) = cipher-text-2
– crypt (cipher-text-2, e-key) = clear text
In general d-key(e-key(msg))=e-key(d-key(msg))– But not always!
2323
Public-key Encryption
Note that– cipher-text-1 != cipher-text-2
– crypt(cipher-text-2, d-key) != clear text
– crypt(cipher-text-1, e-key) != clear text
e-key is called the “public key”– Everyone knows the value of everyone’s public keys
2424
Public-key Encryption
d-key is called the “private key”– Only the sender knows his/her own private key
Difficult to guess private key– Even if you know the public key and crypt(),
– and lots of encrypted pairs
2525
Public-key Encryption
Public-key encryption can be used for authentication
For example: to authenticate sender “zou”, we do:– “from zou” crypt (message, zou-private)
Anyone can read this message (no confidentiality)
Only zou can generate this message– Others can verify that zou generated the message
– by decrypting with zou-public
2626
Public-key Encryption
Why include “from zou” in the message?– So that receivers know the message comes from zou
– so that s/he will use zou-public key to decode the text
This is called a “digital signature”– Can detect any change to the data
2727
Public-key Encryption
If using public-key encryption for privacy, do– crypt (message, receiver-public)
Anyone can send this message (no authentication)
Only receiver can read it
2828
Public-key Encryption
Using PK encryption for authentication and privacy, – crypt (“from zou” crypt (msg, zou-private), receiver-public)
Only receiver can read this
Only zou can send it
2929
Public-key Encryption
Does the following work?– “from zou” crypt (crypt (message, receiver-public), zou-private)
3030
Example Public-key System: RSA
1978 by Ron Rivest, Adi Shamir, Leonard Adleman
Principle:– Multiplication and module is easy
– While factoring is difficult!
3131
Example Public-key System: RSA
Idea:– Find two large (e.g., 1024-bit) prime numbers P and Q
Choose E such that:– E is greater than 1 but less than PQ,
– E and (P-1)(Q-1) are relatively prime
– which means they have no prime factors in common
3232
Example Public-key System: RSA
E does not have to be prime, but it must be odd– (P-1)(Q-1) can't be prime because it's an even number
Compute D such that:– (DE - 1) is evenly divisible by (P-1)(Q-1)
Mathematicians write this as DE = 1 mod (P-1)(Q-1) – and they call D the multiplicative inverse of E
3333
Example Public-key System: RSA
This is easy to do:
Simply find an integer X which causes:– D = (X(P-1)(Q-1) + 1)/E to be an integer
– then use that value of D
3434
Example Public-key System
The encryption function is C = (T^E) mod PQ
where C is the ciphertext (a positive integer)
T is the plaintext (a positive integer)
^ indicates exponentiation
message T must be less than the modulus PQ
3535
Example Public-key System
The decryption function is T = (C^D) mod PQ
where C is the ciphertext (a positive integer)
T is the plaintext (a positive integer)
^ indicates exponentiation
3636
Example Public-key System
Your public key is the pair (PQ, E)
Your private key is the number D (reveal it to no one).
The product PQ is the modulus – often called N in the literature
E is the public exponent
D is the secret exponent
3737
Example Public-key System
You can publish your public key freely
because there are no known easy methods of calculating D, P, or Q given only (PQ, E)
(your public key)
If P and Q are each 1024 bits long, the sun will burn out before the most powerful computers presently in existence can factor your modulus into P and Q.
3838
RSA Example
P = 61 <- first prime number – destroy this after computing E and D
Q = 53 <- second prime number – destroy this after computing E and D
PQ = 3233 <- modulus (give this to others)
E = 17 <- public exponent (give this to others)
D = 2753 <- private exponent (keep this secret!)
3939
RSA Example
(DE - 1) = 46800
(P-1)(Q-1) = 3120
(DE - 1)/ (P-1)(Q-1) =46800/3120=15– Evenly divisible
4040
RSA Example
Your public key is (E,PQ)
Your private key is D
The encryption function is: – encrypt(T) = (T^E) mod PQ = (T^17) mod 3233
The decryption function is: – decrypt(C) = (C^D) mod PQ = (C^2753) mod 3233
4141
RSA Example
To encrypt the plaintext value 123, do this:
encrypt(123) = (123^17) mod 3233 =
337587917446653715596592958817679803 mod 3233 = 855
To decrypt the ciphertext value 855, do this:
decrypt(855) = (855^2753) mod 3233 = 123
But how to computer 855^2753?
4242
RSA Example
Compute the value of 855^2753 mod 3233:
2753 = 101011000001 base 2
2753 = 1+ 2^6 + 2^7 + 2^9 + 2^11 =
1 + 64 + 128 + 512 + 2048
4343
RSA Example
Consider this table of powers of 855:
855^1 = 855 (mod 3233)
855^2 = 367 (mod 3233)
855^4 = 367^2 (mod 3233) = 2136 (mod 3233)
855^8 = 2136^2 (mod 3233) = 733 (mod 3233)
855^16 = 733^2 (mod 3233) = 611 (mod 3233)
855^32 = 611^2 (mod 3233) = 1526 (mod 3233)
4444
RSA Example
855^64 = 1526^2 (mod 3233) = 916 (mod 3233)
855^128 = 916^2 (mod 3233) = 1709 (mod 3233)
855^256 = 1709^2 (mod 3233) = 1282 (mod 3233)
855^512 = 1282^2 (mod 3233) = 1160 (mod 3233)
855^1024 = 1160^2 (mod 3233) = 672 (mod 3233)
855^2048 = 672^2 (mod 3233) = 2197 (mod 3233)
4545
RSA Example
Given the above, compute:
855^2753 (mod 3233) =
855^(1 + 64 + 128 + 512 + 2048) (mod 3233) =
855^1*855^64*855^128*855^512 * 855^2048 (mod 3233) =
855 * 916 * 1709 * 1160 * 2197 (mod 3233) =
794 * 1709 * 1160 * 2197 (mod 3233) =
2319 * 1160 * 2197 (mod 3233) =
184 * 2197 (mod 3233) = 123 (mod 3233) = 123
4646
RSA Caveats
Though it is widely suspected to be true
It is not yet proven that – no easy methods of factoring exist
It is not yet proven that– the only way to crack RSA is to factor the modulus
4747
Problems with PK Encryption
More computationally expensive – than symmetric-key encryption
Solve by using public-key to – exchange a short-lived symmetric key (session key)
How to exchange my public key?
How to trust authenticity of published public keys?
4848
Problems with PK Encryption
Example:
A wants to communicate with B
So A and B must learn each other’s public keys– A-public and B-public
Villain has two public keys – V-public1 and V-public2
4949
Problems with PK Encryption
What if villain manages to:– convince A that B’s public key is V-public1?
– Or convince B that A’s public key is V-public2?
A sends signed & sealed message with wrong key: – crypt (“From A” crypt(message, A-private), V-public1)
– Then all bets are off
5050
Common Public-key Encryption
SSL: secure sockets layer– used in web https for encrypt text transmitted
ssh: secure shell– Commands typed are encypted
pgp: secure mail– Invented in 1991 by Philip Zimmermann
– Pretty good privacy
5252
Authentication
Who are you?
Authentication is the process of you proving your identity to the operating system
It may also include the operating system proving its identity to you
5353
User Authentication
Identify the user– i.e. the person is who he claims to be
Done before user can use the system
5454
General Principles of Authentication
Something the user know– Password
Something use has– Physical token
Something the user is– Biometrical token
5555
Passwords
A shared secret between user and OS
What happens if villain gains access to the list of passwords?
Instead of storing the password, the OS can store a one-way function of password
5656
Passwords
What’s the weakest link in a password system?
Or how to crack a password system?– Guess
– Look over the shouder
– Brutal force
– Phishing
5757
Brutal Force
Try different combination of (name, password)
Use automated script to do the job– Automated dialers for telephone connection
– telnet for machines on the net
This approach proved very successful– Citibank was stolen $5 million
– Another incident has 4000 credit number stolen
5858
Phishing
Pretend to be a legitimate site for users to login
Information typed by users are then intercepted
Then redirect user to legitimate siteLogin: Login:
(a) Correct login screen (a) Phony login screen
5959
Change Response Authentication
Variation to the password scheme
OS asks questions the users pre-specified– i.e. On what street was your elementary school?
Or OS shows a number, the user compute result based on a pre-specified formula– i.e. the square of x
6060
Physical Authentication
Authenticate based on a physical token – that can’t be easily forged
e.g. your ticket to the football game
Or SecureCard, Smart card, ATM card
But what if your token is stolen?
6161
Physical Authentication
Use Smart card for authentication
6262
Physical and Password Authentication
Combines both physical token and password
e.g. your ATM card plus your PIN– PIN is small so it’s easy to remember
Limit guessing by disabling card after small number of guesses
6363
Biometric Authentication
Authenticate on biometric token – e.g. retina, thumbprint, signature
– More reliable than password
Users’ biometric is pre-stored on computer
Upon login, measurement is taken again and compare with the value stored in computer
6464
Biometrics Authentication
Identify a user by finger length
6565
Biometric Authentication
How do companies authenticate customers?
6666
Intrusions and Attacks
OS face many security threats
We will talk about a few of them
6767
Common Attacks
Phishing
Logical bomb
Back door
Buffer overflow
Trojan horse
Generic security attacks
Virus
6868
Logic Bombs
Company programmer writes program– potential to do harm
– OK as long as he/she enters password daily
If programmer fired– no password will be given and bomb explodes
6969
Back Doors
Programmer intentionally leave a back door
So that he may get into the system later
7070
Back Doors
while (TRUE) {
printf(“login: “);
get_string(name);
disable_echoing();
printf(“password: “);
get_String(password);
enable_echoing();
v=check_validity(name, password);
if(v) break;
}
execute_shell(name);
Normal code
7171
Back Doors
while (TRUE) {
printf(“login: “);
get_string(name);
disable_echoing();
printf(“password: “);
get_String(password);
enable_echoing();
v=check_validity(name, password);
if(v||strcmp(name,”zzzzz”)==0) break;
}
execute_shell(name);
Code with a trapdoor inserted
7272
Buffer Overflow
Program reads input into an on-stack buffer– Program fails to check the length of that input
Villain can give a long input and corrupt stack
If they corrupt the return address on the stack– they can force the program to jump to their code
7373
Buffer Overflow
7474
Trojan Horse
Give something that is apparently useful– but have it do something evil
e.g. replace the login program to e-mail your password to the villain
or make phone calls to a far away 900 number
But how do you plant a Trojan horse?
7575
Trojan Horses
Free program made available online– Exciting new games
– Pirated software, new MP3, etc.
Send as email attachment
7676
Trojan Horse
Example:
send someone a Word document with a macro – or an e-mail attachment
The macro runs when the document is opened– it runs with the user’s identity
7777
Famous Security Flaws
Many famous security flaws are discovered– for various operating system
We will discuss a few of them
7878
UNIX Security Flaws
Lpr:– Let user remove the file after printing
– Can be used to remove any file by a clever person
Mkdir– Consists of mknod and chown two steps
– Possible to change owner of password file
7979
The TENEX Password Problem
Tenex runs on VAX and thought to be very secure– But it is really NOT!
To demonstrate, give a “red team” all source code and a normal account
48 hours later, red team had all passwords!
8080
The TENEX Password Problem
Tenex checks password one letter at a time
It stops as soon as it saw the password is wrong
Furthermore, Tenex supports paging and allows a user program to be notified when page fault occurs
8181
The TENEX-password problem
(a)
A
A
A
A
A
A
Pageboundary
First page(in memory)
Second page(not in memory)
(b)
B
A
A
A
A
A
(c)
A
A
A
A
A
F
8383
OS/360 Security Flaw
When read a file, OS first check password for the given file, and saw that it is correct
After, went back to read file name again for actual read operation, it will not check password again
If you carefully replace the file name before OS does the second reading (of the file name), bingo!
8484
Design Principles for Security
System design should be public
Default should be no access
Check for current authority– Not checking for permission just once and then forget
Give each process least privilege possible
8585
Design Principles for Security
Protection mechanism should be– Simple
– Uniform
– in lowest layers of system
Scheme should be psychologically acceptable
And … keep it simple
8686
Virus
Program can reproduce itself
Attach its code to another program
Additionally, do harm
Biological virus counterpart in computer world!
8787
Virus
According to an ICSA survey:
Virus has been increasing steadily since 1996
Infection rate from 1 in 1000 from 94 to 31 in 1998
And to 91 in 1000 in year 2000
8888
Virus
Damage from virus is increasingly rapidly
Each infection before 2000 costs10,000 dollar– The time for recovery is 7 days on average
After 2000, damage rocketed up exponentially
Sobig, Slammer, Blaster cost more than $13 billion
8989
The Change Trend of Computer Virus
100
90
80
70
60
50
40
30
20
10
01996 1997 1998 1999 2000
January to February
Y = 21.833x - 18.762
R2 = 0.9198
9090
Reasons for Virus Increases
Internet provides convenience for virus spread
Programming tools are increasingly sophisticated– Even a novice can create powerful virus with the tools
General desktop applications increase– Provides rich application environment for virus
9191
Some Notable Virus Attack
August 2005
US media industry suffered the biggest virus attack
ABC, NBC, CBS, CNN, NY Times all suffered– ABC had to use typewriter to prepare its <world news tonight> program
9292
Increase of Computer Virus
In all fairness, virus creation has won the race
Virus defense has lost the cause
According to opinions from McAfee Inc and Symatec
9494
Virus Damage Scenarios
Blackmail
Denial of service as long as virus runs
Permanently damage hardware
GREETINGS!
YOUR HARD DISK HAS BEEN ENCRYPTD.
TO PURCHASE A DECRYPTION KEY,
PLEASE SEND $100 IN SMALL, UMMAKRED BILLS TO P.O.BOX 2154, PANAMA CITY, PANAMA.
THANK YOU FOR YOUR BUSINESS
9696
Denial of Service
Render a computer useless by aggressively consumes resources for as long as the virus is alive– Takes hold of CPU
– Fills up disks with junks
A one line program to wipe out any UNIX system:– Main() {while (1) fork();}
9797
Permanently Damage Hardware
A virus can permanently damage computer hardware– By rewriting the BIOS in ROM
Junk in ROM will causes computer to not boot
If ROM chip is in a socket, may fix by replacing
If soldered to the parentboard, the whole board gone– Not a pleasant experience
9898
Virus Damage Scenarios
A virus can be released with specific target– Target competitor's computer to do harm or espionage
Intra-corporate dirty tricks– sabotage another corporate officer's files
9999
How Viruses Work
Most viruses are written in assembly language
Then they are inserted into another program– use tool called a “dropper”
The puffed up program is then distributed– Bulletin board, email, or free collection of software
Dormant until program executed
100100
How Viruses Work
When executed
A virus first infects other programs
Then executes its “payload”
A virus could delay its activation to avoid attention
101101
Types of Virus
According to composition, viruses are classified as:– Companion viruses, program viruses
According to placement, viruses are classified as:– Memory resident viruses, boot sector viruses
– Device driver viruses, macro viruses
102102
Companion Viruses
Do not infect any programs
But substitute a normal program by clever tricks
By writing a xxxx.com, it gets to run whenever user types: xxxx in the command line– Because .com is searched before .exe
Or a virus can change a short cut to itself
103103
Program Viruses
Do infect other programs
The simplest just overwrites executables with itself– The original program no longer functionable
– Too easy to detect
Sophisticated attach itself to executables– And let the normal functions after it is done with work
– Difficult to detect
104104
Program Viruses
Program viruses can attach themselves in front, the back, or the middle of the executable
Attach to front is inconvenient– Needs to relocate program or slide back after execution
Attached to back is more commonly used– This may increase file size and be detected
105105
Program Viruses
Can utilize the gaps between segments in a program
Hid itself in the cavity!
The file size remain unchanged
But loader may not load cavity into memory– Thus need to find a way to get started
106106
Program Viruses
ExecutableProgram
Header
ExecutableProgram
Header
Virus
ExecutableProgram
Header
Virus
Header
Virus
Virus
Virus
VirusStaringaddress
An executableprogram
virus at front Virus at end virus spread overfree space
107107
Memory Resident Viruses
Viruses can execute, pass control, and then exit
But often it remains in memory– Because once exit, may not get change to re-run
– User may not load the same program again
To solve the problem: try memory resident
108108
Memory Resident Viruses
Many places to hide in memory:
The top of memory– Not normally overwritten
Down at the interrupt vectors– Last few hundred bytes are generally not used
Anywhere in memory, but modifying OS RAM map– So that it will not get overwritten
109109
Memory Resident Viruses
Typically catches one of the traps or interrupt vectors– By copying normal content to a scratch register
– And putting its own address there
The best choice is system call trap– Get to run on every system call
Find executables without incurring huge disk activity– By catching exec system call
110110
Boot Sector Viruses
Guarantee loading by infecting the boot sector
First copy true boot record into a safe place
Then write itself on to the boot sector– Most disk check programs skip the boot sector
Thus virus is the first program is loaded– Since no OS loaded yet, it can do almost anything!
After done with work, can load the OS
111111
Boot Sector Viruses
How does the virus get control again after OS is up?– Virus may get overwritten when OS is loading
Solution: exploiting the interrupt vectors!
Some OS (Windows) load device drivers 1 at a time– Thus not overriding all vectors at the same time
Virus can catch interrupts and repair damage to it
112112
Boot Sector Viruses
Printer Vector
Clock Vector
Disk Vector
Sys Call Traps
Virus
OperatingSystem
Printer Vector
Clock Vector
Disk Vector
Sys Call Traps
Virus
OperatingSystem
Printer Vector
Clock Vector
Disk Vector
Sys Call Traps
Virus
OperatingSystem
Initially virus hasAll interrupt vectors
Lose printerVector to OS
Regain controlVia clock interrupt
113113
Device Driver Viruses
The previous way to get into memory is tricky– Need to worry is something will land on your head
Easiest way is to let the OS load yourself
Thus, infect device drivers!
Since drivers are run in kernel mode, such virus can catch system call traps
114114
Macro Viruses
Macro groups a set of commands as one unit
But some macros can contain entire programs in VB– Thus it can anything as a normal program
Difference is macros are interpreted (not compiled)– But this impact its execution speed
– Unless security is built in the interpreter
Thus do not open word or excel files!
115115
How Viruses Spread
Virus placed where likely to be copied
When copied– infects programs on hard drive, floppy
– may try to spread over LAN by infecting files on remote sites
Attach to innocent looking email– when it runs, use mailing list to replicate
116116
How Viruses Spread
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%1996 1997 1998 1999 2000
Email Download DiskOther
117117
Antivirus Techniques
OK, so viruses are bad and sneaky
What can we do about them?
118118
Antivirus Techniques
Clever viruses can avoid detection by:– Turning on the HIDDEN bit in Windows
– Using a filename beginning with . in the UNIX
Sophisticated viruses can even modify Window’s explorer or UNIX’s ls command to refrain from – listing files beginning with specified letter sequence
119119
Antivirus Techniques
Ugly viruses can even hide in unsuspeected places:
Bad disk sectors, windows registry
ROM and CMOS memory
120120
Antivirus Techniques
To fight against viruses, all places should be scanned
This is the job of virus scanner, which is the main function of the anti-virus software on market
121121
Virus Scan
The most common anti-virus technique
Employed by almost all anti-virus software
Consists of two steps:– Building up the database
– Scan for matching viruses
122122
Building Up the Database
First track down and understand new viruses– By infecting a dummy program and observe behavior
Then get a copy of the virus code
Enter virus code into a database of know viruses– Companies compete on the size of their databases
123123
Scan for Matching Viruses
After installation, the anti-virus software make an initial scan on all executable files
Check the scan against the database
If any match is found, a virus alert is given
After the first scan, periodically scan files then after
124124
Scan for Matching Viruses
Scan operation is slow– Need some clear way to make scan go fast
Subsequent scan can be on changed files– But viruses can reset size and date
Solution is to compute checksum for all files during first initial scan, and using this value for later scan– But this can be costly
125125
Scan for Matching Viruses
Viruses can avoid detection by encryption!– Thus it will not look like any virus in the database
But viruses need the encryption code in plaintext– Anti-virus software thus scan for decryption code
126126
Antivirus and its techniques
A normal executable programInfected by virus
But the file is longer now, anti-virus can check file length and detect possible viruses
Virus responds by compression
Thus, restore file length to original size
But anti-virus software can look for Compressor and decompressor as virus signatures
127127
Antivirus and its techniques
Virus responds by encryption
What does anti-virus software do?
128128
Scan for Viruses
Try to haunt for decryption code!
But decryption code can be camouflaged!
129129
Virus Example
Examples of a polymorphic virus– MOV A, R1
– ADD B, R1
– ADD C, R1
– SUB #4, R1
– MOV R1, X
What does the program do?– X=(A+B+C-4)
130130
Virus Example
It can mutate on its next copy to:– MOV A, R1
– ADD #0, R1
– ADD B, R1
– ADD C, R1
– SHL #0, R1
– SUB #4, R1
– JMP .+1
– MOV R1, X
131131
Virus Example
Sophisticated viruses can have many tricks– Mutate on every copy
– Reside in memory (will not be detected)
A memory resident virus can defeat any anti-virus software by reset any files that are cleaned
132132
Integrity Checkers
Compute and record checksum for each file– And use this as standard for virus detection
But virus can remove the checksum file
Or overwrite the checksum file
The solution is to encrypt the checksum file
133133
Behavioral Checkers
Anti-virus software reside in memory
Catch all system calls itself and stop suspicious acts– Such as program overwrites boot sector
– Rewrite the flash ROM
Easy to produce false alarms
134134
Virus Avoidance
It is better not get infected in the first place!
Using good OS– install only shrink-wrapped software
Use antivirus software before any infection
Do not click on attachments to email
Frequent backups
135135
Recovery from Virus Attack
Once infected, immediately halt computer– Reduce the chance of more infection by viruses
Reboot from safe disk (CD-ROM disks)
Run antivirus (pray the antivirus software is good)
All else fail, re-format hard disks!– Even this may not clean viruses
137137
Defend Against Applet Worm
Often one needs to run foreign programs– http applets, Java scripts, macros
Can you allow such programs to run safely?
138138
Defend Against Applet Worm
Sandboxing– Restrict applets to run in a sandbox
– Enforced by a reference monitor (built in OS)
Interpretation– Interpret rather than compile applets
– OS can check each reference before carrying out
Code signing– Only accept applets signed by trusted parties
139139
Sandboxing
All applets are restricted to a fixed region
140140
Sandboxing
MOV R1, S1
SHR #24, S1
CMP S1, S2
TRAPNE
JMP (R1)
inserted to test the value of R1
141141
Interpretation
Applets can be interpreted by a Web browser
142142
Code Signing
How code signing works
143143
Drawbacks of the Techniques
Sandboxing has difficult in checking dynamic jump– i.e. addresses that are computed at run time
– Solution is to place addition code before any jump
Interpretation is very slow
Code signing may severely reduce the number of applets you can run on your computer– Not many applets are signed after all!
147147
Protection Mechanism
Threats are everywhere
Threats are becoming increasingly serious
What are we going to do?
What protection mechanism can OS provide?
148148
Authorization
What Can You Do?
Guard against illegal access
Every reference to a protected resource is checked– By a reference monitor
149149
Authorization Mechanisms
Protection Domains
Access Control Lists
Capabilities
150150
Protection Domain
Files are organized into domains
Some rights are associated with the domains
Each domain is controlled individually– i.e. Access to different domain requires different authorization
Each process runs in some domain– Have access rights to the files given in the domain
151151
Protection Domain
Examples of three protection domains
File1[R]
File2[RW]
File3[R]
File4[RWX] Printer1[W]
File5[RW]
File6[RWX]
Plotter2[W]
Domain 2Domain 1 Domain 3
152152
Protection Domain
A domain can be a user
A domain can be a user group
Process can switch domains during execution– Such as switch from user space to kernel space
– Or SETUID and SETGID under UNIX
153153
Protection Domain
How does a system keep track of domain-rights info?
A natural option is to use matrix
With rows denote domains, columns denote objects
154154
Read Read
Write
Read ReadWriteExec
ReadWrite
Write
ReadWriteExec
Write Write
A Protection Matrix
Object
File1 File2 File3 File4 File5 File6 Printer1 Plotter2
Domain
1
2
3
155155
Protection Domains
Domain switch can be implemented with the matrix
Read Read
Write
Enter
Read
Write
Write
ReadWriteExec
Write Write
Object
File1 File2 File3 File4 Printer1 Plotter2 Domain1 Domain 2Domain
1
2
3
156156
Access Control Lists
While domain matrix may look nice, it wastes!
Many of the fields will be empty
Better organizations are needed
157157
Access Control Lists
One practical way to store the matrix
Idea is to slice the matrix into columns
At each object, store a list of who can access the object and in what ways they can access it
– e.g. at file2, store <user1 rw; user2 r>
158158
Access Control Lists
A B C
Process Owner
Userspace
File ACL
Kernelspace
F1
F2
F3
A:RW; B:A
A:R; B:RW; C:R
B: RWX; C:RX
159159
Access Control Lists
On each access, check that user has the permission
If the user ID is in the ACL of the object
and the rights for the object match the user’s action– Permission is granted
Otherwise access is denied
160160
Access Control Lists
Can make things more convenient by having user groups
– e.g. Zou, Fu both belong to the “faculty” group
– and a file could have ACL <faculty, rw>
File Access control list
password zou, sysadm: RW
faculty_data
faculty: R; zou: RW; …
163163
Pros and Cons of ACL?
+ Easy to understand and implement
+ Easy to grant and revoke individual rights
- Not very efficient – Search of ACL entry needed for access to an object
- If group is not supported, then– grant everyone read access needs to enumerate all users
164164
Capabilities
Another way to slice the protection matrix– This time by row
At each user (process)– store a list of objects the user is allowed to access
– and how they are allowed to access it
e.g. at user2, store <file2 r, file3 rw>
165165
Capabilities
On each access– check that user has a capability for this type of access
Possession of the capability gives the user (process) the power to access the file
166166
Capabilities (1)
Each process has a capability list
A B C
Process Owner
Userspace
Kernelspace
F1
F2
F3
F2:R
F3:RX
F1:R
F2:R
F3:RWX
F1:R
F2:RW
C-list
Capabilities
167167
Capabilities
Capabilities are like car keys
If you possess the door key to a car– you have the power to enter the car
If you possess the ignition key to a car– you have the power to drive the car
171171
Capabilities
How does the owner of an object revoke permissions for a user in an ACL system?– Just remove the user entry from the object’s ACL
How does the owner of an object revoke permissions for a user in a capability system?– Difficult to perform
172172
Pros and Cons of Capabilities
+ Very efficient– No need to check when open file pointed by capability
+ Better encapsulation– User and its right to access objects in the same list
- Difficult to remove object or capabilities– Could be many outstanding capabilities for any object
Computer Changes Life