Post on 20-Dec-2015
Security Security 11 © 2000 Franz Kurfess
Course OverviewPrinciples of Operating Systems
Course OverviewPrinciples of Operating Systems
Introduction Computer System
Structures Operating System
Structures Processes Process Synchronization Deadlocks CPU Scheduling
Memory Management Virtual Memory File Management Security Networking Distributed Systems Case Studies Conclusions
Security Security 22 © 2000 Franz Kurfess
Chapter Overview Security
Chapter Overview Security
Motivation Objectives Protection
protection of resources protection methods
Access Control
Security threats protection mechanisms
Important Concepts and Terms
Chapter Summary
Security Security 33 © 2000 Franz Kurfess
MotivationMotivation
computer systems may be of considerable value and must be protected from damage
hardware, software, and stored data may be essential for the performance of tasks and need to be available when needed
system objects need to be protected from inadvertent unauthorized access or use
there is the possibility of intrusion, modification, deletion, etc. with malicious intent
Security Security 44 © 2000 Franz Kurfess
ObjectivesObjectives
know basic protection methods and mechanisms be aware of the most common threats to system
security evaluate tradeoffs between performance, ease of
use, flexibility, etc. on one hand and security on the other hand
Security Security 55 © 2000 Franz Kurfess
ProtectionProtection methods and mechanisms that check the legality of an
operation on an object in the computer system legality refers to
the authorization to perform an operation the appropriate use of an operation the validity of the parameters
objects can be hardware components software entities
OS components, user programs files, processes, pipes, etc
data
Security Security 66 © 2000 Franz Kurfess
Policy vs. MechanismPolicy vs. Mechanism
protection = policy + mechanism policy
set of rules implemented by a mechanism determined by the management of the system
mechanism means for accomplishing a task used for implementing and enforcing a policy
Security Security 77 © 2000 Franz Kurfess
Computer ObjectsComputer Objects
objects in a computer system that need to be protected
hardware objects CPU, memory segments, hard disk, printers, tape drives,
etc.
software objects files, processes, databases, semaphores, pipes, etc.
Security Security 88 © 2000 Franz Kurfess
Protection DomainProtection Domain
a domain is a set of rights to perform certain operations on certain objects
specified as (objects, rights) pairs each pair specifies an object and operations that can be
performed on the object
limit and control access of processes to objects they are authorized to use only with operations they are authorized for
Security Security 99 © 2000 Franz Kurfess
Minimum Privilege PrincipleMinimum Privilege Principle
a process should have only the capabilities needed to perform its task a protection domain must be tailored to each individual
process not practical for most systems in practice, processes with similar domains are grouped
together
Security Security 1010 © 2000 Franz Kurfess
Protection Domains in UNIXProtection Domains in UNIX
the domain of a process is determined by its user id (uid) its group id (gid)
a process may switch temporarily between different domains e.g. to execute a program owned by another user this is a security problem, especially when user processes
switch to the root domain
Security Security 1111 © 2000 Franz Kurfess
Access to ResourcesAccess to Resources computer system resources
hardware deliberate or accidental damage, theft, unauthorized use physical access to hardware may be restricted
software execution, modification, deletion, unauthorized copying restricted privileges, configuration management
data modification or destruction, unauthorized use restricted privileges, encryption, off-line storage
communication eavesdropping, traffic analysis, intrusion, forging of messages, denial of
service prevention, detection, encryption, isolation
Security Security 1212 © 2000 Franz Kurfess
Access ControlAccess Control
subject entity requesting access usually a process (UID and GID on UNIX) users are represented by processes
object: entity to be accessed CPU, memory, network, files, programs
access right operations the subject is allowed to perform on the object
Security Security 1313 © 2000 Franz Kurfess
Unix Access ControlUnix Access Control
subjects divided into three domains
user, group and others (not user)
objects primarily files access to devices through the file system
access rights three types
read write execute
Security Security 1414 © 2000 Franz Kurfess
Access MatrixAccess Matrix
specifies for each domain and each object the permissible operations rows hold domains objects are in the columns
entry access(i,j) specifies the set of operations that a process executing in
domain Di can perform on object Oj
Security Security 1515 © 2000 Franz Kurfess
Access Matrix DiagramAccess Matrix Diagram
File1 File2 File3 Printer
Domain 1 2
3
r rw
rx
r w
the operations specified in the entry are allowed for processes in a certain domain for a particular object
Security Security 1616 © 2000 Franz Kurfess
Domain Switching in an Access Matrix
Domain Switching in an Access Matrix
File1 File2 File3 Printer D1 D2 D3
Domain 1 2
3
r rw
rx
r w
switch
switch
switching between domains can also be controlled by the access matrix additional columns for the target domain
Security Security 1717 © 2000 Franz Kurfess
Implementation of Access Matrices
Implementation of Access Matrices
global table access lists capability lists
Security Security 1818 © 2000 Franz Kurfess
Global TableGlobal Table set of ordered triplets
<domain, object, rights> for each operation of a subject on an object, the table is
searched for a triplet such that the subject must be in the domain the object must be present the operation must be part of the rights
advantage simple realization
drawbacks large tables, requiring virtual memory or I/O operations groupings of entries not possible
Security Security 1919 © 2000 Franz Kurfess
Access Control ListsAccess Control Lists
each object has a list of pairs with (domain, access rights) specifies which operations may be performed by which
entity
columns are implemented as lists only non-empty entries are stored used in the VMS operating system
Security Security 2020 © 2000 Franz Kurfess
ExampleExample
File1: (john, rw) File2: (mary, rwx) File3: (john, r), (mary, rw), (fred, rx) File4: (*, rx) File5: (fred, -), (*, rw)
Security Security 2121 © 2000 Franz Kurfess
Capability ListCapability List
for each domain in the access matrix we associate a list of objects along with the type of access for each object
each row is implemented as a list objects within a domain operations allowed on the objects
a process presents the capability for an operation to the OS before the operation is performed
maintained by the OS, not directly accessible to the users
Security Security 2222 © 2000 Franz Kurfess
ExampleExample
File r w - Pointer to file2
File r - x Pointer to file1
File r w x Pointer to file3
File - w - Pointer to file4
Type Rights Object
0
1
2
3
Security Security 2323 © 2000 Franz Kurfess
ComparisonComparison access lists
correspond directly to the needs of the users
determining access rights for a particular domain is difficult
permissions for all objects must be specified
frequently a default list is used, and only deviations are noted explicitly
every access to an object must be checked
requires a search of the access list
capability lists do not correspond directly to
the needs of the users useful for finding information
on a particular process revocation of capabilities may
be inefficient not very frequently used in
their pure form sometimes used as cache for
information in the access list
Security Security 2424 © 2000 Franz Kurfess
Modification of Access RightsModification of Access Rights
permissions for operations on objects may change dynamically in a system
this can lead to the extension or revocation of access rights
easy with an access-list scheme corresponding rights are modified
difficult with capability lists capabilities are distributed throughout the system, and
must be found first
Security Security 2525 © 2000 Franz Kurfess
AuthorizationAuthorization
granting of permissions for operations on objects to subjects
Security Security 2727 © 2000 Franz Kurfess
User AuthenticationUser Authentication
identification of users at login time an be addressed through
passwords physical identification
Security Security 2828 © 2000 Franz Kurfess
PasswordsPasswords
legitimate users identify themselves by providing an account id and a password if the password matches the one stored in the system, the
user is considered legitimate
the password must be kept secret must not be exposed by the user must be stored internally in encrypted format or in a
protected place
easy to understand and use low implementation overhead
Security Security 2929 © 2000 Franz Kurfess
Password ProblemsPassword Problems
often easy to defeat password guessing with the use of a list of likely words watching while the user types the password (shoulder
surfing) network sniffing account sharing
Security Security 3030 © 2000 Franz Kurfess
Example Password CrackingExample Password Cracking
7-character passwords chosen from a 95 printable character set: 957 (or 7x1013 approx.)
at 1000 encryption/sec it will take 2000 years to create the complete list
Security Security 3131 © 2000 Franz Kurfess
Password SecrecyPassword Secrecy
extension and encryption associate an n-bit random number with each password
the number is stored in the password file unencrypted
the password and the random number are first concatenated and then encrypted together and stored in password file
increases the size of the possible passwords by 2N
Security Security 3232 © 2000 Franz Kurfess
Passwords ProvisionsPasswords Provisions system-generated passwords
random, easy to remember, but nonsense words (i.e. vriendly) are generate by the system
regular change of passwords may defeat the purpose
users write down passwords toggling between passwords use of month/year in the password
paired passwords users provide a list of questions and answers that will be stored in
encrypted format the system randomly selects an entry which the user has to complete
user picks an algorithm
Security Security 3333 © 2000 Franz Kurfess
One-Time PasswordsOne-Time Passwords
each password can be used only once frequently based on special hardware calculators or code
books to determine the one-time password complicated to administer
Security Security 3434 © 2000 Franz Kurfess
Physical IdentificationPhysical Identification
plastic card with magnetic stripe and password (cash machines) often augmented by personal identification numbers (PIN)
fingerprints, voice prints, visual recognition signature
Security Security 3535 © 2000 Franz Kurfess
SecuritySecurity
application of protection methods and mechanisms to maintain the safe operation of a computer system
must also take into account the external environment of the system
cannot rely on orderly behavior of users and processes users may try to circumvent protection mechanisms
Security Security 3636 © 2000 Franz Kurfess
Security AspectsSecurity Aspects
physical security prevention of unauthorized access to physical systems restriction to legal use of systems
operational security subjects may only execute legal operations on objects
Security Security 3737 © 2000 Franz Kurfess
Security ThreatsSecurity Threats
technical interruption interception modification fabrication
nontechnical (“social engineering”)
Security Security 3838 © 2000 Franz Kurfess
Security Threats in OSesSecurity Threats in OSes
most operating systems have major security problems
penetration teams can be used to test security and expose problems
Security Security 3939 © 2000 Franz Kurfess
Common Attack MethodsCommon Attack Methods
snooping and sniffing listening in on network traffic ask for memory pages, disk space or tapes and just read them
(don't fill them) many systems don’t delete old information
trial and error on system calls illegal system calls, legal system calls with illegal parameters, or
legal system calls with legal but unreasonable parameters example: “ping of death” attack
login interrupt start logging in and then hit DEL RUBOUT BREAK (or other
control keys) halfway through
Security Security 4040 © 2000 Franz Kurfess
Attack Methods (Cont.)Attack Methods (Cont.)
OS meddling modify complex OS data structures residing in memory
do don’ts look for manuals that say Do not do X and try as many
combinations of X as possible.
social engineering bribe or trick the security personnel
Security Security 4141 © 2000 Franz Kurfess
IntrudersIntruders
persons from outside seek unauthorized access to a computer system frequently via network connection intruders are often referred to as hackers or crackers
legitimate users make unauthorized use of a system evasion of auditing or access controls
Security Security 4242 © 2000 Franz Kurfess
Program and System ThreatsProgram and System Threats
Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms
Security Security 4343 © 2000 Franz Kurfess
Taxonomy of Software ThreatsTaxonomy of Software Threats
[Bowles and Pelaez, 1992]
MaliciousPrograms
TrapDoor
LogicBomb
TrojanHorse
Virus Bacterium Worm
Needs HostProgram
Indepen-dent
replicate
Security Security 4444 © 2000 Franz Kurfess
Trap DoorTrap Door
hidden entry point to the system often left by the designer of a program
for debugging or malicious purposes
can circumvent normal security procedures
can be very difficult to detect
Security Security 4545 © 2000 Franz Kurfess
Example Trap DoorExample Trap Door
an employee of a bank works on the transaction processing system used by the bank
to be prepared for unpleasant situations at work, she leaves an entry point into the system
she’s fired for security violations after she’s fired, she gains access via modem,
transfers a large amount of money to an account on a Caribbean island, and erases all files
Security Security 4646 © 2000 Franz Kurfess
Confinement ExampleConfinement Example you’re a great physicist working on a novel approach to
the unified theory of everything unfortunately, your programming skills are not sufficient,
and you have to trust programmers they know only the code, but not some critical values that you
enter interactively
you inspect their programs, compile and install them yourself to make sure that there is no communication outside your own account
you perform all your simulations and calculations you’re ready to publish your results when you see an
article written by your programmers with your results
Security Security 4747 © 2000 Franz Kurfess
Confinement ProblemConfinement Problem
can programs be written in such a way that the information used and generated cannot be communicated outside the domain? no network connection no writing to files outside the domain no usage of peripheral devices
problem: covert channels information can be transmitted through indirect ways relies on properties of the process execution that can be
observed by other processes length of CPU bursts, paging rate, etc.
Security Security 4848 © 2000 Franz Kurfess
Logic BombsLogic Bombs
segment in a regular program that checks for certain conditions
when the conditions are met, some unwanted functions are executed
Security Security 4949 © 2000 Franz Kurfess
Example Logic BombExample Logic Bomb
a contractor implements a logic bomb in a library circulation system
the bomb is designed to go off on a certain date unless the contractor had been paid
Security Security 5050 © 2000 Franz Kurfess
Trojan HorsesTrojan Horses
(seemingly) useful program containing hidden code that may perform unwanted functions
hidden segment misuses its current environments runs in the user’s environment with all the user’s privileges
often hidden in regular programs e.g. login program, email, editor
Security Security 5151 © 2000 Franz Kurfess
Examples Trojan HorseExamples Trojan Horse Example 1: True friends
you’re working on a programming assignment together with your friend
for testing purposes, you make your programs executable for each other
you invoke your friend’s program, and it deletes all your files Example 2: Password Stealing
a user writes a program that looks exactly like the login procedure for a multi-user system
it is left on the terminal for the next unsuspecting user this program reads the password and stores it then it exits with an error message and lets the user continue with
the regular login process
Security Security 5252 © 2000 Franz Kurfess
VirusesViruses
fragment of code embedded in a legitimate program designed to spread into other programs and systems may be destructive or simply annoying
display of messages program malfunctions modification or deletion of files system crash
most prevalent on single-user systems weak protection curiosity and negligence of users
Security Security 5353 © 2000 Franz Kurfess
Virus ProtectionVirus Protection
antivirus programs practically all current programs are effective only against
particular known viruses
safe computing purchase only unopened media from reputable sources avoid shared media
floppy disks, bulletin boards if you have to share media, apply antivirus programs immediately
Security Security 5454 © 2000 Franz Kurfess
BacteriaBacteria
programs that consume system resources by replicating themselves
bacteria may reproduce exponentially, eventually taking up all resources
Security Security 5555 © 2000 Franz Kurfess
WormsWorms
programs that replicate themselves and send copies across network connections
may perform unwanted functions in addition to replication
Security Security 5656 © 2000 Franz Kurfess
Internet WormInternet Worm one of the greatest computer security
violations of all times Robert Morris, Cornell University, first year
graduate student unleashed Nov. 2, 1988 propagated to thousands of computers on the
Internet Sun 3 workstations and VAX computers running
Unix BSD 4.x
Security Security 5757 © 2000 Franz Kurfess
Internet Worm cont.Internet Worm cont.
worm components grappling hook (99 lines of C code) the worm proper
strategy compile and execute the grappling hook on the machine
under attack upload main worm contact new hosts spread the grappling hook
Security Security 5858 © 2000 Franz Kurfess
Worm DiagramWorm Diagram
Worm Worm
Grappling Hook
Infected System Target System
finger
rshsendmail
worm sent
worm request
Security Security 5959 © 2000 Franz Kurfess
Internet Worm cont.Internet Worm cont.
transmission methods to infect new machines: rsh finger sendmail
Security Security 6060 © 2000 Franz Kurfess
Internet Worm cont.Internet Worm cont.
limited replication on an already infected machines new copies of the worm
would exit, except for every seventh instance
caused a major disruption on affected systems may have been intended as harmless
Security Security 6161 © 2000 Franz Kurfess
Remote Shell FlawRemote Shell Flaw
frequently accessed remote hosts can be listed in a file .xhosts
remote shells can be invoked without password the worm used these files to propagate to trusted
new hosts
Security Security 6262 © 2000 Franz Kurfess
invoking finger with an argument that exceeds the buffer of the finger demon results in an overwrite of the stack frame
the finger demon continued with the execution of the argument instead of returning to its main routine
Finger FlawFinger Flaw
Security Security 6363 © 2000 Franz Kurfess
Sendmail FlawSendmail Flaw
the debugging option of the sendmail program is often left on as a background process intended for testing purposes usually invoked with a user email address
the worm called debug with commands to mail and execute a copy of the grappling hook
Security Security 6464 © 2000 Franz Kurfess
The Worm’s DemiseThe Worm’s Demise
on the evening of the next day countermeasures were circulated to system administrators
reasons for success quick electronic communication access to source code distribution of source code and executables to remote
machines collaboration of experts
Morris was convicted in federal court ($10,000 fine, 3 years probation, 400 hours of community service, legal fees)
Security Security 6565 © 2000 Franz Kurfess
CountermeasuresCountermeasures
prevention possible threats are anticipated
this is not possible for all threats
mechanisms are installed to prevent attacks
detection in case of an attack, it is identified and corrective
measures are taken
Security Security 6666 © 2000 Franz Kurfess
Countermeasure ExamplesCountermeasure Examples
access restrictions users are only allowed to login from a specific terminal, during
certain days of the week, during certain hours of the day.
system dials the user back at a predetermined phone number
login increase login time to discourage repeated login tries record all logins
traps easy to break in accounts seemingly interesting information for intruders
Security Security 6767 © 2000 Franz Kurfess
Threat MonitoringThreat Monitoring
limited login attempts if more than a few login attempts are unsuccessful, the
login process is aborted
audit log records time, user, type of access to objects useful for recovery and prevention considerable overhead
security check systematic checks for security holes usually done during low traffic times
Security Security 6868 © 2000 Franz Kurfess
Security ChecksSecurity Checks
periodic exploration of potential security holes weak passwords
short, easy to guess
unauthorized set-uid programs unauthorized programs in system directories suspicious processes
running time, behavior, access to resources
improper file and directory protections user and system directories and files
password file, device drivers, system programs
modifications to system programs
Security Security 6969 © 2000 Franz Kurfess
Design Principles for SecurityDesign Principles for Security
system design should be public better verification and discovery of flaws
minimum privilege principle give each process the least privilege possible default should be no access
check for authority and authentication simple, uniform protection mechanisms at low levels acceptable for users
Security Security 7070 © 2000 Franz Kurfess
EncryptionEncryption
mainly used for transmission and storage of sensitive information e.g. password file in Unix
basic mechanism information is encrypted into an unintelligible format this is stored or transmitted the receiver or reader must decrypt it into readable format
encryption frequently relies on operations that can be done efficiently in one direction, but the inverse operation is very difficult to do e.g. factorization of large integers
Security Security 7171 © 2000 Franz Kurfess
Important Concepts and TermsImportant Concepts and Terms access control access control list audit log authentication capability list confinement problem deadlock decryption digital signature encryption external security internal security object operation
permission private key cryptosystem privilege privileged instruction protection protection domain right security policy starvation subject system mode trojan horse user mode virus
Security Security 7272 © 2000 Franz Kurfess
Chapter SummaryChapter Summary
physical and operational safety of computer systems can be important aspects
protection methods and mechanisms are available to prevent unauthorized access to and use of computer systems
especially networked computers are vulnerable to security threats like trapdoors, logic bombs, Trojan horses, viruses, bacteria,
worms
the main types of countermechanisms are prevention and detection