May 15th, 2002 1
505 review – distributed systems and security
(slides mostly from Tanenbaum)
Jonathan M. Smith
University of Pennsylvania
http://www.cis.upenn.edu/~posse
Remote Procedure Call
• Model of communication
– support distributed programming
– in fact tries to hide communication!
• Interface between programming language and communications system
• Adopts procedure-call interface
– e.g., remote_foo(arg_1, arg_2);
Remote Procedure Call
• Steps in making a remote procedure call
– the stubs are shaded gray
RPC client and server
• RPC client host must know how to reach server and what service is required
• RPC server host must know who is requesting the service, what service is requested, and how to reply
• Usually built over UDP; issues include argument marshalling, transport, binding, etc. Example: name resolution
Remote Procedure Call
Implementation Issues
• Cannot pass pointers
– call by reference becomes copy-restore (but might fail)
• Weakly typed languages
– client stub cannot determine size
• Not always possible to determine parameter types
• Cannot use global variables
– may get moved to remote machine
The BSD “socket” API
• Designed for UNIX, which had “pipes”
• Socket provides a “handle” (descriptor) which can be used for system operations such as read() and write()
• Other services must exist for rendezvous, synchronization, etc.
• E.g., sd = socket(AF_INET, SOCK_STREAM, 0);
Client and Server Actions
• Server
– bind(sd, addr, addr_len)
– listen(sd, backlog)
– accept(sd, addr, addr_len)
• Client
– connect(sd, addr, addr_len)
Distributed Shared Memory (1)
• Note layers where it can be implemented
– hardware
– operating system
– user-level software
Distributed Shared Memory (2)
Replication
(a) Pages distributed on 4 machines
(b) CPU 0 reads page 10
(c) CPU 1 reads page 10
Distributed Shared Memory (3)
• False Sharing
• Must also achieve sequential consistency
Distributed Systems (1)
Comparison of three kinds of multiple CPU systems
Distributed Systems (2)
Achieving uniformity with middleware
Network Hardware (1)
• Ethernet
(a) classic Ethernet
(b) switched Ethernet
CSMA/CD (Ethernet)
• Carrier Sense, Multiple Access with Collision Detect
• Originally 3Mbps, DIX 10Mbps, now 100
• Originally coax bus
– Now more commonly twisted pair (10BaseT) through repeaters
• Optimistic Protocol, Unique Station Address, Variable Size
Ethernet Frame Format
Field: Preamble | Dest. Address | Src Address | Type | Packet Body | CRC | Postamble
Bits:  64       | 48            | 48          | 16   | variable    | 32  | 8
Network Hardware (2)
The Internet
Network Services and Protocols (1)
Network Services
Application Needs & Network Characteristics
Application Needs                               | Network Char.
Reliable, Ordered, Single-Copy Message Delivery | Drops, Duplicates and Reorders Messages
Arbitrarily large messages                      | Finite message size
Allows Flow Control by Receiver                 | Arbitrary Delay
Supports multiple applications per-host         | …
Network Services and Protocols (2)
• Internet Protocol
• Transmission Control Protocol
• Interaction of protocols
Protocol Stacks illustrated:
• Service and peer interfaces
(figure: Host #1 and Host #2, each with a High-level Object above a Protocol; the Service interface sits between object and protocol on each host, the Peer-to-peer interface between the two Protocols)
Service Interfaces & Encapsulation
• Examples: send(), read(), receive()
• Object representation is encapsulated
– Represented in “lower” layer format
• Example: TCP/IP/Ethernet
(figure: ETH Dst | ETH Src | IP Header | TCP Packet (Sequence #, Checksum & Data))
IPv4 Packet Format
• IPv4 header, one 32-bit word per row:
Version | Hlen | TOS | Length
Ident | Flags | Offset
TTL | Protocol | Checksum
SourceAddr
DestinationAddr
Options (variable length) | Pad
DATA
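Added example, not from the slides: building and parsing the header layout above in Python, including the one's-complement header checksum that a receiver uses to reject a corrupted header. The function names and the sample addresses are my own.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then complemented.
    The caller passes the header with its Checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """Build a 20-byte header (no options) with a correct checksum and append the payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    length = 20 + len(payload)
    # Version=4, Hlen=5 words -> 0x45; Flags=DF (0x4000) with Offset 0; Checksum 0 for now
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, ident, 0x4000, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields of the slide's layout and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_hlen, tos, length, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4   # Hlen counts 32-bit words
    if version != 4 or hlen < 20 or hlen > len(packet) or length < hlen:
        raise ValueError("bad version or header length")
    header = packet[:hlen]
    zeroed = header[:10] + b"\x00\x00" + header[12:]       # recompute with Checksum cleared
    return {
        "version": version, "hlen": hlen, "tos": tos, "length": length, "ident": ident,
        "flags": flags_off >> 13, "offset": flags_off & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:], "data": packet[hlen:length],
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }
```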
TCP and UDP packets
• Protocols support O.S. “port numbers”:
UDP header:
SrcPort | DstPort
Length | Checksum
DATA
TCP header:
SrcPort | DstPort
SequenceNum
Acknowledgment
HL | 0 | Flags | Advert.Wind.
Checksum | UrgPtr
Options (variable)
DATA
Packet-Switched Nets are “Store-and-Forward”
• So, buffers (“elastic buffers”) are used to accommodate bursts
– Can never have enough buffering!
– Buffers form “queues”
(figure: Source#1 and Source#2 feeding a Queue in a Router on the way to the Destination)
TCP Learns what?
• Tries to discover “bottleneck bandwidth”
• Does this with acknowledgments
(figure: two TCP Senders share a Queue in a Router on the way to the TCP Rcvr; ACKs flow back to the senders)
Congestion Window Timeline
• Slow-start, then maintenance
(figure: WINDOW vs. Time, rising toward the Bottleneck Bandwidth)
Document-Based Middleware (1)
• The Web
– a big directed graph of documents
Document-Based Middleware (2)
How the browser gets a page
1. Asks DNS for IP address
2. DNS replies with IP address
3. Browser makes connection
4. Sends request for specified page
5. Server sends file
6. TCP connection released
7. Browser displays text
8. Browser fetches, displays images
File System-Based Middleware (1)
• Transfer Models
(a) upload/download model
(b) remote access model
File System-Based Middleware (2)
Naming Transparency
(b) Clients have same view of file system
(c) Alternatively, clients with different view
File System-Based Middleware (3)
• Semantics of File sharing
– (a) single processor gives sequential consistency
– (b) distributed system may return obsolete value
File System-Based Middleware (4)
• AFS – Andrew File System
– workstations grouped into cells
– note position of venus and vice
(figure: client's view)
Shared Object-Based Middleware (1)
• Main elements of CORBA based system
– Common Object Request Broker Architecture
Shared Object-Based Middleware (2)
• Scaling to large systems
– replicated objects
– flexibility
• Globe
– designed to scale to a billion users
– a trillion objects around the world
Shared Object-Based Middleware (3)
Globe structured object
Shared Object-Based Middleware (4)
• A distributed shared object in Globe
– can have its state copied on multiple computers at once
Shared Object-Based Middleware (5)
Internal structure of a Globe object
Coordination-Based Middleware (1)
• Linda
– independent processes
– communicate via abstract tuple space
• Tuple
– like a structure in C, record in Pascal
• Operations: out, in, read, eval
Coordination-Based Middleware (2)
Publish-Subscribe architecture
Coordination-Based Middleware (3)
• Jini - based on Linda model
– devices plugged into a network
– offer, use services
• Jini Methods
1. read
2. write
3. take
4. notify
Security
Chapter 9
9.1 The security environment
9.2 Basics of cryptography
9.3 User authentication
9.4 Attacks from inside the system
9.5 Attacks from outside the system
9.6 Protection mechanisms
9.7 Trusted systems
The Security Environment
Threats
Security goals and threats
Intruders
Common Categories
1. Casual prying by nontechnical users
2. Snooping by insiders
3. Determined attempt to make money
4. Commercial or military espionage
Accidental Data Loss
Common Causes
1. Acts of God – fires, floods, wars
2. Hardware or software errors – CPU malfunction, bad disk, program bugs
3. Human errors – data entry, wrong tape mounted
Basics of Cryptography
Relationship between the plaintext and the ciphertext
Secret-Key Cryptography
• Monoalphabetic substitution
– each letter replaced by different letter
• Given the encryption key,
– easy to find decryption key
• Secret-key crypto called symmetric-key crypto
Public-Key Cryptography
• All users pick a public key/private key pair
– publish the public key
– private key not published
• Public key is the encryption key
– private key is the decryption key
One-Way Functions
• Function such that given formula for f(x)
– easy to evaluate y = f(x)
• But given y
– computationally infeasible to find x
Digital Signatures
• Computing a signature block
• What the receiver gets
Key Management
• This is the hard part!
• How do you get a shared secret?
– Private-key systems need this, right?
– Public-key systems don’t
• Do need a directory of public keys
• Keys might (and often do) change with time
User Authentication
Basic Principles. Authentication must identify:
1. Something the user knows
2. Something the user has
3. Something the user is
This is done before user can use the system
Authentication Using Passwords
(a) A successful login
(b) Login rejected after name entered
(c) Login rejected after name and password typed
Authentication Using Passwords
• How a cracker broke into LBL
– a U.S. Dept. of Energy research lab
Authentication Using Passwords
The use of salt to defeat precomputation of encrypted passwords
(table: one row per user with columns Salt | Password)
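Added example, not from the slides: why a per-user salt defeats a precomputed table of encrypted passwords. PBKDF2-HMAC-SHA256 stands in for the slide-era crypt() function; the dictionary, the sample password and the function names are my own construction.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 10_000   # kept low for the demo; use a much higher work factor in production

def make_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stored record = (salt, digest). The salt is random per user and stored in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, entry: Tuple[bytes, bytes]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, stored = entry
    return hmac.compare_digest(make_entry(password, salt)[1], stored)

def precompute_table(dictionary: List[str], salt: bytes) -> Dict[bytes, str]:
    """A digest -> password table built once for a single salt value.
    With no salt (b"") this is the classic precomputed dictionary table."""
    return {make_entry(word, salt)[1]: word for word in dictionary}

def lookup(table: Dict[bytes, str], entry: Tuple[bytes, bytes]) -> Optional[str]:
    return table.get(entry[1])

def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: the same weak password stored unsalted and salted."""
    dictionary = ["password", "letmein", "qwerty", "hunter2"]
    table = precompute_table(dictionary, b"")          # built before seeing any password file
    unsalted = make_entry("hunter2", salt=b"")         # every user shares the (empty) salt
    salted = make_entry("hunter2")                     # fresh 16-byte salt for this user
    # The table reverses the unsalted digest at once; the salted one it cannot match at all,
    # and a new table would be needed for every distinct salt, which is the defence.
    return lookup(table, unsalted), lookup(table, salted)
```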
Authentication Using a Physical Object
• Magnetic cards
– magnetic stripe cards
– chip cards: stored value cards, smart cards
Authentication Using Biometrics
A device for measuring finger length.
Countermeasures
• Limiting times when someone can log in
• Automatic callback at number prespecified
• Limited number of login tries
• A database of all logins
• Simple login name/password as a trap
– security personnel notified when attacker bites
Operating System Security
Trojan Horses
• Free program made available to unsuspecting user
– Actually contains code to do harm
• Place altered version of utility program on victim's computer
– trick user into running that program
Login Spoofing
(a) Correct login screen
(b) Phony login screen
Logic Bombs
• Company programmer writes program
– potential to do harm
– OK as long as he/she enters password daily
– if programmer fired, no password and bomb explodes
Trap Doors
(a) Normal code.
(b) Code with a trapdoor inserted
May 15th, 2002 62
Buffer Overflow
• (a) Situation when main program is running
• (b) After program A called
• (c) Buffer overflow shown in gray
May 15th, 2002 63
Generic Security Attacks
Typical attacks
• Request memory, disk space, tapes and just read
• Try illegal system calls
• Start a login and hit DEL, RUBOUT, or BREAK
• Try modifying complex OS structures
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg admin's sec’y to help a poor user who forgot password
May 15th, 2002 64
Famous Security Flaws
The TENEX – password problem
Design Principles for Security
1. System design should be public
2. Default should be no access
3. Check for current authority
4. Give each process least privilege possible
5. Protection mechanism should be
- simple
- uniform
- in lowest layers of system
6. Scheme should be psychologically acceptable
And … keep it simple
Network Security
• External threat
– code transmitted to target machine
– code executed there, doing damage
• Goals of virus writer
– quickly spreading virus
– difficult to detect
– hard to get rid of
• Virus = program can reproduce itself
– attach its code to another program
– additionally, do harm
Virus Damage Scenarios
• Blackmail
• Denial of service as long as virus runs
• Permanently damage hardware
• Target a competitor's computer
– do harm
– espionage
• Intra-corporate dirty tricks
– sabotage another corporate officer's files
How Viruses Work (1)
• Virus written in assembly language
• Inserted into another program
– use tool called a “dropper”
• Virus dormant until program executed
– then infects other programs
– eventually executes its “payload”
How Viruses Work (2)
Recursive procedure that finds executable files on a UNIX system
Virus could infect them all
How Viruses Work (3)
• An executable program
• With a virus at the front
• With the virus at the end
• With a virus spread over free space within program
How Viruses Work (4)
• After virus has captured interrupt, trap vectors
• After OS has retaken printer interrupt vector
• After virus has noticed loss of printer interrupt vector and recaptured it
May 15th, 2002 72
How Viruses Spread
• Virus placed where likely to be copied
• When copied
– infects programs on hard drive, floppy
– may try to spread over LAN
• Attach to innocent looking email
– when it runs, use mailing list to replicate
Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques
Examples of a polymorphic virus
All of these examples do the same thing
May 15th, 2002 75
Antivirus and Anti-Antivirus Techniques
• Integrity checkers
• Behavioral checkers
• Virus avoidance
– good OS
– install only shrink-wrapped software
– use antivirus software
– do not click on attachments to email
– frequent backups
• Recovery from virus attack
– halt computer, reboot from safe disk, run antivirus
The Internet Worm
• Consisted of two programs
– bootstrap to upload worm
– the worm itself
• Worm first hid its existence
• Next replicated itself on new machines
Mobile Code (1)
Sandboxing
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity
Mobile Code (2)
Applets can be interpreted by a Web browser
May 15th, 2002 79
Mobile Code (3)
How code signing works
May 15th, 2002 80
Java Security (1)
• A type safe language
– compiler rejects attempts to misuse variable
• Checks include …
1. Attempts to forge pointers
2. Violation of access restrictions on private class members
3. Misuse of variables by type
4. Generation of stack over/underflows
5. Illegal conversion of variables to another type
Java Security (2)
Examples of specified protection with JDK 1.2
May 15th, 2002 82
Protection Mechanisms
Protection Domains (1)
Examples of three protection domains
Protection Domains (2)
A protection matrix
May 15th, 2002 84
Protection Domains (3)
A protection matrix with domains as objects
May 15th, 2002 85
Access Control Lists (1)
Use of access control lists to manage file access
Access Control Lists (2)
Two access control lists
May 15th, 2002 87
Capabilities (1)
Each process has a capability list
May 15th, 2002 88
Capabilities (2)
• Cryptographically-protected capability
(figure: capability fields: Server | Object | Rights | f(Objects, Rights, Check))
• Generic Rights
1. Copy capability
2. Copy object
3. Remove capability
4. Destroy object
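Added example, not from the slides: an Amoeba-style cryptographically protected capability with the Server | Object | Rights | Check fields shown above. The owner capability carries the object's secret Check; a restricted copy carries f(Check, Rights), so editing the Rights bits leaves a Check the server can detect. HMAC-SHA256 stands in for f, and the class and field names are my own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# The slide's generic rights, as bits in the Rights field
COPY_CAP, COPY_OBJ, REMOVE_CAP, DESTROY = 1, 2, 4, 8
ALL_RIGHTS = COPY_CAP | COPY_OBJ | REMOVE_CAP | DESTROY

@dataclass(frozen=True)
class Capability:
    server: str
    obj: int
    rights: int
    check: bytes   # owner capability: the secret Check itself; restricted: f(Check, Rights)

def f(check: bytes, rights: int) -> bytes:
    """One-way function over (Check, Rights); HMAC-SHA256 stands in for the slide's f."""
    return hmac.new(check, rights.to_bytes(2, "big"), hashlib.sha256).digest()

class Server:
    def __init__(self, name: str):
        self.name = name
        self.checks = {}          # object id -> random Check value, known only to the server

    def create(self) -> Capability:
        """Create an object and hand back its owner capability with all rights."""
        obj = len(self.checks) + 1
        self.checks[obj] = os.urandom(16)
        return Capability(self.name, obj, ALL_RIGHTS, self.checks[obj])

    def validate(self, cap: Capability) -> bool:
        """Recompute the Check field; a client that edits Rights cannot produce a matching value."""
        check = self.checks.get(cap.obj)
        if check is None or cap.server != self.name:
            return False
        expected = check if cap.rights == ALL_RIGHTS else f(check, cap.rights)
        return hmac.compare_digest(expected, cap.check)

    def allowed(self, cap: Capability, right: int) -> bool:
        return self.validate(cap) and bool(cap.rights & right)

def restrict(cap: Capability, rights: int) -> Capability:
    """Derive a weaker capability from an owner capability without contacting the server."""
    rights &= ALL_RIGHTS
    if cap.rights != ALL_RIGHTS:
        raise ValueError("only an owner capability can be restricted in this simplified scheme")
    if rights == ALL_RIGHTS:
        return cap
    return Capability(cap.server, cap.obj, rights, f(cap.check, rights))
```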
Trusted Systems
Trusted Computing Base
A reference monitor
Formal Models of Secure Systems
(a) An authorized state
(b) An unauthorized state
May 15th, 2002 91
Multilevel Security (1)
The Bell-La Padula multilevel security model
May 15th, 2002 92
Multilevel Security (2)
The Biba Model
• Principles to guarantee integrity of data
1. Simple integrity principle
• process can write only objects at its security level or lower
2. The integrity * property
• process can read only objects at its security level or higher
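Added example, not from the slides: a small reference monitor that enforces either the Bell-La Padula rules (simple security: no read up; *-property: no write down) or the Biba rules exactly as stated on this slide, and records every denial. The level names, subjects and objects are my own construction.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    level: int

@dataclass(frozen=True)
class Obj:
    name: str
    level: int

def bell_lapadula(s_level: int, o_level: int, op: str) -> bool:
    """Confidentiality: simple security (no read up) and *-property (no write down)."""
    if op == "read":
        return s_level >= o_level
    if op == "write":
        return s_level <= o_level
    raise ValueError(op)

def biba(s_level: int, o_level: int, op: str) -> bool:
    """Integrity, as on the slide: write only at own level or lower,
    read only at own level or higher, so low-integrity data cannot contaminate."""
    if op == "write":
        return s_level >= o_level
    if op == "read":
        return s_level <= o_level
    raise ValueError(op)

class ReferenceMonitor:
    """Every access goes through here; denials are kept as an audit trail."""
    def __init__(self, model):
        self.model = model
        self.audit = []

    def access(self, subject: Subject, obj: Obj, op: str) -> bool:
        allowed = self.model(subject.level, obj.level, op)
        if not allowed:
            self.audit.append((subject.name, op, obj.name))
        return allowed
```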
Orange Book Security (1)
• Symbol X means new requirements
• Symbol -> means requirements from next lower category apply here also
Orange Book Security (2)
May 15th, 2002 95
Covert Channels (1)
Client, server and collaborator processes
Encapsulated server can still leak to collaborator via covert channels
Covert Channels (2)
A covert channel using file locking
May 15th, 2002 97
Covert Channels (3)
• Pictures appear the same
• Picture on right has text of 5 Shakespeare plays
– encrypted, inserted into low order bits of color values
(figure: Zebras; Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear)
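Added example, not from the slides: how the hidden-text picture on this slide is built and read back, and why the two pictures look the same (no colour value moves by more than 1). The cover image is a constructed list of colour values, the SHA-256 keystream is a toy stand-in for the real cipher, and the function names are my own.

```python
import hashlib
import random

def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher for the demo: SHA-256(key || counter); use a real cipher in practice."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def embed(cover: list, text: bytes, key: bytes) -> list:
    """Encrypt, prefix a 2-byte length, then put one bit per colour value in its low-order bit."""
    ct = bytes(a ^ b for a, b in zip(text, keystream(key, len(text))))
    payload = len(text).to_bytes(2, "big") + ct
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for message")
    stego = list(cover)
    for k, bit in enumerate(bits):
        stego[k] = (stego[k] & 0xFE) | bit     # only the LSB changes
    return stego

def extract(stego: list, key: bytes) -> bytes:
    """Read the length prefix, then the ciphertext, from the low-order bits and decrypt."""
    def read_bytes(offset: int, count: int) -> bytes:
        return bytes(sum((stego[offset + 8 * j + i] & 1) << (7 - i) for i in range(8))
                     for j in range(count))
    n = int.from_bytes(read_bytes(0, 2), "big")
    ct = read_bytes(16, n)
    return bytes(a ^ b for a, b in zip(ct, keystream(key, n)))

def max_channel_difference(a: list, b: list) -> int:
    """Why the pictures 'appear the same': the largest change to any colour value."""
    return max(abs(x - y) for x, y in zip(a, b))

def make_cover(n: int, seed: int = 1) -> list:
    """Constructed 'image': n colour values in 0..255 (no real picture needed for the demo)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]
```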