Page 1

Outline for Today's Lecture

Administrative:
– If you weren't here last time, pick up midterm
– Assignment 3 still in progress

Objective:
– Security
– Access Control Mechanisms

Page 2

Grades*

[Histogram of midterm scores; y-axis 0–7 students per bin. Bins: 89-100 (A), 79-88 (A-/B+), 69-78 (B), 59-68 (B-/C+), <60 (C-/D*)]

Median = 80, Mean = 75.8

* = remedial concurrency problem
* histogram not updated after grade changes

Page 3

Step 0: Basic Mechanisms

Discussed in previous lecture:

• symmetric key cryptography

• public key cryptography

• digital signatures

• one-way functions

• hashes

Page 4

Step 1: User Authentication

Basic principles. Authentication must verify the user by one or more of:

1. Something the user knows (password, PIN)

2. Something the user has (card, token)

3. Something the user is (biometric)

This is done before the user can use the system; every later access control decision refers to the identity established here.

Page 5

Authentication Using Passwords

(a) A successful login
(b) Login rejected after name entered
(c) Login rejected after name and password typed

Page 6

Authentication Using Passwords

• How a cracker broke into LBL – a U.S. Dept. of Energy research lab

Page 7

Login Spoofing

(a) Correct login screen
(b) Phony login screen

Page 8

Authentication Using Passwords

The use of salt to defeat precomputation of encrypted passwords

[Table with columns Salt, Password; four rows, whose values are not recoverable from the extracted text]
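Added example (Python, not from the slides): why the salt defeats a precomputed table. The wordlist and the passwords are constructed; SHA-256 stands in for the slide's one-way "encryption" of the password and PBKDF2-HMAC for the salted variant. The point the table on the slide makes is shown as code: with no salt, one precomputed table cracks every account in O(1) per account; with a per-user random salt, the table is useless and the attacker has to redo the hashing for each account, so the cost no longer amortises.

```python
import hashlib
import hmac
import secrets

# Constructed attacker wordlist (stands in for a real dictionary).
WORDLIST = ["password", "letmein", "Dog4238", "hunter2", "qwerty"]


def hash_unsalted(password):
    # One-way function over the password alone: every user who picks
    # "letmein" stores the same value, so one precomputed table fits all.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt, iterations=100_000):
    # Salt is random per user and stored in the clear beside the hash.
    # PBKDF2 additionally makes each guess cost `iterations` HMAC calls.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_salt():
    return secrets.token_bytes(16)


def verify(password, salt, stored, iterations=100_000):
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(hash_salted(password, salt, iterations), stored)


def precompute_table(wordlist):
    # Attacker's one-time work: hash every candidate once, index by hash.
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hash, table):
    # One dictionary lookup per account; the table cost was paid once.
    return table.get(stored_hash)


def crack_salted(stored_hash, salt, wordlist, iterations=100_000):
    # No lookup possible: the attacker must redo the hashing for THIS salt.
    # Weak passwords still fall, but only at full cost per account.
    for w in wordlist:
        if hash_salted(w, salt, iterations) == stored_hash:
            return w
    return None
```

Salt does not make a weak password strong: `crack_salted` still finds "letmein". What it removes is the amortisation across accounts and across time, which is why the slow hash (the iteration count) is the other half of the defence.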

Page 9

One-Time Passwords

Using a 1-way function:
• Function such that, given the formula for f(x),
  – it is easy to evaluate y = f(x)
  – but given y, it is computationally infeasible to find x

• One-time passwords (Lamport's scheme)
  – Choose a password s and an integer n
  – 1st time P1 = f(f(f(f(s)))), 2nd time P2 = f(f(f(s))), etc.: each password is one application of f fewer than the last
  – Login name supplies the current integer value
  – Server stores the last accepted password; it accepts the new one iff f(new password) == stored value, then replaces the stored value with the new password. A replayed password fails, and an eavesdropper cannot compute the next one because f is one-way.
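Added example (Python, not from the slides): Lamport's hash chain as described above, with SHA-256 as the one-way function f and a constructed seed. With n = 5 the server is seeded with f^5(s) and the first password sent is f^4(s), matching the four nested f's on the slide; the replay and ordering checks are what the last bullet describes.

```python
import hashlib


def f(x):
    # The one-way function of the slide; SHA-256 stands in for it.
    return hashlib.sha256(x).digest()


def f_pow(x, k):
    # f applied k times: f^k(x)
    for _ in range(k):
        x = f(x)
    return x


class OtpClient:
    """Holds the secret s and the exponent of the next password to send."""

    def __init__(self, secret, n):
        self.secret = secret
        self.k = n - 1            # first password is f^(n-1)(s)

    def next_password(self):
        p = f_pow(self.secret, self.k)
        self.k -= 1               # one application fewer each login
        return p


class OtpServer:
    """Stores only the last accepted value (initially f^n(s)), never s."""

    def __init__(self, seed_hash):
        self.stored = seed_hash

    def login(self, candidate):
        # Accept iff one more application of f gives what we hold; the
        # candidate then becomes the stored value, so it can never be reused.
        if f(candidate) == self.stored:
            self.stored = candidate
            return True
        return False
```

Note that the server's stored value only ever moves down the chain, so a password captured on the wire is worthless once the legitimate user has logged in with it, and the secret s itself never leaves the client.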

Page 10

Challenge - Response

• Sets of question – answer pairs
  – Server picks one and asks
  – User knows the answer
• User picks a function f(x)
  – Server sends a value for x
  – User sends back f(x) as the password
• Using symmetric encryption
  – Server sends a random value r
  – User encrypts it with the shared secret key: e(r, k)
• Server computes the same value and compares
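Added example (Python, not from the slides): the symmetric-key variant with both sides' messages. A keyed MAC (HMAC-SHA256) is used in place of the slide's e(r, k); it realises the same idea, a value only a holder of k can produce from r, and is the standard choice today. The user names and keys are constructed. The server keeps each challenge single-use, which is what stops the replay shown in the test.

```python
import hashlib
import hmac
import secrets


def respond(key, challenge):
    # Client side: prove knowledge of k without ever sending k.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class CrServer:
    def __init__(self, keys):
        self.keys = keys            # user -> shared secret k (constructed)
        self.outstanding = {}       # user -> challenge r currently issued

    def challenge(self, user):
        # Fresh random r per attempt; an old response is useless against it.
        r = secrets.token_bytes(16)
        self.outstanding[user] = r
        return r

    def verify(self, user, response):
        # Pop so the challenge is consumed whether the answer is right or not.
        r = self.outstanding.pop(user, None)
        if r is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

The exchange is: server -> user: r; user -> server: HMAC(k, r); server recomputes and compares. The response never reveals k, and because r changes each time, recording one exchange does not let an eavesdropper log in later.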

Page 11

Graphical Challenge-Response

Page 12

Authentication Using a Physical Object

• Magnetic cards
  – magnetic stripe cards
  – chip cards: stored value cards, smart cards
• RFIDs

Page 13

Authentication Using Biometrics

• A device for measuring finger length.
• Retinal scans
• Voice recognition
• Surveillance tech
  – Image analysis
  – Gait analysis

Page 14

Countermeasures

• Limiting times when someone can log in
• Automatic callback at a prespecified number
• Limited number of login tries
• A database of all logins
• Simple login name/password as a trap
  – security personnel notified when the attacker bites

Page 15

Step 2: Access Control Mechanisms

Protection Domains

Examples of three protection domains

Page 16

The Access Model

• Authorization problems can be represented abstractly by an access matrix.
  – each row represents a subject/principal/domain
  – each column represents an object
  – each cell: the accesses permitted for the {subject, object} pair
    • read, write, delete, execute, search, control, or any other method
• In real systems, the access matrix is sparse and dynamic.
  • need a flexible, efficient representation

Page 17

Access Control Matrix

• Processes execute in a protection domain, initially inherited from the subject

[Access matrix, reconstructed from the extracted cells]

            gradefile  solutions  proj1  luvltr  hotgossip
TA grp      rwx        rw         rw
Terry       r                     rx     r       rw
Lynn                                     rw      rw

Page 18

Two Representations

• ACL – Access Control Lists
  – Columns of the previous matrix
  – Permissions attached to Objects
  – ACL for file hotgossip: Terry, rw; Lynn, rw
• Capabilities
  – Rows of the previous matrix
  – Permissions associated with the Subject
  – Tickets, Namespace (what it is that one can name)
  – Capabilities held by Lynn: luvltr, rw; hotgossip, rw
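Added example (Python, not from the slides): the matrix from the previous slide sliced both ways, with the authorization check each representation leads to. The matrix cells are the ones reconstructed from the slide; `restrict` and `acl_revoke` are added to show the two operations the later "dynamics" slides worry about (handing a callee a weaker capability, and revoking from one place). A plain dict stands in for a kernel-protected capability here; the unforgeability the slide requires is assumed, not implemented.

```python
from collections import defaultdict

# Access matrix from the slides (cells reconstructed from the slide text):
# rows = subjects/principals/domains, columns = objects, cells = rights.
MATRIX = {
    "TA grp": {"gradefile": "rwx", "solutions": "rw", "proj1": "rw"},
    "Terry":  {"gradefile": "r", "proj1": "rx", "luvltr": "r", "hotgossip": "rw"},
    "Lynn":   {"luvltr": "rw", "hotgossip": "rw"},
}


def to_acls(matrix):
    """Column view, stored with each object: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subj] = set(rights)
    return dict(acls)


def to_clists(matrix):
    """Row view, stored with each subject: subject -> {object: rights}."""
    return {subj: {obj: set(r) for obj, r in row.items()}
            for subj, row in matrix.items()}


def acl_check(acls, subj, obj, op):
    """Reference monitor over ACLs: look the subject up in the object's list
    and compare the requested op with what is permitted. Default: deny."""
    return op in acls.get(obj, {}).get(subj, set())


def cap_check(clist, obj, op):
    """With capabilities the holder presents (object, rights); the monitor
    only checks that the presented capability carries the op. It does not
    need to know who the holder is, which is also why confinement is hard."""
    return op in clist.get(obj, set())


def restrict(clist, obj, keep):
    """Derive a weaker capability to hand to a callee: e.g. pass read-only on
    luvltr even though the caller holds rw (the 'modification' problem)."""
    return {obj: clist[obj] & set(keep)} if obj in clist else {}


def acl_revoke(acls, obj, subj):
    """Revocation with an ACL is one edit in one place, the object's list.
    With capabilities the right lives in every c-list it was copied to."""
    acls.get(obj, {}).pop(subj, None)
    return acls
```

Read the two views against the slide: `to_acls(MATRIX)["hotgossip"]` is exactly "Terry, rw; Lynn, rw", and `to_clists(MATRIX)["Lynn"]` is exactly "luvltr, rw; hotgossip, rw".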

Page 19

File Access Control

• Access control lists – a detailed list attached to the file of users allowed (denied) access, including the kind of access allowed/denied.
• UNIX RWX – owner, group, everyone
• Capabilities – permitted accesses associated with the subject (user), similar to an address space.
  – Un-forgeable object reference, like a pointer.

Page 20

Trusted Systems

Trusted Computing Base

A reference monitor

Page 21

Access Control Lists

• Approach: represent the access matrix by storing its columns with the objects.
• Tag each object with an access control list (ACL) of authorized subjects/principals.
• To authorize an access requested by S for O
  – search O's ACL for an entry matching S
  – compare the requested access with the permitted access
  – access checks are often made only at bind time (e.g., at open); later operations on the returned handle are not re-checked, so a revocation takes effect only for new binds

Page 22

Access Control Lists

Use of access control lists to manage file access

Page 23

Access Control Lists

Two access control lists

Page 24

UNIX access control

• Each file carries its access control with it:

  rwx        rwx        rwx             setuid
  Owner UID  Group GID  Everybody else

• Owner has chmod, chgrp rights (granting, revoking)

Page 25

Access Control Matrix

• How to encode in Unix?

[Access matrix, reconstructed from the extracted cells]

            gradefile  solutions  proj1  luvltr  hotgossip
TA grp      rwx        rw         rw
Terry       r                     rx     r       rw
Lynn                                     rw      rw
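Added example (Python, not from the slides) answering the slide's question mechanically: for each column of the matrix, search for an owner, a group membership and a mode triple that reproduce the column exactly under the UNIX check, and report when the three-class model cannot. The matrix cells are the reconstructed ones; "TA grp" is treated as a principal that can own a file. It goes one step beyond the slide: the constructed fourth principal "Pat", given r on proj1, is the case that cannot be encoded, because owner/group/other give only three classes and four subjects then need four distinct right-sets.

```python
from itertools import chain, combinations

# Access matrix from the slides (cells reconstructed from the slide text).
MATRIX = {
    "TA grp": {"gradefile": "rwx", "solutions": "rw", "proj1": "rw"},
    "Terry":  {"gradefile": "r", "proj1": "rx", "luvltr": "r", "hotgossip": "rw"},
    "Lynn":   {"luvltr": "rw", "hotgossip": "rw"},
}
OBJECTS = ("gradefile", "solutions", "proj1", "luvltr", "hotgossip")


def column(matrix, obj):
    """One column of the matrix: subject -> set of rights (empty = no cell)."""
    return {s: set(row.get(obj, "")) for s, row in matrix.items()}


def unix_access(uid, f, op):
    """The UNIX check for f = {owner, group, mode=(owner, group, other)}:
    the first class that applies decides, even if a later class would grant
    more (a group member with fewer bits than 'other' is still denied)."""
    if uid == f["owner"]:
        bits = f["mode"][0]
    elif uid in f["group"]:
        bits = f["mode"][1]
    else:
        bits = f["mode"][2]
    return op in bits


def subsets(items):
    items = list(items)
    return chain.from_iterable(combinations(items, k) for k in range(len(items) + 1))


def encode(col):
    """Find (owner, group membership, mode) reproducing the column exactly
    under unix_access; None if the three-class model cannot express it."""
    subjects = list(col)
    for owner in subjects:
        for grp in subsets(s for s in subjects if s != owner):
            rest = [s for s in subjects if s != owner and s not in grp]
            grp_rights = {frozenset(col[s]) for s in grp}
            oth_rights = {frozenset(col[s]) for s in rest}
            if len(grp_rights) > 1 or len(oth_rights) > 1:
                continue  # one class would need two different bit patterns
            f = {"owner": owner, "group": frozenset(grp),
                 "mode": (set(col[owner]),
                          set(next(iter(grp_rights), ())),    # empty class: no bits
                          set(next(iter(oth_rights), ())))}   # default deny for others
            if all(unix_access(s, f, op) == (op in col[s])
                   for s in subjects for op in "rwx"):
                return f
    return None


def encode_all(matrix, objects=OBJECTS):
    return {obj: encode(column(matrix, obj)) for obj in objects}
```

For the slide's matrix every column encodes (e.g. gradefile: owner TA grp rwx, group {Terry} r, other none). The failure case is the reason real UNIX systems grew POSIX ACLs: one group per file is the bottleneck, not the bit vector.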

Page 26

Capabilities

• Approach: represent the access matrix by storing its rows with the subjects.
• Tag each subject with a list of capabilities for the objects it is permitted to access.
  – A capability is an unforgeable object reference, like a pointer.
  – It endows the holder with permission to operate on the object
    • e.g., permission to invoke specific methods
  – Typically, capabilities may be passed from one subject to another.
    • Rights propagation and confinement problems

Page 27

Capabilities

Each process has a capability list

Page 28

Capabilities

• Cryptographically-protected capability: Server | Object | Rights | f(Object, Rights, Check)
• Generic Rights
  1. Copy capability
  2. Copy object
  3. Remove capability
  4. Destroy object

Page 29

Dynamics of Protection Schemes

• How to endow software modules with appropriate privilege?
  – What mechanism exists to bind principals with subjects?
    • e.g., setuid syscall, setuid bit
  – What principals should a software module bind to?
    • privilege of creator: but may not be sufficient to perform the service
    • privilege of owner or system: dangerous

Page 30

Dynamics of Protection Schemes

Problems:
• Mutual Suspicion
  When a caller requests a service, the callee should be limited in what of the caller's it has access to (only what it is passed). (entering a domain – setuid – vs. passing in a single object)
• Modification
  When the caller does pass an object as a parameter, we want to control whether the callee can modify it (I send you a photo, you remove my copyright mark)
• Conservation
  When the caller passes an object to gain a service, we want to know that the callee doesn't retain, or even pass on, the right to the object after we think they are done with it (our credit card number – and selling such databases)
• Confinement
  We want to prevent information leaks (besides the objects themselves)

Page 31

Dynamics of Protection Schemes

• How to revoke privileges?
• What about adding new subjects or new objects?
• How to dynamically change the set of objects accessible (or vulnerable) to different processes run by the same user?
  – Need-to-know principle / Principle of minimal privilege
  – How do subjects change identity to execute a more privileged module?
    • protection domain, protection domain switch (enter)

Page 32

Protection Domains

• Processes execute in a protection domain, initially inherited from the subject
• Goal: to be able to change protection domains
• Introduce a level of indirection
• Domains become protected objects with operations defined on them: owner, copy, control

[Access matrix extended with domains as objects; o = owner right, c = copy flag on the right. Reconstructed from the extracted cells.]

            gradefile  solutions  proj1  luvltr  hotgossip
TA grp      rwx        rw         rwo
Terry       r                     rxc    r       rw
Lynn                                     rw      rw

Added row and column Domain0 (the domain as an object). Cells extracted for them: ctl, enter, r, enter; their exact placement is not recoverable from the extracted text.

Page 33

Protection Domains

• If a domain holds a right to some object with the copy flag, it can transfer that right to the object to another domain.
• If a domain is the owner of some object, it can grant any right to the object, with or without copy, to another domain.
• If a domain is the owner of, or has the ctl right to, a domain, it can remove a right to an object from that domain.
• Rights propagation.

[Same matrix after rights have been propagated; o = owner right, c = copy flag. Reconstructed from the extracted cells.]

            gradefile  solutions  proj1  luvltr  hotgossip
TA grp      rwx        rw         rwo
Terry       r                     rxc    r       rw
Lynn                                     rw      rw

Cells extracted for the Domain0 row and column: ctl, enter, r, rc, r, enter. Compared with the previous slide, an "rc" and an "r" have appeared (rights copied into Domain0); their exact placement is not recoverable from the extracted text.

Page 34

UNIX access control

• Each file carries its access control with it:

  rwx        rwx        rwx             setuid
  Owner UID  Group GID  Everybody else

  setuid: when the bit is set, it allows the process executing the object to assume the UID of the owner temporarily – enter the owner's domain (rights amplification)

• Owner has chmod, chgrp rights (granting, revoking)

Page 35

Capability Calling Mechanism

• Assume a capability to execute a procedure (lpr)

• Parameter is a capability to an object of mine (read access to file foo)

• lpr’s c-list has a template capability for the parameter, requires that certain rights are passed in (if lpr can’t read the file foo, it obviously can’t do its job)

• Sometimes, need rights amplification to do the job.

Page 36

Dynamics of Protection Schemes

Problems, revisited with the domain mechanisms:
• Mutual Suspicion – enter my domain vs. me, as owner, granting a right to another domain (temporarily)
• Modification – rights for particular operations
• Conservation – ctl, i.e. being able to revoke rights; not granting copy rights
• Confinement – remove rights to write or create anything else?

Page 37

Multilevel Security

The Bell-La Padula multilevel security model

Page 38

Risks

Page 39

Trojan Horses: Inside Jobs

• Free program made available to an unsuspecting user
  – Contains code to do harm
  – Example of tricking the user, himself or herself, into running that program
• Place an altered version of a utility program on the victim's computer, say, in some bin directory that might be in their PATH
• Lay a trap for the sysadmin to gain root privilege
  – Install a local version of ls; then do something that causes the sysadmin to run:

    % cd yourHomeDir
    % ls -l

Page 40

Logic Bombs

Company programmer writes a program
– with the potential to do harm
– OK as long as he/she enters a password daily; his/her name stays on the paycheck database; etc.
– if the programmer is fired, no password and the bomb explodes

Page 41

Trap Doors

(a) Normal code.

(b) Code with a trapdoor inserted

Page 42

Generic Security Attacks

Typical attacks
• Request "free" memory, disk space, tapes and just read what was left there (not zero-filled on dealloc)
• Try illegal system calls – if the system gets confused enough, you may be in
• Start a login and hit DEL, RUBOUT, or BREAK to possibly kill password checking
• Try modifying complex OS structures kept in user space (if any)
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg the admin's secretary to help a poor user who forgot their password

Page 43

Buffer Overflow

(a) Situation when the main program is running
(b) After procedure A is called
(c) Fixed-size buffer B – overflow shown in gray. The user supplies a string long enough to overwrite the return address

Page 44

Famous Security Flaws

• UNIX lpr utility: option to remove the file after printing; print and remove the password file
• Link the file core in the working directory to the password file. Force a core dump of a SETUID program; it writes the core file, overwriting the password file

Page 45

Famous Security Flaws

The TENEX password problem
• Page faults could be monitored by the user – a user function was called on each fault
• Passwords were checked one character at a time, stopping at the first mismatch. Placing the guess across a page boundary so that the next character lies on an unmapped page turns "did the check get past this character?" into "was there a page fault?", so each character can be found independently.

[Figure panels (a), (b), (c)]
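Added example (Python, not from the slides): a simulation of the TENEX flaw and the attack it enables. The page-fault side channel is modelled as a counter of how many characters the checker examined, which is exactly the bit TENEX leaked; the password and alphabet are constructed. `recover` shows why the leak is fatal: the cost drops from |alphabet|^length to length x |alphabet| guesses. `SafeChecker` is the fix, a constant-time comparison of fixed-length digests, against which the same attack learns nothing.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits   # attacker's guess space


class TenexChecker:
    """Vulnerable checker: compares the guess one character at a time and
    stops at the first mismatch. chars_examined stands in for what TENEX
    leaked through page faults: how far into the guess the check got."""

    def __init__(self, password):
        self._pw = password
        self.chars_examined = 0

    def check(self, guess):
        self.chars_examined = 0
        for i, c in enumerate(self._pw):
            if i >= len(guess):
                return False
            self.chars_examined += 1
            if guess[i] != c:
                return False
        return len(guess) == len(self._pw)


class SafeChecker:
    """Fixed: compare fixed-length digests in constant time, so the work done
    no longer depends on where the guess first diverges."""

    def __init__(self, password):
        self._h = hashlib.sha256(password.encode()).digest()
        self.chars_examined = 0

    def check(self, guess):
        self.chars_examined = len(self._h)        # always the same
        return hmac.compare_digest(hashlib.sha256(guess.encode()).digest(), self._h)


def recover(checker, length):
    """Attack: fix the known prefix, vary one character, keep the one that
    makes the checker look at the NEXT character. Returns (candidate, guesses)."""
    known, attempts = "", 0
    for pos in range(length):
        for c in ALPHABET:
            guess = known + c + "a" * (length - pos - 1)
            attempts += 1
            if checker.check(guess):
                return guess, attempts
            if checker.chars_examined > pos + 1:   # the oracle said "past pos"
                known += c
                break
        else:
            return None, attempts        # no character advanced the check
    return known, attempts
```

Against `SafeChecker` the oracle reads the same for every guess, so `recover` is fooled into accepting the first letter at every position and returns a candidate that does not verify; the attacker is back to blind brute force.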

Page 46

Design Principles for Security

1. System design should be public – open source
2. Default should be no access
3. Check for current authority – e.g. not just at "open"
4. Give each process the least privilege possible
5. Protection mechanism should be
   - simple
   - uniform
   - in the lowest layers of the system
   Security is not an add-on feature
6. Scheme should be psychologically acceptable

And … keep it simple

Page 47

From the Outside: Network Security

• External threat
  – code transmitted to the target machine
  – code executed there, doing damage
• Goals of the virus writer
  – quickly spreading virus
  – difficult to detect
  – hard to get rid of
• Virus = a program that can reproduce itself by attaching its code to another program
  – additionally, do harm

Page 48

Virus Damage Scenarios

• Blackmail
• Denial of service as long as the virus runs
• Permanently damage hardware
• Target a competitor's computer
  – do harm
  – espionage
• Intra-corporate dirty tricks
  – sabotage another corporate officer's files

Page 49

How Viruses Work

• Virus usually written in assembly language
• Inserted into another program
  – use a tool called a "dropper"
• Virus dormant until the program is executed
  – then infects other programs
  – eventually executes its "payload"
    • possibly waits for a significant date
• Types: companion, executable program, memory, boot sector, device driver, macro, source code

Page 50

How Viruses Work

Bait and switch – companion viruses
• MS-DOS example:
  run prog: the system tries prog.com, then prog.exe
  Release a prog.com for a popular prog.exe

Page 51

How Viruses Work

[Figure: a recursive procedure that finds executable files on a UNIX system; a virus could infect them all. The code itself is not in the extracted text.]

Page 52

How Viruses Work

• An executable program
• with a parasitic virus at the front
• at the end
• spread over free space within the program (cavity virus)

Page 53

How Viruses Work

Boot sector viruses
• 1st hide the real boot sector
• When booted, copy the virus into memory, making it a memory-resident virus
• Then boot the OS

A device driver infected with a virus loads it at boot time.

Page 54

How Viruses Work

• After the virus has captured the interrupt and trap vectors
  – The syscall trap is a good one: the virus can watch for exec calls
• After the OS has retaken the printer interrupt vector
• After the virus has noticed the loss of the printer interrupt vector and recaptured it

Page 55

How Viruses Work

Macros
• Applications like Word or Excel allow macros that get executed via keystroke or menu
• Attach a macro to the open-file function and you are off and running
• Can be sent in email attachments
• Some emailers automatically open attachments

Page 56

How Viruses Spread

• Virus placed where it is likely to be copied
• When copied
  – infects programs on the hard drive, floppy
  – may try to spread over the LAN
• Attach to innocent-looking email
  – when it runs, use the mailing list to replicate

Page 57

Antivirus and Anti-Antivirus Techniques

(a) A program
(b) Infected program, metadata giveaways
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Page 58

Antivirus and Anti-Antivirus Techniques

Examples of a polymorphic virus: all of these examples do the same thing

Mutation engine – code that morphs the signature part of the virus each time it spreads

Page 59

Antivirus and Anti-Antivirus Techniques

• Integrity checkers – checksums
• Behavioral checkers
• Virus avoidance
  – good OS
  – install only shrink-wrapped software
  – use antivirus software
  – do not click on attachments to email
  – avoid active content
  – frequent backups
• Recovery from a virus attack
  – halt the computer, reboot from a safe disk, run antivirus

Page 60

The Internet Worm

• Worm = replicating program
• Nov. 1988, Robert Morris, Cornell grad student
• Consisted of two programs
  – bootstrap to upload the worm
  – the worm itself
• Worm first hid its existence
• Next replicated itself on new machines
  – rsh
  – finger name@site – overflow the finger daemon's stack with a long string
  – bug in sendmail to mail the bootstrap & exec it
  – tried to break user passwords and go on
• Too aggressive – 1 in 7 times it kept running on a machine that already had a copy, so re-infections piled up and machines were overloaded
• CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked; fields reports of security break-ins

Page 61

Mobile Code Sandboxing

(a) Memory divided into 1-MB sandboxes

(b) One way of checking an instruction for validity

Page 62

Mobile Code

Applets can be interpreted by a Web browser

Page 63

Mobile Code

How code signing works

Page 64

Covert Channels

Client, server and collaborator processes

The encapsulated server can still leak to the collaborator via covert channels

Page 65

Covert Channels

A covert channel using file locking

Page 66

Covert Channels

• Pictures appear the same
• Picture on the right has the text of 5 Shakespeare plays
  – encrypted, inserted into the low-order bits of the color values

Zebras; Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear
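Added example (Python, not from the slides): the low-order-bit embedding the slide describes, on a constructed cover image (a striped RGB pattern in place of the zebra photo) and a short Hamlet quotation in place of five plays. One bit of payload goes into the least significant bit of each colour value after a 4-byte length header, so no channel moves by more than 1 and the two pictures look the same. The "encrypted" step is an illustrative SHA-256 counter-mode keystream XOR, not a vetted cipher; its role here is only that the extracted bits look random without the key.

```python
import hashlib


def keystream(key, n):
    """Illustrative keystream (SHA-256 in counter mode); stands in for the
    'encrypted' step on the slide and is not a vetted cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_cover(width, height):
    """Constructed cover image: a striped RGB pattern as a list of (r, g, b)
    tuples, standing in for the zebra photograph on the slide."""
    return [((x * 7) % 256, (y * 3) % 256, ((x + y) * 5) % 256)
            for y in range(height) for x in range(width)]


def capacity(pixels):
    """Payload bytes that fit: one bit per colour channel, minus the header."""
    return len(pixels) * 3 // 8 - 4


def embed(pixels, payload):
    """Write a 4-byte length header and the payload into the low-order bit of
    successive colour values. Each channel changes by at most 1."""
    if len(payload) > capacity(pixels):
        raise ValueError("payload too large for cover")
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    flat = [c for px in pixels for c in px]
    for i, b in enumerate(bits):
        flat[i] = (flat[i] & ~1) | b
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract(pixels):
    """Read the header, then that many payload bytes, from the low-order bits."""
    flat = [c for px in pixels for c in px]

    def read_bytes(count, start):
        out = bytearray()
        for k in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (flat[start + k * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    n = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(n, 32)


def max_channel_delta(a, b):
    """Largest per-channel change between two images (at most 1 here)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))
```

The defender's angle: a plain LSB embedding like this survives lossless copying but not lossy recompression, and the statistics of the low-order bits change enough that steganalysis can flag it; that is why the slide's payload is encrypted first, so at least the extracted bits carry no recognisable text.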

Page 67

Is it a Technical Problem?

Lots of known solution techniques

• Access control

• Crypto

• Firewalls

• Intrusion detection

So why isn’t it a solved problem?

Page 68

Economics

"The party who is in a position to protect a system is not the party who would suffer the results of security failure."

Ross Anderson

Security
• For whom is it built?
• Who pays for it?