Protection and Security (source: people.rennes.inria.fr/alan.schmitt/teaching/assets/security.pdf)


Protection and Security

What is (Computer) Security?

“Security is a chain; it’s only as secure as its weakest link.”

“Security is a process, not a product.”

“Security is a tradeoff”

Applied Operating System Concepts, Silberschatz, Galvin, and Gagne, 1999

The Security Problem

• Security must consider the external environment of the system, and protect it from:
  – unauthorized access
  – malicious modification or destruction
  – accidental introduction of inconsistency
• Easier to protect against accidental than malicious misuse.
• Protection is internal, security is external → take the hard drive out of a computer and read it from another system.


Module 18: Protection

• Goals of Protection

• Domain of Protection

• Access Matrix

• Implementation of Access Matrix

• Revocation of Access Rights

• Capability-Based Systems

• Language-Based Protection

• Digital Rights Management


Protection

• Operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a well-defined set of operations that depend on the object.
• Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
  → Prevent unauthorized access: system processes, other users, Digital Rights Management
  → Improve reliability: protect the system from application bugs
• Policy is distinct from mechanism


Domain Structure

• Access-right = <object-name, rights-set>
  Rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights
• Association between processes and domains may be static or dynamic
• Each domain can be a user, a process, or a procedure


Domain Implementation

• System consists of 2 domains:
  – User
  – Supervisor
• UNIX
  – Domain = user-id
  – Domain switch accomplished via the file system.
    – Each file has associated with it a domain bit (setuid bit).
    – When a file is executed and setuid = on, then the user-id is set to the owner of the file being executed. When execution completes the user-id is reset.

Demo of setuid

    schmitta@charm tmp % cat printid.c
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/types.h>

    int main(void)
    {
        printf("Real UID\t= %d\n", getuid());
        printf("Effective UID\t= %d\n", geteuid());
        printf("Real GID\t= %d\n", getgid());
        printf("Effective GID\t= %d\n", getegid());
        return EXIT_SUCCESS;
    }
    schmitta@charm tmp % gcc -o printid printid.c
    schmitta@charm tmp % chmod ug+s printid
    schmitta@charm tmp % ls -l printid
    -rwsr-sr-x  1 schmitta  staff  12688 29 avr 10:19 printid
    schmitta@charm tmp % ./printid
    Real UID        = 503
    Effective UID   = 503
    Real GID        = 20
    Effective GID   = 20
    schmitta@charm tmp % su admin
    Password:
    bash-3.2$ ./printid
    Real UID        = 501
    Effective UID   = 503
    Real GID        = 501
    Effective GID   = 20

Access Matrix

           F1      F2      F3      HP
    D1     read            read
    D2                             print
    D3             read    exec
    D4     read            read
           write           write

Access Matrix (domains are objects too: a "switch" right lets a process move into that domain)

           F1      F2      F3      HP      D1      D2      D3      D4
    D1     read            read                    switch
    D2                             print                   switch  switch
    D3             read    exec
    D4     read            read            switch
           write           write

Copy (before: the * on D3's read right for F2 is the copy flag)

           F1      F2      F3
    D1     read            read
    D3             read*   exec
    D4     read            read
           write           write

Copy (after: D3 has copied read on F2 into D4's row)

           F1      F2      F3
    D1     read            read
    D3             read*   exec
    D4     read    read    read
           write           write

iTunes and Access Matrix

• Songs: no iPod limit → copy
• Songs: 5 computers → limited copy
• Rented movie: on 1 computer at a time → transfer

Owner (before: D3 owns F2)

           F1      F2      F3
    D1     read            read
    D3             read*   exec
                   owner
    D4     read            read
           write           write

Owner (after: as owner of F2, D3 has added write* to its own row)

           F1      F2      F3
    D1     read            read
    D3             read*   exec
                   owner
                   write*
    D4     read            read
           write           write

Control (D2 holds control over D4 and may remove rights from D4's row)

           F1      F2      F3      HP      D1      D2      D3      D4
    D1     read            read                    switch
    D2                             print                   switch  switch
                                                                   control
    D3             read    exec
    D4     read            read            switch
           write           write



Implementation of Access Matrix

• Each column = Access-control list for one object
  Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read

• Each row = Capability list (like a key)
  For each domain, what operations are allowed on what objects.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy

Access Control Lists (1)

[Figure: use of access control lists to manage file access]

Access Control Lists (2)

[Figure: two access control lists]

Capabilities (1)

[Figure: each process has a capability list]
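The matrices above, as an added example that is not part of the slides: a small access matrix with the copy (*), owner, control and switch rights, populated with the slides' F1..F3, HP and D1..D4, plus the two views of the "Implementation" slide (a column as an access-control list, a row as a capability list). Class and method names are my own; the semantics follow the slides (an absent entry means no right, i.e. default deny).

```python
from collections import defaultdict


class AccessMatrix:
    """Access matrix with the special rights used on the slides.

    Rights are strings; a trailing "*" is the copy flag ("read*" = read,
    and may copy read to another domain). Domains are also objects, so a
    domain may hold "switch" or "control" rights on another domain.
    """

    def __init__(self):
        # matrix[domain][object] -> set of rights; absent entry = no rights (default deny)
        self.matrix = defaultdict(lambda: defaultdict(set))

    def grant(self, domain, obj, *rights):
        self.matrix[domain][obj].update(rights)

    def rights(self, domain, obj):
        return set(self.matrix[domain].get(obj, ()))

    def allowed(self, domain, obj, op):
        # an operation is allowed if the plain right or its copy-flagged form is present
        held = self.rights(domain, obj)
        return op in held or op + "*" in held

    def switch(self, domain, target):
        if not self.allowed(domain, target, "switch"):
            raise PermissionError(f"{domain} may not switch to {target}")
        return target

    def copy(self, src, dst, obj, op):
        # copy right: only a copy-flagged right may be propagated; the receiving
        # domain gets the plain right, so it cannot propagate it further
        if op + "*" not in self.rights(src, obj):
            raise PermissionError(f"{src} holds no copyable {op} on {obj}")
        self.matrix[dst][obj].add(op)

    def owner_add(self, domain, obj, right):
        # owner right: the owner may add rights on the object (here: to its own row)
        if "owner" not in self.rights(domain, obj):
            raise PermissionError(f"{domain} is not owner of {obj}")
        self.matrix[domain][obj].add(right)

    def control_remove(self, controller, target, obj, op):
        # control right on a domain: the controller may remove rights from that domain's row
        if "control" not in self.rights(controller, target):
            raise PermissionError(f"{controller} has no control over {target}")
        row = self.matrix[target][obj]
        row.discard(op)
        row.discard(op + "*")

    def acl(self, obj):
        # column view = access-control list: which domains may do what on one object
        return {d: set(objs[obj]) for d, objs in self.matrix.items() if objs.get(obj)}

    def capability_list(self, domain):
        # row view = capability list: what one domain may do on which objects
        return {o: set(r) for o, r in self.matrix[domain].items() if r}


def build_slide_matrix():
    """Matrix from the slides: F1..F3 files, HP printer, D1..D4 domains."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "F3", "read")
    m.grant("D2", "HP", "print")
    m.grant("D3", "F2", "read*", "owner")
    m.grant("D3", "F3", "exec")
    m.grant("D4", "F1", "read", "write")
    m.grant("D4", "F3", "read", "write")
    m.grant("D1", "D2", "switch")
    m.grant("D2", "D3", "switch")
    m.grant("D2", "D4", "switch", "control")
    m.grant("D4", "D1", "switch")
    return m


def demo():
    """Replay the three transitions shown on the Copy, Owner and Control slides."""
    m = build_slide_matrix()
    m.copy("D3", "D4", "F2", "read")             # D3 copies read on F2 to D4
    m.owner_add("D3", "F2", "write*")            # D3 owns F2: grants itself write*
    m.control_remove("D2", "D4", "F1", "write")  # D2 controls D4: strips D4's write on F1
    return m


if __name__ == "__main__":
    m = demo()
    print("ACL for F1:", m.acl("F1"))
    print("Capabilities of D4:", m.capability_list("D4"))
```

Every check goes through `allowed`, which consults only rights that were explicitly granted; this is the "allow only accesses explicitly granted" principle from the design-principles slide, applied to the matrix.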

Revoking Access Rights

• Immediately or later?

• Revoke the rights to all users or to some?

• Revoke some rights or all rights of an object?

• Temporarily or permanently?

Revoking Access Rights

• Simple with access lists if we revoke by object
• More difficult with capabilities. Use:
  – Reacquisition
  – Back-pointers
  – Indirections (not selective)
  – Keys (not selective if one key per object)
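The four capability-revocation mechanisms listed above, as an added example (my own code, not from the slides): an object server hands out capabilities that go through an indirection table and carry a copy of the object's key and a back-pointer entry, so each mechanism can be exercised in turn. The class and method names, and the use of random tokens as handles and keys, are assumptions of the example.

```python
import secrets


class CapabilityServer:
    """Object server illustrating reacquisition, back-pointers, indirection and keys."""

    def __init__(self):
        self.objects = {}        # name -> {"key": current key, "data": contents}
        self.indirection = {}    # handle -> object name, or None once revoked
        self.back_pointers = {}  # object name -> list of issued capability records

    def create(self, name, data):
        self.objects[name] = {"key": secrets.token_hex(8), "data": data}

    def issue(self, name, rights, holder):
        """Hand out a capability: it points into the indirection table, not at the object."""
        handle = secrets.token_hex(4)
        self.indirection[handle] = name
        cap = {"handle": handle, "rights": frozenset(rights), "holder": holder,
               "key": self.objects[name]["key"], "valid": True}
        self.back_pointers.setdefault(name, []).append(cap)
        return cap

    def access(self, cap, op):
        """Every use re-validates the capability (always check for accesses)."""
        if not cap["valid"]:
            raise PermissionError("revoked selectively via back-pointer")
        name = self.indirection.get(cap["handle"])
        if name is None:
            raise PermissionError("revoked via indirection table")
        obj = self.objects[name]
        if cap["key"] != obj["key"]:
            raise PermissionError("revoked by key change")
        if op not in cap["rights"]:
            raise PermissionError(f"{op} not in capability")
        return obj["data"]

    def can_access(self, cap, op):
        try:
            self.access(cap, op)
            return True
        except PermissionError:
            return False

    # 1. back-pointers: walk the object's list and invalidate one holder's capabilities (selective)
    def revoke_holder(self, name, holder):
        for cap in self.back_pointers.get(name, []):
            if cap["holder"] == holder:
                cap["valid"] = False

    # 2. indirection: deleting the table entry kills every capability that went through it
    def revoke_handle(self, handle):
        self.indirection[handle] = None

    # 3. keys: changing the object's key invalidates all outstanding capabilities (not selective)
    def rekey(self, name):
        self.objects[name]["key"] = secrets.token_hex(8)

    # 4. reacquisition: after a revocation, a legitimate holder asks for a fresh capability
    def reacquire(self, name, rights, holder):
        return self.issue(name, rights, holder)


if __name__ == "__main__":
    s = CapabilityServer()
    s.create("F1", "payroll")
    c = s.issue("F1", ["read"], "D1")
    print(s.access(c, "read"))
    s.rekey("F1")
    print("after rekey:", s.can_access(c, "read"))
```

The key mechanism is the coarse one: `rekey` cuts off every holder at once, which is exactly the "not selective if one key per object" caveat on the slide; back-pointers are what make per-holder revocation possible.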

Language-Based Protection

• Specification of protection in a programming language

allows the high-level description of policies for the

allocation and use of resources.

• Language implementation can provide software for

protection enforcement when automatic hardware-

supported checking is unavailable.

• Interpret protection specifications to generate calls on

whatever protection system is provided by the hardware

and the operating system.


Java Security Model

An Application of Protection: DRM

DRM

• DRM = Digital Rights Management

• Access control technologies to limit usage of digital media or devices

• May prevent access, copying, or conversion

• DRM is a technical way to enforce laws

DRM

CSS

• CSS = Content Scramble System

• Licensed for DVD drives, DVD players, DVD movies

• Enforces region coding, prevents skipping “intros”

• Does not prevent bit by bit copying!

• Cracked since 1999

AACS

• AACS = Advanced Access Content System

• Similar to CSS, but much stronger

• Features Managed Copy

• Final standard not yet released

• Keys can be revoked and new keys used... but they are cracked even before their release!

DRM Gone Bad

The Sony BMG Fiasco

Blog post from Mark Russinovich...

“Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden...”

After some investigation he found it came from an audio CD by Sony BMG

“The Sony rootkit is designed to hide any files, registry keys and processes starting with the string $sys$”

The CD installed a CD drive driver and made sure no more than 3 copies of the CD were made

It also made the system unstable and less secure

Sony had to recall every protected CD

Several lawsuits were filed and settled

This protection is not used anymore

MLB (Major League Baseball) has been selling videos of games with DRM since 2003

In 2007, they changed their DRM provider, and for some users old videos stopped playing

MLB may provide replacements, with DRM

What do you really buy?

MSN Music DRM keys

MSN Music store closed in November 2006

On April 22, 2008, customers were told authorization servers would stop on August 31, 2008

⇒ Using a new computer or reinstalling the OS will result in unplayable songs

The Future of DRM

• Music: becoming DRM free

• Amazon MP3 store, iTunes+, most majors

• Video: very entrenched

• Many countries pass laws protecting DRM

• DMCA, EUCD, DADVSI

• Future of Fair Use? See Free Culture by Lawrence Lessig

http://www.free-culture.cc/

Homework

Larry Lessig: How creativity is being strangled by the law

http://www.ted.com/talks/view/id/187


Module 19: Security

• The Security Problem
• Authentication
• Program Threats
• System Threats
• Threat Monitoring
• Encryption


Generic Security Attacks

Typical attacks:
• Request memory, disk space, tapes and just read
• Try illegal system calls
• Start a login and hit DEL, RUBOUT, or BREAK
• Try modifying complex OS structures
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg the admin's secretary to help a poor user who forgot the password

Threats

– data confidentiality (data read)
– data integrity (data modified or deleted)
– system availability (denial-of-service attacks; hard to avoid)

Security is achieved by taking measures at the following levels:
— Physical (e.g. prevent removal of the hard drive)
— Human (e.g. prevent bribing a user)
— Network (e.g. prevent intercepting private data)
— Operating system (e.g. authenticate users)

“The hacker: someone who figured things out and made something cool happen.”

Hacker vs Cracker

Human Security: Social Engineering

“Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information”

• Phishing
• Pretexting (over the phone)
• Trojan Horse
• Road Apple
  – free floppy, CD, USB drive...
• Quid Pro Quo (something for something)

“It is notable that Mitnick did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security.”

Breaking in over the Internet

– need the IP number of a machine (or its symbolic equivalent, such as so.cs.unibo.it)
– can test if that number is alive using ping
– can try to connect using telnet
– IP numbers “similar” (consecutive numbers) to one that is alive might work as well
– a hacker with a fast connection could discover many entry points to the system (i.e., IP numbers that accept telnet connections)
– the hacker can then try to exploit weak pairs (login, password)


Authentication

• User identity is most often established through passwords; these can be considered a special case of either keys or capabilities.
• Passwords must be kept secret.
  – Frequent change of passwords.
  – Use of “non-guessable” passwords.
  – Log all invalid access attempts.

Authentication Using Passwords

[Figure: (a) A successful login; (b) Login rejected after name entered; (c) Login rejected after name and password typed]

Authentication Using Passwords

• How a cracker broke into LBL, a U.S. Dept. of Energy research lab

One-time passwords

– Each password is valid only once. Hence anyone capturing the password of a session and then

trying to use it for another session will fail.

– problem: where to keep the password list

– a solution: use one-way functions

easy to compute; hard to invert

hence in , we have: easy, hard

How it works:

initialisation: a password , an integer

session passwords then are:

the server keeps track and updates the integer for
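The one-time password scheme above, as an added example that is not from the slides (the slides' own symbols were lost in extraction; this code assumes the scheme is Lamport's hash chain, which matches the description: a password, an integer, a one-way function, and a server that only has to keep track of one value and a counter). The class names are mine and SHA-256 stands in for the one-way function.

```python
import hashlib


def h(x: bytes) -> bytes:
    """One-way function: easy to compute, hard to invert (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, n: int) -> bytes:
    """h applied n times: h(h(...h(x)))."""
    for _ in range(n):
        x = h(x)
    return x


class OtpServer:
    """Keeps only h^n(password) and the counter n, never the password list itself."""

    def __init__(self, password: bytes, n: int):
        self.n = n
        self.stored = h_iter(password, n)

    def login(self, candidate: bytes) -> bool:
        if self.n == 0:
            return False                      # chain exhausted: must re-initialise
        if h(candidate) != self.stored:       # candidate must be the preimage of what we hold
            return False
        self.stored = candidate               # move one step down the chain
        self.n -= 1
        return True


class OtpClient:
    """Recomputes the session password from the secret and the server's counter."""

    def __init__(self, password: bytes):
        self.password = password

    def session_password(self, server_n: int) -> bytes:
        return h_iter(self.password, server_n - 1)


def run_sessions():
    """Three logins, then a replay of a captured password (constructed scenario)."""
    client = OtpClient(b"correct horse battery staple")
    server = OtpServer(b"correct horse battery staple", n=100)
    results = []
    captured = None
    for _ in range(3):
        pw = client.session_password(server.n)
        captured = captured or pw            # an eavesdropper kept the first one
        results.append(server.login(pw))
    results.append(server.login(captured))   # replaying a used password fails
    return results


if __name__ == "__main__":
    print(run_sessions())   # [True, True, True, False]
```

Because h is one-way, someone who captured h^{99}(p) cannot compute the next password h^{98}(p); the server, for its part, never stores anything from which the remaining passwords can be derived, which answers the "where to keep the password list" problem.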

Challenge-response authentication

– The user selects an algorithm, ex:

– at login time:

the server sends an integer

the user answers with

– problem: the algorithm can be guessed

– a solution:

a function (public)

user selects a key

at login time:

server sends a number

user answers

it should be hard to find out the key from seeing the results of computing with it
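The keyed challenge-response variant just described, as an added example (my own code, not from the slides): the function is public, only the key is secret, the server sends a fresh random number each login and the user answers with the function of the key and that number. HMAC-SHA256 stands in for the public function; the class names and the replay scenario are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def f(key: bytes, challenge: bytes) -> bytes:
    """Public function f; the only secret is the key (HMAC-SHA256 stands in for f)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    def __init__(self, users):
        self.users = dict(users)            # user -> key, shared at enrolment
        self.pending = {}                   # user -> outstanding challenge

    def challenge(self, user):
        c = secrets.token_bytes(16)         # fresh random number for every login
        self.pending[user] = c
        return c

    def verify(self, user, response):
        c = self.pending.pop(user, None)    # a challenge is single use
        if c is None:
            return False
        expected = f(self.users[user], c)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def login(server, user, key):
    """What the client side does: fetch a challenge, answer f(key, challenge)."""
    c = server.challenge(user)
    return server.verify(user, f(key, c))


def scenario():
    """Constructed scenario: a good login, a wrong key, and a replayed response."""
    server = ChallengeServer({"alice": b"alice-secret-key"})
    good = login(server, "alice", b"alice-secret-key")
    wrong_key = login(server, "alice", b"guessed-key")
    # an eavesdropper records one exchange...
    c1 = server.challenge("alice")
    recorded = f(b"alice-secret-key", c1)
    first_use = server.verify("alice", recorded)
    # ...and replays the recorded answer against the next challenge
    server.challenge("alice")
    replay = server.verify("alice", recorded)
    return {"good": good, "wrong_key": wrong_key, "first_use": first_use, "replay": replay}


if __name__ == "__main__":
    print(scenario())
```

Seeing pairs (challenge, f(key, challenge)) on the wire does not reveal the key, and because the server never accepts an answer to an old challenge, a recorded answer is useless later.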

Authentication Using a Physical Object

• Magnetic cards
  – magnetic stripe cards
  – chip cards: stored value cards, smart cards


Program Threats

• Trojan Horse
  – Code segment that misuses its environment.
  – Exploits mechanisms for allowing programs written by users to be executed by other users.
• Trap Door
  – Specific user identifier or password that circumvents normal security procedures.
  – Could be included in a compiler.
• Logic Bomb
• Login Spoofing
• Buffer Overflow


Operating System Security: Trojan Horses

• Free program made available to an unsuspecting user
  – actually contains code to do harm
• Place an altered version of a utility program on the victim’s computer
  – trick the user into running that program

Trojan horse: how to get the malicious program executed

– advertise it on the Internet as something exciting

– (Example) use the PATH variable. Imagine the current directory is in PATH for user xx, and xx types:

    cd ~yy
    programxx

  Thus the malicious program programxx written by yy is executed by xx and can access xx’s data.

– (Example) Install a malicious program called la in /usr/bin; eventually someone, by mistake, will type la rather than ls.

– (Example) Exploiting a shell that checks the working directory before consulting PATH: a user yy installs a malicious program called ls in his/her home directory; the user does something suspicious (such as using a lot of resources); the administrator might type:

    cd ~yy
    ls


Trap Doors

[Figure: (a) Normal code. (b) Code with a trapdoor inserted]

Ken Thompson’s backdoor

For debugging purposes, a backdoor in “login”

Did it by modifying the C compiler:
• when compiling password verification
• accept the correct password
• or accept the special debugging password

    # pseudocode from the slides; the helper functions are not defined
    def compile(code):
        if looksLikeLoginCode(code):
            generateLoginWithBackDoor()      # emit login that also accepts the debugging password
        else:
            compileNormally(code)

But this would look strange in the C compiler...

    # second stage: the compiler also recognises itself, so the backdoor survives
    # even after the visible source of the compiler is cleaned up and rebuilt
    def compile(code):
        if looksLikeLoginCode(code):
            generateLoginWithBackDoor(code)
        elif looksLikeCompilerCode(code):
            generateCompilerWithBackDoorDetection(code)
        else:
            compileNormally(code)


Logic Bombs

• Company programmer writes a program
  – potential to do harm
  – OK as long as he/she enters a password daily
  – if the programmer is fired, no password, and the bomb explodes


Login Spoofing

[Figure: (a) Correct login screen; (b) Phony login screen]

Login spoofing

– a program that displays the login screen
– the user of the program thus can read many pairs (login, password)
– a way out: the login session starts out with a key combination that a user program cannot catch (example: Ctrl-Alt-Del in Windows)

Buffer overflow

In C, array bounds (among other things) are not checked.

Example of unchecked code (it compiles and runs without any complaint from the language, although the store lands 300 bytes past the end of c):

    int i;
    char c[100];
    i = 400;
    c[i] = 0;   /* out-of-bounds write: no bounds check in C */


Buffer Overflow

[Figure: (a) Situation when main program is running; (b) After program A called; (c) Buffer overflow shown in gray]

Java Security (1)

• A type safe language: the compiler rejects attempts to misuse variables
• Checks include:
  – Attempts to forge pointers
  – Violation of access restrictions on private class members
  – Misuse of variables by type
  – Generation of stack over/underflows
  – Illegal conversion of variables to another type


System Threats

• Worms – use spawn mechanism; standalone program
• Internet worm
  – Exploited UNIX networking features (remote access) and bugs in the finger and sendmail programs.
  – Grappling hook program uploaded the main worm program.
• Viruses – fragment of code embedded in a legitimate program.
  – Mainly affect microcomputer systems.
  – Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection.
  – Safe computing.

Worm vs Virus

A “worm” is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.

A “virus” is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.


The Internet Worm

• Consisted of two programs
  – bootstrap to upload the worm
  – the worm itself
• Worm first hid its existence
• Next replicated itself on new machines

Morris Worm

November 2, 1988

Robert Tappan Morris Jr., a first-year Cornell graduate student, sends a worm to a few machines

Within hours, about 10% of the Internet (6,000 machines) was down


The Morris Internet Worm

How it Worked

Getting in
– Using a remote shell (rsh): host login without password required
– Buffer overflow: finger with a 536-byte string, used to launch /bin/sh
– Sendmail bug using its debug mode: mailed the grappling hook to be executed

Propagation
– When in, downloaded the worm
– Then tried to crack passwords
– Looked in new accounts for rsh data files
– Attempted to infect new machines
– If already there, quit 6 out of 7 times
– This brought down most machines


Virus Damage Scenarios

• Blackmail
• Denial of service as long as the virus runs
• Permanently damage hardware
• Target a competitor’s computer
  – do harm
  – espionage
• Intra-corporate dirty tricks
  – sabotage another corporate officer’s files

Where viruses could act

– modify executable files
  attaching themselves to the front, or to the end
  possibly having to modify file headers and file internal logical addresses
  first they get activated; then the original file is executed
– residing in memory
  possibly redirecting some interrupts to them (ex: system calls)
– overwriting some boot procedure on disk
  thus the virus gets loaded every time the machine is turned on
– hiding within a macro
  very effective for Word and Excel programs, for instance
  easy to write
– modify a source code
  a “portable” virus


How Viruses Work (3)

[Figure: an executable program; with a virus at the front; with the virus at the end; with a virus spread over free space within the program]


How Viruses Spread

• Virus placed where likely to be copied
• When copied
  – infects programs on hard drive, floppy
  – may try to spread over the LAN
• Attach to innocent-looking email
  – when it runs, use the mailing list to replicate

Viruses and Anti-virus techniques

Anti-virus: virus scanners

Scan executable files looking for viruses that match those in a database
– a problem: variants of the virus might exist
  Fuzzy search: might miss some; might interpret some correct file as a virus
– can be slow
  Check only files that have been modified since the last search: a virus could change the file date
  Check only files whose length has changed: a virus could use compression techniques


Antivirus and Anti−Antivirus Techniques

[Figure: (a) A program; (b) Infected program; (c) Compressed infected program; (d) Encrypted virus; (e) Compressed virus with encrypted compression code]


Antivirus and Anti−Antivirus Techniques

[Figure: examples of a polymorphic virus; all of these examples do the same thing]


Antivirus and Anti−Antivirus Techniques

• Integrity checkers
• Behavioral checkers
• Virus avoidance
  – good OS
  – install only shrink-wrapped software
  – use antivirus software
  – do not click on attachments to email
  – frequent backups
• Recovery from virus attack
  – halt computer, reboot from a safe disk, run antivirus
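An integrity checker, as an added example that is not from the slides, tying together the scanner shortcuts above (checking only files whose date or length changed) and the "integrity checkers" item: a baseline of cryptographic hashes is taken while the system is known clean, and a later check compares against it. The constructed scenario overwrites a program with same-length content and puts the original timestamp back, the two evasions the slides mention, and the hash still catches it. SHA-256 as the checksum and all names here are my own choices.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def baseline(root):
    """Record every file under root, taken while the system is known to be clean."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base


def check(root, base):
    """Compare the tree against the baseline; the hash decides, size and date are only hints."""
    report = {}
    for rel, old in base.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report[rel] = "missing"
            continue
        new = fingerprint(full)
        if new["sha256"] != old["sha256"]:
            hints = []
            if new["size"] == old["size"]:
                hints.append("length unchanged")
            if new["mtime_ns"] == old["mtime_ns"]:
                hints.append("date unchanged")
            report[rel] = "modified" + (f" ({', '.join(hints)})" if hints else "")
    for rel in baseline(root):
        if rel not in base:
            report[rel] = "new file"
    return report


def demo():
    """Constructed scenario: a program is overwritten in place and the timestamp is put back."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    target = os.path.join(root, "bin", "ls")
    with open(target, "wb") as fh:
        fh.write(b"ORIGINAL PROGRAM")
    base = baseline(root)

    old = os.stat(target)
    with open(target, "wb") as fh:
        fh.write(b"INFECTED PROGRAM")                          # same length as the original
    os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))   # restore the date
    with open(os.path.join(root, "bin", "la"), "wb") as fh:   # a look-alike dropped next to it
        fh.write(b"LOOKALIKE")
    return check(root, base)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(path, "->", verdict)
```

A scanner that trusts the length or the date would skip bin/ls entirely; the baseline only helps if it is stored somewhere the checked system cannot rewrite (the slides' "reboot from safe disk" is the same idea applied to the checker itself).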

Some Modern Worms & Viruses

1999: Melissa, macro virus (Word + Outlook)

2000: ILOVEYOU, VBScript worm. Between $5 billion and $10 billion in damage. “ The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm.”

2003: Blaster, Sobig, Sober (until 2005).

2004: MyDoom. Email binary attachment.

One of the fastest spreading worms: 1 in 12 emails at peak.

Used to create a Denial of Service attack against SCO and Microsoft.

2004: Sasser. Did not need user intervention, used a buffer overflow.

– Agence France-Presse (AFP): satellite communications blocked for hours
– Delta Air Lines: cancelled several trans-Atlantic flights (computer systems down)
– Nordic insurance company If and Finnish Sampo Bank: closed their 130 offices in Finland
– British Coastguard: electronic mapping service disabled for a few hours
– Goldman Sachs, Deutsche Post, and the European Commission also affected
– X-ray department at Lund University Hospital: all four of their layer X-ray machines disabled for several hours; had to redirect emergency X-ray patients to a nearby hospital

2007: Storm Worm.

Email attachment: PDF spam, e-cards, YouTube Invites. Also blog comment spam.

Still active (latest version: April 1st, 2008)

Payload morphs every 30 min.

Used to create a peer to peer botnet.

Botnets

Current Botnets

• Kraken: about 500,000 machines
• Storm: about 100,000 machines (was 2 million)

• Used for spam, phishing, denial of service attacks

Some safe design principles

– make the system public (avoid “security by obscurity”)
– allow only accesses explicitly granted
– always check for accesses
– use simple protection mechanisms, built into the OS kernel (precisely: the lowest possible level of the OS; cf. Windows NT)


Network Security Through Domain Separation Via Firewall


Threat Monitoring

• Check for suspicious patterns of activity – e.g., several incorrect password attempts may signal password guessing.
• Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.
• Scan the system periodically for security holes; done when the computer is relatively unused.


Threat Monitoring (Cont.)

• Check for:
  – Short or easy-to-guess passwords
  – Unauthorized set-uid programs
  – Unauthorized programs in system directories
  – Unexpected long-running processes
  – Improper directory protections
  – Improper protections on system data files
  – Dangerous entries in the program search path (Trojan horse)
  – Changes to system programs: monitor checksum values
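Two of the checks above in working form, as an added example that is not from the slides: a detector for repeated failed password attempts (the "suspicious pattern" of the first Threat Monitoring slide) run over constructed sshd-style log lines, and a check for dangerous entries in the program search path, which is what the PATH-based Trojan horse examples earlier on this page rely on. The log format, thresholds and all names are assumptions of the example; the lines are made up for the demonstration.

```python
import os
import re
import stat
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from any real system).
SAMPLE_LOG = """\
Apr 18 10:00:01 host sshd[101]: Failed password for alice from 192.0.2.10 port 5001
Apr 18 10:00:03 host sshd[102]: Failed password for alice from 192.0.2.10 port 5002
Apr 18 10:00:04 host sshd[103]: Failed password for alice from 192.0.2.10 port 5003
Apr 18 10:00:06 host sshd[104]: Failed password for alice from 192.0.2.10 port 5004
Apr 18 10:00:09 host sshd[105]: Accepted password for alice from 192.0.2.10 port 5005
Apr 18 10:30:00 host sshd[106]: Failed password for bob from 198.51.100.7 port 6001
Apr 18 11:45:00 host sshd[107]: Failed password for bob from 198.51.100.7 port 6002
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)"
)


def password_guessing(log_text, threshold=3, window=timedelta(minutes=5), year=2020):
    """Return {(user, source): most failures seen inside one window} for pairs over the threshold.

    A sliding window per (user, source) keeps only failures newer than `window`;
    a success does not reset it, so a guess that eventually works is still reported.
    """
    recent = defaultdict(list)
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unrelated line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        if outcome != "Failed":
            continue
        q = recent[(user, src)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)                                   # drop failures older than the window
        if len(q) >= threshold:
            peaks[(user, src)] = max(peaks.get((user, src), 0), len(q))
    return peaks


def dangerous_path_entries(path_value, world_writable=None):
    """Flag search-path entries that let a planted program be picked up instead of the real command.

    `world_writable` is an explicit set of directories to treat as writable by anyone
    (handy for tests); when None, the real mode bits of each directory are consulted.
    """
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative directory, resolved against the cwd"))
        else:
            if world_writable is None:
                try:
                    writable = bool(os.stat(entry).st_mode & stat.S_IWOTH)
                except OSError:
                    writable = False
            else:
                writable = entry in world_writable
            if writable:
                findings.append((entry, "directory writable by everyone"))
    return findings


if __name__ == "__main__":
    print(password_guessing(SAMPLE_LOG))
    print(dangerous_path_entries(os.environ.get("PATH", "")))
```

In the sample, alice's four failures within a few seconds from one source are reported while bob's two failures an hour apart are not; the window and threshold are the knobs that trade false alarms against missed slow guessing. Run against the real PATH, the second function reports any entry that the earlier "cd ~yy; programxx" scenario would exploit.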
