CS 4/591: Introduction to Computer Security Lecture 5: Confinement Intro to Crypto James Hook 11/5/2015 5:55 AM.
Last Time
• Voting Machine Case Study
• Bell LaPadula
  – Confidentiality
• Biba
  – Integrity

Today
• Loose ends
• The Confinement Problem
• Crypto introduction

Last Time
• Proposed Integrity Model
  – How well did it work?

Voting Machine Architecture
[Figure: block diagram with the components Processor, Touch Screen, Smart Card Reader, Audio jack, Removable Flash, Printer, On-board Flash, RAM and EPROM, grouped by physical access: Open, Key Access, Inside Box]

Boot Process
• Boot device specified by hardware jumpers (inside box)
  – EPROM
  – on-board flash (default)
  – ext flash
• On Boot:
  – Copy bootloader into RAM; init hardware
  – Scan Removable flash for special files
    • “fboot.nb0” => replace bootloader in on-board flash
    • “nk.bin” => replace OS in on-board flash
    • “EraseFFX.bsq” => erase file system on on-board flash
  – If no special files uncompress OS image
  – Jump to entry point of OS

Boot (continued)
• On OS start up:
  – run Filesys.exe
    • unpacks registry
    • runs programs in HKEY_LOCAL_MACHINE\Init
      – shell.exe (debug shell)
      – device.exe (Device manager)
      – gwes.exe (graphics and event)
      – taskman.exe (Task Manager)
  – Device.exe mounts file systems
    • \ (root): RAM only
    • \FFX: mount point for on-board flash
    • \Storage Card: mount point for removable flash

Boot (continued)
• Customized taskman.exe
  – Check removable flash
    • explorer.glb => launch windows explorer
    • *.ins => run proprietary scripts
      – (script language has buffer overflow vulnerabilities)
      – used to configure election data
    • default => launch “BallotStation”
      – \FFX\Bin\BallotStation.exe

BallotStation
• Four modes: pre-download, pre-election testing, election, post-election
• Mode recorded in election results file
  – \Storage Card\CurrentElection\election.brs

Stealing Votes
• Malicious process runs in parallel with BallotStation
• Polls election results file every 15 seconds
  – If election mode and new results
  – temporarily suspend BallotStation
  – steal votes
  – resume BallotStation

Viral propagation
• Malicious bootloader
  – Infects host by replacing existing bootloader in on-board flash
  – subsequent bootloader updates print appropriate messages but do nothing
• fboot.nb0
  – package contains malicious boot loader
  – and vote stealing software

Discussion
• Having developed this design, it is now time to critique it!
  – Are you satisfied with the protection against external threats?
  – Are you satisfied with the protection against insider threats?

Plan
• Confinement Problem (Lampson)
• Isolation
  – Virtual Machines
  – Sandboxes
• Covert Channels

The Confinement Problem
• Lampson, “A Note on the Confinement Problem”, CACM, 1973.

  This note explores the problem of confining a program during its execution so that it cannot transmit information to any other program except its caller. A set of examples attempts to stake out the boundaries of the problem. Necessary conditions for a solution are stated and informally justified.

Discussion
• Reactions?
• What is a “customer”?
• What is a “service”?
• What does Lampson’s motivating scenario look like?

Possible Leaks
0. If a service has memory, it can collect data, wait for its owner to call it, then return the data
1. The service may write into a permanent file
2. The service may create a temporary file
3. The service may send a message to a process controlled by its owner [via ipc]
4. More subtly, the information may be encoded in the bill rendered for the service…

Possible Leaks (cont)
5. If the system has interlocks which prevent files from being open for writing and reading at the same time, the service can leak data if it is merely allowed to read files which can be written by the owner.

Leak 5 (cont)
The interlocks allow a file to simulate a shared Boolean variable which one program can set and the other can test.

Given a procedure open (file, error) which does goto error if the file is already open, the following procedures will perform this simulation:

    procedure settrue (file);
    begin loop1: open (file, loop1) end;

    procedure setfalse (file);
    begin close (file) end;

    Boolean procedure value (file);
    begin
      value := true;
      open (file, loop2);
      value := false;
      close (file);
    loop2:
    end;

Leak 5 (cont)
Using these procedures and three files called data, sendclock, and receiveclock, a service can send a stream of bits to another concurrently running program. Referencing the files as though they were variables of this rather odd kind, then, we can describe the sequence of events for transmitting a single bit:

    sender:   data := bit being sent; sendclock := true
    receiver: wait for sendclock = true; received bit := data; receiveclock := true;
    sender:   wait for receiveclock = true; sendclock := false;
    receiver: wait for sendclock = false; receiveclock := false;
    sender:   wait for receiveclock = false;

Leak 6
6. By varying its ratio of computing to input/output or its paging rate, the service can transmit information which a concurrently running process can receive by observing the performance of the system. …

One solution
• Just say no!
• Total isolation: A confined program shall make no calls on any other program
• Impractical

Confinement rule
• Transitivity: If a confined program calls another program which is not trusted, the called program must also be confined.

Classification of Channels:
• Storage
• Legitimate (such as the bill)
• Covert
  – I.e. those not intended for information transfer at all, such as the service program’s effect on the system load
• In which category does Lampson place 5?
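
Leak 5's handshake, run as a deterministic simulation with Lampson's "confined read makes a copy" mitigation as a switch. This is an added example, not code from the lecture or from Lampson's note. Assumptions: the `InterlockFS` class, the party names `S` (the confined service) and `R` (the owner's program) and the round-robin scheduler are constructed for illustration.

```python
class InterlockFS:
    """Constructed model: a file can be held open by one party at a time."""
    def __init__(self, copy_on_confined_read=False):
        self.holder = {}                       # file name -> party holding it open
        self.copy = copy_on_confined_read      # Lampson's mitigation switch
    def open(self, name, who, confined=False):
        if confined and self.copy:
            return True                        # private copy: no interlock taken or seen
        if name in self.holder:
            return False                       # "goto error": file already open
        self.holder[name] = who
        return True
    def close(self, name, who):
        if self.holder.get(name) == who:
            del self.holder[name]

def settrue(fs, f, who, confined):
    while not fs.open(f, who, confined):
        yield                                  # loop1: retry until the open succeeds

def value(fs, f, who, confined):
    if not fs.open(f, who, confined):
        return True                            # held open by the other party
    fs.close(f, who)
    return False

def sender(fs, bits):                          # the confined service
    for b in bits:
        fs.close("data", "S")                  # data := bit being sent
        if b:
            yield from settrue(fs, "data", "S", True)
        yield from settrue(fs, "sendclock", "S", True)
        while not value(fs, "receiveclock", "S", True): yield
        fs.close("sendclock", "S")
        while value(fs, "receiveclock", "S", True): yield

def receiver(fs, n, out):                      # the owner's unconfined program
    for _ in range(n):
        while not value(fs, "sendclock", "R", False): yield
        out.append(int(value(fs, "data", "R", False)))
        yield from settrue(fs, "receiveclock", "R", False)
        while value(fs, "sendclock", "R", False): yield
        fs.close("receiveclock", "R")

def run(bits, mitigated, budget=1000):
    fs, out = InterlockFS(mitigated), []
    procs = [sender(fs, bits), receiver(fs, len(bits), out)]
    for _ in range(budget):                    # deterministic round-robin scheduler
        for p in list(procs):
            try:
                next(p)
            except StopIteration:
                procs.remove(p)
    return out
```

`run([1, 0, 1, 1, 0], mitigated=False)` returns the bits intact; with `mitigated=True` the confined side never takes or observes an interlock, the receiver's clock never changes, and the result is `[]`.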

Mitigation
• Lampson proposes a mitigation strategy for 5
• Confined read makes a copy (this can be done lazily on a conflicting write)

Root Problem:
• Resource sharing enables covert channels
• The more our operating systems and hardware enable efficient resource sharing the greater the risk of covert channels

Lipner’s Comments
• 1975 paper discusses how confidentiality models and access control address storage and legitimate channels
• Discussion?
• How does Lipner think BLP fits in?

Lipner’s Contribution
• Identifies time as “A difficult problem”
  – “While the storage and legitimate channels of Lampson can be closed with a minimal impact on system efficiency, closing the covert channel seems to impose a direct and unreasonable performance penalty.”

Resources
• Lampson, A note on the Confinement Problem, CACM Vol 16, no. 10, October 1973.
  – http://doi.acm.org/10.1145/362375.362389
• Lipner, A Comment on the Confinement Problem, Proceedings of the 5th Symposium on Operating Systems Principles, pp 192-196 (Nov. 1975)
  – http://doi.acm.org/10.1145/800213.806537

Virtualization Returns
• Intel’s Vanderpool architecture brings Virtual Machines back to the mainstream
• Intel Virtualization Paper
  – ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf
  – (Some figures that follow are taken from the paper)

Applications of Virtualization
• Workload isolation
• Workload consolidation
• Workload migration

Isolation
[Figure]

Consolidation
[Figure]

Migration
[Figure]

Virtualizing Intel architectures
• As is, Intel architectures do not meet the two requirements:
  – Nonfaulting access to privileged state
    • IA-32 has registers that describe and manipulate the “global descriptor table”
    • These registers can only be set in ring 0
    • They can be queried in any ring without generating a fault
  – This violates rule 2 (all references to sensitive data traps)
• Software products to virtualize Intel hardware had to get around this.
  – VMware and Virtual PC dynamically rewrite binary code!
  – Xen requires source changes (paravirtualization)

Intel solutions
• VT-x, virtualization for IA-32
• VT-i, virtualization for Itanium
• Changed architecture to meet the criteria

Ring aliasing and ring compression
• Solution is to allow guest to run at intended privilege level by augmenting privilege levels.
• See Figure 2(d).

Nonvirtualized and 0/1/3
[Figure]
• (a) is typical of x86 operating systems
• (b) and (c) give two strategies for virtualization in software

0/3/3 and VT-x
[Figure]

Nonfaulting access to privileged state
• Two kinds of changes
  – Make access fault to the VM
  – Allow nonfaulting access, but to state under the control of the VMM

• Intel Virtualization Paper
  – ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf

Crypto
• Intro to Crypto Mechanisms

Basic Problem
[Figure: Plain Text -> encrypt -> Ciphertext -> decrypt -> Plain Text]

    x = decrypt (encrypt x)
    x = d (e x)

Basic Properties
• Easy to encrypt and decrypt
• Hard to discover the plain text from the cipher text

Caesar
• Simple substitution cipher
• Key is a single letter, the image of the letter A
• For example, if key is C
  – A -> C, B -> D, …, Y -> A, Z -> B

Caesar
• From key, it is easy to calculate d,e:

    -- maxSymb is the number of symbols in the alphabet (26 for A..Z)
    caesar k = (map (\x -> (x + k) `mod` maxSymb),
                map (\x -> (x - k) `mod` maxSymb))

Caesar
• Easy to Compute
• x = d (e x)
• But vulnerable to statistical attack
• With a reasonable amount of cipher text generated from English text the substitution can be reconstructed

Making it a little harder
• Vigenère
• Running Key (following Anderson)
  – Plain  tobeornot
  – Key    runrunrun
  – Cipher KIOVIEEIG

Vigenère

    vigenere key = (e,d)
      where ks   = key ++ ks   -- the key repeated without end
            e ps = zipWith (\ k p -> (p + k) `mod` maxSymb) ks ps
            d ps = zipWith (\ k p -> (p - k) `mod` maxSymb) ks ps

Statistics
• A little harder
• But often have repeated patterns at multiples of keyword length

Taking it to the limit
• One time pad
  – One symbol of key material per symbol of plain text

    oneTimePad ks = (e,d)
      where e ps = zipWith (\ k p -> (p + k) `mod` maxSymb) ks ps
            d ps = zipWith (\ k p -> (p - k) `mod` maxSymb) ks ps

One time pad
• Shannon proved
  – A cipher has perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely.
• One time pad satisfies this

One time pad issues
• Discuss issues of one time pad from text?

What besides substitutions?

Block Ciphers
• Rewrite a block of text at a time
  – Playfair: 2 symbols to 2 symbols
  – DES: 64 bits to 64 bits
• How many output bits change per change in the input?

Block Ciphers
• What about message integrity?

Addressing Integrity Directly
[Figure: the message “Send IBM $10M” is labeled n, the message “Send Jim $10M” is labeled n’, with n ≠ n’]

Hash functions
• Current hot area of research
• Some algorithms that were thought to be good cryptographic hash functions have proven vulnerable
• Nevertheless, basic idea remains strong:
  – From a message of arbitrary size, calculate a message digest of fixed small size
  – Use message digest to authenticate integrity of message

Hash functions
• How can this be used to test integrity of software systems?
• How can hash functions be incorporated into the voting machine?
• Common names for this concept?

Properties of Hash Functions
• Preimage
  – Given h(x), calculate x
• Collisions
  – h(M1) = h(M2)

Symmetric Crypto
• In the algorithms sketched above we used the same key to encrypt and decrypt
• This is called symmetric cryptography

Asymmetric Crypto
• In asymmetric crypto, two keys are generated simultaneously:
  – public key
  – private key
• The private key cannot be easily reconstructed from the public key
• Given a message encrypted with either key, the other key can be used to decrypt

Digital Signatures
• How can asymmetric crypto be used for a digital signature mechanism?
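
The Vigenère and Statistics slides above, worked as an added Python example (not the lecture's Haskell): it reproduces the tobeornot/runrunrun ciphertext and measures the distances between repeated ciphertext trigrams, which is the "repeated patterns at multiples of keyword length" weakness. Assumptions: the 26-letter alphabet, the helper names and the constructed plaintext in `demo` are illustrative.

```python
from functools import reduce
from itertools import cycle
from math import gcd

MAX_SYMB = 26  # assumption: alphabet a..z numbered 0..25, playing the role of maxSymb

def nums(text):
    return [ord(c) - ord("a") for c in text.lower()]

def letters(symbols):
    return "".join(chr(s + ord("A")) for s in symbols)

def vigenere(key):
    """Return (e, d); the key repeats cyclically, like ks = key ++ ks on the slide."""
    def e(ps):
        return [(p + k) % MAX_SYMB for k, p in zip(cycle(key), ps)]
    def d(cs):
        return [(c - k) % MAX_SYMB for k, c in zip(cycle(key), cs)]
    return e, d

def repeat_distances(cipher, n=3):
    """Distances from each repeated n-gram back to its first occurrence."""
    first, dists = {}, []
    for i in range(len(cipher) - n + 1):
        gram = cipher[i:i + n]
        if gram in first:
            dists.append(i - first[gram])
        else:
            first[gram] = i
    return dists

def key_length_hint(cipher):
    """gcd of the repeat distances: normally a multiple of the keyword length."""
    dists = repeat_distances(cipher)
    return reduce(gcd, dists) if dists else None

def demo():
    e, d = vigenere(nums("run"))
    slide = letters(e(nums("tobeornot")))            # the slide's example
    # Constructed plaintext: the phrase recurs at offsets 12 and 21.
    plain = nums("tobeornotabctobeornottobeornot")
    cipher = letters(e(plain))
    round_trip = d(e(plain)) == plain                # x = d (e x)
    return slide, round_trip, repeat_distances(cipher), key_length_hint(cipher)

if __name__ == "__main__":
    print(demo())
```

The repeats sit 12 and 21 symbols apart, so their gcd exposes the keyword length 3 without any knowledge of the key; a one-time pad never reuses key material and gives this test nothing to measure.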