CS 471 - Lecture 11 Protection and Security Ch. 14,15 George Mason University Fall 2009


CS 471 - Lecture 11
Protection and Security
Ch. 14,15
George Mason University
Fall 2009
Protection



In a computer system, each object should be accessed through a well-defined set of operations.
Protection problem - ensure that each object is accessed through the well-defined operations and only by those processes that are allowed to do so.
Least privilege principle: Programs and users should be given just enough privileges to perform their tasks (Not easy to achieve!)
GMU – CS 571
11.2
Domain Structure

A process operates within a protection domain.
• Each domain defines a set of objects and the types of
operations that may be invoked on objects.
• Static or dynamic association

Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations
that can be performed on the object.
Access Matrix

The model can be viewed as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain$_i$ can invoke on Object$_j$
• Can be expanded to dynamic protection (operations to add, delete access rights and switch domains).
Implementing the Access Matrix

The access matrix is usually large and sparse

We can
• store the matrix by columns or by rows
• store only the non-empty elements


Storing the matrix by columns corresponds to access control lists
Storing the matrix by rows corresponds to capabilities
Access Control List (ACL)


Associate with each object a list containing all the domains that may access the object, and how.
Each column of the access matrix is captured in an access control list.
ACL (Cont.)




To condense the length of the access control list, many systems recognize three classifications of users in connection with each file (e.g. Unix)
• Owner
• Group
• Others
Only three 3-bit fields are needed to define protection for each of these groups, for read access, write access and execution control
More fine-grained access control lists can be specified for each file, if needed (e.g. Solaris 2.6 and beyond)
How to revoke rights??
A sample directory listing in Unix




Above, “program” has the protection bits “r w x r - x r - x”
The owner (pbg) can read, modify and execute “program”
The members of the group (staff) can read and execute “program”
All “other users” can also read and execute “program”
Domains in Unix



In Unix, each user-id defines a separate domain
By default, each process is executed in the domain of the user who invokes it
Assume Mike wants to change his password
• He will need to invoke a program such as “passwd”, which needs to have R/W rights for the file /etc/passwd
• Will the “passwd” program run in Mike’s domain??
Domain Switching in Unix

Domain switch (dynamic association) accomplished via file system
• A domain bit (setuid bit) is associated with each file
• When the file is executed and setuid = on, then user-id is set to the owner of the file being executed. When the execution completes, user-id is reset.
• If setuid = off, then the file is executed in the domain of the user who invokes it




Capabilities
Associate with each domain a list of objects that may be accessed, and permitted operations.
Each row of the access matrix is captured in a capability list.
In practice, each capability can be seen as a ticket for an operation.
How to revoke rights??
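
An added example, not part of the original slides: one sparse access matrix stored by columns (access control lists) and by rows (capability lists), used to answer the "How to revoke rights??" question on both the ACL and the Capabilities slides. The domain names, object names and rights in `ACCESS` are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: only the non-empty cells Access(i, j) are stored.
ACCESS = {
    ("D1", "F1"): {"read"},
    ("D1", "F3"): {"read"},
    ("D2", "printer"): {"print"},
    ("D3", "F2"): {"read"},
    ("D3", "F3"): {"execute"},
    ("D4", "F1"): {"read", "write"},
    ("D4", "F3"): {"read", "write"},
}


def by_columns(access):
    """Access control lists: one list per object, mapping domain -> rights."""
    acls = defaultdict(dict)
    for (domain, obj), rights in access.items():
        acls[obj][domain] = set(rights)
    return dict(acls)


def by_rows(access):
    """Capability lists: one list per domain, mapping object -> rights."""
    caps = defaultdict(dict)
    for (domain, obj), rights in access.items():
        caps[domain][obj] = set(rights)
    return dict(caps)


def allowed_acl(acls, domain, obj, op):
    return op in acls.get(obj, {}).get(domain, set())


def allowed_cap(caps, domain, obj, op):
    return op in caps.get(domain, {}).get(obj, set())


def revoke_acl(acls, obj, op):
    """Revoke `op` on `obj` for every domain: only the object's own list is edited."""
    for rights in acls.get(obj, {}).values():
        rights.discard(op)
    return 1  # number of lists visited


def revoke_cap(caps, obj, op):
    """Same revocation with capabilities: every domain's list must be searched."""
    visited = 0
    for cap_list in caps.values():
        visited += 1
        cap_list.get(obj, set()).discard(op)
    return visited


def demo():
    acls, caps = by_columns(ACCESS), by_rows(ACCESS)
    # Both layouts encode the same matrix, so they give the same decisions.
    same = all(
        allowed_acl(acls, d, o, op) and allowed_cap(caps, d, o, op)
        for (d, o), rights in ACCESS.items() for op in rights
    )
    return {
        "same_decisions": same,
        "acl_lists_visited": revoke_acl(acls, "F1", "write"),
        "capability_lists_visited": revoke_cap(caps, "F1", "write"),
        "d4_can_write_f1": allowed_acl(acls, "D4", "F1", "write")
        or allowed_cap(caps, "D4", "F1", "write"),
        "d4_can_read_f1": allowed_acl(acls, "D4", "F1", "read")
        and allowed_cap(caps, "D4", "F1", "read"),
    }


if __name__ == "__main__":
    print(demo())
```

With ACLs the revocation touches the single list attached to the object; with capabilities the tickets are spread over all domains, so each one has to be found first.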
Security

Security must consider also the external environment of
the system, and protect it from:
• unauthorized access
• malicious modification or destruction

Types of security threats to consider:
• Interception – an unauthorized party gains access to data or
service
• Interruption – situation where data or service becomes
unavailable
• Modification – unauthorized changing of data or tampering
with a service so that it no longer adheres to its spec.
• Fabrication – situation where data or activity is generated that normally would not exist.
User Authentication

Correctly identifying the users is crucial for system security.

Authentication can be done based on:
• User possession
• User knowledge
• User attribute

Authentication using login name and password
• Each user supplies a (login name, password)
• If the login name is among the authorized users and the password matches with system records, it is accepted.
User Authentication (Cont.)

Attacker must correctly enter the login name and the password.
• Login name can be easily guessed
• Password must be selected very carefully!

Several studies show that an unexpectedly large percentage of users (between 82% and 86%) use easily predictable passwords (Morris and Thompson, 1979; Klein, 1990; Kabay, 1997)
• First and last names
• Street/city names, vacation destinations
• Words from a moderate-sized dictionary
• SSN or license plate numbers
• Abusive expressions, etc.
Authentication Using Passwords

How an attacker broke into LBL in 1989
• a U.S. Dept. of Energy research lab
Trivial Attack Scenario




Attacker can connect to the target machine and try passwords from his/her dictionary.
Many daemons break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down attackers. Attacker can simply start many threads in parallel.
Attacker can easily automate this process and run continuously over a broadband internet connection.
Even scripts are available for free on the Internet for this purpose.
One-Time Passwords


The password is different in each instance
Commercial implementations use hardware calculators (SecurID).
• Mostly in the shape of a credit card
• Have a display and keypad
• The user enters the shared secret (PIN)
• The display shows one-time password
• Example of two-factor authentication
Biometrics

Use physical characteristics of the user that are hard to forge.
• Palm or hand-readers can measure finger length, finger width, and the line patterns.
• Finger print readers
• Retinal pattern analysis
• Signature Analysis
• Voice Biometrics
Program Threats

Threats caused by programs written by other users
• Trojan Horses
• Trap Doors
• Logic Bombs
• Stack and Buffer Overflow
Trojan Horses


A seemingly innocent program containing code to perform an unexpected and undesirable function (modify, delete, copy files).
The person installing it first has to get the Trojan Horse executed.
• Place the program on the Internet as a “free” utility.
• Place the program in one of the directories heavily used.
Trojan Horses (Cont.)



Scenario
In UNIX, the environment variable $PATH controls the directories that are searched for a command
echo $PATH
:/usr/local/bin:/usr/bin:/bin:/usr/ucb:/usr/java/bin:/usr/bin/X11:/opt/util
Attacker prepares a Trojan Horse and installs it in /usr/bin/X11 under the name ‘la’
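
An added example, not part of the original slides: a defensive audit of a PATH string for the conditions that let a planted program be picked up by the command search, namely an empty entry (the listing above starts with ':', which the shell treats as the current directory), a relative entry, a missing directory, or a directory writable by group or others. The function names and the temporary directories created in `demo` are constructed for illustration.

```python
import os
import stat
import tempfile


def check_directory(directory):
    """Return a problem code for one absolute PATH directory, or None if it looks sane."""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return "missing"          # could be created later by someone else
    if not stat.S_ISDIR(mode):
        return "not-a-directory"
    if mode & stat.S_IWOTH:
        return "world-writable"   # any user can drop a program here
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None


def audit_path(path_value):
    """Return (entry, problem) pairs for every risky entry of a PATH string."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            problem = "current-dir"   # an empty entry means "search the current directory"
        elif not os.path.isabs(entry):
            problem = "relative"
        else:
            problem = check_directory(entry)
        if problem:
            findings.append((entry, problem))
    return findings


def demo():
    """Audit a constructed PATH: leading ':', a safe, a shared and an absent directory."""
    with tempfile.TemporaryDirectory() as root:
        safe = os.path.join(root, "safe")
        shared = os.path.join(root, "shared")
        absent = os.path.join(root, "absent")
        os.mkdir(safe)
        os.chmod(safe, 0o755)     # rwxr-xr-x: only the owner may add files
        os.mkdir(shared)
        os.chmod(shared, 0o777)   # rwxrwxrwx: everyone may add files
        findings = audit_path(":".join(["", safe, shared, absent]))
    return [problem for _, problem in findings]


if __name__ == "__main__":
    print(demo())
    for entry, problem in audit_path(os.environ.get("PATH", "")):
        print(f"{problem}: {entry!r}")
```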
Trojan Horses (Cont.)




Login Spoofing: Attacker writes a program to “emulate” the login screen of the terminal.
When a user comes and enters his/her username and password, the program sends this info to the Attacker, prints “Invalid password”, sends a signal to kill its shell.
This logs out Attacker and triggers the real login program.
One way to guard against this attack is to have the login sequence start with a key combination that user programs cannot catch.
Spyware Programs as Trojan Horse


Spyware is software that comes along with a program the user has chosen to install (freeware, shareware or commercial programs).
Spyware may
• Download ads to display on the user’s system
• Create pop-up browser windows when certain sites are visited
• Capture information from the user’s site and return it to a central site (for example, to receive instructions/addresses for distributing spam messages)
Logic Bombs

A piece of code written by one of a company’s programmers and secretly inserted into the production operating system/application program.

As long as the programmer “feeds” it its daily password, nothing happens.

If the programmer is fired or physically removed from the premises without warning, the logic bomb goes off (deleting/encrypting files, making hard-to-detect changes).
Trap Doors

Code inserted into the system by a system programmer to bypass some normal check

(a) Normal code

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(password);
        enable_echoing();
        v = check_validity(name, password);
        if (v) break;
    }
    execute_shell(name);

(b) Code with a trapdoor inserted

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(password);
        enable_echoing();
        v = check_validity(name, password);
        /* trapdoor: the login name "zzzzz" is accepted whatever password is typed */
        if (v || strcmp(name, "zzzzz") == 0) break;
    }
    execute_shell(name);
Stack and Buffer Overflow


Most common way for an attacker to gain unauthorized access to the target system
Consider the following code sequence in C:

    int i;
    char B[1024];
    i = 12000;
    B[i] = 0;   /* writes far past the end of B; C performs no bounds check */

Suppose that the main program calls a procedure A that asks the user for a file name and then reads it into a fixed-size buffer.
Buffer Overflow (Cont.)
[Figure: (a) Situation when main program is running; (b) After the function A is called; (c) Buffer overflow shown in gray]
Buffer Overflow (Cont.)




Attacker may provide a very long file name
This will overwrite memory, and also possibly the return address.
Or worse, the file name can be very carefully supplied so as to contain a valid binary program, with the return address overwritten by the address of B.
Measures against buffer overflow attacks
Hypothetical Stack Frame
[Figure: hypothetical stack frame, before attack and after attack]
System Threats

Worms: Processes that use the spawn mechanism to clobber system performance.
• A worm spawns copies of itself, using up system resources and network channels (denial of service).

Viruses: Fragments of code embedded in a legitimate program.
• When executed, they may modify/destroy files or cause system crashes
The Morris Internet Worm
• Launched by Robert Morris, a first-year graduate student at Cornell (1988)
Macro Viruses


Macro viruses take advantage of a feature found in Microsoft Office applications such as Word or Excel.
A macro is an executable program embedded in a word processing document or other type of file.
• Users employ macros to automate repetitive tasks and thereby save keystrokes.
• Macros are automatically executed on certain events (Opening/closing files, starting an application).
• Macro viruses are easily spread through e-mail
Parasitic Viruses

Parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
Some Other Types of Viruses





Memory-resident virus lodges in main memory as part of the resident system program. It infects every program that executes.
Boot sector virus infects a boot record and spreads when the system is booted from the disk containing the virus.
Encrypted virus includes the decryption code, along with the virus.
Stealth virus is designed to avoid detection by modifying parts of the system.
Polymorphic virus mutates with every infection, making detection by the “signature” of the virus very difficult or impossible.
Compression/decompression is a frequently used technique by virus writers to avoid detection/disinfection
Mutations of a Polymorphic Virus

A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine.
Denial of Service attacks

Bandwidth depletion
• Typically accomplished by sending many messages to a single machine, making it difficult for the normal messages to be processed.
Resource depletion
• Attempting to tie up resources that are needed by normal processes.
One thing that makes the problem particularly difficult is that attackers use innocent users by secretly installing code on their machine (zombies).
Detecting/stopping DoS attacks typically involves monitoring of message traffic.
Cryptography

Purpose: take a message or file, called the plaintext (P), and encrypt it into the ciphertext (C) in such a way that only authorized people know how to convert it back to the plaintext.
• Secrecy of the algorithms will depend on parameters called keys.
• To encrypt a plaintext, compute $C = E_k(P)$
• To decrypt a ciphertext, compute $P = D_k(C)$
• Given C, computing P must be computationally infeasible.
Symmetric Cryptosystems

In symmetric cryptosystems, the same key is used to encrypt and decrypt a message: $P = D_k(E_k(P))$
• The sender and receiver are required to share the same key, which must be kept secret.
• The key distribution problem
• Setting up secure channels requires a protocol.
AES (Advanced Encryption Standard) Contest

In 1997, NIST published a call for a new encryption system (AES). The algorithms had to be:
• Unclassified and publicly disclosed
• Available royalty-free for use worldwide
• Symmetric block cipher algorithms, for 128-bit blocks
• Usable with key sizes of 128, 192 and 256
The winner algorithm was Rijndael -- adopted for use by the US government in December 2001
Some Common Symmetric Algorithms
and Corresponding Key Lengths









Blowfish (Schneier): up to 448 bits
DES (IBM): 56 bits
IDEA (Massey & Xuejia): 128 bits
RC4 (Rivest): up to 2048 bits
RC5 (Rivest): 128 – 256 bits
Rijndael (Daemen and Rijmen): 128 – 256 bits
Serpent (Anderson, Biham, Knudsen): 128 – 256 bits
Triple DES (IBM): 168 bits
Twofish (Schneier): 128 – 256 bits
Secure Channels - 1
Some communication relies on the idea of a secure channel between two entities:
– Authentication of communicating parties, message integrity, confidentiality
– Determining whether a client is authorized to perform the given request.
– Secure channels set up with authentication as part of the process.
– One option is for the client and server to share a secret key and use challenge-response protocols to authenticate.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Secure Channels - 2
Session keys –
• Shared secret key that is used to encrypt messages for integrity.
• Typically, only used as long as the channel exists – destroyed when channel is closed.
• One benefit is that if the secret key is compromised, the damage is limited to a single session.
• Also, the less time a key is in use, the less likely it will be revealed to the wrong party. The more messages that exist using a particular key, the more likely that it will be broken.
• There needs to be a secure way to generate this session key – Trusted third party can be used.
Authentication Based on a Shared
Secret Key (1)
A wants to set up a secure channel with B.
Challenge-response protocol that assumes A and B already share a secret key $K_{A,B}$. A sends a request to B
Authentication Based on a Shared
Secret Key (2)
B verifies that it is talking to A if A can
correctly encode the challenge number.
Authentication Based on a Shared
Secret Key (3)
Authentication Based on a Shared
Secret Key (4)
Authentication based on a shared secret key, but using three
instead of five messages. This ‘optimization’ is open to a
reflection attack.
Authentication Based on a Shared
Secret Key (5)
C does not know $K_{A,B}$ and cannot answer the challenge.
The reflection attack where C (Chuck) tries to convince B (Bob) of identity A (Alice).
Authentication Based on a Shared
Secret Key (6)
C starts a new session with B where it now uses B’s
challenge number.
Authentication Based on a Shared
Secret Key (5)
Now C knows the answer to B’s challenge and can complete the protocol. Note that this can’t happen with the original challenge-response protocol.
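
An added example, not from the slides or the textbook: the three-message exchange and the reflected session described above, run against two versions of B so the effect of a countermeasure can be checked. HMAC-SHA256 stands in for encryption under $K_{A,B}$, and the role-binding fix (`bind_role`) is a standard hardening added here that goes beyond the slides, which only note that the original protocol is not affected; all names and the key are constructed.

```python
import hashlib
import hmac
import secrets

KEY_AB = b"constructed demo key shared by A and B"  # constructed sample key


def keyed(key, *fields):
    """Stand-in for K_{A,B}(...): HMAC-SHA256 over length-prefixed fields."""
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, message, hashlib.sha256).digest()


class Responder:
    """B in the three-message variant. bind_role=False is the protocol as drawn."""

    def __init__(self, key, bind_role):
        self.key = key
        self.bind_role = bind_role
        self.pending = {}  # session id -> B's outstanding challenge R_B

    def answer(self, role, challenge):
        # Hardened form: the answer says which side produced it, so an answer
        # made by B as responder is useless as an initiator's answer.
        fields = (role, challenge) if self.bind_role else (challenge,)
        return keyed(self.key, *fields)

    def on_message1(self, session, r_peer):
        """Message 1 carries the claimed identity and R_peer; reply is message 2."""
        r_b = secrets.token_bytes(16)
        self.pending[session] = r_b
        return r_b, self.answer(b"responder", r_peer)

    def on_message3(self, session, response):
        """Message 3 must be the peer's answer to R_B for this session."""
        r_b = self.pending.pop(session, None)
        if r_b is None:
            return False
        return hmac.compare_digest(response, self.answer(b"initiator", r_b))


def honest_run(b, key):
    """A, who holds the key, authenticates B and is authenticated by B."""
    r_a = secrets.token_bytes(16)
    r_b, proof_b = b.on_message1("honest", r_a)
    fields_b = (b"responder", r_a) if b.bind_role else (r_a,)
    if not hmac.compare_digest(proof_b, keyed(key, *fields_b)):
        return False
    fields_a = (b"initiator", r_b) if b.bind_role else (r_b,)
    return b.on_message3("honest", keyed(key, *fields_a))


def reflected_run(b):
    """The slides' scenario: a peer without the key feeds R_B back to B in a
    second session and returns B's own answer in the first session."""
    r_b, _ = b.on_message1("session-1", secrets.token_bytes(16))
    _, echoed = b.on_message1("session-2", r_b)
    return b.on_message3("session-1", echoed)


if __name__ == "__main__":
    for bind in (False, True):
        b = Responder(KEY_AB, bind_role=bind)
        print(f"bind_role={bind}: honest={honest_run(b, KEY_AB)} "
              f"reflected={reflected_run(b)}")
```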
Asymmetric Cryptosystems
(Public-Key Encryption)


In asymmetric cryptosystems, the keys for encryption and decryption are different: $P = D_d(E_e(P))$
First proposed by Diffie and Hellman in 1976
• Overcomes the key distribution problem of symmetric algorithms
Usually, one of the keys in an asymmetric cryptosystem is kept private, the other is made public, hence the framework is also known as public-key cryptosystems.
It should be computationally infeasible to determine the decryption key given only the knowledge of the encryption key.
Relies on several results from number theory that make brute-force attacks computationally infeasible.
Public-Key Encryption

Major steps
• Each user generates a pair of keys to be used for encryption and decryption.
• One of the keys is made public. The companion key is kept private.
• If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.
• When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
Authentication using
Public and Private Keys

Suppose Bob wants to send a message to Alice, and although he is not interested in keeping the contents secret, he wants Alice to be certain that the message is indeed from him.
• Bob uses his private key to encrypt the message
• When Alice receives the ciphertext, she finds that she can indeed decrypt it with Bob’s public key: the authentication is complete

Authentication and Secrecy can be combined
• Bob will encrypt the message first by using his private key and then encrypt a second time using Alice’s public key.
• Alice will apply decryption using first her private key and then Bob’s public key.
RSA Encryption - 1
RSA – named after inventors Rivest, Shamir and Adleman (1978)
Relies on the fact that no methods are known to efficiently find the prime factors of large numbers.
Asymmetric system: Public & private keys are constructed from very large prime numbers (hundreds of decimal digits).
RSA Encryption - 2
To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than $10^{100}$), and form:
   N = P x Q
   Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
   We illustrate the computations involved using small integer values for P and Q:
   P = 13, Q = 17 –> N = 221, Z = 192
   d = 5
3. To find e solve the equation:
   e x d = 1 mod Z
   That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
   e x d = 1 mod 192 = 1, 193, 385, ...
   385 is divisible by d
   e = 385/5 = 77
RSA Encryption - 3
To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where $2^k < N$ (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
k = 7, since $2^7 = 128$ (N = 221)
The function for encrypting a single block of plaintext M is:
$E'(e,N,M) = M^e \bmod N$
for a message M, the ciphertext is $M^{77} \bmod 221$
The function for decrypting a block of encrypted text c to produce the original plaintext block is:
$D'(d,N,c) = c^d \bmod N$
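
An added example, not from the slides or the textbook: the key-pair steps and the block functions above carried through with the slides' own numbers (P = 13, Q = 17, d = 5). It also shows two things the arithmetic alone does not: equal plaintext blocks give equal ciphertext blocks, and with a modulus this small the private exponent follows from the public key by factoring, which is why P and Q must be very large. Function names are constructed, and one ASCII character is used per 7-bit block as a simplifying assumption.

```python
from math import gcd


def make_keypair(p, q, d):
    """Steps 1-3 of the slide: returns (e, d, N)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime with Z")
    multiple = z + 1                 # series Z+1, 2Z+1, 3Z+1, ...
    while multiple % d != 0:
        multiple += z
    return multiple // d, d, n


def block_bits(n):
    """Largest k with 2**k < N."""
    return (n - 1).bit_length() - 1


def encrypt(text, e, n):
    """E'(e, N, M) = M^e mod N, one character per block."""
    limit = 2 ** block_bits(n)
    blocks = []
    for ch in text:
        m = ord(ch)
        if m >= limit:
            raise ValueError(f"{ch!r} does not fit in a {block_bits(n)}-bit block")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(blocks, d, n):
    """D'(d, N, c) = c^d mod N."""
    return "".join(chr(pow(c, d, n)) for c in blocks)


def private_exponent_from_public(e, n):
    """Feasible only because N is tiny: factor N, rebuild Z, invert e mod Z."""
    p = next(f for f in range(2, n) if n % f == 0)
    z = (p - 1) * (n // p - 1)
    return pow(e, -1, z)


def demo():
    e, d, n = make_keypair(13, 17, 5)
    cipher = encrypt("HELLO", e, n)
    return {
        "keys": (e, d, n),
        "k": block_bits(n),
        "cipher": cipher,
        "round_trip": decrypt(cipher, d, n),
        "repeated_block_visible": cipher[2] == cipher[3],  # the two L's
        "d_recovered": private_exponent_from_public(e, n),
    }


if __name__ == "__main__":
    print(demo())
```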
Authentication in a PKI system
Public key systems can also be used to generate session keys
using mutual authentication.
Digital Signatures
Message integrity
– If A sends a message to B over a secure channel, there is no assurance that B won’t modify the message later and make claims about A.
– B may need to be sure that A won’t later deny sending the message.
Digital signatures provide assurances
– using PKI on entire message
– can sign a message digest (less expensive than encrypting a large message)
Issues:
– What happens when public/private keys are changed?
Digital Signatures (1)
Digitally signing a message using public-key cryptography. B knows the message came from A since it was encoded with $K_A^-$ (B can keep a copy). A is protected from tampering as well.
Digital Signatures (2)
Digitally signing a message using a message digest. The message m can be in plain-text accompanied by $K_A(H(m))$
Covert Channels (Cont.)



Can secret information be passed even if the messages are subject to inspection?
The picture on the left is the original one
The picture on the right has the text of 5 Shakespeare plays embedded in it.
Mobile Code

Securing mobile code involves protecting the local site from code created remotely.
• ‘Sandboxes’ allow downloaded programs to be run in such a way that each executed instruction is carefully controlled either by static analysis before executing the code or by inserting dynamic checks (or both).
• Java uses byte code verification, specialized loaders for remote classes, and a security manager
  – byte code verifiers – check Java byte code for illegal instructions or for parts of the code that do not conform to some format standards.
  – specialized loaders – prohibit certain types of instructions that may allow things like additional loading of (potentially unchecked) classes
  – Security manager – runtime checks – acts as a reference manager.
  – Various ways to implement security policy: capabilities, stack introspection, name space management.
Protecting the Target
Java Sandbox
Protecting the Target

A playground is a separate designated machine
that can be used to run untrusted code.