advanced database course (esed5204) eng. hanan alyazji university of palestine software engineering...
TRANSCRIPT
Advanced Database Course
(ESED5204)
Eng. Hanan Alyazji
University of PalestineSoftware Engineering Department
Data Security
Attack and Attacker
A computer attack is any operation intended to disrupt, deny,
degrade or destroy information held in computers or computer
system.
Goal of an Attacker:
Reduce of an availability of a system to legit users, so that the
system is unable to provide the services it is supposed to provide.
Deny you use of your own resources (Denial of Service, or DOS).
Types of Attacks
Active attacks
Attempt to introduce invalid data into a system, and damage or destroy
data already stored in it.
Denial of service
Breaking into a site
(Intelligence gathering, Resource usage, Deception)
Passive attacks
Attempt to steal information stored in a system by eavesdropping.
Sniffing (Passwords, Network traffic, Sensitive information)
Information gathering
Passive vs Active
Passive No altering to the data and network.
Information disclosure and followed by active attacks.
Hard to detect.
Active Violation of the consistency or availability.
Perceptible but hard to track.
Malfunction of the services or the network.
Types of attacks
Denial of Service (DoS).
Website Defacement.
Viruses and Worms.
Data sniffing and Spoofing.
Unauthorized Access Malicious Code and Trojans.
Port-scanning and Probing.
Wireless Attacks.
Denial of Service
As its name implied, this type of attack aims at deny legitimate
users’ access to a resource.
Denial of Service attacks occur when a malicious attacker
tries to reduce the quality of service of the target, or even
make the target unusable to others.
Block users from reaching a particular target.
Sometimes, advanced hackers use these types of attacks to
cover their more complicated attacks.
Goal of DoS
Flood a network, thereby preventing legitimate network
traffic.
Disrupt connections between machines, thereby preventing
access to a service.
Prevent a particular individual from accessing a service.
Disrupt service to a specific system or person.
Website Defacement
A website defacement is an attack on a website that
changes the visual appearance of the site.
These are typically the work of system crackers ,who
break into a web server and replace the hosted website
with one of their own.
System crackers:
A cracker is someone who breaks into someone else.
System crackers is someone involved in computer
security.
Viruses and Worms Computer Virus
A computer virus is a program that can infect a computer without
permission or knowledge of the user.
Requires user interaction to infect.
Infects user files and directories.
Computer Worm
A computer worm is a program which copies itself across a network.
It is a virus with enough malicious “code” to replicate itself without
the need of a host.
Penetrates hosts and slows network traffic.
Viruses vs Worms
A computer worm differs from a computer virus in that: A computer worm can run itself. A computer worm can spread without a host program.
Some modern computer worms also use files to hide inside.
A virus needs a host program to run. The virus code runs as part of the host program.
SO, A virus is dependent upon a host file and the transfer of files
between machines to spread, while a worm can run completely
independently and spread itself through network connections.
Data Sniffing and Spoofing
Sniffing
A program or device that monitors data traveling over a network.
Hackers can use this technique to find out passwords and
usernames for services that transmit the information.
Attackers are normally undetected.
Spoofing
An attempt to gain access to a system by posing as an authorized
user.
Acting on behalf of another person or entity.
Attacks routinely occur from spoofed sources to hide the original
identity.
Unauthorized Access
Can be accomplished by any connection to a computer or
network.
Must somehow compromise authentication (password, token,
PIN) to gain access.
Once access is gained malicious activity can occur.
Unless internal auditing and access control is implemented,
access can be undetected for years.
Malicious Code and Trojans
Malicious Code
It is a new breed of threat that cannot be efficiently controlled by
conventional antivirus software alone.
Trojans (Backdoors)
A Trojan is a program that may appear to be legitimate, but in fact
does something malicious.
Users may install programs that contain Trojans embedded within
the code.
Many computer games contain Trojans that allow remote users to
gain access.
Permit an attacker to access resources on target.
Wireless Attacks
Wireless Equivalent Privacy (WEP) protocol cannot be
trusted for security.
Attackers can easily eavesdrop or spoof wireless traffic.
Hackers external to your building may be able to intercept
and view all of your wireless traffic.
Hacker tools free and easily accessible via the web.
Port-scanning and Probing Port-scanning
Technique that used by hackers to discover open network ports in your computer which they can break into.
A port scanner is a piece of software designed to search a network host for open ports.
Probing
Probe: is an attempt to gain access to a computer and its files through a known or probable weak point in the computer system.
Once vulnerable ports are identified, the port can be probed with malicious intent.
Probing software is free and commonly accessible via the web.
Attacker’s Process
Attacker’s Process is consists of several steps:
1. Passive Reconnaissance.
2. Active Reconnaissance.
3. Exploiting the System.
1. Gaining Access.
2. Elevating Privileges.
3. Uploading Program.
4. Keeping Access.
5. Covering Tracks.
Attacker’s Process
Passive Reconnaissance
Aims at gaining as much information as possible about the
target system.
Not necessary through the network but by listening to
people talking about their company’s business and policy.
The most popular type of passive attack through network is
“sniffing”
Passive Reconnaissance (Sniffing)
Active Reconnaissance
The hacker is still gathering information but in a more forceful
or active way.
This is a critical moment to detect an intruder as active action
usually exposes his trace.
Logging (e.g. firewall data logging and access data logging) is
the key countermeasure for this type of attack.
A typical example will be “port scanning”.
Active Reconnaissance
Some of key information that interest most hackers are:
Host accessible.
Locations of routers and firewalls.
Operating system running on key system.
Ports that are open.
Services that are running.
Versions of applications that are running.
Exploiting the System
Anything that can be used to comprised a machine is
considered as an exploit.
There are three ways an attacker can exploit a system:
Gaining Access.
Elevation of Privileges.
Denial of Services.
Gaining Access
The most popular type of exploiting the system is Gaining Access
There are several common ways of gaining access to a system:
Operating System Attacks.
Most OS are non-secure by default installation.
Application-level Attacks.
Software are not well-test before release.
Script and Sample Program attacks.
More common in Unix platform
Misconfiguration Attacks.
Unneeded services not removed.
Elevating Privileges
Gain root or administrator privilege
By gaining a minimal amount of
access (e.g. guest account) and
then elevate that to full access.
Uploading Program
Usually the attackers will upload two kinds of software to the
target computers to:
Increase access.
After gaining access as normal user, upload and run a
program that can exploit the weakness in the OS to gain
root privilege.
Compromise other systems.
Launch attacks to another computer through the victim
machine so as to increase the difficulty of being traced.
Keeping Access
Put a back door so that the attacker can return later.
A back door is a means of access to a computer program that
bypasses security mechanisms.
Ways of putting a back doors:
Adding an account to the system.
Overwrite a system file with one that has a hidden feature.
Running a Trojan Horse Program.
Covering Track
The last thing an attacker will do is to make sure he/she does
not get caught.
Methods:
Clean up the log files.
Only those items relating to the attack.
Turn off logging as soon as the attacker gain access to the
machine.
Authentication
Authentication: binding of identity to subject.
Identity: is that of external entity (my identity, etc.)
Subject: is computer entity (process, etc.)
Establishing Identity: One or more of the following:
What entity knows (eg. password)
What entity has (eg. badge, smart card)
What entity is (eg. fingerprints, retinal characteristics)
Where entity is (eg. In front of a particular terminal)
Passwords
Problems
Employees generally have very weak passwords
E.g. girl friend’s names, birthday
Even worse, passwords are never changed and old accounts
are not deleted.
On the other hand, passwords are one of the easiest thing to
secure as it is already built into the system
Strong password characteristics:
Changes every 45 days.
Minimum length of 10 characters.
Contains at least one alpha, one number and one special character.
Alpha, number and special characters must be mixed and not
appended to the end.
e.g. oa$5z6nc not oazcn$56
Does not reuse previous five passwords.
After five failed logon attempts, password is blocked for several
hours.
Guessing a Password
Using Anderson’s formula:
P probability of in specified period of time.
G number of guesses tested in 1 time unit.
T number of time units.
N number of possible passwords.
Then P ≥ TG/N
Example Passwords drawn from a 96-char alphabet Can test 104 guesses per second Probability of a success to be 0.5 over a 365 day period
What is minimum password length?
Solution
N ≥ TG/P = (365246060)104/0.5 = 6.311011
Choose s such that sj=0 96j ≥ N ≥ 6.311011
So s ≥ 6, meaning passwords must be at least 6 chars
Access Control
Access Control
Access control comprises those mechanisms that enforce mediation on subject requests for access to objects. Its function is to control which principals (persons, processes, machines, …) have access to:
which resources in the system,
which files they can read,
which programs they can execute, and
how they share data with other principals, and so on.
Access Control Models
Discretionary: users are authorized to determine which other
users can access files or other resources that they create, use,
or own.
Mandatory: computer system decides exactly who has access
to which resources.
Role-Based :user’s access & privileges determined by role.
Discretionary Access Control
Based on the concept of access rights or Privileges for objects and
mechanisms for giving users privileges (and revoking privileges).
In Databases, objects refer to Tables and Views.
Creator of a table or a view automatically gets all privileges on it.
DMBS keeps track of who gains and loses privileges, and
ensures that only requests from users who have the necessary
privileges (at the time the request is issued) are allowed.
Discretionary Access Control
DAC:
A means of restricting access to objects based on the identity of subjects or
groups, or both, to which they belong. The controls are discretionary in the
sense that a subject with a certain access permission is capable of passing that
permission on to any other subject.
Mandatory Access Control
A means of restricting access to objects based on the sensitivity of
the information contained in the objects and the formal authorization
(i.e. clearance) of subjects to information of such sensitivity. Mandatory Access Control (MAC)
Access rules are set system-wide.
Normal users cannot violate system-wide rules, even for resources
they “own” (e.g. create).
Implements organizational policy.
Usually combined with DAC to add discretion.
S
ProcessS
P
S
Read Write
P
Mandatory access control (MAC)
No reads up No writes down
41
MAC vs DAC
Discretionary Access Control (DAC)
Access governed by normal users.
Owner of a resource can designate permissions.
Standard model for Unix, Linux, Windows, etc.
Access control is at the discretion of the user.
Implements user’s policy.
MAC
Mandatory Access Control (MAC)
Access rules are set system-wide.
Normal users cannot violate system-wide rules, even for
resources they “own” (e.g. create).
Implements organizational policy.
Usually combined with DAC to add discretion.
Applications
Multi-level military security
Bell-LaPadula Mode
Bell & LaPadula(BLP) Model
Simple security property = No-read-up
A subject Si can have read access to an object Oj only if C
(Si) >= C (Oj)
Star(*)-property = No-write-down
a subject Si can have write access to an object Oj only if C (Si)
<= C (Oj)
44
Bell-LaPadula Model
Security levels arranged in linear ordering
Top Secret: highest
Secret
Confidential
Unclassified: lowest
Subjects have security clearance L(s)
Objects have security classification L(o)
Clearance is primarily a restriction on what you can release.
Secret
Confidential
Unclassified
Top Secret
Low
Sec
urit
y le
vel
High
Bell-LaPadula Model
Classifications:
Top Secret
Secret
Confidential
Unclassified
What is the main goal of the Bell-LaPadula model?
Confidentiality. The model tries to prevent information from a
high level of sensitivity to flow to a lower level.
46
Reading Information
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition
Subject s can read object o iff, L(o) ≤ L(s) and s has
permission to read o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “No reads up” rule
47
Writing Information
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property
Subject s can write object o iff L(s) ≤ L(o) and s has
permission to write o
Note: combines mandatory control (relationship of
security levels) and discretionary control (the required
permission)
Sometimes called “No writes down” rule
Bell-LaPadula Example
49
Example
objectsubjectsecurity level
Syllabus
Assignments
Assignment Solutions
Grade Files
EveryoneUnclassified
StudentsConfidential
HassanSecret
AhmedTop Secret
Ahmed can read all files. Students cannot read grade files or assignment solutions. Everyone can only read syllabus.
Exercise
Assume that the Bell-LaPadula security model has been
implemented in a system.
Alice has a ‘secret’ clearance and Bob’s clearance is ‘classified’.
Which of the following operations are not allowed, assuming that
both Alice and Bob operate at their highest clearance level?
1. Alice reads a document written by Bob.
2. Bob reads a document written by Alice.
3.Bob sends Alice a document that he has written.
4. Alice sends Bob a document that she has written.
5. Alice reads a document with the label ‘secret’.
6. Bob reads an unclassified document and sends it to Alice.
Questions?
?