CS 471 - Lecture 11 Protection and Security Ch. 14,15 George Mason University Fall 2009

CS 471 - Lecture 11

Protection and Security

Ch. 14,15

George Mason University

Fall 2009

Protection

In a computer system, each object should be accessed through a well-defined set of operations.

Protection problem - ensure that each object is accessed through the well-defined operations and only by those processes that are allowed to do so.

Least privilege principle: Programs and users should be given just enough privileges to perform their tasks (Not easy to achieve!)

Domain Structure

A process operates within a protection domain.

• Each domain defines a set of objects and the types of operations that may be invoked on objects.

• Static or dynamic association

Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.

Access Matrix

The model can be viewed as a matrix (access matrix)

• Rows represent domains

• Columns represent objects

• Access(i, j) is the set of operations that a process executing in Domain_i can invoke on Object_j

• Can be expanded to dynamic protection (operations to add, delete access rights and switch domains).

Implementing the Access Matrix

The access matrix is usually large and sparse

We can

• store the matrix by columns or by rows

• store only the non-empty elements

Storing the matrix by columns corresponds to access control lists

Storing the matrix by rows corresponds to capabilities

Access Control List (ACL)

Associate with each object a list containing all the domains that may access the object, and how.

Each column of the access matrix is captured in an access control list.

ACL (Cont.)

To condense the length of the access control list, many systems recognize three classifications of users in connection with each file (e.g. Unix)

• Owner

• Group

• Others

Only three 3-bit fields are needed to define protection for each of these groups, for read access, write access and execution control

More fine-grained access control lists can be specified for each file, if needed (e.g. Solaris 2.6 and beyond)

How to revoke rights??

A sample directory listing in Unix

Above, “program” has the protection bits “r w x r - x r - x”

The owner (pbg) can read, modify and execute “program”

The members of the group (staff) can read and execute “program”

All “other users” can also read and execute “program”

Domains in Unix

In Unix, each user-id defines a separate domain

By default, each process is executed in the domain of the user who invokes it

Assume Mike wants to change his password

• He will need to invoke a program such as “passwd”, which needs to have R/W rights for the file /etc/passwd

• Will the “passwd” program run in Mike’s domain??

Domain Switching in Unix

Domain switch (dynamic association) accomplished via file system

• A domain bit (setuid bit) is associated with each file

• When the file is executed and setuid = on, then user-id is set to the owner of the file being executed. When the execution completes, user-id is reset.

• If setuid = off, then the file is executed in the domain of the user who invokes it

Capabilities

Associate with each domain a list of objects that may be accessed, and permitted operations.

Each row of the access matrix is captured in a capability list.

In practice, each capability can be seen as a ticket for an operation.

How to revoke rights??
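
The two storage schemes from the slides "Implementing the Access Matrix", "Access Control List (ACL)" and "Capabilities", as an added example that is not part of the original lecture. The matrix contents and all function names are constructed for illustration; the code stores one sparse matrix by columns and by rows and shows what the "How to revoke rights??" question costs in each form.

```python
from collections import defaultdict

# Constructed sample matrix: (domain, object) -> rights. Empty cells are absent.
MATRIX = {
    ("D1", "F1"): {"read"},
    ("D1", "F3"): {"read"},
    ("D2", "printer"): {"print"},
    ("D3", "F2"): {"read"},
    ("D3", "F3"): {"execute"},
    ("D4", "F1"): {"read", "write"},
    ("D4", "F3"): {"read", "write"},
}


def by_columns(matrix):
    """Access control lists: object -> {domain: rights}."""
    acls = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        acls[obj][domain] = set(rights)
    return dict(acls)


def by_rows(matrix):
    """Capability lists: domain -> {object: rights}."""
    caps = defaultdict(dict)
    for (domain, obj), rights in matrix.items():
        caps[domain][obj] = set(rights)
    return dict(caps)


def acl_allows(acls, domain, obj, op):
    # The check starts at the object and looks for the caller's domain.
    return op in acls.get(obj, {}).get(domain, set())


def cap_allows(caps, domain, obj, op):
    # The check starts at the domain and looks for a ticket for the object.
    return op in caps.get(domain, {}).get(obj, set())


def revoke_acl(acls, obj, op):
    """Revoke op on obj for every domain; returns the number of lists visited."""
    for rights in acls.get(obj, {}).values():
        rights.discard(op)
    return 1  # everything about obj lives in the object's own list


def revoke_caps(caps, obj, op):
    """Same revocation on capability lists; returns the number of lists visited."""
    visited = 0
    for tickets in caps.values():
        visited += 1  # tickets are spread over the domains, so each list is searched
        tickets.get(obj, set()).discard(op)
    return visited


if __name__ == "__main__":
    acls, caps = by_columns(MATRIX), by_rows(MATRIX)
    print("ACL for F3:", acls["F3"])
    print("Capabilities of D4:", caps["D4"])
    print("lists visited to revoke read on F3:",
          revoke_acl(acls, "F3", "read"), "(ACL) vs",
          revoke_caps(caps, "F3", "read"), "(capabilities)")
```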

Security

Security must consider also the external environment of the system, and protect it from:

• unauthorized access

• malicious modification or destruction

Types of security threats to consider:

• Interception – an unauthorized party gains access to data or service

• Interruption – situation where data or service becomes unavailable

• Modification – unauthorized changing of data or tampering with a service so that it no longer adheres to its spec.

• Fabrication – situation where data or activity is generated that normally would not exist.

User Authentication

Correctly identifying the users is crucial for system security.

Authentication can be done based on:

• User possession

• User knowledge

• User attribute

Authentication using login name and password

• Each user supplies a (login name, password)

• If the login name is among the authorized users and the password matches with system records, it is accepted.

User Authentication (Cont.)

Attacker must correctly enter the login name and the password.

• Login name can be easily guessed

• Password must be selected very carefully!

Several studies show that an unexpectedly large percentage of users (between 82% and 86%) use easily predictable passwords (Morris and Thompson, 1979; Klein, 1990; Kabay, 1997)

• First and last names

• Street/city names, vacation destinations

• Words from a moderate-sized dictionary

• SSN or license plate numbers

• Abusive expressions, etc.

Authentication Using Passwords

How an attacker broke into LBL in 1989

• a U.S. Dept. of Energy research lab

Trivial Attack Scenario

Attacker can connect to the target machine and try passwords from his/her dictionary.

Many daemons break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down attackers. Attacker can simply start many threads in parallel.

Attacker can easily automate this process and run continuously over a broadband internet connection.

Even scripts are available for free on the Internet for this purpose.

One-Time Passwords

The password is different in each instance

Commercial implementations use hardware calculators (SecurID).

• Mostly in the shape of a credit card

• Have a display and keypad

• The user enters the shared secret (PIN)

• The display shows one-time password

• Example of two-factor authentication

Biometrics

Use physical characteristics of the user that are hard to forge.

• Palm or hand-readers can measure finger length, finger width, and the line patterns.

• Fingerprint readers

• Retinal pattern analysis

• Signature Analysis

• Voice Biometrics

Program Threats

Threats caused by programs written by other users

• Trojan Horses

• Trap Doors

• Logic Bombs

• Stack and Buffer Overflow

Trojan Horses

A seemingly innocent program containing code to perform an unexpected and undesirable function (modify, delete, copy files).

The person installing it first has to get the Trojan Horse executed.

• Place the program on the Internet as a “free” utility.

• Place the program in one of the heavily used directories.

Trojan Horses (Cont.)

Scenario

In UNIX, the environment variable $PATH controls the directories that are searched for a command

    echo $PATH
    :/usr/local/bin:/usr/bin:/bin:/usr/ucb:/usr/java/bin:/usr/bin/X11:/opt/util

Attacker prepares a Trojan Horse and installs it in /usr/bin/X11 under the name ‘la’

Trojan Horses (Cont.)

Login Spoofing: Attacker writes a program to “emulate” the login screen of the terminal.

When a user comes and enters his/her username and password, the program sends this info to the attacker, prints “Invalid password”, and sends a signal to kill its shell.

This logs out the attacker and triggers the real login program.

One way to guard against this attack is to have the login sequence start with a key combination that user programs cannot catch.

Spyware Programs as Trojan Horse

Spyware is software that comes along with a program the user has chosen to install (freeware, shareware or commercial programs).

Spyware may

• Download ads to display on the user’s system

• Create pop-up browser windows when certain sites are visited

• Capture information from the user’s site and return it to a central site (for example, to receive instructions/addresses for distributing spam messages)

Logic Bombs

A piece of code written by one of a company’s programmers and secretly inserted into the production operating system/application program.

As long as the programmer “feeds” it its daily password, nothing happens.

If the programmer is fired or physically removed from the premises without warning, the logic bomb goes off (deleting/encrypting files, making hard-to-detect changes).

Trap Doors

Code inserted into the system by a system programmer to bypass some normal check

(a) Normal code

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();          /* do not show the password as it is typed */
        printf("password:");
        get_string(password);
        enable_echoing();
        v = check_validity(name, password);
        if (v) break;               /* leave the loop only on a valid login */
    }
    execute_shell(name);

(b) Code with a trapdoor inserted

    while (TRUE) {
        printf("login:");
        get_string(name);
        disable_echoing();
        printf("password:");
        get_string(password);
        enable_echoing();
        v = check_validity(name, password);
        /* trapdoor: the login name "zzzzz" passes whatever the password is */
        if (v || strcmp(name, "zzzzz") == 0) break;
    }
    execute_shell(name);

Stack and Buffer Overflow

Most common way for an attacker to gain unauthorized access to the target system

Consider the following code sequence in C:

    int i;
    char B[1024];
    i = 12000;
    B[i] = 0;      /* index is far outside B; C performs no bounds check */

Suppose that the main program calls a procedure A that asks the user for a file name and then reads it into a fixed-size buffer.

Buffer Overflow (Cont.)

(a) Situation when main program is running

(b) After the function A is called

(c) Buffer overflow shown in gray

Buffer Overflow (Cont.)

Attacker may provide a very long file name

This will overwrite memory, and also possibly the return address.

Or worse, the file name can be very carefully supplied so as to contain a valid binary program and to overlay the return address with the address of B.

Measures against buffer overflow attacks

Hypothetical Stack Frame

[Figure: the stack frame before the attack and after the attack]

System Threats

Worms: Processes that use the spawn mechanism to clobber system performance.

• A worm spawns copies of itself, using up system resources and network channels (denial of service).

Viruses: Fragments of code embedded in a legitimate program.

• When executed, they may modify/destroy files or cause system crashes

The Morris Internet Worm

• Launched by Robert Morris, a first-year graduate student at Cornell (1988)

Macro Viruses

Macro viruses take advantage of a feature found in Microsoft Office applications such as Word or Excel.

A macro is an executable program embedded in a word processing document or other type of file.

• Users employ macros to automate repetitive tasks and thereby save keystrokes.

• Macros are automatically executed on certain events (Opening/closing files, starting an application).

• Macro viruses are easily spread through e-mail

Parasitic Viruses

A parasitic virus attaches itself to executable files and, when the infected program is executed, replicates by finding other executable files to infect.

Some Other Types of Viruses

Memory-resident virus lodges in main memory as part of the resident system program. It infects every program that executes.

Boot sector virus infects a boot record and spreads when the system is booted from the disk containing the virus.

Encrypted virus includes the decryption code, along with the virus.

Stealth virus is designed to avoid detection by modifying parts of the system.

Polymorphic virus mutates with every infection, making detection by the “signature” of the virus very difficult or impossible.

Compression/decompression is a frequently used technique by virus writers to avoid detection/disinfection

Mutations of a Polymorphic Virus

A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine.

Denial of Service attacks

Bandwidth depletion

• Typically accomplished by sending many messages to a single machine, making it difficult for the normal messages to be processed.

Resource depletion

• Attempting to tie up resources that are needed by normal processes.

One thing that makes the problem particularly difficult is that attackers use innocent users by secretly installing code on their machine (zombies).

Detecting/stopping DoS attacks typically involves monitoring of message traffic.

Cryptography

Purpose: take a message or file, called the plaintext (P), and encrypt it into the ciphertext (C) in such a way that only authorized people know how to convert it back to the plaintext.

• Secrecy of the algorithms will depend on parameters called keys.

• To encrypt a plaintext, compute C = E_k(P)

• To decrypt a ciphertext, compute P = D_k(C)

• Given C, computing P must be computationally infeasible.

Symmetric Cryptosystems

In symmetric cryptosystems, the same key is used to encrypt and decrypt a message: P = D_k(E_k(P))

• The sender and receiver are required to share the same key, which must be kept secret.

• The key distribution problem

• Setting up secure channels requires a protocol.

AES (Advanced Encryption Standard) Contest

In 1997, NIST published a call for a new encryption system (AES). The algorithms had to be:

• Unclassified and publicly disclosed

• Available royalty-free for use worldwide

• Symmetric block cipher algorithms, for 128-bit blocks

• Usable with key sizes of 128, 192 and 256

The winning algorithm was Rijndael -- adopted for use by the US government in December 2001

Some Common Symmetric Algorithms and Corresponding Key Lengths

• Blowfish (Schneier): up to 448 bits

• DES (IBM): 56 bits

• IDEA (Massey & Xuejia): 128 bits

• RC4 (Rivest): up to 2048 bits

• RC5 (Rivest): 128 – 256 bits

• Rijndael (Daemen and Rijmen): 128 – 256 bits

• Serpent (Anderson, Biham, Knudsen): 128 – 256 bits

• Triple DES (IBM): 168 bits

• Twofish (Schneier): 128 – 256 bits

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5

Secure Channels - 1

Some communication relies on the idea of a secure channel between two entities:

– Authentication of communicating parties, message integrity, confidentiality

– Determining whether a client is authorized to perform the given request.

– Secure channels set up with authentication as part of the process.

– One option is for the client and server to share a secret key and use challenge-response protocols to authenticate.

Secure Channels - 2

Session keys –

• Shared secret key that is used to encrypt messages for integrity.

• Typically, only used as long as the channel exists – destroyed when channel is closed.

• One benefit is that if the secret key is compromised, the damage is limited to a single session.

• Also, the less time a key is in use, the less likely it will be revealed to the wrong party. The more messages that exist using a particular key, the more likely that it will be broken.

• There needs to be a secure way to generate this session key – a trusted third party can be used.

Authentication Based on a Shared Secret Key (1)

Challenge-response protocol that assumes A and B already share a secret key K_{A,B}. A sends a request to B

A wants to set up a secure channel with B.

Authentication Based on a Shared Secret Key (2)

B verifies that it is talking to A if A can correctly encode the challenge number.

Authentication Based on a Shared Secret Key (3)

Authentication Based on a Shared Secret Key (4)

Authentication based on a shared secret key, but using three instead of five messages. This ‘optimization’ is open to a reflection attack.

Authentication Based on a Shared Secret Key (5)

The reflection attack where C (Chuck) tries to convince B (Bob) of identity A (Alice).

C does not know K_{A,B} and cannot answer the challenge.

Authentication Based on a Shared Secret Key (6)

C starts a new session with B where it now uses B’s challenge number.

Authentication Based on a Shared Secret Key (5)

Now C knows the answer to B’s challenge and can complete the protocol. Note that this can’t happen with the original challenge-response protocol.
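
The three-message and five-message exchanges from the slides above, simulated side by side as an added example that is not part of the original lecture. It assumes HMAC-SHA256 as the keyed function K_{A,B}(R) (the slides name no algorithm); the class and function names are constructed for illustration. The point to read off is which responder behaviour matters: B must not answer a challenge in a session where the initiator has not yet proven knowledge of the key.

```python
import hashlib
import hmac
import secrets


def keyed(key, challenge):
    # Stand-in for K_{A,B}(R): HMAC-SHA256 (assumption, not from the slides).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ShortResponder:
    """B in the three-message variant: it answers R_A in message 2,
    before the initiator has proven anything."""

    def __init__(self, key):
        self.key = key
        self.issued = []                      # R_B per session id

    def message1(self, claimed, r_a):         # in: (A, R_A)  out: (R_B, K(R_A))
        r_b = secrets.token_bytes(16)
        self.issued.append(r_b)
        return len(self.issued) - 1, r_b, keyed(self.key, r_a)

    def message3(self, sid, response):        # in: K(R_B)
        return hmac.compare_digest(response, keyed(self.key, self.issued[sid]))


class OriginalResponder:
    """B in the five-message protocol: it challenges first and answers R_A
    only in a session where its own challenge was already answered."""

    def __init__(self, key):
        self.key = key
        self.issued = []
        self.proven = set()

    def message1(self, claimed):              # in: A  out: R_B
        r_b = secrets.token_bytes(16)
        self.issued.append(r_b)
        return len(self.issued) - 1, r_b

    def message3(self, sid, response):        # in: K(R_B)
        ok = hmac.compare_digest(response, keyed(self.key, self.issued[sid]))
        if ok:
            self.proven.add(sid)
        return ok

    def message4(self, sid, r_a):             # in: R_A  out: K(R_A)
        if sid not in self.proven:
            raise PermissionError("initiator has not answered R_B yet")
        return keyed(self.key, r_a)


def honest_short(b, key):
    """A, holding the key, runs the three-message variant."""
    r_a = secrets.token_bytes(16)
    sid, r_b, proof = b.message1("A", r_a)
    return hmac.compare_digest(proof, keyed(key, r_a)) and b.message3(sid, keyed(key, r_b))


def honest_original(b, key):
    """A, holding the key, runs the five-message protocol."""
    sid, r_b = b.message1("A")
    if not b.message3(sid, keyed(key, r_b)):
        return False
    r_a = secrets.token_bytes(16)
    return hmac.compare_digest(b.message4(sid, r_a), keyed(key, r_a))


def reflection_on_short(b):
    """C holds no key. Returns True if B accepts C as A."""
    s1, r_b, _ = b.message1("A", secrets.token_bytes(16))
    _s2, _r_b2, answer = b.message1("A", r_b)   # B's own R_B comes back as R_A
    return b.message3(s1, answer)


def reflection_on_original(b):
    """The same interleaving against the original protocol."""
    s1, r_b = b.message1("A")
    s2, _ = b.message1("A")
    try:
        answer = b.message4(s2, r_b)            # refused: session 2 is unproven
    except PermissionError:
        return False
    return b.message3(s1, answer)
```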

Asymmetric Cryptosystems (Public-Key Encryption)

In asymmetric cryptosystems, the keys for encryption and decryption are different: P = D_d(E_e(P))

First proposed by Diffie and Hellman in 1976

• Overcomes the key distribution problem of symmetric algorithms

Usually, one of the keys in an asymmetric cryptosystem is kept private, the other is made public, hence the framework is also known as public-key cryptosystems.

It should be computationally infeasible to determine the decryption key given only the knowledge of the encryption key.

Relies on several results from number theory that make brute-force attacks computationally infeasible.

Public-Key Encryption

Major steps

• Each user generates a pair of keys to be used for encryption and decryption.

• One of the keys is made public. The companion key is kept private.

• If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.

• When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.

Authentication using Public and Private Keys

Suppose Bob wants to send a message to Alice, and although he is not interested in keeping the contents secret, he wants Alice to be certain that the message is indeed from him.

• Bob uses his private key to encrypt the message

• When Alice receives the ciphertext, she finds that she can indeed decrypt it with Bob’s public key: the authentication is complete

Authentication and Secrecy can be combined

• Bob will encrypt the message first by using his private key and then encrypt a second time using Alice’s public key.

• Alice will apply decryption using first her private key and then Bob’s public key.

RSA Encryption - 1

RSA – named after inventors Rivest, Shamir and Adleman (1978)

Relies on the fact that no methods are known to efficiently find the prime factors of large numbers.

Asymmetric system: Public & private keys are constructed from very large prime numbers (hundreds of decimal digits).

RSA Encryption - 2

To find a key pair e, d:

1. Choose two large prime numbers, P and Q (each greater than 10^100), and form:

    N = P x Q
    Z = (P–1) x (Q–1)

2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).

We illustrate the computations involved using small integer values for P and Q:

    P = 13, Q = 17 –> N = 221, Z = 192
    d = 5

3. To find e solve the equation:

    e x d = 1 mod Z

That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .

    e x d = 1 mod 192 = 1, 193, 385, ...
    385 is divisible by d
    e = 385/5 = 77

RSA Encryption - 3

To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2^k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).

    k = 7, since 2^7 = 128 (N = 221)

The function for encrypting a single block of plaintext M is:

    E'(e,N,M) = M^e mod N

for a message M, the ciphertext is M^77 mod 221

The function for decrypting a block of encrypted text c to produce the original plaintext block is:

    D'(d,N,c) = c^d mod N
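
The key-pair steps and the block functions E' and D' from the RSA slides, carried through with the slide's own numbers (P = 13, Q = 17, d = 5) as an added example that is not part of the original lecture. Function names and the sample message are constructed; the last function goes one step beyond the slides to show why P and Q must be far larger than these illustration values.

```python
from math import gcd


def make_keypair(p, q, d):
    """Steps 1-3 of the slide: N = P x Q, Z = (P-1) x (Q-1), d coprime to Z,
    then e from the series Z+1, 2Z+1, 3Z+1, ... (first term divisible by d)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError(f"d={d} has a common factor with Z={z}")
    term = z + 1
    while term % d:
        term += z
    return {"N": n, "Z": z, "d": d, "e": term // d}


def block_bits(n):
    """Largest k with 2^k < N, so every k-bit block is a number below N."""
    return (n - 1).bit_length() - 1


def to_blocks(data, k):
    """Split a byte string into k-bit integers, zero-padding the last block."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % k)
    return [int(bits[i:i + k], 2) for i in range(0, len(bits), k)]


def from_blocks(blocks, k, length):
    """Rejoin k-bit integers into the original byte string of the given length."""
    bits = "".join(f"{b:0{k}b}" for b in blocks)[:length * 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encrypt(data, e, n):
    """E'(e,N,M) = M^e mod N applied to each k-bit block."""
    return [pow(m, e, n) for m in to_blocks(data, block_bits(n))]


def decrypt(blocks, d, n, length):
    """D'(d,N,c) = c^d mod N applied to each block, then blocks rejoined."""
    k = block_bits(n)
    return from_blocks([pow(c, d, n) for c in blocks], k, length)


def recover_d(e, n):
    """With N as small as 221, trial division finds P and Q at once and
    d follows from e x d = 1 mod Z; large primes are what prevent this."""
    p = next(f for f in range(2, n) if n % f == 0)
    z = (p - 1) * (n // p - 1)
    return pow(e, -1, z)


if __name__ == "__main__":
    kp = make_keypair(13, 17, 5)
    message = b"CS 471"                       # constructed sample plaintext
    ciphertext = encrypt(message, kp["e"], kp["N"])
    print(kp, ciphertext)
    print(decrypt(ciphertext, kp["d"], kp["N"], len(message)))
```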

Authentication in a PKI system

Public key systems can also be used to generate session keys using mutual authentication.

Digital Signatures

Message integrity

– If A sends a message to B over a secure channel, there is no assurance that B won’t modify the message later and make claims about A.

– B may need to be sure that A won’t later deny sending the message.

Digital signatures provide assurances

– using PKI on entire message

– can sign a message digest (less expensive than encrypting a large message)

Issues:

– What happens when public/private keys are changed?

Digital Signatures (1)

Digitally signing a message using public-key cryptography. B knows the message came from A since it was encoded with K_A^- (B can keep a copy). A is protected from tampering as well.

Digital Signatures (2)

Digitally signing a message using a message digest. The message m can be in plain-text accompanied by K_A^-(H(m))

Covert Channels (Cont.)

Can secret information be passed even if the messages are subject to inspection?

The picture on the left is the original one

The picture on the right has the text of 5 Shakespeare plays embedded in it.

Mobile Code

Securing mobile code involves protecting the local site from code created remotely.

• ‘Sandboxes’ allow downloaded programs to be run in such a way that each executed instruction is carefully controlled either by static analysis before executing the code or by inserting dynamic checks (or both).

• Java uses byte code verification, specialized loaders for remote classes, and a security manager

byte code verifiers – check Java byte code for illegal instructions or for parts of the code that do not conform to some format standards.

specialized loaders – prohibit certain types of instructions that may allow things like additional loading of (potentially unchecked) classes

Security manager – runtime checks – acts as a reference manager.

Various ways to implement security policy: capabilities, stack introspection, name space management.

Protecting the Target

Java Sandbox

Protecting the Target

A playground is a separate designated machine that can be used to run untrusted code.