cs 471 - lecture 11 protection and security ch. 14,15 george mason university fall 2009
TRANSCRIPT
CS 471 - Lecture 11
Protection and Security
Ch. 14,15
George Mason University
Fall 2009
11.2GMU – CS 571
Protection
In a computer system, each object should be accessed through a well-defined set of operations.
Protection problem - ensure that each object is accessed through the well-defined operations and only by those processes that are allowed to do so.
Least privilege principle: Programs and users should be given just enough privileges to perform their tasks (Not easy to achieve!)
11.3GMU – CS 571
Domain Structure A process operates within a protection domain.
• Each domain defines a set of objects and the types of operations that may be invoked on objects.
• Static or dynamic association
Access-right = <object-name, rights-set>where rights-set is a subset of all valid operations that can be performed on the object.
11.4GMU – CS 571
Access Matrix The model can be viewed as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj
• Can be expanded to dynamic protection (operations to add, delete access rights and switch domains).
11.5GMU – CS 571
Implementing the Access Matrix
The access matrix is usually large and sparse
We can • store the matrix by columns or by rows
• store only the non-empty elements
Storing the matrix by columns corresponds to access control lists
Storing the matrix by rows corresponds to capabilities
11.6GMU – CS 571
Access Control List (ACL) Associate with each object a list containing all the
domains that may access the object, and how. Each column of the access matrix is captured in an
access control list.
11.7GMU – CS 571
ACL (Cont.)
To condense the length of the access control list, many systems recognize three classifications of users in connection with each file (e.g. Unix)• Owner• Group• Others
Only three 3-bit fields are needed to define protection for each of these groups, for read access, write access and execution control
More fine-grained access control lists can be specified for each file, if needed (e.g. Solaris 2.6 and beyond)
How to revoke rights??
11.8GMU – CS 571
A sample directory listing in Unix
Above, “program” has the protection bits “r w x r - x r - x “
The owner (pbg) can read, modify and execute “program”
The members of the group (staff) can read and execute “program”
All “other users” can also read and execute “program”
11.9GMU – CS 571
Domains in Unix In Unix, each user-id defines a separate domain
By default, each process is executed in the domain of the user who invokes it
Assume Mike wants to change his password• He will need to invoke a program such as
“passwd”, which needs to have R/W rights for the file /etc/passwd
• Will the “passwd” program run in Mike’s domain??
11.10GMU – CS 571
Domain Switching in Unix
Domain switch (dynamic associateion) accomplished via file system• A domain bit (setuid bit) is associated with each
file
• When the file is executed and setuid = on, then user-id is set to the owner of the file being executed. When the execution completes, user-id is reset.
• If setuid=off, then the file is executed in the domain of the user who invokes it
11.11GMU – CS 571
Capabilities Associate with each domain a list of objects that may be accessed,
and permitted operations. Each row of the access matrix is captured in a capability list. In practice, each capability can be seen as a ticket for an operation. How to revoke rights??
11.12GMU – CS 571
Security Security must consider also the external environment of
the system, and protect it from:• unauthorized access
• malicious modification or destruction
Types of security threats to consider:• Interception – an unauthorized party gains access to data or
service
• Interruption – situation where data or service becomes unavailable
• Modification – unauthorized changing of data or tampering with a service so that it no longer adheres to its spec.
• Fabrication – situation where data or activity generated that normally would not exist.
11.13GMU – CS 571
User Authentication
Correctly identifying the users is crucial for system security.
Authentication can be done based on:• User possession• User knowledge• User attribute
Authentication using login name and password• Each user supplies a (login name, password)• If the login name is among the authorized users
and the password matches with system records, it is accepted.
11.14GMU – CS 571
User Authentication (Cont.) Attacker must correctly enter the login name and the
password.• Login name can be easily guessed• Password must be selected very carefully!
Several studies show that an unexpectedly large percentage of users (between 82% and 86%) use easily predictable passwords
(Morris and Thompson, 1979; Klein, 1990; Kabay, 1997)• First and last names• Street/city names, vacation destinations• Words from a moderate-sized dictionary• SSN or license plate numbers• Abusive expressions, etc.
11.15GMU – CS 571
Authentication Using Passwords
How an attacker broke into LBL in 1989• a U.S. Dept. of Energy research lab
11.16GMU – CS 571
Trivial Attack Scenario
Attacker can connect to the target machine and try passwords from his/her dictionary.
Many daemons break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down attackers. Attacker can simply start many threads in parallel.
Attacker can easily automate this process and run continuously over a broadband internet connection.
Even scripts are available for free on the Internet for this purpose.
11.17GMU – CS 571
One-Time Passwords
The password is different in each instance
Commercial implementations use hardware calculators (SecurID). • Mostly in the shape of a credit card
• Have a display and keypad
• The user enters the shared secret (PIN)
• The display shows one-time password
• Example of two-factor authentication
11.18GMU – CS 571
Biometrics
Use physical characteristics of the user that are hard to forge.
• Palm or hand-readers can measure finger length, finger width, and the line patterns.
• Finger print readers
• Retinal pattern analysis
• Signature Analysis
• Voice Biometrics
11.19GMU – CS 571
Program Threats
Threats caused by programs written by other users
• Trojan Horses
• Trap Doors
• Logic Bombs
• Stack and Buffer Overflow
11.20GMU – CS 571
Trojan Horses
A seemingly innocent program containing code to perform an unexpected and undesirable function (modify, delete, copy files).
The person installing it first has to get the Trojan Horse executed.• Place the program on the Internet as a “free”
utility.
• Place the program in one of the directories heavily used.
11.21GMU – CS 571
Trojan Horses (Cont.)
Scenario
In UNIX, the environment variable $PATH controls the directories that are searched for a command
ECHO $PATH:/usr/local/bin:/usr/bin:/bin:/usr/ucb: /usr/java/bin:/usr/bin/X11: /opt/util
Attacker prepares a Trojan Horse and installs it in /usr/bin/X11 under the name ‘la’
11.22GMU – CS 571
Trojan Horses (Cont.) Login Spoofing: Attacker writes a program to
“emulate” the login screen of the terminal.
When a user comes and enters his/her username and password, the program sends this info to the Attacker, prints “Invalid password”, sends a signal to kill its shell.
This logs out Attacker and triggers the real login program.
One way to guard against this attack is to have the login sequence start with a key combination that users program cannot catch.
11.23GMU – CS 571
Spyware Programs as Trojan Horse
Spyware is a software that comes along with program the user has chosen to install (freeware, shareware or commercial programs).
Spyware may• Download ads to display on the user’s system
• Create pop-up browser windows when certain sites are visited
• Capture information from the user’s site and return it to a central site (for example, to receive instructions/addresses for distributing spam messages)
11.24GMU – CS 571
Logic Bombs
A piece of code written by one of a company’s programmers and secretly inserted into the production operating system/application program.
As long as the programmer “feeds” it its daily password, nothing happens.
If the programmer is fired or physically removed from the premises without warning, the logic bomb goes off (deleting/encrypting files, making hard-to-detect changes).
11.25GMU – CS 571
Trap Doors Code inserted into the system by a system
programmer to bypass some normal check (a) Normal code
(b) Code with a trapdoor inserted
While (TRUE) { printf(“login:”); get_string(name); disable_echoing(); printf(“password:”); get_string(password); enable_echoing(); v = check_validity(name, password); if (v) break;}execute_shell(name); (a)
While (TRUE) { printf(“login:”); get_string(name); disable_echoing(); printf(“password:”); get_string(password); enable_echoing(); v = check_validity(name, password); if (v || strcmp (name, “zzzzz”) == 0) break;}execute_shell(name); (b)
11.26GMU – CS 571
Stack and Buffer Overflow Most common way for an attacker to gain
unauthorized access to the target system
Consider the following code sequence in C:
int i;
char B[1024];
i = 12000;
B[i] = 0;
Suppose that the main program calls a procedure A
that asks the user a file name and then reads it into a
fixed-size buffer.
11.27GMU – CS 571
Buffer Overflow (Cont.)
(a) Situation when main program is running(b) After the function A is called(c) Buffer overflow shown in gray
11.28GMU – CS 571
Buffer Overflow (Cont.)
Attacker may provide a very long file name
This will overwrite memory, and also possibly the return address.
Or worse, the file name can be very carefully supplied so as to contain a valid binary program overlaying the return address as the address of B.
Measures against buffer overflow attacks
11.29GMU – CS 571
Hypothetical Stack Frame
Before attack After attack
11.30GMU – CS 571
System Threats
Worms: Processes that uses the spawn mechanism to clobber system performance.• A worm spawn copies of itself, using up system
resources and network channels (denial of service).
Viruses: Fragments of code embedded in a legitimate program. • When executed, they may modify/destroy files or
cause system crashes
11.31GMU – CS 571
The Morris Internet Worm
• Launched by Robert Morris, a first-year graduate student at Cornell (1988)
11.32GMU – CS 571
Macro Viruses
Macro viruses take advantage of a feature found in Microsoft Office applications such as Word or Excel.
A macro is an executable program embedded in a word processing document or other type of file. • Users employ macros to automate repetitive tasks
and thereby save keystrokes.
• Macros are automatically executed on certain events (Opening/closing files, starting an application).
• Macro viruses are easily spread through e-mail
11.33GMU – CS 571
Parasitic Viruses
Parasitic virus attaches itself to executable files and replicates, when the infected program is executed -- by finding other executable files to infect.
11.34GMU – CS 571
Some Other Types of Viruses Memory-resident virus lodges in main memory as part of
the resident system program. It infects every program that executes.
Boot sector virus infects a boot record and spreads when the system is booted from the disk containing the virus.
Encrypted virus includes the decryption code, along with the virus.
Stealth virus is designed to avoid detection by modifying parts of the system.
Polymorphic virus mutates with every infection, making detection by the “signature” of the virus very difficult or impossible.
Compression/decompression is a frequently used technique by virus writers to avoid detection/disinfection
11.35GMU – CS 571
Mutations of a Polymorphic Virus
A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine.
11.36GMU – CS 571
Denial of Service attacks
Bandwidth depletion• Typically accomplished by sending many message to a
single machine, making it difficult for the normal messages to be processed.
Resource depletion• Attempting to tie up resources that are needed by
normal processes.
One thing that makes the problem particularly difficult is that attackers use innocent users by secretly installing code on their machine (zombies).
Detecting/stopping DoS attacks typically involves monitoring of message traffic.
11.37GMU – CS 571
Cryptography
Purpose: take a message or file, called the plaintext (P) , and encrypt it into the ciphertext (C) in such a way that only authorized people know how to convert it back to the plaintext. • Secrecy of the algorithms will depend on parameters called keys.
• To encrypt a plaintext, compute C = Ek (P)
• To decrypt a ciphertext, compute P = Dk (C)
• Given C, computing P must be computationally infeasible.
11.38GMU – CS 571
Symmetric Cryptosystems
In symmetric cryptosystems, the same key is used to encrypt and decrypt a message: P = Dk (Ek (P))
• The sender and receiver are required to share the same key, which must be kept secret.
• The key distribution problem
• Setting up secure channels requires a protocol.
11.39GMU – CS 571
AES (Advanced Encryption Standard) Contest
In 1997, NIST published a call for a new encryption system (AES). The algorithms had to be:• Unclassified and publicly disclosed
• Available royalty-free for use worldwide
• Symmetric block cipher algorithms, for 128-bit blocks
• Usable with key sizes of 128, 192 and 256
The winner algorithm was Rijndael -- adopted for use by the US government in December 2001
11.40GMU – CS 571
Some Common Symmetric Algorithmsand Corresponding Key Lengths
Blowfish (Schneier): up to 448 bits DES (IBM): 56 bits IDEA (Massey & Xuejia): 128 bits RC4 (Rivest): up to 2048 bits RC5 (Rivest): 128 – 256 bits Rijndael (Daemen and Rijmen): 128 – 256 bits Serpent (Anderson, Biham, Knudsen): 128 – 256 bits Triple DES (IBM): 168 bits Twofish (Schneier): 128 – 256 bits
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Secure Channels - 1Some communication relies on the idea of a
secure channel between two entities: – Authentication of communicating parties, message
integrity, confidentiality
– Determining whether a client is authorized to perform the given request.
– Secure channels set up with authentication as part of the process.
– One option is for the client and server to share a secret key and use challenge-response protocols to authenticate.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Secure Channels - 2Session keys –
• Shared secret key that is used to encrypt message for integrity.
• Typically, only used as long as the channel exists – destroyed when channel is closed.
• One benefit is that if the secret key is compromised, the damage is limited to a single session.
• Also, the less time a key is in use, the less likely it will be revealed to the wrong party. The more messages that exist using a particular key, the more likely that it will be broken.
• Needs to be a secure way to generate this session key – Trusted third party can be used.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (1)
Challenge-response protocol that assumes A and B already share a secret key KA,B. A sends a request to B
A wants to set up a secure channel with B.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (2)
B verifies that it is talking to A if A can correctly encode the challenge number.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (3)
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (4)
Authentication based on a shared secret key, but using three instead of five messages. This ‘optimization’ is open to a
reflection attack.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (5)
The reflection attack where C (Chuck) tries to convince B (Bob) of identity A (Alice).
C does not know KA,B and cannot answer the challenge.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (6)
C starts a new session with B where it now uses B’s challenge number.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication Based on a Shared Secret Key (5)
Now C knows the answer to B’s challenge and can complete the protocol. Note that this can’t happen with the original challenge-
response protocol.
11.50GMU – CS 571
Asymmetric Cryptosystems(Public-Key Encryption)
In asymmetric cryptosystems, the keys for encryption and decryption are different: P = Dd (Ee (P))
First proposed by Diffie and Helman in 1976 • Overcomes the key distribution problem of symmetric algorithms
Usually, one of the keys in an asymmetric cryptosystem is kept private, the other is made public, hence the framework is also known as public-key cryptosystems.
It should be computationally infeasible to determine the decryption key given only the knowledge of the encryption key.
Relies on several results from number theory that makes brute-force attacks computationally infeasible.
11.51GMU – CS 571
Public-Key Encryption
Major steps• Each user generates a pair of keys to be used for
encryption and decryption.
• One of the keys is made public. The companion key is kept private.
• If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key.
• When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
11.52GMU – CS 571
Authentication using Public and Private Keys
Suppose Bob wants to send a message to Alice, and although he is not interested in keeping the contents secret, he wants Alice to be certain that the message is indeed from him. • Bob uses his private key to encrypt the message• When Alice receives the ciphertext, she finds that
she can indeed decrypt it with Bob’s public key : the authentication is complete
Authentication and Secrecy can be combined• Bob will encrypt the message first by using his
private key and then encrypt a second time using Alice’s public key.
• Alice will apply decryption using first her private key and then Bob’s public key.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
RSA Encryption - 1
RSA – named after inventers Rivest, Shamir and Adleman (1978)
Relies on the fact that no methods are known to efficiently find the prime factors of large
numbers.
Asymmetric system: Public & private keys are constructed from very large prime numbers
(hundreds of decimal digits).
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
RSA Encryption - 2To find a key pair e, d: 1. Choose two large prime numbers, P and Q (each greater than 10100), and
form:N = P x Q Z = (P–1) x (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
We illustrate the computations involved using small integer values for P and Q:
P = 13, Q = 17 –> N = 221, Z = 192 d = 5
3. To find e solve the equation:e x d = 1 mod Z
That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
e x d = 1 mod 192 = 1, 193, 385, ...385 is divisible by de = 385/5 = 77
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
RSA Encryption - 3To encrypt text using the RSA method, the plaintext is divided
into equal blocks of length k bits where 2k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
k = 7, since 27 = 128 (N = 221)The function for encrypting a single block of plaintext M is:
E'(e,N,M) = Me mod Nfor a message M, the ciphertext is M77 mod 221
The function for decrypting a block of encrypted text c to produce the original plaintext block is:
D'(d,N,c) = cd mod N
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Authentication in a PKI system
Public key systems can also be used to generate session keys using mutual authentication.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Digital Signatures
Message integrity – If A sends a message to B over a secure channel,
there is no assurance that B won’t modify the message later and make claims about A.
– B may need to be sure that A won’t later deny sending the message.
Digital signatures provide assurances– using PKI on entire message
– can sign a message digest (less expensive than encrypting a large message)
Issues:– What happens when public/private keys are changed?
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Digital Signatures (1)
Digital signing a message using public-key cryptography. B knows the message came from A since it was encoded with KA (B can keep a copy). A is
protected from tampering as well.
-
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Digital Signatures (2)
Digitally signing a message using a message digest. The message m can be in plain-text accompanied by KA(H(m))
-
11.60GMU – CS 571
Covert Channels (Cont.) Can secret information be passed even if the messages
are subject to inspection?
The picture on the left is the original one The picture on the right has the text of 5 Shakespeare plays
embedded in it.
11.61GMU – CS 571
Mobile Code
Securing mobile code involves protecting the local site from code created remotely. • ‘Sandboxes’ allow downloaded programs to be
run in such a way that each executed instruction is carefully controlled either by static analysis before executing the code or by inserting dynamic checks (or both).
• Java uses byte code verification, specialized loaders for remote classes, and a security manager
byte code verifiers – check Java byte code for illegal instructions or for parts of the code that do not conform to some format standards.
specialized loaders – prohibit certain types of instructions that may allow things like additional loading of (potentially unchecked) classes
Security manager – runtime checks – acts as a reference manager.
Various ways to implement security policy: capabilities, stack introspection, name space management.
11.62GMU – CS 571
Protecting the Target
Java Sandbox
11.63GMU – CS 571
Protecting the Target
A playground is a separate designated machine that can be used to run untrusted code.