1.06k likes | 1.2k Vues
Week 10 - Friday. CS363. Last time. What did we talk about last time? Eavesdropping and wiretapping Network threats Network controls. Questions?. Project 3. Assignment 4. Access controls on routers. Routers want to block packet floods from affecting the servers behind the router
E N D
Week 10 - Friday CS363
Last time • What did we talk about last time? • Eavesdropping and wiretapping • Network threats • Network controls
Access controls on routers • Routers want to block packet floods from affecting the servers behind the router • We can have ACLs that list all the legal (or all the illegal) hosts that can send (or are not allowed to send) packets into the network • But, checking packets against ACLs slows down the system, making the router easier to flood • Since it is possible to forge source addresses, the ACLs might not correctly block the packets
Wireless security • A wireless access point has a Service Set Identifier (SSID) • SSIDs are usually broadcast, weakening security • Even non-broadcast SSIDs can be discovered whenever someone connects to them • Wired Equivalent Privacy (WEP) was the old standard for encryption • Tools like WEPCrack and AirSnort can break WEP in minutes because of flaws in the RC4 encryption algorithm • WiFi Protected Access (WPA) and later WPA2 have better security • Encryption keys change for each packet • Several authentication mechanisms are allowed • WPA2 can use AES • There are still flaws in some implementations
Firewalls • A firewall filters traffic between an inside network and an outside network • The inside is more trusted and needs to be protected from the outside • Kinds of firewalls: • Packet filtering gateway or screening routers • Stateful inspection firewalls • Application proxies • Guards • Personal firewalls
Packet filtering gateway • Packet filtering gateways are simple • They only allow certain packets to get by • Based on source or destination address • Based on protocol (HTTP on port 80, for example) • A packet filter can be used in combination with other firewalls • The packet filter can remove a lot of traffic so that a more complex firewall has to worry about checking fewer packets • Packet filters ignore the data inside the packets • They only use the addresses and port numbers
Stateful inspection firewall • A stateful inspection firewall keeps track of data inside of packets • For example, if a host inside the firewall initiates a TCP connection with a host outside, a stateful inspection firewall can remember this and let only that particular outside host’s packets in
Application proxies and guards • An application proxy gateway (or bastion host) appears to function like a host running a particular application • The outside world sends date to the application proxy’s IP address • The application proxy changes the addresses and forwards the data on to the real server • Only appropriate requests and responses are allowed through • All accesses can also be logged • A guard is really the same thing, just with more functionality • For example, a guard might reassemble a file and run it though a virus scanner
Personal firewalls • A personal firewall is software that runs on a workstation • These firewalls can give additional protection • The user and OS can have very fine grained control over what kind of connections can be made and what kind of applications can send and receive data
Intrusion detection • Firewalls and authentication mechanisms are supposed to prevent malicious attacks • Not all attacks can be prevented • It is useful to know when they are happening • An intrusion detection system (IDS) is hardware or software that monitors activity to look for suspicious patterns • A network-based IDS is stand-alone hardware that monitors a whole network • A host-based IDS runs on a host to protect that host
Types of IDSs • Signature-based IDSs do pattern matching, looking for patterns of known malicious behavior • Only works for known types of attacks • Heuristic (or anomaly based) IDSs build up a model of acceptable behavior • If something doesn’t fit the model, an alarm is raised • An example is a particular user who has a characteristic way of typing that suddenly changes • State-based IDSs try to see when the system is in an unsafe state • Model-based IDSs try to model unacceptable activity and react when activity looks like the model • Misuse intrusion detection is like model-based except that the model is known bad behavior
IDS operation • Many IDSs are configured in stealth mode • They cannot send messages on the network they are monitoring • Alarms are sent through some alternate means • Responding to alarms • Monitor data • Change system settings to protect it • Alert a human being • Because they are often statistical, an IDS can have false positives and false negatives • Both are problematic
Secure e-mail • The Internet is not secure, and neither is the e-mail that we send across it, usually in plain text • E-mails can be intercepted, changed, forged, made to look as if they are coming from different addresses or going to different addresses • We want the following four things for secure e-mail: • Message confidentiality • Message integrity • Sender authenticity • Nonrepudiation
Confidentiality and integrity • As usual, we will rely on cryptography • The contents will be encrypted with standard symmetric key cryptography • We may need to use an special encoding system (such as base 64 encoding) that only produces regular ASCII characters, since that’s all some e-mail senders can handle • We can attach a digital signature (using public key cryptography) for nonrepudiation • We include a hash of the message (called a message integrity check) for integrity
Secure e-mail systems • PGP (Pretty Good Privacy) is a system that uses the encryption mechanisms we described to send safe e-mails • The public key system uses a decentralized web of trust where you add your friends’ keys to your web and get keys for their friends and friends of friends • S/MIME is a standard that is like PGP, but it uses hierarchies of trust based on certificates from central authorities instead of a web
Buffer overflow • A buffer overflow happens when data is written past the end (or beginning) of an array • It could overwrite: • User data • User code • System data • System code User Data User Data User Code User Data System Data User Data System Code
Incomplete mediation • Incomplete mediation happens with a system does not have complete control over the data that it processes • Example URL: • http://www.security.com/query.php?date=2012March20 • Wrong URL: • http://www.security.com/query.php?date=2000Hyenas • The HTML generates the URL, but the URL can be entered manually
Time-of-check to time-to-use • A time-of-check to time-to-use flaw is one where one action is requested, but before it can be performed, the data related to the action is changed • The book’s example is a man who promises to buy a painting for $100 who puts five $20 bills on the counter and pulls one back when the clerk is turning to wrap up the painting • In this flaw, the first action is authorized, but the second may not be
Viruses • Terminology is inconsistent • Popular culture tends to call everything a virus • Sometimes we will too, but here are some other terms: • Almost all of these are, by definition, Trojan horses • Worms differ from viruses primarily because they spread across networks
Where Viruses Live • One-time execution • Boot sector • The part of a hard drive that says what code to load to start your OS • Memory resident • Sometimes called TSR (terminate and stay resident) • Inside documents • A few other places that are sensible: • Applications • Libraries • Compilers (infect programs as you create them) • Antivirus software
Virus Signatures • Storage patterns • The size of a file • Compare against a hash digest for the program • Execution patterns • Viruses are also suspicious because of the way they execute • The functioning of the code compared to some standard • Suspicious execution patterns (weird JUMP commands)
Polymorphic viruses • Because virus scanners try to match strings in machine code, virus writers design polymorphic viruses that change their appearances • No-ops, code that doesn’t have an impact on execution, can be used for simple disguises • Clever viruses can break themselves apart and hide different parts in randomly chosen parts of code • Similar to code obfuscation • Advanced polymorphic viruses called encrypting viruses encrypt parts of themselves with randomly chosen keys • A scanner would have to know to decrypt the virus to detect it • Virus scanners cannot catch everything
Targeted malicious code • Trapdoors • A way to access functionality that is not documented • Often inserted during development for testing purposes • Salami attacks • Steal tiny amounts of money when a cent is rounded in financial transactions • Or, steal a few cents from millions of people • Rootkits • Privilege escalation • Keystroke logging
Testing to prevent programming flaws • Unit testing tests each component separately in a controlled environment • Integration testing verifies that the individual components work when you put them together • Function and performance tests sees if a system performs according to specification • Acceptance testing give the customer a chance to test the product you have created • The final installation testing checks the product in its actual use environment
Testing methodologies • Regression testing is done when you fix a bug or add a feature • We have to make sure that everything that used to work still works after the change • Black-box testing uses input values to test for expected output values, ignoring internals of the system • White-box or clear box testing uses knowledge of the system to design tests that are likely to find bugs • You can only prove there are bugs. It is impossible to proves that aren’t bugs.
Separation • OS security is fundamentally based on separation • Physical separation: Different processes use different physical objects • Temporal separation: Processes with different security requirements are executed at different times • Logical separation: Programs cannot access data or resources outside of permitted areas • Cryptographic separation: Processes conceal their data so that it is unintelligible
Memory protection • Protecting memory is one of the most fundamental protections an OS can give • All data and operations for a program are in memory • Most I/O accesses are done by writing memory to various locations • Techniques for memory protection • Fence • Base/bounds registers • Tagged architectures • Segmentation • Paging
Storing access control information • Directory based approaches • Create a directory that lists all the objects a given user can access and their associated rights: • Problems: • Directories can become large • How is access revoked? • What if two files in different locations in the system have the same name? • Access control lists • List all the users that have rights for a specific object • Most objects only have a few legal users • Wild cards can make the situation easier • Access control matrices • Both directories and access control lists are equivalent • We can also imagine a matrix that holds all subjects and all objects • It is too inefficient for most systems to be implemented this way, but security researchers sometimes use this model for theoretical purposes
Definition of authentication • Authentication is the binding of an identity to a subject • Example: Bill Gates (external entity) is a registered user whose identity on this system is gatesw (identity of system subject) • The external identity must provide information to authenticate based on • What the entity knows (passwords) • What the entity has (security badge) • What the entity is (fingerprints or voice ID) • Where the entity is (using a particular terminal)
Passwords • Passwords are one of the most common forms of authentication mechanisms based on what the entity knows • The password represents authentication information that the user must know • The system keeps complementation information that can be used to check the password • As you now know, real systems generally do not store passwords in the clear but store hashes of them
Attacking a password system • A dictionary attack is an attack based on guessing the password from trial and error • A dictionary attack can work on the complementary information (hashes of passwords) • If this information is unavailable, a dictionary attack can directly attack the authentication functions (literally trying to log in repeatedly) • Let P be the probability that an attacker guesses the password over a certain span of time • Let G be the number of guesses that can be made per unit time • Let T be the number of time units of guessing • Let N be the number of possible passwords • Then,
Generating passwords • Random passwords • Pronounceable passwords • User selected passwords • Many user selected passwords are easy to guess • Proactive password checkers can improve the situation • Passwords age and should be periodically replaced
Salting • Some attackers are looking for any password instead of trying to find a specific password • If they have access to the file with the hashes of passwords, they have much less searching to do if the total number of accounts is large (some hash will match, even if the password doesn't) • For this case, salting is used • Salting adds random data to the password in stored form so that an attacker cannot immediately recognize the password • In Unix, this is a random choice of 4,096 different hashing functions (the specific choice is recorded with the password) • Other systems can simply add random bits to the end of the password before hashing (which can all be tried at authentication time) • Salting has little or no impact on an attack against a single password
Defending authentication functions • Backoff • Force the user to wait longer and longer between failed authentication techniques • Exponential backoff means that the first time waits 1 second before allowing a user to log in, the second waits 2 seconds, the third waits 4 seconds, etc. • Disconnection • If the connection is remote and requires significant time to connect (dialing, VPN, etc.), the system can simply break connection after a number of failed attempts • Disabling • With n failed attempts, an account is locked until an administrator resets the account • Jailing • In jailing, the user is allowed to enter a fake system that looks like the real one • In theory, jailing can be used to learn more about an attacker's goals • Attractive data (called honeypots) can be made available, tempting the attacker to spend more time on the system (until he can be caught)
One-Time Passwords • A one-time password is invalidated as soon as it is used • Thus, an attacker stealing the password can do limited damage • He can only log in once • He has to act quickly before the legitimate user logs in first • We can generate one-time passwords in the following way: • Using a secure hash function, we start with a seed value k, then • h(k) = k1, h(k1) = k2, …, h(kn-1) = kn • Then passwords are in reverse order • p1 = kn, p2 = kn-1, … pn-1 = k2, pn = k1
Biometrics • Fingerprints • Optical scanners • Capacitive scanners (much more common, even available on many laptops) • Voice • System must be trained on your voice • Eye • Iris • Retina • Even the whites! • Face recognition • Considerable computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc. • Hand geometry readers • Keystroke dynamics • Actually quite characteristic • Combinations can be used too
Problems with biometrics • People assume that they are more secure than they are • Attacks: • Fingerprints can be lifted off a champagne glass • Voices can be recorded • Iris recognition can be faked with special contact lenses • False positives and false negatives are possible • It is possible to tamper with transmission from the biometric reader • Biometric characteristics can change
Bell-LaPadula overview • Confidentiality access control system • Military-style classifications • Uses a linear clearance hierarchy • All information is on a need-to-know basis • It uses clearance (or sensitivity) levels as well as project-specific compartments
Security clearances • Both subjects (users) and objects (files) have security clearances • Below are the clearances arranged in a hierarchy