1 / 47

Lecture 21 Chapter 14: Protection Chapter 15: Security

Lecture 21 Chapter 14: Protection Chapter 15: Security. Chapter 14: Protection. Goals of Protection Principles of Protection Domain of Protection Access Matrix Implementation of Access Matrix Access Control Revocation of Access Rights Capability-Based Systems

eithne
Télécharger la présentation

Lecture 21 Chapter 14: Protection Chapter 15: Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 21Chapter 14: Protection Chapter 15: Security

  2. Chapter 14: Protection • Goals of Protection • Principles of Protection • Domain of Protection • Access Matrix • Implementation of Access Matrix • Access Control • Revocation of Access Rights • Capability-Based Systems • Language-Based Protection

  3. Objectives • Discuss the goals and principles of protection in a modern computer system • Explain how protection domains combined with an access matrix are used to specify the resources a process may access • Examine capability and language-based protection systems

  4. Protection • Operating system consists of a collection of objects, hardware or software • Each object has a unique name and can be accessed through a well-defined set of operations. • Protection problem • Ensure that each object is accessed correctly and only by those processes that are allowed to do so. • Guiding principle • principle of least privilege • Programs, users and systems should be given just enough privileges to perform their tasks

  5. Domain Structure • Access-right = <object-name, rights-set> • where rights-set is a subset of all valid operations that can be performed on the object. • Domain = set of access-rights

  6. Domain Implementation (UNIX) • System consists of 2 domains: • User • Supervisor • UNIX • Domain = user-id • Domain switch accomplished via file system. • Each file has associated with it a domain bit (setuid bit). • When file is executed and setuid = on, • then user-id is set to owner of the file being executed. • When execution completes user-id is reset.

  7. Domain Implementation (MULTICS) • Let Di and Djbe any two domain rings. • If j < I Di  Dj

  8. Access Matrix • View protection as a matrix (access matrix) • Rows represent domains • Columns represent objects • Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj

  9. Use of Access Matrix • If a process in Domain Ditries to do “op” on object Oj, • then “op” must be in the access matrix. • Can be expanded to dynamic protection. • Operations to add, delete access rights. • Special access rights: • owner of Oi • copy op from Oi to Oj • control – Di can modify Dj access rights • transfer – switch from domain Di to Dj

  10. Use of Access Matrix (Cont.) • Access matrix design separates mechanism from policy • Mechanism • Operating system provides access-matrix + rules • It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced • Policy • User dictates policy • Who can access what object and in what mode

  11. Implementation of Access Matrix • Each column = Access-control list for one object Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read • Each Row = Capability List (like a key)Fore each domain, what operations allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy

  12. Access Matrix With Domains as Objects Figure B

  13. Access Matrix with Copy Rights

  14. Access Matrix With Owner Rights

  15. Modified Access Matrix of Figure B

  16. Access Control • Protection can be applied to non-file resources • Solaris 10 provides role-based access control to implement least privilege • Privilege is right to execute system call or use an option within a system call • Can be assigned to processes • Users assigned roles granting access to privileges and programs

  17. Revocation of Access Rights • Access List – Delete access rights from access list. • Simple • Immediate • Capability List – Scheme required to locate capability in the system before capability can be revoked. • Reacquisition • Back-pointers • Indirection • Keys

  18. Language-Based Protection • Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources. • Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable. • Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

  19. Protection in Java • Protection is handled by the Java Virtual Machine (JVM) • A class is assigned a protection domain when it is loaded by the JVM. • The protection domain indicates what operations the class can (and cannot) perform. • If a library method is invoked that performs a privileged operation, • the stack is inspected to ensure the operation can be performed by the library.

  20. Chapter 15: Security • The Security Problem • Program Threats • System and Network Threats • Cryptography as a Security Tool • User Authentication • Implementing Security Defenses • Firewalling to Protect Systems and Networks • Computer-Security Classifications • An Example: Windows XP

  21. Objectives • To discuss security threats and attacks • To explain the fundamentals of encryption, authentication, and hashing • To examine the uses of cryptography in computing • To describe the various countermeasures to security attacks

  22. The Security Problem • Security must consider external environment of the system, and protect the system resources • Intruders (crackers) attempt to breach security • Threat is potential security violation • Attack is attempt to breach security • Attack can be accidental or malicious • Easier to protect against accidental than malicious misuse

  23. Concern for Security • Explosive growth of desktops started in ‘80s • No emphasis on security • Who wants military security, I just want to run my spreadsheet! • Internet was originally designed for a group of mutually trusting users • By definition, no need for security • Users can send a packet to any other user • Identity (source IP address) taken by default to be true • Explosive growth of Internet in mid ’90s • Security was not a priority until recently • Only a research network, who will attack it?

  24. Security Violations • Categories • Breach of confidentiality • Breach of integrity • Breach of availability • Theft of service • Denial of service • Methods • Masquerading (breach authentication) • Replay attack • Message modification • Man-in-the-middle attack • Session hijacking

  25. Security Measure Levels • Security must occur at four levels to be effective: • Physical • Human • Avoid social engineering, phishing, dumpster diving • Operating System • Network • Security is as week as the weakest chain

  26. Program Threats • Trojan Horse • Code segment that misuses its environment • Exploits mechanisms for allowing programs written by users to be executed by other users • Spyware, pop-up browser windows, covert channels • Trap Door • Specific user identifier or password that circumvents normal security procedures • Could be included in a compiler • Logic Bomb • Program that initiates a security incident under certain circumstances • Stack and Buffer Overflow • Exploits a bug in a program • overflow either the stack or memory buffers

  27. C Program with Buffer-overflow Condition #include <stdio.h> #define BUFFER SIZE 256 int main(int argc, char *argv[]) { char buffer[BUFFER SIZE]; if (argc < 2) return -1; else { strcpy(buffer,argv[1]); return 0; } }

  28. Layout of Typical Stack Frame

  29. Modified Shell Code #include <stdio.h> int main(int argc, char *argv[]) { execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL); return 0; }

  30. Hypothetical Stack Frame After attack Before attack

  31. Program Threats (Cont.) • Viruses • Code fragment embedded in legitimate program • Very specific to CPU architecture, operating system, applications • Usually borne via email or as a macro • Visual Basic Macro to reformat hard drive Sub AutoOpen() Dim oFS Set oFS = CreateObject(’’Scripting.FileSystemObject’’) vs = Shell(’’c:command.com /k format c:’’,vbHide) End Sub

  32. Program Threats (Cont.) • Virus dropper inserts virus onto the system • Many categories of viruses, literally many thousands of viruses • File • Boot • Macro • Source code • Polymorphic • Encrypted • Stealth • Tunneling • Multipartite • Armored

  33. A Boot-sector Computer Virus

  34. System and Network Threats • Worms • use spawn mechanism; standalone program • Internet worm • Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs • Grappling hook program uploaded main worm program • Port scanning • Automated attempt to connect to a range of ports on one or a range of IP addresses • Denial of Service • Overload the targeted computer preventing it from doing any useful work • Distributed denial-of-service (DDOS) come from multiple sites at once

  35. The Morris Internet Worm

  36. Code-Red Worm • On July 19, 2001, more than 359,000 computers connected to the Internet were infected in less than 14 hours • Spread

  37. Sapphire Worm • was the fastest computer worm in history • doubled in size every 8.5 seconds • infected more than 90 percent of vulnerable hosts within 10 minutes.

  38. DoS attack on SCO • On Dec 11, 2003 • Attack on web and FTP servers of SCO • a software company focusing on UNIX systems • SYN flood of 50K packet-per-second • SCO responded to more than 700 million attack packets over 32 hours

  39. Witty Worm • 25 March 2004 • reached its peak activity after approximately 45 minutes • at which point the majority of vulnerable hosts had been infected • World • USA

  40. Nyxem Email Virus • Jan 15, 2006: infected about 1M computers within two weeks • At least 45K of the infected computers were also compromised by other forms of spyware or botware • Spread

  41. Security Trends www.cert.org (Computer Emergency Readiness Team)

  42. The Cast of Characters • Alice and Bob are the good guys • Trudy is the bad guy • Trudy is our generic “intruder” • Who might Alice, Bob be? • … well, real-life Alices and Bobs • Web browser/server for electronic transactions • on-line banking client/server • DNS servers • routers exchanging routing table updates

  43. Alice’s Online Bank • Alice opens Alice’s Online Bank (AOB) • What are Alice’s security concerns? • If Bob is a customer of AOB, what are his security concerns? • How are Alice and Bob concerns similar? How are they different? • How does Trudy view the situation?

  44. Alice’s Online Bank • AOB must prevent Trudy from learning Bob’s balance • Confidentiality (prevent unauthorized reading of information) • Trudy must not be able to change Bob’s balance • Bob must not be able to improperly change his own account balance • Integrity (prevent unauthorized writing of information)

  45. Alice’s Online Bank • AOB’s information must be available when needed • Availability (data is available in a timely manner when needed) • How does Bob’s computer know that “Bob” is really Bob and not Trudy? • When Bob logs into AOB, how does AOB know that “Bob” is really Bob? • Authentication (assurance that other party is the claimed one) • Bob can’t view someone else’s account info • Bob can’t install new software, etc. • Authorization (allowing access only to permitted resources)

  46. Think Like Trudy • Good guys must think like bad guys! • A police detective • Must study and understand criminals • In security • We must try to think like Trudy • We must study Trudy’s methods • We can admire Trudy’s cleverness • Often, we can’t help but laugh at Alice and Bob’s carelessness • But, we cannot act like Trudy

More Related