1 / 69

Protection & Security

Explore the internal and external challenges of protecting information integrity and preventing unauthorized access to programs and data in computer systems. Learn about access control principles, domain specification, access matrix implementation, and revocation of access rights.

loisgama
Télécharger la présentation

Protection & Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 12 Protection & Security Kai Bu kaibu@zju.edu.cn http://list.zju.edu.cn/kaibu/cmpt300

  2. strictly an internal problem: how to provide controlled access to programs and data stored in a computer system? Protection & Security

  3. strictly an internal problem: how to provide controlled access to programs and data stored in a computer system? Protection & Security internal and external problem: how to protect information integrity by preventing unauthorized access, malicious destruction or alteration of data, and accidental introduction of inconsistency?

  4. ProtectionSecurity

  5. ProtectionSecurity specify&enforce access controls

  6. Principle of Least Privilege • Give programs, users, & even systems just enough privileges to perform tasks • Minimize the damage from failure or compromise of a component

  7. Need-to-Know Principle • At any time, a process should be able to access only resources that it currently requires to complete its task • Example: when process p invokes procedure A(), A() should access only its own variables and formal parameters • Minimize the risks of possible security violations

  8. Protection Domain • Specify resources a process may access • Define a set of objects and the types of operations to be invoked on each object • Access right: the ability to execute an op on an object • Domain: a collection of ordered-pair access rights <object-name, rights-set>

  9. Protection Domain • <O4, {print}> shared by D2 and D3

  10. Protection Domain • Static vs Dynamic the association between proc & domain is fixed or dynamic throughout the process’s lifetime • Domain switching enable proc to switch from one domain to another toward need-to-know

  11. Domain Realization • User as a domain object access depends on user identity • Process as a domain object access depends on proc identity • Procedure as a domain object access depends on local variables defined within the procedure

  12. Access Matrix • access(i,j): define a set of operations that a process in domain Di can invoke on object Oj

  13. Access Right Switch • Include domains among the objects of the access matrix Require three additional ops: copy, owner, control

  14. Copy • Denote by an asterisk * • Copy only within a column • Example: copy F2-read from D2 to D3

  15. Copy: Variants • Transfer copy access(i,j) to access(k,j); remove access(i,j); • Limited Copy copy R* only as R to access (k,j); proc in Dkcannot further copy R;

  16. Owner • If access(i,j) includes the owner right, proc in domain Di can add or remove any right in any entry in column j;

  17. Control • Apply only to domain objects • If access(i,j) includes the control right, proc executing in domain Dican change any right in row j original

  18. Control • Apply only to domain objects • If access(i,j) includes the control right, proc executing in domain Dican change any right in row j modified

  19. how to implement access matrix?

  20. Global Table • Consist of a set of ordered triples <domain, object, rights-set> • Search and compare, allow or error • Limitations: possibly large, addition I/O needed; data redundancy: e.g., if all can read a particular obj, a separate entry needed in every domain;

  21. Access Lists for Objects • Each column as an access list for an obj • Consist of a set of ordered pairs: <domain, rights-set> • An additional default set of access rights may be used

  22. Capability Lists for Domains • Each row as an access list for a domain • Consist of a set of ordered pairs: <object, rights-set>

  23. Lock-Key • Each object has a list of unique locks • Each domain has a list of unique keys • A process executing in a domain can access an object only if that domain hasa key that matches one of the locks of the object

  24. Revocation of Access Rights • For access-list scheme: search the access list for any rights to be revoked; delete them from the list.

  25. Revocation of Capabilities • Reacquisition • Back-pointers • Indirection • Keys

  26. Revocation of Capabilities • Reacquisition periodically delete capabilities from each domain; reacquire deleted capabilities upon next access; • Back-pointers • Indirection • Keys

  27. Revocation of Capabilities • Reacquisition • Back-pointers maintain a list of pointers for each obj; point to the obj’s capabilities; follow pointers to change capabilities; • Indirection • Keys

  28. Revocation of Capabilities • Reacquisition • Back-pointers • Indirection indirectly point capabilities to objects; capability points to a unique entry in a global table, which points to the object; delete a table entry to revoke; • Keys

  29. Revocation of Capabilities • Reacquisition • Back-pointers • Indirection • Keys associate each capability with a key; associate each object with a master key; match the keys when assigning rights; replace master keys to revoke;

  30. ProtectionSecurity specify&enforce access controls

  31. ProtectionSecurity what if AccessControl violation?

  32. SecuritySecurity what if AccessControl violation?

  33. Security what if AccessControl violation? intruder/cracker: those attempting to breach security; threat: the potential for security violation; attack: the attempt to break security;

  34. Security Violations • Breach of confidentiality unauthorized reading of data • Breach of integrity unauthorized modification of data • Breach of availability unauthorized destruction of data • Theft of service unauthorized use of resources • Denial of service prevent legitimate use of the system

  35. Security Attacks • Masquerading breach authentication; pretend someone else • Man-in-the-middle masquerade as sender to receiver, AND masquerade receiver to sender

  36. how programs breach security?

  37. Trojan, Trap, Bomb • Trojan Horse a code segment that misuses its env • Trap Door a hole in the software that can be used only by its designer • Logic Bomb a security hole to be created when a predefined set of parameters was met

  38. Stack/Buffer Overflow • Program neglects bounds checking • Attacker sends more data than expected • Overwrite return address on the stack with address of the exploit code

  39. Viruses • A fragment of self-replicating code embedded in a legitimate program • Categories: file, boot, macro, source code, polymorphic, encrypted, stealth, tunneling, multipartite, armored cont.

  40. Viruses • Polymorphic change each time it is installed to avoid detection by antivirus software; • Encrypted include decryption code along with the encrypted virus • Stealth modify parts of the system that could be used to detect it;

  41. what’s beyond program?

  42. system and network threats

  43. system and network threats abuse of service & network connection

  44. Worms • A process that uses spawn mechanism to duplicate itself • Use up system resources and lock out all other processes The Morris Internet Worm: copy worm to hooked systems:

  45. Port Scanning • A means for a cracker to detect a system’s vulnerabilities to attack • Create a TCP/IP connection to a specific port or a range of ports • Use known bugs of answering services

  46. Denial of Service • Disrupt legitimate use of a system or facility • Example: TCP SYN Flood • DDoS: Distributed Denial of Service

  47. how to defend against attacks?

  48. how to defend against attacks? cryptography based on secrets

  49. Encryption Components: • A set K of keys • A set M of messages • A set C of ciphertexts • An encrypting function E : K  (M  C) • A decrypting function D : K  (C  M) Types: symmetric vs asymmetric

  50. Symmetric Encryption • The same key to encrypt and decrypt

More Related