Hệ điều hành - Chapter 9: Security

SecurityChapter 99.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from outside the system 9.6 Protection mechanisms 9.7 Trusted systems 1The Security EnvironmentThreatsSecurity goals and threats2IntrudersCommon CategoriesCasual prying by nontechnical usersSnooping by insidersDetermined attempt to make moneyCommercial or military espionage3Accidental Data LossCommon CausesActs of Godfires, floods, warsHardware or software errorsCPU malfunction, bad disk, program bugsHuman errorsdata entry, wrong tape mounted4Basics of CryptographyRelationship between the plaintext and the ciphertext5Monoalphabetic substitutioneach letter replaced by different letterGiven the encryption key, easy to find decryption keySecret-key crypto called symmetric-key cryptoSecret-Key Cryptography6Public-Key CryptographyAll users pick a public key/private key pairpublish the public keyprivate key not publishedPublic key is the encryption keyprivate key is the decryption key7One-Way FunctionsFunction such that given formula for f(x)easy to evaluate y = f(x)But given ycomputationally infeasible to find x8Digital SignaturesComputing a signature blockWhat the receiver gets(b)9User AuthenticationBasic Principles. Authentication must identify:Something the user knowsSomething the user hasSomething the user isThis is done before user can use the system10Authentication Using Passwords(a) A successful login(b) Login rejected after name entered(c) Login rejected after name and password typed11Authentication Using PasswordsHow a cracker broke into LBLa U.S. Dept. of Energy research lab12Authentication Using PasswordsThe use of salt to defeat precomputation of encrypted passwordsSaltPassword,,,,13Authentication Using a Physical ObjectMagnetic cardsmagnetic stripe cardschip cards: stored value cards, smart cards14Authentication Using BiometricsA device for measuring finger length.15CountermeasuresLimiting times when someone can log inAutomatic callback at number prespecifiedLimited number of login triesA database of all loginsSimple login name/password as a trapsecurity personnel notified when attacker bites16Operating System SecurityTrojan HorsesFree program made available to unsuspecting userActually contains code to do harmPlace altered version of utility program on victim's computertrick user into running that program17Login Spoofing(a) Correct login screen(b) Phony login screen18Logic BombsCompany programmer writes programpotential to do harmOK as long as he/she enters password dailyff programmer fired, no password and bomb explodes19Trap Doors(a) Normal code. (b) Code with a trapdoor inserted20Buffer Overflow(a) Situation when main program is running(b) After program A called(c) Buffer overflow shown in gray21Generic Security AttacksTypical attacksRequest memory, disk space, tapes and just readTry illegal system callsStart a login and hit DEL, RUBOUT, or BREAKTry modifying complex OS structuresTry to do specified DO NOTsConvince a system programmer to add a trap doorBeg admin's sec’y to help a poor user who forgot password22Famous Security FlawsThe TENEX – password problem(a)(b)(c)23Design Principles for SecuritySystem design should be publicDefault should be n accessCheck for current authorityGive each process least privilege possibleProtection mechanism should besimpleuniformin lowest layers of systemScheme should be psychologically acceptableAnd keep it simple24Network SecurityExternal threatcode transmitted to target machinecode executed there, doing damageGoals of virus writerquickly spreading virusdifficult to detecthard to get rid ofVirus = program can reproduce itselfattach its code to another programadditionally, do harm25Virus Damage ScenariosBlackmailDenial of service as long as virus runsPermanently damage hardwareTarget a competitor's computerdo harmespionageIntra-corporate dirty trickssabotage another corporate officer's files26How Viruses Work (1)Virus written in assembly languageInserted into another programuse tool called a “dropper”Virus dormant until program executedthen infects other programseventually executes its “payload”27How Viruses Work (2)Recursive procedure that finds executable files on a UNIX systemVirus couldinfect them all28How Viruses Work (3)An executable programWith a virus at the frontWith the virus at the endWith a virus spread over free space within program29How Viruses Work (4)After virus has captured interrupt, trap vectorsAfter OS has retaken printer interrupt vectorAfter virus has noticed loss of printer interrupt vector and recaptured it30How Viruses SpreadVirus placed where likely to be copiedWhen copiedinfects programs on hard drive, floppymay try to spread over LANAttach to innocent looking emailwhen it runs, use mailing list to replicate31Antivirus and Anti-Antivirus Techniques(a) A program(b) Infected program(c) Compressed infected program(d) Encrypted virus(e) Compressed virus with encrypted compression code32Antivirus and Anti-Antivirus TechniquesExamples of a polymorphic virusAll of these examples do the same thing33Antivirus and Anti-Antivirus TechniquesIntegrity checkersBehavioral checkersVirus avoidancegood OSinstall only shrink-wrapped softwareuse antivirus softwaredo not click on attachments to emailfrequent backupsRecovery from virus attackhalt computer, reboot from safe disk, run antivirus34The Internet WormConsisted of two programsbootstrap to upload wormthe worm itselfWorm first hid its existenceNext replicated itself on new machines35Mobile Code (1) Sandboxing(a) Memory divided into 1-MB sandboxes(b) One way of checking an instruction for validity36Mobile Code (2)Applets can be interpreted by a Web browser37Mobile Code (3)How code signing works38Java Security (1)A type safe languagecompiler rejects attempts to misuse variableChecks include Attempts to forge pointersViolation of access restrictions on private class membersMisuse of variables by typeGeneration of stack over/underflowsIllegal conversion of variables to another type39Java Security (2)Examples of specified protection with JDK 1.240Protection Mechanisms Protection Domains (1)Examples of three protection domains41Protection Domains (2)A protection matrix42Protection Domains (3)A protection matrix with domains as objects43Access Control Lists (1)Use of access control lists of manage file access44Access Control Lists (2)Two access control lists45Capabilities (1)Each process has a capability list46Cryptographically-protected capabilityGeneric RightsCopy capabilityCopy objectRemove capabilityDestroy objectCapabilities (2)ServerObjectRightsf(Objects, Rights, Check)47Trusted SystemsTrusted Computing Base A reference monitor48Formal Models of Secure Systems(a) An authorized state(b) An unauthorized state49Multilevel Security (1)The Bell-La Padula multilevel security model50Multilevel Security (2)The Biba ModelPrinciples to guarantee integrity of dataSimple integrity principleprocess can write only objects at its security level or lowerThe integrity * propertyprocess can read only objects at its security level or higher51Orange Book Security (1)Symbol X means new requirementsSymbol -> requirements from next lower category apply here also52Orange Book Security (2)53Covert Channels (1)Client, server and collaborator processesEncapsulated server can still leak to collaborator via covert channels54Covert Channels (2)A covert channel using file locking55Covert Channels (3)Pictures appear the samePicture on right has text of 5 Shakespeare playsencrypted, inserted into low order bits of color valuesZebrasHamlet, Macbeth, Julius CaesarMerchant of Venice, King Lear56