
Page 1

Politecnico di Milano
© 2001 - William Fornaciari

Operating Systems Security: pack 1

Lecturer: William Fornaciari
Politecnico di Milano
fornacia@elet.polimi.it
www.elet.polimi.it/~fornacia

Page 2

Computer Security in the Real World

“What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren’t a paying business), and minimum interference with daily life. Computer security is hard because people don’t trust new things (especially when they don’t understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I’ll explain why this is wrong ...” (Butler Lampson)

Page 3

Security

Computer security deals with the prevention, detection and reaction to unauthorised actions by users. With the term security we focus on the global problem, dealing with:
- technical issues
- management issues
- social issues
- legal issues

There is no single definition of security.

Page 4

Security vs Protection

We can refer to protection as a subset of security:
- referring only to the specific mechanisms used by the OS to safeguard computer information;
- providing controlled access to programs and data stored in the computer.

Security requires not only a suitable protection system, but must also consider the external environment in which the system operates: malicious behaviour of entities external to the system, affecting computer assets:
- hardware, including communication lines and networks
- software
- data

Page 5

Security Context

(Diagram: information system security placed within network security, with intruders on the outside.)

Page 6

Intruders

Modern systems usually allow remote access:
- from terminals
- from modems
- from the network

Intruders can use all of these ways to break in.

Page 7

Security Areas

Apart from social and legislative controls, computer security can generally be partitioned into three areas:
- external security
- interface security
- internal security

Page 8

External Security

Concerns physical access to the overall computer facilities, to prevent theft, destruction and tampering. This includes:
- control of access to communication lines, removable memory media and terminals;
- safeguarding information from natural disasters like fire, earthquakes, floods, short circuits, wars, …

External security consists of administrative and physical control measures to prevent undesired access to physical resources. Full protection cannot be assured, hence the target is to:
- minimize possible violations;
- minimize the possible consequent damage;
- provide recovery procedures (typically a proper backup policy).

Page 9

Interface Security

It is concerned with the authentication of a user once physical access to a computer system has become feasible (Authentication).

Page 10

Internal Security

It is concerned with:
- control of access within the computer system (Protection);
- safeguarding information transmitted over communication lines between computer systems (communication/network security);
- safeguarding stored information from being inadvertently or maliciously disclosed (file security);
- monitoring the utilization of system resources by its users (Auditing).

Page 11

Security Levels

The problem of security can be faced at three different levels:
- basic technologies
- architectures and protocols
- organization

(Diagram: the three levels as a stack, from top to bottom: Organization, Architectures and Protocols, Basic Technologies.)

Page 12

Basic technologies

This level basically focuses on cryptographic techniques, but also belonging to it are:
- electromagnetic shields
- ...

Technologies of this level are hard to trick with a direct attack: brute force attacks come at a huge cost.

Page 13

Architectures and protocols

The system may be secure, but we do not know who our interlocutor is. We need special architectures and protocols for:
- cryptographic key exchange
- certificates

Page 14

Organization

Concerned not with technical problems but with the human level. Computer security is easily subverted by bad human practices, e.g. writing passwords on the computer monitor. Management has to instil secure behaviours in the users and strongly discourage non-secure behaviours.

Non-secure behaviours may compromise all the security measures we have laboriously put in place.

In a nutshell, there is a need for management security consciousness.

Social engineering attacks tend to be cheap, easy and effective.

Page 15

Security Measures

A rough classification is:
- Prevention: take measures that prevent computer assets from being damaged.
- Detection: take measures that allow detecting when an asset has been damaged, how it has been damaged, and who has caused the damage.
- Reaction: take measures that allow recovering computer assets or recovering from damage to computer assets.

Page 16

Security Problems (1)

Security is an engineering problem:
- trade-off between safety, cost, performance and inconvenience;
- risk analysis and security planning are required.

Security is a global concept:
- we cannot protect a part of a system leaving another part without any protection;
- those breaking security will attack the weakest point.

Page 17

Security Problems (2)

Total security is, generally, not achievable:
- because making mistakes is easy;
- the nature of the problem implies that mistakes are always exploited.

The target to reach is making a security violation a mechanism requiring a cost and an effort so great that it is not convenient.

Page 18

Fundamental Constraints of Practical Computer Security

Security costs: if security measures cost too much, they won’t be adopted.

Conflict between security and ease-of-use:
- users have specific security requirements but usually no security expertise;
- if security mechanisms are not easy to use or interfere too much with the working patterns users are familiar with, they will not be used or will be misused;
- misuse often makes security measures useless.

Impact on performance is manifold:
- security measures need additional computational resources;
- if the impact is too high, they will not be used.

Page 19

Security Requirements

There is a range of security requirements we have to guarantee for messages and data:
- Confidentiality
- Integrity
- Availability
- Accountability
- Non-repudiation

Page 20

Confidentiality

Confidentiality concerns the prevention of unauthorized disclosure of information. It captures the concept that computer security not only has to stop unauthorized users from reading sensitive information, but also has to prevent them from learning sensitive information.

The terms privacy and secrecy are sometimes used to distinguish between:
- protection of personal data (privacy);
- protection of data belonging to an organization (secrecy).

Page 21

Integrity

Integrity concerns unauthorized modification of information. If we associate integrity with the prevention of all unauthorized actions, then confidentiality becomes a part of integrity.

Data integrity is the state that exists when electronic data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction. It is impossible to guarantee this property only with mechanisms internal to the computer system; we also have to consider communications security.

Page 22

Availability

Availability concerns the prevention of unauthorized withholding of information or resources. It is the property of being accessible and usable upon demand by an authorized entity.

Engineering techniques used to improve availability:
- go far beyond the traditional boundaries of computer security;
- come from other areas, like fault-tolerant computing.

In the context of security it is linked with the prevention of denial of service.

Page 23

Accountability (1)

Confidentiality, integrity and availability:
- deal with different aspects of access control;
- put their emphasis on the prevention of unwelcome events.

Authorized actions can also lead to a security violation, and a flaw in the security system may allow an intruder to find a way around the controls. For these reasons users should be held responsible for their actions, so a new security requirement was introduced: accountability.

Page 24

Accountability (2)

Accountability: audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.

To achieve this target the system has to identify and authenticate users, and it has to keep an audit trail of security-relevant events.

If a security violation has occurred, information from the audit trail may help to identify the intruder.

Page 25

Reliability and Safety

When considering computer security we often have to keep in mind other areas, like:
- reliability, relating to accidental failures (security is a part of reliability, or vice versa);
- safety, relating to the impact of system failures on their environment.

Page 26

Categories of Threats

A normal information flow from a source to a destination may be subject to:
- passive attacks: interception;
- active attacks: interruption, modification, fabrication.

Page 27

Normal Information Flow

(Diagram: normal information flow from the information source to the destination.)

Page 28

Interruption

Prevents the source from sending information to the receiver, or the receiver from sending a request to the source. It is an attack on availability.

(Diagram: an intruder cuts the flow between the information source and the destination.)

Page 29

How Interruption Occurs

Interruption may be obtained by destroying a resource or making it unusable:
- destroying hardware (e.g., a hard disk, cutting communication lines, ...);
- deleting or damaging software;
- deleting data;
- interfering with the communication channel;
- overloading a shared resource.

With this kind of attack the intruder wants to cause a denial of service.

Page 30

Interception

The information flow between source and destination is eavesdropped by an unauthorized third party. It is an illicit data copy and a threat to confidentiality.

(Diagram: an intruder listens to the flow between the information source and the destination.)

Page 31

Another Type of Interception

It is an active attack.

(Diagram: intruder, information source, destination.)

Page 32

How Interception Occurs

There are several ways to achieve this purpose:
- break-ins
- illicit data copying
- eavesdropping
- masquerading
- tampering

The aims of this attack could be:
- acquiring message content;
- traffic flow analysis, which permits deducing information.

Page 33

Modification

The information or data are modified; it is a threat to integrity.

(Diagram: an intruder alters the flow between the information source and the destination.)

Page 34

How Modification Occurs

Ways to carry out modification-based attacks are:
- interception of data requests;
- masquerading;
- illicit access to servers/services.

Modification may concern:
- the message author;
- the message sending time (replay attacks);
- the message contents.

Page 35

Fabrication

An unauthorized party inserts counterfeit objects into the system. Counterfeiting concerns both the author and the contents of a message. It is a threat to integrity.

(Diagram: an intruder sends counterfeit information to the destination.)

Page 36

How Fabrication Occurs

These attacks can be carried out by:
- masquerading;
- bypassing protection measures;
- duplicating a legitimate request.

Page 37

Passive vs Active Attacks

Passive attacks are forms of eavesdropping:
- no modification or injection of requests occurs;
- they are difficult to detect;
- they require mechanisms that protect communication independently of whether an attack is occurring.

Active attacks are more aggressive: availability and integrity are compromised.

Page 38

Information System Security Threats

Computer security consists of formulating an access control policy that reflects the protection requirements of the application; the computer system then has to enforce the policy in the presence of active attempts to bypass or disable controls.

Implementing a complex system is a challenging task, and there is a long history of security bugs in operating systems, often caused by simple programming errors. Many attacks exploit well-known security weaknesses in an automated and efficient manner.

Page 39

How Things Go Wrong

The major sources of security problems fall into the following categories:
- change in environment
- bound and syntax checking
- convenient but dangerous design features
- escapes from controlled invocation
- bypass at a lower layer
- flaws in protocol implementations

Page 40

Change in Environment

Change is one of the biggest enemies of security. A system may offer perfectly adequate security, then a part of the system is changed:
- the security implications of the change were taken into account, but security is compromised anyway;
- or, even worse, the change was considered to have no influence on security, and unpleasant surprises will occur.

Page 41

Bound and Syntax Checking

A frequent source of security problems are commands that do not check the size or the syntax of their arguments.

By overrunning an input buffer, an attacker with detailed system knowledge can overwrite memory locations holding security-relevant data.
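An added example, not from the slides: a command that stores a user name in a fixed-size buffer, first with the missing checks the slide describes, then with a bound check and a syntax check. The name rule (1 to 15 characters from a-z, 0-9, "_" and "-") and the function names are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16   /* fixed-size buffer used by the command */

/* The defect the slide describes: no size check, so an argument longer
 * than the buffer overruns it and overwrites whatever the compiler placed
 * next to 'name', possibly security-relevant data. Kept only to show the
 * missing check; it is never called on untrusted input here. */
void set_name_unchecked(char name[MAX_NAME], const char *arg) {
    strcpy(name, arg);          /* copies until NUL, whatever the length */
}

/* Hardened version: accept the argument only if it fits AND matches the
 * expected syntax. Returns 0 on success and -1 if the argument is refused;
 * on refusal 'name' is left as an empty string. */
int set_name_checked(char name[MAX_NAME], const char *arg) {
    size_t len = 0;
    name[0] = '\0';
    /* Bounded scan: never look past the buffer size we can accept. */
    while (len < MAX_NAME && arg[len] != '\0')
        len++;
    /* Bound check: at most MAX_NAME-1 characters plus the terminator. */
    if (len == 0 || len >= MAX_NAME)
        return -1;
    /* Syntax check: only the characters the command is specified to take. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return -1;
    }
    memcpy(name, arg, len + 1);   /* length is known to be safe here */
    return 0;
}

int main(void) {
    char name[MAX_NAME];
    /* Constructed sample arguments. */
    const char *args[] = {
        "alice",                               /* valid */
        "al ice",                              /* syntax violation */
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",    /* too long: would overrun */
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s -> %s\n", args[i],
               set_name_checked(name, args[i]) == 0 ? "accepted" : "refused");
    return 0;
}
```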

Page 42

Convenient features

Backward compatibility with legacy systems, ease of installation and ease of use are good reasons for including features. These features are however dangerous from a security viewpoint, leaving the system open for attackers to exploit what is an intended system feature.

Page 43

Controlled Invocation

An error in such a program (one invoked with privileges higher than those of its caller) can seriously undermine security. E.g., in Unix, when a user logs in:
- the login program sets up an environment for that user, executing the commands contained in the user’s .cshrc and .login files;
- the login program runs with root privilege;
- a user can use the .cshrc and .login files as trojan horses, inserting commands that will be executed by root;
- it is, therefore, crucial that the UID of the login process is set to the user’s UID before executing any commands that could be defined by the user.
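An added example (not the slides' or any login program's code) of the ordering the last point calls for: a root-running program drops to the user's identity, verifies the drop, and only then hands control to user-defined startup commands. The function names, and the use of a shell plus an rc file path to stand in for .cshrc/.login, are assumptions of this illustration.

```c
#define _GNU_SOURCE   /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to the target user's identity. Returns 0 on success
 * and -1 (errno set) on any failure; a caller must treat -1 as fatal and
 * must not go on to run anything the user controls. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* 1. Supplementary groups: only root may change them and setuid()
     *    does not touch them, so clear them while we still can. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* 2. Group before user: once the UID is no longer 0 we could not
     *    change the GID any more. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User last. For a root process setuid() sets real, effective and
     *    saved UID together, so the change cannot be undone. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify rather than assume: a partial drop is worse than none. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* 5. If we left root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Login-like sequence: drop first, then run the user's startup commands.
 * 'rc_path' stands for files such as .cshrc/.login (assumed stand-in). */
int run_user_startup(uid_t uid, gid_t gid, const char *shell, const char *rc_path) {
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return -1;   /* never fall through to user-controlled commands */
    }
    /* Only now is it safe to interpret content the user can write. */
    execl(shell, shell, rc_path, (char *)NULL);
    perror("execl");
    return -1;
}

int main(void) {
    /* Demonstration on the invoking user's own ids, so it runs without root. */
    if (drop_privileges(getuid(), getgid()) == 0)
        printf("running as uid=%u gid=%u\n",
               (unsigned)getuid(), (unsigned)getgid());
    else
        perror("drop_privileges");
    return 0;
}
```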

Page 44

Bypass

Logical access control validates access by users and processes to logical system objects. This control may be bypassed if an attacker:
- can insert code below the logical access control;
- or gets direct access to memory.

Page 45

Flawed Protocol Implementations

Abstract descriptions of security protocols are full of innocuous statements like ‘pick a random number’. Sometimes designers go for an easy option, being aware of its security shortcomings; sometimes they do not immediately spot the problem.
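An added example, not from the slides, of the ‘pick a random number’ step implemented two ways: the easy option (the C library rand() seeded with the clock, as many implementations have done) and one that draws from the operating system's random device. The /dev/urandom path, the 16-byte nonce size and the function names are assumptions of this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define NONCE_LEN 16

/* Easy option with a known shortcoming: the whole nonce is a function of
 * one 32-bit seed, and a clock-based seed is predictable to the second,
 * so two runs in the same second (or anyone who knows the time) get the
 * same "random" value. */
void weak_nonce(unsigned seed, unsigned char out[NONCE_LEN]) {
    srand(seed);
    for (size_t i = 0; i < NONCE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Fill 'out' with NONCE_LEN bytes from the kernel's CSPRNG. Returns 0 on
 * success, -1 if the device cannot be opened or read fully; the caller must
 * abort the protocol run on -1 instead of continuing with a partial nonce. */
int secure_nonce(unsigned char out[NONCE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, NONCE_LEN, f);
    fclose(f);
    if (got != NONCE_LEN) {
        memset(out, 0, NONCE_LEN);   /* never leave a half-filled nonce */
        return -1;
    }
    return 0;
}

static void print_hex(const char *label, const unsigned char *b) {
    printf("%s: ", label);
    for (size_t i = 0; i < NONCE_LEN; i++)
        printf("%02x", b[i]);
    printf("\n");
}

int main(void) {
    unsigned char a[NONCE_LEN], b[NONCE_LEN];
    unsigned now = (unsigned)time(NULL);

    weak_nonce(now, a);
    weak_nonce(now, b);          /* a second party guessing the same second */
    print_hex("weak   #1", a);
    print_hex("weak   #2", b);   /* identical to #1 */

    if (secure_nonce(a) == 0 && secure_nonce(b) == 0) {
        print_hex("secure #1", a);
        print_hex("secure #2", b);   /* independent draws */
    }
    return 0;
}
```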

Page 46

Malicious Programs (1)

Dangers for a system are often represented by programs which take advantage of system weak points, e.g., an OS that does not protect against unauthorised modification.

Clever programmers can get software to do their dirty work for them. Programs have several advantages for this purpose:
- speed
- mutability
- anonymity

Page 47

Malicious Programs (2)

We can distinguish malicious programs in two categories:
- independent programs, that may be executed autonomously from the execution of other programs: worms, bacteria;
- program fragments, that cannot work independently from the execution of another process: trojan horses, trapdoors, logic bombs, viruses.

Trojan horses and logic bombs may, in some cases, be part of a virus.

Page 48

Taxonomy

(Diagram: malicious programs divided into those that need a host program (trapdoors, logic bombs, trojan horses, viruses) and independent ones (bacteria, worms), with a ‘Replicates’ label marking the self-replicating kinds.)

Page 49

Trapdoors

A trapdoor:
- is a secret entry point into an otherwise legitimate program;
- is a portion of code that recognizes special input sequences, or that is activated when an application is executed with a particular ID.

A user knowing of its existence may gain access bypassing the normal authentication procedures. Trapdoors are used by programmers:
- to facilitate debugging and program testing, avoiding tedious and long authentication procedures;
- to have an activation method if the program’s authentication process has a bug.

Controls against trapdoors are difficult to implement.

Page 50

Logic Bombs

A logic bomb is a piece of code belonging to a legitimate program that under certain conditions explodes:
- modifying or deleting data and files;
- causing a system halt;
- ...

Usually they are inserted by the program authors. In practice it is hard or impossible to detect a logic bomb before its explosion.

Typical activating conditions are:
- the presence or absence of certain files;
- a particular day;
- a particular user executing the application.

Page 51

Trojan Horses

A trojan horse is a seemingly useful program that contains hidden code performing harmful actions:
- obtaining access to the user’s files by changing file permissions;
- obtaining passwords;
- deleting data and files;
- adding backdoors to programs;
- ...

We may find them in:
- editors;
- fake login screens;
- compilers, where they are particularly dangerous: malicious code is inserted into a program during its compilation.

Page 52

Bacteria

Their only purpose is to replicate themselves. Bacteria reproduce in an exponential way:
- taking up all the processor capacity;
- taking up memory;
- taking up disk space;
- eventually denying users access to resources.

Page 53

Worms

Worms use network connections to spread from system to system. To replicate themselves they use:
- the e-mail facility: a worm mails a copy of itself to other systems;
- remote execution capability: a worm executes a copy of itself on other systems;
- remote log-in capability: a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other.

They can spread very rapidly.


Worms (2)

When a worm is activated it may act as a
- Virus
- Bacterium
- Trojan horse
- Or perform any other kind of malicious action

Four phases characterize a worm (like a virus)
- Sleeping: the worm is inactive, waiting for some event
- Propagation: the worm
  – Looks for other systems to infect by analysing the host table or remote system addresses
  – Establishes a remote connection
  – Copies itself to the remote system, making sure the copy will be activated


Worms (3)

- Triggering: the worm is ready to do its work
  – This phase may be activated by various events
- Execution: the worm does its work

The Morris Internet worm in 1988 is the most famous example; more recently, "I love you"


Viruses

Viruses are programs that can infect other programs by modifying them
Like worms, viruses are designed for spreading, but they are pieces of code inserted into legitimate programs
Viruses occur anywhere imported code gets executed
- Imported programs
- Some inclusions in mail messages
- Boot sectors and other executable portions of media
- Macros attached to some data files

Along with mere infection, trojan horses, trapdoors, or logic bombs can be included


Virus Life-Cycle

The life-cycle of a virus has four phases, like worms
- Sleeping
  – Not all viruses have the sleeping phase
- Propagation
  – The virus puts a copy of itself in some program or in some system disk area
  – The copy itself will enter the propagation phase
- Triggering
  – The virus is activated by some event for executing its task
- Execution
  – The virus executes its task, which may be innocuous or harmful


Virus Spread

[Figure: virus spread in three steps (1, 2, 3). Step 1: an infected program containing the virus code, next to an uninfected program. Step 2: the virus code is copied from the infected program into the uninfected one. Step 3: both programs are now infected and carry the virus code.]


Typical Virus Actions

Typical virus actions are
- Find uninfected writable programs
- Modify those programs
- Perform the normal actions of the infected program
- Do whatever other damage is desired by its author


Viruses Taxonomy (1)

A non-exhaustive taxonomy
- Parasitic virus
  – It is the classic virus attached to an executable file
  – When the infected program is executed, the virus looks for uninfected files for spreading
- Memory resident virus
  – Lodges in main memory as a part of a resident system program
  – Once in memory, it infects every program that is executed
- Boot sector virus
  – It infects a boot sector
  – When the system is started, the virus starts its work


Viruses Taxonomy (2)

- Stealth virus
  – It is designed with the precise intent of eluding anti-virus detection
  – Compression techniques may be used by this kind of virus to leave the size of the infected program unmodified
  – The virus may modify the routines for I/O operations so that, when those routines are used, they show the infected program as uninfected
  – Hiding in a sector marked as bad in the FAT
- Slow infection virus
  – Controls the rate of infection to avoid immediate detection


Viruses Taxonomy (3)

- Polymorphic virus
  – It is designed to make little changes to its code at every infection
  – Creates copies of itself that are functionally equivalent but have distinctly different bit patterns
  – Encrypts itself and uses a new key on each new infection
  – It is a way to deceive anti-virus mechanisms, making detection by signature impossible
- Macro virus
  – It is attached to a data file, therefore it bypasses integrity protection mechanisms targeting executables
  – It is written in a high-level language, therefore it is much more platform independent


Dealing with Viruses

The solutions to counter viruses are
- Prevention of infection
- Detection and reaction
- Containment


Preventing the Spread of Viruses

To prevent a virus infection the solution is not installing untrusted software
- But who can you trust?
- Viruses have been found in commercial shrink-wrap software

So we have to take other prevention measures
- Scan incoming programs for viruses
  – Some viruses are designed to hide
  – Anti-virus software does not detect the newest viruses
- Limit the targets viruses can reach
- Monitor updates to executable files


Virus Detection (1)

Virus detection is needed if an infection occurred
Both virus and anti-virus software have become more complex
We may identify four anti-virus generations
- Simple analysers (first generation)
  – Scanners using the virus signature to identify the infection
    – Do not identify polymorphic viruses
  – Others maintain a record of program length, looking for variations in length
    – Do not identify stealth viruses


Virus Detection (2)

- Heuristic analysers (second generation)
  – Use heuristic rules to search for probable virus infection
  – Look for fragments of code that are often associated with viruses
  – A checksum may be attached to the end of a program so that, if a virus infected the program without updating the checksum, the infection may be detected
    – Some viruses are able to generate the checksum themselves
  – The checksum may be replaced with an encrypted hash function that is harder for a virus to forge
- Activity traps (third generation)
  – They are memory-resident programs that identify a virus by its actions rather than by its structure
  – They intervene when these actions take place
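The checksum-versus-encrypted-hash point of the second-generation analysers, as an added example that is not part of the slides: an unkeyed trailer checksum that a program modifying the file can simply recompute, beside an HMAC-SHA256 tag (assumed here as the "encrypted hash function") that cannot be regenerated without the checker's key. The program bytes, the appended bytes and the key are constructed.

```python
"""Trailer checksum vs keyed hash for detecting a modified program.

Added example, not from the slides. The "program" is a constructed byte
string and the modification appends a few bytes to it. Whoever modifies
the file can regenerate an unkeyed checksum; an HMAC-SHA256 tag (assumed
here as the 'encrypted hash function') cannot be regenerated without the
key, which the integrity checker keeps where programs cannot read it."""
import hashlib
import hmac

PLAIN_LEN = 4    # bytes of the additive checksum trailer
TAG_LEN = 32     # bytes of the HMAC-SHA256 trailer

# constructed secret of the integrity checker, never stored beside programs
CHECKER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def plain_checksum(data: bytes) -> bytes:
    """Unkeyed 32-bit additive checksum (anyone can recompute it)."""
    return (sum(data) & 0xFFFFFFFF).to_bytes(PLAIN_LEN, "big")


def attach_plain(program: bytes) -> bytes:
    return program + plain_checksum(program)


def verify_plain(image: bytes) -> bool:
    body, trailer = image[:-PLAIN_LEN], image[-PLAIN_LEN:]
    return plain_checksum(body) == trailer


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash: recomputable only by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def attach_keyed(program: bytes, key: bytes = CHECKER_KEY) -> bytes:
    return program + keyed_tag(key, program)


def verify_keyed(image: bytes, key: bytes = CHECKER_KEY) -> bool:
    body, trailer = image[:-TAG_LEN], image[-TAG_LEN:]
    # constant-time compare so the check itself leaks nothing about the tag
    return hmac.compare_digest(keyed_tag(key, body), trailer)


def modify_and_refresh_plain(image: bytes, extra: bytes) -> bytes:
    """Modify the body and recompute the unkeyed trailer: the case the slide
    mentions, a virus that generates the checksum itself."""
    body = image[:-PLAIN_LEN] + extra
    return attach_plain(body)


def modify_keyed_without_key(image: bytes, extra: bytes) -> bytes:
    """Modify the body but keep the old tag: without the key no fresh valid
    tag can be produced, so the old one is the best a modifier can do."""
    body, trailer = image[:-TAG_LEN], image[-TAG_LEN:]
    return body + extra + trailer


def demo() -> dict:
    """Run both checks on a clean and on a modified image (constructed data)."""
    program = b"\x7fELF constructed program body"   # constructed, not a real ELF
    extra = b"\x90\x90 constructed appended bytes"  # constructed modification
    plain_img = attach_plain(program)
    keyed_img = attach_keyed(program)
    return {
        "plain_clean": verify_plain(plain_img),          # True
        "plain_modified":                                # True: goes undetected
            verify_plain(modify_and_refresh_plain(plain_img, extra)),
        "keyed_clean": verify_keyed(keyed_img),          # True
        "keyed_modified":                                # False: detected
            verify_keyed(modify_keyed_without_key(keyed_img, extra)),
    }
```

The keyed check only helps if CHECKER_KEY is unreadable by ordinary programs; as the containment slides note, a program runs with the user's privileges, so a key kept in the user's own files is as good as no key.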


Virus Detection (3)

- Full-featured protection (fourth generation)
  – Consists of a variety of anti-virus techniques used in conjunction
  – Besides analysis and activity traps, these packages include access control techniques that prevent a virus from entering the system


Containment

To avoid virus damage we may run suspect programs in an encapsulated environment, limiting their forms of access to prevent virus spread
Containment requires a versatile security model and strong protection
- Running each executable in its own protection domain, relying on the underlying access control mechanisms
- Standard access control mechanisms offered by the OS are often not enough
  – Programs execute under the user's identity with the user's privileges
  – So the evil program has full user privileges


Standard Access Control Mechanisms

Other problems with standard access mechanisms are
- What access is allowable?
- How does it get set?
- How fast can you create the domains?

Most popular OS do not offer simple ways to limit the security domain of programs
Access control mechanisms present several problems in managing untrusted code (as we have seen talking about protection)

Other possible solutions
- Improved OS access control for managing untrusted code
- Padded cells


Padded Cell Approaches

Improving OS access control means building systems able to manage domains that are not the same as process spaces
Padded cells essentially consist in executing programs in an encapsulated environment
Three ways to implement an encapsulated environment
- Augmenting the OS
  – Solves the general problem
- Virtual machine and language-based approaches
  – Most suitable for downloaded small executables
- Software-enforced fault isolation
  – Most suitable for composition of executables


Virtual Machine and Language Approaches

Define a virtual machine that does not allow insecure operations
Run imported programs through an interpreter for that language
Java does precisely that
The Java virtual machine is meant to provide a secure execution environment allowing
- Very limited file access
- No process creation
- Very limited network communications
- Very limited examination of details of the host computer


Software-Enforced Fault Isolation

The virtual machine approach is limiting
- What happens if you need to write a file, create a process, ...?
- Usually only one language is supported

Software-enforced fault isolation consists of a software approach to memory protection
- Segment matching
- Address sandboxing
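The two memory-protection techniques just named, as an added simulation that is not part of the slides: a constructed flat 16-bit address space split into 4 KiB segments, in which an untrusted module's stores are either checked against its segment (segment matching) or forced into it by rewriting the address bits (address sandboxing). The segment layout, the module's segment and its workload are assumptions of the example.

```python
"""Simulation of segment matching and address sandboxing.

Added example, not from the slides. Constructed model: a flat 16-bit address
space split into 16 segments of 4 KiB, the segment id being the upper 4 bits
of an address. An untrusted module may write only inside its own data segment;
the two policies differ in what happens to a store aimed elsewhere."""

ADDR_BITS = 16
SEG_BITS = 12                       # 4 KiB segments
OFFSET_MASK = (1 << SEG_BITS) - 1   # keeps only the offset within a segment


class SegmentFault(Exception):
    """Trap raised by segment matching on an out-of-segment access."""


class Memory:
    """The whole address space as one byte array."""

    def __init__(self) -> None:
        self.cells = bytearray(1 << ADDR_BITS)

    def load(self, addr: int) -> int:
        return self.cells[addr]

    def raw_store(self, addr: int, value: int) -> None:
        self.cells[addr] = value & 0xFF


def segment_id(addr: int) -> int:
    return addr >> SEG_BITS


def matched_store(mem: Memory, seg: int, addr: int, value: int) -> None:
    """Segment matching: code inserted before the store compares the target's
    segment id with the module's own id and traps on mismatch (precise, but
    every store pays for a compare and a branch)."""
    if segment_id(addr) != seg:
        raise SegmentFault(f"module in segment {seg} stored to {addr:#06x}")
    mem.raw_store(addr, value)


def sandboxed_store(mem: Memory, seg: int, addr: int, value: int) -> int:
    """Address sandboxing: no check at all; the upper bits are overwritten with
    the module's segment id, so the store cannot leave the segment (cheaper,
    but a wild address silently lands inside the module's own segment instead
    of trapping). Returns the address actually written."""
    forced = (seg << SEG_BITS) | (addr & OFFSET_MASK)
    mem.raw_store(forced, value)
    return forced


def run_module(mem: Memory, seg: int, stores, policy: str) -> tuple:
    """Apply the (addr, value) stores requested by the untrusted module under
    the given policy ('matching' or 'sandboxing'); returns (completed, faults)."""
    completed = faults = 0
    for addr, value in stores:
        try:
            if policy == "matching":
                matched_store(mem, seg, addr, value)
            elif policy == "sandboxing":
                sandboxed_store(mem, seg, addr, value)
            else:
                raise ValueError(f"unknown policy {policy!r}")
            completed += 1
        except SegmentFault:
            faults += 1
    return completed, faults


# constructed workload: the module lives in segment 3; its second store aims at
# segment 0, which belongs to some other module and must never be written
MODULE_SEGMENT = 3
WORKLOAD = [(0x3010, 0xAA), (0x0010, 0xBB)]
```

Under either policy the byte at 0x0010 stays untouched; sandboxing instead overwrites the module's own cell 0x3010, which is exactly the trade-off between a trap and a cheaper, silent redirection.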


Authorization and Access Control

Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
The concepts of proper authorization and of access control are essential for this definition
We have seen access control mechanisms talking about protection


Identification and Authentication

A secure system somehow has to track the identities of the users requesting its services
- Identification
  – Consists of entering user name and password
  – You announce who you are
- Authentication is the process of verifying a user's identity
  – Once user name and password are entered, a process compares the input against the entries stored in a password file
  – Login will succeed if a valid user name and the corresponding password are entered


User Authentication

There exist two reasons for authenticating a user
- User identity is a parameter in access control decisions
  – Processes are generally assigned to protection domains according to the identity of the user on whose behalf they are executed
- User identity is recorded when logging security relevant events in an audit trail

Most computer systems use identification and authentication through username and password as their first line of defence


Passwords

Identification and authentication through a password
- Has become a widely accepted mechanism and is not too difficult to implement
- Obtaining a valid password is an extremely common way of gaining unauthorized access to a computer system
  – Password guessing
  – Password spoofing
  – Compromise of the password file


Choosing Passwords

Password choice is a critical security issue
Completely preventing an attacker from accidentally guessing a valid password is impossible
The use of trivial words as passwords makes an illegal disclosure a rather easy event
We can try to keep the probability of such an event as low as possible by adopting some common-sense measures
- Changing default system passwords like 'manager'
- Prescribing a minimal password length
- Mixing upper and lower case symbols
- Including numerical and other non-alphabetical symbols
- Avoiding obvious passwords
- Changing the password frequently
- Always choosing easy-to-remember passwords


Password Guessing

Attackers essentially follow two guessing strategies
- Exhaustive search (brute force)
  – Try all possible combinations of valid symbols, up to a certain length
- Intelligent search
  – Search through a restricted name space
  – Try passwords that are somehow associated with a user, like name, names of friends and relatives, car brand, car registration number, phone number ...
  – Try passwords that are generally popular (dictionary attack)

Successful attacks are more often based on social engineering than on technical ingenuity
Actions should be taken to focus the user's attention on the relevance of a careful choice of password, and of its correct use


Dictionary attacks

In a dictionary attack
- An on-line dictionary contains a set of popular passwords
- A program tries all passwords from the dictionary until it finds the correct one


Password disclosure

Studies have shown that the illegal disclosure of passwords through repeated attempts is still feasible today with acceptable computation time
- Due to the use of massive parallelism

Parallel technologies, combined with negligence in the selection and management of passwords, increase the exposure to intrusions


Improving Password Security (1)

Systems may help to improve password security
- Password checkers
  – Tools that check passwords against some dictionary of 'weak' passwords
- Password generation
  – Some OS include a password generator producing random but pronounceable passwords
  – Users are allowed only to adopt passwords proposed by the system
  – Users are unlikely to memorise long and complicated passwords
    – They write such passwords down on a piece of paper that is kept close to the computer


Improving Password Security (2)

- Password ageing
  – An expiry date for passwords can be set, forcing users to change passwords at regular intervals
  – A list of old passwords may be kept to prevent re-use of old passwords by users
  – Changing passwords too often causes the problem of users writing them down in order to remember them
- Limit login attempts
  – The system can monitor unsuccessful attempts and react by locking the user account completely or at least for a certain period of time
  – Useful against dictionary attacks


Improving Password Security (3)

- Inform the user
  – After a successful login, the system can display the time of the last login and the number of failed login attempts
  – The user may discover recently attempted attacks


Spoofing Attacks (1)

Identification and authentication through username and password provide unilateral authentication
- The user has no guarantee about the identity of the party to whom he is giving his password

In a spoofing attack
- The attacker runs a program that presents a fake login screen on some terminal/workstation
- The user tries to log on
- User name and password are stored by the attacker
- Execution could be handed over to the user, or login is aborted with an error message
- The spoofing program terminates, giving back control to the OS


Against Spoofing Attacks

Solutions against spoofing attacks may be
- Displaying the number of failed logins
- Guaranteeing that the user communicates with the OS and not with a spoofing program
  – Windows NT has a secure attention sequence, CTRL+ALT+DEL, which invokes the Windows NT OS login screen
- Double authentication (handshaking)
  – It is mutual authentication, where the system introduces itself to the user through information known only to the user, and the user authenticates back to the system
  – E.g. in a distributed system, the system could be required to authenticate itself to the user


Beyond Spoofing Attacks

Other ways through which an intruder may 'find' a password are due to the fact that
- Passwords do not travel directly from the user to the checking routine
- Passwords are, temporarily, held in intermediate storage locations like
  – Buffers
  – Caches
  – Web pages

The management of these storage locations is beyond the control of the user, and a password may be kept longer than the user might think


Compromise of the Password File

User passwords are stored in the password files managed by the OS
Password files are a desirable target for an intruder
- Disclosure or modification of their content permits the intruder to gain system access

Password files must be protected
- Cryptographic protection
- Access control enforced by the OS
- A combination of cryptographic protection and access control, plus mechanisms to slow down dictionary attacks


Cryptographic Protection (1)

Instead of the password x, the value f(x) is stored in the password file
- f(x) is a one-way function: easy to compute but hard to reverse

When a user logs in and enters a password x1, the system
- Applies the one-way function f and compares f(x1) with the expected value f(x). If the values match, the user has been successfully authenticated

The password file can be left readable if dictionary attacks are not a concern


Cryptographic Protection (2)

In a dictionary attack the attacker
- Knows the encryption function
  – E.g. Unix uses the one-way function crypt(3)
- Encrypts all words in a dictionary
- Compares, off-line, all these words against the encrypted entries in the password file; if a match is found the attacker knows that user's password

We may use a one-way function that is harder to compute
- Dictionary attacks become harder (require more time)
- But the login mechanism also slows down

It is better to also hide the encrypted password file
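The stored one-way value f(x), the per-guess cost that makes off-line dictionary attacks slower, and the password checker and login-attempt limit from the earlier slides, brought together in one added example that is not part of the slides. It assumes PBKDF2-HMAC-SHA256 with a per-user salt in place of crypt(3); the user names, passwords and the tiny 'weak password' dictionary are constructed.

```python
"""Password-file protection as described on the slides, in one piece.

Added example, not from the slides. f(x) is PBKDF2-HMAC-SHA256 (assumed in
place of crypt(3)) over a per-user random salt: the salt defeats a
precomputed dictionary, and the iteration count fixes how much work each
off-line guess costs. Weak passwords are refused at enrolment and an account
locks after repeated failures. All users, passwords and the dictionary are
constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000         # per-guess cost; raising it slows logins too
MAX_FAILED_ATTEMPTS = 3      # lockout threshold (slide: "limit login attempts")

# constructed dictionary of 'weak' passwords; a real checker loads a big list
WEAK_PASSWORDS = {"manager", "password", "123456", "letmein", "qwerty"}


def one_way(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """f(x): cheap to evaluate once at login, expensive to invert by guessing
    because every candidate word costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def is_weak(password: str, min_length: int = 8) -> bool:
    """Password checker: dictionary word (in any case) or shorter than the minimum."""
    return password.lower() in WEAK_PASSWORDS or len(password) < min_length


class PasswordFile:
    """In-memory stand-in for the OS password file: user -> salt, f(x), failures."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def enrol(self, user: str, password: str) -> None:
        """Store f(x) with a fresh salt; refuse passwords the checker rejects."""
        if is_weak(password):
            raise ValueError("password rejected by the password checker")
        salt = os.urandom(16)   # different salt per user: equal passwords, different f(x)
        self.entries[user] = {"salt": salt,
                              "hash": one_way(password, salt),
                              "failed": 0}

    def is_locked(self, user: str) -> bool:
        entry = self.entries.get(user)
        return entry is not None and entry["failed"] >= MAX_FAILED_ATTEMPTS

    def login(self, user: str, candidate: str) -> bool:
        """Compute f(x1) for the entered password and compare with the stored f(x)."""
        entry = self.entries.get(user)
        if entry is None or self.is_locked(user):
            return False            # unknown user or account locked: same answer
        ok = hmac.compare_digest(one_way(candidate, entry["salt"]), entry["hash"])
        if ok:
            entry["failed"] = 0     # successful login resets the counter
        else:
            entry["failed"] += 1    # another failure towards the lockout threshold
        return ok
```

A lockout that is permanent lets anyone who knows a user name deny that user service, which is why the slides also mention locking "for a certain period of time".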


Access Control Mechanisms

OS access control mechanisms restrict access to files and other resources to users holding appropriate privileges
They can be used to protect password files
- Only privileged users can have access to the password file
- If read access is restricted to privileged users, passwords could in theory be stored unencrypted

Malicious users, taking advantage of faulty OS modules (bugs or trapdoors), could access the content of the password file
A trojan horse in the login procedure of a system can record all the passwords used at login time
A combination of access control mechanisms and cryptographic methods is therefore recommended


Proprietary Storage Formats

A weak form of read protection is provided by proprietary storage formats
- E.g. Windows NT stores encrypted passwords in a proprietary binary format

A determined attacker will obtain or deduce the information necessary to detect the location of security relevant data