Politecnico di Milano
Operating Systems
Security: pack 1
Lecturer: William Fornaciari
Politecnico di Milano
[email protected]
www.elet.polimi.it/~fornacia
© 2001 - William Fornaciari
Computer Security in the Real World
“What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren’t a paying business), and minimum interference with daily life. Computer security is hard because people don’t trust new things (especially when they don’t understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I’ll explain why this is wrong ...” Butler Lampson
Security
Computer security deals with the prevention, detection and reaction to unauthorised actions by users
With the term security we focus on the global problem, dealing with
– Technical issues
– Management issues
– Social issues
– Legal issues
There is no single definition of security
Security vs Protection
We can refer to protection as a subset of security
– Referring only to the specific mechanisms used by the OS to safeguard computer information
– Providing controlled access to programs and data stored in the computer
Security requires not only a suitable protection system, but must also consider the external environment in which the system operates
– Malicious behaviour of entities external to the system, affecting computer assets
– Hardware, including communication lines and networks
– Software
– Data
Security Context
(diagram with the labels Network Security, Information System Security and Intruder)
Intruders
Modern systems usually allow remote access
– From terminals
– From modems
– From the network
Intruders can use all of these ways to break in
Security Areas
Apart from social and legislative controls, computer security can generally be partitioned into three areas
– External security
– Interface security
– Internal security
External Security
Concerns physical access to the overall computer facilities, to prevent theft, destruction and tampering. This includes
– Control of access to communication lines, removable memory media and terminals
– Safeguarding information from natural disasters like fire, earthquakes, floods, short circuits, wars, …
External security consists of administrative and physical control measures to prevent undesired access to physical resources
Full protection cannot be assured, hence the target is to
– Minimize possible violations
– Minimize possible consequent damages
– Provide recovery procedures (typically a proper backup policy)
Interface Security
It is concerned with the authentication of a user once physical access to a computer system has become feasible (Authentication)
Internal Security
It is concerned with
– Control of access within the computer system (Protection)
– Safeguarding of information transmitted over communication lines between computer systems (communication/network security)
– Safeguarding stored information from being inadvertently or maliciously disclosed (file security)
– Monitoring the utilization of the system resources by its users (Auditing)
Security Levels
The problem of security can be faced at three different levels
– Basic technologies
– Architectures and protocols
– Organization
(diagram: the three levels stacked, with Organization on top of Architectures and Protocols, on top of Basic Technologies)
Basic technologies
Basically focus on cryptographic techniques, but electromagnetic shields, ... also belong to this level
Technologies of this level are hard to trick with a direct attack
Brute force attacks involve a huge cost
Architectures and protocols
The system may be secure, but we do not know who our interlocutor is
We need special architectures and protocols for
– Cryptographic key exchange
– Certificates
Organization
Concerned not with technical problems but with the human level
Computer security is easily subverted by bad human practices
– e.g. writing passwords on the computer monitor
The management has to instil secure behaviours into the users and strongly discourage non-secure behaviours
Non-secure behaviours may compromise all the security measures we have laboriously put in place
In a nutshell, there is a need for management security consciousness
Social engineering attacks tend to be cheap, easy and effective
Security Measures
A rough classification is
– Prevention, take measures that prevent computer assets from being damaged
– Detection, take measures that allow detecting when an asset has been damaged, how it has been damaged, and who has caused the damage
– Reaction, take measures that allow recovering computer assets or recovering from damage to computer assets
Security Problems (1)
Security is an engineering problem
– Trade-off between safety, cost, performance and inconvenience
– Risk analysis and security planning are required
Security is a global concept
– We cannot protect a part of a system leaving another part without any protection
– Those breaking security will attack the weakest point
Security Problems (2)
Total security is, generally, not achievable
– Because making mistakes is easy
– The nature of the problem implies that mistakes are always exploited
The target to reach is
– Making a security violation a mechanism requiring a cost and an effort so great that it is not convenient
Fundamental Constraints of Practical Computer Security
Security costs
– If security measures cost too much, they won’t be adopted
Conflict between security and ease-of-use
– Users have specific security requirements but usually no security expertise
– If security mechanisms are not easy to use or interfere too much with the working patterns users are familiar with, they will not be used or will be misused
– Misuse often makes security measures useless
Impact on performance is manifold
– Security measures need additional computational resources
– If the impact is too high, they will not be used
Security Requirements
There is a range of security requirements we have to guarantee for messages and data
– Confidentiality
– Integrity
– Availability
– Accountability
– Non-repudiation
Confidentiality
Confidentiality is concerned with the prevention of unauthorized disclosure of information
Captures the concept that computer security not only has to stop unauthorized users from reading sensitive information, but has to prevent them from learning sensitive information
The terms privacy and secrecy are sometimes used to distinguish between
– Protection of personal data (privacy)
– Protection of data belonging to an organization (secrecy)
Integrity
Integrity is concerned with unauthorized modification of information
If we associate integrity with the prevention of all unauthorized actions, then confidentiality becomes a part of integrity
Data integrity
– Is the state that exists when electronic data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction
– It is impossible to guarantee this property only with mechanisms internal to the computer system; we also have to consider communications security
Availability
Availability is concerned with the prevention of unauthorized withholding of information or resources
It is the property of being accessible and usable upon demand by an authorized entity
Engineering techniques used to improve availability
– Go far beyond the traditional boundaries of computer security
– Come from other areas like fault-tolerant computing
In the context of security it is linked with the prevention of denial of service
Accountability (1)
Confidentiality, integrity and availability
– Deal with different aspects of access control
– Put their emphasis on the prevention of unwelcome events
Authorized actions can also lead to a security violation
A flaw in the security system may allow an intruder to find a way to go round the controls
For these reasons users should be held responsible for their actions, so a new security requirement was introduced: accountability
Accountability (2)
Accountability
– Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party
The system has to identify and authenticate users to achieve this target
It has to keep an audit trail of security relevant events
If a security violation has occurred, information from the audit trail may help to identify the intruder
Reliability and Safety
Often, when considering computer security, we have to keep in mind other areas like
Reliability, relating to accidental failures
– Security is a part of reliability or vice versa
Safety, relating to the impact of system failures on their environment
Categories of Threats
A normal information flow from a source to a destination may be subject to
Passive attacks
– Interception
Active attacks
– Interruption
– Modification
– Fabrication
Normal Information Flow
(diagram: information flows from the Information Source to the Destination)
Interruption
Prevent the source from sending information to the receiver, or the receiver from sending requests to the source
It is an attack on availability
(diagram: the Intruder breaks the flow between Information Source and Destination)
How Interruption Occurs
Interruption may be obtained by destroying a resource or making it unusable
Destroying hardware
– E.g., a hard disk, cutting communication lines ...
Deleting or damaging software
Deleting data
Interference with the communications channel
Overloading a shared resource
The intruder, with this kind of attack, wants to cause denial of service
Interception
The information flow between source and destination is eavesdropped by an unauthorized third party
It is an illicit data copy and a threat to confidentiality
(diagram: the Intruder listens to the flow between Information Source and Destination)
Another Type of Interception
It is an active attack
(diagram with the labels Intruder, Information Source and Destination)
How Interception Occurs
There are several ways to achieve this purpose
– Break-ins
– Illicit data copying
– Eavesdropping
– Masquerading
– Tampering
The aims of this attack could be
– Acquiring message content
– Traffic flow analysis, which permits deducing information
Modification
The information or data are modified; it is a threat to integrity
(diagram: the Intruder alters the flow between Information Source and Destination)
How Modification Occurs
Ways to bring about modification-based attacks are
– Interception of data requests
– Masquerading
– Illicit access to servers/services
Modification may concern
– Message author
– Message sending time (replay attacks)
– Message contents
Fabrication
An unauthorized party inserts counterfeit objects into the system
Counterfeiting concerns both the author and the contents of a message
It is a threat to integrity
(diagram: the Intruder sends counterfeit information to the Destination)
How Fabrication Occurs
This attack can be carried out by
– Masquerading
– Bypassing protection measures
– Duplication of legitimate requests
Passive vs Active Attacks
Passive attacks are forms of eavesdropping
– No modification or injection of requests occurs
– Are difficult to detect
– Require mechanisms that protect communication independently of whether an attack is occurring
Active attacks are more aggressive
– Availability and integrity are compromised
Information System Security Threats
Computer security consists of
– Formulating an access control policy that reflects the protection requirements of the application
– The computer system has to enforce the policy in the presence of active attempts to bypass or disable controls
Implementing a complex system is a challenging task, and there is a long history of security bugs in OSs, often caused by simple programming errors
Many attacks exploit well known security weaknesses in an automated and efficient manner
How Things Go Wrong
The major sources of security problems fall into the following categories
– Change in environment
– Bound and syntax checking
– Convenient but dangerous design features
– Escapes from controlled invocation
– Bypass at a lower layer
– Flaws in protocol implementations
Change in Environment
Change is one of the biggest enemies of security
A system may offer perfectly adequate security; then a part of the system is changed
– The security implications of the change were taken into account, but security is compromised anyway
– Or, even worse, the change was considered to have no influence on security, and an unpleasant surprise will occur
Bound and Syntax Checking
A frequent source of security problems are commands that do not check the size or the syntax of their arguments
By overrunning an input buffer, an attacker with detailed system knowledge can overwrite memory locations holding security-relevant data
Convenient features
Backward compatibility with legacy systems, ease of installation and ease of use are good reasons for including features
These features are however dangerous from a security viewpoint, leaving the system open for attackers to exploit what is an intended system feature
Controlled Invocation
An error in such a program can seriously undermine security
E.g., in Unix when a user logs in
– The login program sets up an environment for that user, executing the commands contained in the user’s .cshrc and .login files
– The login program runs with root privilege
– A user can use the .cshrc and .login files as trojan horses, inserting commands that will be executed by root
– It is, therefore, crucial that the UID of the login process is set to the user’s UID before executing any commands that could be defined by the user
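The ordering the slide asks for, as an added example (not code from the slides): the identity switch is made and verified before any user-controlled rc command is read. The rc-file format (one command per line, ‘#’ comments) and the sample file are assumptions of this demo.

```python
import os
import tempfile

# Added example, not from the slides. Models the last step of a Unix login
# program: drop to the user's UID first, only then read the user's .login.


def drop_privileges(uid, gid):
    """Permanently switch the process to uid/gid and verify that it happened.

    Order matters: supplementary groups and the gid must be changed while the
    process is still privileged, because after setuid() to an ordinary user it
    may no longer change them. setuid() rather than seteuid() is used so that
    the real, effective and saved UIDs all change and the drop cannot be undone.
    """
    if os.geteuid() == 0:
        os.setgroups([])          # only root may clear the supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop failed; refusing to continue as root")


def read_user_commands(rc_path):
    """Parse the user's rc file (user-controlled input) into a command list.
    Assumed format: one command per line, blank lines and '#' comments ignored."""
    commands = []
    with open(rc_path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                commands.append(line)
    return commands


def login_and_read_rc(uid, gid, rc_path):
    """The slide's rule: the UID is set to the user's UID *before* anything the
    user may have defined is touched, so a trojan command planted in .login
    would run with the user's own privileges, never root's."""
    drop_privileges(uid, gid)
    return read_user_commands(rc_path)


def run_demo():
    """Run the model as the current user on a constructed .login file."""
    rc = tempfile.NamedTemporaryFile("w", suffix=".login", delete=False)
    rc.write("# constructed sample .login\n\nsetenv PATH /usr/bin:/bin\nalias ls 'ls -F'\n")
    rc.close()
    try:
        return login_and_read_rc(os.getuid(), os.getgid(), rc.name)
    finally:
        os.unlink(rc.name)
```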
Bypass
Logical access control validates access by users and processes to logical system objects
This control may be bypassed if an attacker
– Can insert code below logical access control
– Or gets direct access to memory
Flawed Protocol Implementations
Abstract descriptions of security protocols are full of innocuous statements like ‘pick a random number’
Sometimes designers go for an easy option, being aware of its security shortcomings
Sometimes they do not immediately spot the problem
Malicious Programs (1)
Dangers for a system are often represented by programs which take advantage of system weak points
– e.g., an OS that does not protect against unauthorised modification
Clever programmers can get software to do their dirty work for them
Programs have several advantages for this purpose
– Speed
– Mutability
– Anonymity
Malicious Programs (2)
We can distinguish malicious programs in two categories
Independent programs, that may be executed autonomously from the execution of other programs
– Worm
– Bacteria
Program fragments, that cannot work independently from the execution of another process
– Trojan horse
– Trapdoors
– Logic bomb
– Virus
Trojan horses and logic bombs may be, in some cases, part of a virus
Taxonomy
Malicious Programs
– Need host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
– Independent: Bacteria, Worms
(diagram marks Viruses, Bacteria and Worms as the ones that replicate)
Trapdoors
A trapdoor
– Is a secret entry point into an otherwise legitimate program
– Is a portion of code that recognizes special input sequences or that is activated when an application is executed with a particular ID
A user knowing of its existence may gain access, bypassing normal authentication procedures
Trapdoors are used by programmers
– To facilitate debugging and program testing, avoiding tedious and long authentication procedures
– To have an activation method if the program’s authentication process has a bug
Controls against trapdoors are difficult to implement
Logic Bombs
A logic bomb is a piece of code belonging to a legitimate program that under certain conditions explodes
– Modifying or deleting data and files
– Causing a system halt
– ...
Usually they are inserted by program authors
In practice it is hard or impossible to detect a logic bomb before its explosion
Typical activating conditions are
– The presence or absence of certain files
– A particular day
– A particular user executing the application
Trojan Horses
A trojan horse is a seemingly useful program that contains hidden code performing harmful actions
– Obtaining access to the user’s files by changing file permissions
– Obtaining passwords
– Deleting data and files
– Adding backdoors to programs
– ...
We may find them in
– Editors
– Fake login screens
– Particularly dangerous in compilers: inserting malicious code in a program during its compilation
Bacteria
Their only purpose is to replicate themselves
Bacteria reproduce themselves in an exponential way
– Taking up all the processor capacity
– Taking up memory
– Taking up disk space
– Eventually denying users access to resources
Worms
Worms use network connections to spread from system to system
To replicate themselves they use
E-mail facility
– A worm mails a copy of itself to other systems
Remote execution capability
– A worm executes a copy of itself on other systems
Remote log-in capability
– A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
Can spread very rapidly
Worms (2)
When a worm is activated it may act as a
– Virus
– Bacteria
– Trojan horse
– Or perform whatever kind of malicious action
Four phases characterize a worm (like a virus)
Sleeping, the worm is inactive waiting for some event
Propagation, the worm
– Looks for other systems to infect, analysing the host table or remote system addresses
– Establishes a remote connection
– Copies itself to the remote system, ensuring the copy will be activated
Worms (3)
Triggering, the worm is ready to do its work
– This phase may be activated by various events
Execution, the worm does its work
The Morris Internet worm in 1988 is the most famous example; more recently, I Love You
Viruses
Viruses are programs that can infect other programs by modifying them
Like worms, viruses are also designed for spreading, but they are pieces of code inserted into legitimate programs
Viruses occur anywhere imported code gets executed
– Imported programs
– Some inclusions in mail messages
– Boot sectors and other executable portions of media
– Macros attached to some data files
Along with mere infection, trojan horses, trapdoors or logic bombs can be included
Virus Life-Cycle
The life-cycle of a virus has four phases, like worms
Sleeping
– Not all viruses have the sleeping phase
Propagation
– The virus puts a copy of itself in some program or in some system disk area
– The copy itself will enter the propagation phase
Triggering phase
– The virus is activated by some event for executing its task
Execution
– The virus executes its task, which may be innocuous or harmful
Virus Spread
(diagram in three steps, 1 to 3, with the labels Infected program, Uninfected program and Virus Code: the virus code carried by the infected program is copied into the uninfected program)
Typical Virus Actions
Typical virus actions are
– Find uninfected writable programs
– Modify those programs
– Perform the normal actions of the infected program
– Do whatever other damage is desired by its author
Viruses Taxonomy (1)
A non-exhaustive taxonomy
Parasitic virus
– It is the classic virus attached to an executable file
– When the infected program is executed, the virus looks for uninfected files for spreading
Memory resident virus
– Lodges in main memory as a part of a resident system program
– Once in memory, it infects every program that is executed
Boot sector virus
– It infects a boot sector
– When the system is started, the virus starts its work
Viruses Taxonomy (2)
Stealth virus
– It is designed with the precise intent of eluding anti-virus detection
– Compression techniques may be used by this kind of virus to leave the size of the infected program unmodified
– The virus may modify the routines for I/O operations so that, when those routines are used, they show the infected program as uninfected
– Hiding in a sector marked as bad in the FAT
Slow infection virus
– Controls the rate of infection to avoid immediate detection
Viruses Taxonomy (3)
Polymorphic virus
– It is designed to make little changes to its code at every infection
– Creates copies of itself that are functionally equivalent but have distinctly different bit patterns
– Encrypts itself and uses a new key on each new infection
– It is a way to deceive anti-virus mechanisms, making detection by signature impossible
Macro virus
– It is attached to a data file, therefore bypassing integrity protection mechanisms targeting executables
– It is written in a high-level language, therefore it is much more platform independent
Dealing with Viruses
The solutions to counter viruses are
– Prevention of infection
– Detection and reaction
– Containment
Preventing the Spread of Viruses
To prevent a virus infection the solution is not installing untrusted software
But who can you trust?
– Viruses have been found in commercial shrink-wrap software
So we have to take other prevention measures
Scan incoming programs for viruses
– Some viruses are designed to hide
– Anti-virus software does not detect the newest viruses
Limit the targets viruses can reach
Monitor updates to executable files
Virus Detection (1)
Virus detection is needed if an infection has occurred
Both virus and anti-virus software have become more complex
We may identify four anti-virus generations
Simple analysers (first generation)
– Scanners using the virus signature to identify the infection
– Do not identify polymorphic viruses
– Others maintain a record of program length, looking for variations in length
– Do not identify stealth viruses
Virus Detection (2)
Heuristic analysers (second generation)
– Use heuristic rules to search for probable virus infection
– Look for fragments of code that are often associated with viruses
– A checksum may be attached to the end of a program, so that if a virus infected the program without modifying the checksum it may be detected
– Some viruses are able to generate the checksum themselves
– The checksum may be replaced by an encrypted (keyed) hash function that is harder for a virus to forge
Activity trap (third generation)
– They are memory-resident programs that identify a virus by its actions rather than its structure
– They intervene when these actions take place
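The three integrity checks the two Virus Detection slides compare (a record of program length, a checksum attached to the end of the program, and a keyed hash in its place), as an added example that is not code from the slides. Programs are simulated as byte strings; the sample program, the appended bytes and the key are constructed for the demo.

```python
import hashlib
import hmac
import zlib

# Added example, not from the slides. Shows why a plain checksum that a
# modifier can regenerate is weaker than a keyed hash, and where a length
# record falls short.

KEY = b"constructed-demo-key"   # assumption: held by the checker, not stored on the monitored host
CRC_LEN = 4
TAG_LEN = hashlib.sha256().digest_size


def seal_with_crc(program):
    """Attach a CRC32 of the program as its last 4 bytes (the 'checksum at the end' scheme)."""
    return program + zlib.crc32(program).to_bytes(CRC_LEN, "big")


def verify_crc(sealed):
    body, trailer = sealed[:-CRC_LEN], sealed[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "big") == trailer


def seal_with_hmac(program, key=KEY):
    """Attach HMAC-SHA256 instead: producing a valid tag requires the key."""
    return program + hmac.new(key, program, hashlib.sha256).digest()


def verify_hmac(sealed, key=KEY):
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def length_changed(recorded_length, program):
    """First-generation check: compare against the recorded program length."""
    return len(program) != recorded_length


def modify_and_regenerate_crc(sealed, extra):
    """Simulates a modifier that, as the slide says, 'generates the checksum
    itself': the body grows and a fresh CRC is attached."""
    return seal_with_crc(sealed[:-CRC_LEN] + extra)


def overwrite_and_regenerate_crc(sealed, patch):
    """Same, but overwriting the tail of the body so the size stays the same
    (the stealth trick of leaving the program dimensions unmodified)."""
    body = sealed[:-CRC_LEN]
    return seal_with_crc(body[:len(body) - len(patch)] + patch)


def modify_keeping_old_tag(sealed, extra):
    """The same modification against the HMAC-sealed program: without the key
    the modifier can only keep (or guess) the old tag."""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return body + extra + tag


def run_demo():
    program = b"\x7fELF constructed sample program body"
    extra = b" plus appended bytes"
    patch = b"XXXX"
    crc_sealed = seal_with_crc(program)
    hmac_sealed = seal_with_hmac(program)
    grown = modify_and_regenerate_crc(crc_sealed, extra)
    same_size = overwrite_and_regenerate_crc(crc_sealed, patch)
    tampered_hmac = modify_keeping_old_tag(hmac_sealed, extra)
    return {
        "crc_clean_ok": verify_crc(crc_sealed),
        "crc_detects_tampering": not verify_crc(grown),          # regenerated CRC passes: missed
        "hmac_clean_ok": verify_hmac(hmac_sealed),
        "hmac_detects_tampering": not verify_hmac(tampered_hmac),  # caught
        "length_detects_growth": length_changed(len(crc_sealed), grown),
        "length_misses_same_size": not length_changed(len(crc_sealed), same_size),
    }
```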
Virus Detection (3)
Fully equipped protection (fourth generation)
– Consists of a variety of anti-virus techniques used in conjunction
– Besides analysis and activity traps, these packages include access control techniques that prevent viruses from entering the system
Containment
To avoid virus damage we may run suspect programs in an encapsulated environment, limiting their forms of access to prevent virus spread
Containment requires a versatile security model and strong protection
– Running each executable in its own protection domain, relying on the underlying access control mechanisms
Standard access control mechanisms offered by the OS are often not enough
– Programs execute under the user’s identity with the user’s privileges
– So the evil program has full user privileges
Standard Access Control Mechanisms
Other problems with standard access mechanisms are
– What access is allowable?
– How does it get set?
– How fast can you create the domains?
Most popular OSs do not offer simple ways to limit the security domain of programs
Access control mechanisms present several problems in managing untrusted code (as we have seen talking about protection)
Other possible solutions
– Improved OS access control for managing untrusted code
– Padded cells
Padded Cell Approaches
Improving OS access control means building systems able to manage domains that are not the same as process spaces
Padded cells essentially consist in executing programs in an encapsulated environment
Three ways to implement an encapsulated environment
Augmenting the OS
– Solves the general problem
Virtual machine and language-based approaches
– Most suitable for downloading small executables
Software-enforced fault isolation
– Most suitable for composition of executables
Virtual Machine and Language Approaches
Define a virtual machine that does not allow insecure operations
Run imported programs through an interpreter for that language
Java does precisely that
The Java virtual machine is meant to provide a secure execution environment allowing
– Very limited file access
– No process creation
– Very limited network communications
– Very limited examination of details of the host computer
Software-Enforced Fault Isolation
The virtual machine approach is limiting
– What happens if you need to write a file, create a process … ?
– Usually only one language is supported
Software-enforced fault isolation consists of a software approach to memory protection
– Segment matching
– Address sandboxing
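The two techniques named on the slide, as an added simulation that is not code from the slides: memory is a byte array divided into fixed-size segments (fault domains) whose addresses share the same upper bits; segment matching checks those bits before a store, address sandboxing overwrites them. Segment size, segment ids and the addresses used are constructed for the demo.

```python
# Added example, not from the slides: a model of SFI's segment matching and
# address sandboxing over a simulated memory.

SEGMENT_BITS = 8                          # the low 8 bits address within a segment
SEGMENT_MASK = (1 << SEGMENT_BITS) - 1    # 0xff: the offset part of an address
NUM_SEGMENTS = 4
MEMORY = bytearray(NUM_SEGMENTS << SEGMENT_BITS)   # four 256-byte fault domains


class SegmentFault(Exception):
    """Raised by segment matching when untrusted code addresses another domain."""


def segment_of(addr):
    return addr >> SEGMENT_BITS


def segment_matching_store(segment_id, addr, value):
    """Segment matching: every store is preceded by a check of the address's
    upper bits. A mismatch is reported, which also pinpoints the offending
    instruction for the person debugging the untrusted module."""
    if segment_of(addr) != segment_id:
        raise SegmentFault("store to %#x is outside segment %d" % (addr, segment_id))
    MEMORY[addr] = value
    return addr


def address_sandboxing_store(segment_id, addr, value):
    """Address sandboxing: no check at all. The upper bits are overwritten with
    the segment id, so the store can only land inside the domain. Cheaper than
    matching, but a wild address is silently redirected rather than reported."""
    sandboxed = (addr & SEGMENT_MASK) | (segment_id << SEGMENT_BITS)
    MEMORY[sandboxed] = value
    return sandboxed


def run_demo():
    """Untrusted code confined to segment 2 issues one well-formed store and one
    store aimed at 0x305, which belongs to segment 3."""
    untrusted_segment = 2
    inside_addr = (2 << SEGMENT_BITS) | 0x10   # 0x210, in its own domain
    wild_addr = (3 << SEGMENT_BITS) | 0x05     # 0x305, another domain
    result = {"matching_inside": segment_matching_store(untrusted_segment, inside_addr, 0xAA)}
    try:
        segment_matching_store(untrusted_segment, wild_addr, 0x41)
        result["matching_faulted"] = False
    except SegmentFault:
        result["matching_faulted"] = True
    redirected = address_sandboxing_store(untrusted_segment, wild_addr, 0x41)
    result["sandboxed_to"] = redirected                  # 0x205: same offset, own segment
    result["redirected_value"] = MEMORY[redirected]
    result["segment3_untouched"] = MEMORY[wild_addr] == 0
    return result
```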
Authorization and Access Control
Computer security deals with the prevention and detection of unauthorized actions by users of a computer system
The concepts of proper authorization and of access control are essential for this definition
We have seen access control mechanisms talking about protection
Identification and Authentication
A secure system somehow has to track the identities of the users requesting its services
Identification
– Consists of entering user name and password
– You announce who you are
Authentication is the process of verifying a user’s identity
– Once user name and password are entered, a process compares the input against the entries stored in a password file
– Login will succeed if a valid user name and the corresponding password are entered
User Authentication
There are two reasons for authenticating a user
User identity is a parameter in access control decisions
– Processes are generally assigned to protection domains according to the identity of the user on whose behalf they are executed
User identity is recorded when logging security-relevant events in an audit trail
Most computer systems use identification and authentication through username and password as their first line of defence
Passwords
Identification and authentication through a password
– Has become a widely accepted mechanism and is not too difficult to implement
Obtaining a valid password is an extremely common way of gaining unauthorized access to a computer system
– Password guessing
– Password spoofing
– Compromise of the password file
Choosing Passwords
Password choice is a critical security issue
Completely preventing an attacker from accidentally guessing a valid password is impossible
The use of trivial words as passwords makes an illegal disclosure a rather easy event
We can try to keep the probability of such an event as low as possible by adopting some care
– Changing default system passwords like ‘manager’
– Prescribing a minimal password length
– Mixing upper and lower case symbols
– Including numerical and other non-alphabetical symbols
– Avoiding obvious passwords
– Changing the password frequently
– Always choosing an easy-to-remember password
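The rules on this slide are exactly what a password checker enforces at password-change time. The following Python is an added example written for this page (not code from the slides): it turns the slide's rules into a checker that returns the list of violated rules. The minimum length of 8 and the small dictionary of weak and default passwords (which includes ‘manager’) are constructed values standing in for a site policy and a real dictionary.

```python
import string

# Constructed stand-in for a dictionary of weak and default passwords;
# a real checker would load a much larger word list.
WEAK_PASSWORDS = {"manager", "password", "123456", "qwerty", "letmein", "admin"}

MIN_LENGTH = 8   # assumed site policy


def check_password(candidate, username=None, weak_words=WEAK_PASSWORDS):
    """Apply the slide's rules to a proposed password.
    Returns a list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    # Strip trailing digits/symbols so that 'Password1' is still caught as 'password'
    stripped = lowered.rstrip(string.digits + string.punctuation)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("contains no digit or other non-alphabetic symbol")
    if lowered in weak_words or stripped in weak_words:
        problems.append("appears in the weak-password dictionary")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems
```

The dictionary check deliberately looks at the password with trailing digits and punctuation removed, because appending a digit to a dictionary word is the most common way users satisfy a "must contain a number" rule without actually leaving the dictionary.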
Password Guessing
Attackers essentially follow two guessing strategies
Exhaustive search (brute force)
– Try all possible combinations of valid symbols, up to a certain length
Intelligent search
– Search through a restricted name space
– Try passwords that are somehow associated with a user like name, names of friends and relatives, car brand, car registration number, phone number ...
– Try passwords that are generally popular (dictionary attack)
Successful attacks are more often based on social engineering than on technical ingenuity
Actions should be taken to focus the user’s attention on the relevance of a careful choice of password, and of its correct use
Dictionary attacks
In a dictionary attack
– An on-line dictionary contains a set of popular passwords
– A program tries all passwords from the dictionary until it finds the correct one
Password disclosure
Studies have shown that the illegal disclosure of passwords through repeated attempts is still feasible today with acceptable computation time
– Due to the use of massive parallelism
Parallel technologies, combined with negligence in the selection and management of passwords, increase the exposure to intrusions
Improving Password Security (1)
The system may help to improve password security
Password checkers
– Tools that check passwords against some dictionary of ‘weak’ passwords
Password generation
– Some OSs include a password generator producing random but pronounceable passwords
– Users are allowed to adopt only passwords proposed by the system
– Users are unlikely to memorise long and complicated passwords
– They write such passwords down on a piece of paper that is kept close to the computer
Improving Password Security (2)
Password ageing
– An expiry date for passwords can be set, forcing users to change passwords at regular intervals
– A list of old passwords may be kept to prevent re-use of old passwords by users
– Changing passwords too often causes the problem of users writing them down to remember them
Limit login attempts
– The system can monitor unsuccessful attempts and react by locking the user account completely or at least for a certain period of time
– Useful against dictionary attacks
Improving Password Security (3)
Inform user
– After a successful login, the system can display the time of the last login and the number of failed login attempts
– Users may discover recently attempted attacks
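The three system-side measures on these slides (password ageing with a re-use history, limiting login attempts with a temporary lock, and informing the user of the last login and of failed attempts) fit naturally into one login routine. The Python below is an added example for this page, not the slides' own code; it keeps a per-account record and implements all three. The lock duration, the 90-day expiry, the history length and the use of PBKDF2-HMAC-SHA256 as the one-way function are assumptions of the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # consecutive failures before the account locks
LOCKOUT = timedelta(minutes=15)  # assumed lock period ("at least for a certain period of time")
MAX_AGE = timedelta(days=90)     # assumed password ageing interval
HISTORY_LEN = 5                  # old passwords remembered to prevent re-use
ITERATIONS = 10_000              # assumed work factor of the one-way function
T0 = datetime(2001, 1, 1, 9, 0)  # constructed reference time for the demo


def one_way(password, salt):
    """f(x): PBKDF2-HMAC-SHA256 standing in for the OS one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.salt = os.urandom(16)      # one salt per account, kept so old digests stay comparable
        self.digest = one_way(password, self.salt)
        self.changed = now              # when the current password was set
        self.history = []               # digests of previous passwords
        self.failures = 0               # consecutive failures counting towards a lock
        self.failures_since_login = 0   # reported to the user at the next successful login
        self.locked_until = None
        self.last_login = None

    def matches(self, password):
        return hmac.compare_digest(one_way(password, self.salt), self.digest)

    def expired(self, now):
        return now - self.changed > MAX_AGE

    def change_password(self, new_password, now):
        """Password ageing: refuse re-use of the current or any remembered password."""
        candidate = one_way(new_password, self.salt)
        if any(hmac.compare_digest(candidate, d) for d in [self.digest] + self.history):
            return False
        self.history = ([self.digest] + self.history)[:HISTORY_LEN]
        self.digest = candidate
        self.changed = now
        return True


def login(acct, password, now):
    """Returns (success, message). Locks the account for LOCKOUT after MAX_FAILURES
    consecutive failures; on success reports last login and failed attempts."""
    if acct.locked_until is not None and now < acct.locked_until:
        return False, f"account locked until {acct.locked_until}"
    if not acct.matches(password):
        acct.failures += 1
        acct.failures_since_login += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT
            return False, f"too many failures, account locked until {acct.locked_until}"
        return False, "invalid user name or password"
    info = (f"last login: {acct.last_login or 'never'}; "
            f"{acct.failures_since_login} failed attempts since then")
    if acct.expired(now):
        info += "; password expired, change it now"
    acct.failures = 0
    acct.failures_since_login = 0
    acct.locked_until = None
    acct.last_login = now
    return True, info
```

Note that a locked account rejects even the correct password until the lock expires, and that the failed-attempt counter shown to the user is only reset by a successful login, so the user sees every failure accumulated while the account was under attack.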
Spoofing Attacks (1)
Identification and authentication through username and password provide unilateral authentication
– The user has no guarantee about the identity of the party to whom he is giving his password
In a spoofing attack
– The attacker runs a program that presents a fake login screen on some terminal/workstation
– The user tries to log on
– User name and password are stored by the attacker
– Execution could be handed over to the user, or login is aborted with an error message
– The spoofing program terminates, giving back control to the OS
Against Spoofing Attacks
Solutions against spoofing attacks may be
– Displaying the number of failed logins
– Guaranteeing that the user communicates with the OS and not with a spoofing program
Windows NT has a secure attention sequence, CTRL+ALT+DEL, which invokes the Windows NT OS login screen
Double authentication system (handshaking)
– It is mutual authentication, where the system introduces itself to the user through information known only to the user, and the user authenticates back to the system
– E.g. in a distributed system, the system could be required to authenticate itself to the user
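The slide describes the handshake only abstractly. As an added example for this page (not code from the slides, and one concrete realisation among several), the Python below models a challenge-response handshake in which both parties derive a shared key k from the user's password and a salt; the system proves knowledge of k first, and only then does the user prove knowledge of k back. The password itself never crosses the channel, so a spoofing program that knows the user name but not k cannot get past the system's proof. The HMAC-SHA256 tags, the PBKDF2 key derivation and the message layout are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed model of a "double authentication" (mutual) handshake.
# Not the slides' code. Shared key k is derived from the password; the
# system stores k in its user table and the user recomputes it at login.
ITERATIONS = 10_000   # assumed PBKDF2 work factor


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def tag(key, role, *nonces):
    """HMAC over a role label and the nonces. The label stops a tag produced
    by one party from being replayed as the other party's proof."""
    return hmac.new(key, role.encode() + b"".join(nonces), hashlib.sha256).digest()


class System:
    def __init__(self):
        self.users = {}      # name -> (salt, k)

    def enrol(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, derive_key(password, salt))

    def step2(self, name, nonce_u):
        """Step 2: the system introduces itself by proving knowledge of k
        over the user's nonce and a fresh nonce of its own."""
        salt, k = self.users[name]
        nonce_s = os.urandom(16)
        return salt, nonce_s, tag(k, "system", nonce_u, nonce_s)

    def step4(self, name, nonce_u, nonce_s, user_proof):
        """Step 4: the system checks the user's proof."""
        _, k = self.users[name]
        return hmac.compare_digest(user_proof, tag(k, "user", nonce_s, nonce_u))


class SpoofingProgram(System):
    """A fake login screen: it can show a prompt but does not hold k, so the
    best it can do at step 2 is return random bytes."""
    def step2(self, name, nonce_u):
        return os.urandom(16), os.urandom(16), os.urandom(32)


class User:
    def __init__(self, name, password):
        self.name = name
        self.password = password

    def handshake(self, system):
        """Returns (system_accepted_by_user, user_accepted_by_system)."""
        nonce_u = os.urandom(16)                                    # step 1
        salt, nonce_s, system_proof = system.step2(self.name, nonce_u)
        k = derive_key(self.password, salt)
        if not hmac.compare_digest(system_proof, tag(k, "system", nonce_u, nonce_s)):
            return False, False       # step 3: refuse; nothing secret has left the user
        user_proof = tag(k, "user", nonce_s, nonce_u)               # step 3
        return True, system.step4(self.name, nonce_u, nonce_s, user_proof)
```

Because the key is symmetric, a mistyped password also makes the system's proof fail to verify on the user's side; the user cannot distinguish "wrong password" from "spoofed system", which is the safe direction to err in: in both cases no proof derived from the password is sent.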
Beyond Spoofing Attacks
Other ways through which an intruder may ‘find’ a password stem from the fact that
– Passwords do not travel directly from the user to the checking routine
– Passwords are temporarily held in intermediate storage locations like buffers, caches and web pages
The management of these storage locations is beyond the control of the user, and a password may be kept longer than the user may think
Compromise of the Password File
User passwords are stored in the password files managed by the OS
Password files are a desirable target for an intruder
– Disclosure or modification of their content permits the intruder to gain system access
Password files must be protected
– Cryptographic protection
– Access control enforced by the OS
– A combination of cryptographic protection and access control, plus mechanisms to slow down dictionary attacks
Cryptographic Protection (1)
Instead of the password x, the value f(x) is stored in the password file
– f(x) is a one-way function: easy to compute but hard to reverse
When a user logs in and enters a password x1, the system
– Applies the one-way function f and then compares f(x1) with the expected value f(x). If the values match, the user has been successfully authenticated
The password file can be left readable if dictionary attacks are not a concern
Cryptographic Protection (2)
In a dictionary attack the attacker
– Knows the encryption function
– E.g. Unix uses the one-way function crypt(3)
– Encrypts all words in a dictionary
– Compares, off-line, all these words against the encrypted entries in the password file; if a match is found the attacker knows that user’s password
We may use a one-way function harder to compute
– Dictionary attacks become harder (require more time)
– But the login mechanism also slows down
It is better to hide the encrypted password file as well
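The two slides on cryptographic protection describe storing f(x), checking f(x1) at login, and the reason a harder-to-compute f helps: the attacker's off-line trial and the legitimate login pay the same cost per evaluation. The Python below is an added example for this page (not the slides' code, and PBKDF2-HMAC-SHA256 with an iteration count stands in for crypt(3)) that implements the password file, the login check, and a work estimate for the off-line dictionary trial so that the cost parameter can be sized. It also goes one step beyond the slide: each entry carries its own random salt, as crypt(3) does, so the attacker cannot encrypt the dictionary once and reuse the result for every entry in the file. The five-word dictionary and the two accounts are constructed.

```python
import hashlib
import hmac
import os

# Constructed password file: user -> (salt, f(x), iterations). Added example,
# not the slides' code. PBKDF2-HMAC-SHA256 stands in for crypt(3).


def one_way(x, salt, iterations):
    """f(x): easy to compute, hard to reverse; `iterations` is the cost knob."""
    return hashlib.pbkdf2_hmac("sha256", x.encode(), salt, iterations)


def store(password_file, user, x, iterations):
    """Store f(x), never x. A per-entry salt (as in crypt(3)) forces the attacker
    to redo the dictionary for every entry instead of once for the whole file."""
    salt = os.urandom(16)
    password_file[user] = (salt, one_way(x, salt, iterations), iterations)


def verify(password_file, user, x1):
    """Login check: recompute f(x1) and compare it with the stored f(x)."""
    entry = password_file.get(user)
    if entry is None:
        return False
    salt, expected, iterations = entry
    return hmac.compare_digest(one_way(x1, salt, iterations), expected)


def offline_dictionary_trial(password_file, dictionary):
    """Model of the slide's off-line attack, used here to size the cost knob:
    encrypt each dictionary word under each entry's salt and compare with the
    stored value. Returns (entries recovered, number of f evaluations spent)."""
    recovered, evaluations = {}, 0
    for user, (salt, expected, iterations) in password_file.items():
        for word in dictionary:
            evaluations += 1
            if one_way(word, salt, iterations) == expected:
                recovered[user] = word
                break
    return recovered, evaluations


def dictionary_work(password_file, dictionary):
    """Worst-case PBKDF2 iterations needed to try the whole dictionary against
    every entry. Raising `iterations` multiplies this and the login cost alike."""
    return sum(len(dictionary) * it for _, _, it in password_file.values())


DICTIONARY = ["manager", "password", "123456", "qwerty", "letmein"]  # constructed


def demo():
    """Same two accounts stored with a cheap and with a costly f.
    Returns (recovered from cheap file, f evaluations used, cheap work, costly work)."""
    cheap, costly = {}, {}
    store(cheap, "bob", "qwerty", 1)            # weak password, cheap f
    store(cheap, "alice", "Tr0ub4dor&3", 1)
    store(costly, "bob", "qwerty", 100_000)     # same passwords, f 100000x harder
    store(costly, "alice", "Tr0ub4dor&3", 100_000)
    found, evaluations = offline_dictionary_trial(cheap, DICTIONARY)
    return found, evaluations, dictionary_work(cheap, DICTIONARY), dictionary_work(costly, DICTIONARY)
```

With the cheap f the trial recovers bob's dictionary password after nine evaluations; with the costly f the same trial needs a million PBKDF2 iterations, while each legitimate login pays only one hundred thousand. That asymmetry (the attacker pays per dictionary word, the user pays once) is what makes a slower f worthwhile, and hiding the file removes the off-line trial altogether.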
Access Control Mechanisms
OS access control mechanisms restrict access to files and other resources to users holding appropriate privileges
They can be used to protect password files
– Only privileged users can have access to the password file
– If read access is restricted to privileged users, passwords could in theory be stored unencrypted
Malicious users, taking advantage of faulty OS modules (bugs or trapdoors), could access the content of the password file
– A Trojan horse in the login procedure of a system can record all the passwords used at login time
– A combination of access control mechanisms and cryptographic methods is therefore recommended
Proprietary Storage Formats
A weak form of read protection is provided by proprietary storage formats
– E.g. Windows NT stores encrypted passwords in a proprietary binary format
A determined attacker will obtain or deduce the information necessary to detect the location of security-relevant data