Post on 20-Dec-2015
1
Protection and Security
• Protection = mechanisms used to control access to valued resources, e.g., programs and data stored on a computer system. Usually accompanied by detection and response mechanisms.
• Security = protecting the confidentiality, integrity, and availability of a system according to the rules set out by a specific policy. Policy = the set of allowable states of a system.
2
Goals of Protection
• Let's say we have a valuable resource like an O.S.: a collection of objects, hardware and software. Objects have unique names and are accessed through a well-defined set of operations.
• Goal of protection: ensure each object is accessed correctly and only by authorized processes, according to some policy.
• A policy is a statement of what states (and operations) are allowed (i.e., secure/authorized) and what are not allowed (i.e., nonsecure/unauthorized) for a specific system.
4
Protection Domains
• Access-right = <object-name, rights-set>
• Rights-set = subset of all valid operations that can be performed on the object (i.e., the policy!)
• Domain = set of access-rights
5
Domain Implementation Example-I: UNIX
• Examples of objects: files, laser printers, email servers…
• Access control bits (UNIX):
  - Three categories of user (owner, group, world)
  - Three types of access privilege (read, write, execute)
  - One bit per operation (111101000 = rwxr-x----)
• Domain is implemented as the "user-id"
• The OS can do domain switching to execute some task; this is accomplished via the file system:
  - Each file has an associated domain bit (the setuid bit)
  - When a file is executed and setuid = on, the user-id is set to the owner of the file being executed
  - When execution completes, the user-id is reset
  - "ps" is a setuid program, as is "lpr".
6
Domain Implementation Example-II: Multics Rings
• Nested domain structure ("rings")
• Let Di and Dj be any two domain rings. If j < i, then Di is contained in Dj: a lower-level ring = more privileges.
• Each process maintains its current ring number.
7
Access Matrix
• Column: defines who can perform what operation on the object
• Row: operations allowed on what objects, per domain
8
Dynamic Access Matrices
• Extend for dynamic protection: operations to add and delete access rights
  - transfer: switch from domain Di to Dj
  - owner of Oi
  - copy op from Oi to Oj
  - control: Di can modify Dj's access rights
10
Access Matrix with Copy Rights
• Asterisk denotes that the access right can be copied within the column (i.e., for the same object)
12
Control: Modifying Access Matrix
• Control: a process executing in one domain can modify another domain
• Example: D2 changes D4
13
Implementation of Access Matrix
• Access list for objects: maintain a <domain, right-set> list per object
• Capability (object) list for domains: maintain a list of objects + operations per domain; the object name is the capability; check the capability list for access
• Pros and cons of access lists vs. capability lists? How to determine the set of access rights for each domain? How to revoke capabilities?
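The dynamic access matrix of the previous slides (switch, copy with the asterisk, owner, control) and the two storage views of this slide (a row as a domain's capability list, a column as an object's access list), as one added example that is not part of the lecture material. Domains are also columns of the matrix, so the switch and control rights live in the domain columns. The domain/object numbering, the rights mask values and the initial matrix contents are constructed; numbering is 0-based here.

```c
/* Added example (not from the slides): a small dynamic access matrix with the
 * switch, copy (asterisk), owner and control rights, plus the two ways of
 * reading it (capability list per row, access list per column). The starting
 * matrix and all numbering are constructed. */
#include <stdio.h>

enum { NOBJ = 3, NDOM = 4 };
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_OWNER = 8 };  /* rights on object columns */
enum { R_SWITCH = 16, R_CONTROL = 32 };                     /* rights on domain columns */

/* One cell: the rights held, and which of them carry the copy asterisk. */
struct cell { unsigned rights; unsigned copyable; };

/* Rows: domains. Columns: NOBJ object columns followed by NDOM domain columns. */
struct cell M[NDOM][NOBJ + NDOM];

int dom_col(int dj) { return NOBJ + dj; }

int allowed(int di, int col, unsigned right) { return (M[di][col].rights & right) == right; }

/* Capability-list view: everything domain di holds on column col (one row entry). */
unsigned capability_of(int di, int col) { return M[di][col].rights; }

/* Access-list view: how many domains hold `right` on column col (walk the column). */
int access_list_holders(int col, unsigned right) {
    int n = 0;
    for (int d = 0; d < NDOM; d++) if (allowed(d, col, right)) n++;
    return n;
}

/* switch: a process in Di may move to Dj only if cell (Di, Dj) holds switch.
 * Returns the domain the process ends up in. */
int domain_switch(int di, int dj) { return allowed(di, dom_col(dj), R_SWITCH) ? dj : di; }

/* copy: Di may copy right R on object column o into row Dk only if Di holds R*.
 * The asterisk is propagated; the limited-copy variant would grant R alone. */
int copy_right(int di, int o, unsigned right, int dk) {
    if (!(M[di][o].rights & right) || !(M[di][o].copyable & right)) return 0;
    M[dk][o].rights   |= right;
    M[dk][o].copyable |= right;
    return 1;
}

/* owner: Di holding owner on object o may add or remove any right in that column. */
int owner_set(int di, int o, int dk, unsigned right, int grant) {
    if (!allowed(di, o, R_OWNER)) return 0;
    if (grant) M[dk][o].rights |= right;
    else { M[dk][o].rights &= ~right; M[dk][o].copyable &= ~right; }
    return 1;
}

/* control: Di holding control on Dj may remove any right from Dj's row. */
int control_remove(int di, int dj, int col, unsigned right) {
    if (!allowed(di, dom_col(dj), R_CONTROL)) return 0;
    M[dj][col].rights   &= ~right;
    M[dj][col].copyable &= ~right;
    return 1;
}

/* Constructed starting matrix. */
void init_matrix(void) {
    for (int d = 0; d < NDOM; d++)
        for (int c = 0; c < NOBJ + NDOM; c++) M[d][c].rights = M[d][c].copyable = 0;
    M[0][0].rights = R_READ | R_EXEC; M[0][0].copyable = R_READ;  /* D0: read*, execute on O0 */
    M[1][1].rights = R_OWNER | R_WRITE;                            /* D1 owns O1 */
    M[1][dom_col(3)].rights = R_CONTROL;                           /* D1 controls D3 */
    M[2][dom_col(0)].rights = R_SWITCH;                            /* D2 may switch to D0 */
    M[3][2].rights = R_READ | R_WRITE;                             /* D3: read, write on O2 */
}

int main(void) {
    init_matrix();
    printf("D2 switches to D%d\n", domain_switch(2, 0));
    printf("D0 copies read* on O0 to D3: %d\n", copy_right(0, 0, R_READ, 3));
    printf("D0 copies execute (no asterisk) to D3: %d\n", copy_right(0, 0, R_EXEC, 3));
    printf("domains able to read O0 (access-list walk): %d\n", access_list_holders(0, R_READ));
    printf("D1 (control over D3) removes write on O2: %d\n", control_remove(1, 3, 2, R_WRITE));
    printf("D3 capability on O2 is now %u\n", capability_of(3, 2));
    return 0;
}
```

Revocation shows the trade-off the slide asks about: removing a right from an object's access list is one column walk, while revoking a capability means finding every row that holds it, which is why the copy operation tracks the asterisk separately and why the control right exists at all.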
14
Language-Based Protection
• Specification of protection in a programming language: allows a high-level description of policies for the allocation and use of resources
• Protection in Java: classes may be dynamically loaded over a network from untrusted sources, so it is important to provide protection!
• Class loader: finds and loads the object; defines the namespace seen by different classes
15
Security
• The Security Problem
• Program Threats
• System & Network Threats
• Counter-measures to Threats
• Threat Monitoring
• Cryptography
16
Security problem
• Confidentiality: ensuring objects are available/understandable only to authorized peers. E.g., no unauthorized read access.
• Integrity: ensuring objects have not been maliciously or accidentally modified. No introduction of inconsistency.
• Availability: ensuring objects are available without delay and operate correctly (for authorized peers). No malicious destruction of resources (i.e., objects).
17
Threats
• Program Threats: programs that cause security breaches. Trojan Horse, Login Spoofing, Trap/Back Door, Stack/Buffer Overflow, Virus
• System & Network Threats: abuse of services and network connections to cause security breaches. Worms, Port Scanning, (Distributed) Denial of Service
18
Trojan Horse
• A code segment that misuses its environment.
• Objective of a Trojan: get executed by someone; once executed, copy/mail/modify some critical files.
• Example: put a program named ls in /tmp. The administrator goes to /tmp and types ls... If the path "." is in front of his search path... Bingo!
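A check for the condition the example depends on, added here and not part of the lecture material: the trick only works when a lookup of "ls" reaches the current directory before the system directory that holds the real binary. The functions below scan a PATH value for entries that resolve to the current directory ("." or an empty component) or are relative, and report whether such an entry precedes a given directory. The PATH strings used are constructed.

```c
/* Added example (not from the slides): audit a PATH value for search entries
 * that would let a same-named file in the current directory be run instead of
 * the system binary. The PATH strings passed in are constructed samples. */
#include <stdio.h>
#include <string.h>

/* Pull the next ':'-separated entry out of *p; returns 0 when none are left.
 * A leading, trailing or doubled colon yields an empty entry, which the shell
 * treats as the current directory. */
static int next_entry(const char **p, const char **start, size_t *len) {
    if (*p == NULL) return 0;
    const char *colon = strchr(*p, ':');
    *start = *p;
    *len = colon ? (size_t)(colon - *p) : strlen(*p);
    *p = colon ? colon + 1 : NULL;
    return 1;
}

/* Unsafe: empty, ".", or any relative path (resolved against the cwd). */
static int entry_unsafe(const char *s, size_t len) {
    return len == 0 || (len == 1 && s[0] == '.') || s[0] != '/';
}

/* Number of unsafe entries anywhere in PATH. */
int count_unsafe_path_entries(const char *path) {
    const char *p = path, *s; size_t len; int n = 0;
    while (next_entry(&p, &s, &len))
        if (entry_unsafe(s, len)) n++;
    return n;
}

/* Index of the first unsafe entry, or -1 if PATH is clean. */
int first_unsafe_path_index(const char *path) {
    const char *p = path, *s; size_t len; int idx = 0;
    while (next_entry(&p, &s, &len)) {
        if (entry_unsafe(s, len)) return idx;
        idx++;
    }
    return -1;
}

/* The slide's exact condition: does an unsafe entry come before `dir`
 * (e.g. "/bin") in the search order, so a file in the cwd shadows dir's binaries? */
int cwd_shadows_dir(const char *path, const char *dir) {
    const char *p = path, *s; size_t len, dlen = strlen(dir);
    while (next_entry(&p, &s, &len)) {
        if (entry_unsafe(s, len)) return 1;
        if (len == dlen && strncmp(s, dir, len) == 0) return 0;
    }
    return 0;
}

int main(void) {
    const char *samples[] = { "/usr/bin:/bin", ".:/usr/bin:/bin", "/bin:.", "/usr/bin::/bin:tools" };
    for (int i = 0; i < 4; i++)
        printf("PATH=%-22s unsafe=%d first=%2d shadows /bin: %d\n", samples[i],
               count_unsafe_path_entries(samples[i]), first_unsafe_path_index(samples[i]),
               cwd_shadows_dir(samples[i], "/bin"));
    return 0;
}
```

count_unsafe_path_entries flags "." wherever it appears, not only in front: a "." after /bin cannot shadow /bin/ls, but any mistyped or absent command name will still resolve to a file of that name in the current directory, so the conservative rule is to keep the current directory out of PATH altogether.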
19
Login Spoofing
• Write a fake login program. The fake program shows the usual login prompt....
• An unsuspecting user comes in and tries to log in: types the loginID, types the password.
• The spoof login stores the pair away and terminates.
• The normal login comes back up. The user simply thinks he mistyped his password... In the meantime, the attacker has found a valid pair!
20
Trap Doors
• Modification at the source level: the programmer introduces a loophole to bypass the login process. The loophole ignores the password for a specific login.
• Who can use it? (programmer, attacker)
• How to prevent it... Code review. Sometimes the loophole is in the compiler (very difficult to catch).
21
Buffer Overflow
• Bug in a program: the program oversteps some array bounds and overwrites the return address.
• When the subroutine returns, it effectively jumps someplace else....
[Figure: stack layout: Main's local variables, return address, Foo()'s local variables, fixed-size array]
22
Buffer Overflow
[Figure: stack layout: Main's local variables, return address, Foo()'s local variables. A long string that overflows... it wipes out the return address]
• Bug in a program: the program oversteps some array bounds and overwrites the return address. When the subroutine returns, it effectively jumps someplace else....
23
Buffer Overflow
[Figure: stack layout: Main's local variables, return address, Foo()'s local variables. A long string that overflows... it wipes out the return address]
• If the string is well aligned with the place of the return address, it can be a meaningful address.
• Bug in a program: the program oversteps some array bounds and overwrites the return address. When the subroutine returns, it effectively jumps someplace else....
24
Buffer Overflow
[Figure: stack layout: Main's local variables, return address, Foo()'s local variables. A long string that overflows... it wipes out the return address]
• If the string is well aligned with the place of the return address... it can be a meaningful address: malicious code!
• Bug in a program: the program oversteps some array bounds and overwrites the return address. When the subroutine returns, it effectively jumps someplace else....
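The fixed-size array bug from these slides beside a bounded version, as an added example that is not part of the lecture material. The unbounded function copies until the input's terminator without ever consulting the destination size; the bounded one measures first, rejects input that would not fit with its terminator, and copies with an explicit length. NAME_MAX_LEN and the sample input strings are constructed; the unbounded function is shown for contrast and is not called.

```c
/* Added example (not from the slides): the fixed-size-array bug and a bounded
 * replacement. NAME_MAX_LEN and the sample strings are constructed values. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* The slides' bug: strcpy copies up to the input's NUL byte and never looks at
 * the destination size, so a long string runs past `name` into whatever the
 * compiler placed above it (saved registers, the return address). Not called
 * here: with a long input its behaviour is undefined. */
void greet_unbounded(const char *input) {
    char name[NAME_MAX_LEN];
    strcpy(name, input);
    printf("hello, %s\n", name);
}

/* Length of s, but never scanning further than `limit` bytes, so an untrusted
 * string without a terminator nearby cannot make the measurement itself run away. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Hardened version: measure, refuse what does not fit (rather than truncating
 * silently), then copy exactly n+1 bytes. Returns 0 on success, -1 if rejected. */
int greet_bounded(const char *input, char out[NAME_MAX_LEN]) {
    size_t n = bounded_len(input, NAME_MAX_LEN);
    if (n >= NAME_MAX_LEN) {      /* no room for the NUL terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, input, n + 1);    /* n < NAME_MAX_LEN, so the terminator fits */
    return 0;
}

/* Self-check helpers: did the bounded copy accept the input and reproduce it exactly? */
int bounded_copy_matches(const char *input, const char *expected) {
    char out[NAME_MAX_LEN];
    return greet_bounded(input, out) == 0 && strcmp(out, expected) == 0;
}

int bounded_copy_rejects(const char *input) {
    char out[NAME_MAX_LEN];
    return greet_bounded(input, out) == -1 && out[0] == '\0';
}

int main(void) {
    const char *inputs[] = { "alice", "exactly15chars!", "sixteen__chars__",
                             "a much longer string than the array can hold" };
    for (int i = 0; i < 4; i++) {
        char out[NAME_MAX_LEN];
        if (greet_bounded(inputs[i], out) == 0)
            printf("accepted: hello, %s\n", out);
        else
            printf("rejected (%zu bytes or more, array holds %d): %.20s...\n",
                   bounded_len(inputs[i], NAME_MAX_LEN), NAME_MAX_LEN - 1, inputs[i]);
    }
    return 0;
}
```

The boundary is the off-by-one that matters: an array of 16 holds at most 15 characters plus the terminator, so the 15-character input is accepted and the 16-character one is refused. Compiler stack protectors and non-executable stacks limit what an overwrite can achieve, but the bound check is what removes the overwrite.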
25
Virus
• Self-reproducing
• Attaches to a host machine; dormant for a while; activates at some point and destroys or steals
• Spreads via program copying, email, web pages, …
26
Worms
• Slightly different from a virus: self-reproduces and takes up resources
• Does not need a host program
• Uses vulnerabilities to spread across the net
• Breaks systems through infestation; the worst outbreaks can take worldwide networks down.
• Worms propagate themselves; viruses require action by the user to perpetuate themselves
• Examples: Morris Worm, CodeRed