Addendum: Security
System-Software WS 04/05 (slide 380) © P. Reali / M. Corti
Security
internal protection
– memory protection
– file system accesses
external protection
– accessibility
problems:
– program threats
Security: Program Threats
Trojan horses: a code segment that misuses its environment
– mail attachments
– web downloads (e.g., SEXY.EXE, which formats your hard disk)
– programs with the same name as common utilities
– misleading names (e.g., README.TXT.EXE, which looks like a text file but is an executable)
Trap door (in programs or compilers): an intentional hole in the software, e.g., a hard-coded password that bypasses the login check, or a compiler that plants such a hole in the programs it compiles
Security: System Threats
worms: a standalone program that spawns copies of itself as new processes (locally and on other machines), degrading system performance
– example: Morris worm (1988): exploited holes in rsh (trusted hosts), finger (a buffer overflow in fingerd) and sendmail (the DEBUG command) to gain access to other machines; once on the other machine it replicated itself again
– used by spammers to spread and distribute spamming applications
viruses: similar to worms but embedded in other programs
– they usually infect other programs and the boot sector
Security: System Threats
Denial of service
– perform many requests to exhaust all the available resources
– often distributed (using worms to recruit the attacking machines)
Example: SYN flooding attacks
– the attacker sends a flood of connection requests (TCP SYN), usually with spoofed source addresses, and never completes the handshake
– the victim answers each one with a synchronize-and-acknowledge (SYN-ACK) packet
– and waits for the final acknowledgment, keeping a half-open connection in a finite backlog until it times out; once the backlog is full, legitimate SYNs are dropped
Countermeasures
– active filtering
– request dropping (e.g., dropping the oldest half-open entries)
– cookie-based protocols (requests must be authenticated: the server keeps no state until the client proves it received the reply)
– stateless protocols
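The cookie-based countermeasure, worked through as an added example (not from the slides): a SYN-cookie server keeps no half-open state. The initial sequence number it puts in the SYN-ACK is a keyed hash of the connection 4-tuple and a coarse time slot; only a client that actually received the SYN-ACK can send ack = cookie + 1, so spoofed SYNs cost the victim nothing. The mixing function, the secret, the slot width and the addresses are assumptions of the example; real kernels use a keyed cryptographic hash and also encode the slot and MSS in the cookie, where this version simply re-checks the current and the previous slot.

```c
/* Stateless SYN cookies (added example, not from the lecture slides). */
#include <stdint.h>
#include <stdio.h>

struct tuple {                        /* connection 4-tuple, host byte order */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* Toy 64-bit mixer (splitmix-style).  NOT a MAC: a real implementation
 * must use a keyed cryptographic hash such as SipHash. */
static uint64_t mix64(uint64_t x) {
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Cookie for this tuple in time slot `slot` (assume one slot per minute). */
uint32_t syn_cookie(const struct tuple *t, uint32_t slot, uint64_t secret) {
    uint64_t h = secret;
    h = mix64(h ^ ((uint64_t)t->saddr << 32 | t->daddr));
    h = mix64(h ^ ((uint64_t)t->sport << 16 | t->dport));
    h = mix64(h ^ slot);
    return (uint32_t)h;
}

/* Server, on SYN: answer SYN-ACK with seq = cookie and store nothing. */
uint32_t server_on_syn(const struct tuple *t, uint32_t now, uint64_t secret) {
    return syn_cookie(t, now, secret);
}

/* Server, on the final ACK: the connection is genuine if ack-1 is the
 * cookie for the current or the previous slot.  Older cookies expire. */
int server_on_ack(const struct tuple *t, uint32_t ack, uint32_t now, uint64_t secret) {
    uint32_t expect = ack - 1;
    if (expect == syn_cookie(t, now, secret)) return 1;
    if (now > 0 && expect == syn_cookie(t, now - 1, secret)) return 1;
    return 0;
}

/* The whole exchange: an honest client completes the handshake, a
 * spoofer who never saw the SYN-ACK cannot guess the ack value, and a
 * cookie older than two slots is rejected.  Returns 1 if all hold. */
int handshake_demo(uint64_t secret) {
    struct tuple c = { 0x0a000001, 0x0a000002, 40000, 22 };  /* constructed: 10.0.0.1 -> 10.0.0.2:22 */
    uint32_t synack_seq = server_on_syn(&c, 100, secret);   /* SYN arrives in slot 100 */
    uint32_t client_ack = synack_seq + 1;                   /* client acknowledges the SYN-ACK */
    int ok_now  = server_on_ack(&c, client_ack, 100, secret);
    int ok_next = server_on_ack(&c, client_ack, 101, secret);     /* slot rolled over meanwhile */
    int stale   = server_on_ack(&c, client_ack, 102, secret);     /* too old: rejected */
    int forged  = server_on_ack(&c, client_ack ^ 1, 100, secret); /* attacker guessing the ack */
    return ok_now && ok_next && !stale && !forged;
}

int main(void) {
    printf("SYN-cookie handshake demo: %s\n", handshake_demo(0x0123456789abcdefULL) ? "ok" : "FAILED");
    return 0;
}
```

The price of statelessness is that options negotiated in the SYN (window scaling, SACK) are lost unless they are squeezed into the cookie, which is why production stacks only switch to cookies once the backlog overflows.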
Security: System Threats
badly implemented and designed software:
– lpr (setuid root) with an option to delete the printed file: because lpr ran with root privileges, any user could delete any file
– mkdir (first create the inode, then change the owner): between the two steps the new directory could be replaced by a link to another file, so the chown applied to that inode instead
– buffer overflows
– passwords in memory or swap files
– insecure protocols (FTP, SMTP)
– missing sanity checks (syscall arguments, commands in input, …)
– short keys and passwords
– proprietary protocols
Bad design: A very recent example
Texas Instruments produces RFID tags offering cryptographic functionality
– used for cars (immobilizer keys) and electronic payments
– 40-bit keys
– proprietary protocol
Attack from Johns Hopkins University and RSA Labs
– less than 2 hours for 5 keys
– less than 3500 $ of hardware
Security: Buffer Overflows
Overwrite a function's return address

    void foo(int p1, int p2, const char *someinput) {
        char array[10];
        strcpy(array, someinput);   /* no length check */
    }

Stack layout (diagram): array sits at the lowest address, above it the saved frame pointer (FP), then the return address (RET), then the parameters p1 & p2. A copy longer than array runs upward through FP into RET, so the function "returns" to an address chosen by whoever supplied the input.
Avoid strcpy and check the length, e.g., with strncpy (which does not NUL-terminate a truncated copy, so add the terminator yourself) or strlcpy
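The frame from the slide, modelled as a flat byte array so the overflow can be observed without corrupting a real stack. This is an added example, not the lecture's code; the offsets (array at 0, saved FP at 16, return address at 24), the frame size and the attack string are assumptions of the model. foo_unsafe copies exactly the way strcpy does; foo_safe uses a strlcpy-style bounded copy, because strncpy alone would leave a 10-byte copy without a terminator.

```c
/* Frame model of foo() from the slide (added example, not from the lecture). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE 10
#define FRAME_SIZE 32
#define ARRAY_OFF  0      /* char array[10]          */
#define FP_OFF     16     /* saved frame pointer     */
#define RET_OFF    24     /* return address          */

struct frame { unsigned char bytes[FRAME_SIZE]; };

static void frame_init(struct frame *f, uint64_t fp, uint64_t ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + FP_OFF, &fp, sizeof fp);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

static uint64_t frame_ret(const struct frame *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + RET_OFF, sizeof ret);
    return ret;
}

/* strlcpy-style copy: at most dstsz-1 bytes, always NUL-terminated,
 * returns strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return n;
    size_t k = n < dstsz - 1 ? n : dstsz - 1;
    memcpy(dst, src, k);
    dst[k] = '\0';
    return n;
}

/* The slide's foo(): unchecked copy into array.  Returns the return
 * address found in the frame afterwards. */
uint64_t foo_unsafe(const char *someinput, uint64_t ret) {
    struct frame f;
    frame_init(&f, 0x7fffffffe000ULL, ret);
    unsigned char *array = f.bytes + ARRAY_OFF;
    size_t i = 0;
    /* strcpy semantics: copy until the NUL, no length check.  Only the
     * model's outer bound keeps the write inside the frame object. */
    while (i < FRAME_SIZE && (array[i] = (unsigned char)someinput[i]) != '\0')
        i++;
    return frame_ret(&f);
}

/* Hardened foo(): the copy is bounded by sizeof(array); *truncated tells
 * the caller whether input was lost, which a real program should reject. */
uint64_t foo_safe(const char *someinput, uint64_t ret, int *truncated) {
    struct frame f;
    frame_init(&f, 0x7fffffffe000ULL, ret);
    char *array = (char *)(f.bytes + ARRAY_OFF);
    *truncated = bounded_copy(array, ARRAY_SIZE, someinput) >= ARRAY_SIZE;
    return frame_ret(&f);
}

int main(void) {
    const char attack[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 30 bytes */
    int tr;
    printf("unsafe: ret = 0x%llx\n", (unsigned long long)foo_unsafe(attack, 0x401000ULL));
    printf("safe:   ret = 0x%llx (truncated=%d)\n",
           (unsigned long long)foo_safe(attack, 0x401000ULL, &tr), tr);
    return 0;
}
```

With 30 bytes of input the six low bytes of RET become 0x41 ('A'), which is the same overwrite that, on a real stack, makes the CPU jump to 0x414141414141 when foo returns; an attacker simply puts a useful address there instead.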
Security: Monitoring
check for suspicious patterns
– login times
audit logs
periodic scans for security holes (bad passwords, set-uid programs, changes to system programs)
– system integrity checks (checksums for executable files) [tripwire]
network services
– monitor network activity
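The integrity check in the tripwire line, as an added example (not tripwire's own code): a baseline of (path, checksum) pairs is recorded while the system is known good, and a later scan recomputes the checksums and reports every executable that changed, appeared or disappeared. The file names and contents are constructed stand-ins for files on disk. FNV-1a is used only to keep the example self-contained; a deployed tool must use a cryptographic hash, and must keep the baseline where an intruder cannot rewrite it (read-only media or another host), otherwise a trojaned binary is simply re-baselined.

```c
/* Tripwire-style integrity scan (added example, not from the lecture). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct file_image { const char *path; const char *content; };  /* stand-in for a file on disk */
struct record     { const char *path; uint64_t hash; };        /* one baseline entry */

/* FNV-1a, 64-bit.  Fine for a demo; use SHA-256 or better in practice. */
uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record the checksum of every file while the system is known good. */
size_t take_baseline(const struct file_image *files, size_t n, struct record *out) {
    for (size_t i = 0; i < n; i++) {
        out[i].path = files[i].path;
        out[i].hash = fnv1a64(files[i].content, strlen(files[i].content));
    }
    return n;
}

/* Compare the current file set against the baseline.  Stores the paths of
 * modified, removed and added files in `changed` (at most `max`) and
 * returns how many were stored. */
size_t integrity_scan(const struct record *base, size_t nb,
                      const struct file_image *cur, size_t nc,
                      const char **changed, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < nb; i++) {                     /* modified or removed */
        size_t j; int seen = 0;
        for (j = 0; j < nc; j++)
            if (strcmp(base[i].path, cur[j].path) == 0) { seen = 1; break; }
        if (!seen || fnv1a64(cur[j].content, strlen(cur[j].content)) != base[i].hash)
            if (found < max) changed[found++] = base[i].path;
    }
    for (size_t j = 0; j < nc; j++) {                     /* added */
        int seen = 0;
        for (size_t i = 0; i < nb; i++)
            if (strcmp(base[i].path, cur[j].path) == 0) { seen = 1; break; }
        if (!seen && found < max) changed[found++] = cur[j].path;
    }
    return found;
}

/* Constructed scenario: three system binaries are baselined; later
 * /bin/login has been trojaned and a new binary has appeared. */
int scan_demo(void) {
    const struct file_image good[] = {
        { "/bin/ls",         "ls v1 binary contents" },
        { "/bin/login",      "login v1 binary contents" },
        { "/usr/bin/passwd", "passwd v1 binary contents" },
    };
    const struct file_image now[] = {
        { "/bin/ls",         "ls v1 binary contents" },
        { "/bin/login",      "login v1 binary contents + backdoor" },
        { "/usr/bin/passwd", "passwd v1 binary contents" },
        { "/usr/bin/.sniff", "packet sniffer dropped by the intruder" },
    };
    struct record base[3];
    const char *changed[8];
    size_t nb = take_baseline(good, 3, base);
    size_t n  = integrity_scan(base, nb, now, 4, changed, 8);
    for (size_t i = 0; i < n; i++) printf("CHANGED: %s\n", changed[i]);
    return (int)n;
}

int main(void) { printf("%d file(s) differ from baseline\n", scan_demo()); return 0; }
```

A scan that only looks at modification times instead of contents is defeated by an intruder who resets the timestamps; the checksum comparison above is why tripwire hashes the bytes.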
Example: Firewalling
Many applications use network sockets to communicate (even on a single machine)
Many applications are not protected
Solution: filter all incoming connections by default and allow only the trusted ones
Security: (some) Design Principles
Open systems (programs and protocols): security must not depend on keeping the design secret
Default is deny access
Check for current authority (timeouts, …), not an authority granted once in the past
Give the least privilege possible
Simple protection mechanisms
Do not ask too much of the users (or they will avoid protecting themselves)
Security and Systems: Some Examples
Enhancements to memory management: Intel XD bit, AMD NX bit
– mark pages according to their content (data or code)
– an exception is generated if the PC is moved to a data address
– prevents some buffer overflow attacks (those that execute code injected into the stack or heap; attacks that return into existing code, such as libc, are not stopped)
– dynamically generated code has to be made executable through special system calls (e.g., mprotect)
– Windows XP SP2, Linux, BSD, …
Security and Systems: Some Examples
SELinux
– National Security Agency (USA) patches to the Linux kernel to enforce mandatory access control
– open source
– independent of the traditional UNIX roles (users and groups)
– configurable policies restricting what a program is able to do
Security and Systems: Some Examples
OpenBSD
– audit process (proactive bug search)
– random gaps in the stack
– ProPolice: gcc puts a random integer (a canary) on the stack in the function prologue and checks it before returning; an overflow that reaches the return address also overwrites the canary, and the mismatch aborts the program instead of returning to the attacker's address
– W^X: pages are writable xor executable
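The "special system calls" mentioned for the NX bit, and the W^X rule just above, in working code; this is an added example, not from the lecture. A page is mapped writable (data), the code bytes are written, then mprotect() flips it to executable and drops write, so it is never both at once; jumping into it while still writable would raise SIGSEGV on an NX-capable CPU. The machine code is x86-64 only ("mov eax, 42; ret") and the function reports "unsupported" elsewhere; the page size, the address of the mapping and the can_map_rwx probe are assumptions of the example.

```c
/* Dynamic code generation under NX / W^X (added example, not from the lecture). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

int jit_supported(void) {
#if defined(__x86_64__) && (defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__))
    return 1;
#else
    return 0;   /* the code bytes below are x86-64 specific */
#endif
}

/* Returns 42 (what the generated code computes) on success, -1 if the
 * architecture is unsupported or the kernel refused the mapping change
 * (e.g. a policy that forbids anonymous executable memory). */
int run_generated_code(void) {
    if (!jit_supported()) return -1;
    static const unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                          0xc3 };                        /* ret         */
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return -1;
    /* 1. a data page: readable and writable, NOT executable */
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, code, sizeof code);
    /* 2. the "special system call": make it executable, giving up write */
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC) != 0) { munmap(p, (size_t)pg); return -1; }
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object pointer -> function pointer without a cast warning */
    int r = fn();
    munmap(p, (size_t)pg);
    return r;
}

/* Probe: will this kernel grant a page that is writable AND executable at
 * once?  OpenBSD's W^X refuses (unless the binary is marked wxneeded);
 * Linux without extra policy allows it.  Returns 1 if granted, 0 if
 * refused, -1 on other errors.  Informational only. */
int can_map_rwx(void) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return -1;
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, (size_t)pg);
    return 1;
}

int main(void) {
    printf("generated code returned %d\n", run_generated_code());
    printf("kernel allows W+X pages: %d\n", can_map_rwx());
    return 0;
}
```

A JIT that needs to patch code later must flip the page back to writable, patch, and flip it to executable again; keeping it RWX for convenience is exactly what W^X forbids.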
Security and Systems: Some Examples
OpenBSD
– randomized shared library order and addresses
– mmap() and malloc() return randomized addresses
– guard pages between objects
– privilege separation and revocation
Privilege Separation
unprivileged child process to contain and restrict the effects of programming errors
e.g., openssh
Diagram (time runs downward): the privileged monitor listens on *:22. On a network connection it forks an unprivileged child that does the network processing and the key exchange; for authentication the child sends an auth request to the monitor and receives only the auth result. After authentication the child exports its state to the monitor, which forks a user child; that child does the user request processing (request PTY, pass PTY) and handles the user's network data, again asking the monitor for anything that needs privilege.
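The monitor/child split from the diagram, as an added example (not OpenSSH's code). The monitor keeps the secret and the privileges; it forks a child that handles untrusted input without privileges and can only ask the monitor, over a socketpair, for the few operations its protocol defines. The two request types, the password values, the "nobody" uid fallback and the exit-status encoding are assumptions of the example. The point to notice is that the monitor loads its secret only after the fork, so a compromised child cannot find it in memory, and that the monitor answers an explicit request for the secret with a refusal.

```c
/* Privilege separation, OpenSSH style (added example, not OpenSSH's code). */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

enum req_type { REQ_AUTH = 1, REQ_EXPORT_SECRET = 2 };   /* assumed monitor protocol */
struct request  { uint32_t type; char password[32]; };
struct response { uint32_t ok; };

/* Filled in by the monitor only after the fork: never in the child's memory. */
static char expected_password[32];

/* Monitor: answer exactly the requests the protocol allows, nothing more. */
static void monitor_handle(const struct request *rq, struct response *rs) {
    memset(rs, 0, sizeof *rs);
    if (rq->type == REQ_AUTH &&
        strncmp(rq->password, expected_password, sizeof rq->password) == 0)
        rs->ok = 1;
    /* REQ_EXPORT_SECRET or anything unknown: refused.  This protocol is
     * the entire attack surface a compromised child gets. */
}

/* Child: give up root before touching any input.  Verified by checking
 * that root cannot be regained. */
static void drop_privileges(void) {
    if (geteuid() != 0) return;               /* already unprivileged */
    struct passwd *pw = getpwnam("nobody");
    uid_t uid = pw ? pw->pw_uid : 65534;      /* assumed fallback id for nobody */
    gid_t gid = pw ? pw->pw_gid : 65534;
    /* a real daemon also chroots to an empty directory here (OpenSSH: /var/empty) */
    if (setgid(gid) != 0 || setuid(uid) != 0 || setuid(0) == 0) _exit(99);
}

static int ask_monitor(int fd, const struct request *rq, struct response *rs) {
    if (write(fd, rq, sizeof *rq) != (ssize_t)sizeof *rq) return -1;
    if (read(fd, rs, sizeof *rs) != (ssize_t)sizeof *rs) return -1;
    return 0;
}

/* Network-facing child.  `attempt` stands for the password the remote
 * client sent.  Returns a bit mask of the checks that held (7 = all). */
static int child_main(int fd, const char *attempt) {
    struct request rq; struct response rs; int bits = 0;
    drop_privileges();
    memset(&rq, 0, sizeof rq); rq.type = REQ_AUTH;
    strncpy(rq.password, "wrong-guess", sizeof rq.password - 1);
    if (ask_monitor(fd, &rq, &rs) < 0) return 99;
    if (!rs.ok) bits |= 1;                               /* wrong password refused */
    memset(&rq, 0, sizeof rq); rq.type = REQ_AUTH;
    strncpy(rq.password, attempt, sizeof rq.password - 1);
    if (ask_monitor(fd, &rq, &rs) < 0) return 99;
    if (rs.ok) bits |= 2;                                /* right password accepted */
    memset(&rq, 0, sizeof rq); rq.type = REQ_EXPORT_SECRET;  /* what a hijacked child would try */
    if (ask_monitor(fd, &rq, &rs) < 0) return 99;
    if (!rs.ok) bits |= 4;                               /* secret stays in the monitor */
    return bits;
}

/* Monitor: fork the child, then serve its requests until it exits. */
int privsep_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                      /* fork unprivileged child */
        close(sv[0]);
        _exit(child_main(sv[1], "correct-horse"));       /* constructed client input */
    }
    close(sv[1]);
    strcpy(expected_password, "correct-horse");          /* loaded AFTER the fork */
    struct request rq; struct response rs;
    while (read(sv[0], &rq, sizeof rq) == (ssize_t)sizeof rq) {
        monitor_handle(&rq, &rs);
        if (write(sv[0], &rs, sizeof rs) != (ssize_t)sizeof rs) break;
    }
    close(sv[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { printf("privsep checks held: %d (expect 7)\n", privsep_demo()); return 0; }
```

The state export step of the diagram is the same idea in the other direction: after authentication the monitor forks a fresh child for the user, so the process that parsed unauthenticated network input never gets the user's privileges.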