Addendum: Security

Posted on 20-Jul-2020


Page 1: Addendum: Security · Security: Monitoring check for suspicious patterns –login times audit logs periodic scans for security holes (bad passwords, set-uid programs, changes to system

Addendum: Security

System-Software WS 04/05, slide 380 © P. Reali / M. Corti

Security
– internal protection
  – memory protection
  – file system accesses
– external protection
  – accessibility
– problems:
  – program threats


Security: Program Threats
– Trojan horses: a code segment that misuses its environment
  – mail attachments
  – web downloads (e.g., SEXY.EXE which formats your hard disk)
  – programs with the same name as common utilities
  – misleading names (e.g., README.TXT.EXE)
– Trap door (in programs or compilers): an intentional hole in the software


Security: System Threats
– worms: a standalone program that spawns other processes (copies of itself) to reduce system performance
  – example: Morris worm (1988)
    – exploited holes in rsh, finger and sendmail to gain access to other machines
    – once on the other machine it was able to replicate itself
  – used by spammers to spread and distribute spamming applications
– viruses: similar to worms but embedded in other programs
  – they usually infect other programs and the boot sector


Security: System Threats
– Denial of service
  – perform many requests to steal all the available resources
  – often distributed (using worms)
– Example: SYN flooding attacks
  – the attacker tries to connect
  – the victim answers with a synchronize and acknowledge packet and waits for acknowledgment
– Countermeasures
  – active filtering
  – request dropping
  – cookie based protocols (requests must be authenticated)
  – stateless protocols
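The "cookie based" and "stateless" countermeasures above share one idea: the server allocates no memory for a half-open request, and instead hands the requester a cookie that only a party which really received the reply can echo back. The following C program is an added example, not code from the slides and not a real TCP SYN-cookie layout; the secret, the address/port values, the 64-bit mixing function and the window arithmetic are this example's own constructed choices. It shows both sides of the exchange and why a spoofed or stale reply is rejected.

```c
/* Added example (not from the slides): a stateless, cookie-based handshake.
 * The server derives a cookie from a secret, the client's address/port and a
 * coarse time window, sends it back and stores NOTHING. It only accepts the
 * follow-up message if the presented cookie recomputes correctly, so a flood
 * of connection requests costs the server no memory. */
#include <stdint.h>
#include <stdbool.h>

/* Constructed server secret; a real server draws this from a CSPRNG. */
static const uint64_t SERVER_SECRET = 0x5eed0badc0ffee01ULL;

/* splitmix64 finaliser: a fast mixing step, not a cryptographic MAC; it is
 * enough to show the mechanism, a real implementation would use a keyed hash. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Cookie for one client (IPv4 address + port) in a given time window. */
uint32_t make_cookie(uint64_t secret, uint32_t client_ip, uint16_t client_port, uint32_t window)
{
    uint64_t v = secret;
    v = mix64(v ^ client_ip);
    v = mix64(v ^ client_port);
    v = mix64(v ^ window);
    return (uint32_t)(v & 0xffffffffULL);
}

/* The current and the previous window are accepted so a reply that crosses a
 * window boundary is not lost; anything older is dropped without state. */
bool verify_cookie(uint64_t secret, uint32_t client_ip, uint16_t client_port,
                   uint32_t now_window, uint32_t presented)
{
    if (presented == make_cookie(secret, client_ip, client_port, now_window))
        return true;
    if (now_window > 0 &&
        presented == make_cookie(secret, client_ip, client_port, now_window - 1))
        return true;
    return false;
}

/* The exchange, both sides, over constructed values:
 * 1. a connect request arrives (possibly one of millions, possibly spoofed);
 * 2. the server answers with make_cookie(...) and keeps no per-request state;
 * 3. only a client that actually received that answer can echo the cookie;
 *    the server checks it with verify_cookie and only then allocates state.
 * Returns 1 if the genuine reply is accepted and the spoofed/stale ones are not. */
int handshake_demo(void)
{
    const uint32_t ip = 0xc0a80105u;   /* 192.168.1.5, constructed */
    const uint16_t port = 51234;
    const uint32_t window = 1000;

    uint32_t cookie = make_cookie(SERVER_SECRET, ip, port, window);

    int accepted = verify_cookie(SERVER_SECRET, ip, port, window, cookie);          /* genuine reply  */
    int spoofed  = verify_cookie(SERVER_SECRET, 0x0a000001u, port, window, cookie); /* other source   */
    int stale    = verify_cookie(SERVER_SECRET, ip, port, window + 5, cookie);      /* far too late   */
    return accepted && !spoofed && !stale;
}
```

The server's only state is the secret and the clock; everything a requester must prove is carried in the cookie, which is what makes the design "stateless" in the sense of the slide.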


Security: System Threats
– badly implemented and designed software:
  – lpr (setuid) with an option to delete the printed file
  – mkdir (first create the inode then change the owner): it was possible to change the inode before the chown …
  – buffer overflows
  – password in memory or swap files
  – insecure protocols (FTP, SMTP)
  – missing sanity checks (syscalls, command in input, …)
  – short keys and passwords
  – proprietary protocols


Bad design: A very recent example
– Texas Instruments produces RFID tags offering cryptographic functionalities
  – used for cars and electronic payments
  – 40 bit keys
  – proprietary protocol
– Attack from Johns Hopkins University and RSA Labs
  – less than 2 hours for 5 keys
  – less than $3500


Security: Buffer Overflows
– Overwrite a function's return address

  #include <string.h>

  /* the slide's vulnerable function, made compilable; the copy is left
     unbounded on purpose: input longer than 9 bytes runs past array */
  void foo(int p1, int p2, const char *someinput)
  {
      char array[10];
      strcpy(array, someinput);
  }

[stack frame figure: array | FP | RET | p1 & p2; the overflowing array grows into the saved FP and RET]

– Avoid strcpy and check the length, e.g., strncpy
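The slide's fix, "check the length, e.g., strncpy", has a well-known trap: strncpy does not NUL-terminate the destination when the source is too long, so the length check and the terminator both have to be explicit. The following C code is an added example, not code from the slides; copy_input, foo_safe, copy_with_snprintf and ARRAY_SIZE are names chosen for this example. It keeps the shape of the slide's foo() but bounds the copy and reports truncation to the caller instead of overrunning the array.

```c
/* Added example, not from the slides: bounded replacements for the slide's
 * strcpy(array, someinput). The destination is never overrun and is always
 * NUL-terminated; over-long input is reported rather than silently accepted. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ARRAY_SIZE 10   /* same size as the slide's char array[10] */

/* Bounded copy: returns true if the whole input fitted, false if it had to be
 * truncated. Unlike bare strncpy, dst always ends with '\0'. */
bool copy_input(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return false;
    if (len >= dst_size) {
        /* Truncate instead of overflowing, and tell the caller about it. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Same shape as the slide's foo(), with the copy bounded. Returns the number
 * of bytes kept, or 0 when the input was rejected as too long. */
size_t foo_safe(int p1, int p2, const char *someinput)
{
    char array[ARRAY_SIZE];
    (void)p1; (void)p2;
    if (!copy_input(array, sizeof array, someinput))
        return 0;   /* treat over-long input as an error, do not carry on */
    return strlen(array);
}

/* Standard-library alternative: snprintf always terminates and returns the
 * length the full string would have had, so truncation is detectable by
 * comparing its return value with the buffer size. */
bool copy_with_snprintf(char *dst, size_t dst_size, const char *src)
{
    int needed = snprintf(dst, dst_size, "%s", src);
    return needed >= 0 && (size_t)needed < dst_size;
}
```

Either helper makes the length decision in one place; the caller then decides whether a truncated input is acceptable or must be rejected, which is the check the slide asks for.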


Security: Monitoring
– check for suspicious patterns
  – login times
  – audit logs
– periodic scans for security holes (bad passwords, set-uid programs, changes to system programs)
  – system integrity checks (checksums for executable files) [tripwire]
– network services
  – monitor network activity
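The "system integrity checks (checksums for executable files)" item is the tripwire idea: record a checksum for every system program while the machine is known-good, then periodically recompute and compare. The C program below is an added example, not code from the slides and not tripwire's own code. It uses the 64-bit FNV-1a checksum, which catches accidental and casual modification; tripwire uses cryptographic hashes so that a modified binary cannot be made to collide with the baseline. The file names and contents are constructed in memory so the example runs offline; record_baseline, scan_integrity and integrity_demo are names chosen here.

```c
/* Added example, not from the slides: a tripwire-style integrity scan. A
 * baseline of (name, checksum) pairs is recorded when the system is
 * known-good; a later scan reports files whose content changed, files that
 * vanished, and files that are not in the baseline at all. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 64-bit FNV-1a over a byte buffer (stands in for a file's contents). */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;       /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;                /* FNV prime */
    }
    return h;
}

struct entry {                 /* one file as seen on disk */
    const char *name;
    const unsigned char *content;
    size_t len;
};

struct baseline_entry {        /* one file as recorded in the baseline */
    const char *name;
    uint64_t sum;
};

#define MAX_FILES 8

/* Record the baseline; returns the number of entries written. */
size_t record_baseline(const struct entry *files, size_t n, struct baseline_entry *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < MAX_FILES; i++, k++) {
        out[k].name = files[i].name;
        out[k].sum = fnv1a64(files[i].content, files[i].len);
    }
    return k;
}

struct report { int changed; int missing; int unknown; };

/* Scan the current file set against the baseline; returns total anomalies. */
int scan_integrity(const struct baseline_entry *base, size_t nb,
                   const struct entry *now, size_t nn, struct report *r)
{
    r->changed = r->missing = r->unknown = 0;
    for (size_t i = 0; i < nb; i++) {
        int found = 0;
        for (size_t j = 0; j < nn; j++) {
            if (strcmp(base[i].name, now[j].name) == 0) {
                found = 1;
                if (fnv1a64(now[j].content, now[j].len) != base[i].sum)
                    r->changed++;          /* a system program was modified */
                break;
            }
        }
        if (!found)
            r->missing++;
    }
    for (size_t j = 0; j < nn; j++) {
        int known = 0;
        for (size_t i = 0; i < nb; i++)
            if (strcmp(base[i].name, now[j].name) == 0) { known = 1; break; }
        if (!known)
            r->unknown++;                  /* e.g. a newly planted binary */
    }
    return r->changed + r->missing + r->unknown;
}

/* Constructed scenario: /bin/login was modified, /bin/ps vanished and an
 * unexpected file appeared under /usr/sbin. Returns the anomaly count. */
int integrity_demo(struct report *r)
{
    static const unsigned char login_ok[] = "login-v1", login_bad[] = "login-v1-modified";
    static const unsigned char ps[] = "ps-v1", ls[] = "ls-v1", newbin[] = "mystery";
    const struct entry before[] = {
        { "/bin/login", login_ok, sizeof login_ok - 1 },
        { "/bin/ps", ps, sizeof ps - 1 },
        { "/bin/ls", ls, sizeof ls - 1 },
    };
    const struct entry after[] = {
        { "/bin/login", login_bad, sizeof login_bad - 1 },
        { "/bin/ls", ls, sizeof ls - 1 },
        { "/usr/sbin/mystery", newbin, sizeof newbin - 1 },
    };
    struct baseline_entry base[MAX_FILES];
    size_t nb = record_baseline(before, 3, base);
    return scan_integrity(base, nb, after, 3, r);
}
```

The baseline itself is the weak point of this scheme: it must be stored where a process that can modify system programs cannot also rewrite the recorded checksums (read-only media or a separate host), otherwise the scan compares a modified file against a modified baseline.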


Example: Firewalling
– Many applications use network sockets to communicate (even on a single machine)
– Many applications are not protected
– Solution: filter all the incoming connections by default and allow only the trusted ones
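The solution on this slide is a default-deny policy: an incoming connection is dropped unless an explicit rule allows it. The C code below is an added example, not code from the slides or from any firewall; the rule format (IPv4 prefix plus destination port), the constructed policy and the names connection_allowed, policy_allows and ip4 are this example's own. It shows the evaluation order that makes the policy safe: the fall-through result is "deny".

```c
/* Added example, not from the slides: a default-deny filter for incoming
 * connections. Each (source address, destination port) pair is dropped unless
 * it matches an explicit allow rule given as an IPv4 prefix (CIDR) and port. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

struct allow_rule {
    uint32_t net;       /* network address, host byte order */
    uint8_t  prefix;    /* prefix length 0..32 */
    uint16_t port;      /* destination port, 0 = any port */
};

/* Netmask for a prefix length; the prefix 0 case avoids a 32-bit shift. */
static uint32_t prefix_mask(uint8_t prefix)
{
    return prefix == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - prefix));
}

/* Build an IPv4 address from dotted quads, so no inet_pton is needed here. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Default deny: true only if some rule matches, false otherwise. */
bool connection_allowed(const struct allow_rule *rules, size_t n,
                        uint32_t src_ip, uint16_t dst_port)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t m = prefix_mask(rules[i].prefix);
        if ((src_ip & m) == (rules[i].net & m) &&
            (rules[i].port == 0 || rules[i].port == dst_port))
            return true;
    }
    return false;   /* nothing matched: drop the connection */
}

/* Constructed policy: loopback may reach any port (the local socket-based IPC
 * the slide mentions), an admin LAN may reach ssh, nobody else gets in. */
static const struct allow_rule POLICY[] = {
    { 0x7f000000u, 8, 0 },      /* 127.0.0.0/8, any port   */
    { 0xc0a80a00u, 24, 22 },    /* 192.168.10.0/24 -> 22   */
};
static const size_t POLICY_LEN = sizeof POLICY / sizeof POLICY[0];

bool policy_allows(uint32_t src_ip, uint16_t dst_port)
{
    return connection_allowed(POLICY, POLICY_LEN, src_ip, dst_port);
}
```

An unprotected service listening on every interface is reachable only from the sources the policy names; a service the administrator forgot about is covered automatically, because no rule mentions it.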


Security: (some) Design Principles
– Open systems (programs and protocols)
– Default is deny access
– Check for current authority (timeouts, …)
– Give the least privilege possible
– Simple protection mechanisms
– Do not ask too much of the users (or they will avoid protecting themselves)


Security and Systems: Some Examples
– Enhancements to memory management: Intel XD bit, AMD NX bit
  – mark pages according to the content (data or code)
  – an exception is generated if the PC is moved to a data address
  – prevents some buffer overflow attacks
  – dynamically generated code has to be generated through special system calls
  – Windows XP SP2, Linux, BSD …


Security and Systems: Some Examples
– SELinux
  – National Security Agency (USA) patches to the Linux kernel to enforce mandatory access control
  – open source
  – independent from the traditional UNIX roles (users and groups)
  – configurable policies restricting what a program is able to do


Security and Systems: Some Examples
– OpenBSD
  – audit process (proactive bug search)
  – random gaps in the stack
  – ProPolice: gcc puts a random integer on the stack in a call prologue and checks it when returning
  – W^X: pages are writable xor executable


Security and Systems: Some Examples
– OpenBSD
  – randomized shared library order and addresses
  – mmap() and malloc() return randomized addresses
  – guard pages between objects
  – privilege separation and revocation


Privilege Separation
– unprivileged child process to contain and restrict the effects of programming errors
– e.g., openssh

[figure: openssh privilege separation, time running downward; the monitor listens on *:22 and accepts the network connection; the monitor handles the network processing; it forks an unprivileged child that runs the key exchange and authentication, sending "request auth" to the monitor and receiving the "auth result"; after the state export the monitor forks a user child that handles the user network data, which asks the monitor to "request PTY" and receives "pass PTY"; the monitor handles the user request processing]
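The pattern in the figure, a privileged monitor that never parses untrusted input itself and an unprivileged child that does the risky work and reports back through a narrow channel, can be shown in a few dozen lines. The C program below is an added example, not code from the slides and not OpenSSH's own code; the request format ("auth <user> <n>"), the placeholder uid/gid 65534, the single-user "account database" and the names privsep_handle, drop_privileges and parse_request are all constructed for this example. The child drops privileges only when it actually has them, so the program also runs as an ordinary user.

```c
/* Added example, not from the slides and not OpenSSH's code: the
 * privilege-separation pattern in miniature. The privileged parent (the
 * "monitor") forks a child, the child drops privileges and parses the
 * untrusted request, and sends back only one fixed-size result over a pipe.
 * If the child crashes, the monitor sees a failed request, not a compromised
 * privileged process. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>

/* Child side: drop to an unprivileged uid/gid if running as root. 65534 is a
 * placeholder; a real service looks up a dedicated account (OpenSSH uses a
 * separate privsep user). Returns 0 on success or when there is nothing to drop. */
static int drop_privileges(void)
{
    if (geteuid() != 0)
        return 0;                         /* ordinary user: nothing to drop */
    if (setgid(65534) != 0) return -1;    /* group first, while still root */
    if (setuid(65534) != 0) return -1;
    return 0;
}

/* Untrusted work: parse "auth <user> <n>" and return n, or -1 for an unknown
 * user. Anything malformed aborts the child, which the monitor turns into a
 * clean failure rather than a crash of the privileged process. */
static long parse_request(const char *req)
{
    char user[16];
    long n;
    if (sscanf(req, "auth %15s %ld", user, &n) != 2)
        abort();
    if (strcmp(user, "alice") != 0)      /* constructed: only alice is known */
        return -1;
    return n;
}

/* Monitor side: run parse_request in an unprivileged child and collect its
 * result. Returns 0 with the result in *out, or -1 if the child failed. */
int privsep_handle(const char *request, long *out)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: unprivileged worker */
        close(fd[0]);
        if (drop_privileges() != 0)
            _exit(2);
        long r = parse_request(request);
        ssize_t w = write(fd[1], &r, sizeof r);
        _exit(w == (ssize_t)sizeof r ? 0 : 3);
    }
    /* parent: monitor; reads exactly one fixed-size result and nothing else */
    close(fd[1]);
    long result = 0;
    ssize_t got = read(fd[0], &result, sizeof result);
    close(fd[0]);
    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    if (got != (ssize_t)sizeof result || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                        /* child crashed or was killed */
    *out = result;
    return 0;
}
```

The narrow interface is the point: the monitor accepts exactly one long from the child, so even a child that has been taken over by a malformed request can only influence that one value, and the monitor decides what privileged action, if any, that value justifies.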