1 / 43

Protection and Security

Protection and Security. Andy Wang Operating Systems COP 4610 / CGS 5765. Definitions. Security : policy of authorizing accesses Prevents intentional misuses of a system Protection : the actual mechanisms implemented to enforce the specialized policy

cynthiaj
Download Presentation

Protection and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protection and Security Andy Wang Operating Systems COP 4610 / CGS 5765

  2. Definitions • Security: policy of authorizing accesses • Prevents intentional misuses of a system • Protection: the actual mechanisms implemented to enforce the specialized policy • Prevents either accidental or intentional misuses

  3. Security Goals • Data confidentiality: secret data remains secret • Data integrity: unauthorized users should not be able to modify data • System availability: nobody can make a system unusable

  4. Security Components • Authentication determines who the user is • Authorization determines who is allowed to do what • Enforcement makes it so people can do only what they are allowed to do

  5. Authentication • The most common approach: passwords • If I know the secret, the machine can assume that I’m the user • Problems: 1. Password storage 2. Poor passwords

  6. Password Storage • Encryption • Uses a key to transform the data • Difficult to reverse without the key • UNIX stores encrypted passwords in /etc/passwd • Uses one-way transformations • Encrypts a typed password and compares encrypted passwords

  7. Poor Passwords • Short passwords • Easy to crack • Long passwords • Tend to be written down somewhere

  8. Original UNIX • Required only lower-case, 5-lettered passwords • 265 or 1 million combinations • In 1975, it would take one day to crack one password • Today, we can go through all those combinations < 1 second

  9. Partial Solutions • Extend password with a unique number • Require more complex passwords • 6 letters of upper, lower cases, numbers, and special characters • 706 or 100 billion combinations • Unfortunately, people still pick common words

  10. Partial Solutions • Delay every login by 1 second • Assign very long passwords • Give everyone a calculator (ATM card) • Requires a physical theft to steal the password

  11. Two-factor Authentications • Something one knows (e.g., password) • + something one owns (e.g., card)

  12. Authentication in Distributed Systems • Private key encryption of data • Encrypt(Key, Plaintext) = Cipher text • Decrypt(Key, Cipher text) = Plaintext • Hard to reverse without the key • With the plaintext and the cipher text, one cannot derive the key • Provides secrecy and authentication, as long as the key stays secret

  13. How to distribute the keys? • Authentication server • Keeps a list of keys

  14. Encrypt(KeyAS, “I want KeyAB”) Kerberos Protocol Keyxy is needed to talk between x and y Server S Client B Client A KeyBS KeyAS

  15. Encrypt(KeyAS,“Here is KeyAB and a message to B”) Kerberos Protocol Keyxy is needed to talk between x and y Server S Client B Client A KeyBS KeyAS

  16. message Encrypt(KeyBS, “use KeyAB to talk to A”) Kerberos Protocol Keyxy is needed to talk between x and y Server S Client B Client A KeyBS KeyAS

  17. Additional Details • Expiration timestamp for a key • Prevents a machine from replaying messages (e.g., “deposit $100”) • Checksum for an encrypted message • Prevents modifications to a message (e.g., “deposit $1000”) • KeyAS and KeyBS are renewed periodically to reduce their exposures

  18. Public Key Encryption • Separates authentication from secrecy • Involves a public key and private key • Encrypt(Keypublic, plaintext) = cipher text • Decrypt(Keyprivate, cipher text) = plaintext • Encrypt(Keyprivate, plaintext) = cipher text • Decrypt(Keypublic, cipher text) = plaintext

  19. Public Key Encryption • Idea: • Private key is kept secret • Public key is advertised

  20. Public Key Encryption • Encrypt(Keymy_public, “Hi, Andy”) • Anyone can create it, but only I can read it (secrecy) • Encrypt(Keymy_private, “I’m Andy”) • Everyone can read it, but only I can create it (authentication)

  21. Public Key Encryption • Encrypt(Keyyour_public, Encrypt(Keymy_private, “I know your secret”)) • Only I can create it, and only you can read it

  22. Authorization • Access matrix describes who can do what -The matrix tends to be sparse

  23. Access Control List • Stores all permissions for all users with each object • Analogy: a guard in front of a door • Checks for a list of people allowed to enter • UNIX: permission of each file is specified according to its owner, group, and the world

  24. Capability List • Stores all objects a process can touch • Analogy: Keys • A key owner has the right of entry • Example: page tables • Each process has a list of pages that it can access

  25. Access Control List vs. Capability List • Access control list (commonly used) • Easy to know who can access the object • Hard to know which objects a user can access • Capability list • A user knows the list of objects to access • Hard to know who can access an object • More difficult to revoke capabilities

  26. Enforcement • Enforcer programs check passwords, access control lists, and so on… • In UNIX, enforcers are run as superuser • If there is a bug, you are hosed!

  27. The State of the World in Security • Authentication • Poor passwords • Nobody encrypts emails • Authorization • Coarse-grained access control list • Often turned off for sharing • Enforcement • Buggy operating systems

  28. Classes of Security Problems • Eavesdropping is the listener approach • Tap into the Ethernet and see everything • Countermeasure: pressurized cabled • Abuse of privilege • If the superuser is evil, there is nothing you can do

  29. Classes of Security Problems • Imposter breaks into the system by pretending to be someone else • Recorded voice and facial image • Countermeasure: behavioral monitoring to look for suspicious activities • Overwriting the boot block

  30. Classes of Security Problems • A Trojan horse is a seemingly innocent program that performs an unexpected function • Countermeasure: integrity checking • Periodically, check binaries against their checksums

  31. Classes of Security Problems • Salami attack builds up an attack, one-bit at a time • Example: send partial pennies to a bank account • Countermeasure: code reviews

  32. Classes of Security Problems • Logic bombs: a programmer may secretly insert a piece of code into the production system • A programmer feeds the system password periodically • If the programmer is fired, the logic bomb goes off • Countermeasure: code reviews

  33. Classes of Security Problems • Denial-of-service attacks aim to reduce system availability • A handful of machines can flood a victim machine to disrupt its normal use • Countermeasure: open

  34. time Pentagon Traffic Analysis • Before the 1991 Persian Gulf War • Foreign intelligence tried to predict the starting date of the war

  35. Pentagon Traffic Analysis • So much for the element of surprise…

  36. Tenex • Used to be the most popular system at universities before UNIX • Thought to be very secure

  37. Tenex • Source code for the password check: for (j = 0; j < 8; j++) { if (input[j] != pw[j]) { // go to error; } } • Need to go through 2568 combinations

  38. Tenex • Unfortunately, Tenex used virtual memory • A fast password check means that the first character is wrong (error) • A slow check means that the first character is correct (page fault) password in memory on disk

  39. Tenex • 2568 checks to crack a password is reduced down to 256 * 8 checks

  40. The Internet Worm • In 1988, a Cornell graduate student, RTM, released a worm into the Internet • The worm used three attacks • rsh • fingerd • sendmail

  41. The Internet Worm • Some machines trust other machines, the use of rsh was sufficient to get into a remote machine without authentication

  42. The Internet Worm • finger command did not check the input buffer size • finger name@location • Overflow the buffer • Overwrite the return address of a procedure • Jump and execute a shell (under root privilege)

  43. The Internet Worm • sendmail allowed the worm to mail a copy of the code and get it executed • The worm was caught due to multiple infections • People noticed the high CPU load

More Related