450 likes | 534 Views
CS134a: Security (Week 7). Overall outline Basic Issues Types of protection and security Penetration of a computing facility Access and information-flow control mechanisms Protection Problems. Security Violations. Two basic types of intrusions Malicious intrusion
E N D
CS134a: Security (Week 7) • Overall outline • Basic Issues • Types of protection and security • Penetration of a computing facility • Access and information-flow control mechanisms • Protection Problems Computing Systems
Security Violations • Two basic types of intrusions • Malicious intrusion • Read or destroy sensitive information • “Hackers” view it as a challenge • (The traditional word hacker refers to skilled computer programmers; the people who break into systems “crackers” adopted the word for their own use) • Incidental violations • Hardware failures • Bugs in OS and applications • Natural disasters, power blackouts, etc. Computing Systems
Definitions • The terms protection and security do not have precise technical definitions • Random House: • protection: the act or state of guarding from attack, invasion, or annoyance • security:freedom from danger, risk, doubt, or apprehension • Protection is the mechanisms and policies to provide security Computing Systems
Definitions II • A computer system contains collections of data and services that we will call objects • Files, programs, in some cases processors • Active components that can perform read/write operations will be called subjects • Processes Computing Systems
Protection and security categories • Information disclosureUnauthorized dissemination of information, either as theft or illegal actions on the parts of a user.Enforcement of the right to privacy, a social policy that is the right of an individual to control the collection, storing, and dissemination about herself or himself. Computing Systems
Categories • Information destruction: Information loss as the result of an error or sabotage.Includes loss of OS data structures (like resource queues), destruction of research or development results, and deletion of court or police records. • Unauthorized use of services: unauthorized use of proprietary services, or to obtain free computing time. For example, copying a game for a friend. Computing Systems
Categories • Denial of service: preventing authorized users from using the system’s services in a timely manner. Can be caused by hardware/software malfunctions, or may be malicious.Recent spate of DoS attacks on web servers: Microsoft, Yahoo, etc. Computing Systems
Safeguards • No single safeguard scheme is adequate • Must obtain a balance between • Adequately protecting a system • Allowing authorized users to access the system • Two types of safeguards: external and internal Computing Systems
External safeguards • Control physical access to the computing facility • PCs may leave this to the owner of the system • Shared facilities often use • Administrative policies • Physical safeguards: locks, badges, etc. • Threat monitoring, and audit trails Computing Systems
Internal safeguards • Verification of user identity • Access control, “can subject s access object o?” • For example, who can access a file • Simple case control only the file open; more complex schemes also regulate read/write/execute permissions • Information flow control, “can subject s acquire the information contained in object o?” • Access control is not sufficient, a subject may be able to infer the contents of the object by watching the system and other users Computing Systems
Internal safeguards • Internal safeguards govern user who have entered the system legally • External safeguards try to prevent illegal access, but it is not always possible to prevent access • Public terminals • External network may be tapped or subverted • Cryptography disguises information (we will not talk a lot about this) Computing Systems
User authentication methods • Based on one or more of the following: • Knowledge of some “secret” information (e.g. password) • Possession of some artifact (e.g, key) • Physical characteristic (e.g. fingerprint, brainwave) • Secret information may be • password • an interactive dialog (what’s your SS#, mother’s maiden name, etc.) • a combination to the lock on a room Computing Systems
Physical artifacts • A card with machine-readable information • Bank machines (ATMs) require card+PIN • Badges • Keys Computing Systems
Physical characteristics • Kinds • Fingerprints: hard to implement • Hand geometry: lengths of fingers, etc. • Voice patterns • Signatures: speed and force of writing • Uncertain recognition may reject an authorized user • or accept an impostor Computing Systems
Penetration • A user may bypass authentication mechanisms • A user may obtain information that will permit legal entry • Wire tapping • Watching the network for cleartext passwords • Never send a cleartext password over Internet! Use encryption (like ssh) to protect your passwords • Trial-and-error • Guess a password: seems hard with 8-character passwords (64^8 combinations) • In practice, people tend to use a small subsets Computing Systems
Penetration • Browsing: When storage is deallocated, the system rarely erases it (free disk blocks or memory pages). Defense systems often require garbage to be copied onto deallocated areas. • Waste searching. Looking through garbage cans, etc., is highly successful. • Trap doors: applications may contain secret entries. A Trojan Horse is a program offered for public use that performs unadvertised actions. Computing Systems
Access and Information Flow Control • Process information locations • Registers • Associative memories (cache, TLB) • Primary memory • Secondary memory • Protection • OS saves and restores registers on each context switch; registers are private • Cache and TLB are inaccessible to user-mode programs Computing Systems
Access and information flow control • An execution environment includes • programs, files, processes residing in primary and secondary memory • hardware components like IO devices or special processors • Execution environment may be • static: constant for the life of a process • dynamic: varies with time • Dynamic environments are needed to provide the smallest possible execution environment Computing Systems
Main memory protection • Control process access to it’s own instructions, and to another process • A process should only be allowed to access in areas that are assigned by OS • Memory access rights: • Read(R): may read the contents, even copy it into executable areas • Write(R): may modify the contents; Append(R) only allows writing onto the end • Execute(R): may execute the contents as a program Computing Systems
Access control • Boolean logic • Ø(R Ú W Ú X): no access • R Ù Ø(W Ú X): read-only Computing Systems
Access control without virtual memory • Bounds registers Computing Systems
Access control without virtual memory • Identification keys • Memory is divided into blocks (like pages) • Each memory block has an n-bit pattern called a lock • Each process contains an n-bit key • Hardware compares the key with the lock on every access Computing Systems
Access control with virtual memory • Relocation register Computing Systems
Relocation register • Same problem: access control is inflexible • Could use locks and keys • Better to associate access control with each process and extend the Mmap function to handle extra info Computing Systems
Paged segmentation • Access rights are associated with each segment • Segment table entry: • pt_base: pointer to page table • int pt_len: length of page table • bool pt_resident: whether page table is in memory • access_rights access: access control info • Page table entry • pg_base: pointer to page • pg_resident: whether page is in memory Computing Systems
Paged segmentation address translation Computing Systems
Protection for secondary storage • Implicit access through virtual memory (page/seg faults) • Explicit access through the file system • Filesystems needs to keep information about access control • Access lists • Capability lists Computing Systems
Access/capability lists • Access table for each file, listing which subjects can access the file • Capability for each process/user listing rights • Unix • access list for each file: user/group/other, rwx • user: jyh group: cs134 file perm: 4775 • capability for each user: list of groups • Windows NT • access list for each kernel object • capability list for each user: list of groups Computing Systems
Capabilities vs access lists • Capability is like a ticket (to see Godzilla vs Mothra) • Access list is like a reservation at a restaurant • Are they the same? • Same amount of info • Capabilities can become the only mechanism for access Computing Systems
Capabilities • Capability list is like a segment table; it points to objects that may accessed • segment tables are only valid for the life of a process • segment tables refer to primary storage • capabilities refer to secondary storage • Capability-based addressing • combines access models • capabilities are the only means to access an object Computing Systems
Capability-based addressing Computing Systems
Dynamic environments • Execution environment is determined by segment table • Segment table may grow; since segments are never unlinked, it never shrinks • Dynamic environment needs additional protection • MULTICS provides a scheme of concentric rings • Innermost rings are most highly protected • Access is only allowed to outer shell Computing Systems
MULTICS rings Computing Systems
MULTICS Rings • An inward call generates an interrupt • checks the reference based on access rights • An outward call also generates an interrupt • Arguments must be copied to the outer procedures Computing Systems
Rings • Seems flexible, but it is limited strict orderind • In general, objects may have references that form an arbitrary graph, and they may be difficult to partition Computing Systems
Capability-based systems Computing Systems
Privileged system states • Supervisor/user mode • VAX: kernel, executive, supervisor, user • Capability-based has no need for privileged modes Computing Systems
Protection problems • We define schemes for explicit access • What about information flow? • A problem when mutually suspicious processes want to cooperate • Example user interacting with a service Computing Systems
Service goals • No user should be able to steal the service by making a copy • No user should be able to damage the service • No user should be able to use the service without permission • It should be possible to revoke access to the service • No user should be able to prevent others from using the service Computing Systems
User goals • The service should not be able to steal or destroy any information or services that were not explicitly given to the service • The service should be able to notify its owner with nonsensitive information (e.g. billing), but not sensitive information Computing Systems
Access-control • Theft and destruction can be solved with execute-only privileges for the service • Unauthorized use is harder; could use access control • Capability-based systems • Capabilities can be copied and passed to other users Computing Systems
HYDRA • Generic rights for an object o: r, w, s, and l • r: read, w: write • s: right to copy a capability into object o • l: right to copy capability from object o • Capabilities a special right: the environment right, that allows them to be copied Computing Systems
Capability-passing Computing Systems
Revocation of privileges • Access lists: remove a user from the list • What about a file open? • Capability-based • Have a dummy pointer to an object alias • All references are through alias • All references can be removed by modifying alias Computing Systems
Other problems • Denial of service • Not possible to enforce in asynchronous systems • Can give each process a fixed time limit... • Trojan horse (service destroys or discloses information) • Have the “gift” process run with restricted privileges Computing Systems