690 likes | 703 Views
Explore the internal and external challenges of protecting information integrity and preventing unauthorized access to programs and data in computer systems. Learn about access control principles, domain specification, access matrix implementation, and revocation of access rights.
E N D
12 Protection & Security Kai Bu kaibu@zju.edu.cn http://list.zju.edu.cn/kaibu/cmpt300
strictly an internal problem: how to provide controlled access to programs and data stored in a computer system? Protection & Security
strictly an internal problem: how to provide controlled access to programs and data stored in a computer system? Protection & Security internal and external problem: how to protect information integrity by preventing unauthorized access, malicious destruction or alteration of data, and accidental introduction of inconsistency?
ProtectionSecurity specify&enforce access controls
Principle of Least Privilege • Give programs, users, & even systems just enough privileges to perform tasks • Minimize the damage from failure or compromise of a component
Need-to-Know Principle • At any time, a process should be able to access only resources that it currently requires to complete its task • Example: when process p invokes procedure A(), A() should access only its own variables and formal parameters • Minimize the risks of possible security violations
Protection Domain • Specify resources a process may access • Define a set of objects and the types of operations to be invoked on each object • Access right: the ability to execute an op on an object • Domain: a collection of ordered-pair access rights <object-name, rights-set>
Protection Domain • <O4, {print}> shared by D2 and D3
Protection Domain • Static vs Dynamic the association between proc & domain is fixed or dynamic throughout the process’s lifetime • Domain switching enable proc to switch from one domain to another toward need-to-know
Domain Realization • User as a domain object access depends on user identity • Process as a domain object access depends on proc identity • Procedure as a domain object access depends on local variables defined within the procedure
Access Matrix • access(i,j): define a set of operations that a process in domain Di can invoke on object Oj
Access Right Switch • Include domains among the objects of the access matrix Require three additional ops: copy, owner, control
Copy • Denote by an asterisk * • Copy only within a column • Example: copy F2-read from D2 to D3
Copy: Variants • Transfer copy access(i,j) to access(k,j); remove access(i,j); • Limited Copy copy R* only as R to access (k,j); proc in Dkcannot further copy R;
Owner • If access(i,j) includes the owner right, proc in domain Di can add or remove any right in any entry in column j;
Control • Apply only to domain objects • If access(i,j) includes the control right, proc executing in domain Dican change any right in row j original
Control • Apply only to domain objects • If access(i,j) includes the control right, proc executing in domain Dican change any right in row j modified
Global Table • Consist of a set of ordered triples <domain, object, rights-set> • Search and compare, allow or error • Limitations: possibly large, addition I/O needed; data redundancy: e.g., if all can read a particular obj, a separate entry needed in every domain;
Access Lists for Objects • Each column as an access list for an obj • Consist of a set of ordered pairs: <domain, rights-set> • An additional default set of access rights may be used
Capability Lists for Domains • Each row as an access list for a domain • Consist of a set of ordered pairs: <object, rights-set>
Lock-Key • Each object has a list of unique locks • Each domain has a list of unique keys • A process executing in a domain can access an object only if that domain hasa key that matches one of the locks of the object
Revocation of Access Rights • For access-list scheme: search the access list for any rights to be revoked; delete them from the list.
Revocation of Capabilities • Reacquisition • Back-pointers • Indirection • Keys
Revocation of Capabilities • Reacquisition periodically delete capabilities from each domain; reacquire deleted capabilities upon next access; • Back-pointers • Indirection • Keys
Revocation of Capabilities • Reacquisition • Back-pointers maintain a list of pointers for each obj; point to the obj’s capabilities; follow pointers to change capabilities; • Indirection • Keys
Revocation of Capabilities • Reacquisition • Back-pointers • Indirection indirectly point capabilities to objects; capability points to a unique entry in a global table, which points to the object; delete a table entry to revoke; • Keys
Revocation of Capabilities • Reacquisition • Back-pointers • Indirection • Keys associate each capability with a key; associate each object with a master key; match the keys when assigning rights; replace master keys to revoke;
ProtectionSecurity specify&enforce access controls
ProtectionSecurity what if AccessControl violation?
SecuritySecurity what if AccessControl violation?
Security what if AccessControl violation? intruder/cracker: those attempting to breach security; threat: the potential for security violation; attack: the attempt to break security;
Security Violations • Breach of confidentiality unauthorized reading of data • Breach of integrity unauthorized modification of data • Breach of availability unauthorized destruction of data • Theft of service unauthorized use of resources • Denial of service prevent legitimate use of the system
Security Attacks • Masquerading breach authentication; pretend someone else • Man-in-the-middle masquerade as sender to receiver, AND masquerade receiver to sender
Trojan, Trap, Bomb • Trojan Horse a code segment that misuses its env • Trap Door a hole in the software that can be used only by its designer • Logic Bomb a security hole to be created when a predefined set of parameters was met
Stack/Buffer Overflow • Program neglects bounds checking • Attacker sends more data than expected • Overwrite return address on the stack with address of the exploit code
Viruses • A fragment of self-replicating code embedded in a legitimate program • Categories: file, boot, macro, source code, polymorphic, encrypted, stealth, tunneling, multipartite, armored cont.
Viruses • Polymorphic change each time it is installed to avoid detection by antivirus software; • Encrypted include decryption code along with the encrypted virus • Stealth modify parts of the system that could be used to detect it;
system and network threats abuse of service & network connection
Worms • A process that uses spawn mechanism to duplicate itself • Use up system resources and lock out all other processes The Morris Internet Worm: copy worm to hooked systems:
Port Scanning • A means for a cracker to detect a system’s vulnerabilities to attack • Create a TCP/IP connection to a specific port or a range of ports • Use known bugs of answering services
Denial of Service • Disrupt legitimate use of a system or facility • Example: TCP SYN Flood • DDoS: Distributed Denial of Service
how to defend against attacks? cryptography based on secrets
Encryption Components: • A set K of keys • A set M of messages • A set C of ciphertexts • An encrypting function E : K (M C) • A decrypting function D : K (C M) Types: symmetric vs asymmetric
Symmetric Encryption • The same key to encrypt and decrypt