What we will cover… Protection and Security in OS
Difference between Protection & Security Protection: Mostly, mechanism for controlling access to system resources by processes. This includes a means of specifying controls and a means of enforcing the controls. This is an internal problem. Security: Mostly, assuring the integrity of system resources and data. Protection is the enforcement aspect of security. Security must also consider the external environment in which the system operates.
Domain of Protection Who needs protection? System resources need protection resources include both hardware and software examples of software resources: files, programs, buffers, semaphores etc. examples of hardware resources: CPU, memory segments, printers, disks etc. think of each resource as an object accessible only through associated operations Protection From whom? Other users (user domain) Other processes (process domain)
Principle of Protection Guiding principle – principle of least privilege Programs, users and systems should be given just enough privileges to perform their tasks Also known as “need-to-know” principle
Domain Structure Implement protection domain a process has an associated protection domain and operates within this domain a protection domain is a set of ordered pairs each ordered pair consists of an object and a set of access rights (permitted operations) Access-right = <object-name, rights-set> where rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights
Protection Domain Structure The association between a process and a domain can be fixed (static) or can change as process executed (dynamic) Static association is easier to implement while dynamic association is more complex Which one is better? Static association may violate need-to-know principle Dynamic association change association dynamically by either (1) modifying the domain, or (2) switching to a different domain
Domain Implementation (MULTICS) Let Di and Dj be any two domain rings. If j < i Di Dj Disadvantages: Too complicated Violating need-to-know principle
Domain Implementation (UNIX) System consists of 2 domains: User mode Kernel mode UNIX Domain = user-id Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.
Domain Implementation (UNIX) Is it safe?
Domain Example load load Processes move back and forth between user mode, (i.e., user domain) and kernel mode, (i.e., kernel domain). Unix setuid User mode process Kernel mode real user id = 201 effective user id = 201 exec(“shell”) load shell owner=100 setuid bit=0 real user id = 201 effective user id = 201 exec(“a.out”) a.out owner=100 setuid bit=1 load 100
Access Matrix View protection as a matrix (access matrix) Rows represent domains Columns represent objects Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj
Access Matrix
Visualizing access matrix for UNIX -rwxr-xr-x 1 John students 14839 May 14 07:15 chatter -rw-r----- 1 John students 998 May 14 08:27 guru.c -rwxr-xr-- 2 John students 4096 May 17 11:59 data Domain/object chatter guru.c data Owner Read, write, execute Read, write group Read, execute Read world
Use of Access Matrix If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix. Can be expanded to dynamic protection. Special operations to change content of access matrix Change access rights: copy an access right from one domain to another owner rights
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Use of Access Matrix (Cont.) Access matrix design separates mechanism from policy. Policy User dictates policy. Who can access what object and in what mode. Mechanism Operating system provides access-matrix + rules. It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
Security
The Security Problem Security must consider external environment of the system, and protect the system resources Intruders (crackers) attempt to breach security (malicious access): Unauthorized reading of data Unauthorized modifications of data Unauthorized destruction of data Preventing legitimate use of the systems (denial of service)
User Authentication Protection (earlier discussed) majorly dependent on user authentication Based on use of Passwords Biometrics is another option but Still not implemented Not cost-effective yet An operating system bases much of its protection on knowing who a user of the system is. The ways of an operating system identify and authenticate a user are: 1. Use of Passwords 2. Attacks on Passwords 3. Password Selection Criteria 4. The Authentication Process 5. Flaws in the Authentication Process 6. Authentication Other Than Passwords
Use of Passwords Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. The use of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID, if the identification matches that on file for the user, the user is authenticated to the system. If the identification match fails, the user is rejected by the system. Passwords are mutually agreed-upon code words, assumed to be known only to the user and the system. The use of of passwords is fairly straightforward. A user enters some piece of identification, such as a name or an assigned user ID, if the identification matches that on file for the user, the user is authenticated to the system. If the identification match fails, the user is rejected by the system.
Attacks on Passwords Try all possible passwords exhaustive or brute force attack Is this impossible to create? Try many probable passwords Users do not likely select a password uncommon, hard to spell or pronounce, very long Try passwords likely for the user Password generally is meaningful to the user Here are some ways you might be able to determine a user’s password. An attacker tries all possible passwords. It is called brute force or exhaustive attack. Generally user won’t select a long, uncommon,hard to spell or pronounce password. So probably the intruder may guess the password. A user likely selects passwords meaningful to him/her. For example, the name of a spouse, a child, a brother or sister, a pet, a street name, or something similar.
Attacks on Passwords (cont’) Encrypted password (used in UNIX) Flaw was user tends to select a meaningful password (a word in the dictionary) System encrypts the word and stores the encrypted version The process is irreversible, so apparently secure Dictionary attack Off-line cluster attack In order to validate passwords, the system must have a way of comparing entries with actual passwords. Rather than trying to guess a user’s password, an attacker may instead target the system password file. The most easy way is to obtain the password directly from the user. People often tape a password to the side of a terminal, or write it on a card just inside the top desk drawer and so on.
Many Password Selection Criteria Use characters other than just A-Z Choose long passwords Avoid actual names or words Choose an unlikely password Change the password regularly Don’t write it down Don’t tell anyone else The preceding slides lead to some conclusions regarding appropriate passwords. Passwords should be hard to guess and hard to determine exhaustively. Here are some suggestions regarding password selection: Use characters other than just A-Z Choose long passwords Avoid actual names or words Choose an unlikely password Change the password regularly Don’t write it down Don’t tell anyone else
The Authentication Process Intentionally slow This makes exhaustive attack infeasible Identify intruder from the normal user Some who continuously fails to login may not be an authorized user. System disconnect a user after three to five failed logins What is the flaw? Some authentication procedures are intentionally slow. A legitimate user will not complain if the login process takes 5 or 10 seconds. To a penetrator who is trying an exhaustive search or a dictionary search, this delay makes this class of attack infeasible. Even a terrible typist should be able to login successfully in three to five tries. So someone who continuously fails to login may not be an authorized user. System disconnect a user after three to five failed logins
Program Threats Trojan Horse Trap Door Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed by other users Spyware, pop-up browser windows, covert channels PWSteal.Tarno.Q - registers itself as a browser helper (key logger) Trap Door Specific user identifier or password that circumvents normal security procedures Could be included in a program Combination of trojan horse and trap door even fatal Trojan.Lodeight.A opens a Back-door on TCP port 1084
How to defend against such program threats Analyze the execution patterns of the Trojan Horses & Trapdoors The malicious code is executed without user intervention. The malicious code may be directed by a remote attacker once a connection is made. Resources used by the malicious code, such as file names and network addresses, are hard-coded in the binary. OS resources (processes, memory) used by the malicious code may be consumed for the purpose of degrading performance. A key characteristic of Trojan Horses and Trapdoors is that they cannot be invoked by the attacker and are autonomous – at least until a connection is made.
Program Threats (contd.) Stack and Buffer Overflow Exploits a bug in a program (overflow either the stack or memory buffers)
Simple example code #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) foo(argv[1]);
"hello" is the first command line argument. Stack Buffer Overflow Before data is copied. "hello" is the first command line argument. "AAAAAAAAAAAAAAAAAAAA\x08\x35\xC0\x80" is the first command line argument.
System and Network Threats Worms – use spawn mechanism; standalone program Morris worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs Grappling hook program uploaded main worm program
System and Network Threats Denial of Service Easier than penetration attacks Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once Open tcp connection (never closing one)
Security Through Domain Separation Via Firewall