Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs.

Slides:



Advertisements
Similar presentations
1 Identification Who are you? How do I know you are who you say you are?
Advertisements

Chapter 9 Security 9.1 The security environment
Sockets and Services CS-480b Dick Steflik. Evaluating Socket Based Services How complex is the service? How might the service be abused? What information.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
What we will cover… Protection and Security in OS.
Chapter 1 Introduction
1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.
1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats.
Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
File System Implementation
Web server security Dr Jim Briggs WEBP security1.
Buffer Overflow Attacks Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.
Chapter 5 Input/Output I/O Hardware I/O Software Software Layers Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
1 Security Chapter The security environment 9.2 User authentication 9.3 Attacks from inside the system 9.4 Attacks from outside the system 9.5 Protection.
Chapter 15: Security (Part 1). The Security Problem Security must consider external environment of the system, and protect the system resources Intruders.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.
Introduction to Operating Systems Chapter 1. cs431 -cotter2 Lecture Objectives Understand the relationship between computing hardware, operating system,
Security 0 The Secure Environment. Security 1 The Secure Environment Security goals (C.I.A.) and threats.
Operating Systems 1 K. Salah Module 6.0: Security and Protection  Types of misuse: –1. Accidental –2. Intentional –Protection is to prevent either accidental.
1 Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
Security. cs431-cotter2 Figure 9-1. Security goals and threats. Threats Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights.
CS 4010 Hacking Samba Server Vulnerabilities. Recon Telnet headers claim the following: –Red Hat Linux release 9 (Shrike) –Kernel smp on an i686.
Operating system Security By Murtaza K. Madraswala.
1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
Chapter 4 – Protection in General-Purpose Operating Systems Section 4.5 User Authentication.
INTRUDERS BY VISHAKHA RAUT TE COMP OUTLINE INTRODUCTION TYPES OF INTRUDERS INTRUDER BEHAVIOR PATTERNS INTRUSION TECHNIQUES QUESTIONS ON INTRUDERS.
Lecture 20 Hacking. Over the Internet Over LAN Locally Offline Theft Deception Modes of Hacker Attack.
Security Chapter 9 Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
CHAPTER 9 Sniffing.
Security CS Introduction to Operating Systems.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Database Security David Nguyen. Dangers of Internet  Web based applications open up new threats to a corporation security  Protection of information.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Chapter 1 Introduction  What is an operating system  History of operating systems  The operating system zoo  Computer hardware review  Operating system.
CSCE 201 Identification and Authentication Fall 2015.
CIS 450 – Network Security Chapter 10 – UNIX Password Crackers.
Technical Devices for Security Management Kathryn Hockman COSC 481.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
1 E-Site - FTP Services Setup / install guide. 2 About FTP services can run on any desired port(s) Runs as a windows service Works for all sites installed.
Company LOGO Security in Linux PhiHDN - VuongNQ. Contents Introduction 1 Fundamental Concepts 2 Security System Calls in Linux 3 Implementation of Security.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
MODERN OPERATING SYSTEMS Third Edition ANDREW S
2N Helios IP - News May 11th 2017.
Operating system Security
Common Operating System Exploits
Chapter 9 Security 9.1 The security environment
Controlling A Computer
CS703 - Advanced Operating Systems
Security.
Operating System Concepts
Crisis and Aftermath Morris worm.
Chapter 14: Protection.
FIGURE Illustration of Stack Buffer Overflow
Presentation transcript:

Chapter 9 Security Authentication Insider Attacks Exploiting Code Bugs

Authentication General principles of authenticating users: Something the user knows. Something the user has. Something the user is. Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure (a) A successful login. (b) Login rejected after name is entered. (c) Login rejected after name and password are typed. Authentication Using Passwords Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure How a cracker broke into a U.S. Department of Energy computer at LBL. How Crackers Break In Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure The use of salt to defeat precomputation of encrypted passwords. UNIX Password Security Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Challenge-Response Authentication The questions should be chosen so that the user does not need to write them down. Examples: Who is Marjolein’s sister? On what street was your elementary school? What did Mrs. Woroboff teach? Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure Use of a smart card for authentication. Authentication Using a Physical Object Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure A device for measuring finger length. Authentication Using Biometrics Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure (a) Normal code. (b) Code with a trap door inserted. Trap Doors Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure (a) Correct login screen. (b) Phony login screen. Login Spoofing Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Exploiting Code Bugs Example steps to exploit a bug: Run port scan to find machines that accept telnet connections. Try to log in by guessing login name and password combinations. Once in, run the flawed program with input that triggers the bug. If the buggy program is SETUID root, create a SETUID root shell. Fetch and start a zombie program that listens to an IP port for cmds. Arrange that the zombie program is started when the system reboots. Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown in gray. Buffer Overflow Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure (a) The stack before the attack. (b) The stack after the stack has been overwritten. Return to libc Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved

Figure Code that might lead to a code injection attack. Code Injection Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved