1 Security Chapter 9 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.


1 Security, Chapter 9. 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from outside the system 9.6 Protection mechanisms 9.7 Trusted systems

2 Security Environment. Security refers to the overall security problem; protection mechanisms are the specific operating system mechanisms used to safeguard information in the computer. Threats to computer systems: – Data confidentiality is concerned with having secret data remain secret. – Data integrity means that unauthorized users should not be able to modify any data without the owner's permission. – System availability means that nobody can disturb the system so as to make it unusable.

3 The Security Environment. Figure: security goals and the threats to each. From a security perspective, computer systems have three general goals.

4 Intruders. Common categories: 1. Casual prying by nontechnical users 2. Snooping by insiders 3. Determined attempts to make money 4. Commercial or military espionage

5 Accidental Data Loss. Valuable data can be lost by accident. Common causes: 1. Acts of God: fires, floods, wars 2. Hardware or software errors: CPU malfunction, bad disk, program bugs 3. Human errors: data entry, wrong tape mounted

6 Basics of Cryptography. The purpose of cryptography is to take a message or a file, called the plaintext, and encrypt it into the ciphertext in such a way that only authorized people know how to convert it back to the plaintext. The secrecy depends on parameters to the algorithms called keys.

7 Relationship between the plaintext and the ciphertext

8 Secret-Key Cryptography. Substitution cipher: each letter or group of letters is replaced by another letter or group of letters. – Caesar cipher: rotate the letters (a → D, b → E, c → F, ..., z → C). Example: attack → DWWDFN. – Monoalphabetic substitution: each letter is replaced by a different letter. Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext: QWERTYUIOPASDFGHJKLZXCVBNM Disadvantage: it does not smooth out letter frequencies in the ciphertext. – Polyalphabetic cipher: use multiple cipher alphabets.
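The two substitution ciphers from this slide, as an added example that is not part of the original slides: the Caesar rotation, the monoalphabetic cipher using the slide's cipher alphabet, and a frequency check that makes the stated disadvantage concrete (the letter counts of the ciphertext are exactly those of the plaintext, just relabelled).

```python
# Added example (not from the slides): the Caesar and monoalphabetic
# substitution ciphers with the slide's cipher alphabet, and a letter-frequency
# check showing the disadvantage the slide names: substitution permutes the
# letters but leaves the frequency distribution unchanged.
import string
from collections import Counter

PLAIN = string.ascii_uppercase
MONO = "QWERTYUIOPASDFGHJKLZXCVBNM"      # slide's ciphertext alphabet


def caesar(text, shift=3):
    """Rotate each letter `shift` places (a -> D for shift 3); the convention
    is lower-case plaintext, upper-case ciphertext. Non-letters pass through."""
    out = []
    for ch in text.lower():
        if ch in string.ascii_lowercase:
            out.append(PLAIN[(ord(ch) - ord("a") + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def mono_encrypt(text, cipher_alphabet=MONO):
    """Replace each plaintext letter by the letter at the same position of
    the cipher alphabet."""
    return text.upper().translate(str.maketrans(PLAIN, cipher_alphabet))


def mono_decrypt(text, cipher_alphabet=MONO):
    """Invert the substitution by swapping the two alphabets."""
    return text.upper().translate(str.maketrans(cipher_alphabet, PLAIN)).lower()


def letter_frequencies(text):
    """Letter counts sorted high to low: the shape of the distribution, which
    any monoalphabetic substitution preserves exactly."""
    counts = Counter(ch for ch in text.upper() if ch in PLAIN)
    return sorted(counts.values(), reverse=True)


def frequencies_preserved(plaintext):
    """True for every plaintext: the cipher only relabels the letters."""
    return letter_frequencies(plaintext) == letter_frequencies(mono_encrypt(plaintext))


if __name__ == "__main__":
    print(caesar("attack"))            # DWWDFN
    print(mono_encrypt("attack"))      # QZZQEA
    print(frequencies_preserved("the quick brown fox jumps over the lazy dog"))
```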

9 Secret-Key Cryptography. Transposition cipher: reorder the letters, but don't disguise them. – Select a key, e.g. MEGABUCK, write the plaintext in rows under it, and read the columns out in the alphabetical order of the key letters:
M E G A B U C K
p l e a s e t r
a n s f e r o n
e h u n d r e d
Plaintext pleasetransferonehundred → ciphertext afnsedtoelnhesurndpaeerr

10 Transposition Ciphers A transposition cipher.
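The columnar transposition the slide and figure describe, as an added example that is not part of the original slides. It uses the slide's key MEGABUCK and plaintext, reproduces the ciphertext shown, inverts it, and checks that the letter multiset is untouched (transposition reorders without disguising).

```python
# Added example (not from the slides): columnar transposition with the slide's
# key MEGABUCK. The plaintext is written row by row under the key and the
# columns are read out in the alphabetical order of the key letters.
KEY = "MEGABUCK"
PLAINTEXT = "pleasetransferonehundred"        # 24 letters = 3 full rows of 8


def column_order(key):
    """Indexes of the key's columns in the order they are read out.
    For MEGABUCK that is A(3) B(4) C(6) E(1) G(2) K(7) M(0) U(5).
    Ties between repeated key letters are broken left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def pad(text, width, filler="x"):
    """Fill the last row so the grid is rectangular (filler is constructed)."""
    remainder = len(text) % width
    return text if remainder == 0 else text + filler * (width - remainder)


def transpose_encrypt(plaintext, key=KEY):
    width = len(key)
    if len(plaintext) % width:
        raise ValueError("plaintext must fill whole rows; use pad() first")
    rows = [plaintext[i:i + width] for i in range(0, len(plaintext), width)]
    # Walk the columns in key order, top to bottom within each column.
    return "".join(row[col] for col in column_order(key) for row in rows)


def transpose_decrypt(ciphertext, key=KEY):
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    # Refill the columns in the same order they were read out.
    for col in column_order(key):
        for row in range(height):
            grid[row][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def letters_preserved(plaintext, ciphertext):
    """Transposition only reorders, so the multiset of letters is unchanged:
    a frequency count still reveals the plaintext language."""
    return sorted(plaintext) == sorted(ciphertext)


if __name__ == "__main__":
    c = transpose_encrypt(PLAINTEXT)
    print(c)                                    # afnsedtoelnhesurndpaeerr
    print(transpose_decrypt(c))                 # pleasetransferonehundred
```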

11 Secret-Key Cryptography. Given the encryption key, it is easy to find the decryption key. Secret-key cryptography is also called symmetric-key cryptography because the same key is used for encryption and decryption. The Data Encryption Standard (DES): – block cipher adopted by the US Government in Jan – encryption based on a 56-bit key. The Advanced Encryption Standard (AES): – in November 2001, Rijndael became the US Government standard.

12 Public-Key Cryptography. Public-key cryptography has the property that: – distinct keys are used for encryption and decryption; – given a well-chosen encryption key, it is virtually impossible to discover the corresponding decryption key. The encryption key can therefore be made public, and only the private decryption key is kept secret.

13 Public-Key Cryptography. Public-key cryptography uses an encryption algorithm E and a decryption algorithm D such that deriving D is effectively impossible even with a complete description of E. You can encrypt without knowing how to decrypt. Requirements: – D(E(P)) = P – It is extremely difficult to deduce the decryption key from the encryption key. – E cannot be broken by a plaintext attack.

14 Public-Key Cryptography. All users pick a public key/private key pair: – the public key is published – the private key is not published. The public key is the encryption key; the private key is the decryption key.

15 Public-Key Cryptosystems: RSA. RSA, named after its inventors Rivest, Shamir, and Adleman, is a public-key cryptographic algorithm. The security of RSA comes from the fact that no methods are known to efficiently find the prime factors of large numbers. For example, 2100 can be written as 2100 = 2 x 2 x 3 x 5 x 5 x 7, making 2, 3, 5, and 7 the prime factors of 2100. In RSA, the private and public keys are constructed from very large prime numbers. It turns out that breaking RSA is equivalent to finding those two prime numbers.

16 Public-Key Cryptography. RSA (Rivest, Shamir, Adleman) algorithm: – choose 2 large primes, p and q (> 10^100). – compute n = pq and z = (p-1)(q-1). – choose a number relatively prime to z (that is, one that has no common factors with z) and call it d. – find e such that e x d mod z = 1. Group the plaintext P into blocks such that 0 <= P < n; then C = P^e (mod n) and P = C^d (mod n).

17 Public-Key Cryptography. Example: p = 13, q = 17 → n = 13 x 17 = 221, z = (13 – 1) x (17 – 1) = 192. Let d = 5 (relatively prime to z = 192). e x d mod 192 = 1 → e x d = 192 x k + 1 (k = 0, 1, 2, …) = 1, 193, 385, …; 385 is divisible by d = 5 → e = 385/5 = 77. Example: p = 3, q = 11 → n = 3 x 11 = 33, z = (3 – 1) x (11 – 1) = 20. Let d = 7 (relatively prime to z). 7 x e mod 20 = 1 → 7e = 1, 21, … → e = 3. C = P^3 (mod 33), P = C^7 (mod 33).

18 RSA An example of the RSA algorithm.
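The RSA key construction from slides 16 and 17, as an added example that is not part of the original slides: it derives e from the chosen d for both key sets on the slide (p=13, q=17, d=5 and p=3, q=11, d=7) and encrypts and decrypts letter blocks with the small n=33 key. The letter encoding a=1 ... z=26 is an assumption made here so that every block satisfies 0 <= P < 33.

```python
# Added example (not from the slides): RSA key construction and block
# encryption with the slide's two key sets (p=13, q=17, d=5 and p=3, q=11, d=7).
# The letter encoding a=1 ... z=26 is an assumption for the tiny modulus n=33.
from math import gcd


def make_keys(p, q, d):
    """Follow the slide: n = pq, z = (p-1)(q-1), then find e with e*d mod z = 1.
    Returns (n, z, e); d is the private exponent chosen by the caller."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # modular inverse of d mod z (Python 3.8+)
    return n, z, e


def encrypt_block(P, e, n):
    """C = P^e (mod n); the block must satisfy 0 <= P < n."""
    if not 0 <= P < n:
        raise ValueError("plaintext block out of range")
    return pow(P, e, n)


def decrypt_block(C, d, n):
    """P = C^d (mod n)."""
    return pow(C, d, n)


def encrypt_letters(text, e, n):
    """One lower-case letter per block, a=1 ... z=26 (assumed encoding)."""
    return [encrypt_block(ord(ch) - ord("a") + 1, e, n) for ch in text.lower()]


def decrypt_letters(blocks, d, n):
    """Inverse of encrypt_letters."""
    return "".join(chr(decrypt_block(C, d, n) + ord("a") - 1) for C in blocks)


if __name__ == "__main__":
    print(make_keys(13, 17, 5))          # (221, 192, 77)
    n, z, e = make_keys(3, 11, 7)        # (33, 20, 3)
    blocks = encrypt_letters("attack", e, n)
    print(blocks, decrypt_letters(blocks, 7, n))
```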

19 Pretty Good Privacy (PGP). Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt over the Internet. It can also be used to send an encrypted digital signature that lets the receiver verify the sender's identity and know that the message was not changed en route. Available both as freeware and in a low-cost commercial version, PGP is the most widely used privacy-ensuring program among individuals and is also used by many corporations. Developed by Philip R. Zimmermann in 1991, PGP has become a de facto standard for security. PGP can also be used to encrypt stored files so that they are unreadable by other users or intruders.

20 One-Way Functions. A function such that, given the formula for f(x), it is easy to evaluate y = f(x), but given y, it is computationally infeasible to find x. Example: the functions used in public-key cryptography.

21 Digital Signatures. Digital signatures make it possible to sign messages and other digital documents in such a way that they cannot be repudiated by the sender later. Steps to use digital signatures: – The sender runs the document through a one-way hashing algorithm. – The sender applies his private key to the hash to get D(hash). This is called the signature block. – The receiver computes the hash of the document using MD5 or SHA and then applies the sender's public key to the signature block to get E(D(hash)). The two values are compared.

22 Digital Signatures. (a) Computing a signature block (b) What the receiver gets

23 Digital Signatures. The most popular hashing functions used are: – MD5 (Message Digest) – SHA (Secure Hash Algorithm). The public key is usually published. To prevent it from being altered, message senders can attach a certificate to the message, which contains: – the user's name – the public key – digitally signed by a trusted third party.

24 User Authentication. Basic principles: authentication must identify 1. Something the user knows 2. Something the user has 3. Something the user is. In the computer world, hacker is a term of honor reserved for great programmers. Crackers are those who try to break into computer systems where they do not belong.

25 Authentication Using Passwords. The most widely used form of authentication is to require the user to type a login name and a password. Selecting good passwords makes it difficult for a cracker to guess them. In the following, which is the better practice?

26 Authentication Using Passwords (a) A successful login (b) Login rejected after name entered (c) Login rejected after name and password typed

27 How do crackers break in? Locate machines: – War dialers dial through a telephone exchange (770-xxxx). – Use ping to test whether a computer is up and running. Guess a password. Become superuser. Install a packet sniffer, software that examines all incoming and outgoing network packets. Real hackers refer to those who are just running scripts they found on the Internet as script kiddies.

28 Authentication Using Passwords. How a cracker broke into LBL, a U.S. Dept. of Energy research lab.

29 UNIX Password Security. – The login program asks the user to type his name and password. – The login program then reads the password file until it finds the line containing the user's login name. If the password matches, the login is permitted. Improvement: associate an n-bit random number, called the salt, with each password.

30 Authentication Using Passwords. The use of salt to defeat precomputation of encrypted passwords (figure columns: Salt, Password).
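The salt mechanism from slides 29 and 30, as an added example that is not part of the original slides. SHA-256 stands in for the UNIX crypt() function, and the user names, passwords and word list are constructed; demo() shows that a table of hashed words built once without salts recovers an unsalted password in one lookup but misses a salted one, and that two users with the same password no longer share a hash.

```python
# Added example (not from the slides): storing passwords with a per-user salt
# and the precomputation the salt defeats. SHA-256 stands in for the UNIX
# crypt() function; the users, passwords and word list are constructed.
import hashlib
import hmac
import secrets

DICTIONARY = ["letmein", "password", "hunter2", "qwerty"]   # constructed word list


def hash_password(password, salt):
    """Hash of salt + password; the salt is stored in the clear beside the hash."""
    return hashlib.sha256(salt + b":" + password.encode()).hexdigest()


def store_entry(username, password, salt_bytes=8):
    """Password-file line: (name, random salt, hash). A fresh salt per user."""
    salt = secrets.token_hex(salt_bytes).encode()
    return (username, salt, hash_password(password, salt))


def verify(entry, attempt):
    """Login check: rehash the attempt with the stored salt and compare
    in constant time."""
    _, salt, stored = entry
    return hmac.compare_digest(stored, hash_password(attempt, salt))


def precomputed_table(words):
    """Table that can be built once, with no salt: hash -> word."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def demo():
    table = precomputed_table(DICTIONARY)
    unsalted_hash = hashlib.sha256(b"hunter2").hexdigest()   # storage without salt
    alice = store_entry("alice", "hunter2")
    bob = store_entry("bob", "hunter2")
    return {
        # one lookup recovers an unsalted password from the table
        "unsalted_recovered": table.get(unsalted_hash),
        # the salted hash is not in the table; a separate table per possible
        # salt value (2^(8*salt_bytes) of them) would be needed instead
        "salted_recovered": table.get(alice[2]),
        # identical passwords no longer produce identical hashes
        "same_password_same_hash": alice[2] == bob[2],
        "login_ok": verify(alice, "hunter2"),
        "login_bad": verify(alice, "hunter3"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```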

31 Improving Password Security. The password program might complain: – Passwords should be a minimum of seven characters. – Passwords should contain both upper and lower case letters. – Passwords should contain at least one digit or special character. – Passwords should not be dictionary words, people's names, etc. One-time passwords. Challenge-response authentication.

32 Authentication Using a Physical Object. Information-bearing plastic cards come in two varieties: – Magnetic stripe cards – Chip cards: stored value cards, smart cards. Smart cards: – Advantages: they do not need an online connection to a bank; secure login authentication. – Disadvantages: a fixed cryptographic protocol could be broken; slower operation. – Example: American Express credit cards.

33 Authentication Using a Physical Object. Cards: – magnetic stripe cards – chip cards: stored value cards, smart cards.

34 Authentication Using Biometrics. Biometrics are physical characteristics of the user that are hard to forge. A biometric system has two parts: – Enrollment: the biometric is stored in a database or on a smart card. – Identification: the user shows up and provides a login name.

35 Authentication Using Biometrics. Examples: – Finger length – Fingerprint – Retinal pattern analysis – Signature analysis – Voice recognition – Urine sample – DNA analysis

36 Authentication Using Biometrics A device for measuring finger length.

37 Countermeasures. Limiting the times when someone can log in. Automatic callback at a prespecified number. A limited number of login tries. A database of all logins. A simple login name/password as a trap: – security personnel are notified when the attacker bites.

38 Operating System Security: Trojan Horses. A free program is made available to an unsuspecting user: – it actually contains code to do harm. Place an altered version of a utility program on the victim's computer: – trick the user into running that program.

39 Login Spoofing (a) Correct login screen (b) Phony login screen

40 Logic Bombs and Trap Doors. A logic bomb is a piece of code written by a company programmer: – it has the potential to do harm – it stays harmless as long as he/she enters a password daily – if the programmer is fired, no password is entered and the bomb explodes. A trap door is code inserted into the system by a system programmer to bypass some normal check. – Solution: code reviews.

41 Trap Doors (a) Normal code. (b) Code with a trapdoor inserted

42 Buffer Overflow. Most systems are written in C. No C compiler does array bounds checking. An overflow could point to an invalid address or even to executable code. It is difficult to fix because there are so many existing C programs around that do not check for buffer overflow.

43 Buffer Overflow. (a) Situation when the main program is running (b) After program A is called (c) Buffer overflow shown in gray

44 Generic Security Attacks. One way to test a system's security is to hire a group of experts, known as tiger teams or penetration teams, to see if they can break in. When designing a system, it should withstand typical attacks: – Request memory, disk space, or tapes and just read them – Try illegal system calls – Start a login and hit DEL, RUBOUT, or BREAK – Try modifying complex OS structures – Try to do the specified DO NOTs – Convince a system programmer to add a trap door – Beg the administrator's secretary to help a poor user who forgot his password.

45 Famous Security Flaws. UNIX: – lpr: remove the password file – Force a core dump onto the password file – Use some root-related command such as mkdir. TENEX (for DEC-10 computers): – Carefully position a password to cause a page fault for each character input. OS/360: – During the password verification, wind the tape to read the unauthorized file.

46 Famous Security Flaws The TENEX – password problem (a)(b)(c)

47 Design Principles for Security. 1. System design should be public 2. Default should be no access 3. Check for current authority 4. Give each process the least privilege possible 5. The protection mechanism should be simple, uniform, and in the lowest layers of the system 6. The scheme should be psychologically acceptable. Keep the design simple.

48 Network Security. External threat: – code is transmitted to the target machine – code is executed there, doing damage. Goals of the virus writer: – a quickly spreading virus – difficult to detect – hard to get rid of. A virus is a program that can reproduce itself: – by attaching its code to another program – and, additionally, do harm. Worms are programs which can self-replicate without attaching to another program.

49 Virus Damage Scenarios. Blackmail (encrypt your files and ask for money). Denial of service as long as the virus runs: main() {while (1) fork();}. Permanently damage hardware (overwrite the BIOS). Target a competitor's computer: – do harm (reduce product quality) – espionage (steal industrial secrets). Intra-corporate dirty tricks: – sabotage another corporate officer's files (then get promoted).

50 How Viruses Work. The virus is written in assembly language and inserted into another program: – a tool called a "dropper" is used to attach the virus to another program. The virus stays dormant until the program is executed: – then it infects other programs – and eventually executes its "payload". – The payload may do nothing until a certain date has passed.

51 How Viruses Work. Seven kinds of virus, based on what is infected: – Companion: prog.com, prog.exe – Executable program – Memory – Boot sector – Device driver – Macro – Source code

52 How Viruses Work. Executable program viruses: – Overwriting viruses overwrite the executable program with themselves. – Parasitic viruses attach themselves to the program and do their dirty work, but allow the program to function normally afterward. – Cavity viruses hide themselves in unused holes within the program.

53 How Viruses Work Recursive procedure that finds executable files on a UNIX system Virus could infect (or attach virus to) them all

54 How Viruses Work An executable program With a virus at the front With the virus at the end With a virus spread over free space within program

55 Viruses. A memory-resident virus stays in memory all the time. A virus that resides in the master boot record or boot sector is called a boot sector virus. A device driver virus is a virus that infects a device driver. A macro virus is a macro attached to a document. A source code virus is virus code included in a program's source code.

56 How Viruses Work After virus has captured interrupt, trap vectors After OS has retaken printer interrupt vector After virus has noticed loss of printer interrupt vector and recaptured it

57 How Viruses Spread. The virus is placed where it is likely to be copied. When copied: – it infects programs on the hard drive or floppy – it may try to spread over the LAN. Attach it to an innocent-looking e-mail: – when it runs, it uses the mailing list to replicate.

58 Antivirus and Anti-Antivirus Techniques. A goat file is a program that does nothing but can be infected by a virus. Use the goat file to create the profile of a virus and insert it into the virus database. Virus scanners scan every executable file, or some specific types of files, to locate the virus. The antivirus program can detect file infection by comparing the file length. A virus that mutates on each copy is called a polymorphic virus. A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine.

59 Antivirus and Anti-Antivirus Techniques (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code

60 Antivirus and Anti-Antivirus Techniques Examples of a polymorphic virus All of these examples do the same thing

61 Antivirus and Anti-Antivirus Techniques. Integrity checkers use a checksum to identify an infected file. Behavioral checkers stay in memory and try to catch the virus. Virus avoidance: better safe than sorry. – use a good OS – install only shrink-wrapped software – use antivirus software – do not click on attachments to e-mail – make frequent backups.
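An integrity checker of the kind slides 58 and 61 describe, as an added example that is not part of the original slides: it records each program's length and checksum once, then re-scans and reports files whose length changed (the cheap length comparison from slide 58) or whose contents changed at the same length. The files and the tampering in demo() are constructed in a temporary directory; SHA-256 is the checksum.

```python
# Added example (not from the slides): an integrity checker recording each
# file's length and checksum once and later reporting files whose length or
# contents changed. Files and tampering are constructed; SHA-256 is the checksum.
import hashlib
import os
import shutil
import tempfile


def fingerprint(path):
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(paths):
    """Run once on a clean system. The baseline must itself be kept where the
    checked programs cannot rewrite it, e.g. on read-only media."""
    return {p: fingerprint(p) for p in paths}


def check(baseline):
    """Re-scan and report every file that no longer matches the baseline."""
    report = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        new_size, new_digest = fingerprint(path)
        if new_size != size:
            report[path] = "length changed"      # the cheap check from slide 58
        elif new_digest != digest:
            report[path] = "content changed"     # same length, different bytes
    return report


def demo():
    workdir = tempfile.mkdtemp()
    try:
        files = {}
        for name in ("ls", "cp", "mv"):          # constructed stand-in programs
            files[name] = os.path.join(workdir, name)
            with open(files[name], "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        baseline = build_baseline(files.values())
        # Constructed tampering: grow one file (as a parasitic infection would)
        # and overwrite bytes in another without changing its length.
        with open(files["ls"], "ab") as f:
            f.write(b"# extra bytes\n")
        with open(files["cp"], "r+b") as f:
            f.write(b"#!/bin/SH")
        report = check(baseline)
        return {os.path.basename(p): v for p, v in report.items()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())    # {'ls': 'length changed', 'cp': 'content changed'}
```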

62 Antivirus and Anti-Antivirus Techniques. What the industry should do: – Make simple operating systems – Forget active content – There should be a way to selectively write-protect specified disk cylinders to prevent viruses from infecting the programs on them. – Flash ROM is a nice idea, but it should only be modifiable when an external toggle switch has been flipped. Recovery from a virus attack: – halt the computer, reboot from a safe disk, run antivirus software.

63 The Internet Worm. On Nov. 2, 1988 a Cornell graduate student, Robert Tappan Morris, released a worm program onto the Internet. It consisted of two programs: – a bootstrap to upload the worm – the worm itself. The worm first hid its existence. Next it replicated itself on new machines: – Run a remote shell using the rsh command – Overflow the finger daemon to execute sh – Use sendmail to mail a copy of the bootstrap and get it executed.

64 The Internet Worm. Morris was caught when one of his friends spoke with the New York Times computer reporter, John Markoff, and tried to convince Markoff that the incident was an accident. Morris was tried and convicted in federal court. He was sentenced to a fine of $10,000, 3 years probation, and 400 hours of community service. The CERT (Computer Emergency Response Team) was established thereafter. What is Morris doing now?

65 Mobile Code. Many Web pages contain small programs called applets that are fetched and executed. Agents are programs that are shipped from one machine to another for execution. A PostScript file is a file to be printed on a PostScript printer.

66 Mobile Code. Methods of dealing with applets and mobile code: – Sandboxing attempts to confine each applet to a limited range of virtual addresses enforced at run time. – Interpretation makes applets run interpretively, for example in the JVM (Java Virtual Machine). – Code signing: accept applets only from trusted sources. Security was part of the Java design.

67 Mobile Code Sandboxing (a) Memory divided into 1-MB sandboxes (b) One way of checking an instruction for validity

68 Mobile Code. Applets can be interpreted by a Web browser: – an untrusted applet is confined to the sandbox – local applets are trusted applets.

69 Code Signing. How code signing works: – The vendor computes a hash function of the applet to get a 128-bit or 160-bit number, depending on whether MD5 or SHA is used. – It then signs the hash value by encrypting it with its private key. – When the applet is received, the browser computes the hash function and decrypts the accompanying signature using the vendor's public key.

70 Mobile Code How code signing works

71 Java Security. Java programs are compiled to an intermediate binary code called JVM byte code. Java is a type-safe language: – the compiler rejects attempts to misuse variables. Checks include: 1. Attempts to forge pointers 2. Violation of access restrictions on private class members 3. Misuse of variables by type 4. Generation of stack over/underflows 5. Illegal conversion of variables to another type

72 Java Security. Examples of the protection specified with JDK 1.2: – the security policy (code signing) applies to all local and remote applets.

73 Protection Mechanisms. Protection mechanisms are mechanisms used to safeguard data. – Policy: whose data are to be protected from whom. – Mechanism: how the policy is enforced in the system (our emphasis). Protection domains: – object = a computer resource, either hardware (CPU, printer, etc.) or software (files, processes, etc.). – right = an appropriate operation on an object (read, write). – protection domain = a set of (object, rights) pairs. In some systems, protection is enforced by a program called a reference monitor.

74 Protection Mechanisms Protection Domains Examples of three protection domains

75 Protection Mechanisms. At every instant in time, each process runs in some protection domain (e.g. in UNIX the domain of a process is defined by its user id (uid) and group id (gid)). – A system call causes a domain switch. – e.g. when a process EXECs a file with the SETUID or SETGID bit on, the process acquires a new effective UID or GID, giving it a different (UID, GID) combination. – For example, passwd.

76 Protection Mechanisms. How to keep track of which object belongs to which domain? – Protection matrix: a large matrix with the rows being domains and the columns being objects. – Access Control List (ACL): store it by column. – Capabilities: store it by row.

77 Protection Domains A protection matrix

78 Protection Domains A protection matrix with domains as objects

79 Access Control Lists. An Access Control List (ACL) is the technique of associating with each object an ordered list containing the domains that may access the object and their rights: – file1 → (1, r) → (2, rw) → NULL, i.e. file1: (Anne's UID, r), (Bob's UID, rw). – e.g. UNIX provides 3 bits (rwx) per file for each of: owner, owner's group, others. – The owner can change the protection bits at any time using chmod (change mode).

80 Access Control Lists. Use of access control lists to manage file access.

81 Access Control Lists Two access control lists

82 Capabilities. A capability list, or C-list, is a method of associating with each process a list of the objects that may be accessed and the operations permitted on them. Requests are sent to a type manager. The type manager is given more rights than the capability itself allows (e.g. to read an inode in order to access a file; this is called rights amplification).

83 Capabilities. Capabilities usually have generic rights: 1. Copy capability: create a new object with the same capability. 2. Copy object: create a duplicate object with a new capability. 3. Remove capability: delete an entry from the C-list. 4. Destroy object: permanently remove an object and its capability.

84 Capabilities Each process has a capability list
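The protection matrix and its two storage forms from slides 76 to 84, plus the SETUID domain switch from slide 75, as an added example that is not part of the original slides. The matrix, domain names, object names and programs are constructed; acl() slices the matrix by column, clist() by row, and allowed() is the reference-monitor check with no access as the default.

```python
# Added example (not from the slides): a constructed protection matrix, ACLs
# derived by column, capability lists by row, a reference-monitor check that
# defaults to no access, and the UNIX-style SETUID domain switch from slide 75.
MATRIX = {                       # rows: domains, columns: objects (constructed)
    "Anne": {"file1": {"r"}, "file3": {"r", "w", "x"}},
    "Bob":  {"file1": {"r", "w"}, "file2": {"r"}},
    "root": {"file1": {"r", "w"}, "file2": {"r", "w"},
             "file3": {"r", "w", "x"}, "passwd_db": {"r", "w"}},
}

# program -> (owner domain, SETUID bit set?); constructed
PROGRAMS = {"passwd": ("root", True), "ls": ("root", False)}


def acl(matrix, obj):
    """ACL = the column for one object: which domains may access it, and how."""
    return {dom: set(row[obj]) for dom, row in matrix.items() if obj in row}


def clist(matrix, domain):
    """Capability list = the row for one domain: its objects and rights."""
    return {obj: set(rights) for obj, rights in matrix.get(domain, {}).items()}


def allowed(matrix, domain, obj, right):
    """Reference monitor: every access goes through here. An absent entry
    means no access (design principle 2: default should be no access)."""
    return right in matrix.get(domain, {}).get(obj, set())


def effective_domain(domain, program):
    """EXEC of a SETUID program switches the process to the owner's domain;
    otherwise it stays in its own domain."""
    owner, setuid = PROGRAMS[program]
    return owner if setuid else domain


def change_password(matrix, user):
    """A user cannot write passwd_db directly, but running the SETUID passwd
    program moves the process into root's domain, which can. Returns
    (direct access allowed, access via passwd allowed)."""
    direct = allowed(matrix, user, "passwd_db", "w")
    via_passwd = allowed(matrix, effective_domain(user, "passwd"), "passwd_db", "w")
    return direct, via_passwd


if __name__ == "__main__":
    print(acl(MATRIX, "file1"))
    print(clist(MATRIX, "Bob"))
    print(change_password(MATRIX, "Anne"))   # (False, True)
```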

85 Cryptographically-protected capability. Generic rights: 1. Copy capability 2. Copy object 3. Remove capability 4. Destroy object. Capability fields: Server | Object | Rights | f(Object, Rights, Check)

86 Trusted Systems. Two questions are asked: – Is it possible to build a secure computer system? Yes. – If so, why is it not done? Current systems are not secure, but users are unwilling to throw them out. Building a secure system requires keeping it simple, but users want more features. More features mean more complexity, more code, more bugs, and more security errors. The TCB (Trusted Computing Base) consists of the hardware and software necessary for enforcing all the security rules.

87 Trusted Systems Trusted Computing Base A reference monitor

88 Formal Models of Secure Systems. (a) An authorized state (b) An unauthorized state. Can it be proven that the system can never reach an unauthorized state? This is difficult.

89 Multilevel Security. The Bell-La Padula model is designed for handling military security. The Biba model is designed for data integrity. The U.S. Department of Defense uses the Orange Book to divide operating systems into seven categories based on their security properties.

90 Multilevel Security The Bell-La Padula multilevel security model

91 Multilevel Security: The Biba Model. Principles to guarantee the integrity of data: 1. Simple integrity principle: a process can write only objects at its security level or lower. 2. The integrity * property: a process can read only objects at its security level or higher.
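The two Biba rules from this slide as a reference-monitor check, as an added example that is not part of the original slides. It places them beside the Bell-La Padula rules (named on slide 89 but not listed there; the well-known "no read up, no write down" pair) and then computes, for each model, between which levels information can flow at all, which shows the two models to be exact mirror images. The level names are constructed.

```python
# Added example (not from the slides): Biba's two integrity rules beside
# Bell-La Padula's two confidentiality rules, plus a check of which direction
# information can flow under each model. The level names are constructed.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


def rank(level):
    return LEVELS.index(level)


def biba_allows(op, subject, obj):
    s, o = rank(subject), rank(obj)
    if op == "read":
        return o >= s      # simple integrity: read only own level or higher
    if op == "write":
        return o <= s      # integrity *-property: write only own level or lower
    raise ValueError(op)


def blp_allows(op, subject, obj):
    s, o = rank(subject), rank(obj)
    if op == "read":
        return o <= s      # simple security: no read up
    if op == "write":
        return o >= s      # *-property: no write down
    raise ValueError(op)


def flow_possible(model, src, dst):
    """Can data at level src reach level dst? Only if some subject may read
    src and then write dst. Under BLP that is upward only, under Biba
    downward only."""
    return any(model("read", s, src) and model("write", s, dst) for s in LEVELS)


def flow_matrix(model):
    return {(a, b): flow_possible(model, a, b) for a in LEVELS for b in LEVELS}


def models_are_duals():
    """Every cross-level flow BLP permits, Biba forbids, and vice versa."""
    blp, biba = flow_matrix(blp_allows), flow_matrix(biba_allows)
    return all(blp[(a, b)] != biba[(a, b)]
               for a in LEVELS for b in LEVELS if a != b)


if __name__ == "__main__":
    for model in (blp_allows, biba_allows):
        print(model.__name__, {k: v for k, v in flow_matrix(model).items() if v})
    print(models_are_duals())   # True
```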

92 Orange Book Security. The symbol X means new requirements; the symbol -> means the requirements from the next lower category also apply here.

93 Orange Book Security

94 Covert Channels. A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy." Essentially, it is a method of communication that is not part of the actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.

95 Covert Channels Client, server and collaborator processes Encapsulated server can still leak to collaborator via covert channels

96 Covert Channels A covert channel using file locking

97 Covert Channels. The pictures appear the same, but information is hidden in the image: this is called steganography. The picture on the right has the text of 5 Shakespeare plays: – encrypted, inserted into the low-order bits of the color values. Figure labels: Zebras; Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear.