Published by Gabrielle Wiley. Modified over 11 years ago.
Slide 1: Computer Security
Patricia Roy, Manatee Community College, Venice, FL
Chapters 14 and 15 of Operating Systems: Internals and Design Principles, 6/E, William Stallings
©2008, Prentice Hall

Slide 2: Computer Security Concepts
- Confidentiality
  – Data confidentiality
  – Privacy
- Integrity
  – Data integrity
  – System integrity
- Availability

Slide 3: The Security Requirements Triad

Slide 4: Additional Concepts
- Authenticity: verification, trusted source
- Accountability: e.g., trace a security breach to a responsible party
Slide 5: Disclosure

Slide 6: Deception

Slide 7: Disruption

Slide 8: Usurpation

Slide 9: Scope of System Security

Slide 10: Assets
Slide 11: Intruders
- Masquerader: non-authorized user exploiting an authorized user's account
- Misfeasor: legitimate user gaining non-authorized access to resources
- Clandestine user: seizes supervisory control of the system for evasion
Slide 12: Hacker

Slide 13: Criminals

Slide 14: Insiders
Slide 15: Malware
- Parasitic (needs a host: virus, logic bomb, backdoor) or self-contained (worm, bot)
- Replicating (virus, worm) or non-replicating (activated by a trigger: logic bomb, backdoor, bot)

Slide 16: Backdoor (Trapdoor)
- Secret entry point that avoids the usual security access procedure
- Useful to programmers for debugging (maintenance hook)

Slide 17: Logic Bomb
- Embedded in a legitimate program
- "Explodes" when certain conditions are met
  – Presence or absence of certain files
  – Particular day of the week
  – Particular user running the application

Slide 18: Trojan Horse
- Useful program that contains hidden code which, when invoked, performs some unwanted or harmful function
- Can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly
  – User may set file permissions so everyone has access
  – login
Slide 19: Mobile Code
- Transmitted from a remote system to a local system
- Executed on the local system without the user's explicit instruction

Slide 20: Multiple-Threat Malware
- Multipartite virus: infects in multiple ways
- Blended attack: uses multiple methods
- Example: Nimda has worm, virus, and mobile code characteristics

Slide 21: Parts of a Virus
- Infection mechanism
- Trigger
- Payload

Slide 22: Virus Stages
- Dormant phase
  – Virus is idle
- Propagation phase
  – Virus places an identical copy of itself into other programs or into certain system areas on the disk

Slide 23: Virus Stages (continued)
- Triggering phase
  – Virus is activated to perform the function for which it was intended
  – Caused by a variety of system events
- Execution phase
  – Function is performed
Slide 24: Simple Virus

Slide 25: Compression Virus
Slide 26: Virus Classification by Target
- Boot sector infector: spreads when booting
- File infector: infects executable files
- Macro virus: platform independent
  – Most infect Microsoft Word documents
  – Infect documents, not executable portions of code
  – Easily spread
  – File system access controls are of limited use in preventing spread

Slide 27: Virus Classification by Concealment Strategy
- Encrypted virus
  – Random encryption key encrypts the remainder of the virus
- Stealth virus
  – Hides itself from detection by antivirus software, e.g., by compression

Slide 28: Virus Classification by Concealment Strategy (2)
- Polymorphic virus
  – Mutates with every infection
  – Conceals its "signature"
- Metamorphic virus
  – Mutates with every infection
  – Rewrites itself completely after every iteration
  – Might change behavior
Slide 29: E-Mail Viruses
- Attachment
- Open e-mail
- Uses e-mail software to replicate

Slide 30: Worms
- Use network connections to spread from system to system
- Electronic mail facility
  – A worm mails a copy of itself to other systems

Slide 31: Worms (continued)
- Remote execution capability
  – A worm executes a copy of itself on another system
- Remote log-in capability
  – A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other

Slide 32: Bots
- Zombie or drone
- Program secretly takes over another Internet-attached computer
- Launches attacks that are difficult to trace to the bot's creator
- A collection of bots is a botnet
- Uses: spamming, sniffing traffic, keylogging, manipulating polls, distributed denial-of-service

Slide 33: Rootkit
- Set of programs installed on a system to maintain administrator (or root) access to that system
- Hides its existence
Slide 34: System Call Table Modification by Rootkit

Slide 35: Authentication
- Basis for most types of access control and accountability
- Identification step
- Verification step

Slide 36: Password-Based Authentication
- ID
  – Determines whether the user is authorized to access the system
  – Determines privileges for the user
  – Discretionary access control

Slide 37: UNIX Password Scheme
Slide 39: Famous Security Flaws
- The TENEX password problem (figure in three parts: (a), (b), (c))

Slide 40: Token-Based Authentication
- User possesses an object
- Memory cards
- Smart cards

Slide 41: Biometrics: Cost versus Accuracy
Slide 42: Access Control
- Discretionary access control
  – Based on the identity of the requestor; an entity might enable another entity to access a resource
- Mandatory access control
  – Based on comparing security labels with security clearances
- Role-based access control
  – Based on the roles a user has in the system

Slide 43: Extended Access Control Matrix

Slide 44: Organization of the Access Control Function

Slide 45: Users, Roles, and Resources

Slide 46: Access Control Matrix Representation of RBAC
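The three models of slide 42 side by side, as an added example that is not from the slides or the textbook: a discretionary access control matrix in which only an owner can grant rights, a mandatory check that compares clearance with label, and a role-based matrix whose rows are roles rather than users. The Bell-LaPadula ordering used for the mandatory comparison is an assumption of this example (the slide says only "comparing security labels with security clearances"), and all users, objects and levels are constructed sample data.

```python
# Added example, not from the slides: the three access control models of slide 42,
# each answering "may subject s exercise right r on object o?" from a different source.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}  # constructed ordering

class DacMatrix:
    """Discretionary control as an access control matrix: cells[(subject, obj)] is the
    set of rights subject holds on obj; an 'owner' right lets it extend the matrix."""
    def __init__(self):
        self.cells = {}

    def allowed(self, subject, obj, right):
        return right in self.cells.get((subject, obj), set())

    def grant(self, granter, subject, obj, right):
        # Only an owner may hand out rights: that is what makes the control discretionary.
        if not self.allowed(granter, obj, "owner"):
            return False
        self.cells.setdefault((subject, obj), set()).add(right)
        return True

def mac_allowed(clearance, label, right):
    """Mandatory control: compare the subject's clearance with the object's label; no
    owner can override it. The Bell-LaPadula rule (read at or below your level, write
    at or above it) is assumed here; the slide names no specific comparison."""
    c, l = LEVELS[clearance], LEVELS[label]
    return c >= l if right == "read" else c <= l

def rbac_allowed(user_roles, role_rights, user, obj, right):
    """Role-based control: rights attach to roles and users to roles, so the
    matrix rows are roles rather than individual users."""
    return any(right in role_rights.get((role, obj), set())
               for role in user_roles.get(user, ()))

def demo():
    """Runs the three models on a constructed scenario and returns the decisions."""
    dac = DacMatrix()
    dac.cells[("alice", "payroll.xlsx")] = {"owner", "read", "write"}
    dac.grant("alice", "bob", "payroll.xlsx", "read")                 # owner: succeeds
    bob_regrants = dac.grant("bob", "carol", "payroll.xlsx", "read")  # not owner: refused
    user_roles = {"bob": {"auditor"}, "dave": {"clerk"}}
    role_rights = {("auditor", "ledger"): {"read"}, ("clerk", "ledger"): {"read", "write"}}
    return {
        "dac_bob_read": dac.allowed("bob", "payroll.xlsx", "read"),
        "dac_bob_regrant": bob_regrants,
        "mac_secret_read_confidential": mac_allowed("secret", "confidential", "read"),
        "mac_secret_read_top_secret": mac_allowed("secret", "top_secret", "read"),
        "mac_secret_write_confidential": mac_allowed("secret", "confidential", "write"),
        "rbac_bob_write_ledger": rbac_allowed(user_roles, role_rights, "bob", "ledger", "write"),
        "rbac_dave_write_ledger": rbac_allowed(user_roles, role_rights, "dave", "ledger", "write"),
    }
```

The point of contrast: under DAC the owner alice can widen access at will, under MAC no subject can move information downward however it is owned, and under RBAC bob's rights change only when his role assignment does.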
Slide 48: Intrusion Detection
- Classification: host-based and network-based
- Components:
  – Sensors: collect data
  – Analyzers
  – User interface

Slide 49: Profiles of Behavior of Intruders and Authorized Users

Slide 50: Host-Based IDSs
- Anomaly detection
  – Collection of data relating to the behavior of legitimate users over time
- Signature detection
  – Define a set of rules or attack patterns

Slide 51: Audit Records
- Native audit records
  – Operating system accounting software
- Detection-specific audit records
  – Generate audit records required by the IDS
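Anomaly and signature detection over the same detection-specific audit records, as an added example (not from the slides or the textbook): the profile is learned from a period of legitimate activity, the signature is one fixed rule, and each detector catches a record the other misses. Users, hosts, paths and hours are constructed sample data.

```python
# Added example, not from the slides: the two host-based IDS approaches of slide 50 run
# over the same constructed audit records (slide 51), returning alerts instead of printing.
from collections import defaultdict
from statistics import mean, pstdev
# Constructed detection-specific audit records: (user, action, object, hour_of_day).
# TRAINING stands for a period of legitimate behaviour; TODAY is the day under review.
TRAINING = [("alice", "login", "host1", h) for h in (8, 9, 9, 10, 8, 9, 8, 10)] + \
           [("alice", "read", "/home/alice/report.txt", 9)] * 6
TODAY = [("alice", "login", "host1", 9),                 # normal
         ("alice", "login", "host1", 3),                 # unusual hour for alice
         ("alice", "read", "/home/bob/notes.txt", 9),    # normal hour, known-bad pattern
         ("bob", "login", "host1", 3)]                   # no profile exists for bob

def _reads_other_home(user, action, obj, _hour):
    parts = obj.split("/")
    return action == "read" and obj.startswith("/home/") and parts[2] != user

# Signature detection: a fixed set of rules describing patterns known to be suspicious.
SIGNATURES = [("read of another user's home directory", _reads_other_home)]

def build_profile(records):
    """Anomaly detection, learning phase: per-user mean and deviation of activity hour."""
    hours = defaultdict(list)
    for user, _action, _obj, hour in records:
        hours[user].append(hour)
    return {u: (mean(hs), pstdev(hs)) for u, hs in hours.items()}

def anomaly_alerts(profile, records, threshold=3.0):
    """Flag records whose hour deviates from the user's mean by more than `threshold`
    standard deviations. A user with no profile cannot be scored and is reported as such."""
    alerts = []
    for user, action, obj, hour in records:
        if user not in profile:
            alerts.append(("no-profile", user, action, obj, hour))
            continue
        mu, sigma = profile[user]
        deviant = (hour != mu) if sigma == 0 else abs(hour - mu) / sigma > threshold
        if deviant:
            alerts.append(("anomaly", user, action, obj, hour))
    return alerts

def signature_alerts(records):
    """Signature detection: report every record matching a rule, whatever the history."""
    return [(name, user, action, obj, hour) for user, action, obj, hour in records
            for name, rule in SIGNATURES if rule(user, action, obj, hour)]

def run():
    """Both detectors over TODAY: each catches what the other cannot."""
    profile = build_profile(TRAINING)
    return anomaly_alerts(profile, TODAY), signature_alerts(TODAY)
```

The 03:00 login is invisible to the signature rule and the daytime read of another user's directory is invisible to the profile, which is why the slides present the two approaches as complementary rather than alternatives.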
Slide 52: Antivirus Approaches
- Detection
- Identification
- Removal

Slide 53: Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Slide 54: Generic Decryption
- CPU emulator
- Virus signature scanner
- Emulation control module

Slide 55: Digital Immune System

Slide 56: Behavior-Blocking Software Operation