1. Outline for Today’s Lecture Administrative: –If you weren’t here last time, pick up midterm –Assignment 3 still in progress Objective: –Security –Access Control Mechanisms

2. Grades* Median = 80 Mean = 75.8 A A-/B+ B B-/C+ C-/D* * = remedial concurrency problem *histogram not updated after grade changes

3. Step 0: Basic Mechanisms Discussed in previous lecture: symmetric key cryptography public key cryptography digital signatures one-way functions hashes

4. Step 1: User Authentication Basic Principles. Authentication must identify: 1.Something the user knows 2.Something the user has 3.Something the user is This is done before user can use the system for access control

5. Authentication Using Passwords (a) A successful login (b) Login rejected after name entered (c) Login rejected after name and password typed

6. Authentication Using Passwords How a cracker broke into LBL –a U.S. Dept. of Energy research lab

7. Login Spoofing (a) Correct login screen (b) Phony login screen

8. Authentication Using Passwords The use of salt to defeat precomputation of encrypted passwords Salt Password,,,,

9. One-Time Passwords Using 1-way function: Function such that given formula for f(x) –easy to evaluate y = f(x) But given y –computationally infeasible to find x One-time passwords –Choose password s and integer n –1 st time P 1 =f(f(f(f(s)))), 2 nd time P 2 = f(f(f(s))), etc –Login name supplies current integer value –Server stores old password, f(newpassword)==old?

10. Challenge - Response Sets of question – answer pairs –Server picks one and asks –User knows answer User picks function f(x) –Server sends a value for x –User sends back f(x) as password Using symmetric encryption –Server sends random value r –User encrypts with secret key – e(r,k) Server compares

11. Graphical Challenge-Response

12. Authentication Using a Physical Object Magnetic cards –magnetic stripe cards –chip cards: stored value cards, smart cards RFIDs

13. Authentication Using Biometrics A device for measuring finger length. Retinal scans Voice recognition Surveillance tech –Image analysis –Gait analysis

14. Countermeasures Limiting times when someone can log in Automatic callback at number prespecified Limited number of login tries A database of all logins Simple login name/password as a trap –security personnel notified when attacker bites

15. Step 2: Access Control Mechanisms Protection Domains Examples of three protection domains

16. The Access Model Authorization problems can be represented abstractly by of an access model. –each row represents a subject/principal/domain –each column represents an object –each cell: accesses permitted for the {subject, object} pair read, write, delete, execute, search, control, or any other method In real systems, the access matrix is sparse and dynamic. need a flexible, efficient representation

17. 17 Access Control Matrix Processes execute in a protection domain, initially inherited from subject TA grp Terry Lynn gradefile solutions proj1 rwx rw r rx luvltr r rw hotgossip rw

18. 18 Two Representations ACL - Access Control Lists –Columns of previous matrix –Permissions attached to Objects –ACL for file hotgossip: Terry, rw; Lynn, rw Capabilities –Rows of previous matrix –Permissions associated with Subject –Tickets, Namespace (what it is that one can name) –Capabilities held by Lynn: luvltr, rw; hotgossip,rw

19. Protection Domains A protection matrix

20. Protection Domains A protection matrix with domains as objects

21. File Access Control Access control lists - detailed list attached to file of users allowed (denied) access, including kind of access allowed/denied. UNIX RWX - owner, group, everyone Capabilities – permitted accesses associated with subject (user), similar to an address space. –Un-forgeable object reference, like a pointer.

22. Trusted Systems Trusted Computing Base A reference monitor

23. Access Control Lists Approach: represent the access matrix by storing its columns with the objects. Tag each object with an access control list (ACL) of authorized subjects/principals. To authorize an access requested by S for O –search O’s ACL for an entry matching S –compare requested access with permitted access –access checks are often made only at bind time

24. Access Control Lists Use of access control lists of manage file access R

25. Access Control Lists Two access control lists

26. UNIX access control Each file carries its access control with it. rwx rwx rwx setuid Owner UID Group GID Everybody else Owner has chmod, chgrp rights (granting, revoking)

27. 27 Access Control Matrix How to encode in Unix? TA grp Terry Lynn gradefile solutions proj1 rwx rw r rx luvltr r rw hotgossip rw

28. Capabilities Approach: represent the access matrix by storing its rows with the subjects. Tag each subject with a list of capabilities for the objects it is permitted to access. –A capability is an unforgeable object reference, like a pointer. –It endows the holder with permission to operate on the object e.g., permission to invoke specific methods –Typically, capabilities may be passed from one subject to another. Rights propagation and confinement problems

29. Capabilities Each process has a capability list

30. Cryptographically-protected capability Generic Rights 1.Copy capability 2.Copy object 3.Remove capability 4.Destroy object Capabilities ServerObjectRightsf(Objects, Rights, Check)

31. Dynamics of Protection Schemes How to endow software modules with appropriate privilege? –What mechanism exists to bind principals with subjects? e.g., setuid syscall, setuid bit –What principals should a software module bind to? privilege of creator: but may not be sufficient to perform the service privilege of owner or system: dangerous

32. Dynamics of Protection Schemes Problems: Mutual Suspicion When a caller requests a service, the callee should be limited in what stuff of the caller’s it has access to (only what it is passed). (entering domain - setuid vs. passing in single object) Modification When caller does pass an object as parameter, we want to control whether the callee can modify it (I send you a photo, you remove my copyright mark) Conservation When caller passes an object to gain service, we want to know that the callee doesn’t retain or even pass on the right to the object after we think they are done with it. (our credit card number – and selling such databases) Confinement We want to prevent information leaks (besides the objects themselves)

33. 33 Dynamics of Protection Schemes How to revoke privileges? What about adding new subjects or new objects? How to dynamically change the set of objects accessible (or vulnerable) to different processes run by the same user? –Need-to-know principle / Principle of minimal privilege –How do subjects change identity to execute a more privileged module? protection domain, protection domain switch (enter)

34. 34 Protection Domains Processes execute in a protection domain, initially inherited from subject Goal: to be able to change protection domains Introduce a level of indirection Domains become protected objects with operations defined on them: owner, copy, control TA grp Terry Lynn gradefile solutions proj1 rwx rwrwo r rxc luvltr r rw hotgossip rw Domain0 ctl enter r

35. 35 If domain contains copy on right to some object, then it can transfer that right to the object to another domain. If domain is owner of some object, it can grant that right to the object, with or without copy to another domain If domain is owner or has ctl right to a domain, it can remove right to object from that domain Rights propagation. TA grp Terry Lynn gradefile solutions proj1 rwx rwrwo r rxc luvltr r rw hotgossip rw Domain0 ctl enter r rcrc r

36. UNIX access control Each file carries its access control with it. rwx rwx rwx setuid Owner UID Group GID Everybody elseWhen bit set, it allows process executing object to assume UID of owner temporarily - enter owner domain (rights amplification) Owner has chmod, chgrp rights (granting, revoking)

37. Capability Calling Mechanism Assume a capability to execute a procedure (lpr) Parameter is a capability to an object of mine (read access to file foo) lpr’s c-list has a template capability for the parameter, requires that certain rights are passed in (if lpr can’t read the file foo, it obviously can’t do its job) Sometimes, need rights amplification to do the job.

38. Dynamics of Protection Schemes Problems: Mutual Suspicion enter my domain vs. me, as owner, granting right to another domain (temp) Modification rights for particular operations Conservation ctl – being able to revoke rights; not granting copy rights Confinement remove rights to write or create anything else?

39. Multilevel Security The Bell-La Padula multilevel security model

40. Multilevel Security The Biba Model Principles to guarantee integrity of data 1.Simple integrity principle process can write only objects at its security level or lower 2.The integrity * property process can read only objects at its security level or higher

41. Risks

42. Trojan Horses: Inside Jobs Free program made available to unsuspecting user –Contains code to do harm –Example of tricking user, himself or herself, into running that program Place altered version of utility program on victim's computer, say, in some bin directory that might be in their PATHs Lay a trap for sysadmin to gain root privilege –Install local version of ls; then do something that causes sysadmin to % cd yourHomeDir % ls -l

43. Login Spoofing (a) Correct login screen (b) Phony login screen

44. Logic Bombs Company programmer writes program –potential to do harm –OK as long as he/she enters password daily; his/her name stays on the paycheck database; etc. –if programmer fired, no password and bomb explodes

45. Trap Doors (a) Normal code. (b) Code with a trapdoor inserted

46. Generic Security Attacks Typical attacks Request “free” memory, disk space, tapes and just read what was left there (not zero filled on dealloc) Try illegal system calls – if the system gets confused enough, you may be in. Start a login and hit DEL, RUBOUT, or BREAK to possibly kill password checking Try modifying complex OS structures kept in user space (if any) Try to do specified DO NOTs Convince a system programmer to add a trap door Beg admin's sec’y to help a poor user who forgot password

47. Buffer Overflow (a) Situation when main program is running (b) After procedure A is called (c) Fixed sized buffer B - overflow shown in gray User supplies long enough string to overwrite return address

48. UNIX lpr utility, option to remove file after printing; print and remove password file Link file core in working directory to the password file. Force a core dump of a SETUID program, writes on the core file, overwriting password file Famous Security Flaws

49. The TENEX – password problem Page faults could be monitored by user – user func. called One char at a time password checking – either illegal or fault (a)(b)(c)

50. Design Principles for Security 1.System design should be public – open source 2.Default should be no access 3.Check for current authority – e.g. not just at “open” 4.Give each process least privilege possible 5.Protection mechanism should be -simple -uniform -in lowest layers of system Security is not an add-on feature 6.Scheme should be psychologically acceptable And … keep it simple

51. From the Outside:Network Security External threat –code transmitted to target machine –code executed there, doing damage Goals of virus writer –quickly spreading virus –difficult to detect –hard to get rid of Virus = program can reproduce itself by attaching its code to another program –additionally, do harm

52. Virus Damage Scenarios Blackmail Denial of service as long as virus runs Permanently damage hardware Target a competitor's computer –do harm –espionage Intra-corporate dirty tricks –sabotage another corporate officer's files

53. How Viruses Work Virus usually written in assembly language Inserted into another program –use tool called a “dropper” Virus dormant until program executed –then infects other programs –eventually executes its “payload” possibly waits for significant date Types: companion, executable program, memory, boot sector, device driver, macro, source code

54. Bait and switch – companion viruses MS-DOS example: run prog system tries prog.com then prog.exe Release a prog.com for a popular prog.exe How Viruses Work

55. Recursive procedure that finds executable files on a UNIX system Virus could infect them all

56. How Viruses Work An executable program with a parasitic virus at the front at the end spread over free space within program (cavity virus)

57. Boot sector viruses 1 st hide the real boot sector When booted, copies virus into memory, making it a memory resident virus Then boots the OS Device driver infected with virus, loads it at boot time. How Viruses Work

58. After virus has captured interrupt, trap vectors –Syscall trap a good one. Can look for exec calls After OS has retaken printer interrupt vector After virus has noticed loss of printer interrupt vector and recaptured it

59. Macros Applications like Word or Excel allow macros that get executed via keystroke or menu Attach a macro to open file function and you are off and running Can be sent in email attachments Some emailers automatically open attachments How Viruses Work

60. How Viruses Spread Virus placed where likely to be copied When copied –infects programs on hard drive, floppy –may try to spread over LAN Attach to innocent looking email –when it runs, use mailing list to replicate

61. Antivirus and Anti-Antivirus Techniques (a) A program (b) Infected program, metadata giveaways (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code

62. Antivirus and Anti-Antivirus Techniques Examples of a polymorphic virus All of these examples do the same thing Mutation engine – code that morphs the signature part of the virus each time it spreads

63. Antivirus and Anti-Antivirus Techniques Integrity checkers - checksums Behavioral checkers Virus avoidance –good OS –install only shrink-wrapped software –use antivirus software –do not click on attachments to email –avoid active content –frequent backups Recovery from virus attack –halt computer, reboot from safe disk, run antivirus

64. The Internet Worm Worm = replicating program Nov. 1988, Robert Morris, Cornell grad student Consisted of two programs –bootstrap to upload worm –the worm itself Worm first hid its existence Next replicated itself on new machines –rsh –finger name@site - overflow finger daemon’s stack with long string –Bug in sendmail to mail bootstrap & exec it –Tried to break user passwords and go on Too aggressive – let 1 in 7 re-infects live CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked. Fields reports of security break-ins

65. Mobile Code Sandboxing (a) Memory divided into 1-MB sandboxes (b) One way of checking an instruction for validity

66. Mobile Code Applets can be interpreted by a Web browser

67. Mobile Code How code signing works

68. Java Security A type safe language –compiler rejects attempts to misuse variable Checks include … 1.Attempts to forge pointers 2.Violation of access restrictions on private class members 3.Misuse of variables by type 4.Generation of stack over/underflows 5.Illegal conversion of variables to another type

69. Java Security Examples of specified protection with JDK 1.2

70. Covert Channels Client, server and collaborator processes Encapsulated server can still leak to collaborator via covert channels

71. Covert Channels A covert channel using file locking

72. Covert Channels Pictures appear the same Picture on right has text of 5 Shakespeare plays –encrypted, inserted into low order bits of color values Zebras Hamlet, Macbeth, Julius Caesar Merchant of Venice, King Lear

73. Is it a Technical Problem? Lots of known solution techniques Access control Crypto Firewalls Intrusion detection So why isn’t it a solved problem?

74. Economics “The party who is in a position to protect a system is not the party who would suffer the results of security failure.” Ross Anderson Security For whom is it built? Who pays for it?