
CS134a: Security (Week 7)



  1. CS134a: Security (Week 7)
    • Overall outline
    • Basic Issues
    • Types of protection and security
    • Penetration of a computing facility
    • Access and information-flow control mechanisms
    • Protection Problems
  Computing Systems

  2. Security Violations
    • Two basic types of intrusions
      • Malicious intrusion
        • Read or destroy sensitive information
        • “Hackers” view it as a challenge
        • (The traditional word hacker refers to skilled computer programmers; the people who break into systems, “crackers”, adopted the word for their own use)
      • Incidental violations
        • Hardware failures
        • Bugs in OS and applications
        • Natural disasters, power blackouts, etc.

  3. Definitions
    • The terms protection and security do not have precise technical definitions
    • Random House:
      • protection: the act or state of guarding from attack, invasion, or annoyance
      • security: freedom from danger, risk, doubt, or apprehension
    • Protection is the set of mechanisms and policies that provide security

  4. Definitions II
    • A computer system contains collections of data and services that we will call objects
      • Files, programs, in some cases processors
    • Active components that can perform read/write operations will be called subjects
      • Processes

  5. Protection and security categories
    • Information disclosure: unauthorized dissemination of information, either as theft or as illegal actions on the part of a user. Enforcement of the right to privacy, a social policy that is the right of an individual to control the collection, storing, and dissemination of information about herself or himself.

  6. Categories
    • Information destruction: information loss as the result of an error or sabotage. Includes loss of OS data structures (like resource queues), destruction of research or development results, and deletion of court or police records.
    • Unauthorized use of services: unauthorized use of proprietary services, or obtaining free computing time. For example, copying a game for a friend.

  7. Categories
    • Denial of service: preventing authorized users from using the system’s services in a timely manner. Can be caused by hardware/software malfunctions, or may be malicious. Recent spate of DoS attacks on web servers: Microsoft, Yahoo, etc.

  8. Safeguards
    • No single safeguard scheme is adequate
    • Must obtain a balance between
      • Adequately protecting a system
      • Allowing authorized users to access the system
    • Two types of safeguards: external and internal

  9. External safeguards
    • Control physical access to the computing facility
      • PCs may leave this to the owner of the system
      • Shared facilities often use
        • Administrative policies
        • Physical safeguards: locks, badges, etc.
        • Threat monitoring, and audit trails

  10. Internal safeguards
    • Verification of user identity
    • Access control: “can subject s access object o?”
      • For example, who can access a file
      • Simple case: control only the file open; more complex schemes also regulate read/write/execute permissions
    • Information flow control: “can subject s acquire the information contained in object o?”
      • Access control is not sufficient; a subject may be able to infer the contents of the object by watching the system and other users

  11. Internal safeguards
    • Internal safeguards govern users who have entered the system legally
    • External safeguards try to prevent illegal access, but it is not always possible to prevent access
      • Public terminals
      • External network may be tapped or subverted
    • Cryptography disguises information (we will not talk a lot about this)

  12. User authentication methods
    • Based on one or more of the following:
      • Knowledge of some “secret” information (e.g. password)
      • Possession of some artifact (e.g. key)
      • Physical characteristic (e.g. fingerprint, brainwave)
    • Secret information may be
      • a password
      • an interactive dialog (what’s your SS#, mother’s maiden name, etc.)
      • a combination to the lock on a room

  13. Physical artifacts
    • A card with machine-readable information
      • Bank machines (ATMs) require card+PIN
    • Badges
    • Keys

  14. Physical characteristics
    • Kinds
      • Fingerprints: hard to implement
      • Hand geometry: lengths of fingers, etc.
      • Voice patterns
      • Signatures: speed and force of writing
    • Uncertain recognition may reject an authorized user, or accept an impostor

  15. Penetration
    • A user may bypass authentication mechanisms
    • A user may obtain information that will permit legal entry
      • Wire tapping
        • Watching the network for cleartext passwords
        • Never send a cleartext password over the Internet! Use encryption (like ssh) to protect your passwords
      • Trial-and-error
        • Guess a password: seems hard with 8-character passwords (64^8 combinations)
        • In practice, people tend to use a small subset

  16. Penetration
    • Browsing: when storage is deallocated, the system rarely erases it (free disk blocks or memory pages). Defense systems often require garbage to be copied onto deallocated areas.
    • Waste searching: looking through garbage cans, etc., is highly successful.
    • Trap doors: applications may contain secret entries. A Trojan Horse is a program offered for public use that performs unadvertised actions.

  17. Access and Information Flow Control
    • Process information locations
      • Registers
      • Associative memories (cache, TLB)
      • Primary memory
      • Secondary memory
    • Protection
      • OS saves and restores registers on each context switch; registers are private
      • Cache and TLB are inaccessible to user-mode programs

  18. Access and information flow control
    • An execution environment includes
      • programs, files, processes residing in primary and secondary memory
      • hardware components like IO devices or special processors
    • Execution environment may be
      • static: constant for the life of a process
      • dynamic: varies with time
    • Dynamic environments are needed to provide the smallest possible execution environment

  19. Main memory protection
    • Control a process’s access to its own instructions, and to another process
    • A process should only be allowed to access areas that are assigned by the OS
    • Memory access rights:
      • Read (R): may read the contents, even copy it into executable areas
      • Write (W): may modify the contents; Append only allows writing onto the end
      • Execute (X): may execute the contents as a program

  20. Access control
    • Boolean logic
      • ¬(R ∨ W ∨ X): no access
      • R ∧ ¬(W ∨ X): read-only

  21. Access control without virtual memory
    • Bounds registers

  22. Access control without virtual memory
    • Identification keys
      • Memory is divided into blocks (like pages)
      • Each memory block has an n-bit pattern called a lock
      • Each process contains an n-bit key
      • Hardware compares the key with the lock on every access

  23. Access control with virtual memory
    • Relocation register

  24. Relocation register
    • Same problem: access control is inflexible
    • Could use locks and keys
    • Better to associate access control with each process and extend the Mmap function to handle extra info

  25. Paged segmentation
    • Access rights are associated with each segment
    • Segment table entry:
      • pt_base: pointer to page table
      • int pt_len: length of page table
      • bool pt_resident: whether page table is in memory
      • access_rights access: access control info
    • Page table entry
      • pg_base: pointer to page
      • pg_resident: whether page is in memory

  26. Paged segmentation address translation
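An added example (not code from the slides) that turns the segment and page table entries of slide 25 into a software model of the address translation of slide 26, with the segment's access rights (slides 19 and 20) checked before any page lookup so that a forbidden operation faults even when the page is resident. Field names follow the slide; `PAGE_SIZE`, the two fault classes, `translate`, `outcome` and the sample table are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

R, W, X = 4, 2, 1    # access_rights bits as on slides 19-20
PAGE_SIZE = 4096     # assumed page size for this example

class ProtectionFault(Exception): pass   # rights or bounds forbid the access
class PageFault(Exception): pass         # page table or page not resident

@dataclass
class PageTableEntry:
    pg_base: Optional[int]   # physical address of the page, if resident
    pg_resident: bool

@dataclass
class SegmentTableEntry:
    pt_base: List[PageTableEntry]   # the page table this entry points to
    pt_len: int                     # number of valid page table entries
    pt_resident: bool               # is the page table itself in memory?
    access: int                     # subset of R | W | X

def translate(seg_table, seg, page, offset, right):
    """Map (seg, page, offset) to a physical address for an access that
    needs `right`; the rights check comes before any page lookup."""
    if seg >= len(seg_table):
        raise ProtectionFault("segment %d out of range" % seg)
    ste = seg_table[seg]
    if (ste.access & right) != right:   # e.g. W on an R ∧ ¬(W ∨ X) segment
        raise ProtectionFault("segment %d does not permit %d" % (seg, right))
    if page >= ste.pt_len or offset >= PAGE_SIZE:
        raise ProtectionFault("address outside segment %d" % seg)
    if not ste.pt_resident:
        raise PageFault("page table of segment %d not resident" % seg)
    pte = ste.pt_base[page]
    if not pte.pg_resident:
        raise PageFault("segment %d page %d not resident" % (seg, page))
    return pte.pg_base + offset

def outcome(seg_table, seg, page, offset, right):
    """The physical address, or the name of the fault the access raises."""
    try:
        return translate(seg_table, seg, page, offset, right)
    except (ProtectionFault, PageFault) as e:
        return type(e).__name__
# Constructed sample: segment 0 is read/execute code, segment 1 read/write data.
SEG_TABLE = [
    SegmentTableEntry([PageTableEntry(0x10000, True),
                       PageTableEntry(None, False)], 2, True, R | X),
    SegmentTableEntry([PageTableEntry(0x30000, True)], 1, True, R | W),
]
```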

  27. Protection for secondary storage
    • Implicit access through virtual memory (page/segment faults)
    • Explicit access through the file system
    • Filesystems need to keep information about access control
      • Access lists
      • Capability lists

  28. Access/capability lists
    • Access table for each file, listing which subjects can access the file
    • Capability for each process/user listing rights
    • Unix
      • access list for each file: user/group/other, rwx
        • user: jyh group: cs134 file perm: 4775
      • capability for each user: list of groups
    • Windows NT
      • access list for each kernel object
      • capability list for each user: list of groups
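The Unix case on slide 28 worked through as an added example (not code from the slides): the file's access list is its mode bits together with its owner and group, the subject's capability is its uid plus its group list, and a check consults exactly one of the three classes. The owner jyh, group cs134 and mode 4775 come from the slide; `File`, `Subject`, `allowed`, `exec_identity` and the other user names are this example's own.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1     # the rwx bits of one permission class
S_ISUID = 0o4000      # the setuid bit carried by the slide's mode 4775

@dataclass
class File:
    owner: str
    group: str
    mode: int         # octal mode; 0o4775 is setuid + rwxrwxr-x

@dataclass
class Subject:
    user: str
    groups: list = field(default_factory=list)   # the user's capability: its groups

def permission_class(subj, f):
    """Unix consults exactly one class: owner if the uid matches, else group
    if the file's group is in the subject's group list, else other."""
    if subj.user == f.owner:
        return "user"
    if f.group in subj.groups:
        return "group"
    return "other"

def allowed(subj, f, right):
    """True if every bit of `right` is set in the class that applies."""
    shift = {"user": 6, "group": 3, "other": 0}[permission_class(subj, f)]
    bits = (f.mode >> shift) & 0o7
    return (bits & right) == right

def exec_identity(subj, f):
    """The identity a process runs as after executing f: None if execution
    is denied, the owner if setuid is set, otherwise the subject itself."""
    if not allowed(subj, f, X):
        return None
    return f.owner if f.mode & S_ISUID else subj.user

# Constructed sample from slide 28: owner jyh, group cs134, mode 4775.
PROG = File(owner="jyh", group="cs134", mode=0o4775)
```

Because only one class is consulted, an owner whose own bits are empty is denied even when the group or other bits would allow the access.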

  29. Capabilities vs access lists
    • Capability is like a ticket (to see Godzilla vs Mothra)
    • Access list is like a reservation at a restaurant
    • Are they the same?
      • Same amount of info
      • Capabilities can become the only mechanism for access

  30. Capabilities
    • Capability list is like a segment table; it points to objects that may be accessed
      • segment tables are only valid for the life of a process
      • segment tables refer to primary storage
      • capabilities refer to secondary storage
    • Capability-based addressing
      • combines access models
      • capabilities are the only means to access an object

  31. Capability-based addressing

  32. Dynamic environments
    • Execution environment is determined by segment table
    • Segment table may grow; since segments are never unlinked, it never shrinks
    • Dynamic environment needs additional protection
    • MULTICS provides a scheme of concentric rings
      • Innermost rings are most highly protected
      • Access is only allowed to outer shell

  33. MULTICS rings

  34. MULTICS Rings
    • An inward call generates an interrupt
      • checks the reference based on access rights
    • An outward call also generates an interrupt
      • Arguments must be copied to the outer procedures

  35. Rings
    • Seems flexible, but it is limited to a strict ordering
    • In general, objects may have references that form an arbitrary graph, and they may be difficult to partition

  36. Capability-based systems

  37. Privileged system states
    • Supervisor/user mode
      • VAX: kernel, executive, supervisor, user
    • Capability-based systems have no need for privileged modes

  38. Protection problems
    • We define schemes for explicit access
    • What about information flow?
    • A problem when mutually suspicious processes want to cooperate
      • Example: a user interacting with a service

  39. Service goals
    • No user should be able to steal the service by making a copy
    • No user should be able to damage the service
    • No user should be able to use the service without permission
    • It should be possible to revoke access to the service
    • No user should be able to prevent others from using the service

  40. User goals
    • The service should not be able to steal or destroy any information or services that were not explicitly given to the service
    • The service should be able to notify its owner with nonsensitive information (e.g. billing), but not sensitive information

  41. Access control
    • Theft and destruction can be solved with execute-only privileges for the service
    • Unauthorized use is harder; could use access control
    • Capability-based systems
      • Capabilities can be copied and passed to other users

  42. HYDRA
    • Generic rights for an object o: r, w, s, and l
      • r: read, w: write
      • s: right to copy a capability into object o
      • l: right to copy a capability from object o
    • Capabilities have a special right, the environment right, that allows them to be copied

  43. Capability-passing

  44. Revocation of privileges
    • Access lists: remove a user from the list
      • What about a file that is already open?
    • Capability-based
      • Have a dummy pointer to the object: an alias
      • All references are through the alias
      • All references can be removed by modifying the alias
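An added example (not the slides' or HYDRA's code) of the alias scheme on slide 44 applied to the capability copying of slide 41: every capability holds the alias rather than the object, so one change to the alias revokes the original and every copy that was passed on. `Alias`, `Capability`, `grant`, `status` and the rule that a copy may carry no more rights than its source are this example's assumptions.

```python
from dataclasses import dataclass

class RevokedError(PermissionError):
    """The alias behind this capability no longer points at anything."""

@dataclass
class Alias:
    """The dummy pointer of slide 44: capabilities hold the alias, never the
    object, so one change here is seen by every holder of every copy."""
    target: object = None

    def revoke(self):
        self.target = None

@dataclass(frozen=True)
class Capability:
    alias: Alias
    rights: frozenset

    def copy(self, rights):
        """Pass the capability on (slide 41). Assumption of this example:
        a copy may carry only a subset of the original's rights."""
        rights = frozenset(rights)
        if not rights <= self.rights:
            raise PermissionError("copy would amplify rights")
        return Capability(self.alias, rights)

    def invoke(self, right):
        """Resolve through the alias; fails if the right is missing or revoked."""
        if right not in self.rights:
            raise PermissionError("capability lacks %r" % right)
        if self.alias.target is None:
            raise RevokedError("access to the object has been revoked")
        return self.alias.target

def grant(obj, rights):
    """The owner creates the alias and the first capability for obj."""
    return Capability(Alias(obj), frozenset(rights))

def status(cap, right):
    """'ok', 'denied' or 'revoked': the outcome of using cap for right."""
    try:
        cap.invoke(right)
        return "ok"
    except RevokedError:
        return "revoked"
    except PermissionError:
        return "denied"
```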

  45. Other problems
    • Denial of service
      • Not possible to enforce in asynchronous systems
      • Can give each process a fixed time limit...
    • Trojan horse (service destroys or discloses information)
      • Have the “gift” process run with restricted privileges
