Protection and Security • Protection = mechanisms used to control access to valued resources: e.g., programs & data stored on computer system. • Usually accompanied by detection and response mechanisms • Security = protecting the confidentiality, integrity, and availability of a system according to the rules set out by a specific policy. • Policy = the set of allowable states of a system.
Goals of Protection • Let’s say we have a valuable resource like an O.S. • collection of objects, hardware & software • Objects have unique names • Accessed through well-defined set of operations • Goals of protection: • Ensure each object accessed correctly & only by authorized processes according to some policy. • A policy is a statement of what states (and operations) are allowed (i.e., secure/authorized), and what are not allowed (i.e., nonsecure/unauthorized) for a specific system.
Protection • Protection Domains • Access Matrix • Implementation • Language-Based Protection
Protection Domains • Access-right = <object-name, rights-set> • Rights-set = subset of all valid operations that can be performed on the object • (i.e., the policy!) • Domain = set of access-rights
Domain Implementation Example-I: UNIX • Examples of objects • Files, laser printers, and email servers… • Access control bits (UNIX) • Three categories of user (owner, group, world) • Three types of access privileges (read, write, execute) • One bit per operation (111101000 = rwxr-x---) • Domain is implemented as the “user-id” • OS can do domain switching to execute some task • accomplished via file system • Each file has an associated domain bit (setuid bit) • When the file is executed and setuid=on, user-id is set to the owner of the file being executed • When execution completes, user-id is reset • “ps” is a setuid program, as is “lpr”.
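The UNIX mode bits and the setuid domain switch from this slide, as an added C example (not code from the slides): a constructed file record carries the nine permission bits, the owner uid/gid and the setuid flag; the three helper functions and the bit layout used here are assumptions for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed file record: 9 permission bits (owner/group/world x rwx), setuid flag, owner ids. */
struct file { unsigned mode; bool setuid; int owner_uid; int owner_gid; };

/* Render the nine bits in ls style, e.g. 0750 (binary 111101000) -> "rwxr-x---". */
void mode_to_string(unsigned mode, char out[10]) {
    const char *rwx = "rwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (1u << (8 - i))) ? rwx[i % 3] : '-';
    out[9] = '\0';
}

/* The domain is the user-id: pick the owner, group or world triple that applies to this
   process and require every requested bit (4 = read, 2 = write, 1 = execute) to be set. */
bool may_access(const struct file *f, int uid, int gid, unsigned op) {
    unsigned triple;
    if (uid == f->owner_uid)      triple = (f->mode >> 6) & 7;  /* owner triple */
    else if (gid == f->owner_gid) triple = (f->mode >> 3) & 7;  /* group triple */
    else                          triple = f->mode & 7;         /* world triple */
    return (triple & op) == op;
}

/* Domain switch via the file system: when the setuid bit is on, the executing process
   takes on the file owner's user-id for the duration of the run. */
int effective_uid_after_exec(const struct file *f, int caller_uid) {
    return f->setuid ? f->owner_uid : caller_uid;
}
```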
Domain Implementation Example-II: Multics Rings • Nested domain structure (“rings”) • Let Di and Dj be any two domain rings • If j < i, then Di ⊂ Dj • lower-level = more privileges • each process maintains current ring number
Access Matrix • Column: • defines who can perform what operation on the object • Row: • Operations allowed on what objects, per-domain
Dynamic Access Matrices • Extend for dynamic protection: operations to add and delete access rights • transfer – switch from domain Di to Dj • owner of Oi • copy op from Oi to Oj • control – Di can modify Dj’s access rights
Switching Domains • Switching domains: add domains as objects!
Access Matrix with Copy Rights • Asterisk denotes that access right can be copied within column (for the object)
Access Matrix With Owner Rights • Ownership: can add new rights, remove some rights
Control: Modifying Access Matrix • Control: process executing in one domain can modify another domain • Example: D2 changes D4
Implementation of Access Matrix • Access list for objects • Maintain <domain, right-set> list per object • Capability (object) list for domains • Maintain list of objects + operations per domain • Object name = capability • Check in capability list for access • Pros and cons of access list & capability list? • Determine the set of access rights for each domain? • Revocation of capabilities?
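The copy, owner, control and switch operations described on the preceding slides, as an added C example (not code from the slides): the matrix is stored row-per-domain with the domains themselves appended as columns, so switching is just another right in a cell; the bit values, the two-file/three-domain layout and the function names are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Rights held in one cell of the access matrix (constructed bit values, not from any real OS). */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_COPY = 8, R_OWNER = 16, R_CONTROL = 32, R_SWITCH = 64 };

#define NFILES  2                 /* object columns F0, F1 */
#define ND      3                 /* domains D0..D2, also present as columns (domains as objects) */
#define NCOLS   (NFILES + ND)
#define DCOL(d) (NFILES + (d))    /* column index of domain d when treated as an object */

/* M[row = domain][column = object]; each cell is an OR of the rights above. */
static unsigned char M[ND][NCOLS];

static void matrix_reset(void) { memset(M, 0, sizeof M); }

/* Copy (the asterisk): Di may copy right r on obj into Dj's cell of the same column,
   but only if Di itself holds r together with the copy flag. The flag is not propagated. */
static bool copy_right(int di, int dj, int obj, unsigned r) {
    if ((M[di][obj] & r) != r || !(M[di][obj] & R_COPY)) return false;
    M[dj][obj] |= (unsigned char)r;
    return true;
}

/* Owner: Di may add or remove any right in obj's column only if Di holds the owner right. */
static bool owner_set(int di, int dj, int obj, unsigned r, bool add) {
    if (!(M[di][obj] & R_OWNER)) return false;
    if (add) M[dj][obj] |= (unsigned char)r;
    else     M[dj][obj] &= (unsigned char)~r;
    return true;
}

/* Control: Di may remove rights from Dj's row only if cell [Di][Dj] carries the control right. */
static bool control_remove(int di, int dj, int obj, unsigned r) {
    if (!(M[di][DCOL(dj)] & R_CONTROL)) return false;
    M[dj][obj] &= (unsigned char)~r;
    return true;
}

/* Switch: a process in Di may move to Dj only if cell [Di][Dj] carries the switch right. */
static bool can_switch(int di, int dj) { return (M[di][DCOL(dj)] & R_SWITCH) != 0; }
```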
Language-Based Protection • Specification of protection in programming language: • Allows high-level description of policies for allocation and use of resources • Protection in Java: • Dynamically load untrusted classes over a network • Important to provide protection! • Class loader: • Find and load object • Define namespace seen by different classes
Security • The Security Problem • Program Threats • System & Network Threats • Counter-measures to Threats • Threat Monitoring • Cryptography
Security problem • Confidentiality: ensuring objects are available/understandable only to authorized peers • E.g., no unauthorized read access • Integrity: ensuring objects have not been maliciously or accidentally modified. • No introduction of inconsistency. • Availability: ensuring objects are available without delay and operate correctly (to authorized peers) • No malicious destruction of resources (i.e., objects)
Threats • Program Threats: • programs cause security breaches • Trojan Horse, Login Spoofing, Trap/Back Door, Stack/Buffer Overflow, Virus • System & Network Threats: • Abuse services and network connections to cause security breaches • Worms, Port Scanning, (Distributed) Denial of Service
Trojan Horse • Code (segment) that misuses its environment. • Objective of Trojan • Get executed by someone • Once executed copy/mail/modify some critical files • Example: • In /tmp put a program named ls • Administrator goes to /tmp, types ls... • If the path “.” is in front of his search path... Bingo!
Login Spoofing • Write a fake login program • Fake program shows the usual login prompt.... • Unsuspecting user comes in and tries to log in • Types loginID • Types password • The spoof login stores the pair away and terminates • Normal login comes back up • User simply thinks he mistyped his password... • In the meantime, the attacker has found a valid pair!
Trap Doors • Modification at the source level • Programmer introduces a loophole to bypass the login process. • Loophole ignores password for a specific login • Who can use it? (programmer, attacker) • How to prevent it... • Code review • Sometimes in compiler (very difficult)
Buffer Overflow Stack • Bug in a program • Program oversteps some array bounds • Overwrites return address • When subroutine returns, it effectively jumps someplace else.... [Stack figure: Main's Local Variables | Return Address | Foo()'s local var (fixed-size array)] • Long string that overflows... It wipes out the return address • If the string is well aligned with the place of the return address, it can be a meaningful address... • ...pointing into the Malicious Code! that the same string placed on the stack
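The fixed-size array bug from these slides beside the bounded version that closes it, as an added C example (not code from the slides); the 16-byte buffer, the function names and the input strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF 16

/* The bug on the slides: strcpy never checks the array bound, so an input of BUF or more
   bytes runs past name[] toward the saved return address. Kept only for contrast;
   it is never invoked on untrusted input here. */
void foo_vulnerable(const char *input) {
    char name[BUF];
    strcpy(name, input);          /* overflow whenever strlen(input) >= BUF */
    (void)name;
}

/* Hardened version: measure first, refuse anything that would not fit with its
   terminator, and only then copy. The caller learns about the rejection instead of
   the stack silently absorbing the excess. */
bool foo_checked(const char *input, char out[BUF]) {
    size_t n = strlen(input);
    if (n >= BUF) {               /* n + 1 bytes needed, only BUF available */
        out[0] = '\0';
        return false;
    }
    memcpy(out, input, n + 1);    /* includes the NUL terminator */
    return true;
}

/* Building with stack protection (e.g. gcc -fstack-protector) adds a canary that detects
   an overwritten frame at return time; that is a safety net, the bounds check is the fix. */
```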
Virus • Self-reproducing • Attach to host machine • Dormant for a while • Activate at some point and • Destroy • Steal • Spreading via • Program copying, Email, Web-pages, …
Worms • Slightly different from a virus • Self-reproduces; takes up resources • Does not need a host program • Uses vulnerabilities to spread across the net • Breaks systems through infestation; the worst outbreaks can take worldwide networks down. • Worms propagate themselves; viruses require action by the user to perpetuate themselves • Examples: Morris Worm, CodeRed
Other System & Network Threats • Port scanning • Automated attempt to connect to a range of ports on one or a range of IP addresses • Denial of Service • Overload the targeted computer, preventing it from doing any useful work • Distributed denial-of-service (DDoS) attacks come from multiple sites at once