
Protection and Security

What is (Computer) Security?

“Security is a chain; it’s only as secure as its weakest link.”
“Security is a process, not a product.”
“Security is a tradeoff”
The Security Problem

• Security must consider the external environment of the system, and protect it from:
– unauthorized access.
– malicious modification or destruction
– accidental introduction of inconsistency.
• Easier to protect against accidental than malicious misuse.

• Protection is internal, Security is external
→ take the hard drive of a computer and read it from another system

Applied Operating System Concepts 19.2 Silberschatz, Galvin, and Gagne 1999
Module 18: Protection

• Goals of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Revocation of Access Rights
• Capability-Based Systems
• Language-Based Protection
• Digital Rights Management

Protection

• Operating system consists of a collection of objects, hardware or software
• Each object has a unique name and can be accessed through a
well-defined set of operations that depend on the object
• Protection problem - ensure that each object is accessed
correctly and only by those processes that are allowed to do so.
→ Prevent unauthorized access
- System processes
- Other users
- Digital Rights Management
→ Improve reliability
- Protect system from application bugs

* Policy is distinct from mechanism

Domain Structure

• Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights

• Association between processes and domains may be static or dynamic


• Each domain can be a user, a process, or a procedure

Domain Implementation

• System consists of 2 domains:
– User
– Supervisor
• UNIX
– Domain = user-id
– Domain switch accomplished via file system.
✴ Each file has associated with it a domain bit (setuid bit).
✴ When file is executed and setuid = on, then user-id is
set to owner of the file being executed. When execution
completes user-id is reset.

Demo of setuid
schmitta@charm tmp % cat printid.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
printf("Real UID\t= %d\n", getuid());
printf("Effective UID\t= %d\n", geteuid());
printf("Real GID\t= %d\n", getgid());
printf("Effective GID\t= %d\n", getegid());

return EXIT_SUCCESS;
}
schmitta@charm tmp % gcc -o printid printid.c
schmitta@charm tmp % chmod ug+s printid
schmitta@charm tmp % ls -l printid
-rwsr-sr-x 1 schmitta staff 12688 29 avr 10:19 printid
schmitta@charm tmp % ./printid
Real UID = 503
Effective UID = 503
Real GID = 20
Effective GID = 20
schmitta@charm tmp % su admin
Password:
bash-3.2$ ./printid
Real UID = 501
Effective UID = 503
Real GID = 501
Effective GID = 20
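The defensive counterpart of the demo above, as an added Python example that is not part of the original slides: a program that detects whether the setuid/setgid bits gave it an identity other than its caller's (the `su admin` run, where the real UID is 501 but the effective UID is 503) and then drops that identity permanently, checking that it cannot be regained. Function names are my own; only the standard `os` module is used. Run as an ordinary user it has nothing to drop and simply confirms that the four identities agree.

```python
import os


def current_ids():
    """The same four identities printid.c prints, as a dict."""
    return {
        "real_uid": os.getuid(), "effective_uid": os.geteuid(),
        "real_gid": os.getgid(), "effective_gid": os.getegid(),
    }


def is_running_setuid():
    """True when the setuid/setgid bits gave the process an identity that
    differs from the user who started it (the 'su admin' case above)."""
    ids = current_ids()
    return (ids["real_uid"] != ids["effective_uid"]
            or ids["real_gid"] != ids["effective_gid"])


def drop_privileges_permanently():
    """Become the real user for good. Order matters: the supplementary group
    list and the GID are dropped while the privileged UID is still held, the
    UID last. Setting all three IDs (real, effective, saved) is what stops a
    later seteuid() from getting the old identity back; a plain setuid() in a
    non-root setuid program leaves the saved set-user-ID untouched."""
    real_uid, real_gid = os.getuid(), os.getgid()
    old_euid, old_egid = os.geteuid(), os.getegid()
    if old_euid == 0:
        os.setgroups([])          # only root may rewrite the supplementary list
    if hasattr(os, "setresgid"):  # Linux: set real, effective and saved explicitly
        os.setresgid(real_gid, real_gid, real_gid)
        os.setresuid(real_uid, real_uid, real_uid)
    else:                         # POSIX fallback: setting the real ID also
        os.setregid(real_gid, real_gid)   # rewrites the saved ID
        os.setreuid(real_uid, real_uid)
    # Verify the drop stuck: the old identity must now be unobtainable.
    for restore, old, new in ((os.seteuid, old_euid, real_uid),
                              (os.setegid, old_egid, real_gid)):
        if old != new:
            try:
                restore(old)
            except PermissionError:
                continue
            raise RuntimeError("privilege drop failed: old identity regained")
    return current_ids()


if __name__ == "__main__":
    print("before:", current_ids(), "setuid active:", is_running_setuid())
    print("after: ", drop_privileges_permanently())
```

Installed with `chmod ug+s` like `printid`, the program would report `setuid active: True` when run by another user and, after the drop, show all four identities equal to that user's real ones.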
Access Matrix

        F1            F2      F3            HP
  D1    read                  read
  D2                                        print
  D3                  read    exec
  D4    read, write           read, write
Access Matrix (domains appear as objects too, so that switch rights fit in the table)

        F1            F2      F3            HP      D1       D2       D3       D4
  D1    read                  read                           switch
  D2                                        print                     switch   switch
  D3                  read    exec
  D4    read, write           read, write           switch
Copy

Before: D3 holds the read right on F2 with the copy flag (read*).

        F1            F2      F3
  D1    read                  read
  D3                  read*   exec
  D4    read, write           read, write

After D3 copies its read right on F2 to D4:

        F1            F2      F3
  D1    read                  read
  D3                  read*   exec
  D4    read, write   read    read, write
iTunes and Access Matrix

• Songs: no iPod limit → copy
• Songs: 5 computers → limited copy
• Rented movie: on 1 computer at a time → transfer
Owner

Before: D3 owns F2 (owner right) and holds read* on it.

        F1            F2              F3
  D1    read                          read
  D3                  read*, owner    exec
  D4    read, write                   read, write

After D3, as owner of F2, adds write* to its own cell:

        F1            F2                      F3
  D1    read                                  read
  D3                  read*, owner, write*    exec
  D4    read, write                           read, write
Control

D2 holds switch and control over D4: a process in D2 can remove rights from D4’s row.

        F1            F2      F3            HP      D1       D2       D3       D4
  D1    read                  read                           switch
  D2                                        print                     switch   switch, control
  D3                  read    exec
  D4    read, write           read, write           switch
Implementation of Access Matrix

• Each column = Access-control list for one object
Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read

• Each row = Capability list (like a key)
For each domain, what operations are allowed on what objects.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy
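The access matrix of these slides, with the switch, copy, owner and control rights, as an added Python example (my code, not from the slides or from Silberschatz). The same table can be read column-wise (an access-control list per object) or row-wise (a capability list per domain), which is exactly the choice the implementation slide describes. Method names are my own; `slide_matrix` reproduces the Control slide, with D3 also owning F2 as on the Owner slide.

```python
from collections import defaultdict


class AccessMatrix:
    """Rows are domains, columns are objects: files F1..F3, the printer HP,
    and the domains themselves (so 'switch' and 'control' fit in the same
    table). A cell is a set of rights; a trailing '*' marks a right that
    carries the copy flag (the slides' read*, write*)."""

    def __init__(self):
        self.cells = defaultdict(set)

    def grant(self, domain, obj, *rights):
        self.cells[(domain, obj)].update(rights)

    def rights(self, domain, obj):
        return frozenset(self.cells.get((domain, obj), ()))

    def allowed(self, domain, obj, op):
        """read* permits reading just like read; the star only adds copyability."""
        r = self.rights(domain, obj)
        return op in r or op + "*" in r

    def switch(self, current, target):
        """A process in `current` may move to `target` only with a switch right."""
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def copy(self, src, dst, obj, op, limited=False, transfer=False):
        """Copy right `op` on `obj` from domain src to dst; src needs op*.
        limited: dst gets op without the copy flag (no further copying).
        transfer: src loses the right (the iTunes 'rented movie' case)."""
        if op + "*" not in self.rights(src, obj):
            raise PermissionError(f"{src} has no copyable {op} on {obj}")
        self.cells[(dst, obj)].add(op if limited else op + "*")
        if transfer:
            self.cells[(src, obj)].discard(op + "*")

    def owner_grant(self, owner, obj, domain, *rights):
        """The owner of an object may add rights anywhere in its column."""
        if "owner" not in self.rights(owner, obj):
            raise PermissionError(f"{owner} does not own {obj}")
        self.grant(domain, obj, *rights)

    def control_revoke(self, controller, controlled, obj, *rights):
        """control over a domain lets one remove rights from that domain's row."""
        if "control" not in self.rights(controller, controlled):
            raise PermissionError(f"{controller} has no control over {controlled}")
        self.cells[(controlled, obj)].difference_update(rights)

    def access_list(self, obj):
        """One column: who may do what to this object (ACL view)."""
        return {d: set(r) for (d, o), r in self.cells.items() if o == obj and r}

    def capability_list(self, domain):
        """One row: what this domain may do to which objects (capability view)."""
        return {o: set(r) for (d, o), r in self.cells.items() if d == domain and r}


def slide_matrix():
    """The matrix of the Control slide, plus D3 owning F2 as on the Owner slide."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read"); m.grant("D1", "F3", "read"); m.grant("D1", "D2", "switch")
    m.grant("D2", "HP", "print"); m.grant("D2", "D3", "switch")
    m.grant("D2", "D4", "switch", "control")
    m.grant("D3", "F2", "read*", "owner"); m.grant("D3", "F3", "exec")
    m.grant("D4", "F1", "read", "write"); m.grant("D4", "F3", "read", "write")
    m.grant("D4", "D1", "switch")
    return m
```

Revocation by object is the easy direction here: `access_list(obj)` is the one column to edit. Revoking from the capability view means touching every row that holds the right, which is the difficulty the revocation slides below refer to.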

Access Control Lists (1)

Use of access control lists to manage file access

Access Control Lists (2)

Two access control lists

Capabilities (1)

Each process has a capability list
Revoking Access Rights

• Immediately or later?
• Revoke the rights to all users or to some?
• Revoke some rights or all rights of an
object?
• Temporarily or permanently?
Revoking Access Rights
• Simple with access list if we revoke by object
• More difficult with capabilities. Use
• Reacquisition
• Back-pointers
• Indirections (not selective)
• Keys (not selective if one key per object)
Language-Based Protection

• Specification of protection in a programming language


allows the high-level description of policies for the
allocation and use of resources.
• Language implementation can provide software for
protection enforcement when automatic hardware-
supported checking is unavailable.
• Interpret protection specifications to generate calls on
whatever protection system is provided by the hardware
and the operating system.
Java Security Model

An Application of Protection: DRM
DRM

• DRM = Digital Rights Management


• Access control technologies to limit usage of
digital media or devices
• May prevent access, copying, or conversion
• DRM is a technical way to enforce laws
DRM
CSS
• CSS = Content Scramble System
• Licensed for DVD drives, DVD players, DVD
movies
• Enforces region coding, prevents skipping
“intros”
• Does not prevent bit by bit copying!
• Cracked since 1999
AACS
• AACS = Advanced Access Content System
• Similar to CSS, but much stronger
• Features Managed Copy
• Final standard not yet released
• Keys can be revoked and new keys used...
but they are cracked even before their
release!
DRM Gone Bad
The Sony BMG Fiasco
Blog post from Mark Russinovich...
“Last week when I was testing the latest version
of RootkitRevealer (RKR) I ran a scan on one of
my systems and was shocked to see evidence of a
rootkit. Rootkits are cloaking technologies that
hide files, Registry keys, and other system objects
from diagnostic and security software, and they
are usually employed by malware attempting to
keep their implementation hidden...”
After some investigation he found it came
from an audio CD by Sony BMG

“The Sony rootkit is designed to hide any files, registry keys and processes starting with the string $sys$”

The CD installed a CD drive driver and made sure no more than 3 copies of the CD were made

It also made the system unstable and less secure
Sony had to recall every protected CD

Several lawsuits were filed and settled

This protection is not used anymore


What do you really buy?

MLB (Major League Baseball) has been selling videos of games with DRM since 2003
In 2007, they changed their DRM provider, and for some users old videos stopped playing
MLB may provide replacements, with DRM
MSN Music DRM keys

MSN Music store closed in November 2006
On April 22, 2008, customers were told authorization servers would stop on August 31, 2008
Using a new computer or reinstalling the OS will result in unplayable songs
The Future of DRM
• Music: becoming DRM free
• Amazon MP3 store, iTunes+, most majors
• Video: very entrenched
• Many countries pass laws protecting DRM
• DMCA, EUCD, DADVSI
• Future of Fair Use? See Free Culture
by Lawrence Lessig

http://www.free-culture.cc/
Homework

Larry Lessig: How creativity is being strangled by the law
http://www.ted.com/talks/view/id/187
Module 19: Security

• The Security Problem


• Authentication
• Program Threats
• System Threats
• Threat Monitoring
• Encryption

Generic Security Attacks
Typical attacks
• Request memory, disk space, tapes and just read
• Try illegal system calls
• Start a login and hit DEL, RUBOUT, or BREAK
• Try modifying complex OS structures
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg admin’s sec’y to help a poor user who forgot password
Threats

– data confidentiality (data read)
– data integrity (data modified or deleted)
– system availability (denial-of-service attacks): hard to avoid

Security is achieved by taking measures at the following levels:


— Physical (e.g. prevent removing of hard drive)
— Human (e.g. prevent bribing a user)
— Network (e.g. prevent intercepting private data)
— Operating system (e.g. authenticate users)
Hacker vs Cracker

“The hacker: someone who figured things out and made something cool happen.”
Human Security
Social Engineering
“Social engineering is a collection of techniques
used to manipulate people into performing actions
or divulging confidential information”
• Phishing
• Pretexting (over the phone)
• Trojan Horse
• Road Apple
• free floppy, CD, usb drive...
• Quid Pro Quo (something for something)
“It is notable that
Mitnick did not use
software programs
or hacking tools for
cracking passwords
or otherwise
exploiting computer
or phone security.”
Breaking in over Internet

– need the IP number of a machine (or its symbolic equivalent, such as so.cs.unibo.it)
– can test if that number is alive using ping
– can try to connect using telnet
– IP numbers “similar” (consecutive numbers) to one that is alive might work as well
– a hacker with a fast connection could discover many entry points to the system (i.e., IP numbers
that accept telnet connections)
– the hacker can then try to exploit weak pairs (login, password)
Authentication

• User identity most often established through passwords, can be
considered a special case of either keys or capabilities.
• Passwords must be kept secret.
– Frequent change of passwords.
– Use of “non-guessable” passwords.
– Log all invalid access attempts.

Authentication Using Passwords

(a) A successful login
(b) Login rejected after name entered
(c) Login rejected after name and password typed

Authentication Using Passwords

• How a cracker broke into LBL
– a U.S. Dept. of Energy research lab
One-time passwords

– Each password is valid only once. Hence anyone capturing the password of a session and then
trying to use it for another session will fail.
– problem: where to keep the password list
– a solution: use one-way functions
easy to compute; hard to invert
hence in , we have: easy, hard
How it works:
initialisation: a password , an integer
session passwords then are:

the server keeps track and updates the integer for
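The one-way-function scheme described above (Lamport’s hash chain), as an added Python example that is not part of the slides. SHA-256 stands in for the one-way function f; class and method names are my own. The server is initialised with f^n(P) only; the client sends f^(n-1)(P), then f^(n-2)(P), and so on, and the server accepts a candidate x only if f(x) equals the value it stored, then stores x. A password captured in transit is useless afterwards: the next valid password is its preimage under f.

```python
import hashlib


def f(x: bytes) -> bytes:
    """One-way function: cheap to compute, infeasible to invert (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def f_pow(x: bytes, k: int) -> bytes:
    """f applied k times, i.e. f^k(x); f^0(x) is x itself."""
    for _ in range(k):
        x = f(x)
    return x


class OtpClient:
    """Holds the secret P and the counter; P itself is only sent as the last password."""

    def __init__(self, password: bytes, n: int):
        self.password, self.i = password, n

    def registration_value(self) -> bytes:
        """What the server stores at initialisation: f^n(P)."""
        return f_pow(self.password, self.i)

    def next_password(self) -> bytes:
        """Session passwords in order: f^(n-1)(P), f^(n-2)(P), ..., f^0(P) = P."""
        if self.i == 0:
            raise RuntimeError("chain exhausted: re-initialise with a new P and n")
        self.i -= 1
        return f_pow(self.password, self.i)


class OtpServer:
    """Stores only the current check value f^i(P). Whoever steals it, or sniffs
    a used password, learns nothing usable: the next password is a preimage."""

    def __init__(self, check_value: bytes, n: int):
        self.expected, self.remaining = check_value, n

    def login(self, candidate: bytes) -> bool:
        if self.remaining == 0 or f(candidate) != self.expected:
            return False
        self.expected = candidate      # the accepted password is the new check value
        self.remaining -= 1
        return True


def demo():
    pw = b"constructed demo secret"      # constructed sample, not a real credential
    client = OtpClient(pw, 5)
    server = OtpServer(client.registration_value(), 5)
    first = client.next_password()       # f^4(P)
    return (server.login(first),         # True: f(f^4(P)) == f^5(P)
            server.login(first),         # False: replaying a captured password
            server.login(client.next_password()))   # True: f^3(P)
```

The "where to keep the password list" problem is solved by keeping no list at all: one hash per user, updated on every login, and a counter telling the user when to re-initialise.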


Challenge-response authentication

– The user selects an algorithm, ex:


– at login time:
the server sends an integer
the user answers with
– problem: the algorithm can be guessed
– a solution:
a function (public)
user selects a key
at login time:
server sends a number
user answers
it should be hard to find out from seeing the results of computing with
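The keyed variant of challenge-response above, as an added Python example that is not from the slides: HMAC-SHA256 plays the role of the public function f(k, r), and the class and function names are my own. Two details that the slide leaves implicit are made explicit here because they decide whether the scheme holds up: the challenge r must be fresh and unpredictable, and each r must be accepted at most once, otherwise an observed answer can simply be replayed.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, challenge: bytes) -> bytes:
    """The public function f(k, r): HMAC-SHA256 keyed with the user's secret.
    Seeing many (r, f(k, r)) pairs does not reveal k."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, keys):
        self.keys = dict(keys)    # user -> secret key k, agreed at enrolment
        self.pending = {}         # user -> the challenge currently outstanding

    def challenge(self, user: str) -> bytes:
        """Send a fresh, unpredictable r. A predictable r (a counter, the time)
        would let answers be precomputed or reused."""
        r = secrets.token_bytes(16)
        self.pending[user] = r
        return r

    def verify(self, user: str, answer: bytes) -> bool:
        r = self.pending.pop(user, None)   # each challenge is usable exactly once
        key = self.keys.get(user)
        if r is None or key is None:
            return False
        # Constant-time comparison: an early-exit byte compare would leak
        # how much of the answer was correct.
        return hmac.compare_digest(respond(key, r), answer)


def login(server, user: str, key: bytes) -> bool:
    """One complete exchange: client asks for r, answers f(k, r), server checks."""
    r = server.challenge(user)
    return server.verify(user, respond(key, r))


def demo():
    key = b"constructed shared key"     # constructed sample, not a real credential
    srv = ChallengeResponseServer({"alice": key})
    r = srv.challenge("alice")
    answer = respond(key, r)
    accepted = srv.verify("alice", answer)    # True
    replayed = srv.verify("alice", answer)    # False: that challenge is spent
    return (accepted, replayed,
            login(srv, "alice", key),         # True: a fresh exchange
            login(srv, "alice", b"wrong"),    # False: wrong key
            login(srv, "bob", key))           # False: unknown user
```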
Authentication Using a Physical Object

• Magnetic cards
– magnetic stripe cards
– chip cards: stored value cards, smart cards
Program Threats

• Trojan Horse
– Code segment that misuses its environment.
– Exploits mechanisms for allowing programs written by users
to be executed by other users.
• Trap Door
– Specific user identifier or password that circumvents normal
security procedures.
– Could be included in a compiler.

• Logic Bomb

• Login Spoofing

• Buffer Overflow

Operating System Security
Trojan Horses

• Free program made available to unsuspecting user
– Actually contains code to do harm
• Place altered version of utility program on victim’s computer
– trick user into running that program
Trojan horse: how to make the victim execute the malicious program

– advertise it on the Internet as something exciting
– (Example) use the PATH variable
Imagine that a directory controlled by yy is in PATH for user xx, and xx types:
cd ˜yy
programxx
Thus the malicious program programxx written by yy is executed by xx and can access xx’s data
– (Example) Install a malicious program called la in user/bin
eventually someone, by mistake, will type la rather than ls
– (Example) Exploiting a shell that checks the working directory before consulting PATH:
a user yy installs a malicious program called ls in his/her home directory
the user does something suspicious (such as using a lot of resources)
the administrator might type:
cd ˜yy
ls
Trap Doors

(a) Normal code.
(b) Code with a trapdoor inserted
Ken Thompson’s backdoor
For debugging purposes, a backdoor in “login”
Did it by modifying the C compiler:
• when compiling password verification
• accept the correct password
• or accept the special debugging password

Pseudocode of the modified compiler:

def compile(code):
    if looksLikeLoginCode(code):
        generateLoginWithBackDoor(code)
    else:
        compileNormally(code)

But this would look strange in the C compiler source... so the compiler is also taught to
recognise its own source and re-insert the modification whenever it is rebuilt, after which
the clean source no longer shows anything:

def compile(code):
    if looksLikeLoginCode(code):
        generateLoginWithBackDoor(code)
    elif looksLikeCompilerCode(code):
        generateCompilerWithBackDoorDetection(code)
    else:
        compileNormally(code)
Logic Bombs

• Company programmer writes program
– potential to do harm
– OK as long as he/she enters password daily
– If programmer fired, no password and bomb explodes
Login Spoofing

(a) Correct login screen
(b) Phony login screen
Login spoofing

– a program that displays the login screen
– the user of the program thus can read many pairs (login, password)
– a way out:
the login session starts out with a key combination that a user program cannot catch (example:
ctrl-alt-del in Windows)
Buffer overflow

In C, array bounds (among other things) are not checked

Example of unchecked code (it compiles and runs; the write at index 400 lands 300 bytes past
the end of the 100-byte array):

int i;
char c[100];
i = 400;
c[i] = 0;
Buffer Overflow

• (a) Situation when main program is running
• (b) After program A called
• (c) Buffer overflow shown in gray
Java Security (1)

• A type safe language
– compiler rejects attempts to misuse variable
• Checks include:
– Attempts to forge pointers
– Violation of access restrictions on private class members
– Misuse of variables by type
– Generation of stack over/underflows
– Illegal conversion of variables to another type
System Threats

• Worms – use spawn mechanism; standalone program
• Internet worm
– Exploited UNIX networking features (remote access) and
bugs in finger and sendmail programs.
– Grappling hook program uploaded main worm program.
• Viruses – fragment of code embedded in a legitimate program.
– Mainly affect microcomputer systems.
– Downloading viral programs from public bulletin boards or
exchanging floppy disks containing an infection.
– Safe computing.

Worm vs Virus
A “worm” is a program that can run
independently, will consume the resources of
its host from within in order to maintain
itself, and can propagate a complete working
version of itself on to other machines.
A “virus” is a piece of code that inserts itself
into a host, including operating systems, to
propagate. It cannot run independently. It
requires that its host program be run to
activate it.
The Internet Worm

• Consisted of two programs
– bootstrap to upload worm
– the worm itself
• Worm first hid its existence
• Next replicated itself on new machines

Morris Worm

November 2, 1988
Robert Tappan Morris Jr., 1st year Cornell graduate student, sends a worm to a few machines
Within hours, about 10% of the internet (6,000 machines) was down
The Morris Internet Worm

How it Worked
Getting in
Using a remote shell (rsh)
host-login without password required
Buffer overflow: finger with a 536 byte string
used to launch /bin/sh
Sendmail bug using its debug mode
mailed the grappling hook to be executed
Propagation
When in, downloaded the worm
Then tried to crack passwords
Looked in new accounts for rsh data files
Attempted to infect new machines
If already there, quit 6 out of 7 times
This brought down most machines
Virus Damage Scenarios
• Blackmail
• Denial of service as long as virus runs
• Permanently damage hardware
• Target a competitor’s computer
– do harm
– espionage
• Intra-corporate dirty tricks
– sabotage another corporate officer’s files
Where viruses could act

– modify executable files


attaching themselves to the front, or to the end
possibly having to modify file headers and file internal logical addresses
first they get activated; then the original file is executed
– residing in memory
possibly redirecting some interrupts to them (ex: system calls)
– overwriting some boot procedure on disk
thus the virus gets loaded every time the machine is turned on
– hiding within a macro
very effective for Word and Excel programs, for instance
easy to write
– modify source code
a “portable” virus
How Viruses Work (3)

• An executable program
• With a virus at the front
• With the virus at the end
• With a virus spread over free space within program
How Viruses Spread

• Virus placed where likely to be copied
• When copied
– infects programs on hard drive, floppy
– may try to spread over LAN
• Attach to innocent looking email
– when it runs, use mailing list to replicate
Viruses and Anti-virus techniques

Anti-virus: virus scanners

Scan executable files looking for viruses that match those in a database

– a problem: variants of the virus might exist
Fuzzy search: might miss some; might interpret some correct file as a virus
– can be slow
Check only files that have been modified since last search: a virus could change the file date
Check only files whose length has changed: a virus could use compression techniques
Antivirus and Anti-Antivirus Techniques

(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Antivirus and Anti-Antivirus Techniques

Examples of a polymorphic virus
All of these examples do the same thing

Antivirus and Anti-Antivirus Techniques

• Integrity checkers
• Behavioral checkers
• Virus avoidance
– good OS
– install only shrink-wrapped software
– use antivirus software
– do not click on attachments to email
– frequent backups
• Recovery from virus attack
– halt computer, reboot from safe disk, run antivirus
Some Modern Worms & Viruses
1999: Melissa, macro virus (Word + Outlook)
2000: ILOVEYOU, VBScript worm. Between $5
billion and $10 billion in damage. “ The
Pentagon, CIA, and the British Parliament had
to shut down their e-mail systems to get rid
of the worm.”
2003: Blaster, Sobig, Sober (until 2005).
2004: MyDoom. Email binary attachment.

One of the fastest spreading worms: 1 in 12 emails at peak.
Used to create a Denial of Service attack against SCO and Microsoft.
2004: Sasser. Did not need user intervention, used a buffer overflow.
Agence France-Presse (AFP): satellite communications blocked for hours
Delta Air Lines: cancelled several trans-atlantic flights (computer systems down)
Nordic insurance company If and Finnish Sampo Bank: closed their 130 offices in Finland.
British Coastguard: electronic mapping service disabled for a few hours
Goldman Sachs, Deutsche Post, and the European Commission also affected
X-ray department at Lund University Hospital: all their four layer X-ray machines disabled for
several hours and had to redirect emergency X-ray patients to a nearby hospital.
2007: Storm Worm.
Email attachment: PDF spam, e-cards, YouTube invites. Also blog comment spam.
Still active (latest version: April 1st, 2008)
Payload morphs every 30 min.
Used to create a peer to peer botnet.

Botnets
Current Botnets

• Kraken: about 500,000 machines
• Storm: about 100,000 machines (was 2 million)
• Used for spam, phishing, denial of service attacks
Some safe design principles

– make the system public (avoid “security by obscurity”)
– allow only accesses explicitly granted
– always check for accesses
– use simple protection mechanisms, built into the OS kernel (precisely: the lowest possible level
of the OS; cf: Windows NT)
Network Security Through Domain Separation Via Firewall

Threat Monitoring

• Check for suspicious patterns of activity – e.g., several incorrect
password attempts may signal password guessing.
• Audit log – records the time, user, and type of all accesses to an
object; useful for recovery from a violation and developing better
security measures.
• Scan the system periodically for security holes; done when the
computer is relatively unused.
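The first bullet above turned into detection logic, as an added Python example that is not part of the slides: a sliding-window count of failed logins per source address over constructed log lines in an sshd-like format. The log, the threshold and the window are my choices, not real data; a success from a source that has just crossed the threshold is flagged separately because that is the case that needs an immediate look rather than an entry in the audit log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture); the format loosely follows sshd's
# "Failed/Accepted password for USER from HOST" lines with an ISO timestamp.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:07 sshd: Accepted password for root from 203.0.113.7
2024-05-01T10:30:00 sshd: Failed password for alice from 198.51.100.2
2024-05-01T10:45:00 sshd: Failed password for alice from 198.51.100.2
2024-05-01T10:45:30 sshd: Accepted password for alice from 198.51.100.2
"""

LINE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def detect_password_guessing(log, threshold=3, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside a sliding window.
    Returns {source: {"users": set of accounts tried, "failures": count in
    window when last seen, "succeeded_after": True if a login from that
    source succeeded while still above the threshold}}."""
    recent = defaultdict(deque)    # source -> timestamps of failures still in window
    tried = defaultdict(set)       # source -> account names it failed against
    alerts = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # unrelated line
        ts = datetime.fromisoformat(m[1])
        outcome, user, src = m[2], m[3], m[4]
        q = recent[src]
        while q and ts - q[0] > window:    # forget failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            tried[src].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"users": tried[src], "failures": 0,
                                            "succeeded_after": False})
                a["failures"] = len(q)
        elif src in alerts and len(q) >= threshold:
            alerts[src]["succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    for src, a in detect_password_guessing(SAMPLE_LOG).items():
        print(src, a)
```

With the defaults only 203.0.113.7 is reported: alice's two failures are fifteen minutes apart and never share a five-minute window, which is the point of counting within a window rather than over the whole log.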

Threat Monitoring (Cont.)

• Check for:
– Short or easy-to-guess passwords
– Unauthorized set-uid programs
– Unauthorized programs in system directories
– Unexpected long-running processes
– Improper directory protections
– Improper protections on system data files
– Dangerous entries in the program search path (Trojan
horse)
– Changes to system programs: monitor checksum values
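Three items of this checklist as one added Python audit script (my own code, not from the slides): unauthorized set-uid programs, dangerous entries in the program search path (the `la`/`ls` Trojan-horse examples earlier on this page), and checksums of system programs, which is the integrity checker the antivirus slides mention and which a virus cannot defeat by resetting a file date or compressing itself. The files under the temporary tree built by `demo` are constructed, and `/usr/bin` and `/tmp` in the PATH sample are only illustrative.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def build_baseline(root):
    """Checksum every file under root. Unlike mtime or size, a content hash
    cannot be preserved by a virus that resets the date or compresses itself."""
    return {rel: sha256_file(full) for rel, full in _walk_files(root)}


def changed_files(root, baseline):
    """Compare the tree against a baseline recorded earlier (kept off-line)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def setuid_files(root, allowed=frozenset()):
    """Regular files with the setuid or setgid bit that are not on the allow list."""
    found = []
    for rel, full in _walk_files(root):
        mode = os.lstat(full).st_mode
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and rel not in allowed:
            found.append(rel)
    return sorted(found)


def _world_writable(directory):
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def dangerous_path_entries(path_value, world_writable=_world_writable):
    """PATH entries that let someone else's 'ls' or 'la' be picked up: the
    current directory (empty entry or '.'), relative directories, and
    directories anyone may write to."""
    bad = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            bad.append((entry, "current directory"))
        elif not os.path.isabs(entry):
            bad.append((entry, "relative directory"))
        elif world_writable(entry):
            bad.append((entry, "world-writable"))
    return bad


def demo():
    """Build a tiny constructed system tree, baseline it, tamper with it, audit."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "passwd"):
            with open(os.path.join(bin_dir, name), "w") as fh:
                fh.write(f"#!/bin/sh\necho {name}\n")
        os.chmod(os.path.join(bin_dir, "passwd"), 0o4755)   # legitimate setuid program
        baseline = build_baseline(root)
        # Tampering: patch ls, and drop a new setuid program with a look-alike name.
        with open(os.path.join(bin_dir, "ls"), "a") as fh:
            fh.write("echo tampered\n")
        with open(os.path.join(bin_dir, "la"), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(bin_dir, "la"), 0o4755)
        return {
            "changes": changed_files(root, baseline),
            "unexpected_setuid": setuid_files(root, allowed={"bin/passwd"}),
            "bad_path": dangerous_path_entries("/usr/bin::./tools:/tmp",
                                               world_writable=lambda d: d == "/tmp"),
        }
```

The baseline is only as trustworthy as its storage: it has to be written from a known-clean state and kept where the machine being audited cannot rewrite it, which is why the recovery slide above says to reboot from a safe disk first.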

