What is (Computer) Security?
“Security is a chain; it’s only as secure as its weakest link.”
“Security is a process, not a product.”
“Security is a tradeoff”
The Security Problem
Applied Operating System Concepts 19.2 Silberschatz, Galvin, and Gagne 1999
Module 18: Protection
• Goals of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Revocation of Access Rights
• Capability-Based Systems
• Language-Based Protection
• Digital Rights Management
Protection
• An operating system consists of a collection of objects, hardware or software.
• Each object has a unique name and can be accessed through a well-defined set of operations that depend on the object.
• Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
→ Prevent unauthorized access
  - System processes
  - Other users
  - Digital Rights Management
→ Improve reliability
  - Protect the system from application bugs
Domain Structure
Domain Implementation
Demo of setuid
schmitta@charm tmp % cat printid.c
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(void)
{
printf("Real UID\t= %d\n", getuid());
printf("Effective UID\t= %d\n", geteuid());
printf("Real GID\t= %d\n", getgid());
printf("Effective GID\t= %d\n", getegid());
return EXIT_SUCCESS;
}
schmitta@charm tmp % gcc -o printid printid.c
schmitta@charm tmp % chmod ug+s printid
schmitta@charm tmp % ls -l printid
-rwsr-sr-x 1 schmitta staff 12688 29 avr 10:19 printid
schmitta@charm tmp % ./printid
Real UID = 503
Effective UID = 503
Real GID = 20
Effective GID = 20
schmitta@charm tmp % su admin
Password:
bash-3.2$ ./printid
Real UID = 501
Effective UID = 503
Real GID = 501
Effective GID = 20
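Added example (my code, not part of the lecture): what a setuid program such as printid should do with the privilege the demo shows it carrying, i.e. drop back to the real identity for the parts that handle untrusted input and verify that the drop took effect. Function names are mine; run as an ordinary (non-setuid) binary the calls are no-ops and the checks still pass.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* 1 when the process runs with exactly its real identity, i.e. no
 * setuid/setgid privilege is in effect, 0 otherwise. */
int running_with_real_ids(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Give up the setuid/setgid identity for a section that handles untrusted
 * input.  seteuid()/setegid() leave the saved set-user-ID in place, so the
 * privilege can be taken back afterwards.  Returns 0 on success, -1 on failure. */
int drop_privileges_temporarily(void)
{
    if (setegid(getgid()) == -1) return -1;
    if (seteuid(getuid()) == -1) return -1;
    return 0;
}

/* Give up the privilege for good.  Order matters: drop the group first,
 * because once the effective UID is unprivileged the process may no longer
 * be allowed to change its GID.  For a setuid-root program setuid() resets
 * real, effective and saved UID; for a non-root setuid program (uid 503 in
 * the demo) the saved set-user-ID may survive on some systems, where
 * setresuid() should be used instead.  Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* Check the effect instead of trusting the return values alone. */
    return (getegid() == gid && geteuid() == uid) ? 0 : -1;
}

int main(void)
{
    printf("Before: real UID = %d, effective UID = %d\n", (int)getuid(), (int)geteuid());
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("After:  real UID = %d, effective UID = %d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```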
Access Matrix (domains D1..D4 as rows, objects F1, F2, F3 and the printer HP as columns)

          F1           F2           F3           HP
  D1      read                      read
  D2                                             print
  D3                   read         exec
  D4      read,write                read,write

Access Matrix with domain switching
  [Figure: the same matrix with the domains D1, D2, D3, D4 added as objects (columns); D4 additionally holds a switch right]

Copy (before)

          F1           F2           F3
  D1      read                      read
  D3                   read*        exec
  D4      read,write                read,write

Copy (after: D3, holding read* on F2, has copied read to D4)

          F1           F2           F3
  D1      read                      read
  D3                   read*        exec
  D4      read,write   read         read,write

Owner (before)

          F1           F2           F3
  D1      read                      read
  D3                   read*        exec
                       owner
  D4      read,write                read,write

Owner (after: D3, as owner of F2, has added write* to its F2 entry)

          F1           F2           F3
  D1      read                      read
  D3                   read*        exec
                       owner
                       write*
  D4      read,write                read,write

Control
  [Figure: matrix over F1, F2, F3, HP and the domains D1, D2, D3, D4; D4 holds a switch right in addition to its read and write rights on F1 and F3]
Implementation of Access Matrix
• Each Row = Capability List (like a key): for each domain, what operations are allowed on what objects. For example:
  Object 1 – Read
  Object 4 – Read, Write, Execute
  Object 5 – Read, Write, Delete, Copy
Access Control Lists (1)
Capabilities (1)
Revoking Access Rights
• Immediately or later?
• Revoke the rights of all users or only of some?
• Revoke some rights or all rights on an object?
• Temporarily or permanently?
• Simple with access lists if we revoke by object
• More difficult with capabilities. Use:
  – Reacquisition
  – Back-pointers
  – Indirection (not selective)
  – Keys (not selective if one key per object)
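An added example, my code rather than the lecture's or the textbook's: the first access matrix above as a bit matrix in C, with the copy flag (read* on the Copy slide) and revocation by object, the access-list case the revocation slide calls simple, since an object's column is its ACL. The enum names are mine, and the copy is a limited copy (the copied right loses its flag), which is what the Copy slide shows for D4.

```c
#include <string.h>

/* Domains (rows) and objects (columns) of the lecture's matrix. */
enum { D1, D2, D3, D4, NDOM };
enum { F1, F2, F3, HP, NOBJ };
enum { READ = 1, WRITE = 2, EXEC = 4, PRINT = 8 };

/* rights[d][o]: rights domain d holds on object o (one bit per right).
 * copyflag[d][o]: which of those rights carry the copy flag (the * on the slide). */
static unsigned rights[NDOM][NOBJ];
static unsigned copyflag[NDOM][NOBJ];

/* Load the first "Access Matrix" slide, plus D3's read* on F2 from the Copy slide. */
void init_matrix(void)
{
    memset(rights, 0, sizeof rights);
    memset(copyflag, 0, sizeof copyflag);
    rights[D1][F1] = READ;          rights[D1][F3] = READ;
    rights[D2][HP] = PRINT;
    rights[D3][F2] = READ;          rights[D3][F3] = EXEC;
    rights[D4][F1] = READ | WRITE;  rights[D4][F3] = READ | WRITE;
    copyflag[D3][F2] = READ;
}

/* The check every operation goes through: does domain d hold right r on object o? */
int allowed(int d, int o, unsigned r)
{
    return (rights[d][o] & r) == r;
}

/* Copy right: src may give right r on object o to dst only if src holds r
 * with the copy flag.  The copy is handed over without the flag (limited
 * copy), so dst cannot propagate it further.  Returns 1 if copied, else 0. */
int copy_right(int src, int dst, int o, unsigned r)
{
    if (!allowed(src, o, r) || (copyflag[src][o] & r) != r)
        return 0;
    rights[dst][o] |= r;
    return 1;
}

/* Revocation by object, the easy case with access lists: the object's column
 * is its ACL, so clearing it revokes every domain's rights at once. */
void revoke_by_object(int o)
{
    for (int d = 0; d < NDOM; d++) {
        rights[d][o] = 0;
        copyflag[d][o] = 0;
    }
}
```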
Language-Based Protection
An Application of Protection: DRM
http://www.free-culture.cc/
Homework
Generic Security Attacks
Typical attacks
• Request memory, disk space, tapes and just read
• Try illegal system calls
• Start a login and hit DEL, RUBOUT, or BREAK
• Try modifying complex OS structures
• Try to do specified DO NOTs
• Convince a system programmer to add a trap door
• Beg the admin’s secretary to help a poor user who forgot their password
Threats
Authentication Using Passwords
– Each password is valid only once. Hence anyone capturing the password of a session and then trying to use it for another session will fail.
– Problem: where to keep the password list
– A solution: use one-way functions (easy to compute; hard to invert)
  hence in , we have: easy, hard
  How it works:
  initialisation: a password , an integer
  session passwords then are:
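Added example, my code and not from the slide: the one-time-password chain the slide sketches (a password p, an integer n, and session passwords derived with a one-way function), carried through in C with both the client's and the server's side. The one-way function is a non-cryptographic SplitMix64 mixing step standing in for a real hash, and the scenario values are constructed.

```c
#include <stdint.h>

/* Stand-in one-way function, NOT cryptographic: one SplitMix64 mixing step.
 * A real deployment uses a cryptographic hash such as SHA-256 here. */
static uint64_t f(uint64_t x)
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* f^k(x): f applied k times. */
static uint64_t f_pow(uint64_t x, int k) { while (k-- > 0) x = f(x); return x; }

/* Server state: only the current verifier f^n(p) and the counter n are kept,
 * never the password p itself, so there is no password list to protect. */
struct otp_server { uint64_t verifier; int n; };

/* Initialisation: the user picks a password p and an integer n; the server stores f^n(p). */
void otp_init(struct otp_server *s, uint64_t p, int n) { s->verifier = f_pow(p, n); s->n = n; }

/* Client side: the password for session i (1-based) is f^(n-i)(p). */
uint64_t otp_client_password(uint64_t p, int n, int session) { return f_pow(p, n - session); }

/* Server side: accept x iff f(x) equals the stored verifier, then store x as
 * the next verifier.  Replaying a captured x fails, and deriving the next
 * password from x would require inverting f. */
int otp_verify(struct otp_server *s, uint64_t x)
{
    if (s->n <= 0 || f(x) != s->verifier) return 0;
    s->verifier = x;
    s->n--;
    return 1;
}

/* Constructed scenario: genuine login, replay of the captured password, next login. */
int otp_replay_demo(void)
{
    struct otp_server s;
    const uint64_t p = 0x5eedULL;
    otp_init(&s, p, 4);
    int first  = otp_verify(&s, otp_client_password(p, 4, 1));   /* 1: accepted */
    int replay = otp_verify(&s, otp_client_password(p, 4, 1));   /* 0: rejected */
    int second = otp_verify(&s, otp_client_password(p, 4, 2));   /* 1: accepted */
    return first && !replay && second;
}
```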
• Magnetic cards
  – magnetic stripe cards
  – chip cards: stored value cards, smart cards
Program Threats
• Trojan Horse
– Code segment that misuses its environment.
– Exploits mechanisms for allowing programs written by users
to be executed by other users.
• Trap Door
– Specific user identifier or password that circumvents normal
security procedures.
– Could be included in a compiler.
• Logic Bomb
• Login Spoofing
• Buffer Overflow
Operating System Security
Trojan Horses
Trojan horse: how to get the malicious program executed
– advertise it on the Internet as something exciting
– (Example) use the PATH variable. Imagine the current directory is in PATH for user xx, and xx types
    cd ~yy
    programxx
  Thus the malicious program programxx written by yy is executed by xx and can access xx's data.
– (Example) Install a malicious program called la in /usr/bin: eventually someone, by mistake, will type la rather than ls.
– (Example) Exploiting a shell that checks the working directory before consulting PATH: a user yy installs a malicious program called ls in his/her home directory; the user then does something suspicious (such as using a lot of resources), and the administrator might type:
    cd ~yy
    ls
Trap Doors
Login Spoofing

Buffer Overflow
    int i;
    char c[100];
    i = 400;
    c[i] = 0;    /* out-of-bounds write: c has only 100 elements */

Checks (language-based protection) include:
• Attempts to forge pointers
• Violation of access restrictions on private class members
• Misuse of variables by type
• Generation of stack over/underflows
• Illegal conversion of variables to another type
System Threats
Worm vs Virus
A “worm” is a program that can run independently, will consume the resources of its host from within in order to maintain itself, and can propagate a complete working version of itself on to other machines.
A “virus” is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
The Internet Worm
Morris Worm
November 2, 1988: Robert Tappan Morris Jr., a 1st-year Cornell graduate student, sends a worm to a few machines. Within hours, about 10% of the internet (6,000 machines) was down.
The Morris Internet Worm
How it Worked
Getting in
• Using a remote shell (rsh): host login without a password required
• Buffer overflow: finger with a 536-byte string, used to launch /bin/sh
• Sendmail bug using its debug mode: mailed the grappling hook to be executed
Propagation
• Once in, downloaded the worm
• Then tried to crack passwords
• Looked in new accounts for rsh data files
• Attempted to infect new machines
• If already there, quit 6 out of 7 times
• This brought down most machines
Virus Damage Scenarios
• Blackmail
• Denial of service as long as the virus runs
• Permanently damage hardware
• Target a competitor’s computer
  – do harm
  – espionage
• Intra-corporate dirty tricks
  – sabotage another corporate officer’s files
Where viruses could act
• An executable program
• With a virus at the front
• With the virus at the end
• With a virus spread over free space within the program
How Viruses Spread
Viruses and Anti-virus techniques
Scan executable files looking for viruses that match those in a database:
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques
• Integrity checkers
• Behavioral checkers
• Virus avoidance
  – good OS
  – install only shrink-wrapped software
  – use antivirus software
  – do not click on attachments to email
  – frequent backups
• Recovery from virus attack
  – halt computer, reboot from safe disk, run antivirus
Some Modern Worms & Viruses
1999: Melissa, macro virus (Word + Outlook)
2000: ILOVEYOU, VBScript worm. Between $5 billion and $10 billion in damage. “The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm.”
2003: Blaster, Sobig, Sober (until 2005).
2004: MyDoom. Email binary attachment.
Threat Monitoring
Threat Monitoring (Cont.)
• Check for:
– Short or easy-to-guess passwords
– Unauthorized set-uid programs
– Unauthorized programs in system directories
– Unexpected long-running processes
– Improper directory protections
– Improper protections on system data files
– Dangerous entries in the program search path (Trojan horse)
– Changes to system programs: monitor checksum values
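As an added example (my code, not the lecture's), a C audit of a PATH value for the "dangerous entries in the program search path" item of this checklist, i.e. the entries that make the cd ~yy / programxx and la-versus-ls Trojan horse scenarios above work: current-directory or relative entries, and directories anyone can write to. The sample PATH is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if entry is "", "." or any relative path: such an entry makes the user
 * run whatever happens to sit in the current working directory. */
int is_relative_entry(const char *entry)
{
    return entry[0] != '/';
}

/* 1 if path is an existing directory writable by everyone, so any user could
 * drop a program named la (or ls) into it. */
int is_world_writable_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & S_IWOTH) != 0;
}

/* Walks a PATH value, prints each dangerous entry and returns their count
 * (-1 if the value is too long).  Splitting is done by hand on a copy because
 * strtok() would silently skip empty entries such as the one in "/bin::/usr/bin". */
int count_dangerous_path_entries(const char *path_value)
{
    char buf[4096];
    int bad = 0;
    if (strlen(path_value) >= sizeof buf) return -1;
    strcpy(buf, path_value);
    for (char *start = buf;;) {
        char *colon = strchr(start, ':');
        if (colon) *colon = '\0';
        if (is_relative_entry(start)) {
            printf("dangerous: \"%s\" (current or relative directory)\n", start);
            bad++;
        } else if (is_world_writable_dir(start)) {
            printf("dangerous: \"%s\" (world-writable directory)\n", start);
            bad++;
        }
        if (!colon) break;
        start = colon + 1;
    }
    return bad;
}

/* Constructed sample PATH: the empty entry between the two colons and the
 * trailing "." are the two dangerous entries. */
const char SAMPLE_PATH[] = "/usr/local/bin:/usr/bin::/bin:.";
```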