Protection and Security

  Security: policy for controlling access to system
  Protection: mechanism implementing security policy
  Why: users can do bad things to system, either maliciously or unintentionally
  What makes a system susceptible?
    - Multi-user system
    - Networked system
    - Fork and exec

Definition of a Secure System: resources are accessed only as intended

  Types of threats to security:
    - Unauthorized disclosure: reads that shouldn't be allowed
    - Unauthorized updates: writes that shouldn't be allowed
    - Denial of service: interfere with legitimate access

Aspects of a Protection Mechanism

  1. User identification (authentication)
  2. Authorization information: data specifying what user is and is not allowed to do
  3. Access enforcement: check that user's accesses are in his/her set of allowable accesses
  How? Passwords

Protection Mechanism for Authentication

  - Physical key/card and user PIN number
  - Physical characteristics: fingerprint, retina scan
  - Passwords:
      How: system keeps password file of <user, password> pairs;
           when user logs in, his/her password is compared to the file entry
      Vulnerability: keeping the password file secure
      Solution: don't make the password file secret
        - Don't store passwords, store encrypted passwords
        - If user gets access, they only have encrypted passwords

Password Security Problems

  - Looking over someone's shoulder when they type it in
  - Fake login programs
  - Sniffing NW traffic for plain-text passwords
      ex. telnet sends passwords in plain text, ssh does not
  - Password cracker programs
      Trying all possible combinations is too expensive
      But people make bad choices for passwords, so the cracker can reduce
      the search space with pretty good results
  Human solutions: pick better passwords & change them often
  Machine solutions: slow down the cracker
    - Add a delay (it really doesn't take 5 seconds to check)
    - Break connection after some number of tries
Protection Mechanism for Access Enforcement

  General Model
    Object: thing to which we want to control access (foo.c)
    User: ones who do things to objects (newhall)
    Rights: permissions to invoke ops on objects (rwx)
    Domain: set of rights

    Domain 1        Domain 2         Domain 3
    Obj1, read      Obj3, read       Obj1, read, execute
    Obj2, write     Obj3, execute    Obj2, read, write

Unix Protection

  - Domains associated with user
  - Can switch domains by changing uid temporarily
  - setuid program: change process's effective uid to owner of a.out
      example: passwd: change your password
      Allows any user to write to files that only root has write access to:
        /etc/passwd : regular users have only R access
        /etc/shadow : regular users have neither R nor W

        -rw-r--r-- 1 root root 54831 Apr 24 08:47 /etc/passwd
        -rw-r----- 1 root shadow 102478 Apr 25 12:58 /etc/shadow

Security Threats

  1. Human
       Access data you didn't protect, look over your shoulder or guess
       passwords, steal/destroy your machine, ...
  2. Program: Malware (Malicious Software)
       virus, worm, trojan horse, bot net, rootkit, ...
       - May be installed on system without knowledge of user/administrator
           use a system vulnerability to get on the system
       - May go to great lengths to hide themselves
           don't show up in ps, /proc, top, system logs, disable antivirus
           software, ...

Program Threats

  Trojan Horse: program appears to do one thing, but also secretly does
  something else
    (ex) put fake mail program in user's path; when user runs it, it sends
         mail, but also deletes all user's files
    Problem is world-writable directories in user's paths
  Login Spoofing: fake login program to get passwords
  Trap Door: hole in software that does something bad
    (ex) writer of banking software adds code like:
         put all values of transactions < 1cent in my account
System Threats

  Systems that support fork/exec and remote connections (client/server)
  can lead to bad things

  1. Viruses and Worms
       could be malicious (delete files, erase disk) or denial of service
       (use up system resources)
       (ex) fork bomb: while(1) { fork(); }   fills up system process table

  virus: program fragment inside another program
    requires human interaction to catch & infect the system
      - free software w/virus that user downloads and runs
      - mail reading programs that exec attachments w/viruses
    Anti-virus software: search for known virus code sequences in files
    on system

Worms

  First Internet Worm, 1988
    - By Robert Morris, a Cornell graduate student
        His father is a computer security expert at NIST
        He received jail time and a fine -> don't try this at home
        Now he is a professor at MIT -> ???
    - A denial of service attack, but could have easily been written to do
      more damage
    - Attacked BSD Unix systems on Internet, brought down thousands of
      computers in a few hours
  Two Parts:
    Bootstrap program: loads worm onto remote machine using bugs in rsh,
    finger, sendmail
    Worm program: finds other machines to infect and other user accounts
    to use
      - finds rsh data (other hosts to which users can connect)
      - runs password cracker

Bootstrapping the Worm

  rsh bug:
    System keeps <host, login> pairs for hosts that user can connect to
    without giving password
    Using the list, worm connects to other hosts & loads itself on them

  finger bug: buffer overflow
    PROBLEM: statically declared local variable for input, and not doing a
    bounds check on the size of the input
    1. A well-formatted input string of too long a length overwrites the
       stack contents (including the saved PC value (the address in the
       calling function to return to after the function completes))
    2. When the function returns, it returns to some bad code in this
       well-formatted bad input string (e.g. execs a shell)
    3. Since the finger daemon process is owned by root: the worm now has a
       shell running as root on the remote machine

    int foo(char *instr) {
        char array[max];        /* fixed-size local buffer on the stack */
        strcpy(array, instr);   /* no bounds check on the size of instr */
        return 0;
    }

    Stack before strcpy:
      address 0x2000: foo's array[]
      address 0x2020: caller's PC (return addr in main func, 0x100)
      address 0x2050: main's stack

    Format of bad input string:
      [ evil code ][ evil return addr ][ evil code ]
      (PC set to the evil return addr on return from function foo)

    Stack after strcpy:
      address 0x2000: foo's array[], now holding evil code
      address 0x2020: return addr in main func, overwritten with 0x2020
      address 0x2050: main's stack, now holding more evil code
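The bounds check that foo() is missing, as an added example (not code from the original slides). MAX = 16 and the helper name copy_checked are assumptions made for the illustration; over-long input is rejected rather than truncated.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX 16  /* assumed buffer size; the slide leaves max unspecified */

/* Bounds-checked copy (hypothetical helper). Returns 0 and fills dst
 * (cap bytes) when src fits together with its terminating NUL, otherwise
 * returns -1 and leaves dst as an empty string. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    const char *nul;

    if (dst == NULL || cap == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    nul = memchr(src, '\0', cap);   /* examines at most cap bytes of src */
    if (nul == NULL)
        return -1;                  /* no NUL within cap bytes: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* The slide's foo() with the check added: returns the length of the
 * accepted input, or -1 if the input was rejected. Nothing is ever
 * written past array[], so the saved return address is not touched. */
int foo(const char *instr)
{
    char array[MAX];

    if (copy_checked(array, sizeof array, instr) != 0)
        return -1;
    return (int)strlen(array);
}

int main(void)
{
    char too_long[100];             /* constructed over-long input */

    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("short input: %d\n", foo("newhall"));
    printf("long input:  %d\n", foo(too_long));
    return 0;
}
```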
Preventing Buffer Overflow

  Humans: programmers always need to add bounds checking for reads (input)
    This seems easy, but it is a very common error
  System level (w/hw support):
    Setting that disallows executing code on the stack
    Unfortunately, this doesn't prevent buffer overflow:
      use return addr of system(), param: /bin/bash
  Making it harder (this is not prevention):
    OS: when it creates a new process, allocate its stack starting at a
    different virtual address each time

Heartbleed openssl Bug

  SSL/TLS protocol: encrypted transfer: https://
  Heartbeat functionality (part of protocol): keeps secure connection open
  (o/w times out)
    1. client sends heartbeat msg (data & len) to server
    2. msg received (copied into its mem)
    3. server sends heartbeat response: a copy of msg & other stuff
  Problem: receiver doesn't check that the message received is really the
  length the sender says it is in the message:
    evil client: sends small data (ex. 1 byte), but large len value
    server response message: copies 1 byte of message received plus next
    len-1 bytes of its own state into response: could be anything
    (private encryption keys, unencrypted private data)

Bot Net

  A bot, short for robot, is an automated software program that can
  execute certain commands
  A botnet, short for robot network, is an aggregation of computers
  compromised by bots, connected to a central controller that can issue
  it commands
    great for distributing spam, unleashing a coordinated attack on a
    large NW

Root Kit

  SW/tools for maintaining root access on a system and hiding itself from
  administrators
  Installed at first by exploiting a system vulnerability, like a worm, or
  installed by an unsuspecting user
  With root access, you can change drivers, load kernel modules, change
  kernel-level code, turn off logging, modify logging, ...
    with root access, it's not hard to hide activities from system
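The length check described as missing in the Heartbleed slide above, as an added example (not OpenSSL's code and not from the original slides). The message layout is a simplified assumption: 1 type byte, a 2-byte big-endian payload length, then the payload, with padding omitted; hb_respond and the HB_* constants are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* 1 type byte + 2 length bytes */

/* Build a heartbeat response in out (out_cap bytes) from a received
 * message msg of msg_len bytes, where msg_len is the byte count the
 * transport actually delivered. Returns the response length, or -1 if
 * the message is dropped. */
long hb_respond(const unsigned char *msg, size_t msg_len,
                unsigned char *out, size_t out_cap)
{
    size_t claimed;

    if (msg == NULL || out == NULL || msg_len < HB_HDR)
        return -1;                  /* too short to hold a header */
    if (msg[0] != HB_REQUEST)
        return -1;
    claimed = ((size_t)msg[1] << 8) | msg[2];   /* sender-controlled len */

    /* The check the slide says was missing: the claimed payload length
     * must not exceed the bytes that really arrived after the header.
     * Without it, the memcpy below reads past msg into adjacent memory. */
    if (claimed > msg_len - HB_HDR)
        return -1;
    if (claimed > out_cap || HB_HDR > out_cap - claimed)
        return -1;                  /* response would not fit in out */

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR, msg + HB_HDR, claimed);
    return (long)(HB_HDR + claimed);
}

int main(void)
{
    /* Constructed messages: an honest 4-byte heartbeat, and one that
     * carries 1 byte of data but claims a length of 0x4000. */
    const unsigned char honest[] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    const unsigned char evil[]   = {HB_REQUEST, 0x40, 0x00, 'x'};
    unsigned char out[64];

    printf("honest: %ld\n", hb_respond(honest, sizeof honest, out, sizeof out));
    printf("evil:   %ld\n", hb_respond(evil, sizeof evil, out, sizeof out));
    return 0;
}
```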
What can you do?

  - Beware of phishing
  - Use & check certificates (3rd party authentication)
  - Use encrypted interfaces (ssh vs. telnet)
  - Don't download free SW ... well, be careful
  - Install security SW (it also has vulnerabilities)
  - Update system with security patches
  - Pick good passwords, change them occasionally
  - Use a firewall

Firewall

  Interface between trusted local area network (LAN) and untrusted
  external NW (internet)

  [Diagram: Trusted LAN | Firewall | Untrusted Internet]

  All communication between inside and outside is through the firewall
  Firewall keeps invalid packets from entering the internal NW

TCP/UDP-IP Packets

  Most NW traffic is TCP/UDP-IP packets
  A message between two processes on different machines is broken up into
  multiple IP packets, each routed from source to destination
  independently through the NW
  IP packet has:
    Src address: IP and port number
    Dest address: IP and port number

Firewall Functionality

  1. Packet Filtering: inspects packets as they enter, filters on a set of
     rules and drops packets not matching the rules
       Unix: iptables are the interface to firewall rules
       accept connections on some ports (22: ssh, 80: http)
       disable connections on others (20: telnet)
  2. Can be stateful: keeps track of all open connections, and drops
     invalid packets
       this state, however, can be a target of DOS attacks
  3. Use Network Address Translation (NAT) between internal and external NW
       Maps external addresses to private internal addresses
       Outside doesn't know the exact internal addr of target
More Security Information

  Computer Emergency Readiness Team: www-us-cert.gov
    List of security threats, bugs, fixes, ...
  Symantec puts out an annual security report and has links to all kinds
  of historic info off its webpage: www.symantec.com/security_response

Summary

  Security: policy for controlling access to system
  Protection: mechanism implementing security policy
  Protection mechanisms for access enforcement
    - ACLs or Capabilities
    - Passwords, retina scans, off-the-grid private NWs
  Secure System: resources are accessed only as intended
  Security Threats
    - Human, Program, System
  More and more complications:
    - Cloud computing, on-line commerce, mobile devices