Language-Based Protection

Similar documents
The Security Problem

Chapter 15: Security. Operating System Concepts 8 th Edition,

Chapter 14: Security. Operating System Concepts Essentials 8 th Edition

Chapter 15: Security. Operating System Concepts 9 th Edition

Security. Reading: Chapter 15, [OSC] (except Section 15.9)

Chapter 15: Security. Chapter 15: Security

19.1. Security must consider external environment of the system, and protect it from:

Module 20: Security. The Security Problem Authentication Program Threats System Threats Threat Monitoring Encryption. Operating System Concepts 20.

System and Network Security

Protection and Security

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CS System Security 2nd-Half Semester Review

CS System Security Mid-Semester Review

Security and Authentication

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Access Controls. CISSP Guide to Security Essentials Chapter 2

Security Threats: Network Based Attacks

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

CTS2134 Introduction to Networking. Module 08: Network Security

Protection and Security

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Hacking Terminology. Mark R. Adams, CISSP KPMG LLP

Protection and Security. Sarah Diesburg Operating Systems CS 3430

Ethics and Information Security. 10 주차 - 경영정보론 Spring 2014

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Certified Ethical Hacker

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Network Security Fundamentals

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Guide to Network Security First Edition. Chapter One Introduction to Information Security

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

EC-Council. Program Brochure. EC-Council. Page 1

Unit 5. System Security

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

e-commerce Study Guide Test 2. Security Chapter 10

Last time. Trusted Operating System Design. Security in Networks. Security Features Trusted Computing Base Least Privilege in Popular OSs Assurance

Malware, , Database Security

IS-2150/TEL-2810 Introduction to Computer Security Quiz 2 Thursday, Dec 14, 2006

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

ISO/IEC Common Criteria. Threat Categories

SANS Exam SEC504 Hacker Tools, Techniques, Exploits and Incident Handling Version: 7.1 [ Total Questions: 328 ]

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Copyright

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

Home Computer and Internet User Security

Chapter 10: Security and Ethical Challenges of E-Business

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Security, Privacy and Authentication. Michael Power Gowling Lafleur Henderson LLP

Ethical Hacking and Prevention

Chapter 19 Security. Chapter 19 Security

Systems and Network Security (NETW-1002)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

CHAPTER 8 SECURING INFORMATION SYSTEMS

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

Cyber Security Practice Questions. Varying Difficulty

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

Accounting Information Systems

SE420 Software Quality Assurance

Buffer overflow background

Network Fundamentals. Chapter 7: Networking and Security 4. Network Fundamentals. Network Architecture

IS 2150 / TEL 2810 Information Security & Privacy

Mobile MOUSe HACKING REVEALED ONLINE COURSE OUTLINE

POST GRADUATE DIPLOMA IN CYBER SECURITY (PGDCS)

Define information security Define security as process, not point product.

Today: Protection. Protection

Technology in Action

COMPUTER NETWORK SECURITY

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Certified Ethical Hacker (CEH)

20: Exploits and Containment

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Curso: Ethical Hacking and Countermeasures

CEH v8 - Certified Ethical Hacker. Course Outline. CEH v8 - Certified Ethical Hacker. 12 May 2018

V8 - CEH v8 - Certified Ethical Hacker. Course Outline. CEH v8 - Certified Ethical Hacker. 03 Feb 2018

Table of Contents. Chapter One. Domain 1.0: Systems Security... 1 Practice Questions... 1 Quick-Check Answer Key Answers and Explanations...

Operating System Services

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Chapter 4. Network Security. Part I

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Program Security and Vulnerabilities Class 2

Principles of Information Security, Fourth Edition. Chapter 2 The Need for Security

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. 5 March,

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Chapter 14: Protection. Operating System Concepts 9 th Edition

ISA564 SECURITY LAB. Code Injection Attacks

GCIH. GIAC Certified Incident Handler.

CompTIA Security+ (Exam SY0-401)

Chapter 17: System Protection

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

DumpsTorrent. Latest dumps torrent provider, real dumps

Transcription:

Language-Based Protection Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources. Language implementation can provide software for protection enforcement when automatic hardwaresupported checking is unavailable. Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system. page 1

Protection in Java 2 Protection is handled by Java Virtual Machine (JVM) A class is assigned a protection domain when it is loaded by the JVM The protection domain indicates what operations the class can (and cannot) perform If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library page 2

Stack Inspection page 3

Chapter 15: Security - Objectives To discuss security threats and attacks To explain the fundamentals of encryption, authentication, and hashing To examine the uses of cryptography in computing To describe the various countermeasures to security attacks page 4

The Security Problem Security must consider external environment of the system, and protect the system resources Intruders (crackers) attempt to breach security Threat is potential security violation Attack is attempt to breach security Attack can be accidental or malicious Easier to protect against accidental than malicious misuse page 5

Security Violations Categories Breach of confidentiality Breach of integrity Breach of availability Theft of service Denial of service Methods Masquerading (breach authentication) Replay attack Message modification Man-in-the-middle attack Session hijacking page 6

Standard Security Attacks page 7

Security Measure Levels Security must occur at four levels to be effective: Physical Human Avoid social engineering, phishing, dumpster diving Operating System Network Security is as week as the weakest chain page 8

Program Threats Trojan Horse Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed by other users Spyware, pop-up browser windows, covert channels Trap Door Specific user identifier or password that circumvents normal security procedures Could be included in a compiler Logic Bomb Program that initiates a security incident under certain circumstances Stack and Buffer Overflow Exploits a bug in a program (overflow either the stack or memory buffers) page 9

C Program with Buffer-overflow Condition #include <stdio.h> #define BUFFER SIZE 256 int main(int argc, char *argv[]) { char buffer[buffer SIZE]; if (argc < 2) return -1; else { strcpy(buffer,argv[1]); return 0; } } page 10

Layout of Typical Stack Frame page 11

Modified Shell Code #include <stdio.h> int main(int argc, char *argv[]) { execvp( /bin/sh, /bin/sh, NULL); return 0; } page 12

Hypothetical Stack Frame Before attack After attack page 13

Program Threats (Cont.) Viruses Code fragment embedded in legitimate program Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro Visual Basic Macro to reformat hard drive Sub AutoOpen() Dim ofs Set ofs = CreateObject( Scripting.FileSystemObject ) vs = Shell( c:command.com /k format c:,vbhide) End Sub page 14

Program Threats (Cont.) Virus dropper inserts virus onto the system Many categories of viruses, literally many thousands of viruses File Boot Macro Source code Polymorphic Encrypted Stealth Tunneling Multipartite Armored page 15

A Boot-sector Computer Virus page 16

System and Network Threats Worms use spawn mechanism; standalone program Internet worm Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs Grappling hook program uploaded main worm program Port scanning Automated attempt to connect to a range of ports on one or a range of IP addresses Denial of Service Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once page 17

The Morris Internet Worm page 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback