Lecture 17 Overview

Lecture 17 Overview. Targeted Malicious Code Trapdoor – undocumented entry point to a module – forget to remove them – intentionally leave them in the.

Jan 17, 2018


Lucas Freeman


Lecture 17 Overview


Targeted Malicious Code
• Trapdoor
  – undocumented entry point to a module
  – forget to remove them
  – intentionally leave them in the program for testing
  – intentionally leave them in the program for maintenance of the finished program, or
  – intentionally leave them in the program as a covert means of access to the component after it becomes an accepted part of a production system

CS 450/650 Lecture 17: Targeted Malicious Codes


Targeted Malicious Code
• Salami Attack
  – a series of many minor actions that together result in a larger action that would be difficult or illegal to perform at once
  – Ex. Interest computation
• Rootkit
  – A program or coordinated set of programs designed to gain control over a computer system or network of computing systems


Targeted Malicious Code
• Privilege Escalation
  – a means for malicious code to be launched by a user with lower privileges but run with higher privileges
• Interface illusion
  – a spoofing attack in which all or part of a web page is false
• Keystroke Logging


Targeted Malicious Code
• Man-in-the-Middle Attacks
• Timing Attacks
  – attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
• Covert Channels
  – programs that leak information
  – ex. Hide data in output


Covert Channel
• Two active agents
  – Sender (has access to unauthorized information)
    • e.g., Trojan Horse in MS Word
  – Receiver (reads sent information)
    • e.g., program creating the copy
• Encoding schema
  – How the information is sent
    • e.g.,
      – File F exists: 0
      – File F does not exist: 1
• Synchronization
  – e.g., when to check for existence of F


Storage Covert Channels
• Based on properties of resources
  – pass information by using presence or absence of objects in storage
• Examples:
  – File locks
  – Delete/create file
  – Memory allocation


Timing Covert Channel
• Time is the factor – how fast
  – pass information using the speed at which things happen
• Examples:
  – Processing time
  – Transmission time


Controls Against Program Threats

• Prevent Threats during software development
  – Modularity
    • security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components


Controls Against Program Threats

• Prevent Threats during software development
  – Encapsulation
    • hide a component's implementation details
    • minimize interfaces to reduce covert channels
  – Information hiding
    • a component as a kind of black box
    • components will have limited effect on other components


Controls Against Program Threats

• Peer Reviews
  – Hazard Analysis
    • set of systematic techniques to expose potentially hazardous system states
  – Testing
    • unit testing, integration testing, function testing, performance testing, acceptance testing, installation testing, regression testing


Controls Against Program Threats

• Good Design
  – Using a philosophy of fault tolerance
  – Have a consistent policy for handling failures
  – Capture the design rationale and history
  – Use design patterns
• Prediction
  – predict the risks involved in building and using the system


Controls Against Program Threats

• Static Analysis
  – Use tools and techniques to examine characteristics of design and code to see if the characteristics warn of possible faults
• Configuration Management
  – control changes during development and maintenance
• Analysis of Mistakes
• Proofs of Program Correctness
  – Can we prove that there are no security holes?


Operating System Controls on Use of Programs

• Trusted Software
  – code has been rigorously developed and analyzed
    • Functional correctness
    • Enforcement of integrity
    • Limited privilege
    • Appropriate confidence level


Operating System Controls on Use of Programs

• Mutual Suspicion
  – assume other program is not trustworthy
• Confinement
  – limit resources that program can access
• Access Log
  – list who accesses computer objects, when, and for how long


Administrative Controls
• Standards of Program Development
  • Standards of design
  • Standards of documentation, language, and coding style
  • Standards of programming
  • Standards of testing
  • Standards of configuration management
• Security Audits
• Separation of Duties


Lecture 18

Protection in Operating System

CS 450/650

Fundamentals of Integrated Computer Security

Slides are modified from Ian Goldberg and Hesham El-Rewini


Operating System
• An OS allows different users to access different resources in a shared way
• The OS needs to control
  – the sharing and
  – provide an interface to allow the access
• Identification and authentication are required for access control

CS 450/650 Lecture 18: Protection in Operating System


History
• OSs evolved as a way to allow multiple users to use the same hardware
  – Sequentially (based on executives)
  – Interleaving (based on monitors)
• OS makes resources available to users
  – if required by them and permitted by some policy
• OS also protects users from each other
  – Attacks, mistakes, resource overconsumption
• Even for a single-user OS, protecting a user from him/herself is a good thing
  – Mistakes, malware


Protected Objects
• CPU
• Memory
• I/O devices (disks, printers, keyboards, ...)
• Programs
• Data
• Networks


Separation
• Keep one user's objects separate from other users
• Physical separation
  – Use different physical resources for different users
  – Easy to implement, but expensive and inefficient
• Temporal separation
  – Execute different users' programs at different times


Separation
• Logical separation
  – User is given the impression that no other users exist
  – As done by an operating system
• Cryptographic separation
  – Encrypt data and make it unintelligible to outsiders
  – Complex


Sharing
• Sometimes, users want to share resources
  – Library routines (e.g., libc)
  – Files or database records
• OS should allow flexible sharing, not “all or nothing”
  – Which files or records? Which part of a file/record?
  – Which other users?
  – Can other users share objects further?
  – What uses are permitted?
    • Read but not write, view but not print (Feasibility?)
    • Aggregate information only
  – For how long?


Memory and Address Protection

• Prevent program from corrupting other programs or data, operating system and maybe itself

• Often, the OS can exploit hardware support for this protection, so it’s cheap

• Memory protection is part of translation from virtual to physical addresses
  – Memory management unit (MMU) generates exception if something is wrong with virtual address or associated request
  – OS maintains mapping tables used by MMU and deals with raised exceptions


Memory and Address Protection

[Figure: Bare Machine. Labels: user; memory, addresses 0 to n]


Protection Techniques
• Fence register
  – Exception if memory access below address in fence register
  – Protects operating system from user programs
  – Single user only


Address Protection for a resident monitor

[Figure: the CPU address is compared with the fence register (address >= fence); true: access to memory (0 to n); false: error]


Protection Techniques
• Base/bounds register pair
  – Exception if memory access below/above address in base/bounds register
  – Different values for each user program
  – Maintained by operating system during context switch
  – Limited flexibility


Protection Techniques
• Tagged architecture
  – Each memory word has one or more extra bits that identify access rights to word
  – Very flexible
  – Large overhead
  – Difficult to port OS from/to other hardware architectures


Segmentation
• Each program has multiple address spaces
  – Segments
• use different segments for code, data, stack
  – Or maybe even more fine-grained,
    • different segments for data with different access restrictions
• Virtual addresses consist of two parts:
  – <segment name, offset within segment>


Segmentation
• OS keeps mapping from segment name to its base physical address in Segment Table
• OS can transparently relocate or resize segments and share them between processes
• Each segment has its own memory protection attributes


Segmentation

[Figure: the CPU issues (s, d); the Segment Table supplies limit and base for s; d < limit is tested; true: base + d addresses memory (0 to n); false: error]


Logical and Physical Representation of Segments


Translation of Segment Address

Segment Table also contains memory protection attributes
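
Added example (not from the original slides): a C sketch of the segment address translation described in the Segmentation slides, with the limit check and the per-segment protection attributes. The table contents, type names and rights flags are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Access rights kept per segment (flag names are illustrative). */
enum { SEG_R = 1, SEG_W = 2, SEG_X = 4 };

typedef enum { XL_OK, XL_BAD_SEGMENT, XL_OUT_OF_BOUNDS, XL_PROTECTION } xl_status;

typedef struct {
    uint32_t base;    /* physical address where the segment starts */
    uint32_t limit;   /* segment length in bytes */
    unsigned rights;  /* combination of SEG_R, SEG_W, SEG_X */
} seg_entry;

/* Constructed sample segment table: code, data, stack. */
static const seg_entry seg_table[] = {
    { 0x4000, 0x1000, SEG_R | SEG_X },  /* 0: code, never writable */
    { 0x9000, 0x0800, SEG_R | SEG_W },  /* 1: data, never executable */
    { 0xC000, 0x0400, SEG_R | SEG_W },  /* 2: stack, never executable */
};
#define NSEG (sizeof seg_table / sizeof seg_table[0])

/* Translate the virtual address <s, d> for an access needing `want` rights.
 * Every reference goes through all three checks before base + d is formed. */
xl_status seg_translate(uint32_t s, uint32_t d, unsigned want, uint32_t *phys)
{
    if (s >= NSEG)
        return XL_BAD_SEGMENT;         /* no such segment for this program */
    const seg_entry *e = &seg_table[s];
    if (d >= e->limit)
        return XL_OUT_OF_BOUNDS;       /* the "d < limit" test failed */
    if ((e->rights & want) != want)
        return XL_PROTECTION;          /* segment attributes forbid the access */
    *phys = e->base + d;
    return XL_OK;
}

int main(void)
{
    uint32_t p = 0;
    xl_status st = seg_translate(1, 0x10, SEG_R, &p);
    printf("read  <1,0x010>: status=%d phys=0x%X\n", st, (unsigned)p);
    printf("read  <1,0x800>: status=%d (past the limit)\n",
           seg_translate(1, 0x800, SEG_R, &p));
    printf("write <0,0x020>: status=%d (code is not writable)\n",
           seg_translate(0, 0x20, SEG_W, &p));
    return 0;
}
```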


Review of Segmentation
• Advantages:
  – Each address reference is checked for protection by hardware
  – Many different classes of data items can be assigned different levels of protection
  – Users can share access to a segment, with potentially different access rights
  – Users cannot access an unpermitted segment


Review of Segmentation
• Disadvantages:
  – External fragmentation
  – Dynamic length of segments requires costly out-of-bounds check for generated physical addresses
  – Segment names are difficult to implement efficiently


Paging
• Program (i.e., virtual address space) is divided into equal-sized chunks
  – pages
• Physical memory is divided into equal-sized chunks
  – frames
• Frame size equals page size


Paging
• Virtual addresses consist of two parts:
  – <page #, offset within page>
  – # bits for offset = log2(page size),
  – no out-of-bounds possible for offset

• OS keeps mapping from page # to its base physical address in Page Table

• Each page has its own memory protection attributes


Paging

[Figure: the CPU issues logical address (p, d); the Page Table maps page p to frame f; physical address (f, d) addresses memory (0 to n)]


Page Address Translation


Review of Paging
• Advantages:
  – Each address reference is checked for protection by hardware
  – Users can share access to a page, with potentially different access rights
  – Users cannot access an unpermitted page
• Disadvantages:
  – Internal fragmentation
  – Assigning different levels of protection to different classes of data items not feasible


x86 Architecture
• x86 architecture provides both segmentation and paging
  – Linux uses a combination of segmentation and paging
    • Only simple form of segmentation to avoid portability issues
    • Segmentation cannot be turned off on x86
  – Same for Windows


Paged Segmentation


x86 Architecture
• Memory protection bits indicate no access, read/write access or read-only access
• Recent x86 processors also include NX (No eXecute) bit, forbidding execution of instructions stored in page
  – Enabled in Windows XP SP 2 and some Linux distros
  – Helps against some buffer overflows
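
Added example (not from the original slides): a C sketch of the page address translation from the Paging slides, combined with the per-page protection bits and NX bit described above. The page size, flag layout and table contents are assumptions for illustration and do not reproduce the real x86 page-table entry format.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE   4096u
#define OFFSET_BITS 12u                  /* log2(PAGE_SIZE) */
#define OFFSET_MASK (PAGE_SIZE - 1u)

/* Per-page attribute bits (illustrative layout). */
enum { PG_PRESENT = 1, PG_WRITE = 2, PG_NX = 4 };

typedef enum { ACC_READ, ACC_WRITE, ACC_EXEC } access_t;
typedef enum { PG_OK, PG_FAULT_NOT_PRESENT, PG_FAULT_WRITE, PG_FAULT_NX } pg_status;

typedef struct { uint32_t frame; unsigned flags; } pte;

/* Constructed sample page table for one process. */
static const pte page_table[] = {
    { 7, PG_PRESENT },                     /* 0: code, read-only, executable */
    { 3, PG_PRESENT | PG_NX },             /* 1: constants, read-only, NX */
    { 9, PG_PRESENT | PG_WRITE | PG_NX },  /* 2: stack, read/write, NX */
    { 0, 0 },                              /* 3: no access */
};
#define NPAGES (sizeof page_table / sizeof page_table[0])

/* Split vaddr into <page #, offset>, check the page's attributes against
 * the requested access, then build the physical address <frame, offset>. */
pg_status page_translate(uint32_t vaddr, access_t acc, uint32_t *phys)
{
    uint32_t page = vaddr >> OFFSET_BITS;
    uint32_t off  = vaddr & OFFSET_MASK;   /* always < PAGE_SIZE: no bounds check */
    if (page >= NPAGES || !(page_table[page].flags & PG_PRESENT))
        return PG_FAULT_NOT_PRESENT;
    const pte *e = &page_table[page];
    if (acc == ACC_WRITE && !(e->flags & PG_WRITE))
        return PG_FAULT_WRITE;             /* read-only page */
    if (acc == ACC_EXEC && (e->flags & PG_NX))
        return PG_FAULT_NX;                /* bytes written to the stack cannot run */
    *phys = (e->frame << OFFSET_BITS) | off;
    return PG_OK;
}

int main(void)
{
    uint32_t p = 0;
    pg_status st = page_translate(0x2ABC, ACC_WRITE, &p);
    printf("write 0x2ABC: status=%d phys=0x%X\n", st, (unsigned)p);
    printf("exec  0x2ABC: status=%d (NX page)\n",
           page_translate(0x2ABC, ACC_EXEC, &p));
    printf("write 0x0010: status=%d (read-only code page)\n",
           page_translate(0x0010, ACC_WRITE, &p));
    return 0;
}
```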
