Dec 20, 2015
2S. Manolache, Process programming and operating systems, Security
Last on TTIT61
Files
  Operations
  Sharing
  Protection
Directory hierarchies
Disk scheduling algorithms
Lecture Plan
1. What is an operating system? What are its functions? Basics of computer architectures. (Part I of the textbook)
2. Processes, threads, schedulers (Part II, chap. IV-VI)
3. Synchronisation (Part II, chap. VII)
4. Primary memory management. (Part III, chap. IX, X)
5. File systems and secondary memory management (Part III, chap. XI, XII, Part IV)
6. Security (Part VI)
Outline
Protection
  Protection Domains
  Access matrix, access control lists, capability lists
Security
  Types of attacks
  Password protection
  Cryptography
  Trojans, exploits, worms, viruses
  Intrusion detection
  Logging
Protection
Processes must be protected from one another’s activities
Protection refers to a set of mechanisms used to ensure that resources (CPU, memory, I/O, files) are accessed only after proper authorisation by the OS
OS has to provide means to
  Specify access controls
  Enforce them
Policies and Mechanisms
Policies
  Specify what will be done
  May change over time
Mechanisms
  Specify how policies will be implemented
  Preferably general, such that a change in policy does not imply a change in the mechanisms (i.e. a change in the OS)
Protection Domains
OS consists of a collection of
  Processes
  Objects (hw: CPU, memory, I/O; sw: files, semaphores, programs)
A protection domain specifies
  The objects that may be used by a process
  The operations that may be invoked on each object
Protection Domains
Figure: protection domains drawn as sets of <object, rights> pairs: O3, {RD, WR}; O1, {RD, WR}; O2, {EX}; O2, {WR}; O4, {print}; O1, {EX}; O3, {RD}
Protection Domains
Domains can be associated per
  User
  Process
  Procedure
Association between processes and domains can be dynamic
  E.g.: seteuid(new_uid) (set effective user ID; a privileged operation, i.e. only root may successfully execute it)
User Mode and Kernel Mode
Kernel mode = monitor mode in the book
In kernel mode the process may execute privileged instructions (read/write to I/O ports, changing protection domains, process priorities, etc.)
Why should low level I/O port operations be protected?
The setuid Bit
$ ls -l /bin/ls
-r-xr-xr-x 1 root bin 27284 Jan 23 2005 /bin/ls
Even though /bin/ls is owned by root, when a user executes it, it runs with the user’s ID, thus it has the rights of the user executing it, not of the owner of the file
If it were:
-r-sr-xr-x 1 root bin 27284 Jan 23 2005 /bin/ls
Then it would run with the effective user ID of the file owner, i.e. root
Examples? Why would we want that?
Access Matrix
Figure: access matrix with rows D1, D2, D3, D4 (domains) and columns F1, F2, F3, Laserprinter, D1, D2, D3, D4 (objects, the domains themselves included); entries are rights such as read, write, exec and switch (the right to switch to another domain)
Access Control Lists and Capability Lists
An access control list is a column in the access matrix, i.e. for each object it specifies <process, rights>
A capability list is a row in the access matrix, i.e. for each domain it specifies <object, rights>
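An added example in Python (not from the lecture) showing the two views of the access matrix: the access control list as a column of the matrix and the capability list as a row, plus the access check and domain switch built on them. The matrix contents are constructed for illustration and are not the ones on slide 12.

```python
# Constructed access matrix (illustration only, not the one on slide 12):
# rows are protection domains, columns are objects. Domains appear as objects
# too, carrying the right "switch", i.e. a controlled change of domain.
ACCESS_MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}, "D2": {"switch"}},
    "D2": {"Laserprinter": {"print"}, "D3": {"switch"}, "D4": {"switch"}},
    "D3": {"F2": {"read"}, "F3": {"exec"}},
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}, "D1": {"switch"}},
}


def access_control_list(matrix, obj):
    """Column of the matrix: for one object, the <domain, rights> pairs."""
    return {dom: set(row[obj]) for dom, row in matrix.items() if obj in row}


def capability_list(matrix, domain):
    """Row of the matrix: for one domain, the <object, rights> pairs."""
    return {obj: set(rights) for obj, rights in matrix.get(domain, {}).items()}


def all_objects(matrix):
    return {obj for row in matrix.values() for obj in row}


def matrix_from_acls(acls):
    """Rebuild the matrix from per-object ACLs: both views carry the same
    information; they differ only in what is stored together with what."""
    matrix = {}
    for obj, entries in acls.items():
        for dom, rights in entries.items():
            matrix.setdefault(dom, {})[obj] = set(rights)
    return matrix


def check_access(matrix, domain, obj, op):
    """The question the OS answers on every access: may `domain` do `op` on `obj`?"""
    return op in matrix.get(domain, {}).get(obj, set())


def switch_domain(matrix, current, target):
    """Dynamic association: switching domain is itself a right in the matrix."""
    if not check_access(matrix, current, target, "switch"):
        raise PermissionError(f"{current} may not switch to {target}")
    return target
```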
Who Ensures Protection?
OS
Compilers (do not compile code that contains I/O operations, for example)
Language (Java, for example)
Security
Can be regarded as protection from external threats, from the environment
Resources to be protected from unauthorised access, malicious destruction, accidental introduction of inconsistencies
Types of Attacks
Theft of information
Unauthorised modification of data
Unlawful use (spam, launching malicious attacks)
Preventing legitimate use (denial of service)
Breaking In
Physically (break into the computer room, destroy the computers, install sniffing devices, etc.)
Human (log in as someone else, root preferably)
Network (intercept/modify data circulating on the net, send data as coming from a legitimate source, launch data floods for (distributed) denial of service attacks)
OS (exploit bugs in server software such that it will execute provided malicious code)
Prevention
Physical attacks: lock the doors
Human
  Choose difficult to guess passwords
  Protect the passwords
Password Protection
# passwd john
Changing password for john
New password:
Retype password:
Plain text password ev@hvtB → library function crypt → encrypted password stored in /etc/passwd: d6649MpokpY0.
Password Protection
telnet remote
User: john
Password: ev@hvtB
crypt gives a one-way encryption, i.e. it is very difficult to obtain the original from the encrypted form
ev@hvtB → crypt → d6649MpokpY0. (computed from the typed password)
compare with the stored /etc/passwd entry: d6649MpokpY0.
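An added Python example (not the slide's own code) of the same store-then-compare flow; the crypt library function is replaced by a salted PBKDF2 hash from the standard library, and the user name and password are the ones from the slide.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # work factor: slows down guessing from a stolen entry


def one_way(password, salt):
    """Stand-in for crypt(3): easy to compute, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_entry(user, password):
    """What `passwd` stores: user, salt and hash, never the plain text password."""
    salt = secrets.token_bytes(16)  # fresh per entry: equal passwords differ on disk
    return f"{user}:{salt.hex()}:{one_way(password, salt).hex()}"


def verify_login(entry, user, typed):
    """Login: recompute the one-way function on what was typed and compare."""
    stored_user, salt_hex, hash_hex = entry.split(":")
    if stored_user != user:
        return False
    computed = one_way(typed, bytes.fromhex(salt_hex))
    # constant-time comparison: does not leak how many bytes matched
    return hmac.compare_digest(computed, bytes.fromhex(hash_hex))


def entry_reveals_password(entry, password):
    """True if the stored record contains the plain text password (it must not)."""
    return password in entry
```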
Sniffing
Figure: User1 talks to Server (or user2); a malicious user sniffs the traffic in between
What happens in the case of telnet?
Cryptography
Never telnet! Always ssh!
One-way encryption would not help
Symmetric-key and asymmetric-key cryptography systems
  Symmetric: the same key is used for both encryption and decryption. How do we transport the key to the other end over an untrustworthy channel?
  Asymmetric: different keys
Public/Private Key Systems
Each user has two keys, a public and a private one
It is very difficult to calculate the private key when only the corresponding public key is known (very difficult = years of trying on supercomputers)
Public/Private key systems are computationally more complex than symmetric key approaches
Public/Private Keys
What is encrypted with the public key can be decrypted only by the private key
Alice gives everybody her public key. Bob writes her a message and encrypts it with Alice’s public key. Only Alice may read the message because only she has the private key
Digital Signatures
What is encrypted with the private key can be decrypted only by the public key
Alice computes a hash of a message (the so-called message digest), then she encrypts the digest with her private key, and appends the encrypted digest to the plain text message
Everybody having Alice’s public key may decrypt the message digest, and compute it from the original plain-text message. If the decrypted and computed digests are identical, they are sure that
  Alice wrote the message
  Nobody changed the message on the way
Ssh with Password Authentication
Server sends its public key
User sends a symmetric session key encrypted with the server’s public key. Only the real server may decrypt it.
From then on, the symmetric key is used for communication
The password does not traverse the network in plain text!
Impersonating
Figure: User1, Server (or user2), and a malicious user impersonating the server
Does ssh with password authentication protect in this case?
Passwords may be read by a corrupted ssh server
Spoofing
Figure: User1, a malicious user placed in between, Server (or user2)
Can a malicious user read the password?
Yes, if the client has no previous knowledge of the real public key of the server
Spoofing
Figure: User1, a malicious user placed in between, Server (or user2)
Can a malicious user read the password?
No
Ssh with Public/Private Key Authentication
A secure channel (encrypted by a symmetric key) is established like in the password authentication scheme
Next, the server sends a challenge encrypted with the user’s public key
The legitimate user is the only one to be able to decrypt the challenge
The response to the challenge is sent back, and if they match, the user is authenticated
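An added Python example (not from the lecture) that carries the Public/Private Keys, Digital Signatures and ssh challenge slides through with textbook RSA on small constructed primes: Bob encrypts for Alice, Alice signs a digest, and a server challenges the holder of a private key.

```python
import hashlib
import secrets

# Textbook RSA over small constructed primes, for illustration only: real keys
# use moduli of thousands of bits plus padding (OAEP, PSS). This is not secure.
def make_keypair(p=1009, q=1013, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: e*d == 1 (mod phi(n))
    return (e, n), (d, n)              # (public key, private key)

def apply_key(key, x):
    """x^exponent mod n; the same operation serves either key."""
    exponent, n = key
    return pow(x, exponent, n)

def encrypt_for(public, plaintext):
    """Bob encrypts for Alice with her public key, one byte per block."""
    return [apply_key(public, b) for b in plaintext]

def decrypt_with(private, blocks):
    """Only the holder of the matching private key recovers the plaintext."""
    return bytes(apply_key(private, c) for c in blocks)

def digest(message, n):
    """Message digest, reduced into the toy modulus so it fits one block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """Alice 'encrypts' the digest with her private key; this is the signature."""
    return apply_key(private, digest(message, private[1]))

def verify(public, message, signature):
    """Anyone holding Alice's public key recovers the digest and recomputes it."""
    return apply_key(public, signature) == digest(message, public[1])

def challenge_response(user_public, user_private, challenge=None):
    """ssh key authentication: the server encrypts a random challenge with the
    user's public key; only the matching private key produces the right answer."""
    n = user_public[1]
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 1
    sent = apply_key(user_public, challenge)   # what travels to the client
    answer = apply_key(user_private, sent)     # what the client sends back
    return answer == challenge
```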
Impersonating
Figure: User1, Server (or user2), and a malicious user impersonating the server
Even if the server is corrupted, no passwords are sent
Spoofing
Figure: User1, a malicious user placed in between, Server (or user2)
Can users be duped to think that they connect to the real server?
Yes, if the client has no previous knowledge of the real public key of the server, but no password is sniffed
Certificates
How can users know that the public key they get from a server is the public key of the real server?
By means of certificates
An authority, the CA (certificate authority), signs the public key of the real server with the private key of the CA
Everybody may decrypt the signature and read the public key of the real server
But nobody may forge the public key of the real server, because they do not have access to the CA’s private key in order to issue a new certificate for the forged key
Program Threats
Trojan horses
Trap doors
Exploits
Trojan Horses
Use of a program that is believed to do something, but in addition it does something else
E.g.: emulate a login screen, an ssh server, etc.; log typed keys; read system files and email them, etc.
Protection:
  Do not execute untrusted code
  Do not put the current directory (the dot ‘.’) in your search path
Trap Doors
Doors left open by the programmer
E.g.:
    if (uid == sorma)
        grant_access();
    else
        authenticate();
Easy to spot if we have access to the source code of system programs and/or OS
Difficult to spot if they are very clever, for example the trap is not in the source of the program but in the source of the compiler that compiles the program!
Exploits
Stack and buffer overflows
E.g.:
Safe:
    char s[BUF_MAX];
    fgets(s, BUF_MAX, stdin);  /* reads at most BUF_MAX-1 characters and NUL-terminates */
Unsafe:
    char s[BUF_MAX];
    gets(s);                   /* no length bound: a longer line is written past the end of s */
What if one introduces a string that is longer than BUF_MAX? Those characters will overwrite code. What if the extra characters typed are themselves code?
System Threats
Viruses: code appended to legitimate programs
Worms: stand-alone programs
Denial of Service
Do not gain information
Disable legitimate users
Very difficult if not impossible to counter
Firewalls
Software program or hardware device that controls connections to and from a network
Intrusion Detection
Various axes of detection:
  Detection in real-time or post-factum
  Types of inputs analysed: shell commands, system calls, network packet headers, server log files
  Response: alarm, kill process, set a trap
Intrusion Detection
Signature based. Based on characteristics of abnormality
  Specific behaviour patterns. E.g.: anti-virus, fishing for strings such as /etc/passwd in network packets, etc.
  Identifies known attacks
Anomaly detection. Based on characteristics of normality
  Monitoring if the system deviates from “normal” operation. Anomalous login time, anomalous shell commands, etc.
  Identifies previously unknown attacks
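An added Python example (not from the lecture) that runs both kinds of detection over constructed log lines: a signature rule for /etc/passwd in a payload and an anomaly rule for a login at an hour far from the user's usual ones.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): "<timestamp> <user> <event> <detail>"
LOG_LINES = [
    "2015-12-01T09:12 john login ok",
    "2015-12-02T09:03 john login ok",
    "2015-12-03T08:57 john login ok",
    "2015-12-04T03:41 john login ok",
    "2015-12-04T03:42 john cmd cat /etc/passwd",
    "2015-12-04T09:30 anna cmd ls -l",
    "2015-12-05T03:15 anna http GET /../../etc/passwd",
]

# Signature based: patterns that characterise known abnormal behaviour.
SIGNATURES = {
    "passwd-file-access": re.compile(r"/etc/passwd"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line):
    ts, user, event, detail = line.split(" ", 3)
    return {"hour": int(ts[11:13]), "user": user, "event": event, "detail": detail}


def signature_alerts(lines):
    """Known attacks: raise an alarm whenever a signature matches the payload."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["detail"]):
                alerts.append((name, rec["user"], line))
    return alerts


def anomaly_alerts(lines, tolerance=2, min_history=2):
    """Unknown attacks: a login far from the hours at which the user normally
    logs in. The model of normality is the mean of the user's earlier logins
    (hours compared linearly; wrap-around past midnight is ignored here)."""
    seen_hours = defaultdict(list)
    alerts = []
    for rec in map(parse, lines):
        if rec["event"] != "login":
            continue
        history = seen_hours[rec["user"]]
        if len(history) >= min_history:
            usual = sum(history) / len(history)
            if abs(rec["hour"] - usual) > tolerance:
                alerts.append((rec["user"], rec["hour"]))
        history.append(rec["hour"])  # every observation refines the baseline
    return alerts
```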
False Alarms
(2 intrusions/day x 10 records/intrusion) / 1 million records/day = 0.00002 = P(I) = probability of an intrusion
An intrusion detection system has to maximise P(I | A) and P(not I | not A) (probability to have an intrusion given that we got an alarm and probability of no intrusion given that no alarm rang)
Let us assume that P(A | I) = 0.8 (probability of ringing an alarm given that an intrusion occurs)
Let us assume that P(A | not I) = 0.0001 (probability of ringing an alarm given that no intrusion occurs)
We get P(I | A) = 0.14. That is very low! 6 out of 7 alarms are false!
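The slide's figure follows from Bayes' theorem applied to the three assumed quantities (added derivation, writing ¬I for "not I"):

$$P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)} = \frac{0.8 \cdot 0.00002}{0.8 \cdot 0.00002 + 0.0001 \cdot 0.99998} = \frac{0.000016}{0.000115998} \approx 0.138$$

The tiny base rate P(I) dominates: per day, 0.8 × 20 = 16 intrusion records ring a true alarm, while 0.0001 × 999,980 ≈ 100 benign records ring a false one.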
Auditing and Logging
Monitoring system calls
Keeping log files and regularly checking them
Monitoring important directories and executable files for changes, deletions, etc.
Keeping CRCs of important executables on read-only supports and comparing with computed CRCs
Mount /usr read-only!
Mount /tmp no-exec and no-suid!
Let /home be a separate partition from /
Make /home no-suid
Summary
Protection
  Protection Domains
  Access matrix, access control lists, capability lists
Security
  Types of attacks
  Password protection
  Cryptography
  Trojans, exploits, worms, viruses
  Intrusion detection
  Logging
Course Summary
1. What is an operating system? What are its functions? Basics of computer architectures. (Part I of the textbook)
2. Processes, threads, schedulers (Part II, chap. IV-VI)
3. Synchronisation (Part II, chap. VII)
4. Primary memory management. (Part III, chap. IX, X)
5. File systems and secondary memory management (Part III, chap. XI, XII, Part IV)
6. Security (Part VI)