Lecture 37



Reminder: No class on Friday.
Case study final reports in PDF format due one
day before presentation. Presentations due
electronically day after presentation.
Questions?
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
1
Outline

Program threats

System and network threats

Current events article

Reis, Barth, and Pizano, "Browser Security:
Lessons from Google Chrome", Communications of
the ACM, August 2009.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
2
Program Threats

Trojan Horse: program that misuses the
environment it is in. Get an authorized user to
run a program that does something other than
what is expected.



Relative path is vulnerable, especially if '.' is in path.
Could end up running a different program.
Login screen emulators sniff passwords.
Spyware uses covert channels to communicate
surreptitiously, usually from victim machine.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
3
Program Threats


Trapdoor: special input recognized by a
program to circumvent security. Often used for
debugging, but then left open. Can be added
by the compiler, so not visible in source code.
Viruses: fragments of code embedded into
programs by "infecting" them. Generally very
malicious, e.g., deleting files, crashing systems,
etc.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
4
Program Threats


Stack & buffer overflow: overwrite the return
address to return to rogue program. Many
programs use fixed-size buffers in the stack to
store user data without guarding against
overflow.
While setting up an overflow attack takes
considerable knowledge, the exploit can be
scripted so that just about anyone (aka script
kiddie) can launch an attack.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
5
System and Network Threats

Worms: stand alone programs that propagate
through service vulnerabilities.


Morris worm (1988): exploited rsh, finger, and
sendmail. rsh uses .rhosts file to allow remote log in
without a password. finger was a buffer overflow on
the username argument. sendmail was a debug
backdoor that executed provided code.
Took down much of the precursor to the Internet.
Resulted in 3 years probation, 400 hours
community service, $10K fine. Legal costs >$100K
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
6
System and Network Threats


W32.Sobig.F@mm (2003): original worm was
hidden in a photo uploaded to a porn newgroup
using a stolen credit card number. Used its own
SMTP engine to email itself as an attachment to
every address found on the infected system. Was
the fastest spreading worm at the time the text was
written.
Port scanning: not an attack in and of itself,
but often used to test and detect system vulnerabilities in advance of an attack. Often done
from infected machines.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
7
System and Network Threats

Denial of Service (DoS): often easier than
trying to break in.



Java applet that eats CPU time or infinitely pops up
windows
TCP/IP SYN attack. Needs to be stopped at the
network level until the OS can catch up
Accidental DoS. E.g., CS courses using fork( ) or
new operators in loops.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
8
System and Network Threats

Generally not possible to stop DoS, especially
distributed attacks. Note that excessive
network connections may be the normal
consequence of something like a successful ad
campaign.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
9
What to do about security?

Cryptography and encryption (CS 415)

Frequent updates and anti-virus scans

Firewalls

Intrusion detection systems
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
10
Current Events Article




Reis, Barth, and Pizano, "Browser Security:
Lessons from Google Chrome",
Communications of the ACM, August 2009.
Reis and Pizano are Google software
engineers. Barth is a postdoc at UC-Berkeley.
Example of a technical paper for a general
technical audience.
Summary: This paper discusses three key
problems for web browser security and how
Google Chrome addresses them.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
11
Web Browser Security


Web browsers are an appealing target for
attacks. Practically every computer has at least
one user that uses a web browser to connect
over a network to obtain content, services, and
applications. The user trusts that the browser
"does the right thing".
By their nature, web browsers invite outside
code to be executed on a user's computer.
Historically, every browser has had a bug that
allowed breaches of security.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
12
Web Browser Security


Also, even after security bugs are patched,
many users continue to run older, vulnerable
versions.
Authors identify three factors that contribute to
the security danger

Severity of vulnerabilties

Window of vulnerability

Frequency of exposure
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
13
Severity of Vulnerabilities



Ideally, all software is bug-free and lack
exploitable vulnerabilities. Reality is that we
can only hope to reduce the severity of
vulnerabilities.
Do this by isolating browser components and
reducing privileges to the minimum needed to
accomplish task to reduce the amount of
damage that can be done.
Google Chrome uses separate processes and
sandboxing along with various OS facilities.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
14
Security Architecture

Google Chrome consists of two types of
processes


Browser kernel: high-privilege process that
interfaces with user and runs under the user's
authority. Responsible for drawing the UI, store
cookies and history, network access.
Rendering engine: low-privilege processes that
acts on behalf of the Web content providers. They
are not trusted to interact with user file system.
Responsible for parsing HTML, executing
JavaScript, decode images to paint an off-screen
buffer, etc.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
15
Security Architecture
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
16
Security Architecture


Sandboxing is a generic term used to mean
that a process is run in an environment that
restricts its access to system resources.
Google Chrome uses two types of sandboxes
around the rendering engine


JavaScript sandbox that immediately surrounds the
process. This is a virtual machine that prevents
interaction between Web pages.
An OS sandbox that prevents any interaction with
other processes or the OS itself.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
17
Security Architecture


The only communication allowed by the
rendering engine is via an IPC channel to the
browser kernel with a restricted, simple
message interface. This includes HTTP
protocol traffic, rendered pages, and user input
events.
Implemented using OS facilities. In Windows,
uses a restricted security token. Mac OS X has
built-in sandbox facility. Linux has third-party
options.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
18
Exploitation Mitigation

Google Chrome uses various OS barriers to
make it more difficult for attackers to jump to
malicious code. From the Windows
implementation:


DEP (data execution prevention): mark memory
pages as non-executable, e.g., the stack
GS (stack overrun detection): places canary with
each stack call between current top of stack and
return address. Compiler inserts check for correct
canary value. Helps prevent stack overrun exploits.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
19
Exploitation Mitigation


ASLR (addres space layout randomization):
randomizes the location of common system
components.
These mitigations can be used by any program
and do not require major changes to program
structure.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
20
Compatibility Challenges


Browsers must maintain compatibility with
emerging Web content, but plug-ins are not
designed to run in a sandbox.
At the time of the article, Google Chrome ran
plug-ins outside of the sandbox relying on thirdparties to provide adequate security. Since
then, they have started integrating plug-ins like
a PDF reader that do run inside the sandbox.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
21
Window of Vulnerability


Any exploit can cause harm. Want to minimize
the length of time users run unpatched
versions.
Two areas of activity

Automated quality testing

Convenient auto-updating for users
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
22
Automated Testing

When a vulnerability is discovered, Google
applies a three-step process to produce a
security patch.



Triage the severity of the the vulnerability and
assign an engineer to resolve the issue
Diagnose root cause and write a patch. Could be
as simple as adding a bounds check, or as complex
as replacing a data structure.
Test patch to make sure is both fixes the problem
and does not break any functionality
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
23
Automated Testing

Third step takes the longest. Want to automate
it. Google Chrome testing consists of:


Thousands of regression tests run after every
change to browser source code.
Tests on one million Web sites in a VM farm that
monitors rendering for memory errors, crashes, and
hangs. Often exposes race conditions and other
low-probability events.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
24
Security Updates



Auto-updating should be convenient and nondisruptive to user. Google Chrome uses a
system called Omaha that checks every 5
hours for updates.
When an update occurs, the download happens
in a parallel directory, then when the browser is
launched again, the new version takes over.
Updates happen shortly after they are available
and the user never has to wait.
Also, have added Flash Player to distribution.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
25
Frequency of Exposure


Google Chrome warns users if they try to visit a
site that has been reported as malicious, e.g.,
distributing malware or is a phishing attempt.
Issues include


Privacy: do not want to have every URL visited
reported to a central service. Solution is for
browser to download URL hashes periodically.
Minimizing false positives: provide tools help
publishers remove their URLS from blacklist when
they have been cleaned up.
Wednesday, April 13
CS 470 Operating Systems - Lecture 37
26