Lecture 35

Reading for Wednesday: Reis, Barth, and Pizano, "Browser Security: Lessons from Google Chrome", Communications of the ACM, August 2009. Focus on how the OS is used to ensure security and on its limitations.

Questions?

Monday, April 9 CS 470 Operating Systems - Lecture 35 1

Outline
- Language-based protection
- Security
- User authorization
- Program threats
- System and network threats

Language-Based Protection
Efforts to gain more control over protection issues have led to integrating statements about resources into programming languages. This has several advantages:
- protection needs are declared rather than programmed as calls to the OS
- protection is described independently of the facilities provided by the OS
- enforcement is automatic and does not require a separate subsystem to be designed
- privileges are closely related to the concept of type

Language-Based Protection
Of course, we would want to map compiler-based protection checking onto the OS facilities provided, where possible, for efficiency, but we can always generate software checks.
Java 2 is an example. As a language it has strong type checking; in particular:
- an int cannot be converted into a pointer
- private class data cannot be accessed directly

Language-Based Protection
The JVM allows dynamic loading of classes in response to requests to create instances. Since these classes can come from different sources (including over the network), some are more trusted than others. Process-based protection is not enough, since the OS would also need to know what class is being requested. So protection domains (PDs) are associated with each class and depend on the class's URL and digital signature. The JVM handles the checking.

Security
Recall that OS security deals with the external environment.
- Making sure that only authorized users gain access; preventing malicious destruction or alteration of data; preventing denial of service.
- Assumes a protected system; that is, assumes that every authorized user abides by the protection policy. Protection prevents accidental misuse of resources.

Security
Security deals with intentional (i.e., malicious) misuse of resources:
- unauthorized reading: breach of confidentiality
- unauthorized modification: breach of integrity
- unauthorized destruction: breach of availability
- unauthorized use of resources: theft of service
- denial of service: prevention of legitimate use of a service

Security
A completely, totally secure system is not achievable when the system is not isolated. The goal is to make the cost to the perpetrator prohibitively high, so that the system becomes a less attractive target.
Four levels of security:
- Physical: perpetrators cannot get access to the physical machine.
- Human: administrators and users are screened to reduce the chance of an authorized user giving access to a perpetrator. No bribes, etc. Educate users.

Security
Must have physical and human security in order to provide OS security. The other two levels:
- Network: deals with interception of data and denial of service.
- OS: generally needs to be built in from the start. E.g., DOS and the original MacOS were very difficult to make secure. Today's lecture topic.

User Authorization
How is a user identified by the OS?

User Authorization
Login name and password is the most common mechanism, both for user to OS and for user to access objects.
What are some advantages of this scheme?
What are some disadvantages of this scheme?
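One disadvantage of a reusable password is that anyone who captures it (a login-screen emulator, a sniffer on the network) can replay it. The next slide's "one-time use passwords" address exactly that. As an added example, not code from the lecture, here is a hash-chain one-time password scheme (the Lamport/S/KEY idea): the client keeps a secret seed, the server stores only h^n(seed), and each login reveals the next value down the chain, which the server can check with one hash but cannot reuse. The hash used here is a 64-bit FNV-1a stand-in so the file is self-contained; a real deployment would use a cryptographic hash such as SHA-256, and the seed value is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in hash (64-bit FNV-1a). NOT cryptographic; used only so this
 * example runs with no libraries. A real system would use SHA-256. */
static uint64_t fnv1a64(uint64_t x) {
    uint64_t h = 0xcbf29ce484222325ULL;
    unsigned char b[8];
    memcpy(b, &x, sizeof b);
    for (size_t i = 0; i < sizeof b; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Apply the hash n times: h^n(seed). h^0(seed) is the seed itself. */
static uint64_t hash_chain(uint64_t seed, unsigned n) {
    uint64_t v = seed;
    for (unsigned i = 0; i < n; i++) v = fnv1a64(v);
    return v;
}

/* Everything the server stores. It never sees the seed. */
typedef struct {
    uint64_t last_accepted;  /* h^k(seed) for the most recently verified k */
    unsigned remaining;      /* passwords still usable on this chain */
} otp_server_t;

/* Enrolment: client picks a seed and chain length n, hands over h^n(seed). */
static otp_server_t otp_enroll(uint64_t seed, unsigned n) {
    otp_server_t s;
    s.last_accepted = hash_chain(seed, n);
    s.remaining = n;
    return s;
}

/* Client side: the password for login number `used` (0-based) is
 * h^(n-used-1)(seed). Returns 0 once the chain is exhausted. */
static uint64_t otp_client_next(uint64_t seed, unsigned n, unsigned used) {
    if (used >= n) return 0;
    return hash_chain(seed, n - used - 1);
}

/* Server side: accept p iff h(p) equals the stored value, then move the
 * stored value down the chain. A replayed p no longer satisfies
 * h(p) == last_accepted, so it is rejected. Returns 1 accept, 0 reject. */
static int otp_server_verify(otp_server_t *s, uint64_t p) {
    if (s->remaining == 0) return 0;
    if (fnv1a64(p) != s->last_accepted) return 0;
    s->last_accepted = p;
    s->remaining--;
    return 1;
}

/* Walk-through: two logins, then a replay and an out-of-order attempt. */
static int otp_demo(void) {
    const uint64_t seed = 0x1234abcd5678ef01ULL; /* constructed secret */
    const unsigned n = 5;
    otp_server_t srv = otp_enroll(seed, n);

    uint64_t p1 = otp_client_next(seed, n, 0);   /* h^4(seed) */
    uint64_t p2 = otp_client_next(seed, n, 1);   /* h^3(seed) */
    int ok1 = otp_server_verify(&srv, p1);       /* 1: fresh */
    int ok2 = otp_server_verify(&srv, p2);       /* 1: fresh */
    int replay = otp_server_verify(&srv, p1);    /* 0: already used */
    int skip = otp_server_verify(&srv, otp_client_next(seed, n, 3)); /* 0: out of order */
    return ok1 && ok2 && !replay && !skip;
}

int main(void) {
    printf("one-time password walk-through %s\n", otp_demo() ? "passed" : "failed");
    return 0;
}
```

The server-side state is the whole point: a captured password is worthless after it has been used once, and even the server's database only holds hash outputs, so a breach of the "password information" on the next slide does not reveal the seed.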
User Authorization
Efforts to make passwords more secure:
- Encrypt and restrict access to password information
- Prevent use of dictionary words
- Aging, password histories
- One-time-use passwords: change at the end of every session
  - Challenge-response pairs
  - Codebook sequence
  - Hardware dongles

Other Authorization Methods
- Biometrics
  - Fingerprint readers
  - Palm/hand readers
  - Iris readers
- Multi-factor: require 2 or more authentication methods
  - Palm reader and RFID card
  - Username/password and dongle password

Program Threats
- Trojan Horse: a program that misuses the environment it is in. Get an authorized user to run a program that does something other than what is expected.
  - A relative path is vulnerable, especially if '.' is in the search path. Could end up running a different program.
  - Login screen emulators sniff passwords.
  - Spyware uses covert channels to communicate surreptitiously, usually from the victim machine.

Program Threats
- Trapdoor: special input recognized by a program to circumvent security. Often used for debugging, but then left open. Can be added by a compiler, so not visible in the source code.
- Viruses: fragments of code embedded into programs by "infecting" them. Generally very malicious, e.g., deleting files, crashing systems, etc.

Program Threats
- Stack & buffer overflow: overwrite the return address to return to a rogue program. Many programs use fixed-size buffers on the stack to store user data without guarding against overflow.
- While setting up an overflow attack takes considerable knowledge, the exploit can be scripted so that just about anyone (a "script kiddie") can launch an attack.
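The Trojan Horse slide's warning about '.' in the search path has a defender's counterpart: audit PATH before trusting it. As an added example (not from the lecture), the function below counts entries that let a command resolve to a directory the user does not control. It treats three cases as unsafe: an explicit ".", an empty entry (a leading, trailing or doubled ':', which POSIX shells also treat as the current directory), and any other relative entry such as "bin".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count PATH entries that could make the shell run a program from the
 * current (or some other relative) directory: ".", an empty entry, or
 * anything not starting with '/'. Returns the number of unsafe entries
 * and, via first_bad (may be NULL), the 0-based index of the first one
 * or -1 if the path is clean. */
static int path_unsafe_entries(const char *path, int *first_bad) {
    int unsafe = 0, idx = 0;
    const char *p = path;
    if (first_bad) *first_bad = -1;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        int empty = (len == 0);                      /* "::" or leading/trailing ':' */
        int dot = (len == 1 && p[0] == '.');         /* explicit current directory */
        int relative = (!empty && p[0] != '/');      /* e.g. "bin" or "./bin" */
        if (empty || dot || relative) {
            unsafe++;
            if (first_bad && *first_bad < 0) *first_bad = idx;
        }
        if (!sep) break;
        p = sep + 1;
        idx++;
    }
    return unsafe;
}

int main(void) {
    const char *path = getenv("PATH");
    if (!path) path = "";
    int first;
    int n = path_unsafe_entries(path, &first);
    if (n == 0)
        printf("PATH has no relative entries\n");
    else
        printf("PATH has %d relative entr%s (first at index %d)\n",
               n, n == 1 ? "y" : "ies", first);
    return n == 0 ? 0 : 1;
}
```

The empty-entry case is the one people miss: a PATH like "/usr/bin:" looks harmless but ends with the current directory, exactly the situation the slide describes.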
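The stack and buffer overflow slide describes a fixed-size stack buffer filled from user data without a bound check. As an added example that is not from the lecture, the code below shows that pattern next to its hardened form: the safe copy takes the destination size, always terminates the string, and reports truncation rather than silently writing past the end. The 16-byte buffer size and the sample names are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* The pattern the slide warns about: a fixed-size buffer on the stack
 * filled by strcpy with no length check. Input of 16 bytes or more
 * writes past `name`, over whatever the compiler placed after it,
 * which typically includes the saved return address. Kept here only to
 * show the shape of the defect; it is never called with long input. */
static void greet_unsafe(const char *input) {
    char name[NAME_MAX];
    strcpy(name, input);          /* no bound: the overflow */
    printf("hello, %s\n", name);
}

/* Hardened copy: never writes more than dstsz bytes, always leaves a
 * NUL terminator, and tells the caller when input was cut short.
 * Returns 0 if the whole input fitted, 1 if it was truncated. */
static int copy_name_safe(char *dst, size_t dstsz, const char *input) {
    if (dstsz == 0) return 1;                 /* nowhere to write */
    size_t n = strlen(input);
    int truncated = n >= dstsz;               /* need room for the NUL */
    if (truncated) n = dstsz - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';
    return truncated;
}

/* Same behaviour as greet_unsafe for short names; for long ones it
 * truncates and says so instead of corrupting the stack. */
static int greet_safe(const char *input) {
    char name[NAME_MAX];
    int truncated = copy_name_safe(name, sizeof name, input);
    printf("hello, %s%s\n", name, truncated ? " (name truncated)" : "");
    return truncated;
}

int main(void) {
    greet_unsafe("ann");                                     /* fits: fine */
    greet_safe("a constructed name longer than sixteen bytes"); /* truncated, stack intact */
    return 0;
}
```

Compiler-level mitigations (stack canaries, non-executable stacks) turn the overflow into a crash rather than a hijacked return, but only the bounded copy removes the defect; the canary catches the unsafe version, the safe version has nothing to catch.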
System and Network Threats
- Worms: stand-alone programs that propagate through service vulnerabilities.
- Morris worm (1988): exploited rsh, finger, sendmail.
  - rsh uses the .rhosts file to allow remote login without a password.
  - finger had a buffer overflow on the username argument.
  - sendmail had a debug backdoor that executed provided code.
  - Took down much of the precursor to the Internet. Resulted in 3 years probation, 400 hours community service, $10K fine. Legal costs >$100K.

System and Network Threats
- W32.Sobig.F@mm (2003): the original worm was hidden in a photo uploaded to a porn newsgroup using a stolen credit card number. Used its own SMTP engine to email itself as an attachment to every address found on the infected system. Was the fastest-spreading worm at the time the text was written.
- Port scanning: not an attack in and of itself, but often used to test and detect system vulnerabilities in advance of an attack. Often done from infected machines.

System and Network Threats
- Denial of Service (DoS): often easier than trying to break in.
  - A Java applet that eats CPU time or infinitely pops up windows.
  - TCP/IP SYN attack. Needs to be stopped at the network level until the OS can catch up.
  - Accidental DoS, e.g., CS courses using fork( ) or new operators in loops.

System and Network Threats
Generally not possible to stop DoS, especially distributed attacks. Note that excessive network connections may be the normal consequence of something like a successful ad campaign.

What to do about security?
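The port scanning and SYN attack points above both describe traffic that is unusual only in aggregate: one SYN is normal, hundreds without a completing ACK are not, and one port is normal, dozens from the same source are not. As an added example, not from the lecture, the detector below keeps per-source counters over a small constructed connection log and flags the two patterns. The log format ("<source ip> <destination port> <S|A>", S for a bare SYN, A for the ACK completing the handshake) and the three sample sources are assumptions of this example, as are the thresholds.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC 32
#define MAX_PORTS 64

typedef struct {
    char ip[16];
    int syn_count;           /* bare SYNs seen from this source */
    int ack_count;           /* handshake completions seen */
    int ports[MAX_PORTS];    /* distinct destination ports touched */
    int nports;
} src_stats_t;

typedef struct {
    src_stats_t src[MAX_SRC];
    int nsrc;
} tracker_t;

static src_stats_t *find_or_add(tracker_t *t, const char *ip) {
    for (int i = 0; i < t->nsrc; i++)
        if (strcmp(t->src[i].ip, ip) == 0) return &t->src[i];
    if (t->nsrc == MAX_SRC) return NULL;
    src_stats_t *s = &t->src[t->nsrc++];
    memset(s, 0, sizeof *s);
    strncpy(s->ip, ip, sizeof s->ip - 1);
    return s;
}

/* Feed one line "<src-ip> <dst-port> <S|A>". Returns 0, or -1 on a
 * malformed line or when the source table is full. */
static int tracker_feed(tracker_t *t, const char *line) {
    char ip[16], flag[4];
    int port;
    if (sscanf(line, "%15s %d %3s", ip, &port, flag) != 3) return -1;
    src_stats_t *s = find_or_add(t, ip);
    if (!s) return -1;
    if (flag[0] == 'S') s->syn_count++;
    else if (flag[0] == 'A') s->ack_count++;
    int seen = 0;
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) { seen = 1; break; }
    if (!seen && s->nports < MAX_PORTS) s->ports[s->nports++] = port;
    return 0;
}

/* Bit 1: SYNs outnumber completed handshakes by more than syn_backlog
 * (SYN flood). Bit 2: more than scan_ports distinct ports (port scan).
 * A half-open scan leaves its SYNs unanswered too, so it trips both. */
static int classify(const src_stats_t *s, int syn_backlog, int scan_ports) {
    int r = 0;
    if (s->syn_count - s->ack_count > syn_backlog) r |= 1;
    if (s->nports > scan_ports) r |= 2;
    return r;
}

/* Look a source up by address; -1 if never seen. */
static int classify_ip(const tracker_t *t, const char *ip, int syn_backlog, int scan_ports) {
    for (int i = 0; i < t->nsrc; i++)
        if (strcmp(t->src[i].ip, ip) == 0)
            return classify(&t->src[i], syn_backlog, scan_ports);
    return -1;
}

/* Constructed sample: a normal client, a SYN flooder, and a port scanner. */
static const char *sample_log[] = {
    "192.0.2.10 80 S", "192.0.2.10 80 A", "192.0.2.10 443 S", "192.0.2.10 443 A",
    "198.51.100.7 80 S", "198.51.100.7 80 S", "198.51.100.7 80 S",
    "198.51.100.7 80 S", "198.51.100.7 80 S", "198.51.100.7 80 S",
    "203.0.113.9 21 S", "203.0.113.9 22 S", "203.0.113.9 23 S", "203.0.113.9 25 S",
    "203.0.113.9 80 S", "203.0.113.9 110 S", "203.0.113.9 143 S",
};

static int run_sample(tracker_t *t) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        if (tracker_feed(t, sample_log[i]) != 0) return -1;
    return 0;
}

int main(void) {
    tracker_t t;
    if (run_sample(&t) != 0) return 1;
    for (int i = 0; i < t.nsrc; i++) {
        int c = classify(&t.src[i], 3, 5);
        printf("%-14s syn=%d ack=%d ports=%d -> %s%s\n", t.src[i].ip,
               t.src[i].syn_count, t.src[i].ack_count, t.src[i].nports,
               (c & 1) ? "[syn-flood] " : "", (c & 2) ? "[port-scan]" : "");
    }
    return 0;
}
```

The thresholds are where the slide's caveat bites: a successful ad campaign also produces many SYNs, but they complete their handshakes, which is why the flood rule looks at the gap between SYNs and ACKs rather than at the SYN count alone.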
- Cryptography and encryption (CS 415)
- Frequent updates and anti-virus scans
- Firewalls
- Intrusion detection systems

The reading for Wednesday discusses, in part, how the OS is used to provide security in the Google Chrome web browser.