Lecture 35


Reading for Wednesday: Reis, Barth, and Pizano, "Browser Security: Lessons from Google Chrome", Communications of the ACM, August 2009. Focus on how the OS is used to ensure security and on its limitations.

Questions?
Monday, April 9
CS 470 Operating Systems - Lecture 35
Outline

- Language-based protection
- Security
- User authorization
- Program threats
- System and network threats
Language-Based Protection

Efforts to gain more control over protection issues have led to integrating statements about resources into programming languages. This has several advantages:

- protection needs are declared rather than programmed as calls to the OS
- protection is described independently of the facilities provided by the OS
- enforcement is automatic and does not require a separate subsystem to be designed
- privileges are closely related to the concept of a type
Language-Based Protection

Of course, one would want to map compiler-based protection checking onto the OS facilities provided, where possible, for efficiency, but software checks can always be generated.

Java 2 is an example. As a language it has:

- strong type checking; in particular, an int cannot be converted into a pointer
- private class data that cannot be accessed directly
Language-Based Protection

The JVM allows dynamic loading of classes in response to requests to create instances. Since these classes can come from different sources (including over the network), some are more trusted than others.

Process-based protection is not enough, since the OS would also need to know what class is being requested. So protection domains (PDs) are associated with each class and depend on the class's URL and digital signature. The JVM handles the checking.
Security

Recall that OS security deals with the external environment: making sure that only authorized users gain access, preventing malicious destruction or alteration of data, and preventing denial of service.

Security assumes a protected system, i.e., it assumes that every authorized user abides by the protection policy. Protection prevents accidental misuse of resources.
Security

Security deals with intentional (i.e., malicious) misuse of resources:

- unauthorized reading: breach of confidentiality
- unauthorized modification: breach of integrity
- unauthorized destruction: breach of availability
- unauthorized use of resources: theft of service
- denial of service: prevention of legitimate use of a service
Security

A completely, totally secure system is not achievable when the system is not isolated. The goal is to make the cost to the perpetrator prohibitively high, so that the system becomes a less attractive target.

Four levels of security:

- Physical: perpetrators cannot get access to the physical machine.
- Human: administrators and users are screened to reduce the chance of an authorized user giving access to a perpetrator. No bribes, etc. Educate users.
Security

Must have physical and human security in order to provide OS security. The other two levels:

- Network: deal with interception of data and denial of service.
- OS: generally needs to be built in from the start. E.g., DOS and the original MacOS were very difficult to make secure. Today's lecture topic.
User Authorization

How is a user identified by the OS?
User Authorization

Login name and password is the most common mechanism, used both for the user to authenticate to the OS and for the user to access objects.

What are some advantages of this scheme?

What are some disadvantages of this scheme?
User Authorization

- Efforts to make passwords more secure:
  - Encrypt and restrict access to password information
  - Prevent use of dictionary words
  - Aging, password histories
- One-time-use passwords: change at the end of every session
  - Challenge-response pairs
  - Codebook sequence
  - Hardware dongles
Other Authorization Methods

- Biometrics
  - Fingerprint readers
  - Palm/hand readers
  - Iris readers
- Multi-factor: require 2 or more authentication methods
  - Palm reader and RFID card
  - Username/password and dongle password
Program Threats

- Trojan Horse: a program that misuses the environment it runs in. Get an authorized user to run a program that does something other than what is expected.
  - Relative paths are vulnerable, especially if '.' is in the search path: the user could end up running a different program.
  - Login screen emulators sniff passwords.
  - Spyware uses covert channels to communicate surreptitiously, usually from the victim machine.
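The '.'-in-PATH problem above is easy to check for mechanically. As an added example (not from the lecture), this C program audits a colon-separated search path and flags the entries that would let a same-named program shadow the intended one; audit_path and risky_component are hypothetical helper names, and the sample path is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if one PATH component is risky: "" and "." both mean the
 * current directory, and any relative entry resolves differently in every
 * directory the user happens to be in when typing the command. */
static int risky_component(const char *comp, size_t len)
{
    if (len == 0 || (len == 1 && comp[0] == '.'))
        return 1;
    return comp[0] != '/';
}

/* Walks a colon-separated PATH string (hypothetical helper, not from the
 * lecture), reports each risky entry with its position (position matters:
 * an early "." shadows /usr/bin) and returns the number of risky entries so
 * a login-script check can fail on it. */
int audit_path(const char *path)
{
    int risky = 0, index = 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (risky_component(start, len)) {
            printf("entry %d \"%.*s\": a program of the same name placed "
                   "here would run instead of the intended one\n",
                   index, (int)len, start);
            risky++;
        }
        if (end == NULL)
            break;
        start = end + 1;
        index++;
    }
    return risky;
}

int main(void)
{
    /* Constructed sample search path; a real check would use getenv("PATH").
     * The entries ".", "" (between the two colons) and "bin" are risky. */
    const char *sample = ".:/usr/local/bin:/usr/bin::bin:/bin";
    printf("%d risky entries\n", audit_path(sample));
    return 0;
}
```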
Program Threats

- Trapdoor: special input recognized by a program to circumvent security. Often used for debugging, but then left open. Can be added by a compiler, so it is not visible in the source code.
- Viruses: fragments of code embedded into programs by "infecting" them. Generally very malicious, e.g., deleting files, crashing systems, etc.
Program Threats

- Stack and buffer overflow: overwrite the return address so that the function returns into a rogue program. Many programs use fixed-size buffers on the stack to store user data without guarding against overflow.
- While setting up an overflow attack takes considerable knowledge, the exploit can be scripted so that just about anyone (a "script kiddie") can launch an attack.
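As an added example (not from the lecture), here is the fixed-size stack buffer pattern the slide describes next to a bounds-checked replacement; unsafe_store, safe_store and store_name are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The pattern the slide warns about: strcpy() trusts the input length, so
 * anything longer than NAME_LEN overruns the stack buffer into whatever the
 * compiler placed after it, including the saved return address. */
void unsafe_store(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound check: undefined behaviour */
    printf("stored: %s\n", name);
}

/* Bounds-checked replacement (hypothetical name, not from the lecture):
 * never writes past out_len bytes, always NUL-terminates, and returns -1
 * instead of silently truncating so the caller can reject over-long input. */
int safe_store(const char *input, char *out, size_t out_len)
{
    size_t n = strlen(input);
    if (out_len == 0)
        return -1;
    if (n >= out_len) {             /* no room left for the terminator */
        memcpy(out, input, out_len - 1);
        out[out_len - 1] = '\0';
        return -1;
    }
    memcpy(out, input, n + 1);      /* n bytes plus the terminating NUL */
    return 0;
}

/* Same fixed-size stack buffer as unsafe_store, but guarded: returns 0 if
 * the input was accepted, -1 if it would have overflowed NAME_LEN. */
int store_name(const char *input)
{
    char name[NAME_LEN];
    return safe_store(input, name, sizeof name);
}

int main(void)
{
    /* Constructed inputs: 5 bytes fits; 40 bytes would overflow NAME_LEN. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("alice -> %d\n", store_name("alice"));
    printf("%zu bytes -> %d\n", strlen(too_long), store_name(too_long));
    unsafe_store("alice");          /* safe only because "alice" fits */
    return 0;
}
```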
System and Network Threats

- Worms: stand-alone programs that propagate through service vulnerabilities.
  - Morris worm (1988): exploited rsh, finger, and sendmail. rsh uses the .rhosts file to allow remote login without a password; finger had a buffer overflow on the username argument; sendmail had a debug backdoor that executed the provided code.
  - Took down much of the precursor to the Internet. Resulted in 3 years probation, 400 hours of community service, and a $10K fine. Legal costs >$100K.
System and Network Threats

- W32.Sobig.F@mm (2003): the original worm was hidden in a photo uploaded to a porn newsgroup using a stolen credit card number. It used its own SMTP engine to email itself as an attachment to every address found on the infected system. It was the fastest-spreading worm at the time the text was written.
- Port scanning: not an attack in and of itself, but often used to test for and detect system vulnerabilities in advance of an attack. Often done from infected machines.
System and Network Threats

- Denial of Service (DoS): often easier than trying to break in.
  - A Java applet that eats CPU time or infinitely pops up windows.
  - TCP/IP SYN attack: needs to be stopped at the network level until the OS can catch up.
  - Accidental DoS, e.g., CS courses using fork() or new operators in loops.
System and Network Threats

It is generally not possible to stop DoS, especially distributed attacks. Note that excessive network connections may be the normal consequence of something like a successful ad campaign.
What to do about security?

- Cryptography and encryption (CS 415)
- Frequent updates and anti-virus scans
- Firewalls
- Intrusion detection systems

The reading for Wednesday discusses, in part, how the OS is used to provide security in the Google Chrome web browser.