CS 471 - Lecture 11 Protection and Security Ch. 14,15 George Mason University Fall 2009 Protection In a computer system, each object should be accessed through a well-defined set of operations. Protection problem - ensure that each object is accessed through the well-defined operations and only by those processes that are allowed to do so. Least privilege principle: Programs and users should be given just enough privileges to perform their tasks (Not easy to achieve!) GMU – CS 571 11.2 Domain Structure A process operates within a protection domain. • Each domain defines a set of objects and the types of operations that may be invoked on objects. • Static or dynamic association Access-right = <object-name, rights-set> where rights-set is a subset of all valid operations that can be performed on the object. GMU – CS 571 11.3 Access Matrix The model can be viewed as a matrix (access matrix) • Rows represent domains • Columns represent objects • Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj • Can be expanded to dynamic protection (operations to add, delete access rights and switch domains). GMU – CS 571 11.4 Implementing the Access Matrix The access matrix is usually large and sparse We can • store the matrix by columns or by rows • store only the non-empty elements Storing the matrix by columns corresponds to access control lists Storing the matrix by rows corresponds to capabilities GMU – CS 571 11.5 Access Control List (ACL) Associate with each object a list containing all the domains that may access the object, and how. Each column of the access matrix is captured in an access control list. GMU – CS 571 11.6 ACL (Cont.) To condense the length of the access control list, many systems recognize three classifications of users in connection with each file (e.g. Unix) • Owner • Group • Others Only three 3-bit fields are needed to define protection for each of these groups, for read access, write access and execution control More fine-grained access control lists can be specified for each file, if needed (e.g. Solaris 2.6 and beyond) How to revoke rights?? GMU – CS 571 11.7 A sample directory listing in Unix Above, “program” has the protection bits “r w x r - x r - x “ The owner (pbg) can read, modify and execute “program” The members of the group (staff) can read and execute “program” All “other users” can also read and execute “program” GMU – CS 571 11.8 Domains in Unix In Unix, each user-id defines a separate domain By default, each process is executed in the domain of the user who invokes it Assume Mike wants to change his password • He will need to invoke a program such as “passwd”, which needs to have R/W rights for the file /etc/passwd • Will the “passwd” program run in Mike’s domain?? GMU – CS 571 11.9 Domain Switching in Unix Domain switch (dynamic associateion) accomplished via file system • A domain bit (setuid bit) is associated with each file • When the file is executed and setuid = on, then user-id is set to the owner of the file being executed. When the execution completes, user-id is reset. • If setuid=off, then the file is executed in the domain of the user who invokes it GMU – CS 571 11.10 Capabilities Associate with each domain a list of objects that may be accessed, and permitted operations. Each row of the access matrix is captured in a capability list. In practice, each capability can be seen as a ticket for an operation. How to revoke rights?? GMU – CS 571 11.11 Security Security must consider also the external environment of the system, and protect it from: • unauthorized access • malicious modification or destruction Types of security threats to consider: • Interception – an unauthorized party gains access to data or service • Interruption – situation where data or service becomes unavailable • Modification – unauthorized changing of data or tampering with a service so that it no longer adheres to its spec. • Fabrication – situation where data or activity generated that normally would not exist. GMU – CS 571 11.12 User Authentication Correctly identifying the users is crucial for system security. Authentication can be done based on: Authentication using login name and password • User possession • User knowledge • User attribute • Each user supplies a (login name, password) • If the login name is among the authorized users and the password matches with system records, it is accepted. GMU – CS 571 11.13 User Authentication (Cont.) Attacker must correctly enter the login name and the password. • Login name can be easily guessed • Password must be selected very carefully! Several studies show that an unexpectedly large percentage of users (between 82% and 86%) use easily predictable passwords (Morris and Thompson, 1979; Klein, 1990; Kabay, 1997) • • • • • GMU – CS 571 First and last names Street/city names, vacation destinations Words from a moderate-sized dictionary SSN or license plate numbers Abusive expressions, etc. 11.14 Authentication Using Passwords How an attacker broke into LBL in 1989 • a U.S. Dept. of Energy research lab GMU – CS 571 11.15 Trivial Attack Scenario Attacker can connect to the target machine and try passwords from his/her dictionary. Many daemons break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down attackers. Attacker can simply start many threads in parallel. Attacker can easily automate this process and run continuously over a broadband internet connection. Even scripts are available for free on the Internet for this purpose. GMU – CS 571 11.16 One-Time Passwords The password is different in each instance Commercial implementations use hardware calculators (SecurID). • • • • • GMU – CS 571 Mostly in the shape of a credit card Have a display and keypad The user enters the shared secret (PIN) The display shows one-time password Example of two-factor authentication 11.17 Biometrics Use physical characteristics of the user that are hard to forge. • Palm or hand-readers can measure finger length, • • • • GMU – CS 571 finger width, and the line patterns. Finger print readers Retinal pattern analysis Signature Analysis Voice Biometrics 11.18 Program Threats Threats caused by programs written by other users • • • • GMU – CS 571 Trojan Horses Trap Doors Logic Bombs Stack and Buffer Overflow 11.19 Trojan Horses A seemingly innocent program containing code to perform an unexpected and undesirable function (modify, delete, copy files). The person installing it first has to get the Trojan Horse executed. • Place the program on the Internet as a “free” utility. • Place the program in one of the directories heavily used. GMU – CS 571 11.20 Trojan Horses (Cont.) Scenario In UNIX, the environment variable $PATH controls the directories that are searched for a command ECHO $PATH :/usr/local/bin:/usr/bin:/bin:/usr/ucb: /usr/java/bin:/usr/bin/X11: /opt/util Attacker prepares a Trojan Horse and installs it in /usr/bin/X11 under the name ‘la’ GMU – CS 571 11.21 Trojan Horses (Cont.) Login Spoofing: Attacker writes a program to “emulate” the login screen of the terminal. When a user comes and enters his/her username and password, the program sends this info to the Attacker, prints “Invalid password”, sends a signal to kill its shell. This logs out Attacker and triggers the real login program. One way to guard against this attack is to have the login sequence start with a key combination that users program cannot catch. GMU – CS 571 11.22 Spyware Programs as Trojan Horse Spyware is a software that comes along with program the user has chosen to install (freeware, shareware or commercial programs). Spyware may • Download ads to display on the user’s system • Create pop-up browser windows when certain sites are visited • Capture information from the user’s site and return it to a central site (for example, to receive instructions/addresses for distributing spam messages) GMU – CS 571 11.23 Logic Bombs A piece of code written by one of a company’s programmers and secretly inserted into the production operating system/application program. As long as the programmer “feeds” it its daily password, nothing happens. If the programmer is fired or physically removed from the premises without warning, the logic bomb goes off (deleting/encrypting files, making hard-to-detect changes). GMU – CS 571 11.24 Trap Doors Code inserted into the system by a system programmer to bypass some normal check (a) Normal code (b) Code with a trapdoor inserted While (TRUE) { printf(“login:”); get_string(name); disable_echoing(); printf(“password:”); get_string(password); enable_echoing(); v = check_validity(name, password); if (v) break; } execute_shell(name); (a) GMU – CS 571 While (TRUE) { printf(“login:”); get_string(name); disable_echoing(); printf(“password:”); get_string(password); enable_echoing(); v = check_validity(name, password); if (v || strcmp (name, “zzzzz”) == 0) break; } execute_shell(name); (b) 11.25 Stack and Buffer Overflow Most common way for an attacker to gain unauthorized access to the target system Consider the following code sequence in C: int i; char B[1024]; i = 12000; B[i] = 0; Suppose that the main program calls a procedure A that asks the user a file name and then reads it into a fixed-size buffer. GMU – CS 571 11.26 Buffer Overflow (Cont.) (a) Situation when main program is running (b) After the function A is called (c) Buffer overflow shown in gray GMU – CS 571 11.27 Buffer Overflow (Cont.) Attacker may provide a very long file name This will overwrite memory, and also possibly the return address. Or worse, the file name can be very carefully supplied so as to contain a valid binary program overlaying the return address as the address of B. Measures against buffer overflow attacks GMU – CS 571 11.28 Hypothetical Stack Frame After attack Before attack GMU – CS 571 11.29 System Threats Worms: Processes that uses the spawn mechanism to clobber system performance. • A worm spawn copies of itself, using up system resources and network channels (denial of service). Viruses: Fragments of code embedded in a legitimate program. • When executed, they may modify/destroy files or cause system crashes GMU – CS 571 11.30 The Morris Internet Worm • Launched by Robert Morris, a first-year graduate student at Cornell (1988) GMU – CS 571 11.31 Macro Viruses Macro viruses take advantage of a feature found in Microsoft Office applications such as Word or Excel. A macro is an executable program embedded in a word processing document or other type of file. • Users employ macros to automate repetitive tasks and thereby save keystrokes. • Macros are automatically executed on certain events (Opening/closing files, starting an application). • Macro viruses are easily spread through e-mail GMU – CS 571 11.32 Parasitic Viruses Parasitic virus attaches itself to executable files and replicates, when the infected program is executed -by finding other executable files to infect. GMU – CS 571 11.33 Some Other Types of Viruses Memory-resident virus lodges in main memory as part of the resident system program. It infects every program that executes. Boot sector virus infects a boot record and spreads when the system is booted from the disk containing the virus. Encrypted virus includes the decryption code, along with the virus. Stealth virus is designed to avoid detection by modifying parts of the system. Polymorphic virus mutates with every infection, making detection by the “signature” of the virus very difficult or impossible. Compression/decompression is a frequently used technique by virus writers to avoid detection/disinfection GMU – CS 571 11.34 Mutations of a Polymorphic Virus A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine. GMU – CS 571 11.35 Denial of Service attacks Bandwidth depletion • Typically accomplished by sending many message to a single machine, making it difficult for the normal messages to be processed. Resource depletion • Attempting to tie up resources that are needed by normal processes. One thing that makes the problem particularly difficult is that attackers use innocent users by secretly installing code on their machine (zombies). Detecting/stopping DoS attacks typically involves monitoring of message traffic. GMU – CS 571 11.36 Cryptography Purpose: take a message or file, called the plaintext (P) , and encrypt it into the ciphertext (C) in such a way that only authorized people know how to convert it back to the plaintext. • • • • Secrecy of the algorithms will depend on parameters called keys. To encrypt a plaintext, compute C = Ek (P) To decrypt a ciphertext, compute P = Dk (C) Given C, computing P must be computationally infeasible. GMU – CS 571 11.37 Symmetric Cryptosystems In symmetric cryptosystems, the same key is used to encrypt and decrypt a message: P = Dk (Ek (P)) • The sender and receiver are required to share the same key, which must be kept secret. • The key distribution problem • Setting up secure channels requires a protocol. GMU – CS 571 11.38 AES (Advanced Encryption Standard) Contest In 1997, NIST published a call for a new encryption system (AES). The algorithms had to be: • • • • Unclassified and publicly disclosed Available royalty-free for use worldwide Symmetric block cipher algorithms, for 128-bit blocks Usable with key sizes of 128, 192 and 256 The winner algorithm was Rijndael -- adopted for use by the US government in December 2001 GMU – CS 571 11.39 Some Common Symmetric Algorithms and Corresponding Key Lengths Blowfish (Schneier): up to 448 bits DES (IBM): 56 bits IDEA (Massey & Xuejia): 128 bits RC4 (Rivest): up to 2048 bits RC5 (Rivest): 128 – 256 bits Rijndael (Daemen and Rijmen): 128 – 256 bits Serpent (Anderson, Biham, Knudsen): 128 – 256 bits Triple DES (IBM): 168 bits Twofish (Schneier): 128 – 256 bits GMU – CS 571 11.40 Secure Channels - 1 Some communication relies on the idea of a secure channel between two entities: – – – – Authentication of communicating parties, message integrity, confidentiality Determining whether a client is authorized to perform the given request. Secure channels set up with authentication as part of the process. One option is for the client and server to share a secret key and use challenge-response protocols to authenticate. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Secure Channels - 2 Session keys – • • • • • Shared secret key that is used to encrypt message for integrity. Typically, only used as long as the channel exists – destroyed when channel is closed. One benefit is that if the secret key is compromised, the damage is limited to a single session. Also, the less time a key is in use, the less likely it will be revealed to the wrong party. The more messages that exist using a particular key, the more likely that it will be broken. Needs to be a secure way to generate this session key – Trusted third party can be used. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (1) A wants to set up a secure channel with B. Challenge-response protocol that assumes A and B already share a secret key KA,B. A sends a request to B Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (2) B verifies that it is talking to A if A can correctly encode the challenge number. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (3) Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (4) Authentication based on a shared secret key, but using three instead of five messages. This ‘optimization’ is open to a reflection attack. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (5) C does not know KA,B and cannot answer the challenge. The reflection attack where C (Chuck) tries to convince B (Bob) of identity A (Alice). Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (6) C starts a new session with B where it now uses B’s challenge number. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication Based on a Shared Secret Key (5) Now C knows the answer to B’s challenge and can complete the protocol. Note that this can’t happen with the original challengeresponse protocol. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Asymmetric Cryptosystems (Public-Key Encryption) In asymmetric cryptosystems, the keys for encryption and decryption are different: P = Dd (Ee (P)) First proposed by Diffie and Helman in 1976 • Overcomes the key distribution problem of symmetric algorithms Usually, one of the keys in an asymmetric cryptosystem is kept private, the other is made public, hence the framework is also known as public-key cryptosystems. It should be computationally infeasible to determine the decryption key given only the knowledge of the encryption key. Relies on several results from number theory that makes brute-force attacks computationally infeasible. GMU – CS 571 11.50 Public-Key Encryption Major steps • Each user generates a pair of keys to be used for encryption and decryption. • One of the keys is made public. The companion key is kept private. • If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice’s public key. • When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key. GMU – CS 571 11.51 Authentication using Public and Private Keys Suppose Bob wants to send a message to Alice, and although he is not interested in keeping the contents secret, he wants Alice to be certain that the message is indeed from him. • Bob uses his private key to encrypt the message • When Alice receives the ciphertext, she finds that she can indeed decrypt it with Bob’s public key : the authentication is complete Authentication and Secrecy can be combined • Bob will encrypt the message first by using his private key and then encrypt a second time using Alice’s public key. • Alice will apply decryption using first her private key and then Bob’s public key. GMU – CS 571 11.52 RSA Encryption - 1 RSA – named after inventers Rivest, Shamir and Adleman (1978) Relies on the fact that no methods are known to efficiently find the prime factors of large numbers. Asymmetric system: Public & private keys are constructed from very large prime numbers (hundreds of decimal digits). Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 RSA Encryption - 2 To find a key pair e, d: 1. Choose two large prime numbers, P and Q (each greater than 10100), and form: N=PxQ Z = (P–1) x (Q–1) 2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z). We illustrate the computations involved using small integer values for P and Q: P = 13, Q = 17 –> N = 221, Z = 192 d=5 3. To find e solve the equation: e x d = 1 mod Z That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... . e x d = 1 mod 192 = 1, 193, 385, ... 385 is divisible by d e = 385/5 = 77 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 RSA Encryption - 3 To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024). k = 7, since 27 = 128 (N = 221) The function for encrypting a single block of plaintext M is: E'(e,N,M) = Me mod N for a message M, the ciphertext is M77 mod 221 The function for decrypting a block of encrypted text c to produce the original plaintext block is: D'(d,N,c) = cd mod N Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Authentication in a PKI system Public key systems can also be used to generate session keys using mutual authentication. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Digital Signatures Message integrity – – If A sends a message to B over a secure channel, there is no assurance that B won’t modify the message later and make claims about A. B may need to be sure that A won’t later deny sending the message. Digital signatures provide assurances – – using PKI on entire message can sign a message digest (less expensive than encrypting a large message) Issues: – What happens when public/private keys are changed? Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Digital Signatures (1) Digital signing a message using public-key cryptography. B knows the message - a copy). A is came from A since it was encoded with KA (B can keep protected from tampering as well. Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Digital Signatures (2) Digitally signing a message using a message digest. The message m can be in plain-text accompanied by KA(H(m)) Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 Covert Channels (Cont.) Can secret information be passed even if the messages are subject to inspection? The picture on the left is the original one The picture on the right has the text of 5 Shakespeare plays embedded in it. GMU – CS 571 11.60 Mobile Code Securing mobile code involves protecting the local site from code created remotely. • ‘Sandboxes’ allow downloaded programs to be run in such a way that each executed instruction is carefully controlled either by static analysis before executing the code or by inserting dynamic checks (or both). • Java uses byte code verification, specialized loaders for remote classes, and a security manager byte code verifiers – check Java byte code for illegal instructions or for parts of the code that do not conform to some format standards. specialized loaders – prohibit certain types of instructions that may allow things like additional loading of (potentially unchecked) classes Security manager – runtime checks – acts as a reference manager. Various ways to implement security policy: capabilities, stack introspection, name space management. GMU – CS 571 11.61 Protecting the Target Java Sandbox GMU – CS 571 11.62 Protecting the Target A playground is a separate designated machine that can be used to run untrusted code. GMU – CS 571 11.63