Lecture 15: Multics for the Masses

There once was an artist named Titian
Who worked like a future Multician.
With models ramshackle,
He’d just change their ACL,
And give them all access permission.
Peter Neumann
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• Midterm Results
• Introduction to the Rest of the Course
• Saltzer & Schroeder – “The Protection
of Information in Computer Systems”
• Return Midterms
27 July 2016
University of Virginia CS 551
2
Midterm
• Most people did well
• I don’t grade on a curve (but the
histogram is provided to give you a
sense of how you did)
• Don’t misinterpret the , , or cross-country skier as an indication of your
likely final grade:
– Everyone can still get an A in the course
– Anyone can still fail the course
Problem 4 (2): Faculty Turnover
• Best solutions based on S-Key
• Card issuer generates random number
R for each door, calculates h(R), h(h(R)),
..., h^1001(R).
• Initializes door with h^1001(R).
• The first card gets h^1000(R). Next card
gets h^999(R), h^998(R), etc.
Card Reader (flowchart)
Memory: h^(n+1)(R)
Take value v from card and compute h(v).
If h(v) = memory: open door.
Otherwise compute h(h(v)).
If h(h(v)) = memory: open door and store h(v) in memory.
Otherwise: Alert Security!
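The issuer and reader above, written out as an added Python example (not from the lecture or the problem set's solutions). SHA-256 stands in for the abstract one-way function h, and the seed, class names and chain length of 1001 follow the slide rather than any real product.

```python
import hashlib
import os

CHAIN_LENGTH = 1001  # the door is initialised with h^1001(R), as in the lecture


def h(v: bytes) -> bytes:
    """One-way function; SHA-256 stands in for the lecture's abstract h."""
    return hashlib.sha256(v).digest()


def h_n(v: bytes, n: int) -> bytes:
    """Apply h n times: h_n(v, 3) == h(h(h(v)))."""
    for _ in range(n):
        v = h(v)
    return v


class CardIssuer:
    """Keeps the secret R; hands out h^1000(R), h^999(R), ... in turn."""

    def __init__(self, seed=None):
        self.R = seed if seed is not None else os.urandom(32)
        self.next_n = CHAIN_LENGTH - 1  # first card gets h^1000(R)

    def door_init_value(self) -> bytes:
        return h_n(self.R, CHAIN_LENGTH)

    def issue_card(self) -> bytes:
        if self.next_n < 0:
            raise RuntimeError("hash chain exhausted; pick a new R")
        card = h_n(self.R, self.next_n)
        self.next_n -= 1
        return card


class DoorReader:
    """Holds only h(current card), never R, exactly as in the flowchart."""

    def __init__(self, init_value: bytes):
        self.memory = init_value

    def present(self, v: bytes) -> str:
        hv = h(v)
        if hv == self.memory:        # current card holder: open, nothing stored
            return "open"
        if h(hv) == self.memory:     # next card in the chain: turnover
            self.memory = hv         # store h(v); the previous card now fails
            return "open"
        return "alert"               # unknown value, or more than one card skipped
```

The reader tolerates exactly one unused card at a time: if two successive cards are never presented, the third one is rejected until the chain catches up.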
System Security
Course Overview
• Part 1 (until now):
– Making/breaking the
numeric keypad
– Almost all math
• Part 2 (rest of course):
– Making/Kicking down the door
– Mostly engineering and people
(but math is still important)
Learning in CS551
              Part 1   Part 2
Problem Sets   60%      15%
Projects       20%      40%
Readings       15%      40%
Lectures        5%       5%
Anonymous Poll:
How many read S&S?
Rest of Course
• Saltzer/Schroeder paper describes the
state of the art in security in 1974
• Based on work on Multics (predecessor
to UNIX, but better)
• Are things better or worse today?
Laws of Inevitable Progress
• Moore’s Law:
– Processing power doubles every 18 months
• Gates’ Law
– Software grows to use all available memory
and processing power
– Ex:
• Multics 1969: 56,000 lines of code (PL/I)
• Windows 2000: ~55M lines of code (asm/C/C++)
• 1000x in 30 years (law predicts 1Mx, so uSoft has
work to do!)
Bugs and Vulnerabilities
• Neumann’s (?) Law:
– Number of bugs increases as square of code
size
• Security vulnerabilities are approximately
linear in the number of program bugs (lots
of other things cause vulnerabilities too)
– Windows 2000 has 965,000 times as many
bugs as Multics.
– Double because of C++ ~ 2M times as many
security vulnerabilities.
Motivation
• Metcalfe’s Law:
– Value of a network is square of number of
users
• Internet growth:
– 1974: ~1000 hosts (10000 users?)
– 2000: 200 M users
• Internet is 400M times more valuable
today than it was in 1974
The Bad News
• Unnamed Law:
– Security risk is the product of the number of
vulnerabilities (linear in the number of code
bugs) and the value (how many people will
be motivated how hard to attack you)
Multics in 1974: (56K)^2 * (10K)^2
Windows 2000: (55M * 2)^2 * (200M)^2
• Security problems are 1.54*10^15 times
(a quadrillion) worse today than in 1974!
The Good News
• Some small technical improvements
since 1974 – firewalls, intrusion
detection, virus scanners (no viruses in
1974)
(The Really Good News)
• This means security people are much in
demand and obscenely well paid.
Prehistory
• Security didn’t matter much when you had
batch processing and machine operators
• CTSS (1961, Fernando Corbató) –
Compatible Time-Sharing System
– First time-sharing operating system
– Each user’s job has access to full machine in
turn
– 1962 demo to ARPA led to $3M funding for
Project MAC
History
• Multics – “Multiplexed Information and
Computing Service” (1969, Corbató,
Saltzer)
• Design goals: http://www.multicians.org/managerial.html
1. Convenient remote terminal use.
2. Continuous operation (i.e., without shutdown)
analogous to power and telephone companies.
3. A wide range of configuration capacity which
could be dynamically varied without system or
user program reorganisation.
Multics Design Goals, Cont.
4. An internal file system with apparent reliability
high enough for users to entrust their only copies
of programs and data to it.
5. The ability of users to share selectively
information among themselves.
6. The ability to store and create hierarchical
structures of information for purposes of system
administration and decentralisation of user
activities.
First hierarchical file system!
Multics Design Goals, cont.
7. The ability to support a wide range of
applications ranging from heavy numerical
production calculations to interactive time-sharing users without inordinate inefficiency.
8. The ability to allow a multiplicity of programming
environments and human interfaces within the
same system.
9. The ability to evolve the system with changes in
technology and in user aspirations.
Multics more-or-less achieved all of these with
54.94M fewer lines of code than Windows 2000!
S & S Definitions
• Privacy – “The ability of an individual to
decide whether, when, and to whom
personal information is released.”
• Security – “Used to denote mechanisms
and techniques that control who may use
or modify the computer or the information
stored in it.”
– Reading (confidentiality)
– Writing (integrity)
– Availability
Multiple Use Systems
• Computer with more than one purpose
– 1975: mainframes, time-sharing
– 2000: networked PCs
• One machine is shared by people and
programs who don’t trust each other
completely.
Levels of Information
Protection
• All-or-Nothing Systems
– Complete isolation
– No sharing, like pulling out network cable
• Controlled (Static) Sharing
– Different people can access each item
– UNIX: user/group IDs, mode bits
– NFS: access control lists
Levels of Information
Protection 2
• Programmable Sharing Controls
– Two users must agree to modification
– Access only between 2am and 6am
– Implementation techniques:
• Reference monitors
• Capabilities
S&S Principles 1
1. Economy of Mechanism – keep it
(small and) simple stupid!
2. Fail-safe defaults – base access decisions
on permission rather than exclusion
3. Complete mediation – every access to
every object is checked
4. Open design – don’t rely on security
by obscurity.
S&S Principles 2
5. Separation of privilege – require two
separate checks/keys for permission
6. Least privilege – allow as little access
as possible for job
7. Least common mechanism – don’t
share mechanisms between users
8. Psychological acceptability – don’t
confuse users or drive them crazy
S&S Principles: Conflicts?
• Economy of Mechanism vs. Least
Common Mechanism
• Fail-safe defaults vs. Psychological
Acceptability
• Separation of Privilege vs. Economy,
Psychological Acceptability
• Least privilege vs. Psychological
Acceptability
• etc.
How well does this satisfy
S&S Principles?
Card Issuer: holds R and n; issues a key card carrying h^n(R).
Card Reader (flowchart)
Memory: h^(n+1)(R)
Take value v from card and compute h(v).
If h(v) = memory: open door.
Otherwise compute h(h(v)).
If h(h(v)) = memory: open door and store h(v) in memory.
Otherwise: Alert Security!
Virtual Memory Protection
(Diagram: memory holds Supervisor, Program 1 and Program 2; the processor holds a descriptor register with base and bound, and a privileged state bit: off.)
Processor checks all memory references according to base address and bound. Cannot change unless privileged state bit is on (only for Supervisor).
Limitations of Virtual Memory
• Cannot share memory between
programs
– Can add additional descriptors to set up
shared memory, add read/write bits, etc.
• Requires special hardware
– Software Fault Isolation [Wahbe96] can do
it in software only
• Performance cost for every memory
access
Capabilities
• User places protection descriptor values
(“capabilities”) on memory addresses
– Allows for arbitrary, controlled memory
sharing
– Capabilities can refer to hardware devices
also (they are just memory addresses)
• Need to make capabilities unforgeable
– Hardware-protected tags
– (~ Java – type-checking + bytecode
verification)
Capabilities Problems: Revocation
• Once someone has a capability, how can
you deny access?
• Must destroy original object
• Java: once someone has an open
FileOutputStream, can’t revoke it!
• No cheap solution:
– Store capabilities somewhere special and
disallow copying
– Require an indirection step through
something object owner controls
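The indirection approach from the last bullet, as an added Python example that is not from the lecture: the owner keeps a caretaker object in the path of every call, so a handle (and any copy of it) stops working once the owner flips the revoke flag. The class names and the use of a StringIO as the protected object are assumptions for illustration.

```python
import io


class RevokedError(PermissionError):
    """Raised when a holder uses a capability after the owner revoked it."""


class Caretaker:
    """Indirection the owner controls: every call on the target passes through here."""

    def __init__(self, target):
        self._target = target
        self._revoked = False

    def revoke(self):
        self._revoked = True

    def forward(self, name, *args, **kwargs):
        if self._revoked:
            raise RevokedError(f"capability for {name} has been revoked")
        return getattr(self._target, name)(*args, **kwargs)


class RevocableCapability:
    """What the holder gets: a handle with no direct reference to the target."""

    def __init__(self, caretaker, methods):
        self._ct = caretaker
        self._methods = frozenset(methods)

    def __getattr__(self, name):
        if name not in self._methods:       # only the granted methods exist at all
            raise AttributeError(name)
        return lambda *a, **kw: self._ct.forward(name, *a, **kw)


def grant_capability(target, methods=("write",)):
    """Owner side: returns (handle to give away, revoke callback to keep)."""
    ct = Caretaker(target)
    return RevocableCapability(ct, methods), ct.revoke


def demo():
    """Constructed scenario: hand out a write capability, then revoke it."""
    log = io.StringIO()
    cap, revoke = grant_capability(log)
    cap.write("first line\n")
    alias = cap                      # copying the handle copies the indirection too
    revoke()
    try:
        alias.write("after revoke\n")
        blocked = False
    except RevokedError:
        blocked = True
    return log.getvalue(), blocked
```

Contrast this with handing out the StringIO itself: once the holder has the object, nothing the owner does short of destroying it takes the access back.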
Capabilities Problems:
Propagation
• How can you control who a capability is
passed to? (You can’t.)
• Java: can’t control which applet that
FileOutputStream is passed to
• Possible solutions:
– Store somewhere special and disallow
copying (passing as parameters)
– Associate capability with principal (need to
check call stack)
Access Control Lists
• Maintain a list of principals and access
permissions
• Delay check until last possible moment
(can “revoke” until then)
• Access control list itself must be protected
• Combine with capabilities to avoid
having to check table for every memory
reference
Multics Rings
(Diagram: concentric rings from Ring 0: Kernel, out through Ring 1, Ring 2, ... to Ring 8: Untrusted User Programs.)
Lower rings have more privileges.
Memory segments have descriptors that indicate the highest ring number that may read/write the segment.
Special instructions for switching between rings (e.g., making a system call).
Summary
• Computers may be ~1M times faster than
1970, but they are >1 Quadrillion times less
secure!
• Multics was way better than Windows 2000
• Basic confidentiality and integrity
mechanisms from early 1970s still dominate
today, and more or less work. Hard part is:
– Designing and defining good policies
– Implementing software without bugs
Charge
• Now is the time to get cracking on your
projects. If you are unsure what to do,
meet with me.
• I brushed over all the details on
capabilities and ACLs: read S&S
• Do the readings!
• Next time: Viruses, Worms, Trojan
Horses, and all that good stuff!