CMSC 414 Computer and Network Security
Lecture 13
Jonathan Katz

Exam stats
Median: 75
Letter grades
– 85-100: A
– 65-85: B
– 50-65: C
– < 50: D/F

Memory Protection

Memory protection
Usually think of multi-user security in terms of files, but memory protection must also be done
– Behind the scenes… handled by the OS automatically
Enforce logical separation
– Users operate under the illusion that no other user’s processes are running, and in fact are unable to access objects outside some permitted domain

Memory protection
“Fence”: restricts access to portions of memory
– Introduced in single-user systems to prevent (accidental) destruction of OS code
  E.g., predefined memory address where the OS resides; users disallowed from modifying it
– Can be enforced at the hardware level
Drawbacks
– Fixed space allocated for the OS
– What if the OS is supposed to be “modifiable”?
– May waste space

Continued…
Variation is to have a “fence register” which stores the address of the protected portion of memory
– Allows easy “relocation” by simple addition (in hardware)
– Protected portion can dynamically change
More opportunity for security breaches…

Base/bounds registers
Can have two registers: a base register and a bounds register
– Memory access restricted to lie between these two
Contents of these registers will be changed by the OS, per user, as part of context switching
Can also have an additional base/bounds register pair for each user, to logically separate instructions from data
– Prevents accidental overwriting of executable code

Tagged architecture
Base/bounds registers offer very coarse-grained protection
– Also have the restriction that different sections of memory space must be contiguous
Possible to improve this by tagging every, e.g., word of memory
– E.g., label each word read/write/execute
Can be wasteful of memory…
Requires changes at the hardware level

Segmentation
Program components divided into logical segments (e.g., code of a single procedure; local variables)
Each segment has a unique name; items in a segment are addressed by (name, offset)
Each segment may be stored anywhere in memory
– OS handles the mapping; transparent to the user
– Can implement different protection for each segment
– OS controls which programs have which entries in their segment address tables
– Multiple users can potentially be given access to the same segment
– Complete mediation

Drawbacks of segmentation?
Users can guess memory locations
Users can generate (name, offset) where the offset is larger than the segment size
– Can fix this by storing the current segment length in the segment address table, but this is inefficient
Memory fragmentation
Address table lookup can be slow

Paging
Similar to segmentation, but with fixed-size segments called pages
– Addressing via (page, offset)
Avoids the fragmentation problem… and the “large offset” issue
Programmer need not be aware of pages (in contrast to segments, which were logical units)
Drawbacks
– “Re-paging” causes potential security problems as data is shifted from one page to another
– Can be difficult to describe desired protection, since pages are no longer logical units

Combining the approaches
Segmentation better for security; paging better for efficiency
– Combine to get the best of both
Program divided into logical segments; each segment broken into fixed-size pages

Network Security
Authentication: an Overview

Authentication
Verifying the identity of another entity
– Computer authenticating to another computer
– Person authenticating to a local computer
– Person authenticating to a remote computer
Two issues:
– How authentication information is stored (at both ends)
– The authentication protocol itself

Authentication
Authentication may be based on
– What you know
– What you have
– What you are
– Examples?
Can also consider two-factor authentication
Mutual authentication vs. unidirectional authentication

Authentication
Important to be clear about what is being authenticated
– The user?
– The machine?
– The user’s role?
– The data?
What assumptions are being made?
– E.g., login on an untrusted terminal

Attack taxonomy
Passive attacks
Active attacks
– Impersonation
– Man-in-the-middle
Server compromise
Different attacks may be easier/more difficult in different settings

Address-based authentication
Is sometimes used (e.g., unix)
This is generally not very secure
– Relatively easy to forge source addresses of network packets

Password-based protocols
Password-based authentication
– Any system based on a low-entropy shared secret (note: different from book definitions!)
Distinguish on-line attacks vs. off-line attacks

Password selection
User selection of passwords is typically very weak
– Lower-entropy passwords make dictionary attacks easier
Typical passwords:
– Derived from account names or usernames
– Dictionary words, reversed dictionary words, or small modifications of dictionary words
– Etc.

Better password selection
Non-alphanumeric characters
Longer phrases
Can try to enforce good password selection…
…but these types of passwords are difficult for people to memorize and type!

From passwords to keys?
Can potentially use passwords to derive symmetric or public keys
What is the entropy of the resulting key?
Often allows off-line dictionary attacks on the password
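The memory-protection part of these slides (base/bounds registers, segment tables with a stored length, and fixed-size paging) describes three address checks the OS or hardware performs on every access. The following toy simulation is an added example written for this page, not code from the lecture or from any real OS; the page size, segment names, addresses and the `ProtectionFault` exception are constructed. It shows the base/bounds check, the segment-table lookup that fixes the “large offset” problem by checking the stored length and the per-segment permission, and the paging translation where the only offset check is against the fixed page size.

```python
"""Toy model of the memory-protection checks described in the lecture.

Added example, not the lecture's own code.  All addresses, sizes and
names below are constructed for illustration.
"""

PAGE_SIZE = 256  # constructed: bytes per page in the toy machine


class ProtectionFault(Exception):
    """Raised when an access falls outside what the active check permits."""


def check_base_bounds(addr: int, base: int, bounds: int) -> int:
    """Base/bounds registers: an access is allowed only if base <= addr < bounds.

    The OS loads base/bounds per user at context switch; the hardware applies
    this test to every access.  Returns addr unchanged when it is allowed.
    """
    if not (base <= addr < bounds):
        raise ProtectionFault(f"address {addr:#x} outside [{base:#x}, {bounds:#x})")
    return addr


class SegmentTable:
    """Per-process segment address table: name -> (physical base, length, perms).

    Storing the length is the fix the lecture mentions for offsets larger
    than the segment; perms gives the per-segment protection ('r', 'w', 'x').
    """

    def __init__(self) -> None:
        self.entries: dict[str, tuple[int, int, str]] = {}

    def add(self, name: str, base: int, length: int, perms: str) -> None:
        self.entries[name] = (base, length, perms)

    def translate(self, name: str, offset: int, access: str) -> int:
        """Map (name, offset) to a physical address, enforcing length and perms."""
        if name not in self.entries:  # complete mediation: unknown name -> no access
            raise ProtectionFault(f"no segment named {name!r} in this table")
        base, length, perms = self.entries[name]
        if not (0 <= offset < length):  # bounds check against the stored length
            raise ProtectionFault(f"offset {offset} exceeds segment {name!r} (len {length})")
        if access not in perms:  # per-segment protection
            raise ProtectionFault(f"{access!r} not permitted on {name!r} ({perms})")
        return base + offset


def translate_page(page_table: dict[int, tuple[int, str]], page: int,
                   offset: int, access: str) -> int:
    """Paging: map (page, offset) to a physical address.

    Every page has the same size, so no per-entry length is needed: the
    offset just has to be below PAGE_SIZE.  Protection is per page.
    """
    if not (0 <= offset < PAGE_SIZE):
        raise ProtectionFault(f"offset {offset} not below page size {PAGE_SIZE}")
    if page not in page_table:
        raise ProtectionFault(f"page {page} is not mapped")
    frame, perms = page_table[page]
    if access not in perms:
        raise ProtectionFault(f"{access!r} not permitted on page {page} ({perms})")
    return frame * PAGE_SIZE + offset


def demo() -> list[str]:
    """Run each check once with allowed and disallowed inputs; return a log."""
    log = []
    log.append(f"base/bounds ok: {check_base_bounds(0x1200, 0x1000, 0x2000):#x}")
    try:
        check_base_bounds(0x2000, 0x1000, 0x2000)
    except ProtectionFault as e:
        log.append(f"base/bounds fault: {e}")

    seg = SegmentTable()
    seg.add("code", 0x4000, 512, "rx")  # constructed: code segment is read/execute only
    seg.add("stack", 0x8000, 1024, "rw")
    log.append(f"segment ok: {seg.translate('code', 10, 'x'):#x}")
    for name, off, acc in [("code", 512, "r"), ("code", 5, "w"), ("heap", 0, "r")]:
        try:
            seg.translate(name, off, acc)
        except ProtectionFault as e:
            log.append(f"segment fault: {e}")

    page_table = {3: (7, "rw")}  # constructed: virtual page 3 -> frame 7, read/write
    log.append(f"page ok: {translate_page(page_table, 3, 0x10, 'r'):#x}")
    try:
        translate_page(page_table, 3, PAGE_SIZE, "r")
    except ProtectionFault as e:
        log.append(f"page fault: {e}")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints one “ok” and one “fault” line per mechanism. The segment table's `translate` illustrates why the lecture calls the length check inefficient: every access pays for a table lookup plus a comparison against a per-entry length, whereas `translate_page` compares against a constant.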
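The last two slides ask what entropy a key derived from a password has, and note that such a key often allows an off-line dictionary attack on the password. The example below is added for this page and is not from the lecture; the word list, the salt and the iteration counts are constructed. It computes the entropy bound for a password of a given shape, shows that the derived key is capped by that bound no matter how long the key is, and models the off-line attacker's work as the number of guesses times the per-guess cost, so a defender can see what a salted, iterated derivation (PBKDF2 here) buys and what it cannot.

```python
"""Entropy of password-derived keys and the cost of off-line guessing.

Added example, not the lecture's own code.  Word list, salt and
iteration counts are constructed for illustration.
"""

import hashlib
import hmac
import math
from typing import Optional

# Constructed list of the weak choices the slides describe: dictionary
# words, a reversed word, a word with a digit appended, a username.
WORDLIST = ["password", "drowssap", "password1", "katz", "letmein", "Tr0ub4dor"]


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a password of this shape, in bits.

    This assumes every character is chosen uniformly; real user-chosen
    passwords (dictionary words, names) carry far fewer bits than this.
    """
    return length * math.log2(alphabet_size)


def derived_key_entropy_bits(alphabet_size: int, length: int, key_bits: int) -> float:
    """Effective entropy of a key derived from such a password.

    The derivation is deterministic, so the key can have no more entropy
    than its input: the answer is min(password entropy, key length).
    """
    return min(password_entropy_bits(alphabet_size, length), key_bits)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte symmetric key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def offline_guess_count(target_key: bytes, salt: bytes, iterations: int,
                        wordlist: list[str] = WORDLIST) -> Optional[int]:
    """Model the off-line attack: someone holding the derived key and salt tries
    each candidate in turn.  Returns the number of derivations needed to hit the
    password, or None if it is not in the list.  Used here to measure exposure.
    """
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(derive_key(guess, salt, iterations), target_key):
            return n
    return None


def attack_cost_units(guesses: int, iterations: int) -> int:
    """Work an off-line attacker spends: one PBKDF2 iteration is the unit.

    Raising the iteration count multiplies the cost per guess but does not
    change how many guesses a weak password needs; that requires entropy.
    """
    return guesses * iterations


def demo() -> dict[str, object]:
    salt = b"constructed-salt"  # constructed; real salts are random per user
    results: dict[str, object] = {}
    results["entropy_8_lowercase"] = round(password_entropy_bits(26, 8), 1)
    results["key_entropy_8_lowercase_256bit"] = round(derived_key_entropy_bits(26, 8, 256), 1)
    results["entropy_4_words_of_8"] = round(password_entropy_bits(26, 32), 1)
    for iterations in (1, 100_000):
        key = derive_key("letmein", salt, iterations)  # "letmein" is in the list
        guesses = offline_guess_count(key, salt, iterations)
        results[f"guesses_iter_{iterations}"] = guesses
        results[f"cost_iter_{iterations}"] = attack_cost_units(guesses, iterations)
    strong = derive_key("correct-horse-battery-staple-2", salt, 1)
    results["guesses_not_in_list"] = offline_guess_count(strong, salt, 1)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to read off the output: a 256-bit key derived from an 8-character lowercase password has at most about 37.6 bits of entropy, and the iteration count changes only the cost per guess, so a password that is in the attacker's list is found after the same number of guesses either way. Salting stops one precomputed table from serving every user, and a slow derivation raises the price of each guess, but neither substitutes for the entropy the “Better password selection” slide asks for.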