
Post on 20-Dec-2015


1

Protection and Security

Protection = mechanisms used to control access to valued resources, e.g., programs & data stored on a computer system. Usually accompanied by detection and response mechanisms.

Security = protecting the confidentiality, integrity, and availability of a system according to the rules set out by a specific policy.

Policy = the set of allowable states of a system.

2

Goals of Protection

Let’s say we have a valuable resource like an O.S.: a collection of objects, hardware & software. Objects have unique names and are accessed through a well-defined set of operations.

Goals of protection: ensure each object is accessed correctly & only by authorized processes, according to some policy. A policy is a statement of what states (and operations) are allowed (i.e., secure/authorized), and what are not allowed (i.e., nonsecure/unauthorized) for a specific system.

3

Protection

Protection Domains
Access Matrix
Implementation
Language-Based Protection

4

Protection Domains

Access-right = <object-name, rights-set>

Rights-set = subset of all valid operations that can be performed on the object (i.e., the policy!)

Domain = set of access-rights

5

Domain Implementation Example-I: UNIX

Examples of objects: files, laser printers, and email servers…

Access control bits (UNIX): three categories of user (owner, group, world), three types of access privileges (read, write, execute), one bit per operation (111101000 = rwxr-x---).

Domain is implemented as the “user-id”. The OS can do domain switching to execute some task; this is accomplished via the file system: each file has an associated domain bit (setuid bit). When a file is executed and setuid is on, the user-id is set to the owner of the file being executed; when execution completes, the user-id is reset. “ps” is a setuid program, as is “lpr”.
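As an added example, not from the slides, the UNIX scheme above as a small C model: decoding the nine permission bits, the per-user-id access check, and the setuid domain switch. It deliberately ignores root's override and other real-kernel details; all uid/gid values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Nine permission bits in the slide's order: owner rwx, group rwx, world rwx.
 * 111101000 (binary) == 0750 (octal) == rwxr-x--- ; 04000 is the setuid bit. */
#define SETUID_BIT 04000
enum { OP_READ = 4, OP_WRITE = 2, OP_EXEC = 1 };

/* Render the nine rwx bits as the familiar ls-style string. */
void render_mode(unsigned mode, char out[10]) {
    const char *sym = "rwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (1u << (8 - i))) ? sym[i % 3] : '-';
    out[9] = '\0';
}

/* The domain is the user-id: choose the owner, group or world triplet that
 * applies to the calling process, then test the single bit for the operation.
 * Simplified model: no special case for uid 0, as a real kernel would have. */
int unix_allows(unsigned mode, unsigned file_uid, unsigned file_gid,
                unsigned proc_uid, unsigned proc_gid, int op) {
    unsigned triplet;
    if (proc_uid == file_uid)      triplet = (mode >> 6) & 7;  /* owner */
    else if (proc_gid == file_gid) triplet = (mode >> 3) & 7;  /* group */
    else                           triplet = mode & 7;         /* world */
    return (triplet & (unsigned)op) != 0;
}

/* Domain switching through the file system: executing a file with the setuid
 * bit on runs with the file owner's user-id; otherwise the caller's id stays. */
unsigned uid_after_exec(unsigned mode, unsigned file_uid, unsigned proc_uid) {
    return (mode & SETUID_BIT) ? file_uid : proc_uid;
}

int main(void) {
    char buf[10];
    render_mode(0750, buf);
    printf("0750 -> %s\n", buf);                        /* rwxr-x--- */
    /* constructed ids: file owned by uid 0 / gid 100, process uid 1000 in gid 100 */
    printf("group member may read: %d, write: %d\n",
           unix_allows(0750, 0, 100, 1000, 100, OP_READ),
           unix_allows(0750, 0, 100, 1000, 100, OP_WRITE));
    printf("uid after exec of setuid-root 04750: %u\n", uid_after_exec(04750, 0, 1000));
    return 0;
}
```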

6

Domain Implementation Example-II: Multics Rings

Nested domain structure (“rings”). Let Di and Dj be any two domain rings; if j < i, then Di ⊂ Dj (lower ring number = more privileges). Each process maintains its current ring number.

7

Access Matrix

Column: defines who can perform what operation on the object.

Row: operations allowed on what objects, per domain.

8

Dynamic Access Matrices

Extend for dynamic protection: operations to add and delete access rights.

transfer – switch from domain Di to Dj

owner of Oi

copy op from Oi to Oj

control – Di can modify Dj’s access rights

9

Switching Domains

Switching domains: add domains as objects!

10

Access Matrix with Copy Rights

Asterisk denotes that access right can be copied within column (for the object)

11

Access Matrix With Owner Rights

Ownership: can add new rights, remove some rights

12

Control: Modifying Access Matrix

• Control: process executing in one domain can modify another domain

• Example: D2 changes D4
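The dynamic access-matrix operations of slides 8 to 12 (switch between domains, copy with the asterisk, owner, control) as one added C model; this is an illustration written for this page, not code from the course. The three-domain, two-file matrix and its initial rights are constructed.

```c
/* Constructed toy matrix: 3 domains and 2 files. Domains are also objects
 * (columns 2..4) so that "switch" and "control" rights fit in the matrix. */
#define NDOM 3
#define NFILE 2
#define NCOL (NFILE + NDOM)
#define DOMCOL(d) (NFILE + (d))
enum { R = 1, W = 2, X = 4, OWNER = 8, SWITCH = 16, CONTROL = 32 };

typedef struct {
    unsigned rights[NDOM][NCOL];   /* rights held by domain (row) on object (column) */
    unsigned copyable[NDOM][NCOL]; /* the slide's asterisk: which rights may be copied */
} matrix_t;

int has(const matrix_t *m, int d, int obj, unsigned right) {
    return (m->rights[d][obj] & right) != 0;
}

/* transfer: a process in Di may switch to Dj only if Di holds "switch" on object Dj. */
int switch_domain(const matrix_t *m, int from, int to) {
    return has(m, from, DOMCOL(to), SWITCH) ? to : from;
}

/* copy: Di may give Dj a right it holds with an asterisk; same column (object) only. */
int copy_right(matrix_t *m, int from, int to, int obj, unsigned right) {
    if (!has(m, from, obj, right) || !(m->copyable[from][obj] & right)) return 0;
    m->rights[to][obj] |= right;   /* the copy carries no asterisk of its own */
    return 1;
}

/* owner: the owner of Oi may add or remove any right in Oi's column. */
int owner_set(matrix_t *m, int owner, int target, int obj, unsigned right, int add) {
    if (!has(m, owner, obj, OWNER)) return 0;
    if (add) m->rights[target][obj] |= right; else m->rights[target][obj] &= ~right;
    return 1;
}

/* control: Di holding "control" on Dj may strip rights from Dj's whole row. */
int control_remove(matrix_t *m, int ctl, int target, int obj, unsigned right) {
    if (!has(m, ctl, DOMCOL(target), CONTROL)) return 0;
    m->rights[target][obj] &= ~right;
    return 1;
}

/* Sample state: D0 owns F0 and may copy its read right; D1 can switch to D2; D2 controls D1. */
void setup(matrix_t *m) {
    for (int d = 0; d < NDOM; d++)
        for (int o = 0; o < NCOL; o++) m->rights[d][o] = m->copyable[d][o] = 0;
    m->rights[0][0] = R | W | OWNER;  m->copyable[0][0] = R;
    m->rights[1][0] = W;              m->rights[1][DOMCOL(2)] = SWITCH;
    m->rights[2][DOMCOL(1)] = CONTROL;
}
```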

13

Implementation of Access Matrix

Access list for objects: maintain a <domain, right-set> list per object.

Capability (object) list for domains: maintain a list of objects + operations per domain. Object name = capability; check in the capability list for access.

Pros and cons of access list & capability list? Determine the set of access rights for each domain? Revocation of capabilities?

14

Language-Based Protection

Specification of protection in a programming language: allows high-level description of policies for allocation and use of resources.

Protection in Java: dynamically loads untrusted classes over a network, so it is important to provide protection! Class loader: finds and loads the object; defines the namespace seen by different classes.

15

Security

The Security Problem
Program Threats
System & Network Threats
Counter-measures to Threats
Threat Monitoring
Cryptography

16

Security problem

Confidentiality: ensuring objects are available/understandable only to authorized peers, e.g., no unauthorized read access.

Integrity: ensuring objects have not been maliciously or accidentally modified; no introduction of inconsistency.

Availability: ensuring objects are available without delay and operate correctly (to authorized peers); no malicious destruction of resources (i.e., objects).

17

Threats

Program Threats: programs cause security breaches. Trojan Horse, Login Spoofing, Trap/Back Door, Stack/Buffer Overflow, Virus.

System & Network Threats: abuse services and network connections to cause security breaches. Worms, Port Scanning, (Distributed) Denial of Service.

18

Trojan Horse

Code (segment) that misuses its environment.

Objective of a Trojan: get executed by someone; once executed, copy/mail/modify some critical files.

Example: in /tmp put a program named ls. The administrator goes to /tmp, types ls... If the path “.” is in front of his search path... Bingo!

19

Login Spoofing

Write a fake login program. The fake program shows the usual login prompt.... An unsuspecting user comes in and tries to log in: types login ID, types password. The spoof login stores the pair away and terminates. The normal login comes back up; the user simply thinks he mistyped his password... In the meantime, the attacker has found a valid pair!

20

Trap Doors

Modification at the source level: the programmer introduces a loophole to bypass the login process. The loophole ignores the password for a specific login. Who can use it? (programmer, attacker). How to prevent it... code review. Sometimes it is in the compiler (very difficult).

21

Buffer Overflow

Bug in a program: the program oversteps some array bounds and overwrites the return address. When the subroutine returns, it effectively jumps someplace else....

[Stack diagram: Return Address, Main's Local Variables, Foo()'s local var, Fixed Sized-Array]

22

Buffer Overflow

[Stack diagram as on the previous slide] Long string that overflows... It wipes out the return address.

23

Buffer Overflow

[Stack diagram as on the previous slides] If the string is well aligned with the place of the return address, it can be a meaningful address.

24

Buffer Overflow

[Stack diagram as on the previous slides] If the string is well aligned with the place of the return address... it can be a meaningful address: Malicious Code!
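An added C example, not from the slides, showing the bug described on these slides beside its fix: an unbounded copy into a fixed-size array, and a bounded copy that rejects input that does not fit. NAME_LEN and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the slide's fixed-size array */

/* The bug the slides describe: strcpy has no idea how big name[] is, so any
 * input longer than NAME_LEN - 1 runs past the array into the rest of foo()'s
 * frame and on toward the saved return address. Kept only as the "before". */
void foo_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);
    printf("hello %s\n", name);
}

/* Hardened form: bound the scan by the array size, always NUL-terminate, and
 * reject input that does not fit instead of truncating it silently.
 * Returns 1 on success, 0 if input needs more than NAME_LEN - 1 characters. */
int foo_checked(const char *input, char out[NAME_LEN]) {
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0') n++;  /* never reads past NAME_LEN */
    if (n == NAME_LEN) {        /* no room left for the terminating NUL */
        out[0] = '\0';
        return 0;
    }
    memcpy(out, input, n + 1);  /* n + 1 copies the NUL as well */
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    /* constructed inputs: one that fits, one longer than the array */
    int ok = foo_checked("alice", name);
    printf("short -> %d (%s)\n", ok, name);
    printf("long  -> %d\n", foo_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", name));
    return 0;
}
```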

25

Virus

Self-reproducing; attaches to a host machine; dormant for a while; activates at some point and destroys or steals.

Spreading via program copying, email, web pages, …

26

Worms

Slightly different from a virus: self-reproduces and takes up resources; does not need a host program; uses vulnerabilities to spread across the net. Breaks systems through infestation; the worst outbreak can take worldwide networks down.

Worms propagate themselves; viruses require action by the user to perpetuate themselves.

Example: Morris worm, Code Red.

27

Other System & Network Threats

Port scanning: automated attempt to connect to a range of ports on one or a range of IP addresses.

Denial of Service: overload the targeted computer, preventing it from doing any useful work.

Distributed denial-of-service (DDoS): comes from multiple sites at once.