Presentation is loading. Please wait.

Presentation is loading. Please wait.

ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Application Security.

Similar presentations


Presentation on theme: "ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Application Security."— Presentation transcript:

1 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Application Security corresponds with Chapter 3: program security; Chapter 4: OS security and Chapter 5, with additional notes from various sources. Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain By DilDog Ninja Strike Force (Cult of the Dead Cow) Sensei of the Undocumented Opcode. From the slides of Vitaly Shmatikov – Univ of Texas

2 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. So far We looked at: –Various vulnerabilities –Fundamentals of Cryptography Encryption/decryption Secure hash functions. Next: Software application security (roughly corresponds to chapter 3 – though I have added additional notes from sources other than the textbook)

3 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Applications Food for thought: –If a computer does not run any software, then it cannot be attacked. Hence, “host-based attacks” are all due to software applications. –Host-based is different from network-based attacks. –Host-based attacks focus on the information stored on a “host” computer, while network based attacks focus on information in transit across networks. Application security involves studying “host-based” security.

4 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. What does application security entail? There are several software applications varying in complexity: –E.g, Simple editors, Web Servers, Database Management Systems, Operating Systems. While they have some common vulnerabilities, each of them have unique/specific security vulnerabilities. Difficult/impossible(?) to study the security of every type of software application. Hence, in this part of the course we will limit our study to: –Secure Design principles that apply to any software application. –Application of secure design principles to Operating Systems (Windows and Linux) and Database Management Systems (Oracle) –Examples of secure programming principles for programming in Java.

5 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Secure Design principles Design principles are different from implementation principles. Design deals with what facilities etc., that you will offer. What principles do you think you will follow when designing a software application?

6 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Secure Design principles (2) Originally formulated in 1975 by Jerome Saltzer and Michael Shroeder. Other principles were added later. Complete list from website maintained by the Department of Homeland Security: https://buildsecurityin.us- cert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html

7 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. List of principles of software security. Least Privilege Economy of Mechanism Complete Mediation Separation of Privilege Least Common Mechanism Securing the weakest link. Defense in depth Failing Securely Reluctance to trust Never assuming that your secrets are safe Promoting Privacy. Psychological acceptability One more principle from the original authors: Open design.

8 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Principles of software security (2) Least Privilege Give the least privilege for the least time to get the job done. The time factor is important. When implementing code or any system – use features that will limit time. E.g., if someone logs in as an administrator and the account is idle, log the person out! Economy of Mechanism Based on the mantra “KISS”: Keep it simple, stupid! How does it translate to implementation/design of secure code? –Reuse components of any code (make code modular). –Do not re-implement security algorithms (e.g., DES cryptography) – use standard APIs. –Create a choke point when developing code – choke points are interfaces from which all the code must pass.

9 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Principles of software security (2) –Complete Mediation Security checks in applications cannot be bypassed/circumvented. E.g., the single user mode in Linux or the “safe mode” in Windows allow login without entering password: This is a violation of complete mediation. –Open Design No secrets. E.g., the security of encryption should not depend on keeping the encryption algorithm secret. –Separation of Privilege (or “separation of duty”) E.g., multiple authentication criteria. (we will see more of this when discussing OS security) –Least Common Mechanism E.g, do not share certain resources.

10 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Other principles Securing the weakest link. –E.g., if you haven’t fixed buffer overflow, don’t bother installing retina- scanning-based authentication Defense in depth –Have a layered approach if possible for software. –E.g., in the Java code you would want to run the code with certain protection. Failing Securely –Do not let your code or software simply crash! –Or if it crashes, do not let it expose any secrets – e.g., by passing too much information to the exception handling routines. Reluctance to trust –Never assume that the user will use the code the way you design. Never assuming that your secrets are safe –Don’t rely on an obscure implementation (similar to Open design) Promoting Privacy. –We will look at this when discussing database security.

11 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Next: Example 1: How principles of software security design apply to the design of general purpose OSes Corresponds to Chapter 4 w/ additional notes by Prem Uppuluri

12 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. General purpose OS. Examples: –Windows NT family 2000, XP, Vista, 7 –Linux (multi-user) –FreeBSD –Solaris Specifically, any OS that is designed to run multi- purpose software. Excluded from this list: Mobile OSes (iPhone, Android, Windows mobile etc.). Why? These use a subset of general purpose OS security mechanisms.

13 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. What is an Operating System? What is the function of an Operating System (OS)? It is software that: –mediates access to, and –enforces the sharing of system resources, by all other programs on the machine.

14 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Two key characteristics of a general purpose OS Most general purpose OSes these days: –Support multi processing (multiple processes can share the CPU). –Support multi users (multiple users can work at the same time).

15 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Functions of an OS Some functions of an OS –Creation/removal of processes: OSes allow users to start new processes and end them. –Memory management: Operating Systems allocate memory and manage the memory (e.g., free memory) etc., when processes are being executed. –Process scheduling: When multiple processes are competing with each other to run on ONE CPU, an OS is responsible for scheduling which process runs next? –Handling I/O and Interrupts

16 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. What needs to be protected in a general purpose OS? (1) So based on the functions of an OS, it is clear that –When multiprocessing (with multiple users) several hardware resources are shared and thus need protection: (Examples: Memory I/O systems Disks Networks Sharable data/programs ) So how do OSes protect these? And against whom?

17 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. What needs to be protected in a general purpose OS? (1) Examples of where security is needed: –User level processes should not interfere with each other. E.g., a Word process should not be able to access the memory of a Chrome process. –Permissions on user directories (folders) and files. –Sharing of I/O resources (e.g., multiple users on a computer should not be able to view each other's print jobs, or keystrokes).

18 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. OS security using separation. OSes achieve security using the concept of separation of access to resources. Some examples of separation include: –Access control (who can access the resources of a system?) –Identity and credential management (what is the identity of the current user? Can this identity be changed?) –Audit and Integrity checks. (Keeps track of who performed what actions at what time. Also, have any files been changed? Are different measures consistent?) –Information flow. E.g., What can be cut and pasted? What can be copied and pasted? What info can be sent out on the network?

19 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Next: How does an Operating System achieve separation? What are the key issues in doing so?

20 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Main challenge: Policing the Police… or protecting the Operating System itself! An OS is responsible for separation, however, there is a problem: –Given that an OS is a software program.  What prevents other software programs from circumventing the OS? i.e., why cannot the OS be bypassed?  Or, can an OS be bypassed?  Example: Is it possible for you to write a program that directly accesses the resources by circumventing the OS's memory management, process management and other mechanisms?

21 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Circumventing the OS An OS can be circumvented in certain cases: –E.g., when you boot an OS from a CD or a DVD – you are circumventing the OS on the disk. The OS installed on the disk will be unable to mediate any of your processes access to the CPU. However, once you “load” an operating system – it cannot be circumvented (or it should not be if implemented securely). Why cannot it be circumvented?

22 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. The Architecture-OS dance. Various architectures (Intel, AMD, SPARC etc.) provide some hardware security features (think of them as switches) such that: –The first software that gets loaded when you start a computer grabs the controls of these hardware features. –Without control of these hardware features, hardware resources cannot be accessed. (unless you use a physical attack, such as removing a hard disk from the computer). If the first software is the OS (as is usually the case), it controls these hardware features.

23 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. What is separation? What are these hardware features? –Two key ones: Interrupts (programmable interrupts) and Rings.

24 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Privilege rings in OS. Most CPUs come with multiple “rings”. When a software wants to access any hardware resource, it has to grab a certain ring number. Ring 0: allows access to all the hardware resources… Ring 3: doesn’t allow any access to hardware. Ring 1 will allow access to a few etc... Image source:l Wikipedia © LOTR

25 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Privilege rings in OS (2). So how does a software grab a ring? (A)Defeating Lord Sauron. (B)Using Orcs. (C)Capture Gollum. (D)Using interrupts. Answer: D Image source:l Wikipedia

26 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Privilege rings in OS (3). Interrupts Every architecture (intel x86, SPARC etc) provides certain hardware switches called interrupts. Interrupts can be “thrown” or triggered using machine language instructions that the architecture supports. –E.g., 0x80h is an assembly op code (in Intel x86 architecture) that allows a software to grab ring 0. Every interrupt is associated with a software method (program). ONLY that software program can be executed when the interrupt is thrown. Image source:l Wikipedia The first software that gets loaded on boot-up, will also install the software programs associated with each interrupt

27 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Privilege rings in OS (4). So an OS (as it is the first process that must be loaded into the memory): –Loads the software methods associated with each interrupt. –E.g., In Intel x86 architecture, interrupt 80 is associated with grabbing the ring 0. So with this interrupt, the OS associates software methods (or functions or sub routines) that allow access to hardware resources. These software methods are called “system calls”.

28 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. System calls in an OS Every OS provides a set of system calls –Think of these as an API to access and/or modify various resources –E.g., in Linux: – sys_open, allows a program to access files on a disk. (so access to the hardware: disk). –Sys_fork, allows the creation of a new process (thus accessing the resources of memore etc.). In Windows: –NtCreateProcess: creates a new process (similar to fork). Complete list of system calls in Linux: Look at the file: /usr/include/unistd.h on any Linux machine. Complete list of system calls in Windows: http://www.metasploit.com/users/opcode/syscalls.html

29 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. System calls in OS There are many system calls as you saw in the links on previous slides. System calls are organized into an “array”. Think of this as an array of methods. –System_call[] syscalls … –Each index associated with one system call. E.g., syscalls[3] may be the method “fork” system call.

30 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. System calls summary. When a software process calls a system call, let us say “Open”, then: –Interrupt 80 is thrown. (So the software program now has access to ring 0). –However remember when an interrupt is thrown: only the software associated with that interrupt can be executed. –This software (a whole bunch of system call implementations) is provided by the OS. –The appropriate system call method is searched (in this case “open”) and executed. Hence, OS can control complete access to hardware resources by other software process.

31 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Another way to look at how OS can prevent any process from directly accessing hardware.. if a software process wants to access the hard disk – it has to grab ring 0. However, it can only grab ring 0 by throwing the interrupt 0x80 (on Intel x86). However, if it throws interrupt 0x80, then only the code associated with that interrupt can get executed. The first process loaded when the system boots up gets the first shot at associating software with each interrupt. If the first process is the OS itself – then the OS can control the software associate with each interrupt. Hence, any other software program can only use the OS’s software to access hardware resources.

32 ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Next: Overview of security provided by the operating system in accessing: –Memory –Files –Etc..


Download ppt "ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources. Application Security."

Similar presentations


Ads by Google