Politecnico di Milano © 2001 - William Fornaciari Operating Systems Security: pack 1 Lecturer: William Fornaciari Politecnico di Milano


Slide 1: Operating Systems Security: pack 1
Lecturer: William Fornaciari, Politecnico di Milano

Slide 2: Computer Security in the Real World (Security © William Fornaciari)

"What people want from computer security is to be as secure with computers as they are in the real world. Real-world security is about value, locks, and police. When it works, you get good enough locks (not too many break-ins), good enough police (so break-ins aren't a paying business), and minimum interference with daily life. Computer security is hard because people don't trust new things (especially when they don't understand them), and computers are fast and complicated. The kind of computer break-ins most people care about are vandalism or sabotage that damages information or disrupts service, theft of money or information, and loss of privacy. Some people think that because computers are precise, perfect computer security should be possible. I'll explain why this is wrong..."
Butler Lampson

Slide 3: Security
- Computer security deals with the prevention of, detection of, and reaction to unauthorised actions by users.
- The term "security" refers to the global problem, which involves technical, management, social and legal issues.
- There is no single definition of security.

Slide 4: Security vs Protection
- Protection can be seen as a subset of security: it refers only to the specific mechanisms used by the OS to safeguard computer information and to provide controlled access to the programs and data stored in the computer.
- Security requires not only a suitable protection system, but must also consider the external environment in which the system operates: malicious behaviour of entities external to the system, affecting computer assets:
  - hardware, including communication lines and networks
  - software
  - data

Slide 5: Security Context
(diagram: the security context, comprising network security, information system security, and the intruder)

Slide 6: Intruders
- Modern systems usually allow remote access: from terminals, from modems, from the network.
- Intruders can use any of these paths to break in.

Slide 7: Security Areas
- Apart from social and legislative controls, computer security can generally be partitioned into three areas: external security, interface security, internal security.

Slide 8: External Security
- Concerns physical access to the overall computer facilities, to prevent theft, destruction and tampering. This includes:
  - control of access to communication lines, removable storage media and terminals
  - safeguarding information from natural disasters such as fire, earthquakes, floods, short circuits, wars, ...
- External security consists of administrative and physical control measures to prevent undesired access to physical resources.
- Full protection cannot be assured, hence the target is to:
  - minimise possible violations
  - minimise the consequent damage
  - provide recovery procedures (typically a proper backup policy)

Slide 9: Interface Security
- Concerned with the authentication of a user once physical access to the computer system has become feasible (Authentication).

Slide 10: Internal Security
- Concerned with:
  - control of access within the computer system (Protection)
  - safeguarding information transmitted over communication lines between computer systems (communication/network security)
  - safeguarding stored information from inadvertent or malicious disclosure (file security)
  - monitoring the use of system resources by users (Auditing)

Slide 11: Security Levels
- The problem of security can be faced at three different levels: basic technologies, architectures and protocols, organization.
(diagram: the three levels shown as a layered stack: Basic Technologies, Architectures and Protocols, Organization)

Slide 12: Basic technologies
- This level basically focuses on cryptographic techniques, but electromagnetic shielding and the like also belong here.
- Technologies at this level are hard to defeat with a direct attack: brute-force attacks involve a huge cost.

Slide 13: Architectures and protocols
- The system may be secure, but we still do not know who our interlocutor is.
- We need special architectures and protocols for cryptographic key exchange and for certificates.

Slide 14: Organization
- Concerned not with technical problems but with the human level.
- Computer security is easily subverted by bad human practices, e.g. writing passwords on the computer monitor.
- Management has to instil secure behaviours in users and strongly discourage insecure behaviours.
- Insecure behaviours may compromise all the security measures we have laboriously put in place.
- In a nutshell, there is a need for management security consciousness.
- Social engineering attacks tend to be cheap, easy and effective.

Slide 15: Security Measures
- A rough classification:
  - Prevention: measures that prevent computer assets from being damaged.
  - Detection: measures that allow detecting that an asset has been damaged, how it was damaged, and who caused the damage.
  - Reaction: measures that allow recovering the computer assets, or recovering from the damage to them.

Slide 16: Security Problems (1)
- Security is an engineering problem: a trade-off between safety, cost, performance and inconvenience; risk analysis and security planning are required.
- Security is a global concept: we cannot protect one part of a system while leaving another part without any protection; those breaking security will attack the weakest point.

Slide 17: Security Problems (2)
- Total security is generally not achievable, because making mistakes is easy and the nature of the problem implies that mistakes are always exploited.
- The target to reach is making a security violation require a cost and an effort so great that it is not worthwhile.

Slide 18: Fundamental Constraints of Practical Computer Security
- Security costs: if security measures cost too much, they won't be adopted.
- Conflict between security and ease of use: users have specific security requirements but usually no security expertise; if security mechanisms are not easy to use, or interfere too much with the working patterns users are familiar with, they will not be used or will be misused; misuse often makes security measures useless.
- Impact on performance is manifold: security measures need additional computational resources; if the impact is too high, they will not be used.

Slide 19: Security Requirements
- There is a range of security requirements we have to guarantee for messages and data: confidentiality, integrity, availability, accountability, non-repudiation.

Slide 20: Confidentiality
- Concerned with the prevention of unauthorized disclosure of information.
- Captures the idea that computer security must not only stop unauthorized users from reading sensitive information, but must also prevent them from learning sensitive information.
- The terms privacy and secrecy are sometimes used to distinguish between protection of personal data (privacy) and protection of data belonging to an organization (secrecy).

Slide 21: Integrity
- Concerned with unauthorized modification of information.
- If we associate integrity with the prevention of all unauthorized actions, then confidentiality becomes a part of integrity.
- Data integrity is the state that exists when electronic data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction.
- It is impossible to guarantee this property only with mechanisms internal to the computer system; communications security must also be considered.

Slide 22: Availability
- Concerned with the prevention of unauthorized withholding of information or resources.
- It is the property of being accessible and usable upon demand by an authorized entity.
- The engineering techniques used to improve availability go far beyond the traditional boundaries of computer security and come from other areas, such as fault-tolerant computing.
- In the context of security it is linked with the prevention of denial of service.

Slide 23: Accountability (1)
- Confidentiality, integrity and availability deal with different aspects of access control and put their emphasis on the prevention of unwelcome events.
- Authorized actions can also lead to a security violation.
- A flaw in the security system may allow an intruder to find a way around the controls.
- For these reasons users should be held responsible for their actions, so a further security requirement was introduced: accountability.

Slide 24: Accountability (2)
- Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.
- To achieve this, the system has to identify and authenticate users, and it has to keep an audit trail of security-relevant events.
- If a security violation has occurred, information from the audit trail may help identify the intruder.

Slide 25: Reliability and Safety
- When considering computer security we also have to keep in mind other areas:
  - Reliability, relating to accidental failures (security can be seen as a part of reliability, or vice versa)
  - Safety, relating to the impact of system failures on their environment

Slide 26: Categories of Threats
- A normal information flow from a source to a destination may be subject to:
  - passive attacks: interception
  - active attacks: interruption, modification, fabrication

Slide 27: Normal Information Flow
(diagram: normal information flow from the information source to the information destination)

Slide 28: Interruption
- Prevents the source from sending information to the receiver, or the receiver from sending requests to the source.
- It is an attack on availability.
(diagram: intruder, information source, information destination)

Slide 29: How Interruption Occurs
- Interruption may be obtained by destroying a resource or making it unusable:
  - destroying hardware, e.g. a hard disk, cutting communication lines, ...
  - deleting or damaging software
  - deleting data
  - interfering with the communication channel
  - overloading a shared resource
- With this kind of attack the intruder wants to cause a denial of service.

Slide 30: Interception
- The information flow between source and destination is eavesdropped on by an unauthorized third party.
- It is an illicit data copy and a threat to confidentiality.
(diagram: intruder, information source, information destination)

Slide 31: Another Type of Interception
- It is an active attack.
(diagram: intruder, information source, information destination)

Slide 32: How Interception Occurs
- There are several ways to achieve this purpose: break-ins, illicit data copying, eavesdropping, masquerading, tampering.
- The aims of this attack may be: acquiring message content; traffic flow analysis, which permits deducing information.

Slide 33: Modification
- The information or data is modified; it is a threat to integrity.
(diagram: intruder, information source, information destination)

Slide 34: How Modification Occurs
- Ways to carry out modification-based attacks: interception of data requests, masquerading, illicit access to servers/services.
- Modification may concern: the message author; the message sending time (replay attacks); the message contents.

Slide 35: Fabrication
- An unauthorized party inserts counterfeit objects into the system.
- The counterfeit concerns both the author and the contents of the message.
- It is a threat to integrity.
(diagram: intruder, information source, information destination)

Slide 36: How Fabrication Occurs
- This attack can be carried out by: masquerading; bypassing protection measures; duplicating a legitimate request.

Slide 37: Passive vs Active Attacks
- Passive attacks are forms of eavesdropping: no modification or injection of requests occurs; they are difficult to detect; they require mechanisms that protect communication regardless of whether an attack is occurring.
- Active attacks are more aggressive: availability and integrity are compromised.

Slide 38: Information System Security Threats
- Computer security consists of formulating an access control policy that reflects the protection requirements of the application; the computer system then has to enforce the policy in the presence of active attempts to bypass or disable the controls.
- Implementing such a complex system is a challenging task, and there is a long history of security bugs in OSs, often caused by simple programming errors.
- Many attacks exploit well-known security weaknesses in an automated and efficient manner.

Slide 39: How Things Go Wrong
- The major sources of security problems fall into the following categories: change in environment; bound and syntax checking; convenient but dangerous design features; escapes from controlled invocation; bypass at a lower layer; flaws in protocol implementations.

Slide 40: Change in Environment
- Change is one of the biggest enemies of security.
- A system may offer perfectly adequate security; then a part of the system is changed.
- The security implications of the change were taken into account, but security is nevertheless compromised; or, even worse, the change was considered to have no influence on security, and an unpleasant surprise will occur.

Slide 41: Bound and Syntax Checking
- A frequent source of security problems is commands that do not check the size or the syntax of their arguments.
- By overrunning an input buffer, an attacker with detailed system knowledge can overwrite memory locations holding security-relevant data.

Slide 42: Convenient features
- Backward compatibility with legacy systems, ease of installation and ease of use are good reasons for including features.
- These features are however dangerous from a security viewpoint, leaving the system open for attackers to exploit what is an intended system feature.

Slide 43: Controlled Invocation
- An error in such a program can seriously undermine security.
- E.g., in Unix, when a user logs in:
  - the login program sets up an environment for that user, executing the commands contained in the user's .cshrc and .login files
  - the login program runs with root privilege
  - a user could use the .cshrc and .login files as Trojan horses, inserting commands that would be executed by root
- It is therefore crucial that the UID of the login process is set to the user's UID before executing any commands that could be defined by the user.

Slide 44: Bypass
- Logical access control validates access by users and processes to logical system objects.
- This control may be bypassed if an attacker can insert code below the logical access control layer, or gets direct access to memory.

Slide 45: Flawed Protocol Implementations
- Abstract descriptions of security protocols are full of innocuous statements like 'pick a random number'.
- Sometimes designers go for an easy option while being aware of its security shortcomings; sometimes they do not immediately spot the problem.

Slide 46: Malicious Programs (1)
- Dangers for a system are often represented by programs that take advantage of system weak points, e.g. an OS that does not protect against unauthorised modification.
- Clever programmers can get software to do their dirty work for them.
- Programs have several advantages for this purpose: speed, mutability, anonymity.

Slide 47: Malicious Programs (2)
- Malicious programs fall into two categories:
  - independent programs, which may execute autonomously from other programs: worms, bacteria
  - program fragments, which cannot work independently from the execution of another process: Trojan horses, trapdoors, logic bombs, viruses
- Trojan horses and logic bombs may, in some cases, be part of a virus.

Slide 48: Taxonomy
(diagram: malicious programs split into those that need a host program, i.e. trapdoors, logic bombs, Trojan horses and viruses, and independent ones, i.e. bacteria and worms; the diagram also marks which of them replicate)

Slide 49: Trapdoors
- A trapdoor is a secret entry point into an otherwise legitimate program: a portion of code that recognizes a special input sequence, or that is activated when the application is executed with a particular ID.
- A user who knows of its existence may gain access, bypassing the normal authentication procedures.
- Trapdoors are used by programmers to facilitate debugging and testing, avoiding tedious and long authentication procedures, and to have an activation method in case the program's authentication process has a bug.
- Controls against trapdoors are difficult to implement.

Slide 50: Logic Bombs
- A logic bomb is a piece of code belonging to a legitimate program that under certain conditions "explodes": modifying or deleting data and files, causing a system halt, ...
- Usually they are inserted by the program's authors.
- In practice it is hard or impossible to detect a logic bomb before it explodes.
- Typical activating conditions are: the presence or absence of certain files; a particular day; a particular user executing the application.

Slide 51: Trojan Horses
- A Trojan horse is a seemingly useful program that contains hidden code performing harmful actions: obtaining access to the user's files by changing file permissions; obtaining passwords; deleting data and files; adding backdoors to programs; ...
- We may find them in editors and fake login screens; they are particularly dangerous in compilers, inserting malicious code into a program during its compilation.

Slide 52: Bacteria
- Their only purpose is to replicate themselves.
- Bacteria reproduce exponentially, taking up all the processor capacity, memory and disk space, eventually denying users access to resources.

Slide 53: Worms
- Worms use network connections to spread from system to system. To replicate themselves they use:
  - the mail facility: a worm mails a copy of itself to other systems
  - remote execution capability: a worm executes a copy of itself on other systems
  - remote log-in capability: a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
- They can spread very rapidly.

Slide 54: Worms (2)
- When a worm is activated it may act as a virus, a bacterium or a Trojan horse, or carry out any other kind of malicious action.
- Four phases characterize a worm (as for a virus):
  - Sleeping: the worm is inactive, waiting for some event.
  - Propagation: the worm looks for other systems to infect by analysing the host table or remote system addresses, establishes a remote connection, and copies itself onto the remote system, ensuring the copy will be activated.

Slide 55: Worms (3)
  - Triggering: the worm is ready to do its work; this phase may be activated by various events.
  - Execution: the worm does its work.
- The Morris Internet worm of 1988 is the most famous example; more recently, "I love you".

Slide 56: Viruses
- Viruses are programs that can infect other programs by modifying them.
- Like worms, viruses are designed to spread, but they are pieces of code inserted into legitimate programs.
- Viruses occur anywhere imported code gets executed: imported programs; some inclusions in mail messages; boot sectors and other executable portions of media; macros attached to some data files.
- Along with mere infection, Trojan horses, trapdoors or logic bombs can be included.

Slide 57: Virus Life-Cycle
- The life-cycle of a virus has four phases, like a worm's; not all viruses have the sleeping one.
  - Propagation: the virus puts a copy of itself in some program or in some system disk area; the copy will itself enter the propagation phase.
  - Triggering: the virus is activated by some event to execute its task.
  - Execution: the virus executes its task, which may be innocuous or harmful.

Slide 58: Virus Spread
(diagram: virus code is copied from an infected program into an uninfected program, which then becomes infected; the step is repeated three times)

Slide 59: Typical Virus Actions
- Typical virus actions are: find uninfected writable programs; modify those programs; perform the normal actions of the infected program; do whatever other damage is desired by its author.

Slide 60: Virus Taxonomy (1)
- A non-exhaustive taxonomy:
  - Parasitic virus: the classic virus, attached to an executable file; when the infected program is executed, the virus looks for uninfected files to spread to.
  - Memory-resident virus: lodges in main memory as part of a resident system program; once in memory, it infects every program that is executed.
  - Boot sector virus: infects a boot sector; when the system is started, the virus starts its work.

Slide 61: Virus Taxonomy (2)
  - Stealth virus: designed with the precise intent of eluding anti-virus detection:
    - compression techniques may be used to leave the size of the infected program unchanged
    - the virus may modify the I/O routines so that, when those routines are used, they show the infected program as uninfected
    - hiding in a sector marked as bad in the FAT
  - Slow infection virus: controls the rate of infection to avoid immediate detection.

Slide 62: Virus Taxonomy (3)
  - Polymorphic virus: designed to make small changes to its code at every infection:
    - creates copies of itself that are functionally equivalent but have distinctly different bit patterns
    - encrypts itself and uses a new key on each new infection
    - it is a way to deceive anti-virus mechanisms, making detection by signature impossible
  - Macro virus: attached to a data file, and therefore bypasses integrity protection mechanisms targeting executables; written in a high-level language, and therefore much more platform independent.

Slide 63: Dealing with Viruses
- The solutions for countering viruses are: prevention of infection; detection and reaction; containment.

Slide 64: Preventing the Spread of Viruses
- To prevent a virus infection, the solution is not to install untrusted software. But who can you trust? Viruses have been found in commercial shrink-wrapped software.
- So we have to take other prevention measures:
  - scan incoming programs for viruses (some viruses are designed to hide; anti-virus software does not detect the newest viruses)
  - limit the targets viruses can reach
  - monitor updates to executable files

Slide 65: Virus Detection (1)
- Virus detection is needed if an infection has occurred.
- Both viruses and anti-virus software have become more complex.
- Four anti-virus generations can be identified:
  - Simple scanners (first generation): scanners use the virus signature to identify the infection (they do not identify polymorphic viruses); others maintain a record of program lengths, looking for variations in length (they do not identify stealth viruses).

Slide 66: Virus Detection (2)
  - Heuristic scanners (second generation): use heuristic rules to search for probable virus infection, looking for fragments of code that are often associated with viruses.
    - A checksum may be attached to the end of a program, so that if a virus infects the program without updating the checksum, the infection can be detected. Some viruses are able to regenerate the checksum themselves.
    - The checksum may be replaced with a keyed (encrypted) hash function that is harder for a virus to forge.
  - Activity traps (third generation): memory-resident programs that identify a virus by its actions rather than by its structure; they intervene when these actions take place.
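The checksum point on slide 66 is easy to see in code. The following is an added example (not from the slides): two simulated "executable images" are given a trailer, one a plain CRC32, the other a keyed hash (HMAC-SHA256) whose key the anti-virus keeps secret. A simulated infection appends code and then, as the slide says some viruses do, regenerates the trailer; it succeeds against the CRC and fails against the keyed hash. Byte strings, the key and the appended code are all constructed here.

```python
"""Program integrity: plain checksum versus keyed hash (added example)."""
import hashlib
import hmac
import os
import zlib

# Constructed stand-ins for an executable image and for appended virus code.
CLEAN_PROGRAM = b"\x7fELF-like header; legitimate code; return 0"
APPENDED_CODE = b"; jump to appended block; copy self to other files"

CRC_LEN = 4
MAC_LEN = 32


def append_crc(program: bytes) -> bytes:
    """Second-generation style trailer: CRC32 of the image appended at the end."""
    return program + zlib.crc32(program).to_bytes(CRC_LEN, "big")


def verify_crc(image: bytes) -> bool:
    body, trailer = image[:-CRC_LEN], image[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "big") == trailer


def append_keyed_hash(program: bytes, key: bytes) -> bytes:
    """Keyed trailer: HMAC-SHA256 under a key the scanner holds and the virus does not."""
    return program + hmac.new(key, program, hashlib.sha256).digest()


def verify_keyed_hash(image: bytes, key: bytes) -> bool:
    body, tag = image[:-MAC_LEN], image[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def simulate_infection_crc(image: bytes) -> bytes:
    """Simulated virus that knows the trailer format: strip it, append code, recompute CRC."""
    return append_crc(image[:-CRC_LEN] + APPENDED_CODE)


def simulate_infection_keyed(image: bytes) -> bytes:
    """Same simulated virus against the keyed trailer: without the key it can only guess one."""
    return append_keyed_hash(image[:-MAC_LEN] + APPENDED_CODE, key=b"guessed-key")


def demo() -> dict:
    """Run both schemes on the constructed image; returns which checks pass."""
    key = os.urandom(32)  # secret held by the anti-virus, never stored in the image
    crc_image = append_crc(CLEAN_PROGRAM)
    mac_image = append_keyed_hash(CLEAN_PROGRAM, key)
    return {
        "crc_clean_ok": verify_crc(crc_image),
        "crc_infected_ok": verify_crc(simulate_infection_crc(crc_image)),      # True: undetected
        "mac_clean_ok": verify_keyed_hash(mac_image, key),
        "mac_infected_ok": verify_keyed_hash(simulate_infection_keyed(mac_image), key),  # False: detected
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the scheme only works if the key lives outside the image and outside anything the infected program can read; if a virus running with the user's privileges can read the key, the keyed hash degrades to the plain checksum case.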

Slide 67: Virus Detection (3)
  - Full-featured protection (fourth generation): a variety of anti-virus techniques used in conjunction; besides scanning and activity traps, these packages include access control techniques that prevent a virus from entering the system.

Slide 68: Containment
- To avoid virus damage we may run suspect programs in an encapsulated environment, limiting their forms of access to prevent the virus from spreading.
- Containment requires a versatile security model and strong protection: running each executable in its own protection domain, relying on the underlying access control mechanisms.
- The standard access control mechanisms offered by the OS are often not enough: programs execute under the user's identity with the user's privileges, so the evil program has the full user privileges.

Slide 69: Standard Access Control Mechanisms
- Other problems with standard access mechanisms: what access is allowable? how does it get set? how fast can you create the domains?
- Most popular OSs do not offer simple ways to limit the security domain of programs.
- Access control mechanisms present several problems in managing untrusted code (as we have seen when talking about protection).
- Other possible solutions: improved OS access control for managing untrusted code; padded cells.

Slide 70: Padded Cell Approaches
- Improving OS access control means building systems able to manage domains that are not the same as process spaces.
- A padded cell essentially consists in executing programs in an encapsulated environment.
- Three ways to implement an encapsulated environment:
  - augmenting the OS: solves the general problem
  - virtual machine and language-based approaches: most suitable for downloaded small executables
  - software-enforced fault isolation: most suitable for composition of executables

Slide 71: Virtual Machine and Language Approaches
- Define a virtual machine that does not allow insecure operations, and run imported programs through an interpreter for that language.
- Java does precisely that: the Java virtual machine is meant to provide a secure execution environment allowing very limited file access, no process creation, very limited network communication, and very limited examination of details of the host computer.

Slide 72: Software-Enforced Fault Isolation
- The virtual machine approach is limiting: what happens if you need to write a file, create a process, ...? Usually only one language is supported.
- Software-enforced fault isolation consists of a software approach to memory protection: segment matching; address sandboxing.
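Slide 72 names the two software-enforced fault isolation techniques without showing them. The following is an added example (not from the slides) on a toy machine: a flat memory split into fixed-size segments whose high address bits are the segment id. Segment matching inserts a check before each store and traps on a mismatch; address sandboxing inserts no check and instead overwrites the high bits with the segment id, so a stray store can only land inside the untrusted module's own segment. The memory size, segment layout and addresses are all constructed for the example.

```python
"""Software-enforced fault isolation on a toy machine (added example)."""

MEM_SIZE = 256          # constructed: 256 bytes of flat memory
SEG_BITS = 6            # 64-byte segments, so the top two address bits are the segment id
SEG_MASK = (1 << SEG_BITS) - 1


class SegmentFault(Exception):
    """Raised by segment matching when a store leaves the allowed segment."""


class Machine:
    def __init__(self) -> None:
        self.mem = bytearray(MEM_SIZE)

    @staticmethod
    def segment_of(addr: int) -> int:
        return addr >> SEG_BITS

    def store_unchecked(self, addr: int, value: int) -> None:
        """No isolation: the store goes wherever the address points."""
        self.mem[addr] = value

    def store_with_segment_matching(self, seg_id: int, addr: int, value: int) -> None:
        """Segment matching: compare the high bits with the module's segment id, trap on mismatch."""
        if self.segment_of(addr) != seg_id:
            raise SegmentFault(f"store to {addr:#04x} outside segment {seg_id}")
        self.mem[addr] = value

    def store_with_sandboxing(self, seg_id: int, addr: int, value: int) -> int:
        """Address sandboxing: no check; the high bits are forced to the segment id.
        Returns the address actually written so the caller can see the redirection."""
        safe_addr = (addr & SEG_MASK) | (seg_id << SEG_BITS)
        self.mem[safe_addr] = value
        return safe_addr


def demo() -> dict:
    """An untrusted module confined to segment 1 tries to write host data at 0x05 (segment 0)."""
    HOST_ADDR = 0x05
    UNTRUSTED_SEG = 1
    out = {}

    m = Machine()
    m.mem[HOST_ADDR] = 0xAA
    m.store_unchecked(HOST_ADDR, 0x00)
    out["unchecked_clobbers_host"] = m.mem[HOST_ADDR] == 0x00

    m = Machine()
    m.mem[HOST_ADDR] = 0xAA
    try:
        m.store_with_segment_matching(UNTRUSTED_SEG, HOST_ADDR, 0x00)
        out["matching_trapped"] = False
    except SegmentFault:
        out["matching_trapped"] = True
    out["matching_host_intact"] = m.mem[HOST_ADDR] == 0xAA

    m = Machine()
    m.mem[HOST_ADDR] = 0xAA
    out["sandboxed_addr"] = m.store_with_sandboxing(UNTRUSTED_SEG, HOST_ADDR, 0x00)  # lands at 0x45
    out["sandboxing_host_intact"] = m.mem[HOST_ADDR] == 0xAA
    return out


if __name__ == "__main__":
    print(demo())
```

Segment matching can tell the module exactly which store was wrong, at the cost of a compare and branch on every store; sandboxing is cheaper (a mask and an or) but silently redirects the store, so a buggy module corrupts its own segment rather than trapping. Both assume the module cannot modify its own code after the checks or masks were inserted, which is why the slide pairs this approach with the composition of already-prepared executables.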

Slide 73: Authorization and Access Control
- Computer security deals with the prevention and detection of unauthorized actions by users of a computer system.
- The concepts of proper authorization and of access control are essential for this definition.
- We have seen access control mechanisms when talking about protection.

Slide 74: Identification and Authentication
- A secure system somehow has to track the identities of the users requesting its services.
- Identification consists of entering a user name and password: you announce who you are.
- Authentication is the process of verifying a user's identity: once the user name and password are entered, a process compares the input against the entries stored in a password file; login succeeds if a valid user name and the corresponding password are entered.

Slide 75: User Authentication
- There are two reasons for authenticating a user:
  - the user's identity is a parameter in access control decisions: processes are generally assigned to protection domains according to the identity of the user on whose behalf they are executed
  - the user's identity is recorded when logging security-relevant events in an audit trail
- Most computer systems use identification and authentication through username and password as their first line of defence.

Slide 76: Passwords
- Identification and authentication through a password has become a widely accepted mechanism and is not too difficult to implement.
- Obtaining a valid password is an extremely common way of gaining unauthorized access to a computer system: password guessing; password spoofing; compromise of the password file.

Slide 77: Choosing Passwords
- Password choice is a critical security issue.
- Completely preventing an attacker from accidentally guessing a valid password is impossible.
- The use of trivial words as passwords makes illegal disclosure a rather easy event.
- We can try to keep the probability of such an event as low as possible by adopting some common sense:
  - changing default system passwords like 'manager'
  - prescribing a minimal password length
  - mixing upper and lower case symbols
  - including numerical and other non-alphabetical symbols
  - avoiding obvious passwords
  - changing the password frequently
  - always choosing easy-to-remember passwords

Slide 78: Password Guessing
- Attackers essentially follow two guessing strategies:
  - exhaustive search (brute force): try all possible combinations of valid symbols, up to a certain length
  - intelligent search: search through a restricted name space; try passwords that are somehow associated with the user, like their name, names of friends and relatives, car brand, car registration number, phone number, ...; try passwords that are generally popular (dictionary attack)
- Successful attacks are more often based on social engineering than on technical ingenuity.
- Actions should be taken to focus the user's attention on the importance of a careful choice of password, and of its correct use.

Slide 79: Dictionary attacks
- In a dictionary attack, an on-line dictionary contains a set of popular passwords, and a program tries all the passwords from the dictionary until it finds the correct one.

Slide 80: Password disclosure
- Studies have shown that the illegal disclosure of passwords through repeated attempts is still feasible today with acceptable computation time, due to the use of massive parallelism.
- Parallel technologies, combined with negligence in the selection and management of passwords, increase the exposure to intrusions.

Slide 81: Improving Password Security (1)
- The system may help to improve password security.
- Password checkers: tools that check passwords against some dictionary of 'weak' passwords.
- Password generation: some OSs include a password generator producing random but pronounceable passwords, and users are only allowed to adopt passwords proposed by the system; users are unlikely to memorise long and complicated passwords, so they write them down on a piece of paper kept close to the computer.
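A password checker of the kind slide 81 describes, enforcing the rules from slide 77, as an added example (not code from the slides). The weak-password dictionary is a constructed sample; a real checker would load a large word list. It goes a little beyond the slide by also catching the "dictionary word with digits or symbols tacked on" pattern that slide 78's intelligent search covers.

```python
"""Proactive password checker (added example)."""
import re

# Constructed sample dictionary of weak passwords; 'manager' is the default named on slide 77.
WEAK_DICTIONARY = {"manager", "password", "123456", "qwerty", "letmein", "welcome"}


def check_password(password: str, username: str = "", min_length: int = 8,
                   dictionary: set = WEAK_DICTIONARY) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < min_length:
        problems.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digit or non-alphabetic symbol")
    if lowered in dictionary:
        problems.append("in weak-password dictionary")
    if username and username.lower() in lowered:
        problems.append("contains the user name")

    # A dictionary word decorated with digits or symbols ('Manager1!') is still obvious.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only != lowered and letters_only in dictionary:
        problems.append("dictionary word with digits or symbols added")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["manager", "Manager1!", "bob2024Secure!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, username="bob") or "ok")
```

Run at password-change time, a checker like this rejects the choices slide 78's intelligent search would try first; it does nothing against a password that is strong but reused elsewhere, which is one reason the following slides add ageing and attempt limits.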

Slide 82: Improving Password Security (2)
- Password ageing: an expiry date for passwords can be set, forcing users to change passwords at regular intervals; a list of old passwords may be kept to prevent re-use; changing passwords too often causes the problem of users writing them down to remember them.
- Limit login attempts: the system can monitor unsuccessful attempts and react by locking the user account, completely or at least for a certain period of time; useful against dictionary attacks.

Slide 83: Improving Password Security (3)
- Inform the user: after a successful login, the system can display the time of the last login and the number of failed login attempts; the user may discover recently attempted attacks.
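The audit trail of slide 24, the attempt limit of slide 82 and the last-login notice of slide 83 all come from the same record of login events. The following added example (not code from the slides) keeps that trail in memory, locks an account for a period after a configurable number of consecutive failures, and builds the post-login banner from the trail. Timestamps, user names and sources are constructed.

```python
"""Login audit trail, temporary lockout and last-login notice (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    when: datetime
    user: str
    success: bool
    source: str      # terminal, modem or network address the attempt came from
    note: str


class LoginMonitor:
    def __init__(self, max_failures: int = 3, lockout_period: timedelta = timedelta(minutes=15)):
        self.trail: list = []                 # protected audit trail (slide 24)
        self.max_failures = max_failures
        self.lockout_period = lockout_period

    def _events_for(self, user: str) -> list:
        return [e for e in self.trail if e.user == user]

    def failures_since_last_success(self, user: str) -> list:
        fails = []
        for e in reversed(self._events_for(user)):
            if e.success:
                break
            fails.append(e)
        return list(reversed(fails))

    def is_locked(self, user: str, now: datetime) -> bool:
        """Locked once max_failures consecutive failures occurred within the lockout period."""
        fails = self.failures_since_last_success(user)
        return len(fails) >= self.max_failures and now - fails[-1].when < self.lockout_period

    def attempt(self, user: str, password_ok: bool, source: str, now: datetime) -> str:
        """Record one attempt; returns 'locked', 'ok' or 'failed'. Attempts during the lockout
        are rejected without checking the password and extend the lockout."""
        if self.is_locked(user, now):
            self.trail.append(AuditEvent(now, user, False, source, "rejected: account locked"))
            return "locked"
        self.trail.append(AuditEvent(now, user, password_ok, source, "login"))
        return "ok" if password_ok else "failed"

    def banner(self, user: str) -> dict:
        """Data for the notice after a successful login (slide 83): previous login and the
        number of failed attempts between that login and the current one."""
        events = self._events_for(user)
        successes = [i for i, e in enumerate(events) if e.success]
        if len(successes) < 2:
            return {"last_login": None, "last_login_source": None, "failed_attempts_since": 0}
        prev_i, cur_i = successes[-2], successes[-1]
        failed = [e for e in events[prev_i + 1:cur_i] if not e.success]
        return {"last_login": events[prev_i].when, "last_login_source": events[prev_i].source,
                "failed_attempts_since": len(failed)}


def demo() -> dict:
    """Constructed scenario: one good login, three bad guesses from a modem, a rejected
    attempt during the lockout, then a good login after the lockout expires."""
    t0 = datetime(2001, 1, 1, 9, 0)
    mon = LoginMonitor()
    outcomes = [
        mon.attempt("alice", True, "tty1", t0),
        mon.attempt("alice", False, "modem-3", t0 + timedelta(hours=1)),
        mon.attempt("alice", False, "modem-3", t0 + timedelta(hours=1, minutes=1)),
        mon.attempt("alice", False, "modem-3", t0 + timedelta(hours=1, minutes=2)),
        mon.attempt("alice", True, "tty1", t0 + timedelta(hours=1, minutes=3)),   # right password, but locked
        mon.attempt("alice", True, "tty1", t0 + timedelta(hours=1, minutes=20)),  # lockout expired
    ]
    return {"outcomes": outcomes, "banner": mon.banner("alice"), "t0": t0}


if __name__ == "__main__":
    print(demo())
```

Note that the rejected attempt during the lockout is itself recorded and counted in the banner: the user sees four failed attempts from a source they do not recognise, which is exactly the signal slide 83 wants them to have.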

Slide 84: Spoofing Attacks (1)
- Identification and authentication through username and password provide unilateral authentication: the user has no guarantee about the identity of the party to whom he is giving his password.
- In a spoofing attack:
  - the attacker runs a program that presents a fake login screen on some terminal/workstation
  - the user tries to log on
  - the user name and password are stored by the attacker
  - execution may be handed over to the user, or the login is aborted with an error message
  - the spoofing program terminates, giving control back to the OS

Slide 85: Against Spoofing Attacks
- Solutions against spoofing attacks may be:
  - displaying the number of failed logins
  - guaranteeing that the user communicates with the OS and not with a spoofing program: Windows NT has a secure attention sequence, CTRL+ALT+DEL, which invokes the Windows NT OS login screen
  - double authentication (handshaking): mutual authentication, where the system introduces itself to the user through information known only to the user, and the user authenticates back to the system; e.g. in a distributed system, the system could be required to authenticate itself to the user

Slide 86: Beyond Spoofing Attacks
- Other ways through which an intruder may 'find' a password are due to the fact that passwords do not travel directly from the user to the checking routine.
- Passwords are temporarily held in intermediate storage locations like buffers, caches, web pages.
- The management of these storage locations is beyond the control of the user, and a password may be kept longer than the user might think.

Slide 87: Compromise of the Password File
- User passwords are stored in the password files managed by the OS.
- Password files are a desirable target for an intruder: disclosure or modification of their content allows the intruder to gain system access.
- The password file must be protected by: cryptographic protection; access control enforced by the OS; a combination of cryptographic protection and access control, plus mechanisms to slow down dictionary attacks.

Slide 88: Cryptographic Protection (1)
- Instead of the password x, the value f(x) is stored in the password file, where f is a one-way function: easy to compute but hard to reverse.
- When a user logs in and enters a password x1, the system applies the one-way function f and compares f(x1) with the expected value f(x); if the values match, the user has been successfully authenticated.
- The password file can be left readable if dictionary attacks are not a concern.

Slide 89: Cryptographic Protection (2)
- In a dictionary attack the attacker knows the encryption function (e.g. Unix uses the one-way function crypt(3)), encrypts all the words in a dictionary and compares, off-line, all these words against the encrypted entries in the password file; if a match is found, the attacker knows that user's password.
- We may use a one-way function that is harder to compute: dictionary attacks become harder (require more time), but the login mechanism also slows down.
- It is better to also hide the encrypted password file.
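The scheme of slides 88 and 89 in code, as an added example (not from the slides): f is PBKDF2-HMAC-SHA256 with a per-user random salt and an iteration count that is the tunable work factor the slide talks about. The salt is not on the slides; it is the standard addition (crypt(3) also uses one) that forces the off-line attacker to run the dictionary once per user rather than once per file. The user names and passwords are constructed.

```python
"""One-way password storage with salt and a work factor (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000      # work factor: raising it slows login and off-line dictionary attacks alike
SALT_LEN = 16


def one_way(password: str, salt: bytes, iterations: int) -> bytes:
    """f(x): cheap to compute forwards, no practical inverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(db: dict, user: str, password: str, iterations: int = ITERATIONS) -> None:
    """Store salt, work factor and f(x); x itself is never written anywhere."""
    salt = os.urandom(SALT_LEN)
    db[user] = {"salt": salt, "iterations": iterations, "hash": one_way(password, salt, iterations)}


def verify(db: dict, user: str, attempt: str) -> bool:
    """Recompute f(x1) with the stored salt and compare against the stored f(x)."""
    record = db.get(user)
    if record is None:
        # Do the same amount of work for an unknown name, so timing does not reveal valid users.
        one_way(attempt, b"\x00" * SALT_LEN, ITERATIONS)
        return False
    candidate = one_way(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(db: dict, user: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored entry was computed with a lower work factor than current policy;
    the entry can be upgraded at the next successful login, when x is available again."""
    return db[user]["iterations"] < iterations


def demo() -> dict:
    db = {}
    register(db, "alice", "correct horse battery")
    register(db, "bob", "correct horse battery")          # same password, different salt
    register(db, "carol", "another one", iterations=50_000)  # older, weaker entry
    return {
        "alice_ok": verify(db, "alice", "correct horse battery"),
        "alice_wrong": verify(db, "alice", "correct horse"),
        "unknown_user": verify(db, "mallory", "anything"),
        "same_password_same_hash": db["alice"]["hash"] == db["bob"]["hash"],  # False thanks to the salt
        "carol_needs_rehash": needs_rehash(db, "carol"),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off on slide 89 is visible in ITERATIONS: every legitimate login pays one call of `one_way`, and an attacker with a copy of the file pays one call per dictionary word per user. Hiding the file (the slide's last point) is still worthwhile, because it takes the off-line attack off the table entirely rather than merely slowing it.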

Slide 90: Access Control Mechanisms
- OS access control mechanisms restrict access to files and other resources to users holding the appropriate privileges; they can be used to protect password files, so that only privileged users can access the password file.
- If read access is restricted to privileged users, passwords could in theory be stored unencrypted.
- Malicious users, taking advantage of faulty OS modules (bugs or trapdoors), could access the content of the password file; a Trojan horse in the login procedure of a system can record all the passwords used at login time.
- A combination of access control mechanisms and cryptographic methods is therefore recommended.

Slide 91: Proprietary Storage Formats
- A weak form of read protection is provided by proprietary storage formats; e.g. Windows NT stores encrypted passwords in a proprietary binary format.
- A determined attacker will obtain or deduce the information necessary to locate the security-relevant data.

