Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Security 계산이론연구실 120070196 임석재.

Published byRonald Golden Modified over 7 years ago

Similar presentations

Presentation on theme: "System Security 계산이론연구실 120070196 임석재."— Presentation transcript:

1 System Security 계산이론연구실 임석재

2 Contents Authentication Processes Files Retrospective

3 Authentication Focus here is on techniques used
All systems require some form Introduction to Computer Security ©2004 Matt Bishop November 1, 2007

4 DMZ Web Server SSH: cryptographic authentication for hosts
Does not use IP addresses Reject connection if authentication fails SSH: cryptographic authentication for user Request a password on failure Experimenting with smart card systems, so uses PAM. Why PAM? Passwords: use MD-5 hash to protect passwords Can be as long as desired (arbitrary length) Proactive password checking to ensure they are hard to guess No password aging (unnecessary) Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

5 Devnet Workstation Requires authentication as unauthorized people have access to physically secure area Each user must self-authenticate at login Employees VS developers? Passwords: proactively checked Use DES-based hash for NIS compatibility Max password length: 8 chars Aging in effect; time bounds (min 3d, max 90d). for what? SSH: like DMZ web server, except: root access is blocked Must log in as ordinary user, then change to root Other role accounts simply have a password hash that cannot be produced when any password is entered. The program lsu and sudo on UNIX systems Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

6 Comparison Both use strong authentication
The SSH server requires cryptographic authentication for host and user Host and user identities are established using the RSA public key cryptosystem All certificates installed by trusted sysadmins Both allow reusable passwords One uses MD-5, other UNIX DES-based hash (the version supported by NIS) One does not password aging, other does Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

7 Processes What each system must run
Goal is to minimize the number of these Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

8 DMZ Web Server Necessary processes: Web server Commerce server
Enough privileges to read pages, execute CGI scripts Simply needs minimal privileges. Why? Commerce server Enough privileges to copy files from web server’s area to spool area; not enough to alter web pages SSH server (privileged) Sysadmin privileges to support the remote access and tunnelling facilities Login server (privileged) Enough privileges to change to the user logging in If a physical terminal or console Any essential OS services (privileged) Page daemon, etc. Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

9 Example A typical UNIX system will have the following daemons:
init, the login server sshd, the SSH server webd, the Web server commerced, the commerce server Various servers for the operating system A Solaris system running with minimal services will include Scheduling process, a paging process, a file system flushing process, a process for recording logins and logouts, enabling of accounting creates one more process Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

10 Potential Problem UNIX systems: need root privileges to bind to ports under 1024 only root programs be able to access network ports Including port 80 (for web servers) But web server is unprivileged! because access is checked only when the port is opened. This allows two approaches to minimizing of privileges. Solution 1: Web Server starts with root privileges, opens port, discards privileges. What need? Solution 2: Write a wrapper program with root privileges, open port, drop privilege, invoke web server, pass the file descriptor corresponding to open port to that process. then terminates Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

11 File Access ACLs provide on defense. We can adapt another defense
In pure capability system The capability names the object If Don’t possess the capability, cannot identify an object If we can change the meaning of a file system name, then we can confine all references to a particular part of the file system The web server needs to reference only programs and files within the hierarchy of Web pages Change process notion of “root directory” to limit access to files in file system Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

12 FILE access Most UNIX systems provide a system call chroot that changes the process' notion of the root of the file hierarchy. suppose a process wishes to open the file /usr/web/pages/index.html if ((fd = open("/usr/web/pages/index.html", O_RDONLY)) < 0) perror("open /usr/web/pages/index.html for reading failed"); the system call chroot("/usr/web") changes the process' notion of root to usr/web if ((fd = open("/pages/index.html", O_RDONLY)) < 0) perror("open /usr/web/pages/index.html for reading failed"); The process could not directly refer to the file /usr/trans/1.

13 Example Some variants of the UNIX system allow the superuser to make links to a directory Web server changes root directory to /usr/Web Commerce server changes root directory to /usr/trans Note “xdir” accessible to both processes / usr W eb trans commerce server web server pages xdir 1 November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

14 Interprocess Communications
An issue is how the Web server communicates with the commerce server Web server needs to tell commerce server a transaction file is ready Use shared directory Web server places file with name “trnsnnnn” in directory (n is digit) Commerce server periodically checks directory for files of that name, operates on them Use the UNIX signaling mechanism If web server and the commerce server run with the same real or effective UID, or either runs with superuser privileges Web server and the commerce server should run as distinct users, with different privileges. Why? Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

15 Devnet Workstation Serves developer who will compile, test, debug, and manage software, write reports, analyses Servers provide administrative information Run with as few privileges as possible Best: user nobody and group nogroup When access to privileged ports is required, one of two methods is used Use inet daemon to listen at ports, spawn less privileged servers to service request the server starts with root privileges, opens the ports and other files accessible only to root, and drops to a lesser privilege level. Servers change notion of root directory Clients NIS client to talk to UINFO system File server allow client to access itself (NFS) Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

16 Example Consider a mail server on the devnet Two alertnatives
Port 25 can be opened only by root processes But the mail server need not run as root Two alertnatives Some mail servers allow the system administrator to specify an UID The mail server begins execution as root, open port, then switches to UID If saved UID is root, what disadvantages exist? Use wrapper as root Open port, redirects standard input and output to that port, drop privileges, spawns the mail server What conditions need? Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

17 Devnet Workstation Logging mechanism Disk space
Records OS calls, parameters, results Saves it locally, sent to central logging server Intrusion detection done; can augment logging as needed Initially, process start, end, audit and effective UIDs recorded Disk space If disk utilization over 95%, program scans local systems and deletes all temp files and editor backup files not in use Meaning have not been accessed in last 3 days Allow remote access using SSH Devnet users can test software using multiple workstations System administrator can log in remotely to perform maintenance activities Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

18 Comparison Both systems DMZ web server: only necessary processes
Run servers with the minimum level of privilege needed Have processes that log information DMZ web server: only necessary processes For the Web server, remote administration, the OS New software developed, compiled elsewhere Processes run in very restrictive environment for only root user Processes write log entries to local log and directly to log server Devnet workstation: provides environment for developers More processes for more tasks or program that on the DMZ Process environment less restrictive to allow other users to share data Processes write to log server, which does all logging from other programs, timestamps and formats them Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

19 Files Protections differ due to differences in policies
Use physical limits whenever possible, as these cannot be corrupted Use access controls otherwise Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

20 DMZ Web Server System programs, configuration files, etc. are on CD-ROM If attacker succeeds in breaking in, modifying in-core processes, then sysadmins simply reboot to recover Web page root directory, and the subdirectory containing the CGI programs, are on the CD-ROM Public key for internal commerce server here, too Only web pages change Too often to make putting them on CD-ROM When the system boots, one of its start-up actions is to mount two directories from the hard drive onto mount points on the CD-ROM Small hard drive holds pages, spool areas, temp directories, sysadmin home directory Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

21 DMZ Web Server The commerce server
Has access to the Web page directory and the spooling area Copies the data to the spooling area and deletes the original data. An attacker is unable to control it, Why? Web server will be unable to control the commerce server. Moreover, CGI programs encipher all data using a public key system Private key is on the internal network, not the DMZ system Attacker cannot decipher the data, Alternative? Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

22 Example Web server: user webbie Commerce server: user ecommie
When running, root directory is root of web page directory, “/mnt/www” CGI programs owned by root, located in directory (“/mnt/www/cgi-bin”) mounted from CD-ROM Keys in “/mnt/www/keys” Transaction files in “/mnt/www/pages/trans” Readable, writable by webbie, ecommie Commerce server: user ecommie Periodically checks “/mnt/www/pages/trans” Moves files out to “/home/com/transact” Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

23 DMZ Web Server Specifies that the number of programs on the system be minimal. the system itself requires few programs. Everything statically linked No compilers, dynamic loaders, etc. Command interpreter for sysadmin Programs to start, stop servers Programs to edit, create, delete, view files Programs to monitor systems No other programs None to read mail or news, no batching, no web browsers, etc. Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

24 DMZ Web Server The integrity of the system should be checked
If question: Stop web server Transfer all remaining transaction files Reboot system from CD-ROM Reformat hard drive Reload contents of user directories, web pages from the internal Web server system clone Restart servers If an attacker has left any back doors or processes? Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

25 Devnet Workstation First approach is to allow each developer to configure his or her own workstation create too many different systems to manage read-only media would have to be created for each workstation Standard configuration for these Provides folks with needed tools, configurations Configuration is on bootable CD-ROM CD-ROM created on isolated workstation Changes made to that workstation, then new CD-ROM created and distributed Workstations also have hard drive for local writable storage Mounted under CD-ROM Can be wiped if any question of integrity or during boot procedure Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

26 Devnet Workstation Logs on log server examined using various analysis tools and intrusion detection systems Security officers validate by analyzing 30 min worth of log entries and comparing result to reports from IDS Validation of the configuration and software and detection of security incidents To use of read-only media eliminates the need for integrity checking Scans of writable media look for files matching known patterns of intrusions If found, reboot and wipe hard drive Then do full check of file server Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

27 Comparison Both use physical means to prevent system software from being compromised Attackers can’t alter CD-ROMs Both have file systems on writable media that are mounted on the main file system Reloading systems DMZ web server: save transaction files, regenerate system from WWW-clone Actually, push files over to internal network system Devnet workstation: just reboot, reformat hard drive Files on hard drive are transient or replicated (logs) Because the main file system is on a CD-ROM, its integrity is ensured. Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

28 Comparison The differences between the approaches used in developing the two CD-ROMs spring from the question of attack from within the company. Devnet workstation: users trusted not to attack it Any developer can use any devnet workstation Developers may accidentally or deliberately introduce Trojan horses, etc Hence everything critical on read-only media Security was a consideration, but it was weighted against productivity and morale. DMZ web server: fewer trusted users Designed withstand attack from both the internet and the internel network. Self-contained; no mounting files remotely, none of its files mounted remotely CD-ROM has minimal web server system augmented only by additional programs tailored for Drib’s purpose Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

29 Summary: DMZ Web Server
Runs as few services as possible Keeps everything on unalterable media Checks source of all connections Web: from outer firewall only SSH: from trusted administrative host only The Web server and commerce server run with minimal privileges. Web, commerce servers transfer files via shared directory They do not directly communicate The transaction files themselves are enciphered using a public key algorithm Access to the administrative account requires that the user access a trusted host and then authenticate to the DMZ Web server using a public key protocol. Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

30 Summary: Devnet Workstation
Runs as few programs, servers as possible Many more than DMZ web server, though They may use ancillary hardware (such as embedded systems) to support the development Security prominent but not dominant Must not interfere with ability of developer to do job Security mechanisms hinder attackers, help find attackers, and enable rapid recovery from successful attack Access from network allowed User information resides in a centralized repository to maintain consistency across all development systems. Firewall(s) assumed to keep out unwanted users, so security mechanisms are second line of defense Backups occur daily. Because each workstation has a local writable area, users may keep files in that area rather than place them on the file servers. Introduction to Computer Security ©2004 Matt Bishop November 1, 2004

Download ppt "System Security 계산이론연구실 120070196 임석재."

Similar presentations

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #24-1 Chapter 24: System Security Introduction Policy Networks Users Authentication.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #24-1 Chapter 24: System Security Introduction Policy Networks Users Authentication.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #27-1 Chapter 27: System Security Introduction Policy Networks Users Authentication.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #27-1 Chapter 27: System Security Introduction Policy Networks Users Authentication.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Maintaining Windows Server 2008 File Services

Maintaining Windows Server 2008 File Services
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.

1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.

AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
Chapter 5 Roles and features. objectives Performing management tasks using the Server Manager console Understanding the Windows Server 2008 roles Understanding.

Chapter 5 Roles and features. objectives Performing management tasks using the Server Manager console Understanding the Windows Server 2008 roles Understanding.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

Similar presentations

Ads by Google