1. Lecture 21 Chapter 14: Protection Chapter 15: Security

2. Chapter 14: Protection Goals of Protection Principles of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Access Control
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection

3. Objectives
Discuss the goals and principles of protection in a modern computer system
Explain how protection domains combined with an access matrix are used to specify the resources a process may access
Examine capability and language-based protection systems

4. Protection
Operating system consists of a collection of objects, hardware or software
Each object has a unique name and can be accessed through a well-defined set of operations.
Protection problem
Ensure that each object is accessed correctly and only by those processes that are allowed to do so.
Guiding principle
principle of least privilege
Programs, users and systems should be given just enough privileges to perform their tasks

5. Domain Structure Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights

6. Domain Implementation (UNIX)
System consists of 2 domains:
User
Supervisor
UNIX
Domain = user-id
Domain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When file is executed and setuid = on,
then user-id is set to owner of the file being executed.
When execution completes user-id is reset.

7. Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings.
If j < I  Di  Dj

8. Access Matrix View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj

9. Use of Access Matrix
If a process in Domain Di tries to do “op” on object Oj,
then “op” must be in the access matrix.
Can be expanded to dynamic protection.
Operations to add, delete access rights.
Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Dj access rights
transfer – switch from domain Di to Dj

10. Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy
Mechanism
Operating system provides access-matrix + rules
It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
Policy
User dictates policy
Who can access what object and in what mode

11. Implementation of Access Matrix
Each column = Access-control list for one object Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read 
Each Row = Capability List (like a key) Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy

12. Access Matrix With Domains as Objects
Figure B

13. Access Matrix with Copy Rights

14. Access Matrix With Owner Rights

15. Modified Access Matrix of Figure B

16. Access Control Protection can be applied to non-file resources
Solaris 10 provides role-based access control to implement least privilege
Privilege is right to execute system call or use an option within a system call
Can be assigned to processes
Users assigned roles granting access
to privileges and programs

17. Revocation of Access Rights
Access List – Delete access rights from access list.
Simple
Immediate
Capability List – Scheme required to locate capability in the system before capability can be revoked.
Reacquisition
Back-pointers
Indirection
Keys

18. Language-Based Protection
Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

19. Protection in Java
Protection is handled by the Java Virtual Machine (JVM)
A class is assigned a protection domain when it is loaded by the JVM.
The protection domain indicates what operations the class can (and cannot) perform.
If a library method is invoked that performs a privileged operation,
the stack is inspected to ensure the operation can be performed by the library.

21. Chapter 15: Security The Security Problem Program Threats
System and Network Threats
Cryptography as a Security Tool
User Authentication
Implementing Security Defenses
Firewalling to Protect Systems and Networks
Computer-Security Classifications
An Example: Windows XP

22. Objectives To discuss security threats and attacks
To explain the fundamentals of encryption, authentication, and hashing
To examine the uses of cryptography in computing
To describe the various countermeasures to security attacks

23. The Security Problem
Security must consider external environment of the system, and protect the system resources
Intruders (crackers) attempt to breach security
Threat is potential security violation
Attack is attempt to breach security
Attack can be accidental or malicious
Easier to protect against accidental than malicious misuse

24. Concern for Security Explosive growth of desktops started in ‘80s
No emphasis on security
Who wants military security, I just want to run my spreadsheet!
Internet was originally designed for a group of mutually trusting users
By definition, no need for security
Users can send a packet to any other user
Identity (source IP address) taken by default to be true
Explosive growth of Internet in mid ’90s
Security was not a priority until recently
Only a research network, who will attack it?

25. Security Violations Categories Breach of confidentiality
Breach of integrity
Breach of availability
Theft of service
Denial of service
Methods
Masquerading (breach authentication)
Replay attack
Message modification
Man-in-the-middle attack
Session hijacking

26. Security Measure Levels
Security must occur at four levels to be effective:
Physical
Human
Avoid social engineering, phishing, dumpster diving
Operating System
Network
Security is as week as the weakest chain

27. Program Threats Trojan Horse Code segment that misuses its environment
Exploits mechanisms for allowing programs written by users to be executed by other users
Spyware, pop-up browser windows, covert channels
Trap Door
Specific user identifier or password that circumvents normal security procedures
Could be included in a compiler
Logic Bomb
Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow
Exploits a bug in a program
overflow either the stack or memory buffers

28. C Program with Buffer-overflow Condition
#include <stdio.h>
#define BUFFER SIZE 256
int main(int argc, char *argv[]) {
char buffer[BUFFER SIZE];
if (argc < 2)
return -1;
else {
strcpy(buffer,argv[1]);
return 0; }

29. Layout of Typical Stack Frame

30. Modified Shell Code #include <stdio.h>
int main(int argc, char *argv[]) {
execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);
return 0; }

31. Hypothetical Stack Frame
Before attack
After attack

32. Program Threats (Cont.)
Viruses
Code fragment embedded in legitimate program
Very specific to CPU architecture, operating system, applications
Usually borne via or as a macro
Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
vs = Shell(’’c:command.com /k format c:’’,vbHide)
End Sub

33. Program Threats (Cont.)
Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses
File
Boot
Macro
Source code
Polymorphic
Encrypted
Stealth
Tunneling
Multipartite
Armored

34. A Boot-sector Computer Virus

35. System and Network Threats
Worms
use spawn mechanism; standalone program
Internet worm
Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs
Grappling hook program uploaded main worm program
Port scanning
Automated attempt to connect to a range of ports on one or a range of IP addresses
Denial of Service
Overload the targeted computer preventing it from doing any useful work
Distributed denial-of-service (DDOS) come from multiple sites at once

36. The Morris Internet Worm

37. Code-Red Worm
On July 19, 2001, more than 359,000 computers connected to the Internet were infected in less than 14 hours
Spread

38. Sapphire Worm was the fastest computer worm in history
doubled in size every 8.5 seconds
infected more than 90 percent of vulnerable hosts within 10 minutes.

39. DoS attack on SCO On Dec 11, 2003 Attack on web and FTP servers of SCO
a software company focusing on UNIX systems
SYN flood of 50K packet-per-second
SCO responded to more than 700 million attack packets over 32 hours
CAIDA

40. Witty Worm
25 March 2004
reached its peak activity after approximately 45 minutes
at which point the majority of vulnerable hosts had been infected
World
USA

41. Nyxem Virus
Jan 15, 2006: infected about 1M computers within two weeks
At least 45K of the infected computers were also compromised by other forms of spyware or botware
Spread

42. Security Trends www.cert.org (Computer Emergency Readiness Team)
Discuss observed security trends, noting growth in sophistication of attacks contrasting with decrease in skill & knowledge needed to mount an attack.
Computer Emergency Readiness Team
(Computer Emergency Readiness Team)

43. The Cast of Characters Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic “intruder”
Who might Alice, Bob be?
… well, real-life Alices and Bobs
Web browser/server for electronic transactions
on-line banking client/server
DNS servers
routers exchanging routing table updates

44. Alice’s Online Bank Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice and Bob concerns similar? How are they different?
How does Trudy view the situation?
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice and Bob concerns similar? How are they different?
How does Trudy view the situation?
Confidentiality: Prevent unauthorized reading of information
Integrity : prevent unauthorized writing of information

45. Alice’s Online Bank AOB must prevent Trudy from learning Bob’s balance
Confidentiality (prevent unauthorized reading of information)
Trudy must not be able to change Bob’s balance
Bob must not be able to improperly change his own account balance
Integrity (prevent unauthorized writing of information)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice and Bob concerns similar? How are they different?
How does Trudy view the situation?
Confidentiality: Prevent unauthorized reading of information
Integrity : prevent unauthorized writing of information

46. Alice’s Online Bank AOB’s information must be available when needed
Availability (data is available in a timely manner when needed)
How does Bob’s computer know that “Bob” is really Bob and not Trudy?
When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
Authentication (assurance that other party is the claimed one)
Bob can’t view someone else’s account info
Bob can’t install new software, etc.
Authorization (allowing access only to permitted resources)
Availability: Data is available in a timely manner when needed

47. Think Like Trudy Good guys must think like bad guys!
A police detective
Must study and understand criminals
In security
We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice and Bob’s carelessness
But, we cannot act like Trudy