Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs."— Presentation transcript:

1 Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs

2 Authentication General principles of authenticating users: Something the user knows. Something the user has. Something the user is. Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

3 Figure 9-17. (a) A successful login. (b) Login rejected after name is entered. (c) Login rejected after name and password are typed. Authentication Using Passwords Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

4 Figure 9-18. How a cracker broke into a U.S. Department of Energy computer at LBL. How Crackers Break In Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

5 Figure 9-19. The use of salt to defeat precomputation of encrypted passwords. UNIX Password Security Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

6 Challenge-Response Authentication The questions should be chosen so that the user does not need to write them down. Examples: Who is Marjolein’s sister? On what street was your elementary school? What did Mrs. Woroboff teach? Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

7 Figure 9-20. Use of a smart card for authentication. Authentication Using a Physical Object Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

8 Figure 9-21. A device for measuring finger length. Authentication Using Biometrics Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

9 Figure 9-22. (a) Normal code. (b) Code with a trap door inserted. Trap Doors Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

10 Figure 9-23. (a) Correct login screen. (b) Phony login screen. Login Spoofing Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

11 Exploiting Code Bugs Example steps to exploit a bug: Run port scan to find machines that accept telnet connections. Try to log in by guessing login name and password combinations. Once in, run the flawed program with input that triggers the bug. If the buggy program is SETUID root, create a SETUID root shell. Fetch and start a zombie program that listens to an IP port for cmds. Arrange that the zombie program is started when the system reboots. Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

12 Figure 9-24. (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown in gray. Buffer Overflow Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

13 Figure 9-25. (a) The stack before the attack. (b) The stack after the stack has been overwritten. Return to libc Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

14 Figure 9-26. Code that might lead to a code injection attack. Code Injection Attacks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13- 6006639

Download ppt "Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs."

Similar presentations

1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Chapter 9 Security 9.1 The security environment

Chapter 9 Security 9.1 The security environment
Sockets and Services CS-480b Dick Steflik. Evaluating Socket Based Services How complex is the service? How might the service be abused? What information.

Sockets and Services CS-480b Dick Steflik. Evaluating Socket Based Services How complex is the service? How might the service be abused? What information.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Security Chapter 9 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

1 Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.

Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
What we will cover… Protection and Security in OS.

What we will cover… Protection and Security in OS.
Chapter 1 Introduction 1.5 - 1.8.

Chapter 1 Introduction
1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.

1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.
1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats.

1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
File System Implementation

File System Implementation
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.

Similar presentations

Ads by Google