CSE 451
description
Transcript of CSE 451
![Page 1: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/1.jpg)
CSE 451
Section March 2
Distributed Systems & Security
![Page 2: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/2.jpg)
Overview
• Project feedback• Questions on project 3• Distributed systems• System Security
![Page 3: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/3.jpg)
Project 2 feedback
• Need to bullet proof OS– Can’t assume resources won’t run out: file IDs,
address space IDs– Shouldn’t use any parameter without validation
• Including buffer sizes
– Need to test corner cases:• Running out of file Ids• Running out of physical memory• Loading programs too large for physical memory
• Writeups: generally good– Add introduction/conclusion– Add hints for next quarter
![Page 4: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/4.jpg)
Questions on project 3
• I need to meet with every group this week
![Page 5: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/5.jpg)
Distributed Systems
• People have talked about it since the 70s – why aren’t there more?– The web– File / print servers– Databases– Clusters
• It’s really hard…– Machines fail– Messages get lost– Machines get corrupted
![Page 6: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/6.jpg)
Distributed System Impossibilities
• Attacking Generals Problem:– Deciding to attack – if both attack, win, if one
attacks, lose. Can only send messengers that may be killed or subverted
![Page 7: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/7.jpg)
Attacking Generals
• It is impossible with a fixed maximum # of messages– You can never tell if your acknowledgement was
heard– Suppose you had a protocol that took no more than
12 messages, but messages could get lost. • The last message could get lost• Ergo, you didn’t need the last message
– If messages always get delivered, but one general is faulty (may die during decision making), you still can’t do it
• This is important: consider transactions
![Page 8: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/8.jpg)
Byzantine Generals Problem
• Have multiple general trying to decide to attack. One or more may be traitors. Can they agree to attack?
![Page 9: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/9.jpg)
Transactions
• Distributed transactions use “two phase commit”– First phase: ask participants to vote– If all vote “commit”, send out commit message. If
any vote “abort”, send abort message.– After vote to commit, participant changes must
survive crashes– To continue after failure, reboot and ask what the
vote was, or ask other participants to vote on what the decision was.
• It is impossible to survive partitions (machines disconnected from other participants) and not “block”
![Page 10: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/10.jpg)
Distributed systems
• These kinds of results make things hard– Message get lost, and you don’t know where
(on a request or reply)– Messages get delivered out of order– Messages can take a long time to get
delivered– A very slow machine may appear dead– Failures occur in a distributed system that
don’t occur on a single machine, so distribution isn’t invisible
![Page 11: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/11.jpg)
Security
• Security is also hard in a distributed system– How do you prove who you are?– How do you determine what someone
is allowed to do?– How do you secure your system
against attackers?
![Page 12: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/12.jpg)
Proving who you are
• This is Authentication– On a single computer, just store passwords
in a file– On a distributed system, you don’t want to
send passwords over the network: they could be “sniffed”
• Three general approaches:– Secret key encryption– Public key encryption– Hardware
![Page 13: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/13.jpg)
Secret Key Authentication
• Each person has a key that is secret but known to the service.
• Challenge response style:– S->A: random number– A->S {random number}Ka
• Kerberos style: use “tickets”
![Page 14: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/14.jpg)
Kerberos
• Keys are only shared with a key distribution center.
• To authenticate:– A ->KDC: A,B,time– KDC->A {B,time,k}Ka, {A,time,k}Kb– A->B {A,time,k}kb, {time}k– B->A {time}k– A->B
![Page 15: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/15.jpg)
Public Key Encryption
• Public keys: (asymmetric encryption)– One key encrypts, one key decrypts– One key kept private, the other key is
public– To “sign” a message: encrypt with
private key– To “seal” a message: encrypt with
public key of recipient
![Page 16: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/16.jpg)
Public Key Authentication
• Uses certificates:– A->KDC: A,B– KDC->A: (PKB,B) skdc : a certificate– A->B: (na, A)PKB– B->KDC: B, A– KDC->B: (PKA,A)skdc– B->A: (na, nb)pka– A->B: (nb) pkb
![Page 17: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/17.jpg)
What are you allowed to do?
• Two approaches:– ACLs: have a list on each object of who is
allowed access, and how much– Capabilities: get a ticket from someone that
gives you access, and present the ticket
• Both are used:– In NT: ACLs stored on all objects, used to
grant a Handle to the object– The Handle is a capability: the ACL isn’t
checked during access (e.g. read/write)
![Page 18: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/18.jpg)
What are the common methods of attack?
• Local exploits• Network Exploits• Root Kits
![Page 19: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/19.jpg)
Intrusion Tools
• Port Scanners (SATAN)– Remotely scan a range of addresses– Report on available services
• NFS, NIS, Sendmail, TFTP, RSH, X, FTP
– Report any known security holes– Can be detected (Courtney, Gabriel)
• Monitor traffic with TCPDUMP
![Page 20: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/20.jpg)
Intrusion Tools (2)
• Host-based scanners (Cops, Tiger))– Checks for known local problems
• Insecure configurations (ACLs, Passwords)
• Known bugs in services• Signs of intrusion (modified binaries)
![Page 21: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/21.jpg)
Remote Exploits
• Used to penetrate a machine with no local access (no existing account)
• Drives deployment of firewalls• Services that perform operations based
on unsecured user requests present vulnerabilities
• Examples:– Sendmail– IP spoofing (for authentication by IP address
only)
![Page 22: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/22.jpg)
Local Exploits
• Goal: gain unauthorized privileges for an existing account
• Getting an account:– Social engineering (asking people for
passwords)– Trading passwords– Sniffing traffic
• Exploits derived from bugs that execution of hostile commands at a privileged level– Eg. Scripts running with SUID– Cracking passwords
![Page 23: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/23.jpg)
Physical Exploits
• Attach machine to network & sniff• Reboot machine with floppy• Remove hard drive• Walk up to logged-on machine• Modifying hardware, or convincing
others to modify hardware
![Page 24: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/24.jpg)
What are the exploits?
• Domain errors – exposing data (e.g. passwords in pagefile)
• Validation errors – not validating parameters (e.g. finger exploit)
• Serialization – checking access asynchronously (e.g. allowing object to change after access check)
• Authentication / Authorization errors – e.g SUID bit
• Boundary condition violation – exhausting a resource (e.g. subst DOS)
• Exploitable logic errors
![Page 25: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/25.jpg)
Attack Process
• Reconnaissance– DNS zone transfer – copies DNS database– Search newsgroups for email addresses –
learn patterns
• Probe– Port scan using SATAN – often logged– Distributed port scan – many clients scan
same host– Check services for known vulnerabilities
![Page 26: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/26.jpg)
Attack Process (2)
• Attack the vulnerability– Attack code can be executed on the
host in untrusted account
• Find local exploit with COPS / TIGER– Become root
![Page 27: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/27.jpg)
Attack Process (3)
• Stealth– Modify logs to hide signs of attack– Replace binary files with modified versions that
don’t report attack• Eg. modify PS, netstat to not report process &
connections• Ensure future unlogged access
• Listening– Sniffers - monitor local network traffic– Snoopers - monitor local I/o (keystrokes, etc.) to
learn more accounts & passwords
• Spread attack to related hosts
![Page 28: CSE 451](https://reader036.fdocuments.us/reader036/viewer/2022062807/5681518b550346895dbfc419/html5/thumbnails/28.jpg)
What next
• Machines are used for future attacks:– Tribe Flood Network– Trin00
• Hackers remotely control a large network of computers, use them to coordinate attacks– Port scanning– Denial of service