Berkeley COMPSCI 162 - Protection and Security

This preview shows page 1-2-19-20 out of 20 pages.


Protection and Security
Ji [email protected]
4/22/2009

Access Enforcement
- Some part of the system must make sure that only authorized actions take place
  - Enforcer checks passwords, ACLs, etc.
  - Bugs in enforcer ⇒ things for malicious users to exploit
- In UNIX, superuser can do anything
  - Because of coarse-grained access control, lots of stuff has to run as superuser in order to work
  - If there is a bug in any one of these programs, you lose!

Access Enforcement (continued)
- Paradox
  - Bullet-proof enforcer
    - Only known way is to make enforcer as small as possible
    - Easier to make correct, but simple-minded protection model
  - Fancy protection
    - Tries to adhere to principle of least privilege
    - Really hard to get right

State of the World
- Authentication: Encryption
  - But almost no one encrypts or has public key identity
- Authorization: Access Control
  - But many systems only provide very coarse-grained access
  - In UNIX, need to turn off protection to enable sharing
- Enforcement: Kernel mode
  - Hard to write a million line program without bugs
  - Any bug is a potential security loophole!

Challenges to Access Enforcement
- Abuse of valid privileges
  - A super-user in Unix can do anything
- Imposter or Trojan Horse
- Listener
  - Eavesdrop on terminal wire, or listen in on local network traffic
- Spoiler
  - Use up all resources and make system crash
- Create doctored version of some standard program

Examples of Penetration
- Permission on lists of /dev files will lead to access to raw I/O devices
- User leaves fake shell on terminal
- Email based phishing
- Walk up to terminal that is still logged on
- Find account with null password
- Fake distributions: distribute a version of the software with doctored code

Examples of Penetration (continued)
- Create a fake file system and have the system mount it. Can put a program there "owned" by the superuser, with setuid bit set. User runs program and becomes superuser.
- Buffer overflow: many systems are vulnerable to argument buffers overflowing.

Security Problems: Buffer-overflow Condition

    #include <string.h>

    #define BUFFER_SIZE 256

    int process(int argc, char *argv[])
    {
        char buffer[BUFFER_SIZE];

        if (argc < 2)
            return -1;
        else {
            /* argv[1] is copied without checking its size */
            strcpy(buffer, argv[1]);
            return 0;
        }
    }

[Figure panels: Before attack / After attack]

- Technique exploited by many network attacks
  - Anytime input comes from network request and is not checked for size
  - Allows execution of code with same privileges as running program, but happens without any action from user!

The Morris Internet Worm
- Internet worm (self-reproducing)
- Author Robert Morris, a first-year Cornell grad student
- Launched close of workday on November 2, 1988
- Within a few hours of release, it consumed resources to the point of bringing down infected machines
- Techniques
  - Exploited UNIX networking features (remote access)
  - Bugs in finger (buffer overflow) and sendmail programs (debug mode allowed remote login)
  - Dictionary lookup-based password cracking
  - Grappling hook program uploaded main worm program

Timing Attacks: Tenex Password Checking
- Tenex: early 70's, BBN
  - Most popular system at universities before UNIX
  - Thought to be very secure, gave "red team" all the source code and documentation (want code to be publicly available, as in UNIX)
  - In 48 hours, they figured out how to get every password in the system
- Here's the code for the password check:

    for (i = 0; i < 8; i++)
        if (userPasswd[i] != realPasswd[i])
            goto error;

- How many combinations of passwords?
  - 256^8?
  - Wrong!

How to Prevent Buffer Overflow?
- Use a type safe language such as Java/C#/Python
- Use static source code scanner to check existing code
- Make stack not executable
- Implement some kind of dynamic stack-validity checking algorithm

Defeating Password Checking
- Tenex used VM, and it interacts badly with the above code
  - Key idea: force page faults at inopportune times to break passwords quickly
  - Arrange 1st char in string to be last char in pg, rest on next pg
    - Then arrange for pg with 1st char to be in memory, and rest to be on disk (e.g., ref lots of other pgs, then ref 1st page)

          a|aaaaaa
          page in memory | page on disk

  - Time password check to determine if first character is correct!
    - If fast, 1st char is wrong
    - If slow, 1st char is right, pg fault, one of the others wrong
  - So try all first characters, until one is slow
  - Repeat with first two characters in memory, rest on disk
  - Only 256 * 8 attempts to crack passwords
  - Fix is easy, don't stop until you look at all the characters

Consequences of System Break-in
- Once the system has been penetrated, it may be impossible to secure it again
- It's not always possible to tell when the system has been penetrated, since the villain can clean up all traces behind himself
- If we can never be sure that there are no bugs, then we can never be sure that the system is secure, since bugs could provide loopholes in the protection mechanisms.

Countermeasures
- Logging
- Get humans involved at key steps
- Principle of minimum privilege
- Correctness proofs
- Callback used to avoid abuse of accounts
- Consistency or plausibility check
  - E.g. is this user spending $10,000 when his largest previous purchase was $100?

Inference Control
- The goal: allowing users to be able to get statistical information (e.g. average) out of a database, but not get individual data
- The problem: can design sets of queries that will generate individual information
  - Average salary of all X
  - Average
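The buffer-overflow slide's "not checked for size" condition, with the size check put in before the copy. This is an added example, not code from the lecture; `process_checked`, its return codes and the `demo_len` helper are names assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Size-checked variant of the slide's process(): argv[1] is measured
 * before any copy and oversized input is rejected, so nothing is
 * written past the end of the stack buffer. */
int process_checked(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    const char *end;

    if (argc < 2 || argv[1] == NULL)
        return -1;
    /* memchr examines at most BUFFER_SIZE bytes and stops at the NUL. */
    end = memchr(argv[1], '\0', BUFFER_SIZE);
    if (end == NULL)
        return -2;      /* text plus NUL does not fit: reject, don't truncate */
    memcpy(buffer, argv[1], (size_t)(end - argv[1]) + 1);
    return 0;
}

/* Hypothetical helper: calls process_checked() with a constructed
 * argument made of n 'A' bytes (n must be below 512). */
int demo_len(size_t n)
{
    char arg[512];
    char prog[] = "prog";
    char *argv[] = { prog, arg, NULL };

    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return process_checked(2, argv);
}

int main(void)
{
    printf("255 bytes -> %d, 256 bytes -> %d\n", demo_len(255), demo_len(256));
    return 0;
}
```

The boundary is the point: 255 bytes plus the terminating NUL fill the buffer exactly, and one byte more is refused rather than silently truncated.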
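The Tenex slides' early-exit check next to the "look at all the characters" fix, as an added example that is not from the lecture. The `examined` out-parameter is an assumption standing in for the page-fault timing signal, and `check_full`, `guesses_with_leak` and the sample password are constructed for illustration.

```c
#include <stdio.h>
#define PW_LEN 8
typedef int (*check_fn)(const char *guess, const char *real, int *examined);
/* The slide's check: stops at the first mismatch. *examined models what
 * the page-fault timing exposed on Tenex: how far the loop got. */
int check_early_exit(const char *guess, const char *real, int *examined)
{
    for (int i = 0; i < PW_LEN; i++) {
        *examined = i + 1;
        if (guess[i] != real[i]) return 0;
    }
    return 1;
}

/* The slide's fix: look at all the characters before deciding. */
int check_full(const char *guess, const char *real, int *examined)
{
    int diff = 0;
    for (int i = 0; i < PW_LEN; i++)
        diff |= guess[i] ^ real[i];
    *examined = PW_LEN;               /* same work for every guess */
    return diff == 0;
}

/* Number of guesses until `check` accepts when each position is settled
 * by watching *examined; -1 if that signal never leads to an accept. */
long guesses_with_leak(check_fn check, const char *real)
{
    char guess[PW_LEN] = {0};
    long tries = 0;
    int examined = 0, c;
    for (int pos = 0; pos < PW_LEN; pos++) {
        for (c = 0; c < 256; c++) {
            guess[pos] = (char)c;
            tries++;
            if (check(guess, real, &examined)) return tries;
            if (examined > pos + 1) break;   /* loop ran past pos */
        }
        if (c == 256) return -1;
    }
    return -1;
}

int main(void)
{
    const char *real = "S3cr3t!x";    /* constructed 8-character sample */
    printf("early exit: %ld guesses, full check: %ld\n",
           guesses_with_leak(check_early_exit, real), guesses_with_leak(check_full, real));
    return 0;
}
```

With the early-exit check the search stays under the slide's 256 * 8 bound; with the full check `examined` is the same for every guess, so the per-character search never reaches an accept and the 256^8 space is all that remains.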

