Protection and Security
Jingtao Wang, cs162-tb@imail.eecs, 4/22/2009

Access Enforcement
- Some part of the system must make sure that only authorized actions take place: the enforcer checks passwords, ACLs, etc.
- Bugs in the enforcer: things for malicious users to exploit
- In UNIX, the superuser can do anything
  - Because of coarse-grained access control, lots of stuff has to run as superuser in order to work
  - If there is a bug in any one of these programs, you lose

Access Enforcement (Continued)
- Paradox
  - Bullet-proof enforcer: the only known way is to make the enforcer as small as possible. Easier to make correct, but a simple-minded protection model.
  - Fancy protection: tries to adhere to the principle of least privilege. Really hard to get right.

State of the World
- Authentication: encryption. But almost no one encrypts or has a public-key identity.
- Authorization: access control. But many systems only provide very coarse-grained access. In UNIX, you need to turn off protection to enable sharing.
- Enforcement: kernel mode. Hard to write a million-line program without bugs. Any bug is a potential security loophole.

Challenges to Access Enforcement
- Abuse of valid privileges: a superuser in Unix can do anything
- Imposter or Trojan Horse: create a doctored version of some standard program
- Listener: eavesdrop on the terminal wire or listen in on local network traffic
- Spoiler: use up all resources and make the system crash

Examples of Penetration
- Permissions on /dev files will lead to access to raw I/O devices
- User leaves a fake shell on a terminal
- Email-based phishing
- Walk up to a terminal that is still logged on
- Find an account with a null password
- Fake distributions: distribute a version of the software with doctored code

Examples of Penetration (Continued)
- Create a fake file system and have the system mount it. Can put a program there owned by the superuser with the setuid bit set. User runs the program and becomes superuser.
- Buffer overflow: many systems are vulnerable to argument buffers overflowing

Security Problems: Buffer Overflow Condition

    #include <string.h>

    #define BUFFER_SIZE 256

    int process(int argc, char *argv[])
    {
        char buffer[BUFFER_SIZE];

        if (argc < 2)
            return -1;
        else {
            /* Unchecked copy: an argv[1] longer than BUFFER_SIZE
               overruns the stack buffer. */
            strcpy(buffer, argv[1]);
            return 0;
        }
    }

(Figure: stack layout before attack / after attack)

- Technique exploited by many network attacks: any time input comes from a network request and is not checked for size
- Allows execution of code with the same privileges as the running program, but happens without any action from the user

The Morris Internet Worm
- Internet worm (self-reproducing)
  - Author: Robert Morris, a first-year Cornell grad student
  - Launched at the close of the workday on November 2, 1988
  - Within a few hours of release, it consumed resources to the point of bringing down infected machines
- Techniques
  - Exploited UNIX networking features (remote access)
  - Bugs in the finger (buffer overflow) and sendmail (debug mode allowed remote login) programs
  - Dictionary-lookup-based password cracking
  - Grappling hook program uploaded the main worm program

Timing Attacks: Tenex Password Checking
- Tenex: early 70's, BBN
  - Most popular system at universities before UNIX
  - Thought to be very secure; gave a red team all the source code and documentation (want code to be publicly available, as in UNIX)
  - In 48 hours they figured out how to get every password in the system
- Here's the code for the password check:

    for (i = 0; i < 8; i++)
        if (userPasswd[i] != realPasswd[i])
            goto error;

- How many combinations of passwords? 256^8? Wrong!

How to Prevent Buffer Overflow
- Use a type-safe language such as Java, C#, Python
- Use a static source code scanner to check existing code
- Make the stack not executable
- Implement some kind of dynamic stack-validity checking algorithm

Defeating Password Checking
- Tenex used VM, and it interacts badly with the above code
- Key idea: force page faults at inopportune times to break passwords quickly
- Arrange for the 1st char in the string to be the last char in a page, and the rest on the next page
- Then arrange for the page with the 1st char to be in memory and the rest to be on disk (e.g. reference lots of other pages, then reference the 1st page)
  (Figure: "a" on the page in memory, "aaaaaaa" on the page on disk)
- Time the password check to determine if the first character is correct
  - If fast, the 1st char is wrong
  - If slow, the 1st char is right (page fault; one of the others is wrong)
- So try all first characters until one is slow
- Repeat with the first two characters in memory, rest on disk
- Only 256 * 8 attempts to crack passwords
- Fix is easy: don't stop until you look at all the characters

Consequences of System Break-in
- Once the system has been penetrated, it may be impossible to secure it again
- It's not always possible to tell when the system has been penetrated, since the villain can clean up all traces behind himself
- If we can never be sure that there are no bugs, then we can never be sure that the system is secure, since bugs could provide loopholes in the protection mechanisms

Countermeasures
- Logging
- Get humans involved at key steps
- Principle of minimum privilege
- Correctness proofs
- Callback (used to avoid abuse of accounts)
- Consistency or plausibility check
  - E.g. is this user spending $10,000 when his largest previous purchase was $100?

Inference Control
- The goal: allow users to get statistical information (e.g. an average) out of a database, but not individual data
- The problem: one can design sets of queries that will generate individual information
  - Average salary of all X
  - Average salary of X - delta
  - Size of X

Inference Control (Continued)
- No good solution to this problem; can do some things:
  - Randomize the data slightly, i.e. introduce small errors
  - Permit only queries on predefined groups, e.g. zip codes

The Confinement Problem
- Problem: a mutually suspicious customer and service want to ensure that the service can only reach information provided by the customer, and that the service is protected from the customer
- Idea is the concept of an information utility. Idea currently resurfacing as server/web-based software.
- Two problems remain
  - Service may not perform as advertised
  - Service may leak (i.e. transmit) confidential data

List of Possible Leaks
- If the service has memory, it can collect data
- The service can send a message to a process controlled by its …
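As an added example (not from the slides), the two code fragments above next to the fixes the slides recommend: a bounded form of process() that refuses an oversize argument instead of copying it, and the Tenex check rewritten to look at all the characters, with a counter showing how many characters each version compares before answering. The names process_checked, check_early_exit and check_all_chars and the sample password are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256
#define PASSWD_LEN 8

/* Bounded form of the slide's process(): an argument that will not fit is
 * refused instead of being copied past the end of the stack buffer. */
int process_checked(int argc, char *argv[]) {
    char buffer[BUFFER_SIZE];
    if (argc < 2)
        return -1;
    if (strlen(argv[1]) >= BUFFER_SIZE)  /* no room for text plus NUL */
        return -2;
    memcpy(buffer, argv[1], strlen(argv[1]) + 1);
    return 0;
}

/* Tenex-style check: stops at the first mismatch. *examined receives how many
 * characters were compared; that count is what the page-fault timing leaks. */
int check_early_exit(const char *user, const char *real, int *examined) {
    *examined = 0;
    for (int i = 0; i < PASSWD_LEN; i++) {
        (*examined)++;
        if (user[i] != real[i])
            return 0;
    }
    return 1;
}

/* The slide's fix: look at all the characters before answering, so the work
 * done (and the pages touched) does not depend on where the mismatch is. */
int check_all_chars(const char *user, const char *real, int *examined) {
    int diff = 0;
    *examined = 0;
    for (int i = 0; i < PASSWD_LEN; i++) {
        (*examined)++;
        diff |= user[i] ^ real[i];
    }
    return diff == 0;
}

int main(void) {
    const char *real = "s3cr3tpw";  /* constructed sample password */
    int n;
    check_early_exit("aaaaaaaa", real, &n);  printf("early exit: %d\n", n);
    check_early_exit("s3cr3taa", real, &n);  printf("early exit: %d\n", n);
    check_all_chars("aaaaaaaa", real, &n);   printf("all chars:  %d\n", n);
    return 0;
}
```

The early-exit version compares 1 character when the first guess is wrong and 7 when six leading characters are right, which is exactly the per-position signal the page-fault trick measures; the all-characters version always compares 8.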
Berkeley COMPSCI 162 - Protection and Security