CSE543 Computer and Network Security - Fall 2007 - Professor Jaeger

Lecture 18 - Systems and Midterm Review
CSE543 - Fall 2007
Computer and Network Security
Professor Jaeger
October 30, 2007

Understanding Data Lifetime
• What happens to data in a system?
  – Where do secrets go?
• Handled by
  – Hardware, systems, middleware, applications, drivers, etc.
• How to find leaks and solve them?

Data Lifetime
• How long memory values reside on a system
  – Allocate a buffer
  – Assign a secret
  – Free the buffer
• Q: What happens to the memory during and after this cycle?
  – What happens to freed memory?
  – Data may be written elsewhere, used for other purposes
• Q: What’s the threat model here?
• Key (and other secrets) protection is paramount!

Can’t Be That Hard!
• Typical solutions
  – Zero the memory on free
  – Pin memory, so not written to swap
  – Encrypted file systems
• Problems
  – Compilers may not comply
    • Zeroing code on ‘free’ buffers is optimized out
  – Crashes
  – Incorrect features (don’t really pin memory)
  – Hibernation and Migration
    • Write state of system
  – Complex interactions of logging, random number generation, crash dumps, error reporting, etc.

Understanding Approach
• Whole System Simulation
  – TaintBochs (extension of IA-32 simulator)
• Key Ideas
  – Shadow Memory
    • Backup of all existing memory (registers and main memory)
  – Propagation Policy
    • “If any byte of any input value is tainted, then all bytes of the output are tainted”
  – Exceptional Cases
    • Tainted lookup tables -- Add more tainting
    • Constant functions -- Remove unnecessary tainting
  – Tainted Inputs
    • Device inputs: all (keyboard) or patterns (network)
    • Application: state what data is tainted to the system

Analysis
• Log everything
  – All changes in system state at any point in simulation
• System states
  – Can generate the state of the system at any time
• Identify Data
  – Map memory and registers to source variables
    • Program and line number where variable was defined
  – Patch Linux kernel to store this or core dump reading
• Identify Code
  – Find line number of modifying code
  – Can also enact gdb to use most features from a state

Findings
• Mozilla browser
  – What happens to a user-input password
• Ends up in
  – Linux tty buffers
  – Linux random number generator
  – Xserver input queue
  – Linux UNIX domain socket buffers
  – Mozilla strings
• Everyone in path allocates memory
  – Sometimes for multiple purposes
  – Free’d, but not zero’d
  – Memory is still around until reused
    • May also be copied to other variables

Fixes
• Some are easy
  – Heap memory
    • Ensure memory is zero’d
  – Stack memory
    • Zero the stack frame
• Some are harder
  – Stores built from tainted data
    • Random number and others in memory
  – Stores written to other places
    • Swap (encrypt it)
    • Logs, etc? Encrypt them?

What Does This Say About Security?
• Systems Security
  – Involves interactions at multiple levels
    • OS
    • Devices
    • Application
    • Services (X Window System)
    • Users
• Function Is Defined By Code
  – What does that instruction do?
  – What is its security impact?
  – Can programmers express this? Or can we figure it out?
  – Can it be conveyed into a form that users can work within?
• Not around...

Midterm
• 11/1
  – In class
• Closed book and closed notes
• Contents
  – 1/3 crypto and 2/3 systems security
• Crypto
  – Scope is same as mini-exam
    • Questions will be closely related, but not the same as, or subsumed by, mini-exam questions
• Systems
  – Principles
  – Systems Approaches
    • Sometimes compare them

Security Terminology
• Adversary
• Risks
• Vulnerability
• Threats
• Compromise
• Trust
• Trust Model
• Threat Model

Cryptography
• Encryption, Decryption
• Symmetric Key Systems
  – DES
  – One-time pads
• Public Key Systems
  – RSA
  – Diffie-Hellman
• Hash Functions
  – Uses
  – Properties
• Combinations of these into protocols
• Threats to crypto systems (use)

Authentication
• Key distribution
  – Needham-Schroeder
  – Secret and public key
• Kerberos
  – Protocol Basics
  – Extensions to NS (Needham-Schroeder)
• Kerberos Flaws
• Public Key Infrastructure
  – Use
  – Limitations

Trusted Computing
• Hardware for Security
  – Protected Storage
  – Hash Extends
  – Sealed Storage
• IMA Model (Paper)
  – What can really be done?
• Issues
  – Trust and DRM

Systems Security
• Access Control Fundamentals
  – Protection State
  – Protection System
  – Reference Monitor
  – Access Matrix
• Policies
  – Secrecy: Bell-LaPadula/MLS
  – Integrity: Biba, LOMAC, Clark-Wilson
  – Goals/Properties
  – How represented, how achieved?
• ACLs and Capabilities
  – Functions and issues

Systems Architectures
• Protection systems
  – UNIX, Windows
  – Features used for ‘protection’ and/or ‘security’
• Secure Systems
  – Sandbox Systems
  – Secure Capability Systems
  – Multics
  – SELinux
• Domain transitions
  – Programming language vulnerabilities
  – Security-typed languages
    • Related to HW
    • + SELinux and Security-Typed Languages

Good
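The "zero the memory on free" problem from the Can't Be That Hard! slide, as an added C example that is not from the lecture or the TaintBochs paper: the naive memset that an optimizing compiler may drop as a dead store, beside a zeroing routine that writes through a volatile pointer so the stores survive. KEY_LEN, the function names and the 0xA5 fill pattern are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed scenario: a 16-byte key lives in a heap buffer for one
 * operation and the buffer is then freed. */
#define KEY_LEN 16

/* 'Before' form from the slide: because nothing reads buf after the memset,
 * an optimizing compiler may treat it as a dead store and drop it, so the
 * key stays in the freed chunk until the allocator reuses it. */
static void free_key_naive(uint8_t *buf)
{
    memset(buf, 0, KEY_LEN);
    free(buf);
}

/* Hardened form: stores through a volatile pointer cannot be elided, so every
 * byte is really overwritten (the same guarantee memset_s / explicit_bzero
 * give where they are available). */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

static void free_key_secure(uint8_t *buf)
{
    secure_zero(buf, KEY_LEN);
    free(buf);
}

/* Helper for checking: number of non-zero bytes left in a buffer. */
static size_t count_nonzero(const uint8_t *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (buf[i]) c++;
    return c;
}

/* Fill a key buffer with a constructed pattern, scrub it, and report how
 * many secret bytes survive (0 when the scrub really happened). */
static size_t demo_scrub(void)
{
    uint8_t key[KEY_LEN];
    memset(key, 0xA5, KEY_LEN);
    secure_zero(key, KEY_LEN);
    return count_nonzero(key, KEY_LEN);
}
```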
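The shadow-memory model and propagation policy from the Understanding Approach slide, and the "freed but not zeroed" finding, as a constructed toy in C added here (not TaintBochs code, and far simpler than a whole-system simulator): a small guest memory with one shadow byte per data byte, a keyboard source that taints everything it writes, an operation that follows the any-input-byte-tainted rule, the constant-function exception, and the analysis step that counts tainted bytes left behind in a buffer that was freed without zeroing. All names, offsets and the sample password are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model, not TaintBochs itself: a small guest memory plus a
 * shadow byte per memory byte, 1 meaning the byte holds tainted (secret) data. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE], shadow[MEM_SIZE];

/* Tainted input: everything a device such as the keyboard writes is tainted. */
static void keyboard_input(size_t dst, const uint8_t *data, size_t n)
{ memcpy(&mem[dst], data, n); memset(&shadow[dst], 1, n); }

/* Propagation policy from the slide: if any byte of any input is tainted,
 * all bytes of the output are tainted. f is the per-byte computation. */
static void tainted_op(size_t dst, size_t src, size_t n, uint8_t (*f)(uint8_t))
{
    bool any = false;
    for (size_t i = 0; i < n; i++) any |= (shadow[src + i] != 0);
    for (size_t i = 0; i < n; i++) {
        mem[dst + i] = f(mem[src + i]);
        shadow[dst + i] = any;
    }
}

/* Exceptional case: a constant function's output reveals nothing about its
 * input, so the output shadow is cleared. Zeroing a freed buffer is the
 * same operation with value 0; a plain free() clears neither data nor taint. */
static void constant_op(size_t dst, size_t n, uint8_t value)
{ memset(&mem[dst], value, n); memset(&shadow[dst], 0, n); }

/* Analysis: count tainted bytes in a region, e.g. a buffer already freed. */
static size_t tainted_bytes(size_t start, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += shadow[start + i];
    return c;
}

static uint8_t to_upper(uint8_t c) { return (c >= 'a' && c <= 'z') ? c - 32 : c; }

/* Scenario: an 8-byte password typed at offset 0, copied (upper-cased) into an
 * application string at 16, a constant written at 32, and the input buffer then
 * "freed" without zeroing. Returns the tainted bytes left across all three. */
static size_t demo_leak(void)
{
    keyboard_input(0, (const uint8_t *)"hunter2x", 8);
    tainted_op(16, 0, 8, to_upper);
    constant_op(32, 8, 0x41);
    return tainted_bytes(0, 8) + tainted_bytes(16, 8) + tainted_bytes(32, 8);
}
```

The scan reports 16 tainted bytes: the freed input buffer and the application copy both still hold the secret, while the constant-function output is clean.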