CSE 120: Principles of Operating Systems (Fall 2001)
Lecture 15: Security
Geoffrey M. Voelker
November 26, 2001

Slide 2: Today
- Some principles of computer security
  - Cribbed from Steve Gribble at UW, who based it on slides from David Wagner at Berkeley
- Why security is a computer systems issue
- Example UCSD security-related project
  - Backscatter: Detecting DoS attacks. David Moore (CAIDA), Voelker, and Stefan Savage (CSE)

Slide 3: Security
- Computer Security: Techniques for computing in the presence of adversaries
- Three categories of security goals:
  - Confidentiality: preventing unauthorized release of information
  - Integrity: preventing unauthorized modification of information
  - Availability: preventing denial-of-service attacks
- Protection is about providing all three on a single machine
  - Usually considered the responsibility of the OS
- Cryptography: Techniques for communicating in the presence of adversaries

Slide 4: Trusted Computing Base (TCB)
- Think carefully about what you trust with your data
- If you type your password on a keyboard, you're trusting:
  - The keyboard manufacturer
  - Your computer manufacturer
  - Your OS
  - The password library
  - The application that is checking the password
- TCB: the set of components (hardware, software, people) that you trust your secrets with
- Public Web kiosks should not be in your TCB
  - Should your OS be? Think about IE and ActiveX

Slide 5: Design Principles for Security-Conscious Systems
- Security is much, much more than just crypto
  - If there is a fundamental flaw in the design of the system, then all of the crypto in the world won't help you
  - It is usually easier to find a bug in an implementation than to circumvent a crypto system
- Unfortunately, systems design is still as much an art as it is a science
  - But decades of building systems the wrong way have helped us cull some learned wisdom
  - We'll cover some of it in the rest of this part of the lecture

Slide 6: Principle of Least Privilege
- Figure out exactly which capabilities a program needs to run, and grant it only those
  - Not always easy, but one algorithm: start by granting none, run and see where it breaks, add the needed privilege, repeat
- Unix
  - Good example: You should not normally run as root, to protect against accidents
  - Bad example: Some programs run as root just to get one small privilege, such as binding a port < 1024 (a privileged port). E.g., ftpd
  - Exploit one of these programs and you get root access to the system

Slide 7: Tractorbeaming wu-ftpd
- wu-ftpd tries to run with least privilege
- But occasionally it elevates its privilege with:

      seteuid(0);
      /* privileged critical section runs here */
      seteuid(getuid());

- However, wu-ftpd does not disable Unix signals
  - While in the critical section, it can be "tractor beamed" away to a signal handler
  - The handler does not return to the original control flow
- A remote user can cause a signal handler to run by terminating a download in midstream
  - But they need to catch wu-ftpd in the critical section
- wu-ftpd doesn't relinquish privileges after the signal handler runs
- Result: Abort a download at the right moment and then use wu-ftpd as root

Slide 8: Principle of Least Common Mechanism
- Basic lesson: Be careful of shared code
  - Eudora, Outlook, and Internet Explorer
  - Assumptions made by the code may no longer be valid when it is shared
- Windows exports an API to IE's HTML rendering code
  - Eudora and other programs use it to display HTML in email
  - By default, JavaScript and Java parsing are enabled
- The HTML rendering code knows JavaScript is unsafe
  - It disables JavaScript when the page was downloaded from the Internet (the Internet is untrusted)
  - But it enables JavaScript when the page is loaded off of disk (your own file system is trusted)
  - But email is loaded off of disk: fertile ground for email viruses

Slide 9: Even More Pernicious
- VMS password checking flaw
- Password checking algorithm:

      for (i = 0; i < password_length; i++)
          if (password[i] != entered_password[i])
              return FALSE;
      return TRUE;

- What is the problem here?
  - Hint: Think about virtual memory
  - Another hint: Think about page faults
  - Final hint: Who controls where in memory entered_password lives?

Slide 10: Principle of Complete Mediation
- Check every access to every object
- In rare cases you can get away with less (caching)
  - But only if you are sure nothing relevant in the environment has changed, which is a lot to be sure of
- Ex: NFS and file handles
  - NFS protocol: the client contacts the remote mountd to get a file handle for a remotely exported NFS file system
  - The remote mountd checks access control at mount time
  - The file handle is a capability: the client presents it to read or write a file
  - Access control is not checked after mount time
  - Anyone who can sniff the file handle off the network can access the file system

Slide 11: Fail-Safe Defaults
- Start by denying all access, then allow only that which has been explicitly permitted
  - Oversights will then show up as false negatives: somebody is denied access who should have it
  - The opposite leads to false positives: somebody is given access who shouldn't get it, and there is not much incentive to report this kind of failure
- Examples
  - SunOS shipped with "+" in /etc/hosts.equiv: essentially lets anyone log in as any local user on the host
  - Irix shipped with "xhost +": any remote client can connect to the local X server

Slide 12: No Security Through Obscurity
- Security through obscurity: attempting to gain security by hiding implementation details
- Claim: A secure system should be secure even if all implementation details are published
  - In fact, systems become more secure as people scour the implementation details and find flaws
  - Rely on mathematics and sound design to provide security
- Ex: GSM cell phones
  - The GSM committee designed their own crypto algorithm but hid it from the world
  - Social engineering and reverse engineering revealed the algorithm
  - It turned out to be relatively weak and easy to subvert
- Ex: Netscape SSL

Slide 13: Outlook for the Future
- Doesn't look bright
  - More and more complex systems are being deployed
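The VMS-style check from the "Even More Pernicious" slide above, as an added example that is not from the lecture: the slide's early-exit loop instrumented to report how many bytes of entered_password it read before deciding, next to a comparison that reads every byte regardless. The variable names are the slide's; the bytes_examined out-parameter and constant_time_check are assumptions made for this example.

```c
#include <stddef.h>

/* The slide's loop, with an out-parameter recording how many bytes of
 * entered_password were read before the decision. The early return makes
 * that count grow with the length of the correctly guessed prefix, which is
 * what the slide's page-fault hint points at: a caller who controls where
 * entered_password lives can observe whether byte k was ever touched. */
int early_exit_check(const char *password, const char *entered_password,
                     size_t password_length, size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < password_length; i++) {
        if (password[i] != entered_password[i]) {
            *bytes_examined = i + 1;   /* stopped at the first mismatch */
            return 0;                  /* FALSE */
        }
    }
    *bytes_examined = password_length;
    return 1;                          /* TRUE */
}

/* Hardened form (added here, not the historical VMS fix): read every byte
 * of both strings whatever the first mismatch position, OR the differences
 * into one accumulator, and decide only at the end. A length mismatch is
 * folded in the same way, so neither the memory-access pattern nor the
 * running time depends on how good the guess was. */
int constant_time_check(const char *password, size_t password_length,
                        const char *entered_password, size_t entered_length,
                        size_t *bytes_examined)
{
    unsigned char diff = (password_length != entered_length);
    size_t i;
    for (i = 0; i < password_length; i++) {
        /* wrap the index so a shorter guess is still read on every step */
        size_t j = entered_length ? i % entered_length : 0;
        unsigned char g = entered_length ? (unsigned char)entered_password[j] : 0;
        diff |= (unsigned char)password[i] ^ g;
    }
    *bytes_examined = password_length;   /* always the full length */
    return diff == 0;
}
```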
  - More and more lives are being trusted to them
- Bruce Schneier: three waves of security attacks
  - 1st wave: physical attacks on wires and hardware. Physical security defends against this wave
  - 2nd wave: syntactic attacks on crypto, protocols, and systems. E.g., buffer overflows, DDoS attacks
  - 3rd wave: semantic attacks: humans and computers trust information that they shouldn't. E.g., falsified press announcements: the Emulex Corp. stock hoax (CEO resigns, 61% stock drop). Semantic attack against people with