CSE 120: Principles of Operating Systems, Fall 2001
Lecture 15: Security
Geoffrey M. Voelker
November 26, 2001 CSE 120 – Lecture 15 – Security

Today
● Some principles of computer security
  ◆ Cribbed from Steve Gribble at UW, who based it on slides from David Wagner at Berkeley
  ◆ Why security is a computer systems issue
● Example UCSD security-related project
  ◆ Backscatter: Detecting DoS attacks
  ◆ David Moore (CAIDA), Voelker and Stefan Savage (CSE)

Security
● Computer Security
  ◆ Techniques for computing in the presence of adversaries
    » Three categories of security goals
      ■ Confidentiality: preventing unauthorized release of info
      ■ Integrity: preventing unauthorized modification of info
      ■ Availability: preventing denial of service attacks
    » Protection is about providing all three on a single machine
      ■ Usually considered the responsibility of the OS
● Cryptography
  ◆ Techniques for communicating in the presence of adversaries

Trusted Computing Base (TCB)
● Think carefully about what you trust with your data
  ◆ If you type your password on a keyboard, you're trusting
    » The keyboard manufacturer
    » Your computer manufacturer
    » Your OS
    » The password library
    » The application that is checking the password
  ◆ TCB = set of components (hardware, software, people) that you trust your secrets with
● Public Web kiosks should not be in your TCB
  ◆ Should your OS? (Think about IE and ActiveX)

Design Principles for Security Conscious Systems
● Security is much, much more than just crypto
  ◆ If there is a fundamental flaw in the design of the system, then all of the crypto in the world won't help you
  ◆ It is usually easier to find a bug in an implementation than to circumvent a crypto system
● Unfortunately, systems design is still as much an art as it is a science
  ◆ But decades of building systems the wrong way have helped us cull some learned wisdom
  ◆ We'll cover some in the rest of this part of the lecture

Principle of Least Privilege
● Figure out exactly which capabilities a program needs to run, and grant it only those
  ◆ Not always easy, but one algorithm: start by granting none, run and see where it breaks, add the new privilege, repeat
● Unix
  ◆ Good example: should not normally run as root, to protect against accidents
  ◆ Bad example: some programs run as root just to get a small privilege, such as using a port < 1024 (privileged port)
    » E.g., ftpd
    » Exploit these programs, and you get root access to the system

Tractor-beaming wu-ftpd
● wu-ftpd tries to run with least privilege
  ◆ But occasionally tries to elevate its privilege with:

        seteuid(0);
        // privileged critical section runs here
        seteuid(getuid());

  ◆ However, wu-ftpd does not disable Unix signals
    » While in a critical section, can be "tractor-beamed" away to a signal handler
      ■ Does not return to original control flow
    » Remote user can cause a signal handler to run by terminating a download in midstream!
      ■ But need to catch wu-ftpd in the critical section
    » wu-ftpd doesn't relinquish privileges after the signal handler
      ■ Result: can abort a download and then use wu-ftpd as root

Principle of Least Common Mechanism
● Basic lesson: be careful of shared code
  ◆ Assumptions made may no longer be valid with shared code
● Eudora/Outlook and Internet Explorer
  ◆ Windows exports an API to IE's HTML rendering code
    » Eudora and other programs use this to display HTML in email
    » By default, JavaScript and Java parsing are enabled
  ◆ HTML rendering code knows Java(Script) is unsafe
    » Disables it when JavaScript is downloaded from the Internet
      ■ The Internet is untrusted
    » But enables it when JavaScript is loaded off of disk
      ■ Your own file system is trusted
  ◆ But… email is loaded off of disk!
    » Fertile ground for email viruses…

Even More Pernicious
● VMS password checking flaw
  ◆ Password checking algorithm:

        for (I = 0; I < password.length(); I++) {
            if (password[I] != entered_password[I])
                return false;
        }
        return true;

  ◆ What is the problem here?
    » Hint: think about virtual memory…
    » Another hint: think about page faults…
    » Final hint: who controls where in memory entered_password lives?

Principle of Complete Mediation
● Check every access to every object
  ◆ In rare cases, can get away with less (caching)
    » But only if sure nothing relevant in the environment has changed (which is a lot)
● Ex: NFS and file handles
  ◆ NFS protocol
    » Client contacts remote "mountd" to get a file handle to a remotely exported NFS file system
      ■ Remote mountd checks access control at mount time
    » File handle is a capability: client presents it to read/write a file
      ■ Access control is not checked after mount time
    » Can use a network sniffer to get a file handle and access the file system

Fail-Safe Defaults
● Start by denying all access, then allow only that which has been explicitly permitted
  ◆ Oversights will then show up as "false negatives"
    » Somebody is denied access who should have it
  ◆ The opposite leads to "false positives"
    » Somebody is given access who shouldn't get it
    » Not much incentive to report this kind of failure…
● Examples
  ◆ SunOS shipped with "+" in /etc/hosts.equiv
    » Essentially lets anyone log in as any local user to the host
  ◆ Irix shipped with "xhost +"
    » Any remote client can connect to the local X server

No Security Through Obscurity
● Security through obscurity
  ◆ Attempting to gain security by hiding implementation details
  ◆ Claim: a secure system should be secure even if all implementation details are published
    » In fact, systems become more secure as people scour implementation details and find flaws
    » Rely on mathematics and sound design to provide security
● Ex: GSM cell phones
  ◆ GSM committee designed their own crypto algorithm, but hid it from the world
    » Social engineering + reverse engineering revealed the algorithm
    » Turned out to be relatively weak, easy to subvert
● Ex: