Chapter 9: Security
CS 1550, cs.pitt.edu (originally modified by Ethan L. Miller and Scott A. Brandt)

Outline of slides:
- Security
- Security environment: threats
- What kinds of intruders are there?
- Accidents cause problems, too...
- Protection
- Protection domains
- Protection matrix
- Domains as objects in the protection matrix
- Representing the protection matrix
- Access control lists
- Access control lists in the real world
- Capabilities
- Cryptographically protected capability
- Protecting the access matrix: summary
- Reference monitor
- Formal models of secure systems
- Bell-La Padula multilevel security model
- Biba multilevel integrity model
- Covert channels
- Covert channel using file locking
- Steganography
- Cryptography
- Cryptography basics
- Secret-key encryption
- Modern encryption algorithms
- Unbreakable codes
- Public-key cryptography
- The RSA algorithm for public key encryption
- One-way functions
- Digital signatures
- Pretty Good Privacy (PGP)
- User authentication
- Authentication using passwords
- Dealing with passwords
- Salting the passwords
- Sample breakin (from LBL)
- Authentication using a physical object
- Authentication using biometrics
- Countermeasures
- Attacks on computer systems
- Trojan horses
- Login spoofing
- Logic bombs
- Trap doors
- Buffer overflow
- Generic security attacks
- Security flaws: TENEX password problem
- Design principles for security
- Security in a networked world
- Virus damage scenarios
- How viruses work
- How viruses find executable files
- Where viruses live in the program
- Viruses infecting the operating system
- How do viruses spread?
- Hiding a virus in a file
- Using encryption to hide a virus
- Polymorphic viruses
- How can viruses be foiled?
- Worms vs. viruses
- Mobile code
- Security in Java

Slide 2: Security
- The security environment
- Protection mechanisms
- Basics of cryptography
- User authentication
- Attacks from inside the system
- Attacks from outside the system
- Trusted systems

Slide 3: Security environment: threats
- Operating systems have goals
  - Confidentiality
  - Integrity
  - Availability
- Someone attempts to subvert the goals
  - Fun
  - Commercial gain

  Goal                  Threat
  Data confidentiality  Exposure of data
  Data integrity        Tampering with data
  System availability   Denial of service

Slide 4: What kinds of intruders are there?
- Casual prying by nontechnical users
  - Curiosity
- Snooping by insiders
  - Often motivated by curiosity or money
- Determined attempt to make money
  - May not even be an insider
- Commercial or military espionage
  - This is very big business!

Slide 5: Accidents cause problems, too...
- Acts of God
  - Fires
  - Earthquakes
  - Wars (is this really an "act of God"?)
- Hardware or software error
  - CPU malfunction
  - Disk crash
  - Program bugs (hundreds of bugs found in the most recent Linux kernel)
- Human errors
  - Data entry
  - Wrong tape mounted
  - rm * .o

Slide 6: Protection
- Security is mostly about mechanism
  - How to enforce policies
  - Policies largely independent of mechanism
- Protection is about specifying policies
  - How to decide who can access what?
- Specifications must be
  - Correct
  - Efficient
  - Easy to use (or nobody will use them!)

Slide 7: Protection domains
- Three protection domains
  - Each lists objects with permitted operations
- Domains can share objects & permissions
- Objects can have different permissions in different domains
- There need be no overlap between object permissions in different domains
- How can this arrangement be specified more formally?

  [Figure: three protection domains (Domain 1, Domain 2, Domain 3) and the objects with their rights: File1 [R], File2 [RW], File3 [R], File4 [RWX], File5 [RW], File3 [W], Screen1 [W], Mouse [R], Printer [W]]

Slide 8: Protection matrix
- Each domain has a row in the matrix
- Each object has a column in the matrix
- Entry for <object, column> has the permissions
- Who's allowed to modify the protection matrix?
  - What changes can they make?
  - How is this implemented efficiently?

  Domain  File1  File2       File3  File4               File5       Printer1  Mouse1
  1       Read   Read Write
  2                          Read   Read Write Execute  Read Write  Write
  3                          Write                                  Write     Read

Slide 9: Domains as objects in the protection matrix
- Specify permitted operations on domains in the matrix
  - Domains may (or may not) be able to modify themselves
  - Domains can modify other domains
  - Some domain transfers permitted, others not
- Doing this allows flexibility in specifying domain permissions
  - Retains ability to restrict modification of domain policies

  Domain  File1  File2       File3  File4               File5       Printer1  Mouse1  Dom1 / Dom2 / Dom3
  1       Read   Read Write                                                           Modify
  2                          Read   Read Write Execute  Read Write  Write             Modify
  3                          Write                                  Write     Read    Enter
  (which of the Dom1, Dom2, Dom3 columns each Modify or Enter entry sits in is not recoverable from the extracted slide)

Slide 10: Representing the protection matrix
- Need to find an efficient representation of the protection matrix (also called the access matrix)
- Most entries in the matrix are empty!
- Compress the matrix by:
  - Associating permissions with each object: access control list
  - Associating permissions with each domain: capabilities
- How is this done, and what are the tradeoffs?

Slide 11: Access control lists
- Each object has a list attached to it
- List has
  - Protection domain
    - User name
    - Group of users
    - Other
  - Access rights
    - Read
    - Write
    - Execute (?)
    - Others?
- No entry for domain => no rights for that domain
- Operating system checks permissions when access is needed

  File1: elm: <R,W>; znm: <R>; root: <R,W,X>
  File2: elm: <R,X>; uber: <R,W>; root: <R,W>; all: <R>

Slide 12: Access control lists in the real world
- Unix file system
  - Access list for each file has exactly three domains on it
    - User (owner)
    - Group
    - Others
  - Rights include read, write, execute: interpreted differently for directories and files
- AFS
  - Access lists only apply to directories: files inherit rights from the directory they're in
  - Access list may have many entries on it with possible rights:
    read, write, lock (for
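The protection matrix, domains-as-objects and matrix-representation slides worked through as an added Python example (not code from the slides or the course): the slide's matrix is held sparsely, the per-object ACL view and the per-domain capability view are derived from it, a reference-monitor check is run against each, and a domain switch is gated on the Enter right. Which Dom column the Modify and Enter entries occupy is an assumption, as is the use of Enter on Dom1 from domain 3.

```python
from collections import defaultdict

# Sparse protection matrix from the slide: (domain, object) -> set of rights.
# Constructed here; the Dom columns holding the Modify/Enter rights are assumed.
MATRIX = {
    (1, "File1"): {"Read"},            (1, "File2"): {"Read", "Write"},
    (1, "Dom2"): {"Modify"},           # assumed column
    (2, "File3"): {"Read"},            (2, "File4"): {"Read", "Write", "Execute"},
    (2, "File5"): {"Read", "Write"},   (2, "Printer1"): {"Write"},
    (2, "Dom3"): {"Modify"},           # assumed column
    (3, "File3"): {"Write"},           (3, "Printer1"): {"Write"},
    (3, "Mouse1"): {"Read"},           (3, "Dom1"): {"Enter"},  # assumed column
}

def acls(matrix):
    """Column-wise compression: each object keeps its own list of domain -> rights (an ACL)."""
    table = defaultdict(dict)
    for (dom, obj), rights in matrix.items():
        table[obj][dom] = frozenset(rights)
    return dict(table)

def capabilities(matrix):
    """Row-wise compression: each domain keeps its own list of object -> rights (capabilities)."""
    table = defaultdict(dict)
    for (dom, obj), rights in matrix.items():
        table[dom][obj] = frozenset(rights)
    return dict(table)

def allowed_by_acl(acl_table, dom, obj, right):
    """Reference-monitor check against the object's ACL; no entry for the domain => no rights."""
    return right in acl_table.get(obj, {}).get(dom, frozenset())

def allowed_by_cap(cap_table, dom, obj, right):
    """The same check answered from the domain's capability list."""
    return right in cap_table.get(dom, {}).get(obj, frozenset())

def representations_agree(matrix, rights=("Read", "Write", "Execute", "Modify", "Enter")):
    """Both compressions of one matrix must answer every (domain, object, right) query identically."""
    acl_t, cap_t = acls(matrix), capabilities(matrix)
    doms = {d for d, _ in matrix}
    objs = {o for _, o in matrix}
    return all(allowed_by_acl(acl_t, d, o, r) == allowed_by_cap(cap_t, d, o, r)
               for d in doms for o in objs for r in rights)

def enter_domain(cap_table, current, target):
    """Domain transfer: permitted only if the current domain holds Enter on the target domain."""
    if not allowed_by_cap(cap_table, current, f"Dom{target}", "Enter"):
        raise PermissionError(f"domain {current} may not enter domain {target}")
    return target
```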