MSU CSE 870 - Program Security
Outline (slide titles of the full deck):
Program Security; Programming Issues of Security; Malicious Code; Types of Malicious Code; Homes for Viruses; Cause and Effects [Pfleeger97]; How to Prevent Viruses; Controls against Threats; Trusted Operating Systems; We will cover; Protected Objects; Security Methods; Memory Protection; Memory Protection (cont'd); Memory Protection: Segmentation; Memory Protection: Paging; File Protection; File Protection (cont'd); User Authentication; Attacks on Passwords; Attacks on Passwords (cont'd); Password Lists; Password Selection; Authentication Process; Designing Trusted OS; Major Activities; Foundations of Trusted OS; Secure vs Trusted; Security Policies; Military Security Policy; Compartments and Sensitivity; Commercial Security Policies; Example Policies; Example Chinese Wall; Models of Security; Multilevel Security; Secure Flow of Information; Design of Trusted OS; Assurance in Trusted OS; Assurance in Trusted OS (cont'd); Evaluation; Evaluation (cont'd); Example OS Implementations

Program Security

Programming Issues of Security
• Types and effects of flaws and malicious code
• Techniques to help control program threats

Malicious Code
• Definition: unexpected or undesired effects in programs or program parts caused by an agent intent on damage. [Pfleeger97]
• Two main categories:
 – Programs that compromise or change data
 – Programs that affect computer service

Types of Malicious Code [Pfleeger97]
Code type: characteristics
• Virus: attaches itself to a program and propagates copies to other programs
• Trojan horse: contains unexpected, additional functionality
• Logic bomb: triggers an action when a condition occurs
• Time bomb: triggers an action when a specified time occurs
• Trapdoor: allows unauthorized access to functionality
• Worm: propagates copies of itself through a network
• Rabbit: replicates itself without limit to exhaust a resource

Homes for Viruses
• Objectives (what a virus writer wants from a home):
 – Hard to detect
 – Hard to destroy or deactivate
 – Spreads infection widely
 – Can reinfect
 – Easy to create
 – Machine (and OS) independent
• Candidate homes:
 – Boot sector
 – Memory (resident code such as key handlers and error handlers)
 – Application program
 – Macro feature
 – Libraries: used by many programs

Cause and Effects [Pfleeger97]
Virus effect: how it is caused
• Attach to executable program: modify file directory; write to executable program
• Attach to data or control file: modify directory; rewrite data; append to data; append data to self
• Remain in memory: intercept interrupt by modifying the interrupt handler address table; load self in a nontransient memory area
• Infect disks: intercept interrupt; intercept OS system call (e.g., format disk); modify system file; modify ordinary executable program
• Conceal self: intercept system calls that would reveal identity and falsify the result; classify self as a "hidden" file
• Spread infection: infect boot sector; infect system program; infect ordinary program; infect data an ordinary program reads, to gain control
• Prevent deactivation: activate before the deactivating program and block deactivation; store a copy to reinfect after deactivation

How to Prevent Viruses
• Use only commercial SW from reliable, well-established vendors
• All new SW should be tested on an isolated computer:
 – Look for unexpected behavior
 – Scan for viruses
• Make a bootable diskette (store it safely):
 – Modify startup files on the diskette to use system files from the diskette (drivers, memory management SW, etc.)
• Create and retain backup copies of executable system files:
 – Enables a clean install after virus infection
• Use virus scanners regularly:
 – Multiple scanners are better than just one
 – Update regularly

Controls against Threats
• Peer reviews
• Good SE development practices:
 – Modularity: decompose task into subtasks
 – Encapsulation: minimize coupling between modules
 – Information hiding: modules have limited effects on other modules
• Independent testing
• Configuration management:
 – Changes are monitored carefully (protects from unintentional threats)
 – Once a reviewed program is accepted, programmers cannot covertly make changes, such as trapdoors (protects from malicious threats)
• Proofs of program correctness
• Process improvement:
 – CMM
 – Standards (e.g., 2167A, ISO 9000)

Trusted Operating Systems

We will cover
• Memory protection
• File protection
• General object access control
• User authentication

Protected Objects
• Multiprogramming required protection for:
 – Memory
 – Sharable I/O devices (e.g., disks)
 – Serially reusable devices (e.g., printers, tape drives)
 – Sharable programs and subprocedures
 – Sharable data

Security Methods
• Physical separation:
 – Processes use different physical objects (e.g., separate printers)
• Temporal separation:
 – Processes with different security requirements execute at different TIMES
• Logical separation:
 – Users operate within their own "domain"
 – OS constrains program access to permitted parts
• Cryptographic separation:
 – Processes conceal data and computations from outsiders

Memory Protection
• Fences:
 – Protected sections of memory
 – Designed for single-user systems
 – Facilitate relocation (logical vs physical addresses)
• Base/bounds registers:
 – Base register: a variable fence register; lower bound for addresses
 – Bounds register: upper address limit
 – Supports multiple users: each user has its own values for the base and bounds registers
 – Context switch: OS updates the base/bounds registers
 – Can have 2 pairs of base/bounds:
  • One for executable programs
  • One for data

Memory Protection (cont'd)
• Tagged architecture:
 – Some number of extra bits used to indicate access (read-only, execute-only, write)
 – Adjacent locations can have different accesses
 – Separates different classes of data (numeric, char, address/pointer)
 – Only used for a few systems:
  • Burroughs B6500-7500 uses 3 tag bits to separate data words, descriptors (pointers), and control words (stack pointers and addressing control words)
  • IBM System/38: tag bits for integrity and access
 – Challenge is compatibility of code:
  • Legacy OS systems
  • Cheaper memory will make this more feasible

Memory Protection: Segmentation
• Divide the program into logical pieces (data, code for 1 procedure)
• Solution to needing an unbounded number of base/bounds registers with different access rights
• Each segment has a unique name:
 – A code or data item has address <name, offset>
• For efficiency:
 – Each process has a segment address table
• Benefits:
 – Each address reference is checked for protection
 – Different classes of data have different types of protection
• Weaknesses:
 – Efficiency of encoding segment names
 – Fragmentation of memory
[Figure: segmented address resolution. A process with segments MAIN, SEG_A, SUB and DATA_SEG executes FETCH <DATA_SEG,20> in MAIN; the reference is resolved through the process's segment address table (entries for MAIN, SEG_A, SUB, DATA_SEG) to the segment's physical location.]
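The base/bounds check and the segment address table from the two memory-protection slides above, as an added C example that is not part of the lecture: every logical address <name, offset> is relocated by the segment's base, rejected if the offset reaches the bounds (segment length), and rejected if the requested access is not among the segment's rights. The segment names mirror the slide's figure; the base addresses, lengths and rights are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Access classes a segment-table entry can grant (read-only, execute-only,
   write, or combinations), as on the tagged-architecture slide. */
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };

/* One segment-table entry: the segment name, its physical base, its length
   (the bounds) and the access rights it carries. */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t length;
    unsigned rights;
} segment_t;

/* Constructed per-process segment address table. The segment names follow
   the slide's figure (MAIN, SEG_A, SUB, DATA_SEG); bases, lengths and rights
   are assumed values chosen for the example. Code segments are read/execute,
   the data segment is read/write. */
static const segment_t seg_table[] = {
    { "MAIN",     0x1000, 0x0400, ACC_READ | ACC_EXEC },
    { "SEG_A",    0x2000, 0x0200, ACC_READ | ACC_EXEC },
    { "SUB",      0x3000, 0x0100, ACC_READ | ACC_EXEC },
    { "DATA_SEG", 0x4000, 0x0080, ACC_READ | ACC_WRITE },
};
#define SEG_COUNT (sizeof seg_table / sizeof seg_table[0])

/* Resolve <name, offset> for a given access class, as the hardware would on
   every reference. Returns true and stores the physical address in *phys on
   success; returns false (leaving *phys untouched) when the segment is
   unknown, the offset is outside the bounds, or the access is not permitted. */
bool translate(const char *name, uint32_t offset, unsigned access, uint32_t *phys)
{
    for (size_t i = 0; i < SEG_COUNT; i++) {
        const segment_t *s = &seg_table[i];
        if (strcmp(s->name, name) != 0)
            continue;
        if (offset >= s->length)              /* bounds-register check */
            return false;
        if ((s->rights & access) != access)   /* per-segment access check */
            return false;
        *phys = s->base + offset;             /* base-register relocation */
        return true;
    }
    return false;                             /* no such segment in this process */
}
```

With this table the slide's FETCH <DATA_SEG,20> resolves to 0x4014, while an offset of 0x80 into DATA_SEG (one past the bounds) or a write into MAIN is refused before any memory is touched.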