DOC PREVIEW
U of I CS 241 - System Programming Security

This preview shows page 1-2-3-4-5 out of 16 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

CS241 System ProgrammingSecurityContentAdministrativeTotal Approach to SecurityInternal Threats/SecurityInternal ThreatsIntrudersAttacks from Inside of the SystemInside AttacksVirusInternet WormUser AuthenticationPasswordsHow Crackers Break-in?Protect Your PasswordsSummary (General Design Principles of Security)CS241 System ProgrammingSecurity Klara NahrstedtLecture 263/29/20063/30/2006CS 241 - System Programming, Klara Nahrstedt2Content z Security Environmentz Generic Security Attacksz User Identification and Biometricsz Design Principles3/30/2006CS 241 - System Programming, Klara Nahrstedt3Administrative z MP3 is posted, due April 3, 2006z Quiz 7 is March 31, 2006z Material covered in Quiz 7– R&R Chapter 4 and Chapter 5– Tanenbaum 5.33/30/2006CS 241 - System Programming, Klara Nahrstedt4Total Approach to Security z External Security z User Interface Security -- Establishing user identification and access rights. z Internal Security -- Controls built into the hardware and software to ensure: – Reliable and uncorrupted operation of the system. – Integrity of programs and data3/30/2006CS 241 - System Programming, Klara Nahrstedt5Internal Threats/Security z Data Confidentiality– have secret data remain secret. z Data Integrity– unauthorized used should not be able modify any data without the owner's permission. z System Availability– nobody can disturb the system to make it unusable (e.g., make sure that denial of service does not occur). z Privacy– the system protects individuals from misuse of information z The security system needs to protect against – intruders (adversaries)– accidental data loss3/30/2006CS 241 - System Programming, Klara Nahrstedt6Internal Threatsz Security goals and threats3/30/2006CS 241 - System Programming, Klara Nahrstedt7Intrudersz Common Categories– Casual prying by non-technical users– Snooping by insiders– Determined attempt to make money– Commercial or military espionage3/30/2006CS 241 - System Programming, Klara Nahrstedt8Attacks from Inside of the System z Trojan Horse– seemingly innocent program contains code to perform an unexpected and undesirable function. z Examples– Modifying, deleting or encrypting the user file; copying them into a place where cracker can retrieve them later, or even sending them to the cracker via email of FTP. z One approach to do this is to place the program as a free, exciting new game, MP3 viewer, or something that attracts attention. z The Trojan horse approach does not require the user to break into the computer.3/30/2006CS 241 - System Programming, Klara Nahrstedt9Inside Attacks z Login Spoofing– attacker writes a false login program that displays on the screen login prompt. This program asks for name, password, user types in login name and password. The false information is written to a file and the phony login program sends a signal to kill the shell. This action logs the attacker out and triggers the real login program. The user assumes that he/she wrote the wrong password and repeats the steps. z Logic Bombs– build in bad behavior (e.g., erase a disk) into operating system if certain action is not taken. For example, as long the programmer feeds in a password every day, the behavior is not visible. When a programmer is fired, the password is not given and the bad behavior is triggered. z Trap Doors– code is inserted into the system by the system programmer to bypass some normal check. For example, a login program could be written which allows a user to login independent of what password he/she types. The trap-door bypasses the whole authentication process.z Viruses and Worms3/30/2006CS 241 - System Programming, Klara Nahrstedt10Virus z Virus is – Malware– piece of code that can reproduce itself by attaching a copy of itself to another programz Virus – Can cause Denial of Service (DOS) attack – Can cause Distributed Denial of Service (DDOS) attack– Can cause permanently damaged hardware3/30/2006CS 241 - System Programming, Klara Nahrstedt11Internet Wormz Free-standing program designed to travel between systems for some particular purpose. z Consisted of two programs– bootstrap to upload worm– the worm itselfz Worm first hid its existencez Next replicated itself on new machines3/30/2006CS 241 - System Programming, Klara Nahrstedt12User Authentication z User Attributes: Something about the person -- e.g., fingerprints, voice-prints, photographs, signatures. z User Possession: Something possessed by the person -- e.g., badges, id cards, keys. z User Knowledge: Something known by the person -- e.g., passwords, lock combinations, mother-in-law's maiden name.3/30/2006CS 241 - System Programming, Klara Nahrstedt13Passwords z People tend to choose easy-to-remember passwords, which are also easy to guess. z Short passwords can be guessed by repeated trials of all possibilities. z Passwords that are too long prompt people to write them down, which risks compromise by loss or theft of the note. z The best passwords are of length 6-10 chars. z Avoid words that are in a dictionary. z Passwords made up of nonsense syllables are almost as secure as those made up of randomly chosen characters, but are easier to remember.3/30/2006CS 241 - System Programming, Klara Nahrstedt14How Crackers Break-in?z Password guessing– crackers compile potential common words as passwords, and use them to login. z War dialers– dial telephone numbers and detect if security is in place (some PC systems don't have passwords). z Weak root passwordz Script kiddies– scripts found on the Internet, use brute force attacks to exploit bugs in specific programs.3/30/2006CS 241 - System Programming, Klara Nahrstedt15Protect Your Passwordsz One-way encrypt the password file– UNIX designers are so confident of their one-way encryption scheme that the UNIX password file is ``read permitted'' to all users.z Encourage uses to change passwords oftenz Limit the number of attempts to enter a password. z The standard way to crack UNIX encryption – copy the password file to another machine– try encrypting the dictionary, permutations of common words, wife names, telephone numbers and comparing it against the password file contents. z ``Salt'' technique (by Morris and Thompson):– associate an n-bit random number, called the salt, with each password. The random number is changed whenever the password is changed.3/30/2006CS 241 - System Programming, Klara Nahrstedt16Summary (General Design Principles of


View Full Document

U of I CS 241 - System Programming Security

Documents in this Course
Process

Process

28 pages

Files

Files

37 pages

File I/O

File I/O

52 pages

C Basics

C Basics

69 pages

Memory

Memory

23 pages

Threads

Threads

14 pages

Lecture

Lecture

55 pages

C Basics

C Basics

24 pages

Signals

Signals

27 pages

Memory

Memory

45 pages

Threads

Threads

47 pages

Threads

Threads

28 pages

LECTURE

LECTURE

45 pages

Threads

Threads

30 pages

Threads

Threads

55 pages

Files

Files

37 pages

SIGNALS

SIGNALS

22 pages

Files

Files

37 pages

Threads

Threads

14 pages

Threads

Threads

13 pages

Load more
Download System Programming Security
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view System Programming Security and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view System Programming Security 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?