Duke CPS 110 - General security

This preview shows page 1-2-3-20-21-40-41-42 out of 42 pages.


Outline (slide titles): CPS110: General security; Intro: general security; Security abstractions; Building up from the hardware; Slide 5; Authentication: who are you?; Password authentication; Cryptographic hashes; Slide 9; Weak passwords; Slide 11; Slide 12; Physical token authentication; Biometric authentication; Real-world authentication; Authorization: what can you do?; Access control lists; Slide 18; Frighteningly common; Slide 20; Data breach; What to do?; Identifying sensitive files; Slide 24; Download entropy scores; Capabilities; Slide 27; Slide 28; Revocation; Dealing with security; Reducing the trusted base; Common attacks; Hidden channels; Hidden channels: tenex; Buffer overflow; Trojan horse; Why security is so hard; Login backdoor; Conficker; Conficker and DNS; Slide 41; Coming up

CPS110: General security
Landon Cox

Intro: general security
- Hardware reality
  - Processor, memory, disks, NIC
  - Components can be used by anyone
- OS abstraction
  - Controlled access to hardware

Security abstractions
- What HW primitives exist for access control?
  - Processor mode bit (kernel/user mode)
  - Protected instructions (I/O instructions, halt)
  - Protected data (page tables, interrupt vector)
- Want to build two abstractions on these
  - Identity (authentication): Who are you?
  - Security policy (authorization): What are you allowed to do?

Building up from the hardware
- One of the themes of this class
- Threads
  - Atomic test&set, interrupt enable/disable
- Transactions
  - Single disk sector write
- Reliable communication
  - Atomic packet send

Building up from the hardware
- Already built on top of HW security primitives
- Secure sharing of physical memory
  - Use protection between address spaces (fault on unauthorized access)
- Secure sharing of kernel services
  - Use system calls to safely transition to privileged mode (trap after syscall instruction)

Authentication: who are you?
- Prove your identity to the OS
- Many ways to authenticate
  1. Passwords
  2. Physical tokens
  3. Biometrics

Password authentication
- Password
  - Shared secret between you and the OS
  - Several weaknesses
- How should we store passwords?
  - Cryptographic hashes (MD5, SHA)
  - Hashes are one-way functions
  - Check that hash(input) = hash(password)

Cryptographic hashes
- Infeasible to reverse (even for the system!)
  - I.e. cannot compute plaintext from digest
- Collision-resistant hash function
  - Probability (collision) < probability (HW error)
- Extremely useful tool in lots of domains
  - Can be used as a shorthand for naming objects (e.g. files)
[Figure: SHA1 hash; labels: "Arbitrarily large", "160 bits", “Hash digest”]

Password authentication
- What’s the weakest link in password systems? People!
- People choose short passwords (brute force attacks take less time)
- People choose easy-to-remember passwords (narrows the search space: dictionary attack)
- People choose the same password for everything (break the weakest web site, gain access to the strongest)
- How could you use cryptographic hashes to solve this?
  - User remembers one password, system sends Hash(pass + site name)

Weak passwords
- Consider an 8-character password
  - 256^8 possible passwords
  - 2^64 ~ 16 * billion * billion
- If you only choose lower-case letters
  - 26^8 ~ 200 billion
- If you choose a word from the dictionary
  - 320,000 words in Webster’s unabridged
  - 1000/second -> find a password in 5 minutes
- Researchers ran an attack on Michigan passwords
  - Recovered thousands; some of the most popular: “beer”, “hockey”
- Similar result at Berkeley CS in the 80s: “gandolph”

Physical token authentication
- Require something physical
  - E.g. a ticket to a dance performance
- What if your token is stolen/forged?
- Require a physical token + password
  - E.g. your ATM card + PIN

Biometric authentication
- Essentially a physical token
  - One that should be hard to steal/forge
- Examples
  - Thumbprint, retina scan, signature
- Most have accuracy problems
  - False positives (accept invalid person)
  - False negatives (reject valid person)

Real-world authentication
- How to authenticate to your credit card company?
  - Give them your social security number
  - They ask over the phone and check
- How is this vulnerable?
  - Company has my SSN, so they can pretend to be me (or someone who breaks into them can pretend to be me)
  - Phone line snoop can pretend to be me

Authorization: what can you do?
- Fundamental structure
  - Access control matrix
  - Rows = authentication domains
  - Columns = objects
- Two approaches to storing data: Access control lists and capabilities

          File 1   File 2   File 3
  User 1  RW       RW       RW
  User 2  --       R        RW

Access control lists
- Standard for file systems
- At each object
  - Store who can access the object
  - Store how the object can be accessed
- On each access
  - Check that the user has proper permissions
- Use groups to make things more convenient
  - E.g. forbes, chase, and lpcox are all in group “prof”

Access control lists
- How can you defeat ACL authorization?
  - Villain convinces the OS it is someone else
- Example
  - Sendmail runs as root (full privileges)
  - Attacker compromises sendmail process
  - Can now run arbitrary code under root ID
  - This is what you will be doing in Project 3
- What if you get the ACL wrong?

Frighteningly common
- “Usability and privacy: a study of Kazaa…”
  - Good and Krekelberg, SigCHI 2003
  - In 12 hours, found 150 inboxes on Kazaa
  - Observed people downloading them
- Many other examples: web, NFS, etc
- People don’t understand software interactions
- Affects even diligent users …

Data breach
[Figure: Alice, Bob, Snoop]
Despite her best efforts, Alice’s data is only as secure as her least competent confidant.

What to do?
- Two goals
  1. Identify sensitive files
  2. Infer who is allowed to view them
- Many more constraints
  1. Don’t impact performance
  2. Don’t bother the user
  3. Remain backwards-compatible

Identifying sensitive files
- Approach: identify the common case
- I download sensitive docs from many sources
  [Figure label: mail.cs.duke.edu]
- What do the examples have in common? Encryption!

Identifying sensitive files
- Approach: identify the common case
- I download sensitive docs from many sources
- Insight: data is often encrypted for a reason
  - In our examples, servers allow clients to cache sensitive files
  - To protect those files in the network, communication is encrypted
- How can we tell if network communication is encrypted?
  - Use the port (e.g., 443 is used for HTTPS)
  - Ciphertext exhibits high “entropy” or randomness
  - Entropy = information density, measured in bits/byte
  - Can inexpensively measure the entropy of every socket
  - If data stream exhibits high
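
The per-socket entropy measurement described on the "Identifying sensitive files" slide, as an added example that is not code from the lecture. The class and function names, the 7.5 bits/byte threshold, the 1024-byte minimum, and both sample streams are assumptions made for illustration; os.urandom stands in for real ciphertext.

```python
import math
import os


class SocketEntropyMeter:
    """Running byte histogram for one socket; cheap to update on every read."""

    def __init__(self) -> None:
        self.counts = [0] * 256
        self.total = 0

    def update(self, chunk: bytes) -> None:
        for b in chunk:
            self.counts[b] += 1
        self.total += len(chunk)

    def entropy(self) -> float:
        """Shannon entropy in bits/byte: 0.0 (constant) up to 8.0 (uniform)."""
        if self.total == 0:
            return 0.0
        h = 0.0
        for c in self.counts:
            if c:
                p = c / self.total
                h -= p * math.log2(p)
        return h

    def looks_encrypted(self, threshold: float = 7.5, min_bytes: int = 1024) -> bool:
        # Assumed cut-offs: a short stream cannot fill the histogram, so its
        # estimate is biased low and is not classified at all.
        return self.total >= min_bytes and self.entropy() >= threshold


def measure(chunks) -> SocketEntropyMeter:
    """Feed an iterable of byte chunks (one per socket read) into a meter."""
    meter = SocketEntropyMeter()
    for chunk in chunks:
        meter.update(chunk)
    return meter


# Constructed sample streams, not captured traffic.
PLAINTEXT = [b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"] * 200
CIPHERTEXT_LIKE = [os.urandom(4096) for _ in range(4)]  # stand-in for ciphertext

if __name__ == "__main__":
    for name, stream in (("plaintext", PLAINTEXT), ("ciphertext-like", CIPHERTEXT_LIKE)):
        m = measure(stream)
        print(f"{name:16s} {m.entropy():.2f} bits/byte  encrypted={m.looks_encrypted()}")
```

Compressed data also scores close to 8 bits/byte, so a high reading alone does not prove encryption; the port check from the same slide is a useful second signal.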
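
The "Hash(pass + site name)" idea from the second "Password authentication" slide, as an added example that is not code from the lecture. It goes beyond the slide by also showing a variant that uses PBKDF2 with the site name as salt; the function names, iteration count, output length and sample passwords are assumptions chosen for illustration.

```python
import base64
import hashlib


def naive_site_password(master: str, site: str) -> str:
    """The slide's scheme taken literally: Hash(pass + site name), with SHA-256."""
    return hashlib.sha256((master + site).encode("utf-8")).hexdigest()


def site_password(master: str, site: str, iterations: int = 200_000) -> str:
    """Same idea with a slow KDF and the site name as a separate salt input.

    Keeping the master password and the site name in separate arguments removes
    the boundary ambiguity of plain concatenation, and the iteration count
    (an assumed value) slows offline guessing of the master password if one
    site's derived password leaks.
    """
    salt = site.strip().lower().encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=15)
    return base64.urlsafe_b64encode(key).decode("ascii")  # 15 bytes -> 20 chars


if __name__ == "__main__":
    master = "one long master passphrase"  # constructed sample value
    for site in ("bank.test", "forum.test"):
        print(site, site_password(master, site))

    # Concatenation cannot tell where the password ends and the site begins:
    # these two different (password, site) pairs hash the same string.
    print(naive_site_password("hunter2", "bank.test")
          == naive_site_password("hunter", "2bank.test"))   # True
    print(site_password("hunter2", "bank.test")
          == site_password("hunter", "2bank.test"))         # False
```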

