Lecture 16:Lecture 16:SecuritySecurityCSE 120: Principles of Operating SystemsAlex C. SnoerenHW 4 due 11/29CSE 120 – Lecture 162SecuritySecurity Computer Security◆ Techniques for computing in the presence of adversaries◆ Three categories of security goals» Confidentiality: preventing unauthorized release of info» Integrity: preventing unauthorized modification of info» Availability: preventing denial of service attacks◆ Protection is about providing all three on a single machine» Usually considered the responsibility of the OS» Could also be runtime (e.g., verification in JVM) Cryptography◆ Techniques for communicating in the presence of adversariesCSE 120 – Lecture 163Trusted Computing Base (TCB)Trusted Computing Base (TCB) Think carefully about what you trust with your data◆ If you type your password on a keyboard, you’re trusting» The keyboard manufacturer» Your computer manufacturer» Your OS» The password library» The application that is checking the password◆ TCB = set of components (hardware, software, people) thatyou trust your secrets with Public Web kiosks should not be in your TCB◆ Should your OS? (Think about IE and ActiveX)CSE 120 – Lecture 164““Reflections on Trusting TrustReflections on Trusting Trust”” UNIX program called “login” authenticates users◆ Users enter their account name, password◆ Program checks password against password database◆ What could go wrong? Why would administrator trust login program?◆ Inspect source code, verify what it does◆ I.e., no ‘backdoors’ that allowed unexpected access◆ Is the program safe? NO. Trusted computing base includes compiler◆ Ken Thompson put backdoor in original UNIX login◆ Hacked the C compiler to hide his tracksCSE 120 – Lecture 165Cryptography can bridge Cryptography can bridge TCBsTCBs Enables communication between trusted parties◆ Even (especially) in the face of untrusted eavesdroppers◆ Allows systems to expand their trusted computing base Three main goals:◆ Authentication: verify the identity of the communicating party» Distinct from authorization (e.g., ACLs, capabilities)◆ Integrity: verify the message arrives as sender intended◆ Confidentiality: only recipient can read message» This is NOT the same as integrity; can have one without theother. Implemented with a wide family of mechanisms◆ Rely on some form of “key” or secret; some shared, some notCSE 120 – Lecture 166Basic Cryptographic OperationsBasic Cryptographic Operations Encryption & Decryption◆ Given a message and a secret key, create a cyphertext◆ The cyphertext should only be able to be understood by someonewho uses a decryption key to decrypt it◆ Goal is that cyphertext is confidential Authentication◆ Given an a message and the identity of a party, verify that themessage was indeed sent by the specified party◆ Also, ensure that the message has not been modified (or duplicated)◆ Messages are typically signed by the sender Main design point is whether secret keys are shared◆ Symmetric (fast, cheap) vs Public/Private key pair (easy distribute)CSE 120 – Lecture 167Design PrinciplesDesign Principles Security is much, much more than just crypto◆ Crypto is a crucial mechanism for security, but is not a panacea◆ If there is a fundamental flaw in the design of the system, thenall of the crypto in the world won’t help you◆ It is usually easier to find a bug in an implementation thancircumvent a crypto system Unfortunately, systems design is still as much an art asit is a science◆ But, decades of building systems the wrong way have helped uscollect some learned wisdom◆ We’ll cover some in the rest of this part of the lectureCSE 120 – Lecture 168Principle of Least PrivilegePrinciple of Least Privilege Figure out exactly which capabilities a program needsto run, and grant it only those◆ Not always easy, but one algorithm: start with granting none,run and see where it breaks, add new privileges, repeat Unix◆ Good example: Should not normally run as root to preventagainst accidents◆ Bad example: Some programs run as root just to get a smallprivilege, such as using a port < 1024 (privileged port)» E.g., ftpd» Exploit these programs, and you get root access to systemCSE 120 – Lecture 169Counter Example: Counter Example: wu-ftpdwu-ftpd wu-ftpd tries to run with least privilege◆ But occasionally tries to elevate its privilege with:seteuid(0);// privileged critical section runs hereseteuid(getuid()); However, wu-ftpd does not disable Unix signals◆ wu-ftpd doesn’t relinquish privileges after signal handler◆ While in critical section, can be “tractor-beamed” away to a signalhandler» Does not return to original control flow Remote user can cause a signal handler to run by terminating adownload in midstream!◆ But need to catch wu-ftpd in the critical section◆ Result: Can abort a download and then use wu-ftpd as rootCSE 120 – Lecture 1610Least-Common MechanismLeast-Common Mechanism Be very careful integrating shared or reused code◆ Assumptions made may no longer be valid in current context Couter example: Outlook and Internet Explorer◆ Windows exports an API to IE’s HTML rendering code» Outlook and other programs use this to display HTML in email» By default, JavaScript and Java parsing are enabled◆ HTML rendering code knows Java(Script) is unsafe» Disables it when JavaScript is downloaded from Internet» Only enables it when loaded from trusted sources Your own file system is trusted◆ But…email is spooled on disk. D’oh!CSE 120 – Lecture 1611Complete MediationComplete Mediation Check every access to every object◆ Of course, this introduces overhead◆ So, implementers try to get away with less (caching)◆ But only when nothing relevant in environment has changed Counter example: NFS and file handles◆ Client contacts remote “mountd” to get a file handle to aremotely exported NFS file system» Remote mountd checks access control at mount time◆ File handle is a capability: client presents it to read/write file» Client responsible for enforcing per-file restrictions◆ An eavesdropper can sniff file handle and access file systemCSE 120 – Lecture 1612Time-of-Check-to-time-of-UseTime-of-Check-to-time-of-Use Complete mediation gets even tougher with multiprogramming◆ Attacker can execute concurrently with TCB◆ Improper
View Full Document