Lecture 17 12/2/2013
Trevor Humphreys
Media Faults (SSD, Disk, and other media failing)
A media fault is when the hard disk or SSD itself dies.
We want reliable crashes in case of power failure:
- Disk doesn't lose any data except for the block write in progress
- Disk will work on restart
- No wrong data written, just lose the block in progress
How we can accomplish this:
- Battery backup for the system:
  - Extra power in case of a power outage, to handle it if the power dies
  - Need to replace batteries constantly.
  - Reliability problem
- Journaling and commit records:
  - Keep track of everything written to disk so we can reset
  - What if the record is corrupted? The cell data may be corrupt
  - We could store the journal on a different disk... but that may fail too
  - This helps for power outages but not media faults.
The problem with both of these techniques is, while they are good ways to deal with the problem of power failure, they aren't designed to deal with true media failure.
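A small simulation of the journaling-with-commit-records idea above, added here as an example (it is not from the lecture). The "disk" is an in-memory dictionary, the journal is an append-only list, and the commit record carries a checksum over the transaction's data records, which is the check that answers "what if the record is corrupted?": a transaction whose commit record is missing (power died first) or does not verify is never applied to the disk.

```python
import hashlib

# Simulated block device (constructed for this example): block number -> 4-byte contents.
def new_disk(nblocks=8):
    return {b: b"\x00" * 4 for b in range(nblocks)}

def _digest(entries):
    # Checksum over a transaction's data records, stored in its commit record,
    # so a garbled or partially written commit record is detected on replay.
    h = hashlib.sha256()
    for blk, data in entries:
        h.update(blk.to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()

class Journal:
    """Write-ahead journal: data records first, then one commit record per transaction.
    The real disk blocks are only updated at replay, never directly."""
    def __init__(self):
        self.records = []   # append-only, in write order

    def write_transaction(self, writes, crash_before_commit=False):
        entries = []
        for blk, data in writes:
            self.records.append({"type": "data", "blk": blk, "data": data})
            entries.append((blk, data))
        if crash_before_commit:
            return   # simulated power loss: the commit record never lands
        self.records.append({"type": "commit", "sum": _digest(entries)})

def replay(journal, disk):
    """Recovery on restart. Applies a transaction only when its commit record is present
    and its checksum matches the data records before it; a trailing transaction with no
    commit record is dropped. Replay stops at the first bad commit record, because the
    journal beyond a corrupted record cannot be trusted. Returns the number applied."""
    applied = 0
    pending = []
    for rec in journal.records:
        if rec["type"] == "data":
            pending.append((rec["blk"], rec["data"]))
        elif rec["type"] == "commit":
            if rec["sum"] != _digest(pending):
                break
            for blk, data in pending:
                disk[blk] = data
            applied += 1
            pending = []
    return applied

if __name__ == "__main__":
    j, d = Journal(), new_disk()
    j.write_transaction([(1, b"AAAA"), (2, b"BBBB")])
    j.write_transaction([(3, b"CCCC")], crash_before_commit=True)
    print(replay(j, d), d[1], d[3])   # 1 b'AAAA' b'\x00\x00\x00\x00'
```

Note what the checksum does and does not buy: it protects against a torn or corrupted commit record, so the disk never ends up with half a transaction, but if the journal's own medium fails the journal is simply gone, which is the lecture's point that journaling handles power loss, not media faults.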
The best technique for dealing with media faults is redundancy
RAID (Redundant Arrays of Independent Disks)
Some example economics:
A 10TB drive costs say $1500.
A 1 TB drive costs say $80.
If you could buy 10 of the 1TB drives and combine them, it is almost half the price
Using RAID, we can configure multiple disks so users see only 1 drive.
This configuration is called concatenation. The Berkeley computer scientists invented a special disk driver to do this.
There is a performance problem with concatenation: access patterns dictate that a lot of the time one drive is doing all the work and the rest of the system just sits there (temporal locality.)
Because of this they came up with a different way of "gluing" drives together.
Instead of just laying out the data end to end, split all the different parts up among different drives. This is called block-level striping.
This gives much better performance because multiple disk arms can run at once.
A large problem: the reliability of these big drives is less than the reliability of small drives. If any of the small drives fail, the whole system will now fail.
Mirroring: all written data should be written to two separate physical disks. Each block gets written twice. This will halve our available storage space, but will greatly improve reliability.
We can add different schemes on top of each other.
Ex: Mirror at the bottom level, then stripe the level above that.
The different techniques are a tool kit for building a system that is large AND reliable AND quick.
Different types of RAID:
- RAID 0: Concatenation and striping without redundancy.
  - Better performance
  - Less reliability
  - Requires twice the power.
- RAID 1: Only mirroring.
  - Slightly slower write performance (have to write twice)
  - Better read performance (the closer disk arm can read the data)
  - Better reliability.
  - Takes twice the power.
  - Costs twice as much for the same amount of storage.
- RAID 4: Parity drive with concatenation. Given 5 disks:
  - The virtual disk is the first 4 disks (size n-1 drives.)
  - The final disk is the parity disk. Each block on the parity disk contains the XOR of the corresponding blocks on the other disks.
  - In this case a block on the parity disk contains A^B^C^D.
  - If one disk fails you can recover it with data from the other three disks and the XOR (parity) disk.
  - If the parity disk dies you can just recompute it.
  - If more than one disk dies, you are still going to lose data.
  - You can mirror the parity disk to increase the number of failed disks you can handle. (RAID 6)
- RAID 5: RAID 4 but uses striping instead of concatenation.
  - Parity is distributed evenly across the disks.
  - The idea is to avoid hotspots. In RAID 4 the parity drive is a hotspot -> it's always being written.
  - Advantages: fewer hotspots, so better performance.
  - Disadvantages: adding in more disks is difficult. You have to copy everything around.
  - The system realizes it has a new blank drive.
  - It starts to copy all the missing data onto the new drive. The time it spends doing this is called the recovery period.
  - If we try to access the system during this period it will be very slow. It could take hours to repair, and performance will be low this whole time.
  - What if another disk fails during the recovery period? Data is lost.
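The XOR parity of RAID 4 in working code, added as an example (not from the lecture), covering both the RAID 4 bullets and the RAID 5 hotspot point. The layout is assumed to be the one described above: data disks first, the parity disk last, one block per disk per stripe. It generalizes from the 4-data-disk case in the notes to any number of data disks, shows that a dead data disk and a dead parity disk are rebuilt by the same XOR, refuses to "rebuild" when two disks are gone, and shows why every small write lands on the parity disk.

```python
def xor_blocks(blocks):
    """XOR a list of equal-length blocks together; the XOR of all data blocks is the parity."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)

def compute_parity(data_blocks):
    # Assumed RAID 4 layout: disks 0..n-2 hold data, disk n-1 holds parity.
    return xor_blocks(data_blocks)

def rebuild(disks, failed):
    """disks: one block per disk, parity last, with None standing for a dead disk.
    failed: set of indices of dead disks. Returns a repaired copy, or raises when
    single parity cannot cover the failures."""
    if len(failed) > 1:
        raise ValueError("single parity tolerates only one failed disk; data is lost")
    repaired = list(disks)
    for f in failed:
        survivors = [d for i, d in enumerate(disks) if i != f]
        repaired[f] = xor_blocks(survivors)  # same formula for a data disk or the parity disk
    return repaired

def write_block(disks, idx, new_data):
    """Update one data block in place. New parity is P ^ old ^ new, so every write
    touches the parity disk: this is the RAID 4 hotspot that RAID 5 spreads around."""
    parity_idx = len(disks) - 1
    disks[parity_idx] = xor_blocks([disks[parity_idx], disks[idx], new_data])
    disks[idx] = new_data
    return disks

if __name__ == "__main__":
    A, B, C, D = b"\x01\x02", b"\x03\x04", b"\x05\x06", b"\x07\x08"   # constructed stripe
    disks = [A, B, C, D, compute_parity([A, B, C, D])]
    disks[1] = None                      # disk B dies
    print(rebuild(disks, {1})[1])        # b'\x03\x04'
```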
Disk failure rates: initially high (manufacturing defects), then low for long period, then begins to rise again.
RAID 4 systems have much better reliability early in the system's life and much worse reliability late in its life.
If you have someone around to do repairs it's great, because you can keep replacing parts and stay in the low-failure-rate region.
However, the odds of drives failing increase exponentially.
The overall reliability depends on the human factor, and also the recovery period.
- If the recovery period is 1 hour, the overall reliability approaches 100%.
- If the recovery period is 2 weeks, the system could easily fail.
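To put numbers on the two recovery-period bullets, here is a small model, added as an example and not part of the lecture. It assumes (an assumption of this example, not stated in the notes) independent disks with exponentially distributed lifetimes: while one disk is being rebuilt, each of the other n-1 disks fails within the recovery period T with probability 1 - exp(-T/MTTF), and the usual first-order mean-time-to-data-loss approximation for a single-parity array is MTTF^2 / (n (n-1) T). The disk count and MTTF are constructed inputs.

```python
import math

def p_loss_during_recovery(n_disks, mttf_hours, recovery_hours):
    """Probability that a second disk fails while the first one is being rebuilt
    (independent disks, exponential lifetimes: assumption of this example)."""
    survivors = n_disks - 1
    return 1.0 - math.exp(-survivors * recovery_hours / mttf_hours)

def mttdl_hours(n_disks, mttf_hours, recovery_hours):
    """Mean time to data loss for a single-parity array under the same model:
    MTTF^2 / (n (n-1) T). Shrinks linearly as the recovery period T grows."""
    return mttf_hours ** 2 / (n_disks * (n_disks - 1) * recovery_hours)

def compare(n_disks=10, mttf_hours=1_000_000, hours=(1, 24, 24 * 14)):
    """Rows of (recovery period in hours, P(loss during one repair), MTTDL in years)
    for constructed inputs: a 10-disk array with a 1,000,000-hour per-disk MTTF."""
    rows = []
    for t in hours:
        rows.append((t,
                     p_loss_during_recovery(n_disks, mttf_hours, t),
                     mttdl_hours(n_disks, mttf_hours, t) / (24 * 365)))
    return rows

if __name__ == "__main__":
    for t, p, years in compare():
        print(f"recovery {t:4d} h: P(loss during repair)={p:.2e}, MTTDL={years:.3g} years")
```

The model makes the lecture's point explicit: nothing about the disks changed between the 1-hour and the 2-week case, only how long the array sits with no redundancy, and that window is what the "human factor" (how fast somebody swaps the drive) controls.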
Network File Systems (NFS)
Ex: SUN ZFS Storage 7320 appliance
- 2x storage controllers
- 2x 10GbE adapters
- 8x 512GB SSD read accelerators (caches)
- 8x 736GB SSD write accelerators
- 136x 300GB 15,000 RPM disk drives
- ~37TB exported capacity.
Throughput: 134140 operations per second (avg 1.51msec response time.)
This means a proper NFS is 4-5x faster than a local disk and can handle a huge amount of requests.
NFS Security
What can go wrong with a network file system?
For one thing, permissions problems -- what if we're reading a file and another user makes it unreadable?
Traditionally, the client kernel deals with permissions for NFS files, just like regular files.
But this indicates a security problem: you must trust the client kernel.
An attacker with a bad client can give a fake user id and get access to other files. Ways to deal with this:
- Use physical protection. Run all client kernels in a physically secure room.
  - Most NFS traffic in the world is sent over private networks like this.
  - This has the best performance because no encryption is needed.
- Virtual private networks (VPNs). Set up keys on every trusted machine; then use them to set up a virtual sub-network across the internet.
  - If you send encrypted, authenticated packets you basically reproduce physical protection.
  - But something like SEASnet can't use this method. There are thousands of connections, and all must be trusted.
- Individual authentication.
  - Each client-server request must contain more info than just the user id.
  - NFSv4 specifies Kerberos tickets for this.
  - Not used very much in the real world.
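A toy model of the trust problem just described, added as an example (not from the lecture). The first server, in the traditional style, believes whatever uid the request carries, so its access check is only as good as the client kernel that filled in that field. The second server requires each request to carry a per-request credential; here that is an HMAC under a key shared only by the server and an authentication service, a stand-in of this example for the Kerberos tickets NFSv4 specifies (a real deployment uses Kerberos/RPCSEC_GSS, not this). The file table, uids and key are constructed.

```python
import hmac
import hashlib

# Constructed file table on the server: path -> (owner uid, mode bits, contents).
FILES = {
    "/home/alice/secret": (1001, 0o600, b"alice's private data"),
    "/home/bob/notes":    (1002, 0o644, b"bob's public notes"),
}

def permitted(uid, path):
    owner, mode, _ = FILES[path]
    return uid == owner or (mode & 0o004) != 0      # owner, or world-readable

# Style 1: the request carries whatever uid the client kernel asserts, and the server
# has nothing independent to check that uid against.
def serve_auth_sys(request):
    uid, path = request["uid"], request["path"]
    return FILES[path][2] if permitted(uid, path) else None

# Style 2: per-request credential. Assumed here as a stand-in for a Kerberos ticket:
# an HMAC under a key shared by the server and the authentication service only, never
# by client kernels, binding uid, path and a timestamp.
SERVER_KEY = b"constructed-key-shared-with-auth-service"
MAX_SKEW = 300    # seconds; older authenticators are refused to limit replay

def _authenticator(uid, path, ts):
    return hmac.new(SERVER_KEY, f"{uid}|{path}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_credential(uid, path, now):
    """Authentication-service side: only it and the server can produce this tag."""
    return {"uid": uid, "path": path, "ts": now, "tag": _authenticator(uid, path, now)}

def serve_authenticated(request, now):
    uid, path, ts, tag = request["uid"], request["path"], request["ts"], request["tag"]
    if abs(now - ts) > MAX_SKEW:
        return None                                  # stale or replayed
    if not hmac.compare_digest(_authenticator(uid, path, ts), tag):
        return None                                  # uid not backed by a credential
    return FILES[path][2] if permitted(uid, path) else None
```

The point is in the shape of the two servers, not the MAC: in the first, the permission check is correct but its input (the uid) comes from the party being checked, so the server's security is only that of the least trustworthy client kernel; in the second, the uid is accepted only when something the client cannot forge vouches for it, which is what "each request must contain more than just the user id" means.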
Security
What's the difference between traditional security and computer security?
Attacks via fraud are more of a problem than attacks via force.
DDoS attacks can take you offline, but at least you won't compromise data.
Main forms of attack:
- Against privacy (unauthorized data release)
- Against integrity (tampering with data)
- Against service (DDoS)
We want a system that disallows unauthorized service AND allows authorized access.
To keep out unauthorized users: Test with fake users, obviously bad clients, etc. But you won't really know if you are safe until your system is compromised.
To let in authorized users: A lot simpler, just make sure everyone can log in. They will tell you if they can't.
How to prepare against DDoS? Most of the time you don't. Ex: MyUCLA doesn't, because they are of the idea "who would DDoS us?"
Next Idea:
We have to think about threat modelling and classification.
Threats, ordered by severity:
- Insiders
  - Most common form of breach: authorized users doing things they shouldn't have.
- Social engineering (Mitnick)
  - Mitnick was a famous hacker who broke into systems by pretending to be a repairman.
  - Actually, smooth talkers getting into systems is a big problem.
- Network attacks
  - DDoS
  - Drive-by downloads (browser vulnerabilities)
  - Viruses
  - Phishing
- Device attacks
  - USB virus
  - etc.
General functions used for defence:
- Authentication
  - Passwords
  - RSA keys
- Integrity
  - Timestamps
  - Checksums
- Authorization
  - Access control lists
  - Root access
- Auditing
  - Keep a log of who changed the system and when