CS 111: Operating Systems - May 31st

Scripts by Xiao Liu and Sau Man Kwan

NFS Security

• Sever should be able to say no to requests
• Clients can go bad
  • If attacker can become any user (insider)
  • Client says "I'm root"
• In NFS, user 0 is mapped to "nobody"
  • Nobody has the lowest uid
  • Help a bit but does not solve the problem
• Bad NFS server(spoofing the read one)
• NFSv4 attempts to attack all those issues
  • Names, not numbers
  • More ACLs etc.
  • Authentication of clients and servers
  • Encryption of data
• Example of security issue
  • Flame virus
  • In March: DDoS(distributed denial of service)
  • Attack on BBC web
  • Part of Iranian effort to control info flow
  • Supreme council of virtual space

How to defense against attackers on security

• To think about this
  • Real-world security involves defense against 2 kinds of attacks
  • Force
  • Fraud
  • In the virtual world: Fraud
• Main forms of virtual fraud-based attack
  • Against privacy(unauthorized release of info) --- wikileaks
  • Against integrity(tempering with other's info) --- injection
  • Against service(denial of service)
• Main goals of defenders
  • Disallow unauthorized reads or writes
  • Harder to test, users won't tell about those problems
  • Allow authorized access

Threat Modeling and Classification

• Insiders
• Social engineering
  • "I forgot my password" case
• Network attacks
  • Driven by downloads(10% of websites)
  • Virus
  • DoS
• Device attack
  • USB virus

General Features Needed for Any Security Mechanism

• Authentication
• Integrity
• Authorization
• Auditing(for insider attacks)
• Correctness
• Efficiency

How to authenticate

• Based on something that the principal(person in charge)knows
• Passwords
• Problem: guessing password or snooping, people can forget password
• Based on something that the principad has
• RSA secure ID
• Problem: theft, loss
• Based on who the principal is
• Biometrics
  • Fingerprints
  • Eye balls
• Problem: faked, false negative
• All have bootstrapping(starting) problems
  • Have to trust underlying techniques to some extent
• External
  • Need password, tokens, biometrics
  • Possible attack
    • Brute force(guessing password)
    • Fraud server
  • Expensive, rare
• Internal
  • Reliable, cheap checks in system as you do accesses
  • Read(fd, buf, size) should fail if fd isn't open for read
  • Must be controlled by kernel
  • Can change uid via syscall

Network Authentication Building Blocks

• Crypographic hash function
  • SHA1(message)->160-bit hash
  • Knowing H doesn't help you to compute M feasible
• Symmetric encryption(triple-DES)(relatively fast)
  • Sender and receiver share a security key K
  • Given M,K -> easy to get encrypted version {M}^K
  • Given {M}^K,K -> easy to get M
  • Given {M}^K -> hard to get M or K
  • Major problem: bootstrapping, cant get K to the other party
• Asymmetric encryption(RSA)(relatively slow)
  • Given M,P -> easy to get encrypted version {M}^P
  • Given {M}^P,K -> easy to get M
  • Given {M}^P,P -> hard to get M
• Nonce-random integer generated
  • A->B {I'm Alice}^K
  • B->A {Nonce}^K
  • A->B {Nonce+1 transfer money}^K
    • Suppose attacker got a copy of this message and play it later to pretend to be one of them
    • B can set an expire time
• HMAC(hashed messaged authentication code)
  • K=shared key
  • SHA1((K XOR pad1)concat SHA2(K XOR pad2)concat M))
  • What if shared secrets are hard to maintain?
  • Use a public key system -> initial phrase
  • Recipient publishes -> public key(slow)
  • Sender creates a nonce K -> negotiate a public key