Lecture 17. Security and privacy (Winter, 2015)

Lecture 17. Security and Privacy

By: Lai Chen

Adversarial computing is a big topic in computer system design. Recent examples:

  • Sony Hack(Nov. 2014)
  • Supreme Council on Virtual Space (2012-03-01 attack on BBC)

    • Two Major Areas to Worry about

  • 1. attacks via force: someone breaks into Boelter Hall and sabotages the servers

    • Sometimes has a connection with O.S. That is, the O.S. has a physical lock associated with it. Examples include fingerprint detection and iris verification.

  • 2. attacks via fraud: a hacker pretends to be the administrator

    • O.S. security mostly worries about this.

    Main Forms of Attacks

  • 1. attacks against privacy (unauthorized user information)

    • The attacker snoops private information such as payrolls, grades etc.

  • 2. attacks against integrity (tempering with other people's data)

    • The attacker maliciously modifies other people's data without even knowing what they are .

  • 3. attacks against service (denial of service)

    • A typical example is to send a large file that the server's buffer cannot handle.

    General Goals

  • 1. to disallow unauthorized access

    • This directly deals with attack 1 and 2. This is relatively hard due to the considerable amount of potential security holes.

  • 2. to allow authorized access

    • This is relatively easy.

  • 3. efficiency

    • The security setting does not affect the performance of the underlying system too much. This is also relatively easy


    How to test for goal #1?

    1. try to do unauthorized access via malformed data
        This is impractical.
    2. hire tiger team, a team of hackers dedicated to break into your system
        Expensive!
    3. Threat modeling & Classification
    ( prioritize the bugs: what are the most likely adversaries? )
            a. insiders
                i. how much we trust them?
                ii. what could they do?
            b. social engineering (K. Mitnick)
                i. an outsider pretends to be an insider
            c. Network attacks
                i. virus
                ii. drive by downloads
            d. device attacks
                  i.usb virus


    O.S. General Security-related primitives

        1. Authentication : checks user identity
            e.g. password
        2. Intergrity: checks the form the data is supposed to be vs. they being tempered
            e.g. checksum
        3. Authorization: checks for permission
            e.g. permission bits in files in linx file system
        4. Auditing : records accesses; detect someone being an imposter
            e.g. login records
        5. Correctness: original OS must work
        6. Efficiency : original OS must work quickly
               
           

    How to do Authentication?

        1. Based on what you know:
         password
        2. Based on what you have :
        secure ID: synced with the server
        3. Based on who you are:
        biometric ID: thumb prints; iris readers
       
        Put togerther: multifactor authentication
       

    Attacks on Authentication and Defenses

        1. guessing : set time limits; use tough passwords; use captchas 
        2. fraudulent servers :  use certificates
           

    External Authentication: expensive

        Analogy: guard at entrypoint when you enter a military base
        In o.s.: ssh key exchange

    Internal Authentication: cheap

        Analogy the badge that guard gives you.
        In o.s.: open ("foo", O_RDONLY)
                    O_RDONLY is the "badge" used internally in o.s. to grant access to read a file.
       
       

    Authorization:  methods of acessing resources

        1. Direct : map into address space
            e.g. mmap
            + fast
            -hardware must support access restrictions you care about
            e.g. memory-mapped graphics buffer
                char screen[1024*1024*3];  // the buffer
                screen[10231]=12; //change collor
            -not flexible!!
            -hard to revoke access (need to un-authorize the entire address space)
       
        2. Indirect: give the app a handle that's opaque (can be used by  system calls but the app cannot invoke directly)
            +flexible
            +easy to revoke access
           
           

    The three dimensional array:


    users(principals)
    resources (files)
    operations (rwx)

    e.g. 10^4 users, 10^7 files, 4 operations. total 4^10^11 bits = 46.5661 GiB
    2 Ways to represent compactly and efficiently
        1. Access control lists (ACLs) : asscociated with ACL
            e.g. /home/mike has an ACL: root, mike rwx; others r-x
            e.g. unix : users    group   other
            e.g. more general (Linux) setfacl getfacl: gives user ability to set up groups
        2. Capabilities: recorded with principals (processes)
            each shell running on a user's behalf collect a set of capabillities
            e.g. Linux:
                fd = open('foo',...)
                chmod("foo",0000);
                read(fd,buf,..)  //works
                //fd is actually a capabillity
               
                // this could be a security fault: fd held by attacker



    Trusted Computing Base (Kerckhoff Design Principle)

    Minimize what needs to be secret.
    Keys must be secret but nothing else must be

    Reflections on Trusting Trust
    login.c
    if (strcmp(user,"")==0)
        uid=0;
       
    gcc.c
    if compiling "login.c", insert security hole
    if compiling "gcc.c", insert security hole