
Start of Lecture: March 31, 2014

Title text: We actually stand around the antivirus displays with the Mac users just waiting for someone to ask.

Chapter 15: Security 1 Reminders

• Hope you had fun with Bob and Jeeva!
• Exercise 5 is due this Wednesday
• Assignment 3 is due next Wednesday
• I will release a practice final soon
• Please check your marks on docsdb for any errors

Chapter 15: Security 2 Thought Questions

• What is the probability of deadlock? Does that increase or decrease with more cores?
  • Some results suggest that deadlock decreases as the number of resources increases, increases as the number of processes increases, and (unintuitively) increases if both resources and processes increase together:
    • http://dl.acm.org/citation.cfm?id=808054
    • http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.72.4304&rep=rep1&type=pdf
  • Not a well-understood problem; it needs much more research

Chapter 15: Security 3 Thought Questions

• Is there a technique that tackles both external and internal fragmentation? Which would you consider more detrimental to have happen?
  • Both are detrimental, though arguably external fragmentation builds up over time as processes terminate, whereas internal fragmentation is local to a process and gone when it terminates
  • Multiple page sizes get some of the best of both worlds, since there can be larger chunks (reducing the number of pages) and then smaller, finer-grained pages (reducing internal fragmentation)

Chapter 15: Security 4 Chapter 15: Security

CMPUT 379, Section B1, Winter 2014
March 31, April 2, April 4

Objectives

• Discuss goals of protection in modern systems
• Discuss security threats and attacks
• Explain fundamentals of , , hashing
• Examine the uses of cryptography in computing
• Describe various countermeasures to security attacks

Chapter 15: Security 6 Protection versus Security

• Errors in operation can be accidental or malicious
• The role of protection is to provide a mechanism to enforce policies on resource use (an internal problem)
  • e.g. restrict access to memory and corresponding variables, such as with locks on variables or permissions on files
• The role of security is to protect against threats/errors that arise from the external environment
  • e.g. the protection system is ineffective if user authentication is compromised

Chapter 15: Security 7 Protection Mechanisms

[Figure: a system with three protection domains D1, D2, D3. A domain is a set of access rights, each an <object, {rights}> pair; the pairs shown are <O3, {read, write}>, <O1, {execute}>, <O1, {read, write}>, <O2, {write}>, <O4, {print}>, <O3, {read}> and <O2, {execute}>.]

Access Matrix: entry Access(i, j) is the set of operations that domain Di may perform on object j

  object    F1           F2     F3           printer
  domain
  D1        read                read
  D2                                         print
  D3                     read   execute
  D4        read, write         read, write

Chapter 15: Security 8 The security problem

• Impossible to ensure resources are used and accessed as intended under all circumstances
• Intruders (crackers) attempt to breach security
• A threat is a potential security violation
• An attack is an attempt to breach security
• Attacks are accidental or malicious — it is easier to protect against accidental than against malicious misuse; protection against accidental misuse is mostly obtained through protection mechanisms

Chapter 15: Security 9 Security Violation Categories

• Breach of confidentiality — unauthorized reading of data
• Breach of integrity — unauthorized modification of data
• Breach of availability — unauthorized destruction of data
• Theft of service — unauthorized use of resources
• Denial of service (DOS) — prevention of legitimate use

Chapter 15: Security 10 Goal of the attacks

• Monetary gain
  • advertising
  • theft, e.g. a programmer embezzled money with intentional rounding errors to add the occasional half-cent to their own accounts
• Information gain
• Prove a point and/or (moral) attack on an organization
• Status and bragging rights

Chapter 15: Security 11 Advertising-Based attacks

• Goal of attackers not to debilitate the system or steal, but rather to make money through advertising

Chapter 15: Security 12 Security Violation Methods

• Masquerading (breach of authentication) — pretending to be an authorized user to escalate privileges
• Replay attack — intercept a message and replay it, possibly modified
• Man-in-the-middle attack — intruder sits in the data flow, masquerading as the sender to the receiver and vice versa
• Session hijacking — intercept an already-established session to bypass authentication

Chapter 15: Security 13 Examples of security violation

[Figure: three message flows between a sender and a receiver. Normal: communication goes directly from sender to receiver; the attacker is not involved. Masquerading: the attacker sends to the receiver while pretending to be the sender. Man-in-the-middle: the attacker sits between the two, receiving the sender's communication and forwarding its own to the receiver, posing as each party to the other.]

Chapter 15: Security 14 Security is critical for an OS

• Poor memory management can be slow/inconvenient, but security issues can be catastrophic
• Many critical events in OS history, such as
  • — attack that shut down Iran’s nuclear reactors, one of the first to bridge the virtual and real world and have physical impact
  • Heartland Payment Systems — 134 million credit cards exposed
  • Department of Veterans Affairs — info stolen on 26.5 million veterans, including Social Security numbers, dates of birth, disability ratings
• For a historical list: https://www.securelist.com/en/threats/vulnerabilities?chapter=40

Chapter 15: Security 15 Early breaches (e.g. Morris Worm)

https://www.youtube.com/watch?v=Qg4oNW2xAms

Chapter 15: Security 16 Security Measures

• Impossible to have absolute security, but make the cost to the perpetrator sufficiently high to deter most intruders
  • either prevent the attack or detect it so that countermeasures can be taken
• Security must occur at four levels to be effective:
  • Physical — data centres, servers, connected terminals, e.g. prevent physical damage from an intruder in a data centre
  • Human — dumpster diving, (e.g. email for confidential info)
  • Operating System — protection mechanisms, debugging
  • Network — intercepted communications, interruption, DOS
• Security is as weak as the weakest link in the chain

Chapter 15: Security 17 Many weak links due to trade-offs

• Convenience: could have multiple layers of authentication, to make it hard to compromise a system with just one password, but inconvenient for the user
• Access: could make access to data centres almost impossible, but then difficult for maintenance
• Flexibility: could more strictly protect programs from each other, but then inter-process communication is difficult
• Openness: internet not policed (yet? shiver), so sites and free can be a risk

Chapter 15: Security 18 Program Threats

• Many names for the variations of threats; the following names are most common
  • Trojan Horse
  • Trap Door
  • Logic Bomb
  • Stack and Buffer Overflow
  • Viruses

Chapter 15: Security 19 Trojan Horse

• Exploits mechanisms that allow a program written by a user to be executed as a different user with different permissions
• A code segment that is “hidden” inside other code; that code is then brought into another domain/environment with different permissions and attacks there
  • like the legendary Trojan horse used to compromise Troy

Chapter 15: Security 20 Examples of trojan horses

• Text editor that copies an opened file to a special area accessible to the creator of the text editor
• “.” in root’s path on Linux
• Emulator of the login program to steal passwords
• Spyware — often installed by being hidden in freeware/shareware, but also sometimes in commercial software
  • e.g. a spyware daemon constantly contacts a central site, obtains a spam message and delivers the message to the user
  • in 2010, it was estimated that 90% of spam was delivered by spyware daemons

Chapter 15: Security 21 Current working directory in path

• Idea is to trick root into running a script
• Assume root has put “.” at the start of their path
  • PATH=$PATH:$HOME/bin:.
• I, a non-root user, create a file named “cd” in some directory root has access to, with one simple command
  • rm -rf $1
• If root tries to “cd” anywhere from that directory, then my malicious “cd” will execute instead and delete the contents of the destination directory!
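Added example (not part of the lecture slides): a POSIX sh function that audits a PATH value for the entries that make this trick possible, namely “.”, an empty component (which shells also treat as the current directory), relative directories, and world-writable directories that any user could drop a look-alike command into. One caveat for the slide's scenario: POSIX shells resolve builtins such as cd before they search PATH, so this check is about commands that are external programs found via PATH.

```sh
#!/bin/sh
# audit_path "PATH_STRING"
# Prints one finding per line and returns 1 if any unsafe entry is found,
# 0 if the search path looks safe. Unsafe entries:
#   "."            current directory (the trick on the slide)
#   ""             empty component, e.g. "a::b" or a trailing ":",
#                  which POSIX shells also treat as the current directory
#   relative dir   anything not starting with "/" resolves against the cwd
#   world-writable absolute dir that any user can write into
audit_path() {
    path="$1"
    bad=0
    # Append ":" so the loop also sees a trailing empty component.
    rest="$path:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")  echo "UNSAFE: empty entry (means current directory)"; bad=1 ;;
            .)   echo "UNSAFE: '.' (current directory) in PATH"; bad=1 ;;
            /*)
                # -H follows a symlinked start point (e.g. /bin -> usr/bin);
                # -prune stops find from descending; -perm -0002 = other-writable.
                if [ -d "$entry" ] && \
                   [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "UNSAFE: $entry is world-writable"; bad=1
                fi ;;
            *)   echo "UNSAFE: relative entry '$entry'"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: audit the live PATH of the current shell.
# audit_path "$PATH" && echo "PATH looks safe"
```

Running it against the slide's `PATH=$PATH:$HOME/bin:.` reports the trailing “.”; the check flags “.” wherever it appears in the list, not only at the start.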

Chapter 15: Security 22 How to prevent trojan horses

• OS design error: enforce the principle of least privilege
  • a user of an OS does not need to install network daemons: do not give them that permission, then installed freeware cannot start daemons
• Human error: a user should not run as administrator by default, so that the programs the user runs do not have more access to the system than necessary
  • e.g. the alternative in Linux is ‘sudo’ when one temporarily needs to run as root

Chapter 15: Security 23 Video Break: brought to you by another dazzling classmate!

https://www.youtube.com/watch?v=x7ozaFbqg00

Chapter 15: Security 24 Trap Door

• The designer of a program or system may leave a hole in the software that only they are capable of using
  • e.g. a trap door that deletes certain important pieces of information periodically
• A trap door could very easily be hidden in a huge code base, making it difficult to detect
• Even harder if the trap door is hidden in the compiler rather than in the source code

Chapter 15: Security 25 Logic Bomb

• A program that initiates a security incident only under certain circumstances
• E.g. a programmer writes code to detect whether they are still employed; if not, the code could be launched to damage the site or spawn a daemon to allow remote access
• Difficult to detect under normal operation

Chapter 15: Security 26 Stack and buffer overflow

• Memory-based attacks using stack overflow or buffer overflow are the most common way for an unauthorized user to gain access to a system
• Bob discussed the historical “smashing the stack” paper in detail and showed many ways this approach can be used to compromise a system and how to protect against it
• Mostly possible because of the ability to execute code in a page not originally initialized as executable
• Recent AMD and Intel x86 chips include a new bit in page tables to indicate executable/non-executable; as this becomes more prevalent, buffer-overflow attacks will diminish

Chapter 15: Security 27 Viruses

• A virus is a fragment of code embedded in a legitimate program that is self-replicating and designed to “infect” other programs (like a real virus)
• Many categories of viruses, many thousands of viruses

Chapter 15: Security 28 Many overlapping qualifiers for viruses

• File — virus appended to a file, which then changes the start of the program to jump execution to that code, e.g. macros in a file in the Microsoft Office Suite
• Boot — virus infects the boot sector, executes every time the system is booted, before the OS is loaded
• Macro — most viruses are written in a low-level language (e.g. assembly or C), whereas a macro virus is written in a high-level language such as Visual Basic
• . . . such as source code virus, encrypted virus, stealth virus, tunnelling virus, multipartite virus, …

Chapter 15: Security 29 Boot virus

[Figure: how a boot-sector virus operates]
• virus copies the boot sector to an unused location X
• virus replaces the original boot block with itself
• at system boot, the virus decreases physical memory and hides in memory above the new limit
• virus attaches to the disk read-write interrupt and monitors all disk activity
• whenever a new removable R/W disk is installed, it infects that as well
• it blocks any attempts of other programs to write the boot sector
• it has a logic bomb to wreak havoc at a certain date

Chapter 15: Security 30 System and Network Threats

• System and network threats involve the abuse of services and network connections
• The more open an OS is — the more services/functions enabled — the more likely a bug is available to exploit
• Goal is to reduce the attack surface — the set of ways an attacker can try to break into the system
• Examples: worms, port scanning, denial-of-service

Chapter 15: Security 31 Internet Worm: Morris Worm

• Exploited UNIX networking features (remote access) and bugs in the finger and sendmail programs
• Exploited the trust-relationship mechanism used by rsh to access friendly systems without use of a password
• A program called the “grappling hook” (99 lines of C code) was used to upload the main worm program
• Once a target system was infected, it would infect other systems that the system connected to

Chapter 15: Security 32