To avoid confusion we will use the term security to refer overall problem, and the term protection mechanism to refer the specific operating system mechanism used to safeguard information in the computer.
Fist we will look at security to see what nature of the problem is.
Later on in the chapter we will look at the protection mechanism and models available to help achieve security.
The sources of threats are listed in figure 9.1.
Security goals and threats
The fist one, Data confidentiality, is concerned with having secret remaining secret.
The second goal, data integrity, means that unauthorized users should not be able to modify any data without the owner’s permissions.
The third goal, system availability, means that nobody can disturb the system to make it unusable.
Such denial of service attacks are increasingly common (this is because floods of requests).
Another aspect of security is privacy: protecting individuals from misuse information's about them.
In security literature, people who are noising around places where they have no business being called intruders (davetsiz misafir) or something adversaries (rakip, düşman).
Intruders act in two ways.
Passive intruders; just want to read files they are nor authorized to red.
Active Intruders are more malicious (kötülük kin); they want to make unauthorized changes to data.
Designing a system secure against intruders;some common categories.
Causal praying by non-hectically users; Sharing files reading mails.
Snooping by insiders; break security is a personal challenge.
Determined attempts to make money; steal from banks where they were working for.
Commercial or military espionage; stealing programs, trade secrets, paten-table ideas, technology, circuit designs, business plans and so forth ( casusluk).
A virus may be an Intruders itself.
Intruders try to break into specific system to steal or destroy particular data, whereas a virus usually cause more general damage.
Accidental data loss
In addition to threads caused by malicious intruders, valuable data can be lost by accident.
Some common causes of accidental data loss are;
Act of God; fires, floods, earthquakes, wars, riots, or rats gnawing tapes or floppy disks.
Hardware or software errors; CPU malfunctions, unreadable disks or tapes, telecommunication errors, program bugs.
Human errors; incorrect data entry, wrong tape or disk mounted, wrong program running, lost disk or tape, or some other mistakes.
Maintaining adequate backups, preferable far from the original data.
Basics of Cryptography
A little knowledge of Cryptography may be useful for understanding parts of this chapter.
The purpose of Cryptography is to take a message or file, called the plaintext, and encrypt it into cipher text in such a way that only authorized people know to convert it back to the plaintext.
The encryption and decryption algorithms should be public?
They can now be kept secret.
In trade this tactic is called security by obscurity and
Instead, the secrecy is depends on parameters to the algorithms called keys.
If P is the plaintext, K E is the encrypted key, C is the cipher text, and E encryption algorithm (function) then C=E(P,K E ).
This the definition of the encryption.
Similarly, P=D(C,K D ) where D is the decryption algorithm, K D is the decryption key and P is the plaintext.
This relation is shown in figure 9.2.
Relationship between the plaintext and the cipher text
each letter replaced by different letter
Given the encryption key,
easy to find decryption key
Secret-key crypto called symmetric-key crypto
To make this clearer, consider an encryption algorithm in which each letter is replaced by a different letter, for example, all As are replaced by Qs, and all Bs are replaced by Ws, all Cs are replaced by Es and so on. Like this:
Plain text: ABCDEFGHIJKLMNOPQRSTUVWZ
This general system is called a mono-alphabetic substitution (yerine koyma); for example the plaintext ATTACK would be transformed into the chipper text QZZQEA.
At the first glance this might appear to be safe system because although knows the general system, he does not know which of 26! = (yaklaşık) 4x 10^26 possible key is in use.
However in English e is the most common letter and followed by t,o,a, n, i, and most common diagrams are th, in er, re, etc.
Many crypto-graphics system like this one (is easy to find the decryption key and vice versa).
Such systems are called secret-key cryptography or symmetric-key cryptography.
For security 1024 bit keys should be used giving a search of space 2^1024 = (y) 2x 10^308 keys.
All users pick a public key/private key pair
publish the public key
private key not published
Public key is the encryption key
private key is the decryption key
Secret key mechanisms are efficient but both person be in possession of shared secret keys.
To get around this problem, public-key cryptography is used.
Public key cryptography, consider the following two questions;
Question 1: how much is the 314159265358979x314159265358979?
Question 2: what is the square root of 3912571506419387090594828508241?
Encryption makes use of the easy operations but decryption without the key requires you perform the hard operation.
A public key system called RSA exploit the fact that multiplying by numbers is much easier for a computer to do than factoring big numbers, especially when all arithmetic is done using modulo arithmetic and all numbers involved have hundreds of digits..
This is a thousand times slower than symmetric cryptography.
Every one pick (publickey, privatekey).
The public key is the encryption key; and the private key is the decryption key.
To send a secret message to a user a correspondent encrypts the message with the receiver's public key.
Since receivers has the private key, only the receivers can decrypts the message.
Function such that given formula for f(x)
easy to evaluate y = f(x)
But given y
computationally infeasible to find x
There are various situations that we will see later in which it is desirable some functions, f, which means has property that given f and its parameters x, computing y=f(x) is easy to do, but given only f(x), finding x is computationally in feasible (initialize y to x).
Then it could have a loop that iterates a many as times as there are 1 bits in x, with each iteration permuting bits of y in an iteration-dependent way, adding in a different constant on each iteration, and generally mixing the bits up very thoroughly.
Digital signatures make it possible to sign email message and other digital documents in such a way that they cannot be repudiated by the sender later (this requires an hashing operation).
The most popular hashing function used are MD5 (message Digest) which produces a 16-byte result and SHA (Secure Hash Algorithm) which produces a 20-byte result.
The next step assumes the use of public key cryptography as described above.
The document owned then applies his private hey to the hash to get D (hash).
This value, called the signature block, is applied to the document and sent to the receiver, as shown in figure 9.3.
Computing a signature block
What the receiver gets
The receiver computes the has of the document using MD5 or SHA, as agreed upon in advance.
The receiver than applies the sender2s public key to the signature block to get E(D(hash)).
E(D(x)) = x
We originally asked for was that
D(E(x)) = x
E is the encryption function and D is the decryption function.
The order of application must not matter and RSA algorithm has this property.
One common method for message senders to attach a certificate to a message, which contains users name and public key and digitally signed by a trusted third party.
Security issues in operating systems.
When a user logs into a computer, the OS normally wishes to determine who the user is, a process called user authentication .
Three general principles of user authentication is given below.
Something the user knows.
Something the user has.
Something the user is.
These principles leads to different authentication schemas with different complexity and security properties.
People who want to cause trouble on a particular system have to first log into that system, which means getting past whichever authentication procedure is used.
These peoples are called hackers ( this term used for programmers so a term of honor is reserved for great programmer.
In true sense we will call people who try to break into computer system where they do not belong crackers (üşütük) .
Authentication using passwords
The most widely used form of authentication is to require the user to type a login name and password (asterisk).
If they marched login is allowed to not.
Another area in which not quite getting it right has serious security implications is illustrated in figure 0.4,
A successful login is shown,
A failed attempt by a cracker to log into system A.
A failed attempt by a cracker to log into system B.
In 9.4.b, the system complains as soon as it sees invalid login name.
This is mistake, as it allows the cracker to keep trying login names until she find a valid one.
The last option is really trying.
(a) A successful login
(b) Login rejected after name entered
(c) Login rejected after name and password typed
How hacker break in
Most crackers break in by just calling up the target computer and trying many (login name, password) combinations until they find one that works (names birth date, and ect.).
War dialer which dial up 10,000 telephone numbers in random order and after 2.6 million calls he located 20,000 computers in an area and 200 of which had no security at all.
The combination of a war dialer and password guessing can be deadly.
An alternative to using a war dialer is attack to computers over Internet. Every computer on the Internet has a 32-bit IP address used to identify it.
People usually writes these addressing dotted decimal notation as w.x.y.z where each of the four components of the IP addresses is an integer from 0 to 255 in decimal.
Many telnet diamonds break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down crackers (cracker start many threads).
To find IP addresses they use, all he has to to this type;
And will get some of their IP addresses.
One hopes their security is better, but there is little reason to believe that since another nuclear weapon lab, Los, Alamos, lost a hard disk full of classified information in 2000.
LBL > telnet elxsi
ELXSI AT LBL
INCORRECT PASSWORD, TRY AGAIN
INCORRECT PASSWORD, TRY AGAIN
WELCOME TO THE ELXSI COMPUTER AT LBL
Once a cracker has broken into a system and become super user, it may be possible to install a packet signifier, software that exams all incoming and outgoing network packets looking certain patterns.
Increasingly many breaks ins are being done by technically naive who are just running scripts they found on the Internet. These scripts either use brute forces attacks of the type described above, or try to exploit known bugs in specific programs. Real hacker refer to them as script kiddies.
UNIX password security
Some older OS keep the password file on the disk in unencrypted from, but protect by the usual system protection mechanisms.
This is just looking for trouble.
A better solution, used in UNIX, works like this.
The login program ask to type his name and password.
The password is immediately encrypted by using it as a key to encrypt a fixed block of data.
One way function is used.
The login program then reads the password file, which is just series of ASCII lines, one per user, until it finds the line containing the user’s login name.
Read the chapter.
To prevent the possibility of attacks (is to associate an n bit random number, are called salt, with each password.
The random number is changed whenever the password is changed.
Figure 9.6, the use of salt to defeat pre-computation of the encrypted passwords.
The notation e(Dog4238) represents the result of concentrating Bobbie’s password, (Dog, with her randomly assigned salt 4238 and running it through the encryption function e.
Improving password security
The program that users call to install or change their password can also give a warning when poor password is chosen.
Among other it might complain about are.
Passwords should be a minimum of seven characters.
Passwords should contain both upper and lower case letters.
Passwords should contain at least one digit or special character.
Passwords should not be dictionary words, people’s name etc.
One time passwords
The most extreme form of changing the password all the time is one-time password .
Each login uses the next password in a list.
If an intruder discovers a password, ,t will not to do him any good, since next time a different password must be used.
If the secret password is s, the first password is given by running one-way function n times.
P1 = f(f(f(f(s))))
The second password is given by running the one-way function n-1 times;
P2 = f(f(f(s)))
Challenge response authentication
A variation on the password idea is to have each new user provide a long list of questions and answers that are then stored on the server securely (encrypted).
The questions should be chosen so that the user does not need to write them down.
Possible questions are;
Who is Majolein’s sister?
On what street was your elementary school?
What did Mrs Worobooff teach?
At login, the server asks one of them at random and checks the answer.
Another variation is challenge response. User send 7 and the user types 49 (the function is x^2).
Authentication using a physical object
The second method for authenticating a user is to check for some physical object they have rather than something they know (like door keys).
Chip cards contain an integrated circuit (chip) on them.
These card can be subdivided into two categories: stored value cards and smart cards.
Stored value cards contain a small amount of memory (usually less than 1 KB) using EEPROM technology to allow the value to be remembered when the card is removed from the reader and thus the power turned off.
However, nowadays, much security work is being focused on the smart cards which currently have something like-a 4- MHz 8-bit CPU, 16 KB of ROM , 4 KB of EEPROm, 512 bytes of starching RAM and 9600 –bpsd communication channel to the reader.
Smart cards can be used to hold money, as do stored value cards, but with much better security and universality.
Various authentication schemas can be used with a smart card. A simple challenge response works like this.
Figure 9.7 use of a smart card authentication
magnetic stripe cards
chip cards: stored value cards, smart cards.
Authentication using biometrics
The third authentication method measures phys,cal characteristics of the user that are hard to forge (taklit).
These are called biometrics.
For example, a fingerprint or a voiceprint reader in the terminal could verify the user2s identity.
A typical biometrics system has two parts;
Enrolment (characteristics are measured and stored in a record;significant features are extracted) and,
Identification (the user show up and provides a login name. Then the system makes the measurements again).
Finger length measurements is surprisingly practical as illustrated in figure 9.8 but not perfect. The system can be attacked with hand molds made of plaster of Pairs or some other materials.
A device for measuring finger length.
Intruder may broke into a system and does major damages.
Extra measure can be taken.
Restricting login times to 8 A.M. To 5 P. M.
Dial-up lines may be made up more secure.
In any event with or without call back, the system should take at least 5 seconds to check any password typed in on a dial-up line, and should increase this time after several consecutive unsuccessful login attempts.
All logins should be recorded and reported.
The next step is lying baited traps to catch intruders (A simple schema is to have one special login name with an easy password and then the security manager can see who is the intruder).
Other traps can be easy-to-find bugs in the OS and similar things, designed for the purpose of catching intruders in the act.
Limiting times when someone can log in
Automatic callback at number pre-specified
Limited number of login tries
A database of all logins
Simple login name/password as a trap
security personnel notified when attacker bites
Operating System Security Attacks from Inside the System
Free program made available to unsuspecting user
Actually contains code to do harm
Place altered version of utility program on victim's computer
trick user into running that program
Free program made available to unsuspecting user
Actually contains code to do harm
Place altered version of utility program on victim's computer
trick user into running that program
One insiders attack is the Trojan horse, ,in which a seemingly innocent program contains code to perform an unexpected and undesirable function.
This function might be modifying, deleting or encrypting the user’s files, copying them to a place where the cracker can retrieve them later, or even sending them to a cracker or a temporary safe hiding place via email or FTP.
(a) Correct login screen
(b) Phony login screen
Somewhat related to Trojan horse is login proofing .
Normally login screen displayed.
A cracker or cheater writes a program to display the screen of figure (b) user enters login name and then (asks password) password.
The login name and password is collected.
Company programmer writes program
potential to do harm
OK as long as he/she enters password daily
ff programmer fired, no password and bomb explodes.
Another insider attack.
High employee mobility is the logic bomb.
The programmer secretly insert into a production OS
As long as the programmer feeds its daily password, it does nothing.
A person is fired and removed prom premises without warning.
The next day the logic bomb does not get fed its daily password, so it goes off.
(a) Normal code.
(b) Code with a trapdoor inserted
Buffer overflows (1)
Most system programs are written in the C programming language.
Unfortunately, no C compiler does array bound checking.
i = 12000;
C[i] = 0;
This property of C leads to attack of following kind of.
This may change memory areas where other programs codes resides.
Then the running code of other program changed to a random junk and probably the program will crash within seconds.
If the changed program parts was a correct program instead of a junk program!
Buffer overflows (2)
(a) Situation when main program is running
(b) After program A called
(c) Buffer overflow shown in gray
Generic security attacks
Request memory, disk space, tapes and just read; may not be erased and may be full of interesting information.
Try illegal system calls; many system can easily be confused.
Start a login and hit DEL, RUBOUT, or BREAK; password checking program will be killed and login is successful.
Try modifying complex OS structures; Keep user in user space. Changing the system can wreak havoc (hasar) with the security.
Try to do specified DO NOT s; Manuals says that do not do X, try as many as variations of X as possible.
Convince a system programmer to add a trap door; by skipping certain vital security checks for any user with your login name.
Beg administrator's secretary to help a poor user who forgot password; bribe a secretary and access wonderful information.
Famous security flaws
The TENEX – password problem.
One character password checking program.
Stopping as soon as it saw that the password was wrong.
When the first character of the password is correct page fault occurred.
And the intruder is informed.that the password is correct.
Design principles for security
System design should be public; other wise intruder will find out sooner or late and system sunk.
Default should be no access; Errors in legimate access is refused will be reported much faster than unauthorized accesses.
Check for current authority; check the permission when a file is opened.
Give each process least privilege possible; Trojan horse will not do much damage.
Protection mechanism should be
in lowest layers of system
Scheme should be psychologically acceptable. Much work is not acceptable.
And … keep it simple
code transmitted to target machine
code executed there, doing damage
Goals of virus writer
quickly spreading virus
difficult to detect
hard to get rid of
Virus = program can reproduce itself
attach its code to another program
additionally, do harm
Attacks from outside the System
Since a virus is just a program, it can do anything a program can do.
Black mail; a virus can encrypt all files on victim's hard disk an the intruder try to get money.
Another thing a virus can do is render the computer unusable as long as the virus is running.
This called a denial of service attack .
BIOS in Flash ROM.
A virus can write random junk in the flash ROM.
A virus can also be released with a specific target.
Another example of a target virus is one that could be written by ambitious corporate vice president and release onto the local LAN.
Virus Damage Scenarios
Denial of service as long as virus runs
Permanently damage hardware
Target a competitor's computer
Intra-corporate dirty tricks
sabotage another corporate officer's files
Parasitic viruses .
Cavity viruses .
Memory resident viruses.
Boot sector viruses .
Device driver viruses.
Macro viruses ; words document creates a macro and the macro contains a macro viruses.
Source code viruses .
How Viruses Work (1)
Virus written in assembly language
Inserted into another program
use tool called a “dropper”
Virus dormant (hareketsiz ve uyur) until program executed
then infects other programs
eventually executes its “payload”
How Viruses Work (2)
Recursive procedure that finds executable files on a UNIX system
infect them all
How Viruses Work (3)
Parasitic viruses; can attach themselves to the front, the back , or middle of the executable program
(a) An executable program
(b) With a virus at the front
( c) With the virus at the end
(d) With a virus spread over free space within program
How Viruses Work (4)
Boot sector viruses ;
(a) After virus has captured interrupt, trap vectors
(b) After OS has retaken printer interrupt vector
( c) After virus has noticed loss of printer interrupt vector and recaptured it.
How Viruses Spread
Virus placed where likely to be copied
infects programs on hard drive, floppy
may try to spread over LAN
Attach to innocent looking email
when it runs, use mailing list to replicate
Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Antivirus and Anti-Antivirus Techniques
Examples of a polymorphic virus, All of these examples do the same thing
Calculation code of X=A+B+C-4).
Do the same thing but NOPs inserted.
Virus uses ( c) instead of (a) and still works; A virus that mutates on each copy is called a polymorphic virus. (d) and (e) does the same. (A mutilator engine changes code without changing its function)
Antivirus and Anti-Antivirus Techniques
install only shrink-wrapped software
use antivirus software
do not click on attachments to email
Recovery from virus attack
halt computer, reboot from safe disk, run antivirus
The Internet worms
Consisted of two programs
bootstrap to upload worm
the worm itself
Worm first hid its existence
Next replicated itself on new machines
Mobile Code (1) Sandboxing
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity.
When the program jumps to an unauthorized area trap is occurred.
Mobile Code (2)
Applets can be interpreted by a Web browser
Mobile Code (3)
How code signing works
Java security (1)
A type safe language
compiler rejects attempts to misuse variable
Checks include …
Attempts to forge (taklit) pointers
Violation of access restrictions on private class members
Misuse of variables by type
Generation of stack over/underflows
Illegal conversion of variables to another type
Java security (2)
Examples of specified protection with JDK 1.2.
In the fist line, the user Susan has setup her permission files; the www. taxre .com have read access to 1040.xls.
In addition to applets from all sources, whether signed or not can read and write files in /usr/tmp.
Furtherer more Susan also t h rust Microsoft enough to allow applets originating at its site read and writes to update or fix bugs. Trusted companies must signed their certificate ant necessary public key must be on her disk.
Files are not the only source that can be protected (other sources also)
Protection Mechanisms Protection Domains (1)
Examples of three protection domains
A domain is a set of (object,rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it.
A right in this context means permission to perform one of operations
Protection Domains (2)
A protection matrix
In Unix, the domain of a process is defined by its UID and GID (UID,GID) combinations are also possible.
Protection Domains (3)
A protection matrix with domains as objects
Process in domain 1 can switch to domain 2 but once there they cannot go back.
Access control lists (1)
Use of access control lists of manage file access
A list containing all domains that may access the object. This list is called Access Control List or ALC.
Often in security literature, the users are called subjects or principals, to contrast them with things owned, the objects, such as files.
Access control lists (2)
Two access control lists
A portion of ACL might be as shown in figure 9-26.
Each process has a capability list
Server generates and returns a capability to user of the form showed in figure 9-28.
Copy capability; create newt capability to create the same object.
Copy object; create a duplicate object with a new capability.
Remove capability; delete an entry from the C-list; object unaffected.
Destroy object; permanently remove an object and a capability.
f(Objects, Rights, Check) Rights Object Server
Trusted Systems Trusted Computing Base
A reference monitor
Is possible to build a secure computer system?
If so, is it not done?
Formal model of security systems
(a) An authorized state
(b) An unauthorized state
Robert has found a way to issue command to have matrix changed to fig 9-30 (b) and gained access mailbox7.
The OS carries out his request because it does not know that the state is unauthorized.
Multilevel security (1)
The Bell-La Padula multilevel security model; designed for handling military security but also applicable to other organizations.
The simple security property ; a process running at a security level k can read only objects at it level or lower.
The * property ; a process running at security lvel k can write only objects it level or higher.
Multilevel security (2)
The Bell-La Padula multilevel security model;
Multilevel security (3)
The Biba Model
Principles to guarantee integrity of data
Simple integrity principle
process can write only objects at its security level or lower
The integrity * property
process can read only objects at its security level or higher
Orange Book Security (1)
Orange Book dividing OS into seven categories based on their security properties.
Level C is intended for environments with cooperating users.
C1 requires a mode operating system, The Unix rwx schema meets C1 but does not meet C2.
C2 adds the requirements that discretionary access control is down to the level of the individual users .
The B and A levels requires all controlled users and objects to be assigned a security level k-label such as un classified, secret or top secret.
B2 adds to this requirement that the system has been designed top-down in a modular way.
B3 contains all of B2’s features plus must be ACLs with use and group,
A1 requires a formal model of protection system and a prrof that the model is correct. Read from the book.
Orange Book Security (2)
Symbol X means new requirements
Symbol -> requirements from next lower category apply here also.
Orange Book Security (3)
Covert channels (1)
Client, server and collaborator processes
Encapsulated server can still leak to collaborator via covert channels
The collaborator can try to detect the bit stream by carefully monitoring its response time.
In general, it will get better response when the server is sending a 0 than when the server is sending a 1.
Covert channels (2)
A covert channel using file locking
Locking and unlocking to transmit the secret bit stream 11010100.
Acquiring and releasing dedicated sources can also be used for signaling.
Covert channels (3)
Pictures appear the same
Picture on right has text of 5 Shakespeare plays
encrypted, inserted into low order bits of color values
Hamlet, Macbeth, Julius Caesar Merchant of Venice, King Lear Zebras
The security Environment; threads Intruders and accidental losses.
Basics of Cryptography; secret and public keys, digital signatures
User authentication; using password, physical object, biometrics.
Attacks from inside the system; Trojan horse, login spoofing, logic bombs, trap doors, buffer overflows, security attacks and flaws
Attacks from outside the system; viruses and Antivirus, techniques, worms and mobile codes.
Protection mechanisms;domains, control lists and capabilities.
Trusted systems; trusted base computing, multi level and orange book security.