
D. M. Akbar Hussain
Operating System Course
Security Threats
Protection Mechanism
Counter Threats
Requirements
- Confidentiality
Requires information in a computer system only be
accessible for reading by authorized parties
- Integrity
Assets can be modified by authorized parties only
- Availability
Assets be available to authorized parties
- Authenticity
Requires that a computer system be able to verify the identity
of a user
Threats
1. An asset of the system is destroyed or becomes unavailable or unusable
2. Attack on availability
3. Destruction of hardware
4. Cutting of a communication line
5. Disabling the file management system
Threats
1. An unauthorized party gains access to an asset
2. Attack on confidentiality
3. Wiretapping to capture data in a network
4. Illicit copying of files or programs
Threats
1. An unauthorized party not only gains access but tampers
with an asset
2. Attack on integrity
3. Changing values in a data file
4. Altering a program so that it performs differently
5. Modifying the content of messages being transmitted in a
Threats
1. An unauthorized party inserts counterfeit objects
into the system
2. Attack on authenticity
3. Insertion of spurious messages in a network
4. Addition of records to a file
Computer System Assets
Threats include accidental and deliberate damage
Threats include deletion, alteration, damage
Backups of the most recent versions can maintain high availability
Involves files
Security concerns for availability, secrecy, and integrity
Statistical analysis can lead to determination of individual information which threatens
Computer System Assets
Communication Lines and Networks: Passive Attacks
Release of message contents: a telephone conversation, an electronic mail message, and a
transferred file are all subject to this threat
Traffic analysis
Encryption masks the contents of what is transferred so even if obtained by someone, they
would be unable to extract information
Computer System Assets
Communication Lines and Networks: Active Attacks
Masquerade takes place when one entity pretends to be a different entity
Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect
Modification of messages means that some portion of a legitimate message is altered, or that
messages are delayed or reordered, to produce an unauthorized effect
Denial of service prevents or inhibits the normal use or management of communications
The ability to share resources brings the need for protection
No protection
Sensitive procedures are run at separate times
Each process operates separately from other processes with no sharing or communication
Share all or share nothing
Owner of an object declares it public or private
Share via access limitation
Operating system checks the permissibility of each access by a specific user to a specific
Operating system acts as the guard
Share via dynamic capabilities
Dynamic creation of sharing rights for objects
Limit use of an object
Limit not only access to an object but also the use to which that object may be put; for
example, a user may be able to derive statistical summaries but not to determine specific data
Protection of Memory
Protection of main memory is essential.
Concern is more of correct functioning as well as
Separate memory space for different processes is
accomplished using the virtual memory scheme.
Hardware support for memory protection may be
A storage control key, which can be set by the OS, is
normally used.
User Oriented Access Control
The most common user access control on a shared or server system is the log on:
Requires both a user identifier (ID) and a password
The system only allows a user to log on if the ID is known to the
system and the password associated with the ID is correct
Users can reveal their password to others either intentionally or
Hackers are skillful at guessing passwords
The ID/password file can be obtained
Data Oriented Access Control
Following a successful log on, the user is granted access to that system
and its applications; it is essential for systems holding sensitive
data to have some sort of access control over it.
Associated with each user there could be a user
profile that specifies permissible operations and file
The operating system enforces these rules.
A database management system controls access to
specific records or portions of records. An access
matrix model can be utilized.
Access Control Matrix
Subject: An entity capable of accessing objects; a subject equates with a process.
Object: Anything to which access is controlled, for example files, memory
Access rights: The way in which an object is accessed by a subject, for
example read, write and execute.
Access Control
The matrix decomposed by column gives Access Control Lists.
Provides, for each object, the list of users and their access rights.
Access Control
The matrix decomposed by row gives Capability Tickets.
Provides the authorized objects and operations for a user.
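As an added illustration of the two decompositions just described (not part of the slides), the Python below builds one constructed access matrix, derives the per-object ACLs and the per-subject capability tickets from it, and checks that both views give the same guard decision for every access; the subjects, objects and rights are sample data.

```python
# Added example: one constructed access matrix and its two decompositions.
# Subjects, objects and rights below are sample data, not from the slides.
from collections import defaultdict

RIGHTS = ("read", "write", "execute")

# Access matrix as a sparse table: (subject, object) -> set of access rights.
ACCESS_MATRIX = {
    ("alice", "file1"): {"read", "write"},
    ("alice", "file2"): {"read"},
    ("bob",   "file1"): {"read"},
    ("bob",   "prog1"): {"execute"},
    ("carol", "file2"): {"read", "write"},
    ("carol", "prog1"): {"read", "execute"},
}


def to_acls(matrix):
    """Decompose by column: object -> {subject: rights}. One ACL per object."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Decompose by row: subject -> {object: rights}. One ticket per subject."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def acl_permits(acls, subject, obj, right):
    """Guard decision read from the object's ACL. A subject or object with no
    entry has no rights, so the default is deny."""
    return right in acls.get(obj, {}).get(subject, set())


def capability_permits(caps, subject, obj, right):
    """The same decision read from the subject's capability ticket."""
    return right in caps.get(subject, {}).get(obj, set())


def decisions_agree(matrix):
    """Both decompositions are views of one matrix, so every possible
    (subject, object, right) decision must come out the same."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    return all(acl_permits(acls, s, o, r) == capability_permits(caps, s, o, r)
               for s in subjects for o in objects for r in RIGHTS)
```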
The most publicized threats are intruders (hackers) and viruses. The
former are classified into three classes:
Masquerader: Anyone not authorized to use a
system who penetrates the system's access control to
exploit a legitimate user's account. (Outsider)
Misfeasor: A legitimate user who either misuses privileges or
accesses resources for which he is not authorized.
Clandestine User: One who gets supervisory control
of the system and may use it to evade auditing and
access control. (Outsider/Insider)
Intrusion Techniques
The objective of the intruder is to gain access to the system or to
increase the range of privileges accessible on a system.
The protected information that an intruder acquires is a password.
One-way Encryption: The system stores an encrypted form
of the user password; on entry of the password by a user, the
system encrypts it and compares it with the stored
Access Control: Access to the password file is
limited to one user.
If the above control mechanisms are in place, it is not easy to intrude.
Learning Passwords
Try default passwords used with standard accounts shipped with the computer.
Exhaustively try all short passwords (up to 3-4 characters).
Try words in a dictionary or a list of likely passwords.
Collect information about users and use these items as passwords, for
example spouse and children's names, dates of birth etc.
Try users' phone numbers, social security numbers, and room numbers.
Try all legitimate license plate numbers for this state.
Use a Trojan horse to bypass restrictions on access.
Tap the line between a remote user and the host system.
Password Protection
The first line of defense against intrusion is the password system.
The user has to provide an ID in addition to a password.
The password authenticates the ID of the individual logging on.
The ID provides security as follows:
It determines if the user is authorized, meaning only
those who have an ID set up can be allowed on.
It also determines the privileges given to the user of that ID.
It is used in discretionary access control: a user can grant
permission for the use of files to other users.
Vulnerability of Passwords
Salt is a value related to the time at which the password is assigned;
it serves the following purposes:
Prevents duplicate passwords.
Increases the length of the password without requiring
the user to remember additional words; the number of possible
passwords is increased by a factor of 4096.
It prevents the use of hardware implementations of
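The one-way encryption and salting described on this and the Intrusion Techniques slide, as an added example that is not part of the slides: the slides describe UNIX crypt(3) with a 12-bit salt, while this code substitutes hashlib.pbkdf2_hmac with a random 16-byte salt (my assumption, chosen so it runs on a current Python). It shows that two users with the same password get different stored values, and that the comparison at log on never needs the plaintext back.

```python
# Added example: salted one-way password storage. The slides describe UNIX
# crypt(3) with a 12-bit salt; hashlib.pbkdf2_hmac with a random 16-byte salt
# stands in for it here (a substitution on my part, not the slides' scheme).
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000   # work factor: slows down dictionary and exhaustive guessing
SALT_BYTES = 16        # 128 bits, against the 12 bits (factor 4096) of the slides

StoredEntry = Tuple[bytes, bytes]   # (salt, digest); the password itself is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredEntry:
    """One-way transform. A fresh random salt is drawn unless one is supplied
    (the stored salt is supplied when verifying)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, entry: StoredEntry) -> bool:
    """Log on: re-derive with the stored salt and compare in constant time,
    so the comparison leaks nothing about where the digests differ."""
    salt, stored_digest = entry
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_password_file(users: Dict[str, str]) -> Dict[str, StoredEntry]:
    """Constructed 'password file': user -> (salt, digest)."""
    return {user: hash_password(pw) for user, pw in users.items()}


def duplicate_passwords_visible(pw_file: Dict[str, StoredEntry]) -> bool:
    """Unsalted storage lets anyone who reads the file see which users share a
    password (identical digests). With per-user salts the digests differ even
    when the passwords are identical: the slides' 'prevents duplicate
    passwords' point."""
    digests = [digest for _, digest in pw_file.values()]
    return len(digests) != len(set(digests))


def unsalted_digests(users: Dict[str, str]) -> Dict[str, bytes]:
    """For contrast only: the same users hashed without a salt."""
    return {user: hashlib.sha256(pw.encode("utf-8")).digest() for user, pw in users.items()}
```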
Effectiveness of
1. User's name, initials, account number.
2. Try words from dictionaries.
3. Various permutations of the last step.
Access Control
Access to the password file is restricted to the super
This may not be the ultimate choice, as:
Most systems are susceptible to unanticipated break-ins; after
gaining access by some means, the intruder may wish to obtain a
collection of passwords.
By accident the password file may be readable.
A user may have multiple accounts with different privileges and
use the same password. Knowledge of the password on any of those
machines could jeopardize the other machines' security.
Password Selection
User Education
Computer Generated Passwords
Reactive Password Checking
Proactive Password Checking
User Education
Mostly fails:
People ignore the guidelines.
May not understand the importance of protection.
May be choosing something they believe to be very
difficult to guess.
Computer Generated Passwords
Difficulty in remembering
Need to write it down (not a good choice)
Have a history of poor acceptance
Reactive Password Checking
The system periodically runs its own password cracker to find
guessable passwords.
The system cancels passwords that are guessed and notifies the user.
Consumes resources to do this.
A hacker can use the same approach on their own machine with a copy of the
password file.
Proactive Password Checking
The system checks at the time of selection whether the password is allowable.
With guidance from the system, users can select memorable passwords
that are difficult to guess.
The balance is between user acceptability and strength. Many rejections
will make users unhappy, and a technique that accepts too easily will not do
the system any good.
The following can be used as guideline rules:
All passwords must be 8 characters or more.
Among these characters there must be at least one capital (uppercase)
letter, one lower case letter, one numerical digit and one punctuation character.
Another technique that could also be employed is compiling a dictionary of
possible bad passwords. When a user selects a password, it is checked
against it and, if found bad, the user is asked to select another one. This has
two problems:
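A proactive checker implementing the guideline rules above, the bad-password dictionary, and the user-derived items and permutations from the cracking study slide, as an added example that is not part of the slides; the dictionary and the sample user items are constructed.

```python
# Added example (not from the slides): a proactive password checker applying the
# guideline rules plus a bad-password dictionary and user-derived items.
# The dictionary and the sample user items are constructed.
import string
from typing import Iterable, List, Set

# A real checker loads a large word list; this is a small constructed one.
BAD_WORDS: Set[str] = {"password", "letmein", "qwerty", "welcome", "secret"}

# Undo the digit/symbol substitutions guessers try (0->o, 1->i, 3->e, 4->a, $->s, @->a, !->i).
_UNDO_SUBST = str.maketrans("0134$@!", "oieasai")


def candidate_forms(candidate: str) -> Set[str]:
    """The forms of the candidate that simple permutations of a dictionary word
    would reach: lower-cased, with substitutions undone, and each reversed."""
    low = candidate.lower()
    plain = low.translate(_UNDO_SUBST)
    return {low, plain, low[::-1], plain[::-1]}


def check_password(candidate: str, user_items: Iterable[str] = (),
                   bad_words: Set[str] = BAD_WORDS) -> List[str]:
    """Run at selection time. Returns every reason for rejection; an empty list
    means the password is allowable."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    required = {
        "uppercase letter": str.isupper,
        "lowercase letter": str.islower,
        "numerical digit": str.isdigit,
        "punctuation character": lambda c: c in string.punctuation,
    }
    for name, present in required.items():
        if not any(present(c) for c in candidate):
            reasons.append(f"missing {name}")
    forms = candidate_forms(candidate)
    for word in sorted(bad_words):
        if any(word in form for form in forms):
            reasons.append(f"contains dictionary word '{word}'")
            break
    for item in user_items:          # name, initials, account number, ...
        item = item.lower()
        if len(item) >= 3 and any(item in form for form in forms):
            reasons.append(f"derived from user information '{item}'")
            break
    return reasons
```

Because the candidate is normalised before the dictionary lookup, "P@ssw0rd!" is rejected even though it satisfies all four character-class rules.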
Intrusion Detection
The second line of defense, with the following considerations:
1. Detect the intruder as quickly as possible.
2. Effective intrusion detection serves as a deterrent.
3. Intrusion detection enables the collection of information about
intrusion techniques, which could be useful in implementing
improved prevention strategies.
Typically, intrusion detection is based on the assumption that intruder behavior
is different from that of a legitimate user. But certainly it will not provide a very
clear distinction, as there is an overlap between the two.
Profile of Intruders vs. Users
Intrusion Detection Schemes
Statistical anomaly detection:
Collection of data related to the behavior of legitimate users over a period of time.
Statistical tests are used to determine whether observed behavior is not legitimate behavior.
Good against masqueraders, not suitable for misfeasors.
Rule based detection:
Rules are developed to see any deviation from previous patterns.
An expert system can be used to detect suspicious behavior.
May work well against both masqueraders and misfeasors.
The statistical approach attempts to define normal, expected behavior, in contrast to
rule based detection, which attempts to define exact proper behavior.
Intrusion Detection Schemes
The fundamental tool for intrusion detection is the audit record:
Native audit records:
All multi-user systems collect user activity information.
No additional collection software is required.
The information may not be in the form required, or convenient, for use by the intrusion detection.
Detection-specific audit records:
A collection facility dedicated specifically to intrusion detection.
Could be made vendor independent.
The disadvantage is extra overhead, a kind of two accounting packages running.
Example Intrusion Detection System
Subject: Initiator of the actions; could be a user or a process on behalf of a user or group of
Action: Operation performed by the subject on the object.
Object: Receptor of actions, for example a file.
Exception Condition: Condition raised on the action.
Resource Usage: Processor, I/O units, number of records etc.
Time Stamp: Unique time and date stamp at action time.
Consider this example: copy esbjerg.exe to <aalborg>esbjerg.exe

Subject  Action   Object                Exception   Resource usage  Time stamp
Jensen   execute  <aalborg>copy.exe     0           CPU = 0001      11265436779
Jensen   read     <jensen>esbjerg.exe   0           record = 10     11265436780
Jensen   execute  <aalborg>copy.exe     Write viol  record = 0      11265436781
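Audit records in the field order above, parsed and run through both detection schemes from the previous slides, as an added example that is not part of the slides: the trail and the baseline profile are constructed sample data, and only its first three records reproduce the slide's copy example.

```python
# Added example (not from the slides): audit records in the slide's field order,
# parsed and run through both detection approaches. The trail and the baseline
# profile are constructed; only the first three records are the slide's example.
from collections import Counter, namedtuple
from statistics import mean, pstdev

AuditRecord = namedtuple("AuditRecord", "subject action obj exception resource timestamp")

# Tab-separated: Subject  Action  Object  Exception-Condition  Resource-Usage  Time-Stamp
AUDIT_TRAIL = """\
Jensen\texecute\t<aalborg>copy.exe\t0\tCPU = 0001\t11265436779
Jensen\tread\t<jensen>esbjerg.exe\t0\trecord = 10\t11265436780
Jensen\texecute\t<aalborg>copy.exe\tWrite viol\trecord = 0\t11265436781
Smith\texecute\t<aalborg>copy.exe\t0\tCPU = 0001\t11265436792
Olsen\twrite\t<aalborg>passwd\tWrite viol\trecord = 0\t11265436793
Olsen\twrite\t<aalborg>copy.exe\tWrite viol\trecord = 0\t11265436794
Olsen\twrite\t<aalborg>login.exe\tWrite viol\trecord = 0\t11265436795
Olsen\tread\t<olsen>data.txt\t0\trecord = 1\t11265436796
"""

# Constructed profile of legitimate behaviour: exception conditions raised in
# each of a user's past sessions, collected over a period of time.
BASELINE = {"Jensen": [0, 1, 0, 0, 1], "Smith": [0, 0, 1, 0, 0], "Olsen": [0, 0, 0, 1, 0]}


def parse_audit_trail(text):
    """A malformed line is an error rather than skipped: silently dropped
    records would blind the detector."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed audit record: {line!r}")
        records.append(AuditRecord(*fields[:5], int(fields[5])))
    return records


def rule_based_alerts(records, system_area="<aalborg>"):
    """Rule based detection: a raised exception condition, or any write into the
    shared system area, is suspicious whoever does it."""
    alerts = []
    for r in records:
        if r.exception != "0":
            alerts.append((r.subject, f"{r.exception} on {r.obj}"))
        elif r.action == "write" and r.obj.startswith(system_area):
            alerts.append((r.subject, f"write to system area {r.obj}"))
    return alerts


def anomalous_subjects(records, baseline, threshold=2.0):
    """Statistical anomaly detection: a subject's exception count in this trail
    against the mean and spread of its own past sessions. More than `threshold`
    standard deviations above the norm is flagged; a subject without a profile
    cannot be judged statistically and is skipped."""
    current = Counter(r.subject for r in records if r.exception != "0")
    flagged = []
    for subject in sorted({r.subject for r in records}):
        history = baseline.get(subject)
        if not history:
            continue
        mu, sigma, count = mean(history), pstdev(history), current.get(subject, 0)
        if count > mu and (sigma == 0 or (count - mu) / sigma > threshold):
            flagged.append(subject)
    return flagged
```

Jensen's single write violation is within his normal variation and is reported only by the rule, while Olsen's three violations are flagged by both schemes.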
Malicious Software
The most sophisticated threat.
Application programs as well as utility programs.
Concealed within or masquerades as legitimate software.
Could be spread through e-mail.
Or by infected floppy disks.
Malicious Programs
Can be divided into two categories as shown below:
Could be part of these
Malicious Programs
Trap Doors:
Code triggered through some special sequence
of inputs or by being run by a certain user ID.
An entry point into a program that allows someone who
is aware of the trapdoor to gain access.
Used legitimately by programmers to debug and test.
Avoids necessary setup and authentication (this was
the main motivation: to bypass long setups).
A method to activate the program if something is wrong with
the authentication procedure.
Malicious Programs
Logic Bomb:
Code embedded in a legitimate program that is set to
explode when certain conditions are satisfied.
One of the oldest types of program threat.
The following are example criteria for explosion:
Presence or absence of certain files
Particular day of the week
Particular user running the application, or being run by a certain user ID.
Malicious Programs
Trojan Horses:
A useful program that contains hidden code which, when
invoked, performs some unwanted or harmful
Can be used to accomplish indirectly functions that
an unauthorized user could not accomplish directly.
For example, a Trojan horse program executed on a
system could change the user privileges of certain
The most dangerous and difficult to detect type of
Trojan horse is one in a modified compiler, which may
insert code to create a trap door in login.
Malicious Programs
Viruses:
A program that can infect other programs by
modifying them.
The modification includes a copy of the virus program.
The infected program can in turn infect other programs.
Malicious Programs
Worms:
A network worm uses network connections to spread
from system to system.
Once active on a system, it behaves like a virus.
It can implement a Trojan horse.
It uses the following to replicate itself:
Electronic mail facility
A worm mails a copy of itself to other systems.
Remote execution capability
A worm executes a copy of itself on another system.
Remote log-in capability
A worm logs on to a remote system as a user and then
uses commands to copy itself from one system to the
Malicious Programs
Zombies:
A program that secretly takes over another Internet-
attached computer.
It uses that computer to launch attacks that are
difficult to trace to the zombie's creator.
Typically used in denial of service attacks.
Nature of Viruses
A virus can do anything performed by a normal program.
Basically it attaches itself to a program and executes secretly when the
host program runs.
The following phases are the common route of execution:
Dormant Phase: The virus is idle, waiting for some event, maybe a date, a file
etc. Not every virus has this stage.
Propagation Phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk. Each infected
program has a clone of the virus.
Triggering phase: The virus is activated to perform the function for which it
was intended. Triggering can be activated by some kind of event, maybe
a count representing the number of times a copy of the virus
has been made.
Execution phase: The actual action is performed.
Types of Viruses
There is a non-stop war between virus writers and anti-virus software writers; the following are the well
known classes:
Parasitic Virus
The most common; it attaches itself to executable files and replicates.
When the infected program is executed, it looks for other executables to infect.
Memory-resident Virus
Lodges in main memory as part of a resident system program.
Once in memory, it infects every program that executes.
Boot sector Virus
Infects the boot record.
Spreads when the system is booted from the disk containing the virus.
Stealth Virus
Designed to hide itself from detection by anti-virus software.
May use compression.
Polymorphic Virus
Mutates with every infection, making detection by the signature of the virus impossible.
The mutation engine creates a random encryption key to encrypt the remainder of the virus, and the
key is stored with the virus.
Macro Viruses
As of the start of this decade, two thirds of viruses are macro viruses.
Platform independent; mostly infect Microsoft Word documents on any platform.
Infect documents, not executable portions of code.
Easily spread, typically through electronic mail.
A macro is an executable program embedded in a word processing document or
other type of file. Macros in Word:
Executes when Word starts.
Executes when a defined event occurs such as opening or closing a document.
Command macro
Executed when the user invokes a command (e.g., File Save).
Antivirus Approaches
Ideal solution: prevent any virus from getting through.
Typically impossible.
But proper prevention could reduce the number of
Most desirable route:
Generic Decryption
Generic decryption (GD) technology enables the anti-virus program to detect
complex polymorphic viruses. When a file containing a polymorphic virus
is executed, the virus decrypts itself to become active. Such a structure is
detected by executing those files through the GD scanner, which has the
following modules:
CPU emulator
Instructions in an executable file are interpreted by the emulator rather
than by the processor.
Virus signature scanner
Scans the target code looking for known virus signatures.
Emulation control module
Controls the execution of the target code.
Digital Immune System
The motivation for such a system comes from the following:
Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlook make it very
simple to send anything to anybody and to work with objects that are received.
Mobile-program systems: Capabilities such as Java allow programs to move on their own
from one system to another.
Working Procedure of the Digital Immune System:
1. A monitoring program runs on each PC and forwards any program
thought to be infected to the administrative machine.
2. The administrative machine encrypts the sample and sends it to a central
analysis machine.
3. It creates an environment to run that program for analysis. A
prescription is produced to identify the virus.
4. The resulting prescription is sent back to the administrative machine.
5. It forwards that prescription to the infected machine.
6. The prescription is then forwarded to other clients in the organization.
7. Subscribers around the world receive regular anti-virus updates for
protection from new viruses.
E-mail Viruses
Activated when the recipient opens the e-mail
Activated by opening an e-mail that contains the
Uses the Visual Basic scripting language.
Propagates itself to all of the e-mail addresses
known to the infected host.
Virus Propagation
Trusted Systems
Multilevel security
Information is organized into categories.
No read up, or Simple Security Property:
A subject can only read objects of a lower or equal
security level.
No write down, or Star Property:
A subject can only write objects of a greater or equal security level.
If the above two rules are properly implemented, they can provide multilevel security.
Reference Monitor Concept
The reference monitor enforces the security rules with the following
Complete Mediation: The security rules are enforced on every access.
Isolation: The reference monitor and its database are protected from
unauthorized modification.
Verifiability: A provable methodology for mediation and
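The two multilevel security rules, the reference monitor that mediates every access, and the Trojan horse defence of the following slides, carried through in code as an added example that is not part of the slides; the levels, categories, subjects and objects are constructed sample data.

```python
# Added example (not from the slides): the two multilevel security rules as code,
# checked by a reference monitor that mediates every access. Levels, categories,
# subjects and objects are constructed sample data.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """Security level plus the set of categories the information belongs to."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Higher-or-equal level and a superset of the other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star Property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


class ReferenceMonitor:
    """Complete mediation: every access goes through check(), and each decision
    is appended to an audit trail. The label tables stand for the monitor's
    protected database."""

    def __init__(self, subjects, objects):
        self.subjects, self.objects = dict(subjects), dict(objects)
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, action: str, obj: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        allowed = can_read(s, o) if action == "read" else can_write(s, o)
        self.audit.append((subject, action, obj, allowed))
        return allowed


def trojan_copy_blocked(monitor, subject, high_obj, low_obj) -> bool:
    """Trojan horse defence: a program running as `subject` reads a sensitive
    file and then tries to copy it into a file at a lower level. The read may
    succeed, but the star property must deny the write, so nothing leaks."""
    read_ok = monitor.check(subject, "read", high_obj)
    write_ok = monitor.check(subject, "write", low_obj)
    return read_ok and not write_ok


# Constructed sample: one cleared user, one uncleared user, three files.
SUBJECTS = {"alice": Label("secret", frozenset({"nato"})), "bob": Label("unclassified")}
OBJECTS = {"plan.doc": Label("secret", frozenset({"nato"})),
           "finance.xls": Label("secret", frozenset({"finance"})),
           "public.txt": Label("unclassified")}
```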
Trojan Horse Defence
Windows 2000 Security
It exploits object oriented concepts to provide a powerful and flexible access control
capability. It provides uniform access control to processes, threads, files etc. Access is
controlled through two entities: the access token and the security descriptor.
Access Control Scheme
A name/password is used to authenticate a user; after successful login a process object is created.
An access token is associated with that process object, indicating the privileges associated with
the user.
Access Token: General description of an access token:
Security ID
Identifies a user uniquely across all the machines on the network (logon name)
Group SIDs
List of the groups to which this user belongs
List of security-sensitive system services that this user may call
Default owner
If this process creates another object, this field specifies who is the owner
Default ACL
Initial list of protections applied to the objects that the user creates
Windows 2000 Security
Security Descriptor
Defines the type and contents of a security descriptor
The owner of the object can generally perform any action on the security
System Access Control List (SACL)
Specifies what kinds of operations on the object should generate audit
Discretionary Access Control List (DACL)
Determines which users and groups can access this object for which