
SECURITY AND OPERATING SYSTEMS

What is Security?
- Informal: security is keeping unauthorized entities from doing things you don't want them to do.
- More formal: confidentiality, integrity, availability.
- What is the operating system's role?

Internal Roles
- We've discussed a lot of internal features: privileged mode, memory protection, file access permissions, etc.
- What do these accomplish? What is the real goal?

Protecting Whom?
- Internal features protect the operating system against users. This is necessary but not sufficient.
- File permissions protect users (and the OS) against other users. Again, this is necessary but not sufficient.

User Authentication
- File permissions are based on user identity, which is based on authentication.
- How does an OS authenticate users? Many methods: something you know, something you have, something you are.

Something You Know: Passwords
- Very common
- Very easily guessed
- Originally stored in plaintext, but that's a very bad idea
- Today, passwords are usually stored hashed
- However, some network authentication schemes, such as challenge/response, require plaintext (or equivalent)

Hashed Passwords
- Store f(PW), where f is not invertible.
- When the user enters PW, calculate f(PW) and compare.
- To guard against precomputation attacks, assign a random salt at password change time and store ⟨salt, f(PW, salt)⟩.
- Attackers can still run password-guessing programs, so most operating systems use access control to protect the hashed passwords.
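The ⟨salt, f(PW, salt)⟩ scheme from the slide, as an added example that is not part of the original deck: the choice of PBKDF2-HMAC-SHA256 as f, the iteration count and the 16-byte salt are assumptions for illustration, since the slide names no particular f.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# f(PW, salt) is assumed to be PBKDF2-HMAC-SHA256 here; the slide leaves f unspecified.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Assign a fresh random salt at password-change time and return <salt, f(PW, salt)>."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed (rainbow) tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute f(PW, salt) from the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, stored)


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password store different values: the salt differs."""
    _, h1 = make_record(password)
    _, h2 = make_record(password)
    return h1 != h2
```

The stored hash is deterministic given the salt, which is exactly what lets the login path recompute and compare it.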

Attack Techniques
- Trojan horses: the "come and get it" attack
- Login spoofing
- Buggy software: the big one

Trojan Horses
- Trick someone into executing a program that does nasty things (many viruses and worms spread that way).
- How can the OS protect users?
- Unix-type file permissions don't help: the attack program can change permissions.
- Need mandatory access control (MAC).

Sandboxes
- A better idea is for the OS to provide sandboxes: an environment where the program can execute but can't affect the rest of the machine.
- Strong isolation is conceptually pretty easy: run the program on a separate machine, or under VMware.
- There are other, more elegant mechanisms that attempt to provide the same feature at lower cost; most are limited to root.
- The trick, and it's a very difficult one, is permitting limited interaction with the outside world while still protecting security.

Trusted Path
- A trusted path is a user-initiated sequence that is guaranteed to get you to the real OS.
- Example: Ctrl+Alt+Delete on Windows. Well, it was supposed to be one...
- But you have to train people not to log in unless they've initiated the sequence.
- Must protect all password prompts that way.

Viruses and Worms
- Viruses spread by themselves within a machine, but require human intervention to infect other machines.
- Worms spread between machines, though they may require human assistance (i.e., opening an attachment) to infect another machine.
- What can the OS do to stop these?

What to Log?
- Everything? Possibly takes too much storage, though disk space is cheap.
- Serious potential privacy risk.
- Can you process that much data?
- But must log security-sensitive events.

Solaris Basic Security Module (BSM)
- BSM can do a lot of logging.
- Some categories: login/logout, ioctl, file write, network events, mount/unmount, fork, exec, and more.
- Great care taken to protect log files.
- Again, though: can you process the data?

It's the Application
- The real purpose of an operating system is to run certain applications.
- The issue isn't how secure the OS is, it's how secure the applications are.
- Again, most worms don't violate OS security.

CRYPTOGRAPHY AND NETWORK SECURITY

Cryptography Fundamentals
- Privacy versus authentication:
  - Privacy: preventing a third party from snooping
  - Authentication: preventing impersonation
- Two kinds of authentication:
  - Guarantee that no third party has modified the data
  - Receiver can prove that only the sender originated the data: a digital signature (e.g., for electronic transactions)

Cryptographic Privacy
- Encrypt before sending, decrypt on receiving
- Terms: plain text and cipher text
- Two components: the key and the algorithm
- Should the algorithm be secret? Yes, for military systems; no, for commercial systems
- Key distribution must be secure

Cryptographic Authentication

The same system can also be used for authentication

Cryptanalysis
- Cryptanalysis: the attacker tries to break the system, e.g., by guessing the plain text for a given cipher text, or by guessing the cipher text for some plain text.
- Possible attacks:
  - Cipher-text only attack
  - Known plain-text attack
  - Chosen plain-text attack
  - Chosen text attack

Security Guarantees
- Two possibilities: unconditional security, computational security
- Unconditional security: an example is the one-time tape
- Most systems have computational security
- How much security to have? Depends on a cost-benefit analysis for the attacker
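The one-time tape as an added illustration (not from the original slides) of why its security is unconditional rather than computational, and of its failure mode: the sample messages and the fixed key bytes are constructed for the demo.

```python
def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time tape: XOR each plaintext byte with a fresh, uniformly random key byte."""
    assert len(key) >= len(plaintext), "the tape must be at least as long as the message"
    return bytes(k ^ p for k, p in zip(key, plaintext))


otp_decrypt = otp_encrypt  # XOR is its own inverse, so decryption is the same operation


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Unconditional security: for a ciphertext-only attacker every plaintext of the same
    length is equally plausible, because some key maps the ciphertext to it. Return that key."""
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Failure mode: reusing the tape. c1 XOR c2 = p1 XOR p2 (the key cancels), so the
    attacker learns the XOR of the two plaintexts without knowing the key at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```

No amount of computation distinguishes the true plaintext from any other candidate of the same length, which is what "unconditional" means; the guarantee evaporates the moment a tape byte is used twice.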

Public-Key Systems
- Shared-key systems: difficulties in key distribution, C(n,2) = O(n^2) keys
- Public key system: a public component and a private component
- Two kinds:
  - Public key distribution: establish a shared key first
  - Public key cryptography: use public/private keys in encryption/decryption
- Public key cryptography can also be used for digital signatures

Some Popular Systems
- Private key systems: DES, 3DES
- Public key systems:
  - RSA: based on the difficulty of factoring
  - Galois-Field (GF) system: based on the difficulty of finding discrete logarithms
  - Systems based on the knapsack problem

Key Management
- Keys need to be generated periodically: new users; some keys may be compromised
- Addressing the O(n^2) problem with key distribution:
  - Link encryption
  - Key Distribution Centre (KDC): all eggs in one basket
  - Multiple KDCs: better security
- Key management is easier in public key systems

Some Non-Crypto Attacks
- Man-in-the-middle attack: play a trick by being in the middle
- Traffic analysis: can learn information just by looking at the presence/absence of traffic, or its volume; can be countered using data padding
- Playback or replay attacks: to counter, need to verify the timeliness of a message from the sender while authenticating; beware of issues of time synchronization
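The replay countermeasure from the last bullet, as an added example that is not part of the original slides: the sender tags (timestamp, nonce, payload) with an HMAC, and the receiver accepts only messages whose tag verifies, whose timestamp is within a clock-skew window, and whose nonce has not been seen inside that window. The shared key, the 30-second skew allowance and the wire format are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict

KEY = b"constructed-demo-shared-key"  # assumed pre-shared secret, demo only
MAX_SKEW_SECONDS = 30  # assumed tolerance for imperfect clock synchronization


def build_message(key: bytes, payload: bytes, now: float) -> bytes:
    """Sender: authenticate timestamp, nonce and payload together so none can be altered."""
    nonce = os.urandom(8).hex()
    header = f"{int(now)}|{nonce}|".encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).hexdigest()
    return header + payload + b"|" + tag.encode()


class Receiver:
    """Rejects forged, stale and replayed messages; remembers nonces only for the skew window."""

    def __init__(self, key: bytes, skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.skew = skew
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it arrived with

    def accept(self, wire: bytes, now: float) -> bool:
        ts_b, nonce_b, rest = wire.split(b"|", 2)
        payload, tag = rest.rsplit(b"|", 1)
        header = ts_b + b"|" + nonce_b + b"|"
        expected = hmac.new(self.key, header + payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode()):
            return False  # forged or modified in transit (authentication failed)
        ts = int(ts_b)
        if abs(now - ts) > self.skew:
            return False  # stale, or the two clocks disagree by more than we tolerate
        # Old nonces can be forgotten: a message that old would fail the skew check anyway.
        self.seen = {n: t for n, t in self.seen.items() if t >= now - self.skew}
        nonce = nonce_b.decode()
        if nonce in self.seen:
            return False  # a replay of a message that is still within the window
        self.seen[nonce] = ts
        return True
```

The timestamp bounds how long the receiver must remember nonces, which is why the two checks are used together rather than either one alone.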
