Operating System Security: Chapter 20, sections 20.1 through 20.6;
------------------------------------------------------------------------------

What do we mean by a "secure" OS?
  - a vague concept; basically, it means the OS makes sure its resources are
    used and accessed as intended, even under malicious attack;

Security violations:
  - disclosure of information:
    - unauthorized read;
  - integrity of information:
    - unauthorized write;
    - unauthorized destruction;
  - denial of service:
    - stops the system from functioning properly;
    - example: TCP SYN packet attack;

Mechanisms to ensure security:
  - Trusted Computing Base (TCB):
    - the collection of hardware and software that cannot be modified and is
      known to be correct;
    - starting from the trusted computing base, the security of the whole
      system can be reasoned about;
    - example: a TCB may include the hardware, the OS, and the firmware (the
      boot ROM); in UNIX, the TCB includes all setuid root programs as well;
  - Ratings of OSes:
    - the DoD (Department of Defense) classified the level of security in
      systems into four levels: D, C, B, A;
    - D is essentially no protection; MS-DOS and the Macintosh belong to this
      level;
    - C is discretionary control; C includes C1 and C2; most UNIXes are C1;
      WinNT supposedly can be configured to satisfy C2-level security;
    - B includes B1, B2, and B3, which are different levels of mandatory
      control systems;
    - A includes A1 and beyond; must use formal verification techniques; very
      few OSes are A-level systems;
    - constraint of such ratings: military purpose; they consider the OS in
      isolation and do not address network security;

The "Principle of Least Privilege": the system should give a subject (process,
user) only enough privilege to do what it has to do, and no more than that;
-------------------------------------------------------------------------------

Common security problems:
  - passwords:
    - easy-to-guess passwords;
    - default passwords for default accounts never changed;
    - cracking passwords;
    - solutions: one-time passwords; challenge & response:
      - a shared secret, S, between the user and the system that is never
        transmitted;
      - the system presents a challenge C;
      - the card calculates f(S, C) and returns it to the system; f is secret
        and implemented in hardware;
      - the system verifies the result and allows the user to log on;
      - in some systems, the seed S is the current time;
      - many cards also need a password to unlock the card;
    - accounts on multiple machines: Kerberos;
  - programmed threats:
    - Trojan horses;
    - trap doors;
    - setuid root program problems:
      - forcing setuid root binaries into runtime errors that change their
        behavior;
    - Example 1: the Internet worm of 1988:
      - combined denial of service attacks with setuid root program attacks;
      - targeted Version 4 BSD UNIX;
      - consisted of a bootstrap program and the worm program;
      - infection methods:
        1. a 536-byte string overflowed the finger daemon's buffer and changed
           the return address, so that a new procedure was called, which did
           exec("/bin/sh");
        2.
           sendmail's debug option;
      - once uploaded, the worm guesses passwords; after that, it searches for
        .rhosts files under the user's account in order to rsh to other
        machines;
  - viruses;
-------------------------------------------------------------------------------

OS security tools:
  - audit logs;
  - Tripwire;
  - books that list common vulnerabilities;
------------------------------------------------------------------------------

Network Security:
  - Cryptographic tools:
    - encryption:
      - DES (Data Encryption Standard);
    - public key systems:
      - RSA protocol;
      - Diffie-Hellman protocol;
    - example application: SSL (Secure Socket Layer);
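The challenge & response login sketched under "Common security problems" above, as an added example that is not part of these notes: a constructed shared secret S, a server that issues a fresh single-use challenge C, and a card whose f(S, C) is assumed here to be HMAC-SHA256 (the notes say f is secret and in hardware; HMAC stands in for it). It also shows why each challenge must be accepted only once: a response captured from one login is refused against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret S, provisioned into both the card and the server.
SHARED_SECRET = b"constructed-shared-secret-S"


def card_response(secret: bytes, challenge: bytes) -> str:
    """The card's f(S, C). The notes say f is secret and in hardware; this
    example assumes HMAC-SHA256 in its place (a keyed one-way function)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class LoginServer:
    """Server side: holds S, hands out fresh challenges, checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # user -> outstanding challenge C (single use)

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh, unpredictable C
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # consume C: one use only
        if challenge is None:
            return False
        expected = card_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(server: LoginServer, user: str, card_secret: bytes) -> bool:
    """One round trip. Only C and f(S, C) cross the wire, never S itself."""
    challenge = server.issue_challenge(user)
    return server.verify(user, card_response(card_secret, challenge))


def replay_is_rejected(server: LoginServer, user: str) -> bool:
    """Why single-use challenges matter: a response captured from one login
    does not match the next challenge, so replaying it is refused."""
    challenge = server.issue_challenge(user)
    captured = card_response(SHARED_SECRET, challenge)  # value seen on the wire
    server.verify(user, captured)  # the legitimate login consumes C
    server.issue_challenge(user)  # server now expects f(S, C') for a new C'
    return not server.verify(user, captured)
```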