Monday, November 22, 1993

Last week: Chapter 10 with Dr. Zhao
Now: Chapter 11
Today: Security and Protection

-------------------------------------------------------------------------------

Protection: mechanism for controlling the access of programs, processes, or
users to the resources defined by a computer system. Must be able to specify
the controls to be imposed and must provide some form of enforcement.

Security: a measure of confidence that the integrity of a system and its data
will be preserved.

Protection deals with internal problems.
Security also must deal with external problems.

-------------------------------------------------------------------------------

Security facets: the major ones are data loss and intruders

- Data loss (relatively manageable by backups)
    Acts of God: fire, floods, earthquakes, wars, etc.
    Hardware or software errors: unreadable disks and tapes, program bugs, etc.
    Human errors: incorrect data entry, wrong tape or disk mounted, etc.

- Intruders: passive (just looking around) and active (modifying data)
  Some categories include:
    Casual prying, snooping by insiders
    Determined attempts to make money (stealing the rounded interest;
      siphoning off unused accounts; blackmail)
    Espionage, commercial and governmental
    Malicious abuse (consume system resources; destroy or alter data; etc.)

-------------------------------------------------------------------------------

Security flaws   [Much of this discussion on Security comes from Tanenbaum]

- Errors in system program designs: a suid version of lpr that removed files
  without checking privileges

- Insufficient legality checking (a general problem with suid shell scripts):
  a process is composed of two actions. The user interrupts the suid process
  after the first action, modifies the environment, then continues with the
  second.

  Concrete example: mkdir used to (1) create the directory with mknod and then
  (2) chown the owner from root to the user.

      mkdir foo
          mknod        (associates the name foo with a new inode)
      --- pause mkdir
      --- rm foo and link some system file to it
      --- resume mkdir
          chown        (user now owns the system file)

-------------------------------------------------------------------------------

Listening to network traffic or detecting electromagnetic radiation from the
computer site

-------------------------------------------------------------------------------

Trojan horse attack

- Simple one: leave a running process that fakes a login prompt but caches the
  user name and password to a file

- Why . is no longer first on many people's path (e.g., an executable file named
  "ls" in /tmp). If it behaves as the real ls (but does not show itself), many
  people will never notice!

-------------------------------------------------------------------------------

Trap doors left by some previously trusted person

- Doomsday machine scenarios: "trash the system if I am not in the payroll file"

- Insert special code in system programs that gives special privileges to
  specific users or on a specific password

  But this is easy to detect---how about putting code in the compiler to
  generate such instructions for any program compiled with the compiler?
  People rarely compare object to source!

  Still possible to detect if someone else starts maintaining the compiler.
  But what if we are bootstrapping and the code is in an early version of the
  compiler but then taken out? The object code retains the functions but the
  source doesn't show them anymore!

-------------------------------------------------------------------------------

TENEX password problem

- TENEX (PDP-10) included a way of invoking a user function on each page fault
  (to permit user monitoring of a program's behavior)

- Also required passwords to access a file

- Scenario: arrange the password so it falls across a page boundary: A/AAAAA.
  Attempt to access the file. If the page fault happens before "Illegal
  access", then the first character is right. If not, change the character and
  try again. Only 128 characters, so you'll get it right eventually!
  Then move on to character two of the password: VA/AAAA, and so on.
  128*n versus 128^n different trials.

-------------------------------------------------------------------------------

Internet worm (November 2, 1988)   [Spaf's TR]
[Robert Tappan Morris, Jr.; ironically, RT Morris Sr. is a well-known NSA
computer security expert, formerly of AT&T Bell Labs]

Consisted of a bootstrap and the worm proper

  Bootstrap: 99 lines of C named l1.c; tried to install itself and, if
  successful, acquired the worm from the machine it came from and started it

  Worm: tried to hide its existence; checked to see if it was already running
  on the machine and in 6/7 cases terminated if so. If not terminated, it
  tried to (1) break user passwords and (2) spread to other machines

Spreading to other machines

  (1) use broken passwords to get to other machines the user has accounts on

  (2) attempt to find "trusted hosts" and rsh to them

  (3) exploit a bug in the finger program (finger / fingerd relationship)
      fingerd failed to check for buffer size
      finger a specially crafted 536-byte-long string; on the fingerd side
        this overflows the allocated buffer, overwriting parts of the data
        stack (e.g., the return vector)
      fingerd is thus caused to return control to this corrupted area
      code here attempts to create a shell (execute /bin/sh); if successful,
        then successful penetration of the system

  (4) exploit system administration sloppiness
      sendmail has a "debug" option that is supposed to be disabled
      if not disabled, it permits execution of commands
      worm checked to see if destination hosts had debug disabled and took
        advantage if not

Primary effect of the worm was to occupy most of the machines' cycles (the 1/7
was not enough to keep it from taking over). This is the primary reason why it
was noticed.
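The mkdir race from the "Insufficient legality checking" slide above, as an added example (not from the lecture and not historical mkdir source): a two-step operation that looks the name up again for its second step, beside a version that holds the descriptor from the first lookup. chmod stands in for the original chown so it runs unprivileged; the stand-in "system file" and the rename are constructed.

```python
import os
import stat
import tempfile

def two_step_by_name(dirpath, pause):
    """Model of the old mkdir: create by name, then fix up the result by NAME.
    `pause` runs between the two steps ("pause mkdir" on the slide).
    chmod replaces the original chown so no root is needed (assumption)."""
    os.mkdir(dirpath, 0o700)              # step 1: create the directory
    pause()                               # the window between the two actions
    os.chmod(dirpath, 0o755)              # step 2: second lookup of the name

def two_step_by_fd(dirpath, pause):
    """Hardened variant: look the name up once, keep the descriptor, and apply
    the second step to the descriptor. Whatever the name resolves to later,
    fchmod acts on the inode that was actually created."""
    os.mkdir(dirpath, 0o700)
    fd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        pause()
        os.fchmod(fd, 0o755)
    finally:
        os.close(fd)

def run_race(create):
    """Play the race against `create`. Returns (mode of the stand-in system
    file, mode of the directory that was really created)."""
    with tempfile.TemporaryDirectory() as tmp:
        system_file = os.path.join(tmp, "system_file")   # constructed stand-in
        with open(system_file, "w") as f:
            f.write("not really a system file\n")
        os.chmod(system_file, 0o600)
        foo = os.path.join(tmp, "foo")

        def pause():
            # "rm foo and link some system file to it": the directory is
            # renamed (not removed) so its mode can still be read afterwards
            os.rename(foo, foo + ".real")
            os.symlink(system_file, foo)

        create(foo, pause)
        file_mode = stat.S_IMODE(os.stat(system_file).st_mode)
        dir_mode = stat.S_IMODE(os.stat(foo + ".real").st_mode)
        return file_mode, dir_mode

if __name__ == "__main__":
    print(run_race(two_step_by_name))  # (0o755, 0o700): wrong object changed
    print(run_race(two_step_by_fd))    # (0o600, 0o755): new directory changed
```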
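Added example for the TENEX password problem above (a model written for these notes, not TENEX code): an early-exit compare whose observable work depends on how much of the guess is right, the constant-time compare that removes that dependence, and the 128*n versus 128^n count from the slide. The stored password and the guesses are constructed.

```python
import hmac

ALPHABET_SIZE = 128  # 7-bit characters, the 128 possibilities on the slide

def early_exit_check(stored: bytes, guess: bytes):
    """Model of the TENEX-style check: compare byte by byte and stop at the
    first mismatch. Returns (accepted, bytes_examined). On TENEX the number
    of bytes examined was observable: whether a page fault fired before
    "Illegal access" told the caller how far the compare got."""
    examined = 0
    for s, g in zip(stored, guess):
        examined += 1
        if s != g:
            return False, examined
    return len(stored) == len(guess), examined

def constant_time_check(stored: bytes, guess: bytes):
    """Hardened variant: hmac.compare_digest inspects every byte regardless
    of where the first mismatch is, so the work done (and the pages touched)
    does not depend on how much of the guess is right."""
    return hmac.compare_digest(stored, guess), len(stored)

def leaked_prefix_lengths(check, stored, guesses):
    """Distinct observables over a set of rejected guesses. A leaky check
    yields one value per matching-prefix length; a constant-time check
    yields a single value for all of them."""
    return sorted({check(stored, g)[1] for g in guesses})

def trial_counts(n):
    """Worst-case guesses for an n-character password: per-character oracle
    (128*n) versus brute force over the whole password (128**n)."""
    return ALPHABET_SIZE * n, ALPHABET_SIZE ** n

if __name__ == "__main__":
    stored = b"VX7PDQZ"                   # constructed sample password
    guesses = [b"AAAAAAA", b"VAAAAAA", b"VXAAAAA", b"VX7AAAA"]
    print(leaked_prefix_lengths(early_exit_check, stored, guesses))    # [1, 2, 3, 4]
    print(leaked_prefix_lengths(constant_time_check, stored, guesses)) # [7]
    print(trial_counts(7))                                             # (896, 562949953421312)
```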
-------------------------------------------------------------------------------

Note that many of the most effective breaches of security are not technological

- fake deposit slips
- easily guessable passwords
- calling people on the phone and asking for passwords (or credit card numbers,
  for that matter)

-------------------------------------------------------------------------------

Next: Protection (chapter 11)