Embed Size (px)
Citation preview
TATIONpRÆSEN
April 19, 2023
AARHUSUNIVERSITET
SYSTEM SECURITY MECHANISMS
1. TRUSTED COMPUTING BASE2. FIREWALLS3. VIRUS SCANNERS 4. INTRUSION DETECTION5. SECURITY POLICIES6. ACCESS CONTROL7. JAVA SECURITY
1
outsiders
insiders
April 19, 2023
AARHUSUNIVERSITET
TRUSTED COMPUTING BASE – TCB › Mostly a concept associated to insider attacks, but applies generally
› The TCB is the part of the system which is assumed to perform correctly even when under attack
› Examples:› “We assume that all Windows programs on all machines perform correctly
as long as the attacker did not have physical access to the machines”› “We assume the Unix kernels on all machines in the company perform
correctly as long as the attacker did not have physical access to the machines”
› “We assume the IBM 4758 in the basement does not leak the secret key stored on it to anyone which does not have the password”
2
April 19, 2023
AARHUSUNIVERSITET
KEEP THE TCB SMALL› The smaller the TCB the more likely it is that it will actually remain secure in practice› Easier to protect› Easier to supervise› Easier to debug before use› …
› The goal is then to use the assumption that the TCB is secure to make the rest of the system secure
› When designing system security it is important to make it clear to oneself what ones TCB is› Often larger than expected› Might not fit the threat model…
3
April 19, 2023
AARHUSUNIVERSITET
INSIDERS / OUTSIDERS› System security is about protecting e.g. a company’s network› Network security on the other hand was about protecting information when
in transit, e.g. between companies
› One often distinguishes between insider attacks and outsider attacks› Insider attacks are by legitimate users like an employee› Outsider attacks are from entities not intended to use the system, like an
employee of a competitor
› Fairly easy to protect against outsider attacks: lock all doors, paint all windows black, cut all network cables going out of the house and close all wireless connections› Does not work for insiders
4
April 19, 2023
AARHUSUNIVERSITET
WHAT IS YOU NEED A NETWORK CABLE OUT OF THE HOUSE?› Often the simple solution to outsider attacks does not work as you would like to have communication with the outside› Customer to see you homepage› Family to send you e-mails
› If you have a cable out of the house you will be forced to receive at least one network package from the attacker› Even if you authenticate all access, you don’t know who sent the first IP
package until after the authentication protocol is done
› Often the attacker needs to send just one package› Stack overflows› Bad users› Bad operating systems 5
April 19, 2023
AARHUSUNIVERSITET
FIREWALLS: TALK TO MY ATTORNEY› The principle behind firewalls is to let one machine talk to the outside› Easier to configure one machine to be robust enough to talk to the
attacker than configuring the entire network of machines › The firewall becomes part of the TCB
› The firewall then completely protects the rest of the network against outside traffic or allows only certain benign traffic to reach insider machines
› Another example of this principle are VPNs, where the VPN proxy does the authentication after which the private machine is let into the network› It is verified as an insider
6
April 19, 2023
AARHUSUNIVERSITET
HANDLING WEB SERVERS› Often web servers are placed outside the firewall
› They have to communicate heavily with the outside
› They are often less critical than insider machines with e.g. accounting information
› They do not need access to insider machines› Write out: Insiders are trusted to write to the web server› No read in: The web server is not trusted to look inside the intranet
7
April 19, 2023
AARHUSUNIVERSITET
THE PROXY IDEA
8
42.42.42.42
41.41.41.41
40.40.40.40
• Also hides internal network structure
• Can filter out evil inputs even from allowed traffic
Might not be able to handle all types of applications used by insiders
httphttp
ping
April 19, 2023
AARHUSUNIVERSITET
VIRUS SCANNERS› Virus scanners are used to prevent and detect malicious code
› Everything that can be executed can be a virus› .exe files› Macros in excel sheets› Java applets in web pages, …
› Prevents by scanning incoming traffic like e-mail to see if they contain known viruses
› Detects by scanning the harddisk, memory, boot sector and other writable areas to see if they contain viruses
› They look for virus signatures:› Pieces of code or character in the description of the virus which does
not change as it spreads9
April 19, 2023
AARHUSUNIVERSITET
VIRUS COUNTERATTACKS› Write new viruses often
› Takes a long time before all scanners are updated› Years!
› Hide where the scanner does not look› Boot sector› Memory› Memory sticks› Backup DVD’s
› Mutate: Some viruses spread and hibernate as ( K, EK(virus.exe), boot.exe )
› K is a fresh random key each time› boot.exe is a small obfuscated program for decrypting and then
executing virus.exe
10
April 19, 2023
AARHUSUNIVERSITET
INTRUSION DETECTION› Impossible to prevent all intrusions without cutting the cable
› Next best is to detect and recover› Easy to detect a malicious virus which e.g. deletes all disks
› And easy to recover using a backup› Harder to detect a more subtle virus which e.g.
› just reads keystrokes to learn passwords and then sends them back to a hacker› uses your machine to send spam e-mail
› There are at least three ideas used to detect subtle viruses:› Rule based› Statistical› Honey pot
11
April 19, 2023
AARHUSUNIVERSITET
RULE BASED› A huge database of disallowed behaviour is constructed
› You cannot send 100 e-mails per minute› You cannot try to access the password file› …
› The TCB checks all processes and alarms if anyone does anything disallowed
› Hard to make efficient without having intended users suffer too much› You might send e-mail to a mailing list› You might try to access the password file by mistake, doing e.g. “find . –
name forgottenfile” in the root directory› Hard to predict all bad behaviour
12
April 19, 2023
AARHUSUNIVERSITET
STATISTICAL› Instead uses statistics to build a profile of typical behaviour
› If behaviour suddenly changes an alert is raised
› Can detect unpredicted bad behaviour
› Hard to not get many false positives if it is to be effectice
13
April 19, 2023
AARHUSUNIVERSITET
HONEY POT› Create interesting resources which no honest users accesses› If old versions of programs are known to have stupid bugs, like
storing password in cleartext in some known file, see if a process accesses it
› The Matrix: Sometimes entire virtual machines are created as honey pots, with e.g. Wmware› Made particularly easy to break into so the virus/hacker will go for
these first› If the hacker/virus destroys it, it is not a catastrophy› Can log every move of the hacker/virus and study it afterwards› Today many hackers/viruses detect if they are virtualized and behave
benign if they are14
April 19, 2023
AARHUSUNIVERSITET
INSIDERS› We now turn to the insiders
› Not all insiders are allowed to do the same to all parts of the system
› To structure our thoughts when formulating who can do what to which parts we use › Security policy models: What to consider and how to formulate it› Security policies: A concrete decision of who can do what written in
the model› Mechanisms: How the TCB enforces the policy
15
April 19, 2023
AARHUSUNIVERSITET
RECURRING CONCEPTS› Objects o: Files, Devices, Hardware, …› Subjects s: Users, Processes, …› Entity: The set of objects and subjects› Classes: Example: {restricted, confidential, secret}› Classification C: Maps entities to classifications, e.g., C(Jesper) = secret
› Lattice: Partial ordering on classes with a top element and a bottom element:
16restricted
confidential
secret
guest
user1
administr
atoruser2
April 19, 2023
AARHUSUNIVERSITET
BELL-LA PADULA POLICY› First lattice model
› Mainly intended for military use, confidentiality
› No read up: s can read from o iff C(o) C(s)
› No write down: s can write to o iff C(s) C(o)
› Ensures that info cannot flow from o1 to o2 if C(o2) C(o1)
17restricted
confidential
secret
guest
user1
administr
atoruser2
April 19, 2023
AARHUSUNIVERSITET
BIBA POLICY› Focuses on authenticity
› No read down: s can read from o iff C(s) C(o)
› No write up: s can write to o iff C(o) C(s)
› Ensures that info cannot flow from o1 to o2 if C(o1) C(o2)
18bull shit
plausible
verified
April 19, 2023
AARHUSUNIVERSITET
CHINESE WALL› Focuses on separating domains
› No order on classes
› No information can flow from objects of one class to objecta of another
› Example: If a subject ever read an object containing information about customer 1 it can never write a file belonging to customer 2
› Used e.g. be large consultancy houses
19customer 2customer 1
April 19, 2023
AARHUSUNIVERSITET
ACCESS CONTROL› Used to enforce a given policy
› Sometimes it is the policy
› Each subject is now given a list of rights over objects› Called the access control matrix› Usual to store rows at users or columns at files
› Groups of users and classes of files are used to keep the access control matrix small
› With discretionary access contriol, where subjects can change the matrix,it can be undecidable if a given subject can end up being allowed to read a given file
20
Alice
Bob
file1 file2
read delete
write read
User capability, Windows
AccessControlList, Unix
April 19, 2023
AARHUSUNIVERSITET
JAVA SECURITY› We look at security policies and enforcements in Java
› The Java compilers compile to platform independent byte code, stored in .class files
› The Java virtual machine, JVM, runs .class files often packed in .jar files
› The JVM runs in browsers, washing machines, cell phones, …
April 19, 2023
AARHUSUNIVERSITET
JAVA SECURITY –1.0 › The Java virtual machine does extensive checks on the byte code before loading to ensure that it sticks to the semantics of Java: › No invalid type casts› No index out of bound errors › No interpreting integers as points› No access to private members from outside an object› …
› JVM handles all memory collection to avoid the many errors with calls to free and delete in C and C++
› Places the class loader and JVM in the TCB, but not the compiler or the sender of the .class file!
April 19, 2023
AARHUSUNIVERSITET
JAVA SECURITY – 1.0 › The is a distinction between locally stored .class files and .class files obtained from the outside› Insiders are called Java applications› Outsiders, typically run by browsers, are called Java applets
› Applications are allowed all rights that the user have
› Applets are sandboxed› They cannot read or write files or parts of the screen outside
themselves› They cannot establish Internet connections
› Except to the machine from which they were downloaded› The note has an interesting list of historic bugs that I will not go
through here
April 19, 2023
AARHUSUNIVERSITET
JAVA SECURITY – 1.1 › Introduced the concept of a signed applet
› If the.jar file is signed by a trusted party then it is given same rights as a Java application when executed
› Allows, e.g., a browser-based web-bank solution to read the file on the disk containing your secret key› Needed to sign transaction requests
› Ultimately placed all trusted parties in your TCB!› They can read all your files and send them to any machine on the
Internet› Maybe by mistake › Maybe because
April 19, 2023
AARHUSUNIVERSITET
JAVA SECURITY – 1.2 › Refined the concept of a signed applet
› Allows to give access to only some files and some connections
› Code Source: Where does the .class file come from, or rather, who signed it
› Permission: The right to e.g. read a particular file
› Policy: Maps code sources to permissions› E.g., “if signed by www.handelsbanken.dk then it may read c:\
0000199.usf”
› Implications: Partial order on sources and permissions› E.g., “if signed by www.handelsbanken.* then it may read c:\*” implies
the above right
April 19, 2023
AARHUSUNIVERSITET
CODE SOURCE › The .jar file contains
› URL of provider› Signature of provider on the .jar file› Certificate of provider
› From which the public key can be extracted
› If the certificate is valid and contains the URL in the .jar file and the signature is valid under the public key of the provider, then the URL in the .jar file is added to the code source
› There can be several URLs in the code source
April 19, 2023
AARHUSUNIVERSITET
PERMISSIONS› Contains a target and a list of rights
› File example› Permission1 = C:\* read, exec› Permission2 = C:\0000199.usf read› Permission1 implies Permission2, but not vice versa
› Socket example› Permission1 = *.au.dk:100-200
connect,accept› Permission2 = imap.nfit.au.dk:143 connect› Permission1 implies Permission2, but not vice versa
April 19, 2023
AARHUSUNIVERSITET
POLICY› A table of code sources and permissions
› Stored in a plain ascii file by default› Take care who can edit it!
› Example:
Code Source Permissionwww.handelsbanken.* C:\*; read*.nfit.au.dk imap.nfit.au.dk:143;-connect
› This policy would allow › My webbank solution to read my key file if signed by
www.handelsbanken.no› An applet-based webmail solution to connect to my e-mail account at the
university
