Protection and Security

Security -- a measure of confidence in the ability of a system to maintain the intregrity of its resources and access to them.

Purposes of protection:

• prevent mischievous modifications (our system has been hacked several times)
  • login trojan horse
  • Morris worm
  • set uid flag (necessary for mail -- and game playing) what happens if a system binary has set uid and its binary is world writable?
• increased reliability

  avoid system failures/lose of resources)

• reduce damage resulting from blunders/failures

  we had a graphics editor that used "*" as a default file name

  rm *

• copyright protecting/licensing

  nuisance of license servers

• privacy

  credit ratings, health records

• protect valuable information

  UNIX source code

• misuse of system

  no games

  (fraternity at Tech won contest by running off 100,000 (or so) entries)

These problems have always existed, but since Internet, have become more acute.

Free software foundation: all software should be free (since making extra copies costs almost nothing). Do you agree?

Protection provides mechanisms to enforce policies. Sometimes mechanisms drive policy (an old problem with computer system, not limited to security policy).

OS must protect objects: CPU, files, etc. It is processes which act on objects. What can be done with an object depends on its type; security concerns depend on what can be done to/with object.

We don't want you to be able to send commands to dial our modems.
We want to be sure you can't (advertently or whatever) modify /etc/passwd file except in a very controlled fashion.

Access Domains

We can represent an object and its access list as an ordered pair:
< obj, {list of access rights} >. So domain 1 may contain:

   < O1, { read, write } >
   < O3, { read, write, execute } >
   < O4, { read, write, delete } >
   < O5, { login } >
   < O6, { dialin } >
   < O7, { dialout, reset, reconfig } >
   .
   .
   .
   < On, { set, unset } >

In terms of designing a particular OS, decisions must be made as to what domains are defined.

Can be in terms of userids, processes, groups, procedures. Most commonly, each user has a separate domain. Advantage of domain assigned to a procedure is that whenever a program calls that procedure, the program acquires its access rights, and then uses them when the procedure returns.

Examples:

1. MVS -- system runs in two modes, supported by hardware: user and supervisor. To breech security only required finding a way for a process to successfully shift from user to supervisor mode without detection.

2. UNIX -- one mechanism intended to provide controlled access is the use of "set uid". This is a flag associated with a file (shows up as an "s" rather than an "x" in the owner flags from ls. Check the mail program). Usually all access is determined according to the user id of the individual who started the process. So whatever permissions your userid has, any process you start will have -- unless its a set uid process.

   For these special processes, the process assumes the access rights of the owner of the file rather than the person running the process. So if a file is owned by "root" and has the set uid flag, then even if you run it, it runs as root. In UNIX, root, also called the super-user, has all access rights.

   Any command you run which must modify anything to which you do not have access will have set uid, normally as root. For example,

   mail must write in /var/spool/mail/ where is the recipient.

   yppasswd must change /etc/passwd so you can change your passwd.

   ping needs network access.

   submit must write into various directories.

   nethack writes into score file.

   lpr writes into spool file.

   You can give files set uid with the chmod command. But you must own the file to do this. So if you want to provide a tool which anyone can run, but when it runs, it acts like you are running it, then you can set uid on the file with chmod o+xs . Whoever runs it will look (to the OS while this command is running) like you. If you can change the contents a file owned which has set uid, then you have complete access to everything on the system (except for encrypted stuff). This is a commonly exploited hole in UNIX. As UNIX proliferates, many new sys admin types are unaware of how dangerous set uid files are.

   Question: what do you discover if you find files with permissions -rwsr-xr-x owned by root in response to typing ls -lR | grep "^-r.s" | more ?
   With permissions -rwsrwxrwx?

Access Matrix

 +---------------------------------------------------------+
 |   \ obj |         |        |        |        |          |
 |dom \    |    F1   |   F2   |   F3   |  ptr A |  term A  |
 +---------+---------+--------+--------+--------+----------+
 |  D1     |  read   |  exec  |        |        |          |
 |  D2     |         |        |        | print  |read,write|
 |  D3     |         |        |        |        |          |
    .
    .
    .

Common to combine: have access lists (used for first access to object), then, if access successful, add to capability list of process for future accesses of object.

Lock-key scheme: each object has one or more locks, domain.

Must be able to change access privileges. So

 +---------+---------+--------+--------+--------+----------+------+------+------+
 |   \ obj |         |        |        |        |          |      |      |      |
 |dom \    |    F1   |   F2   |   F3   |  ptr A |  term A  |  D1  |  D2  |  D3  | ...
 +---------+---------+--------+--------+--------+----------+------+------+------+
 |  D1     |  read   |  exec  |        |        |          |      |switch|      | ...
 |  D2     |         |        |        | print  |read,write|      |      |switch| ...
 |  D3     |         |        |        |        |          |      |      |      | ...
    .
    .
    .

• Physical restriction
• Knowledge
• Tokens

In the second, the best example is passwords. Problem is that passwords are often easily guessed (e.g., birth dates, maiden names, pet/children/car names, initials of common expressions). And too easily passed around. And too often written down. Some dial-in systems use a call-back mechanism: you dial-in, pass the password test, (the modems may also exchange some data which you don't know about) then the system hangs up and dials your number; the modems can exchange data again.

Tokens: badges, thumbprints, voice prints, signatures, vessels in retina.

Encryption

Generally have encryption algorithm, which uses a user supplied key to compute encrypted data.

In UNIX, password file, /etc/passwd, is publicly readable and is used for a bunch of things (on networks it gets more complicated so that you can log onto any machine). It contains an encrypted form of your password. Then login program prompts you for your password, encrypts it, then looks in /etc/passwd for your user-id and compares the encryption with the password there. Since the same encryption is used, the strings should match. (I think is also uses your userid, so that two users with the same password will not produce the same encryption in /etc/passwd.)

A common system cracking tool, once you have found one userid/password so that you can get onto a system, is to run the crypt program, using the userids in /etc/passwd and all the words in /usr/dict/words (a file on all UNIX system, contains ~25,000 common words, used for spell checking) as passwords. This takes a LONG time, but if you're running on someone else's system, who cares?

(What I`m doing here is controversial. Many UNIX system administrator types do not like such casual spreading of common UNIX weaknesses. I believe that it is dangerous to rely on ignorance as a basic security tool. Particularly with UNIX. Too widely used.

If you're a sys admin type, you should check your password file like this -- other people are. Scripts to do this are widely available. And you should check for set uid files. We had someone in California check our files last year, but they had access to a dictionary of one of the widely used Indian (as in India) languages, I forget which one. They found a bunch of passwords. And reported them to us.

DES

1. D( k, E( k, m ) ) = m
2. D, E are efficient
3. Knowing D and E are not sufficient to decrypt m.

public encryption key: ( e, n )
private key: ( d, n )

where

d, e are elements of Z+ (pos. ints)

m (the message) is element of { 1 .. n-2 }

then

E( m ) = m**e mod n = c

D( c ) = c**d mod n.

n is a product of 2 very large randomly chosen primes (> 100 digits), p, q.

d is a large randomly chosen integer relatively prime to p-1 and q-1, i.e.,

gcd( d, (p-1)(q-1) ) = 1.

and e is the multiplicative inverse of d mod (p-1)(q-1). I.e.,

e * d mod (p-1)(q-1) = 1

So n is known, but p and q are not.

Example:

p = 5, q = 7 (so n = 35 & (p-1)(q-1) = 24)

pick d = 11 (since gcd( 11, 24 ) = 1.

then e = 11 also since 11 * 11 mod 24 = 1

If m = 2, then

c = 2 ** 11 mod 35 = 18,

and

18 **11 mod 35 = 2.

(The bug found in the Pentium chip came from a faculty member at Mary Baldwin trying to factor some large primes.)

In the cold war error, the CIA stopped publication of some encryption research. It is not clear if they were genuinely worried about how good the proposed algorithms were or if they were trying to convince the Soviets to use them. Known as the briar patch defense: No! Not that! Don't use that!! It will ruin us. Please, no. (heh, heh, heh).

Federal government is concerned about the use of these technologies; can make it impossible to wiretap. As telephones go digital, this is perceived as a real problem. In process of providing a "clipper chip" for use in digital communications. This will enable wiretapping on court order. Much controversy here.

Threats

Trojan horse -- a program which appears to provide some useful service, but does something undesirable.

A common one is to write a program that clears a screen and then writes:

          Old Dominion University
          Department of Computer Science
          SunOS 4.1.3 (marigold)

          login:

then reads from the screen. It will then wait patiently for someone to type his/her userid, and echoes each character as it is typed, then types

          Password:

on the next line. This time it does not echo what is typed. After the user types a return, it types:

          Login incorrect.

then issues the logout system call. Of course after saving the userid and password.

Easier. If you have "." in your path (type echo $path to see) and you cd to a friends directory, if he/she has any files which are the same as system commands, then you will run that code rather than the system command. It might do interesting things.

Trap door -- often, system programmers leave shortcuts in code to reduce the irritation/delays/overhead that mere users must go through to get onto a system (it's human nature). These are undocumented and are often left in the code.

(somewhat similar are cookies: undocumented commands left in a system for the amusement of those in the know. To really be a cookie, it should be harmless, and only known by "those in the know". Mac systems will display a picture of its original developers if you know the key strokes.)

Worms -- worms are programs that spawn mechanisms to clobber a system.

The most famous is Robert Morris', a first year Cornell grad student. It almost brought down Internet in 1988. Morris designed a self-replicating program (which exploited well-know problems/opportunities with rsh, which allows easy access to other machines on a network without checking passwords, with debugging code often left running in sendmail, and with the lack of array range checking (a nice feature of C) in finger. See text for a more complete discussion.

Viruses -- similar to worms, but are (almost) completed limited to the PC, Mac world. Multiuser systems are seldom affected since by their nature they contain several security mechanisms which are lacking/inappropriate on single user systems. Are usually introduced by the owner of the PC or Mac downloading some code which contains a virus, though some vendors have also shipped blister-packed software with viruses. Sometimes these are whimsical, sometimes very destructive. Once the program containing them is started, it will copy fragments of its code into other executables, so that even if the offending program is removed, the virus remains and can keep replicating itself. If it contains a time delay (doesn't do anything to make its presence know for some time), then it can have been infected backups also. Often the boot sector of the main drive is infected. Most PCs come with viral detection programs which detect change in checksums of programs.

Evaluation of Protection Mechanisms

security -- how effective is the mechanism?

flexibility -- how easily can the mechanism respond to change (system changes, user changes, change in individual user needs)?

efficiency -- how costly is the mechanism? what is the impact on system performance?

convenience -- what is the impact on the user community?

Two war stories:

1. at an unnamed school west of here, a computer science student was charged for changing grades on the admin system.

   security mechanisms used:

   • ignorance (system was obtuse to use even if you had full access to IBM manuals. almost impossible to understand). This is an all-too-commonly used mechanism -- and causes false confidence.
   • data base changes were transaction-driven. A special application program was written for each transaction. Execution of this program was password protected. In addition, the program had to be registered with the security system before it could access specified parts of the database.
   • the program could only be run from specified workstations (this is part of the program registration process mentioned above)
   • the program could only be run during specified time periods (also registered)
   • access to the workstation was physically controlled.

   Any changes to the above required rerunning a tightly controlled security generation program and would only become applicable at the next "sysgen".

   Security assumed that few people would know about all of the restrictions.

   How would you breech such a system?

   (Hint, it might help to have a part-time job in the computing center, so you could temporarily unplug a workstation in the registrar's office and plug a computing center workstation into the same port (which is how workstations were identified). And to have a girl friend/boy friend work in the registrar's office who knew the password, work schedule (when someone would not be using the workstation) and which workstation was used for this transaction.)

2. System at HP: provided physical security to machine room. To get it, had to go into small room, close door. Place badge (with magnetic strip) into reader, repeat randomly selected phrase into voice registration system, signed name. With luck, could then open inside door.

   It helped not to catch a cold. And not to get pregnant. (To keep several people from slipping through together, as the staff was prone to due since this procedure is something of a nuisance, the weight of each person was looked up and the floor of the room was really a set of scales.)

   Incidentally, recognition of a signed name by the system was based only on the pressure pattern (how hard you push down and when) and not on the physical appearance of the signature. Impossible (almost?) for forgers to fool because they are good at appearance. But once you know what it's checking, if you can experiment, then it is much easier to fool. But you have to understand what it's checking.

Index	Previous	Next

Copyright ©1998, G. Hill Price
Send comments to G. Hill Price