INTRUDERS
One of the most publicized threats to security is the intruder, generally referred to as a hacker or
cracker. A significant issue for networked systems is hostile or unwanted access, whether it is gained
via the network or locally. Three classes of intruders can be identified:
Masquerader: - An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's
account (typically an outsider).
Misfeasor: - A legitimate user who accesses data, programs, or resources for
which such access is not authorized, or who is authorized for such
access but misuses his or her privileges (typically an insider).
Clandestine user: - An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls
or to suppress audit collection (an insider or an outsider).
Intrusion Techniques
The objective of the intruder is to gain access to a system or to increase the range of
privileges available on it. The basic attack methodology is to obtain information that should
have been protected; most often this information is a user password, which lets the intruder
exercise the access rights of the account's owner. Typical password-guessing techniques: try
default passwords, try all short passwords, try dictionary words and likely passwords, use
information about the user (name, spouse, pet, birthday), and wiretap the login exchange.
Intrusion Detection
Inevitably, even the best prevention system will have security failures, so a second line of
defence is needed: detect intrusions, so that
    the intrusion can be blocked before damage is done if it is detected quickly enough, and
    the existence of detection acts as a deterrent;
    information about intrusion techniques can be collected and used to improve prevention.
Detection assumes that the intruder behaves differently from a legitimate user, but the
distinction is imperfect: a tight threshold flags legitimate users (false positives), a loose
one misses intruders (false negatives).
Approaches:
    Statistical anomaly detection: threshold detection (counts of events such as failed logins
    over an interval of time) and profile-based detection (per-user measures such as login
    times, session duration via interval timers, and resource usage such as CPU or files).
    Rule-based detection: rules that describe known attack patterns or deviations from past usage.
    Honeypots: decoy systems designed to lure an attacker away from critical systems, collect
    information about the attacker's activity, and keep the attacker on the system long enough
    for administrators to respond.
2. PASSWORD MANAGEMENT
Password Protection
Virtually all multi-user systems require that a user provide not only a name or identifier
(ID) but also a password. The password serves to authenticate the ID of the individual logging
on to the system.
The ID provides security in the following ways:
    The ID determines whether the user is authorized to gain access to the system.
    The ID determines the privileges accorded to the user (e.g. ordinary user or superuser).
    The ID is used in discretionary access control, where a user grants other users access to
    files by ID.
Basic protective measures:
    Ensure users change the default passwords to something they can remember but that is hard
    to guess.
    Have the system monitor failed login attempts, and lock the account if it sees too many in
    a short period.
Password Selection Strategies
Four basic techniques are in use:
    User education
    Computer-generated passwords
    Reactive password checking
    Proactive password checking
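The failed-login monitoring above, and the threshold detection that intrusion detection relies on, as an added example (not from the original notes). It runs over constructed audit records embedded in the block, locks an account after a number of failures within a sliding window, and shows why the distinction between intruder and legitimate user is imperfect: the window size is an assumption that trades missed slow attacks against false lockouts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not real logs): timestamp, user, login result.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice FAIL
2024-03-01T09:00:05 alice OK
2024-03-01T09:01:10 bob FAIL
2024-03-01T09:01:12 bob FAIL
2024-03-01T09:01:15 bob FAIL
2024-03-01T09:01:20 bob FAIL
2024-03-01T09:01:22 bob FAIL
2024-03-01T09:10:00 carol FAIL
2024-03-01T09:20:00 carol FAIL
2024-03-01T09:30:00 carol FAIL
2024-03-01T09:40:00 carol FAIL
2024-03-01T09:50:00 carol FAIL
"""

def parse_record(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_lockouts(log_text, max_failures=5, window_minutes=5):
    """Threshold detection: lock an account once max_failures failed logins fall
    within a sliding window of window_minutes. Returns {user: time of lockout}."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)    # user -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        ts, user, result = parse_record(line)
        if user in locked:
            continue                 # already locked; later attempts are rejected
        if result == "OK":
            failures[user].clear()   # a successful login resets the counter
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()         # drop failures that fell out of the window
        if len(recent) >= max_failures:
            locked[user] = ts
    return locked

if __name__ == "__main__":
    print(detect_lockouts(SAMPLE_LOG))                      # {'bob': ...09:01:22}
    print(detect_lockouts(SAMPLE_LOG, window_minutes=60))   # bob and carol
```

bob's burst of five failures in twelve seconds is caught at once. carol's attempts, one every ten minutes, never put five failures inside a five-minute window, so a "low and slow" guessing attack goes unnoticed; widening the window to an hour catches it, but the same wide window will also lock out a legitimate user who mistypes a few times over a morning. Note also that lockout itself can be abused: an attacker who can reach the login prompt can lock any account by failing on purpose, so the response to a threshold is usually throttling or alerting rather than an unconditional lock.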
a. User Education :-
Users can be told the importance of using hard-to-guess passwords and can be provided with
guidelines for selecting strong passwords. This strategy is unlikely to succeed at most
installations, particularly where there is a large user population or a lot of turnover:
many users ignore the guidelines, and others choose passwords that satisfy them in letter
but are still guessable.
b. Computer-Generated Passwords :-
Computer-generated passwords also create problems. If the password is random in nature,
users will not be able to remember it. Even if the password is pronounceable, the user may
have difficulty remembering it and so be tempted to write it down; such schemes have
generally had poor user acceptance.
c. Reactive Password Checking :-
A reactive password checking strategy is one in which the system periodically runs its own
password cracker to find guessable passwords. The system cancels any password that the
cracker guesses and notifies the user. Drawbacks: the cracking run is resource intensive,
and every weak password remains usable until the checker happens to find it.
d. Proactive Password Checking
The most promising approach to improved password security is the proactive password
checker. In this scheme a user is allowed to select his or her own password, but at the
time of selection the system checks whether the password is allowable and rejects it if
not. The aim is a balance between acceptability to users and strength against guessing.
The possible approaches to proactive password checking are
    Rule enforcement, for example:
        All passwords must be at least eight characters long.
        In the first eight characters, the password must include at least one each of
        uppercase letters, lowercase letters, numeric digits and punctuation marks.
    Compiling a large dictionary of "bad" passwords and checking each candidate against it;
    because such a dictionary is large and slow to search, a compact model of it (a Markov
    model or a Bloom filter) is used instead.
Since a copy of the user's password, or of the password file, is usually what the intruder
needs, the password file itself must be protected.
Protection of the password file
    One-way function: - The system stores only a one-way hash of the user's password and
    compares it with the hash of the password presented at login; the stored value cannot
    be reversed to recover the password.
    Access control: - Access to the password file is limited to one or a very few
    accounts.
UNIX password scheme (crypt(3))
    The password, up to eight characters, is combined with a 12-bit salt value related to
    the time at which the password was assigned, and used as the key to a modified DES that
    encrypts a 64-bit block of zeros 25 times; the salt and the result are stored together.
    The salt serves three purposes:
        Two users who choose the same password get different stored values, so duplicate
        passwords are not visible in the file.
        It effectively increases the length of the password by two characters, multiplying
        the work of a guessing attack by 4096.
        It prevents the use of a hardware implementation of DES, which would ease the
        difficulty of a brute-force guessing attack.
    Threats: obtaining a copy of the password file, after which a cracker program can be run
    on another machine at leisure; or guessing through the login interface.
    At the time the scheme was designed it was not feasible to use a brute-force technique
    of trying all possible combinations of characters. With modern hardware DES-based crypt
    is breakable, which is why current systems use slow, iterated hashes (bcrypt, PBKDF2,
    scrypt) with larger random salts. The user's responsibility is unchanged: passwords
    must NOT be too short and must NOT be easy to guess.
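The salted one-way scheme above, as an added example that is not part of the original notes. It uses PBKDF2-SHA256 from the Python standard library as a stand-in for the DES-based crypt(3) (the iteration count and the 16-byte random salt are assumptions; crypt(3) used a 12-bit time-derived salt and 25 DES rounds), builds a constructed password file, and runs the offline dictionary attack the notes describe to show what the salt does and does not buy.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # deliberately slow, as the 25 DES rounds of crypt(3) were meant to be

def make_entry(password, salt=None):
    """Build a password-file entry: the salt is stored in the clear next to the hash."""
    if salt is None:
        salt = os.urandom(16)        # random salt (crypt(3) derived its 12 bits from the time)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify(password, entry):
    """Login check: recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Constructed password file: alice and bob happen to share a password.
PASSWORD_FILE = {
    "alice": make_entry("letmein"),
    "bob":   make_entry("letmein"),
    "carol": make_entry("Tr0ub4d&r"),
}

def dictionary_attack(entries, wordlist):
    """Offline attack on a stolen file. Because every user has a different salt, each
    word must be hashed once per user; there is no table shared across accounts.
    Returns the cracked accounts and the number of hashes the attacker computed."""
    cracked, work = {}, 0
    for user, entry in entries.items():
        for word in wordlist:
            work += 1
            if verify(word, entry):
                cracked[user] = word
                break
    return cracked, work

if __name__ == "__main__":
    for user, entry in PASSWORD_FILE.items():
        print(user, entry)
    print(dictionary_attack(PASSWORD_FILE, ["password", "123456", "letmein"]))
```

The two identical passwords produce different entries, so an attacker reading the file cannot see that alice and bob share one, and cannot reuse one hash computation across both accounts. The salt does nothing against a guessable password: "letmein" still falls to a three-word dictionary. Only the slow hash (raising the cost of each guess) and a non-dictionary password (raising the number of guesses) do.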
Access Control
Denying the opponent access to the password file is the other line of defence. It has
several flaws:
    Many systems are susceptible to unanticipated break-ins; once an attacker is on the
    system by some other route, the password file may be readable.
    An accident of protection might render the password file readable, compromising all
    accounts at once.
    Some users use the same password on other machines, so a file compromised on one
    system exposes accounts elsewhere.
Rule enforcement
All passwords must be at least eight characters long
In the first eight characters, the passwords must include at least one each of
uppercase, lowercase, numeric digits, and punctuation marks.
Markov Model
A second approach is to build a compact model of the dictionary of guessable passwords, a
Markov model, and reject any password that is likely to have been generated by it.
The model is [m, A, T, k]
where
    m : number of states
    A : state space (the alphabet of characters)
    T : matrix of transition probabilities
    k : order of the model; the probability of the next character depends on the
        previous k characters
For a second-order model (k = 2), built from the dictionary of guessable passwords:
    Determine the frequency matrix f(i,j,k), which is the number of occurrences of the
    trigram consisting of the ith, jth, and kth characters.
    For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning
    with ij.
    Compute the transition probabilities T(i,j,k) = f(i,j,k) / f(i,j,∞).
A candidate password is scored by the product of the transition probabilities of its
trigrams; a high likelihood means it resembles the dictionary passwords and it is rejected.
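The proactive checker, rule enforcement plus the second-order Markov model just described, as an added example (not the notes' own code). The dictionary of guessable passwords, the smoothing pseudo-count ALPHA, the rejection THRESHOLD and the length normalisation are assumptions made so that the block runs on a toy dictionary; the frequency matrices f(i,j,k) and f(i,j,∞) and the transition probabilities T(i,j,k) follow the definitions above.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ALPHA = 0.1        # smoothing pseudo-count (an addition; the notes use raw frequencies)
THRESHOLD = -2.5   # mean log T per trigram above which a password looks dictionary-generated;
                   # tuned to the toy dictionary below, a real deployment calibrates it

# Constructed dictionary of guessable passwords (a real one holds millions of entries).
GUESSABLE = ["password", "passw0rd", "letmein", "welcome", "monkey", "dragon",
             "baseball", "football", "qwerty", "iloveyou", "sunshine", "princess"]

def passes_rules(pw):
    """Rule enforcement: at least 8 characters, and within the first eight at least one
    uppercase, one lowercase, one digit and one punctuation character."""
    head = pw[:8]
    return (len(pw) >= 8
            and any(c.isupper() for c in head)
            and any(c.islower() for c in head)
            and any(c.isdigit() for c in head)
            and any(not c.isalnum() for c in head))

class MarkovChecker:
    """Second-order Markov model [m, A, T, k=2] of the bad-password dictionary."""
    def __init__(self, bad_words, alphabet=ALPHABET):
        self.A, self.m, self.k = alphabet, len(alphabet), 2
        self.f = Counter()      # f(i,j,k): occurrences of the trigram ijk
        self.f_ij = Counter()   # f(i,j,inf): trigrams beginning with the bigram ij
        for word in bad_words:
            word = word.lower()
            for tri in zip(word, word[1:], word[2:]):
                self.f[tri] += 1
                self.f_ij[tri[:2]] += 1

    def transition(self, i, j, k):
        """T(i,j,k) = f(i,j,k) / f(i,j,inf), smoothed so unseen trigrams keep a small probability."""
        return (self.f[(i, j, k)] + ALPHA) / (self.f_ij[(i, j)] + ALPHA * self.m)

    def log_likelihood(self, pw):
        """Mean log transition probability over the password's trigrams."""
        s = pw.lower()
        tris = list(zip(s, s[1:], s[2:]))
        if not tris:
            return -math.inf
        return sum(math.log(self.transition(*t)) for t in tris) / len(tris)

    def is_guessable(self, pw):
        return self.log_likelihood(pw) > THRESHOLD

CHECKER = MarkovChecker(GUESSABLE)

def proactive_check(pw):
    """Reasons a proposed password is rejected; an empty tuple means it is accepted."""
    reasons = []
    if not passes_rules(pw):
        reasons.append("rules")
    if CHECKER.is_guessable(pw):
        reasons.append("dictionary-like")
    return tuple(reasons)

if __name__ == "__main__":
    for candidate in ["password", "baseball1", "P@ssw0rd", "trouble1", "Tr0ub4d&r"]:
        print(f"{candidate:12} {CHECKER.log_likelihood(candidate):6.2f} {proactive_check(candidate)}")
```

"password" and "baseball1" score close to the dictionary and are rejected even though the second is not in it; "P@ssw0rd" satisfies every rule yet is still dictionary-like, which is the point of combining the two checks; a password built from trigrams the model has never seen scores at the smoothing floor and is accepted. The model itself is a few kilobytes, whereas the dictionary it summarises would be far larger.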
3. MALICIOUS SOFTWARE
a. Trapdoor (Backdoor)
A secret entry point into a program that allows those who know of it to gain access,
bypassing the usual security procedures. Programmers legitimately use trapdoors to debug and
test programs; they become a threat when left in production programs, where attackers can
exploit them, and they are very hard to block at the OS level (the defence lies in software
development and update practices).
b. Logic Bomb
Code embedded in a legitimate program that "explodes" when a certain condition is met, such
as a date, the presence or absence of a file, or a particular user logging in.
c. Trojan Horse
An apparently useful program containing hidden code that, when invoked, performs some
unwanted or harmful function, typically with the privileges of the user who ran it.
d. Zombie
A program that secretly takes over another Internet-attached computer and uses it to launch
attacks (for example distributed DoS) that are difficult to trace to the zombie's creator.
e. Viruses
A program that attaches itself to another program and executes secretly when the host
program is executed; once running it can infect other programs.
Dormant Phase: The virus is idle, waiting to be activated by some event (not all viruses
have this stage).
Propagation Phase: The virus places an identical copy of itself into other programs or into
certain system areas on the disk. Each infected program will now contain a clone of the
virus, which will itself enter a propagation phase.
Triggering Phase: The virus is activated to perform the function for which it was intended.
It can be caused by a variety of system events, including a count of the number of times
that this copy of the virus has made copies of itself.
Execution Phase: The function is performed. It may be harmless, such as a message on the
screen, or damaging, such as the destruction of programs and data files.
Virus Structure (pseudocode)
program V :=
{
    goto main;
    1234567;                        -- marker: an infected file begins with this constant
    subroutine infect-executable :=
    {
        loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop   -- already infected, try another
        else prepend V to file;
    }
    subroutine do-damage :=
    {
        whatever damage is to be done
    }
    subroutine trigger-pulled :=
    {
        return true if condition holds
    }
main: main-program :=
    {
        infect-executable;
        if trigger-pulled then do-damage;
        goto next;
    }
next:
}
The virus is prepended to the host, so it runs first: it infects one uninfected executable,
checks its trigger, and then jumps to "next", the start of the original program, so the host
appears to work normally. The infected file is longer than the original, which is how a
simple length check can detect this structure.
Types of Viruses
Can be classified on the basis of how they attack:
    Parasitic virus
        -- attaches itself to executable files and replicates when the infected program
        is executed.
    Memory-resident virus
        -- lodges in main memory as part of a resident system program and infects every
        program that executes.
    Boot sector virus
        -- infects a master boot record or boot record and spreads when the system is
        booted from the infected disk.
    Stealth virus
        -- designed to hide itself from detection by antivirus software (e.g. by
        intercepting disk reads, or by compressing itself so the host keeps its length).
    Polymorphic virus
        -- mutates with every infection, encrypting its body under a different key each
        time, so the bulk of the virus has no constant signature; detection is very
        difficult.
    Metamorphic virus
        -- mutates with every infection, rewriting itself completely so that it changes in
        behavior as well as appearance; detection by a fixed signature is impractical.
f. E-mail Virus
Spreads as an e-mail attachment: a Word macro or script that runs when the attachment is
opened, or worse, even when the mail is merely viewed, by using the scripting features in
the mail agent. It then sends itself to everyone in the user's address book, so it can
spread in hours rather than months.
g. Worms
A replicating but not infecting program (it does not attach itself to a program). A worm
uses network connections to spread from system to system: e-mail (mailing a copy of
itself), remote execution (executing a copy on another system) and remote login (logging in
as a user and copying itself across). Once running on a system it behaves like a virus.
Widely used by hackers to create zombie PCs, subsequently used for further attacks,
especially DoS.
Worm Operation
    Dormant
    Propagation - search for other systems to infect, establish a connection, copy itself
    to the remote system and cause the copy to run
    Triggering
    Execution
h. Morris Worm
Released on the Internet by Robert Morris in 1988, it targeted UNIX systems and used three
methods to gain access: cracking the local password file and trying the passwords on other
hosts, exploiting a bug in the finger daemon, and using a trapdoor in the debug option of
the sendmail program.
4. VIRUS COUNTERMEASURES
The best countermeasure is prevention: do not allow a virus to get into the system in the
first place. In general this is not possible, hence the need for one or more of
    Detection - determining that an infection has occurred and locating the virus
    Identification - of the specific virus that has infected the program
    Removal - restoring the system to a clean state by removing all traces of the virus
Anti-Virus Software
Four generations: simple scanners that need a virus signature (a known byte pattern) to
identify a virus; heuristic scanners (rules about virus-like code, integrity checking with
checksums or hashes); memory-resident programs that identify a virus by its actions; and
packages that combine these techniques with access control.
Generic Decryption (GD)
Detects even polymorphic viruses by running the suspect program in an emulator. The GD
scanner contains
    CPU emulator: a software-based virtual computer in which the instructions of the
    executable are interpreted rather than run on the real processor, so the virus can do
    no harm.
    Virus signature scanner: a module that scans the target code looking for known virus
    signatures.
    Emulation control module: controls the execution of the target code, deciding how long
    to emulate before giving up.
After enough instructions a polymorphic virus has decrypted its own body inside the
emulator, where the signature scanner can recognise it.
Digital Immune System
Two major trends in Internet technology have had an increasing impact on the rate of virus
propagation in recent years: integrated mail systems (e.g. Outlook, Lotus Notes) and
mobile-program systems (Java, ActiveX). The digital immune system (developed by IBM)
responds as follows:
    A monitoring program on each PC uses heuristics to detect a possible virus and forwards
    a copy of the infected program to an administrative machine.
    The administrative machine encrypts the sample and sends it to a central virus analysis
    machine.
    This machine creates an environment in which the infected program can be safely run for
    analysis.
    The virus analysis machine then produces a prescription for identifying and removing the
    virus.
    The prescription is sent back to the administrative machine and on to the infected
    client; subscribers around the world receive regular antivirus updates that protect them
    from the new virus.
Behavior-Blocking Software
Integrates with the operating system and monitors program behavior in real time for
malicious actions (opening, viewing, deleting or modifying files; formatting disks;
modifying macros or the system registry; opening network connections), blocking them before
they take effect. It has the advantage over scanners that it needs no signature, but the
malicious code runs before detection, so some damage may already have been done.
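The signature scanner, the polymorphic virus it fails against, and generic decryption, as an added example that is not from the original notes and contains no real malware: the "host program", the "virus body", its signature and the one-byte XOR "encryption" behind a fixed decryptor stub are all constructed stand-ins, and the emulator is simply an interpreter of that toy format.

```python
import os

# Constructed byte strings standing in for a host program and a virus body (no real malware).
HOST_PROGRAM = b"\x7fELF" + b"host code " * 4
VIRUS_BODY = b"\xeb\x1fVIRUS-BODY\x90" + b"\x00" * 12
SIGNATURE = b"\xeb\x1fVIRUS-BODY\x90"   # the fixed byte pattern a first-generation scanner matches

def signature_scan(file_bytes, signatures=(SIGNATURE,)):
    """First-generation scanner: infected if any known signature occurs in the file."""
    return any(sig in file_bytes for sig in signatures)

def infect(host, body):
    """Parasitic infection as in the pseudocode: prepend the virus so it runs first."""
    return body + host

def polymorphic_infect(host, body, key=None):
    """Polymorphic infection: each copy re-encrypts the body under a fresh one-byte XOR
    key placed behind a small decryptor stub, so SIGNATURE never appears in the file."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255     # never 0, which would leave the body in clear
    encrypted = bytes(b ^ key for b in body)
    return b"DECRYPT:" + bytes([key]) + encrypted + host

def generic_decryption_scan(file_bytes, signatures=(SIGNATURE,)):
    """Generic decryption: 'emulate' the decryptor stub (here: interpret the toy format)
    until the body is in clear, then run the ordinary signature scanner over it."""
    if not file_bytes.startswith(b"DECRYPT:"):
        return signature_scan(file_bytes, signatures)
    key = file_bytes[8]
    plaintext = bytes(b ^ key for b in file_bytes[9:])
    return signature_scan(plaintext, signatures)

if __name__ == "__main__":
    sample = polymorphic_infect(HOST_PROGRAM, VIRUS_BODY)
    print("signature scan :", signature_scan(sample))            # False
    print("generic decrypt:", generic_decryption_scan(sample))   # True
```

Every polymorphic copy differs in the encrypted bytes, so no pattern drawn from the body survives across infections; the stub is the only constant, and real polymorphic engines mutate the stub too (swapping equivalent instructions, inserting junk), which is why GD emulates the code instead of matching the decryptor. The emulation control module's job is the judgement this toy skips: how many instructions to run before deciding a clean-looking program really is clean.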
5. FIREWALLS
5.1 FIREWALLS
A firewall can be an effective means of protecting a local system or network of systems from
network-based security threats while affording access to the outside world via WANs and the
Internet. Firewalls became necessary as organisations moved from isolated LANs to a premises
network, then to an enterprise-wide network, and finally to Internet connectivity, where
equipping every host with strong security is impractical.
Aims of a firewall (design goals)
    All traffic between the premises network and the Internet must pass through the
    firewall; this protects the premises network from Internet-based attacks.
    Only authorized traffic, as defined by the local security policy, is allowed to pass.
    The firewall itself is immune to penetration (a trusted system with a secure OS).
    It provides a single choke point where security and audit can be imposed.
Techniques for controlling access
    Service control: which Internet services may be accessed, inbound or outbound (filtering
    on IP address and TCP port, proxy software, or hosting the service on the firewall).
    Direction control: the direction in which particular service requests may be initiated
    and allowed to flow.
    User control: access according to which user is attempting it (typically local users;
    for external users this requires authentication, e.g. IPSec).
    Behavior control: controls how particular services are used (e.g. filtering e-mail to
    eliminate spam, or limiting external access to part of a Web server).
Firewall capabilities
    Defines a single choke point that keeps unauthorized users out, prohibits vulnerable
    services from entering or leaving, and protects against spoofing and routing attacks.
    Provides a location for monitoring security-related events (audits and alarms).
    Provides a convenient platform for some Internet functions that are not security related
    (e.g. network address translation, logging Internet usage).
    Can serve as the platform for IPSec, implementing virtual private networks.
Firewall Limitations
    Cannot protect against attacks that bypass the firewall (a dial-out to an ISP, a laptop
    carried out of the building and back in).
    Does not protect against internal threats (a disgruntled employee, or one cooperating
    with an external attacker).
    Cannot protect against the transfer of virus-infected programs or files; scanning every
    incoming file for every virus at the firewall is impractical.
a. Packet-Filtering Router
Filtering by rules
    Applies a set of rules to each incoming and outgoing IP packet and then forwards or
    discards the packet (in both directions).
    The packet filter is typically set up as a list of rules based on matches to fields in
    the IP or transport (TCP or UDP) header:
    Source IP address :- The IP address of the system that originated the IP packet.
    Destination IP address :- The IP address of the system the IP packet is trying to reach.
    Source and destination transport-level address :- The transport-level (e.g. TCP or UDP)
    port numbers, which define applications such as SNMP or TELNET.
    IP protocol field :- Defines the transport protocol (TCP, UDP, ICMP, ...).
    Interface :- For a router with three or more ports, which interface of the router the
    packet came from or which interface the packet is destined for.
    If there is a match to one of the rules, that rule determines whether to forward or
    discard the packet; if no rule matches, a default action is taken.
Default policies
    Default = discard: what is not expressly permitted is prohibited (more conservative;
    services are added case by case).
    Default = forward: what is not expressly prohibited is permitted (easier for users, less
    secure; the administrator must react to each new threat).
Example rule sets (rules are applied in order; the first match decides):
Example A : Inbound mail is allowed, but only to a gateway host (port 25 on OUR-GW).
However, mail from the host SPIGOT is blocked, because that host has a history of sending
massive files in e-mail messages.
Example B : An explicit statement of the default policy, included implicitly as the last
rule of every rule set: block everything else.
Example C : Any inside host can send mail to the outside; a TCP packet with destination port
25 is routed to the SMTP server on the destination machine. The problem with this rule set is
that the use of port 25 for SMTP receipt is only a default: an outside machine could run some
other application on port 25, and as written an attacker could reach internal machines by
sending packets with a TCP source port number of 25.
Example D : This rule set achieves the intended result that was not achieved in C by taking
advantage of a feature of TCP connections: once a connection is set up, every segment except
the very first carries the ACK flag. Inbound packets with source port 25 are accepted only if
ACK is set, so outsiders can reply to connections but cannot initiate them.
Example E : This rule set is one approach to handling FTP-like services that use two
connections (a control connection, and a data connection that the server opens back to a
high-numbered port on the client). The first rule allows outgoing calls, the second allows
replies to them, and the third allows packets destined for a high-numbered port (nonservers)
on an internal machine. The third rule is the weak point: it admits unsolicited packets to
any internal port above 1024.
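The rule sets of Examples A, C, D and E as an added example, not the notes' own code: a small stateless packet filter in which a rule is (action, source host, source port, destination host, destination port, flags) and the implicit last rule is Example B. The addresses, the inside network 192.0.2.0/24, and the particular encoding of each example as source/destination rules are assumptions; the textbook tables use an "our host / their host" layout, and the rule for Example C here is the direction-blind "accept their port 25" reading that the notes' description of its flaw implies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # constructed premises network
OUR_GW = "192.0.2.25"                 # our SMTP gateway (OUR-GW of Example A)
SPIGOT = "198.51.100.7"               # the untrusted outside host of Example A
OUTSIDER = "203.0.113.5"              # some other outside host

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; clear only on the first segment of a connection

def _host_ok(addr, pat):
    if pat == "*":
        return True
    if pat == "INSIDE":
        return ip_address(addr) in INSIDE
    return addr == pat

def _port_ok(port, pat):
    if pat == "*":
        return True
    if isinstance(pat, str) and pat.startswith(">"):
        return port > int(pat[1:])
    return port == pat

def filter_packet(rules, pkt):
    """Apply (action, src, sport, dst, dport, flags) rules in order; first match wins.
    No match falls through to Example B: block."""
    for action, src, sport, dst, dport, flags in rules:
        if (_host_ok(pkt.src, src) and _port_ok(pkt.sport, sport)
                and _host_ok(pkt.dst, dst) and _port_ok(pkt.dport, dport)
                and (flags != "ACK" or pkt.ack)):
            return action
    return "block"

# Example A: inbound mail only to the gateway, and nothing at all from SPIGOT.
RULES_A = [("block", SPIGOT, "*", "*", "*", None),
           ("allow", "*", "*", OUR_GW, 25, None)]
# Example C: outbound mail, plus the naive "let their port 25 answer" rule.
RULES_C = [("allow", "INSIDE", "*", "*", 25, None),
           ("allow", "*", 25, "INSIDE", "*", None)]
# Example D: the same, but an answer must carry ACK, so outsiders cannot open connections.
RULES_D = [("allow", "INSIDE", "*", "*", 25, None),
           ("allow", "*", 25, "INSIDE", "*", "ACK")]
# Example E: any outgoing call, replies to it, and traffic to non-server (high) ports.
RULES_E = [("allow", "INSIDE", "*", "*", "*", None),
           ("allow", "*", "*", "INSIDE", "*", "ACK"),
           ("allow", "*", "*", "INSIDE", ">1024", None)]

def attack_from_port_25(rules):
    """An outsider tries to open a telnet session to an inside host from source port 25."""
    return filter_packet(rules, Packet(OUTSIDER, 25, "192.0.2.10", 23, ack=False))

if __name__ == "__main__":
    print("C lets the port-25 trick in:", attack_from_port_25(RULES_C))   # allow
    print("D stops it:", attack_from_port_25(RULES_D))                     # block
```

The ACK check is cheap but weak: a packet with ACK set cannot complete a TCP handshake, yet it still reaches the internal host and can be used to map which hosts and ports exist (an "ACK scan"), and Example E's third rule admits any unsolicited packet to a high port regardless of flags. A stateful inspection firewall removes both problems by remembering the outbound connection and admitting only segments that belong to it.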
Advantages
    Simplicity
    Transparency to users
    High speed
Disadvantages
    Difficulty of dealing with applications at the packet-filtering level: the filter does
    not examine upper-layer data, so it cannot prevent attacks that use application-specific
    vulnerabilities or functions.
    Difficulty of setting up packet filter rules correctly, and limited logging (typically
    only the header fields used in the decision).
    Lack of authentication: most filters do not support advanced user authentication.
    Vulnerability to attacks that exploit problems in the TCP/IP specification and protocol
    stack, such as network-layer address spoofing.
Possible attacks vs. countermeasures (possible attacks on packet-filtering routers and the
appropriate countermeasures)
    IP address spoofing: the intruder transmits packets from the outside with a source IP
    address of an internal host, hoping to satisfy a rule that trusts inside sources.
    Countermeasure: discard packets with an inside source address that arrive on an
    external interface.
    Source routing attacks: the source station specifies the route that a packet should
    take as it crosses the Internet (in the hope that this will bypass security measures
    that do not analyse the source-routing information). Countermeasure: discard all
    packets that use this option.
    Tiny fragment attacks: the intruder uses IP fragmentation to split the TCP header across
    fragments, so that a filter examining only the first fragment cannot see the port
    number. Countermeasure: discard all packets where the protocol type is TCP and the IP
    Fragment Offset is equal to 1 (i.e. enforce that the first fragment carries enough of
    the transport header).
b. Application-Level Gateway
Also called a proxy server: it acts as a relay of application-level traffic. The user
contacts the gateway (e.g. with Telnet or FTP), is authenticated, and the gateway then
contacts the application on the remote host and relays the segments between the two
endpoints. If the gateway does not implement proxy code for a specific application, that
service is not supported and cannot be forwarded.
Advantages
    More secure than packet filters.
    Only need to scrutinize a few allowable applications (rather than trying to deal with
    the numerous possible combinations that are to be allowed and forbidden at the TCP and
    IP level).
    Easy to log and audit all incoming traffic at the application level.
Disadvantages
    Additional processing overhead on each connection (as the splice point, the gateway
    must examine and forward all traffic in both directions).
c. Circuit-Level Gateway
A stand-alone system, or a specialized function performed by an application-level gateway.
It does not permit an end-to-end TCP connection; instead it sets up two TCP connections,
one between itself and an inside user and one between itself and an outside host.
Security function
    The gateway relays TCP segments from one connection to the other without examining
    the contents.
    The gateway determines which connections will be allowed; it is typically used where
    the internal users are trusted (full proxying of inbound connections, plain relaying
    of outbound ones).
SOCKS (version 5, RFC 1928) is an example of a circuit-level gateway. Its procedure:
    The client opens a TCP connection to the SOCKS port (TCP 1080) on the SOCKS server.
    The client negotiates an authentication method, authenticates with the chosen method,
    and then sends a relay request naming the target address and port.
    After evaluating the request, the SOCKS server either establishes the requested
    connection or denies it, and then relays data between the client and the target.
d. Bastion Host
A system identified by the firewall administrator as a critical strong point in the
network's security; it typically serves as the platform for application-level and
circuit-level gateways.
Common characteristics
    Runs a secure version of its operating system, making it a trusted system.
    Only the services the administrator considers essential are installed (proxies for
    Telnet, DNS, FTP, SMTP, user authentication).
    May require additional authentication before a user is allowed access to the proxies.
    Each proxy is configured to support only a subset of the application's command set, and
    to allow access only to specific hosts.
    Each proxy maintains detailed audit information (all traffic, each connection and its
    duration).
    Each proxy module is a very small software package specifically designed for network
    security, so it can be checked for flaws.
    Each proxy is independent of the other proxies on the bastion host; one can be removed
    or replaced without affecting the others.
    A proxy generally performs no disk access other than to read its initial configuration
    file, which makes it hard for an intruder to install Trojan horse sniffers or other
    dangerous files on the bastion host.
    Each proxy runs as a non-privileged user in a private, secured directory.
Firewall Configurations
In addition to the simple configuration of a single system (a single packet-filtering
router or a single gateway), more complex configurations are possible.
a. Screened Host Firewall, Single-Homed Bastion
    A packet-filtering router plus a bastion host. The router is configured so that only
    packets from and to the bastion host are allowed to pass through: from the Internet,
    only packets destined for the bastion host; from the internal network, only packets
    originating at the bastion host.
    The bastion host performs authentication and proxy functions.
    Advantages
        Greater security than single configurations: both packet-level and
        application-level filtering are implemented, and an intruder must penetrate two
        separate systems.
        For a public information server (such as a Web server), the router can be
        configured to allow direct traffic from the Internet.
    Disadvantages
        If the router is completely compromised, traffic could flow directly through the
        router between the Internet and the private network.
b. Screened Host Firewall, Dual-Homed Bastion
    Physically prevents the breach above: the bastion host has two network interfaces, and
    traffic between the Internet and the private network must pass through it, so
    compromising the router alone does not expose the inside.
c. Screened Subnet Firewall
    The most secure of the three: two packet-filtering routers with the bastion host on an
    isolated subnetwork between them. This gives three levels of defence, hides the inside
    network from the Internet, and prevents inside hosts from building direct routes out.
6. TRUSTED SYSTEMS
One way to enhance the ability of a system to defend against intruders and malicious
programs is to implement trusted system technology, which in turn rests on data access
control.
Data Access Control
Access control by OS
    Through the user access control procedure (log-on), a user can be identified to the
    system.
    Associated with each user, there can be a profile that specifies permissible operations
    and file accesses.
    The operating system can enforce rules based on the user profile: it may grant a user
    permission to access a file or use an application, following which there are no
    further security checks.
Access control by DBMS
    The previous scheme is not sufficient for a system that includes sensitive data in its
    database.
    The DBMS must control access to specific records or even portions of records in the
    database; the decisions are finer grained and may depend on the user's role or on the
    data itself, not only on the user's identity.
Access control models
a. Access matrix
b. Access control list
c. Capability list (capability tickets)
a. Access Matrix
Basic elements
    Subject : An entity capable of accessing objects (generally a process representing any
    user or application that gains access to an object).
    Object : Anything to which access is controlled (e.g. files, portions of files,
    programs and segments of memory).
    Access right : The way in which an object is accessed by a subject (e.g. read, write
    and execute).
    One dimension of the matrix lists the subjects, the other the objects; each entry holds
    the access rights of that subject to that object. In practice the matrix is sparse, so
    it is stored decomposed by columns or by rows.
b. Access Control List
    Decomposition of the access matrix by columns: for each object, an access control list
    lists the users (processes) and their permitted access rights.
    The list may contain a default or public entry, which defines the default set of rights
    for users not explicitly named.
    Convenient when the question is "who may access this object?".
c. Capability List
    Decomposition of the access matrix by rows: for each user, a capability list of the
    objects and the access rights permitted on each; each entry is a capability ticket.
    Convenient when the question is "what may this subject access?".
    Management of tickets
        Tickets may be dispersed around the system, which is a great security problem.
        The ticket must be unforgeable.
        A solution: the OS holds all tickets in a region of memory inaccessible to users
        (alternatively, each ticket carries a cryptographic tag that only the OS can
        produce and check).
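The three models side by side, as an added example that is not part of the original notes: a constructed access matrix is decomposed by columns into access control lists (with a public entry) and by rows into capability lists, and the unforgeability requirement is met with the alternative mentioned above, a MAC tag under a key held only by the OS. The matrix, the subjects and objects, and the kernel key are all assumptions.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects, cells are rights.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "editor": {"execute"}},
    "carol": {"editor": {"execute"}},
}
PUBLIC_ENTRY = {"report.txt": {"read"}}   # default rights for subjects not listed

def to_acls(matrix, public=PUBLIC_ENTRY):
    """Decompose by columns: object -> {subject: rights}; '*' is the default entry."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    for obj, rights in public.items():
        acls[obj]["*"] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Decompose by rows: subject -> {object: rights}, i.e. each subject's tickets."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def acl_allows(acls, subject, obj, right):
    entry = acls.get(obj, {})
    return right in entry.get(subject, set()) or right in entry.get("*", set())

def cap_allows(caps, subject, obj, right):
    return right in caps.get(subject, {}).get(obj, set())

# A ticket that leaves kernel memory must be unforgeable. Instead of keeping every ticket
# in memory users cannot reach, tag it with an HMAC under a key only the OS holds.
KERNEL_KEY = b"constructed-kernel-secret"   # assumption: known to the OS alone

def issue_ticket(subject, obj, rights):
    body = json.dumps({"subject": subject, "object": obj, "rights": sorted(rights)},
                      sort_keys=True)
    tag = hmac.new(KERNEL_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def ticket_allows(ticket, subject, obj, right):
    """Honour a presented ticket only if its tag verifies and it names this subject,
    object and right; a ticket handed to another subject is useless to them."""
    body, tag = ticket
    expected = hmac.new(KERNEL_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claim = json.loads(body)
    return (claim["subject"] == subject and claim["object"] == obj
            and right in claim["rights"])

def forge_ticket(ticket, new_rights):
    """What a user editing a ticket in their own memory produces: the tag no longer fits."""
    body, tag = ticket
    claim = json.loads(body)
    claim["rights"] = sorted(new_rights)
    return json.dumps(claim, sort_keys=True), tag
```

One difference the decomposition makes visible: the public entry lives naturally in an ACL (anyone may read report.txt), but a capability list has nowhere to put it, so carol's capabilities say nothing about report.txt. Revocation cuts the other way: removing a subject from an ACL is immediate, while tickets already handed out stay valid until they expire or the key is rotated, which is the "dispersed around the system" problem in the notes.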
The Concept of Trusted Systems
Multilevel security
    Definition of multiple categories or levels of data.
    Commonly found in the military (information categories: unclassified, confidential,
    secret, top secret).
    A subject at a high level may not convey information to a subject at a lower or
    noncomparable level unless that flow accurately reflects the will of an authorized
    user.
Two rules of multilevel security (the Bell-LaPadula model)
    No read up : a subject can only read an object of less or equal security level
    (simple security property).
    No write down : a subject can only write into an object of greater or equal security
    level (*-property). This stops a high-level process, possibly a Trojan horse, from
    copying sensitive data into a low-level object.
Reference monitor concept
    Multilevel security for a data processing system is implemented by a reference monitor.
    Reference monitor
        Controlling element in the hardware and OS of a computer that regulates the access
        of subjects to objects on the basis of the security parameters of the subject and
        the object.
        Accesses the security kernel database, which lists the access privileges (security
        clearance) of each subject and the protection attributes (classification level) of
        each object.
        Enforces the security rules (no read up and no write down).
    Audit file
        Stores important security events such as
            Detected security violations
            Authorized changes to the security kernel database.
    Required properties of the reference monitor
        Complete mediation : the security rules are enforced on every access, not only on
        the initial open of a file.
        Isolation : the reference monitor and database are protected from unauthorized
        modification; it must not be possible for an attacker to change the logic of the
        reference monitor or the contents of the security kernel database.
        Verifiability : the correctness of the reference monitor must be provable, i.e. it
        must be possible to demonstrate mathematically that it enforces the security rules
        and provides complete mediation and isolation.
    Trusted system
        A system that can provide such verification.
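The two Bell-LaPadula rules and a reference monitor that applies them and writes the audit file, as an added example that is not from the original notes. The security kernel database (clearances and classifications) is constructed; the categories (compartments) attached to each level are an addition, included because they are what makes two labels noncomparable, the case the notes mention but do not illustrate.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class Label:
    """Security label: a hierarchical level plus a set of categories (compartments)."""
    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """L1 dominates L2 if its level is >= and its categories are a superset.
        Two labels where neither dominates the other are noncomparable."""
        return self.level >= other.level and self.categories >= other.categories

    def __repr__(self):
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"{name}{sorted(self.categories)}"

def no_read_up(subject, obj):
    """Simple security property: read only if the subject dominates the object."""
    return subject.dominates(obj)

def no_write_down(subject, obj):
    """*-property: write only if the object dominates the subject."""
    return obj.dominates(subject)

class ReferenceMonitor:
    """Mediates every access of a subject to an object and records violations."""
    def __init__(self, clearances, classifications):
        self.clearances = clearances              # security kernel database: subject -> label
        self.classifications = classifications    # security kernel database: object -> label
        self.audit = []                           # audit file

    def access(self, subject, obj, op):
        s, o = self.clearances[subject], self.classifications[obj]
        allowed = no_read_up(s, o) if op == "read" else no_write_down(s, o)
        if not allowed:
            self.audit.append(f"VIOLATION {subject}({s!r}) {op} {obj}({o!r})")
        return allowed

# Constructed security kernel database.
CLEARANCES = {
    "analyst": Label("secret", {"crypto"}),
    "clerk":   Label("confidential"),
}
CLASSIFICATIONS = {
    "cipher_keys":  Label("secret", {"crypto"}),
    "payroll":      Label("confidential"),
    "war_plans":    Label("top secret", {"crypto"}),
    "nuclear_plan": Label("secret", {"nuclear"}),
}

if __name__ == "__main__":
    rm = ReferenceMonitor(CLEARANCES, CLASSIFICATIONS)
    for subject, obj, op in [("analyst", "payroll", "read"), ("analyst", "payroll", "write"),
                             ("analyst", "war_plans", "write"), ("analyst", "nuclear_plan", "read")]:
        print(subject, op, obj, "->", rm.access(subject, obj, op))
    print(*rm.audit, sep="\n")
```

The analyst may read down into payroll but not write into it, may write up into war_plans without being able to read it (a "blind write", which the *-property permits), and can neither read nor write nuclear_plan, whose label is at the same level but in a different compartment. The reference monitor is the one place these rules are evaluated, which is what complete mediation means; the isolation and verifiability properties are about protecting and proving this code, not about what it computes.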