What is Security?
- Informal: security is keeping unauthorized entities from doing things you don't want them to do.
- More formal: confidentiality, integrity, availability
- What is the operating system's role?
Internal Roles
- We've discussed a lot of internal features: privileged mode, memory protection, file access permissions, etc.
- What do these accomplish? What is the real goal?
Protecting Whom?
- Internal features protect the operating system against users
- This is necessary but not sufficient
- File permissions protect users (and the OS) against other users
- Again, this is necessary but not sufficient
User Authentication
- File permissions are based on user identity, which is based on authentication
- How does an OS authenticate users?
- Many methods: something you know, something you have, something you are
Hashed Passwords
- Store f(PW), where f is not invertible
- When the user enters PW, calculate f(PW) and compare
- To guard against precomputation attacks, assign a random salt at password change time and store ⟨salt, f(PW, salt)⟩
- Attackers can still run password-guessing programs, so most operating systems use access control to protect the hashed passwords
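The salted scheme from this slide, as an added example (not part of the lecture): the slides do not name a particular f, so PBKDF2-HMAC-SHA256 stands in for it here, and the record is stored as the pair ⟨salt, f(PW, salt)⟩. The last two functions show why the salt matters: without it, two users with the same password share one stored value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption (not from the slides): f(PW, salt) = PBKDF2-HMAC-SHA256.
# The iteration count makes each guess in a password-guessing program
# more expensive; it does not replace access control on the stored hashes.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return the stored pair <salt, f(PW, salt)>.

    A fresh random salt is drawn at password-change time unless one is given
    (a fixed salt is only useful for tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute f(PW, salt) with the stored salt and compare.

    compare_digest avoids leaking how many leading bytes matched through timing.
    """
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def unsalted_collide(pw_a: str, pw_b: str) -> bool:
    """Unsalted f(PW): equal passwords give equal stored values, so one
    precomputed table entry covers every account using that password."""
    return hashlib.sha256(pw_a.encode("utf-8")).digest() == \
        hashlib.sha256(pw_b.encode("utf-8")).digest()


def salted_collide(pw_a: str, pw_b: str) -> bool:
    """Salted f(PW, salt): equal passwords give different stored values,
    because each record carries its own random salt."""
    return make_record(pw_a)[1] == make_record(pw_b)[1]
```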
Attack Techniques
- Trojan horses: the "come and get it" attack
- Login spoofing
- Buggy software: the big one
Trojan Horses
- Trick someone into executing a program that does nasty things (many viruses and worms spread that way)
- How can the OS protect users?
- Unix-type file permissions don't help: the attack program can change permissions
- Need mandatory access control (MAC)
Sandboxes
- A better idea is for the OS to provide sandboxes: an environment where the program can execute but can't affect the rest of the machine
- Strong isolation is conceptually pretty easy: run the program on a separate machine, or under VMware
- There are other, more elegant mechanisms that attempt to provide the same feature at lower cost; most are limited to root
- The trick, and it's a very difficult one, is permitting limited interaction with the outside world while still protecting security
Trusted Path
- A trusted path is a user-initiated sequence that is guaranteed to get you to the real OS
- Example: Ctrl+Alt+Delete on Windows. Well, it was supposed to be one...
- But you have to train people not to log in unless they've initiated the sequence
- Must protect all password prompts that way
What to Log?
- Everything?
  - Possibly takes too much storage, though disk space is cheap
  - Serious potential privacy risk
  - Can you process that much data?
- But must log security-sensitive events
Cryptography Fundamentals
- Privacy versus authentication:
  - Privacy: preventing a third party from snooping
  - Authentication: preventing impersonation
- Two kinds of authentication:
  - Guarantee that no third party has modified the data
  - Receiver can prove that only the sender originated the data: digital signature
- Encrypt before sending, decrypt on receiving
- Terms: plain text and cipher text
- Two components: the key and the algorithm
- Should the algorithm be secret? Yes, for military systems; no, for commercial systems
- Key distribution must be secure
Cryptographic Authentication
Cryptanalysis
- Cryptanalysis: the attacker tries to break the system
  - E.g., by guessing the plain text for a given cipher text
  - Or, by guessing the cipher text for some plain text
- Possible attacks:
  - Cipher-text only attack
  - Known plain-text attack
  - Chosen plain-text attack
  - Chosen text attack
Security Guarantees
- Two possibilities:
  - Unconditional security
  - Computational security
- Unconditional security: an example is the one-time tape
- Most systems have computational security
- How much security to have? Depends on a cost-benefit analysis for the attacker
Public-Key Systems
- Shared-key systems ==> difficulties in key distribution: C(n,2) = O(n^2) keys
- Public key system: a public component and a private component
- Two kinds:
  - Public key distribution: establish a shared key first
  - Public key cryptography: use public/private keys in encryption/decryption
- Public key cryptography can also be used for digital signatures
Some Popular Systems
- Private key systems: DES, 3DES
- Public key systems:
  - RSA: based on the difficulty of factoring
  - Galois-Field (GF) system: based on the difficulty of finding a logarithm
  - A system based on the knapsack problem
Key Management
- Keys need to be generated periodically
  - New users
  - Some keys may be compromised
- Addressing the O(n^2) problem with key distribution:
  - Link encryption
  - Key Distribution Centre (KDC): all eggs in one basket
  - Multiple KDCs: better security
- Key management is easier in public key systems