6.2. Security

The document discusses various aspects of security, including threats to systems, types of intruders, and methods of preventing security violations. It covers security measures at multiple levels, such as physical, human, network, and operating system, and details tools like firewalls, intrusion detection systems, and cryptography. Additionally, it explains the importance of user authentication and the implementation of cryptographic techniques to ensure data confidentiality, integrity, and availability.


6.2 Security
Contents
o Security problem
o Program threat
o Network and system threat
o Security tools
o Cryptography
o Authentication
o Intrusion defense
o Firewall
Security problem
o Security must consider external environment of the system,
and protect it from:
– unauthorized access.
– malicious modification or destruction
– accidental introduction of inconsistency.
– These are management, rather than system, problems.
o Easier to protect against accidental than malicious misuse.
o We say that the system is secure if its resources are used
and accessed as intended under all circumstances.
Security problem(con’t…)
o Security has many facets. Three of the more important
ones are the nature of the threats, the nature of intruders,
and accidental data loss.
Threat: anything that endangers data confidentiality, integrity,
availability, etc.
Intruders: people who are nosing around places where they
have no business being are called intruders or sometimes
adversaries
o Intruders act in two different ways.
 Passive intruders just want to read files they are not
authorized to read
 Active intruders are more malicious; they want to make
unauthorized changes to data.
Security problem(con’t…)
Accidental data loss:
o In addition to threats caused by malicious intruders,
valuable data can be lost by accident.
o Some of the common causes of accidental data loss are
1. Acts of God: fires, floods, earthquakes, wars, riots, or
rats gnawing backup tapes.
2. Hardware or software errors: CPU malfunctions,
unreadable disks or tapes, telecommunication errors,
program bugs.
3. Human errors: incorrect data entry, wrong tape or CD-
ROM mounted, wrong program run, lost disk or tape, or
some other mistake.
Security Violation Categories

o Breach of confidentiality
– Unauthorized reading of data
o Breach of integrity
– Unauthorized modification of data
o Breach of availability
– Unauthorized destruction of data
o Theft of service
– Unauthorized use of resources
o Denial of service (DOS)
– Prevention of legitimate use
Security Violation Methods
o Masquerading (breach authentication)
– Pretending to be an authorized user to
escalate privileges
o Replay attack
– As is or with message modification
o Man-in-the-middle attack
– Intruder sits in data flow, masquerading
as sender to receiver and vice versa
o Session hijacking
– Intercept an already-established session
to bypass authentication
Standard Security Attacks
Security Measure Levels
o Impossible to have absolute security, but make
cost to perpetrator sufficiently high to deter most
intruders
o Security must occur at four levels to be effective:
– Physical
• Against armed or surreptitious entry by
intruders.
– Human
• Careful screening of users to reduce the
chance of unauthorized access.
– Network
• No one should intercept the data on the
network.
– Operating system
• The system must protect itself from
accidental or purposeful security breaches.
• A weakness at a high level of security allows
Security measures at OS level
o User authentication
– Verifying the user's identity
o Program threats
– Unexpected misuse of programs.
o System threats
– Worms and viruses
o Intrusion detection
– Detect attempted intrusions or successful
intrusions and initiate appropriate responses to
the intrusions.
o Cryptography
– Ensuring protection of data over network
Program Threats
o Many variations, many names
o Trojan Horse
– Code segment that misuses its environment
– Exploits mechanisms for allowing programs written
by users to be executed by other users
– Spyware, pop-up browser windows, covert
channels
– Up to 80% of spam delivered by spyware-infected
systems
o Trap Door
– The designer of the code might leave a hole in the
software that only she is capable of using.
– Specific user identifier or password that circumvents
normal security procedures
– Could be included in a compiler
o Logic Bomb
– Program that initiates a security incident under
certain circumstances
Program Threats(con’t…)
o Stack and Buffer Overflow
– Exploits a bug in a program (overflow either the
stack or memory buffers.)
o The attacker determines the vulnerability and writes a
program to do the following.
– Overflow an input-field, command-line argument, or
input buffer until it writes into the stack.
– Overwrite the current return address on the stack
with the address of the exploit code in the next step.
– Write a simple set of code for the next space in the
stack that includes commands that the attacker
wishes to execute, for example, spawn a shell.
System Threats
o Viruses
– Code fragment embedded in legitimate program
– Self-replicating, designed to infect other computers
– Very specific to CPU architecture, operating system,
applications
– Usually borne via email or as a macro
– Visual Basic Macro to reformat hard drive
Sub AutoOpen()
    Dim oFS
    Set oFS = CreateObject("Scripting.FileSystemObject")
    vs = Shell("c:command.com /k format c:", vbHide)
End Sub
System Threats (Cont.)
o Virus dropper inserts virus onto the system
o Many categories of viruses, literally many thousands
of viruses
– File / parasitic
– Boot / memory
– Macro
– Source code
– Polymorphic to avoid having a virus signature
– Encrypted
– Stealth
– Tunneling
– Multipartite
– Armored
System Threats(con’t…)
o Worms – use spawn mechanism; standalone program
– The worm spawns copies of itself, using up systems
resources and perhaps locking out system use by all
other processes.
o Internet worm
– Exploited UNIX networking features (remote access)
and bugs in finger and sendmail programs.
– Grappling hook program uploaded main worm
program.
o Denial of Service
– Overload the targeted computer preventing it from
doing any useful work.
– Downloading of a page.
– Partially started TCP/IP sessions could eat up all
resources.
– Difficult to prevent denial of service attacks.
Threat Continues
o Attacks still common, still occurring
o Attacks moved over time from science experiments to
tools of organized crime
– Targeting specific companies
– Creating botnets to use as tool for spam and DDOS
delivery
– Keystroke logger to grab passwords, credit card
numbers
The Morris Internet Worm
Threat Monitoring
o Check for suspicious patterns of activity – e.g.,
several incorrect password attempts may signal
password guessing.
o Audit log – records the time, user, and type of all
accesses to an object; useful for recovery from a
violation and developing better security
measures.
o Scan the system periodically for security holes;
done when the computer is relatively unused.
Threat Monitoring (Cont.)
o Check for:
– Short or easy-to-guess passwords
– Unauthorized set-uid programs
– Unauthorized programs in system directories
– Unexpected long-running processes
– Improper directory protections
– Improper protections on system data files
– Dangerous entries in the program search path
(Trojan horse)
– Changes to system programs: monitor
checksum values
FireWall
o A firewall is placed between trusted and untrusted
hosts.
– A firewall is a computer or router that sits
between trusted and untrusted systems. It
monitors and logs all connections.
o The firewall limits network access between these
two security domains.
o Spoofing: An unauthorized host pretends to be
an authorized host by meeting some authorization
criterion.
Figure: Network Security Through Domain Separation Via Firewall (DMZ: demilitarized zone)
Intrusion Detection
o Detect attempts to intrude into computer systems.
o Wide variety of techniques
– The time of detection
– The type of inputs examined to detect intrusion activity
– The range of response capabilities.
• Alerting the administrator, killing the intrusion process, false resource is
exposed to the attacker (but the resource appears to be real to the
attacker) to gain more information about the attacker.
o The solutions are known as intrusion detection systems.
o Detection methods:
– Auditing and logging.
• Install logging tool and analyze the external accesses.
– Tripwire (UNIX software that checks if certain files and directories have been
altered – e.g. password files)
• Integrity checking tool for UNIX.
• It operates on the premise that a large class of intrusions results in
anomalous modification of system directories and files.
• It first enumerates the directories and files to be monitored for changes
and deletions or additions. Later it checks for modifications by comparing
signatures.
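The checksum monitoring on the Threat Monitoring slide and the Tripwire baseline-then-compare approach described above are the same idea; this added example (not Tripwire's code, and not part of the original slides) implements it: enumerate files, record size, permission bits and a SHA-256 digest as the baseline, then report additions, deletions and modifications on a later pass. The sample directory tree and the tampering applied to it are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline step: record (size, permission bits, digest) for every file under root.
    The baseline must be kept where an intruder cannot alter it (read-only media,
    another host), otherwise the comparison proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, st.st_mode & 0o7777, file_digest(path))
    return baseline

def compare(baseline, current):
    """Check step: additions, deletions and any file whose size, mode or digest changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)
        # Simulated intrusion: system program replaced, unauthorized set-uid
        # program added to a system directory, system data file deleted.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"replaced ls binary\n")
        with open(os.path.join(bin_dir, "backdoor"), "wb") as f:
            f.write(b"x")
        os.chmod(os.path.join(bin_dir, "backdoor"), 0o4755)
        os.remove(os.path.join(root, "passwd"))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```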
o System call monitoring
– Detects when a process is deviating from expected system call behavior.
Cryptography
o Eliminate the need to trust the network.
o Cryptography enables a recipient of a message to verify
that the message was created by some computer
possessing a certain key.
o Keys are designed to be computationally infeasible to
derive from the messages
o Means to constrain potential senders (sources) and / or
receivers (destinations) of messages
– Based on secrets (keys)
– Enables
• Confirmation of source
• Receipt only by certain destination
• Trust relationship between sender and receiver
Encryption
o Constrains the set of possible receivers of a message
o Encrypt clear text into cipher text.
o Properties of good encryption technique:
– Relatively simple for authorized users to encrypt and
decrypt data.
– Encryption scheme depends not on the secrecy of the
algorithm but on a parameter of the algorithm called the
encryption key.
– Extremely difficult for an intruder to determine the
encryption key.
o Data Encryption Standard substitutes characters and
rearranges their order on the basis of an encryption key
provided to authorized users via a secure mechanism.
Scheme only as secure as the mechanism.
• RSA : public/private key algorithm is popular
Encryption(con’t…)
o Constrains the set of possible receivers of a
message
o Encryption algorithm consists of
– Set K of keys
– Set M of Messages
– Set C of ciphertexts (encrypted messages)
– A function E : K → (M → C). That is, for each k ∈ K,
E_k is a function for generating ciphertexts
from messages
• Both E and E_k for any k should be efficiently
computable functions
– A function D : K → (C → M). That is, for each k ∈ K,
D_k is a function for generating messages
from ciphertexts
• Both D and D_k for any k should be efficiently
computable functions
Encryption (Cont.)
o An encryption algorithm must provide this
essential property: Given a ciphertext c ∈ C, a
computer can compute m such that E_k(m) = c
only if it possesses k
– Thus, a computer holding k can decrypt
ciphertexts to the plaintexts used to
produce them, but a computer not holding k
cannot decrypt ciphertexts
– Since ciphertexts are generally exposed (for
example, sent on the network), it is
important that it be infeasible to derive k
from the ciphertexts
Symmetric Encryption
o Same key used to encrypt and decrypt
– Therefore k must be kept secret
o DES was most commonly used symmetric block-encryption
algorithm (created by US Govt)
– Encrypts a block of data at a time
– Keys too short so now considered insecure
o Triple-DES considered more secure
– Algorithm used 3 times using 2 or 3 keys
o 2001 NIST adopted new block cipher - Advanced Encryption
Standard (AES)
– Keys of 128, 192, or 256 bits, works on 128 bit blocks
o RC4 is most common symmetric stream cipher, but known to
have vulnerabilities
– Encrypts/decrypts a stream of bytes (e.g., wireless
transmission)
– Key is an input to a pseudo-random-bit generator
• Generates an infinite keystream
Secure Communication over Insecure Medium
Asymmetric Encryption
o Public-key encryption based on each user
having two keys:
– public key – published key used to encrypt
data
– private key – key known only to individual
user used to decrypt data
o Must be an encryption scheme that can be made
public without making it easy to figure out the
decryption scheme
– Most common is RSA block cipher
– Efficient algorithm for testing whether or not
a number is prime
– No efficient algorithm is known for finding the
prime factors of a number
Asymmetric Encryption (Cont.)
• Formally, it is computationally infeasible to derive
k_d,N from k_e,N, and so k_e need not be kept secret
and can be widely disseminated
– k_e is the public key
– k_d is the private key
– N is the product of two large, randomly chosen
prime numbers p and q (for example, p and q
are 512 bits each)
– Encryption algorithm is E_{k_e,N}(m) = m^{k_e} mod N,
where k_e satisfies k_e · k_d mod (p−1)(q−1) = 1
– The decryption algorithm is then D_{k_d,N}(c) = c^{k_d} mod N
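The RSA definitions above carried through in code, as an added example that is not part of the original slides: k_d is computed as the modular inverse of k_e modulo (p−1)(q−1), encryption is m^{k_e} mod N and decryption is c^{k_d} mod N. The primes p = 7, q = 13 and exponent k_e = 5 are small constructed values chosen so the arithmetic can be checked by hand; real keys use primes of hundreds of digits, and real systems never apply the bare function to a message without a padding scheme.

```python
import math

def rsa_keygen(p, q, ke):
    """From two distinct primes and a public exponent ke, derive (ke, kd, N).
    kd is the inverse of ke modulo (p-1)(q-1), so ke*kd mod (p-1)(q-1) == 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(ke, phi) != 1:
        raise ValueError("ke must be relatively prime to (p-1)(q-1)")
    kd = pow(ke, -1, phi)            # modular inverse (Python 3.8+)
    return ke, kd, n

def check_key_pair(ke, kd, p, q):
    """The slide's defining relation for the exponents."""
    return (ke * kd) % ((p - 1) * (q - 1)) == 1

def rsa_encrypt(m, ke, n):
    """E_{ke,N}(m) = m^ke mod N; m must be an integer in [0, N)."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, ke, n)

def rsa_decrypt(c, kd, n):
    """D_{kd,N}(c) = c^kd mod N."""
    return pow(c, kd, n)

def demo():
    """Constructed toy parameters: p=7, q=13, ke=5; message m=69."""
    ke, kd, n = rsa_keygen(7, 13, 5)
    c = rsa_encrypt(69, ke, n)
    return ke, kd, n, c, rsa_decrypt(c, kd, n)

if __name__ == "__main__":
    ke, kd, n, c, m = demo()
    print(f"public ({ke}, {n}), private ({kd}, {n}); 69 -> {c} -> {m}")
```

Because the bare function is deterministic, encrypting the same m twice gives the same c; that is one reason padding (e.g. OAEP) is mandatory in practice.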
Encryption using RSA Asymmetric Cryptography
Cryptography (Cont.)

Note :
 symmetric cryptography based on
transformations
 asymmetric based on mathematical functions
– Asymmetric much more compute intensive
– Typically not used for bulk data encryption
Authentication
o Constraining set of potential senders of a message
– Complementary to encryption
– Also can prove message unmodified
o Algorithm components
– A set K of keys
– A set M of messages
– A set A of authenticators
– A function S : K → (M → A)
• That is, for each k ∈ K, S_k is a function for
generating authenticators from messages
• Both S and S_k for any k should be efficiently
computable functions
– A function V : K → (M × A → {true, false}). That is, for
each k ∈ K, V_k is a function for verifying authenticators
on messages
• Both V and V_k for any k should be efficiently
computable functions
Authentication (Cont.)
o For a message m, a computer can generate an
authenticator a ∈ A such that V_k(m, a) = true only if it
possesses k
o Thus, computer holding k can generate authenticators
on messages so that any other computer possessing k
can verify them
o Computer not holding k cannot generate authenticators
on messages that can be verified using Vk
o Since authenticators are generally exposed (for example,
they are sent on the network with the messages
themselves), it must not be feasible to derive k from the
authenticators
o Practically, if V_k(m, a) = true then we know m has not
been modified and that the sender of the message has k
– If we share k with only one entity, know where the
message originated
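The S_k / V_k scheme above instantiated with HMAC-SHA256, as an added example that is not part of the original slides: the authenticator travels on the network appended to the message, a modified message or a wrong key fails verification, and the comparison is constant-time so verification itself leaks nothing about the expected authenticator. The keys and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 output size

def S(k, m):
    """S_k(m): authenticator for message m under key k (HMAC-SHA256)."""
    return hmac.new(k, m, hashlib.sha256).digest()

def V(k, m, a):
    """V_k(m, a): true iff a is a valid authenticator for m under k.
    compare_digest avoids leaking, via timing, how many bytes of a forged
    authenticator were correct."""
    return hmac.compare_digest(S(k, m), a)

def send(k, m):
    """What goes on the wire: message followed by its authenticator."""
    return m + S(k, m)

def receive(k, blob):
    """Split the received bytes and hand back m only if it verifies."""
    if len(blob) < TAG_LEN:
        raise ValueError("truncated message")
    m, a = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not V(k, m, a):
        raise ValueError("authentication failed: message modified or wrong key")
    return m

def demo():
    """Constructed keys and message; shows which cases verify."""
    k = secrets.token_bytes(32)        # shared with exactly one peer
    other_k = secrets.token_bytes(32)  # a key the attacker might hold
    m = b"transfer 100 to account 42"
    a = S(k, m)
    return {
        "genuine": V(k, m, a),
        "modified_message": V(k, b"transfer 900 to account 42", a),
        "wrong_key_at_verifier": V(other_k, m, a),
        "forged_without_k": V(k, m, S(other_k, m)),
    }

if __name__ == "__main__":
    print(demo())
```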
Implementation of Cryptography
o Can be done at various
layers of ISO Reference
Model
– SSL at the Transport layer
– Network layer is typically
IPSec
• IKE for key exchange
• Basis of Virtual
Private Networks
(VPNs)
o Why not just at lowest level?
– Sometimes need more
knowledge than available at
low levels
• e.g. User authentication
• e.g. e-mail delivery
User Authentication
o Crucial to identify user correctly, as protection systems
depend on user ID
o User identity most often established through passwords, can
be considered a special case of either keys or capabilities
o Passwords must be kept secret
– Frequent change of passwords
– History to avoid repeats
– Use of “non-guessable” passwords
– Log all invalid access attempts (but not the passwords
themselves)
– Unauthorized transfer
o Passwords may also either be encrypted or allowed to be used
only once
– Does encrypting passwords solve the exposure problem?
• Might solve sniffing
• Consider shoulder surfing
• Consider Trojan horse keystroke logger
• How are passwords stored at authenticating site?
Passwords
o Encrypt to avoid having to keep secret
– But keep secret anyway (e.g. Unix uses superuser-only
readable file /etc/shadow)
– Use algorithm easy to compute but difficult to invert
– Only encrypted password stored, never decrypted
– Add “salt” to avoid the same password being encrypted to
the same value
o One-time passwords
– Both user and computer compute the password from a
shared seed using the same function
– Hardware device / calculator / key fob to generate the
password
• Changes very frequently
o Biometrics
– Some physical attribute (fingerprint, hand scan)
o Multi-factor authentication
– Need two or more factors for authentication
• e.g. USB “dongle”, biometric measure, and password
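The password-storage rules on the Passwords slide (store only the output of a one-way function, never invert it, add a per-user salt) as an added example that is not part of the original slides. It uses PBKDF2-HMAC-SHA256 with a random 16-byte salt and stores a self-describing record so the iteration count can be raised later; the user names, passwords and the reduced iteration count in demo() are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune so one check costs ~100 ms

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash'. The random salt means two
    users with the same password get different records, and a precomputed
    table of hashes is useless against the stored file."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])

def verify_password(password, record):
    """Recompute with the stored salt and iteration count and compare in
    constant time. The stored value is never 'decrypted'."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hash scheme")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)

def demo():
    """Constructed shadow file: two users who chose the same password."""
    shadow = {
        "alice": hash_password("correct horse", iterations=10_000),
        "bob": hash_password("correct horse", iterations=10_000),
    }
    return {
        "same_password_different_records": shadow["alice"] != shadow["bob"],
        "alice_ok": verify_password("correct horse", shadow["alice"]),
        "alice_wrong_case": verify_password("Correct horse", shadow["alice"]),
        "bob_ok": verify_password("correct horse", shadow["bob"]),
    }

if __name__ == "__main__":
    print(demo())
```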
