INTRO TO COMP SECURITY
INTRO TO COMP SECURITY CS 491
Popular in Course
verified elite notetaker
verified elite notetaker
verified elite notetaker
verified elite notetaker
verified elite notetaker
verified elite notetaker
Popular in ComputerScienence
This 101 page Class Notes was uploaded by Orrin Rutherford on Tuesday September 1, 2015. The Class Notes belongs to CS 491 at Portland State University taught by James Hook in Fall. Since its upload, it has received 43 views. For similar materials see /class/168282/cs-491-portland-state-university in ComputerScienence at Portland State University.
Reviews for INTRO TO COMP SECURITY
Report this Material
What is Karma?
Karma is the currency of StudySoup.
You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!
Date Created: 09/01/15
Fun With Crypto keys and protocols some Bishop some Jim some RA Keys and protocols Keys notation session keys certs and digital signatures Key infrastructure storage protocols how we use keys NeedhamSchroderKerberos streamblock ciphers crypto protocol examples PEM dead IPSEC February 07 introseo crypt022 3 mi 39139 a 4 min ix classified as a quotmum0 irgzrzrzztmmgmit RSA amnion in m can you export this tshiIt nminum mmuum FebvuavyW muusec vymeV Basic Notation Xe YZ WkXy X sends Ythe message produced by concatenating Z and Wenciphered by key kxy which is shared by users X and Y A9 TIZkAWkAT A sends Ta message consisting of the concatenation of Z enciphered using kA A s key and Wenciphered using km the key shared by A and T r1 r2 nonces nonrepeating random numbers e encipher d decipher February 07 introseo crypt024 Cryptographic Key Infrastructure Goal bind identity to key Classical not possible as all keys are shared Use protocols to agree on a shared key Public key bind identity to public key February 07 Crucial as people will use key to communicate with principal whose identity is bound to key Erroneous binding means no secrecy between principals Assume principal identified by an acceptable name introseo crypt025 Certi cates public keyname a cert is a signed public key Create token message containing Identity of principal here Alice Corresponding public key Timestamp when issued Other information perhaps identity of signer signed by trusted authority here Cathy CA eA Alice II T dc February 07 introseo crypt026 Use Bob gets Alice s certificate SOMEHOW If he knows Cathy s public key he can decipher the certificate When was certificate issued Is the principal Alice Now Bob has Alice s public key Problem Bob needs Cathy s public key to validate certificate Problem pushed up a level Problem is real though Solution space some distributed protocol tree to get CERTs OR a CERT a message or file on a computer has needed CERTS provided with it a CERT chain February 07 introsec crypt027 Certi cate Signature Chains Create certificate Generate hash of certificate sign hash with issuer s private key Validate signature Obtain issuer s public key Decipher enciphered hash Recompute hash from certificate and compare Problem getting issuer s public key February 07 introseo crypt028 X509 certi cate format Some certificate components in X509v3 February 07 Version Serial number Signature algorithm identifier hash algorithm Issuer s name uniquely identifies issuer Interval of validity Subject s name uniquely identifies subject Subject s public key Signature enciphered hash introseo crypt029 Issuers Certi cation Authority CA entity that issues certificates February 07 Multiple issuers pose validation problem Alice s CA is Cathy Bob s CA is Don how can Alice validate Bob s certificate Have Cathy and Don crosscertify Each issues certi cate for the other Have a hierarchical cert authority Cathy and Don have Eduard as a CA introsec cryptoZ l 0 CA tree Alice has CA1 Bob has CA2 CA1 and CA2 have CA3 Alice gets CERT from Bob must validate Bob with CA2 no trust then validate CA2 with CA3 hierarchical trust relationship February 07 introseo cryptoZ l l Signing With PGP Single certificate may have multiple signatures associated with it Notion of trust embedded in each signature Range from untrusted to ultimate trust Signer defines meaning of trust level no standards with a hierarchy eventually you come to a CA that must trust itself Called selfsigning PGP has notion of web of trust no CA hierarchy February 07 introsec crypt0212 PGP Web of trust Validating Certl cates Alice needs to validate Bob s OpenF GP cert Arrows show signatures Does Qt know Fred Self signatures not shown Knows Henry slightly but his signature is at casual level of trust Alice gets Ellen s cert Knows Jack so uses his cert to validate Ellen s then hers to validate Bob s Giselle or Ellen Alice gets Giselle s cert February 07 introsec crypt0213 Storing Keys Multiuser or networked systems attackers may defeat access control mechanisms Encipher file containing key consider these problems Attacker can monitor keystrokes to decipher files Key will be resident in memory that attacker may be able to read os swap also possible Use physical devices like smart card Key never enters system Card can be stolen so have 2 devices combine bits to make single key attacks against smart keys exist February 07 introsec crypt0214 Key Revocation timeout or CRL Certificates may be invalidated before expiration Usually due to compromised key May be due to change in circumstance eg someone leaving company Problems Entity revoking certificate authorized to do so Revocation information circulates to everyone fast enough Network delays infrastructure problems may delay information there is very little real experience with cert revocation other than timestamp timeout February 07 introseo crypt0215 Digital Signature Construct that authenticated origin contents of message in a manner provable to a disinterested third party judge Sender cannot deny having sent message service is nonrepudiation Limited to technical proofs Inability to deny one s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs etc probably required not dealt with here Alice s box with cert was hacker by Malach Februaryov Malach made bankintrransactions oryproz e Common Error Classical Alice Bob share key k Alice sends m H m kto Bob This is a digital signature WRONG This is not a digital signature Why Third party cannot determine whether Alice or Bob generated message February 07 introsec crypt0217 conventional wisdom with public key crypto we sign with our private key they verify with their public key obviously they can t have our private key they encrypt with our public key send us M we decrypt with our private key RSA fits this model if they encrypted with our private key and we decrypted with our public key the world would be a tad cockeyed February 07 introseo crypt0218 RSA Digital Signatures Use private key to encipher message Protocol for use is critical Key points Never sign random documents and when signing always sign hash and never document Mathematical properties can be turned against Signer Sign message first then encipher Changing public keys causes forgery February 07 introsec crypt0219 session keys and key exchange protocols KMP typically it is not a good idea to use the same key over and over again an adversary has better odds of cracking Ki with a greater number of messages therefore we may choose to generate sessionkeys based on previous shared secrets and discard them at some point based on too much time or too many messages protocols exist for generating keys and setting them up between both sides Alice and Bob goal is typically generation of encryption or MD keys February 07 introsec crypt0220 simple session key courtesy of publickey crypto Alice wants to send a message m to Bob Assume public key encryption Alice generates a random cryptographic key ks and uses it to encipher m To be used for this message only Called a session key She enciphers ks with Bobs public key k3 k3 enciphers all session keys Alice uses to communicate with Bob Called an interchange key Alice sends m ks ks k3 February 07 introseo crypt0221 Bene ts Limits amount of traffic enciphered with single key Standard practice to decrease the amount of traffic an attacker can obtain Prevents some attacks Example Alice will send Bob message that is either BUY or SELL Eve computes possible ciphertexts BUY kB and SELL kB Eve intercepts enciphered message compares and gets plaintext at once February 07 introsec crypt0222 Key Exchange Algorithms Goal Alice Bob get shared key Key cannot be sent in clear Attacker can listen in Key can be sent enciphered or derived from exchanged data plus data not known to an eavesdropper DH Alice Bob may trust third party Kerberos All cryptosystems protocols publicly known secrets in keys Anything transmitted is assumed available to attacker February 07 introseo crypt0223 Simple Symmetrickey exchange Protocol Cathy is trusted 3rd party Alice request for session key to Bob kA gt Cathy k kll k k Alice 4 S A S B Cathy k k Alice S B gtBob February 07 introseo crypt0224 Problems How does Bob know he is talking to Alice Replay attack Eve records message from Alice to Bob later replays it Bob may think he s talking to Alice but he isn t Session key reuse Eve replays message from Alice to Bob so Bob reuses session key Protocols must provide authentication and defense against replay February 07 introsec crypt0225 NeedhamSchroeder Alice Bob r1 Alice Cathy V Alice Bob r1 ks Alice ks kB kA Alice 4 Cathy Alice ks kB Alice gt Bob r2 ks Alice 4 Bob r2 l ks Alice gt Bob February 07 introseo crypt0226 Kerberos Authentication system Based on NeedhamSchroeder with DenningSacco modification Central server plays role of trusted third party Cathy Ticket sessionkey with timestamp Authenticator DNS like Identifies sender February 07 introseo crypt0227 Idea User u authenticates to Kerberos server Obtains ticket T GS for ticket granting service TGS TGS is Kerberos form of single signon User u wants to use service 3 User sends authenticator Au ticket TMGS to TGS asking for ticket for service TGS sends ticket TMS to user User sends Au TMS to server as request to use 3 Details follow February 07 introsec crypt0228 Ticket Credential saying issuer has identified ticket requester note 3way binding below Example ticket issued to user u for service 3 T 3 u H u s address valid time km ks where session key k for user and service time is interval for which ticket valid identity u s address may be IP address or something else February 07 introseo crypt0229 Authenticator Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example authenticator user u generates for service 3 A u H generation time kt k where kt is alternate session key Generation time is when authenticator generated Note more elds not relevant here February 07 introsec crypt0230 Protocol user user TGS gt Cathy k k H T user 4 JCS u uTGS Cathy service AMIGS TmTGS user TGS userk k TGSHT user lt w u w TGS AM Tus user gt servzce I 1 kw user 4 service February 07 introseo crypt0231 Analysis First two steps get user ticket to use TGS User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service 8 February 07 Service s validates request by checking sender using Aujs is same as entity ticket issued to Step 6 optional used when u requests confirmation introsec crypt0232 Problems Relies on synchronized clocks If not synchronized and old tickets authenticators not cached replay is possible Bellovin poked homes in K4 in famous paper so now we have K5 which uses ASN1 ouch ouch ouch February 07 introsec crypt0233 Public Key Key Exchange Here interchange keys known eA eB Alice and Bob s public keys known to all dA dB Alice and Bob s private keys known only to owner Simple protocol ks is desired session key k 6 Alice s B gtBob February 07 introseo crypt0234 Problem and Solution Vulnerable to forgery or replay Because eB known to anyone Bob has no assurance that Alice sent message Simple fix uses Alice s private key ks is desired session key k d 6 Alice s A B gtBob February 07 introsec crypt0235 Notes Can include message enciphered with ks Assumes Bob has Alice s public key and vice versa February 07 If not each must get it from public server If keys not bound to identity of owner attacker Eve can launch a maninthemidde attack next slide Cathy is public server providing public keys Solution to this binding identity to keys discussed later as public key infrastructure PKI introsec crypt0236 ManintheMiddle Attack send Bob s public key l Eve intercepts request I r Alice Cathy V6 send Bob 3 publlc keygt Cathy 613 Eve 4 Cathy 6E Alice 4 Eve ks e Alice E Eve Intercepts messagegt Bob ks 63 Eve gt Bob February 07 introseo crypt0237 Key Mgmt Key Points Key management critical to effective use of cryptosystems Different levels of keys session vs interchange Keys need infrastructure to identify holders allow revoking Key escrowing complicates infrastructure Ultimately we still may need manual dissemination of something eg root selfsigned certificates Digital signatures provide integrity of origin and content Much easier with public key cryptosystems than with classical cryptosystems February 07 introsec crypt0238 common problems With ciphers Using cipher requires knowledge of environment and threats in the environment in which cipher will be used Is the set of possible messages small Do the messages exhibit regularities that remain after encipherment Can an active wiretapper rearrange or change parts of the message February 07 introseo crypt0239 Attack 1 Precomputation Set of possible messages M small Public key cipher fused ldea precompute set of possible ciphertexts fM build table m fm When ciphertext fm appears use table to find m Also called forward searches February 07 introseo crypt0240 message entropy space may be small Digitized sound Seems like far too many possible plaintexts Initial calculations suggest 232 such plaintexts Analysis of redundancy in human speech reduced this to about 100000 z 217 This is small enough to worry about precomputation attacks February 07 introseo crypt0241 Misordered Blocks Alice sends Bob message Message is LIVE 11 08 21 O4 Enciphered message is 44 57 21 16 Eve intercepts it rearranges blocks Now enciphered message is 16 21 57 44 Bob gets enciphered message deciphers it He sees EVIL February 07 introseo crypto242 Notes Digitally signing each block won t stop this attack Two approaches Cryptographically hash the entire message and sign it Place sequence numbers in each block of message so recipient can tell intended order Then you sign each block February 07 introsec crypt0243 Statistical Regularities If plaintext repeats ciphertext may too Example using DES input in hex 3231 3433 3635 3837 3231 3433 3635 M corresponding output in hex ef7c 4bb2 b4ce 6f3b ef7c 4bb2 b4ce Fix cascade blocks together chaining this is why DESCBC is used February 07 introseo crypt0244 What These Mean Use of strong cryptosystems wellchosen or random keys not enough to be secure Other factors February 07 Protocols directing use of cryptosystems Ancillary information added by protocols Implementation not discussed here Maintenance and operation not discussed here introsec crypt0245 Networks and Cryptography ISOOSI model Conceptually each host has peer at each layer Peers communicate with peers at same layer February 07 Application layer Application layer Presentation layer gt Presentation layer Session layer Session layer Transport layer gt Transport layer Network layer Network layer g NetWOFK layer Data link layer gt Data link layer b Data link layer Physical layer Physical layer v Physical layer introsec crypt0246 Link and EndtoEnd Protocols Link Protocol End to End or E2E Protocol February 07 introseo crypt0247 Encryption Link encryption Each host enciphers message so host at next hop can read it Message can be read at intermediate hosts Endtoend encryption Host enciphers message so host at other end of communication can read it Message cannot be read at intermediate hosts February 07 introseo crypt0248 Examples secure shell protocol end to end therefore good password form does not send password in clear unlike traditional telnet PPP Encryption Control Protocol Host gets message deciphers it Figures out where to fonNard it Enciphers it in appropriate key and fonNards it Link protocol not end to end February 07 introsec crypt0249 Cryptographic Considerations Link encryption Each host shares key with neighbor should be per host pair BUT often per network broadcast network in particular increasing tendency to have per host or per site certificate using SSL yes publickey crypto Endtoend Each host shares key with destination Can be set on perhost or perhost pair basis Message cannot be read at intermediate nodes February 07 introseo crypt0250 Traf c Analysis Link encryption Can protect headers of packets Possible to hide source and destination Note may be able to deduce this from traffic flows Endtoend encryption Cannot hide IP packet headers Intermediate nodes need to route packet Attacker can read source destination Can t hide L3 on Internet can t route without it if application encryption not hiding L4 TCPUDP port numbers either February 07 introseo oryptoZS i Example Protocols PrivacyEnhanced Electronic Mail PEM Applications layer protocol PEM is not used in real world was breakthru of sorts in lETFcrypto history typically might use PGPSSL at this point email is often tunneled in some sense IP Security IPSEC Network layer protocol February 07 introseo crypt0252 Goals of PEM Confidentiality Only sender and recipients can read message Origin authentication Identify the sender precisely Data integrity Any changes in message are easy to detect Nonrepudiation of origin Whenever possible February 07 introseo crypt0253 Message Handling System end to end email MTA MTA User Agents email client Message Transfer MTA A A Agents V email proxy gateway February 07 introseo crypt0254 Design Principles Do not change related existing protocols Cannot alter SMTP Do not change existing software Need compatibility with existing software Make use of PEM optional Available if desired but email still works without them Some recipients may use it others not Enable communication without prearrangement Outof band authentication key exchange problematic February 07 introseo crypt0255 Basic Design Keys Two keys Interchange keys tied to sender recipients and is static for some set of messages Like a publicprivate key pair Must be available before messages sent Data exchange keys generated for each message a session key session being the message February 07 introseo crypt0256 Basic Design Sending Confidentiality 0 m message 0 ks data exchange key 0 kB Bob s interchange key mkskskB Alice gt Bob February 07 introseo crypt0257 Basic Design Integrity Integrity and authentication 0 m message 0 hm hash of message m Message Integrity Check MIC 0 kA Alice s interchange key m Mm kA Alice gt Bob Non repudiation if kA is Alice s private key this establishes that Alice s private key was used to sign the message February 07 introseo crypt0258 Basie Design Everything Confidentiality integrity authentication 0 Notations as in previous slides 0 If kA is private key get non repudiation too mks hmkAkskB Alice gtBob February 07 introseo crypt0259 Practical Considerations Limits of SMTP Only ASCII characters limited length lines Use encoding procedure February 07 Map local char representation into canonical format Format meets SMTP requirements Compute and encipher MIC over the canonical format encipher message if needed Map each 6 bits of result into a character insert newline after every 64th character Add delimiters around this ASCII message introseo crypt0260 PEM VS PGP Use different ciphers PGP originally used IDEA cipher PEM used DES in CBC mode Use different certificate models PGP uses general web of trust PEM uses hierarchical certification structure fatal flaw no such beastie Inetwide Handle end of line differently PGP remaps end of line if message tagged text but leaves them alone if message tagged binary PEM always remaps end of line February 07 introsec crypt026 l IPsec Network layer security Protects all messages sent along a path Provides confidentiality integrity authentication of endpoints replay detection 1P inside 7 dest February 07 enterprise 39 router IPIPsec f irewa 1 V router f irewa security gateways introsec 1 SIC crypt0262 IPsee Tunnel Mode IP ESP previous IP packet 1p header between encapsulated data body Encapsulate IP packet IP header and IP data Use IP to send lPsecwrapped packet Note inner IP header protected typically end to router or router to router FFFF uary 07 introseo crypt0263 IPsec Protocols Authentication Header AH integrity authentication weak antireplay Encapsulating Security Payload ESP Confidentiality antireplay in current version hash is also available one either uses AH or ESP but not both IKE Oakley DH more or less ISAKMP ISAKMP is a metaprotocol for KMP design February 07 introseo crypt0264 IPsec Architecture Security Policy Database SPD February 07 Says how to handle messages discard them add security services forward message unchanged SPD associated with network interface SPD determines appropriate entry from packet attributes Including source destination transport protocol introseo crypt0265 Example Goals Discard SMTP packets from host 19216829 Forward packets from 192168197 without Change SPD entries src 19216829 dest 10123 to 1012103 port 25 discard src 192168197 dest 10123 to 1012103 port 25 bypass dest 10123 to 1012103 port 25 apply IPsec Note entries scanned in order If no match for packet it is discarded February 07 introseo crypt0266 IPsec Architecture Security Association SA Association between peers for security services Identi ed uniquely by dest address security protocol AH or ESP unique 32bit number security parameter index or SPI Unidirectional routing is 2 oneway problems Can apply different services in either direction SA uses either ESP or AH if both required 2 SAs needed February 07 introseo crypt0267 SA Database SAD Entry describes SA some fields for all packets AH algorithm identifier keys When SA uses AH ESP encipherment algorithm identifier keys When SA uses con dentiality from ESP ESP authentication algorithm identifier keys When SA uses authentication integrity from ESP SA lifetime time for deletion or max byte count lPsec mode tunnel transport either February 07 introsec crypt0268 SAD Fields Antireplay inbound only When SA uses antireplay feature Sequence number counter outbound only Generates AH or ESP sequence number Sequence counter overflow field Stops traffic over this SA if sequence counter overflows Aging variables Used to detect timeouts February 07 introsec crypt0269 Which to Use Gnu PGP IPSEC What do the security services apply to If applicable to one application and application layer mechanisms available use that PGPSSL for electronic mail IPSEC is VPN can cover ALL applications but maybe not end to end might be host to IPSEC server inside enterprise router to router between enterprises February 07 introseo crypt0270 study questions what sessionkey algorithms did we talk about miss any major ones is crypto the problem with network protocols using it or the packaging people have a hard time with keys why publickey crypto shared secrets in symmetric or MD algorithms what does single signon mean and do you think it will ever happen February 07 introsec crypt0271 CS 491591 Introduction to Computer Security Confinement James Hook some slides adapted from Bishop 10200714aa Plan Confinement Problem Lampson Isolation Virtual Machines Sandboxes Covert Channels 10200714aa The Confinement Problem Lampson A Note on the Confinement Problem CACM 1973 This note explores the problem of confining a program during its execution so that it cannot transmit information to any other program except its caller A set of examples attempts to stake out the boundaries of the problem Necessary conditions for a solution are stated and informally justified 10200714aa Possible Leaks 0 If a service has memory it can collect data wait for its owner to call it then return the data 1 The service may write into a permanent file 2 The service may create a temporary file 3 The service may send a message to a process controlled by its owner via ipc 4 More subtly the information may be encoded in the bill rendered for the service 10200714aa Possible Lea ks cont 5 If the system has interlocks which prevent files from being open for writing and reading at the same time the service can leak data if it is merely allowed to read files which can be written by the owner 10200714aa Leak 5 cont The interlocks allow a file to simulate a shared Boolean variable which one program can set and the other can t Given a procedure open file error which does goto error if the file is already open the following procedures will perform this simulation procedure settrue file begin loopl open file loopl end procedure setfalse file begin close file end Boolean procedure value file begin value true open file loop2 value fa close file loop2 end 10200714aa Leak 5 cont Using these procedures and three files called data sendclock and receiveclock a service can send a stream of bits to another concurrently running program Referencing the files as though they were variables of this rather odd kind then we can describe the sequence of events for transmitting a single bit sender data bit being sent sendclock true receiver wait for sendclock true received bit data receive clock true sender wait for receive clock true sendclock false receiver wait for sendclock false receiveclock false sender wait for receiveclock false 10200714aa Leak 6 6 By varying its ratio of computing to inputoutput or its paging rate the service can transmit information which a concurrently running process can receive by observing the performance of the system 10200714aa One solution Just say no Total isolation A confined program shall make no calls on any other program lmpractical 10200714aa Confinement rule Transitivity If a confined program calls another program which is not trusted the called program must also be confined 10200714aa Classification of Channels Storage Legitimate such as the bill Covert le those not intended for information transfer at all such as the service program s effect on the system load In which category does Lampson place 5 10200714aa Mitigation Lampson proposes a mitigation strategy for 5 Confined read makes a copy this can be done lazily on a conflicting write 10200714aa Root Problem Resource sharing enables covert channels The more our operating systems and hardware enable efficient resource sharing the greater the risk of covert channels 10200714aa Lipner s Comments 1975 paper discusses how confidentiality models and access control address storage and legitimate channels Identifies time as A difficult problemquot While the storage and legitimate channels of Lampson can be closed with a minimal impact on system ef ciency closing the covert channel seems to impose a direct and unreasonable performance penalty 10200714aa Resources Lampson A note on the Confinement Problem CACM Vol 16 no 10 October 1973 httpdoiaomorgiOJ 145862875862389 Lipner A Comment on the Confinement Problem Proceedings of the 5th Symposium on Operating Systems Principles pp 192 196 Nov 1975 httpcloiacmorg10l 145800213806537 10200714aa Timing Channel Kocher CRYPTO 96 Timing Attacks on Implementations of Diffie Hellman RSA D55 and Other Systems 10200714aa Kocher s Attack 0 This computes X a2 mod n where z 20 z1 atmp a for i 0 to k l do begin if z 1 then x x atmp mod n atmp atmp atmp mod n end result x 0 Length of run time related to number of 1 bits in z 10200714aa Isolation Virtual machines Emulate computer Process cannot access underlying computer system anything not part of that computer system Sandboxing Does not emulate computer Alters interface between computer process 10200714aa Virtual Machine VM 0 A program that simulates hardware of computer system 0 Virtual machine monitor 0MM provides VM on which conventional OS can run Each VM is one subject VMM knows nothing about processes running on each VM VMM mediates all interactions of VM with resources other VMS Satisfies rule of transitive closure 10200714aa Example IBM VM370 ser processes MVS Virtual I I System370 user rocesses user processes u e um c u e mute c I l DOSVS MVS Virtual CP CMS CMS I virtual Virtual Virtual Virtual Virtual Virtual hardware System370 System370 System370 System370 System370 CP real hardware System3 70 Adapted fram Dmel pp 505507 10200714aa Example KVM370 o Securityenhanced version of IBM VM370 VMM 0 Goals Provide virtual machines for users Prevent VMs of different security classes from communicating 0 Provides minidisks some VMs could share some areas of disk Security policy controlled access to shared areas to limit communications to those allowed by policy 10200714aa DEC VAX VMM VMM is security kernel Can run Ultrix OS or VMS OS Invoked on trap to execute privileged instruction Only VMM can access hardware directly VM kernel executive levels both mapped into physical executive level VMM subjects users VMs Each VM has own disk areas file systems Each subject object has multilevel security integrity labels 10200714aa Sandbox 0 Environment in which actions of process are restricted according to security policy Can add extra securitychecking mechanisms to libraries kernel Program to be executed is not altered Can modify program or process to be executed Similar to debuggers profilers that add breakpoints Add code to do extra checks memory access etc as program runs software fault isolation 10200714aa Exanu eljn ng Execu on 0 Sidewinder Uses type enforcement to confine processes Sandbox built into kernel site cannot alter it 0 Java VM Restricts set of files that applet can access and hosts to which applet can connect 0 DTE type enforcement mechanism for DTEL Kernel modi cations enable system administrators to con gure sandboxes 10200714aa Example Trapping System Calls Janus execution environment Users restrict objects modes of access 0 TWO Components Framework does runtime checking Modules determine which accesses allowed Configuration file controls modules loaded constraints to be enforced 10200714aa Janus Configuration File baslc module baslc 7 Load basic module define suoprocess environment varlaoles putenv IFSquottn quot PATHsblnblnusrbln TZPSTBPDT 7 Define environmental Variables for process deny access to everythlng except flles under usr path deny readwrlte path allow readwrlte usr 7 Deny all file accesses except to those under usr allow suoprocess to read flleS 1n llorary dlrectorleS needed for dynamlc loadlng path allow read l1b uSrl1b uSrlocalllb 7 Allow reading of files in these directories all dynamic load libraries are here needed so chlld can execute programs path allow readexec sbln bln usrbln 7 Allow reading execution ofsubprograms in these directories 10200714aa Janus Implementation 0 System calls to be monitored de ned in modules 0 On system call Janus framework invoked Validates system call with those speci c parameters are allowed If not sets process environment to indicate call failed If okay framework gives control back to process on return framework invoked to update state 0 Example reading MIME mail Embed delete file in Postscript attachment Set Janus to disallow Postscript engine access to files 10200714aa Additional Resources 0 R Wahbe S Lucco T Anderson and S Graham Efficient Softwarebased Fault Isolation httpwwwcscornelleduhomejgmcs71lsp 0 Christopher Small MiSFlT A Tool for Constructing Safe Extensible C Systems httpwwwdogfishorgchris gaperslmisfiqm isfitieeeps 10200714aa Going Deep on Virtualization Background following Bishop Chapter 29 Virtualization and Intel architectures 10200714aa Overview Virtual Machine Structure Virtual Machine Monitor Privilege Physical Resources Paging 10200714aa What Is It 0 Virtual machine monitor 0MM virtualizes system resources Runs directly on hardware Provides interface to give each program running on it the illusion that it is the only process on the system and is running directly on hardware Provides illusion of contiguous memory beginning at address 0 a CPU and secondary storage to each program 10200714aa Example IBM VM370 ser processes I MVS l Vrrtual I I System33970 user rocesses user processes u e uIULc c u e HAUL e I DOSVS MVS Vrrtual CP CMS CMS I virtual ua Virtual Virtual hardware System33970 System33970 System33970 System33970 System33970 CP real hardware System3 70 Mapiedfmm Dwiel pp 505507 10200714aa Privileged Instructions 1 VMM running operating system 0 which is running process p p tries to read privileged operation traps to hardware 2 VMM invoked determines trap occurred in o VMM updates state of o to make it look like hardware invoked 0 directly so 0 tries to read causing trap 3 VMM does read Updates oto make it seem like 0 did read Transfers control to o 10200714aa Privileged Instructions 4 0 tries to switch context to p causing trap 5 VMM updates virtual machine of o to make it appear 0 did context switch successfully Transfers control to 0 which as 0 apparently did a context switch to p has the effect of returning control to p 10200714aa Privileged Instructions issue read system call retum from read call invaked by hardware trap reud mlrhed context switch to p VMM hard ware 10200714aa Privilege and VMs Sensitive instruction discloses or alters state of processor privilege Sensitive data structure contains information about state of processor privilege 10200714aa When Is VM Possible Can virtualize an architecture when 1 All sensitive instructions cause traps when executed by processes at lower levels of privilege 2 All references to sensitive data structures cause traps when executed by processes at lower levels of privilege 10200714aa Example VAX System 0 4 levels of privilege user supervisor executive kernel CHMK changes privilege to kernel level sensitive instruction 0 Causes trap except when executed in kernel mode meets rule 1 Page tables have copy of Processor Status Longword PSL containing privilege level sensitive data structure 0 If user level processes prevented from altering page tables trying to do so will cause a trap this meets rule 2 10200714aa Multiple Levels of Privilege Hardware supports n levels of privilege VM must also support n levels VM monitor runs at highest level so n 1 levels of privilege left Solution virtualize levels of privilege Called ring compression 10200714aa Example VAX VMM System 0 VMM at kernel level 0 VMM maps virtual kernel and executive level to real executive mode Called VM kernel level VM executive level Virtual machine bit added to PSL o If set current process running on VM Special register VMPSL records PSL of currently running VM All sensitive instructions that could reveal level of privilege get this information from VMPSL or trap to the VMM which then emulates the instruction 10200714aa 20 Alternate Approach Divide users into different classes Control access to system by limiting access of each class 10200714aa Example IBM VM370 Each control program command associated with user privilege classes Gquot general user class can start a VM Aquot primary system operator class can control accounting VM availability other system resources Anyquot class can gain or surrender access to VM 10200714aa 21 Physical Resources and VMs Distributes resources among VMs as appropriate Each VM appears to have reduced amount of resources from real system Example VMM to create 10 VMs means real disk split into 10 minidisks o Minidisks may have different sizes 0 VMM does mapping between minidisk addresses real disk addresses 10200714aa Example Disk IO 0 VM s OS tries to write to disk IO instruction privileged traps to VMM o VMM checks request services it Translates addresses involved Verifies IO references disk space allocated to that VM Services request 0 VMM returns control to VM when appropriate If IO synchronous when service complete If IO asynchronous when service begun 10200714aa 22 Paging and VMs Like ordinary disk IO but 2 problems Some pages may be available only at highest level of privilege 0 VM must remap level of privilege of these pages Performance issues 0 VMM paging its own pages is transparent to VMs 0 VM paging is handled by VMM if VM s OS does lots of paging this may introduce significant delays 10200714aa Example VAXVMS o On VAXVMS only kernel level processes can read some pages What happens if process at VM kernel level needs to read such a page Fails as VM kernel level is at real executive level VMM reduces level of page to executive then it works 0 Note security risk 7 In practice OK as VMS allows executive level processes to change to kernel level 10200714aa 23 Example IBM VM370 0 Supports several different operating systems OSMFI39 OSMVT designed to access disk storage 0 Ifjobs being run underthose systems depend on timings delay caused by VM may affect success ofjob If system supports virtual paging like MVS either MVS or VMM may cause paging o The VMM paging may introduce overhead delays that cause programs to fail that would not were the programs run directly on the hardware 10200714aa Virtualization Returns Intel s Vanderpool architecture brings Virtual Machines back to the mainstream Intel Virtualization Paper ftpdownloadintelcomtechnologylcomp utin v tech vtieeecom uterfinal df 10200714aa 24 Applications of Virtualization o Workload isolation o Workload consolidation o Workload migration 102007 1436 Isolation Workload isolation VMM l HW 25 Consolidation Workload consolidation Migration Workload migration 08 g 03 26 Virtualizing Intel architectures As is Intel architectures do not meet the two requirements Nonfaulting access to privileged state lA32 has registers that describe and manipulate the global descriptor table These registers can only be set in ring 0 They can be queried in any ring without generating a fault This violates rule 2 all references to sensitive data traps Software products to virtualize Intel hardware had to get around this Vmware and Virtual PC dynamically rewrite binary code Xen requires source changes paravirtualization 10200714aa lntel solutions VTx virtualization for lA32 VTi virtualization for ltanium Changed architecture to meet the criteria 10200714aa 27 Ring aliasing and ring compression Solution is to allow guest to run at intended privilege level by augmenting privilege levels See Figure 2d 10200714aa Nonvirtuallized and 013 3 Applications 3 Guest applications o a is typical of X86 operating systems 0 b and c give two strategies for virtualization in software 10200714aa 28 033 and VTX I l eitestapplica tionsquot l l 39 l l l ll 3 Guesftragplicaiions 1 Nonfaulting access to privileged state o Two kinds of changes Make access fault to the VM Allow nonfaulting access but to state under the control of the VMM 102007 1436 29 Intel Virtualization Paper ftp downloadintelcomtechnologycomp utin v tech vtieee com uter final clf 10200714aa Dark Side Malware and Virtual Machines SubVirt Implementing malware with viltual machines King Chen Wang Verbowski Wang Lorch Describes the construction of a virtual machine based rootkitquot and potential fenses 10200714aa 30
Are you sure you want to buy this material for
You're already Subscribed!
Looks like you've already subscribed to StudySoup, you won't need to purchase another subscription to get this material. To access this material simply click 'View Full Document'