Computer Security
Patricia Roy
Manatee Community College, Venice, FL
©2008, Prentice Hall
Chapters 14 and 15
Operating Systems: Internals and Design Principles, 6/E
William Stallings
Computer Security Concepts
• Confidentiality
  – Data confidentiality
  – Privacy
• Integrity
  – Data integrity
  – System integrity
• Availability
The Security Requirements Triad
Additional Concepts
• Authenticity: verification, trusted source
• Accountability: e.g., trace security breach to a responsible party
Disclosure
Deception
Disruption
Usurpation
Scope of System Security
Assets
Intruders
• Masquerader: non-authorized user exploiting authorized user’s account
• Misfeasor: legitimate user - non-authorized access to resources
• Clandestine user: seizing supervisory control for evasion
Hacker
Criminals
Insiders
Malware
• Parasitic (needs host – virus, logic bomb, backdoor) or self-contained (worm, bot)
• Replicate (virus, worm) or do not (activated by trigger – logic bomb, backdoor, bot)
Backdoor
• Trapdoor
• Secret entry point to avoid usual security access procedure
• Useful for programmers debugging – maintenance hook
Logic Bomb
• Embedded into legitimate program
• Explodes when certain conditions are met
  – Presence or absence of certain files
  – Particular day of the week
  – Particular user running application
Trojan Horse
• Useful program that contains hidden code that when invoked performs some unwanted or harmful function
• Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
  – User may set file permission so everyone has access
  – login
Mobile Code
• Transmitted from remote system to local system
• Executed on local system without the user’s explicit instruction
Multiple-Threat Malware
• Multipartite virus infects in multiple ways
• Blended attack uses multiple methods
• Ex: Nimda has worm, virus, and mobile code characteristics
Parts of Virus
• Infection mechanism
• Trigger
• Payload
Virus Stages
• Dormant phase
  – Virus is idle
• Propagation phase
  – Virus places an identical copy of itself into other programs or into certain system areas on the disk
• Triggering phase
  – Virus is activated to perform the function for which it was intended
  – Caused by a variety of system events
• Execution phase
  – Function is performed
Simple Virus
Compression Virus
Virus Classification by Target
• Boot sector infector: spreads when booting
• File infector: infects executable files
• Macro virus: platform independent
  – Most infect Microsoft Word documents
  – Infect documents, not executable portions of code
  – Easily spread
  – File system access controls are of limited use in preventing spread
Virus Classification by Concealment Strategy
• Encrypted virus
  – Random encryption key encrypts remainder of virus
• Stealth virus
  – Hides itself from detection by antivirus software, e.g., by compression
Virus Classification by Concealment Strategy (2)
• Polymorphic virus
  – Mutates with every infection
  – Conceals "signature"
• Metamorphic virus
  – Mutates with every infection
  – Rewrites itself completely after every iteration
  – Might change behavior
E-Mail Viruses
• Attachment
• Open e-mail
• Uses e-mail software to replicate
Worms
• Use network connections to spread from system to system
• Electronic mail facility
  – A worm mails a copy of itself to other systems
• Remote execution capability
  – A worm executes a copy of itself on another system
• Remote log-in capability
  – A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
Bots
• Zombie or drone
• Program secretly takes over another Internet-attached computer
• Launch attacks that are difficult to trace to bot’s creator
• Collection of bots is a botnet
• Spamming, sniffing traffic, keylogging, manipulating polls, distributed denial-of-service
Rootkit
• Set of programs installed on a system to maintain administrator (or root) access to that system
• Hides its existence
System Call Table Modification by Rootkit
Authentication
• Basis for most types of access control and accountability
• Identification step
• Verification step
Password-Based Authentication
• ID
  – Determines if user is authorized to access system
  – Determines privileges for user
  – Discretionary access control
UNIX Password Scheme
Famous Security Flaws
The TENEX – password problem
Token-Based Authentication
• User possesses object
• Memory cards
• Smart cards
Biometrics - Cost versus Accuracy
Access Control
• Discretionary access control
  – Based on identity of requestor, might enable other entity to access resource
• Mandatory access control
  – Based on comparing security labels with security clearances
• Role-based access control
  – Based on roles user has in system
Extended Access Control Matrix
Organization of the Access Control Function
Users, Roles, and Resources
Access Control Matrix Representation of RBAC
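The three access control policies above, as an added example that is not part of the original slides or the textbook. All users, objects, labels and roles are constructed, and the mandatory policy assumes the common "no read up, no write down" rule set; RBAC is written as the two matrices the slide titles name (users to roles, roles to permissions).

```python
# Added example; every subject, object, label and role below is constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


class DacObject:
    """DAC: rights are tied to identities, and an owner may pass them on."""
    def __init__(self, owner):
        self.acl = {owner: {"own", "read", "write"}}

    def grant(self, granter, grantee, right):
        # The discretionary step: a subject holding "own" enables another entity.
        if "own" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} cannot grant rights on this object")
        self.acl.setdefault(grantee, set()).add(right)

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())


def mac_allows(clearance, label, right):
    """MAC: compare clearance with label (assumed: no read up, no write down)."""
    subj, obj = LEVELS[clearance], LEVELS[label]
    if right == "read":
        return subj >= obj
    if right == "write":
        return subj <= obj
    return False


# RBAC as two matrices: users x roles, then roles x (object, right).
USER_ROLES = {"alice": {"doctor"}, "bob": {"clerk"}, "carol": {"doctor", "auditor"}}
ROLE_PERMS = {
    "doctor": {("chart", "read"), ("chart", "write")},
    "clerk": {("invoice", "read"), ("invoice", "write")},
    "auditor": {("chart", "read"), ("invoice", "read")},
}


def rbac_allows(user, obj, right):
    """RBAC: allowed if any role assigned to the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any((obj, right) in ROLE_PERMS.get(role, set()) for role in roles)


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print(report.allows("bob", "read"), mac_allows("confidential", "secret", "read"))
```

Only the DAC object lets a subject change who else has access; under MAC and RBAC the subject cannot alter the labels or the role assignments that decide the request.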
Intrusion Detection
• Classification: Host-based and Network-based
• Components:
  – Sensors: Collect data
  – Analyzers
  – User interface
Profiles of Behavior of Intruders and Authorized Users
Host-Based IDSs
• Anomaly detection
  – Collection of data relating to behavior of legitimate users over time
• Signature detection
  – Define set of rules or attack patterns
Audit Records
• Native audit records
  – Operating system accounting software
• Detection-specific audit records
  – Generate audit records required by the IDS
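The two host-based detection approaches run over the same detection-specific audit records, as an added example that is not part of the original slides or the textbook. The record layout, users, paths, rules and thresholds are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed detection-specific audit records: (day, subject, action, object, outcome).
# HISTORY is ten days of normal activity; TODAY is the day being analyzed.
HISTORY = [(d, "ann", "read", f"/home/ann/f{i}", "ok")
           for d in range(1, 11) for i in range(20 + d % 3)]
TODAY = ([(11, "ann", "read", f"/srv/payroll/{i}", "ok") for i in range(90)]
         + [(11, "ann", "login", "tty1", "fail")] * 2
         + [(11, "bob", "login", "tty2", "fail")] * 6
         + [(11, "bob", "read", "/etc/shadow", "denied")])


def signature_alerts(records, max_failed=5, sensitive=("/etc/shadow",)):
    """Signature detection: fixed rules that describe known attack patterns."""
    fails = Counter(s for _, s, a, _, out in records
                    if a == "login" and out == "fail")
    alerts = [(s, "repeated failed logins")
              for s, n in sorted(fails.items()) if n > max_failed]
    alerts += [(s, f"access attempt on {o}")
               for _, s, _, o, _ in records if o in sensitive]
    return alerts


def build_profile(history, action="read"):
    """Anomaly detection, step 1: learn each user's normal daily volume."""
    per_day = Counter((s, d) for d, s, a, _, _ in history if a == action)
    counts = {}
    for (s, _), n in per_day.items():
        counts.setdefault(s, []).append(n)
    return {s: (mean(v), pstdev(v)) for s, v in counts.items()}


def anomaly_alerts(profile, records, action="read", z_limit=3.0):
    """Anomaly detection, step 2: flag volumes far above the learned profile."""
    today = Counter(s for _, s, a, _, _ in records if a == action)
    alerts = []
    for s, n in sorted(today.items()):
        if s not in profile:
            continue  # no baseline for this user, so nothing to compare against
        mu, sigma = profile[s]
        if (n - mu) / (sigma or 1.0) > z_limit:
            alerts.append((s, n))
    return alerts


if __name__ == "__main__":
    print(signature_alerts(TODAY))
    print(anomaly_alerts(build_profile(HISTORY), TODAY))
```

The rules catch bob's failed logins and the access attempt on a listed file but say nothing about ann, whose bulk read matches no rule; the profile catches ann but has no baseline for bob, which is why the two approaches are deployed together.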
Antivirus Approaches
• Detection
• Identification
• Removal
Antivirus and Anti-Antivirus Techniques
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
Generic Decryption
• CPU emulator
• Virus signature scanner
• Emulation control module
Digital Immune System
Behavior-Blocking Software Operation