Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles, 6/E William Stallings

Computer Security

Patricia Roy
Manatee Community College, Venice, FL
©2008, Prentice Hall

Chapters 14 and 15

Operating Systems: Internals and Design Principles, 6/E

William Stallings

Computer Security Concepts

• Confidentiality
  – Data confidentiality
  – Privacy

• Integrity
  – Data integrity
  – System integrity

• Availability

The Security Requirements Triad

Additional Concepts

• Authenticity: verification, trusted source

• Accountability: e.g., trace security breach to a responsible party

Disclosure

Deception

Disruption

Usurpation

Scope of System Security

Assets

Intruders

• Masquerader: non-authorized user exploiting authorized user’s account

• Misfeasor: legitimate user making non-authorized access to resources

• Clandestine user: seizing supervisory control for evasion

Hacker

Criminals

Insiders

Malware

• Parasitic (needs host – virus, logic bomb, backdoor) or self-contained (worm, bot)

• Replicate (virus, worm) or do not (activated by trigger – logic bomb, backdoor, bot)

Backdoor

• Trapdoor

• Secret entry point to avoid usual security access procedure

• Useful for programmers debugging – maintenance hook

Logic Bomb

• Embedded into legitimate program

• Explodes when certain conditions are met
  – Presence or absence of certain files
  – Particular day of the week
  – Particular user running application

Trojan Horse

• Useful program that contains hidden code that when invoked performs some unwanted or harmful function

• Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
  – User may set file permission so everyone has access
  – login

Mobile Code

• Transmitted from remote system to local system

• Executed on local system without the user’s explicit instruction

Multiple-Threat Malware

• Multipartite virus infects in multiple ways

• Blended attack uses multiple methods

• Ex: Nimda has worm, virus, and mobile code characteristics

Parts of Virus

• Infection mechanism

• Trigger

• Payload

Virus Stages

• Dormant phase
  – Virus is idle

• Propagation phase
  – Virus places an identical copy of itself into other programs or into certain system areas on the disk

Virus Stages

• Triggering phase
  – Virus is activated to perform the function for which it was intended
  – Caused by a variety of system events

• Execution phase
  – Function is performed

Simple Virus

Compression Virus

Virus Classification by Target

• Boot sector infector: spreads when booting

• File infector: infects executable files

• Macro virus: Platform independent
  – Most infect Microsoft Word documents
  – Infect documents, not executable portions of code
  – Easily spread
  – File system access controls are of limited use in preventing spread

Virus Classification by Concealment Strategy

• Encrypted virus
  – Random encryption key encrypts remainder of virus

• Stealth virus
  – Hides itself from detection of antivirus software, e.g., by compression

Virus Classification by Concealment Strategy (2)

• Polymorphic virus
  – Mutates with every infection
  – Conceals "signature"

• Metamorphic virus
  – Mutates with every infection
  – Rewrites itself completely after every iteration
  – Might change behavior

E-Mail Viruses

• Attachment

• Open e-mail

• Uses e-mail software to replicate

Worms

• Use network connections to spread from system to system

• Electronic mail facility
  – A worm mails a copy of itself to other systems

Worms

• Remote execution capability
  – A worm executes a copy of itself on another system

• Remote log-in capability
  – A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other

Bots

• Zombie or drone

• Program secretly takes over another Internet-attached computer

• Launch attacks that are difficult to trace to bot’s creator

• Collection of bots is a botnet

• Spamming, sniffing traffic, keylogging, manipulating polls, distributed denial-of-service

Rootkit

• Set of programs installed on a system to maintain administrator (or root) access to that system

• Hides its existence

System Call Table Modification by Rootkit

Authentication

• Basis for most types of access control and accountability

• Identification step

• Verification step

Password-Based Authentication

• ID
  – Determines if user is authorized to access system
  – Determines privileges for user
  – Discretionary access control

UNIX Password Scheme

UNIX Password Scheme

Famous Security Flaws

The TENEX – password problem

Token-Based Authentication

• User possesses object

• Memory cards

• Smart cards

Biometrics - Cost versus Accuracy

Access Control

• Discretionary access control
  – Based on identity of requestor, might enable other entity to access resource

• Mandatory access control
  – Based on comparing security labels with security clearances

• Role-based access control
  – Based on roles user has in system
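
The three models side by side, as an added example that is not part of the original slides: the same read/write requests are decided by owner-managed ACL (DAC), by label versus clearance (MAC) and by role membership (RBAC). The users, roles, the `ledger` resource and the label ordering are constructed for illustration, and the MAC check covers reads only.

```python
from dataclasses import dataclass, field

# Constructed label ordering for the MAC check (assumption, not from the slides).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

@dataclass
class Resource:
    name: str
    owner: str                                # DAC: identity that controls the ACL
    label: str                                # MAC: security label fixed by policy
    acl: dict = field(default_factory=dict)   # DAC: user -> set of rights

def dac_grant(res, granter, grantee, right):
    """DAC: only the owner may, at their own discretion, enable another entity."""
    if granter != res.owner:
        return False
    res.acl.setdefault(grantee, set()).add(right)
    return True

def dac_check(res, user, right):
    """DAC: the decision rests on the identity of the requestor."""
    return user == res.owner or right in res.acl.get(user, set())

def mac_read_check(res, clearance):
    """MAC: read allowed only if the clearance is at least the resource label."""
    return LEVELS[clearance] >= LEVELS[res.label]

# RBAC: users hold roles, roles hold permissions (constructed sample data).
USER_ROLES = {"alice": {"teller"}, "bob": {"auditor"}}
ROLE_PERMS = {"teller": {("ledger", "read"), ("ledger", "write")},
              "auditor": {("ledger", "read")}}

def rbac_check(user, resource_name, right):
    """RBAC: a request succeeds if any role held by the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any((resource_name, right) in ROLE_PERMS.get(r, set()) for r in roles)

def demo():
    ledger = Resource("ledger", owner="alice", label="confidential")
    before = dac_check(ledger, "bob", "read")        # bob is not yet on the ACL
    dac_grant(ledger, "alice", "bob", "read")        # owner shares at will
    return {"dac_before": before,
            "dac_after": dac_check(ledger, "bob", "read"),
            "dac_bob_regrant": dac_grant(ledger, "bob", "carol", "read"),
            "mac_low": mac_read_check(ledger, "unclassified"),
            "mac_high": mac_read_check(ledger, "secret"),
            "rbac_auditor_write": rbac_check("bob", "ledger", "write"),
            "rbac_teller_write": rbac_check("alice", "ledger", "write")}
```

Under DAC the owner's grant changes the outcome for `bob`; under MAC no user action can, because the label and clearance are set by policy.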

Extended Access Control Matrix

Organization of the Access Control Function

Users, Roles, and Resources

Access Control Matrix Representation of RBAC

Access Control Matrix Representation of RBAC

Intrusion Detection

• Classification: Host-based and Network-based

• Components:
  – Sensors: Collect data
  – Analyzers
  – User interface

Profiles of Behavior of Intruders and Authorized Users

Host-Based IDSs

• Anomaly detection
  – Collection of data relating to behavior of legitimate users over time

• Signature detection
  – Define set of rules or attack patterns

Audit Records

• Native audit records
  – Operating system accounting software

• Detection-specific audit records
  – Generate audit records required by the IDS
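
The two host-based approaches applied to audit records, as an added example that is not part of the original slides: a signature analyzer matches fixed rules, while an anomaly analyzer compares today's activity with each user's own historical profile. The record fields, user names, thresholds and sample data are all constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed detection-specific audit records: (subject, action, object, outcome).
AUDIT = [
    ("alice", "login", "tty1", "ok"),
    ("bob", "login", "tty2", "fail"),
    ("bob", "login", "tty2", "fail"),
    ("bob", "login", "tty2", "fail"),
    ("carol", "read", "/etc/shadow", "denied"),
    ("alice", "read", "/home/alice/notes", "ok"),
]

# Constructed profile: files read per day by each legitimate user over a week.
HISTORY = {"alice": [12, 15, 11, 14, 13, 12, 16],
           "bob": [40, 38, 45, 41, 39, 42, 44]}

def signature_alerts(records, max_failed=3, sensitive=("/etc/shadow",)):
    """Signature detection: match records against fixed rules for known-bad patterns."""
    fails = Counter(s for s, act, _, out in records if act == "login" and out == "fail")
    alerts = [f"{s}: repeated failed logins" for s, n in sorted(fails.items())
              if n >= max_failed]
    alerts += [f"{s}: denied read of {obj}" for s, act, obj, out in records
               if act == "read" and out == "denied" and obj in sensitive]
    return alerts

def anomaly_score(user, todays_count, history=HISTORY):
    """Anomaly detection: deviation from the user's own profile, in standard deviations."""
    past = history[user]
    mean, sd = statistics.mean(past), statistics.stdev(past)
    if sd == 0:  # perfectly constant history: any change is maximally unusual
        return 0.0 if todays_count == mean else float("inf")
    return (todays_count - mean) / sd

def is_anomalous(user, todays_count, threshold=3.0):
    """Flag behaviour more than `threshold` standard deviations from the profile."""
    return abs(anomaly_score(user, todays_count)) > threshold
```

Reading 42 files in a day is flagged for `alice` but is ordinary for `bob`, which is the point of profiling each legitimate user separately rather than applying one global rule.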

Antivirus Approaches

• Detection

• Identification

• Removal

Antivirus and Anti-Antivirus Techniques

(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Generic Decryption

• CPU emulator

• Virus signature scanner

• Emulation control module

Digital Immune System

Behavior-Blocking Software Operation