Operating Systems: Internals and Design Principles, 6/E William Stallings - Chapter 15: Computer Security Techniques

Chapter 15Computer Security TechniquesDave BremerOtago Polytechnic, N.Z.©2008, Prentice HallOperating Systems:Internals and Design Principles, 6/EWilliam StallingsRoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecurityAuthenticationBasis for most type of access control and accountabilityTwo stepsIdentificationVerificationMeans of AuthenticationTraditionally listed as three factorsSomething you knowPassword, PINSomething you haveCard, RFID badgeSomething you areBiometricsA different takeNick Mathewson is attributed with turning these factors into:Something you had, Something you forgot, Something you were!Biometrics expandedRecently Biometrics (something you are) has been expanded into:Something the individual isStatic Biometrics: Fingerprint, faceSomething the individual doesDynamic Biometrics: handwriting, voice recognition, typing rhythmPassword-Based AuthenticationDetermines if user is authorized to access the systemDetermines privileges for the userDiscretionary access control may be appliedHashed PasswordsWidely used technique for storing passwordsSecure against a variety of cryptanalytic attacksUNIX Password SchemeSaltPrevents duplicate passwords from being visible in the password file.Greatly increases the difficulty of offline dictionary attacks. It becomes nearly impossible to find out whether a person with an account on multiple systems has used the same password for all.Token-Based AuthenticationObjects that a user possesses for the purpose of user authentication are called tokens.Examples includeMemory cardsSmart cardsMemory CardsMemory cards can store but not process data.Often used in conjunction with password or pingDrawbacks includeRequires a special readerToken lossUser dissatisfactionSmart CardsContains microprocessor, along with memory, and I/O ports.Many types exist differing by three main aspects:Physical characteristicsInterfaceStaticDynamic password generator Challenge-responseStatic Biometric AuthenticationIncludesFacial characteristicsFingerprintsHand geometryRetinal patternBased on pattern recognition,technically complex and expensive. Dynamic Biometric AuthenticationPatterns may changeIncludesIrisSignatureVoiceTyping rhythmCost versus AccuracyRoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecurityAccess ControlDictates what types of access are permitted, under what circumstances, and by whom. Discretionary access controlMandatory access controlRole-based access controlNot mutually exclusiveExtended Access Control MatrixOrganization of the Access Control FunctionRole Based Access ControlEffective implementation of the principle of least privilegeEach role should contain the minimum set of access rights needed for that role.A user is assigned to a role that enables him or her to perform what is required for that role.But only while they are performing that roleRolesAccess Control Matrix Representation of RBACAccess Control Matrix Representation of RBACRoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecuritySome DefinitionsSecurity intrusion:A security event in which an intruder gains access to a system without authorization.Intrusion detection: A security service that monitors and analyzes system events to find intrusions and provide alertsIntrusion Detection Systems (IDS)Host-basedMonitors a single hostNetwork-basedCentrally monitors networks traffic, devicesIDS ComponentsSensorsCollect data and forward to the analyzer.AnalyzersDetermines if an intrusion has occurredUser interfaceProfiles of BehaviorHost-Based IDSsCan detect both external and internal intrusionsAnomaly detectionCollection of data relating to behavior of legitimated users over time may useThreshold detectionProfile based detectionSignature detectionDefine set of rules or attack pattersAudit RecordsNative audit recordsUses the OS accounting software/logsDetection-specific audit recordsGenerate audit records required by the IDSRoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecurityAntivirus ApproachesIdeal approach is prevention, don’t allow a virus onto the system!Impossible in many cases.Next best approach requires: DetectionIdentificationRemovalGeneric Decryption (GD)When a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. GD Detection requiresCPU emulatorVirus signature scannerEmulation control moduleDigital Immune SystemA comprehensive approach to virus protection developed by IBM, refined by Symantec.Aims to provide rapid response times to combat viruses as soon as they are introduced.Digital Immune SystemBehaviour Blocking SoftwareIntegrates with the operating system monitors program behavior in real time for malicious actions and blocks them.Monitored behaviors may include:opening or modifying certain files formatting disk drives Modifications to executable files or macrosModification of critical system settingsNetwork communicationBehavior-Blocking Software OperationWorm CountermeasuresSignature-based worm scan filtersFilter-based worm containmentPayload-classification-based worm containmentThreshold random walk (TRW) scan detectionRate limitingRate haltingBotnet and Rootkit CountermeasuresIDS and Anti-Viral techniques are useful against botsMain aim is to detect and disable a botnet during its constructionRootkits are, by design, difficult to detectCountering rootkits requires a variety of network- and computer-level security tools.RoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecurityBuffer OverflowProtection from stack buffer overflows can be broadly classified into two categories:Compile-time defenses Aims to harden programs to resist attacks in new programsStack protection mechanismsAims to detect and abort attacks in existing programs Compile Time DefensesChoice of Programming LanguageSome languages do not allow some unsafe coding practicesSafe Coding Techniques and AuditingLanguage Extensions and Use of Safe LibrariesStack Protection MechanismsRun Time DefensesThese defenses involve changes to the memory management of the virtual address space of processes.Executable address space protectionAddress space randomizationGuard pagesRoadmapAuthenticationAccess ControlIntrusion DetectionMalware DefenseDealing With Buffer Overflow AttacksWindows Vista SecurityWindows Vista SecurityAccess control scheme Access tokenIndicates privilegesAccess Mask