CS 420 TEST 3
Cloud
(just using somebody else's computer) The key idea is straightforward: outsource your computation or storage needs to a well-managed data center run by a company specializing in this and staffed by experts in the area. Because the data center typically belongs to someone else, you will probably have to pay for the use of the resources, but at least you will not have to worry about the physical machines, power, cooling, and maintenance.
Other characteristics of security
- Authenticity
- Accountability
- Non-repudiability
- Privacy
Inside threats to security include:
- current and former employees seeking to sabotage the IS infrastructure and integrity of data
- unintentional human error or operational errors
- hardware or software failure
- natural disasters
Types of Rootkits: Let us now discuss the five kinds of rootkits that are currently possible, from bottom to top. In all cases, the issue is: where does the rootkit hide?
1. Hypervisor rootkits.
2. Hardware rootkits.
3. Kernel rootkits.
4. Library rootkits.
5. Application rootkits.
Authentication: verifying the user.
1. Something the user knows.
2. Something the user has.
3. Something the user is.
The Bell-LaPadula (not a data integrity) model has rules about how information can flow:
1. The simple security property: A process running at security level k can read only objects at its level or lower. For example, a general can read a lieutenant's documents but a lieutenant cannot read a general's documents.
2. The * property: A process running at security level k can write only objects at its level or higher. For example, a lieutenant can append a message to a general's mailbox telling everything he knows, but a general cannot append a message to a lieutenant's mailbox telling everything he knows because the general may have seen top-secret documents that may not be disclosed to a lieutenant.
backdoor:
Is installed on the machine and allows the criminals who sent out the malware to easily command the machine to do what it is instructed to do. This problem is created by code inserted into the system by a system programmer to bypass some normal checks.
Access Control List (ACL)
A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.
Protection Domains
A computer system contains many resources, or ''objects,'' that need to be protected. These objects can be hardware (e.g., CPUs, memory pages, disk drives, or printers) or software (e.g., processes, files, databases, or semaphores). Each object has a unique name by which it is referenced, and a finite set of operations that processes are allowed to carry out on it. The read and write operations are appropriate to a file; up and down make sense on a semaphore. A domain is a set of (object, rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it. A right in this context means permission to perform one of the operations. Often a domain corresponds to a single user, telling what the user can do and not do, but a domain can also be more general than just one user. For example, the members of a programming team working on some project might all belong to the same domain so that they can all access the project files. How objects are allocated to domains depends on the specifics of who needs to know what. One basic concept, however, is the POLA (Principle of Least Authority) or need to know. In general, security works best when each domain has the minimum objects and privileges to do its work—and no more. At every instant of time, each process runs in some protection domain. In other words, there is some collection of objects it can access, and for each object it has some set of rights. Processes can also switch from domain to domain during execution. The rules for domain switching are highly system dependent. An important question is how the system keeps track of which object belongs to which domain. Conceptually, at least, one can envision a large matrix, with the rows being domains and the columns being objects. Each box lists the rights, if any, that the domain contains for the object. 
Given this matrix and the current domain number, the system can tell if an access to a given object in a particular way from a specified domain is allowed. Each column represents the privilege
Botnet (bots or zombie):
A bot or zombie is a machine that has been taken over in this fashion; a botnet is a collection of them, a contraction of ''robot network.'' Most criminal activities on the Internet build on such infrastructures.
Malware:
Collectively, software such as Trojan horses, viruses, and worms, which often spreads quickly around the world.
Security In-Depth
A typical biometrics system has two parts: enrollment and identification. During enrollment, the user's characteristics are measured and the results digitized. Then significant features are extracted and stored in a record associated with the user. The record can be kept in a central database (e.g., for logging in to a remote computer), or stored on a smart card that the user carries around and inserts into a remote reader (e.g., at an ATM machine). Another biometric that is in widespread commercial use is iris recognition.
Red queen effect:
In the evolution of security, describes a phenomenon seen in coevolving populations: to maintain relative fitness, each population must constantly adapt to the other.
Code Reuse Attacks
An example of how gadgets are linked together by return addresses on the stack. The gadgets are short snippets of code that end with a return instruction. The return instruction will pop the address to return to off the stack and continue execution there. In this case, the attacker first returns to gadget A in some function X, then to gadget B in function Y, etc. It is the attacker's job to gather these gadgets in an existing binary. As he did not create the gadgets himself, he sometimes has to make do with gadgets that are perhaps less than ideal, but good enough for the job.
Hypervisor rootkits.
An extremely sneaky kind of rootkit could run the entire operating system and all the applications in a virtual machine under its control. The first proof-of-concept, blue pill (a reference to a movie called The Matrix), was demonstrated by a Polish hacker named Joanna Rutkowska in 2006. This kind of rootkit usually modifies the boot sequence so that when the machine is powered on it executes the hypervisor on the bare hardware, which then starts the operating system and its applications in a virtual machine. The strength of this method, like the previous one, is that nothing is hidden in the operating system, libraries, or programs, so rootkit detectors that look there will come up short.
Library rootkits.
Another place a rootkit can hide is in the system library, for example, in libc in Linux. This location gives the malware the opportunity to inspect the arguments and return values of system calls, modifying them as need be to keep itself hidden.
Application rootkits.
Another place to hide a rootkit is inside a large application program, especially one that creates many new files while running (user profiles, image previews, etc.). These new files are good places to hide things, and no one thinks it strange that they exist.
Deadlock Prevention
Assure that at least one of the conditions is never satisfied:
• Mutual exclusion - a resource is either owned or available, but it can't be both at once.
• Hold and wait - states that the process is holding onto resource(s) that may (or may not) be required by other processes.
• No preemption - takes away some resources.
• Circular wait - states that there exists a chain of processes where each process is waiting for a resource that is being held by another process.
7.11 CLOUDS
The cloud is reliable enough to serve its purpose. The National Institute of Standards and Technology (NIST), always a good source to fall back on, lists five essential characteristics:
1. On-demand self-service. Users should be able to provision resources automatically, without requiring human interaction.
2. Broad network access. All these resources should be available over the network via standard mechanisms so that heterogeneous devices can make use of them.
3. Resource pooling. The computing resource owned by the provider should be pooled to serve multiple users and with the ability to assign and reassign resources dynamically. The users generally do not even know the exact location of ''their'' resources or even which country they are located in.
4. Rapid elasticity. It should be possible to acquire and release resources elastically, perhaps even automatically, to scale immediately with the users' demands.
5. Measured service. The cloud provider meters the resources used in a way that matches the type of service agreed upon.
logic bomb
Computer code that lies dormant until it is triggered by a specific logical event. This device is a piece of code written by one of a company's (currently employed) programmers and secretly inserted into the production system.
CIA
Confidentiality: is concerned with having secret data remain secret. More specifically, if the owner of some data has decided that these data are to be made available only to certain people and no others, the system should guarantee that the release of the data to unauthorized people never occurs. As an absolute minimum, the owner should be able to specify who can see what, and the system should enforce these specifications, which ideally should be per file.
Integrity: unauthorized users should not be able to modify any data without the owner's permission. Data modification in this context includes not only changing the data but also removing data and adding false data. If a system cannot guarantee that data deposited in it remain unchanged until the owner decides to change them, it is not worth much for data storage.
Availability: nobody can disturb the system to make it unusable.
Goal / Threat:
- Confidentiality: Exposure of Data
- Integrity: Tampering with Data
- Availability: Denial of Service
Denial-of-service attacks are increasingly common.
Safe and Unsafe States (2)
Demonstration that the state in (b) is not safe. Fig. 6-10(a), but this time A requests and gets another resource, giving Fig. 6-10(b). Can we find a sequence that is guaranteed to work? Let us try. The scheduler could run B until it asked for all its resources, as shown in Fig. 6-10(c). Eventually, B completes, and we get the state of Fig. 6-10(d).
a multilevel security system.
Processes data at different classifications (security levels) and users with different clearances (security levels) can use the system. A process running on behalf of a user acquires the user's security level. Since there are multiple security levels.
Buffer Overflow Attack:
Functions that don't check whether the buffer overflows: gets, strcpy, memcpy, strcat. An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
Banker's Algorithm for Single Resource
Figure 6-11. Three resource allocation states: (a) Safe. (b) Safe. (c) Unsafe. In Fig. 6-11(a) we see four customers, A, B, C, and D, each of whom has been granted a certain number of credit units (e.g., 1 unit is 1K dollars). A scheduling algorithm that can avoid deadlocks is due to Dijkstra (1965); it is known as the banker's algorithm and is an extension of the deadlock detection algorithm given in Sec. 3.4.1.
Banker's Algorithm for Multiple Resources (1)
Figure 6-12. The banker's algorithm with multiple resources. In Fig. 6-12 we see two matrices. The one on the left shows how many of each resource are currently assigned to each of the five processes. The matrix on the right shows how many resources each process still needs in order to complete.
Hypervisors
Intel Architecture - virtual technology; AMD - Secure Virtual Machine (SVM). The basic idea is to create containers in which virtual machines can be run. When a guest operating system is started up in a container, it continues to run there until it causes an exception and traps to the hypervisor, for example, by executing an I/O instruction. The set of operations that trap is controlled by a hardware bitmap set by the hypervisor. With these extensions the classical trap-and-emulate virtual machine approach becomes possible.
Attacking Circular Wait Condition (1)
Figure 6-13. (a) Numerically ordered resources. (b) A resource graph. Another way to avoid the circular wait is to provide a global numbering of all the resources, as shown in Fig. 6-13(a). Now the rule is this: processes can request resources whenever they want to, but all requests must be made in numerical order. A process may request first a printer and then a tape drive, but it may not request first a plotter and then a printer. With this rule, the resource allocation graph can never have cycles. Let us see why this is true for the case of two processes, in Fig. 6-13(b). We can get a deadlock only if A requests resource j and B requests resource i.
Condition / Approach:
- Mutual exclusion: Spool everything
- Hold and wait: Request all resources initially
- Circular wait: Order resources numerically
Deadlock Avoidance Resource Trajectories
Figure 6-8. Two process resource trajectories. We see a model for dealing with two processes and two resources, for example, a printer and a plotter.
Safe and Unsafe States (1)
Figure 6-9. Demonstration that the state in (a) is safe. In Fig. 6-9(a) we have a state in which A has three instances of the resource but may need as many as nine eventually. B currently has two and may need four altogether, later. Similarly, C also has two but may need an additional five. A total of 10 instances of the resource exist, so with seven resources already allocated, there are three still free. A state is said to be safe if there is some scheduling order in which every process can run to completion even if all of them suddenly request their maximum number of resources immediately.
Steganography
Hiding the existence of information through images. A technology that makes it possible to embed hidden information in documents, pictures, and music files
POLA (Principle of Least Authority)
How objects are allocated to domains depends on the specifics of who needs to know what. In general, security works best when each domain has the minimum objects and privileges to do its work—and no more.
Sensitive instructions:
In a nutshell, every CPU with kernel mode and user mode has a set of instructions that behave differently when executed in kernel mode than when executed in user mode. These include instructions that do I/O, change the MMU settings, and so on.
Memory Virtualization
In general, for each virtual machine the hypervisor needs to create a shadow page table that maps the virtual pages used by the virtual machine onto the actual pages the hypervisor gave it.
- Shadow page table: one for each virtual machine; it is a bridge between the guest OS virtual memory table and physical memory.
- Guest-induced page faults: while they are intercepted by the hypervisor, they must be reinjected into the guest. This is not cheap at all.
- Hypervisor-induced page faults: they are handled by updating the shadow page tables.
DAC: Discretionary Access Control -
In many environments this model works fine, but there are other environments where much tighter security is required, such as the military, corporate patent departments, and hospitals. In the latter environments, the organization has stated rules about who can see what, and these may not be modified by individual soldiers, lawyers, or doctors, at least not without getting special permission from the boss (and probably from the boss' lawyers as well).
Firmware rootkits.
In theory at least, a rootkit could hide by reflashing the BIOS with a copy of itself in there. Such a rootkit would get control whenever the machine was booted and also whenever a BIOS function was called. If the rootkit encrypted itself after each use and decrypted itself before each use, it would be quite hard to detect. This type has not been observed in the wild yet.
Open-BSD:
Modern CPUs have a feature that is popularly referred to as the NX bit, which stands for ''No-eXecute.'' It is extremely useful to distinguish between data segments (heap, stack, and global variables) and the text segment (which contains the code). Specifically, many modern operating systems try to ensure that data segments are writable, but are not executable, and the text segment is executable, but not writable. This policy is known on OpenBSD as W^X (pronounced ''W Exclusive-OR X'' or ''W XOR X''). It signifies that memory is either writable or executable, but not both. Mac OS X, Linux, and Windows have similar protection schemes.
Authentication Using a Physical Object
One disadvantage of any fixed cryptographic protocol is that over the course of time it could be broken, rendering the smart card useless.
Public-key Cryptography (Diffie and Hellman, 1976)
One-way function: e.g., computing A^2 = B is easier than computing the square root of B. One-way hash function / one-to-one functions: the hashing function typically produces a fixed-length result independent of the original document size. The most popular hashing function used is SHA-1 (Secure Hash Algorithm), which produces a 20-byte result (NIST, 1995). Newer versions of SHA-1 are SHA-256 and SHA-512, which produce 32-byte and 64-byte results, respectively, but they are less widely used to date.
Recovery from Deadlock Possible Methods of recovery (though none are "attractive"):
- Preemption - is the act of temporarily interrupting a task being carried out by a computer system.
- Rollback - Checkpointing a process means that its state is written to a file so that it can be restarted later.
- Killing processes - The crudest but simplest way to break a deadlock is to kill one or more processes. One possibility is to kill a process in the cycle.
Process termination: abort all deadlocked processes or abort them one at a time until the deadlock cycle is broken. Or, use resource preemption, where resources are taken away from one process and given to another until the deadlock is broken.
Hypervisors should score well in three dimensions:
- Safety: The hypervisor should have full control of virtualized resources.
- Fidelity: The behavior of a program on a virtual machine should be identical to that of the same program running on bare hardware.
- Efficiency: Much of the code in the virtual machine should run without intervention by the hypervisor.
Basics of Cryptography
Secret-key (symmetric-key) cryptography.
Monoalphabetic substitution:
A B C D E ... W X Y Z
Q W E R R ... U B N M
Caesar cipher or shift cipher with 3 shifts.
Plaintext to ciphertext, ex: HELLO = ITSSG
Permutation choices: e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations, called digrams, are th, in, er, re, and so on.
Virtual Memory
Space on a hard disk or other storage device that simulates random access memory. We pretend that we have more memory.
PaaS (Platform as a Service)
Specific OS, database, etc. A service model in which various platforms are provided virtually, enabling developers to build and test applications within virtual, online environments tailored to the specific needs of a project.
Can we build secure systems?
The answer to the first one is: ''In theory, yes.'' In principle, software can be free of bugs and we can even verify that it is secure—as long as that software is not too large or complicated. The second question, why secure systems are not being built, comes down to two fundamental reasons. First, current systems are not secure, but users are unwilling to throw them out. The second issue is more subtle. The only known way to build a secure system is to keep it simple. Features are the enemy of security. The good folks in the Marketing Dept. at most tech companies believe (rightly or wrongly) that what users want is more features, bigger features, and better features. They make sure that the system architects designing their products get the word. However, all these mean more complexity, more code, more bugs, and more security errors.
Three methods of protecting them are known:
The first way requires a tagged architecture, a hardware design in which each memory word has an extra (or tag) bit that tells whether the word contains a capability or not. The tag bit is not used by arithmetic, comparison, or similar ordinary instructions, and it can be modified only by programs running in kernel mode (i.e., the operating system). Tagged-architecture machines have been built and can be made to work well (Feustal, 1972). The IBM AS/400 is a popular example. The second way is to keep the C-list inside the operating system. Capabilities are then referred to by their position in the capability list. A process might say: ''Read 1 KB from the file pointed to by capability 2.'' This form of addressing is similar to using file descriptors in UNIX. Hydra (Wulf et al., 1974) worked this way. The third way is to keep the C-list in user space, but manage the capabilities cryptographically so that users cannot tamper with them. This approach is particularly suited to distributed systems and works as follows. When a client process sends a message to a remote server, for example, a file server, to create an object for it, the server creates the object and generates a long random number, the check field, to go with it. A slot in the server's file table is reserved for the object and the check field is stored there along with the addresses of the disk blocks. In UNIX terms, the check field is stored on the server in the i-node. It is not sent back to the user and never put on the network.
Kernel rootkits.
The most common kind of rootkit at present is one that infects the operating system and hides in it as a device driver or loadable kernel module. The rootkit can easily replace a large, complex, and frequently changing driver with a new one that contains the old one plus the rootkit.
IaaS (Infrastructure as a Service)
The same cloud runs multiple different operating systems on the same hardware at the same time; it also permits clever management. A service model in which hardware services are provided virtually, including network infrastructure devices such as virtual servers.
Biba
The security model focused on maintaining the integrity of objects.
1. The simple integrity property: A process running at security level k can write only objects at its level or lower (no write up).
2. The integrity * property: A process running at security level k can read only objects at its level or higher (no read down).
Privileged instructions:
There is also a set of instructions that cause a trap if executed in user mode. Their paper stated for the first time that a machine is virtualizable only if the sensitive instructions are a subset of the privileged instructions.
Hacker (white hat):
a term of honor reserved for great programmers.
Cracker (black hat): people who try to break into computer systems where they do not belong.
Virtualization
allows a single computer to host multiple virtual machines, each potentially running a completely different operating system.
TCB
Trusted Computing Base - Low-level hardware, software like the OS kernel and firmware that must be trusted or nothing secure can be built on the system.
Data Execution Prevention (DEP)
Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks. Don't execute memory that is only meant to store data. NX bit.
Command Injection Attacks:
an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Security through Obscurity:
as good as having no security at all.
script-kiddies:
attackers similarly range from not very skilled wannabe black hats. - They may be professionals working for criminals, governments (e.g., the police, the military, or the secret services), or security firms—or hobbyists that do all their hacking in their spare time.
One common method is for message senders to attach a
certificate to the message, which contains the user's name and public key and is digitally signed by a trusted third party. Once the user has acquired the public key of the trusted third party, he can accept certificates from all senders who use this trusted third party to generate their certificates. A trusted third party that signs certificates is called a CA (Certification Authority). However, for a user to verify a certificate signed by a CA, the user needs the CA's public key. Where does that come from and how does the user know it is the real one? To do this in a general way requires a whole scheme for managing public keys, called a PKI (Public Key Infrastructure).
six primitive operations on the protection matrix that can be used as a base to model any protection system:
create object, delete object, create domain, delete domain, insert right, remove right. The two latter primitives insert and remove rights from specific matrix elements, such as granting domain 1 permission to read File6. These six primitives can be combined into protection commands.
VMM (Virtual Machine Monitor) / hypervisor
creates the illusion of multiple (virtual) machines on the same physical hardware.
SaaS (Software as a Service)
Google Drive, Canvas, and Microsoft Office 365. Services for delivering and providing access to the software remotely as a web-based service.
Types of Attackers:
hacktivism, vandalism, terrorism, cyberwarfare, espionage, spam, extortion, Privacy and blackmail, fraud—and occasionally the attacker still simply wants to show off, or expose the poor security of an organization.
Covert channels
is a noisy channel, containing a lot of extraneous information, but information can be reliably sent over a noisy channel by using an error-correcting code (e.g., a Hamming code, or even something more sophisticated). The use of an error-correcting code reduces the already low bandwidth of the covert channel even more, but it still may be enough to leak substantial information. It is fairly obvious that no protection model based on a matrix of objects and domains is going to prevent this kind of leakage. - A communication channel. The collaborator can try to detect the bitstream by carefully monitoring its response time. In general, it will get a better response when the server is sending a 0 than when the server is sending a 1.
A rootkit
is a program or set of programs and files that attempts to conceal its existence, even in the face of determined efforts by the owner of the infected machine to locate and remove it. Usually, the rootkit contains some malware that is being hidden as well. Rootkits can be installed by any of the methods discussed so far, including viruses, worms, and spyware, as well as by other ways, one of which will be discussed later.
Virus:
is a program that can reproduce itself by attaching its code to another program, analogous to how biological viruses reproduce. The virus can also do other things in addition to reproducing itself. Worms are like viruses but are self-replicating. That difference will not concern us for the moment, so we will use the term ''virus'' to cover both.
Sandboxing
is a software management strategy that isolates applications from critical system resources and other programs. It provides an extra layer of security that prevents malware or harmful applications from negatively affecting your system.
The problem with the Bell-LaPadula model
is that it was devised to keep secrets, not guarantee the integrity of the data. For the latter, we need precisely the reverse properties (Biba, 1977): Together, these properties ensure that the programmer can update the janitor's files with information acquired from the president, but not vice versa. Of course, some organizations want both the Bell-LaPadula properties and the Biba properties, but these are in direct conflict so they are hard to achieve simultaneously. Neither the Bell-LaPadula model nor Biba works.
Security:
is the set of techniques and tools for preventing unauthorized access to files. - One important aspect of the security problem, related to confidentiality, is privacy: protecting individuals from misuse of information about them. This quickly gets into many legal and moral issues.
Protection Mechanism: is a specific O.S. mechanism to safeguard information.
Hacking tools
- nmap: helps attackers determine the network services offered by a computer system by means of a portscan. It is useful for attackers as well as defenders, a property that is known as dual-use.
- dsniff: offers a variety of ways to monitor network traffic and redirect network packets.
- The Low Orbit Ion Cannon (LOIC): a tool to launch denial-of-service attacks.
- Metasploit: the framework that comes preloaded with hundreds of convenient exploits against all sorts of targets; launching attacks was never easier.
stack canaries:
one commonly used defense against the attack sketched above is to use. Modern computer systems still use (digital) canaries as early warning systems.
SWATing DOXing
releasing private information to the public
Virtual Machines:
run different OSs on top of the hardware - Running software in virtual machines has other advantages in addition to strong isolation. One of them is that having fewer physical machines saves money on hardware and electricity and takes up less rack space. - A software implementation of a computer system, allowing one physical computer to run several "virtual computers", each with their own independent operating system and application software.
Challenge-Response Authentication:
security questions
Ransomware:
strong cryptography with a virus that encrypts all the files
MAC: Mandatory Access Control -
to ensure that the stated security policies are enforced by the system, in addition to the standard discretionary access controls. What these mandatory access controls do is regulate the flow of information, to make sure that it does not leak out in a way it is not supposed to.