Reference Monitors & OS Security Flashcards
what is the security kernel (rmb that CO guy from 2018)
He’s a fast runner, he plays soccer maybe, and he creates the referee,
Hardware, firmware and
software elements of a TCB
that implement the reference
monitor concept.
TCB (trusted computer base)
The totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy.
What are the requirements of reference monitors. RM is implemented by kernel (colonel) so it represents SAF. That leads to total vehicular control.
Function Requirement: Complete meditation
Security Requirement: Tamper Proof
Assurance Requirement: Verifiable
I mean this is kinda intuitive also
Complete mediation
The reference validation mechanism must
always be invoked.
Tamper-proof
The reference validation mechanism must
be tamper-proof.
Verifiable
The reference validation mechanism must
be small enough to be analysed and
tested
placing RM hardware
access control mechanisms in microprocessors
placing RM OS kernel
hypervisor, i.e. a virtual machine that
emulates the host computer it is running on. Referee with sunglasses.
placing RM Services layer
access control in database systems, Java Virtual Machine, .NET Common Language Runtime, or CORBA middleware architecture.
Referee sips an 8 bit coffee shaped like a computer
placing RM Operating system
access control in Unix and Windows 2000
placing RM Application
security checks in the application code to address application specific requirements
AllFather Speaks: Orphan Kills Heimdallr
Application, services, operatingsystem, kernel (wear killer sunglasses/vizors), hardware
Operating System Integrity
Assume that your O/S prevents unauthorized access to resources (as long as it works as intended)
Ey say more about tamper proof requirement
• To bypass protection, an attacker may try to disable the security controls by
modifying the O/S.
• An integrity problem: the O/S is not only the arbitrator of access requests, it
is itself an object of access control.
• Users must not be able to modify the operating system.
don’t fuck with the boy,ogre. the boy controls weapons but the boy is a weapon
What are the 2 competing requirements in OS integrity, and what are the concepts used to achieve these goals
Users should be able to use (invoke) the O/S. Solved by status information
Users should not be able to misuse the O/S/ Solved by controlled invocation or restricted privilege.
What is the status flag
To protect itself, an O/S must be able to distinguish computations ‘on behalf’ of
the O/S from computations ‘on behalf’ of a user.
Status flag allows system to work in different modes
the computer lady from little britain goes up to the entrance to a different party. the butler asks, are you for yourself or bill gatees.
Intel 80x86: two status bits and four modes
Unix distinguishes between user and superuser (root)
For example, to stop users from writing directly to memory and corrupting the logical file structure, the OS grants write access to memory locations only if the processor is in supervisor mode.
If a user wants to write to memory (requires supervisor mode) then the system has to switch between nodes. How is this done
Changing the status bit to supervisor mode would give all supervisor privileges to the user
Controlled invocation: Invocation of a function that executes privileged instructions to provide a limited, well defined functionality, and then
return to user mode.
So the computer lady, me in a dress, looks my ben ten watch. see it glow 0 in a faint green glow in the night sky. the air is humid. Option 1, I turn the watch to 1. I hear the click of the watch, bill gates’ silhouette appears on it and I turn into it. I am in supervisor mode now.
Option 2, I bring out my phone, with confidence and ego i call bill gates and he gives me the functionality to write to memory (enter the orange ball).
why is there a need for security mechanisms at the core
Security mechanisms in a given layer can be compromised from a layer
below.
To evaluate security, you must check that security mechanisms cannot
be bypassed.
The more complex a system, the more difficult this check becomes. At
the core of a system you may find simple structures which are amenable
to thorough analysis.
tldr: you create a very skinny man with a body shape like an apple core. his heart’s poking out, it’s quite terrifying, like the seed in the apple core. he’s in charge of the base layer of the system
what are the benefits for putting security mechanisms at the core
Putting security mechanisms into the core of the system can reduce performance overheads caused by security
Processor performance depends on the right choice and efficient implementation of a generic set of operations that is most useful to the majority of users. The same holds for security mechanisms
Some sources assume that TCBs and security kernels must enforce multi-level security policies.
The skinny man with the core body has a sniper. see him somehow carry the weight of the barret. his eyes are bloodshot. he takes aim at UAVs flying overhead and shoots them. the people living above cheer.
he does not smile.
RAM. Also sum up security characteristics of different types of memory.
reads and writes memory, no guarantee of confidentiality
There’s a goat-person with hooves. he has those weird goat eyes. you can both see and fuck with the goat person, like push him over.
The goat person is making what it thinks are heart eyes at edward cullen. edward cullen can’t be fucked with obviously. But he can be seen and whoops he sparkles and he’s got bill gates in his hands
Edward Cullen is distracted, checking out lil huddy. lil huddy keeps getting attacked by kpop tiktok bot stans.
Lil huddy is playing with a worm in between his fingers. the worm holds the secret to all existence, and has a wise face.
the worm drops, it shits. audit log
ROM (read only memory)
Provides integrity but not confidentiality, the ROM may store part of the OSq
EPROM (erasable and programmable read only memory)
could store parts of the OS or crypto keys; high tech attacks can soften this
WROM
Memory contents are frozen once and for all, by blowing a fuse placed on the write line, WROM could hold crypto keys or audit logs
Volatile memory
Volatile memory loses its contents when power is switched off.
• Memory contents still present after a short power
loss.
• Can be reconstructed by special electronic techniques if power has been switched off for some time.
• To counter such attacks, memory has to be overwritten repeatedly with suitable bit patterns.
When you reboot derek, he still remembers some things. You can hack into him to try to reconstruct his old memories a while after he dies (his ghost), but erm, q hard. To solve this, derek repeatedly has his memory changed when alive.
Non-volatile (permanent) Memory
Non-volatile (permanent) memory keeps its content when power is switched off; if attacker can directly access memory bypassing the CPU, cryptographic or physical measures are needed to protect sensitive data. • E.g., a light sensor in a tamper resistant module may detect an attempted manipulation and trigger the deletion of the data kept in the module.
Jianyu remembers all things when he sleeps, shiva waking sleep something. If you try to peek inside, he self detonates.
what is confidential
you can’t see my shit
what is integrity
you can’t fuck with my shit.
integrity, cant fuck w me
confi, cena y’cant see me
What is IPC
A process has its own address space and
communicates with other processes only
through O/S primitives (Inter-Process
Communication).
Logical separation of processes as a basis for security.
A context switch between processes can be an expensive operation.
is the context switch expensive
yes
what is a process
A program in execution, consisting of executable code, data, and the execution context, e.g. the contents of certain CPU registers.
what is a thread
Strands of execution within a process. Threads share an address space to avoid the overheads of a full context switch, but they also avoid potential security controls
Processes and threads are important units of control for the OS, and for security. They are the :
subjects of access control
how does the CPU deal with interruptions of executions created by errors
through exceptions, interrupts, and traps. Bill gates shaves his head and wears a tie why?
what is a trap.
special input to the CPU that includes an address (interrupt vector) in an interrupt vector table giving the location of the program (interrupt handler) that deals with the condition specified in the trap.
satya nadella in a dress serves a list of IV bags in a table to bill gates. he raises an eyebrow. One of the IV bags is bloodied and has a torn off human hand on it.
Bill gates pushes a small copy of himself onto a stack then gives a nod to the hand. the hand moves the watch of some fake bill gates to remove the supervisor bit. then it returns control of the world to the User. bill gates continues doing his own thing.
What does the OS have to do
- Separate user space from OS space,
- Logically separate users,
- Restrict the memory objects a process can access
at the Microsoft garden party, bill gates has a whole bar to himself that he doesn’t let people enter. he then tells me that I can go to this bar table but not this other bar table. i can’t go there, erm, there’s a forcefield. I look at my ben ten watch. I don’t do anything yet. I also feels my hot hair (sunny day) and look at the row of wigs in the classroom/bar over there that I can’t access cos I don’t have position. I tear my hair off.
What is the logical separation of users
- File management
2. Memory management
Segmentation Security
Segmentation divides memory into logical units of variable lengths.
• A division into logical units is a good basis for enforcing a security policy.
• Units of variable length make memory
management more difficult.
Paging Security
Paging divides memory into pages of equal length.
• Fixed length units allow efficient memory
management.
• Page faults may create a covert channel
Why is paging not a good basis for access control
Paging is not a good basis for access control as pages are not logical units.
One page may contain objects requiring different protection.
When a process accesses a logical object stored on more than
one page, a page fault occurs whenever a new page is requested.
A covert channel exists if page faults are observable.
Covert Channel
Consider a password scheme where the password entered is compared character by character with the reference password stored in memory.
Access is denied the moment an incorrect match is found.
If a password is stored across a page boundary, then observing a page fault indicates that the piece of the password on the first page has been guessed correctly.
If the attacker can control where the password is stored on the page, password guessing becomes easy
how does the OS control access to data objects in memory
1 Operating system modifies the addresses it receives from user processes; e.g., address
sandboxing.
2 Operating system constructs the effective addresses from relative addresses it receives from user
processes;
3 Operating system checks whether the addresses it receives from user processes are within given
bounds.
Address consists of
Segment identifier Offset
When the operating system receives an address, it sets the correct segment identifier as follows:
Bitwise AND of the address with mask_1 clears the segment identifier;
bitwise OR with mask_2 sets the segment identifier to the intended value SEG_ID.
look at tutorial notes
RELATIVE ADDRESSING
The address is specified by an offset relative to a given base address.
Fence registers
Base register addressing keeps users out of O/S space; fence register points to top of user space.
Bounds register
Define the bottom of the user space. Base and bounds registers allow to separate program from data space.
cybercrime Zoom
Zoom’s randomly-generated meeting ID No. could be predicted (and even brute-forceable), allowing bad actors to intrude, disrupt and eavesdrop on meetings.
The company subsequently replaced meeting IDs with “cryptographically strong” one and made passwords default for users to join a meeting.
Security flaws in the app could let websites hijack
Mac cameras. The company subsequently patched its software and uninstalled a local webserver that created the vulnerability.
The app sent data about a user’s time zone and city,
as well as details about the user’s device to Facebook, even if the user did not have a Facebook account.
The company tightened their privacy policy after concerns surfaced about user’s personal information
being used to target ads.
Zoom allegedly leaked user information because of an issue with how the app grouped contacts.
Zoom allegedly misled users to believe video meetings were secured with end-to-end encryption instead of transport encryption.
THE COVID-19 PANDEMIC HAS INCREASED THE
IMPORTANCE OF GOOD CYBER HYGIENE
Uptick in number of cases involving
cybercriminals attempting to capitalise on
COVID-19 to steal personal information and credentials which will allow them to gain access
to networks and/or make financial gains.
There are fake contact tracing apps that are embedded with malware that can be used to conduct malicious activities, such as monitoring users’ activities on their devices or stealing personal data.
Some malware strains deployed* include known credential-stealing malware such as AZORult, Cerberus, Lokibot, and TrickBot.
These threats have proliferated across many sectors, including healthcare, manufacturing, pharmaceutical and transportation.
OVERVIEW OF CYBER THREATS IN SINGAPORE 2019
PHISHING 47500
WEBSITE DEFACEMENT 873
RANSOMWARE 35
OMMONLY SPOOFED GOVERNMENT
ORGANISATIONS
70% of incidents reported to SingCERT by SMEs and members of the public occurred through phishing attacks
COMMAND AND CONTROL SERVERS (C&C) AND
BOTNET DRONES
530
unique C&C servers were
observed in Singapore, a
73% increase from 2018.
2,300 botnet drones (compromised computers infected with malicious programs) with Singapore IP addresses were observed daily, on average (20% decrease from CSA’s observations in 2018).
CYBERCRIME IN SINGAPORE
Refers to cyber-extortion, online cheating cases, and offences under the Computer Misuse Act (CMA), such as unauthorised access of computer material and unauthorised use of computer service.
Point-of-Sale (POS)
Attacks
Refers to compromise of touchpoints (e.g. online shopping sites and cash terminals in brick-and-mortar stores). Active since 2016, Magecart cybercrime operators have been conducting POS attacks by injecting malicious codes into e-commerce websites to skim credit card details. They have stepped up their activities in recent years, targeting both SMEs and MNCs.
Supply Chain Attacks
Supply chain attacks target the less secure components of systems, and could be aimed at accessing and stealing confidential information, or gaining a foothold to springboard attacks into other parts of the system and connected networks. Thirdparty service providers with access to an organisation’s data are often the weak links targeted by threat actors.
Data Breaches
2019 witnessed an exponential increase in data breaches around the world, with the total number of records exposed registering a near 300 per cent increase, compared to 2018. [2] The large amounts of personal and financial information held in organisations such as governments, healthcare institutions and technology firms serve as attractive targets for threat actors.
Mobile Attacks
Threat actors are shifting towards targeting mobile devices such as smartphones and tablets to conduct credential theft, surveillance and malicious advertising. A major factor behind this spike in mobile attacks is likely due to the increased usage of mobile banking applications, which provide lucrative avenues for threat actors to gain access to and steal sensitive information.
Spear Phishing
Threat actors have been observed to adapt the writing styles of spoofed individuals and organisations, as well as use information from publicly available sources, such as social media posts, so that their e-mails appear more convincing to their victims. Business e-mail compromise (BEC) is another form of spear phishing on the rise
SYSTEM SECURITY
- computer security : provide a protected environment for data and their processing
- single user: physical security
- process protection
- data protection
- networked computer (yeah idk)
Security issues
Inter-process
communication
• Storage protection
Communication security
• Tampering of message data
• Identification of sender
• Disclosure of data to
unauthorized parties
Storage security
• Control of access to
storage/file manager
• Identification of data
owner and user
DISTRIBUTED SYSTEM SECURITY computer security
Addresses security of the end
systems
DISTRIBUTED SYSTEM SECURITY Application security
Relies on both to provide services
securely to end users.
RISK-BASED SECURITY APPROACH
- Computing power (could be technology-dependent)
- Value of the encrypted data e.g. payment (target-specific)
- Nature of the system e.g. government, bank, SCADA, etc
Practical security is about risk management which depends on a number of factors
- business nature:
Public confidence: Government, Banks, …
Critical infrastructure: SCADA, Healthcare, Aviation, … - Potential Rewards for the Attacker
Business secret, reputation of competitors
Government policy, Economic forecast
Industrial control (ICS), etc - Resources needed to protect the system and to break the system
Risk-based security system is a balance between
Risk Potential loss of owner & potential reward of enemy Cost Security design and implementation, computing overheads
Convenience Users may be tempted to bypass the security control or breach security if too inconvenient to use
SYSTEM SECURITY FAILURES
Cryptographic algorithms are broken
Security features are not designed correctly
Security features are not used correctly
Security components are not implemented correctly
Security components are not configured properly
Security is not managed properly
Threat environment may change and assumption invalid
Prerequisite of Security Technology Framework:
- Security requirements
- Security policies
- Security mechanisms
Prevention:
take measures that prevent
your assets from being
damaged.
Detection:
take measures so that you can
detect when, how, and by
whom an asset has been
damaged.
Reaction:
take measures so that you can
recover your assets or to
recover from a damage to
your assets.
Confidentiality:
prevent unauthorised disclosure of information
Integrity:
prevent unauthorised modification of information
Availability:
prevent unauthorised withholding of information
or resources
Authenticity:
“know whom you are talking to”
Accountability (nonrepudiation):
prove that an entity was involved in some event
Anonymity ensures that a
a user may use a resource or service without disclosing the user’s identity.
Anonymity requires that other users or subjects are unable to determine the identity of a user
bound to a subject or operation.
Unlinkability ensures that a
user may make multiple uses of resources or services without others
being able to link these uses together. Unlinkability requires that users and/or subjects are unable
to determine whether the same user caused certain specific operations in the system.
confidentiality subgroups
Anonymity and unlinkability
reasons for confidentiality
1. One may want to hide not just secrets, but also their existence. 2. Traffic analysis, “meta-data”, can reveal sensitive information. 3. Anonymity and unlinkability; in general privacy-related properties
Data Integrity
The state that exists when computerized data is the same as that in the source document and has not been exposed to
accidental or malicious alteration or destruction.
Data Integrity Purposes n
Prevent unauthorised modification of
information (prevent unauthorised writing).
Detection (and correction) of intentional and
accidental modifications of transmitted data.
• Typically enforced via (cryptographic)
checksums and other coding
techniques.
Integrity is a prerequisite for many other security services;
• In operating systems, integrity of the bootstrap process (kernel, device drivers, system files) is critical to prevent
persistent viruses/malwares.
• Windows Vista and above allows only “signed drivers” to be installed.
AVAILABILITY
The property of being accessible and usable upon demand by an authorised entity
affected by Denial of Service DoS attacks
THE “SMURF” ATTACK
Attacker sends ICMP (Internet
Control Message Protocol) echo
requests to a broadcast address in
a network
Victim’s address spoofed as sender
address.
The echo request is distributed to
all nodes in the network
Each node replies with an echo to
the victim.
The victim is flooded with many
incoming messages.
Note the amplification: the
attacker sends one message, the
victim receives many
Accountability is the property that ensures that the actions of an entity can be
traced solely to this entity.
Accountability guarantees that all operations carried out by individuals, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).
• To be effective, one needs:
– Audit trails: eg, in the OS level, this could be system/authentication logs,
etc.
– A link between a user and a “user identity”, so the user can be held
accountable.
In distributed systems
cryptographic non-repudiation mechanisms can be used
to achieve accountability
\
Delegation is an important issue in accountability and non-repudiation
NON- REPUDIATION
Non-repudiation services provide
unforgeable evidence that a specific
action occurred
Non-repudiation of origin: protects
against a sender of data denying that
data was sent.
Non-repudiation of delivery: protects
against a receiver of data denying that
data was received.
Enforcement typically relies on publickey cryptographic techniques.
SECURITY AND RELIABILITY
To make software more reliable, it is tested against typical usage patterns:
– “It does not matter how many bugs there are, it matters how often they are triggered.”
• To make software more secure, it has to be tested against ‘untypical’ usage patterns (but there are typical
attack patterns).
Computer security deals with the
prevention and detection of unauthorized actions by users of a computer
system.
2. Computer security is concerned with the measures we can take to deal with intentional actions by parties
behaving in an unwelcome fashion.
FUNDAMENTAL DILEMMA OF SECURITY
Security unaware users have specific
security requirements but no
security expertise.
• A security unaware user will rely on standard
‘best practices’ solutions, which may not meet
his requirements.
• To provide the ‘right’ security solution to a
user requires the user to be ‘security aware’…
Design Decisions
I. What to focus the protection mechanism
on?
II. Where to place the security mechanism at?
III. Complexity (of security properties) vs
assurance
IV. Centralized vs decentralized security
control
V. Protection of the ‘layer below’
The man-machine scale for security mechanisms combines our first two design decisions
What to focus on?
Where to place at?
Specific
Complex
Focus on users
Generic
Simple
Focus on data
Data are a
representation of certain aspects of our
conceptual and real world.
The meanings we assign to data are called
information.
Information and data lie on the
two ends of the manmachine scale.
The distinction between data and information can be
subtle but causes some of the more difficult problems
in computer security.
Covert channel is a type of c
computer security attack that creates a capability to transfer information objects between processes
through channels “not intended for information transfer at all”, such as the service program’s effect on system load.
Covert channel elaborate
Controlling access to information may be elusive and need to be replaced by controlling access to data
But controlling data may
not always yields control
of information.
Covert channels:
response time or
memory usage may
signal information.
nference in statistical databases: combine statistical queries to get information on individual entries.
Side channel:
Side-channel attack is any attack based on information gained from the implementation of a system. For example,
timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of
information, which can be exploited to break the system.
Component-level security VS System-level security
Often, the location of a security mechanism on the
man-machine scale is related to its complexity.
• Generic mechanisms are simple, applications
clamour for feature-rich security functions
