Niss Chapter 2 Till Control of Access To Objects
3 Program Security

3.1 Secure Programs :

Protecting programs and data from outsiders was the aim of the last chapter, where we studied the controls and procedures that achieve it. A higher need is to protect programs from themselves. In this chapter we focus on the need for security at the program level and on how it is achieved; that is, we concentrate on building secure programs.

Programs are viewed differently by different communities, viz. users, developers and managers, and in the same way the definition of a secure program differs for each of them. For some, a secure program is one that is difficult to break into. For others, a secure program is one that runs free of errors for a considerable period under production, whereas there are some for whom a secure program is one that has not even a single fault. The definitions may differ, but a secure program is one that enforces the basic components of security: confidentiality, integrity and availability.

Various approaches are used to judge the security and quality of a program:

Number of faults discovered and fixed : Any program that has been checked and tested extensively for all types of faults before its release is bound to be more secure and of higher quality. There are complete guidelines and procedures for testing a program thoroughly so that faults and errors can be fixed. The more faults that are discovered and fixed at an early stage, the lower the probability of their appearing at a later stage and making the program insecure. But this approach has various drawbacks which, rather than making programs more secure, lead to the introduction of new faults:
• The pressure of fixing a particular fault concentrates all the effort on fixing just that fault and not its root cause.
• Fixing a fault often introduces new faults at another location, and these are not immediately detected.
• A fault may be left unfixed because fixing it would degrade the system's performance or functionality.
Detecting Program Security Flaws :

A program is examined and observed to see whether it behaves exactly in the way its designers intended and its users expected. Any deviation of a program's behaviour from what is expected of it is a program security flaw. A security flaw need not be just an error or a fault; it can be a vulnerability that leads to the injection of faults at a later stage. Security flaws are not easy to detect; they need a thorough inside-out checking of the program. There are two reasons why this approach cannot be of much help:
1. Programming techniques evolve and change much faster than computer security techniques do, so while security experts are still patching old security flaws, newer ones may already have been discovered.
2. It is not possible to check a program exhaustively for every possible flaw. Experienced attackers will, one way or another, find a way to implant malicious code in a program without being detected.

Types of program flaws :

Flaws in a program can be either intentional or unintentional. Intentional ones are deliberately injected into programs and can be malicious or non-malicious, whereas unintentional program flaws occur out of negligence or ignorance. Unintentional program flaws can be validation errors, logic errors, inadequate identification and authentication, violation of boundary conditions, domain errors, serialization and aliasing.

3.2 Nonmalicious Program Errors :

"To err is human", and software developers are no exception. Over the complete process of development, programmers make a number of mistakes in its various phases. These mistakes are usually unintentional and nonmalicious. They can lead to malfunctioning of programs but usually do not compromise the security of a program. Still, there are a few of them that can amount to a serious security breach.
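The first of the three error types discussed below, the buffer overflow, is shown here in runnable form as an added C example; it is not code from the original text. It uses the ten-byte array test[] of Fig. 3.2.1, placed in a struct next to a second field so that the effect of writing past test[9] becomes visible. The struct layout, the role field and the input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text. The ten-byte buffer of
 * Fig. 3.2.1 sits in a struct next to a second field so that a write past
 * test[9] has a visible effect. The layout (members in declaration order,
 * no padding between char arrays) and the "role" field are constructed
 * for the demonstration. */
struct order_record {
    char test[10];   /* the buffer of Fig. 3.2.1, addressed test[0]..test[9] */
    char role[6];    /* adjacent data the program trusts: "user" or "admin" */
};

/* Faulty form: the loop of 3.2.1 with the index driven by the input's
 * length instead of the buffer's. C performs no subscript check, so bytes
 * 10, 11, ... land in whatever follows the buffer. Kept out of line so the
 * overwrite stays observable when the compiler optimizes. */
__attribute__((noinline))
void fill_unchecked(struct order_record *rec, const char *input)
{
    size_t i;
    for (i = 0; input[i] != '\0'; i++)
        rec->test[i] = input[i];      /* no comparison with sizeof rec->test */
}

/* Corrected form: measure first, refuse what does not fit. Returns 0 on
 * success and -1 (writing nothing) if the input is longer than the buffer. */
int fill_checked(struct order_record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len > sizeof rec->test)
        return -1;
    memcpy(rec->test, input, len);
    memset(rec->test + len, '\0', sizeof rec->test - len);
    return 0;
}

/* Helpers for a demonstration run: each starts from role = "user", copies
 * `input` with one of the two routines, and reports 1 if role is still
 * "user" afterwards, 0 if the copy clobbered it. */
int role_intact_after_unchecked(const char *input)
{
    struct order_record rec;
    memset(&rec, 0, sizeof rec);
    strcpy(rec.role, "user");
    fill_unchecked(&rec, input);
    return strcmp(rec.role, "user") == 0;
}

int role_intact_after_checked(const char *input)
{
    struct order_record rec;
    memset(&rec, 0, sizeof rec);
    strcpy(rec.role, "user");
    (void)fill_checked(&rec, input);   /* -1 for oversized input, nothing written */
    return strcmp(rec.role, "user") == 0;
}

int main(void)
{
    /* Constructed input: ten bytes that fill test[] exactly, then five more
     * that land in role[] when nothing stops them. */
    const char *oversized = "XXXXXXXXXXadmin";
    printf("unchecked copy, role still \"user\": %d\n", role_intact_after_unchecked(oversized));
    printf("checked copy,   role still \"user\": %d\n", role_intact_after_checked(oversized));
    return 0;
}
```

With a fifteen-byte input the unchecked copy turns role from "user" into "admin" without any error being reported, which is the point of the section that follows: nothing in the language stops the eleventh byte. The checked copy measures the input against the buffer's declared size and refuses it, leaving role untouched.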
Three such types of error are discussed below.

3.2.1 Buffer Overflows :

A buffer overflow in computing is a problem similar to one in the real world where we try to pour two litres of water into a one-litre bottle: the water overflows the bottle and spills out. In a computing environment a buffer is memory allocated to store some data. A buffer's capacity is finite, and its maximum size is declared by the programmer in the program. Let us see an example:

    char test[10];

This declaration in the C language sets aside ten bytes of memory that can be addressed as test[0] to test[9], as shown in Fig. 3.2.1.

Fig. 3.2.1 : Buffer memory allocation (ten bytes of memory, test[0] to test[9])

Now, a reference such as test[10] = 'x' names an eleventh byte that the buffer does not have. C does not check subscripts at run time, so the statement is accepted (a compiler may at most warn) and the write lands in whatever memory follows the buffer. This is a buffer overflow condition: we are using a buffer address that does not exist. The following example makes it clearer; the loop fills test[0] to test[9] and the final assignment writes one byte beyond the buffer:

    char test[10];
    int i;
    for (i = 0; i <= 9; i++)
        test[i] = 'X';
    test[10] = 'Y';   /* writes past the end of the buffer */

3.2.2 Incomplete Mediation :

Buffer overflows pose the threat of excessive data that can create havoc. Incomplete mediation is a similar type of attack where, rather than sending overflowing data, the attacker sends invalid data that the server interprets as valid, leading to miscalculations and wrong results.

Suppose that in a web application the programmer has applied all types of validation controls to check that the entered data is of a valid type and within an acceptable range. If the data is then submitted using a postback or a return URL, the whole purpose is lost, because an attacker can put invalid data in the return URL, with serious security implications. Let us take an example which makes the seriousness of this threat clearer.

An online shopping website allows consumers to select an item number and a quantity on an order page.
Hitting the order button registers the order in the database and creates a bill that is sent to the customer with the goods. For one such order the return URL looks something like this:

    http://www.onlineshop.com/buy/order&CustID=420&Itemnumber=120&Price=10&quantity=100&ordernumber=100&total=1000

This says that for order number 100, customer ID 420 has ordered a quantity of 100 of item number 120 at a price of Rs. 10, which amounts to a total of Rs. 1000. Now an attacker takes advantage of the return URL and changes the total of Rs. 1000 to Rs. 10. If the program is not written to handle this, simply entering the altered URL in the address bar works, duping the company of a large amount. The validation that matters is the one the server performs on the data it actually acts upon: a total recomputed on the server from its own price list and the ordered quantity cannot be changed from the address bar, whereas a total taken from the URL can.

3.2.3 Time-of-Check to Time-of-Use Errors :

This type of program error uses the incomplete mediation discussed in the last section to pose a serious security flaw. It involves time-based synchronization. For increased efficiency, modern processors and operating systems often change the order in which instructions and procedures are executed; for example, all the checking routines that require access to a database are executed first, and then all the checked and verified routines are used. The procedures that execute between the time of checking and the time of use can be turned to an attacker's advantage: by changing a procedure in this time frame, any desired operation can be carried out.

Consider this example. Suppose a user A wants to read a file X, using a "service ticket", a data structure that holds the request. A service ticket looks like Fig. 3.2.5:

Fig. 3.2.5 : Service ticket
    User    Access
    A       Read X

Now the access control mediator checks the access control lists to decide whether the access should be allowed. Let the mediator check this at time T1 and allow the access by placing the service ticket among the allowed requests.
The ticket is actually used at time T2, which is after T1. Using incomplete mediation, the attacker changes the service ticket between T1 and T2, as shown in Fig. 3.2.6:

Fig. 3.2.6 : Modified service ticket
    User    Access
    A       Delete Y

Since this service ticket lies among the allowed requests, the delete is carried out at time T2, and the attack is complete. The mediator checked one request and the system used another. The defence is to leave no gap between check and use: the mediator should check a copy of the request that the requester can no longer alter, and the system should act only on that copy.

3.3 Viruses and Other Malicious Code :

Programs themselves are seldom security threats; a program on its own does nothing until it is executed. Programs usually operate on data and cause changes only when something triggers them. Malicious code, for instance, may lie dormant until a file grows beyond a pre-defined size or some other event triggers it, and then proceed to cause destruction and havoc. Malicious code is a major cause of worry because one never knows how it gets triggered, what harm it can cause and how to control it. Besides, malicious code can usually spread by itself and can cause much harm. Malicious code has been classified into three types:

• Viruses : A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc, typically without the user's knowledge or permission. An e-mail virus moves around in e-mail messages and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.

• Worms : A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using that security hole and then starts replicating from there as well.

• Trojan horses : A Trojan horse is simply a computer program.
The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may format your hard disk). Trojan horses have no way to replicate automatically.

3.3.1 Viruses :

Computer viruses are mysterious and grab our attention. On the one hand, viruses show us how vulnerable we are: a properly engineered virus can have an amazing effect on the worldwide Internet. On the other hand, they show how sophisticated and interconnected human beings have become.

Types of viruses :

Boot viruses place some of their code in the disk sector whose code the machine automatically executes when booting. Thus, when an infected machine boots, the virus loads and runs. After the virus code has finished loading, it usually loads the original boot code, which it had previously moved to another location, or takes other measures to ensure that the machine appears to boot normally.

File viruses attach to program files, the files containing executable or interpretable code, in such a way that when you run the infected program the virus code executes. Usually the virus code is added in such a way that it executes first, although this is not strictly necessary. After the virus code has finished loading and executing, it normally loads and executes the original program it has infected, or calls the function it intercepted, so as not to arouse the user's suspicion.

Macro viruses are really just a type of file virus, but a particularly successful type. They copy their macros to templates and/or other application document files. Although 'auto macros' were used almost exclusively by early macro viruses (often to ensure that the virus code is the first to execute when an infected template or document is opened), several other mechanisms are also available; in fact some of these, such as taking over standard internal functions of the host application (say the 'File Save' command) and installing default event handlers, are probably more commonly used these days.
Script viruses also became quite successful around the beginning of this century. This was mainly due to the increase in machines running Windows Scripting Host, which was first installed by default in Windows 98 and 2000 and with Internet Explorer 5.0 and later versions. Representing a new type of 'program file', but with icons more like those of 'safe' text files, standalone Visual Basic Script (VBS) and JavaScript (JS) programs became a popular target for the writers of mass-mailing viruses.

Companion viruses take advantage of features of the operating system to get executed, rather than directly infecting programs or boot sectors. Under DOS and Windows, when you execute the command 'ABC', the rule is that ABC.COM executes before ABC.EXE in the rare cases where both files exist. Thus a companion virus can place its code in a COM file whose first name matches that of an existing EXE file. This is the 'execution preference companion' method, but several other forms of companion infection are also possible.

Example of a Virus : Melissa and ILOVEYOU

Melissa, a virus that came in March 1999, was spectacular. It spread in Microsoft Word documents sent via e-mail, and it worked like this. Someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who downloaded the document and opened it would trigger the virus. The virus would then send the document (and therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail contained a friendly note that included the person's name, so the recipient would open the document thinking it was harmless. The virus would then create 50 new messages from the recipient's machine. As a result, the Melissa virus was the fastest-spreading virus seen up to that time.

The Melissa virus took advantage of the programming language built into Microsoft Word called VBA, or Visual Basic for Applications. It is a complete
programming language and it can be programmed to do things like modify files and send e-mail messages. It also has a useful but dangerous auto-execute feature: a programmer can insert a program into a document that runs instantly whenever the document is opened. This is how the Melissa virus was programmed. Anyone who opened a document infected with Melissa would immediately activate the virus. It would send the 50 e-mails and then infect a central file called NORMAL.DOT, so that any file saved later would also contain the virus. It created a huge mess.

The ILOVEYOU virus that appeared on May 4, 2000 was even simpler. It came as a piece of code in an attachment. People who double-clicked on the attachment allowed the code to execute. The code sent copies of itself to everyone in the victim's address book and then started corrupting files on the victim's machine. This is as simple as a virus can get. ILOVEYOU was human-powered: if a person double-clicked on the program that came as an attachment, the program ran and did its thing. What fuelled this virus was the human willingness to double-click on the executable.

3.3.2 Worms :

A computer worm is an application that can replicate itself via a permanent or dial-up network connection. Unlike a virus, which seeds itself within the computer's hard disk or file system, a worm is a self-supporting program. A typical worm maintains only a functional copy of itself in active memory; it need not even write itself to disk.

There are actually two different types of computer worm. The first operates on only a single computer, just like a typical application. Such a worm uses the system's network connection only as a communication channel in order to replicate itself to additional systems or to relay information. Depending on the worm's design, it may or may not leave a copy of itself running on the initial system once it has replicated to a new host.
The second type of computer worm actually uses the network connection as a central system, so that it may have different segments of its code running on multiple systems.

Example of a Worm : Code Red

A worm called Code Red made huge headlines in 2001. Experts predicted that this worm could clog the Internet so effectively that things would completely grind to a halt. The Code Red worm did slow down Internet traffic when it began to replicate itself, but not nearly as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the Microsoft security patch installed. Each time it found an unsecured server, the worm copied itself to that server. The new copy then scanned for other servers to infect. Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies. The Code Red worm was designed to do three things:
• Replicate itself for the first 20 days of each month
• Replace web pages on infected servers with a page declaring that the server had been hacked
• Launch a concerted attack on the White House web server in an attempt to overwhelm it

The most common version of Code Red is a variation, typically referred to as a mutated strain, of the original Ida Code Red that replicated itself on July 19, 2001. Upon successful infection the worm would wait for the appointed hour and connect to the www.whitehouse.gov domain. This attack consisted of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91). The U.S.
government changed the IP address of www.whitehouse.gov to circumvent that particular threat from the worm, and issued a general warning about the worm advising users of Windows NT or Windows 2000 web servers to make sure they had installed the security patch.

3.3.3 Trojan Horse :

A Trojan horse, as the name implies, is an application which contains a nasty surprise. This is a process or function, specifically added by the Trojan horse's programmer, that performs an activity of which the user is unaware and which the user would probably not approve. The visible application may or may not do anything that is actually useful; the hidden application is what makes the program a Trojan horse. Trojan horses differ from viruses in that they do not replicate or attach themselves to other files. A Trojan is a stand-alone application that had its bomb included from the original source code; it did not become malicious through the effects of another application.

The working of a Trojan horse program is more or less like that of the actual Trojan horse which the Greeks used to enter Troy. A Trojan horse has a client part and a server part. The server code is implanted in some way on the victim's machine. Whenever the system boots, this server code is automatically executed on the victim's machine, and its execution opens a port, at a pre-specified port number, on that machine. The client module of the Trojan horse is used to connect to the victim's machine on this port number using its IP address. Once the connection is made, the client module can be used to perform any action remotely on the victim's machine. This includes reading and modifying files, rebooting the system, switching off the display, executing programs, locking the keyboard and a lot more.
One popular Trojan horse that is really dangerous is SubSeven, which has been used by thousands of attackers across the globe to fool around with network users.

3.3.4 Protection from Malicious Code :

Protection from malicious code is possible in many ways, but creating awareness among users is the best protection. Users should make sure that they take viruses seriously and do not let them do harm in any way. This can be done by taking care of everything mentioned here.

• Use effective virus scanners that can read all types of files for the various virus signatures or patterns. Just installing antivirus software is not sufficient; the virus scanning software should be updated regularly. This ensures that the virus scanner protects against the newer threats that keep appearing on a daily basis.
• Use only licensed software that comes from a reliable source. Pirated software involves repeated and continuous distribution from one source to another before reaching the end user. A virus can be introduced at any of these intermediate sources and then keeps on spreading with the pirated copies of the software.
• Only e-mails and attachments coming from reliable sources should be opened. As far as possible, files of extension types EXE, COM, VBS etc. arriving as attachments should not be opened.
• If possible, new software coming from non-reliable sources should first be installed and tested on an isolated system.
• Backup copies of important documents and executable files, as well as a recoverable system image, should be maintained and stored with a proper version number and creation date.
3.3.5 Some facts about Viruses :

Various facts about viruses are:
• Viruses can infect and modify hidden as well as read-only files.
• A virus can stay in memory only until the contents of memory are flushed. A complete power-off flushes all the contents of main memory, and formatting the secondary storage can help in getting rid of a virus.

Some misconceptions about viruses are:
• Viruses can infect only systems running Microsoft Windows. Viruses are designed and written so as to affect a large number of users. Since Windows is the most widely used operating system these days, most viruses are written to target systems running it, but it is equally possible to have viruses affecting UNIX, Linux and Macintosh systems.
• Viruses can infect only data and program files. It is thought that only data files like Word documents, and executable files, can be affected by a virus. This is completely false: a virus can affect virtually any type of file, and be just as potent a threat there as in Word documents and executables.
• Viruses can spread only through e-mail or disks. Again, though a virus needs a host program to attach to, that does not mean it can spread only through e-mail or disks. A virus can spread through any medium by which files can be transferred or exchanged, like networks, the Internet etc. Worms, moreover, do not need any host program to spread.

3.4 Targeted Malicious Code :

The malicious code we were discussing in the last section is written with no one specific in mind; it could affect any user or any machine. We also have targeted malicious code, written to target a specific system, application or user.
Various kinds of targeted malicious code are:

3.4.1 Trapdoors :

When developing large applications and computer operating systems, programmers insert debugging aids that provide breaks in the code for the insertion of additional code and for intermediate output, much as scaffolding and temporary braces are used in building construction. Computer operating systems are designed to prevent unintended access to them and the insertion or modification of code. Consequently, programmers will sometimes insert code that allows them to bypass these requirements during the debugging phase of program development and later during system maintenance and improvement.

Programmers often have unexecuted, redundant or incomplete instructions and unused data or parameters in their program code. These facilities are referred to as trapdoors, and they can be used for Trojan horse and direct attacks such as false data entry. Normally, trapdoors are eliminated in the final editing, but sometimes they are overlooked or intentionally left in to facilitate future access and modification. In addition, some unscrupulous programmers introduce trapdoors for the later compromising of computer programs. Designers or maintainers of large complex programs may also introduce trapdoors inadvertently through weaknesses in design logic.

During the use and maintenance of computer programs and computer circuitry, ingenious programmers invariably discover some of these weaknesses and take advantage of them for useful and innocuous purposes. However, the trapdoors may be used for unauthorized, malicious purposes as well. Functions that computer programs and computers can perform but that are not in the specifications are often referred to as negative specifications. Designers and implementers struggle to make programs and computers function according to specifications and to prove that they do.
They cannot practicably prove that a computer system conforms to negative specifications, that is, that it does not perform functions it is not supposed to perform. The best-known examples of trapdoors are what are popularly called game cracks: trapdoors inserted by programmers in games to skip stages and test the program, which are discovered by gamers around the world and soon become popular under that name.

3.4.2 Salami Attacks :

An automated form of abuse that secretly executes an unauthorized program causing the unnoticed or immaterial debiting of small amounts of assets from a large number of sources or accounts is identified as a salami attack: taking small slices without noticeably reducing the whole. Other methods must then be used to remove the acquired assets from the system. For example, in a banking system the demand-deposit accounting programs for savings accounts could be changed, using a Trojan horse or some other method, to randomly reduce each of a few hundred accounts by 10 paise or 15 paise, transferring the money to a favoured account from which it can be withdrawn through authorized, normal methods. No controls are violated, because the money is not removed from the system of accounts; instead, small fractions of the funds are merely rearranged. The success of the fraud rests on the idea that each savings account customer loses so little that it is of little consequence or goes unnoticed.

Many variations are possible. The assets may be an inventory of products or services as well as money. Salami attacks are usually not fully discoverable within obtainable expenditures for investigation; victims have usually lost so little individually that they are unwilling to expend much effort on solving the case.
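The slicing routine, and the search over balancing halves of the accounts that the next paragraph mentions, as an added C example that is not part of the original text. The ledger, its opening balances, the pseudo-random choice of victim accounts and the 10- or 15-paise slice sizes are constructed for the demonstration; balances are kept in paise as integers, as money code should be.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text. A constructed ledger of
 * savings accounts in paise, a slicing routine that moves 10 or 15 paise
 * from pseudo-randomly chosen accounts to a favoured account, and the
 * balancing-halves search run against a snapshot taken before the run. */

#define NACCOUNTS 64
#define FAVOURED  0                     /* the attacker's account: receives every slice */
typedef int64_t paise_t;

/* Deterministic generator so the run is reproducible (an assumption of the
 * example, not of the text). */
static uint32_t lcg_next(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return *s >> 8;
}

static void open_accounts(paise_t bal[], int n)
{
    for (int i = 0; i < n; i++)
        bal[i] = 100000 + 1000 * (paise_t)i;   /* constructed opening balances */
}

/* The salami routine: `victims` slices of 10 or 15 paise each, credited to
 * FAVOURED. Returns the amount diverted; the ledger total never changes. */
paise_t salami_run(paise_t bal[], int n, int victims, uint32_t seed)
{
    paise_t diverted = 0;
    for (int k = 0; k < victims; k++) {
        int idx = 1 + (int)(lcg_next(&seed) % (uint32_t)(n - 1)); /* never FAVOURED */
        paise_t slice = (lcg_next(&seed) & 1u) ? 15 : 10;
        bal[idx] -= slice;
        bal[FAVOURED] += slice;
        diverted += slice;
    }
    return diverted;
}

paise_t ledger_total(const paise_t bal[], int n)
{
    paise_t t = 0;
    for (int i = 0; i < n; i++) t += bal[i];
    return t;
}

static int half_balances(const paise_t exp[], const paise_t act[], int lo, int hi)
{
    paise_t e = 0, a = 0;
    for (int i = lo; i < hi; i++) { e += exp[i]; a += act[i]; }
    return e == a;
}

/* Balancing-halves search over [lo,hi): descend only into halves whose
 * totals disagree with the snapshot. Writes offending indices to out[] and
 * returns how many it found. The top-level call splits without testing the
 * whole ledger, which balances by design of the fraud. */
int find_tampered(const paise_t exp[], const paise_t act[], int lo, int hi, int out[], int max_out)
{
    if (hi - lo == 1) {
        if (exp[lo] == act[lo] || max_out <= 0) return 0;
        out[0] = lo;
        return 1;
    }
    int mid = lo + (hi - lo) / 2, found = 0;
    if (!half_balances(exp, act, lo, mid))
        found += find_tampered(exp, act, lo, mid, out + found, max_out - found);
    if (!half_balances(exp, act, mid, hi))
        found += find_tampered(exp, act, mid, hi, out + found, max_out - found);
    return found;
}

/* Straight comparison with the snapshot, used to check the search. */
int count_tampered_linear(const paise_t exp[], const paise_t act[], int n)
{
    int c = 0;
    for (int i = 0; i < n; i++) c += (exp[i] != act[i]);
    return c;
}

/* 1 if the balancing-halves search finds exactly the accounts that differ
 * from the snapshot (the favoured account and every victim), else 0. */
int bisection_matches_linear(int victims, uint32_t seed)
{
    paise_t before[NACCOUNTS], after[NACCOUNTS];
    int hits[NACCOUNTS];
    open_accounts(before, NACCOUNTS);
    memcpy(after, before, sizeof before);
    salami_run(after, NACCOUNTS, victims, seed);
    int n = find_tampered(before, after, 0, NACCOUNTS, hits, NACCOUNTS);
    if (n != count_tampered_linear(before, after, NACCOUNTS)) return 0;
    for (int i = 0; i < n; i++)
        if (before[hits[i]] == after[hits[i]]) return 0;
    return 1;
}

/* 1 if the ledger total is the same after the run as before it. */
int ledger_total_preserved(int victims, uint32_t seed)
{
    paise_t bal[NACCOUNTS];
    open_accounts(bal, NACCOUNTS);
    paise_t t0 = ledger_total(bal, NACCOUNTS);
    salami_run(bal, NACCOUNTS, victims, seed);
    return ledger_total(bal, NACCOUNTS) == t0;
}

paise_t diverted_amount(int victims, uint32_t seed)
{
    paise_t bal[NACCOUNTS];
    open_accounts(bal, NACCOUNTS);
    return salami_run(bal, NACCOUNTS, victims, seed);
}

int main(void)
{
    printf("ledger still balances after the run: %d\n", ledger_total_preserved(50, 7));
    printf("diverted to the favoured account: %lld paise\n", (long long)diverted_amount(50, 7));
    printf("search finds every touched account: %d\n", bisection_matches_linear(50, 7));
    return 0;
}
```

Two things are worth noticing. The whole ledger balances, which is exactly why the fraud violates no control, so the search has to start from the two halves rather than from the total. And a half that contains the favoured account balances only if every victim is in that same half, so the search can miss a perpetrator whose victims all sit near the favoured account; it is costly because every unbalanced half has to be descended, not just one.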
Specialized detection routines can be built into the suspect program, or snapshot storage dump listings can be obtained at crucial times in suspected production runs of the program. If the salami acts take identifiable amounts, these can be traced, but a clever perpetrator will randomly vary the amounts or the accounts debited and credited. Using an iterative binary search of balancing halves of all accounts is another, costly, way to isolate an offending account.

3.4.3 Covert Channels :

A covert channel is a mechanism whereby information may be transferred in a surreptitious manner. A Trojan horse routine within a program that has certain access rights can use a covert channel to communicate data to another program, or to an area of the same program, that does not possess those rights. Although generally more applicable to multi-user or multi-tasking systems, where different levels of data sensitivity may be processed simultaneously, covert channels must also be considered in single-user applications. In order to be classed as covert, the communication mechanism should not be apparent to the user. So program A passing data to program B by using a file called 'secrets for B' within the user's directory would not count. However, a program which changed the access times of all the user's files in a coded fashion that could be read by program B at a later stage would be considered to be using a covert channel. The possibility of covert channels should be considered during both the design and the testing of secure software. There are a large number of mechanisms whereby covert channels may be exploited. Some of these do not involve 'Trojan horse' modifications to the software; they simply exploit accidental 'leakage' of information.
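The access-time channel described above, as an added C example that is not part of the original text: program A (covert_send) writes a message into the access times of files in a directory both programs can see, and program B (covert_receive) reads it back from the file metadata alone. The directory (/tmp), the file-name prefix and the parity encoding are assumptions of the example; it uses only the standard utime() and stat() calls.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utime.h>
#include <sys/stat.h>

/* Added example, not from the original text. Program A (covert_send) leaks
 * bytes to program B (covert_receive) through the access times of files in
 * a directory both can see; the files' contents never change. The directory
 * (/tmp), the file-name prefix and the parity encoding are assumptions of
 * the example. */

#define MAX_BITS 64                          /* channel capacity for the demo */
#define PREFIX   "/tmp/covert_demo_bit"

static void bit_path(char *buf, size_t n, size_t bit)
{
    snprintf(buf, n, "%s%02zu", PREFIX, bit);
}

/* Sender: one empty file per bit, access time = BASE + bit, so an even
 * access time encodes 0 and an odd one encodes 1. BASE is an arbitrary even
 * timestamp fixed in the past. Returns the number of bits sent, -1 on error. */
int covert_send(const unsigned char *msg, size_t len)
{
    const time_t BASE = 1000000000;          /* 2001-09-09 01:46:40 UTC */
    size_t nbits = len * 8;
    if (nbits > MAX_BITS) return -1;
    for (size_t b = 0; b < nbits; b++) {
        char path[64];
        bit_path(path, sizeof path, b);
        FILE *f = fopen(path, "w");          /* the file itself stays empty */
        if (f == NULL) return -1;
        fclose(f);
        int bit = (msg[b / 8] >> (7 - b % 8)) & 1;
        struct utimbuf t = { .actime = BASE + bit, .modtime = BASE };
        if (utime(path, &t) != 0) return -1;
    }
    return (int)nbits;
}

/* Receiver: rebuilds the message from the parity of each access time.
 * Returns the number of bytes decoded, -1 on error. */
int covert_receive(unsigned char *out, size_t len)
{
    size_t nbits = len * 8;
    if (nbits > MAX_BITS) return -1;
    memset(out, 0, len);
    for (size_t b = 0; b < nbits; b++) {
        char path[64];
        struct stat st;
        bit_path(path, sizeof path, b);
        if (stat(path, &st) != 0) return -1;
        if (st.st_atime & 1)
            out[b / 8] |= (unsigned char)(1u << (7 - b % 8));
    }
    return (int)len;
}

/* Removes the files so nothing is left behind. */
void covert_cleanup(size_t len)
{
    for (size_t b = 0; b < len * 8; b++) {
        char path[64];
        bit_path(path, sizeof path, b);
        remove(path);
    }
}

/* Round trip: 1 if `msg` survives the channel intact, 0 otherwise. */
int covert_roundtrip_ok(const char *msg)
{
    size_t len = strlen(msg);
    unsigned char got[MAX_BITS / 8];
    if (len * 8 > MAX_BITS) return 0;
    if (covert_send((const unsigned char *)msg, len) < 0) return 0;
    int ok = covert_receive(got, len) == (int)len && memcmp(got, msg, len) == 0;
    covert_cleanup(len);
    return ok;
}

int main(void)
{
    printf("message passed through file access times: %d\n", covert_roundtrip_ok("secret"));
    return 0;
}
```

No file content is written, and a reviewer looking for data passing between the two programs sees only empty files. What does stand out on an audit is the metadata: every file was "last accessed" at the same moment in 2001, before it was created, which is the kind of leakage a covert-channel analysis of the design is meant to look for.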
Where secure application software is being written to run on a standard operating system, the designer may need a very detailed knowledge of the internals of the operating system in order to analyse the possibilities for covert channels.

3.5 Controls against Program Threats :

The program threats studied in the last few sections seem to paint a picture of the computing world as totally insecure and unsafe. That is not the case: by putting developmental, operating system and administrative controls in place we can build far safer and more secure programs.

3.5.1 Developmental Controls :

The best approach to building secure programs is to start building them secure right from development. A Software Development Life Cycle (SDLC) is divided into analysis, design, coding, testing and maintenance phases. By checking and implementing security controls in each phase, our objective can be well taken care of. Various controls in the Software Development Life Cycle that help are:
• Modularity, encapsulation and information hiding : Implementing these popular object-oriented features of programming languages helps in building secure programs.
• Reviews : Reviews, code walk-throughs and inspections at various stages of the SDLC by security experts can help to a great extent.
• Testing : Unit testing, integration testing, system testing, user acceptance testing and performance testing help in discovering errors and faults that may occur in a real-world situation when the programs are in production.
• Follow good practices : Every programming language has some good practices defined, whether provided by the organization, the client or the vendor. These practices should be followed to the maximum extent possible, since they are written by experts after years of exposure to the issues that concern that programming language.
3.5.2 Operating System Controls :

Some controls can be provided at the operating system level so that programs run error-free and without compromising security. Operating system controls are discussed in detail in the next chapter. Still, the ones that should be ensured are:
• Use trusted software : Trusted software is software whose code and working have been rigorously developed, analysed and tested. Using trusted software from reputed vendors can resolve a number of security issues.
• Confinement : An operating system can confine a suspected program by limiting the system resources it can access.
• Maintaining and reviewing audit logs : Network-based operating systems maintain audit logs of any kind of exception, security or software error, failure etc. associated with each program; these can be reviewed and studied by the system administrator to check for malicious programs.

3.5.3 Administrative Controls :

Administrative controls are the ones imposed by management and administrators. Rather than being actual physical controls, these are policies and practices followed to create a secure environment. Administrative controls are discussed in chapter 7. Various administrative controls that can be imposed on programs are:
• Security policies : Security policies laid down by management are applied while using any program.
• Roles : Who in the organization will do what should be well defined, with no conflicts.

4 Operating System Security

Protected Objects and Methods of Protection, File Protection Mechanisms, Authentication, Biometrics

For a system to be completely secure, providing security at the application level alone is not sufficient. Any attacker who knows the ins and outs of the hardware and of the operating system running on it can play with the system without being detected or prevented at the application level. Operating systems provide different types of access to different objects by different users.
So the security of the system should be taken care of at the system level itself, by the operating system architects. The need for security at the operating system level increased as operating systems moved from single-user systems to multi-user systems supporting multiprogramming and multitasking, such as Unix and Windows 2000, and a requirement arose to protect one user's objects from other users. The operating system achieves this through memory protection, file protection, general control of access to objects and user authentication.

Protected Objects and Methods of Protection :

There are various objects in the operating system that need to be protected to keep the system secure. These include :

• Memory
• Shared devices such as disks and printers
• Sharable programs and procedures
• Networks
• User-specific data
• System data

The operating system keeps the system secure by separating one user's objects from those of other users. This separation is done in various ways :

• Physical separation : Different processes use different physical objects, e.g. different processes are stored on different physical disks, which different users access with different access rights.

• Temporal separation : Different processes are executed at different times, e.g. two processes that write the same data are never executed at the same time, which avoids inconsistency.

• Logical separation : Users do not realize that other processes are executing simultaneously; the operating system ensures that no process executes in a way that leaves the system insecure.

• Cryptographic separation : Process data is encrypted so that no other process can read or understand it.
Separation is quite easy and effective to implement, but it leads to poor resource utilization. Besides separating objects there is sometimes a need to share the same object, such as a common function; the operating system takes care of this at various levels : no protection, isolating objects, share all or share nothing, share via permission rights, share by capabilities, and limited use of an object.

Access can be controlled at various granularities : bit, byte, word, field, record, file, volume or even a whole disk. It is easier to implement and control access to larger objects.

Memory and Address Protection :

One major challenge in a multiprogramming environment is to protect the memory used by one program from being affected by other programs. Various ways in which memory protection is provided are :

Fence :

Fencing is the simplest form of memory protection and was first used in single-user operating systems. A fence divides main memory into two blocks : one block is used by the operating system and can never be overwritten by user programs, the other is used by the user programs. Fencing is not a very efficient protection technique, because whatever part of the operating system's block is not in use is wasted when it could have been used by user programs, and when the operating system needs more memory, space cannot be allocated to it outside its own block. Fencing also protects in one direction only : the operating system is protected from user programs, but one user program cannot be protected from another.

Fig. 4.2.1 : Fencing (memory from address 0 : operating system block, then the fence, then the user programs)

Relocation :

With the increasing need for program portability across operating systems and hardware platforms, it has become very difficult for programmers to write programs with absolute addresses.
So relocation is used : a program is assumed to start at address 0. Depending on the free memory available in main memory, an absolute starting address is assigned to the program, and from then on all addresses in the program are changed to absolute physical addresses. A relocation register is used for this : its value is added to every virtual address generated by a user process at the time the address is sent to memory, to obtain the absolute physical address.

Fig. 4.2.2 : Relocation

Base / Bounds register :

The relocation register discussed above is also referred to as the base register, since it stores the starting address. To make the implementation more secure, a bounds register is used as well. The bounds register stores the upper address limit, the maximum address a user program may use. It can be used to calculate the maximum space available to the program and to check that a user program does not exceed the memory allocated to it and enter a restricted area. This is very useful in a multi-user environment, where one user's programs need to be protected from other users. For the protection to hold, the comparison must be made on every memory reference, and the two registers must be loadable only by the operating system.

Fig. 4.2.3 : Base/Bound register

Tagged architecture :

Using base/bounds registers is still not a very efficient technique, since it requires contiguous memory allocation; without it a program cannot be executed. It is also quite possible that only some data values in main memory need protecting while the rest may be freely read or written. For example, in a bank account record we need to protect only the account number and the current balance, but not other fields such as the transaction details. In such a situation base/bounds registers are quite inefficient, since they create an all-or-nothing situation : either all of a program's data is accessible or none of it is.

A tagged architecture is the solution to this kind of requirement : every word of memory carries the kind of access permitted on that word, held in one or more extra bits stored with the word. When a memory word is first used by the program the access rights are set on it, and from then on the access bits are checked every time an instruction references that location.

Tag | Memory word
R   | 0001
N   | 0120
N   | 0370
RW  | 1000
X   | 1250
X   | 1359
R   | 1599

N : no access, R : read only, RW : read/write, X : execute only

Using this technique each memory word can be protected in a different way, and a word can be used by subsequent programs if the access is allowed. This makes the protection very fine-grained, but it raises the hardware overhead of the extra bits that must accompany every memory word.

Paging :

Paging is another memory-management scheme, one that permits the physical address space of a process to be non-contiguous. In paging, physical memory is broken into fixed-size blocks called page frames, and logical memory (the user program) is broken into blocks of the same size called pages. When a process is to be executed, its pages are loaded into any available page frames. Every address generated in the paging scheme is divided into two parts : a page number (p) and a page offset (d). The page number is used as an index into a page table, which contains the base address of each page in physical memory. This base address is combined with the page offset to define the physical memory address that is sent to the memory unit. The size of a page is typically a power of 2, varying between 512 bytes and 16 MB depending on the computer architecture.
Choosing a power of 2 as the page size makes translating a logical address into a page number and page offset particularly easy : the offset is the low-order bits of the address and the page number is the remaining high-order bits.

Fig. 4.2.4 : Page address translation (logical address = page number and page offset; the page table maps the page number to a page frame number in physical memory)

Memory protection in a paged environment is accomplished by protection bits associated with each page frame, usually kept in the page table. One bit can define a page as read-write or read-only. Each reference to memory goes through the page table to find the corresponding page frame number, and at the same time the protection bits are checked to verify that no access violation is being made.

Segmentation :

In the segmentation scheme, users view memory as a collection of variable-sized segments with no necessary ordering among them. Segmentation is a memory-management scheme that supports this user view of memory. A logical address space is a collection of segments; each segment has a name and a length, and addresses specify both the segment name and the offset within the segment. For simplicity of implementation, segments are numbered and referred to by segment number rather than by name, so a logical address is (segment-number, offset).

When a user program is compiled, the compiler automatically constructs segments reflecting the input program. A compiler might create separate segments for :

• Global variables
• The code portion of each function
• The local variables of each function, and so on

Segmentation involves mapping two-dimensional user-defined addresses into one-dimensional physical addresses by means of a segment table. Each entry of the segment table has a segment base and a segment limit : the base is the starting physical address where the segment resides in memory, and the limit specifies the length of the segment. A logical address consists of two parts : a segment number 's' and an offset 'd' into that segment.
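The translation-and-check step that relocation with base/bounds registers, paging with protection bits, and the (segment-number, offset) form of segmentation all share can be written out as a small software model. The following is an added example in Python, not code from the textbook : the function names, the 4 KB page size, and the contents of SAMPLE_PAGE_TABLE and SAMPLE_SEGMENT_TABLE are constructed for illustration, and ProtectionFault stands in for the hardware trap that would hand control to the operating system.

```python
"""Software model of the address-protection mechanisms in this section.

Added example, not from the textbook: hypothetical functions that translate a
logical address the way base/bounds registers, a page table with protection bits,
and a segment table do, raising ProtectionFault on any out-of-range or
mode-violating access.  Register values and table contents are constructed.
"""
from dataclasses import dataclass


class ProtectionFault(Exception):
    """Raised where real hardware would trap to the operating system."""


# ---- Relocation + base/bounds registers -------------------------------------
def base_bounds_translate(logical, base, bound):
    """Relocate `logical` by `base` and require the result to lie below `bound`.

    The relocation register (base) is added to every address the program
    generates; the bounds register is the first physical address the program
    may NOT touch.  Both checks run on every access, so a program cannot stray
    into another user's allocation.
    """
    if logical < 0:
        raise ProtectionFault(f"negative logical address {logical:#x}")
    physical = base + logical
    if physical >= bound:
        raise ProtectionFault(f"{physical:#x} is outside [{base:#x}, {bound:#x})")
    return physical


# ---- Paging with protection bits kept in the page table ---------------------
PAGE_SIZE = 4096                        # a power of two, so the split is shift-and-mask
PAGE_SHIFT = PAGE_SIZE.bit_length() - 1


@dataclass(frozen=True)
class PageEntry:
    frame: int          # physical frame number this page is loaded into
    read: bool          # protection bits stored alongside the frame number
    write: bool
    execute: bool


def page_translate(logical, page_table, mode):
    """Split `logical` into (p, d); map p through the table; check the bits for `mode`."""
    p, d = logical >> PAGE_SHIFT, logical & (PAGE_SIZE - 1)
    if p >= len(page_table) or page_table[p] is None:
        raise ProtectionFault(f"page {p} is not mapped")
    entry = page_table[p]
    # An unknown mode string is treated as an invalid operation and denied.
    if not {"read": entry.read, "write": entry.write, "execute": entry.execute}.get(mode, False):
        raise ProtectionFault(f"{mode} denied on page {p}")
    return (entry.frame << PAGE_SHIFT) | d


# ---- Segmentation: (segment, offset) against a base/limit table -------------
@dataclass(frozen=True)
class SegmentEntry:
    base: int           # where the segment starts in physical memory
    limit: int          # its length; valid offsets are 0 <= d < limit
    read: bool
    write: bool
    execute: bool


def segment_translate(s, d, segment_table, mode):
    """Index the table with s, require 0 <= d < limit, check the bits, add base."""
    if s >= len(segment_table):
        raise ProtectionFault(f"segment {s} does not exist")
    seg = segment_table[s]
    if not 0 <= d < seg.limit:
        raise ProtectionFault(f"offset {d:#x} exceeds limit {seg.limit:#x} of segment {s}")
    if not {"read": seg.read, "write": seg.write, "execute": seg.execute}.get(mode, False):
        raise ProtectionFault(f"{mode} denied on segment {s}")
    return seg.base + d


def faults(fn, *args):
    """True if the access traps, False if it translates cleanly."""
    try:
        fn(*args)
    except ProtectionFault:
        return True
    return False


# Constructed tables: page 0 is code (read/execute), page 1 is data (read/write);
# segment 0 is 256 bytes of code, segment 1 is a 64-byte data area.
SAMPLE_PAGE_TABLE = [PageEntry(frame=5, read=True, write=False, execute=True),
                     PageEntry(frame=2, read=True, write=True, execute=False)]
SAMPLE_SEGMENT_TABLE = [SegmentEntry(base=0x4000, limit=0x100, read=True, write=False, execute=True),
                        SegmentEntry(base=0x8000, limit=0x40, read=True, write=True, execute=False)]

if __name__ == "__main__":
    print(hex(base_bounds_translate(0x10, 0x1000, 0x2000)))                 # 0x1010
    print(faults(base_bounds_translate, 0x1000, 0x1000, 0x2000))            # True: lands on the bound
    print(hex(page_translate(0x1004, SAMPLE_PAGE_TABLE, "write")))          # 0x2004
    print(faults(page_translate, 0x0010, SAMPLE_PAGE_TABLE, "write"))       # True: code page is read-only
    print(hex(segment_translate(0, 0x20, SAMPLE_SEGMENT_TABLE, "execute"))) # 0x4020
    print(faults(segment_translate, 1, 0x40, SAMPLE_SEGMENT_TABLE, "read")) # True: offset == limit
```

Note the two failure modes that differ between the schemes : with base/bounds the only thing that can go wrong is running off the end of the allocation, whereas with paging and segmentation an address that is perfectly in range can still fault because the operation (a write to a code page, an execute of a data segment) is not permitted by the protection bits.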
The segment number is used as an index into the segment table. The offset 'd' of the logical address must lie between 0 and the segment limit; if it does not, an error condition is raised, otherwise the offset is added to the segment base to produce the physical memory address of the desired byte.

Fig. 4.2.5 : Segmentation (logical address space; segment table of base and limit entries; physical memory)

One major advantage of segmentation is the association of protection with the segments. Since a segment represents a semantically defined portion of the program, all entries in a segment are likely to be used in the same way. Some segments hold only instructions while others hold only data, so the same kind of protection can be applied to a whole segment. Instructions are non-self-modifying, so instruction segments can be defined as read-only or execute-only. The memory-mapping hardware checks the protection bits associated with each segment table entry on every access to memory, preventing illegal accesses such as writing to a read-only segment or using an execute-only segment as data.

4.3 Control of Access to General Objects :

This chapter started with a discussion of the objects that need to be protected in a multiprogramming environment. The number and kinds of objects that need protection are still increasing. Some examples include :

• Memory
• Data on storage devices
• Files and directories
• Hardware devices
• Programs under execution
• Data structures
• Passwords and other confidential or authentication information
• The protection mechanism itself

Memory protection mechanisms have already been discussed and are fairly easy to implement. Other general objects are usually more difficult to protect, because the number of access points is large and the kinds of access are not limited to read, write and execute. Various goals in protecting objects are :
• Check every access : Every access a user makes to an object should be checked. A check made once and then remembered is not enough, since the rights may be revoked while the object is still in use.

• Enforce least privilege : A user or program has access only to the minimum set of objects needed to complete a task. No extra access should be granted to any object, even where the extra access would not appear to be a security violation.

• Verify acceptable usage : For each object it should be well defined which operations can be performed on it. The protection mechanism should check not just whether access to the object is allowed but also whether the operation being performed on it is valid. For example, valid operations on a directory in an operating system are create, delete, list files and so on, whereas an execute operation on a directory should be identified as invalid.

Various protection mechanisms used for protecting objects are :

Directory :

In this type of implementation a directory is created for each user, containing the list of files to which that user has access, with each file name, its access rights and a pointer to the file. These directories are separate for each user and are maintained by the operating system; no user has permission to change them.

Fig. 4.3.1 : Directory access (User A directory and User B directory, each listing file name, access rights and file pointer, pointing into the files)

This mechanism is easy to implement but becomes inefficient when the number of shared objects and users increases. As each user's list grows longer, changing the access rights on an object shared among many users becomes very time-consuming, since every user's list must be searched for an entry for that object and then changed. The Active Directory implementation in Windows 2000 Server is an example of this type.

Access Control Matrix :

A more effective implementation, which saves the operating system from storing repeated information, is the access control matrix, which lists all the subjects and the objects to be protected. Access control information is viewed as a matrix with rows representing the subjects and columns representing the objects; the access permitted is shown in the body of the matrix. For example, in Fig. 4.3.2 the letter at the intersection of a row and a column indicates the type of access the subject may make to the object. Because least privilege is a primary goal of access control, most cells of the matrix are empty, meaning that no access is allowed. When most of the cells are empty, the matrix is said to be sparse.

Fig. 4.3.2 : Access control matrix (rows : the users Albhar, Bunty, Chandu, Debika, Eva, Fibi, Gaurav, Himanshu, Jafar, Kunal, Luv and Mayur, arranged in Group1 to Group4; columns : the objects A to L; modes : R = read, W = write and read)

Access Control List :

When an access control matrix is used, storing every cell's contents is inefficient if the matrix is sparse. Instead an access control list can be used, which stores either the columns or the rows, as shown in Fig. 4.3.2 (contd.).

Fig. 4.3.2 (contd.) : Access control list. Object : users listed (the access mode recorded against each user is not legible in this copy)

A and B : ASPNET, Albhar, Jafar
C : ASPNET, GP-A, GP-B
D : ASPNET, GP-A, Eva, Fibi
E : ASPNET, Albhar, Chandu, GP-B
… : ASPNET, Albhar, Chandu, Debika, GP-B
F : ASPNET, Albhar, Debika, GP-B, Gaurav
G and H : ASPNET, Albhar, GP-C
J : ASPNET, Albhar, Gaurav, Himanshu, Jafar
K and L : ASPNET, Albhar, Himanshu, GP-D

GP = group, N = none, R = read, W = write and read, ASPNET = system account
Fig. 4.3.2 shows access control storage based on the columns, i.e. for each object the list of users whose authorized type of access to it is recorded; this is called list-based storage. Unlisted users need not be denied all access. In many cases most users are authorized some access, for example execute or read access to the system's language processors, and only a few are granted more or less authority, for example either write access or no access at all. An indicator in or with the list may give the default type of access for the resource. List-based control is efficient because it contains only the exceptions to that default.

Capability or Ticket-Based Storage of Access Controls :

The figure below shows access control storage based on the rows, i.e. for each user the list of objects to which the user is authorized to gain specified types of access; this is called ticket-based or capability-based storage. The latter term refers to rigorously defined constructs, called capabilities, which define both an object and one or more types of access permitted to it. Capabilities may be defined by hardware or by software. Because possession of the ticket is what grants access, capabilities must be unforgeable, and revoking a capability that has already been handed out is harder than deleting an entry from a list. Any pure ticket-based scheme also has the disadvantage that it lacks the efficiency of a default access type per object. This problem can be alleviated by grouping capabilities in shared catalogues and by grafting some list-based control onto the ticket-based scheme.

User : Object/Access
Albhar : A/W, B/W, C/W, D/R, E/R, F/R, G/R, H/R, J/R, K/R, L/R
… : A/R, B/W, C/W, D/R
… : A/R, B/W, C/W, D/R, E/R
Gaurav : A/R, B/R, C/R, F/R, G/W, H/W, J/R
… : A/R, G/W, H/W, J/R, K/R, L/R
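The relationship between the three storage forms described in this section, the sparse matrix, its column view (the access control list with a per-object default) and its row view (the capability list, which is also what the per-user directory mechanism amounts to), together with a reference-monitor check that enforces all three protection goals, can be shown in a few lines. The following is an added example in Python and is not the textbook's figures : the subjects alice, bob, carol, dave and SYSTEM, the objects, the defaults and the rights are all constructed; the modes follow the section's legend.

```python
"""Access-control matrix, its column (ACL) and row (capability) storage, and a
reference-monitor check.

Added example, not the textbook's figures: every subject, object and right below
is constructed for illustration.  Modes follow the section: 'W' = write and read,
'R' = read only, 'X' = execute only, 'N' = no access.  A missing cell means 'N',
so the matrix is stored sparse.
"""

# Constructed matrix: MATRIX[subject][object] = mode.  Absent cells are empty.
MATRIX = {
    "alice":  {"payroll.db": "W", "report.txt": "R", "/usr/bin/cc": "X", "/home/alice": "W"},
    "bob":    {"report.txt": "W", "/usr/bin/cc": "X"},
    "carol":  {"/usr/bin/cc": "X"},
    "dave":   {},
    "SYSTEM": {"payroll.db": "W", "report.txt": "W", "/usr/bin/cc": "W", "/home/alice": "W"},
}
OBJECTS = ["payroll.db", "report.txt", "/usr/bin/cc", "/home/alice"]
OBJECT_TYPE = {"payroll.db": "file", "report.txt": "file", "/usr/bin/cc": "file",
               "/home/alice": "directory"}
# Default per object: list-based storage records only the exceptions to this.
# Everyone may execute the compiler; nothing else is open by default.
DEFAULTS = {"payroll.db": "N", "report.txt": "N", "/usr/bin/cc": "X", "/home/alice": "N"}

# Which operations make sense on each kind of object ("verify acceptable usage"),
# and which operations each mode grants on that kind.
VALID_OPS = {"file": {"read", "write", "execute"},
             "directory": {"list", "create", "delete"}}
MODE_GRANTS = {
    "file":      {"N": set(), "R": {"read"}, "X": {"execute"}, "W": {"read", "write"}},
    "directory": {"N": set(), "R": {"list"}, "W": {"list", "create", "delete"}},
}


def empty_cells(matrix, objects):
    """Count empty cells; least privilege leaves most of them empty (a sparse matrix)."""
    return sum(1 for row in matrix.values() for obj in objects if obj not in row)


def to_acl(matrix, objects, defaults):
    """Column view: for each object, only the subjects whose mode differs from the default.

    An empty cell is 'N'; where the default is more generous than 'N' (the compiler),
    a subject with an empty cell is therefore recorded as an explicit 'N' exception.
    """
    acl = {}
    for obj in objects:
        acl[obj] = {subj: row.get(obj, "N") for subj, row in matrix.items()
                    if row.get(obj, "N") != defaults[obj]}
    return acl


def to_capabilities(matrix):
    """Row view: for each subject, the tickets (object, mode) it can present."""
    return {subj: sorted(row.items()) for subj, row in matrix.items()}


ACL = to_acl(MATRIX, OBJECTS, DEFAULTS)


def check_access(subject, obj, op, acl=ACL, defaults=DEFAULTS, types=OBJECT_TYPE):
    """Reference monitor: consulted on every access and never bypassed.

    1. Verify acceptable usage: the operation must be meaningful for the object kind
       (execute on a directory is rejected before any rights are even consulted).
    2. Look the subject up in the object's ACL, falling back to the object's default.
    3. Grant only the operations that the resulting mode implies (least privilege).
    """
    kind = types.get(obj)
    if kind is None or op not in VALID_OPS[kind]:
        return False
    mode = acl.get(obj, {}).get(subject, defaults.get(obj, "N"))
    return op in MODE_GRANTS[kind].get(mode, set())


if __name__ == "__main__":
    print(empty_cells(MATRIX, OBJECTS), "of", len(MATRIX) * len(OBJECTS), "cells empty")
    for obj, entries in ACL.items():
        print(f"ACL {obj}: {entries}")
    print("capabilities of carol:", to_capabilities(MATRIX)["carol"])
    print(check_access("carol", "/usr/bin/cc", "execute"))   # True, via the default
    print(check_access("alice", "/home/alice", "execute"))   # False, invalid op on a directory
```

The ACL for /usr/bin/cc comes out as only SYSTEM (write) and dave (none) : the three users who merely execute the compiler match the default and are not stored, which is the saving list-based control gives over the full matrix. The capability view of the same data is per-subject, so a single user's rights are cheap to read but changing one object's rights means visiting every subject's list, exactly the drawback the section notes for the directory mechanism.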
