
IEC 312 – Distributed System Security
Dr. E.Silambarasan
Assistant Professor
Department of CSE - Cyber Security
Indian Institute of Information Technology, Kottayam
Module 1
• Introduction- Background, Distributed Systems, Distributed Systems Security, Common Security
Issues and Technologies
• Host-Level Threats and Vulnerabilities- Background, Malware, Eavesdropping, Job Faults, Resource
Starvation, Privilege Escalation, Injection Attacks.
• Infrastructure-Level Threats and Vulnerabilities- Introduction, Network- Level Threats and
Vulnerabilities, Grid Computing Threats and Vulnerabilities, Storage Threats and Vulnerabilities,
Overview of Infrastructure Threats and Vulnerabilities.
Host-Level Threats and Vulnerabilities
• Vulnerabilities refer to design or operational weaknesses that allow a system to be potentially compromised
by an attacker.
• Vulnerabilities also exist in pieces of trusted software installed on the host, and these can be exploited.
• A threat reflects the potential or likelihood of an attacker causing damage or compromising the system.
• The threats arise due to either mobile codes (both trusted and untrusted) that are downloaded and executed

(Figure: Classification of host-level threats)
Host-Level Threats and Vulnerabilities
Transient Code Vulnerabilities:
• ‘Transient code’ is any binary, object code, or script that is mobile and executes on a remote host.
• A remote host is one which executes the mobile code either intentionally or accidentally.
• An end-user on the host could inadvertently download and execute mobile code that has malicious intent,
which could compromise the security of the host and pose serious challenges to all other hosts on the network.
• Attacks through Trojan horses, spyware, and eavesdropping are common in the distributed world, particularly
through content or applications published on the Internet.
• The need to deliver rich and intelligent content to users has forced networked applications such as Web
browsers, e-mail clients, and so on to allow scripts to be executed, for example, Javascript, or an Applet or
ActiveX object.
• A person with malicious intent can use this scripting ability to take control of a host or cause permanent
damage to its content.
Resident Code Vulnerabilities
• ‘Resident code’ is a piece of trusted software installed on the host with the knowledge of the user.
• Resident code, however trusted, may contain some vulnerabilities.
• Historically, most attacks have happened by exploiting these vulnerabilities.
Host-Level Threats and Vulnerabilities
Malware: Malicious Software
Trojan Horse:
• A type of malware that is disguised as legitimate software. Cybercriminals trick users into loading
Trojans onto their computers, where they cause damage or collect data.
• Victim is unaware of the fact that their system has been compromised.
• Trojan horses cannot operate autonomously.
• Trojan horses typically reach the victim in the form of an attachment in an e-mail or data in a sharable
media such as a CD-ROM, a flash drive, and so on, or as a file sent through online chats/messenger or
downloaded from a Web site/FTP site.
• Trojan horses are scripted with the intention to create back doors for remote access to the host under
attack, disable the security scanner/firewall setup on the host and prepare the host to participate in a
distributed denial-of-service or even crypto-viral attack.
• Attractive screen savers, catchy attachment names, and games are some of the methods that hackers
have used to infect hosts.
• In some operating systems, file extensions are hidden to make it easy for users to manage their
information. Often this has been exploited to infect an unsuspecting host.
Host-Level Threats and Vulnerabilities
Malware: Malicious Software
Spyware:
• A program that secretly records what a user does, so that cybercriminals can make use of this
information. For example, spyware could capture credit card details.
• It also monitors the user’s access behavior, collecting information and using it to make
commercial gains for its author.
• SearchSeekFind, ShopAtHomeSelect, and Surfairy are three well-known spyware.
Worms/Viruses:
• Unlike Trojan horses and spyware, which largely rely on social engineering and user action, worms and viruses spread on their own.
• A self-replicating program that attaches itself to a clean file and spreads throughout a computer system,
infecting files with malicious code.
• Viruses are generally malicious in intent and are created by their authors to replicate themselves on all
executable files and macros on a host.
• As systems began to network, virus authors found an easier means to infect hosts over networks. This
led to the advent of worms.
Host-Level Threats and Vulnerabilities
Eavesdropping
• In collaborative computing platforms such as Grid, business users often share their desktops and other
computing resources.
• Some of these users are genuinely interested in sharing their computing resources for a common cause;
others have malicious intent, and still others inappropriately handle information that passes through
their system.
• There are three classes of vulnerability under this category:
• unauthorized access to confidential data;
• unauthorized access to protected or privileged binaries;
• unauthorized tampering with computational results.
Host-Level Threats and Vulnerabilities
Eavesdropping
• Unauthorized Access to Confidential Data – by Users
• In DS computing environments there are schedulers, which identify a node for job execution based on
machine load and uptime.
• Once a node is identified, the scheduler provisions both the executable binaries/script and the relevant
data.
• As the grid system does not assume any privileges on a remote host, all the files related to this job are
hosted in a folder (such as tmp) to which every logged-on user on the system has access.
• If the scheduled job runs on the host for even less than a minute, users on the host with malicious intent
have adequate time to copy sensitive data to an alternative location.
• They can then examine, analyze, interpret, and misuse the data offline, and employ brute force or similar
techniques against encrypted staged data.
• Another serious issue may arise if staged data contains some access privilege information such as a user ID
and password or other authentication keys.
• This is required if the scheduled job has to impersonate the user or use alternative credentials to access
some external systems.
• Such access credentials, if they become available to a user with malicious intent, can have severe security
repercussions which are difficult to trace or identify.
• In a more conventional distributed system such as a Web application, user interactions are through
a Web browser.
• The limitation of web browsers and the HTML language in providing a rich interface has led to several
innovations, such as Applets, scripting and ActiveX controls.
• All these mechanisms require the Web browser to download and execute mobile alien code on the host.
• This can pose serious threats to the system, ranging from eavesdropping on private information,
through corrupting system data, to taking complete control of the system.
• Netscape introduced cookies to overcome limitations of the HTTP protocol.
• Websites use cookies to store information on a user’s machine so that some information about the
user’s interaction with the site is available the next time they access it.
• Cookies by themselves are harmless and do not pose any security threat.
• However, the data available in cookies can provide insights into the user’s browsing habits, which
malicious users can use for commercial or other gains.
• Cookies that store access control information are even more dangerous.
• They can be accessed by a sniffer on the network and reused to impersonate the user and steal their
identity.
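The cookie risk described above (a cookie carrying access-control information being captured on the network and replayed) can be checked for on the server side. The following is an added example, not code from the slides: a small audit of Set-Cookie headers that flags the missing attributes which let a network sniffer or a page script read a session cookie. The parser, the cookie names and the sample headers are constructed for this example.

```python
# Added example: audit Set-Cookie headers for attributes that limit exposure
# of a session cookie to network sniffers and page scripts.
# The parser, sample headers and cookie names are constructed for illustration.

ONE_DAY = 24 * 60 * 60


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones (Max-Age=3600) to their string value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty = no issue)."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so the cookie is also sent over "
                        "plaintext HTTP where a network sniffer can capture and replay it")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so script running in the page can read it")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, so cross-site requests carry it")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > ONE_DAY:
        findings.append(f"{name}: Max-Age {max_age}s gives a captured cookie a long replay window")
    return findings


# Constructed sample headers: a bare session cookie and a hardened one.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/",
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=1800",
]


def audit_all(headers=SAMPLE_HEADERS):
    """Findings per header, in the same order as the input."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_all()):
        print(header)
        for finding in findings:
            print("  -", finding)
        if not findings:
            print("  - no findings")
```

Note that the Secure attribute only helps if the site is actually served over TLS; on a plain-HTTP site the cookie never reaches the browser with that attribute honoured, so the network sniffing case described above remains.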
Host-Level Threats and Vulnerabilities
Eavesdropping
• Unauthorized Access to Protected or Privileged Binaries – by Users
• First, a binary may actually implement some proprietary algorithm or trade secret, and a malicious
user gaining access to such a piece of code or executable could cause an organization great losses.
For example, take a rate calculator used by an insurance firm.
• Second, some binaries contain certain access privilege information, such as a user ID/password,
hardcoded in them.
• Merely copying such a binary and reusing it would provide a malicious user with elevated privileges
to a system. For example, applications that connect to a database.
• Finally, malicious users may simply re-execute the binary without any knowledge of the data it operates
on. If the binary happens to alter some external system, it can perhaps make the system
inconsistent and affect business.
• In this case, the intent of the user is not to gain information or access to a privileged system, but to
cause inconvenience or disturbance.
Host-Level Threats and Vulnerabilities
Eavesdropping
• Unauthorized Tampering with Computational Results
• The malicious user alters the results of computation with the intent to corrupt or mislead the
system.
• It is rather difficult to initiate such attacks, and they are largely dependent on the type of
application, the output it generates, and the duration of the run.
• It is difficult to tamper with the results of very short-lived jobs that run for less than a second.
• Similarly, jobs that post their computation results directly to a centralized system without storing
them in intermediate files are difficult to tamper with.
• Jobs whose source code is available, which run for several minutes to hours and use intermediate
files to store results, are often easy targets for such attacks.
Host-Level Threats and Vulnerabilities
Eavesdropping
• Unauthorized Access to Private Data – by Jobs
• Though grid schedulers tend to deprivilege grid jobs and let them run with minimal privileges on the host,
most hosts leave a lot of sensitive data accessible to anyone with basic privileges.
• Potentially, the grid jobs which run on a remote host could exploit this vulnerability to read and expose
private and sensitive information stored there.
• For instance, if not properly secured, password shadow/cache files on the host could be used to get access
to it.
• A host of system configurations and other files might also be vulnerable to such attacks.
• While hosts are vulnerable to attacks from mobile jobs that execute on them, equally vulnerable are other
mobile jobs that execute at the same time.
• By default, most grid schedulers allow more than one job to run on the host concurrently based on a
number of CPU slots.
• This creates the possibility of sensitive information from an innocuous job falling into the hands of a
malicious one that happens to execute concurrently on the same host.
• In this case, the host facilitates the attack without being aware of it.
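Two of the problems above have the same root cause: files with the wrong permission bits. Staged job data in a shared folder (the "by users" case) is readable by every logged-on user, and host files left world-readable (the "by jobs" case) are readable by a deprivileged grid job. The following is an added example, not code from the slides or from any grid scheduler: it stages a job's files in a directory only the owner can enter, and audits a host for files any local user can read. The paths, file names and contents are constructed for the demo.

```python
# Added example, not from the slides: stage a job's files in a directory only
# the job owner can enter, and audit a host for files that any local user or
# minimally privileged job can read. Paths and contents are constructed.
import os
import stat
import tempfile


def stage_job_files(files, base_dir=None):
    """Copy job inputs into a freshly created 0700 directory.

    `files` maps file name -> bytes. Returns the staging directory path.
    mkdtemp creates the directory with mode 0700, so other logged-on users
    cannot list or read the staged binaries/data; each file is created 0600.
    """
    staging = tempfile.mkdtemp(prefix="job-", dir=base_dir)
    for name, content in files.items():
        path = os.path.join(staging, os.path.basename(name))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
    return staging


def world_readable(path):
    """True if 'other' has read permission on the path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_world_readable(paths):
    """Return the subset of existing paths that any local user (or a grid job
    running with minimal privileges) can read."""
    return [p for p in paths if os.path.exists(p) and world_readable(p)]


def demo():
    """Stage two constructed files and audit a constructed host layout."""
    old_umask = os.umask(0o022)  # a typical default that leaves new files 0644
    try:
        with tempfile.TemporaryDirectory() as base:
            staging = stage_job_files(
                {"solver.bin": b"\x7fELF...", "creds.txt": b"user=svc"}, base)
            host = os.path.join(base, "host")
            os.mkdir(host)
            shadow = os.path.join(host, "shadow")   # constructed stand-in for a password file
            motd = os.path.join(host, "motd")       # harmless public file
            cache = os.path.join(host, "cache.db")  # constructed: tokens left at 0644
            for path, text in ((shadow, "svc:$hash$:0:0:99999:7:::\n"),
                               (motd, "welcome\n"),
                               (cache, "session tokens\n")):
                with open(path, "w") as fh:
                    fh.write(text)
            os.chmod(shadow, 0o600)  # how a password file should be kept
            staged = [os.path.join(staging, n) for n in os.listdir(staging)]
            return {
                "staging_dir_world_readable": world_readable(staging),
                "staged_files_world_readable": audit_world_readable(staged),
                "host_leaks": sorted(os.path.basename(p)
                                     for p in audit_world_readable([shadow, motd, cache])),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

The permission bits protect against other local users and jobs with a different UID; they do not help if the scheduler itself runs every job under one shared account, which is why per-job accounts or sandboxes are the usual complement to a private staging directory.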
Host-Level Threats and Vulnerabilities
Job Faults:
• Engineers, researchers, and other users write applications that solve specific problems they are working on.
• These applications do not normally undergo quality tests or certification.
• When scheduled to run over the grid, they can potentially cause faults (though in this case, the faults are
generated unintentionally), which can bring down the entire host, along with all the applications running on it.
• In other cases, the job owners may have malicious intentions and script jobs targeting a particular host to
inject a fault that will corrupt the host or simply cause reboot/shutdown.
• This does not imply that the host alone is vulnerable to mobile jobs that run on it.
• It is equally possible for the host applications and users to be harmful to the grid applications and to inject
faults that cause the grid applications to either fail or behave inappropriately.
Host-Level Threats and Vulnerabilities
Resource Starvation
• Job starvation occurs when a long-running job sits at the head of the job queue, blocking several
smaller jobs behind it.
• Grid applications tend to be resource intensive.
• They are either CPU-bound or memory-bound and are written in such a way that there are hardly any
synchronization or other waits.
• Once initiated, they completely saturate the hosts on which they run, leaving very little for other
applications to use.
• For instance, a computational fluid dynamics application works with a large data set consuming most of the
physical memory on the host and, depending on the problem size, can run for long periods, while soaking up
all available CPU slots on the host.
• The challenge is to use the idle capacity on such hosts without affecting the applications/jobs already running on
them.
• The easiest way to use this idle capacity is to add the host to an existing grid or cluster.
• The resource starvation issue makes it difficult to guarantee the quality of service to both existing applications on the
host (native applications) and the grid applications.
• In the case of production servers which are used as grid nodes, the response times or the throughput of the native
host applications are affected because of the computationally-intense nature of the grid jobs.
• Similarly, in the case of desktop nodes, the interactive nature of the host may be in jeopardy.
• In either case, resource starvation on the grid node affects the smooth operation of the node’s primary function.
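The queue-head starvation and the native-application impact described above are easy to see in a small scheduling model. The following is an added example, not code from the slides or from any real grid scheduler: it dispatches a constructed queue onto a host with a given number of CPU slots under first-come-first-served and shortest-job-first ordering, and optionally reserves slots for the host's native applications. Job names, runtimes and the `simulate`/`compare` functions are all constructed for this example.

```python
# Added example, not from the slides: a small scheduling model showing how one
# long-running job at the head of a FCFS queue starves shorter jobs, and two
# mitigations: ordering by expected runtime and reserving CPU slots for the
# host's native applications. Job names and runtimes are constructed.
import heapq
from collections import namedtuple

Job = namedtuple("Job", "name runtime")  # runtime in seconds; all jobs queued at t=0

QUEUE = [Job("cfd_solver", 3600), Job("report_a", 10), Job("report_b", 10), Job("report_c", 10)]


def simulate(jobs, slots, policy="fcfs", reserved_for_native=0):
    """Return {job name: start time} for a host with `slots` CPU slots.

    policy "fcfs" dispatches in queue order; "sjf" dispatches the shortest
    expected runtime first (non-preemptive). `reserved_for_native` slots are
    never handed to grid jobs, so the host's own applications keep capacity.
    """
    usable = slots - reserved_for_native
    if usable < 1:
        raise ValueError("at least one slot must remain for grid jobs")
    if policy == "fcfs":
        order = list(jobs)
    elif policy == "sjf":
        order = sorted(jobs, key=lambda j: j.runtime)  # stable: ties keep queue order
    else:
        raise ValueError(f"unknown policy {policy!r}")
    free_at = [0] * usable  # min-heap of times at which each usable slot becomes free
    heapq.heapify(free_at)
    starts = {}
    for job in order:
        t = heapq.heappop(free_at)  # earliest free slot
        starts[job.name] = t
        heapq.heappush(free_at, t + job.runtime)
    return starts


def mean_wait(starts, jobs):
    """Average time a job sits in the queue before it starts."""
    return sum(starts[j.name] for j in jobs) / len(jobs)


def compare(jobs=QUEUE, slots=1):
    """Mean queue wait under each policy for the same host."""
    return {policy: mean_wait(simulate(jobs, slots, policy), jobs)
            for policy in ("fcfs", "sjf")}


if __name__ == "__main__":
    print("one slot:", compare())
    print("two slots, one reserved for native apps:",
          simulate(QUEUE, 2, "fcfs", reserved_for_native=1))
```

Shortest-job-first needs a runtime estimate the job owner may get wrong, and it starves the long job instead if short ones keep arriving, which is why production schedulers combine it with aging (priority that grows with time in the queue) and per-user quotas.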
Host-Level Threats and Vulnerabilities
Overflow:
• Buffers are used by software programs to store data. They typically have an upper and a lower
bound.
• Any location outside these bounds does not belong to the program. Either accessing or storing data
in locations outside the bounds leads to program faults or unexpected behavior.
• Buffer overflow is a vulnerability on the host that can lead to memory access exceptions,
predominantly left in the system due to programming oversights or errors.
Host-Level Threats and Vulnerabilities
Overflow:
• Stack-Based Buffer Overflow
• The first type of threat attempts to overwrite adjacent locations in the stack, modifying variables
either intentionally or accidentally.
• This causes erratic or incorrect program behavior, sometimes causing the application to fail abruptly.
• Exploiting such vulnerabilities, it is possible for a user with malicious intent to bring down a critical
service or application on a host.
• The second type of threat modifies a function pointer or return address to execute arbitrarily
different code.
• Programs store the function arguments and the return location in stack frames.
• Program control transfers to a location specified in the altered value when the buffer overflows.
• Malicious users may carefully place the block of code they would like to execute and smash the
stack to jump to this program location.
Host-Level Threats and Vulnerabilities
Overflow:
• Heap-Based Buffer Overflow
• The data contained in the heap are predominantly program data allocated dynamically during
the lifetime of the program’s execution and do not contain function pointers/return locations.
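The stack-frame mechanism described above can be modelled without real memory. The following is an added example, not code from the slides: a list stands in for one stack frame (a fixed-size buffer followed by the saved frame pointer and return address), an unchecked copy writes input bytes past the buffer bound into those slots, and a bounds-checked copy refuses the same input. The layout, the addresses and the input bytes are constructed for this model and correspond to no particular compiler or CPU.

```python
# Added example, not from the slides: a toy model of one stack frame, used to
# show how an unchecked copy into a fixed-size buffer overwrites the adjacent
# saved return address, and how a bounds check prevents it. Slot layout,
# addresses and input bytes are constructed; this is a list, not real memory.
BUF_SIZE = 8
SAVED_FP_SLOT = BUF_SIZE      # index of the saved frame pointer
RET_SLOT = BUF_SIZE + 1       # index of the saved return address
DEFAULT_RET = 0x40001000      # constructed return address


def new_frame(return_addr=DEFAULT_RET):
    """Frame layout (low -> high index): buffer[0..7], saved FP, return address."""
    return [0] * BUF_SIZE + [0xBFFFF000, return_addr]


def unchecked_copy(frame, data):
    """Like strcpy(): writes every input byte from the buffer start onward,
    never comparing against BUF_SIZE, so bytes 8 and 9 of a 10-byte input
    land in the saved FP and return address slots (a longer input would
    raise IndexError here; in a real process it keeps overwriting the stack)."""
    for i, byte in enumerate(data):
        frame[i] = byte
    return frame


def checked_copy(frame, data):
    """Like a length-checked memcpy: refuses input that would cross the
    upper bound and leaves the frame untouched."""
    if len(data) > BUF_SIZE:
        return False
    frame[:len(data)] = data
    return True


def frame_intact(frame, return_addr=DEFAULT_RET):
    """True if the saved return address still holds its original value."""
    return frame[RET_SLOT] == return_addr


def demo():
    """Run both copies on the same 10-byte input and report the outcome."""
    overlong = list(b"AAAAAAAAAA")
    smashed = unchecked_copy(new_frame(), overlong)
    guarded = new_frame()
    accepted = checked_copy(guarded, overlong)
    return {
        "unchecked_ret_slot": smashed[RET_SLOT],
        "unchecked_intact": frame_intact(smashed),
        "checked_accepted": accepted,
        "checked_intact": frame_intact(guarded),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows only the first effect the slides describe (adjacent locations overwritten, control data corrupted); the mitigations in a real program are the length check, compiler stack protectors and non-executable stacks, none of which the toy represents.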

Privilege Escalation:
• Privilege escalation is an issue related to an unauthorized user elevating their authorization level on
a host in order to perform tasks that they are not otherwise allowed to perform.
• In most cases, the elevated privilege desired by malicious users is that of root or the user equivalent
of root.
• By elevating privilege to that of root, a malicious user can take absolute control of the host.
• This can have severe impacts, including the host being part of distributed denial-of-service or other
similar attacks, which are difficult to trace.
Host-Level Threats and Vulnerabilities
Privilege Escalation:
• There are two possible types of privilege escalation, namely horizontal privilege escalation and vertical
privilege escalation.
• In the case of horizontal privilege escalation, a malicious user tries to assume the identity of a peer in
the system.
• The objective of the malicious user is not to take complete control of the machine, rather they are trying
to access another user’s private data or conceal their own identity and present themselves to others as
the compromised user.
• Vertical privilege escalation occurs when a malicious user assumes the identity of a system
administrator (root in Linux or Local System account in Windows).
• This allows the malicious user to access all information stored on the host and perform tasks that are
otherwise not permissible.
• Buffer overflows are often the easiest way to achieve privilege escalation.
• Hackers have exploited buffer overflows more than anything else to gain root privileges on a host, as is
apparent from the CERT vulnerability reports.
Host-Level Threats and Vulnerabilities
Injection Attacks:
• Injection attacks are attempts by malicious hackers to exploit a vulnerability in an application that does not
handle user input securely.
• Injection attacks generally use an executable code/script to intrude into a host system.
• There are several ways to inject malicious code through user inputs.
• Shell/PHP Injection
• PHP/ASP injection commonly refers to such a code injection vulnerability on applications built over a
server-side scripting engine such as PHP or ASP.
• SQL Injection
• A malicious user uses an insecure application input field to inject a harmful query string or retrieve
unauthorized data.
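The SQL injection case above comes down to whether user input is spliced into the query text or passed separately as a parameter. The following is an added example, not code from the slides: the same lookup written both ways against an in-memory SQLite database, exercised with a legitimate name that contains an apostrophe so the unsafe version's failure shows that the database is parsing the input as SQL. The table, rows and function names are constructed for this example; the same rule (keep data out of the command string) is what list-form arguments give for the shell injection case.

```python
# Added example, not from the slides: an input field spliced into SQL text
# versus the same lookup with a bound parameter. Table and rows are constructed.
import sqlite3


def make_db():
    """In-memory users table with constructed rows, one name containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "analyst"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the input becomes part of the SQL text, so the database
    parses whatever it contains as query syntax."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened: the query text is fixed and the input is bound as a value,
    so quotes or keywords in it are never treated as SQL."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def compare(name):
    """Run both lookups for one input and report what each returned."""
    conn = make_db()
    try:
        unsafe, unsafe_error = find_user_unsafe(conn, name), None
    except sqlite3.Error as exc:
        unsafe, unsafe_error = None, type(exc).__name__
    safe = find_user_safe(conn, name)
    conn.close()
    return {"unsafe": unsafe, "unsafe_error": unsafe_error, "safe": safe}


if __name__ == "__main__":
    for probe in ("alice", "o'brien"):
        print(probe, "->", compare(probe))
```

For the unsafe version the apostrophe in a legitimate name is enough to break the query, which is the same property an attacker relies on; the parameterised version returns the matching row because the driver never lets the value reach the SQL parser.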
