System Security
LEARNING OBJECTIVES
Upon completion of this chapter, you should be able to
LO1 Memorize a brief description of the system and define the components of the system
LO2 Outline a detailed overview of buffer overflows and show how they may be exploited for writing malicious programs
LO3 List and explain the commonly known malicious programs
LO4 Relate to the concept of Intrusion Detection Systems (IDS) and explain the types of IDS technologies
LO5 Define firewalls and explain their different architectures with their respective advantages and disadvantages
examples.
• Others These are objects that the system controls and protects. Examples are programs (note, not processes), data, terminals, modems, etc.
The line of demarcation between the security relevant components and the others is called the security perimeter.
A common misconception which must be avoided is that encryption provides system security. Encryption, as we have seen in the previous discussions in the book, provides data confidentiality. However, for system security it is necessary to have trust in the security-related components inside the security perimeter. For example, the OS needs to be trusted. If the OS is found to be untrustworthy, then the result of an encryption program which runs on the OS cannot be relied upon either. Hence, encryption alone cannot solve the problem; other principles and methods are necessary.
Users, Trust, and Trusted Systems
A user is a person whose information the system protects and whose access to information is controlled by the system. A user is in general trusted to keep his secret, often in the form of a password, confidential from other users who do not have access to the trusted user's documents. In spite of this, a user may be deceived into manipulating his data in a fashion which compromises the security of the system. In order to protect against such a threat, a trusted user should be warned when he accidentally gives away valuable information. However, if a user betrays this trust intentionally, then system security cannot handle such a scenario.
The system identifies a user through a unique identifier (ID), which is public information like a name or an account number. The identifier must be unique and unforgeable. The act of associating a user with a unique identifier is called authentication. The identification number is used by the system to associate a process (a running program) with a user. Trust in systems is built using the techniques of identification and authentication. Systems in a network authenticate as other systems, or as programs; impersonating a user or a program is a serious security threat. A trusted system enforces a given security policy based on this trust.
Trusted systems classify programs based on the level of trust placed on them. Trusted programs are those upon which the security of the system relies. These programs are responsible for the security of the system. The outputs of these programs are verified and are believed to be correct even if they interact with untrusted programs. On the other hand, benign programs are believed to be benign and are obtained generally from trusted vendors, like OS providers. They are believed to be harmless and are trustworthy as long as they do not come into play with untrusted programs. Untrusted programs are obtained from unknown or untrusted sources, like a downloaded file from an unknown web page.
LO2 BUFFER OVERFLOW AND MALICIOUS SOFTWARE
Buffer overflow is a commonly known mistake that exists in some C implementations. These classes of bugs are extremely dangerous, as they write past the end of a buffer or array and hence corrupt the process stack. Often they change the return address of a function call to a secret memory location where malicious code is planted. This calls for an understanding of these kinds of errors in order to develop secure coding principles that lessen these security threats in systems.
System Security 527
A buffer, often visualized as an array, is a contiguous space of related variables of the same data type. In C or C++ there are no automatic checks on the buffer, which means a user may write past a buffer. This phenomenon is known as buffer overflow. Arrays, like all variables in C, can be either static or dynamic. Static variables are allocated at load time on the data segment. Dynamic variables are allocated at run time on the stack. We shall discuss the overflow of dynamic buffers, commonly referred to as stack-based buffer overflows.
For example, consider the following C code snippet as a simple example of buffer overflow.
    int main(void) {
        int buffer[10];   /* ten elements: the valid indices are 0 to 9 */
        buffer[20] = 5;   /* writes past the end of the array; no compile-time or run-time check stops it */
        return 0;
    }
Most compilers will compile the above program without errors. This seemingly simple mistake can be used by the authors of malicious software to trigger their code and thus compromise security. In order to understand the principle behind these attacks let us look at the organization of the process in memory. A process, which is a program in execution, is divided into three regions: text, data and stack, as shown in Fig. 19.1. The text region is decided by the program and is made of binary instructions and read-only data. Any effort to write in this area leads to a segmentation fault. The initialized or uninitialized data region stores static variables. If the available memory is rendered unavailable, the process is blocked and rescheduled with a larger memory space between the text and stack segments.
Fig. 19.1 Process regions in memory: Text (lower memory addresses), Data, Stack (higher memory addresses)
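As an added example (not code from the chapter), the same out-of-bounds write routed through a checked accessor, beside a bounded string copy; the helper names set_at, copy_bounded and chapter_example_rejected are hypothetical:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the chapter. C performs no bounds checks, so the
 * chapter's buffer[20] = 5 compiles and silently corrupts the stack. These
 * hypothetical helpers refuse any write that would land past the end. */

/* Store val at buf[idx] only when idx lies inside the len-element array.
 * Returns 0 on success, -1 (buf untouched) when the index is out of range. */
int set_at(int *buf, size_t len, size_t idx, int val)
{
    if (buf == NULL || idx >= len)
        return -1;
    buf[idx] = val;
    return 0;
}

/* Copy src into dst[dst_len] only when it fits with its terminating NUL.
 * Unlike strcpy this never writes beyond dst; unlike strncpy the result is
 * always NUL terminated. Returns the number of characters copied, or -1
 * (dst untouched) when src would overflow dst. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    for (n = 0; n < dst_len && src[n] != '\0'; n++)
        ;                           /* measure src, never scanning past dst_len */
    if (n == dst_len)
        return -1;                  /* no room left in dst for the NUL */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* The chapter's snippet through the checked helper: the write to index 20
 * of a 10-element array is rejected instead of overrunning the stack. */
int chapter_example_rejected(void)
{
    int buffer[10] = {0};
    return set_at(buffer, 10, 20, 5);   /* -1 */
}

int main(void)
{
    char name[10];
    return (chapter_example_rejected() == -1 &&
            copy_bounded(name, sizeof name, "0123456789") == -1 &&
            copy_bounded(name, sizeof name, "alice") == 5) ? 0 : 1;
}
```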
Malicious programs, as already clarified, are those programs which try to subvert the expected operation of secured and benign code. As mentioned in the previous section, buffer overflow attacks give the adversary the power to change the return address. Typically, the changed return address points back to the buffer itself, where a malicious exploit is written. The exploit could be a program to run a shell on the victim computer. The ability to open up a shell on a target computer in turn gives the attacker the ability to run various types of harmful programs. The two most commonly known categories of malicious programs are worms and viruses. Although worms are often also referred to as viruses, it would be appropriate to mention at this point the difference between these two types.
• Worms These are programs that can run independently. A worm can propagate a full working version of itself to other machines. The term tries to draw an analogy of these programs with parasites which live inside a host and use its resources for their existence. The concept of a worm program that spreads itself among machines was first mentioned in the classic science fiction named "The Shockwave Rider" by John Brunner in 1975. Thereafter researchers at Xerox PARC reported their experiments on worm programs in an article in the Communications of the ACM.
Interestingly, the initial worm programs were designed to do "good" work in a distributed way, and not to break systems. However, as of now, worms are used only as a special category of harmful programs.
Cryptography and Network Security 536
• Viruses These programs, on the other hand, cannot run independently. They require the host program to run and activate them. These are analogous to biological viruses, which are not alive themselves, but infect and corrupt host cells. The first time the word VIRUS was used to indicate a computer program was by David Gerrold in a science fiction named "When Harlie Was One". The first formal use of the term was made by Fred Cohen around 1983. He defined a computer virus to be a program that can "infect" other programs by modifying them to include a copy of itself.
Some other types of malicious programs are logic bombs, Trojans, spywares and adwares.
• Logic Bombs A logic bomb is a malicious program which typically has two parts: payload and trigger. The payload typically is a malicious piece of code, and the trigger is usually a Boolean condition that triggers the malicious code when the condition is satisfied. The trigger is usually developed based on conditions like date.
Logic bombs are inserted stealthily into a big program. They often have an objective of causing financial harm. Thus, the logic bomb creates a violation of security when some external events occur.
Historically, there are several examples of such codes. Recently, a person fired from his job planted a logic bomb in the system such that it would be fired on a particular date after he left the company. The planted bomb would delete all the files in the system. The man was ultimately detained in jail for several years for this misdoing. Such examples of logic bombs which fire on a particular time or date, say April 1, are known as time bombs.
Once, a program was posted in the USENET news network to make system administration easy. In the program, which was to be compiled and run with root privilege, there were, dangerously, lines to change to the root directory and remove all files.
• Trojans Trojans are malicious programs that perform some harmless activities in addition to some malicious activities. A Trojan horse is a program with some known or documented effect and some undocumented or unexpected effects.
A classic example is password grabbing programs. A fake login prompt asks the user to enter the password. The program then obtains the password and displays an error message showing incorrect password. Then the actual login prompt is displayed, thus making the user believe that he typed in the password incorrectly. Now he enters the system with the correct password, but meanwhile he has given away his password.
A propagating Trojan horse or a replicating Trojan horse is an example of a Trojan horse which can create a copy of itself. One of the earliest examples, called the animal, was an example of a Trojan which would create an extra copy of itself.
• Spyware Spyware is software that is used to collect information from a computer and transmit it to another computer. The information which the spyware exports to the other system could be of the same type as done by viruses, but the essential difference is that spywares do not replicate. They are also different from Trojans, in the fact that the spywares do not deceive the user but do their malice passively. Spywares often get downloaded when we are viewing some web page, the phenomenon being called drive-by download. Examples of information gathered include the following:
Passwords A key logger is often used to retrieve the information typed in as password by the user during login. Use of a virtual keyboard can often be a way to subvert the actions of these key loggers, which use the key strokes to ascertain the content of the typed message.
Credit Card Numbers and Bank Secrets These are special subjects of spywares for their financial benefits.
... in the /etc/passwd file. Apart from cryptanalysis, the only way of breaking the UNIX password security is to do a brute force search or a dictionary attack. A dictionary attack is launched by the adversary by recording possible passwords chosen from, say, English words and numbers in a file. Then they are encrypted by the UNIX crypt function and verified with the /etc/passwd file for any matches.
... spreading are called email worms.
3.2 Viruses
The number of computer viruses is on the rise. Literature says that a computer connected to the Internet may experience an attack every 39 seconds. The art of building viruses has evolved. As told above, viruses are malicious programs that can copy themselves and infect a computer without the permission or knowledge of the user, using new vulnerabilities in systems. A computer virus has three parts:
• Infection Mechanism/Vector This part involves how a virus spreads. The exact means through which the virus spreads is by modifying other code to contain a copy of the virus, commonly known as the infection vector of the virus.
• Payload This part details what the virus does besides spreading. The payload may create accidental or intentional damage. Accidental damage may result from unknown systems, bugs in the virus code, etc.
• Trigger The payload is triggered on some conditions.
The parts "payload" and "trigger" are optional according to the definition of a virus. By definition, a virus has to infect. A logic bomb is a term attributed to a program which has the trigger and the payload, but is devoid of the infection step.
A pseudocode for the virus is as shown below:
    infect();          /* always present: copy the virus into other code */
    if (trigger())     /* optional: test the activation condition */
        payload();     /* optional: carry out the damage */
LO4 INTRUSION DETECTION SYSTEMS (IDS)
Intrusion Detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of violations of computer security policies, acceptable use policies, or standard security practices. Intrusion Prevention is the process of detecting the signs of intrusion and attempting to stop the intrusive efforts. Collectively the system is known as Intrusion Detection and Prevention System (IDPS). IDPS have become a necessary addition to the security infrastructure of nearly every organization.
Intruders can be broadly divided into three different types.
• Masquerader They are typically outsiders from the trusted users and are not authorized to use the computer systems. These intruders penetrate the system protection by way of legitimate user accounts.
• Misfeasor They are typically insiders and legitimate users who access resources that they are not
• Documenting the Existing Threat to an Organization They maintain logs about the threats that they detect.
• Deterring Individuals from Violating Security Policies The fact that the users are monitored by IDS makes them less likely to commit violations.
• Preventive Actions of the IPS The IDS uses several response techniques to prevent the attempts to perform security attacks on the systems. Some of the ways in which this can be achieved are by terminating the network connection or user sessions that are being used in the attack, or blocking access to the target from the offending accounts or IPs. The preventive step could be a drastic measure like blocking all accesses to the target host.
Other important functions of the IPS involve the following:
• The IDS can Change the Security Environment The IDS changes the security environment to stop an attack. This could include reconfiguration of the network firewalls, or application of patches onto the host computers which are suspected to have vulnerabilities.
• The IDS can Change the Content of the Attack The IDS often acts like a proxy which does normalization. That means they unpackage the payloads of the request and remove the headers. This step nullifies certain attacks. They often remove malicious attachments from incoming files and pass the cleaned email to the recipient.
4.3 False Positives and Negatives
IDPS technology adopts statistical methods to comprehend the threats to the system. Thus, this has an accompanying attribute of false positives and negatives. They arise because of the fact that the IDPS cannot provide complete and accurate detection. The false alarms are defined as follows:
• False Positive When the IDPS incorrectly identifies a benign (harmless) activity as malicious, a false positive is said to have occurred.
• False Negative When the IDPS fails to identify a malicious activity, a false negative is said to have occurred.
It is not possible to eliminate both false positives and negatives, as reducing one of the errors has the consequence of increasing the other. It is intuitive that organizations prefer to reduce the false negatives at the cost of an increased false positive rate. Thus more malicious events are detected. However, extra work needs to be done to be sure (or surer) that they are really malicious. Altering the configurations of an IDPS to improve the detection accuracies is technically known as tuning of the IDPS.
Malicious activities adopt several evasive techniques to bypass the IDPS. For example, the attack can encompass changing the encoding of characters, hoping that while the target will be able to understand the encoding, the IDPS will not. Thus the IDPS needs to take measures to compensate for these evasive techniques. The rule of thumb is that if the IDPS is capable of seeing the activity the same way as the target, then most of the evasive techniques will fail.
• Signature Based Detection A signature is a pattern that corresponds to a known threat. Signature based detection is the process of comparing the signature, which signifies a known threat, against the events observed. Examples of signatures could be a telnet attempt with root as the username. Or, an email with a subject name such as "Free xyz" or an attachment "picture.jpg" are other examples of signatures of malicious events.
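The three signatures just listed turned into a small matcher, as an added example that is not part of the chapter; the event layout, the flag names and the constructed sample events are assumptions:

```c
#include <string.h>

/* Added example, not from the chapter: a minimal signature matcher run over
 * constructed events, using the three signatures the text lists (a telnet
 * login as root, a mail subject containing "Free xyz", an attachment named
 * "picture.jpg"). The event layout and flag names are hypothetical. */

enum { EV_LOGIN, EV_MAIL };

struct event {
    int kind;                 /* EV_LOGIN or EV_MAIL */
    const char *service;      /* login: "telnet", "ssh", ... */
    const char *username;     /* login: account name attempted */
    const char *subject;      /* mail: Subject header */
    const char *attachment;   /* mail: attachment file name, or NULL */
};

/* Flags returned by match_signatures; several may be set at once. */
#define SIG_TELNET_ROOT  0x1
#define SIG_FREE_SUBJECT 0x2
#define SIG_BAD_ATTACH   0x4

static int str_eq(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Compare one observed event against every known signature and return the
 * set of matches; 0 means the event looks benign to this detector. */
int match_signatures(const struct event *e)
{
    int hits = 0;
    if (e->kind == EV_LOGIN && str_eq(e->service, "telnet") &&
        str_eq(e->username, "root"))
        hits |= SIG_TELNET_ROOT;
    if (e->kind == EV_MAIL) {
        /* substring test: a decorated "Re: Free xyz !!!" still matches, at
         * the cost of more false positives, the trade-off discussed above */
        if (e->subject != NULL && strstr(e->subject, "Free xyz") != NULL)
            hits |= SIG_FREE_SUBJECT;
        if (str_eq(e->attachment, "picture.jpg"))
            hits |= SIG_BAD_ATTACH;
    }
    return hits;
}

/* Constructed sample traffic: two login attempts and two mails. */
static const struct event sample[] = {
    { EV_LOGIN, "telnet", "root", NULL, NULL },                      /* hit */
    { EV_LOGIN, "ssh",    "root", NULL, NULL },                      /* miss: the signature names telnet only */
    { EV_MAIL,  NULL, NULL, "Re: Free xyz inside", "picture.jpg" },  /* two hits */
    { EV_MAIL,  NULL, NULL, "Weekly report", "report.pdf" },         /* miss */
};

/* Return the signature flags raised by sample event i (0..3). */
int sample_hits(int i)
{
    return match_signatures(&sample[i]);
}

/* Run the detector over the whole sample and count the events that alert. */
int count_alerts(void)
{
    int i, alerts = 0;
    for (i = 0; i < (int)(sizeof sample / sizeof sample[0]); i++)
        if (match_signatures(&sample[i]) != 0)
            alerts++;
    return alerts;
}
```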
... of allowable data flow. These rules specify the allowable data flow and also the direction of data flow, i.e. internal to external network or vice versa.
The following factors allow or deny the data flow through the packet filters:
1. The physical network interface (network adaptor) that the packet arrives on.
2. The address the data is coming from.
3. The address the data is going to.
4. The type of transport layer, TCP, UDP.
5. The transport layer source port.
6. The transport layer destination port.
Packet filters generally do not understand the application layer protocols used in the communication packets. The rules are instead kept in the TCP/IP kernel and applied to any packet. The actions taken may be either deny or permit the packet. For a network packet to be routed to its destination, it has to match with a permit list rule maintained in the kernel. If a packet matches with a deny rule, then it is dropped. However, if a packet does not match with either an allow rule or a deny rule, then also it is dropped. There are some packet filters which allow packets if they do not match with a deny rule.
Commands in packet filters check the source and destination port numbers on the TCP and UDP transport layer protocols. The combinations of ports and protocols which are to be allowed are mentioned in the allow list.
Because packet filters work in the network layer, they are unable to process protocols with state. The packet filters also do not inspect the application layer data in the packets. This makes these filters the least secure. However they are the fastest firewall technologies and often a part of the IP routers. The packet filters often do network address translation so that the topology of the network and the addressing scheme of the network are hidden from the untrusted or external network.
The advantages and disadvantages of the packet filter firewalls are summarized below:
• Advantages
1. Packet filters are faster than other techniques.
2. Less complicated, in the sense that a single rule controls deny or allow of packets.
3. They do not require client computers to be configured specially.
4. They shield the internal IP address from the external world.
• Disadvantages
1. Packet filters do not understand application layer protocols and hence cannot restrict access to FTP services, such as PUT and GET commands.
2. They are stateless, and hence not suitable for application layer protocols.
3. Packet filters have almost no audit event generation and alerting mechanisms.
Next we present an example of a cheap packet filter. This example is written specifically for ipfwadm, which is a kernel based tool on Linux. The principles (and even some of the syntax) can be applied to other kernel interfaces for packet filtering on open source Unix systems.
There are four basic categories covered by the ipfwadm rules:
-A Packet accounting
-I Input firewall
-O Output firewall
-F Forwarding firewall
ipfwadm also has masquerading (-M) capabilities. For more information on the switches and options, see the ipfwadm manual page.
Imagine that the organization uses the private network 192.168.1.0. The Internet Service Provider has assigned the address 201.123.102.32 as the gateway and 201.123.102.33 as the mail server. The policies of the organization are as follows:
To allow all outgoing TCP connections
To allow incoming SMTP and DNS to the external mail server
To block all other traffic
The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).
    ipfwadm -F -f
    ipfwadm -F -p deny
    ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
    ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
    ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
    ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
    /sbin/route add -host 201.123.102.33 gw 192.168.1.2
The lines can be explained as follows: the first line flushes (-f) all forwarding (-F) rules. The second line sets the default policy (-p) to deny, while lines three to five are input rules (-i) in the following format:
    ipfwadm -F (forward) -i (input) m (masq.) -b (bi-directional) -P (protocol) [protocol] -S (source) [subnet/mask] [originating ports] -D (destination) [subnet/mask] [port]
The sixth line appends (-a) a rule that permits all internal IP addresses output to all external addresses on all protocols, all ports. The seventh line adds a route so that the traffic going to 201.123.102.33 will be directed to the internal address 192.168.1.2.
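The forwarding policy above as a first-match rule table, as an added example that models the semantics and is not ipfwadm's own code; the structure and function names are hypothetical, and the -W eth0 interface match of the sixth line is not modelled:

```c
#include <stdint.h>

/* Added example, not part of the chapter and not ipfwadm itself: a
 * first-match evaluator that models the forwarding policy above (default
 * deny, bidirectional rules to the mail server, unrestricted output from
 * 192.168.1.0/24). Structure and function names are hypothetical. */

enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { DENY = 0, ACCEPT = 1 };

struct rule {
    int proto;                   /* PROTO_ANY matches every protocol */
    uint32_t src, smask;         /* -S network/mask (host byte order) */
    uint16_t slo, shi;           /* -S port range */
    uint32_t dst, dmask;         /* -D network/mask */
    uint16_t dlo, dhi;           /* -D port range */
    int bidir;                   /* -b: also match with the two ends swapped */
    int action;
};

struct pkt { int proto; uint32_t src, dst; uint16_t sport, dport; };

uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

static int one_way(const struct rule *r, int proto, uint32_t s, uint16_t sp,
                   uint32_t d, uint16_t dp)
{
    return (r->proto == PROTO_ANY || r->proto == proto) &&
           (s & r->smask) == (r->src & r->smask) && sp >= r->slo && sp <= r->shi &&
           (d & r->dmask) == (r->dst & r->dmask) && dp >= r->dlo && dp <= r->dhi;
}

/* Walk the rules in order; the first match decides. A packet matching no
 * rule gets the default policy, DENY, as set by "ipfwadm -F -p deny". */
int filter(const struct rule *rules, int n, const struct pkt *p)
{
    int i;
    for (i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (one_way(r, p->proto, p->src, p->sport, p->dst, p->dport) ||
            (r->bidir && one_way(r, p->proto, p->dst, p->dport, p->src, p->sport)))
            return r->action;
    }
    return DENY;
}

/* The chapter's rule set, one entry per ipfwadm line. Returns the count. */
int load_policy(struct rule *out)
{
    uint32_t mail = ip4(201, 123, 102, 33), lan = ip4(192, 168, 1, 0);
    uint32_t host = 0xFFFFFFFFu, c24 = 0xFFFFFF00u;
    struct rule t[4] = {
        { PROTO_TCP, 0, 0, 1024, 65535, mail, host, 25, 25, 1, ACCEPT }, /* SMTP in */
        { PROTO_TCP, 0, 0, 1024, 65535, mail, host, 53, 53, 1, ACCEPT }, /* DNS/tcp */
        { PROTO_UDP, 0, 0, 1024, 65535, mail, host, 53, 53, 1, ACCEPT }, /* DNS/udp */
        { PROTO_ANY, lan, c24, 0, 65535, 0, 0, 0, 65535, 0, ACCEPT },    /* LAN out */
    };
    int i;
    for (i = 0; i < 4; i++)
        out[i] = t[i];
    return 4;
}

/* Decide one packet against the loaded policy: ACCEPT or DENY. */
int decide(int proto, uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    struct rule r[4];
    struct pkt p = { proto, src, dst, sport, dport };
    return filter(r, load_policy(r), &p);
}
```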
In the next section we present the working principle of circuit level firewalls, which are second generation
firewalls.
• Advantages
1. They are faster than application layer firewalls.
2. They are more secure than packet filter firewalls.
3. They maintain limited state information of the protocols.
4. They protect against spoofing of packets.
5. They shield internal IP addresses from external networks by network address translation.
• Disadvantages
1. They cannot restrict access to protocol subsets other than TCP.
2. They have limited audit event generation capabilities.
3. They cannot perform security checks on higher level protocols.
... the protocol definitions. They also perform auditing, user authentication and caching, services which were not performed by the packet filters or the circuit level firewalls.
On the other hand, once the packet from the real client is allowed by the proxy server, the packet is handed to a proxy client which contacts the actual server providing the service. The proxy client subsequently sends the information sent by the actual server to the proxy server, which decides whether to send the information to the actual client. Thus the proxy service is transparent to a user, who believes that he is communicating directly with the service on the Internet. However, the proxy services are implemented on top of the firewall host's network stack and operate only in the application layer of the operating system. Hence each packet must pass through the low level protocols in the kernel before being passed to the top of the stack, to the application layer, for a thorough analysis by the proxy services. Then the packet must travel back down the stack and then be distributed by the low level protocols in the kernel. Hence the application layer protocols are very slow.
The advantages and disadvantages of the application layer firewalls are summarized below:
• Advantages
1. They enforce and understand high level protocols, like HTTP and FTP.
2. They maintain information about the communication passing through the firewall server: partial communication derived state information, full application derived state information, and partial session information.
3. They can be used to deny access to certain network services, while allowing others.
4. They are capable of processing and manipulating packet data.
5. They do not allow direct communication between external servers and internal systems, thus shielding internal IP addresses from the outside network.
6. They are transparent between the user and the external network.
7. They provide features like HTTP object caching, URL filtering, and user authentication.
8. They are good at generating auditing records, allowing administrators to monitor threats to the firewall.
• Disadvantages
1. They require replacing the native network stack on the firewall server.
2. They do not allow network servers to run on the firewall servers, as the proxy servers use the same port to listen.
3. They are slow and thus lead to degradation in performance.
4. They are not scalable, as each new network service adds to the number of proxy services required.
5. Proxy services require modifications to client procedures.
6. They rely on operating system support and thus are vulnerable to bugs in the system. Thus bugs in NDIS, TCP/IP, WinSock, Win32 or the standard C library can cause security concerns in the security provided by the application layer firewalls.
Dynamic packet filter firewalls are fourth generation firewalls that allow modifications of the security rules on the fly. This technology is most suitable for providing limited support for the UDP transport protocol. This firewall associates all UDP packets that cross from the internal network to the external network, or vice versa, with a virtual connection. If a response packet is generated and sent back to the original requester, then a virtual connection is established and the packet is allowed to pass the firewall server. The information corresponding to a virtual connection is remembered for a small unit of time. If no response packet is received within this time frame, then the virtual connection is invalidated. The response packet that is allowed back
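The UDP virtual connection table described above as a small model, added here as an example that is not part of the chapter; the function names, the table layout and the 30 second window are assumptions:

```c
#include <stdint.h>
#include <string.h>

/* Added example, not part of the chapter: a model of the UDP virtual
 * connection table described above. Outbound UDP creates an entry; inbound
 * UDP passes only if it reverses a live entry; an entry that sees no reply
 * within CONN_TTL seconds is invalidated. Names and window are assumptions. */

#define MAX_CONN 16
#define CONN_TTL 30L   /* seconds an entry is remembered */

struct vconn {
    int used;
    uint32_t in_addr, ext_addr;   /* internal host, external host */
    uint16_t in_port, ext_port;
    long expires;                 /* absolute time (s) after which it is stale */
};
struct vtable { struct vconn c[MAX_CONN]; };

static struct vconn *find_live(struct vtable *t, long now, uint32_t ia,
                               uint16_t ip, uint32_t ea, uint16_t ep)
{
    int i;
    for (i = 0; i < MAX_CONN; i++) {
        struct vconn *c = &t->c[i];
        if (c->used && now <= c->expires && c->in_addr == ia &&
            c->in_port == ip && c->ext_addr == ea && c->ext_port == ep)
            return c;
    }
    return NULL;
}

/* Internal host sends outward: forwarded, and an entry is created or
 * refreshed. Returns 0 (packet dropped) only when every slot is live. */
int udp_outbound(struct vtable *t, long now, uint32_t src, uint16_t sport,
                 uint32_t dst, uint16_t dport)
{
    struct vconn *c = find_live(t, now, src, sport, dst, dport);
    int i;
    for (i = 0; c == NULL && i < MAX_CONN; i++)
        if (!t->c[i].used || now > t->c[i].expires) {   /* free or stale slot */
            c = &t->c[i]; c->used = 1;
            c->in_addr = src; c->in_port = sport; c->ext_addr = dst; c->ext_port = dport;
        }
    if (c == NULL)
        return 0;
    c->expires = now + CONN_TTL;
    return 1;
}

/* External host sends inward: forwarded only when it answers a live entry (the
 * reply "sent back to the original requester"); unsolicited or late packets are
 * dropped. A forwarded reply refreshes the entry. Returns 1 if allowed, else 0. */
int udp_inbound(struct vtable *t, long now, uint32_t src, uint16_t sport,
                uint32_t dst, uint16_t dport)
{
    struct vconn *c = find_live(t, now, dst, dport, src, sport);
    if (c == NULL)
        return 0;
    c->expires = now + CONN_TTL;
    return 1;
}

/* Constructed scenario: DNS query out at t=0, reply at t=5, an unsolicited
 * probe at t=6, then a reply after the window. One result bit per packet. */
int scenario(void)
{
    struct vtable t;
    uint32_t lan = 0xC0A80105u, ns = 0x08080808u, probe = 0xCB007101u;
    int r;
    memset(&t, 0, sizeof t);
    r  = udp_outbound(&t, 0, lan, 40000, ns, 53);                     /* 1 */
    r |= udp_inbound(&t, 5, ns, 53, lan, 40000) << 1;                 /* 1 */
    r |= udp_inbound(&t, 6, probe, 1234, lan, 40000) << 2;            /* 0 */
    r |= udp_inbound(&t, 5 + CONN_TTL + 1, ns, 53, lan, 40000) << 3;  /* 0 */
    return r;   /* 3 */
}
```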