Security 1 System Network Security PDF

Security of Information System
Operating Systems, Database and Program

Security
UCSC 1
All rights reserved. No part of this material may be reproduced and sold.
kasun@cmb.ac.lk
Operating systems, database and program
security:
•Identify the security features of ordinary and trusted
operating system
•Evaluate the operating system security
UCSC 2
kasun@cmb.ac.lk
•Understand the security requirement of databases
•Describe the types of computer virus and protection
methods
Security
4.1 Operating Systems Security
UCSC 3
kasun@cmb.ac.lk
• Security Policies
• Models of Security
• Security Features of Ordinary
Operating
• System
Security Features of Trusted Operating
System
Computer System Components
UCSC 4
kasun@cmb.ac.lk
• Hardware
– Provides basic computing resources (CPU, memory, I/O
devices).
• Operating system
– Controls and coordinates the use of the hardware among
the various application programs.
• Applications programs
– Define the ways in which the system resources are used to
solve the computing problems of the users.
• Users
UCSC 5
kasun@cmb.ac.lk
– E.g., people, machines, other computers.
UCSC 6
kasun@cmb.ac.lk
Operating System
Operating systems provide the fundamental
mechanisms for securing computer processing. Since
the 1960s, operating systems designers have explored
how to build “secure” operating systems —operating
systems whose mechanisms protect the system
against a motivated adversary. Recently, the
importance of ensuring such security has become a
mainstream issue for all operating systems.
UCSC
kasun@cmb.ac.lk
What Security Goals Does
Operating System Provide?
• Goal 1: enabling multiple users securely
share a computer
– Separation and sharing of processes, memory,
files, devices, etc.
• How to achieve it?
– memory protection
UCSC 8
kasun@cmb.ac.lk
– processor modes
– authentication
– file access control
What Security Goals Does
Operating System Provide?
• Goal 2: ensure secure operation in
networked environment
• How to achieve it?
UCSC 9
kasun@cmb.ac.lk
– Authentication – Access Control
– Logging & Auditing
– Intrusion Detection
– Recovery
Memory Protection: access
control to memory
• Ensures that one user’s process cannot
access other’s memory
UCSC 10
kasun@cmb.ac.lk
– fence
– relocation
– base/bounds register
– segmentation
– paging
– …
• Operating system and user processes need to
have different privileges
UCSC 11
kasun@cmb.ac.lk
CPU Modes (a.k.a. processor
modes or privilege
• System mode (privileged mode, master mode, kernel mode)
– can execute any instruction and access any memory locations, e.g.,
accessing hardware devices, enabling and disabling interrupts,
changing privileged processor state, accessing memory
management units, modifying registers for various descriptor tables
.
• User mode
– access to memory is limited, cannot execute some instructions
UCSC 12
kasun@cmb.ac.lk
• Transition from user mode to system mode must be done
through well defined call gates (system calls)
Reading: http://en.wikipedia.org/wiki/CPU_modes
Placing Security in Lower Layers
UCSC 13
kasun@cmb.ac.lk
Applications
Services
OS
OS Kernel
Hardware
Two good reasons to place security in lower layers:
1. It may be possible to evaluate security to a higher level of
assurance.
2. Putting security mechanisms into the core of the system reduces
performance overheads caused by security.
UCSC 14
kasun@cmb.ac.lk
Three major tasks
• Operating systems must provide efficient
resource mechanisms,
• Second, it is the operating system’s
responsibility to switch among the processes
fairly
• Third, access to resources should be
controlled, such that one process cannot
UCSC
kasun@cmb.ac.lk
inadvertently or maliciously impact the
execution of another.
Operating System Security
The reference monitor is an abstract concept, the security kernel is its
implementation, and the trusted computing base contains the security
kernel among other protection mechanisms.
Three rules:
1. Keep the security kernel of an operating system as simple as possible.
2. Users must not be able to modify the operating system.
3. Operating system has to prevent users from accidentally or
intentionally accessing other users’ data.
UCSC 16
kasun@cmb.ac.lk
Access Control
An access enforcement mechanism authorizes requests
from multiple subjects (e.g. users, processes, etc.) to
perform operations (e.g., read, write, etc.) on
objects (e.g., files, sockets, etc.).
An operating system provides an access enforcement

mechanism.
Two fundamental concepts of access control:

UCSC
kasun@cmb.ac.lk
• a protection system that defines the access control
specification and
• a reference monitor that is the system’s access
enforcement mechanism that enforces this
specification.
UCSC 18
kasun@cmb.ac.lk
Protection system
A protection system consists of a protection state, which describes the
operations that system subjects can perform on system objects, and a set
of protection state operations, which enable modification of that state.
A protection system enables the definition and management of a
protection state. A protection state consists of the specific system
subjects, the specific system objects, and the operations that those
subjects can perform on those objects.
The access matrix is used to define the protection domain of a process.
UCSC
kasun@cmb.ac.lk
Lanpson's access Matric
Problems with access matrix
Untrusted processes can tamper with the protection system.
A protection system that permits untrusted processes to modify the protection
state is called a discretionary access control (DAC) system.
Mandatory protection system
UCSC
kasun@cmb.ac.lk
A mandatory protection system is a protection system that can only be modified
by trusted administrators via trusted software, consisting of the following state
representations:
A mandatory protection state is a protection state where subjects and objects are
represented by labels where the state describes the operations that subject
labels may take upon object labels;
A labelling state for mapping processes and system resource objects to labels;
A transition state that describes the legal ways that processes and system
resource objects may be relabeled.
Mandatory access control
UCSC
kasun@cmb.ac.lk
A label is simply an abstract identifier—the assignment of permissions to a
label defines its security semantics. Labels are tamperproof .
Trusted administrators define the access matrix’s labels and set the
operations that subjects of particular labels can perform on objects of
particular labels. Such protection systems are mandatory access control
(MAC) systems because the protection system is immutable to untrusted
processes.
UCSC
kasun@cmb.ac.lk
UCSC
kasun@cmb.ac.lk
A Mandatory Protection System: The protection State is
defined in terms of labels and is immutable. The
immutable labeling state and transition state enable the
definition and management of the labels for system
subjects and objects.
A reference monitor is the classical access enforcement mechanism. It takes
a request as input, and returns a binary response Indicating whether the
request is authorized by the reference monitor’s access control policy.
We identify three distinct components of a reference monitor:
(1) its interface -The interface defines where the authorization module
needs to be invoked to perform an authorization query to the protection
state, a labeling query to the labeling state, or a transition query to the
transition state.
UCSC
kasun@cmb.ac.lk
(2) its authorization module-determines the exact queries that are to be
made to the policy store. ;
(3) Its policy store-The policy store responds to authorization, labeling, and
transition queries based on the protection system that it maintains.
UCSC
kasun@cmb.ac.lk
A Reference monitor is a component that authorizes access requests at the
UCSC
kasun@cmb.ac.lk
reference monitor interface defined by individual hooks that invoke the reference
monitor's authorization module to submit an authorization query to the policy store.
The policy store answers authorization queries, labeling queries, and label
transition queries using the corresponding states.
UCSC
kasun@cmb.ac.lk
Microkernel vs. Monolithic System
• Monolithic kernel
– one big kernel provides all services, e.g., file system,
network services, device drivers, etc.
– e.g., Linux 2.6 kernel has about 6 millions of code
• Microkernel
– implement many services as processes
UCSC 28
kasun@cmb.ac.lk
• Difference between kernel mode and processes
running as root (or superuser, administrator)
Microkernel vs. Monolithic System
• Most operating systems are monolithic, that is the whole

operating system is a single a.out file that runs in “kernel
mode”.
• The alternative is a microkernel-based system, in which

most of the OS runs as separate processes, mostly outside the
kernel. They communicate by message passing.
UCSC 29
kasun@cmb.ac.lk
• Reference: The Tanenbaum-Torvalds Debate available at
http://www.oreilly.com/catalog/opensources/book/appa.htm
Security Evaluation
Users of secure systems need some kind of
assurance that the products they use
provide adequate security. They could:
1. Rely on the word of the
manufacturer/service provider?
UCSC 30
kasun@cmb.ac.lk
2. Test the system themselves.
3. Rely on an impartial assessment by
an independent body (evaluation).
Evaluation Criteria
• The Trusted Computer Security Evaluation Criteria (TCSEC,
Orange Book) were the first evaluation criteria to gain wide
acceptance.
• A number of other criteria have since been developed to improve
on the Orange Book and to unify different criteria which have
arisen:
UCSC 31
kasun@cmb.ac.lk
– Information Technology Security Evaluation (ITSEC)
– Canadian Trusted Computer Product Evaluation Criteria
– Federal Criteria
– Common Criteria
Target of the Evaluation

• Evaluation criteria refer to either
– Products
• We have to find an accepted set of generic requirements
(Security classes of Orange Book and the protection profile of
Federal and Common Criteria)
– Systems
UCSC 32
kasun@cmb.ac.lk
• Requirements capture and analysis becomes part of each
individual evaluation (ITSEC).
• Where is the borderline between a security evalution and
the task of security consultant?
Method and Structure of the Evaluation
• Security Evaluation can be product oriented or process
oriented.
• The concepts of Repeatability and Reproducibility
• Three aspects are addressed in an evaluation criteria:
– Functionality: The security features of a system.
– Effectiveness: Are the mechanisms used appropriate for
the given security requirement?
UCSC 33
kasun@cmb.ac.lk
– Assurance: The thoroughness of the evaluation.
Orange Book
• Although the efforts were concentrated in the “national security
in USA”, the document also provides:
– A yardstick for users to assess the degree of trust that can
be placed in a computer security system.
– Guidance for manufacturers of computer security systems
– A basis for specifying security requirements when
acquiring a computer security system.
UCSC 34
kasun@cmb.ac.lk
Classification of OS Security
• D – Minimal Protection
• C1 – Discretionary Security Protection: intended for an environment
where co-operating users process the data at the same level of integrity.
• C2 – Controlled Access Protection: make users individually accountable
for their actions. Most reasonable class for commercial applications.
• B1 – Labelled Security Protection: intended to handle classified data
and enforce mandatory policies. Include thorough security testing.
• B2 – Structured Protection: Increases assurance by adding
requirements to the design. e.g. Covert channel analysis.
• B3 – Security Domains: Highly resistant to penetration.
• A1 – Verified Design: Adds formal model for security policy.
UCSC 35
kasun@cmb.ac.lk
Common Criteria
• Starting in late 90’s, the Common Criteria merges ideas from its
various predecessors. The ultimate goal is an internationally set
of criteria in the form of an ISO standard.
• It separates functional and security requirements from the
intensity of required testing.
• Evaluation assurance levels from 1 to 7.
– EAL1: Tester reads documentation and performs some tests to
confirm documented functionality.
– EAL7: Developer provides formal functional specification and
high-level design, security functions must be simple enough for
formal analysis.
UCSC 36
kasun@cmb.ac.lk
Red Book
Red Book attempts to address network security with the concepts
and terminology of Orange Book.
Q: Are computer networks simply a specific example for computer
systems?
A: We must distinguish two different types of networks:
1. Networks of independent components.
2. Centralised networks (only this one is considered in Red Book).
UCSC 37
kasun@cmb.ac.lk
Trusted Computing (TC)
• The Trusted Computing Group is an alliance of Microsoft, Intel,
IBM, HP and AMD which promotes a standard for a more
secure PC.
– Their definition of security is controversial, though.
• TC provides a computing platform on which you can not tamper
with the application software, and where these applications can
communicate securely with their authors and with each other. –
The original motivation was digital rights management.
There is an excellent FAQ about “Trusted Computing” available at

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
UCSC 38
kasun@cmb.ac.lk
Security Features
• Identification and Authentication
• Object Reuse Protection
– Prevent leaks via reallocation
– Clean before re-use Complete
Mediation
• Mediate all means of access
UCSC 39
kasun@cmb.ac.lk
• File access plus direct memory access if possible
• Mediate on each access, not generally done for files
–
More Security Features
• Trusted Path
– Give end user means to determine they
are really talking with OS
UCSC 40
kasun@cmb.ac.lk
– Secure Attention Key (SAK): key
sequence that cannot be intercepted by
non-OS
• Ctl-Alt-Del in Windows
• Rootkit…
– Or security relevant changes only made during
system boot
UCSC 41
kasun@cmb.ac.lk
More Security Features
• Audit
– Must be able to review and recreate security relevant changes –
Must protect log
• Log growth
– Originally assumed security officer would review directly
– Can by used for backing evidence
• Really want to detect anomalies
– Intrusion detection
UCSC 42
kasun@cmb.ac.lk
Security
4.2 Database Security
UCSC All rights reserved. No part of this material may be reproduced and sold. kasun@cmb.ac.lk
• Security Requirements of Databases
• Reliability and Integrity
• Protection of Sensitive Data
• Inference Problem: Direct and Indirect
• Attacks
Disaster Recovery
34
• Database system security is more than securing the
database
– Secure database
– Secure DBMS
– Secure applications
– Secure operating system in relation to database system
– Secure web server in relation to database system
– Secure network environment in relation to database
system
35
Layered Database Security
Securing Database
– Users, Passwords
• Default users/passwords
– sys, system accounts – privileged, change default passwords – scott
account – well-known account and password, change it
- general password policies (length,

domain, changing, protection)
– Privileges, Roles, Grant/Revoke
• Privileges
– System - actions
– Objects – data
• Roles (pre-defined and user-defined role)
– Collections of system privileges (example: DBA role)
• Grant / Revoke
– Giving (removing ) privileges or roles to (from) users
37
Confidentiality and Integrity Combined
Processing of Encrypted Files in Database
Management Systems (DBMS)
* searching
* upd
a
tes
Protection of Key and MAC
Access Control – Principles
Access Control – Files and Directories
UCSC Control – Files and Directories
AccessAll rights reserved. No part of this material may be reproduced and sold. kasun@cmb.ac.lk
Fundamental Model of Access Control
Subjects Access Reference Objects

requests monitor
Read File A
Authorization Schemes
Identity – based Access Control
O1 O2 O3 O4 O5 O6
S1 r, w
S2 x, d
S3
S4
S5 l, c
S6
UCSC 68
kasun@cmb.ac.lk
Role – based Access Control
UCSC 69
kasun@cmb.ac.lk
Role – based Access Control
UCSC 71
kasun@cmb.ac.lk
LECTURER grant all privileges on
EMPLOYEES to role LECTURER;
grant LECTURER to
USER1;
DBA
candidates
employees
hrdata schema
Role – based Dynamic Access Control
UCSC 74
kasun@cmb.ac.lk
Attribute Certificates (AC)
• PKCs may include life/long lasting attributes.

– if the attribute doesn’t expire before the related PKC,
then the attribute may be included in the PKC.
• ACs should be used for short lasting attributes:

– if the attribute expires before the related PKC, then
the attribute should placed in an AC.
UCSC 75
kasun@cmb.ac.lk
Difference between PKC and AC
PKC is passport and AC is visa

Public Key Certificate (PKC)Attribute Certificate (AC)
UCSC 76
kasun@cmb.ac.lk
and attributes
UCSC 77
kasun@cmb.ac.lk
• AA Attribute Authority (also called AC
Issuer)
– An authority trusted by one or more users to create
and sign attribute certificate. It is important to note
that the AA is responsible for the attribute
certificates during their whole lifetime, not just for
issuing them.
UCSC 78
kasun@cmb.ac.lk
• AA can be any entity in the network having
objects in its control.
Example: SQL Injection Attack through Web Application

– Application tracks own usernames and passwords in database –
Client accepts username and password, passes as parameters –
Application Java code contains SQL statement:
• String query = "SELECT * FROM users_table " +
• " WHERE username = " + " ‘ " + username + " ‘ " +
UCSC 79
kasun@cmb.ac.lk
• " AND password = " + " ‘ " + password + " ‘ " ;
– Expecting one row to be returned if success, no rows if failure
– Attacker enters any username, password of: Aa ‘ OR ‘ ‘ = ‘
– Query becomes: SELECT * FROM users_table WHERE
username = ‘anyname‘ AND password = ‘Aa‘ OR ‘ ‘ = ‘ ‘; //
F or T => T
– All user rows returned to application
– If application checking for 0 vs. more than 0 rows, attacker is in
UCSC 80
kasun@cmb.ac.lk
Data Inference
Data Dependency
Avg(A1,A2,A3)*3=16=A1+A2+A3
Avg(A2,A3)*2=11=A2+A3
For example, suppose that an attacker wishes to find
out the salary of A1. He can do this by asking for the
average salaries of A1, A2 and A3 and of A2, A3.
Individual Salary – High Classification
Average Salary – Low Classification
Small Query Window
Additions
UCSC to NoSmall
All rights reserved. Query
part of this material Window
may be reproduced and sold. kasun@cmb.ac.lk
To avoid disasters:
• Back-up files
• Store backups securely:
– off-site, locked
• Twin sites for computer equipment
• Insure with a disaster recovery firm - loan of
equipped premises
• Disaster Recovery plan essential
UCSC
kasun@cmb.ac.lk
– Prioritise programs to be up & running first –
Notification to staff of procedure
– Test the planning (like fire practice)!
Preventing your own disasters
• no eating or drinking near the computer •
no extremes of environment (heat, smoke)
• clean & lock your computer!
• backup hard disk files and floppy disks
UCSC
kasun@cmb.ac.lk
• store backups safely
• write protect disks
Why backup?
• disks don’t last forever
• liquids + disks = disaster
• magnetic fields damage disks
UCSC
kasun@cmb.ac.lk
• files are damaged if a power failure happens
during saving or loading
• accidental deletion by YOU!
• network crashes
UCSC
kasun@cmb.ac.lk
Disaster Recovery Plans
• Single system or device failures - Includes a network
device, disk, motherboard, network interface card, or
component failure.
• Data center events - Provides procedures for a major event
within a data center.
• Site events - Identifies the critical capabilities that need to
be restored.
UCSC 98
kasun@cmb.ac.lk
• Testing the DRP - Identifies key employees and performs
walkthroughs of the plan periodically.
Backup Policy
• Frequency of backups - Identifies how often
backups actually occur.
• Storage of backups - Defines how to store backups
in a secure location. It also states the mechanism
for requesting and restoring backups.
UCSC 99
kasun@cmb.ac.lk
• Information to be backed up - Identifies which
data needs to be backed up more frequently.
Security
4.3 Program Security
•Kinds of Malicious Code
UCSC 100
kasun@cmb.ac.lk
•How Viruses Attach and Gain Control
•Homes for Viruses
•Virus Signatures
•Preventing Virus Infection
•Trapdoors
•Convert Channels
•Control Against Program Threats
•Java mobile codes
UCSC 101
kasun@cmb.ac.lk
◆Malicious code often masquerades as good
software or attaches itself to good software
◆Some malicious programs need host
programs
• Trojan horses, logic bombs, viruses
◆Others can exist and propagate independently
• Worms, automated viruses
UCSC 102
kasun@cmb.ac.lk
◆There are many infection
vectors and propagation
mechanisms
UCSC 103
kasun@cmb.ac.lk
UCSC 104
kasun@cmb.ac.lk
◆A trojan horse is malicious code hidden in an
apparently useful host program
◆When the host program is executed, trojan
does something harmful or unwanted
◆Trojans do not replicate
UCSC 105
kasun@cmb.ac.lk
• This is the main difference from worms and
viruses
◆program which secretly takes over another

networked computer
UCSC 106
kasun@cmb.ac.lk
◆then uses it to indirectly launch
attacks
◆often used to launch distributed
denial of service (DDoS) attacks
◆exploits known flaws in network
systems
UCSC 107
kasun@cmb.ac.lk
What is a computer virus?
• A program that reproduces itself • Affects
software, not the actual machine
• Many different types:
– file:
– macro:
– boot or partition, etc.
• May lie dormant
UCSC
kasun@cmb.ac.lk
• Can strike at any time
◆Virus propagates by infecting other programs

• Automatically creates copies of itself, but to propagate, a
human has to run an infected program
– Self-propagating malicious programs are usually called
worms
◆Viruses employ many propagation methods
UCSC
kasun@cmb.ac.lk
• Insert a copy into every executable (.COM, .EXE) • Insert
a copy into boot sectors of disks
– “Stoned” virus infected PCs booted from infected
floppies, stayed in memory and infected every floppy
inserted into PC
• Infect TSR (terminate-and-stay-resident) routines
– By infecting a common OS routine, a virus can always
stay in memory and infect all disks, executables, etc.76
What do viruses do?

• Non-destructive viruses
UCSC
kasun@cmb.ac.lk
– Print unexpected message, make a sound –
Examples: Peace, Red Cross, Bubbleboy
• Destructive viruses
– Destroy data and files
– Examples: Michelangelo, Dark Avenger, Joshi,
Stealth (makes hard disk inoperable) etc.
• Millions of viruses and hundreds of
different effects
• Non-destructive viruses still waste time
UCSC
kasun@cmb.ac.lk
Protection against viruses
• Few computer systems are totally secure
• Buy from a reputable computer dealers
• Buy "shrink-wrapped" software
• Always suspect any other software
• Make executables read only
• Write protect diskettes
• Careful with internet & email files
UCSC
kasun@cmb.ac.lk
• Use scanning software (anti-virus) to check for
viruses
If you find a virus
• DON’T PANIC
• Work systematically. DON’T RUSH
• Tell system manager - IT Services • Clean
up
– Disinfect and Retrieve clean files
UCSC
kasun@cmb.ac.lk
– Destroy disk
– Ask for help if you are not sure!
UCSC
kasun@cmb.ac.lk
◆A cryptovirus is a virus embedding and using a
public-key (http://www.cryptovirology.com/)
First Technique
◆ Use the private key to encrypt the payload
Second Technique
◆ Use a symmetric key to encrypt payload
◆ Use the private key to encrypt the symmetric key replicating
but not infecting program typically spreads over a network
– cf Morris Internet Worm in 1988, led to creation of CERTs
• using users distributed privileges or by exploiting system

vulnerabilities
• widely used by hackers to create zombie PC's, subsequently
used for further attacks, esp DoS
UCSC 116
kasun@cmb.ac.lk
• major issue is lack of security of permanently connected
systems, esp PC's
81
Virus (and Worm) Phases
1. Dormant
2. Propagation
* search for other systems to infect
* establish connection to target remote system
* replicate self onto
remote system
1. Trigger
2. Execute
Anti-Virus Technologies
◆ Simple anti-virus scanners
• Look for signatures (fragments of known viruses)
• Heuristics for recognizing code associated with viruses
– For example, polymorphic viruses often use decryption loops
UCSC 118
kasun@cmb.ac.lk
• Integrity checking to find modified files
– Record file sizes, checksums, MACs (keyed hashes of
contents)
◆ Generic decryption and emulation scanners
• Goal: detect polymorphic viruses with known body
• Emulate CPU execution for a few hundred instructions,
virus will eventually decrypt, can recognize known body
– Does not work very well against metamorphic viruses and
viruses not located near beginning of infected executable83
Possible Counter Measures
◆ Update all softwares like operating system, drivers all softwares
that use the internet and update anti virus and anti spyware
◆ Install inbound and outbound firewall
◆Encrypt important data
◆Backup the data regularly
◆ Install third party registry editor, traffic monitoring software
◆ Disable autorun feature
UCSC 120
kasun@cmb.ac.lk
◆ Hope antivirus vendors find a cure for it in near future
◆Use open source software and operating
systems
Applets
• An applet is a typically small program embedded in
another application, generally a Web browser that
provides a JVM.
• An applet’s host program provides an applet context
in which the applet executes.
• An applet is generally launched from an HTML
document with an APPLET tag that specifies the
UCSC 122
kasun@cmb.ac.lk
URL for the applet bytecodes
Applet security
• Applets typically execute under a strict
security manager that prevents an applet
from
– Accessing the local disk to read, write, delete,
or execute files.
UCSC 123
kasun@cmb.ac.lk
– Loading nonstandard libraries.
– Opening connections to arbitrary hosts.
Applet security
• The tight applet security is sometimes
described as sandbox security to suggest
that an applet must “play” within a
UCSC 124
kasun@cmb.ac.lk
confined area from which it must not
venture.
• An applet is allowed to open a socket to
the server from which is downloaded, thus
enabling socket-based communications.
UCSC 125
kasun@cmb.ac.lk
Java Signed Applet:
•Compile the applet

•Create a JAR file •Generate
Keys
•Sign the JAR file
•Export the Public Key Certificate
•Import the Certificate as a Trusted Certificate
UCSC 126
kasun@cmb.ac.lk
•Create the policy file
•Run the applet
Creating a Jar file:
UCSC 127
kasun@cmb.ac.lk
E:\JavaExamples>javac writeFile.java
E:\JavaExamples>jar -cvf writeFile.jar

writeFile.class
UCSC 128
kasun@cmb.ac.lk
added manifest adding: writeFile.class(in =
1747) (out= 984)(deflated 43%)
Signing a Applet:
E:\JavaExamples\SSL>keytool -genkey -alias

kasun -keystore writeFile
E:\JavaExamples\SSL>jarsigner -keystore
writeFile writeFile.jar kasun Enter
Passphrase for keystore: writeFile
UCSC 129
kasun@cmb.ac.lk
E:\JavaExamples\SSL>jarsigner -verify
writeFile.jar jar verified.
Run a Signed Applet:
UCSC 130
kasun@cmb.ac.lk
<applet code="writeFile.class"
archive="writeFile.jar"
width=400 height=400>
UCSC 131
<All rights reserved. No part of this material may be reproduced and sold.
kasun@cmb.ac.lk
/applet>
UCSC 132
kasun@cmb.ac.lk
UCSC 133
kasun@cmb.ac.lk
Security of Information System
Security in Networks and Distributed

Systems
UCSC 134
kasun@cmb.ac.lk
Security in networks and distributed systems:
• Describe the authentication mechanisms and protocols in
open network environment
• Design security polices and network protection systems
to prevent unauthorized access in open network
environment
• Identify the security requirement of the Internet
UCSC 135
kasun@cmb.ac.lk
• Describe the existing security solutions and protocols
• Design new solutions to address the security problems in
open network environment
Systems
5.1 Network Security
•Network Security Issues such as
UCSC 136
kasun@cmb.ac.lk
Impersonation, Message Confidentiality, Message
Integrity, Code Integrity, Denial of Service
•IP Security (IPSec ) protocol and Virtual
Private Networks (VPN)
•Securing wireless (IEEE 802.11) networks
•PKI based Authentication and Kerberos
Authentication
•Biometrics Authentication Mechanisms
•Access Control Mechanisms
•Firewalls
UCSC 137
kasun@cmb.ac.lk
IP Security Overview
• Benefits of IPSec
– Transparent to applications (below transport layer
(TCP, UDP)
– Provide security for individual users
• IPSec can assure that:
– A router or neighbor advertisement comes from an
authorized router
– A redirect message comes from the router to which the
initial packet was sent
UCSC 138
kasun@cmb.ac.lk
– A routing update is not forged
What can IPSEC do for us?
• Authentication
• Integrity
• Access control
• Confidentiality
• Replay protection (Partial)
UCSC 139
kasun@cmb.ac.lk
Types of communications
• Host To Host
• Host To Security Gateway
• Security Gateway To Security Gateway

• Security Gateway = Firewall
• Also refer to as Network (i.e. Network To
Network)
UCSC 140
kasun@cmb.ac.lk
• Host To Host
UCSC 141
kasun@cmb.ac.lk
Host A IPsec (SA) Host B
Other Hosts
UCSC 142
kasun@cmb.ac.lk
UCSC 143
kasun@cmb.ac.lk
Host A Security
IPsec (SA) Gateway
No IPsec OR
Other Hosts NAT ROUTE
Internal
Network
UCSC 144
kasun@cmb.ac.lk
Security Gateway to Security Gateway
UCSC 145
kasun@cmb.ac.lk
Security Security
Gateway IPsec (SA) Gateway
OR
IPC-NAT ROUTE
Internal
Network
Internal
Network
UCSC 146
kasun@cmb.ac.lk
Security Associations (SA)
• A one way relationsship between a

sender and a receiver.
• Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination address
– Security Protocol Identifier
UCSC 147
kasun@cmb.ac.lk
•Stored in the SPD (Security Policy Database)
Security Policy Database (SPD)
Each entry defines a subset of IP traffic and points to an

SA for that traffic: defined using IP and upper layer
protocol field values called selectors.
Outbound traffic processing includes:

•Compare the values of the selector fields against
SPD to find an SPD entry
UCSC 148
kasun@cmb.ac.lk
•Determine the SA for this packet and associated SPI
•Do the required IPSec processing (AH or ESP)
Types of IPSEC Connections
• Transport Mode
• Does not encrypt the entire packet
• Uses original IP Header
• Faster
UCSC 149
kasun@cmb.ac.lk
• Tunnel Mode
• Encrypts entire packet including IP Header (ESP)
• Creates a new IP header
• Slower
Security Associations (SA)
Authenticates IP
AH ESP with payload and selected
authentication portions of IP header
and IPv6 extension
Transport Mode headers
ESP SA
UCSC 150
kasun@cmb.ac.lk
Encrypts IP payload payload but no IP header Encrypts inner IP
and any IPv6 packet. Authenticates
extension header Tunnel Mode inner IP packet.
SA
Encrypts IP payload Authenticates entire inner
and any IPv6 IP packet plus selected
extension header. portions of outer IP header
Authenticates IP Encrypts inner IP packet
UCSC 151
kasun@cmb.ac.lk
UCSC 152
kasun@cmb.ac.lk
Application Layers (5-7) / Data
TCP/UDP Header (Layer 4)
IP Header (Layer 3)
Frame Header (Layer 2)
UCSC 153
kasun@cmb.ac.lk
OR
Frame Hdr IP Hdr TCP/UDP Data
AH (Authentication Header)
• IP Protocol 51
• Provides authentication of
packets
UCSC 154
kasun@cmb.ac.lk
• Does not encrypt the payload
Transport Mode
IP Hdr AH TCP/UDP Data
Tunnel Mode
New IP HdrIP Hdr AH Org. IP Hdr TCP/UDP Data
UCSC 155
kasun@cmb.ac.lk
Transport vs Tunnel Mode ESP
•Transport mode is used to encrypt & optionally

authenticate IP data
•data protected but header left in clear
•can do traffic analysis but is efficient
•good for ESP host to host traffic
•Tunnel mode encrypts entire IP packet
UCSC 156
kasun@cmb.ac.lk
•add new header for next hop
•good for VPNs, gateway to gateway security
ESP (Encapsulating Security Payload)
• IP Protocol 50
• Encrypts the Payload
• Provides Encryption and Authentication
Transport Mode
UCSC 157
kasun@cmb.ac.lk
IP Hdr AH ESP TCP/UDP Data
Tunnel Mode
Org. IP
New IP Hdr AH ESP TCP/UDP Data
Hdr
UCSC 158
kasun@cmb.ac.lk
• Too complicated, many different ways
UCSC 159
kasun@cmb.ac.lk
to configure
• Can be configured insecurely
• Client security is an issue
VPN (Virtual Private Network)
A Virtual Private
Network Carries Private
Traffic Over a Public Network
UCSC 160
kasun@cmb.ac.lk
• Secure communications between two
hosts or networks • IPsec is one of the
more popular VPN technology's
UCSC 161
kasun@cmb.ac.lk
UCSC 162
kasun@cmb.ac.lk
UCSC 163
kasun@cmb.ac.lk
UCSC 164
kasun@cmb.ac.lk
UCSC 165
kasun@cmb.ac.lk
UCSC 166
kasun@cmb.ac.lk
•Authentication methods supported
•Encryption methods supported
•Key Management
•Data stream filtering for viruses, JAVA, active X
•Supported certificate authorities
UCSC 167
kasun@cmb.ac.lk
•Encryption Layer: Datalink, network, session,
application. Higher Layer . More granular
•Granularity of Security: Departmental level,
Application level, Role-based
UCSC 168
kasun@cmb.ac.lk
Security Risk of Wireless
Bypassing the firewalls
Short message service spamming
Malicious downloadable code or content
Weak Encryption key or non-existent
Turning on wireless encryption does not mean data
is protected end-to-end
Wired portion of the traffic may travel in the clear
Security Problems
Unauthorized or “rogue” access points on trusted
networks
Access to network by unauthorized clients (theft of

service, "war driving")
Interception and monitoring of wireless traffic

• range can be hundreds of feet
UCSC 170
kasun@cmb.ac.lk
• packet analyser software freely available
Jamming is easy, unlicensed frequency

Security Problems (cont'd)
Client-to-client attacks (in ad hoc mode)
Denial or degradation of service

• flood with bogus packets, association/authentication
requests, …
UCSC 171
kasun@cmb.ac.lk
Misconfiguration possibilities
• no encryption used
• weak (guessable) password used to generate key
• weak protection of encryption key on client machine
• weak protection of management interface for access
point
UCSC 172
kasun@cmb.ac.lk
(In)Security in 802.11b
Authentication is the process of proving
identity
− open: just supply correct SSID
− shared key: relies on WEP
WEP: Wired Equivalent Privacy
UCSC 173
kasun@cmb.ac.lk
WEP
Without WEP, no confidentiality, integrity, or
authentication of user data
The cipher used in WEP is RC4, keylength from 40 up to
128 bits
Key is shared by all clients and the base station

− compromising one node compromises network
UCSC 174
kasun@cmb.ac.lk
Manual key distribution among clients makes changing
the key difficult
WEP Encryption Weakness
Initialization Vector (IV) used during encryption is only
24 bits long
Key to cracking: find packets with duplicate public IVs
− repetition of IV guaranteed on busy networks due to
small IV space
UCSC 175
kasun@cmb.ac.lk
Tools: WEPCrack, AirSnort
− 15 minutes to 24 hours to collect enough packets
Recommendations: General
Get informed about risks!
Regular security audits and penetration assessments
Require "strong" passwords, limit number of login

attempts
UCSC 176
kasun@cmb.ac.lk
Disable ad hoc mode
• invites access by unauthorized nodes to your computer
Recommendations:WLAN
Security
WEP (fair)
− enable wireless frame encryption
− use longest key
− change the WEP key regularly (manually)
UCSC 177
kasun@cmb.ac.lk
802.1X and WPA (user authentication + dynamic keys)
(better)
− use as soon as practical and stable
− set rekeying to occur every few hours
802.11i (best)
− upgrade / use when available and supported
UCSC 178
kasun@cmb.ac.lk
What is Kerberos?
• The 3-headed dog who guards the entrance to
Hades
• Network Authentication Protocol
• Used in:
Client/Server Peer-
to-Peer
• Developed by the Massachusetts Institute

of Technology (MIT) ‘s Project Athena
UCSC 179
kasun@cmb.ac.lk
Kerberos – Message 180
• Current Release – Version 5
• Adoption by Microsoft Windows 2000
UCSC All rights reserved. No part of this material may be reproduced and sold.
kasun@cmb.ac.lk
kasun@cmb.ac.lk
Authentication Server
User
User logs on to workstation
and requests service on
application server
Request is passed over to

the Authentication Server
Application
Server
kasun@cmb.ac.lk
User
AS verifies user access

rights,
creates TG ticket and session
key, encrypts using key
derived from user’s password
Application and sends back to user
Server
kasun@cmb.ac.lk
User
WS prompts user for userID

and a password, decrypts and
verifies the ticket, and sends
new request to the TGS
Application
Server
User
TGS decrypts ticket and

authenticator, verifies
request
and creates ticket for the
requested server
Application
Server
User
WS sends the ticket and
the authenticator to the
requested server
Application
Server
User
Server verifies the ticket
and
the authenticator and if
OK,
grants access to the
requested server
Application
Server
Strong Authentication Protocol
Initiator Verifier Verifies the
Generates an
Sends the
authentication token
(Step 2) (Step 3)
(Step 1)
Sends the
Verifies the authentication token
Generates new
(Step 5)
(Step 6) (Step 4)
Sends the
Generates authentication token newVerifies the
authentication tokenauthentication token
(Step 7)(Step 9) (Step 8)
39
Authenticity of Public Keys
Authentication in Open Networks – Certificates
Remote Authentication
UCSC 42
kasun@cmb.ac.lk
Authentication with Biometrics
Automated methods of identity verification or

identification based on the principle of measurable
physiological or behavioral characteristics.
Example: Fingerprint, an iris pattern, a voice sample.
UCSC 44
kasun@cmb.ac.lk
Biometric characteristics should be unique and
not duplicable or transferable.
•A choke point of control and monitoring

•interconnects networks with differing trust
•imposes restrictions on network services
•only authorized traffic is allowed
•auditing and controlling access
•can implement alarms for abnormal behavior
•is (supposedly) itself immune to penetration
•provides perimeter defense
UCSC 46
kasun@cmb.ac.lk
Purpose of a Firewall
Basically, a firewall does three things to protect
the network:
• It blocks incoming data that might contain a

hacker attack.
• Hide internal addresses from Internet hackers.
This is called NAT.
UCSC 47
kasun@cmb.ac.lk
• It screens outgoing traffic to limit Internet use
and/or access to remote sites.
Limitation of a Firewall
•Cannot protect from attacks bypassing it
•Cannot protect against internal threats

•E.g. disgruntled employee
UCSC 48
kasun@cmb.ac.lk
•Cannot protect against transfer of all virus
infected programs or files because of huge range
of O/S & file types
UCSC 49
kasun@cmb.ac.lk
• Packet Filters
• Stateful Packet Filters
• Application Level Gateway
• Circuit Level Gateway
Packet Filter Firewalls
• Simple concept
UCSC 50
kasun@cmb.ac.lk
• Examine each IP packet (no context) and
permit or deny according to rules • Restrict
access to services (ports)
• Possible default policies:
– that not expressly permitted is prohibited
– that not expressly prohibited is permitted
UCSC 51
kasun@cmb.ac.lk
Attacks on Packet Filters
•IP address spoofing

•Fake source address to be a trusted one
•Countermeasure: Discard packets with inside source address
arriving on an external interface
•Source routing attacks
•Attacker sets a route other than default
•Countermeasure: Block source routed packets
•Tiny fragment attacks
UCSC 52
kasun@cmb.ac.lk
•Split header info over several tiny packets to circumvent
•rules that depend on TCP header information
•Countermeasure: Either discard or reassemble before check
Stateful Packet Filters
•Examine each IP packet in context

•keeps tracks of client-server sessions
•checks each packet validly belongs to one
UCSC 53
kasun@cmb.ac.lk
•Better able to detect bogus packets out of context
•E.g. permit ftp data connection from outside the

firewall to inside, provided the corresponding control
connection from inside to outside is still open between
same machines and on expected ports.
Application-level Gateway (proxy)
• Use an application specific gateway/proxy
• Has full access to protocol
UCSC 54
kasun@cmb.ac.lk
– User requests service from proxy
– Proxy validates request as legal
– Then forwards request and returns result to user
• Need separate proxies for each service
– some services naturally support proxying
– others are more problematic
– custom services generally not supported
– Ex: HTTP for Web
FTP for file transfers
SMTP/POP3 for e-mail
UCSC 55
kasun@cmb.ac.lk
Circuit Level Gateway
• Relays two TCP connections
• Imposes security by limiting which
connections are allowed
• Once created, usually relays traffic without
examining contents
UCSC 56
kasun@cmb.ac.lk
• Typically used, when it trusts internal
users by allowing general outbound
connections
– E.g. SOCKS server
UCSC 57
kasun@cmb.ac.lk
Features and Functionality
• A wide range of additional features and

functionalities are being integrated into standard
firewall products.
These are
– Demilitarized zone (DMZ)
– Content filtering
UCSC 58
kasun@cmb.ac.lk
– Virtual private networking (VPN).
Demilitarized Zone Firewalls
• A secure system that supports a limited number

of applications for use by outsiders.
UCSC 59
kasun@cmb.ac.lk
• For example, a company that hosts a Web site or
sells its products or services over the Internet
Systems
5.2 Web Security
•Solving Privacy Problems
•Solving Authentication Problems
UCSC 60
kasun@cmb.ac.lk
•Secure Socket Layer (SSL) Protocol
•Secure Electronic Transaction (SET)
Protocol
•Safe Guarding Web Servers
UCSC 61
kasun@cmb.ac.lk
How the Internet Works -2
UCSC 62
kasun@cmb.ac.lk
UCSC 63
kasun@cmb.ac.lk
Stateless protocol
Problems : html
1. Authentication of clients (browser)
2. Authentication of users
3. Authentication of WWW CGI
servers
4. Protection of html documents
5. Control of access
Remote login
Access Control for Users
Access Ctrl Table
Protection of Messages
Protection of Documents
SSL and TLS
SSL was originated by Netscape
TLS working group was formed within IETF
First version of TLS can be viewed as an SSLv3.1
UCSC 73
kasun@cmb.ac.lk
SSL Architecture
UCSC 74
kasun@cmb.ac.lk
UCSC 75
kasun@cmb.ac.lk
SSL Record Protocol Operation
UCSC 76
kasun@cmb.ac.lk
UCSC 77
kasun@cmb.ac.lk
Handshake Protocol
The most complex part of SSL.
Allows the server and client to
authenticate each other.
Negotiate encryption, MAC algorithm and
cryptographic keys.
Used before any application data are
transmitted.
UCSC 78
kasun@cmb.ac.lk
Secure WWW (SSL)
Secure client/server (WWW) protocol:

1. Server Authentication
2. Client Authentication (optional)
3. Negotiation of the encryption algorithm
4. Establishment of the session key
5. Encryption of http messages (DES, RC4, etc.)
6. Integrity of http messages (MD2)
Secure WWW (SSL)
Phase 2: “Keys Exchange” phase
Phase 3: “Session Key Creation” phase
Phase 4: “Server Verify” phase
Phase 5: “Client Authentication” phase
Phase 6: “Finished” phase
Transport Layer Security

The same record format as the SSL record format.
Defined in RFC 2246.
Similar to SSLv3.
Differences in the:
version number
message
authentication code
pseudorandom
function
alert codes
cipher suites
client certificate
types
certificate_verify and finished
message cryptographic
computations padding
68

Security 1 System Network Security PDF

Uploaded by

Copyright:

Available Formats

You might also like

Security 1 System Network Security PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security 1 System Network Security PDF

Uploaded by

Copyright:

Available Formats

Security of Information System

Operating Systems, Database and Program

4.1 Operating Systems Security

An operating system provides an access enforcement

Two fundamental concepts of access control:

The access matrix is used to define the protection domain of a process.

Mandatory protection system

• Most operating systems are monolithic, that is the whole

• The alternative is a microkernel-based system, in which

Target of the Evaluation

There is an excellent FAQ about “Trusted Computing” available at

4.2 Database Security

- general password policies (length,

Subjects Access Reference Objects

• PKCs may include life/long lasting attributes.

• ACs should be used for short lasting attributes:

PKC is passport and AC is visa

Example: SQL Injection Attack through Web Application

◆program which secretly takes over another

◆Virus propagates by infecting other programs

What do viruses do?

• using users distributed privileges or by exploiting system

Virus (and Worm) Phases

•Compile the applet

E:\JavaExamples>jar -cvf writeFile.jar

E:\JavaExamples\SSL>keytool -genkey -alias

Security in Networks and Distributed

• Host To Security Gateway

• Security Gateway To Security Gateway

Other Hosts NAT ROUTE

• A one way relationsship between a

Each entry defines a subset of IP traffic and points to an

Outbound traffic processing includes:

TCP/UDP Header (Layer 4)

Frame Header (Layer 2)

IP Hdr AH TCP/UDP Data

New IP HdrIP Hdr AH Org. IP Hdr TCP/UDP Data

•Transport mode is used to encrypt & optionally

Access to network by unauthorized clients (theft of

Interception and monitoring of wireless traffic

Jamming is easy, unlicensed frequency

Denial or degradation of service

WEP: Wired Equivalent Privacy

Key is shared by all clients and the base station

Regular security audits and penetration assessments

Require "strong" passwords, limit number of login

• Developed by the Massachusetts Institute

Request is passed over to

AS verifies user access

WS prompts user for userID

TGS decrypts ticket and

(Step 7)(Step 9) (Step 8)

Automated methods of identity verification or

•A choke point of control and monitoring

• It blocks incoming data that might contain a

•Cannot protect from attacks bypassing it

•Cannot protect against internal threats