Computer Security Techniques

Computer Security

Last Update Unknown

Authentication

Authentication is the basis for most types of access control and accountability and usually involves two steps:

Identification and Verification

Means of Authentication

Traditionally listed as three factors:

Something you know

  • Password, PIN


Something you have

  • Card, RFID badge


Something you are

  • Static biometrics: fingerprint, face
  • Dynamic biometrics: handwriting, voice recognition, typing rhythm

Password-Based Authentication

Passwords determine whether the user is authorised to access the system, what privileges they have, and what access controls are applied to them.


Hashed Passwords

Password hashing is a widely used technique for storing passwords and protects against a variety of cryptanalytic attacks.


UNIX Password Scheme

When a user attempts to log on to a UNIX system,

  • The user provides an ID and a password.
  • The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password.
  • The salt and user-supplied password are used as input to the encryption routine.
  • If the result matches the stored value, the password is accepted.


Salt

The salt prevents duplicate passwords from being visible in the password file and greatly increases the difficulty of offline dictionary attacks.

It becomes nearly impossible to find out whether a person with an account on multiple systems has used the same password for all.
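The scheme above, as an added example that is not part of the original notes: each user's entry holds a random salt and a hash derived from salt plus password; at login the system looks the entry up by ID, re-derives the hash and compares. The notes' "encryption routine" is the classic UNIX crypt(); this example assumes PBKDF2-HMAC-SHA256 from the Python standard library in its place, and the user names and passwords are constructed. The last function shows the point made about salting: two accounts with the same password get different stored values.

```python
"""Salted password storage and verification (added example, not from the notes)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; value chosen for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def build_password_file(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed 'password file': user ID -> (plaintext salt, hashed password)."""
    return {uid: hash_password(pw) for uid, pw in credentials.items()}


def login(pwfile: Dict[str, Tuple[bytes, bytes]], uid: str, password: str) -> bool:
    """The UNIX flow: index the file by ID, fetch salt and hash, re-derive, compare."""
    entry = pwfile.get(uid)
    if entry is None:
        return False
    salt, key = entry
    return verify_password(password, salt, key)


def same_password_same_hash(pwfile: Dict[str, Tuple[bytes, bytes]], uid_a: str, uid_b: str) -> bool:
    """Whether two entries reveal, by equal stored hashes, that the passwords are identical.
    With per-user salts this is False even when the passwords are the same."""
    return pwfile[uid_a][1] == pwfile[uid_b][1]


if __name__ == "__main__":
    # Constructed accounts: both users chose the same password.
    pwfile = build_password_file({"alice": "hunter2", "bob": "hunter2"})
    print("alice login ok:", login(pwfile, "alice", "hunter2"))
    print("same stored hash:", same_password_same_hash(pwfile, "alice", "bob"))
```

Because the salt is stored in plaintext next to the hash, it does not need to be secret; its job is to make each entry a separate target for an offline dictionary attack and to hide password reuse across accounts and systems.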


Token-Based Authentication

Objects that a user possesses for the purpose of user authentication are called tokens.

Examples of these include memory cards and smart cards.


Memory Cards

Memory cards can store but not process data and are often used in conjunction with a password.

The drawbacks are that they require a special reader and can be lost.


Smart Cards

Smart cards contain a microprocessor, memory, and I/O ports.

Many types exist differing by three main aspects:

  • Physical characteristics
  • Interface
  • Static, dynamic password generator, or challenge-response protocol

Static Biometric Authentication

Something the individual is

Based on pattern recognition, which is technically complex and expensive.


Includes:

  • Facial characteristics
  • Fingerprints
  • Hand geometry
  • Retinal pattern

Dynamic Biometric Authentication

Something the individual does

Patterns may change


Includes:

  • Iris
  • Signature
  • Voice
  • Typing rhythm

Access Control

Dictates what types of access are permitted, under what circumstances, and by whom.


Discretionary access control – Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.

Mandatory access control – Controls access based on security labels or clearances.

Role-based access control – Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.



Role Based Access Control

An effective implementation of the principle of least privilege.

Each role should contain the minimum set of access rights needed for that role.

A user is assigned to a role that enables them to perform what that role requires, but only while they are acting in that role.
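The RBAC model described above, as an added example (not code from the notes): permissions hang off roles, users are authorised for a set of roles, and a permission check only considers the roles a user has activated in the current session, so rights are held only while the role is being performed. The roles, permissions and users are constructed for the example.

```python
"""Minimal role-based access control with session-scoped role activation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Each role carries only the access rights that role needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"ledger:read"},
    "clerk": {"ledger:read", "ledger:append"},
    "admin": {"ledger:read", "ledger:append", "ledger:delete", "user:manage"},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk", "auditor"},
    "bob": {"auditor"},
}


@dataclass
class Session:
    user: str
    authorised_roles: Set[str]
    active_roles: Set[str] = field(default_factory=set)

    def activate(self, role: str) -> None:
        """Take on a role for this session; only roles the user is assigned to are allowed."""
        if role not in self.authorised_roles:
            raise PermissionError(f"{self.user} is not assigned the role {role!r}")
        self.active_roles.add(role)

    def deactivate(self, role: str) -> None:
        """Drop a role; its rights disappear with it."""
        self.active_roles.discard(role)


def open_session(user: str) -> Session:
    """Start a session with no active roles, even if the user is assigned several."""
    return Session(user=user, authorised_roles=set(USER_ROLES.get(user, set())))


def is_permitted(session: Session, permission: str) -> bool:
    """A permission is granted only through a currently active role."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in session.active_roles)


if __name__ == "__main__":
    s = open_session("alice")
    print(is_permitted(s, "ledger:append"))   # no active role yet
    s.activate("clerk")
    print(is_permitted(s, "ledger:append"))   # clerk may append
    s.deactivate("clerk")
    print(is_permitted(s, "ledger:append"))   # right gone with the role
```

Keeping the user-to-role and role-to-permission mappings separate is what makes the model administrable: changing what clerks may do is one edit to ROLE_PERMISSIONS rather than an edit per user.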


Intrusion Detection Systems (IDS)

Host-based

  • Monitors a single host


Network-based

  • Centrally monitors network traffic and devices

IDS Components

Sensors

  • Collect data and forward it to the analyser.


Analysers

  • Determine whether an intrusion has occurred.


User interface

Profiles of Behaviour

Although the typical behaviour of an intruder differs from the typical behaviour of an authorised user, there is an overlap in these behaviours.

  • Thus, a loose interpretation of intruder behaviour, which will catch more intruders, will also lead to a number of false positives, or authorised users identified as intruders.
  • But, an attempt to limit false positives by a tight interpretation of intruder behaviour will lead to an increase in false negatives, or intruders not identified as intruders.


Thus, there is an element of compromise and art in the practice of intrusion detection.

Host-Based IDSs

Can detect both external and internal intrusions


Anomaly detection

  • Collects data on the behaviour of legitimate users over time; may use:
    • Threshold detection
    • Profile-based detection


Signature detection

  • Define a set of rules or attack patterns
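Both detection approaches, and the false-positive versus false-negative trade-off from the "Profiles of Behaviour" section, in one added example that is not from the notes. The audit record format and the sample records are constructed: a legitimate user mistypes her password twice, and a second account fails four times within seconds and then reads the password file. The threshold detector flags a user whose login failures within a time window reach a threshold; the signature detector matches records against fixed field patterns. Running the threshold detector with a loose threshold flags both users (a false positive), and with a tight threshold flags neither (a false negative).

```python
"""Toy IDS analyser: threshold-based anomaly detection and signature detection
over constructed audit records (added example, not from the notes)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed audit records. alice: two typos, then success.
# mallory: four failures in four seconds, success, then a sensitive read.
AUDIT_LOG = """\
2024-05-01T09:00:01 user=alice action=login result=fail
2024-05-01T09:00:07 user=alice action=login result=fail
2024-05-01T09:00:15 user=alice action=login result=ok
2024-05-01T09:10:00 user=mallory action=login result=fail
2024-05-01T09:10:01 user=mallory action=login result=fail
2024-05-01T09:10:02 user=mallory action=login result=fail
2024-05-01T09:10:03 user=mallory action=login result=fail
2024-05-01T09:10:04 user=mallory action=login result=ok
2024-05-01T09:10:09 user=mallory action=read path=/etc/shadow
"""


def parse_record(line: str) -> Dict[str, object]:
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def threshold_detect(records: List[Dict[str, object]], threshold: int,
                     window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Anomaly detection by threshold: flag a user whose login failures
    inside any `window` reach `threshold`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    for rec in records:
        if rec.get("action") != "login" or rec.get("result") != "fail":
            continue
        user = str(rec["user"])
        queue = recent[user]
        queue.append(rec["ts"])                      # type: ignore[arg-type]
        while queue and rec["ts"] - queue[0] > window:   # type: ignore[operator]
            queue.popleft()                          # drop failures outside the window
        if len(queue) >= threshold:
            flagged.add(user)
    return flagged


# Signature rules: a record matches when every listed field has the given value.
SIGNATURES: List[Tuple[str, Dict[str, str]]] = [
    ("password-file-read", {"action": "read", "path": "/etc/shadow"}),
]


def signature_detect(records: List[Dict[str, object]],
                     signatures: List[Tuple[str, Dict[str, str]]] = SIGNATURES) -> List[Tuple[str, str]]:
    """Signature detection: return (rule name, user) for every matching record."""
    hits: List[Tuple[str, str]] = []
    for rec in records:
        for name, pattern in signatures:
            if all(rec.get(k) == v for k, v in pattern.items()):
                hits.append((name, str(rec["user"])))
    return hits


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    print("loose threshold (2):", threshold_detect(recs, 2))   # alice is a false positive
    print("tight threshold (5):", threshold_detect(recs, 5))   # mallory is a false negative
    print("threshold 3:", threshold_detect(recs, 3))
    print("signatures:", signature_detect(recs))
```

The signature rule catches the password-file read regardless of any threshold, which is the usual complement: signatures are precise for known patterns, thresholds and profiles catch unknown ones at the cost of tuning.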

Audit Records

Native audit records

  • Uses the OS accounting software/logs


Detection-specific audit records

  • Generate audit records required by the IDS

Antivirus Approaches

Ideal approach is prevention, don’t allow a virus onto the system! However, this is impossible in many cases.


The next best approach requires:

  • Detection – Once the infection has occurred, determine that it has occurred and locate the virus.
  • Identification – Identify the specific virus that has infected a program.
  • Removal – Remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further.

Generic Decryption (GD)

When a file containing a polymorphic virus is executed, the virus must decrypt itself to activate.

GD detection requires:

  • CPU emulator
  • Virus signature scanner
  • Emulation control module

Behaviour Blocking Software

Integrates with the operating system and monitors program behaviour in real time for malicious actions and blocks them.


Monitored behaviours may include:

  • Opening or modifying certain files
  • Formatting disk drives
  • Modifications to executable files or macros
  • Modification of critical system settings
  • Network communication

Worm Countermeasures

  1. Signature-based worm scan filters
  2. Filter-based worm containment
  3. Payload-classification-based worm containment
  4. Threshold random walk (TRW) scan detection
  5. Rate limiting
  6. Rate halting

Botnet and Rootkit Countermeasures

IDS and antivirus techniques are useful against bots; the main aim is to detect and disable a botnet while it is being constructed.

Rootkits are, by design, difficult to detect, so countering them requires a variety of network- and computer-level security tools.

Buffer Overflow

Protection from stack buffer overflows can be broadly classified into two categories:

Compile-time defences, which aim to harden new programs so that they resist attacks.

Run-time defences, which aim to detect and abort attacks in existing programs.

Compile Time Defences

  • Choice of programming language
    • Some languages do not allow certain unsafe coding practices
  • Safe coding techniques and auditing
  • Language extensions and use of safe libraries
  • Stack protection mechanisms

Run Time Defences

These defences involve changes to the memory management of the virtual address space of processes:

  • Executable address space protection
  • Address space randomisation
  • Guard pages