DOCID: 4009825   UNCLASSIFIED   March 79, Page 13

COMPUTER OPERATING SYSTEM VULNERABILITIES

"Can my system really be penetrated?" This is the question so often asked by computer system managers. The inevitable answer is "Yes." Any computer system can be penetrated by a knowledgeable user. Large computer systems in particular, by their size and complexity, leave themselves open to attacks by unauthorized users. Let us examine some of the vulnerabilities of computer systems as well as some of the possible defensive measures.

COMMON OPERATING SYSTEM VULNERABILITIES

Operating system vulnerabilities generally fall into one or more of the following seven classes:

o Incomplete parameter validation
o Inconsistent parameter validation
o Implied sharing of privileged/confidential data
o Asynchronous validation and inadequate serialization
o Inadequate identification, authentication, or authorization
o Violable limits
o Exploitable logic error

Let us look in detail at each class of flaws and see how they affect the system operation.

Incomplete parameter validation. Whenever a user requests any type of service, the operating system must verify that the user is authorized to make that request and that a proper parameter string has been provided by the user. This verification is done to prevent the user from compromising a control program which is performing services for all users. Flaws in some operating systems may allow a user to fool a control program into providing him access to data to which he would not otherwise be allowed access rights, placing the user program into privileged or executive mode, or severely degrading the operation of the ADP system.

The following is a good example of incomplete parameter validation, using a file dump routine. User requests a dump of 300 records from File A, but File A contains only 200 records. The system honors the user request, and User is allowed access not only to File A but also to whatever data is stored beyond the address area of File A. Security requirements should make the control routine validate the parameters and either reject the user request or dump only those records which apply to File A.

Inconsistent parameter validation. Inconsistent parameter validation occurs whenever there are multiple definitions for the same construct within the operating system. For example, a system control program may validate a user program's parameters but trust another system routine's parameters as valid without verification. Therefore a user who can fool the system into believing his code is system routine code can obtain unauthorized privileges. System routines should verify all input parameter strings, even those from another system routine.

Implied sharing of privileged/confidential data. In a multiprogramming environment the computer's facilities are shared by many users. The operating system must have the built-in capability to isolate each user from all other users. Failure to provide this segregation can result in a possible compromise of privileged information. In modern operating systems two problems are generally noted in this area. The first is the matter of sensitive residue. This involves information left behind in memory or other storage media after a run has terminated. An unauthorized user can enter the system and obtain access to those leftovers. This technique is commonly known as scavenging. The second problem involves the system sharing user space for its own storage. To save space, the operating system frequently shares the user's buffers to store temporary working tables. This may allow the user unauthorized access to the system tables (I/O, password tables, etc.). This is frequently known as the "blackboard" problem.
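The File A dump example above, and the point of the inconsistent-validation class that the same check must run for every caller, as an added example in C (not code from the article). The storage layout, record format and counts are constructed: File A owns the first 200 records of a 400-record area and the user asks for 300, as in the article. The unchecked service returns the neighbour's records; the validated service applies either of the two remedies the article names, reject or clamp to File A's real size, and applies them identically whether the request arrives from a user program or another system routine.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not the article's code. A constructed storage area:
 * File A owns records [0, FILE_A_RECORDS); the records after it belong
 * to another user. Each record is a short string whose first character
 * names the owner ('A' for File A, 'X' for the neighbouring area). */
#define RECORD_SIZE     8
#define FILE_A_RECORDS  200
#define TOTAL_RECORDS   400
#define REQUESTED       300     /* the count the article's user asks for */

static char storage[TOTAL_RECORDS][RECORD_SIZE];
/* Output buffer sized to the request, so the only overrun that can
 * happen is the one the article describes: reading past File A. */
static char dump_buffer[REQUESTED][RECORD_SIZE];

static void init_storage(void) {
    for (int i = 0; i < TOTAL_RECORDS; i++)
        snprintf(storage[i], RECORD_SIZE, "%c%05d",
                 i < FILE_A_RECORDS ? 'A' : 'X', i);
}

/* Flawed dump service: copies 'count' records starting at File A into
 * 'out' without checking 'count' against the file's real size
 * (incomplete parameter validation). Returns the number copied. */
static int dump_unchecked(int count, char out[][RECORD_SIZE]) {
    for (int i = 0; i < count; i++)
        memcpy(out[i], storage[i], RECORD_SIZE);
    return count;
}

/* Validated dump service. The same check runs for every caller, user
 * program or system routine alike (consistent validation). A count
 * beyond File A is either rejected (return -1) or, with 'clamp' set,
 * reduced to the records that actually belong to File A. */
static int dump_validated(int count, char out[][RECORD_SIZE], bool clamp) {
    if (count <= 0)
        return -1;
    if (count > FILE_A_RECORDS) {
        if (!clamp)
            return -1;
        count = FILE_A_RECORDS;
    }
    for (int i = 0; i < count; i++)
        memcpy(out[i], storage[i], RECORD_SIZE);
    return count;
}

/* Count records in a dump that do not belong to File A, i.e. leaked data. */
static int count_foreign(char out[][RECORD_SIZE], int n) {
    int foreign = 0;
    for (int i = 0; i < n; i++)
        if (out[i][0] != 'A')
            foreign++;
    return foreign;
}

int main(void) {
    init_storage();
    int n = dump_unchecked(REQUESTED, dump_buffer);
    printf("unchecked: %d records returned, %d belong to someone else\n",
           n, count_foreign(dump_buffer, n));
    n = dump_validated(REQUESTED, dump_buffer, false);
    printf("validated (reject): %d\n", n);
    n = dump_validated(REQUESTED, dump_buffer, true);
    printf("validated (clamp): %d records, %d foreign\n",
           n, count_foreign(dump_buffer, n));
    return 0;
}
```

The unchecked call hands back 100 records that are not File A's; the validated call either refuses the request outright or returns exactly the 200 records File A holds, and the check does not depend on who asked.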
Asynchronous validation and inadequate serialization. System integrity is guaranteed only if information passed between program sequences is protected. If the operating system allows asynchronous operations and the operations are not performed in a timely sequence, the information may be modified or compromised. An example of this would be permitting the user to perform I/O into a checkpoint or restart file so that his restarted program is given unauthorized or supervisory privileges. To be secure, an operating system must be able to enforce timing constraints so as to maintain a controlled state.

Inadequate identification, authentication, or authorization. Most operating systems maintain some type of job initiation procedures which monitor authorized vs. unauthorized access. A system flaw exists whenever a system permits a user to bypass these security mechanisms. A user who finds a way to obtain executive operation mode can walk through the system without being questioned by the system monitor. Operating systems must require proof of access rights for all user requests. Security mechanisms must be protected from user tampering. For example, password files should be encrypted or protected from common access, and passwords must be unusual enough to void any guessing or permutation attempts.

Violable limits. Because of architectural limitations, the operating system has to limit the resources a user can control. These limits, or "hands off" policies, are usually described in the system documentation. Whenever an advertised limit is not enforced, a security flaw exists. For example, a user may be limited to operate within an assigned partition of storage, but a flaw in the system allows him access to another partition on an overflow condition. Because the operating system did not enforce the "rules of the road," a user could accidentally or deliberately cause a system overload, resulting in system degradation or crash.

Exploitable logic error. With four to five million lines of code, it is inevitable that there will be bugs in any major operating system. A knowledgeable user may exploit these errors to his advantage to obtain access to information or programs to which he is not authorized. Logic errors can especially be created whenever the original design or coding has been changed. Logic modifications compromise any security measures designed into the original system. Examples of exploitable logic errors are found in error-handling procedures. A user may request modification or dumping of a file belonging to another user. Incorrect error handling may initiate the actions without first verifying that the user has access rights to that file. There is no way to avoid logic errors in large operating systems; however, these errors should be corrected when discovered to avoid prolonged compromise of sensitive information.
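The checkpoint/restart case in the asynchronous-validation class, as an added example in C (not code from the article). The request block, privilege levels, file-id limit and the "interleave" hook that stands in for the concurrently running user program are all constructed. The flawed service validates the user's block where it lies and re-reads it afterwards, so a change made in between is what gets acted on; the serialised service fetches the block once into system-owned memory and validates and uses only that copy, which is one way of holding the request in the controlled state the article calls for.

```c
#include <stdio.h>

/* Added example, not the article's code. A restart request that a user
 * program hands to a system service sits in the user's own memory, so
 * the user can still change it after the service has validated it. */
#define PRIV_USER        0
#define PRIV_SUPERVISOR  1
#define MAX_USER_FILE    100   /* constructed: user-owned files have ids below this */

struct restart_request {
    int file_id;      /* checkpoint/restart file to reload the job from */
    int privilege;    /* privilege the restarted job asks to run with */
};

/* Stand-in for the user program running concurrently with the service:
 * the service calls it between validating the request and acting on it.
 * On a real system this window is a scheduling gap; here it is explicit
 * so the failure is reproducible. */
typedef void (*interleave_fn)(struct restart_request *req);

static void well_behaved(struct restart_request *req) { (void)req; }

/* Constructed misbehaving program: rewrites the block after the check. */
static void rewrite_after_check(struct restart_request *req) {
    req->privilege = PRIV_SUPERVISOR;
}

static int request_ok(const struct restart_request *r) {
    return r->file_id >= 0 && r->file_id < MAX_USER_FILE
        && r->privilege == PRIV_USER;
}

/* Flawed service: validates the user's block in place, lets the user
 * program run, then re-reads the block to act on it. Returns the
 * privilege the job was actually restarted with, or -1 if rejected. */
static int restart_in_place(struct restart_request *req, interleave_fn other) {
    if (!request_ok(req))
        return -1;
    other(req);
    return req->privilege;     /* second fetch: may differ from what was validated */
}

/* Serialised service: copies the request into system-owned memory
 * first, and validates and acts on that copy only. Whatever the user
 * program does to its own block afterwards no longer matters. */
static int restart_snapshot(struct restart_request *req, interleave_fn other) {
    struct restart_request copy = *req;   /* single fetch */
    if (!request_ok(&copy))
        return -1;
    other(req);
    return copy.privilege;
}

int main(void) {
    struct restart_request r = { 7, PRIV_USER };
    printf("in place, honest program: %d\n", restart_in_place(&r, well_behaved));
    r.privilege = PRIV_USER;
    printf("in place, racing program: %d\n", restart_in_place(&r, rewrite_after_check));
    r.privilege = PRIV_USER;
    printf("snapshot, racing program: %d\n", restart_snapshot(&r, rewrite_after_check));
    return 0;
}
```

The in-place service restarts the racing job as supervisor even though it validated a user-level request; the snapshot service restarts it with the privilege it actually checked.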
PENETRATION TECHNIQUES

Now that we know what some of the potential operating system flaws are, we need to know how a knowledgeable user, or penetrator, will exploit these flaws to obtain unauthorized access to the system. In planning his attack, the penetrator will have to answer the question, "What do I want: information or system degradation?" [5] The answer to this question will determine his method of attack. The penetrator's next step is to obtain all available system documentation. Valuable information which may point to vulnerabilities is available in the documentation. After reviewing the manuals, the penetrator can then decide on the techniques to be used in the penetration attempt. The penetrator's main objective is to attack one or more of the seven major flaw classes discussed earlier.

Probably one of the most available and easiest system penetration methods is the use of utility programs [3]. These service routines often execute user requests without requiring proof of access rights. Some types of utility routines are storage dump facilities, operations support programs, and maintenance support programs.

Another widely used penetration technique is operator spoofing. A penetrator can use trickery, such as giving his program the same name as a system routine, to make the operator think that his program is a privileged system routine. He may then request a load of privileged disc packs or magnetic tapes.

The penetrator can also obtain access to privileged information by creating a Trojan horse. A Trojan horse is a program which, in addition to doing what it is advertised to do, does something else which its user doesn't know about and wouldn't want done. A Trojan horse is usually hidden in a utility program. An example would be a performance monitor which also dumps user information (account numbers, passwords, etc.) into a file somewhere.

System penetration can also be obtained by using any of several covert attacks:

Wire tapping. Also known as eavesdropping, this act involves the penetrator connecting some listening device to a communications line somewhere between a peripheral device and the central processing unit of the computer being penetrated. This is a passive operation.

Between-lines entry. This is similar to wire tapping except that the process is active. The penetrator enters spurious commands onto the communication lines which were meant only for the legitimate users. This operation is usually done when the intended terminal is in an idle state.

Clandestine code. This operation involves the entering of changes (possibly a Trojan horse) into the coding of the computer operating system.

Masquerading. This involves logging into the computer system as a legitimate user whose account number and password have been acquired by begging, borrowing, or stealing.
DEFENSIVE MEASURES (COUNTERMEASURES)

So, if our system is so susceptible to unauthorized access, what is our defense against these measures? The best approach is to build security into the initial system design [3]. Patches to the design at a later time may create more flaws than they patch. The problem with most current operating systems lies in the fact that they were developed in the 1960s with no thought in mind for security requirements. Even with security in mind, we must remember that operating system security is not a binary yes/no condition. No large operating system currently in use can be completely certified as secure. Here are examples of measures which we can take to protect our system from attack:

Data encryption. Data encryption is becoming more widely used by both the government and private industry, and should be performed whenever sensitive information such as password files, payroll data, defense statistics, and the like is stored or sent over data communication lines.

Using a front-end security controller. This technique could be used to control access to the host computer from remote terminals. This would remove the security overhead from the host computer's operating system. The smaller operating system in the minicomputer would also be easier to certify as secure.

Mathematical models. Models allow us to study the complete operating system environment and pick each area apart for security analysis.

Kernels. Kernels are small portions of software blocked together to perform a single function. These small software modules could be certified secure.

Software verification tools. Many tools have been or are being developed to certify the security of computer software.

A LOOK AT RESEARCH AREAS

Many areas in computer system security need to be explored in the future. Some of those areas are:

1. Development of better control structures (audit trails).
2. Expansion of kernel theory to develop a secure operating system.
3. Cost analysis studies. Where do we draw the line between cost of computer security and need? How do we measure security?
4. Development of strong, consistent management policies to govern the use of computer facilities.
5. Development of software verification tools to certify computer software.
6. Development of some type of virtual machine monitor (an operating system which isolates each user into his own mini operating system) which, when properly designed and implemented, is spoof-proof; and
7. Development of a security specification language which allows security requirements to be programmed into the operating system by the security officer.

I hope I have been able to provide some insight into just how vulnerable modern computer operating systems are. Department of Defense studies have shown a need for protecting data relating to the nation's defense because of the many opportunities for fraud and embezzlement [2]. We must also realize that software security is only one aspect of the total security environment. We must also consider administrative, personnel, physical, communications, emanations, and hardware security. As modern technological advances are made, with their applications for computers, we will have a continuing requirement for operating system security.

No matter what misuses take place, we must realize that people are still going to use that magnificent adding machine, the computer. It has been proven that there are people with skills to crack safes, yet people still use safes. The same correlation can be made to computer usage. Our job as system managers is to attempt to protect against accidental or deliberate destruction, modification, or disclosure [2]. Security policy (administrative, personnel, physical, communications, hardware, and software) and practices must be sufficient to make up for the computer's inability to protect itself.

REFERENCES

1. Webb and Frickel, Handbook for Analyzing the Security of Operating Systems, Lawrence Livermore Laboratories, 1975.
2. Abbott, R. P., et al., Security Analysis and Enhancements of Computer Operating Systems, National Bureau of Standards Report NBSIR 76-1041, April 1976.
3. Hoffman, Methods for Computer Security and Privacy, Prentice-Hall, Inc., New Jersey, 1977.
4. Chin, Analysis of Operating System Security, Lawrence Livermore Laboratories, December 2, 1975.
5. Linde, R. R., Operating System Security, Proceedings of the National Computer Conference, 1975, pp. 361-368.
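Two of the article's points brought together in one added C example (not the article's code): the "kernel" and "audit trail" measures above, and the error-handling case from the exploitable-logic-error class earlier. The access table, user and file numbers, file size and the audit record format are constructed. A single reference monitor, check_access, is the only place an access decision is made and it records every decision; the flawed dump service shows the error path the article describes, which acts on the file without consulting the monitor and leaves no trace in the trail, beside the corrected service, which decides authorization before anything else so its error path can only refuse.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not the article's code: a small reference monitor (a
 * "kernel" in the article's sense), one module that every service must
 * consult before touching an object and that writes the audit trail. */
enum op { OP_READ = 1, OP_WRITE = 2, OP_DUMP = 4 };

struct acl_entry { int user; int file; int allowed; };   /* 'allowed': bitmask of enum op */

/* Constructed access table: user 100 owns file 1, user 101 may only read it. */
static const struct acl_entry acl[] = {
    { 100, 1, OP_READ | OP_WRITE | OP_DUMP },
    { 101, 1, OP_READ },
    { 101, 2, OP_READ | OP_WRITE },
};

struct audit_record { int user; int file; int op; bool granted; };
#define AUDIT_MAX 64
static struct audit_record audit_log[AUDIT_MAX];
static int audit_len;

static void audit(int user, int file, int op, bool granted) {
    if (audit_len < AUDIT_MAX)
        audit_log[audit_len++] = (struct audit_record){ user, file, op, granted };
}

/* The single decision point. Default deny: a request with no matching
 * entry is refused, and every decision, granted or not, is recorded. */
static bool check_access(int user, int file, int op) {
    bool granted = false;
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++) {
        if (acl[i].user == user && acl[i].file == file
            && (acl[i].allowed & op) == op) {
            granted = true;
            break;
        }
    }
    audit(user, file, op, granted);
    return granted;
}

#define FILE_SIZE 200   /* constructed size of every file, in records */

/* Flawed dump service, the error-handling mistake the article describes:
 * a bad record count sends the request down an error path that "helps"
 * by dumping the whole file, and that path never consults the monitor.
 * Returns records dumped, or -1 when access is refused. */
static int dump_file_flawed(int user, int file, int nrecords) {
    if (nrecords <= 0 || nrecords > FILE_SIZE)
        return FILE_SIZE;                       /* no check_access: leaks the file */
    if (!check_access(user, file, OP_DUMP))
        return -1;
    return nrecords;
}

/* Corrected service: authorization is decided before anything else, so
 * the error path can only ever refuse. -1 = not authorized, -2 = bad
 * parameter (refused after the access decision was recorded). */
static int dump_file(int user, int file, int nrecords) {
    if (!check_access(user, file, OP_DUMP))
        return -1;
    if (nrecords <= 0 || nrecords > FILE_SIZE)
        return -2;
    return nrecords;
}

/* What a security officer would pull from the trail: refusals per user. */
static int denied_count(int user) {
    int n = 0;
    for (int i = 0; i < audit_len; i++)
        if (audit_log[i].user == user && !audit_log[i].granted)
            n++;
    return n;
}

int main(void) {
    printf("owner dumps 10 records:       %d\n", dump_file(100, 1, 10));
    printf("reader tries to dump:         %d\n", dump_file(101, 1, 10));
    printf("reader, bad count, flawed:    %d\n", dump_file_flawed(101, 1, 0));
    printf("reader, bad count, corrected: %d\n", dump_file(101, 1, 0));
    printf("refusals logged for user 101: %d\n", denied_count(101));
    return 0;
}
```

Note the detection angle as well as the logic fix: the flawed path hands user 101 the whole file and writes nothing to the audit trail, so the trail cannot show the compromise; with the corrected ordering every attempt, successful or refused, leaves a record the security officer can review.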
STANDARDS: A COMMENT

I am afraid that I have much [...] "Data Standards Without Tears" has merit [...] giving credit to the standardization process that the NDSC has long been pursuing, and also presenting a few half-truths here and there along with the nuggets of wisdom.

I agree that data standards should be enforced [...] but not in the magical way he outlines. You can only have standards with sweat; without tears, perhaps, but certainly not without sweat.

The Center never imposes standards in this way but issues them only after a long and rigorous process. This begins with a recognized need, research and discussion, drafting of a proposal, etc., and continues with coordination through the Senior Data Representatives (SDR) of the [...] elements. There are draftings and redraftings to meet objections, suggestions, etc., and final approval comes in many cases only after a painfully long process. This is far from an inflexible role in the standardization process [...] A Standard [...] always has wide circulation throughout the [...]

It goes without saying that standards cannot be achieved without some degree of magic. On the practical level the magic machine already exists for rendering coarse materials into fine standard [...] A good name for this philosophy of standardization might be the Rumpelstiltskin [...], after the legendary gnome who was able to weave straw into gold to further his nefarious designs. Let us not accuse our good friends from the team of such plotting. Everyone would like to have the magic machine dispense usable and workable standards without going through the long and often painful process outlined above. This philosophy is, I'm afraid, a naive one when viewed in the light of the standardization process.

I think I see what he is saying here, however. He is pointing out that the Data Dictionary will expose people to the already published standard data elements in the dictionary part of the system. The Data Dictionary concept can play a [...] It will show people in the dictionary portion what the current usage of data fields is along a wide spectrum of different Agency applications. Exposure to this usage will gradually lead us towards the necessary [...] The author of the [...] essay does not explicitly state this, but this is my [...] of his concept.

[...] has not tried to shut off anyone's job because of failure to [...] standards. On paper we have the authority: both NSA Regulation 80-9 and 414, "Standardization of Data Elements and Related Features for Activities [...]," and "[...] of [...] and Related Features in Computer Projects," give us the authority to make life unhappy for sponsors whose jobs ignore or conflict with the standards. In theory we can point to the concept of enforcement of data standards even to the short-run disadvantage of a computer project. In actual practice we sacrifice the long-term benefits to the Agency that would follow from a rigorous enforcement of the standards we already have [...] standards as something which not only can be but must be imposed [...]

[...] to separate the data features we deal with into two: Data Elements and Data Fields. I agree that this [...]

February 1979