Handbook of Information Security Management:Computer Architecture and System Security

Worms

A worm is a program that attempts to copy itself in nearby execution environments. Worms are distinguished from viruses by the fact that they travel under their own identity. Worms exploit connectivity with nearby execution environments. One worm spread within a large population of systems by looking for user IDs with null passwords or passwords equal to the ID. In this population, one system in five yielded to the attack. Defenses against worms involve limiting connectivity by means of well-managed access controls.

Dictionary Attacks

Dictionaries of likely passwords may be used to determine actual passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

Long dictionary attacks are used by insiders to expand their privileges. In this approach, a natural-language dictionary in the native language of the system users is encrypted under the encryption scheme used by the target system. The encrypted values of words in the dictionary are then compared to the encrypted passwords in the password file; a match occurs whenever a password has been chosen from the dictionary.

Three conditions are necessary to the success of a long dictionary attack. First, the attacker must be able to log on to the target system; this condition may be met by the use of a short dictionary attack. Second, the attacker must have read access to the password file; in many systems, particularly UNIX systems, this is the default access. Third, the attacker must know the mechanism and the key variable under which the passwords are encrypted; this condition is often met simply by using the defaults with which the system was shipped. Although these conditions may never be met in a well-managed system, dictionary attacks often work against several systems in a sufficiently large population of target systems.
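The weaknesses described in the worm paragraph (null passwords, passwords equal to the ID) and in the two dictionary-attack paragraphs can all be caught at the moment a password is set. The following Python is an added illustration, not code from the handbook: a set-time policy check that rejects those three choices, plus a demonstration of why a per-user random salt removes the third precondition of a long dictionary attack (one key variable shared by every account). The dictionary, the "shipped default" salt and the user names are constructed for the example; PBKDF2-HMAC-SHA256 stands in for whatever "encryption scheme" a given system uses.

```python
import hashlib
import hmac
import os

# Constructed sample of a "short dictionary": a few words frequently chosen
# as passwords. A real check would load a large word list.
SHORT_DICTIONARY = ["password", "secret", "welcome", "letmein", "qwerty"]

ITERATIONS = 50_000  # PBKDF2 work factor; raise for production use


def check_new_password(user_id, candidate, dictionary=SHORT_DICTIONARY):
    """Policy check applied when a password is chosen.

    Returns the list of reasons for rejection; an empty list means the
    candidate is acceptable. The three checks correspond to the weaknesses
    the text describes: null password, password equal to the ID, and a
    password that appears in a dictionary of common choices.
    """
    problems = []
    if candidate == "":
        problems.append("null password")
    if candidate.lower() == user_id.lower():
        problems.append("password equals user ID")
    words = {w.lower() for w in dictionary}
    if candidate.lower() in words:
        problems.append("password is a dictionary word")
    return problems


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive the stored verifier; a fresh random salt per user by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison of a candidate against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def encrypted_dictionary(dictionary, salt, iterations=ITERATIONS):
    """The long-dictionary precondition: the whole dictionary enciphered once
    under a single key variable (here, one shared salt). Maps digest -> word."""
    return {
        hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations): w
        for w in dictionary
    }


def lookup(table, digest):
    """A stored digest matches the table only if it was produced under the
    same salt; a per-user salt forces a separate computation per account."""
    return table.get(digest)


if __name__ == "__main__":
    print(check_new_password("alice", "Welcome"))   # ['password is a dictionary word']
    shared_salt = b"\x00" * 16   # constructed stand-in for a shipped default
    table = encrypted_dictionary(SHORT_DICTIONARY, shared_salt)
    _, stored_shared = hash_password("welcome", salt=shared_salt)
    print(lookup(table, stored_shared))   # welcome
    _, stored_salted = hash_password("welcome")
    print(lookup(table, stored_salted))   # None
```

The two `lookup` calls make the point of the third condition concrete: under the shipped default every account shares one key variable, so one enciphered dictionary serves all of them; once each account has its own salt, the table built for one is useless for the others, and the set-time check keeps dictionary words out of the file in the first place.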

THE BASIC ARCHITECTURAL ELEMENTS

The following sections discuss the basic components of computer architecture; these are the general ideas and abstractions used to describe computers. Most of these concepts apply to more than one type of computer; many have specific security-related effects or uses.

Domains

In general, a domain may be defined as a sphere of influence. With computers, it is useful to be able to talk about the extent of influence of various mechanisms and components.

Historically, the term “domain” was synonymous with “computer”. In early single-thread computers, every application owned the whole machine, and that was its domain. In modern systems, multiple applications run asynchronously under the control of operating systems and monitors. Each of these processes may have a different domain. In early operating systems, the domain of the operating system was usually congruent with that of the hardware processor in which it ran; in modern systems, this may not be true. Some operating systems control multiple processors, and some processors run multiple operating systems.

In addition, the domain of early access control facilities was congruent with that of the operating system under which they ran; this is no longer true. Although few operating systems run more than one access control facility, it is not unusual for a single access control facility to serve multiple operating systems and even multiple processors.

Although this flexibility is valuable, it may influence security. It may provide uniformity of control, yet in doing so, it may compromise the integrity of the implementation. The wider the domain, the more difficult it is to maintain its integrity.

States

Many computer systems offer separate domains called states. States are usually distinguished by the set of operations that are permitted to occur within them. For example, many systems are divided into two states called privileged and unprivileged, system and application, supervisor and problem program, or supervisor and user. System state is distinguished from application state by the fact that all operations are legal in system state, whereas only a subset of the operations is legal in application state. The instructions excluded from application state usually include input, output, and storage management instructions.

The Multics System (Honeywell Bull, Inc.) offered rings of domains. Rings are distinguished from states by the fact that there are more of them, they are not necessarily hierarchical, and each can be entered only from adjacent ones, and then only by means of a narrow portal called a gate.

It has been asserted that two states are inadequate for some purposes; indeed, most modern hardware implements three or more states. Nonetheless, some large shared systems do not implement any hardware states.

Finite-State Machines

A finite-state machine is one in which all valid states can be enumerated and in which any operation takes the machine only from one valid state to another, equally valid state. For example, in finite-state architectures there may be no possibility of a data exception. One can contrast this concept to more traditional architectures in which it is possible for a defined operation to move the machine to an invalid state. By eliminating the possibility of invalid states, finite-state architecture eliminates much of the error handling that might otherwise have to be performed by programming or operator intervention.

Finite-state architecture limits and excludes much of the complexity that implementers, programmers, operators, and users might otherwise have to overcome. In addition, it limits the opportunity for mischief that such error-handling capability introduces.
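The following Python, added here as an illustration and not taken from the handbook, contrasts the two designs the text describes. A session controller is written as a finite-state machine: the valid states are an enumeration, every defined operation is a table entry mapping one valid state to another, and an event with no entry is refused rather than handled by ad hoc error code. Beside it is the "traditional" flag-based design in which independent booleans admit a combination (open but not authenticated) that nobody intended. The state, event and class names are constructed for the example.

```python
from enum import Enum, auto


class State(Enum):
    """The complete enumeration of valid states; nothing else is a state."""
    LOCKED = auto()
    AUTHENTICATING = auto()
    OPEN = auto()


class Event(Enum):
    LOGIN = auto()
    SUCCESS = auto()
    FAILURE = auto()
    LOGOUT = auto()


# Every defined operation takes the machine from one valid state to another.
TRANSITIONS = {
    (State.LOCKED, Event.LOGIN): State.AUTHENTICATING,
    (State.AUTHENTICATING, Event.SUCCESS): State.OPEN,
    (State.AUTHENTICATING, Event.FAILURE): State.LOCKED,
    (State.OPEN, Event.LOGOUT): State.LOCKED,
}


class UndefinedTransition(Exception):
    """Raised when an event has no entry for the current state."""


class FiniteStateSession:
    def __init__(self):
        self.state = State.LOCKED

    def accepts(self, event):
        """True when the event is a defined operation in the current state."""
        return (self.state, event) in TRANSITIONS

    def handle(self, event):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            # The machine stays in its current, valid state; there is no
            # invalid state to recover from, only a rejected event to report.
            raise UndefinedTransition(f"{event.name} in {self.state.name}")
        self.state = nxt
        return nxt


def transition_table_is_closed(table, states):
    """True when every source and every target of the table is a valid state."""
    return all(src in states and dst in states for (src, _), dst in table.items())


def reachable_states(table, start):
    """Enumerate the states reachable from `start` by following the table."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for (src, _), dst in table.items():
            if src is cur and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen


class FlagSession:
    """The contrasting traditional design: independent flags whose
    combinations include states nobody intended."""
    def __init__(self):
        self.authenticated = False
        self.open = False

    def authenticate(self):
        self.authenticated = True

    def grant(self):
        # Nothing forces authenticate() to have been called first, so a
        # defined operation can move the object into an invalid state.
        self.open = True

    def is_valid(self):
        return not (self.open and not self.authenticated)


if __name__ == "__main__":
    s = FiniteStateSession()
    s.handle(Event.LOGIN)
    s.handle(Event.SUCCESS)
    print(s.state.name, s.accepts(Event.LOGIN))   # OPEN False
    f = FlagSession()
    f.grant()
    print(f.is_valid())   # False
```

The two checking functions are the point of the enumeration: because the valid states are finite and listed, one can verify mechanically that the table is closed over them and that every reachable state is valid, which is precisely the guarantee the flag-based design cannot offer without the error-handling code the text warns about.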

Security Domains

A security domain is a single domain of trust that shares a single security policy and a single management. Historically, security domains have been used to define a single system. Modern networks often implement security domains that include many systems.

Storage

Storage refers to those computer components in which information can be recorded for later retrieval and use. It is typically classified by type. Storage is usually shared over time but allocated to only one use, user, or task at a time. The following sections discuss different types of storage.
