Scribe Notes: Lecture 17

Vasilios Mezinis and Ryota Shibano

 

NFS performs:

·        SPECsfs20082008_nfs.v3

·        HPBL860c i2 4-node HA-NFS cluster (2010)

·        4 servers (each has 2 boot drive and 192 GB Ram)

·        8 disk controller (each has 2 GB cache)

·        4 FC switches, 16 disk array, 1472 drivers, each has 72 GB


 

NFS Security:

Client A wants mount or un-mount without constantly having to go back to root by plugging in a NFS machine and allowing everyone to use it.

 

Steps for Client A to become root:

·        $   sudo   sh

·        #   cp   /bin/mount   /nfs/eggert/mount

·        #   chwon   root   /nfs/eggert/mount

·        #   chmod   uts   /nfs/eggert/mount

·        #   ls   -l

 

Steps for Client B:

·        $   /nfs/eggert/mount   ______    ______

 

For this method to work, we must assume root access people on all clients are completely trustworthy.  In reality, this method won’t work because it can only happen highly managed, small groups.  We cannot assume everybody is trustworthy.

 

Method to Solve the Problem:

Make root have a UID of 0 and “nobodies” have a UID of 65535 (or any non-zero number).  Clients with UID of 0 have access to all files and can change anything at will.  Clients with UID that are no equal to 0 have access to only files that are public.  This avoids the problem because clients without UID of 0 cannot use chown or chmod.


You can impersonate any used when root.  There needs to be authentications that goes beyond just trusting a person's UID number. (NFS solves this problem, and we will learn how later.)


Suppose Client A says that Eggert's UID = 59 and Client B says Eggert's UID = 193.  Causes problem of files not being able to be shared across the two different sectors since they are associated with different UID's.  We can solve this by using name instead of UID's!  However, its tricky to program since strings can be of infinite length.  This method is used in NFS v4, but is slower.


The most common problem in NFS, however, occurs when the error "Network not responding, still trying." appears on the screen.  This occurs when too many people are using the same network, or when the network itself is down.  It occurs when the server is trying to contact the outside world.


Security:

Security cannot be easily retrofitted and should be though about before programming even begins


The real-world meaning of security: Defense against attacks via force and fraud.

The virtual-world meaning of security: Fraud is currently the big problem.  However, force must not be overlooked.


Main forms of attacks


The attacks are against privacy (passwords), integrity (changing a students grade), and service (making a system perform badly).


To solve this problem: We want to disallow unauthorized.  However, we still want to allow authorized access!  These are usually conflicting goals, which, individually, could solved easily.  However, together, they prove very difficult to maintain.


It's easier to test authorized access because if a person like the chancellor of UCLA cannot access the documents, he will tell people and the problem will be solved.  Hard to test unauthorized service because if a hacker gets into the server, he will not be telling anyone.


Threat Modeling and Classification:


Don't just design system with passwords.  It is necessary to figure out the possible threats to a system, and the design your programs around those exact threats.


Example: For Citibank, the biggest problem is problem is people in the inside miss using their authority!


Types of Attacks:


Insider Attacks: People have access to the passwords of the system use them inappropriately.  A lot of times if they are caught, the company does not tell the public because they are embarrassed.


Social Engineering: Where someone pretend to be someone else.  For example, when a student pretend to be a teacher to change his grades.


Network Attacks: Buffer overloads, viruses (e-mail and drive by downloads), denial of services.  These are getting worst, not better.


Device Attacks: Attacks initiated through a USB of CD.


Functions for Implementing Security Measures:


Authentication: Check to see if the user is who they say they are.  Do this through passwords for example.


Authorization: What is any given user allowed to do.  This is implemented through permissions on files.


Integrity: Detect when someone attempts to change information in a file.  Keep an eye on this through checksums and logs.


Auditing: Detect suspicious patterns of activity that, though they may have not done anything wrong yet, has the potential to be harmful.  This is checked through logs that look suspicious.  For example if someone is constantly accessing a famous person information page in a hospital.


Correctness and Efficiency:  People won't use the system if it wrong or if it takes to long to use.  Need the balance the above four while maintaining this.


Authentication

    Percipient Masqueracling
            External
                - identify outside partcipants
                - expensive and suspicious
            Internal
                - identify inside partcipants
                - cheap and efficient, relies on external
    
    External
        1. Password
            - can be guessed
            - can be told to others
        2. Physical token
            Attack: password guesing
            Defence: system supllies and guess passwords
            Attack: network snoopers
            Defence: fraudulent servers

    Internal
            OS records who your are efficiently
                - in process descriptor
                -consulted for all access
                -check open(), kill()
                -system call to change uid
    
                

                Eggert use a setid Program owned by Gene
                Eggert=43, Gene = 93
                In this case, EUID=93, UID=43
                Let Gene any authentication alogorithm it has

I) Authentication Building Block
        Crypticgraphic Hash Function
            h(k) = val
            h^-1(val) = {k,k2,...kn} is expensive
            Ex SHA1(K) = H, H is 160 bits

II) Symmetric Encryption Shared key K
        given M, K    getting {M} is easy
        given {M}, K    getting M is easy
        given {M}        getting M is hard
        given {M}, M    getting K is hard
        key management is trickey in this case

III)Asymmetric Encryption Public Key System
        K: Private Key
        U: Public Key
        M: Message
        given M, U    getting {M} is easy
        given {M},K    getting M is easy
        given {M},U    getting M is hard
        given U            getting K is hard
        given {M},U    getting K is hard
     
HMAC
        assume a shared secret key K      ^ - XOR     * - concatnation
        send SHA1( K ^ pad1 ) * SHA1 ( ( K ^ pad2 ) * M) * M
        Knowing SHA1(X) gussing SHA1(X^s) is easy
        SHA1 ( K ^ M ) * M is possible

        Typically : Multiphase
                A send "{NonceA Pri A}^A " to B
                B send "{NonceA NonceB Pri B}^B " to A
                A send "{NonceA * K}^A " to B

            .ssh/id-rsa.pub to get public ID
            .ssh/id-rsa to get private ID
            .ssh/known_host to get all host ID

POINT TO POINT SYSTEM
        Virtual Network atop on untrusted Network
        ssh is pain because of problem of C setup
        Ipsec - much begger overhead initially, Corporate Network
        SSH - informal network
        use intend authentication in vertual network, extend to setup

Channels
        P1 owned by U1, P2 owned by U2
        set of file both can access {}
        Can U1 communicate to U2?
        Yes, possible by system call