Post on 18-Dec-2021
INSE 6130 Operating System Security
Secure Booting
Prof. Lingyu Wang
Overview
- AEGIS: Secure Bootstrap Architecture
- TPM: Trusted Platform Module
The Problem
- All security controls are initiated by ... what?
- Why are we so sure about our kernel/BIOS/hardware?
- What if we were insecure from the very beginning?
[Figure: the controls covered so far (Network Service Security, Access Control, Authentication, Auditing and Logging) stacked on top of the operating system]
Recall the "Smartest Hack of All Time"
- Ken Thompson, in his 1983 Turing Award lecture ("Reflections on Trusting Trust"), admitted to a back door he had created in early UNIX versions: the C compiler recognized the login program and inserted a back door into it, and also recognized the compiler itself and re-inserted both modifications, so the trojan lived on in the compiler binary even after it was removed from every source file
[Figure: a clean source of UNIX compiled with the trojaned compiler still yields a trojaned UNIX; a clean source of the compiler compiled with the trojaned compiler still yields a trojaned compiler]
- If you start insecure, you always end up insecure
[Photo: Kenneth Thompson and Dennis Ritchie, creators of UNIX]
OS Boot Process
- Problem: many things could already go wrong before your OS security controls can ever come into effect!
[Figure: the boot sequence, from first to last]
  POST
  BIOS
  Expanded ROMs
  Boot Block (MBR, GRUB)
  Operating System (security control)
  User Programs
Solution: AEGIS Architecture
- Each level needs to verify the integrity of the level above it before control is passed to that level
- Level 0 is secure (we assume it is)
- If level i can ensure level i+1 is secure, then all levels will be secure (a simple mathematical induction)
[Figure: the boot sequence divided into AEGIS levels, from first to last]
  Level 0 (trusted): POST, BIOS section 1, AEGIS ROM
  Level 1: BIOS section 2
  Level 2: Expanded ROMs
  Level 3: Boot Block (MBR, GRUB)
  Level 4: Operating System
  Level 5: User Programs
4
Integrity Chaining
- How does level i ensure the integrity of level i+1?
  Level i stores a digital signature of level i+1 and verifies it before passing control
- What if this signature is altered?
  The signature is part of level i, so level i-1 will detect the modification: the signature of level i that level i-1 checks covers the whole of level i, the stored signature included
[Figure: the same AEGIS level diagram, with Level 0 (POST, BIOS section 1, AEGIS ROM) marked as trusted]
What If The Check Fails?
- The boot process will be terminated if a check fails at any level
- Good for integrity, bad for availability
- Recovery mechanisms
  The system boots into a small recovery kernel in ROM (like the safe mode of an OS)
  It then recovers the failed component either from ROM cards or from network hosts
- Again, why can we trust what we trust?
  Bottom line: hacking hardware is more difficult than hacking software
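The chaining, induction and recovery described on the last three slides, as an added Python example (not code from the slides or from the AEGIS project). It assumes constructed byte strings as the "code" of levels 1 to 5 and, to stay within the standard library, stands in a SHA-256 digest for the digital signature that AEGIS stores in level i for level i+1; the trusted level 0 is modelled only by the reference value it holds for level 1.

```python
import hashlib

DIGEST_LEN = 32

# Constructed stand-ins for the code of AEGIS levels 1..5. Level 0 (POST, BIOS section 1,
# AEGIS ROM) is the trusted root and is represented only by the reference it stores.
IMAGES = [
    b"BIOS section 2: rest of the BIOS",          # level 1
    b"Expanded ROMs: option ROMs of the cards",   # level 2
    b"Boot Block: MBR/GRUB stage",                # level 3
    b"Operating System: kernel image",            # level 4
    b"User Programs: init and daemons",           # level 5
]


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(images):
    """Level i's blob = its own code + the reference for level i+1 (a digest here, standing
    in for AEGIS's signature). Built from the top down, because each reference covers the
    next level's blob *including* the reference that blob carries for its own successor."""
    blobs = [None] * len(images)
    blobs[-1] = images[-1]                      # top level vouches for nothing further
    for i in range(len(images) - 2, -1, -1):
        blobs[i] = images[i] + digest(blobs[i + 1])
    return blobs


def stored_reference(blob: bytes) -> bytes:
    return blob[-DIGEST_LEN:]


def level0_reference(blobs) -> bytes:
    """What the trusted level 0 stores: the reference for level 1."""
    return digest(blobs[0])


def secure_boot(level0_ref, blobs):
    """Level i checks level i+1 against the reference it stores before passing control.
    Returns (levels that ran, status)."""
    booted, expected = [], level0_ref
    for i, blob in enumerate(blobs):
        level = i + 1
        if digest(blob) != expected:
            return booted, f"integrity check failed at level {level}"
        booted.append(level)
        if i + 1 < len(blobs):
            expected = stored_reference(blob)
    return booted, "boot complete"


def boot_with_recovery(level0_ref, blobs, backup):
    """On failure, the recovery kernel replaces the failed level from a trusted backup
    (a ROM card or network host in AEGIS) and retries. Returns (levels run, status,
    levels that had to be recovered)."""
    recovered = []
    for _ in range(len(blobs)):
        booted, status = secure_boot(level0_ref, blobs)
        if status == "boot complete":
            return booted, status, recovered
        failed = len(booted)                     # 0-based index of the level that failed
        blobs[failed] = backup[failed]
        recovered.append(failed + 1)
    return booted, status, recovered


def demo():
    clean = build_chain(IMAGES)
    ref = level0_reference(clean)
    results = {"clean": secure_boot(ref, list(clean))}

    # Attack 1: swap the OS (level 4) for a trojaned kernel. Level 3 catches it.
    trojan_os = b"Operating System: kernel image with rootkit" + digest(clean[4])
    attacked = list(clean)
    attacked[3] = trojan_os
    results["trojan_os"] = secure_boot(ref, attacked)

    # Attack 2: also rewrite the reference inside level 3 so that it vouches for the
    # trojaned OS. Level 3's blob now differs from what level 2 stores for it, so the
    # tampering is caught one level earlier, at level 3.
    forged_boot_block = IMAGES[2] + digest(trojan_os)
    attacked2 = list(attacked)
    attacked2[2] = forged_boot_block
    results["forged_reference"] = secure_boot(ref, attacked2)

    # Recovery: boot the doubly tampered system with a trusted backup of every level.
    results["recovered"] = boot_with_recovery(ref, list(attacked2), clean)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged-reference case is the point of the integrity-chaining slide: an attacker who controls level i+1 and edits level i's stored reference to match it only moves the failure down to the check that level i-1 performs on level i, and the induction bottoms out at the level 0 that is assumed to be trusted.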
Background
- Extending the ideas of AEGIS: TCG (Trusted Computing Group)
  Industry standards body with 135 members including component vendors, software developers, systems vendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun
- Key component: TPM (Trusted Platform Module) chip
  Roughly the AEGIS ROM role
  Shipped in hardware: ThinkPad, LifeBook, etc.
  Supported by software: Windows Vista, Trusted GRUB, etc.
Architecture of TPM
[Figure: TPM architecture, borrowed from Dan Boneh's slides]

How Does TPM Work
[Figure: TPM-based boot, borrowed from Dan Boneh's slides]
- Very similar to AEGIS: each stage of the boot measures (hashes) the next stage and records the measurement in the TPM's Platform Configuration Registers (PCRs) before passing control to it
What Else Can Be Achieved
- Besides ensuring the integrity of the booting process? Encrypted partitions
  Offline security (stolen laptops): only verified software can decrypt the partitions
  Ease of data deletion/machine recycling: just change the TPM to remove the decryption key
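The two properties above, a boot-state measurement that cannot be rewritten and a partition key that only the measured software can recover, as an added Python example (not code from the slides, from Dan Boneh's slides or from the TCG specifications). It models one PCR and one storage root key; the boot component names, the disk key and the chip keys are constructed, and sealing is simplified to an HMAC-derived wrap plus an integrity tag in place of the asymmetric encryption and PCR policy a real TPM uses.

```python
import hashlib
import hmac

PCR_LEN = 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(component)). A PCR can only be extended,
    never written, so its final value commits to every component measured and their order."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tpm:
    """Toy TPM: one PCR plus a storage root key (srk) that never leaves the chip.
    seal() wraps a 32-byte secret under srk *and* the current PCR value; unseal() only
    succeeds if the PCR holds the same value again, i.e. the same software booted."""

    def __init__(self, srk: bytes):
        self.srk = srk
        self.pcr = bytes(PCR_LEN)          # PCRs start at zero at power-on

    def extend(self, component: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, component)

    def _wrap(self) -> bytes:
        return hmac.new(self.srk, b"wrap" + self.pcr, hashlib.sha256).digest()

    def _tag(self, ct: bytes) -> bytes:
        return hmac.new(self.srk, b"tag" + self.pcr + ct, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        assert len(secret) == PCR_LEN
        ct = xor(secret, self._wrap())
        return ct + self._tag(ct)

    def unseal(self, blob: bytes):
        ct, tag = blob[:PCR_LEN], blob[PCR_LEN:]
        if not hmac.compare_digest(self._tag(ct), tag):
            return None                    # PCR value or chip differs from sealing time
        return xor(ct, self._wrap())


# Constructed measurements of the boot components, in the order they run.
TRUSTED_BOOT = [b"BIOS v1.2", b"GRUB 2.04", b"vmlinuz-5.4", b"initrd.img"]
DISK_KEY = bytes(range(32))                # constructed partition key


def boot(tpm: Tpm, components) -> Tpm:
    """Power-on reset, then each stage measures the next before handing control to it."""
    tpm.pcr = bytes(PCR_LEN)
    for c in components:
        tpm.extend(c)
    return tpm


def measure(components) -> bytes:
    return boot(Tpm(b"x"), components).pcr


def demo():
    tpm = boot(Tpm(b"srk-burned-into-this-chip"), TRUSTED_BOOT)
    blob = tpm.seal(DISK_KEY)              # seal the partition key to the trusted boot state
    rootkit = TRUSTED_BOOT[:2] + [b"vmlinuz-5.4-with-rootkit", TRUSTED_BOOT[3]]
    reordered = [TRUSTED_BOOT[1], TRUSTED_BOOT[0]] + TRUSTED_BOOT[2:]
    return {
        "same_boot": boot(tpm, TRUSTED_BOOT).unseal(blob) == DISK_KEY,
        "rootkit_kernel": boot(tpm, rootkit).unseal(blob),              # None: refuses
        "reordered": boot(tpm, reordered).unseal(blob),                 # None: order matters
        "other_tpm": boot(Tpm(b"a-different-chip"), TRUSTED_BOOT).unseal(blob),  # None
        "order_changes_pcr": measure(TRUSTED_BOOT) != measure(reordered),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases are the "stolen laptop" and "machine recycling" points: a disk carried to another machine meets a different storage root key, and swapping or clearing the TPM of the original machine leaves the sealed blob undecryptable even though the ciphertext on disk is untouched.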
INSE 6130 Operating System Security
Securing Network Services
Prof. Lingyu Wang
Outline
- Overview
- inetd/xinetd/tcp_wrapper
- iptables
- Telnet/FTP/SSH
"Any Problem in Computer Science Can Be Solved with Another Layer of Indirection (Abstraction)"
- ISO/OSI model vs TCP/IP suite
[Figure: the two layer models side by side, with example protocols]
  OSI Application, Presentation, Session | TCP/IP Application layer | HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, BitTorrent, ...
  OSI Transport                          | TCP/IP Transport layer   | TCP, UDP, RTP, ... SSL
  OSI Network                            | TCP/IP Internet layer    | IPv4, IPv6, ... IPSEC
  OSI Data link                          | TCP/IP Data link layer   | Ethernet, Wi-Fi, Token ring, FDDI, PPP, ...
  OSI Physical                           | TCP/IP Physical layer    | RS-232, 10BASE-T, ...
Network Model: (Conceptual/physical) communications
[Figure: Alice and Bob each run the full stack (Application, Presentation, Session, Transport, Network, Data link, Physical). Conceptually each layer talks to its peer layer on the other host; physically the data goes down Alice's stack, through intermediate nodes that implement only the Network, Data link and Physical layers (one of them Eve), and up Bob's stack]
UNIX/Linux
- Basic defense in UNIX/Linux: iptables-based firewall + tcp_wrapper + xinetd
- It's basic, so you too should have it
- It's basic, so you shouldn't depend on it
The UNIX Internet Daemon (inetd)
- inetd is a 'super' server
  It runs at boot time as part of the startup procedure
  It examines /etc/inetd.conf to determine which network services are under its control
  It then listens on those ports
  Upon a connection request, inetd starts the appropriate server
- No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility)
The UNIX Internet Daemon (inetd)
- A sample inetd.conf file might look like this:

  # Internet server configuration database
  #
  ftp      stream  tcp  nowait  root  /usr/etc/ftpd     ftpd
  telnet   stream  tcp  nowait  root  /usr/etc/telnetd  telnetd
  shell    stream  tcp  nowait  root  /usr/etc/rshd     rshd
  login    stream  tcp  nowait  root  /usr/etc/rlogind  rlogind
  ...
  echo     stream  tcp  nowait  root  internal
  daytime  stream  tcp  nowait  root  internal
  time     stream  tcp  nowait  root  internal
  echo     dgram   udp  wait    root  internal

  Fields: service, socket type, protocol type, wait/nowait (re-use server), user, command and arguments
- Routinely check the file: after break-ins, services may be installed for later use
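The "routinely check the file" advice, as an added Python example (not code from the slides or from any inetd distribution): a small auditor that parses an inetd.conf, flags cleartext legacy services and entries whose server program is a shell, and compares the enabled services against a known-good baseline. The configuration file, the baseline and the planted "backup" entry are constructed for the example.

```python
# Constructed /etc/inetd.conf for the example, including one entry planted after a break-in.
SAMPLE_INETD_CONF = """\
# Internet server configuration database
#
ftp     stream  tcp  nowait  root    /usr/etc/ftpd     ftpd
telnet  stream  tcp  nowait  root    /usr/etc/telnetd  telnetd
#shell  stream  tcp  nowait  root    /usr/etc/rshd     rshd
login   stream  tcp  nowait  root    /usr/etc/rlogind  rlogind
finger  stream  tcp  nowait  nobody  /usr/etc/fingerd  fingerd
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
# planted after a break-in: an interactive root shell, disguised as a "backup" service
backup  stream  tcp  nowait  root    /bin/sh           sh -i
"""

# Constructed baseline: the (service, protocol) pairs that are *supposed* to be enabled,
# recorded when the machine was set up and kept off the machine.
BASELINE = {("ftp", "tcp"), ("telnet", "tcp"), ("login", "tcp"),
            ("finger", "tcp"), ("echo", "tcp"), ("echo", "udp")}

CLEARTEXT_AUTH = {"ftp", "telnet", "shell", "login", "exec", "rexec", "tftp"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh"}


def parse_inetd_conf(text):
    """Yield one dict per enabled (non-comment) entry: the seven inetd.conf columns."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)       # service socket proto wait user server [args]
        if len(fields) < 6:
            yield {"line": lineno, "service": fields[0], "error": "malformed entry"}
            continue
        service, sock, proto, wait, user, server = fields[:6]
        yield {"line": lineno, "service": service, "socket": sock, "proto": proto,
               "wait": wait, "user": user.split(".")[0],   # user[.group]
               "server": server, "args": fields[6] if len(fields) > 6 else ""}


def audit_inetd(text, baseline=None):
    """Return (line, service, issue) findings for the given inetd.conf text."""
    findings = []
    for e in parse_inetd_conf(text):
        if "error" in e:
            findings.append((e["line"], e["service"], e["error"]))
            continue
        if e["service"] in CLEARTEXT_AUTH:
            findings.append((e["line"], e["service"], "cleartext legacy service enabled"))
        if e["server"] in SHELLS:
            findings.append((e["line"], e["service"], "server program is a shell"))
        if baseline is not None and (e["service"], e["proto"]) not in baseline:
            findings.append((e["line"], e["service"], "not in baseline: possibly planted"))
    return findings


if __name__ == "__main__":
    for line, service, issue in audit_inetd(SAMPLE_INETD_CONF, BASELINE):
        print(f"line {line}: {service}: {issue}")
```

The baseline comparison is the check that matters after an intrusion: a planted service can be named anything, so the list of what is enabled has to be compared against what you previously decided should be enabled, not only against a list of known-bad names.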
xinetd
- A replacement for inetd: Fedora is not shipped with inetd; it uses xinetd
- Is better
  Provides access control to services based on the address/(domain) name of the remote host and the time of access
  Can alleviate DoS by placing limits on:
    the number of processes for each service
    the number of processes it will fork
    the size of the log files it creates
    the number of connections a single host can initiate
    the rate of incoming connections
  Extensive logging abilities
- http://www.xinetd.org/faq.html
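The access-control and DoS-limit directives listed above, as an added Python example (not code from the slides or from xinetd): two constructed /etc/xinetd.d stanzas for the same telnet service, one bare and one hardened with only_from, access_times, instances, per_source, cps and logging, plus a small parser and lint that reports which protections a stanza lacks. The address range and time window are example values.

```python
import re

# Constructed stanza with no access control and no limits.
WEAK = """\
service telnet
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
"""

# Constructed hardened stanza: host/time access control, DoS limits, logging.
HARDENED = """\
service telnet
{
    disable        = no
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    only_from      = 192.168.1.0/24 localhost   # example internal range
    access_times   = 08:00-18:00
    instances      = 10                         # max simultaneous servers for this service
    per_source     = 2                          # max connections from one source address
    cps            = 25 30                      # >25 conn/s: stop listening for 30 s
    log_type       = SYSLOG authpriv
    log_on_success += HOST PID DURATION
    log_on_failure += HOST
}
"""

STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"(\w+)\s*(\+=|-=|=)\s*(.*)")


def parse_xinetd(text):
    """Return {service: {attribute: [values]}} honouring the =, += and -= operators."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            m = ATTR.match(line) if line else None
            if not m:
                continue
            key, op, value = m.groups()
            vals = value.split()
            if op == "=":
                attrs[key] = vals
            elif op == "+=":                      # add to the (default) list
                attrs.setdefault(key, []).extend(vals)
            else:                                 # -=: remove from the list
                attrs[key] = [v for v in attrs.get(key, []) if v not in vals]
        services[name] = attrs
    return services


LIMITS = {
    "instances": "no cap on simultaneous server processes (instances)",
    "per_source": "no cap on connections from a single host (per_source)",
    "cps": "no rate limit on incoming connections (cps)",
}


def lint_xinetd(text):
    """Return {service: [issues]}; a disabled service gets an empty list."""
    report = {}
    for name, a in parse_xinetd(text).items():
        if a.get("disable", ["no"])[0].lower() == "yes":
            report[name] = []
            continue
        issues = []
        if "only_from" not in a and "no_access" not in a:
            issues.append("no host-based access control (only_from/no_access)")
        issues.extend(msg for key, msg in LIMITS.items() if key not in a)
        report[name] = issues
    return report


if __name__ == "__main__":
    print("weak:", lint_xinetd(WEAK))
    print("hardened:", lint_xinetd(HARDENED))
```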
tcp_wrapper
- tcp_wrapper does the following:
  (Optionally) sends a "banner" to the connecting client
  Compares the client's hostname and the requested service with a (negative) ACL
  If denied, tcp_wrapper drops the connection
  Logs the result with syslog
- Advantages
  Transparent to both the client and the wrapped network service
  Centralized management of multiple protocols
tcp_wrapper Configuration
- Configuration files decide which connections to accept: /etc/hosts.allow and /etc/hosts.deny
- When a connection reaches tcp_wrapper:
  It reads /etc/hosts.allow; if a rule matches, it executes the specified action (the connection is allowed unless an option says otherwise)
  If no match, it checks /etc/hosts.deny; if a rule matches, it denies access
  If still no match, it hands the request to the server
- At most one rule is executed: the first matching rule wins
tcp_wrapper Configuration Language
- Format of /etc/hosts.allow and /etc/hosts.deny:
  daemon_list : client_host_list [: option : option ... ]
- daemon_list: command name(s) of one or more services; wildcard ALL
- client_host_list: hostname(s) or IP address(es) of clients (a pattern beginning with "." matches every host in that domain); wildcards ALL, LOCAL, KNOWN, UNKNOWN, PARANOID
- option : option ...: actions (e.g., allow, deny, twist, etc.)
tcp_wrapper Example 1
- To allow all connections except those from the domain pirate.net:

  #
  # /etc/hosts.allow:
  #
  # Allow anybody to connect to our machine except
  # people from pirate.net
  #
  all : .pirate.net : deny
  all : all : allow

- What if the order is reversed?
tcp_wrapper Example 2
- To only allow finger by internal machines:

  #
  # /etc/hosts.allow:
  #
  # finger for insiders only
  #
  in.fingerd : LOCAL : allow
  in.fingerd : ALL : twist /usr/local/bin/some_message

- What if the order is reversed?
tcp_wrapper Example 3
- If you discover repeated break-in attempts through telnet and rlogin, but you need to telnet into your computer from concordia.ca:

  #
  # /etc/hosts.allow:
  #
  # Allow telnet & rlogin from concordia.ca, but nowhere else
  #
  telnetd,rlogind : concordia.ca : allow
  telnetd,rlogind : all : deny

- Note: a client pattern without a leading dot matches only a host whose name is exactly concordia.ca; to admit every host in the domain, write .concordia.ca
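The three examples and the "what if the order is reversed?" questions, as an added Python example (not code from the slides or from the tcp_wrappers package): a simulator of the hosts.allow/hosts.deny evaluation that answers the way tcpdmatch would. It models the first-match rule, the ALL, LOCAL, KNOWN and UNKNOWN wildcards, leading-dot domain and trailing-dot address patterns, CIDR and netmask patterns, and the allow, deny and twist options; PARANOID and the remaining options are not modelled, and the client hostnames and addresses are constructed (in practice they come from reverse DNS, which is why name-based rules are only as trustworthy as DNS).

```python
import ipaddress

# Constructed rule sets reproducing the slides' three examples and their reversals.
EX1 = "all : .pirate.net : deny\nall : all : allow\n"
EX1_REVERSED = "all : all : allow\nall : .pirate.net : deny\n"
EX2 = "in.fingerd : LOCAL : allow\nin.fingerd : ALL : twist /usr/local/bin/some_message\n"
EX2_REVERSED = "in.fingerd : ALL : twist /usr/local/bin/some_message\nin.fingerd : LOCAL : allow\n"
EX3 = "telnetd,rlogind : concordia.ca : allow\ntelnetd,rlogind : all : deny\n"
EX3_FIXED = "telnetd,rlogind : .concordia.ca : allow\ntelnetd,rlogind : all : deny\n"


def parse_rules(text):
    """Yield (line, daemons, clients, options) for each rule; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        yield lineno, daemons, clients, parts[2:]


def match_client(pattern, client):
    """hosts_access(5) client patterns against client = {'host': name or None, 'addr': ip}."""
    host = (client.get("host") or "").lower()
    addr = client["addr"]
    up = pattern.upper()
    if up == "ALL":
        return True
    if up == "LOCAL":                      # a name without a dot: same local domain
        return bool(host) and "." not in host
    if up == "KNOWN":
        return bool(host)
    if up == "UNKNOWN":
        return not host
    if pattern.startswith("."):            # .domain: last components of the name match
        return host.endswith(pattern.lower())
    if pattern.endswith("."):              # n.n.: leading components of the address match
        return addr.startswith(pattern)
    if "/" in pattern:                     # n.n.n.n/m.m.m.m or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == host or pattern == addr


def decide(daemon, client, hosts_allow, hosts_deny=""):
    """First matching rule wins: hosts.allow first (grants unless an option says otherwise),
    then hosts.deny (denies), then the default of granting access."""
    for fname, text, default in (("/etc/hosts.allow", hosts_allow, "granted"),
                                 ("/etc/hosts.deny", hosts_deny, "denied")):
        for lineno, daemons, clients, options in parse_rules(text):
            if not any(d.upper() == "ALL" or d.lower() == daemon.lower() for d in daemons):
                continue
            if not any(match_client(c, client) for c in clients):
                continue
            verdict = default
            for opt in options:
                word, _, rest = opt.partition(" ")
                if word.lower() == "allow":
                    verdict = "granted"
                elif word.lower() == "deny":
                    verdict = "denied"
                elif word.lower() == "twist":   # replace the service with another command
                    verdict = "twist " + rest.strip()
            return verdict, f"{fname} line {lineno}"
    return "granted", "no match"


# Constructed clients (documentation/private address ranges).
PIRATE = {"host": "mail.pirate.net", "addr": "198.51.100.7"}
INSIDER = {"host": "lab1", "addr": "192.168.1.5"}
OUTSIDER = {"host": "evil.example.org", "addr": "198.51.100.8"}
CONCORDIA_HOST = {"host": "mail.concordia.ca", "addr": "203.0.113.10"}


def demo():
    return {
        "ex1": decide("sshd", PIRATE, EX1),
        "ex1_reversed": decide("sshd", PIRATE, EX1_REVERSED),
        "ex2_insider": decide("in.fingerd", INSIDER, EX2),
        "ex2_outsider": decide("in.fingerd", OUTSIDER, EX2),
        "ex2_reversed_insider": decide("in.fingerd", INSIDER, EX2_REVERSED),
        "ex3_as_written": decide("telnetd", CONCORDIA_HOST, EX3),
        "ex3_fixed": decide("telnetd", CONCORDIA_HOST, EX3_FIXED),
        "ex3_unlisted_daemon": decide("sshd", OUTSIDER, EX3),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Three things the output makes concrete: reversing Example 1 lets pirate.net in because "all : all : allow" now matches first; reversing Example 2 twists insiders too; and Example 3 as written denies a host named mail.concordia.ca and only admits a host named exactly concordia.ca, while leaving every daemon it does not list (sshd here) unprotected, since the default when nothing matches is to grant access.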
tcp_wrapper Utilities
- tcpdchk scans the configuration files and reports configuration errors

  % tcpdchk
  Warning: /etc/hosts.allow, line 24, iphone: no such process name in /etc/inetd.conf (/etc/hosts.allow or /etc/inetd.conf are inconsistent)

- tcpdmatch simulates a request and shows the result

  % tcpdmatch sshd bush@whitehouse.gov
  client:   hostname whitehouse.gov
  client:   address  63.161.169.137
  client:   username bush
  server:   process  sshd
  matched:  /etc/hosts.deny line 39
  option:   deny
  access:   denied
  %
iptables
- Where it is: in Linux kernel 2.4 or later, driven by a command line program
- What it is for: defining rules for filtering packets
- What it is: three built-in chains of rules, INPUT, OUTPUT and FORWARD; within a chain the first matching rule wins
[Figure: packets addressed to the host traverse the INPUT chain, packets generated by the host traverse OUTPUT, and packets routed through the host traverse FORWARD]
iptables Example 1
  iptables -A INPUT -s 200.200.200.1 -j DROP
- -A: append to rule chain INPUT
- -s: source address (IP or DNS name)
- -j: target/action (DROP, REJECT, ACCEPT)
- So what does this mean?
- What about this:
  iptables -A OUTPUT -d 200.200.200.1 -j DROP
iptables Example 2
  iptables -A INPUT -s 200.200.200.1/24 -p tcp --destination-port telnet -j DROP
- -p: protocol (tcp, udp, icmp, etc.)
- --destination-port (or --source-port): port number or service name
- /24: subnet mask (CIDR)
  iptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP
- -i: input interface (or -o: output interface)
  iptables -L, -F, -I INPUT 1, -R INPUT 1
- -L: list, -F: flush, -I: insert (here at position 1 of INPUT), -R: replace (the rule at position 1 of INPUT)
iptables Example 3
  iptables -A INPUT -i wan1 -p tcp --syn -j DROP
- --syn: SYN packet (the first packet of a new TCP connection)
  iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP
- !: not equal (newer iptables releases want the negation before the option: ! --destination-port 80)
  iptables -P FORWARD ACCEPT
- -P: default policy of a chain, applied when no rule in the chain matches
- http://www.netfilter.org/
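The first-match semantics, the -A/-I/-P commands and the matches used in Examples 1 to 3, as an added Python example (not code from the slides or from netfilter): a small user-space model that parses iptables command lines into rules and evaluates packets against a chain the way the kernel does, first matching rule wins and otherwise the chain policy. The packets and the service-name table are constructed; only the options the slides use are supported.

```python
import ipaddress
import shlex

SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}   # constructed subset of /etc/services

OPTION_KEYS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "in", "-o": "out",
               "--destination-port": "dport", "--dport": "dport",
               "--source-port": "sport", "--sport": "sport"}


class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}

    def iptables(self, cmdline):
        """Accept an iptables command line with -A/-I/-P, -j and the matches above.
        Each match is stored as (value, negated)."""
        args = shlex.split(cmdline)
        if args and args[0] == "iptables":
            args = args[1:]
        rule, chain, pos, negate, i = {"match": {}, "target": None}, None, None, False, 0
        while i < len(args):
            a = args[i]
            if a == "!":                                   # new syntax: ! --dport 80
                negate, i = True, i + 1
            elif a == "-P":
                self.policy[args[i + 1]] = args[i + 2]
                return
            elif a in ("-A", "-I"):
                chain, i = args[i + 1], i + 2
                if a == "-I":
                    pos = 1
                    if i < len(args) and args[i].isdigit():
                        pos, i = int(args[i]), i + 1
            elif a == "-j":
                rule["target"], i = args[i + 1], i + 2
            elif a == "--syn":
                rule["match"]["syn"], negate, i = (True, negate), False, i + 1
            else:
                key, val, i = OPTION_KEYS[a], args[i + 1], i + 2
                if val == "!":                             # old syntax: --dport ! 80
                    negate, val, i = True, args[i], i + 1
                if key in ("src", "dst"):
                    val = ipaddress.ip_network(val, strict=False)   # 200.200.200.1/24 -> .0/24
                elif key in ("dport", "sport"):
                    val = SERVICES.get(val) or int(val)
                elif key == "proto":
                    val = val.lower()
                rule["match"][key], negate = (val, negate), False
        if chain is None or rule["target"] is None:
            raise ValueError("need a chain (-A/-I) and a target (-j)")
        rules = self.chains[chain]
        rules.append(rule) if pos is None else rules.insert(pos - 1, rule)

    @staticmethod
    def matches(match, pkt):
        for key, (val, neg) in match.items():
            if key == "syn":
                hit = pkt.get("proto") == "tcp" and pkt.get("flags") == "SYN"
            elif key in ("src", "dst"):
                hit = ipaddress.ip_address(pkt[key]) in val
            else:
                hit = pkt.get(key) == val
            if hit == neg:                 # no match, or a negated match
                return False
        return True

    def verdict(self, chain, pkt):
        """First matching rule wins; otherwise the chain's policy applies."""
        for n, rule in enumerate(self.chains[chain], 1):
            if self.matches(rule["match"], pkt):
                return rule["target"], n
        return self.policy[chain], "policy"


# Constructed packets.
TELNET_FROM_SUBNET = {"src": "200.200.200.7", "dst": "10.0.0.1", "proto": "tcp", "dport": 23, "in": "wan1", "flags": "SYN"}
SSH_SYN_PPP0 = {"src": "198.51.100.9", "dst": "10.0.0.1", "proto": "tcp", "dport": 22, "in": "ppp0", "flags": "SYN"}
SSH_ACK_PPP0 = dict(SSH_SYN_PPP0, flags="ACK")
HTTP_SYN_PPP0 = dict(SSH_SYN_PPP0, dport=80)


def demo():
    fw = Firewall()
    fw.iptables("iptables -A INPUT -s 200.200.200.1/24 -p tcp --destination-port telnet -j DROP")
    fw.iptables("iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP")
    r = {"telnet_from_subnet": fw.verdict("INPUT", TELNET_FROM_SUBNET),
         "ssh_syn_ppp0": fw.verdict("INPUT", SSH_SYN_PPP0),
         "ssh_ack_ppp0": fw.verdict("INPUT", SSH_ACK_PPP0),      # not a SYN: rule 2 does not apply
         "http_syn_ppp0": fw.verdict("INPUT", HTTP_SYN_PPP0)}    # dport 80 is excluded by "!"
    fw.iptables("iptables -I INPUT 1 -s 200.200.200.7 -j ACCEPT")     # inserted at the top...
    r["telnet_after_insert"] = fw.verdict("INPUT", TELNET_FROM_SUBNET)  # ...so it shadows the DROP
    fw.iptables("iptables -P INPUT DROP")
    r["http_syn_after_policy"] = fw.verdict("INPUT", HTTP_SYN_PPP0)     # nothing matches: policy
    return r


if __name__ == "__main__":
    print(demo())
```

The last two cases are the operational lessons: -I puts a rule ahead of everything already in the chain, so an ACCEPT inserted at position 1 silently overrides a DROP that was carefully written earlier, and a default policy of DROP is what turns the chain from a blacklist into a whitelist.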
FTP: Separate Control, Data
- Client contacts the server at port 21, obtains authorization over the control connection, browses the remote directory by commands over the control connection
- Server receives a command for a file transfer, opens a TCP data connection to the client, closes the data connection when the transfer is done, and maintains "state": current directory, earlier authentication
[Figure: FTP client and FTP server joined by a TCP control connection on port 21 and a TCP data connection on port 20]
Security Issues with FTP
- Passwords typed to FTP are transmitted in clear

Security Issues with FTP (Cont'd)
- FTP in active mode makes it difficult to implement packet-based firewalls, because the server needs to initiate the data connection: the client-side firewall has to admit an inbound connection from the server's port 20 to whatever port the client announced
- Bounce attack: the client's PORT command names the address and port for the data connection, so an attacker can direct the FTP server to open connections to a third host instead of to the attacker's own
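The PORT command at the root of both problems, as an added Python example (not code from the slides or from any FTP server): a parser for the RFC 959 PORT argument, the data-connection tuple a packet filter would have to permit for active mode, and the server-side check that defeats the bounce attack by refusing any PORT that does not name the control connection's own peer address on a non-privileged port. The addresses are constructed from the documentation ranges.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)


def parse_port(cmd):
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), as specified in RFC 959."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def active_data_connection(server_ip, cmd):
    """The connection a client-side packet filter would have to admit for this transfer:
    from the server's port 20 to the address/port the client just announced. The client
    port is chosen per transfer, which is why a static filter cannot express the rule."""
    client_ip, client_port = parse_port(cmd)
    return {"src": (server_ip, 20), "dst": (client_ip, client_port)}


def check_port(cmd, control_peer_ip):
    """Server-side bounce-attack mitigation. Returns (accepted, FTP reply line)."""
    try:
        ip, port = parse_port(cmd)
    except ValueError as e:
        return False, f"501 Syntax error in parameters: {e}"
    if ip != control_peer_ip:
        return False, "500 Illegal PORT command: address differs from the control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, "200 PORT command successful"


# Constructed scenario: the client is 203.0.113.10; 198.51.100.25 is an unrelated third host.
CLIENT = "203.0.113.10"
SERVER = "192.0.2.21"
CASES = {
    "legit":      "PORT 203,0,113,10,4,1",      # client's own address, port 1025
    "bounce":     "PORT 198,51,100,25,0,25",    # third host, port 25: relay to someone's SMTP
    "privileged": "PORT 203,0,113,10,0,25",     # own address but port 25
    "malformed":  "PORT 203,0,113,10,4",
    "overflow":   "PORT 300,0,113,10,4,1",
}


def demo():
    return {name: check_port(cmd, CLIENT) for name, cmd in CASES.items()}


if __name__ == "__main__":
    print(active_data_connection(SERVER, CASES["legit"]))
    for name, (ok, reply) in demo().items():
        print(f"{name:10} {'accept' if ok else 'reject'}  {reply}")
```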
Telnet Risks
- Username, password and other session data are transmitted over the network in clear
- In (shared-medium) Ethernet, packets sent between computers are actually delivered to every computer on the wire; Telnet session packets are vulnerable throughout their journey
- ISPs have had a single computer compromised, and every Telnet connection passing through it had its password sniffed
- A second danger of Telnet is session hijacking: after you log in using your password, the attacker can seize control of the session and type whatever commands he wishes
What is SSH?
- SSH: Secure Shell
- A software
  Commercial version
  Free version (OpenSSH, www.openssh.com)
- A protocol for secure remote login and many other network services
  SSH-1 developed in 1995 by Tatu Ylönen in Finland
  Internet Engineering Task Force (IETF) draft in 1995