CIS 5373 – Systems SecurityTopic 3.1: OS Security – Basics of secure design
Endadul Hoque
Slide Acknowledgment
• Contents are based on slides from Ninghui Li (Purdue), John Mitchell (Stanford), Dan Boneh(Stanford)
2
What security goals does an operating system provide?
3
• Originally: time-sharing computers: enabling multiple users to securely share a computer
– Separation and sharing of processes, memory, files, devices, etc.
• What is the threat model?
– Users may be malicious, users have terminal access to computers, software may be malicious/buggy, and so on
• Security mechanisms
– Memory protection
– Processor modes
– User authentication
– File access control
• More recent past and present: Networked desktop computers: ensure secure operation in networked environment
• New threat?
– Attackers coming from the network. Network-facing programs on computers may be buggy. Users may be hurt via online communication.
• Security mechanisms
– Authentication; Access Control
– Secure Communication (using cryptography)
– Logging & Auditing
– Intrusion Prevention and Detection
– Recovery 4
What security goals does an operating system provide?
• Present and near future: mobile computing devices
• New threat?
– Apps (programs) may be malicious or questionable.
– More tightly connected with personal life of the owner.
• Security mechanisms?
– Isolation of each app.
– Help users assess risks of apps.
– Risk communication. 5
What security goals does an operating system provide?
Principles of Secure Design
• Compartmentalization– Isolation
– Principle of least privilege
• Defense in depth– Use more than one security mechanism
– Secure the weakest link
– Fail securely
• Keep it simple
6
Principles of Least Privilege
• Principle of Least Privilege
– A system module should only have the minimal privileges needed for its intended purposes
• What’s a privilege?
– Ability to access or modify a resource
• Assumes compartmentalization and isolation
– Separate the system into isolated compartments
– Limit interaction between compartments
7
Monolithic design
8
System
Network
User input
File system
Network
User device
File system
Monolithic design
9
System
Network
User input
File system
Network
User device
File system
Monolithic design
10
System
Network
User input
File system
Network
User device
File system
Component design
11
Network
User input
File system
Network
User display
File system
Component design
12
Network
User input
File system
Network
User display
File system
Component design
13
Network
User input
File system
Network
User display
File system
Example: Mail Agent
• Requirements
– Receive and send email over external network
– Place incoming email into local user inbox files
• Sendmail
– Traditional Unix
– Monolithic design
– Historical source of many vulnerabilities
• Qmail
– Compartmentalized design
14
Memory Protection: Access Control to Memory
• Ensures that one user’s process cannot access other’s memory– fence
– relocation
– base/bounds register
– segmentation
– paging
– …
• Operating system and user processes need to have different privileges
15Reading: http://flylib.com/books/en/4.270.1.46/1/
CPU modes (aka Processor modes or privilege)
• System mode (privileged mode, master mode, supervisor mode, kernel mode)
– Can execute any instruction
– Can access any memory locations, e.g., accessing hardware devices,
– Can enable and disable interrupts,
– Can change privileged processor state,
– Can access memory management units,
– Can modify registers for various descriptor tables
16
Reading: http://en.wikipedia.org/wiki/CPU_modes
CPU modes (aka Processor modes or privilege)
• User mode
– Access to memory is limited,
– Cannot execute some instructions
– Cannot disable interrupts,
– Cannot change arbitrary processor state,
– Cannot access memory management units
• Transition from user mode to system mode can only happen via well defined entry points, i.e., through system calls
17
Reading: http://en.wikipedia.org/wiki/CPU_modes
System Calls
• Guarded gates from user mode (space, land) into kernel mode (space, land)– use a special CPU instruction (often an
interruption) to transfer control to predefined entry point in more privileged code
– allows the more privileged code to specify where it will be entered as well as important processor state at the time of entry
– the higher privileged code, by examining processor state set by the less privileged code and/or its stack, determines what is being requested and whether to allow it
18
Reading: http://en.wikipedia.org/wiki/System_call
Kernel space vs User space
• Part of the OS runs in the kernel model
– known as the OS kernel
• Other parts of the OS run in the user mode, including service programs (daemon programs), user applications, etc.
– they run as processes
– they form the user space (or the user land)
• Why is root user more powerful than normal users?
19
Privilege Levels
• Security is often achieved by running control/protection code at a higher privilege level
• Components running at the same level can be isolated by a higher-privilege component
• If attack and defense are at the same level, then it is an arms’ race and there can be no guarantee
20
ISOLATION – THE CONFINEMENT PRINCIPLE
OS Security
21
Running untrusted code
• We often need to run buggy/unstrusted code:
– programs from untrusted Internet sites:• apps, extensions, plug-ins, codecs for media player
– exposed applications: pdf viewers, outlook
– legacy daemons: sendmail, bind
– Honeypots
• Goal: if application “misbehaves” ⇒ kill it
22
Approach: Confinement
Confinement: ensure misbehaving app cannot harm rest of system
Can be implemented at many levels:
– Hardware: run application on isolated hw (air gap)
⇒ difficult to manage23
air gap network 1Network 2
app 1 app 2
Approach: Confinement
Confinement: ensure misbehaving app cannot harm rest of system
Can be implemented at many levels:
– Virtual machines: isolate OS’s on a single machine
24
Virtual Machine Monitor (VMM)
OS1 OS2
app1 app2
Approach: Confinement
Confinement: ensure misbehaving app cannot harm rest of system
Can be implemented at many levels:
– Process: System Call Interposition
Isolate a process in a single operating system
25
Operating System
process 2
process 1
Approach: Confinement
Confinement: ensure misbehaving app cannot harm rest of system
Can be implemented at many levels:
– Threads: Software Fault Isolation (SFI)
• Isolating threads sharing same address space
– Application: e.g. browser-based confinement
26
Implementing Confinement
• Key component: reference monitor
– Mediates requests from applications• Implements protection policy
• Enforces isolation and confinement
– Must always be invoked:• Every application request must be mediated
– Tamperproof:• Reference monitor cannot be killed
• … or if killed, then monitored process is killed too
– Small enough to be analyzed and validated
27
System call interposition
• Observation: to damage host system (e.g. persistent changes) app must make system calls:
– To delete/overwrite files: unlink, open, write
– To do network attacks: socket, bind, connect, send
• Idea: monitor app’s system calls and block unauthorized calls
• Implementation options:
– Completely kernel space (e.g. GSWTK)
– Completely user space (e.g. program shepherding)
– Hybrid (e.g. Systrace)
28
System call interposition
Linux ptrace: process tracing
process calls: ptrace (… , pid_t pid , …)
and wakes up when pid makes sys call.
Monitor kills application if request is disallowed29
OS Kernel
monitoredapplication
(browser)monitor
user space
open(“/etc/passwd”, “r”)
System call interposition
• If app forks, monitor must fork
– Forked-monitor monitors forked-app
• If monitor crashes, app must be killed
• Monitor must maintain all OS state associated with app
– current-working-dir (CWD), UID, EUID, GID
– When app does “cd path” • monitor must update its CWD
• otherwise: relative path requests interpreted incorrectly
30
cd(“/tmp”)open(“passwd”, “r”)
cd(“/etc”)open(“passwd”, “r”)
Complications:
Virtual Machines
31
Virtual Machine Monitor (VMM)
Guest OS 2
Apps
Guest OS 1
Apps
Hardware
Host OS
VM2 VM1
VMM security assumption
VMM Security assumption:
– Malware can infect guest OS and guest apps
– But malware cannot escape from the infected VM
• Cannot infect host OS
• Cannot infect other VMs on the same hardware
Requires that VMM protect itself and is not buggy
– VMM is much simpler than full OS
… but device drivers run in Host OS32
Problem: Covert channels
• Covert channel: unintended communication channel between isolated components
– Can be used to leak classified data from secure component to public component
33
Classified VM Public VM
secretdoc
ma
lwa
re
listenercovert
channel
VMM
An example covert channel
• Both VMs use the same underlying hardware
• To send a bit b ∈ {0,1} malware does:
– b = 1: at 1:00am do CPU intensive calculation
– b = 0: at 1:00am do nothing
• At 1:00am listener does CPU intensive calc. and measures completion time
– b = 1 ⇒ completion-time > threshold
• Many covert channels exist in running system:
– File lock status, cache contents, interrupts, …
– Difficult to eliminate all34
VMM introspection – protecting IDS/AV systems
Intrusion detection / Anti-virus
• Runs as part of OS kernel and user space process
– Kernel root kit can shutdown protection system
– Common practice for modern malware
• Standard solution: run IDS system in the network
– Problem: insufficient visibility into user’s machine
35
VMM introspection – protecting IDS/AV systems
Better: run IDS as part of VMM (protected from malware)
– VMM can monitor virtual hardware for anomalies
– VMI: Virtual Machine Introspection
• Allows VMM to check Guest OS internals
36
Infected VMma
lwa
re
VMM
Guest OS
Hardware
IDS
Subversion of VMI is possible
Coming up
• Access control
37