+ All Categories
Home > Documents > INSE 6130 Operating System Security - …users.encs.concordia.ca/home/w/wang/lecture/lecture/...INSE...

INSE 6130 Operating System Security - …users.encs.concordia.ca/home/w/wang/lecture/lecture/...INSE...

Date post: 09-May-2018
Upload: doankhuong
View: 231 times
Download: 1 times
Share this document with a friend
of 41 /41
INSE 6130 Operating System Security Secure Booting Prof. Lingyu Wang 1

INSE 6130 Operating System Security

Secure Booting

Prof. Lingyu Wang



AEGIS: Secure Bootstrap ArchitectureTPM: Trusted Platform Module


The ProblemThe Problem

All security controls are initiated by ... what?h b k l/b /h d ?Why are we so sure about our kernel/bios/hardware?

What if we were insecure from the very beginning?

Network Service Security

Access ControlAccess Control


Auditing and Logging


Recall the “Smartest Hack of All Time”Recall the Smartest Hack of All Time

Ken Thompson, in his 1983 Turing Award lecture, admitted a back door he created in early UNIX versionsadmitted a back door he created in early UNIX versions

CompilerClean Source of Compiler

UNIXClean Source of UNIX

If you start insecure, you always end up insecure

Kenneth Thompson and Dennis Ritchie


OS Boot ProcessOS Boot Process

Problem: many things could already go wrong beforealready go wrong before your OS security controls can ever come into effect!

Operating System

User Programs

Operating System

(security control)

Expanded ROMsBoot Block (MBR,GRUB)




Solution: AEGIS ArchitectureSolution: AEGIS Architecture

User ProgramsEach level needs to verify its upper level’s integrity

Level 5

Operating System

its upper level s integrity before the control is passed

Level 0 is secureLevel 4

Boot Block (MBR,GRUB)We assume it is

If level i can ensure level i+1 is secure, then all levels will b ( i l

Level 3

Expanded ROMsbe secure (a simple mathematical induction)

Level 2

BIOS section1

BIOS section2


Level 1


POSTtrustedLevel 0

Integrity ChainingIntegrity Chaining

How does level i ensures integrity of level i+1 ?l d l f l lLevel i stores a digital signature of level i+1

What if this signature is altered?Th i t i t f l l iThe signature is part of level iSo level i-1 will detect the modification

d d

BIOS section2

Expanded ROMsExpanded ROMs





What If The Check Fails?What If The Check Fails?

The boot process will be terminated if a check f il t l lfails at any level

Good for integrity, bad for availability

Recovery mechanismsRecovery mechanismsThe system will boot into a small recovery kernel in ROM (like safe mode of OS)ROM (like safe mode of OS)Then recover either from ROM cards or from network hosts

Again, why can we trust what we trust?Bottom line: hacking hardware is more difficult than


ghacking software


AEGIS: Secure Bootstrap ArchitectureTPM: Trusted Platform Module


BackgroundBackgroundExtending the ideas of AEGISTCG (T t d C ti G )TCG (Trusted Computing Group)

Industry standards body w/ 135 members including component vendors, software developers, systems p , p , yvendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun

Key componentKey componentTPM (Trusted Platform Module) chipRoughly the AEGIS ROM rolegShipped in hardware: Thinkpad, Lifebook, etc.Supported by software: Windows Vista, Trusted GRUB etc



Architecture of TPMArchitecture of TPM

11Borrowed from Dan Boneh’s slides here

How Does TPM WorkHow Does TPM Work

Very similar to AEGIS

12Borrowed from Dan Boneh’s slides here


What Else Can Be AchievedWhat Else Can Be Achieved

Besides ensuring the integrity of booting process?Encrypted partitions

Offline security (stolen laptops): only verified software can decrypt the partitionscan decrypt the partitionsEase data deletion/machine recycling: just change TPM to remove the decryption keyyp y


INSE 6130 Operating System Security

Securing Network Services

Prof. Lingyu Wang



Overviewinetd/xinetdtcp_wrapper iptablesTelnet/FTP/SSH


“Any Problem in Computer Science Can Be Solved with A th L f I di ti (Ab t ti )”Another Layer of Indirection (Abstraction)”

ISO/OSI model vs TCP/IP suite

Application layer

Presentation layer

Application layer HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, FTPPresentation layer

Session layer


,BitTorrent, …

TCP UDP RTP SSLTransport layer

Network layer

Transport layer

Internet layer


IPv4, IPv6 … IPSEC

Data link layer

Physical layer

Data link layer

Physical layer

Ethernet, Wi-Fi, Token ring, FDDI,PPP…

RS-232, 10BASE-T, …


y y y y , ,

Network ModelNetwork Model(Conceptual/physical) communications

Application layerApplication layerApplication layer Application layerApplication layer

Presentation layer

Session layer

Application layer

Presentation layer

Session layer

Transport layer

Internet layer

Session layer

Transport layer

Network layer

Session layer

Transport layer

Network layer Network layer y

Data link layer

Physical layer

Network layer

Data link layer

Physical layer

Network layer

Data link layer

Physical layer

Network layer

Data link layer

Physical layer


y y

Alice Bob

Physical layerPhysical layer Physical layer



Basic defense in UNIX/LiUNIX/Linux:

Iptables-based firewall + tcp wrapper + xinetdtcp_wrapper + xinetdIt’s basic, so you too should have itIt’s basic, so you shouldn’t depend on it



Overviewinetd/xinetdtcp_wrapper iptablesTelnet/FTP/SSH


The UNIX Internet Daemon (inetd)The UNIX Internet Daemon (inetd)

inetd is a ‘super’ serverb f h dIt runs at boot time as part of the startup procedure

It examines /etc/inetd.conf to determine which network services are under its controlnetwork services are under its control

No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility)

Th li t t th tThen listen to those portsUpon a connection request, inetd starts the appropriate serverappropriate server


The UNIX Internet Daemon (inetd)( )

A sample inetd.conf file might look like this:# Internet server configuration database# Internet server configuration database #ftp stream tcp nowait root /usr/etc/ftpd ftpd #telnet stream tcp nowait root /usr/etc/telnetd telnetd #shell stream tcp nowait root /usr/etc/rshd rshd p#login stream tcp nowait root /usr/etc/rlogind rlogind ……#echo stream tcp nowait root internal #daytime stream tcp nowait root internal #time stream tcp nowait root internal #echo dgram udp wait root internal

ServiceSocket type

protocol type

Re-use server

user Command/argument

Routinely check the file


Routinely check the fileAfter break ins, services may be installed for later use

xinetdxinetdA replacement for inetd

Fedora is not shipped with inetd; it uses xinetdFedora is not shipped with inetd; it uses xinetdIs better

Providing access control to services based onProviding access control to services based on Address/(domain) name of remote host, and time of access

Can alleviate DOS by placing limits onThe n mbe of p o esses fo ea h se i eThe number of processes for each serviceThe number of processes it will fork The size of log files it creates Th b f ti i l h t i iti tThe number of connections a single host can initiate Rate of incoming connections

Extensive logging abilities





tcp wrappertcp_wrapper

tcp_wrapper does the following:(Optionally) sends a "banner" to connecting clientCompares hostname/requested service with a (negative) ACL(negative) ACLIf denied, tcpwrapper drops the connectionLogs the results with syslogg y g

AdvantagesTransparent to both the client and the wrapped p ppnetwork serviceCentralized management of multiple protocols


tcp wrapper Configurationtcp_wrapper Configuration

Configuration files decide which connections to taccept

/etc/hosts.allow and /etc/hosts.deny

When a connection reaches tcpwrapper:When a connection reaches tcpwrapper:It reads /etc/hosts.allow to match a rule and executes the specified actionsthe specified actionsIf no match, it checks /etc/hosts.deny to match a rule and then denies accessIf still no match, it handles the request to server

At most one rule is executed


On a first-come-first-serve basis

tcp wrapper Configuration Languagetcp_wrapper Configuration Language

Format of /etc/hosts.allow and/etc/hosts.deny: d l l h l [ ]daemon_list : client_host_list [: option : option ... ]

daemon_list Command name of a list of servicesCommand name of a list of servicesWildcard ALL

client_host_list The hostname or IP address of clientsWildcard ALL, LOCAL, KNOWN, UNKNOWN, PARANOID

option : optionoption : option…Actions (e.g., allow, deny, etc.).


tcp wrapper Example 1tcp_wrapper Example 1To allow all connections except those from the domain pirate net:domain pirate.net:## /etc/hosts.allow:/ /## Allow anybody to connect to our machine except# l f i t t# people from pirate.net#all : .pirate.net : denyall : .pirate.net : denyall : all : allow


What if the order is reversed?

tcp wrapper Example 2tcp_wrapper Example 2

To only allow finger by internal machines:## # /etc/hosts.allow: # # finger for insiders only ### in.fingerd : LOCAL : allow in.fingerd : ALL : twist /usr/local/bin/some_message

What if the order is reversed?


tcp wrapper Example 3tcp_wrapper Example 3

If you discover repeated break-in attempts th h t l t d l i b t d tthrough telnet and rlogin, but you need to telnet into your computer from concordia.ca:

## # /etc/hosts.allow: # # All t l t &# Allow telnet & # rlogin from concordia.ca, but nowhere else # telnetd,rlogind : concordia.ca : allow telnetd,rlogind : all : deny


tcp wrapper Utilitiestcp_wrapper Utilitiestcpdchk scans the configuration file and reports configuration errorsg

% tcpdchk Warning: /etc/host.allow, line 24, iphone: no such process name in /etc/inetd.conf (/etc/host allow or /etc/inetd conf are inconsistent)(/etc/host.allow or /etc/inetd.conf are inconsistent)

Tcpdmatch simulates a request and see the result% tcpdmatch sshd [email protected]: hostname whitehouse govclient: hostname whitehouse.govclient: address username bushserver: process sshdserver: process sshdmatched: /etc/hosts.deny line 39option : denyaccess: denied


access de ed%


Overviewinetd/xinetdtcp_wrapper iptablesTelnet/FTP/SSH



Where it isk l 2 l d lIn Linux kernel 2.4 or later, a command line program

What it is forD fi l f filt i k tDefine rules for filtering packets

What it isTh ee chains of les INPUT OUTPUT FORWARDThree chains of rules, INPUT, OUTPUT, FORWARDFirst come first serve

input output


host forward

iptables Example 1iptables Example 1

iptables -A INPUT -s -j DROP d l h-A: append to rule chain INPUT

-s: source address (IP or DNS name)j: action (DROP DENY ACCEPT)-j: action (DROP, DENY, ACCEPT)

So what does this mean?

What about this:

iptables -A OUTPUT -d -j DROPp j


iptables Example 2iptables Example 2

iptables -A INPUT -s -p tcp --d ti ti t t l t j DROPdestination-port telnet -j DROP

-p: protocol (TCP, UDP, ICMP, etc.)--destination-port: (or source-port)--destination-port: (or –source-port)/24: subnet mask (CIDR)

i t bl A INPUT t d ti ti t t l t iiptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP

i: input interface (or o)-i: input interface (or –o)

Iptables –L, –F, -I INPUT 1, -R INPUT 1-L: list F: flush I: insert R: replace


-L: list –F: flush –I: insert –R: replace

iptables Example 3iptables Example 3

iptables -A INPUT -i wan1 -p tcp --syn -j DROP k--syn: syn packet

iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP

!: not equal

iptables -P FORWARD ACCEPT Default policyp y



p // g/



inetd/xinetdtcp_wrapper iptables

BitTorrent, …



IPv4, IPv6 … IPSEC

Ethernet, Wi-Fi, Token ring, FDDI,PPP…

RS-232 10BASE-T


RS 232, 10BASE T, …

FTP: Separate Control, DataFTP: Separate Control, Data

Client contacts server at port 21, obtains authorization over control connection, browses remote directory by commands over control connection

Serverreceives a command for a file transfer, opens a TCP , pdata connection to client, closes connection, maintains “state”: current directory, earlier authentication

TCP control connectionport 21




TCP data connectionport 20

Security Issues with FTPSecurity Issues with FTPPasswords typed to FTP areto FTP are transmitted in clear


Security Issues with FTP (Cont’d)Security Issues with FTP (Cont d)FTP in active mode makesmode makes it difficult to implement

k t b dpacket-based firewalls

Because server needs to initiate the data connectionBounce attack


Telnet RisksTelnet Risks

Username, Password and other session data are t itt d th t k i ltransmitted over the network in clear

In Ethernet, packets sent between computers are actually delivered to every computer on the wireactually delivered to every computer on the wire Telnet session packets are vulnerable throughout their journey

ISPs have a single computer compromised and every Telnet connection passing through it had its password sniffed

A second danger of Telnet is session hijackingA second danger of Telnet is session hijacking After you log in using your password, the attacker can seize control of the session and type whatever


commands he wishes

What is SSH?What is SSH?

SSH – Secure ShellA software

Commercial versionFreeware (www.openssh.com)

A protocol l / h kFor secure remote login/many other network services

SSH-1 developed in 1995 by Tatu Ylönen in FinlandInternet Engineering Task Force (IETF) Draft in 1995Internet Engineering Task Force (IETF) Draft in 1995