INSE 6130 Operating System Security

Date post: 18-Dec-2021
Upload: others
View: 8 times
Download: 0 times
Share this document with a friend
Embed Size (px)
of 21 /21
Secure Booting (handout 9)
Prof. Lingyu Wang
Overview
AEGIS: Secure Bootstrap Architecture
TPM: Trusted Platform Module
The Problem
All security controls are started by ... what? Why are we so sure about our kernel, BIOS and hardware?
Recall the "Smartest Hack of All Time"
Ken Thompson, in his 1983 Turing Award lecture ("Reflections on Trusting Trust"), admitted a back door he created in early UNIX versions
The back door lived in the C compiler: it inserted itself into login and re-inserted itself into any compiler built from clean source, so inspecting the UNIX source showed nothing
[Figure: the clean source of UNIX versus the compiled system; photo of Kenneth Thompson and Dennis Ritchie]
Problem: many things could already go wrong before your OS security controls can ever come into effect!
[Figure: the boot chain, from Expanded ROMs to the Boot Block (MBR, GRUB) to the Operating System (where the security controls live) to User Programs]
Solution: AEGIS Architecture
Each level needs to verify the integrity of the next level up before control is passed to it
[Figure: Level 0 at the bottom up to Level 5 (User Programs), with the Expanded ROMs among the lower levels]
Level 0 is secure: we assume it is
If level i can ensure level i+1 is secure, then all levels will be secure (a simple mathematical induction)
Integrity Chaining
How does level i ensure the integrity of level i+1? Level i stores a digital signature of level i+1 and checks it before passing control
What if this signature is altered? The signature is part of level i, so level i-1 will detect the modification when it checks level i
What If The Check Fails?
The boot process will be terminated if a check fails at any level
Good for integrity, bad for availability
Recovery mechanisms: the system will boot into a small recovery kernel in ROM (like the safe mode of an OS), then recover either from ROM cards or from network hosts
Again, why can we trust what we trust? Bottom line: hacking hardware is more difficult than hacking software
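The chaining and abort-on-failure behaviour described above, as an added worked example (not code from these slides or from AEGIS itself): a five-level chain in which each level carries a SHA-256 digest of the next level, standing in for the digital signature the slides describe. The level names, image contents and the "recovery kernel" message are this example's own assumptions.

```python
"""AEGIS-style integrity chaining: each level stores the digest of the next
level and checks it before handing over control. Added example, not the
lecture's code; SHA-256 digests stand in for the digital signatures the
slides describe, and the level names are hypothetical."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Level:
    name: str
    code: bytes               # the level's executable image
    next_digest: bytes = b""  # digest of level i+1, stored inside level i


def digest(level: Level) -> bytes:
    # The stored digest is part of the level, so tampering with the digest
    # held at level i changes the digest of level i itself (level i-1 sees it).
    return hashlib.sha256(level.code + level.next_digest).digest()


def build_chain(images: Dict[str, bytes]) -> List[Level]:
    """Link the levels: compute digests from the top level downwards."""
    levels = [Level(name, code) for name, code in images.items()]
    for i in range(len(levels) - 2, -1, -1):
        levels[i].next_digest = digest(levels[i + 1])
    return levels


def secure_boot(levels: List[Level]) -> Tuple[bool, str]:
    """Level 0 is assumed secure. Level i verifies level i+1 before passing
    control; on a mismatch the normal boot stops and the recovery path is
    taken instead. Returns (booted, last level reached or recovery note)."""
    for i in range(len(levels) - 1):
        if digest(levels[i + 1]) != levels[i].next_digest:
            return False, (f"halt at {levels[i].name}: {levels[i + 1].name} "
                           "failed its check; boot the ROM recovery kernel")
    return True, levels[-1].name


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed images for a five-level chain (hypothetical contents).
    images = {"bios": b"bios-v1", "expanded_roms": b"nic-rom",
              "boot_block": b"grub-stage1", "os": b"kernel-5.x",
              "user_programs": b"/sbin/init"}
    results = {}
    results["clean"] = secure_boot(build_chain(images))

    # Attacker replaces the OS image after the chain was built.
    chain = build_chain(images)
    chain[3].code = b"kernel-with-rootkit"
    results["tampered_os"] = secure_boot(chain)

    # Attacker also rewrites the digest stored in the boot block so that the
    # OS check passes; level 1 now catches the modified boot block instead.
    chain = build_chain(images)
    chain[3].code = b"kernel-with-rootkit"
    chain[2].next_digest = digest(chain[3])
    results["tampered_os_and_digest"] = secure_boot(chain)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```

The second tamper case is the point of the "what if this signature is altered?" slide: fixing up the digest stored in level 2 only moves the mismatch one level down, where level 1's stored digest of level 2 no longer matches.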
Background
Extending the ideas of AEGIS: TCG (Trusted Computing Group)
Industry standards body with 135 members including component vendors, software developers, systems vendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun
Key component: the TPM (Trusted Platform Module) chip
Roughly the AEGIS ROM role
Shipped in hardware: ThinkPad, LifeBook, etc.
Supported by software: Windows Vista, Trusted GRUB, etc.
How Does TPM Work
Very similar to AEGIS: each boot stage is measured (hashed) into the TPM before it runs, so the TPM holds a record of what actually booted
Besides ensuring the integrity of the boot process: encrypted partitions
Offline security (stolen laptops): only verified software can decrypt the partitions, because the TPM releases the decryption key only when the recorded measurements match the expected ones
Easy data deletion and machine recycling: just clear or replace the TPM to destroy the decryption key
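A toy measured boot with key sealing, added here to make "very similar to AEGIS" concrete; it is not code from the slides or from any TPM implementation. The extend formula is the TPM's own (PCR = H(PCR || H(measurement))); the ToyTPM class, its seed, the sealing construction and the stage images are this example's assumptions, and the seal is modelled with HMAC rather than the TPM's real key hierarchy.

```python
"""Measured boot with a TPM-style PCR and key sealing. Added example, not the
lecture's code. The TPM is a toy class whose internal seed stands in for the
chip's storage root key; the boot-stage images are constructed."""
import hashlib
import hmac
from typing import List, Optional


class ToyTPM:
    def __init__(self, seed: bytes) -> None:
        self._seed = seed          # secret that never leaves the "chip"
        self.pcr = bytes(32)       # the PCR is all-zero after a reset

    def extend(self, measurement: bytes) -> bytes:
        # Extend is one-way and order-dependent: the PCR can only be reset by
        # a reboot, and every boot stage contributes in sequence.
        m = hashlib.sha256(measurement).digest()
        self.pcr = hashlib.sha256(self.pcr + m).digest()
        return self.pcr

    def _wrap_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._seed, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, key: bytes, expected_pcr: bytes) -> bytes:
        """Bind a 32-byte key to a PCR value: the blob is key XOR wrap plus an
        authentication tag, so unsealing under any other PCR value fails."""
        wrap = self._wrap_key(expected_pcr)
        ct = bytes(a ^ b for a, b in zip(key, wrap))
        tag = hmac.new(wrap, ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Release the key only if the current PCR equals the sealed one."""
        ct, tag = blob[:32], blob[32:]
        wrap = self._wrap_key(self.pcr)
        if not hmac.compare_digest(hmac.new(wrap, ct, hashlib.sha256).digest(), tag):
            return None            # measurements differ: the TPM refuses
        return bytes(a ^ b for a, b in zip(ct, wrap))


def measured_boot(tpm: ToyTPM, stages: List[bytes]) -> bytes:
    """Each stage measures the next one into the PCR before running it."""
    for image in stages:
        tpm.extend(image)
    return tpm.pcr


def boot_and_unseal(seed: bytes, stages: List[bytes], blob: bytes) -> Optional[bytes]:
    tpm = ToyTPM(seed)             # a reboot resets the PCR
    measured_boot(tpm, stages)
    return tpm.unseal(blob)


# Constructed boot stages and secrets (hypothetical contents).
GOOD_STAGES = [b"bios-v1", b"grub-stage1", b"kernel-5.x", b"initrd"]
CHIP_SEED = b"factory-seed-of-this-particular-tpm"
DISK_KEY = hashlib.sha256(b"volume key").digest()


def provision() -> bytes:
    """Initial install: boot the trusted stack and seal the disk key to it."""
    tpm = ToyTPM(CHIP_SEED)
    return tpm.seal(DISK_KEY, measured_boot(tpm, GOOD_STAGES))


def demo() -> dict:
    blob = provision()
    evil = GOOD_STAGES[:2] + [b"kernel-with-rootkit", b"initrd"]
    swapped = [GOOD_STAGES[1], GOOD_STAGES[0]] + GOOD_STAGES[2:]
    return {
        "good_boot": boot_and_unseal(CHIP_SEED, GOOD_STAGES, blob),
        "tampered_kernel": boot_and_unseal(CHIP_SEED, evil, blob),
        "stages_reordered": boot_and_unseal(CHIP_SEED, swapped, blob),
        "tpm_replaced": boot_and_unseal(b"different-chip", GOOD_STAGES, blob),
    }
```

The last case is the "machine recycling" point: with a different chip (or a cleared one) the sealed blob is useless even though every boot stage is unchanged.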
Securing Network Services
“Any Problem in Computer Science Can Be Solved with Another Layer of Indirection (Abstraction)”
[Figure: the OSI layers (Application, Presentation, Session, Transport, ...) beside the TCP/IP layers (Application, Transport, Internet, ...), with examples at the top and bottom: HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, BitTorrent, ...; RS-232, 10BASE-T, ...]
Basic defense in UNIX/Linux: iptables-based firewall + tcp_wrapper + xinetd
It's basic, so you too should have it
It's basic, so you shouldn't depend on it
The UNIX Internet Daemon (inetd)
inetd is a 'super' server
It runs at boot time as part of the startup procedure
It examines /etc/inetd.conf to determine which network services are under its control, then listens on those ports
Upon a connection request, inetd starts the
No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility)
A sample inetd.conf file might look like this:
# Internet server configuration database
#ftp     stream  tcp  nowait  root  /usr/etc/ftpd     ftpd
#telnet  stream  tcp  nowait  root  /usr/etc/telnetd  telnetd
#shell   stream  tcp  nowait  root  /usr/etc/rshd     rshd
#login   stream  tcp  nowait  root  /usr/etc/rlogind  rlogind
......
#echo    stream  tcp  nowait  root  internal
#daytime stream  tcp  nowait  root  internal
#time    stream  tcp  nowait  root  internal
#
Fields: service, socket type, protocol, wait/nowait, user, command (server program) and its arguments; a leading # disables the entry, and "internal" means inetd serves the request itself
Routinely check this file: after a break-in, services may be installed in it for later use
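An added example of that routine check, not code from the lecture: a small audit over a constructed inetd.conf and a baseline of the services that were known to be enabled at the last check. The configuration text, the baseline and the risk categories are this example's own; the last line of the sample is a made-up entry of the kind the slide warns about.

```python
"""Audit of an inetd.conf, as the routine check the slides recommend. Added
example, not the lecture's code. The configuration text and the baseline are
constructed; the 'ingreslock' entry models a service dropped in after a
break-in; the risk categories are this example's own choices."""
from typing import List, Set, Tuple

SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
#ftp       stream  tcp  nowait  root   /usr/etc/ftpd     ftpd
telnet     stream  tcp  nowait  root   /usr/etc/telnetd  telnetd
#shell     stream  tcp  nowait  root   /usr/etc/rshd     rshd
login      stream  tcp  nowait  root   /usr/etc/rlogind  rlogind
finger     stream  tcp  nowait  nobody /usr/etc/fingerd  fingerd
echo       stream  tcp  nowait  root   internal
daytime    stream  tcp  nowait  root   internal
ingreslock stream  tcp  nowait  root   /bin/sh           sh -i
"""

# Services whose credentials and session data cross the wire in the clear.
CLEARTEXT = {"telnet", "ftp", "shell", "login", "exec", "rsh", "rlogin"}
# Interpreters that have no business being served directly on a port.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/usr/bin/perl"}


def parse_inetd_conf(text: str) -> List[dict]:
    """Return the enabled (uncommented) entries as dicts of the seven fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed; real inetd logs and skips
        entries.append({
            "service": fields[0], "socket": fields[1], "proto": fields[2],
            "wait": fields[3], "user": fields[4].split(".")[0],  # user[.group]
            "program": fields[5], "args": fields[6:],
        })
    return entries


def audit(text: str, baseline: Set[str]) -> List[Tuple[str, str]]:
    """Findings as (service, reason), in file order."""
    findings = []
    for e in parse_inetd_conf(text):
        svc, prog = e["service"], e["program"]
        if svc not in baseline:
            findings.append((svc, "not in baseline: added since last check"))
        if prog in SHELLS:
            findings.append((svc, f"serves a shell directly ({prog})"))
        if svc in CLEARTEXT:
            findings.append((svc, "cleartext protocol; replace with ssh/sftp"))
        if e["user"] == "root" and prog != "internal":
            findings.append((svc, "external server runs as root"))
    return findings


def demo() -> List[Tuple[str, str]]:
    # Baseline: the services that were enabled at the last known-good check.
    baseline = {"telnet", "login", "finger", "echo", "daytime"}
    return audit(SAMPLE_INETD_CONF, baseline)


if __name__ == "__main__":
    for service, reason in demo():
        print(f"{service:12} {reason}")
```

Keeping the baseline under version control (or in a signed file) is what turns this from a one-off listing into the "routinely check" habit the slide asks for: a diff against it is the first thing to look at after an incident.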
xinetd
A replacement for inetd; Fedora does not ship inetd, it uses xinetd, which is better
Provides access control to services based on the address or (domain) name of the remote host, and the time of access
Can alleviate DoS by placing limits on:
The number of processes for each service
The number of processes it will fork
The size of the log files it creates
The number of connections a single host can initiate
The rate of incoming connections
Extensive logging abilities
tcp_wrapper does the following:
(Optionally) sends a "banner" to the connecting client
Compares the hostname and requested service with a (negative) ACL
If denied, tcp_wrapper drops the connection
Logs the results with syslog
Transparent to both the client and the wrapped network service
Centralized management of multiple protocols
/etc/hosts.allow and /etc/hosts.deny
When a connection reaches tcp_wrapper:
It reads /etc/hosts.allow; if a rule matches, access is granted and the rule's actions are executed
If no match, it reads /etc/hosts.deny; if a rule matches, access is denied
If still no match, it hands the request to the server (access granted by default)
At most one rule is executed: the first rule that matches wins
tcp_wrapper Configuration Language
daemon_list: the command name of one or more services; wildcard ALL
client_host_list: the hostnames or IP addresses of clients; wildcards ALL, LOCAL, KNOWN, UNKNOWN, PARANOID
tcp_wrapper Example 1
To allow all connections except those from the domain pirate.net:
#
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except
# people from pirate.net
#
tcp_wrapper Example 2
To only allow finger by internal machines:
#
# /etc/hosts.allow:
#
# finger for insiders only
#
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/some message
tcp_wrapper Example 3
If you discover repeated break-in attempts through telnet and rlogin, but you need to telnet into your computer from concordia.ca:
#
# /etc/hosts.allow:
#
# Allow telnet & rlogin from concordia.ca, but nowhere else
#
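An evaluator for the hosts.allow / hosts.deny decision order, run over constructed files that implement the three examples above; added here as a worked example, not code from the lecture and not libwrap itself. It supports the daemon_list / client_list / option syntax shown on the slides (ALL, LOCAL, KNOWN, UNKNOWN, .domain, net/mask, EXCEPT, allow/deny/twist); PARANOID is left out because it needs DNS. The rule files, host names and addresses are this example's own.

```python
"""tcp_wrapper decision order, as a small evaluator. Added example, not the
lecture's code and not libwrap: a subset of the hosts_access(5) syntax over
constructed hosts.allow / hosts.deny files."""
import ipaddress
from typing import Callable, List, Optional, Tuple

HOSTS_ALLOW = """\
# finger for insiders only
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/some message
# telnet & rlogin from concordia.ca, but nowhere else
in.telnetd, in.rlogind : .concordia.ca
sshd : 10.0.0.0/255.0.0.0 EXCEPT 10.99.0.0/255.255.0.0
"""

HOSTS_DENY = """\
# nobody from pirate.net, and telnet/rlogin from nowhere else
ALL : .pirate.net
in.telnetd, in.rlogind : ALL
"""


def _parse(text: str) -> List[Tuple[int, str, str, Optional[str]]]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        option = parts[2] if len(parts) == 3 else None
        rules.append((n, parts[0], parts[1], option))
    return rules


def _tokens(s: str) -> List[str]:
    return s.replace(",", " ").split()


def _client_token_matches(tok: str, host: Optional[str], addr: str) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":                       # hostname without a dot
        return bool(host) and "." not in host
    if tok == "KNOWN":
        return host is not None
    if tok == "UNKNOWN":
        return host is None
    if tok.startswith("."):                  # domain suffix
        return host is not None and host.endswith(tok)
    if tok.endswith("."):                    # network prefix, e.g. 131.155.
        return addr.startswith(tok)
    if "/" in tok:                           # net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok == host or tok == addr


def _list_matches(lst: str, match_one: Callable[[str], bool]) -> bool:
    # "a b EXCEPT c d" matches when some of a,b match and none of c,d do
    base, _, exc = lst.partition(" EXCEPT ")
    if not any(match_one(t) for t in _tokens(base)):
        return False
    return not any(match_one(t) for t in _tokens(exc))


def decide(daemon: str, host: Optional[str], addr: str,
           allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> Tuple[str, str]:
    """Return (verdict, where it was decided). Verdict is 'allow', 'deny' or
    'twist <cmd>' (the client gets the command's output, then is dropped)."""
    for fname, text, default in (("hosts.allow", allow_text, "allow"),
                                 ("hosts.deny", deny_text, "deny")):
        for n, daemons, clients, option in _parse(text):
            if not _list_matches(daemons, lambda t: t == "ALL" or t == daemon):
                continue
            if not _list_matches(clients, lambda t: _client_token_matches(t, host, addr)):
                continue
            # First matching rule decides; an explicit option overrides the
            # file's meaning (so hosts.allow can deny and vice versa).
            verdict = default
            if option in ("allow", "deny") or (option or "").startswith("twist "):
                verdict = option
            return verdict, f"{fname} line {n}"
    return "allow", "no match: handed to the server"


def demo() -> dict:
    # Constructed requests: (daemon, resolved hostname or None, address).
    cases = {
        "finger from an inside host":     ("in.fingerd", "pc7", "192.168.1.7"),
        "finger from outside":            ("in.fingerd", "host.example.org", "198.51.100.5"),
        "telnet from concordia.ca":       ("in.telnetd", "lab.encs.concordia.ca", "203.0.113.1"),
        "telnet from elsewhere":          ("in.telnetd", "host.example.org", "198.51.100.5"),
        "ssh from the 10/8 network":      ("sshd", "box.corp.example", "10.1.2.3"),
        "ssh from the excluded 10.99/16": ("sshd", "box.corp.example", "10.99.4.4"),
        "ssh from pirate.net":            ("sshd", "x.pirate.net", "203.0.113.9"),
        "http with no rule at all":       ("in.httpd", "host.example.org", "198.51.100.5"),
    }
    return {label: decide(*args) for label, args in cases.items()}
```

The 10.99/16 case is the trap worth knowing: EXCEPT in hosts.allow only stops that allow rule from matching, the request then falls through to hosts.deny, and with no matching rule there it is allowed. A deny has to be written where the decision is actually made (in hosts.deny, or with an explicit ": deny" option), which is what Example 1's comment is asking for.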
tcp_wrapper Utilities
tcpdchk scans the configuration files and reports configuration errors:
% tcpdchk
warning: /etc/hosts.allow, line 24: iphone: no such process name in /etc/inetd.conf
(/etc/hosts.allow or /etc/inetd.conf are inconsistent)
tcpdmatch simulates a request and shows the result:
% tcpdmatch sshd bush@whitehouse.gov
client: hostname whitehouse.gov
client: address
client: username bush
server: process sshd
matched: /etc/hosts.deny line 39
option: deny
access: denied
%
iptables
Where it is: in the Linux kernel (2.4 or later), administered by a command-line program
What it is for: defining rules for filtering packets
What it is: three chains of rules, INPUT, OUTPUT and FORWARD; rules in a chain are checked in order and the first match decides
iptables Example 1
iptables -A INPUT -s -j DROP
-A: append to rule chain INPUT
-s: source address (IP or DNS name)
-j: target (DROP, REJECT, ACCEPT; DENY was the ipchains name, iptables does not have it)
So what does this mean?
What about this:
iptables Example 2
iptables -A INPUT -s -p tcp --destination-port telnet -j DROP
-p: protocol (TCP, UDP, ICMP, etc.)
--destination-port (or --source-port): port number or service name from /etc/services
/24: subnet mask (CIDR)
iptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP
-i: input interface (or -o: output interface)
iptables -L, -F, -I INPUT 1, -R INPUT 1
-L: list; -F: flush; -I: insert (here at position 1 of INPUT, i.e. ahead of every existing rule); -R: replace (the rule at position 1)
iptables Example 3
iptables -A INPUT -i wan1 -p tcp --syn -j DROP
--syn: a SYN packet (SYN set, ACK/RST/FIN clear), i.e. the start of a new incoming connection
iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP
!: not equal (newer iptables versions put the ! before the option: ! --destination-port 80)
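A first-match packet filter in the style of the examples above, added as a worked example; it is not code from the lecture and not iptables. It parses the command-line subset used on the slides (-A/-I, -s, -p, -i, --destination-port, --source-port, --syn, -j, both placements of "!") and evaluates constructed packets. The source network 192.0.2.0/24 and the host 192.0.2.7 are assumptions standing in for the address the slide leaves blank; the interface names follow the slides.

```python
"""First-match packet filtering in the style of the iptables examples. Added
example, not the lecture's code and not iptables itself: a parser for the
option subset on the slides plus an evaluator over constructed packets."""
import ipaddress
import shlex
from typing import Dict, List, Tuple

SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "www": 80}  # /etc/services subset
OPTS = {"-s": "src", "-p": "proto", "-i": "iface", "-o": "oface", "-j": "target",
        "--destination-port": "dport", "--dport": "dport",
        "--source-port": "sport", "--sport": "sport"}


def parse_rule(cmd: str) -> dict:
    toks = shlex.split(cmd)
    if toks[0] != "iptables":
        raise ValueError("not an iptables command")
    rule: dict = {"neg": set()}
    i = 1
    while i < len(toks):
        neg, t = False, toks[i]
        if t == "!":                          # new syntax: ! --dport 80
            neg, i, t = True, i + 1, toks[i + 1]
        if t in ("-A", "-I"):
            rule["action"], rule["chain"], i = t, toks[i + 1], i + 2
            if t == "-I" and i < len(toks) and toks[i].isdigit():
                rule["pos"], i = int(toks[i]), i + 1
            continue
        if t == "--syn":                      # SYN set, ACK/RST/FIN clear
            rule["syn"], i = True, i + 1
        else:
            val, i = toks[i + 1], i + 2
            if val == "!":                    # old syntax: --dport ! 80
                neg, val, i = True, toks[i], i + 1
            rule[OPTS[t]] = val
        if neg:
            rule["neg"].add("syn" if t == "--syn" else OPTS[t])
    return rule


def _port(spec: str) -> int:
    return SERVICES[spec] if spec in SERVICES else int(spec)


def matches(rule: dict, pkt: dict) -> bool:
    checks: Dict[str, bool] = {}
    if "src" in rule:
        checks["src"] = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"], strict=False)
    if "proto" in rule:
        checks["proto"] = pkt["proto"] == rule["proto"].lower()
    for k in ("dport", "sport"):
        if k in rule:
            checks[k] = pkt.get(k) == _port(rule[k])
    if "iface" in rule:
        checks["iface"] = pkt.get("iface") == rule["iface"]
    if "syn" in rule:
        checks["syn"] = bool(pkt.get("syn"))
    # Every match is ANDed; a negated match must be false to count.
    return all(not ok if k in rule["neg"] else ok for k, ok in checks.items())


class Firewall:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.chains: Dict[str, List[dict]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = policy                  # used when no rule matches

    def run(self, cmd: str) -> None:
        r = parse_rule(cmd)
        chain = self.chains[r["chain"]]
        if r["action"] == "-I":
            chain.insert(r.get("pos", 1) - 1, r)   # -I inserts, default at the top
        else:
            chain.append(r)                        # -A appends at the end

    def verdict(self, chain: str, pkt: dict) -> Tuple[str, int]:
        """Walk the chain in order; the first matching rule decides."""
        for n, r in enumerate(self.chains[chain], 1):
            if matches(r, pkt):
                return r["target"], n
        return self.policy, 0


def demo() -> Dict[str, Tuple[str, int]]:
    fw = Firewall()
    fw.run("iptables -A INPUT -s 192.0.2.0/24 -p tcp --destination-port telnet -j DROP")
    fw.run("iptables -A INPUT -i wan1 -p tcp --syn -j DROP")
    fw.run("iptables -A INPUT -i ppp0 -p tcp --syn --destination-port ! 80 -j DROP")
    tcp = lambda **kw: {"proto": "tcp", **kw}          # constructed packets
    before = fw.verdict("INPUT", tcp(src="192.0.2.7", dport=23, iface="eth0", syn=True))
    # Inserting at position 1 puts a rule ahead of the DROP: first match wins.
    fw.run("iptables -I INPUT 1 -s 192.0.2.7 -j ACCEPT")
    return {
        "telnet from 192.0.2.0/24, before insert": before,
        "telnet from 192.0.2.0/24, after insert": fw.verdict("INPUT", tcp(src="192.0.2.7", dport=23, iface="eth0", syn=True)),
        "telnet from elsewhere": fw.verdict("INPUT", tcp(src="198.51.100.1", dport=23, iface="eth0", syn=True)),
        "new connection arriving on wan1": fw.verdict("INPUT", tcp(src="198.51.100.1", dport=22, iface="wan1", syn=True)),
        "reply traffic on wan1 (no SYN)": fw.verdict("INPUT", tcp(src="198.51.100.1", sport=443, iface="wan1", syn=False)),
        "new connection to port 80 on ppp0": fw.verdict("INPUT", tcp(src="198.51.100.1", dport=80, iface="ppp0", syn=True)),
        "new connection to port 22 on ppp0": fw.verdict("INPUT", tcp(src="198.51.100.1", dport=22, iface="ppp0", syn=True)),
    }
```

The before/after pair shows why -I and -A are not interchangeable: the same telnet packet is dropped by rule 1 until an ACCEPT is inserted ahead of it, after which the DROP is never reached. The --syn cases show the classic "let replies in, block new connections" split that the ppp0 rule refines to "only new web connections".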
Outline
Overview
inetd/xinetd
tcp_wrapper
iptables
Telnet/FTP/SSH
FTP
Client contacts the server at port 21, obtains authorization over the control connection, and browses the remote directory by sending commands over the control connection
When the server receives a command for a file transfer, it opens a TCP data connection to the client, transfers the file and closes the data connection; the control connection maintains "state": current directory, earlier authentication
[Figure: FTP client and FTP server; TCP control connection on port 21, TCP data connection from port 20]
Security Issues with FTP
Passwords typed to FTP are transmitted in the clear
FTP in active mode makes it difficult to implement packet-based firewalls
Because the server needs to initiate the
Telnet Risks
Username, password and other session data are transmitted over the network in the clear
On a shared (hub-based) Ethernet, packets sent between computers are actually delivered to every computer on the wire; on a switched network the attacker first needs a mirror port or ARP spoofing, but Telnet session packets are vulnerable throughout their journey
ISPs have had a single computer compromised and every Telnet connection passing through it had its password sniffed
A second danger of Telnet is session hijacking: after you log in using your password, the attacker can seize control of the session and type whatever commands he wishes
SSH
A protocol for secure remote login and many other network services
SSH-1 developed in 1995 by Tatu Ylönen in Finland
Commercial version; freeware (www.openssh.com)