Date posted: 01-Apr-2015
Operating System Security
Qiwen Pan and Hailei Jiang
VIDEO
• http://www.youtube.com/watch?v=nHERFh7OO8c
Security Threats
Trojan Horse: A piece of code that misuses its environment. The program seems innocent enough; however, when executed, unexpected behavior occurs.
Trap Doors: Inserting a method of breaching security into a system. For instance, some secret set of inputs to a program might provide special privileges.
Threat monitoring: Look for unusual activity. Once access is gained, how do you identify someone acting in an unusual fashion?
Audit Log: Record time, user, and type of access on all objects. Trace problems back to source.
Worms: Use a spawning mechanism; standalone programs. Internet Worm: In the Internet worm, Robert Morris exploited UNIX networking features (remote access) as well as bugs in the finger and sendmail programs. A grappling hook program uploaded the main worm program.
Viruses: A fragment of code embedded in a legitimate program. Mainly affects personal PC systems. These are often downloaded via e-mail or as active components in web pages.
Typical Security Attacks
Take measures at four levels to protect the system:
• Physical
• Human
• Network
• Operating System
Windows XP Security
WINLOGON.exe
• Windows Logon Process - Winlogon.exe
• User presses CTRL+ALT+DEL
Logon and Security Subsystems
Security is based on user accounts; each user has a unique security ID.
Logging in to an ID creates a security access token.
The Local Security Authority Subsystem (LSASS) generates the access tokens that represent users on the system.
The authentication package checks that the password is correct.
The security subsystem then generates the access token containing the privileges, quota limits and group IDs.
Encrypting File System (EFS)
• Allows you to encrypt data stored on an NTFS drive
• Only the enabling user can gain access to an encrypted object
• Uses a public and private key encryption method
• The encryption process is invisible to the user
Is there a file where password information is kept in Windows XP?
• C:\WINDOWS\system32\config\SAM
• C:\WINDOWS\system32\config\SYSTEM
• MD4: a destructive (one-way hash) algorithm
Hack WinXP Admin Passwords
Log in, go to the DOS command prompt and enter these commands exactly:
  cd\
  cd\windows\system32
  mkdir temphack
  copy logon.scr temphack\logon.scr
  copy cmd.exe temphack\cmd.exe
  del logon.scr
  rename cmd.exe logon.scr
  exit
• User Name: Andy
• Password: 1234
Enter “net user Andy 1234”
TLS/SSL
• Secure Sockets Layer/Transport Layer Security
• Authentication scheme often used by Web-based applications
• Supported on Windows XP through IIS (Internet Information Server).
SSL/TLS Protocol Layers
• Handshake: negotiates session information between the client and the server
• Change Cipher Spec: changes the keying material used for encryption between the client and server
• Alert: indicates a change in status or an error condition to the peer
IP Security Policies
• Security measure added to TCP/IP
• Protects communications between two systems using that protocol
• Can be used over a RAS or WAN link
• Creates a secured point-to-point link between two systems
• Configured and enabled with the Advanced TCP/IP Settings dialog box
IP Security Policies Modes
• Transport
• Tunneling
Internet Security
• Risks:
▫ Unwittingly downloading Trojan horses or viruses
▫ Accepting malicious e-mail
▫ Allowing a remote cracker to take complete control of your computer
• Protection:
▫ Security features for standalone or LAN systems
▫ Internet Connection Firewall
Defend Your Computer
• Act Safely Online
• Install Self-Defense Software (Firewall, Anti-Virus, Anti-Malware, ...)
• Keep Your Programs Up-to-Date!
• Don't Let Another User Compromise Your Computer
• Use Administrator Rights Sparingly
• Use Strong Passwords
• Always Back Up Your Data
• Encrypt Your Data
More information about defending your computer is on the website: http://www.osnews.com/story/19701/How_to_Secure_Your_Windows_Computer_and_Protect_Your_Privacy
Linux Security
Linux has evolved into one of the most popular and versatile operating systems
its many features mean a broad attack surface, yet one can create highly secure Linux systems
will review:
Discretionary Access Controls
typical vulnerabilities and exploits in Linux
best practices for mitigating those threats
new improvements to the Linux security model
Linux Security Model
Linux's traditional security model is: people or processes with "root" privileges can do anything
other accounts can do much less
hence attackers want to get root privileges
can run robust, secure Linux systems
crux of problem is use of Discretionary Access Controls (DAC)
Linux Security Transactions
File System Security
in Linux everything is a file, e.g. memory, device drivers, named pipes, and other system resources
hence why filesystem security is so important
I/O to devices is via a "special" file, e.g. /dev/cdrom
have other special files like named pipes: a conduit between processes / programs
Users and Groups
a user-account (user) represents someone capable of using files
associated both with humans and processes
a group-account (group) is a list of user-accounts
users have a main group
may also belong to other groups
users & groups are not files
Users and Groups
user's details are kept in /etc/passwd, e.g.
  maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
additional group details in /etc/group, e.g.
  conductors:x:100:
  pianists:x:102:maestro,volodya
use useradd, usermod, userdel to alter
File Permissions
files have two owners: a user & a group
each with its own set of permissions
with a third set of permissions for other
permissions are to read/write/execute, in order user/group/other, cf.
  -rw-rw-r-- 1 maestro user 35414 Mar 25 01:38 baton.txt
set using chmod command
Directory Permissions
read = list contents
write = create or delete files in directory
execute = use anything in, or change working directory to, this directory
e.g.
  $ chmod g+rx extreme_casseroles
  $ ls -ld extreme_casseroles
  drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
Sticky Bit
originally used to lock a file in memory; now used on directories to limit delete
if set, must own file or dir to delete; other users cannot delete even if they have write
set using chmod command with +t flag, e.g.
  chmod +t extreme_casseroles
directory listing includes t or T flag:
  drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
only applies to the specific directory, not child dirs
SetUID and SetGID
setuid bit means program "runs as" owner no matter who executes it
setgid bit means run as a member of the group which owns it
again regardless of who executes it
"run as" = "run with same privileges as"
very dangerous if set on file owned by root or other privileged account or group
only used on executable files, not shell scripts
SetGID and Directories
setuid has no effect on directories
setgid does, and causes any file created in a directory to inherit the directory's group
useful if users belong to other groups and routinely create files to be shared with other members of those groups
instead of manually changing its group
Numeric File Permissions
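As an added example (not from the slides), the Python below applies the DAC rules of the preceding slides: it parses the slides' /etc/passwd and /etc/group lines (the volodya passwd entry is constructed), converts an ls -l mode string such as drwxrwx--T into its numeric form including the setuid, setgid and sticky bits, and then decides read/write/execute access and sticky-directory deletes the way the kernel's owner/group/other check does.

```python
# Constructed sample files built from the slides' /etc/passwd and /etc/group lines.
PASSWD = ("maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash\n"
          "volodya:x:201:102:Volodya:/home/volodya:/bin/bash\n")   # volodya: made up
GROUP = "conductors:x:100:\npianists:x:102:maestro,volodya\n"

def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    return users

def groups_of(user, passwd_text=PASSWD, group_text=GROUP):
    """Group names the user belongs to: primary group plus /etc/group memberships."""
    _uid, gid = parse_passwd(passwd_text)[user]
    names = set()
    for line in group_text.splitlines():
        gname, _pw, g_id, members = line.split(":")
        if int(g_id) == gid or user in members.split(","):
            names.add(gname)
    return names

def mode_to_octal(mode_str):
    """Convert an ls -l mode string such as 'drwxrwx--T' to numeric form (0o1770)."""
    perm = mode_str[1:10]            # skip the file-type character
    bits = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":            # lower-case s/t also carry the execute bit
            bits |= 1 << (8 - i)
    if perm[2] in "sS": bits |= 0o4000   # setuid
    if perm[5] in "sS": bits |= 0o2000   # setgid
    if perm[8] in "tT": bits |= 0o1000   # sticky
    return bits

def can_access(user, want, owner, group, mode_str):
    """DAC: owner bits if user owns the file, else group bits if in the file's group, else other."""
    bits = mode_to_octal(mode_str)
    shift = 6 if user == owner else 3 if group in groups_of(user) else 0
    return bool((bits >> shift) & {"r": 4, "w": 2, "x": 1}[want])

def can_delete(user, dir_owner, dir_group, dir_mode, file_owner):
    """Delete needs w+x on the directory; with the sticky bit the user must own file or dir."""
    if not all(can_access(user, p, dir_owner, dir_group, dir_mode) for p in "wx"):
        return False
    if mode_to_octal(dir_mode) & 0o1000:
        return user in (file_owner, dir_owner)
    return True
```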
Kernel vs User Space
Kernel space refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers)
User space refers to memory used by all other processes
since kernel enforces Linux DAC and security, critical to isolate kernel from user
so kernel space never swapped to disk
only root may load and unload kernel modules
setuid root Vulnerabilities
a setuid root program runs as root no matter who executes it
used to provide unprivileged users with access to privileged resources
must be very carefully programmed
if it can be exploited due to a software bug, may allow otherwise-unprivileged users to use it to wield unauthorized root privileges
distributions now minimise setuid-root programs
system attackers still scan for them!
Web Vulnerabilities
a very broad category of vulnerabilities
because of ubiquity of world wide web, have big and visible attack surfaces
when written in scripting languages, not as prone to classic buffer overflows
can suffer from poor input-handling
few "enabled-by-default" web applications
but users install vulnerable web applications
or write custom web applications having easily-identified and easily-exploited flaws
Rootkits
allow attacker to cover their tracks
if successfully installed before detection, all is very nearly lost
originally collections of hacked commands hiding attacker's files, directories, processes
now use loadable kernel modules, intercepting system calls in kernel-space, hiding attacker from standard commands
may be able to detect with chkrootkit
generally have to wipe and rebuild system
Linux System Hardening
consider how to mitigate Linux security risks at system and application levels
first look at OS-level security tools and techniques that protect the entire system
OS Installation
security begins with O/S installation, especially what software is run
since unused applications liable to be left in default, un-hardened and un-patched state
generally should not run: X Window system, RPC services, R-services, inetd, SMTP daemons, telnet etc
also have some initial system s/w configuration:
setting root password
creating a non-root user account
setting an overall system security level
enabling a simple host-based firewall policy
enabling SELinux
Patch Management
installed server applications must be: configured securely; kept up to date with security patches
patching can never win the "patch rat-race"
have tools to automatically download and install security updates, e.g. up2date, YaST, apt-get
note should not run automatic updates on change-controlled systems without testing
Network Access Controls
network a key attack vector to secure
TCP wrappers a key tool to check access
originally tcpd inetd wrapper daemon
before allowing connection to service checks:
• if requesting host explicitly in hosts.allow is ok
• if requesting host explicitly in hosts.deny is blocked
• if not in either is ok
checks on service, source IP, username
now often part of app using libwrap
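An added example (not from the slides, and not tcpd's own code) that models the three-step TCP wrappers decision just listed on constructed hosts.allow / hosts.deny contents. It is a simplification: real access files also support netmasks, EXCEPT lists, host names and options; here a client pattern is ALL, an exact address, or a network prefix ending in a dot. The last test case shows the caveat the third step implies: with nothing in hosts.deny, every unlisted host is accepted.

```python
# Constructed sample access files (not from the slides).
HOSTS_ALLOW = """
# allow sshd from 192.168.1.0/24 and any service from the admin host
sshd: 192.168.1.
ALL: 10.0.0.5
"""
HOSTS_DENY = "ALL: ALL\n"      # refuse everything not explicitly allowed

def parse_access_file(text):
    """Return (daemons, clients) list pairs from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """ALL, an exact address, or a network prefix written with a trailing dot."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip

def rule_matches(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and one of its client patterns matches."""
    return any((daemon in dl or "ALL" in dl) and any(client_matches(c, ip) for c in cl)
               for dl, cl in rules)

def wrapper_allows(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow match -> accept; else hosts.deny match -> refuse;
    else accept (so an empty hosts.deny lets every unlisted host in)."""
    if rule_matches(parse_access_file(allow_text), daemon, ip):
        return True
    if rule_matches(parse_access_file(deny_text), daemon, ip):
        return False
    return True
```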
Network Access Controls
also have the very powerful netfilter Linux kernel native firewall mechanism
and iptables user-space front end
as useful on firewalls, servers, desktops
direct config tricky, steep learning curve
do have automated rule generators
typically for "personal" firewall use will:
allow incoming requests to specified services
block all other inbound service requests
allow all outbound (locally-originating) requests
if need greater security, manually config
Antivirus Software
historically Linux not as vulnerable to viruses
more due to lesser popularity than security
prompt patching was effective for worms
but viruses abuse users' privileges
non-root users have less scope to exploit
but can still consume resources
growing Linux popularity means more exploits
hence antivirus software will be more important
various commercial and free Linux A/V
User Management
guiding principles in user-account security:
need care setting file / directory permissions
use groups to differentiate between roles
use extreme care in granting / using root privs
commands: chmod, useradd/mod/del, groupadd/mod/del, passwd, chage
info in files /etc/passwd & /etc/group
manage user's group memberships
set appropriate password ages
Root Delegation
have "root can do anything, users do little" issue
"su" command allows users to run as root: either root shell or single command
must supply root password
means likely too many people know this
SELinux RBAC can limit root authority, but complex
"sudo" allows users to run as root but only need their own password, not root password
/etc/sudoers file specifies what commands allowed
or configure user/group perms to allow, tricky
Logging
effective logging a key resource
Linux logs using syslogd or Syslog-NG
receive log data from a variety of sources
sort by facility (category) and severity
write log messages to local/remote log files
Syslog-NG preferable because it has:
variety of log-data sources / destinations
much more flexible "rules engine" to configure
can log via TCP which can be encrypted
should check and customize defaults
Log Management
balance number of log files used: size of few vs. finding info in many
manage size of log files
must rotate log files and delete old copies
typically use logrotate utility run by cron to manage both system and application logs
must also configure application logging
Application Security
this is a large topic
many security features are implemented in similar ways across different applications
will review issues such as:
running as unprivileged user/group
running in chroot jail
modularity
encryption
logging
Running As Unprivileged User/Group
every process "runs as" some user
extremely important this user is not root, since any bug can compromise entire system
may need root privileges, e.g. to bind a port
have root parent perform privileged function but main service from unprivileged child
user/group used should be dedicated: easier to identify source of log messages
Running in chroot Jail
chroot confines a process to a subset of /
maps a virtual "/" to some other directory
useful if have a daemon that should only access a portion of the file system, e.g. FTP
directories outside the chroot jail aren't visible or reachable at all
contains effects of compromised daemon
complex to configure and troubleshoot
must mirror portions of system in chroot jail
Modularity
applications running as a single, large, multipurpose process can be:
more difficult to run as an unprivileged user
harder to locate / fix security bugs in source
harder to disable unnecessary functionality
hence modularity a highly prized feature, providing a much smaller attack surface
cf. postfix vs sendmail, Apache modules
Encryption
sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks
hence many network applications now support encryption to protect such data
often using OpenSSL library
may need own X.509 certificates to use
can generate/sign using openssl command
may use commercial/own/free CA
Logging
applications can usually be configured to log to any level of detail (debug to none)
need appropriate setting
must decide if use dedicated file or system logging facility (e.g. syslog)
central facility useful for consistent use
must ensure any log files are rotated
Mandatory Access Controls
Linux uses a DAC security model
but Mandatory Access Controls (MAC) impose a global security policy on all users
users may not set controls weaker than policy
normal admin done with accounts without authority to change the global security policy
but MAC systems have been hard to manage
Novell's SuSE Linux has AppArmor
RedHat Enterprise Linux has SELinux
pure SELinux for high-sensitivity, high-security
SELinux
is NSA's powerful implementation of mandatory access controls for Linux
Linux DACs still apply, but if DAC allows the action SELinux then evaluates it against its own security policies
"subjects" are processes (run user cmds)
actions are "permissions"
objects not just files & dirs
to manage complexity SELinux has:
"that which is not expressly permitted, is denied"
groups of subjects, permissions, and objects
Security Contexts
each individual subject & object in SELinux is governed by a security context being a:
• user - individual user (human or daemon)
▫ SELinux maintains its own list of users
▫ user labels on subjects specify account's privileges
▫ user labels on objects specify its owner
• role - like a group, assumed by users
▫ a user may only assume one role at a time
▫ may only switch roles if and when authorized to do so
• domain (type) - a sandbox being a combination of subjects and objects that may interact with each other
this model is called Type Enforcement (TE)
Decision Making in SELinux
two types of decisions:
access decisions: when subjects do things to objects that already exist, or create new things in expected domain
transition decisions: invocation of processes in different domains than the one in which the subject-process is running; creation of objects in different types (domains) than their parent directories
transitions must be authorized by SELinux policy
RBAC and MLS Controls
have Role Based Access Control (RBAC)
rules specify roles a user may assume
other rules specify circumstances when a user may transition from one role to another
and Multi Level Security (MLS)
concerns handling of classified data
• "no read up, no write down"
MLS is enforced via file system labeling
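An added example (not from the slides, and not SELinux's own code) that models the three slides above in a few dozen lines: contexts are parsed as user:role:type[:level], access decisions are default-deny against a constructed set of allow rules, domain transitions need a type_transition rule plus a role authorized for the new domain, and the MLS check is the slide's "no read up, no write down". The type and role names are borrowed from the reference policy's httpd module; the policy itself is a toy, and real transitions also need execute and entrypoint permissions this model omits.

```python
from collections import namedtuple

Context = namedtuple("Context", "user role type level")

def parse_context(label):
    """Parse 'user:role:type[:level]', e.g. 'system_u:system_r:httpd_t:s0'.
    Only the sensitivity number of the level is kept; categories are ignored."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError("context needs user:role:type")
    level = int(parts[3][1:]) if len(parts) > 3 else 0      # 's0' -> 0
    return Context(parts[0], parts[1], parts[2], level)

# Constructed toy policy.  allow <source type> <target type>:<class> { perm }
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
    ("httpd_t", "httpd_sys_content_t", "file", "getattr"),
    ("httpd_t", "httpd_log_t", "file", "append"),
}
# type_transition <source type> <exec type>:process <new domain>
TRANSITION = {("init_t", "httpd_exec_t"): "httpd_t"}
# role <role> types { ... }: domains a role is authorized to run in
ROLE_TYPES = {"system_r": {"init_t", "httpd_t"}}

def access_allowed(subject_ctx, object_ctx, cls, perm):
    """Access decision: denied unless an allow rule names exactly this tuple."""
    s, o = parse_context(subject_ctx), parse_context(object_ctx)
    return (s.type, o.type, cls, perm) in ALLOW

def transition(subject_ctx, exec_type):
    """Transition decision: the new domain comes from a type_transition rule and
    must be one the subject's role may run in; without a rule the process stays
    in its current domain. Returns the new context, or None if refused."""
    s = parse_context(subject_ctx)
    new_type = TRANSITION.get((s.type, exec_type), s.type)
    if new_type not in ROLE_TYPES.get(s.role, set()):
        return None
    return f"{s.user}:{s.role}:{new_type}:s{s.level}"

def mls_allows(subject_ctx, object_ctx, perm):
    """MLS rule from the slides: no read up, no write down."""
    s, o = parse_context(subject_ctx), parse_context(object_ctx)
    if perm == "read":
        return s.level >= o.level
    if perm == "write":
        return s.level <= o.level
    return True
```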
SELinux Policy Management
creating and maintaining SELinux policies is complicated and time-consuming
a single SELinux policy may consist of hundreds of lines of text
RHEL has a default "targeted" policy
defines types for selected network apps
allows everything else to use DAC controls
have a range of SELinux commands
see additional references for details
Novell AppArmor
Novell's MAC for SuSE Linux
enforced at kernel level using Linux Security Modules
restricts behavior of selected applications in a very granular but targeted way
hence a compromised root application's access will be contained
has no controls addressing data classification
hence only a partial MAC implementation
non-protected apps just use Linux DAC
Summary
reviewed Linux security model and DAC
vulnerabilities
O/S and application hardening
MAC, SELinux and AppArmor