Date post: | 04-Jun-2018 |
Category: |
Documents |
Upload: | arshad-shaikh |
View: | 219 times |
Download: | 0 times |
of 64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
1/64
Jan. 27-31, 2014
8/13/2019 SecurityInOrdinaryOSes-2014-topost
2/64
Go to: http://www.rwpoll.com
Enter the session ID that Ill give you on theboard.
Use an anonymous user ID and name (or
none at all) to provide me with anonymousfeedback. I encourage feedback about any aspects of the
course, or questions about the material!
http://www.rwpoll.com/http://www.rwpoll.com/8/13/2019 SecurityInOrdinaryOSes-2014-topost
3/64
Tomorrows tutorial is mandatory (on bashscripting and batch file scripting).
Material is relevant for Assign 2.
Assign 2 is due next Tuesday.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
4/64
1. 2. 3. 4.
0% 0%0%0%
1. (Top Secret, {EUR})
2. (Secret, {US})
3. (Secret, {US,EUR})4. (Secret, {})
8/13/2019 SecurityInOrdinaryOSes-2014-topost
5/64
1. 2. 3. 4.
0% 0%0%0%
1. (Top Secret, {EUR})
2. (Secret, {US})
3. (Secret, {US,EUR})4. (Confidential,
{EUR,US})
8/13/2019 SecurityInOrdinaryOSes-2014-topost
6/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
7/64
1. 2. 3. 4. 5.
0% 0% 0%0%0%
1. High
2. System
3. Appl4. User
5. Low
8/13/2019 SecurityInOrdinaryOSes-2014-topost
8/64
1. 2. 3. 4. 5.
0% 0% 0%0%0%
1. High
2. System
3. Appl4. User
5. Low
8/13/2019 SecurityInOrdinaryOSes-2014-topost
9/64
For systems with bothsecurity and integritygoals, Biba and BLP canbe jointly applied
Integrity and secrecy ofobjects are not necessarilythe same
Subjects and objects willbe assigned both Bibaintegrity classes and BLPsecurity classes
8/13/2019 SecurityInOrdinaryOSes-2014-topost
10/64
Question: when you see the output from ls l, what doesthe orange number below represent? -rw-r--r-- 1alice staff 42 Nov 2 2013 test.txt
Answer: its the number of hard links to the file. A hard link is another filename that points to the same
underlying inode. They are created using ln.
An inodeis the data structure that represents the file (points tothe actual hard drive blocks that store the file).
You can also have symbolic links, which is a filename that pointsto another filename (can be useful for software that assumes afile is in a certain location, but the system does not always put itthere). Created using ln s.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
11/64
The main one is that when you delete theoriginal file
The other hard links remain, so only the link isdeleted and the files inode (and thus data)
remains.
For a files inode to be deleted, all of its hard links must
be removed first.
The symbolic links to the original file would point
to nothing and thus be broken or dangling.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
12/64
Ordinary operating systems are quite far awayfrom being secure, as discussed in the last fewlectures
Well discuss UNIX (precursor to Linux) andWindows. History
Protection systems
Why they are inherently insecure
Common vulnerabilities/threats
8/13/2019 SecurityInOrdinaryOSes-2014-topost
13/64
A multiuser operating system developed by KenThompson (recall the compiler bug of first class) andDenis Ritchie at AT&T Bell labs in 1969.
It remains a significant OS today, embodied in manysystems, including Linux, Sun Solaris, IBM AIX, thevarious BSD systems (which Mac OS X is based upon)
Unix became popular for a number of reasons: it was the first portable OS (written in C), it had an API that helped developers write applications it was far simpler than Multics, a competing OS at the time
(UNIX has smaller code-size, better performance, easieradministration).
8/13/2019 SecurityInOrdinaryOSes-2014-topost
14/64
It was considered a streamlined descendant ofMultics, it adopted several of the Multicssecurity features, e.g., password storage
It was built with less stringent security goals inmind. Its goal was to develop a common platform that
could be shared by several users. Thus its primarygoal was protection of the users data from errors intheir programs
Note that protection does not ensure confidentialityand integrity goals.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
15/64
Consists of an operating system kernel and manyprocesses
A protection ring boundary isolates the kernel from
processes
Each process has its own address space that definesmemory pages it can access
Uses the concept of afilefor all persistent system objects,such as secondary storage, I/O devices, & network
An identity, based on the user, is associated with theprocess (access to files is limited by the processs identity).
8/13/2019 SecurityInOrdinaryOSes-2014-topost
16/64
This is a general operating system concept,which Id prefer to describe in terms of todayssystems. Same concept of protection rings was first used in
UNIX and Multics!
See [*] Matt Welsh, OS Lecture 2: OS Structure
and System Calls, slides 9-15, 2007, URL:http://www.eecs.harvard.edu/~mdw/course/cs161
/notes/osstructure.pdf, accessed Jan. 24, 2014.
http://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdfhttp://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdf8/13/2019 SecurityInOrdinaryOSes-2014-topost
17/64
UNIX has a discretionary access controlsystem
Users can control the assignment of permissionsto system resources (i.e., files)
A files mode bits (e.g., rwxr--r--), owner UID or
group GID may be changed by any UNIX
processes run by the files owner
Since it allows users to change their files ownerUID and group GID, file labeling is also
discretionary
8/13/2019 SecurityInOrdinaryOSes-2014-topost
18/64
Informally, it consists of the kernel andseveral processes that run with the identityof the privileged user (root or superuser)
These root processes provide a variety ofservices (e.g., system boot, userauthentication, etc.)
All kernel and root processes have full systemaccess
All other processes have limited access basedon their associated users identity
8/13/2019 SecurityInOrdinaryOSes-2014-topost
19/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
20/64
Can also be accomplished by a root processinvoking a system call to change the UID of aprocess. E.g., a privileged process such as login or sshd These processes must run as rootin order to change the
identity of a process to that of the user who has loggedin.
These services, and others, must run as root in orderto have special permissions to files This is not ideal why? Hint: all root processes must be considered part of the
TCB.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
21/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
22/64
Time of check to time of use (TOCTTOU) vulnerabilities
If the user possesses a file descriptor (e.g., through readpermissions), can perform any ad hoc command on the file
using system calls ioctl or fnctl, as well as read and modifyfile metadata
Side note: ioctl and fnctl are catch-all calls; see man pgs
UNIX also doesnt mediate all security-sensitive objects,such as network communications
Firewalls provide some control of networkcommunication, but often do not restrict networkcommunication by process identity.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
23/64
The nobodyuser owns no files and belongs to nogroups. A processs permissions can be restricted by running as
nobody It does however have others privileges to all files
The chroot command limits a process to a subtree ofthe file system
Only can be setup by a root process (disadvantage) Must be set up carefully. Otherwise, an attacker can
escape the limited domain by:1. create /etc/passwd and /etc/shadow files in subtree2. Add an entry for root and login as this root
8/13/2019 SecurityInOrdinaryOSes-2014-topost
24/64
UNIX has several root processes that maintainnetwork ports that are open to all remote parties these are called network facing daemons
Buffer overflows in these daemons have enabledremote attackers to compromise the TCB. The known vulnerabilities have been fixed, but there is no
proof there are no more within the new code.
Some daemons are notorious for sending passwordsin the clear (e.g., rlogin, ftpd, and telnet) Fortunately, most of these have become obsolete and
replaced with more secure versions.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
25/64
UNIX systems provide support forextensions through kernel modules (loadeddynamically into kernel)
What if the kernel module is malicious or buggy?
Rootkits are malware created to takeadvantage of kernel module loadingavailable to root processes.
Because part of the rootkit lives in thekernel, it can evade detection.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
26/64
Environment variables are system variables that areavailable to processes to convey state acrossapplications E.g. LIBPATH defines the search order for dynamic
libraries
A common vulnerability is that the attacker: Finds a TCB program lets call it program A -- with setuid
(so when it runs, it runs with root permissions). Changes LIBPATH so any file will first find (and load) an
attacker-provided file as a dynamic library
Run program A, which then loads the attacker-providedfile, which will then run as root.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
27/64
A directory or file might be shared between a TCBprocess and an untrusted process.
E.g., sharing the /tmp directory Any process can create files in this directory
If an untrusted process can guess the name of a TCBprocesss /tmp file, it can create this file in advance, grantaccess to the TCB process, then it will have access to a TCBfile.
Prevention method: TCB processes should check forexistence of files upon creation (e.g., using O_CREAT flag).-- but should we rely on programmers to remember this?
8/13/2019 SecurityInOrdinaryOSes-2014-topost
28/64
Untrusted processes can change the state of thesystem between the time an operation is authorizedand the time that operation is performed
Classic example: a root process (initiated by a setuid)uses the accesssystem call to determine if user A (whostarted the process) has access to file /tmp/X. After the access call, but before the open, the user changes
the binding between the file name and the inode accessed. Could change /tmp/X to a symbolic link to /etc/shadow.
UNIX has since added a flag so open prevents traversal viasymbolic links.
Note it is still vulnerable to manipulation of mapping fromname to inodes.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
29/64
Recall that there is a system of 7 questions tohelp us understand the security of an operatingsystem. Well go through them for UNIX.
1. Complete mediation: How does thereference monitor interface ensure allsecurity-sensitive operations are mediatedcorrectly?
Hooks exist to check for file or inode permission onsome system calls, and authorizes access toobjects
Problem: UNIX allows modifications to fileswithout the need for write permission (e.g., fcntl)
8/13/2019 SecurityInOrdinaryOSes-2014-topost
30/64
2. Complete mediation: Does the referencemonitor interface mediate security sensitiveoperations on all system resources?
No. For some objects, such as networkcommunications UNIX itself provides no authorization.
3. Complete mediation: How do we verify that thereference monitor interface provides completemediation?
It is difficult to know whether all operations havebeen identified and all paths mediated. No specificapproach has been used to verify completemediation.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
31/64
4. Tamperproof:How does the system protectthe reference monitor, including itsprotection system, from modification?
Both are stored in the kernel -> good Protection system is discretionary -> bad
Uses protection rings for isolation -> good
User-level processes can access and modify thekernel itself, beyond system calls, e.g. throughfiles in e.g., /proc (where all files representprocesses) and direct access to kernel memory(e.g., via device file /dev/kmem) -> bad
8/13/2019 SecurityInOrdinaryOSes-2014-topost
32/64
5. Tamperproof: Does the systems protectionsystem protect the TCB programs?
No specific on-disk methods.
Many processes running as root, and if any oneis compromised, e.g., one that is acceptingnetwork data, the whole TCB is compromised asthere is no protection among root processes.
6. Verifiable: What is the basis for thecorrectness of the systems TCB?
TCB size and extensible nature of the kernel(e.g., device drivers and other kernel modules)make it impractical to verify correctness.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
33/64
7. Verifiable: Does the protectionsystem enforce the systems
security goals? Enforcement of system security
goals is not possible due to the lackof complete mediation and
tamperproofing (discretionaryprotection system).
8/13/2019 SecurityInOrdinaryOSes-2014-topost
34/64
Given the security analysis of UNIX, howsecure do you think it is?
Which of the security analysis points do youthink UNIX could improve upon (and how)?
8/13/2019 SecurityInOrdinaryOSes-2014-topost
35/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
36/64
Assignment 2 is due on Tuesday (Feb. 4) at
midnight! Questions about it so far?
Questions regarding scripting after the tutorial?
8/13/2019 SecurityInOrdinaryOSes-2014-topost
37/64
1. 2. 3. 4.
0% 0%0%0%
1. To set the ownerspermissions on a file
2. To specify that a programshould only have access tofiles in the currentdirectory (and below).
3. To specify that a fileshould be executed as its
owner (often root).
4. To specify that a programmust run as the nobodyuser.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
38/64
1. 2. 3. 4. 5. 6.
0% 0% 0%0%0%0%
1. Network facingdaemons
2. Rootkits
3. Environmentvariables
4.Registry
5. Shared Resources
6. TOCCTOU
8/13/2019 SecurityInOrdinaryOSes-2014-topost
39/64
Windows was originally a GUI for MS-DOS,which was the original operating system forIBM personal computers, introduced in 1981
The visibility soon led to Windows using itsname for the subsequent OSs that Microsoftreleased
Early Windows systems were based on MS-
DOS
Starting with Windows NT 4.0, a secondindependent line of systems based on the NTkernel emerged.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
40/64
The initial focus of the Windows OS was on platformsenvisioned for a single user and disconnected fromany network.
The emergence of the WWW made networkedservices fundamental to its use But email, web clients, etc. introduced vulnerabilities that
Windows was not designed to encounter.
The usability model of Windows as an open, flexible,user-administered platform, plus its ubiquity, made itan easy target for attackers And Microsoft was slow to address such threats
8/13/2019 SecurityInOrdinaryOSes-2014-topost
41/64
In 2000, many features were enabled by default Opened door to vulnerabilities in these features (e.g.,
Code Red and variants)
Some success reducing vulnerabilities throughbetter code development practices, code analysistools, & more secure configuration settings
Improvements in security features -- less effective Windows 2K-based access control system is complex &
largely unused
TCB is extremely large (50 million LOC in the OS alone) User Account Control (UAC) usability disaster
8/13/2019 SecurityInOrdinaryOSes-2014-topost
42/64
Discretionary for managing protection state, objectlabeling and protection domain transitions
More variety in objects and operations than UNIX, andadditional flexibility in assigning them to subjects
Each process is assigned a token that describes theprocesss identity, consisting of:
a UID, set of group SIDs, a set of alias SIDs to enableactions on behalf of another identity, and a set of ad-hocprivileges just associated with this token
8/13/2019 SecurityInOrdinaryOSes-2014-topost
43/64
The hierarchical name space for all objects knownto the system.
Applications may define new data types and addthem to the active directory
Windows defines up to 30 operations per objecttype Some of these operations can be defined for new
object types This contrasts from the rwx operations in the UNIX
protection state Even for file objects in Windows, there are additional
operations such as accessing file attributes andsynchronizing file operations.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
44/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
45/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
46/64
Authorization queries are processed by the SecurityReference Monitor (SRM) a kernel component thattakes a process token, object SID, and set ofoperations, and returns a boolean result.
The SRM uses the object SID to retrieve its ACL todetermine the query result
If an ACE grants the necessary operations, the requestis authorized unless a deny ACE is encountered.
If an ACE is encountered in the list that denies therequest, the request is denied.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
47/64
A set of object managers determine mediation
For each object type, there is an object
manager that implements the functions ofthat type
Object managers run in the kernel, and areeffectively extending the system
Presents challenges: how do we know that eachnew object manager mediates all operations?
No process for ensuring this.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
48/64
Consists of all system services and processesrunning as a trusted user (e.g. Administrator)
Provides a setuid-like mechanism Also has concern of whether vulnerabilities exist in
such services, which would lead to compromise
The complexity of the discretionary Windows
access control model often results in usersrunning as Administrator
In this case, any user program would be able to takecontrol of the system
8/13/2019 SecurityInOrdinaryOSes-2014-topost
49/64
8/13/2019 SecurityInOrdinaryOSes-2014-topost
50/64
A flexible means for restricting the permissions of aprocess
The permissions of a process running in a restricted
context are the intersectionof the restricted contextand the processs normal permissions
Much more flexible than UNIXs nobody user a restricted context may be assigned arbitrary permissions
Less error-prone than UNIXs chroot Restricted contexts are built into the access control system
Usability limits its use: difficult to define properly
8/13/2019 SecurityInOrdinaryOSes-2014-topost
51/64
Again, recall our system of 7 questions tohelp understand the security of anoperating system
1. Complete mediation: How does thereference monitor interface ensure allsecurity-sensitive operations aremediated correctly?
Mediation is performed by object managers. Without the source code, it is difficult to know
where mediation is performed.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
52/64
2. Complete mediation: Does the referencemonitor interface mediate securitysensitive operations on all systemresources?
Object managers provide an opportunity forcomplete mediation, but provide no guarantee.
Since the set of managers is extensible, it isfeasible that insecure object managers could beadded
The only way to guarantee complete mediationhere is to have a formal approach that defineswhat each manager does and how it is to besecured.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
53/64
3. Complete mediation: How do we verify that thereference monitor interface provides completemediation?
Same as for UNIX no approach has been used.
4. Tamperproof:How does the system protect thereference monitor, including its protectionsystem, from modification?
Discretionary access control untrusted userprocesses can modify permissions
Users running as administrator although UAC helps Kernel modules could be loaded, but later versions of
Windows 64-bit OSs enforce only signed drivers
8/13/2019 SecurityInOrdinaryOSes-2014-topost
54/64
64-bit versions of Windows Vista (and later) enforcethat all Microsoft kernel drivers be digitally signed byMicrosoft or other companies with valid certificates i.e., the companys certificate was issued by a trusted
certificate authority, such as Verisign.
The digital signatures of these kernel drivers are thenverified by the OS at load-time. As a result, drivers that do nothave a valid signature from
Microsoft or a company with a valid certificate will not beloaded into the kernel.
See the following article for more details about Windowskernel-mode driver signing: http://msdn.microsoft.com/en-us/library/ff548231%28v=VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspxhttp://msdn.microsoft.com/en-us/library/ff548231(v=VS.85).aspx8/13/2019 SecurityInOrdinaryOSes-2014-topost
55/64
Enabled by default in Windows Vista and later.
ASLR randomizes the base memory address ofprocesses Makes exploitation of memory errors much more difficult.
Consider what is involved in a buffer overflow exploit anaddress needs to be supplied.
If the address cannot be predicted, the supplied addresshas a high probability of being incorrect -> no execution
You can read more about ASLR here: [*] Whitehouse, An Analysis of Address Space Layout Randomization on Windows, URL:
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf,last accessed Jan. 30, 2012.
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdfhttp://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdfhttp://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf8/13/2019 SecurityInOrdinaryOSes-2014-topost
56/64
5. Tamperproof: Does the systems protectionsystem protect the TCB programs?
No better than UNIX in terms of processesrunning as root
Good (recently done): driver signing and ASLRcan prevent many attacks
6. Verifiable: What is the basis for thecorrectness of the systems TCB?
Any basis for correctness is informal. Windows also has an unbounded TCB, and
extensible kernel that prevent any effectiveformal verification
8/13/2019 SecurityInOrdinaryOSes-2014-topost
57/64
7. Verifiable: Does the protectionsystem enforce the systemssecurity goals?
It is not possible to tell whether a
Windows system is secure
Since the model is more complex
than the UNIX model, and can beextended arbitrarily, verifying itssecurity is even more difficult.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
58/64
1. 2. 3. 4.
0% 0%0%0%
1. TOCTTOU
2. Bypass-able access
controls using certain
unchecked system calls3. All of the above
4. None of the above
8/13/2019 SecurityInOrdinaryOSes-2014-topost
59/64
The registry is a global, hierarchical database to storedata for all programs. Contains security-sensitive information such as paths to
libraries and exes to be loaded for the app.
These registry entries should be protected, and can beassociated with a security context that limits access However, not always effectively used. E.g., AOL added a
registry entry that specified the name of a DLL to beloaded, but permissions were set such that any user couldwrite to the entry.
This is often done because software vendors want to ensureeverything runs smoothly, without access issues oninstall/running.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
60/64
Windows users usually just want theirsoftware to install and run properly Avoiding access control issues is desired by most
users. Solution? Run as administrator (or a userwith administrator rights).
This is bad, as everything becomes part of theTCB.
User Account Control (UAC) aimed to help withthis, and is good as long as users do not disable it Disabling is easy through a registry key.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
61/64
Earlier Windows deployments came with fullfunctionality enabled
This resulted in the famous Code Red worms,
which attacked the SQL server component of theMicrosoft IIS web server Buffer overflow triggered through malicious requests
Many people who ran IIS did not have an SQLserver running, or even know the SQL server wasenabled by default in their IIS system In subsequent versions of IIS, software must be
manually enabled to be accessible.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
62/64
Given the security analysis of Windows, howsecure do you think it is?
Which of the security analysis points do youthink Windows could improve upon (andhow)?
8/13/2019 SecurityInOrdinaryOSes-2014-topost
63/64
Not mandatory.
Will be a question and answer period in
support of Assignment #2.
Come prepared with your questions for theTA!
You can also use this time for questions aboutAssignment #1 or the previous tutorials.
8/13/2019 SecurityInOrdinaryOSes-2014-topost
64/64