SecurityInOrdinaryOSes-2014-topost

Date post: 04-Jun-2018
Upload: arshad-shaikh
Transcript
  • 8/13/2019 SecurityInOrdinaryOSes-2014-topost

    1/64

    Jan. 27-31, 2014

    2/64

    Go to: http://www.rwpoll.com

    Enter the session ID that I'll give you on the board.

    Use an anonymous user ID and name (or none at all) to provide me with anonymous feedback.

    I encourage feedback about any aspects of the course, or questions about the material!

    3/64

    Tomorrow's tutorial is mandatory (on bash scripting and batch file scripting).

    Material is relevant for Assign 2.

    Assign 2 is due next Tuesday.

    4/64

    1. (Top Secret, {EUR})

    2. (Secret, {US})

    3. (Secret, {US,EUR})

    4. (Secret, {})

    5/64

    1. (Top Secret, {EUR})

    2. (Secret, {US})

    3. (Secret, {US,EUR})

    4. (Confidential, {EUR,US})

    7/64

    1. High

    2. System

    3. Appl

    4. User

    5. Low

    8/64

    1. High

    2. System

    3. Appl

    4. User

    5. Low

    9/64

    For systems with both security and integrity goals, Biba and BLP can be jointly applied

    Integrity and secrecy of objects are not necessarily the same

    Subjects and objects will be assigned both Biba integrity classes and BLP security classes

    10/64

    Question: when you see the output from ls -l, what does the orange number below (the 1 after the mode bits) represent?

    -rw-r--r-- 1 alice staff 42 Nov 2 2013 test.txt

    Answer: it's the number of hard links to the file.

      A hard link is another filename that points to the same underlying inode. They are created using ln.

      An inode is the data structure that represents the file (points to the actual hard drive blocks that store the file).

    You can also have symbolic links, which are filenames that point to another filename (can be useful for software that assumes a file is in a certain location, but the system does not always put it there). Created using ln -s.

    11/64

    The main one is that when you delete the original file:

      The other hard links remain, so only the link is deleted and the file's inode (and thus data) remains.

      For a file's inode to be deleted, all of its hard links must be removed first.

      The symbolic links to the original file would point to nothing and thus be broken or dangling.

    12/64

    Ordinary operating systems are quite far away from being secure, as discussed in the last few lectures

    We'll discuss UNIX (precursor to Linux) and Windows.

      History

      Protection systems

      Why they are inherently insecure

      Common vulnerabilities/threats

    13/64

    A multiuser operating system developed by Ken Thompson (recall the compiler bug of first class) and Dennis Ritchie at AT&T Bell Labs in 1969.

    It remains a significant OS today, embodied in many systems, including Linux, Sun Solaris, IBM AIX, the various BSD systems (which Mac OS X is based upon)

    Unix became popular for a number of reasons:

      it was the first portable OS (written in C),

      it had an API that helped developers write applications

      it was far simpler than Multics, a competing OS at the time (UNIX has smaller code-size, better performance, easier administration).

    14/64

    It was considered a streamlined descendant of Multics; it adopted several of the Multics security features, e.g., password storage

    It was built with less stringent security goals in mind.

      Its goal was to develop a common platform that could be shared by several users. Thus its primary goal was protection of the users' data from errors in their programs

      Note that protection does not ensure confidentiality and integrity goals.

    15/64

    Consists of an operating system kernel and many processes

    A protection ring boundary isolates the kernel from processes

    Each process has its own address space that defines memory pages it can access

    Uses the concept of a file for all persistent system objects, such as secondary storage, I/O devices, & network

    An identity, based on the user, is associated with the process (access to files is limited by the process's identity).

    16/64

    This is a general operating system concept, which I'd prefer to describe in terms of today's systems.

      Same concept of protection rings was first used in UNIX and Multics!

    See [*] Matt Welsh, OS Lecture 2: OS Structure and System Calls, slides 9-15, 2007, URL: http://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdf, accessed Jan. 24, 2014.

    17/64

    UNIX has a discretionary access control system

    Users can control the assignment of permissions to system resources (i.e., files)

    A file's mode bits (e.g., rwxr--r--), owner UID or group GID may be changed by any UNIX process run by the file's owner

    Since it allows users to change their files' owner UID and group GID, file labeling is also discretionary

    18/64

    Informally, it consists of the kernel and several processes that run with the identity of the privileged user (root or superuser)

    These root processes provide a variety of services (e.g., system boot, user authentication, etc.)

    All kernel and root processes have full system access

    All other processes have limited access based on their associated user's identity

    20/64

    Can also be accomplished by a root process invoking a system call to change the UID of a process.

      E.g., a privileged process such as login or sshd

      These processes must run as root in order to change the identity of a process to that of the user who has logged in.

    These services, and others, must run as root in order to have special permissions to files

      This is not ideal. Why?

      Hint: all root processes must be considered part of the TCB.

    22/64

    Time of check to time of use (TOCTTOU) vulnerabilities

    If the user possesses a file descriptor (e.g., through read permissions), they can perform any ad hoc command on the file using the system calls ioctl or fcntl, as well as read and modify file metadata

      Side note: ioctl and fcntl are catch-all calls; see the man pages

    UNIX also doesn't mediate all security-sensitive objects, such as network communications

      Firewalls provide some control of network communication, but often do not restrict network communication by process identity.

    23/64

    The nobody user owns no files and belongs to no groups.

      A process's permissions can be restricted by running as nobody

      It does however have "others" privileges to all files

    The chroot command limits a process to a subtree of the file system

      Can only be set up by a root process (disadvantage)

      Must be set up carefully. Otherwise, an attacker can escape the limited domain by:

        1. Create /etc/passwd and /etc/shadow files in subtree

        2. Add an entry for root and log in as this root

    24/64

    UNIX has several root processes that maintain network ports that are open to all remote parties; these are called network facing daemons

    Buffer overflows in these daemons have enabled remote attackers to compromise the TCB.

      The known vulnerabilities have been fixed, but there is no proof there are no more within the new code.

    Some daemons are notorious for sending passwords in the clear (e.g., rlogin, ftpd, and telnet)

      Fortunately, most of these have become obsolete and have been replaced with more secure versions.

    25/64

    UNIX systems provide support for extensions through kernel modules (loaded dynamically into kernel)

      What if the kernel module is malicious or buggy?

    Rootkits are malware created to take advantage of kernel module loading available to root processes.

      Because part of the rootkit lives in the kernel, it can evade detection.

    26/64

    Environment variables are system variables that are available to processes to convey state across applications

      E.g., LIBPATH defines the search order for dynamic libraries

    A common vulnerability is that the attacker:

      Finds a TCB program (let's call it program A) with setuid (so when it runs, it runs with root permissions).

      Changes LIBPATH so any file will first find (and load) an attacker-provided file as a dynamic library

      Runs program A, which then loads the attacker-provided file, which will then run as root.
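
A privileged program can defend against this by rebuilding its environment from an allow-list before it loads or executes anything else. The following C code is an added example, not part of the original slides; the allow-list, SAFE_PATH and the sample environment are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy: the only caller-supplied variables program A passes on. */
static const char *const KEEP[] = { "TERM", "LANG", "TZ", NULL };
/* Search path chosen by the program itself, never inherited (assumed value). */
static const char SAFE_PATH[] = "PATH=/usr/bin:/bin";

/* True if entry has the form "name=value" for exactly this name. */
static int has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Fill out[] (capacity cap, NULL-terminated) from the untrusted in[].
 * Anything not on the allow-list, including LIBPATH and the caller's PATH,
 * is dropped. Returns the number dropped, or -1 if out[] is too small. */
static int scrub_env(char *const in[], const char *out[], size_t cap)
{
    size_t used = 0;
    int dropped = 0;

    if (cap < 2)
        return -1;
    out[used++] = SAFE_PATH;
    for (size_t i = 0; in[i] != NULL; i++) {
        const char *match = NULL;
        for (size_t k = 0; KEEP[k] != NULL && match == NULL; k++)
            if (has_name(in[i], KEEP[k]))
                match = KEEP[k];
        /* Drop repeats of a kept name: consumers can disagree on which wins. */
        for (size_t j = 0; match != NULL && j < used; j++)
            if (has_name(out[j], match))
                match = NULL;
        if (match == NULL) {
            dropped++;
            continue;
        }
        if (used + 1 >= cap)
            return -1;
        out[used++] = in[i];
    }
    out[used] = NULL;
    return dropped;
}

/* Constructed caller environment for the demo. */
static char *const SAMPLE_ENV[] = {
    "LIBPATH=/home/mallory/lib", "TERM=xterm",
    "PATH=/home/mallory/bin:/usr/bin", "TERM=dumb", "LANG=C", NULL
};
static const char *CLEAN[8];

static int demo_scrub(void) { return scrub_env(SAMPLE_ENV, CLEAN, 8); }

int main(void)
{
    printf("dropped %d entries\n", demo_scrub());
    for (size_t i = 0; CLEAN[i] != NULL; i++)
        puts(CLEAN[i]);   /* this array is what would be handed to execve() */
    return 0;
}
```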

    27/64

    A directory or file might be shared between a TCB process and an untrusted process.

    E.g., sharing the /tmp directory

      Any process can create files in this directory

      If an untrusted process can guess the name of a TCB process's /tmp file, it can create this file in advance, grant access to the TCB process, then it will have access to a TCB file.

    Prevention method: TCB processes should check for existence of files upon creation (e.g., using O_CREAT flag) -- but should we rely on programmers to remember this?

    28/64

    Untrusted processes can change the state of the system between the time an operation is authorized and the time that operation is performed

    Classic example: a root process (initiated by a setuid) uses the access system call to determine if user A (who started the process) has access to file /tmp/X.

      After the access call, but before the open, the user changes the binding between the file name and the inode accessed.

      Could change /tmp/X to a symbolic link to /etc/shadow.

    UNIX has since added a flag so open prevents traversal via symbolic links.

    Note it is still vulnerable to manipulation of mapping from name to inodes.
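
Added example (not from the original slides) covering both the shared /tmp case on the previous slide and the access/open race above: the existence check comes from combining O_CREAT with O_EXCL, the symbolic-link flag is O_NOFOLLOW, and authorization is done with fstat on the open descriptor instead of on the name. The function names, the owner and link-count policy, and the temporary directory standing in for /tmp are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file that must not exist yet. O_CREAT|O_EXCL makes "does it exist?"
 * and "create it" one atomic step. Returns a descriptor or -errno. */
static int create_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd >= 0 ? fd : -errno;
}

/* Open an existing file on behalf of `owner` with no access()/open() gap:
 * O_NOFOLLOW refuses a symlink as the final component, and the checks run on
 * the descriptor, which stays bound to one inode however the name changes. */
static int open_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0)
        return -errno;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {   /* extra hard link: reject */
        close(fd);
        return -EACCES;
    }
    return fd;
}

/* Constructed scenarios in a fresh directory standing in for /tmp.
 * `secret` plays /etc/shadow, `x` plays /tmp/X. Returns 0 or -errno. */
static int scenario(int which)
{
    char dir[] = "/tmp/tocttou-XXXXXX", secret[64], x[64];
    int r;

    if (mkdtemp(dir) == NULL)
        return -errno;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(x, sizeof x, "%s/X", dir);
    r = create_private(secret);
    if (r >= 0) {
        close(r);
        if (which == 0)                         /* name already taken */
            r = create_private(secret);
        else if (which == 1)                    /* X swapped for a symlink */
            r = symlink(secret, x) ? -errno : open_checked(x, geteuid());
        else if (which == 2)                    /* symlink planted before create */
            r = symlink(secret, x) ? -errno : create_private(x);
        else if (which == 3)                    /* X is a hard link to the secret */
            r = link(secret, x) ? -errno : open_checked(x, geteuid());
        else                                    /* untouched file */
            r = open_checked(secret, geteuid());
        if (r >= 0) {
            close(r);
            r = 0;
        }
    }
    unlink(x);
    unlink(secret);
    rmdir(dir);
    return r;
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("scenario %d -> %d\n", i, scenario(i));
    return 0;
}
```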

    29/64

    Recall that there is a system of 7 questions to help us understand the security of an operating system. We'll go through them for UNIX.

    1. Complete mediation: How does the reference monitor interface ensure all security-sensitive operations are mediated correctly?

      Hooks exist to check for file or inode permission on some system calls, and authorize access to objects

      Problem: UNIX allows modifications to files without the need for write permission (e.g., fcntl)

    30/64

    2. Complete mediation: Does the reference monitor interface mediate security-sensitive operations on all system resources?

      No. For some objects, such as network communications, UNIX itself provides no authorization.

    3. Complete mediation: How do we verify that the reference monitor interface provides complete mediation?

      It is difficult to know whether all operations have been identified and all paths mediated. No specific approach has been used to verify complete mediation.

    31/64

    4. Tamperproof: How does the system protect the reference monitor, including its protection system, from modification?

      Both are stored in the kernel -> good

      Protection system is discretionary -> bad

      Uses protection rings for isolation -> good

      User-level processes can access and modify the kernel itself, beyond system calls, e.g., through files in /proc (where all files represent processes) and direct access to kernel memory (e.g., via device file /dev/kmem) -> bad

    32/64

    5. Tamperproof: Does the system's protection system protect the TCB programs?

      No specific on-disk methods.

      Many processes running as root, and if any one is compromised, e.g., one that is accepting network data, the whole TCB is compromised as there is no protection among root processes.

    6. Verifiable: What is the basis for the correctness of the system's TCB?

      TCB size and extensible nature of the kernel (e.g., device drivers and other kernel modules) make it impractical to verify correctness.

    33/64

    7. Verifiable: Does the protection system enforce the system's security goals?

      Enforcement of system security goals is not possible due to the lack of complete mediation and tamperproofing (discretionary protection system).

    34/64

    Given the security analysis of UNIX, how secure do you think it is?

    Which of the security analysis points do you think UNIX could improve upon (and how)?

    36/64

    Assignment 2 is due on Tuesday (Feb. 4) at midnight!

    Questions about it so far?

    Questions regarding scripting after the tutorial?

    37/64

    1. To set the owner's permissions on a file

    2. To specify that a program should only have access to files in the current directory (and below).

    3. To specify that a file should be executed as its owner (often root).

    4. To specify that a program must run as the nobody user.

    38/64

    1. Network facing daemons

    2. Rootkits

    3. Environment variables

    4. Registry

    5. Shared Resources

    6. TOCTTOU

    39/64

    Windows was originally a GUI for MS-DOS, which was the original operating system for IBM personal computers, introduced in 1981

    The visibility soon led to Windows using its name for the subsequent OSs that Microsoft released

    Early Windows systems were based on MS-DOS

    Starting with Windows NT 4.0, a second independent line of systems based on the NT kernel emerged.

    40/64

    The initial focus of the Windows OS was on platforms envisioned for a single user and disconnected from any network.

    The emergence of the WWW made networked services fundamental to its use

      But email, web clients, etc. introduced vulnerabilities that Windows was not designed to encounter.

    The usability model of Windows as an open, flexible, user-administered platform, plus its ubiquity, made it an easy target for attackers

      And Microsoft was slow to address such threats

    41/64

    In 2000, many features were enabled by default

      Opened door to vulnerabilities in these features (e.g., Code Red and variants)

    Some success reducing vulnerabilities through better code development practices, code analysis tools, & more secure configuration settings

    Improvements in security features -- less effective

      Windows 2K-based access control system is complex & largely unused

      TCB is extremely large (50 million LOC in the OS alone)

      User Account Control (UAC) usability disaster

    42/64

    Discretionary for managing protection state, object labeling and protection domain transitions

    More variety in objects and operations than UNIX, and additional flexibility in assigning them to subjects

    Each process is assigned a token that describes the process's identity, consisting of:

      a UID, set of group SIDs, a set of alias SIDs to enable actions on behalf of another identity, and a set of ad-hoc privileges just associated with this token

    43/64

    The hierarchical name space for all objects known to the system.

    Applications may define new data types and add them to the active directory

    Windows defines up to 30 operations per object type

      Some of these operations can be defined for new object types

      This contrasts with the rwx operations in the UNIX protection state

      Even for file objects in Windows, there are additional operations such as accessing file attributes and synchronizing file operations.

    46/64

    Authorization queries are processed by the Security Reference Monitor (SRM), a kernel component that takes a process token, object SID, and set of operations, and returns a boolean result.

    The SRM uses the object SID to retrieve its ACL to determine the query result

    If an ACE grants the necessary operations, the request is authorized unless a deny ACE is encountered.

    If an ACE is encountered in the list that denies the request, the request is denied.

    47/64

    A set of object managers determine mediation

    For each object type, there is an object manager that implements the functions of that type

    Object managers run in the kernel, and are effectively extending the system

    Presents challenges: how do we know that each new object manager mediates all operations?

    No process for ensuring this.

    48/64

    Consists of all system services and processes running as a trusted user (e.g. Administrator)

    Provides a setuid-like mechanism

      Also has concern of whether vulnerabilities exist in such services, which would lead to compromise

    The complexity of the discretionary Windows access control model often results in users running as Administrator

      In this case, any user program would be able to take control of the system

    50/64

    A flexible means for restricting the permissions of a process

    The permissions of a process running in a restricted context are the intersection of the restricted context and the process's normal permissions

    Much more flexible than UNIX's nobody user

      a restricted context may be assigned arbitrary permissions

    Less error-prone than UNIX's chroot

      Restricted contexts are built into the access control system

    Usability limits its use: difficult to define properly
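
Added example (not from the original slides, and not Windows code) modelling the SRM query from slide 46 together with the restricted-context intersection above. SIDs, operation bits and all names are hypothetical; the model assumes ACEs are evaluated in list order, which is why the position of a deny ACE matters.

```c
#include <stddef.h>
#include <stdio.h>

enum { OP_READ = 1, OP_WRITE = 2, OP_DELETE = 4 };   /* operation bits */
enum { ALICE = 1001, BOB, STAFF = 2001, INTERNS, SANDBOX = 3001 };  /* SIDs */

struct ace { int deny; int sid; unsigned ops; };     /* one ACL entry */
struct token {
    int sids[4]; size_t nsids;         /* user SID plus group SIDs */
    int restricting[2]; size_t nrestr; /* non-empty: restricted context */
};

static int holds(const int *sids, size_t n, int sid)
{
    while (n-- > 0)
        if (sids[n] == sid)
            return 1;
    return 0;
}

/* Walk the ordered ACL for one set of SIDs: a deny ACE covering an operation
 * not yet granted ends the walk with "no", allow ACEs accumulate until every
 * requested operation is granted, and an exhausted list means "no". */
static int acl_grants(const struct ace *acl, size_t n,
                      const int *sids, size_t nsids, unsigned wanted)
{
    unsigned missing = wanted;
    for (size_t i = 0; i < n && missing != 0; i++) {
        if (!holds(sids, nsids, acl[i].sid))
            continue;
        if (!acl[i].deny)
            missing &= ~acl[i].ops;
        else if (acl[i].ops & missing)
            return 0;
    }
    return missing == 0;
}

/* SRM-style query: (token, object ACL, operations) -> boolean. In a restricted
 * context the ACL must grant the request to the restricting SIDs as well,
 * which yields the intersection of the two permission sets. */
static int srm_check(const struct token *t, const struct ace *acl, size_t n,
                     unsigned wanted)
{
    if (!acl_grants(acl, n, t->sids, t->nsids, wanted))
        return 0;
    return t->nrestr == 0 ||
           acl_grants(acl, n, t->restricting, t->nrestr, wanted);
}

/* Constructed sample data: one object ACL written two ways, three tokens. */
static const struct ace DENY_FIRST[] = {
    { 1, INTERNS, OP_WRITE | OP_DELETE }, { 0, STAFF, OP_READ | OP_WRITE },
    { 0, ALICE, OP_DELETE },              { 0, SANDBOX, OP_READ },
};
static const struct ace ALLOW_FIRST[] = {   /* misordered: deny never reached */
    { 0, STAFF, OP_READ | OP_WRITE }, { 1, INTERNS, OP_WRITE | OP_DELETE },
};
static const struct token TOKENS[] = {
    { { ALICE, STAFF }, 2, { 0 }, 0 },           /* 0: alice */
    { { BOB, STAFF, INTERNS }, 3, { 0 }, 0 },    /* 1: bob, an intern */
    { { ALICE, STAFF }, 2, { SANDBOX }, 1 },     /* 2: alice, restricted */
};

static int ask(int who, int allow_first, unsigned wanted)
{
    return allow_first ? srm_check(&TOKENS[who], ALLOW_FIRST, 2, wanted)
                       : srm_check(&TOKENS[who], DENY_FIRST, 4, wanted);
}

int main(void)
{
    printf("alice r+w+d: %d\n", ask(0, 0, OP_READ | OP_WRITE | OP_DELETE));
    printf("bob read: %d, write: %d\n", ask(1, 0, OP_READ), ask(1, 0, OP_WRITE));
    printf("restricted alice read: %d, write: %d\n", ask(2, 0, OP_READ), ask(2, 0, OP_WRITE));
    printf("allow-first ACL, bob write: %d\n", ask(1, 1, OP_WRITE));
    return 0;
}
```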

    51/64

    Again, recall our system of 7 questions to help understand the security of an operating system

    1. Complete mediation: How does the reference monitor interface ensure all security-sensitive operations are mediated correctly?

      Mediation is performed by object managers.

      Without the source code, it is difficult to know where mediation is performed.

    52/64

    2. Complete mediation: Does the reference monitor interface mediate security-sensitive operations on all system resources?

      Object managers provide an opportunity for complete mediation, but provide no guarantee.

      Since the set of managers is extensible, it is feasible that insecure object managers could be added

      The only way to guarantee complete mediation here is to have a formal approach that defines what each manager does and how it is to be secured.

    53/64

    3. Complete mediation: How do we verify that the reference monitor interface provides complete mediation?

      Same as for UNIX: no approach has been used.

    4. Tamperproof: How does the system protect the reference monitor, including its protection system, from modification?

      Discretionary access control: untrusted user processes can modify permissions

      Users running as administrator, although UAC helps

      Kernel modules could be loaded, but later versions of Windows 64-bit OSs enforce only signed drivers

    54/64

    64-bit versions of Windows Vista (and later) enforce that all Microsoft kernel drivers be digitally signed by Microsoft or other companies with valid certificates

      i.e., the company's certificate was issued by a trusted certificate authority, such as Verisign.

    The digital signatures of these kernel drivers are then verified by the OS at load-time.

      As a result, drivers that do not have a valid signature from Microsoft or a company with a valid certificate will not be loaded into the kernel.

    See the following article for more details about Windows kernel-mode driver signing: http://msdn.microsoft.com/en-us/library/ff548231%28v=VS.85%29.aspx

    55/64

    Enabled by default in Windows Vista and later.

    ASLR randomizes the base memory address of processes

      Makes exploitation of memory errors much more difficult.

      Consider what is involved in a buffer overflow exploit: an address needs to be supplied.

      If the address cannot be predicted, the supplied address has a high probability of being incorrect -> no execution

    You can read more about ASLR here: [*] Whitehouse, An Analysis of Address Space Layout Randomization on Windows, URL: http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf, last accessed Jan. 30, 2012.

    56/64

    5. Tamperproof: Does the system's protection system protect the TCB programs?

      No better than UNIX in terms of processes running as root

      Good (recently done): driver signing and ASLR can prevent many attacks

    6. Verifiable: What is the basis for the correctness of the system's TCB?

      Any basis for correctness is informal.

      Windows also has an unbounded TCB, and an extensible kernel, that prevent any effective formal verification

    57/64

    7. Verifiable: Does the protection system enforce the system's security goals?

      It is not possible to tell whether a Windows system is secure

      Since the model is more complex than the UNIX model, and can be extended arbitrarily, verifying its security is even more difficult.

    58/64

    1. TOCTTOU

    2. Bypass-able access controls using certain unchecked system calls

    3. All of the above

    4. None of the above

    59/64

    The registry is a global, hierarchical database to store data for all programs.

      Contains security-sensitive information such as paths to libraries and exes to be loaded for the app.

    These registry entries should be protected, and can be associated with a security context that limits access

      However, not always effectively used. E.g., AOL added a registry entry that specified the name of a DLL to be loaded, but permissions were set such that any user could write to the entry.

      This is often done because software vendors want to ensure everything runs smoothly, without access issues on install/running.

    60/64

    Windows users usually just want their software to install and run properly

      Avoiding access control issues is desired by most users. Solution? Run as administrator (or a user with administrator rights).

      This is bad, as everything becomes part of the TCB.

    User Account Control (UAC) aimed to help with this, and is good as long as users do not disable it

      Disabling is easy through a registry key.

    61/64

    Earlier Windows deployments came with full functionality enabled

    This resulted in the famous Code Red worms, which attacked the SQL server component of the Microsoft IIS web server

      Buffer overflow triggered through malicious requests

    Many people who ran IIS did not have an SQL server running, or even know the SQL server was enabled by default in their IIS system

      In subsequent versions of IIS, software must be manually enabled to be accessible.

    62/64

    Given the security analysis of Windows, how secure do you think it is?

    Which of the security analysis points do you think Windows could improve upon (and how)?

    63/64

    Not mandatory.

    Will be a question and answer period in support of Assignment #2.

    Come prepared with your questions for the TA!

    You can also use this time for questions about Assignment #1 or the previous tutorials.
