SISTEMAS OPERATIVOS: Lección 14: Introduction to OS Security

Date post: 06-Jul-2020
Transcript
Page 1: SISTEMAS OPERATIVOS: Lección 14: Introduction to OS Security (ocw.uc3m.es/ingenieria-informatica/operating-systems/lecture-notes …)

Operating Systems

SISTEMAS OPERATIVOS: Lección 14: Introduction to OS Security

• Introduction and basic concepts

Jesús Carretero Pérez, David Exposito Singh, José Daniel García Sánchez, Francisco Javier García Blas, Florin Isaila

Page 2

Contents

• Safety and security
• Security issues
• Security policies
• Design of secure operating systems
• Cryptography
• Protection mechanisms in operating systems
• Protection and security services
• The security system in Windows NT

Page 3

Security and protection

• The security of a system has multiple facets:
  – Protection from data damage (fires, earthquakes, etc.).
  – Unauthorized access to the system (intruders, privacy violations, etc.).
  – ...
• Protection means preventing misuse of resources when that misuse falls within the scope of the operating system.
  – Protection policies and mechanisms are needed
  – to ensure that users have access only to their own resources (files, memory, etc.).

Page 4

Possible security problems

Element  | Privacy                           | Integrity                               | Availability
Hardware | Stolen, copied                    | Destroyed, overloaded, tapped, forged   | Failed, stolen, destroyed, unavailable
Software | Stolen, copied                    | Modified, Trojan horse, virus, forged   | Deleted, badly installed, expired
Data     | Discovered, inferred, intercepted | Damaged, HW error, SW error, user error | Deleted, badly installed, destroyed

Page 5

Security aspects in an OS

• Three aspects of design:
  • To avoid data loss.
    – Backups, ...
  • To control data privacy.
    – Encryption, ...
  • To control access to data and resources.
    – Passwords, e-cards, physical identification, ...

Page 7

Security problems (I)

• Use of improper or malicious programs
  – Trojan horse
  – Backdoor
  – Covert channels
• Inexperienced or careless users
  – Deleting by mistake, open accounts, easy passwords, ...
• Unauthorized users
  – Authentication problems
  – Login and password discovery
• Viruses

Page 8

Using a covert channel (figure)

Page 9

Virus installation and propagation (figure)

Page 10

Security problems (II)

• Worms
  – Self-propagating destructive programs
  – Usually malicious
• Protection system breakers
  – Password analyzers
• System bombing
  – Denial-of-service attacks

Page 12

Security policies

• Each organization has different security requirements.
• The security policy dictates the rules to be followed to provide protection and security to systems.
• No mechanisms are involved, only policies.
• There are laws that must be complied with when confidential information is used.
• The security policy should inspire confidence.

Page 13

Military policies

• Based on classifying all objects with security requirements into one of the following five levels:
  – Unclassified, Restricted, Confidential, Secret, Top Secret.
• Users who have access to objects of level i also have access to level i+1.
• Need-to-know rule:
  – Access to sensitive data is allowed only to those who need it to do their job.
• Thus users can be compartmentalized by tightening the access rule.
• A compartment can extend across several levels, and within it the same general access rule also applies.
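As an added illustration (not part of the lecture notes), the following C code encodes the two rules above as a single check: a subject may read an object only if its clearance level is at least the object's classification and it holds every compartment the object is tagged with (the need-to-know part). The numbering of the levels (Unclassified lowest, Top Secret highest), the compartment names and the subjects are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: multilevel check with compartments. Levels in the order the
 * slide lists them; numbering Unclassified = 0 as the lowest level is an
 * assumption of this example. */
enum level { UNCLASSIFIED = 0, RESTRICTED, CONFIDENTIAL, SECRET, TOP_SECRET };

/* Compartments as bit flags (constructed names for the example). */
enum { COMP_NUCLEAR = 1 << 0, COMP_CRYPTO = 1 << 1, COMP_LOGISTICS = 1 << 2 };

struct label {
    enum level lvl;    /* classification (object) or clearance (subject) */
    unsigned comps;    /* set of compartments */
};

/* Label a dominates label b when its level is at least b's and its
 * compartment set contains every compartment of b. */
bool dominates(struct label a, struct label b) {
    return a.lvl >= b.lvl && (b.comps & ~a.comps) == 0;
}

/* The access rule: a subject reads an object only if its clearance dominates
 * the object's label. Level alone is not enough; the compartment part is
 * what "tightens" the rule and keeps two Secret-cleared users apart. */
bool can_read(struct label subject, struct label object) {
    return dominates(subject, object);
}

int main(void) {
    struct label analyst  = { SECRET, COMP_NUCLEAR };        /* constructed */
    struct label planner  = { SECRET, COMP_LOGISTICS };      /* constructed */
    struct label nuke_doc = { CONFIDENTIAL, COMP_NUCLEAR };
    struct label ts_doc   = { TOP_SECRET, COMP_NUCLEAR };
    printf("analyst reads nuclear doc: %d\n", can_read(analyst, nuke_doc)); /* 1 */
    printf("planner reads nuclear doc: %d\n", can_read(planner, nuke_doc)); /* 0: same level, no compartment */
    printf("analyst reads TS doc:      %d\n", can_read(analyst, ts_doc));   /* 0: level too low */
    return 0;
}
```

The second case is the compartmentalization the slide describes: the planner holds the same level as the analyst but is refused because the object carries a compartment the planner was never granted.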

Page 14

Military policy levels (figure)

Page 15

VMS security policy (figure)

Page 16

Commercial policies

• Based on military policy, but with weaker requirements.
• Chinese Wall:
  – Classifies objects and users into three levels of abstraction: objects, groups and conflict classes.
  – Each object belongs to one group and each group to a single conflict class.
  – A conflict class, however, may include several groups.
• Access control policy:
  – A person can access a piece of information provided they have not previously accessed information from another group in the same conflict class as the information they want to access.
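The access rule above depends on the subject's history, so a decision procedure needs state. The following C code is an added example (not from the lecture notes) that keeps, per subject, the set of groups already touched and refuses any object whose group competes with one of them. The groups (two banks in one conflict class, two oil companies in another), the objects and the subject names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: the Chinese Wall rule. Each object belongs to one group
 * (a company's dataset) and each group to exactly one conflict class.
 * Groups, classes and subjects are constructed for the example. */
enum { N_GROUPS = 4, MAX_HISTORY = 16 };

/* group -> conflict class: groups 0 and 1 compete (class 0), as do 2 and 3 (class 1). */
static const int group_class[N_GROUPS] = { 0, 0, 1, 1 };

struct object  { const char *name; int group; };
struct subject { const char *name; int touched[MAX_HISTORY]; int n_touched; };

/* Decision only: allowed unless the subject has already touched a different
 * group in the same conflict class as the requested object. */
bool chinese_wall_allows(const struct subject *s, const struct object *o) {
    for (int i = 0; i < s->n_touched; i++) {
        int g = s->touched[i];
        if (g != o->group && group_class[g] == group_class[o->group])
            return false;                 /* would cross the wall */
    }
    return true;                          /* first access in this class, or same group */
}

/* Decision plus history update: the first access to a class commits the
 * subject to that side of the wall for the rest of its lifetime. */
bool chinese_wall_access(struct subject *s, const struct object *o) {
    if (!chinese_wall_allows(s, o)) return false;
    for (int i = 0; i < s->n_touched; i++)
        if (s->touched[i] == o->group) return true;   /* already recorded */
    if (s->n_touched < MAX_HISTORY) s->touched[s->n_touched++] = o->group;
    return true;
}

/* Scenario as a bit mask of decisions (bit i set = access i allowed):
 * Bank A, then competitor Bank B, then Oil X (other class), then Bank A again. */
unsigned chinese_wall_demo(void) {
    const struct object bank_a = { "Bank A accounts", 0 };
    const struct object bank_b = { "Bank B accounts", 1 };
    const struct object oil_x  = { "Oil X plan", 2 };
    struct subject alice = { "alice", {0}, 0 };
    unsigned mask = 0;
    mask |= chinese_wall_access(&alice, &bank_a) << 0;   /* 1: nothing touched yet */
    mask |= chinese_wall_access(&alice, &bank_b) << 1;   /* 0: Bank B competes with Bank A */
    mask |= chinese_wall_access(&alice, &oil_x)  << 2;   /* 1: different conflict class */
    mask |= chinese_wall_access(&alice, &bank_a) << 3;   /* 1: same group again */
    return mask;                                         /* binary 1101 = 13 */
}

int main(void) {
    printf("decisions (one bit per access, LSB first): %u\n", chinese_wall_demo());
    return 0;
}
```

Note that the history never shrinks: unlike an ACL, the policy cannot be evaluated from the object alone, which is why a real implementation must log every first access per conflict class.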

Page 17

Chinese Wall example (figure)

Page 18

Security models

• A model is a mechanism that makes a security policy explicit.
• Multilevel security models:
  – Sensitivity ranges and strict separation between subjects and the objects they do not have access to.
  – They tend to be abstract and very general models, which makes them very complex, difficult to verify and expensive to implement.
• Limited security models:
  – Respond formally to the properties that a secure system must meet, but introduce restrictions on multilevel security systems.
  – They are based on two principles:
    • They use the general theory of computation to define a formal system of protection rules.
    • They use an access control matrix whose rows are the subjects and whose columns are the objects.
      • The access rights of subject i on object j are the contents of the array element (i, j).
• Examples: Graham-Denning, Harrison-Ruzzo-Ullman (HRU) and access permission.

Page 20

Security principles

• Open design.
• Require permissions.
• Least privilege.
• Economy of mechanism.
• Complete mediation.
• Minimum sharing.
• Easy to use and adapt.
• Separation of privileges.

Page 21

Security tasks

• Authentication of resources.
• Resource allocation.
• Control of access to resources.
• Control of communication and sharing between processes.
• Data protection.

Page 22

Security tasks and OS components (figure)

Page 23

Secure systems design techniques

• Separation of resources
  – Physical
  – Temporal
  – Cryptographic
  – Logical
• Use of virtual environments
  – Multiple virtual memory spaces
  – Virtual machines
• Layered design
  – Kernel assurance
  – Security monitors
  – Layer coating

Page 24

Virtual machines (figure)

Page 25

Security in OS layers (figure)

Layers shown, from the outside in: user interface (user identification, user authentication, update of the user's identification data); operating system (system calls, processes, high-level I/O, memory management, scheduling and resource sharing); OS kernel (basic I/O, handlers, interrupts); security kernel (security functions); hardware.

Page 26

Secure OS kernel (figure)

Figure labels, from the bottom up: hardware; OS kernel (basic I/O, handlers, interrupts, multitasking, ...); OS services; privileged applications; user applications. The figure divides these into the trusted computing base and the untrusted computing base.

Page 27

External controls for security

• Penetration teams and access limitation
  – Firewalls and internal networks
• Programming controls
  – Trusted design
  – Isolation principle
  – Independent testers
  – Configuration management
• Security standards
  – DoD 2167A
  – SEE-CMM
  – ISO-9000

Page 28

Firewalls (figure)

Page 29

OS security controls

• Run reliable software
  – Do not download software from unknown networks
• Treat processes with suspicion
  – Minimum privileges
• Run processes confined
  – Isolated machines if necessary
• Record accesses
  – Enable operating system logs
• Periodically search for security holes
  – Log analysis
  – Check whether there are strange information flows ...

Page 31

Cryptography

• Cryptography is the technique of encoding an object so that its meaning is not obvious.
• The original object (O) can be converted into an encrypted object (C) by applying an encryption function (E). It is decrypted by another function (D).
• Key issues:
  – Cipher algorithms
  – Keys

Page 32

Encryption and decryption (figure)

Page 33

Encryption algorithms

• Procedures that allow hiding the contents of the object and restoring it to its original form, respectively.
• Substitution: replace a text by another
  – Monoalphabetic
  – Polyalphabetic
• Transposition or permutation: reorder the text
  – Character stream
  – Blocks
• Currently: exponential algorithms with very long keys
  – RSA
  – DES
  – Key scrutiny
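To make the two classical families concrete, here is an added C example (not code from the lecture notes) with a monoalphabetic substitution and a block transposition, each as a pair of functions E and D in the notation of the previous slide. The key alphabet and the block permutation are constructed values; both ciphers are shown only to illustrate the mechanism and offer no real protection.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: monoalphabetic substitution and block transposition.
 * Key alphabet and permutation are constructed; neither cipher is secure. */

/* Substitution key: a permutation of the 26 upper-case letters. */
static const char SUBST_KEY[27] = "QWERTYUIOPASDFGHJKLZXCVBNM";

/* D for substitution needs the inverse alphabet: inv[key[i]-'A'] = 'A'+i. */
static void invert_key(const char *key, char inv[27]) {
    for (int i = 0; i < 26; i++) inv[key[i] - 'A'] = (char)('A' + i);
    inv[26] = '\0';
}

/* E: map each upper-case letter through the key; other characters pass unchanged. */
void substitute(const char *in, char *out, const char *key) {
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = isupper((unsigned char)in[i]) ? key[in[i] - 'A'] : in[i];
    out[i] = '\0';
}

/* D: the same procedure run with the inverse key. */
void unsubstitute(const char *in, char *out, const char *key) {
    char inv[27];
    invert_key(key, inv);
    substitute(in, out, inv);
}

/* Block transposition: position i of each BLOCK-sized block takes the
 * character that was at PERM[i]. Input is padded with 'X' to whole blocks. */
enum { BLOCK = 4 };
static const int PERM[BLOCK] = { 2, 0, 3, 1 };   /* constructed permutation */

size_t transpose(const char *in, char *out) {
    size_t n = strlen(in), padded = (n + BLOCK - 1) / BLOCK * BLOCK;
    for (size_t b = 0; b < padded; b += BLOCK)
        for (int i = 0; i < BLOCK; i++) {
            size_t src = b + PERM[i];
            out[b + i] = src < n ? in[src] : 'X';
        }
    out[padded] = '\0';
    return padded;
}

/* D for transposition: character i of each block goes back to PERM[i]. */
void untranspose(const char *in, char *out) {
    size_t n = strlen(in);
    for (size_t b = 0; b < n; b += BLOCK)
        for (int i = 0; i < BLOCK; i++) out[b + PERM[i]] = in[b + i];
    out[n] = '\0';
}

/* Round trip O -> C -> O for both ciphers; returns 1 when both recover O. */
int roundtrip_ok(const char *plain) {
    char c[128], p[128];
    substitute(plain, c, SUBST_KEY);
    unsubstitute(c, p, SUBST_KEY);
    if (strcmp(p, plain) != 0) return 0;
    transpose(plain, c);
    untranspose(c, p);
    return strncmp(p, plain, strlen(plain)) == 0;   /* padding 'X' may remain */
}

int main(void) {
    char c[128];
    substitute("ATTACK", c, SUBST_KEY);  printf("substitution:  %s\n", c);  /* QZZQEA */
    transpose("ATTACKNOW", c);           printf("transposition: %s\n", c);  /* TAATNCOKXWXX */
    printf("round trips ok: %d\n", roundtrip_ok("ATTACKNOW"));
    return 0;
}
```

Substitution leaves the positions alone and changes the symbols, so letter frequencies survive; transposition keeps the symbols and changes positions, so the ciphertext has exactly the plaintext's letter counts. That is why the slide's "current" algorithms combine both ideas many times over under a long key.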

Page 34

Keys

• The key is the pattern used by the encryption and decryption algorithms to manipulate messages in either direction.
• There are systems that do not use a cryptographic key.
• Cryptographic systems:
  – Symmetric or asymmetric
• Advantages of keys:
  – Public algorithms
  – You need to know both the algorithm and the key
  – The same algorithm is used with different keys
• Disadvantages:
  – Key propagation -> complex algorithms
  – It must withstand attempts to break the keys

Page 35

Public and private keys

• Private keys: known only to the encrypter and the decrypter
  – Example: DES.
  – Problem: key propagation.
• Public keys: the encryption key is known, but decrypting needs a key that only the receiver has.
  – Anyone can send encrypted messages, but only the recipient can decrypt them.
  – No key propagation problem.
  – Example: RSA.
• Digital signatures: a key that identifies a user or system unequivocally.
  – Accepted at the legal level.
  – There are authorities granting signatures and valid certificates.
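The following C code is an added example (not from the lecture notes) of textbook RSA written in the notation of these slides: C = E(O) uses the public key (e, n), O = D(C) uses the private key d, and a signature is the same pair of operations applied in the opposite order. The primes p = 61 and q = 53 are the small textbook values, chosen only so the arithmetic can be checked by hand; real keys are thousands of bits long and are never used on raw numbers without padding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: textbook RSA with toy parameters (p = 61, q = 53). */

struct rsa_keypair { uint64_t n, e, d; };

/* Square-and-multiply modular exponentiation; operands stay below 2^32 in
 * this example so the products fit in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp > 0) {
        if (exp & 1) result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid: multiplicative inverse of a modulo m, or -1 if none exists. */
int64_t modinv(int64_t a, int64_t m) {
    int64_t old_r = a, r = m, old_s = 1, s = 0;
    while (r != 0) {
        int64_t q = old_r / r, t;
        t = r; r = old_r - q * r; old_r = t;
        t = s; s = old_s - q * s; old_s = t;
    }
    if (old_r != 1) return -1;
    return (old_s % m + m) % m;
}

/* Key generation: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
 * (e, n) is published; d stays with the receiver. */
struct rsa_keypair rsa_keygen(uint64_t p, uint64_t q, uint64_t e) {
    struct rsa_keypair k = { p * q, e, 0 };
    k.d = (uint64_t)modinv((int64_t)e, (int64_t)((p - 1) * (q - 1)));
    return k;
}

/* E: anyone holding (e, n) can encrypt an object O < n ... */
uint64_t rsa_encrypt(uint64_t o, const struct rsa_keypair *k) { return modpow(o, k->e, k->n); }
/* D: ... but only the holder of d can recover it. */
uint64_t rsa_decrypt(uint64_t c, const struct rsa_keypair *k) { return modpow(c, k->d, k->n); }

/* Signature: the private key is applied to a digest; anyone verifies with
 * the public key, so the signature identifies the holder of d. */
uint64_t rsa_sign(uint64_t digest, const struct rsa_keypair *k) { return modpow(digest, k->d, k->n); }
bool rsa_verify(uint64_t digest, uint64_t sig, const struct rsa_keypair *k) {
    return modpow(sig, k->e, k->n) == digest;
}

int main(void) {
    struct rsa_keypair k = rsa_keygen(61, 53, 17);       /* toy textbook key */
    uint64_t o = 42, c = rsa_encrypt(o, &k);
    printf("n=%llu e=%llu d=%llu\n", (unsigned long long)k.n,
           (unsigned long long)k.e, (unsigned long long)k.d);   /* 3233 17 2753 */
    printf("O=%llu  C=E(O)=%llu  D(C)=%llu\n", (unsigned long long)o,
           (unsigned long long)c, (unsigned long long)rsa_decrypt(c, &k));
    uint64_t sig = rsa_sign(1234, &k);
    printf("signature verifies: %d, altered digest verifies: %d\n",
           rsa_verify(1234, sig, &k), rsa_verify(1235, sig, &k));
    return 0;
}
```

The block makes the slide's two contrasts visible: the same arithmetic serves encryption and signing, and the "no key propagation" advantage comes from the fact that only (e, n) ever leaves the receiver.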

Page 37

Protection

• Protect from inappropriate access.
• Different types of protection:
  – Reading
  – Writing
  – Execution
  – Deletion
• All operating systems must have protection mechanisms that allow implementing different security policies for access to the system.
• A compromise between security and sharing is needed.

Page 38

User authentication

• Authentication (who?)
  – Keys (passwords)
  – Physical ids
    • Smart cards
    • Speech, iris or fingerprint recognition
• Access rights (what?)
  – Object => which users and which rights
  – User => which objects and which rights
• Security descriptor: object indicating what rights each user has on that object.

Page 39

Windows security descriptor (figure)

Page 40

Authentication process

• When a user wants to access the data, the system asks for:
  – User ID: user name in the system.
  – Keyword or password: space to type the keyword (echo shows *).
  – Protection domain to which the user belongs.
• Authentication:
  – Check that all the data are consistent.
• Problems:
  – Files with visible data (passwords, users, ...)
  – Incomplete or partial process that gives clues.
  – Impersonation of the authentication process.
• Basic principle:
  – Distrust

Page 41

Passwords

• A password is a set of alphanumeric and special characters known only to the user and the operating system, which have agreed to use it as a key to access the system.
• Authentication is based on tuples <username, password>.
• Decisions:
  – Who assigns passwords? Administrator, user, ...
  – Length and format of passwords.
    • Minimum length, special chars, ...
  – Where are the passwords stored? Shadow files.
  – Duration of the passwords. Passwords with expiration.

Page 42

Password distribution study (chart)

Bar chart; x axis: password type (two letters, three letters, four letters, five letters, six letters, dictionary word, good); y axis: percentage, 0 to 25.

Page 43

Protection domains

• Domain: a set of pairs (object, rights), where each pair specifies an object and the operations that can be run on it.
• Identification of users and groups
  – UID: user id
  – GID: group id
• Processes run with:
  – Real UID or effective UID
  – Real GID or effective GID

Page 44

Protection in UNIX (I)

• Protection of a file
  – Owner UID and group GID
  – 9 protection bits for owner, group and others (rwx).
• In files
  – r => read
  – w => write
  – x => execute permission
• In directories
  – r => list contents
  – w => create or delete entries
  – x => access (traverse) permission

Page 45

Protection in UNIX (II)

• SETUID and SETGID bits
  – If a process executes a file with SETUID active, its effective UID = UID of the file owner.
  – If a process executes a file with SETGID active, its effective GID = GID of the file.
• Protection rules:
  – If effective uid = 0, access is granted.
  – If effective uid = UID of the owner, the first group of bits is used; if not,
  – if effective GID = GID of the file, the second group of bits is used; if not, the last three bits are used.
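The four rules above fit in one function. The C code below is an added example (not from the lecture notes) that evaluates them for a requested set of rights and also applies the SETUID/SETGID effect to a process's effective ids; the uids, gids and modes in main() are constructed. One detail the wording of the rules implies but is easy to miss is made explicit in the comments: exactly one of the three bit groups is consulted, chosen by identity and not by which group would grant the most.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example: the UNIX protection rules and the SETUID/SETGID effect.
 * Requested rights use the rwx bit values 4 = r, 2 = w, 1 = x. */

/* True if a process with (euid, egid) may perform `want` on a file with
 * permission bits `mode` owned by (file_uid, file_gid). Only one bit group is
 * consulted, in the slide's order: the owner class is selected by uid alone,
 * so an owner with mode 0007 is refused even though "others" would be let in. */
bool unix_may_access(mode_t mode, uid_t file_uid, gid_t file_gid,
                     uid_t euid, gid_t egid, unsigned want)
{
    unsigned bits;
    if (euid == 0)             return true;               /* rule 1: superuser    */
    if (euid == file_uid)      bits = (mode >> 6) & 07;   /* rule 2: owner bits   */
    else if (egid == file_gid) bits = (mode >> 3) & 07;   /* rule 3: group bits   */
    else                       bits = mode & 07;          /* rule 4: others bits  */
    return (bits & want) == want;
}

/* Effective ids after executing a file: the SETUID/SETGID bits in the file's
 * mode replace the effective uid/gid with the file's owner/group. */
void ids_after_exec(mode_t mode, uid_t file_uid, gid_t file_gid,
                    uid_t *euid, gid_t *egid)
{
    if (mode & S_ISUID) *euid = file_uid;
    if (mode & S_ISGID) *egid = file_gid;
}

int main(void) {
    /* Constructed: a 0644 file owned by root:root and a 0640 file owned by
       uid 1000, gid 100. */
    printf("uid 1001 reads root's 0644 file:  %d\n", unix_may_access(0644, 0, 0, 1001, 100, 4));     /* 1 */
    printf("uid 1001 writes root's 0644 file: %d\n", unix_may_access(0644, 0, 0, 1001, 100, 2));     /* 0 */
    printf("gid 100 member reads 0640 file:   %d\n", unix_may_access(0640, 1000, 100, 1001, 100, 4)); /* 1 */
    printf("gid 101 member reads 0640 file:   %d\n", unix_may_access(0640, 1000, 100, 1001, 101, 4)); /* 0 */
    printf("owner of a 0007 file reads it:    %d\n", unix_may_access(0007, 1000, 100, 1000, 100, 4)); /* 0 */

    uid_t euid = 1001; gid_t egid = 101;
    ids_after_exec(04755, 0, 0, &euid, &egid);          /* a SETUID program owned by root */
    printf("after exec of a 04755 root-owned file: euid=%u egid=%u\n",
           (unsigned)euid, (unsigned)egid);              /* euid=0 egid=101 */
    return 0;
}
```

Real kernels follow the slide closely, with one refinement worth knowing when reading logs: Linux lets the superuser bypass read and write checks unconditionally but still requires at least one execute bit to be set before it will execute a file.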

Page 46

Changing the protection domain (figure)

Figure labels: application; system call; trap; user protection domain; OS kernel protection domain.

Page 47

Protection matrix

• Defines the relationship between domains and system objects.
• The element (i, j) indicates the operations that domain i can perform on object j.
• Derived from the HRU model and very clear, but there are implementation problems:
  – It can be very large and sparse.
  – A static structure -> fixed number of domains and objects -> sizing?
• Solutions:
  – Access by rows: capabilities
  – Access by columns: access control lists (ACLs)

Page 48

Protection matrix example (figure)

Page 49

Access Control Lists (ACL)

• Each object is assigned a list of pairs (domain, operation) that describes what the domain can do on the object. E.g.:
  – Data -> (john, teacher, RW) (elvira, pupil, R)
• Grants and denials
  – Denials first
  – User and group can be specified.
• They are easy to create and maintain.
• They are centralized with the object, making it easy to revoke permissions.
• But they are not good if the system is large and heavily used:
  – the ACLs become very large and their operations are slow.
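An ACL with both grant and deny entries has to be evaluated in a fixed order or two administrators will read it differently. The C code below is an added example (not from the lecture notes) for the slide's "Data" object: entries name either a user or a group, and "denials first" is enforced by checking every deny entry before any grant, whatever position the entries occupy in the list. The entries and the extra user "pablo" are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: ACL evaluation with user/group entries, denials first.
 * The ACL entries and principals below are constructed. */
enum { RIGHT_R = 1, RIGHT_W = 2 };

struct ace {
    const char *who;    /* user or group name */
    bool is_group;
    bool deny;
    unsigned rights;
};

struct principal { const char *user; const char *group; };

/* Constructed ACL for the object "Data" of the slide, plus one more user. */
static const struct ace DATA_ACL[] = {
    { "john",  false, false, RIGHT_R | RIGHT_W },  /* grant to a user   */
    { "pablo", false, false, RIGHT_R | RIGHT_W },  /* grant to a user   */
    { "pupil", true,  false, RIGHT_R },            /* grant to a group  */
    { "pupil", true,  true,  RIGHT_W },            /* deny: pupils never write, even pablo */
};
enum { DATA_ACL_LEN = sizeof DATA_ACL / sizeof DATA_ACL[0] };

static bool ace_matches(const struct ace *e, const struct principal *p) {
    return e->is_group ? strcmp(e->who, p->group) == 0
                       : strcmp(e->who, p->user) == 0;
}

/* Pass 1: any matching deny that covers a requested right wins outright.
 * Pass 2: union of matching grants; every requested right must be covered.
 * A principal with no matching entry at all therefore gets nothing. */
bool acl_check(const struct ace *acl, int len, const struct principal *p, unsigned want) {
    unsigned granted = 0;
    for (int i = 0; i < len; i++)
        if (acl[i].deny && ace_matches(&acl[i], p) && (acl[i].rights & want))
            return false;
    for (int i = 0; i < len; i++)
        if (!acl[i].deny && ace_matches(&acl[i], p))
            granted |= acl[i].rights;
    return (granted & want) == want;
}

/* Convenience wrapper for the slide's object. */
bool data_access(const char *user, const char *group, unsigned want) {
    struct principal p = { user, group };
    return acl_check(DATA_ACL, DATA_ACL_LEN, &p, want);
}

int main(void) {
    printf("john/teacher RW: %d\n", data_access("john", "teacher", RIGHT_R | RIGHT_W)); /* 1 */
    printf("elvira/pupil R:  %d\n", data_access("elvira", "pupil", RIGHT_R));            /* 1 */
    printf("elvira/pupil W:  %d\n", data_access("elvira", "pupil", RIGHT_W));            /* 0 */
    printf("pablo/pupil W:   %d\n", data_access("pablo", "pupil", RIGHT_W));             /* 0: group deny beats user grant */
    printf("mallory/guest R: %d\n", data_access("mallory", "guest", RIGHT_R));           /* 0: no entry */
    return 0;
}
```

The two-pass structure is also where the slide's performance remark bites: every check walks the whole list, so a long ACL on a heavily used object costs a full scan per access.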

Page 50

ACLs in Windows (figure)

Page 51

Capabilities

• Linked to each domain, a set of descriptors indicating the operations that the domain can perform on each object in the system. E.g.:

  Cap-id  Type  Rights  Object
  ------------------------------
  0       file  rw-     data

• Explicitly requested and granted for a session or a set of operations.
• The owner has them and can give them to others.
• Lists of capabilities are themselves capabilities.
• Problem: granting rights is easy, but revoking them is very difficult if the system is large.
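The protection matrix slide and the capabilities slide describe one structure read two ways, so a single added example serves both. The C code below (not from the lecture notes) holds a small matrix of domains against objects, prints row i in the layout of the capability table above, prints column j as an ACL, and shows why revocation is cheap on the ACL side: it is one column wipe. Domains, objects and rights are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a protection matrix read by rows (capability lists) and by
 * columns (ACLs). Domains, objects and rights are constructed. */
enum right { R_READ = 4, R_WRITE = 2, R_EXEC = 1 };
enum { N_DOMAINS = 3, N_OBJECTS = 3 };

static const char *DOMAIN[N_DOMAINS] = { "john", "elvira", "backup" };
static const char *OBJECT[N_OBJECTS] = { "datos", "notas", "dump" };

/* matrix[i][j] = rights of domain i on object j (0 = no access). */
static unsigned matrix[N_DOMAINS][N_OBJECTS] = {
    { R_READ | R_WRITE, R_READ, 0                },
    { R_READ,           0,      0                },
    { R_READ,           R_READ, R_READ | R_WRITE },
};

/* The check every access goes through: element (i, j) must contain all the
 * rights requested. */
bool matrix_allows(int domain, int object, unsigned want) {
    return (matrix[domain][object] & want) == want;
}

static const char *rights_str(unsigned r, char out[4]) {
    out[0] = (r & R_READ)  ? 'r' : '-';
    out[1] = (r & R_WRITE) ? 'w' : '-';
    out[2] = (r & R_EXEC)  ? 'x' : '-';
    out[3] = '\0';
    return out;
}

/* Row i = capability list of domain i: one capability per object on which
 * the domain holds any right. Prints the slide's layout when out != NULL;
 * returns the number of capabilities. */
int capability_list(int domain, FILE *out) {
    int n = 0;
    char rs[4];
    if (out) fprintf(out, "Cap-id  Type  Rights  Object   (domain %s)\n", DOMAIN[domain]);
    for (int j = 0; j < N_OBJECTS; j++) {
        if (matrix[domain][j] == 0) continue;
        if (out) fprintf(out, "%-7d file  %s     %s\n", n, rights_str(matrix[domain][j], rs), OBJECT[j]);
        n++;
    }
    return n;
}

/* Column j = ACL of object j: (domain, rights) pairs. Returns the number of entries. */
int access_control_list(int object, FILE *out) {
    int n = 0;
    char rs[4];
    if (out) fprintf(out, "ACL of %s:", OBJECT[object]);
    for (int i = 0; i < N_DOMAINS; i++) {
        if (matrix[i][object] == 0) continue;
        if (out) fprintf(out, " (%s, %s)", DOMAIN[i], rights_str(matrix[i][object], rs));
        n++;
    }
    if (out) fprintf(out, "\n");
    return n;
}

/* Revoking access to an object is a column operation: clear one column and
 * every domain loses access at once. With capabilities the same revocation
 * means finding the object inside every domain's list. Returns entries cleared. */
int revoke_object(int object) {
    int revoked = 0;
    for (int i = 0; i < N_DOMAINS; i++) {
        if (matrix[i][object]) revoked++;
        matrix[i][object] = 0;
    }
    return revoked;
}

int main(void) {
    capability_list(0, stdout);
    access_control_list(0, stdout);
    printf("john writes datos: %d\n", matrix_allows(0, 0, R_WRITE));      /* 1 */
    printf("revoked %d entries on datos\n", revoke_object(0));             /* 3 */
    printf("john writes datos now: %d\n", matrix_allows(0, 0, R_WRITE));  /* 0 */
    return 0;
}
```

The sparsity problem of the slide is visible even at this size: a third of the cells are zero, and a real system with thousands of users and millions of files stores only the non-empty rows or columns, never the matrix.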

Page 52

Structure of a capability

• Structure of a capability (figure)
• Capabilities do not correspond directly to the needs of users and are less intuitive than ACLs.
  – Because of this, most operating systems provide ACLs as their protection mechanism.

Page 54

Generic services

• Create protection descriptor
• Open protection descriptor
• Close protection descriptor
• Destroy protection descriptor
• Get protection information
• Define protection information
• Define default protection information

Page 55

POSIX services

• POSIX provides services similar to the above.
• However, there are no specific services to create, destroy or open protection descriptors.
• The descriptors are associated with objects and are created and destroyed together with those objects.
• See the example of use.

Page 56

access

• Service:
  #include <unistd.h>
  int access(char *name, int amode);
• Arguments:
  – name: file name
  – amode: access mode to test. amode is the inclusive OR of R_OK, W_OK, X_OK or F_OK.
• Returns:
  – 0 if the process can access the file (for read, write or exec) or -1 if not.
• Example:
  – access("archivo", F_OK) returns 0 if the file exists or -1 if not.

Page 57

chmod

• Service:
  #include <sys/types.h>
  #include <sys/stat.h>
  int chmod(char *name, mode_t mode);
• Arguments:
  – name: file name
  – mode: new protection bits for access rights
• Returns:
  – Zero, or -1 in case of error.
• Description:
  – Modifies the permission bits and the SETUID and SETGID bits of the file.
  – Only the owner can change those bits.

Page 58

chown

• Service:
  #include <sys/types.h>
  #include <unistd.h>
  int chown(char *name, uid_t owner, gid_t group);
• Arguments:
  – name: file name
  – owner: new owner of the file
  – group: new id for the file's group
• Returns:
  – Zero, or -1 in case of error.
• Description:
  – Modifies the user ID and/or GID of a file.
  – The SETUID and SETGID bits are reset.

Page 59

Managing security ids

• Description:
  – Get information about the ids of a process or its group.
    uid_t getuid(void);
    uid_t geteuid(void);
    gid_t getgid(void);
    gid_t getegid(void);
  – Allow changing the id of a process or its group.
    int setuid(uid_t uid);
    int setgid(gid_t gid);

Page 60

umask

• Service:
  #include <sys/types.h>
  #include <sys/stat.h>
  mode_t umask(mode_t cmask);
• Arguments:
  – cmask: permission bits to be removed when a file is created.
• Returns:
  – The previous mask.
• Description:
  – Sets the file creation mask of the calling process.
  – Bits set in the mask are cleared in the file's protection word.
    • If mask = 022 and a file is created with bits 0777, the actual file will have bits 0755.
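The services of the last five slides are usually used together, so here is one added C example (not the lecture notes' own "example of use") that runs them end to end on a real file: it sets umask(022), creates a file asking for 0666, confirms with stat() that the kernel stored 0644, changes it with chmod() to 0640, and asks access() the same question the protection rules answer. The directory name under /tmp is constructed for the example and removed afterwards; chown is left out because changing the owner needs privilege, and the get*id calls are only printed since their values depend on who runs the program.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example: umask, open, stat, chmod, access and the get*id services
 * exercised on a temporary file. The /tmp path is constructed. */

/* The umask rule as arithmetic: bits set in the mask are cleared. */
mode_t apply_umask(mode_t requested, mode_t mask) {
    return requested & ~mask;
}

/* Creates "archivo" with umask 022 and requested mode 0666 (0644 results),
 * chmod()s it to 0640 and checks it with access() and stat().
 * Returns the permission bits observed at the end (0640), or -1 on any error. */
int demo_file_protection(void) {
    char dir[64], path[96];
    struct stat st;
    int fd, result = -1;

    snprintf(dir, sizeof dir, "/tmp/osprot_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/archivo", dir);

    mode_t old = umask(022);                         /* remove group/other write */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);                                      /* restore the caller's mask */
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);

    /* The created mode is 0666 & ~022 = 0644. */
    if (stat(path, &st) == 0 && (st.st_mode & 0777) == apply_umask(0666, 022)
        /* Only the owner (or root) may change the bits; this process is the owner. */
        && chmod(path, 0640) == 0
        /* access() consults the UNIX protection rules with the process's
           effective ids: the owner of an rw- file passes both tests. */
        && access(path, F_OK) == 0 && access(path, R_OK | W_OK) == 0
        && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);

    unlink(path);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("real uid %u, effective uid %u, real gid %u, effective gid %u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    printf("0777 with umask 022 -> %04o\n", (unsigned)apply_umask(0777, 022));    /* 0755 */
    printf("final mode of demo file: %04o\n", (unsigned)demo_file_protection());  /* 0640 */
    return 0;
}
```

Two practical points follow from the slides and show up in the code: umask() is process-wide state, so the old mask is restored immediately, and access() answers for the process's effective ids at the moment of the call, which is why a check-then-open sequence can be answered differently from the open() that follows it.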

Page 62

Windows services

• Windows has security level C2 according to the DoD.
• Existence of discretionary access control:
  • Ability to allow or deny access rights to any object based on the user's identity.
• Windows uses a security descriptor and access control lists (ACL), with access control entries (ACE) for:
  • Permits and denials of access.

Page 63

Security subsystem

• Windows-specific security subsystem.
• Logon process, which shows the dialog through which users access the system and asks for the user ID, the password and the domain.
• Local Security Authority, which checks that the user has permission to access the system. It is the heart of the system: it manages local policy, authentication services, audit policy and the logging of audited events.
• User Account Manager, which maintains the database of users and groups. It provides user validation.
• Security Reference Monitor, which controls user access to objects, checking whether they have the appropriate permissions under the security policy, and generates events for the audit logs.

Page 64

Structure of the security system (figure)

Figure labels. User level: logon process, user account manager, local security authority (security policy, auditing), win32 subsystem, application, registry. System level: system services, security reference monitor (access validation), device drivers, hardware abstraction layer (HAL).
