trusted operating systems securing networked systems l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Trusted Operating Systems Securing Networked Systems PowerPoint Presentation
Download Presentation
Trusted Operating Systems Securing Networked Systems

Loading in 2 Seconds...

play fullscreen
1 / 83

Trusted Operating Systems Securing Networked Systems - PowerPoint PPT Presentation


  • 167 Views
  • Uploaded on

Trusted Operating Systems Securing Networked Systems. Jeffrey W. Thompson Argus Systems Group, Inc. A technical discussion of platform security Using Argus’ PitBull .comPack trusted operating system product suite as a reference Concepts are easily translatable to other TOS systems.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Trusted Operating Systems Securing Networked Systems' - allayna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
trusted operating systems securing networked systems
Trusted Operating SystemsSecuring Networked Systems

Jeffrey W. Thompson

Argus Systems Group, Inc.

introduction
A technical discussion of platform security

Using Argus’ PitBull .comPack trusted operating system product suite as a reference

Concepts are easily translatable to other TOS systems.

Introduction

Jeff Thompson

Software Evangelist and Visionary

Argus Systems Group, Inc.

company profile
Argus Systems Group, Inc. is an international provider of Internet security software and engineering services providing E-commerce systems security solutions

Dedicated to providing security solutions necessary to advance new ways of conducting business over the Internet

Company Profile
overview
Failings of Standard Operating Systems

Understanding Trusted Operating Systems

How TOS Addresses Failings

Applying TOS to Modern Architectures

Overview
experts agree
Experts Agree. . .

“The threats posed by the modern computing environment cannot be addressed without secure operating systems. Any security effort which ignores this fact can only result in a ‘fortress built upon sand’.”

Excerpted from: “The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments”,

US National Security Agency (NSA) Report, 1998

failings of standard platforms
Super User/Root

Discretionary Access Control

Networking Is Not Tied To Security

Failings of Standard Platforms

Understanding the Sand

super user root
Privileged access to the system is either on or off.

Only one user is considered to have this “special” access

Creates a common and single point of attack

Super User/Root
super user root ramifications
Buffer Overflow Attacks

Misdirection of “root” programs

Access to most system files (ok, all files)

Super User/Root Ramifications
buffer overflow attacks
Setuid 0 programs

Daemons running as root

If you want to learn more attend to Greg Hoglund’s Advanced Buffer Overflow Techniques talk at 4:30pm today.

Buffer Overflow Attacks

A buffer overflow attack places new programmatic code on a

a process’ stack, and causes the process to execute this code

when returning from a function. This code is executed with

the same rights as the running process, allowing the attacker

to force the program to perform nefarious tasks.

An attacker goes after…

misdirection of root programs
Misdirection of “root” programs

A setuid 0 program that can be “tricked” into performing

unforeseen actions can be used to obtain permanent root

access to a system.

Examples:

Race conditions that allow file overwrites

Reads any file on system

Program allows setting of location of tmp file

All of these can easily lead to unauthorized root access

discretionary access control
The owner of the file where the data is stored determines who gets initial access to it.

A user with READ access can let other users have access to the data, either by making a copy or by making a setuid program that gives access.

A user with WRITE access can let other users have access to the data by making a setuid program that gives access.

The owner of a file can’t stop other users who have access from giving that access to others, and the owner cannot know if the transfer has taken place.

Discretionary Access Control
dac ramifications
A user that owns a file can modify it, irregardless of the permissions on the file

If you become root you have access to most system files (as they are all owned by root) and an easy path to gaining ongoing access to the system

In order for an attacker to access a file, he simply has to become the user that owns the file.

Root access also gives you DAC override and access to all files irregardless of permissions.

DAC Ramifications
networking is not tied to security
Networking is Not Tied To Security

User access to files and resources on a system is not related

in any way to how the user connects to the system.

Firewalls and network filtering determine what services a

remote connection can access, but provide no additional

security or policy once a user is connected to the system.

A user connected over the Internet has exactly the same

file access on a system as the same user logged in from

an internal connection, or a VPN connection.

summing it all up
Summing it All Up

Setuid programs are major points of attack.

Many services have to run as root and are vulnerable to attack.

Setuid ‘0’ programs

Services running as root

User AFrom Internal

User AFrom Internet

User ‘A’ has the same access on the system no matter where he comes from. User ‘A’ may be able to cause serious damage to system depending on his access rights.

Compromise is only a matter of time.All we can do is wait and watch.

understanding tos trusted operating systems
Least Privilege

Authorizations

Mandatory Access Control

Network Labeling

Security Gate

CGI Daemon

Understanding TOS(Trusted Operating Systems)
privilege topics
Definitions

Process Privileges

File System Privileges

Privilege Inheritance

Privilege Topics
privilege definitions
Least Privilege

“The principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”

Privilege Bracketing

The principle of enabling and disabling privileges around the smallest section of code which require it.

Privilege Definitions
privileges
Traditional UNIX has one privilege: root.

Argus has divided the root privilege into many sub-privileges, for example:

PV_FS_MOUNT

PV_DAC_R

Argus includes new privileges, for example:

PV_MAC_W

PV_PV_PROC

Privileges
process privileges
Three privilege sets are associated with each process:

Limiting the maximum possible privilege set a process can have during its lifetime

Maximum the set of privileges over which a process has control

Effective the set of privileges used to override system restrictions

Process Privileges
process privileges cont d
The following rules apply to process privilege sets:

A process may manipulate its effective privilege set within the bounds set by its maximum privilege set.

A process’s effective privilege set (EPS) must always be a subset of the process’s maximum privilege set.

A process’s maximum privilege set (MPS) must always be a subset of the process’s limiting privilege set (LPS).

Process Privileges(cont’d)
process privileges cont d22
Rules (cont’d):

A process may only lower its maximum privilege set, never increasing it (except certain privileged processes).

A process may only lower its limiting privilege set, never increasing it (no privilege will override this restriction).

Process Privileges (cont’d)
file system privileges
File System Privilege Information:

Privilege information is stored in the inode (index node) of each file on the system..

Privilege information is ignored for directories Three privilege sets are associated with each file:

innate

proxy

authorized

File System Privileges
file system privileges cont d
Innate Privileges

Privileges a process is guaranteed to have in its maximum privilege vector upon startup.

Proxy Privileges

Privileges that will be granted only if the process has them in its maximum privilege set prior to executing the file (i.e. privileges that the process will be allowed to “keep” across the exec).

Authorized Privileges

Privileges that will be granted only if the user has at least one of the authorizations in the Privileged Authorization Set of the file.

File System Privileges (cont’d)
privilege inheritance
New processes are created via the fork() system call.

fork() copies all privileges from the parent to the new child.

Executable files (programs) are executed via the exec() system call.

exec() calculates the new process’s privileges according to several rules based on the privileges in the old process and privileges on the executable file.

Privilege Inheritance
privilege vs authorization
Privilege

An attribute of a process that allows the process to execute specific, security-relevant code within the TCB.

Authorization

An attribute of a user ID that allows a process acting on behalf of the user to execute specific, security-relevant code within the TCB.

Privilege vs. Authorization
control via authorization
Control via Authorization

User accounts have authorizations,

not privileges.

Authorizations are the key

to gain access to a program’s features.

unauthorized use of programs
When a user runs a program (creates a new process and runs an executable file) that is privileged, that program can check to see if the user is authorized to use the program or the privileges.

If the person running the program doesn’t have the appropriate authorization, the program can:

1) exit with an error message

2) run with a reduced feature set (e.g., ls shows all files if run by an ISSO, otherwise it shows only files dominated by the lsing process)

3) disallow some functionality (e.g., the -c option on cpio can only be used by the ISSO)

Unauthorized Use of Programs
privilege authorizations
An executable can have a set of privileges placed on it that will only be put into the process’ maximum set if it passes an authorization check.

An executable can have two types of authorizations placed on it

Access Authorizations

Privilege Authorizations

Access Authorizations require a user to have the authorization in order to run the executable.

Privilege authorizations require a user to have the authorization in order to have the authorized privilege set put into the maximum set.

Privilege Authorizations
authorizations and roles
Other authorizations (not a complete list):

BOOT SHUTDOWN

DOWNGRADE UPGRADE

LOGIN AUTH

ILMODIFY SETSL

OUTSIDEACCRED AUDIT

Authorizations and Roles

Three roles

ISSO (Information Systems Security Officer)

SA (System Administrator)

SO (System Operator)

By convention, authorization names are capitalized.

mac definition
Mandatory Access Control:

“A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.”

TCSEC, Glossary

MAC Definition
mac explanation
The owner of a file cannot change the MAC settings of a file unless he is authorized to do so.

The owner of a file cannot give another user access to the file unless the user is already authorized to have access to that class of data.

Copies of the file will automatically be protected at least as well as the original file, no matter how the copy is created and no matter what program or utility is used.

MAC Explanation
mac topics
Definitions and Rules

Sensitivity Labels

Process Labels

Object Labels

Login Label

MAC Topics
sl components
An SL has a single hierarchical component (classification or class).

Examples:

unclassified, classified, secret, top secret

public, sensitive, confidential, classified

An SL also has (optional) non-hierarchical components (compartments or categories).

Examples:

financial, personnel, marketing, engineering

projectA, projectB, projectC

An SL is generally written with the class and compartments separated by a colon.

Examples:

TS:A,B S:A,B,C TS(no compartment)

SL Components
sl dominance
Classes can be treated like numbers, with a class being less than, equal to, or greater than another.

Examples:

topsecret > secret > confidential > unclassified

A compartments set can be a subset of another, or it can be a super set, or equal, or disjoint.

Examples:

{A,B} is a subset of {A,B,C}

{B,C} is a superset of both {B} and {C} (and the null set)

{A,B} and {B,C} are disjoint

SL Dominance
sl dominance cont d
A label (SL1) is said to dominate another label (SL2) if and only if both of the following are true:

1) the class of SL1 is greater than or equal to the class of SL2, and

2) the compartment set of SL1 is a superset of, or equals, the compartment set of SL2

Examples: (TS > S > C)

TS:A,B dominates TS:B and S:A,B and S

S:A,B,C dominates S:A and S and C:A,B,C

Equality is a special case of dominance, that is, if two labels dominate each other, they are equal.

For some labels, such as TS:A,B and S:C, neither label dominates the other.

SL Dominance (cont’d)
sl dominance cont d37
The diagram below shows how SLs are related by dominance. Each arrow points from one SL to an SL it dominates. If a label dominates another, it is said to be “higher” than the second, and the second is said to be “lower” than the first.SL Dominance (cont’d)
sl inheritance
Every process and file on the system has an SL.

When a process creates a file, the file is created with the SL of the process.

When a process creates a new process (with the fork system call), the new process inherits the same SL.

The system boots with a specific SL, which is inherited by all other processes. Some of these processes, such as the login process, can change their SLs.

Each user account is assigned a default SL by the security officer as the account is created. This default is what a user will have as his session SL when he logs on.

SL Inheritance
sl access controls
A process cannot open a file for read unless the SL of the process dominates the SL of the file.

A process cannot open a file for write unless the SL of the process equals the SL of the file.

Unless a process has the privilege needed to change an SL, the process cannot change its own SL or the SL of any process or file on the system.

This form of access control is called Mandatory Access Control (MAC).

This means that if a process makes a copy of a file, the new file will be at the SL of the process, which is equal to or higher than the original file’s SL, so the security of the copy is equal to or greater than the security of the original file.

SL Access Controls
clearances and max sls
Every process on the system has two extra SLs:

Minimum Clearance

Maximum Clearance

These SLs are used only when the process attempts to change its own SL or the SL or another object.

Directories and devices can have a second SL:

Maximum SL

This SL is used for access control. A process can write to a device or into a directory (create or delete files) if the process SL is within the range of the device or directory’s SLs instead of being restricted to being equal to the device or directory's minimum SL.

Clearances and Max SLs
mac rule summary
Dominance

A label L1 is said to dominate label L2 if the hierarchical component of L1 is greater than or equal to that of L2 and if all compartments (categories) of L2 are contained in the compartments of L1.

Information Flow

Information/data is allowed to flow between objects or subjects only if the destination sensitivity label dominates the source sensitivity label (“write up, read down” or “*-property”).

MAC Rule Summary
process labels
Label information is stored in the proc structure of each process on the system.

Three SLs are associated with each process:

Effective SL

Minimum Clearance

Maximum Clearance

The range of SLs from minimum clearance to maximum clearance is called the “clearance range.”

Process Labels
process labels cont d
The following rules apply to process SLs:

A process effective SL must dominate the process minimum clearance.

A process effective SL must be dominated by the process’s maximum clearance.

Only a privileged process may change the effective SL or minimum or maximum clearance of a process.

Process Labels (cont’d)
object labels
Label information is stored in the inode (index node) of each object on the system.

Two SLs are associated with each object:

Maximum SL

Minimum SL

(The maximum SL is only used for directories and devices.)

Object Labels
object labels cont d
The following rules apply to object SLs:

An object minimum SL must be dominated by the object’s maximum SL.

Only a privileged process may change the SLs of an object.

Object Labels (cont’d)
login label
Each user is assigned a default login SL, a minimum clearance (SL), and a maximum clearance (SL). (all stored in /etc/security/clear).

At login, the user is assigned his default login SL unless an SL is explicitly requested.

Example:

login: smith -e "othersl a b"

A user can only log in with an SL within his clearance range.

Login Label
network labeling
Network data is labeled based on interface, host, and port

A process/service cannot talk to external hosts unless the data is dominated by the process

Outgoing data is checked against a range of allowable date based on network rules

Network Labeling
network security rule

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

Network Security Rule

A table of network security rules is loaded into the networking stack. The rules look like this:

network security rule49
Network Security Rule

name

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

This is a host rule...

slide50

Network Security Rule

name

mask

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

…with a mask, so the rule applies to all hosts with a 192.0.0.xxx IP address.

slide51

Network Security Rule

name

mask

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

The rule applies to both incoming and outgoing packets.

slide52

Network Security Rule

name

mask

protocol

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

The rule applies only to those 192.0.0.xxx packets with TCP protocol.

slide53

Network Security Rule

name

mask

protocol

start port range

end port range

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

The rule applies only to those 192.0.0.xxx packets with TCP protocol and using ports 21-24.

slide54

Network Security Rule

name

mask

protocol

start port range

end port range

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

All packets must be in this range. They must also be in NI rule range.

min SL

max SL

slide55

Network Security Rule

name

mask

protocol

start port range

end port range

192.0.0.14

/255.255.255.0

IN OUT

tcp:

21-

24

| IMPL_LO |

TS ALL |

CON A |

Set incoming packet SL to CONFIDENTIAL A.

min SL

max SL

default SL

securing services

Interface

Interface

:80Con Httpd

:80Con Httpd

Interface

Default

Con Default

:3300

Con SQL

VPNInterface

Interface

Default

Con Default

:3300Con SQL

Interface

Default

Con Default

Securing Services

HttpdCon Httpd

Host B

Host A

SQL

Con SQL

Host C

outgoing restrictions
Outgoing Restrictions

Interface

HttpdCon Httpd

:80Con Httpd

CGI Programs

Interface

Default

Con Default

The web server can communicate on its :80 due to the host rule.

CGI programs cannot make network connections back out as

They will run as “Con Httpd” and thus not dominate the

Incoming data rule of “Con Default”. A range can be put on the

interface to enforce restrictions on all outgoing packets as well.

security gateway
Security Gateway is a trusted program that:

allows communication between two processes with disjoint Sensitivity Labels

allows only one-to-one communication

is written by security experts

Security Gateway
security gate
Security Gate

CGI

SL: Con CGI

SQL

SL: Con SQL

These applications cannot talk as they are in disjoint compartments.

security gate60
Security Gate

Privileged program that acts as a gateway for communication between two applications.

CGI

SL: Con CGI

SQL

SL: Con SQL

Security

Gate

This only allows the programs to talk, but doesn’t allow access to files or other resources of these applications.

cgi daemon
A secure CGI daemon that

separates CGI functionality of a web server from the web server itself

provides a secure way to execute any CGI programs

provides virtual partition between web server and CGI programs

provides a secure communication between web server and CGI program

CGI Daemon
cgi daemon62
CGI Daemon

Confidential CGI

Confidential Web

httpd

CGId

SG

CGId runs in a separate compartment, and has noaccess to httpd compartmentalizedfiles or its network access.

CGI

Programs

how tos addresses failings
Buffer Overflow Attacks

Misdirection of “root” programs

A user that owns a file can modify it, irregardless of the permissions on the file

If you become root you have access to most system files (as they are all owned by root) and an easy path to gaining ongoing access to the system

User access to files and resources on a system is not related in any way to how they connect to the system.

Firewalls and network filtering determine what services a remote connection can access, but provide no additional security or policy once a user is connected to the system.

A user connected over the Internet has exactly the same file access on a system as the same user logged in from an internal connection, or a VPN connection.

How TOS Addresses Failings
buffer overflow attacks64
Least Privilege allows

Programs run with minimal abilities

Programs can drop privileges when they are no longer needed

Buffer Overflow Attacks
buffer overflow attacks example
Buffer Overflow Attacks Example

Httpd

Bind to Privileged Port Privilege

Httpd

No Privilege

Httpd can be run as normal user

with bind to privileged port privilege.

There is no need for it to be root now.

Once httpd binds to its network port

it can drop its privilege as it is no

longer required.

In standard Unix httpd has complete access to the system

even though it really only needs the ability to bind to a

privileged port. Why?

A buffer overflow attack on this daemon now results in no special privileges. Also if it were attacked when it had privilege the attacker would only gain the bind privilege

misdirection of root programs66
Least privilege reduces the damage caused.Misdirection of “root” programs

Most attacks of this type rely upon specific abilities of the rootuser for their success (such as complete file access). As mostprograms do not need this ability, the number of attacks is reduced.

Also, a program can drop these special privileges when no longer

needed thus further reducing the code that could be targetted

for an attack.

misdirection of root programs67
Misdirection of “root” programs

Program Code

Main()…

More code

And more code

This program running as rootunder standard Unix has potential attack points throughout its entire code base.

misdirection of root programs68
Misdirection of “root” programs

Program Code

This program running as any user under a TOS has potential attack points only where privileges are active thus greatly reducing attack vulnerability.

Main()…

Enable Privileges

Privileged code

Drop privileges

More code

And more code

a user that owns a file can modify it
MAC can be used to restrict access to a file even if a user is the owner.A user that owns a file can modify it

User logged in as Root

but forced to SL of Confidential

Root has read access to system files but not write accessdue to MAC protection. The user has no way of changing hiseffective SL and thus can never gain write access.

System Files – Owned by Root

at Implementation_Low

root has access to all files
Root has access to all files

Under a TOS, root is not a special user. The user mustprivileges or authorizations that allow him access to aprivileged program in order to gain special abilities.

Implication: Programs running as root are really no different than programs running as any other user.

network protection
Network Protection

Network rules can force a user to enter the system a specific effective SL thus limiting their access.

These rules can cause a user to have different types of access that are dependent on where he logs in from (even through a VPN).

Implications:

System files can be MAC protected to never be modifiable by any user coming from a public connection.

Administrative programs can be isolated so that they are only executable by internally connected users.

summing it all up72
Summing it All Up

Services can run as different users, or even as root. They gain no special rights because of this.

Setuid programs are now running with least privilege.

Least Privilege Programs

Services running as root

User AFrom Internal

User AFrom Internet

User ‘A’ can be given restricted access if coming over the Internet (even no access), while the same user coming in from an internal connection can be given more access.

Applications are isolated from each other and the system, limiting the damaged caused by a penetration.

defining labels
Hierarchical components:

TOP_SECRET(TS), Confidential(CON), Unclassified(U), Implementation_Low(IMPL_LO)

Compartments:

WEB, A, MAIL

Defining Labels
basic web server
Basic Web Server

Files

Web content and CGI is stored at Unclassified WEB

Web Server configuration is stored at U WEB_CONF but could be stored at U WEB if you would like the content creator to have access to configuration files

basic web server76
Basic Web Server

Files

System files (configuration, libraries, and binaries) are all stored at Implementation Low.

basic web server77
Basic Web Server

Web Server

The web server is run at CON WEB WEB_CONF, giving it read access to all web content and its own configuration files. The web server and any CGI programs it runs are unable to modify the files due to MAC restrictions.

basic web server78
Basic Web Server

Network

The interface places all external connections to the web server at CON WEB WEB_CONF allowing communications to take place at that SL.

FTP and SSH connections are placed at U WEB allowing content to be placed on the system. Clearly SSH is a better mechanism for doing this!

root as a guest account

SL: Con User

Root Shell

telnetd

Pop/Imap

SL: Con Mail

Sendmail

Mail Files

Root as a Guest Account

System Files

SL: IMPL_LO

Read Only

NIC

:23 SL: Con User

Can’tAccessEach Other

:25, 110, 143 SL: Con Mail

Root connects in at Con User and is unable to modify ANY system files.

root as a guest account80

SL: Con User

Root Shell

telnetd

Pop/Imap

SL: Con Mail

Sendmail

Mail Files

Root as a Guest Account

System Files

SL: IMPL_LO

Read Only

NIC

:23 SL: Con User

Can’tAccessEach Other

:25, 110, 143 SL: Con Mail

The mail system is also completely isolated. Any breach here, will not lead to a system compromise.

commercial trusted os platforms
Argus PitBull .comPack

Solaris 7 (Sparc & x86)

Porting to:

Solaris 8 (Sparc & x86)

IBM AIX

Linux (32bit and 64bit kernels)

Hewlett Packard

Virtual Vault (HP hardware)

Commercial Trusted OS Platforms
the argus revolution
Free PitBull Foundation Licenses for Individual Non-Commercial Use

http://www.argusrevolution.com/

The Argus Revolution