chapter 5a n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Chapter 5a PowerPoint Presentation
Download Presentation
Chapter 5a

Loading in 2 Seconds...

play fullscreen
1 / 128

Chapter 5a - PowerPoint PPT Presentation


  • 135 Views
  • Uploaded on

Chapter 5a. Operating Systems Security Stallings chapters 4,10,23,24. Protecting Hardware / System Resources. Hardware : Memory, CPU, I/O System Identity (Authentication) Processes and address spaces Files Network (penetration, messages) Databases, Web sites. Hardware security.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Chapter 5a' - paniz


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
chapter 5a
Chapter 5a

Operating Systems Security

Stallings chapters 4,10,23,24

protecting hardware system resources
Protecting Hardware / System Resources
  • Hardware:
    • Memory, CPU, I/O
    • System
    • Identity (Authentication)
    • Processes and address spaces
    • Files
    • Network (penetration, messages)
    • Databases, Web sites
hardware security
Hardware security
  • The lowest and most basic level
  • Affects all other levels
  • Without minimal support, no security is possible
protecting memory
Protecting Memory
  • Base and Bound Registers
  • Segmented memory
  • Protection keys
  • Virtual (Paged) memory
  • Segmented and Paged Virtual memory
  • Tagged architecture (capabilities)

Prof. Ehud Gudes Security Ch5

memory protection basic
Memory Protection (basic)

Was also used in Intel 808X

Base

Limit

user

0

ModeBit

Supervisor mode can load B / L registers

Prof. Ehud Gudes Security Ch5

protection keys ibm 360 history
Protection Keys (IBM 360 - History)
  • PSW had 4 bits protection key
  • Each memory partition had 4 bits protection key (total 16 possible partitions)
  • To access:
    • PSW key = Memory key
    • Key 0 (OS) can access partition with any other key!

Prof. Ehud Gudes Security Ch5

memory protection paging
Memory Protection - Paging
  • Memory protection implemented by associating protection bit with each frame.
  • Valid-invalid bit attached to each entry in the page table:
    • “valid” indicates that the associated page is in the process’ logical address space, and is thus a legal page.
    • “invalid” indicates that the page is not in the process’ logical address space.
    • different than in/out of memory!

Prof. Ehud Gudes Security Ch5

address translation architecture
Address Translation Architecture

Prof. Ehud Gudes Security Ch5

segmentation
Segmentation
  • One-dimensional address space with growing tables
  • One table may bump into another

Prof. Ehud Gudes Security Ch5

segmentation cont
Segmentation cont.

Allows each table to grow or shrink, independently

Prof. Ehud Gudes Security Ch5

segmentation primitive form intel 286 old pc
Segmentation – primitive form – Intel 286 (old PC)
  • Data segment and Code segment
  • Fixed size – 64K each

Prof. Ehud Gudes Security Ch5

implementation of pure segmentation
Implementation of Pure Segmentation

(a)-(d) Development of checkerboarding

(e) Removal of the checkerboarding by compaction

Prof. Ehud Gudes Security Ch5

segmentation architecture cont
Segmentation Architecture (Cont.)
  • Protection. With each entry in segment table associate:
    • validation bit = 0  illegal segment
    • read/write/execute privileges
  • Protection bits associated with segments; code sharing occurs at segment level.
  • Since segments vary in length, memory allocation is a dynamic storage-allocation problem.
  • A segmentation example is shown in the following diagram

Prof. Ehud Gudes Security Ch5

example of segmentation
Example of Segmentation

Prof. Ehud Gudes Security Ch5

segmentation vs paging
Segmentation vs. Paging

Comparison of paging and segmentation

Prof. Ehud Gudes Security Ch5

segmentation with paging multics 1
Segmentation with Paging: MULTICS (1)
  • Descriptor segment points to page tables
  • Segment descriptor – numbers are field lengths

Prof. Ehud Gudes Security Ch5

segmentation with paging multics 2

Into Descriptor Segment

Segmentation with Paging: MULTICS (2)

A 34-bit MULTICS virtual address

Prof. Ehud Gudes Security Ch5

segmentation with paging multics 3
Segmentation with Paging: MULTICS (3)

Conversion of a 2-part MULTICS address into a main memory address

segmentation with paging multics 4
Segmentation with Paging: MULTICS (4)
  • Simplified version of the MULTICS TLB
  • Existence of 2 page sizes makes actual TLB more complicated

Prof. Ehud Gudes Security Ch5

paged segmentation on the intel 80386

Privilege level (0-3)

0 = GDT/ 1 = LDT

13

1

2

Index

Paged segmentation on the INTEL 80386
  • 16k segments, each up to 1G (32bit words)
  • 2 types of segment descriptors
    • Local Descriptor Table (LDT), for each process
    • Global (GDT) system etc.
    • access by loading a 16bit selector to one of the 6 segment registers: CS, DS, SS, (holding the 16bit selector during run time, 0 means not-in-use)
  • Selector points to segment descriptor (8 bytes)

Prof. Ehud Gudes Security Ch5

segmentation with paging pentium 3
Segmentation with Paging: Pentium (3)

Conversion of a (selector, offset) pair to a linear address

Prof. Ehud Gudes Security Ch5

segmentation with paging pentium 4
Segmentation with Paging: Pentium (4)

Mapping of a linear address onto a physical address

Prof. Ehud Gudes Security Ch5

intel 30386 address translation
Intel 30386 Address Translation

Prof. Ehud Gudes Security Ch5

protecting cpu processes
Protecting CPU/Processes
  • User vs. Kernel (supervisor) mode
  • Amplification – System calls (Trap, SVC)
  • Protection rings

Prof. Ehud Gudes Security Ch5

user supervisor mode

Privileged

Instructions

User / Supervisor Mode

Instructions

SVC

- Supervisor mode can execute all the instructions

- User mode can execute non-privileged instructions only

- One must trust the supervisor

Prof. Ehud Gudes Security Ch5

basic policies
Basic policies
  • Isolation—a process must be protected from other processes.
  • Controlled sharing—processes must be able to share resources in a controlled way.

Prof. Ehud Gudes Security Ch5

execution states or modes
Execution states or modes
  • At least two modes of operation are needed to have any security.
  • Most hardware architectures use a supervisor and a user mode. In the user mode some intructions, called privileged instructions, cannot be executed directly. In supervisor mode all the instructions can be executed. The state of a process is kept in a Program Status Word.

Prof. Ehud Gudes Security Ch5

how the mode is switched
How the mode is switched
  • A supervisor/kernel call (trap) switch to an address in the OS address space with the new mode (this is called: Amplification)
  • Old address and old mode is saved (e.g. in OLD PSW)
  • When returning the old address and mode are restored (note different than a procedure call because of the mode switch)

Prof. Ehud Gudes Security Ch5

memory protection vs cpu protection
Memory protection vs. CPU protection

Both are mutually dependent!:

  • Without CPU protection, anyone can change keys/bound registers!
  • Without memory protection, anyone can change old PSW and set to Supervisor mode!

Both are needed!

Prof. Ehud Gudes Security Ch5

protection rings
Protection rings
  • Some architectures define in their hardware a set of rings (4 to 32) that correspond to domains of execution with hierarchical levels of trust. Rings are a generalization of the concept of mode of operation.
  • Crossing of rings is done through gates that check the rights of the crossing process. A process calling a segment in a higher ring must go through a gate.

Prof. Ehud Gudes Security Ch5

rings in multics

r0

r1

r2

r3

r4

r5

r6

r7

W – Write

R – Read

Ex – Execute

C – Call

R – ring

C

C

Ex

W

R

Rings in Multics

Prof. Ehud Gudes Security Ch5

slide33

0 = kernel

1 = OS functions

2 = safe applications

3

3 =

untrusted

applications

2

1

0

- Calls upward

(higher privilege)

- Data access toward

less privilege

- Gate crossings

- Protected entry points

Prof. Ehud Gudes Security Ch5

protection rings on intel pentium

Level

Protection rings on Intel Pentium

Protection on the Pentium

Prof. Ehud Gudes Security Ch5

protecting i o
Protecting I/O
  • I/O privileged instructions
  • Interrupts vector in protected area
  • Open file table in protected area
  • Open requires system call
  • Example for combined Memory/CPU protection

Prof. Ehud Gudes Security Ch5

security in multics summary
Security in Multics - Summary
  • Files on disk – Access Control lists
  • Files equal segments in Virtual memory!
  • When segment is called, file is opened and ACL checked. Then segment descriptor is created and protection is via the descriptor.
  • Process protection using protection rings.
  • Process control and amplification using Gates.

Prof. Ehud Gudes Security Ch5

access matrix model
Access Matrix Model
  • View protection as a matrix (access matrix)
  • Rows represent domains (or Subjects) – a subject may be a user, a process, a role, an IP, etc. a Domain is a subject in some context.
  • Columns represent objects to which access is required
  • Access(i, j) is the set of operations that a subject executing in Domaini can invoke on Objectj

Prof. Ehud Gudes Security Ch5

what s the difference between a subject and a domain
What’s the Difference Between a Subject and a Domain

A subject is usually a process. During its life-time, a subject may acquire rights or lose them. At a particular point in time, a subject has given a set of rights that’s a domain!

Prof. Ehud Gudes Security Ch 1

access matrix
Access Matrix

Figure A

Prof. Ehud Gudes Security Ch5

access matrix of figure a with domains as objects
Access Matrix of Figure A With Domains as Objects

Figure B

Prof. Ehud Gudes Security Ch5

use of access matrix
Use of Access Matrix
  • If a process in Domain Ditries to do “op” on object Oj, then “op” must be in the access matrix.
  • Can be expanded to dynamic protection.
    • Operations to add, delete access rights.
    • Special access rights:
      • owner of Oi
      • copy op from Oi to Oj
      • control – Di can modify Dj access rights
      • transfer – switch from domain Di to Dj
  • Reminder - the HRU model

Prof. Ehud Gudes Security Ch5

implementation of access matrix capabilities and access control lists
Implementation of Access Matrix – Capabilities and Access-control lists
  • Representing by row – each subject (domain ) with the objects it can access – Capability list
  • Representation by Column – each object with the list of subjects that can access it (and which type of access) –

Access control list (ACL)

Prof. Ehud Gudes Security Ch5

implementation of access matrix
Implementation of Access Matrix
  • Each column = Access-control list for one object Defines who can perform what operation.For File F1 Domain 4 = Read, Write Domain 1 = ReadFor File f2

Domain 2 = Read

  • Each Row = Capability List (like a set of keys)Fore each domain, what operations allowed on what objects. For domain 1:

File 1 – Read, File 3 - Read

For Domain 3:

File 2 – Read, File 3 - Execute

access control lists 1
Access Control Lists (1)

In Unix - the (abstract) ACL is in the Inode

Prof. Ehud Gudes Security Ch5

access control lists 2
Access Control Lists (2)

Two access control lists

Prof. Ehud Gudes Security Ch5

capabilities 1
Capabilities (1)

Each process has a capability list

Prof. Ehud Gudes Security Ch5

implementing access matrix capability lists
Implementing Access Matrix - Capability Lists
  • “Slicing” the protection matrix by rows
  • Users and processes have capability lists which are lists of permissions for each object appearing in a domain - c-lists.
  • Hard to revoke access to objects, have to be found in
  • Capabilities are “special” objects - ticket, never accessible to user space objects - better protection. To get access process must present the “ticket”!
  • Generic operations on c-lists
    • Copy capability (from one object to another)
    • Copy Object (with capability)
    • Remove capability (an entry of the c-list)

Prof. Ehud Gudes Security Ch5

descriptors
Descriptors
  • Descriptors are similar to capabilities but are used mainly for accessing memory.
  • Because the descriptors are used for addressing they are handled by the memory allocation unit of the OS and we need to trust now that unit.
  • Descriptors and capabilities can be seen as embodiments of rows of the access matrix

Prof. Ehud Gudes Security Ch5

using capabilities for addressing descriptors
Using Capabilities for Addressing - Descriptors

Instruction address

cap

offset

Object Length Base

i

C

B

B

Rights Object

L

X

B+

X

RW

C

Capability

The instruction contains pointer to capability instead of a segment address

B+

Descriptor Table

Memory

Prof. Ehud Gudes Security Ch5

sharing using capabilities

RW

R

RW

R

F3

D11

F5

F6

F4

F1

D1

RW

RW

F2

P1 C - list

R

R

D12

RW

RW

D

R

R

D3

RW

R

D31

P2 C - list

Sharing Using Capabilities

D2

Directories

Prof. Ehud Gudes Security Ch5

capability based systems
Capability-Based Systems
  • Hydra
    • Fixed set of access rights known to and interpreted by the system.
    • Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights.
  • Cambridge CAP System
    • Data capability - provides standard read, write, execute of individual storage segments associated with object.
    • Software capability -interpretation left to the subsystem, through its protected procedures.

Prof. Ehud Gudes Security Ch5

capabilities protection of
Capabilities - Protection of
  • In system area – need system call for every access?
  • Cryptographically-protected capability
  • Generic Rights

1. Copy capability

2. Copy object

3. Remove capability

4. Destroy object

Prof. Ehud Gudes Security Ch5

capabilities amplification domain switch with protected entry points

RE

R

Ent

RE

C – listcalling Domain

RW

C – listcalled Domain

Capabilities – AmplificationDomain Switch with Protected entry Points

callingprocedure

Rights Object

datasegment

call

Rights Object

calledprocedure

return

datasegment

Prof. Ehud Gudes Security Ch5

capabilities amplification abstract data type and rights amplification

callingprocedure

Rights Object

RE

Pop, Pushempty

Stack S

Ent

Popprocedure

calling C – list

Amplification template

Before call

RE

Pop / RW

After call

RE

RW

C – list forpop procedure

C – list forActivation of pop

Capabilities – AmplificationAbstract Data Type and Rights Amplification

Prof. Ehud Gudes Security Ch5

capabilities amplification abstract data type and rights amplification1
Capabilities – AmplificationAbstract Data Type and Rights Amplification

?What the difference with OO

1) Historically much earlier

2)Implemented at a much lower level (Hardware vs. Compiler)

Prof. Ehud Gudes Security Ch5

capabilities revocation revocation of rights with indirection

C’

user:

X’

X

RW

RW

X’

X

C’

Object

RWRevoke

X’

owner:

C

Descriptor Table

Capabilities – RevocationRevocation of Rights with Indirection

X’ entry is deleted

Prof. Ehud Gudes Security Ch5

capabilities revocation revocation of rights with indirect capability in sward

C

RW

RW

RW

X

Descriptor Table

I

CI

Capabilities – RevocationRevocation of Rights with Indirect Capability in SWARD

user:

X’

Object

owner:

Also X’ entry is deleted but its indirect capability

Prof. Ehud Gudes Security Ch5

acls and capabilities
ACLs and Capabilities
  • ACLs need not be in memory, checked at the time of first access (disadv). C-lists need to be in memory (assigned at process creation – adv)
  • ACL is checked only at first access (open). Capability is checked for every access (ticket for addressing). But finer granularity! Security / performance tradeoff!
  • Capabilities enable easy granting/copying amplification. No simple analog in ACLs (setUid?)

Prof. Ehud Gudes Security Ch5

acls and capabilities cont
ACLs and Capabilities, cont.
  • ACLs are more convenient for Objects changes (deleting objects, creating objects, changing access to objects).Capabilities are more convenient for User changes (user deletion)
  • Revocation of ACLs is easy. Revocation of capabilities is hard
  • Capabilities can be used to control Mobile code

Prof. Ehud Gudes Security Ch5

security in multics summary1
Security in Multics - Summary
  • Files on disk – Access Control lists
  • Files equal segments in Virtual memory!
  • When segment is called, file is opened and ACL checked. Then segment descriptor is created and protection is via the descriptor.
  • Process protection using protection rings.
  • Process control and amplification using Gates.

Prof. Ehud Gudes Security Ch5

an example for access matrix implementation file system security in unix
An example for Access matrix implementation - File System Security in Unix

Octal Representation of Access Permissions

Prof. Ehud Gudes Security Ch5

file system security unix
File System security - Unix
  • Ownership – Umask,
    • Chown (problem with Setuid)
  • Link (hard or soft) and sticky bit
  • Amplification – SetUid, SetGId

Prof. Ehud Gudes Security Ch5

unix file access control1
UNIX File Access Control
  • “set user ID”(SetUID) or “set group ID”(SetGID)
    • system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions
    • enables privileged programs to access files / resources not generally accessible
  • sticky bit
    • on directory limits rename/move/delete to owner
  • superuser
    • is exempt from usual access control restrictions
unix example for setuid
Unix – Example for SetUid

1. $ chmod +r grades

$ ls –1 *grades

-rw-r--r-- 1 pat CS440514 Apr 5 18:26 grades

-rwx--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades

2. $ chmod u+s prgradesTurn on SUID permission

$ ls –1 prgrades

-rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades

$

3. $ chmod 600 grades Just give read/write to owner

$ls –1 *grades

-rw------- 1 pat CS440 514 Apr 5 18:26 grades

-rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades

Prof. Ehud Gudes Security Ch5

file system security unix group problem
File System Security – Unix Group Problem
  • Affiliation (user may belong to primary group and multiple secondary groups)
  • Limited sharing
  • Multiple personality
  • Changes in group membership (prolifiration control?)
  • Command newgrp – try it with chmod!

Prof. Ehud Gudes Security Ch5

unix file system security violating security principles su
Unix File System Security – Violating Security Principles [SU]
  • Principle of Least Privilage (group access)
  • Principle of Safe Defaults
  • Principle of Need to Know (Others access, Super-user power)
  • Principle of Accountability (setUid)

Always there is Tradeoff:

Security / Convenience / Performance!

Prof. Ehud Gudes Security Ch5

unix access control lists new in unix berkeley also in linux and solaris
UNIX Access Control Lists(new in Unix Berkeley! Also in Linux and Solaris)
  • modern UNIX systems support ACLs
  • can specify any number of additional users / groups and associated rwx permissions
  • ACLs are optional extensions to std perms
  • group perms also set max ACL perms
  • when access is required
    • select most appropriate ACL
      • owner, named users, owning / named groups, others – SETFACL command (do man!)
    • check if have sufficient permissions for access
unix access control cont
UNIX Access Control (Cont.)

FreeBSD files include an additional protection bit that indicates whether the file has an extended ACL. FreeBSD and most UNIX implementations use the following strategy:

  • The owner entries have the same meaning as normal.
  • The group class entry specifies group permissions. These permissions represent the maximum permissions that can be assigned to named users or named groups, other than the owning user, and hence functions as a mask.
  • Additional named users and named groups may be associated with the file, each with a 3-bit permission field.
  • When a process requests access to a file system object, two steps are performed. Step 1 selects the ACL entry that most closely matches the requesting process. The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step 2 checks if the matching entry (which may be one of several group entries) contains sufficient permissions.
file encryption gudes80
File Encryption [Gudes80]

K’ j1

K’ j2

K’ jnj

. . .

Validation Record – k’j

File Fj

The “keys record” scheme

Prof. Ehud Gudes Security Ch5

file encryption cont

F1

F2

0

K’21

K’12

K’11

K’2

K’1

U1

1

1

File F2

File F1

U2

1

0

Access Matrix

File Encryption, cont.

Fig. 6. The “key inversion” problem

Prof. Ehud Gudes Security Ch5

file encryption enciphering and deciphering with subkeys davida81

M

. . .

. . .

Plaintextrecord

m1

mj

mt

. . .

. . .

*c1

*cj

*ct

encipher

Σ mod n

Ciphertextrecord

C

modd1

decipher

Plaintextfield

mj

File Encryption Enciphering and Deciphering with subkeys (Davida81)

Prof. Ehud Gudes Security Ch5

distributed systems security
Distributed systems security
  • What is the semantics of file security on the server
  • What happens after the client opens a file? – the concept of file handle.
  • Authentication of the client and server machines
  • Distributed object architectures - CORBA
  • Middleware software

Prof. Ehud Gudes Security Ch5

the concept of mount

Server 1Games

Server 2Work

Client 1

Client 2

mail

news

other

pacman

pacwoman

pacchild

(a)

Client 1

Client 2

games

games

work

pacman

pacwoman

pacchild

work

pacman

pacwoman

pacchild

mail

news

other

mail

news

other

(b)

(c)

The concept of Mount
layer structure of nfs
Layer Structure of NFS

Server

Client

System call layer

Virtual file system layer

Virtual file system layer

Local Operating System

Local operating system

NFS server

NFS Client

Message to server

Message from client

Local disk

Local disk

Network

Prof. Ehud Gudes Security Ch5

distributed systems security scenario in unix see t for details
Distributed systems security – Scenario in Unix (see [T] for details)
  • After Open, information is maintained in the file-handle on the CLIENT machine! So state (e.g. file pointer is maintained by client
  • So if the server fails, the state is preserved
  • But how to insure authentication of file-handle and no replay? Remember after Open, no more checks!
  • New versions of Unix include machine to machine authentication

Prof. Ehud Gudes Security Ch5

distributed systems security example problem in unix
Distributed systems security – Example problem in Unix
  • Rhost command allows a machine to define what other machines/users can login into your machine
  • Assume you allow user: ehud to login into my machine
  • What happens if a Linux user defines a user-id: ehud on his machine and connect it to the system?
  • Right! He can login in into your machine and do whatever he likes!
  • Solution: define in rhost the set of local servers only!

Prof. Ehud Gudes Security Ch5

windows nt security
Windows-NT Security
  • C2 Certified (mainly DAC and Authentication)
  • Monitor based architecture (SRM) plus Clients modules (LSA, SAM) for Login & Authentication
  • Objects based – Registry file for everything
  • Authentication – Passwords and Kerberos
  • SID (Security ID) and SAT (Security Access Token). Remote authentication.
  • Domains – For set of machines. Machine (SID) Authentication.
  • Groups and Subgroups

Prof. Ehud Gudes Security Ch5

windows nt security cont
Windows-NT Security, cont.
  • Security descriptors (in Registry)
  • ACL’s. ACE – Access Control Entry – Positive and Negative.
  • User Profiles and Security Management.
  • Auditing – What and When.
  • File Encryption.
  • Web security, Certificates, SSL, etc….

Prof. Ehud Gudes Security Ch5

windows nt security architecture
Windows NT Security Architecture

Prof. Ehud Gudes Security Ch5

windows nt1
סוגי הרשאות ב- Windows-NT

Prof. Ehud Gudes Security Ch5

windows nt part of registery
דוגמה למתאר הגנה ב- Windows-NT – part of Registery

SecurityDescriptor

File

Security

Descriptor

ACE

Note, multiple files may have the same descriptor

ACE

Prof. Ehud Gudes Security Ch5

slide85
אלגוריתם גישה נוכחית

1. If the object has no DACL, the object has no protection and the security system grants the desired access.

2. If the caller has the take-ownership privilege, the security system grants write-owner access before examining the DACL. The security system grants write-owner access if it was the only access requested.

3. If the caller is the owner of the object, the read-control and write-DACL access rights are granted. If these rights were the only access rights requested, access is granted without examining the DACL.

4. Each ACE in the DACL is examined from first to last. If the SID in the ACE matches an enabled SID (SIDs can be enabled and disabled) in the caller’s access token(whether that be the primary SID or a group SID), the ACE is processed. If it is an access-allowed ACE, the rights in the access mask in the ACE are granted; if all the requested access rights have been granted, the access check succeeds. If it is an access-denied ACE and any of the requested access rights are in the denied-access rights, access is denied to the object.

5. If the end of the DACL is reached and some of the requested access rights still haven’t been granted, access is denied.

Prof. Ehud Gudes Security Ch5

audit trails
Audit Trails
  • Not all auditing is configured through the default GUI.
  • Audit log sizing.
  • Audit of important things:
    • Audit failed login attempts
    • Audit use of backup/restore rights
    • Audit changes to the registry

Prof. Ehud Gudes Security Ch5

security in windows 2000
Security in Windows 2000

Structure of an access token

Priveliges are non-standard privileges like Debug or Backup privileges

Prof. Ehud Gudes Security Ch5

security api calls
Security API calls

Principal Win32 API functions for security

the registry
The Registry

Some of the Win32 API calls for using the registry

Prof. Ehud Gudes Security Ch5

the registry1
The Registry
  • A Security Nightmare!
  • The repository for all important data
  • A haven for trojan horse attacks
  • Too complicated, too arcane, too opaque
  • Remote access
  • Lock it and audit, audit, audit…

Prof. Ehud Gudes Security Ch5

impersonation
Impersonation
  • process can have multiple threads
    • common for both clients and servers
  • impersonation allows a server to serve a user, using their access privileges
    • e.g. ImpersonateNamedPipeClient function sets user’s token on the current thread
    • then access checks for that thread are performed against this token not server’s
    • with user’s access rights
mandatory access control
Mandatory Access Control
  • have Integrity Control in Windows Vista
  • that limits operations changing an object’s state
  • objects and principals are labeled (using SID) as:
    • Low integrity (S-1-16-4096)
    • Medium integrity (S-1-16-8192)
    • High integrity (S-1-16-12288)
    • System integrity (S-1-16-16384)
  • when write operation occurs first check subject’s integrity level dominates object’s integrity level
  • much of O/S marked medium or higher integrity
pwdump and ntcrack
PWDump and NTCrack
  • Lots of press!
  • PWDump
    • Dumps the user contents of the SAM, including encrypted passwords.
    • Requires administrator or backup privilages
      • %SystemRoot%\Repair\SAM._
  • NTCrack
    • Simple implementation of an off-line dictionary attack for Windows-NT

Prof. Ehud Gudes Security Ch5

conclusions
Conclusions
  • Windows-NT can be secure
  • By default, it isn’t secure
  • Over time, users have a tendency to make less secure
    • Insecure defaults
  • Watch the security alerts; understand enough to estimate their importance.

Prof. Ehud Gudes Security Ch5

trusted secure operating systems
Trusted (Secure) Operating Systems
  • Layered software
  • Small kernel
  • One Monitor capturing all access requests
  • Validation and Verification
  • Fulfilling standards and Assurance criteria (see Stallings chp. 10)
trusted systems trusted computing base
Trusted Systems Trusted Computing Base

A reference monitor

Prof. Ehud Gudes Security Ch5

layered operating system

Subprocesses of User Processes

User Processes

Compilers, Data Base Managers

Utility Functions

OperatingSystem

Systems, Device Allocation

Scheduling, Sharing, Memory Management

OperatingSystemKernel

Synchronization, Allocation

Security Functions

SecurityKernel

Hardware

Layered Operating System

Prof. Ehud Gudes Security Ch5

virtual machine
Virtual Machine

Prof. Ehud Gudes Security Ch5

principles of security kernel
Principles of Security Kernel
  • Coverage – of each access
  • Separation – of security functions from rest
  • Unity – a single module
  • Modifiability and Maintenance – easy to control
  • Compactness – small and therefore
  • Verifyable

Prof. Ehud Gudes Security Ch5

formal verification
Formal Verification
  • Formal specification
  • Proof that implementation follows formal specification
  • Problem: how to “prove” the specification?
  • Definitions:
    • a program is correct if it halts and produces correct output for every input
    • A program is partially correct if whenever it halts, it produces the correct output

Prof. Ehud Gudes Security Ch5

assertions

min < A[i]?

ENTRY

min

A[1]

i

1

YES

ii + 1

EXIT

NO

i > n?

YES

NO

min

A[j]

Assertions

P: n > 0

Q: n > 0 and 1  i  n andmin  A[1]

R: n > 0 and 1  i  n and j 1  j  i –1min  A[j]

S: n > 0 andi = n + 1 andj1  j nmin  A[j]

verification and validation
Verification and Validation
  • Verification: Assuring the system is correct!
  • Validation: Assuring it’s the correct system!
  • Model checking methods
  • The debate around “Open Source”!

Prof. Ehud Gudes Security Ch5

trusted platform module tpm
Trusted Platform Module (TPM)
  • concept from Trusted Computing Group
  • hardware module at heart of hardware / software approach to trusted computing
  • uses a TPM chip on
    • motherboard, smart card, processor
    • working with approved hardware / software
    • generating and using crypto keys
  • has 3 basic services: authenticated boot, certification, and encryption
authenticated boot service
Authenticated Boot Service
  • responsible for booting entire O/S in stages
  • ensuring each is valid and approved for use
    • verifying digital signature associated with code
    • keeping a tamper-evident log
  • log records versions of all code running
  • can then expand trust boundary
    • TPM verifies any additional software requested
      • confirms signed and not revoked
  • hence know resulting configuration is well-defined with approved components
certification service
Certification Service
  • once have authenticated boot
  • TPM can certify configuration to others
    • with a digital certificate of configuration info
    • giving another user confidence in it
  • include challenge value in certificate to also ensure it is timely
  • provides hierarchical certification approach
    • trust TPM then O/S then applications
encryption service
Encryption Service
  • encrypts data so it can be decrypted
    • by a certain machine in given configuration
  • depends on
    • master secret key unique to machine
    • used to generate secret encryption key for every possible configuration only usable in it
  • can also extend this scheme upward
    • create application key for desired application version running on desired system version
trusted systems
Trusted Systems
  • security models aimed at enhancing trust
  • work started in early 1970’s leading to:
    • Trusted Computer System Evaluation Criteria (TCSEC), Orange Book, in early 1980s
    • further work by other countries
    • resulting in Common Criteria in late 1990s
  • also Computer Security Center in NSA
    • with Commercial Product Evaluation Program
    • evaluates commercially available products
    • required for Defense use, freely published
computer security classifications
Computer Security Classifications
  • U.S. Department of Defense outlines four divisions of computer security: A, B, C, and D.
  • D – Minimal security.
  • C – Provides discretionary protection through auditing. Divided into C1 and C2. C1 identifies cooperating users with the same level of protection. C2 allows user-level access control.
  • B – All the properties of C, however each object may have unique sensitivity labels. Divided into B1, B2, and B3.
  • A – Uses formal design and verification techniques to ensure security.

Prof. Ehud Gudes Security Ch 1

orange book security 1
Orange Book Security (1)
  • Symbol X means new requirements
  • Symbol -> requirements from next lower category apply here also
orange book security 2
Orange Book Security (2)

Prof. Ehud Gudes Security Ch5

common criteria cc
Common Criteria (CC)
  • ISO standards for security requirements and defining evaluation criteria to give:
    • greater confidence in IT product security
    • from formal actions during process of:
    • development using secure requirements
    • evaluation confirming meets requirements
    • operation in accordance with requirements
  • evaluated products are listed for use
cc requirements
CC Requirements
  • have a common set of potential security requirements for use in evaluation
  • target of evaluation (TOE) refers product / system subject to evaluation
  • functional requirements
    • define desired security behavior
  • assurance requirements
    • that security measures effective correct
  • have classes of families of components
slide116

Summary - OS attacks

  • Remote login weaknesses
  • Password guessing
  • Bypass file permissions
  • Scavenge memory
  • Buffer overflow attacks
  • Denial of service attacks (resource hogging)

Prof. Ehud Gudes Security Ch5

generic security attacks
Generic Security Attacks

Typical attacks

  • Request memory, disk space, tapes and just read
  • Try illegal system calls
  • Start a login and hit DEL, RUBOUT, or BREAK
  • Try modifying complex OS structures
  • Try to do specified DO NOTs
  • Convince a system programmer to add a trap door
  • Beg admin's sec’y to help a poor user who forgot password

Prof. Ehud Gudes Security Ch5

famous security flaws
Famous Security Flaws

The TENEX – password problem

(a)

(b)

(c)

Prof. Ehud Gudes Security Ch5

weaknesses
Weaknesses
  • Both Unix and Windows use passwords for authentication. Unix keeps passwords encrypted but the password file is readable by all users. This allows a user to make a copy and use dictionaries and parallel processing to guess passwords.
  • Process protection is based mainly on the user/supervisor mode separation and kernel processes are not protected against each other.
  • Even if hardware architectures offer further protection, e.g., descriptors and rings, commercial OSs do not use them in an effort to get more performance

Prof. Ehud Gudes Security Ch5

weaknesses ii
Weaknesses II
  • The concept of superuser, an almighty user, typically the systems administrator, is a poor security decision.
  • Inheritance of rights in forked processes is another flaw commonly exploited in attacks. If an attacker tricks a program in superuser mode to execute a Trojan Horse, this inherits the rights of that program and runs in superuser mode
  • Transfer of rights between processes—In Unix every user has a unique id, UID. If a bit in a file permission (setuid) for a file containing an executable program is turned on, the program executing that program acquires the rights of the file owner. Windows has an impersonation token, that has a similar effect. This violates the principle of accountability.

Prof. Ehud Gudes Security Ch5

weaknesses iii
Weaknesses III
  • Lack of conceptual model. The file permission structure doesn’t follow the access matrix or any other security model. The interpretation of rights for directories makes things even more muddled
  • Directory problems. An attacker can place his own file in the path of a writable directory and maybe get higher privileges when the file is invoked.
  • Most systems lack the concept of a trusted path [Los00]. A trusted path is a user connection to a part of the system that provides secure login, authentication, and rights.
  • Some systems do not have auditing facilities or the audit log is within reach of the superuser (and could be changed by a hacker acting as a superuser).

Prof. Ehud Gudes Security Ch5

weaknesses iv
Weaknesses IV
  • Complex, poorly designed, and poorly tested utilities. Microsoft’s Outlook is a Swiss cheese. The Sendmail program in Unix is another source of trouble.
  • Some flaws come from implementation languages, e.g., buffer overflow. Buffer overflow occurs when a variable in a procedure is filled with more values that it can hold. The overflow can overwrite the return address and if the hacker put her code there her program could get superuser mode [Dil]
  • Finally, configuration of these systems is complex and administrators make many mistakes. There are many demo programs and rarely used utilities which can be exploited by hackers. This is even more true for PCs where the users usually have no idea what they get in their software

Prof. Ehud Gudes Security Ch5

os defenses
OS defenses
  • Memory protection (supported by hardware)
  • File protection
  • Access control for I/O devices
  • Requires good processor support for low overhead and to avoid bypassing of high-level mechanisms
  • Capabilities and descriptors are effective mechanisms
  • Firewalls to protect access to the system
  • Authentication (part of login)

Prof. Ehud Gudes Security Ch5

threat monitoring
Threat Monitoring
  • Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing.
  • Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
  • Scan the system periodically for security holes; done when the computer is relatively unused.

Prof. Ehud Gudes Security Ch5

threat monitoring cont
Threat Monitoring (Cont.)
  • Check for:
    • Short or easy-to-guess passwords
    • Unauthorized set-uid programs
    • Unauthorized programs in system directories
    • Unexpected long-running processes
    • Improper directory protections
    • Improper protections on system data files
    • Dangerous entries in the program search path (Trojan horse)
    • Changes to system programs: monitor checksum values

Prof. Ehud Gudes Security Ch5

hardened oss
Hardened OSs
  • IBM’s AIX [Cam90]—It implements a TCB to support DAC. Instead of read/write/execute rights AIX defines an Abstract Data Type (class), with higher-level operations, appropriate for the type of object such as copy, save, query, and set. These accesses define an access matrix implemented as Access Control Lists. The ACLs are set by the owners of files and by administrators. ACLs can be permissive or restrictive. AIX reduces the privileges of the system administrator by defining five partially-ordered roles

Prof. Ehud Gudes Security Ch5

hardened oss ii
Hardened OSs II
  • Virtual Vault [HP, Rub94]—A trusted version of HP-UX operating system (A Unix variant). It uses compartments based on the multilevel model to isolate portions of the OS. It also reduces the root privileges and controls inheritance of rights in forked threads.
  • Argus Pitbull [Arg]—This is a system based on:
      • Compartmentalization using a multilevel MAC model.
      • Least privilege applied to all processes, including superuser. The superuser is implemented using three roles: Systems Security Officer, System Administrator, and System Operator.
      • Kernel-level enforcement.

Prof. Ehud Gudes Security Ch5

design principles for security
Design Principles for Security
  • System design should be public
  • Default should be No access
  • Check for current authority
  • Give each process least privilege possible
  • Protection mechanism should be
    • simple
    • uniform
    • in lowest layers of system
  • Scheme should be psychologically acceptable

And … keep it simple (Kiss)

Prof. Ehud Gudes Security Ch 1