Upload
myra-shepherd
View
234
Download
1
Tags:
Embed Size (px)
Citation preview
1
Chapter 5a
Operating Systems Security
Stallings chapters 4,10,23,24
2
Protecting Hardware / System Resources
Hardware:Memory, CPU, I/OSystemIdentity (Authentication)Processes and address spacesFilesNetwork (penetration, messages)Databases, Web sites
3
Hardware security
The lowest and most basic levelAffects all other levelsWithout minimal support, no security
is possible
04/21/23Prof. Ehud Gudes Security
Ch 5 4
Protecting Memory
Base and Bound RegistersSegmented memoryProtection keysVirtual (Paged) memorySegmented and Paged Virtual memoryTagged architecture (capabilities)
04/21/23Prof. Ehud Gudes Security
Ch 5 5
Base
Limit
0 user
Mode Bit
Supervisor mode can load B / L registers
Memory Protection (basic)
Was also used in Intel 808X
04/21/23Prof. Ehud Gudes Security
Ch 5 6
Protection Keys (IBM 360 - History)
PSW had 4 bits protection keyEach memory partition had 4 bits
protection key (total 16 possible partitions)
To access:PSW key = Memory keyKey 0 (OS) can access partition with any
other key!
04/21/23Prof. Ehud Gudes Security
Ch 5 7
Memory Protection - PagingMemory protection implemented by
associating protection bit with each frame.
Valid-invalid bit attached to each entry in the page table:“valid” indicates that the associated page is in
the process’ logical address space, and is thus a legal page.
“invalid” indicates that the page is not in the process’ logical address space.
different than in/out of memory!
04/21/23Prof. Ehud Gudes Security
Ch 5 8
Address Translation Architecture
04/21/23Prof. Ehud Gudes Security
Ch 5 9
Valid (v) or Invalid (i) Bit In A Page Table
04/21/23Prof. Ehud Gudes Security
Ch 5 10
Segmentation
One-dimensional address space with growing tablesOne table may bump into another
04/21/23Prof. Ehud Gudes Security
Ch 5 11
Segmentation cont.
Allows each table to grow or shrink, independently
04/21/23Prof. Ehud Gudes Security
Ch 5 12
Segmentation – primitive form – Intel 286 (old PC)
Data segment and Code segment
Fixed size – 64K each
04/21/23Prof. Ehud Gudes Security
Ch 5 13
Implementation of Pure Segmentation
(a)-(d) Development of checkerboarding(e) Removal of the checkerboarding by compaction
04/21/23Prof. Ehud Gudes Security
Ch 5 14
Segmentation Architecture (Cont.)Protection. With each entry in segment table
associate:validation bit = 0 illegal segmentread/write/execute privileges
Protection bits associated with segments; code sharing occurs at segment level.
Since segments vary in length, memory allocation is a dynamic storage-allocation problem.
A segmentation example is shown in the following diagram
04/21/23Prof. Ehud Gudes Security
Ch 5 15
Example of Segmentation
04/21/23Prof. Ehud Gudes Security
Ch 5 16
Segmentation vs. Paging
Comparison of paging and segmentation
04/21/23Prof. Ehud Gudes Security
Ch 5 17
Segmentation with Paging: MULTICS (1)
Descriptor segment points to page tablesSegment descriptor – numbers are field lengths
04/21/23Prof. Ehud Gudes Security
Ch 5 18
Segmentation with Paging: MULTICS (2)
A 34-bit MULTICS virtual address
Into Descriptor Segment
19
Segmentation with Paging: MULTICS (3)
Conversion of a 2-part MULTICS address into a main memory address
04/21/23Prof. Ehud Gudes Security
Ch 5 20
Segmentation with Paging: MULTICS (4)
Simplified version of the MULTICS TLB Existence of 2 page sizes makes actual TLB more complicated
04/21/23Prof. Ehud Gudes Security
Ch 5 21
Paged segmentation on the INTEL 80386
16k segments, each up to 1G (32bit words)
2 types of segment descriptors Local Descriptor Table (LDT), for each process Global (GDT) system etc. access by loading a 16bit selector to one of the 6
segment registers: CS, DS, SS, (holding the 16bit selector during run time, 0 means not-in-use0 means not-in-use)
Selector points to segment descriptor (8 bytes)
Index
1 2Privilege level (0-3)0 = GDT/ 1 = LDT13
04/21/23Prof. Ehud Gudes Security
Ch 5 22
Segmentation with Paging: Pentium (3)
Conversion of a (selector, offset) pair to a linear address
04/21/23Prof. Ehud Gudes Security
Ch 5 23
Segmentation with Paging: Pentium (4)
Mapping of a linear address onto a physical address
04/21/23 Prof. Ehud Gudes Security Ch 5
24
Intel 30386 Address Translation
04/21/23Prof. Ehud Gudes Security
Ch 5 25
Protecting CPU/Processes
User vs. Kernel (supervisor) modeAmplification – System calls (Trap,
SVC)Protection rings
04/21/23Prof. Ehud Gudes Security
Ch 5 26
-Supervisor mode can execute all the instructions
-One must trust the supervisor
-User mode can execute non-privileged instructions only
Instructions
PrivilegedInstructions
SVC
User / Supervisor Mode
04/21/23Prof. Ehud Gudes Security
Ch 5 27
Basic policies
Isolation—a process must be protected from other processes.
Controlled sharing—processes must be able to share resources in a controlled way.
04/21/23Prof. Ehud Gudes Security
Ch 5 28
Execution states or modes
At least two modes of operation are needed to have any security.
Most hardware architectures use a supervisor and a user mode. In the user mode some intructions, called privileged instructions, cannot be executed directly. In supervisor mode all the instructions can be executed. The state of a process is kept in a Program Status Word.
04/21/23Prof. Ehud Gudes Security
Ch 5 29
How the mode is switched
A supervisor/kernel call (trap) switch to an address in the OS address space with the new mode (this is called: Amplification)
Old address and old mode is saved (e.g. in OLD PSW)
When returning the old address and mode are restored (note different than a procedure call because of the mode switch)
04/21/23Prof. Ehud Gudes Security
Ch 5 30
Memory protection vs. CPU protection
Both are mutually dependent!:Without CPU protection, anyone can
change keys/bound registers!Without memory protection, anyone
can change old PSW and set to Supervisor mode!
Both are needed!
04/21/23Prof. Ehud Gudes Security
Ch 5 31
Protection rings
Some architectures define in their hardware a set of rings (4 to 32) that correspond to domains of execution with hierarchical levels of trust. Rings are a generalization of the concept of mode of operation.
Crossing of rings is done through gates that check the rights of the crossing process. A process calling a segment in a higher ring must go through a gate.
04/21/23Prof. Ehud Gudes Security
Ch 5 32
Rings in Multics
r0 r1 r2 r3 r4 r5 r6 r7
Ex CC
W
R
W – Write
R – Read
Ex – Execute
C – Call
R – ring
04/21/23Prof. Ehud Gudes Security
Ch 5 33
01
2
3
0 = kernel1 = OS functions
2 = safe applications3 = untrusted applications
-Calls upward( higher privilege)
-Data access toward less privilege
-Gate crossings -Protected entry points
04/21/23Prof. Ehud Gudes Security
Ch 5 34
Protection rings on Intel Pentium
Protection on the Pentium
Level
04/21/23Prof. Ehud Gudes Security
Ch 5 35
Protecting I/O
I/O privileged instructionsInterrupts vector in protected areaOpen file table in protected areaOpen requires system callExample for combined Memory/CPU
protection
04/21/23Prof. Ehud Gudes Security
Ch 5 36
Security in Multics - Summary
Files on disk – Access Control listsFiles equal segments in Virtual memory!When segment is called, file is opened and
ACL checked. Then segment descriptor is created and protection is via the descriptor.
Process protection using protection rings.Process control and amplification using
Gates.
04/21/23Prof. Ehud Gudes Security
Ch 5 37
Access Matrix ModelView protection as a matrix (access matrix)
Rows represent domains (or Subjects) – a subject may be a user, a process, a role, an IP, etc. a Domain is a subject in some context.
Columns represent objects to which access is required
Access(i, j) is the set of operations that a subject executing in Domaini can invoke on Objectj
04/21/23Prof. Ehud Gudes Security
Ch 1 38
What’s the Difference Between a Subject and a Domain
A subject is usually a process. During its life-time, a subject may acquire rights or lose them. At a particular point in time, a subject has given a set of rights that’s a domain!
04/21/23Prof. Ehud Gudes Security
Ch 5 39
Access Matrix
Figure A
04/21/23Prof. Ehud Gudes Security
Ch 5 40
Access Matrix of Figure A With Domains as Objects
Figure B
04/21/23Prof. Ehud Gudes Security
Ch 5 41
Use of Access MatrixIf a process in Domain Di tries to do “op” on
object Oj, then “op” must be in the access matrix.
Can be expanded to dynamic protection.Operations to add, delete access rights.Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Dj access rights
transfer – switch from domain Di to Dj
Reminder - the HRU model
04/21/23Prof. Ehud Gudes Security
Ch 5 42
Implementation of Access Matrix – Capabilities and Access-control lists
Representing by row – each subject (domain ) with the objects it can access – Capability list
Representation by Column – each object with the list of subjects that can access it (and which type of access) –
Access control list (ACL)
43
Implementation of Access MatrixEach column = Access-control list for one object
Defines who can perform what operation.For File F1
Domain 4 = Read, WriteDomain 1 = Read
For File f2 Domain 2 = Read
Each Row = Capability List (like a set of keys)
Fore each domain, what operations allowed on what objects. For domain 1:
File 1 – Read, File 3 - ReadFor Domain 3:File 2 – Read, File 3 - Execute
04/21/23Prof. Ehud Gudes Security
Ch 5 44
Access Control Lists (1)
In Unix - the (abstract) ACL is in the Inode
04/21/23Prof. Ehud Gudes Security
Ch 5 45
Access Control Lists (2)
Two access control lists
04/21/23Prof. Ehud Gudes Security
Ch 5 46
Capabilities (1)
Each process has a capability list
04/21/23Prof. Ehud Gudes Security
Ch 5 47
Implementing Access Matrix - Capability Lists
“Slicing” the protection matrix by rowsUsers and processes have capability lists which
are lists of permissions for each object appearing in a domain - c-lists.
Hard to revoke access to objects, have to be found in
Capabilities are “special” objects - ticket, never accessible to user space objects - better protection. To get access process must present the “ticket”!
Generic operations on c-lists Copy capability (from one object to another) Copy Object (with capability) Remove capability (an entry of the c-list)
04/21/23Prof. Ehud Gudes Security
Ch 5 48
DescriptorsDescriptors are similar to capabilities
but are used mainly for accessing memory.
Because the descriptors are used for addressing they are handled by the memory allocation unit of the OS and we need to trust now that unit.
Descriptors and capabilities can be seen as embodiments of rows of the access matrix
04/21/23Prof. Ehud Gudes Security
Ch 5 49
Using Capabilities for Addressing - Descriptors
Instruction address
cap offset
C i
Rights Object
RW X
Capability
Object Length Base
X L B
Descriptor Table
Memory
B
B+
B+
C
The instruction contains pointer to capability
instead of a segment address
04/21/23Prof. Ehud Gudes Security
Ch 5 50
Sharing Using Capabilities
RW
P1 C - list
R
P2 C - list
RW
RW
R
D
D1
RW
R
R
D3
RW
D2
Directories
R
D11
D12
RW
R
D31
RW
R
F1
F2
F4
F3
F5
F6
04/21/23Prof. Ehud Gudes Security
Ch 5 51
Capability-Based Systems Hydra
Fixed set of access rights known to and interpreted by the system.
Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights.
Cambridge CAP System Data capability - provides standard read, write,
execute of individual storage segments associated with object.
Software capability -interpretation left to the subsystem, through its protected procedures.
04/21/23Prof. Ehud Gudes Security
Ch 5 52
In system area – need system call for every access?
Cryptographically-protected capability
Generic Rights1. Copy capability2. Copy object3. Remove capability4. Destroy object
Capabilities - Protection of
ServerObjectRightsf(Objects, Rights, Check)
04/21/23Prof. Ehud Gudes Security
Ch 5 53
Capabilities – AmplificationDomain Switch with Protected entry Points
callingprocedure
datasegment
R
C – listcalling Domain
RE
Ent
RW
C – listcalled Domain
REcalled
procedure
datasegment
Rights Object
Rights Object
call
return
04/21/23Prof. Ehud Gudes Security
Ch 5 54
Capabilities – AmplificationAbstract Data Type and Rights Amplification
Pop, Pushempty
calling C – list
RE
Ent
Rights Object callingprocedure
Pop / RW
C – list forpop procedure
RE
Stack S
Popprocedure
Amplification template
RW
C – list forActivation of pop
RE
Before call
After call
04/21/23Prof. Ehud Gudes Security
Ch 5 55
Capabilities – AmplificationAbstract Data Type and Rights Amplification
?What the difference with OO
1) Historically much earlier
2)Implemented at a much lower level (Hardware vs. Compiler)
04/21/23Prof. Ehud Gudes Security
Ch 5 56
Capabilities – RevocationRevocation of Rights with Indirection
RWRevoke
X’
RW X’
RW X
X’
X Object
C
C’
C’
user:
owner:
Descriptor Table
X’ entry is deleted
04/21/23Prof. Ehud Gudes Security
Ch 5 57
Capabilities – RevocationRevocation of Rights with Indirect Capability in SWARD
Object
RWC
X
Descriptor Table
user:
owner:
CI RW
I RW
Also X’ entry is deleted but its indirect capability
X’
04/21/23Prof. Ehud Gudes Security
Ch 5 58
ACLs and CapabilitiesACLs need not be in memory, checked at
the time of first access (disadv). C-lists need to be in memory (assigned at process creation – adv)
ACL is checked only at first access (open). Capability is checked for every access (ticket for addressing). But finer granularity!
Security / performance tradeoff!Capabilities enable easy granting/copying
amplification. No simple analog in ACLs (setUid?)
04/21/23Prof. Ehud Gudes Security
Ch 5 59
ACLs and Capabilities, cont.ACLs are more convenient for Objects
changes (deleting objects, creating objects, changing access to objects).Capabilities are more convenient for User changes (user deletion)
Revocation of ACLs is easy. Revocation of capabilities is hard
Capabilities can be used to control Mobile code
04/21/23Prof. Ehud Gudes Security
Ch 5 60
Security in Multics - Summary
Files on disk – Access Control listsFiles equal segments in Virtual memory!When segment is called, file is opened and
ACL checked. Then segment descriptor is created and protection is via the descriptor.
Process protection using protection rings.Process control and amplification using
Gates.
04/21/23Prof. Ehud Gudes Security
Ch 5 61
An example for Access matrix implementation - File System Security in Unix
Octal Representation of Access Permissions
4000Set user ID on execution (see below)
2000Set group ID on execution (see below)
1000Set sticky bit (see below)
0400Read by owner
0200Write by owner
0100Execute by owner
0040Read by group
0020Write by group
0010Execute by group
0004Read by other
0002Write by other
0001Execute by other
UNIX File Access Control
04/21/23Prof. Ehud Gudes Security
Ch 5 63
Protection of Files and Directories – Unix
ReadWriteExecute
Filescancancan
readWrite, truncate
execute
Directories
cancancan
do lscreate, delete
pass through
04/21/23Prof. Ehud Gudes Security
Ch 5 64
File System security - Unix
Ownership – Umask, Chown (problem with Setuid)
Link (hard or soft) and sticky bitAmplification – SetUid, SetGId
UNIX File Access Control
“set user ID”(SetUID) or “set group ID”(SetGID)system temporarily uses rights of the file owner /
group in addition to the real user’s rights when making access control decisions
enables privileged programs to access files / resources not generally accessible
sticky bit on directory limits rename/move/delete to owner
superuser is exempt from usual access control restrictions
04/21/23Prof. Ehud Gudes Security
Ch 5 66
Unix – Example for SetUid1. $ chmod +r grades
$ ls –1 *grades
-rw-r--r-- 1 pat CS440 514 Apr 5 18:26 grades
-rwx--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades
2. $ chmod u+s prgrades Turn on SUID permission
$ ls –1 prgrades
-rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades
$
3. $ chmod 600 grades Just give read/write to owner
$ls –1 *grades
-rw------- 1 pat CS440 514 Apr 5 18:26 grades
-rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades
04/21/23Prof. Ehud Gudes Security
Ch 5 67
File System Security – Unix Group Problem
Affiliation (user may belong to primary group and multiple secondary groups)
Limited sharingMultiple personalityChanges in group membership
(prolifiration control?)Command newgrp – try it with chmod!
04/21/23Prof. Ehud Gudes Security
Ch 5 68
Unix File System Security – Violating Security Principles [SU]
Principle of Least Privilage (group access)
Principle of Safe DefaultsPrinciple of Need to Know (Others
access, Super-user power)Principle of Accountability (setUid)
Always there is Tradeoff:Security / Convenience / Performance!
UNIX Access Control Lists(new in Unix Berkeley! Also in Linux and Solaris)
modern UNIX systems support ACLscan specify any number of additional users
/ groups and associated rwx permissionsACLs are optional extensions to std permsgroup perms also set max ACL permswhen access is required
select most appropriate ACLowner, named users, owning / named groups, others
– SETFACL command (do man!)check if have sufficient permissions for access
UNIX Access Control (Cont.)
FreeBSD files include an additional protection bit that indicates whether the file has an extended ACL. FreeBSD and most UNIX implementations use the following strategy: 1. The owner entries have the same meaning as normal. 2. The group class entry specifies group permissions. These permissions represent the maximum permissions that can be assigned to named users or named groups, other than the owning user, and hence functions as a mask.3. Additional named users and named groups may be associated with the file, each with a 3-bit permission field.4.When a process requests access to a file system object, two steps are performed. Step 1 selects the ACL entry that most closely matches the requesting process. The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step 2 checks if the matching entry (which may be one of several group entries) contains sufficient permissions.
04/21/23Prof. Ehud Gudes Security
Ch 5 71
File Encryption [Gudes80]
K’ j1
K’ j2
. . . K’ jnj
Validation Record – k’j
File Fj
The “keys record” scheme
04/21/23Prof. Ehud Gudes Security
Ch 5 72
File Encryption, cont.
1 1
01U2
U1
F2F1
Access Matrix
K’11 K’12
K’1
File F1
K’21 0
K’2
File F2
Fig. 6. The “key inversion” problem
04/21/23Prof. Ehud Gudes Security
Ch 5 73
File Encryption Enciphering and Deciphering with subkeys
(Davida81)
*c1 *cj *ct. . . . . .
Plaintextrecord m1 mj mt
. . . . . .M
Σ mod n
C
mod d1
mj
Ciphertextrecord
Plaintextfield
encipher
decipher
04/21/23Prof. Ehud Gudes Security
Ch 5 74
Distributed systems security
What is the semantics of file security on the serverWhat happens after the client opens a file? – the
concept of file handle.Authentication of the client and server machinesDistributed object architectures - CORBA Middleware software
75
The concept of Mount
Client 1 Client 2Server 1Games
Server 2Work
(a)Client 1 Client 2
(b) (c)
games
work
games
pacman
pacwoman
pacchild
news
other
pacman
pacwoman
pacchild
work
news
other
pacman
pacwoman
pacchild
news
other
04/21/23Prof. Ehud Gudes Security
Ch 5 76
Layer Structure of NFS
Client Server
System call layer
Virtual file system layer
NFS Client
Network
Virtual file system layer
Message to server
Local disk
Local Operating System
Message from client
Local disk
Local operating systemNFS server
04/21/23Prof. Ehud Gudes Security
Ch 5 77
Distributed systems security – Scenario in Unix (see [T] for details)
After Open, information is maintained in the file-handle on the CLIENT machine! So state (e.g. file pointer is maintained by client
So if the server fails, the state is preservedBut how to insure authentication of file-handle and
no replay? Remember after Open, no more checks!New versions of Unix include machine to machine
authentication
04/21/23Prof. Ehud Gudes Security
Ch 5 78
Distributed systems security – Example problem in Unix
Rhost command allows a machine to define what other machines/users can login into your machine
Assume you allow user: ehud to login into my machine
What happens if a Linux user defines a user-id: ehud on his machine and connect it to the system?
Right! He can login in into your machine and do whatever he likes!
Solution: define in rhost the set of local servers only!
04/21/23Prof. Ehud Gudes Security
Ch 5 79
Windows-NT SecurityC2 Certified (mainly DAC and Authentication)Monitor based architecture (SRM) plus Clients
modules (LSA, SAM) for Login & AuthenticationObjects based – Registry file for everythingAuthentication – Passwords and KerberosSID (Security ID) and SAT (Security Access Token).
Remote authentication.Domains – For set of machines. Machine (SID)
Authentication.Groups and Subgroups
04/21/23Prof. Ehud Gudes Security
Ch 5 80
Security descriptors (in Registry)ACL’s. ACE – Access Control Entry – Positive and
Negative.User Profiles and Security Management.Auditing – What and When.File Encryption.Web security, Certificates, SSL, etc….
Windows-NT Security, cont.
04/21/23Prof. Ehud Gudes Security
Ch 5 81
Windows NT Security Architecture
82
- ב עצמים Windows-NTסוגיTypeDescription
ProcessUser Process
ThreadThread within a process
SemaphoreCounting semaphore used for interprocess synchronization
MutexBinary Semaphore used to enter a critical region
EventSynchronization object with persistent state (signaled/not)
PortMechanism for interprocess message passing
TimerObject allowing a thread to sleep for a fixed time interval
QueueObject used for completion notification on asynchronous I/O
Open fileObject associated with an open file
Access tokenSecurity descriptor for some object
ProfileData structure used for profiling CPU usage
SectionStructure used for mapping files onto virtual address space
KeyRegistry key
Object directory
Directory for grouping objects within the object manager
Symbolic linkPointer to another object by name
DeviceI/O device object
Device driverEach loaded device driver has its own object
04/21/23Prof. Ehud Gudes Security
Ch 5 83
- ב הרשאות Windows-NTסוגי
TypeDescription
Read (R)Can read a file
Write (W)Can change the content of a file
Execute (X)Can run the program
Delete (D) Can delete the file
Change permissions (P)
Can change permissions on the file
Take ownership (O)Can take ownership of the file
04/21/23Prof. Ehud Gudes Security
Ch 5 84
- ב הגנה למתאר – Windows-NTדוגמהpart of Registery
Header
Owner’s SID
Group SID
DACL
SACL
Header
DEny
Elvis
111111
Allow
Cathy
110000
Ida
111111
Allow
Everyone
100000
SACL
Header
Audit
Marilyn
111111
SecurityDescriptor
Security
Descriptor
File
ACE
ACE
Note, multiple files may have the same descriptor
04/21/23Prof. Ehud Gudes Security
Ch 5 85
נוכחית גישה אלגוריתם1. If the object has no DACL, the object has no protection and the
security system grants the desired access.2. If the caller has the take-ownership privilege, the security system
grants write-owner access before examining the DACL. The security system grants write-owner access if it was the only access requested.
3. If the caller is the owner of the object, the read-control and write-DACL access rights are granted. If these rights were the only access rights requested, access is granted without examining the DACL.
4. Each ACE in the DACL is examined from first to last. If the SID in the ACE matches an enabled SID (SIDs can be enabled and disabled) in the caller’s access token(whether that be the primary SID or a group SID), the ACE is processed. If it is an access-allowed ACE, the rights in the access mask in the ACE are granted; if all the requested access rights have been granted, the access check succeeds. If it is an access-denied ACE and any of the requested access rights are in the denied-access rights, access is denied to the object.
5. If the end of the DACL is reached and some of the requested access rights still haven’t been granted, access is denied.
04/21/23Prof. Ehud Gudes Security
Ch 5 86
Audit Trails
Not all auditing is configured through the default GUI.
Audit log sizing.Audit of important things:
Audit failed login attemptsAudit use of backup/restore rightsAudit changes to the registry
04/21/23Prof. Ehud Gudes Security
Ch 5 87
Security in Windows 2000
Structure of an access token
HeaderExpiration
timeGroups
Default CACL
User SID
Group SID
Restricted SIDs
Privileges
Priveliges are non-standard privileges like Debug or Backup privileges
88
Security API calls
Principal Win32 API functions for security
Win32 API functionDescription
InitializeSecurityDescriptorPrepare a new security descriptor for use
LookupaccountSidLook up the SID for a given user name
SetSecurityDescriptorOwner
Enter the owner SID in the security descriptor
SetSecurityDescriptorGroup
Enter a group SID in the security descriptor
InitializeAclInitialize a DACL or SACL
AddAccessAllowedAceAdd a new ACE to a DACL or SACL allowing access
AddAccessDeniedAceAdd a new ACE to a DACL or SACL denying access
DeleteAceRemove an ACE from a DACL or SACL
SetSecurityDescriptionDaclAttach a DACL to a security descriptor
04/21/23Prof. Ehud Gudes Security
Ch 5 89
The Registry
Some of the Win32 API calls for using the registry
Win32 API functionDescription
RegCreateKeyExCreate a new registry key
RegDeleteKeyDelete a registry key
RegOpenKeyExOpen a key to get a handle to it
RegEnumKeyExEnumerate the subkeys subordinates to the key of the handle
RegQueryValueExLook up the data for a value within a key
04/21/23Prof. Ehud Gudes Security
Ch 5 90
The Registry
A Security Nightmare!The repository for all important dataA haven for trojan horse attacksToo complicated, too arcane, too
opaqueRemote accessLock it and audit, audit, audit…
Impersonation
process can have multiple threadscommon for both clients and servers
impersonation allows a server to serve a user, using their access privilegese.g. ImpersonateNamedPipeClient function
sets user’s token on the current threadthen access checks for that thread are
performed against this token not server’swith user’s access rights
Mandatory Access Control
have Integrity Control in Windows Vistathat limits operations changing an object’s stateobjects and principals are labeled (using SID) as:
Low integrity (S-1-16-4096)Medium integrity (S-1-16-8192)High integrity (S-1-16-12288) System integrity (S-1-16-16384)
when write operation occurs first check subject’s integrity level dominates object’s integrity level
much of O/S marked medium or higher integrity
04/21/23Prof. Ehud Gudes Security
Ch 5 93
PWDump and NTCrack
Lots of press!PWDump
Dumps the user contents of the SAM, including encrypted passwords.
Requires administrator or backup privilages%SystemRoot%\Repair\SAM._
NTCrackSimple implementation of an off-line
dictionary attack for Windows-NT
04/21/23Prof. Ehud Gudes Security
Ch 5 94
Conclusions
Windows-NT can be secureBy default, it isn’t secureOver time, users have a tendency to
make less secureInsecure defaults
Watch the security alerts; understand enough to estimate their importance.
04/21/23 95
Trusted (Secure) Operating Systems
Layered softwareSmall kernelOne Monitor capturing all access
requestsValidation and VerificationFulfilling standards and Assurance
criteria (see Stallings chp. 10)
04/21/23Prof. Ehud Gudes Security
Ch 5 96
Trusted Systems Trusted Computing Base
A reference monitor
Reference Monitors
04/21/23Prof. Ehud Gudes Security
Ch 5 98
Layered Operating System
Subprocesses of User Processes
User Processes
Compilers, Data Base Managers
Utility Functions
Systems, Device Allocation
Scheduling, Sharing, Memory Management
Synchronization, Allocation
Security Functions
Hardware
OperatingSystem
OperatingSystemKernel
SecurityKernel
04/21/23Prof. Ehud Gudes Security
Ch 5 99
Virtual Machine
04/21/23Prof. Ehud Gudes Security
Ch 5 100
Principles of Security Kernel
Coverage – of each accessSeparation – of security functions from
restUnity – a single moduleModifiability and Maintenance – easy
to controlCompactness – small and thereforeVerifyable
04/21/23Prof. Ehud Gudes Security
Ch 5 101
Formal Verification
Formal specification Proof that implementation follows formal
specification Problem: how to “prove” the specification? Definitions:
a program is correct if it halts and produces correct output for every input
A program is partially correct if whenever it halts, it produces the correct output
102
Assertions
Q: n > 0 and 1 i n and min A[1]
R: n > 0 and 1 i n and j 1 j i –1 min A[j]
S: n > 0 and i = n + 1 and j 1 j n min A[j]
P: n > 0
YES
YES
ENTRY
min A[1]i 1
i i + 1
i > n?
min < A[i]?
NO
NO
min A[j]
EXIT
04/21/23Prof. Ehud Gudes Security
Ch 5 103
Verification and ValidationVerification: Assuring the system is
correct!
Validation: Assuring it’s the correct system!
Model checking methods
The debate around “Open Source”!
Trusted Platform Module (TPM)
concept from Trusted Computing Group hardware module at heart of hardware /
software approach to trusted computinguses a TPM chip on
motherboard, smart card, processorworking with approved hardware / softwaregenerating and using crypto keys
has 3 basic services: authenticated boot, certification, and encryption
Authenticated Boot Service
responsible for booting entire O/S in stagesensuring each is valid and approved for use
verifying digital signature associated with codekeeping a tamper-evident log
log records versions of all code runningcan then expand trust boundary
TPM verifies any additional software requestedconfirms signed and not revoked
hence know resulting configuration is well-defined with approved components
Certification Service
once have authenticated bootTPM can certify configuration to others
with a digital certificate of configuration infogiving another user confidence in it
include challenge value in certificate to also ensure it is timely
provides hierarchical certification approachtrust TPM then O/S then applications
Encryption Serviceencrypts data so it can be decrypted
by a certain machine in given configuration
depends onmaster secret key unique to machineused to generate secret encryption key for
every possible configuration only usable in it
can also extend this scheme upwardcreate application key for desired application
version running on desired system version
TPM Functions
Protected Storage Function
Trusted Systems
security models aimed at enhancing trustwork started in early 1970’s leading to:
Trusted Computer System Evaluation Criteria (TCSEC), Orange Book, in early 1980s
further work by other countriesresulting in Common Criteria in late 1990s
also Computer Security Center in NSAwith Commercial Product Evaluation Programevaluates commercially available productsrequired for Defense use, freely published
04/21/23Prof. Ehud Gudes Security
Ch 1 111
Computer Security ClassificationsU.S. Department of Defense outlines four
divisions of computer security: A, B, C, and D.D – Minimal security.C – Provides discretionary protection through
auditing. Divided into C1 and C2. C1 identifies cooperating users with the same level of protection. C2 allows user-level access control.
B – All the properties of C, however each object may have unique sensitivity labels. Divided into B1, B2, and B3.
A – Uses formal design and verification techniques to ensure security.
112
Orange Book Security (1)
Symbol X means new requirements Symbol -> requirements from next lower category apply here
also
04/21/23Prof. Ehud Gudes Security
Ch 5 113
Orange Book Security (2)
Common Criteria (CC)
ISO standards for security requirements and defining evaluation criteria to give:greater confidence in IT product securityfrom formal actions during process of:development using secure requirementsevaluation confirming meets requirementsoperation in accordance with requirements
evaluated products are listed for use
CC Requirementshave a common set of potential security
requirements for use in evaluationtarget of evaluation (TOE) refers product /
system subject to evaluationfunctional requirements
define desired security behavior
assurance requirementsthat security measures effective correct
have classes of families of components
04/21/23Prof. Ehud Gudes Security
Ch 5 116
Summary - OS attacks
Remote login weaknessesPassword guessingBypass file permissionsScavenge memoryBuffer overflow attacksDenial of service attacks (resource
hogging)
04/21/23Prof. Ehud Gudes Security
Ch 5 117
Generic Security AttacksTypical attacksRequest memory, disk space, tapes and just readTry illegal system callsStart a login and hit DEL, RUBOUT, or BREAKTry modifying complex OS structuresTry to do specified DO NOTsConvince a system programmer to add a trap doorBeg admin's sec’y to help a poor user who forgot
password
04/21/23Prof. Ehud Gudes Security
Ch 5 118
Famous Security Flaws
The TENEX – password problem
(a) (b) (c)
04/21/23Prof. Ehud Gudes Security
Ch 5 119
WeaknessesBoth Unix and Windows use passwords for
authentication. Unix keeps passwords encrypted but the password file is readable by all users. This allows a user to make a copy and use dictionaries and parallel processing to guess passwords.
Process protection is based mainly on the user/supervisor mode separation and kernel processes are not protected against each other.
Even if hardware architectures offer further protection, e.g., descriptors and rings, commercial OSs do not use them in an effort to get more performance
04/21/23Prof. Ehud Gudes Security
Ch 5 120
Weaknesses IIThe concept of superuser, an almighty user, typically
the systems administrator, is a poor security decision. Inheritance of rights in forked processes is another
flaw commonly exploited in attacks. If an attacker tricks a program in superuser mode to execute a Trojan Horse, this inherits the rights of that program and runs in superuser mode
Transfer of rights between processes—In Unix every user has a unique id, UID. If a bit in a file permission (setuid) for a file containing an executable program is turned on, the program executing that program acquires the rights of the file owner. Windows has an impersonation token, that has a similar effect. This violates the principle of accountability.
04/21/23Prof. Ehud Gudes Security
Ch 5 121
Weaknesses IIILack of conceptual model. The file permission
structure doesn’t follow the access matrix or any other security model. The interpretation of rights for directories makes things even more muddled
Directory problems. An attacker can place his own file in the path of a writable directory and maybe get higher privileges when the file is invoked.
Most systems lack the concept of a trusted path [Los00]. A trusted path is a user connection to a part of the system that provides secure login, authentication, and rights.
Some systems do not have auditing facilities or the audit log is within reach of the superuser (and could be changed by a hacker acting as a superuser).
04/21/23Prof. Ehud Gudes Security
Ch 5 122
Weaknesses IVComplex, poorly designed, and poorly tested utilities.
Microsoft’s Outlook is a Swiss cheese. The Sendmail program in Unix is another source of trouble.
Some flaws come from implementation languages, e.g., buffer overflow. Buffer overflow occurs when a variable in a procedure is filled with more values that it can hold. The overflow can overwrite the return address and if the hacker put her code there her program could get superuser mode [Dil]
Finally, configuration of these systems is complex and administrators make many mistakes. There are many demo programs and rarely used utilities which can be exploited by hackers. This is even more true for PCs where the users
usually have no idea what they get in their software
04/21/23Prof. Ehud Gudes Security
Ch 5 123
OS defensesMemory protection (supported by hardware)File protection Access control for I/O devicesRequires good processor support for low
overhead and to avoid bypassing of high-level mechanisms
Capabilities and descriptors are effective mechanisms
Firewalls to protect access to the systemAuthentication (part of login)
04/21/23Prof. Ehud Gudes Security
Ch 5 124
Threat MonitoringCheck for suspicious patterns of activity
– i.e., several incorrect password attempts may signal password guessing.
Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
Scan the system periodically for security holes; done when the computer is relatively unused.
04/21/23Prof. Ehud Gudes Security
Ch 5 125
Threat Monitoring (Cont.)Check for:
Short or easy-to-guess passwordsUnauthorized set-uid programsUnauthorized programs in system directoriesUnexpected long-running processesImproper directory protectionsImproper protections on system data filesDangerous entries in the program search path
(Trojan horse)Changes to system programs: monitor checksum
values
04/21/23Prof. Ehud Gudes Security
Ch 5 126
Hardened OSsIBM’s AIX [Cam90]—It implements a TCB to
support DAC. Instead of read/write/execute rights AIX defines an Abstract Data Type (class), with higher-level operations, appropriate for the type of object such as copy, save, query, and set. These accesses define an access matrix implemented as Access Control Lists. The ACLs are set by the owners of files and by administrators. ACLs can be permissive or restrictive. AIX reduces the privileges of the system administrator by defining five partially-ordered roles
04/21/23Prof. Ehud Gudes Security
Ch 5 127
Hardened OSs IIVirtual Vault [HP, Rub94]—A trusted version of HP-UX
operating system (A Unix variant). It uses compartments based on the multilevel model to isolate portions of the OS. It also reduces the root privileges and controls inheritance of rights in forked threads.
Argus Pitbull [Arg]—This is a system based on: Compartmentalization using a multilevel MAC
model. Least privilege applied to all processes, including
superuser. The superuser is implemented using three roles: Systems Security Officer, System Administrator, and System Operator.
Kernel-level enforcement.
Prof. Ehud Gudes Security Ch 1 128
Design Principles for Security
1. System design should be public2. Default should be No access3. Check for current authority4. Give each process least privilege possible5. Protection mechanism should be
- simple
- uniform
- in lowest layers of system
6. Scheme should be psychologically acceptableAnd … keep it simple (Kiss)