Upload
vuonghanh
View
228
Download
5
Embed Size (px)
Citation preview
CSE543 - Introduction to Computer and Network Security Page
CSE543 - Introduction to Computer and Network Security
Module: Operating System Security
Professor Trent Jaeger
1Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
OS Security• So, you have built an operating system that enables
user-space processes to access hardware resources‣ Thru various abstractions: files, pages, devices, etc.
• Now, you want your operating system to enforce security requirements for your application processes‣ What do you do?
2Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
OS Security • We learned about a few things last time that will
hopefully help you• Your OS must implement a ‣ Protection system
• Your protection system is enforced by a‣ Reference validation mechanism
• Which do you tackle first?
3Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multiprocessor Systems• Major Effort: Multics‣ Multiprocessing system -- developed many OS concepts• Including security
‣ Begun in 1965 • Development continued into the mid-70s
‣ Used until 2000‣ Initial partners: MIT, Bell Labs, GE/Honeywell‣ Other innovations: hierarchical filesystems, dynamic linking
• Subsequent proprietary system, SCOMP, became the basis for secure operating systems design
4Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Goals• Secrecy‣ Multilevel security
• Integrity ‣ Rings of protection
• Resulting system is considered a high point in secure system design
5Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Basics• Processes are programs that are executing within
Multics (seems obvious now ...)‣ Protection domain is a list of segments‣ Stored in the process descriptor segment
• Segments are stored value regions that are accessible by processes, e.g., memory regions, secondary storage‣ Segments can be organized into hierarchies ‣ Local segments (memory addresses) are accessed directly‣ Non-local segments are addressed by hierarchy• /tape/drive1/top10k
• /etc/conf/http.conf
• This is the genesis of the modern hierarchical filesystem!
6Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Segment Management
• PDS acts like segment working set for process‣ Segments are addressed by
name (path)‣ If authorized, added to PDS‣ Multics security is defined
with respect to segments
7
Segment Descr. Word 0
Segment Descr. Word 1
....
Segment Descr. Word N
Segment 0
Segment 1
Segment N
Process Descriptor Segment
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Functionality• Not all code executing on Multics (or any OS) is the
same‣ Kernel‣ System processes‣ Middleware‣ Important User Processes‣ Untrusted User Processes‣ ...
• Previously, all ran in one protection domain‣ Multics supported multiple address spaces (processes)‣ But, how do you protect one process from another?
8Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Protection Rings• Successively less-privileged “domains”• Modern CPUs support 4 rings‣ Use 2 mainly: Kernel and user
• Intel x86 rings‣ Ring 0 has kernel
‣ Ring 3 has application code
• Example: Multics (64 rings in theory, 8 in practice)9
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
What Are Protection Rings?• Coarse-grained, Hardware Protection Mechanism• Boundary between Levels of Authority‣ Most privileged -- ring 0‣ Monotonically less privileged above
• Fundamental Purpose‣ Protect system integrity• Protect kernel from services
• Protect services from apps
• So on...
10Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Intel Protection Ring Rules• Each Memory Segment has a privilege level (ring
number)
• The CPU has a Current Protection Level (CPL)‣ Level of the segment where instructions are being read
• Program can read/write in segments of higher level than CPL‣ kernel can read/write user space
‣ user cannot read/write kernel• why not?
11Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Ring 0
Ring 3
Protection Ring Rules• Program cannot call code of
higher privilege directly‣ Gate is a special memory
address where lower-privilege code can call higher• Enables OS to control where
applications call it (system calls)
12
Gate
No gate
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Interpretation• Kernel resides in ring 0• Process runs in a ring r‣ Access based on current ring
• Process accesses data (segment)‣ Each data segment has an access
bracket: (a1, a2)• a1 <= a2
‣ Describes read and write access to segment• r is the current ring• r <= a1: access permitted• a1 < r <= a2: r and x permitted; w denied• a2 < r: all access denied
13
1
2
3
4
5
6
7
0
a1
a2
RWX
R-X
---
Ring
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Interpretation (con’t)• Also different procedure segments
‣ with call brackets: (c1, c2), c1 <= c2
‣ and access brackets (a1, a2)
‣ The following must be true (a2 == c1)
‣ Rights to execute code in a new procedure segment• r < a1: access permitted with ring-crossing fault
• a1 <= r <= a2 = c1: access permitted and no fault
• a2 < r <= c2: access permitted through a valid gate
• c2 < r: access denied
• What’s it mean?‣ case 1: ring-crossing fault changes procedure’s ring
• increases from r to a1
‣ case 2: keep same ring number
‣ case 3: gate checks args, decreases ring number
• Target code segment defines the new ring
14
1
2
3
4
5
6
7
0
a1
a2
Allow
with
gate
No ring
fault
Denied
Ring
c2
c1
Ring
fault
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Examples• Process in ring 3 accesses data segment‣ access bracket: (2, 4)‣ What operations can be performed?
• Process in ring 5 accesses same data segment‣ What operations can be performed?
• Process in ring 5 accesses procedure segment‣ access bracket (2, 4) ‣ call bracket (4, 6)‣ Can call be made?‣ How do we determine the new ring?‣ Can new procedure segment access the data segment
above?15
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
More Multics Segments• Named segments are protected by access control lists
and MLS protections‣ Hierarchically arranged
‣ Precursor to hierarchical file systems
• Memory segment access is controlled by hardware monitor‣ Multics hardware retrieves segment descriptor word (SDW)
• Like a file descriptor
‣ Based on rights in the SDW determines whether can access segment
• Master mode (like root) can override protections
16Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics & Reference Monitor• Multics Final Report - Schroeder‣ Multics is too large to satisfy verifiability‣ Multics was 44K SLOC!
• What about tamperproofing and complete mediation?
17Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Multics Vulnerability Analysis• Karger and Schell - Detailed security analysis covering‣ Hardware‣ Software‣ Procedural features (administration)
• Good news‣ Design for security‣ System language prevents buffer overflows• Defined buffer sizes
‣ Hardware features prevent buffer overflows • Addressing off segment is an error
• Stack grows up
‣ System is much smaller than current UNIX system18
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Vulnerabilities Found• Hardware
‣ Indirect addressing -- incomplete mediation• Check direct, but not indirect address
‣ Mistaken modification introduced the error
• Software‣ Ring protection (done in software)
• Argument validation was flawed
• Certain type of pointer was handled incorrectly
‣ Master mode transfer• For performance, run master mode program (signaler) in user ring
• Development assumed trusted input to signaler -- bad combo
• Procedural‣ Trap door insertion goes undetected
19Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Now forward to UNIX ...
20Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Privilege Escalation• Sounds bad, but...‣ Many programs depend on a mechanism to increase rights
• Example: Password‣ Run shell as you, but need to change your password‣ Requires modification to file /etc/shadow
‣ Only modifiable by root‣ What do you do?
21Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
UID Transition: Setuid• A special bit in the mode bits• Execute file ‣ Resulting process has the effective (and fs) UID/GID of file
owner
• Enables a user to escalate privilege‣ For executing a trusted service
• Downside: User defines execution environment ‣ e.g., Environment variables, input arguments, open
descriptors, etc.
• Service must protect itself or user can gain root access
• All UNIX services involve root processes -- many via setuid22
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
UNIX Security Limitations• Circa 2000 Problems‣ Discretionary access control
‣ Setuid root processes
‣ Network-facing daemons vulnerable
‣ Name resolution vulnerabilities (we still have those)
• What can we do?
23Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
UNIX Security Limitations• Circa 2000 Problems‣ Discretionary access control
‣ Setuid root processes
‣ Network-facing daemons vulnerable
‣ Name resolution vulnerabilities (we still have those)
• What can we do?‣ Reference validation mechanism that satisfies reference
monitor concept
‣ Protection system with mandatory access control (mandatory protection system)
24Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Linux Security Modules• Reference validation mechanism for Linux‣ Upstreamed in Linux 2.6
‣ Support modular enforcement - you choose
• SELinux, AppArmor, POSIX Capabilities, SMACK, ...
• 150+ authorization hooks‣ Mediate security-sensitive operations on
• Files, dirs/links, IPC, network, semaphores, shared memory, ...
‣ Variety of operations per data type
• Control access to read of file data and file metadata separately
• Hooks are restrictive
25Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Linux Security Modules
26Systems and Internet Infrastructure Security (SIIS) Laboratory Page
LSM Hooks
13
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Linux Security Modules
• Now LSMs are always compiled into the kernel
27Systems and Internet Infrastructure Security (SIIS) Laboratory Page
LSM API
14 Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Reference Monitor• Does LSM satisfy reference monitor concept?
28Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Reference Monitor• Does LSM satisfy reference monitor concept?‣ Tamperproof
• Can MAC policy be tampered?• Can kernel be tampered? By network threats?
29Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Reference Monitor• Does LSM satisfy reference monitor concept?‣ Tamperproof
• Can MAC policy be tampered?• Can kernel be tampered? By network threats?
‣ Verifiable• How large is kernel?• Can we perform complete testing?
30Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Reference Monitor• Does LSM satisfy reference monitor concept?‣ Tamperproof
• Can MAC policy be tampered?• Can kernel be tampered? By network threats?
‣ Verifiable• How large is kernel?• Can we perform complete testing?
‣ Complete Mediation• What is a security-sensitive operation?• Do we mediate all paths to such operations?
31Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Complete Mediation• Security-sensitive operations‣ Instructions? Which?‣ Structure member accesses? To what data?‣ Data types whose instances may be controlled
• Inodes, files, IPCs, tasks, ...• Approaches‣ Mediation: Check that authorization hook
dominates all control-flow paths to structure member access on security-sensitive data type
‣ Consistency: Check that every structure member access that is mediated once is always mediated• Several bugs found - some years later
32Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
LSM & Complete Mediation
33Systems and Internet Infrastructure Security (SIIS) Laboratory Page
LSM Analysis • Static analysis of Zhang, Edwards,
and Jaeger [USENIX Security 2002]!
‣ Based on a tool called CQUAL!
• Found a TOCTTOU bug!
‣ Authorize filp in sys_fcntl!
‣ But pass fd again to fcntl_getlk!
• Many supplementary analyses were necessary to support CQUAL!
21
/* from fs/fcntl.c */
long sys_fcntl(unsigned int fd,
unsigned int cmd,
unsigned long arg)
{
struct file * filp;
...
filp = fget(fd);
...
err = security ops->file ops
->fcntl(filp, cmd, arg);
...
err = do fcntl(fd, cmd, arg, filp);
...
}
static long
do_fcntl(unsigned int fd,
unsigned int cmd,
unsigned long arg,
struct file * filp) {
...
switch(cmd){
...
case F_SETLK:
err = fcntl setlk(fd, ...);
...
}
...
}
/* from fs/locks.c */
fcntl_getlk(fd, ...) {
struct file * filp;
...
filp = fget(fd);
/* operate on filp */
...
}
Figure 8: Code path from Linux 2.4.9 containing an ex-
ploitable type error.
THREAD-A:
(1) fd1 = open("myfile", O_RDWR);
(2) fd2 = open("target_file", O_RDONLY);
(3) fcntl(fd1, F_SETLK, F_WRLOCK);
KERNEL-A (do_fcntl):
(4) filp = fget(fd1);
(5) security_ops->file_ops
->fcntl (fd1);
(6) fcntl_setlk(fd1,cmd)
THREAD-B:
/* this closes fd1, dups fd2,
* and assigns it to fd1.
*/
(7) dup2( fd2, fd1 );
KERNEL-A (fcntl_setlk)
/* this filp is for the target
* file due to (7).
*/
(8) filp = fget (fd1)
(9) lock file
Figure 9: An example exploit.
chance of race conditions when the data structures are
not properly synchronized, which may result in poten-
tial exploits.
Here we present a type error of this kind. Many se-
curity checks that intend to protect the inode structure
are performed on the dentry data structure. For exam-
ple, the following code does the permission check on the
dentry structure, but does the “set attribute” operation
on the inode structure.
/* from fs/attr.c */
...
security_ops->inode_ops
->setattr(dentry, attr);
...
inode = dentry->d_inode;
inode_setattr(inode, attr);
...
It is also quite common in Linux to check on the file
data structure and operate on the inode data structure.
Wednesday, October 16, 13
CSE543 - Introduction to Computer and Network Security Page
Take Away• Goal: Build authorization into operating systems‣ Multics and Linux
• Requirements: Reference monitor‣ Satisfy reference monitor concept
• Multics‣ Mediation on segments
‣ Still some bugs; not convinced could verify
• Linux‣ Did not enforce security (DAC, Setuid, root daemons)
‣ Linux Security Modules
‣ Approximates reference monitor assuming network threats only -- some challenges in ensuring complete mediation
34Wednesday, October 16, 13