cs 527 software security
play

CS-527 Software Security OS Security Asst. Prof. Mathias Payer - PowerPoint PPT Presentation

Nov 21, 2022 •178 likes •463 views

CS-527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Unix security model Table of Contents Unix

  1. CS-527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Unix security model Table of Contents Unix security model 1 Principle of Least Privilege 2 Isolation techniques 3 Defense in Depth 4 TOCTTOU / Confused Deputy 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 28

  3. Unix security model Unix security Everything is a file. Keep things simple. Separate between user-space and kernel space. Isolate on process level (use virtual memory, unprivileged processes). (But allow communication through shared memory or IPC.) Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 28

  4. Unix security model Unix privilege model Distinguish between users. Allow groups of multiple users. Each file has a set of three read/write/execute sets for users, groups, and all other users. Access permissions restrict access to files, directories, programs Extremely simple but allows layering and chaining. More complex privilege models can be mapped through layering across, e.g., multiple directories. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 28

  5. Unix security model Unix process permissions Real User ID (RUID): inherits UID (if unchanged) of the parent process, allows tracking of who started process. Effective User ID (EUID): the UID the process currently used for policy decisions (e.g., file access). Saved User ID (SUID): allows restoring previous UID. Now, how do you get rid of privileges? int setresuid(uid t ruid, uid t euid, uid t suid); Unprivileged user processes may change the real UID, effective UID, and saved set-user-ID, each to one of: the current real UID, the current effective UID or the current saved set-user-ID. Privileged processes (on Linux, those having the CAP SETUID capability) may set the real UID, effective UID, and saved set-user-ID to arbitrary values. Similar mechanism for groups Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 28

  6. Principle of Least Privilege Table of Contents Unix security model 1 Principle of Least Privilege 2 Isolation techniques 3 Defense in Depth 4 TOCTTOU / Confused Deputy 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 28

  7. Principle of Least Privilege Compartmentalization Break large monolithic over-privileged software into smaller components. Develop “fault compartments”, that each fail individually. Goal: when one compartment fails, the others can still function. Think of compartments in ships, if one is flooded it can be separated. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 28

  8. Principle of Least Privilege Isolation Ensure that individual components can only interact through well-defined channels (APIs). No other components at the same privilege level can interact with the component without going through the API. Needs some higher privileged component to control interaction. Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 28

  9. Principle of Least Privilege Principle of Least Privilege A privilege gives an entity the permission to access a resource. Enforce minimal privileges for intended purpose. Assumes compartmentalization (break software into smaller components) and isolation (ensure that components can only interact along exposed API). Drop privileges when you no longer need them. Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 28

  10. Principle of Least Privilege Example: mail agents Mail agents need to do a plethora of tasks: (i) send/receive data from the network, (ii) manage a pool of received/unsent messages, (iii) provide access to stored messages for each user. Two approaches: sendmail and qmail Sendmail uses a typical Unix approach with a large monolithic server and is known for the high complexity and previous security vulnerabilities. QMail uses a modern least privilege approach with a set of communicating processes. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 28

  11. Principle of Least Privilege Example: qmail Separate modules run under separate user IDs (isolation) Each user ID has only limited access to a subset of the resources (least privilege) Only one very small component runs as suid root Only one very small component running as root Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 28

  12. Principle of Least Privilege Example: qmail Network Local qmail-smtpd qmail-inject (qmaild) (“user”) qmail-queue (suid qmailq) qmail-send (qmails) qmail-rspawn qmail-lspawn (qmailr) (root) qmail-remote qmail-local (qmailr) (sets uid user) Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 28

  13. Principle of Least Privilege qmail components qmaild/“user” : incoming email suid qmaild : split message into contents and headers, signal qmail-send qmail-send : send locally or remotely qmail-lspawn : root, spawns qmail-local with ID of user qmail-local : handles alias expansion, delivers locally, or signals qmail-queue if needed qmail-remote : sends remote message Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 28

  14. Isolation techniques Table of Contents Unix security model 1 Principle of Least Privilege 2 Isolation techniques 3 Defense in Depth 4 TOCTTOU / Confused Deputy 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 28

  15. Isolation techniques Confining applications “Strongly” isolate processes from the rest of the system. Limit a process to a view of the file system chroot (Linux) and jail (FreeBSD): the process executes under a different root. What are the potential problems? An attacker can escape from a jail if there is a link to the outside (e.g., .. ). Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 28

  16. Isolation techniques System Call Interposition To change persistent state, an application must do system calls. So does an attack. System calls offer an interesting abstraction level Audit all the system calls and parameters, enforce access restrictions. Define a policy depending on what the program should do and define a least privilege policy of system calls that is required for the program to function. Can this be implemented through ptrace? ptrace suffers from TOCTTOU attacks (where an attacker-controlled thread changes the parameters after the check but before the execution of the system call). Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 28

  17. Isolation techniques Sandboxing The seccomp interface can be used to implement an efficient sandbox (e.g., Chrome uses seccomp on Linux). After executing seccomp only read, write, exit, and sigreturn can be executed, all other system calls terminate the application. The sandbox first sets up I/O channels to a mediator, calls seccomp, and then can only request services from the trusted mediator. Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 28

  18. Isolation techniques Software-based Fault Isolation Application and untrusted code run in the same address space. The untrusted code may only read/write the untrusted data segment. How do you implement such a restriction? For each memory read/write the target address is masked: and $0x00ff0000, %rax mov $0xc0fe0000, (%rax) . Challenge for CISC architectures: jump to unaligned instructions: mov $0x80cd01b0, (%rax) → mov $1, %al; int $0x80 NaCL solves the problem by aligning individual instructions. Mathias Payer (Purdue University) CS-527 Software Security 2017 18 / 28

  19. Isolation techniques Virtualizing applications: containers Full virtualization can be heavy-weight and incurs a lot of redundancy (the same kernel running multiple times, wasted disk/memory space). Containers solve this problem and allow the execution of “applications” in a virtual environment without replicated full virtual machines. Namespaces need to be separated: pid (processes), net (network), ipc (IPC), mnt (file system), uts (host name) namespaces. Control over the container through cgroups (controlling memory, CPU, and block I/O). AUFS, a special file system that allows different views of the same file system, adding permissions for containers and allowing to hide parts of the file system or have exclusive access to it. Mathias Payer (Purdue University) CS-527 Software Security 2017 19 / 28

  20. Isolation techniques Other isolation techniques More drastic isolation techniques ensure clear separation. Virtual Machine Introspection (VMI) assumes a trusted hypervisor that mediates inspections. An air gap physically separates machines. (An air gap may still not be enough!) A hard problem for isolation are side channels/covert channels. An even harder problem is specifying policies. Mathias Payer (Purdue University) CS-527 Software Security 2017 20 / 28

  21. Defense in Depth Table of Contents Unix security model 1 Principle of Least Privilege 2 Isolation techniques 3 Defense in Depth 4 TOCTTOU / Confused Deputy 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 21 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Qubes OS Towards Secure & Trustworthy Personal Computing Joanna Rutkowska Invisible Things

Qubes OS Towards Secure & Trustworthy Personal Computing Joanna Rutkowska Invisible Things

Qubes OS Towards Secure & Trustworthy Personal Computing Joanna Rutkowska Invisible Things Lab and Qubes OS Project Qubes OS A reasonably secure OS for personal computers (currently: laptops & desktops) Security by Compartmentalization

1.16k views • 43 slides
FSU DEPARTMENT OF COMPUTER SCIENCE Isolation and Analysis of Optimization Errors by Mickey R.

FSU DEPARTMENT OF COMPUTER SCIENCE Isolation and Analysis of Optimization Errors by Mickey R.

FSU DEPARTMENT OF COMPUTER SCIENCE Isolation and Analysis of Optimization Errors by Mickey R. Boyd David B. Whalley Florida State University 1 FSU DEPARTMENT OF COMPUTER SCIENCE Motivation much time and effort spent during testing

744 views • 19 slides
Failure Isolation in the Wide Area Ethan Katz-Bassett, David Choffnes, Colin Scott, Harsha

Failure Isolation in the Wide Area Ethan Katz-Bassett, David Choffnes, Colin Scott, Harsha

Failure Isolation in the Wide Area Ethan Katz-Bassett, David Choffnes, Colin Scott, Harsha Madhyastha, Arvind Krishnamurthy and Tom Anderson University of Washington *funded by NSF Outages happen. Theyre expensive, embarrassing and

463 views • 42 slides
Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder:

Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder:

W3C stuff 2014-05 Interim, Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder: RTCConfiguration parameter with three values: yes, ifconfigured, no. Originally included in support of

282 views • 11 slides
Intent Semantics in the ABI Sergey Bratus, Julian Bangert Outline From faulty classic

Intent Semantics in the ABI Sergey Bratus, Julian Bangert Outline From faulty classic

Intent Semantics in the ABI Sergey Bratus, Julian Bangert Outline From faulty classic policies to a new sweet spot ABI-level objects and security policy ABI-level policy examples Why this works on x86 Future directions

499 views • 26 slides
I S NSTITUTE FOR ECURITY FOR T ECHNOLOGY S TUDIES T ECHNOLOGY S TUDIES Cyber Security and

I S NSTITUTE FOR ECURITY FOR T ECHNOLOGY S TUDIES T ECHNOLOGY S TUDIES Cyber Security and

Traps, Events, Emulation and Enforcement: the Yin and Yang of virtualization-based security Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, Sean W. Smith Dartmouth College Dartmouth College I NSTITUTE S ECURITY I S NSTITUTE FOR

540 views • 31 slides
Outline CSci 5271 Bernsteins perspective Introduction to Computer Security Day 8: Defensive

Outline CSci 5271 Bernsteins perspective Introduction to Computer Security Day 8: Defensive

Outline CSci 5271 Bernsteins perspective Introduction to Computer Security Day 8: Defensive programming and design, Announcements intermission part 2 Stephen McCamant Techniques for privilege separation University of Minnesota, Computer

577 views • 5 slides
Beyond Unit Testing Steve Loughran Julio Guijarro HP Laboratories, Bristol, UK steve.loughran

Beyond Unit Testing Steve Loughran Julio Guijarro HP Laboratories, Bristol, UK steve.loughran

Beyond Unit Testing Steve Loughran Julio Guijarro HP Laboratories, Bristol, UK steve.loughran at hpl.hp.com julio.guijarro at hpl.hp.com About Us Julio Guij arro Research scientist at HP Laboratories on Grid-S cale Deployment Leads t

1.14k views • 31 slides

More recommend