CSE 543 - Computer Security Lecture 11 - OS Security October 2, - - PowerPoint PPT Presentation

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 11 - OS Security October 2, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/

1

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

OS Security

• An secure OS should provide the following

mechanisms

– Memory protection – File protection – General object protection – Access authentication

• How do we go about designing a trusted OS?
• “Trust” in this context means something different from

“Secure”

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Trust vs. Security

• When you get your medication at a pharmacy, you

are “trusting” that it is appropriate for the condition you are addressing. In effect, you are arguing internally:

– The doctor was correct in prescribing this drug – The FDA vetted the drug through scientific analysis and clinical trials – No maniac has tampered with the bottle

• The first two are are matters “trust”, and the last is a

matter of “security”

• An OS needs to perform similar due diligence to

achieve “trust” and “security”

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Access Control Lists

• ACL: a list of the principals that are authorized to

have access to some object.

• Eg.,

O2 S1 Y S2 Y S3 Y

• Or more correctly:

O1: S1 O2: S1, S2, S3 O3: S3

• We are going to see a lot of

examples of these throughout the semester.

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

ACL in systems

• ACLs are typically used to implement discretionary

access control

• For example: you define the UNIX file system ACLs

using the chmod utility ….

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Discretionary Access Control in UNIX FS

• The UNIX filesystem implements discretionary

access control through file permissions set by user

• The set of objects is the files in the filesystem,

– e.g., /etc/passwd

• Each file an owner and group (subjects)

– The owner is typically the creator of the file, and the entity in control of the access control policy – Note: this can be overridden by the “root” user

• There is a additional subject called world, which

represents everyone else

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

UNIX filesystem rights …

• There are three rights in the UNIX filesystem

– READ - allows the subject (process) to read the contents

• f the file.

– WRITE - allows the subject (process) to alter the contents

• f the file.

– EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)

• Q: why is execute a right?
• Q: does the right to read a program implicitly give

you the right to execute it?

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

The UNIX FS access policy

• Really, this is a bit string encoding an access matrix
• E.g.,

rwx rwx rwx

• And a policy is encoded as “r”, “w”, “x” if enabled,

and “-” if not, e.g,

rwxrw--x

• Says user can read, write and execute, group can

read and write, and world can execute only.

World Group Owner

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Caveats: UNIX Filesystem

• Access is often not really this easy: you need to have

certain rights to parent directories to access a file (execute, for example)

– The reasons for this are quite esoteric

• The preceding policy may appear to be contradictory

– A member of the group does not have execute rights, but members of the world do, so … – A user appears to be both allowed and prohibited from executing access – Not really: these policies are monotonic … the absence of a right does not mean they should not get access at all, just that that particular identity (e.g., group member, world) should not be given that right.

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Windows 2000 Security Model

• Windows uses an ACL model too

– But, its model is more general

• Subjects

– Tokens: Can describe users, groups, arbitrary privileges and retract privileges (restricted contexts)

• Objects

– Types: An extensible set of object types can be defined

• Operations

– General operations: Fixed set supported by all types – Per type operations: Operations with semantics specific to the type may be defined

• Negative rights
• Result: Any combination of rights can be described

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Tokens

• Like the UID/GID in a UNIX process

– User – Group – Aliases – Privileges (predefined sets of rights)

• May be specific to a domain
• Composed into global SID
• Subsequent processes inherit access tokens

– Different processes may have different rights

11

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Access Control Entries

• DACL in the security descriptor of an object

– List of access control entries (ACEs)

• ACE structure (proposed by Swift et al)

– Type (grant or deny) – Flags – Object Type: global UID for type (limit ACEs checked) – InheritedObjectType: complex inheritance – Access rights: access mask – Principal SID: principal the ACE applies to

• Checking algorithm

– ACE matches SID (user, group, alias, etc) – ACE denies access for specified right -- deny – ACE grants access for some rights -- need full coverage

12

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Access Checking with ACEs

• Example

13

Page CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Window Vista Integrity

• Integrity protection for writing
• Defines a series of protection level of increasing

protection

– untrusted (lowest) – low (Internet) – medium (user) – high (admin) – system – installer (highest)

• Semantics: If the subject’s (process’s) integrity level

dominates the object’s integrity level, then the write is allowed

14

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Vista Integrity

• Does Vista Integrity protect the integrity of J’s public

key file O2?

O1 O2 O3 J R RW R W S2 N R R W S3 N R R W

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

UID Transition: Setuid

• A special bit in the mode bits
• Execute file

– Resulting process has the effective (and fs) UID/GID of file

• wner
• Enables a user to escalate privilege

– For executing a trusted service

• Downside: User defines execution environment

– e.g., Environment variables, input arguments, open descriptors, etc.

• Service must protect itself or user can gain root

access

• All UNIX services involves root processes -- many

via setuid

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

/tmp Vulnerability

• creat(pathname, mode)
• O_EXCL flag

– if file already exists this is an error

• Potential attack

– Attacker creates file in shared space (/tmp) – Give it a filename used by a higher authority service – Make sure that service has permission to the file – If creat is used without O_EXCL, then can share the file with the higher authority process

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Other Vulnerabilities

• Objects w/o sufficient control

– Windows registry, network

• Libraries

– Load order permits malware defined libraries

• Executables are everywhere

– Web content, Email, Documents (Word)

• Labeling is wrong

– Mount a new file system; device

• Malware can modify your permissions

– Inherent to discretionary model

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Sandboxing

• An execution environment for programs that contains

a limited set of rights

– A subset of your permissions (meet secrecy and integrity goals) – Cannot be changed by the running program (mandatory)

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

UNIX Chroot

• Create a domain in which a process is confined

– Process can only read/write within file system subtree – Applies to all descendant processes – Can carry file descriptors in ‘chroot jail’

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Chroot Vulnerability

• Unfortunately, chroot can trick its own system

– define a passwd file at <newroot>/etc/passwd – run su

• su thinks that this is the real passwd file

– gives root access

• Use mknod to create device file to access physical memory
• Setup requires great care

– Never run chroot process as root – Must not be able to get root privileges – No control by chrooted process (user) of contents in jail – Be careful about descriptors, open sockets, IPC that may be available

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Janus

• One of several sandboxing systems developed in the

mid-to-late 90s

• Operating system access control is too coarse

– Run everything as user or root (too many perms) – Can modify permissions (add more) – UNIX is not very expressive (cannot specify minimal rights)

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Janus Threat Model

• Web browser and mail helper applications

– Plugins

• Problem

– Helpers are untrustworthy (many vulnerabilities) – May execute input data (postscript, Word)

• Solution Choices

– Application reference monitor – Use existing OS protection – Extend OS protection – Network firewall

• None of these is sufficient

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Janus Approach

• Components

– Framework

• Multiple modules
• Combine modules authorizations (last wins)

– Modules

• Enforce security policy

– Configuration file

• Specifies modules to load and their policy
• Policies

– Constrain to one directory – Clean environment variables – Limit network access to X proxy

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Janus Implementation

• Initialize application

– Limit available VM – Disable core dumps – Close non-std file descriptors – Set umask – Etc.

• Trace and authorize system calls

– Uses /proc filesystem to register callbacks – Per system call control – Get arguments from system call

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Janus Limitations

• Limited policies

– Very restricted

• Specialized for single OS

– Need to port

• Performance

– Callback and argument parsing

• Complexity

– Argument parsing

• Security

– Argument parsing – Time-of-Check-to-Time-of-Use (TOCTTOU)

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Linux AppArmor

• Linux Security Module

– Enforces mandatory access control

• Confine network facing daemons

– Sandbox them to protect system from remote compromise

• Approach

– Non-network processes

• Not threatened
• Run “unconfined”

– Network daemons

• Threatened
• Run with limited permissions to protect rest of system
• If only threat is via network, this is plausible

– Server systems

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page

Windows Restricted Context

• Confine code run by a particular user
• Goals

– Code should have no more rights than user – Should be able to restrict code to specific files or objects – Should be part of Windows AC model

• Restricted context == Access token

– Semantics: both RC and other token must be granted access

• Intersection of rights

– RC may not be modified by process (mandatory) – RC may include positive and negative rights

• Might work if overall model was not so complex