CSE543 - Introduction to Computer and Network Security Module: - - PowerPoint PPT Presentation

SLIDE 1

CSE543 - Introduction to Computer and Network Security Page

CSE543 - Introduction to Computer and Network Security Module: Operating System Security

Professor Patrick McDaniel Fall 2008

SLIDE 2

OS Security

  • A secure OS should provide (at least) the following mechanisms
      • Memory protection
      • File protection
      • General object protection
      • Access authentication
  • How do we go about designing a trusted OS?
  • “Trust” in this context means something different from “Secure”

SLIDE 3

Trust vs. Security

  • When you get your medication at a pharmacy, you are “trusting” that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
      • The doctor was correct in prescribing this drug
      • The FDA vetted the drug through scientific analysis and clinical trials
      • No maniac has tampered with the bottle
  • The first two are matters of “trust”, and the last is a matter of “security”
  • An OS needs to perform similar due diligence to achieve “trust” and “security”

SLIDE 4

Access Control Lists

  • ACL: a list of the principals that are authorized to have access to some object.
  • E.g.,

          O2
    S1    Y
    S2    Y
    S3    Y

  • Or more correctly:

    O1: S1
    O2: S1, S2, S3
    O3: S3

  • We are going to see a lot of examples of these throughout the semester.

SLIDE 5

ACL in systems

  • ACLs are typically used to implement discretionary access control
  • For example: you define the UNIX file system ACLs using the chmod utility …

SLIDE 6

Discretionary Access

  • The UNIX filesystem implements discretionary access control through file permissions set by the user
  • The set of objects is the files in the filesystem
      • e.g., /etc/passwd
  • Each file has an owner and group (subjects)
      • The owner is typically the creator of the file, and the entity in control of the access control policy
      • Note: this can be overridden by the “root” user
  • There is an additional subject called world, which represents everyone else

SLIDE 7

UNIX filesystem rights …

  • There are three rights in the UNIX filesystem
      • READ - allows the subject (process) to read the contents of the file.
      • WRITE - allows the subject (process) to alter the contents of the file.
      • EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)

  • Q: why is execute a right?
  • Q: does the right to read a program implicitly give you

SLIDE 8

The UNIX FS access policy

  • Really, this is a bit string encoding an access matrix
  • E.g.,

    Owner  Group  World
    rwx    rwx    rwx

  • And a policy is encoded as “r”, “w”, “x” if enabled, and “-” if not, e.g.,

    rwxrw---x

  • Says user can read, write and execute, group can read and write, and world can execute only.

SLIDE 9

Caveats: UNIX Filesystem

  • Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example)
      • The reasons for this are quite esoteric
  • The preceding policy may appear to be contradictory
      • A member of the group does not have execute rights, but members of the world do, so …
      • A user appears to be both allowed and prohibited from executing access
      • Not really: these policies are monotonic … the absence of a right does not mean they should not get access at all, just that that particular identity (e.g., group member, world) should not be given that right.

SLIDE 10

Tokens

  • Like the UID/GID in a UNIX process
  • User
  • Group
  • Aliases
  • Privileges (predefined sets of rights)
  • May be specific to a domain
  • Composed into global SID
  • Subsequent processes inherit access tokens
  • Different processes may have different rights

SLIDE 11

Access Control Entries

  • DACL in the security descriptor of an object
      • List of access control entries (ACEs)
  • ACE structure (proposed by Swift et al.)
      • Type (grant or deny)
      • Flags
      • Object Type: global UID for type (limit ACEs checked)
      • InheritedObjectType: complex inheritance
      • Access rights: access mask
      • Principal SID: principal the ACE applies to
  • Checking algorithm
      • ACE matches SID (user, group, alias, etc.)
      • ACE denies access for specified right -- deny
      • ACE grants access for some rights -- need full coverage

SLIDE 12

Access Checking with ACEs

  • Example
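
The three checking rules from the previous slide, written out as an added example (not code from the lecture or from Windows). The access-mask bits, SIDs and DACLs are constructed; the list is walked in order, as Windows does, so the last case shows what happens when a deny entry is placed after a grant.

```python
from dataclasses import dataclass

# Constructed access-mask bits for the example (not real Windows constants).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class ACE:
    ace_type: str   # "grant" or "deny"
    sid: str        # principal SID the ACE applies to
    mask: int       # access rights this ACE covers


def access_check(token_sids, dacl, desired):
    """Return (allowed, reason) for `desired` rights against an ordered DACL."""
    remaining = desired                      # rights not yet granted
    for index, ace in enumerate(dacl):
        if ace.sid not in token_sids:        # rule 1: ACE must match a SID in the token
            continue
        if ace.ace_type == "deny":
            if ace.mask & remaining:         # rule 2: a still-needed right is denied
                return False, f"denied by ACE {index}"
        elif ace.ace_type == "grant":
            remaining &= ~ace.mask           # rule 3: grants accumulate ...
            if remaining == 0:               # ... until every requested right is covered
                return True, f"covered at ACE {index}"
        else:
            raise ValueError(f"unknown ACE type: {ace.ace_type}")
    return False, "requested rights not fully covered"


# Constructed token: the user's own SID plus group and alias SIDs.
TOKEN = {"S-alice", "S-staff", "S-everyone"}

# Constructed DACL with the deny entry first.
DENY_FIRST = [
    ACE("deny", "S-staff", WRITE),
    ACE("grant", "S-alice", READ | WRITE),
    ACE("grant", "S-everyone", EXECUTE),
]
# Same entries with the deny entry last: the grant is reached before the deny.
DENY_LAST = [DENY_FIRST[1], DENY_FIRST[2], DENY_FIRST[0]]


def demo():
    return {
        "read": access_check(TOKEN, DENY_FIRST, READ),
        "read+execute": access_check(TOKEN, DENY_FIRST, READ | EXECUTE),
        "read+write": access_check(TOKEN, DENY_FIRST, READ | WRITE),
        "read+delete": access_check(TOKEN, DENY_FIRST, READ | DELETE),
        "read+write, deny last": access_check(TOKEN, DENY_LAST, READ | WRITE),
    }


if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request:24} -> {result}")
```

The same three entries give opposite answers for read+write depending on their order, which is why deny entries are kept ahead of grant entries in a DACL.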

SLIDE 13

Windows Vista Integrity

  • Integrity protection for writing
  • Defines a series of protection levels of increasing protection
      • untrusted (lowest)
      • low (Internet)
      • medium (user)
      • high (admin)
      • system
      • installer (highest)
  • Semantics: If subject’s (process’s) integrity level dominates the object’s integrity level, then the write is allowed

SLIDE 14

Vista Integrity

  • Does Vista Integrity protect the integrity of J’s public key file O2?

          O1    O2    O3
    J     R     RW    RW
    S2    N     R     RW
    S3    N     R     RW

SLIDE 15

UID Transition: Setuid

  • A special bit in the mode bits
  • Execute file
      • Resulting process has the effective (and fs) UID/GID of file owner
  • Enables a user to escalate privilege
      • For executing a trusted service
  • Downside: User defines execution environment
      • e.g., Environment variables, input arguments, open descriptors, etc.
  • Service must protect itself or user can gain root access
  • All UNIX services involve root processes -- many via setuid

SLIDE 16

/tmp Vulnerability

  • creat(pathname, mode)
  • O_EXCL flag
      • if file already exists this is an error
  • Potential attack
      • Attacker creates file in shared space (/tmp)
      • Give it a filename used by a higher authority service
      • Make sure that service has permission to the file
      • If creat is used without O_EXCL, then can share the file with the higher authority process
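
What the service sees in each case, as an added example (not from the lecture): a private temporary directory stands in for /tmp, the file name `service.tmp` is hypothetical, and the "other user" is simulated by the same process. It shows that the creat()-style open silently reuses the existing file and ignores the requested mode, while O_EXCL refuses the name.

```python
import os
import stat
import tempfile

# creat(path, mode) is open(path, O_WRONLY | O_CREAT | O_TRUNC, mode).
CREAT_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
# O_EXCL makes the call fail if the name already exists (symlinks included).
EXCL_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL


def plant_file(path):
    """Stand-in for another user creating the name first, world-writable."""
    os.close(os.open(path, EXCL_FLAGS, 0o666))
    os.chmod(path, 0o666)                    # chmod so the umask does not matter
    return os.stat(path).st_ino


def service_open_creat(path):
    """The service's 'create my temp file, mode 0600' done the creat() way."""
    fd = os.open(path, CREAT_FLAGS, 0o600)
    info = os.fstat(fd)
    os.close(fd)
    return info.st_ino, stat.S_IMODE(info.st_mode)


def service_open_excl(path):
    """Same request with O_EXCL: returns None if the name is already taken."""
    try:
        fd = os.open(path, EXCL_FLAGS, 0o600)
    except FileExistsError:
        return None
    info = os.fstat(fd)
    os.close(fd)
    return info.st_ino, stat.S_IMODE(info.st_mode)


def demo():
    with tempfile.TemporaryDirectory() as shared:        # stands in for /tmp
        name = os.path.join(shared, "service.tmp")       # hypothetical fixed name
        planted_inode = plant_file(name)
        inode, mode = service_open_creat(name)
        excl_result = service_open_excl(name)
        # mkstemp picks an unpredictable name and opens it with O_EXCL, mode 0600.
        fd, safe_path = tempfile.mkstemp(dir=shared)
        safe_mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.close(fd)
        return {
            "creat_reused_planted_file": inode == planted_inode,
            "creat_mode": mode,               # still 0o666, not the requested 0o600
            "excl_refused": excl_result is None,
            "mkstemp_mode": safe_mode,
            "mkstemp_name_differs": safe_path != name,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", oct(value) if key.endswith("_mode") else value)
```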

SLIDE 17

Other Vulnerabilities

  • Objects w/o sufficient control
      • Windows registry, network
  • Libraries
      • Load order permits malware defined libraries
  • Executables are everywhere
      • Web content, Email, Documents (Word)
  • Labeling is wrong
      • Mount a new file system; device
  • Malware can modify your permissions
      • Inherent to discretionary model

SLIDE 18

Sandboxing

  • An execution environment for programs that contains a limited set of rights
      • A subset of your permissions (meet secrecy and integrity goals)
      • Cannot be changed by the running program (mandatory)

SLIDE 19

UNIX Chroot

  • Create a domain in which a process is confined
  • Process can only read/write within file system subtree
  • Applies to all descendant processes
  • Can carry file descriptors in ‘chroot jail’

SLIDE 20

Chroot Vulnerability

  • Unfortunately, chroot can trick its own system
      • define a passwd file at <newroot>/etc/passwd
      • run su
      • su thinks that this is the real passwd file
      • gives root access
  • Use mknod to create device file to access physical memory
  • Setup requires great care
      • Never run chroot process as root
      • Must not be able to get root privileges
      • No control by chrooted process (user) of contents in jail
      • Be careful about descriptors, open sockets, IPC that may be available

SLIDE 21

Process-specific Permissions

  • Design the permissions of a process specific to its use
  • How do we change the permissions of a process in an ACL system?

SLIDE 22

Confused Deputy Problem

  • Imagine a multi-client server
      • Clients have a different set of objects that they can access
  • In an ACL system, the server always has access to all the objects
  • What happens if a client tricks the server into accessing another client’s objects?
  • Shouldn’t the server only have access to that client’s objects for its requests?

SLIDE 23

Capabilities

  • A capability is the tuple (object, rights)
  • A capability system implements access control by checking if the process has an appropriate capability

  • Simple, right?
  • This is a little like a ticket in the Kerberos system
  • Q: Does this eliminate the need for authentication?

SLIDE 24

Capabilities

  • A: Well, yes and no …
  • Capabilities remove the overhead of managing per object rights, but add the overhead of managing capabilities
  • Moreover, to get any real security, they have to be unforgeable
      • Hardware tags (to protect capabilities)
      • Protected address space/registers
      • Language based techniques
          • Enforce access restrictions on caps.
      • Cryptography
          • Make them unforgeable

SLIDE 25

Real OS Capabilities

  • The OS kernel manages capabilities in the process table, out of reach of the process
  • Capabilities added by user requests (that comply with policy)

[Figure: Process Table with per-process entries, and the C List (capability list) of objects and rights for one process]

SLIDE 26

User space capability?

  • Well, what are the requirements?
      • Authenticity/integrity - do not want malicious process to forge capabilities
  • Start with the data itself: [object, rights]
      • Object is typically encoded with identifier, or by some other tag (capabilities are sometimes known as tags)
      • Rights are often fixed (read, modify, write, execute, etc.)
  • Now, do what you do with any other data (assume the kernel has a secret key k)

    E(k, [Oi, r1, r2, … rn])

  • What’s wrong with this construction (I got it from the website of one of the experts in the area)?

SLIDE 27

The right construction

  • Encryption does not provide authenticity/integrity, it provides confidentiality

    [Oi, r1, r2, … rn], HMAC(k, [Oi, r1, r2, … rn])

  • So how would you attack the preceding construction?
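
The two constructions side by side, as an added example (not from the lecture): the byte layout, the rights encoding and the key are constructed, and E(k, ·) is modelled by a toy keystream cipher standing in for any confidentiality-only cipher. A holder who changes one bit of the encrypted token changes the rights the kernel decodes; the same change to the HMAC-protected token is rejected.

```python
import hashlib
import hmac
import struct

RIGHTS = {"r": 0x1, "w": 0x2, "x": 0x4}       # constructed rights encoding
TAG_LEN = hashlib.sha256().digest_size         # 32-byte HMAC-SHA256 tag
RIGHTS_OFFSET = 4                              # rights byte follows the 4-byte object id


def encode(obj_id, rights):
    """[Oi, r1 .. rn] as a 4-byte object id plus a 1-byte rights mask."""
    mask = 0
    for right in rights:
        mask |= RIGHTS[right]
    return struct.pack(">IB", obj_id, mask)


def decode(payload):
    obj_id, mask = struct.unpack(">IB", payload)
    return obj_id, "".join(name for name, bit in RIGHTS.items() if mask & bit)


def _keystream(key, nonce, length):
    """Toy keystream (SHA-256 in counter mode); illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mint_encrypted(key, nonce, obj_id, rights):
    """Slide 26 construction: E(k, [Oi, r1 .. rn]), confidentiality only."""
    payload = encode(obj_id, rights)
    return _xor(payload, _keystream(key, nonce, len(payload)))


def open_encrypted(key, nonce, token):
    # Nothing here can tell whether the token was modified after minting.
    return decode(_xor(token, _keystream(key, nonce, len(token))))


def mint_mac(key, obj_id, rights):
    """Slide 27 construction: [Oi, r1 .. rn], HMAC(k, [Oi, r1 .. rn])."""
    payload = encode(obj_id, rights)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_mac(key, token):
    """Return (object, rights), or None if the tag does not verify."""
    payload, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if len(payload) != 5 or not hmac.compare_digest(tag, expected):
        return None
    return decode(payload)


def flip_bit(token, offset, bit):
    """Modify one byte of a token without knowing the key."""
    return token[:offset] + bytes([token[offset] ^ bit]) + token[offset + 1:]


def demo():
    key, nonce = b"constructed-kernel-key", b"constructed-nonce"
    enc = mint_encrypted(key, nonce, 7, "r")
    mac = mint_mac(key, 7, "r")
    return {
        "encrypted": open_encrypted(key, nonce, enc),
        "encrypted, modified": open_encrypted(
            key, nonce, flip_bit(enc, RIGHTS_OFFSET, RIGHTS["w"])),
        "hmac": open_mac(key, mac),
        "hmac, modified": open_mac(key, flip_bit(mac, RIGHTS_OFFSET, RIGHTS["w"])),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```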

SLIDE 28

A (fictional) Capability Example

  • We use the “ls -lt” command to view the contents of our home directory in an OS implementing capabilities:
      • Initially, our shell process has RWX capabilities for our home directory, and RX capabilities for all the directories to the root.
      • The “ls -lt” command is exec()ed, and the shell delegates the directory permissions by giving “ls” the capabilities
          • Note that the capabilities are _not_ tied to any subject
      • The “ls -lt” process exercises the rights to read the directory structure all the way down to the local
      • Of course, the “ls -lt” process now needs to obtain read rights to the files (to get their specific meta-information), and obtains them by appealing to the security manager (in kernel) -- the request fulfills the policy, and they are added and exercised
      • The “ls -lt” uses access rights given to the terminal to write output
  • Note: there are many ways that the policy can be implemented, rights handed off, etc. We will talk about a couple in the following discussions.

SLIDE 29

Procedure-Level Protection Domains

  • HYDRA
      • Each procedure defines a new protection domain
  • Procedure
      • Code
      • Data
      • Capabilities to other objects
          • Caller-independent
          • Caller-dependent templates
  • Local Name Space
      • Capabilities are bound here
      • Record of a procedure invocation (procedure instance)
  • Process
      • Stack of LNSs

SLIDE 30

How HYDRA works

  • Q: Which object defines the protection domain?

[Figure: Caller LNS, Callee LNS and Kernel. The caller calls the callee with capabilities and the callee LNS is created; caller and callee procedures each hold capabilities, data and a template, with caller-dependent capabilities shown for each]

SLIDE 31

Implications of Fine-Grained Protection

  • Programmer
      • Must define templates for procedure
      • Connect the procedure rights together
  • Performance Impact
  • Q: Do we need to manage rights at this level?

SLIDE 32

Linden’s Capability View

  • Achieve flexible, effective security by
      • Small protection domains
      • Extensible set of types
  • Implies a capability system
      • Small protection domains with least privilege permissions
      • Extensible types enable composition of systems reliably
      • Capabilities can be passed among protection domains and into new subsystems
  • Protected Procedures
      • Like HYDRA
      • Change domain with each procedure invocation
      • New procedure is a new instance
  • Protection Domain switch time is key
      • high in modern processors

SLIDE 33

Correctness Claim

  • “It is far more difficult to build a 50,000 line program than 1,000 programs that are each 50 lines long.”
  • What is your opinion of this?
  • Is it just the procedure development that is important?
  • Two problems
      • Decomposition results in inefficiencies
      • Interactions between procedures are not captured

SLIDE 34

Flexibility vs. Security

  • Small protection domains are desirable because:
      • Enables solving finer-grained problems
      • Less rigid protection
      • Independent accounting
      • Reliable and redundant security controls
      • Individual controls are easier to understand

SLIDE 35

Secure Capability Systems

  • SCAP
      • Karger’s extension of the Cambridge CAP system
  • EROS
      • Shapiro’s reimplementation of the KeyKOS system

SLIDE 36

Capabilities and the *-Property

  • Capabilities and Lattice Models Don’t Mix
  • Suppose A is higher secrecy than B
  • A can read B’s capabilities
  • Q: Can a Trojan horse running as A write to Obj?

[Figure: B’s capabilities, including a Read-Write capability for Obj]

SLIDE 37

SCAP *-security

  • Mediate requests to load capabilities
      • Must be loaded into a capability cache before use
  • Enforce MLS requirements on capability load
      • If subject label dominates capability’s object label, then change the capability to read-only
  • Expensive to test for MLS on every load
  • For general confinement test against confinement property for every load (uses ACLs!)

SLIDE 38

EROS *-security

  • Define weak capabilities
      • If a weak capability is used to fetch a capability (transitively), then the fetched capability becomes read-only and weak
  • Assign weak capabilities to higher-secrecy subjects for accessing a lower-secrecy write capability
      • becomes read-only and weak
  • No need to test against a policy at runtime
      • Faster performance is possible
  • For general confinement use confined processes or authorized capability sets
      • Not clear these really worked for general confinement

SLIDE 39

Capability Management

  • How’d you get those capabilities?
      • Stored with program, user
      • Compare with getting permissions by a process label
  • How do I get them back?
      • Once granted, nearly impossible to revoke

SLIDE 40

EROS Revocation

  • Defined by Redell
  • Use a layer of indirection
  • Revoker capabilities
      • If you may revoke, create a revoker
      • Then grant capabilities to the revoker
      • When you delete the revoker, all descendants become invalid

[Figure: Object and Revoker, with capability paths labelled “Not Revocable” and “Revocable”]

SLIDE 41

SCAP Revocation

  • Chain the capabilities
      • “revocation by chaining”
      • All capabilities to an object are stored in a ring
  • Can then revoke one
      • Motivate reassessment of all others
      • How do I know that I am revoking a particular capability?
  • Compare with using revoker capabilities
      • the memory/performance cost
      • the flexibility of revocation

SLIDE 42

Result

  • Generally, the security problems with capability systems can be solved
  • So, why aren’t cap systems more broadly used?
  • Capability management is difficult
      • How do I know what rights to give out in the first place?
  • Defining and testing confinement is expensive or limiting
      • Testing every grant is expensive (supposed to be lots)
      • Predefining a safe domain is limiting and counterintuitive
  • Setup per process is key
      • For ACLs it is setup per object -- may be less volatility

SLIDE 43

Mandatory Access Control

  • Is about administration
  • Policy is defined and fixed for the system
  • Users cannot modify policy
  • More importantly, users’ processes cannot modify policy
  • So, what should the policy be?

SLIDE 44

Security Goals

  • Secrecy
      • Do not leak data to unauthorized subjects
  • Integrity
      • Do not depend on input from lower integrity subjects
      • Invocation, inputs, files, etc.

SLIDE 45

MAC Systems

  • Major Effort: Multics
      • Multiprocessing system -- developed many OS concepts
          • Including security
      • Begun in 1965
          • Development continued into the mid-70s
          • Used until 2000
      • Initial partners: MIT, Bell Labs, GE/Honeywell
      • Other innovations: hierarchical filesystems, dynamic linking
  • Subsequent proprietary system, SCOMP, became the basis for secure operating systems design

SLIDE 46

Multics Goals

  • Secrecy
      • Multilevel security
  • Integrity
      • Rings of protection
  • Reference Monitoring
      • Mediate segment access, ring crossing
  • Resulting system is considered a high point in secure system design

SLIDE 47

Protection Rings

  • Successively less-privileged “domains”
  • Modern CPUs support 4 rings
      • Use 2 mainly: Kernel and user
  • Intel x86 rings
      • Ring 0 has kernel
      • Ring 3 has application code
  • Example: Multics (64 rings in theory, 8 in practice)

SLIDE 48

What Are Protection Rings?

  • Coarse-grained, Hardware Protection Mechanism
  • Boundary between Levels of Authority
      • Most privileged -- ring 0
      • Monotonically less privileged above
  • Fundamental Purpose
      • Protect system integrity
          • Protect kernel from services
          • Protect services from applications
          • So on...

SLIDE 49

Intel Protection Ring Rules

  • Each Memory Segment has a privilege level (ring number)
  • The CPU has a Current Protection Level (CPL)
      • Level of the segment where instructions are being read
  • Program can read/write in segments of lower level than CPL
      • kernel can read/write user space
      • user cannot read/write kernel
      • why not?

SLIDE 50

Protection Ring Rules

  • Program cannot call code of higher privilege directly
      • Gate is a special memory address where lower-privilege code can call higher
      • Enables OS to control where applications call it (system calls)

[Figure: Ring 3 and Ring 0, with one call path labelled “Gate” and one labelled “No gate”]

SLIDE 51

Multics Interpretation

  • Kernel resides in ring 0
  • Process runs in a ring r
      • Access based on current ring
  • Process accesses data (segment)
      • Each data segment has an access bracket: (a1, a2)
          • a1 <= a2
      • Describes read and write access to segment
          • r is the current ring
          • r <= a1: access permitted
          • a1 < r <= a2: r and x permitted; w denied
          • a2 < r: all access denied

[Figure: ring axis numbered 1 to 7 with a1 and a2 marked; regions labelled RWX and R-X]

SLIDE 52

Multics Interpretation (con’t)

  • Also different procedure segments
      • with call brackets: (c1, c2), c1 <= c2
      • and access brackets (a1, a2)
      • The following must be true (a2 == c1)
  • Rights to execute code in a new procedure segment
      • r < a1: access permitted with ring-crossing fault
      • a1 <= r <= a2 = c1: access permitted and no fault
      • a2 < r <= c2: access permitted through a valid gate
      • c2 < r: access denied
  • What’s it mean?
      • case 1: ring-crossing fault changes procedure’s ring
          • increases from r to a1
      • case 2: keep same ring number
      • case 3: gate checks args, decreases ring number
  • Target code segment defines the new ring

[Figure: ring axis numbered 1 to 7 with a1, a2, c1 and c2 marked; regions labelled “Ring fault”, “No ring fault”, “Allow with gate” and “Denied”]

SLIDE 53

Examples

  • Process in ring 3 accesses data segment
      • access bracket: (2, 4)
      • What operations can be performed?
  • Process in ring 5 accesses same data segment
      • What operations can be performed?
  • Process in ring 5 accesses procedure segment
      • access bracket (2, 4)
      • call bracket (4, 6)
      • Can call be made?
      • How do we determine the new ring?
      • Can new procedure segment access the data segment above?
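
The bracket rules from the two preceding slides applied to these cases, as an added example (not from the lecture). The slides say only that a gate call decreases the ring number and that the target segment defines the new ring; taking the new ring to be a2, the top of the target's access bracket, is an assumption made here.

```python
def data_access(r, a1, a2):
    """Rights of a process in ring r on a data segment with access bracket (a1, a2)."""
    if not 0 <= a1 <= a2:
        raise ValueError("access bracket must satisfy a1 <= a2")
    if r <= a1:
        return "rwx"          # r <= a1: access permitted
    if r <= a2:
        return "r-x"          # a1 < r <= a2: r and x permitted; w denied
    return "---"              # a2 < r: all access denied


def call_access(r, access_bracket, call_bracket):
    """Outcome of a call from ring r into a procedure segment: (how, new_ring)."""
    a1, a2 = access_bracket
    c1, c2 = call_bracket
    if not (a1 <= a2 and c1 <= c2 and a2 == c1):
        raise ValueError("brackets must satisfy a1 <= a2 == c1 <= c2")
    if r < a1:
        return "ring-crossing fault", a1     # case 1: ring increases from r to a1
    if r <= a2:
        return "no fault", r                 # case 2: keep same ring number
    if r <= c2:
        return "gate", a2                    # case 3: ASSUMPTION, new ring is a2
    return "denied", None                    # c2 < r: access denied


def call_then_access(r, access_bracket, call_bracket, data_bracket):
    """Call a procedure from ring r, then access a data segment from the new ring."""
    how, new_ring = call_access(r, access_bracket, call_bracket)
    if new_ring is None:
        return how, None, "---"
    return how, new_ring, data_access(new_ring, *data_bracket)


def ring_table(data_bracket, access_bracket, call_bracket, rings=range(8)):
    """One row per ring: (ring, data rights, call outcome)."""
    return [
        (r, data_access(r, *data_bracket), call_access(r, access_bracket, call_bracket))
        for r in rings
    ]


if __name__ == "__main__":
    DATA = (2, 4)             # data segment access bracket from the slide
    PROC_ACCESS = (2, 4)      # procedure segment access bracket from the slide
    PROC_CALL = (4, 6)        # procedure segment call bracket from the slide
    print("ring 3 on data:", data_access(3, *DATA))
    print("ring 5 on data:", data_access(5, *DATA))
    print("ring 5 call, then data:", call_then_access(5, PROC_ACCESS, PROC_CALL, DATA))
    for row in ring_table(DATA, PROC_ACCESS, PROC_CALL):
        print(row)
```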

SLIDE 54

Multics Segments

  • Named segments are protected by access control lists and MLS protections
      • Hierarchically arranged
      • Precursor to hierarchical file systems
  • Memory segment access is controlled by hardware monitor
      • Multics hardware retrieves segment descriptor word (SDW)
          • Like a file descriptor
      • Based on rights in the SDW determines whether can access segment
  • Master mode (like root) can override protections

SLIDE 55

Multics Vulnerability Analysis

  • Detailed security analysis covering
      • Hardware
      • Software
      • Procedural features (administration)
  • Good news
      • Design for security
      • System language prevents buffer overflows
          • Defined buffer sizes
      • Hardware features prevent buffer overflows
          • Addressing off segment is an error
          • Stack grows up
      • System is much smaller than current UNIX systems

SLIDE 56

Vulnerabilities Found

  • Hardware
      • Indirect addressing -- incomplete mediation
          • Check direct, but not indirect address
      • Mistaken modification introduced the error
  • Software
      • Ring protection (done in software)
          • Argument validation was flawed
          • Certain type of pointer was handled incorrectly
      • Master mode transfer
          • For performance, run master mode program (signaler) in user ring
          • Development assumed trusted input to signaler -- bad combo
  • Procedural
      • Trap door insertion goes undetected

SLIDE 57

Final Project

  • Due: December 19th, 5:00pm (5:01pm gets 0 points)
  • Email to mcdaniel@cse.psu.edu
  • Project must include
  • 5-10 page write-up of publishable quality and content.
  • Effort should match number of people in group.
  • CC all members (I will email back your final grade)
  • Source code/data should be tarred and put on web for downloading.

  • No presentations!
  • 10% extra credit for turning it in at the final exam!!!!

SLIDE 58

Final

  • Time: either this weekend (you name a time), 2 hours or Tuesday, December 16 - 4:40pm-6:30pm (230 ARTS)
  • Note: everyone must agree to change.
  • Content: all content in the class, more focus on topics since the midterm (100 total pts)

  • 14 short answer (3 pts) = 42pts
  • 4 long answer (7 pts) = 28pts
  • 3 word problems (10 pts) = 30pts
  • Remainder of today: questions?
