least privilege and privilege separation
play

Least privilege and privilege separation Deian Stefan Slides - PowerPoint PPT Presentation

Sep 21, 2022 •108 likes •578 views

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

  1. CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage

  2. This week… • How to build secure systems ➤ Least privilege and privilege separation ➤ Sandboxing and isolation • Key is underlying principles not mechanisms ➤ We’re going to look at systems techniques ➤ Other ways to achieve similar goals: language-based

  3. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  4. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  5. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  6. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  7. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  8. 
 
 
 
 What’s the problem with this defn? • Talking about a huge, monolith system is not really useful • Why? 
 Network Network User input User device File system File system

  9. 
 
 
 Breaking a system into components • Compartmentalization and isolation ➤ Separate the system into isolated compartments ➤ Limit interaction between compartments • Why is this more meaningful? 
 Network Network User input User device File system File system

  10. How dow we break things apart?

  11. Map compartment to user ids! • Recall: permissions in UNIX granted according to UID ➤ A process may access files, network sockets, …. • Each process has UID • Each file has ACL ➤ Grants permissions to users according to UIDs and 
 roles (owner, group, other) ➤ Everything is a file!

  12. How many UIDs does a process have? • A: one • B: two • C: three • D: four

  13. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  14. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  15. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  16. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  17. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  18. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  19. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  20. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  21. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  22. Where have you seen this? -rwsr-xr-x 1 root root 55440 Jul 28 2018 /usr/bin/passwd drwxrwxrwt 16 root root 700 Feb 6 17:38 /tmp/

  23. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  24. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  25. Example 1: Mail agent • Requirements ➤ Receive and send email over external network ➤ Place incoming email into local user inbox files • Sendmail ➤ Monolithic design ➤ Historical source of many vulnerabilities • Qmail ➤ Compartmentalized design

  26. qmail design • Isolation based on OS isolation ➤ Separate modules run as separate “users” ➤ Each user only has access to specific resources • Least privilege ➤ Minimal privileges for each UID ➤ Only one “setuid” program ➤ Only one “root” program

  27. structure of qmail qmail-smtpd qmail-inject qmail-queue Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  28. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  29. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send root qmail-rspawn qmail-lspawn qmail-remote qmail-local

  30. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  31. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue Reads incoming mail directories Splits message into header, body Signals qmail-send qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  32. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send signals • qmail-lspawn if local qmail-send • qmail-remote if remote root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  33. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-lspawn • Spawns qmail-local • qmail-local runs with ID of user receiving local mail

  34. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-local • Handles alias expansion • Delivers local mail • Calls qmail-queue if needed

  35. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-remote • Delivers message to remote MTA

  36. Android design • Isolation: Each app runs with own UID (own VM) ➤ Provides memory protection ➤ Communication limited to using UNIX domain sockets + reference monitor checks permissions ➤ Only ping and zygote run as root • Least Privilege: Applications announces permission ➤ User grants access at install time + runtime

  37. okws design • Isolation: each service runs with own UID ➤ Each service run in a chroot jail, restricted to ➤ Communication limited to structured RPC between service and DB • Least privilege ➤ Each UID is unique non privileged user ➤ Only okld (launcher daemon) runs as root

  38. okws design

  39. okws design

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun Cho, T aesoo Kim, Insik Shin (NDSS 16) Presented by Shivansh Chandnani CS 563 (Fall 2018) 3 rd party libraries are very popular in Android

1.12k views • 28 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

787 views • 43 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser ("kernel") Full privileges (file system,

603 views • 29 slides
GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February 2013 1 Outline Introduction to GSS-API Using GSS-API Introduction to GSS-Proxy GSS-Proxy components Kernel upcalls and

186 views • 18 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides
and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the

and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege in Insurance Disputes: Preserving Confidentiality and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the Tripartite

1.17k views • 78 slides
Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting

Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting

Presenting a live 90-minute webinar with interactive Q&A Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting the Privilege TUESDAY, JUNE 13, 2017 1pm Eastern | 12pm Central | 11am

894 views • 45 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of

Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of

Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of Electrical Engineering KTH, Royal Institute of Technology Stockholm, Sweden Joint work with: Ognjen Vukovi, Henrik Sandberg, Kin Cheong Sou, Andr

554 views • 39 slides
B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil

B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil

B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil tkalil@uclink.berkeley.edu Grand challenge ! Provide affordable, useful digital services to the 4 billion people on the planet earning less than $1,500 ! Not a

399 views • 10 slides
Optical Packet Switching the technology and its potential role in future communication networks

Optical Packet Switching the technology and its potential role in future communication networks

Optical Packet Switching the technology and its potential role in future communication networks Results from IST project . Lars Dittmann COM Technical University of Denmark ld@com.dtu.dk 1 ld@com.dtu.dk Zagreb 210503 What

1.05k views • 20 slides
CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider

CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider

CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider of Mission Critical Real Estate Solutions Table of Contents Results for 1Q 2020............................Page 3 Safe Harbor I. Unless

752 views • 41 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford

Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford

Authority Analysis for Least Privilege Environments 01 Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford University Computing Laboratory Authority Analysis for Least Privilege Environments 02 The Rise of

797 views • 22 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Database Security Enforced Database security - only authorized users can perform authorized

Database Security Enforced Database security - only authorized users can perform authorized

IT360: Applied Database Systems Database Security Kroenke: Ch 9, pg 309-314 PHP and MySQL: Ch 9, pg 217-227 1 Rights Database Security Enforced Database security - only authorized users can perform authorized activities Responsibilities

317 views • 9 slides

More recommend