Security – PowerPoint PPT Presentation


SLIDE 1

BS1 WS19/20 – topic-based slides

Security

  • Security as term, Possible Security violations
  • Authentication
  • Criteria for Trust in Computer Systems
  • Three hearts of Windows Security
  • DACLs
SLIDE 2

Operating Systems 20

A Look at Security

  • A system is secure if its resources are used and accessed only as intended, under all circumstances
  • Security violations:
  • Unauthorized reading of data (theft of information) – Confidentiality
  • Unauthorized modification of data – Integrity
  • Unauthorized destruction of data – Integrity, Availability
  • Security measures:
  • Physical
  • User authorization
  • A weakness at a higher level (physical or human) lets an attacker circumvent even strict low-level (operating system) measures

SLIDE 3

Authentication

  • Username/password, biometric ID, smartcards, 2FA
  • Special case of keys/capabilities
  • System-generated vs. user-generated passwords
    (hard to remember vs. easy to guess)
  • Paired passwords: the system presents one half of a pair, the user must respond with the matching other half
  • How to store passwords securely:
  • One-way functions executed on passwords
    (easy to calculate but hard to invert; store the result, never the password, and salt it so that equal passwords do not yield equal records)
  • Shadow passwords
    (restricted access to the file holding the hashes, so that offline guessing first requires privileged access)
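The two storage measures above, salted one-way hashing and a shadow file readable only by its owner, as an added example in Python (not code from the original slides). It uses only the standard library; the record layout "$pbkdf2-sha256$iterations$salt$hash", the account name "apolze" and the password "hunter2" are this example's own constructions.

```python
"""Salted one-way password hashing and a shadow-style store.

Added example; not from the original slides. Standard library only.
The record layout "$pbkdf2-sha256$<iterations>$<salt>$<hash>" is this
example's own convention, modelled on the "$id$salt$hash" strings of crypt(3).
"""
import base64
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Dict, Optional, Tuple

ITERATIONS = 600_000   # work factor: slows offline guessing, barely noticeable at login
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the one-way function with the stored salt; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha256":
        return False
    _, _, iterations, salt_b64, digest_b64 = parts
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def write_shadow(path: str, records: Dict[str, str]) -> int:
    """Write "user:record" lines to a file only its owner may read (mode 0600):
    the shadow-password idea, keeping hashes out of the world-readable passwd file.
    Returns the permission bits actually set on the file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, record in records.items():
            f.write(f"{user}:{record}\n")
    os.chmod(path, 0o600)               # O_CREAT's mode is masked by umask; force it
    return stat.S_IMODE(os.stat(path).st_mode)


def load_shadow(path: str) -> Dict[str, str]:
    records: Dict[str, str] = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            user, _, record = line.rstrip("\n").partition(":")
            records[user] = record
    return records


def shadow_roundtrip(iterations: int = 1_000) -> Tuple[int, bool, bool]:
    """Store one constructed account, reload it, try a right and a wrong password.
    Returns (file mode, correct password verified, wrong password verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shadow")
        mode = write_shadow(path, {"apolze": hash_password("hunter2", iterations=iterations)})
        stored = load_shadow(path)["apolze"]
        return mode, verify_password(stored, "hunter2"), verify_password(stored, "hunter3")


if __name__ == "__main__":
    print(hash_password("hunter2"))
    print(shadow_roundtrip())          # (384, True, False); 384 == 0o600
```

Two records for the same password differ because of the salt, so a leaked shadow file cannot be attacked with a single precomputed table, and the iteration count is what makes each guess expensive; the low count passed to shadow_roundtrip is only there to keep the demonstration fast.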

SLIDE 4

Trusted Computer System Evaluation Criteria (TCSEC)

  • A1 Verified Design
  • B3 Security Domains
  • B2 Structured Protection (Trusted XENIX)
  • B1 Labeled Security Protection (HP-UX, Trusted IRIX, Tru64 UNIX)
  • C2 Controlled Access Protection (highest level considered practical for a general-purpose OS)
  • C1 Discretionary Access Protection (obsolete)
  • D Minimal Protection (e.g. DOS)

SLIDE 5

Common Criteria

  • The Common Criteria (CC) are the current standard for rating the security of software and operating systems, succeeding TCSEC
  • Consortium of US, UK, Germany, France, Canada, and the Netherlands in 1996
  • Became ISO standard 15408 in 1999
  • For more information, see http://www.commoncriteriaportal.org/ and http://csrc.nist.gov/cc
  • CC is more flexible than the TCSEC trust ratings
  • includes the concept of a Protection Profile (PP), which collects security requirements into easily specified and compared sets, and the concept of a Security Target (ST), which contains the set of security requirements claimed for a product and can be stated by reference to a PP

SLIDE 6

A Note About Physical Security

  • Security is harder to maintain if someone has physical access:
  • attackers can always destroy data
  • attackers can retrieve and modify unencrypted data by booting a live system:
    the file system's protection mechanisms don't apply when the disk is read by another OS
  • Full-disk encryption is the only way to protect data on systems whose physical security can be compromised (like laptops)

SLIDE 7

Security Components

[Diagram: Windows architecture. User mode: System Service Dispatcher, System Threads, WinLogon, MSGINA, LSASS (containing LSA Server, SAM Server, MSV1_0.dll, Kerberos.dll, LSA Policy, Event Logger, Active Directory) and the SAM. Kernel mode: Object Mgr., Windows USER/GDI, File System Cache, I/O Mgr, Device & File Sys. Drivers, Plug and Play Mgr., Power Mgr., Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Graphics Drivers, Kernel (kernel-mode callable interfaces), Configuration Mgr (registry).]

SLIDE 8

The three hearts of Windows Security

  • Local Security Authority (LSA), as a local user-mode process
  • Heart of user authentication on the local machine
  • LSA on a domain controller
  • Heart of user authentication on networked machines (domain logons)
  • Security Reference Monitor (SRM), in kernel mode
  • Heart of object access protection
SLIDE 9

Security Components

  • Local Security Authority
  • User-mode process (\Windows\System32\Lsass.exe) that implements policies (e.g. password, logon), authentication, and sending audit records to the security event log
  • LSASS policy database: registry key HKLM\SECURITY

[Diagram: WinLogon and MSGINA hand the logon to LSASS; inside LSASS: LSA Server, SAM Server, the authentication packages MSV1_0.dll (NTLM) and Kerberos.dll, LSA Policy, Event Logger, NetLogon; backing stores: Active Directory and the SAM.]

SLIDE 10

LSASS Components

  • Security Account Manager (SAM) Service
  • A set of subroutines (\Windows\System32\Samsrv.dll) responsible for managing the database that contains the usernames and groups defined on the local machine
  • SAM database: a database that contains the defined local users and groups, along with their password hashes and other attributes. This database is stored in the registry under HKLM\SAM.
  • Password crackers attack the local user account password hashes stored in the SAM: an attacker who obtains a copy of the hive (which itself requires administrative access) can guess passwords offline, which is why the stored value must be a one-way function of the password and the hive must be access-restricted

SLIDE 11

LSASS Components

  • Active Directory
  • A directory service that contains a database that stores information about objects in a domain
  • A domain is a collection of computers and their associated security groups that are managed as a single entity
  • The Active Directory server is implemented as a service, \Windows\System32\Ntdsa.dll, that runs in the Lsass process on domain controllers

SLIDE 12

Protecting Objects

  • Object access is gated by the Security Reference Monitor (SRM)
  • performs access validation at the time an object is opened by a process
  • Access validation is a security equation with three inputs:
  • Desired Access: the type of access being requested;
    must be specified up front and must include all accesses that will later be performed on the object through the handle that results from the validation
  • Token: identifies the user that owns the process, including their group memberships and privileges;
    threads can adopt a special type of token called an "impersonation token" that carries the identity of another account
  • The object's Security Descriptor:
    contains a Discretionary Access Control List (DACL) that describes which types of access to the object users are allowed or denied

SLIDE 13

Handles and Security

  • If the validation succeeds, a handle is created in the requesting process, through which the process can access the resource with the accesses that were granted
  • Changing security on an object only affects subsequent opens
  • Processes that have existing handles can continue to access the object with the accesses they were granted
  • E.g. changing permissions on a share won't affect currently connected users; to revoke their access, their existing sessions (handles) must be closed as well
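The open-time rule above, as an added example (not code from the slides): open a file, strip all permissions from it, and observe that the already-open descriptor still reads while a fresh open is refused. It is demonstrated on a POSIX file descriptor because the same check-at-open semantics apply there as to a Windows handle; the file name and content are constructed, and the function reports whether it ran as root, since root bypasses the mode bits on the second open.

```python
"""Access is validated when an object is opened; an existing handle keeps
its rights after the object's permissions change.

Added example; not from the slides. Demonstrated on a POSIX file descriptor
because the same open-time check applies there; a Windows handle behaves the
same way. POSIX only (uses os.geteuid and full chmod semantics).
"""
import os
import tempfile
from typing import Tuple


def handle_outlives_permission_change() -> Tuple[bool, bool, bool]:
    """Open a file, then strip every permission bit from it.
    Returns (old_fd_still_reads, new_open_succeeds, running_as_root)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("payload\n")                 # constructed content

        fd = os.open(path, os.O_RDONLY)          # access check happens here, against 0644
        os.chmod(path, 0)                        # "change permissions" after the open

        try:
            old_ok = os.read(fd, 64) == b"payload\n"   # still granted: validated at open
        finally:
            os.close(fd)

        try:
            fd2 = os.open(path, os.O_RDONLY)     # a new open is checked against mode 000
            os.close(fd2)
            new_ok = True                        # only root (CAP_DAC_OVERRIDE) gets here
        except PermissionError:
            new_ok = False

        os.chmod(path, 0o600)                    # so the temp dir can be cleaned up
        return old_ok, new_ok, os.geteuid() == 0


if __name__ == "__main__":
    print(handle_outlives_permission_change())  # (True, False, False) as a normal user
```

The practical consequence is the one stated on the slide: tightening an ACL after the fact does nothing for whoever already holds a handle, so revocation means closing the handle (or the session that owns it), not just editing the permissions.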
SLIDE 14

Access Control Lists

  • An ACL is a set of Access Control Entries (ACEs)
  • 2 types: access-allowed / access-denied
  • Each ACE contains a SID and an access mask
  • The order of ACEs in an ACL is important:
  • first-fit algorithm: the first matching ACEs decide, and a matching access-denied ACE ends the check
  • frequently: access-denied ACEs first (the "canonical order", as implemented by the Explorer GUI)
  • other schemes are possible, e.g. an allow ACE placed ahead of a deny ACE for the same access lets the allow win
SLIDE 15

Access Control Entries (ACEs)

  • Each ACE includes an access mask
  • The mask defines all possible actions for a particular object type
  • Each object type can have up to 16 specific access rights (the specific access mask, the low 16 bits of the mask)
  • Standard rights apply to all object types:
  • SYNCHRONIZE – allow a process to wait on the object's signaled state
  • WRITE_OWNER – change the object's owner
  • WRITE_DAC – write access to the discretionary ACL
  • READ_CONTROL – read access to the security descriptor
  • DELETE – grant/deny delete access
  • Generic rights are mapped to type-specific combinations, e.g. for files:
  • FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE
SLIDE 16

Discretionary Access Control Lists (DACLs)

  • DACLs consist of zero or more Access Control Entries
  • A security descriptor with no DACL (a NULL DACL) allows everyone all access
  • A security descriptor with an empty (0-entry) DACL denies all access
  • An ACE is either "allow" or "deny"

[Diagram: an ACE consists of an ACE type (allow/deny), a SID, and an access mask (Read, Write, Delete, ...).]

SLIDE 17

Access Check - recap

  • ACEs in the DACL are examined in order
  • Does the ACE have a SID matching a SID in the token?
  • If so, do any of its access bits match any remaining desired accesses?
  • If so, what type of ACE is it?
    Deny: return ACCESS_DENIED
    Allow: grant the matching accesses and, if there are no remaining accesses to grant, return ACCESS_ALLOWED
  • If we get to the end of the DACL and there are remaining desired accesses, return ACCESS_DENIED

SLIDE 18

Example: Access granted

[Diagram] Security token: User ID FredMgr; Group IDs Users, Mgrs, Everyone; Privileges: none. Desired access: read/write.
File object, security descriptor, DACL:
  ACE 1: AccessAllowed FredMgr Read (RX)
  ACE 2: AccessAllowed Mgrs Special Access (RW)
  ACE 3: AccessAllowed Everyone Special Access (X)
Result: ACE 1 grants R, ACE 2 grants the remaining W, nothing is left to grant, ACCESS_ALLOWED.

SLIDE 19

Example: Access denied

[Diagram] Security token: User ID FredMgr; Group IDs Users, Mgrs, Everyone; Privileges: none. Desired access: read/write.
File object, security descriptor, DACL:
  ACE 1: AccessDenied Mgrs (No Access)
  ACE 2: AccessAllowed FredMgr Read (RX)
  ACE 3: AccessAllowed Everyone Write (W)
Result: ACE 1 matches the group Mgrs and covers the desired accesses, so the check returns ACCESS_DENIED at once, although ACEs 2 and 3 would together have granted read and write.
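The first-fit access check of the "Access Check - recap" slide, run over the two FredMgr examples and over the NULL-DACL and empty-DACL cases from the DACL slide, as an added example in Python (not code from the slides and not the Windows implementation). Plain strings such as "FredMgr" and "Mgrs" stand in for SIDs, the bit values of the toy access mask are this example's own, and the third DACL, the denied example with its deny ACE moved last, is constructed here to show why ACE order matters.

```python
"""First-fit DACL evaluation, the access-check loop of the slides, with the
FredMgr examples. Added example; not from the slides and not the Windows
implementation. Plain strings ("FredMgr", "Mgrs") stand in for SIDs, and the
bit values of the toy access mask are this example's own.
"""
from typing import List, NamedTuple, Optional, Set

# toy access mask (the real FILE_* rights use other bit positions)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALL = READ | WRITE | EXECUTE

ALLOW, DENY = "AccessAllowed", "AccessDenied"


class ACE(NamedTuple):
    ace_type: str      # ALLOW or DENY
    sid: str
    mask: int


class Token(NamedTuple):
    user: str
    groups: Set[str]

    def sids(self) -> Set[str]:
        return {self.user, *self.groups}


def access_check(token: Token, dacl: Optional[List[ACE]], desired: int) -> bool:
    """Return True for ACCESS_ALLOWED, False for ACCESS_DENIED.

    dacl=None models a security descriptor with no DACL (everything allowed);
    dacl=[] models an empty DACL (nothing allowed)."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:                          # examined strictly in order
        if ace.sid not in token.sids():
            continue                          # SID does not match the token
        if not (ace.mask & remaining):
            continue                          # no overlap with what is still wanted
        if ace.ace_type == DENY:
            return False                      # deny wins as soon as it is reached
        remaining &= ~ace.mask                # grant the overlapping bits
        if remaining == 0:
            return True                       # nothing left to grant
    return False                              # end of DACL, accesses still outstanding


# --- the two worked examples from the slides -------------------------------
FRED = Token("FredMgr", {"Users", "Mgrs", "Everyone"})

GRANTED_DACL = [                      # slide "Example: Access granted"
    ACE(ALLOW, "FredMgr", READ | EXECUTE),
    ACE(ALLOW, "Mgrs", READ | WRITE),
    ACE(ALLOW, "Everyone", EXECUTE),
]

DENIED_DACL = [                       # slide "Example: Access denied"
    ACE(DENY, "Mgrs", ALL),           # "No Access"
    ACE(ALLOW, "FredMgr", READ | EXECUTE),
    ACE(ALLOW, "Everyone", WRITE),
]


def denied_dacl_with_deny_last() -> List[ACE]:
    """Same ACEs as DENIED_DACL with the deny ACE moved to the end (non-canonical order)."""
    return DENIED_DACL[1:] + DENIED_DACL[:1]


if __name__ == "__main__":
    print(access_check(FRED, GRANTED_DACL, READ | WRITE))                  # True
    print(access_check(FRED, DENIED_DACL, READ | WRITE))                   # False
    print(access_check(FRED, denied_dacl_with_deny_last(), READ | WRITE))  # True
```

The third call is the point of the "order of ACEs is important" slide: with the same three ACEs but the deny ACE last, the two allow ACEs satisfy read and write before the deny is ever examined, so the request succeeds. That is why the Explorer GUI writes deny ACEs first.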

SLIDE 20

UNIX File Protection

  • Access rights can be independently defined for:
  • (u) user
    the owner of a file (defaults to the creator)
  • (g) group
    the file's group
  • (o) other
    all other users of the system
  • Example:

    $> ls -lisa
    total 2
    421908 1 drwxr-xr-x  2 apolze 1024 Jan 7 15:06 .
    116884 1 drwxr-xr-x 13 apolze 2048 Jan 7 15:06 ..
    116992 0 -rw-------  1 apolze    0 Jan 7 15:05 Mail.txt
    116991 0 -rw-rw-rw-  1 apolze    0 Jan 7 15:05 test.c
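The u/g/o check applied to the listing above, as an added example in Python (not code from the slides). It parses the mode column, picks exactly one permission class for the requesting user, and decides the request. The mode strings and the owner apolze come from the listing; the group name "staff" and the users "bob" and "eve" are constructed, since the listing on the slide shows no group column. The check deliberately models the one subtlety practitioners trip over: only the first matching class applies, so an owner can be locked out of a file that "other" may read.

```python
"""Classic UNIX u/g/o permission check applied to an ls -l listing.

Added example; not from the slides. The mode strings are taken from the
listing on the slide; the group "staff" and the users "bob" and "eve" are
constructed. Root's bypass of the mode bits is not modelled.
"""
from typing import NamedTuple, Set, Tuple

R, W, X = 4, 2, 1


def parse_mode(mode: str) -> Tuple[int, int, int]:
    """'-rw-r--r--' -> (6, 4, 4). The leading file-type character is optional."""
    perms = mode[1:] if len(mode) == 10 else mode
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {mode!r}")
    classes = []
    for triple in (perms[0:3], perms[3:6], perms[6:9]):
        bits = 0
        if triple[0] == "r":
            bits |= R
        if triple[1] == "w":
            bits |= W
        if triple[2] in "xst":      # s/t: set-id or sticky with the execute bit set
            bits |= X
        classes.append(bits)
    return classes[0], classes[1], classes[2]


class Subject(NamedTuple):
    user: str
    groups: Set[str]


def unix_access(mode: str, owner: str, group: str, who: Subject, wanted: int) -> bool:
    """Exactly one class applies: owner, else group member, else other.
    A file its owner cannot read stays unreadable to the owner even if 'other' may."""
    u, g, o = parse_mode(mode)
    if who.user == owner:
        bits = u
    elif group in who.groups:
        bits = g
    else:
        bits = o
    return (wanted & bits) == wanted


# constructed subjects; apolze is the owner shown in the listing
APOLZE = Subject("apolze", {"staff"})
BOB = Subject("bob", {"staff"})
EVE = Subject("eve", {"guests"})

LISTING = {                   # name -> (mode from the slide, owner, assumed group)
    "Mail.txt": ("-rw-------", "apolze", "staff"),
    "test.c":   ("-rw-rw-rw-", "apolze", "staff"),
}


def can(who: Subject, name: str, wanted: int) -> bool:
    mode, owner, group = LISTING[name]
    return unix_access(mode, owner, group, who, wanted)


if __name__ == "__main__":
    print(can(APOLZE, "Mail.txt", R))   # True: owner class
    print(can(BOB, "Mail.txt", R))      # False: group class has no bits
    print(can(EVE, "test.c", W))        # True: world-writable
```

Mail.txt is private to apolze while test.c is writable by anyone on the system, which is the kind of mode a quick audit of world-writable files (find / -perm -o+w) is meant to catch.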