system configuration as a privilege
play

System Configuration as a Privilege Glenn Wurster , Paul C. van - PDF document

Apr 11, 2024 •331 likes •526 views

System Configuration as a Privilege Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada HotSec 2009 11 Aug 2009 Glenn Wurster, Paul C. van Oorschot System Config Privilege 1/ 19 1 The Configuration

  1. System Configuration as a Privilege Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada HotSec 2009 — 11 Aug 2009 Glenn Wurster, Paul C. van Oorschot System Config Privilege 1/ 19 1

  2. The Configuration Privilege Separate configuration privilege from traditional root Why separate the two? 1 System is normally used for performing work e.g., reading e-mail, coding, writing papers 2 Prevent stealthy configuration changes 3 Restrict the abilities of installers Glenn Wurster, Paul C. van Oorschot System Config Privilege 2/ 19 1. Compromised daemons/root applications • No limit to configuration changes 2. Dubious installers • Sony DRM, Kazaa 2

  3. Installing Applications Typical procedure 1 Become the superuser 2 Run the installer Problem: Granting unrestricted access to the file system Glenn Wurster, Paul C. van Oorschot System Config Privilege 3/ 19 1. User knows when they want to install something 2. Explicitly grants superuser privileges • Can run arbitrary code • Can overwrite arbitrary files 3. Source of installer is downloaded code? • The complete opposite of what we’re trying to tell them 3

  4. Protecting Configuration-Related Files Examples of Configuration-Related Files Executables Libraries System Config Files System Scripts Glenn Wurster, Paul C. van Oorschot System Config Privilege 4/ 19 1. Information Flow • Read and write to data files • Only read from configuration-related files 2. Application Includes Installers 3. Regardless of whether the program is run as root 4. Example of Data file: • Your pictures of Montreal 4

  5. Primary Existing Mechanisms for File-System Protection Many proposals 1 Discretionary e.g., UNIX and ACL’s 2 Mandatory Access control e.g., SELinux, AppArmor 3 Physical e.g., read-only media 4 Reactive e.g., Tripwire What about software installs/updates? Glenn Wurster, Paul C. van Oorschot System Config Privilege 5/ 19 1. Assumption is the system is in a steady state • No new applications being installed/removed 2. Need very-high privileges to install/upgrade • Read-only media needs to be made writable • Tripwire needs manual merging of changes 3. My Observations • All handle installs, but were not designed for it. • Even MAC systems don’t directly tackle the prob- lem of how you get new/updated software onto the system. 5

  6. The Alternative Install Approaches Have Their Own Problems 1 Do everything manually Technical expertise required 2 Application bundles/packages Caveat: binaries/scripts run during application install 3 Track system changes User surveillance Glenn Wurster, Paul C. van Oorschot System Config Privilege 6/ 19 1. Manual Install: • Thick book of instructions • No installer run with superuser privileges 2. Application bundles: • Linux package managers - still run scripts with root • Apple bundles - don’t know about scripts 3. Tracking Changes: • System Checkpointing, Sandboxing • User must run tools before install 6

  7. Classifying Installers 1 What is an installer? Is a FTP server an installer? 2 Not all installers are created equal. Game vs. OS upgrade 3 Update vs. Upgrade vs. Install Glenn Wurster, Paul C. van Oorschot System Config Privilege 7/ 19 1. What is an installer • Hard question • Prone to subversion by malware 2. Different installers need to do different things • Security Updates change little • OS Upgrades change much 3. Any attempt to subclass the installer space? • Apparently not 4. Not sure we need to classify installers • Configuration privilege still a contribution without classification 7

  8. Limiting Configuration Actions Two options: 1 Identify installers and limit them � Identifying installers is probably hard What about non-installers? 2 Limit all applications � Also protects against other attacks The approach we use Glenn Wurster, Paul C. van Oorschot System Config Privilege 8/ 19 1. From Previous: Identifying what is an installer is hard 2. Alternative install approaches (manual, packages, track- ing) required identifying installers 3. Non-installers should not be allowed to configure the system 4. Want to limit dangerous configuration operations re- gardless 8

  9. Limiting all Applications Prevent modifications to system configuration 1 Create a new privilege, the configuration privilege Tied to the ability to modify system configuration Modifying system configuration Operations having a direct visible effect on configuration files or applications on disk Scripts Startup Files (OS and application related) Executable files Glenn Wurster, Paul C. van Oorschot System Config Privilege 9/ 19 1. Privilege required to modify system configuration • Files on disk 2. Identify configuration changes and limit them 3. Privilege required to modify configuration files on a system 9

  10. Limiting Configuration-Related Changes Enforcement points 1 Kernel enforcement Not the best fit 2 Proxy enforcement (Configuration Daemon - configd ) Our proposal - a single choke-point Ways to limit configuration operations 1 User input 2 What files are modified 3 How the files are modified 4 The previous contents of the modified files 5 . . . Access control on non-traditional properties. Glenn Wurster, Paul C. van Oorschot System Config Privilege 10/ 19 1. Kernel enforcement limits choices • Rootkit-resistant disks • Code-signing 2. Configd • A daemon which responds to configuration requests 3. User-input is intentionally broad • Traditional Keyboard/Display • USB Keys • Location Sensor • Biometrics 10

  11. The Crux This application requires configuration privileges in order to install. Please re-run this application after logging in with configuration privilege. 1 The privilege alone is insufficient Glenn Wurster, Paul C. van Oorschot System Config Privilege 11/ 19 1. Problem: • Developers pop up a dialogue box • Users follow the instructions • We’ve just shifted the problem. 2. Not sufficient to just create the privilege • Must specify how the privilege is used 3. Restrict in a way that developers can’t convince the naive user to run with elevated privileges. 11

  12. Preventing a Shell Game 1 Don’t let the user grant configuration privilege 2 Restrict configuration privilege to a single system daemon Enforce access-control protections in the daemon Glenn Wurster, Paul C. van Oorschot System Config Privilege 12/ 19 1. Reduce the effectiveness of social engineering 2. A single system daemon • Make it hard to get around 12

  13. How Much Complexity Should Be Exposed? Desired target audience: Non-technical users vs. Fine-grained access control solutions which require users to get involved with the fine grains usually fail due to usability issues. Glenn Wurster, Paul C. van Oorschot System Config Privilege 13/ 19 1. The collection of parts in a drill • More useful than the drill, but harder to use 2. Going past determining all the pieces we need 3. Involves determining how the pieces work together 4. Decrease the complexity exposed to the user 13

  14. Current Installer Frameworks Examples MSI, Debian, Redhat, Gentoo, InstallShield Glenn Wurster, Paul C. van Oorschot System Config Privilege 14/ 19 1. Installers can bypass most frameworks by talking di- rectly to the OS kernel • Including all frameworks I’m aware of 2. OS does not restrict activities • Installer is run as superuser 14

  15. configd Installer Framework Restrict operations allowed by the kernel Force all system modifications to go through the framework Glenn Wurster, Paul C. van Oorschot System Config Privilege 15/ 19 1. Applies to all applications 2. Interface with OS kernel is limited 3. Configd can reject requests for configuration changes 15

  16. Design of configd Coded modules currently include: 1 Verifying changes with the user 2 Rootkit-resistant disks (Butler et. al. CCS 2008) 3 Code-signing (Wurster et. al. HotSec 2007) Glenn Wurster, Paul C. van Oorschot System Config Privilege 16/ 19 1. Each Module: • Examines elements of system state • Rejects, Allows, or Postpones making a decision 2. Base Configd also responds to system events 3. Rejected requests do not not modify file-system state 4. Modules work together • e.g., Code-signing combined with Rootkit-resistant disks 5. Mix of modules is not right yet. 6. Experimenting with asking the user 7. Extensible to try out new ideas • Module list is not designed to be modifed at run- time 16

  17. Additional Design Details Kernel responsibilities 1 Suspend other programs when requested by configd 2 Prevent root from modifying configd 3 Restrict configure permission to configd configd responsibilities 1 Respond to configuration change requests 2 Queue up requests until a specific USB key is inserted 3 Perform allowed changes to system configuration 4 Notify the kernel what configuration-related files to protect Glenn Wurster, Paul C. van Oorschot System Config Privilege 17/ 19 1. Kernel: • Prevents others from getting configure permission • Protects the configd process • Protects configuration-related files 2. Configd: • Deals with requests for configuration changes • Notifies the kernel what files are configuration re- lated 3. Prevent race conditions by suspending other tasks 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Configuration 2 What system configuration does zsim simulate? Type and number of cores,

Configuration 2 What system configuration does zsim simulate? Type and number of cores,

MICRO 2015 Waikiki, Hawaii 5 Dec 2015 ZS IM T UTORIAL Configuration and Stats Configuration 2 What system configuration does zsim simulate? Type and number of cores, caches, how different components are connected to each other.

560 views • 22 slides
Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration management Configuration management Field of management that focuses on establishing and maintaining consistency of a systems attributes

647 views • 6 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
CS314 Software Engineering Configuration Management Dave Matthews Configuration Management

CS314 Software Engineering Configuration Management Dave Matthews Configuration Management

1/17/18 CS314 Software Engineering Configuration Management Dave Matthews Configuration Management Management of an evolving system in a controlled way. Version control tracks component changes as they happen. System Building

236 views • 8 slides
Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges Antonio

Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges Antonio

Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges Antonio Cocomazzi, Rome, September 27 th 2020 whoami System Engineer @ SentinelOne Passionate about IT security and constantly trying to learn and

893 views • 60 slides
Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration Local configuration Editing of Configuration Data (1) Keyhole approaches (2) Greenfield approaches (3) Templating Missing pieces Handle

831 views • 61 slides
Configuration Database Lana Abadie, LHCb week, May 25 Part I The configuration database

Configuration Database Lana Abadie, LHCb week, May 25 Part I The configuration database

Configuration Database Lana Abadie, LHCb week, May 25 Part I The configuration database DB Design Methodology (ex: the TFC system) TFC dataflow TFC system : use cases Entity relation model & Table design The

381 views • 18 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
Mutual Water Company Proposed System Upgrades & Financing Original System Configuration

Mutual Water Company Proposed System Upgrades & Financing Original System Configuration

Mutual Water Company Proposed System Upgrades & Financing Original System Configuration 300,000 gal 160,000 gal tank tank Booster Pump Station ~ 5.3 Miles of Pipeline Well 1 Well 2 History Approx 28,000 ft of asbestos fiber

340 views • 15 slides
T wo-State Spin System graph G =( V , E ) 2 states {0,1} configuration : V { 0 , 1 }

T wo-State Spin System graph G =( V , E ) 2 states {0,1} configuration : V { 0 , 1 }

Approximate Counting v ia Correlation Decay i n Spin Systems Yitong Yin Nanjing University Joint work with Liang Li ( Peking U ) and Pinyan Lu ( MSRA ) T wo-State Spin System graph G =( V , E ) 2 states {0,1} configuration : V { 0 , 1 }

891 views • 31 slides
Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 24-1 Overview What is a vulnerability? Penetration studies Flaw Hypothesis Methodology Other methodologies Vulnerability

1.76k views • 148 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Cryptography MELISSA CHASE, MSR Modern Cryptography the scientific study of techniques for

Cryptography MELISSA CHASE, MSR Modern Cryptography the scientific study of techniques for

Cryptography MELISSA CHASE, MSR Modern Cryptography the scientific study of techniques for securing digital information, transactions, and distributed computations Katz and Lindell 07 Authentication Verifiable elections

351 views • 20 slides
Post-quantum cryptography D. J. Bernstein University of Illinois at Chicago, Technische

Post-quantum cryptography D. J. Bernstein University of Illinois at Chicago, Technische

Post-quantum cryptography D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken systems Cryptographic algorithm

454 views • 13 slides
Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 7: 1 Security.di.unimi.it/sicurezza1516/ Chapter 7: Unix Security Chapter 7: 2 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix

667 views • 62 slides
AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp

AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp

AIST GRID CA Updates APGrid PMA meeting, Nov. 29, 2005 Yoshio Tanaka (yoshio.tanaka@aist.go.jp yoshio.tanaka@aist.go.jp) ) Yoshio Tanaka ( Grid Technology Research Center, Grid Technology Research Center, AIST, Japan Japan AIST, National

256 views • 13 slides
Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of

Advances in Programming Languages APL17: Safer C Programming with Cyclone Ian Stark School of Informatics The University of Edinburgh Monday 17 March 2008 Semester 2 Week 11 Coursework Statistics Total of 30 submissions, with all topics

554 views • 23 slides
Automating security policies From deployment to auditing with Rudder Jonathan CLARKE

Automating security policies From deployment to auditing with Rudder Jonathan CLARKE

Automating security policies From deployment to auditing with Rudder Jonathan CLARKE jcl@normation.com Normation CC-BY-SA normation.com Who am I ? Jonathan Clarke Job: Co-founder and CTO at Normation Line of work:

282 views • 24 slides

More recommend