

Slide 1: Operating System Security

Why secure the OS?
• It works directly on the hardware, but can still be adapted at runtime.
• Data and processes are directly visible to it.
• Application security can be circumvented from lower layers.
=> The OS is a good scope for security, because hardware is too narrow and inflexible, while application and network security are too broad.

The basis of protection: separation
• Physical separation: processes use different physical devices.
• Temporal separation: processes with different security demands execute at different times.
• Logical separation: processes and objects are logically separated so that they are not aware of each other.
• Cryptographic separation: data and computation are concealed from the outside by cryptography.

Privilege levels in 80x86 processors
• Procedures can access objects only in their own ring or in outer (less privileged) rings.
• Procedures can invoke subroutines only in their own ring.
• (Figure: ring diagram, innermost rings labelled OS function, I/O, ...)

Privilege levels: a problem
• Outer-ring procedures need to execute procedures in an inner ring, e.g. an application (ring 3) wants to save a file, which only OS code in ring 0 may do.
• Solution: a gate (a well-defined access path) allows the call (execute only) of inner-ring procedures.
• To prevent abuse (the outer ring asking the inner ring to hand over an object the outer ring may not access itself), both the current privilege level (CPL) and the privilege level requested by the caller's selector (RPL) need to be verified.
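The gate and the CPL/RPL check above, as an added example that is not part of the slides: a Python simulator of the 80x86 segment-privilege rules (numerically lower ring = more privileged, data access needs max(CPL, RPL) <= DPL, a call gate needs CPL and RPL <= gate DPL and a target DPL <= CPL). The ring numbers and selector values are made-up test data, and the "kernel service" is a hypothetical function standing in for the ring-0 file-save routine on the slide.

```python
# Added example: x86 segment-privilege checks as a small simulator.
# Ring 0 is most privileged; a numerically larger ring is less privileged.
# CPL = current privilege level of the running code, RPL = requested privilege
# level carried in a segment selector, DPL = descriptor privilege level of the
# target segment or gate. All level values used below are made-up test data.

def data_access_allowed(cpl: int, rpl: int, seg_dpl: int) -> bool:
    """Loading a data-segment selector: the segment must lie in the same or an
    outer ring relative to BOTH the running code (CPL) and the selector's RPL."""
    return max(cpl, rpl) <= seg_dpl


def call_gate_allowed(cpl: int, rpl: int, gate_dpl: int, target_dpl: int) -> bool:
    """Calling an inner-ring procedure through a call gate (execute only):
    the gate must be reachable from CPL and RPL, and the target code segment
    must be at the same or a more privileged ring than the caller."""
    return cpl <= gate_dpl and rpl <= gate_dpl and target_dpl <= cpl


def arpl(selector_rpl: int, caller_cpl: int) -> int:
    """Adjust RPL (what the ARPL instruction does): a selector handed in by a
    caller may never claim more privilege than the caller itself has."""
    return max(selector_rpl, caller_cpl)


def kernel_copy_for_user(caller_cpl: int, selector_rpl: int, seg_dpl: int,
                         adjust_rpl: bool = True) -> bool:
    """Hypothetical ring-0 service, entered via a gate, that reads a segment on
    the caller's behalf. With adjust_rpl=False it checks only its own CPL and is
    tricked into reading ring-0 data for a ring-3 caller (the abuse on the slide)."""
    rpl = arpl(selector_rpl, caller_cpl) if adjust_rpl else selector_rpl
    return data_access_allowed(0, rpl, seg_dpl)


if __name__ == "__main__":
    # application in ring 3 reaching the ring-0 "save file" service via a gate
    print(call_gate_allowed(3, 3, 3, 0))            # True: gate with DPL 3 is reachable
    print(call_gate_allowed(3, 3, 0, 0))            # False: gate with DPL 0 is not reachable from ring 3
    # the ring-3 caller passes a forged selector with RPL 0 naming ring-0 data
    print(kernel_copy_for_user(3, 0, 0, adjust_rpl=False))  # True: confused deputy
    print(kernel_copy_for_user(3, 0, 0))                    # False: ARPL raised RPL to 3
```

The last two calls are the point of the slide: the kernel's own CPL is 0, so checking only CPL lets a ring-3 caller smuggle a ring-0 data selector through the gate; folding the caller's ring into the RPL first closes the hole.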

Reference Monitor
• Reference monitors control access to objects.
• Physical: memory management. Logical: file management.

Slide 2: Simple memory protection

Tagged architecture
• Each memory segment carries a tag which indicates either the memory type (which implies the allowed operations) or explicitly the allowed operations.
• A tagged architecture can have a high granularity.
• Compatibility of code suffers.
• (Figure: the same words once with type tags and once with explicit permission tags)

  type tag   word      permission tag   word
  STR        Result    R                Result
  OP         AND       X                AND
  INT        12        RW               12
  INT        124       R                123

Fences
• A fence is a predefined address which separates one process from another (e.g. the OS and the user space).
• Base and boundary registers are a variable type of fence: the base defines a starting address, the boundary an upper address limit.
• Different base/boundary pairs for different spaces can exist.

Segmentation
• Higher granularity than fences, because it refers to items (data, code).
• This implies variable length, which makes boundary checks problematic.
• Each address reference can be checked for protection.
• Different protection levels can be assigned to objects.
• Shared objects can have different protection levels for the involved parties.

Paging
• Same granularity as segmentation, but pages are of fixed size.
• The fixed page size enables more efficient boundary checks.
• Associating a protection level with an object does not work, because pages cannot be associated with a specific object.
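The three schemes above as an added Python example (not from the slides): a base/boundary fence, a segment table with per-object permissions, and a page table with per-page permissions. All addresses, lengths and permission strings are made-up test data; the last function reproduces the paging limitation on the slide by putting a read-only table and a writable buffer into the same page.

```python
# Added example: fence, segmentation and paging checks as a small simulator.
# Addresses, lengths and permission strings are made-up test data.

class ProtectionFault(Exception):
    """Raised when an access violates the protection scheme (a trap in hardware)."""


def fence_check(addr, base, bound):
    """Base/boundary fence: every address of the process must satisfy base <= addr < bound."""
    if not base <= addr < bound:
        raise ProtectionFault(f"address {addr:#x} outside [{base:#x}, {bound:#x})")
    return addr


def segment_access(seg_table, seg, offset, op):
    """Segmentation: seg_table maps a segment name to (base, length, perms).
    The bound check uses the segment's own (variable) length, and the permission
    is attached to the object itself. op is one of 'r', 'w', 'x'."""
    base, length, perms = seg_table[seg]
    if offset >= length:
        raise ProtectionFault(f"offset {offset} beyond end of segment {seg!r} (length {length})")
    if op not in perms:
        raise ProtectionFault(f"{op!r} not permitted on segment {seg!r} (perms {perms!r})")
    return base + offset


PAGE_SIZE = 4096


def page_access(page_table, vaddr, op):
    """Paging: page_table maps a virtual page number to (frame, perms).
    The fixed page size turns the bound check into a shift and a mask; the
    permission belongs to the page, whatever objects happen to live in it."""
    vpn, offset = divmod(vaddr, PAGE_SIZE)
    if vpn not in page_table:
        raise ProtectionFault(f"virtual page {vpn} is not mapped")
    frame, perms = page_table[vpn]
    if op not in perms:
        raise ProtectionFault(f"{op!r} not permitted on page {vpn} (perms {perms!r})")
    return frame * PAGE_SIZE + offset


def access_completes(func, *args):
    """True if the access goes through, False if the scheme traps."""
    try:
        func(*args)
        return True
    except ProtectionFault:
        return False


def page_granularity_demo():
    """A read-only table and a writable buffer placed next to each other in one
    4 KiB page. Segmentation keeps the table read-only; paging must map the whole
    page read-write for the buffer, so the table becomes writable as well."""
    seg_table = {"table": (0x1000, 256, "r"), "buffer": (0x1100, 256, "rw")}
    page_table = {1: (7, "rw")}  # both objects lie in virtual page 1 (0x1000-0x1fff)
    seg_can_write_table = access_completes(segment_access, seg_table, "table", 0, "w")
    page_can_write_table = access_completes(page_access, page_table, 0x1000, "w")
    return seg_can_write_table, page_can_write_table


if __name__ == "__main__":
    print(page_granularity_demo())  # (False, True)
```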

File Access
• Explicit: the access rights are explicitly defined, e.g. ACL or access control matrix.
• Implicit: the access rights are bound to some knowledge, and whoever possesses the knowledge gets access, e.g. cryptography.
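An added Python example (not from the slides) covering the reference monitor from slide 1 and both kinds of file access above: an access control matrix with the ACL (per object) and capability list (per subject) views derived from it and a default-deny reference-monitor check against it (explicit), and a keyed token whose possession grants access (implicit). The token uses an HMAC from the standard library as one concrete instance of the slide's "cryptography"; subjects, objects, rights and the key are made up.

```python
import hashlib
import hmac

# Added example. Subjects, objects, rights and the key are made-up test data.

# Access control matrix: one cell per (subject, object), holding a set of rights.
MATRIX = {
    ("alice", "payroll.db"): {"r", "w"},
    ("bob", "payroll.db"): {"r"},
    ("bob", "report.txt"): {"r", "w"},
}


def acl(matrix, obj):
    """Column view: the access control list stored with the object."""
    return {s: set(rights) for (s, o), rights in matrix.items() if o == obj}


def capabilities(matrix, subject):
    """Row view: the capability list held by the subject."""
    return {o: set(rights) for (s, o), rights in matrix.items() if s == subject}


def reference_monitor(matrix, subject, obj, right):
    """Explicit access: every request is checked against the matrix (default deny)."""
    return right in matrix.get((subject, obj), set())


def issue_token(key, subject, obj, right):
    """Implicit access: a token naming the right, MACed with a secret key.
    Whoever presents a valid token gets access; nobody can forge one without the key."""
    claim = f"{subject}:{obj}:{right}".encode()
    tag = hmac.new(key, claim, hashlib.sha256).hexdigest()
    return claim.decode() + ":" + tag


def token_grants(key, token, obj, right):
    """Verify the MAC in constant time, then check that the token names this object and right."""
    try:
        subject, tok_obj, tok_right, tag = token.split(":")
    except ValueError:
        return False
    claim = f"{subject}:{tok_obj}:{tok_right}".encode()
    expected = hmac.new(key, claim, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return tok_obj == obj and tok_right == right


if __name__ == "__main__":
    key = b"made-up-monitor-key"
    print(acl(MATRIX, "payroll.db"))
    print(capabilities(MATRIX, "bob"))
    print(reference_monitor(MATRIX, "bob", "payroll.db", "w"))               # False
    tok = issue_token(key, "bob", "report.txt", "r")
    print(token_grants(key, tok, "report.txt", "r"))                         # True
    print(token_grants(key, tok.replace(":r:", ":w:"), "report.txt", "w"))  # False: MAC no longer matches
```

The two halves fail differently: the explicit check fails closed for any subject the matrix has never heard of, while the token check is only as strong as the secrecy of the key and the integrity of the MAC, which is why a tampered token (the right changed from r to w) is rejected.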

User Management
• User: a subject with access rights.
• Default users. Unix: root (UID 0), daemon, bin, ... Windows: Administrator, Guest, SUPPORT, ...
• Groups: a means to organize users and add granularity. Unix: system (GID 0), terminal, ... Windows: Users, Power Users, Administrators, ...

Slide 3: Root in UNIX/Linux
• Become root only when absolutely necessary.
• Allow root access only through su or sudo.
• Allow remote root access only via SSH and sudo.
• Think twice before executing a command as root, and use absolute path names.
• Do not use "/" as root's home directory.
• Restrict the PATH so that it contains only a minimum number of entries.

Object management
• Example ls -l entry:
  -rwxr-xr-x 1 AZ root 10 Apr 15 21:21 file
• An s instead of x in the owner or group position means that the owner's/group's rights, and not the invoking user's rights, are used (setuid/setgid).
• A t on a directory means sticky, and prevents users other than the file's owner (or root) from deleting files in that directory.
• ACLs for Linux are available from http://acl.bestbits.at/

Setting of rights during object creation
• Linux: the initial permission is requested by the program; the kernel then ANDs in the complement of the umask (mode AND NOT umask).
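The mode letters and the umask rule above, as an added Python example that is not part of the slides: it decodes the 10-character mode field of ls -l (including s/S and t/T) into permission bits, applies the umask the way the slide describes, and lists what a permission audit flags first. The mode strings and umask values are made-up test data.

```python
import stat

# Added example: decoding ls -l mode strings and applying a umask.
# Mode strings and umask values below are made-up test data.

# (read bit, write bit, execute bit, special bit, letter with execute, letter without execute)
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
)


def parse_mode(ls_field):
    """Turn the 10-character mode field of `ls -l` (e.g. '-rwsr-xr-x') into permission bits."""
    if len(ls_field) != 10:
        raise ValueError(f"expected 10 characters, got {ls_field!r}")
    perms = ls_field[1:]  # the first character is the file type
    mode = 0
    for i, (r, w, x, special, with_x, without_x) in enumerate(_TRIPLETS):
        rc, wc, xc = perms[3 * i:3 * i + 3]
        if rc == "r":
            mode |= r
        if wc == "w":
            mode |= w
        if xc == "x":
            mode |= x
        elif xc == with_x:       # 's' / 't': special bit AND execute
            mode |= x | special
        elif xc == without_x:    # 'S' / 'T': special bit without execute
            mode |= special
    return mode


def creation_mode(requested, umask):
    """Linux rule from the slide: the program requests a mode, the kernel ANDs in the complement of the umask."""
    return requested & ~umask & 0o7777


def risky_bits(mode):
    """What a reviewer looks for first in a permission audit."""
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid: runs with the owner's rights")
    if mode & stat.S_ISGID:
        findings.append("setgid: runs with the group's rights")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit")
    return findings


if __name__ == "__main__":
    print(oct(parse_mode("-rwsr-xr-x")))      # 0o4755
    print(risky_bits(parse_mode("-rwsr-xr-x")))
    print(oct(creation_mode(0o666, 0o022)))    # 0o644
```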

• Windows solves this by inheritance: container objects (directories) pass their ACL rights to their children (files or directories).
• This inheritance can be blocked, and explicit rights can be defined.
• Inherited ACL entries cannot be edited (they are grayed out).

Windows Security
Windows 2000, Windows XP and Windows Server 2003; http://www.microsoft.com/technet/default.mspx

Registry
• The registry contains a lot of security-critical information: the operating system's security configuration, user accounts and passwords.
• Security activities with and for the registry: set security-relevant keys (e.g. disable an insecure hash) with regedit.exe; protect registry entries with access control rights.

Active Directory
• Windows networks use Active Directory to manage identities and broker relationships between distributed resources.
• In AD a two-way transitive trust between the domains is assumed by default.
Slide 4: Active Directory
• The domain model (each domain contains users, groups and machines) forms a tree of domains.
• Additionally, users, groups and computers can be organized in Organizational Units (OU).
• (Figure: Domain A (root) with child domains Domain B and Domain C)

Domain/Group Policies
• Policies are used to regulate security.
• Domain/group policies regulate one domain/group.
• Inheritance can be controlled.
• A local computer policy exists as well.
• A resultant set of policies is built from all of them.

Security Administration: Encrypted File System (EFS)
• EFS can encrypt/decrypt files transparently (command line, Explorer and backup support) when using the NTFS file system.
• How it works:
  • The file/directory is encrypted symmetrically (AES in Windows Server 2003 and XP SP1, DESX in the original Windows XP) with a "file encryption key" (FEK).
  • The FEK is encrypted with the user's public key and, if enabled, with the recovery keys.
  • The list of encrypted FEKs is attached to the file.

Event Monitoring
• The Event Log service monitors the system.
• Policies configure what is monitored.
• The Event Viewer shows the events.

Security tools for Windows
• Management Console (MMC): see earlier.
• Microsoft Baseline Security Analyzer (MBSA): example in the lecture.

Slide 5: Linux Security
Linux kernel 2.4.x and 2.6.x

Generic
• Do not install packages you do not need.
• Verify the hash value of the package/files.
• Do not start services and daemons you do not need.
• If you want more security in Linux, you can use additional tools.

System start-up
• Lock the BIOS.
• Lock LILO (GRUB): set the permissions on lilo.conf and require a password when booting into single-user mode (which puts the user into a root shell).
• Check the start scripts to see which services are started at which run levels.

Shadow file
• Passwords used to be stored in /etc/passwd:
  root:toarjakdfnjasdjf:0:0:root:/root:/bin/bash
• The passwords are hashed, but that is not enough, because the file is readable by everyone.
• Solution: /etc/shadow, which can be read only by root and supports password ageing.
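An added Python example, not from the slides, that audits passwd and shadow entries for exactly the weaknesses this slide motivates: a hash left in the world-readable /etc/passwd, a second UID-0 account, an empty shadow hash (login without a password), an MD5-crypt hash, and accounts without password ageing. The account lines and hashes are constructed test data, not real system files.

```python
# Added example: auditing constructed /etc/passwd and /etc/shadow lines.
# All accounts and hash strings below are made up.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
legacy:$1$saltsalt$notarealhash0000000000:1001:1001:old user:/home/legacy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$notarealhash1111111111:19000:0:90:7:::
toor::19000:0:99999:7:::
alice:$6$saltsalt$notarealhash2222222222:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:$1$saltsalt$notarealhash3333333333:19000:0:90:7:::
"""


def audit_passwd(text):
    """Flag UID-0 accounts other than root and password hashes left in /etc/passwd
    (world-readable, so offline-crackable by every local user)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account besides root"))
        if pw not in ("x", "*", "!", ""):
            findings.append((name, "hash stored in world-readable passwd"))
        if pw == "":
            findings.append((name, "empty password field in passwd"))
    return findings


def audit_shadow(text, max_age_limit=365):
    """Flag empty hashes (login without password), MD5-crypt hashes, and accounts
    without password ageing. Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg, mindays, maxdays, warn, inactive, expire, _ = line.split(":")
        locked = pw.startswith(("*", "!"))   # no password login possible at all
        if pw == "":
            findings.append((name, "empty hash: login without password"))
        elif not locked and pw.startswith("$1$"):
            findings.append((name, "MD5-crypt hash ($1$)"))
        if not locked and (maxdays == "" or int(maxdays) > max_age_limit):
            findings.append((name, "no password ageing (max days too large)"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_passwd(PASSWD) + audit_shadow(SHADOW):
        print(f"{user}: {issue}")
```

On a real host the same functions can be fed the contents of /etc/passwd and (as root) /etc/shadow; the shadow file must stay mode 0640 or stricter, or the separation the slide describes is lost again.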

syslog – system logging utility
PAM – Pluggable Authentication Modules; more info: www.kernel.org/linux/libs/pam/

Slide 6: PAM.d
• A file for each PAM-aware application.
• File entry: module type, control flag, module path, arguments.
• Module types:
  • auth: prompts the user for identification
  • account: checks aspects of the user's account
  • session: provides functions before and after session establishment (e.g. environment, ...)
  • password: responsible for updating the user's authentication token

Control flags
• required: must return success; execution continues, but the stack fails at the end.
• requisite: must return success; failure stops execution immediately.
• optional: not required; it determines the result only if it is the only module.
• sufficient: if it succeeds, all remaining modules are ignored (unless an earlier required module has already failed).
• [value1=action1 ...]: extended control flag for more control.

Arguments
• A number of arguments regulate the reporting behaviour (syslog and application).

PAM example
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
auth     required   /lib/security/pam_nologin.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_console.so
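The control-flag rules and the example stack above, as an added Python example that is not part of the slides and not PAM itself: it parses pam.d-style lines (the auth, account and session lines of the example) and simulates how required, requisite, sufficient and optional combine the modules' results according to Linux-PAM's semantics. No real modules are loaded; each module's outcome for a given login attempt is supplied by hand in a dictionary, which is made-up test data.

```python
# Added example: parsing a pam.d file and simulating the control flags.
# Module outcomes are supplied by hand; no PAM module is actually loaded.

PAM_FILE = """\
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
auth     required   /lib/security/pam_nologin.so
account  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_console.so
"""


def parse_pam(text):
    """Each entry: (module type, control flag, module name, arguments)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, flag, path, *args = line.split()
        name = path.rsplit("/", 1)[-1]
        if name.endswith(".so"):
            name = name[:-3]
        entries.append((mtype, flag, name, args))
    return entries


def run_stack(entries, mtype, outcomes):
    """Evaluate one module type's stack. outcomes maps module name -> True/False
    (what that module would return for this attempt).
    required:   failure is remembered, later modules still run
    requisite:  failure ends the stack at once
    sufficient: success ends the stack with success unless a required module
                already failed; its own failure is ignored
    optional:   decides only when no other module produced a result"""
    required_failed = False
    decided = False
    optional_result = None
    for t, flag, module, _args in entries:
        if t != mtype:
            continue
        ok = outcomes[module]
        if flag == "requisite":
            if not ok:
                return False
            decided = True
        elif flag == "required":
            if ok:
                decided = True
            else:
                required_failed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        elif flag == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unsupported control flag {flag!r}")
    if required_failed:
        return False
    if decided:
        return True
    return bool(optional_result)


def login_scenarios():
    """Three auth attempts against the slide's stack (outcomes are made up)."""
    entries = parse_pam(PAM_FILE)
    base = {"pam_securetty": True, "pam_env": True, "pam_unix": True,
            "pam_deny": False, "pam_nologin": True}
    good = run_stack(entries, "auth", base)                                   # True
    bad_password = run_stack(entries, "auth", {**base, "pam_unix": False})   # False: pam_deny is reached
    root_on_bad_tty = run_stack(entries, "auth", {**base, "pam_securetty": False})  # False
    return good, bad_password, root_on_bad_tty


if __name__ == "__main__":
    print(login_scenarios())  # (True, False, False)
```

The third scenario is the one worth remembering: pam_securetty is required, so even a correct password (pam_unix succeeds) cannot rescue the attempt, because a sufficient module only short-circuits when no required module has failed before it. And once pam_unix fails, the required pam_deny guarantees failure; pam_nologin after it still runs but can no longer change the outcome.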

Security tools for Linux
• Bastille: tool to investigate the system's weaknesses and harden Linux.
• Tripwire: assuring system consistency with checksums.
• CRACK: password cracking program for Linux.
• SARA: vulnerability testing (not only for Linux).
• Nessus: another scanner, for which you can also write your own attack scripts.
• ...

Trusted operating systems: requirements
• Mechanisms: strong authentication; MAC or RBAC; controlled and monitored invocation of processes; virtualization.
• Assurance.

Slide 7: Trusted Solaris
Based on standard Solaris, Sun Microsystems, http://wwws.sun.com/software/solaris/trustedsolaris/ds-ts8/index.html

Security Features I
• PAM; authorizations.
• Least privilege is enforced; MAC and RBAC support (in addition to DAC).
• Rights profiles: a database of functionally related procedures which can only be called with specific commands and require pre-defined security attributes.
• Labels: define the required trust to access a resource. For each resource a sensitivity level is defined; each subject gets an upper and a lower clearance level assigned. Access is granted when a match occurs.

Security Features II
• Secure desktop, based on X11.
• Trusted path: when security-sensitive tasks are conducted, the source path is verified.
• Selection confirmation: during cut and paste the security level of the copied data is verified, and the user (if s/he has the right) can up-/downgrade the level of the copied data.
• Trusted networking and interconnectivity: NFS features MAC and DAC; labeled printing: before printing, the security level is verified against the receiving printer (and possibly the user).

Assurance: CC certification of Trusted Solaris 8.0
• Protection profiles: Labeled Security (LSPP), Role Based Access Control (RBACPP), Controlled Access (CAPP), plus Trusted Desktop and Trusted Networking.
• Assurance level EAL4+.

Security-Enhanced Linux
Open-source secure Linux, sponsored by the NSA, http://www.nsa.gov/selinux/

Some facts
• SELinux builds on standard Linux and enhances it mainly by MAC.
• The architecture comes from DTMach, DTOS and Flask.
• Compatibility: application compatibility is promised; kernel-module compatibility is promised.
• Default policies are provided which require (minimal) modifications.
• SELinux is not a trusted OS, because functionality and auditing are lacking!

Slide 8: Features
• Type-enforcement access control (MAC) and RBAC.
• Includes a policy tool that is independent of the different policy languages.
• Additional documentation for: native PAM integration; NFS fine-grained control; limited secure X Window system; network security by full IPv6 support.

Books
• Linux System Security – Mann, Mitchell, Krell, Prentice Hall, ISBN 0-13-047011
• Windows XP Professional Security – Weber, Bahadur, McGraw-Hill/Osborne, ISBN 0-07-222602-1
• Windows Server 2003 Security Infrastructures – DeClercq, Elsevier, ISBN 1-55558-283-4

Questions?