
  1. CSE 543 - Computer Security
     Lecture 11 - OS Security
     October 2, 2007
     URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
     CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger, Page 1

  2. OS Security
     • A secure OS should provide the following mechanisms
       – Memory protection
       – File protection
       – General object protection
       – Access authentication
     • How do we go about designing a trusted OS?
     • “Trust” in this context means something different from “Secure”

  3. Trust vs. Security
     • When you get your medication at a pharmacy, you are “trusting” that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
       – The doctor was correct in prescribing this drug
       – The FDA vetted the drug through scientific analysis and clinical trials
       – No maniac has tampered with the bottle
     • The first two are matters of “trust”, and the last is a matter of “security”
     • An OS needs to perform similar due diligence to achieve “trust” and “security”

  4. Access Control Lists
     • ACL: a list of the principals that are authorized to have access to some object.
     • E.g., the ACL for object O2, shown as one column of the access matrix:

              O2
         S1   Y
         S2   Y
         S3   Y

     • Or more correctly:
         O1: S1
         O2: S1, S2, S3
         O3: S3
     • We are going to see a lot of examples of these throughout the semester.

  5. ACL in systems
     • ACLs are typically used to implement discretionary access control
     • For example: you define the UNIX file system ACLs using the chmod utility ….

  6. Discretionary Access Control in UNIX FS
     • The UNIX filesystem implements discretionary access control through file permissions set by the user
     • The set of objects is the files in the filesystem,
       – e.g., /etc/passwd
     • Each file has an owner and group (subjects)
       – The owner is typically the creator of the file, and the entity in control of the access control policy
       – Note: this can be overridden by the “root” user
     • There is an additional subject called world, which represents everyone else

  7. UNIX filesystem rights …
     • There are three rights in the UNIX filesystem
       – READ - allows the subject (process) to read the contents of the file.
       – WRITE - allows the subject (process) to alter the contents of the file.
       – EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)
     • Q: why is execute a right?
     • Q: does the right to read a program implicitly give you the right to execute it?

  8. The UNIX FS access policy
     • Really, this is a bit string encoding an access matrix
     • E.g.:

         Owner   Group   World
          rwx     rwx     rwx

     • And a policy is encoded as “r”, “w”, “x” if enabled, and “-” if not, e.g., rwxrw--x
     • Says user can read, write and execute, group can read and write, and world can execute only.

  9. Caveats: UNIX Filesystem
     • Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example)
       – The reasons for this are quite esoteric
     • The preceding policy may appear to be contradictory
       – A member of the group does not have execute rights, but members of the world do, so …
       – A user appears to be both allowed and prohibited from executing access
       – Not really: these policies are monotonic … the absence of a right does not mean they should not get access at all, just that that particular identity (e.g., group member, world) should not be given that right.

  10. Windows 2000 Security Model
     • Windows uses an ACL model too
       – But, its model is more general
     • Subjects
       – Tokens: Can describe users, groups, arbitrary privileges and retract privileges (restricted contexts)
     • Objects
       – Types: An extensible set of object types can be defined
     • Operations
       – General operations: Fixed set supported by all types
       – Per type operations: Operations with semantics specific to the type may be defined
     • Negative rights
     • Result: Any combination of rights can be described

  11. Tokens
     • Like the UID/GID in a UNIX process
       – User
       – Group
       – Aliases
       – Privileges (predefined sets of rights)
     • May be specific to a domain
     • Composed into global SID
     • Subsequent processes inherit access tokens
       – Different processes may have different rights
     CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger, Page 11

  12. Access Control Entries
     • DACL in the security descriptor of an object
       – List of access control entries (ACEs)
     • ACE structure (proposed by Swift et al)
       – Type (grant or deny)
       – Flags
       – Object Type: global UID for type (limit ACEs checked)
       – InheritedObjectType: complex inheritance
       – Access rights: access mask
       – Principal SID: principal the ACE applies to
     • Checking algorithm
       – ACE matches SID (user, group, alias, etc)
       – ACE denies access for specified right -- deny
       – ACE grants access for some rights -- need full coverage

  13. Access Checking with ACEs
     • Example

  14. Windows Vista Integrity
     • Integrity protection for writing
     • Defines a series of protection levels of increasing protection
       – untrusted (lowest)
       – low (Internet)
       – medium (user)
       – high (admin)
       – system
       – installer (highest)
     • Semantics: If the subject’s (process’s) integrity level dominates the object’s integrity level, then the write is allowed
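The ACE checking algorithm of slide 12 and the integrity write rule of slide 14, combined in one added example (not code from the lecture or from Windows): the DACL is walked in order, a matching deny on any requested right ends the check, grants accumulate until full coverage, and a write is refused outright when the subject's integrity level does not dominate the object's. The SID strings, mask bit values and the sample DACL are constructed for the example, not real Windows values.

```python
# Added example (not from the slides): the ACE walk from slide 12 combined with
# the Vista integrity write rule from slide 14. SIDs and mask bits are constructed.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 1, 2, 4
INTEGRITY_LEVELS = ["untrusted", "low", "medium", "high", "system", "installer"]

@dataclass
class ACE:
    ace_type: str   # "grant" or "deny"
    sid: str        # principal (user, group or alias SID) this ACE applies to
    mask: int       # access rights granted or denied

def dacl_check(token_sids, dacl, requested):
    """Walk the DACL in order, using only ACEs whose SID is in the token.
    A deny ACE covering any requested right denies at once; grant ACEs
    accumulate until the whole requested mask is covered; reaching the end
    without full coverage is a deny."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == "deny" and ace.mask & requested:
            return False
        if ace.ace_type == "grant":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False

def integrity_allows_write(subject_level, object_level):
    """Write allowed only if the subject's level dominates the object's."""
    return INTEGRITY_LEVELS.index(subject_level) >= INTEGRITY_LEVELS.index(object_level)

def access_check(token_sids, subject_level, dacl, object_level, requested):
    """The integrity rule is mandatory: a write that fails it is refused
    regardless of what the discretionary DACL says."""
    if requested & WRITE and not integrity_allows_write(subject_level, object_level):
        return False
    return dacl_check(token_sids, dacl, requested)

# Constructed sample DACL: the deny for the 'guests' alias comes first, so a
# guest who is also in 'everyone' never reaches the read grant below it.
SAMPLE_DACL = [
    ACE("deny", "S-guests", READ | WRITE),
    ACE("grant", "S-alice", READ | WRITE | EXECUTE),
    ACE("grant", "S-everyone", READ),
]
```

Note that ACE order matters: moving the deny ACE below the grant for 'everyone' would let a guest reach full coverage for READ before the deny is ever consulted.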

  15. Vista Integrity
     • Does Vista Integrity protect the integrity of J’s public key file O2?

              O1    O2    O3
         J    R     RW    RW
         S2   N     R     RW
         S3   N     R     RW

  16. UID Transition: Setuid
     • A special bit in the mode bits
     • Execute file
       – Resulting process has the effective (and fs) UID/GID of file owner
     • Enables a user to escalate privilege
       – For executing a trusted service
     • Downside: User defines execution environment
       – e.g., Environment variables, input arguments, open descriptors, etc.
     • Service must protect itself or user can gain root access
     • All UNIX services involve root processes -- many via setuid

  17. /tmp Vulnerability
     • creat(pathname, mode)
     • O_EXCL flag
       – if file already exists this is an error
     • Potential attack
       – Attacker creates file in shared space (/tmp)
       – Give it a filename used by a higher authority service
       – Make sure that service has permission to the file
       – If creat is used without O_EXCL, then can share the file with the higher authority process
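The creat-without-O_EXCL defect beside its hardened form, as an added example (not code from the lecture): both opens run against a throwaway directory that stands in for /tmp, where a file has already been placed under the name the service expects to create. The directory, file name and contents are constructed for the example.

```python
# Added example (not from the slides): creat(2)-style open beside the O_EXCL
# form, run in a throwaway directory that stands in for /tmp.
import os
import tempfile

def creat_like(path, mode=0o600):
    """creat(2) semantics: O_CREAT|O_TRUNC without O_EXCL. If something already
    exists at the path it is silently opened and truncated, so the caller ends up
    sharing whatever file was placed there by whoever created it."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)

def create_exclusive(path, mode=0o600):
    """Hardened form: with O_EXCL the create is atomic and fails with EEXIST if
    anything already sits at the path, including a symbolic link (even a
    dangling one)."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)

def demo(shared_dir):
    """Constructed scenario: a file already exists under the name the service
    expects to create. Returns (creat_reused_existing, exclusive_refused)."""
    target = os.path.join(shared_dir, "service.lock")
    with open(target, "w") as f:            # pre-placed file at the target name
        f.write("pre-existing\n")
    before = os.stat(target).st_ino
    fd = creat_like(target)
    reused = os.fstat(fd).st_ino == before  # same inode: the file is now shared
    os.close(fd)
    try:
        os.close(create_exclusive(target))
        refused = False
    except FileExistsError:                 # EEXIST from the O_EXCL open
        refused = True
    return reused, refused

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)

if __name__ == "__main__":
    print(run_demo())  # (True, True)
```

Python's tempfile.mkstemp() applies the same O_EXCL flag internally, which is why it is the usual way to get a fresh file in a shared directory.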

  18. Other Vulnerabilities
     • Objects w/o sufficient control
       – Windows registry, network
     • Libraries
       – Load order permits malware defined libraries
     • Executables are everywhere
       – Web content, Email, Documents (Word)
     • Labeling is wrong
       – Mount a new file system; device
     • Malware can modify your permissions
       – Inherent to discretionary model

  19. Sandboxing
     • An execution environment for programs that contains a limited set of rights
       – A subset of your permissions (meet secrecy and integrity goals)
       – Cannot be changed by the running program (mandatory)

  20. UNIX Chroot
     • Create a domain in which a process is confined
       – Process can only read/write within file system subtree
       – Applies to all descendant processes
       – Can carry file descriptors in ‘chroot jail’

  21. Chroot Vulnerability
     • Unfortunately, chroot can trick its own system
       – define a passwd file at <newroot>/etc/passwd
       – run su
         • su thinks that this is the real passwd file
         • gives root access
       – Use mknod to create device file to access physical memory
     • Setup requires great care
       – Never run chroot process as root
       – Must not be able to get root privileges
       – No control by chrooted process (user) of contents in jail
       – Be careful about descriptors, open sockets, IPC that may be available

  22. Janus
     • One of several sandboxing systems developed in the mid-to-late 90s
     • Operating system access control is too coarse
       – Run everything as user or root (too many perms)
       – Can modify permissions (add more)
       – UNIX is not very expressive (cannot specify minimal rights)
