CSE543 - Introduction to Computer and Network Security
Module: Operating System Security
Professor Patrick McDaniel
Fall 2008
OS Security
• A secure OS should provide (at least) the following mechanisms
‣ Memory protection
‣ File protection
‣ General object protection
‣ Access authentication
• How do we go about designing a trusted OS?
• “Trust” in this context means something different from “Secure”
Trust vs. Security
• When you get your medication at a pharmacy, you are “trusting” that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
‣ The doctor was correct in prescribing this drug
‣ The FDA vetted the drug through scientific analysis and clinical trials
‣ No maniac has tampered with the bottle
• The first two are matters of “trust”, and the last is a matter of “security”
• An OS needs to perform similar due diligence to achieve “trust” and “security”
Access Control Lists
• ACL: a list of the principals that are authorized to have access to some object.
• Or more correctly:
• E.g.,
‣ O1: S1
‣ O2: S1, S2, S3
‣ O3: S3
  (the ACL for O2 is one column of the access matrix)
       O2
  S1   Y
  S2   Y
  S3   Y
• We are going to see a lot of examples of these throughout the semester.
ACL in systems
• ACLs are typically used to implement discretionary access control
• For example: you define the UNIX file system ACLs using the chmod utility ….
Discretionary Access
• The UNIX filesystem implements discretionary access control through file permissions set by the user
• The set of objects is the files in the filesystem, e.g., /etc/passwd
• Each file has an owner and group (subjects)
‣ The owner is typically the creator of the file, and the entity in control of the access control policy
‣ Note: this can be overridden by the “root” user
• There is an additional subject called world, which represents everyone else
UNIX filesystem rights …
• There are three rights in the UNIX filesystem
‣ READ - allows the subject (process) to read the contents of the file.
‣ WRITE - allows the subject (process) to alter the contents of the file.
‣ EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)
• Q: why is execute a right?
• Q: does the right to read a program implicitly give you
The UNIX FS access policy
• Really, this is a bit string encoding an access matrix
• E.g.,
  Owner  Group  World
   rwx    rwx    rwx
• And a policy is encoded as “r”, “w”, “x” if enabled, and “-” if not, e.g., rwxrw---x
• Says user can read, write and execute, group can read and write, and world can execute only.
Caveats: UNIX Filesystem
• Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example)
‣ The reasons for this are quite esoteric
• The preceding policy may appear to be contradictory
‣ A member of the group does not have execute rights, but members of the world do, so …
‣ A user appears to be both allowed and prohibited from executing access
‣ Not really: these policies are monotonic … the absence of a right does not mean they should not get access at all, just that that particular identity (e.g., group member, world) should not be given that right.
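The encoding on the preceding two slides, as an added example that is not part of the lecture: a decoder for the nine-character mode string into the owner/group/world access matrix, plus an access check that applies the kernel's rule of consulting exactly one class (owner if the uid matches, else group if the file's gid is among the caller's groups, else world), which is why a group member under rwxrw---x does not get execute even though world does. The uid and gid values are constructed.

```python
"""Decode a UNIX mode string such as "rwxrw---x" into the owner/group/world
access matrix and evaluate an access request against it.
Added example; the mode string and uid/gid values are constructed."""

CLASSES = ("owner", "group", "world")
RIGHTS = ("r", "w", "x")


def decode_mode(mode: str) -> dict:
    """Return {class: set(rights)} for a 9-character mode string."""
    if len(mode) != 9:
        raise ValueError("expected 9 mode characters, e.g. rwxrw---x")
    matrix = {}
    for i, cls in enumerate(CLASSES):
        triple = mode[3 * i:3 * i + 3]
        granted = set()
        for ch, right in zip(triple, RIGHTS):
            if ch == right:
                granted.add(right)
            elif ch != "-":
                raise ValueError(f"bad mode character {ch!r} in {mode!r}")
        matrix[cls] = granted
    return matrix


def subject_class(uid, gids, owner_uid, owner_gid):
    """Select the single class the kernel applies: owner, else group, else world.
    The classes are not unioned, so a group member never picks up world bits."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "world"


def allowed(mode, uid, gids, owner_uid, owner_gid, right):
    """True if the caller (uid, set of gids) holds `right` on a file with the
    given mode string, owner uid and owner gid."""
    cls = subject_class(uid, gids, owner_uid, owner_gid)
    return right in decode_mode(mode)[cls]


if __name__ == "__main__":
    # Constructed: file owned by uid 1000 / gid 100, policy from the slide.
    for who, uid, gids in (("owner", 1000, {100}), ("group", 1001, {100}), ("world", 1002, {200})):
        print(who, {r: allowed("rwxrw---x", uid, gids, 1000, 100, r) for r in RIGHTS})
```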
Tokens
• Like the UID/GID in a UNIX process
‣ User
‣ Group
‣ Aliases
‣ Privileges (predefined sets of rights)
• May be specific to a domain
• Composed into global SID
• Subsequent processes inherit access tokens
‣ Different processes may have different rights
Access Control Entries
• DACL in the security descriptor of an object
‣ List of access control entries (ACEs)
• ACE structure (proposed by Swift et al)
‣ Type (grant or deny)
‣ Flags
‣ Object Type: global UID for type (limit ACEs checked)
‣ InheritedObjectType: complex inheritance
‣ Access rights: access mask
‣ Principal SID: principal the ACE applies to
• Checking algorithm
‣ ACE matches SID (user, group, alias, etc)
‣ ACE denies access for specified right -- deny
‣ ACE grants access for some rights -- need full coverage
Access Checking with ACEs
• Example
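A worked instance of the checking algorithm from the previous slide, added here as an example rather than the lecture's own figure: the DACL is walked in order, a matching deny ACE on any still-uncovered requested right fails the request, and matching allow ACEs accumulate rights until the whole requested mask is covered (no coverage at the end means deny). The SIDs and the mask bit values are constructed, not the real Windows constants.

```python
"""Evaluate an ordered DACL of ACEs against an access request.
Added example; SIDs, rights bits and the ACE list are constructed."""
from dataclasses import dataclass

# Constructed access-mask bits (not the real Windows values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # principal the ACE applies to (user, group or alias SID)
    mask: int   # access rights the ACE grants or denies


def access_check(dacl, token_sids, requested):
    """Walk the DACL once. A deny ACE matching the token that covers any
    outstanding requested right fails the request; allow ACEs remove the
    rights they grant from the outstanding set. Success requires full
    coverage, and an empty or non-covering DACL denies."""
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE does not match this token
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # explicit deny on an uncovered right
        elif ace.kind == "allow":
            remaining &= ~ace.mask        # these rights are now covered
            if remaining == 0:
                return True               # full coverage reached
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return remaining == 0


# Constructed DACL: Bob is denied write, the group may read/execute, Alice may read/write.
SAMPLE_DACL = [
    ACE("deny", "S-1-5-21-EXAMPLE-1002", WRITE),
    ACE("allow", "S-1-5-21-EXAMPLE-513", READ | EXECUTE),
    ACE("allow", "S-1-5-21-EXAMPLE-1001", READ | WRITE),
]
# Constructed tokens: user SID plus the shared group SID.
ALICE = {"S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-513"}
BOB = {"S-1-5-21-EXAMPLE-1002", "S-1-5-21-EXAMPLE-513"}
CAROL = {"S-1-5-21-EXAMPLE-1003", "S-1-5-21-EXAMPLE-513"}

if __name__ == "__main__":
    print("Alice rwx:", access_check(SAMPLE_DACL, ALICE, READ | WRITE | EXECUTE))  # True
    print("Bob rw:", access_check(SAMPLE_DACL, BOB, READ | WRITE))                 # False
    print("Carol rw:", access_check(SAMPLE_DACL, CAROL, READ | WRITE))             # False
```

Carol's request fails not because of a deny ACE but because the group ACE covers only read: partial coverage is a denial.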
Windows Vista Integrity
• Integrity protection for writing
• Defines a series of protection levels of increasing protection
‣ untrusted (lowest)
‣ low (Internet)
‣ medium (user)
‣ high (admin)
‣ system
‣ installer (highest)
• Semantics: If the subject’s (process’s) integrity level dominates the object’s integrity level, then the write is allowed
Vista Integrity
• Does Vista Integrity protect the integrity of J’s public key file O2?
       O1   O2   O3
  J    R    RW   RW
  S2   N    R    RW
  S3   N    R    RW
UID Transition: Setuid
• A special bit in the mode bits
• Execute file
‣ Resulting process has the effective (and fs) UID/GID of the file owner
• Enables a user to escalate privilege
‣ For executing a trusted service
• Downside: User defines execution environment
‣ e.g., Environment variables, input arguments, open descriptors, etc.
• Service must protect itself or user can gain root access
• All UNIX services involve root processes -- many via setuid
/tmp Vulnerability
• creat(pathname, mode)
‣ O_EXCL flag: if the file already exists, this is an error
• Potential attack
‣ Attacker creates file in shared space (/tmp)
‣ Give it a filename used by a higher authority service
‣ Make sure that service has permission to the file
‣ If creat is used without O_EXCL, then the attacker can share the file with the higher authority process
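The creat-without-O_EXCL weakness beside the fixed form, as an added example that is not from the lecture: both creation styles are tried against a predictable name that already exists in a shared directory, standing in for the pre-placed /tmp file on the slide. The directory and file names are constructed under a temporary directory so the demo never touches the real /tmp.

```python
"""Exclusive creation (O_EXCL) versus creat()-style open in a shared directory.
Added example; the shared directory and file names are constructed."""
import os
import tempfile


def create_unsafe(path, mode=0o600):
    """What creat(pathname, mode) does: O_CREAT without O_EXCL. If the file is
    already there it is silently opened and truncated, so the higher authority
    process ends up sharing a file that someone else created and controls."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)


def create_exclusive(path, mode=0o600):
    """Create the file only if it does not already exist. O_EXCL turns a
    pre-existing entry (a symlink included) into an EEXIST error instead of
    a silent reuse; the caller gets None and must abort, not fall back."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, mode)
    except FileExistsError:
        return None


def run_demo():
    """Pre-place a file at the name the service expects, then try both styles.
    Returns (unsafe_opened_existing, exclusive_opened_existing, exclusive_opened_fresh)."""
    with tempfile.TemporaryDirectory() as shared_dir:
        taken = os.path.join(shared_dir, "service.lock")  # constructed predictable name
        with open(taken, "w") as pre:                      # someone got there first
            pre.write("placed before the service ran\n")
        fd = create_unsafe(taken)
        unsafe_opened = fd >= 0
        os.close(fd)
        fd = create_exclusive(taken)
        exclusive_opened = fd is not None
        if fd is not None:
            os.close(fd)
        fd = create_exclusive(os.path.join(shared_dir, "service.new"))
        fresh_opened = fd is not None
        if fd is not None:
            os.close(fd)
    return unsafe_opened, exclusive_opened, fresh_opened


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```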
Other Vulnerabilities
• Objects w/o sufficient control
‣ Windows registry, network
• Libraries
‣ Load order permits malware defined libraries
• Executables are everywhere
‣ Web content, Email, Documents (Word)
• Labeling is wrong
‣ Mount a new file system; device
• Malware can modify your permissions
‣ Inherent to discretionary model
Sandboxing
• An execution environment for programs that contains a limited set of rights
‣ A subset of your permissions (meet secrecy and integrity goals)
‣ Cannot be changed by the running program (mandatory)
UNIX Chroot
• Create a domain in which a process is confined
‣ Process can only read/write within file system subtree
‣ Applies to all descendant processes
‣ Can carry file descriptors in ‘chroot jail’
Chroot Vulnerability
• Unfortunately, a chrooted process can trick its own system
‣ define a passwd file at <newroot>/etc/passwd
‣ run su
‣ su thinks that this is the real passwd file, which gives root access
‣ Use mknod to create a device file to access physical memory
• Setup requires great care
‣ Never run chroot process as root
‣ Must not be able to get root privileges
‣ No control by chrooted process (user) of contents in jail
‣ Be careful about descriptors, open sockets, IPC that may be available
Process-specific Permissions
• Design the permissions of a process specific to its use
• How do we change the permissions of a process in an ACL system?
Confused Deputy Problem
• Imagine a multi-client server
‣ Clients have a different set of objects that they can access
• In an ACL system, the server always has access to all the objects
‣ What happens if a client tricks the server into accessing another client’s objects?
‣ Shouldn’t the server only have access to that client’s objects for its requests?