least privilege and privilege separation
play

Least privilege and privilege separation Deian Stefan Slides - PowerPoint PPT Presentation

Sep 21, 2022 •108 likes •578 views

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

  1. CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage

  2. This week… • How to build secure systems ➤ Least privilege and privilege separation ➤ Sandboxing and isolation • Key is underlying principles not mechanisms ➤ We’re going to look at systems techniques ➤ Other ways to achieve similar goals: language-based

  3. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  4. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  5. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  6. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  7. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  8. 
 
 
 
 What’s the problem with this defn? • Talking about a huge, monolith system is not really useful • Why? 
 Network Network User input User device File system File system

  9. 
 
 
 Breaking a system into components • Compartmentalization and isolation ➤ Separate the system into isolated compartments ➤ Limit interaction between compartments • Why is this more meaningful? 
 Network Network User input User device File system File system

  10. How dow we break things apart?

  11. Map compartment to user ids! • Recall: permissions in UNIX granted according to UID ➤ A process may access files, network sockets, …. • Each process has UID • Each file has ACL ➤ Grants permissions to users according to UIDs and 
 roles (owner, group, other) ➤ Everything is a file!

  12. How many UIDs does a process have? • A: one • B: two • C: three • D: four

  13. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  14. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  15. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  16. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  17. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  18. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  19. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  20. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  21. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  22. Where have you seen this? -rwsr-xr-x 1 root root 55440 Jul 28 2018 /usr/bin/passwd drwxrwxrwt 16 root root 700 Feb 6 17:38 /tmp/

  23. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  24. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  25. Example 1: Mail agent • Requirements ➤ Receive and send email over external network ➤ Place incoming email into local user inbox files • Sendmail ➤ Monolithic design ➤ Historical source of many vulnerabilities • Qmail ➤ Compartmentalized design

  26. qmail design • Isolation based on OS isolation ➤ Separate modules run as separate “users” ➤ Each user only has access to specific resources • Least privilege ➤ Minimal privileges for each UID ➤ Only one “setuid” program ➤ Only one “root” program

  27. structure of qmail qmail-smtpd qmail-inject qmail-queue Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  28. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  29. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send root qmail-rspawn qmail-lspawn qmail-remote qmail-local

  30. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  31. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue Reads incoming mail directories Splits message into header, body Signals qmail-send qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  32. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send signals • qmail-lspawn if local qmail-send • qmail-remote if remote root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  33. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-lspawn • Spawns qmail-local • qmail-local runs with ID of user receiving local mail

  34. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-local • Handles alias expansion • Delivers local mail • Calls qmail-queue if needed

  35. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-remote • Delivers message to remote MTA

  36. Android design • Isolation: Each app runs with own UID (own VM) ➤ Provides memory protection ➤ Communication limited to using UNIX domain sockets + reference monitor checks permissions ➤ Only ping and zygote run as root • Least Privilege: Applications announces permission ➤ User grants access at install time + runtime

  37. okws design • Isolation: each service runs with own UID ➤ Each service run in a chroot jail, restricted to ➤ Communication limited to structured RPC between service and DB • Least privilege ➤ Each UID is unique non privileged user ➤ Only okld (launcher daemon) runs as root

  38. okws design

  39. okws design

Recommend

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun

FLEXDROID: Enforcing In- App Privilege Separation in Android Jaebaek Seo, Daehyeok Kim, Donghyun Cho, T aesoo Kim, Insik Shin (NDSS 16) Presented by Shivansh Chandnani CS 563 (Fall 2018) 3 rd party libraries are very popular in Android

1.12k views • 28 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

787 views • 43 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser ("kernel") Full privileges (file system,

603 views • 29 slides
GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February

GSS-Proxy: Better privilege separation Simo Sorce Principal Software Engineer, Red Hat February 2013 1 Outline Introduction to GSS-API Using GSS-API Introduction to GSS-Proxy GSS-Proxy components Kernel upcalls and

186 views • 18 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides
and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the

and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege in Insurance Disputes: Preserving Confidentiality and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the Tripartite

1.17k views • 78 slides
Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting

Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting

Presenting a live 90-minute webinar with interactive Q&A Bank Examination Privilege in Litigation: Understanding the Nuances, Best Practices for Asserting the Privilege TUESDAY, JUNE 13, 2017 1pm Eastern | 12pm Central | 11am

895 views • 45 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Deals: Lessons From Recent Cases for Preserving and Controlling the Privilege MONDAY, DECEMBER 21,

Deals: Lessons From Recent Cases for Preserving and Controlling the Privilege MONDAY, DECEMBER 21,

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege in M&A Deals: Lessons From Recent Cases for Preserving and Controlling the Privilege MONDAY, DECEMBER 21, 2015 1pm Eastern | 12pm Central | 11am

301 views • 29 slides
Maintaining or Attacking Confidentiality Navigating Privilege Waiver, Common Interest Doctrine,

Maintaining or Attacking Confidentiality Navigating Privilege Waiver, Common Interest Doctrine,

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege in Broker-Policyholder Communications: Maintaining or Attacking Confidentiality Navigating Privilege Waiver, Common Interest Doctrine, Claims Assistance

523 views • 31 slides
Asserting Bank Examination Privilege in Litigation Determining the Legal Basis and Working With

Asserting Bank Examination Privilege in Litigation Determining the Legal Basis and Working With

Presenting a live 90-minute webinar with interactive Q&A Asserting Bank Examination Privilege in Litigation Determining the Legal Basis and Working With Regulators to Assert and Defend the Privilege WEDNESDAY, MAY 15, 2019 1pm Eastern |

593 views • 34 slides
Attorney-Client Privilege in Insurance Disputes: Preserving Confidentiality and Meeting Legal

Attorney-Client Privilege in Insurance Disputes: Preserving Confidentiality and Meeting Legal

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege in Insurance Disputes: Preserving Confidentiality and Meeting Legal Ethics Standards Addressing Waiver and Exceptions to the Privilege, the Tripartite

1.04k views • 79 slides
In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client

In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client

In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client Privilege and Preserving the Attorney-Client Privilege and presents presents Maintaining Confidentiality A Live 90-Minute Teleconference/Webinar

699 views • 49 slides
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from

1.03k views • 58 slides
1 Comments to Rule 1.12 Yes. The duty defined in this Rule applies to governmental

1 Comments to Rule 1.12 Yes. The duty defined in this Rule applies to governmental

Ethics Rule 1.12 Representation of an Organization & Privilege Charles W. Thompson, Jr. Executive Director and General Counsel Rule 1.12 Whos the Privilege Cases Pot pouri client? $200 $200 $200 $200 $200 $400 $400 $400 $400

483 views • 25 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides

More recommend