
Principle of Least Privilege - Dawn Song - PowerPoint PPT Presentation



  1. Computer Security Course. Dawn Song. Principle of Least Privilege. Dawn Song

  2. Principle of least privilege
     • Privilege
       – Ability to access or modify a resource
     • Principle of least privilege
       – A system module should only have the minimal privileges needed for intended purposes
     • Privilege separation
       – Separate the system into independent modules
       – Each module follows the principle of least privilege
       – Limit interaction between modules

  3. Unix access control
     • File has access control list (ACL)
       – Grants permission to user ids
       – Owner, group, other
     • Process has user id
       – Inherit from creating process
       – Process can change id
         • Restricted set of options
       – Special "root" id
     ACL matrix:
                 File 1   File 2   …
        User 1   read     write    -
        User 2   write    write    -
        User 3   -        -        read
        …
        User m   read     write    write

  4. Unix file access control list
     • Each file has owner and group
     • Permissions set by owner
         rwx   rwx   rwx   -
         ownr  grp   othr
       – Read, write, execute
       – Owner, group, other, setuid/setgid
       – Represented by vector of four octal values
     • Only owner or root can change permissions
       – This privilege cannot be delegated or shared

  5. Privileged Programs
     • Privilege management is coarse-grained in today's OS
       – Root can do anything
     • Many programs run as root
       – Even though they only need to perform a small number of privileged operations
     • What's the problem?
       – Privileged programs are juicy targets for attackers
       – By finding a bug in parts of the program that do not need privilege, attacker can gain root

  6. What Can We Do?
     • Drop privilege as soon as possible
     • Ex: a network daemon only needs privilege to bind to low port # (<1024) at the beginning
       – Solution?
       – Drop privilege right after binding the port
     • What benefit do we gain?
       – Even if attacker finds a bug in later part of the code, can't gain privilege any more
     • How to drop privilege?
       – Setuid/setgid programming in UNIX
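The bind-then-drop sequence from this slide, as an added example in C that is not part of the original lecture. It uses the Linux setresuid()/setresgid() calls so that all three ids change at once, and assumes uid/gid 65534 is an unprivileged account ("nobody" on most Linux systems); run as root it performs a real drop, run as a normal user the same checks pass as a no-op.

```c
/* Added example, not from the slides: slide 6's bind-then-drop with real
 * syscalls.  Groups are dropped before the uid (afterwards setresgid would
 * fail), every call is checked, and the drop is verified at the end. */
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
extern int setresuid(uid_t, uid_t, uid_t);        /* GNU extensions, declared */
extern int setresgid(gid_t, gid_t, gid_t);        /* explicitly so feature-macro */
extern int getresuid(uid_t *, uid_t *, uid_t *);  /* order cannot matter */
/* TCP listener on loopback.  Port < 1024 needs root (or CAP_NET_BIND_SERVICE);
 * port 0 lets the kernel pick a high port and needs no privilege.  fd or -1. */
int bind_port(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Permanently become uid/gid: real, effective and saved ids all change, so
 * nothing is left to switch back to (a non-root setuid() would change only
 * the effective id and leave the saved id, see slide 11).  0 or -1. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;  /* supplementary groups */
    if (setresgid(gid, gid, gid) < 0) return -1;
    return setresuid(uid, uid, uid);
}

/* 1 if all three uids equal `uid` and root cannot be regained. */
int privileges_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) < 0 || r != uid || e != uid || s != uid) return 0;
    return uid == 0 || seteuid(0) < 0;            /* seteuid(0) must fail */
}

/* Daemon start-up: bind first, then drop.  Root becomes 65534 (assumed to be
 * "nobody"); an unprivileged caller pins its own ids.  Listening fd or -1. */
int start_unprivileged(unsigned short port) {
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    int fd = bind_port(port);
    if (fd >= 0 && drop_privileges(uid, gid) == 0 && privileges_dropped(uid))
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}
```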

  7. Effective user id (EUID) in UNIX
     • Each process has three IDs
       – Real user ID (RUID)
         • same as the user ID of parent (unless changed)
         • used to determine which user started the process
       – Effective user ID (EUID)
         • from set user ID bit on the file being executed, or sys call
         • determines the permissions for process – file access and port binding
       – Saved user ID (SUID)
         • So previous EUID can be restored
     • Real group ID, effective group ID, used similarly

  8. Operations on UIDs
     • Root
       – ID=0 for superuser root; can access any file
     • Fork and Exec
       – Inherit three IDs, except exec of file with setuid bit
     • Setuid system calls
       – seteuid(newid) can set EUID to
         • Real ID or saved ID, regardless of current EUID
         • Any ID, if EUID=0
     • Details are actually more complicated
       – Several different calls: setuid, seteuid, setreuid

  9. Setuid/setgid/sticky bits on executable Unix file
     • Setuid/setgid/sticky bits
       – Setuid – set EUID of process to ID of file owner
       – Setgid – set EGID of process to GID of file
       – Sticky
         • Off: if user has write permission on directory, can rename or remove files, even if not owner
         • On: only file owner, directory owner, and root can rename or remove file in the directory

  10. Setting UIDs
     - setresuid() sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process.
     - seteuid() sets the effective user ID of the calling process.
     - setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set.

  11. Setting UIDs - What's Allowed?
     Users choose any new UID to pass in to setuid(), but the OS checks them against certain rules and will raise an error, for example, if a normal user tries to call setuid(0).
     setuid(newuid)
       Allowed: (euid == 0) || (newuid in (ruid, suid))
       Cases:   (euid == 0)     ⇒ (ruid:=newuid, euid:=newuid, suid:=newuid)
                (anything else) ⇒ (euid:=newuid)
     setresuid(newruid, neweuid, newsuid)
       Allowed: (euid == 0) || (newruid in (ruid, euid, suid) && neweuid in (ruid, euid, suid) && newsuid in (ruid, euid, suid))
     seteuid(neweuid)
       Allowed: (euid == 0) || (neweuid in (ruid, euid, suid))
     Note: all policies are for Linux, differs on FreeBSD

  13. Drop Privilege
     Program file: Owner 18, SetUID bit set
     Process before exec: RUID 25        …; exec( ); …;
       → after exec: RUID 25, EUID 18
         can read/write file: Owner 18, -rw-r--r--
       …; i=getruid(); setuid(i); …;
       → RUID 25, EUID 25
         can read/write file: Owner 25, -rw-r--r--
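An added example, not from the slides: the Linux rules of slide 11 modelled in C (no real syscalls), replaying this slide's i=getruid(); setuid(i); sequence (getuid() in the real API). It shows the caveat the diagram leaves implicit: when the file owner is not root, setuid(ruid) changes only the effective id, the saved id still holds the owner's id, and seteuid() can switch back; as root, or via setresuid(), the drop is permanent.

```c
/* Added example, not from the slides: the Linux uid rules of slide 11 as
 * plain C functions over a (ruid, euid, suid) triple.  No real syscalls
 * are made, so it runs unprivileged and deterministically. */
typedef struct { unsigned ruid, euid, suid; } uids_t;

static int in_set(unsigned id, uids_t u) {   /* is id one of the three? */
    return id == u.ruid || id == u.euid || id == u.suid;
}

/* setuid(newuid): root sets all three ids (a permanent drop); anyone else
 * sets only the euid, and only to the real or saved id.  0 ok, -1 EPERM. */
int model_setuid(uids_t *u, unsigned newuid) {
    if (u->euid == 0) { u->ruid = u->euid = u->suid = newuid; return 0; }
    if (newuid == u->ruid || newuid == u->suid) { u->euid = newuid; return 0; }
    return -1;
}

/* seteuid(neweuid): allowed for root, or if neweuid is any current id. */
int model_seteuid(uids_t *u, unsigned neweuid) {
    if (u->euid == 0 || in_set(neweuid, *u)) { u->euid = neweuid; return 0; }
    return -1;
}

/* setresuid(r, e, s): allowed for root, or if every value is a current id. */
int model_setresuid(uids_t *u, unsigned r, unsigned e, unsigned s) {
    if (u->euid != 0 && !(in_set(r, *u) && in_set(e, *u) && in_set(s, *u)))
        return -1;
    u->ruid = r; u->euid = e; u->suid = s;
    return 0;
}

/* exec of a setuid file owned by `owner` (slide 9): euid = suid = owner. */
uids_t model_exec_setuid(unsigned ruid, unsigned owner) {
    uids_t u = { ruid, owner, owner };
    return u;
}

/* Slide 13 replayed with "i = getuid(); setuid(i);".  Returns 1 if the
 * process can afterwards switch back to the owner's id, i.e. the drop was
 * not permanent; that is the case whenever the owner is not root. */
int can_regain_after_setuid_drop(unsigned ruid, unsigned owner) {
    uids_t u = model_exec_setuid(ruid, owner);
    model_setuid(&u, ruid);
    return model_seteuid(&u, owner) == 0 && u.euid == owner;
}
```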

  14. Computer Security Course. Dawn Song. Web Security: Vulnerabilities & Attacks. Slide credit: Anthony Joseph and John Mitchell

  15. Introduction

  16. Web & http (browser)
     CLIENT (browser)                       SERVER (www.safebank.com)
       HTTP REQUEST  →   GET /account.html HTTP/1.1
                         Host: www.safebank.com
       HTTP RESPONSE ←   HTTP/1.0 200 OK
                         <HTML> . . . </HTML>
     Rendered banking content: SAFEBANK login / password, Accounts, Bill Pay, Mail, Transfers

  17. URLs
     • Global identifiers of network-retrievable documents
     • Example: http://safebank.com:81/account?id=10#statement
         Protocol: http   Hostname: safebank.com   Port: 81   Path: /account   Query: id=10   Fragment: statement
     • Special characters are encoded as hex:
       – %0A = newline

  18. HTTP Request / HTTP Response
     HTTP Request (Method, File, HTTP version; then Headers; a blank line; then Data – none for GET):
       GET /index.html HTTP/1.1
       Accept: image/gif, image/x-bitmap, image/jpeg, */*
       Accept-Language: en
       Connection: Keep-Alive
       User-Agent: Chrome/21.0.1180.75 (Macintosh; Intel Mac OS X 10_7_4)
       Host: www.safebank.com
       Referer: http://www.google.com?q=dingbats

     GET: no side effect; POST: possible
     HTTP Response (HTTP version, Status code, Reason phrase; then Headers; a blank line; then Data):
       HTTP/1.0 200 OK
       Date: Sun, 12 Aug 2012 02:20:42 GMT
       Server: Microsoft-Internet-Information-Server/5.0
       Connection: keep-alive
       Content-Type: text/html
       Last-Modified: Thu, 9 Aug 2012 17:39:05 GMT
       Set-Cookie: …        (Cookies)
       Content-Length: 2543

       <HTML> This is web content formatted using html </HTML>

  19. How browser renders a page
     Suppose you are visiting http://safebank.com in a modern web browser.
     Browser Process:
       – user enters http://safebank.com in the Chrome bar and presses go
       – Browser UI → Browser Engine: display(URI)
       – isCached(URI) = false, so retrieveData(URI) via the Network Stack
       – pageData /*HTML, CSS, etc*/ is handed to the Renderer Process
     Renderer Process:
       – Renderer Engine: renderBitmap(pageData) → Renderer UI

  20. Rendering and events
     • Basic execution model
       – Each browser window or frame
         • Loads content
         • Renders
           – Processes HTML and scripts to display page
           – May involve images, subframes, etc.
         • Responds to events
     • Events can be
       – User actions: OnClick, OnMouseover
       – Rendering: OnLoad, OnBeforeUnload
       – Timing: setTimeout(), clearTimeout()

  21. Document Object Model (DOM)
     • Object-oriented interface used to read and write rendered pages
       – web page in HTML is structured data
       – DOM provides representation of this hierarchy
     • Examples
       – Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
       – Methods: document.write(document.referrer)
     HTML:
       <html>
         <body>
           <div>
             foo
             <a>foo2</a>
           </div>
           <form>
             <input type="text" />
             <input type="radio" />
             <input type="checkbox" />
           </form>
         </body>
       </html>
     DOM Tree:
       Document
       |-> Element (<html>)
           |-> Element (<body>)
               |-> Element (<div>)
               |   |-> text node
               |   |-> Anchor
               |       |-> text node
               |-> Form
                   |-> Text-box
                   |-> Radio Button
                   |-> Check Box
