Protection Disclaimer: some slides are adopted from book authors - - PowerPoint PPT Presentation



SLIDE 1

Protection

Disclaimer: some slides are adopted from book authors' slides with permission

SLIDE 2

Examples of OS Protection

  • Memory protection
    – Between user processes
    – Between user and kernel
  • File protection
    – Prevent unauthorized accesses to files
  • Privileged instructions
    – Page table updates
    – Cache/TLB updates

SLIDE 3

Principles of Protection

  • Principle of least privilege
    – Programs and users should be given just enough privileges to perform their tasks
    – Limits the damage if the entity has a bug or is abused

SLIDE 4

Protection Domains

  • Let Di and Dj be any two domain rings
  • If j < i ⇒ Di ⊆ Dj (the inner ring j holds at least the privileges of ring i)
  • Kernel mode vs. user mode

SLIDE 5

Access Control Matrix

  • Domains in rows
    – Domain: a user or a group of users
  • Resources in columns
    – File, device, …

(Figure: example matrix; e.g., user D1 can read F1 or F3)

SLIDE 6

Method 1: Access Control List

  • Each object stores users and their permissions
  • rw-rw-r-- heechul heechul 38077 Apr 23 15:16 main.tex
    (the three permission triples are, in order, for the owner, the group and the world)

SLIDE 7

Method 2: Capability List

  • Each domain tracks which objects it can access
    – Page table: each process (domain) tracks all pages (objects) it can access

SLIDE 8

Summary

  • Protection
    – Prevent unintended/unauthorized accesses
  • Protection domains
    – Class hierarchy: root can do everything a normal user can do + alpha
  • Access control matrix
    – Domains (Users) × Resources (Objects)
    – Resource oriented: Access control list
    – Domain oriented: Capability list
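As an added example (not from the slides), the matrix of slides 5 to 8 in C: one table is the source of both an object's access control list (its column) and a domain's capability list (its row), and every access decision is a lookup in it. Domain, object and permission names are constructed for the demonstration.

```c
#define NDOMAINS 3
#define NOBJECTS 3
#define PERM_READ  0x1
#define PERM_WRITE 0x2
#define PERM_EXEC  0x4

/* One row per domain, one column per object, each cell a permission bitmask.
 * Constructed so that, as on slide 5, D1 can read F1 and F3 but not F2. */
static const unsigned char acm[NDOMAINS][NOBJECTS] = {
    /* F1                      F2          F3                     */
    { PERM_READ,               0,          PERM_READ              }, /* D1 */
    { 0,                       PERM_READ,  0                      }, /* D2 */
    { PERM_READ | PERM_WRITE,  PERM_EXEC,  PERM_READ | PERM_WRITE }, /* D3 */
};

/* Every access decision goes through the matrix; unknown indices are denied. */
int acm_allows(int domain, int object, unsigned char want) {
    if (domain < 0 || domain >= NDOMAINS || object < 0 || object >= NOBJECTS)
        return 0;
    return (acm[domain][object] & want) == want;
}

/* Resource-oriented view (ACL): the column of one object.
 * Fills out[] and returns how many domains hold any right on the object. */
int acl_for_object(int object, unsigned char out[NDOMAINS]) {
    int n = 0;
    if (object < 0 || object >= NOBJECTS) return -1;
    for (int d = 0; d < NDOMAINS; d++) {
        out[d] = acm[d][object];
        if (out[d]) n++;
    }
    return n;
}

/* Domain-oriented view (capability list): the row of one domain.
 * Fills out[] and returns how many objects the domain can touch at all. */
int caps_for_domain(int domain, unsigned char out[NOBJECTS]) {
    int n = 0;
    if (domain < 0 || domain >= NDOMAINS) return -1;
    for (int o = 0; o < NOBJECTS; o++) {
        out[o] = acm[domain][o];
        if (out[o]) n++;
    }
    return n;
}
```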

SLIDE 9

Security

SLIDE 10

Today

  • Security basics
  • Security threats
  • Security defenses
  • Some recent security bugs
    – Heartbleed bug (OpenSSL)
    – Goto fail bug (Apple SSL)
    – Shellshock bug (Bash)

SLIDE 11

Security

  • A system is secure if its resources are used and accessed as intended under all circumstances
    – Unachievable
  • Intruders (crackers) attempt to breach security
  • A threat is a potential security violation
  • An attack is an attempt to breach security

SLIDE 12

Threats

  • Threat: potential security violation
    – Physical: power off/destroy the machine
    – Human: social engineering, phishing
    – Software: security bugs, viruses
    – Network: interception, DoS
  • Security is as weak as the weakest link in the chain
    – But can too much security be a problem?

SLIDE 13

Security Violation Categories

  • Breach of confidentiality
    – Unauthorized reading of data
  • Breach of integrity
    – Unauthorized modification of data
  • Breach of availability
    – Unauthorized destruction of data
  • Theft of service
    – Unauthorized use of resources
  • Denial of service (DOS)
    – Prevention of legitimate use

SLIDE 14

Standard Security Attacks

(Figure only)

SLIDE 15

Security Measure Levels

  • Impossible to have absolute security, but make the cost to the perpetrator sufficiently high to deter most intruders
  • Security must occur at four levels to be effective:
    – Physical
      • Data centers, servers, connected terminals
    – Human
      • Avoid social engineering, phishing, dumpster diving
    – Operating System
      • Protection mechanisms, debugging
    – Network
      • Intercepted communications, interruption, DOS
  • Security is as weak as the weakest link in the chain
  • But can too much security be a problem?

SLIDE 16

Program Threats

  • Trojan Horse
    – Exploits mechanisms for allowing programs written by users to be executed by other users
    – Spyware, pop-up browser windows
    – Up to 80% of spam delivered by spyware-infected systems
  • Logic Bomb
    – Program that initiates a security incident under certain circumstances

SLIDE 17

Program Threats

  • Stack and Buffer Overflow
    – Exploits a bug in a program (overflow either the stack or memory buffers)
    – Failure to check bounds on inputs, arguments
    – Write past arguments on the stack into the return address on stack
    – When routine returns from call, returns to hacked address
      • Pointed to code loaded onto stack that executes malicious code
    – Unauthorized user or privilege escalation

SLIDE 18

Stack Frame Layout

(Figure: stack frame layout, with the stack pointer marked)

SLIDE 19

Code with Buffer Overflow

  • What is wrong in this code?

    #define BUFFER_SIZE 256

    int process_args(char *arg1)
    {
        char buffer[BUFFER_SIZE];
        strcpy(buffer, arg1);
        ...
    }

    int main(int argc, char *argv[])
    {
        process_args(argv[1]);
        ...
    }

SLIDE 20

Code with Buffer Overflow

  • Stack layout after calling process_args()

(Figure: the same code as on slide 19, with the stack after the call and arg1 shown)

SLIDE 21

Code with Buffer Overflow

  • Do you remember strcpy() in C?

(Figure: the same code as on slide 19, with the stack after the call and arg1 shown)
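Added example, not the slide's code: process_args() rewritten with the bounds check that strcpy() never performs, so an oversized argument is rejected instead of being copied over the saved return address. The names process_args_checked() and try_arg_of_length() and the return-code convention are my own; BUFFER_SIZE matches the slide.

```c
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Bounded replacement for the slide's process_args().  Returns the number
 * of bytes copied on success, or -1 when arg1 is NULL or would not fit in
 * buffer together with its terminating NUL.  In the reject case nothing
 * is written to the stack buffer at all. */
int process_args_checked(const char *arg1) {
    char buffer[BUFFER_SIZE];
    size_t len = 0;
    if (arg1 == NULL)
        return -1;
    /* Measure without trusting the input to be short: stop scanning once
     * BUFFER_SIZE bytes have been seen, whether or not a NUL appeared. */
    while (len < BUFFER_SIZE && arg1[len] != '\0')
        len++;
    if (len == BUFFER_SIZE)
        return -1;                  /* 256 bytes leave no room for the NUL */
    memcpy(buffer, arg1, len + 1);  /* at most BUFFER_SIZE bytes, by construction */
    /* ... work on buffer (omitted, as on the slide) ... */
    return (int)len;
}

/* Demonstration helper: pass an argument of n 'A' bytes (constructed input). */
int try_arg_of_length(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int rc = process_args_checked(s);
    free(s);
    return rc;
}
```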

SLIDE 22

Let's Get the Shell

  • Steps
    – Compile the code you want to illegitimately execute
    – 'Carefully' modify the binary
    – Pass the modified binary as a string to process_args()

    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        execvp("/bin/sh", "/bin/sh", NULL);
        return 0;
    }

SLIDE 23

The Attack: Buffer Overflow

(Figure: the stack before and after executing strcpy(buffer, arg1) with the crafted string containing the illegitimate code)

SLIDE 24

Linux Kernel Buffer Overflow Bugs

212 reported buffer overflow bugs in Linux

Source: http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-9/cvssscoremax-/Linux-Linux-Kernel.html

SLIDE 25

Linux Kernel Buffer Overflow Bugs

(Figure only)

SLIDE 26

Program Threats

  • Viruses
    – Code fragment embedded in legitimate program
    – Self-replicating, designed to infect other computers
    – Very specific to CPU architecture, operating system, applications
    – Usually borne via email or as a macro
    – Visual Basic macro to reformat hard drive:

    Sub AutoOpen()
    Dim oFS
    Set oFS = CreateObject("Scripting.FileSystemObject")
    vs = Shell("c:command.com /k format c:", vbHide)
    End Sub

SLIDE 27

A Boot-sector Computer Virus

(Figure only)

SLIDE 28

Goto Fail Bug

iOS 7.0.6
Data Security
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

SLIDE 29

Goto Fail Bug

    err = 0;
    . . .
    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;
    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;                    // MISTAKE! THIS LINE SHOULD NOT BE HERE
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    err = sslRawVerify(...);          // This code must be executed
    . . .
fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
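Added example (not Apple's code): a cut-down model of the slide's control flow showing why the duplicated goto makes the function report success. ready_hash(), hash_params() and raw_verify() are stand-ins I wrote for the Secure Transport calls; verify_buggy() keeps the stray goto and verify_fixed() removes it.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for ReadyHash(): fails (nonzero) when there is nothing to hash. */
static int ready_hash(size_t n) { return n ? 0 : -1; }

/* Stand-in for the SHA-1 updates: a trivial checksum over the signed params. */
static uint32_t hash_params(const uint8_t *p, size_t n) {
    uint32_t h = 0;
    for (size_t i = 0; i < n; i++) h = h * 31 + p[i];
    return h;
}

/* Stand-in for sslRawVerify(): 0 only when the peer's signature matches. */
static int raw_verify(uint32_t computed, uint32_t sig) {
    return computed == sig ? 0 : -1;
}

/* Control flow of the slide, duplicated goto included. */
int verify_buggy(const uint8_t *params, size_t n, uint32_t sig) {
    int err = 0;
    uint32_t h;
    if ((err = ready_hash(n)) != 0)
        goto fail;
    h = hash_params(params, n);
    goto fail;                  /* MISTAKE: the duplicated line */
    err = raw_verify(h, sig);   /* unreachable; clang -Wunreachable-code reports it */
fail:
    return err;                 /* still 0 from the last step that succeeded */
}

/* Same function with the stray goto removed: the signature is now checked. */
int verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    int err = 0;
    uint32_t h;
    if ((err = ready_hash(n)) != 0)
        goto fail;
    h = hash_params(params, n);
    err = raw_verify(h, sig);
fail:
    return err;
}
```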

SLIDE 30

System and Network Threats

  • Port scanning
    – Automated attempt to connect to a range of ports on one or a range of IP addresses
    – Detection of answering service protocol
    – Detection of OS and version running on system
    – nmap scans all ports in a given IP range for a response
    – nessus has a database of protocols and bugs (and exploits) to apply against a system
    – Frequently launched from zombie systems
      • To decrease traceability

SLIDE 31

System and Network Threats

  • Denial of Service
    – Overload the targeted computer, preventing it from doing any useful work
    – Distributed denial-of-service (DDOS) attacks come from multiple sites at once
    – Consider the start of the IP-connection handshake (SYN)
      • How many started connections can the OS handle?
    – Consider traffic to a web site
      • How can you tell the difference between being a target and being really popular?
    – Accidental: CS students writing bad fork() code
    – Purposeful: extortion, punishment

SLIDE 32

Heartbleed Bug

  • Synopsis
    – Due to a bug in OpenSSL (popular s/w for encrypted communication), a web server's internal memory can be dumped remotely

SLIDE 33

Heartbleed Bug

Image source: xkcd.com

SLIDE 34

Heartbleed Bug

Image source: xkcd.com

SLIDE 35

Heartbleed Bug

    /* Heartbeat request message */
    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

    /* Heartbeat response function */
    int tls1_process_heartbeat(SSL *s)
    {
        ...
        /* Read type and payload length first */
        hbtype = *p++;
        n2s(p, payload);   // payload = recv_packet.payload_length
        pl = p;
        ...
        if (hbtype == TLS1_HB_REQUEST) {
            ...
            buffer = OPENSSL_malloc(1 + 2 + payload + padding);
            bp = buffer;
            memcpy(bp, pl, payload);
            r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
            ...
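Added example (not OpenSSL's code): the response function from the slide rewritten with the length check it lacked, so the peer's payload_length can never exceed what actually arrived. The field layout follows the struct above; the function name, HB_PADDING and the return codes are my assumptions, and the sample records in the test are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Parses one heartbeat record of rec_len bytes.  For a request whose
 * payload_length fits in the record, allocates the response
 * (1 + 2 + payload + HB_PADDING bytes) into *out and returns its length;
 * returns 0 for a non-request and -1 for a malformed record. */
int process_heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t **out) {
    if (rec_len < 3)                          /* need type + payload_length */
        return -1;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    const uint8_t *pl = p;

    /* The check the vulnerable code lacked: the peer's payload_length must
     * fit inside the bytes that actually arrived.  Without it the memcpy()
     * below reads past the record into neighbouring heap memory and the
     * response sends that memory back to the peer. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                            /* RFC 6520: discard silently */

    if (hbtype != HB_REQUEST)
        return 0;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    uint8_t *buffer = malloc(resp_len);
    if (buffer == NULL)
        return -1;
    uint8_t *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);          /* s2n(payload, bp) */
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);                  /* now provably inside rec */
    memset(bp + payload, 0, HB_PADDING);      /* real code uses random padding */
    *out = buffer;
    return (int)resp_len;
}
```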

SLIDE 36

Shellshock Bug

  • Synopsis
    – You can remotely execute arbitrary programs on a server running a web server by simply sending a specially crafted HTTP request.
    – Example:

    curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/

  • The problem
    – Failure to check the validity of a function definition before executing it

For detailed explanation: security.stackexchange.com
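Added example (not bash's parser): a model of the validity check the slide says was missing. The unpatched shell parsed and executed an imported environment value starting with "() {" as a whole, so whatever followed the closing brace ran too; this validator accepts only the definition itself. is_pure_function_export() is a name I chose, and its brace matching ignores shell quoting, which the real grammar does not.

```c
#include <ctype.h>
#include <string.h>

/* Returns 1 when value is exactly one exported function definition,
 * "() { ... }" followed by nothing but whitespace, and 0 otherwise.
 * A 0 for a value that does start with "() {" means there is trailing
 * text after the closing brace, the part an unpatched bash executed. */
int is_pure_function_export(const char *value) {
    const char *p = value;
    int depth = 0;
    if (value == NULL || strncmp(p, "() {", 4) != 0)
        return 0;                       /* not a function export at all */
    p += 3;                             /* now at the opening brace */
    for (; *p != '\0'; p++) {
        if (*p == '{') {
            depth++;
        } else if (*p == '}' && --depth == 0) {
            p++;                        /* step past the matching close */
            break;
        }
    }
    if (depth != 0)
        return 0;                       /* body never closed */
    while (*p != '\0' && isspace((unsigned char)*p))
        p++;
    return *p == '\0';                  /* anything left is extra commands */
}
```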

SLIDE 37

Implementing Security Defenses

  • Defense in depth is the most common security theory: multiple layers of security
  • Security policy describes what is being secured
  • Vulnerability assessment compares the real state of the system/network to the security policy
  • Intrusion detection endeavors to detect attempted or successful intrusions
    – Signature-based detection spots known bad patterns
    – Anomaly detection spots differences from normal behavior
      • Can detect zero-day attacks
    – False positives and false negatives are a problem
  • Virus protection
    – Searching all programs, or programs at execution, for known virus patterns
    – Or run in a sandbox so they can't damage the system
  • Auditing, accounting, and logging of all or specific system or network activities
  • Practice safe computing: avoid sources of infection, download only from "good" sites, etc.

SLIDE 38

Network Security via Firewall

  • A network firewall is placed between trusted and untrusted hosts
    – The firewall limits network access between these two security domains
  • Can be tunneled or spoofed
    – Tunneling allows a disallowed protocol to travel within an allowed protocol (e.g., telnet inside of HTTP)
    – Firewall rules are typically based on host name or IP address, which can be spoofed
  • Personal firewall is a software layer on a given host
    – Can monitor / limit traffic to and from the host

SLIDE 39

Example: Windows 7

  • Security is based on user accounts
    – Each user has a unique security ID
    – Login to an ID creates a security access token
      • Includes the security ID for the user, for the user's groups, and special privileges
      • Every process gets a copy of the token
      • System checks the token to determine if access is allowed or denied
  • Uses a subject model to ensure access security
    – A subject tracks and manages permissions for each program that a user runs
  • Each object in Windows has a security attribute defined by a security descriptor
    – For example, a file has a security descriptor that indicates the access permissions for all users
  • Security attributes described by security descriptor
    – Owner ID, group security ID, discretionary access-control list, system access-control list