BS1 WS19/20 – topic-based slides: Security

• Security as a term, possible security violations
• Authentication
• Criteria for trust in computer systems
• Three hearts of Windows security
• DACLs
A Look at Security

● A system is secure if its resources are used and accessed as intended under all circumstances
● Security violations:
  ● Unauthorized reading of data (theft of information) – Confidentiality
  ● Unauthorized modification of data – Integrity
  ● Unauthorized destruction of data – Integrity, Availability
● Security measures:
  ● Physical
  ● User authorization
● A weakness at a higher level of security may circumvent lower-level (operating system) measures
Operating Systems 20
Authentication

● Username/password, biometric ID, smartcards, 2FA
  ● Special case of keys/capabilities
● System-generated vs. user-generated passwords (hard to remember / easy to guess)
● Paired passwords: the system selects one, the user responds appropriately
● How to store passwords securely
  ● One-way functions executed on passwords – easy to calculate but hard to invert
  ● Shadow passwords – restricted access to password files
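The one-way-function idea from this slide, as an added example written for these notes (not from the slides): a per-user random salt plus PBKDF2-HMAC-SHA256 produces the record a shadow file would hold, and verification recomputes the function instead of inverting it. The record format and the sample password are constructed.

```python
# Storing and verifying passwords with a salted one-way function, as an added
# example for these notes (not from the slides). PBKDF2-HMAC-SHA256 from the
# standard library is the one-way function; the iteration count is a work factor.
import hashlib
import hmac
import os

ITERATIONS = 600_000        # slows down guessing attacks on a stolen hash database


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means equal passwords get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the one-way function with the stored salt and iteration count and
    compare in constant time; the stored hash itself is never inverted."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:                      # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample
    print(rec)                                            # what the shadow file would hold
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("correct horse", rec))                 # False
```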
Trusted Computer System Evaluation Criteria (TCSEC)

A1  Verified Design
B3  Security Domains
B2  Structured Protection (Trusted XENIX)
B1  Labeled Security Protection (HP-UX, Trusted IRIX, Tru64 UNIX)
C2  Controlled Access Protection (highest level considered practical for a general-purpose OS)
C1  Discretionary Access Protection (obsolete)
D   Minimal Protection (e.g. DOS)
Common Criteria

● The Common Criteria (CC) are the new standard for software and OS ratings
  ● Consortium of the US, UK, Germany, France, Canada and the Netherlands in 1996
  ● Became ISO standard 15408 in 1999
  ● For more information, see http://www.commoncriteriaportal.org/ and http://csrc.nist.gov/cc
● CC is more flexible than TCSEC trust ratings
  ● Includes the concept of a Protection Profile (PP) to collect security requirements into easily specified and compared sets, and the concept of a Security Target (ST) that contains a set of security requirements that can be made by reference to a PP
A Note About Physical Security

● Security is harder to maintain if someone has physical access:
  ● Attackers can always destroy data
  ● Attackers can retrieve and modify unencrypted data by booting a live system – file system protection mechanisms don't apply
● Complete encryption is the only way to secure data on systems whose physical security can be compromised (like laptops)
Security Components

[Diagram: Windows security components. User mode: WinLogon, MSGINA, LSASS (LSA Policy, LSA Server, SAM Server, Active Directory, MSVC1_0.dll, Kerberos.dll, SAM), Event Logger, Active Directory, Windows processes, system threads. Kernel mode: System Service Dispatcher (kernel mode callable interfaces), Security Reference Monitor, Object Manager, Configuration Manager (registry), Plug and Play Manager, Power Manager, Memory Manager, Cache Manager, Virtual Memory, Local Procedure Call, I/O Manager, File System and Device Drivers, USER/GDI and Graphics Drivers, Kernel]
The Three Hearts of Windows Security

● Local Security Authority (LSA) - as local user-mode process
  ● Heart of user authentication on the local machine
● LSA - on the domain controller
  ● Heart of user authentication on networked machines
● Security Reference Monitor (SRM)
  ● Heart of object access protection
Security Components

● Local Security Authority
  ● User-mode process (\Windows\System32\Lsass.exe) that implements policies (e.g. password, logon), authentication, and sending audit records to the security event log
  ● LSASS policy database: registry key HKLM\SECURITY

[Diagram: WinLogon, MSGINA, LSASS (LSA Policy, LSA Server, SAM Server, Active Directory, MSVC1_0.dll, Kerberos.dll, SAM), Event Logger, NetLogon, Active Directory]
LSASS Components

● Security Account Manager (SAM) Service
  ● A set of subroutines (\Windows\System32\Samsrv.dll) responsible for managing the database that contains the usernames and groups defined on the local machine
  ● SAM database: a database that contains the defined local users and groups, along with their passwords and other attributes. This database is stored in the registry under HKLM\SAM.
  ● Password crackers attack the local user account password hashes stored in the SAM
LSASS Components

● Active Directory
  ● A directory service that contains a database that stores information about objects in a domain
  ● A domain is a collection of computers and their associated security groups that are managed as a single entity
  ● The Active Directory server, implemented as a service, \Windows\System32\Ntdsa.dll, that runs in the Lsass process
Protecting Objects

● Object access is gated by the Security Reference Monitor (SRM)
  ● Performs access validation at the time that an object is opened by a process
● Access validation is a security equation that consists of the following:
  ● Desired Access: the type of access that is being requested
    – Must be specified up front
    – Includes all accesses that will be performed on the object as a result of the validation
  ● Token: identifies the user that owns the process, including their privileges
    – Threads can adopt a special type of token called an "impersonation token" that contains the identity of another account
  ● The object's Security Descriptor
    – Contains a Discretionary Access Control List (DACL)
    – Describes the types of access to the object users are allowed
Handles and Security

● If the validation succeeds, a handle is created in the process requesting access, through which the process can access the resource
● Changing security on an object only affects subsequent opens
  ● Processes that have existing handles can continue to access objects with the accesses they were granted
  ● E.g. changing permissions on a share won't affect currently connected users
Access Control Lists

● An ACL is a set of Access Control List Entries (ACEs)
  ● 2 types: access-allowed / access-denied
● Each ACE contains a SID and an access mask
● The order of ACEs in the ACL is important: first-fit algorithm
  ● Frequently: access-denied ACEs first
    ● Implemented by the Explorer GUI
  ● Other schemes possible
Access Control Entries (ACEs)

● Each ACE includes an access mask
  ● Defines all possible actions for a particular object type
● Each object can have up to 16 specific access types (specific access mask)
● Standard types apply to all objects:
  ● SYNCHRONIZE – allow a process to wait on signaled state
  ● WRITE_OWNER – assign write owner
  ● WRITE_DAC – write access to discretionary ACL
  ● READ_CONTROL – access to security descriptor
  ● DELETE – grant/deny delete access
● Generic types
  ● FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE
Discretionary Access Control Lists (DACLs)

● DACLs consist of zero or more Access Control Entries
  ● A security descriptor with no DACL allows all access
  ● A security descriptor with an empty (0-entry) DACL denies all access
● An ACE is either "allow" or "deny"

[Diagram: ACE structure – ACE type, SID, access mask (Read, Write, Delete, ...)]
Access Check - recap

● ACEs in the DACL are examined in order
  ● Does the ACE have a SID matching a SID in the token?
  ● If so, do any of the access bits match any remaining desired accesses?
  ● If so, what type of ACE is it?
    – Deny: return ACCESS_DENIED
    – Allow: grant the specified accesses and, if there are no remaining accesses to grant, return ACCESS_ALLOWED
● If we get to the end of the DACL and there are remaining desired accesses, return ACCESS_DENIED
Example: Access granted

Security Token: User ID: FredMgr; Group IDs: Users, Mgrs, Everyone; Privileges: None
Desired access: read/write
File object – Security descriptor – Discretionary Access Control List:
  ACE 1: AccessAllowed  FredMgr   Read (RX)
  ACE 2: AccessAllowed  Mgrs      Special Access (RW)
  ACE 3: AccessAllowed  Everyone  Special Access (X)
Example: Access denied

Security Token: User ID: FredMgr; Group IDs: Users, Mgrs, Everyone; Privileges: None
Desired access: read/write
File object – Security descriptor – Discretionary Access Control List:
  ACE 1: AccessDenied   Mgrs      (No Access)
  ACE 2: AccessAllowed  FredMgr   Read (RX)
  ACE 3: AccessAllowed  Everyone  Write (W)
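The first-fit algorithm from the recap slide applied to the two examples above, plus the no-DACL and empty-DACL rules from the DACL slide, as an added simulation written for these notes (not Windows code). The access bit values and the SID names are constructed; the deny ACE's "No Access" is modelled as a mask covering every bit.

```python
# Simulation of the first-fit DACL access check from the recap slide.
# Example code written for these notes, not Windows code; bit values and SID
# names are constructed and do not match real Windows access-mask constants.

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ACCESS_ALLOWED, ACCESS_DENIED = "ACCESS_ALLOWED", "ACCESS_DENIED"


def access_check(token_sids, desired, dacl):
    """token_sids: SIDs in the token (user plus groups).
    desired: bitmask of all accesses requested, specified up front.
    dacl: None for 'no DACL', else an ordered list of (ace_type, sid, mask)."""
    if dacl is None:                        # no DACL: allows all access
        return ACCESS_ALLOWED
    remaining = desired                     # empty DACL: nothing granted below
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:           # SID not in token: skip ACE
            continue
        if not (mask & remaining):          # no overlap with remaining accesses
            continue
        if ace_type == "deny":              # first matching deny ends the check
            return ACCESS_DENIED
        remaining &= ~mask                  # allow: grant the matching bits
        if remaining == 0:                  # everything requested was granted
            return ACCESS_ALLOWED
    return ACCESS_DENIED                    # end of DACL with accesses left over


# Constructed token from the slides: FredMgr, member of Users, Mgrs, Everyone
FRED = {"FredMgr", "Users", "Mgrs", "Everyone"}
# "Access granted" slide: three allow ACEs in DACL order
DACL_GRANTED = [
    ("allow", "FredMgr", READ | EXECUTE),     # Read (RX)
    ("allow", "Mgrs", READ | WRITE),          # Special Access (RW)
    ("allow", "Everyone", EXECUTE),           # Special Access (X)
]
# "Access denied" slide: deny ACE for Mgrs placed first ("No Access" = all bits)
DACL_DENIED = [
    ("deny", "Mgrs", READ | WRITE | EXECUTE),
    ("allow", "FredMgr", READ | EXECUTE),
    ("allow", "Everyone", WRITE),
]

if __name__ == "__main__":
    want = READ | WRITE
    print(access_check(FRED, want, DACL_GRANTED))                     # ACCESS_ALLOWED
    print(access_check(FRED, want, DACL_DENIED))                      # ACCESS_DENIED
    # Same ACEs with the deny moved last: the allow ACEs satisfy the request first
    print(access_check(FRED, want, DACL_DENIED[1:] + DACL_DENIED[:1]))  # ACCESS_ALLOWED
```

The reordered run at the end shows why the Explorer GUI writes deny ACEs first: a deny placed after allows that already cover the request is never reached.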
UNIX File Protection

● Access rights can be independently defined for:
  ● (u) user – owner of a file (defaults to creator)
  ● (g) group – group
  ● (o) other – all other users of the system
● Example:
  $> ls -lisa
  total 2
  421908 1 drwxr-xr-x  2 apolze 1024 Jan 7 15:06 .
  116884 1 drwxr-xr-x 13 apolze 2048 Jan 7 15:06 ..
  116992 0 -rw-------  1 apolze    0 Jan 7 15:05 Mail.txt
  116991 0 -rw-rw-rw-  1 apolze    0 Jan 7 15:05 test.c
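The u/g/o decision from this slide, as an added example written for these notes (not from the slides): it parses listing lines in the shape of the ls output above and picks exactly one class for the caller, so a restrictive owner triple is not rescued by a permissive group or other triple. The group name and the non-owner user ids are constructed, since the listing shows no group column.

```python
# UNIX u/g/o permission check driven by 'ls -l' mode strings. Example code added
# for these notes; it models the classic owner/group/other rule only (no ACLs,
# no root override).

# Constructed listing lines in the shape of the slide's 'ls -lisa' output
LISTING = """\
116992 0 -rw------- 1 apolze 0 Jan 7 15:05 Mail.txt
116991 0 -rw-rw-rw- 1 apolze 0 Jan 7 15:05 test.c
"""


def parse_mode(mode):
    """'-rw-r--r--' -> {'u': 'rw-', 'g': 'r--', 'o': 'r--'} (file type char dropped)."""
    if len(mode) != 10:
        raise ValueError("bad mode string: %r" % mode)
    return {"u": mode[1:4], "g": mode[4:7], "o": mode[7:10]}


def may_access(mode, owner, group, uid, gids, want):
    """want is 'r', 'w' or 'x'. The kernel selects one class for the caller:
    owner if uid matches, else group if the file's group is among gids, else
    other. Only that class's triple is consulted."""
    triples = parse_mode(mode)
    if uid == owner:
        cls = "u"
    elif group in gids:
        cls = "g"
    else:
        cls = "o"
    return want in triples[cls]


def parse_listing(text):
    """Return {name: (mode, owner)} from 'ls -lisa' style lines (no group column)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:            # skip 'total' lines and blanks
            continue
        entries[fields[-1]] = (fields[2], fields[4])
    return entries


if __name__ == "__main__":
    files = parse_listing(LISTING)
    mode, owner = files["Mail.txt"]
    print(may_access(mode, owner, "staff", "apolze", {"staff"}, "r"))   # True (owner)
    print(may_access(mode, owner, "staff", "bob", {"staff"}, "r"))      # False (other)
    mode, owner = files["test.c"]
    print(may_access(mode, owner, "staff", "bob", {"users"}, "w"))      # True (other)
```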