CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Similar documents
CIS433/533 - Computer and Network Security Operating System Security

Mandatory Access Control Systems

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

Mandatory Access Control in Linux

Trent Jaeger Systems and Internet Infrastructure Security Lab Pennsylvania State University

CS161: Operating Systems

Access Control Fundamentals

CSE331: Introduction to Networks and Security. Lecture 34 Fall 2006

Advanced Systems Security: Retrofitting Commercial Systems

CIS 551 / TCOM 401 Computer and Network Security. Spring 2005 Lecture 4

Safety measures in Linux

Securing Commercial Operating Systems

...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language)

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

Chapter 6, The Operating System Machine Level

Capability-Based Access Control

NSA Security-Enhanced Linux (SELinux)

Chapter 14: Access Control Mechanisms

Virtual Machine Security

Security types to the rescue

Advanced Systems Security

User-level processes (clients) request services from the kernel (server) via special protected procedure calls

Secure Virtual Machine Systems

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

CIS 551 / TCOM 401 Computer and Network Security

COS 318: Operating Systems

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

Mandatory Access Control

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

Operating System Security

CS 392/681 - Computer Security. Module 16 Vulnerability Analysis

Kernel Intrusion Detection System

Operating System Structure

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Operating System Components

Secure computing: SELinux

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Proceedings of the 11 th USENIX Security Symposium

Introduction to Computer Security

Access Control Lists in Linux & Windows

L16: Ring-based Access Control

Windows Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Gerd Behrmann CISS & Institut for Datalogi Aalborg Universitet. behrmann@cs.aau.dk

Toasterkit - A NetBSD Rootkit. Anthony Martinez Thomas Bowen

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

Fundamentals of Computer Security

Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools

CSE543 - Introduction to Computer and Network Security. Module: Access Control

UNIX File Management (continued)

Operating Systems. 05. Threads. Paul Krzyzanowski. Rutgers University. Spring 2015

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

Carlos Villavieja, Nacho Navarro Arati Baliga, Liviu Iftode

A Firewall Model of File System Security

Linux OS-Level Security Nikitas Angelinas MSST 2015

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

CSC 2405: Computer Systems II

? Resource. Access Control and Operating System Security. Access control matrix. Access control. Capabilities. Two implementation concepts.

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

A Survey of Access Control Policies

Security Enhanced Linux and the Path Forward

Process Firewalls: Protecting Processes During Resource Access

Red Hat Linux Internals

CS 416: Opera-ng Systems Design

CAPSICUM. Practical capabilities for UNIX. 19 th USENIX Security Symposium 11 August Washington, DC. Robert N. M. Watson

1. Introduction to the UNIX File System: logical vision

J-202. IT 4823 Information Security Administration. Linux Security Model. Linux Security. In Room. Linux Security April 23

W4118 Operating Systems. Junfeng Yang

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Operating Systems. Design and Implementation. Andrew S. Tanenbaum Melanie Rieback Arno Bakker. Vrije Universiteit Amsterdam

Outline. Operating Systems Design and Implementation. Chap 1 - Overview. What is an OS? 28/10/2014. Introduction

Confining the Apache Web Server with Security-Enhanced Linux

Linux Distributed Security Module 1

Republic Polytechnic School of Information and Communications Technology C226 Operating System Concepts. Module Curriculum

Operating Systems and Networks

OPERATING SYSTEM SERVICES

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Operating System Engineering: Fall 2005

? Resource. Outline. Access Control and Operating System Security. Access control. Access control matrix. Capabilities. Two implementation concepts

Module: Cloud Computing Security

Virtualization for Cloud Computing

Using Minix to Teach Computer Security Courses

Using An Instructional Operating System In Teaching Computer Security Courses

Introduction to Android 5 Security

System Calls and Standard I/O

How To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X

Security Enhanced (SE) Android: Bringing Flexible MAC to Android

Example of Standard API

CS52600: Information Security

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Analysis of advanced issues in mobile security in android operating system

A Simple Implementation and Performance Evaluation Extended-Role Based Access Control

Operating Systems Design 16. Networking: Sockets

Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Security

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Operating System Security Professor Trent Jaeger 1

OS Security So, you have built an operating system that enables user-space processes to access hardware resources Thru various abstractions: files, pages, devices, etc. Now, you want your operating system to enforce security requirements for your application processes What do you do? 2

OS Security We learned about a few things last time that will hopefully help you Your OS must implement a Protection system Your protection system is enforced by a Reference validation mechanism Which do you tackle first? 3

Multiprocessor Systems Major Effort: Multics Multiprocessing system -- developed many OS concepts Including security Begun in 1965 Development continued into the mid-70s Used until 2000 Initial partners: MIT, Bell Labs, GE/Honeywell Other innovations: hierarchical filesystems, dynamic linking Subsequent proprietary system, SCOMP, became the basis for secure operating systems design 4

Multics Goals Secrecy Multilevel security Integrity Rings of protection Resulting system is considered a high point in secure system design 5

Multics Basics Processes are programs that are executing within Multics (seems obvious now...) Protection domain is a list of segments Stored in the process descriptor segment Segments are stored value regions that are accessible by processes, e.g., memory regions, secondary storage Segments can be organized into hierarchies Local segments (memory addresses) are accessed directly Non-local segments are addressed by hierarchy /tape/drive1/top10k /etc/conf/http.conf This is the genesis of the modern hierarchical filesystem! 6

Segment Management PDS acts like segment working set for process Segments are addressed by name (path) If authorized, added to PDS Multics security is defined with respect to segments Segment 0 Segment 1 Segment N Process Descriptor Segment Segment Descr. Word 0 Segment Descr. Word 1... Segment Descr. Word N 7

Multics Functionality Not all code executing on Multics (or any OS) is the same Kernel System processes Middleware Important User Processes Untrusted User Processes... Previously, all ran in one protection domain Multics supported multiple address spaces (processes) But, how do you protect one process from another? 8

Protection Rings Successively less-privileged domains Modern CPUs support 4 rings Use 2 mainly: Kernel and user Intel x86 rings Ring 0 has kernel Ring 3 has application code Example: Multics (64 rings in theory, 8 in practice) 9

What Are Protection Rings? Coarse-grained, Hardware Protection Mechanism Boundary between Levels of Authority Most privileged -- ring 0 Monotonically less privileged above Fundamental Purpose Protect system integrity Protect kernel from services Protect services from apps So on... 10

Intel Protection Ring Rules Each Memory Segment has a privilege level (ring number) The CPU has a Current Protection Level (CPL) Level of the segment where instructions are being read Program can read/write in segments of higher level than CPL kernel can read/write user space user cannot read/write kernel why not? 11

Protection Ring Rules Program cannot call code of higher privilege directly Gate is a special memory address where lower-privilege code can call higher Enables OS to control where applications call it (system calls) Gate Ring 3 No gate Ring 0 12

Multics Interpretation Kernel resides in ring 0 Process runs in a ring r Access based on current ring Process accesses data (segment) Each data segment has an access bracket: (a1, a2) a1 <= a2 Describes read and write access to segment r is the current ring r <= a1: access permitted a1 < r <= a2: r and x permitted; w denied a2 < r: all access denied Ring 7 6 5 4 3 2 1 0 a 2 a 1 --- R-X RWX 13

Multics Interpretation (con t) Also different procedure segments with call brackets: (c1, c2), c1 <= c2 7 Denied and access brackets (a1, a2) The following must be true (a2 == c1) Rights to execute code in a new procedure segment r < a1: access permitted with ring-crossing fault a1 <= r <= a2 = c1: access permitted and no fault a2 < r <= c2: access permitted through a valid gate c2 < r: access denied What s it mean? case 1: ring-crossing fault changes procedure s ring Ring 6 5 4 3 2 a 2 c 2 c 1 Allow with gate No ring fault increases from r to a1 case 2: keep same ring number case 3: gate checks args, decreases ring number Target code segment defines the new ring 1 0 a 1 Ring fault 14

Examples Process in ring 3 accesses data segment access bracket: (2, 4) What operations can be performed? Process in ring 5 accesses same data segment What operations can be performed? Process in ring 5 accesses procedure segment access bracket (2, 4) call bracket (4, 6) Can call be made? How do we determine the new ring? Can new procedure segment access the data segment above? 15

More Multics Segments Named segments are protected by access control lists and MLS protections Hierarchically arranged Precursor to hierarchical file systems Memory segment access is controlled by hardware monitor Multics hardware retrieves segment descriptor word (SDW) Like a file descriptor Based on rights in the SDW determines whether can access segment Master mode (like root) can override protections 16

Multics & Reference Monitor Multics Final Report - Schroeder Multics is too large to satisfy verifiability Multics was 44K SLOC! What about tamperproofing and complete mediation? 17

Multics Vulnerability Analysis Karger and Schell - Detailed security analysis covering Hardware Software Procedural features (administration) Good news Design for security System language prevents buffer overflows Defined buffer sizes Hardware features prevent buffer overflows Addressing off segment is an error Stack grows up System is much smaller than current UNIX system 18

Vulnerabilities Found Hardware Indirect addressing -- incomplete mediation Check direct, but not indirect address Mistaken modification introduced the error Software Ring protection (done in software) Argument validation was flawed Certain type of pointer was handled incorrectly Master mode transfer For performance, run master mode program (signaler) in user ring Development assumed trusted input to signaler -- bad combo Procedural Trap door insertion goes undetected 19

Now forward to UNIX... 20

Privilege Escalation Sounds bad, but... Many programs depend on a mechanism to increase rights Example: Password Run shell as you, but need to change your password Requires modification to file /etc/shadow Only modifiable by root What do you do? 21

UID Transition: Setuid A special bit in the mode bits Execute file Resulting process has the effective (and fs) UID/GID of file owner Enables a user to escalate privilege For executing a trusted service Downside: User defines execution environment e.g., Environment variables, input arguments, open descriptors, etc. Service must protect itself or user can gain root access All UNIX services involve root processes -- many via setuid 22

UNIX Security Limitations Circa 2000 Problems Discretionary access control Setuid root processes Network-facing daemons vulnerable Name resolution vulnerabilities (we still have those) What can we do? 23

UNIX Security Limitations Circa 2000 Problems Discretionary access control Setuid root processes Network-facing daemons vulnerable Name resolution vulnerabilities (we still have those) What can we do? Reference validation mechanism that satisfies reference monitor concept Protection system with mandatory access control (mandatory protection system) 24

Linux Security Modules Reference validation mechanism for Linux Upstreamed in Linux 2.6 Support modular enforcement - you choose SELinux, AppArmor, POSIX Capabilities, SMACK,... 150+ authorization hooks Mediate security-sensitive operations on Files, dirs/links, IPC, network, semaphores, shared memory,... Variety of operations per data type Control access to read of file data and file metadata separately Hooks are restrictive 25

LSM Hooks Linux Security Modules Systems and Internet Infrastructure Security (SIIS) Laboratory 26 1

Linux Security Modules LSM API Now LSMs are always compiled into the kernel Systems CSE543 - and Introduction Internet Infrastructure to Computer Security and Network (SIIS) Security Laboratory 27 14

LSM & Reference Monitor Does LSM satisfy reference monitor concept? 28

LSM & Reference Monitor Does LSM satisfy reference monitor concept? Tamperproof Can MAC policy be tampered? Can kernel be tampered? By network threats? 29

LSM & Reference Monitor Does LSM satisfy reference monitor concept? Tamperproof Can MAC policy be tampered? Can kernel be tampered? By network threats? Verifiable How large is kernel? Can we perform complete testing? 30

LSM & Reference Monitor Does LSM satisfy reference monitor concept? Tamperproof Can MAC policy be tampered? Can kernel be tampered? By network threats? Verifiable How large is kernel? Can we perform complete testing? Complete Mediation What is a security-sensitive operation? Do we mediate all paths to such operations? 31

LSM & Complete Mediation Security-sensitive operations Instructions? Which? Structure member accesses? To what data? Data types whose instances may be controlled Inodes, files, IPCs, tasks,... Approaches Mediation: Check that authorization hook dominates all control-flow paths to structure member access on security-sensitive data type Consistency: Check that every structure member access that is mediated once is always mediated Several bugs found - some years later 32

LSM & Analysis Complete Mediation THREAD-A: (1) fd1 = op (2) fd2 = op (3) fcntl(fd Static analysis of Zhang, Edwards, and Jaeger [USENIX Security 2002]! Based on a tool called CQUAL! Found a TOCTTOU bug! Authorize filp in sys_fcntl! But pass fd again to fcntl_getlk! Many supplementary analyses were necessary to support CQUAL! /* from fs/fcntl.c */ long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg) { struct file * filp;... filp = fget(fd);... } err = security ops->file ops ->fcntl(filp, cmd, arg);... err = do fcntl(fd, cmd, arg, filp);... static long do_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg, struct file * filp) {... switch(cmd){... case F_SETLK:... }... } err = fcntl setlk(fd,...); /* from fs/locks.c */ fcntl_getlk(fd,...) { struct file * filp;... } filp = fget(fd); /* operate on filp */... Figure 8: Code path from Linux 2.4.9 containing an exploitable type error. KERNEL (4) fi (5) se (6) fc THREAD-B: /* this clos * and assig */ (7) dup2( fd KERNEL /* thi * fil */ (8) fi (9) lo Fig chance of race not properly sy tial exploits. Here we presen curity checks th are performed o ple, the followin dentry structu on the inode s /* from fs/a... security_ops ->setattr(... inode = dent inode_setatt... ystems CSE543 and - Introduction Internet Infrastructure to Computer Security and Network (SIIS) Laboratory Security It is also quite c data structure 2133 an

Take Away Goal: Build authorization into operating systems Multics and Linux Requirements: Reference monitor Satisfy reference monitor concept Multics Mediation on segments Still some bugs; not convinced could verify Linux Did not enforce security (DAC, Setuid, root daemons) Linux Security Modules Approximates reference monitor assuming network threats only -- some challenges in ensuring complete mediation 34

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information