INSE 6130 Operating System Security

Transcription

1 INSE 6130 Operating System Security Secure Booting Prof. Lingyu Wang 1 Overview AEGIS: Secure Bootstrap Architecture TPM: Trusted Platform Module 2 1

2 The Problem All security controls are initiated by... what? Why are we so sure about our kernel/bios/hardware? What if we were insecure from the very beginning? Network Service Security Access Control Authentication tion Auditing and Logging 3 Recall the Smartest Hack of All Time Ken Thompson, in his 1983 Turing Award lecture, admitted a back door he created in early UNIX versions Clean Source of Compiler Compiler Clean Source of UNIX UNIX If you start insecure, you always end up insecure Kenneth Thompson and Dennis Ritchie 4 2

3 OS Boot Process Problem: many things could already go wrong before your OS security controls can ever come into effect! User Programs Operating System (security control) Expanded ROMs Boot Block (MBR,GRUB) BIOS POST 5 Solution: AEGIS Architecture Each level needs to verify its upper level s integrity before the control is passed Level 0 is secure We assume it is If level i can ensure level i+1 is secure, then all levels will be secure (a simple mathematical induction) Expanded ROMs User Programs Operating System Boot Block (MBR,GRUB) BIOS section2 Level 5 Level 4 Level 3 Level 2 Level 1 trusted AEGIS ROM BIOS section1 POST Level 0 6 3

4 Integrity Chaining How does level i ensures integrity of level i+1? Level i stores a digital signature of level i+1 What if this signature is altered? The signature is part of level i So level i-1 will detect the modification Expanded ROMs BIOS section2 trusted AEGIS ROM BIOS section1 POST 7 What If The Check Fails? The boot process will be terminated if a check fails at any level Good for integrity, bad for availability Recovery mechanisms The system will boot into a small recovery kernel in ROM (like safe mode of OS) Then recover either from ROM cards or from network hosts Again, why can we trust what we trust? Bottom line: hacking hardware is more difficult than hacking software 8 4

5 Overview AEGIS: Secure Bootstrap Architecture TPM: Trusted Platform Module 9 Background Extending the ideas of AEGIS TCG (Trusted Computing Group) Industry standards body w/ 135 members including component vendors, software developers, systems vendors and network and infrastructure companies, e.g., AMD, HP, IBM, Intel, Lenovo, Microsoft, Sun Key component TPM (Trusted Platform Module) chip Roughly the AEGIS ROM role Shipped in hardware: Thinkpad, Lifebook, etc. Supported by software: Windows Vista, Trusted GRUB etc. 10 5

6 Architecture of TPM Borrowed from Dan Boneh s slides here 11 How Does TPM Work Very similar to AEGIS Borrowed from Dan Boneh s slides here 12 6

7 What Else Can Be Achieved Besides ensuring the integrity of booting process? Encrypted partitions Offline security (stolen laptops): only verified software can decrypt the partitions Ease data deletion/machine recycling: just change TPM to remove the decryption key 13 INSE 6130 Operating System Security Securing Network Services Prof. Lingyu Wang 14 7

8 Outline Overview inetd/xinetd tcp_wrapper iptables Telnet/FTP/SSH 15 Any Problem in Computer Science Can Be Solved with Another Layer of Indirection (Abstraction) ISO/OSI model vs TCP/IP suite Application layer Presentation layer Session layer Transport layer Nt Network layer Data link layer Physical layer Application layer Transport layer Internet layer Data link layer Physical layer HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, FTP BitTorrent, TCP, UDP, RTP SSL IPv4, IPv6 IPSEC Ethernet, Wi-Fi, Token ring, FDDI,PPP RS-232, 10BASE-T, 16 8

9 Network Model (Conceptual/physical) communications Application layer Application layer Application layer Presentation layer Presentation layer Session layer Session layer Transport layer Transport layer Transport layer Network layer Network layer Network layer Internet layer Data link layer Data link layer Data link layer Data link layer Physical layer Physical layer Physical layer Physical layer Alice Eve Bob 17 UNIX/Linux Basic defense in UNIX/Linux: Iptables-based firewall + tcp_wrapper + xinetd It s basic, so you too should have it It s basic, so you shouldn t depend on it 18 9

10 Outline Overview inetd/xinetd tcp_wrapper iptables Telnet/FTP/SSH 19 The UNIX Internet Daemon (inetd) inetd is a super server It runs at boot time as part of the startup procedure It examines /etc/inetd.conf to determine which network services are under its control No longer used in some OSs (e.g., inetd in Solaris is now configured in the Service Management Facility) Then listen to those ports Upon a connection request, inetd starts the appropriate server 20 10

11 The UNIX Internet Daemon (inetd) A sample inetd.con file might look like this: # Internet server configuration database #ftp stream tcp nowait root /usr/etc/ftpd ftpd #telnet stream tcp nowait root /usr/etc/telnetd telnetd #shell stream tcp nowait root /usr/etc/rshd rshd #login stream tcp nowait root /usr/etc/rlogind rlogind #echo stream tcp nowait root internal #daytime stream tcp nowait root internal #time stream tcp nowait root internal #echo dgram udp wait root internal Service Socket type protocol type Re-use server Routinely check the file user Command/ argument After break ins, services may be installed for later use 21 xinetd A replacement for inetd Fedora is not shipped with inetd; it uses xinetd Is better Providing access control to services based on Address/(domain) name of remote host, and time of access Can alleviate DOS by placing limits on The number of processes for each service The number of processes it will fork The size of log files it creates The number of connections a single host can initiate Rate of incoming connections Extensive logging abilities

12 Outline Overview inetd/xinetd tcp_wrapper iptables Telnet/FTP/SSH 23 tcp_wrapper tcp_wrapper does the following: (Optionally) sends a "banner" to connecting client Compares hostname/requested service with a (negative) ACL If denied, tcpwrapper drops the connection Logs the results with syslog Advantages Transparent to both the client and the wrapped network service Centralized management of multiple protocols 24 12

13 tcp_wrapper Configuration Configuration files decide which connections to accept /etc/hosts.allow and /etc/hosts.deny When a connection reaches tcpwrapper: It reads /etc/hosts.allow to match a rule and executes the specified actions If no match, it checks /etc/hosts.deny to match a rule and then denies access If still no match, it handles the request to server At most one rule is executed On a first-come-first-serve basis 25 tcp_wrapper Configuration Language Format of /etc/hosts.allow and/etc/hosts.deny: daemon_list : client_host_list [: option : option... ] daemon_list Command name of a list of services Wildcard ALL client_host_list The hostname or IP address of clients Wildcard ALL, LOCAL, KNOWN, UNKNOWN, PARANOID option : option Actions (e.g., allow, deny, etc.)

14 tcp_wrapper Example 1 To allow all connections except those from the domain pirate.net: # # /etc/hosts.allow: # # Allow anybody to connect to our machine except # people from pirate.net # all :.pirate.net : deny all : all : allow What if the order is reversed? 27 tcp_wrapper Example 2 To only allow finger by internal machines: # # /etc/hosts.allow: # # finger for insiders only # # in.fingerd : LOCAL : allow in.fingerd : ALL : twist /usr/local/bin/some_message message What if the order is reversed? 28 14

15 tcp_wrapper Example 3 If you discover repeated break-in attempts through telnet and rlogin, but you need to telnet into your computer from concordia.ca: # # /etc/hosts.allow: # # Allow telnet & # rlogin from concordia.ca, but nowhere else # telnetd,rlogind : concordia.ca : allow telnetd,rlogind : all : deny 29 tcp_wrapper Utilities tcpdchk scans the configuration file and reports configuration errors % tcpdchk Warning: /etc/host.allow, line 24, iphone: no such process name in /etc/inetd.conf (/etc/host.allow or /etc/inetd.conf are inconsistent) Tcpdmatch simulates a request and see the result % tcpdmatch sshd bush@whitehouse.gov client: hostname whitehouse.gov client: address client: username bush server: process sshd matched: /etc/hosts.deny line 39 option : deny access: denied % 30 15

16 Outline Overview inetd/xinetd tcp_wrapper iptables Telnet/FTP/SSH 31 iptables Where it is In Linux kernel 2.4 or later, a command line program What it is for Define rules for filtering packets What it is Three chains of rules, INPUT, OUTPUT, FORWARD First come first serve input output host forward 32 16

17 iptables Example 1 iptables -A INPUT -s j DROP -A: append to rule chain INPUT -s: source address (IP or DNS name) -j: action (DROP, DENY, ACCEPT) So what does this mean? What about this: iptables -A OUTPUT -d j DROP 33 iptables Example 2 iptables -A INPUT -s /24 -p tcp -- destination-port telnet -j DROP -p: protocol (TCP, UDP, ICMP, etc.) --destination-port: (or source-port) /24: subnet mask (CIDR) iptables -A INPUT -p tcp --destination-port telnet -i wan1 -j DROP -i: input interface (or o) Iptables L, F, -I INPUT 1, -R INPUT 1 -L: list F: flush I: insert R: replace 34 17

18 iptables Example 3 iptables -A INPUT -i wan1 -p tcp --syn -j DROP --syn: syn packet iptables -A INPUT -i ppp0 -p tcp --syn --destinationport! 80 -j DROP!: not equal iptables -P FORWARD ACCEPT Default policy 35 Outline Overview inetd/xinetd tcp_wrapper iptables Telnet/FTP/SSH HTTP, FTP, POP3, SMTP, SNMP, IMAP, IRC, SSH, Telnet, FTP BitTorrent, TCP, UDP, RTP SSL IPv4, IPv6 IPSEC Ethernet, Wi-Fi, Token ring, FDDI,PPP RS-232, 10BASE-T, 36 18

19 Client FTP: Separate Control, Data contacts server at port 21, obtains authorization over control connection, browses remote directory by commands over control connection Server receives a command for a file transfer, opens a TCP data connection to client, closes connection, maintains state : current directory, earlier authentication TCP control connection port 21 FTP client TCP data connection port 20 FTP server 37 Security Issues with FTP Passwords typed to FTP are transmitted in clear 38 19

20 FTP in active mode makes it difficult to implement packet-based firewalls Because server needs to initiate the data connection Bounce attack Security Issues with FTP (Cont d) 39 Telnet Risks Username, Password and other session data are transmitted over the network in clear In Ethernet, packets sent between computers are actually delivered to every computer on the wire Telnet session packets are vulnerable throughout their journey ISPs have a single computer compromised and every Telnet connection passing through it had its password sniffed A second danger of Telnet is session hijacking After you log in using your password, the attacker can seize control of the session and type whatever commands he wishes 40 20

21 What is SSH? SSH Secure Shell A software Commercial version Freeware ( A protocol For secure remote login/many other network services SSH-1 developed in 1995 by Tatu YlöneninFinland Internet Engineering Task Force (IETF) Draft in