Operating system security

Transcription

1 Operating system security Tuomas Aura T Information security technology Aalto University, autumn 2011

2 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This lecture material is based on a joint course with Dieter Gollmann. 2

3 UNIX ACCESS CONTROL 3

4 Principals Users and groups are the principals Users have username and user identifier (UID) Groups have group name group identifier (GID) UID and GID are usually 16-bit numbers 0 = root = aura 100 = users Both names and identifiers are permanent; difficult to change once selected UID values differ from system to system Superuser (root) UID is always zero 4

5 User accounts User accounts are stored in /etc/passwd User account format: username:password:uid:gid:name:homedir:shell Example: root:7kssi2k.df:0:0:root:/root:/bin/bash mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: ace:69gedfelkw:500:103:alice:/home/ace:/bin/bash carol:7fkkdefh3d:501:102:carol:/home/carol:/bin/nolo gin tuomas:*:502:102:tuomas Aura:/home/tuomas:/bin/tcsh al::503:102::/home/al:/bin/bash dieter:rt.qszeesxt92:10026:53:dieter Gollmann:/home/staff/dieter:/bin/bash 5

6 User account details User name: up to eight characters long Password: stored encrypted (really a hash) User ID: user identifier for access control group ID: user s primary group ID string: user's full name Home directory Login shell: the program started after successful log in 6

7 Superuser The superuser is a special privileged principal with UID 0 and usually the user name root There are few restrictions on the superuser All security checks are turned off for the superuser The superuser can become any other user Examples: The superuser cannot write to a read-only file system but can remount it as writeable The superuser cannot decrypt passwords (because they are hash values) but can reset them 7

8 Groups Users belong to one or more groups The file /etc/group contains a list of all groups; file entry format: groupname:password:gid:list of users Example: infosecwww:*:209:carol,al Every user belongs to a primary group; the group ID (GID) of the primary group is stored in /etc/passwd Depending on the Unix OS, user can belong to only one or many groups at the same time Usually only superuser can add groups and members 8

9 Subjects The subjects in Unix are processes; a process has a process ID (PID) Processes can create new processes Processes have a real UID and an effective UID (similarly for GID) Real UID/GID: inherited from the parent; typically UID/GID of the user logged in Effective UID/GID: inherited from the parent process or from the file being executed 9

10 Example UID GID Process real effective real effective /bin/login root root system system User dieter logs on; the login process verifies the password and (with its superuser rights) changes its UID and GID: /bin/login dieter dieter staff staff The login process executes the user s login shell: /bin/bash dieter dieter staff staff From the shell, the user executes a command, e.g. ls /bin/ls dieter dieter staff staff The user executes command passwd to change his password: /bin/passwd dieter root staff system 10

11 Objects Files, directories, devices are uniformly treated as resources These resources are the objects of access control The resources are organized in a tree-structured file system Each file entry in a directory is a pointer to a data structure called inode Inode stores information about the owner user and group, and permissions 11

12 Information about objects Example: directory listing with ls -l -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx dieter staff 512 Oct 25 17:44 ads/ File type: first character - file d directory b block device file c character device file s socket l symbolic link p FIFO pipe File permissions: next nine characters Link counter: the number of links (i.e. directory entries pointing) to the inode 12

13 Information about objects -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx dieter staff 512 Oct 25 17:44 ads/ Username of the owner: usually the user that has created the file Group: a newly created file usually belongs to its creator s group File size, modification time, filename Owner and root can change permissions (chmod); root can change the file owner and group (chown) Filename is stored in the directory, not in inode 13

14 File permissions Permission bits are grouped in three triples that define read, write, and execute access for owner, group, and other A - indicates that a right is not granted. rw-r--r-- read and write access for the owner, read access for group and other rwx read, write, and execute access for the owner, no rights to group and other 14

15 File permissions When ls l displays a SUID program, the execute permission of the owner is given as s instead of x: -rws--x x 3 root bin Nov passwd* When ls l displays a SGID program, the execute permission of the group is given as s instead of x 15

16 Octal representation File permissions can also be specified as octal numbers Examples: rw-r--r-- is equivalent to 644; rwxrwxrwx is equivalent to 777 Conversion table: 0040 read by group 4000 set UID on execution 0020 write by group 2000 set GID on execution 0010 execute by group 1000 set sticky bit 0004 read by other 0400 read by owner 0002 write by other 0200 write by owner 0001 execute by other 0100 execute by owner 16

17 Access control decisions Access control uses the effective UID/GID: If the subject s UID owns the file, the permission bits for owner decide whether access is granted If the subject s UID does not own the file but its GID does, the permission bits for group decide whether access is granted If the subject s UID and GID do not own the file, the permission bits for other (also called world) decide whether access is granted Note that although the permission bits may give the owner less access than to others, the owner can always change the permissions (discretionary access control) 17

18 Permissions for directories Read permission: to find which files are in the directory, e.g. for executing ls Write permission: to add files to and remove files from the directory Execute permission: to make the directory the current directory (cd) and for opening files inside the directory E.g. every user has a home directory for which correct permissions for the directory are required 18

19 Sticky bit Job queues for printing etc., are often implemented as a world-writable directories; anyone can add a file Problem: anyone can also delete files Solution: sticky bit on a directory restricts the deletion of files in that directory only to the file owners (and the superuser) Another problem: either the files in the print queue need to be readable to everyone or the print daemon needs to run as root Solution: in Linux, SGID bit on a directory means that new files inherit their group from the directory, not from the user who creates them; can create a special group for the print daemon (Sticky bit originally indicated that a process should not be swapped to disk. Its use varies between Unix versions.) 19

20 Default permissions Unix utilities typically use default permissions 666 for a new data file and 777 for a new program file Permissions can be restricted with umask: a three-digit octal number specifying the rights that should be withheld File permissions = default AND (NOT umask) Sensible umask values: 022: all permissions for the owner, read and execute permission for group and other 037: all permissions for the owner, read permission for group, no permissions for other 077: all permissions for the owner, no permissions for group and other Example: default permissions 666, umask 077 permissions for new file

21 Controlled Invocation Superuser privilege is required to execute certain operating system functions Example: only processes running as root can listen at the privileged ports Solution adopted in Unix: SUID (set user id) programs and SGID (set group id) programs SUID or SGID programs run with the effective user ID or group ID of their owner or group, giving controlled access to files not normally accessible to other users 21

22 SUID to root When root owns an executable file and the SUID bit is set, the process will get superuser status during execution Important SUID programs: /bin/passwd change password /bin/login login program /bin/at batch job submission /bin/su change UID program SUID programs need to be written very carefully so that their privileges cannot be misused and they only do what is intended 22

23 Unix access control dicsussion Limitations: Files have only one owner and group Complex policies, e.g. access to several groups, are impractical to implement Superuser needed for maintaining groups All access rights (e.g. shutdown, create user) must be mapped to files access and to read, write and execute permissions Relatively simple and widely understood Relatively easy to check the protection state Unix versions may implement additional access control features 23

24 WINDOWS ACCESS CONTROL 24

25 Windows Security Model Principals = users, machines, groups, Objects = files, Registry keys, printers, Each object has an discretionary access control list (DACL) The active subjects are processes and threads Each process (or thread) has an access token When is a process allowed to access an object? Object DACL is compared with the process s security token when creating a handle to the object 25

26 Security indentifier Principal names: machine\principal or domain\principal Aalto\Alice, pc3\administrators, plover\aura = Tuomas Aura Each principal has a unique security identifier (SID) Names may change; SID is permanent User SIDs: S = Alice S = Administrator Typical way to create unique use SIDs: S machine or domain id + relative id Well-known SIDs: S = Local System, S = Everyone, S-1-5-domain-513 = Domain Users, etc. 26

27 Windows domains Windows machine has a Local Security Authority (LSA), which can create local users and local groups (=aliases) Local principals are stored in Registry A Windows server can become a Domain Controller (DC), and other machines can join its domain Domain administrators manage the domain users and groups centrally at the DC Domain principals are stored in Active Directory Names: domain\principal or principal@domain DC provides authentication services to other machines Domain user can log into any domain-joined machine Kerberos protocol used for distributed authentication In large organizations, DCs and domains can form a hierarchy 27

28 Access token Each process has an access token (=security token) Token contains Login user account SID (the process runs as this user) SIDs of all groups in which the user is a member (recursively) All privileges assigned to these groups etc. Privileges are special local access rights: Backup, audit security log, take ownership, trusted for delegation, debugging, performance profiling, shutdown. etc. Groups can be built-in or defined by admins: Users, Administrators, Remote Desktop Users Sales, Security Lab, Researchers, Europe Employees Token never changes after it has been created Reliability, efficiency vs. revocation speed Tokens for child processes may be restricted 28

29 Creating subjects The machine is always running a logon process (winlogon.exe) as the principal SYSTEM When a user logs on to a machine, the logon process collects credentials (e.g. user password) and presents them to the LSA the LSA (lsass.exe) verifies the credentials the logon process starts a shell (explorer.exe) in a new logon session as the user (=principal) Shell spawns processes to the same logon session Logging off destroys the logon session and all processes in it 29

30 Creating more subjects A process can spawn a new local process (subject) by calling e.g. CreateProcess Each process has its own access token New process gets a copy of its parent s token Threads can be given their own tokens, so that they become independent subjects User s network credentials (e.g. password or Kerberos ticket) are cached in the logon session Processes can create network logon sessions for that user at other machines 30

31 Objects Objects: files, folder, Registry and AD objects, printers, processes... Objects can be containers for other objects Securable objects have a security descriptor, which contains the DACL Object also has an owner (identified by SID), who has the implicit right to read and write the DACL (discretionary access control) 31

32 Permissions Permissions are actions that apply to each object class Some generic permissions are defined for all objects: read, write, execute, all, delete, etc. Specific permissions are defined for each class: Append, AddSubDir, CreateThread,etc. Permissions are encoded as a 32-bit mask Object DACL specifies which principals (SIDs) have which permissions 32

33 Access control lists DACL is a list of access control entries (ACEs) ACE format: Type: positive or negative (grant or deny) Permissions Principal (SID): who the ACE applies to Flags Object Type Inherited Object Type 33

34 DACL example ACE1 - Tuomaura ACE2 + Diego ACE2 + Lecturers ACE4 + EVERYONE Write Full Control Read, Write Read This ACL grants read access but no write access to the user Tuomaura Negative access control entries (ACEs) are placed before positive ones 34

35 Viewing the DACL and ACEs Right-click on a file; select Properties/ Security DACL (ACEs) Click on Advanced to see the entire security descriptor Permissions for the selected ACE 35

36 Access check algorithm Process specifies the desired access (requested permissions) when creating a handle to the object Privileges or implicit owner permissions may alone be sufficient to grant access Otherwise, check DACL as follows: Look for ACEs that match (1) any SID in the subjects token and (2) any desired access right If any negative ACE matches, deny access If positive ACEs are found for all requested permissions, grant access If the end of DACL is reached, deny access 36

37 Performance and reliability Access rights are determined at login time The user s group SIDs are cached in the token of the login process, and sub-processes get a copy of the token The token contents will not change even if a membership or privilege is revoked from a SID Desired access is compared against the token and DACL when creating a handle to the object not at access time Changing file DACL does not affect open file handles Consequences: Better performance Better reliability because a process knows in advance whether it has sufficient access rights for a task No immediate revocation of access rights 37

38 ACE inheritance + Diego Read, Write Flags: OBJECT_INHERIT Folder File A + Diego Read, Write Flags: INHERITED_ACE File B - Diego Write + Diego Read, Write Flags: INHERITED_ACE Container objects can have inheritable ACEs Inherited ACEs are copied to the end of sub-object DACLs; aces on the sub-object can override them Inherited ACEs are updated if the original changes 38

39 Container hierarchy + Diego Read, Write Flags: OBJECT_INHERIT, INHERIT ONLY + Diego Read, Write Folder X Folder Y Folder Z Flags: INHERITED_ ACE, INHERIT ONLY, OBJECT_INHERIT - Diego Write Flags: OBJECT_INHERIT + Diego Read, Write Flags: INHERITED_ACE INHERIT_ONLY, OBJECT_INHERIT + Diego Read, Write Flags: INHERITED_ACE File A File B - Diego Write Flag: INHERITED_ACE + Diego Read, Write Flags: INHERITED_ACE 39

40 Inheriting negative ACEs - Tuomaura Read Flags: OBJECT_INHERIT Folder - Tuomaura Read File A Flags: INHERITED_ACE File B + Tuomaura Read - Tuomaura Read Flags: INHERITED_ACE Inherited negative ACEs can end up after positive ACEs; it is possible to override inherited negative ACEs 40

41 Flags on ACEs: Inheritance flags OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE NO_PROPAGATE_INHERIT_ACE INHERIT_ONLY_ACE INHERITED_ACE ACE applies to leaf objects ACE applies to container objects applies to immediate children only does not apply to the parent itself The ACE has been inherited (Inheritable ACEs can apply to leaf objects, to containers, or to both) Flags on DACLs: SE_DACL_PROTECTED inheritance from containers above this object is blocked 41

42 Blocking inheritance + Diego Read Flags: OBJECT_INHERIT Folder X + Diego Read Flag: INHERITED_ ACE, INHERIT_ONLY Folder Y Folder Z DACL_ PROTECTED + Diego Read, Write Flag: INHERITED_ACE File A File B 42

43 ACE Inheritance ACE1 DACL_ PROTECTED ACE2 ACE3 ACE1 inherited in the entire subtree ACE2 inherited in subtree in front of ACE1 ACE3 inherited in the subtree, ACE1 is blocked 43

44 Advanced inheritance Object hierarchies with inheritance: NTFS, Registry, Active Directory, Inheritable ACEs can apply to only leaf objects or only to containers Similarly, inheritable ACEs can apply to all objects or only to a specific object type Special CREATOR_OWNER SID indicates that the ACE matches to the owner of the object Inheritance simplifies system administration but very few people understand or use it Performance: Inherited ACEs are cached in sub-object DACLs to make access control decisions faster Changing permissions on the top levels of a deep object hierarchy is a slow process; done rarely in applications 44

45 How to see them Local users and aliases: > net user > net localgroup Run compmgmt.msc, see System Tools / Local user and Groups Domain users, groups and aliases: > net user /domain (slow!) > net group /domain > net localgroup /domain Members of a group, e.g.: > net group Researchers /domain User information: > net user alice /domain Privileges: Run secpol.msc, see Local Policies / User Rights Assignment Permissions: > icacls file.txt 45

46 Restricted tokens A process might not always need or want all the rights given by the token Process may create a restricted token remove privileges disable groups: change SIDs to deny-only groups, which are not deleted but marked as USE_FOR_DENY_ONLY add restricted SIDs; a second list of SIDs that is also compared against DACLs Process can assign restricted tokens to its child processes or threads (= impersonation) 46

47 EXAMPLE: IMPLEMENTING THE PRINCIPLE OF LEAST PRIVILEGE 47

48 Unix: applying controlled invocation Sensitive resources, like a web server, can be protected by combining ownership, permission bits, and SUID programs: Create a new UID that owns the resource and all programs that need access to the resource Only the owner gets access permission to the resource Define all the programs that access the resource as SUID programs 48

49 Windows: using restricted SIDs To limit a program s access to a set of objects create a new SID run the program with the new SID as a restricted SID add the new SID to the DACL on objects that the program is allowed to access 49

50 Reading material Dieter Gollmann: Computer Security, 2nd ed., chapter 6 Matt Bishop: Introduction to computer security, chapter 25 Ross Anderson: Security Engineering, 2nd ed., chapter 4 Online: Wayne Pollock, Unix File and Directory Permissions and Modes John R. Michener, Understanding Windows File And Registry Permissions, MSDN Magazine, Nov

51 Exercises: Unix Create a subdirectory in your home directory and put a file welcome.txt in this subdirectory. Set permission bits on the subdirectory so that the owner has execute access. Try to list the subdirectory display the contents of welcome.txt create a copy of welcome.txt in the subdirectory. make the subdirectory the current directory with cd Repeat the same experiment first with read permission and then with write permission on the subdirectory How would you protect a tty device from other users? 51

52 Exercises: Windows How can Unix file permissions can be expressed with Windows ACLs? Assume Fred is member of group Lecturers. Who gets access to an object with DACLs 1. [+,Fred,READ], [-, Lecturers,READ]? 2. [-,Fred,READ], [+, Lecturers,READ]? 3. [-, Lecturers,READ], [+,Fred,READ]? When a new object is created, how is its security descriptor populated? Tokens are objects. How does access control for tokens work? What is the time-of-check-to-time-of-use (TOCTTOU) issue? Where does this create potential problems in the Windows file system? There is no API for giving file ownership to others. Administrators have backup and restore privileges. What trick can they use to change file owner? Changing permissions on a top-level folder in the NTFS file system (such as C:\ or C:\Program Files) is very slow operation. This is actually a performance optimization. Explain why. 52