Introduction to Computer Security

Transcription

1 Introduction to Computer Security UNIX and Windows Security Pavel Laskov Wilhelm Schickard Institute for Computer Science

2 Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component system secure design from ground up: implementation of the Bell-La Padula model initial development from 1963 to 1969; continued until 1985; last system decommissioned in 2000

3 Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability, modular, multi-component system secure design from ground up: implementation of the Bell-La Padula model initial development from 1963 to 1969; continued until 1985; last system decommissioned in 2000 UNIX: the opposite of MULTICS initial assembler implementation by Ken Thompson and Dennis Ritchie for PDP-7 and PDP-11 rewritten in C in 1973: the first operating system written in a high-level language continuous evolution of various dialects of UNIX and its routines for almost 40 years

4 Security and UNIX design Security was not a primary design goal of UNIX; dominant goals were modularity, portability and efficiency. UNIX provides sufficient security mechanisms that have to be properly configured and administered. The main security strength of UNIX systems comes from open source implementation which helps improve its code base. The main security weakness of UNIX systems comes from open source implementation resulting in a less professional code base.

5 Principals User identifiers (UID) Group identifiers (GID) A UID (GID) is always a 16-bit number A superuser (root) always has UID 0. UID information is stored in /etc/passwd GID information is stored in /etc/group

6 User account information: /etc/passwd 1. Username: used when user logs in, 1 32 characters long 2. Password: x indicates that encrypted password is stored in /etc/shadow 3. User ID (UID): 0 reserved for root, 1-99 for other predefined accounts, for system accounts/groups 4. Group ID (GID): the primary group ID 5. User ID info: a comment field 6. Home directory: The absolute path to the directory the user will be in when they log in 7. Command/shell: The absolute path of a command or shell (/bin/bash)

7 /etc/passwd examples root:x:0:0:root:/root:/bin/bash dhcp:x:101:102::/nonexistent:/bin/false syslog:x:102:103::/home/syslog:/bin/false laskov:x:1000:1000:pavel Laskov,,,:/home/laskov:/bin/bash nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

8 Shadow password file 1. Username: the user name 2. Passwd: the encrypted password 3. Last: days since Jan 1, 1970 that password was last changed 4. May: days before password may be changed 5. Must: days after which password must be changed 6. Warn: days before password is to expire that user is warned 7. Expire: days after password expires that account is disabled 8. Disable: days since Jan 1, 1970 that account is disabled Examples: root:!:14118:0:99999:7::: laskov:$1$/et/grjh$xssvnwpda35twsst7yjvb/:14118:0:99999:7:

9 Group file 1. Groupname: the group name 2. Password: an x indicates that a password is set and if left blank no password has been set 3. GID: the group ID number 4. Members: current members of the group separated by a comma Examples: root:x:0: adm:x:4:laskov laskov:x:1000:

10 Root privileges Almost no security checks: all access control mechanisms turned off can become an arbitrary user can change system clock Some restrictions remain but can be overcome: cannot write to read-only file system but can remount them as writable cannot decrypt passwords but can reset them Any user name can be root! root:x:0:1:root:/:/bin/sh funnybunny:x:0:101:nice Guy:/home/funnybunny:/bin/sh

11 Subjects The subjects in UNIX are processes identified by a process ID (PID). New process creation fork: spawns a new child process which is an identical process to the parent except for a new PID vfork: the same as fork except that memory is shared between the two processes exec family: replaces the current process with a new process image Processes are mapped to UIDs (principal-subject mapping) in either of the following ways: real UID is always inherited from the parent process effective UID is either inherited from the parent process or from the owner of the file to be executed

12 Objects Files, directories, memory devices, I/O devices etc. are uniformly treated as resources subject to access control. All resources are organized in tree-structured hierarchy Each resource in a directory is a pointer to the inode data structure that describes essential resource properties.

13 Inode structure mode uid gid atime mtime itime block count ptr file type and access control rights user name group name last access time last modification time last inode change time size of the file in blocks pointers to physical blocks with file contents

14 Mode field in detail File/resource type - file d directory b block device file c character device file s socket l symbolic link p FIFO Access control rules (permissions) owner rights r, w, e, - group rights r, w, e, - world rights r, w, e, - Examples -rw-r--r-- 1 laskov laskov unix.tex lrwxrwxrwx 1 root root stdin -> /proc/self/fd/0 crw laskov tty /dev/pts/1

15 Directory permissions read: searching a directory using e.g. ls write: modifying directory contents, creating and deleting files and directories execute: making a directory current and/or opening files in it

16 Managing permissions Octal encoding of permissions read-only: 100 B 4 read-write: 110 B 6 read-write-execute: 111 B 7 Modifying permissions chmod 777 filename chmod u+rwx,g+rx,o-w filename Changing file owner (root only) chown user:group filename

17 Default permissions Default permissions are usually 666 for files and 777 for directories. umask command changes default permissions synopsis: umask mask the inverse of mask is ANDed with the current permissions Examples: def. perm. mask inv. mask result

18 Controlled invocation Certain actions, e.g. using system ports (1-1023) or changing a password, require root privileges. We don t want to give users a general root privilege by telling them a root password, but only the right to run selected commands as root. Solution: set a special flag indicating that a program can be run under the privilege of its owner rather than that of a calling user. Disadvantage: this right cannot be given to selected users: all users in the world (or in a group) can run a program under its owner s privilege.

19 SUID, SGID and sticky flags A fourth octal number is added to permissions with the following bit designations: SUID: set UID (allow all users to run a program) SGID: set GID (allow all users in a specific group to run a program) sticky flag: only an owner (or root) can remove files in a directory Use chmod with four octal digits to set the extra flags: chmod unix.tex ls -l 08-unix.tex -rwsr-sr-t 1 laskov laskov unix.tex

20 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh

21 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh Ownership transfer to root is forbidden!

22 Security risks of SUID Privilege escalation chmod 7700 bad-script.sh chown root:root badscript.sh./bad-script.sh Ownership transfer to root is forbidden! Exploitation automatically receives root privileges

23 Search paths An attacker can diverting of execution of another program with the same name. Rules of conduct: If possible, specify full paths when calling programs, e.g. /bin/sh instead of sh. The same applies to programs to be run locally: use./program instead of program. Make sure. is the first symbol in the PATH variable. This will at least prevent calling a remote version of a program if what you really want is a local invocation.

24 Path and SUID combined $ ls -altr /home/sitka/ping -rwsrwxr-x 1 root root 8378 Dec 12 09:58 /home/sitka/ping $ cat ping.c #include <unistd.h> int main() { char *args[2]; args[0] = "/bin/sh"; args[1] = NULL; execve(args[0], args, NULL);} $ PATH=/home/sitka:${PATH} $ ping # whoami root

25 Security features missing in UNIX ACLs in general (getfacl only gets permissions) Data labeling, e.g. secret, classified etc. Mandatory access control, so that individuals are unable to overrun certain security decisions made by an admin (e.g. chmod 777 $HOME is always possible) Capabilities are supported by only a small subset of UNIX-like operating systems (e.g. Linux with kernel versions above ) Standardized auditing

26 Microsoft Windows Family Tree Key security milestones: NT 3.51 (1993): network drivers and TCP/IP Windows 2000: Active Directory, Kerberos, security architecture. Server 2003: security policies, LAN and wireless security Vista (2007): no admin-by-default, firewall, DEP, ASLR 64-bit versions (Vista+): mandatory kernel code signing

27 Security components of Windows OS Kernel mode: Security Reference Monitor: ACL verification User mode: Log-on process (winlogon): user logon Local Security Authority (LSA): password verification and change, access tokens, audit logs (MS04-11 buffer overflow: Sasser worm!) Security Accounts Manager (SAM): accounts database, password encryption User Account Control (UAC, Vista): enforcement of limited user privileges

28 Windows registry A hierarchical database containing critical system information Key-value pairs, subkeys, 11 values types A registry hive is a group of keys, subkeys, and values Security-related registry hives: HKEY_LOCAL_MACHINE\SAM: SAM database HKEY_LOCAL_MACHINE\Security: security logs, etc HKEY_LOCAL_MACHINE\Software: paths to programs! Security risks: manipulated registry entries missing security-related registry keys

29 Windows domains A domain is a collection of machines sharing user accounts and security policies. Domain authentication is carried out by a domain controller (DC). To avoid a single point of failure, a DC may be replicated

30 Active directory Active directory introduced in Windows 2000 is an LDAP-like directory service for organization of system resources: Users and groups Security credentials and certificates System resources (desktops, servers, printers) Security policies DNS service Trust management

31 Access control in Windows Access control is applied to objects: files, registry keys and hives, Active Directory objects. More than just access control on files! Various means exist for expressing security policies: groups roles ownership and inheritance rules complex access rights

32 Principals Principals are active entities in security policies Principals can be local users aliases domain users groups machines Principals have a human readable user name and a unique security identifier (SID) Local principals are created by a LSA, e.g. principal = MACHINE\principal Domain principals are administered by DC, e.g. principal@domain = DOMAIN\principal

33 Security identifiers A security identifier (SID) is a unique, machine generated code of varying length used to identify principals. Format: S-1-IA-SA-SA-SA-N, where IA (identifier authority): characterizes an issuer, e.g. World Authority (1) or Local Authority (2) SA (subauthority): identifies a specific SID issuer, e.g. a domain controller N: relative identifier, unique for each authority Examples: Everyone (World): S System: S Administrator: S <domain>-500

34 Principals used for access control SID: an individual principal Group: a collection of principals managed by DC; groups have their own SIDs and can be nested Alias: a local group managed by LSA; cannot be nested Aliases implement logical roles: an application may define an alias to which SIDs are assigned at run-time

35 Subjects Subjects are active entities in OS primitives. Windows subjects are processes and threads. Security credentials for a subject are stored in a token. Tokens provide a principal/subject mapping and may contain additional security attributes. Tokens are inherited (possibly with restrictions) during creation of new processes.

36 Token contents Identity and authorisation contents user SID, group SIDs, alias SIDs privileges Defaults for new securable objects owner SID, group SID, DACL Miscellaneous attributes logon SID

37 Privileges A set of fixed privileges is defined by numeric constants in Winnt.h Privileges control access to system resources. Example privileges: load or unload a device driver lock a page in a physical memory create a computer account shut down a system modify a system time Privileges are not access rights!

38 Objects Objects represent various passive OS entities Example Windows objects: files or directories pipes processes and threads file mappings access tokens window-management objects registry keys printers network shares synchronization objects job objects Active Directory objects Security of built-in objects is managed by OS Security of private objects must be managed by applications Securable objects are equipped with a security descriptor

39 Security descriptor Owner: a principal who owns an object Primary group: for POSIX compatibility DACL: specifies who is granted and who is denied access SACL: specifies a security audit policy

40 Access rights: an overview Describe what one can do to an object Encoded as a 32-bit mask Standard access rights (bits 16 23) are common to most object types DELETE READ_CONTROL: read object s security descriptor SYNCHRONIZE: use object for synchronization (not all objects) WRITE_DAC: change object s DACL WRITE_OWNER: change object s owner Object-specific rights (bits 0 15) are tailored to each class of objects Extended rights can be specified for Active Directory entries.

41 Generic access rights The highest 4 bits (28 31) represent generic access rights: GENERIC_READ GENERIC_WRITE GENERIC_EXECUTE GENERIC_ALL Each class of objects maps its generic rights to object-specific rights. Generic rights are used to simplify design: they provide an intermediate description level for access rights.

42 ACLs in Windows DACL in a security descriptor is a list of Access Control Entries (ACE) ACE format: ACE type: positive or negative permissions Principal SID Access rights mask Inheritance flags ACEs are processed sequentially until either some entry denies all requested access rights or a set of ACEs grants all requested access rights

43 ACE matching algorithm For any objects that do not have DACL, access is always granted. For all other objects, the subject s token is compared sequentially with each ACE as follows: ACE does not contain a matching SID: skip and continue. SID matches and contains a negative permission: deny access and stop. SID matches and contains a positive permission: if accumulated access rights match access mask, grand access and stop. otherwise add ACE to the accumulated access rights and continue.

44 Summary: UNIX vs. Windows

45 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management

46 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management Windows has a long tradition of excessive superuser privileges.

47 Summary: UNIX vs. Windows Windows has more security features: Fine-grained access control via ACLs Automatically generated security identifiers Secure storage of user credentials Active directory and trust management Windows has a long tradition of excessive superuser privileges. Complex security features in Windows coupled with closed-source implementation lead to potential insecurity due to misconfiguration.