Security Architecture

Security Architecture
- We've been looking at how particular applications are secured
- We need to secure not just a few particular applications, but many applications, running on separate machines
- We need a few more primitives first
Steven M. Bellovin, November 1, 2007

Confining an Application
- For Web security, we used OS permissions to protect the system against compromise via a compromised Web server
- Suppose we want to isolate the Web server still further
- More precisely, we want to limit the Web server to a small subset of the system's resources

Rationale
- We wish to run powerful, complex applications that we do not completely trust
- Neither Unix nor Windows file permissions are flexible enough to do what we want
- There are other resources besides files that need to be protected

Couldn't We Use MAC?
- MAC usually does not have negative permissions
- We'd have to find and change the protections of every file on the system that was writable/readable/searchable by other
- We'd have to ensure that no other such files were created
- This is all possible but difficult
- More seriously, it is not high assurance

Other Resources
- What other resources need to be protected?
- CPU time
- Memory, real and virtual
- Disk space
- Network identity
- Network access rights

Some Are Easy
- Operating systems already regulate access to some resources
- Unix examples: setrlimit(), file system quotas

Network Identity and Access Rights
- A machine has an IP address
- A compromised application can use this address to exploit address-based access control
- If nothing else, it can confuse intrusion detection systems

Bypassing File Permissions
- Suppose the attacker gains root privileges
- This permits overriding file permissions
- Also allows evasion of other resource limits, plus changes to network identity
- Change the IP address and hide from the system administrator!

Goals
- Security
- High assurance
- Simple setup
- General-purpose mechanism
- Available to all applications
- We can't get them all...

Change Root: chroot()
- Oldest Unix isolation mechanism
- Make a process believe that some subtree is the entire file system
- Files outside of this subtree simply don't exist
- Sounds good, but...

Chroot
[Figure: file system tree rooted at /, with nodes etc, bin, usr, passwd, sh, jail, bin; the jail subtree repeats etc, bin, usr, passwd, sh, bin]

Limitations of Chroot
- Only root can invoke it. (Why?)
- Setting up minimum necessary environment can be painful
- The program to execute generally needs to live within the subtree, where it's exposed
- Still vulnerable to root compromise
- Doesn't protect network identity

Root versus Chroot
- Suppose an ordinary user could use chroot()
- Create a link to the su command
- Create /etc and /etc/passwd with a known root password
- Create links to any files you want to read or write
- Besides, root can escape from chroot()

Escaping Chroot
- What is the current directory?
- If it's not under the chroot() tree, try chdir("../../..")
- Better escape: create device files
- On Unix, all (non-network) devices have filenames
- Even physical memory has a filename
- Create a physical memory device, open it, and change the kernel data structures to remove the restriction
- Create a disk device, and mount a file system on it. Then chroot() to the real root

Trying Chroot

    # mkdir /usr/jail /usr/jail/bin
    # cp /bin/sh /usr/jail/bin/sh
    # chroot /usr/jail /bin/sh
    chroot: /bin/sh: Exec format error
    # mkdir /usr/jail/libexec
    # cp /libexec/ld.elf_so /usr/jail/libexec
    # chroot /usr/jail /bin/sh
    Shared object "libc.so.12" not found
    # mkdir /usr/jail/lib
    # cp /lib/libc.so.12 /usr/jail/lib
    # chroot /usr/jail /bin/sh
    Shared object "libedit.so.2" not found

Trying Chroot (Continued)

    # cp /lib/libedit.so.2 /usr/jail/lib
    # chroot /usr/jail /bin/sh
    Shared object "libtermcap.so.0" not found
    # cp /lib/libtermcap.so.0 /usr/jail/lib
    # chroot /usr/jail /bin/sh
    # ls
    ls: not found
    # echo jailed >/jail
    # ^D
    # ls -l /usr/jail
    total 4
    drwxr-xr-x  2 root  wheel  512 Nov  1 21:50 bin
    -rw-r--r--  1 root  wheel    7 Nov  1 22:31 jail
    drwxr-xr-x  2 root  wheel  512 Nov  1 22:31 lib
    drwxr-xr-x  2 root  wheel  512 Nov  1 22:30 libexec

Summary of Chroot
- It's a good, but imperfect means of restricting file access
- It's fairly useless against root; it doesn't provide other sorts of isolation
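One way a root-started daemon can confine itself while respecting the chroot() limitations above (working directory inside the tree, root given up afterwards, CPU capped with setrlimit()). This is an added example, not code from the lecture; the function names, the 10-second CPU budget and the step numbering are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Confine the calling process, which must start as root.
 * Returns 0 on success, otherwise the number of the step that failed. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    struct rlimit cpu = { 10, 10 };   /* CPU seconds; assumed budget */

    /* 1-3: move into the tree before chroot() so no working directory is
     * left outside it (the chdir("../../..") escape). */
    if (chdir(jail_dir) != 0) return 1;
    if (chroot(".") != 0) return 2;   /* fails with EPERM unless root */
    if (chdir("/") != 0) return 3;

    /* 4: chroot() does not limit CPU time; setrlimit() does. */
    if (setrlimit(RLIMIT_CPU, &cpu) != 0) return 4;

    /* 5-6: give up root, since root can escape. Supplementary groups
     * first, then gid, then uid; after setuid() the others would fail. */
    if (setgroups(0, NULL) != 0) return 5;
    if (setgid(gid) != 0 || setuid(uid) != 0) return 6;

    /* 7: confirm that root cannot be regained. */
    if (setuid(0) == 0 || geteuid() == 0) return 7;
    return 0;
}

/* Run enter_jail() in a child so the caller itself stays unconfined.
 * Returns the child's result, or -1 if the child could not be run. */
int try_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) _exit(enter_jail(jail_dir, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

A return value of 2 from an unprivileged caller is the "only root can invoke it" limitation showing up as EPERM.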

FreeBSD Jail
- Like chroot() on steroids
- Assign a separate network identity to a jail partition
- Restrict root's abilities within a jail
- Intended for nearly-complete system emulation
- Network interactions with main system's daemons

Sandboxes
- Very restricted environment, especially for network daemons
- Assume that the daemon will do anything
- Example: Janus traps each system call and validates it against policy
- Can limit I/O to certain paths

The Java Virtual Machine
- Java executables contain byte code, not machine language
- Java interpreter can enforce certain restrictions
- Java language prevents certain dangerous constructs and operations (unlike, for example, C)
- In theory, it's safe enough that web browsers can download byte code from arbitrary web sites

Is the JVM Secure?
- Heavy dependency on the semantics of the Java language
- The byte code verifier ensures that the code corresponds only to valid Java
- The class loader ensures that arguments to methods match properly
- Very complex process; not high assurance
- Bugs have been found, but they're fairly subtle
- But there have been buffer overflows in the C support library

Using the JVM For Servers
- The dangers come from untrusted executables
- If you write your applications in Java, you don't have to worry about that
- The strict type system, the array bounds-checking, and the (optional) file access control all protect you from your own bugs
- Java is a very secure language for applications (if, of course, you're not too fussy about performance)

Virtual Machines
- Give the application an entire machine, down to the (virtual) bare silicon
- Run an entire operating system on this
- Run the untrusted application on that OS
- It can be very safe

How VMs Work
- Recall the hardware access control mechanisms: privileged operations and memory protection
- Run the guest operating system unprivileged
- Any time the guest OS issues a privileged operation, it traps to the virtual machine monitor
- The VMM emulates the operation. For example, an attempt at disk I/O is mapped to I/O to a real file that represents the virtual disk

Virtual Devices
- Virtual disks (or part or all of a real disk)
- Virtual screens, keyboards, and mice
- Virtual Ethernets
- Other virtual devices as needed

Virtual Machine Security
- Very strong isolation
- Very high overhead...
- Must set up and administer an entire OS
- Guest copies of Microsoft Windows require just as many patches as do native copies
- Performance can be bad

Using Virtual Machines
- Great for testing OS changes
- Great for student use
- Internet hosting companies
- Can use them for executing suspected viruses and worms, but some viruses detect the presence of the VMM and hide

Interacting with a Virtual Machine
- Often don't want perfect isolation. Example: cut-and-paste between windows
- Performance can be dramatically enhanced if the guest OS signals the VMM
- Example: add a virtual graphics driver that calls the VMM, via the equivalent of a system call

Limitations of Virtual Machines
- They can be too real
- Would you let your enemy put a machine inside your data center?
- VMs can spread viruses, launch DoS attacks, etc.
- VMs require just as much care, administration, and monitoring as do real machines
- In many situations, they represent an economic mechanism rather than a security mechanism

Other Isolation Mechanisms
- Light-weight VM systems, such as Solaris Zones
- Domain and type enforcement: limit file accesses by each executable
- Systrace (on some BSD operating systems) is similar
- Sub-operating system: permission overlay on top of file system, based on subuids
- All require fairly complex permission-setting

The Limits of Isolation
- All of the mechanisms we've described are complex (but canned scripts can help)
- Most of them require root privileges
- As a consequence, they're useful for complex system designs, but not for general application isolation

Covert Channels
- We can block ordinary file accesses and network communication
- Are there other ways to leak information?
- Yes: covert channels
- Very important issue in a MAC world

MAC and Covert Channels
- One goal of MAC is to prevent leakage of information between a high-security process and a low-security process
- It's (relatively) easy to close the explicit communication channels, such as shared files or network connections
- There are more subtle ways to communicate
- Two types: storage channels and timing channels

Storage Channels
- Modulate some shared resource
- Example: create and delete files in a shared directory
- The files themselves need not be readable
- MAC systems often have per-level /tmp directories, to help avoid this problem

Timing Channels
- Modulate system timing in a detectable way
- Example: do heavy disk I/O or refrain
- Receiver times how long it takes to do I/O operations

The Password-Checking Channel
- An old operating system (Tenex, for the PDP-10) checked (unhashed) passwords one byte at a time.
- Locate the password overlapping the end of virtual memory; ask the OS to check it
- If the first byte was wrong, it would return fail. If the byte was right, it would try to fetch the next byte, but take a page fault because it was past the edge
- Repeat as needed

Falling Off the Edge of the Earth
[Figure: password characters positioned against the end of virtual memory: s e c r s e c r e s 3 c r e s 3 c r e t]
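The byte-at-a-time check from the password-checking slide, modeled beside a hardened form together with a leak test a reviewer could keep as a regression check. This is an added example, not code from the lecture: the fetch-depth counter stands in for the page fault, and the sample password, the function names and the copy-then-compare fix are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define PWLEN 6                                   /* fixed length, for the model */
static const char SECRET[PWLEN + 1] = "s3cret";   /* constructed sample */

/* Tenex-style check: fetch and compare one byte at a time and stop at the
 * first mismatch. *fetched models the observable side effect: how far into
 * the caller's buffer the OS read before answering. */
int check_leaky(const char *guess, size_t *fetched)
{
    size_t i;
    for (i = 0; i < PWLEN; i++) {
        *fetched = i + 1;
        if (guess[i] != SECRET[i]) return 0;
    }
    return 1;
}

/* Hardened check: copy the whole argument first, so every fetch happens
 * before any comparison, then compare all bytes with no early exit. */
int check_fixed(const char *guess, size_t *fetched)
{
    char copy[PWLEN];
    unsigned char diff = 0;
    size_t i;

    memcpy(copy, guess, PWLEN);
    *fetched = PWLEN;
    for (i = 0; i < PWLEN; i++)
        diff |= (unsigned char)(copy[i] ^ SECRET[i]);
    return diff == 0;
}

/* Leak test: feed guesses whose correct prefix grows from 0 to PWLEN-1
 * bytes and count the distinct fetch depths an observer would see.
 * A result of 1 means the observable is independent of the secret. */
int distinct_depths(int (*check)(const char *, size_t *))
{
    int seen[PWLEN + 1] = {0}, n = 0;
    size_t k, fetched = 0;
    char g[PWLEN];

    for (k = 0; k < PWLEN; k++) {
        memset(g, 'x', PWLEN);      /* filler that matches no secret byte */
        memcpy(g, SECRET, k);       /* first k bytes are correct */
        check(g, &fetched);
        if (!seen[fetched]++) n++;
    }
    return n;
}
```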

Defeating Covert Channels
- One approach: find them and eliminate them
- Bandwidth-limit them: cap the rate at which certain operations can be done
- Add noise to the channel

Defense Limits
- They're hard to find
- Will bandwidth limits interfere with legitimate use?
- Shannon showed that noise can't completely block a channel, just reduce its bandwidth
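
The last point carried through as an added worked example (not from the lecture). It assumes the noisy covert channel behaves as a binary symmetric channel in which each bit is flipped independently with probability $p$; the rate of 1000 uses per second is a constructed figure.

$$C = 1 - H(p), \qquad H(p) = -p\log_2 p - (1-p)\log_2(1-p)$$

$C = 0$ only when $p = 1/2$, that is, when the added noise makes the output independent of the input. For $p = 0.4$:

$$H(0.4) = 0.4\log_2\frac{1}{0.4} + 0.6\log_2\frac{1}{0.6} \approx 0.529 + 0.442 = 0.971, \qquad C \approx 0.029 \text{ bits per use}$$

A sender able to modulate the shared resource 1000 times per second still leaks about 29 bits per second, which is why noise is combined with bandwidth limits rather than used alone.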