System Configuration as a Privilege

Similar documents
Advanced Systems Security: Ordinary Operating Systems

Security Enhanced Linux

Access Control. Steven M. Bellovin September 13,

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Case Study: Access Control. Steven M. Bellovin October 4,

Privilege Escalation

SELinux. Sven Vermeulen

Access Control. Steven M. Bellovin September 2,

Application Virtualization and Desktop Security

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Case Studies in Access Control

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Securing Android-Powered Mobile Devices Using SELinux

Access Control Lists. Don Porter CSE 506

Web Servers and Security

Secure Architecture Principles

Web Servers and Security

SEEdit: SELinux Security Policy Configuration System with Higher Level Language

Secure Architecture Principles

Linux Kernel Security Update LinuxCon Europe Berlin, 2016

CS 416: Operating Systems Design April 22, 2015

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CPS221 Lecture: Operating System Protection

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Secure Architecture Principles

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+)

CompTIA SY CompTIA Security+

Secure Architecture Principles

OS security mechanisms:

OS Security III: Sandbox and SFI

Architecture. Steven M. Bellovin October 27,

Confinement (Running Untrusted Programs)

Operating system hardening

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Advanced Systems Security: Ordinary Operating Systems

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Labels and Information Flow

UNIT 9 Introduction to Linux and Ubuntu

SELinux: A New Approach to Secure Systems

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Chapter 2. Operating-System Structures

Access Control/Capabili1es

A new Distributed Security Model for Linux Clusters

Linux Systems Security. Security Design NETS Fall 2016

SELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com

Computer Security. 02r. Assignment 1 & Access Control Review. Paul Krzyzanowski David Domingo Ananya Jana. Rutgers University.

Confinement. Steven M. Bellovin November 1,

Data Security and Privacy. Unix Discretionary Access Control

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Architecture. Steven M. Bellovin October 31,

ELEC 377 Operating Systems. Week 1 Class 2

SELinux. Daniel J Walsh SELinux Lead Engineer

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

CSE543 - Computer and Network Security Module: Virtualization

ForeScout Extended Module for IBM BigFix

System Administration for Beginners

Lecture 3 MOBILE PLATFORM SECURITY

Operating Systems Linux 1-2 Measurements Background material

Security. Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018

MANDATORY ACCESS CONTROL SECURITY ENHANCED LINUX (SELINUX)

ECE 471 Embedded Systems Lecture 15

ABUSING TEXT EDITORS VIA THIRD-PARTY PLUGINS

Meeting 39. Guest Speaker Dr. Williams CEH Networking

Securing Untrusted Code

Everything about Linux User- and Filemanagement

the SWIFT Customer Security

ECE 471 Embedded Systems Lecture 22

Identity-based Access Control

Software Security and Exploitation

Advanced Systems Security: Multics

What are some common categories of system calls? What are common ways of structuring an OS? What are the principles behind OS design and

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

How to Break Software by James Whittaker

CSE543 - Computer and Network Security Module: Virtualization

ForeScout Extended Module for IBM BigFix

Linux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1

SPECCHIO uses a Client-Server architecture. This User Guide details operation of the Client component of SPECCHIO only.

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Condor Local File System Sandbox Requirements Document

Discretionary Vs. Mandatory

Coordinated Disclosure of Vulnerabilities in McAfee Security Android

Geneious Floating License Manager Version Biomatters Ltd

CFRS : Kernel Forensics and Analysis

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CIS 5373 Systems Security

An Overview of Security in the FreeBSD Kernel. Brought to you by. Dr. Marshall Kirk McKusick

CSE 544 Advanced Systems Security

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

SELinux. Don Porter CSE 506

Ftp Command Line Manual Mac Os X Enable Root User

OS Structure. Kevin Webb Swarthmore College January 25, Relevant xkcd:

SE Linux Implementation LINUX20

A Survey of Access Control Policies. Amanda Crowell

Linux Kernel Security Overview

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Kernel Types Simple OS Examples System Calls. Operating Systems. Autumn CS4023

Geneious Floating License Manager Version Biomatters Ltd

Transcription:

System Configuration as a Privilege Glenn Wurster, Paul C. van Oorschot School of Computer Science Carleton University, Canada HotSec 2009 11 Aug 2009 Glenn Wurster, Paul C. van Oorschot System Config Privilege 1/ 19 1

The Configuration Privilege Separate configuration privilege from traditional root Why separate the two? 1 System is normally used for performing work e.g., reading e-mail, coding, writing papers 2 Prevent stealthy configuration changes 3 Restrict the abilities of installers Glenn Wurster, Paul C. van Oorschot System Config Privilege 2/ 19 1. Compromised daemons/root applications No limit to configuration changes 2. Dubious installers Sony DRM, Kazaa 2

Installing Applications Typical procedure 1 Become the superuser 2 Run the installer Problem: Granting unrestricted access to the file system Glenn Wurster, Paul C. van Oorschot System Config Privilege 3/ 19 1. User knows when they want to install something 2. Explicitly grants superuser privileges Can run arbitrary code Can overwrite arbitrary files 3. Source of installer is downloaded code? The complete opposite of what we re trying to tell them 3

Protecting Configuration-Related Files Examples of Configuration-Related Files Executables Libraries System Config Files System Scripts Glenn Wurster, Paul C. van Oorschot System Config Privilege 4/ 19 1. Information Flow Read and write to data files Only read from configuration-related files 2. Application Includes Installers 3. Regardless of whether the program is run as root 4. Example of Data file: Your pictures of Montreal 4

Primary Existing Mechanisms for File-System Protection Many proposals 1 Discretionary e.g., UNIX and ACL s 2 Mandatory Access control e.g., SELinux, AppArmor 3 Physical e.g., read-only media 4 Reactive e.g., Tripwire What about software installs/updates? Glenn Wurster, Paul C. van Oorschot System Config Privilege 5/ 19 1. Assumption is the system is in a steady state No new applications being installed/removed 2. Need very-high privileges to install/upgrade Read-only media needs to be made writable Tripwire needs manual merging of changes 3. My Observations All handle installs, but were not designed for it. Even MAC systems don t directly tackle the problem of how you get new/updated software onto the system. 5

The Alternative Install Approaches Have Their Own Problems 1 Do everything manually Technical expertise required 2 Application bundles/packages Caveat: binaries/scripts run during application install 3 Track system changes User surveillance Glenn Wurster, Paul C. van Oorschot System Config Privilege 6/ 19 1. Manual Install: Thick book of instructions No installer run with superuser privileges 2. Application bundles: Linux package managers - still run scripts with root Apple bundles - don t know about scripts 3. Tracking Changes: System Checkpointing, Sandboxing User must run tools before install 6

Classifying Installers 1 What is an installer? Is a FTP server an installer? 2 Not all installers are created equal. Game vs. OS upgrade 3 Update vs. Upgrade vs. Install Glenn Wurster, Paul C. van Oorschot System Config Privilege 7/ 19 1. What is an installer Hard question Prone to subversion by malware 2. Different installers need to do different things Security Updates change little OS Upgrades change much 3. Any attempt to subclass the installer space? Apparently not 4. Not sure we need to classify installers Configuration privilege still a contribution without classification 7

Limiting Configuration Actions Two options: 1 Identify installers and limit them Identifying installers is probably hard What about non-installers? 2 Limit all applications Also protects against other attacks The approach we use Glenn Wurster, Paul C. van Oorschot System Config Privilege 8/ 19 1. From Previous: Identifying what is an installer is hard 2. Alternative install approaches (manual, packages, tracking) required identifying installers 3. Non-installers should not be allowed to configure the system 4. Want to limit dangerous configuration operations regardless 8

Limiting all Applications Prevent modifications to system configuration 1 Create a new privilege, the configuration privilege Tied to the ability to modify system configuration Modifying system configuration Operations having a direct visible effect on configuration files or applications on disk Scripts Startup Files (OS and application related) Executable files Glenn Wurster, Paul C. van Oorschot System Config Privilege 9/ 19 1. Privilege required to modify system configuration Files on disk 2. Identify configuration changes and limit them 3. Privilege required to modify configuration files on a system 9

Limiting Configuration-Related Changes Enforcement points 1 Kernel enforcement Not the best fit 2 Proxy enforcement (Configuration Daemon - configd) Our proposal - a single choke-point Ways to limit configuration operations 1 User input 2 What files are modified 3 How the files are modified 4 The previous contents of the modified files 5... Access control on non-traditional properties. Glenn Wurster, Paul C. van Oorschot System Config Privilege 10/ 19 1. Kernel enforcement limits choices Rootkit-resistant disks Code-signing 2. Configd A daemon which responds to configuration requests 3. User-input is intentionally broad Traditional Keyboard/Display USB Keys Location Sensor Biometrics 10

The Crux This application requires configuration privileges in order to install. Please re-run this application after logging in with configuration privilege. 1 The privilege alone is insufficient Glenn Wurster, Paul C. van Oorschot System Config Privilege 11/ 19 1. Problem: Developers pop up a dialogue box Users follow the instructions We ve just shifted the problem. 2. Not sufficient to just create the privilege Must specify how the privilege is used 3. Restrict in a way that developers can t convince the naive user to run with elevated privileges. 11

Preventing a Shell Game 1 Don t let the user grant configuration privilege 2 Restrict configuration privilege to a single system daemon Enforce access-control protections in the daemon Glenn Wurster, Paul C. van Oorschot System Config Privilege 12/ 19 1. Reduce the effectiveness of social engineering 2. A single system daemon Make it hard to get around 12

How Much Complexity Should Be Exposed? Desired target audience: Non-technical users vs. Fine-grained access control solutions which require users to get involved with the fine grains usually fail due to usability issues. Glenn Wurster, Paul C. van Oorschot System Config Privilege 13/ 19 1. The collection of parts in a drill More useful than the drill, but harder to use 2. Going past determining all the pieces we need 3. Involves determining how the pieces work together 4. Decrease the complexity exposed to the user 13

Current Installer Frameworks Examples MSI, Debian, Redhat, Gentoo, InstallShield Glenn Wurster, Paul C. van Oorschot System Config Privilege 14/ 19 1. Installers can bypass most frameworks by talking directly to the OS kernel Including all frameworks I m aware of 2. OS does not restrict activities Installer is run as superuser 14

configd Installer Framework Restrict operations allowed by the kernel Force all system modifications to go through the framework Glenn Wurster, Paul C. van Oorschot System Config Privilege 15/ 19 1. Applies to all applications 2. Interface with OS kernel is limited 3. Configd can reject requests for configuration changes 15

Design of configd Coded modules currently include: 1 Verifying changes with the user 2 Rootkit-resistant disks (Butler et. al. CCS 2008) 3 Code-signing (Wurster et. al. HotSec 2007) Glenn Wurster, Paul C. van Oorschot System Config Privilege 16/ 19 1. Each Module: Examines elements of system state Rejects, Allows, or Postpones making a decision 2. Base Configd also responds to system events 3. Rejected requests do not not modify file-system state 4. Modules work together e.g., Code-signing combined with Rootkit-resistant disks 5. Mix of modules is not right yet. 6. Experimenting with asking the user 7. Extensible to try out new ideas Module list is not designed to be modifed at runtime 16

Additional Design Details Kernel responsibilities 1 Suspend other programs when requested by configd 2 Prevent root from modifying configd 3 Restrict configure permission to configd configd responsibilities 1 Respond to configuration change requests 2 Queue up requests until a specific USB key is inserted 3 Perform allowed changes to system configuration 4 Notify the kernel what configuration-related files to protect Glenn Wurster, Paul C. van Oorschot System Config Privilege 17/ 19 1. Kernel: Prevents others from getting configure permission Protects the configd process Protects configuration-related files 2. Configd: Deals with requests for configuration changes Notifies the kernel what files are configuration related 3. Prevent race conditions by suspending other tasks 17

Current Status Progress made 1 Created configd 2 Modified the Linux kernel to restrict file-system modifications Next steps 1 Test configd on a Debian system 2 Reduce the technical expertise required to use configd Glenn Wurster, Paul C. van Oorschot System Config Privilege 18/ 19 1. Done: Configd framework and modified Linux kernel 2. In progress: Integrating configd into a Debian system Start to determine what the right mix of modules should be 18

Questions Glenn Wurster, Paul C. van Oorschot System Config Privilege 19/ 19 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback