Secure Architecture Principles

Similar documents
CIS 5373 Systems Security

Introduction to Information Security

Isolation/Confinement

The confinement principle

OS Security III: Sandbox and SFI

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Information Security Theory vs. Reality

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Secure Software Programming and Vulnerability Analysis

CIS 5373 Systems Security

Discretionary Access Control

IS 2150 / TEL 2810 Information Security and Privacy

Secure Architecture Principles

SysSec. Aurélien Francillon

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Introduction to Security

Introduction to Security

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Security Architecture

Confinement (Running Untrusted Programs)

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Topics : Analysis of Software Systems. Side channel analysis. Remote Timing Attacks are Practical

Operating system security models

Secure Architecture Principles

(In columns, of course.)

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Privilege Separation

STING: Finding Name Resolution Vulnerabilities in Programs

Program Structure. Steven M. Bellovin April 3,

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Program Structure I. Steven M. Bellovin November 14,

OS security mechanisms:

Data Security and Privacy. Unix Discretionary Access Control

Advanced Systems Security: Ordinary Operating Systems

Program Structure I. Steven M. Bellovin November 8,

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

CS 161 Computer Security

CSE 565 Computer Security Fall 2018

[This link is no longer available because the program has changed.] II. Security Overview

Advanced Systems Security: Ordinary Operating Systems

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

1 / Unix protection. 2 Unix security holes. 3 Capability-based protection 3 / 39

View access control as a matrix Subjects (processes/users) access objects (e.g., files) Each cell of matrix has allowed permissions

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Operating Systems Security

OS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

cs642 /operating system security computer security adam everspaugh

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions

Software Security and Exploitation

Exploiting Concurrency Vulnerabilities in System Call Wrappers

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Secure Programming II. Steven M. Bellovin September 29,

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

Secure Architecture Principles

Confinement. Steven M. Bellovin November 1,

CS 380S. TOCTTOU Attacks. Don Porter. Some slides courtesy Vitaly Shmatikov and Emmett Witchel. slide 1

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

I run a Linux server, so we re secure

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

CSE506: Operating Systems CSE 506: Operating Systems

Trusted Computing and O/S Security

Process. Operating Systems (Fall/Winter 2018) Yajin Zhou ( Zhejiang University

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Least-Privilege Isolation: The OKWS Web Server

Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions. Erik Poll Digital Security group Radboud University Nijmegen

OPERATING SYSTEM TRANSACTIONS

Running Unreliable Code. Many uses for extensibility. Several Historical Applications. Conventional OS. This lecture

0x1A Great Papers in Computer Security

Operating Systems Security Access Control

Processes. Johan Montelius KTH

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools

Processes are subjects.

A process. the stack

Internet Security General Unix Security

Dynamic Detection and Prevention of Race Conditions in File Accesses

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

CS 161 Computer Security. Design Patterns for Building Secure Systems

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Linux Capability Exploration Lab

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Unix Basics. UNIX Introduction. Lecture 14

Shellbased Wargaming

Securing Untrustworthy Software Using Information Flow Control

Partitioning a Server with NSA SE Linux

Processes are subjects.

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

CPSC 341 OS & Networks. Processes. Dr. Yingwu Zhu

Execution of Multiple flows (threads, processes, tasks, etc) If not controlled can lead to nondeterministic behavior

Cyber Security. General Unix Security

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Secure Coding in C and C++ Race conditions

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Midterm Exam CPS 210: Operating Systems Spring 2013

Transcription:

Computer Security Course. Secure Architecture Principles Slides credit: Dan Boneh

What Happens if you can t drop privilege? In what example scenarios does this happen? A service loop E.g., ssh Solution? Privilege separation Identifying operations that need privileges Separate original code into master (priviledged) and slave (unprivileged) Example: ssh

Privilege Separation Process: Step 1: Identify which operations require privilege Step 2: rewrite programs into 2 or more parts Approach: Manual Have been done on security-critical programs, e.g., ssh Labor-intensive and may miss privileged operations Automatic (e.g., Privtrans [Brumley-Song-2004]) Automatic inference of privileged operations using a few initial annotations Automatic source-to-source rewriting Privileged code move into master Unprivileged code move into slave Stubs for inter communication

Automatic Privilege Separation Step 1: automatic inference of privileged data and operations Given some initial annotations of privileged data and/or operations, infer what other data/operations are privileged Idea: can be viewed as a form of static taint analysis Approach: Define qualifier _priv_ and _unpriv_ Operations on _priv_ results in _priv_ int _priv_ a; Int _priv_ f(); int b = f(a); c= c+b; g(c); _priv_ b _priv_ c _priv_ g

Automatic Privilege Separation Step 2: automatic source-to-source transformation Move privileged data and code to Master For call to privileged functions, change the call site to a wrapper function which marshals the args on slave side and sends them to Master s stub Similar stubs on returns for unprivileged return values

Privilege Separation at Runtime Slave Master Main Execution Wrappe r RPC Request RPC Reply Wrappe r Privileged Server State Store Polic y

Summary: Privilege Separation Only master is privileged, usually much smaller Slave is unprivileged Bug in slave cannot harm master, cannot gain privilege How to protect master from a compromised slave? Fault isolation: e.g., running in different processes

Setuid programming Be Careful with Setuid 0! Root can do anything; don t get tricked Principle of least privilege change EUID when root privileges no longer needed

Non-Language-Specific Vulnerabilities // Part of a setuid program if (access("file", W_OK)!= 0) { exit(1); } fd = open("file", O_WRONLY); write(fd, buffer, sizeof (buffer)); access( file, W_OK) open( file, O_WRONLY) write(fd, buffer ) Returns 0 if the user invoking the program has write access to file (it checks the real uid, the actual id of the user, as opposed to the effective uid, the id associated with the process) Returns a handle to file to be used for writing only Writes the contents of buffer to file

Time-of-Check-to-Time-of-Use (TOCTTOU) // Part of a setuid program if (access("file", W_OK)!= 0) { exit(1); } fd = open("file", O_WRONLY); write(fd, buffer, sizeof (buffer)); access( file, W_OK) open( file, O_WRONLY) write(fd, buffer ) symlink( /etc/passwd, file ) Returns 0 if the user invoking the program has write access to file (it checks the real uid, the actual id of the user, as opposed to the effective uid, the id associated with the process) Returns a handle to file to be used for writing only Writes the contents of buffer to file // After the access check symlink("/etc/passwd", "file"); // Before the open, "file" points to the password database Creates a symlink from file to /etc/passwd. A symbolic link is a reference to another file, so in this case the attacker causes file (which they have privileges for) to point to /etc/passwd. The program then opens /etc/passwd instead of file.

TOCTTOU RUID 25 EUID 25 ; ; exec( ); symlink( /etc/passwd, file ) Launch program Owner 25 -rw-r--r-- file symlink Owner 0 -rw------- /etc/passwd Access Write check Writes to /etc/passwd Owner 0 SetUID program RUID 25 EUID 0 if (access("file", W_OK)!= 0) { exit(1); } fd = open("file", O_WRONLY); write(fd, buffer, sizeof (buffer));

The Flaw? Code assumes FS is unchanged between access() and open() calls Never assume anything An attacker could change file referred to by file in between access() and open() Eg. symlink( /etc/passwd, file ) Bypasses the check in the code! Although the user does not have write privileges for /etc/passwd, the program does (and the attacker has privileges for file, so they are allowed to create the symbolic link)

TOCTTOU Vulnerability In Unix, often occurs with file system calls because system calls are not atomic But, TOCTTOU vulnerabilities can arise anywhere there is mutable state shared between two or more entities Example: multi-threaded Java servlets and applications are at risk for TOCTTOU

Good things Unix summary Some protection from most users Flexible enough to make things possible Main limitation Too tempting to use root privileges No way to assume some root privileges without all root privileges

Access control in Windows (since NTFS) Some basic functionality similar to Unix Specify access for groups and users Read, modify, change owner, delete Some additional concepts Tokens Security attributes Generally More flexibility than Unix Can define new permissions Can give some but not all administrator privileges

Identify subject using SID Security ID (SID) Identity (replaces UID) SID revision number 48-bit authority value variable number of Relative Identifiers (RIDs), for uniqueness Users, groups, computers, domains, domain members all have SIDs

Process has set of tokens Security context Privileges, accounts, and groups associated with the process or thread Presented as set of tokens Security Reference Monitor Uses tokens to identify the security context of a process or thread Impersonation token Used temporarily to adopt a different security context, usually of another user

Object has security descriptor Security descriptor associated with an object Specifies who can perform what actions on the object Several fields Header Descriptor revision number Control flags, attributes of the descriptor E.g., memory layout of the descriptor SID of the object's owner SID of the primary group of the object Two attached optional lists: Discretionary Access Control List (DACL) users, groups, System Access Control List (SACL) system logs,..

Example access request Group1: Administrators Group2: Writers Revision Number Control flags Owner SID Group SID DACL Pointer SACL Pointer Deny Writers Read, Write Allow Mark Read, Write

Impersonation Tokens (compare to setuid) Process adopts security attributes of another Client passes impersonation token to server Client specifies impersonation level of server Anonymous Token has no information about the client Identification server obtain the SIDs of client and client's privileges, but server cannot impersonate the client Impersonation server identify and impersonate the client Delegation lets server impersonate client on local, remote systems

Creating Jail

Creating Jail: chroot Change root - changes the root directory of current process Example (within a process): chroot /tmp/guest su guest The root directory for this process ( / ) is now resolved to /tmp/guest, and the EUID is set to guest (handled by the operating system)

Creating Jail: chroot If done properly, the process can no longer access files outside of /tmp/guest Eg: open( /etc/passwd, r ) open( /tmp/guest/etc/passwd, r ) Must consider other processes which it may need to invoke (eg. from /usr/bin)- these must be provided for the environment

Escaping from jails Early escapes: relative paths open(../../etc/passwd, r ) open( /tmp/guest/../../etc/passwd, r )

Many ways to escape jail as root Create device that lets you access raw disk Send signals to non chrooted process Reboot system Bind to privileged ports

FreeBSD jail Stronger mechanism than simple chroot To run: jail jail-path hostname IP-addr cmd calls hardened chroot (no../../ escape) can only bind to sockets with specified IP address and authorized ports can only communicate with processes inside jail root is limited, e.g. cannot load kernel modules

FreeBSD jail User 1 running as root within their own jail. User 2 running as root within their own jail. Actual system, with an actual root user

Problems with chroot and jail Coarse policies: All or nothing access to parts of file system Inappropriate for apps like a web browser Needs read access to files outside jail (e.g. for sending attachments in Gmail) Does not prevent malicious apps from: Accessing network and messing with other machines Trying to crash host OS

System Call Interposition

System call interposition Observation: to damage host system (e.g. persistent changes) app must make system calls: To delete/overwrite files: unlink, open, write To do network attacks: socket, bind, connect, send Idea: monitor app s system calls and block unauthorized calls

Implementation options Completely kernel space (e.g. GSWTK) Completely user space (e.g. program shepherding) Hybrid (e.g. Systrace)

ptrace ptrace (process trace) allows one process to monitor signals sent to and from the controlled process, as well as state in registers, file descriptors, and memory control another process by altering its internal state

Initial implementation (Janus) [GWTB 96] Linux ptrace: process tracing process calls: ptrace (, pid_t pid, ) and wakes up when pid makes sys call. monitored application (browser) open( /etc/passwd, r ) monitor user space OS Kernel Monitor kills application if request is disallowed

Complications If app forks, monitor must also fork forked monitor monitors forked app If monitor crashes, app must be killed cd( /tmp ) open( passwd, r ) cd( /etc ) open( passwd, r ) Monitor must maintain all OS state associated with app current-working-dir (CWD), UID, EUID, GID When app does cd path monitor must update its CWD otherwise: relative path requests interpreted incorrectly

Problems with ptrace Ptrace is not well suited for this application: Trace all system calls or none inefficient: no need to trace close system call Monitor cannot abort sys-call without killing app Security problems: race conditions Example: symlink: file /etc/passwd time proc 1: open( file ) monitor checks and authorizes not atomic proc 2: file /etc/passwd OS executes open( file )

Which of the following sequence of events is a TOCTOU exploit? P1: open( temp, w ) P2: temp important.txt monitor checks P1 s write request OS opens temp (if monitor approves) P2: temp important.txt P1: open( temp, w ) monitor checks P1 s write request OS opens temp (if monitor approves) P1: open( temp, w ) monitor checks P1 s write request OS opens temp (if monitor approves) P2: temp important.txt P1: open( temp, w ) monitor checks P1 s write request P2: temp important.txt OS opens temp (if monitor approves)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback