Operating system security

Similar documents
Introduction to Computer Security

Operating system security models

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Datasäkerhet/Data security EDA625 Lect5

Introduction to Computer Security

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Processes are subjects.

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

Secure Architecture Principles

CIS 5373 Systems Security

IS 2150 / TEL 2810 Information Security and Privacy

Secure Architecture Principles

Secure Architecture Principles

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Chapter 8: Security under Linux

Processes are subjects.

Outline. Security. Security Ratings. TCSEC Rating Levels. Key Requirements for C2. Met B-Level Requirements

Security. Outline. Security Ratings. Ausgewählte Betriebssysteme Institut Betriebssysteme Fakultät Informatik

Data Security and Privacy. Unix Discretionary Access Control

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Introduction to Security

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Introduction to Security

Exercise 4: Access Control and Filesystem Security

Discretionary Access Control

Secure Architecture Principles

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Network Security: Kerberos. Tuomas Aura

Module 4: Access Control

A Survey of Access Control Policies. Amanda Crowell

Windows Server 2008 Active Directory Resource Kit

Information Security Theory vs. Reality

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

User accounts and authorization

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

CSE 380 Computer Operating Systems

Windows Access Control List (ACL) 2

Unix Basics. UNIX Introduction. Lecture 14

Access Control Mechanisms

UNIX File Hierarchy: Structure and Commands

General Access Control Model for DAC

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

Access Control Lists on Dell EMC Isilon OneFS

CS246 Spring14 Programming Paradigm Notes on Linux

Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003

Privileges: who can control what

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

User Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)

Introduction to Linux

O/S & Access Control. Aggelos Kiayias - Justin Neumann

FreeBSD Advanced Security Features

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Working with Basic Linux. Daniel Balagué

CS/CIS 249 SP18 - Intro to Information Security

Information Security CS 526

OS Security III: Sandbox and SFI

Secure Architecture Principles

Lab Authentication, Authorization, and Accounting

Access Control. Tom Chothia Computer Security, Lecture 5

Unix, History

Server. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2

Access Control Lists. Don Porter CSE 506

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

Pre-Assessment Answers-1

Access control models and policies. Tuomas Aura T Information security technology

CISNTWK-11. Microsoft Network Server. Chapter 5 Introduction Permissions i and Shares

Users, Groups and Permission in Linux

Faculty of Engineering Computer Engineering Department Islamic University of Gaza Network Lab # 7 Permissions

Roadmap for This Lecture

8. Files and File Systems

PROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)

Files and Directories

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

User Commands chmod ( 1 )

lsx [ls_options ] [names]

Setting Access Controls on Files, Folders, Shares, and Other System Objects in Windows 2000

Operating System Security

File systems security: Shared folders & NTFS permissions, EFS Disk Quotas

Operating systems fundamentals - B10

CSE/ISE 311: Systems Administra5on Access Control and Processes

Operating Systems Lab 1 (Users, Groups, and Security)

CSE 565 Computer Security Fall 2018

Introduction to Unix May 24, 2008

Exercise Sheet 2. (Classifications of Operating Systems)

Table 12.2 Information Elements of a File Directory

Improving the Granularity of Access Control for Windows 2000

File Properties and Permissions

Access Permissions. Agenda. chmod Command (Relative Method) File / Directory Permissions

Answers to Even- Numbered Exercises

Basic File Attributes

Commands are in black

INSE 6130 Operating System Security. Overview of Design Principles

Transcription:

Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011

Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This lecture material is based on a joint course with Dieter Gollmann. 2

UNIX ACCESS CONTROL 3

Principals Users and groups are the principals Users have username and user identifier (UID) Groups have group name group identifier (GID) UID and GID are usually 16-bit numbers 0 = root 19057 = aura 100 = users Both names and identifiers are permanent; difficult to change once selected UID values differ from system to system Superuser (root) UID is always zero 4

User accounts User accounts are stored in /etc/passwd User account format: username:password:uid:gid:name:homedir:shell Example: root:7kssi2k.df:0:0:root:/root:/bin/bash mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: ace:69gedfelkw:500:103:alice:/home/ace:/bin/bash carol:7fkkdefh3d:501:102:carol:/home/carol:/bin/nolo gin tuomas:*:502:102:tuomas Aura:/home/tuomas:/bin/tcsh al::503:102::/home/al:/bin/bash dieter:rt.qszeesxt92:10026:53:dieter Gollmann:/home/staff/dieter:/bin/bash 5

User account details User name: up to eight characters long Password: stored encrypted (really a hash) User ID: user identifier for access control group ID: user s primary group ID string: user's full name Home directory Login shell: the program started after successful log in 6

Superuser The superuser is a special privileged principal with UID 0 and usually the user name root There are few restrictions on the superuser All security checks are turned off for the superuser The superuser can become any other user Examples: The superuser cannot write to a read-only file system but can remount it as writeable The superuser cannot decrypt passwords (because they are hash values) but can reset them 7

Groups Users belong to one or more groups The file /etc/group contains a list of all groups; file entry format: groupname:password:gid:list of users Example: infosecwww:*:209:carol,al Every user belongs to a primary group; the group ID (GID) of the primary group is stored in /etc/passwd Depending on the Unix OS, user can belong to only one or many groups at the same time Usually only superuser can add groups and members 8

Subjects The subjects in Unix are processes; a process has a process ID (PID) Processes can create new processes Processes have a real UID and an effective UID (similarly for GID) Real UID/GID: inherited from the parent; typically UID/GID of the user logged in Effective UID/GID: inherited from the parent process or from the file being executed 9

Example UID GID Process real effective real effective /bin/login root root system system User dieter logs on; the login process verifies the password and (with its superuser rights) changes its UID and GID: /bin/login dieter dieter staff staff The login process executes the user s login shell: /bin/bash dieter dieter staff staff From the shell, the user executes a command, e.g. ls /bin/ls dieter dieter staff staff The user executes command passwd to change his password: /bin/passwd dieter root staff system 10

Objects Files, directories, devices are uniformly treated as resources These resources are the objects of access control The resources are organized in a tree-structured file system Each file entry in a directory is a pointer to a data structure called inode Inode stores information about the owner user and group, and permissions 11

Information about objects Example: directory listing with ls -l -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx------ 2 dieter staff 512 Oct 25 17:44 ads/ File type: first character - file d directory b block device file c character device file s socket l symbolic link p FIFO pipe File permissions: next nine characters Link counter: the number of links (i.e. directory entries pointing) to the inode 12

Information about objects -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.tex drwx------ 2 dieter staff 512 Oct 25 17:44 ads/ Username of the owner: usually the user that has created the file Group: a newly created file usually belongs to its creator s group File size, modification time, filename Owner and root can change permissions (chmod); root can change the file owner and group (chown) Filename is stored in the directory, not in inode 13

File permissions Permission bits are grouped in three triples that define read, write, and execute access for owner, group, and other A - indicates that a right is not granted. rw-r--r-- read and write access for the owner, read access for group and other rwx------ read, write, and execute access for the owner, no rights to group and other 14

File permissions When ls l displays a SUID program, the execute permission of the owner is given as s instead of x: -rws--x x 3 root bin 16384 Nov 16 1996 passwd* When ls l displays a SGID program, the execute permission of the group is given as s instead of x 15

Octal representation File permissions can also be specified as octal numbers Examples: rw-r--r-- is equivalent to 644; rwxrwxrwx is equivalent to 777 Conversion table: 0040 read by group 4000 set UID on execution 0020 write by group 2000 set GID on execution 0010 execute by group 1000 set sticky bit 0004 read by other 0400 read by owner 0002 write by other 0200 write by owner 0001 execute by other 0100 execute by owner 16

Access control decisions Access control uses the effective UID/GID: If the subject s UID owns the file, the permission bits for owner decide whether access is granted If the subject s UID does not own the file but its GID does, the permission bits for group decide whether access is granted If the subject s UID and GID do not own the file, the permission bits for other (also called world) decide whether access is granted Note that although the permission bits may give the owner less access than to others, the owner can always change the permissions (discretionary access control) 17

Permissions for directories Read permission: to find which files are in the directory, e.g. for executing ls Write permission: to add files to and remove files from the directory Execute permission: to make the directory the current directory (cd) and for opening files inside the directory E.g. every user has a home directory for which correct permissions for the directory are required 18

Sticky bit Job queues for printing etc., are often implemented as a world-writable directories; anyone can add a file Problem: anyone can also delete files Solution: sticky bit on a directory restricts the deletion of files in that directory only to the file owners (and the superuser) Another problem: either the files in the print queue need to be readable to everyone or the print daemon needs to run as root Solution: in Linux, SGID bit on a directory means that new files inherit their group from the directory, not from the user who creates them; can create a special group for the print daemon (Sticky bit originally indicated that a process should not be swapped to disk. Its use varies between Unix versions.) 19

Default permissions Unix utilities typically use default permissions 666 for a new data file and 777 for a new program file Permissions can be restricted with umask: a three-digit octal number specifying the rights that should be withheld File permissions = default AND (NOT umask) Sensible umask values: 022: all permissions for the owner, read and execute permission for group and other 037: all permissions for the owner, read permission for group, no permissions for other 077: all permissions for the owner, no permissions for group and other Example: default permissions 666, umask 077 permissions for new file 0600 20

Controlled Invocation Superuser privilege is required to execute certain operating system functions Example: only processes running as root can listen at the privileged ports 0-1023 Solution adopted in Unix: SUID (set user id) programs and SGID (set group id) programs SUID or SGID programs run with the effective user ID or group ID of their owner or group, giving controlled access to files not normally accessible to other users 21

SUID to root When root owns an executable file and the SUID bit is set, the process will get superuser status during execution Important SUID programs: /bin/passwd change password /bin/login login program /bin/at batch job submission /bin/su change UID program SUID programs need to be written very carefully so that their privileges cannot be misused and they only do what is intended 22

Unix access control dicsussion Limitations: Files have only one owner and group Complex policies, e.g. access to several groups, are impractical to implement Superuser needed for maintaining groups All access rights (e.g. shutdown, create user) must be mapped to files access and to read, write and execute permissions Relatively simple and widely understood Relatively easy to check the protection state Unix versions may implement additional access control features 23

WINDOWS ACCESS CONTROL 24

Windows Security Model Principals = users, machines, groups, Objects = files, Registry keys, printers, Each object has an discretionary access control list (DACL) The active subjects are processes and threads Each process (or thread) has an access token When is a process allowed to access an object? Object DACL is compared with the process s security token when creating a handle to the object 25

Security indentifier Principal names: machine\principal or domain\principal Aalto\Alice, pc3\administrators, plover\aura = Tuomas Aura Each principal has a unique security identifier (SID) Names may change; SID is permanent User SIDs: S-1-5-21-961468069-954667678-1722769278-1002 = Alice S-1-5-21-961468069-954667678-1722769278-500 = Administrator Typical way to create unique use SIDs: S-1-5 + machine or domain id + relative id Well-known SIDs: S-1-5-18 = Local System, S-1-1-0 = Everyone, S-1-5-domain-513 = Domain Users, etc. 26

Windows domains Windows machine has a Local Security Authority (LSA), which can create local users and local groups (=aliases) Local principals are stored in Registry A Windows server can become a Domain Controller (DC), and other machines can join its domain Domain administrators manage the domain users and groups centrally at the DC Domain principals are stored in Active Directory Names: domain\principal or principal@domain DC provides authentication services to other machines Domain user can log into any domain-joined machine Kerberos protocol used for distributed authentication In large organizations, DCs and domains can form a hierarchy 27

Access token Each process has an access token (=security token) Token contains Login user account SID (the process runs as this user) SIDs of all groups in which the user is a member (recursively) All privileges assigned to these groups etc. Privileges are special local access rights: Backup, audit security log, take ownership, trusted for delegation, debugging, performance profiling, shutdown. etc. Groups can be built-in or defined by admins: Users, Administrators, Remote Desktop Users Sales, Security Lab, Researchers, Europe Employees Token never changes after it has been created Reliability, efficiency vs. revocation speed Tokens for child processes may be restricted 28

Creating subjects The machine is always running a logon process (winlogon.exe) as the principal SYSTEM When a user logs on to a machine, the logon process collects credentials (e.g. user password) and presents them to the LSA the LSA (lsass.exe) verifies the credentials the logon process starts a shell (explorer.exe) in a new logon session as the user (=principal) Shell spawns processes to the same logon session Logging off destroys the logon session and all processes in it 29

Creating more subjects A process can spawn a new local process (subject) by calling e.g. CreateProcess Each process has its own access token New process gets a copy of its parent s token Threads can be given their own tokens, so that they become independent subjects User s network credentials (e.g. password or Kerberos ticket) are cached in the logon session Processes can create network logon sessions for that user at other machines 30

Objects Objects: files, folder, Registry and AD objects, printers, processes... Objects can be containers for other objects Securable objects have a security descriptor, which contains the DACL Object also has an owner (identified by SID), who has the implicit right to read and write the DACL (discretionary access control) 31

Permissions Permissions are actions that apply to each object class Some generic permissions are defined for all objects: read, write, execute, all, delete, etc. Specific permissions are defined for each class: Append, AddSubDir, CreateThread,etc. Permissions are encoded as a 32-bit mask Object DACL specifies which principals (SIDs) have which permissions 32

Access control lists DACL is a list of access control entries (ACEs) ACE format: Type: positive or negative (grant or deny) Permissions Principal (SID): who the ACE applies to Flags Object Type Inherited Object Type 33

DACL example ACE1 - Tuomaura ACE2 + Diego ACE2 + Lecturers ACE4 + EVERYONE Write Full Control Read, Write Read This ACL grants read access but no write access to the user Tuomaura Negative access control entries (ACEs) are placed before positive ones 34

Viewing the DACL and ACEs Right-click on a file; select Properties/ Security DACL (ACEs) Click on Advanced to see the entire security descriptor Permissions for the selected ACE 35

Access check algorithm Process specifies the desired access (requested permissions) when creating a handle to the object Privileges or implicit owner permissions may alone be sufficient to grant access Otherwise, check DACL as follows: Look for ACEs that match (1) any SID in the subjects token and (2) any desired access right If any negative ACE matches, deny access If positive ACEs are found for all requested permissions, grant access If the end of DACL is reached, deny access 36

Performance and reliability Access rights are determined at login time The user s group SIDs are cached in the token of the login process, and sub-processes get a copy of the token The token contents will not change even if a membership or privilege is revoked from a SID Desired access is compared against the token and DACL when creating a handle to the object not at access time Changing file DACL does not affect open file handles Consequences: Better performance Better reliability because a process knows in advance whether it has sufficient access rights for a task No immediate revocation of access rights 37

ACE inheritance + Diego Read, Write Flags: OBJECT_INHERIT Folder File A + Diego Read, Write Flags: INHERITED_ACE File B - Diego Write + Diego Read, Write Flags: INHERITED_ACE Container objects can have inheritable ACEs Inherited ACEs are copied to the end of sub-object DACLs; aces on the sub-object can override them Inherited ACEs are updated if the original changes 38

Container hierarchy + Diego Read, Write Flags: OBJECT_INHERIT, INHERIT ONLY + Diego Read, Write Folder X Folder Y Folder Z Flags: INHERITED_ ACE, INHERIT ONLY, OBJECT_INHERIT - Diego Write Flags: OBJECT_INHERIT + Diego Read, Write Flags: INHERITED_ACE INHERIT_ONLY, OBJECT_INHERIT + Diego Read, Write Flags: INHERITED_ACE File A File B - Diego Write Flag: INHERITED_ACE + Diego Read, Write Flags: INHERITED_ACE 39

Inheriting negative ACEs - Tuomaura Read Flags: OBJECT_INHERIT Folder - Tuomaura Read File A Flags: INHERITED_ACE File B + Tuomaura Read - Tuomaura Read Flags: INHERITED_ACE Inherited negative ACEs can end up after positive ACEs; it is possible to override inherited negative ACEs 40

Flags on ACEs: Inheritance flags OBJECT_INHERIT_ACE CONTAINER_INHERIT_ACE NO_PROPAGATE_INHERIT_ACE INHERIT_ONLY_ACE INHERITED_ACE ACE applies to leaf objects ACE applies to container objects applies to immediate children only does not apply to the parent itself The ACE has been inherited (Inheritable ACEs can apply to leaf objects, to containers, or to both) Flags on DACLs: SE_DACL_PROTECTED inheritance from containers above this object is blocked 41

Blocking inheritance + Diego Read Flags: OBJECT_INHERIT Folder X + Diego Read Flag: INHERITED_ ACE, INHERIT_ONLY Folder Y Folder Z DACL_ PROTECTED + Diego Read, Write Flag: INHERITED_ACE File A File B 42

ACE Inheritance ACE1 DACL_ PROTECTED ACE2 ACE3 ACE1 inherited in the entire subtree ACE2 inherited in subtree in front of ACE1 ACE3 inherited in the subtree, ACE1 is blocked 43

Advanced inheritance Object hierarchies with inheritance: NTFS, Registry, Active Directory, Inheritable ACEs can apply to only leaf objects or only to containers Similarly, inheritable ACEs can apply to all objects or only to a specific object type Special CREATOR_OWNER SID indicates that the ACE matches to the owner of the object Inheritance simplifies system administration but very few people understand or use it Performance: Inherited ACEs are cached in sub-object DACLs to make access control decisions faster Changing permissions on the top levels of a deep object hierarchy is a slow process; done rarely in applications 44

How to see them Local users and aliases: > net user > net localgroup Run compmgmt.msc, see System Tools / Local user and Groups Domain users, groups and aliases: > net user /domain (slow!) > net group /domain > net localgroup /domain Members of a group, e.g.: > net group Researchers /domain User information: > net user alice /domain Privileges: Run secpol.msc, see Local Policies / User Rights Assignment Permissions: > icacls file.txt 45

Restricted tokens A process might not always need or want all the rights given by the token Process may create a restricted token remove privileges disable groups: change SIDs to deny-only groups, which are not deleted but marked as USE_FOR_DENY_ONLY add restricted SIDs; a second list of SIDs that is also compared against DACLs Process can assign restricted tokens to its child processes or threads (= impersonation) 46

EXAMPLE: IMPLEMENTING THE PRINCIPLE OF LEAST PRIVILEGE 47

Unix: applying controlled invocation Sensitive resources, like a web server, can be protected by combining ownership, permission bits, and SUID programs: Create a new UID that owns the resource and all programs that need access to the resource Only the owner gets access permission to the resource Define all the programs that access the resource as SUID programs 48

Windows: using restricted SIDs To limit a program s access to a set of objects create a new SID run the program with the new SID as a restricted SID add the new SID to the DACL on objects that the program is allowed to access 49

Reading material Dieter Gollmann: Computer Security, 2nd ed., chapter 6 Matt Bishop: Introduction to computer security, chapter 25 Ross Anderson: Security Engineering, 2nd ed., chapter 4 Online: Wayne Pollock, Unix File and Directory Permissions and Modes http://content.hccfl.edu/pollock/aunix1/filepermissions.htm John R. Michener, Understanding Windows File And Registry Permissions, MSDN Magazine, Nov 2008 http://msdn.microsoft.com/en-us/magazine/cc982153.aspx 50

Exercises: Unix Create a subdirectory in your home directory and put a file welcome.txt in this subdirectory. Set permission bits on the subdirectory so that the owner has execute access. Try to list the subdirectory display the contents of welcome.txt create a copy of welcome.txt in the subdirectory. make the subdirectory the current directory with cd Repeat the same experiment first with read permission and then with write permission on the subdirectory How would you protect a tty device from other users? 51

Exercises: Windows How can Unix file permissions can be expressed with Windows ACLs? Assume Fred is member of group Lecturers. Who gets access to an object with DACLs 1. [+,Fred,READ], [-, Lecturers,READ]? 2. [-,Fred,READ], [+, Lecturers,READ]? 3. [-, Lecturers,READ], [+,Fred,READ]? When a new object is created, how is its security descriptor populated? Tokens are objects. How does access control for tokens work? What is the time-of-check-to-time-of-use (TOCTTOU) issue? Where does this create potential problems in the Windows file system? There is no API for giving file ownership to others. Administrators have backup and restore privileges. What trick can they use to change file owner? Changing permissions on a top-level folder in the NTFS file system (such as C:\ or C:\Program Files) is very slow operation. This is actually a performance optimization. Explain why. 52

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback