Advanced Systems Security: Ordinary Operating Systems

Similar documents
Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Principles

Advanced Systems Security: Principles

Advanced Systems Security: Principles

Advanced Systems Security: Multics

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

Advanced Systems Security: Integrity

CSE 544 Advanced Systems Security

Advanced Systems Security: Securing Commercial Systems

Topics in Systems and Program Security

Topics in Systems and Program Security

Advanced Systems Security: Security Goals

Advanced Systems Security: Putting It Together Systems

CMPSC 497 Attack Surface

Advanced Systems Security: Integrity

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Advanced Systems Security: Integrity

Advanced Systems Security: Security-Enhanced Linux

Operating System Security: Building Secure Distributed Systems

CMPSC 497 Buffer Overflow Vulnerabilities

STING: Finding Name Resolution Vulnerabilities in Programs

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Advanced System Security: Vulnerabilities

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Operating System Security

Advanced Systems Security: Virtual Machine Systems

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Multics C H A P T E R MULTICS HISTORY

Access Control/Capabili1es

Advanced Systems Security: Virtual Machine Systems

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Static Analysis. Systems and Internet Infrastructure Security

Security Enhanced Linux

Access Control. Discretionary Access Control

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

OS Security III: Sandbox and SFI

Advanced Systems Security: New Threats

CSE543 - Introduction to Computer and Network Security

ECE 471 Embedded Systems Lecture 22

Introduction to Computer Security

CSE543 - Computer and Network Security Module: Virtualization

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Access Control. Steven M. Bellovin September 13,

Toward Automated Information-Flow Integrity Verification for Security-Critical Applications

Secure Architecture Principles

Advanced Systems Security: Cloud Computing Security

CSE543 - Computer and Network Security Module: Virtualization

Secure Architecture Principles

CIS433/533 - Introduction to Computer and Network Security. Access Control

Secure Architecture Principles

Advanced Systems Security: Future

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Secure Architecture Principles

CSE543 - Computer and Network Security Module: Virtualization

Justifying Integrity Using a Virtual Machine Verifier

Security Architecture

Advanced Systems Security: Confused Deputy

Confinement. Steven M. Bellovin November 1,

CS 161 Computer Security

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Virtual Machine Security

Access Control. Tom Chothia Computer Security, Lecture 5

SELinux. Don Porter CSE 506

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

N-Variant SystemsA Secretless Framework for Security through. Diversity Cox et al.

The Evolution of Secure Operating Systems

OS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

CSE Computer Security

Secure Architecture Principles

P1L5 Access Control. Controlling Accesses to Resources

Advanced Systems Security: Program Diversity

A Survey of Access Control Policies. Amanda Crowell

Privilege Escalation

System Configuration as a Privilege

Secure Programming Techniques

Access Control. Steven M. Bellovin September 2,

Computer Security Course. Midterm Review

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CMPSC 497 Other Memory Vulnerabilities

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Web Servers and Security

Architecture. Steven M. Bellovin October 31,

Discretionary Access Control

Advanced Systems Security: Security-Enhanced Linux

The Evolution of Secure Operating Systems

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Future of Secure Programming

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Inevitable Failure: The Flawed Trust Assumption in the Cloud

Computer Security Fall 2006 Joseph/Tygar MT 2 Solutions

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Access Control. Discretionary Access Control

Software Security and Exploitation

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

19.1. Security must consider external environment of the system, and protect it from:

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Architecture. Steven M. Bellovin October 27,

Transcription:

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Ordinary Operating Systems Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University February 2, 2010 Page 1

UNIX and Windows If you want to run an application, you have to install one of these Where UNIX encompasses Linux and Mac OS X Common understanding They are insecure Why? Page 2

UNIX Access Control On Files All objects are files Not exactly true Classical Protection System Limited access matrix Discretionary protection state operations Practical model for end users Still involves some policy specification Page 3

UNIX Mode Bits Page 4

Windows Access Control On Objects Arbitrary classes can be defined New classes can be defined (Active Directory) Classical Protection System Full-blown ACLs (even negative ACLs) Discretionary protection state operations Not so usable Few people have experience Page 5

Windows Access Control Page 6

Vulnerabilities Function run by one subject that enables an attacker to gain unauthorized privileges (i.e., the subject s) Privilege escalation Two views Subject could do something for the attacker Attacker could take over process Either way, the attacker can use the subject s privileges May use these to compromise an even more privileged subject Page 7

The Morris Worm Page 8

Confused Deputy A server process has the privileges necessary to service requests from all its clients Can a client trick the server into using its permissions for the client? Have the server access an object whose name is supplied by a client Page 9

Links Page 10

Unknown Origin A server may use a file under the control of a client Client may provide file by name or predict the name of a file the server may create/use Such a file provides guidance that the server trusts Enabling the client to control how the server runs Page 11

/tmp Vulnerability Page 12

Others Overflow (Buffer or Heap) Inject code into server Libraries (Path or input) Inject code into server TOCTTOU Cause an authorization to pass Integer overflow Cause different control path Page 13

The OS Will Protect Me User-space vulnerabilities are expected Those processes are untrusted OS policies will protect the system from harm Only the OS and a few processes need to be trusted Just need to specify the access control policy We can specify anything we want We have an access matrix Page 14

Secrecy Page 15

Integrity Page 16

Trusted vs. Benign Page 17

Protection and Security Protection Security goals met under benign processes Protects against error by non-malicious entity Security Security goals met under trusted processes Any benign process can come under the control of an attacker Protects against any malicious entity For J: A benign process won t accidentally leak a key, but it would under attackers control Page 18

Is Fixing the Policy Enough? No, as these systems do not satisfy the reference monitor concept Page 19

Complete Mediation Mediation: Does interface mediate correctly? No. Several operations impact security that are ignored. Mediation: On all resources? UNIX: No. No network. Windows: Could. Mediation: Verifably? Ha. Page 20

Tamperproof Tamperproof: Is reference monitor protected? Operating system is not protect (see Rootkits) Kernel modules, trusted processes, extensible function Policy can be modified by untrusted processes (discretionary) Tamperproof: Is system TCB protected? We don t really know what this is All root and setuid processes and ones they depend on Plus anything an admin runs as root Page 21

Verification Verifiable: Is TCB code base correct? No. Verifiable: Does the protection system enforce the system s security goals? Goals? See Protection v. Security again Page 22

Take Away Conventional operating systems are insecure They run programs that suffer from many types of vulnerabilities They are designed to enable protection under benign programs, not secure a system from a directed attacker They do not satisfy reference monitor concept Also fail to implement a mandatory protection system Page 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback