Secure Architecture Principles

Similar documents
Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

CIS 5373 Systems Security

Information Security Theory vs. Reality

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Secure Architecture Principles

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Unix Basics. UNIX Introduction. Lecture 14

cs642 /operating system security computer security adam everspaugh

Operating system security models

Data Security and Privacy. Unix Discretionary Access Control

IS 2150 / TEL 2810 Information Security and Privacy

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

CSE 565 Computer Security Fall 2018

Introduction to Security

Introduction to Security

CIS 5373 Systems Security

Information Security CS 526

CSE 380 Computer Operating Systems

Discretionary Access Control

Secure Architecture Principles

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

OS Security III: Sandbox and SFI

Module 4: Access Control

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

412 Notes: Filesystem

Privileges: who can control what

P1L5 Access Control. Controlling Accesses to Resources

OS security mechanisms:

OS Security Basics CS642: Computer Security

Protection Kevin Webb Swarthmore College April 19, 2018

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

OS Security Basics CS642: Computer Security

Operating system security

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

CSC 405 Introduction to Computer Security

Chapter 4: Access Control

Operating System Security

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

Least-Privilege Isolation: The OKWS Web Server

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Shellbased Wargaming

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Access Control Mechanisms

General Access Control Model for DAC

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Introduction to Computer Security

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Module 19: Protection

FreeBSD Advanced Security Features

Chapter 14: Protection. Operating System Concepts 9 th Edition

Module 19: Protection

Case Studies in Access Control

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Operating systems fundamentals - B10

Storage and File Hierarchy

COS 318: Operating Systems

Storage and File System

Chapter 17: System Protection

Processes are subjects.

O/S & Access Control. Aggelos Kiayias - Justin Neumann

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

User Commands chmod ( 1 )

Case Study: Access Control. Steven M. Bellovin October 4,

Privilege Separation

Processes are subjects.

Chapter 4 Protection in General-Purpose Operating Systems

Access Control. Steven M. Bellovin September 13,

Program Structure. Steven M. Bellovin April 3,

Multifactor authentication:

Program Structure I. Steven M. Bellovin November 14,

Chapter 14: System Protection

Programming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)

Program Structure I. Steven M. Bellovin November 8,

Access Control Part 1 CCM 4350

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Filesystem Hierarchy and Permissions

Confinement (Running Untrusted Programs)

Filesystem Hierarchy and Permissions

Protection and Security

Capability and System Hardening

ESE 333 Real-Time Operating Systems 163 Review Deadlocks (Cont.) ffl Methods for handling deadlocks 3. Deadlock prevention Negating one of four condit

PESIT Bangalore South Campus

CSE361 Web Security. Access Control. Nick Nikiforakis

qmail ~]# rpm -qa grep sendmail ps -ef grep sendmail root :30? 00:00:00 sendmail: accepting connections

Operating Systems Security Access Control

INSE 6130 Operating System Security. Overview of Design Principles

Access Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014

Privilege Escalation

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

Transcription:

Computer Security Course. Secure Architecture Principles Slides credit: John Mitchell

Basic idea: Isolation A Seaman's Pocket-Book, 1943 (public domain)

http://staff.imsa.edu/~esmith/treasurefleet/treasurefleet/watertight_compartments.htm

Principles of Secure Design Compartmentalization Isolation Principle of least privilege Defense in depth Use more than one security mechanism Secure the weakest link Fail securely Keep it simple

Privilege Principle of Least Privilege Ability to access or modify a resource Principle of Least Privilege A system module should only have the minimal privileges needed for intended purposes Requires compartmentalization and isolation Separate the system into independent modules Limit interaction between modules

Monolithic design Network User input File system System Network User device File system

Monolithic design Network User input File system System Network User device File system

Monolithic design Network User input File system System Network User device File system

Component design Network Network User input User device File system File system

Component design Network Network User input User device File system File system

Component design Network Network User input User device File system File system

Which of these are privileges that allow one component to affect another component or system? Send a message on the network Add two numbers stored in two local variables Call a function defined in the same component Call a function defined in a different component

Example: Mail Agents Requirements Receive and send email over external network Place incoming email into local user inbox files Sendmail Traditional Unix Monolithic design Historical source of many vulnerabilities Qmail Component design

Isolation Qmail design Separate modules run as separate users Each user only has access to specific resources Least privilege Each module has least privileges necessary Only one setuid program setuid allows a program to run as different users Only one root program root program has all privileges

Structure of qmail Incoming external mail qmailinject qmailqueue qmailremote qmaillspawn qmailrspawn qmailsend Incoming internal mail qmaillocal qmailsmtpd

Structure of qmail Splits mail msg into 3 files Message contents 2 copies of header, etc. Signals qmail-send qmailinject qmailqueue qmailremote qmaillspawn qmailrspawn qmailsend qmaillocal qmailsmtpd

Structure of qmail qmail-send signals qmail-lspawn if local qmail-remote if remote qmailinject qmailqueue qmailremote qmaillspawn qmailrspawn qmailsend qmaillocal qmailsmtpd

Structure of qmail qmailinject qmailqueue qmailsend qmail-lspawn qmaillspawn Spawns qmail-local qmail-local runs with ID of user receiving local mail qmaillocal qmailsmtpd

Structure of qmail qmailinject qmailqueue qmailsend qmail-local qmaillspawn Handles alias expansion Delivers local mail Calls qmail-queue if needed qmaillocal qmailsmtpd

Structure of qmail qmailinject qmailqueue qmailsend qmailsmtpd qmailremote qmailrspawn qmail-remote Delivers message to remote MTA

Isolation by Unix UIDs qmaild qmailsmtpd qmailq user who is allowed to read/write mail queue qmailinject user qmailq qmailqueue qmailsend qmailr qmaillspawn qmailrspawn qmails root qmailr setuid user qmaillocal qmailremote user

Least privilege setuid qmailinject qmailqueue qmailsend qmaillspawn qmailrspawn qmailremote root qmaillocal qmailsmtpd

Access Control & Capabilities

Access control Assumptions System knows who the user is Authentication via name and password, other credential Access requests pass through gatekeeper (reference monitor) System must not allow monitor to be bypassed User process access request Reference monitor? Resource policy

Access control matrix [Lampson] Object s File 1 File 2 File 3 File n User 1 read write - - read Subject s User 2 write write write - - User 3 - - - read read User m read write read write read

Two implementation concepts Access control list (ACL) Store column of matrix with the resource Capability User holds a ticket for each resource Two variations store row of matrix with user, under OS control unforgeable ticket in user space File 1 File 2 User 1 read write - User 2 write write - User 3 - - read User m Read write write Access control lists are widely used, often with groups Some aspects of capability concept are used in many systems

ACL vs Capabilities Access control list Associate list with each object Check user/group against list Relies on authentication: need to know user Capabilities Capability is unforgeable ticket Random bit sequence, or managed by OS Can be passed from one process to another Reference monitor checks ticket Does not need to know identify of user/process

ACL vs Capabilities User U Process P Capabilty c,d,e Process P User U Process Q Capabilty c,e Process Q User U Process R Capabilty c Process R

ACL vs Capabilities Delegation Cap: Process can pass capability at run time ACL: Try to get owner to add permission to list? More common: let other process act under current user Revocation ACL: Remove user or group from list Cap: Try to get capability back from process? Possible in some systems if appropriate bookkeeping OS knows which data is capability If capability is used for multiple resources, have to revoke all or none Indirection: capability points to pointer to resource If C P R, then revoke capability C by setting P=0

Roles (also called Groups) Role = set of users Administrator, PowerUser, User, Guest Assign permissions to roles; each user gets permission Role hierarchy Administrator Partial order of roles Each role gets PowerUser permissions of roles below User List only new permissions given to each role Guest

Role-Based Access Control Individuals Roles Resources engineering Server 1 marketing Server 2 human res Server 3 Advantage: user s change more frequently than roles

Information flow High security inputs High security outputs Process Low security inputs Low security outputs

Security Architecture Examples

Unix access control File has access control list (ACL) Grants permission to user ids Owner, group, other Process has user id Inherit from creating process Process can change id Restricted set of options Special root id Bypass access control restrictions File 1 File 2 User 1 read write - User 2 write write - User 3 - - read User m Read write write

Unix file access control list Each file has owner and group Permissions set by owner Read, write, execute Owner, group, other Represented by vector of four octal values setid rwx Only owner, root can change permissions This privilege cannot be delegated or shared Setid bits Discuss in a few slides - rwx rwx ownr grp othr

Question Owner can have fewer privileges than other What happens? Owner gets access? Owner does not? Prioritized resolution of differences if user = owner then owner permission else if user in group then group permission else other permission

Privileged Programs Privilege management is coarse-grained in today s OS Root can do anything Many programs run as root Even though they only need to perform a small number of priviledged operations What s the problem? Privileged programs are juicy targets for attackers By finding a bug in parts of the program that do not need privilege, attacker can gain root

What Can We Do? Drop privilege as soon as possible Ex: a network daemon only needs privilege to bind to low port # (<1024) at the beginning Solution? Drop privilege right after binding the port What benefit do we gain? Even if attacker finds a bug in later part of the code, can t gain privilege any more How to drop privilege? Setuid programming in UNIX

Unix file permission Each file has owner and group Permissions set by owner Read, write, execute Owner, group, other Represented by vector of four octal values setid rwx Only owner, root can change permissions This privilege cannot be delegated or shared Setid bits - rwx rwx ownr grp othr

Effective user id (EUID) in UNIX Each process has three Ids Real user ID (RUID) same as the user ID of parent (unless changed) used to determine which user started the process Effective user ID (EUID) from set user ID bit on the file being executed, or sys call determines the permissions for process file access and port binding Saved user ID (SUID) So previous EUID can be restored Real group ID, effective group ID, used similarly

Root Operations on UIDs ID=0 for superuser root; can access any file Fork and Exec Inherit three IDs, except exec of file with setuid bit Setuid system calls seteuid(newid) can set EUID to Real ID or saved ID, regardless of current EUID Any ID, if EUID=0 Details are actually more complicated Several different calls: setuid, seteuid, setreuid

Setid bits on executable Unix file Three setid bits Setuid set EUID of process to ID of file owner Setgid set EGID of process to GID of file Sticky Off: if user has write permission on directory, can rename or remove files, even if not owner On: only file owner, directory owner, and root can rename or remove file in the directory setid - rwx rwx rwx ownr grp othr

Drop Privilege RUID 25 Owner 18 SetUID ; ; exec( ); Owner 18 -rw-r--r-- file Owner 25 -rw-r--r-- file read/write read/write program ; ; i=getruid() setuid(i); ; ; RUID 25 EUID 18 RUID 25 EUID 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback