Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Similar documents
Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

Advanced Systems Security: Ordinary Operating Systems

Operating systems and security - Overview

Operating systems and security - Overview

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Advanced Systems Security: Multics

CS 458 / 658 Computer Security and Privacy

Introduction to Computer Security

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 565 Computer Security Fall 2018

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

CS 458 / 658 Computer Security and Privacy. Operating systems. Module outline. Module 3 Operating System Security. Fall 2015

CS 356 Operating System Security. Fall 2013

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CS 458 / 658 Computer Security and Privacy

Network Security. Thierry Sans

Advanced Systems Security: Ordinary Operating Systems

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Security and Privacy

CSE543 - Computer and Network Security Module: Virtualization

Access Control. Steven M. Bellovin September 13,

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Software Security and Exploitation

2. INTRUDER DETECTION SYSTEMS

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

CSC 574 Computer and Network Security. TCP/IP Security

Problem Set 10 Due: Start of class December 11

5. Execute the attack and obtain unauthorized access to the system.

CSE 565 Computer Security Fall 2018

Access Control. Steven M. Bellovin September 2,

CyberP3i Course Module Series

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Inline Reference Monitoring Techniques

CSE 565 Computer Security Fall 2018

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

COMPUTER NETWORK SECURITY

OS Security III: Sandbox and SFI

Chapter 9. Firewalls

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

Virtual Machine Security

Topics in Systems and Program Security

Understanding Cisco Cybersecurity Fundamentals

Lecture 15 Designing Trusted Operating Systems

Scribe Notes -- October 31st, 2017

Security and Authentication

Logging. Steven M. Bellovin December 6,

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

INSE 6130 Operating System Security

Denial of Service and Distributed Denial of Service Attacks

Port Scanning A Brief Introduction

T Salausjärjestelmät (Cryptosystems) Introduction to the second part of the course. Outline. What we'll cover. Requirements and design issues

19.1. Security must consider external environment of the system, and protect it from:

Topics in Systems and Program Security

Protection. Thierry Sans

Trusted OS Design CS461/ECE422

Networking interview questions

Amplifying. Examples

Internet Security: Firewall

Network Defenses 21 JANUARY KAMI VANIEA 1

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Chapter 8 roadmap. Network Security

Data Security and Privacy. Unix Discretionary Access Control

Why Firewalls? Firewall Characteristics

Wireless Attacks and Countermeasures

Architectural Support for A More Secure Operating System

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

What this talk is about?

Operating System Security: Building Secure Distributed Systems

Network Defenses KAMI VANIEA 1

Secure Architecture Principles

HPE Intelligent Management Center

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Advanced Systems Security: Principles

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Security System and COntrol 1

Post-Class Quiz: Access Control Domain

CHAPTER 8 FIREWALLS. Firewall Design Principles

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

CSE543 - Computer and Network Security Module: Virtualization

SE420 Software Quality Assurance

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Chapter 18: Evaluating Systems

CompTIA Security+(2008 Edition) Exam

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Pass Microsoft Exam

CSCI 680: Computer & Network Security

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

CSE 544 Advanced Systems Security

Transcription:

Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1

This time Trusted Operating System Design Security Features Trusted Computing Base Least Privilege in Popular OSs Assurance Security in Networks Network Concepts Threats in Networks 10-2

Accountability and Audit Keep an audit log of all security-related events Provides accountability if something goes bad Who deleted the sensitive records in the database? How did the intruder get into the system? An audit log does not give accountability if attacker can modify the log At what granularity should events be logged? For fine-grained logs, we might run into space/efficiency problems or finding actual attack can be difficult For coarse-grained logs, we might miss attack entirely or don t have enough details about it 10-3

Intrusion Detection There shouldn t be any intrusions in a trusted OS However, writing bug-free software is hard, people make configuration errors, Audit logs might give us some information about an intrusion Ideally, OS detects an intrusion as it occurs Typically, by correlating actual behaviour with normal behaviour Alarm if behaviour looks abnormal See later in Network Security unit 10-4

Trusted Computing Base (TCB) Part of a trusted OS that is necessary to enforce OS security policy Changing non-tcb part of OS won t affect OS security, changing its TCB-part will TCB better be complete and correct TCB can be implemented either in different parts of the OS or in a separate security kernel Separate security kernel makes it easier to validate and maintain security functionality Security kernel runs below the OS kernel, which makes it more difficult for an attacker to subvert it 10-5

Security Kernel 10-6

Rings Some processors support this kind of layering based on rings If processor is operating in ring n, code can access only memory and instructions in rings n Accesses to rings < n trigger interrupt/exception and inner ring will grant or deny access x86 architecture supports four rings, but Linux and Windows use only two of them user and supervisor mode i.e., don t have security kernel Some research OSs (Multics, SCOMP) use more 10-7

Reference Monitor Crucial part of the TCB Collection of access controls for devices, files, memory, IPC,, Not necessarily a single piece of code Must be tamperproof, unbypassable and analyzable Interacts with other security mechanism, e.g., user authentication 10-8

Virtualization Virtualization is a way to provide logical separation (isolation) Different degrees of virtualization Virtual memory Page mapping gives each process the impression of having a separate memory space Virtual machines Also virtualize I/O devices, files, printers, Currently very popular (VMware, Xen, Parallels,...) If Web browser runs in a virtual machine, browser-based attacks are limited to the virtual environment On the other hand, a rootkit could make your OS run in a virtual environment and be very difficult to detect ( Blue Pill ) 10-9

Least Privilege in Popular OSs Pretty poor Windows pre-nt: any user process can do anything Windows pre-vista: fine-grained access control. However, in practice, many users just ran as administrators, which can do anything Some applications even required it Windows Vista Easier for users to temporarily acquire additional access rights ( User Account Control ) Integrity levels, e.g., Internet Explorer is running at lowest integrity level, which prevents it from writing up and overwriting all a user s files 10-10

Least Privilege in Popular OSs (cont.) Traditional UNIX: a root process has access to anything, a user process has full access to user s data SELinux and AppArmor provide Mandatory Access Control (MAC) for Linux, which allows the implementation of least privilege No more root user Support both confidentiality and integrity Difficult to set up Other, less invasive approaches for UNIX Chroot, privilege separation, SUID (see next slides) What about the iphone? 10-11

Chroot Sandbox/jail a command by changing its root directory chroot /new/root command Command cannot access files outside of its jail Some commands/programs are difficult to run in a jail But there are ways to break out of the jail 10-12

Privilege Separation Run as much of a program in an unprivileged way as possible Example: Privilege separation in OpenSSH Split SSH daemon into a privileged monitor and an unprivileged, jailed child Child processes (maybe malicious) network data from a client Child might get corrupted Child needs to talk to monitor when it needs access to privileged information (e.g., password file) Small, well-defined interface Makes it much more difficult to also corrupt monitor Monitor shuts down client if it detects suspicious behavior 10-13

setuid/suid Bit In addition to bits denoting read, write and execute access rights, UNIX ACLs also contain an suid bit If suid bit is set for an executable, the executable will execute under the identity of its owner, not under the identity of the caller /usr/bin/passwd belongs to root and has suid bit set If a user calls /usr/bin/passwd, the program will assume the root identity and can thus update the password file Make sure to avoid confused deputy attack Eve executes /usr/bin/passwd and manages to convince the program that it is Alice who is executing the program. Eve can thus change Alice s password 10-14

Assurance How can we convince others to trust our OS? Testing Can demonstrate existence of problems, but not their absence Might be infeasible to test all possible inputs Penetration testing: Ask outside experts to break into your OS Formal verification Use mathematical logic to prove correctness of OS Has made lots of progress recently Unfortunately, OSs are probably growing faster in size than research advances 10-15

Assurance (cont.) Validation Traditional software engineering methods Requirements checking, design and code reviews, system testing 10-16

Evaluation Have trusted entity evaluate OS and certify that OS satisfies some criteria Two well-known sets of criteria are the Orange Book of the U.S. Department of Defense and the Common Criteria Orange Book lists several ratings, ranging from D (failed evaluation, no security) to A1 (requires formal model of protection system and proof of its correctness, formal analysis of covert channels) See text for others Windows NT has C2 rating, but only when it is not networked and with default security settings changed Most UNIXes are roughly C1 10-17

Common Criteria Replace Orange Book, more international effort Have Protection Profiles, which list security threats and objectives Products are rated against these profiles Ratings range from EAL 1 (worst) to EAL 7 (best) Windows XP has been rated EAL 4+ for the Controlled Access Protection Profile (CAPP), which is derived from Orange Book s C2 Interestingly, the continuous release of security patches for Windows XP does not affect its rating 10-18

Security in Networks Security in Networks Network Concepts Threats in Networks Network Security Controls Firewalls Intrusion Detection Systems 10-19

Architecture of the Internet router workstation server mobile backbone regional ISP regional ISP local ISP company network Slide adapted from Computer Networking by Kurose & Ross 10-20

Characteristics of the Internet No single entity that controls the Internet Traffic from a source to a destination likely flows through nodes controlled by different, unrelated entities End nodes cannot control through which nodes traffic flows Worse, all traffic is split up into individuals packets, and each packet could be routed along a different path Different types of nodes Server, laptop, router, UNIX, Windows, Different types of communication links Wireless vs. wired TCP/IP suite of protocols Packet format, routing of packets, dealing with packet loss, 10-21

TCP/IP Protocol Suite Application Transport HTTP, FTP, email, SSL, TCP or UDP Application Transport Network Link Client IP Ethernet, WiFi, Network Link Router IP Ethernet, WiFi, Network Link Server Transport and network layer designed in the 1970s to connect local networks at different universities and research labs Participants knew and trusted each other Design addressed non-malicious errors (e.g., packet drops), but not malicious errors 10-22

Threats in Networks Reconnaissance Attacks on confidentiality Impersonation and spoofing Attacks on integrity Protocol failures Web site vulnerabilities Denial of service Threats in active/mobile code Script kiddies 10-23

Port Scan To distinguish between multiple applications running on the same server, each application runs on a port E.g., a Web server typically runs on port 80 Attacker sends queries to ports on target machine and tries to identify whether and what kind of application is running on a port Identification based on loose-lipped applications or based on how exactly application implements protocol Goal of attacker is to find application with remotely exploitable flaw E.g., Apache web server prior to version 1.3.26 is known to be vulnerable to buffer overflow Exploits for these flaws can be found on the Internet 10-24

Recap Trusted Operating System Design Security Features Trusted Computing Base Least Privilege in Popular OSs Assurance Security in Networks Network Concepts Threats in Networks 10-25

Next time Security in Networks Threats in Networks Network Security Controls Firewalls 10-26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback