cs642 /operating system security computer security adam everspaugh

Similar documents
OS Security Basics CS642: Computer Security

OS Security Basics CS642: Computer Security

CIS 5373 Systems Security

Information Security Theory vs. Reality

Secure Architecture Principles

Unix Basics. UNIX Introduction. Lecture 14

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

IS 2150 / TEL 2810 Information Security and Privacy

Introduction to Security

Introduction to Security

Data Security and Privacy. Unix Discretionary Access Control

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Information Security CS 526

Processes are subjects.

CSE 565 Computer Security Fall 2018

Operating system security models

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Operating System Security

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Discretionary Access Control

Operating systems fundamentals - B10

Introduction to Computer Security

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Case Study: Access Control. Steven M. Bellovin October 4,

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Exercise Sheet 2. (Classifications of Operating Systems)

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

? Resource. Outline. Lecture 9: Access Control and Operating System Security. Access control. Access control matrix. Two implementation concepts

Permissions and Links

Privileges: who can control what

Introduction to Unix May 24, 2008

Secure Architecture Principles

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

OS Security III: Sandbox and SFI

CS246 Spring14 Programming Paradigm Notes on Linux

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

INSE 6130 Operating System Security. Overview of Design Principles

CS631 - Advanced Programming in the UNIX Environment

Processes are subjects.

CSC 405 Introduction to Computer Security

Case Studies in Access Control

Announcements. is due Monday April 1 needs to include a paragraph write-up about the results of using the two different scheduling algorithms

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

INSE 6130 Operating System Security

Shellbased Wargaming

Unix Handouts. Shantanu N Kulkarni

Introduction to Computer Security

Unix, History

Access Control. Steven M. Bellovin September 13,

Secure Architecture Principles

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Advanced Systems Security: Multics

UNIX / LINUX - GETTING STARTED

The golden age of hacking. OS UNIX GNU/Linux UNIX access control

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

The UNIX operating system is a set of programs that act as a link between the computer and the user.

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Protection Kevin Webb Swarthmore College April 19, 2018

Access Control. Tom Chothia Computer Security, Lecture 5

Operating Systems Security Access Control

cs642 /introduction computer security adam everspaugh

Find out where you currently are in the path Change directories to be at the root of your home directory (/home/username) cd ~

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Introduction to Systems Security

OS Security. Authorization. Radboud University Nijmegen, The Netherlands. Winter 2015/2016

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Operating Systems Lab

Operating system security

Outline. Last time. (System) virtual machines. Virtual machine technologies. Virtual machine designs. Techniques for privilege separation

Introduction to Linux

UNIX File Hierarchy: Structure and Commands

File Security Lock Down Your Data. Brian Reames January 22, 2012

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

SysSec. Aurélien Francillon

CIS 5373 Systems Security

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CS 161 Computer Security

Access Control. Steven M. Bellovin September 2,

Access Control Mechanisms

System Programming. Introduction to Unix

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING WITH WEBSITE DEVELOPMENT SEMESTER ONE EXAMINATIONS 2018/2019 UNIX MODULE NO: CPU5003

CSC 405 Computer Security Linux Security

Exercises with solutions, Set 2

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013

Capability and System Hardening

File Access Control Lists (ACLs)

Software Security and Exploitation

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

The landscape. File hierarchy overview. A tree structure of directories The directory tree is standardized. But varies slightly among distributions

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Brief Linux Presentation. July 10th, 2006 Elan Borenstein

University of Massachusetts Lowell. One University Avenue. Department of Computer Science Tel: (508)

Linux Kung-Fu. James Droste UBNetDef Fall 2016

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Transcription:

cs642 computer security /operating system security adam everspaugh ace@cs.wisc.edu

principles Principles of Secure Designs Compartmentalization / Isolation / Least privilege Defense-in-depth / Use more than one security mechanism / Secure the weakest length / Fail securely Keep it simple / Economy of mechanism / Psychological acceptability / Good defaults Open Design

poll Have you used UNIX since noon today?

family tree Ken Thompson, 1970s Dennis Ritchie bell labs multics unix 1960s mit, at&t, bell labs, ge ~ 100 installations linux freebsd many others

family tree multics 1960s mit, at&t, bell labs, ge ~ 100 installations Ken Thompson, 1970s Dennis Ritchie bell labs unix linux freebsd many others

poll Have you used UNIX since noon today?

multics Lots of design innovations - including lots of security innovations Segmentation and virtual memory Shared memory multiprocessor (SMP) F. Corbato, MIT

protection rings Protection rings 0-7 in which processes execute 0 0 0 1 2 / Lower number = higher privilege / Ring 0 is supervisor / Inherit privileges over higher levels Protection rings included in all typical CPUs today and used by most operating systems

memory isolation / virtual memory / program and data stored in segments / descriptor control field // read, write, execute / segments are access controlled

pw storage enciphered passwords I was no cryptanalyst Joe [Weizenbaum] had suggested I store the square of the password, but I knew people could take square roots, so I squared and ANDed with a mask to discard some bits. T. Van Vleck Later ones used DES, but Multics predates DES Today, UNIX systems store a HASH(pw)

reference monitor Reference monitor or security kernel / Monitors all data access / Enforces security policy Multics security policy: no flow from high classification to lower classification TOP SECRET SECRET Process 1 send M to P2 fail Reference Monitor Process 2

red team / Karger and Schell, 1974 TOP SECRET SECRET Process 1 write to file A OK Reference Monitor read from file B OK Process 2 Send: 1-bit: large write to file 0-bit: idle Hard disk Receive: Read from disk, measure time longer read time = 1-bit shorter read time = 0-bit

red team / Karger and Schell, 1974 TOP SECRET SECRET Process 1 write to file A OK Reference Monitor read from file B OK Process 2 Send: 1-bit: large write to file Hard disk Receive: Read from disk, measure time 0-bit: idle Covert channel: circumvents reference monitor and longer read time = 1-bit security policy shorter read time = 0-bit

access control galapagos-05.cs.wisc.edu /home/ace /scripts /Pictures /upd-encryption /home/rist /lectures /projects /gitbucket /home/sscott /Projects /latex /rust /etc/nginx web-server-private-key.pem

access control Objects (files) Permitted operations a b c d e Subjects (users) ace r,w - r,w, own - r rist - - r r r,w sscott w, own r r - - kpat r r,w r,w - r Access control matrix: [Lampson, Graham, Denning; 1971]

access control list a ace r,w rist - sscott w, own kpat r Objects (files) b c d e ace - rist - sscott r kpat r,w ace - rist r sscott - kpat -

roles Role-based access control Role = set of users Individuals Roles Resources engineering Server 1 marketing Server 2 human res Server 3 Advantages: / many users, few roles / individuals come-and-go frequently, groups are more stable

unix access control View file permissions access control list

unix access control Unix uses role based access control Role => group Individual (or process) => user id (uid) Special user ID: uid 0 / root user / permitted to do anything / for any file: can read, write, change permissions, change owners

unix file system Each file assigned: owner and a group Basic operations: read, write, execute

unix acl --- rwx rwx rwx setid owner group others

unix acls --- rwx rwx rwx setid owner group others / Permissions set by owner (or root) / Determining if an action is permitted: // if uid == 0 (root): allow anything // else if uid == owner: use owner permissions // else if uid in group: use group permissions // else: use other permissions / Only owner, root can change permissions / This privilege cannot be delegated or shared / Setid bits Discuss in a few slides

exercise owner group rwx rwx rwx owner group others -rw-r--r-- 1 ace staff 1087 Aug 10 15:20 LICENSE.txt -rw-r--r-- 1 ace staff 19 Aug 10 15:57 MANIFEST.in -r---w-r-- 1 ace dev 1106 Aug 14 13:55 README.md drwxr-xr-x 3 ace staff 102 Aug 13 07:27 dist drwxr-xr-x 8 ace staff 272 Aug 13 10:47 safeid drwxrwxr-x 9 ace staff 306 Aug 13 07:26 safeid.egg -r-------- 1 ace web 40 Aug 10 15:56 setup.cfg -rw--w-r-x 1 ace dev 1550 Aug 13 07:26 deploy.log staff:*:29:ace,sscott,kpat,rist web:*:31:ace,kpat,rist dev:*:32:ace,sscott,pbriggs Can sscott read the file README.md? Can ace write to setup.cfg? Which users can append to deploy.log?

process ids RUID EUID SUID Real User ID / same as the UID of parent / indicates who started this process process RGID EGID SGID Effective User ID / current permissions for this process Saved User ID / previous EUID so that it can be restored Also: Real Group ID, Effective Group ID,

process IDs RUID EUID SUID Fork/exec / new process inherits all three UIDs (except for setid bit explained later) process seteuid(newid) system call / changes EUID / can only change to saved UID or real UID / unless EUID == 0 in which case can set any ID Also seteguid()

why? Many UNIX systems store passwords in the file /etc/shadow Who should be able to read this file? Write this file? Users change passwords using /usr/bin/passwd What EUID does this process run as? How can it write updates to the password file? setid bits

setid --s --s --- t owner group others sticky setuid: on execute, set EUID of new process to file owner s UID setgid: on execute, set EGID of new process to file owner s GID sticky bit (for directories) When set, restricts deletion and renaming of files setuid/gid: Permits necessary privilege escalation

exercise think-pair-share [ace:/usr/bin/]: ls -l... -rwsr-xr-x 1 root root 47032 Feb 17 2014 passwd... -rwxr-sr-x 1 root tty 19024 Feb 12 2015 wall When passwd is started: what are the RUID, EUID, and SUID values? When wall is started: what are the RUID, EUID, and SUID? What are the RGID, EGID, and SGID?

vulnerabilities -rwsr-xr-x 1 root root 5090 Jan 16 2015 tmp-read... if (access("/tmp/myfile", R_OK)!= 0) { exit(-1); } file = open("/tmp/myfile", "r"); read(file, buf, 1024); close(file); printf("%s\n", buf); Q: Where s the vulnerability?

tocttou access("/tmp/myfile", R_OK) ln sf /home/root/.ssh/id_rsa /tmp/myfile open("/tmp/myfile", "r"); printf("%s\n", buf); Race condition between attacker and tmp-read Prints root user's private SSH key Vulnerability called: time-of-check to time-of-use (TOCTTOU)

better euid = geteuid(); ruid = getuid(); seteuid(ruid); // drop privileges file = open("/tmp/myfile", "r"); read(file, buf, 1024); close(file); print("%s\n", buf);

better EUID 0 0 19 /etc/passwd: ace:*:19:... euid = geteuid(); ruid = getuid(); seteuid(ruid); // drop privileges ln sf /home/root/.ssh/id_rsa /tmp/myfile 19 file = open("/tmp/myfile", "r"); error: errno=13 (Permission denied). What security design principle? > Least privilege

setid / In practice, setid is even more complicated Q: Violates which secure design principles? [Chen, Wagner, Dean. Setuid Demystified]

setid setid permits necessary privilege escalation Source of many privilege escalation vulnerabilities / race conditions (tocttou) / control-flow hijacking

recap Principles for Secure Designs Multics: security design features, covert channel Access control matrix and ACLs Unix file access control setid bits and seteuid system call

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback