Operating Systems Security CS 166: Introduction to Computer Systems Security 1
Acknowledgements Materials from the CS167 lecture slides by Tom Doeppner included with permission Some slides 2016-2018 J. Liebow-Feeser, B. Palazzi, Z. Stoll, R. Tamassia, CC BY-SA 2.5 Examples of race conditions by Kevin Du 2
Source: XKCD 3
What is an Operating System? An operating system provides a useful way to interface with the hardware of the computer Hardware resources are accessed through abstractions provided by the OS CPU Memory Files / folders Windows Network Cursor Application Applications Operating System Hardware 4
Operating System Layers The operating system consists of several layers Hardware is at the bottom and applications are at the top The middle layers form the kernel Execution modes: user mode: access to resources mediated by the kernel kernel mode: full and direct access to resources The kernel supports efficient and secure sharing of resources among multiple applications and users Applications I/O Management Device Drivers Memory Management Process Management CPU Management Hardware 5
Processes The kernel views running programs as processes An application may consist of several processes A process may control other processes Operations start, suspend, resume, and terminate Processes run concurrently by timesharing execution on each CPU core Process identified by a number (process ID) and associated with a user Tree of processes Node: process Edge: connect a process (child) to the one that started it (parent) In Windows, applications stated by a user (e.g., Word) are typically children of the Windows Explorer process Child process inherits context from parent process 6
View Processes in Windows Task Manager Standard application List of running processes Basic information on each process Kill processes Process Explorer Add-on Detailed information on each process Color highlights Tree of processes Process Explorer 7
View Processes in Linux ps: displays snapshot of running processes ps -ef : show all processes ps -u <username>: show processes for a user top: updates list of running processes over time, sorted by CPU usage top u <username>: filter by username kill <pid>: terminates a process 8
The Windows Registry Database for global machine and user information The registry is a set of key-value pairs stored in folders (subkeys) Main folders are stored in hives Registry usually used for holding information such as configuration settings 9
Regedit Gives a view of the Windows registry The folders whose names begin with HKEY are hives They contain folders within them On the right, every folder lists its contents Source: http://hardware.ingame.de/gfx/reviews/registry/registry.jpg 10
Registry Hives HKEY_LOCAL_MACHINE\SAM: Security Accounts Manager HKEY_LOCAL_MACHINE\Security: more security HKEY_LOCAL_MACHINE\Software: installed software settings HKEY_LOCAL_MACHINE\System: boot information HKEY_USERS\.DEFAULT: new user default settings A separate hive for each user, called the user profile hive, it is usually found under HKEY_USERS HKEY_CURRENT_USER: links to the hive of current user HKEY_CURRENT_CONFIG: hardware profile, links to HKEY_LOCAL_MACHINE/System/CurrentControlSet/HardwareProfiles 11
Process Management Access control policies determine which resources can be accessed by each process and which other processes it can control Each process has a context, which includes the user, parent process, and address space (for storing data and instructions) The OS manages the mapping of the address space to physical memory locations 12
Forensics with Processes Analyzing running processes can reveal the presence of malware Process Explorer can be used a forensic tool in Windows First, look for processes with suspicious names Need to know names of safe processes Beware of small name differences Next, inspect processes with known names Username Network activity Image (executable file) Path (location on disk) Author (e.g., Adobe must be the author of Acrobat) Digital signature (not always present or verifiable for open source software) 13
System Calls A process communicates with the kernel to access resources and starting a new process Resources are requested from the kernel by making a system call A system call is executed in kernel mode An OS provides a preset library of system calls In addition to system calls, the kernel also handles Traps: typically caused by error conditions Process System calls OS Traps Interrupts: generated by external devices Malware may modify the library of system calls to change program behavior (e.g., log file activity) Interrupts 14
Users Each process is associated with a user Specific users can have more privileges than regular users Install or remove programs Change rights of other users Modify the configuration of the system Unix: The root is a super-user with no restrictions Windows Special users SYSTEM, LOCAL SERVICE, and NETWORK SERVICE associated with the operating system itself One or more administrators, with fewer privileges than SYSTEM Problems with being logged on as root/administrator Accidental file deletions can disable system Malware infections can modify system 15
Windows User Access Control Protected administrator accounts Have standard user rights in regular mode Can temporarily acquire administrator rights through elevation UAC elevation dialog boxes Triggered by programs that require administrative privileges (e.g., installers) Require explicit user approval Optionally ask for password Source of images: articles by Mark Russinovich in Microsoft TechNet magazine. 16
Unix File Types and Permissions d r w x r w x r w x file type user group other 17
The /tmp Directory In Unix systems, directory /tmp is Readable by any user Writable by any user Usually wiped on reboot Convenience Place for temporary files used by applicaitons Files in /tmp are not subject to the user s space quota What could go wrong? Sharing of resources may lead to vulnerabilities 18
Symbolic Link In Unix, a symbolic link (aka symlink) is a file that points to (stores the path of) another file A process accessing a symbolic link is transparently redirected to accessing the destination of the symbolic link Symbolic links can be chained, but not to form a cycle Windows shortcuts play a similar role but don t provide transparent access to the destination 19
Setuid Programs Unix processes have two user IDs: real user ID: user launching the process effective user ID: user whose privileges are granted to the process An executable file can have the setuser-id property (setuid) enabled If a user A executes setuid file owned by B, then the effective user ID of the process is B and not A System call setuid(uid) allows a process to change its effective user ID to uid Some programs that access system resources are owned by root and have the setuid bit set (setuid programs) e.g., passwd and su Writing secure setuid programs is tricky because vulnerabilities may be exploited by malicious user actions 20
Gone for Ten Seconds You leave your desk for 10 seconds without locking your machine The attacker sits at your desk and types: % cp /bin/sh /tmp % chmod 4777 /tmp/sh The first command makes a copy of shell sh The second command makes sh a setuid program What happens next? The attacker can run the copy of the shell with your privileges For example: Can read your files Can change your files 21
Historical setuid Unix Vulnerabilities: chsh Command chsh (change shell) asks the user to input the name of a shell program and updates the password file The password file consists of lines with the format username [salt] passwordhash shell [directory info] Early implementation did not check if input consisted of more than one line What can go wrong? User could create a new root account with a two-line input 22
Historical setuid Unix Vulnerabilities: lpr Command lpr running as root setuid copied file to print, or symbolic link to it, to spool file named with 3-digit random job number (e.g., print954.spool) in /tmp Did not check if file already existed Random sequence was predictable and repeated after 1,000 times How can we exploit this? Attack A dangerous combination: setuid, /tmp, symlinks, Create new password file newpasswd Print a very large file lpr s /etc/passwd Print a small file 999 times lpr newpasswd The password file is overwritten with newpasswd 23
RPCs Remote Procedure Call When would an RPC be useful? Say you want a spelling suggestion from Google Furthermore, assume Google has a server set up to process such requests An RPC could be used to allow a process on your computer to send a word to Google whose server returns a spelling suggestion 24
Services and RPCs A service is a process that performs common tasks on behalf of other processes A remote procedure call is a cross-process function call A protocol for translating a function call on one platform to a native function call on another platform This can be done over a network or locally RPCs allow processes to communicate Normally processes are completely separate and are not even aware of each other s existence RPC calls allow a process to request an action and, sometimes, a response from another process Alternative to setuid for communicating with privileged processes 25
ServiWin Source: http://windowsxp.mvps.org/images/serviwin.jpg 26
Race Condition 1. if (!access("/tmp/x", W_OK)) { /* the real user ID has access right */ 2. f = open("/tmp/x", O_WRITE); 3. write_to_file(f); } else { /* the real user ID does not have access right */ 4. fprintf(stderr, "Permission denied\n"); } Source: Kevin Du, Race Condition Vulnerability, Lecture Notes Fragment of setuid program that writes into file /tmp/x on behalf of a user who created it access verifies permission of real user ID Transparently follows symlinks open verifies permission of effective user ID Transparently follows symlinks What can go wrong? 27
TOCTOU 1. if (!access("/tmp/x", W_OK)) { /* the real user ID has access right */ 2. f = open("/tmp/x", O_WRITE); 3. write_to_file(f); } else { /* the real user ID does not have access right */ 4. fprintf(stderr, "Permission denied\n"); } Fragment of setuid program access verifies permission of real user ID open verifies permission of effective user ID What can go wrong? In between (1) and (2), user could replace /tmp/x with symlink to /etc/passwd Not easy to accomplish (timing) Example of time of check to time of use (TOCTOU) vulnerability 28
Attempt to Fix the Race Condition 1. lstat("/tmp/x", &statbefore); 2. if (!access("/tmp/x", O_RDWR)) { 3. int f = open("/tmp/x", O_RDWR); 4. fstat(f, &statafter); 5. if (statafter.st_ino == statbefore.st_ino) { /* the I-node is still the same */ 6. write_to_file(f); } 7. else perror("race Condition Attacks!"); } 8. else fprintf(stderr, "Permission denied\n"); } Source: Kevin Du, Race Condition Vulnerability, Lecture Notes lstat and fstat access file descriptor for a path, which includes unique file ID (st_ino) lstat does not traverse symlink fstat accesses descriptor of open file, after symlink traversed by open Step (5) compares IDs of file checked in (1) and file opened in (3) Check-use-check_again approach Defeats swapping in symlink between access and open Fails also if /tmp/x is a symlink when (2) is executed 29
Does the Fix Work? 1. lstat("/tmp/x", &statbefore); 2. if (!access("/tmp/x", O_RDWR)) { 3. int f = open("/tmp/x", O_RDWR); 4. fstat(f, &statafter); 5. if (statafter.st_ino == statbefore.st_ino) { /* the I-node is still the same */ 6. write_to_file(f); } 7. else perror("race Condition Attacks!"); } 8. else fprintf(stderr, "Permission denied\n"); } lstat and fstat access file descriptor for a path, which includes unique file ID (st_ino) lstat does not traverse symlinks in path fstat accesses descriptor of open file, after symlinks traversed by open New attack Before (1) /tmp/x is a hard link to /etc/passwd Between (1) and (2) swap in hard link to user-owned file Between (2) and (3) swap in again hard link to /etc/passwd 30
Negative Result Assumptions Setuid program Path-based permission check for real user ID via syscall access(path, permission) that returns 0 or -1 No atomic check-and-open-file syscall Theorem Program is vulnerable to TOCTOU race condition Proof Attacker can always swaps good file before access and bad file after access lstat/fstat do not help since they are path-based as well Reference Dean, Drew, Alan J. Hu: Fixing Races for Fun and Profit: How to Use access (2). USENIX Security Symposium, 2004. 31
Mitigating and Eliminating Race Conditions Hardness amplification Force the adversary to win a large number of races instead of just one or two in order to exploit the vulnerability Reduces the probability of success Complex to accomplish correctly Reference Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva: Portably Solving File TOCTTOU Races with Hardness Amplification. USENIX File and Storage Technologies, 2008 Temporary privilege downgrade Within same process Drop to real user ID privileges via setuid(real_userid) Open file Restore root privileges With child process Fork child process with real user ID privileges to open file Approach not portable across Unix variants 32
What We Have Learned What is an operating system Processes, users, files, permissions Setuid programs Dangers of symlinks, setuid, and shared directories Race conditions and time-of-check-to-time-of-use for access/open syscalls 33