Operating Systems Security

Similar documents
CIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017

Data Security and Privacy. Unix Discretionary Access Control

SysSec. Aurélien Francillon

Secure Architecture Principles

Portably Preventing File Race Attacks with User-Mode Path Resolution

Secure Software Programming and Vulnerability Analysis

Race Condition Vulnerability Lab

Exploiting Unix File-System Races via Algorithmic Complexity Attacks

Information Security CS 526

3/7/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Race Conditions. Concurrency

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

CIS 5373 Systems Security

OS Security III: Sandbox and SFI

CYSE 411/AIT681 Secure Software Engineering Topic #13. Secure Coding: Race Conditions

PROCESS CONTROL BLOCK TWO-STATE MODEL (CONT D)

CS 326: Operating Systems. Process Execution. Lecture 5

Announcements Processes: Part II. Operating Systems. Autumn CS4023

CS 380S. TOCTTOU Attacks. Don Porter. Some slides courtesy Vitaly Shmatikov and Emmett Witchel. slide 1

CSE 565 Computer Security Fall 2018

Operating Systems Linux 1-2 Measurements Background material

ADVANCED OPERATING SYSTEMS

Security Architecture

Inf2C - Computer Systems Lecture 16 Exceptions and Processor Management

CS370 Operating Systems

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Process Time. Steven M. Bellovin January 25,

Keys and Passwords. Steven M. Bellovin October 17,

(In columns, of course.)

Dynamic Detection and Prevention of Race Conditions in File Accesses

Mon Sep 17, 2007 Lecture 3: Process Management

System Programming. Introduction to Unix

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

CSC 405 Computer Security Linux Security

CS2506 Quick Revision

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

THE PROCESS ABSTRACTION. CS124 Operating Systems Winter , Lecture 7

ENGR 3950U / CSCI 3020U Midterm Exam SOLUTIONS, Fall 2012 SOLUTIONS

The Kernel Abstraction. Chapter 2 OSPP Part I

Unix Basics. UNIX Introduction. Lecture 14

Processes. Dr. Yingwu Zhu

Non-atomic check and use aka TOCTOU (Time of Check, Time of Use) or race conditions. Erik Poll Digital Security group Radboud University Nijmegen

Lecture 4: Process Management

Advanced Systems Security: Ordinary Operating Systems

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

OS security mechanisms:

The Kernel. wants to be your friend

Chapter 6. File Systems

Server. Client LSA. Winlogon LSA. Library SAM SAM. Local logon NTLM. NTLM/Kerberos. EIT060 - Computer Security 2

Operating System Architecture. CS3026 Operating Systems Lecture 03

Basic Linux Security. Roman Bohuk University of Virginia

Secure Architecture Principles

Secure Architecture Principles

Operating System Services

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

(MCQZ-CS604 Operating Systems)

Processes are subjects.

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

The Kernel Abstraction

CS5460: Operating Systems

Privilege Escalation

Midterm Exam CPS 210: Operating Systems Spring 2013

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

EECS 482 Introduction to Operating Systems

CPSC 341 OS & Networks. Processes. Dr. Yingwu Zhu

CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu

OS Security IV: Virtualization and Trusted Computing

CIS 5373 Systems Security

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Unix Processes. What is a Process?

Software Security and Exploitation

CS 200. User IDs, Passwords, Permissions & Groups. User IDs, Passwords, Permissions & Groups. CS 200 Spring 2017

Processes are subjects.

Advanced Systems Security: Confused Deputy

G54ADM Sample Exam Questions and Answers

Mid Term from Feb-2005 to Nov 2012 CS604- Operating System

CPSC 341 OS & Networks. Introduction. Dr. Yingwu Zhu

CPS221 Lecture: Operating System Protection

CS197U: A Hands on Introduction to Unix

Operating Systems. Lecture 05

CSCE Operating Systems Interrupts, Exceptions, and Signals. Qiang Zeng, Ph.D. Fall 2018

Capability and System Hardening

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

Introduction to Computer Security

Distributed Systems CSCI-B 534/ENGR E-510. Spring 2019 Instructor: Prateek Sharma

STING: Finding Name Resolution Vulnerabilities in Programs

Operating Systems Lab 1 (Users, Groups, and Security)

ELEC 377 Operating Systems. Week 1 Class 2

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Dirty COW Attack Lab

Command-line interpreters

PROCESS MANAGEMENT. Operating Systems 2015 Spring by Euiseong Seo

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Operating system hardening

Secure Architecture Principles

CS 290 Host-based Security and Malware. Christopher Kruegel

Announcement. Exercise #2 will be out today. Due date is next Monday

CS 5460/6460 Operating Systems

CSE 390a Lecture 2. Exploring Shell Commands, Streams, Redirection, and Processes

Advanced Systems Security: Ordinary Operating Systems

Transcription:

Operating Systems Security CS 166: Introduction to Computer Systems Security 1

Acknowledgements Materials from the CS167 lecture slides by Tom Doeppner included with permission Some slides 2016-2018 J. Liebow-Feeser, B. Palazzi, Z. Stoll, R. Tamassia, CC BY-SA 2.5 Examples of race conditions by Kevin Du 2

Source: XKCD 3

What is an Operating System? An operating system provides a useful way to interface with the hardware of the computer Hardware resources are accessed through abstractions provided by the OS CPU Memory Files / folders Windows Network Cursor Application Applications Operating System Hardware 4

Operating System Layers The operating system consists of several layers Hardware is at the bottom and applications are at the top The middle layers form the kernel Execution modes: user mode: access to resources mediated by the kernel kernel mode: full and direct access to resources The kernel supports efficient and secure sharing of resources among multiple applications and users Applications I/O Management Device Drivers Memory Management Process Management CPU Management Hardware 5

Processes The kernel views running programs as processes An application may consist of several processes A process may control other processes Operations start, suspend, resume, and terminate Processes run concurrently by timesharing execution on each CPU core Process identified by a number (process ID) and associated with a user Tree of processes Node: process Edge: connect a process (child) to the one that started it (parent) In Windows, applications stated by a user (e.g., Word) are typically children of the Windows Explorer process Child process inherits context from parent process 6

View Processes in Windows Task Manager Standard application List of running processes Basic information on each process Kill processes Process Explorer Add-on Detailed information on each process Color highlights Tree of processes Process Explorer 7

View Processes in Linux ps: displays snapshot of running processes ps -ef : show all processes ps -u <username>: show processes for a user top: updates list of running processes over time, sorted by CPU usage top u <username>: filter by username kill <pid>: terminates a process 8

The Windows Registry Database for global machine and user information The registry is a set of key-value pairs stored in folders (subkeys) Main folders are stored in hives Registry usually used for holding information such as configuration settings 9

Regedit Gives a view of the Windows registry The folders whose names begin with HKEY are hives They contain folders within them On the right, every folder lists its contents Source: http://hardware.ingame.de/gfx/reviews/registry/registry.jpg 10

Registry Hives HKEY_LOCAL_MACHINE\SAM: Security Accounts Manager HKEY_LOCAL_MACHINE\Security: more security HKEY_LOCAL_MACHINE\Software: installed software settings HKEY_LOCAL_MACHINE\System: boot information HKEY_USERS\.DEFAULT: new user default settings A separate hive for each user, called the user profile hive, it is usually found under HKEY_USERS HKEY_CURRENT_USER: links to the hive of current user HKEY_CURRENT_CONFIG: hardware profile, links to HKEY_LOCAL_MACHINE/System/CurrentControlSet/HardwareProfiles 11

Process Management Access control policies determine which resources can be accessed by each process and which other processes it can control Each process has a context, which includes the user, parent process, and address space (for storing data and instructions) The OS manages the mapping of the address space to physical memory locations 12

Forensics with Processes Analyzing running processes can reveal the presence of malware Process Explorer can be used a forensic tool in Windows First, look for processes with suspicious names Need to know names of safe processes Beware of small name differences Next, inspect processes with known names Username Network activity Image (executable file) Path (location on disk) Author (e.g., Adobe must be the author of Acrobat) Digital signature (not always present or verifiable for open source software) 13

System Calls A process communicates with the kernel to access resources and starting a new process Resources are requested from the kernel by making a system call A system call is executed in kernel mode An OS provides a preset library of system calls In addition to system calls, the kernel also handles Traps: typically caused by error conditions Process System calls OS Traps Interrupts: generated by external devices Malware may modify the library of system calls to change program behavior (e.g., log file activity) Interrupts 14

Users Each process is associated with a user Specific users can have more privileges than regular users Install or remove programs Change rights of other users Modify the configuration of the system Unix: The root is a super-user with no restrictions Windows Special users SYSTEM, LOCAL SERVICE, and NETWORK SERVICE associated with the operating system itself One or more administrators, with fewer privileges than SYSTEM Problems with being logged on as root/administrator Accidental file deletions can disable system Malware infections can modify system 15

Windows User Access Control Protected administrator accounts Have standard user rights in regular mode Can temporarily acquire administrator rights through elevation UAC elevation dialog boxes Triggered by programs that require administrative privileges (e.g., installers) Require explicit user approval Optionally ask for password Source of images: articles by Mark Russinovich in Microsoft TechNet magazine. 16

Unix File Types and Permissions d r w x r w x r w x file type user group other 17

The /tmp Directory In Unix systems, directory /tmp is Readable by any user Writable by any user Usually wiped on reboot Convenience Place for temporary files used by applicaitons Files in /tmp are not subject to the user s space quota What could go wrong? Sharing of resources may lead to vulnerabilities 18

Symbolic Link In Unix, a symbolic link (aka symlink) is a file that points to (stores the path of) another file A process accessing a symbolic link is transparently redirected to accessing the destination of the symbolic link Symbolic links can be chained, but not to form a cycle Windows shortcuts play a similar role but don t provide transparent access to the destination 19

Setuid Programs Unix processes have two user IDs: real user ID: user launching the process effective user ID: user whose privileges are granted to the process An executable file can have the setuser-id property (setuid) enabled If a user A executes setuid file owned by B, then the effective user ID of the process is B and not A System call setuid(uid) allows a process to change its effective user ID to uid Some programs that access system resources are owned by root and have the setuid bit set (setuid programs) e.g., passwd and su Writing secure setuid programs is tricky because vulnerabilities may be exploited by malicious user actions 20

Gone for Ten Seconds You leave your desk for 10 seconds without locking your machine The attacker sits at your desk and types: % cp /bin/sh /tmp % chmod 4777 /tmp/sh The first command makes a copy of shell sh The second command makes sh a setuid program What happens next? The attacker can run the copy of the shell with your privileges For example: Can read your files Can change your files 21

Historical setuid Unix Vulnerabilities: chsh Command chsh (change shell) asks the user to input the name of a shell program and updates the password file The password file consists of lines with the format username [salt] passwordhash shell [directory info] Early implementation did not check if input consisted of more than one line What can go wrong? User could create a new root account with a two-line input 22

Historical setuid Unix Vulnerabilities: lpr Command lpr running as root setuid copied file to print, or symbolic link to it, to spool file named with 3-digit random job number (e.g., print954.spool) in /tmp Did not check if file already existed Random sequence was predictable and repeated after 1,000 times How can we exploit this? Attack A dangerous combination: setuid, /tmp, symlinks, Create new password file newpasswd Print a very large file lpr s /etc/passwd Print a small file 999 times lpr newpasswd The password file is overwritten with newpasswd 23

RPCs Remote Procedure Call When would an RPC be useful? Say you want a spelling suggestion from Google Furthermore, assume Google has a server set up to process such requests An RPC could be used to allow a process on your computer to send a word to Google whose server returns a spelling suggestion 24

Services and RPCs A service is a process that performs common tasks on behalf of other processes A remote procedure call is a cross-process function call A protocol for translating a function call on one platform to a native function call on another platform This can be done over a network or locally RPCs allow processes to communicate Normally processes are completely separate and are not even aware of each other s existence RPC calls allow a process to request an action and, sometimes, a response from another process Alternative to setuid for communicating with privileged processes 25

ServiWin Source: http://windowsxp.mvps.org/images/serviwin.jpg 26

Race Condition 1. if (!access("/tmp/x", W_OK)) { /* the real user ID has access right */ 2. f = open("/tmp/x", O_WRITE); 3. write_to_file(f); } else { /* the real user ID does not have access right */ 4. fprintf(stderr, "Permission denied\n"); } Source: Kevin Du, Race Condition Vulnerability, Lecture Notes Fragment of setuid program that writes into file /tmp/x on behalf of a user who created it access verifies permission of real user ID Transparently follows symlinks open verifies permission of effective user ID Transparently follows symlinks What can go wrong? 27

TOCTOU 1. if (!access("/tmp/x", W_OK)) { /* the real user ID has access right */ 2. f = open("/tmp/x", O_WRITE); 3. write_to_file(f); } else { /* the real user ID does not have access right */ 4. fprintf(stderr, "Permission denied\n"); } Fragment of setuid program access verifies permission of real user ID open verifies permission of effective user ID What can go wrong? In between (1) and (2), user could replace /tmp/x with symlink to /etc/passwd Not easy to accomplish (timing) Example of time of check to time of use (TOCTOU) vulnerability 28

Attempt to Fix the Race Condition 1. lstat("/tmp/x", &statbefore); 2. if (!access("/tmp/x", O_RDWR)) { 3. int f = open("/tmp/x", O_RDWR); 4. fstat(f, &statafter); 5. if (statafter.st_ino == statbefore.st_ino) { /* the I-node is still the same */ 6. write_to_file(f); } 7. else perror("race Condition Attacks!"); } 8. else fprintf(stderr, "Permission denied\n"); } Source: Kevin Du, Race Condition Vulnerability, Lecture Notes lstat and fstat access file descriptor for a path, which includes unique file ID (st_ino) lstat does not traverse symlink fstat accesses descriptor of open file, after symlink traversed by open Step (5) compares IDs of file checked in (1) and file opened in (3) Check-use-check_again approach Defeats swapping in symlink between access and open Fails also if /tmp/x is a symlink when (2) is executed 29

Does the Fix Work? 1. lstat("/tmp/x", &statbefore); 2. if (!access("/tmp/x", O_RDWR)) { 3. int f = open("/tmp/x", O_RDWR); 4. fstat(f, &statafter); 5. if (statafter.st_ino == statbefore.st_ino) { /* the I-node is still the same */ 6. write_to_file(f); } 7. else perror("race Condition Attacks!"); } 8. else fprintf(stderr, "Permission denied\n"); } lstat and fstat access file descriptor for a path, which includes unique file ID (st_ino) lstat does not traverse symlinks in path fstat accesses descriptor of open file, after symlinks traversed by open New attack Before (1) /tmp/x is a hard link to /etc/passwd Between (1) and (2) swap in hard link to user-owned file Between (2) and (3) swap in again hard link to /etc/passwd 30

Negative Result Assumptions Setuid program Path-based permission check for real user ID via syscall access(path, permission) that returns 0 or -1 No atomic check-and-open-file syscall Theorem Program is vulnerable to TOCTOU race condition Proof Attacker can always swaps good file before access and bad file after access lstat/fstat do not help since they are path-based as well Reference Dean, Drew, Alan J. Hu: Fixing Races for Fun and Profit: How to Use access (2). USENIX Security Symposium, 2004. 31

Mitigating and Eliminating Race Conditions Hardness amplification Force the adversary to win a large number of races instead of just one or two in order to exploit the vulnerability Reduces the probability of success Complex to accomplish correctly Reference Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva: Portably Solving File TOCTTOU Races with Hardness Amplification. USENIX File and Storage Technologies, 2008 Temporary privilege downgrade Within same process Drop to real user ID privileges via setuid(real_userid) Open file Restore root privileges With child process Fork child process with real user ID privileges to open file Approach not portable across Unix variants 32

What We Have Learned What is an operating system Processes, users, files, permissions Setuid programs Dangers of symlinks, setuid, and shared directories Race conditions and time-of-check-to-time-of-use for access/open syscalls 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback