Least-Privilege Isolation: The OKWS Web Server

Similar documents
Confinement (Running Untrusted Programs)

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Introduction to Security and User Authentication

Confinement (Running Untrusted Programs)

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

[This link is no longer available because the program has changed.] II. Security Overview

Wedge: Splitting Applications into Reduced-Privilege Compartments

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

CS 356 Operating System Security. Fall 2013

Advanced Systems Security: Ordinary Operating Systems

I run a Linux server, so we re secure

OS Security III: Sandbox and SFI

Security Architecture

Privilege Separation

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Secure Architecture Principles

Secure Architecture Principles

Secure Architecture Principles

Data Security and Privacy. Unix Discretionary Access Control

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Secure Programming II. Steven M. Bellovin September 29,

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu

Software Security and Exploitation

CS 161 Computer Security. Design Patterns for Building Secure Systems

Secure Architecture Principles

6.858 Final Project Writeup

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Architecture. Steven M. Bellovin October 31,

CMPSC 497 Attack Surface

Secure Architecture Principles

Computer Security Spring 2010 Paxson/Wagner Notes 1/29. Patterns for Building Secure Software. 1 The Trusted Computing Base (TCB)

Secure Architecture Principles

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

Background: Operating Systems

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

EE 122: Network Security

Computer Security Course. Midterm Review

OS security mechanisms:

Building Fast and Secure Web Services with OKWS. Maxwell Krohn

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Building Secure High-Performance Web Services with OKWS

Fundamentals of Computer Security

Operating system security models

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Web Servers and Security

Program Structure. Steven M. Bellovin April 3,

Web Servers and Security

Architecture. Steven M. Bellovin October 27,

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Labels and Information Flow

Program Structure I. Steven M. Bellovin November 14,

Hackveda Training - Ethical Hacking, Networking & Security

Advanced Systems Security: Ordinary Operating Systems

Lecture 4: Threats CS /5/2018

Midterm Exam CPS 210: Operating Systems Spring 2013

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

Improving User Accounting and Isolation with Linux Kernel Features. Brian Bockelman Condor Week 2011

CIS 5373 Systems Security

Quiz 1: Next Wednesday Walker during regular class time

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Program Structure I. Steven M. Bellovin November 8,

CS399 New Beginnings. Jonathan Walpole

CS 155 Final Exam. CS 155: Spring 2011 June 3, 2011

Confinement. Steven M. Bellovin November 1,

Web Security. Outline

Securing ArcGIS Services

Background: I/O Concurrency

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

STING: Finding Name Resolution Vulnerabilities in Programs

CSE543 - Introduction to Computer and Network Security

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

CSE 565 Computer Security Fall 2018

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

System Structure. Steven M. Bellovin December 14,

Linux Capabilities & Set-UID Vulnerability

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions. 40 Grade distribution. Score (max is 84) Histogram of grade distribution

CS155: Computer Security Spring Project #1

CSE 380 Computer Operating Systems

Lecture 1: Buffer Overflows

RESOURCE MANAGEMENT MICHAEL ROITZSCH

(In columns, of course.)

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

PROCESS VIRTUAL MEMORY PART 2. CS124 Operating Systems Winter , Lecture 19

Information Flow Control For Standard OS Abstractions

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Privilege Escalation

Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example)

20: Exploits and Containment

5/8/2012. Encryption-based Protection. Protection based on Access Permission (Contd) File Security, Setting and Using Permissions Chapter 9

Lecture 3: O/S Organization. plan: O/S organization processes isolation

Network File System (NFS)

Network File System (NFS)

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

Transcription:

Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M030 14 th December 2015

Can We Prevent All Exploits? Many varieties of exploits Stack smashing, format strings, heap smashing, return-to-libc As many proposed defenses W X, ASLR, TaintCheck, StackGuard, Exploit-specific defenses help, but ever-more vulnerabilities, and adversaries creative Not just a problem with C; consider SQL injection in a Python script: q = SELECT orders FROM accounts WHERE name = + name db.execute(q) Programmers make errors 2

Can We Prevent All Exploits? Many varieties of exploits Stack smashing, format strings, heap smashing, return-to-libc If vulnerabilities and errors are here to stay, how As can many we proposed limit the defenses harm attackers can do W X, ASLR, TaintCheck, StackGuard, when they exploit a server? Exploit-specific defenses help, but ever-more vulnerabilities, and adversaries creative Not just a problem with C; consider SQL injection in a Python script: q = SELECT orders FROM accounts WHERE name = + name db.execute(q) Programmers make errors 3

Problem: Sharing Services, But Isolating Data Servers often hold sensitive data e.g., amazon.com user s credit card number Single server shared by distinct users, who often shouldn t see one another s data e.g., different amazon.com shoppers Subsystems on single server must cooperate e.g., amazon.com web interface and back-end order database Goal: prevent users from obtaining/modifying data other than their own I shouldn t be able to retrieve your order (and credit card number), even if I exploit amazon s web server 4

Approach: Compartmentalization Give each subsystem minimal access to system data and resources to do its job If subsystem exploited, at least minimize data it can read or modify Define narrow interfaces between subsystems, that allow only exact operations required for application Design assuming exploit may occur, especially in subsystems closest to users 5

Idea: Principle of Least Privilege (PoLP) Each subsystem should only have access to read/modify data needed for its job Cannot be enforced within subsystem must be enforced externally (i.e., by OS) Must decompose system into subsystems Must reason carefully about truly minimal set of privileges needed by each subsystem Must be able to grant privileges in finegrained manner Else privileges granted to subsystem may be too generous 6

Idea: Privilege Separation Determine which subsystems most exposed to attack Reduce privileges of most exposed subsystems e.g., amazon payment page can only insert into order database, and order database doesn t have integrated web interface with direct access to data e.g., ssh login daemon code that processes network input shouldn t run as root 7

OKWS: A PoLP Web Server on UNIX Before OKWS: Apache web server process monolithic; all code runs as same user Exploit Apache, and all data associated with web service becomes accessible How might we separate a web server into subsystems, to apply PoLP? Split into multiple processes, each with different, minimal privileges, running as different user IDs Use UNIX isolation mechanisms to prevent subsystems from reading/modifying each other s data 8

UNIX Tools for PoLP: chroot() chroot() system call: set process s notion of file system root; thereafter, can t change directories above that point So can do: chdir( /usr/local/alone ); chroot( /usr/local/alone ); setuid(61100); (unprivileged user ID) Now process has no access to any of filesystem but what s in tree rooted at /usr/local/alone No access to the many UNIX setuid-root programs, or to sensitive data elsewhere on disk But must a priori set up all system files needed by process in directory, e.g., shared libraries, &c. 9

UNIX Tools for PoLP: File Descriptor Passing Initially, parent server process privileged Want to run subsystem in child process, but with minimal privileges (e.g., child chroot()ed) Idea: privileged parent opens files needed by unprivileged child, passes child open file descriptors to these files when it fork()s child Child can read these files, even if it can t open them (i.e., because of chroot()) Can also pass file descriptors dynamically (after fork()) with sendmsg() Process that faces network can accept connection, pass socket for that connection to another process 10

UNIX Tools for PoLP: File Descriptor Passing Initially, parent server process privileged Want to run subsystem in child process, but with Powerful minimal primitive: privileges (e.g., means child can chroot()ed) run subsystem with Idea: minimal privileged privilege parent (e.g., opens can t files bind needed to privileged by port unprivileged 80), but grant child, it specific passes child network open file connections descriptors to or these specific files files when it fork()s child Child can read these files, even if it can t open them (i.e., because of chroot()) Can also pass file descriptors dynamically (after fork()) with sendmsg() Process that faces network can accept connection, pass socket for that connection to another process 11

OKWS System Design okd process parses user input, holds no sensitive data svc i process parses user input for one service; runs in chroot()ed jail database proxy process only accepts authenticated requests for subset of narrow RPC interface; can read sensitive data 12

Analyzing Privilege-Separated Designs What data does subsystem have access to, with what permissions? How complex is the code in a subsystem (e.g., parsing notoriously hard to get right)? What input does a subsystem receive? Less structured à more worrying e.g., okld runs as root; should we worry about exploits of it? 13

Strength of Isolation vs. Performance s i : services u j : users p k : processes t i,j : state for user j in service i Strict Model OKWS Model One process per user gives strictest isolation, but means many, many processes à low performance OKWS uses one process per service for performance reasons; so compromised service may reveal one user s data to another 14

OKWS Summary Shows that PoLP and privilege separation hold real promise for limiting harm exploits can do Programming model for services requires new style of programming Can t use the file system; services chroot()ed Must define narrow, per-service interfaces to database Must communicate explicitly using RPC between service and database 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback