Operating system security models


Operating system security models
- Unix security model
- Windows security model
MEELIS ROOS 1

General Unix model
- Everything is a file under a virtual root directory: files, directories, sockets, devices, ...
- Objects are identified by name
- Several concurrent names are possible for any object (because of links)
- Discretionary access control (DAC): each object has an owner who decides the access rights for the object

Unix security model
- Access control subjects are users
- Objects belong to users
- Users delegate access to their objects to other subjects
- Users run processes to do things; processes belong to users
- Processes run by a user have the same privileges as the user does
- Internally, users are identified by a numeric user ID (UID)
- There are no other ways of accessing objects
- Hardware protection: a protected operating system with a well-defined interface to user programs

Root user
- Has UID 0
- Can bypass access controls
- Has other rights in the system (capabilities): can configure devices and the network stack, mount filesystems etc.
- Can change the ownership of the current process (login!)
- Can change file ownership
- Can arbitrarily change file groups
- Can create and remove users and groups
- Can install and modify any software
- Target for attackers: gain root privileges from a normal user account through some security vulnerability

Setuid and setgid programs
- Normal users need a gateway to privileged operations (e.g. changing your password in the system password database)
- Normally processes run with the rights of the executing user, independent of whoever owns the file
- Setuid programs run with the effective UID of the owner of the file (often root)
- Setgid programs run with the effective GID set to the program file's group (whether or not the user belongs to that group)
- "Gateways to other user accounts": security-critical components
- Minimize the number of setuid programs; we still need some of them

Permissions
- Fixed-structure ACL: there are always entries for the owner, one group of users and the rest of the users
- For each subject in the ACL, 3 permission bits are present:
    r  read     4
    w  write    2
    x  execute  1
- Example: rwx r-x --- = 0750 (octal representation!!!)
- An ACL only protects one object: it has no influence on objects in subdirectories, each of which has its own permission bits

More permission bits (octal; read = 4, write = 2, execute = 1 within each class, as on the previous slide)
    00001  world execute
    00002  world write
    00004  world read
    00010  group execute
    00020  group write
    00040  group read
    00100  owner execute
    00200  owner write
    00400  owner read
    01000  "sticky" bit
    02000  setgid
    04000  setuid

Meaning of permission bits
- File read, write
- File execute: distinguishes runnable files from data files
- Executable file sticky bit: used to mean "no swapping", now unused
- Executable file setuid and setgid: change the owner of the process for the duration of the run
- Directory execute: access a file or directory by name
- Directory read: list entries (not needed for lookup by name)
- Directory write: any namespace operation (create, rename, remove!!)
- Directory sticky: restricts object removal to the object's owner
- Directory setgid: determines the group of newly created objects
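The three slides above describe the 12 mode bits and which permission class the kernel consults. The following is an added example (not part of Meelis Roos's slides): it renders a mode the way ls -l does, including the s/S and t/T forms of the special bits, and models the DAC decision, in particular the "first matching class only" rule and the sticky-directory rule for removing entries. It uses only the standard stat constants; the uids and gids are constructed sample values.

```python
import stat

# Added example (not from the slides): the 12 permission bits as a renderer and
# a model of the Unix DAC decision.  Uses only the standard stat constants
# (S_ISUID = 0o4000, S_ISGID = 0o2000, S_ISVTX = 0o1000); every uid/gid below
# is a constructed sample value.

_BITS = {"r": 4, "w": 2, "x": 1}


def mode_to_symbolic(mode: int) -> str:
    """Render the low 12 mode bits the way `ls -l` does (without the type char).

    setuid, setgid and sticky take over the execute column of their class:
    lowercase s/t when the execute bit is also set, uppercase S/T when not.
    """
    out = []
    for shift, special, ch in ((6, stat.S_ISUID, "s"),
                               (3, stat.S_ISGID, "s"),
                               (0, stat.S_ISVTX, "t")):
        out.append("r" if mode & (4 << shift) else "-")
        out.append("w" if mode & (2 << shift) else "-")
        has_x = bool(mode & (1 << shift))
        if mode & special:
            out.append(ch if has_x else ch.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def symbolic_to_mode(sym: str) -> int:
    """Inverse of mode_to_symbolic for a 9-character rwx string (no special bits)."""
    mode = 0
    for i, ch in enumerate(sym):
        if ch != "-":
            mode |= _BITS[ch] << (6 - 3 * (i // 3))
    return mode


def unix_access(mode: int, file_uid: int, file_gid: int,
                uid: int, gids: set, want: str) -> bool:
    """Classic Unix DAC check: every letter in `want` ("r", "w", "x") must be set.

    Exactly one permission class is consulted: owner if the uid matches, else
    group if any of the process's groups matches the file's group, else other.
    The remaining classes are never looked at, so the owner of a 0o007 file is
    refused even though everybody else may read it.  root (uid 0) bypasses the
    bits here; the one real-world exception (executing a regular file still
    needs at least one x bit) is not modelled.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    needed = 0
    for ch in want:
        needed |= _BITS[ch] << shift
    return mode & needed == needed


def can_unlink(dir_mode: int, dir_uid: int, dir_gid: int, entry_uid: int,
               uid: int, gids: set) -> bool:
    """Removing a directory entry is a namespace operation on the *directory*:
    it needs write and search (x) permission on the directory, not on the
    entry itself.  With the sticky bit set (as on /tmp, mode 01777) the caller
    must additionally own the entry or the directory.
    """
    if not unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "wx"):
        return False
    if dir_mode & stat.S_ISVTX and uid not in (0, entry_uid, dir_uid):
        return False
    return True


if __name__ == "__main__":
    print(oct(0o750), mode_to_symbolic(0o750))      # rwxr-x---
    print(oct(0o4755), mode_to_symbolic(0o4755))    # rwsr-xr-x
    # owner uid 1000 cannot read a 0o007 file, although any other user can
    print(unix_access(0o007, 1000, 1000, 1000, {1000}, "r"))   # False
    print(unix_access(0o007, 1000, 1000, 2000, {3000}, "r"))   # True
    # sticky /tmp-style directory: uid 2000 cannot remove uid 1000's entry
    print(can_unlink(0o1777, 0, 0, 1000, 2000, {2000}))        # False
```

The 0o007 case is the one worth remembering when reviewing permission setups: tightening the owner's bits never "falls through" to the group or other bits, and a file that is readable by the world can still be unreadable to its owner.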

umask
- umask: bitmap of permissions that newly created files must not have
- Example: the process does open("file.txt", O_RDWR | O_CREAT, 0666)
    If umask=000, the file would have permissions rw-rw-rw-
    If umask=027, the file would have permissions rw-r-----
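To see the umask rule on a real filesystem rather than on paper, here is an added example (not part of the slides). It assumes a POSIX system, creates a file and a directory under a fresh temporary directory with a given umask, and also shows that the mode argument of open() is only a request for a new inode: re-opening the existing file with O_CREAT and mode 0 leaves its permissions untouched.

```python
import os
import stat
import tempfile

# Added example (not from the slides): observe the umask on a real filesystem.
# Assumes a POSIX system; everything is created under a temporary directory.


def expected_mode(requested: int, umask: int) -> int:
    """The kernel's rule for a newly created object: requested & ~umask."""
    return requested & ~umask & 0o7777


def create_with_umask(umask: int, file_mode: int = 0o666, dir_mode: int = 0o777) -> dict:
    """Create a file and a directory under the given umask and report the
    permission bits the kernel actually stored.

    The file is then re-opened with O_CREAT and mode 0: the mode argument of
    open(2) only applies when a *new* file is created, so the existing file
    keeps its permissions (O_CREAT without O_EXCL silently opens what exists).
    """
    old_umask = os.umask(umask)           # os.umask returns the previous mask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "file.txt")
            fd = os.open(fpath, os.O_RDWR | os.O_CREAT, file_mode)
            os.close(fd)
            dpath = os.path.join(tmp, "subdir")
            os.mkdir(dpath, dir_mode)
            file_bits = stat.S_IMODE(os.stat(fpath).st_mode)
            dir_bits = stat.S_IMODE(os.stat(dpath).st_mode)
            fd = os.open(fpath, os.O_RDWR | os.O_CREAT, 0)
            os.close(fd)
            after_reopen = stat.S_IMODE(os.stat(fpath).st_mode)
    finally:
        os.umask(old_umask)               # umask is per-process state: restore it
    return {"file": file_bits, "dir": dir_bits, "file_after_reopen": after_reopen}


if __name__ == "__main__":
    for mask in (0o000, 0o027, 0o077):
        got = create_with_umask(mask)
        print(f"umask {mask:03o}: file {got['file']:03o} "
              f"({stat.filemode(got['file'])[1:]}), dir {got['dir']:03o}")
```

Because the umask is inherited by subprocesses (next slide), a permissive umask in a login script or a service manager silently widens the permissions of every file those processes create; checking the effective umask of daemons is a routine hardening step.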

Process credentials
- Each process has a UID and a GID ("real UID, real GID")
- EUID, EGID: effective UID and GID, usually the same as the UID and GID; setuid/setgid programs affect these IDs
- Saved UID, saved GID: for switching between the 2 IDs ("drop and regain root privileges in a setuid root program")
- At user logon, a root-owned process sets the group list and all the UID and GID info for the process (changing the EUID last)
- All threads of the process share the same ownership info
- Credentials are inherited by subprocesses
- Other resources are also inherited by subprocesses (file descriptors, environment variables, umask, rlimits, priority etc.)
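The "drop and regain root privileges" mechanism relies on the rules for changing the three UIDs, which are easy to get wrong. The following is an added example (not part of the slides) that models the Linux real/effective/saved UID rules for seteuid(), setresuid() and setuid(), and uses the model to contrast a correct permanent privilege drop with the common mistake of calling setuid() after a temporary drop. Only UIDs are modelled; uid 1000 and file owner 0 are constructed sample values.

```python
# Added example (not from the slides): a model of the Linux real/effective/
# saved user-ID rules, enough to show how a setuid-root program drops and
# regains privilege, and the pitfall of calling setuid() after a temporary
# drop.  Only uids are modelled; uid 1000 and owner 0 are sample values.


class ProcessCreds:
    """Real, effective and saved UID of one process (Linux semantics)."""

    def __init__(self, ruid: int, euid: int, suid: int):
        self.ruid, self.euid, self.suid = ruid, euid, suid

    @classmethod
    def exec_setuid_program(cls, ruid: int, file_owner: int) -> "ProcessCreds":
        """exec of a setuid binary: euid and saved uid become the file owner."""
        return cls(ruid, file_owner, file_owner)

    def ids(self):
        return (self.ruid, self.euid, self.suid)

    def _privileged(self) -> bool:
        return self.euid == 0             # root (CAP_SETUID) may set anything

    def _allowed(self, new: int) -> bool:
        return self._privileged() or new in self.ids()

    def seteuid(self, new: int) -> None:
        """Change only the effective uid.  An unprivileged process may pick any
        of its current real/effective/saved uids, so the saved uid keeps the
        way back to root open."""
        if not self._allowed(new):
            raise PermissionError(f"seteuid({new}) from {self.ids()}")
        self.euid = new

    def setresuid(self, ruid: int, euid: int, suid: int) -> None:
        """Set all three at once; -1 leaves a value unchanged."""
        wanted = [cur if new == -1 else new
                  for cur, new in zip(self.ids(), (ruid, euid, suid))]
        if not all(self._allowed(v) for v in wanted):
            raise PermissionError(f"setresuid{tuple(wanted)} from {self.ids()}")
        self.ruid, self.euid, self.suid = wanted

    def setuid(self, new: int) -> None:
        """POSIX setuid(): a privileged caller changes all three ids; an
        unprivileged caller changes only the effective uid (the trap below)."""
        if self._privileged():
            self.ruid = self.euid = self.suid = new
        elif new in (self.ruid, self.suid):
            self.euid = new
        else:
            raise PermissionError(f"setuid({new}) from {self.ids()}")


def can_regain_root(creds: ProcessCreds) -> bool:
    """True if the process could still obtain euid 0 via seteuid(0)."""
    return creds._allowed(0)


def drop_correctly(ruid: int = 1000) -> ProcessCreds:
    """Permanent drop in a setuid-root program: one setresuid() issued while
    still privileged clears the saved uid, so there is no way back."""
    p = ProcessCreds.exec_setuid_program(ruid, 0)
    p.seteuid(ruid)           # temporary drop for some unprivileged work
    p.seteuid(0)              # ... and regain, allowed because suid is 0
    p.setresuid(ruid, ruid, ruid)
    return p


def drop_wrongly(ruid: int = 1000) -> ProcessCreds:
    """The pitfall: setuid() called after the temporary drop runs unprivileged,
    so it touches only euid and the saved uid stays 0."""
    p = ProcessCreds.exec_setuid_program(ruid, 0)
    p.seteuid(ruid)
    p.setuid(ruid)            # looks like a permanent drop, but is not
    return p


if __name__ == "__main__":
    c, w = drop_correctly(), drop_wrongly()
    print(c.ids(), can_regain_root(c))    # (1000, 1000, 1000) False
    print(w.ids(), can_regain_root(w))    # (1000, 1000, 0) True
```

When auditing a setuid program, the thing to check is therefore the saved UID after the "permanent" drop: a setresuid(uid, uid, uid) (or setuid() while still at EUID 0) leaves all three equal, whereas a setuid() issued after a seteuid() drop does not.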

Unix and ACLs
- Try to express the following with Unix permission bits:
    Owner has rw
    Group A also has rw
    Group B has r
    Others have no permissions
- Or, a more common example: users' public_html directories
    Owner has rwx
    Web server user has --x
    No other users or groups have any permissions
- So we need more flexible ACLs (Access Control Lists)

POSIX ACLs
- Halfway-standardized ACL model for Unix systems (POSIX dropped the standard)
- Mostly compatible between Unixes (setfacl, getfacl)
- Example: setfacl -m user:mroos:rw-,mask:rw- file.txt
- ACL mask: applies to all ACL entries
- Default ACLs for directories (copied into the ACLs of newly created objects)
- Only positive permissions, no denying ACL entries
- The NFS version 4 network file system makes use of Windows-compatible ACLs with negative ACL entries too, and this is also used in some file systems
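The two cases on the "Unix and ACLs" slide and the mask on this slide can both be checked with the POSIX ACL access algorithm, as documented in acl(5). The following is an added example (not part of the slides): a parser for the setfacl/getfacl text form (short and long tags, including the slide's user:mroos:rw-,mask:rw-) and the access check, run over constructed ACLs for the public_html and group-A/group-B cases. The user and group names (bob, www-data, groupa, groupb, mroos) are constructed sample values.

```python
# Added example (not from the slides): the POSIX ACL access-check algorithm
# of acl(5), including the mask, over ACLs written in setfacl/getfacl text
# form.  Names such as "bob", "www-data", "groupa" are constructed samples.

_TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
         "m": "mask", "mask": "mask", "o": "other", "other": "other"}


def parse_acl(text: str) -> dict:
    """Parse "u::rwx,u:www-data:--x,g::---,m::--x,o::---" into
    {(tag, qualifier): set_of_perms}.  Qualifier None is the owner / owning
    group / mask / other entry; two-field forms such as "mask:rw-" are accepted."""
    acl = {}
    for entry in text.split(","):
        parts = entry.strip().split(":")
        if len(parts) == 2:               # e.g. m:rw- or mask:rw-
            parts.insert(1, "")
        tag, qualifier, perms = parts
        acl[(_TAGS[tag], qualifier or None)] = set(perms) - {"-"}
    return acl


def acl_check(acl: dict, file_owner: str, file_group: str,
              user: str, groups: set, want: str) -> bool:
    """acl(5) algorithm.  Named users, the owning group and named groups are
    first intersected with the mask (if present).  Evaluation stops at the
    first class matching the subject, except that among several matching
    group entries any one that grants the request is enough."""
    need = set(want)
    mask = acl.get(("mask", None))

    def effective(perms):
        return perms if mask is None else perms & mask

    if user == file_owner:
        return need <= acl.get(("user", None), set())
    if ("user", user) in acl:
        return need <= effective(acl[("user", user)])
    matched = False
    for (tag, qualifier), perms in acl.items():
        if tag != "group":
            continue
        if (qualifier is None and file_group in groups) or qualifier in groups:
            matched = True
            if need <= effective(perms):
                return True
    if matched:
        return False                      # some group entry applied, none granted
    return need <= acl.get(("other", None), set())


# Constructed ACLs for the two cases on the "Unix and ACLs" slide.
PUBLIC_HTML = parse_acl("u::rwx,u:www-data:--x,g::---,m::--x,o::---")   # owner bob
SHARED_FILE = parse_acl("u::rw-,g::rw-,g:groupb:r--,m::rw-,o::---")     # owning group groupa

if __name__ == "__main__":
    print(acl_check(PUBLIC_HTML, "bob", "bob", "www-data", {"www-data"}, "x"))  # True
    print(acl_check(PUBLIC_HTML, "bob", "bob", "www-data", {"www-data"}, "r"))  # False
    print(acl_check(SHARED_FILE, "alice", "groupa", "dave", {"groupb"}, "r"))   # True
    print(acl_check(SHARED_FILE, "alice", "groupa", "dave", {"groupb"}, "w"))   # False
    # the mask caps named users: with mask r-- the rw- entry for mroos yields r--
    capped = parse_acl("u::rw-,u:mroos:rw-,g::r--,m::r--,o::---")
    print(acl_check(capped, "root", "root", "mroos", {"mroos"}, "w"))           # False
```

The mask is what makes getfacl output worth reading carefully: a chmod that removes group write on a file with an extended ACL lowers the mask, and every named-user and named-group entry is silently capped by it, which getfacl reports as "#effective:" on the affected lines.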

Windows security model
- Subjects (users, groups, computers) are identified by an SID (Security ID), e.g. S-1-5-21-2025429065-492874223-1748137768-500
- SAM (Security Account Manager) keeps the database of users and performs authentication
- On login, the user's SID and the SIDs of all his groups are added to his process
- The process security token contains the user and group SIDs, the SID of the logon session, and the list of system-wide privileges granted to the user
- These security tokens are inherited by subprocesses
- Threads can have a different security token (to impersonate remote users for some local services)
- System privileges

Windows objects
- Each named object and some unnamed objects have a security descriptor: owner, group, ACLs
- Lots of different object types, including:
    Files, directories
    Processes, threads
    Windows
    Login sessions
    Named pipes, semaphores, other IPC
    Registry keys

Windows ACLs
- Two types of ACLs: for containers and for objects
- Objects in containers inherit their ACL from the container
- The ACL is set by the user and delegates access
- The System ACL is set by the system administrator and regulates auditing
- A missing ACL means full access
- A present but empty ACL means no access
- ACLs can have negative entries ("no access")
- Inheritance flags: "no ACL here, look at the parent"
- Directory bypass is possible

Windows Vista and newer: integrity levels
- First steps in MAC (Mandatory Access Control): additional restrictions on top of the standard discretionary ACL
- Processes have a trustworthiness level, objects have an integrity level
- Objects: files, registry keys, windows (for sending window messages for interaction)
- Can isolate different processes of the same user from one another: Internet Explorer protected mode
- Stored in the system ACL
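The Windows rules on the last two slides (ordered entries with deny ACEs, NULL versus empty ACL, inheritance from the container, and the integrity check layered on top) differ from the Unix model in ways that are easiest to see in a small executable model. The following is an added example, not part of the slides and not Windows code: it walks a DACL the way the Windows access check does, applies the default no-write-up integrity policy first, and copies inheritable entries into a child object. The simplified access-mask bits and the account SIDs for alice and bob are constructed placeholders; S-1-1-0 (Everyone), S-1-5-32-545 (Users) and the integrity levels 0x1000/0x2000/0x3000 are the real well-known values.

```python
# Added example (not from the slides, not Windows code): a model of the Windows
# DACL walk plus the Vista+ mandatory integrity check.  The access-mask bits
# and the alice/bob SIDs are constructed placeholders; S-1-1-0 (Everyone),
# S-1-5-32-545 (Users) and the integrity RIDs are real well-known values.
from dataclasses import dataclass
from typing import Optional

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4                # simplified access mask
LOW, MEDIUM, HIGH = 0x1000, 0x2000, 0x3000          # mandatory integrity levels

EVERYONE = "S-1-1-0"
USERS = "S-1-5-32-545"
ALICE = "S-1-5-21-<domain>-1001"                    # placeholder account SIDs
BOB = "S-1-5-21-<domain>-1002"


@dataclass
class Ace:
    kind: str               # "allow" or "deny"
    sid: str
    mask: int
    inherit: bool = False   # container entry that child objects copy


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list]    # None = NULL DACL (full access), [] = no access
    integrity: int = MEDIUM  # mandatory label, kept in the system ACL


@dataclass
class Token:
    user: str
    groups: set
    integrity: int = MEDIUM

    def sids(self) -> set:
        return {self.user} | self.groups


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    # 1. Mandatory integrity policy (no-write-up): a lower-integrity process
    #    may not modify a higher-integrity object, whatever the DACL says.
    if desired & WRITE and token.integrity < sd.integrity:
        return False
    # 2. A NULL DACL grants everything; an empty list falls through to deny.
    if sd.dacl is None:
        return True
    # 3. Walk the ACEs in order, keeping the bits not yet granted.
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:       # a still-needed bit is refused
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def is_canonical(dacl) -> bool:
    """Windows tools keep deny ACEs ahead of allow ACEs; in a hand-built DACL
    with an allow first, a later deny for the same bits is never reached."""
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def inherit(container: SecurityDescriptor, owner: str) -> SecurityDescriptor:
    """A new object in a container receives copies of the inheritable ACEs."""
    dacl = None if container.dacl is None else [
        Ace(a.kind, a.sid, a.mask) for a in container.dacl if a.inherit]
    return SecurityDescriptor(owner, dacl, container.integrity)


# Constructed sample: a folder alice shares read-only with Users, except bob.
FOLDER = SecurityDescriptor(ALICE, [
    Ace("deny", BOB, READ | WRITE | EXECUTE, inherit=True),
    Ace("allow", ALICE, READ | WRITE | EXECUTE, inherit=True),
    Ace("allow", USERS, READ | EXECUTE, inherit=True),
])

if __name__ == "__main__":
    bob = Token(BOB, {USERS, EVERYONE})
    low_alice = Token(ALICE, {USERS, EVERYONE}, integrity=LOW)   # e.g. protected mode
    print(access_check(FOLDER, bob, READ))          # False: deny ACE comes first
    print(access_check(FOLDER, low_alice, READ))    # True
    print(access_check(FOLDER, low_alice, WRITE))   # False: no write up
```

Two of the slide's points show up directly in the model: the deny entry only works because it precedes the allow entries (compare is_canonical), and the integrity check is evaluated before the DACL, which is exactly how a low-integrity browser process is kept from writing the user's own files even though the DACL would allow it.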

Group Policy
- 4 levels: local, site, domain, organizational unit
- NOT enforced by the OS kernel
- Voluntarily used by some applications for further restrictions