
Post on 14-Dec-2015


ITEC 245. Material mainly derived from Pfleeger; Daswani or Stallings. Slides by Prem Uppuluri based on material from various sources.

Application Security corresponds with Chapter 3: program security; Chapter 4: OS security and Chapter 5, with additional notes from various sources.

Throughout these ages
our operating systems
infested by bugs
The ignorant world
turns to Windows for safety
Safety from themselves
It is now the time
for the world to realize
that we all feel pain

By DilDog
Ninja Strike Force (Cult of the Dead Cow)
Sensei of the Undocumented Opcode.

From the slides of Vitaly Shmatikov – Univ of Texas


So far

• We looked at:
  – Various vulnerabilities
  – Fundamentals of Cryptography
    • Encryption/decryption
    • Secure hash functions.

• Next: Software application security (roughly corresponds to chapter 3 – though I have added additional notes from sources other than the textbook)


Applications

• Food for thought:
  – If a computer does not run any software, then it cannot be attacked.
• Hence, “host-based attacks” are all due to software applications.
  – Host-based is different from network-based attacks.
  – Host-based attacks focus on the information stored on a “host” computer, while network-based attacks focus on information in transit across networks.
• Application security involves studying “host-based” security.


What does application security entail?

• There are several software applications varying in complexity:
  – E.g., simple editors, web servers, database management systems, operating systems.
• While they have some common vulnerabilities, each of them has unique/specific security vulnerabilities.
• Difficult/impossible(?) to study the security of every type of software application.
• Hence, in this part of the course we will limit our study to:
  – Secure design principles that apply to any software application.
  – Application of secure design principles to operating systems (Windows and Linux) and database management systems (Oracle).
  – Examples of secure programming principles for programming in Java.


Secure Design principles

• Design principles are different from implementation principles. Design deals with what facilities, etc., you will offer.

• What principles do you think you will follow when designing a software application?


Secure Design principles (2)

• Originally formulated in 1975 by Jerome Saltzer and Michael Schroeder.

• Other principles were added later.

• Complete list from website maintained by the Department of Homeland Security:

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html


List of principles of software security.

• Least Privilege
• Economy of Mechanism
• Complete Mediation
• Separation of Privilege
• Least Common Mechanism
• Securing the weakest link
• Defense in depth
• Failing Securely
• Reluctance to trust
• Never assuming that your secrets are safe
• Promoting Privacy
• Psychological acceptability

• One more principle from the original authors: Open design.


Principles of software security (2)

• Least Privilege
  • Give the least privilege for the least time needed to get the job done.
  • The time factor is important.
  • When implementing code or any system, use features that will limit time.
  • E.g., if someone logs in as an administrator and the account is idle, log the person out!

• Economy of Mechanism
  • Based on the mantra “KISS”: Keep it simple, stupid!
  • How does it translate to implementation/design of secure code?
    – Reuse components of any code (make code modular).
    – Do not re-implement security algorithms (e.g., DES cryptography); use standard APIs.
    – Create a choke point when developing code. Choke points are interfaces through which all the code must pass.
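The “least privilege for the least time” idea, with the idle-administrator example above, as an added illustration written for these notes (not code from the slides or the textbook). The privilege names, the 300-second idle limit and the timestamps are constructed for the example: a grant carries only the bits the task asked for, and elevated bits lapse once the grant has been idle too long, so an abandoned admin session cannot be used later.

```c
#include <stdio.h>
#include <stdbool.h>
#include <time.h>

/* Privileges a caller may hold, as a bitmask (hypothetical names). */
enum { PRIV_READ = 1, PRIV_WRITE = 2, PRIV_ADMIN = 4 };

/* Constructed idle limit: elevated bits lapse after this many seconds
 * without activity. */
#define IDLE_LIMIT 300

struct grant {
    unsigned privs;      /* bits currently held                    */
    time_t   last_used;  /* last time the grant was exercised      */
};

/* Issue a grant limited to what the task declared it needs: no more bits
 * than requested, and a starting timestamp for the idle clock. */
struct grant grant_issue(unsigned needed, time_t now) {
    struct grant g = { needed, now };
    return g;
}

/* Time factor: once the grant has been idle longer than IDLE_LIMIT, every
 * bit except plain read is dropped (the "log the idle admin out" rule).
 * Returns the bits that remain. */
unsigned grant_expire_idle(struct grant *g, time_t now) {
    if (now - g->last_used > IDLE_LIMIT)
        g->privs &= PRIV_READ;
    return g->privs;
}

/* Exercise a privilege. Expiry is applied before the check, so an idle
 * admin grant is already reduced by the time it is consulted; a successful
 * use refreshes the idle clock. */
bool grant_use(struct grant *g, unsigned priv, time_t now) {
    grant_expire_idle(g, now);
    if ((g->privs & priv) != priv)
        return false;
    g->last_used = now;
    return true;
}

int main(void) {
    time_t t0 = 1000;                               /* constructed epoch */
    struct grant g = grant_issue(PRIV_READ | PRIV_ADMIN, t0);
    printf("admin at t+10:  %d\n", grant_use(&g, PRIV_ADMIN, t0 + 10));   /* 1 */
    printf("admin at t+200: %d\n", grant_use(&g, PRIV_ADMIN, t0 + 200));  /* 1 */
    printf("admin at t+600: %d\n", grant_use(&g, PRIV_ADMIN, t0 + 600));  /* 0: idle 400s */
    printf("read  at t+600: %d\n", grant_use(&g, PRIV_READ, t0 + 600));   /* 1 */
    return 0;
}
```

A grant issued with only PRIV_READ never gains PRIV_ADMIN, and the admin bit is lost not when the clock passes the limit but at the next attempt to use it, which is when the check matters.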


Principles of software security (2)

– Complete Mediation
  • Security checks in applications cannot be bypassed/circumvented.
  • E.g., the single-user mode in Linux or the “safe mode” in Windows allow login without entering a password: this is a violation of complete mediation.

– Open Design
  • No secrets.
  • E.g., the security of encryption should not depend on keeping the encryption algorithm secret.

– Separation of Privilege (or “separation of duty”)
  • E.g., multiple authentication criteria. (We will see more of this when discussing OS security.)

– Least Common Mechanism
  • E.g., do not share certain resources.
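Complete mediation and the choke point from the Economy of Mechanism slide fit together: one function that every access passes through, consulted on every access rather than once. The following is an added example for these notes, not code from the slides; the users, object name and policy table are constructed. The mediated handle re-checks the live policy on each read or write, so a revocation is enforced immediately; the “cached” handle, shown for contrast, keeps the decision it made at open time and never notices the revocation.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Constructed policy: which user may do what to which object. */
enum { ACT_READ = 1, ACT_WRITE = 2 };
struct rule { const char *user; const char *obj; unsigned allowed; };

#define MAX_RULES 8
static struct rule policy[MAX_RULES];
static int n_rules;

void policy_reset(void) { n_rules = 0; }

/* Add or replace the rule for (user, obj). */
void policy_grant(const char *user, const char *obj, unsigned acts) {
    for (int i = 0; i < n_rules; i++)
        if (!strcmp(policy[i].user, user) && !strcmp(policy[i].obj, obj)) {
            policy[i].allowed = acts;
            return;
        }
    if (n_rules < MAX_RULES) {
        policy[n_rules].user = user;
        policy[n_rules].obj = obj;
        policy[n_rules].allowed = acts;
        n_rules++;
    }
}

void policy_revoke(const char *user, const char *obj) { policy_grant(user, obj, 0); }

/* The choke point: the one function every access must pass through. It
 * reads the live policy, so a revocation is seen on the very next call.
 * No matching rule means default deny. */
static bool mediate(const char *user, const char *obj, unsigned act) {
    for (int i = 0; i < n_rules; i++)
        if (!strcmp(policy[i].user, user) && !strcmp(policy[i].obj, obj))
            return (policy[i].allowed & act) == act;
    return false;
}

/* Mediated design: the handle remembers WHO and WHAT, never the decision. */
struct handle { const char *user; const char *obj; };
struct handle open_obj(const char *user, const char *obj) {
    struct handle h = { user, obj };
    return h;
}
bool do_read(struct handle *h)  { return mediate(h->user, h->obj, ACT_READ); }
bool do_write(struct handle *h) { return mediate(h->user, h->obj, ACT_WRITE); }

/* Contrast: "check once at open" caches the decision in the handle, so the
 * check can be sidestepped simply by keeping the handle after revocation. */
struct cached_handle { bool may_write; };
struct cached_handle open_cached(const char *user, const char *obj) {
    struct cached_handle c = { mediate(user, obj, ACT_WRITE) };
    return c;
}
bool cached_write(struct cached_handle *c) { return c->may_write; }

int main(void) {
    policy_reset();
    policy_grant("alice", "payroll.db", ACT_READ | ACT_WRITE);
    struct handle h = open_obj("alice", "payroll.db");
    struct cached_handle c = open_cached("alice", "payroll.db");
    printf("before revoke: mediated write %d, cached write %d\n", do_write(&h), cached_write(&c)); /* 1 1 */
    policy_revoke("alice", "payroll.db");
    printf("after revoke:  mediated write %d, cached write %d\n", do_write(&h), cached_write(&c)); /* 0 1 */
    return 0;
}
```

The point is the shape, not the table: because mediate() is the only path to the object, an audit of “where are access checks done?” has a single answer, and the cached variant shows what a second path (a stale decision) costs.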


Other principles

• Securing the weakest link
  – E.g., if you haven’t fixed a buffer overflow, don’t bother installing retina-scanning-based authentication.

• Defense in depth
  – Have a layered approach, if possible, for software.
  – E.g., in Java code you would want to run the code with certain protection.

• Failing Securely
  – Do not let your code or software simply crash!
  – Or if it crashes, do not let it expose any secrets, e.g., by passing too much information to the exception-handling routines.

• Reluctance to trust
  – Never assume that the user will use the code the way you designed it.

• Never assuming that your secrets are safe
  – Don’t rely on an obscure implementation (similar to Open Design).

• Promoting Privacy
  – We will look at this when discussing database security.
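Failing securely, as an added example written for these notes rather than taken from the slides: the two halves of the principle are that an error path must end in a denial (fail closed), and that what is handed to the caller’s error handling carries no more than it needs. The blocklist, the user names and the “policy store unavailable” condition are constructed. The fail-open version asks “is this user blocked?” and treats an unreadable store as “not blocked”, which is how blocklist-style checks commonly fail; the fail-closed version denies on any error and keeps the detailed diagnostic in a server-side log rather than in the message returned to the client.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

enum auth_result { AUTH_DENY = 0, AUTH_ALLOW = 1 };

/* Constructed policy store. set_store_available(0) simulates an unreadable
 * policy file so the error path can be exercised. */
static int store_available = 1;
void set_store_available(int v) { store_available = v; }

/* Returns 0 on success and sets *blocked; returns -1 if the store is down. */
static int policy_lookup_blocked(const char *user, bool *blocked) {
    static const char *blocklist[] = { "mallory" };   /* constructed */
    if (!store_available)
        return -1;
    *blocked = false;
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++)
        if (strcmp(blocklist[i], user) == 0)
            *blocked = true;
    return 0;
}

/* Fail-OPEN (the pattern the slide warns against): a lookup failure is
 * treated like "not on the blocklist", so an outage grants access. */
enum auth_result authorize_fail_open(const char *user) {
    bool blocked = false;
    if (policy_lookup_blocked(user, &blocked) != 0)
        blocked = false;                 /* store down: assumes not blocked */
    return blocked ? AUTH_DENY : AUTH_ALLOW;
}

/* Fail-CLOSED: every error path returns DENY. The detailed reason is written
 * to the caller-supplied log buffer (kept server-side); nothing else escapes. */
enum auth_result authorize_fail_closed(const char *user, char *log, size_t log_len) {
    bool blocked = true;                 /* safe default until proven otherwise */
    if (policy_lookup_blocked(user, &blocked) != 0) {
        snprintf(log, log_len, "policy store unavailable while checking %s", user);
        return AUTH_DENY;
    }
    return blocked ? AUTH_DENY : AUTH_ALLOW;
}

/* What the error-handling layer above is allowed to see: a fixed message
 * with no internal detail, so a crash or exception cannot leak it. */
const char *client_message(enum auth_result r) {
    return r == AUTH_ALLOW ? "ok" : "access denied";
}

int main(void) {
    char log[128] = "";
    set_store_available(0);              /* simulate the outage */
    printf("fail-open   (store down): %s\n", client_message(authorize_fail_open("mallory")));           /* ok */
    printf("fail-closed (store down): %s\n", client_message(authorize_fail_closed("mallory", log, sizeof log))); /* access denied */
    printf("server log: %s\n", log);
    return 0;
}
```

Note what the fail-closed variant does with the diagnostic: it goes into a buffer the server controls, while the client receives only client_message(), which is the same string for “blocked” and “store down”.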


Next: Example 1: How principles of software security design apply to the design of general purpose OSes

Corresponds to Chapter 4 w/ additional notes by Prem Uppuluri


General purpose OS.

• Examples:
  – Windows NT family
    • 2000, XP, Vista, 7
  – Linux (multi-user)
  – FreeBSD
  – Solaris
• Specifically, any OS that is designed to run multi-purpose software.
• Excluded from this list: mobile OSes (iPhone, Android, Windows Mobile, etc.). Why? These use a subset of general purpose OS security mechanisms.


What is an Operating System?

• What is the function of an Operating System (OS)?
• It is software that:
  – mediates access to, and
  – enforces the sharing of
  system resources, by all other programs on the machine.


Two key characteristics of a general purpose OS

• Most general purpose OSes these days:

  – Support multiprocessing (multiple processes can share the CPU).
  – Support multiple users (multiple users can work at the same time).


Functions of an OS

• Some functions of an OS

  – Creation/removal of processes: OSes allow users to start new processes and end them.
  – Memory management: operating systems allocate and manage memory (e.g., free memory) while processes are being executed.
  – Process scheduling: when multiple processes are competing with each other to run on ONE CPU, the OS is responsible for scheduling which process runs next.
  – Handling I/O and interrupts.


What needs to be protected in a general purpose OS? (1)

• So based on the functions of an OS, it is clear that:
  – When multiprocessing (with multiple users), several hardware resources are shared and thus need protection. Examples:
    • Memory
    • I/O systems
    • Disks
    • Networks
    • Sharable data/programs
• So how do OSes protect these? And against whom?


What needs to be protected in a general purpose OS? (2)

• Examples of where security is needed:

– User level processes should not interfere with each other. E.g., a Word process should not be able to access the memory of a Chrome process.

– Permissions on user directories (folders) and files.

– Sharing of I/O resources (e.g., multiple users on a computer should not be able to view each other's print jobs, or keystrokes).


OS security using separation.

• OSes achieve security using the concept of separation of access to resources.
• Some examples of separation include:
  – Access control
    • (Who can access the resources of a system?)
  – Identity and credential management
    • (What is the identity of the current user? Can this identity be changed?)
  – Audit and integrity checks
    • (Keeps track of who performed what actions at what time. Also, have any files been changed? Are different measures consistent?)
  – Information flow
    • E.g., what can be cut and pasted? What can be copied and pasted? What info can be sent out on the network?


Next:

• How does an Operating System achieve separation?

• What are the key issues in doing so?


Main challenge: Policing the police… or protecting the Operating System itself!

• An OS is responsible for separation; however, there is a problem:
  – Given that an OS is a software program, what prevents other software programs from circumventing the OS? I.e., why cannot the OS be bypassed?
  – Or, can an OS be bypassed?
• Example: Is it possible for you to write a program that directly accesses the resources by circumventing the OS's memory management, process management and other mechanisms?


Circumventing the OS

• An OS can be circumvented in certain cases:
  – E.g., when you boot an OS from a CD or a DVD, you are circumventing the OS on the disk.
    • The OS installed on the disk will be unable to mediate any of your processes' access to the CPU.
• However, once you “load” an operating system, it cannot be circumvented (or it should not be, if implemented securely). Why cannot it be circumvented?


The Architecture-OS dance.

• Various architectures (Intel, AMD, SPARC etc.) provide some hardware security features (think of them as switches) such that:

– The first software that gets loaded when you start a computer grabs the controls of these hardware features.

– Without control of these hardware features, hardware resources cannot be accessed.

• (unless you use a physical attack, such as removing a hard disk from the computer).

• If the first software is the OS (as is usually the case), it controls these hardware features.


What is separation?

• What are these hardware features?

–Two key ones:

• Interrupts (programmable interrupts) and

• Rings.


Privilege rings in OS.

• Most CPUs come with multiple “rings”.
• When a piece of software wants to access any hardware resource, it has to grab a certain ring number.
• Ring 0: allows access to all the hardware resources…
• Ring 3: doesn’t allow any access to hardware.
• Ring 1 will allow access to a few, etc.

Image source: Wikipedia (© LOTR)


Privilege rings in OS (2).

• So how does a piece of software grab a ring?

(A) Defeating Lord Sauron.
(B) Using Orcs.
(C) Capture Gollum.
(D) Using interrupts.

Answer: D

Image source: Wikipedia


Privilege rings in OS (3).

• Interrupts
  • Every architecture (Intel x86, SPARC, etc.) provides certain hardware switches called interrupts.
  • Interrupts can be “thrown” or triggered using machine language instructions that the architecture supports.
    – E.g., on Intel x86, the instruction int 0x80 raises interrupt 0x80, which is how a piece of software gets into ring 0.
  • Every interrupt is associated with a software method (program).
  • ONLY that software program can be executed when the interrupt is thrown.

Image source: Wikipedia

The first software that gets loaded on boot-up will also install the software programs associated with each interrupt.


Privilege rings in OS (4).

• So an OS (as it is the first process that must be loaded into memory):
  – Loads the software methods associated with each interrupt.
  – E.g., in the Intel x86 architecture, interrupt 0x80 is associated with grabbing ring 0.
    • So with this interrupt, the OS associates software methods (or functions or subroutines) that allow access to hardware resources.
    • These software methods are called “system calls”.


System calls in an OS

• Every OS provides a set of system calls.
  – Think of these as an API to access and/or modify various resources.
  – E.g.,
    • In Linux:
      – sys_open allows a program to access files on a disk (so access to the hardware: the disk).
      – sys_fork allows the creation of a new process (thus accessing resources such as memory).
    • In Windows:
      – NtCreateProcess: creates a new process (similar to fork).
• Complete list of system calls in Linux:
  • Look at the file /usr/include/unistd.h on any Linux machine.
• Complete list of system calls in Windows:
  • http://www.metasploit.com/users/opcode/syscalls.html


System calls in OS

• There are many system calls, as you saw in the links on the previous slides.
• System calls are organized into an “array”. Think of this as an array of methods.
  – System_call[] syscalls …
  – Each index is associated with one system call.
    • E.g., syscalls[3] may be the method for the “fork” system call.


System calls summary.

• When a software process calls a system call, let us say “open”, then:
  – Interrupt 0x80 is thrown. (So the software program now has access to ring 0.)
  – However, remember: when an interrupt is thrown, only the software associated with that interrupt can be executed.
  – This software (a whole bunch of system call implementations) is provided by the OS.
  – The appropriate system call method is looked up (in this case “open”) and executed.
• Hence, the OS can control complete access to hardware resources by other software processes.


Another way to look at how an OS can prevent any process from directly accessing hardware.

• If a software process wants to access the hard disk, it has to grab ring 0.
• However, it can only grab ring 0 by throwing interrupt 0x80 (on Intel x86).
• However, if it throws interrupt 0x80, then only the code associated with that interrupt can get executed.
• The first process loaded when the system boots up gets the first shot at associating software with each interrupt.
• If the first process is the OS itself, then the OS can control the software associated with each interrupt.
• Hence, any other software program can only use the OS’s software to access hardware resources.
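The dispatch described on the last three slides (system call number indexes an array of OS-provided handlers; the interrupt lands in the OS's dispatcher and nowhere else), as an added example written for these notes rather than taken from the slides or from any kernel. The table below is a user-space model: its numbers, names and handlers are constructed and are not Linux's real table. What it demonstrates is the part that matters for security: the dispatcher is the only code that runs when the "interrupt" fires, and it validates the number before indexing, so a bad or empty slot yields -ENOSYS instead of a jump through an unchecked pointer. The last two functions call the host's real getpid through the libc wrapper and through the generic syscall(2) entry to show that both reach the same kernel handler.

```c
#define _GNU_SOURCE 1
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Shape of one entry in the model table: every "system call" takes two
 * integer arguments and returns a long, like the real kernel convention. */
typedef long (*syscall_fn)(long a, long b);

/* Constructed handlers. Return values are made up for the example. */
static long sys_model_getpid(long a, long b) { (void)a; (void)b; return 4242; }
static long sys_model_add(long a, long b)    { return a + b; }
static long sys_model_fork(long a, long b)   { (void)a; (void)b; return 4243; }

/* syscalls[n] is one handler, exactly as the slide describes. Slot 2 is
 * deliberately left empty (NULL) to exercise the dispatcher's check. */
static const syscall_fn syscall_table[] = {
    [0] = sys_model_getpid,
    [1] = sys_model_add,
    [3] = sys_model_fork,
};
#define NR_SYSCALLS (sizeof syscall_table / sizeof syscall_table[0])

/* Model of the code that runs when interrupt 0x80 (or the syscall
 * instruction) fires: control arrives HERE, in OS-provided code, never in
 * the caller's own code. The number is checked against the table bounds and
 * for an empty slot before it is used as an index. */
long dispatch(long nr, long a, long b) {
    if (nr < 0 || (unsigned long)nr >= NR_SYSCALLS || syscall_table[nr] == NULL)
        return -ENOSYS;
    return syscall_table[nr](a, b);
}

/* The real thing on the host: the generic syscall(2) entry point (Linux)
 * and the libc wrapper getpid() end up in the same kernel handler. */
long real_pid_via_syscall(void) {
#ifdef __linux__
    return (long)syscall(SYS_getpid);
#else
    return (long)getpid();   /* non-Linux host: fall back to the wrapper */
#endif
}
long real_pid_via_wrapper(void) { return (long)getpid(); }

int main(void) {
    printf("model getpid  -> %ld\n", dispatch(0, 0, 0));            /* 4242 */
    printf("model add     -> %ld\n", dispatch(1, 2, 3));            /* 5 */
    printf("empty slot 2  -> %ld (-ENOSYS)\n", dispatch(2, 0, 0));
    printf("bad number 99 -> %ld (-ENOSYS)\n", dispatch(99, 0, 0));
    printf("real pid: wrapper %ld, syscall %ld\n",
           real_pid_via_wrapper(), real_pid_via_syscall());
    return 0;
}
```

The bounds check in dispatch() is the model's version of the property the slides argue for: a process chooses the number, but only the OS chooses what code that number reaches, and an out-of-range number reaches nothing.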


Next:

• Overview of security provided by the operating system in accessing:
  – Memory
  – Files
  – Etc.