october 18, 2005
DESCRIPTION
October 18, 2005. Introduction to Computer Security Lecture 6 Windows/Unix/Solaris 10 Design Principles. Two implementation concepts. Access control list (ACL) Store column of matrix with the resource Capability User holds a “ticket” for each resource Two variations - PowerPoint PPT PresentationTRANSCRIPT
IS2150/TEL2810: Introduction of Computer Security 1
October 18, 2005October 18, 2005
Introduction to Introduction to Computer SecurityComputer Security
Lecture 6Lecture 6Windows/Unix/Solaris 10Windows/Unix/Solaris 10
Design PrinciplesDesign Principles
2IS2150/TEL2810: Introduction of Computer Security
Two implementation conceptsTwo implementation concepts
Access control list (ACL)Access control list (ACL) Store column of matrix with the resource
CapabilityCapability User holds a “ticket” for each resource Two variations
store row of matrix with user unforgeable ticket in user space
3IS2150/TEL2810: Introduction of Computer Security
UnixUnix
Developed at AT&T Bell LabsDeveloped at AT&T Bell LabsSingle monolithic kernelSingle monolithic kernel
Kernel mode File system, device drivers, process management
User programs run in user mode networking
4IS2150/TEL2810: Introduction of Computer Security
Unix Unix Identification and authenticationIdentification and authentication
Users have usernameUsers have username Internally identified with a user ID (UID) Username to UID info in /etc/passwd Super UID = 0
can access any file Every user belong to a group – has GID
Passwords to authenticatePasswords to authenticate in /etc/passwd
Shadow file /etc/shadow
5IS2150/TEL2810: Introduction of Computer Security
Unix file securityUnix file security
Each file has owner and groupEach file has owner and group Permissions set by ownerPermissions set by owner
Read, write, execute Owner, group, other Represented by vector of four octal values
Only owner, root can change permissionsOnly owner, root can change permissions This privilege cannot be delegated or shared
6IS2150/TEL2810: Introduction of Computer Security
Unix File PermissionsUnix File Permissions
File type, owner, group, othersFile type, owner, group, othersdrwx------ 2 jjoshi isfac 512 Aug 20 2003 risk managementdrwx------ 2 jjoshi isfac 512 Aug 20 2003 risk managementlrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk managementlrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk management-rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps-rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs-r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs-r-sr-sr-x 1 root sys 2196 Apr 6 2002 /usr/bin/passwd-r-sr-sr-x 1 root sys 2196 Apr 6 2002 /usr/bin/passwd
File type: regular -, directory d, symlink l, device b/c, socket s, fifo f/pFile type: regular -, directory d, symlink l, device b/c, socket s, fifo f/p Permission: r, w, x, s or S (set.id), t (sticky)Permission: r, w, x, s or S (set.id), t (sticky)
While accessing filesWhile accessing files Process EUID compared against the file UID GIDs are compared; then Others are tested
7IS2150/TEL2810: Introduction of Computer Security
Effective user id (EUID)Effective user id (EUID)
Each process has three IdsEach process has three Ids Real user ID (RUID)
same as the user ID of parent (unless changed) used to determine which user started the process
Effective user ID (EUID) from set user ID bit on the file being executed, or sys call determines the permissions for process
Saved user ID (SUID) Allows restoring previous EUID
Similarly we have Similarly we have Real group ID, effective group ID,
8IS2150/TEL2810: Introduction of Computer Security
IDs/OperationsIDs/Operations
Root can access any fileRoot can access any file Fork and ExecFork and Exec
Inherit three IDs, except exec of file with setuid bit
Setuid system calls Setuid system calls seteuid(newid) can set EUID to
Real ID or saved ID, regardless of current EUID Any ID, if EUID=0
Related calls: setuid, seteuid, setreuid
9IS2150/TEL2810: Introduction of Computer Security
Setid bits on executable Unix fileSetid bits on executable Unix file
Three setid bitsThree setid bits Setuid
set EUID of process to ID of file owner Setgid
set EGID of process to GID of file Setuid/Setgid used when a process executes a file
If setuid (setgid) bit is on – change the EUID of the process changed to UID (GUID) of the file
Sticky Off: if user has write permission on directory, can rename or remove
files, even if not owner On: only file owner, directory owner, and root can rename or remove
file in the directory
10IS2150/TEL2810: Introduction of Computer Security
ExampleExample
…;
…;
exec( );
…;
…;
exec( );
RUID 25RUID 25 SetUIDSetUID
programprogram
…;
…;
i=getruid()
setuid(i);
…;
…;
…;
…;
i=getruid()
setuid(i);
…;
…;
RUID 25EUID 18
RUID 25EUID 25
-rw-r--r---rw-r--r--
filefile
-rw-r--r---rw-r--r--
filefile
Owner 18Owner 18
Owner 25Owner 25
read/write
read/write
Owner 18Owner 18
11IS2150/TEL2810: Introduction of Computer Security
Careful with Setuid !Careful with Setuid !
Can do anything that owner of file is allowed Can do anything that owner of file is allowed to doto do
Be sure not toBe sure not to Take action for untrusted user Return secret data to untrusted user
Principle of least privilegePrinciple of least privilege change EUID when root privileges no longer needed
Setuid scripts (bad idea)Setuid scripts (bad idea) Race conditions: begin executing setuid program;
change contents of program before it loads and is executed
Anything possible if root
Anything possible if root
12IS2150/TEL2810: Introduction of Computer Security
Windows NTWindows NT
Windows 9x, Me Windows 9x, Me Never meant for security FAT file system – no file level security PWL password scheme – not secure
Can be simply deleted
Windows NTWindows NT Username mapped to Security ID (SID) SID is unique within a domain
SID + password stored in a database handled by the Security Accounts Manager (SAM) subsystem
13IS2150/TEL2810: Introduction of Computer Security
Windows NTWindows NT
Some basic functionality similar to UnixSome basic functionality similar to Unix Specify access for groups and users
Read, modify, change owner, delete Some additional conceptsSome additional concepts
Tokens Security attributes
GenerallyGenerally More flexibility than Unix
Can define new permissions Can give some but not all administrator privileges
14IS2150/TEL2810: Introduction of Computer Security
Sample permission optionsSample permission options
SIDSID Identity (replaces UID)
SID revision number 48-bit authority value variable number of
Relative Identifiers (RIDs), for uniqueness
Users, groups, computers, domains, domain members all have SIDs
15IS2150/TEL2810: Introduction of Computer Security
Permission InheritancePermission Inheritance
Static permission inheritance (Win NT)Static permission inheritance (Win NT) Initially, subfolders inherit permissions of folder Folder, subfolder changed independently Replace Permissions on Subdirectories
command Eliminates any differences in permissions
16IS2150/TEL2810: Introduction of Computer Security
Permission InheritancePermission Inheritance
Dynamic permission inheritance (Win 2000)Dynamic permission inheritance (Win 2000) Child inherits parent permission, remains linked Parent changes are inherited, except explicit
settings Inherited and explicitly-set permissions may conflict
Resolution rules• Positive permissions are additive
• Negative permission (deny access) takes priority
17IS2150/TEL2810: Introduction of Computer Security
TokensTokens
Security contextSecurity context privileges, accounts, and groups associated with the
process or thread Security Reference Monitor Security Reference Monitor
uses tokens to identify the security context of a process or thread
Impersonation token Impersonation token Each thread can have two tokens – primary &
impersonation thread uses temporarily to adopt a different security
context, usually of another user
18IS2150/TEL2810: Introduction of Computer Security
Security DescriptorSecurity Descriptor
Information associated with an objectInformation associated with an object who can perform what actions on the object
Several fieldsSeveral fields Header
Descriptor revision number Control flags, attributes of the descriptor
• E.g., memory layout of the descriptor SID of the object's owner SID of the primary group of the object Two attached optional lists:
Discretionary Access Control List (DACL) – users, groups, … System Access Control List (SACL) – system logs, ..
19IS2150/TEL2810: Introduction of Computer Security
Example access requestExample access request
User: MarkUser: MarkGroup1: AdministratorsGroup1: Administrators
Group2: WritersGroup2: Writers
Control flagsControl flags
Group SIDGroup SIDDACL PointerDACL PointerSACL PointerSACL Pointer Deny Deny Writers Writers Read, Write Read, Write Allow Allow Mark Mark Read, Write Read, Write
Owner SIDOwner SID
Revision NumberRevision Number
Access
token
Security descripto
r
Access request: write
Action: denied• User Mark requests write permission
• Descriptor denies permission to group
• Reference Monitor denies request
20IS2150/TEL2810: Introduction of Computer Security
Impersonation Tokens (setuid?)Impersonation Tokens (setuid?)
Process uses security attributes of anotherProcess uses security attributes of another Client passes impersonation token to server
Client specifies impersonation level of serverClient specifies impersonation level of server Anonymous
Token has no information about the client Identification
server obtains the SIDs of client and client's privileges, but server cannot impersonate the client
Impersonation server identifies and impersonate the client
Delegation lets server impersonate client on local, remote systems
21IS2150/TEL2810: Introduction of Computer Security
Encrypted File Systems Encrypted File Systems (EFS)(EFS)
Store files in encrypted formStore files in encrypted form Key management: user’s key decrypts file Useful protection if someone steals disk
Windows – EFSWindows – EFS User marks a file for encryption Unique file encryption key is created Key is encrypted, can be stored on smart card
22IS2150/TEL2810: Introduction of Computer Security
SELinux Security Policy AbstractionsSELinux Security Policy Abstractions
Type enforcementType enforcement Each process has an associated domain Each object has an associated type Configuration files specify
How domains are allowed to access types Allowable interactions and transitions between domains
Role-based access controlRole-based access control Each process has an associated role
Separate system and user processes configuration files specify
Set of domains that may be entered by each role
23IS2150/TEL2810: Introduction of Computer Security
Sample Features of Trusted OSSample Features of Trusted OS
Mandatory access controlMandatory access control MAC not under user control, precedence over DAC
Object reuse protectionObject reuse protection Write over old data when file space is allocated
Complete mediationComplete mediation Prevent any access that circumvents monitor
AuditAudit Log security-related events
Intrusion detectionIntrusion detection Anomaly detection
Learn normal activity, Report abnormal actions Attack detection
Recognize patterns associated with known attacks
24IS2150/TEL2810: Introduction of Computer Security
Kernelized DesignKernelized Design
Trusted Computing BaseTrusted Computing Base Hardware and software for enforcing
security rules Reference monitorReference monitor
Part of TCB All system calls go through reference
monitor for security checking Most OS not designed this way
Reference validation mechanism – Reference validation mechanism – 1. Tamperproof2. Never be bypassed3. Small enough to be subject to analysis
and testing – the completeness can be assured
User spaceUser space
Kernel spaceKernel space
User process
OS kernelOS kernel
TCBTCB
Reference monitorReference monitor
25IS2150/TEL2810: Introduction of Computer Security
Is Windows is “Secure”?Is Windows is “Secure”?
Good thingsGood things Design goals include security goals Independent review, configuration guidelines
But …But … “Secure” is a complex concept
What properties protected against what attacks? Typical installation includes more than just OS
Many problems arise from applications, device drivers Windows driver certification program
26IS2150/TEL2810: Introduction of Computer Security
Window 2000Window 2000
Newer features than NTNewer features than NTNTFS file system redesigned for NTFS file system redesigned for
performanceperformanceActive directoryActive directory
Kerberos for authentication IPSec/L2TP
27IS2150/TEL2810: Introduction of Computer Security
Windows XPWindows XP
Improvement over Win 2000 ProfessionalImprovement over Win 2000 Professional Personalized login
Multiple users to have secure profiles User switching
Multiple users to be logged in Internet connection firewall (ICF)
Active packet filtering Blank password restriction (null sessions) Encrypting File System (EFS) using PKI Smart card support (uses X.509 certificate for
authentication)
28IS2150/TEL2810: Introduction of Computer Security
Active DirectoryActive Directory
Core for the flexibility of Win2000Core for the flexibility of Win2000 Centralized management for clients, servers and user accounts
Information about all objectsInformation about all objects Group policy and remote OS operationsGroup policy and remote OS operations Replaces SAM databaseReplaces SAM database
AD is trusted component of the LSA StoresStores
Access control information – authorization User credentials – authentication
SupportsSupports PKI, Kerberos and LDAP
29IS2150/TEL2810: Introduction of Computer Security
Win 2003Win 2003
30IS2150/TEL2810: Introduction of Computer Security
Solaris 10Solaris 10
UNIX-based OSUNIX-based OS Access Control is
similar. Some new features Some new features
have been added in have been added in Solaris 10.Solaris 10. User Templates Authorizations Projects RBAC – Only for
administrative purposes
IS2150/TEL2810: Introduction of Computer Security 31
Design PrinciplesDesign Principles
32IS2150/TEL2810: Introduction of Computer Security
Design Principles for Security Design Principles for Security MechanismsMechanisms
PrinciplesPrinciples Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological Acceptability
Based on the idea of Based on the idea of simplicitysimplicity and and restrictionrestriction
33IS2150/TEL2810: Introduction of Computer Security
OverviewOverview
SimplicitySimplicity Less to go wrong Fewer possible inconsistencies Easy to understand
RestrictionRestriction Minimize access power (need to know) Inhibit communication
34IS2150/TEL2810: Introduction of Computer Security
Least PrivilegeLeast Privilege
A subject should be given only those A subject should be given only those privileges necessary to complete its taskprivileges necessary to complete its task Function, not identity, controls
RBAC! Rights added as needed, discarded after use
Active sessions and dynamic separation of duty Minimal protection domain
A subject should not have a right if the task does not need it
35IS2150/TEL2810: Introduction of Computer Security
Fail-Safe DefaultsFail-Safe Defaults
Default action is to deny accessDefault action is to deny access If action fails, system as secure as when If action fails, system as secure as when
action beganaction began Undo changes if actions do not complete Transactions (commit)
36IS2150/TEL2810: Introduction of Computer Security
Economy of MechanismEconomy of Mechanism
Keep the design and implementation as Keep the design and implementation as simple as possiblesimple as possible KISS Principle (Keep It Simple, Silly!)
Simpler means less can go wrongSimpler means less can go wrong And when errors occur, they are easier to
understand and fix
Interfaces and interactionsInterfaces and interactions
37IS2150/TEL2810: Introduction of Computer Security
Complete MediationComplete Mediation
Check every access to an object to ensure Check every access to an object to ensure that access is allowedthat access is allowed
Usually done once, on first actionUsually done once, on first action UNIX: Access checked on open, not checked
thereafter
If permissions change after, may get If permissions change after, may get unauthorized accessunauthorized access
38IS2150/TEL2810: Introduction of Computer Security
Open DesignOpen Design
Security should not depend on secrecy of Security should not depend on secrecy of design or implementationdesign or implementation Popularly misunderstood to mean that source
code should be public “Security through obscurity” Does not apply to information such as
passwords or cryptographic keys
39IS2150/TEL2810: Introduction of Computer Security
Separation of PrivilegeSeparation of Privilege
Require multiple conditions to grant Require multiple conditions to grant privilegeprivilege Example: Checks of $70000 must be signed by
two people Separation of duty Defense in depth
Multiple levels of protection
40IS2150/TEL2810: Introduction of Computer Security
Least Common MechanismLeast Common Mechanism
Mechanisms should not be sharedMechanisms should not be shared Information can flow along shared channels Covert channels
IsolationIsolation Virtual machines Sandboxes
41IS2150/TEL2810: Introduction of Computer Security
Psychological AcceptabilityPsychological Acceptability
Security mechanisms should not add to Security mechanisms should not add to difficulty of accessing resourcedifficulty of accessing resource Hide complexity introduced by security
mechanisms Ease of installation, configuration, use Human factors critical here