Secure Architecture Principles - Columbia University (suman/security_1/principles.pdf)
Slide 1: Secure Architecture Principles
• Isolation and Least Privilege
• Access Control Concepts
• Operating Systems
• Browser Isolation and Least Privilege
Original slides were created by Prof. John Mitchell
Slide 2: Secure Architecture Principles: Isolation and Least Privilege
Slide 3: Principles of Secure Design
Slide 4: Principles of Secure Design
• Compartmentalization
  – Isolation
  – Principle of least privilege
• Defense in depth
  – Use more than one security mechanism
  – Secure the weakest link
  – Fail securely
• Keep it simple
Slide 5: Principle of Least Privilege
• What's a privilege?
  – Ability to access or modify a resource
• Assume compartmentalization and isolation
  – Separate the system into isolated compartments
  – Limit interaction between compartments
• Principle of Least Privilege
  – A system module should only have the minimal privileges needed for its intended purposes
Slides 6-8: Monolithic design
Figure (three animation steps of the same diagram): a single System box connected to every external interface at once: Network, User input, File system, Network, User device / User display, File system. Any flaw anywhere in the box exposes all of them.
Slides 9-11: Component design
Figure (three animation steps of the same diagram): the system is split into separate components, each attached only to the interfaces it needs: Network, User input, File system, Network, User display / User device, File system.
Slide 12: Principle of Least Privilege (repeat of slide 5)
• What's a privilege?
  – Ability to access or modify a resource
• Assume compartmentalization and isolation
  – Separate the system into isolated compartments
  – Limit interaction between compartments
• Principle of Least Privilege
  – A system module should only have the minimal privileges needed for its intended purposes
Slide 13: Example: Mail Agent
• Requirements
  – Receive and send email over external network
  – Place incoming email into local user inbox files
• Sendmail
  – Traditional Unix
  – Monolithic design
  – Historical source of many vulnerabilities
• Qmail
  – Compartmentalized design
Slide 14: OS Basics (before examples)
• Isolation between processes
  – Each process has a UID
    • Two processes with the same UID have the same permissions
  – A process may access files, network sockets, ...
    • Permission granted according to UID
• Relation to previous terminology
  – Compartment defined by UID
  – Privileges defined by actions allowed on system resources
Slide 15: Qmail design
• Isolation based on OS isolation
  – Separate modules run as separate "users"
  – Each user only has access to specific resources
• Least privilege
  – Minimal privileges for each UID
  – Only one "setuid" program
    • setuid allows a program to run as different users
  – Only one "root" program
    • root program has all privileges
Slide 16: Structure of qmail
Figure: the qmail modules and the flow of mail between them. Incoming external mail enters through qmail-smtpd and incoming internal mail through qmail-inject; both hand messages to qmail-queue. qmail-send takes messages from the queue and dispatches local deliveries through qmail-lspawn to qmail-local, and remote deliveries through qmail-rspawn to qmail-remote.
Slide 17: Isolation by Unix UIDs
Figure: the same qmail pipeline as slide 16, with each module labelled by the Unix user it runs as: qmail-smtpd runs as qmaild; qmail-inject runs as the invoking user; qmail-queue is the single setuid program and runs as qmailq; qmail-send runs as qmails; qmail-lspawn runs as root; qmail-local runs as the recipient user; qmail-rspawn and qmail-remote run as qmailr.
qmailq – user who is allowed to read/write the mail queue
Slide 18: Android process isolation
• Android application sandbox
  – Isolation: each application runs with its own UID in its own VM
    • Provides memory protection
    • Communication limited to using Unix domain sockets
    • Only ping, zygote (spawn another process) run as root
  – Interaction: reference monitor checks permissions on inter-component communication
  – Least Privilege: applications announce the permissions they need
    • User grants access at install time
Slide 21: Secure Architecture Principles: Access Control Concepts
Slide 22: Access control
• Assumptions
  – System knows who the user is
    • Authentication via name and password, or other credential
  – Access requests pass through a gatekeeper (reference monitor)
    • System must not allow the monitor to be bypassed
Figure: a User process sends an access request to the Reference monitor, which consults the policy and decides (?) whether the request reaches the Resource.
Slide 23: Access control matrix [Lampson]
Rows are Subjects, columns are Objects:

         File 1   File 2   File 3   ...      File n
User 1   read     write    -        -        read
User 2   write    write    write    -        -
User 3   -        -        -        read     read
...
User m   read     write    read     write    read
Slide 24: Implementation concepts
• Access control list (ACL)
  – Store a column of the matrix with the resource
• Capability
  – User holds a "ticket" for each resource
  – Two variations
    • store a row of the matrix with the user, under OS control
    • unforgeable ticket in user space

         File 1   File 2   ...
User 1   read     write    -
User 2   write    write    -
User 3   -        -        read
...
User m   read     write    write

Access control lists are widely used, often with groups. Some aspects of the capability concept are used in many systems.
Slide 25: ACL vs Capabilities
• Access control list
  – Associate a list with each object
  – Check user/group against the list
  – Relies on authentication: need to know the user
• Capabilities
  – Capability is an unforgeable ticket
    • Random bit sequence, or managed by the OS
    • Can be passed from one process to another
  – Reference monitor checks the ticket
    • Does not need to know the identity of the user/process
Slide 26: ACL vs Capabilities
Figure: under ACLs, processes P, Q and R all run as User U and are checked by that identity; under capabilities, process P holds capabilities c, d, e, process Q holds c, e, and process R holds c, and each is checked only by the tickets it presents.
Slide 27: ACL vs Capabilities
• Delegation
  – Cap: process can pass a capability at run time
  – ACL: try to get the owner to add permission to the list?
    • More common: let the other process act under the current user
• Revocation
  – ACL: remove user or group from the list
  – Cap: try to get the capability back from the process?
    • Possible in some systems if appropriate bookkeeping
      – OS knows which data is a capability
      – If a capability is used for multiple resources, have to revoke all or none ...
    • Indirection: capability points to a pointer to the resource
      – If C → P → R, then revoke capability C by setting P = 0
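The following is an added example, not from the slides, that implements the two storage layouts of slides 24-27 on a constructed toy matrix: ACLs as columns stored with each object (the monitor must know the authenticated subject), capabilities as random unforgeable tickets (the monitor checks only the ticket), with delegation by copying the ticket and revocation through the C → P → R indirection, where clearing P kills every delegated copy at once. All names (MATRIX, CapabilitySystem, grant/check/revoke) are this example's own.

```python
"""Access control matrix stored two ways, plus revocation by indirection.
Added example; the matrix is a constructed toy instance of the slide's table."""
import secrets

# Constructed toy access control matrix: subject -> object -> set of rights.
MATRIX = {
    "user1": {"file1": {"read", "write"}, "file3": {"read"}},
    "user2": {"file1": {"write"}, "file2": {"write"}},
    "user3": {"file3": {"read"}},
}


def to_acls(matrix):
    """ACL view: one column per object, stored with the resource."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def acl_check(acls, subject, obj, right):
    """Reference monitor for ACLs: needs the authenticated subject identity."""
    return right in acls.get(obj, {}).get(subject, set())


class CapabilitySystem:
    """Capability view: unforgeable tickets, with one level of indirection
    so a capability can be revoked without tracking every holder (C -> P -> R)."""

    def __init__(self):
        self._slots = {}   # pointer id P -> (object, rights), or None once revoked
        self._caps = {}    # ticket C (random bits) -> pointer id P

    def grant(self, obj, rights):
        slot = len(self._slots)
        self._slots[slot] = (obj, frozenset(rights))
        ticket = secrets.token_hex(16)   # 128 random bits: unforgeable in practice
        self._caps[ticket] = slot
        return ticket

    def check(self, ticket, obj, right):
        """Reference monitor for capabilities: checks the ticket, never the user."""
        slot = self._caps.get(ticket)
        if slot is None:
            return False                  # not a ticket we ever issued
        target = self._slots[slot]
        if target is None:
            return False                  # revoked: P was set to 0
        tobj, rights = target
        return tobj == obj and right in rights

    def revoke(self, ticket):
        """Revoke C by clearing P; every copy that was delegated dies with it."""
        slot = self._caps.get(ticket)
        if slot is not None:
            self._slots[slot] = None


def demo():
    """Delegate a capability by copying it, then revoke the original."""
    acls = to_acls(MATRIX)
    caps = CapabilitySystem()
    ticket = caps.grant("file1", {"read", "write"})
    delegated_copy = ticket           # delegation is just passing the bits at run time
    before = caps.check(delegated_copy, "file1", "read")
    caps.revoke(ticket)
    after = caps.check(delegated_copy, "file1", "read")
    return acls, before, after
```

Note the asymmetry the slides point at: `acl_check` cannot run without a trustworthy `subject`, while `CapabilitySystem.check` never sees one, which is why delegation is trivial for capabilities and revocation needs the extra pointer.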
Slide 28: Roles (aka Groups)
• Role = set of users
  – Administrator, Power User, User, Guest
  – Assign permissions to roles; each user gets the permissions of its roles
• Role hierarchy
  – Partial order of roles
  – Each role gets the permissions of the roles below it
  – List only the new permissions given to each role
Figure: the four roles arranged as a hierarchy, Administrator at the top and Guest at the bottom.
Slide 29: Role-Based Access Control
Figure: Individuals are assigned to Roles (engineering, marketing, human res), and Roles are granted access to Resources (Server 1, Server 2, Server 3).
Advantage: users change more frequently than roles
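An added example (not from the slides) for slides 28-29: a role hierarchy as a partial order in which each role lists only its new permissions and inherits everything below it, plus the reference monitor check of slide 30, 〈user info, action〉 → yes/no, with the user's roles as the user info. The roles, permissions and user assignments are constructed.

```python
"""Role hierarchy as a partial order; each role inherits the permissions of the
roles below it, so only new permissions are listed per role. Added example."""

# Constructed hierarchy: role -> roles directly below it (a DAG, i.e. a partial order).
BELOW = {
    "Administrator": {"PowerUser"},
    "PowerUser": {"User"},
    "User": {"Guest"},
    "Guest": set(),
}

# Only the permissions newly granted at each level are listed (resource, action).
NEW_PERMS = {
    "Guest": {("public", "read")},
    "User": {("home", "read"), ("home", "write")},
    "PowerUser": {("printer", "use")},
    "Administrator": {("passwd", "write")},
}

# Constructed user -> roles assignment; a user may hold several roles.
USER_ROLES = {
    "alice": {"Administrator"},
    "bob": {"User"},
    "carol": {"Guest", "PowerUser"},
}


def effective_perms(role, below=BELOW, new=NEW_PERMS, _seen=None):
    """Transitive closure over the partial order: the role's own permissions
    plus those of every role reachable below it."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    perms = set(new.get(role, set()))
    for child in below.get(role, set()):
        perms |= effective_perms(child, below, new, seen)
    return perms


def user_perms(user):
    """Union of the effective permissions of all roles the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= effective_perms(role)
    return perms


def check(user, resource, action):
    """Reference monitor: <user info, action> -> yes/no, with roles as the user info."""
    return (resource, action) in user_perms(user)
```

Because the closure is computed at check time, moving a user between roles (the frequent change, per slide 29) is a one-line edit to USER_ROLES and never touches the permission tables.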
Slide 30: Access control summary
• Access control involves a reference monitor
  – Check permissions: 〈user info, action〉 → yes/no
  – Important: no way around this check
• Access control matrix
  – Access control lists vs capabilities
  – Advantages and disadvantages of each
• Role-based access control
  – Use group as "user info"; use group hierarchies
Slide 31: Secure Architecture Principles: Operating Systems
Slide 32: Unix access control
• Process has a user id
  – Inherited from the creating process
  – Process can change id
    • Restricted set of options
  – Special "root" id
    • All access allowed
• File has an access control list (ACL)
  – Grants permission to user ids
  – Owner, group, other

         File 1   File 2   ...
User 1   read     write    -
User 2   write    write    -
User 3   -        -        read
...
User m   read     write    write
Slide 33: Unix file access control list
• Each file has an owner and a group
• Permissions set by owner
  – Read, write, execute
  – Owner, group, other
  – Represented by a vector of four octal values
• Only owner, root can change permissions
  – This privilege cannot be delegated or shared
• Setid bits – discussed in a few slides
Figure: the mode bits laid out as setid | rwx (ownr) | rwx (grp) | rwx (othr), one octal digit each.
Slide 34: Process effective user id (EUID)
• Each process has three IDs (+ more under Linux)
  – Real user ID (RUID)
    • same as the user ID of the parent (unless changed)
    • used to determine which user started the process
  – Effective user ID (EUID)
    • from the set-user-ID bit on the file being executed, or a syscall
    • determines the permissions for the process
      – file access and port binding
  – Saved user ID (SUID)
    • So the previous EUID can be restored
• Real group ID, effective group ID, used similarly
Slide 35: Process Operations and IDs
• Root
  – ID = 0 for superuser root; can access any file
• Fork and Exec
  – Inherit the three IDs, except exec of a file with the setuid bit
• Setuid system call
  – seteuid(newid) can set EUID to
    • Real ID or saved ID, regardless of current EUID
    • Any ID, if EUID = 0
• Details are actually more complicated
  – Several different calls: setuid, seteuid, setreuid
Slide 36: Setid bits on an executable Unix file
• Three setid bits
  – Setuid – set EUID of the process to the ID of the file owner
  – Setgid – set EGID of the process to the GID of the file
  – Sticky
    • Off: if a user has write permission on the directory, they can rename or remove files, even if not the owner
    • On: only the file owner, directory owner, and root can rename or remove a file in the directory
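An added example (not from the slides) covering the four-octal-digit mode vector of slide 33 and the three setid bits of slide 36: it splits a mode into its four digits, renders the ls-style rwx string (with the s/S and t/T markers that the setid digit adds to the execute slots), and names which special bit is set. The function names are this example's own; the cross-check uses the standard library's stat.filemode.

```python
"""Decode the Unix mode vector: setid digit + owner/group/other rwx digits.
Added example; the sample modes used in the checks are constructed."""
import stat


def octal_vector(mode):
    """The four octal digits the slide describes: (setid, owner, group, other)."""
    return ((mode >> 9) & 0o7, (mode >> 6) & 0o7, (mode >> 3) & 0o7, mode & 0o7)


def rwx(digit, special, special_char):
    """Render one rwx triple. When the matching setid/sticky bit is set, the
    execute slot shows the special letter: lowercase if execute is also set,
    uppercase if it is not (the ls convention)."""
    r = "r" if digit & 4 else "-"
    w = "w" if digit & 2 else "-"
    if special:
        x = special_char if digit & 1 else special_char.upper()
    else:
        x = "x" if digit & 1 else "-"
    return r + w + x


def render(mode):
    """Nine-character permission string, e.g. 0o4755 -> 'rwsr-xr-x'."""
    setid, owner, group, other = octal_vector(mode)
    return (rwx(owner, setid & 4, "s") +    # setuid marks the owner execute slot
            rwx(group, setid & 2, "s") +    # setgid marks the group execute slot
            rwx(other, setid & 1, "t"))     # sticky marks the other execute slot


def explain_setid(mode, is_dir=False):
    """Which setid bits are set, with the meaning the slides give each one."""
    notes = []
    if mode & stat.S_ISUID:
        notes.append("setuid: process EUID becomes the file owner's UID on exec")
    if mode & stat.S_ISGID:
        notes.append("setgid: process EGID becomes the file's GID on exec")
    if mode & stat.S_ISVTX:
        if is_dir:
            notes.append("sticky: only file owner, directory owner and root may rename/remove entries")
        else:
            notes.append("sticky bit set on a non-directory (meaningful only on directories)")
    return notes


def matches_stdlib(mode):
    """Cross-check against the standard library's renderer (file-type char stripped)."""
    return stat.filemode(stat.S_IFREG | mode)[1:] == render(mode)
```

A quick way to read the output: 'rwsr-xr-x' is the mode of a setuid root binary like the /usr/bin/ping of slide 38, and 'rwxrwxrwt' is the usual mode of a sticky /tmp.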
Slide 37: Example
Figure: a process with RUID 25 runs ...; ...; exec(); on a SetUID program owned by UID 18. The new process has RUID 25, EUID 18, so it can read/write a file with mode -rw-r--r-- owned by 18. It then runs ...; ...; i = getruid(); setuid(i); ...; ...; after which it has RUID 25, EUID 25 and can read/write a file with mode -rw-r--r-- owned by 25.
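An added example (not from the slides) for slides 34, 35 and 37: a small model of the real, effective and saved user IDs, exec of a setuid file, and the seteuid rule exactly as slide 35 states it (real or saved ID always; any ID when EUID is 0). `slide_example` replays the figure above with its UIDs 25 and 18. The Process class, `exec_file`, and the simplified `setuid` and `can_write` are this example's own model, not the kernel's actual logic, which the slides note is more complicated.

```python
"""Model of Unix RUID/EUID/SUID, setuid exec, and the seteuid rule. Added example."""
from dataclasses import dataclass


@dataclass
class Process:
    ruid: int
    euid: int
    suid: int

    def exec_file(self, owner, setuid_bit):
        """exec inherits all three IDs unless the file has the setuid bit, in which
        case the EUID (and the saved ID, so it can be restored later) become the
        file owner's UID."""
        if setuid_bit:
            self.euid = owner
            self.suid = owner
        return self

    def seteuid(self, newid):
        """Slide 35 rule: allowed if newid is the real or saved ID; root (EUID 0)
        may pick any ID. Returns False where the kernel would return EPERM."""
        if self.euid == 0 or newid in (self.ruid, self.suid):
            self.euid = newid
            return True
        return False

    def setuid(self, newid):
        """Simplified setuid: root sets all three IDs (no way back); anyone else
        gets the seteuid behaviour."""
        if self.euid == 0:
            self.ruid = self.euid = self.suid = newid
            return True
        return self.seteuid(newid)


def can_write(proc, file_owner, owner_write=True, other_write=False):
    """Permission is decided by the EUID: owner bits if the EUID owns the file,
    otherwise the 'other' bits (group handling left out of this model).
    Defaults model the slide's -rw-r--r-- files."""
    if proc.euid == 0:
        return True
    return owner_write if proc.euid == file_owner else other_write


def slide_example():
    """Replay the figure: RUID 25 execs a setuid program owned by 18, then drops back."""
    p = Process(ruid=25, euid=25, suid=25).exec_file(owner=18, setuid_bit=True)
    step1 = (p.euid, can_write(p, 18), can_write(p, 25))   # (18, True, False)
    p.setuid(p.ruid)                                       # i = getruid(); setuid(i)
    step2 = (p.euid, can_write(p, 18), can_write(p, 25))   # (25, False, True)
    restored = p.seteuid(18)                               # saved ID still allows it
    return step1, step2, restored, p.euid
```

The last step is the point of the saved ID: a non-root setuid program that drops to its real UID for ordinary work can still return to the file owner's UID, whereas a root process that calls `setuid` to a non-zero ID gives up all three IDs and cannot come back.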
Slide 38: Another example
• Why do we need the setuid bit?
  – Some programs need to do privileged operations on behalf of unprivileged users
    • /usr/bin/ping should be able to create raw sockets (needs root)
    • An unprivileged user should be able to run ping
    • Solution: /usr/bin/ping in Linux is owned by root with the setuid bit set
Slide 39: SetUID for least privilege: OpenSSH (figure only)
Slide 40: Unix summary
• Good things
  – Some protection from most users
  – Flexible enough to make things possible
• Main limitation
  – Too tempting to use root privileges
  – No way to assume some root privileges without all root privileges
Slide 41: Weakness in isolation, privileges
• Network-facing daemons
  – Root processes with network ports open to all remote parties, e.g., sshd, ftpd, sendmail, ...
    • How can you solve this?
• Rootkits
  – System extension via dynamically loaded kernel modules
• Environment variables
  – System variables such as LD_LIBRARY_PATH that are shared state across applications. An attacker can change LD_LIBRARY_PATH to load an attacker-provided file as a dynamic library
Slide 42: Weakness in isolation, privileges
• Shared resources
  – Since any process can create files in the /tmp directory, an untrusted process may create files that are used by arbitrary system processes
• Time-of-Check-to-Time-of-Use (TOCTTOU)
  – Typically, a root process uses a system call to determine if the initiating user has permission to a particular file, e.g. /tmp/X.
  – After access is authorized and before the file is opened, the user may change the file /tmp/X to a symbolic link to a target file, /etc/shadow.
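An added example (not from the slides) showing the defensive side of slide 42: instead of checking a path and then opening it (two operations the user can race), open first with O_NOFOLLOW and run the check on the file descriptor with fstat, so check and use refer to the same object; and, for the shared /tmp case, create files with O_CREAT|O_EXCL so a pre-planted name or link is never silently reused. The function names are this example's own, and the files are constructed in a temporary directory (a stand-in for /tmp/X) so it runs offline as an unprivileged user.

```python
"""Check-then-use done safely: open without following links, then validate the fd.
Added example; files live in a temporary directory standing in for /tmp."""
import os
import stat
import tempfile


class Rejected(Exception):
    pass


def open_owned_regular(path, expected_uid):
    """Open `path` refusing symlinks, then validate the object actually opened via
    fstat. Because the checks run on the fd, swapping the path between the check
    and the use cannot redirect us to another file."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:               # ELOOP when the name is a symlink
        raise Rejected(f"open refused: {e.strerror}") from e
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise Rejected("not a regular file")
        if st.st_uid != expected_uid:
            raise Rejected("unexpected owner")
        return fd
    except Exception:
        os.close(fd)
        raise


def create_private(path):
    """Creation in a shared directory: O_EXCL fails if the name already exists,
    so an attacker-planted file or link under that name is never reused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    os.close(fd)


def demo():
    """Returns (opened_regular_ok, symlink_rejected, preexisting_name_rejected)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        create_private(target)
        link = os.path.join(d, "X")
        os.symlink(target, link)       # the planted /tmp/X -> somewhere-else link
        fd = open_owned_regular(target, os.getuid())
        os.close(fd)
        opened_regular_ok = True
        try:
            open_owned_regular(link, os.getuid())
            symlink_rejected = False
        except Rejected:
            symlink_rejected = True
        try:
            create_private(link)       # name already taken by the planted link
            preexisting_name_rejected = False
        except FileExistsError:
            preexisting_name_rejected = True
    return opened_regular_ok, symlink_rejected, preexisting_name_rejected
```

The same principle generalises: any attribute you need to trust (owner, type, mode) should be read from the descriptor you will use, never from a path that someone else can rebind in between.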
Slide 43: Secure Architecture Principles: Browser Isolation and Least Privilege
Slide 44: Web browser: an analogy

Operating system
• Subject: processes
  – Has a user ID (UID, SID)
  – Discretionary access control
• Objects
  – File
  – Network
  – ...
• Vulnerabilities
  – Untrusted programs
  – Buffer overflow
  – ...

Web browser
• Subject: web content (JavaScript)
  – Has an "origin"
  – Mandatory access control
• Objects
  – Document object model
  – Frames
  – Cookies / localStorage
• Vulnerabilities
  – Cross-site scripting
  – Implementation bugs
  – ...

The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
Slide 45: Components of security policy
• Frame-frame relationships
  – canScript(A, B)
    • Can frame A execute a script that manipulates arbitrary/nontrivial DOM elements of frame B?
  – canNavigate(A, B)
    • Can frame A change the origin of content for frame B?
• Frame-principal relationships
  – readCookie(A, S), writeCookie(A, S)
    • Can frame A read/write cookies from site S?
Slide 46: Chromium Security Architecture
• Browser ("kernel")
  – Full privileges (file system, networking)
• Rendering engine
  – Up to 20 processes
  – Sandboxed
• One process per plugin
  – Full privileges of the browser
Slide 47: Chromium
Figure: communicating sandboxed components.
See: http://dev.chromium.org/developers/design-documents/sandbox/
Slide 48: Design Decisions
• Compatibility
  – Sites rely on the existing browser security policy
  – A browser is only as useful as the sites it can render
  – Rules out more "clean slate" approaches
• Black box
  – Only the renderer may parse HTML, JavaScript, etc.
  – Kernel enforces coarse-grained security policy
  – Renderer enforces finer-grained policy decisions
• Minimize user decisions
Slide 49: Task Allocation (figure only)
Slide 50: Leverage OS Isolation
• Sandbox based on four OS mechanisms
  – A restricted token
  – The Windows job object
  – The Windows desktop object
  – Windows Vista only: integrity levels
• Specifically, the rendering engine
  – adjusts the security token by converting SIDs to DENY_ONLY, adding a restricted SID, and calling AdjustTokenPrivileges
  – runs in a Windows Job Object, restricting the ability to create new processes, read or write the clipboard, ..
  – runs on a separate desktop, mitigating lax security checking of some Windows APIs
See: http://dev.chromium.org/developers/design-documents/sandbox/
Slide 51: Evaluation: CVE count
• Total CVEs:
• Arbitrary code execution vulnerabilities:
(The counts were shown in a figure that did not survive extraction.)
Slide 52: Summary
• Security principles
  – Isolation
  – Principle of Least Privilege
  – Qmail example
• Access control concepts
  – Matrix, ACL, capabilities
• OS mechanisms
  – Unix
    • File system, setuid
  – Windows
    • File system, tokens, EFS
• Browser security architecture
  – Isolation and least privilege example