Post on 29-May-2020
Secure Architecture Principles
• Isolation and Least Privilege
• Access Control Concepts
• Operating Systems
• Browser Isolation and Least Privilege
Original slides were created by Prof. John Mitchell
Secure Architecture Principles
Isolation and Least Privilege
Principles of Secure Design
• Compartmentalization
– Isolation
– Principle of least privilege
• Defense in depth
– Use more than one security mechanism
– Secure the weakest link
– Fail securely
• Keep it simple
Principle of Least Privilege
• What’s a privilege?
– Ability to access or modify a resource
• Assume compartmentalization and isolation
– Separate the system into isolated compartments
– Limit interaction between compartments
• Principle of Least Privilege
– A system module should only have the minimal privileges needed for its intended purposes
Figure: Monolithic design. A single System box sits between Network, User input and File system on one side and Network, User device (or User display) and File system on the other.
Figure: Component design. The same Network, User input, File system, Network, User device (or User display) and File system connections, with the system divided into components.
Example: Mail Agent
• Requirements
– Receive and send email over external network
– Place incoming email into local user inbox files
• Sendmail
– Traditional Unix
– Monolithic design
– Historical source of many vulnerabilities
• Qmail
– Compartmentalized design
OS Basics (before examples)
• Isolation between processes
– Each process has a UID
• Two processes with same UID have same permissions
– A process may access files, network sockets, …
• Permission granted according to UID
• Relation to previous terminology
– Compartment defined by UID
– Privileges defined by actions allowed on system resources
Qmail design
• Isolation based on OS isolation
– Separate modules run as separate “users”
– Each user only has access to specific resources
• Least privilege
– Minimal privileges for each UID
– Only one “setuid” program
• setuid allows a program to run as different users
– Only one “root” program
• root program has all privileges
Figure: Structure of qmail. qmail-smtpd (incoming external mail) and qmail-inject (incoming internal mail) hand messages to qmail-queue; qmail-send takes them from the queue and dispatches local mail through qmail-lspawn to qmail-local and remote mail through qmail-rspawn to qmail-remote.
Figure: Isolation by Unix UIDs. qmail-smtpd runs as the qmaild user, qmail-inject as the invoking user, qmail-queue is setuid qmailq, qmail-send runs as qmails, qmail-rspawn and qmail-remote as qmailr, qmail-lspawn as root, and qmail-local as the receiving user.
qmailq – user who is allowed to read/write mail queue
Android process isolation
• Android application sandbox
– Isolation: Each application runs with its own UID in own VM
• Provides memory protection
• Communication limited to using Unix domain sockets
• Only ping, zygote (spawn another process) run as root
– Interaction: reference monitor checks permissions on inter-component communication
– Least Privilege: Applications announce permissions
• User grants access at install time
Secure Architecture Principles
Access Control Concepts
Access control
• Assumptions
– System knows who the user is
• Authentication via name and password, other credential
– Access requests pass through gatekeeper (reference monitor)
• System must not allow monitor to be bypassed
Figure: User process → access request → Reference monitor (decides “?” against the policy) → Resource
Access control matrix [Lampson]
Rows: subjects (users). Columns: objects (files).
             File 1   File 2   File 3   …       File n
User 1       read     write    -        -       read
User 2       write    write    write    -       -
User 3       -        -        -        read    read
…
User m       read     write    read     write   read
Implementation concepts
• Access control list (ACL)
– Store column of matrix with the resource
• Capability
– User holds a “ticket” for each resource
– Two variations
• store row of matrix with user, under OS control
• unforgeable ticket in user space
             File 1   File 2   …
User 1       read     write    -
User 2       write    write    -
User 3       -        -        read
…
User m       read     write    write
Access control lists are widely used, often with groups. Some aspects of the capability concept are used in many systems.
ACL vs Capabilities
• Access control list
– Associate list with each object
– Check user/group against list
– Relies on authentication: need to know user
• Capabilities
– Capability is unforgeable ticket
• Random bit sequence, or managed by OS
• Can be passed from one process to another
– Reference monitor checks ticket
• Does not need to know identity of user/process
ACL vs Capabilities
Figure: with ACLs, Process P, Process Q and Process R all present the same identity, User U, and are checked against each object’s list; with capabilities, Process P holds capabilities c, d, e, Process Q holds c, e, and Process R holds c.
ACL vs Capabilities
• Delegation
– Cap: Process can pass capability at run time
– ACL: Try to get owner to add permission to list?
• More common: let other process act under current user
• Revocation
– ACL: Remove user or group from list
– Cap: Try to get capability back from process?
• Possible in some systems if appropriate bookkeeping
– OS knows which data is capability
– If capability is used for multiple resources, have to revoke all or none …
• Indirection: capability points to pointer to resource
– If C → P → R, then revoke capability C by setting P = 0
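As an added example (my own C sketch, not from the slides), the capability scheme with the C → P → R indirection just described: tickets point at an OS-owned slot P rather than at the resource R, delegation copies the ticket without amplifying rights, and revocation is the single assignment P = 0 that invalidates every outstanding copy. The struct and function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>

enum { RIGHT_READ = 1, RIGHT_WRITE = 2 };

/* R: the protected resource; counters show which uses got through. */
struct resource { const char *name; int reads, writes; };

/* P: an indirection slot owned by the OS. Tickets point here, never at R,
 * which is what makes "revoke all copies at once" possible. */
struct cap_slot { struct resource *res; };

/* C: the ticket a process holds. In a real OS this lives in kernel memory
 * (or is a random bit string) so user code cannot forge it; here the
 * unforgeability is only modelled. */
struct capability { struct cap_slot *slot; unsigned rights; };

/* Owner grants access to R by allocating a fresh slot P for it. */
struct cap_slot grant(struct resource *r) { return (struct cap_slot){ r }; }

struct capability mint(struct cap_slot *p, unsigned rights)
{
    return (struct capability){ p, rights };
}

/* Delegation at run time: the holder passes a copy of its ticket to another
 * process. The copy may carry fewer rights, never more. */
bool delegate(const struct capability *from, struct capability *to,
              unsigned rights)
{
    if ((rights & ~from->rights) != 0)
        return false;                  /* attempted rights amplification */
    *to = mint(from->slot, rights);
    return true;
}

/* Reference monitor: checks the ticket only; it never asks who the caller is.
 * Follows C -> P -> R and fails if P has been cleared. */
bool cap_use(const struct capability *c, unsigned right)
{
    struct resource *r = c->slot->res;
    if (r == NULL || (c->rights & right) != right)
        return false;
    if (right == RIGHT_READ) r->reads++; else r->writes++;
    return true;
}

/* Revocation: set P = 0. Every copy of C, wherever it was passed, now fails,
 * and the owner never has to track who holds one. */
void revoke(struct cap_slot *p) { p->res = NULL; }
```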
Roles (aka Groups)
• Role = set of users
– Administrator, Power User, User, Guest
– Assign permissions to roles; each user gets permission
• Role hierarchy
– Partial order of roles
– Each role gets permissions of roles below
– List only new permissions given to each role
Figure: role hierarchy, with Administrator at the top, then Power User, User, and Guest at the bottom.
Role-Based Access Control
Figure: Individuals → Roles → Resources, with the roles engineering, marketing and human res mapped onto Server 1, Server 2 and Server 3.
Advantage: users change more frequently than roles
Access control summary
• Access control involves reference monitor
– Check permissions: 〈user info, action〉 → yes/no
– Important: no way around this check
• Access control matrix
– Access control lists vs capabilities
– Advantages and disadvantages of each
• Role-based access control
– Use group as “user info”; use group hierarchies
Secure Architecture Principles
Operating Systems
Unix access control
• Process has user id
– Inherit from creating process
– Process can change id
• Restricted set of options
– Special “root” id
• All access allowed
• File has access control list (ACL)
– Grants permission to user ids
– Owner, group, other
Figure: the access control matrix again (File 1, File 2, … against User 1 … User m); each file’s column is its ACL.
Unix file access control list
• Each file has owner and group
• Permissions set by owner
– Read, write, execute
– Owner, group, other
– Represented by vector of four octal values
• Only owner, root can change permissions
– This privilege cannot be delegated or shared
• Setid bits – Discuss in a few slides
  setid   rwx    rwx    rwx
   -      ownr   grp    othr
Process effective user id (EUID)
• Each process has three IDs (+ more under Linux)
– Real user ID (RUID)
• same as the user ID of parent (unless changed)
• used to determine which user started the process
– Effective user ID (EUID)
• from set user ID bit on the file being executed, or sys call
• determines the permissions for process
– file access and port binding
– Saved user ID (SUID)
• So previous EUID can be restored
• Real group ID, effective group ID, used similarly
Process Operations and IDs
• Root
– ID = 0 for superuser root; can access any file
• Fork and Exec
– Inherit three IDs, except exec of file with setuid bit
• Setuid system call
– seteuid(newid) can set EUID to
• Real ID or saved ID, regardless of current EUID
• Any ID, if EUID = 0
• Details are actually more complicated
– Several different calls: setuid, seteuid, setreuid
Setid bits on executable Unix file
• Three setid bits
– Setuid – set EUID of process to ID of file owner
– Setgid – set EGID of process to GID of file
– Sticky
• Off: if user has write permission on directory, can rename or remove files, even if not owner
• On: only file owner, directory owner, and root can rename or remove file in the directory
Example
Figure: a process with RUID 25 runs …; …; exec(); on a SetUID program whose owner is 18. The new process has RUID 25, EUID 18 and can read/write the -rw-r--r-- file owned by 18. After …; …; i = getruid(); setuid(i); …; …; it has RUID 25, EUID 25 and can read/write the -rw-r--r-- file owned by 25.
Another example
• Why do we need the setuid bit?
– Some programs need to do privileged operations on behalf of unprivileged users
• /usr/bin/ping should be able to create raw sockets (needs root)
• An unprivileged user should be able to run ping
• Solution: /usr/bin/ping in Linux is owned by root with setuid bit set
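As an added example (my own C code, not the slides' and not ping's source), the two ways a setuid-root program like ping uses the RUID/EUID/SUID triple: temporarily acting as the invoking user with seteuid() and then restoring the saved ID, and permanently dropping to that user once the privileged step is done, with a check that root really cannot be regained. Run as an ordinary user all three IDs are already equal and every call is an allowed no-op, so the code exercises without root.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporarily act as `user` (seteuid may move EUID to the real or saved ID,
 * or to any ID when EUID == 0), run work() with that user's permissions,
 * then restore the saved EUID. Returns work()'s result, or -1 on failure. */
int run_as_user(uid_t user, int (*work)(void))
{
    uid_t saved = geteuid();
    if (seteuid(user) != 0)
        return -1;
    int rc = work();
    if (seteuid(saved) != 0)
        return -1;                     /* could not regain: report, do not carry on */
    return rc;
}

/* Permanently drop to uid/gid, as a setuid-root tool can once its privileged
 * step (ping's raw socket) is done. Order matters: supplementary groups and
 * gid first, because after setuid() the process may no longer be allowed to
 * change them. As root, setuid() sets RUID, EUID and SUID together, so there
 * is no way back. Returns 0 on a verified drop, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Fail securely: verify the drop instead of trusting the return codes. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;                     /* root is still reachable */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Sample work function for run_as_user: records which EUID it ran under. */
static uid_t observed_euid;
static int record_euid(void) { observed_euid = geteuid(); return 0; }
```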
SetUID for least privilege: OpenSSH
Unix summary
• Good things
– Some protection from most users
– Flexible enough to make things possible
• Main limitation
– Too tempting to use root privileges
– No way to assume some root privileges without all root privileges
Weakness in isolation, privileges
• Network-facing Daemons
– Root processes with network ports open to all remote parties, e.g., sshd, ftpd, sendmail, …
• How can you solve this?
• Rootkits
– System extension via dynamically loaded kernel modules
• Environment Variables
– System variables such as LD_LIBRARY_PATH that are shared state across applications. An attacker can change LD_LIBRARY_PATH to load an attacker-provided file as a dynamic library
Weakness in isolation, privileges
• Shared Resources
– Since any process can create files in /tmp directory, an untrusted process may create files that are used by arbitrary system processes
• Time-of-Check-to-Time-of-Use (TOCTTOU)
– Typically, a root process uses system call to determine if initiating user has permission to a particular file, e.g. /tmp/X.
– After access is authorized and before the file open, user may change the file /tmp/X to a symbolic link to a target file /etc/shadow.
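As an added example (my own C code, not the slides'), the Unix owner/group/other check from the file ACL slide, applied the way that closes the TOCTTOU window described above: the root process opens the path first, refusing to follow a symbolic link, and evaluates the user's permission against the file it actually opened (fstat on the descriptor) rather than against a name the user can repoint at /etc/shadow in between. Function names are my own; supplementary groups are left out of the check.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>     /* mkstemp, for exercising open_as_user on a temp file */
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The Unix ACL as the slides describe it: three rwx triples selected by
 * class. The owner class decides whenever uid matches, even if the group
 * or other bits would grant more; uid 0 passes everything (the slide's
 * "root: all access allowed"). want is an R_OK/W_OK/X_OK mask. */
bool unix_allowed(mode_t mode, uid_t owner, gid_t group,
                  uid_t uid, gid_t gid, int want)
{
    if (uid == 0)
        return true;
    unsigned bits = (uid == owner) ? (mode >> 6) & 7
                  : (gid == group) ? (mode >> 3) & 7
                  :                  mode & 7;
    unsigned need = ((want & R_OK) ? 4 : 0) | ((want & W_OK) ? 2 : 0)
                  | ((want & X_OK) ? 1 : 0);
    return (bits & need) == need;
}

/* The vulnerable shape from the slide is access(path, want) followed by
 * open(path): the two calls name the file twice, and /tmp/X can become a
 * symlink to /etc/shadow in between. This version names it once: open
 * (never following a final symlink), then check the object the descriptor
 * refers to. The file opened is exactly the file checked. */
int open_as_user(const char *path, int want, uid_t uid, gid_t gid)
{
    int flags = (want & W_OK) ? O_RDWR : O_RDONLY;
    int fd = open(path, flags | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;                     /* ELOOP when path was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !unix_allowed(st.st_mode, st.st_uid, st.st_gid, uid, gid, want)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}
```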
Secure Architecture Principles
Browser Isolation and Least Privilege
Web browser: an analogy
Operating system
• Subject: Processes
– Has User ID (UID, SID)
– Discretionary access control
• Objects
– File
– Network
– …
• Vulnerabilities
– Untrusted programs
– Buffer overflow
– …
Web browser
• Subject: web content (JavaScript)
– Has “Origin”
– Mandatory access control
• Objects
– Document object model
– Frames
– Cookies / localStorage
• Vulnerabilities
– Cross-site scripting
– Implementation bugs
– …
The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
Components of security policy
• Frame-Frame relationships
– canScript(A,B)
• Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
– canNavigate(A,B)
• Can Frame A change the origin of content for Frame B?
• Frame-principal relationships
– readCookie(A,S), writeCookie(A,S)
• Can Frame A read/write cookies from site S?
Chromium Security Architecture
• Browser ("kernel")
– Full privileges (file system, networking)
• Rendering engine
– Up to 20 processes
– Sandboxed
• One process per plugin
– Full privileges of browser
Chromium
Figure: Communicating sandboxed components
See: http://dev.chromium.org/developers/design-documents/sandbox/
Design Decisions
• Compatibility
– Sites rely on the existing browser security policy
– Browser is only as useful as the sites it can render
– Rules out more “clean slate” approaches
• Black Box
– Only renderer may parse HTML, JavaScript, etc.
– Kernel enforces coarse-grained security policy
– Renderer enforces finer-grained policy decisions
• Minimize User Decisions
Task Allocation
Leverage OS Isolation
• Sandbox based on four OS mechanisms
– A restricted token
– The Windows job object
– The Windows desktop object
– Windows Vista only: integrity levels
• Specifically, the rendering engine
– adjusts security token by converting SIDs to DENY_ONLY, adding restricted SID, and calling AdjustTokenPrivileges
– runs in a Windows Job Object, restricting ability to create new processes, read or write clipboard, …
– runs on a separate desktop, mitigating lax security checking of some Windows APIs
See: http://dev.chromium.org/developers/design-documents/sandbox/
Evaluation: CVE count
• Total CVEs:
• Arbitrary code execution vulnerabilities:
Summary
• Security principles
– Isolation
– Principle of Least Privilege
– Qmail example
• Access Control Concepts
– Matrix, ACL, Capabilities
• OS Mechanisms
– Unix
• File system, Setuid
– Windows
• File system, Tokens, EFS
• Browser security architecture
– Isolation and least privilege example