Chapter 5a: Operating Systems Security (Stallings chapters 4, 10, 23, 24)


Protecting Hardware / System Resources

- Hardware: Memory, CPU, I/O
- System
- Identity (Authentication)
- Processes and address spaces
- Files
- Network (penetration, messages)
- Databases, Web sites

Hardware security

- The lowest and most basic level
- Affects all other levels
- Without minimal support, no security is possible

04/21/23 Prof. Ehud Gudes Security

Protecting Memory

- Base and Bound Registers
- Segmented memory
- Protection keys
- Virtual (Paged) memory
- Segmented and Paged Virtual memory
- Tagged architecture (capabilities)

Memory Protection (basic)

Figure: Base and Limit registers together with a Mode Bit (0 = user); only supervisor mode can load the B / L registers.

Was also used in Intel 808X

Protection Keys (IBM 360 - History)

- PSW had a 4-bit protection key
- Each memory partition had a 4-bit protection key (total 16 possible partitions)
- To access: PSW key = Memory key
- Key 0 (OS) can access a partition with any other key!

Memory Protection - Paging

- Memory protection implemented by associating a protection bit with each frame.
- Valid-invalid bit attached to each entry in the page table:
  - "valid" indicates that the associated page is in the process' logical address space, and is thus a legal page.
  - "invalid" indicates that the page is not in the process' logical address space.
- Different than in/out of memory!

Address Translation Architecture (figure)

Valid (v) or Invalid (i) Bit In A Page Table (figure)

Segmentation

- One-dimensional address space with growing tables
- One table may bump into another

Segmentation cont.

- Allows each table to grow or shrink, independently

Segmentation – primitive form – Intel 286 (old PC)

- Data segment and Code segment
- Fixed size – 64K each

Implementation of Pure Segmentation

Figure: (a)-(d) Development of checkerboarding; (e) Removal of the checkerboarding by compaction

Segmentation Architecture (Cont.)

- Protection. With each entry in the segment table associate:
  - validation bit = 0 means illegal segment
  - read/write/execute privileges
- Protection bits associated with segments; code sharing occurs at segment level.
- Since segments vary in length, memory allocation is a dynamic storage-allocation problem.
- A segmentation example is shown in the following diagram

Example of Segmentation (figure)

Segmentation vs. Paging

Comparison of paging and segmentation (figure)

Segmentation with Paging: MULTICS (1)

- Descriptor segment points to page tables
- Segment descriptor – numbers are field lengths (figure)

Segmentation with Paging: MULTICS (2)

A 34-bit MULTICS virtual address (figure; the segment number field indexes into the Descriptor Segment)

Segmentation with Paging: MULTICS (3)

Conversion of a 2-part MULTICS address into a main memory address (figure)

Segmentation with Paging: MULTICS (4)

- Simplified version of the MULTICS TLB (figure)
- Existence of 2 page sizes makes the actual TLB more complicated

Paged segmentation on the INTEL 80386

- 16k segments, each up to 1G (32-bit words)
- 2 types of segment descriptors: Local Descriptor Table (LDT), one for each process; Global Descriptor Table (GDT) for the system etc.
- Access by loading a 16-bit selector into one of the 6 segment registers: CS, DS, SS, ... (the register holds the 16-bit selector during run time; 0 means not-in-use)
- Selector points to a segment descriptor (8 bytes)

Selector layout (16 bits):

  Index (13 bits) | 0 = GDT / 1 = LDT (1 bit) | Privilege level 0-3 (2 bits)
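As an added example (not from the slides), the Python below decodes a 16-bit selector into the three fields shown above and emulates what happens when it is loaded: table lookup, privilege check and limit check. The GDT/LDT contents are constructed, and the privilege rule max(CPL, RPL) <= DPL is the 80386 rule for data segments, assumed here for every segment.

```python
# Added example: decode an 80386 segment selector (13-bit index, 1-bit table
# indicator, 2-bit privilege level) and emulate loading it into a segment
# register. The descriptor tables below are constructed toy data.

DESCRIPTOR_SIZE = 8  # bytes per segment descriptor, as on the slide


class ProtectionFault(Exception):
    """Privilege check failed (general protection fault)."""


class SegmentFault(Exception):
    """Offset outside the segment limit or selector outside the table."""


def decode_selector(selector: int) -> dict:
    """Split a 16-bit selector into index, table indicator and RPL."""
    if not 0 <= selector <= 0xFFFF:
        raise ValueError("selector must fit in 16 bits")
    index = selector >> 3
    return {
        "index": index,                                   # bits 15..3
        "table": "LDT" if selector & 0b100 else "GDT",    # bit 2 (TI)
        "rpl": selector & 0b11,                           # bits 1..0
        "null": selector == 0,                            # 0 = not in use
        "byte_offset": index * DESCRIPTOR_SIZE,           # where the descriptor sits
    }


# Constructed descriptor tables: index -> (base, limit, DPL). Lower DPL = more
# privileged, so GDT[1] is a kernel segment and GDT[2] a user segment.
GDT = {1: (0x00000000, 0x3FFFFFFF, 0), 2: (0x00400000, 0x000FFFFF, 3)}
LDT = {1: (0x08000000, 0x0000FFFF, 3)}


def load_segment(selector: int, cpl: int, gdt=GDT, ldt=LDT) -> tuple:
    """Return (base, limit) for the selector, or raise on a protection error.

    The assumed check is the 80386 data-segment rule: the load is allowed only
    if max(CPL, RPL) <= DPL, so neither the running code nor the requestor's
    stated privilege may be less privileged than the descriptor permits.
    """
    s = decode_selector(selector)
    if s["null"]:
        raise SegmentFault("null selector: segment not in use")
    table = ldt if s["table"] == "LDT" else gdt
    if s["index"] not in table:
        raise SegmentFault("index %d beyond %s limit" % (s["index"], s["table"]))
    base, limit, dpl = table[s["index"]]
    if max(cpl, s["rpl"]) > dpl:
        raise ProtectionFault("CPL=%d RPL=%d > DPL=%d" % (cpl, s["rpl"], dpl))
    return base, limit


def linear_address(selector: int, offset: int, cpl: int) -> int:
    """(selector, offset) -> linear address, with the limit check applied."""
    base, limit = load_segment(selector, cpl)
    if offset > limit:
        raise SegmentFault("offset %#x exceeds limit %#x" % (offset, limit))
    return base + offset


if __name__ == "__main__":
    # Ring-3 code using its own user data segment (selector 0x0013: index 2, GDT, RPL 3).
    print(hex(linear_address(0x0013, 0x10, cpl=3)))
```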

Segmentation with Paging: Pentium (3)

Conversion of a (selector, offset) pair to a linear address (figure)

Segmentation with Paging: Pentium (4)

Mapping of a linear address onto a physical address (figure)

Intel 80386 Address Translation (figure)

Protecting CPU/Processes

- User vs. Kernel (supervisor) mode
- Amplification – System calls (Trap, SVC)
- Protection rings

User / Supervisor Mode

- Supervisor mode can execute all the instructions
- One must trust the supervisor
- User mode can execute non-privileged instructions only

Figure: the instruction set split into Instructions and Privileged Instructions, with SVC as the path from user mode into supervisor mode.


Basic policies

Isolation—a process must be protected from other processes.

Controlled sharing—processes must be able to share resources in a controlled way.

Execution states or modes

At least two modes of operation are needed to have any security.

Most hardware architectures use a supervisor and a user mode. In user mode some instructions, called privileged instructions, cannot be executed directly. In supervisor mode all the instructions can be executed. The state of a process is kept in a Program Status Word.

How the mode is switched

- A supervisor/kernel call (trap) switches to an address in the OS address space with the new mode (this is called: Amplification)
- The old address and old mode are saved (e.g. in the OLD PSW)
- When returning, the old address and mode are restored (note: different from a procedure call because of the mode switch)

Memory protection vs. CPU protection

Both are mutually dependent!
- Without CPU protection, anyone can change keys/bound registers!
- Without memory protection, anyone can change the old PSW and set it to Supervisor mode!

Both are needed!


Protection rings

Some architectures define in their hardware a set of rings (4 to 32) that correspond to domains of execution with hierarchical levels of trust. Rings are a generalization of the concept of mode of operation.

Crossing of rings is done through gates that check the rights of the crossing process. A process calling a segment in a higher ring must go through a gate.

Rings in Multics

Figure: rings r0 ... r7, with the access brackets of a segment marked W, R, Ex and C.

Legend:
- W – Write
- R – Read
- Ex – Execute
- C – Call
- r – ring

Figure: four rings, 0 to 3.

- 0 = kernel
- 1 = OS functions
- 2 = safe applications
- 3 = untrusted applications

- Calls upward (higher privilege)
- Data access toward less privilege
- Gate crossings - Protected entry points

Protection rings on Intel Pentium

Protection on the Pentium (figure; privilege levels)

Protecting I/O

- I/O privileged instructions
- Interrupt vector in protected area
- Open file table in protected area
- Open requires a system call
- Example for combined Memory/CPU protection

Security in Multics - Summary

- Files on disk – Access Control lists
- Files equal segments in Virtual memory!
- When a segment is called, the file is opened and the ACL checked. Then a segment descriptor is created and protection is via the descriptor.
- Process protection using protection rings.
- Process control and amplification using Gates.

Access Matrix Model

- View protection as a matrix (access matrix)
- Rows represent domains (or Subjects) – a subject may be a user, a process, a role, an IP, etc. A Domain is a subject in some context.
- Columns represent objects to which access is required
- Access(i, j) is the set of operations that a subject executing in Domain i can invoke on Object j

What's the Difference Between a Subject and a Domain

A subject is usually a process. During its life-time, a subject may acquire rights or lose them. At a particular point in time, a subject has a given set of rights: that's a domain!

Access Matrix (Figure A)

Access Matrix of Figure A With Domains as Objects (Figure B)

Use of Access Matrix

- If a process in Domain Di tries to do "op" on object Oj, then "op" must be in the access matrix.
- Can be expanded to dynamic protection.
- Operations to add, delete access rights.
- Special access rights:
  - owner of Oi
  - copy op from Oi to Oj
  - control – Di can modify Dj access rights
  - transfer – switch from domain Di to Dj

Reminder - the HRU model

Implementation of Access Matrix – Capabilities and Access-control lists

- Representation by row – each subject (domain) with the objects it can access – Capability list
- Representation by column – each object with the list of subjects that can access it (and which type of access) – Access control list (ACL)

Implementation of Access Matrix

- Each column = Access-control list for one object. Defines who can perform what operation.
  - For File F1: Domain 4 = Read, Write; Domain 1 = Read
  - For File F2: Domain 2 = Read
- Each row = Capability List (like a set of keys). For each domain, what operations are allowed on what objects.
  - For Domain 1: File 1 – Read, File 3 – Read
  - For Domain 3: File 2 – Read, File 3 – Execute
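The two slicings of the matrix, as an added example that is not part of the slides: the matrix cells are the ones listed above, and the ACL and capability-list views are built from them so the same question ("may Domain 4 write File 1?") can be asked of either side; the object-deletion helper shows why revocation costs differ between the two (slide 59).

```python
# Added example: one access matrix, sliced by column (ACL per object) and by
# row (capability list per domain). Cells are the ones named on the slide;
# the helper functions are constructed for illustration.

from collections import defaultdict

# (domain, object) -> set of operations. Cells not listed are empty.
ACCESS_MATRIX = {
    ("Domain 1", "File 1"): {"Read"},
    ("Domain 1", "File 3"): {"Read"},
    ("Domain 2", "File 2"): {"Read"},
    ("Domain 3", "File 2"): {"Read"},
    ("Domain 3", "File 3"): {"Execute"},
    ("Domain 4", "File 1"): {"Read", "Write"},
}


def acl_view(matrix):
    """Column slice: object -> {domain: ops}. Stored with the object."""
    acl = defaultdict(dict)
    for (dom, obj), ops in matrix.items():
        acl[obj][dom] = set(ops)
    return dict(acl)


def clist_view(matrix):
    """Row slice: domain -> {object: ops}. Stored with the subject (its keys)."""
    clist = defaultdict(dict)
    for (dom, obj), ops in matrix.items():
        clist[dom][obj] = set(ops)
    return dict(clist)


def acl_check(acl, obj, dom, op):
    """Object-side decision: is the domain on the object's ACL with this op?"""
    return op in acl.get(obj, {}).get(dom, set())


def clist_check(clist, dom, obj, op):
    """Subject-side decision: does the domain hold a capability (obj, op)?"""
    return op in clist.get(dom, {}).get(obj, set())


def revoke_object(acl, clist, obj):
    """Delete an object from both views.

    On the ACL side this is one dictionary entry. On the capability side every
    c-list has to be searched for tickets naming the object, which is the
    revocation cost the later slides attribute to capabilities.
    Returns the number of c-lists that had to be modified.
    """
    acl.pop(obj, None)
    touched = 0
    for caps in clist.values():
        if obj in caps:
            del caps[obj]
            touched += 1
    return touched


if __name__ == "__main__":
    acl, clist = acl_view(ACCESS_MATRIX), clist_view(ACCESS_MATRIX)
    print("ACL says Domain 4 may write File 1:", acl_check(acl, "File 1", "Domain 4", "Write"))
    print("C-list says Domain 3 may execute File 3:", clist_check(clist, "Domain 3", "File 3", "Execute"))
    print("c-lists touched when deleting File 3:", revoke_object(acl, clist, "File 3"))
```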


Access Control Lists (1)

In Unix - the (abstract) ACL is in the Inode

Access Control Lists (2)

Two access control lists (figure)

Capabilities (1)

Each process has a capability list (figure)

Implementing Access Matrix - Capability Lists

- "Slicing" the protection matrix by rows
- Users and processes have capability lists, which are lists of permissions for each object appearing in a domain - c-lists.
- Hard to revoke access to objects, have to be found in
- Capabilities are "special" objects - a ticket, never accessible to user space objects - better protection. To get access a process must present the "ticket"!
- Generic operations on c-lists:
  - Copy capability (from one object to another)
  - Copy Object (with capability)
  - Remove capability (an entry of the c-list)

Descriptors

- Descriptors are similar to capabilities but are used mainly for accessing memory.
- Because the descriptors are used for addressing they are handled by the memory allocation unit of the OS, and we now need to trust that unit.
- Descriptors and capabilities can be seen as embodiments of rows of the access matrix

Using Capabilities for Addressing - Descriptors

Figure: an instruction address is a (cap, offset) pair. Capability C_i holds Rights (R W X) and the Object name X. The Descriptor Table entry for X holds the object's Length L and Base B, so the access lands in memory between B and B+L.

The instruction contains a pointer to a capability instead of a segment address

Sharing Using Capabilities

Figure: the C-lists of processes P1 and P2 hold RW or R capabilities to the directories D, D1, D2, D3, D11, D12, D31 and, through them, to the files F1 to F6; a file reachable from both C-lists is shared, with each process limited to the rights in its own capability.

Capability-Based Systems

Hydra
- Fixed set of access rights known to and interpreted by the system.
- Interpretation of user-defined rights performed solely by the user's program; the system provides access protection for the use of these rights.

Cambridge CAP System
- Data capability - provides standard read, write, execute of individual storage segments associated with an object.
- Software capability - interpretation left to the subsystem, through its protected procedures.

Capabilities - Protection of

- In system area – need a system call for every access?
- Cryptographically-protected capability, fields: Server | Object | Rights | f(Object, Rights, Check)

Generic Rights
1. Copy capability
2. Copy object
3. Remove capability
4. Destroy object
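An added example (not from the slides) of the cryptographically-protected capability above: the ticket is the tuple (Server, Object, Rights, check) and the check field is f(Object, Rights, secret) computed by the server, so a holder can present or weaken a ticket but cannot forge one with more rights. The choice of HMAC-SHA256 as f, the rights encoding and the server name are assumptions of the example.

```python
# Added example: a user-space capability (server, object, rights, check) whose
# check field is an HMAC over (object, rights) under a secret only the server
# knows. The holder keeps the ticket; the server re-derives the check on use.

import hashlib
import hmac
import secrets
from collections import namedtuple

Capability = namedtuple("Capability", "server object rights check")

# Rights bits (constructed encoding): generic rights 1-4 on the slide map to
# "copy capability" = restrict, "copy object" = create, "remove" and "destroy".
RIGHTS = {"read": 0b001, "write": 0b010, "destroy": 0b100}


class CapabilityServer:
    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.token_bytes(32)   # never leaves the server
        self._objects = {}                       # object id -> data

    def _f(self, obj: int, rights: int) -> bytes:
        """The check field: f(object, rights, secret)."""
        return hmac.new(self._secret, b"%d:%d" % (obj, rights), hashlib.sha256).digest()

    def create(self, data) -> Capability:
        """Copy object / create: returns an owner ticket with all rights."""
        obj = len(self._objects) + 1
        self._objects[obj] = data
        rights = sum(RIGHTS.values())
        return Capability(self.name, obj, rights, self._f(obj, rights))

    def verify(self, cap: Capability, want: str) -> bool:
        """Recompute the check; a forged rights field produces a mismatch."""
        if cap.server != self.name or cap.object not in self._objects:
            return False
        if not hmac.compare_digest(cap.check, self._f(cap.object, cap.rights)):
            return False
        return bool(cap.rights & RIGHTS[want])

    def restrict(self, cap: Capability, keep: str) -> Capability:
        """Remove capability rights: a valid ticket may be weakened, never strengthened."""
        if not self.verify(cap, keep):
            raise PermissionError("presented capability is invalid or lacks that right")
        rights = cap.rights & RIGHTS[keep]
        return Capability(self.name, cap.object, rights, self._f(cap.object, rights))

    def read(self, cap: Capability):
        if not self.verify(cap, "read"):
            raise PermissionError("ticket rejected")
        return self._objects[cap.object]

    def destroy(self, cap: Capability) -> None:
        """Destroy object: afterwards every ticket for it fails verification."""
        if not self.verify(cap, "destroy"):
            raise PermissionError("ticket rejected")
        del self._objects[cap.object]


if __name__ == "__main__":
    srv = CapabilityServer("fileserver")
    owner = srv.create("payroll data")
    read_only = srv.restrict(owner, "read")
    print(srv.read(read_only))
    forged = read_only._replace(rights=owner.rights)  # holder edits the rights field
    print("forged ticket accepted:", srv.verify(forged, "destroy"))
```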

Capabilities – Amplification: Domain Switch with Protected Entry Points

Figure: the C-list of the calling Domain holds (Rights, Object) pairs RE on the calling procedure, R on its data segment and Ent (enter) on the called procedure; the C-list of the called Domain holds RE on the called procedure and RW on its data segment. The call enters through the protected entry point and the return switches back to the calling C-list.

Capabilities – Amplification: Abstract Data Type and Rights Amplification

Figure, before call: the calling C-list holds RE on the calling procedure, Ent on the Pop procedure and the abstract rights Pop, Push, empty on Stack S; the C-list for the Pop procedure holds RE on the Pop procedure and an amplification template RW.

Figure, after call: the C-list for the activation of Pop holds RE on the Pop procedure and the amplified right RW on Stack S.

Capabilities – Amplification: Abstract Data Type and Rights Amplification

What is the difference with OO?
1) Historically much earlier
2) Implemented at a much lower level (Hardware vs. Compiler)

Capabilities – Revocation: Revocation of Rights with Indirection

Figure: the owner's capability C refers (RW) directly to object X; the user's capability C' refers (RW) to X', an indirect entry in the Descriptor Table that points to X. Revoke: the X' entry is deleted.

Capabilities – Revocation: Revocation of Rights with Indirect Capability in SWARD

Figure: the owner's capability C refers (RW) to object X in the Descriptor Table; the user holds an indirect capability I (RW) that goes through the entry X'. Also X' entry is deleted but its indirect capability

ACLs and Capabilities

- ACLs need not be in memory, checked at the time of first access (disadv). C-lists need to be in memory (assigned at process creation – adv)
- ACL is checked only at first access (open). Capability is checked for every access (ticket for addressing). But finer granularity!
- Security / performance tradeoff!
- Capabilities enable easy granting/copying amplification. No simple analog in ACLs (setUid?)

ACLs and Capabilities, cont.

- ACLs are more convenient for Object changes (deleting objects, creating objects, changing access to objects). Capabilities are more convenient for User changes (user deletion)
- Revocation of ACLs is easy. Revocation of capabilities is hard
- Capabilities can be used to control Mobile code


An example for Access matrix implementation - File System Security in Unix

Octal Representation of Access Permissions

4000  Set user ID on execution (see below)
2000  Set group ID on execution (see below)
1000  Set sticky bit (see below)
0400  Read by owner
0200  Write by owner
0100  Execute by owner
0040  Read by group
0020  Write by group
0010  Execute by group
0004  Read by other
0002  Write by other
0001  Execute by other

UNIX File Access Control (figure)

Protection of Files and Directories – Unix

              Read         Write                  Execute
Files         can read     can write, truncate    can execute
Directories   can do ls    can create, delete     can pass through

File System security - Unix

- Ownership – Umask, Chown (problem with Setuid)
- Link (hard or soft) and sticky bit
- Amplification – SetUid, SetGId

UNIX File Access Control

- "set user ID" (SetUID) or "set group ID" (SetGID): the system temporarily uses the rights of the file owner / group in addition to the real user's rights when making access control decisions
- enables privileged programs to access files / resources not generally accessible
- sticky bit on a directory limits rename/move/delete to the owner
- superuser is exempt from the usual access control restrictions

Unix – Example for SetUid

1. $ chmod +r grades
   $ ls -l *grades
   -rw-r--r-- 1 pat CS440 514 Apr 5 18:26 grades
   -rwx--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades

2. $ chmod u+s prgrades          Turn on SUID permission
   $ ls -l prgrades
   -rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades
   $

3. $ chmod 600 grades            Just give read/write to owner
   $ ls -l *grades
   -rw------- 1 pat CS440 514 Apr 5 18:26 grades
   -rws--x--x 1 pat CS440 1725 Apr 2 10:26 prgrades
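As an added example (not from the slides), the Python below renders an octal mode the way ls -l prints it, including the s and t bits from the octal table above, and replays the decision behind step 3: a student cannot read the 0600 file grades directly, but after exec of the setuid program prgrades the effective uid is pat's and the read is allowed. The numeric uids/gids for pat, CS440 and the student are constructed.

```python
# Added example: ls -l style rendering of an octal mode plus the classic
# owner/group/other access decision, with setuid amplification on exec.
# Numeric ids are constructed placeholders for the users on the slide.

import stat


def format_mode(mode: int, is_dir: bool = False) -> str:
    """Octal mode -> ls -l permission string, e.g. 0o4711 -> '-rws--x--x'."""
    bits = [
        (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
        (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
        (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),
    ]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    # The special bits (4000, 2000, 1000) replace the execute character of
    # their class; upper case means the bit is set without execute permission.
    if mode & stat.S_ISUID:
        out[2] = "s" if out[2] == "x" else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if out[5] == "x" else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if out[8] == "x" else "T"
    return ("d" if is_dir else "-") + "".join(out)


def effective_ids_after_exec(file_mode, file_uid, file_gid, real_uid, real_gid):
    """Amplification: exec of a setuid/setgid file changes the effective ids."""
    euid = file_uid if file_mode & stat.S_ISUID else real_uid
    egid = file_gid if file_mode & stat.S_ISGID else real_gid
    return euid, egid


def can_access(file_mode, file_uid, file_gid, euid, egid, want):
    """Owner/group/other decision on the effective ids; want is 'r', 'w' or 'x'."""
    if euid == 0:
        return True  # superuser is exempt from the usual restrictions
    if euid == file_uid:
        shift = 6            # owner triple
    elif egid == file_gid:
        shift = 3            # group triple
    else:
        shift = 0            # other triple
    needed = {"r": 4, "w": 2, "x": 1}[want]
    return bool((file_mode >> shift) & needed)


# Constructed ids: pat owns both files, group CS440; a student in another group.
PAT, CS440 = 1001, 2001
STUDENT, STUDENTS = 1002, 2002


def student_can_read_grades_via_prgrades(grades_mode=0o600, prgrades_mode=0o4711):
    """Step 3 of the slide: returns (direct read allowed, read via prgrades allowed)."""
    direct = can_access(grades_mode, PAT, CS440, STUDENT, STUDENTS, "r")
    runnable = can_access(prgrades_mode, PAT, CS440, STUDENT, STUDENTS, "x")
    euid, egid = effective_ids_after_exec(prgrades_mode, PAT, CS440, STUDENT, STUDENTS)
    via_program = runnable and can_access(grades_mode, PAT, CS440, euid, egid, "r")
    return direct, via_program


if __name__ == "__main__":
    for m in (0o644, 0o711, 0o4711, 0o600):
        print(format_mode(m), oct(m))
    print(student_can_read_grades_via_prgrades())
```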

File System Security – Unix Group Problem

- Affiliation (a user may belong to a primary group and multiple secondary groups)
- Limited sharing
- Multiple personality
- Changes in group membership (proliferation control?)
- Command newgrp – try it with chmod!

Unix File System Security – Violating Security Principles [SU]

- Principle of Least Privilege (group access)
- Principle of Safe Defaults
- Principle of Need to Know (Others access, Super-user power)
- Principle of Accountability (setUid)

There is always a tradeoff: Security / Convenience / Performance!

UNIX Access Control Lists (new in Unix Berkeley! Also in Linux and Solaris)

- modern UNIX systems support ACLs
- can specify any number of additional users / groups and associated rwx permissions
- ACLs are optional extensions to std perms
- group perms also set max ACL perms
- when access is required:
  - select the most appropriate ACL entry: owner, named users, owning / named groups, others
  - check if it has sufficient permissions for the access
- SETFACL command (do man!)

UNIX Access Control (Cont.)

FreeBSD files include an additional protection bit that indicates whether the file has an extended ACL. FreeBSD and most UNIX implementations use the following strategy:

1. The owner entries have the same meaning as normal.
2. The group class entry specifies group permissions. These permissions represent the maximum permissions that can be assigned to named users or named groups, other than the owning user, and hence function as a mask.
3. Additional named users and named groups may be associated with the file, each with a 3-bit permission field.
4. When a process requests access to a file system object, two steps are performed. Step 1 selects the ACL entry that most closely matches the requesting process. The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step 2 checks if the matching entry (which may be one of several group entries) contains sufficient permissions.
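The two-step check above, as an added example that is not part of the slides: step 1 picks the entry class in the order owner, named users, groups, others; step 2 tests that entry after the group-class mask has been applied to named users and named groups. The sample ACL and ids are constructed; where several group entries match, the example grants access if any of them does, which is how the POSIX.1e rule reads the "one of several group entries" case.

```python
# Added example: FreeBSD / POSIX.1e style extended-ACL evaluation. The ACL,
# uids and gids below are constructed sample data.

from dataclasses import dataclass, field


@dataclass
class Acl:
    owner_uid: int
    owner_perms: str                                  # "rw-" style strings
    owning_gid: int
    group_perms: str                                  # group class; also the mask
    other_perms: str
    named_users: dict = field(default_factory=dict)   # uid -> perms
    named_groups: dict = field(default_factory=dict)  # gid -> perms


def _has(perms: str, want: str) -> bool:
    """True if every requested permission letter is present."""
    return all(ch in perms for ch in want)


def _masked(perms: str, mask: str) -> str:
    """Apply the group-class mask: a named entry can never exceed it."""
    return "".join(ch if ch in mask else "-" for ch in perms)


def acl_check(acl: Acl, uid: int, gids: set, want: str) -> bool:
    # Step 1: the first matching class decides; there is no fall-through.
    if uid == acl.owner_uid:
        return _has(acl.owner_perms, want)
    if uid in acl.named_users:
        return _has(_masked(acl.named_users[uid], acl.group_perms), want)
    group_entries = []
    if acl.owning_gid in gids:
        group_entries.append(acl.group_perms)
    group_entries += [_masked(p, acl.group_perms)
                      for g, p in acl.named_groups.items() if g in gids]
    if group_entries:
        # Step 2 over the matching group entries: any sufficient one grants.
        return any(_has(p, want) for p in group_entries)
    return _has(acl.other_perms, want)


# Constructed sample: owner 1000, owning group 100; named user 1001 was given
# rwx but the group class (mask) is r--, so 1001 effectively gets r-- only.
SAMPLE_ACL = Acl(
    owner_uid=1000, owner_perms="rw-",
    owning_gid=100, group_perms="r--",
    other_perms="---",
    named_users={1001: "rwx"},
    named_groups={200: "rw-"},
)


if __name__ == "__main__":
    print("named user 1001 write:", acl_check(SAMPLE_ACL, 1001, {999}, "w"))  # masked out
    print("named user 1001 read:", acl_check(SAMPLE_ACL, 1001, {999}, "r"))
```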

File Encryption [Gudes80]

Figure: the "keys record" scheme. File Fj is stored with a keys record K'j1, K'j2, ..., K'jnj and a Validation Record k'j.

File Encryption, cont.

Fig. 6. The "key inversion" problem

Access Matrix (rows U1, U2; columns F1, F2):
  U1: F1 = 1, F2 = 1
  U2: F1 = 1, F2 = 0

File F1: keys record K'11, K'12 and validation record K'1
File F2: keys record K'21, 0 and validation record K'2

File Encryption: Enciphering and Deciphering with subkeys (Davida81)

Figure: the plaintext record M = (m1, ..., mj, ..., mt) and the subkeys c1, ..., cj, ..., ct.

Encipher (whole record): C = (sum over j of cj * mj) mod n

Decipher (one plaintext field): mj = C mod dj
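A worked form of the relation in the figure, as an added example that is not from the slides: with pairwise coprime field moduli d_1..d_t and n = product of the d_j, the subkeys are built so that c_j = 1 (mod d_j) and c_j = 0 (mod d_i) for i != j (the Chinese Remainder Theorem), which is what makes C mod d_j return field j alone. The construction of the c_j from the d_j, the small moduli and the field-update helper are assumptions of the example; the relation C = sum c_j m_j mod n and m_j = C mod d_j is the figure's.

```python
# Added example: subkey enciphering of a record with CRT-style subkeys.
# Requires m_j < d_j for every field. The moduli used below are small
# constructed primes; a real system would use large secret d_j.

from functools import reduce
from math import gcd


def make_subkeys(ds):
    """Given pairwise coprime d_1..d_t, return (n, [c_1..c_t]) with
    c_j = 1 (mod d_j) and c_j = 0 (mod d_i) for i != j."""
    if any(gcd(a, b) != 1 for i, a in enumerate(ds) for b in ds[i + 1:]):
        raise ValueError("field moduli must be pairwise coprime")
    n = reduce(lambda a, b: a * b, ds, 1)
    cs = []
    for d in ds:
        q = n // d                       # divisible by every other d_i
        cs.append(q * pow(q, -1, d) % n)  # q * q^-1 = 1 (mod d_j)
    return n, cs


def encipher(ms, cs, ds, n):
    """Whole-record ciphertext: C = sum_j c_j * m_j  mod n."""
    for m, d in zip(ms, ds):
        if not 0 <= m < d:
            raise ValueError("field value %d does not fit modulus %d" % (m, d))
    return sum(c * m for c, m in zip(cs, ms)) % n


def decipher_field(C, d):
    """A holder of d_j alone recovers field j: m_j = C mod d_j."""
    return C % d


def update_field(C, j, new_m, cs, ds, n):
    """Re-encipher one field in place: the other fields are unaffected
    because c_j vanishes modulo every d_i with i != j."""
    old = decipher_field(C, ds[j])
    if not 0 <= new_m < ds[j]:
        raise ValueError("new value does not fit the field modulus")
    return (C + cs[j] * (new_m - old)) % n


if __name__ == "__main__":
    ds = [101, 103, 107, 109]
    n, cs = make_subkeys(ds)
    C = encipher([42, 7, 99, 100], cs, ds, n)
    print([decipher_field(C, d) for d in ds])
```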

Distributed systems security

- What is the semantics of file security on the server
- What happens after the client opens a file? – the concept of a file handle.
- Authentication of the client and server machines
- Distributed object architectures - CORBA, Middleware software

The concept of Mount

Figure: (a) Server 1 holds the directory games (pacman, pacwoman, pacchild) and Server 2 holds the directory work (mail, news, other); (b) and (c) show the directory trees Client 1 and Client 2 see after mounting the remote directories games and work.

Layer Structure of NFS

Figure. Client side: System call layer -> Virtual file system layer -> NFS Client -> Network (message to server); the virtual file system layer also reaches the Local Operating System and Local disk. Server side: Network (message from client) -> NFS server -> Virtual file system layer -> Local operating system -> Local disk.

Distributed systems security – Scenario in Unix (see [T] for details)

- After Open, information is maintained in the file-handle on the CLIENT machine! So state (e.g. the file pointer) is maintained by the client
- So if the server fails, the state is preserved
- But how to ensure authentication of the file-handle and no replay? Remember: after Open, no more checks!
- New versions of Unix include machine to machine authentication

Distributed systems security – Example problem in Unix

- Rhost allows a machine to define what other machines/users can login into your machine
- Assume you allow user: ehud to login into my machine
- What happens if a Linux user defines a user-id: ehud on his machine and connects it to the system?
- Right! He can login into your machine and do whatever he likes!
- Solution: define in rhost the set of local servers only!

Windows-NT Security

- C2 Certified (mainly DAC and Authentication)
- Monitor based architecture (SRM) plus Client modules (LSA, SAM) for Login & Authentication
- Object based – Registry file for everything
- Authentication – Passwords and Kerberos
- SID (Security ID) and SAT (Security Access Token).
- Remote authentication. Domains – For a set of machines. Machine (SID) Authentication.
- Groups and Subgroups

Windows-NT Security, cont.

- Security descriptors (in Registry)
- ACLs. ACE – Access Control Entry – Positive and Negative.
- User Profiles and Security Management.
- Auditing – What and When.
- File Encryption.
- Web security, Certificates, SSL, etc.

Windows NT Security Architecture (figure)

Object types in Windows-NT

Type              Description
Process           User process
Thread            Thread within a process
Semaphore         Counting semaphore used for interprocess synchronization
Mutex             Binary semaphore used to enter a critical region
Event             Synchronization object with persistent state (signaled/not)
Port              Mechanism for interprocess message passing
Timer             Object allowing a thread to sleep for a fixed time interval
Queue             Object used for completion notification on asynchronous I/O
Open file         Object associated with an open file
Access token      Security descriptor for some object
Profile           Data structure used for profiling CPU usage
Section           Structure used for mapping files onto virtual address space
Key               Registry key
Object directory  Directory for grouping objects within the object manager
Symbolic link     Pointer to another object by name
Device            I/O device object
Device driver     Each loaded device driver has its own object

Permission types in Windows-NT

Type                     Description
Read (R)                 Can read a file
Write (W)                Can change the content of a file
Execute (X)              Can run the program
Delete (D)               Can delete the file
Change permissions (P)   Can change permissions on the file
Take ownership (O)       Can take ownership of the file

Example – a security descriptor in Windows-NT (part of the Registry)

Figure: a File points to its Security Descriptor, which holds a Header, the Owner's SID, the Group SID, the DACL and the SACL.

DACL (Header followed by ACEs; mask bits are R W X D P O):
  Deny    Elvis      111111
  Allow   Cathy      110000
  Allow   Ida        111111
  Allow   Everyone   100000

SACL (Header followed by ACEs):
  Audit   Marilyn    111111

Note, multiple files may have the same descriptor

Current access algorithm

1. If the object has no DACL, the object has no protection and the security system grants the desired access.
2. If the caller has the take-ownership privilege, the security system grants write-owner access before examining the DACL. The security system grants write-owner access if it was the only access requested.
3. If the caller is the owner of the object, the read-control and write-DACL access rights are granted. If these rights were the only access rights requested, access is granted without examining the DACL.
4. Each ACE in the DACL is examined from first to last. If the SID in the ACE matches an enabled SID (SIDs can be enabled and disabled) in the caller's access token (whether that be the primary SID or a group SID), the ACE is processed. If it is an access-allowed ACE, the rights in the access mask in the ACE are granted; if all the requested access rights have been granted, the access check succeeds. If it is an access-denied ACE and any of the requested access rights are in the denied-access rights, access is denied to the object.
5. If the end of the DACL is reached and some of the requested access rights still haven't been granted, access is denied.
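The five steps above run against the descriptor of the previous slide (Deny Elvis, Allow Cathy, Allow Ida, Allow Everyone), as an added example that is not part of the slides. The 6-bit masks are read left to right as R W X D P O from the permissions table; the mapping of "write-owner" to the O bit and of the owner's "write-DACL" to the P bit, the choice of Ida as owner, and the use of names instead of numeric SIDs are assumptions of the example (the 6-bit mask has no separate read-control bit, so step 3 grants P only).

```python
# Added example: the Windows NT DACL access check, steps 1-5, on the
# slide-84 descriptor. Names stand in for SIDs; tokens list their enabled
# SIDs (primary first) and whether the take-ownership privilege is held.

R, W, X, D, P, O = 0b100000, 0b010000, 0b001000, 0b000100, 0b000010, 0b000001
ALL_RIGHTS = R | W | X | D | P | O


def mask(bits: str) -> int:
    """'110000' as printed on the slide -> integer access mask."""
    return int(bits, 2)


# Constructed from the figure: (ACE type, SID, access mask), in DACL order.
DACL = [
    ("deny",  "Elvis",    mask("111111")),
    ("allow", "Cathy",    mask("110000")),
    ("allow", "Ida",      mask("111111")),
    ("allow", "Everyone", mask("100000")),
]
DESCRIPTOR = {"owner": "Ida", "dacl": DACL}   # owner is an assumption


def access_check(descriptor: dict, token: dict, requested: int) -> bool:
    dacl = descriptor.get("dacl")
    if dacl is None:                                      # step 1: no DACL
        return True
    granted = 0
    if token.get("take_ownership") and requested & O:     # step 2: privilege
        granted |= O
        if requested == O:
            return True
    if descriptor["owner"] in token["sids"]:              # step 3: owner
        granted |= P
        if requested & ~granted == 0:
            return True
    for kind, sid, ace_mask in dacl:                      # step 4: first to last
        if sid not in token["sids"]:
            continue                                      # ACE does not apply
        if kind == "allow":
            granted |= ace_mask & requested
            if requested & ~granted == 0:
                return True                               # everything granted
        elif ace_mask & requested:
            return False                                  # a deny ACE hit first
    return False                                          # step 5: ran off the end


def token(*sids, take_ownership=False):
    """Build a caller token; every user here is also a member of Everyone."""
    return {"sids": list(sids) + ["Everyone"], "take_ownership": take_ownership}


if __name__ == "__main__":
    print("Cathy R+W:", access_check(DESCRIPTOR, token("Cathy"), R | W))
    print("Elvis R (Everyone allows, but deny comes first):",
          access_check(DESCRIPTOR, token("Elvis"), R))
    print("Elvis with take-ownership privilege, O only:",
          access_check(DESCRIPTOR, token("Elvis", take_ownership=True), O))
```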

Audit Trails

- Not all auditing is configured through the default GUI.
- Audit log sizing.
- Audit of important things:
  - Audit failed login attempts
  - Audit use of backup/restore rights
  - Audit changes to the registry

Page 87

Security in Windows 2000

Structure of an access token:

- Header
- Expiration time
- Groups
- Default DACL
- User SID
- Group SID
- Restricted SIDs
- Privileges

Privileges are rights that are not tied to any particular object, such as the Debug or Backup privileges.

Page 88

Security API calls

Principal Win32 API functions for security:

Win32 API function             Description
InitializeSecurityDescriptor   Prepare a new security descriptor for use
LookupAccountSid               Look up the account name for a given SID (LookupAccountName does the reverse, name to SID)
SetSecurityDescriptorOwner     Enter the owner SID in the security descriptor
SetSecurityDescriptorGroup     Enter a group SID in the security descriptor
InitializeAcl                  Initialize a DACL or SACL
AddAccessAllowedAce            Add a new ACE to a DACL or SACL allowing access
AddAccessDeniedAce             Add a new ACE to a DACL or SACL denying access
DeleteAce                      Remove an ACE from a DACL or SACL
SetSecurityDescriptorDacl      Attach a DACL to a security descriptor

Page 89

The Registry

Some of the Win32 API calls for using the registry:

Win32 API function   Description
RegCreateKeyEx       Create a new registry key (or open it if it already exists)
RegDeleteKey         Delete a registry key
RegOpenKeyEx         Open a key to get a handle to it
RegEnumKeyEx         Enumerate the subkeys subordinate to the key of the handle
RegQueryValueEx      Look up the data for a value within a key

Page 90

The Registry

A security nightmare!
- The repository for all important data
- A haven for trojan horse attacks
- Too complicated, too arcane, too opaque
- Remote access
- Lock it down and audit, audit, audit…

Page 91

Impersonation

- A process can have multiple threads; common for both clients and servers
- Impersonation allows a server to serve a user using that user's access privileges, e.g. the ImpersonateNamedPipeClient function
- It sets the user's token on the current thread; access checks for that thread are then performed against this token, not the server's, i.e. with the user's access rights

Page 92

Mandatory Access Control

- Windows Vista introduced Mandatory Integrity Control, which limits operations that change an object's state
- Objects and principals are labeled (using a SID) as:
  - Low integrity (S-1-16-4096)
  - Medium integrity (S-1-16-8192)
  - High integrity (S-1-16-12288)
  - System integrity (S-1-16-16384)
- When a write operation occurs, the system first checks that the subject's integrity level dominates the object's integrity level (before the DACL is consulted)
- Much of the O/S is marked medium or higher integrity
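The integrity check as code, added here as an example and not part of the lecture: a model of the mandatory integrity check using the four label SIDs on the slide. It assumes the default mandatory policy, No-Write-Up (a subject may not write to an object whose integrity level is higher than its own), with No-Read-Up added for process objects, and that an object carrying no label is treated as Medium; the cases in demo() are constructed.

```python
"""Model of Windows Mandatory Integrity Control (added example)."""
LOW, MEDIUM, HIGH, SYSTEM = "S-1-16-4096", "S-1-16-8192", "S-1-16-12288", "S-1-16-16384"
LEVEL_NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}


def integrity_level(label_sid: str) -> int:
    """The RID of an S-1-16-* label SID is the integrity level itself (4096, 8192, ...)."""
    prefix, _, rid = label_sid.rpartition("-")
    if prefix != "S-1-16" or not rid.isdigit():
        raise ValueError(f"not an integrity label SID: {label_sid!r}")
    return int(rid)


def dominates(subject_label: str, object_label: str) -> bool:
    """Subject dominates object when its level is greater than or equal to the object's."""
    return integrity_level(subject_label) >= integrity_level(object_label)


def mandatory_check(subject_label, object_label, operation, object_type="file"):
    """Integrity check performed before the DACL is consulted. Returns (allowed, reason).

    operation: "read", "write" or "execute"; object_type: "file", "key", "process", ...
    Assumed policy: No-Write-Up everywhere, No-Read-Up on process objects only.
    """
    obj = object_label or MEDIUM            # assumption: unlabeled objects are implicitly Medium
    s, o = LEVEL_NAMES.get(subject_label, subject_label), LEVEL_NAMES.get(obj, obj)
    if operation == "write" and not dominates(subject_label, obj):
        return False, f"No-Write-Up: {s} subject may not modify {o} {object_type}"
    if operation == "read" and object_type == "process" and not dominates(subject_label, obj):
        return False, f"No-Read-Up: {s} subject may not read {o} process"
    return True, f"{s} subject may {operation} {o} {object_type}; the DACL decides next"


def demo() -> dict:
    """Constructed cases; returns case name -> allowed by the mandatory check."""
    cases = {
        "low_writes_medium_file": mandatory_check(LOW, MEDIUM, "write"),
        "low_reads_medium_file": mandatory_check(LOW, MEDIUM, "read"),
        "medium_writes_high_file": mandatory_check(MEDIUM, HIGH, "write"),
        "medium_writes_unlabeled": mandatory_check(MEDIUM, None, "write"),
        "low_writes_unlabeled": mandatory_check(LOW, None, "write"),
        "high_writes_medium_key": mandatory_check(HIGH, MEDIUM, "write", "key"),
        "medium_reads_high_process": mandatory_check(MEDIUM, HIGH, "read", "process"),
        "system_writes_high_file": mandatory_check(SYSTEM, HIGH, "write"),
    }
    return {name: allowed for name, (allowed, _reason) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'allowed' if allowed else 'DENIED'}")
```

Two things the cases make visible: a Low-integrity process (a sandboxed browser, say) can still read Medium files, since the default policy only blocks writes upward; and a Medium process is refused a write to a High object even when the object's DACL would allow it, because the integrity check runs first.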

Page 93

PWDump and NTCrack

Lots of press!

PWDump
- Dumps the user contents of the SAM, including the (hashed) passwords.
- Requires administrator or backup privileges
- %SystemRoot%\Repair\SAM._ (the backup copy of the SAM written by the repair utility, another place to obtain the hashes)

NTCrack
- Simple implementation of an off-line dictionary attack for Windows-NT: the dumped hashes are compared with the hashes of candidate passwords, without touching the target system again.

Page 94

Conclusions

- Windows-NT can be secure
- By default, it isn't secure (insecure defaults)
- Over time, users have a tendency to make it less secure
- Watch the security alerts; understand enough to estimate their importance.

Page 95

Trusted (Secure) Operating Systems

- Layered software
- Small kernel
- One monitor capturing all access requests
- Validation and verification
- Fulfilling standards and assurance criteria (see Stallings chp. 10)

Page 96

Trusted Systems: Trusted Computing Base

A reference monitor

Page 97

Reference Monitors

Page 98

Layered Operating System

[Figure: concentric layers, listed here from the innermost outward]

- Hardware
- Security kernel: security functions
- Operating system kernel: synchronization, allocation; scheduling, sharing, memory management; systems, device allocation
- Operating system: utility functions; compilers, database managers
- User processes
- Subprocesses of user processes

Page 99

Virtual Machine

Page 100

Principles of Security Kernel

- Coverage – of each access
- Separation – of security functions from the rest
- Unity – a single module
- Modifiability and maintenance – easy to control
- Compactness – small, and therefore verifiable

Page 101

Formal Verification

- Formal specification
- Proof that the implementation follows the formal specification
- Problem: how to "prove" the specification?

Definitions:
- A program is (totally) correct if it halts and produces the correct output for every input
- A program is partially correct if, whenever it halts, it produces the correct output

Page 102

Assertions

[Figure: flowchart of a loop that finds the minimum of A[1..n], with the assertion that holds at each point]

P: n > 0                                                    (at ENTRY)
Q: n > 0 and 1 ≤ i ≤ n and min ≤ A[1]                       (after min ← A[1]; i ← 1)
R: n > 0 and 1 ≤ i ≤ n and ∀j, 1 ≤ j ≤ i−1: min ≤ A[j]      (after "i > n?" is answered NO)
S: n > 0 and i = n+1 and ∀j, 1 ≤ j ≤ n: min ≤ A[j]          (at EXIT)

ENTRY
  min ← A[1]; i ← 1
  loop: i ← i + 1
        i > n?        YES → EXIT
                      NO  → min < A[i]?   YES → loop
                                          NO  → min ← A[i]; → loop
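The flowchart as runnable code, added here as an example and not part of the lecture: the minimum-finding loop written in Python with the slide's assertions P, Q, R and S checked at run time at the points where the flowchart places them. The array is 1-indexed as in the flowchart, so A[0] is an unused pad; the inputs are constructed. A violated assertion raises AssertionError, which is what a failed proof obligation looks like when it is checked dynamically instead of proved.

```python
"""The flowchart's minimum loop with its assertions checked at run time (added example)."""


def find_min(A):
    """Return the minimum of A[1..n]; A[0] is ignored (1-indexed, as on the slide)."""
    n = len(A) - 1
    assert n > 0                                                         # P, at ENTRY
    mn, i = A[1], 1                                                      # min <- A[1]; i <- 1
    assert n > 0 and 1 <= i <= n and mn <= A[1]                          # Q
    while True:
        i = i + 1                                                        # i <- i + 1
        if i > n:                                                        # "i > n?" YES
            assert n > 0 and i == n + 1 and all(mn <= A[j] for j in range(1, n + 1))  # S
            return mn                                                    # EXIT
        assert n > 0 and 1 <= i <= n and all(mn <= A[j] for j in range(1, i))         # R
        if not (mn < A[i]):                                              # "min < A[i]?" NO
            mn = A[i]                                                    # min <- A[i]


def is_correct_on(A) -> bool:
    """Partial-correctness check for one input: the loop halted and its output is right."""
    return find_min(A) == min(A[1:])


if __name__ == "__main__":
    sample = [None, 5, 3, 9, 3, 7]                                       # constructed input, A[0] unused
    print("min =", find_min(sample), "correct:", is_correct_on(sample))
```

R is the loop invariant: everything to the left of i has already been compared with min. S is R at the moment the loop exits (i = n+1), which is exactly the post-condition "min is the minimum of A[1..n]". The loop is also totally correct, since i increases by one per pass and the loop stops at n+1; the assertions alone only establish partial correctness, the distinction the slide before this one draws.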

Page 103

Verification and Validation

- Verification: assuring the system is correct!
- Validation: assuring it's the correct system!
- Model checking methods
- The debate around "Open Source"!

Page 104

Trusted Platform Module (TPM)

- Concept from the Trusted Computing Group
- Hardware module at the heart of a hardware/software approach to trusted computing
- Uses a TPM chip on the motherboard, smart card, or processor, working with approved hardware/software and generating and using crypto keys
- Has 3 basic services: authenticated boot, certification, and encryption

Page 105

Authenticated Boot Service

- Responsible for booting the entire O/S in stages, ensuring each is valid and approved for use:
  - verifying the digital signature associated with the code
  - keeping a tamper-evident log; the log records the versions of all code running
- Can then expand the trust boundary: the TPM verifies any additional software requested, confirming it is signed and not revoked
- Hence the resulting configuration is known to be well-defined, with approved components

Page 106

Certification Service

- Once it has an authenticated boot, the TPM can certify the configuration to others with a digital certificate of the configuration information, giving another user confidence in it
- A challenge value is included in the certificate to also ensure it is timely (fresh)
- Provides a hierarchical certification approach: trust the TPM, then the O/S, then the applications

Page 107

Encryption Service

- Encrypts data so that it can be decrypted only by a certain machine in a given configuration
- Depends on a master secret key unique to the machine, used to generate a secret encryption key for every possible configuration; each key is usable only in that configuration
- Can also extend this scheme upward: create an application key for the desired application version running on the desired system version
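The three services of pages 105 to 107 in one runnable model, added here as an example and not part of the lecture: authenticated boot with a tamper-evident measurement log, certification of the resulting configuration to a verifier with a challenge, and sealing of data to one configuration. It is a software model, not TPM code: a real TPM keeps its registers, keys and signing inside the chip. Here the configuration register (PCR) is a SHA-256 hash chain, HMAC under a constructed MASTER secret stands in for the TPM's signing and key derivation, an approved-hash set stands in for signature and revocation checks, the boot stages are constructed byte strings, and the toy stream cipher exists only so the sealed blob is not plaintext.

```python
"""Software model of TPM authenticated boot, certification and sealing (added example)."""
import hashlib
import hmac

PCR_INIT = bytes(32)                       # a PCR reads as all zeros after reset


def measure(code: bytes) -> bytes:
    return hashlib.sha256(code).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The only way a PCR changes: PCR <- H(PCR || measurement). Order matters, nothing can be undone."""
    return hashlib.sha256(pcr + measurement).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC in counter mode); symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SimTPM:
    def __init__(self, master_secret: bytes):
        self.pcr = PCR_INIT
        self.log = []                      # (stage, measurement) entries: the boot log
        self._master = master_secret       # never leaves the chip in real hardware

    def extend(self, stage: str, code: bytes) -> bytes:       # authenticated boot
        m = measure(code)
        self.pcr = extend(self.pcr, m)
        self.log.append((stage, m))
        return m

    def quote(self, nonce: bytes) -> bytes:                   # certification: PCR bound to a challenge
        return hmac.new(self._master, b"quote" + nonce + self.pcr, hashlib.sha256).digest()

    def _config_key(self) -> bytes:                           # a key that exists only in this configuration
        return hmac.new(self._master, b"seal" + self.pcr, hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:                     # encryption service
        key = self._config_key()
        ct = _keystream_xor(key, data)
        return ct + hmac.new(key, ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes):
        key = self._config_key()
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return None                    # current PCR is not the one the data was sealed to
        return _keystream_xor(key, ct)


def authenticated_boot(tpm: SimTPM, stages, approved: set) -> bytes:
    """Measure each stage before it runs; refuse code that is not approved (unsigned or revoked)."""
    for name, code in stages:
        if tpm.extend(name, code) not in approved:
            raise RuntimeError(f"{name}: code not approved")
    return tpm.pcr


def replay_log(log) -> bytes:
    """Verifier side: the log is tamper-evident because it must replay to the quoted PCR."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify_quote(attest_key: bytes, nonce: bytes, claimed_pcr: bytes, quote: bytes) -> bool:
    expected = hmac.new(attest_key, b"quote" + nonce + claimed_pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


# Constructed chip secret and constructed boot chain.
MASTER = b"constructed master secret burned into the chip"
GOOD_STAGES = [("firmware", b"firmware v1"), ("loader", b"bootloader v3"), ("kernel", b"kernel 5.0")]
TAMPERED_STAGES = [GOOD_STAGES[0], ("loader", b"bootloader v3 + rootkit"), GOOD_STAGES[2]]
APPROVED = {measure(code) for _, code in GOOD_STAGES}


def demo() -> dict:
    tpm = SimTPM(MASTER)
    pcr = authenticated_boot(tpm, GOOD_STAGES, APPROVED)
    nonce = b"verifier challenge 0001"
    quote = tpm.quote(nonce)
    blob = tpm.seal(b"disk encryption key")
    try:                                   # a modified loader is refused when approval is enforced
        authenticated_boot(SimTPM(MASTER), TAMPERED_STAGES, APPROVED)
        refused = False
    except RuntimeError:
        refused = True
    other = SimTPM(MASTER)                 # measured but not enforced: a different configuration results
    authenticated_boot(other, TAMPERED_STAGES, APPROVED | {measure(TAMPERED_STAGES[1][1])})
    forged_log = [(n, measure(c)) for n, c in GOOD_STAGES]   # attacker rewrites the log to look clean
    return {
        "log_replays_to_pcr": replay_log(tpm.log) == pcr,
        "quote_verifies": verify_quote(MASTER, nonce, pcr, quote),
        "quote_rejects_other_nonce": verify_quote(MASTER, b"replayed old nonce", pcr, quote),
        "unseal_in_same_config": tpm.unseal(blob) == b"disk encryption key",
        "tampered_boot_refused": refused,
        "configs_differ": other.pcr != pcr,
        "unseal_in_other_config": other.unseal(blob),
        "forged_log_detected": replay_log(forged_log) != other.pcr,
    }
```

The last four results are the ones that matter in practice: the rootkit'ed loader produces a different PCR, so the sealed key is unobtainable on that machine state; a log edited to hide the rootkit no longer replays to the PCR the chip quotes; and a quote captured earlier does not satisfy a fresh challenge.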

Page 108

TPM Functions

Page 109

Protected Storage Function

Page 110

Trusted Systems

- Security models aimed at enhancing trust; work started in the early 1970s, leading to:
  - Trusted Computer System Evaluation Criteria (TCSEC), the Orange Book, in the early 1980s
  - further work by other countries, resulting in the Common Criteria in the late 1990s
- Also the Computer Security Center in the NSA, with its Commercial Product Evaluation Program: evaluates commercially available products; required for Defense use; results freely published

Page 111

Computer Security Classifications

The U.S. Department of Defense outlines four divisions of computer security: A, B, C, and D.

- D – Minimal security.
- C – Discretionary protection, with accountability through auditing (required from C2 upward). Divided into C1 and C2. C1 identifies cooperating users with the same level of protection; C2 adds user-level access control.
- B – All the properties of C; in addition each object may carry a sensitivity label (mandatory protection). Divided into B1, B2, and B3.
- A – Uses formal design and verification techniques to ensure security.

Page 112

Orange Book Security (1)

[Table of requirements by evaluation class; not reproduced.] Symbol X means new requirements; symbol -> means the requirements from the next lower category also apply here.

Page 113

Orange Book Security (2)

Page 114

Common Criteria (CC)

- ISO standards for security requirements and for defining evaluation criteria, to give greater confidence in IT product security from formal actions during the process of:
  - development, using secure requirements
  - evaluation, confirming that the product meets the requirements
  - operation, in accordance with the requirements
- Evaluated products are listed for use

Page 115

CC Requirements

- A common set of potential security requirements for use in evaluation
- Target of evaluation (TOE): the product / system subject to evaluation
- Functional requirements: define the desired security behavior
- Assurance requirements: that the security measures are effective and correctly implemented
- Organized as classes of families of components

Page 116

Summary - OS attacks

- Remote login weaknesses
- Password guessing
- Bypass file permissions
- Scavenge memory
- Buffer overflow attacks
- Denial of service attacks (resource hogging)

Page 117

Generic Security Attacks

Typical attacks:
- Request memory, disk space, tapes and just read what the previous user left there
- Try illegal system calls
- Start a login and hit DEL, RUBOUT, or BREAK
- Try modifying complex OS structures
- Try to do specified DO NOTs
- Convince a system programmer to add a trap door
- Beg the admin's secretary to help a poor user who forgot his password

Page 118

Famous Security Flaws

The TENEX password problem: TENEX compared a supplied password with the stored one character by character and stopped at the first mismatch. By placing a candidate password across a page boundary so that the second page was not resident, an attacker could tell from whether a page fault occurred whether the first characters were correct, and so guess the password one character at a time instead of all at once.

[Figure, panels (a), (b), (c): the candidate password laid out across the page boundary]

Page 119

Weaknesses

Both Unix and Windows use passwords for authentication. Unix keeps passwords hashed ("encrypted"), but historically the password file was readable by all users (before shadow password files). This allows a user to make a copy and use dictionaries and parallel processing to guess passwords.

Process protection is based mainly on the user/supervisor mode separation, and kernel processes are not protected against each other.

Even if hardware architectures offer further protection, e.g., descriptors and rings, commercial OSs do not use them, in an effort to get more performance.

Page 120

Weaknesses II

The concept of superuser, an almighty user, typically the system administrator, is a poor security decision.

Inheritance of rights in forked processes is another flaw commonly exploited in attacks. If an attacker tricks a program running in superuser mode into executing a Trojan Horse, the Trojan inherits the rights of that program and runs in superuser mode.

Transfer of rights between processes: in Unix every user has a unique id, the UID. If the setuid bit in the permissions of a file containing an executable program is turned on, the process executing that program acquires the rights of the file's owner. Windows has an impersonation token that has a similar effect. This violates the principle of accountability.

Page 121

Weaknesses III

Lack of a conceptual model. The file permission structure doesn't follow the access matrix or any other security model. The interpretation of rights for directories makes things even more muddled.

Directory problems. An attacker can place his own file in a writable directory that lies on the search path and may gain higher privileges when the file is invoked in place of the intended program.

Most systems lack the concept of a trusted path [Los00]. A trusted path is a user connection to a part of the system that provides secure login, authentication, and rights.

Some systems do not have auditing facilities, or the audit log is within reach of the superuser (and could be changed by a hacker acting as superuser).

Page 122

Weaknesses IV

Complex, poorly designed, and poorly tested utilities. Microsoft's Outlook is a Swiss cheese. The Sendmail program in Unix is another source of trouble.

Some flaws come from the implementation languages, e.g., buffer overflow. A buffer overflow occurs when a variable in a procedure is filled with more values than it can hold. The overflow can overwrite the return address, and if the hacker put her code there, her program could run in superuser mode [Dil].

Finally, configuration of these systems is complex and administrators make many mistakes. There are many demo programs and rarely used utilities which can be exploited by hackers. This is even more true for PCs, where the users usually have no idea what they get in their software.

Page 123

OS defenses

- Memory protection (supported by hardware)
- File protection
- Access control for I/O devices
- Requires good processor support, for low overhead and to avoid bypassing of the high-level mechanisms
- Capabilities and descriptors are effective mechanisms
- Firewalls to protect access to the system
- Authentication (part of login)

Page 124

Threat Monitoring

- Check for suspicious patterns of activity, e.g., several incorrect password attempts may signal password guessing.
- Audit log: records the time, user, and type of all accesses to an object; useful for recovery from a violation and for developing better security measures.
- Scan the system periodically for security holes; done when the computer is relatively unused.

Page 125

Threat Monitoring (Cont.)

Check for:
- Short or easy-to-guess passwords
- Unauthorized set-uid programs
- Unauthorized programs in system directories
- Unexpected long-running processes
- Improper directory protections
- Improper protections on system data files
- Dangerous entries in the program search path (Trojan horse)
- Changes to system programs: monitor checksum values
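Three of these checks as a script, added here as an example and not part of the lecture, covering also the directory problem of Weaknesses III: entries in the program search path that let anyone plant a Trojan horse (relative or world-writable directories), set-uid programs that are not on an approved list, and changes to system programs found by comparing file checksums with a baseline. It uses POSIX permission bits, so it runs on a Unix-like system; demo() builds a constructed tree (a system bin directory, a /tmp-like directory, a planted set-uid file, a replaced ls) under a temporary directory, so nothing on the real system is touched.

```python
"""Search-path, set-uid and checksum checks over a constructed tree (added example)."""
import hashlib
import os
import stat
import tempfile


def search_path_findings(path_entries):
    """Return (entry, reason) for PATH entries an attacker could use to plant a program."""
    findings = []
    for entry in path_entries:
        if entry in ("", "."):
            findings.append((entry, "relative entry (current directory)"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "missing directory"))
            continue
        if mode & stat.S_IWOTH:             # anyone can drop an executable here
            findings.append((entry, "world-writable directory"))
    return findings


def setuid_findings(root, approved):
    """Paths (relative to root) of set-uid/set-gid regular files that are not in `approved`."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(path, root)
                if rel not in approved:
                    found.append(rel)
    return sorted(found)


def checksum_baseline(root):
    """relative path -> SHA-256 of every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def checksum_changes(baseline, current):
    """Compare two baselines: replaced system programs, deleted files, new files."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path, data, mode=0o755):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed tree under a temp dir; returns what each check reports."""
    with tempfile.TemporaryDirectory() as root:
        bindir, tmpbin = os.path.join(root, "bin"), os.path.join(root, "tmpbin")
        os.mkdir(bindir)
        os.mkdir(tmpbin)
        os.chmod(tmpbin, 0o1777)                                           # /tmp-like, world-writable
        _write(os.path.join(bindir, "ls"), b"#!/bin/sh\necho ls\n")
        _write(os.path.join(bindir, "su"), b"#!/bin/sh\necho su\n", 0o4755)   # approved set-uid
        _write(os.path.join(tmpbin, "backdoor"), b"#!/bin/sh\n", 0o4755)      # planted set-uid
        baseline = checksum_baseline(root)                                    # taken while clean

        _write(os.path.join(bindir, "ls"), b"#!/bin/sh\necho trojan\n")       # system program replaced
        _write(os.path.join(bindir, "rootkit"), b"#!/bin/sh\n")               # new file in system dir
        changes = checksum_changes(baseline, checksum_baseline(root))

        return {
            "path_reasons": sorted(why for _, why in search_path_findings([bindir, tmpbin, ""])),
            "unapproved_setuid": setuid_findings(root, approved={"bin/su"}),
            **changes,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the order in demo(): the checksum baseline is only worth anything if it was taken from a known-good state and stored where the superuser of the monitored machine cannot rewrite it, which is the same objection the Weaknesses III slide raises against audit logs.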

Page 126

Hardened OSs

IBM's AIX [Cam90]: it implements a TCB to support DAC. Instead of read/write/execute rights, AIX defines an Abstract Data Type (class) with higher-level operations appropriate for the type of object, such as copy, save, query, and set. These accesses define an access matrix implemented as Access Control Lists. The ACLs are set by the owners of files and by administrators. ACLs can be permissive or restrictive. AIX reduces the privileges of the system administrator by defining five partially-ordered roles.

Page 127

Hardened OSs II

Virtual Vault [HP, Rub94]: a trusted version of the HP-UX operating system (a Unix variant). It uses compartments based on the multilevel model to isolate portions of the OS. It also reduces the root privileges and controls inheritance of rights in forked threads.

Argus Pitbull [Arg]: a system based on:
- Compartmentalization using a multilevel MAC model.
- Least privilege applied to all processes, including the superuser. The superuser is implemented using three roles: Systems Security Officer, System Administrator, and System Operator.
- Kernel-level enforcement.

Page 128

Design Principles for Security

1. System design should be public
2. Default should be no access
3. Check for current authority
4. Give each process the least privilege possible
5. Protection mechanism should be
   - simple
   - uniform
   - in the lowest layers of the system
6. Scheme should be psychologically acceptable

And … keep it simple (KISS)