Applied IT Security - Technische Universität München
Transcript of the slide set "4 OS Security" (31 pages), Dr. Stephan Spitz

Page 1:

4 OS Security

Applied IT Security, Dr. Stephan Spitz

Applied IT Security: System Security

Page 2:

Course outline

• Overview & Basics

• Network Protocols and the Internet

• Security Threats on Networks

• Applied Cryptography

• Authentication Protocols

• Public Key Infrastructures

• Encryption and Digital Signatures in Current Applications

• System Security

• Operating Systems and Applications

• Operating System Security

• Firewalls and Intrusion Detection Systems

• Security Certification

• Device Security: Smart Cards, Secure µProcessors and Crypto Libraries

• The Future of IT Security

Page 3:

Today: System Security

• Operating Systems and Applications

• Operating System Security

(The remaining items of the course outline are as on page 2.)

Page 4:

Overview Operating System Security

• Operating System Security

  • General Security Design Criteria

  • Risks

  • Secure Configuration and Tailoring

  • OS Security Requirements and Models

  • Trusted Solaris

  • The Java Runtime Environment

• Malicious Code

  • Overview of Malicious Code

  • Structure of a Virus

  • Examples

  • Counter Measures

Page 5:

General Security Design Criteria

• Design principle of "need to know": a user or process gets exactly the rights it needs for its task and not more (least privilege)

• Security concept: provable and as simple as possible (a small mechanism can be reviewed completely, a large one cannot)

• Closed security concept which cannot be bypassed: every access goes through the mechanism (complete mediation)

• No "security by obscurity", i.e. the security mechanisms are public; only keys and credentials are secret

• Security mechanisms have the lowest possible impact on usability, otherwise users work around them

Page 6:

Risks

• Unauthorized access to data (e.g. reading freed memory that was not really erased, or swap files that still hold it)

• Faked user identification (e.g. interrupting the user authentication can produce a successful login)

• Attempts to corrupt the OS (e.g. malformed input puts the OS into an inconsistent state; attempts to trigger a buffer overflow)

• Security holes in applications (e.g. Internet worms exploit bugs in sendmail or FTP daemons, forgotten debug code and insufficient parameter checks in applications)

Always install the current security patches.

Page 7:

Secure OS Configuration = Tailoring

• Purpose-driven configuration (workstation with user access, application or file server, Windows domain controller, etc.)

• Strict division of privileges between user accounts, system accounts (e.g. lp) and the root or administrator account

• Disable or delete unused system resources (temporary files, shared directories)

• Try to establish a tamper-resistant reporting mechanism for security incidents (checksums, IDS): the reports must survive an attacker who already has root

• Which default-installed network services are really necessary? (DNS, DHCP, RAS, FTP)

Page 8:

Unix Tailoring Examples

• List all network interfaces with ifconfig -a, check from a remote machine which services are actually reachable, and block the unnecessary ones locally with ipchains/iptables

• Scan for programs with the set-XID bit (X = user/group), i.e. the process runs under the preset user or group instead of the caller:

  find / \( -perm -02000 -o -perm -04000 \) -ls

  Be careful: don't disable necessary administration programs, e.g. passwd (it must be set-UID root to update /etc/shadow)

• Logging of syslog messages via an entry in the file /etc/syslog.conf:

  facility.priority destination   (destination: file, pipe, log server, user, terminal)
  e.g. daemon.notice /var/log/daemon.log

  Send a copy to a remote log server (destination @loghost) so that an intruder cannot simply delete the local log.

• Installation of integrity checks (e.g. with the program md5sum):

  md5sum /bin/ping /bin/su /etc/ld.so.conf

  The checksums are only useful if they are kept where an intruder cannot rewrite them; today a collision-resistant hash (sha256sum) should replace md5sum.

• Files in /etc/ that attackers prefer to modify: inetd.conf, host.conf, ftpaccess
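The set-XID inventory and the checksum baseline of this slide, combined into one small tool, as an added example that is not part of the lecture. It runs on a constructed scratch tree so it works without root; on a real host the scan and the baseline would be pointed at / and the baseline kept where an intruder cannot rewrite it. File names such as bin/su and etc/inetd.conf are stand-ins, and SHA-256 is used in place of md5sum.

```python
"""Added example, not from the lecture: the set-XID inventory and the
md5sum integrity baseline from this slide as one small Python tool.

It runs on a constructed scratch tree so it works without root; on a real
host point scan_setxid() and make_baseline() at "/" and keep the baseline
where an intruder cannot rewrite it (read-only media, a remote log server).
SHA-256 replaces MD5: MD5 collisions are practical, so an MD5 baseline no
longer proves integrity against a deliberate attacker. The file names below
(bin/su, bin/sh, etc/inetd.conf) are constructed stand-ins for the real ones.
"""
import hashlib
import os
import stat
import tempfile


def scan_setxid(root):
    """Regular files below root with the set-UID (04000) or set-GID (02000)
    bit: the same selection as  find / \\( -perm -02000 -o -perm -04000 \\) -ls"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths):
    """path -> (content digest, permission bits incl. set-XID and sticky)."""
    return {p: (sha256_file(p), stat.S_IMODE(os.stat(p).st_mode)) for p in paths}


def verify_baseline(baseline):
    """path -> problem for every entry that vanished, changed content or
    changed permission bits (an attacker who only adds a set-UID bit to an
    existing shell changes no byte of the file, so the mode must be kept too)."""
    problems = {}
    for path, (digest, mode) in baseline.items():
        if not os.path.isfile(path):
            problems[path] = "missing"
        elif sha256_file(path) != digest:
            problems[path] = "modified"
        elif stat.S_IMODE(os.stat(path).st_mode) != mode:
            problems[path] = "mode changed"
    return problems


def new_setxid(baseline, root):
    """Set-XID files present now that the baseline never recorded: a fresh
    set-UID copy of a shell is the classic backdoor left behind by an intruder."""
    return [p for p in scan_setxid(root) if p not in baseline]


def build_scratch_tree():
    """Constructed miniature of a Unix root; returns its path."""
    root = tempfile.mkdtemp(prefix="tailoring-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    files = {
        "bin/su": (b"#!/bin/sh\n# stand-in for /bin/su\n", 0o4755),  # set-UID root
        "bin/sh": (b"#!/bin/sh\n# stand-in for /bin/sh\n", 0o755),
        "etc/inetd.conf": (b"ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)  # chmod after the write: writing would clear set-UID
    return root


def demo():
    """Take the baseline, simulate an intrusion, report what each check finds."""
    root = build_scratch_tree()

    def rel(p):
        return os.path.relpath(p, root)

    before = scan_setxid(root)
    monitored = before + [os.path.join(root, "etc", "inetd.conf"),
                          os.path.join(root, "bin", "sh")]
    baseline = make_baseline(monitored)
    clean = verify_baseline(baseline)

    # Intrusion: a shell service is appended to inetd.conf, the existing
    # shell is made set-UID, and a hidden set-UID copy is dropped in bin/.
    with open(os.path.join(root, "etc", "inetd.conf"), "ab") as f:
        f.write(b"telnet stream tcp nowait root /bin/sh sh -i\n")
    os.chmod(os.path.join(root, "bin", "sh"), 0o4755)
    hidden = os.path.join(root, "bin", ".x")
    with open(hidden, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(hidden, 0o4755)

    return {
        "setxid_before": [rel(p) for p in before],
        "clean": clean,
        "problems": {rel(p): why for p, why in verify_baseline(baseline).items()},
        "new_setxid": [rel(p) for p in new_setxid(baseline, root)],
    }
```

demo() shows the three findings a practitioner wants from such a baseline: the edited inetd.conf is reported as modified, bin/sh is reported as mode changed although no byte of it changed, and the hidden set-UID copy bin/.x shows up as a set-XID file the baseline never recorded.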

Page 9:

Server Tailoring Examples

• Apache (Unix/Windows HTTP server): only root/admin should own the Apache directory; the httpd worker processes run as an unprivileged user and must not be able to write there

• BIND (Unix DNS server): remove all unnecessary information records in named.conf/named.boot, e.g. CNAME or TXT records revealing host names and the administrative contact in the SOA record, and check from outside with host -t txt server.com

• Apache (Unix/Windows HTTP server): disable all unnecessary preinstalled modules such as mod_cgi, mod_status and mod_info

• Apache (Unix HTTP server): install Apache in a chroot jail, i.e. limit the access of the httpd process to a certain directory tree, e.g. /usr/local/httpd

• In any case: if possible avoid running Apache under Windows

Page 10:

OS Security Control Mechanisms (1/2)

• User identification and authentication, i.e. the system uniquely identifies and authenticates users prior to all other user interaction

• Discretionary Access Control (DAC), i.e. the system distinguishes and administers access rights to an object per user, per group or both, and the owner of the object decides who gets them (standard for file access in UNIX)

• Mandatory Access Control (MAC), i.e. the system attaches attributes (labels) to all subjects and objects which are the basis for the rules that grant access; users cannot override them (e.g. labeled security in Trusted Solaris)

• Object and data re-use protection, i.e. all storage objects returned to the system are treated in such a way that the preceding content cannot be read by other subjects (cf. the freed-memory and swap-file risk above)

• Role Based Access Control (RBAC), i.e. the system grants privileges based on the role of the user (sysadmin role in Trusted Solaris)

Page 11:

OS Security Control Mechanisms (2/2)

• Principle of Least Privilege, i.e. each subject in the system is granted the most restrictive set of privileges that still lets it do its task

• Trusted Path: the system supports a trusted communication path between itself and a user which is logically isolated and unmistakably distinguishable from other paths (e.g. a secure attention key that a fake login screen cannot intercept)

• A Trusted Computing Base (TCB) consists of the collection of hardware, firmware, software and databases used by the software, and of the documented administrative procedures that enforce the system's security policy; everything outside the TCB may misbehave without breaking the policy

• Roles are given to authenticated and authorized entities based on strictly separated environments

Page 12:

OS Security Mechanisms and Models

1. Simple Models for Access Control (ACL, Capabilities and XrML)

2. Introduction to the Security Model of Bell and LaPadula

3. Security Mechanisms in the OS Trusted Solaris and the Java Runtime Environment

Page 13:

Access Control List (ACL)

Access matrix (rows: subjects, columns: objects):

  Subject   File X   File Y
  Joe       Read     Read/Write
  Jane      None     Execute

An ACL stores one column of this matrix with the object: File X carries the list (Joe: Read), File Y carries the list (Joe: Read/Write; Jane: Execute).

Page 14:

Capabilities

The same access matrix, now read by rows:

  Subject   File X   File Y
  Joe       Read     Read/Write
  Jane      None     Execute

A capability list stores one row of the matrix with the subject: Joe holds the capabilities (File X: Read; File Y: Read/Write), Jane holds (File Y: Execute). Checking a single request is a lookup in either representation; revoking all rights on an object is one operation on its ACL but a search through every subject's capability list.
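The Joe/Jane matrix of the two preceding slides stored both ways, with the administrative operations whose cost differs between an ACL and a capability list, as an added example that is not part of the lecture. Names and rights are the slides'; the delegation rule (a subject may pass on a subset of its own capability) is a common choice in capability systems and is assumed here.

```python
"""Added example, not from the lecture: the Joe/Jane access matrix from the
slides stored as an ACL per object and as a capability list per subject,
with the administrative operations whose cost differs between them.
The delegation rule in CapStore (a holder may pass on no more than it
holds) is an assumption, not given on the slides.
"""

# Access matrix: (subject, object) -> rights.  Empty set = "None" on the slide.
MATRIX = {
    ("Joe", "File X"): {"read"},
    ("Joe", "File Y"): {"read", "write"},
    ("Jane", "File X"): set(),
    ("Jane", "File Y"): {"execute"},
}


class AclStore:
    """Column-oriented: the object carries {subject: rights}."""

    def __init__(self, matrix):
        self.acl = {}
        for (subj, obj), rights in matrix.items():
            self.acl.setdefault(obj, {})
            if rights:
                self.acl[obj][subj] = set(rights)

    def allowed(self, subject, obj, op):
        return op in self.acl.get(obj, {}).get(subject, set())

    def revoke_object(self, obj):
        """Cheap: every right on an object lives in that object's ACL."""
        self.acl[obj] = {}

    def rights_of(self, subject):
        """Expensive: 'what may Joe touch?' must walk every object's ACL."""
        return {obj: set(entries[subject])
                for obj, entries in self.acl.items() if subject in entries}


class CapStore:
    """Row-oriented: the subject carries {object: rights} and presents it."""

    def __init__(self, matrix):
        self.caps = {}
        for (subj, obj), rights in matrix.items():
            self.caps.setdefault(subj, {})
            if rights:
                self.caps[subj][obj] = set(rights)

    def allowed(self, subject, obj, op):
        return op in self.caps.get(subject, {}).get(obj, set())

    def rights_of(self, subject):
        """Cheap: the subject's own row."""
        return {obj: set(r) for obj, r in self.caps.get(subject, {}).items()}

    def delegate(self, giver, receiver, obj, ops):
        """A holder may pass on no more than it holds. The object is never
        consulted, which is why its owner can no longer read off from one
        list who has access."""
        have = self.caps.get(giver, {}).get(obj, set())
        if not set(ops) <= have:
            raise PermissionError(f"{giver} cannot delegate {set(ops) - have} on {obj}")
        self.caps.setdefault(receiver, {}).setdefault(obj, set()).update(ops)

    def revoke_object(self, obj):
        """Expensive: the capability may sit in any subject's list, so every
        list has to be searched (real systems add indirection for this)."""
        for row in self.caps.values():
            row.pop(obj, None)


def same_decisions(a, b, subjects, objects, ops=("read", "write", "execute")):
    """True if both stores answer every (subject, object, op) identically."""
    return all(a.allowed(s, o, op) == b.allowed(s, o, op)
               for s in subjects for o in objects for op in ops)
```

Both stores give identical answers for every cell of the matrix; they differ in which question is a local lookup and which needs a scan, and in the fact that a capability can be handed on without the object ever being told.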

Page 15:

eXtensible rights Markup Language (XrML)

• XrML 2.0 adopts a simple model consisting of four entities and the relationships between those entities.

• The basic relationship is defined by the XrML assertion grant.

• Structurally, an XrML grant consists of the following:

  • The principal to whom the grant is issued

  • The right that the grant specifies

  • The resource that is the direct object of the "right" verb

  • The condition that must be met for the right to be exercised

Page 16:

XrML

Example license with one grant (the slide abbreviates the namespace URIs):

<license xmlns="xrml2core" xmlns:sx="xrml2sx" xmlns:dsig="xmldsig#"
         xmlns:xsi="XMLSchema-instance" xmlns:cx="xrml2cx"
         xsi:schemaLocation="xrml2cx.xsd">
  <grant>
    <keyHolder>
      <!-- keyHolder is the principal, authenticated by a cryptographic key -->
      <!-- further tags containing the public key ... -->
    </keyHolder>
    <cx:print />                     <!-- print is the right -->
    <cx:locator>                     <!-- locator specifies the resource -->
      <nonSecureIndirect URI="http://www.foo.com/sampleBook.spd" />
    </cx:locator>
    <validityInterval>               <!-- the condition -->
      <notAfter>2001-12-24T23:59:59</notAfter>
    </validityInterval>
  </grant>
</license>
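A small rights engine that parses a license of the shape shown above and decides whether a grant authorises a request, as an added example that is not part of the lecture. The license text is constructed for the example; the namespace URIs are the published XrML 2.0 ones (the slide abbreviates them), the key material is a placeholder, and the license's XML signature is not verified here, which a real engine would do first.

```python
"""Added example, not from the lecture: reading an XrML 2.0 license and
deciding whether one of its grants authorises a request. The four parts of
a grant on the slide are mapped to elements as follows:
  principal -> <keyHolder> (identified here by the text of its RSA modulus)
  right     -> the empty cx:* child such as <cx:print/>
  resource  -> <cx:locator><nonSecureIndirect URI=.../>
  condition -> <validityInterval><notBefore>/<notAfter>
The license text is constructed; the namespace URIs are the published
XrML 2.0 ones (the slide abbreviates them); the key is a placeholder.
A real rights engine verifies the license's XML-Signature before trusting
any of this; that step is deliberately not implemented here.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "core": "http://www.xrml.org/schema/2001/11/xrml2core",
    "cx": "http://www.xrml.org/schema/2001/11/xrml2cx",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_LICENSE = """<license xmlns="http://www.xrml.org/schema/2001/11/xrml2core"
         xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
         xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <grant>
    <keyHolder>
      <info>
        <dsig:KeyValue><dsig:RSAKeyValue>
          <dsig:Modulus>PLACEHOLDER-MODULUS-OF-THE-LICENSEE</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue></dsig:KeyValue>
      </info>
    </keyHolder>
    <cx:print/>
    <cx:locator>
      <nonSecureIndirect URI="http://www.foo.com/sampleBook.spd"/>
    </cx:locator>
    <validityInterval>
      <notAfter>2001-12-24T23:59:59</notAfter>
    </validityInterval>
  </grant>
</license>
"""


@dataclass
class Grant:
    principal: Optional[str]
    right: Optional[str]
    resource: Optional[str]
    not_before: Optional[datetime]
    not_after: Optional[datetime]


def _text(elem, path):
    t = elem.findtext(path, namespaces=NS)
    return t.strip() if t else None


def parse_grants(xml_text):
    root = ET.fromstring(xml_text)
    cx = "{%s}" % NS["cx"]
    grants = []
    for g in root.findall("core:grant", NS):
        # The right is the cx:* child that is not the locator (simplification).
        rights = [c.tag[len(cx):] for c in g
                  if c.tag.startswith(cx) and c.tag != cx + "locator"]
        loc = g.find("cx:locator/core:nonSecureIndirect", NS)
        nb = _text(g, "core:validityInterval/core:notBefore")
        na = _text(g, "core:validityInterval/core:notAfter")
        grants.append(Grant(
            principal=_text(g, "core:keyHolder/core:info/dsig:KeyValue/"
                               "dsig:RSAKeyValue/dsig:Modulus"),
            right=rights[0] if len(rights) == 1 else None,
            resource=loc.get("URI") if loc is not None else None,
            not_before=datetime.fromisoformat(nb) if nb else None,
            not_after=datetime.fromisoformat(na) if na else None,
        ))
    return grants


def authorises(grant, principal, right, resource, at_iso):
    """Every part must match; a missing interval bound is unbounded.
    Returns (decision, first failing part) so a denial can be explained."""
    at = datetime.fromisoformat(at_iso)
    if grant.principal is None or grant.principal != principal:
        return False, "principal"
    if grant.right != right:
        return False, "right"
    if grant.resource != resource:
        return False, "resource"
    if grant.not_before and at < grant.not_before:
        return False, "not yet valid"
    if grant.not_after and at > grant.not_after:
        return False, "expired"
    return True, "ok"


def decide(xml_text, principal, right, resource, at_iso):
    """A request is allowed if any grant in the license authorises it;
    the second value lists why the other grants did not."""
    results = [authorises(g, principal, right, resource, at_iso)
               for g in parse_grants(xml_text)]
    return any(ok for ok, _ in results), [why for ok, why in results if not ok]
```

The point of returning the failing part is operational: a rights engine that only says "denied" cannot be debugged by the content owner, while one that leaks too much detail to the requester helps an attacker probe the policy; the caller decides which of the two strings to expose.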

Page 17:

Bell-LaPadula Model

• Elements of the Bell-LaPadula model are subjects, objects, access attributes and security levels

• ACLs containing subjects, objects and access attributes are used for Discretionary Access Control

• Security levels form the Mandatory Access Control (Top Secret, Secret, Confidential, Unclassified) with two rules: NRU, no read up (simple security property: a subject may only read objects at or below its own level), and NWD, no write down (*-property: a subject may only write objects at or above its own level); together they prevent information from flowing to a lower level

• Bell-LaPadula does not address how access rights are established (creation/deletion of subjects and objects) and does not differentiate between data and executable code

Page 18:

No Read Up (1)

[Figure: a Top Secret subject reading objects labeled Top Secret, Secret and Unclassified: Read OK, Read OK, Read OK]

Page 19:

No Read Up (2)

[Figure: an Unclassified subject reading objects labeled Unclassified, Secret and Top Secret: Read OK, Read Forbidden, Read Forbidden]

Page 20:

No Write Down (1)

[Figure: an Unclassified subject writing objects labeled Unclassified, Secret and Top Secret: Write OK, Write OK, Write OK]

Page 21:

No Write Down (2)

[Figure: a Top Secret subject writing objects labeled Top Secret, Secret and Unclassified: Write OK, Write Forbidden, Write Forbidden]
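A small reference monitor that applies the no-read-up and no-write-down rules of the last five slides on top of the DAC matrix of the ACL slide, as an added example that is not part of the lecture. It goes one step beyond the slides by comparing a set of categories in addition to the level (the lattice form of Bell-LaPadula); with empty category sets it is exactly the slides' linear ordering. The clearances given to Joe, Jane, File X and File Y are constructed for the example.

```python
"""Added example, not from the lecture: a reference monitor enforcing
Bell-LaPadula on top of a DAC matrix. An access is granted only if both pass:
  DAC  - the object's ACL lists the right for the subject
  MAC  - observe (read, execute): clearance(subject) dominates classification(object)  [no read up]
         alter (write):           classification(object) dominates clearance(subject)  [no write down]
"dominates" compares the level and, beyond the slides' four plain levels,
a set of categories; with empty categories it is the slides' linear order.
The clearances assigned in build_demo() are constructed for this example.
"""
from dataclasses import dataclass, field

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
OBSERVE = {"read", "execute"}
ALTER = {"write"}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class Monitor:
    def __init__(self):
        self.clearance = {}       # subject -> Label
        self.classification = {}  # object  -> Label
        self.acl = {}             # object  -> {subject: set of rights}

    def add_subject(self, name, label):
        self.clearance[name] = label

    def add_object(self, name, label, acl):
        self.classification[name] = label
        self.acl[name] = {s: set(r) for s, r in acl.items()}

    def check(self, subject, obj, mode):
        """(allowed, reason). DAC is checked first so that the owner's
        decision and the mandatory rules are reported separately."""
        if mode not in OBSERVE | ALTER:
            return False, "unknown access mode"
        if mode not in self.acl.get(obj, {}).get(subject, set()):
            return False, "DAC: no %s right in ACL of %s" % (mode, obj)
        s, o = self.clearance[subject], self.classification[obj]
        if mode in OBSERVE and not s.dominates(o):
            return False, "MAC: no read up (%s < %s)" % (s.level, o.level)
        if mode in ALTER and not o.dominates(s):
            return False, "MAC: no write down (%s > %s)" % (s.level, o.level)
        return True, "ok"


def build_demo():
    """Joe is cleared Top Secret, Jane Unclassified; File X is Top Secret,
    File Y Unclassified; the ACLs are the matrix of the ACL slide."""
    m = Monitor()
    m.add_subject("Joe", Label("Top Secret"))
    m.add_subject("Jane", Label("Unclassified"))
    m.add_object("File X", Label("Top Secret"), {"Joe": {"read"}})
    m.add_object("File Y", Label("Unclassified"),
                 {"Joe": {"read", "write"}, "Jane": {"execute"}})
    return m
```

The instructive case is Joe writing File Y: the ACL grants him Read/Write, yet the *-property denies the write because a Top Secret subject writing an Unclassified file is exactly the downward flow the model exists to stop. DAC alone would have allowed it.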

Page 22:

Main Characteristics of Trusted Solaris

• Trusted, i.e. an OS that satisfies a number of stringent security requirements (roles, trusted path, DAC, MAC, RBAC, etc.)

• MAC is based on labels, i.e. all objects (files and so on) and subjects (processes) on the system are labeled

• The Principle of Least Privilege is introduced by distinct roles which replace the all-powerful superuser root of standard Unix systems, i.e. admin, secadmin, oper and root, so that security administration (secadmin) is separated from system administration (admin)

• There are different purpose-driven predefined configurations like trusted desktop, trusted server, trusted database application and trusted firewall

• RBAC can be used to represent special groups (e.g. engineering, sales, administrator)

Page 23:

The Java Sandbox Model

• The Java Sandbox defines a secure execution environment for Java Virtual Machine (JVM) bytecode

• The Java Sandbox consists of three parts: Bytecode Verifier, Class Loader and Security Manager

• The Bytecode Verifier checks the compiled bytecode before it is executed (correct class format, forged references, access restrictions, incorrect class type information); without it a hand-crafted class file could bypass the type system that the other two parts rely on

• The Class Loader is responsible for loading and allocating new classes, i.e. name spaces (Java knows only references by name), and keeps untrusted classes from replacing system classes

• The Security Manager decides which resources (files, network connections, etc.) can be allocated during JVM bytecode execution

Page 24:

Anatomy of a Java Application

Page 25:

The Java Security Package

• The security package (classes in the java.security package + security extensions) allows adding security features to applications and helps to extend the Sandbox model

• The security package provides the basis by which Java classes may be signed

• The security package is a complex API including:

  • The security provider interface (JCA)

  • Message digests

  • Keys and certificates

  • Digital signatures

  • Encryption (through JCE and JSSE)

  • Authentication (through JAAS)

Page 26:

Structure of any Virus

Three components: Infection Mechanism, Trigger, Payload

Infection Mechanism

• Search for possible targets (boot sector, executable file, scripts)

• Establish the virus code in the target

• Hide the code in the target

Trigger

• The trigger starts the replication (the main virus characteristic)

• The trigger starts the payload execution

• Trigger events are timer interrupt, system boot, file access

Payload

• The payload contains the malicious code

• Broad range of activities (from a simple message to a system break-down)

• Payload sequences are a good way to identify viruses (signature)

Page 27:

Overview of Malicious Code

• Trojan Horse: program that pretends to be useful but hides malicious code, e.g. to gain an account on a target system; not necessarily with a replication mechanism

• Macro Virus: virus infecting the documents of an application (e.g. WordBasic or VBA script viruses in the Microsoft Office Suite) instead of an OS

• Worm: self-replicating code without a file infection mechanism, i.e. security holes in running (mainly network) processes are abused, e.g. e-mail, FTP

• Boot (Sector) Virus: virus that writes its code into the boot sector of a floppy or hard disk (mainly the master boot record)

• Hoax: only a rumor about a virus

Page 28:

Virus Example: MyDoom (11.02.04)

• MyDoom is a worm: the e-mail user is lured into clicking on the attachment ("Mail transaction failed. Partial message is available"), i.e. no infection mechanism of its own

• Trigger: the Windows registry is manipulated to load the MyDoom code memory-resident during system boot

• Trojan Horse: MyDoom/Novarg establishes a backdoor on the infected system, i.e. a little server on a TCP port in the range 3127 to 3198 allows intruders to start a Distributed Denial-of-Service (DDoS) attack from the captured system

• Payload and Replication: the MyDoom code looks for every stored e-mail address on the hard disk and sends a copy of itself

Page 29:

Virus Example: Sasser (03.05.04)

• Sasser is a worm: a bug in the Windows XP/2000 Local Security Authority Subsystem Service (LSASS), i.e. LSASRV.DLL (Active Directory service functions), can be used to cause a buffer overflow and to execute malicious code

• Trigger: the Windows registry is manipulated to load Sasser during system boot via the program avserve.exe (15,872 bytes), which runs 128 scanning threads in parallel against the reachable network. Registry entry in Windows:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "avserve.exe"="%windir%\avserve.exe"

• Payload and Replication: Sasser copies itself by FTP download to c:\windows\system32\[XXXXX]_up.exe on the newly infected host and causes the infected system to reboot

Page 30:

Trojan Horse Example: Troj/DSNX-05 (09.04.05)

• Troj/DSNX-05 is a Trojan horse: a faked Windows security update page is used to lure the user into installing a malicious "patch" which contains Troj/DSNX-05. It has neither an infection mechanism nor a replication mechanism (social engineering as infection mechanism, replication via the faked web page)

• The payload of Troj/DSNX-05 contains a background server process allowing a remote attacker (using a certain client program) to gain access to and control over the machine

• A Windows registry entry is used as trigger event:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX = <Windows System>\<Trojan name>

  Before this entry is created, Troj/DSNX-05 copies itself to the Windows system directory using the name of a randomly chosen DLL file with an EXE extension
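All three examples above use the same trigger, a value under the Run key, so a triage of that key is a natural check; the following is an added example that is not part of the lecture. The input is a constructed .reg text export: the avserve.exe line follows the Sasser slide, the WinDSNX line follows the DSNX pattern of a DLL name with an .exe extension, and the remaining entries are invented benign ones. The allow-list, the DLL name table and the %windir% value are assumptions; a real deployment takes them from a clean reference image of the same Windows build.

```python
"""Added example, not from the lecture: triage of the Run-key persistence
that MyDoom, Sasser and Troj/DSNX-05 all use as their trigger.
Input is a .reg text export of HKLM\\...\\CurrentVersion\\Run. SAMPLE_REG is
constructed for this example (avserve.exe as on the Sasser slide, WinDSNX
following the DSNX naming pattern, the rest invented benign entries).
ALLOWLIST, KNOWN_DLLS and WINDIR are assumptions; take them from a clean
reference image on a real deployment.
"""
import ntpath
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"avserve.exe"="%windir%\\avserve.exe"
"WinDSNX"="C:\\WINDOWS\\system32\\msvcrt.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Setup\\cleanup.exe"
'''

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
WINDIR = r"C:\WINDOWS"  # assumed; read %windir% from the environment on a real host

# Assumed clean reference: what the Run key looks like on the golden image.
ALLOWLIST = {
    r"c:\program files\analog devices\soundmax\smax4pnp.exe",
    r"c:\windows\system32\ctfmon.exe",
}
# Well-known Windows DLL base names (assumed subset). A Trojan that copies
# itself as <dllname>.exe hopes the familiar name looks harmless.
KNOWN_DLLS = {"kernel32", "ntdll", "user32", "gdi32", "msvcrt",
              "advapi32", "shell32", "ole32"}

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text, key=RUN_KEY):
    """{value name: unescaped command} for the values directly under key."""
    entries, inside = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = (line == key)
            continue
        m = _VALUE_RE.match(line) if inside else None
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def expand(path):
    """Expand %windir% case-insensitively (a lambda avoids re.sub treating
    the backslash in WINDIR as an escape)."""
    return re.sub(r"%windir%", lambda _: WINDIR, path, flags=re.IGNORECASE)


def triage(reg_text, allowlist=ALLOWLIST):
    """value name -> list of reason codes for every Run entry worth a look."""
    findings = {}
    for name, command in parse_run_entries(reg_text).items():
        image = expand(command).strip('"')
        stem, ext = ntpath.splitext(ntpath.basename(image))
        reasons = []
        if image.lower() not in allowlist:
            reasons.append("not-in-baseline")
        if ntpath.dirname(image).lower() == WINDIR.lower():
            reasons.append("windows-root")      # Sasser drops avserve.exe directly in %windir%
        if stem.lower() in KNOWN_DLLS and ext.lower() == ".exe":
            reasons.append("dll-name-as-exe")   # Troj/DSNX-05 naming pattern
        if reasons:
            findings[name] = reasons
    return findings
```

The allow-list comparison is what does most of the work; the two pattern checks exist for the case where no clean baseline is available and explain why an entry was flagged, which is what an analyst needs when an export holds dozens of values.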

Page 31:

Counter Measures

• Virus scanners try to identify viruses by a certain characteristic (virus signature) stored in a database; unknown or polymorphic variants escape a pure signature match

• Signed code on a Trusted Computing Base prohibits the execution of unauthorized code, e.g. viruses, on the system

• Checksums and/or encryption make it possible to detect/avoid modifications done by a virus, provided the reference checksums themselves are protected from the intruder

• Intrusion Detection Systems (IDS) monitor a system to detect processes which may be the result of a virus infection

• Heuristic virus scanners try to identify a virus with a forecast of the runtime behaviour of code (sophisticated approach, but not really efficient)