1

Operating systems

• Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection.

• Trusted Operating Systems, example from PitBull

Unix, History

2

Unix, History

Unix

• Each user has a unique id and belongs to one or more groups.

• Users are divided into three domains: user, group and world (all).

• The privileged user is called root. • Runs in two modes: kernel and user.

3

User authentication

• The kernel itself treats users as numbers. Each user is identified by a unique integer, the user id or uid

• A separate database outside the kernel assigns a textual name, the user name to each user id.

• Other information in the database: – Username – Password, in an encrypted form. – Numeric user id. – Numeric group id. – Full name or other description of account. – Home directory. – Login shell (program to run at login).

User authentication

• The basic user database in a Unix system is the text file, /etc/passwd (called the password file).

• Any user on the system may read the password file, so that they can, for example, learn the name of another user.

• Many Unix systems have shadow passwords. – This is an alternative way of storing the password: the encrypted

password is stored in a separate file, (e.g. /etc/shadow), whichonly root can read.

– The /etc/passwd file only contains a special marker in the second field.

• Any program that needs to verify a user is setuid, and can therefore access the shadow password file.

4

/etc/passwd examples

• No shadow password file:troot:lRlqhO051W3C.:0:1:Operator:/:/usr/local/bin/tcshsroot:kFi6W.UvPZeNg:0:1:Operator:/:/bin/shrolle:BV4VYbp.FsbNg:6915:43:Roland Parviainen:/c8/rolle:/usr/local/bin/bash

• Shadow password file:root:x:0:0:root,,,:/root:/bin/bashrolle:x:501:501:Roland Parviainen:/home/rolle:/bin/bash

Logging in

• Logging in from a terminal

5

File and object protection

• Has a single hierarchical tree structure; all of the mounted files and filesystems are presented as one integrated virtual filesystem.

• Devices such as soundcards, modems and floppy drives are represented by a device special files in /dev/.

• Example: /dev/sound • Every file and directory in the virtual filesystem is

represented by one inode. An inode contain, among other things, the following information: – mode: describes what this inode represents as well as access

rights to it. – user and group ids: the owner and the group of the file.

File and object protection

• Access rights: – read (r) – write (w) – execute (or access for directories) (x) – set user or group ID on execution (s)

• A combination of rights can be set for each domain (user, group and world).

• s is only valid for user and group. • Access rights also applies to device special files, e.g

/dev/sound. • Some Unix operating systems also has Access control

lists, such as Secure HP-UX or Solaris.

6

File and object protection, example

• Want to give access to /dev/sound to Alice, Bob and Carol but not Dave

• Create a new group abc, containing Alice, Bob and Carol– Change the group of /dev/sound to abc

• Create a group sound, change the group of /dev/sound to sound– Add Alice, Bob and Carol to group sound

File and object protection, example

• cron run commands at specified times• Commands to be run are stored in

/var/spool/cron/, owned by root• A user adds a command using the

crontab command– crontab need to be set uid root!

drwx------ 2 root root 4096 nov 19 20:01 /var/spool/cron/-rwsr-xr-x 1 root root 21820 jul 7 2001 /usr/bin/crontab

7

File and object protection, example

• You can send a message to another user logged in using the write command

• The write command need to have permissions to write text to any user’s text terminal

• write set group id tty• All text terminal devices owned by group tty-rwxr-sr-x 1 root tty 7900 apr 25 15:06 /usr/bin/writecrw--w---- 1 rolle tty 136, 6 maj 3 19:11 /dev/pts/6

Memory protection

• Each process in the system has its own virtual address space.

• These virtual address spaces are completely separate from each other.

• Paging.

8

Memory protection

• Example of information in the page table (from Linux on Alpha): – V: Valid – FOE: "Fault on execute", Whenever an attempt to execute

instructions in this page occurs, the processor reports an errorand passes control to the operating system

– FOW: "Fault on write", As above, but an error on write – FOR: "Fault on read", As abobe, but an error on read – KRE: Code running in kernel mode can read this page – URE: Code running in user mode can read this page – KWE: Code running in kernel mode can write to this page – UWE: Code running in user mode can write to this page – Page frame number

VMS

• OpenVMS: originally called VMS (Virtual Memory System)

• First conceived in 1976 as a new operating system for Digital's new, 32-bit, virtual memory line of computers, eventually named VAX (Virtual Address eXtension)

• VMS version X0.5 was the first released to customers, in support of the hardware beta test of the VAX-11/780, in 1977. VAX/VMS Version V1.0 shipped in 1978.

• Now runs on Digitals (Compaq) Alpha computers. • C2 Certified

9

VMS, Authentication

• Keeps a history of the user's passwords, which prevents the selection of passwords that have been used recently.

• Can be made to enforce the changing of passwords on a regular basis.

• A user can be forced to select a password from a randomly generated collection.

• A password selected by a user is checked against a list of commonly used passwords.

• Passwords are stored in the User Authorization File (SYS$SYSTEM:SYSUAF.DAT) using one-way encryption.

VMS, System architecture

10

VMS, Hardware Protection Mechanisms

• CHMx: – x: K,E,S,U (Kernel, Executive, Supervisor, User) – Kernel is the only mode with access to the full

instruction set; the other three operate using the restricted subset of instructions.

– REI returns to the former mode. – CHMx can only change inwards towards "higher"

modes. – REI can only change outwards towards "lower"

modes. – Executive: For RMS only, record managements

services (handles all files on disk) – Supervisor mode: For CLI, command line interface

VMS, Object and File protection

• To determine the rights a domain (i.e. user, subject), the system checks the following mechanisms in order: – Access control lists – User identification codes (UICs) – Privileges

11

VMS, Object and File protection

Change rightsChange rights Control

Delete if emptyDeleteDelete

List specified entries Execute if programExecute

Create new files Write or modifyWrite

List all entriesRead, print or copyRead

FolderFile

VMS, UIC Protection

• UIC, User Identification Code • Divides the users into four domains: System,

Owner, Group and World. • Each user belong to one group • System: a special Group • System and Owner has control rights • World never has control rights • (System rights, Owner rights, Group Rights,

World rights) • E.g.: (RWED, RWE, RE, R)

12

VMS, Privilege Protection

• 64 bits are available for each user. • Examples:

– SYSPRV causes the user to be treated as if the user were in the System domain.

– BYPASS permits unconditional and unlimited access to an object.

– READALL permits read and control access. • When a program is run, the users privileges are

merged with the privileges for the program (using OR).

• This provides the ability for unprivileged users to run privileged programs.

VAX Security Kernel

• Targeted at the A1 level of the TCSEC. • Backwards compatible with VMS • The security kernel emulated the VAX

hardware, including all modes, virtual memory, I/O devices etc.

• Built twice during the 1980's. • Terminated in 1990.

13

Windows NT

• Windows NT 3 Late 80's• Windows NT 3.51 1994• Windows NT 4 1996• Windows 2000 (5.0) Feb 2000• Windows XP (5.1) Late 2001

Windows NT

• Based on a microkernel, designed to be as small as efficient as possible.

• Most operating services are implemented by semi-independent secondary subsystems.

• Two execution modes: user mode and kernel mode.

• Kernel mode: complete access to every system resource and of all memory.

14

NT, System architecture

NT, System architecture

• I/O Manager: controls most input and output • Object Manager: creates, modifies and deletes

system objects (e.g. a file or process) • Security Reference Manager (SRM): grants and

denies requests for access to objects and system resources by the object manager. Relies on Security Access Tokens (SATs)

15

Memory system

• Demand paged, virtual memory system • Flat, linear 32-bit address space (up to 4

GB) • Pages 4kB in size • Pages in use are redirected to physical

RAM

User authentication• The privileged user is called Administrator by default (can

be changed). • Items may be temporarily protected against the

Administrator account, but Administrator can always change their permissions to gain access.

• Passwords are stored in the user accounts database (Security Account Database, SAD) hashed (a one-way encryption).

• The SAD is managed by the security account manager (SAM).

• The encrypted passwords can be read by a user. • Users can be forced to change their passwords after a

period of time. • A history of already used passwords can also be stored. • Users can be locked out of the system after a certain

amount of failed login attempts.

16

Local Security Authority (LSA)

• Validates local and remote logins• Generates access tokens during the login

process• Manages local security policies• Provides user authentication and

validation• Logs audiot messages generated by the

SRM (Security Reference Monitor)

Security Reference Monitor, SRM

• Runs in kernel mode• Responsible for checking access to

objects

17

Security subsystem

LocalSecurityAuthority

SecurityAccountManager

SecurityAccount

Database

SecurityReference

Monitor

Auditlog

Loginprocess

SecurityPolicy

DatabaseUser Mode

Kernel Mode

User authentication

• The user authentication process – Enter the userid and password

• The password is hashed (encrypted) and sent to the local security authority (LSA)

• LSA makes a call to SAM and compares the hash stored in the SAD.

• LSA creates an access token using the user's account Security ID (SID) and group SIDs.

• The NT explorer shell opens with the user's access token attached.

18

User authenticationWinLogon

(User, Password)

LSA

Win32 subsyst.

New process

Explorer

SAD

SAM

AT

AT

AT

AT

AT

1

2

3 4

5

6 7

8

Access Tokens

• Access tokens are created by the Local Security Authority after SAM validation, as part of a successful logon process.

• All processes created by the user has a copy of the token attached to it.

• Information in the token: – User's security identifier (SID) – Group security identifiers – User privileges – Primary Group SID (only used by the POSIX subsystem)– Default ACL (assigned to any object created by the user)

19

Possible user privileges

• Around 30 specific 'user rights' can be assigned to users or groups.

• Examples: – Access this computer from network – Change the system time – Shut down the system

• Not even administrators have all privileges by default

File and object protection

• The NTFS (NT File System) has some security features: – Discretionary Access Control (DAC). – Journaling

• Information about files are stored in the master file table (MFT). Examples of information: the filename, security attributes, etc.

• Files have only a single owner, group ownership does not exist.

• Access control lists (ACLs) are used to control access to files, directories and objects.

20

File protection

Take ownership of a file.Take ownership of the folderTake ownership (O)

Change the permissions on the file

Change a folders permissions Change Permissions (P)

Delete a filedelete a folder Delete (D)

Display file attributes, owner & permissions. Run a file if it is an executable.

Display folder attributes, make changes to folders within a folder, and display owner & permissions

Execute (X)

Display owner & permissions, change file attributes, create data in and append data to a file.

Add file & folders, change a folders attribute, display owner & permissions

Write (W)

Display file data, attributes, owner & permissions

Display folder names, attributes, owner & permissions

Read (R)

FileFoldersNTFS Permission

PitBull

• From Argus Systems• Add on to Sun Solaris and IBM AIX • Has features comparable to B2 • Principles:

– Information Compartmentalization – Role Compartmentalization – Least privilege – Kernel-level enforcement

21

Information Compartmentalization

• Preventing any user (inc. root) from viewing or modifying information the user is not cleared for.

• Prevent compromises in one application from being used for attacks against other unrelated applications

• MAC, mandatory access controls• Based on Sensitivity Labels - SLs. • Every object has a SL (including files and

processes) • Some objects can have more than one SL, such

as directories (to specify a range for example)

SLs

• Two components: classifications and compartments

• Classification - hierarchical, such as Top Secret, Secret, Confidential

• Compartments - non-hierarchical • A SL can have any number of

compartments • Example: Top Secret: A, B

22

Dominance relationships

• Dominant, Equal and Disjoint• A process can read but not write any file which it

dominates but does not equal • Writes are permitted if and only if the process's

SL equals the file's SL • Examples:

– A process with a Top Secret SL can read but not write a file with a Confidential SL

– A Top Secret: A process can neither read nor write a Confidential: A B file

Clearance

• A user have three SLs, which form the clearance of the user

• Minimum, default and maximum SL • At login, a user get the default SL, unless

an SL is requested: – login: smith -e "othersl a b"

• Can not change SL while running without special privileges

23

Role Compartmentalization

• Access to a root shell should not give control of the entire system

• Combination of privileges and authorizations • root's old "can do anything"-privilege has been divided

into smaller abilities called privileges – Example: Mounting filesystems, Changing MACs, etc.

• Authorizations are assigned to users • Privileges belong to processes and executable files • If a user is not authorized for a privilege, executing a

privileged file will not help • Different users for configuring hardware, adding users,

changing MACs and SLs.

Least privilege

• A process should only have the minimum necessary privileges

• A user should only have the authorizations necessary to do his duties

24

https-webaProcess: Secret: Web, Server, A

Shared files SL: Confidential: Web, Server

HTML docs for https-weba

SL: Confidential: Web, AOwner: weba

User webaSL: Conf.:

Web, AAuths:LOGINWEBA

EXECENV

https-webbProcess: Secret: Web, Server, B

HTML docs for https-webb

SL: Confidential: Web, BOwner: webb

User webbSL: Conf.:

Web, BAuths:LOGINWEBB

EXECENV

Compartment A Compartment B

PitBull Summary

• Complex to administer • Still relies on the integrity of the kernel

25

Next time

• Data base security