Tuomas Aura T-110.4206 Information security technology Operating system security Aalto University,...
-
Upload
alban-sullivan -
Category
Documents
-
view
213 -
download
0
Transcript of Tuomas Aura T-110.4206 Information security technology Operating system security Aalto University,...
Tuomas AuraT-110.4206 Information security technology
Operating system security
Aalto University, autumn 2011
2
OutlineAccess control models in operating systems:1. Unix2. Windows
Acknowledgements: This lecture material is based on a joint course with Dieter Gollmann.
UNIX ACCESS CONTROL
3
4
Principals Users and groups are the principals Users have username and user identifier (UID) Groups have group name group identifier (GID) UID and GID are usually 16-bit numbers
0 = root19057 = aura100 = users
Both names and identifiers are permanent; difficult to change once selected
UID values differ from system to system Superuser (root) UID is always zero
5
User accounts User accounts are stored in /etc/passwd User account format:
username:password:UID:GID:name:homedir:shell Example:
root:7kSSI2k.Df:0:0:root:/root:/bin/bashmail:x:8:12:mail:/var/spool/mail:news:x:9:13:news:/var/spool/news:ace:69geDfelkw:500:103:Alice:/home/ace:/bin/bashcarol:7fkKdefh3d:501:102:Carol:/home/carol:/bin/nologintuomas:*:502:102:Tuomas Aura:/home/tuomas:/bin/tcshal::503:102::/home/al:/bin/bashdieter:RT.QsZEEsxT92:10026:53:Dieter Gollmann:/home/staff/dieter:/bin/bash
7
Superuser The superuser is a special privileged principal
with UID 0 and usually the user name root There are few restrictions on the superuser
– All security checks are turned off for the superuser – The superuser can become any other user
Examples:– The superuser cannot write to a read-only file
system but can remount it as writeable– The superuser cannot decrypt passwords (because
they are hash values) but can reset them
8
Groups Users belong to one or more groups The file /etc/group contains a list of all groups;
file entry format: groupname:password:GID:list of users
Example: infosecwww:*:209:carol,al
Every user belongs to a primary group; the group ID (GID) of the primary group is stored in /etc/passwd
Depending on the Unix OS, user can belong to only one or many groups at the same time
Usually only superuser can add groups and members
9
Subjects The subjects in Unix are processes; a process
has a process ID (PID) Processes can create new processes Processes have a real UID and an effective UID
(similarly for GID) Real UID/GID: inherited from the parent;
typically UID/GID of the user logged in Effective UID/GID: inherited from the parent
process or from the file being executed
10
ExampleUID GID
Process real effective real effective/bin/login root root system system
User dieter logs on; the login process verifies the password and (with its superuser rights) changes its UID and GID:/bin/login dieter dieter staff staff
The login process executes the user’s login shell:/bin/bash dieter dieter staff staff
From the shell, the user executes a command, e.g. ls/bin/ls dieter dieter staff staff
The user executes command passwd to change his password:/bin/passwd dieter root staff system
11
Objects Files, directories, devices are uniformly
treated as resources– These resources are the objects of access control – The resources are organized in a tree-structured
file system Each file entry in a directory is a pointer to a
data structure called inode Inode stores information about the owner
user and group, and permissions
12
Information about objects
Example: directory listing with ls -l -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.texdrwx------ 2 dieter staff 512 Oct 25 17:44 ads/
File type: first character‘-’ file ‘d’ directory ‘s’ socket ‘b’ block device file ‘l’ symbolic link‘c’ character device file ‘p’ FIFO pipe
File permissions: next nine characters Link counter: the number of links (i.e. directory
entries pointing) to the inode
13
Information about objects
-rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 my.texdrwx------ 2 dieter staff 512 Oct 25 17:44 ads/
Username of the owner: usually the user that has created the file
Group: a newly created file usually belongs to its creator’s group
File size, modification time, filename Owner and root can change permissions (chmod);
root can change the file owner and group (chown) Filename is stored in the directory, not in inode
14
File permissions Permission bits are grouped in three triples that
define read, write, and execute access for owner, group, and other
A ‘-’ indicates that a right is not granted. rw-r--r-- read and write access for the owner,
read access for group and other rwx------ read, write, and execute access for the
owner, no rights to group and other
15
File permissions When ls –l displays a SUID program, the
execute permission of the owner is given ass instead of x:
-rws--x—x 3 root bin 16384 Nov 16 1996 passwd*
When ls –l displays a SGID program, the execute permission of the group is given ass instead of x
16
Octal representation File permissions can also be specified as octal
numbers Examples: rw-r--r-- is equivalent to 644; rwxrwxrwx is equivalent to 777
Conversion table: 0040 read by group 4000 set UID on execution0020 write by group 2000 set GID on execution0010 execute by group 1000 set sticky bit0004 read by other 0400 read by owner0002 write by other 0200 write by owner0001 execute by other 0100 execute by owner
17
Access control decisions Access control uses the effective UID/GID:
– If the subject’s UID owns the file, the permission bits for owner decide whether access is granted
– If the subject’s UID does not own the file but its GID does, the permission bits for group decide whether access is granted
– If the subject’s UID and GID do not own the file, the permission bits for other (also called world) decide whether access is granted
Note that although the permission bits may give the owner less access than to others, the owner can always change the permissions (discretionary access control)
18
Permissions for directories Read permission: to find which files are in the
directory, e.g. for executing ls Write permission: to add files to and remove
files from the directory Execute permission: to make the directory the
current directory (cd) and for opening files inside the directory
E.g. every user has a home directory for which correct permissions for the directory are required
19
Sticky bit Job queues for printing etc., are often implemented as a
world-writable directories; anyone can add a file Problem: anyone can also delete files
– Solution: sticky bit on a directory restricts the deletion of files in that directory only to the file owners (and the superuser)
Another problem: either the files in the print queue need to be readable to everyone or the print daemon needs to run as root– Solution: in Linux, SGID bit on a directory means that new files
inherit their group from the directory, not from the user who creates them; can create a special group for the print daemon
(Sticky bit originally indicated that a process should not be swapped to disk. Its use varies between Unix versions.)
20
Default permissions Unix utilities typically use default permissions 666 for a new
data file and 777 for a new program file Permissions can be restricted with umask: a three-digit octal
number specifying the rights that should be withheld File permissions = default AND (NOT umask)
Sensible umask values:– 022: all permissions for the owner, read and execute permission for
group and other– 037: all permissions for the owner, read permission for group, no
permissions for other– 077: all permissions for the owner, no permissions for group and
other Example: default permissions 666, umask 077 permissions
for new file 0600
23
Unix access control — dicsussion Limitations:
– Files have only one owner and group– Complex policies, e.g. access to several groups, are
impractical to implement– Superuser needed for maintaining groups– All access rights (e.g. shutdown, create user) must be
mapped to files access and to read, write and execute permissions
Relatively simple and widely understood Relatively easy to check the protection state Unix versions may implement additional access
control features
24
WINDOWS ACCESS CONTROL
Windows Security Model Principals = users, machines, groups,… Objects = files, Registry keys, printers, … Each object has an discretionary access control
list (DACL) The active subjects are processes and threads Each process (or thread) has an access token When is a process allowed to access an object?
– Object DACL is compared with the process’s security token when creating a handle to the object
25
26
Security indentifier Principal names: machine\principal or domain\principal
– Aalto\Alice, pc3\Administrators, plover\aura = Tuomas Aura Each principal has a unique security identifier (SID)
– Names may change; SID is permanent User SIDs:
– S-1-5-21-961468069-954667678-1722769278-1002 = Alice
– S-1-5-21-961468069-954667678-1722769278-500 = Administrator
– Typical way to create unique use SIDs:S-1-5 + machine or domain id + relative id
Well-known SIDs:– S-1-5-18 = Local System, S-1-1-0 = Everyone, S-1-5-domain-513 =
Domain Users, etc.
27
Windows domains Windows machine has a Local Security Authority (LSA), which
can create local users and local groups (=aliases)– Local principals are stored in Registry
A Windows server can become a Domain Controller (DC), and other machines can join its domain
Domain administrators manage the domain users and groups centrally at the DC– Domain principals are stored in Active Directory– Names: domain\principal or principal@domain
DC provides authentication services to other machines– Domain user can log into any domain-joined machine– Kerberos protocol used for distributed authentication
In large organizations, DCs and domains can form a hierarchy
Access token Each process has an access token (=security token) Token contains
– Login user account SID (the process “runs as” this user)– SIDs of all groups in which the user is a member (recursively)– All privileges assigned to these groups– etc.
Privileges are special local access rights: – Backup, audit security log, take ownership, trusted for delegation,
debugging, performance profiling, shutdown. etc. Groups can be built-in or defined by admins:
– Users, Administrators, Remote Desktop Users– Sales, Security Lab, Researchers, Europe Employees
Token never changes after it has been created– Reliability, efficiency vs. revocation speed
Tokens for child processes may be restricted 28
Objects Objects: files, folder, Registry and AD objects,
printers, processes...– Objects can be containers for other objects
Securable objects have a security descriptor, which contains the DACL
Object also has an owner (identified by SID), who has the implicit right to read and write the DACL (discretionary access control)
31
32
Permissions Permissions are actions that apply to each
object class Some generic permissions are defined for all
objects: read, write, execute, all, delete, etc. Specific permissions are defined for each
class: Append, AddSubDir, CreateThread,etc. Permissions are encoded as a 32-bit mask Object DACL specifies which principals (SIDs)
have which permissions
34
DACL example
This ACL grants read access but no write access to the user Tuomaura
Negative access control entries (ACEs) are placed before positive ones
ACE1 - Tuomaura WriteACE2 + Diego Full ControlACE2 + Lecturers Read, WriteACE4 + EVERYONE Read
35
Viewing the DACL and ACEs Right-click on a file;
select Properties/Security
Click on Advanced to see the entire security descriptor
DACL (ACEs)DACL (ACEs)
Permissions for the selected ACEPermissions for the selected ACE
36
Access check algorithm Process specifies the desired access (requested
permissions) when creating a handle to the object Privileges or implicit owner permissions may
alone be sufficient to grant access Otherwise, check DACL as follows:
– Look for ACEs that match (1) any SID in the subjects token and (2) any desired access right
– If any negative ACE matches, deny access– If positive ACEs are found for all requested
permissions, grant access– If the end of DACL is reached, deny access
37
Performance and reliability Access rights are determined at login time
– The user’s group SIDs are cached in the token of the login process, and sub-processes get a copy of the token
– The token contents will not change even if a membership or privilege is revoked from a SID
Desired access is compared against the token and DACL when creating a handle to the object – not at access time– Changing file DACL does not affect open file handles
Consequences: – Better performance– Better reliability because a process knows in advance whether
it has sufficient access rights for a task– No immediate revocation of access rights
38
ACE inheritance
Container objects can have inheritable ACEs Inherited ACEs are copied to the end of sub-object DACLs; aces on
the sub-object can override them Inherited ACEs are updated if the original changes
Folder
File A File B
+ Diego Read, Write Flags: OBJECT_INHERIT
- Diego Write
+ Diego Read, Write
Flags: INHERITED_ACE
+ Diego Read, Write
Flags: INHERITED_ACE
40
Inheriting negative ACEs
Inherited negative ACEs can end up after positive ACEs; it is possible to override inherited negative ACEs
Folder
File A File B
- Tuomaura Read Flags: OBJECT_INHERIT
+ Tuomaura Read
- Tuomaura Read
Flags: INHERITED_ACE
- Tuomaura Read
Flags: INHERITED_ACE
42
DACL_PROTECTED
Blocking inheritance
Folder X
Folder Y Folder Z
+ Diego Read Flags: OBJECT_INHERIT
File A File B
+ Diego Read, Write
Flag: INHERITED_ACE
+ Diego Read
Flag: INHERITED_ ACE, INHERIT_ONLY
44
Advanced inheritance Object hierarchies with inheritance:
NTFS, Registry, Active Directory, … Inheritable ACEs can apply to only leaf objects or only to
containers Similarly, inheritable ACEs can apply to all objects or only to a
specific object type Special CREATOR_OWNER SID indicates that the ACE matches to
the owner of the object Inheritance simplifies system administration but very few people
understand or use it Performance:
– Inherited ACEs are cached in sub-object DACLs to make access control decisions faster
– Changing permissions on the top levels of a deep object hierarchy is a slow process; done rarely in applications
46
Restricted tokens A process might not always need or want all
the rights given by the token Process may create a restricted token
– remove privileges– disable groups: change SIDs to deny-only groups,
which are not deleted but marked as USE_FOR_DENY_ONLY
– add restricted SIDs; a second list of SIDs that is also compared against DACLs
Process can assign restricted tokens to its child processes or threads (= impersonation)
EXAMPLE: IMPLEMENTING THE PRINCIPLE OF LEAST PRIVILEGE
47
48
Unix: applying controlled invocation Sensitive resources, like a web server, can be
protected by combining ownership, permission bits, and SUID programs:– Create a new UID that owns the resource and all
programs that need access to the resource– Only the owner gets access permission to the
resource – Define all the programs that access the resource
as SUID programs
49
Windows: using restricted SIDs To limit a program’s access to a set of objects
– create a new SID– run the program with the new SID as a restricted
SID– add the new SID to the DACL on objects that the
program is allowed to access
50
Reading material Dieter Gollmann: Computer Security, 2nd ed., chapter 6 Matt Bishop: Introduction to computer security, chapter
25 Ross Anderson: Security Engineering, 2nd ed., chapter 4 Online:
– Wayne Pollock, Unix File and Directory Permissions and Modes http://content.hccfl.edu/pollock/AUnix1/FilePermissions.htm
– John R. Michener, Understanding Windows File And Registry Permissions, MSDN Magazine, Nov 2008http://msdn.microsoft.com/en-us/magazine/cc982153.aspx
51
Exercises: Unix Create a subdirectory in your home directory and put
a file welcome.txt in this subdirectory. Set permission bits on the subdirectory so that the owner has execute access. Try to– list the subdirectory– display the contents of welcome.txt– create a copy of welcome.txt in the subdirectory.– make the subdirectory the current directory with cd
Repeat the same experiment first with read permission and then with write permission on the subdirectory
How would you protect a tty device from other users?
52
Exercises: Windows How can Unix file permissions can be expressed with Windows ACLs? Assume Fred is member of group Lecturers. Who gets access to an object
with DACLs1. [+,Fred,READ], [-, Lecturers,READ] ?2. [-,Fred,READ], [+, Lecturers,READ] ?3. [-, Lecturers,READ], [+,Fred,READ] ?
When a new object is created, how is its security descriptor ‘populated’? Tokens are objects. How does access control for tokens work? What is the time-of-check-to-time-of-use (TOCTTOU) issue? Where does
this create potential problems in the Windows file system? There is no API for giving file ownership to others. Administrators have
backup and restore privileges. What trick can they use to change file owner?
Changing permissions on a top-level folder in the NTFS file system (such as C:\ or C:\Program Files) is very slow operation. This is actually a performance optimization. Explain why.