Systems and Internet Infrastructure Security
Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA

CMPSC443 Introduction to Computer and Network Security
Module: Operating System Security
Professor Patrick McDaniel, Spring 2009
(Page 1)

Page 2: OS Security
- A secure OS should provide at least the following mechanisms:
  - memory protection
  - file protection
  - general object protection
  - access authentication
- How do we go about designing a trusted OS? "Trust" in this context means something different from "secure".

Page 3: Trust vs. Security
- When you get your medication at a pharmacy, you are trusting that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
  - The doctor was correct in prescribing this drug.
  - The FDA vetted the drug through scientific analysis and clinical trials.
  - No maniac has tampered with the bottle.
- The first two are matters of trust; the last is a matter of security.
- An OS needs to perform similar due diligence to achieve trust and security.

Page 4: Access Control Lists
- ACL: a list of the principals that are authorized to have access to some object. Or, more correctly, the list of (principal, rights) pairs attached to the object, i.e. one column of the access matrix.
- [Figure: example ACLs over objects O1, O2, O3 and subjects S1, S2, S3; the entries did not survive extraction.]
- We are going to see a lot of examples of these throughout the semester.

Page 5: ACLs in systems
- ACLs are typically used to implement discretionary access control.
- For example, you define the UNIX file system ACLs using the chmod utility.

Page 6: Discretionary Access Control in the UNIX FS
- The UNIX filesystem implements discretionary access control through file permissions set by the user.
- The set of objects is the files in the filesystem, e.g. /etc/passwd.
- Each file has an owner and a group (the subjects).
  - The owner is typically the creator of the file and the entity in control of the access control policy. Note: this can be overridden by the root user.
- There is an additional subject called "world", which represents everyone else.

Page 7: UNIX filesystem rights
- There are three rights in the UNIX filesystem:
  - READ allows the subject (process) to read the contents of the file.
  - WRITE allows the subject (process) to alter the contents of the file.
  - EXECUTE allows the subject (process) to execute the contents of the file (e.g. a shell program or an executable).
- Q: Why is execute a right?
- Q: Does the right to read a program implicitly give you ... (the rest of the question is missing from the extracted text)

Page 8: The UNIX FS access policy
- Really, this is a bit string encoding an access matrix, e.g. rwx rwx rwx for owner, group, and world respectively.
- A policy is encoded as r, w, x if the right is enabled and - if not. E.g. rwxrw---x says the owner can read, write, and execute; the group can read and write; and the world can execute only.

Page 9: Caveats: UNIX Filesystem
- Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, for example). The reasons for this are quite esoteric.
- The preceding policy may appear to be contradictory: a member of the group does not have execute rights, but members of the world do, so a user appears to be both allowed and prohibited from execute access.
- Not really: these policies are monotonic. The absence of a right does not mean that the subject should not get access at all, just that that particular identity (e.g. group member, world) should not be given that right.
- In practice the kernel consults exactly one triple for a given process: the owner bits if the process's uid matches the file owner, otherwise the group bits if the process is in the file's group, otherwise the world bits. The triples are not unioned, so a group member is governed by the group bits even when the world bits are more permissive.

Page 10: Windows Vista Integrity
- Integrity protection for writing.
- Defines a series of protection levels of increasing protection: untrusted (lowest), low (Internet), medium (user), high (admin), system (installer; highest).
- Semantics: if the subject's (process's) integrity level dominates the object's integrity level, then the write is allowed.

Page 11: Vista Integrity
- Does Vista Integrity protect the integrity of J's public key file, O2?
- Access matrix from the slide (R = read, W = write, N = no access):

        O1    O2    O3
   J    R     RW    RW
   S2   N     R     RW
   S3   N     R     RW

Page 12: UID Transition: Setuid
- A special bit in the mode bits.
- Execute the file: the resulting process has the effective (and fs) UID/GID of the file owner.
- Enables a user to escalate privilege for executing a trusted service.
- Downside: the user defines the execution environment (e.g. environment variables, input arguments, open descriptors, etc.). The service must protect itself, or the user can gain root access.
- All UNIX services involve root processes, many via setuid.

Page 13: /tmp Vulnerability
- creat(pathname, mode) creates (or truncates) a file; it is equivalent to open(pathname, O_WRONLY|O_CREAT|O_TRUNC, mode) and never checks for an existing file. The O_EXCL flag to open(), combined with O_CREAT, makes it an error if the file already exists.
- Potential attack:
  - The attacker creates a file in the shared space /tmp.
  - Gives it a filename used by a higher-authority service.
  - Makes sure that the service has permission to the file.
  - If the service creates the file without O_EXCL, the attacker can share the file with the higher-authority process.

Page 14: Other Vulnerabilities
- Objects without sufficient control: Windows registry, network.
- Libraries: load order permits malware-defined libraries.
- Executables are everywhere: web content, email, documents (Word).
- Labeling is wrong: mount a new file system or device.
- Malware can modify your permissions: inherent to the discretionary model.

Page 15: Sandboxing
- An execution environment for programs that contains a limited set of rights.
- A subset of your permissions that meets secrecy and integrity goals.
- Cannot be changed by the running program (mandatory).

Page 16: UNIX chroot
- Creates a domain in which a process is confined.
- The process can only read/write within the file system subtree.
- Applies to all descendant processes.
- Open file descriptors can be carried into the chroot jail.

Page 17: chroot Vulnerability
- Unfortunately, chroot can be tricked by its own system: define a passwd file at newroot/etc/passwd and run su; su thinks that this is the real passwd file and gives root access.
- Use mknod to create a device file to access physical memory.
- Setup requires great care:
  - Never run the chrooted process as root; it must not be able to get root privileges.
  - The chrooted process (user) must have no control over the contents of the jail.
  - Be careful about descriptors (open sockets, IPC) that may be available inside the jail.
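The following is an added worked example (not code from the lecture) for the UNIX access policy of Pages 8 and 9: it parses the slide's rwxrw---x policy string into mode bits and evaluates requests the way the kernel does, picking exactly one of the owner/group/world triples. The owner uid 1000 and group gid 100 are assumed for illustration; the slide names neither.

```c
/* unix_dac.c: parse an ls-style policy such as "rwxrw---x" into mode bits and
 * decide access the way the UNIX kernel does.  Added example, not slide code;
 * the owner uid 1000 and group gid 100 below are assumed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define R_BIT 4   /* read    */
#define W_BIT 2   /* write   */
#define X_BIT 1   /* execute */

/* Per-file DAC state: owner, group and the nine rwx bits (owner<<6 | group<<3 | world). */
struct file_dac { uid_t owner; gid_t group; mode_t mode; };

/* Process credentials: uid plus its group list. */
struct creds { uid_t uid; const gid_t *groups; size_t ngroups; };

/* Parse "rwxrw---x" (owner, group, world triples) into mode bits.
 * Returns false on malformed input (wrong length or a stray character). */
bool parse_policy(const char *s, mode_t *out) {
    if (strlen(s) != 9) return false;
    mode_t m = 0;
    for (int i = 0; i < 9; i++) {
        char want = "rwx"[i % 3];
        if (s[i] == want) m |= (mode_t)1 << (8 - i);
        else if (s[i] != '-') return false;
    }
    *out = m;
    return true;
}

/* Convenience: mode bits for a policy string, or (mode_t)-1 if malformed. */
mode_t policy_mode(const char *s) {
    mode_t m;
    return parse_policy(s, &m) ? m : (mode_t)-1;
}

static bool in_group(const struct creds *c, gid_t gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Grant 'want' (OR of R_BIT/W_BIT/X_BIT) only if every requested bit is set in
 * the one class that applies: owner bits if the uid matches, else group bits if
 * the process is in the file's group, else world bits.  Classes are not unioned,
 * so a group member denied x by the group triple stays denied even when the
 * world triple grants it. */
bool unix_access(const struct file_dac *f, const struct creds *c, unsigned want) {
    unsigned shift;
    if (c->uid == f->owner)         shift = 6;
    else if (in_group(c, f->group)) shift = 3;
    else                            shift = 0;
    unsigned bits = (unsigned)(f->mode >> shift) & 7u;
    return (bits & want) == want;
}

/* The slide's policy, rwxrw---x, on a file owned by uid 1000 and group 100
 * (assumed ids), evaluated for a process with the given uid and one group. */
bool slide_policy_allows(uid_t uid, gid_t gid, unsigned want) {
    struct file_dac f = { 1000, 100, 0 };
    if (!parse_policy("rwxrw---x", &f.mode)) return false;
    gid_t groups[1] = { gid };
    struct creds c = { uid, groups, 1 };
    return unix_access(&f, &c, want);
}
```

Running slide_policy_allows for a process with uid 1001 in group 100 shows the Page 9 caveat concretely: the group triple (rw-) governs it, so execute is refused even though the world triple grants x, while a process with uid 2000 in group 200 falls through to the world triple and may execute but not read.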
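The next block is an added example (not from the slides) of the /tmp attack on Page 13, played out end to end: an attacker pre-plants a symlink under the name a higher-authority service is known to use, the creat()-based service follows it and clobbers the victim file, and the O_CREAT|O_EXCL version refuses the planted name. It assumes a private scratch directory created with mkdtemp(3) standing in for /tmp, and a constructed file victim.conf standing in for something only the service may write.

```c
/* tmp_excl.c: the shared-name attack from the /tmp Vulnerability slide, run in a
 * private scratch directory so it is self-contained.  Added example, not slide code.
 * Assumptions: "victim.conf" stands in for a file the higher-authority service may
 * write; the attacker can only create names in the shared directory. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum outcome { OUTCOME_ERROR = -1, OUTCOME_REFUSED = 0, OUTCOME_WROTE = 1 };

/* A private stand-in for /tmp; mkdtemp(3) itself creates exclusively. */
static int make_shared_dir(char *buf, size_t n) {
    const char *bases[] = { getenv("TMPDIR"), "/tmp", "." };
    for (size_t i = 0; i < 3; i++) {
        if (!bases[i] || !*bases[i]) continue;
        snprintf(buf, n, "%s/shared.XXXXXX", bases[i]);
        if (mkdtemp(buf)) return 0;
    }
    return -1;
}

static int write_all(int fd, const char *s) {
    size_t len = strlen(s);
    return write(fd, s, len) == (ssize_t)len ? 0 : -1;
}

/* Attacker step: plant a symlink under the name the service is known to use,
 * pointing at the victim file the service has permission to write. */
static int attacker_plant(const char *name, const char *victim) {
    return symlink(victim, name);
}

/* Vulnerable service: creat(2) is open(O_WRONLY|O_CREAT|O_TRUNC) with no O_EXCL,
 * so it follows the planted link, truncates the victim and writes into it,
 * believing it created a fresh private file. */
static enum outcome vulnerable_service(const char *name) {
    int fd = creat(name, 0600);
    if (fd < 0) return OUTCOME_ERROR;
    int rc = write_all(fd, "service output\n");
    close(fd);
    return rc ? OUTCOME_ERROR : OUTCOME_WROTE;
}

/* Hardened service: O_CREAT|O_EXCL fails with EEXIST when anything already sits
 * at the name, a symlink included (even a dangling one), so a pre-planted name
 * is refused instead of followed.  O_NOFOLLOW adds nothing here but documents intent. */
static enum outcome hardened_service(const char *name) {
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return errno == EEXIST ? OUTCOME_REFUSED : OUTCOME_ERROR;
    int rc = write_all(fd, "service output\n");
    close(fd);
    return rc ? OUTCOME_ERROR : OUTCOME_WROTE;
}

/* Does the victim still hold its original content? */
static int victim_intact(const char *victim, const char *expected) {
    char buf[64] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Run the attack against both services.  Returns 1 when the creat() service
 * clobbered the victim and the O_EXCL service refused the planted name,
 * 0 if either behaved otherwise, -1 on setup failure. */
int run_tmp_demo(void) {
    char dir[256], victim[320], name[320];
    int result = -1, fd, clobbered = 0;
    enum outcome v = OUTCOME_ERROR, h = OUTCOME_ERROR;
    if (make_shared_dir(dir, sizeof dir) < 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(name, sizeof name, "%s/service.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* the victim's real content */
    if (fd < 0) goto out;
    if (write_all(fd, "original config\n") < 0) { close(fd); goto out; }
    close(fd);
    if (attacker_plant(name, victim) < 0) goto out;
    v = vulnerable_service(name);
    clobbered = !victim_intact(victim, "original config\n");
    h = hardened_service(name);                 /* the planted link is still there */
    result = (v == OUTCOME_WROTE && clobbered && h == OUTCOME_REFUSED) ? 1 : 0;
out:
    unlink(name);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

The refusal is the whole defence: the hardened service must treat EEXIST as an attack signal (or retry with a fresh random name via mkstemp(3)), not fall back to opening the existing file.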
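As an added example (not part of the lecture) covering both the Setuid slide's warning that "the service must protect itself" (Page 12) and the chroot setup rules (Pages 16 and 17), here is the startup hygiene a setuid or jailed service can apply: scrub the attacker-controlled environment, make sure descriptors 0..2 exist, close inherited descriptors so none are carried into the jail, enter the jail in the safe order, and drop root irrevocably. The hostile environment variables in demo_setuid_hygiene are constructed inputs, and SAFE_PATH is an assumed value; the jail entry itself needs root, so the demo exercises only the environment and privilege-drop paths.

```c
/* setuid_hygiene.c: self-protection for a setuid service and safe chroot entry.
 * Added example, not slide code.  SAFE_PATH and the hostile variables used in
 * the demo are assumed/constructed values. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;
#define SAFE_PATH "/usr/bin:/bin"   /* assumed: pick what the service really needs */

/* Remove every variable whose name starts with prefix (e.g. "LD_" covers
 * LD_PRELOAD and LD_LIBRARY_PATH).  unsetenv shifts environ, so only advance
 * the index when nothing was removed. */
static void unset_prefix(const char *prefix) {
    size_t plen = strlen(prefix);
    for (size_t i = 0; environ && environ[i]; ) {
        if (strncmp(environ[i], prefix, plen) != 0) { i++; continue; }
        const char *eq = strchr(environ[i], '=');
        size_t len = eq ? (size_t)(eq - environ[i]) : strlen(environ[i]);
        char name[256];
        if (len >= sizeof name) { i++; continue; }
        memcpy(name, environ[i], len); name[len] = '\0';
        char *before = environ[i];
        unsetenv(name);
        if (environ[i] == before) i++;   /* not removed; skip it */
    }
}

/* The caller chose our environment (Page 12), so replace the parts that change
 * how libraries load and how the shell parses before trusting any of it. */
void sanitize_environment(void) {
    unset_prefix("LD_");
    unset_prefix("DYLD_");
    const char *dangerous[] = { "IFS", "ENV", "BASH_ENV", "CDPATH", "PYTHONPATH", "PERL5LIB" };
    for (size_t i = 0; i < sizeof dangerous / sizeof dangerous[0]; i++) unsetenv(dangerous[i]);
    setenv("PATH", SAFE_PATH, 1);
}

/* A caller may start us with stdin/stdout/stderr closed so that our next open()
 * lands on fd 0..2 and our diagnostics are written into it.  Fill the holes. */
int ensure_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF) continue;
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd) return -1;
    }
    return 0;
}

/* Close everything above stderr so no inherited descriptor rides into the jail. */
void close_fds_from(int lowfd) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = lowfd; fd < max; fd++) close(fd);
}

/* Drop to uid/gid permanently.  Order matters: groups and gid while still root,
 * uid last; then verify root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;   /* drop did not stick */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Enter a chroot jail the safe way: chdir first so the cwd is inside, chroot,
 * re-chdir to the new root, then give up root so the Page 17 tricks (a planted
 * etc/passwd for su, mknod of a memory device) have no privilege to exploit. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (uid == 0) { errno = EINVAL; return -1; }   /* never stay root inside */
    close_fds_from(3);
    if (chdir(dir) < 0 || chroot(".") < 0 || chdir("/") < 0) return -1;
    return drop_privileges(uid, gid);
}

/* Demo: a constructed hostile environment such as an attacker invoking a setuid
 * binary could supply.  Returns 1 if sanitization and a no-op privilege drop behave. */
int demo_setuid_hygiene(void) {
    setenv("LD_PRELOAD", "/home/attacker/evil.so", 1);     /* constructed */
    setenv("IFS", " \t\n/", 1);                             /* constructed */
    setenv("PATH", "/home/attacker/bin:/usr/bin", 1);       /* constructed */
    sanitize_environment();
    if (getenv("LD_PRELOAD") || getenv("IFS")) return 0;
    if (!getenv("PATH") || strcmp(getenv("PATH"), SAFE_PATH) != 0) return 0;
    if (ensure_std_fds() < 0) return 0;
    if (drop_privileges(getuid(), getgid()) != 0) return 0;   /* no-op, but exercises the checks */
    return geteuid() == getuid() && getegid() == getgid();
}
```

Note the jail is only as strong as its contents: enter_jail drops root precisely because a chrooted root can still create device nodes or feed a fake passwd file to su, as the slide describes, and it closes inherited descriptors because a descriptor opened outside the jail keeps pointing outside it.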

