
Systems and Internet Infrastructure Security
Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA

Advanced Systems Security: Ordinary Operating Systems
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab, Computer Science and Engineering Department, Pennsylvania State University
February 2, 2010

Page 2: UNIX and Windows
- If you want to run an application, you have to install one of these
- "UNIX" here encompasses Linux and Mac OS X
- Common understanding: they are insecure. Why?

Page 3: UNIX Access Control
- On files: all objects are files (not exactly true)
- Classical protection system: a limited access matrix with discretionary protection state operations
- A practical model for end users, but it still involves some policy specification

Page 4: UNIX Mode Bits
(diagram; slide body not preserved in this extraction)

Page 5: Windows Access Control
- On objects: arbitrary classes can be defined, and new classes can be defined (Active Directory)
- Classical protection system: full-blown ACLs, even negative ACLs, with discretionary protection state operations
- Not so usable: few people have experience with it

Page 6: Windows Access Control
(diagram; slide body not preserved in this extraction)

Page 7: Vulnerabilities
- A function run by one subject that enables an attacker to gain unauthorized privileges (i.e., the subject's): privilege escalation
- Two views: the subject could do something for the attacker, or the attacker could take over the process
- Either way the attacker can use the subject's privileges, and may use these to compromise an even more privileged subject

Page 8: The Morris Worm
(diagram; slide body not preserved in this extraction)

Page 9: Confused Deputy
- A server process has the privileges necessary to service requests from all its clients
- Can a client trick the server into using its permissions for the client?
- Have the server access an object whose name is supplied by a client

Page 10: Links
(diagram; slide body not preserved in this extraction)

Page 11: Unknown Origin
- A server may use a file under the control of a client
- The client may provide the file by name, or predict the name of a file the server will create or use
- Such a file provides guidance that the server trusts, enabling the client to control how the server runs

Page 12: /tmp Vulnerability
(diagram; slide body not preserved in this extraction)

Page 13: Others
- Overflow (buffer or heap): inject code into the server
- Libraries (path or input): inject code into the server
- TOCTTOU: cause an authorization to pass
- Integer overflow: cause a different control path

Page 14: The OS Will Protect Me
- User-space vulnerabilities are expected; those processes are untrusted
- OS policies will protect the system from harm; only the OS and a few processes need to be trusted
- We just need to specify the access control policy, and we can specify anything we want: we have an access matrix

Page 15: Secrecy
(diagram; slide body not preserved in this extraction)

Page 16: Integrity
(diagram; slide body not preserved in this extraction)

Page 17: Trusted vs. Benign
(diagram; slide body not preserved in this extraction)

Page 18: Protection and Security
- Protection: security goals are met under benign processes; protects against error by a non-malicious entity
- Security: security goals are met under trusted processes; any benign process can come under the control of an attacker; protects against any malicious entity
- For example, a benign process won't accidentally leak a key, but it would under an attacker's control

Page 19: Is Fixing the Policy Enough?
- No, as these systems do not satisfy the reference monitor concept

Page 20: Complete Mediation
- Mediation: does the interface mediate correctly? No; several operations that impact security are ignored
- Mediation on all resources? UNIX: no (no network). Windows: could
- Mediation verifiably? Ha

Page 21: Tamperproof
- Tamperproof: is the reference monitor protected? The operating system is not protected (see rootkits): kernel modules, trusted processes, extensible function; the policy can be modified by untrusted processes (discretionary)
- Tamperproof: is the system TCB protected? We don't really know what the TCB is: all root and setuid processes and the ones they depend on, plus anything an admin runs as root

Page 22: Verification
- Verifiable: is the TCB code base correct? No
- Verifiable: does the protection system enforce the system's security goals? Goals: see Protection vs. Security again

Page 23: Take Away
- Conventional operating systems are insecure
- They run programs that suffer from many types of vulnerabilities
- They are designed to enable protection under benign programs, not to secure a system from a directed attacker
- They do not satisfy the reference monitor concept
- They also fail to implement a mandatory protection system