CSE 543 - Computer (and Network) Security (Fall 2006) - Professor Jaeger
Lecture 12 - OS Security
October 17, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

OS Security
• A secure OS should provide the following mechanisms
  – Memory protection
  – File protection
  – General object protection
  – Access authentication
• How do we go about designing a trusted OS?
• "Trust" in this context means something different from "secure"

Trust vs. Security
• When you get your medication at a pharmacy, you are "trusting" that it is appropriate for the condition you are addressing. In effect, you are arguing internally:
  – The doctor was correct in prescribing this drug
  – The FDA vetted the drug through scientific analysis and clinical trials
  – No maniac has tampered with the bottle
• The first two are matters of "trust", and the last is a matter of "security"
• An OS needs to perform similar due diligence to achieve "trust" and "security"

Access Control Lists
• ACL: a list of the principals that are authorized to have access to some object.
• E.g., the row of the access matrix for object O2:

        S1   S2   S3
    O2  Y    Y    Y

• Or more correctly, one list per object:

    O1: S1
    O2: S1, S2, S3
    O3: S3
• We are going to see a lot of examples of these throughout the semester.

ACLs in Systems
• ACLs are typically used to implement discretionary access control
• For example: you define the UNIX file system ACLs using the chmod utility ...

Discretionary Access Control in the UNIX FS
• The UNIX filesystem implements discretionary access control through file permissions set by the user
• The set of objects is the files in the filesystem,
  – e.g., /etc/passwd
• Each file has an owner and a group (subjects)
  – The owner is typically the creator of the file, and the entity in control of the access control policy
  – Note: this can be overridden by the "root" user
• There is an additional subject called world, which represents everyone else

UNIX Filesystem Rights ...
• There are three rights in the UNIX filesystem
  – READ - allows the subject (process) to read the contents of the file.
  – WRITE - allows the subject (process) to alter the contents of the file.
  – EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, ...)
• Q: why is execute a right?
• Q: does the right to read a program implicitly give you the right to execute it?

The UNIX FS Access Policy
• Really, this is a bit string encoding one row of the access matrix: three rights for each of three identity classes
• E.g.,

    User   Group   World
    rwx    rwx     rwx

• A policy is encoded as "r", "w", "x" if the right is enabled, and "-" if not, e.g.,

    rwxrw---x

• Says the user (owner) can read, write and execute, the group can read and write, and world can execute only.

Caveats: UNIX Filesystem
• Access is often not really this easy: you need to have certain rights to parent directories to access a file (execute, i.e. search, on every directory along the path)
  – The reasons for this are quite esoteric
• The preceding policy may appear to be contradictory
  – A member of the group does not have execute rights, but members of the world do, so ...
  – A user appears to be both allowed and prohibited from executing access
  – Not really: a subject is checked against exactly one identity class, the most specific one that matches it (owner, else group member, else world), and receives that class's rights; the other classes' bits never apply to that subject. The absence of a right therefore does not mean the subject is denied access altogether, just that that particular identity (e.g., group member, world) is not given that right.

Capabilities
• A capability is the tuple (object, rights)
• A capability system implements access control by checking if the process has an appropriate capability
  – Simple, right?
  – This is a little like a ticket in the Kerberos system
• Q: Does this eliminate the need for authentication?

Capabilities (cont.)
• A: Well, yes and no ...
• Capabilities remove the overhead of managing per-object rights, but add the overhead of managing capabilities
• Moreover, to get any real security, they have to be unforgeable
  – Hardware tags (to protect capabilities)
  – Protected address space/registers
  – Language-based techniques
    • Enforce access restrictions on caps.
  – Cryptography
    • Make them unforgeable

Real OS Capabilities
• The OS kernel manages capabilities in the process table, out of reach of the process
• Capabilities are added by user requests (that comply with policy)

    [Figure: the process table entry for Process Z points to its C-List, a list of (rights, object) pairs: RX A, W B, X C, R D, W E, ... over objects A, B, C, D, ...]
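The UNIX mode-bit policy and its two caveats (search rights on every parent directory, and the "apparently contradictory" rwxrw---x policy) as a runnable model. This is an added example, not code from the lecture: the in-memory filesystem, the principals alice/bob/carol and every mode string below are constructed, and the root-override rule for execute is the one Linux applies for CAP_DAC_OVERRIDE.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the lecture): a toy model of UNIX discretionary access
# control.  The filesystem, principals and mode strings below are constructed.

CLASSES = ("user", "group", "world")


def parse_mode(mode: str) -> dict:
    """Split a nine-character mode string such as 'rwxrw---x' into the rights
    granted to each identity class ('-' means the right is not granted)."""
    if len(mode) != 9:
        raise ValueError("mode must be nine characters, e.g. rwxrw---x")
    return {
        cls: {r for r, ch in zip("rwx", mode[3 * i:3 * i + 3]) if ch == r}
        for i, cls in enumerate(CLASSES)
    }


@dataclass
class Node:
    owner: str
    group: str
    mode: str
    children: Optional[dict] = None  # None for a file, {name: Node} for a directory

    @property
    def is_dir(self) -> bool:
        return self.children is not None


@dataclass(frozen=True)
class Subject:
    uid: str
    groups: frozenset


def identity_class(subject: Subject, node: Node) -> str:
    """The single class a subject is checked against: owner, else group member,
    else world.  The bits of the other two classes never apply to this subject."""
    if subject.uid == node.owner:
        return "user"
    if node.group in subject.groups:
        return "group"
    return "world"


def rights_on(subject: Subject, node: Node) -> set:
    """Rights the subject holds on one object.  root overrides DAC for read and
    write; for execute it still needs a directory or at least one x bit set
    (the rule Linux applies for CAP_DAC_OVERRIDE)."""
    bits = parse_mode(node.mode)
    if subject.uid == "root":
        any_x = node.is_dir or any("x" in b for b in bits.values())
        return {"r", "w"} | ({"x"} if any_x else set())
    return bits[identity_class(subject, node)]


def check(fs_root: Node, path: str, subject: Subject, right: str) -> bool:
    """The full access decision: search (x) on every directory traversed,
    including the root, then `right` on the final object."""
    node = fs_root
    for name in [p for p in path.split("/") if p]:
        if not node.is_dir or "x" not in rights_on(subject, node):
            return False
        node = node.children.get(name)
        if node is None:
            return False
    return right in rights_on(subject, node)


# Constructed filesystem; /home/alice/tool carries the slide's policy rwxrw---x.
FS = Node("root", "root", "rwxr-xr-x", {
    "etc": Node("root", "root", "rwxr-xr-x", {
        "passwd": Node("root", "root", "rw-r--r--"),
        "shadow": Node("root", "shadow", "r--r-----"),
    }),
    "home": Node("root", "root", "rwxr-xr-x", {
        "alice": Node("alice", "staff", "rwxr-x--x", {
            "tool": Node("alice", "staff", "rwxrw---x"),
            "private": Node("alice", "staff", "rwx------", {
                "notes": Node("alice", "staff", "rw-rw-rw-"),
            }),
        }),
    }),
})

ALICE = Subject("alice", frozenset({"staff"}))  # owner of tool
BOB = Subject("bob", frozenset({"staff"}))      # group member, not owner
CAROL = Subject("carol", frozenset({"users"}))  # world
ROOT = Subject("root", frozenset({"root"}))

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.uid, "execute /home/alice/tool:", check(FS, "/home/alice/tool", who, "x"))
    print("bob read world-readable notes behind an rwx------ directory:",
          check(FS, "/home/alice/private/notes", BOB, "r"))
```

Running it shows the slide's point: bob, a group member, is evaluated only against the group triplet and cannot execute tool, while carol, who is world, can; neither decision contradicts the other because only one class ever applies to a given subject. The last line shows the directory caveat: notes is rw-rw-rw-, but bob never reaches it because he lacks search on /home/alice/private.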
User Space Capability?
• Well, what are the requirements?
  – Authenticity/integrity - we do not want a malicious process to forge capabilities
• Start with the data itself: [object, rights]
  – The object is typically encoded with an identifier, or by some other tag (capabilities are sometimes known as tags)
  – The rights are often fixed (read, modify, write, execute, etc.)
• Now, do what you do with any other data (assume the kernel has a secret key k):

    E(k, [Oi, r1, r2, ... rn])

• What's wrong with this construction (I got it from the website of one of the experts in the area)?

The Right Construction
• Encryption does not provide authenticity/integrity, it provides confidentiality

    [Oi, r1, r2, ... rn], HMAC(k, [Oi, r1, r2, ... rn])

• So how would you attack the preceding construction?

A (Fictional) Capability Example
• We use the "ls -lt" command to view the contents of our home directory in an OS implementing capabilities:
  – Initially, our shell process has RWX capabilities for our home directory, and RX capabilities for all the directories up to the root.
  – The "ls -lt" command is fork()ed, and the shell delegates the directory permissions by giving it the capabilities
  • Note that the capabilities are _not_ tied to
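The two user-space capability constructions above, E(k, [Oi, r1 ... rn]) and [Oi, r1 ... rn], HMAC(k, [Oi, r1 ... rn]), side by side with the forgery the first one permits. This is an added example, not code from the lecture: the kernel key K, the object id 7, the fixed rights set and the token layout are constructed, and the "encrypt-only" scheme uses a toy stream cipher (an HMAC-SHA256 keystream XORed in counter mode) chosen only to make the malleability visible, not something to reuse.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the lecture): the two user-space capability encodings,
# issued under a constructed kernel key K, and an attacker who holds a token for
# object 7 with only the read right and does not know K.

K = b"constructed-kernel-secret"
RIGHTS = ("read", "write", "execute", "modify")  # fixed rights; bit i of the mask


def rights_mask(rights) -> int:
    return sum(1 << i for i, r in enumerate(RIGHTS) if r in rights)


def encode(obj_id: int, rights) -> bytes:
    """[Oi, r1 ... rn] as a 4-byte object id followed by a 1-byte rights mask."""
    return struct.pack(">IB", obj_id, rights_mask(rights))


def decode(body: bytes):
    obj_id, mask = struct.unpack(">IB", body)
    return obj_id, {r for i, r in enumerate(RIGHTS) if mask >> i & 1}


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher keystream: HMAC-SHA256 over (nonce || counter)."""
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Construction 1: E(k, [Oi, r1 ... rn]) - confidentiality only.
def enc_only_issue(key: bytes, obj_id: int, rights) -> bytes:
    nonce = os.urandom(8)
    body = encode(obj_id, rights)
    return nonce + xor(body, keystream(key, nonce, len(body)))


def enc_only_check(key: bytes, token: bytes):
    """Decrypts and believes whatever comes out: there is nothing to verify."""
    nonce, ct = token[:8], token[8:]
    return decode(xor(ct, keystream(key, nonce, len(ct))))


# Construction 2: [Oi, r1 ... rn], HMAC(k, [Oi, r1 ... rn]) - integrity.
def mac_issue(key: bytes, obj_id: int, rights) -> bytes:
    body = encode(obj_id, rights)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_check(key: bytes, token: bytes):
    """Returns (object, rights) if the tag verifies, else None."""
    body, tag = token[:5], token[5:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return decode(body)


def attacker_escalate(token: bytes, mask_offset: int, have, want) -> bytes:
    """The attacker knows the token layout and the rights it was issued with, so
    it XORs the rights byte with (have ^ want).  No key is needed: under a stream
    cipher a plaintext bit flip is the same bit flip in the ciphertext."""
    delta = rights_mask(have) ^ rights_mask(want)
    t = bytearray(token)
    t[mask_offset] ^= delta
    return bytes(t)


READ, ALL = {"read"}, {"read", "write", "execute"}

if __name__ == "__main__":
    t = enc_only_issue(K, 7, READ)
    forged = attacker_escalate(t, 8 + 4, READ, ALL)  # mask byte follows 8-byte nonce and 4-byte id
    print("encrypt-only: forged token accepted as", enc_only_check(K, forged))
    m = mac_issue(K, 7, READ)
    print("HMAC: forged token accepted as", mac_check(K, attacker_escalate(m, 4, READ, ALL)))
```

The MAC stops the bit flip, but note what it does not give you, which is where the question "how would you attack the preceding construction" points: the token is a bearer credential. Any process that obtains the bytes, whether by being handed them or by copying them, can present them, and nothing in the token itself says which process should hold it. If the capability contents must also stay secret, encryption and the MAC are both needed (encrypt-then-MAC or an AEAD mode), never encryption alone.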

