Operating System Security

What have we learned about OS so far?
Goals: resource manager, user interface.
Important things we have discussed: multi-user, multi-process, multi-thread; synchronization, mutual exclusion, deadlock; scheduling; memory; I/O devices; files and file systems.

What are the security problems?
The CWE/SANS Top 25 Most Dangerous Software Errors (software and OS problems): http://www.sans.org/top25-software-errors/#cat1

Problem: Cleartext Transmission/Storage of Sensitive Information
What a sniffer sees on the wire: Login: Ginger  Password: Snap
Fix: encrypt data with a standard, well-reviewed algorithm before transmission (e.g. TLS for network traffic); use whole-drive or file encryption for data at rest.
Note: the dog in the picture is "sniffing". That is what attackers (or admins) do when they listen to traffic on a shared communications medium. One mouse on a slide means the problem is not currently widespread (but it is still a problem).

Problem: Adopting Untrusted Software ("Download File, Free Software ... Is it Safe?")
Fix: before trusting it, run it under monitoring tools that record how the process interacts with the OS: truss (Solaris), strace (Linux); FileMon, RegMon and their successor Process Monitor (Sysinternals, Windows); sniffers and protocol analyzers for its network traffic.

Problem: Incorrect Input
Car Sale form as submitted:
Model: Chevrolet XR2; Price $: 25.45; VIN: 12K4FG436DDE842; Status: New
Sale to: Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY, 00000; Phone: 911; VISA: RUAFOOL444
Bad checks get passed signed by "Rubber Ducky", so it is not improbable that silly input such as this may be entered.
On some slides you will see 1, 2, or 3 mice indicating the severity of the problem. Here the 3 mice at the top right signify a currently popular problem.

Problem: Buffer Overflow
Stack layout: Name | Count | State | return address (0x246625) | frame pointer
Enter Name: Zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz... (far more characters than the Name field holds)
When the long run of z's was entered, the variables following the Name field were overlaid, and with enough input the saved frame pointer and return address as well. This happens at the assembly-language level and in high-level languages that do not bounds-check (C, C++): the value entered into the Name field was too long for the buffer, so the excess overwrote the adjacent memory. A skilled attacker chooses the overwriting bytes so that the corrupted return address points to code of their choosing, and so gains control of the program, and through it possibly the OS.

Fix: Input Validation
Assume all input is malicious!
Validate length, type, syntax and context (business rules), or use a tested input-checking library such as Struts validation or the OWASP ESAPI Validation API.
Whitelist: a list of acceptable input; everything else is rejected. Blacklist: reject known-suspect input (weaker, because the list is never complete).
Validate first, and on the server side: code that runs in the client's browser can be viewed and altered by the client, so client-side checks are a convenience, not a control.
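Server-side whitelist validation of the car-sale form from the previous slide, as an added example (not code from the original slides). The field names, the 17-character VIN alphabet, the price range and the phone format are assumptions chosen for illustration; the checks run in the slide's order: length, type, syntax, then business rules.

```python
"""Server-side whitelist validation for the car-sale form.

Added example, not from the original slides. Field names, limits and
business rules are assumptions chosen for illustration.
"""
import re
from decimal import Decimal, InvalidOperation

# Whitelist patterns: exactly what we accept, nothing else.
# Assumption: modern 17-character VINs, which exclude the letters I, O and Q.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{1,63}$")
STATUS_OK = {"New", "Used"}
MAX_FIELD_LEN = 256                  # length check first (overflow / DoS defence)
MIN_PRICE, MAX_PRICE = Decimal("500"), Decimal("500000")
REQUIRED = ("model", "price", "vin", "status", "buyer", "phone")

def validate_sale(form: dict) -> dict:
    """Return validation errors keyed by field; an empty dict means valid.

    Every value is treated as untrusted text, even if the client
    'already checked' it.
    """
    errors = {}
    # 1. Presence and length, before touching the content at all.
    for name in REQUIRED:
        value = form.get(name)
        if not isinstance(value, str) or not value:
            errors[name] = "missing"
        elif len(value) > MAX_FIELD_LEN:
            errors[name] = "too long"
    if errors:
        return errors

    # 2. Type: price must parse as a finite decimal number.
    try:
        price = Decimal(form["price"])
    except InvalidOperation:
        errors["price"] = "not a number"
    else:
        # 3. Business rule: no $25.45 cars (is_finite() rejects NaN/Infinity,
        #    which would otherwise make the comparison raise).
        if not price.is_finite() or not (MIN_PRICE <= price <= MAX_PRICE):
            errors["price"] = "out of range"

    # 4. Syntax: whitelist regexes and an enumerated status.
    if not VIN_RE.match(form["vin"]):
        errors["vin"] = "bad VIN"
    if not PHONE_RE.match(form["phone"]):
        errors["phone"] = "bad phone"
    if not NAME_RE.match(form["buyer"]):
        errors["buyer"] = "bad name"
    if form["status"] not in STATUS_OK:
        errors["status"] = "unknown status"
    return errors

# Constructed sample input mirroring the slide's "Rubber Ducky" order,
# and a constructed well-formed order for comparison.
BAD_SALE = {"model": "Chevrolet XR2", "price": "25.45", "vin": "12K4FG436DDE842",
            "status": "New", "buyer": "Rubber Ducky", "phone": "911"}
GOOD_SALE = {"model": "Chevrolet XR2", "price": "25450.00", "vin": "1HGCM82633A004352",
             "status": "New", "buyer": "Ann Winkler", "phone": "262-555-0100"}

if __name__ == "__main__":
    print(validate_sale(BAD_SALE))    # price, vin and phone rejected
    print(validate_sale(GOOD_SALE))   # {}
```

The same function is called for every submission regardless of what the browser did; the whitelist is what makes the 911 phone number and the 15-character VIN fail without anyone having to anticipate them.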

Problem: Race Condition
Two threads sharing one global string:
    Thread P1            Thread P2            Comment
    cin >> input;                             read "hello" into the global
                         cin >> input;        read "good-bye" into the same global
    out = input;                              string copy (e.g. strcpy())
                         out = input;
    cout << out;                              prints "good-bye" (P1's "hello" is lost)
                         cout << out;         prints "good-bye"
Result: data corruption and denial of service.
Fix: use synchronization primitives (locks, semaphores) around the critical code; minimize the use of shared resources; test by inserting artificial delays inside the race window; identify and deliberately trigger the error conditions.
A race condition occurs when multiple threads or processes use the same resource and the outcome depends on the order in which they happen to run. Without proper synchronization the result is unpredictable: corrupted data, crashes, or a thread that can never finish. A race condition in an alarm system was cited as the original cause of the 2003 electricity blackout in the northeastern U.S., and a priority-inversion bug (a related concurrency problem) nearly scuttled the Mars Pathfinder mission in 1997.
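The P1/P2 trace above, replayed in Python as an added example (not code from the original slides). The unsafe version forces the losing interleaving with threading.Event, which is the slide's "artificial delay in the race window" testing technique made deterministic; the fixed version puts the read-then-copy in a critical section and copies into a per-thread variable. The thread names and strings are the slide's; the use of Event is an assumption about how one would widen the window.

```python
"""Race on a shared global, reproduced deterministically, and the fix.

Added example, not from the original slides.
"""
import threading

shared_input = ""           # the global both threads read into (the bug)
lock = threading.Lock()

def run_unsafe() -> dict:
    """P1 and P2 share one buffer; the interleaving is forced so P1 loses."""
    p1_read = threading.Event()   # P1 has written its value
    p2_read = threading.Event()   # P2 has overwritten it
    results = {}

    def p1():
        global shared_input
        shared_input = "hello"        # cin >> input
        p1_read.set()
        p2_read.wait()                # artificial delay inside the race window
        results["P1"] = shared_input  # out = input  -> sees "good-bye"

    def p2():
        global shared_input
        p1_read.wait()
        shared_input = "good-bye"     # cin >> input, clobbering P1's value
        p2_read.set()
        results["P2"] = shared_input

    threads = [threading.Thread(target=p1), threading.Thread(target=p2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def run_fixed(values=("hello", "good-bye")) -> dict:
    """Each read-then-copy is a critical section guarded by one lock, and the
    copy goes to a thread-local variable instead of a second shared one."""
    results = {}

    def worker(name, text):
        global shared_input
        with lock:                    # synchronization primitive around critical code
            shared_input = text
            local_out = shared_input  # minimize shared state: copy out under the lock
        results[name] = local_out

    threads = [threading.Thread(target=worker, args=(f"P{i + 1}", v))
               for i, v in enumerate(values)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

if __name__ == "__main__":
    print(run_unsafe())   # {'P1': 'good-bye', 'P2': 'good-bye'}
    print(run_fixed())    # {'P1': 'hello', 'P2': 'good-bye'}
```

Forcing the schedule with events is also how you write a regression test for a race: the bug becomes reproducible instead of appearing once a week in production.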

Problem: OS Command Injection (here, command injection through SQL)
Login form input: '|shell("cmd /c echo " & char(124) & "format c:")|'
Data and control traverse the same path: the login field is supposed to carry data, but the database engine interprets part of it as a command.
With this problem, attackers use a SQL feature (here the pipe-delimited expression syntax of Microsoft Jet/Access, which can call VBA's Shell()) to break out of the query and reach the operating system command line. The user sees only "Welcome to My System".

Fix: Avoid OS Command Injection
Separate control information from data information: data goes to the database, control is defined by the application, and the two never share a channel.
Use library calls instead of spawning external processes.
Avoid external (user) control of command input.
Run code in a "jail" or other sandbox environment.
Give the executable the lowest possible permissions.
Data can be separated from control by using two TCP ports, for example, or different message types:
    Data:    "Terry, Brian, Jerry, Ann, Louis, ..."
    Control: Start WPI session, parms -lmk
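The "library calls instead of external processes" and "avoid external control of command input" points, shown side by side as an added example (not code from the original slides). The vulnerable function reproduces what an os.system("ping -c 1 " + host) hands to the shell; the hardened one whitelists the input and builds an argv list so no shell ever parses it. The ping feature and the IP-address-only rule are assumptions.

```python
"""OS command injection: the vulnerable pattern next to the hardened one.

Added example, not from the original slides. The 'ping a host' feature and
the IP-address whitelist are illustrative assumptions.
"""
import ipaddress
import subprocess

def vulnerable_command(host: str) -> str:
    """The string a call like os.system('ping -c 1 ' + host) gives /bin/sh.

    Data (the host) and control (shell metacharacters) travel on one path,
    so ';', '|', '&&' or '$(...)' in the input become new commands.
    """
    return "ping -c 1 " + host

def safe_argv(host: str) -> list:
    """Hardened version: validate, then build an argv list (no shell).

    1. Whitelist: the input must parse as an IP address and nothing else.
       That also excludes anything starting with '-', so the value cannot
       be mistaken for a ping option.
    2. No shell: subprocess receives a list, so the host is always exactly
       ONE argument even if the validation were somehow bypassed.
    """
    try:
        ipaddress.ip_address(host)       # raises ValueError on anything else
    except ValueError:
        raise ValueError("host must be an IP address") from None
    return ["ping", "-c", "1", host]

def run_ping(host: str) -> subprocess.CompletedProcess:
    """Run the hardened command; shell=False is the default for a list."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=10)

# Constructed attacker input: terminates ping and appends a second command.
ATTACK = "127.0.0.1; echo pwned"

if __name__ == "__main__":
    print(vulnerable_command(ATTACK))    # ping -c 1 127.0.0.1; echo pwned
    print(safe_argv("127.0.0.1"))        # ['ping', '-c', '1', '127.0.0.1']
    try:
        safe_argv(ATTACK)
    except ValueError as e:
        print("rejected:", e)
```

The two defences are independent: the whitelist stops the attack at the door, and the argv form means that even a validation bug cannot turn data back into control.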

Problem: External Control of Critical State Data
Anything held on the user's side can be modified before it comes back: cookies, configuration files, profiles, hidden form fields, environment variables, registry keys.
Diagram: web request -> web form sent to the client -> form returned with fake data.

Fix: Control Critical State Data
Understand all locations that are accessible to attackers.
Keep state on the server side wherever possible (e.g. OWASP ESAPI session management).
Never keep state on the client without integrity checking (e.g. an HMAC over the state) and, if it is confidential, encryption. ASP.NET ViewState, for example, travels in a hidden field and is only safe with its MAC and encryption options enabled.

Problem: Insecure Interaction Between Components
Diagram: Program B (the legitimate client) sends real data over the network to the server; Program B* (the same client, reverse-engineered and modified to act differently) sends fake data over the same path.
Attack: the client code is reverse-engineered and modified.
Problem: the server assumes validation occurred in the client and does not recheck.

Problem: Insecure Interaction Between Components
Web servers are stateless: they do not remember having sent a form to a client, what type it was or what it contained.
The client side can remove checks, insert other code, return unexpected data, etc.
Diagram: web access -> web form with JavaScript -> revised form returned with data and altered JavaScript.

Problem: Forgery
Diagram: web access -> web form with JavaScript -> a fake form with data and JavaScript is submitted in place of the real form.
Here the attacker is pretending to be someone else, sending in fake data. He may try to bypass authentication and proceed straight to the middle of someone else's session.
Also known as Cross-Site Request Forgery (CSRF): the victim's own browser is made to submit the request, and it attaches the victim's session cookie automatically, so the server sees an authenticated user.

Fix: Prevent Forgery
Use a nonce for each form; it must not be predictable.
Example form fields: Name, Address, Phone, Interests, Security Code: Johnson Rivers, [Submit]
If the operation is dangerous, send a separate confirmation request.
Nonce = active authorization ticket: a security code or permission tag that also indicates the maximum time the user has to respond. The server checks it against the session it was issued to and accepts it only once.
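A per-form nonce store implementing the "active authorization ticket" above, as an added example (not code from the original slides): each nonce is unpredictable (OS CSPRNG), bound to the session and form it was issued for, single-use, and valid only for a limited time. The in-memory dictionary and the 60-second lifetime are assumptions; a real deployment keeps the store in the session backend.

```python
"""Per-form anti-forgery nonce: unpredictable, session-bound, single-use,
time-limited. Added example, not from the original slides.
"""
import secrets
import time

NONCE_LIFETIME = 60.0     # seconds the user has to respond (assumption)

class FormNonces:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._issued = {}            # nonce -> (session_id, form_name, expires_at)

    def issue(self, session_id: str, form_name: str) -> str:
        """Return the value to embed in the form as a hidden field."""
        nonce = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        self._issued[nonce] = (session_id, form_name, self._clock() + NONCE_LIFETIME)
        return nonce

    def redeem(self, session_id: str, form_name: str, nonce: str) -> bool:
        """Accept a submission only if the nonce was issued to THIS session
        for THIS form, has not expired, and has not been used before.

        The nonce is consumed on any attempt, successful or not, so it
        cannot be replayed or probed.
        """
        record = self._issued.pop(nonce, None)
        if record is None:
            return False
        sid, form, expires_at = record
        return (secrets.compare_digest(sid, session_id)
                and form == form_name
                and self._clock() <= expires_at)

    def purge(self) -> int:
        """Drop expired nonces the user never submitted; returns how many."""
        now = self._clock()
        before = len(self._issued)
        self._issued = {n: r for n, r in self._issued.items() if r[2] > now}
        return before - len(self._issued)

if __name__ == "__main__":
    store = FormNonces()
    n = store.issue("session-A", "purchase")
    print(store.redeem("session-A", "purchase", n))   # True
    print(store.redeem("session-A", "purchase", n))   # False: already used
```

Binding the nonce to the session is what defeats CSRF specifically: an attacker can fetch a form and read a nonce from it, but that nonce was issued to the attacker's session, not the victim's.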

Problem: Improper Access Control
Sequence: web access -> web form requiring authentication -> reply to www.abc.com/123 with authentication -> the server returns the web form with the actual data for www.abc.com/345 -> a cache keeps a copy -> a later web request for www.abc.com/345 is served the cached form with the actual data, no authentication needed.
In this case the server may be programmed correctly to respond only to authenticated users, but the web page is cached and available to anyone.

Fix: Access Permissions
Use role-based access, with at least these roles: anonymous, normal, privileged, administrative.
Verify access control at the server side.
Sensitive pages are never cached and require an active authorization token.
Only provide higher-level access when you need it; always run with the minimum possible authorization level.
Check that the files you read have the required access permissions; administrators may not set them properly.
Use a good (cryptographic) random number generator when generating session keys; if they are not random, attackers will figure out the next key in the sequence.

Problem: External Control of Path
If you download an external file or navigate to a URL and execute it, or if you provide access to a file on your system (an "Enter pathname" box with Browse and Submit), an attacker can insert ../../ and reach files outside the intended directory and privilege.
Fix: run as a low-privilege user; provide fixed input values rather than accepting a path; run the code in a "jail" (Unix chroot jail, AppArmor).
If attackers take advantage of your flexibility, it is best to give them only minimal permissions by restricting their access.

Problem: Some Security Errors
Find the errors (some are 3 stars, others are 1 star):

    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open("spath") > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }

Problem: Some Security Errors
The errors:

    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open("spath") > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }

Variables contents and environment are not initialized: this can cause problems if the code is executed in certain ways, and an attacker may be able to initialize or read the variables from a previous session.
"security.dat" is not a full pathname: the file can be replaced if the program is run from another location (create your own, easy security.dat and run the executable from the new location).
File security is never closed: it is left open to attack and keeps unnecessary resources busy.
The error message reveals the file name, which gives the attacker important information.
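One hardened counterpart to both the "Enter pathname" problem and the security.dat snippet, as an added example (not code from the original slides): a fixed absolute data directory, a containment check that proves a user-supplied name stays inside it (catching ../, absolute paths and symlinks), a file handle that is always closed, variables that are always initialized, and a generic error for the user with the detail logged server-side. The directory names, environment variable and messages are assumptions.

```python
"""Confining file access to a fixed directory and loading a config file safely.

Added example, not from the original slides. Directory names, the APP_DIR
environment variable and the messages are illustrative assumptions.
"""
import logging
import os

log = logging.getLogger("security")

# Assumption: the data directory is fixed at install time and comes from the
# environment, never from the request or the current working directory.
APP_DIR = os.path.realpath(os.environ.get("APP_DIR", "/var/lib/myapp"))

def resolve_under(base_dir: str, user_path: str) -> str:
    """Join a user-supplied name onto base_dir and prove the result stays inside.

    realpath() normalizes '..' and follows symlinks, so a link that points
    outside the directory is rejected as well as a literal '../../'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the permitted directory")
    return candidate

def read_security_file(base_dir: str = APP_DIR) -> tuple:
    """The slide's Security() with its four errors removed."""
    contents, environment = "", ""                       # always initialized
    path = os.path.join(os.path.realpath(base_dir), "security.dat")   # full pathname
    try:
        with open(path, "r", encoding="utf-8") as f:     # closed on exit, even on error
            contents = f.readline().rstrip("\n")
            environment = f.readline().rstrip("\n")
    except OSError as e:
        log.error("configuration load failed: %s", e)    # file name stays in the server log
        raise RuntimeError("Error: configuration unavailable") from None   # generic to the user
    return contents, environment

def safe_open_for_download(base_dir: str, requested: str):
    """Handler for the slide's 'Enter pathname' box: only names under base_dir."""
    return open(resolve_under(base_dir, requested), "rb")

if __name__ == "__main__":
    for name in ("docs/readme.txt", "../../etc/passwd", "/etc/passwd"):
        try:
            print(name, "->", resolve_under("/srv/files", name))
        except PermissionError as e:
            print(name, "->", e)
```

Running the process as a low-privilege user and inside a chroot or AppArmor profile, as the slide recommends, is the second layer: it limits what an attacker gets if this containment check is ever bypassed.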

Problem: More Security Errors
Find the errors (some are 3 stars, others are 1 star):

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }

Problem: More Security Errors
The errors:

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }

The password is hardcoded: if an attacker finds it, every installation can be broken into until the software is changed on all computers. Secrets belong in a protected (encrypted) file or store, never in source.
Total may overflow: in fixed-width integer arithmetic a large count times the cost wraps around to a very small (or negative) number.
Input is not checked: count could be zero, negative or otherwise invalid.
Encryption should use a standard, reviewed algorithm: a home-written variety (myEncrypt) is easily broken.
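The overflow error made concrete, as an added example (not code from the original slides): a 32-bit total, as a C or Java int would hold it, wraps when a large quantity is multiplied by the price, so 2,147,484 items come to $7.04. The checked version validates the quantity first and refuses a product that does not fit. Prices in cents, the 32-bit width and the quantity limit are assumptions standing in for the slide's purchaseProduct().

```python
"""Why 'total may overflow', and a checked multiply that refuses it.

Added example, not from the original slides. Cents, the int32 width and
MAX_QUANTITY are illustrative assumptions.
"""
INT32_MIN, INT32_MAX = -2 ** 31, 2 ** 31 - 1
MAX_QUANTITY = 1000              # business rule (assumption)

def wrap_int32(x: int) -> int:
    """Emulate two's-complement 32-bit arithmetic (what C/Java do silently)."""
    x &= 0xFFFFFFFF
    return x - 2 ** 32 if x > INT32_MAX else x

def naive_total(count: int, cost_cents: int) -> int:
    """The slide's  total = count * product.cost()  with an int32 total."""
    return wrap_int32(count * cost_cents)

def checked_total(count, cost_cents: int) -> int:
    """Validate the quantity, then multiply with an explicit range check."""
    if not isinstance(count, int) or isinstance(count, bool):
        raise ValueError("quantity must be an integer")
    if not 1 <= count <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    if not 0 < cost_cents <= INT32_MAX:
        raise ValueError("bad price")
    total = count * cost_cents           # Python ints do not wrap, so this is exact
    if total > INT32_MAX:                # but downstream systems may still be 32-bit
        raise OverflowError("total exceeds representable amount")
    return total

# Constructed attacker input: 2,147,484 items at $20.00 each.
ATTACK_COUNT, PRICE_CENTS = 2_147_484, 2000

if __name__ == "__main__":
    print(naive_total(ATTACK_COUNT, PRICE_CENTS))   # 704  -> the customer is charged $7.04
    print(naive_total(-1, PRICE_CENTS))             # -2000 -> a refund
    print(checked_total(3, PRICE_CENTS))            # 6000
```

2,147,484 x 2000 = 4,294,968,000, which is 2^32 + 704; the high bits are discarded and 704 cents is what reaches the payment system.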

Security Countermeasures

Security Countermeasures: what do we really need?
From the user perspective; from the process/thread perspective; from the file/directory/file-system perspective; from the memory-management and other I/O-device perspective; from the service perspective; from the network perspective; ...

What do we need in terms of security?
Authentication: username/password, one-time passwords, smartcards / Active Badge, biometrics.
Access control: user-based, role-based, location-based; separation/interaction, multi-level security.
Data confidentiality and integrity: encrypted files, encrypted file systems.
Service/system availability and reliability: redundancy (RAID, multi-core, etc.).

Access Control Fundamentals
Lampson's access matrix.
Reference monitor: a secure OS is one whose reference monitor satisfies
    complete mediation (every access is checked; TOCTTOU, time-of-check-to-time-of-use, gaps violate this),
    tamperproof,
    verifiable.
Assessment criteria.

Verifiable Security Goals
Information flow (IF) secrecy: Denning's lattice model, Bell-LaPadula model.
IF integrity: Biba integrity model, low-water-mark integrity, Clark-Wilson integrity.
Covert channels.
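The lattice models named above, worked in code as an added example (not code from the original slides): a label is a linearly ordered level plus a set of compartments, dominance is the lattice order, and the Bell-LaPadula and Biba rules are one-line comparisons on top of it. The level names and compartment names are assumptions; the rules (no read up / no write down for secrecy, no read down / no write up for strict integrity) are the models' own.

```python
"""Information-flow checks on Denning's lattice: Bell-LaPadula (secrecy)
and Biba strict integrity. Added example, not from the original slides;
level and compartment names are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet

SECRECY_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY_LEVELS = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of compartments (need-to-know)."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset
        of compartments. Two labels can be incomparable (neither dominates),
        which is what makes this a lattice rather than a simple ordering."""
        return self.level >= other.level and self.compartments >= other.compartments

# Bell-LaPadula: information may only flow upward in secrecy.
def blp_read_ok(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)

def blp_write_ok(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object must dominate the subject)."""
    return obj.dominates(subject)

# Biba strict integrity: information may only flow downward in integrity.
def biba_read_ok(subject: Label, obj: Label) -> bool:
    """No read down: a high-integrity subject must not take in low data."""
    return obj.dominates(subject)

def biba_write_ok(subject: Label, obj: Label) -> bool:
    """No write up: a low-integrity subject must not taint high data."""
    return subject.dominates(obj)

def secrecy(name: str, *compartments: str) -> Label:
    return Label(SECRECY_LEVELS[name], frozenset(compartments))

def integrity(name: str) -> Label:
    return Label(INTEGRITY_LEVELS[name])

if __name__ == "__main__":
    analyst = secrecy("secret", "nuclear")
    print(blp_read_ok(analyst, secrecy("confidential")))        # True
    print(blp_read_ok(analyst, secrecy("secret", "crypto")))    # False: incomparable
    print(blp_write_ok(analyst, secrecy("confidential")))       # False: no write down
```

The interesting cases are the incomparable ones: a "secret/nuclear" subject cannot read a "secret/crypto" object even though the levels match, and cannot write to a plain "top secret" object either, because that object does not carry the nuclear compartment. Biba is the mirror image of Bell-LaPadula, which is why the two functions are each other's arguments swapped.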

History of Secure OSes
Multics; UNIX/Windows security; security kernels / TCB / SELinux; microkernels / micro-VMs; TPM.
System assurance: Orange Book, Common Criteria.

Case Studies
UNIX: passwords; Unix/Linux access control, users and groups, file system controls (HW).
Windows NT/XP: Security Executive, access tokens, security descriptors, ACLs (HW).
Windows Vista: security additions.

Unix Reading Material
Man pages: groups, newgrp; chmod, chown, chgrp.
Unix and Security: The Influences of History, ftp://coast.cs.purdue.edu/pub/doc/misc/spaf-influences-of-history.ps.Z

Basic Unix Security Model
The user is authenticated at logon.
A user ID is associated with every process; a (default) group ID is associated with every process.
Each user's default login shell (the first process) is listed in the passwd file.
Groups are defined in /etc/group, with the set of member users listed in each group definition; a user can be a member of multiple groups.
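How the identity attached to a login process is derived from the two files above, as an added example (not code from the original slides): the passwd record supplies the uid, default gid and login shell, and the group file supplies the supplementary groups whose member lists name the user. The three passwd records and five group records are constructed sample lines in the real formats, not copied from any system.

```python
"""Deriving a process's identity from passwd and group records.

Added example, not from the original slides. The sample records below are
constructed in the real /etc/passwd and /etc/group formats.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples. 'x' in the password field means the hash lives in the
# shadow file (see the Shadow Files slide); 7 fields in passwd, 4 in group.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
guan:x:1001:1001:Y. Guan:/home/guan:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
GROUP_LINES = """\
root:x:0:
adm:x:4:guan
users:x:100:guan,www-data
guan:x:1001:
www-data:x:33:
"""

@dataclass
class Identity:
    user: str
    uid: int
    gid: int              # default (primary) group from passwd field 4
    groups: List[str]     # primary + supplementary, like `id -Gn`
    shell: str

def parse_passwd(text: str) -> Dict[str, tuple]:
    """name -> (uid, gid, home, shell)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), home, shell)
    return users

def parse_group(text: str) -> Dict[str, tuple]:
    """name -> (gid, [members]); the member list holds supplementary members only."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def login_identity(username: str, passwd_text: str = PASSWD_LINES,
                   group_text: str = GROUP_LINES) -> Identity:
    """What login attaches to the user's first process: uid, default gid, and
    every group whose definition lists the user (a user can be in many)."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    uid, gid, _home, shell = users[username]
    names = [g for g, (g_id, _m) in groups.items() if g_id == gid]
    names += [g for g, (_g_id, members) in groups.items()
              if username in members and g not in names]
    return Identity(username, uid, gid, names, shell)

def can_login(username: str, passwd_text: str = PASSWD_LINES) -> bool:
    """A nologin shell is how service accounts are kept from interactive use."""
    return not parse_passwd(passwd_text)[username][3].endswith("nologin")

if __name__ == "__main__":
    print(login_identity("guan"))     # uid 1001, gid 1001, groups guan, adm, users
    print(can_login("www-data"))      # False
```

Every later access-control decision (file permission bits, setuid, etc.) is made against these numbers, which is why the passwd file must stay world-readable even after the hashes move to the shadow file.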

Passwords in UNIX
Login: guan  Password: cpre308
How does the system check if the password is correct?
One solution: the password file holds (username, password) pairs, e.g. store [guan, cpre308] in /etc/passwd, readable only by a privileged user.
Privileged users can then read your password. Why is this a problem?

Solution: One-Way Functions
f(x) is easy to compute; f^-1(x) is extremely difficult, if not impossible, to compute.
The password file can now be world-readable, because it contains the image of each password rather than the password itself: /etc/passwd contains guan:y; when guan logs in and supplies x, if f(x) == y then OK.
How to handle the verifier is an issue even in non-distributed systems. Unix, and many other systems, authenticate users by having them supply their passwords. Rather than keep the plaintext of the passwords in a file where they might be seen by others, Unix stores the one-way image (the "encrypted password"), as described above.
Much of our discussion of cryptology-related concerns comes from Applied Cryptography, 2nd Edition, by Bruce Schneier, John Wiley and Sons, 1996. Copyright © 2002 Thomas W. Doeppner. All rights reserved.

Dictionary Attack (Morris and Thompson)
For all words in a dictionary, compute f(word); find a word such that f(word) == y.
Many users choose simple passwords, so systems that employ just a one-way function to protect their passwords are vulnerable to dictionary attacks.

Counterattack: Salt
For each password, create a random "salt" value; /etc/passwd then contains (f(append(word, salt)), salt).
With 12-bit salt values in Unix, the attacker must repeat the dictionary attack 4096 times, once for each salt value, and cannot use one precomputed table against every user.
But: Feldmeier and Karn produced a list of the 732,000 most common passwords concatenated with each of the 4096 salt values, which covered ~30% of all passwords.
Unix uses salt as a means to foil dictionary attacks, though at 12 bits it is probably not of tremendous use anymore.
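The one-way-function, dictionary-attack and salt slides worked end to end, as an added example (not code from the original slides). SHA-256 stands in for the slide's f(); classic Unix used crypt(3) with a 12-bit salt, and a deployment today would use a deliberately slow salted KDF (bcrypt, scrypt, Argon2) instead of a fast hash. The user list and the dictionary are constructed; the attack functions also count hash evaluations so the cost of the salt to the attacker is visible.

```python
"""Password images with a one-way function, the dictionary attack, and why
a per-user salt multiplies the attacker's work.

Added example, not from the original slides. SHA-256 stands in for f();
USERS and DICTIONARY are constructed.
"""
import hashlib
import secrets

SALT_BITS = 12                       # the slide's historical Unix value

def f(password: str, salt: str = "") -> str:
    """One-way function: easy forward, infeasible to invert. Unix stored
    f(salt || password) and the salt, so the file could be world-readable."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def new_salt() -> str:
    return format(secrets.randbelow(2 ** SALT_BITS), "03x")    # 12 bits = 3 hex digits

def store_unsalted(users: dict) -> dict:
    """username -> f(password): what the 'One-Way Functions' slide stores."""
    return {u: f(p) for u, p in users.items()}

def store_salted(users: dict) -> dict:
    """username -> (salt, f(salt || password))."""
    out = {}
    for u, p in users.items():
        s = new_salt()
        out[u] = (s, f(p, s))
    return out

def check_login(entry: tuple, attempt: str) -> bool:
    salt, image = entry
    return secrets.compare_digest(image, f(attempt, salt))

def dictionary_attack_unsalted(images: dict, dictionary: list) -> tuple:
    """Morris & Thompson: hash the dictionary ONCE, then look every user up.
    Returns (cracked, hashes_computed); work is |dictionary| for all users."""
    table = {f(w): w for w in dictionary}                 # precomputed once
    cracked = {u: table[img] for u, img in images.items() if img in table}
    return cracked, len(dictionary)

def dictionary_attack_salted(entries: dict, dictionary: list) -> tuple:
    """With salts the shared table is useless: the attacker redoes the whole
    dictionary for every distinct salt in the file. Returns (cracked, hashes)."""
    by_salt = {}
    for u, (s, img) in entries.items():
        by_salt.setdefault(s, []).append((u, img))
    cracked, hashes = {}, 0
    for s, victims in by_salt.items():
        table = {}
        for w in dictionary:
            table[f(w, s)] = w
            hashes += 1
        for u, img in victims:
            if img in table:
                cracked[u] = table[img]
    return cracked, hashes

USERS = {"guan": "cpre308", "ann": "horses", "root": "Xq7#vL!9pz"}     # constructed
DICTIONARY = ["password", "123456", "cpre308", "horses", "letmein"]     # constructed

if __name__ == "__main__":
    print(dictionary_attack_unsalted(store_unsalted(USERS), DICTIONARY))
    print(dictionary_attack_salted(store_salted(USERS), DICTIONARY))
```

Both attacks still recover the weak passwords; what the salt changes is the price. Against a file with thousands of users the unsalted attacker pays |dictionary| once, the salted attacker pays up to 4096 x |dictionary|, which is exactly the factor the slide quotes and exactly what Feldmeier and Karn precomputed their way around.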

Shadow Files
/etc/passwd and /etc/group must be readable by everyone, and both files contain crypt'ed passwords; that read access enables offline attacks.
Fix: add shadow versions of each file (/etc/shadow, /etc/gshadow). The password field in passwd and group is obscured (e.g. "x"), and the real hashes are stored in the more restricted shadow versions of these files.