Jan 26, 2004 OS Security CSE 525 Course Presentation Dhanashri Kelkar Department of Computer Science and Engineering OGI School of Science and Engineering.

Presentation transcript:


1 OS Security
C. Cowan, S. Beattie, C. Wright, G. Kroah-Hartman. "RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities", USENIX Security Symposium 2001.
C. Wright, C. Cowan, J. Morris, S. Smalley, and G. Kroah-Hartman. "Linux Security Modules: General Security Support for the Linux Kernel", USENIX Security Symposium 2002.

2 Introduction
A study of computer security
‣ TOCTTOU: time-of-check-to-time-of-use errors
Race between the file existence check and file creation
‣ Used in temporary file creation
‣ Non-atomicity problem
‣ Preemptive operating system

3 Temporary File Creation
mktemp()
  1. filename = generateRandomName();
  2. statResult = stat(filename);
  3. if(!statResult) then open(filename, O_CREAT)
  4. else go to step 1
What if there is a context switch between steps 2 and 3?

4 Security Attack
filename = generateRandomName();
statResult = stat(filename);
if(!statResult) then open(filename, O_CREAT)
ln /etc/passwd tmpfile
Privileged program attempts to create temp file and attacker guesses the file name

5 Safe Temporary File Creation
Safe mechanism:
‣ filename = generateRandomName();
‣ open(filename, O_CREAT|O_EXCL)
Used by mkstemp()
Not commonly available and portable
Many popular programs use mktemp()
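
The stat()-then-open() sequence from slides 3 and 4 next to the O_CREAT|O_EXCL open from slide 5, as an added C example (not from the slides or the RaceGuard paper). The scratch directory, the file names and the race() helper are constructed for illustration, and the link is planted deterministically between the probe and the create instead of by a real concurrent process.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scenario: a scratch directory under the current directory
 * stands in for /tmp and "sensitive" for the security-sensitive file.
 * Returns 1 if the sensitive file was overwritten, 0 if it was left intact,
 * -1 on setup failure; *open_errno gets errno from the victim's open(). */
static int race(int extra_flags, int *open_errno) {
    char dir[] = "tocttou-demo-XXXXXX", target[64], tmp[64], buf[8] = {0};
    struct stat st;
    int fd, intact;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/sensitive", dir);
    snprintf(tmp, sizeof tmp, "%s/tmpfile", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) != 0) return -1;

    /* Victim, step 2: probe for the name; it does not exist yet. */
    if (stat(tmp, &st) == 0) return -1;
    /* Race window (context switch): the name gets linked to the target. */
    if (link(target, tmp) != 0) return -1;
    /* Victim, step 3: create the file it believes is new. */
    fd = open(tmp, O_WRONLY | O_CREAT | extra_flags, 0600);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0 && (write(fd, "VICTIM", 6) != 6 || close(fd) != 0)) return -1;

    fd = open(target, O_RDONLY);
    if (fd < 0 || read(fd, buf, 6) != 6) return -1;
    close(fd);
    intact = strcmp(buf, "secret") == 0;
    unlink(tmp); unlink(target); rmdir(dir);
    return !intact;
}

int main(void) {
    int e = 0, r = race(0, &e);
    printf("O_CREAT:        overwritten=%d errno=%d\n", r, e);
    r = race(O_EXCL, &e);
    printf("O_CREAT|O_EXCL: overwritten=%d errno=%d\n", r, e);
    return 0;
}
```

With O_EXCL the kernel performs the existence check and the create as one operation, so the planted name makes open() fail with EEXIST instead of writing through the link.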

6 RaceGuard
Kernel enhancement
‣ detects attempts to exploit temporary file race conditions
‣ does this with sufficient speed and precision

7 Temporary File Creation
Victim Program
‣ Seeks to create temp file
‣ Probes for existence of the file
‣ If not found, proceeds to create it
Attacker
‣ Exploits by creating a symbolic or hard link
‣ Points to a security sensitive file

8 RaceGuard Design
Maintains a per-process cache of temporary file races in each PCB (task_struct)
If a probe reports that the file does not exist, then cache the name
If the file exists and its name matches a cached name, then it is a race attack: abort the open attempt
If file creation proceeds without conflicts, then clear the entry from the cache
‣ To avoid false positive events
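
The cache rules on this slide as a user-space C model, added here for illustration; it is not RaceGuard's kernel code. The names rg_task, rg_stat, rg_open and rg_demo, the four-slot cache and the EACCES error code are assumptions of this model.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RG_SLOTS 4   /* cache size is a choice of this model */
struct rg_task { char names[RG_SLOTS][128]; unsigned next; }; /* per-process cache */

static int rg_find(struct rg_task *t, const char *p) {
    for (int i = 0; i < RG_SLOTS; i++)
        if (t->names[i][0] && strcmp(t->names[i], p) == 0) return i;
    return -1;
}

/* Probe: cache a name that was reported as non-existent. */
static int rg_stat(struct rg_task *t, const char *p, struct stat *st) {
    int r = lstat(p, st);
    if (r < 0 && errno == ENOENT && rg_find(t, p) < 0 && strlen(p) < 128)
        strcpy(t->names[t->next++ % RG_SLOTS], p);
    return r;
}

/* Create: a cached name that now exists is a race, so refuse; a create without
 * conflict clears the entry. The lstat-then-open here only models the logic. */
static int rg_open(struct rg_task *t, const char *p, int flags, mode_t mode) {
    struct stat st;
    int fd, slot = rg_find(t, p);
    if (slot >= 0 && lstat(p, &st) == 0) { errno = EACCES; return -1; }
    fd = open(p, flags, mode);
    if (fd >= 0 && slot >= 0) t->names[slot][0] = '\0';
    return fd;
}

/* Constructed scenario: 1 = create aborted, 0 = allowed, -1 = setup error. */
static int rg_demo(int plant_link) {
    struct rg_task t = {0};
    struct stat st;
    const char *tmp = "rg-demo.tmp", *target = "rg-demo.target";
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) != 0) return -1;
    rg_stat(&t, tmp, &st);                            /* victim probes */
    if (plant_link && link(target, tmp) != 0) return -1;
    fd = rg_open(&t, tmp, O_WRONLY | O_CREAT, 0600);  /* victim creates */
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(target);
    return fd < 0;
}
int main(void) { return (rg_demo(0) == 0 && rg_demo(1) == 1) ? 0 : 1; }
```

A user-space wrapper like this still has its own window between lstat() and open(); the slides place the check in the kernel, where it runs as part of the create itself.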

9 RaceGuard Implementation
Three groups of system calls:
‣ To inform that a file system entry does not exist
‣ To create file system entries
‣ To create and remove processes

10 Security Testing
Non-deterministic vulnerability
Doctored version of mktemp library call
‣ Pause program
  –Give attacker more time to deploy race
‣ Print file name to be created
  –Instead of guessing file name, provide it by printing
Attacked programs
‣ RCS 5.7, rdist 6.1.5, sdiff GNU 2.7, shadow-utils

11 Compatibility Testing
Check whether RaceGuard breaks existing programs when no race attack is taking place
Programs checked
‣ Mozilla web/mail client
‣ RedHat Linux bootup/shutdown scripts
‣ CVS checkout
‣ VMW (Virtual Machine Emulation) system
Some tweaking performed to make it work

12 Performance Testing
Microbenchmarks:
‣ Stat non-existent file: w/o: 4.3 µS, w/: 8.8 µS, overhead: 104%
‣ Open non-existent file: w/o: 1.5 µS, w/: 1.44 µS, overhead: -4%
‣ Fork: w/o: 161 µS, w/: 183 µS, overhead: 13%

13 Performance Testing
Macrobenchmarks (Khernel-stone):
                Real Time   User Time   System Time
w/o RaceGuard
w/ RaceGuard
% Overhead      0.4%        0.2%        0.3%

14 Where Are We?
RaceGuard:
‣ Particular computer security case
‣ Try to avoid temporary file creation races
LSM: Linux Security Modules
‣ Generic access control mechanism

15 Linux Access Control Mechanism
Discretionary access control mechanism (DAC):
‣ User decides who gets access
Mandatory access control mechanism (MAC):
‣ System administrator decides who gets access
POSIX.1e
Many more: e.g. SELinux by NSA

16 Problems w/ multiple access control mechanisms
No way to say which mechanism is better
‣ Depends on usage
Unable to include all available security modules inside kernel
‣ Kernel upgrade is needed for every new module
Solution:
‣ Separate loadable kernel modules
‣ Load module you want to use
‣ Direct access to modules through syscalls

17 Problems with loadable modules
No efficient mechanism for kernel modules to access kernel data
‣ Modules rely on system calls
‣ Highly inefficient

18 Linux Security Modules Mechanism
Access calls are handled inside kernel
Kernel uses its default policy
If default policy grants access, kernel “consults” loaded module
‣ Special hooks provided for consulting
Access is granted only if the module says “Go ahead”

19 LSM Hook Mechanism
Global table called security_ops in kernel
‣ Table divided into sub-tables
‣ Each sub-table has pointers to functions that make access decisions
  –Default access-granting entries filled at kernel boot time
Each module responsible for filling up tables
‣ Module registration

20 Module Registration & Deregistration
Module registration fails if another LSM module is already loaded and registered
To load a new module, the previous module needs to be un-registered
‣ Success of un-registration depends on policy set by previous module
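
The consult-after-default-policy flow, the hook table and the single-module registration rule from slides 18 to 20, as an added user-space C model (not kernel or LSM source). Only the name security_ops comes from the slides; file_hooks, lsm_register, lsm_unregister, may_access and the sample etc_ro module are assumptions of this model, and un-registration here does not model a policy veto by the loaded module.

```c
#include <stdio.h>
#include <string.h>

/* User-space model; only the name security_ops comes from the slides. */
struct file_hooks {                 /* one sub-table of decision functions */
    int (*permission)(int uid, const char *path, int want_write);
};
struct security_operations { const char *name; struct file_hooks file; };

static int grant_all(int uid, const char *path, int want_write) {
    (void)uid; (void)path; (void)want_write;
    return 0;                       /* default entry: always grants */
}
static struct security_operations default_ops = { "default", { grant_all } };
static struct security_operations *security_ops = &default_ops;

static int lsm_register(struct security_operations *ops) {
    if (security_ops != &default_ops) return -1;  /* a module is already loaded */
    if (!ops->file.permission) ops->file.permission = grant_all;
    security_ops = ops;
    return 0;
}
static int lsm_unregister(struct security_operations *ops) {
    if (security_ops != ops) return -1;
    security_ops = &default_ops;
    return 0;
}

/* Kernel side: default (DAC) policy first; the hook is consulted only if DAC
 * grants, so a module can further restrict access but never widen it. */
static int may_access(int uid, int owner, const char *path, int want_write) {
    if (uid != 0 && uid != owner) return -1;
    return security_ops->file.permission(uid, path, want_write);
}

/* Constructed sample module: refuses writes under /etc, even for root. */
static int etc_ro(int uid, const char *path, int want_write) {
    (void)uid;
    return want_write && strncmp(path, "/etc/", 5) == 0 ? -1 : 0;
}
static struct security_operations etc_ro_ops = { "etc_ro", { etc_ro } };
static struct security_operations second_ops = { "second", { NULL } };

int main(void) {
    int first = lsm_register(&etc_ro_ops), second = lsm_register(&second_ops);
    printf("register: first=%d second=%d\n", first, second);
    printf("root write /etc/passwd: %d\n", may_access(0, 0, "/etc/passwd", 1));
    return lsm_unregister(&etc_ro_ops);
}
```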

21 LSM Summary
LSM provides a generic way to implement access control mechanisms
Different access control mechanisms can reside as loadable modules
System administrator can use appropriate modules as per need

22 Details Not Covered
‣ Implementation details
‣ Data storage needs of various security policies
‣ Module stacking
‣ Performance evaluation