Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M030 12 th December, 2008.

Slides:



Advertisements
Similar presentations
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Advertisements

Operating System Security
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
PlanetLab Operating System support* *a work in progress.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
System and Network Security Practices COEN 351 E-Commerce Security.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Building Secure Software Chapter 9 Race Conditions.
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
NFS. The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs. The implementation.
G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
CS252: Systems Programming Ninghui Li Final Exam Review.
Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Introduction to Security Brad Karp UCL Computer Science CS GZ03 / th November, 2007.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Networks Research Group Prof. Mark Handley Department of Computer Science.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
1 In the good old days... Years ago… the WWW was made up of (mostly) static documents. –Each URL corresponded to a single file stored on some hard disk.
Attacking Applications: SQL Injection & Buffer Overflows.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
1 Labels and Event Processes in the Asbestos Operating System Petros Efstathopoulos, Maxwell Krohn, et al. KARTHIK ANANTAPUR BACHERAO 10/28/2005.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Privilege separation in Condor Bruce Beckles University of Cambridge Computing Service.
© 2004 IBM Corporation IBM ^ z/VM Design considerations > Security > Performance (SIE)
Hands On UNIX II Dorcas Muthoni. Processes A running instance of a program is called a "process" Identified by a numeric process id (pid)‏  unique while.
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Protection (Chapter 14)
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.
Race conditions and synchronization issues Exploiting UNIX.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
1 Design Principles CS461 / ECE422 Spring Overview Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction.
Lecture 14 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Protecting Memory What is there to protect in memory?
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
...looking a bit closer under the hood
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Hands On UNIX AfNOG 2010 Kigali, Rwanda
SQL Injection Attacks Many web servers have backing databases
Security mechanisms and vulnerabilities in .NET
Hands On UNIX AfNOG X Cairo, Egypt
CSE 154 Lecture 26: web security.
Chapter 27: System Security
Defense in Depth Web Server Custom HTTP Handler Input Validation
Lecture 2 - SQL Injection
Back-End Data Security
Lecture 27 Security I April 4, 2018 Open news web sites.
Designing IIS Security (IIS – Internet Information Service)
Preventing Privilege Escalation
CSc 337 Lecture 24: Security.
CS703 - Advanced Operating Systems
Least-Privilege Isolation: The OKWS Web Server
Set-UID Privileged Programs
SHELLSHOCK ATTACK.
Presentation transcript:

Least-Privilege Isolation: The OKWS Web Server Brad Karp UCL Computer Science CS GZ03 / M th December, 2008

2 Can We Prevent All Exploits? Many varieties of exploits –Stack smashing, format strings, heap smashing, return-to-libc As many proposed defenses –W X, ASLR, TaintCheck, StackGuard, … Exploit-specific defenses help, but ever-more vulnerabilities, and adversaries creative Not just a problem with C; consider SQL injection in a Python script: q = “SELECT orders FROM accounts WHERE name = ” + name db.execute(q) Programmers make errors If vulnerabilities and errors are here to stay, how can we limit the harm attackers can do when they exploit a server?

3 Problem: Sharing Services, But Isolating Data Servers often hold sensitive data –e.g., amazon.com user’s credit card number Single server shared by distinct users, who often shouldn’t see one another’s data –e.g., different amazon.com shoppers Subsystems on single server must cooperate –e.g., amazon.com web interface and back-end order database Goal: prevent users from obtaining/modifying data other than their own –I shouldn’t be able to retrieve your order (and credit card number), even if I exploit amazon’s web server

4 Approach: Compartmentalization Give each subsystem minimal access to system data and resources to do its job –If subsystem exploited, at least minimize data it can read or modify Define narrow interfaces between subsystems, that allow only exact operations required for application Design assuming exploit may occur, especially in subsystems closest to users

5 Idea: Principle of Least Privilege (PoLP) Each subsystem should only have access to read/modify data needed for its job Cannot be enforced within subsystem— must be enforced externally (i.e., by OS) Must decompose system into subsystems –Must reason carefully about truly minimal set of privileges needed by each subsystem Must be able to grant privileges in fine- grained manner –Else privileges granted to subsystem may be too generous…

6 Idea: Privilege Separation Determine which subsystems most exposed to attack Reduce privileges of most exposed subsystems –e.g., amazon payment page can only insert into order database, and order database doesn’t have integrated web interface with direct access to data –e.g., ssh login daemon code that processes network input shouldn’t run as root

7 OKWS: A PoLP Web Server on UNIX Before OKWS: –Apache web server process monolithic; all code runs as same user –Exploit Apache, and all data associated with web service becomes accessible How might we separate a web server into subsystems, to apply PoLP? Split into multiple processes, each with different, minimal privileges, running as different user IDs –Use UNIX isolation mechanisms to prevent subsystems from reading/modifying each other’s data

8 UNIX Tools for PoLP: chroot() chroot() system call: set process’s notion of file system root; thereafter, can’t change directories above that point So can do: chdir(“/usr/local/alone”); chroot(“/usr/local/alone”); setuid(61100); (unprivileged user ID) Now process has no access to any of filesystem but what’s in tree rooted at /usr/local/alone –No access to the many UNIX setuid-root programs, or to sensitive data elsewhere on disk –But must a priori set up all system files needed by process in directory, e.g., shared libraries, &c.

9 UNIX Tools for PoLP: File Descriptor Passing Initially, parent server process privileged Want to run subsystem in child process, but with minimal privileges (e.g., child chroot()ed) Idea: privileged parent opens files needed by unprivileged child, passes child open file descriptors to these files when it fork()s child –Child can read these files, even if it can’t open them (i.e., because of chroot()) Can also pass file descriptors dynamically (after fork()) with sendmsg() –Process that faces network can accept connection, pass socket for that connection to another process Powerful primitive: means can run subsystem with minimal privilege (e.g., can’t bind to privileged port 80), but grant it specific network connections or specific files

10 OKWS System Design okd process parses user input, holds no sensitive data svc i process parses user input for one service; runs in chroot()ed “jail” database proxy process only accepts authenticated requests for subset of narrow RPC interface; can read sensitive data

11 Analyzing Privilege-Separated Designs What data does subsystem have access to, with what permissions? How complex is the code in a subsystem (e.g., parsing notoriously hard to get right)? What input does a subsystem receive? –Less structured  more worrying –e.g., okld runs as root; should we worry about exploits of it?

12 Strength of Isolation vs. Performance One process per user gives strictest isolation, but means many, many processes  low performance OKWS uses one process per service for performance reasons; so compromised service may reveal one user’s data to another “Strict” ModelOKWS Model

13 OKWS Summary Shows that PoLP and privilege separation hold real promise for limiting harm exploits can do Programming model for services requires new style of programming –Can’t use the file system; services chroot()ed –Must define narrow, per-service interfaces to database –Must communicate explicitly using RPC between service and database

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.