Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Slides:

Advertisements

Similar presentations

Operating Systems Components of OS

Advertisements

Applications of Feather-Weight Virtual Machines (FVMs) Hadi Salimi Distributed Systems Lab, School of Computer Engineering, Iran University of Science.

Operating System Security

More on OS Security.

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Operating-System Structures

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

UNIX Chapter 01 Overview of Operating Systems Mr. Mohammad A. Smirat.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

Secure Operating System Architectures Patterns

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Linux Basics CS 302. Outline  What is Unix?  What is Linux?  Virtual Machine.

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Operating systems and security

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.

Systems Security & Audit Operating Systems security.

Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.

Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.

Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.

UNIX System Protection. Unix History Developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs Adapted some ideas from the Multics project in 1969.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

CS 346 – Chapter 2 OS services –OS user interface –System calls –System programs How to make an OS –Implementation –Structure –Virtual machines Commitment.

Lecture 2 Page 1 CS 111 Online System Services for OSes One major role of an operating system is providing services – To human users – To applications.

Lecture 5 Page 1 CS 111 Online Processes CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

Operating Systems Security

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 19 October 26, 2004.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

Security Vulnerabilities in A Virtual Environment

Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.

Computer Security: Principles and Practice

Lecture 7 Page 1 CS 111 Online Process Communications and Concurrency CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.

Lecture 12 Page 1 CS 111 Summer 2014 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.

Concepts and Structures. Main difficulties with OS design synchronization ensure a program waiting for an I/O device receives the signal mutual exclusion.

Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

Lecture 8 Page 1 CS 236, Spring 2008 Operating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 10 Page 1 CS 111 Online Memory Management CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.

Lecture 14 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.

Operating System Structures

Protecting Memory What is there to protect in memory?

Lecture 1-Part 2: Operating-System Structures

Protecting Memory What is there to protect in memory?

Protecting Memory What is there to protect in memory?

Outline What does the OS protect? Authentication for operating systems

Operating System Structure

Introduction to Operating System (OS)

Modularity and Memory Clearly, programs must have access to memory

Outline What does the OS protect? Authentication for operating systems

Chapter 2: System Structures

UNIX System Protection

Outline Chapter 2 (cont) OS Design OS structure

System calls….. C-program->POSIX call

Lecture Topics: 11/1 Hand back midterms

Outline Introduction Memory protection Buffer overflows

Presentation transcript:

Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Lecture9 Page 2 CS 236 Online Outline Designing secure operating systems Assuring OS security TPM and trusted computing

Lecture9 Page 3 CS 236 Online Desired Security Features of a Normal OS Authentication of users Memory protection File and I/O access control General object access control Enforcement of sharing Fairness guarantees Secure IPC and synchronization Security of OS protection mechanisms

Lecture9 Page 4 CS 236 Online Extra Features for a Trusted OS Mandatory and discretionary access control Object reuse protection Complete mediation Audit capabilities Intruder detection capabilities

Lecture9 Page 5 CS 236 Online How To Achieve OS Security Kernelized design Layered design Separation and isolation mechanisms Virtualization

Lecture9 Page 6 CS 236 Online Secure OS Kernels Basic idea is to specify a core set of OS functions Keep it small, build it carefully All other services build on top of this kernel Key idea: if the kernel is safe, everything else must be, too

Lecture9 Page 7 CS 236 Online Advantages of Kernelization Smaller amount of trusted code Easier to check every access Separation from other complex pieces of the system Easier to maintain and modify security features

Lecture9 Page 8 CS 236 Online A Disadvantage of Kernelization Introduces boundaries in the OS Stuff inside is cheaper to work with than stuff outside –Since checks and limitations at the boundaries Temptation is to keep moving stuff in –An irresistible temptation in all major kernelization efforts

Lecture9 Page 9 CS 236 Online A Major Challenge for Kernelization What’s in and what’s out? What must you trust to ensure that the rest of the system is secure? Depends heavily on how you define “secure” Certain types of known attacks still possible against certain “secure” systems –They left those attacks out of their definition

Lecture9 Page 10 CS 236 Online Layered OS Design A generalization of kernelization Define inner layer with high security Next layer out builds on that –Allowing lower security Next layer out provides even lower security Outer layers use inner layer services through strong interfaces

Lecture9 Page 11 CS 236 Online Multics and Layered Security Multics came before Unix –And was a lot more sophisticated and powerful Key element of Multics was this layered security model Multics is still one of the most sophisticated secure OS designs

Lecture9 Page 12 CS 236 Online Separation and Isolation Mechanisms Divide system into components Define a secure interface for each –Allow communication only over interfaces Might ensure no bad stuff crosses boundaries Can separate on user or process boundaries –Not just functionality A pretty successful OS security approach

Lecture9 Page 13 CS 236 Online Uses of Separation and Isolation The core idea behind page table security Also the core idea behind virtual memory process security Domain and type enforcement –E.g., as used in SE Linux

Lecture9 Page 14 CS 236 Online Domain and Type Enforcement A way of confining security problems into a single domain –Commonly abbreviated DTE Allows system to specify security domains –E.g., the printing domain And to specify data types –E.g., the printer type

Lecture9 Page 15 CS 236 Online Using DTE Processes belong to some domain –Can change domains, under careful restrictions Only types available to that domain are accessible –And only in ways specified for that domain

Lecture9 Page 16 CS 236 Online A DTE Example Protecting the FTP daemon from buffer overflow attacks Create an FTP domain Only the FTP daemon and files in the FTP directory can be executed in this domain –And these executables may not be written within this domain Executing the FTP daemon program automatically enters this domain

Lecture9 Page 17 CS 236 Online What Happens On Buffer Overflow? The buffer overflow attack allows the attacker to request execution of an arbitrary program –Say, /bin/sh But the overflowed FTP daemon program was in the FTP domain –And still is /bin/sh is of a type not executable from this domain –So the buffer overflow can’t fork a shell

Lecture9 Page 18 CS 236 Online DTE in SE Linux SE Linux provides substantial DTE support Each process has a domain Each object has a type Configuration files specify domain interactions and what types they access Starting specified programs puts them in particular domains

Lecture9 Page 19 CS 236 Online Types in SE Linux Domains are actually specified as types in SE Linux Access control matrix specifies which types can interact with other types So a process is given a type –Which implies what other types it can access

Lecture9 Page 20 CS 236 Online Example of SE Linux Type Enforcement Files in /etc are mostly limited to access by few sysadmin process types But /etc also contains /etc/aliases –Which the mail program must access –And everyone uses the mail program So rules are set up to allow the sendmail process’ type to access /etc/aliases

Lecture9 Page 21 CS 236 Online Types in the Example The sendmail process is assigned type sendmail_t The /etc/aliases file is assigned type etc_aliases_t Other mail related files and directories also get their own types

Lecture9 Page 22 CS 236 Online The SE Linux sendmail Rules allow sendmail_t etc_aliases_t:file { read write }; allow sendmail_t etc_mail_t:dir { read search add_name remove_name }; allow sendmail_t etc_mail_t:file { create read write unlink }; This rule allows processes of sendmail_t type to access files of etc_aliases_t type for read and write Without regard for which user started the process

Lecture9 Page 23 CS 236 Online Contrast With Standard Unix File Access Control What permissions to set for /etc/aliases ? Must be sufficient to allow normal work –So must allow read and write But not too much to allow anyone to read and write anything there

Lecture9 Page 24 CS 236 Online Standard Unix Solution Run sendmail setuid to a special user named mail or something Set ownership of /etc/aliases to mail user Allow any user to run the sendmail program Why is SE Linux approach better?

Lecture9 Page 25 CS 236 Online Some Differences Don’t need to create fake users like mail You’ve centralized the security-critical access control rules –No worry that a file somewhere had the wrong permission bits The sendmail process runs under the identity of the calling user –No need for “real” and “effective” uids Clean, extensible abstraction

Lecture9 Page 26 CS 236 Online Virtualization A popular modern approach Run untrusted stuff in a virtual machine Only allow VM to access things you don’t worry about Thus, untrusted stuff can’t screw you over

Lecture9 Page 27 CS 236 Online Approaches to Virtualization Native OS virtualization facilities –Meta-OS runs various virtual machines on same real machine –Developed in 1970s for mainframes Programming language based VM –E.g., Java VM package tacked on to operating system –E.g., VMWare and Parallels

Lecture9 Page 28 CS 236 Online Challenges to Using Virtualization Securely confining code to a VM –Often, there are ways for it to get out Proper allocation of processes and resources to a VM –If things have to share data, must they be in the same VM? –If not, how do you keep them in? Efficiency Multiplexing real hardware