1
Operating System Security
2
What have we learned about OS so far?
Goals: resource manager, user interface
Important things we have discussed:
- Multi-user, multi-process, multi-thread
- Synchronization, mutual exclusion, deadlock
- Scheduling
- Memory
- I/O devices
- Files and file systems
3
What are the security problems?
Top 25 Most Dangerous Software/OS Problems
4
Problem: Cleartext Transmit/Storage of Sensitive Info
Example: Login: Ginger / Password: Snap, sent and stored in the clear.
Fix: Encrypt data with standard, reliable encryption before transmission; use whole-drive or file encryption for storage.
The dog is 'sniffing': that is what hackers (or admins) do when they listen to traffic on a communications medium. One mouse means not a significant problem (but still a problem).
5
Problem: Adopting Untrusted Software
Download file, free software ... is it safe?
Fix: Use monitoring tools that examine a process as it interacts with the OS:
- truss (Solaris)
- strace (Linux)
- Sysinternals FileMon, RegMon, Process Monitor (Windows)
- Sniffers, protocol analyzers
6
Problem: Incorrect Input
Car Sale
Model: Chevrolet XR2   Price $:   VIN: 12K4FG436DDE842   Status: New
Sale to: Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY, 00000   Phone:   VISA: RUAFOOL444
Bad checks get passed signed by 'Rubber Ducky', so it is not improbable that silly input such as this may be entered. On some slides you will see 1, 2, or 3 mice indicating the severity of the problem. Here, the 3 mice at the top right-hand side signify a currently popular problem.
7
Problem: Buffer Overflow
Stack frame: Name | Count 49 / 425,222 | State: 84 | Frame pointer | Return address 0x246625
Enter Name: Zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz... (far longer than the Name field)
Here, when the zzzzz was entered, the variables following the Name field were overlaid. This can happen at the assembly language level or at the high-level language level. The value entered into the 'name' field was too long for the program to process, so the excess overwrote the next sections of the buffer: the Count and State variables, then the saved frame pointer and the return address. A skilled attacker can use this flaw to gain control of a program or an OS.
8
Fix: Input Validation
Assume all input is malicious! Validate:
- Length
- Type
- Syntax
- Context: business rules
Or use special input checkers: Struts or the OWASP ESAPI Validation API
- Whitelist: list of acceptable input
- Blacklist: reject suspect input
Validate first!!!
Validation must be performed fully on the server side; the code that runs in the client's browser can be viewed and altered by the client (next two slides).
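The following validator is an added example, not code from the lecture: it applies the four checks above (length, type, syntax, business rules) in that order, whitelist style, to the car-sale form from the earlier slide. The field names, length limits, regular expressions and the "new car costs at least $1000" rule are assumptions made for the example; the two sample orders are constructed.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed rules for the car-sale form shown on the slides. Field names,
# length limits and the business rule are assumptions made for this example.
MAX_LEN = {"model": 40, "vin": 17, "price": 12, "status": 8, "name": 60,
           "phone": 20}
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")      # whitelist: I, O, Q never appear in a VIN
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,59}$")
VALID_STATUS = {"New", "Used"}                      # whitelist of acceptable values


class ValidationError(ValueError):
    pass


def validate_sale(form: dict) -> dict:
    """Validate length, type, syntax and business rules, in that order.
    Every value in `form` is treated as attacker-controlled text."""
    clean = {}
    # 1. Length, before anything is parsed: oversize input is rejected outright,
    #    which also keeps it away from any fixed-size buffer further down.
    for field, limit in MAX_LEN.items():
        value = form.get(field)
        if not isinstance(value, str) or not value.strip() or len(value) > limit:
            raise ValidationError(f"{field}: missing or longer than {limit} characters")
        clean[field] = value.strip()
    # 2. Type: price must parse as a positive decimal with at most two places.
    try:
        price = Decimal(clean["price"])
    except InvalidOperation:
        raise ValidationError("price: not a number") from None
    if price <= 0 or price != price.quantize(Decimal("0.01")):
        raise ValidationError("price: must be positive with at most two decimals")
    clean["price"] = price
    # 3. Syntax: whitelist patterns, never a blacklist of "bad" characters.
    for field, pattern in (("vin", VIN_RE), ("phone", PHONE_RE), ("name", NAME_RE)):
        if not pattern.match(clean[field]):
            raise ValidationError(f"{field}: does not match the expected format")
    # 4. Context / business rules.
    if clean["status"] not in VALID_STATUS:
        raise ValidationError("status: not one of " + ", ".join(sorted(VALID_STATUS)))
    if clean["status"] == "New" and price < Decimal("1000"):   # assumed rule
        raise ValidationError("price: implausibly low for a new car")
    return clean


def is_valid(form: dict) -> bool:
    """Convenience wrapper: True if the form passes, False otherwise."""
    try:
        validate_sale(form)
        return True
    except ValidationError:
        return False


# Constructed sample input: the "Rubber Ducky" order from the slide (fails on the
# empty price and the 15-character VIN) and a well-formed order that passes.
DUCKY_ORDER = {"model": "Chevrolet XR2", "price": "", "vin": "12K4FG436DDE842",
               "status": "New", "name": "Rubber Ducky", "phone": ""}
GOOD_ORDER = {"model": "Chevrolet XR2", "price": "18999.00", "vin": "1G1JC5244R7252367",
              "status": "New", "name": "Ann Winkler", "phone": "+12625550142"}

if __name__ == "__main__":
    print("good order valid:", is_valid(GOOD_ORDER))
    print("ducky order valid:", is_valid(DUCKY_ORDER))
```

Because every check runs on the server, a client that strips the browser-side JavaScript gains nothing; the length check comes first so that an oversized field is rejected before any parsing touches it.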
9
Problem: Race Condition
Thread P1: cin >> input;   // read "hello" into the global
Thread P2: cin >> input;   // read "good-bye" into the same global
Thread P1: out = input;    // string copy (strcpy())
Thread P2: out = input;
Thread P1: cout << out;    // prints "good-bye"
Thread P2: cout << out;    // prints "good-bye"
Result: data corruption and denial of service
Fix:
- Use synchronization primitives around critical code
- Minimize use of shared resources
- Test using artificial delays in the race window
- Identify and trigger error conditions
A race condition occurs when multiple threads or processes use the same resource to complete their tasks and the outcome depends on the order in which they run. If not synchronized properly, one or more may become 'starved' and unable to finish, or unpredictable errors may occur. A race condition was cited as the original cause of the 2003 (electricity) blackout in the northeastern U.S. Another nearly scuttled the Mars rover Spirit's mission.
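As an added example (not from the lecture), the same two-thread scenario in Python: both handlers write a shared global, then copy it. An artificial delay is placed inside the race window, exactly the testing technique the fix list recommends, so the interleaving is reproducible; with the lock around the whole read-copy-print sequence each thread prints its own input. Thread names, delays and the `run` helper are assumptions of the example.

```python
import threading
import time

shared_input = ""               # the global that both threads write, as on the slide
input_lock = threading.Lock()   # the synchronization primitive the fix calls for


def _read_copy_print(message: str, results: dict, race_window: float) -> None:
    global shared_input
    shared_input = message          # cin >> input
    time.sleep(race_window)         # artificial delay: widens the window between write and copy
    out = shared_input              # out = input (the string copy)
    results[message] = out          # cout << out


def handle(message: str, results: dict, use_lock: bool, race_window: float = 0.2) -> None:
    """One request-handler thread. With use_lock the whole read-copy-print
    sequence is a critical section; without it the sequence can interleave."""
    if use_lock:
        with input_lock:
            _read_copy_print(message, results, race_window)
    else:
        _read_copy_print(message, results, race_window)


def run(use_lock: bool) -> dict:
    """Run P1 ("hello") and P2 ("good-bye") so that P2 arrives while P1 is
    inside the race window. Returns {message written: message printed}."""
    results: dict = {}
    p1 = threading.Thread(target=handle, args=("hello", results, use_lock))
    p2 = threading.Thread(target=handle, args=("good-bye", results, use_lock))
    p1.start()
    time.sleep(0.05)                # P2 starts after P1 has written but before P1 has copied
    p2.start()
    p1.join()
    p2.join()
    return results


if __name__ == "__main__":
    print("unsynchronized:", run(use_lock=False))   # both threads print "good-bye"
    print("synchronized:  ", run(use_lock=True))    # each thread prints its own input
```

Without the lock, P1 loses its "hello" because P2 overwrites the shared global inside P1's window; the fix is not to shrink the window but to make the sequence atomic, or better, to not share the variable at all.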
10
Problem: OS Command Injection
Problem: Command Injection into SQL
Login: ... Password: ... -> "Welcome to My System"
Inserts: '|shell("cmd /c echo " & char(124) & "format c:")|'
Data and control traverse the same path. With this problem, attackers use an SQL feature to exit SQL and reach the operating system command line.
11
Fix: Avoid OS Command Injection
- Separate control information from data information, e.g. data -> database, control defines the application
- Use library calls instead of external processes
- Avoid external control of command input
- Run code in a "jail" or other sandbox environment
- Give the executable the lowest possible permissions
Data can be separated from control using two TCP ports, for example, or different message types.
Data: "Terry, Brian, Jerry, Ann, Louis, ..."
Control: Start WPI session, parms -lmk
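Added example (not the lecture's code) of the first two fixes, separating data from control and avoiding external processes, in Python: a login query built by string pasting is bypassed with a classic `' OR '1'='1` payload, while the parameterized version sends the values on a separate path from the SQL; and for the OS side, the host for a `ping` is passed as one argv element with no shell plus an allowlist, so `host; rm -rf /` can never become two commands. The in-memory users table, the `ginger/snap` row and the attacker string are constructed.

```python
import re
import sqlite3

# Allowlist for a host name or IPv4 literal; anything a shell could interpret
# (';', '|', '&', quotes, spaces) is simply not in the character class.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_safe_host(host: str) -> bool:
    return HOST_RE.match(host) is not None


def build_ping_argv(host: str) -> list:
    """Build the argv for 'ping -c 1 <host>'. The host is one argv element and
    subprocess.run(argv) without shell=True never hands it to a shell, so even
    before the allowlist 'host; rm -rf /' is a single (odd) hostname, not two commands."""
    if not is_safe_host(host):
        raise ValueError(f"host rejected: {host!r}")
    return ["ping", "-c", "1", host]


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the login example (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('ginger', 'snap')")
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str) -> bool:
    # Data is pasted into the control path: the query text itself.
    query = "SELECT COUNT(*) FROM users WHERE name = '%s' AND pw = '%s'" % (user, pw)
    return con.execute(query).fetchone()[0] > 0


def login_fixed(con: sqlite3.Connection, user: str, pw: str) -> bool:
    # Parameterized query: the SQL (control) is fixed, the values (data)
    # travel separately and are never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(query, (user, pw)).fetchone()[0] > 0


INJECTED_PW = "x' OR '1'='1"   # constructed attacker input: makes the WHERE clause always true


if __name__ == "__main__":
    con = _demo_db()
    print("vulnerable login with injected password:", login_vulnerable(con, "ginger", INJECTED_PW))
    print("fixed login with injected password:     ", login_fixed(con, "ginger", INJECTED_PW))
    print("argv for a good host:", build_ping_argv("example.org"))
    print("8.8.8.8; rm -rf / accepted?", is_safe_host("8.8.8.8; rm -rf /"))
```

The `|shell(...)|` trick on the slide is the same failure one step further: once the attacker's text is parsed as part of the control path, any feature of that path (here, the database's ability to run a program) is theirs to use.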
12
Problem: External Control of Critical State Data
User-side data can be modified:
- Cookies
- Configuration files
- Profiles
- Hidden form fields
- Environment variables
- Registry keys
Web request -> web form -> form returned with fake data
13
Fix: Control Critical State Data
- Understand all locations that are accessible to attackers
- Do not keep state information on the client without encryption and integrity checking (e.g. HMAC)
- Store state information on the server side only: ASP.NET View State, OWASP ESAPI session management
14
Problem: Insecure Interaction Between Components
Program B (real) -> network -> server; Program B* (fake) -> network -> server
Attack: the client code is reverse engineered and modified (B*) to act differently.
Problem: the server assumes validation occurred in the client and does not recheck.
15
Problem: Insecure Interaction Between Components
Web servers are stateless: they do not remember sending a form to a client (what type, what information). The client side can remove checks, insert other code, return unexpected data, etc.
Web access -> web form with JavaScript -> revised form returned with data and JavaScript
16
Problem: Forgery
Web access -> real form with JavaScript -> fake form returned with data and JavaScript
Here the attacker is pretending to be someone else, sending in fake data. He may try to bypass authentication and proceed straight into the middle of someone else's session. Also known as cross-site request forgery (CSRF): the attacker gets the victim's browser to submit the forged request, so it arrives carrying the victim's own session credentials.
17
Fix: Prevent Forgery
- Use a nonce for each form; it must not be predictable
- If the operation is dangerous, send a separate confirmation request
Nonce = active authorization ticket: a security code or permission tag that also indicates the maximum time the user has to respond.
Example form: Name: Ann Winkler   Address: Pratt Ave, Racine WI   Phone:   Interests: Horses, Movies, Travel   Security Code: Johnson Rivers   [Submit]
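Added example (not from the lecture) of the per-form nonce above, which also covers the earlier fix of protecting client-side state with an HMAC: the "security code" embedded in the form carries an unpredictable nonce and an expiry, and an HMAC under a server-only key binds both to the session and the form. A forged code, one copied from another user's session, an expired one, a tampered expiry or a replayed one all fail the server-side check. The key, the token layout and the single-use table are assumptions of the example; session and form names are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: one secret key per server process, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
_consumed: set = set()          # nonces already accepted (each token is single use)


def _tag(session_id: str, form_name: str, expires: int, nonce: str) -> str:
    msg = f"{session_id}|{form_name}|{expires}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_name: str, ttl: int = 600, now: int = None) -> str:
    """Token embedded in the form as its 'security code'. The nonce is
    unpredictable, the expiry bounds the time to respond, and the HMAC binds
    both to this session and this form."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    nonce = secrets.token_hex(16)
    return f"{expires}.{nonce}.{_tag(session_id, form_name, expires, nonce)}"


def verify_token(token: str, session_id: str, form_name: str, now: int = None) -> bool:
    """Server-side check on submit. Fails if the token was forged, altered,
    issued for another session or form, expired, or already used."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, nonce, tag = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _tag(session_id, form_name, expires, nonce)
    if not hmac.compare_digest(expected.encode(), tag.encode()):   # constant-time compare
        return False
    if nonce in _consumed:                                          # replay of a valid token
        return False
    _consumed.add(nonce)
    return True


if __name__ == "__main__":
    code = issue_token("sess-ann", "profile-update")
    print("genuine submit:", verify_token(code, "sess-ann", "profile-update"))
    print("replayed submit:", verify_token(code, "sess-ann", "profile-update"))
    print("same code, other session:", verify_token(code, "sess-mallory", "profile-update"))
```

The check runs before any state changes, so a dangerous operation can still require the separate confirmation step the slide mentions: issue a second token for the confirmation form and verify that one too.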
18
Problem: Improper Access Control
Web request for the form -> server requires authentication -> reply with authentication -> web form with the actual data, also written to a cache -> a later web request for the same form is answered from the cache
In this case, the server may be programmed correctly to respond only to authenticated users, but the web page is cached and available to anyone.
19
Fix: Access Permissions
- Use role-based access; at minimum the roles anonymous, normal, privileged, administrative
- Verify access control on the server side
- Sensitive pages are never cached and must require an active authorization token
- Only provide higher-level access when you need it; always run with the minimum possible authorization level
- Check that files read have the required access permissions; administrators may not set them properly
- Use a good random number generator when generating random session keys; if they are not random, attackers will figure out the next key in the sequence
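As an added example (not the lecture's code), a server-side role check in Python that applies the first three items above: the role is derived only from an active authorization token held in a server-side table (a role the client claims for itself is ignored, since it is external state data), handlers declare the minimum role they need, and every response from a protected handler carries headers that keep it out of caches. The session table, the four-level role ordering and the handler names are assumptions of the example.

```python
from functools import wraps

ROLE_LEVEL = {"anonymous": 0, "normal": 1, "privileged": 2, "administrative": 3}

# Headers that keep a sensitive page out of browser and proxy caches.
NO_STORE_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate",
                    "Pragma": "no-cache", "Expires": "0"}

# Constructed server-side session table: active token -> role. Anything not in
# it is anonymous, however the client describes itself.
SESSIONS = {"tok-ann": "normal", "tok-ops": "privileged", "tok-root": "administrative"}


class AccessDenied(Exception):
    pass


def role_of(request: dict) -> str:
    """Derive the role from the active authorization token only."""
    return SESSIONS.get(request.get("token"), "anonymous")


def require_role(minimum: str):
    """Decorator: enforce the minimum role on the server and mark the
    response uncacheable, whatever the client sent."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request: dict) -> dict:
            role = role_of(request)
            if ROLE_LEVEL[role] < ROLE_LEVEL[minimum]:
                raise AccessDenied(f"{handler.__name__} needs {minimum}, caller is {role}")
            response = handler(request)
            response["headers"] = {**response.get("headers", {}), **NO_STORE_HEADERS}
            return response
        return wrapper
    return decorator


@require_role("normal")
def view_account(request: dict) -> dict:
    return {"status": 200, "body": f"account page for a {role_of(request)} user"}


@require_role("administrative")
def admin_panel(request: dict) -> dict:
    return {"status": 200, "body": "admin panel"}


def can_access(handler, request: dict) -> bool:
    """True if the handler serves the request, False if access is denied."""
    try:
        handler(request)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("ann -> account:", can_access(view_account, {"token": "tok-ann"}))
    print("ann claiming admin -> panel:",
          can_access(admin_panel, {"token": "tok-ann", "role": "administrative"}))
    print("headers:", view_account({"token": "tok-ann"})["headers"]["Cache-Control"])
```

The cache headers are set inside the decorator rather than in each handler so that a sensitive page cannot be left cacheable by omission; the cached-page flaw on the previous slide is exactly that omission.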
20
Problem: External Control of Path
Form: Submit file [Browse]   Enter pathname: ____
- If you download an external file or navigate to a URL, and execute it
- If you provide access to a file on your system: an attacker can insert ../../ and access files outside their privilege
Fix:
- Run as a low-privilege user
- Provide fixed input values
- Run code in a 'jail': Unix chroot jail, AppArmor
If attackers take advantage of your flexibility, it is best to give them only minimal permissions by restricting their access.
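Added example (not from the lecture) of what "fixed input values" looks like for the pathname field above: the user may only name a file relative to one upload directory, the path is canonicalized (symlinks followed) before the check, and anything that resolves outside that directory is refused, so `../../etc/passwd`, an absolute path, a NUL byte and a symlink pointing out of the tree are all rejected. The directory layout built in `demo()` is constructed for the example.

```python
import os
import tempfile


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied relative path under base_dir, or raise
    PermissionError if it escapes. Symlinks are followed before the check so
    a link inside base_dir cannot be used to reach outside it."""
    base = os.path.realpath(base_dir)
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PermissionError(f"rejected: {user_path!r}")
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return target


def classify(base_dir: str, user_path: str) -> str:
    """'allowed:<resolved path>' or 'rejected' for one request."""
    try:
        return "allowed:" + safe_join(base_dir, user_path)
    except PermissionError:
        return "rejected"


def demo() -> dict:
    """Constructed layout: <tmp>/uploads/reports/q1.txt plus a symlink
    <tmp>/uploads/link -> <tmp>/outside. Returns the verdict per request."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "reports"))
    os.makedirs(os.path.join(root, "outside"))
    open(os.path.join(uploads, "reports", "q1.txt"), "w").close()
    try:
        os.symlink(os.path.join(root, "outside"), os.path.join(uploads, "link"))
    except OSError:
        pass   # symlinks unavailable on this platform; that case is just skipped
    requests = ["reports/q1.txt", "../../etc/passwd", "reports/../../outside/x",
                "/etc/passwd", "link/secret.txt", "reports\x00.txt"]
    return {r: classify(uploads, r) for r in requests}


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request!r:28} -> {verdict}")
```

Even with this check in place the slide's other two fixes still apply: run the process as a low-privilege user and inside a chroot or AppArmor profile, so that a bug in the check is not a full read of the file system.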
21
Problem: Some Security Errors
Find the errors (some errors are 3 stars, others are 1 star):

    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File;
        if (security.open("spath") > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }
22
Answers: Some Security Errors
- Variables contents & environment are not initialized: this can cause problems if the code is executed in certain ways, and an attacker can initialize them, or read values left over from a previous session
- "security.dat" is not a full pathname: the file can be replaced if the program is run from another location (create your own easy security.dat and run the executable from the new directory)
- File 'security' is not closed: this leaves the file open to attack and keeps unnecessary resources busy
- The error message reveals the file name: this can give an attacker important information
23
Problem: More Security Errors
Find the errors (some errors are 3 stars, others are 1 star):

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }
24
Answers: More Security Errors
- The password is hardcoded: if an attacker finds it, every system can be broken into before the software is changed on all computers; passwords belong in a protected (encrypted) store, never in the code
- total may overflow: count * cost can wrap around to a very small or negative number
- Input is not checked: quantity could be zero or otherwise invalid
- Encryption should be a standard algorithm: the home-written variety is broken easily
25
Security Countermeasures
26
Security Countermeasure
What do we really need?
- From the user perspective
- From the process/thread perspective
- From the file/directory/file system perspective
- From the memory management and other I/O device perspective
- From the service perspective
- From the network perspective
- ...
27
What do we need in terms of security?
- Authentication: username/password, one-time password, smartcards/active badge, biometrics
- Access control: user-based, role-based, location-based; separation/interaction, multi-level security
- Data confidentiality & integrity: encrypted files, encrypted file systems
- Service/system availability/reliability: redundancy (RAID, multi-core, etc.)
28
Access Control Fundamentals
- Lampson's access matrix
- Reference monitor
- A secure OS is one whose reference monitor satisfies:
  - Complete mediation (beware TOCTTOU: time-of-check-to-time-of-use)
  - Tamperproof
  - Verifiable
- Assessment criteria
29
Verifiable Security Goals
Information flow
- IF secrecy: Denning's lattice model, Bell-LaPadula model
- IF integrity: Biba integrity model, low-water-mark integrity, Clark-Wilson integrity
- Covert channels
30
History of Secure OSes
- Multics
- UNIX/Windows security
- Security kernels / TCB / SELinux
- Microkernels / MicroVM
- TPM
- System assurance: Orange Book, Common Criteria
31
Case Studies
- UNIX password
- Unix/Linux access control: users and groups, file system controls (HW)
- Windows NT/XP security: Executive, access tokens, security descriptors, ACLs (HW)
- Windows Vista security additions
32
Unix Reading Material
- Man pages: groups, newgrp, chmod, chown, chgrp
- Unix and Security: The Influences of History, ftp://coast.cs.purdue.edu/pub/doc/misc/spaf-influences-of-history.ps.Z
33
Basic Unix Security Model
- User authenticated on logon
- User ID associated with the process; the default is listed in the passwd file
- Group ID associated with the process; the default is listed in the passwd file
- Groups defined in /etc/group, with the set of member users listed with each group definition
- A user can be a member of multiple groups
34
Passwords in UNIX
Login: guan / Password: cpre308
How does the system check if the password is correct?
One solution: the password file has (username, password) pairs; store [guan, cpre308] in /etc/passwd and make the password file readable only by a privileged user.
Privileged users can then get your password. Why is this a problem?
35
Solution: One-Way Functions
- f(x) is easy to compute
- f^-1(x) is extremely difficult, if not impossible, to compute
- The password file can now be world-readable
- The Unix password file contains the image of each password: /etc/passwd contains guan:y
- guan logs in and supplies x; if f(x) == y, then ok
How to deal with the verifier is an issue even in non-distributed systems. Unix, and many other systems, authenticate users by having them supply their passwords. Rather than keep the plaintext of the passwords in a file where they might be seen by others, Unix stores one-way images of the passwords, as described in the slide. Much of our discussion on cryptology-related concerns comes from Applied Cryptography, 2nd Edition, by Bruce Schneier, John Wiley and Sons, 1996. Copyright © 2002 Thomas W. Doeppner. All rights reserved.
36
Dictionary Attack (Morris and Thompson)
- For all words in the dictionary, compute f(word)
- Find the word such that f(word) == y
- Many users use simple passwords
Systems that employ just one-way functions to protect their passwords are vulnerable to dictionary attacks.
37
Counterattack: Salt
- For each password, create a random "salt" value
- /etc/passwd contains (f(append(word, salt)), salt)
- 12-bit salt values in Unix: the attacker must run the dictionary attack 4096 times, once for each salt value
- ... done: Feldmeier and Karn produced a list of the 732,000 most common passwords concatenated with each of the 4096 salt values; it covers ~30% of all passwords
Unix uses "salt" as a means to foil dictionary attacks, though it's probably not of tremendous use anymore.
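Added example (not from the lecture) covering the last three slides in Python: a one-way function f, passwd-style entries (user, f(password+salt), salt), the login check, and the Morris-Thompson dictionary attack run once against unsalted entries and once against salted ones. The point it makes concrete is the cost multiplier: unsalted, one table of f(word) cracks every account at once; salted, the table has to be rebuilt for every distinct salt. SHA-256 stands in for crypt() as an assumption (the historical f was DES-based); the word list, the three accounts and the fixed salts are constructed.

```python
import hashlib
import hmac
import secrets


def f(password: str, salt: str = "") -> str:
    """One-way function standing in for Unix crypt(); SHA-256 is used here
    only for illustration (assumption), the historical f was DES-based."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def make_entry(user: str, password: str, salt: str = None) -> tuple:
    """Build a passwd-style entry (user, f(password+salt), salt). Pass salt=""
    for the unsalted scheme; by default a random 12-bit salt is drawn, as in
    classic Unix (4096 possible values)."""
    if salt is None:
        salt = format(secrets.randbelow(4096), "03x")
    return (user, f(password, salt), salt)


def check_login(entry: tuple, supplied: str) -> bool:
    """The login check: recompute f on the supplied password with the stored
    salt and compare against the stored image in constant time."""
    user, image, salt = entry
    return hmac.compare_digest(f(supplied, salt), image)


def dictionary_attack(entries: list, wordlist: list) -> tuple:
    """Morris-Thompson style attack. Returns ({user: password}, evaluations of f).
    Unsalted: one table of f(word) is compared against every image. Salted:
    the table is rebuilt per distinct salt, multiplying the work."""
    by_salt: dict = {}
    for user, image, salt in entries:
        by_salt.setdefault(salt, []).append((user, image))
    cracked, evaluations = {}, 0
    for salt, accounts in by_salt.items():
        table = {}
        for word in wordlist:
            table[f(word, salt)] = word
            evaluations += 1
        for user, image in accounts:
            if image in table:
                cracked[user] = table[image]
    return cracked, evaluations


# Constructed sample data: a tiny "most common passwords" list and three accounts,
# two with dictionary words and one with a password the list does not contain.
WORDLIST = ["123456", "password", "letmein", "cpre308", "qwerty", "welcome"]
ACCOUNTS = [("guan", "cpre308"), ("ginger", "password"), ("ann", "Vq7#plz2Rk")]


def demo(salted: bool) -> tuple:
    """Run the attack on the sample accounts; fixed salts keep the count reproducible."""
    salts = ["a1f", "0b2", "7ce"] if salted else ["", "", ""]
    entries = [make_entry(u, p, s) for (u, p), s in zip(ACCOUNTS, salts)]
    return dictionary_attack(entries, WORDLIST)


if __name__ == "__main__":
    for salted in (False, True):
        cracked, work = demo(salted)
        print(f"salted={salted}: cracked {cracked}, {work} evaluations of f")
```

With three accounts and three distinct salts the attacker does three times the work; with a 12-bit salt and a full system that factor is at most 4096, which is why the slide calls the salt "not of tremendous use anymore" against a precomputed list, and why a shadow file (next slide) matters even more.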
38
Shadow Files
- /etc/passwd and /etc/group must be readable by everyone
- Both files contain crypt'ed passwords, and that read access enables offline attacks
- Add shadow versions of each file: the password field in passwd and group is replaced by a placeholder, and the password images are stored in the more restricted shadow versions of these files