Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS2150/TEL2810: Introduction of Computer Security1 October 18, 2005 Introduction to Computer Security Lecture 6 Windows/Unix/Solaris 10 Design Principles.

Published byGwendolyn Barnett Modified over 9 years ago

Similar presentations

Presentation on theme: "IS2150/TEL2810: Introduction of Computer Security1 October 18, 2005 Introduction to Computer Security Lecture 6 Windows/Unix/Solaris 10 Design Principles."— Presentation transcript:

1 IS2150/TEL2810: Introduction of Computer Security1 October 18, 2005 Introduction to Computer Security Lecture 6 Windows/Unix/Solaris 10 Design Principles

2 IS2150/TEL2810: Introduction of Computer Security2 Two implementation concepts Access control list (ACL) Access control list (ACL)  Store column of matrix with the resource Capability Capability  User holds a “ticket” for each resource  Two variations store row of matrix with user unforgeable ticket in user space

3 IS2150/TEL2810: Introduction of Computer Security3 Unix Developed at AT&T Bell Labs Developed at AT&T Bell Labs Single monolithic kernel Single monolithic kernel  Kernel mode File system, device drivers, process management  User programs run in user mode networking

4 IS2150/TEL2810: Introduction of Computer Security4 Unix Identification and authentication Users have username Users have username  Internally identified with a user ID (UID)  Username to UID info in /etc/passwd  Super UID = 0 can access any file  Every user belong to a group – has GID Passwords to authenticate Passwords to authenticate  in /etc/passwd Shadow file /etc/shadow

5 IS2150/TEL2810: Introduction of Computer Security5 Unix file security Each file has owner and group Each file has owner and group Permissions set by owner Permissions set by owner  Read, write, execute  Owner, group, other  Represented by vector of four octal values Only owner, root can change permissions Only owner, root can change permissions  This privilege cannot be delegated or shared

6 IS2150/TEL2810: Introduction of Computer Security6 Unix File Permissions File type, owner, group, others File type, owner, group, others drwx------ 2 jjoshi isfac 512 Aug 20 2003 risk management lrwxrwxrwx 1 jjoshi isfac 15 Apr 7 09:11 risk_m->risk management -rw-r--r-- 1 jjoshi isfac 1754 Mar 8 18:11 words05.ps -r-sr-xr-x 1 root bin 9176 Apr 6 2002 /usr/bin/rs -r-sr-sr-x 1 root sys 2196 Apr 6 2002 /usr/bin/passwd File type: regular -, directory d, symlink l, device b/c, socket s, fifo f/p File type: regular -, directory d, symlink l, device b/c, socket s, fifo f/p Permission: r, w, x, s or S (set.id), t (sticky) Permission: r, w, x, s or S (set.id), t (sticky) While accessing files While accessing files  Process EUID compared against the file UID  GIDs are compared; then Others are tested

7 IS2150/TEL2810: Introduction of Computer Security7 Effective user id (EUID) Each process has three Ids Each process has three Ids  Real user ID (RUID) same as the user ID of parent (unless changed) used to determine which user started the process  Effective user ID (EUID) from set user ID bit on the file being executed, or sys call determines the permissions for process  Saved user ID (SUID) Allows restoring previous EUID Similarly we have Similarly we have  Real group ID, effective group ID,

8 IS2150/TEL2810: Introduction of Computer Security8 IDs/Operations Root can access any file Root can access any file Fork and Exec Fork and Exec  Inherit three IDs, except exec of file with setuid bit Setuid system calls Setuid system calls  seteuid(newid) can set EUID to Real ID or saved ID, regardless of current EUID Any ID, if EUID=0  Related calls: setuid, seteuid, setreuid

9 IS2150/TEL2810: Introduction of Computer Security9 Setid bits on executable Unix file Three setid bits Three setid bits  Setuid set EUID of process to ID of file owner  Setgid set EGID of process to GID of file  Setuid/Setgid used when a process executes a file If setuid (setgid) bit is on – change the EUID of the process changed to UID (GUID) of the file  Sticky Off: if user has write permission on directory, can rename or remove files, even if not owner On: only file owner, directory owner, and root can rename or remove file in the directory

10 IS2150/TEL2810: Introduction of Computer Security10 Example …; exec( ); …; exec( ); RUID 25 SetUID program …; i=getruid() setuid(i); …; i=getruid() setuid(i); …; RUID 25 EUID 18 RUID 25 EUID 25 -rw-r--r-- file -rw-r--r-- file Owner 18 Owner 25 read/write Owner 18

11 IS2150/TEL2810: Introduction of Computer Security11 Careful with Setuid ! Can do anything that owner of file is allowed to do Can do anything that owner of file is allowed to do Be sure not to Be sure not to  Take action for untrusted user  Return secret data to untrusted user Principle of least privilege Principle of least privilege  change EUID when root privileges no longer needed Setuid scripts (bad idea) Setuid scripts (bad idea)  Race conditions: begin executing setuid program; change contents of program before it loads and is executed Anything possible if root

12 IS2150/TEL2810: Introduction of Computer Security12 Windows NT Windows 9x, Me Windows 9x, Me  Never meant for security  FAT file system – no file level security  PWL password scheme – not secure Can be simply deleted Windows NT Windows NT  Username mapped to Security ID (SID)  SID is unique within a domain SID + password stored in a database handled by the Security Accounts Manager (SAM) subsystem

13 IS2150/TEL2810: Introduction of Computer Security13 Windows NT Some basic functionality similar to Unix Some basic functionality similar to Unix  Specify access for groups and users Read, modify, change owner, delete Some additional concepts Some additional concepts  Tokens  Security attributes Generally Generally  More flexibility than Unix Can define new permissions Can give some but not all administrator privileges

14 IS2150/TEL2810: Introduction of Computer Security14 Sample permission options SID SID  Identity (replaces UID) SID revision number 48-bit authority value variable number of Relative Identifiers (RIDs), for uniqueness  Users, groups, computers, domains, domain members all have SIDs

15 IS2150/TEL2810: Introduction of Computer Security15 Permission Inheritance Static permission inheritance (Win NT) Static permission inheritance (Win NT)  Initially, subfolders inherit permissions of folder  Folder, subfolder changed independently  Replace Permissions on Subdirectories command Eliminates any differences in permissions

16 IS2150/TEL2810: Introduction of Computer Security16 Permission Inheritance Dynamic permission inheritance (Win 2000) Dynamic permission inheritance (Win 2000)  Child inherits parent permission, remains linked  Parent changes are inherited, except explicit settings  Inherited and explicitly-set permissions may conflict Resolution rules Positive permissions are additive Negative permission (deny access) takes priority

17 IS2150/TEL2810: Introduction of Computer Security17 Tokens Security context Security context  privileges, accounts, and groups associated with the process or thread Security Reference Monitor Security Reference Monitor  uses tokens to identify the security context of a process or thread Impersonation token Impersonation token  Each thread can have two tokens – primary & impersonation  thread uses temporarily to adopt a different security context, usually of another user

18 IS2150/TEL2810: Introduction of Computer Security18 Security Descriptor Information associated with an object Information associated with an object  who can perform what actions on the object Several fields Several fields  Header Descriptor revision number Control flags, attributes of the descriptor E.g., memory layout of the descriptor  SID of the object's owner  SID of the primary group of the object  Two attached optional lists: Discretionary Access Control List (DACL) – users, groups, … System Access Control List (SACL) – system logs,..

19 IS2150/TEL2810: Introduction of Computer Security19 Example access request User: Mark Group1: Administrators Group2: Writers Control flags Group SID DACL Pointer SACL Pointer Deny Writers Read, Write Allow Mark Read, Write Owner SID Revision Number Access token Security descriptor Access request: write Action: denied User Mark requests write permission Descriptor denies permission to group Reference Monitor denies request

20 IS2150/TEL2810: Introduction of Computer Security20 Impersonation Tokens (setuid?) Process uses security attributes of another Process uses security attributes of another  Client passes impersonation token to server Client specifies impersonation level of server Client specifies impersonation level of server  Anonymous Token has no information about the client  Identification server obtains the SIDs of client and client's privileges, but server cannot impersonate the client  Impersonation server identifies and impersonate the client  Delegation lets server impersonate client on local, remote systems

21 IS2150/TEL2810: Introduction of Computer Security21 Encrypted File Systems (EFS) Store files in encrypted form Store files in encrypted form  Key management: user’s key decrypts file  Useful protection if someone steals disk Windows – EFS Windows – EFS  User marks a file for encryption  Unique file encryption key is created  Key is encrypted, can be stored on smart card

22 IS2150/TEL2810: Introduction of Computer Security22 SELinux Security Policy Abstractions Type enforcement Type enforcement  Each process has an associated domain  Each object has an associated type  Configuration files specify How domains are allowed to access types Allowable interactions and transitions between domains Role-based access control Role-based access control  Each process has an associated role Separate system and user processes  configuration files specify Set of domains that may be entered by each role

23 IS2150/TEL2810: Introduction of Computer Security23 Sample Features of Trusted OS Mandatory access control Mandatory access control  MAC not under user control, precedence over DAC Object reuse protection Object reuse protection  Write over old data when file space is allocated Complete mediation Complete mediation  Prevent any access that circumvents monitor Audit Audit  Log security-related events Intrusion detection Intrusion detection  Anomaly detection Learn normal activity, Report abnormal actions  Attack detection Recognize patterns associated with known attacks

24 IS2150/TEL2810: Introduction of Computer Security24 Kernelized Design Trusted Computing Base Trusted Computing Base  Hardware and software for enforcing security rules Reference monitor Reference monitor  Part of TCB  All system calls go through reference monitor for security checking  Most OS not designed this way Reference validation mechanism – Reference validation mechanism – 1.Tamperproof 2.Never be bypassed 3.Small enough to be subject to analysis and testing – the completeness can be assured User space Kernel space User process OS kernel TCB Reference monitor

25 IS2150/TEL2810: Introduction of Computer Security25 Is Windows is “Secure”? Good things Good things  Design goals include security goals  Independent review, configuration guidelines But … But …  “Secure” is a complex concept What properties protected against what attacks?  Typical installation includes more than just OS Many problems arise from applications, device drivers Windows driver certification program

26 IS2150/TEL2810: Introduction of Computer Security26 Window 2000 Newer features than NT Newer features than NT NTFS file system redesigned for performance NTFS file system redesigned for performance Active directory Active directory  Kerberos for authentication  IPSec/L2TP

27 IS2150/TEL2810: Introduction of Computer Security27 Windows XP Improvement over Win 2000 Professional Improvement over Win 2000 Professional  Personalized login Multiple users to have secure profiles  User switching Multiple users to be logged in  Internet connection firewall (ICF) Active packet filtering  Blank password restriction (null sessions)  Encrypting File System (EFS) using PKI  Smart card support (uses X.509 certificate for authentication)

28 IS2150/TEL2810: Introduction of Computer Security28 Active Directory Core for the flexibility of Win2000 Core for the flexibility of Win2000  Centralized management for clients, servers and user accounts Information about all objects Information about all objects Group policy and remote OS operations Group policy and remote OS operations Replaces SAM database Replaces SAM database  AD is trusted component of the LSA Stores Stores  Access control information – authorization  User credentials – authentication Supports Supports  PKI, Kerberos and LDAP

29 IS2150/TEL2810: Introduction of Computer Security29 Win 2003

30 IS2150/TEL2810: Introduction of Computer Security30 Solaris 10 UNIX-based OS UNIX-based OS  Access Control is similar. Some new features have been added in Solaris 10. Some new features have been added in Solaris 10.  User Templates  Authorizations  Projects  RBAC – Only for administrative purposes

31 IS2150/TEL2810: Introduction of Computer Security31 Design Principles

32 IS2150/TEL2810: Introduction of Computer Security32 Design Principles for Security Mechanisms Principles Principles  Least Privilege  Fail-Safe Defaults  Economy of Mechanism  Complete Mediation  Open Design  Separation of Privilege  Least Common Mechanism  Psychological Acceptability Based on the idea of simplicity and restriction Based on the idea of simplicity and restriction

33 IS2150/TEL2810: Introduction of Computer Security33 Overview Simplicity Simplicity  Less to go wrong  Fewer possible inconsistencies  Easy to understand Restriction Restriction  Minimize access power (need to know)  Inhibit communication

34 IS2150/TEL2810: Introduction of Computer Security34 Least Privilege A subject should be given only those privileges necessary to complete its task A subject should be given only those privileges necessary to complete its task  Function, not identity, controls RBAC!  Rights added as needed, discarded after use Active sessions and dynamic separation of duty  Minimal protection domain A subject should not have a right if the task does not need it

35 IS2150/TEL2810: Introduction of Computer Security35 Fail-Safe Defaults Default action is to deny access Default action is to deny access If action fails, system as secure as when action began If action fails, system as secure as when action began  Undo changes if actions do not complete  Transactions (commit)

36 IS2150/TEL2810: Introduction of Computer Security36 Economy of Mechanism Keep the design and implementation as simple as possible Keep the design and implementation as simple as possible  KISS Principle (Keep It Simple, Silly!) Simpler means less can go wrong Simpler means less can go wrong  And when errors occur, they are easier to understand and fix Interfaces and interactions Interfaces and interactions

37 IS2150/TEL2810: Introduction of Computer Security37 Complete Mediation Check every access to an object to ensure that access is allowed Check every access to an object to ensure that access is allowed Usually done once, on first action Usually done once, on first action  UNIX: Access checked on open, not checked thereafter If permissions change after, may get unauthorized access If permissions change after, may get unauthorized access

38 IS2150/TEL2810: Introduction of Computer Security38 Open Design Security should not depend on secrecy of design or implementation Security should not depend on secrecy of design or implementation  Popularly misunderstood to mean that source code should be public  “Security through obscurity”  Does not apply to information such as passwords or cryptographic keys

39 IS2150/TEL2810: Introduction of Computer Security39 Separation of Privilege Require multiple conditions to grant privilege Require multiple conditions to grant privilege  Example: Checks of $70000 must be signed by two people  Separation of duty  Defense in depth Multiple levels of protection

40 IS2150/TEL2810: Introduction of Computer Security40 Least Common Mechanism Mechanisms should not be shared Mechanisms should not be shared  Information can flow along shared channels  Covert channels Isolation Isolation  Virtual machines  Sandboxes

41 IS2150/TEL2810: Introduction of Computer Security41 Psychological Acceptability Security mechanisms should not add to difficulty of accessing resource Security mechanisms should not add to difficulty of accessing resource  Hide complexity introduced by security mechanisms  Ease of installation, configuration, use  Human factors critical here

Download ppt "IS2150/TEL2810: Introduction of Computer Security1 October 18, 2005 Introduction to Computer Security Lecture 6 Windows/Unix/Solaris 10 Design Principles."

Similar presentations

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
G22.3250-001 Robert Grimm New York University Protection and the Control of Information Sharing in Multics.

G Robert Grimm New York University Protection and the Control of Information Sharing in Multics.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
LERSAIS.  Access Control in Unix  Access Control in Windows  Port Redirection 2.

LERSAIS.  Access Control in Unix  Access Control in Windows  Port Redirection 2.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.

Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.
Security features of Windows 2000. What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored.

Security features of Windows What is computer security ? Computer security refers to the protection of all components—hardware, software, and stored.
John Mitchell Secure OS Principles and Security Policies by John Mitchell (Modified by Vijay Ganesh)

John Mitchell Secure OS Principles and Security Policies by John Mitchell (Modified by Vijay Ganesh)

Similar presentations

Ads by Google