Page 1:
Operating System Security
95-752:6-1
Page 2:
Users
* UNIX user -> username -> uid
- uid is the system's real name for the user
- integer 0 ... 65536 (varies in some systems)
- mapping is in /etc/passwd:
shimeall:*:5003:20:Tim:/users/shimeall:csh
* More than one username may map to a uid
- Desired for some system purposes (program tracking)
- Problem for ordinary users (confused file ownership)
- Security problem (hacker makes duplicate uid account)
* Temporary uid change: su
Page 3:
Groups
* User - one or more groups
* Group - zero or more users
- Used for file permissions
- Defined by /etc/group and network sharing software
- ypcat group.byname
- gid - integer system name for group (generally unique)
* Listed for individual users with groups
* Change group of file with chgrp
- chgrp newgroup myfile
Page 4:
SETUID and SETGID
* Special mechanisms: temporarily use a uid or gid during the execution of a program
* Part of mode bits
- s in user x field - setuid
- s in group x field - setgid
* To be effective, both s and x must be set
- chmod a+x myprog
- chmod u+s myprog
- chmod 4755 myprog
* WARNING: Lots of subtle security holes!
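As an added example (not from the slides), the following Python models the mode bits this slide describes: a small chmod that understands the three commands shown, an ls-style rendering in which a capital S reveals a set-id bit with no matching execute bit, and the slide's "both s and x" rule as a check. Function names are my own.

```python
S_ISUID, S_ISGID = 0o4000, 0o2000   # the two mode bits the slide is about

def chmod(mode, spec):
    """Apply one chmod argument to a numeric mode. Handles the forms used on the
    slide: symbolic who/op/perms (who in ugoa, op + or -, perms from rwxs) and an
    absolute octal string such as '4755'."""
    if spec.isdigit():
        return int(spec, 8)
    if len(spec) < 3 or spec[0] not in "ugoa" or spec[1] not in "+-":
        raise ValueError(f"unsupported chmod spec: {spec}")
    who, op, perms = spec[0], spec[1], spec[2:]
    shifts = {"u": (6,), "g": (3,), "o": (0,), "a": (6, 3, 0)}[who]
    bits = 0
    for shift in shifts:
        for p in perms:
            if p in "rwx":
                bits |= {"r": 4, "w": 2, "x": 1}[p] << shift
            elif p == "s" and shift == 6:
                bits |= S_ISUID
            elif p == "s" and shift == 3:
                bits |= S_ISGID
            elif p != "s":  # 'o+s' has no bit and is ignored, as real chmod does
                raise ValueError(f"unsupported permission: {p}")
    return mode | bits if op == "+" else mode & ~bits

def mode_string(mode):
    """Render permissions the way ls -l shows them, e.g. 0o4755 -> 'rwsr-xr-x'.
    A capital 'S' means the set-id bit is on but the matching execute bit is off."""
    out = []
    for shift, setid in ((6, S_ISUID), (3, S_ISGID), (0, 0)):
        rwx = (mode >> shift) & 0o7
        out.append("r" if rwx & 4 else "-")
        out.append("w" if rwx & 2 else "-")
        if setid and mode & setid:
            out.append("s" if rwx & 1 else "S")
        else:
            out.append("x" if rwx & 1 else "-")
    return "".join(out)

def setid_bits_effective(mode):
    """The slide's rule: a set-id bit only takes effect with the matching execute bit."""
    uid_ok = not (mode & S_ISUID) or bool(mode & 0o100)
    gid_ok = not (mode & S_ISGID) or bool(mode & 0o010)
    return uid_ok and gid_ok
```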
Page 5:
Dangerous Accounts
* root - superuser
* open, guest, play, nobody - courtesy accounts
* Accounts without passwords
* uucp, sync, pspq - single-command accounts
* Group accounts
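An added example, not from the slides, that audits constructed /etc/passwd-format lines for two of the problems raised on the Users and Dangerous Accounts slides: more than one username mapping to one uid (in particular a second uid 0 entry) and accounts with an empty password field. The sample entries and function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format (not taken from any real system):
# username:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
shimeall:*:5003:20:Tim:/users/shimeall:/bin/csh
operator2:x:0:0:second uid 0 entry:/root:/bin/sh
guest::5004:20:Guest:/home/guest:/bin/sh
broken line without enough fields
"""

def parse_passwd(text):
    """Return (username, password_field, uid, gid, shell) for each well-formed line.
    Malformed lines are kept separately so an audit can report them."""
    entries, malformed = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            malformed.append(line)
            continue
        entries.append((fields[0], fields[1], int(fields[2]), int(fields[3]), fields[6]))
    return entries, malformed

def duplicate_uids(entries):
    """uid -> usernames for every uid shared by more than one username.
    A second uid 0 entry is the 'duplicate uid account' case from the Users slide."""
    by_uid = defaultdict(list)
    for name, _, uid, _, _ in entries:
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def passwordless(entries):
    """Usernames whose password field is empty: login without any password."""
    return [name for name, pw, _, _, _ in entries if pw == ""]

def audit(text):
    """Run both checks over passwd-format text and report malformed lines too."""
    entries, malformed = parse_passwd(text)
    return {"duplicate_uids": duplicate_uids(entries),
            "passwordless": passwordless(entries),
            "malformed": malformed}
```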
Page 6:
User Policy
* Restricting access
- commands
- file access
- login times
- network access
- terminal access
* Inactive users
- Detection
- Password change
- Locking (change shell)
- Deletion (after backup)
* Ultimately - need multilevel security
Page 7:
Multilevel Security
* Users with different needs to know sharing a computer or network
* If a user doesn't need to know, they shouldn't even be able to determine whether the information exists
* Should be able to filter functionality based on allowable information
* Mandatory and Discretionary protections
Page 8:
Monitor Model
* General Schema:
- Takes user's request.
- Consults access control information.
- Allows or disallows request.
* Advantages
- Easy to implement.
- Easy to understand.
* Disadvantages
- Bottleneck in system
- Controls only direct accesses (not inferences)
Page 9:
Graham-Denning Model
* Introduces protection rules that operate on:
- A set of subjects S
- A set of objects O
- A set of rights R
- An access control matrix
[Figure: access control matrix; the legible cell entries are Control, Read, Owner and read*]
Page 10:
Graham-Denning Rights
* Eight primitive protection rights
- create, delete object
- create, delete subject
- read, grant, delete, transfer access right
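An added example, not from the slides, of an access control matrix that supports the eight Graham-Denning commands listed above. The slide names only the commands; the authorisation rules (owner of an object, control over a subject, transferable starred rights) are assumed from the standard model, and the class and method names are mine.

```python
class AccessMatrix:
    """Graham-Denning access matrix with the eight primitive commands. Rules assumed
    from the standard model (the slide lists only the commands): the 'owner' of an
    object may grant, delete, read and destroy rights on it; 'control' of a subject
    may delete, read and destroy that subject's rights; 'read*' etc. are transferable."""

    def __init__(self, first_subject):
        self.subjects, self.objects = {first_subject}, {first_subject}
        self.m = {}  # (subject, object) -> set of rights

    def rights(self, s, o):
        return self.m.setdefault((s, o), set())

    def _may_edit(self, s, t, o):  # s controls subject t, or s owns object o
        return "control" in self.rights(s, t) or "owner" in self.rights(s, o)

    def _destroy(self, name):  # drop the row and the column belonging to name
        self.subjects.discard(name)
        self.objects.discard(name)
        self.m = {k: v for k, v in self.m.items() if name not in k}

    @staticmethod
    def _when(allowed, action):  # run action only if the rule allows it; report result
        if allowed:
            action()
        return allowed

    def create_object(self, s, o):
        self.objects.add(o)
        self.rights(s, o).add("owner")

    def create_subject(self, s, t):
        self.subjects.add(t)
        self.objects.add(t)  # a subject is also an object (both a row and a column)
        self.rights(s, t).add("control")
        self.rights(t, t).add("control")

    def delete_object(self, s, o):
        return self._when("owner" in self.rights(s, o), lambda: self._destroy(o))
    def delete_subject(self, s, t):
        return self._when("control" in self.rights(s, t), lambda: self._destroy(t))
    def grant(self, s, right, t, o):  # owner of o hands t a right on o
        return self._when("owner" in self.rights(s, o), lambda: self.rights(t, o).add(right))
    def transfer(self, s, right, t, o):  # holder of right* passes right (or right*) on
        return self._when(right.rstrip("*") + "*" in self.rights(s, o),
                          lambda: self.rights(t, o).add(right))
    def delete_right(self, s, right, t, o):
        return self._when(self._may_edit(s, t, o), lambda: self.rights(t, o).discard(right))
    def read_rights(self, s, t, o):  # None when s may not even inspect the cell
        return set(self.rights(t, o)) if self._may_edit(s, t, o) else None
```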
Page 11:
Military Security Model
* Information is ranked:
- Unclassified
- Confidential
- Secret
- Top Secret
* Least Privilege: Subject should have access to fewest objects needed for successful work
- The system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify files.
- Need to Know
Page 12:
Compartmentalization
* Information may belong to one or more compartments
* Compartments are used to enforce need-to-know.
* Classification of Information: <rank; compartments>
* Clearance: <rank; compartments>
- an indication of a level of trust
* A subject can access an object only if
- The clearance level of the subject is at least as high as that of the information.
- The subject has a need to know about all compartments for which the information is classified.
Page 13:
Information Flow Models
* Acts as an intelligent filter to control the transfer of information permitted by access to a particular object.
* Information flow analysis can assure that operating system modules that have access to sensitive data cannot leak that data to calling modules.
Page 14:
Bell-LaPadula Model
* A formal description of the allowable paths of information flow in a secure system.
- Applies only to privacy
- Identifies paths that could lead to inappropriate disclosures.
- Is used as the basis for the design of systems that handle data of multiple levels.
- Includes both discretionary and mandatory access rules
* B-LP Discretionary Access Control
- Uses Access Matrix similar to Graham-Denning Model
- Includes functions for dealing with the access matrix.
Page 15:
Bell-LaPadula Mandatory Controls
* Fixed security classes for each subject and each object
* Security classes ordered by a relation
- Tranquility constraint prevents access classes of objects from changing
* Simple Security Property
* *-Property
Page 16:
Bell-LaPadula Properties
Simple Security Property:
* Subject may have read access only if object classified at same level or lower.
*-Property:
* Subject may have write access only if all objects read are at same level or higher than object to be written.
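An added example (not from the slides) that implements the <rank; compartments> dominance check from the Compartmentalization slide and uses it for the two Bell-LaPadula properties above. The *-property is coded in its standard no-write-down form: the object being written must dominate every object the subject has already read. Class and function names, and the analyst scenario, are mine.

```python
from dataclasses import dataclass

# Rank ordering from the Military Security Model slide.
RANKS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """A <rank; compartments> label, used both as a clearance and as a classification."""
    rank: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Rank at least as high AND every compartment of `other` is held (need to know)."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.compartments >= other.compartments)

class Subject:
    """Remembers what a subject has read so the *-property can be checked on each write."""
    def __init__(self, name, clearance):
        self.name, self.clearance, self.reads = name, clearance, []

    def can_read(self, classification):
        """Simple Security Property (no read up): clearance must dominate the object."""
        return self.clearance.dominates(classification)

    def read(self, classification):
        if not self.can_read(classification):
            return False
        self.reads.append(classification)
        return True

    def can_write(self, classification):
        """*-Property (no write down): the object written must dominate every object
        this subject has already read, so nothing read high can flow to a lower object."""
        return all(classification.dominates(r) for r in self.reads)

def demo():
    """Constructed scenario: an analyst cleared Secret {crypto} reads, then tries to write."""
    crypto = frozenset({"crypto"})
    analyst = Subject("analyst", Label("Secret", crypto))
    results = {
        "read_confidential": analyst.read(Label("Confidential")),
        "read_secret_crypto": analyst.read(Label("Secret", crypto)),
        "read_top_secret": analyst.read(Label("Top Secret")),              # no read up
        "read_secret_nuclear": analyst.read(Label("Secret", frozenset({"nuclear"}))),
    }
    results["write_unclassified"] = analyst.can_write(Label("Unclassified"))  # no write down
    results["write_secret_no_compartment"] = analyst.can_write(Label("Secret"))
    results["write_top_secret_crypto"] = analyst.can_write(Label("Top Secret", crypto))
    return results
```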
Page 17:
Biba Model
* Concerned with integrity rather than secrecy.
* Defines integrity levels much like sensitivity levels.
- Fixed integrity classes for each subject and each object
- Ordered integrity classes
Page 18:
Biba Properties
Simple Integrity Property:
* Subject can modify object only if integrity class at least as high as the object. (untrusted subjects reduce integrity class when writing)
*-Property:
* Subjects may have write access only if the integrity of objects they are reading is at least as high as the object to be written. (untrusted sources reduce integrity of results)
Page 19:
Integrity Preservation
A high-integrity file is one whose contents are created by high-integrity processes.
* A high-integrity file cannot be contaminated by information from low-integrity processes.
* A high-integrity process cannot be subverted by low-integrity processes or data.
The integrity class label on a file guarantees that the contents came only from sources of at least that degree of integrity.
Page 20:
Secure Operating Systems
* Basic Features of a Multiprogramming OS
- Authentication of users.
- Protection of memory.
- File and I/O device access control.
- Allocation and access control to general objects.
- Enforcement of sharing.
- Guarantee of fair service.
- Interprocess communication and synchronization.
* Basic Considerations
- Security must be considered in every aspect of the design of operating systems.
- It is difficult to add on security features.
Page 21:
Basic Design Principles
* Least privilege - fewest possible privileges for user.
* Economy of mechanism - small, simple, straightforward.
* Open design
* Complete mediation - check every access
* Permission based - default is denial of access.
* Separation of privilege - no single super user.
* Least common mechanism - avoid shared objects.
* Easy to use.
Page 22:
Security Kernel
* Responsible for implementing the security mechanisms of the entire operating system.
* Provides the security interfaces among the hardware, the operating system, and the other parts of the computing system.
* Implementation of a security kernel:
- May degrade system performance (one more layer).
- May be large.
- No guarantees.
Page 23:
Backups
* First line of defense against denial-of-service and modification threats
* Don't depend on system backups for important data
* User backups
* Administrator backups:
- Day-zero backup
- Upgrade backup
- Full backup
- Incremental backup
Page 24:
Backup Policy
* One backup volume per partition
* Time backup for restoration
- How much work are we willing to lose?
* Verify backup at archive location
- Content - not just format
- Ensure operator training
- Ensure archive environment
* Rotate media
- Need more than most recent backup
* Maintain physical security on backups
* Maintain logical security on backups
* Be careful about legal issues on backups
Page 25:
Integrity
* Compromise of integrity equal to compromise of privacy
* Integrity threats:
- Change permissions to allow modification/reading
- Change password file
- Change device / interface configurations
- Move files
- Replace system programs with substitutes
- Replace log files with sanitized versions
* 95% of UNIX security incidents are the result of misconfiguration
Page 26:
Integrity Protection Strategies
* Prevention
* Detection
* Recovery
Page 27:
Unix Operation Modes
* Normal Operating Mode:
- Any user login
- Diverse command set
- Network operations
- Import and export files
* Single User Mode:
- Intended for system maintenance / full backup
- Only root login allowed
- Restricted command set
- No network operations
- No file import/export
Page 28:
Prevention Strategies
* Software Controls:
- File permissions
- Directory permissions
- Restrictions on root access
* Low-level operating system controls:
- Immutability - only change in single-user mode
- Append - only add to file, except in single-user mode
* Hardware controls:
- Read-only file systems (CD ROM, WORM)
- Write-protect options
Page 29:
Detection Strategies
* Comparison copies:
- On read-only media
- On standard media, remote storage
- Large space, slow, expensive
* Checklists:
- Stored list of files
- Path to files
- Modification times
- Easy to fool
* Digital Signature
- Encrypt with private key of modifier
- Fast, small, hard to fool, requires extra work
Page 30:
TRIPWIRE
* System to compute signatures on all files in system
- Batch mode - compare against stored signatures & report differences
- Interactive mode - compare against stored signatures & confirm updates
- Both commercial and freeware products
* Detects:
- Corrupted file systems
- Unlogged administrator actions
- Replacement of system programs
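An added example (not from the slides and not Tripwire's own code) that contrasts the checklist and signature strategies from the Detection Strategies slide in Tripwire-style batch mode: it baselines a constructed directory, replaces a program while putting its old modification time back, and shows that only the content signature notices. A keyed HMAC-SHA256 stands in for the private-key signature, with the key assumed to live off the monitored host; function names are mine.

```python
import hashlib
import hmac
import os
import tempfile

def walk_files(root):
    """Yield (relative path, absolute path) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                yield os.path.relpath(path, root), path

def checklist(root):
    """The slide's checklist strategy: remember only path and modification time."""
    return {rel: os.stat(path).st_mtime_ns for rel, path in walk_files(root)}

def signatures(root, key):
    """The slide's signature strategy, here a keyed HMAC-SHA256 over file contents.
    The key stands in for the modifier's private key and must be kept off the host."""
    sigs = {}
    for rel, path in walk_files(root):
        with open(path, "rb") as f:
            sigs[rel] = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
    return sigs

def differences(baseline, current):
    """Batch mode: files whose stored value no longer matches, plus new and missing ones."""
    changed = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "missing": missing}

def demo():
    """Constructed scenario: a program is replaced, its old timestamp restored, a file added."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "login")
        with open(prog, "wb") as f:
            f.write(b"original program")
        base_list, base_sigs = checklist(root), signatures(root, key)
        st = os.stat(prog)
        with open(prog, "wb") as f:
            f.write(b"replaced program")                        # same length, new content
        os.utime(prog, ns=(st.st_atime_ns, st.st_mtime_ns))     # old mtime put back
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"dropped-in file")
        return (differences(base_list, checklist(root)),
                differences(base_sigs, signatures(root, key)))
```

The checklist result reports only the added file; the signature result also reports the replaced program.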
Page 31:
Recovery Strategies
* Restore from backup - Rollback (Data Loss)
* If data problem, may be able to replay changes - Selective Rollback (some data loss)
* If redundant file system, vote file versions - Masking
* If specific changes found - correct - Roll forward
* In general, the more detection and prevention, the easier the recovery
Page 32:
Auditing
* Installing security protection is only a beginning
* Need to monitor systems
* Monitoring methods: Audits and Logs
- Audit - active scanning of current state of system
- Log - record of actions taken in operation of system
* Audits often use logs, and do more
Page 33:
Log File Vulnerabilities
* Alteration
- Append mode
- Non-rewritable media (print)
* Deletion
- Non-rewritable media
- Move to restricted log host
- PC linked by serial line
* Flooding
- Ensure large storage
- Reduce before logging (look for repeating patterns)
Page 34:
Syslog
* General purpose logging utility
* Any program can generate syslog messages
- Socket connect to syslogd process TCP port
* Messages to files, devices or computers
- Dependent on severity and service
* Messages marked with authentication level
- kern, user, mail, lpr, auth, daemon, news, uucp, local0...local7, mark
* Messages marked with priority
- emerg, alert, crit, err, warning, notice, info, debug, none
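An added example, not from the slides, showing how the facility and priority names above travel on the wire (the syslog PRI value, facility * 8 + severity) and the "reduce before logging" defence from the Log File Vulnerabilities slide, which collapses runs of repeated messages. Facility numbers are taken from glibc's syslog.h rather than the slide; the sample messages and function names are constructed.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility numbers as in glibc's <syslog.h>; 12-15 are reserved for system use.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"] + ["reserved"] * 4
              + [f"local{i}" for i in range(8)])
PRI_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.+)$")

def encode_pri(facility, severity):
    """PRI value sent on the wire: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    """Inverse of encode_pri; the largest legal PRI is 23 * 8 + 7 = 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse(line):
    """Split a '<PRI>rest' message; None for lines without a valid header."""
    m = PRI_LINE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group("pri")))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, "msg": m.group("rest")}

def reduce_repeats(lines):
    """Collapse runs of identical records into one record plus a repeat marker,
    the slide's 'reduce before logging' defence against log flooding."""
    out, last, repeats = [], None, 0
    for rec in filter(None, map(parse, lines)):
        if rec == last:
            repeats += 1
            continue
        if repeats:
            out.append({**last, "msg": f"last message repeated {repeats} times"})
        out.append(rec)
        last, repeats = rec, 0
    if repeats:
        out.append({**last, "msg": f"last message repeated {repeats} times"})
    return out

# Constructed sample traffic: one auth notice, three identical auth warnings, junk.
SAMPLE = (["<37>host1 su: 'su root' succeeded for tim on /dev/pts/0"]
          + ["<36>host1 login: FAILED LOGIN 1 FROM console FOR guest"] * 3
          + ["no header at all"])
```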
Page 35:
Syslog Vulnerabilities
* Network/Device flooding
* Stack overwrites (old versions)
* False log entries
* Need for consistent, frequent review
Page 36:
Hand-Written Logs
* Journal System
* Ensure physical protection
* “Where do you keep them?”
* Ensure legitimate entries
- Signature rules
* Keep for system
* Keep for site
