Operating system security
Slide 1: 95-752:6-1 Operating System Security

Slide 2: Users
- UNIX user -> username -> uid
- The uid is the system's real name for the user: an integer, 0 ... 65535 on systems with 16-bit uids (the range varies; most current systems use 32-bit uids)
- The mapping is in /etc/passwd, one line per account (name, password field, uid, gid, comment, home, shell):
  shimeall:*:5003:20:Tim:/users/shimeall:csh
- More than one username may map to the same uid
  - Desired for some system purposes (program tracking)
  - A problem for ordinary users (confused file ownership: the kernel stores only the uid, not the name)
  - A security problem (an attacker adds a duplicate-uid account, e.g. a second uid-0 account, and has root under another name)
- Temporary uid change: su

Slide 3: Groups
- A user belongs to one or more groups; a group has zero or more users
- Used for file permissions
- Defined by /etc/group and by network sharing software (NIS): ypcat group.byname
- gid: the integer system name for the group (generally unique)
- The groups of an individual user are listed with: groups
- Change the group of a file with chgrp: chgrp newgroup myfile

Slide 4: SETUID and SETGID
- Special mechanism: the process temporarily uses the file owner's uid (or the file group's gid) during the execution of the program
- Part of the mode bits: s in the user x field = setuid; s in the group x field = setgid
- To be effective, both s and the corresponding x must be set (ls -l shows an ineffective set-id bit as a capital S):
  chmod a+x myprog
  chmod u+s myprog
  chmod 4755 myprog     (setuid plus rwxr-xr-x in one step)
- WARNING: lots of subtle security holes! A setuid program runs with its owner's privileges on behalf of any caller, so every input it takes is attacker-controlled.
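The following is an added example, not code from the lecture: it decodes mode bits the way ls -l does (so the capital-S case of an ineffective set-id bit is visible) and audits a constructed file inventory for the hazards the slide warns about. The inventory, paths and severities are assumptions for illustration, not a real host's files.

```python
"""Decode UNIX mode bits and audit a file inventory for setuid/setgid hazards.

Added example; SAMPLE_INVENTORY is constructed, not taken from a real host.
"""
import stat


def mode_string(mode):
    """Render the permission bits the way `ls -l` does: 0o4755 -> 'rwsr-xr-x'.

    A set-id bit whose matching x bit is clear is shown as a capital S (T for
    the sticky bit); such a bit is ineffective, which is why chmod u+s must be
    paired with an execute bit.
    """
    out = []
    triples = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    )
    for r, w, x, special, letter in triples:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


# Constructed inventory: (path, mode, owner uid, owner gid).
SAMPLE_INVENTORY = [
    ("/usr/bin/passwd", 0o4755, 0, 0),              # setuid root, expected on most systems
    ("/usr/local/bin/myprog", 0o4777, 1000, 1000),  # setuid and world-writable
    ("/usr/local/bin/report", 0o4644, 0, 0),        # 's' without 'x': ineffective setuid
    ("/usr/bin/wall", 0o2755, 0, 5),                # setgid (gid 5 = tty, conventionally)
    ("/bin/ls", 0o755, 0, 0),                       # ordinary binary, no set-id bits
]


def audit_setid(inventory):
    """Return (path, severity, message) findings for every set-id file."""
    findings = []
    for path, mode, uid, gid in inventory:
        is_suid = bool(mode & stat.S_ISUID)
        is_sgid = bool(mode & stat.S_ISGID)
        if not (is_suid or is_sgid):
            continue
        shown = mode_string(mode)
        if is_suid and not mode & stat.S_IXUSR:
            findings.append((path, "INFO", f"setuid bit without owner execute ({shown}): ineffective"))
        if is_sgid and not mode & stat.S_IXGRP:
            findings.append((path, "INFO", f"setgid bit without group execute ({shown}): ineffective"))
        if mode & stat.S_IWOTH:
            findings.append((path, "CRITICAL",
                             f"set-id file is world-writable ({shown}): anyone can replace the code that runs as uid {uid}"))
        if is_suid and uid == 0 and mode & stat.S_IXUSR:
            findings.append((path, "WARNING", f"setuid root ({shown}): confirm it is expected and patched"))
        if is_sgid and mode & stat.S_IXGRP:
            findings.append((path, "NOTICE", f"setgid to gid {gid} ({shown})"))
    return findings


if __name__ == "__main__":
    for path, sev, msg in audit_setid(SAMPLE_INVENTORY):
        print(f"{sev:8} {path}: {msg}")
```

On a live system the inventory would come from `find / -perm -4000 -o -perm -2000` followed by `os.stat` on each result; the checks themselves do not change.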
Slide 5: Dangerous Accounts
- root: the superuser
- open, guest, play, nobody: courtesy accounts
- Accounts without passwords
- uucp, sync, pspq: single-command accounts (the shell is the command, so the account is only as safe as that command)
- Group (shared) accounts: no accountability for what was done under them
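Added example (not part of the lecture) tying the Users and Dangerous Accounts slides together: a small passwd(5) auditor that reports duplicate uids (a second uid-0 account is the critical case), empty password fields, and courtesy accounts that can still log in. SAMPLE_PASSWD is constructed for the demonstration; the account names other than those on the slides, and the severity labels, are assumptions.

```python
"""Audit a UNIX /etc/passwd for duplicate uids, empty password fields and
courtesy accounts that are still able to log in.

Added example; SAMPLE_PASSWD is constructed and is not from a real system.
"""
from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
shimeall:*:5003:20:Tim:/users/shimeall:/bin/csh
toor:x:0:0:second superuser:/root:/bin/sh
guest::1001:1001:courtesy account:/home/guest:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
oldemp:x:1002:1002:left company:/home/oldemp:/bin/false
"""

COURTESY_NAMES = {"open", "guest", "play"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raise on a malformed line rather than skip it."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_locked(entry):
    """True if password login is impossible: the hash field is a lock marker
    ('*', '!', '!!') or the shell refuses logins.  'x' means the hash is in /etc/shadow."""
    return entry["pw"] in {"*", "!", "!!"} or entry["shell"] in NOLOGIN_SHELLS


def audit_passwd(entries):
    """Return (severity, message) findings."""
    findings = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            # Two names for uid 0 means a second root account under another name.
            severity = "CRITICAL" if uid == 0 else "WARNING"
            findings.append((severity, f"uid {uid} shared by {', '.join(names)}"))
    for e in entries:
        if e["pw"] == "" and e["shell"] not in NOLOGIN_SHELLS:
            findings.append(("CRITICAL", f"{e['name']}: empty password field, logs in without a password"))
        if e["name"] in COURTESY_NAMES and not is_locked(e):
            findings.append(("WARNING", f"{e['name']}: courtesy account still able to log in"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(severity, message)
```

To run it against a real host, read /etc/passwd (and, as root, /etc/shadow for the actual hash fields) instead of SAMPLE_PASSWD; NIS or LDAP accounts need `getent passwd` rather than the file.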
Slide 6: User Policy
- Restricting access: commands, file access, login times, network access, terminal access
- Inactive users: detection; forced password change; locking (change the shell to one that refuses logins); deletion (after backup)
- Ultimately, multilevel security is needed

Slide 7: Multilevel Security
- Users with different needs to know share a computer or network
- A user who doesn't need to know shouldn't even be able to determine that the information exists
- Functionality should be filterable according to the information a user is allowed
- Mandatory and discretionary protections

Slide 8: Monitor Model
- General schema (the reference monitor): takes the user's request; consults the access control information; allows or disallows the request
- Advantages: easy to implement; easy to understand
- Disadvantages: a bottleneck in the system; controls only direct accesses (not inferences drawn from accesses that were allowed)

Slide 9: Graham-Denning Model
- Introduces protection rules that operate on: a set of subjects S; a set of objects O; a set of rights R; an access control matrix
- Example access control matrix (rows: subjects; columns: subjects and objects, since a subject can itself be the object of a right such as control). Reconstructed from the flattened slide; the model's convention that each subject controls itself fixes where s2's entries fall:

  Subject   S1        S2        O1       O2
  s1        Control   Read*     Owner    read
  s2                  Control            Owner

  (Read*: the * is a copy flag, meaning the holder may transfer the read right to another subject)

Slide 10: Graham-Denning Rights
- Eight primitive protection rights: create object, create subject, delete object, delete subject, read access right, grant access right, delete access right, transfer access right
- Whether a subject may perform each operation depends on whether it is the owner of the object or controls the subject concerned
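Added example, not from the lecture: a small access-control matrix that implements the eight Graham-Denning primitives, with "owner", "control" and the copy flag (right*) deciding who may change the matrix. Subject and object names, the bootstrapping of the initial subjects, and the self-control convention are assumptions made for the demonstration.

```python
"""Access-control matrix with the Graham-Denning primitive operations.

Added example; names and the initial subjects are constructed.
"""


class AccessMatrix:
    OWNER, CONTROL = "owner", "control"

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.cells = {}  # (subject, object) -> set of rights; subjects are objects too

    def _cell(self, s, o):
        return self.cells.setdefault((s, o), set())

    def has(self, s, o, right):
        return right in self._cell(s, o)

    def bootstrap_subject(self, name):
        """Create an initial subject outside the rules (assumption: each subject controls itself)."""
        self.subjects.add(name)
        self.objects.add(name)
        self._cell(name, name).add(self.CONTROL)

    # --- the eight primitive operations; each returns False when the rules forbid it ---
    def create_object(self, s, o):
        if o in self.objects:
            return False
        self.objects.add(o)
        self._cell(s, o).add(self.OWNER)          # the creator becomes owner
        return True

    def create_subject(self, s, new):
        if new in self.subjects:
            return False
        self.subjects.add(new)
        self.objects.add(new)
        self._cell(s, new).add(self.CONTROL)      # the creator controls the new subject
        self._cell(new, new).add(self.CONTROL)
        return True

    def delete_object(self, s, o):
        if not self.has(s, o, self.OWNER):
            return False
        self.objects.discard(o)
        for key in [k for k in self.cells if k[1] == o]:
            del self.cells[key]
        return True

    def delete_subject(self, s, x):
        if not self.has(s, x, self.CONTROL):
            return False
        self.subjects.discard(x)
        self.objects.discard(x)
        for key in [k for k in self.cells if x in k]:
            del self.cells[key]
        return True

    def read_rights(self, s, x, o):
        """s may read the cell A[x, o] if s controls x or owns o; None when refused."""
        if self.has(s, x, self.CONTROL) or self.has(s, o, self.OWNER):
            return set(self._cell(x, o))
        return None

    def grant(self, s, right, o, x):
        """The owner of o may give any right on o to x."""
        if not self.has(s, o, self.OWNER):
            return False
        self._cell(x, o).add(right)
        return True

    def delete_right(self, s, right, o, x):
        """s may remove a right from A[x, o] if s controls x or owns o."""
        if not (self.has(s, x, self.CONTROL) or self.has(s, o, self.OWNER)):
            return False
        self._cell(x, o).discard(right)
        return True

    def transfer(self, s, right, o, x):
        """s may pass 'right' (or 'right*') to x only if s itself holds the copyable form right*."""
        base = right.rstrip("*")
        if not self.has(s, o, base + "*"):
            return False
        self._cell(x, o).add(right)
        return True


def demo():
    """Owner grants a copyable read; the recipient can pass it on, the next holder cannot."""
    m = AccessMatrix()
    for s in ("s1", "s2", "s3"):
        m.bootstrap_subject(s)
    trace = {}
    trace["create"] = m.create_object("s1", "o1")
    trace["grant_by_nonowner"] = m.grant("s2", "read", "o1", "s3")      # s2 does not own o1
    trace["grant_read_star"] = m.grant("s1", "read*", "o1", "s2")
    trace["transfer_by_s2"] = m.transfer("s2", "read", "o1", "s3")      # s2 holds read*
    trace["transfer_by_s3"] = m.transfer("s3", "read", "o1", "s1")      # s3 holds only read
    trace["s3_reads"] = m.has("s3", "o1", "read")
    trace["revoke"] = m.delete_right("s1", "read", "o1", "s3")          # owner revokes
    trace["s3_reads_after"] = m.has("s3", "o1", "read")
    return m, trace
```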
Slide 11: Military Security Model
- Information is ranked: Unclassified < Confidential < Secret < Top Secret
- Least privilege: a subject should have access to the fewest objects needed for successful work
  - Example: the system backup program may be allowed to bypass read restrictions on files, but it would not have the ability to modify them
- "Need to know": rank alone does not grant access

Slide 12: Compartmentalization
- Information may belong to one or more compartments; compartments are used to enforce need to know
- Classification of information: <rank; compartments>
- Clearance of a subject: <rank; compartments>, an indication of a level of trust
- A subject can access an object only if:
  - the clearance rank of the subject is at least as high as that of the information, and
  - the subject has a need to know about (is cleared for) all compartments for which the information is classified
- Together these make "clearance dominates classification" a partial order (a lattice), not a single line

Slide 13: Information Flow Models
- Act as an intelligent filter to control the transfer of information permitted by access to a particular object
- Information flow analysis can assure that operating system modules that have access to sensitive data cannot leak that data to calling modules

Slide 14: Bell-LaPadula Model
- A formal description of the allowable paths of information flow in a secure system
- Applies only to confidentiality (disclosure), not to integrity
- Identifies paths that could lead to inappropriate disclosures
- Used as the basis for the design of systems that handle data of multiple levels
- Includes both discretionary and mandatory access rules
- B-LP discretionary access control: uses an access matrix similar to the Graham-Denning model, with functions for manipulating the matrix

Slide 15: Bell-LaPadula Mandatory Controls
- Fixed security classes for each subject and each object
- Security classes are ordered by a dominance relation (rank plus compartments, as above)
- Tranquility constraint: the access class of an object does not change while the system is running (so a check made when a file is opened stays valid)
- Simple security property
- *-property

Slide 16: Bell-LaPadula Properties
- Simple security property ("no read up"): a subject may have read access to an object only if the object is classified at the subject's level or lower
- *-property ("no write down"): a subject may have write access to an object only if every object it has read is at the same level or lower than the object to be written; equivalently, a subject may write only to objects at its own level or higher

Slide 17: Biba Model
- Concerned with integrity rather than secrecy
- Defines integrity levels much like sensitivity levels
- Fixed integrity classes for each subject and each object
- Integrity classes are ordered; the rules are the dual of Bell-LaPadula, with the dangerous directions reversed

Slide 18: Biba Properties
- Simple integrity property ("no write up"): a subject can modify an object only if the subject's integrity class is at least as high as the object's (untrusted subjects reduce the integrity class of what they write)
- *-property: a subject may have write access to an object only if the integrity of every object it is reading is at least as high as the object to be written (untrusted sources reduce the integrity of results)
- Practical effect: a high-integrity process may not consume low-integrity input, or it must write its results at the lower integrity
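Added example covering the Compartmentalization, Bell-LaPadula Properties and Biba Properties slides; it is not code from the lecture. Labels are <level; compartments> pairs ordered by dominance, and the four rules are written as one-line predicates so the symmetry between the two models is visible. The rank names come from the slides; the integrity level names, compartment names and object names are assumptions for the demonstration.

```python
"""Label lattice <level; compartments> with the Bell-LaPadula and Biba rules.

Added example; ranks follow the slides, integrity levels, compartments and
object names are constructed.
"""
from dataclasses import dataclass

RANKS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Low": 0, "Medium": 1, "High": 2}   # assumed integrity levels


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high AND cleared for every compartment of other."""
        return self.level >= other.level and self.compartments >= other.compartments


def sensitivity(rank, *compartments):
    return Label(RANKS[rank], frozenset(compartments))


def integrity(level, *compartments):
    return Label(INTEGRITY[level], frozenset(compartments))


# Bell-LaPadula (confidentiality): information may only flow upward.
def blp_can_read(subject, obj):
    """Simple security property, no read up: the subject's clearance must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject, obj):
    """*-property, no write down: the object written must dominate the subject, so
    nothing the subject could have read ends up at a lower level."""
    return obj.dominates(subject)


# Biba (integrity): the same lattice with the directions reversed.
def biba_can_read(subject, obj):
    """No read down: a subject may only read sources of at least its own integrity."""
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    """Simple integrity property, no write up: a subject may only modify objects of integrity
    no higher than its own."""
    return subject.dominates(obj)


def demo():
    """A Secret analyst cleared for the 'nuclear' compartment against four constructed objects.
    Returns name -> (may read, may write) under Bell-LaPadula."""
    analyst = sensitivity("Secret", "nuclear")
    objects = {
        "weather": sensitivity("Unclassified"),
        "nuclear_report": sensitivity("Secret", "nuclear"),
        "crypto_memo": sensitivity("Secret", "crypto"),        # same rank, wrong compartment
        "ts_plan": sensitivity("Top Secret", "nuclear"),
    }
    return {name: (blp_can_read(analyst, o), blp_can_write(analyst, o))
            for name, o in objects.items()}


if __name__ == "__main__":
    for name, (r, w) in demo().items():
        print(f"{name:15} read={r!s:5} write={w}")
```

Note that the compartment check is what makes crypto_memo unreadable even though its rank equals the analyst's, and that the analyst may write a Top Secret plan but not read it: the "write up" that Bell-LaPadula permits is exactly the blind write that Biba forbids.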
Slide 19: Integrity Preservation
- A high-integrity file is one whose contents were created only by high-integrity processes
- A high-integrity file cannot be contaminated by information from low-integrity processes
- A high-integrity process cannot be subverted by low-integrity processes or data
- The integrity class label on a file guarantees that its contents came only from sources of at least that degree of integrity

Slide 20: Secure Operating Systems
- Basic features of a multiprogramming OS: authentication of users; protection of memory; file and I/O device access control; allocation of and access control to general objects; enforcement of sharing; guarantee of fair service; interprocess communication and synchronization
- Basic considerations: security must be considered in every aspect of the design of an operating system; it is difficult to add security features on afterwards

Slide 21: Basic Design Principles (Saltzer and Schroeder)
- Least privilege: the fewest possible privileges for each user and program
- Economy of mechanism: small, simple, straightforward, so that it can be checked
- Open design: security must not depend on the design being secret, only on keys and passwords
- Complete mediation: check every access, not just the first
- Permission based (fail-safe defaults): the default is denial of access
- Separation of privilege: no single superuser; sensitive actions require more than one key
- Least common mechanism: avoid shared objects, which become channels between users
- Easy to use (psychological acceptability), or users will work around the mechanism

Slide 22: Security Kernel
- Responsible for implementing the security mechanisms of the entire operating system
- Provides the security interfaces among the hardware, the operating system, and the other parts of the computing system
- Implementation of a security kernel: may degrade system performance (one more layer); may be large; offers no guarantees by itself

Slide 23: Backups
- The first line of defense against denial-of-service and modification threats
- Don't depend on system backups for important data; keep user backups as well
- Administrator backups: day-zero backup (the clean install); upgrade backup; full backup; incremental backup

Slide 24: Backup Policy
- One backup volume per partition
- Time backups for restoration: how much work are we willing to lose?
- Verify the backup at the archive location: content, not just format
- Ensure operator training
- Ensure the archive environment (storage conditions for the media)
- Rotate media: more than the most recent backup is needed, since a compromise may predate it
- Maintain physical security on backups
- Maintain logical security on backups (a backup tape is a copy of every secret on the system)
- Be careful about legal issues on backups (retention, discovery)

Slide 25: Integrity
- Compromise of integrity is equivalent to compromise of confidentiality: once an attacker can modify the system, nothing on it stays private
- Integrity threats: change permissions to allow modification or reading; change the password file; change device / interface configurations; move files; replace system programs with substitutes; replace log files with sanitized versions
- 95% of UNIX security incidents result from misconfiguration

Slide 26: Integrity Protection Strategies
- Prevention, detection, recovery

Slide 27: Unix Operation Modes
- Normal operating mode: any user may log in; diverse command set; network operations; import and export of files
- Single-user mode: intended for system maintenance and full backups; only root may log in; restricted command set; no network operations; no file import/export

Slide 28: Prevention Strategies
- Software controls: file permissions; directory permissions; restrictions on root access
- Low-level operating system controls: immutability (the file can only be changed in single-user mode); append-only (only additions are allowed, except in single-user mode). On BSD these are the schg and sappnd file flags, enforced by the kernel securelevel; Linux has the weaker chattr +i and +a attributes, which root can clear at any time
- Hardware controls: read-only file systems (CD-ROM, WORM); write-protect switches

Slide 29: Detection Strategies
- Comparison copies: on read-only media, or on standard media in remote storage; large space, slow, expensive
- Metadata: a stored list of files, their paths and modification times; easy to fool (an attacker resets the mtime after replacing a file)
- Digital signature: hash each file and sign the hash with the private key of the authorized modifier (or use a keyed hash); fast, small, hard to fool, but requires extra work (key management, and the signatures must be kept where an attacker cannot regenerate them)

Slide 30: TRIPWIRE
- System to compute cryptographic checksums ("signatures") of all files on the system
- Batch mode: compare against the stored signatures and report differences
- Interactive mode: compare against the stored signatures and confirm updates to the baseline
- Both commercial and freeware products
- Detects: corrupted file systems; unlogged administrator actions; replacement of system programs
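Added example for the Detection Strategies and TRIPWIRE slides; it is not Tripwire's code or the lecture's. It builds a baseline of keyed SHA-256 digests (an HMAC, so an attacker without the key cannot compute a matching entry) over a directory tree, compares a later scan against it in batch mode, and shows why the metadata-only check (size plus mtime) is easy to fool: the demo replaces a file with a same-size trojan and puts the timestamp back. The directory tree, file names and key are constructed in a temporary directory.

```python
"""Baseline-and-compare file integrity check in the style of Tripwire.

Added example; the demo builds its own constructed tree in a temporary directory.
"""
import hashlib
import hmac
import os
import tempfile


def file_hmac(path, key):
    """Keyed digest of a file's contents, read in chunks so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key):
    """Map relative path -> {size, mtime_ns, mode, hmac} for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                             "mode": st.st_mode, "hmac": file_hmac(path, key)}
    return baseline


def compare(old, new):
    """Batch mode: report what changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    common = set(old) & set(new)
    modified = sorted(p for p in common
                      if old[p]["hmac"] != new[p]["hmac"] or old[p]["mode"] != new[p]["mode"])
    # Changes a metadata-only check (size + mtime) would have missed.
    metadata_fooled = sorted(p for p in modified
                             if old[p]["size"] == new[p]["size"]
                             and old[p]["mtime_ns"] == new[p]["mtime_ns"])
    return {"added": added, "removed": removed, "modified": modified,
            "metadata_fooled": metadata_fooled}


def demo():
    key = b"constructed demo key; keep the real one off the monitored host"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ls_path = os.path.join(root, "bin", "ls")
        ps_path = os.path.join(root, "bin", "ps")
        with open(ls_path, "wb") as f:
            f.write(b"original ls binary\n")
        with open(ps_path, "wb") as f:
            f.write(b"original ps binary\n")
        baseline = build_baseline(root, key)

        # Intruder: same-length trojan for ls with the timestamp restored, a new file, a deleted one.
        st = os.stat(ls_path)
        with open(ls_path, "wb") as f:
            f.write(b"trojaned ls binary\n")
        os.utime(ls_path, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(os.path.join(root, "bin", "rootkit"), "wb") as f:
            f.write(b"evil\n")
        os.remove(ps_path)

        return compare(baseline, build_baseline(root, key))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16} {paths}")
```

The baseline and the key must live where the monitored host cannot rewrite them (read-only media or a separate host), otherwise an intruder simply regenerates both after the replacement, which is the "requires extra work" point of the previous slide.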
Slide 31: Recovery Strategies
- Restore from backup: rollback (data loss)
- If it is a data problem, it may be possible to replay changes: selective rollback (some data loss)
- If there is a redundant file system, vote among the file versions: masking
- If the specific changes are found, correct them: roll forward
- In general, the more detection and prevention, the easier the recovery

Slide 32: Auditing
- Installing security protection is only a beginning; systems need to be monitored
- Monitoring methods: audits and logs
- Audit: active scanning of the current state of the system
- Log: a record of the actions taken in the operation of the system
- Audits often use logs, and do more

Slide 33: Log File Vulnerabilities
- Alteration: counter with append-only mode; non-rewritable media (e.g. a printer)
- Deletion: counter with non-rewritable media; move logs to a restricted log host (e.g. a PC linked by a serial line, which an intruder on the logged host cannot reach over the network)
- Flooding: ensure large storage; reduce before logging (look for repeating patterns)

Slide 34: Syslog
- General-purpose logging utility; any program can generate syslog messages
- Local programs hand messages to the syslogd process through the /dev/log socket; remote hosts send them over the network, classically UDP port 514 (newer implementations add TCP and TLS transports)
- Messages go to files, devices or other computers, depending on severity and facility (the service that sent the message)
- Facilities: kern, user, mail, lpr, auth, daemon, news, uucp, local0...local7, mark
- Priorities (severities), from most to least severe: emerg, alert, crit, err, warning, notice, info, debug; "none" is used in the configuration to exclude a facility, not on messages
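Added example for the Log File Vulnerabilities and Syslog slides, not code from the lecture or from any syslogd: it decodes the <PRI> header of a syslog line into facility and severity (PRI = facility * 8 + severity, as in RFC 3164), applies a severity threshold of the kind used to decide which messages go to the remote log host, and collapses a flood of identical messages into a single "last message repeated N times" line. The message lines are constructed, not captured from a host.

```python
"""Decode syslog <PRI> headers, filter by severity, and collapse repeated messages.

Added example; SAMPLE_LINES are constructed.  Facility and severity codes
follow RFC 3164.
"""
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for alice on /dev/pts/8",
] * 5 + [
    "<13>Oct 11 22:14:20 host1 app[712]: started",
    "<165>Oct 11 22:15:00 host1 app[712]: local4 notice test",
    "no PRI header at all, a relay treats this as user.notice",
]


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return FACILITIES.get(pri >> 3, f"unknown{pri >> 3}"), SEVERITIES[pri & 7]


def parse_line(line):
    """Parse '<PRI>rest' into a dict; lines without a valid PRI are classed user.notice."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"facility": "user", "severity": "notice", "msg": line}
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def severity_at_least(severity, threshold):
    """True if severity is as severe as threshold or more (lower index = more severe)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def select_for_loghost(lines, threshold="err"):
    """The messages a configuration line such as '*.err  @loghost' would forward."""
    return [p for p in map(parse_line, lines) if severity_at_least(p["severity"], threshold)]


def collapse_repeats(lines):
    """Replace a run of identical consecutive lines with one copy plus a
    'last message repeated N times' line: the classic syslogd flood reduction."""
    out = []
    run, count = None, 0

    def flush():
        if count > 1:
            out.append(f"last message repeated {count - 1} times")

    for line in lines:
        if line == run:
            count += 1
            continue
        flush()
        out.append(line)
        run, count = line, 1
    flush()
    return out


if __name__ == "__main__":
    for line in collapse_repeats(SAMPLE_LINES):
        p = parse_line(line)
        print(f"{p['facility']}.{p['severity']:8} {p['msg']}")
```

Collapsing only consecutive duplicates is deliberate: a flood that interleaves two messages defeats it, and a real deployment would additionally rate-limit per source, which is the "large storage" side of the slide's advice.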
Slide 35: Syslog Vulnerabilities
- Network / device flooding
- Stack overwrites (buffer overflows in old versions of syslogd)
- False log entries: anyone who can reach the socket or the UDP port can write a message with any facility and any text
- Need for consistent, frequent review

Slide 36: Hand-Written Logs
- Journal system
- Ensure physical protection: "Where do you keep them?"
- Ensure legitimate entries: signature rules
- Keep one for each system and one for the site