CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
CSE 543 - Computer Security
Lecture 11 - OS Security
October 2, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
OS Security
- A secure OS should provide the following mechanisms
  - Memory protection
  - File protection
  - General object protection
  - Access authentication
- How do we go about designing a trusted OS?
- “Trust” in this context means something different from “Secure”
Access Control Lists
- ACL: a list of the principals that are authorized to have access to some object.
- E.g., the column of the access matrix for object O2: S1 Y, S2 Y, S3 Y
- Or more correctly, one list per object:
  - O1: S1
  - O2: S1, S2, S3
  - O3: S3
- We are going to see a lot of examples of these throughout the semester.
ACL in systems
- ACLs are typically used to implement discretionary access control
- For example: you define the UNIX file system ACLs using the chmod utility ….
UNIX filesystem rights …
- There are three rights in the UNIX filesystem
- READ - allows the subject (process) to read the contents of the file.
- WRITE - allows the subject (process) to alter the contents of the file.
- EXECUTE - allows the subject (process) to execute the contents of the file (e.g., shell program, executable, …)
- Q: why is execute a right?
- Q: does the right to read a program implicitly give you the right to execute it?
The UNIX FS access policy
- Really, this is a bit string encoding an access matrix
- E.g., rwx rwx rwx
- And a policy is encoded as “r”, “w”, “x” if enabled, and “-” if not, e.g., rwxrw--x (the three triples are, in order, owner, group, world)
- Says the owner can read, write and execute, the group can read and write, and the world can execute only.
Windows 2000 Security Model
- Windows uses an ACL model too
- But, its model is more general
- Subjects
- Tokens: Can describe users, groups, arbitrary privileges and retract privileges (restricted contexts)
- Objects
- Types: An extensible set of object types can be defined
- Operations
- General operations: Fixed set supported by all types
- Per type operations: Operations with semantics specific to the type may be defined
- Negative rights
- Result : Any combination of rights can be described
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page
Tokens
- Like the UID/GID in a UNIX process
- User
- Group
- Aliases
- Privileges (predefined sets of rights)
- May be specific to a domain
- Composed into global SID
- Subsequent processes inherit access tokens
- Different processes may have different rights
Access Checking with ACEs
Windows Vista Integrity
- Integrity protection for writing
- Defines a series of protection levels of increasing protection
  - untrusted (lowest)
  - low (Internet)
  - medium (user)
  - high (admin)
  - system
  - installer (highest)
- Semantics: If the subject’s (process’s) integrity level dominates the object’s integrity level, then the write is allowed
UID Transition: Setuid
- A special bit in the mode bits
- Execute file
- Resulting process has the effective (and fs) UID/GID of file owner
- Enables a user to escalate privilege
- For executing a trusted service
- Downside: User defines execution environment
- e.g., Environment variables, input arguments, open descriptors, etc.
- Service must protect itself or user can gain root access
- All UNIX services involve root processes -- many via setuid
/tmp Vulnerability
- creat(pathname, mode)
- O_EXCL flag
- if file already exists this is an error
- Potential attack
- Attacker creates file in shared space (/tmp)
- Give it a filename used by a higher authority service
- Make sure that service has permission to the file
- If creat is used without O_EXCL, the attacker's pre-placed file is opened instead of a fresh one, so the attacker now shares the file with the higher authority process
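An added example in C (not from the slides) that contrasts the two creation calls: a file pre-placed in a constructed temp directory standing in for /tmp is silently reused by creat(), while open() with O_CREAT|O_EXCL refuses it with EEXIST. The directory name and file name are constructed for the demo; note that O_EXCL is a flag of open(2), since creat() takes no flags.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The pattern the slide warns about: creat() opens and truncates a file that
 * already exists instead of failing, so a file pre-placed under the service's
 * chosen name in /tmp is silently shared with the service. */
static int create_unsafe(const char *path) {
    return creat(path, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL (passed to open(2)) makes the call fail
 * with EEXIST when the name already exists, symlinks included. */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Scenario: a file is pre-placed in a fresh directory (standing in for /tmp),
 * then both creation patterns are tried on that name.
 * Returns 0 when the exclusive create refuses the pre-placed file while the
 * unsafe create silently reuses it; a negative code otherwise. */
int run_scenario(void) {
    char dir[] = "/tmp/cse543-demo-XXXXXX";  /* constructed sample location */
    char path[64];
    int fd, ret = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/service.dat", dir);
    fd = open(path, O_WRONLY | O_CREAT, 0666);  /* the pre-placed file */
    if (fd < 0) { rmdir(dir); return -2; }
    close(fd);
    fd = create_exclusive(path);               /* must fail with EEXIST */
    if (fd >= 0 || errno != EEXIST) ret = -3;
    if (fd >= 0) close(fd);
    fd = create_unsafe(path);                  /* quietly opens the same file */
    if (fd < 0) ret = -4;
    else close(fd);
    unlink(path);
    rmdir(dir);
    return ret;
}

int main(void) {
    printf("scenario result: %d (0 = O_EXCL refused, creat reused)\n", run_scenario());
    return 0;
}
```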
Sandboxing
- An execution environment for programs that contains a limited set of rights
  - A subset of your permissions (meet secrecy and integrity goals)
  - Cannot be changed by the running program (mandatory)
UNIX Chroot
- Create a domain in which a process is confined
- Process can only read/write within file system subtree
- Applies to all descendant processes
- Can carry file descriptors in ‘chroot jail’