Operating System Security Qiwen Pan and Hailei Jiang

Apr 01, 2015
Transcript
Page 1: Operating System Security Qiwen Pan and Hailei Jiang.

Operating System Security
Qiwen Pan and Hailei Jiang

Page 2:

VIDEO

• http://www.youtube.com/watch?v=nHERFh7OO8c

Page 3:

Security Threats

Trojan Horse: A piece of code that misuses its environment. The program seems innocent enough, but when executed, unexpected behaviour occurs.

Trap Doors: A method of breaching security deliberately inserted into a system. For instance, some secret set of inputs to a program might grant special privileges.

Threat monitoring: Look for unusual activity. Once access has been gained, how do you identify someone acting in an unusual fashion?

Audit Log: Record time, user, and type of access on all objects, so that problems can be traced back to their source.

Worms: Standalone programs that use a spawning mechanism to copy themselves onto other hosts. Internet Worm: in the 1988 Internet worm, Robert Morris exploited UNIX networking features (remote access) as well as bugs in the finger and sendmail programs. A small "grappling hook" program, once running on the target, uploaded the main worm program.

Viruses: A fragment of code embedded in a legitimate program. Mainly affects personal PC systems. These are often downloaded via e-mail or as active components in web pages.

Page 4:

Typical Security Attacks

Page 5:

Take measures at four levels to protect the system:
• Physical
• Human
• Network
• Operating System

Page 6:

Windows XP Security

Page 7:

WINLOGON.exe

• Windows Logon Process - Winlogon.exe
• The user presses CTRL+ALT+DEL (the Secure Attention Sequence); only Winlogon receives this key combination, so a fake logon prompt painted by a user program cannot capture the credentials typed afterwards.

Page 8:

Logon and Security Subsystems

Security is based on user accounts. Each user has a unique security ID (SID).

Logging in to an ID creates a security access token.

The Local Security Authority Subsystem (LSASS) generates the access tokens that represent users on the system.

The authentication package checks that the password is correct.

The security subsystem then generates the access token containing the user's SID, group SIDs, privileges and quota limits; every process the user starts carries a copy of this token, and it is what gets checked against an object's ACL on every access.

Page 9:

Encrypting File System (EFS)

• Allows you to encrypt data stored on an NTFS drive
• Only the user who enabled encryption (and any configured recovery agent) can gain access to the encrypted object
• Uses a hybrid scheme: each file is encrypted with a symmetric file encryption key, and that key is stored encrypted under the user's public key, so only the holder of the matching private key can recover it
• The encryption process is invisible to the user

Page 10:

Is there a file where password information is kept in Windows XP?

• C:\WINDOWS\system32\config\SAM holds the local account password hashes
• C:\WINDOWS\system32\config\SYSTEM holds the boot key (SYSKEY) that the SAM hashes are encrypted with; both files are locked while Windows runs, but with offline access to the disk an attacker can recover the hashes from the pair
• MD4: the NT hash is the MD4 digest of the UTF-16LE password. MD4 is a one-way ("destructive") algorithm, so the password cannot be read back from the hash, but it is fast and unsalted: identical passwords give identical hashes, and precomputed tables work against it.

Page 11:

Hack WinXP: an Admin's Password

Log in and go to the DOS command prompt and enter these commands exactly:

cd\
cd\windows\system32
mkdir temphack
copy logon.scr temphack\logon.scr
copy cmd.exe temphack\cmd.exe
del logon.scr
rename cmd.exe logon.scr
exit

What this does: logon.scr is the screen saver that runs at the logon screen, under the SYSTEM account. Replacing it with cmd.exe means that when the screen saver kicks in at the logon screen, a SYSTEM command prompt appears instead of the screen saver. The trick requires write access to system32 in the first place (an administrator session, or offline access to the disk).

Page 12:

Hack WinXP: an Admin's Password

• User Name: Andy
• Password: 1234

At the SYSTEM command prompt, enter "net user Andy 1234" to set Andy's password to 1234.

Caveat: resetting a local password this way, rather than changing it with the old password known, discards the key material derived from the old password, so any EFS-encrypted files belonging to Andy become unreadable unless a recovery agent or password reset disk exists.

Page 13:

TLS/SSL

• Secure Sockets Layer / Transport Layer Security
• Provides authentication of the server (and optionally the client) plus encryption and integrity protection of data in transit; widely used by Web-based applications
• Supported on Windows XP through IIS (Internet Information Services)

Page 14:

SSL/TLS Protocol Layers

Page 15:

• Handshake: negotiate session information (protocol version, cipher suite, certificates, keys) between the client and the server
• Change Cipher Spec: signal that from this point on the negotiated keying material is used for encryption between client and server
• Alert: indicate a change in status or an error condition to the peer (a fatal alert, e.g. handshake_failure, ends the connection)

All three, like application data, travel inside the record layer's framing: a content type, a version and a length in front of each record.
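The following added example (not part of the original slides) parses a byte stream of TLS records and labels each by sub-protocol, which is the quickest way to see how the three layers above sit inside the record layer. The ClientHello, ChangeCipherSpec and Alert bytes are constructed for the example; the random field is fixed, which a real client must never do.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}


def parse_records(stream: bytes):
    """Walk a stream of TLS records. Each record is a 5-byte header
    (content type, major, minor, length) followed by one sub-protocol message."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("record claims %d bytes, only %d present" % (length, len(body)))
        pos += 5 + length
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": "%d.%d" % (major, minor), "length": length}
        if ctype == 22 and len(body) >= 4:            # handshake: type + 24-bit length
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
            rec["handshake_length"] = int.from_bytes(body[1:4], "big")
        elif ctype == 21 and len(body) == 2:          # alert: level + description
            rec["alert"] = (ALERT_LEVELS.get(body[0], "?"), ALERT_DESCRIPTIONS.get(body[1], "?"))
        elif ctype == 20:                             # change_cipher_spec: single 0x01 byte
            rec["valid_ccs"] = body == b"\x01"
        records.append(rec)
    return records


def build_client_hello() -> bytes:
    """Constructed minimal ClientHello: TLS 1.2 body, fixed 'random', two cipher suites."""
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random (fixed here only)
            + b"\x00"                              # session_id length 0
            + b"\x00\x04" + b"\x13\x01\x00\x2f"    # suites: TLS_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                         # compression methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed exchange fragment: ClientHello, a ChangeCipherSpec, then a fatal handshake_failure alert.
SAMPLE_STREAM = (build_client_hello()
                 + b"\x14\x03\x03\x00\x01\x01"
                 + b"\x15\x03\x03\x00\x02\x02\x28")

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec)
```

The length check matters: a record that claims more bytes than are present is how truncated or tampered streams show up, and a parser that silently accepts the short body is the kind of bug that turns into a vulnerability in a real TLS implementation.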

Page 16:

IP Security Policies

• IPsec: a security measure added to TCP/IP
• Protects communications between two systems using that protocol
• Can be used over a RAS or WAN link
• Creates a secured point-to-point link between two systems
• Configured and enabled with the Advanced TCP/IP Settings dialog box

Page 17:

IP Security Policies Modes

• Transport: only the payload of each IP packet is protected; the original IP header stays in the clear (host-to-host)
• Tunnel: the entire original IP packet is encapsulated inside a new one (gateway-to-gateway or remote-access VPN)

Page 18:

Internet Security

• Risks
  ▫ Unwittingly downloading Trojan horses or viruses
  ▫ Accepting malicious e-mail
  ▫ Allowing a remote cracker to take complete control of your computer
• Protection:
  ▫ Security features for standalone or LAN systems
  ▫ Internet Connection Firewall

Page 19:

Defend Your Computer

• Act safely online
• Install self-defence software (firewall, anti-virus, anti-malware, ...)
• Keep your programs up to date!
• Don't let another user compromise your computer
• Use administrator rights sparingly
• Use strong passwords
• Always back up your data
• Encrypt your data

Page 21:

Linux Security

Linux has evolved into one of the most popular and versatile operating systems. Its many features mean a broad attack surface, but it is possible to create highly secure Linux systems. We will review:
• Discretionary Access Controls
• typical vulnerabilities and exploits in Linux
• best practices for mitigating those threats
• new improvements to the Linux security model

Page 22:

Linux Security Model

Linux's traditional security model is: people or processes with "root" privileges can do anything; other accounts can do much less. Hence attackers want to get root privileges.

It is possible to run robust, secure Linux systems, but the crux of the problem is the reliance on Discretionary Access Controls (DAC): the owner of a resource decides who may access it, and root bypasses those decisions entirely.

Page 23:

Linux Security Transactions

Page 24:

File System Security

In Linux everything is a file, e.g. memory, device drivers, named pipes and other system resources, which is why filesystem security is so important.

I/O to devices is via a "special" file, e.g. /dev/cdrom.

There are other special files such as named pipes, a conduit between processes / programs.

Page 25:

Users and Groups

A user account (user) represents someone capable of using files; it is associated both with humans and with processes.

A group account (group) is a list of user accounts.

Users have a main (primary) group and may also belong to other groups.

Users and groups are not files.

Page 26:

Users and Groups

A user's details are kept in /etc/passwd, one line per account (name:password:UID:GID:GECOS:home:shell):
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash

The "x" in the password field means the hash is kept in /etc/shadow, readable only by root. Additional group details are in /etc/group (name:password:GID:members):
conductors:x:100:
pianists:x:102:maestro,volodya

Use useradd, usermod, userdel to alter them.

Page 27:

File Permissions

Files have two owners: a user and a group, each with its own set of permissions, with a third set of permissions for other (everyone else).

Permissions are to read/write/execute, in order user/group/other, cf.
-rw-rw-r-- 1 maestro user 35414 Mar 25 01:38 baton.txt
(here the owner maestro and members of group user may read and write; everyone else may only read)

Set using the chmod command.

Page 28:

Directory Permissions

read = list contents
write = create or delete files in the directory
execute = use anything in, or change working directory to, this directory

e.g.
$ chmod g+rx extreme_casseroles
$ ls -ld extreme_casseroles
drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles

Page 29:

Sticky Bit

Originally used to lock a program's text in memory; now used on directories to limit deletion.

If set, only the owner of a file (or the owner of the directory, or root) may delete or rename it; other users cannot delete it even if they have write permission on the directory. This is what makes a shared /tmp safe.

Set using the chmod command with the +t flag, e.g.
chmod +t extreme_casseroles

The directory listing then includes a t or T in the final position:
drwxrwx--T 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
A lower-case t means the sticky bit is set and others also have execute permission; a capital T means the sticky bit is set but others lack execute permission (as here).

It applies only to the specific directory, not to child directories.

Page 30:

SetUID and SetGID

The setuid bit means the program "runs as" its owner, no matter who executes it.

The setgid bit means it runs as a member of the group which owns it, again regardless of who executes it.

"Run as" = "run with the same privileges as", so these bits are very dangerous when set on a file owned by root or another privileged account or group.

They are honoured only on binary executables: the Linux kernel ignores setuid/setgid on interpreted scripts (#! files), because the interpreter, not the script, is what actually runs.

Page 31:

SetGID and Directories

setuid has no effect on directories.

setgid does: it causes any file created in the directory to inherit the directory's group (and new subdirectories inherit the setgid bit as well).

This is useful if users belong to other groups and routinely create files to be shared with other members of those groups, instead of manually changing each file's group.

Page 32:

Numeric File Permissions

Page 33:

Kernel vs User Space

Kernel space refers to memory used by the Linux kernel and its loadable modules (e.g., device drivers).

User space refers to memory used by all other processes.

Since the kernel enforces the Linux DAC and every other security check, it is critical to isolate kernel space from user space: kernel memory is never swapped to disk and is not addressable by user processes.

Only root (strictly, a process holding CAP_SYS_MODULE) may load and unload kernel modules, which is why a root compromise can extend into the kernel itself.

Page 34:

setuid root Vulnerabilities

A setuid root program runs as root no matter who executes it.

Such programs are used to provide unprivileged users with access to privileged resources (e.g. passwd must update /etc/shadow) and must be very carefully programmed.

If one can be exploited due to a software bug, it may allow otherwise-unprivileged users to wield unauthorized root privileges.

Distributions now minimise the number of setuid-root programs, but attackers still scan for them (find / -perm -4000 is the classic first step after gaining a shell)!
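As an added example for Pages 27 to 32 and 34 (not from the original slides), the block below converts between the symbolic and numeric permission forms, including the setuid, setgid and sticky bits, and uses that to audit a directory listing for the things a hardening pass hunts for: setuid-root and setgid binaries, world-writable files, and world-writable directories without the sticky bit. The listing is constructed; scan_tree applies the same checks to a live tree.

```python
import os
import pwd
import stat

_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}   # positions of s, s, t


def symbolic_to_mode(sym: str) -> int:
    """'rwsr-xr-x' -> 0o4755. Lower-case s/t also imply the execute bit; S/T do not."""
    if len(sym) != 9:
        raise ValueError("need 9 permission characters, got %r" % sym)
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            mode |= _BITS[i]
        elif i in _SPECIAL and ch in "sStT" and (ch.lower() == "t") == (i == 8):
            mode |= _SPECIAL[i]
            if ch.islower():
                mode |= _BITS[i]
        else:
            raise ValueError("unexpected %r at position %d" % (ch, i))
    return mode


def mode_to_symbolic(mode: int) -> str:
    out = []
    for i, bit in enumerate(_BITS):
        ch = "rwx"[i % 3] if mode & bit else "-"
        if i in _SPECIAL and mode & _SPECIAL[i]:
            letter = "t" if i == 8 else "s"
            ch = letter if mode & bit else letter.upper()
        out.append(ch)
    return "".join(out)


def findings(mode: int, owner: str, is_dir: bool):
    """The conditions a setuid / world-writable sweep reports on."""
    out = []
    if mode & stat.S_ISUID and not is_dir:
        out.append("setuid-root" if owner == "root" else "setuid")
    if mode & stat.S_ISGID and not is_dir:
        out.append("setgid")
    if mode & stat.S_IWOTH:
        if is_dir and not mode & stat.S_ISVTX:
            out.append("world-writable dir without sticky bit")
        elif not is_dir:
            out.append("world-writable file")
    return out


def audit_listing(listing: str):
    """Audit `ls -l` style lines; returns {name: (octal mode, findings)} for hits only."""
    report = {}
    for line in listing.strip().splitlines():
        perms, _links, owner, _group, _size, _mon, _day, _time, name = line.split(maxsplit=8)
        mode = symbolic_to_mode(perms[1:10])
        hits = findings(mode, owner, perms[0] == "d")
        if hits:
            report[name] = ("%04o" % mode, hits)
    return report


def scan_tree(root: str):
    """Same checks against a live filesystem, roughly what `find / -perm -4000` does."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            mode = stat.S_IMODE(st.st_mode)
            hits = findings(mode, owner, stat.S_ISDIR(st.st_mode))
            if hits:
                report[path] = ("%04o" % mode, hits)
    return report


# Constructed listing mixing the slides' examples with typical system entries.
SAMPLE_LISTING = """
-rwsr-xr-x 1 root    root     54256 Mar 25 01:38 passwd
-rwxr-sr-x 1 root    shadow   35000 Mar 25 01:38 chage
-rw-rw-rw- 1 biff    drummers   120 Mar 25 01:38 setlist.txt
drwxrwxrwt 8 root    root      4096 Mar 25 01:38 tmp
drwxrwxrwx 2 biff    drummers  4096 Mar 25 01:38 dropbox
-rw-rw-r-- 1 maestro user     35414 Mar 25 01:38 baton.txt
"""

if __name__ == "__main__":
    for name, (mode, hits) in audit_listing(SAMPLE_LISTING).items():
        print(name, mode, ", ".join(hits))
```

Note that tmp with mode 1777 is not reported while dropbox with 0777 is: the sticky bit is the only difference, and it is exactly what stops one user deleting another's files in a shared directory.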

Page 35:

Web Vulnerabilities

A very broad category of vulnerabilities: because of the ubiquity of the world wide web, web applications have big and visible attack surfaces.

When written in scripting languages they are not as prone to classic buffer overflows, but can suffer from poor input handling.

Few web applications are "enabled by default", but users install vulnerable web applications, or write custom web applications with easily identified and easily exploited flaws.

Page 36:

Rootkits

Allow an attacker to cover their tracks; if one is successfully installed before detection, all is very nearly lost.

Originally collections of trojaned system commands (ls, ps, netstat, ...) hiding the attacker's files, directories and processes.

Now use loadable kernel modules, intercepting system calls in kernel space and hiding the attacker from standard commands.

May be detectable with chkrootkit, but you generally have to wipe and rebuild the system; inspect it from a known-clean boot medium rather than trusting the possibly compromised kernel.

Page 37:

Linux System Hardening

Consider how to mitigate Linux security risks at the system and application levels.

First look at OS-level security tools and techniques that protect the entire system.

Page 38:

OS Installation

Security begins with the O/S installation, especially with what software is run, since unused applications are liable to be left in their default, un-hardened and un-patched state.

Generally should not run: the X Window system, RPC services, R-services, inetd, SMTP daemons, telnet, etc.

Also some initial system software configuration:
• setting the root password
• creating a non-root user account
• setting an overall system security level
• enabling a simple host-based firewall policy
• enabling SELinux

Page 39:

Patch Management

Installed server applications must be configured securely and kept up to date with security patches.

Manual patching can never win the "patch rat race"; use tools that automatically download and install security updates, e.g. up2date, YaST, apt-get.

Note: automatic updates should not be run on change-controlled systems without testing.

Page 40:

Network Access Controls

The network is a key attack vector to secure.

TCP wrappers are a key tool to check access; originally the tcpd wrapper daemon invoked by inetd.

Before allowing a connection to a service it checks, in this order:
• if the requesting host explicitly matches /etc/hosts.allow, it is OK
• if the requesting host explicitly matches /etc/hosts.deny, it is blocked
• if it is in neither, it is OK (so without a final "ALL: ALL" in hosts.deny the default is to permit)

Checks can be on service, source IP and (via ident) username.

Now often part of the application itself, via libwrap.
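To show why the order of those checks matters, here is an added example (not from the original slides) that implements the TCP wrappers decision over a subset of the hosts.allow / hosts.deny syntax (ALL, an exact address, a trailing-dot prefix and network/mask; EXCEPT and other keywords are left out). The two rule files are constructed.

```python
import ipaddress


def _parse_rules(text: str):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def _client_matches(pattern: str, ip: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # '192.168.1.' matches 192.168.1.x only
        return ip.startswith(pattern)
    if "/" in pattern:                             # net/mask or CIDR
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
    return pattern == ip


def _rule_matches(rules, daemon: str, ip: str) -> bool:
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(_client_matches(c, ip) for c in clients):
            return True
    return False


def tcp_wrappers_decision(daemon: str, ip: str, hosts_allow: str, hosts_deny: str) -> str:
    """hosts.allow is consulted first, then hosts.deny; no match at all means permit."""
    if _rule_matches(_parse_rules(hosts_allow), daemon, ip):
        return "allow"
    if _rule_matches(_parse_rules(hosts_deny), daemon, ip):
        return "deny"
    return "allow (no rule matched: default is permit)"


# Constructed rule files for the example.
HOSTS_ALLOW = """
# sshd from the office LAN and the 10.0/16 VPN range; anything from localhost
sshd: 192.168.1., 10.0.0.0/255.255.0.0
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.10"), ("sshd", "203.0.113.5"), ("vsftpd", "127.0.0.1")]:
        print(daemon, ip, "->", tcp_wrappers_decision(daemon, ip, HOSTS_ALLOW, HOSTS_DENY))
```

The last assertion in the test is the one to remember: with an empty hosts.deny, a host that matches nothing is let in, so a deny-by-default policy needs the explicit ALL: ALL line.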

Page 41:

Network Access Controls

Also have the very powerful netfilter Linux kernel-native firewall mechanism, with iptables as the user-space front end.

As useful on firewalls, servers and desktops. Direct configuration is tricky, with a steep learning curve, but there are automated rule generators. Typically for "personal" firewall use they will:
• allow incoming requests to specified services
• block all other inbound service requests
• allow all outbound (locally originating) requests

If greater security is needed (e.g. restricting outbound traffic as well), configure manually.

Page 42:

Antivirus Software

Historically Linux has not been as vulnerable to viruses, owing more to its lesser popularity than to its security. Prompt patching was effective against worms. Viruses abuse the user's privileges: non-root users have less scope to exploit, but a virus can still consume resources and damage that user's own data.

Growing Linux popularity means more exploits, hence antivirus software will become more important.

Various commercial and free Linux A/V packages exist.

Page 43:

User Management

Guiding principles in user-account security:
• take care setting file / directory permissions
• use groups to differentiate between roles
• use extreme care in granting / using root privileges

Commands: chmod, useradd/usermod/userdel, groupadd/groupmod/groupdel, passwd, chage.
Info is in the files /etc/passwd and /etc/group; manage users' group memberships and set appropriate password ages.
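The added example below (not from the original slides) covers Pages 26 and 43 together: it parses /etc/passwd and /etc/group, works out a user's effective group set (primary plus supplementary), and flags the account problems a review of those two files is meant to catch. The file contents are constructed around the slides' maestro/volodya entries; the toor and guest accounts are planted to trigger findings.

```python
from collections import defaultdict

# Constructed /etc/passwd and /etc/group contents for the example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
volodya:x:201:100:Volodya:/home/volodya:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::202:100:Guest:/home/guest:/bin/bash
"""
GROUP = """\
root:x:0:
daemon:x:1:
wheel:x:10:maestro,guest
conductors:x:100:
pianists:x:102:maestro,volodya
"""


def parse_passwd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text: str) -> dict:
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(user: str, users: dict, groups: dict) -> list:
    """Primary group comes from the passwd GID; supplementary groups list the user by name."""
    primary = {g for g, info in groups.items() if info["gid"] == users[user]["gid"]}
    supplementary = {g for g, info in groups.items() if user in info["members"]}
    return sorted(primary | supplementary)


def audit(users: dict, groups: dict) -> list:
    issues = []
    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
        if u["password"] == "":
            issues.append(f"{name}: empty password field (login without a password)")
        if u["uid"] == 0 and name != "root":
            issues.append(f"{name}: extra UID 0 account")
        if not any(g["gid"] == u["gid"] for g in groups.values()):
            issues.append(f"{name}: primary gid {u['gid']} has no /etc/group entry")
    for uid, names in by_uid.items():
        if len(names) > 1:
            issues.append(f"uid {uid} shared by {', '.join(names)}")
    return issues


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("maestro is in", groups_of("maestro", users, groups))
    for issue in audit(users, groups):
        print("!", issue)
```

A second UID 0 account is the classic persistence trick after a compromise, and it is invisible to anything that only looks at the name "root", which is why the audit keys on the numeric UID.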

Page 44:

Root Delegation

Have the "root can do anything, users can do little" issue.

The "su" command allows users to run as root, either a root shell or a single command, but they must supply the root password, which means that likely too many people know it.

SELinux RBAC can limit root's authority, but it is complex.

"sudo" allows users to run as root but they need only their own password, not the root password. The /etc/sudoers file (edit it with visudo) specifies which users may run which commands; note that permitting a shell, an editor, or any command that can spawn one is equivalent to handing out root.

Or configure user/group permissions so the task needs no root at all, which is tricky.

Page 45:

Logging

Effective logging is a key resource. Linux logs using syslogd or Syslog-NG, which:
• receive log data from a variety of sources
• sort by facility (category) and severity
• write log messages to local/remote log files

Syslog-NG is preferable because it has:
• a variety of log-data sources / destinations
• a much more flexible "rules engine" to configure
• the ability to log via TCP, which can be encrypted (classic syslog uses unauthenticated UDP, so remote log messages can be lost or spoofed)

Should check and customise the defaults.
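An added example (not from the original slides) of the sorting step: it decodes the syslog PRI value at the front of each message into facility and severity, then routes messages through a small rule list of the kind a syslog-ng configuration expresses. The rule set and the sample log lines are constructed (the first line is adapted from the sample message in RFC 3164).

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so facility is pri >> 3 and severity is pri & 7."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line: str) -> dict:
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % line[:20])
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity,
            "severity_num": pri & 7, "message": m.group(2)}


# Rules: (facility set or None for any, worst-acceptable severity number, destination).
# Lower severity numbers are more severe, so "<= 4" means warning or worse.
RULES = [({"auth", "authpriv"}, 4, "security.log"),
         (None, 3, "critical.log"),
         (None, 7, "messages")]


def route(line: str, rules=RULES):
    """Return the parsed record and every destination whose rule it matches
    (like syslog-ng, a message can go to several destinations)."""
    rec = parse_line(line)
    dests = [dest for facs, max_sev, dest in rules
             if (facs is None or rec["facility"] in facs) and rec["severity_num"] <= max_sev]
    return rec, dests


# Constructed sample lines.
SAMPLE = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8",   # auth.crit
    "<13>Oct 11 22:14:16 host logger: hello",                                    # user.notice
    "<86>Oct 11 22:14:17 host sshd[123]: Accepted publickey for maestro",        # authpriv.info
    "<3>Oct 11 22:14:18 host kernel: Out of memory: Kill process 4242",          # kern.err
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec, dests = route(line)
        print("%s.%s -> %s" % (rec["facility"], rec["severity"], ", ".join(dests)))
```

The failed su lands in all three destinations while the successful ssh login only reaches the catch-all; tuning that threshold (4 here) is the part of the rules engine that decides what a responder sees first.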

Page 46:

Log Management

Balance the number of log files used: the size of a few versus finding information in many.

Manage the size of log files: must rotate log files and delete old copies, typically using the logrotate utility run by cron, to manage both system and application logs.

Must also configure application logging.

Page 47:

Application Security

This is a large topic; many security features are implemented in similar ways across different applications. We will review issues such as:
• running as an unprivileged user/group
• running in a chroot jail
• modularity
• encryption
• logging

Page 48:

Running As Unprivileged User/Group

Every process "runs as" some user.

It is extremely important that this user is not root, since any bug can then compromise the entire system.

The service may need root privileges for one step, e.g. to bind a port below 1024: have a root parent perform the privileged function, but run the main service from an unprivileged child that has permanently dropped root.

The user/group used should be dedicated to that service, which also makes it easier to identify the source of log messages.
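The drop itself has an ordering pitfall, so here is an added example (not from the original slides) of the sequence: bind the privileged port as root, then give up supplementary groups, the group, and finally the user, and prove afterwards that root cannot be regained. The function takes the os module as a parameter so that the ordering can be checked without running as root; that injection point and the use of the "nobody" account are choices of this example, not of any particular daemon.

```python
import os
import pwd
import socket


def bind_privileged_port(port: int) -> socket.socket:
    """The one step that genuinely needs root: binding a port below 1024."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(16)
    return s


def drop_privileges(uid: int, gid: int, sys_calls=os) -> list:
    """Permanently switch to uid/gid and verify the switch is irreversible.

    Order matters: setgroups and setgid must come before setuid, because once
    the uid is non-zero the process is no longer allowed to change its groups.
    sys_calls defaults to the real os module; tests pass a recorder instead.
    Returns the steps taken so callers (and tests) can check the order."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid/gid 0")
    steps = []
    sys_calls.setgroups([])       # shed supplementary groups inherited from root
    steps.append("setgroups")
    sys_calls.setgid(gid)
    steps.append("setgid")
    sys_calls.setuid(uid)         # real uid, effective uid and saved uid all change
    steps.append("setuid")
    try:
        sys_calls.setuid(0)       # must fail: otherwise the saved uid still lets us back
    except PermissionError:
        steps.append("verified")
        return steps
    raise RuntimeError("could regain root: privileges were not really dropped")


if __name__ == "__main__":
    if os.geteuid() != 0:
        raise SystemExit("run as root to see the real drop; the test uses a stand-in for os")
    listener = bind_privileged_port(80)
    svc = pwd.getpwnam("nobody")          # a dedicated service account is preferable
    print(drop_privileges(svc.pw_uid, svc.pw_gid))
    print("now serving as uid", os.getuid(), "on", listener.getsockname())
```

The verification step is not decoration: a daemon that only changes its effective uid (seteuid) keeps root in its saved uid and can be switched back by any code that runs inside it, which defeats the whole point of the child being unprivileged.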

Page 49:

Running in a chroot Jail

chroot confines a process to a subset of /: it maps a virtual "/" onto some other directory.

Useful if a daemon should only access a portion of the file system, e.g. FTP.

Directories outside the chroot jail aren't visible or reachable at all, which contains the effects of a compromised daemon (a process that is still root inside the jail can break out, so combine chroot with dropping privileges).

Complex to configure and troubleshoot: must mirror the portions of the system the daemon needs (libraries, configuration, device nodes) inside the chroot jail.

Page 50:

Modularity

Applications running as a single, large, multipurpose process can be:
• more difficult to run as an unprivileged user
• harder to locate / fix security bugs in the source
• harder to disable unnecessary functionality

Hence modularity is a highly prized feature, providing a much smaller attack surface; cf. postfix vs sendmail, Apache modules.

Page 51:

Encryption

Sending logins & passwords or application data over networks in clear text exposes them to network eavesdropping attacks.

Hence many network applications now support encryption to protect such data, often using the OpenSSL library.

May need your own X.509 certificates to use it; these can be generated and signed using the openssl command.

May use a commercial, your own, or a free CA.

Page 52:

Logging

Applications can usually be configured to log at any level of detail (from debug to none); an appropriate setting is needed.

Must decide whether to use a dedicated file or the system logging facility (e.g. syslog); a central facility is useful for consistent use.

Must ensure any log files are rotated.

Page 53:

Mandatory Access Controls

Linux uses a DAC security model, but Mandatory Access Controls (MAC) impose a global security policy on all users: users may not set controls weaker than the policy, and normal administration is done with accounts that have no authority to change the global security policy.

MAC systems have historically been hard to manage.

Novell's SuSE Linux has AppArmor; Red Hat Enterprise Linux has SELinux.

Pure SELinux is for high-sensitivity, high-security environments.

Page 54:

SELinux

Is the NSA's powerful implementation of mandatory access controls for Linux.

The Linux DAC still applies, but if it allows the action SELinux then evaluates it against its own security policies.

"Subjects" are processes (which run user commands), actions are "permissions", and objects are not just files & directories.

To manage complexity SELinux has:
• "that which is not expressly permitted, is denied"
• groups of subjects, permissions, and objects

Page 55:

Security Contexts

Each individual subject & object in SELinux is governed by a security context, consisting of:

• user - an individual user (human or daemon)
  ▫ SELinux maintains its own list of users
  ▫ user labels on subjects specify the account's privileges
  ▫ user labels on objects specify its owner
• role - like a group, assumed by users
  ▫ a user may only assume one role at a time
  ▫ may only switch roles if and when authorized to do so
• domain (type) - a sandbox being a combination of subjects and objects that may interact with each other

This model is called Type Enforcement (TE).

Page 56:

Decision Making in SELinux

Two types of decisions:

• access decisions: when subjects do things to objects that already exist, or create new things in the expected domain
• transition decisions: invocation of processes in different domains than the one in which the subject process is running, or creation of objects in different types (domains) than their parent directories

Transitions must be authorized by the SELinux policy.
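As an added example for Pages 54 to 56 (not from the original slides, and a toy rather than the real policy language), the block below models Type Enforcement decisions: DAC is consulted first, anything not expressly allowed is denied, and a domain transition on exec requires an execute permission, a transition rule, an entrypoint permission and a process:transition permission. The policy fragment and the contexts are constructed in the style of the targeted policy's httpd rules.

```python
from collections import defaultdict


def type_of(context: str) -> str:
    """Contexts look like user:role:type[:level]; TE decisions only look at the type."""
    return context.split(":")[2]


class TEPolicy:
    def __init__(self):
        self.allow = defaultdict(set)     # (source_type, target_type, class) -> {permissions}
        self.transitions = {}             # (source_domain, executable_type) -> new domain

    def allow_rule(self, src, tgt, cls, perms):
        self.allow[(src, tgt, cls)] |= set(perms)

    def type_transition(self, src, exec_type, new_domain):
        self.transitions[(src, exec_type)] = new_domain

    def access(self, subject_ctx, object_ctx, cls, perm, dac_allows=True) -> bool:
        """Access decision: DAC first, then the TE allow rules; default deny."""
        if not dac_allows:
            return False
        return perm in self.allow[(type_of(subject_ctx), type_of(object_ctx), cls)]

    def exec_domain(self, subject_ctx, file_ctx) -> str:
        """Transition decision on exec. Returns the domain the new process runs in."""
        src, ftype = type_of(subject_ctx), type_of(file_ctx)
        if "execute" not in self.allow[(src, ftype, "file")]:
            raise PermissionError("%s may not execute %s" % (src, ftype))
        new = self.transitions.get((src, ftype))
        if new is None:
            return src                    # no transition rule: stay in the current domain
        if "entrypoint" not in self.allow[(new, ftype, "file")]:
            raise PermissionError("%s is not an entrypoint for %s" % (ftype, new))
        if "transition" not in self.allow[(src, new, "process")]:
            raise PermissionError("%s may not transition to %s" % (src, new))
        return new


def sample_policy() -> TEPolicy:
    """Constructed toy policy: init starts httpd, httpd serves content and nothing else."""
    p = TEPolicy()
    p.allow_rule("init_t", "httpd_exec_t", "file", {"read", "execute"})
    p.allow_rule("httpd_t", "httpd_exec_t", "file", {"entrypoint"})
    p.allow_rule("init_t", "httpd_t", "process", {"transition"})
    p.type_transition("init_t", "httpd_exec_t", "httpd_t")
    p.allow_rule("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr", "open"})
    p.allow_rule("httpd_t", "bin_t", "file", {"read", "execute"})   # helper binaries, no transition
    p.allow_rule("httpd_t", "httpd_t", "tcp_socket", {"create", "bind", "listen", "accept"})
    return p


INIT = "system_u:system_r:init_t:s0"
HTTPD = "system_u:system_r:httpd_t:s0"
CONTENT = "system_u:object_r:httpd_sys_content_t:s0"
SHADOW = "system_u:object_r:shadow_t:s0"

if __name__ == "__main__":
    p = sample_policy()
    print("init exec httpd ->", p.exec_domain(INIT, "system_u:object_r:httpd_exec_t:s0"))
    print("httpd read content:", p.access(HTTPD, CONTENT, "file", "read"))
    print("httpd read shadow (DAC ok, root):", p.access(HTTPD, SHADOW, "file", "read"))
```

The shadow_t case is the whole point of MAC: the web server may run as root and pass every DAC check, yet with no allow rule naming shadow_t the read is denied, and the absence of an entrypoint rule for a shell binary means a compromised httpd cannot transition into a more permissive domain.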

Page 57:

RBAC and MLS Controls

Role Based Access Control (RBAC): rules specify the roles a user may assume; other rules specify the circumstances under which a user may transition from one role to another.

Multi Level Security (MLS) concerns the handling of classified data:
• "no read up, no write down" (the Bell-LaPadula rules: a subject may not read an object classified above its clearance, nor write to one classified below it, so data cannot leak to a lower level)

MLS is enforced via file system labeling.

Page 58:

SELinux Policy Management

Creating and maintaining SELinux policies is complicated and time-consuming; a single SELinux policy may consist of hundreds of lines of text.

RHEL has a default "targeted" policy which defines types for selected network applications and allows everything else to use the DAC controls.

There is a range of SELinux commands; see the additional references for details.

Page 59:

Novell AppArmor

Novell's MAC for SuSE Linux, enforced at the kernel level using Linux Security Modules.

Restricts the behaviour of selected applications in a very granular but targeted way, hence a compromised root application's access will be contained.

Has no controls addressing data classification, hence only a partial MAC implementation.

Non-protected applications just use the Linux DAC.

Page 60:

Summary

Reviewed:
• the Linux security model and DAC
• vulnerabilities
• O/S and application hardening
• MAC, SELinux and AppArmor